-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Saturday, November 22, 2003 04:59
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #2552 - 10 msgs
Send Freeradius-Users mailing list submissions to
[EMAIL PROTECTED]
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.cistron.nl/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]
You can reach the person managing the list at
[EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: 093 Crashes with unknown tokens (Greg G)
2. Re: 093 Crashes with unknown tokens (Alan DeKok)
3. Re: 093 Crashes with unknown tokens (Richard Siddall)
4. Re: 093 Crashes with unknown tokens (Greg G)
5. <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions (Chris
Woodfield)
6. Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions (Alan
DeKok)
7. Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions (Chris
Woodfield)
8. Re: 093 Crashes with unknown tokens (Matt Sapp)
9. Re: 093 Crashes with unknown tokens (Kristina Pfaff-Harris)
10. Re: 0.9.3 has been released (Paul Hampson)
--__--__--
Message: 1
Date: Fri, 21 Nov 2003 16:01:59 -0500
From: Greg G <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]
This is a multi-part message in MIME format.
--------------060702050606000400090309
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Alan DeKok wrote:
>Greg G <[EMAIL PROTECTED]> wrote:
>
>
>>> Ah, yes. The "you've got to do what I want NOW for FREE!" response.
>>>
>>>
>>>
>> No, it's the "Hey, asshole, maybe you know the code better than I do"
>>reponse.
>>
>>
>
> I *do* know the code better than you, and I disagree with your
>position. All else aside, that should tell you something.
>
It does, but not what you'd hoped. It looks like I'm going to wind
up using GNU Radius, because it *doesn't* exit when it encounters
something it doesn't understand in the user file. It discards the entry
for the invalid user. It doesn't seg fault if I make an acct request.
And I don't have to fight with someone whose idea of gathering up new
coders is "Fix it" without any help or guidance whatsoever.
>The main README file is ever so
>applicable to this situation. Go read it, and stop wasting your time
>posting baseless complaints on the list.
>
>
So my asking for a feature is a baseless complaint? Riiiight.
-Greg G
--------------060702050606000400090309
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
<br>
Alan DeKok wrote:<br>
<blockquote type="cite" cite="[EMAIL PROTECTED]">
<pre wrap="">Greg G <a class="moz-txt-link-rfc2396E"
href="mailto:[EMAIL PROTECTED]"><[EMAIL PROTECTED]></a> wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap=""> Ah, yes. The "you've got to do what I want NOW for
FREE!" response.
</pre>
</blockquote>
<pre wrap=""> No, it's the "Hey, asshole, maybe you know the code
better than I do"
reponse.
</pre>
</blockquote>
<pre wrap=""><!---->
I *do* know the code better than you, and I disagree with your
position. All else aside, that should tell you something.</pre>
</blockquote>
<br>
It does, but not what you'd hoped. It looks like I'm
going to wind
up using GNU Radius, because it *doesn't* exit when it encounters
something it doesn't understand in the user file. It discards the
entry for the invalid user. It doesn't seg fault if I make an acct
request. And I don't have to fight with someone whose idea of
gathering up new coders is "Fix it" without any help or guidance
whatsoever.<br>
<br>
<br>
<blockquote type="cite" cite="[EMAIL PROTECTED]">
<pre wrap="">The main README file is ever so
applicable to this situation. Go read it, and stop wasting your time
posting baseless complaints on the list.
</pre>
</blockquote>
So my asking for a feature is a baseless complaint?
Riiiight.<br>
<br>
-Greg G<br>
<br>
</body>
</html>
--------------060702050606000400090309--
--__--__--
Message: 2
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 16:13:37 -0500
Reply-To: [EMAIL PROTECTED]
Greg G <[EMAIL PROTECTED]> wrote:
> It does, but not what you'd hoped. It looks like I'm going to wind
> up using GNU Radius, because it *doesn't* exit when it encounters
> something it doesn't understand in the user file. It discards the entry
> for the invalid user.
Meaning that the server doesn't behave as intended, and it's
probably difficult for the administrator to figure that out. So
you're left with a server which isn't doing what you want...
> It doesn't seg fault if I make an acct request.
<shrug> You're probably running Solaris. That will get fixed in a
future release.
> And I don't have to fight with someone whose idea of gathering up new
> coders is "Fix it" without any help or guidance whatsoever.
No... I told you what my opinion was, and why. You didn't
understand me, or didn't care enough to listen to me. Your response
was a blind repetition of "YOU fix it!"
My response was then simply an echoing of your complaint:
No, YOU fix it.
I find it instructive that your own words directed at you cause huge
amounts of anger and hostility.
> So my asking for a feature is a baseless complaint? Riiiight.
Not listening to the response makes it baseless.
But why am I wasting my time? You've already made it clear that you
can't read the documentation, the README, or my replies on this list.
Alan DeKok.
--__--__--
Message: 3
Date: Fri, 21 Nov 2003 16:36:55 -0500
From: Richard Siddall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]
Greg G wrote:
> Nothing is unclear about it. I would prefer that the daemon not fail
> out if there's a data error in one of the files. It should report that
> error to a log and continue on. Otherwise, it becomes a fairly trivial
> task to crash out the daemon. Our users file is fairly dynamic and if
> someone makes a typo putting in a new entry, I don't want the whole
> system coming down.
>
cp users users.old
vi users
check-radiusd-config
if $?; then
cp users.old users
mail -t ggersh -s "Typo in users file" << startup.log
else
service radiusd restart
fi
Or something like that.
--__--__--
Message: 4
Date: Fri, 21 Nov 2003 16:51:54 -0500
From: Greg G <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]
This is a multi-part message in MIME format.
--------------000009080206030608060504
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Alan DeKok wrote:
>Greg G <[EMAIL PROTECTED]> wrote:
>
>
>> It does, but not what you'd hoped. It looks like I'm going to wind
>>up using GNU Radius, because it *doesn't* exit when it encounters
>>something it doesn't understand in the user file. It discards the entry
>>for the invalid user.
>>
>>
>
> Meaning that the server doesn't behave as intended, and it's
>probably difficult for the administrator to figure that out. So
>you're left with a server which isn't doing what you want...
>
>
No, it's doing just what I want. It's logging the problem with the
user entry and getting on with processing. There's no reason that an
single authentication item in the users file should halt the server. If
it's a problem in the configuration file or something critical like
that, absolutely there should be no further action.
I understand that you have a different opinion, but that doesn't
negate mine, or the fact that this is how I'd like it to work. Pointing
me at the readme file isn't much help either, since that boils down to
"fix it, or don't. Whatever."
-Greg G
--------------000009080206030608060504
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
<br>
Alan DeKok wrote:<br>
<blockquote type="cite" cite="[EMAIL PROTECTED]">
<pre wrap="">Greg G <a class="moz-txt-link-rfc2396E"
href="mailto:[EMAIL PROTECTED]"><[EMAIL PROTECTED]></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap=""> It does, but not what you'd hoped. It looks like I'm
going to wind
up using GNU Radius, because it *doesn't* exit when it encounters
something it doesn't understand in the user file. It discards the entry
for the invalid user.
</pre>
</blockquote>
<pre wrap=""><!---->
Meaning that the server doesn't behave as intended, and it's
probably difficult for the administrator to figure that out. So
you're left with a server which isn't doing what you want...
</pre>
</blockquote>
No, it's doing just what I want. It's logging the problem
with the
user entry and getting on with processing. There's no reason that an
single authentication item in the users file should halt the server.
If it's a problem in the configuration file or something critical like
that, absolutely there should be no further action.<br>
I understand that you have a different opinion, but that
doesn't
negate mine, or the fact that this is how I'd like it to work.
Pointing me at the readme file isn't much help either, since that boils
down to "fix it, or don't. Whatever."<br>
<br>
-Greg G<br>
<br>
</body>
</html>
--------------000009080206030608060504--
--__--__--
Message: 5
Date: Fri, 21 Nov 2003 17:04:29 -0500
From: Chris Woodfield <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions
Reply-To: [EMAIL PROTECTED]
Hello,
I'm trying to set up a radius server here in my office to permit WLAN usage,
and I
really feel like I'm coming up against my limits of understanding on the
technologies
involved.
I've successfully compiled yesterday's CVS release which include EAP-TTLS
support, but
I'm running into some serious issues (most likely due to lack of clue on my
part)
getting it working. The server is a Debian testing install, with openssl
compiled
from source. The base station is a Linksys WRT-54G, although I haven't
gotten to
the point were I think there's a problem there.
Here's my list of questions:
1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far,
I've been
unable to successfully create a cert that freeradius likes. In the
radiusd.conf file,
there's an certificate_file argument, along with a CA_file argument. My
understanding
of the reason for this is that with EAP-TLS, authentication is done by certs
alone -
the user must have the server cert's public key loaded, and the user must
present a
public key signed by the CA.
But with TTLS, the client cert does not appear to be a requirement. Does
that mean I
can use a self-signed cert and not worry about the CA_file, or do I still
need to
create both? And if so, does anyone have a working openssl recipe to create
these? So
far I've been unsuccessful in creating anything other than a self-signed
key.
2. I think I'm missing some understanding when it comes to the differences
between
authentication protocols (pap, mschap, etc) and authentication mechanisms
(users file,
smbpasswd, sql, pam, etc). My ideal scenario is for TTLS to use PAM (which
authenticates based on md5 hashes in /etc/shadow), allowing anyone with an
account on the
server running radiusd to connect to the WLAN, but I'm not quite sure how
the auth
protocol interacts with auth-types. I have "DEFAULT Auth-Type := Pam" in my
users file;
do I need to do anything further depending on the auth protocol I use
"inside" the
ESP-TTLS tunnel (pap, chap, etc)?
3. I'm really, really in the dark when it comes to the key distribution
mechanism. with
EAP-TTLS and WPA, what system actually generates and distributes the WPA
key? Does the
radius server handle that, or does it only negotate access and let the base
station
generate a random key? Is there a knob in the config I need to set up for
this?
Thank you in advance for your patience. I'm sure I'll have more questions
later.
Thanks,
-Chris
--__--__--
Message: 6
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions
Date: Fri, 21 Nov 2003 17:31:42 -0500
Reply-To: [EMAIL PROTECTED]
Chris Woodfield <[EMAIL PROTECTED]> wrote:
> 1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So
> far, I've been unable to successfully create a cert that freeradius
> likes. In the radiusd.conf file, there's an certificate_file argument,
> along with a CA_file argument. My understanding of the reason for this
> is that with EAP-TLS, authentication is done by certs alone - the user
> must have the server cert's public key loaded, and the user must
> present a public key signed by the CA.
Yes. But TTLS still requires a server certificate.
> But with TTLS, the client cert does not appear to be a
> requirement. Does that mean I can use a self-signed cert and not worry
> about the CA_file, or do I still need to create both?
You still need a server certificate.
> And if so, does anyone have a working openssl recipe to create
> these? So far I've been unsuccessful in creating anything other than
> a self-signed key.
See scripts/CA.all
> 2. I think I'm missing some understanding when it comes to the
> differences between authentication protocols (pap, mschap, etc) and
> authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
> ideal scenario is for TTLS to use PAM (which authenticates based on
> md5 hashes in /etc/shadow),
Huh? Why not just use 'System' authentication?
> I have "DEFAULT Auth-Type := Pam" in my users file; do I need to do
> anything further depending on the auth protocol I use "inside" the
> ESP-TTLS tunnel (pap, chap, etc)?
CHAP won't work with passwords from /etc/passwd. See the FAQ.
> 3. I'm really, really in the dark when it comes to the key
> distribution mechanism. with EAP-TTLS and WPA, what system actually
> generates and distributes the WPA key? Does the radius server handle
> that,
Yes.
> Is there a knob in the config I need to set up for this?
No.
Alan DeKok.
--__--__--
Message: 7
Date: Fri, 21 Nov 2003 18:38:38 -0500
From: Chris Woodfield <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions
Reply-To: [EMAIL PROTECTED]
--0OAP2g/MAC+5xKAE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
> See scripts/CA.all
Ran this, and it appears that everything worked right up until the end,=20
when I got these errors:
Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out=20
cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever=
=20
-passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too=20
long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start=20
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##################\n'
##################
tino:/usr/local/ssl/certs#
Any idea what's happening? This is OpenSSL 0.9.7c.
-C
>=20
> > 2. I think I'm missing some understanding when it comes to the
> > differences between authentication protocols (pap, mschap, etc) and
> > authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
> > ideal scenario is for TTLS to use PAM (which authenticates based on
> > md5 hashes in /etc/shadow),
>=20
> Huh? Why not just use 'System' authentication?
>=20
> > I have "DEFAULT Auth-Type :=3D Pam" in my users file; do I need to do
> > anything further depending on the auth protocol I use "inside" the
> > ESP-TTLS tunnel (pap, chap, etc)?
>=20
> CHAP won't work with passwords from /etc/passwd. See the FAQ.
>=20
> > 3. I'm really, really in the dark when it comes to the key
> > distribution mechanism. with EAP-TTLS and WPA, what system actually
> > generates and distributes the WPA key? Does the radius server handle
> > that,
>=20
> Yes.
>=20
> > Is there a knob in the config I need to set up for this?
>=20
> No.
>=20
> Alan DeKok.
>=20
> -=20
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users=
.html
--0OAP2g/MAC+5xKAE
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/vqH+qP/YiunDNcERAjUjAKCPfxjKfh1TbjiD59zuP3fdYePOggCgt9fL
5KCewXRWFddxMIvhfpSwAJ0=
=SWfl
-----END PGP SIGNATURE-----
--0OAP2g/MAC+5xKAE--
--__--__--
Message: 8
From: "Matt Sapp" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 18:33:22 -0500
Reply-To: [EMAIL PROTECTED]
Greg,
While you may have misunderstood Alan's terseness as him being nasty to you,
please look at the situation.
You're saying that if there was a configuration file error, then by all
means, stop the server, but if it's "just" a users file error, then it
shouldn't be halted and the server should keep going on with some
half-correct information.
Personally, I don't see how the users file being in proper shape is any less
critical than any other configuration file being correct. You'd be much
better off implementing some solution to make sure the users file is correct
(perhaps some type checking in whatever system you use to manage your users
-- surely you don't have a bunch of type-prone data entry people editing the
users file by hand, do you?). The users file has a very specific format,
and it's not hard to follow. If you have proper checks in your management
system, this is a moot point, and this has been pointed out in reference to
the dialup_admin package.
However, as has been stated, if you really think it should keep going and
skip any users entries that are broken, you do have the source, and you can
do whatever you wish with it. This doesn't mean Alan is going to accept it
back into the main FR tree, but if you're dead-set on expecting the server
to handle your typos rather than dealing with them where they should be
corrected elsewhere, it's probably a 5 line change to do so.
-Matt
MNU Network Administrator
--- Original Message Below ---
From: Greg G <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 16:51:54 -0500
No, it's doing just what I want. It's logging the problem with the
user entry and getting on with processing. There's no reason that an
single authentication item in the users file should halt the server. If
it's a problem in the configuration file or something critical like
that, absolutely there should be no further action.
I understand that you have a different opinion, but that doesn't
negate mine, or the fact that this is how I'd like it to work. Pointing
me at the readme file isn't much help either, since that boils down to
"fix it, or don't. Whatever."
-Greg G
--__--__--
Message: 9
Date: Fri, 21 Nov 2003 16:42:37 -0800 (PST)
From: Kristina Pfaff-Harris <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]
On Fri, 21 Nov 2003, Matt Sapp wrote:
> Personally, I don't see how the users file being in proper shape is any
> less critical than any other configuration file being correct. You'd be
> much better off implementing some solution to make sure the users file
> is correct (perhaps some type checking in whatever system you use to
> manage your users -- surely you don't have a bunch of type-prone data
> entry people editing the users file by hand, do you?).
For what it's worth, it may be better to make this a matter of procedure.
For my part, whenever I make any change to Radius configuration files, I
follow the following steps:
1) Edit the file and make changes.
2) Run "radiusd -X". This will show any fatal errors in the config
without you having to stop your "good" radius. It will quit with a message
about radius already running, but up until then, will show you whether or
not radius *will* start with the new config.
3) Restart radiusd with the new config if radiusd -X worked out okay.
It's probably possible to write a script (and eventually I probably will
but am too lazy now) to run this sort of check and only restart radiusd if
things are okay, but I think just making sure that people check is a
quicker fix than code hacking.
Not a better fix, but a quicker fix. :-)
I do agree that I don't really want Radius running with a semi-woogly
config, although it can be a pain the times where I forget to check it
with -X, since those are always the times I've made a mistake.
Heh.
Kristina
--__--__--
Message: 10
Date: Sat, 22 Nov 2003 13:58:30 +1100
To: [EMAIL PROTECTED]
Subject: Re: 0.9.3 has been released
From: [EMAIL PROTECTED] (Paul Hampson)
Reply-To: [EMAIL PROTECTED]
On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
> On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> > As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> > rlm_eap has been silenced in the case where it is called upon a non-EAP
> > packet.
> >
> > There are pacakges for Debian at
> > http://www.tbble.com/freeradius/
> > They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> > muck with the new source archive; and (b) we're >< this close to getting
> > into Debian/unstable so I don't want to muck with things too much until
> > that's done.
> >
> > Just to reiterate, the 0.9.2-4 packages at
http://www.tbble.com/freeradius/
> > are the same as the 0.9.3 tarball above, but with major Debian packaging
> > improvements (biiiig thanks to Steve Langasek for his guidance here)
which
> > will hopefully go into 1.0.0 and 0.9.4's tarballs.
> Paul,
> I see that these deb packages have the same dependency issues we
discussed in
> September with libiodbc2 and libltdl3. The Depends says:
> freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
> Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
> freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is
installed
To be honest, I don't remember discussing this in September, but my mail
archives are currently in transit, so I can't check what I said.
According to my local Debian mirror, (mirror.aarnet.edu.au), the current
libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7,
and the current zlib1g is 1:1.2.1-1
> I am running Sarge, and I tried to search through unstable. Where do those
> versions of those libraries come from? Several of the debian web servers
have
> been compromised and are down for inspection, so I am not able to search
for
> the necessary versions of these libraries.
Ah, that's the problem, testing's not up to date on these libraries.
Since we're going for Debian archive acceptance, they have to be built
against unstable. I may have previously built against testing, but I
don't think I put those binaries anywhere, as they were built on a
powerpc machine.
On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
> All,
> I posted new versions of my slimed down debian packages:
> http://mrtizmo.com/freeradius/index.html
>
> The big thing I did was to remove the need for iodbc, since it has a lot
of
> nasty dependencies.
Apart from libc6, what other dependancies are you seeing from libiodbc2?
(My unstable build machine is currently also in transit, so I can't
check that myself. Last time I tried to get iodbc broken out into its
own package, the lack of interesting dependancies was the deciding
factor. I do intend to readdress this issue once we're in the Debian
archive)
--
Paul "TBBle" Hampson, from an alternate email client.
--__--__--
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
