Re: self-signed root CA

2012-01-26 Thread Christ Schlacta
I've attached android, windows 7, macosx, and ubuntu linux to an eap-tls network using wpa2-eap-tls, which requires client and CA certs. It's no issue once you know what you're doing. The hardest part is the nearly complete lack of documentation for any OS except linux. You're limited to wha

Re: self-signed root CA

2012-01-26 Thread Christ Schlacta
Self-signed provides stronger security in most cases. I'm using self-signed here, and distributing a certificate to unmanaged user devices is as easy as placing a p12 file on a USB drive and requiring users to stop by ops before getting on wireless. If you're using a public CA to sign certs,

Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
My RHEL 5.7 is only a 30 days evaluation, there won't be any support. Just trying it and doing some learning at home. At work we use RHEL 5.6, when we do set up the new server and if the same SELinux problem occurs, I will try the support procedures. Thanks Eric -- View this message in context: ht

Re: Authorization with Active Directory

2012-01-26 Thread Alan Buxey
Hi, > Everything works perfect except the conditional checking for > Client-Shortname. I tried using: > > *if (Client-Shortname =~ /^localhost/) {* that's wrong > It didn't work saying Client-Shortname as unknown attribute. > > Again I tried using: > > * if ("%{client: shortname}" =~ /^localho

Re: freradius Segmentation fault

2012-01-26 Thread Fajar A. Nugraha
On Fri, Jan 27, 2012 at 12:49 AM, Ski Mountain wrote: > It was simply installed from the ubuntu repository with aptitude. > > Does this mean that I should just try compiling a new version of freeradius > from source, Yes, if you know how to build from source. Or take a look at https://launchpa

Re: Problems sending session-timeout

2012-01-26 Thread Fajar A. Nugraha
On Thu, Jan 26, 2012 at 10:14 PM, tonimanel wrote: > Hi guys, > > I have a problem with my freeradius service. I would like to get that > freeradius sends to my NAS the session-timeout attribute. Can you tell me > how could I get it? Just put it in radreply :) I think you meant this though: http

Re: Authorization with Active Directory

2012-01-26 Thread suggestme
Thanks a lot again for showing me the direction. Everything works perfect except the conditional checking for Client-Shortname. I tried using: *if (Client-Shortname =~ /^localhost/) {* It didn't work saying Client-Shortname as unknown attribute. Again I tried using: * if ("%{client: shortname}

Re: freradius Segmentation fault

2012-01-26 Thread Ski Mountain
It was simply installed from the ubuntu repository with aptitude. Does this mean that I should just try compiling a new version of freeradius from source, and if the source version does not work, compile it to enable core dumps. Thanks - Original Message - From: Alan DeKok To: Sk

Re: Authorization with Active Directory

2012-01-26 Thread Phil Mayers
On 01/26/2012 04:42 PM, Phil Mayers wrote: 3. Run the LDAP module, then compare the attribute. Note - because you've mapped the item to check/control lists, you can't use a "users" file - you must use unlang, like so: Damn, sorry, this should be: authorize { ... ldap if (control:My-Ext

Re: Authorization with Active Directory

2012-01-26 Thread Phil Mayers
On 01/26/2012 02:41 PM, suggestme wrote: ## I tried using Called-Station-Id to check the condition; which is ok for now for testing ; but which I guess is not feasible if there are thousands of NAS devices. I don't know what would be best test condition for this. There are many options. You co

Re: Service radiusd Start vs radiusd

2012-01-26 Thread John Dennis
On 01/26/2012 06:33 AM, Alan Buxey wrote: Hi, yes but as already said, RHEL SElinux policy should already be fine for this It's been a while since I looked, but when I did the RHEL5 SELinux policy was good for nothing except very, very basic FreeRADIUS usage. Has that changed now? Using "ses

Re: freradius Segmentation fault

2012-01-26 Thread Alan DeKok
Ski Mountain wrote: > I am testing out authentication with radtest. If I send the wrong group > password I get "invalid Message-Authenticator" which is what I expect, the > second I put in the correct password I get the "Segmentation fault" > > Is this a known issue, or am I screwing something

freradius Segmentation fault

2012-01-26 Thread Ski Mountain
I am testing out authentication with radtest. If I send the wrong group password I get "invalid Message-Authenticator" which is what I expect, the second I put in the correct password I get the "Segmentation fault". This is on Ubuntu 10.04.3 LTS. Is this a known issue, or am I screwing so

Freeradius and rlm_perl auth

2012-01-26 Thread Fabricio Flores
Hello, I'm using a perl script to authenticate in a web service. My script works with the web service but I want that my script authenticates in a freeradius server. I don't know which files I must modify and what I must modify so that it works. Thanks for your answers. -- Fabricio A. Flores G. Egr

Re: mschap/NTLM and different membership-of with variables

2012-01-26 Thread Gonzalo
Sorry, I found my mistake and it was on the AP device. The "outer.reply" works fine. But I still want to understand how this works, so if somebody can share a link that explains how variables work in detail, it will be appreciated. Thanks. Gonzalo.

Problems sending session-timeout

2012-01-26 Thread tonimanel
Hi guys, I have a problem with my freeradius service. I would like to get that freeradius sends to my NAS the session-timeout attribute. Can you tell me how could I get it? This is the output result: FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03 Copyrig

Re: Authorization with Active Directory

2012-01-26 Thread suggestme
Hi, I had implemented the idea given by Phil for authorizing the users of Active Directory to use VPN or Wifi or whatever for which they are for depending upon the value of Active Directory's "extensionAttribute10" attribute as: ## /usr/local/etc/raddb/modules/ldap: filter = "(&(extensionAttribu

Re: Changing domain for ntlm_auth

2012-01-26 Thread Alan DeKok
NdK wrote: > Been confused by the error: it pointed to the last line of the chain, > not to the *first* closing brace followed by a keyword, forming an > invalid entry. BTW, it stays unclear why the keyword can't be on the > same line with the closing brace. Can't figure out unlang's grammar in EBN

Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 26/01/2012 12:24, Phil Mayers wrote: > You can re-use bits of "unlang" as virtual modules. See "policy.conf". > This is often a bit neater than $INCLUDE. Perfect! Exactly what was needed. > FreeRADIUS config is basically: [...] > "if", "elsif" are just blocks. Blocks need to start on thei

Re: Service radiusd Start vs radiusd

2012-01-26 Thread Alan Buxey
Hi, > > yes but as already said, RHEL SElinux policy should already be fine for this > > It's been a while since I looked, but when I did the RHEL5 SELinux > policy was good for nothing except very, very basic FreeRADIUS usage. > > Has that changed now? Using "sesearch" I don't for example see

Re: Changing domain for ntlm_auth

2012-01-26 Thread Phil Mayers
On 01/26/2012 09:36 AM, NdK wrote: Since it seems I have to do EXACTLY the same mapping both in "default" and "inner-tunnel" sites, I saved my "if" chain in unibo.map and used $INCLUDE to insert it in both virtual servers, just after the opening brace of authorize. Hope it's the correct thing to

Re: self-signed root CA

2012-01-26 Thread Phil Mayers
On 01/26/2012 01:43 AM, Matthew Newton wrote: Public CA - easier as you don't have to distribute the CA cert. You're open to spoofing attacks where someone can get another cert from the same CA and put it on a rogue RADIUS server. These days it seems anyone can get a public-CA certificate for a

Re: self-signed root CA

2012-01-26 Thread Phil Mayers
On 01/26/2012 12:08 AM, McNutt, Justin M. wrote: So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. This has been discussed extensively on the list!

Re: Service radiusd Start vs radiusd

2012-01-26 Thread Phil Mayers
On 01/26/2012 10:27 AM, Alan Buxey wrote: Hi, I guess we have a winner: setsebool -P radiusd_disable_trans=1 yes but as already said, RHEL SElinux policy should already be fine for this It's been a while since I looked, but when I did the RHEL5 SELinux policy was good for nothing except ve

Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 26/01/2012 10:40, Alan DeKok wrote: > NdK wrote: >> Too bad it seems unlang doesn't like : >> if (cond) { >> ... >> } elsif (othercond) { > > Perhaps you could try reading "man unlang" to learn its syntax. Been confused by the error: it pointed to the last line of the chain, not to the

Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
I did some reading on SELinux... but there are pages and pages of info, and with my limited Linux skill... I hardly understand a thing... Welcome if anyone has any instructions which I can try. Thanks Eric

Re: Service radiusd Start vs radiusd

2012-01-26 Thread Alan Buxey
Hi, > I guess we have a winner: > setsebool -P radiusd_disable_trans=1 yes but as already said, RHEL SElinux policy should already be fine for this alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
First I set SELinux back to enforcing reboot & test (not working, fail to auth) setsebool -P radiusd_disable_trans=1 reboot & test (everything works fine) ---let's try disable postgresql instead of radiusd setsebool -P radiusd_disable_trans=0 setsebool -P postgresql_disable_trans=1 reboot &

Re: Changing domain for ntlm_auth

2012-01-26 Thread Alan DeKok
NdK wrote: > Too bad it seems unlang doesn't like : > if (cond) { > ... > } elsif (othercond) { Perhaps you could try reading "man unlang" to learn its syntax. > That seems quite a serious limit in the unlang grammar... Sure. It can't parse Perl, Python, Ruby, C, or any other invented gram

Re: Changing domain for ntlm_auth

2012-01-26 Thread NdK
On 25/01/2012 20:54, Phil Mayers wrote: >> [...] >> So I *can* insert unlang code there! Perfect! > No. This is not "unlang". It's just a string expansion. Yup. Sorry, I was referencing the cut part. > Unlang is a processing "language" that is only valid inside the virtual > server "authoriz

Re: Organizing accounting attributes

2012-01-26 Thread Alan Buxey
Hi, >Is it possible to sort accounting attributes and values in a certain order >under the detail files ? You really might want to look at using SQL to store accounting rather than using flat detail files if there is some sort/select stuff you need to do with the records.. alan

Re: self-signed root CA

2012-01-26 Thread Alan Buxey
Hi, self-signed CA. The authentication is a closed-loop system. The only people that need to trust your RADIUS server for authentication are your own users (unlike eg a public web server). You have full control of your own CA.. and know its policies. With an external CA you are a slave to their rep

Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
I mean I did #2, disabled SELinux entirely.

Re: self-signed root CA

2012-01-26 Thread Stefan Winter
Hi, that's a discussion / holy war admins are fighting over for *years* in the eduroam roaming consortium. I agree with all what was said in the thread, regarding security vs. convenience. Just to add one thing to the mix: if you allow "bring your own device" for your network, you'll have much l

Re: Service radiusd Start vs radiusd

2012-01-26 Thread eric.chang
I have done number 1 :( Let me try number 2 now, and see what happens. BTW my setup is: Red Hat Enterprise Linux Server 5.7 FreeRADIUS 2.1.7 PostgreSQL 9.1.2