802.1x & kerberos (Fixed Subject Line)

Reynolds, Walter waltr at umich.edu
Fri Oct 12 19:27:50 CEST 2007


Yes Ivan, I apologize for pasting an incomplete image command from my
test machine.

---
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438


> -----Original Message-----
Date: Fri, 12 Oct 2007 15:26:50 +0100
From: <tnt at kalik.co.yu>
Subject: RE: Freeradius-Users Digest, Vol 30, Issue 48
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <n4B28c5h.1192199210.5441340.tnt at kalik.co.yu>
Content-Type: text/plain; charset=ISO-8859-2

>> > DEFAULT         Freeradius-Proxied-To == 127.0.0.1
>> >                  Fall-Through = Yes
>> 
>>   That entry does nothing.
>I agree it does nothing for authentication, but this will be part of 
>the solution to get accounting records based on the inner identity and 
>not the outer with TTLS
>
>Has something changed in recent code that makes this unnecessary?
>

No. You probably want:

DEFAULT      FreeRADIUS-Proxied-To == 127.0.0.1
                    User-Name = `%{User-Name}`

Ivan Kalik
Kalik Informatika ISP


> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
> freeradius-users-request at lists.freeradius.org
> Sent: Friday, October 12, 2007 12:34 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 30, Issue 51
> 
> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Freeradius-Users Digest, Vol 30, Issue 48 (Alan DeKok)
>    2. RE: Freeradius-Users Digest, Vol 30, Issue 48 (tnt at kalik.co.yu)
>    3. Re: rlm_realm doesn't strip the username (Tomasz Zieleniewski)
>    4. Re: FATAL: Thread create failed: Cannot allocate memory
>       (A.L.M.Buxey at lboro.ac.uk)
>    5. Re: Darwin DirectoryServices (warnnings) (Alan DeKok)
>    6. Using freeradius and 802.1x for assign VLAN X
>       (lvizcardof at unsa.edu.pe)
>    7. Re: rlm_realm doesn't strip the username (tnt at kalik.co.yu)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 12 Oct 2007 16:23:33 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Freeradius-Users Digest, Vol 30, Issue 48
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <470F8365.9050603 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Reynolds, Walter wrote:
> ...
> >>> DEFAULT         Freeradius-Proxied-To == 127.0.0.1
> >>>                  Fall-Through = Yes
> >>   That entry does nothing.
> > I agree it does nothing for authentication, but this will be part of
> > the solution to get accounting records based on the inner identity
> and
> > not the outer with TTLS
> 
>   I don't see why.
> 
> > http://www.mail-archive.com/freeradius-users at lists.freeradius.org/msg02045.html
> 
>   Which doesn't mention an entry like the one quoted above.
> 
> > Has something changed in recent code that makes this unnecessary?
> 
>   I would first like to know why that entry does anything.  It certainly
> doesn't set the User-Name.  So it doesn't have anything to do with
> fixing the anonymous accounting issue.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 12 Oct 2007 16:51:49 +0200
> From: "Tomasz Zieleniewski" <tzieleniewski at gmail.com>
> Subject: Re: rlm_realm doesn't strip the username
> To: freeradius-users at lists.freeradius.org
> Cc: aland at deployingradius.com
> Message-ID:
> 	<5fd52d7a0710120751s1eb4ba67x402a733a1a98f055 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Thank you Alan
> 
> I updated to 2.0.0-pre2. But now I have some errors and I can't check
> again :)
> Now when my NAS sends the Accounting request or I try to run the 'radtest'
> tool, the verification fails.
> I didn't change anything in the configuration and in the database. I
> have the same NAS configuration.
> I get the following error in the debug mode:
> 
> Ignoring request to authentication address * 1812 from unknown client
> 127.0.0.1 port 37391
> 
> Please point me to what I missed :)
> 
> Best regards
> tomasz
> 
> Tomasz Zieleniewski wrote:
> > > I am using radius version 2.0.0-pre0.
> > > I have the following problem that when I receive the Accounting-Request
> > > with the username whose domain part is not checked with any of my realm
> > > defined in the proxy.conf file. The username is not stripped.
> > > I use the suffix rule for domain: 'username at domain' in my realm module
> > > and I invoke it in preacct in radiusd.conf.
> > > I have the DEFAULT realm defined and it doesn't have the nostrip option
> > > activated.
> > > So I think when there is no domain match the username should also be
> > > stripped??
> >
> >   Likely, yes.  What does debug mode say?
> >
> >   You could also try running CVS head, which has a number of fixes over
> > 2.0-pre0.
> >
> >   Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 10
> > Date: Fri, 12 Oct 2007 10:16:43 -0300
> > From: "Sergio Belkin" <sebelk at gmail.com>
> > Subject: Re: TLS fatal access_denied
> > To: "FreeRadius users mailing list"
> >         <freeradius-users at lists.freeradius.org>
> > Message-ID:
> > 	<8c6f7f450710120616t48014e18g8c02184fdaef6b97 at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > 2007/10/11, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> > > How sure are you that you are using EAP-TTLS?
> > >
> > > >  rlm_eap: EAP NAK
> > > > rlm_eap: EAP-NAK asked for EAP-Type/peap   <==
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > >
> >
> > I am pretty sure because I have default_eap_type = ttls. I've just
> > fixed it; it was a problem of certificates...
> >
> > thanks-
> >
> > --
> > --
> > Sergio Belkin -
> >
> >
> > ------------------------------
> >
> >
> >
> > End of Freeradius-Users Digest, Vol 30, Issue 49
> > ************************************************
> >
> 
> ------------------------------
> 
> Message: 4
> Date: Fri, 12 Oct 2007 16:01:19 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> Subject: Re: FATAL: Thread create failed: Cannot allocate memory
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <20071012150119.GA25677 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi,
> 
> > We had one of our MAC-auth radius server instances hang up with this
> > error at about 0200 this morning.
> >
> > That server receives pretty heavy load, and it's bursty, so we see this
> > a couple of times a day:
> >
> > The maximum number of threads (32) are active, cannot spawn new thread
> > to handle request
> >
> > ...but it does not cause problems. An inability to create a new thread
> > is an entirely different matter though; it implies <max threads are
> > running, the server tried to create a new one, and the OS couldn't
> > allocate a thread.
> >
> > Any ideas how to resolve this? Version is FreeRadius 1.1.6 (only reason
> > we haven't upgraded is change control, it's due shortly)
> 
> we recently had a similar issue after migrating to using FR for VMPS
> handling. the system may deal with many hundreds of requests per second
> as with VMPS the switch re-auths all ports at exactly the same time.
> with 48 port switches this gets interesting. anyway. the issue was
> that we had the following config
> 
> radiusd.conf  max_servers = X
> experimental.conf - perl, max_clones = Y
> 
> where X != Y
> 
> this is a big problem and you get the above mentioned errors. you ALSO
> get the error when X = Y and the load/demand is very high. in this case
> the radius thread appears to be trying to launch a new PERL instance
> before the old ones have gone.  anyway, a rapid increase of the values
> helped straight away.  as did a proper optimization of the DB to get
> much much faster PERL code.
> 
> what you have to ensure in these cases is you don't see these ones:
> 
> Fri Feb 11 16:00:11 2006 : Error: Discarding duplicate request from
> client BLAH port 49464 - ID: 10313 due to unfinished request 6
> 
> as although seemingly okay the client isn't getting an answer from its
> requests.
> 
> alan
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Fri, 12 Oct 2007 18:07:20 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Darwin DirectoryServices (warnnings)
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <470F9BB8.6090601 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Arran Cudbard-Bell wrote:
> > Hi,
> > Running radiusd 2.0pre2 (cvs head)
> >
> > Just checked the system logs on one of our radius servers, and i'm
> > seeing some strange error messages from directory services.
> >
> > Oct 12 12:02:50 wolverine DirectoryService[54]: Potential VM growth in
> > DirectoryService since client PID: 9179, has 675 open references when
> > the warning limit is 500.
> 
>   Hmm... the only OpenDirectory code in the server is in rlm_mschap.  If
> you set "use_open_directory = no" in the rlm_mschap configuration, this
> issue *should* go away.
> 
>   Unless, of course, you're actually using OpenDirectory.  In which
> case, the bug would need fixing.
> 
> > Could this explain the possible memory leak in radiusd, that only seems
> > to appear on Darwin ?
> 
>   Yup.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 6
> Date: Fri, 12 Oct 2007 11:27:19 -0500
> From: "lvizcardof at unsa.edu.pe" <lvizcardof at unsa.edu.pe>
> Subject: Using freeradius and 802.1x for assign VLAN X
> To: freeradius-users at lists.freeradius.org
> Message-ID: <20071012112719.mdbbnguhdcssk80c at mail.unsa.edu.pe>
> Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
> 	format="flowed"
> 
> Hi,
> I use the freeradius-1.0.4-1.FC4.1 version on a Linux Fedora Core 4 PC. In
> the users file I have:
> 
> lucy  Auth-Type := EAP, User-Password == "lucy"
>           Service-Type = Framed-User,
>           Tunne-type = VLAN,
>           Tunnel-medium-type = IEEE-802,
>           Tunnel-Private-Group-Id = 2
> 
> I have this problem:
> The user "lucy" should get access to VLAN 2, but by default the user
> gets access to VLAN 1. I don't know how to make the user "lucy" get
> access to VLAN 2.
> 
> This is the configuration of file eap.conf
> ==================
> eap {
> 		default_eap_type =tls
> 		timer_expire     = 60
> 		ignore_unknown_eap_types = no
> 		md5 {
> 		}
> 		leap {
> 		}
> 		gtc {
> 			auth_type = PAP
> 		}
> 		tls {
> 			private_key_password = whatever
> 			private_key_file = ${raddbdir}/certs/cert-srv.pem
> 			certificate_file = ${raddbdir}/certs/cert-srv.pem
> 			CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> 			dh_file = ${raddbdir}/certs/dh
> 			random_file = ${raddbdir}/certs/random
> 			fragment_size = 1024
> 			include_length = yes
> 		  }
> 		ttls {
> 			default_eap_type = md5
> 			use_tunneled_reply = yes
> 		}
> 		peap {
> 			default_eap_type = mschapv2
> 		}
> 		mschapv2 {
> 		}
> 	}
> ==============
> 
> If anyone knows how to resolve this, please write me.
> 
> 
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> 
> 
> 
> 
> ------------------------------
> 
> Message: 7
> Date: Fri, 12 Oct 2007 17:34:03 +0100
> From: <tnt at kalik.co.yu>
> Subject: Re: rlm_realm doesn't strip the username
> To: "FreeRadius users mailing list"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4kiXw4zk.1192206843.0052930.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
> 
> Add this to clients.conf:
> 
> client 127.0.0.1 {
>         secret          = testing123
>         shortname       = localhost
> }
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> 
> 
> 
> ------------------------------
> 
> 
> 
> End of Freeradius-Users Digest, Vol 30, Issue 51
> ************************************************
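Two users-file questions run through the quoted digest: why a DEFAULT entry whose only reply item is `Fall-Through = Yes` adds nothing to the reply while `User-Name = `%{User-Name}`` does, and why the VLAN entry in message 6 might not behave as written. The Python below is an added example written for this page, not FreeRADIUS code and not from any poster. It models a simplified users-file grammar (check items on the entry line, reply items on indented continuation lines, first match wins unless Fall-Through is set, `:=` on the check side treated as a control item that is not tested), compares attribute names case-insensitively because the thread's entries mix cases, and uses a constructed allowlist of attribute names in place of the real dictionary files. The sample entries are copied from the thread; the request dictionaries are constructed.

```python
import re

# Constructed allowlist of attribute names seen in the thread; a real checker
# would load names from the FreeRADIUS dictionary files instead.
KNOWN_ATTRS = {name.lower() for name in (
    "User-Name", "User-Password", "Auth-Type", "Service-Type",
    "Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id",
    "Fall-Through", "FreeRADIUS-Proxied-To",
)}

# One "Attribute op value" item; values may be bare, "quoted" or `backticked`.
ITEM_RE = re.compile(r'([A-Za-z0-9\-]+)\s*(:=|==|=)\s*("[^"]*"|`[^`]*`|\S+)')


def _split_items(text):
    """Split 'A := x, B == "y"' into (attr, op, value) triples."""
    items = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ITEM_RE.fullmatch(chunk)
        if m is None:
            raise ValueError(f"cannot parse item: {chunk!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"`')))
    return items


def parse_users(text):
    """Parse users-file text into entries: name, check items, reply items, Fall-Through."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            # Entry line: name followed by comma-separated check items.
            name, _, rest = raw.strip().partition(" ")
            current = {"name": name, "check": _split_items(rest),
                       "reply": [], "fall_through": False}
            entries.append(current)
        else:
            if current is None:
                raise ValueError("continuation line before any entry")
            # Fall-Through is a control item: it only decides whether matching
            # continues, and is never placed in the reply.
            for attr, op, value in _split_items(raw):
                if attr.lower() == "fall-through":
                    current["fall_through"] = value.lower() in ("yes", "1", "true")
                else:
                    current["reply"].append((attr, op, value))
    return entries


def lint_attrs(entries):
    """Report attribute names missing from the allowlist (catches typos)."""
    problems = []
    for entry in entries:
        for attr, _, _ in entry["check"] + entry["reply"]:
            if attr.lower() not in KNOWN_ATTRS:
                problems.append(f'{entry["name"]}: unknown attribute "{attr}"')
    return problems


def _xlat(value, req):
    """Expand %{Attr} from the request, a minimal stand-in for the real xlat."""
    return re.sub(r"%\{([^}]+)\}", lambda m: req.get(m.group(1).lower(), ""), value)


def apply_users(entries, request):
    """Walk entries in order; the first match wins unless Fall-Through is set."""
    req = {k.lower(): v for k, v in request.items()}
    reply = {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != req.get("user-name"):
            continue
        matched = all(op == ":=" or req.get(attr.lower()) == value
                      for attr, op, value in entry["check"])
        if not matched:
            continue
        for attr, _, value in entry["reply"]:
            reply[attr] = _xlat(value, req)
        if not entry["fall_through"]:
            break
    return reply


# Constructed samples copied from the entries quoted in the thread.
USERS_FALL_THROUGH = """\
DEFAULT         Freeradius-Proxied-To == 127.0.0.1
                 Fall-Through = Yes
"""
USERS_SET_NAME = """\
DEFAULT      FreeRADIUS-Proxied-To == 127.0.0.1
                    User-Name = `%{User-Name}`
"""
USERS_LUCY = """\
lucy  Auth-Type := EAP, User-Password == "lucy"
          Service-Type = Framed-User,
          Tunne-type = VLAN,
          Tunnel-medium-type = IEEE-802,
          Tunnel-Private-Group-Id = 2
"""

if __name__ == "__main__":
    inner = {"FreeRADIUS-Proxied-To": "127.0.0.1", "User-Name": "walt"}
    print("Fall-Through only ->", apply_users(parse_users(USERS_FALL_THROUGH), inner))
    print("User-Name set     ->", apply_users(parse_users(USERS_SET_NAME), inner))
    print("lint lucy         ->", lint_attrs(parse_users(USERS_LUCY)))
```

Run stand-alone, the Fall-Through entry yields an empty reply and the `User-Name` entry yields the inner identity, which is the distinction Alan and Ivan draw. The lint pass flags `Tunne-type` in the lucy entry as an unknown name; the thread does not say whether that typo is the reason the user lands in VLAN 1, so treat the report as a prompt to check the entry against the dictionary, not as a diagnosis.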



