Freeradius-Users Digest, Vol 30, Issue 110

Maribel Hernandez mhernandezl at yahoo.com
Tue Oct 30 19:29:13 CET 2007


Hello:

freeradius-users-request at lists.freeradius.org wrote:

Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

1. RE: PAM_RADIUS_AUTH (Sobanbabu Bakthavathsalu)
2. pam_radius_auth updated spec file, please include in future
releases (Florin Andrei)
3. Re: pam_radius_auth updated spec file, please include in
future releases (Florin Andrei)
4. Cert Problem with EAP-TTLS, SecureW2 (1.0.5-->1.1.7)
(Martin Pauly)


----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Oct 2007 21:31:09 +0530
From: Sobanbabu Bakthavathsalu 
Subject: RE: PAM_RADIUS_AUTH
To: FreeRadius users mailing list

Message-ID:
<50E6D895B5B13C4FB2D86D295813A4830CECEC9005 at BLRKECMBX05.ad.infosys.com>

Content-Type: text/plain; charset="us-ascii"


Hi Nick,

Thank you for the response. There is no firewall in between the RADIUS server and the Solaris server (RADIUS client), only a Cisco router with a standard ACL. I have verified the ACL match counter and found that the request from the client itself is not reaching the router.
Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth?

The server in question is not configured for any DNS server for name resolution, it uses the hosts file only.
Hope this provides more information.

Regards
Soban


________________________________________
From: freeradius-users-bounces at lists.freeradius.org [freeradius-users-bounces at lists.freeradius.org] On Behalf Of Nick Owen [nowen at wikidsystems.com]
Sent: 30 October 2007 15:37
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

On 10/30/07, Sobanbabu Bakthavathsalu wrote:
>
> Hi
>
> I am trying install the PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication.
> I have managed to successfully compile and install the pam plugin.
> When I tried to telnet to the machine from a different server I am getting the following error.
>
> Failed looking up IP address for RADIUS server radius1 (errcode=12)
>
> I have made a host entry for this server name in /etc/hosts file and able to ping the RADIUS server with name.
> But still its not working.
>
> Could you please help on resolving this.
>
Lots of times this is a firewall issue where the port opening is set
for TCP and not UDP. Check that. Check that both are using port
1812, if that is what you are using. Have you edited your telnet PAM
entry? I'm not familiar with Solaris, but that is what I would check.

More info would be helpful too.

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication



------------------------------

Message: 2
Date: Tue, 30 Oct 2007 09:51:56 -0700
From: Florin Andrei 
Subject: pam_radius_auth updated spec file, please include in future
releases
To: freeradius-users at lists.freeradius.org
Message-ID: <4727612C.8090901 at andrei.myip.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I attached an updated spec file for pam_radius_auth. The original one 
fails when building as non-root. I fixed that and made a few other minor 
changes.

It would be nice if the build system could generate this spec file from 
a template, automatically replace the version number inside the spec 
with the actual version of the pam_radius_auth tarball, and include the 
automatically generated spec in the tarball.
That way, users could generate RPM packages out of the tarball by simply 
downloading the archive and running:

rpmbuild -ta pam_radius...(version number here)...tar.gz

Thanks,

-- 
Florin Andrei

http://florin.myip.org/


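The request above is for a build system that renders the spec from a template, fills in the version taken from the tarball name, and ships the result inside the tarball so that `rpmbuild -ta` works. The following is an added example of that rendering step; it is not code from the pam_radius_auth project or from this thread. The `@VERSION@` placeholder, the template fragment and the sample tarball name are this example's own conventions.

```python
"""Render an RPM spec from a template, taking the version from the tarball name.

Added example for the build-system idea discussed above; the @VERSION@
placeholder and the template text are this example's own conventions.
"""
import re

# Matches "<name>-<version>.tar.<ext>" where the version is dot-separated digits.
TARBALL_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)-(?P<version>\d+(?:\.\d+)*)\.tar\.(?:gz|bz2|xz)$"
)

# Constructed template fragment; a real spec also carries %build/%install/%files.
SPEC_TEMPLATE = """\
Name:           pam_radius_auth
Version:        @VERSION@
Release:        1
Summary:        PAM module for RADIUS authentication
Source0:        pam_radius-@VERSION@.tar.gz

%prep
%setup -q -n pam_radius-@VERSION@
"""


def version_from_tarball(filename):
    """Return the version embedded in a tarball name; raise if the name does not fit."""
    m = TARBALL_RE.match(filename)
    if not m:
        raise ValueError(f"cannot extract a version from {filename!r}")
    return m.group("version")


def render_spec(template, version):
    """Substitute every @VERSION@ placeholder in the template."""
    return template.replace("@VERSION@", version)


def spec_version(spec_text):
    """Read back the Version: tag the way rpmbuild will see it (None if absent)."""
    m = re.search(r"^Version:\s*(\S+)\s*$", spec_text, re.MULTILINE)
    return m.group(1) if m else None


def build_spec_for(tarball_name, template=SPEC_TEMPLATE):
    """Tarball name -> rendered spec, checking the Version: tag matches the tarball."""
    version = version_from_tarball(tarball_name)
    spec = render_spec(template, version)
    if spec_version(spec) != version:
        raise RuntimeError("rendered spec does not carry the tarball version")
    return spec


if __name__ == "__main__":
    # Constructed sample name; substitute the real release's tarball.
    print(build_spec_for("pam_radius-1.3.17.tar.gz"))
```

The read-back check in `build_spec_for` is what makes this safe to automate: a template edit that breaks the `Version:` line fails the build instead of producing a package whose metadata disagrees with its source archive.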
------------------------------

Message: 3
Date: Tue, 30 Oct 2007 10:04:51 -0700
From: Florin Andrei 
Subject: Re: pam_radius_auth updated spec file, please include in
future releases
To: freeradius-users at lists.freeradius.org
Message-ID: <47276433.7080402 at andrei.myip.org>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Florin Andrei wrote:
> I attached an updated spec file for pam_radius_auth.

No, I didn't. _Now_ I did. :-/

-- 
Florin Andrei

http://florin.myip.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.spec
Type: text/x-rpm-spec
Size: 1488 bytes
Desc: not available
Url : 

------------------------------

Message: 4
Date: Tue, 30 Oct 2007 18:15:17 +0100
From: Martin Pauly 

Subject: Cert Problem with EAP-TTLS, SecureW2 (1.0.5-->1.1.7)
To: FreeRadius users mailing list

Message-ID: <200710301815.18376.pauly at hrz.uni-marburg.de>
Content-Type: text/plain; charset="iso-8859-15"

Hi everybody,

I'm trying to upgrade from 1.0.5 to 1.1.7.
For a test run, I copied all the cert and key files 
(only server-side, it's TTLS) from the production server,
and 1.1.7 starts up fine (well, almost, see below). 
When connecting with a SecureW2 client that goes along
well with the 1.0.5 server, I get a dialog window
presenting the cert, but SecureW2 complains it's 
unable to put it into the hierarchy (which is in 
place already). There is no way to go on then,
installing manually won't work either.

Have I missed some change in the cert handling?

Thanks for any help
Martin

Here's the output:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius/certs/key-radius-staff.pem"
tls: certificate_file = "/etc/freeradius/certs/cert-radius-staff.pem"
tls: CA_file = "/etc/freeradius/certs/unimr-ssl-ca.pem"
tls: private_key_password = "omihnl"
tls: dh_file = "/etc/freeradius/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.


--------------------------- Now the EAP conversation ----------------------------

rad_recv: Access-Request packet from host 192.168.75.247:1645, id=47, length=136
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0013.8011.9a60"
Calling-Station-Id = "0018.decc.af5f"
Service-Type = Login-User
Message-Authenticator = 0xfca416db4cadc5cd8d623f4ffa044a8c
EAP-Message = 0x0202000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 1077
NAS-IP-Address = 192.168.75.247
NAS-Identifier = "warz003"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "anonymous"
rlm_realm: Proxying request from user anonymous to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 2 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 47 to 192.168.75.247 port 1645
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90e816dcec17882e035976d1081fbf9c
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=48, length=200
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0013.8011.9a60"
Calling-Station-Id = "0018.decc.af5f"
Service-Type = Login-User
Message-Authenticator = 0x47f848aca44779c6fe8451fd18e46ec8
EAP-Message = 0x0203003c158000000032160301002d01000029030118e9b132c7808e219ee90a0861130998e95ddde2e6cc192ebf55af97907d967d000002000a0100
NAS-Port-Type = Wireless-802.11
NAS-Port = 1077
State = 0x90e816dcec17882e035976d1081fbf9c
NAS-IP-Address = 192.168.75.247
NAS-Identifier = "warz003"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "anonymous"
rlm_realm: Proxying request from user anonymous to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 3 length 60
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 48 to 192.168.75.247 port 1645

=== message truncated ===
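The debug output above prints each EAP-Message attribute as raw hex, which hides what the client and server actually exchanged. As an added example (not code from the original post or from FreeRADIUS), the parser below decodes the three EAP-Message values quoted in the log: the Identity response carrying "anonymous", the EAP-TTLS Start request, and the length-included response that wraps the TLS 1.0 ClientHello, down to the single cipher suite the client offered. The lookup tables are this example's own and only name the values that occur in this log; anything else is reported numerically.

```python
"""Decode the EAP-Message attributes from a FreeRADIUS debug log.

Added example; the three hex strings at the bottom are copied from the
EAP-Message lines of the debug output quoted in this thread.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "EAP-PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
# Only the suite that appears in this log; unknown ids are printed as hex.
CIPHER_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}


def parse_eap(hex_value):
    """Parse one EAP-Message attribute in the "0x..." form radiusd prints."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        body = raw[5:]
        if eap_type == 1:
            msg["identity"] = body.decode("ascii", errors="replace")
        elif eap_type in (13, 21, 25):
            msg.update(parse_tls_eap(body))
    return msg


def parse_tls_eap(body):
    """EAP-TLS/TTLS/PEAP type data: flags byte, optional 4-byte total length, TLS data."""
    flags = body[0]
    out = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "version": flags & 0x07,
    }
    pos = 1
    if out["length_included"]:
        out["tls_total_length"] = struct.unpack("!I", body[pos:pos + 4])[0]
        pos += 4
    tls = body[pos:]
    if tls:
        out["tls_records"] = parse_tls_records(tls)
    return out


def parse_tls_records(data):
    """Split TLS records and decode a ClientHello far enough to list its cipher suites."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + rlen]
        rec = {
            "content_type": TLS_CONTENT.get(ctype, ctype),
            "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": rlen,
        }
        if ctype == 22 and len(payload) >= 4:
            hs_type = payload[0]
            hs_len = int.from_bytes(payload[1:4], "big")
            rec["handshake"] = HANDSHAKE.get(hs_type, hs_type)
            if hs_type == 1:
                rec["client_hello"] = parse_client_hello(payload[4:4 + hs_len])
        records.append(rec)
        pos += 5 + rlen
    return records


def parse_client_hello(hs):
    """Client version, session-id length and the cipher suites offered."""
    major, minor = hs[0], hs[1]
    pos = 2 + 32  # skip the 32-byte client random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
        "session_id_length": sid_len,
        "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
    }


# EAP-Message values copied from the debug log quoted above.
LOG_EAP_MESSAGES = [
    "0x0202000e01616e6f6e796d6f7573",
    "0x010300061520",
    "0x0203003c158000000032160301002d01000029030118e9b132c7808e219ee90a"
    "0861130998e95ddde2e6cc192ebf55af97907d967d000002000a0100",
]

if __name__ == "__main__":
    for value in LOG_EAP_MESSAGES:
        print(parse_eap(value))
```

Run against the log, the decoder shows the outer identity is "anonymous" (the real user name only travels inside the TTLS tunnel), the server's challenge is an EAP-TTLS Start with no TLS payload, and the client's first TLS record is a TLS 1.0 ClientHello offering exactly one suite, TLS_RSA_WITH_3DES_EDE_CBC_SHA. Having the offered suites in plain text next to the server's `tls:` settings and the DH warning above is the kind of check that turns a screen of hex into something a practitioner can reason about.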


With love,
MARIBEL HERNÁNDEZ LÓPEZ
