Freeradius-Users Digest, Vol 114, Issue 1

Wed Oct 1 11:55:17 CEST 2014

Hi,

I am using freeradius v3.0.4 on ubuntu 14.04.
I tried to send radius request using command "radtest test password
localhost 0 testing123"
I got no reply from server.
When I checked for open ports I didnot see any ports opened for freeradius.
What is the command to start freeradius services?
I tried /etc/init/d/freeradius restart which did not work

Thanks,
Kavya

On Wed, Oct 1, 2014 at 11:09 AM, <
freeradius-users-request at lists.freeradius.org> wrote:

> Send Freeradius-Users mailing list submissions to
>         freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
>         freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
>         freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
>    1. RE: Maximum username length
>       (Franks Andy (RLZ) IT Systems Engineer)
>    2. Re: Maximum username length (Alan DeKok)
>    3. Authentication and Authorization (Alex Gregory)
>    4. Re: Authentication and Authorization (Nick Owen)
>    5. Re: Authentication and Authorization (Alex Gregory)
>    6. Re: Authentication and Authorization (Alan DeKok)
>    7. EAP-GTC & Yubikey (cellkites at hushmail.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 30 Sep 2014 15:55:56 +0100
> From: "Franks Andy \(RLZ\) IT Systems Engineer"
>         <Andy.Franks at sath.nhs.uk>
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Subject: RE: Maximum username length
> Message-ID: <20140930145557.4FCC5448906 at nhs-pd1e-esg106.ad1.nhs.net>
> Content-Type: text/plain;       charset="UTF-8"
>
> They should make a movie..
>
> So you're suggesting I reprogram pfsense then? I'll have to inform the
> boss it's going to take a bit longer!
>
> Anyway, point taken, I'll have to see what this entails. The string was
> looking to be pretty long anyway.
> :-)
>
>
>
> -----Original Message-----
> From: freeradius-users-bounces+andy.franks=
> sath.nhs.uk at lists.freeradius.org [mailto:
> freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On
> Behalf Of Alan DeKok
> Sent: 30 September 2014 14:03
> To: FreeRadius users mailing list
> Subject: Re: Maximum username length
>
> Franks Andy (RLZ) IT Systems Engineer wrote:
> >   We?re going to attempt to pass a number of delimited variables
> > through via the username field
>
>   Dear god no.  This is a *terrible* idea.  It will cause global warming,
> rickets, plagues, alien invasions, and help bring on the coming apocalypse.
>
> > and split them at the freeradius end, mostly to avoid rewriting the
> > php in the captive portal to use more orthodox existing attributes.
>
>   There's no good reason to push crap onto someone else.  Your laziness
> just makes life harder for everyone else.
>
>   If you care about your users, *don't* do this.
>
> > Can someone confirm the maximum username field length? I can see in
> > the RFCs that 63 is the recommended minimum nas length but there?s not
> > much else I can see in there.
>
>   A lot of equipment and systems won't handle more than 63 characters.
>
>   This is a terrible, evil, disgusting idea.  RADIUS is full of enough
> crap already without people deliberately adding more.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> Message: 2
> Date: Tue, 30 Sep 2014 11:36:39 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Maximum username length
> Message-ID: <542ACE07.9050601 at deployingradius.com>
> Content-Type: text/plain; charset=UTF-8
>
> Franks Andy (RLZ) IT Systems Engineer wrote:
> > So you're suggesting I reprogram pfsense then? I'll have to inform the
> boss it's going to take a bit longer!
>
>   You can fix pfsense once, or thousands of administrators can curse
> your name while they try to "fix" their RADIUS server so that it works
> with a non-standard username.
>
>   That's a lot of negative karma.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 30 Sep 2014 19:18:20 +0000
> From: Alex Gregory <alex at c2company.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Authentication and Authorization
> Message-ID: <7A1FE1A4-0B02-4D9E-AB1A-B80D64AF82D3 at c2company.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello-
>
> If I have both LDAP and Proxy configured will FreeRadius use both?  What I
> am looking for is the FreeRadius server authorize a user in LDAP and if
> that passes forward the user to the upstream OTP radius server (via
> proxy.conf) for authentication.  I believe its doing this now with the LDAP
> module, just authenticating locally, rather than proxied.
>
> Is this possible?
>
> Thanks,
>
> Alex
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 30 Sep 2014 17:02:20 -0400
> From: Nick Owen <owen.nick at gmail.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Authentication and Authorization
> Message-ID:
>         <
> CAJC4Zap-F3xJHhJPXjx9vRZoC6-4EHOaafv4wummZpRTdGi9gQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Yes, see this tutorial:
>
> https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius
> .
> Note that you login with the username and OTP.  No ldap password is
> needed.
>
> HTH,
>
> Nick
>
> On Tue, Sep 30, 2014 at 3:18 PM, Alex Gregory <alex at c2company.com> wrote:
> > Hello-
> >
> > If I have both LDAP and Proxy configured will FreeRadius use both?  What
> I am looking for is the FreeRadius server authorize a user in LDAP and if
> that passes forward the user to the upstream OTP radius server (via
> proxy.conf) for authentication.  I believe its doing this now with the LDAP
> module, just authenticating locally, rather than proxied.
> >
> > Is this possible?
> >
> > Thanks,
> >
> > Alex
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> --
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 30 Sep 2014 22:49:00 +0000
> From: Alex Gregory <alex at c2company.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Authentication and Authorization
> Message-ID: <BCBCCE17-2331-4F9E-B664-D66FF01473DA at c2company.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Thank you for the link.  I have the OTP working on a test server now with
> proxying.  The problem is the hosted OTP server does not supply any group
> or attribute information back yet like this Wikid server does.  But I have
> two different user groups for two different networks (Corp and Dev users)
> that need to be differentiated.
>
> In production have two virtual radius servers each doing an LDAP lookup
> into a different group.  If a user tries to access the incorrect network
> they are denied because they are not in that group.  Works great.  If I
> alter the server to proxy the request with the LDAP module configured will
> it handle things properly?
>
> Thanks,
>
> Alex
>
>
>
> On Sep 30, 2014, at 2:02 PM, Nick Owen <owen.nick at gmail.com> wrote:
>
> > Yes, see this tutorial:
> >
> https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius
> .
> > Note that you login with the username and OTP.  No ldap password is
> > needed.
> >
> > HTH,
> >
> > Nick
> >
> > On Tue, Sep 30, 2014 at 3:18 PM, Alex Gregory <alex at c2company.com>
> wrote:
> >> Hello-
> >>
> >> If I have both LDAP and Proxy configured will FreeRadius use both?
> What I am looking for is the FreeRadius server authorize a user in LDAP and
> if that passes forward the user to the upstream OTP radius server (via
> proxy.conf) for authentication.  I believe its doing this now with the LDAP
> module, just authenticating locally, rather than proxied.
> >>
> >> Is this possible?
> >>
> >> Thanks,
> >>
> >> Alex
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> >
> >
> > --
> > --
> > Nick Owen
> > WiKID Systems, Inc.
> > http://www.wikidsystems.com
> > Commercial/Open Source Two-Factor Authentication
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 30 Sep 2014 21:26:56 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Authentication and Authorization
> Message-ID: <542B5860.5010803 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Alex Gregory wrote:
> > Thank you for the link.  I have the OTP working on a test server now
> with proxying.  The problem is the hosted OTP server does not supply any
> group or attribute information back yet like this Wikid server does.
>
>   There are no standard RADIUS attributes which carry that information.
>  If you need it, the OTP server may not even be able to send that
> information in RADIUS.
>
> >  But I have two different user groups for two different networks (Corp
> and Dev users) that need to be differentiated.
> >
> > In production have two virtual radius servers each doing an LDAP lookup
> into a different group.  If a user tries to access the incorrect network
> they are denied because they are not in that group.  Works great.  If I
> alter the server to proxy the request with the LDAP module configured will
> it handle things properly?
>
>   LDAP lookups are completely independent of proxying.
>
>   If configured correctly, it should work.
>
>   Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 01 Oct 2014 13:39:23 +0800
> From: cellkites at hushmail.com
> To: freeradius-users at lists.freeradius.org
> Subject: EAP-GTC & Yubikey
> Message-ID: <20141001053923.E3D29C0105 at smtp.hushmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I've been attempting to integrate yubikeys with freeradius and have
> had great success with the included yubikey module authenticating
> against both stored aes keys and a private otp validation server.
> However I am now attempting to use them in conjunction with EAP-GTC
> and am slightly lost.
>
> Under the gtc section of the eap module config i see that a user
> password is returned from the connecting client and passed onto
> another module for authentication. Is it possible to then pass this to
> the yubikey module to extract the otp portion, authenticate the otp
> and then continue with PAP authentication using the users password?
>
> Is there another way i should be going about this?
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141001/cc61eb8c/attachment.html
> >
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 114, Issue 1
> ************************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141001/1c343d18/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusd
Type: application/octet-stream
Size: 6144 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141001/1c343d18/attachment-0001.obj>