OS X Mavericks not connecting to Debian FreeRADIUS

Edward Ulrich email at edwardulrich.com
Wed Aug 12 01:02:57 CEST 2015


I think configuring FreeRadius can be more within the grasp of people 
who aren’t career sys admins if the instructions were more clear.  For 
example when finding the value to use as “ipaddr” in clients.conf, the 
instructions in the config file only mention to use the IP of the 
client, it does not mention if I should use the LAN IP or the WAN IP of 
my wireless router, for example.  Now, obviously I would be able to 
figure that out through trial and error, but when there is a problem 
someplace else in the chain I want to know for certain that this value 
has been set exactly to what it needs to be right from the start.  A 
career systems administrator may already know which value to use but 
others would not, so why don’t they just give a specific example of 
using a wireless router in the lengthy docs of the config file and 
mention the name LAN IP or WAN IP?  Also it is annoying to me how often 
the wireless router is referred to as the “client” in all sorts of 
instructions that I see, it is confusing terminology for the process 
even if it is technically correct.

Anyway, with the ipaddr set to be the WAN IP of the router (and I also 
tried using the LAN IP, since the instructions don’t specify!) and the 
“Auth Server Address” set to be the IP of the server computer, the OS X 
client computer still gives me the “Invalid password” error.  
(Previously I have already tried all combinations of the IP addresses 
even before posting to this forum, I just wanted to clarify once and for 
all when I asked.)

I have seen varying instructions which explain differing optimum 
addresses to set the static address of the server computer to be.  I 
realize that it is important to set this to ensure that it doesn't 
change over time, but you did not really answer my question when I asked 
if it is crucial to set that for testing purposes when I know what the 
address of the server computer is in the meantime.

Are you familiar with using XML profiles for configuring networking on 
Mac Computers on newer OS X operating systems?  I have seen information 
about that associated with WPA2-Enterprise and some sources even seem to 
suggest that it is mandatory with the newer Operating systems.

As far as using the default method for creating the certificates in 
“raddb/certs,” almost all of the online sources I have seen have said 
not to use that method and give instructions for clearing that out and 
using custom openssl commands instead.  Do you know of success creating 
certificates that work with OS X Mavericks using that default method?  
And can that method be automated using scripting?  Right now that 
directory has been wiped out on my computer according to online 
instructions I have followed, so I can’t read any instructions that may 
have been included with it.  Do you know if there have been recent 
upgrades to the “raddb/certs” method in the newer versions of FreeRADIUS 
which would give it greater compatibility with newer versions of OS X?

Thank you for your help!


> freeradius-users-request at lists.freeradius.org 
> <mailto:freeradius-users-request at lists.freeradius.org>
> August 11, 2015 at 6:00 AM
>
> Today's Topics:
>
>     1. Re: OS X Mavericks not connecting to Debian FreeRADIUS
>        (Alan DeKok)
>     2. Re: Proxy (check status of the 3rd party server) (Alan DeKok)
>     3. Re: Proxy (check status of the 3rd party server) (Alan Buxey)
>     4. MAC Auth tied to user (johan firdianto)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 11 Aug 2015 09:41:28 +0200
> From: Alan DeKok<aland at deployingradius.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: OS X Mavericks not connecting to Debian FreeRADIUS
> Message-ID:<471E3D86-06A1-45EA-AA7B-F79FBBA6F423 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 10, 2015, at 9:57 PM, Edward Ulrich<email at edwardulrich.com>  wrote:
>> Question #1.  As for the RADIUS requests not getting to the server, I have a question about the value of "ipaddr" in the "clients.conf" file.  All of the instructions that I have seen have been unclear about what this value should be set to specifically.
>
>    I don't see how the instructions are unclear.  The IP address is the address of the RADIUS client.  i.e. the Access Point, etc.
>
>>   Should it be the IP address of the computer hosting the Radius server (192.168.1.113), or the IP address of the router (192.168.1.1), or some other value?  I have tried all values and still get the same error message.  Note that I have not yet set the ip address of the server computer to be static in the "/etc/network/interfaces" file.
>
>    You will need a static IP for the RADIUS server.
>
>> Question 1a:  What is the best value to use for the "ipaddr" variable in "clients.conf"?  Such as the ip address of the server computer, etc.
>
>    The client.  The file is called "clients.conf" for a reason.  It defines clients.  It doesn't define servers.
>
>> Question 1b:  What is the best value to use for the "Radius Auth Server Address" setting in the router (using DD-WRT)?  Presumably it is the same value as 1a?
>
>    No.  It is the address of the server.  I have no idea how this can be confusing.
>
>> Question 1c:  How important is setting the IP address of the server computer to be static while testing even though I am sure that the IP address of the server computer is currently 192.168.1.113 for the time being?
>
>    It is important to have a static IP.
>
>> Question 1d:  What is the best source of information about this issue if the answer is complex?
>
>    The answer is simple.  The meaning of the fields are clearly defined in the configuration files.
>
>> Question #2. Version 2.1.12 of FreeRADIUS is the one that was installed when I entered the "apt-get update" and "apt-get install freeradius" commands.  What would be the biggest benefits of upgrading to a newer version?  Presumably I would need to reconfigure from scratch if I upgraded, am I correct?  I have a feeling my problems are elsewhere for the time being if the user client computer is not connecting to the server though.
>
>    I would suggest getting the basics right first, before trying something complicated.
>
>> Question #3.  When you say "Users cannot manually configure their 802.1x settings" on Mac computers starting with OS X Lion, do you mean that it is mandatory to configure Mavericks using the XML method?
>
>    I have no idea what that means.  Which "You" are you referring to?  Where did you get this information from?
>
>> Question #4.  As for the certificates, they are being created using the "sha1" method like you suggested (typed like that rather than "sha-1" if that makes any difference.)  The "default_bits" are set to 2048.   Following is the command I used to create the DH file: "openssl  dhparam  -check  -text  -5  1024 -out  dh".  I have seen some instructions that say to trim sections out of the certificates using a text editor before using them with a Mac, would it be helpful to do that at all?
>
>    You should create certificates using the instructions and tools in raddb/certs/.  That is set up to be simple and painless.
>
>    Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 11 Aug 2015 09:42:44 +0200
> From: Alan DeKok<aland at deployingradius.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Proxy (check status of the 3rd party server)
> Message-ID:<C0DDDB63-57F2-44B7-9067-D2CF85D7B530 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Aug 11, 2015, at 9:14 AM, Peter Balsianok<balsianok.peter at gmail.com>  wrote:
>> Could you please tell me, why my RADIUS server doesn't find reply
>> (status-check via using  "request" ) from 3rd party RADIUS server ?
>
>    Post the debug output as suggested in the FAQ, "man" pages, web pages, and daily on this list.
>
>    Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 11 Aug 2015 08:51:31 +0100
> From: Alan Buxey<A.L.M.Buxey at lboro.ac.uk>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>, Peter Balsianok
> 	<balsianok.peter at gmail.com>
> Subject: Re: Proxy (check status of the 3rd party server)
> Message-ID:<CE9E3C49-75F0-4E64-BA6E-B6E2B343ECF0 at lboro.ac.uk>
> Content-Type: text/plain; charset="UTF-8"
>
>> Could you please tell me, why my RADIUS server doesn't find reply
>> (status-check via using  "request" ) from 3rd party RADIUS server ?
>
> Does that other server support status-server?  What do the logs on that other server show?  What does the debug on that other server show and what does the debug on your server show?
>
> alan
>
> ------------------------------
>
> Message: 4
> Date: Tue, 11 Aug 2015 02:25:22 -0700
> From: johan firdianto<johanfirdi at gmail.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: MAC Auth tied to user
> Message-ID:
> 	<CAAFGz8esR2iTHeURyNj_ZOaLD9RN2yejZZ83PYrpMYebCO6FZQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> anyone here have experience to implement
> authorization and accounting from mac to user ?
> For example:
> User john is tied to mac aa-bb-cc-dd-ee-ff.
> every authorization comes from this mac,
> radius will check session for user john.
> and do accounting for user john also.
> So, every packet auth/acct come from NAS, username 'mac'  will be replaced
> to 'user' subsequent process.
> i think unlang is the solution.
> anyone here could give us suggest/idea ?
> Cheers.
>
> Johan
>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 124, Issue 20
> *************************************************
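
Added example, not part of the original message or of FreeRADIUS itself: a small Python check for the clients.conf question discussed in the thread. FreeRADIUS matches an incoming request against the source address the packet arrives from, so the script parses `client` blocks and reports which one, if any, covers a given source address. It assumes the 2.x-style `ipaddr`/`netmask` keys and a server on the router's LAN; the client names, the secret placeholder and the 203.0.113.7 "WAN" address are constructed.

```python
import ipaddress
import re

# Constructed sample in the FreeRADIUS 2.x clients.conf style. The two
# 192.168.1.x addresses are the ones quoted in the thread; names and the
# second secret are placeholders.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
# The access point (DD-WRT router) as seen from the RADIUS server's LAN.
client home-ap {
    ipaddr = 192.168.1.1
    netmask = 32
    secret = EXAMPLE-SHARED-SECRET
    shortname = home-ap
}
"""

BLOCK_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ITEM_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_clients(text):
    """Return {client_name: ip_network} for every client block in text."""
    text = re.sub(r"#.*", "", text)  # drop comments
    clients = {}
    for name, body in BLOCK_RE.findall(text):
        items = dict(ITEM_RE.findall(body))
        if "ipaddr" not in items:
            continue
        addr = items["ipaddr"]
        if "/" not in addr:  # 2.x keeps the prefix length in "netmask"
            addr += "/" + items.get("netmask", "32")
        clients[name] = ipaddress.ip_network(addr, strict=False)
    return clients

def match_client(clients, packet_source):
    """Name of the most specific client covering packet_source, else None."""
    src = ipaddress.ip_address(packet_source)
    hits = [(net.prefixlen, name) for name, net in clients.items() if src in net]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    known = parse_clients(SAMPLE_CLIENTS_CONF)
    for source in ("192.168.1.1", "192.168.1.113", "203.0.113.7"):
        print(source, "->", match_client(known, source) or "unknown client")
```

A source address that matches no block is treated by the server as an unknown client, which is why the server's own address (192.168.1.113) belongs in the router's "Radius Auth Server Address" field and not in `ipaddr`.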


