Hi,
I have freeradius with eap support on debian etch, radius v1.1.3
"everything" working fine but I'd like to have a much simpler configuration
only by certificate and nothing more,
so I have a few questions:

1.
fragment of my log first, before the question
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "PC-01\\Administrator"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72
        Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0

my users file contains:
"PC-01\\Administrator" User-Password == "passwd"

how can I avoid this value PC-01? It's really annoying, I would like to have only the real user, PC-01 is "my computer -> properties -> computer name -> full computer name". I would like to have only the username (regardless of case sensitivity). Something like
"administrator" User-Password == "passwd"


2.
I would like to use only a certificate to check whether or not some computer should have a network connection,
I don't care about login or password,
if the client has a valid cacert.pem installed on the pc (windows xp) it should grant access to the network, is it possible to do that?
I tried to do something like:
users:
DEFAULT                Auth-Type := Accept
but it didn't work
the perfect way for me is the possibility to set up something in radiusd.conf and leave the users file empty

3.
when I read the log from freeradius -X I see that one pc needs 7 requests in freeradius and is accepted in the 8th request, is it ok?

modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 193 to 192.168.5.206 port 1812
        MS-MPPE-Recv-Key = 0xc349694508a365a56e56e085069e36270cb13b60c3cc7847129b2386a7062dde
        MS-MPPE-Send-Key = 0xf93f6de4f455056df7f1d88aa3d12a26cd1a71994fdf6c31bb726612eaf2f038
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "PC-01\\Administrator"
Finished request 8


-----------------------------------------------
my configuration files:

eap.conf

eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_file = /etc/freeradius/eap/newkey.pem
                certificate_file = /etc/freeradius/eap/newcert.pem
                CA_file = /etc/freeradius/eap/eapCA/cacert.pem
                dh_file = /etc/freeradius/eap/dh
                random_file = /etc/freeradius/eap/random
                fragment_size = 1024
                include_length = yes
                check_crl = no
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                shadow = /etc/shadow
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = yes
        }
        ldap {
                server = "ldap.your.domain"
                basedn = "o=My Org,c=UA"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }

        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }

        $INCLUDE  ${confdir}/sql.conf
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        sqlcounter dailycounter {
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                sqlmod-inst = sql
                key = User-Name
                reset = daily
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }

        sqlcounter monthlycounter {
                counter-name = Monthly-Session-Time
                check-name = Max-Monthly-Session
                sqlmod-inst = sql
                key = User-Name
                reset = monthly
                query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
        mschap
        suffix
        eap
        files
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}
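The questions above all hinge on what the supplicant actually sends and how many EAP round trips a PEAP conversation takes. The following is an added example, not code from the post or from the FreeRADIUS project: a small decoder for the `EAP-Message` attributes as they appear in `freeradius -X` output. It parses the debug lines, concatenates multiple `EAP-Message` attributes within one RADIUS packet (long TLS records are split according to `fragment_size`, which is why one authentication spans several Access-Request/Access-Challenge exchanges), decodes the RFC 3748 EAP header, recovers the identity from an EAP-Response/Identity, and splits a `DOMAIN\user` prefix the way the `realm ntdomain` block (delimiter `"\\"`) is meant to. The sample log is constructed from the lines quoted in the post; the function and variable names are the example's own. When auditing a users-file match, compare the identity inside the EAP payload with the `User-Name` attribute, since the two can differ and the server keys its decisions off `User-Name`.

```python
"""Decode EAP-Message attributes from FreeRADIUS `-X` debug output.

Added example (not from the original post). Assumptions: debug lines look
like the ones quoted in the post, and each RADIUS packet carries its EAP
payload as one or more `EAP-Message = 0x...` attributes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3748 code and type values (only the ones relevant to PEAP/EAP-TLS logs).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}

# Constructed sample: the Access-Request and Access-Accept attribute lines
# quoted in the post, in the format `freeradius -X` prints them.
DEBUG_LOG = r"""
rad_recv: Access-Request packet from host 192.168.5.206:1812, id=182, length=159
        NAS-IP-Address = 192.168.5.206
        User-Name = "PC-01\\Administrator"
        EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72
        Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d
Sending Access-Accept of id 193 to 192.168.5.206 port 1812
        EAP-Message = 0x03080004
        User-Name = "PC-01\\Administrator"
"""

PACKET_RE = re.compile(
    r"^(?:rad_recv: (\S+) packet from host \S+, id=(\d+)|Sending (\S+) of id (\d+))")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # None for Success/Failure, which carry no Type octet
    payload: bytes        # Type-Data (e.g. the identity string)


def parse_debug_log(text: str) -> List[dict]:
    """Group attribute lines under the rad_recv/Sending line they belong to."""
    packets: List[dict] = []
    current = None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            kind = m.group(1) or m.group(3)
            pkt_id = int(m.group(2) or m.group(4))
            current = {"kind": kind, "id": pkt_id, "attrs": []}
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"].append((m.group(1), m.group(2)))
    return packets


def decode_eap(hexstr: str) -> EapPacket:
    """Decode one (reassembled) EAP packet given as a 0x-prefixed hex string."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 octets: Code, Identifier, Length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # A mismatch usually means fragments were not concatenated.
        raise ValueError(f"EAP Length field {length} != {len(raw)} octets present")
    if code in (1, 2):  # Request/Response carry a Type octet
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type octet")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, raw[4:])


def eap_from_packet(pkt: dict) -> Optional[EapPacket]:
    """Concatenate all EAP-Message attributes of a RADIUS packet and decode."""
    fragments = [v[2:] for k, v in pkt["attrs"] if k == "EAP-Message"]
    if not fragments:
        return None
    return decode_eap("".join(fragments))


def split_nt_domain(identity: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); (None, identity) if no prefix."""
    domain, sep, user = identity.partition("\\")
    return (domain, user) if sep else (None, identity)


if __name__ == "__main__":
    for pkt in parse_debug_log(DEBUG_LOG):
        eap = eap_from_packet(pkt)
        if eap is None:
            continue
        desc = EAP_CODES.get(eap.code, str(eap.code))
        if eap.type is not None:
            desc += "/" + EAP_TYPES.get(eap.type, str(eap.type))
        print(f"{pkt['kind']} id={pkt['id']}: EAP {desc}, id={eap.identifier}")
        if eap.type == 1:
            dom, user = split_nt_domain(eap.payload.decode("utf-8", "replace"))
            print(f"  identity={eap.payload!r} domain={dom} user={user.lower()}")
```

Run it as-is to see the Identity response decoded; to analyse a real session, paste the full `-X` output into `DEBUG_LOG` and count the `Access-Request` packets before the `Access-Accept` to see how many round trips the TLS handshake took.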