<p>Hi Alan,<br>
I am suspecting some radius setting on my server because free radius on other server is responding and authentication and accounting is successful. </p>
<div class="gmail_quote">On May 24, 2013 7:56 PM, <<a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Send Freeradius-Users mailing list submissions to<br>
<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.freeradius.org/mailman/listinfo/freeradius-users" target="_blank">http://lists.freeradius.org/mailman/listinfo/freeradius-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:freeradius-users-owner@lists.freeradius.org">freeradius-users-owner@lists.freeradius.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Freeradius-Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. AES-GCM (Pieter Hulshoff)<br>
2. Re: AES-GCM (Phil Mayers)<br>
3. Re: AES-GCM (Pieter Hulshoff)<br>
4. Re: AES-GCM (Phil Mayers)<br>
5. Re: AES-GCM (Pieter Hulshoff)<br>
6. Re: issue with radius accounting (Alan DeKok)<br>
7. Re: Failure authenticate using IPv6 (Alan DeKok)<br>
8. Re: Retrieving eDirectory VLAN attributes (Alan DeKok)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 24 May 2013 12:44:02 +0200<br>
From: Pieter Hulshoff <<a href="mailto:phulshof@xs4all.nl">phulshof@xs4all.nl</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: AES-GCM<br>
Message-ID: <2687107.xyZuJZ1fbJ@spaceballsml><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hello all,<br>
<br>
Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the<br>
documentation, the wiki or the mailinglist archives, but perhaps I'm looking<br>
in the wrong place?<br>
<br>
Kind regards,<br>
<br>
Pieter Hulshoff<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 24 May 2013 12:21:47 +0100<br>
From: Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: AES-GCM<br>
Message-ID: <<a href="mailto:519F4D4B.4080000@imperial.ac.uk">519F4D4B.4080000@imperial.ac.uk</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
On 24/05/13 11:44, Pieter Hulshoff wrote:<br>
> Hello all,<br>
><br>
> Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the<br>
> documentation, the wiki or the mailinglist archives, but perhaps I'm looking<br>
> in the wrong place?<br>
<br>
Typically this is down the TLS libraries; it's not usually the case that<br>
the application needs to do anything.<br>
<br>
That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS<br>
1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve<br>
itself in this level of detail - that's an aspect of the TLS library<br>
(OpenSSL) we use, and whatever the EAP-TLS client is using.<br>
<br>
Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP<br>
or TTLS) never actually sends any data over the TLS session;<br>
essentially, it consists solely of the handshake. In TLS terms, EAP-TLS<br>
never sends any TLS records of type=23 (application data). So, the<br>
negotiated cipher is not used for very much.<br>
<br>
PEAP and TTLS have "inner" EAP exchanges, that are protected with the<br>
TLS session, and sent as TLS type=23 records.<br>
<br>
Slightly OT, there seems to be some degree of uncertainty about GCM in<br>
general, and whether it's a sensible cipher mode - for example, see<br>
<a href="http://www.imperialviolet.org/2013/01/13/rwc03.html" target="_blank">http://www.imperialviolet.org/2013/01/13/rwc03.html</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 24 May 2013 13:47:36 +0200<br>
From: Pieter Hulshoff <<a href="mailto:phulshof@xs4all.nl">phulshof@xs4all.nl</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: AES-GCM<br>
Message-ID: <2024766.p6x3QSbeB1@spaceballsml><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote:<br>
> On 24/05/13 11:44, Pieter Hulshoff wrote:<br>
> > Hello all,<br>
> ><br>
> > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in<br>
> > the<br>
> > documentation, the wiki or the mailinglist archives, but perhaps I'm<br>
> > looking in the wrong place?<br>
><br>
> Typically this is down the TLS libraries; it's not usually the case that<br>
> the application needs to do anything.<br>
<br>
It seems I have a lot to learn yet about what is and is not a part of<br>
FreeRADIUS. My apologies for pushing (slightly) OT subjects onto the<br>
mailinglist.<br>
<br>
> That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS<br>
> 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve<br>
> itself in this level of detail - that's an aspect of the TLS library<br>
> (OpenSSL) we use, and whatever the EAP-TLS client is using.<br>
<br>
I guess that if we want to use AEAD cyphers we'll need to find another TLS<br>
library or adapt/contribute to OpenSSL?<br>
<br>
> Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP<br>
> or TTLS) never actually sends any data over the TLS session;<br>
> essentially, it consists solely of the handshake. In TLS terms, EAP-TLS<br>
> never sends any TLS records of type=23 (application data). So, the<br>
> negotiated cipher is not used for very much.<br>
<br>
The EAP-TLS Finished (type=20) are secured/signed with this negotiated cipher<br>
though, correct?<br>
<br>
> Slightly OT, there seems to be some degree of uncertainty about GCM in<br>
> general, and whether it's a sensible cipher mode - for example, see<br>
> <a href="http://www.imperialviolet.org/2013/01/13/rwc03.html" target="_blank">http://www.imperialviolet.org/2013/01/13/rwc03.html</a><br>
<br>
Interesting article nontheless. I guess I've been working as a hardware<br>
engineer for too long; I haven't been bothered by timing side-channel attacks<br>
too much. :) It's something to take into consideration though.<br>
<br>
Kind regards,<br>
<br>
Pieter Hulshoff<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Fri, 24 May 2013 13:06:11 +0100<br>
From: Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Re: AES-GCM<br>
Message-ID: <<a href="mailto:519F57B3.9030800@imperial.ac.uk">519F57B3.9030800@imperial.ac.uk</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
On 24/05/13 12:47, Pieter Hulshoff wrote:<br>
> I guess that if we want to use AEAD cyphers we'll need to find another TLS<br>
> library or adapt/contribute to OpenSSL?<br>
<br>
I think they're supported as of OpenSSL 1.0.1, so merely compiling<br>
against that should be sufficient, but both ends then need to use TLS<br>
v1.2 and, as I say, most do not.<br>
<br>
(I'm also not sure if FreeRADIUS explicitly forces a specific TLS<br>
version - it might, check the source code)<br>
<br>
> The EAP-TLS Finished (type=20) are secured/signed with this negotiated cipher<br>
> though, correct?<br>
<br>
Off the top of my head, everything after the change cipher spec is<br>
encrypted with the negotiated symmetric cipher, yes.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Fri, 24 May 2013 14:09:35 +0200<br>
From: Pieter Hulshoff <<a href="mailto:phulshof@xs4all.nl">phulshof@xs4all.nl</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: AES-GCM<br>
Message-ID: <4017853.IFDhid4HjM@spaceballsml><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
On Friday, May 24, 2013 01:47:36 PM Pieter Hulshoff wrote:<br>
> I guess that if we want to use AEAD cyphers we'll need to find another TLS<br>
> library or adapt/contribute to OpenSSL?<br>
<br>
It seems some people are way ahead of me:<br>
<a href="http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations#Encryption_Algorithms" target="_blank">http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations#Encryption_Algorithms</a><br>
Support for AES-GCM was added in v1.0.1<br>
<br>
Kind regards,<br>
<br>
Pieter Hulshoff<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Fri, 24 May 2013 09:53:08 -0400<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: issue with radius accounting<br>
Message-ID: <<a href="mailto:519F70C4.7060604@deployingradius.com">519F70C4.7060604@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Arvind Bahuguni wrote:<br>
> Hi,<br>
> Need help in resolving radius issues. My radius server is not<br>
> processing accounting packets, radius server is sending access-accept<br>
> but not proceeding further with accounting, it will send access-accept<br>
> and start waiting for another request.<br>
<br>
This is in the FAQ. Read it.<br>
<br>
> Looks like some radius server setting issues, please help me .<br>
<br>
So... the RADIUS server doesn't receive packets, and you blame it?<br>
<br>
How about blaming the system which *sends* the accounting packets?<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Fri, 24 May 2013 09:56:59 -0400<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Failure authenticate using IPv6<br>
Message-ID: <<a href="mailto:519F71AB.6090407@deployingradius.com">519F71AB.6090407@deployingradius.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Stefan Winter wrote:<br>
> I don't *know* why this doesn't work, but it does with our global-scope<br>
> addresses just fine, so I'm guessing it's the address type.<br>
><br>
> Especially since link-local addresses are only valid with an interface<br>
> scope.<br>
<br>
Exactly.<br>
<br>
> is the valid address. I don't know if the FreeRADIUS address parser is<br>
> prepared to handle such interface-scoped addresses. There's not much use<br>
> case for this.<br>
<br>
FreeRADIUS calls getaddrinfo, which *should* parse link-local<br>
addresses. I guess...<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 8<br>
Date: Fri, 24 May 2013 10:17:33 -0400<br>
From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>><br>
To: FreeRadius users mailing list<br>
<<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>
Subject: Re: Retrieving eDirectory VLAN attributes<br>
Message-ID: <<a href="mailto:519F767D.5030704@deployingradius.com">519F767D.5030704@deployingradius.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Dan Lietz wrote:<br>
> I?m pretty much a noob when it comes to freeradius as I still don?t<br>
> completely understand what files are used for authorization and<br>
> authentication and where to put different certain pieces of configuration.<br>
<br>
Rule 1: don't touch anything. The configuration is complicated, but<br>
it mostly works.<br>
<br>
The "files used for authorization" are the virtual servers. See<br>
raddb/sites-enabled. Those files reference other configuration. But<br>
it's all reasonably well abstracted.<br>
<br>
i.e. you don't need to know anything about the "mschap" module<br>
configuration to use it. You don't even need to know *where* its<br>
configuration lives. But if you run the server in debugging mode, it<br>
will tell you.<br>
<br>
The "where to put configuration" issue largely depends on what you<br>
want to do. Edit a virtual server? See raddb/sites-enabled. A module?<br>
raddb/modules.<br>
<br>
> I?m trying to set up dynamic vlans for a wireless network with a Ruckus<br>
> Zone Director backend and a freeradius backend authenticating via LDAP<br>
> to eDirectory running on the same box. So far I?ve managed to configure<br>
> 802.11x authentication using PEAP and that is working well.<br>
<br>
That's good.<br>
<br>
> Now I want to be able to retrieve the radius attribute in eDirectory for<br>
> the vlan tag so the Ruckus Zone Directory will automatically place the<br>
> user on the correct vlan once they are authenticated.<br>
<br>
OK.<br>
<br>
> I did some initial testing without using LDAP by adding the following<br>
> lines to my users file:<br>
><br>
><br>
><br>
> DEFAULT<br>
> Tunnel-Type = VLAN,<br>
> Tunnel-Medium-Type = 802,<br>
> Tunnel-Private-Group-ID = 85,<br>
> Fall-Through=Yes<br>
<br>
Yes, that works. It's a good first step.<br>
<br>
> By changing the value of ?Tunnel-Private-Group-ID? (set to 85 in the<br>
> above example) the Zone Director will move users to the vlan ID I<br>
> specify here, but it is obviously static and does not change based on<br>
> the user. The next step is to configure FreeRadius to pull the info from<br>
> eDir via LDAP and that?s the part I?m not getting.<br>
<br>
The "ldap.attrmap" file is in the "raddb" directory. It contains<br>
mappings from LDAP to RADIUS. It's also documented in the comments at<br>
the top of the file.<br>
<br>
> Part of my problem is that I don?t know which attributes mappings are<br>
> built in and which aren?t.<br>
<br>
See ldap.attrmap.<br>
<br>
> According to this document: Integrating<br>
> Novell eDirectory with FreeRadius<br>
> <<a href="https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html" target="_blank">https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html</a>><br>
> the listed radius attributes are available for use, but does that mean I<br>
> don?t need to add them to ldap.attr or the dictionary file at all? Or<br>
> that I don?t need to add an LDAP attribute map to the LDAP Group object<br>
> in iManager?<br>
<br>
The LDAP to RADIUS map is defined in ldap.attrmap. And ONLY in<br>
ldap.attrmap. Go look there. If a mapping isn't there, it isn't<br>
mapped. If it is there, the LDAP attribute (if any) is mapped to the<br>
RADIUS equivalent.<br>
<br>
> The other thing I don?t understand is where (i.e. what file) to put the<br>
> ldap call for said attributes and what the syntax would look like.<br>
<br>
See raddb/sites-available/inner-tunnel, and "default". Look for<br>
"ldap". Read the comments there.<br>
<br>
<br>
> I?ve configured my eap.conf to include ?copy_request_to_tunnel = yes?<br>
> and ?use_tunneled_reply = yes?<br>
<br>
That's correct for your setup.<br>
<br>
Alan DeKok.<br>
<br>
<br>
------------------------------<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
<br>
End of Freeradius-Users Digest, Vol 97, Issue 80<br>
************************************************<br>
</blockquote></div>