<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><span style="background-color: rgba(255, 255, 255, 0);">Good evening,</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">Thank you for your suggestions/ reply. </span></div><div><span style="background-color: rgba(255, 255, 255, 0);">My comments/ questions are underneath your thoughts using ">>". </span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">I have been working with FreeRadius and reading these threads for<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">some time now trying to figure out how to properly configure and<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">implement EAP-TLS using ECDHE-ECDSA ciphers.  </span></font></blockquote><span style="background-color: rgba(255, 255, 255, 0);"><br> Set the right parameters for OpenSSL.</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br>>> Do you mean within the OpenSSL source code? I've been trying to track down the location of where OpenSSL picks a TLS 1.0 handshake over TLS 1.2. 
<br><br></span><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">I am writing because perhaps there is a FreeRadius setting/ concept that<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">I have been foolishly neglecting.</span></font></blockquote><span style="background-color: rgba(255, 255, 255, 0);"><br> All of the required OpenSSL settings are in the FreeRADIUS config<br>files.  And documented there.</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br>>> I'll continue to read. Is it acceptable under the ECC Curve section in eap.conf to use two elliptic curves?  That is what Wireshark is sending over. <br><br></span><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">The client (wpa_supplicant) sends FreeRadius a Client Hello over TLS 1.0<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">(could perhaps cause problems with ECC?) and then FreeRadius rejects it<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">because of an "SSL3_CLIENT_HELLO: no shared cipher."  However, I have<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">confirmed that the latest version of OpenSSL supports my cipher.  </span></font></blockquote><span style="background-color: rgba(255, 255, 255, 0);"><br> Use Wireshark to look at the packets.  
It should be able to decode<br>both sides of the EAP-TLS conversation, and show you which ciphers are<br>being used.</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">>> Wireshark has been showing the correct cipher suites are available on both sides, which is odd.  It seems that the FR server rejects the Client Hello right away, even though the Client Hello seemingly has all the necessary information. Could it have something to do with Users/ clients.conf?  I can't seem to figure out any combination that does the trick. <br><br></span><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">Does the EAP.conf/ FR have anything to do with Elliptic Curves and<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">their shared cipher besides putting in "ALL" for the cipher and<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">"secptxxx" for the curve?</span></font></blockquote><span style="background-color: rgba(255, 255, 255, 0);"><br> That should be it.  Depending on OpenSSL magic, maybe "ALL" doesn't<br>mean "ALL".  
Try listing the ciphers explicitly.<br><br>>> Will do.<br><br></span><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">I have also confirmed through OpenSSL's s_client/ s_server program<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">that my certificates are set up properly and ONLY succeed with TLS1_2<br></span></font></blockquote><blockquote type="cite"><font color="#000000"><span style="background-color: rgba(255, 255, 255, 0);">and not TLS1.0 or TLS1.1.</span></font></blockquote><span style="background-color: rgba(255, 255, 255, 0);"><br> That tests the local OpenSSL.  It doesn't test the remote end.<br><br> It's possible that the remote end doesn't support the ciphers.<br><br>>> Both machines are identical CentOS images, except for the configuration for FR and wpa_supplicant on the respective machines. Also, s_client/ s_server works on both. </span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">Thank you very much for your thoughts. Much appreciated. 
</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">Max </span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br> <br></span>Sent via mobile<div><br></div></div><div><br>On Nov 2, 2014, at 6:00 AM, <a href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a> wrote:<br><br></div><blockquote type="cite"><div><span>Today's Topics:</span><br><span></span><br><span>   1. Re: issue with reaped processes timing out in rad_waitpid</span><br><span>      (Alan DeKok)</span><br><span>   2. Re: EAP-TLS Suggestions on FreeRadius (Alan DeKok)</span><br><span>   3. Re: 3.0.x rlm_sql mime encoding UTF8 characters (Isaac Boukris)</span><br><span>   4. Re: Dailycounter not working (Matej Žerovnik)</span><br><span>   5. 
Re: radius logs with garbage username (Jan Rafaj)</span><br><span></span><br><span></span><br><span>----------------------------------------------------------------------</span><br><span></span><br><span>Message: 1</span><br><span>Date: Sat, 01 Nov 2014 09:05:08 -0400</span><br><span>From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>></span><br><span>To: FreeRadius users mailing list</span><br><span>    <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>></span><br><span>Subject: Re: issue with reaped processes timing out in rad_waitpid</span><br><span>Message-ID: <<a href="mailto:5454DA84.50302@deployingradius.com">5454DA84.50302@deployingradius.com</a>></span><br><span>Content-Type: text/plain; charset=ISO-8859-1</span><br><span></span><br><span>Alex Sharaz wrote:</span><br><blockquote type="cite"><span>So just to check, if I download the latest version of 2.x.x from <a href="http://git.freeradius.org">git.freeradius.org</a> as outlined at <a href="http://freeradius.org/git">freeradius.org/git</a> it'll have your patch in it?</span><br></blockquote><span></span><br><span><a href="https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x">https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x</a></span><br><span></span><br><span>  Look at the right side of the screen.  
There's a button "download zip".</span><br><span></span><br><span>  Alan DeKok.</span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 2</span><br><span>Date: Sat, 01 Nov 2014 09:07:49 -0400</span><br><span>From: Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>></span><br><span>To: FreeRadius users mailing list</span><br><span>    <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>></span><br><span>Subject: Re: EAP-TLS Suggestions on FreeRadius</span><br><span>Message-ID: <<a href="mailto:5454DB25.7020901@deployingradius.com">5454DB25.7020901@deployingradius.com</a>></span><br><span>Content-Type: text/plain; charset=UTF-8</span><br><span></span><br><span>Max Freeman wrote:</span><br><blockquote type="cite"><span>I have been working with FreeRadius and reading these threads for</span><br></blockquote><blockquote type="cite"><span>some time now trying to figure out how to properly configure and</span><br></blockquote><blockquote type="cite"><span>implement EAP-TLS using ECDHE-ECDSA ciphers.  </span><br></blockquote><span></span><br><span>  Set the right parameters for OpenSSL.</span><br><span></span><br><blockquote type="cite"><span>I am writing because perhaps there is a FreeRadius setting/ concept that</span><br></blockquote><blockquote type="cite"><span>I have been foolishly neglecting.</span><br></blockquote><span></span><br><span>  All of the required OpenSSL settings are in the FreeRADIUS config</span><br><span>files.  And documented there.</span><br><span></span><br><blockquote type="cite"><span>The client (wpa_supplicant) sends FreeRadius a Client Hello over TLS 1.0</span><br></blockquote><blockquote type="cite"><span> (could perhaps cause problems with ECC?) and then FreeRadius rejects it</span><br></blockquote><blockquote type="cite"><span>because of an "SSL3_CLIENT_HELLO: no shared cipher."  
However, I have</span><br></blockquote><blockquote type="cite"><span>confirmed that the latest version of OpenSSL supports my cipher.  </span><br></blockquote><span></span><br><span>  Use Wireshark to look at the packets.  It should be able to decode</span><br><span>both sides of the EAP-TLS conversation, and show you which ciphers are</span><br><span>being used.</span><br><span></span><br><blockquote type="cite"><span>Does the EAP.conf/ FR have anything to do with Elliptic Curves and</span><br></blockquote><blockquote type="cite"><span>their shared cipher besides putting in "ALL" for the cipher and</span><br></blockquote><blockquote type="cite"><span>"secptxxx" for the curve?</span><br></blockquote><span></span><br><span>  That should be it.  Depending on OpenSSL magic, maybe "ALL" doesn't</span><br><span>mean "ALL".  Try listing the ciphers explicitly.</span><br><span></span><br><blockquote type="cite"><span>I have also confirmed through OpenSSL's s_client/ s_server program</span><br></blockquote><blockquote type="cite"><span>that my certificates are set up properly and ONLY succeed with TLS1_2</span><br></blockquote><blockquote type="cite"><span>and not TLS1.0 or TLS1.1.</span><br></blockquote><span></span><br><span>  That tests the local OpenSSL.  
It doesn't test the remote end.</span><br><span></span><br><span>  It's possible that the remote end doesn't support the ciphers.</span><br><span></span><br><span>  Alan DeKok.</span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 3</span><br><span>Date: Sat, 1 Nov 2014 16:24:53 +0200</span><br><span>From: Isaac Boukris <<a href="mailto:iboukris@gmail.com">iboukris@gmail.com</a>></span><br><span>To: FreeRadius users mailing list</span><br><span>    <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>></span><br><span>Subject: Re: 3.0.x rlm_sql mime encoding UTF8 characters</span><br><span>Message-ID:</span><br><span>    <<a href="mailto:CAC-fF8RjDSAn7U4418hstWnoF4=K_Tjau_e1MpyvJ=w6npXoyA@mail.gmail.com">CAC-fF8RjDSAn7U4418hstWnoF4=K_Tjau_e1MpyvJ=w6npXoyA@mail.gmail.com</a>></span><br><span>Content-Type: text/plain; charset=UTF-8</span><br><span></span><br><span>Hi,</span><br><span></span><br><span>On Mon, Oct 27, 2014 at 4:31 PM, Adam Hammond <<a href="mailto:adam.hammond@wicoms.com">adam.hammond@wicoms.com</a>> wrote:</span><br><span>...</span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>My questions are:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Is there a way for me to get rlm_sql to accept UTF8 characters? 
Or even ignore that check (at my own risk)?</span><br></blockquote><span></span><br><span>I was faced with the same problem today (version 2.5.5).</span><br><span></span><br><span>I managed to get it working by replacing the function</span><br><span>'sql_escape_func' in 'rlm_sql.c' with the function</span><br><span>'sql_utf8_escape_func' from 'rlm_sql_log.c' file.</span><br><span></span><br><span>This seems to pass basic tests, but I am not sure what the</span><br><span>implications of this change are.</span><br><span></span><br><span>HTH,</span><br><span>Isaac B.</span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 4</span><br><span>Date: Sat, 01 Nov 2014 16:46:53 +0100</span><br><span>From: Matej Žerovnik <<a href="mailto:matej@zunaj.si">matej@zunaj.si</a>></span><br><span>To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a></span><br><span>Subject: Re: Dailycounter not working</span><br><span>Message-ID: <<a href="mailto:5455006D.9040409@zunaj.si">5455006D.9040409@zunaj.si</a>></span><br><span>Content-Type: text/plain; charset=windows-1252; format=flowed</span><br><span></span><br><span>On 28.10.2014 21:26, Matej Žerovnik wrote:</span><br><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>On 20.10.2014 23:40, Alan DeKok wrote:</span><br></blockquote><blockquote type="cite"><blockquote type="cite"><span>Matej Žerovnik wrote:</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>  Hello!</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>I'm trying to use dailycounter on an LDAP authenticated user and 
it</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>doesn't seem to work. I think I did all steps correctly, but then </span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>again,</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>I have been wrong before :)</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>...</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>rlm_sql (sql): Released sql socket id: 2</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>[sql] User testuser not found</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>++[sql] returns notfound</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>   The "testuser" isn't found.  So the sqlcounter module can't do its</span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span>job, because it doesn't know what value to use for the session limit. 
</span><br></blockquote></blockquote><span>I posted this a while ago, but I'm trying my luck one more time if </span><br><span>anyone can point me in the right direction:</span><br><span></span><br><span>This is the part that is giving me troubles...</span><br><span>My users exist in LDAP to which I don't have access, but I can </span><br><span>authenticate with UserDN.</span><br><span>I added entry</span><br><span>testuser Max-Daily-Session := 600</span><br><span>to mysql radcheck table hoping radius will pick it up and use it in </span><br><span>'dailycounter'.</span><br><span></span><br><span>Access-request packet looks like this:</span><br><span>rad_recv: Access-Request packet from host 10.10.10.10 port 33651, id=75, </span><br><span>length=202</span><br><span>         NAS-Port-Type = Wireless-802.11</span><br><span>         Calling-Station-Id = "00:24:D7:47:1C:XX"</span><br><span>         Called-Station-Id = "hs-kit-testing"</span><br><span>         NAS-Port-Id = "bridge-bralci"</span><br><span>         User-Name = "testuser"</span><br><span>         NAS-Port = 2151677975</span><br><span>         Acct-Session-Id = "80400017"</span><br><span>         Framed-IP-Address = 192.168.81.198</span><br><span>         Mikrotik-Host-IP = 192.168.81.198</span><br><span>         User-Password = "password"</span><br><span>         Service-Type = Login-User</span><br><span>         WISPr-Logoff-URL = "<a href="http://192.168.81.1">http://192.168.81.1</a>"</span><br><span>         NAS-Identifier = "kit-testing"</span><br><span>         NAS-IP-Address = 192.168.1.116</span><br><span></span><br><span>Can RADIUS use the username provided in access-request for the </span><br><span>sqldailycounter?</span><br><span>Is that even supposed to work?</span><br><span>Can I use 'dailycounter' on LDAP authenticated users or does that only </span><br><span>work on local users, who are in sql database?</span><br><span></span><br><span>Matej</span><br><span></span><br><span>-- 
</span><br><span>---</span><br><span>Matej Zerovnik</span><br><span></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>Message: 5</span><br><span>Date: Sun, 2 Nov 2014 01:09:58 +0100 (MET)</span><br><span>From: Jan Rafaj <<a href="mailto:jr-freeradius@cedric.unob.cz">jr-freeradius@cedric.unob.cz</a>></span><br><span>To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a></span><br><span>Subject: Re: radius logs with garbage username</span><br><span>Message-ID: <<a href="mailto:alpine.LNX.2.00.1411020109001.2774@cedric.unob.cz">alpine.LNX.2.00.1411020109001.2774@cedric.unob.cz</a>></span><br><span>Content-Type: TEXT/Plain; format=flowed; charset=US-ASCII</span><br><span></span><br><span></span><br><span>On Wed, 29 Oct 2014, Rando Nakarmi wrote:</span><br><span></span><br><blockquote type="cite"><span>I have few fews which has garbage username, why does this happen?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>radiusd[367]: Login OK: [u2ttxxBZPlxGkGvGiM6lhPw==]</span><br></blockquote><blockquote type="cite"><span>radiusd[369]: Login OK: [f2vnxxBZPlxGkGvGiM6lhPw==]</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>any help</span><br></blockquote><span></span><br><span>Sounds like incorrectly configured mobile phones with Symbian OS.</span><br><span>(If not configured correctly for WPAx-Enterprise, they tend to send</span><br><span>identities with multiple delimiters, base64-encoded cert parts,</span><br><span>and what not, in the User-Name...).</span><br><span></span><br><span></span><br><span></span><br><span>------------------------------</span><br><span></span><br><span>End of Freeradius-Users Digest, Vol 115, Issue 3</span><br></div></blockquote></body></html>
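As an added illustration of the EAP-TLS exchange discussed in the thread (not code from the list, FreeRADIUS or OpenSSL): a small parser for the ClientHello that Wireshark decodes, plus an approximation of the server-side selection that ends in "no shared cipher". The cipher-suite and curve tables are a constructed subset of the IANA registries and the ClientHello is built in code rather than captured; the selection logic is a simplified model of OpenSSL's behaviour, not its source. It shows that the record layer says TLS 1.0 even for a TLS 1.2 handshake, that a client listing several curves is normal, and that the server certificate's curve missing from the client's list also produces "no shared cipher" even when the cipher names match.

```python
import struct

CIPHERS = {0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
           0xC009: "ECDHE-ECDSA-AES128-SHA", 0x002F: "AES128-SHA"}  # constructed IANA subset
CURVES = {23: "prime256v1", 24: "secp384r1", 25: "secp521r1"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(client_ver, suites, curves):
    """Constructed ClientHello: record layer says TLS 1.0, handshake says client_ver."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    groups = b"".join(struct.pack("!H", c) for c in curves)
    ext = struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups  # supported_groups
    hello = (struct.pack("!H", client_ver) + bytes(32) + b"\x00"   # version, random, no session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"        # cipher suites, null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello            # handshake type 1 = ClientHello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs             # record type 22 = handshake

def parse_client_hello(record):
    """Return record version, handshake version, offered suites and named curves."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32 + 1 + hello[34]                                     # skip random and session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + hello[pos]                                            # skip compression methods
    curves = []
    if pos + 2 <= len(hello):                                        # extensions are optional
        pos, end = pos + 2, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 10:                                          # supported_groups (elliptic_curves)
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return {"record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "client_version": VERSIONS.get(client_ver, hex(client_ver)),
            "cipher_suites": [CIPHERS.get(s, hex(s)) for s in suites],
            "curves": [CURVES.get(c, str(c)) for c in curves]}

def explain_no_shared_cipher(record, server_cipher_list, server_cert_curve):
    """Simplified model of the server's choice: a suite is usable only if both sides list it,
    the handshake version allows it, and (ECDHE-ECDSA) the client lists the certificate's curve."""
    h = parse_client_hello(record)
    common = [c for c in h["cipher_suites"] if c in server_cipher_list]
    if not common:
        return "no suite in common; client offers " + ", ".join(h["cipher_suites"])
    needs_tls12 = lambda c: "GCM" in c or c.endswith(("SHA256", "SHA384"))
    usable = [c for c in common if h["client_version"] == "TLS 1.2" or not needs_tls12(c)]
    if not usable:
        return "common suites need TLS 1.2 but the handshake version is " + h["client_version"]
    for c in usable:
        if c.startswith("ECDHE-ECDSA") and server_cert_curve not in h["curves"]:
            continue                                                 # dropped: certificate curve unusable
        return "selected " + c
    return "client does not list the certificate curve %s; it offers %s" % (
        server_cert_curve, ", ".join(h["curves"]))
```

Feed `parse_client_hello` the raw TLS record bytes exported from Wireshark (or one built with `build_client_hello`) and compare its output with the `cipher_list` and `ecdh_curve` settings in eap.conf.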