Hi, I am using freeradius v3.0.4 on ubuntu 14.04. I tried to send radius request using command "radtest test password localhost 0 testing123" I got no reply from server. When I checked for open ports I didnot see any ports opened for freeradius. What is the command to start freeradius services? I tried /etc/init/d/freeradius restart which did not work Thanks, Kavya On Wed, Oct 1, 2014 at 11:09 AM, < freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: Maximum username length (Franks Andy (RLZ) IT Systems Engineer) 2. Re: Maximum username length (Alan DeKok) 3. Authentication and Authorization (Alex Gregory) 4. Re: Authentication and Authorization (Nick Owen) 5. Re: Authentication and Authorization (Alex Gregory) 6. Re: Authentication and Authorization (Alan DeKok) 7. EAP-GTC & Yubikey (cellkites@hushmail.com)
----------------------------------------------------------------------
Message: 1 Date: Tue, 30 Sep 2014 15:55:56 +0100 From: "Franks Andy \(RLZ\) IT Systems Engineer" <Andy.Franks@sath.nhs.uk> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: RE: Maximum username length Message-ID: <20140930145557.4FCC5448906@nhs-pd1e-esg106.ad1.nhs.net> Content-Type: text/plain; charset="UTF-8"
They should make a movie..
So you're suggesting I reprogram pfsense then? I'll have to inform the boss it's going to take a bit longer!
Anyway, point taken, I'll have to see what this entails. The string was looking to be pretty long anyway. :-)
-----Original Message----- From: freeradius-users-bounces+andy.franks= sath.nhs.uk@lists.freeradius.org [mailto: freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 30 September 2014 14:03 To: FreeRadius users mailing list Subject: Re: Maximum username length
Franks Andy (RLZ) IT Systems Engineer wrote:
We?re going to attempt to pass a number of delimited variables through via the username field
Dear god no. This is a *terrible* idea. It will cause global warming, rickets, plagues, alien invasions, and help bring on the coming apocalypse.
and split them at the freeradius end, mostly to avoid rewriting the php in the captive portal to use more orthodox existing attributes.
There's no good reason to push crap onto someone else. Your laziness just makes life harder for everyone else.
If you care about your users, *don't* do this.
Can someone confirm the maximum username field length? I can see in the RFCs that 63 is the recommended minimum nas length but there?s not much else I can see in there.
A lot of equipment and systems won't handle more than 63 characters.
This is a terrible, evil, disgusting idea. RADIUS is full of enough crap already without people deliberately adding more.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 2 Date: Tue, 30 Sep 2014 11:36:39 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Maximum username length Message-ID: <542ACE07.9050601@deployingradius.com> Content-Type: text/plain; charset=UTF-8
Franks Andy (RLZ) IT Systems Engineer wrote:
So you're suggesting I reprogram pfsense then? I'll have to inform the boss it's going to take a bit longer!
You can fix pfsense once, or thousands of administrators can curse your name while they try to "fix" their RADIUS server so that it works with a non-standard username.
That's a lot of negative karma.
Alan DeKok.
------------------------------
Message: 3 Date: Tue, 30 Sep 2014 19:18:20 +0000 From: Alex Gregory <alex@c2company.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Authentication and Authorization Message-ID: <7A1FE1A4-0B02-4D9E-AB1A-B80D64AF82D3@c2company.com> Content-Type: text/plain; charset="us-ascii"
Hello-
If I have both LDAP and Proxy configured will FreeRadius use both? What I am looking for is the FreeRadius server authorize a user in LDAP and if that passes forward the user to the upstream OTP radius server (via proxy.conf) for authentication. I believe its doing this now with the LDAP module, just authenticating locally, rather than proxied.
Is this possible?
Thanks,
Alex
------------------------------
Message: 4 Date: Tue, 30 Sep 2014 17:02:20 -0400 From: Nick Owen <owen.nick@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authentication and Authorization Message-ID: < CAJC4Zap-F3xJHhJPXjx9vRZoC6-4EHOaafv4wummZpRTdGi9gQ@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
Yes, see this tutorial:
https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-... . Note that you login with the username and OTP. No ldap password is needed.
HTH,
Nick
On Tue, Sep 30, 2014 at 3:18 PM, Alex Gregory <alex@c2company.com> wrote:
Hello-
If I have both LDAP and Proxy configured will FreeRadius use both? What I am looking for is the FreeRadius server authorize a user in LDAP and if that passes forward the user to the upstream OTP radius server (via proxy.conf) for authentication. I believe its doing this now with the LDAP module, just authenticating locally, rather than proxied.
Is this possible?
Thanks,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc. http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
------------------------------
Message: 5 Date: Tue, 30 Sep 2014 22:49:00 +0000 From: Alex Gregory <alex@c2company.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authentication and Authorization Message-ID: <BCBCCE17-2331-4F9E-B664-D66FF01473DA@c2company.com> Content-Type: text/plain; charset="us-ascii"
Thank you for the link. I have the OTP working on a test server now with proxying. The problem is the hosted OTP server does not supply any group or attribute information back yet like this Wikid server does. But I have two different user groups for two different networks (Corp and Dev users) that need to be differentiated.
In production have two virtual radius servers each doing an LDAP lookup into a different group. If a user tries to access the incorrect network they are denied because they are not in that group. Works great. If I alter the server to proxy the request with the LDAP module configured will it handle things properly?
Thanks,
Alex
On Sep 30, 2014, at 2:02 PM, Nick Owen <owen.nick@gmail.com> wrote:
Yes, see this tutorial:
https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-... .
Note that you login with the username and OTP. No ldap password is needed.
HTH,
Nick
On Tue, Sep 30, 2014 at 3:18 PM, Alex Gregory <alex@c2company.com> wrote:
Hello-
If I have both LDAP and Proxy configured will FreeRadius use both? What I am looking for is the FreeRadius server authorize a user in LDAP and if that passes forward the user to the upstream OTP radius server (via proxy.conf) for authentication. I believe its doing this now with the LDAP module, just authenticating locally, rather than proxied.
Is this possible?
Thanks,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc. http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 6 Date: Tue, 30 Sep 2014 21:26:56 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authentication and Authorization Message-ID: <542B5860.5010803@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Alex Gregory wrote:
Thank you for the link. I have the OTP working on a test server now with proxying. The problem is the hosted OTP server does not supply any group or attribute information back yet like this Wikid server does.
There are no standard RADIUS attributes which carry that information. If you need it, the OTP server may not even be able to send that information in RADIUS.
But I have two different user groups for two different networks (Corp and Dev users) that need to be differentiated.
In production have two virtual radius servers each doing an LDAP lookup into a different group. If a user tries to access the incorrect network they are denied because they are not in that group. Works great. If I alter the server to proxy the request with the LDAP module configured will it handle things properly?
LDAP lookups are completely independent of proxying.
If configured correctly, it should work.
Alan DeKok.
------------------------------
Message: 7 Date: Wed, 01 Oct 2014 13:39:23 +0800 From: cellkites@hushmail.com To: freeradius-users@lists.freeradius.org Subject: EAP-GTC & Yubikey Message-ID: <20141001053923.E3D29C0105@smtp.hushmail.com> Content-Type: text/plain; charset="utf-8"
I've been attempting to integrate yubikeys with freeradius and have had great success with the included yubikey module authenticating against both stored aes keys and a private otp validation server. However I am now attempting to use them in conjunction with EAP-GTC and am slightly lost.
Under the gtc section of the eap module config i see that a user password is returned from the connecting client and passed onto another module for authentication. Is it possible to then pass this to the yubikey module to extract the otp portion, authenticate the otp and then continue with PAP authentication using the users password?
Is there another way i should be going about this?