Hi,

I am using freeradius v3.0.4 on ubuntu 14.04. 
I tried to send radius request using command "radtest test password localhost 0 testing123"
I got no reply from server.
When I checked for open ports I didnot see any ports opened for freeradius.
What is the command to start freeradius services?
I tried /etc/init/d/freeradius restart which did not work


Thanks,
Kavya



On Wed, Oct 1, 2014 at 11:09 AM, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to
        freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
        freeradius-users-request@lists.freeradius.org

You can reach the person managing the list at
        freeradius-users-owner@lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. RE: Maximum username length
      (Franks Andy (RLZ) IT Systems Engineer)
   2. Re: Maximum username length (Alan DeKok)
   3. Authentication and Authorization (Alex Gregory)
   4. Re: Authentication and Authorization (Nick Owen)
   5. Re: Authentication and Authorization (Alex Gregory)
   6. Re: Authentication and Authorization (Alan DeKok)
   7. EAP-GTC & Yubikey (cellkites@hushmail.com)


----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Sep 2014 15:55:56 +0100
From: "Franks Andy \(RLZ\) IT Systems Engineer"
        <Andy.Franks@sath.nhs.uk>
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Subject: RE: Maximum username length
Message-ID: <20140930145557.4FCC5448906@nhs-pd1e-esg106.ad1.nhs.net>
Content-Type: text/plain;       charset="UTF-8"

They should make a movie..

So you're suggesting I reprogram pfsense then? I'll have to inform the boss it's going to take a bit longer!

Anyway, point taken, I'll have to see what this entails. The string was looking to be pretty long anyway.
:-)



-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 30 September 2014 14:03
To: FreeRadius users mailing list
Subject: Re: Maximum username length

Franks Andy (RLZ) IT Systems Engineer wrote:
>   We?re going to attempt to pass a number of delimited variables
> through via the username field

  Dear god no.  This is a *terrible* idea.  It will cause global warming, rickets, plagues, alien invasions, and help bring on the coming apocalypse.

> and split them at the freeradius end, mostly to avoid rewriting the
> php in the captive portal to use more orthodox existing attributes.

  There's no good reason to push crap onto someone else.  Your laziness just makes life harder for everyone else.

  If you care about your users, *don't* do this.

> Can someone confirm the maximum username field length? I can see in
> the RFCs that 63 is the recommended minimum nas length but there?s not
> much else I can see in there.

  A lot of equipment and systems won't handle more than 63 characters.

  This is a terrible, evil, disgusting idea.  RADIUS is full of enough crap already without people deliberately adding more.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

------------------------------

Message: 2
Date: Tue, 30 Sep 2014 11:36:39 -0400
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: Maximum username length
Message-ID: <542ACE07.9050601@deployingradius.com>
Content-Type: text/plain; charset=UTF-8

Franks Andy (RLZ) IT Systems Engineer wrote:
> So you're suggesting I reprogram pfsense then? I'll have to inform the boss it's going to take a bit longer!

  You can fix pfsense once, or thousands of administrators can curse
your name while they try to "fix" their RADIUS server so that it works
with a non-standard username.

  That's a lot of negative karma.

  Alan DeKok.


------------------------------

Message: 3
Date: Tue, 30 Sep 2014 19:18:20 +0000
From: Alex Gregory <alex@c2company.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Authentication and Authorization
Message-ID: <7A1FE1A4-0B02-4D9E-AB1A-B80D64AF82D3@c2company.com>
Content-Type: text/plain; charset="us-ascii"

Hello-

If I have both LDAP and Proxy configured will FreeRadius use both?  What I am looking for is the FreeRadius server authorize a user in LDAP and if that passes forward the user to the upstream OTP radius server (via proxy.conf) for authentication.  I believe its doing this now with the LDAP module, just authenticating locally, rather than proxied.

Is this possible?

Thanks,

Alex



------------------------------

Message: 4
Date: Tue, 30 Sep 2014 17:02:20 -0400
From: Nick Owen <owen.nick@gmail.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: Authentication and Authorization
Message-ID:
        <CAJC4Zap-F3xJHhJPXjx9vRZoC6-4EHOaafv4wummZpRTdGi9gQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Yes, see this tutorial:
https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius.
Note that you login with the username and OTP.  No ldap password is
needed.

HTH,

Nick

On Tue, Sep 30, 2014 at 3:18 PM, Alex Gregory <alex@c2company.com> wrote:
> Hello-
>
> If I have both LDAP and Proxy configured will FreeRadius use both?  What I am looking for is the FreeRadius server authorize a user in LDAP and if that passes forward the user to the upstream OTP radius server (via proxy.conf) for authentication.  I believe its doing this now with the LDAP module, just authenticating locally, rather than proxied.
>
> Is this possible?
>
> Thanks,
>
> Alex
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


------------------------------

Message: 5
Date: Tue, 30 Sep 2014 22:49:00 +0000
From: Alex Gregory <alex@c2company.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: Authentication and Authorization
Message-ID: <BCBCCE17-2331-4F9E-B664-D66FF01473DA@c2company.com>
Content-Type: text/plain; charset="us-ascii"

Thank you for the link.  I have the OTP working on a test server now with proxying.  The problem is the hosted OTP server does not supply any group or attribute information back yet like this Wikid server does.  But I have two different user groups for two different networks (Corp and Dev users) that need to be differentiated.

In production have two virtual radius servers each doing an LDAP lookup into a different group.  If a user tries to access the incorrect network they are denied because they are not in that group.  Works great.  If I alter the server to proxy the request with the LDAP module configured will it handle things properly?

Thanks,

Alex



On Sep 30, 2014, at 2:02 PM, Nick Owen <owen.nick@gmail.com> wrote:

> Yes, see this tutorial:
> https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius.
> Note that you login with the username and OTP.  No ldap password is
> needed.
>
> HTH,
>
> Nick
>
> On Tue, Sep 30, 2014 at 3:18 PM, Alex Gregory <alex@c2company.com> wrote:
>> Hello-
>>
>> If I have both LDAP and Proxy configured will FreeRadius use both?  What I am looking for is the FreeRadius server authorize a user in LDAP and if that passes forward the user to the upstream OTP radius server (via proxy.conf) for authentication.  I believe its doing this now with the LDAP module, just authenticating locally, rather than proxied.
>>
>> Is this possible?
>>
>> Thanks,
>>
>> Alex
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
> --
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



------------------------------

Message: 6
Date: Tue, 30 Sep 2014 21:26:56 -0400
From: Alan DeKok <aland@deployingradius.com>
To: FreeRadius users mailing list
        <freeradius-users@lists.freeradius.org>
Subject: Re: Authentication and Authorization
Message-ID: <542B5860.5010803@deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Alex Gregory wrote:
> Thank you for the link.  I have the OTP working on a test server now with proxying.  The problem is the hosted OTP server does not supply any group or attribute information back yet like this Wikid server does.

  There are no standard RADIUS attributes which carry that information.
 If you need it, the OTP server may not even be able to send that
information in RADIUS.

>  But I have two different user groups for two different networks (Corp and Dev users) that need to be differentiated.
>
> In production have two virtual radius servers each doing an LDAP lookup into a different group.  If a user tries to access the incorrect network they are denied because they are not in that group.  Works great.  If I alter the server to proxy the request with the LDAP module configured will it handle things properly?

  LDAP lookups are completely independent of proxying.

  If configured correctly, it should work.

  Alan DeKok.


------------------------------

Message: 7
Date: Wed, 01 Oct 2014 13:39:23 +0800
From: cellkites@hushmail.com
To: freeradius-users@lists.freeradius.org
Subject: EAP-GTC & Yubikey
Message-ID: <20141001053923.E3D29C0105@smtp.hushmail.com>
Content-Type: text/plain; charset="utf-8"

I've been attempting to integrate yubikeys with freeradius and have
had great success with the included yubikey module authenticating
against both stored aes keys and a private otp validation server.
However I am now attempting to use them in conjunction with EAP-GTC
and am slightly lost.

Under the gtc section of the eap module config i see that a user
password is returned from the connecting client and passed onto
another module for authentication. Is it possible to then pass this to
the yubikey module to extract the otp portion, authenticate the otp
and then continue with PAP authentication using the users password?

Is there another way i should be going about this?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141001/cc61eb8c/attachment.html>

------------------------------

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest, Vol 114, Issue 1
************************************************