Many thanks, Mega fast replies guys and also thanks to Fajar Nugraha :) Stuart -----Original message-----
From:freeradius-users-request@lists.freeradius.org <freeradius-users-request@lists.freeradius.org> Sent: Thursday 31st July 2014 11:05 To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 111, Issue 87
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: Freeradius-Users Digest, Vol 111, Issue 84 (Stefan Paetow)
----------------------------------------------------------------------
Message: 1 Date: Thu, 31 Jul 2014 09:53:03 +0000 From: Stefan Paetow <Stefan.Paetow@ja.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: RE: Freeradius-Users Digest, Vol 111, Issue 84 Message-ID: <C072996E0B81144DBB9426B44462540C0D691CE3@EXC001> Content-Type: text/plain; charset="us-ascii"
Stuart:
https://launchpad.net/~freeradius/+archive/ubuntu/testing-3.x
These builds are being maintained by Fajar Nugraha, who is also very active on this list.
Please note, you *must* uninstall FR 2.x and then move your configuration away from the standard /etc/freeradius before installing these, as FR 2.x configuration files are not entirely compatible with FR 3.x. It is recommended that you copy the changes in your 2.x configuration to 3.x manually.
:-)
Stefan
-----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Stuart Naylor Sent: 31 July 2014 10:33 To: freeradius-users@lists.freeradius.org Subject: RE: Freeradius-Users Digest, Vol 111, Issue 84
Thanks Arran ,
Apols as stuck back in time due to Ubuntu.
Are there any debs anywhere is the compiler always scares this noob :)
Just had a search and everything is firmly stuck in the land of 2.0 series.
Is there anyway to add multiple ldap search queries with different base DNs.
Just stuck as bit stumped that scope=sub isn't supported?!
Stuart
-----Original message-----
From:freeradius-users-request@lists.freeradius.org <freeradius-users-request@lists.freeradius.org> Sent: Thursday 31st July 2014 0:45 To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 111, Issue 84
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. RE: Freeradius Log with Rsyslog (Puzzel) 2. Re: Multivalued attributes (Herwin Weststrate) 3. TLS Alert: Fatal: Protocol version (Soham T. Aurangabadkar) 4. LDAP scope (Stuart Naylor) 5. Re: LDAP scope (Arran Cudbard-Bell) 6. Re: Some inconsistencies concerning OpenSSL include configuration in FRS 3 (Arran Cudbard-Bell)
----------------------------------------------------------------------
Message: 1 Date: Wed, 30 Jul 2014 19:56:02 +0200 From: "Puzzel" <puzzel1982@gmail.com> To: "'FreeRadius users mailing list'" <freeradius-users@lists.freeradius.org> Subject: RE: Freeradius Log with Rsyslog Message-ID: <009f01cfac1f$87e243b0$97a6cb10$@com> Content-Type: text/plain; charset="us-ascii"
You need to install rsyslog daemon on radius machine. Then in /etc/rsyslog.conf
# Save radius logs into file
local1.* /var/log/radius/radius.log
# All to syslog server
*.* @ip_address_of_your_syslog_server
It works fine form me
-----Original Message----- From: freeradius-users-bounces+puzzel1982=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+puzzel1982=gmail.com@lists.freeradius .org] On Behalf Of Marco Aresu Sent: Wednesday, July 30, 2014 3:43 PM To: FreeRadius users mailing list Subject: Freeradius Log with Rsyslog
Hi all,
i ve configured Freeradius on my server and i would like to forward authentication log to an external server. I saw in the forum that i have to change Logdir from file to syslog but where do i have to specify the destination server?
Thanks
Marco Aresu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 2 Date: Wed, 30 Jul 2014 20:08:06 +0200 From: Herwin Weststrate <herwin@quarantainenet.nl> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Multivalued attributes Message-ID: <53D93486.6060203@quarantainenet.nl> Content-Type: text/plain; charset=windows-1252
On 30-07-14 11:51, Phil Mayers wrote:
On 30/07/14 09:21, Herwin Weststrate wrote:
What would the semantics be if a negative comparison operator would be used, like this?
if (Attr[*] !~ /regex/)
My intuition would say this would only be true if none of the attributes matches, instead of if at least one of the attributes matches.
Assuming I've understood correctly, using the analogy of the postgres operator, this is more like:
if (any Attr !~ /regex/)
i.e. if any of the attributes *don't* match.
That would make the following two expressions different:
if (Attr[*] !~ /regex/) if (!(Attr[*] =~ /regex/))
First one is true if any of the attributes doesn't match the regex, the second one if none of the attribute match the regex. I would expect them to return the same. There might be some rule or lemma in mathematical set theory here, but I'm not really sure about that (especially since that would probably require explicit any/all-modifiers).
The regex operators would presumably have the special behaviour of setting capture groups for the first of the attributes. This doesn't have much meaning for !~
Using capture groups with !~ would require an else (because if the regex doesn't match, there are no capture groups). Using code like that would just be stupid:
if (Attr !~ /(regex)/) { ... } else { # Do someting with %{1} }
Just write it a little bit different and use =~. But this discussion is not really related to multivalued attributes.
And I'm not sure what the expected result should be in the following statement:
if (Attr[*] > 10)
Likewise
if (any Attr > 10)
This gives the same behaviour as with !~, I would expect these two to be the same
if (Attr[*] > 10) if (!(Attr[*] <= 9))
About a year ago I was working on a small filtering language for an API which required multi-valued attributes. We changed the use of >, <, <= and >= to yield to syntax errors when combined with multi-valued attributes, because nobody here really knew what they were supposed to do in this context.
-- Herwin Weststrate
------------------------------
Message: 3 Date: Wed, 30 Jul 2014 16:06:21 -0400 (EDT) From: "Soham T. Aurangabadkar" <sohama4@ccs.neu.edu> To: freeradius-users@lists.freeradius.org Subject: TLS Alert: Fatal: Protocol version Message-ID: <10005916.567041406750781574.JavaMail.root@zimbra> Content-Type: text/plain; charset=utf-8
Hello, I am getting a strange error in my FreeRADIUS debug output, which I have posted below. I have built the client using C, OpenSSL and raw sockets, and uses the 'user@example.com.pem' certificate generated by the scripts provided in /raddb/certs. Can you please tell me where am I going wrong? It is an error at the penultimate step of the EAP-TLS exchange. Thank you ! :)
- Soham
rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=254, length=829 User-Name = "sohama411111" Called-Station-Id = "ec-e5-55-9c-c3-b6" Calling-Station-Id = "00:24:9b:0c:2f:6e" NAS-Identifier = "ec-e5-55-9c-c3-ac" NAS-IP-Address = 192.168.1.11 NAS-Port = 6 Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xa2a1f780a7a7fad11c1fdcdf4905f39b EAP-Message = 0x020602a00d8000000a825997f20225258bb1ff09cf6b173f27777f32ed2ef263a69ea7500fa0df24d984336cfaa193a9be78c06dc15278b6ef4b7cd930d166dd8427b3d155235edc0ce87fedcb214f913db8080089ccb1c651ec2042c9f1f8438926650157af19f77f059a5be97bb32f4c522230719d03a1f6553f3e311249f84eb6bb6740d218c346fe6fb5e08a471fe90bce818d62480b66b82412ff00a1fde2d7e9e2ef2c09d9dcddb20923c9d911fc13aa74742728bf7a2228a1a3de6cb4e9375b66638d73dee5d6dfde7144f8d701a9e16304225c983231cb1bbf1d67f713eb13d5ad916e404c71160301004610000042410414242a58afc24797 EAP-Message = 0x1adbed2ab769f9d1840a5956aad1bc07ec4de29645f706568bdeb474f455be264384b32a21ef52fa83a0ce73f1eb065a0a67cde112c2082916030101060f0001020100cb37b6b39e07acbe5db0119c5f7bc8d2aef80ae74c33c1c7c4e3a85bdb9d98a0c540d9d16d6f08d0e019b1fce07a337e9869e079519f2f65161a744f38b0a3e541461a74c2c05adebde38b07c6c6d7301be51de656cf231ff4d58e4836e09633bdc379bca36a538b5bc4646e2a212b9c436af8749840e14d646268d52770f263e0bcbc965b37ae0d0dbb5e3e259882a29cdfb0f7eaba21d984748d017f4e495bcbe909d71e2f7a3d08689a49d9479e4887ea0558293d4e0dcc74 EAP-Message = 0x61e3d33b48576d468e293468648476786964d5d050203aa0706fef1426432c3e5f5e49d33f77148209d34f01928db02b6b8d30338b9fd51e589b57576217a16c19c5a60bc875140301000101160301003099875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981f32a93c53ba178cf38c3be709ef5a241f1641f18bfc86cff1503010020ecc14febfeb1efd89ca273228fabc163f4d2536f8077de497b8257f10c0cfd80 Message-Authenticator = 0xb2addbdef36eea66889ed2c3e3ee302e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2690 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 08c7], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = sohama411111 [tls] --> BUF-Name = Example Certificate Authority [tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority [tls] --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority [tls] --> verify return:1 TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = sohama411111 [tls] --> BUF-Name = sohama4@gmail.com [tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=sohama4@gmail.com/emailAddress=sohama4@gmail.com [tls] --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully [tls] <<< TLS 1.0 Alert [length 0002], fatal protocol_version TLS Alert read:fatal:protocol version rlm_eap: SSL error error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version SSL Connection Established [tls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 254 to 192.168.1.11 port 62733 EAP-Message = 0x010700450d800000003b1403010001011603010030fcca5a85d37c2ec29f40904ccb9dbe3ac886668b24f36a70ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b Finished request 6. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=255, length=159 User-Name = "sohama411111" Called-Station-Id = "ec-e5-55-9c-c3-b6" Calling-Station-Id = "00:24:9b:0c:2f:6e" NAS-Identifier = "ec-e5-55-9c-c3-ac" NAS-IP-Address = 192.168.1.11 NAS-Port = 6 Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b EAP-Message = 0x020700060d00 Message-Authenticator = 0x9edad03d955fdbb9df9945226a174d53 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK alert [tls] eaptls_verify returned 4 [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> sohama411111 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 255 to 192.168.1.11 port 62733 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.2 seconds. Cleaning up request 0 ID 248 with timestamp +21 Waking up in 2.6 seconds. Cleaning up request 1 ID 249 with timestamp +24 Cleaning up request 2 ID 250 with timestamp +24 Cleaning up request 3 ID 251 with timestamp +24 Cleaning up request 4 ID 252 with timestamp +24 Cleaning up request 5 ID 253 with timestamp +24 Cleaning up request 6 ID 254 with timestamp +24 Waking up in 1.0 seconds. Cleaning up request 7 ID 255 with timestamp +24
------------------------------
Message: 4 Date: Wed, 30 Jul 2014 23:59:35 +0100 From: Stuart Naylor <stuartiannaylor@thursbygarden.org> To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org> Subject: LDAP scope Message-ID: <zarafa.53d978d7.73bf.594fda2e60fe5c48@zent1.thursbygarden.lan> Content-Type: text/plain; charset=utf-8
Hi,
I am having problems with ldap.
I am running FreeRADIUS Version 2.1.12 and Samba4 and the LDAP searches are not subtree searches.
I have to add the CN=Users to the base DN and it works.
If I want to search from the base DN I get an ldap search error.
Is there anyway to set the search scope to subtree?
Stuart
------------------------------
Message: 5 Date: Wed, 30 Jul 2014 19:40:48 -0400 From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP scope Message-ID: <42D1F2C2-5061-45D0-9833-29709DF2A8EF@freeradius.org> Content-Type: text/plain; charset="us-ascii"
On 30 Jul 2014, at 18:59, Stuart Naylor <stuartiannaylor@thursbygarden.org> wrote:
Hi,
I am having problems with ldap.
I am running FreeRADIUS Version 2.1.12 and Samba4 and the LDAP searches are not subtree searches.
I have to add the CN=Users to the base DN and it works.
If I want to search from the base DN I get an ldap search error.
Is there anyway to set the search scope to subtree?
1. Download v3.0.3 2. Install v3.0.3 3. Enjoy the ability to alter search scopes for LDAP objects
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 881 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20 140730/ed95504f/attachment-0001.pgp>
------------------------------
Message: 6 Date: Wed, 30 Jul 2014 19:42:24 -0400 From: Arran Cudbard-Bell <a.cudbardb@freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Some inconsistencies concerning OpenSSL include configuration in FRS 3 Message-ID: <DD0F2DD5-2CF8-4BE4-817D-29FACC737F60@freeradius.org> Content-Type: text/plain; charset="us-ascii"
On 29 Jul 2014, at 12:55, Dr. Andreas Rieke <rieke@isl.de> wrote:
Arran Cudbard-Bell wrote:
On 29 Jul 2014, at 06:05, Dr. Andreas Rieke <rieke@isl.de> wrote:
Arran Cudbard-Bell wrote:
Should work now without dumb hacks... I have tested your solution, too, and it also works well. However, there is a small difference between your an Alan's appraoch: With Alan's suggestion, the rlm_wimax shared object does not have any references to openssl, whereas in your approch, ldd says that both libssl and libcrypto are required.
I do not know which one is correct,
Mine, seeing as the module uses symbols from those libraries.
Technically it probably only needs libcrypto, but never mind.
Thanks a lot to Alan and you, Arran, for your time and for your patience with a newbie on this list,
No problem, thanks for reporting the OpenSSL issues.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 881 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20 140730/df2937ad/attachment.pgp>
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 111, Issue 84 *************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 111, Issue 87 *************************************************