Good evening,
Thank you for your suggestions/ reply.
My comments/ questions are underneath your thoughts using ">>".
I have been working with FreeRadius and reading these threads for
sometime now trying to figure out how to properly configure and
implement EAP-TLS using ECDHE-ECDSA ciphers.
Set the right parameters for OpenSSL.
>> Do you mean within the OpenSSL source code? I've been trying to track down the location of where OpenSSL picks a TLS 1.0 handshake over TLS 1.2.
I am writing because perhaps there is a FreeRadius setting/ concept that
I have been foolishly neglecting.
All of the required OpenSSL setting are in the FreeRADIUS config
files. And documented there.
>> I'll continue to read. Is it acceptable under the ECC Curve section in EAP.Conf to use two elliptic curves? That is what wire shark is sending over.
The client (wpa_Supplicant) sends FreeRadius a Client Hello over TLS 1.0
(could perhaps cause problems with ECC?) and then FreeRadius Rejects it
because of and "SSL3_CLIENT_HELLO: no shared cipher." However, I have
confirmed that the latest version of openssl supports my cipher.
Use wireshark to look at the packets. It should be able to decode
both sides of the EAP-TLS conversation, and show you which ciphers are
being used.
>> wire shark has been showing the correct cipher suites are available on nth sides, which is odd. It seems that FR server rejects the Client Hello right away, even though the client hello seemingly has all the necessary information. Could it have something to do with Users/ clients.conf? I can't seem to figure out any combination that does the trick.
Does the EAP.conf/ FR have anything to do with Elliptic Curve's and
their shared cipher besides putting in "ALL" for the cipher and
"secptxxx" for the curve?
That should be it. Depending on OpenSSL magic, maybe "ALL" doesn't
mean "ALL". Try listing the ciphers explicitly.
>> will do.
I have also confirmed through OpenSSL's s_client/ s_server program
that my certificates are set up properly and ONLY succeed with TLS1_2
and not TLS1.0 or TLS1.1.
That tests the local OpenSSL. It doesn't test the remote end.
It's possible that the remote end doesn't support the ciphers.
>> Both machines are identical CentOS images, except for the configuration for FR and Wpa_supplicant on the respective machines. Also, s_client/ s_server works on both.
Thank you very much for your thoughts. Much appreciated.
Max
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.orgTo subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-usersor, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.orgYou can reach the person managing the list at freeradius-users-owner@lists.freeradius.orgWhen replying, please edit your Subject line so it is more specificthan "Re: Contents of Freeradius-Users digest..."Today's Topics: 1. Re: issue with reaped processes timing out in rad_waitpid (Alan DeKok) 2. Re: EAP-TLS Suggestions on FreeRadius (Alan DeKok) 3. Re: 3.0.x rlm_sql mime encoding UTF8 characters (Isaac Boukris) 4. Re: Dailycounter not working (Matej ?erovnik) 5. Re: radius logs with garbage username (Jan Rafaj)----------------------------------------------------------------------Message: 1Date: Sat, 01 Nov 2014 09:05:08 -0400From: Alan DeKok <aland@deployingradius.com>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>Subject: Re: issue with reaped processes timing out in rad_waitpidMessage-ID: <5454DA84.50302@deployingradius.com>Content-Type: text/plain; charset=ISO-8859-1Alex Sharaz wrote:So just to check, if I download the latest version of 2.x.x from git.freeradius.org as outined at freeradius.org/git it'll have your patch in it?
https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x Look at the right side of the screen. There's a button "download zip". Alan DeKok.------------------------------Message: 2Date: Sat, 01 Nov 2014 09:07:49 -0400From: Alan DeKok <aland@deployingradius.com>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>Subject: Re: EAP-TLS Suggestions on FreeRadiusMessage-ID: <5454DB25.7020901@deployingradius.com>Content-Type: text/plain; charset=UTF-8Max Freeman wrote:I have been working with FreeRadius and reading these threads for
sometime now trying to figure out how to properly configure and
implement EAP-TLS using ECDHE-ECDSA ciphers.
Set the right parameters for OpenSSL.I am writing because perhaps there is a FreeRadius setting/ concept that
I have been foolishly neglecting.
All of the required OpenSSL setting are in the FreeRADIUS configfiles. And documented there.The client (wpa_Supplicant) sends FreeRadius a Client Hello over TLS 1.0
(could perhaps cause problems with ECC?) and then FreeRadius Rejects it
because of and "SSL3_CLIENT_HELLO: no shared cipher." However, I have
confirmed that the latest version of openssl supports my cipher.
Use wireshark to look at the packets. It should be able to decodeboth sides of the EAP-TLS conversation, and show you which ciphers arebeing used.Does the EAP.conf/ FR have anything to do with Elliptic Curve's and
their shared cipher besides putting in "ALL" for the cipher and
"secptxxx" for the curve?
That should be it. Depending on OpenSSL magic, maybe "ALL" doesn'tmean "ALL". Try listing the ciphers explicitly.I have also confirmed through OpenSSL's s_client/ s_server program
that my certificates are set up properly and ONLY succeed with TLS1_2
and not TLS1.0 or TLS1.1.
That tests the local OpenSSL. It doesn't test the remote end. It's possible that the remote end doesn't support the ciphers. Alan DeKok.------------------------------Message: 3Date: Sat, 1 Nov 2014 16:24:53 +0200From: Isaac Boukris <iboukris@gmail.com>To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>Subject: Re: 3.0.x rlm_sql mime encoding UTF8 charactersMessage-ID: <CAC-fF8RjDSAn7U4418hstWnoF4=K_Tjau_e1MpyvJ=w6npXoyA@mail.gmail.com>Content-Type: text/plain; charset=UTF-8Hi,On Mon, Oct 27, 2014 at 4:31 PM, Adam Hammond <adam.hammond@wicoms.com> wrote:...
My questions are:
Is there a way for me to get rlm_sql to accept UTF8 characters? Or even ignore that check (at my own risk)?
I was faced with the same problem today (version 2.5.5).I managed to get it working by replacing the function'sql_escape_func' in 'rlm_sql.c' with the function'sql_utf8_escape_func' from 'rlm_sql_log.c' file.This seems to pass basic tests, but I am not sure what are theimplications of this change.HTH,Isaac B.------------------------------Message: 4Date: Sat, 01 Nov 2014 16:46:53 +0100From: Matej ?erovnik <matej@zunaj.si>To: freeradius-users@lists.freeradius.orgSubject: Re: Dailycounter not workingMessage-ID: <5455006D.9040409@zunaj.si>Content-Type: text/plain; charset=windows-1252; format=flowedOn 28.10.2014 21:26, Matej ?erovnik wrote:
On 20.10.2014 23:40, Alan DeKok wrote:
Matej ?erovnik wrote:
Hello!
I'm trying to use dailycounter on a LDAP authenticated user and it
doesn't seem to work. I think I did all steps correctly, but then
again,
i have been wrong before:)
...
rlm_sql (sql): Released sql socket id: 2
[sql] User testuser not found
++[sql] returns notfound
The "testuser" isn't found. So the sqlcounter module can't do it's
job, because it doesn't know what value to use for the session limit.
I posted this a while ago, but I'm trying my luck one more time if anyone can point me to the right direction:This is the part that is giving me troubles...My users exists in LDAP to which I don't have access, but I can authenticate with UserDN.I added entrytestuser Max-Daily-Session := 600to mysql radcheck table hoping radius will pick it up and use it in 'dailycounter'.Access-request packet looks like this:rad_recv: Access-Request packet from host 10.10.10.10 port 33651, id=75, length=202 NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "00:24:D7:47:1C:XX" Called-Station-Id = "hs-kit-testing" NAS-Port-Id = "bridge-bralci" User-Name = "testuser" NAS-Port = 2151677975 Acct-Session-Id = "80400017" Framed-IP-Address = 192.168.81.198 Mikrotik-Host-IP = 192.168.81.198 User-Password = "password" Service-Type = Login-User WISPr-Logoff-URL = "http://192.168.81.1" NAS-Identifier = "kit-testing" NAS-IP-Address = 192.168.1.116Can RADIUS use the username provided in access-request for the sqldailycounter?Is that even suppose to work?Can I use 'dailycounter' on LDAP authenticated users or does that only work on local users, who are in sql database?Matej-- ---Matej Zerovnik------------------------------Message: 5Date: Sun, 2 Nov 2014 01:09:58 +0100 (MET)From: Jan Rafaj <jr-freeradius@cedric.unob.cz>To: freeradius-users@lists.freeradius.orgSubject: Re: radius logs with garbage usernameMessage-ID: <alpine.LNX.2.00.1411020109001.2774@cedric.unob.cz>Content-Type: TEXT/Plain; format=flowed; charset=US-ASCIIOn Wed, 29 Oct 2014, Rando Nakarmi wrote:I have few fews which has garbage username, why does this happens ?
radiusd[367]: Login OK: [u2ttxxBZPlxGkGvGiM6lhPw==]
radiusd[369]: Login OK: [f2vnxxBZPlxGkGvGiM6lhPw==]
any help
Sounds like incorrectly configured mobile phones with Symbian OS.(If not configured correctly for WPAx-Enterprise, they tend to sendidentities with multiple delimiters, base64-encoded cert parts,and what not, in the User-Name...).-------------------------------List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.htmlEnd of Freeradius-Users Digest, Vol 115, Issue 3************************************************