freeradius documentation: Auth-Type
Hi, As someone very new to freeradius, I find that I am struggling with the available documentation. I have problem trying to find explanations on important attributes such as Auth-Type on what it means, what are the valid values etc. Can someone point me to the right place? I know http://www.freeradius.org/rfc/attributes.htm is around but it does not list all attributes, including Auth-Type.
Instructions for using Auth-Type: Don't use it. Let server figure it out. Exceptions: Types Accept and Reject. Uses for them are explained in FAQ. Ivan Kalik Kalik Informatika ISP Dana 14/5/2008, "NPY" <npy@pdog-vpn.com> piše:
Hi,
As someone very new to freeradius, I find that I am struggling with the available documentation.
I have problem trying to find explanations on important attributes such as Auth-Type on what it means, what are the valid values etc. Can someone point me to the right place?
I know http://www.freeradius.org/rfc/attributes.htm is around but it does not list all attributes, including Auth-Type.
NPY wrote:
As someone very new to freeradius, I find that I am struggling with the available documentation.
Well... yes.
I have problem trying to find explanations on important attributes such as Auth-Type on what it means, what are the valid values etc. Can someone point me to the right place?
Auth-Type means "use the named Auth-Type sub-section from the authenticate section".
I know http://www.freeradius.org/rfc/attributes.htm is around but it does not list all attributes, including Auth-Type.
It lists the RFC standard attributes. It doesn't list the other 4000 vendor-specific attributes. Alan DeKok.
Hi, I'm installing a Cisco VPN service (using a Catalyst 6500 and a SPA-IPSEC-2G board), and was wondering what attributes the VPN board would accept/understand from the radius server (besides the basic ones like session-timeout), but couldn't find any document answering that. So, could somebody point me to such a document/page? Thank you very much, Roberto Greiner -- ----------------------------------------------------- Marcos Roberto Greiner Os otimistas acham que estamos no melhor dos mundos Os pessimistas tem medo de que isto seja verdade Murphy -----------------------------------------------------
Hi,
I'm installing a Cisco VPN service (using a Catalyst 6500 and a SPA-IPSEC-2G board), and was wondering what attributes the VPN board would accept/understand from the radius server (besides the basic ones like session-timeout), but couldn't find any document answering that. So, could somebody point me to such a document/page?
cisco.com - the documentation for that blade should list all the RADIUS stuff. you may need to add dictionary entries or files to the server. you might also be able to do funky things (you can on some cisco kit) such as; show aaa attributes alan
Hi All, I have problem generating client certificate for Windows Xp. # make client.pem openssl req -new -out client.csr -keyout client.key -config ./client.cnf Generating a 2048 bit RSA private key ...................................................................+++ .......+++ writing new private key to 'client.key' ----- openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key `grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf unable to load certificate 4773:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE make: *** [client.crt] Error 1 I looked in client.cnf and I could not figure out where got wrong!
Hi, Thanks for the advice..The problem to generae certs was solved. Now it comes back to existing problem in version 1.1.7 where the client request to server is on and on and never get connected. I wonder why NAS-IP-Address = 0.0.0.0 unlike the other as I know got IP address assigned. Here the log Ready to process requests. User-Name = "MarsNet" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201000c014d6172734e6574 Message-Authenticator = 0x971de64ca91d1afd0e499d63b8b9aff2 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "MarsNet", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry MarsNet at line 91 expand: Hello, %{User-Name} -> Hello, MarsNet ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Reply-Message = "Hello, MarsNet" EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13382f46133a22a47c694fefa3fc3d08 Finished request 0. Going to the next request Waking up in 4.9 seconds. User-Name = "MarsNet" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x13382f46133a22a47c694fefa3fc3d08 EAP-Message = 0x020200500d800000004616030100410100003d03014832660e2f0fb111fc67ba57fe53cac5b6e069fba786f0ec44807023b4284a8800001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x0fe925603be76e65a1404457ac5412b6 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "MarsNet", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry MarsNet at line 91 expand: Hello, %{User-Name} -> Hello, MarsNet ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 084c], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a6], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Reply-Message = "Hello, MarsNet" EAP-Message = 0x010304000dc00000094b160301004a020000460301483265fd7c96a0e9fc9713fe93e9d180d22d37c1ae1a232b02433ecfcf033a34206f7a9cb000aa67272b2e95ac37019ecdc8a5bf6c574b0298bf67ddb71033c027000400160301084c0b0008480008450003a13082039d30820285a003020102020101300d06092a864886f70d0101040500308194310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3127302506035504 EAP-Message = 0x03131e4d617273696e646f20436572746966696361746520417574686f72697479301e170d3038303532303034333135355a170d3039303532303034333135355a3076310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e311d301b060355040313144d617273696e646f2053657276657220436572743120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bca7c767561f951c18502242b005f2d0727dc1affd01c9b29918bbd3af268c095b091c EAP-Message = 0xc62304d82d388c4380d586d49eab42a7f82f4b9b86bdb1d5b0889644476f901a737c94349781c611d7d2da2ffbe8de5fa4534c28a4dffb2fbf805a6c9dff87227d8a0fab4dea651fc4223748b75d302ee960e8beda05996d8b2342b841770b030bef53297a177f431184747aa3bdc11f49750b8c603cb589c13583904a9ba6ef6560df8519d5a2dbeb7fe33c8a0ac801bb3e1f68d510b0c82312bd7fcb8d50c6286f3f7a45079625c0b4f9912cc83664227c5d418c10006a230c66172677d3bb4091370b0b871bda07bec0a82ee8f1377d3a8fadf0398f35beea0d89f70203010001a317301530130603551d25040c300a06082b06010505070301300d EAP-Message = 0x06092a864886f70d010104050003820101004fbfef54576f9aac86015d57964cc2def331a16bf997b2b983ec834fb72f42e43b335bf1ad890123b205fac6a64bc0f824f34806cab4532dc9d48c1f827fc8050d3fe13af9df766b71ba58c515eaef089cfc685c5399371f1ef8f123cee3990828942848c20c60c6ab0ef93ba786b829816f24183e53aefeeea6fd11061a320fc0fe871220ad9f403497754f7187b2fe58dbf420af6cbf62297119bf1724539671bd8015dc1cc3a7c55b69cd63a4a2c35d523463ac9f44338f049b9d3b10c330b7d2dc183a1565cba70bb125c57ffdeed44785e3f36d404a094df74380dc1133d675c9aa87a6fd41e8e79f EAP-Message = 0x93bd38749f3d952fe10c35a8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x13382f46123b22a47c694fefa3fc3d08 Finished request 1. Going to the next request Kwok Sianbin <sianbin_kwok@yahoo.com> wrote: Hi All, I have problem generating client certificate for Windows Xp. # make client.pem openssl req -new -out client.csr -keyout client.key -config ./client.cnf Generating a 2048 bit RSA private key ...................................................................+++ .......+++ writing new private key to 'client.key' ----- openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key `grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf unable to load certificate 4773:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE make: *** [client.crt] Error 1 I looked in client.cnf and I could not figure out where got wrong! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Sorry for my English. After make some changes in the client.cnf the #make client.pem can't be run. Now the # radiusd -X also got problem. . . . Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "Mars123" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server.pe m rlm_eap: Failed to initialize type tls /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap ". /usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticat e section. } } Errors initializing modules Plz anyone can help!
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Ivan Kalik -
Kwok Sianbin -
NPY -
rgreiner