Re: OS X Mavericks not connecting to Debian FreeRADIUS
I think configuring FreeRadius can be more within the grasp of people who aren’t career sys admins if the instructions were more clear. For example when finding the value to use as “ipaddr” in clients.conf, the instructions in the config file only mention to use the IP of the client, it does not mention if I should use the LAN IP or the WAN IP of my wireless router, for example. Now, obviously I would be able to figure that out through trail and error, but when there is a problem someplace else in the chain I want to know for certain that this value has been set exactly to what it needs to be right from the start.. A career systems administrator may already know which value to use but others would not, so why don’t they just give a specific example of using a wireless router in the lengthy docs of the config file and mention the name LAN IP or WAN IP? Also it is annoying to me how often the wireless router is referred to as the “client” in all sorts of instructions that I see, it is confusing terminology for the process even if it is technically correct. Anyway, with the ipaddr set to be the WAN IP of the router (and I also tried using the LAN IP, since the instructions don’t specify!) and the “Auth Server Address” set to be the IP of the server computer, the OS X client computer still gives me the “Invalid password” error. (Previously I have already tried all combinations of the IP addresses even before posting to this forum, I just wanted to clarify once and for all when I asked..) I have seen varying instructions which explain differing optimum addresses to set the static address of the server computer to be. I realize that it is important to set this to ensure that it doesn't change over time, but you did not really answer my question when I asked if it is crucial to set that for testing purposes when I know what the address of the server computer is in the meantime. Are you familiar with using XLM profiles for configuring networking on Mac Computers on newer OS X operating systems? I have seen information about that associated with WPA2-Enterprise and some sources even seem to suggest that it is mandatory with the newer Operating systems. As far as using the default method for creating the certificates in “raddb/certs,” almost all of the online sources I have seen have said not to use that method and give instructions for clearing that out and using custom openssl commands instead. Do you know of success creating certificates that work with OS X Mavericks using that default method? And can that method be automated using scripting? Right now that directory has been wiped out on my computer according to online instructions I have followed, so I can’t read any instructions that may have been included with it. Do you know if there has there been recent upgrades to the “raddb/certs” method in the newer versions of FreeRADIUS which would give it greater compatibility with newer versions of OS X? Thank you for your help!
freeradius-users-request@lists.freeradius.org <mailto:freeradius-users-request@lists.freeradius.org> August 11, 2015 at 6:00 AM Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: OS X Mavericks not connecting to Debian FreeRADIUS (Alan DeKok) 2. Re: Proxy (check status of the 3rd party server) (Alan DeKok) 3. Re: Proxy (check status of the 3rd party server) (Alan Buxey) 4. MAC Auth tied to user (johan firdianto)
----------------------------------------------------------------------
Message: 1 Date: Tue, 11 Aug 2015 09:41:28 +0200 From: Alan DeKok<aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: OS X Mavericks not connecting to Debian FreeRADIUS Message-ID:<471E3D86-06A1-45EA-AA7B-F79FBBA6F423@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Aug 10, 2015, at 9:57 PM, Edward Ulrich<email@edwardulrich.com> wrote:
Question #1. As for the RADIUS requests not getting to the server, I have a question about the value of "ipaddr" in the "clients.conf" file. All of the instructions that I have seen have been unclear about what this value this should be set to specifically..
I don't see how the instructions are unclear. The IP address is the address of the RADIUS client. i.e. the Access Point, etc.
Should it be the IP address of the computer hosting the Radius server (192.168.1.113), or the IP address of the router (192.168.1.1), or some other value? I have tried all values and still get the same error message. Note that I have not yet set the ip address of the server computer to be static in the "/etc/network/interfaces" file.
You will need a static IP for the RADIUS server.
Question 1a: What is the best value to use for the "ipaddr" variable in "clients.conf"? Such as the ip address of the server computer, ect..
The client. The file is called "clients.conf" for a reason. It defines clients. It doesn't define servers.
Question 1b: What is the best value to use for the "Radius Auth Server Address" setting in the router (using DD-WRT)? Presumably it is the same value as 1a?
No. It is the address of the server. I have no idea how this can be confusing.
Question 1c: How important is setting the IP address of the server computer to be static while testing even though I am sure that the IP address of the server computer is currently 192.168.1.113 for the time being?
It is important to have a static IP.
Question 1d: What is the best source of information about this issue if the answer is complex?
The answer is simple. The meaning of the fields are clearly defined in the configuration files.
Question #2. Version 2.1.12 of FreeRADIUS is the one that was installed when I entered the "apt-get update" and "apt-get install freeradius" commands. What would be the biggest benefits of upgrading to a newer version? Presumably I would need to reconfigure from scratch if I upgraded, am I correct? I have a feeling my problems are elsewhere for the time being if the user client computer is not connecting to the server though.
I would suggest getting the basics right first, before trying something complicated.
Question #3. When you say "Users cannot manually configure their 802.1x settings" on Mac computers starting with OS X Lion, do you mean that it is mandatory to configure Mavericks using the XML method?
I have no idea what that means. Which "You" are you referring to? Where did you get this information from?
Question #4. As for the certificates, they are being created using the "sha1" method like you suggested (typed like that rather than "sha-1" if that makes any difference.) The "default_bits" are set to 2048. Following is the command I used to create the DH file: "openssl dhparam -check -text -5 1024 -out dh". I have seen some instructions that say to trim sections out of the certificates using a text editor before using them with a Mac, would it be helpful to do that at all?
You should create certificates using the instructions and tools in raddb/certs/. That is set up to be simple and painless.
Alan DeKok.
------------------------------
Message: 2 Date: Tue, 11 Aug 2015 09:42:44 +0200 From: Alan DeKok<aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Proxy (check status of the 3rd party server) Message-ID:<C0DDDB63-57F2-44B7-9067-D2CF85D7B530@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Aug 11, 2015, at 9:14 AM, Peter Balsianok<balsianok.peter@gmail.com> wrote:
Could you please tell me, why my RADIUS server doesnt find reply (status-check via using "request" ) from 3rd party RADIUS server ?
Post the debug output as suggested in the FAQ, "man" pages, web pages, and daily on this list.
Alan DeKok.
------------------------------
Message: 3 Date: Tue, 11 Aug 2015 08:51:31 +0100 From: Alan Buxey<A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>, Peter Balsianok <balsianok.peter@gmail.com> Subject: Re: Proxy (check status of the 3rd party server) Message-ID:<CE9E3C49-75F0-4E64-BA6E-B6E2B343ECF0@lboro.ac.uk> Content-Type: text/plain; charset="UTF-8"
Could you please tell me, why my>RADIUS server doesnt find reply (status-check via using "request" ) from>3rd party RADIUS server ?
Does that other server support status-server? What do the logs on that other server show? What does the debug on that other server show and what does the debug on your server show?
alan
------------------------------
Message: 4 Date: Tue, 11 Aug 2015 02:25:22 -0700 From: johan firdianto<johanfirdi@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: MAC Auth tied to user Message-ID: <CAAFGz8esR2iTHeURyNj_ZOaLD9RN2yejZZ83PYrpMYebCO6FZQ@mail.gmail.com> Content-Type: text/plain; charset=UTF-8
anyone here have experience to implement authorization and accounting from mac to user ? For example: User john is tied to mac aa-bb-cc-dd-ee-ff. every authorization comes from this mac, radius will check session for user john. and do accounting for user john also. So, every packet auth/acct come from NAS, username 'mac' will be replaced to 'user' subsquent process. i think unlang is the solution. anyone here could give us suggest/idea ? Cheers.
Johan
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 124, Issue 20 *************************************************
On 12/08/2015, at 11:02, Edward Ulrich <email@edwardulrich.com> wrote:
I think configuring FreeRadius can be more within the grasp of people who aren’t career sys admins if the instructions were more clear. For example when finding the value to use as “ipaddr” in clients.conf, the instructions in the config file only mention to use the IP of the client, it does not mention if I should use the LAN IP or the WAN IP of my wireless router, for example. Now, obviously I would be able to figure that out through trail and error, but when there is a problem someplace else in the chain I want to know for certain that this value has been set exactly to what it needs to be right from the start.. A career systems administrator may already know which value to use but others would not, so why don’t they just give a specific example of using a wireless router in the lengthy docs of the config file and mention the name LAN IP or WAN IP? Also it is annoying to me how often the wireless router is referred to as the “client” in all sorts of instructions that I see, it is confusing terminology for the process even if it is technically correct.
That’s true, I mean, why doesn’t the FreeRADIUS documentation include details about the location of the power switch for my routers? A career sys admin would know this, but this is unclear to others. I don’t think it’s reasonable to expect that the documentation for one component of your network include details about how the rest of your network is configured, or an introduction to the protocols it uses. Web server documentation wouldn’t say “here’s how HTTP works”, so why should a RADIUS server say “here’s how RADIUS” works? I’ve often thought that there should be a “for dummies” book though, for people who “want some RADIUS” but don’t really know what that means. Googling “FreeRADIUS for dummies” reveals this, which seems to be good, though I can’t vouch for it as I’ve just skimmed a PDF I saw of it. http://www.amazon.com/FreeRADIUS-Beginners-Guide-Dirk-Walt/dp/1849514089 <http://www.amazon.com/FreeRADIUS-Beginners-Guide-Dirk-Walt/dp/1849514089> It’s dated, sure, but the concepts are likely to largely be the same. I’d suggest reading that. Maybe someone has, or wants to, put together some set of end-to-end worked examples with configs etc., but I imagine that that would be a nightmare to support, and there’d be just as many people saying “why don’t your examples cover <corner case>”. -- Nathan Ward
It should be obvious that is the IP ages of the client as seen by freeradius. Ie theIP address used by the NAS to talk to the freeradius server. Whether that's its lan or wan IP would depend on your architecture! Likewise on kit with SVI/BVI you'd probably define on the router what interface is used to present packets to the RADIUS server. If you run freeradius in debug mode it becomes quickly obvious what IP address your router or NAS is using (and therefore what value needs to be in clients.conf) alan
On Aug 12, 2015, at 1:02 AM, Edward Ulrich <email@edwardulrich.com> wrote:
I think configuring FreeRadius can be more within the grasp of people who aren’t career sys admins if the instructions were more clear.
The documentation assumes that you understand a little bit about networking and system administration. We do *not* provide a full "introduction to Unix" course as part of FreeRADIUS. Such expectations are unreasonable.
For example when finding the value to use as “ipaddr” in clients.conf, the instructions in the config file only mention to use the IP of the client, it does not mention if I should use the LAN IP or the WAN IP of my wireless router, for example.
This requires understanding routing. Can the LAN IP route to the RADIUS server IP? Yes? Then that's what you use. If you think that IP addresses are magic numbers with no meaning... you're going to have a bad time.
Now, obviously I would be able to figure that out through trail and error, but when there is a problem someplace else in the chain I want to know for certain that this value has been set exactly to what it needs to be right from the start.. A career systems administrator may already know which value to use but others would not, so why don’t they just give a specific example of using a wireless router in the lengthy docs of the config file and mention the name LAN IP or WAN IP?
Because not every system has a LAN IP and a WAN IP. Many just have one IP. We presume that the administrator is experienced enough to know which one to use. i.e. stop thinking about your particular system. We have to document FreeRADIUS for *everyone*. It is again unreasonable to expect that we document *everything* about *everyone's* system... world-wide.
Also it is annoying to me how often the wireless router is referred to as the “client” in all sorts of instructions that I see, it is confusing terminology for the process even if it is technically correct.
It's not just "technically correct", it's the accepted terminology. It's how people refer to systems on the net. If you take your car to a mechanic, he's going to get cranky when you refer to the engine as a "carrot", because you find the term "engine" too "techy", and too hard to remember.
I have seen varying instructions which explain differing optimum addresses to set the static address of the server computer to be. I realize that it is important to set this to ensure that it doesn't change over time, but you did not really answer my question when I asked if it is crucial to set that for testing purposes when I know what the address of the server computer is in the meantime.
I did answer your question. As you've shown, you're unwilling to believe the documentation, or my answers here.
As far as using the default method for creating the certificates in “raddb/certs,” almost all of the online sources I have seen have said not to use that method and give instructions for clearing that out and using custom openssl commands instead.
Those sources are stupid and wrong. If you read the FreeRADIUS documentation (I suggest doing so...), the docs and web pages say that most third party documentation is wrong and outdated.
Do you know of success creating certificates that work with OS X Mavericks using that default method? And can that method be automated using scripting?
Uh... the default methods *already* use scripting.
Right now that directory has been wiped out on my computer according to online instructions I have followed,
Go back and re-install the default configuration.
so I can’t read any instructions that may have been included with it.
If only there was a way for you to download a *new* copy of the server, and get a fresh copy of the files. Your attitude is part of the problem. It's why you're finding this so difficult to do. You shoot yourself in the foot, refuse all help... and then complain that your foot hurts. Just stop it.
Do you know if there has there been recent upgrades to the “raddb/certs” method in the newer versions of FreeRADIUS which would give it greater compatibility with newer versions of OS X?
Did you even bother trying the default scripts that come with the server? No? Since you're too lazy to follow the documentation and use the examples that ships with the server, I'm too lazy to answer any more of your questions. Alan DeKok.
Edward, FreeRADIUS has a steep learning curve that you have to appreciate. You won't be an expert in FR in a week... many people here have been using it for years.
career systems administrator may already know which value to use but others would not, so why don’t they just give a specific example of using a wireless router in the lengthy docs of the config file and mention the name LAN IP or WAN IP? Also it is annoying to me how often the wireless router is referred to as the “client” in all sorts of instructions that I see, it is confusing terminology for the process even if it is technically correct.
It is not confusing. It is in fact very straight-forward. Anything connecting to the RADIUS server (i.e. the server running FreeRADIUS) is a client. If you have a WiFi Access Point that you're connecting to FR, that is your client. It must have an IP address defined in clients.conf, or else it can't talk to the server. The same goes for Network Access Servers, which connect to the FR server. They are the FR clients in the context of clients.conf.
Anyway, with the ipaddr set to be the WAN IP of the router (and I also tried using the LAN IP, since the instructions don’t specify!) and the “Auth Server Address” set to be the IP of the server computer, the OS X client computer still gives me the “Invalid password” error. (Previously I have already tried all combinations of the IP addresses even before posting to this forum, I just wanted to clarify once and for all when I asked..)
When your OS X client computer attempts to authenticate, do you see anything happening on the FreeRADIUS server (run it in debug mode)? If not, the client address you've given is likely to be incorrect. You *can* provide a CIDR notation for an entire subnet (i.e. 192.168.23.0/24) to allow the entire subnet to come through the same client definition. That is documented in clients.conf.
I have seen varying instructions which explain differing optimum addresses to set the static address of the server computer to be. I realize that it is important to set this to ensure that it doesn't change over time, but you did not really answer my question when I asked if it is crucial to set that for testing purposes when I know what the address of the server computer is in the meantime.
Yes it is crucial to know what your server IP address is. Without it you can't expect to get a connection if you define a single IP address as a client.
Are you familiar with using XLM profiles for configuring networking on Mac Computers on newer OS X operating systems? I have seen information about that associated with WPA2-Enterprise and some sources even seem to suggest that it is mandatory with the newer Operating systems.
Alan Buxey has been very clear about this. You need to create a file that you import on the client computer, i.e. the endpoint, the machine that is trying to connect to the network. Apple has made things more difficult in newer operating systems by removing certain configuration utilities and dialogs, so you are now required to 'provision' configuration files. This URL explains what Alan has already told you: http://www.wi-fiplanet.com/tutorials/configuring-802.1x-in-mac-os-x-lion-and..., but it is (obviously) somewhat out of date now. This URL explains how profiles work in Yosemite (and explains the Profile Manager in OS X Server): http://arstechnica.com/apple/2014/11/a-power-users-guide-to-os-x-server-yose... The profile manager and the Apple Configurator (which replaced the iPhone Configuration Utility, or IPCU as everyone refers to it) are what you use to create a .mobileconfig file. Apple Configurator help is here: http://help.apple.com/configurator/mac/1.7.2/#/cadbf9e6ff (don't say we're not being helpful ;-))
As far as using the default method for creating the certificates in “raddb/certs,” almost all of the online sources I have seen have said not to use that method and give instructions for clearing that out and using custom openssl commands instead.
Look at the date of said online sources, and when they were last updated. If it's anything before last year, you can be guaranteed that they are out of date. FreeRADIUS makes *huge* strides in a year (and I know this because I first had exposure to FR 2.1.12 in 2013 and have found that the product has vastly improved since). Everyone I know uses the 'make' or 'bootstrap' commands in the /etc/raddb/certs directory... The makefile and the certificate configs (ca.cnf, server.cnf and client.cnf) have been regularly updated to the latest recommended configurations (amongst them using SHA1 as the hashing algorithm and 2048 bits as key length). Alan, Arran, and all the contributors try to keep everything as best practice as they can, but it's up to your distribution to keep up with the developments. If they don't, you are still free to build the product from source with any of the distribution build scripts that are included in the source, and they are very straight-forward.
Do you know of success creating certificates that work with OS X Mavericks using that default method? And can that method be automated using scripting?
Yes. And yes. The default contents of /etc/raddb/certs contains everything you need to script it.
Right now that directory has been wiped out on my computer according to online instructions I have followed, so I can’t read any instructions that may have been included with it. Do you know if there has there been recent upgrades to the “raddb/certs” method in the newer versions of FreeRADIUS which would give it greater compatibility with newer versions of OS X?
You can download the contents of the /etc/raddb/certs directory from Github if you need to... Tweak the .CNF files to suit your organisation details, and if necessary adjust certificate expiry periods. Then run 'make clean' to clear out old certificates, then ./bootstrap or 'make' to make new ones. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Look at the date of said online sources, and when they were last updated. If it's anything before last year, you can be guaranteed that they are out of date. FreeRADIUS makes *huge* strides in a year (and I know this because I first had exposure to FR 2.1.12 in 2013 and have found that the product has vastly improved since). Everyone I know uses the 'make' or 'bootstrap' commands in the /etc/raddb/certs directory... The makefile and the certificate configs (ca.cnf, server.cnf and client.cnf) have been regularly updated to the latest recommended configurations (amongst them using SHA1 as the hashing algorithm and 2048 bits as key length).
Actually... We all should be using SHA-256 and not SHA-1 for new installations. Microsoft, Google and Mozilla are now deprecating the use of SHA-1 based certificates: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy. aspx http://googleonlinesecurity.blogspot.com /2014/09/gradually-sunsetting-sha-1.html https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates Also see: https://wiki.terena.org/display/H2eduroam/EAP+Server+Certificate+considerati... The SHA-1 hash algorithm is now on the verge of practically being broken (76/80 round collision already generated). See: https://marc-stevens.nl/research/ It is likely that the same approach that was taken for MD5 will soon be taken with SHA-1. We shouldn't be building up a technical debt by deploying new certificates with this algorithm. It will just cause pain down the line. Regards, Nick Lowe
Actually... We all should be using SHA-256 and not SHA-1 for new installations.
Actually I am incorrect. The sources use sha256. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
Actually...
We all should be using SHA-256 and not SHA-1 for new installations.
2.2.x is SHA256 - has been for a while now (probably a patch I submitted or after some feedback I left ;-) ) ca.cnf:default_md = sha256 client.cnf:default_md = sha256 server.cnf:default_md = sha256 alan
directory... The makefile and the certificate configs (ca.cnf, server.cnf and client.cnf) have been regularly updated to the latest recommended configurations (amongst them using SHA1 as the hashing algorithm and 2048 bits as key length).
Correction: SHA-256. ;-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
FreeRADIUS has a steep learning curve that you have to appreciate. You won't be an expert in FR in a week... many people here have been using it for years.
10,000 hours should do it - Malcolm Gladwell "Outliers" :-) alan
participants (7)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Edward Ulrich -
Nathan Ward -
Nick Lowe -
Stefan Paetow