Hi, I'am trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is: A host-based authentification for my workstations. All the names of the workstations are in LDAP, the authentification itself should be done with EAP-TLS. I would like to have a hint, how to start EAP when the LDAP-Query was successfull. The LDAP-Query works I think, FR says: [ldap] user scit-beerchen authorized to use remote access, but then it tries to make some kind of password authentification (I have no password for workstations in LDAP), and is not starting EAP-TLS. The asking host "scit-beerchen" is in the WLAN-User Group. What could I do? Please have a look on my Debug-Output: rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x12969f7ffa42f57be53a54474c1274be # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to physalis:389, authentication 0 [ldap] bind as / to physalis:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 Cleaning up request 0 ID 0 with timestamp +1034 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x11c70e19e2f1150428f5cc12d535e57b # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 Cleaning up request 1 ID 0 with timestamp +1034 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x781aba777bfd1eee9fb99135f368597f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> scit-beerchen attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 0 to 10.48.244.28 port 3079 Waking up in 4.9 seconds. Cleaning up request 2 ID 0 with timestamp +1034 Ready to process requests. This is my "default" site: authorize { preprocess chap mschap digest suffix ntdomain eap { ok = return } files ldap if (notfound) { reject } expiration logintime pap ntlm_auth } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap Auth-Type LDAP { ldap if (LDAP-Group == "WLAN-User") { noop } else { reject } } ntlm_auth } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } TIA Alex
On 16/05/11 13:32, Alexandros Gougousoudis wrote:
Hi,
I'am trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is:
A host-based authentification for my workstations. All the names of the workstations are in LDAP, the authentification itself should be done with EAP-TLS. I would like to have a hint, how to start EAP when the LDAP-Query was successfull. The LDAP-Query works I think, FR says: [ldap] user scit-beerchen authorized to use remote access, but then it tries to make some kind of password authentification (I have no password for workstations in LDAP), and is not starting EAP-TLS. The asking host "scit-beerchen" is in the WLAN-User Group.
What could I do?
The reason it's failing is nothing to do with LDAP. It's because you've added a module "ntlm_auth" to the authorize section.
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=scit-beerchen [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type Reject
You've broken the default configs by adding in modules you don't need and don't understand. Go back to the default configs. Then *just* configure LDAP, and things will work.
Hi Phil, Phil Mayers schrieb:
You've broken the default configs by adding in modules you don't need and don't understand.
Go back to the default configs. Then *just* configure LDAP, and things will work.
Thats what I did right now, EAP starts (Ubuntu 10.04, with working cert on FR 1.1) but conversation is ended without Access-OK. Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked examples and had more questions than before. Where are all these features documented, like the "if then"-things in the conf, all the keywords like "ok=return" and so on, what's the difference between Autz-Type and Auth-Type? The only thing to get help is here on the list, on the net you find a lot infos to FR 1.1 and 2 (one is deployinradius and one the FR site) sites containing a little bit information, no much more than the conf-files coming with the FR-archive. I'am not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding than the lack of well documented features. And if I can't find the infos I need in the docs, I start to try things out. I've added ntlm_auth to authorize requests from NT4-Users, didn't know that this is a NoGo. :-) Here's my debug: rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=139 User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200001201736369742d626565726368656e Message-Authenticator = 0x651ac911817a87ba89a408f0d94ab4aa # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to physalis:389, authentication 0 [ldap] bind as / to physalis:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.48.244.28 port 3079 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe9291e9ae928135b6c752006f18ad076 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.48.244.28 port 3079, id=0, length=240 Cleaning up request 0 ID 0 with timestamp +22 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xe9291e9ae928135b did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "scit-beerchen" NAS-IP-Address = 10.48.244.28 Called-Station-Id = "0016b64f44cc" Calling-Station-Id = "002268c63ff2" NAS-Identifier = "0016b64f44cc" NAS-Port = 11 Framed-MTU = 1400 State = 0xe9291e9ae928135b6c752006f18ad076 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100650d00160301005a0100005603014dd12d46c92ff47f67ef53def49b382dd1bcbc2402586b0ff4cb827f86d0357600002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000 Message-Authenticator = 0x9fe2b3e6bad80f4dc0e8255016f17083 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "scit-beerchen", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "scit-beerchen", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 101 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for scit-beerchen [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> scit-beerchen [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=scit-beerchen) [ldap] expand: dc=verwaltung,dc=kh-berlin,dc=de -> dc=verwaltung,dc=kh-berlin,dc=de [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=verwaltung,dc=kh-berlin,dc=de, with filter (uid=scit-beerchen) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user scit-beerchen authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 005a], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0ee1], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 030d], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00bf], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.48.244.28 port 3079 EAP-Message = 0x010204000dc0000012f216030100310200002d03014dd129e0adad8673f2fce2ffdc2d9de7d042d80ddb9e351e2a4edcf3964bf407000039010005ff010001001603010ee10b000edd000eda000768308207643082054ca003020102020200a2300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f EAP-Message = 0x06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3131303531363131323030335a170d3135303930323131323030335a30818c310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312a3028060355040313216e65777261646975732e76657277616c74756e672e6b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100dfeef8cb014fe248fe43e06a93e2 EAP-Message = 0x7ecb291d93be1541d256785c0e58a376bcd3acda16b7381691a454c0bfc93071fc156389a4219452823096a6b9a847a799dfe50de0c94c3d454255f25daa54be452d8a83ba73f9d6e9b7ac0ea8510f59b190148aec94351f0df3902a983f3ff6cbfdc67e234ca67300fa7512d382a7a626b513acc30d5b0ec159c12beeb479e1c3b652d7a38ee6afaf5e3cc7a44f675eca597bdea3d4dc339f1106e5c7f60ed277a3086ebef50dccd376c15fbcebefa3f9837334da2d60da8c788e22832c7f2db1fc51269527afacbd740c0dfc595cbeecb486bb7c827bd61dbb5a831e43c677c5ad344ead828356fc64f7089fa8ced44cc4ad4db57b035080698e6b96 EAP-Message = 0xd6c9928a8bee9d73bcb417faf0517733a38962d274b76aeb13fa1690260ed413415750a39db8354b2c2196f656d61d86fdcd8f33ffd3ec209a008815ecd6dd376e2ff2cab0b28366eb4e9a1aa6cb38b187daec729aeafbc01403ba25c82cc2560133e59c2608898c3ef918f58a07f664e0e3b9109b2ef687992f51ab82f8c6abbe938bd11e215e6be38ef0977501c8c72c52153cd1cd8b0f48a6cb70848b8ce4cb8af06615eda1adb8f289ee71c67980bb2db646317c91a25c37f328abe7cebffec0b2619b5a5ff1a44b676fe65497b81d0f7cdf20cf995167bfc15f3efdfd723c91415d3ccf186a49ebe6e79c7fdebe1541a6ae090203010001a38201 EAP-Message = 0xae308201aa30090603551d13 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe9291e9ae82b135b6c752006f18ad076 Finished request 1. Going to the next request Waking up in 4.9 seconds. TIA Alex
On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:
Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked examples and had more questions than before. Where are all these features documented, like the "if then"-things in the conf, all the keywords like "ok=return" and so on, what's the difference between Autz-Type and Auth-Type? The only thing to get help is here on the list, on the net you find a lot infos to FR 1.1 and 2 (one is deployinradius and one the FR site) sites containing a little bit information, no much more than the conf-files coming with the FR-archive. I'am not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding than the lack of well documented features. And if I can't find the infos I need in the docs, I start to try things out.
+1 I have to agree, the lack of comprehensive documentation, including an overview of concepts and the flow of operations is the greatest impediment to the success of FreeRADIUS as an open source project. The power and flexibility of FreeRADIUS is awesome, Alan and the other developers have done a wonderful job of providing the open source community with a fantastic piece of critical software. They have excelled at constant innovation and timely bug fixes. The response on the mailing is exceptional. But all these positive attributes are sometimes negated by the difficulty of understanding the system. Many justifiably feel configuring FreeRADIUS is a black art. It's often been pointed out that config files, doc directory and the wiki contains all you need to know. There is a modicum of truth in that. But the reality is it's very difficult to locate, extract, interpret and interpolate the missing pieces to form a functioning mental model in order to accomplish a specific deployment task. I've worked with FreeRADIUS for a while now and I'm still confounded things I don't know, incorrect expectations of behavior (e.g. != does not work for group testing). There are things which as far as I can tell are simply not documented. Just last week I had to help someone who was frustrated by the inability to add attributes to successfully proxied Auth-Accept's using a users file. By reading the source I found the postproxy_users_file config, as far as I could tell this is completely undocumented. When it comes to supporting users "Use the source Luke" isn't viable. I'd like to suggest the next most import task item for the team is not the 3.0 release, it's not any change to the code base. Rather the single most import task is producing comprehensive documentation collected in a single location augmented with cookbook examples of how to solve common deployment problems. I'll wager the time spent on this list answering questions will greatly diminish thus providing free time for feature enhancements and bug fixes. I'm also concerned at the obvious frustration expressed countless times on this list were folks have spent days, weeks, or in some cases months beating their heads against the wall in frustration. There will be a tipping point at some point in the future where that frustration will doom the project as it gets replaced by an alternative or forked. I've been in open source long enough to have seen this scenario play out multiple times. Just my 2 cents, worth what you paid for it :-) I'll now return you to your regular scheduled programming :-) And in case you missed it above, Alan and everyone else have done a wonderful job and provided a fantastic service to the community. All I'm suggesting here is the task priorities need to be tweaked a bit. P.S.: One thing which has been lacking in the project is public list of the project team. One might make the assumption Alan is the sole contributor, if so then that's truly amazing. But I'm going to guess others are involved. We would like to thank them as well and perhaps have some more insight into the project's organization. At best all I've been able to do in intuit based on reading this list and the dev list over an extended period that some list participants seem to have such an extensive knowledge it suggests to me they must be on the development team, either that or just like myself they've spent a lot of time reading the source code out of necessity. Questions like, what is the project's timeline, what is upcoming in new releases, what is the anticipated release schedule, how is the project organized, who are significant players and what are their roles are information unusually published by open source projects but have been missing (maybe just another example of missing documentation?). -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi John, Just to chime in, I find all of the comments in radiusd.conf, etc. distracting & overwhelming. I strip out the comments from the files I'm using - usually to find out how simple the configuration really is. When I'm missing something, I refer back to the original files & look up the relevant comment entry. I would prefer all of the comments be assembled into straightforward documentation, using examples for the appropriate configuration sections. My 2 cents, as we say... -John On 05/16/2011 11:20 AM, John Dennis wrote:
On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:
Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked examples and had more questions than before. Where are all these features documented, like the "if then"-things in the conf, all the keywords like "ok=return" and so on, what's the difference between Autz-Type and Auth-Type? The only thing to get help is here on the list, on the net you find a lot infos to FR 1.1 and 2 (one is deployinradius and one the FR site) sites containing a little bit information, no much more than the conf-files coming with the FR-archive. I'am not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding than the lack of well documented features. And if I can't find the infos I need in the docs, I start to try things out.
+1
I have to agree, the lack of comprehensive documentation, including an overview of concepts and the flow of operations is the greatest impediment to the success of FreeRADIUS as an open source project. The power and flexibility of FreeRADIUS is awesome, Alan and the other developers have done a wonderful job of providing the open source community with a fantastic piece of critical software. They have excelled at constant innovation and timely bug fixes. The response on the mailing is exceptional.
But all these positive attributes are sometimes negated by the difficulty of understanding the system. Many justifiably feel configuring FreeRADIUS is a black art. It's often been pointed out that config files, doc directory and the wiki contains all you need to know. There is a modicum of truth in that. But the reality is it's very difficult to locate, extract, interpret and interpolate the missing pieces to form a functioning mental model in order to accomplish a specific deployment task.
I've worked with FreeRADIUS for a while now and I'm still confounded things I don't know, incorrect expectations of behavior (e.g. != does not work for group testing). There are things which as far as I can tell are simply not documented. Just last week I had to help someone who was frustrated by the inability to add attributes to successfully proxied Auth-Accept's using a users file. By reading the source I found the postproxy_users_file config, as far as I could tell this is completely undocumented. When it comes to supporting users "Use the source Luke" isn't viable.
I'd like to suggest the next most import task item for the team is not the 3.0 release, it's not any change to the code base. Rather the single most import task is producing comprehensive documentation collected in a single location augmented with cookbook examples of how to solve common deployment problems.
I'll wager the time spent on this list answering questions will greatly diminish thus providing free time for feature enhancements and bug fixes. I'm also concerned at the obvious frustration expressed countless times on this list were folks have spent days, weeks, or in some cases months beating their heads against the wall in frustration. There will be a tipping point at some point in the future where that frustration will doom the project as it gets replaced by an alternative or forked. I've been in open source long enough to have seen this scenario play out multiple times.
Just my 2 cents, worth what you paid for it :-) I'll now return you to your regular scheduled programming :-)
And in case you missed it above, Alan and everyone else have done a wonderful job and provided a fantastic service to the community. All I'm suggesting here is the task priorities need to be tweaked a bit.
P.S.:
One thing which has been lacking in the project is public list of the project team. One might make the assumption Alan is the sole contributor, if so then that's truly amazing. But I'm going to guess others are involved. We would like to thank them as well and perhaps have some more insight into the project's organization. At best all I've been able to do in intuit based on reading this list and the dev list over an extended period that some list participants seem to have such an extensive knowledge it suggests to me they must be on the development team, either that or just like myself they've spent a lot of time reading the source code out of necessity. Questions like, what is the project's timeline, what is upcoming in new releases, what is the anticipated release schedule, how is the project organized, who are significant players and what are their roles are information unusually published by open source projects but have been missing (maybe just another example of missing documentation?).
John, I believe Alan started a project to try and improve documentation in May last year. A few documents were converted RST format, but I don't think it was ever completed. I'm going to suggest the same thing I did back then. Add RST support to the Wiki, setup a well defined documentation structure (as in these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS. There's so much to document that it needs to be a collaborative effort. -Arran Arran Cudbard-Bell RM-RF Limited - Security consultation and contracting VoIP: +1 916-436-1352 Cell: +44 7854041841
On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:
John,
I believe Alan started a project to try and improve documentation in May last year. A few documents were converted RST format, but I don't think it was ever completed.
I'm going to suggest the same thing I did back then. Add RST support to the Wiki, setup a well defined documentation structure (as in these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS.
There's so much to document that it needs to be a collaborative effort.
Sounds like a fine plan to me. I do recall the documentation effort from last year. But the various promises of documentation seem to wither on the vine, the effort you cite is a perfect example. Maybe Alan's book is the answer, but that's been promised for a long time too. My basic take this is the classic developer's dilemma, developers want to write code, not documentation. When time allocation occurs the choice is to write code and defer the doc. But doc must get done, it needs an owner who is going to own the task and get it done. FWIW, I constantly get complaints about the difficulty of using FreeRADIUS and the lack of usable documentation. Only last week this reached all the way to my manager who had to intervene and assert this is an upstream project issue and not something Red Hat can fix. Sorry, just being the messenger, just trying to ultimately help by saying there is a pain point and not sweep it under the rug. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
If I knew more about it I would take my time to write some ... examples, use cases, case studies, whatever. But, I can barely get by - each time I think I understand something it turns out I really don't. I don't want to spread bad info so I say nothing - usually :) IMHO a good starting point would be a single point of all "authorized" documentation: freeradius.org, Wiki, don't care - but it's frustrating when you find doc that seems legit that conflicts with other doc that also seems legit. The single source of info then needs to have whatever is there vetted by those that actually KNOW whats what and kept current. Unfortunately most people don't understand the details of PEAP, *CHAP, GTC, certs, etc. so they simply follow instructions verbatim. If those instructions are "wrong", skip some steps, or even have basic typo's: it will lead to a lot of frustration not only to the novice user, but the smart people on here that constantly address the same "simple" issues. I will step up to the plate and offer up a standard format for a "Recipe". I will pick an "easy" deployment scenario - such as: "How do I configure FR to authenticate VTY access to my Cisco gear using AD on the backend, and users must be a member of GroupX" I'm sure I will get some things wrong, but perhaps "we" can at least settle on a common template/format which will at least help moving forward. -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of John Dennis Sent: Monday, May 16, 2011 1:52 PM To: FreeRadius users mailing list Subject: Re: documentation and project organization (Was: Using LDAP with EAP-TLS) On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:
John,
I believe Alan started a project to try and improve documentation in May last year. A few documents were converted RST format, but I don't think it was ever completed.
I'm going to suggest the same thing I did back then. Add RST support to the Wiki, setup a well defined documentation structure (as in these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS.
There's so much to document that it needs to be a collaborative effort.
Sounds like a fine plan to me. I do recall the documentation effort from last year. But the various promises of documentation seem to wither on the vine, the effort you cite is a perfect example. Maybe Alan's book is the answer, but that's been promised for a long time too. My basic take this is the classic developer's dilemma, developers want to write code, not documentation. When time allocation occurs the choice is to write code and defer the doc. But doc must get done, it needs an owner who is going to own the task and get it done. FWIW, I constantly get complaints about the difficulty of using FreeRADIUS and the lack of usable documentation. Only last week this reached all the way to my manager who had to intervene and assert this is an upstream project issue and not something Red Hat can fix. Sorry, just being the messenger, just trying to ultimately help by saying there is a pain point and not sweep it under the rug. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Gary Gatten wrote:
I will step up to the plate and offer up a standard format for a "Recipe". I will pick an "easy" deployment scenario - such as: "How do I configure FR to authenticate VTY access to my Cisco gear using AD on the backend, and users must be a member of GroupX"
That's configuring 4 things at once... people will find it useful, but my worry is that it's too specific.
I'm sure I will get some things wrong, but perhaps "we" can at least settle on a common template/format which will at least help moving forward.
A template recipe sounds like a wonderful idea. Alan DeKok.
Good point about configuring multiple things at once - but that is a "recipe" - right? Several ingredients that make a tasty cake? I think it would be a pretty common deployment scenario: lots of people have Cisco and AD, and want to auth their Cisco admins / VTY access against AD. We used this exact scenario as a basic starting point with FR (and I've noticed others on here do the same) before moving on to more complicated setups. I probably "should" doc some stuff for internal use regardless, so even if no one else finds it useful it won't be a waste of time. G -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Monday, May 16, 2011 2:31 PM To: FreeRadius users mailing list Subject: Re: documentation and project organization (Was: Using LDAP with EAP-TLS) Gary Gatten wrote:
I will step up to the plate and offer up a standard format for a "Recipe". I will pick an "easy" deployment scenario - such as: "How do I configure FR to authenticate VTY access to my Cisco gear using AD on the backend, and users must be a member of GroupX"
That's configuring 4 things at once... people will find it useful, but my worry is that it's too specific.
I'm sure I will get some things wrong, but perhaps "we" can at least settle on a common template/format which will at least help moving forward.
A template recipe sounds like a wonderful idea. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Gary Gatten wrote:
Good point about configuring multiple things at once - but that is a "recipe" - right? Several ingredients that make a tasty cake?
Yes. It should be done as a recipe with multiple steps. See http://deployingradius.com for examples.
I think it would be a pretty common deployment scenario: lots of people have Cisco and AD, and want to auth their Cisco admins / VTY access against AD. We used this exact scenario as a basic starting point with FR (and I've noticed others on here do the same) before moving on to more complicated setups.
Sure. But the layout should be: (1) configuring Active Directory (2) group checking via AD (3) configuring FR to do VTY access *independent* of anything else! (4) Using steps 1-3 to create a combined configuration I've seen too many guides which put all of 1-4 into one guide. The result is that anyone doing something a *little* bit different is lost. For your suggested doc, it should be easy. (1) and (2) exist already. Just refer to them. Then, create a simple doc for (3), using the "users" file as an example, with local password and no group checking. Then, write (4) showing how you've changed the "users" file entry from (3) to use the features of (1) and (2). Each step should be no more than a page or so of text, with configuration file examples, instructions on what to type, and explanations as to what it all means. Again, the deployingradius.com docs should be used as an example of layout and style. In the last 6 years, the only complaints about those docs have been (1) typos, and (2) people who didn't follow the steps correctly. Alan DeKok.
John Dennis wrote:
Sounds like a fine plan to me. I do recall the documentation effort from last year. But the various promises of documentation seem to wither on the vine, the effort you cite is a perfect example. Maybe Alan's book is the answer, but that's been promised for a long time too.
I had planned on finishing it this spring. I got busy, in a "you don't want to know" kind of way.
FWIW, I constantly get complaints about the difficulty of using FreeRADIUS and the lack of usable documentation. Only last week this reached all the way to my manager who had to intervene and assert this is an upstream project issue and not something Red Hat can fix. Sorry, just being the messenger, just trying to ultimately help by saying there is a pain point and not sweep it under the rug.
If the customers care, refer them to me. If it's a priority for them, someone can be found to do the work. Alan DeKok.
Arran Cudbard-Bell wrote:
I believe Alan started a project to try and improve documentation in May last year. A few documents were converted RST format, but I don't think it was ever completed.
I received a number of patches from one person, a few from another one or two, and nothing else. I've been saying for ~10 years that this is a community effort. I'd *like* additional documentation, but I don't get paid to write it. I get paid to write code. The community has spoken: documentation isn't important enough. I'd like to change that, but I'm busy.
I'm going to suggest the same thing I did back then. Add RST support to the Wiki, setup a well defined documentation structure (as in these are the subjects and example configurations that should be covered), and then roll page exports from the wiki into the documentation that 'ships' with FreeRADIUS.
My $0.02 is that we should use github. They now support git-backed Wikis, which use "markdown". It's close enough, and has a lot of benefits. But it requires converting the existing Wiki pages. I'm not inclined to do it, as I have too many other things to do.
There's so much to document that it needs to be a collaborative effort.
It's not hard. Read the comments in the config files, and write a document summarizing them. Add one or two simple examples. Alan DeKok.
On 16/05/11 20:26, Alan DeKok wrote:
My $0.02 is that we should use github. They now support git-backed Wikis, which use "markdown". It's close enough, and has a lot of benefits.
I quite like Markdown. We have some internal "introduction to radius" and "introduction to FreeRADIUS" documents. If there is consensus on documentation structure, I can try to start putting some stuff together. If someone wants to start off with the basic doc structures, I'll make some time to write some docs. Recipies I like the idea of, but it strikes me that a bit of work with the existing module/unlang/configurable-failover docs would go a long way to explaining how FreeRADIUS processes a request, and how to accomplish what you want (i.e. put the right modules in the right order!)
John Center wrote:
Just to chime in, I find all of the comments in radiusd.conf, etc. distracting & overwhelming. I strip out the comments from the files I'm using - usually to find out how simple the configuration really is. When I'm missing something, I refer back to the original files & look up the relevant comment entry. I would prefer all of the comments be assembled into straightforward documentation, using examples for the appropriate configuration sections.
Sure. Submit a patch. Alan DeKok.
John Dennis wrote:
But all these positive attributes are sometimes negated by the difficulty of understanding the system. Many justifiably feel configuring FreeRADIUS is a black art. It's often been pointed out that config files, doc directory and the wiki contains all you need to know. There is a modicum of truth in that. But the reality is it's very difficult to locate, extract, interpret and interpolate the missing pieces to form a functioning mental model in order to accomplish a specific deployment task.
Yup.
I've worked with FreeRADIUS for a while now and I'm still confounded things I don't know, incorrect expectations of behavior (e.g. != does not work for group testing). There are things which as far as I can tell are simply not documented.
Oh yes, lots.
Just last week I had to help someone who was frustrated by the inability to add attributes to successfully proxied Auth-Accept's using a users file. By reading the source I found the postproxy_users_file config, as far as I could tell this is completely undocumented. When it comes to supporting users "Use the source Luke" isn't viable.
Yes, well... there isn't much to argue with there.
I'd like to suggest the next most import task item for the team is not the 3.0 release, it's not any change to the code base. Rather the single most import task is producing comprehensive documentation collected in a single location augmented with cookbook examples of how to solve common deployment problems.
Sure. Except that 3.0 is pretty much ready now.
I'll wager the time spent on this list answering questions will greatly diminish thus providing free time for feature enhancements and bug fixes.
For me, time on the list is 30 seconds in between other work. i.e. "wait for compile: answer post". It's really quite minimal, despite the volume of messages I send.
I'm also concerned at the obvious frustration expressed countless times on this list were folks have spent days, weeks, or in some cases months beating their heads against the wall in frustration. There will be a tipping point at some point in the future where that frustration will doom the project as it gets replaced by an alternative or forked. I've been in open source long enough to have seen this scenario play out multiple times.
The level of frustration has diminished significantly with 2.0, and again with 2.1. The default configurations "just work", and the debug messages have been improved to the point where mere mortals can understand them.
One thing which has been lacking in the project is public list of the project team. One might make the assumption Alan is the sole contributor, if so then that's truly amazing.
Look at github. The only person other than me who's had meaningful contributions in the last 2 years is Phil Mayers. Many other "authors" listed (e.g. Dante) are contractual obligations, implemented by me.
But I'm going to guess others are involved. We would like to thank them as well and perhaps have some more insight into the project's organization. At best all I've been able to do in intuit based on reading this list and the dev list over an extended period that some list participants seem to have such an extensive knowledge it suggests to me they must be on the development team, either that or just like myself they've spent a lot of time reading the source code out of necessity.
There are a number of people who run multiple RADIUS servers (machines && products) for their living. They're familiar with pretty much everything. We're all in their debt for answers, docs, bug reports, bug fixes, etc.
Questions like, what is the project's timeline, what is upcoming in new releases, what is the anticipated release schedule, how is the project organized, who are significant players and what are their roles are information unusually published by open source projects but have been missing (maybe just another example of missing documentation?).
Project timeline: whenever What's upcoming: see doc/ChangeLog in git. release schedule: usually every 3-4 months organization / people / roles: code: Alan mgmt: Alan docs: Alan web site: Alan releases: Alan bug fixes: Alan Wiki: Peter Nixon Sense a theme? Alan DeKok.
On 05/16/2011 03:41 PM, Alan DeKok wrote:
organization / people / roles: code: Alan mgmt: Alan docs: Alan web site: Alan releases: Alan bug fixes: Alan Wiki: Peter Nixon
Sense a theme?
I do see a theme but I also see a problem. FreeRADIUS has gotten big enough that 1 person, even one as amazing as you are, can't do it all. I humbly suggest you try to offload some of the work by running this as a project and having a team. You can delegate responsibilities, coordinate and still have a significant architectural and coding role. Plus you get the added benefit of being "Benevolent Dictator for Life" of FreeRADIUS (http://en.wikipedia.org/wiki/Benevolent_Dictator_For_Life) -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
John Dennis wrote:
I do see a theme but I also see a problem. FreeRADIUS has gotten big enough that 1 person, even one as amazing as you are, can't do it all. I humbly suggest you try to offload some of the work by running this as a project and having a team.
Sure. Volunteers? It was run as a team for a while. The main team members gradually got busy doing other things.
You can delegate responsibilities, coordinate and still have a significant architectural and coding role.
Sure. Using git means that delegation is much less of an issue, though. Simply fork FreeRADIUS using github, write patches, and submit them. That's how all of the recent third-party patches have gone in. Again: look at the track record. Pretty much any interesting new feature, or patch or bugfix gets added. But the volume of such submissions is pretty low. There's no need to volunteer, or to take on a role. Just do the work, and the title will come automatically. Alan DeKok.
Alexandros Gougousoudis wrote:
Phil, I also understand a lot of things and I can read, but the documentation of FR is not ideal. I've googled around, looked examples and had more questions than before. Where are all these features documented, like the "if then"-things in the conf, all the keywords like "ok=return" and so on,
All documented. See "man unlang".
what's the difference between Autz-Type and Auth-Type?
See doc/Autz-Type
The only thing to get help is here on the list, on the net you find a lot infos to FR 1.1 and 2 (one is deployinradius and one the FR site) sites containing a little bit information, no much more than the conf-files coming with the FR-archive.
The detailed guides on my web site are a *lot* more than the config files that come with the server.
I'am not complaining, because it's an open source project, but you should note that it's sometimes not the lack of understanding than the lack of well documented features. And if I can't find the infos I need in the docs, I start to try things out.
The main issue with the current documentation is organization. The organization is currently pretty bad. But nearly everything is documented somewhere. Alan DeKok.
Alexandros Gougousoudis wrote:
A host-based authentification for my workstations. All the names of the workstations are in LDAP, the authentification itself should be done with EAP-TLS. I would like to have a hint, how to start EAP when the LDAP-Query was successfull.
You don't. Instead, do reject the user if the LDAP query failed.
The LDAP-Query works I think, FR says: [ldap] user scit-beerchen authorized to use remote access, but then it tries to make some kind of password authentification (I have no password for workstations in LDAP), and is not starting EAP-TLS. The asking host "scit-beerchen" is in the WLAN-User Group.
What could I do?
Read the debug log you posted to the list. You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong. Don't force Auth-Type. Alan DeKok.
Hi Alan, Alan DeKok schrieb:
You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong.
Don't force Auth-Type.
I didn't want that, now after kicking out ntlm_auth things work, even the cert has been accepted. I assume the problem I had was, that the time of the radius-machine was not synchrone to the network and the signal for Wlan was to low. After fixing both, the conversation worked an I got an Access-Accept. Thanks to you and Phil for the help. bye Alex
participants (7)
-
Alan DeKok -
Alexandros Gougousoudis -
Arran Cudbard-Bell -
Gary Gatten -
John Center -
John Dennis -
Phil Mayers