Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ? /Henrik
On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ?
/Henrik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Great, you wouldn't happen to have a configuration example ? /Henrik On Sun, Jun 6, 2021 at 10:42 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ?
/Henrik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack
On 06.06.21 11:00, Henrik Schack via Freeradius-Users wrote:
Great, you wouldn't happen to have a configuration example ?
/Henrik
On Sun, Jun 6, 2021 at 10:42 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ?
/Henrik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes.
See sections tls-common and tls in the eap module. Basically you have to enter the data about your CA and your server cert. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Yes, I have come that far, but my Mac still wants to do some username/password authentication on top of that. I have the CA running, CA cert on my Mac, and a client cert installed as well. Br Henrik On Sun, Jun 6, 2021 at 11:07 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 11:00, Henrik Schack via Freeradius-Users wrote:
Great, you wouldn't happen to have a configuration example ?
/Henrik
On Sun, Jun 6, 2021 at 10:42 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ?
/Henrik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes.
See sections tls-common and tls in the eap module.
Basically you have to enter the data about your CA and your server cert.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack
This is how far I get: --cut-- (3) Received Access-Request Id 227 from 176.23.5.126:34447 to 142.93.141.56:1812 length 240 (3) User-Name = "henrik.schack" (3) NAS-Identifier = "868a208e5107" (3) Called-Station-Id = "86-8A-20-8E-51-07:Schack-Radius" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "8C-85-90-86-02-F8" (3) Connect-Info = "CONNECT 0Mbps 802.11b" (3) Acct-Session-Id = "7E6FCAA312B559DD" (3) Acct-Multi-Session-Id = "514DA94808250535" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Framed-MTU = 1400 (3) EAP-Message = 0x029b00060319 (3) State = 0xb7ab73e6b7307e049cc58c8fe41ba75d (3) Message-Authenticator = 0x9022c329b8e6b424f42bf8e53d3001df (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) [preprocess] = ok (3) eap: Peer sent EAP Response (code 2) ID 155 length 6 (3) eap: Ignoring NAK with request for unknown EAP type (3) [eap] = noop (3) [expiration] = noop (3) [logintime] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> henrik.schack (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap: Expiring EAP session with state 0xb7ab73e6b7307e04 (3) eap: Finished EAP session with state 0xb7ab73e6b7307e04 (3) eap: Previous EAP request found for state 0xb7ab73e6b7307e04, released from the list (3) eap: Request was previously rejected, inserting EAP-Failure (3) eap: Sending EAP Failure (code 4) ID 155 length 4 (3) [eap] = updated (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 227 from 142.93.141.56:1812 to 176.23.5.126:34447 length 44 (3) EAP-Message = 0x049b0004 (3) Message-Authenticator = 0x00000000000000000000000000000000 --cut-- /Henrik On Sun, Jun 6, 2021 at 11:11 AM Henrik Schack <henrik@schack.dk> wrote:
Yes, I have come that far, but my Mac still wants to do some username/password authentication on top of that. I have the CA running, CA cert on my Mac, and a client cert installed as well.
Br Henrik
On Sun, Jun 6, 2021 at 11:07 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 11:00, Henrik Schack via Freeradius-Users wrote:
Great, you wouldn't happen to have a configuration example ?
/Henrik
On Sun, Jun 6, 2021 at 10:42 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
Hi Is it possible to configure Freeradius to require only a valid TLS client cert created by own CA, in order to get an ACCEPT ?
/Henrik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes.
See sections tls-common and tls in the eap module.
Basically you have to enter the data about your CA and your server cert.
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack
On 06.06.21 11:16, Henrik Schack via Freeradius-Users wrote:
eap: Ignoring NAK with request for unknown EAP type
Now we come to the point. Can you please send the complete debug output of freeradius. Thanks, Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
Hi This is what it generates on startup in debug mode. --cut-- root@ocean:/etc/freeradius/3.0/sites-enabled# service freeradius debug ● freeradius.service - FreeRADIUS multi-protocol policy server Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; vendor preset: enabled) Active: inactive (dead) since Sun 2021-06-06 06:10:24 UTC; 5h 49min ago Docs: man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/ Process: 2452 ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS (code=exited, status=0/SUCCESS) Process: 2439 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cxm -lstdout (code=exited, status=0/SUCCESS) Main PID: 2454 (code=exited, status=0/SUCCESS) Jun 06 06:10:20 ocean freeradius[2439]: Starting - reading configuration files ... Jun 06 06:10:20 ocean freeradius[2439]: Debugger not attached Jun 06 06:10:20 ocean freeradius[2439]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list fo…alm "DEFAULT". Jun 06 06:10:20 ocean freeradius[2439]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter li…alm "DEFAULT". Jun 06 06:10:20 ocean freeradius[2439]: Ignoring "sql" (see raddb/mods-available/README.rst) Jun 06 06:10:20 ocean freeradius[2439]: radiusd: #### Skipping IP addresses and Ports #### Jun 06 06:10:20 ocean freeradius[2439]: Configuration appears to be OK Jun 06 06:10:20 ocean systemd[1]: Started FreeRADIUS multi-protocol policy server. Jun 06 06:10:24 ocean systemd[1]: Stopping FreeRADIUS multi-protocol policy server... Jun 06 06:10:24 ocean systemd[1]: Stopped FreeRADIUS multi-protocol policy server. Hint: Some lines were ellipsized, use -l to show in full. FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/3.0/dictionary including configuration file /etc/freeradius/3.0/radiusd.conf including configuration file /etc/freeradius/3.0/proxy.conf including configuration file /etc/freeradius/3.0/clients.conf including files in directory /etc/freeradius/3.0/mods-enabled/ including configuration file /etc/freeradius/3.0/mods-enabled/expiration including configuration file /etc/freeradius/3.0/mods-enabled/expr including configuration file /etc/freeradius/3.0/mods-enabled/logintime including configuration file /etc/freeradius/3.0/mods-enabled/exec including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter including configuration file /etc/freeradius/3.0/mods-enabled/detail including configuration file /etc/freeradius/3.0/mods-enabled/eap including configuration file /etc/freeradius/3.0/mods-enabled/always including configuration file /etc/freeradius/3.0/mods-enabled/realm including configuration file /etc/freeradius/3.0/mods-enabled/preprocess including configuration file /etc/freeradius/3.0/mods-enabled/radutmp including files in directory /etc/freeradius/3.0/policy.d/ including configuration file /etc/freeradius/3.0/policy.d/filter including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/3.0/policy.d/accounting including configuration file /etc/freeradius/3.0/policy.d/canonicalization including configuration file /etc/freeradius/3.0/policy.d/debug including configuration file /etc/freeradius/3.0/policy.d/eap including configuration file /etc/freeradius/3.0/policy.d/abfab-tr including configuration file /etc/freeradius/3.0/policy.d/cui including configuration file /etc/freeradius/3.0/policy.d/operator-name including configuration file /etc/freeradius/3.0/policy.d/dhcp including configuration file /etc/freeradius/3.0/policy.d/control including files in directory /etc/freeradius/3.0/sites-enabled/ including configuration file /etc/freeradius/3.0/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm storytel.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client copenhagenoffice { ipaddr = 77.221.230.244 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 75 lifetime = 0 idle_timeout = 60 } } client copenhagen { ipaddr = 176.23.5.126 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 75 lifetime = 0 idle_timeout = 60 } } Debugger not attached # Creating Auth-Type = eap radiusd: #### Instantiating modules #### modules { # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_exec # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_detail # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/3.0/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } instantiate { } # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/server.key" certificate_file = "/etc/freeradius/3.0/certs/server.pem" ca_file = "/etc/freeradius/3.0/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no allow_expired_crl = yes cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" tls_max_version = "1.2" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} Ignoring "sql" (see raddb/mods-available/README.rst) # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 32997 Listening on proxy address :: port 48480 Ready to process requests --cut-- On Sun, Jun 6, 2021 at 11:21 AM Michael Schwartzkopff <ms@sys4.de> wrote:
On 06.06.21 11:16, Henrik Schack via Freeradius-Users wrote:
eap: Ignoring NAK with request for unknown EAP type
Now we come to the point.
Can you please send the complete debug output of freeradius. Thanks,
Mit freundlichen Grüßen,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Mvh/Best regards Henrik Schack Twitter: http://twitter.com/schack
On Jun 6, 2021, at 8:01 AM, Henrik Schack via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
This is what it generates on startup in debug mode. .. Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 32997 Listening on proxy address :: port 48480 Ready to process requests
That is not helpful. Please read http://wiki.freeradius.org/list-help To answer your various other questions: 1) ask HOW to do something. FreeRADIUS can do almost anything. If you ask "can I do X?", then the answer is almost always "yes". 2) ask good questions. give as much information as possible about what you want to do, what you tried doing, and what happened 3) don't ask for "a configuration example". The server comes with large amounts of documentation and comments. There's a Wiki, too. 4) If the Mac wants to do username / password authentication, then you need to configure the Mac to do EAP-TLS. Apple has a configuration tool / GUI which you can use: https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 5) don't play the "20 questions game". Give ALL of the relevant information. In ONE message. If you give new / different information in each message, people get tired, and give up. This is a technical help list. We're happy to help with technical answers. But asking good questions is useful skill. Alan DeKok.
participants (3)
-
Alan DeKok -
Henrik Schack -
Michael Schwartzkopff