FreeRadius EAP-TLS question
Hamid Salim
salim.h at neu.edu
Wed Aug 10 04:03:38 CEST 2005
Kris,
Thanks for your help.
Do you think that (1) and (2) in my previous message could be the
reason that freeradius will not authenticate the client?
thanks again.
freeradius-users-request at lists.freeradius.org wrote:
>Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
>or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
>You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Freeradius-Users digest..."
>
>
>Today's Topics:
>
> 1. FreeRadius EAP-TLS questions (Hamid Salim)
> 2. Re: problem with using rlm_sql for accounting only (John Donagher)
> 3. Re: problem with using rlm_sql for accounting only (John Donagher)
> 4. Re: FreeRadius EAP-TLS questions (Kris Benson)
> 5. sql.conf (update query) (Michel Bélanger)
> 6. Re: problem with using rlm_sql for accounting only (Alan DeKok)
> 7. Hi. Windows RADIUS server died. (Derrick MacPherson)
> 8. Re: Hi. Windows RADIUS server died. (Alan DeKok)
> 9. Re: Hi. Windows RADIUS server died. (Derrick MacPherson)
> 10. Re: how to return multiple attributes from ldap? (kevin)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 9 Aug 2005 13:54:52 -0400 (EDT)
>From: Hamid Salim <salim.h at neu.edu>
>Subject: FreeRadius EAP-TLS questions
>To: freeradius-users at lists.freeradius.org
>Message-ID: <4476601.1123610092946.JavaMail.salim.h at neu.edu>
>Content-Type: text/plain; charset=UTF-8
>
>Hello,
>Two part question:
>1. Is it critical to have the certificates, dh and random files in the
>etc/raddb/certs directory for eap-tls to work?
>2. Is it ok to generate the random file as date > random?
>
>thanks a lot.
>Hamid.
>
>
>------------------------------
>
>Message: 2
>Date: Tue, 09 Aug 2005 13:55:45 -0400
>From: John Donagher <john at webmeta.com>
>Subject: Re: problem with using rlm_sql for accounting only
>To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
>Message-ID: <1123610145.31591.0.camel at localhost.localdomain>
>Content-Type: text/plain
>
>On Tue, 2005-08-09 at 00:01 +0200, Nicolas Baradakis wrote:
>> John Donagher wrote:
>>
>> > If the SQL server is inaccessible (i.e. down, or locked), freeradius
>> > rejects all radius requests. In my case, since the SQL database is being
>> > used only for accounting, this is not desired behavior.
>>
>> The link below explains how to control the flow of modules in FreeRADIUS.
>> http://www.freeradius.org/radiusd/doc/configurable_failover
>>
>> There is an example which looks like what you want to do for accounting.
>>
>
>Thanks, that was exactly what I was looking for!
>
>John
>
>
>
>
>------------------------------
>
>Message: 3
>Date: Tue, 09 Aug 2005 14:01:11 -0400
>From: John Donagher <john at webmeta.com>
>Subject: Re: problem with using rlm_sql for accounting only
>To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
>Message-ID: <1123610471.31591.7.camel at localhost.localdomain>
>Content-Type: text/plain
>
>On Mon, 2005-08-08 at 18:09 -0400, Alan DeKok wrote:
>> John Donagher <john at webmeta.com> wrote:
>> > If the SQL server is inaccessible (i.e. down, or locked), freeradius
>> > rejects all radius requests. In my case, since the SQL database is being
>> > used only for accounting, this is not desired behavior.
>>
>> See the log messages.
>>
>> What's probably happening is that all of the threads are blocked,
>> waiting for SQl to respond. Therefore, there are no threads ready to
>> service authentication requests, and they get discarded.
>>
>> The solution is to fix the SQL server so it doesn't go down. If
>> it's a critical part of your infrastructure, I'm a little unsure as to
>> why it would go down, or lock FreeRADIUS out for many seconds at a
>> time.
>
>Indeed.. under normal circumstances it wouldn't go down. My issue is
>that the SQL server is not a critical part of our infrastructure and I
>don't want it to be (at this point anyway). I'm using it for accounting
>trend reporting only.. in any event, Nicolas' suggestion was right on
>and works like a charm.
>
>Thanks
>John
>
>
>
>
>------------------------------
>
>Message: 4
>Date: Tue, 09 Aug 2005 11:18:10 -0700
>From: "Kris Benson" <kbenson at sd57.bc.ca>
>Subject: Re: FreeRadius EAP-TLS questions
>To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
>Cc: freeradius-users at lists.freeradius.org
>Message-ID:
> <fc.000f89ac0157986a3b9aca00c03bc7e0.1579876 at mail.sd57.bc.ca>
>Content-Type: text/plain; charset=ISO-8859-1
>
>FreeRadius users mailing list <freeradius-users at lists.freeradius.org> on
>August 9, 2005 at 10:54 -0800 wrote:
>>Hello,
>>Two part question:
>>1. Is it critical to have the certificates, dh and random files in the
>>etc/raddb/certs directory for eap-tls to work?
>>2. Is it ok to generate the random file as date > random?
>
>1. Yes, sort of. You can put it in a different directory if you change
>the eap.conf entries.
>
>2. No. This is the correct way:
>
>To generate the dh file you can use a function that comes with openssl
>
>openssl dhparam -check -text -5 512 -out dh
>
>This will generate a 512 Diffie-Hellman key named dh.
>Move this file to /etc/mycerts/
>
>mv dh /etc/mycerts/.
>
>To generate a random file you will need a short C program using openssl
>libraries. Paste this text into a file named 'random.c':
>----8< cut---
>#include <stdio.h>
>#include <stdlib.h>
>#include <openssl/rand.h>
>
>/* Write 100 bytes from OpenSSL's CSPRNG to stdout as raw binary,
> * so the output can be redirected into a file: ./random > random */
>int main(void) {
>    unsigned char buf[100];
>    if (!RAND_bytes(buf, sizeof buf)) {
>        /* RAND_bytes returns 0 when the PRNG is not seeded; do not fall
>         * back to weak sources such as time or pid */
>        fprintf(stderr, "RAND_bytes failed\n");
>        return EXIT_FAILURE;
>    }
>    if (fwrite(buf, 1, sizeof buf, stdout) != sizeof buf) {
>        return EXIT_FAILURE;
>    }
>    return EXIT_SUCCESS;
>}
>----8< cut---
>
>Compile it like this: gcc random.c -o random -lcrypto
>
>It will generate a 32-bit LSB executable named random; try it with ./random.
>
>Move this file to /etc/mycerts/:
>mv random /etc/mycerts/.
>
>-kb
>--
>Kris Benson, CCP, I.S.P.
>Technical Analyst, District Projects
>School District #57 (Prince George)
>
>
>
>------------------------------
>
>Message: 5
>Date: Tue, 09 Aug 2005 15:34:28 -0400
>From: Michel Bélanger <michel.belanger at mediom.qc.ca>
>Subject: sql.conf (update query)
>To: freeradius-users at lists.freeradius.org
>Message-ID: <42F90544.8020804 at mediom.qc.ca>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Hi,
>I am trying to add an additional query to the update query in sql.conf. Is
>it possible to do this?
>
>Here is what I have tested:
>
>accounting_update_query = "UPDATE ${acct_table1} \
> SET FramedIPAddress = '%{Framed-IP-Address}', \
> AcctSessionTime = '%{Acct-Session-Time}', \
> AcctInputOctets = '%{Acct-Input-Octets}', \
> AcctOutputOctets = '%{Acct-Output-Octets}' \
> WHERE AcctSessionId = '%{Acct-Session-Id}' \
> AND UserName = '%{SQL-User-Name}' \
> AND NASIPAddress= '%{NAS-IP-Address}'; INSERT into radtempo
>(AcctInputOctets, AcctOutputOctets, AcctSessionId) values('%{Acct-Input-Octets}',
>'%{Acct-Output-Octets}', '%{Acct-Session-Id}')"
>
>rlm_sql_mysql: MYSQL check_error: 1064 received
>rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an
>error in your SQL syntax; check the manual that corresponds to your
>MySQL server version for the right syntax to use near '; INSERT into
>radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) values' at
>line 1
>--
>------------------------------------------------------------
>
>Michel Bélanger
>
>
>
>
>------------------------------
>
>Message: 6
>Date: Tue, 09 Aug 2005 16:00:34 -0400
>From: "Alan DeKok" <aland at ox.org>
>Subject: Re: problem with using rlm_sql for accounting only
>To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
>Message-ID: <20050809200034.64BA316CCA at mail.nitros9.org>
>
>John Donagher <john at webmeta.com> wrote:
>> Indeed.. under normal circumstances it wouldn't go down. My issue is
>> that the SQL server is not a critical part of our infrastructure and I
>> don't want it to be (at this point anyway). I'm using it for accounting
>> trend reporting only.. in any event, Nicolas' suggestion was right on
>> and works like a charm.
>
> In the CVS head you can use the rlm_sql_log module, which dumps the
>queries to a file. The file can then be post-processed. This removes
>all run-time dependency on SQL, which is a better solution.
>
> Alan DeKok.
>
>
>------------------------------
>
>Message: 7
>Date: Tue, 09 Aug 2005 13:47:29 -0700
>From: Derrick MacPherson <dmacpherson at mainframe.ca>
>Subject: Hi. Windows RADIUS server died.
>To: freeradius-users at lists.freeradius.org
>Message-ID: <1123620449.10739.94.camel at Mandarin-04.mainframe.ca>
>Content-Type: text/plain
>
>I just got asked to try and get a freeradius server running ASAP. I got
>it installed on a freebsd 5.4 box that I had just finished getting squid
>running on; not implemented yet, still testing.
>
>I see freeradius can use ntlm_auth as well, though I'm not clear on its
>syntax. I have squid using the same authentication criteria as the
>radius server was using, which was based upon being in a certain group. Can
>freeradius support this as well? My syntax in squid:
>
>ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
>
>Can someone save me with a quick example or am I off to read and google?
>
>
>
>------------------------------
>
>Message: 8
>Date: Tue, 09 Aug 2005 17:22:17 -0400
>From: "Alan DeKok" <aland at ox.org>
>Subject: Re: Hi. Windows RADIUS server died.
>To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
>Message-ID: <20050809212218.06DD216CCA at mail.nitros9.org>
>
>Derrick MacPherson <dmacpherson at mainframe.ca> wrote:
>> I see freeradius can use ntlm_auth as well, though I'm not clear on its
>> syntax.
>
> See radiusd.conf for an example, and the ntlm_auth docs for its
>command-line arguments.
>
>> I have squid using the same authentication criteria as the radius
>> server was using, that was based upon being in certain group. Can
>> freeradius support this as well?
>
> Sure, because FreeRADIUS doesn't care about command-line arguments
>to ntlm_auth. Add as many arguments to ntlm_auth as you want.
>
>> ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> This *isn't* supported. You have to pass the username & password on
>the command line, as in the examples. And if you're doing MSCHAP, you
>MUST also pass the "request nt key" option, too.
>
>> --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
>
> This is just noise to FreeRADIUS, which doesn't look at it, and
>doesn't care. If ntlm_auth returns success, so does FreeRADIUS. If
>it returns fail, so does FreeRADIUS.
>
> Alan DeKok.
>
>
>
>------------------------------
>
>Message: 9
>Date: Tue, 09 Aug 2005 14:38:38 -0700
>From: Derrick MacPherson <dmacpherson at mainframe.ca>
>Subject: Re: Hi. Windows RADIUS server died.
>To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
>Message-ID: <1123623518.10739.111.camel at Mandarin-04.mainframe.ca>
>Content-Type: text/plain
>
>On Tue, 2005-08-09 at 17:22 -0400, Alan DeKok wrote:
>> See radiusd.conf for an example, and the ntlm_auth docs for its
>> command-line arguments.
>
>thank you, reading them now.
>
>Is there a way to test if the authentication is passing or failing?
>
>
>
>------------------------------
>
>Message: 10
>Date: Tue, 09 Aug 2005 15:10:17 -0700
>From: kevin <kevinsmbox at earthlink.net>
>Subject: Re: how to return multiple attributes from ldap?
>To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
>Message-ID: <42F929C9.7070102 at earthlink.net>
>Content-Type: text/plain; charset="iso-8859-1"
>
>But I am still interested in a way of returning multiple attributes
>without changing the ldap data.
>I thought there must be a way.
>
>kevin
>
>Dusty Doris wrote:
>
>>On Tue, 9 Aug 2005, kevin wrote:
>>
>>
>>
>>>What? So, should I change the ldap attribute values with "+=" ???
>>>Any other way?
>>>
>>>
>>>
>>
>>Yep, it works.
>>
>>I did a test, with this DN only one filter-id was returned.
>>
>>dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
>>objectClass: radiusprofile
>>userPassword:: ZHVzdHl0ZXN0
>>radiusGroupName: dial
>>radiusGroupName: adsl
>>uid: dustytest
>>radiusFilterId: filter1
>>radiusFilterId: filter2
>>
>>Received response ID 210, code 2, length = 59
>> Framed-Routing = None
>> Framed-IP-Netmask = 255.255.255.0
>> Framed-Protocol = PPP
>> Service-Type = Framed-User
>> Filter-Id = "filter1"
>>
>>
>>With this dn, both were returned (note there were no quotes in it - that
>>didn't work)
>>
>>dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
>>objectClass: radiusprofile
>>userPassword:: ZHVzdHl0ZXN0
>>radiusGroupName: dial
>>radiusGroupName: adsl
>>uid: dustytest
>>radiusFilterId: += filter1
>>radiusFilterId: += filter2
>>
>>Received response ID 214, code 2, length = 68
>> Framed-Routing = None
>> Framed-IP-Netmask = 255.255.255.0
>> Framed-Protocol = PPP
>> Service-Type = Framed-User
>> Filter-Id = "filter1"
>> Filter-Id = "filter2"
>>
>>-
>>List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>
>>
>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL: https://list.xs4all.nl/pipermail/freeradius-users/attachments/20050809/95391bfa/attachment.html
>
>------------------------------
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>End of Freeradius-Users Digest, Vol 4, Issue 39
>***********************************************
>