802.1x & kerberos (Fixed Subject Line)
Reynolds, Walter
waltr at umich.edu
Fri Oct 12 19:27:50 CEST 2007
Yes Ivan, I apologize for pasting an incomplete image command from my
test machine.
---
Walt Reynolds
Principal Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438
> -----Original Message-----
> Date: Fri, 12 Oct 2007 15:26:50 +0100
> From: <tnt at kalik.co.yu>
> Subject: RE: Freeradius-Users Digest, Vol 30, Issue 48
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Message-ID: <n4B28c5h.1192199210.5441340.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> >> > DEFAULT Freeradius-Proxied-To == 127.0.0.1
> >> > Fall-Through = Yes
> >>
> >> That entry does nothing.
> >
> > I agree it does nothing for authentication, but this will be part of
> > the solution to get accounting records based on the inner identity and
> > not the outer with TTLS
> >
> > Has something changed in recent code that makes this unnecessary?
>
> No. You probably want:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>         User-Name = `%{User-Name}`
>
> Ivan Kalik
> Kalik Informatika ISP
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of freeradius-users-request at lists.freeradius.org
> Sent: Friday, October 12, 2007 12:34 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 30, Issue 51
>
>
> Today's Topics:
>
> 1. Re: Freeradius-Users Digest, Vol 30, Issue 48 (Alan DeKok)
> 2. RE: Freeradius-Users Digest, Vol 30, Issue 48 (tnt at kalik.co.yu)
> 3. Re: rlm_realm doesn't strip the username (Tomasz Zieleniewski)
> 4. Re: FATAL: Thread create failed: Cannot allocate memory (A.L.M.Buxey at lboro.ac.uk)
> 5. Re: Darwin DirectoryServices (warnnings) (Alan DeKok)
> 6. Using freeradius and 802.1x for ssign VLAN X (lvizcardof at unsa.edu.pe)
> 7. Re: rlm_realm doesn't strip the username (tnt at kalik.co.yu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 12 Oct 2007 16:23:33 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Freeradius-Users Digest, Vol 30, Issue 48
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <470F8365.9050603 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Reynolds, Walter wrote:
> ...
> >>> DEFAULT Freeradius-Proxied-To == 127.0.0.1
> >>> Fall-Through = Yes
> >> That entry does nothing.
> > I agree it does nothing for authentication, but this will be part of
> > the solution to get accounting records based on the inner identity
> > and not the outer with TTLS
>
> I don't see why.
>
> > http://www.mail-archive.com/freeradius-users at lists.freeradius.org/msg02045.html
>
> Which doesn't mention an entry like the one quoted above.
>
> > Has something changed in recent code that makes this unnecessary?
>
> I would first like to know why that entry does anything. It certainly
> doesn't set the User-Name. So it doesn't have anything to do with
> fixing the anonymous accounting issue.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 12 Oct 2007 15:26:50 +0100
> From: <tnt at kalik.co.yu>
> Subject: RE: Freeradius-Users Digest, Vol 30, Issue 48
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <n4B28c5h.1192199210.5441340.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> >> > DEFAULT Freeradius-Proxied-To == 127.0.0.1
> >> > Fall-Through = Yes
> >>
> >> That entry does nothing.
> > I agree it does nothing for authentication, but this will be part of
> > the solution to get accounting records based on the inner identity and
> > not the outer with TTLS
> >
> > Has something changed in recent code that makes this unnecessary?
> >
>
> No. You probably want:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
> User-Name = `%{User-Name}`
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 12 Oct 2007 16:51:49 +0200
> From: "Tomasz Zieleniewski" <tzieleniewski at gmail.com>
> Subject: Re: rlm_realm doesn't strip the username
> To: freeradius-users at lists.freeradius.org
> Cc: aland at deployingradius.com
> Message-ID:
> <5fd52d7a0710120751s1eb4ba67x402a733a1a98f055 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you Alan
>
> I updated to 2.0.0-pre2. But now I have some errors and I can't check
> again :)
> Now when my NAS sends the Accounting request or I try to run the 'radtest'
> tool, the verification fails.
> I didn't change anything in the configuration and in the database. I
> have the same NAS configuration.
> I get the following error in the debug mode:
>
> Ignoring request to authentication address * 1812 from unknown client
> 127.0.0.1 port 37391
>
> Please point me to what I missed :)
>
> Best regards
> tomasz
>
> Tomasz Zieleniewski wrote:
> > > I am using radius version 2.0.0-pre0.
> > > I have the following problem: when I receive an Accounting-Request
> > > with a username whose domain part does not match any of the realms
> > > defined in the proxy.conf file, the username is not stripped.
> > > I use the suffix rule for domain ('username at domain') in my realm
> > > module and I invoke it in preacct in radiusd.conf.
> > > I have the DEFAULT realm defined and it doesn't have the nostrip
> > > option activated.
> > > So I think when there is no domain match the username should also
> > > be stripped??
> >
> > Likely, yes. What does debug mode say?
> >
> > You could also try running CVS head, which has a number of fixes
> > over 2.0-pre0.
> >
> > Alan DeKok.
> >
> >
> > ------------------------------
> >
> > Message: 10
> > Date: Fri, 12 Oct 2007 10:16:43 -0300
> > From: "Sergio Belkin" <sebelk at gmail.com>
> > Subject: Re: TLS fatal access_denied
> > To: "FreeRadius users mailing list"
> > <freeradius-users at lists.freeradius.org>
> > Message-ID: <8c6f7f450710120616t48014e18g8c02184fdaef6b97 at mail.gmail.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > 2007/10/11, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> > > How sure are you that you are using EAP-TTLS?
> > >
> > > > rlm_eap: EAP NAK
> > > > rlm_eap: EAP-NAK asked for EAP-Type/peap <==
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > >
> >
> > I am pretty sure because I have default_eap_type = ttls. I've just
> > fixed it; it was a problem with certificates...
> >
> > thanks-
> >
> > --
> > --
> > Sergio Belkin -
> >
> >
> > ------------------------------
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> > End of Freeradius-Users Digest, Vol 30, Issue 49
> > ************************************************
> >
>
> ------------------------------
>
> Message: 4
> Date: Fri, 12 Oct 2007 16:01:19 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> Subject: Re: FATAL: Thread create failed: Cannot allocate memory
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20071012150119.GA25677 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > We had one of our MAC-auth radius server instances hang up with this
> > error at about 0200 this morning.
> >
> > That server receives pretty heavy load, and it's bursty, so we see
> > this a couple of times a day:
> >
> > The maximum number of threads (32) are active, cannot spawn new
> > thread to handle request
> >
> > ...but it does not cause problems. An inability to create a new
> > thread is an entirely different matter though; it implies <max threads
> > are running, the server tried to create a new one, and the OS couldn't
> > allocate a thread.
> >
> > Any ideas how to resolve this? Version is FreeRadius 1.1.6 (only
> > reason we haven't upgraded is change control, it's due shortly)
>
> we recently had a similar issue after migrating to using FR for VMPS
> handling. the system may deal with many hundreds of requests per second
> as with VMPS the switch re-auths all ports at exactly the same time.
> with 48 port switches this gets interesting. anyway. the issue was
> that we had the following config
>
> radiusd.conf max_servers = X
> experimental.conf - perl, max_clones = Y
>
> where X != Y
>
> this is a big problem and you get the above mentioned errors. you ALSO
> get the error when X = Y and the load/demand is very high. in this case
> the radius thread appears to be trying to launch a new PERL instance
> before the old ones have gone. anyway, a rapid increase of the values
> helped straight away. as did a proper optimization of the DB to get
> much much faster PERL code.
>
> what you have to ensure in these cases is you don't see these ones:
>
> Fri Feb 11 16:00:11 2006 : Error: Discarding duplicate request from
> client BLAH port 49464 - ID: 10313 due to unfinished request 6
>
> as although seemingly okay the client isn't getting an answer from its
> requests.
>
> alan
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 12 Oct 2007 18:07:20 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Darwin DirectoryServices (warnnings)
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <470F9BB8.6090601 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arran Cudbard-Bell wrote:
> > Hi,
> > Running radiusd 2.0pre2 (cvs head)
> >
> > Just checked the system logs on one of our radius servers, and I'm
> > seeing some strange error messages from directory services.
> >
> > Oct 12 12:02:50 wolverine DirectoryService[54]: Potential VM growth in
> > DirectoryService since client PID: 9179, has 675 open references when
> > the warning limit is 500.
>
> Hmm... the only OpenDirectory code in the server is in rlm_mschap. If
> you set "use_open_directory = no" in the rlm_mschap configuration, this
> issue *should* go away.
>
> Unless, of course, you're actually using OpenDirectory. In which
> case, the bug would need fixing.
>
> > Could this explain the possible memory leak in radiusd, that only
> > seems to appear on Darwin ?
>
> Yup.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 12 Oct 2007 11:27:19 -0500
> From: "lvizcardof at unsa.edu.pe" <lvizcardof at unsa.edu.pe>
> Subject: Using freeradius and 802.1x for ssign VLAN X
> To: freeradius-users at lists.freeradius.org
> Message-ID: <20071012112719.mdbbnguhdcssk80c at mail.unsa.edu.pe>
> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
> format="flowed"
>
> Hi,
> I use freeradius-1.0.4-1.FC4.1 on a Fedora Core 4 Linux PC. In the
> users file I have:
>
> lucy    Auth-Type := EAP, User-Password == "lucy"
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2
>
> I have this problem:
> The user "lucy" should get access to VLAN 2, but by default the user
> lands in VLAN 1. I don't know how to make the user "lucy" get access
> to VLAN 2.
>
> This is the configuration of file eap.conf
> ==================
> eap {
>         default_eap_type = tls
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         md5 {
>         }
>         leap {
>         }
>         gtc {
>                 auth_type = PAP
>         }
>         tls {
>                 private_key_password = whatever
>                 private_key_file = ${raddbdir}/certs/cert-srv.pem
>                 certificate_file = ${raddbdir}/certs/cert-srv.pem
>                 CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = ${raddbdir}/certs/random
>                 fragment_size = 1024
>                 include_length = yes
>         }
>         ttls {
>                 default_eap_type = md5
>                 use_tunneled_reply = yes
>         }
>         peap {
>                 default_eap_type = mschapv2
>         }
>         mschapv2 {
>         }
> }
> ==============
>
> If anyone knows how to resolve this, please write to me.
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 12 Oct 2007 17:34:03 +0100
> From: <tnt at kalik.co.yu>
> Subject: Re: rlm_realm doesn't strip the username
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4kiXw4zk.1192206843.0052930.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> Add this to clients.conf:
>
> client 127.0.0.1 {
> secret = testing123
> shortname = localhost
> }
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> On 12/10/2007, "Tomasz Zieleniewski" <tzieleniewski at gmail.com> writes:
>
> [quoted text identical to Message 3 above]
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 30, Issue 51
> ************************************************
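Two of the users-file entries quoted in this digest fail on small details: the first DEFAULT entry (Fall-Through only) never rewrites User-Name, which is Alan's objection, and lucy's VLAN entry as originally posted misspells Tunnel-Type, so the RFC 3580 tunnel triple the switch needs is incomplete. The linter below is an added example, not code from the list or from FreeRADIUS; it parses users-file entries with a simplified grammar (a subset of what rlm_files accepts), checks whether a DEFAULT entry sets User-Name in its reply items, and checks that Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-Id are all present and spelled as dictionary attributes. KNOWN_ATTRS, SAMPLE_USERS and the helper names are my own constructions.

```python
"""Lint FreeRADIUS 'users' file entries for the two problems raised above:
a DEFAULT entry meant to carry the inner (TTLS) identity into accounting
that never touches User-Name, and a per-user entry whose RFC 3580 tunnel
attributes should put the supplicant in a VLAN but contain a misspelled
attribute name.  Added example, not FreeRADIUS code; the grammar below is
a simplification of what rlm_files accepts."""
import re
from dataclasses import dataclass, field

# Subset of the RADIUS dictionary this linter recognises.  Assumption: a
# production check would load the server's dictionary files instead.
KNOWN_ATTRS = {
    "auth-type", "user-password", "cleartext-password", "user-name",
    "freeradius-proxied-to", "fall-through", "service-type",
    "tunnel-type", "tunnel-medium-type", "tunnel-private-group-id",
}

# One 'Attribute op value' item.  Values may be "double-quoted",
# `back-quoted` or bare; items are separated by commas.
ITEM_RE = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*(==|:=|\+=|!=|>=|<=|=~|!~|=|>|<)\s*'
    r'("[^"]*"|`[^`]*`|[^,]+?)\s*(?:,|$)')


@dataclass
class Entry:
    name: str
    check: list = field(default_factory=list)   # (attr, op, value) tuples
    reply: list = field(default_factory=list)


def parse_items(text):
    """Split 'A op v, B op w' into (attr, op, value) tuples, unquoting values."""
    return [(m.group(1), m.group(2), m.group(3).strip('"`'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """An entry starts in column 0 with its name and check items; the
    indented lines that follow carry its reply items.  '#' begins a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"(\S+)\s*(.*)", line)
            entries.append(Entry(m.group(1), parse_items(m.group(2))))
        elif entries:
            entries[-1].reply.extend(parse_items(line.strip()))
        else:
            raise ValueError(f"reply item before any entry: {line.strip()!r}")
    return entries


def sets_user_name(entry):
    """Alan's test: the entry helps anonymous accounting only if it
    actually rewrites User-Name; Fall-Through alone does not."""
    return any(attr.lower() == "user-name" for attr, _, _ in entry.reply)


def vlan_assignment_problems(entry):
    """Reasons the reply would not place the supplicant in a VLAN on an
    RFC 3580 aware switch.  An empty list means the triple is complete."""
    problems = []
    reply = {attr.lower(): (op, value) for attr, op, value in entry.reply}
    for attr, _, _ in entry.reply:
        if attr.lower() not in KNOWN_ATTRS:
            problems.append(f"unknown attribute {attr!r} (not in the dictionary)")
    if reply.get("tunnel-type", (None, None))[1] != "VLAN":
        problems.append("Tunnel-Type = VLAN missing")
    if reply.get("tunnel-medium-type", (None, None))[1] != "IEEE-802":
        problems.append("Tunnel-Medium-Type = IEEE-802 missing")
    if "tunnel-private-group-id" not in reply:
        problems.append("Tunnel-Private-Group-Id (the VLAN id) missing")
    return problems


def lint(text):
    """One human readable verdict per entry."""
    report = []
    for i, e in enumerate(parse_users(text)):
        if e.name == "DEFAULT":
            verdict = "rewrites User-Name" if sets_user_name(e) else "does not touch User-Name"
        else:
            probs = vlan_assignment_problems(e)
            verdict = "VLAN assignment complete" if not probs else "; ".join(probs)
        report.append(f"entry {i} ({e.name}): {verdict}")
    return report


# Constructed sample: the entries quoted on the list as first posted, then
# lucy's entry with the attribute name corrected.
SAMPLE_USERS = """\
DEFAULT Freeradius-Proxied-To == 127.0.0.1
\tFall-Through = Yes

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
\tUser-Name = `%{User-Name}`

lucy\tAuth-Type := EAP, User-Password == "lucy"
\tService-Type = Framed-User,
\tTunne-type = VLAN,
\tTunnel-medium-type = IEEE-802,
\tTunnel-Private-Group-Id = 2

lucy\tAuth-Type := EAP, User-Password == "lucy"
\tService-Type = Framed-User,
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 2
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_USERS)))
```

The linter deliberately does not evaluate the back-quoted `%{User-Name}` expansion; it only answers the structural question Alan asked (does the entry set User-Name at all). Attribute names are matched case-insensitively, as the server does, so `Tunnel-medium-type` passes while `Tunne-type` is reported as unknown.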
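Alan Buxey's reply separates three radiusd log lines by what they mean operationally: "The maximum number of threads ... are active" is load the server still absorbs, "Discarding duplicate request ... due to unfinished request" means a NAS retransmitted because no answer came back within its timeout, and "Thread create failed" means the OS refused a new thread. The script below is an added example, not code from the list or from FreeRADIUS, that classifies lines in the 1.x log format quoted in his message, counts duplicates per client, and reports the peak number of retransmits in any sliding window. SAMPLE_LOG is constructed from the quoted line formats; the level prefix on the FATAL line and the 60-second window are assumptions of mine.

```python
"""Classify radiusd log lines for the thread-pool symptoms discussed above:
'maximum number of threads' is load the server still absorbs, 'Discarding
duplicate request' means a NAS retransmitted because it got no answer, and
'Thread create failed' means the OS refused a new thread.  Added example,
not FreeRADIUS code.  SAMPLE_LOG is constructed from the line formats
quoted on the list; the FATAL line's level prefix is an assumption."""
import re
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%a %b %d %H:%M:%S %Y"
# 1.x log line: '<ctime stamp> : <Level>: <message>'
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
DUP_RE = re.compile(
    r"Discarding duplicate request from client (?P<client>\S+) port \d+ "
    r"- ID: \d+ due to unfinished request \d+")
MAX_THREADS_RE = re.compile(r"The maximum number of threads \(\d+\) are active")
THREAD_FAIL_RE = re.compile(r"Thread create failed")

# Constructed sample log; client names and numbers are made up.
SAMPLE_LOG = """\
Fri Oct 12 01:59:58 2007 : Info: Ready to process requests.
Fri Oct 12 02:00:01 2007 : Error: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Oct 12 02:00:01 2007 : Error: Discarding duplicate request from client nas-a port 49464 - ID: 10313 due to unfinished request 6
Fri Oct 12 02:00:03 2007 : Error: Discarding duplicate request from client nas-a port 49464 - ID: 10313 due to unfinished request 6
Fri Oct 12 02:00:07 2007 : Error: Discarding duplicate request from client nas-b port 1812 - ID: 41 due to unfinished request 9
Fri Oct 12 02:00:12 2007 : Error: The maximum number of threads (32) are active, cannot spawn new thread to handle request
Fri Oct 12 02:03:40 2007 : Error: Discarding duplicate request from client nas-a port 49464 - ID: 10320 due to unfinished request 31
Fri Oct 12 02:04:05 2007 : Error: FATAL: Thread create failed: Cannot allocate memory
"""


def peak_in_window(times, window):
    """Largest number of events that fall inside any span of length 'window'."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=timedelta(seconds=60)):
    """Count each symptom and turn the counts into the findings a defender
    would act on, in the order of severity Alan's reply implies."""
    max_threads = thread_fail = unparsed = 0
    dup_per_client = Counter()
    dup_times = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        msg = m.group("msg")
        d = DUP_RE.search(msg)
        if d:
            dup_per_client[d.group("client")] += 1
            dup_times.append(datetime.strptime(m.group("ts"), TS_FMT))
        elif MAX_THREADS_RE.search(msg):
            max_threads += 1
        elif THREAD_FAIL_RE.search(msg):
            thread_fail += 1
    findings = []
    if thread_fail:
        findings.append("thread creation failed: the OS refused a new thread; "
                        "check per-process limits and memory on the server")
    if dup_per_client:
        findings.append("duplicate requests discarded: NAS retransmits because "
                        "answers are not arriving within its timeout")
    if max_threads and not dup_per_client:
        findings.append("thread pool saturated but no retransmits seen: "
                        "bursty load the server is still absorbing")
    return {
        "max_threads_hits": max_threads,
        "thread_create_failures": thread_fail,
        "duplicates_per_client": dict(dup_per_client),
        "peak_duplicates_in_window": peak_in_window(dup_times, window),
        "unparsed": unparsed,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run against a real radius.log (`analyse(open("radius.log"))`) the per-client duplicate counts point at which NAS is timing out, and a rising peak-per-window is the early sign Alan describes: the server looks healthy while clients are already not getting answers.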