need info on EAP-SIM

Kalyani Garigipati (kagarigi) kagarigi at cisco.com
Mon May 26 12:17:00 CEST 2008


Hi Alan,

Thanks for the reply. But I am still getting the same errors. I have put
the lines as follows. I did not put any blank lines in between. The
editor in the mail is showing it like that.

DEFAULT EAP-Sim-Rand1 = 0x89abcbeef9abcdef89abcdef89abcdef
 EAP-Sim-Rand2 = 0x9abcdef89abcdef89abcdef89abcdef8,
 EAP-Sim-Rand3 = 0xabcdef89abcdef89abcdef89abcdef89,
 EAP-Sim-SRES1 = 0x1234abcd,
 EAP-Sim-SRES2 = 0x234abcd1,
 EAP-Sim-SRES3 = 0x34abcd12,
 EAP-Sim-KC1 = 0x0011223344556677,
 EAP-Sim-KC2 = 0x1021324354657687,
 EAP-Sim-KC3 = 0x30415263748596a7

I am getting the following errors
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-Rand2"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-Rand3"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES1"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES2"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES3"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC1"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC2"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
[/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC3"
found in reply item list for user "DEFAULT".    This attribute MUST go
on the first line with the other check items
 Module: Checking session {...} for more modules to load

Regards,
Kalyani

-----Original Message-----
From: freeradius-users-bounces+kagarigi=cisco.com at lists.freeradius.org
[mailto:freeradius-users-bounces+kagarigi=cisco.com at lists.freeradius.org
] On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Monday, May 26, 2008 3:30 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 37, Issue 125

Today's Topics:

   1. Re: radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
      (Riccardo Veraldi)
   2. chap for ldap (Zahra Bahar)
   3. Re: need info on EAP-SIM (A.L.M.Buxey at lboro.ac.uk)


----------------------------------------------------------------------

Message: 1
Date: Mon, 26 May 2008 11:26:26 +0200
From: Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it>
Subject: Re: radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <483A8242.3030708 at cnaf.infn.it>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I wrote a rule in users file to reject login for users being in a
certain group, but still access is given

DEFAULT Ldap-Group == "cn=rjgroup", Auth-Type := Reject
        Reply-Message = "Sorry, you are not allowed to have dialup access"

user can authenticate successfully with EAP-TLS.
User is found in LDAP tree, user is part of ldap group rjgroup, but
still is not being rejected.
What am I missing ?

thanks

Riccardo


Alan DeKok wrote:
> Riccardo Veraldi wrote:
>
>> Not all the people having a certificate should authenticate on my WiFi
>> infrastructure.
>> These certificates are for general purpose, so also for EAP-TLS,
>
>   Then your PKI system is wrong.  You should NOT issue certificates for
> multiple purposes.
>
>   You should issue RADIUS (EAP-TLS) certificates ONLY to the people who
> are allowed to use EAP-TLS.
>
>> but some user in my case should not be authenticated.
>> To select which are the users to be authenticated and which are not,
>> I wanted to use LDAP properties. If a user is in the LDAP directory
>> it should pass, if it is not, it should be refused, but at the end, I am
>> unable to do it.
>
>   Did you read my statement about using LDAP groups?  Do you know what
> an LDAP group is?
>
>   Alan DeKok.



------------------------------

Message: 2
Date: Mon, 26 May 2008 14:02:15 +0330 (IRST)
From: Zahra Bahar <zahra_bahar at ec.iut.ac.ir>
Subject: chap for ldap
To: freeradius-users at lists.freeradius.org
Message-ID: <30958651.75851211797935796.JavaMail.root at mta.iut.ac.ir>
Content-Type: text/plain; charset=utf-8

Hi,
We have FreeRADIUS using LDAP for authorization and authentication. Can
we have CHAP for security between NAS and RADIUS and then PAP between
RADIUS and LDAP server?


------------------------------

Message: 3
Date: Mon, 26 May 2008 10:44:09 +0100
From: A.L.M.Buxey at lboro.ac.uk
Subject: Re: need info on EAP-SIM
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20080526094409.GA8435 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii

hi,

put the first check on the same line as DEFAULT and
remove all those blank lines from between each check

alan


------------------------------


End of Freeradius-Users Digest, Vol 37, Issue 125
*************************************************
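
The layout rule behind the warnings in this message, as an added example (not code from FreeRADIUS or from any poster): in a `users` entry the first line carries the check items and the indented lines after it are read as reply items. The helper names are hypothetical, and treating every `EAP-Sim-*` attribute as a check item is an assumption taken from the warnings quoted above.

```python
import re

# Constructed sample: the entry as posted in the message (values copied from the page).
POSTED_ENTRY = """\
DEFAULT EAP-Sim-Rand1 = 0x89abcbeef9abcdef89abcdef89abcdef
 EAP-Sim-Rand2 = 0x9abcdef89abcdef89abcdef89abcdef8,
 EAP-Sim-Rand3 = 0xabcdef89abcdef89abcdef89abcdef89,
 EAP-Sim-SRES1 = 0x1234abcd,
 EAP-Sim-SRES2 = 0x234abcd1,
 EAP-Sim-SRES3 = 0x34abcd12,
 EAP-Sim-KC1 = 0x0011223344556677,
 EAP-Sim-KC2 = 0x1021324354657687,
 EAP-Sim-KC3 = 0x30415263748596a7
"""

# attribute, operator, value (quoted string or bare token)
ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(==|:=|\+=|!=|=)\s*("[^"]*"|[^,\s]+)')

def is_check_item(attr):
    # Assumption for this example: the EAP-Sim-* attributes named in the warnings.
    return attr.startswith("EAP-Sim-")

def parse_entry(text):
    """Split one entry into (name, check_items, reply_items)."""
    lines = [l for l in text.splitlines() if l.strip()]
    parts = lines[0].split(None, 1)
    rest = parts[1] if len(parts) > 1 else ""
    # First line: check items. Continuation lines: reply items.
    return parts[0], ITEM.findall(rest), ITEM.findall(" ".join(lines[1:]))

def misplaced(text):
    """Check items that ended up in the reply list (one warning each)."""
    _, _, reply = parse_entry(text)
    return [attr for attr, _, _ in reply if is_check_item(attr)]

def fix_entry(text):
    """Move misplaced check items onto the first line; keep real reply items."""
    name, check, reply = parse_entry(text)
    moved = [i for i in reply if is_check_item(i[0])]
    kept = [i for i in reply if not is_check_item(i[0])]
    first = name + " " + ", ".join(" ".join(i) for i in check + moved)
    body = ",\n".join("\t" + " ".join(i) for i in kept)
    return first + ("\n" + body if body else "") + "\n"

if __name__ == "__main__":
    print(misplaced(POSTED_ENTRY))
    print(fix_entry(POSTED_ENTRY))
```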



