Freeradius-Users Digest, Vol 49, Issue 95
Marco De Magistris
marco.de.magistris at ericsson.com
Thu May 21 14:43:59 CEST 2009
Hi Ivan,
3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan Kalik)
> Radius Client --> Radius Proxy
> 192.168.1.2       192.168.1.3   192.168.14.3 --> ISP1 (192.168.14.4)
>                                 192.168.24.3 --> ISP2 (192.168.24.4)
You say:
> Yes. Proxy server will change NAS-IP-Address from the original NAS address into its own. That is OK.
It does not work. In my scenario I have two different NAS-IP-Addresses (one NAS-IP-Address for ISP1 and one for ISP2).
Radius Proxy sees three different IP addresses:
- 192.168.1.3: IP address on the client side.
- 192.168.14.3: IP address for ISP1.
- 192.168.14.3: IP address for ISP2.
In my opinion the packet (received from Radius Client) is sent towards the default gateway.
The following link describes the same scenario:
http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/82575.html
They introduce proxyip = 10.10.10.10 in proxy.conf.
Thanks again.
Marco
-----Original Message-----
From: freeradius-users-request at lists.freeradius.org
Sent: Wednesday, 20 May 2009 15:55
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 49, Issue 95
Today's Topics:
1. Re: question about windows users (Bartosz Chodzinski)
2. Re: R: Sql Counter reads only the first 4 digits (Alan DeKok)
3. RE: Freeradius-Users Digest, Vol 49, Issue 93 (Ivan Kalik)
4. R: R: Sql Counter reads only the first 4 digits
(Mauro Iorio - Smart Soft s.r.l.)
5. Re: question about windows users (Bartosz Chodzinski)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 May 2009 15:23:22 +0200
From: Bartosz Chodzinski <bartosz.c at gmail.com>
Subject: Re: question about windows users
To: tnt at kalik.net, FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID:
<1f06c2db0905200623k5e90f148naaadaf7402c82c16 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
OK, I changed it back to the default:
proxy_requests = yes
$INCLUDE proxy.conf
/etc/freeradius/certs/Makefile was:

#client.crt: client.csr server.crt server.key index.txt serial
#	openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

and is now:

# Sign the client CSR with the CA key, so client.crt chains directly to ca.pem.
# -key is the passphrase of the key named by -keyfile (here ca.key).
client.crt: client.csr ca.pem ca.key index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Changes in client.cnf, was:

certificate = $dir/server.pem
serial = $dir/serial
private_key = $dir/server.key
commonName = user at example.com

is now:

certificate = $dir/ca.pem
serial = $dir/serial
private_key = $dir/ca.key
commonName = user_certificate
Now, after installing ca.der and client.p12 on Windows, everything in the certificate stores seems to be OK: there is no exclamation mark on user_certificate, and the certification path is OK.
Back to the server:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=240,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200001501757365725f6365727469666963617465
Message-Authenticator = 0x0d65a52fd78035c3c828c30d2a2442d9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.5.206 port 1812
EAP-Message = 0x0101001604100c91af03e9cd5c25126407d36f22684a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb5a5cfd0b5a4cb20491e5ee122e4a622
Finished request 0.
Going to the next request
On Wed, May 20, 2009 at 2:39 PM, Ivan Kalik <tnt at kalik.net> wrote:
> >>> The steps you took show that you are NOT following the guide.
> >>> Good luck. You clearly are *not* interested in solving the problem.
> >
> > the guide in radiusd.conf says:
> > #The server has proxying turned on by default. If your system is NOT
> > # set up to proxy requests to another server, then you can turn proxying
> > # off here. This will save a small amount of resources on the server.
> > I tried to read carefully with understanding. I don't use a proxy; my system is
> > not sending requests to another server, so I turned it off.
>
> You might not want to, but you *are* proxying your requests. You have
> created client certificate with predefined data in client.cnf - which is
> part of the proxy demonstration setup. So, leave proxy settings alone and
> concentrate on doing what you have been advised - changing data in
> client.cnf so created client certificate won't have @example.com as part
> of the username.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
------------------------------
Message: 2
Date: Wed, 20 May 2009 15:29:45 +0200
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: R: Sql Counter reads only the first 4 digits
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4A1405C9.8020005 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Mauro Iorio - Smart Soft s.r.l. wrote:
> Yes, it does. Check the following output:
...
> [sessioncounter] expand: %{sql:SELECT 123456 FROM radacct WHERE
> UserName='mauro'} -> 1234
Hmm... I don't use the unixodbc drivers, so I can't test it here. I
don't see anything in the code that would chop the results at 4 digits.
Alan DeKok.
------------------------------
Message: 3
Date: Wed, 20 May 2009 14:47:44 +0100 (BST)
From: "Ivan Kalik" <tnt at kalik.net>
Subject: RE: Freeradius-Users Digest, Vol 49, Issue 93
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Message-ID:
<61032.194.176.105.44.1242827264.squirrel at webmail.kalik.net>
Content-Type: text/plain;charset=utf-8
>
>>What does that mean? IP of the original NAS packet?
>
> I have 2 interfaces towards the network.
>
> Radius Client --> Radius Proxy
> 192.168.1.2       192.168.1.3   192.168.14.3 --> ISP1 (192.168.14.4)
>                                 192.168.24.3 --> ISP2 (192.168.24.4)
>
> Steps:
> 1) Radius Client sends a packet with NAS-IP-Address = 192.168.1.2 towards Radius Proxy.
> 2) Radius Proxy changes NAS-IP-Address to 192.168.14.3 for ISP1 (or 192.168.24.3 for ISP2) and sends it.
>
>
> You say that, changing NAS-IP-Address, the packet is transmitted correctly. Right?
>
> From 192.168.14.3 to ISP1 (192.168.14.4) if NAS-IP-Address = 192.168.14.3
> From 192.168.24.3 to ISP1 (192.168.24.4) if NAS-IP-Address = 192.168.24.3
>
Yes. Proxy server will change NAS-IP-Address from the original NAS address into its own. That is OK.
>> That's in internal attribute Packet-Src-IP-Address.
>
> Should I modify this attribute, or does FreeRadius associate Packet-Src-IP-Address = NAS-IP-Address?
No, Packet-Src-IP-Address has the originating IP address for the radius
packet (in your case it will be 192.168.1.2). If ISP needs to know the
original NAS IP they should look in Packet-Src-IP-Address.
Ivan Kalik
Kalik Informatika ISP
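What Ivan describes above, worked through as an added example (my code, not FreeRADIUS's and not from anyone in this thread): a NAS seals an Access-Request for the proxy, the proxy replaces NAS-IP-Address with its own address and re-seals the request for the home server, and each hop compares the NAS-IP-Address attribute with the UDP source address it actually received the datagram from (what FreeRADIUS exposes as Packet-Src-IP-Address). The two shared secrets, and the rule that the proxy writes its own address into NAS-IP-Address and issues its own Request Authenticator, are assumptions modelled on the reply; the addresses, the User-Name and the EAP-Message bytes are the ones in this thread. Message-Authenticator is built and checked as RFC 3579 specifies, HMAC-MD5 over the packet with the attribute zeroed.

```python
"""Added example (not FreeRADIUS code): one Access-Request as the NAS sends it, and the
same request after a proxy has replaced NAS-IP-Address with its own address. Addresses
and the EAP identity come from this thread; the two shared secrets are assumed."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
HEADER_LEN = 20
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80  # RFC 2865 / 3579


def parse_attrs(pkt):
    """Walk the attribute TLVs after the 20-byte header; reject bad lengths instead of guessing."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < HEADER_LEN:
        raise ValueError("RADIUS length field does not match the datagram")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return attrs


def seal(secret, ident, attrs, authenticator=None):
    """Build an Access-Request and fill in Message-Authenticator (required whenever
    EAP-Message is present): HMAC-MD5 over the whole packet with the attribute's 16
    bytes set to zero, keyed with the shared secret of *this* hop."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify(secret, pkt):
    """True only if a 16-byte Message-Authenticator is present and matches this secret.
    A request that merely omits the attribute is treated as failing."""
    pos = HEADER_LEN
    for t, v in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += 2 + len(v)
    return False


def proxy_rewrite(pkt, proxy_ip, home_secret):
    """Per-hop step modelled on what Ivan describes (assumption, not FreeRADIUS source):
    drop the NAS's NAS-IP-Address, put the proxy's own address in, and re-seal under the
    home server's secret. The proxy issues its own request (fresh Request Authenticator),
    so the original NAS address is afterwards known only from the UDP source the proxy
    saw (Packet-Src-IP-Address), not from anything inside the forwarded packet."""
    _code, ident, _length = struct.unpack("!BBH", pkt[:4])
    kept = [(t, v) for t, v in parse_attrs(pkt) if t not in (NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR)]
    return seal(home_secret, ident, [(NAS_IP_ADDRESS, ipaddress.IPv4Address(proxy_ip).packed)] + kept)


def hop_view(pkt, udp_src_ip):
    """What a receiver can tell: the NAS-IP-Address attribute versus the datagram's source."""
    nas = [v for t, v in parse_attrs(pkt) if t == NAS_IP_ADDRESS]
    nas_ip = str(ipaddress.IPv4Address(nas[0])) if nas else None
    return {"nas_ip_address": nas_ip, "packet_src_ip": udp_src_ip, "same": nas_ip == udp_src_ip}


# Constructed scenario. Secrets are assumed; addresses and the identity are from the thread.
NAS_SECRET = b"nas-to-proxy-secret"
ISP1_SECRET = b"proxy-to-isp1-secret"
EAP_IDENTITY = bytes.fromhex("0200001501757365725f6365727469666963617465")

original = seal(NAS_SECRET, 240, [
    (USER_NAME, b"user_certificate"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.2").packed),
    (EAP_MESSAGE, EAP_IDENTITY),
])
forwarded = proxy_rewrite(original, "192.168.14.3", ISP1_SECRET)

if __name__ == "__main__":
    print("proxy sees :", hop_view(original, "192.168.1.2"))
    print("ISP1 sees  :", hop_view(forwarded, "192.168.14.3"))
    print("ISP1 check with its own secret:", verify(ISP1_SECRET, forwarded))
    print("ISP1 check with the NAS secret:", verify(NAS_SECRET, forwarded))
```

Because Message-Authenticator is keyed per hop, the home server at ISP1 can only establish that the proxy sent the packet; whatever the proxy wrote into NAS-IP-Address is taken on trust, and the NAS's own address reaches the home server only if the proxy chooses to forward it explicitly. The same property is why a proxy that edits any attribute must re-seal the request under the next hop's secret, as proxy_rewrite does, rather than forwarding the NAS's Message-Authenticator unchanged.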
------------------------------
Message: 4
Date: Wed, 20 May 2009 15:48:25 +0200
From: "Mauro Iorio - Smart Soft s.r.l." <m.iorio at smartsoft.it>
Subject: R: R: Sql Counter reads only the first 4 digits
To: tnt at kalik.net, "'FreeRadius users mailing list'"
<freeradius-users at lists.freeradius.org>
Message-ID: <CFF53251EC794CACBFC36E03F72AF74E at zuccherino>
Content-Type: text/plain; charset="us-ascii"
>
> Don't bother with all that. Hardcode just:
>
> SELECT 123456
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
Done. Same result: 1234.
Mauro Iorio.
------------------------------
Message: 5
Date: Wed, 20 May 2009 15:54:56 +0200
From: Bartosz Chodzinski <bartosz.c at gmail.com>
Subject: Re: question about windows users
To: freeradius-users at lists.freeradius.org
Message-ID:
<1f06c2db0905200654h286a5bbfi44d40e166af02717 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I am using the standard settings of eap.conf. When I change eap.conf to:
# default_eap_type = md5
default_eap_type = peap
I get a similar message:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=242,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user_certificate"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200001501757365725f6365727469666963617465
Message-Authenticator = 0x4fea88a60594825de9229268206fb02d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "user_certificate", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.5.206 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x54cef72d54cfee66f11829ca8f9f95d7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 242 with timestamp +37
Ready to process requests.
On Wed, May 20, 2009 at 3:51 PM, Ivan Kalik <tnt at kalik.net> wrote:
> > [eap] processing type md5
> > rlm_eap_md5: Issuing Challenge
>
> Hm, you are saying you want to do EAP-TLS but your server reports that it
> has got EAP-MD5 request. Check connection settings on Windows machine.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
------------------------------
End of Freeradius-Users Digest, Vol 49, Issue 95
************************************************