Freeradius 2
Harry Hoffman
hhoffman at ip-solutions.net
Wed Mar 9 20:48:24 CET 2011
Yum install freeradius2-ldap
Cheers,
Harry
From:
freeradius-users-bounces+hhoffman=ip-solutions.net at lists.freeradius.org
[mailto:freeradius-users-bounces+hhoffman=ip-solutions.net at lists.freeradius.
org] On Behalf Of Usuário do Sistema
Sent: Wednesday, March 09, 2011 2:39 PM
To: freeradius-users at lists.freeradius.org
Cc: freeradius-users-request at lists.freeradius.org
Subject: Re: Freeradius 2
Hello everyone, I've Installed by yum freeradius2-2.1.7-7.el5 but I'm can't
found the ldap dirctory under /etc/raddb/..
I have creta it or install more any package ??
thank!
2011/3/5 <freeradius-users-request at lists.freeradius.org>
Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Caching techniques with ntlm_auth usage?
(EAP-PEAP-MSchapV2) (Phil Mayers)
2. Re: Freeraidus 2 (Gary Gatten)
3. Re: Caching techniques with ntlm_auth usage?
(EAP-PEAP-MSchapV2) (James J J Hooper)
4. RE: mschap with ntlm_auth and Active Directory (McNutt, Justin M.)
5. Re: MS-CHAP-V2 with no retry (Alan DeKok)
6. Re: Hopefully quick question: conditional processing sneaking
in and setting Auth-Type (Alan DeKok)
7. Re: Freeraidus 2 (Alan Buxey)
----------------------------------------------------------------------
Message: 1
Date: Sat, 05 Mar 2011 00:45:43 +0000
From: Phil Mayers <p.mayers at imperial.ac.uk>
Subject: Re: Caching techniques with ntlm_auth usage?
(EAP-PEAP-MSchapV2)
To: freeradius-users at lists.freeradius.org
Message-ID: <4D7187B7.5000402 at imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 03/05/2011 12:21 AM, Gary Gatten wrote:
> I kinda like your caching idea, but not sure of any security
> implications.
It's not a workable idea. MSCHAP responses are specific to the 8-byte
random challenge, which is different every time. You can't cache them.
>
> I have (2) FR servers (each pointing to different DC) and my NAS's
> are configured to use both. But, iirc if AD is down on the backend
> FR still replies (with something) so the NAS never rolls over to the
> other FR server.
Yes, this is a bad idea.
Just configure samba to autodiscover the AD controllers. Winbind will
cache connections and open new ones when the old ones go away.
>
> So, I thought about some script that would use ntlm_auth every...n
> seconds, if it fails kill FR process (or use FR policy to act dead).
> When it starts working again, restart FR. This should make the NAS
> roll to the next FR server.
That might work, but it seems like a sledgehammer to crack a nut.
>
> What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> the winblows/AD? I've never tried this but assume it's doable.
It's not possible. AD controllers will only sync to other AD controllers.
At some point in the future, Samba 4 might be able to slave the LDAP
database of an AD controller, but it's purely theoretical at the moment
I think.
------------------------------
Message: 2
Date: Fri, 4 Mar 2011 18:54:44 -0600
From: Gary Gatten <Ggatten at waddell.com>
Subject: Re: Freeraidus 2
To: "'freeradius-users at lists.freeradius.org'"
<freeradius-users at lists.freeradius.org>
Message-ID:
<27487_1299286485_4D7189D5_27487_3768_1_D9B37353831173459FDAA836D3B43499BD35
4A55 at WADPMBXV0.waddell.com>
Content-Type: text/plain; charset="utf-8"
Try ../sites_enabled/default; or if *eap requests it would be inner-tunnel,
- I think...
From: Paulo Maia [mailto:phc.maia at gmail.com]
Sent: Friday, March 04, 2011 06:43 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Freeraidus 2
Compilou o instalou via yum ? Geralmente fica em $RADIUSDIR/modules/ldap
Abs,
2011/3/4 Usu?rio do Sistema <maiconlp at ig.com.br<mailto:maiconlp at ig.com.br>>
Hello everyone, I'm Maicon from Brazil.
I'm in a project with Freeradius. I want to deployment authentication with
certificate from my wireless users EAP-TLS but I'm finding some difficult.
there is a good how to for version 2 ?? I've started with version 1.x but
decided to change for version 2 and I'm not finding where I set the LDAP
conection. at the older version it was inside radiusd.conf. anybody help me
??
thank!
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in
0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freeradius.org/pipermail/freeradius-users/attachments/2011030
4/3cfd97ca/attachment.html>
------------------------------
Message: 3
Date: Sat, 05 Mar 2011 01:17:54 +0000
From: James J J Hooper <jjj.hooper at bristol.ac.uk>
Subject: Re: Caching techniques with ntlm_auth usage?
(EAP-PEAP-MSchapV2)
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <403FF343B2CCD5B162F64B80@[172.16.13.237]>
Content-Type: text/plain; charset=us-ascii; format=flowed
--On 04 March 2011 12:34 -0500 John Douglass <john.douglass at oit.gatech.edu>
wrote:
> Group,
>
> Recently, my AD servers were patched by another support group and this
> caused a (small but noticeable) service outage for our WPA radius
> services (Radius 2.1.9)
I can think of two things to investigate:
* Recent Samba can do winbind credential caching IIRC - I haven't
experimented with this so I'm not sure if it will work for this application.
* Enable Fast Session Resumption:
<https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/ea
p#L312>
... We dropped the hits on our DCs by > 40% by doing this. N.B Resumed
sessions will not touch your inner-tunnel config, so you have to make sure
that you pay attention when (re-)assigning VLANs / other returned
attributes based on username.
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk <http://www.wireless.bristol.ac.uk/>
--
------------------------------
Message: 4
Date: Fri, 4 Mar 2011 21:05:46 -0600
From: "McNutt, Justin M." <McNuttJ at missouri.edu>
Subject: RE: mschap with ntlm_auth and Active Directory
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID:
<0A99E1DA688C7A4796A68B3BC4F74B793CE60E78A4 at UM-EMAIL04.um.umsystem.edu>
Content-Type: text/plain; charset="us-ascii"
> > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> >
> > The password Pa$$w0rd is set in the Wireless Controller, if
> thats what you
> > mean by mschap client?
May I suggest two things:
1) I'm assuming that the password is not actually 'Pa$$w0rd', but that
string reminds me that certain special characters - the dollar sign is a
notable one - are not always handled correctly in password strings. Even if
FreeRADIUS is handling it correctly, AD may not, and the wireless controller
may not. I suggest setting the password to something simpler. If your
password policy requires special characters, use dash, equals, underscore,
or dot. I have used passwords with these characters successfully when
authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2
to AD via ntlm_auth. (Same chain as you.)
2) Even if you are confident that your real password's characters are not a
problem, re-enter it on the wireless controller, MANUALLY. You may have
accidentally entered an unprintable character or a space or some similar
thing that causes the password to APPEAR to be correct, when in fact it
doesn't match.
--J
------------------------------
Message: 5
Date: Sat, 05 Mar 2011 07:23:54 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: MS-CHAP-V2 with no retry
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4D71D6FA.7030306 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
John.Hayward at wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
> a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
> a response sent back to the client but there was no message in the
> response.
It's more complicated. The server would send EAP-Failure, and nothing
else.
> 2) The patch given resolves that problem - giving the message
> of the rlm_mschap.c module of E=691 R=1
On closer inspection, the patch doesn't resolve anything. It still
sends an EAP-Failure. It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the
client has ACKed that, it should *then* send EAP-Failure.
i.e. fixing it is likely a fair bit more work.
> 3) It is possible to configure in radius.conf the message on failure by:
No. That sends back an MS-CHAP-Error. The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.
Alan DeKok.
------------------------------
Message: 6
Date: Sat, 05 Mar 2011 07:38:15 +0100
From: Alan DeKok <aland at deployingradius.com>
Subject: Re: Hopefully quick question: conditional processing sneaking
in and setting Auth-Type
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <4D71DA57.5080400 at deployingradius.com>
Content-Type: text/plain; charset=UTF-8
Gary Gatten wrote:
> I can?t find where this conditional processing is happing. I have two
> FR servers with ?nearly? the same config. Auth works on one, but not
> the other:
Posting 2-3 lines of debug output doesn't help.
Alan DeKok.
------------------------------
Message: 7
Date: Sat, 5 Mar 2011 09:44:15 +0000
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
Subject: Re: Freeraidus 2
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <20110305094415.GA20802 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
hi,
th details for your LDAP in 2.x go into $RADDB/modules/ldap
in 2.x most of the stuff was broken out of radiusd.conf
and put into either modules/* or sites-available/*
if you want a particular feature, then configure the
module file , configure the sites-available file,
module files are pulled in by default, but to activate a 'site'
you need to ensure its in the sites-enabled/ directory
(a few 'sites' files are symlinked there by default... eg
default, inner-tunnel .....)
alan
------------------------------
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 71, Issue 32
************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110309/56ac99d6/attachment.html>
More information about the Freeradius-Users
mailing list