Freeradius 2

Usuário do Sistema maiconlp at ig.com.br
Wed Mar 9 22:36:05 CET 2011


Thanks, Harry. It works.

Now I'm configuring FreeRADIUS with EAP-TLS.

I will report back on this.

Thanks!



2011/3/9 Harry Hoffman <hhoffman at ip-solutions.net>

> yum install freeradius2-ldap
>
>
>
> Cheers,
>
> Harry
>
>
>
> From: freeradius-users-bounces+hhoffman=ip-solutions.net@lists.freeradius.org
> [mailto:freeradius-users-bounces+hhoffman=ip-solutions.net at lists.freeradius.org] On Behalf Of Usuário do Sistema
> Sent: Wednesday, March 09, 2011 2:39 PM
> To: freeradius-users at lists.freeradius.org
> Cc: freeradius-users-request at lists.freeradius.org
> Subject: Re: Freeradius 2
>
>
>
> Hello everyone, I've installed freeradius2-2.1.7-7.el5 via yum, but I can't
> find the ldap directory under /etc/raddb/.
>
> Do I have to create it or install another package?
>
> Thanks!
>
> 2011/3/5 <freeradius-users-request at lists.freeradius.org>
>
>
> Today's Topics:
>
>   1. Re: Caching techniques with ntlm_auth usage?
>      (EAP-PEAP-MSchapV2) (Phil Mayers)
>   2. Re: Freeradius 2 (Gary Gatten)
>   3. Re: Caching techniques with ntlm_auth usage?
>      (EAP-PEAP-MSchapV2) (James J J Hooper)
>   4. RE: mschap with ntlm_auth and Active Directory (McNutt, Justin M.)
>   5. Re: MS-CHAP-V2 with no retry (Alan DeKok)
>   6. Re: Hopefully quick question: conditional processing sneaking
>      in and setting Auth-Type (Alan DeKok)
>   7. Re: Freeradius 2 (Alan Buxey)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 05 Mar 2011 00:45:43 +0000
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: Caching techniques with ntlm_auth usage?
>        (EAP-PEAP-MSchapV2)
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4D7187B7.5000402 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 03/05/2011 12:21 AM, Gary Gatten wrote:
> > I kinda like your caching idea, but not sure of any security
> > implications.
>
> It's not a workable idea. MSCHAP responses are specific to the 8-byte
> random challenge, which is different every time. You can't cache them.
>
> >
> > I have (2) FR servers (each pointing to different DC) and my NAS's
> > are configured to use both.  But, iirc if AD is down on the backend
> > FR still replies (with something) so the NAS never rolls over to the
> > other FR server.
>
> Yes, this is a bad idea.
>
> Just configure samba to autodiscover the AD controllers. Winbind will
> cache connections and open new ones when the old ones go away.
>
> >
> > So, I thought about some script that would use ntlm_auth every...n
> > seconds, if it fails kill FR process (or use FR policy to act dead).
> > When it starts working again, restart FR.  This should make the NAS
> > roll to the next FR server.
>
> That might work, but it seems like a sledgehammer to crack a nut.
>
> >
> > What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> > the winblows/AD?  I've never tried this but assume it's doable.
>
> It's not possible. AD controllers will only sync to other AD controllers.
>
> At some point in the future, Samba 4 might be able to slave the LDAP
> database of an AD controller, but it's purely theoretical at the moment
> I think.
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Mar 2011 18:54:44 -0600
> From: Gary Gatten <Ggatten at waddell.com>
> Subject: Re: Freeradius 2
> To: "'freeradius-users at lists.freeradius.org'"
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <27487_1299286485_4D7189D5_27487_3768_1_D9B37353831173459FDAA836D3B43499BD354A55 at WADPMBXV0.waddell.com>
>
> Content-Type: text/plain; charset="utf-8"
>
> Try ../sites_enabled/default; or if *eap requests it would be inner-tunnel,
> - I think...
>
> From: Paulo Maia [mailto:phc.maia at gmail.com]
> Sent: Friday, March 04, 2011 06:43 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius 2
>
> Did you compile it or install it via yum? It's usually in $RADIUSDIR/modules/ldap
>
> Regards,
>
>
> 2011/3/4 Usuário do Sistema <maiconlp at ig.com.br<mailto:maiconlp at ig.com.br>>
> Hello everyone, I'm Maicon from Brazil.
>
> I'm on a project with FreeRADIUS. I want to deploy certificate authentication
> for my wireless users (EAP-TLS), but I'm finding it difficult. Is there a
> good how-to for version 2? I started with version 1.x but decided to change
> to version 2, and I'm not finding where to set the LDAP connection. In the
> older version it was inside radiusd.conf. Can anybody help me?
>
>
> Thanks!
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 05 Mar 2011 01:17:54 +0000
> From: James J J Hooper <jjj.hooper at bristol.ac.uk>
> Subject: Re: Caching techniques with ntlm_auth usage?
>        (EAP-PEAP-MSchapV2)
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <403FF343B2CCD5B162F64B80@[172.16.13.237]>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
>
>
> --On 04 March 2011 12:34 -0500 John Douglass <john.douglass at oit.gatech.edu> wrote:
>
> > Group,
> >
> > Recently, my AD servers were patched by another support group and this
> > caused a (small but noticeable) service outage for our WPA radius
> > services (Radius 2.1.9)
>
> I can think of two things to investigate:
> * Recent Samba can do winbind credential caching IIRC - I haven't
> experimented with this so I'm not sure if it will work for this
> application.
>
> * Enable Fast Session Resumption:
> <https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/eap#L312>
>
> ... We dropped the hits on our DCs by > 40% by doing this. N.B. Resumed
> sessions will not touch your inner-tunnel config, so you have to make sure
> that you pay attention when (re-)assigning VLANs / other returned
> attributes based on username.
>
> -James
>
> --
> James J J Hooper
> Network Specialist, University of Bristol
> http://www.wireless.bristol.ac.uk
> --
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 4 Mar 2011 21:05:46 -0600
> From: "McNutt, Justin M." <McNuttJ at missouri.edu>
> Subject: RE: mschap with ntlm_auth and Active Directory
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <0A99E1DA688C7A4796A68B3BC4F74B793CE60E78A4 at UM-EMAIL04.um.umsystem.edu>
>
> Content-Type: text/plain; charset="us-ascii"
>
> > > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > > --password=Pa$$w0rd
> > > NT_STATUS_OK: Success (0x0)
> > > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
> > > --password=Pa$$w0rd
> > > NT_STATUS_OK: Success (0x0)
> > > root at FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > > --password=Pa$$w0rd
> > > NT_STATUS_OK: Success (0x0)
> > >
> > > The password Pa$$w0rd is set in the Wireless Controller, if that's what you
> > > mean by mschap client?
>
> May I suggest two things:
>
> 1)  I'm assuming that the password is not actually 'Pa$$w0rd', but that
> string reminds me that certain special characters - the dollar sign is a
> notable one - are not always handled correctly in password strings.  Even if
> FreeRADIUS is handling it correctly, AD may not, and the wireless controller
> may not.  I suggest setting the password to something simpler.  If your
> password policy requires special characters, use dash, equals, underscore,
> or dot.  I have used passwords with these characters successfully when
> authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2
> to AD via ntlm_auth.  (Same chain as you.)
>
> 2)  Even if you are confident that your real password's characters are not
> a problem, re-enter it on the wireless controller, MANUALLY.  You may have
> accidentally entered an unprintable character or a space or some similar
> thing that causes the password to APPEAR to be correct, when in fact it
> doesn't match.
>
> --J
>
>
> ------------------------------
>
> Message: 5
> Date: Sat, 05 Mar 2011 07:23:54 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: MS-CHAP-V2 with no retry
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <4D71D6FA.7030306 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> John.Hayward at wheaton.edu wrote:
> > 1) In freeradius version 2.1.10 and older (at least 1.1.7) there was
> >    a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE, a response
> >    was sent back to the client but there was no message in the
> >    response.
>
>  It's more complicated.  The server would send EAP-Failure, and nothing
> else.
>
> > 2) The patch given resolves that problem - giving the message
> >    of the rlm_mschap.c module of E=691 R=1
>
>  On closer inspection, the patch doesn't resolve anything.  It still
> sends an EAP-Failure.  It should instead send an EAP-Response with
> EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code.  After the
> client has ACKed that, it should *then* send EAP-Failure.
>
>  I.e., fixing it is likely a fair bit more work.
>
> > 3) It is possible to configure in radius.conf the message on failure by:
>
>  No.  That sends back an MS-CHAP-Error.  The code has to package that
> MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
> *additional* request/response round trip, before finally sending
> EAP-Failure.
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 6
> Date: Sat, 05 Mar 2011 07:38:15 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Hopefully quick question: conditional processing sneaking
>        in and setting Auth-Type
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <4D71DA57.5080400 at deployingradius.com>
> Content-Type: text/plain; charset=UTF-8
>
> Gary Gatten wrote:
> > I can't find where this conditional processing is happening.  I have two
> > FR servers with 'nearly' the same config.  Auth works on one, but not
> > the other:
>
>  Posting 2-3 lines of debug output doesn't help.
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Sat, 5 Mar 2011 09:44:15 +0000
> From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> Subject: Re: Freeradius 2
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <20110305094415.GA20802 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> hi,
>
> the details for your LDAP in 2.x go into $RADDB/modules/ldap
>
> in 2.x most of the stuff was broken out of radiusd.conf
> and put into either modules/* or sites-available/*
>
> if you want a particular feature, then configure the
> module file, configure the sites-available file,
>
> module files are pulled in by default, but to activate a 'site'
> you need to ensure it's in the sites-enabled/ directory
> (a few 'sites' files are symlinked there by default... eg
> default, inner-tunnel .....)
>
> alan
>
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 71, Issue 32
> ************************************************
>
>
>
>
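The failure round trip Alan DeKok lays out in message 5 (a Failure Request carrying "E=691 R=1", the client's ACK, and only then EAP-Failure), as an added example that is not part of this thread or of FreeRADIUS's rlm_mschap code; it packs and parses the packets following the EAP-MSCHAPv2 draft layout, and the EAP identifiers, the zero challenge and the sample message text are constructed values.

```python
import re
import struct

# EAP codes (RFC 3748) and the EAP-MSCHAPv2 Type and OpCode (draft-kamath-pppext-eap-mschapv2).
EAP_REQUEST, EAP_RESPONSE, EAP_FAILURE = 1, 2, 4
EAP_TYPE_MSCHAPV2 = 26
OP_FAILURE = 4

def build_failure_request(eap_id, mschap_id, message):
    """Server -> client: EAP-Request/MSCHAPv2 with OpCode Failure carrying the MS-CHAP-Error text."""
    body = message.encode("ascii")
    ms_length = 4 + len(body)          # OpCode + MS-CHAPv2-ID + MS-Length + Message
    length = 5 + ms_length             # EAP header (4) + Type (1) + MS-CHAPv2 part
    return struct.pack("!BBHBBBH", EAP_REQUEST, eap_id, length, EAP_TYPE_MSCHAPV2,
                       OP_FAILURE, mschap_id, ms_length) + body

def build_failure_response(eap_id):
    """Client -> server: the ACK; only Code, Identifier, Length, Type and OpCode are sent."""
    return struct.pack("!BBHBB", EAP_RESPONSE, eap_id, 6, EAP_TYPE_MSCHAPV2, OP_FAILURE)

def build_eap_failure(eap_id):
    """Server -> client: the bare EAP-Failure that ends the conversation."""
    return struct.pack("!BBH", EAP_FAILURE, eap_id, 4)

def parse_failure_request(pkt):
    """Decode a Failure Request and its 'E=eee R=r C=... V=v M=...' text (RFC 2759 section 6)."""
    code, eap_id, length, eap_type, opcode, _, ms_length = struct.unpack("!BBHBBBH", pkt[:9])
    if (code, eap_type, opcode) != (EAP_REQUEST, EAP_TYPE_MSCHAPV2, OP_FAILURE):
        raise ValueError("not an EAP-Request/MSCHAPv2 Failure packet")
    if length != len(pkt) or ms_length != length - 5:
        raise ValueError("EAP Length and MS-Length disagree with the packet size")
    m = re.match(r"E=(\d+) R=([01])(?: C=([0-9A-Fa-f]{32}))?(?: V=(\d+))?(?: M=(.*))?$",
                 pkt[9:].decode("ascii"))
    if not m:
        raise ValueError("malformed MS-CHAP-Error message")
    return {"eap_id": eap_id, "error": int(m.group(1)), "retry": m.group(2) == "1",
            "challenge": m.group(3), "version": m.group(4), "text": m.group(5)}

def server_turns_fixed(eap_id, mschap_id, message):
    """The exchange Alan describes: Failure Request, the client's ACK, and only then EAP-Failure."""
    request = build_failure_request(eap_id, mschap_id, message)
    ack = build_failure_response(eap_id)            # a conforming client echoes the Identifier
    return [request, ack, build_eap_failure(eap_id + 1)]

def server_turns_buggy(eap_id):
    """What the 2.1.10 server did instead: EAP-Failure straight away, so the client never sees E=691."""
    return [build_eap_failure(eap_id)]

# Constructed sample: identifier 7, a zero challenge echoed back, R=1 (retry allowed).
SAMPLE_MESSAGE = "E=691 R=1 C=" + "00" * 16 + " V=3 M=Authentication failed"
```

Running `server_turns_fixed(7, 1, SAMPLE_MESSAGE)` yields the three packets in order, and `parse_failure_request` on the first one recovers error 691 with retry allowed; the length checks reject a truncated packet.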