Freeradius-Users Digest, Vol 94, Issue 19
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Feb 8 17:42:10 CET 2013
1st response
On 8 Feb 2013, at 16:09, freeradius-users-request at lists.freeradius.org wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: Issues with Freeradius crashing after a sighup (Alan DeKok)
> 2. RE: [EAP/TLS] Authenfication through a certificate
> (vazoumana fofana)
> 3. Re: Session-Timeout anomalies (Bill Isaacs)
> 4. Re: Session-Timeout anomalies (Alan DeKok)
> 5. Any interoperability issues with Aruba and Freeradius
> (Alex Sharaz)
> 6. Re: MAc-Auth with EAP (Tunde Ogedengbe)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 08 Feb 2013 10:10:05 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Issues with Freeradius crashing after a sighup
> Message-ID: <5115154D.5070804 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Alex Sharaz wrote:
>> Firstly the 2.1 servers
>
> <shrug> Upgrade.
>
>> password files are updated every 15 mins and are followed by a "service freeradius reload" command to bring them on line.
>
> See the changelog for 2.2.0. The "passwd" module had issues with
> older versions of the server.
>
> You can also reload individual modules. That will be less likely to
> have issues. i.e.
>
> $ radmin -e "hup passwd"
>
>> Anyone else seen serve crashes on a reload?
>
> Unfortunately I've seen this before. I haven't seen enough
> information to track it down and fix it, though.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 8 Feb 2013 15:24:53 +0000
> From: vazoumana fofana <zoumlander at hotmail.com>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: RE: [EAP/TLS] Authenfication through a certificate
> Message-ID: <SNT137-W406D40D7E02D3B5D51A487D2050 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> I began setting up the configuration, but I got two problems:
>
> Clients with a good certificate can be authenticated even if they're not in the "users" file.
> I assume it's due to my code. Here is the authenticate section of default:
>
> Auth-Type eap {
>     eap
>     if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxx\// ) {
>         if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxxxxx\// ) {
>             ok
>         }
>         else {
>             fail
>         }
>     }
> }
> It's like when the condition is checked, it bypasses the "users" file.
>
> Maybe I must move these lines under authorize?
> Can anyone confirm it?
>
> cheers
>
>
>> Date: Mon, 4 Feb 2013 10:32:22 -0500
>> From: aland at deployingradius.com
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: [EAP/TLS] Authenfication through a certificate
>>
>> vazoumana fofana wrote:
>>> I've got a question about EAP/TLS and authentication for a client
>>> through a certificate.
>>> I succeeded in setting it up. But I notice that freeradius matches client
>>> login with certificate CNAME.
>>> Is it possible to change it in order to match email instead of CNAME?
>>
>> Yes.
>>
>> Read the eap.conf file, and the raddb/sites-available/default. This
>> is documented.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 08 Feb 2013 09:35:59 -0600
> From: Bill Isaacs <bill.isaacs at island-wifi.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151B5F.6060208 at island-wifi.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?
>
>> That is *entirely* the wrong question. It's why you haven't solved
>> the problem yet.
>>
>> Look at the *radius server* debug output. It's the one sending the
>> Session-Timeout. You should be able to figure out where the
>> session-timeout is coming from.
>>
>>> Where is
>>> "Session-Timeout" getting this information? Why is it only doing it on
>>> some accounts and not others?
>> Look at the debug output.
>>
>> Honestly.
>>
>> We say this DAILY on this list. There is no excuse for refusing to do
>> that.
>>
>>
> Alan, take a deep breath. Of course I've looked at the debug output.
> Note my opening sentence, ol' pardner. ;)
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 08 Feb 2013 10:50:17 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151EB9.404 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Bill Isaacs wrote:
>> Ok so the question then is: where the hell is radclient getting the
>> notion that the account has 2366393 seconds left?
>
> From the RADIUS server. This isn't magic. radclient doesn't invent
> attributes in reply packets. It receives them from the RADIUS server.
>
>> Alan, take a deep breath. Of course I've looked at the debug output.
>> Note my opening sentence, ol' pardner. ;)
>
> Well... your question about "where does radclient get that value from"
> is entirely missing the point. It gets it from the RADIUS server. I've
> said this. I have no idea how to convince you it's true.
>
> And the *only* way to debug the RADIUS server is to look at the debug
> output.
>
> And no, your original message did *not* say you had run the server in
> debugging mode. There's only a reference to creating an account for
> debugging purposes. There's no "radiusd -X" output.
>
> My frustration here is that the documentation and my messages cannot
> possibly be any more clear. Yet you're wandering around doing
> everything *but* what the documentation says, and then wondering why I'm
> getting annoyed.
>
> Run the server in debugging mode. Really. Do it. I mean it.
>
> If you want to track down the issue to a specific module, update the
> config to do:
>
> update reply {
> Reply-Message += "A %{reply:Session-Timeout}"
> }
>
> Cut & paste that through various pieces of authorize, post-auth, etc.
> Change the "A" to "B", "C", etc. You should see 10-20 Reply-Messages
> in the Access-Accept. Each with a value for Session-Timeout. That lets
> you track *what* the value is, and *where* in the config the value is
> coming from.
>
> Then once you know it's a particular module, you can figure out how to
> fix that module.
>
> Right now, you're staring at the radclient output, wondering why the
> server isn't working. That's a mistake.
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 8 Feb 2013 16:08:22 +0000
> From: Alex Sharaz <alex.sharaz at york.ac.uk>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: Any interoperability issues with Aruba and Freeradius
> Message-ID: <33B79501-6775-4442-B14E-DA574F637459 at york.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi All,
>
> I'm sure the answer to this is nope, but ...
>
> At a recent Aruba training course in amongst the documentation supplied to us were a couple of presentation slides showing different types of eap authentication against recommended RADIUS servers for use with Aruba equipment (Just to be sure the slide heading said Aruba RADIUS Compatibility).
>
> The surprising bit was the fact that there was a "No" against Freeradius/TTLS (MD5, TLS, PEAP, LEAP, FAST were all yes) and a comment that said Freeradius also supports TTLS.
>
> Now it may well be that the slide is a bit old and just hasn't been updated, but it does beg the question: have any people using Freeradius with Aruba kit experienced any funnies that needed a specific set of "tweaking" for Aruba? I really can't imagine that it would be the case, but just thought I'd check.
>
> Rgds
> Alex
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 8 Feb 2013 16:09:34 +0000
> From: Tunde Ogedengbe <tunde at xtracomonline.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: MAc-Auth with EAP
> Message-ID:
> <CACXXqacFDThXBDnzPbseQnZv=VYGkQ0PD6OXkXV+Q_S3nKqBgg at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Ok. Can you please help with the procedure for configuring pre-login on Windows
> for 802.1x? Windows is sending packets to RADIUS as
> host/machine-name.domain. I would like to have a dedicated userid/password
> configured on windows for pre-login machine authentication.
>
> 'Tunde Ogedengbe
> On 8 Feb 2013 13:18, "Phil Mayers" <p.mayers at imperial.ac.uk> wrote:
>
>> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>>
>>> see from the log that the MAC address is checked and OK. But there is
>>> an [eap] returns reject just after the mac address was successfully
>>> checked. I guess I need a way to get radius to force an EAP accept
>>> after successful checking of the MAC addresses.
>>>
>>
>> This doesn't work. You can't "force accept" of an EAP session. The
>> protocol is challenge/response and must complete correctly at both ends.
>>
>> Your approach won't work.
>>
>> Instead, you must configure pre-login 802.1x authentication correctly on the
>> Windows side, either using machine credentials or user creds.
>>
>
> ------------------------------
>
>
> End of Freeradius-Users Digest, Vol 94, Issue 19
> ************************************************
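The Session-Timeout tracing trick Alan describes in message 4 (pasting `update reply { Reply-Message += "A %{reply:Session-Timeout}" }` into several sections with a different letter each time) produces an Access-Accept full of tagged Reply-Messages, and the job is then to read off where the value first appears and where it changes. The script below is an added example, not code from the digest or from the FreeRADIUS project: it parses radclient-style reply lines and reports that. The reply text, the tags and the tag-to-section mapping are constructed for the example; the section names are hypothetical and stand for wherever you pasted each tag in your own config.

```python
"""
Trace where Session-Timeout gets set, from the tagged Reply-Message
attributes that the "A %{reply:Session-Timeout}" trick produces.

Each tagged Reply-Message holds the value Session-Timeout had at the
point in the config where that tag's update block ran ('' if unset).
"""
import re

# Constructed sample of what radclient prints for such an Access-Accept.
# Tags and values are made up for this example.
SAMPLE_REPLY = """\
Received response ID 42, code 2, length = 140
\tReply-Message = "A "
\tReply-Message = "B "
\tReply-Message = "C 2366393"
\tReply-Message = "D 2366393"
\tReply-Message = "E 3600"
\tSession-Timeout = 3600
"""

# Hypothetical mapping of tag -> where it was pasted; fill in from your config.
TAG_TO_SECTION = {
    "A": "authorize (top)",
    "B": "authorize (after files)",
    "C": "authorize (after sql)",
    "D": "post-auth (top)",
    "E": "post-auth (end)",
}

# Reply-Message whose text is a one-token tag followed by an optional value.
TAGGED_MSG_RE = re.compile(r'^\s*Reply-Message\s*=\s*"(\S+)\s*([^"]*)"\s*$')


def parse_tagged_messages(text, known_tags=None):
    """Return [(tag, value)] in packet order; value is '' where the
    attribute was not yet set when that section ran.  If known_tags is
    given, Reply-Messages with any other first token are ignored so an
    unrelated banner does not masquerade as a tag."""
    found = []
    for line in text.splitlines():
        m = TAGGED_MSG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if known_tags is not None and tag not in known_tags:
            continue
        found.append((tag, value))
    return found


def find_origin(tagged):
    """(tag, value) of the first tagged message with a non-empty value,
    i.e. the module before that tag is what set Session-Timeout."""
    for tag, value in tagged:
        if value:
            return tag, value
    return None


def find_changes(tagged):
    """[(tag, old, new)] for each later point where a set value changed."""
    changes = []
    prev = None
    for tag, value in tagged:
        if prev is not None and value and value != prev:
            changes.append((tag, prev, value))
        if value:
            prev = value
    return changes


def report(text, sections=TAG_TO_SECTION):
    """Summary lines naming the section at which the value appeared/changed."""
    tagged = parse_tagged_messages(text, known_tags=set(sections))
    lines = []
    origin = find_origin(tagged)
    if origin is None:
        lines.append("Session-Timeout never set in any tagged section")
    else:
        tag, value = origin
        lines.append("first set to %s by the time tag %s ran (%s)"
                     % (value, tag, sections.get(tag, "unknown section")))
    for tag, old, new in find_changes(tagged):
        lines.append("changed %s -> %s by tag %s (%s)"
                     % (old, new, tag, sections.get(tag, "unknown section")))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REPLY)))
```

Feed it the saved radclient output of one Access-Accept; the section named for the origin is where to look next, exactly as Alan suggests, and the change lines catch a later module overwriting the value. It only narrows the search; the `radiusd -X` output is still what shows which module actually did it.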