Issue with radius accounting
Arvind Bahuguni
arvindnb1 at gmail.com
Sat May 25 18:39:33 CEST 2013
Hi Alan,
I am suspecting some radius setting on my server because free radius on
other server is responding and authentication and accounting is successful.
On May 24, 2013 7:56 PM, <freeradius-users-request at lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. AES-GCM (Pieter Hulshoff)
> 2. Re: AES-GCM (Phil Mayers)
> 3. Re: AES-GCM (Pieter Hulshoff)
> 4. Re: AES-GCM (Phil Mayers)
> 5. Re: AES-GCM (Pieter Hulshoff)
> 6. Re: issue with radius accounting (Alan DeKok)
> 7. Re: Failure authenticate using IPv6 (Alan DeKok)
> 8. Re: Retrieving eDirectory VLAN attributes (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 24 May 2013 12:44:02 +0200
> From: Pieter Hulshoff <phulshof at xs4all.nl>
> To: freeradius-users at lists.freeradius.org
> Subject: AES-GCM
> Message-ID: <2687107.xyZuJZ1fbJ at spaceballsml>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello all,
>
> Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
> documentation, the wiki or the mailinglist archives, but perhaps I'm
> looking
> in the wrong place?
>
> Kind regards,
>
> Pieter Hulshoff
>
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 24 May 2013 12:21:47 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: AES-GCM
> Message-ID: <519F4D4B.4080000 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 24/05/13 11:44, Pieter Hulshoff wrote:
> > Hello all,
> >
> > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in
> the
> > documentation, the wiki or the mailinglist archives, but perhaps I'm
> looking
> > in the wrong place?
>
> Typically this is down the TLS libraries; it's not usually the case that
> the application needs to do anything.
>
> That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
> 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
> itself in this level of detail - that's an aspect of the TLS library
> (OpenSSL) we use, and whatever the EAP-TLS client is using.
>
> Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
> or TTLS) never actually sends any data over the TLS session;
> essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
> never sends any TLS records of type=23 (application data). So, the
> negotiated cipher is not used for very much.
>
> PEAP and TTLS have "inner" EAP exchanges, that are protected with the
> TLS session, and sent as TLS type=23 records.
>
> Slightly OT, there seems to be some degree of uncertainty about GCM in
> general, and whether it's a sensible cipher mode - for example, see
> http://www.imperialviolet.org/2013/01/13/rwc03.html
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 24 May 2013 13:47:36 +0200
> From: Pieter Hulshoff <phulshof at xs4all.nl>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: AES-GCM
> Message-ID: <2024766.p6x3QSbeB1 at spaceballsml>
> Content-Type: text/plain; charset="us-ascii"
>
> On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote:
> > On 24/05/13 11:44, Pieter Hulshoff wrote:
> > > Hello all,
> > >
> > > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in
> > > the
> > > documentation, the wiki or the mailinglist archives, but perhaps I'm
> > > looking in the wrong place?
> >
> > Typically this is down the TLS libraries; it's not usually the case that
> > the application needs to do anything.
>
> It seems I have a lot to learn yet about what is and is not a part of
> FreeRADIUS. My apologies for pushing (slightly) OT subjects onto the
> mailinglist.
>
> > That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
> > 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
> > itself in this level of detail - that's an aspect of the TLS library
> > (OpenSSL) we use, and whatever the EAP-TLS client is using.
>
> I guess that if we want to use AEAD cyphers we'll need to find another TLS
> library or adapt/contribute to OpenSSL?
>
> > Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
> > or TTLS) never actually sends any data over the TLS session;
> > essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
> > never sends any TLS records of type=23 (application data). So, the
> > negotiated cipher is not used for very much.
>
> The EAP-TLS Finished (type=20) are secured/signed with this negotiated
> cipher
> though, correct?
>
> > Slightly OT, there seems to be some degree of uncertainty about GCM in
> > general, and whether it's a sensible cipher mode - for example, see
> > http://www.imperialviolet.org/2013/01/13/rwc03.html
>
> Interesting article nontheless. I guess I've been working as a hardware
> engineer for too long; I haven't been bothered by timing side-channel
> attacks
> too much. :) It's something to take into consideration though.
>
> Kind regards,
>
> Pieter Hulshoff
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 24 May 2013 13:06:11 +0100
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: AES-GCM
> Message-ID: <519F57B3.9030800 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 24/05/13 12:47, Pieter Hulshoff wrote:
> > I guess that if we want to use AEAD cyphers we'll need to find another
> TLS
> > library or adapt/contribute to OpenSSL?
>
> I think they're supported as of OpenSSL 1.0.1, so merely compiling
> against that should be sufficient, but both ends then need to use TLS
> v1.2 and, as I say, most do not.
>
> (I'm also not sure if FreeRADIUS explicitly forces a specific TLS
> version - it might, check the source code)
>
> > The EAP-TLS Finished (type=20) are secured/signed with this negotiated
> cipher
> > though, correct?
>
> Off the top of my head, everything after the change cipher spec is
> encrypted with the negotiated symmetric cipher, yes.
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 24 May 2013 14:09:35 +0200
> From: Pieter Hulshoff <phulshof at xs4all.nl>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: AES-GCM
> Message-ID: <4017853.IFDhid4HjM at spaceballsml>
> Content-Type: text/plain; charset="us-ascii"
>
> On Friday, May 24, 2013 01:47:36 PM Pieter Hulshoff wrote:
> > I guess that if we want to use AEAD cyphers we'll need to find another
> TLS
> > library or adapt/contribute to OpenSSL?
>
> It seems some people are way ahead of me:
>
> http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations#Encryption_Algorithms
> Support for AES-GCM was added in v1.0.1
>
> Kind regards,
>
> Pieter Hulshoff
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 24 May 2013 09:53:08 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: issue with radius accounting
> Message-ID: <519F70C4.7060604 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arvind Bahuguni wrote:
> > Hi,
> > Need help in resolving radius issues. My radius server is not
> > processing accounting packets, radius server is sending access-accept
> > but not proceeding further with accounting, it will send access-accept
> > and start waiting for another request.
>
> This is in the FAQ. Read it.
>
> > Looks like some radius server setting issues, please help me .
>
> So... the RADIUS server doesn't receive packets, and you blame it?
>
> How about blaming the system which *sends* the accounting packets?
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 7
> Date: Fri, 24 May 2013 09:56:59 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Failure authenticate using IPv6
> Message-ID: <519F71AB.6090407 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Stefan Winter wrote:
> > I don't *know* why this doesn't work, but it does with our global-scope
> > addresses just fine, so I'm guessing it's the address type.
> >
> > Especially since link-local addresses are only valid with an interface
> > scope.
>
> Exactly.
>
> > is the valid address. I don't know if the FreeRADIUS address parser is
> > prepared to handle such interface-scoped addresses. There's not much use
> > case for this.
>
> FreeRADIUS calls getaddrinfo, which *should* parse link-local
> addresses. I guess...
>
> Alan DeKok.
>
>
> ------------------------------
>
> Message: 8
> Date: Fri, 24 May 2013 10:17:33 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Retrieving eDirectory VLAN attributes
> Message-ID: <519F767D.5030704 at deployingradius.com>
> Content-Type: text/plain; charset=UTF-8
>
> Dan Lietz wrote:
> > I?m pretty much a noob when it comes to freeradius as I still don?t
> > completely understand what files are used for authorization and
> > authentication and where to put different certain pieces of
> configuration.
>
> Rule 1: don't touch anything. The configuration is complicated, but
> it mostly works.
>
> The "files used for authorization" are the virtual servers. See
> raddb/sites-enabled. Those files reference other configuration. But
> it's all reasonably well abstracted.
>
> i.e. you don't need to know anything about the "mschap" module
> configuration to use it. You don't even need to know *where* its
> configuration lives. But if you run the server in debugging mode, it
> will tell you.
>
> The "where to put configuration" issue largely depends on what you
> want to do. Edit a virtual server? See raddb/sites-enabled. A module?
> raddb/modules.
>
> > I?m trying to set up dynamic vlans for a wireless network with a Ruckus
> > Zone Director backend and a freeradius backend authenticating via LDAP
> > to eDirectory running on the same box. So far I?ve managed to configure
> > 802.11x authentication using PEAP and that is working well.
>
> That's good.
>
> > Now I want to be able to retrieve the radius attribute in eDirectory for
> > the vlan tag so the Ruckus Zone Directory will automatically place the
> > user on the correct vlan once they are authenticated.
>
> OK.
>
> > I did some initial testing without using LDAP by adding the following
> > lines to my users file:
> >
> >
> >
> > DEFAULT
> > Tunnel-Type = VLAN,
> > Tunnel-Medium-Type = 802,
> > Tunnel-Private-Group-ID = 85,
> > Fall-Through=Yes
>
> Yes, that works. It's a good first step.
>
> > By changing the value of ?Tunnel-Private-Group-ID? (set to 85 in the
> > above example) the Zone Director will move users to the vlan ID I
> > specify here, but it is obviously static and does not change based on
> > the user. The next step is to configure FreeRadius to pull the info from
> > eDir via LDAP and that?s the part I?m not getting.
>
> The "ldap.attrmap" file is in the "raddb" directory. It contains
> mappings from LDAP to RADIUS. It's also documented in the comments at
> the top of the file.
>
> > Part of my problem is that I don?t know which attributes mappings are
> > built in and which aren?t.
>
> See ldap.attrmap.
>
> > According to this document: Integrating
> > Novell eDirectory with FreeRadius
> > <
> https://www.netiq.com/documentation/edir_radius/radiusadmin/?page=/documentation/edir_radius/radiusadmin/data/bv8m2ll.html
> >
> > the listed radius attributes are available for use, but does that mean I
> > don?t need to add them to ldap.attr or the dictionary file at all? Or
> > that I don?t need to add an LDAP attribute map to the LDAP Group object
> > in iManager?
>
> The LDAP to RADIUS map is defined in ldap.attrmap. And ONLY in
> ldap.attrmap. Go look there. If a mapping isn't there, it isn't
> mapped. If it is there, the LDAP attribute (if any) is mapped to the
> RADIUS equivalent.
>
> > The other thing I don?t understand is where (i.e. what file) to put the
> > ldap call for said attributes and what the syntax would look like.
>
> See raddb/sites-available/inner-tunnel, and "default". Look for
> "ldap". Read the comments there.
>
>
> > I?ve configured my eap.conf to include ?copy_request_to_tunnel = yes?
> > and ?use_tunneled_reply = yes?
>
> That's correct for your setup.
>
> Alan DeKok.
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> End of Freeradius-Users Digest, Vol 97, Issue 80
> ************************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130525/95bf70b0/attachment-0001.html>
More information about the Freeradius-Users
mailing list