Freeradius-Users Digest, Vol 111, Issue 84

Stuart Naylor stuartiannaylor at thursbygarden.org
Thu Jul 31 11:32:38 CEST 2014


Thanks Arran ,

Apols as stuck back in time due to Ubuntu.

Are there any debs anywhere, as the compiler always scares this noob :)

Just had a search and everything is firmly stuck in the land of 2.0 series.

Is there any way to add multiple ldap search queries with different base DNs?

Just stuck, as I'm a bit stumped that scope=sub isn't supported?!

Stuart


 
 
-----Original message-----
> From:freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
> Sent: Thursday 31st July 2014 0:45
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 111, Issue 84
> 
> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. RE: Freeradius Log with Rsyslog (Puzzel)
>    2. Re: Multivalued attributes (Herwin Weststrate)
>    3. TLS Alert: Fatal: Protocol version (Soham T. Aurangabadkar)
>    4. LDAP scope (Stuart Naylor)
>    5. Re: LDAP scope (Arran Cudbard-Bell)
>    6. Re: Some inconsistencies concerning OpenSSL include
>       configuration in FRS 3 (Arran Cudbard-Bell)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 30 Jul 2014 19:56:02 +0200
> From: "Puzzel" <puzzel1982 at gmail.com>
> To: "'FreeRadius users mailing list'"
> 	<freeradius-users at lists.freeradius.org>
> Subject: RE: Freeradius Log with Rsyslog
> Message-ID: <009f01cfac1f$87e243b0$97a6cb10$@com>
> Content-Type: text/plain;	charset="us-ascii"
> 
> You need to install rsyslog daemon on radius machine.
> Then in /etc/rsyslog.conf 
> 
> # Save radius logs into file
> 
> local1.*     /var/log/radius/radius.log
> 
> # All to syslog server
> 
> *.*          @ip_address_of_your_syslog_server
> 
> It works fine for me
> 
> -----Original Message-----
> From: freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org]
> On Behalf Of Marco Aresu
> Sent: Wednesday, July 30, 2014 3:43 PM
> To: FreeRadius users mailing list
> Subject: Freeradius Log with Rsyslog
> 
> Hi all,
> 
> I've configured Freeradius on my server and I would like to forward
> authentication logs to an external server.
> I saw in the forum that I have to change Logdir from file to syslog, but
> where do I have to specify the destination server?
> 
> Thanks
> 
> Marco Aresu
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 30 Jul 2014 20:08:06 +0200
> From: Herwin Weststrate <herwin at quarantainenet.nl>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Multivalued attributes
> Message-ID: <53D93486.6060203 at quarantainenet.nl>
> Content-Type: text/plain; charset=windows-1252
> 
> On 30-07-14 11:51, Phil Mayers wrote:
> > On 30/07/14 09:21, Herwin Weststrate wrote:
> > 
> >> What would the semantics be if a negative comparison operator would be
> >> used, like this?
> >>
> >>    if (Attr[*] !~ /regex/)
> >>
> >> My intuition would say this would only be true if none of the attributes
> >> matches, instead of if at least one of the attributes matches.
> > 
> > Assuming I've understood correctly, using the analogy of the postgres
> > operator, this is more like:
> > 
> > if (any Attr !~ /regex/)
> > 
> > i.e. if any of the attributes *don't* match.
> 
> That would make the following two expressions different:
> 
>   if (Attr[*] !~ /regex/)
>   if (!(Attr[*] =~ /regex/))
> 
> First one is true if any of the attributes doesn't match the regex, the
> second one if none of the attribute match the regex. I would expect them
> to return the same. There might be some rule or lemma in mathematical
> set theory here, but I'm not really sure about that (especially since
> that would probably require explicit any/all-modifiers).
> 
> > The regex operators would presumably have the special behaviour of
> > setting capture groups for the first of the attributes. This doesn't
> > have much meaning for !~
> 
> Using capture groups with !~ would require an else (because if the regex
> doesn't match, there are no capture groups). Using code like that would
> just be stupid:
> 
>   if (Attr !~ /(regex)/) {
>     ...
>   } else {
>     # Do something with %{1}
>   }
> 
> Just write it a little bit different and use =~. But this discussion is
> not really related to multivalued attributes.
> 
> >> And I'm not sure what the expected result should be in the following
> >> statement:
> >>
> >>    if (Attr[*] > 10)
> > 
> > Likewise
> > 
> > if (any Attr > 10)
> 
> This gives the same behaviour as with !~, I would expect these two to be
> the same
> 
>   if (Attr[*] > 10)
>   if (!(Attr[*] <= 9))
> 
> About a year ago I was working on a small filtering language for an API
> which required multi-valued attributes. We changed the use of >, <, <=
> and >= to yield to syntax errors when combined with multi-valued
> attributes, because nobody here really knew what they were supposed to
> do in this context.
> 
> -- 
> Herwin Weststrate
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 30 Jul 2014 16:06:21 -0400 (EDT)
> From: "Soham T. Aurangabadkar" <sohama4 at ccs.neu.edu>
> To: freeradius-users at lists.freeradius.org
> Subject: TLS Alert: Fatal: Protocol version
> Message-ID: <10005916.567041406750781574.JavaMail.root at zimbra>
> Content-Type: text/plain; charset=utf-8
> 
> Hello, I am getting a strange error in my FreeRADIUS debug output, which I have posted below. I have built the client using C, OpenSSL and raw sockets, and it uses the 'user at example.com.pem' certificate generated by the scripts provided in /raddb/certs. Can you please tell me where I am going wrong? It is an error at the penultimate step of the EAP-TLS exchange. Thank you! :)
> 
> - Soham
> 
> 
> 
> rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=254, length=829
> 	User-Name = "sohama411111"
> 	Called-Station-Id = "ec-e5-55-9c-c3-b6"
> 	Calling-Station-Id = "00:24:9b:0c:2f:6e"
> 	NAS-Identifier = "ec-e5-55-9c-c3-ac"
> 	NAS-IP-Address = 192.168.1.11
> 	NAS-Port = 6
> 	Framed-MTU = 1500
> 	NAS-Port-Type = Ethernet
> 	State = 0xa2a1f780a7a7fad11c1fdcdf4905f39b
> 	EAP-Message = 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
> 	EAP-Message = 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
> 	EAP-Message = 0x61e3d33b48576d468e293468648476786964d5d050203aa0706fef1426432c3e5f5e49d33f77148209d34f01928db02b6b8d30338b9fd51e589b57576217a16c19c5a60bc875140301000101160301003099875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981f32a93c53ba178cf38c3be709ef5a241f1641f18bfc86cff1503010020ecc14febfeb1efd89ca273228fabc163f4d2536f8077de497b8257f10c0cfd80
> 	Message-Authenticator = 0xb2addbdef36eea66889ed2c3e3ee302e
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 6 length 253
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
>   TLS Length 2690
> [tls] Length Included
> [tls] eaptls_verify returned 11 
> [tls] <<< TLS 1.0 Handshake [length 08c7], Certificate  
> [tls] chain-depth=1, 
> [tls] error=0
> [tls] --> User-Name = sohama411111
> [tls] --> BUF-Name = Example Certificate Authority
> [tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
> [tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
> [tls] --> verify return:1
> 	TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
> [tls] chain-depth=0, 
> [tls] error=0
> [tls] --> User-Name = sohama411111
> [tls] --> BUF-Name = sohama4 at gmail.com
> [tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=sohama4 at gmail.com/emailAddress=sohama4 at gmail.com
> [tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
> [tls] --> verify return:1
> [tls]     TLS_accept: SSLv3 read client certificate A
> [tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
> [tls]     TLS_accept: SSLv3 read client key exchange A
> [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify  
> [tls]     TLS_accept: SSLv3 read certificate verify A
> [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
> [tls] <<< TLS 1.0 Handshake [length 0010], Finished  
> [tls]     TLS_accept: SSLv3 read finished A
> [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
> [tls]     TLS_accept: SSLv3 write change cipher spec A
> [tls] >>> TLS 1.0 Handshake [length 0010], Finished  
> [tls]     TLS_accept: SSLv3 write finished A
> [tls]     TLS_accept: SSLv3 flush data
> [tls]     (other): SSL negotiation finished successfully
> [tls] <<< TLS 1.0 Alert [length 0002], fatal protocol_version  
> TLS Alert read:fatal:protocol version
> rlm_eap: SSL error error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> SSL Connection Established 
> [tls] eaptls_process returned 13 
> ++[eap] = handled
> +} # group authenticate = handled
> Sending Access-Challenge of id 254 to 192.168.1.11 port 62733
> 	EAP-Message = 0x010700450d800000003b1403010001011603010030fcca5a85d37c2ec29f40904ccb9dbe3ac886668b24f36a70ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b
> Finished request 6.
> Going to the next request
> Waking up in 2.2 seconds.
> rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=255, length=159
> 	User-Name = "sohama411111"
> 	Called-Station-Id = "ec-e5-55-9c-c3-b6"
> 	Calling-Station-Id = "00:24:9b:0c:2f:6e"
> 	NAS-Identifier = "ec-e5-55-9c-c3-ac"
> 	NAS-IP-Address = 192.168.1.11
> 	NAS-Port = 6
> 	Framed-MTU = 1500
> 	NAS-Port-Type = Ethernet
> 	State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b
> 	EAP-Message = 0x020700060d00
> 	Message-Authenticator = 0x9edad03d955fdbb9df9945226a174d53
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> [eap] EAP packet type response id 7 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++[pap] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> [tls] Received TLS ACK
> [tls] ACK alert
> [tls] eaptls_verify returned 4 
> [tls] eaptls_process returned 4 
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Using Post-Auth-Type REJECT
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +group REJECT {
> [attr_filter.access_reject] 	expand: %{User-Name} -> sohama411111
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 255 to 192.168.1.11 port 62733
> 	EAP-Message = 0x04070004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.2 seconds.
> Cleaning up request 0 ID 248 with timestamp +21
> Waking up in 2.6 seconds.
> Cleaning up request 1 ID 249 with timestamp +24
> Cleaning up request 2 ID 250 with timestamp +24
> Cleaning up request 3 ID 251 with timestamp +24
> Cleaning up request 4 ID 252 with timestamp +24
> Cleaning up request 5 ID 253 with timestamp +24
> Cleaning up request 6 ID 254 with timestamp +24
> Waking up in 1.0 seconds.
> Cleaning up request 7 ID 255 with timestamp +24
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 30 Jul 2014 23:59:35 +0100
> From: Stuart Naylor <stuartiannaylor at thursbygarden.org>
> To: freeradius-users at lists.freeradius.org
> 	<freeradius-users at lists.freeradius.org>
> Subject: LDAP scope
> Message-ID:
> 	<zarafa.53d978d7.73bf.594fda2e60fe5c48 at zent1.thursbygarden.lan>
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
> 
> I am having problems with ldap.
> 
> I am running FreeRADIUS Version 2.1.12 and Samba4 and the LDAP searches are not subtree searches.
> 
> I have to add the CN=Users to the base DN and it works.
> 
> If I want to search from the base DN I get an ldap search error.
> 
> Is there any way to set the search scope to subtree?
> 
> Stuart
> 
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Wed, 30 Jul 2014 19:40:48 -0400
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: LDAP scope
> Message-ID: <42D1F2C2-5061-45D0-9833-29709DF2A8EF at freeradius.org>
> Content-Type: text/plain; charset="us-ascii"
> 
> 
> On 30 Jul 2014, at 18:59, Stuart Naylor <stuartiannaylor at thursbygarden.org> wrote:
> 
> > Hi,
> > 
> > I am having problems with ldap.
> > 
> > I am running FreeRADIUS Version 2.1.12 and Samba4 and the LDAP searches are not subtree searches.
> > 
> > I have to add the CN=Users to the base DN and it works.
> > 
> > If I want to search from the base DN I get an ldap search error.
> > 
> > Is there any way to set the search scope to subtree?
> 
> 1. Download v3.0.3
> 2. Install v3.0.3
> 3. Enjoy the ability to alter search scopes for LDAP objects
> 
> -Arran
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 881 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140730/ed95504f/attachment-0001.pgp>
> 
> ------------------------------
> 
> Message: 6
> Date: Wed, 30 Jul 2014 19:42:24 -0400
> From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Some inconsistencies concerning OpenSSL include
> 	configuration in FRS 3
> Message-ID: <DD0F2DD5-2CF8-4BE4-817D-29FACC737F60 at freeradius.org>
> Content-Type: text/plain; charset="us-ascii"
> 
> 
> On 29 Jul 2014, at 12:55, Dr. Andreas Rieke <rieke at isl.de> wrote:
> 
> > Arran Cudbard-Bell wrote:
> >> 
> >> On 29 Jul 2014, at 06:05, Dr. Andreas Rieke <rieke at isl.de> wrote:
> >> 
> >>> Arran Cudbard-Bell wrote:
> >>>> Should work now without dumb hacks...
> >>> I have tested your solution, too, and it also works well. However, there is a small difference between your and Alan's approach: With Alan's suggestion, the rlm_wimax shared object does not have any references to openssl, whereas in your approach, ldd says that both libssl and libcrypto are required.
> >>> 
> >>> I do not know which one is correct,
> >> 
> >> Mine, seeing as the module uses symbols from those libraries. 
> >> 
> >> Technically it probably only needs libcrypto, but never mind.
> >> 
> > Thanks a lot to Alan and you, Arran, for your time and for your patience with a newbie on this list,
> 
> No problem, thanks for reporting the OpenSSL issues.
> 
> -Arran
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> 
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 881 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140730/df2937ad/attachment.pgp>
> 
> ------------------------------
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> End of Freeradius-Users Digest, Vol 111, Issue 84
> *************************************************
> 
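The disagreement in message 2 of the quoted digest (whether `Attr[*] !~ /regex/` means "some value does not match" or "no value matches", and whether `Attr[*] > 10` is the negation of `Attr[*] <= 9`) comes down to which quantifier `Attr[*]` carries. The block below is an added example, not code from the thread or from FreeRADIUS' unlang: it models both readings over a constructed multi-valued attribute and checks the set-theory identity Herwin suspected (De Morgan: not-any equals all-not). Attribute values and regexes are made up for the demonstration.

```python
"""Quantifier semantics for `Attr[*] <op> value` over a multi-valued attribute.

Added example; this is not code from the thread or from FreeRADIUS' unlang.
It models the two readings discussed on the list ("any value" vs. the
negation of "any value") and checks which identities hold between them.
All attribute values and patterns below are constructed.
"""
import re
from typing import Callable, Iterable, List, Optional

Pred = Callable[[object], bool]


def any_of(values: Iterable[object], pred: Pred) -> bool:
    """`Attr[*] <op>` under the 'any' reading: true if at least one value satisfies it."""
    return any(pred(v) for v in values)


def all_of(values: Iterable[object], pred: Pred) -> bool:
    """The 'all' reading: true only if every value satisfies the predicate."""
    return all(pred(v) for v in values)


def regex_pred(pattern: str) -> Pred:
    """Predicate for `=~ /pattern/` on the string form of a value."""
    rx = re.compile(pattern)
    return lambda v: rx.search(str(v)) is not None


def not_regex_pred(pattern: str) -> Pred:
    """Predicate for `!~ /pattern/`: the per-value negation of `=~`."""
    match = regex_pred(pattern)
    return lambda v: not match(v)


def any_not_match(values: List[str], pattern: str) -> bool:
    """Reading 1 of `Attr[*] !~ /re/`: some value does not match."""
    return any_of(values, not_regex_pred(pattern))


def not_any_match(values: List[str], pattern: str) -> bool:
    """`!(Attr[*] =~ /re/)`: no value matches."""
    return not any_of(values, regex_pred(pattern))


def de_morgan_holds(values: Iterable[object], pred: Pred) -> bool:
    """The rule behind the disagreement: not(any p) == all(not p) and
    not(all p) == any(not p).  Both hold for every value list, the empty
    one included, which is why `!(Attr[*] =~)` is an 'all' statement while
    `Attr[*] !~` under the 'any' reading is not."""
    values = list(values)
    neg = lambda v: not pred(v)
    return ((not any_of(values, pred)) == all_of(values, neg)
            and (not all_of(values, pred)) == any_of(values, neg))


def first_capture(values: List[str], pattern: str) -> Optional[str]:
    """%{1} as Phil describes it: taken from the first value that matches.
    None when nothing matches, so a `!~` branch can never set it."""
    rx = re.compile(pattern)
    for v in values:
        m = rx.search(v)
        if m and m.groups():
            return m.group(1)
    return None


def numeric_readings(values: List[int]):
    """Herwin's integer example: (`Attr[*] > 10` any reading, `!(Attr[*] <= 9)`)."""
    any_gt_10 = any_of(values, lambda v: v > 10)
    not_any_le_9 = not any_of(values, lambda v: v <= 9)
    return any_gt_10, not_any_le_9


if __name__ == "__main__":
    vals = ["abc", "xyz"]  # constructed multi-valued attribute
    print("Attr[*] !~ /abc/ (any reading):", any_not_match(vals, "abc"))
    print("!(Attr[*] =~ /abc/):           ", not_any_match(vals, "abc"))
    print("first capture of (x.z):", first_capture(vals, "(x.z)"))
    print("numeric readings for [5, 20]:", numeric_readings([5, 20]))
```

With the values `abc` and `xyz`, the two spellings of "does not match" give different answers (True and False), and `[5, 20]` gives True for `Attr[*] > 10` but False for `!(Attr[*] <= 9)`; they only agree when every value is on the same side of the test. That is the asymmetry a policy author has to keep in mind once a comparison against a multi-valued attribute is allowed at all.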

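Message 3 of the quoted digest shows the server logging "SSL negotiation finished successfully" and, in the same request, "TLS Alert read:fatal:protocol version". The raw EAP-Message hex in that debug output is enough to see why: the block below is an added example, not code from the list post, from the poster's client or from FreeRADIUS, which splits an EAP-TLS packet (RFC 5216 framing) into TLS records. The two byte strings are copied from the debug output: the server's Access-Challenge EAP-Message in full, and the last three records of the client's final EAP-Message (the earlier bytes of that fragment are the tail of a fragmented Certificate message and cannot be parsed in isolation).

```python
"""Split an EAP-TLS packet into its TLS records.

Added example; not code from the list post, the poster's client or
FreeRADIUS.  EAP-TLS framing: EAP header (code, id, length), type 13,
a flag byte (0x80 = L, TLS message length present; 0x40 = M, more
fragments), optional 4-byte TLS length, then raw TLS records, each with a
5-byte header (content type, version major/minor, body length).
"""
import struct
from typing import Dict, List, Tuple

RECORD_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert",
                0x16: "Handshake", 0x17: "ApplicationData"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13

# Server -> NAS: the Access-Challenge EAP-Message from the debug output.
SERVER_CHALLENGE = bytes.fromhex(
    "010700450d800000003b1403010001011603010030"
    "fcca5a85d37c2ec29f40904ccb9dbe3ac886668b24f36a70"
    "ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed")

# Client -> server: last three TLS records of the client's final EAP-Message.
CLIENT_TAIL = bytes.fromhex(
    "140301000101"
    "1603010030"
    "99875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981"
    "f32a93c53ba178cf38c3be709ef5a241f1641f18bfc86cff"
    "1503010020"
    "ecc14febfeb1efd89ca273228fabc163"
    "f4d2536f8077de497b8257f10c0cfd80")

Record = Tuple[str, Tuple[int, int], bytes]


def split_tls_records(data: bytes) -> List[Record]:
    """Walk a byte string as consecutive TLS records; raise on truncation."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((RECORD_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
                        (major, minor), body))
        off += 5 + length
    return records


def parse_eap_tls(packet: bytes) -> Dict[str, object]:
    """Parse the EAP header and EAP-TLS flags, then the TLS records that follow."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length %d != %d bytes seen" % (length, len(packet)))
    if packet[4] != EAP_TYPE_TLS:
        raise ValueError("not EAP-TLS (type %d)" % packet[4])
    flags, off, tls_len = packet[5], 6, None
    if flags & 0x80:            # L bit: total TLS message length follows
        tls_len = struct.unpack("!I", packet[6:10])[0]
        off = 10
    return {"code": EAP_CODES.get(code, code), "id": ident, "flags": flags,
            "more_fragments": bool(flags & 0x40), "tls_length": tls_len,
            "records": split_tls_records(packet[off:])}


def alert_after_finished(records: List[Record]) -> bool:
    """True when an Alert record follows the encrypted Finished (the first
    Handshake record after ChangeCipherSpec) in the same record stream."""
    after_ccs = finished = False
    for ctype, _, _ in records:
        if ctype == "ChangeCipherSpec":
            after_ccs = True
        elif ctype == "Handshake" and after_ccs:
            finished = True
        elif ctype == "Alert" and finished:
            return True
    return False


if __name__ == "__main__":
    srv = parse_eap_tls(SERVER_CHALLENGE)
    print("server:", srv["code"], "id", srv["id"], "tls_length", srv["tls_length"],
          [(t, len(b)) for t, _, b in srv["records"]])
    cli = split_tls_records(CLIENT_TAIL)
    print("client tail:", [(t, len(b)) for t, _, b in cli],
          "alert after Finished:", alert_after_finished(cli))
```

Run on the page's own bytes, the server packet decodes as EAP Request id 7, TLS length 59, carrying ChangeCipherSpec plus a 48-byte encrypted Finished, exactly what the debug lines "write change cipher spec" and "write finished" say. The client's fragment ends with ChangeCipherSpec, its own 48-byte Finished and then a 32-byte Alert record: 32 bytes, not 2, because it is already encrypted under the negotiated cipher (alert plus MAC plus CBC padding), which is why only the server's decrypted log line can name it "protocol version". The alert sits in the same EAP-Message as the client's Finished, so the client decided to abort before the server's ChangeCipherSpec and Finished had been sent to it; the place to look is the hand-rolled client's handling of the record layer, not the server configuration.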

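Messages 4 and 5 of the quoted digest are about LDAP search scope: a user lookup that works with CN=Users prepended to the base DN but fails from the domain base is the signature of a non-subtree search. The block below is an added example, not code from the thread or from FreeRADIUS' rlm_ldap: it implements the three RFC 4511 scopes (base, one, sub) over a small in-memory directory and reproduces that symptom. The directory layout mirrors the one the poster describes (users under CN=Users below the domain base) but every DN and account name in it is constructed.

```python
"""LDAP search scopes (base / one / sub) over a small in-memory directory.

Added example; not code from the thread or from FreeRADIUS' rlm_ldap.  The
directory below is constructed: DNs and account names are made up, and DN
parsing is a naive split on commas (no escaped-comma handling), which is
enough for the demonstration.
"""
from typing import Dict, List, Optional

# Constructed directory: users under CN=Users plus a second container that a
# search rooted at the domain base would also have to reach.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "DC=example,DC=com": {"objectClass": "domain"},
    "CN=Users,DC=example,DC=com": {"objectClass": "container"},
    "CN=stuart,CN=Users,DC=example,DC=com": {"sAMAccountName": "stuart"},
    "OU=Staff,DC=example,DC=com": {"objectClass": "organizationalUnit"},
    "CN=alice,OU=Staff,DC=example,DC=com": {"sAMAccountName": "alice"},
}

SCOPES = ("base", "one", "sub")


def rdns(dn: str) -> List[str]:
    """Split a DN into RDNs, most specific first, case-folded for comparison."""
    return [part.strip().lower() for part in dn.split(",")]


def depth_below(entry_dn: str, base_dn: str) -> Optional[int]:
    """Number of RDNs entry_dn sits below base_dn, or None if not under it."""
    e, b = rdns(entry_dn), rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return None
    return len(e) - len(b)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """RFC 4511 scope rules: base = the base object only, one = its immediate
    children only, sub = the base object and everything beneath it."""
    d = depth_below(entry_dn, base_dn)
    if d is None:
        return False
    return {"base": d == 0, "one": d == 1, "sub": True}[scope]


def search(directory: Dict[str, Dict[str, str]], base_dn: str, scope: str,
           attr: str, value: str) -> List[str]:
    """Return the DNs in scope whose `attr` equals `value` (case-insensitive)."""
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s" % (SCOPES,))
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base_dn, scope)
                  and attrs.get(attr, "").lower() == value.lower())


if __name__ == "__main__":
    for base in ("DC=example,DC=com", "CN=Users,DC=example,DC=com"):
        for scope in SCOPES:
            hits = search(DIRECTORY, base, scope, "sAMAccountName", "stuart")
            print("%-30s %-4s -> %s" % (base, scope, hits))
```

From the domain base, `one` finds nothing and only `sub` reaches the user entry, while from `CN=Users,DC=example,DC=com` a `one` search is enough; that matches the poster's observation exactly. In the 3.0.x rlm_ldap configuration Arran points to, the `user { }` and `group { }` sections each take a `scope` setting (`sub`, `one` or `base`) alongside their own `base_dn`, and the poster's follow-up question about several base DNs is handled in FreeRADIUS by instantiating the module more than once under different names, each with its own `base_dn`, and listing those instances in the authorize section.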
More information about the Freeradius-Users mailing list