LDAP scope

Stuart Naylor stuartiannaylor at thursbygarden.org
Thu Jul 31 11:49:47 CEST 2014


Apols doh title

 
 
-----Original message-----
> From:freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
> Sent: Thursday 31st July 2014 10:35
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 111, Issue 85
> 
> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: Freeradius Log with Rsyslog (Marco Aresu)
>    2. Re: Multivalued attributes (Alan DeKok)
>    3. RE: Freeradius Log with Rsyslog (Puzzel)
>    4. Re: Freeradius Log with Rsyslog (Marco Aresu)
>    5. RE: Freeradius-Users Digest, Vol 111, Issue 84 (Stuart Naylor)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 31 Jul 2014 10:32:14 +0200
> From: Marco Aresu <marcoaresu at gmail.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius Log with Rsyslog
> Message-ID:
> 	<CAKvBoPkuackJCBsHECj+LAn=THp75yMpHkbLfg4SsyksfWSxEQ at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Hi Puzzel,
> 
> thanks for your reply, it seems to be ok.
> Just one last question: where do I choose the log level to send to
> syslog? In the Radiusd.conf file?
> 
> Thanks
> Marco
> 
> Marco Aresu
> 
> 
> On 30 July 2014 19:56, Puzzel <puzzel1982 at gmail.com> wrote:
> > You need to install rsyslog daemon on radius machine.
> > Then in /etc/rsyslog.conf
> >
> > # Save radius logs into file
> >
> > local1.*     /var/log/radius/radius.log
> >
> > # All to syslog server
> >
> > *.*          @ip_address_of_your_syslog_server
> >
> > It works fine for me
> >
> > -----Original Message-----
> > From: freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org]
> > On Behalf Of Marco Aresu
> > Sent: Wednesday, July 30, 2014 3:43 PM
> > To: FreeRadius users mailing list
> > Subject: Freeradius Log with Rsyslog
> >
> > Hi all,
> >
> > I've configured FreeRADIUS on my server and I would like to forward the
> > authentication log to an external server.
> > I saw in the forum that I have to change Logdir from file to syslog, but
> > where do I have to specify the destination server?
> >
> > Thanks
> >
> > Marco Aresu
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 31 Jul 2014 10:33:49 +0200
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Multivalued attributes
> Message-ID: <53D9FF6D.1030004 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Herwin Weststrate wrote:
> > That would make the following two expressions different:
> > 
> >   if (Attr[*] !~ /regex/)
> >   if (!(Attr[*] =~ /regex/))
> 
>   In general, != and !~ should be the same as !(.. == ) and !(.. =~)
> 
> > First one is true if any of the attributes doesn't match the regex, the
> > second one if none of the attribute match the regex. I would expect them
> > to return the same. There might be some rule or lemma in mathematical
> > set theory here, but I'm not really sure about that (especially since
> > that would probably require explicit any/all-modifiers).
> 
>   I'll try to remember my math.  I'm sure I had this in one of my degrees.
> 
> > About a year ago I was working on a small filtering language for an API
> > which required multi-valued attributes. We changed the use of >, <, <=
> > and >= to yield to syntax errors when combined with multi-valued
> > attributes, because nobody here really knew what they were supposed to
> > do in this context.
> 
>   Makes sense.
> 
>   Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 31 Jul 2014 10:49:31 +0200
> From: "Puzzel" <puzzel1982 at gmail.com>
> To: "'FreeRadius users mailing list'"
> 	<freeradius-users at lists.freeradius.org>
> Subject: RE: Freeradius Log with Rsyslog
> Message-ID: <00fd01cfac9c$59f15ea0$0dd41be0$@com>
> Content-Type: text/plain;	charset="us-ascii"
> 
> Yes in radiusd.conf find the line "syslog_facility = local1"
> 
> -----Original Message-----
> From: freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org]
> On Behalf Of Marco Aresu
> Sent: Thursday, July 31, 2014 10:32 AM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius Log with Rsyslog
> 
> Hi Puzzel,
> 
> thanks for your reply, it seems to be ok.
> Just one last question: where do I choose the log level to send to
> syslog? In the Radiusd.conf file?
> 
> Thanks
> Marco
> 
> Marco Aresu
> 
> 
> On 30 July 2014 19:56, Puzzel <puzzel1982 at gmail.com> wrote:
> > You need to install rsyslog daemon on radius machine.
> > Then in /etc/rsyslog.conf
> >
> > # Save radius logs into file
> >
> > local1.*     /var/log/radius/radius.log
> >
> > # All to syslog server
> >
> > *.*          @ip_address_of_your_syslog_server
> >
> > It works fine for me
> >
> > -----Original Message-----
> > From: 
> > freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius
> > .org]
> > On Behalf Of Marco Aresu
> > Sent: Wednesday, July 30, 2014 3:43 PM
> > To: FreeRadius users mailing list
> > Subject: Freeradius Log with Rsyslog
> >
> > Hi all,
> >
> > I've configured FreeRADIUS on my server and I would like to forward the
> > authentication log to an external server.
> > I saw in the forum that I have to change Logdir from file to syslog,
> > but where do I have to specify the destination server?
> >
> > Thanks
> >
> > Marco Aresu
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 31 Jul 2014 11:12:46 +0200
> From: Marco Aresu <marcoaresu at gmail.com>
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Subject: Re: Freeradius Log with Rsyslog
> Message-ID:
> 	<CAKvBoPkbs++eHen+k_utT9cY-=Bn0k-Fw332V+Z_y6N2GWkCvg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Puzzel,
> 
> facility is working. Do you know if I can send the Radacct
> logs to syslog too? I need them to verify authentication.
> 
> Thanks
> Marco
> 
> Marco Aresu
> 
> 
> On 31 July 2014 10:49, Puzzel <puzzel1982 at gmail.com> wrote:
> > Yes in radiusd.conf find the line "syslog_facility = local1"
> >
> > -----Original Message-----
> > From: freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org]
> > On Behalf Of Marco Aresu
> > Sent: Thursday, July 31, 2014 10:32 AM
> > To: FreeRadius users mailing list
> > Subject: Re: Freeradius Log with Rsyslog
> >
> > Hi Puzzel,
> >
> > thanks for your reply, it seems to be ok.
> > Just one last question: where do I choose the log level to send to
> > syslog? In the Radiusd.conf file?
> >
> > Thanks
> > Marco
> >
> > Marco Aresu
> >
> >
> > On 30 July 2014 19:56, Puzzel <puzzel1982 at gmail.com> wrote:
> >> You need to install rsyslog daemon on radius machine.
> >> Then in /etc/rsyslog.conf
> >>
> >> # Save radius logs into file
> >>
> >> local1.*     /var/log/radius/radius.log
> >>
> >> # All to syslog server
> >>
> >> *.*          @ip_address_of_your_syslog_server
> >>
> >> It works fine for me
> >>
> >> -----Original Message-----
> >> From:
> >> freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> >> [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius
> >> .org]
> >> On Behalf Of Marco Aresu
> >> Sent: Wednesday, July 30, 2014 3:43 PM
> >> To: FreeRadius users mailing list
> >> Subject: Freeradius Log with Rsyslog
> >>
> >> Hi all,
> >>
> >> I've configured FreeRADIUS on my server and I would like to forward the
> >> authentication log to an external server.
> >> I saw in the forum that I have to change Logdir from file to syslog,
> >> but where do I have to specify the destination server?
> >>
> >> Thanks
> >>
> >> Marco Aresu
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 31 Jul 2014 10:32:38 +0100
> From: Stuart Naylor <stuartiannaylor at thursbygarden.org>
> To: freeradius-users at lists.freeradius.org
> 	<freeradius-users at lists.freeradius.org>
> Subject: RE: Freeradius-Users Digest, Vol 111, Issue 84
> Message-ID:
> 	<zarafa.53da0d36.4554.3fc820511be3c041 at zent1.thursbygarden.lan>
> Content-Type: text/plain; charset=utf-8
> 
> Thanks Arran,
> 
> Apols as stuck back in time due to Ubuntu.
> 
> Are there any debs anywhere, as the compiler always scares this noob :)
> 
> Just had a search and everything is firmly stuck in the land of 2.0 series.
> 
> Is there any way to add multiple LDAP search queries with different base DNs?
> 
> Just stuck, as I'm a bit stumped that scope=sub isn't supported?!
> 
> Stuart
> 
> 
>  
>  
> -----Original message-----
> > From:freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
> > Sent: Thursday 31st July 2014 0:45
> > To: freeradius-users at lists.freeradius.org
> > Subject: Freeradius-Users Digest, Vol 111, Issue 84
> > 
> > Send Freeradius-Users mailing list submissions to
> > 	freeradius-users at lists.freeradius.org
> > 
> > To subscribe or unsubscribe via the World Wide Web, visit
> > 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> > or, via email, send a message with subject or body 'help' to
> > 	freeradius-users-request at lists.freeradius.org
> > 
> > You can reach the person managing the list at
> > 	freeradius-users-owner at lists.freeradius.org
> > 
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Freeradius-Users digest..."
> > 
> > 
> > Today's Topics:
> > 
> >    1. RE: Freeradius Log with Rsyslog (Puzzel)
> >    2. Re: Multivalued attributes (Herwin Weststrate)
> >    3. TLS Alert: Fatal: Protocol version (Soham T. Aurangabadkar)
> >    4. LDAP scope (Stuart Naylor)
> >    5. Re: LDAP scope (Arran Cudbard-Bell)
> >    6. Re: Some inconsistencies concerning OpenSSL include
> >       configuration in	FRS 3 (Arran Cudbard-Bell)
> > 
> > 
> > ----------------------------------------------------------------------
> > 
> > Message: 1
> > Date: Wed, 30 Jul 2014 19:56:02 +0200
> > From: "Puzzel" <puzzel1982 at gmail.com>
> > To: "'FreeRadius users mailing list'"
> > 	<freeradius-users at lists.freeradius.org>
> > Subject: RE: Freeradius Log with Rsyslog
> > Message-ID: <009f01cfac1f$87e243b0$97a6cb10$@com>
> > Content-Type: text/plain;	charset="us-ascii"
> > 
> > You need to install rsyslog daemon on radius machine.
> > Then in /etc/rsyslog.conf 
> > 
> > # Save radius logs into file
> > 
> > local1.*     /var/log/radius/radius.log
> > 
> > # All to syslog server
> > 
> > *.*          @ip_address_of_your_syslog_server
> > 
> > It works fine for me
> > 
> > -----Original Message-----
> > From: freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org
> > [mailto:freeradius-users-bounces+puzzel1982=gmail.com at lists.freeradius.org]
> > On Behalf Of Marco Aresu
> > Sent: Wednesday, July 30, 2014 3:43 PM
> > To: FreeRadius users mailing list
> > Subject: Freeradius Log with Rsyslog
> > 
> > Hi all,
> > 
> > I've configured FreeRADIUS on my server and I would like to forward the
> > authentication log to an external server.
> > I saw in the forum that I have to change Logdir from file to syslog, but
> > where do I have to specify the destination server?
> > 
> > Thanks
> > 
> > Marco Aresu
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > 
> > 
> > 
> > ------------------------------
> > 
> > Message: 2
> > Date: Wed, 30 Jul 2014 20:08:06 +0200
> > From: Herwin Weststrate <herwin at quarantainenet.nl>
> > To: FreeRadius users mailing list
> > 	<freeradius-users at lists.freeradius.org>
> > Subject: Re: Multivalued attributes
> > Message-ID: <53D93486.6060203 at quarantainenet.nl>
> > Content-Type: text/plain; charset=windows-1252
> > 
> > On 30-07-14 11:51, Phil Mayers wrote:
> > > On 30/07/14 09:21, Herwin Weststrate wrote:
> > > 
> > >> What would the semantics be if a negative comparison operator would be
> > >> used, like this?
> > >>
> > >>    if (Attr[*] !~ /regex/)
> > >>
> > >> My intuition would say this would only be true if none of the attributes
> > >> matches, instead of if at least one of the attributes matches.
> > > 
> > > Assuming I've understood correctly, using the analogy of the postgres
> > > operator, this is more like:
> > > 
> > > if (any Attr !~ /regex/)
> > > 
> > > i.e. if any of the attributes *don't* match.
> > 
> > That would make the following two expressions different:
> > 
> >   if (Attr[*] !~ /regex/)
> >   if (!(Attr[*] =~ /regex/))
> > 
> > First one is true if any of the attributes doesn't match the regex, the
> > second one if none of the attribute match the regex. I would expect them
> > to return the same. There might be some rule or lemma in mathematical
> > set theory here, but I'm not really sure about that (especially since
> > that would probably require explicit any/all-modifiers).
> > 
> > > The regex operators would presumably have the special behaviour of
> > > setting capture groups for the first of the attributes. This doesn't
> > > have much meaning for !~
> > 
> > Using capture groups with !~ would require an else (because if the regex
> > doesn't match, there are no capture groups). Using code like that would
> > just be stupid:
> > 
> >   if (Attr !~ /(regex)/) {
> >     ...
> >   } else {
> >     # Do something with %{1}
> >   }
> > 
> > Just write it a little bit different and use =~. But this discussion is
> > not really related to multivalued attributes.
> > 
> > >> And I'm not sure what the expected result should be in the following
> > >> statement:
> > >>
> > >>    if (Attr[*] > 10)
> > > 
> > > Likewise
> > > 
> > > if (any Attr > 10)
> > 
> > This gives the same behaviour as with !~, I would expect these two to be
> > the same
> > 
> >   if (Attr[*] > 10)
> >   if (!(Attr[*] <= 9))
> > 
> > About a year ago I was working on a small filtering language for an API
> > which required multi-valued attributes. We changed the use of >, <, <=
> > and >= to yield to syntax errors when combined with multi-valued
> > attributes, because nobody here really knew what they were supposed to
> > do in this context.
> > 
> > -- 
> > Herwin Weststrate
> > 
> > 
> > ------------------------------
> > 
> > Message: 3
> > Date: Wed, 30 Jul 2014 16:06:21 -0400 (EDT)
> > From: "Soham T. Aurangabadkar" <sohama4 at ccs.neu.edu>
> > To: freeradius-users at lists.freeradius.org
> > Subject: TLS Alert: Fatal: Protocol version
> > Message-ID: <10005916.567041406750781574.JavaMail.root at zimbra>
> > Content-Type: text/plain; charset=utf-8
> > 
> > Hello, I am getting a strange error in my FreeRADIUS debug output, which I have posted below. I have built the client using C, OpenSSL and raw sockets, and it uses the 'user at example.com.pem' certificate generated by the scripts provided in /raddb/certs. Can you please tell me where I am going wrong? It is an error at the penultimate step of the EAP-TLS exchange. Thank you! :)
> > 
> > - Soham
> > 
> > 
> > 
> > rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=254, length=829
> > 	User-Name = "sohama411111"
> > 	Called-Station-Id = "ec-e5-55-9c-c3-b6"
> > 	Calling-Station-Id = "00:24:9b:0c:2f:6e"
> > 	NAS-Identifier = "ec-e5-55-9c-c3-ac"
> > 	NAS-IP-Address = 192.168.1.11
> > 	NAS-Port = 6
> > 	Framed-MTU = 1500
> > 	NAS-Port-Type = Ethernet
> > 	State = 0xa2a1f780a7a7fad11c1fdcdf4905f39b
> > 	EAP-Message = 0x61e3d33b48576d468e293468648476786964d5d050203aa0706fef1426432c3e5f5e49d33f77148209d34f01928db02b6b8d30338b9fd51e589b57576217a16c19c5a60bc875140301000101160301003099875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981f32a93c53ba178cf38c3be709ef5a241f1641f18bfc86cff1503010020ecc14febfeb1efd89ca273228fabc163f4d2536f8077de497b8257f10c0cfd80
> > 	Message-Authenticator = 0xb2addbdef36eea66889ed2c3e3ee302e
> > # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 6 length 253
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] = updated
> > ++[files] = noop
> > ++[expiration] = noop
> > ++[logintime] = noop
> > ++[pap] = noop
> > +} # group authorize = updated
> > Found Auth-Type = EAP
> > # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> > +group authenticate {
> > [eap] Request found, released from the list
> > [eap] EAP/tls
> > [eap] processing type tls
> > [tls] Authenticate
> > [tls] processing EAP-TLS
> >   TLS Length 2690
> > [tls] Length Included
> > [tls] eaptls_verify returned 11 
> > [tls] <<< TLS 1.0 Handshake [length 08c7], Certificate  
> > [tls] chain-depth=1, 
> > [tls] error=0
> > [tls] --> User-Name = sohama411111
> > [tls] --> BUF-Name = Example Certificate Authority
> > [tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
> > [tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
> > [tls] --> verify return:1
> > 	TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
> > [tls] chain-depth=0, 
> > [tls] error=0
> > [tls] --> User-Name = sohama411111
> > [tls] --> BUF-Name = sohama4 at gmail.com
> > [tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=sohama4 at gmail.com/emailAddress=sohama4 at gmail.com
> > [tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
> > [tls] --> verify return:1
> > [tls]     TLS_accept: SSLv3 read client certificate A
> > [tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
> > [tls]     TLS_accept: SSLv3 read client key exchange A
> > [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify  
> > [tls]     TLS_accept: SSLv3 read certificate verify A
> > [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
> > [tls] <<< TLS 1.0 Handshake [length 0010], Finished  
> > [tls]     TLS_accept: SSLv3 read finished A
> > [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
> > [tls]     TLS_accept: SSLv3 write change cipher spec A
> > [tls] >>> TLS 1.0 Handshake [length 0010], Finished  
> > [tls]     TLS_accept: SSLv3 write finished A
> > [tls]     TLS_accept: SSLv3 flush data
> > [tls]     (other): SSL negotiation finished successfully
> > [tls] <<< TLS 1.0 Alert [length 0002], fatal protocol_version  
> > TLS Alert read:fatal:protocol version
> > rlm_eap: SSL error error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> > SSL Connection Established 
> > [tls] eaptls_process returned 13 
> > ++[eap] = handled
> > +} # group authenticate = handled
> > Sending Access-Challenge of id 254 to 192.168.1.11 port 62733
> > 	EAP-Message = 0x010700450d800000003b1403010001011603010030fcca5a85d37c2ec29f40904ccb9dbe3ac886668b24f36a70ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > 	State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b
> > Finished request 6.
> > Going to the next request
> > Waking up in 2.2 seconds.
> > rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=255, length=159
> > 	User-Name = "sohama411111"
> > 	Called-Station-Id = "ec-e5-55-9c-c3-b6"
> > 	Calling-Station-Id = "00:24:9b:0c:2f:6e"
> > 	NAS-Identifier = "ec-e5-55-9c-c3-ac"
> > 	NAS-IP-Address = 192.168.1.11
> > 	NAS-Port = 6
> > 	Framed-MTU = 1500
> > 	NAS-Port-Type = Ethernet
> > 	State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b
> > 	EAP-Message = 0x020700060d00
> > 	Message-Authenticator = 0x9edad03d955fdbb9df9945226a174d53
> > # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 7 length 6
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] = updated
> > ++[files] = noop
> > ++[expiration] = noop
> > ++[logintime] = noop
> > ++[pap] = noop
> > +} # group authorize = updated
> > Found Auth-Type = EAP
> > # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> > +group authenticate {
> > [eap] Request found, released from the list
> > [eap] EAP/tls
> > [eap] processing type tls
> > [tls] Authenticate
> > [tls] processing EAP-TLS
> > [tls] Received TLS ACK
> > [tls] ACK alert
> > [tls] eaptls_verify returned 4 
> > [tls] eaptls_process returned 4 
> > [eap] Handler failed in EAP/tls
> > [eap] Failed in EAP select
> > ++[eap] = invalid
> > +} # group authenticate = invalid
> > Failed to authenticate the user.
> > Using Post-Auth-Type REJECT
> > # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> > +group REJECT {
> > [attr_filter.access_reject] 	expand: %{User-Name} -> sohama411111
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] = updated
> > +} # group REJECT = updated
> > Delaying reject of request 7 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 7
> > Sending Access-Reject of id 255 to 192.168.1.11 port 62733
> > 	EAP-Message = 0x04070004
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > Waking up in 1.2 seconds.
> > Cleaning up request 0 ID 248 with timestamp +21
> > Waking up in 2.6 seconds.
> > Cleaning up request 1 ID 249 with timestamp +24
> > Cleaning up request 2 ID 250 with timestamp +24
> > Cleaning up request 3 ID 251 with timestamp +24
> > Cleaning up request 4 ID 252 with timestamp +24
> > Cleaning up request 5 ID 253 with timestamp +24
> > Cleaning up request 6 ID 254 with timestamp +24
> > Waking up in 1.0 seconds.
> > Cleaning up request 7 ID 255 with timestamp +24
> > 
> > 
> > ------------------------------
> > 
> > Message: 4
> > Date: Wed, 30 Jul 2014 23:59:35 +0100
> > From: Stuart Naylor <stuartiannaylor at thursbygarden.org>
> > To: freeradius-users at lists.freeradius.org
> > 	<freeradius-users at lists.freeradius.org>
> > Subject: LDAP scope
> > Message-ID:
> > 	<zarafa.53d978d7.73bf.594fda2e60fe5c48 at zent1.thursbygarden.lan>
> > Content-Type: text/plain; charset=utf-8
> > 
> > Hi,
> > 
> > I am having problems with LDAP.
> > 
> > I am running FreeRADIUS Version 2.1.12 and Samba4 and the LDAP searches are not subtree searches.
> > 
> > I have to add the CN=Users to the base DN and it works.
> > 
> > If I want to search from the base DN I get an ldap search error.
> > 
> > Is there any way to set the search scope to subtree?
> > 
> > Stuart
> > 
> > 
> > 
> > 
> > ------------------------------
> > 
> > Message: 5
> > Date: Wed, 30 Jul 2014 19:40:48 -0400
> > From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > To: FreeRadius users mailing list
> > 	<freeradius-users at lists.freeradius.org>
> > Subject: Re: LDAP scope
> > Message-ID: <42D1F2C2-5061-45D0-9833-29709DF2A8EF at freeradius.org>
> > Content-Type: text/plain; charset="us-ascii"
> > 
> > 
> > On 30 Jul 2014, at 18:59, Stuart Naylor <stuartiannaylor at thursbygarden.org> wrote:
> > 
> > > Hi,
> > > 
> > > I am having problems with LDAP.
> > > 
> > > I am running FreeRADIUS Version 2.1.12 and Samba4 and the LDAP searches are not subtree searches.
> > > 
> > > I have to add the CN=Users to the base DN and it works.
> > > 
> > > If I want to search from the base DN I get an ldap search error.
> > > 
> > > Is there any way to set the search scope to subtree?
> > 
> > 1. Download v3.0.3
> > 2. Install v3.0.3
> > 3. Enjoy the ability to alter search scopes for LDAP objects
> > 
> > -Arran
> > 
> > Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > FreeRADIUS development team
> > 
> > FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> > 
> > -------------- next part --------------
> > A non-text attachment was scrubbed...
> > Name: signature.asc
> > Type: application/pgp-signature
> > Size: 881 bytes
> > Desc: Message signed with OpenPGP using GPGMail
> > URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140730/ed95504f/attachment-0001.pgp>
> > 
> > ------------------------------
> > 
> > Message: 6
> > Date: Wed, 30 Jul 2014 19:42:24 -0400
> > From: Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > To: FreeRadius users mailing list
> > 	<freeradius-users at lists.freeradius.org>
> > Subject: Re: Some inconsistencies concerning OpenSSL include
> > 	configuration in	FRS 3
> > Message-ID: <DD0F2DD5-2CF8-4BE4-817D-29FACC737F60 at freeradius.org>
> > Content-Type: text/plain; charset="us-ascii"
> > 
> > 
> > On 29 Jul 2014, at 12:55, Dr. Andreas Rieke <rieke at isl.de> wrote:
> > 
> > > Arran Cudbard-Bell wrote:
> > >> 
> > >> On 29 Jul 2014, at 06:05, Dr. Andreas Rieke <rieke at isl.de> wrote:
> > >> 
> > >>> Arran Cudbard-Bell wrote:
> > >>>> Should work now without dumb hacks...
> > >>> I have tested your solution, too, and it also works well. However, there is a small difference between your and Alan's approach: with Alan's suggestion, the rlm_wimax shared object does not have any references to OpenSSL, whereas in your approach, ldd says that both libssl and libcrypto are required.
> > >>> 
> > >>> I do not know which one is correct,
> > >> 
> > >> Mine, seeing as the module uses symbols from those libraries. 
> > >> 
> > >> Technically it probably only needs libcrypto, but never mind.
> > >> 
> > > Thanks a lot to Alan and you, Arran, for your time and for your patience with a newbie on this list,
> > 
> > No problem, thanks for reporting the OpenSSL issues.
> > 
> > -Arran
> > 
> > Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > FreeRADIUS development team
> > 
> > FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> > 
> > -------------- next part --------------
> > A non-text attachment was scrubbed...
> > Name: signature.asc
> > Type: application/pgp-signature
> > Size: 881 bytes
> > Desc: Message signed with OpenPGP using GPGMail
> > URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140730/df2937ad/attachment.pgp>
> > 
> > ------------------------------
> > 
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > 
> > End of Freeradius-Users Digest, Vol 111, Issue 84
> > *************************************************
> > 
> 
> 
> ------------------------------
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> End of Freeradius-Users Digest, Vol 111, Issue 85
> *************************************************
> 
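The scope question in Stuart's message above (searches that only work once CN=Users is appended to the base DN, versus a subtree search from the domain root) comes down to what LDAP's three search scopes return. The model below is an added example, not code from the thread or from FreeRADIUS: it evaluates base, one-level and subtree scope against a constructed directory, with constructed DNs and attribute values, and contacts no LDAP server. The search_multiple_bases helper is a hypothetical illustration of the "several queries with different base DNs" idea from the message, not an rlm_ldap feature.

```python
"""Model of LDAP search scope (base / one / sub) over a constructed directory.

Added example, not code from the thread or from FreeRADIUS. The entries,
DNs and attribute values below are constructed; no LDAP server is contacted.
"""
from typing import Dict, List, Tuple

# Constructed directory: DN -> attributes. Mirrors an AD-style layout where
# some users live under CN=Users and others under an OU.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "DC=example,DC=lan": {"objectClass": "domain"},
    "CN=Users,DC=example,DC=lan": {"objectClass": "container"},
    "CN=stuart,CN=Users,DC=example,DC=lan": {"sAMAccountName": "stuart"},
    "OU=Staff,DC=example,DC=lan": {"objectClass": "organizationalUnit"},
    "CN=alice,OU=Staff,DC=example,DC=lan": {"sAMAccountName": "alice"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, lower-cased for comparison.

    Simplification: handles plain DNs only (no escaped commas, no multi-valued
    RDNs), which is enough to show scope semantics.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Return True if a search at base_dn with the given scope returns entry_dn.

    base: the base entry only; one: its immediate children only;
    sub: the base entry and everything beneath it.
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # not under base_dn at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope: {scope}")


def search(directory: Dict[str, Dict[str, str]], base_dn: str, scope: str,
           attr: str, value: str) -> List[str]:
    """DNs of in-scope entries whose attribute equals value (case-insensitive)."""
    return [
        dn for dn, attrs in directory.items()
        if in_scope(dn, base_dn, scope)
        and attrs.get(attr, "").lower() == value.lower()
    ]


def search_multiple_bases(directory: Dict[str, Dict[str, str]], base_dns: List[str],
                          scope: str, attr: str, value: str) -> List[str]:
    """Hypothetical workaround: try several base DNs in order and return the
    first non-empty result. Not an rlm_ldap feature; shown only to make the
    'multiple queries with different base DNs' idea concrete."""
    for base_dn in base_dns:
        found = search(directory, base_dn, scope, attr, value)
        if found:
            return found
    return []


if __name__ == "__main__":
    root = "DC=example,DC=lan"
    # One-level search from the domain root sees containers, not the users in them.
    print(search(DIRECTORY, root, "one", "sAMAccountName", "stuart"))
    # Narrowing the base to CN=Users makes the one-level search succeed.
    print(search(DIRECTORY, "CN=Users," + root, "one", "sAMAccountName", "stuart"))
    # A subtree search from the root finds users in any container.
    print(search(DIRECTORY, root, "sub", "sAMAccountName", "alice"))
```

The first call returns nothing because a one-level search from the domain root only reaches CN=Users and OU=Staff themselves; the second succeeds only because the base DN was moved down to the container holding the user; the third shows that scope=sub from the root reaches users in every container. Real directories add behaviour this model leaves out (referrals, aliases, escaped characters in DNs), so use it to reason about which base DN and scope a query needs and confirm the result against the actual server with ldapsearch.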

