Hi,<br>I have freeradius with eap support on debian etch, radius v1.1.3<br>"everthing" working fine but I'd like to have much more simple configuration<br>only by certificate and nothing more,<br>so I have few question:<br>
<br>1. <br>fragment of my log first, before question<br>Listening on authentication *:1812<br>Listening on accounting *:1813<br>Ready to process requests.<br>rad_recv: Access-Request packet from host <a href="http://192.168.5.206:1812">192.168.5.206:1812</a>, id=182, length=159<br>
NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br> NAS-Port-Type = Ethernet<br> User-Name = "PC-01\\Administrator"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br>
Calling-Station-Id = "00-0A-E4-13-1A-02"<br> Service-Type = Framed-User<br> Framed-MTU = 1500<br> EAP-Message = 0x0200001b014e4c504c2d4943455c41646d696e6973747261746f72<br> Message-Authenticator = 0xe0b4e2966553f890137d9e56bebd0b3d<br>
Processing the authorize section of radiusd.conf<br>modcall: entering group authorize for request 0<br> modcall[authorize]: module "preprocess" returns ok for request 0<br> modcall[authorize]: module "mschap" returns noop for request 0<br>
rlm_realm: No '@' in User-Name = "PC-01\Administrator", looking up realm NULL<br> rlm_realm: No such realm "NULL"<br> modcall[authorize]: module "suffix" returns noop for request 0<br>
<br>my users file contain:<br>"PC-01\\Administrator" User-Password == "passwd"<br><br>how can I avoid this value PC-01 ?, its really annoying, I would like to have only real user, PC-01 is "my computer -> properties -> computer name -> full computer name". I would like to have only username (with no matter of case sensitive). sth like<br>
"administrator" User-Password == "passwd"<br>
<br><br>2. <br>I would like to use only certificate to check wheter or not some computer should have network connection,<br>I dont care about login or password, <br>if client has a valid cacert.pem installed on pc (windows xp) it should grant acces to network, is it possible to do that?<br>
I tried do sth like: <br>users:<br>DEFAULT Auth-Type := Accept<br>but it didn't work<br>the perfect way for me is possiblity to set up something in radiusd.conf and live file users empty<br><br>3. <br>when I read log from freeradius -X I see that one pc need to have 7requests in freeradius and in 8-th request is accepted, is it ok? <br>
<br>modcall: entering group authenticate for request 8<br> rlm_eap: Request found, released from the list<br> rlm_eap: EAP/peap<br> rlm_eap: processing type peap<br> rlm_eap_peap: Authenticate<br> rlm_eap_tls: processing TLS<br>
eaptls_verify returned 7<br> rlm_eap_tls: Done initial handshake<br> eaptls_process returned 7<br> rlm_eap_peap: EAPTLS_OK<br> rlm_eap_peap: Session established. Decoding tunneled attributes.<br> rlm_eap_peap: Received EAP-TLV response.<br>
rlm_eap_peap: Tunneled data is valid.<br> rlm_eap_peap: Success<br> rlm_eap: Freeing handler<br> modcall[authenticate]: module "eap" returns ok for request 8<br>modcall: leaving group authenticate (returns ok) for request 8<br>
Sending Access-Accept of id 193 to 192.168.5.206 port 1812<br> MS-MPPE-Recv-Key = 0xc349694508a365a56e56e085069e36270cb13b60c3cc7847129b2386a7062dde<br> MS-MPPE-Send-Key = 0xf93f6de4f455056df7f1d88aa3d12a26cd1a71994fdf6c31bb726612eaf2f038<br>
EAP-Message = 0x03080004<br> Message-Authenticator = 0x00000000000000000000000000000000<br> User-Name = "PC-01\\Administrator"<br>Finished request 8<br><br><br>-----------------------------------------------<br>
my configuration files:<br>eap.conf<br>eap {<br> default_eap_type = peap<br> timer_expire = 60<br> ignore_unknown_eap_types = no<br> cisco_accounting_username_bug = no<br> md5 {<br> }<br>
leap {<br> }<br> gtc {<br> auth_type = PAP<br> }<br> tls {<br> private_key_file = /etc/freeradius/eap/newkey.pem<br> certificate_file = /etc/freeradius/eap/newcert.pem<br> CA_file = /etc/freeradius/eap/eapCA/cacert.pem<br>
dh_file = /etc/freeradius/eap/dh<br> random_file = /etc/freeradius/eap/random<br> fragment_size = 1024<br> include_length = yes<br> check_crl = no<br> }<br> peap {<br> default_eap_type = mschapv2<br>
}<br> mschapv2 {<br> }<br>}<br><br>radiusd.conf<br><br>prefix = /usr<br>exec_prefix = /usr<br>sysconfdir = /etc<br>localstatedir = /var<br>sbindir = ${exec_prefix}/sbin<br>logdir = /var/log/freeradius<br>raddbdir = /etc/freeradius<br>
radacctdir = ${logdir}/radacct<br>confdir = ${raddbdir}<br>run_dir = ${localstatedir}/run/freeradius<br>log_file = ${logdir}/radius.log<br>libdir = /usr/lib/freeradius<br>pidfile = ${run_dir}/freeradius.pid<br>user = freerad<br>
group = freerad<br>max_request_time = 30<br>delete_blocked_requests = no<br>cleanup_delay = 5<br>max_requests = 1024<br>bind_address = *<br>port = 0<br>hostname_lookups = no<br>allow_core_dumps = no<br>regular_expressions = yes<br>
extended_expressions = yes<br>log_stripped_names = no<br>log_auth = no<br>log_auth_badpass = no<br>log_auth_goodpass = no<br>usercollide = no<br>lower_user = no<br>lower_pass = no<br>nospace_user = no<br>nospace_pass = no<br>
checkrad = ${sbindir}/checkrad<br>security {<br> max_attributes = 200<br> reject_delay = 1<br> status_server = no<br>}<br>proxy_requests = yes<br>$INCLUDE ${confdir}/proxy.conf<br>$INCLUDE ${confdir}/clients.conf<br>
snmp = no<br>$INCLUDE ${confdir}/snmp.conf<br>thread pool {<br> start_servers = 5<br> max_servers = 32<br> min_spare_servers = 3<br> max_spare_servers = 10<br> max_requests_per_server = 0<br>
}<br>modules {<br> pap {<br> encryption_scheme = crypt<br> }<br> chap {<br> authtype = CHAP<br> }<br> pam {<br> pam_auth = radiusd<br> }<br>
unix {<br> cache = no<br> cache_reload = 600<br> shadow = /etc/shadow<br> radwtmp = ${logdir}/radwtmp<br> }<br>$INCLUDE ${confdir}/eap.conf<br> mschap {<br>
authtype = MS-CHAP<br> use_mppe = yes<br> require_encryption = yes<br> require_strong = yes<br> with_ntdomain_hack = yes<br> }<br> ldap {<br>
server = "ldap.your.domain"<br> basedn = "o=My Org,c=UA"<br> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<br> start_tls = no<br>
access_attr = "dialupAccess"<br> dictionary_mapping = ${raddbdir}/ldap.attrmap<br> ldap_connections_number = 5<br> timeout = 4<br> timelimit = 3<br>
net_timeout = 1<br> }<br> realm IPASS {<br> format = prefix<br> delimiter = "/"<br> ignore_default = no<br> ignore_null = no<br>
}<br> realm suffix {<br> format = suffix<br> delimiter = "@"<br> ignore_default = no<br> ignore_null = no<br> }<br> realm realmpercent {<br>
format = suffix<br> delimiter = "%"<br> ignore_default = no<br> ignore_null = no<br> }<br> realm ntdomain {<br> format = prefix<br>
delimiter = "\\"<br> ignore_default = no<br> ignore_null = no<br> }<br> checkval {<br> item-name = Calling-Station-Id<br> check-name = Calling-Station-Id<br>
data-type = string<br> }<br> preprocess {<br> huntgroups = ${confdir}/huntgroups<br> hints = ${confdir}/hints<br> with_ascend_hack = no<br> ascend_channels_per_line = 23<br>
with_ntdomain_hack = no<br> with_specialix_jetstream_hack = no<br> with_cisco_vsa_hack = no<br> }<br><br> files {<br> usersfile = ${confdir}/users<br>
acctusersfile = ${confdir}/acct_users<br> preproxy_usersfile = ${confdir}/preproxy_users<br> compat = no<br> }<br><br> detail {<br> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d<br>
detailperm = 0600<br> }<br> acct_unique {<br> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br> }<br><br> $INCLUDE ${confdir}/sql.conf<br>
radutmp {<br> filename = ${logdir}/radutmp<br> username = %{User-Name}<br> case_sensitive = yes<br> check_with_nas = yes<br> perm = 0600<br>
callerid = "yes"<br> }<br> radutmp sradutmp {<br> filename = ${logdir}/sradutmp<br> perm = 0644<br> callerid = "no"<br> }<br>
attr_filter {<br> attrsfile = ${confdir}/attrs<br> }<br> counter daily {<br> filename = ${raddbdir}/db.daily<br> key = User-Name<br> count-attribute = Acct-Session-Time<br>
reset = daily<br> counter-name = Daily-Session-Time<br> check-name = Max-Daily-Session<br> allowed-servicetype = Framed-User<br> cache-size = 5000<br>
}<br> sqlcounter dailycounter {<br> counter-name = Daily-Session-Time<br> check-name = Max-Daily-Session<br> sqlmod-inst = sql<br> key = User-Name<br>
reset = daily<br> query = "SELECT SUM(AcctSessionTime - \<br> GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \<br> FROM radacct WHERE UserName='%{%k}' AND \<br>
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"<br> }<br><br> sqlcounter monthlycounter {<br> counter-name = Monthly-Session-Time<br> check-name = Max-Monthly-Session<br>
sqlmod-inst = sql<br> key = User-Name<br> reset = monthly<br> query = "SELECT SUM(AcctSessionTime - \<br> GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \<br>
FROM radacct WHERE UserName='%{%k}' AND \<br> UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"<br> }<br> always fail {<br> rcode = fail<br>
}<br> always reject {<br> rcode = reject<br> }<br> always ok {<br> rcode = ok<br> simulcount = 0<br> mpp = no<br> }<br> expr {<br>
}<br> digest {<br> }<br> exec {<br> wait = yes<br> input_pairs = request<br> }<br> exec echo {<br> wait = yes<br> program = "/bin/echo %{User-Name}"<br>
input_pairs = request<br> output_pairs = reply<br> }<br> ippool main_pool {<br> range-start = 192.168.1.1<br> range-stop = 192.168.3.254<br> netmask = 255.255.255.0<br>
cache-size = 800<br> session-db = ${raddbdir}/db.ippool<br> ip-index = ${raddbdir}/db.ipindex<br> override = no<br> maximum-timeout = 0<br> }<br>
}<br>instantiate {<br> exec<br> expr<br>}<br>authorize {<br> preprocess<br> mschap<br> suffix<br> eap<br> files<br>}<br>authenticate {<br> Auth-Type PAP {<br> pap<br>
}<br> Auth-Type CHAP {<br> chap<br> }<br> Auth-Type MS-CHAP {<br> mschap<br> }<br> unix<br> eap<br>}<br>preacct {<br> preprocess<br> acct_unique<br>
suffix<br> files<br>}<br>accounting {<br> detail<br> unix<br> radutmp<br>}<br>session {<br> radutmp<br>}<br>post-auth {<br>}<br>pre-proxy {<br>}<br>post-proxy {<br> eap<br>
}<br><br><br>