Re: FreeRadius EAP-TLS question

Re: FreeRadius EAP-TLS question

Hamid Salim
Kris,
Thanks for your help.

Do you think that (1) and (2) in my previous message could be the
reason that freeradius will not authenticate the client?

thanks again.


[hidden email] wrote:


>Send Freeradius-Users mailing list submissions to
> [hidden email]
>
>To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
>or, via email, send a message with subject or body 'help' to
> [hidden email]
>
>You can reach the person managing the list at
> [hidden email]
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Freeradius-Users digest..."
>
>
>Today's Topics:
>
>   1. FreeRadius EAP-TLS questions (Hamid Salim)
>   2. Re: problem with using rlm_sql for accounting only (John Donagher)
>   3. Re: problem with using rlm_sql for accounting only (John Donagher)
>   4. Re: FreeRadius EAP-TLS questions (Kris Benson)
>   5. sql.conf (update query) (Michel Bélanger)
>   6. Re: problem with using rlm_sql for accounting only  (Alan DeKok)
>   7. Hi. Windows RADIUS server died. (Derrick MacPherson)
>   8. Re: Hi. Windows RADIUS server died.  (Alan DeKok)
>   9. Re: Hi. Windows RADIUS server died. (Derrick MacPherson)
>  10. Re: how to return multiple attributes from ldap? (kevin)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 9 Aug 2005 13:54:52 -0400 (EDT)
>From: Hamid Salim <[hidden email]>
>Subject: FreeRadius EAP-TLS questions
>To: [hidden email]
>Message-ID: <[hidden email]>
>Content-Type: text/plain; charset=UTF-8
>
>Hello,
>Two part question:
>1. Is it critical to have certificates, dh and random files in
>etc/raddb/certs directory for eap-tls to work.
>2. Is it ok to generate random file as date > random
>
>thanks a lot.
>Hamid.
>
>
>------------------------------
>
>Message: 2
>Date: Tue, 09 Aug 2005 13:55:45 -0400
>From: John Donagher <[hidden email]>
>Subject: Re: problem with using rlm_sql for accounting only
>To: FreeRadius users mailing list
> <[hidden email]>
>Message-ID: <[hidden email]>
>Content-Type: text/plain
>
>On Tue, 2005-08-09 at 00:01 +0200, Nicolas Baradakis wrote:
>> John Donagher wrote:
>>
>> > If the SQL server is inaccessible (i.e. down, or locked), freeradius
>> > rejects all radius requests. In my case, since the SQL database is being
>> > used only for accounting, this is not desired behavior.
>>
>> The link below explains how to control the flow of modules in FreeRADIUS.
>> http://www.freeradius.org/radiusd/doc/configurable_failover
>>
>> There is an example which looks like what you want to do for accounting.
>>
>
>Thanks, that was exactly what I was looking for!
>
>John
>
>
>
>
>------------------------------
>
>Message: 3
>Date: Tue, 09 Aug 2005 14:01:11 -0400
>From: John Donagher <[hidden email]>
>Subject: Re: problem with using rlm_sql for accounting only
>To: FreeRadius users mailing list
> <[hidden email]>
>Message-ID: <[hidden email]>
>Content-Type: text/plain
>
>On Mon, 2005-08-08 at 18:09 -0400, Alan DeKok wrote:
>> John Donagher <[hidden email]> wrote:
>> > If the SQL server is inaccessible (i.e. down, or locked), freeradius
>> > rejects all radius requests. In my case, since the SQL database is being
>> > used only for accounting, this is not desired behavior.
>>
>>   See the log messages.
>>
>>   What's probably happening is that all of the threads are blocked,
>> waiting for SQL to respond.  Therefore, there are no threads ready to
>> service authentication requests, and they get discarded.
>>
>>   The solution is to fix the SQL server so it doesn't go down.  If
>> it's a critical part of your infrastructure, I'm a little unsure as to
>> why it would go down, or lock FreeRADIUS out for many seconds at a
>> time.
>
>Indeed.. under normal circumstances it wouldn't go down. My issue is
>that the SQL server is not a critical part of our infrastructure and I
>don't want it to be (at this point anyway). I'm using it for accounting
>trend reporting only.. in any event, Nicolas' suggestion was right on
>and works like a charm.
>
>Thanks
>John
>
>
>
>
>------------------------------
>
>Message: 4
>Date: Tue, 09 Aug 2005 11:18:10 -0700
>From: "Kris Benson" <[hidden email]>
>Subject: Re: FreeRadius EAP-TLS questions
>To: "FreeRadius users mailing list"
> <[hidden email]>
>Cc: [hidden email]
>Message-ID:
> <[hidden email]>
>Content-Type: text/plain; charset=ISO-8859-1
>
>FreeRadius users mailing list <[hidden email]> on
>August 9, 2005 at 10:54 -0800 wrote:
>>Hello,
>>Two part question:
>>1. Is it critical to have certificates, dh and random files in
>>etc/raddb/certs directory for eap-tls to work.
>>2. Is it ok to generate random file as date > random
>
>1. Yes, sort of.  You can put it in a different directory if you change
>the eap.conf entries.
>
>2. No. This is the correct way:
>
>To generate the dh file you can use a function that comes with openssl
>
>openssl dhparam -check -text -5 512 -out dh
>
>This will generate a 512-bit Diffie-Hellman key named dh.
>Move this file to /etc/mycerts/
>
>mv dh /etc/mycerts/.
>
>To generate a random file you will need a short C program using openssl
>libraries.  Paste this text into a file named 'random.c':
>----8< cut---
>#include <stdio.h>
>#include <stdlib.h>
>#include <openssl/rand.h>
>
>/* Write 100 bytes from OpenSSL's CSPRNG to stdout; redirect stdout to
> * the 'random' file.  The bytes are written with fwrite(), not
> * printf("%s"): the buffer is binary and not NUL-terminated, so a %s
> * print would stop at the first zero byte (or run past the buffer). */
>int main(void) {
>    unsigned char buf[100];
>    if (RAND_bytes(buf, sizeof buf) != 1) {
>        fprintf(stderr, "RAND_bytes failed\n");
>        return EXIT_FAILURE;
>    }
>    if (fwrite(buf, 1, sizeof buf, stdout) != sizeof buf)
>        return EXIT_FAILURE;
>    return EXIT_SUCCESS;
>}
>----8< cut---
>
>Compile it like this: gcc random.c -o random -lcrypto
>
>It will generate a 32-bit LSB executable named random; try it with
>./random.
>
>Move this file to /etc/mycerts/:
>mv random /etc/mycerts/.
>
>-kb
>--
>Kris Benson, CCP, I.S.P.
>Technical Analyst, District Projects
>School District #57 (Prince George)
>
>
>
>------------------------------
>
>Message: 5
>Date: Tue, 09 Aug 2005 15:34:28 -0400
>From: Michel Bélanger <[hidden email]>
>Subject: sql.conf (update query)
>To: [hidden email]
>Message-ID: <[hidden email]>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Hi,
>I am trying to add an additional query to the update query in sql.conf. Is
>it possible to do this?
>
>Here is what I have tested:
>
>accounting_update_query = "UPDATE ${acct_table1} \
>         SET FramedIPAddress = '%{Framed-IP-Address}', \
>         AcctSessionTime = '%{Acct-Session-Time}', \
>         AcctInputOctets = '%{Acct-Input-Octets}', \
>         AcctOutputOctets = '%{Acct-Output-Octets}' \
>         WHERE AcctSessionId = '%{Acct-Session-Id}' \
>         AND UserName = '%{SQL-User-Name}' \
>         AND NASIPAddress= '%{NAS-IP-Address}'; \
>         INSERT into radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) \
>         values('%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Acct-Session-Id}')"
>
>rlm_sql_mysql: MYSQL check_error: 1064 received
>rlm_sql (sql): Couldn't update SQL accounting ALIVE record - You have an
>error in your SQL syntax; check the manual that corresponds to your
>MySQL server version for the right syntax to use near '; INSERT into
>radtempo (AcctInputOctets, AcctOutputOctets, AcctSessionId) values' at
>line 1
>--
>------------------------------------------------------------
>
>Michel Bélanger
>
>
>
>
>------------------------------
>
>Message: 6
>Date: Tue, 09 Aug 2005 16:00:34 -0400
>From: "Alan DeKok" <[hidden email]>
>Subject: Re: problem with using rlm_sql for accounting only
>To: FreeRadius users mailing list
> <[hidden email]>
>Message-ID: <[hidden email]>
>
>John Donagher <[hidden email]> wrote:
>> Indeed.. under normal circumstances it wouldn't go down. My issue is
>> that the SQL server is not a critical part of our infrastructure and I
>> don't want it to be (at this point anyway). I'm using it for accounting
>> trend reporting only.. in any event, Nicolas' suggestion was right on
>> and works like a charm.
>
>  In the CVS head you can use the rlm_sql_log module, which dumps the
>queries to a file.  The file can then be post-processed.  This removes
>all run-time dependency on SQL, which is a better solution.
>
>  Alan DeKok.
>
>
>------------------------------
>
>Message: 7
>Date: Tue, 09 Aug 2005 13:47:29 -0700
>From: Derrick MacPherson <[hidden email]>
>Subject: Hi. Windows RADIUS server died.
>To: [hidden email]
>Message-ID: <[hidden email]>
>Content-Type: text/plain
>
>I just got asked to try and get a freeradius server running ASAP. I got
>it installed on a freebsd 5.4 box that I had just finished getting squid
>running on, not implemented yet still testing.
>
>I see freeradius can use ntlm_auth as well, though I'm not clear on its
>syntax. I have squid using the same authentication criteria as the
>radius server was using, that was based upon being in a certain group. Can
>freeradius support this as well? My syntax in squid:
>
>ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
>
>Can someone save me with a quick example or am I off to read and google?
>
>
>
>------------------------------
>
>Message: 8
>Date: Tue, 09 Aug 2005 17:22:17 -0400
>From: "Alan DeKok" <[hidden email]>
>Subject: Re: Hi. Windows RADIUS server died.
>To: FreeRadius users mailing list
> <[hidden email]>
>Message-ID: <[hidden email]>
>
>Derrick MacPherson <[hidden email]> wrote:
>> I see freeradius can use ntlm_auth as well, though I'm not clear on its
>> syntax.
>
>  See radiusd.conf for an example, and the ntlm_auth docs for its
>command-line arguments.
>
>> I have squid using the same authentication criteria as the radius
>> server was using, that was based upon being in certain group. Can
>> freeradius support this as well?
>
>  Sure, because FreeRADIUS doesn't care about command-line arguments
>to ntlm_auth.  Add as many arguments to ntlm_auth as you want.
>
>> ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
>  This *isn't* supported.  You have to pass the username & password on
>the command line, as in the examples.  And if you're doing MSCHAP, you
>MUST also pass the "request nt key" option, too.
>
>> --require-membership-of=S-1-5-21-1058564242-1277044956-825688854-1337 Domain Group (2)
>
>  This is just noise to FreeRADIUS, which doesn't look at it, and
>doesn't care.  If ntlm_auth returns success, so does FreeRADIUS.  If
>it returns fail, so does FreeRADIUS.
>
>  Alan DeKok.
>
>
>
>------------------------------
>
>Message: 9
>Date: Tue, 09 Aug 2005 14:38:38 -0700
>From: Derrick MacPherson <[hidden email]>
>Subject: Re: Hi. Windows RADIUS server died.
>To: FreeRadius users mailing list
> <[hidden email]>
>Message-ID: <[hidden email]>
>Content-Type: text/plain
>
>On Tue, 2005-08-09 at 17:22 -0400, Alan DeKok wrote:
>>   See radiusd.conf for an example, and the ntlm_auth docs for its
>> command-line arguments.
>
>thank you, reading them now.
>
>Is there a way to test if the authentication is passing or failing?
>
>
>
>------------------------------
>
>Message: 10
>Date: Tue, 09 Aug 2005 15:10:17 -0700
>From: kevin <[hidden email]>
>Subject: Re: how to return multiple attributes from ldap?
>To: FreeRadius users mailing list
> <[hidden email]>
>Message-ID: <[hidden email]>
>Content-Type: text/plain; charset="iso-8859-1"
>
>But I am still interested in a way of returning multiple attributes
>without changing the LDAP data.
>I thought there must be a way.
>
>kevin
>
>Dusty Doris wrote:
>
>>On Tue, 9 Aug 2005, kevin wrote:
>>
>>  
>>
>>>What?  So, should I change the ldap attribute values with "+=" ???
>>>Any other way?
>>>
>>>    
>>>
>>
>>Yep, it works.
>>
>>I did a test, with this DN only one filter-id was returned.
>>
>>dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
>>objectClass: radiusprofile
>>userPassword:: ZHVzdHl0ZXN0
>>radiusGroupName: dial
>>radiusGroupName: adsl
>>uid: dustytest
>>radiusFilterId: filter1
>>radiusFilterId: filter2
>>
>>Received response ID 210, code 2, length = 59
>>        Framed-Routing = None
>>        Framed-IP-Netmask = 255.255.255.0
>>        Framed-Protocol = PPP
>>        Service-Type = Framed-User
>>        Filter-Id = "filter1"
>>
>>
>>With this dn, both were returned (note there were no quotes in it - that
>>didn't work)
>>
>>dn: uid=dustytest,ou=users,ou=radius,dc=test,dc=com
>>objectClass: radiusprofile
>>userPassword:: ZHVzdHl0ZXN0
>>radiusGroupName: dial
>>radiusGroupName: adsl
>>uid: dustytest
>>radiusFilterId: += filter1
>>radiusFilterId: += filter2
>>
>>Received response ID 214, code 2, length = 68
>>        Framed-Routing = None
>>        Framed-IP-Netmask = 255.255.255.0
>>        Framed-Protocol = PPP
>>        Service-Type = Framed-User
>>        Filter-Id = "filter1"
>>        Filter-Id = "filter2"
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>  
>>
>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL: https://list.xs4all.nl/pipermail/freeradius-users/attachments/20050809/95391bfa/attachment.html
>
>------------------------------
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>End of Freeradius-Users Digest, Vol 4, Issue 39
>***********************************************
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
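As an added example, not code from this thread or from the FreeRADIUS project: a POSIX shell script that produces the dh and random files Kris describes in message 4 of the quoted digest, and checks for the rlm_eap_tls module that his later reply says to verify. It differs from the thread's recipe in two ways a practitioner would want: the random file is filled with raw bytes from /dev/urandom (so it is neither the few predictable ASCII bytes of `date > random` nor the output of a `printf("%s")` that stops at the first zero byte), and the DH size defaults to 2048 bits rather than 512. The directory paths, the 1024-byte random file size and the library directory used for the module check are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates and checks the
# 'dh' and 'random' files referenced by eap.conf for EAP-TLS.
# Assumptions: /etc/raddb/certs as the certs directory, 1024 random bytes,
# 2048-bit DH parameters, /usr/lib/freeradius as the module directory.
set -eu
LC_ALL=C
export LC_ALL

# Write N bytes from the kernel CSPRNG to PATH, mode 0600.
# Usage: gen_random_file /etc/raddb/certs/random 1024
gen_random_file() {
    path=$1; nbytes=$2
    ( umask 077; head -c "$nbytes" /dev/urandom > "$path" )
}

# Return 0 if PATH looks like raw random data: at least 256 bytes and
# containing bytes outside the printable ASCII range.  A file produced by
# 'date > random' fails both checks.
random_file_ok() {
    path=$1
    [ -f "$path" ] || return 1
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -ge 256 ] || return 1
    nonprint=$(tr -d '[:print:][:space:]' < "$path" | wc -c | tr -d ' ')
    [ "$nonprint" -gt 0 ]
}

# Generate DH parameters and verify them.  512 bits, as in the thread, is
# far too small today; 2048 is the floor.  This step is slow, so it is
# only run from the 'run' entry point below.
gen_dh_file() {
    path=$1; bits=${2:-2048}
    openssl dhparam -out "$path" "$bits"
    openssl dhparam -in "$path" -check -noout
}

# Return 0 if an rlm_eap_tls module file exists in LIBDIR, i.e. FreeRADIUS
# was built with OpenSSL and the EAP-TLS module was installed.
has_eap_tls() {
    libdir=$1
    ls "$libdir"/rlm_eap_tls* >/dev/null 2>&1
}

# Entry point: ./eap-tls-files.sh run [certs-dir] [libdir]
if [ "${1:-}" = "run" ]; then
    dir=${2:-/etc/raddb/certs}
    libdir=${3:-/usr/lib/freeradius}
    gen_random_file "$dir/random" 1024
    random_file_ok "$dir/random" && echo "random: ok"
    gen_dh_file "$dir/dh" 2048 && echo "dh: ok"
    if has_eap_tls "$libdir"; then
        echo "rlm_eap_tls: installed"
    else
        echo "rlm_eap_tls: not found in $libdir; rebuild FreeRADIUS against OpenSSL"
    fi
fi
```

The file names must match the `dh_file` and `random_file` entries in eap.conf's `tls` section, which is the "different directory" point Kris makes in message 4; point those entries at whatever directory you pass as the second argument.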

Re: FreeRadius EAP-TLS question

Kris Benson
FreeRadius users mailing list <[hidden email]> on
August 9, 2005 at 19:03 -0800 wrote:
>Kris,
>Thanks for your help.
>
>Do you think that (1) and (2) in my previous message could be the
>reason that freeradius will not authenticate the client?

No, not now.  Judging from the message you sent OOB, it's an issue with
the OpenSSL libraries.  In fact, if gcc and openssl can't find them,
support for TLS (and any other public-key based method) is likely not even
compiled into your freeradius binary.

Fix the library problem, then generate your dh and random files.  If those
work, try radius... if it still doesn't work, make sure the rlm_eap_tls
module is compiled and installed.  If not, recompile freeradius and check
again.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html