From: Frederic H. <fhe...@ne...> - 2014-06-05 12:59:03
Hello Carla, for this one, you need to check http://freeradius.org/security.html (quote below):

"We suggest that all administrators upgrade all of their systems to a version of OpenSSL which is not vulnerable to this attack. Sites which allow random IPs to connect to a TLS server (e.g. SMTPS or HTTPS) should assume that all information available to those servers has been stolen from those systems. This information includes user credentials, keys for private certificates, cookies sent over HTTPS, etc. We have updated FreeRADIUS (all versions) so that it refuses to start when it detects the vulnerable versions of OpenSSL. Administrators can over-ride this check by setting allow_vulnerable_openssl = yes in the security subsection of radiusd.conf."

So you need to add this parameter in your radius configuration. It is set in the radius configuration provided by packetfence 4.2.2, in /usr/local/conf/radiusd/radiusd.conf

----- Original Message -----
> From: "Carla Nurse" <pac...@gm...>
> To: pac...@li...
> Sent: Thursday, 5 June 2014 12:53:17
> Subject: Re: [PacketFence-users] Radtest Fail
>
> Okay, so I think I know why the tests weren't working. The radiusd
> service isn't running.
>
> [root@pf-zen-esx ~]# service radiusd status
> radiusd is stopped
> [root@pf-zen-esx ~]# service radiusd start
> Starting radiusd: [FAILED]
>
> When I run the radiusd -X command, the end indicates that it is
> "Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb
> 2013 (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160
> (Heartbleed)". I tried to update it using the yum install openssl
> 1.0.1g but that failed, indicating that the package was not
> available.
>
> [root@pf-zen-esx ~]# radiusd -X
> radiusd: FreeRADIUS Version 2.2.5, for host x86_64-redhat-linux-gnu,
> built on Apr 29 2014 at 09:18:14
> Copyright (C) 1999-2013 The FreeRADIUS server project and
> contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named
> COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/cache
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/dhcp_sqlippool
> including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/radrelay
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> including configuration file /etc/raddb/sites-enabled/control-socket
> including configuration file /etc/raddb/sites-enabled/default
> main {
>   user = "radiusd"
>   group = "radiusd"
>   allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
>   name = "radiusd"
>   prefix = "/usr"
>   localstatedir = "/var"
>   sbindir = "/usr/sbin"
>   logdir = "/var/log/radius"
>   run_dir = "/var/run/radiusd"
>   libdir = "/usr/lib64/freeradius"
>   radacctdir = "/var/log/radius/radacct"
>   hostname_lookups = no
>   max_request_time = 30
>   cleanup_delay = 5
>   max_requests = 1024
>   pidfile = "/var/run/radiusd/radiusd.pid"
>   checkrad = "/usr/sbin/checkrad"
>   debug_level = 0
>   proxy_requests = yes
>   log {
>     stripped_names = no
>     auth = no
>     auth_badpass = no
>     auth_goodpass = no
>   }
>   security {
>     max_attributes = 200
>     reject_delay = 1
>     status_server = yes
>     allow_vulnerable_openssl = no
>   }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
>   retry_delay = 5
>   retry_count = 3
>   default_fallback = no
>   dead_time = 120
>   wake_all_if_all_dead = no
> }
> home_server localhost {
>   ipaddr = 127.0.0.1
>   port = 1812
>   type = "auth"
>   secret = "testing123"
>   response_window = 20
>   max_outstanding = 65536
>   require_message_authenticator = yes
>   zombie_period = 40
>   status_check = "status-server"
>   ping_interval = 30
>   check_interval = 30
>   num_answers_to_alive = 3
>   num_pings_to_alive = 3
>   revive_interval = 120
>   status_check_timeout = 4
>   coa {
>     irt = 2
>     mrt = 16
>     mrc = 5
>     mrd = 30
>   }
> }
> home_server_pool my_auth_failover {
>   type = fail-over
>   home_server = localhost
> }
> realm example.com {
>   auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
>   ipaddr = 127.0.0.1
>   require_message_authenticator = no
>   secret = "testing123"
>   nastype = "other"
> }
> Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013
> (in range 1.0.1 - 1.0.1f). Security advisory CVE-2014-0160
> (Heartbleed)
> For more information see http://heartbleed.com
>
> I am now officially stumped.
> Are there any other files that I should be checking in order to get this
> sorted?
>
> Rich:
> I do not know enough about Linux or Samba for the error messages to be
> much use. Is there something in particular that I should be looking for?
>
> Carla
>
> On Wed, Jun 4, 2014 at 4:30 PM, Louis Munro <lm...@in...>
> wrote:
>
> > Hi Carla,
> >
> > No, this file is not part of PacketFence.
> >
> > I doubt that is really the issue. That file is mostly used to
> > authenticate local users.
> >
> > I believe pam.d/common-auth is only on Debian (and maybe Ubuntu) so
> > if you have a RedHat based system that will not apply in any case.
> >
> > What you are trying to achieve is authentication of external (i.e.
> > RADIUS) users via ntlm_auth.
> >
> > All FreeRadius really cares about is the return code from
> > ntlm_auth.
> >
> > I have never had to change pam settings to get ntlm_auth working.
> >
> > Regards,
> >
> > --
> > Louis Munro
> > lm...@in... :: www.inverse.ca
> > +1.514.447.4918 *125 :: +1 (866) 353-6153
> > Inverse inc. :: Leaders behind SOGo ( www.sogo.nu ) and PacketFence
> > ( www.packetfence.org )
> >
> > On 2014-06-04, at 15:27, Carla Nurse <pac...@gm...>
> > wrote:
> >
> > > Louis,
> > >
> > > I am currently working with the Samba mail list. One person has
> > > indicated it may be a lack of a file /etc/pam.d/common-auth.
> > >
> > > Is this file usually found on PacketFence? And if so, can you give
> > > me an idea of the configuration required for it?
> > >
> > > Carla
> > >
> > > On Mon, Jun 2, 2014 at 5:17 PM, Carla Nurse <pac...@gm...>
> > > wrote:
> > >
> > > > Louis,
> > > >
> > > > I will check with them and see if there is anything that can be
> > > > done. I will continue to work on the configuration during that time.
> > > >
> > > > Thank you for your assistance.
> > > >
> > > > Carla
> > > >
> > > > On Mon, Jun 2, 2014 at 5:04 PM, Louis Munro <lm...@in...>
> > > > wrote:
> > > >
> > > > > wbinfo -u should return the list of users in the domain.
> > > > >
> > > > > This would seem to indicate an issue with either the rights of
> > > > > the user doing the query or the AD configuration.
> > > > >
> > > > > You might be better helped by the samba mailing list as this
> > > > > issue is really more with winbind/AD than with PacketFence.
> > > > >
> > > > > Best regards,
> > > > >
> > > > > --
> > > > > Louis Munro
> > > > > lm...@in... :: www.inverse.ca
> > > > > +1.514.447.4918 *125 :: +1 (866) 353-6153
> > > > > Inverse inc. :: Leaders behind SOGo ( www.sogo.nu ) and
> > > > > PacketFence ( www.packetfence.org )
> > > > >
> > > > > On 2014-06-02, at 16:50, Carla Nurse <pac...@gm...>
> > > > > wrote:
> > > > >
> > > > > > Hi Louis,
> > > > > >
> > > > > > When I run wbinfo -u it goes straight back to prompt. I tried
> > > > > > wbinfo -p and the ping to winbindd succeeded.
> > > > > >
> > > > > > On Mon, Jun 2, 2014 at 4:36 PM, Louis Munro <lm...@in...>
> > > > > > wrote:
>
> _______________________________________________
> PacketFence-users mailing list
> Pac...@li...
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
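As an added example, not code from the thread, from PacketFence or from FreeRADIUS: a POSIX shell script that applies the same test radiusd applies at start-up (libssl in the 1.0.1 - 1.0.1f range, CVE-2014-0160) to an `openssl version` banner, and checks whether a radiusd.conf carries the `allow_vulnerable_openssl = yes` override named in the reply, so an administrator can tell beforehand whether the server will refuse to start. The function names and the sample security block are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the start-up check FreeRADIUS
# applies (libssl in range 1.0.1 - 1.0.1f, CVE-2014-0160) so an admin can see
# beforehand whether radiusd will refuse to start on a host, and audit whether
# the radiusd.conf override named in the reply is set. Function names are ours.

# $1 is a banner as printed by `openssl version`. Returns 0 when the version is
# inside the Heartbleed range, 1 when it is not, 2 when $1 is not an OpenSSL banner.
heartbleed_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')     # e.g. 1.0.1
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')  # e.g. e (empty for plain 1.0.1)
    [ "$base" = "1.0.1" ] || return 1
    case "$letter" in
        ''|a|b|c|d|e|f) return 0 ;;   # 1.0.1 through 1.0.1f ship the bug
        *)              return 1 ;;   # 1.0.1g and later carry the fix
    esac
}

# Returns 0 when $1 (a radiusd.conf) has an uncommented
# allow_vulnerable_openssl = yes inside its security { } block.
override_enabled() {
    awk '
        /^[ \t]*security[ \t{]/ { insec = 1 }
        insec && /^[ \t]*}/     { insec = 0 }
        insec && /^[ \t]*allow_vulnerable_openssl[ \t]*=[ \t]*yes/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Prints the outcome radiusd would reach: start, refuse, or start-with-override.
radiusd_startup_verdict() {
    if heartbleed_vulnerable "$1"; then
        if override_enabled "$2"; then echo "start-with-override"; else echo "refuse"; fi
    else
        echo "start"
    fi
}

# Constructed sample: the banner quoted in the thread plus a minimal security block
# with the default setting, as shown in the radiusd -X output.
sample_conf=$(mktemp)
printf 'security {\n\tmax_attributes = 200\n\tallow_vulnerable_openssl = no\n}\n' > "$sample_conf"
radiusd_startup_verdict "OpenSSL 1.0.1e-fips 11 Feb 2013" "$sample_conf"   # prints: refuse
rm -f "$sample_conf"
```

A start-with-override verdict only means radiusd will run; libssl is still the vulnerable build, and the advisory quoted in the reply treats upgrading OpenSSL as the fix.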