Re: Spaces in the end of User-Name.

2011-01-19 Thread Alan DeKok
admin wrote:
 Something like this?
 
 if (%{User-Name}=~/([a-zA-Z0-9_.]+)\s+$/i) {
     %{User-Name}=%{1}
 }

  Not quite...

if (User-Name =~ /(.*\S)\s+$/i) {
    # capture up to the last non-space character, so every trailing space is dropped
    update request {
        User-Name := "%{1}"
    }
}

  See man unlang.

 Where in the config file is it necessary to insert it so that User-Name is changed
 globally before any actions with it?

  In the authorize section.  *Read* the debug output.  It's clear that
the authorize section is processed first when the server receives a
packet.

   However... my $0.02 is that you shouldn't.  Instead, if you see a
 User-Name with spaces, *reject* it.  The user is trying to play games.
 
 Yes, but it creates many questions from users.

  Like "how did you catch my trying to cheat you?"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradiusd 2.1.8

2011-01-19 Thread Alan DeKok
Brian Carpio wrote:
 No one was on the box doing anything… I was looking into this issue with
 google and came across a thread back in Nov 2009 about an issue a user
 was experiencing with radiusd 2.1.8, and this user sent some gdb dumps
 to the development team… I can’t seem to recreate the issue as quickly
 as he does (plus my server is in production) but I didn’t see any follow
 up if this is a known bug? Is this fixed in 2.1.10?

  It's something which is seen only on FreeBSD.  As far as I can tell,
it's a race condition in the threading code.  It's difficult to track
down and debug, unfortunately.

  Given the level of complexity of the current code, it's probably best
to re-write it, to be simpler and cleaner.  That way the bugs will be
easier to track down.

  Alan DeKok.

Re: Proxying authentication from FreeRadius to Cisco ACS

2011-01-19 Thread Alan DeKok
Erisan Nyamutenha wrote:
 ... In the failed attempts logs on the ACS it says bad
 username or password. I'm pretty sure I'm using the correct password. Is
 there any reason why this should not work? I've posted my logs below:-

  See the logs from ACS.  Looking at the logs from FreeRADIUS is useless.

  If ACS doesn't give you useful information, upgrade to a RADIUS server
which *does* give you useful information.

  Alan DeKok.


Re: Call for 2.1.11

2011-01-19 Thread Alan DeKok
Johan Meiring wrote:
 I still think this might make a lot of questions go away.
 
 http://lists.freeradius.org/pipermail/freeradius-users/2009-September/msg00357.html

  At this point, I agree.  Adding the EAP warning in 2.1.10 just meant
that a bunch of people posted the message to the list, asking "what does
this mean?"

  <sigh>

  Alan DeKok.


Re: Freeradius 2.1.10

2011-01-19 Thread Alan DeKok
Samuel Isaias Barriga Perez wrote:
 I'm working on setting it up to authenticate users (Windows XP) to our
 wireless network, which I successfully completed. When I run radiusd -X
 (debug) my output is as follows:
...
 I tried everything and according to the debug output this is what I am
 getting, and the wiki page said that I should check into the
 certificates. I erased the clients' certificates, reinstalled, and I
 have the same output. Please can someone give me a hand.

  The wiki page doesn't say to erase and re-install the client certificates.

  The wiki page *does* include a reference to my web site, which has
*explicit* and *detailed* instructions for debugging EAP.

  This is documented.  Stop asking questions.  Instead, read the
documentation and follow its instructions.  Honestly, it isn't hard.

  Alan DeKok.


Re: Storing of salt in freeradius

2011-01-19 Thread Mark
Hi Fajar,

How did you generate that hash? md5sum of testpass doesn't return that value 
for me.

On 19-Jan-2011, at 3:07 PM, Fajar A. Nugraha wrote:

 On Wed, Jan 19, 2011 at 12:39 PM, Mark m...@edgewire.sg wrote:
 Hi folks,
 
 Been trying to look for information on this but haven't been able to find 
 anything, prompting me to turn to the mailing list for help.
 
 In the event of using salted md5 hashes for passwords, where exactly does one 
 store the salt?
 
 In the beginning of the password.
  
 There doesn't seem to be a place within the FR config to do that. Any advice 
 would be much appreciated.
 
 
 No special place needed.
 
 You're probably confusing MD5-Password and Crypt-Password (which in turn can 
 use an MD5 hash). For example, if you use PAP, these three attributes will allow 
 access when a user enters the password testpass:
 
 Cleartext-Password := testpass
 MD5-Password := 179ad45c6ce2cb97cf1029e212046e81
 Crypt-Password := $1$12345678$duTc/02K9TK/XCYFyofbZ/
 Crypt-Password := 122U0BPYjrauc
 
 MD5-Password does not have any salt.
 Crypt-Password in the first example has the salt $1$12345678$, with an 
 MD5-based hash (crypted passwords have the hash in front of them, which for 
 MD5 starts with $1$ and is 12 characters long).
 Crypt-Password in the second example has the salt 12, with a DES-based hash.
 
 See also:
 http://freeradius.org/radiusd/man/rlm_pap.txt
 http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme
 http://id.php.net/manual/en/function.crypt.php
 
 -- 
 Fajar

Kind regards,

Mark


Re: Proxying authentication from FreeRadius to Cisco ACS

2011-01-19 Thread Alexander Clouter
Erisan Nyamutenha erisan.nyamute...@uct.ac.za wrote:
 
 I am setting up an Eduroam authentication server using FreeRadius 2.1.1
 on Suse Linux 12. 

Do you mean 2.1.10?  If not, upgrade to 2.1.10.

 I am proxying authentication requests to a Cisco ACS. When testing 
 using radtest from the FreeRadius box authentication is proxied to ACS 
 fine and I get an Access-Accept back. However when I try from a 
 wireless client the proxy response from the ACS is an Access-Reject. 
 In the failed attempts logs on the ACS it says bad username or 
 password. I'm pretty sure I'm using the correct password. Is there any 
 reason why this should not work? I've posted my logs below:-
 
 rad_recv: Access-Request packet from host 1.1.1.1 port 32768, id=210, 
 length=255
User-Name = username@xyz.ac.za
Calling-Station-Id = 00-1e-64-8f-f1-2a
Called-Station-Id = 08-17-35-32-f2-90:Eduroam   <--- 'eduroam'
NAS-Port = 29
NAS-IP-Address = 1.1.1.1   
NAS-Identifier = uc-wism-2
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 63
EAP-Message = [snipped]
State = [snipped]
Message-Authenticator = [snipped]

'eduroam' is a case-sensitive SSID, it *must* be lowercase otherwise your 
users will be unable to roam and our users will be unable to visit you.

 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] Looking up realm xyz.ac.za for User-Name = usern...@xyz.ac.za
 [suffix] Found realm xyz.ac.za
 [suffix] Adding Stripped-User-Name = username
 [suffix] Adding Realm = xyz.ac.za
 [suffix] Proxying request from user username to realm xyz.ac.za
 [suffix] Preparing to proxy authentication request to realm xyz.ac.za
 ++[suffix] returns updated
 [eap] Request is supposed to be proxied to Realm xyz.ac.za.  Not doing EAP.
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns noop
 Sending Access-Request of id 81 to 2.2.2.2 port 1812
User-Name = username
Calling-Station-Id = 00-1e-64-8f-f1-2a
Called-Station-Id = 08-17-35-32-f2-90:Eduroam
NAS-Port = 29
NAS-IP-Address = 1.1.1.1
NAS-Identifier = uc-wism-2
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 63
EAP-Message = [snipped]
State = [snipped]
Message-Authenticator = [snipped]
Proxy-State = 0x323130
 Proxying request 8 to home server 2.2.2.2 port 1812
 Sending Access-Request of id 81 to 2.2.2.2 port 1812
User-Name = username
Calling-Station-Id = 00-1e-64-8f-f1-2a
Called-Station-Id = 08-17-35-32-f2-90:Eduroam
NAS-Port = 29
NAS-IP-Address = 1.1.1.1
NAS-Identifier = uc-wism-2
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 63
EAP-Message = [snipped]
State = [snipped]
Message-Authenticator = [snipped]
Proxy-State = 0x323130
 Going to the next request
 Waking up in 0.9 seconds.
 rad_recv: Access-Reject packet from host 2.2.2.2 port 1812, id=81, length=61
Proxy-State = 0x323130
EAP-Message = 0x04a4
Reply-Message = Rejected\n\r
Message-Authenticator = [snipped]

A complete guess, but considering:
 * I am probably not legally permitted to answer your email (due to your 
disclaimer below)
 * you have not shown an example of the Access-Accept traffic (use 
tcpdump in verbose mode and/or put a pcap file somewhere)
 * the problem is your *Cisco* box is rejecting the request, not 
FreeRADIUS, so why do you not, (a) read your Cisco log files, 
they will tell you why the request was rejected (b) speak to 
Cisco, it's their kit and you are paying them for support

I am guessing the Cisco box is expecting '@xyz.ac.za' to be appended 
onto the username, and you have configured FreeRADIUS to strip the 
realm.  Without more information, it is hard to help...if I am legally 
permitted to according to the terms of your disclaimer... :-/

 ###
 UNIVERSITY OF CAPE TOWN 
 
 This e-mail is subject to the UCT ICT policies and e-mail disclaimer
 published on our website at
 http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from
 +27 21 650 9111. This e-mail is intended only for the person(s) to whom
 it is addressed. If the e-mail has reached you in 

Re: Call for 2.1.11

2011-01-19 Thread Alexander Clouter
Johan Meiring jmeir...@pcservices.co.za wrote:

 I think the udpfromto fixes should go in, if I can figure out how to 
 make it work on Linux *and* other systems.
 
 I still think this might make a lot of questions go away.
 
 http://lists.freeradius.org/pipermail/freeradius-users/2009-September/msg00357.html
 
...we all work in IT, we all know deep down this is futile :)

As for your approach, maybe for the output of 'freeradius -X', but to 
appear in syslog and my logfiles... familiarise yourself with the rules:

http://perldoc.perl.org/Sys/Syslog.html#THE-RULES-OF-SYS::SYSLOG

You would be violating the 'fifth' :)

Cheers

-- 
Alexander Clouter
.sigmonster says: How much does she love you?  Less than you'll ever know.



Re: Spaces in the end of User-Name.

2011-01-19 Thread Alexander Clouter
admin b...@iptv.by wrote:
 
 What must I specify in the freeradius2 config file so that in each 
 request, before any further handling, spaces at the end of %{User-Name} 
 are automatically deleted?

 You need to write a custom rule in unlang.
 
 Something like this?
 
 if (%{User-Name}=~/([a-zA-Z0-9_.]+)\s+$/i) {
     %{User-Name}=%{1}
 }
 
 Where in the config file is it necessary to insert it so that User-Name is changed
 globally before any actions with it?
 
No, that's incorrect...I am also not going to help you hang yourself by 
giving you the answer :)

 However... my $0.02 is that you shouldn't.  Instead, if you see a 
 User-Name with spaces, *reject* it.  The user is trying to play 
 games.
 
 Yes, but it creates many questions from users.

It creates even more problems for you later on down the line.  There 
will be times when you will be unable to strip the whitespace (maybe you 
auth straight against LDAP, say Apache doing group membership checks 
against LDAP...the whitespace will *kill* you) from a username and those 
users stuck in the habit of putting spaces in usernames will come back 
and haunt you.

Best to make it work only if you do things correctly.

Ideally you should do something like:

authorize {
    [snipped]

    if (User-Name =~ /^\s/ || User-Name =~ /\s$/) {
        update reply {
            Reply-Message := "Remove spaces from User-Name"
        }
        reject
    }

    [snipped]
}


Hopefully your environment enables that message to get back to the user.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you can't understand it, it is intuitively obvious.



Re: Storing of salt in freeradius

2011-01-19 Thread Mark
Nevermind this, found the solution.

http://blog.sam-pointer.com/2010/01/26/md5sum-vs-phps-md5-function

Thanks all.


Kind regards,

Mark


Re: Storing of salt in freeradius

2011-01-19 Thread Fajar A. Nugraha
On Wed, Jan 19, 2011 at 4:05 PM, Mark m...@edgewire.sg wrote:

 Hi Fajar,

 How did you generate that hash? md5sum of testpass doesn't return that
 value for me.


The MD5-Password? Probably due to the newline effect. I created it using PHP's
md5 function (http://php.net/manual/en/function.md5.php)

$ echo "<?=md5('testpass');?>" | php; echo
179ad45c6ce2cb97cf1029e212046e81
$ echo -n testpass | md5sum
179ad45c6ce2cb97cf1029e212046e81  -
$ echo testpass | md5sum
0ba06b1790d48b9baf71162124a04685  -

mysql> select md5('testpass');
+----------------------------------+
| md5('testpass')                  |
+----------------------------------+
| 179ad45c6ce2cb97cf1029e212046e81 |
+----------------------------------+
1 row in set (0.14 sec)

See the difference between the second and third examples?

-- 
Fajar





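The PAP comparison Fajar describes (an unsalted MD5-Password versus a Crypt-Password that carries its salt at the front) and the echo-newline pitfall from his reply above, as an added example that is not code from this thread or from FreeRADIUS: it extracts the salt from each stored Crypt-Password value, recomputes MD5-crypt in pure Python, and hashes the password with and without the trailing newline that a bare `echo` appends. The classic DES form is only parsed, since DES crypt needs the system crypt(3).

```python
import hashlib

# Reference values quoted in the thread for the password "testpass".
PASSWORD = "testpass"
MD5_PASSWORD = "179ad45c6ce2cb97cf1029e212046e81"
CRYPT_MD5 = "$1$12345678$duTc/02K9TK/XCYFyofbZ/"
CRYPT_DES = "122U0BPYjrauc"

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_crypt(password: str, salt: str) -> str:
    """Pure-Python MD5-crypt ($1$ scheme), the one behind the first Crypt-Password.

    The salt (at most 8 characters) is embedded in the returned string, so a
    stored value carries everything needed to re-run the computation.
    """
    pw = password.encode()
    salt_b = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate digest, one byte of it per byte of password.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # fixed 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:
        out = ""
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    f = final
    enc = (to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + to64(f[11], 2))
    return "$1$" + salt_b.decode() + "$" + enc


def crypt_salt(stored: str) -> str:
    """Return the salt that sits at the front of a Crypt-Password value."""
    if stored.startswith("$1$"):
        return stored[: stored.index("$", 3) + 1]  # "$1$12345678$", 12 characters
    return stored[:2]  # classic DES crypt: the first two characters


def check_pap(attr: str, stored: str, password: str):
    """Compare a PAP password against one stored attribute.

    Returns True/False, or None when the scheme is not implemented here
    (classic DES crypt needs crypt(3)).
    """
    if attr == "Cleartext-Password":
        return stored == password
    if attr == "MD5-Password":  # plain hex digest, no salt anywhere
        return hashlib.md5(password.encode()).hexdigest() == stored.lower()
    if attr == "Crypt-Password" and stored.startswith("$1$"):
        salt = crypt_salt(stored)[3:-1]
        return md5_crypt(password, salt) == stored
    return None


def shell_echo_md5(password: str, newline: bool) -> str:
    """What `echo testpass | md5sum` actually hashes: the bytes plus a trailing
    newline unless `echo -n` is used, which is the mismatch Fajar points out."""
    data = password.encode() + (b"\n" if newline else b"")
    return hashlib.md5(data).hexdigest()
```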

Re: Storing of salt in freeradius

2011-01-19 Thread Alexander Clouter
Fajar A. Nugraha l...@fajar.net wrote:

 How did you generate that hash? md5sum of testpass doesn't return that
 value for me.


 the MD5-password? Probably due to new line effect. I created it using php's
 md5 function (http://php.net/manual/en/function.md5.php)

...the rest of us use the unlang xlat md5 feature.

Cheers

-- 
Alexander Clouter
.sigmonster says: Cobol programmers are down in the dumps.



Re: Spaces in the end of User-Name.

2011-01-19 Thread admin
Alexander Clouter a...@digriz.org.uk wrote in his message of Wed, 19 Jan  
2011 10:54:11 +0200:



Ideally you should do something like:

authorize {
    [snipped]

    if (User-Name =~ /^\s/ || User-Name =~ /\s$/) {
        update reply {
            Reply-Message := "Remove spaces from User-Name"
        }
        reject
    }

    [snipped]
}



Something doesn't work.

sites-enabled/default:
authorize {
    preprocess
    chap
    mschap
    suffix
    files
    sql
    logintime
    auth
}

radiusd.conf:
exec auth {
    program = "/usr/local/freeradius/run/Money %u %n %{NAS-Port}"
    wait = yes
    input_pairs = request
    shell_escape = yes
    output = no
    output_pairs = reply
}

If I check for the existence of spaces in User-Name in my program  
/usr/local/freeradius/run/Money, everything works.

If I insert

if (User-Name =~ /^\s/ || User-Name =~ /\s$/) {
    update reply {
        Reply-Message := "Remove spaces from User-Name"
    }
    reject
}

anywhere in the authorize{} section, a user with spaces in User-Name  
still passes authorization.


This unlang code doesn't work either:

if (User-Name =~ /(.+)\s+$/i) {
    update request {
        User-Name := "%{1}"
    }
}

Where was I mistaken?
FreeRADIUS Version 2.1.10



Re: Proxying authentication from FreeRadius to Cisco ACS

2011-01-19 Thread Alan Buxey
Hi,

as per message previously sent, 'eduroam' SSID must be all lowercase,
and that's a MUST.  SSIDs are case sensitive... if you have Eduroam then all 
visiting clients will need to be reconfigured to use it.

Suse Linux 12. I am proxying authentication requests to a Cisco ACS. When
testing using radtest from the FreeRadius box authentication is proxied to
ACS fine and I get an access-accept back. However when I try from a
wireless client the proxy response from the ACS is an Access-Reject. In
the failed attempts logs on the ACS it says bad username or password. I'm
pretty sure I'm using the correct password. Is there any reason why this
should not work? I've posted my logs below:-

length=61
    Proxy-State = 0x323130
    EAP-Message = 0x04a4
    Reply-Message = Rejected\n\r
    Message-Authenticator = 0xbcede120e168d2d92558e5f4ab8e03d5

check your ACS logs to find out why it went wrong - as that's the system that
decided that things weren't right - FreeRADIUS is just a simple proxy in this
picture. I would assume that it's something to do with the realm not being 
handled correctly... you might need to strip or nostrip it (in proxy.conf)
depending on your ACS configuration and policy settings.

PS as per other response, signature separator is '--' and please don't put legal
junk in your emails to public lists

alan


Request information for EAP TTLS

2011-01-19 Thread Aman Arneja
 Hi

 I am new to Free Radius and was just wondering if someone can help me out. I
 am planning to implement an EAP TTLS client and was wondering the following
 about Free Radius for my testing.

 1.) Does Free Radius Implementation of EAP TTLS Support the following

 a.) Client auth during phase 1
 b.) Id privacy can be explicitly enabled or disabled
 c.) Allowing tunneled methods such as FAST, PEAP as inner methods
 d.) Method chaining in phase 2

 Thanks in advance for your help guys

 Aman Arneja



Re: Spaces in the end of User-Name.

2011-01-19 Thread Alan DeKok
admin wrote:
 This unlang-code doesn't work too

  <sigh>  See the FAQ for "it doesn't work".

  Also, try reading the documentation, and using the previous examples
as the basis for experimentation.

  Alan DeKok.


Re: Help needed with user authentication

2011-01-19 Thread Luke Hammond
Thanks for that... I found coovachilli and installed it, now my 
freeradius won't start.. when I type: radiusd -X I get a whole lot of 
errors, any ideas where I could have gone wrong?


We have a cisco 2800 or 2850 on its way from the company we have 
purchased our internet link from, so I am not sure if that can do the 
captive portal thing?




On 19/01/2011 4:24 AM, Fajar A. Nugraha wrote:
On Wed, Jan 19, 2011 at 1:52 PM, Johan Meiring 
jmeir...@pcservices.co.za wrote:


On 2011/01/19 04:24 AM, Luke Hammond wrote:

I want to have a wireless network, that will be
open, and when a user connects and tries to browse they get
redirected to a
page where they have to login


It's called captive portal
http://en.wikipedia.org/wiki/Captive_portal

Try
http://coova.org/CoovaChilli


What we usually do:
- get a wireless AP which has captive portal feature. I find it easier 
than having to install a captive portal manually on a server.
For example, if you're willing to use third-party firmware, dd-wrt 
supports these devices: 
http://www.dd-wrt.com/wiki/index.php/Supported_Devices

- get a radius server (you already have that)
- get a login page. Something like 
http://net-mai.net/files/hotspotlogin.php.txt

- adjust settings as required

--
Fajar



force_check_config - how to use?

2011-01-19 Thread William Bulley
About twenty months ago, a commit to src/main/modules.c occurred with
the following comment:

   Allow administrators to force_check_config

There is a check inside find_module_instance() in that file for a
value pair of that name with a value of yes:

   cp = cf_pair_find(cs, "force_check_config");
   if (cp) value = cf_pair_value(cp);
   if (value && (strcmp(value, "yes") == 0)) goto print_inst;
   cf_log_module(cs, "Skipping instantiation of %s", instname);

The use of force_check_config doesn't seem to be documented anywhere.
The only hits on Google are from the above commit.  I have searched
back three years on this list for the string force_check_config to
no avail.  I assume I need to have a force_check_config value pair
with a value of "yes" somewhere in the request, but I don't know
how to make that happen.  Any pointers would be appreciated.  Thanks.

Regards,

web...

--
William Bulley Email: w...@umich.edu

72 characters width template -|


Re: Problem with iPods/iTouches

2011-01-19 Thread Terry Simons
Hi Rob,

Can you please do the following:

Install the iPhone Configuration Utility (if you don't already have it you
can get it here: http://www.apple.com/support/iphone/enterprise/).

Connect an iOS device to the system that has iPhone Configuration Utility
installed and open the application.  You should see the connected device in
the left pane.  Select the device.  Once selected, click the Console tab
in the right-side pane.

This will give us some logging information (possibly nothing useful, but
worth a shot).

Once you have this set up can you collect a packet trace while you reproduce
the problem?

Send me an E-mail with the logs and packet trace.

We can continue discussing off list - but the above information is useful
for other FreeRADIUS users.

- Terry

On Mon, Jan 17, 2011 at 6:22 AM, Rob Yamry rya...@kimberly.k12.wi.us wrote:



 Does this problem also happen with iOS 4.x devices other than the iPod
 Touch?

 Does the problem happen with non-Enterasys gear? (Do you have any that you
 can test with?)  Additionally, what firmware version are you running on the
 Enterasys gear?  Can you share your config (or at least the relevant
 pieces)?


 Hi Terry-

The problem also happens with an iPad.  I've had a teacher report
 problems with his iPhone too, but I haven't gotten my hands on it yet.

   We don't have any other wireless gear except for the Enterasys controller
 and APs.  We updated the firmware to v7.31.03.0005 last week but we also had
 the problem on the previous version as well v7.31.2.10.

   A default config for FreeRadius 2.1.8 or 2.1.10 shows the problem.  As
 for the controller, the settings on the SSID: it's set to use WPA v2 with AES
 enc.  802.1x for auth.  The radius server config on the controller is using
 MSCHAPv2 by default.  Is that what you were looking for?

 Thanks for your help-
 Rob


Re: force_check_config - how to use?

2011-01-19 Thread William Bulley
According to Alan DeKok al...@deployingradius.com on Wed, 01/19/11 at 13:57:
 
   I *think* it's something you can add to a module configuration to
 force it to instantiate itself.  Normally, when radiusd -C is used,
 the SQL module is skipped, because checking the config doesn't mean
 opening 50 sockets to the SQL server.  Adding force_check_config=yes
 will make modules like SQL instantiate themselves, including opening 50
 sockets to the SQL server.

Thanks.  I came across this while trying to debug a gnarly situation with
the mschap module.  The configs in modules/mschap include at the end:

   #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
  --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
  --challenge=%{mschap:Challenge:-00}
  --nt-response=%{mschap:NT-Response:-00}"

This was changed by an administrator to --username=%{mschap:User-Name:-None}
except that the leading left brace ({) was omitted...   :-(

The output of radiusd -XC concluded that "Configuration appears to be OK."
when in fact mschap authentications could never recover the User-Name when
ntlm_auth was given --username=%mschap:User-Name:-None} to deal with...

My question: is there any way to parse and check the value of the
ntlm_auth variable in the modules/mschap file for valid syntax?

Inside cf_item_parse() in src/main/conffile.c there is a PW_TYPE_STRING_PTR
case of the switch statement.  In this case there is the following comment:

/*
 *  Expand variables which haven't already been
 *  expanded automagically when the configuration
 *  file was read.
 */

It doesn't seem that this ntlm_auth variable was expanded when the config
file was read.

After this comment is an if statement if (value == dflt) which, if true,
results in a call to cf_expand_variables() passing the above ntlm_auth
string value as value.  It appears to me that this if statement will
never be true, since the default value for ntlm_auth is NULL, so any
string value (right hand side of ntlm_auth variable) will not be NULL,
nor will the pointers match.  And if they did, what is the purpose of
expanding a variable which is NULL?  The net result is that the human
error (see typo above) was not discovered while configuration checking
with -XC which gave a false positive indication.  Very confusing...

Regards,

web...

--
William Bulley Email: w...@umich.edu

72 characters width template -|


Issue with local authentication of MS-ChapV2

2011-01-19 Thread Hanavan, John (John)
I am trying to get PEAP/MS-ChapV2 working on my Radius Server.  The version I 
am using is FreeRadius 2.1.8.  I already have EAP-TLS working between a 
FreeRadius Server and an XP supplicant, so I am pretty sure that my 
certificates are configured correctly on the FreeRadius Server as well as the 
XP supplicant that I am trying to configure PEAP/MS-ChapV2 on.  I have attached 
the FreeRadius debug log from one of my attempted connections.  It appears that 
the EAP-TLS tunnel comes up but the MS-ChapV2 authentication fails.  I did see 
this warning:

Warning:  Found 2 auth-types on request for user 'jsmith1'

But I am uncertain what it means and how to correct it.  As stated earlier, I 
am trying to use local authentication for the MS-ChapV2 and this seems to be 
the point of failure.  I have a packet capture between the Radius Server and 
the authenticator showing Radius Access Challenges and Requests but no Access 
Accepts.  Not sure what I have mis-configured, so any suggestions would be 
greatly appreciated.

Regards,
John



[Attachment: Radius Log for PEAP_MS-ChapV2 19 jan 2011.rtf]

[no subject]

2011-01-19 Thread Mark Jones



Radping Works Wireless fails

2011-01-19 Thread mjonesmcne


Hi all, I am trying to set up freeradius on an OES2 server to authenticate via
ldap to edir. I have been following the document freeradius-edir from here
http://www.novell.com/coolsolutions/assets/freeradius-edir.pdf , but now I
am stuck. Radping works, shown as the first login, but wireless fails, shown
after the broken line.  Can anyone shed some light on what might be wrong? 

Thanks in advance

Mark

radius2:/home/radius # radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x80125f20
Module: Instantiated ldap (ldap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type ttls
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication 172.17.152.34:1812
Listening on accounting 172.17.152.34:1813
Ready to process requests.


rad_recv: Access-Request packet from host 10.152.0.61:1851, id=27, length=46
User-Name = mjones
User-Password = x
rlm_pap: WARNING! No known good password found for the user. 
Authentication may fail because of this.
rlm_ldap: - authenticate
rlm_ldap: login attempt by mjones with password 
rlm_ldap: ldap_get_conn: Checking Id: 

RE: Issue with local authentication of MS-ChapV2

2011-01-19 Thread Hanavan, John (John)
Hi All,

We solved the issue in house.

Regards,
John

-Original Message-
From: freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org 
[mailto:freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org] On 
Behalf Of Hanavan, John (John)
Sent: Wednesday, January 19, 2011 3:56 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Issue with local authentication of MS-ChapV2

I am trying to get PEAP/MS-ChapV2 working on my Radius Server.  The version I 
am using is FreeRadius 2.1.8.  I already have EAP-TLS working between a 
FreeRadius Server and an XP supplicant, so I am pretty sure that my 
certificates are configured correctly on the FreeRadius Server as well as the 
XP supplicant that I am trying to configure PEAP/MS-ChapV2 on.  I have attached 
the FreeRadius debug log from one of my attempted connections.  It appears that 
the EAP-TLS tunnel comes up but the MS-ChapV2 authentication fails.  I did see 
this warning:

Warning:  Found 2 auth-types on request for user 'jsmith1'

But I am uncertain what it means and how to correct it.  As stated earlier, I 
am trying to use local authentication for the MS-ChapV2 and this seems to be 
the point of failure.  I have a packet capture between the Radius Server and 
the authenticator showing Radius Access Challenges and Requests but no Access 
Accepts.  Not sure what I have mis-configured, so any suggestions would be 
greatly appreciated.

Regards,
John

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
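Both debug logs in this thread (the eDirectory post's "rlm_pap: WARNING! No known good password" and John's "Found 2 auth-types on request") are easier to read if each warning is tied to the Access-Request it occurred in. The following Python triage script is an added example, not code from the posters or from the FreeRADIUS project; the sample log is constructed from the lines quoted above, and the hints are this example's own summaries of what each warning usually indicates.

```python
import re

# Constructed sample of "radiusd -X" output, modelled on the lines quoted in
# this thread (not a real capture).
SAMPLE_LOG = """\
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.61:1851, id=27, length=46
User-Name = mjones
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
rlm_ldap: - authenticate
rad_recv: Access-Request packet from host 10.152.0.61:1851, id=28, length=120
User-Name = jsmith1
Warning:  Found 2 auth-types on request for user 'jsmith1'
"""

# Known warning patterns and a short hint for each (hints are this example's
# own wording, not text emitted by the server).
WARNINGS = {
    r"rlm_pap: WARNING! No known good password":
        "no Cleartext/NT password reached PAP; check ldap.attrmap and Auth-Type",
    r"Found \d+ auth-types on request":
        "more than one module set Auth-Type in authorize; only the first is used",
    r"rlm_exec: Wait=yes but no output defined":
        "exec module config mismatch; set output=none or wait=no",
}

REQ_RE = re.compile(r"rad_recv: (\S+) packet from host (\S+), id=(\d+)")
USER_RE = re.compile(r"^\s*User-Name = (.*)$")

def triage(log_text):
    """Return (packet id, User-Name, hint) for every known warning, attached
    to the request being processed when it was printed. Warnings printed
    before the first packet (server start-up) get id None."""
    findings = []
    current = {"id": None, "user": None}
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = {"id": int(m.group(3)), "user": None}
            continue
        m = USER_RE.match(line)
        if m:
            current["user"] = m.group(1).strip()
            continue
        for pattern, hint in WARNINGS.items():
            if re.search(pattern, line):
                findings.append((current["id"], current["user"], hint))
    return findings

if __name__ == "__main__":
    for pkt_id, user, hint in triage(SAMPLE_LOG):
        print(f"request id={pkt_id} user={user}: {hint}")
```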

RE: Issue with local authentication of MS-ChapV2

2011-01-19 Thread Sallee, Stephen (Jake)
Glad to hear you solved it, care to share so we can all benefit ?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Hanavan, John (John)
Sent: Wednesday, January 19, 2011 6:18 PM
To: 'FreeRadius users mailing list'
Subject: RE: Issue with local authentication of MS-ChapV2

Hi All,

We solved the issue in house.

Regards,
John

