Re: Help me with Access-Challenge configuration

2011-04-11 Thread Stefan Winter
Hi,

> My simple question:
> How to configure freeRADIUS server so it replies with an "access-challenge" message
> to an "access-request" from a client?

Alan's problem with this "simple" question of yours is that it's not
just simple, but simplistic. RADIUS can convey *many different*
authentication protocols which are all using an Access-Challenge to send
challenge data back. The content of the Access-Challenge, and the
configuration needed for that specific Access-Challenge, is
significantly different.

The fact that you ask the question like you did is a strong indication
that you don't know about this fact. Please ask a question like

How to configure freeRADIUS server so it replies with a CHAP "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an MS-CHAP "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an MS-CHAPv2 "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an EAP-TLS "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an EAP-TTLS "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with a PEAP "access-challenge" message on "access-request" from a client?

See? You need to be more specific in your question before anyone here can give 
you an answer. Or better yet, read up on RADIUS, and/or EAP methods, and *then* 
ask a well-informed question.

Greetings,


Stefan Winter

> --
> View this message in context: 
> http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-tp4296727p4297493.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
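The exchange this thread argues about, as an added example that is not part of any post and not FreeRADIUS code: a stdlib-only Python model of the RFC 2865 Access-Request / Access-Challenge / Access-Request round trip. It shows the three things Alan's and Stefan's replies take for granted: the challenge is issued by the authentication method's own logic, not by a users-file entry; the State attribute in the RFC excerpt quoted below is an opaque, single-use token the client must echo back unchanged; and a client must verify the Response Authenticator before trusting any reply. The shared secret, the `test`/`test` user (mirroring the users entry in the original post) and the PIN the challenge asks for are constructed for the example; the PIN policy is hypothetical and is not something FreeRADIUS does with the configuration shown.

```python
# Added example (not FreeRADIUS code): RFC 2865 Access-Request / Access-Challenge round trip.
# Secret, user store and the PIN "second factor" are constructed for illustration.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
USERS = {b"test": b"test"}   # constructed; mirrors the test/"test" users-file entry
EXPECTED_PIN = b"4321"       # hypothetical second factor asked for by the challenge

def encode_attrs(attrs):
    """Serialize [(type, value_bytes)] as RADIUS Type-Length-Value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse TLVs, refusing Length fields that run past the packet."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide: block n is keyed on ciphertext block n-1, then padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_request(ident, request_auth, attrs):
    """Access-Request: the Authenticator is a client-chosen random nonce."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, secret, request_auth, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body

def verify_response(packet, secret, request_auth):
    """Client side: drop any reply whose Response Authenticator does not verify."""
    want = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], want)

def server_handle(packet, secret, sessions):
    """Toy method: leg 1 checks the password and challenges with an opaque State;
    leg 2 must echo that State unchanged and carry the PIN in User-Password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    reply = lambda c, a=(): build_response(c, ident, secret, request_auth, list(a))
    if code != ACCESS_REQUEST or USER_PASSWORD not in attrs:
        return reply(ACCESS_REJECT)
    user = attrs.get(USER_NAME)
    answer = pap_reveal(attrs[USER_PASSWORD], secret, request_auth)
    state = attrs.get(STATE)
    if state is None and user in USERS and hmac.compare_digest(answer, USERS[user]):
        state = os.urandom(16)            # unpredictable, single-use session token
        sessions[state] = user
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter PIN:"), (STATE, state)])
    if state is not None and sessions.pop(state, None) == user \
            and hmac.compare_digest(answer, EXPECTED_PIN):
        return reply(ACCESS_ACCEPT)
    return reply(ACCESS_REJECT)

def client_login(secret, user, password, pin, sessions):
    """Run both legs against server_handle; return the final RADIUS code."""
    ra = os.urandom(16)
    req = build_request(1, ra, [(USER_NAME, user), (USER_PASSWORD, pap_hide(password, secret, ra))])
    resp = server_handle(req, secret, sessions)
    if not verify_response(resp, secret, ra):
        raise ValueError("bad Response Authenticator: reply not from our server")
    if resp[0] != ACCESS_CHALLENGE:
        return resp[0]
    state = dict(decode_attrs(resp[20:]))[STATE]   # must go back unmodified
    ra2 = os.urandom(16)
    req = build_request(2, ra2, [(USER_NAME, user), (USER_PASSWORD, pap_hide(pin, secret, ra2)), (STATE, state)])
    resp = server_handle(req, secret, sessions)
    if not verify_response(resp, secret, ra2):
        raise ValueError("bad Response Authenticator: reply not from our server")
    return resp[0]
```

`client_login(b"s3cret", b"test", b"test", b"4321", {})` returns 2 (Access-Accept) after passing through an Access-Challenge; a wrong password is rejected on the first leg and a wrong PIN on the second. The point for someone debugging a client is the second leg: the new Access-Request needs a fresh Request Authenticator, the State copied byte for byte, and the user's answer hidden in User-Password with that new authenticator, which is exactly what a static users-file entry cannot express.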

Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alan DeKok
GreenUA wrote:
> 1. "If you're debugging a RADIUS client you wrote, then this isn't a 
> FreeRADIUS question. " 
> It's freeRADIUS question because i need to configure freeRADIUS server

  If you know so much more than we do, why are you asking questions on
this list?

> 2. "> What methods? How i can configure it? 
> 
>   If you don't know, you don't need Access-Challenges."
> 
> If I don't know how to configure it, I don't need it? In that case why are you
> replying to mails on this forum? 

  Yes.

  You *don't* configure it.  If the authentication method requires
Access-Challenge, then the Access-Challenge is automatically generated.
 If Access-Challenge is not automatically generated, then you don't need it.

> Again sorry if my question not correct, and don't worry i'm not writing
> RADIUS client.

  Well, you said you were.

> My simple question:
> How to configure freeRADIUS server so it replies with an "access-challenge" message
> to an "access-request" from a client?

  My answer (again) is "you don't".

  If you keep asking the question, then it's clear you don't understand
the answer.

  Alan DeKok.


Re: Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
To Alan DeKok-2
Sorry for my perhaps inconsistent question.
I'll try to explain:

1. "If you're debugging a RADIUS client you wrote, then this isn't a 
FreeRADIUS question. " 
It's freeRADIUS question because i need to configure freeRADIUS server

2. "> What methods? How i can configure it? 

  If you don't know, you don't need Access-Challenges."

If I don't know how to configure it, I don't need it? In that case why are you
replying to mails on this forum? 
I want to configure it, and I don't know how; that's why I posted my question
here.

FROM RFC:
 
"If all conditions are met and the RADIUS server wishes to issue a
   challenge to which the user must respond, the RADIUS server sends an
   "Access-Challenge" response.  It MAY include a text message to be
   displayed by the client to the user prompting for a response to the
   challenge, and MAY include a State attribute."

But there is nothing about what conditions, "server wishes", etc.


3. "As a hint: people who don't understand the RADIUS protocol shouldn't 
write RADIUS clients. "

Again, sorry if my question is not correct, and don't worry, I'm not writing a
RADIUS client.


My simple question:
How to configure freeRADIUS server so it replies with an "access-challenge" message
to an "access-request" from a client?



Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alan DeKok
GreenUA wrote:
> What methods? How i can configure it? 

  If you don't know, you don't need Access-Challenges.

> I need to see how my client processes the challenge response. And I can't generate
> that message.

  If you're debugging a RADIUS client you wrote, then this isn't a
FreeRADIUS question.

  As a hint: people who don't understand the RADIUS protocol shouldn't
write RADIUS clients.

  Alan DeKok.


Re: Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
"Specific authentication methods allow for Access-Challenges.  If 
you're not using one of those methods, you won't get Access-Challenges."

What methods? How can I configure it? 

Maybe my post was not clear enough.


"You're trying to solve one problem, but not saying what it is.  You've 
somehow convinced yourself that Access-Challenges are the solution to 
that problem. So you're asking questions about that instead. 

  What, exactly, is the problem, and why do you think Access-Challenges 
are the solution? "

I'm not trying to configure correct authorization via the RADIUS server; that's not
my main goal.
I just want to configure and send back an "Access-challenge" message to the
client side.
I need to see how my client processes the challenge response. And I can't generate
that message.





Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alan DeKok
GreenUA wrote:
> In my configuration RADIUS checks login and password, so it returns
> "Access-accept" or "Access-reject".

  That's what a RADIUS server does.

  Specific authentication methods allow for Access-Challenges.  If
you're not using one of those methods, you won't get Access-Challenges.

  You're trying to solve one problem, but not saying what it is.  You've
somehow convinced yourself that Access-Challenges are the solution to
that problem. So you're asking questions about that instead.

  What, exactly, is the problem, and why do you think Access-Challenges
are the solution?

  Alan DeKok.


Re: Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
OK guys :) 
Ha ha, I know about "Windows must die..." but I can't do anything about that.
Give me examples for Linux: what files I need to configure,
maybe I should use another "Auth-Type" or something else...

Thanks to Alexander Clouter for the FAQ links, but that is debugging, and it is
useful if a configuration exists and you don't know why it doesn't work. 
My question was how to tell the RADIUS server to send an "Access-Challenge" for
the client's "Access-request".

In my configuration RADIUS checks login and password, so it returns
"Access-accept" or "Access-reject".





freeradius, how to cooperate with a wireless AP( system is linux, openwrt)

2011-04-11 Thread xuyu
Hi, I want to build a wireless network with a RADIUS server. The server computer
is Ubuntu, the wireless router is a Linux system (OpenWrt). So I need to install
something on the router; what is it?
Does somebody know something about it? Please do me a favor.

new to radius osx client 3com switch

2011-04-11 Thread jeffrey j donovan
hello

I have been learning about freeradius and could use some guidance. I have a 
freeradius server, a 3com 5500 switch and a mac osx client.

I setup a test machine and added a client record and shared secret. Joe User is 
getting his credentials from ldap, and the machine he sent the request on is 
10.5.1.8, freeradius running on 10.5.1.101. 

Now I need to configure a 3Com switch and mac OSX client to send/accept EAP or 
EAP-TLS. Neither Apple nor 3Com have good setup docs, so I'm looking to the list; 
maybe someone has crossed this river before I build a new bridge?

here was my auth test from a remote user:

echo "User-Name = joeuser\n User-Password = hispassword" | radclient -sx 10.5.1.101 auth Secret

Sending Access-Request of id 137 to 10.5.1.101 port 1812
User-Name = "joeuser"
User-Password = "hispassword"
rad_recv: Access-Accept packet from host 10.5.1.101:1812, id=137, length=20

   Total approved auths:  1
 Total denied auths:  0
   Total lost auths:  0


Mon Apr 11 20:17:42 2011 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.5.1.8 port 57337, id=254, length=51
User-Name = "joeuser"
User-Password = "hispassword"
Mon Apr 11 20:27:04 2011 : Info: +- entering group authorize {...}
Mon Apr 11 20:27:04 2011 : Info: ++[preprocess] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[chap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[mschap] returns noop
Mon Apr 11 20:27:04 2011 : Info: [suffix] No '@' in User-Name = "joeuser", 
looking up realm NULL
Mon Apr 11 20:27:04 2011 : Info: [suffix] No such realm "NULL"
Mon Apr 11 20:27:04 2011 : Info: ++[suffix] returns noop
Mon Apr 11 20:27:04 2011 : Info: [eap] No EAP-Message, not doing EAP
Mon Apr 11 20:27:04 2011 : Info: ++[eap] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[unix] returns updated
Mon Apr 11 20:27:04 2011 : Info: ++[files] returns noop
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The SACL group 
"com.apple.access_radius" does not exist on this system.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: The host 10.5.1.8 does not 
have an access group.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: no access control groups, 
all users allowed.
Mon Apr 11 20:27:04 2011 : Debug: rlm_opendirectory: Setting Auth-Type = 
opendirectory
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Info: ++[expiration] returns noop
Mon Apr 11 20:27:04 2011 : Info: ++[logintime] returns noop
Mon Apr 11 20:27:04 2011 : Info: [pap] Found existing Auth-Type, not changing 
it.
Mon Apr 11 20:27:04 2011 : Info: ++[pap] returns noop
Mon Apr 11 20:27:04 2011 : Info: Found Auth-Type = opendirectory
Mon Apr 11 20:27:04 2011 : Info: +- entering group opendirectory {...}
Mon Apr 11 20:27:04 2011 : Info: ++[opendirectory] returns ok
Mon Apr 11 20:27:04 2011 : Auth: Login OK: [joeuser/hispassword] (from client 
noc port 0)
Mon Apr 11 20:27:04 2011 : Info: +- entering group post-auth {...}
Mon Apr 11 20:27:04 2011 : Info: ++[exec] returns noop
Sending Access-Accept of id 254 to 10.5.1.8 port 57337
Mon Apr 11 20:27:04 2011 : Info: Finished request 2.
Mon Apr 11 20:27:04 2011 : Debug: Going to the next request
Mon Apr 11 20:27:04 2011 : Debug: Waking up in 4.9 seconds.


okay so that's good. Now I assume that I can configure the switch; after 
following 3Com's instructions I end up with
[5500G-EI]display dot1x int g1/0/5
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 DHCP-launch is disabled
 Proxy trap checker is disabled
 Proxy logoff checker is disabled

 Configuration: Transmit Period 30 s,  Handshake Period   15 s
Quiet Period60 s,  Quiet Period Timer is disabled
Supp Timeout30 s,  Server Timeout 100 s
The maximal retransmitting times  2

 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 1

 GigabitEthernet1/0/5  is link-up
   802.1X protocol is enabled
   Proxy trap checker is disabled
   Proxy logoff checker is disabled
   The port is a(n) an authenticator
   Authenticate Mode is Auto
   Port Control Type is Mac-based
   Max on-line user number is 256
  
   Authentication Success: 0, Failed: 2 
   EAPOL Packets: Tx 13, Rx 12 
   Sent EAP Request/Identity Packet : 5 
EAP Request/Challenge Packets: 5 
   Received EAPOL Start Packets : 3 
EAPOL LogOff Packets: 0 
EAP Response/Identity Packets : 5 
EAP Response/Challenge Packets: 0 
Error Packets: 0 
 1. Unauthenticated user : MAC address: 0025-- 

   Controlled User(s) amount to 1
[5500G-EI]  disp domain
0  Domain = nocdomain
   State = Active
   RADIUS Scheme = nocsys  Access-limit = Disable 
   Domain User Template: 
   Idle-cut = Disable
   Self-service = Disable
   Messenger Time = Disable

1  Doma

Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alexander Clouter
Arran Cudbard-Bell  wrote:
>
> On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
> 
>> GreenUA  wrote:
>>> 
>>> I reviewed RFC and FAQ, but I can't find sane info about 
>>> configuration of freeRADIUS server (on Windows) to send 
>>> access-challenge message on access-request.
>>> 
>> ...because running FreeRADIUS is not a sane thing to do.
> 
> Shouldn't that be running Windows is not a sane thing to do? :P
> 
Bah, and it would have looked so awesome if I didn't screw it up.

*ahem*

...because running FreeRADIUS on Windows is not a sane thing to do.



Cheers

-- 
Alexander Clouter
.sigmonster says: Some restrictions may apply.



Re: Help me with Access-Challenge configuration

2011-04-11 Thread Arran Cudbard-Bell

On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:

> GreenUA  wrote:
>> 
>> I reviewed RFC and FAQ, but I can't find sane info about 
>> configuration of freeRADIUS server (on Windows) to send 
>> access-challenge message on access-request.
>> 
> ...because running FreeRADIUS is not a sane thing to do.

Shouldn't that be running Windows is not a sane thing to do? :P



Re: Help me with Access-Challenge configuration

2011-04-11 Thread Alexander Clouter
GreenUA  wrote:
>
> I reviewed RFC and FAQ, but I can't find sane info about 
> configuration of freeRADIUS server (on Windows) to send 
> access-challenge message on access-request.
>
...because running FreeRADIUS is not a sane thing to do.
 
> My configuration is (users.conf):
>
> [snipped AWOL radiusd.conf file]
> 
> Guys, please help me with the answer or, if possible, give me some link 
> or manual in which I can find the answer.
>
The best links on FreeRADIUS can be found at:

http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Cheers

-- 
Alexander Clouter
.sigmonster says: Check your local listings.



Help me with Access-Challenge configuration

2011-04-11 Thread GreenUA
I reviewed the RFC and FAQ, but I can't find sane info about configuration of
freeRADIUS server (on Windows) to send an access-challenge message on
access-request.

My configuration is (users.conf):

test   Auth-Type := Local, User-Password == "test"
       Service-Type = Login-User,
       Login-IP-Host = 192.99.98.119,
       Login-Service = Telnet,
       CS_Priv_Level = 2,
       Reply-Message = "Hello, %u. Welcome from RADIUS. You are Administrator"


For such a configuration the RADIUS server (receiving an access-request) checks login +
password and, if they are correct, sends the "Reply-Message" with the right
"CS_Priv_Level" to the client (access-accept).
But I need to validate one more parameter from the client and send him an
access-challenge, and I don't know how to configure my RADIUS server to send
"Access-challenge".
Guys, please help me with the answer or, if possible, give me some link or
manual in which I can find the answer.




Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 11/04/11 14:45, Phil Mayers wrote:
> I'll spin up an SSID and give it a try with real clients later today.


Regrettably I can report that this does not work with Symbian.

With "send_error = no", incorrect username/password reports "EAP/PEAP 
authentication failed"


With "send_error = yes", the client just hangs (and in fact crashed my 
phone several times)


:o(


RE: MLPPP Acct-Session-Id

2011-04-11 Thread Jay Kuhne (jkuhne)
Thank you Arran and Alan for your feedback.
I received confirmation it was not yet implemented on Cisco ASR1k.

-Original Message-
From: freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org
[mailto:freeradius-users-bounces+jkuhne=cisco@lists.freeradius.org]
On Behalf Of Arran Cudbard-Bell
Sent: Saturday, April 02, 2011 4:58 AM
To: FreeRadius users mailing list
Subject: Re: MLPPP Acct-Session-Id


On Apr 2, 2011, at 12:34 AM, Alan DeKok wrote:

> Jay Kuhne (jkuhne) wrote:
>> Forgot to mention, also attempted with Acct-Multi-Session-Id, which
was in the accounting record but same result.
> 
>  I would say to ask the NAS manufacturer for a list of what they need 
> in the CoA packet, but that doesn't seem to apply here.
> 
>  I'm not sure why CoA is so complicated.  If there's an 
> Acct-Session-Id attribute, the NAS should use that to identify a 
> session.  Pretty much every other "session identification" attribute
can be ignored.
> 

Some NAS manufacturers require multiple identification attributes; you
really need to ask the manufacturer what attributes and values are
required to identify a session. Sometimes you also need a minimum number
of policy attributes in addition to the identification attributes. CoA
doesn't differentiate between the two types at the packet level; it's
completely implementation-specific.

-Arran


Re: LDAP-group filter search is failing

2011-04-11 Thread joezamosc
I got more info with a different query...



# RobertTest1, WANN, Departments, corp.development.com
dn: CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: RobertTest1
givenName: RobertTest1
distinguishedName:
CN=RobertTest1,OU=WANN,OU=Departments,DC=corp,DC=development,DC=com
instanceType: 4
whenCreated: 20110401191333.0Z
whenChanged: 20110405164213.0Z
displayName: RobertTest1
uSNCreated: 10906825
uSNChanged: 10913688
name: RobertTest1
objectGUID:: GsSgT0UjekqU6zZku/fn2A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 129461649719116071
pwdLastSet: 129461588135809607
primaryGroupID: 513
objectSid:: AQUAAAUVJRdSujUPgdGF4vwq+QgAAA==
accountExpires: 9223372036854775807
logonCount: 1
sAMAccountName: RobertTest1
sAMAccountType: 805306368
userPrincipalName: robertte...@corp.development.com
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=development,DC=com
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 20110405164213.0Z
dSCorePropagationData: 16010108151513.0Z

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5




Re: LDAP-group filter search is failing

2011-04-11 Thread joezamosc
Alex - as requested...




ldapsearch -h  -x -b ou=Departments,DC=corp,DC=development,DC=com
cn=wann

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: cn=wann
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

ldapsearch -h xxx -x -b  ou=Departments,DC=corp,DC=development,DC=com
member=CN=RobertTest1,ou=WANN,ou=Departments,dc=corp,dc=development,dc=com

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: member=cn=roberttest1
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1




Re: UTF-8 UaseName permit?

2011-04-11 Thread John Dennis

On 04/11/2011 09:38 AM, ziyen wrote:
> Hi
> I want to use UserName with Chinese UTF-8 characters.
> Is special config needed? Also, is it permitted?
> Thanks


UTF-8 is not special and does not require special config, yes it's 
supported.


The only thing you have to do is get the UTF-8 into the data store 
you're using (users file, SQL, ldap, etc.). How to do that is *NOT* 
FreeRADIUS specific, rather it's a generic issue specific to the tools 
you're using to manage your data so please do not ask how to do it here.


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


unable to authenticate freeradius+AD

2011-04-11 Thread Yao Konou
Hi all,

I need your help to fix a problem in an AD configuration with FreeRADIUS.
My platform: FreeRADIUS + Samba + AD (Windows 2003).
The problem: unable to authenticate AD users.
This is the debug output of the authentication of an AD user on the server.

Regards.


Yao Thierry Konou
AMR SERVICES
11 Rue du Petit Châtelier CS90346
44303 NANTES CEDEX 3
Tel : 02 28 44 19 80 - Fax : 02 28 44 53 88
Site: http://www.amr-services.fr


Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_realm, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_realm
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating suffix
Mon Apr 11 14:24:39 2011 : Debug:   realm suffix {
Mon Apr 11 14:24:39 2011 : Debug:   format = "suffix"
Mon Apr 11 14:24:39 2011 : Debug:   delimiter = "@"
Mon Apr 11 14:24:39 2011 : Debug:   ignore_default = no
Mon Apr 11 14:24:39 2011 : Debug:   ignore_null = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_files, checking if it's valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_files
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating files
Mon Apr 11 14:24:39 2011 : Debug:   files {
Mon Apr 11 14:24:39 2011 : Debug:   usersfile = "/etc/freeradius/users"
Mon Apr 11 14:24:39 2011 : Debug:   acctusersfile = 
"/etc/freeradius/acct_users"
Mon Apr 11 14:24:39 2011 : Debug:   preproxy_usersfile = 
"/etc/freeradius/preproxy_users"
Mon Apr 11 14:24:39 2011 : Debug:   compat = "no"
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug: [/etc/freeradius/users]:103 WARNING! Changing 
'Tunnel-Medium-Type =' to 'Tunnel-Medium-Type =='   for comparing RADIUS 
attribute in check item list for user DEFAULT
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking session {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_radutmp, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_radutmp
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating radutmp
Mon Apr 11 14:24:39 2011 : Debug:   radutmp {
Mon Apr 11 14:24:39 2011 : Debug:   filename = "/var/log/freeradius/radutmp"
Mon Apr 11 14:24:39 2011 : Debug:   username = "%{User-Name}"
Mon Apr 11 14:24:39 2011 : Debug:   case_sensitive = yes
Mon Apr 11 14:24:39 2011 : Debug:   check_with_nas = yes
Mon Apr 11 14:24:39 2011 : Debug:   perm = 384
Mon Apr 11 14:24:39 2011 : Debug:   callerid = yes
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking post-proxy {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking post-auth {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_attr_filter, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_attr_filter
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating 
attr_filter.access_reject
Mon Apr 11 14:24:39 2011 : Debug:   attr_filter attr_filter.access_reject {
Mon Apr 11 14:24:39 2011 : Debug:   attrsfile = 
"/etc/freeradius/attrs.access_reject"
Mon Apr 11 14:24:39 2011 : Debug:   key = "%{User-Name}"
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  } # modules
Mon Apr 11 14:24:39 2011 : Debug: } # server
Mon Apr 11 14:24:39 2011 : Debug: server {
Mon Apr 11 14:24:39 2011 : Debug:  modules {
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking authenticate {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking authorize {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_preprocess, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_preprocess
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating preprocess
Mon Apr 11 14:24:39 2011 : Debug:   preprocess {
Mon Apr 11 14:24:39 2011 : Debug:   huntgroups = 
"/etc/freeradius/huntgroups"
Mon Apr 11 14:24:39 2011 : Debug:   hints = "/etc/freeradius/hints"
Mon Apr 11 14:24:39 2011 : Debug:   with_ascend_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   ascend_channels_per_line = 23
Mon Apr 11 14:24:39 2011 : Debug:   with_ntdomain_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_specialix_jetstream_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_cisco_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   with_alvarion_vsa_hack = no
Mon Apr 11 14:24:39 2011 : Debug:   }
Mon Apr 11 14:24:39 2011 : Debug:  Module: Checking preacct {...} for more 
modules to load
Mon Apr 11 14:24:39 2011 : Debug: (Loaded rlm_acct_unique, checking if it's 
valid)
Mon Apr 11 14:24:39 2011 : Debug:  Module: Linked to module rlm_acct_unique
Mon Apr 11 14:24:39 2011 : Debug:  Module: Instantiating acct_unique
Mon Apr 11 14:24:39 2011 : Debug:   acct_unique {
Mon Apr 11 14:24:39 2011 : Debug:   key = "User-Name, Acct-Session-Id, 
NAS-IP-Address, Client-I

Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 11/04/11 11:22, Phil Mayers wrote:
> On 10/04/11 15:41, James J J Hooper wrote:
>> This C= needs to be saved and eventually make its way in to
>> data->challenge so that the line lower down:
>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
>
> It's actually a bit more complex; the new challenge is being generated
> inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
> needs to know it, so that it can add it to the fake request which it
> then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
>
> This would also get us part of the way there to password change via
> mschap (Samba currently lacks the specific API call to do this, with the
> values available in an MSCHAP CPW packet, but it might be possible to
> compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry 
work for me.


It needs a bit of work, specifically there should be a:

 num_retries

...parameter, and the EAP module should keep track of retry attempt 
counts, and stop when either:


 try_number > num_retries

 or

 R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure 
it should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; 
I've looked into this a couple of times recently and Samba has almost 
all the bits required to make it work... However, that would require 
some infrastructure for the server to override the MS-CHAP error code, 
currently hard-coded at 691 - 648 is "password expired" and would need 
to be set, either by parsing the output of ntlm_auth (for those that use 
it) or from some SQL/database attribute (for those using 
Cleartext/NT-Password)


retry.patch.gz
Description: GNU Zip compressed data
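Phil's stopping rule above (keep retrying only while the error says R=1 and the attempt count is within num_retries, and pick up the new C= challenge for the next attempt) as an added Python example; this is not the attached patch and not FreeRADIUS code. The attribute layout follows RFC 2548 section 2.1.6 (one Ident byte, then the RFC 2759 section 6 text "E=... R=... C=... V=... M=..."); the sample attribute values are constructed, and the walk over a list of error strings stands in for the EAP-MSCHAPv2 state machine the patch changes.

```python
# Added example, not FreeRADIUS code: parse MS-CHAP-Error and apply the retry rule.
import re

# Error codes from RFC 2759 section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
_ERR_RE = re.compile(
    rb"^E=(?P<e>\d{1,10}) R=(?P<r>[01]) C=(?P<c>[0-9A-Fa-f]{32}) V=(?P<v>\d{1,10})(?: M=(?P<m>.*))?$",
    re.S,
)

# Constructed samples. The first byte of the RADIUS attribute value is the MS-CHAP Ident.
SAMPLE_RETRY = b"\x01E=691 R=1 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Authentication failed"
SAMPLE_EXPIRED = b"\x02E=648 R=0 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired"


def parse_mschap_error(value):
    """Return the fields of one MS-CHAP-Error attribute value; raise on malformed input."""
    if len(value) < 2:
        raise ValueError("MS-CHAP-Error too short")
    m = _ERR_RE.match(value[1:])
    if not m:
        raise ValueError("MS-CHAP-Error does not match the RFC 2759 format")
    code = int(m["e"])
    return {
        "ident": value[0],
        "error": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m["r"] == b"1",
        "challenge": bytes.fromhex(m["c"].decode("ascii")),  # the NEW 16-byte challenge
        "version": int(m["v"]),
        "message": (m["m"] or b"").decode("utf-8", "replace"),
    }


def should_retry(err, try_number, num_retries):
    """try_number counts failures so far; retry only while the server allows it and
    we have not used up num_retries (the parameter Phil says the module should grow)."""
    return err["retry_allowed"] and try_number <= num_retries


def walk_errors(error_values, num_retries):
    """Feed successive MS-CHAP-Error values to the rule the way a client state machine
    would. Returns the hex challenges answered (one per retry) and the error code on
    which the client gave up (None if every error still allowed a further retry)."""
    retried_with, attempts = [], 0
    for raw in error_values:
        attempts += 1
        err = parse_mschap_error(raw)
        if not should_retry(err, attempts, num_retries):
            return retried_with, err["error"]
        retried_with.append(err["challenge"].hex())
    return retried_with, None
```

With `num_retries = 2`, three consecutive 691/R=1 errors produce two retries (each against the fresh C= value) and then a final 691; a 648 "password expired" with R=0 stops immediately with no retry, which is the hook Phil describes for a change-password flow.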

UTF-8 UaseName permit?

2011-04-11 Thread ziyen
Hi
I want to use UserName with Chinese UTF-8 characters.
Is special config needed? Also, is it permitted?

Thanks

Duplicate Accounting maybe once, twice a day

2011-04-11 Thread Marius Pesé
Hi everyone,

we are having an issue on our FreeRadius setup where our redundant servers will 
maybe once, twice a day create duplicate accounting entries.
I have switched the servers to debug for a full day and caught one of these 
incidents in the log file, see attached.

The strange thing is it only happens maybe once a day, regardless of realm or 
user, and the other couple of hundred accounting requests are fine.
Can anyone see why this particular one would bounce back and forth?

Our setup consists of two virtually identical FreeRadius2 servers, each with 
their own mySQL database, so each of them is capable of doing Auth and Acct, 
and proxies Acct to the other one.
Also I changed the acct_update_alt query to write to a failover table since I 
thought this was the alt query being triggered, but this does not make a 
difference. Still duplicates in radacct table.

Thanks!
Marius

__
Marius Pesé
Senior Software Developer
B.Sc. Computer Science
Unit 5, Doncaster Office ParkMindspring Computing
Punters Way, Kenilworth   P O Box 46926
Cape Town, South Africa   Glosderry 7702
Phone: +27 21 657 1780  Fax   : +27 21 671 7599
Cell : 072 100 70 73
E-mail: mar...@mindspring.co.za

rad_recv: Accounting-Request packet from host 196.43.1.87 port 1820, id=1, length=261
Acct-Session-Id = "3/0/0/5.159_00A0493F"
Framed-Protocol = PPP
Framed-IP-Address = 41.144.110.38
User-Name = "aba...@msp.co.za"
X-Ascend-Connect-Progress = LAN-Session-Up
X-Ascend-PreSession-Time = 3
X-Ascend-Xmit-Rate = 4096000
X-Ascend-Data-Rate = 4096000
Acct-Session-Time = 3404
Acct-Input-Octets = 970
Acct-Output-Octets = 994
X-Ascend-Pre-Input-Octets = 86
X-Ascend-Pre-Output-Octets = 91
Acct-Input-Packets = 62
Acct-Output-Packets = 62
X-Ascend-Pre-Input-Packets = 5
X-Ascend-Pre-Output-Packets = 6
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
NAS-Port = 805634207
NAS-Port-Id = "3/0/0/5.159"
Connect-Info = "AutoShapedVC"
Calling-Station-Id = "0182932392"
Class = "NL1"
Service-Type = Framed-User
NAS-IP-Address = 196.43.27.100
X-Ascend-Session-Svr-Key = "01FB51D4"
Acct-Delay-Time = 5
Telkom-Access-Type = "DSL"
Proxy-State = 0x3436
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 805634207,Client-IP-Address = 
196.43.1.87,NAS-IP-Address = 196.43.27.100,Acct-Session-Id = 
"3/0/0/5.159_00A0493F",User-Name = "aba...@msp.co.za"'
[acct_unique] Acct-Unique-Session-ID = "bf140131ce2e1d1f".
++[acct_unique] returns ok
[suffix] Looking up realm "msp.co.za" for User-Name = "aba...@msp.co.za"
[suffix] Found realm "msp.co.za"
[suffix] Adding Stripped-User-Name = "abacus"
[suffix] Adding Realm = "msp.co.za"
[suffix] Proxying request from user abacus to realm msp.co.za
[suffix] Preparing to proxy accounting request to realm "msp.co.za" 
++[suffix] returns updated
++[files] returns noop
+- entering group accounting {...}
[radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> aba...@msp.co.za
++[radutmp] returns ok
[sql]   expand: %{User-Name} -> aba...@msp.co.za
[sql] sql_set_user escaped user --> 'aba...@msp.co.za'
[sql]   expand: %{Acct-Input-Gigawords} -> 
[sql]   ... expanding second conditional
[sql]   expand: %{Acct-Input-Octets} -> 970
[sql]   expand: %{Acct-Output-Gigawords} -> 
[sql]   ... expanding second conditional
[sql]   expand: %{Acct-Output-Octets} -> 994
[sql]   expand:UPDATE radacct   SET  
framedipaddress = '%{Framed-IP-Address}',  acctsessiontime = 
'%{Acct-Session-Time}',  acctinputoctets = 
'%{%{Acct-Input-Gigawords}:-0}'  << 32 |
'%{%{Acct-Input-Octets}:-0}',  acctoutputoctets= 
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}'   WHERE acctsessionid = 
'%{Acct-Session-Id}'   AND username= '%{SQL-User-Name}' 
  AND nasipaddress= '%{NAS-IP-Address}' ->UPDATE radacct
   SET  framedipaddress = '41.144.110.38',  
acctsessiontime = '3404',  acctinputoctets = '0'  << 32 |   
 '970',  acctoutputoctets= '0' 
<< 32 |'994'   WHERE acctsessionid 
= '3/0/0/5.159_00A0493F'   AND username= 'aba...@msp.co.za
rlm_sql (sql): xlat failed.
rlm_sql (sql): Reserving sql socket id: 5
rlm_sql_mysql: query: UPDATE radacct   SET

Re: Problem with EAP-TLS authentication in Freeradius 2.1.0

2011-04-11 Thread senthil kumar
Hi Alan,
Is there any solution or debugging tip for this problem?
Please let me know.



Regards
Senthil



On Fri, Apr 8, 2011 at 1:43 PM, senthil kumar  wrote:

> Hi Alan,
> Earlier I faced the same problem and after changing the Makefile it
> was working fine.
> Now the certificate has expired and I tried to generate a new certificate.
> The problem is I am not able to connect with the new certificate.
> So please let me know how to solve this problem.
>
>
>
> Regards
> Senthil
>
>   On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok 
> wrote:
>
>> senthil kumar wrote:
>> >   I am using Freeradius 2.1.0
>> >   PEAP/TTLS is working fine and I am facing problem in TLS
>> > authentication. I am able to generate certificate but while connecting
>> > it throws Authentication error.
>> >  Please let me know how to debug it.
>>
>>  *Read* the debug log.  There's a lot of text, but looking for
>> "warning" or "error" or "failure" or "reject" is simple.
>>
>> > [tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
>> >
>> > TLS Alert read:warning:bad certificate
>>
>>  See?
>>
>>  Alan DeKok.
>>
>
>
>
>  --
> "Adversity always presents opportunity for Introspection"
>
> Regards
> Senthil
>



-- 
"Adversity always presents opportunity for Introspection"

Regards
Senthil

Re: Freeradius proxy caching users

2011-04-11 Thread Alexander Clouter
Ivan Luska  wrote:
>
> Hello, I use Freeradius as proxy server. Is it possible to cache 
> authenticated users on the proxy and resend access-accept to these 
> users, if home server fails?
> 
If you look through the archives and find out how to fail over to a 
virtual server to proxy through instead, it is possible.  You would need 
to script up something with rlm_perl/rlm_python to build up a cache, and 
the virtual failover system would then have to query that cache.

Cheers

-- 
Alexander Clouter
.sigmonster says:  I *like* the chicken



FR and AD with ntlm and Users group

2011-04-11 Thread Raheel Itrat


Hi, 
 
I am authenticating my Cisco devices by integrating FreeRadius with Active 
Directory, not using LDAP but ntlm_auth. 
Now, if I make a group on my AD server, for example Router Admins, and put some 
users in it, where would I define in FreeRadius that only users from the 
Router Admins group are permitted? Do I need to define it in the smb.conf?
 
BR,
Raheel


Re: Freeradius proxy caching users

2011-04-11 Thread Phil Mayers

On 11/04/11 11:45, Ivan Luska wrote:

Hello, I use Freeradius as proxy server. Is it possible to cache
authenticated users on the proxy and resend access-accept to these
users, if home server fails?


Probably not, but it depends.

If you're using a challenge-response auth method (EAP, for 802.1x 
wireless or wired; CHAP for VPN/dialup/ADSL) then no. It's impossible.


If you're using PAP or similar, then you could probably write a script 
to cache them, or use rlm_caching - see raddb/experimental.conf for the 
"caching" module definition.

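To make the challenge-response point above concrete, here is an added Python sketch (not from the list or from FreeRADIUS) of why a proxy cannot answer a CHAP login from a cache: the CHAP response is MD5(Identifier || Secret || Challenge), the NAS picks a fresh challenge for every login, and the proxy never holds the secret. The user name and secret are constructed values.

```python
import hashlib
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def home_server_verify(identifier, challenge, response, secret):
    """The home server holds the user's secret, so it can recompute the response."""
    return chap_response(identifier, secret, challenge) == response


class ProxyCache:
    """A proxy only sees (user, identifier, challenge, response) on the wire and
    never the secret, so all it can remember is exact exchanges that the home
    server accepted."""

    def __init__(self):
        self._accepted = set()

    def record_accept(self, user, identifier, challenge, response):
        self._accepted.add((user, identifier, challenge, response))

    def replay_accept(self, user, identifier, challenge, response):
        return (user, identifier, challenge, response) in self._accepted


def pap_cache_key(user, password: bytes):
    """With PAP the proxy sees the password itself (after RADIUS decryption), so
    a cache can be keyed on it; the cache then holds password-derived material."""
    return (user, hashlib.sha256(password).hexdigest())


def simulate_failover(secret=b"constructed-secret", user="ivan"):
    """Return (first login answerable from cache?, second login answerable?)."""
    cache = ProxyCache()
    # First login: the NAS picks a random challenge, the home server is up and accepts.
    id1, ch1 = 1, os.urandom(16)
    r1 = chap_response(id1, secret, ch1)
    if home_server_verify(id1, ch1, r1, secret):
        cache.record_accept(user, id1, ch1, r1)
    first = cache.replay_accept(user, id1, ch1, r1)
    # Home server is down, the same user reconnects: the NAS issues a fresh
    # challenge, so the response differs and the cached exchange is useless.
    id2, ch2 = 2, os.urandom(16)
    r2 = chap_response(id2, secret, ch2)
    second = cache.replay_accept(user, id2, ch2, r2)
    return first, second
```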


Re: Mac Authorization

2011-04-11 Thread syharash
Joren,

This is how my policy looks, could you please let me know what changes do i
need to make, to make the mac-authentication work;

policy {
    #
    # Rewrite called station id attribute into a standard format.
    #
    rewrite_calling_station_id {
        if(request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }
    #
    #   Forbid all EAP types.
    #
    forbid_eap {
        if (EAP-Message) {
            reject
        }
    }

    #
    #   Forbid all non-EAP types outside of an EAP tunnel.
    #
    permit_only_eap {
        if (!EAP-Message) {
            #  We MAY be inside of a TTLS tunnel.
            #  PEAP and EAP-FAST require EAP inside of
            #  the tunnel, so this check is OK.
            #  If so, then there MUST be an outer EAP message.
            if (!"%{outer.request:EAP-Message}") {
                reject
            }
        }
    }

    #

also my /etc/raddb/users file looks like this;

DEFAULT
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Service-Type = Framed-User,
    Fall-Through = Yes

00-1F-3C-D1-2B-6C
    User-Name = "subhash",
    Cleartext-Password = "sub@1979",
    Tunnel-Private-Group-ID = "17"


--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Mac-Authorization-tp4287256p4295664.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
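The rewrite_calling_station_id policy from the post above, reproduced in Python as an added example (not from the post or from FreeRADIUS) to show what its regex does with the address formats different NASes send. rewrite_as_policy mirrors the unlang one to one; normalize_mac is an assumed stricter variant that anchors the match, also accepts the Cisco dotted form and upper-cases the result; the sample addresses are constructed.

```python
import re

# Regex copied from the rewrite_calling_station_id policy in the post above.
POLICY_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})"
    r"[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)

# The MAC entry from the users file in the post above.
USERS_ENTRY = "00-1F-3C-D1-2B-6C"


def rewrite_as_policy(value: str) -> str:
    """Mirror the unlang: an unanchored search, rebuilt as %{1}-...-%{6};
    the else branch is noop, so a non-matching value is returned unchanged."""
    m = POLICY_RE.search(value)
    return "-".join(m.groups()) if m else value


def normalize_mac(value: str):
    """Assumed stricter variant: strip '-', ':' and '.', require exactly 12 hex
    digits, and upper-case so the result does not depend on how the NAS wrote
    it. Returns None for anything that is not a bare MAC address."""
    digits = re.sub(r"[-:.]", "", value.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_as_users_entry(rewritten) -> bool:
    """Exact string comparison against the users-file entry: the policy keeps
    whatever case the NAS sent, while the entry above is upper-case."""
    return rewritten == USERS_ENTRY
```

Note that the page's regex is not anchored, so a value such as "ap-001f3cd12b6c-eth0" is still rewritten to a MAC, and the Cisco dotted form "001f.3cd1.2b6c" does not match at all and passes through unchanged.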


Freeradius proxy caching users

2011-04-11 Thread Ivan Luska
Hello, I use Freeradius as proxy server. Is it possible to cache 
authenticated users on the proxy and resend access-accept to these 
users, if home server fails?


Ivan Luska


Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers

On 10/04/11 15:41, James J J Hooper wrote:



This C= needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated 
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2 
needs to know it, so that it can add it to the fake request which it 
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.


This would also get us part of the way there to password change via 
mschap (Samba currently lacks the specific API call to do this, with the 
values available in an MSCHAP CPW packet, but it might be possible to 
compile a C helper which does it...)



Re: problem in assigning Tunnel-Private-Group-ID

2011-04-11 Thread syharash
Dear Alan,

Thank you so much. God bless you all, it's
working!

REgards,
Syed
