Re: Config for proxying based on auth-protocol

2011-05-10 Thread Alan DeKok
Nitin Bhardwaj wrote:
> I want to configure FreeRADIUS to do the following two things:
>
> (1) Handle tunnel for PEAP authentication requested by any supplicant(s),
>     and do mschapv2 auth with another RADIUS server. (Irrespective of
>     the realm in the user-name)
>
> (2) Transparently proxy all other non-PEAP requests to another RADIUS
>     server (like LEAP, EAP-FAST etc etc).
>     (Again, irrespective of the realm in the user-name).

  That's impossible.

  By the time the server discovers that the client is using a particular
EAP method, the EAP session has started, and it's impossible to proxy it
to another RADIUS server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Phil Mayers

On 05/09/2011 10:55 PM, Gary Gatten wrote:

> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is.
Don't do that.

> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
> my windows logon name and password” and instead enter the credentials
> manually it works.

Are the machines domain members?

> I should note, it appears the Aruba gear is terminating the PEAP – FR
> only sees an MSCHAP request.

DEFINITELY don't do that!

Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?


Re: Config for proxying based on auth-protocol

2011-05-10 Thread Nitin Bhardwaj

Thanks a lot Alan for the insight.

--
Nitin Bhardwaj




Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread ironrake
Check some basic stuff too. Make sure your radius user can run ntlm_auth.


Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
The same FR instance works perfectly using the same Aruba controller and user
creds if the client OS is XP.  As noted, everything also works with Windows 7
if you don't select "use windows login info".


Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
Sorry, I trimmed because everything is the same between success and failure 
up until the exec program output...

Yes, they are domain members.  FR sees only a basic MSCHAP request, no *EAP of 
any kind.


Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Phil Mayers

On 05/10/2011 01:20 PM, Gary Gatten wrote:

> Sorry, I trimmed because everything is the same between success and failure
> up until the exec program output...

Well, unfortunately "the same" didn't trigger my crystal ball, so I have
no idea what it was, regardless of whether it's the same.

I want to try to help, but in the absence of the debug output I would
just have to ask a long list of questions, which to be honest I'm too
lazy to do ;o)

> Yes, they are domain members.  FR sees only a basic MSCHAP request, no *EAP of
> any kind.

So the Aruba kit is fiddling quite extensively with the EAP transaction.

Seriously: at least try it with the PEAP terminated on FreeRADIUS.


Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
I don't have access to the debug right now, but will post it later.

I was hoping someone would pop up and say, oh yeah - you need patch xyz on
Winblows 7. No such luck :)

Thx

G




Restrict user only to a NAS

2011-05-10 Thread Marcos TP
Hello everyone.
I have a doubt regarding restricting a user to a NAS.
I have 40 NAS connected to FreeRADIUS and need each user to connect only to
a specific NAS, denying the user access from the other NAS.

What parameter do I need to activate this feature?

Thanks All.

Re: Restrict user only to a NAS

2011-05-10 Thread Marcos TP
I forgot to mention that I use MySQL to manage my users and NAS.
In the table that records the users there is a field 'radnas_id' where I can
tell the NAS that the user is entitled to connect to, but I cannot enable this
restriction.

RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
> automatically use my windows logon name and password and
> instead enter the credentials manually it works.

What version of FR are you running?  If it's < 2.1.10, try it with 2.1.10.



Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
I think it's 2.1.6, maybe 2.1.7.

I can/will upgrade, but the symptoms lead me to believe it's a Windows thing.
What leads you to believe an FR upgrade would fix it?



Re: Restrict user only to a NAS

2011-05-10 Thread Tyller D
I believe you have to use Huntgroups to do that

http://wiki.freeradius.org/SQL_Huntgroup_HOWTO




RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
> automatically use my windows logon name and password and
> instead enter the credentials manually it works.

Look at:

http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

to see if this is your problem (look at the table in the post). If so and
you're running a version < 2.1.10, upgrade as this problem is fixed in 2.1.10.



Multiple FR Server and NAS

2011-05-10 Thread googerdi
Hi

How can I configure FR if I have multiple FR servers and NAS? How can I say,
for example, that a specific user is for a specific NAS?



RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
> I can/will upgrade, but the symptoms lead me to believe it's a Windows
> thing.  What leads you to believe an FR upgrade would fix it?

I sent another response with more info.  The issue I'm thinking of is one we
talked about quite a while ago (I asked if you could test it).  It's the one
where the case (i.e., upper vs. lower) of the User-Name differs between the
inner and outer tunnels.  Take a look at the link I included in my last
response.  In it, there's a table that showed the results of tests I performed.
It was with XP not Win7, but the same *may* apply.  I would look in the debug
output at the Access-Requests and compare the User-Name attributes for inner
and outer tunnels to see if they are *exactly* the same (it's case-sensitive as
it is used to construct the challenge/response).  I thought of this because my
testing produced different results depending upon whether credentials were
passed automatically (which is a symptom you described).  Look at the table in:

http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

to see what I mean.



Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Phil Mayers

On 05/10/2011 03:00 PM, Garber, Neal wrote:

>> In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
>> automatically use my windows logon name and password and instead
>> enter the credentials manually it works.
>
> Look at:
>
> http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html
>
> to see if this is your problem (look at the table in the post). If
> so and you're running a version < 2.1.10, upgrade as this problem is
> fixed in 2.1.10.

One additional note: the fixes that went into 2.1.10 extract (verbatim)
the client username from the EAP-MSCHAPv2 response, and pass that
through to the rlm_mschap module as an extra attribute.

This won't work for the OP even under 2.1.10, because his Aruba kit is
terminating the PEAP, and then proxying the EAP-MSCHAPv2 as plain
MS-CHAPv2, so (as advised elsewhere) he'll still need to change that.

You're almost certainly right about the cause/fix.
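The two checks Neal and Phil are talking about, as an added example that is not from the list or from FreeRADIUS itself: a strict decoder for the EAP-MSCHAPv2 Response packet that pulls out the Name octets exactly as the supplicant sent them, an octet-for-octet comparison of that Name against the RADIUS User-Name (the check behind the "User-Name is not the same as MS-CHAP name" reject in the other thread on this page), and the RFC 2759 §8.2 ChallengeHash, which is where the user name's case enters the MS-CHAPv2 computation. The packet layout is the one in draft-kamath-pppext-eap-mschapv2. The challenges, the NT-Response bytes and the sample packet are constructed (the NT-Response is a placeholder, not a real one, since computing it needs MD4 and DES and is beside the point); the name CAD08862\ldapuser is borrowed from Robert's debug output.

```python
"""Decode an EAP-MSCHAPv2 Response and check the name it carries.

Wire layout (draft-kamath-pppext-eap-mschapv2; ChallengeHash is RFC 2759 s8.2):
  EAP header : Code(1)=2  Identifier(1)  Length(2)  Type(1)=26
  MS-CHAPv2  : OpCode(1)=2  MS-CHAPv2-ID(1)  MS-Length(2)=Length-5  Value-Size(1)=49
  Value (49) : Peer-Challenge(16)  Reserved(8)  NT-Response(24)  Flags(1)
  Name       : the rest of the packet, exactly as the supplicant sent it
"""
import hashlib
import struct
from dataclasses import dataclass

EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OP_RESPONSE = 2
VALUE_SIZE = 49
EAP_HDR = 5   # Code, Identifier, Length, Type
MS_HDR = 5    # OpCode, MS-CHAPv2-ID, MS-Length, Value-Size


@dataclass(frozen=True)
class MsChapV2Response:
    eap_id: int
    peer_challenge: bytes
    nt_response: bytes
    flags: int
    name: bytes          # verbatim octets; never case-folded or stripped


def parse_eap_mschapv2_response(pkt: bytes) -> MsChapV2Response:
    """Strictly decode one EAP-MSCHAPv2 Response, rejecting inconsistent lengths."""
    if len(pkt) < EAP_HDR + MS_HDR + VALUE_SIZE:
        raise ValueError("packet too short for an EAP-MSCHAPv2 Response")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:EAP_HDR])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP Response of type MS-CHAPv2")
    if length != len(pkt):
        raise ValueError("EAP Length does not match the packet size")
    opcode, _ms_id, ms_length, value_size = struct.unpack(
        "!BBHB", pkt[EAP_HDR:EAP_HDR + MS_HDR])
    if opcode != MSCHAPV2_OP_RESPONSE or value_size != VALUE_SIZE:
        raise ValueError("not an MS-CHAPv2 Response with a 49-octet Value")
    if ms_length != length - EAP_HDR:
        raise ValueError("MS-Length is not EAP Length minus 5")
    value = pkt[EAP_HDR + MS_HDR:EAP_HDR + MS_HDR + VALUE_SIZE]
    return MsChapV2Response(
        eap_id=eap_id,
        peer_challenge=value[0:16],
        nt_response=value[24:48],
        flags=value[48],
        name=pkt[EAP_HDR + MS_HDR + VALUE_SIZE:],
    )


def build_eap_mschapv2_response(eap_id: int, peer_challenge: bytes,
                                nt_response: bytes, name: bytes) -> bytes:
    """Encode a Response; used here only to construct the sample packet."""
    value = peer_challenge + bytes(8) + nt_response + b"\x00"   # Flags must be 0
    length = EAP_HDR + MS_HDR + VALUE_SIZE + len(name)
    return (struct.pack("!BBHB", EAP_RESPONSE, eap_id, length, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBHB", MSCHAPV2_OP_RESPONSE, eap_id,
                          length - EAP_HDR, VALUE_SIZE)
            + value + name)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 s8.2 ChallengeHash: the 8-octet challenge that feeds NT-Response.
    The user name goes into the SHA-1 verbatim, so 'User' and 'user' give
    different challenges and therefore different NT-Responses for one password."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def names_match(outer_user_name: bytes, resp: MsChapV2Response) -> bool:
    """Octet-for-octet comparison of the RADIUS User-Name with the MS-CHAPv2 Name.
    A User-Name rewritten on the server (e.g. the DOMAIN\\ prefix stripped) no
    longer matches what the supplicant put into the Response."""
    return outer_user_name == resp.name


# --- constructed sample data (not captured from the list posts) ----------------
PEER_CHALLENGE = bytes(range(16))          # 16 arbitrary octets
AUTH_CHALLENGE = bytes(range(16, 32))      # 16 arbitrary octets
FAKE_NT_RESPONSE = b"\xaa" * 24            # placeholder; a real one needs MD4 + DES
SAMPLE_PACKET = build_eap_mschapv2_response(
    20, PEER_CHALLENGE, FAKE_NT_RESPONSE, b"CAD08862\\ldapuser")


def demo() -> dict:
    resp = parse_eap_mschapv2_response(SAMPLE_PACKET)
    return {
        "name": resp.name,
        "matches_untouched_user_name": names_match(b"CAD08862\\ldapuser", resp),
        "matches_stripped_user_name": names_match(b"ldapuser", resp),
        "case_changes_challenge":
            challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, b"ldapuser")
            != challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, b"Ldapuser"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Running it shows the name coming back as exactly `CAD08862\ldapuser`, the match succeeding against the untouched User-Name and failing against the domain-stripped one, and the ChallengeHash changing with the case of the name. The parser refuses packets whose EAP Length, MS-Length or Value-Size disagree, which is the right posture for anything that feeds an authentication decision.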


RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
>> ...
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> User-Name = CAD08862\\ldapuser
>
>   You then RE-WRITE the User-Name.
>
>   Don't do that.
>
>   As you were told, re-writing the User-Name for EAP is wrong.  Don't do it.
>
>> The User-Name attribute is untouched.
>
>   You can believe what you *think* happens.  Or you can believe the
> debug output of the server.
>
>   Alan DeKok.


PAP password check

2011-05-10 Thread mic night

Hello,

I have a FreeRADIUS server that I use to authenticate users before they
access network switches. User passwords reside in an LDAP directory with
the following attributes and formats:

userPassword: (CRYPT password)
sambaNTPassword: (NT hash)
sambaLMPassword: (LM hash)

PAP automatically chooses NT encryption to validate the password.
Is there a way to force PAP to use the userPassword with the CRYPT
encryption?

PS: I have to keep sambaNTPassword and sambaLMPassword along with
userPassword as check items for other use scenarios.

I'll post the relevant part of my radius log file in case it helps,
thank you.


[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == {CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36.
  [ldap] sambaNtPassword -> NT-Password == 0x4539463933393235373938463136464345394639333932353739384631364642
  [ldap] sambaLmPassword -> LM-Password == 0x424041323738464338383546424538393735438383546424538393735456
  [ldap] userPassword -> User-Password == {CRYPT}$1$$xkbzS/dF4YU/JKyjA5.36.
[ldap] looking for reply items in directory...
[ldap] user theUser authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password thepassword
[pap] Using NT encryption.
[pap]   expand: %{User-Password} -> thepassword
[pap] NT-Hash of thepassword = e9f93925798f16fc4c9f93925798f1
[pap]   expand: %{mschap:NT-Hash %{User-Password}} -> e9f93925798f16fc4c9f93925798f1
[pap] User authenticated successfully





Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Phil Mayers

On 05/10/2011 03:35 PM, Robert Mc Cready wrote:

> If the User-Name is being rewritten it is not intentional.
>
> Now, I reinstalled from scratch, save the default configuration, join the
> server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
> inner-tunnel and ran diff. I can see in the debug output of the server that
> User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.
>
> http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

I presume there's a debug at this URL, but I have no reachability to it
from where I am (tried from a couple of different source networks):

17  Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54)  90.786 ms  90.770 ms  90.740 ms
18  Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10)  90.800 ms  90.918 ms  91.056 ms
19  tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165)  91.241 ms  90.598 ms  90.634 ms
20  tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198)  79.405 ms  79.282 ms  79.230 ms
21  * * *
22  * * *
23  * * *



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Alan DeKok
Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional.

  Well... it's obviously something you've changed, because it doesn't
happen in the default configuration.

> Now, I reinstalled from scratch, save the default configuration, join the
> server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
> inner-tunnel and ran diff. I can see in the debug output of the server that
> User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

  You're stripping the domain.  Why?  It's just not necessary.  The way
you're doing it is wrong, and is breaking the server.

  Instead, set up CAD08862 as a LOCAL realm.  See proxy.conf.

  Alan DeKok.
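Alan's "set up CAD08862 as a LOCAL realm", written out as an added example in FreeRADIUS 2.x configuration syntax; this is not from the thread, and the authorize section is a reduced sketch rather than the stock file. It assumes the 2.x module instance names (`ntdomain` from modules/realm, `eap`, `mschap`, `ldap`, `pap`) and that the mschap module's ntlm_auth line consumes `%{Stripped-User-Name}` with a fallback to `%{User-Name}`, as the stock 2.x modules/mschap does.

```conf
# proxy.conf: a realm with no auth_host or acct_host is LOCAL, so requests
# for CAD08862\<user> are authenticated on this server rather than proxied.
realm CAD08862 {
}

# modules/realm: the stock 2.x ntdomain instance. It splits "DOMAIN\user" on
# the backslash, sets Realm = CAD08862 and Stripped-User-Name = ldapuser, and
# leaves User-Name itself untouched, so the EAP/MS-CHAPv2 name check still
# sees exactly the name the supplicant sent.
realm ntdomain {
    format = prefix
    delimiter = "\\"
}

# sites-enabled/default and sites-enabled/inner-tunnel, authorize section
# (reduced): list ntdomain where the stock files list suffix. Nothing here
# rewrites User-Name; modules that want the bare account name read
# Stripped-User-Name, as the stock mschap ntlm_auth line does with
#   --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
authorize {
    preprocess
    mschap
    ntdomain
    eap {
        ok = return
    }
    ldap
    pap
}
```

The difference from an attr_rewrite of User-Name is where the split result lands: the realm module stores it in Stripped-User-Name and Realm, so the inner-tunnel's EAP-MSCHAPv2 name comparison against User-Name is unaffected while ntlm_auth still gets the plain account name.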


Re: PAP password check

2011-05-10 Thread Alan DeKok
mic night wrote:
> I have a FreeRADIUS server that I use to authenticate users before they
> access network switches. User passwords reside in an LDAP directory with
> the following attributes and formats:
>
> userPassword: (CRYPT password)
> sambaNTPassword: (NT Hash)
> sambaLMPassword: (LM hash)
>
> PAP automatically chooses NT encryption to validate the password.
> Is there a way to force PAP to use the userPassword with the CRYPT
> encryption?

  Why does it matter?

  You're asking how to implement a solution.  That's wrong.

  Instead, talk about the problem.  What *is* the problem?

  Alan DeKok.


RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
> One additional note: the fixes that went into 2.1.10 extract (verbatim)
> the client username from the EAP-MSCHAPv2 response, and pass that
> through to the rlm_mschap module as an extra attribute.

You're right Phil.  It's been too long since I wrote that patch.

Gary: Forget what I said about comparing User-Name in inner vs outer tunnels.
You would need to look at the User-Name attribute vs. the username contained in
the MSCHAP response. If you have a test server, I would test it with 2.1.10
after you get Aruba not to be the termination point for PEAP.



Re: PAP password check

2011-05-10 Thread mic night

Yes, sorry I didn't expose the problem... Actually, we have a problem
generating the sambaNTPassword and sambaLMPassword, and that's why I'm
(temporarily) trying to force PAP to use the userPassword attribute.


Thank you.



RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
The host names are not domain names, they are computer account names, and we
have hundreds of them.  We only use the MS Domain to authenticate the
computer accounts, not the users.




RE: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Robert Mc Cready
 seconds.

Packet 9

rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212
User-Name = CAD08862\\ldapuser
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
Calling-Station-Id = 00-16-EA-C5-78-9C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11g
EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ...
State = 0xa5fe4130adea583a08d7b8b3e893ab3f
Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 20 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 238 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 238
Sending Access-Reject of id 180 to 10.220.30.5 port 29002
EAP-Message = 0x04140004
Message-Authenticator = 0x
Waking up in 3.8 seconds.
Cleaning up request 229 ID 171 with timestamp +857
Cleaning up request 230 ID 172 with timestamp +857
Cleaning up request 231 ID 173 with timestamp +857
Cleaning up request 232 ID 174 with timestamp +857
Cleaning up request 233 ID 175 with timestamp +857
Cleaning up request 234 ID 176 with timestamp +857
Cleaning up request 235 ID 177 with timestamp +857
Cleaning up request 236 ID 178 with timestamp +857
Cleaning up request 237 ID 179 with timestamp +857
Waking up in 1.0 seconds.



Re: Error: User-Name is not the same as MS-CHAP name

2011-05-10 Thread Alan DeKok
Robert Mc Cready wrote:
> The host names are not domain names, they are computer account names, and we
> have hundreds of them.  We only use the MS Domain to authenticate the
> computer accounts, not the users.

  Well... re-writing the names in the inner-tunnel server is breaking
authentication.

  *Why* are you re-writing them?  What do you expect to do with the
names?  Why isn't there another way to achieve the same goal?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Custom Accounting Fields

2011-05-10 Thread Tim Donahue

Hi all,

We are using Freeradius for accounting from our voip system.  Is there 
documentation somewhere, that you can point me to, on how I can add a 
couple of custom vendor fields to the radacct database schema and the 
INSERT query?


I have no problem reading the documentation, but I can't seem to find 
which documentation I need to review, especially to find what the 
default SQL query is, so I can make sure that the data stays consistent.


Tim


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP password check

2011-05-10 Thread Alan DeKok
mic night wrote:
 Yes, sorry I didn't explain the problem... Actually, we have a problem
 generating the sambaNTPassword and sambaLMPassword and that's why I'm
 (temporarily) trying to force PAP to use the userPassword attribute.

$ man unlang

  See !*.  You can delete attributes from the control list.  So...
delete the NT-Password attribute after it was added, and before it's
used for authentication.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
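An added example of the workaround Alan describes, not code from the post or from the FreeRADIUS project: the authorize section of the virtual server that handles the PAP request, with the NT-Password and LM-Password that the ldap module has just loaded from sambaNTPassword/sambaLMPassword deleted before the pap module sees them, so only the cleartext password from userPassword remains for the comparison. The module names are the stock 2.x ones; the section layout is an assumption for illustration.

```unlang
# Added example (not from the list post or the FreeRADIUS project).
# Assumes the stock 2.x ldap attrmap, which copies userPassword to
# control:User-Password and sambaNTPassword/sambaLMPassword to
# control:NT-Password / control:LM-Password.
authorize {
    preprocess
    ldap            # loads the password attributes listed above into control:

    # Temporary workaround while the samba hashes are unreliable:
    # "!* ANY" deletes every instance of the attribute, whatever its value,
    # so the pap module can no longer pick the NT hash for the check.
    update control {
        NT-Password !* ANY
        LM-Password !* ANY
    }

    pap             # sets Auth-Type PAP; only the cleartext password is left to use
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

The deletion has to sit between ldap and pap: before ldap there is nothing to delete, and once pap has run in authorize it has already decided which password attribute it will compare against. Remove the update block again once the samba hashes are generated correctly, otherwise MS-CHAP methods that need NT-Password will stop working.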


Re: Restrict user only to a NAS

2011-05-10 Thread Marcos TP
Hello,
Huntgroups I know, but the functionality they provide is not for me.
I need the user to only have permission to access one NAS; the most I could do
with Huntgroups was to restrict the access group, because several groups have
access, containing their speed, and I can not do the search by access group,
but by concentrator.
I think the lock should be in the Login table, where I have a field to
indicate which NAS that User has access to.
Then make the restriction in the file sql.conf so that the user responds to this
condition.

Did someone follow my reasoning?


I believe you have to use Huntgroups to do that

 http://wiki.freeradius.org/SQL_Huntgroup_HOWTO



 On Tue, May 10, 2011 at 3:30 PM, Marcos TP mark...@gmail.com wrote:

 I forgot to mention that I use MySQL to manage my users and NAS.
 In the table that records the users there is a field 'radnas_id' where I
 can indicate the NAS that he is entitled to connect to, but I can not enable
 this restriction
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Custom Accounting Fields

2011-05-10 Thread Alan DeKok
Tim Donahue wrote:
 Hi all,
 
 We are using Freeradius for accounting from our voip system.  Is there
 documentation somewhere, that you can point me to, on how I can add a
 couple of custom vendor fields to the radacct database schema and the
 INSERT query?

  raddb/sql.conf

  This is documented.

 I have no problem reading the documentation, but I can't seem to find
 which documentation I need to review, especially to find what the
 default SQL query is, so I can make sure that the data stays consistent.

  The configuration files are *loaded* with comments.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


about access denied and Reject

2011-05-10 Thread Tanjil Ahmed
Dear All

I'm using version freeradius-server-2.1.8, and Radius Manager is also
installed here.

When my Mikrotik PPPoE users get disconnected and try to relogin they
can't: I get "Access Denied, you are already logged in" and "Reject: authentication
failed" messages like that from my RADIUS server. At once too many
connections cannot login here. How do I resolve it?


thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: about access denied and Reject

2011-05-10 Thread Tanjil Ahmed
I'm getting this log from Mikrotik; some users are connected, some are not

g,packet received Access-Reject with id 190 from 10.10.100.7:1812

On Wed, May 11, 2011 at 1:15 AM, Tanjil Ahmed tan...@tanjil.net wrote:

 Dear All

 I'm using version freeradius-server-2.1.8, and Radius Manager is also
 installed here.

 When my Mikrotik PPPoE users get disconnected and try to relogin they
 can't: I get "Access Denied, you are already logged in" and "Reject: authentication
 failed" messages like that from my RADIUS server. At once too many
 connections cannot login here. How do I resolve it?


 thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Restrict user only to a NAS

2011-05-10 Thread Brian Candler
On Tue, May 10, 2011 at 01:59:44PM -0300, Marcos TP wrote:
Huntgroups I know, but the functionality it provides me not for me.
I need the user only has permission to access a NAS, as much as I could
with Huntgroups was to restrict the access group, because several
groups have access, containing their speed and can not do the search
for access group, but by concentrator.

Read the unlang documentation; then add some logic in the authorize
section of your server config.  You don't even need huntgroups if you're
just authorizing a single NAS-IP-Address:

if (%{control:Permitted-NAS} && %{control:Permitted-NAS} != NAS-IP-Address) {
    reject
}

However I'd suggest you use huntgroups for greater flexibility.

if (%{control:Permitted-Huntgroup} && %{control:Permitted-Huntgroup} != Huntgroup-Name) {
    reject
}

Using this approach, you'd need to add a new attribute in your dictionary,
such as Permitted-NAS and Permitted-Huntgroup in the examples above (I
just picked these at random).

Then in the radcheck table for the user, set the control attribute:

 Permitted-NAS   :=   1.2.3.4

That's one way to do it anyway.

I think the lock should be in the Login table, where I have a field to
indicate which NAS that User has access.

Ah, well if you have a custom schema, then you need to show the schema.

If you have a users table and you do a join to select the radcheck
attributes, then you could just change the query you're using, limiting it
to only matching the expected NAS-IP-Address or Huntgroup-Name:

... AND (permitted_nas = '%{NAS-IP-Address}'
 OR permitted_nas IS NULL)

alternatively:

... AND (permitted_huntgroup = '%{Huntgroup-Name}'
 OR permitted_huntgroup IS NULL)

Regards,

Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
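An added, complete version of the control-attribute approach Brian sketches, not his code or the project's: an authorize section that loads the user's radcheck rows with the sql module and then rejects the request when the NAS (or its huntgroup) is not the one the user is allowed on. The dictionary entries, the attribute numbers 3000/3001 and the radcheck value 192.0.2.10 are assumptions made for the example; the quoted-xlat comparison form is the one that works across FreeRADIUS 2.x releases.

```unlang
# Added example, not Brian's or the project's code.
#
# Assumed prerequisites (all made up for this example):
#   raddb/dictionary:  ATTRIBUTE  Permitted-NAS        3000  ipaddr
#                      ATTRIBUTE  Permitted-Huntgroup  3001  string
#   radcheck row:      Permitted-NAS  :=  192.0.2.10    (constructed sample)
authorize {
    preprocess      # adds Huntgroup-Name from raddb/huntgroups (variant 2 only)
    sql             # loads the user's radcheck rows into the control list

    # Variant 1: the user may only log in through one NAS address.
    # A user with no Permitted-NAS row stays unrestricted, because the
    # first operand expands to an empty string and the condition is false.
    if ("%{control:Permitted-NAS}" && "%{control:Permitted-NAS}" != "%{NAS-IP-Address}") {
        update reply {
            Reply-Message := "Login not permitted from this NAS"
        }
        reject
    }

    # Variant 2: the user may only log in through NASes in one huntgroup.
    if ("%{control:Permitted-Huntgroup}" && "%{control:Permitted-Huntgroup}" != "%{Huntgroup-Name}") {
        update reply {
            Reply-Message := "Login not permitted from this NAS group"
        }
        reject
    }

    # Only a request from a permitted NAS reaches the credential checks.
    pap
    mschap
}
```

The order matters twice: sql must run before the comparison so that the control attribute exists, and the comparison sits before pap/mschap so that no password is ever checked for a NAS the user is not allowed on. Reply-Message is one of the few attributes the server keeps in an Access-Reject, so the NAS operator can see from the reject why it was sent, while the user's password is never involved in that decision.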


De-autentication

2011-05-10 Thread Rodrigo Yoshioka
Hi,

I have just experienced a weird problem. I usually watch the Mikrotik log 
of my PPPoE, and at some point more than 100 clients disconnected from it. I 
was looking at the RADIUS log, and I noticed this information.

Tue May 10 11:50:49 2011 : Error: Discarding duplicate request from client 
XXX.XXX.XXX.XXX/24:49942 - ID: 217 due to unfinished request 627656
Tue May 10 11:50:49 2011 : Error: Dropping conflicting packet from client 
XXX.XXX.XXX.XXX/24:54930 - ID: 202 due to unfinished request 627641

It repeated dozens of times...

Do you know what could have happened?



Thanks


Rodrigo Yoshioka
Suporte Tecnico
Rede Telecom
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: De-autentication

2011-05-10 Thread Marinko Tarlac

slow database (probably)...

On 5/10/2011 10:08 PM, Rodrigo Yoshioka wrote:

Hi,

I have just experienced a weird problem. I usually watch the 
Mikrotik log of my PPPoE, and at some point more than 100 clients 
disconnected from it. I was looking at the RADIUS log, and I noticed 
this information.


Tue May 10 11:50:49 2011 : Error: Discarding duplicate request from 
client XXX.XXX.XXX.XXX/24:49942 - ID: 217 due to unfinished request 627656
Tue May 10 11:50:49 2011 : Error: Dropping conflicting packet from 
client XXX.XXX.XXX.XXX/24:54930 - ID: 202 due to unfinished request 627641


It repeated dozens of times...
Do you know what could have happened?



Thanks


Rodrigo Yoshioka
Suporte Tecnico
Rede Telecom


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: De-autentication

2011-05-10 Thread Alan DeKok
Rodrigo Yoshioka wrote:
 I have just experienced a weird problem. I usually watch the
 Mikrotik log of my PPPoE, and at some point more than 100 clients
 disconnected from it. I was looking at the RADIUS log, and I noticed
 this information.
 
 Tue May 10 11:50:49 2011 : Error: Discarding duplicate request from
 client XXX.XXX.XXX.XXX/24:49942 - ID: 217 due to unfinished request 627656
 Tue May 10 11:50:49 2011 : Error: Dropping conflicting packet from
 client XXX.XXX.XXX.XXX/24:54930 - ID: 202 due to unfinished request 627641
 
 It repeated dozens of times...
  
 Do you know what could have happened?

  The database used by FreeRADIUS is probably too slow.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Free Radius 2.1.8 + Mikrotik

2011-05-10 Thread Ahmed Syed
Can someone give me a hint how to solve following:

We are using a PPPoE server with FreeRadius authentication and we are using
Simultaneous Use Checking. We are limiting the number of simultaneous
connections to 1.

The problem is in a nonstandard situation when the PPPoE server is restarted
in a nonstandard way and open sessions remain on the radius. New connections
are unauthorized because of simultaneous checking. We must manually delete
open sessions.

All users get "Reject/authentication failed" at that time...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Free Radius 2.1.8 + Mikrotik

2011-05-10 Thread Zero Cool
Dear All, sometimes I'm getting this type of message from FreeRADIUS!



[radutmp]   expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp]   expand: %{User-Name} -> bnetelvis
checkrad: No NAS type, or type other not checking
++[radutmp] returns ok
Using Post-Auth-Type Reject


On Wed, May 11, 2011 at 2:50 AM, Ahmed Syed zerocoo...@gmail.com wrote:

 Can someone give me a hint how to solve following:

 We are using a PPPoE server with FreeRadius authentication and we are using
 Simultaneous Use Checking. We are limiting the number of simultaneous
 connections to 1.

 The problem is in a nonstandard situation when the PPPoE server is restarted
 in a nonstandard way and open sessions remain on the radius. New connections
 are unauthorized because of simultaneous checking. We must manually delete
 open sessions.

 All users get "Reject/authentication failed" at that time...




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Free Radius 2.1.8 + Mikrotik

2011-05-10 Thread Alexander Clouter
Ahmed Syed zerocoo...@gmail.com wrote:
 
 Can someone give me a hint how to solve following:
 
 We are using a PPPoE server with FreeRadius authentication and we are using
 Simultaneous Use Checking. We are limiting the number of simultaneous
 connections to 1.
 
 The problem is in a nonstandard situation when the PPPoE server is restarted
 in a nonstandard way and open sessions remain on the radius. New connections
 are unauthorized because of simultaneous checking. We must manually delete
 open sessions.
 
 All users get "Reject/authentication failed" at that time...
 
 
Set your Acct-Interim-Interval to something low (say 300 seconds) and 
amend your SQL check for Simultaneous-Use so that it ignores stale data 
that has not been updated in more than 900 seconds (a value three times 
larger than Acct-Interim-Interval).

You need to have serious words with your NAS vendor why you are not 
seeing accounting on-off packets (your NAS will send a 'reset' 
accounting packet to your RADIUS server that you can use to trigger an 
early session stop for all the users).

Cheers

-- 
Alexander Clouter
.sigmonster says: Accordion, n.:
A bagpipe with pleats.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
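An added example of the two settings Alexander recommends, not his code or the project's: the interim interval handed to the NAS from the post-auth section, and the Simultaneous-Use count query from the 2.x MySQL dialup.conf amended so that a session the NAS has not refreshed for 900 seconds (three times the 300-second interval) no longer counts as open. The assumption is the stock 2.x radacct schema, where interim updates refresh acctsessiontime, so the last time the NAS confirmed a session is acctstarttime + acctsessiontime; the 300/900 values are the ones from the reply above.

```unlang
# Added example, not Alexander's or the project's code.

# 1. In the post-auth section of the virtual server (sites-enabled/default):
#    ask the NAS to send an Interim-Update for every session every 300 s.
post-auth {
    update reply {
        Acct-Interim-Interval := 300
    }
    sql
}

# 2. In raddb/sql/mysql/dialup.conf: the stock simul_count_query with one
#    extra condition.  Sessions without a stop record are counted only if
#    their last interim update (acctstarttime + acctsessiontime, assumption:
#    2.x schema, MySQL) is less than 900 s old, so sessions orphaned by a
#    NAS crash stop blocking the user after at most 15 minutes.
simul_count_query = "SELECT COUNT(*) \
                     FROM ${acct_table1} \
                     WHERE username = '%{SQL-User-Name}' \
                     AND acctstoptime IS NULL \
                     AND UNIX_TIMESTAMP(acctstarttime) + COALESCE(acctsessiontime, 0) \
                         > UNIX_TIMESTAMP(NOW()) - 900"
```

The 900-second margin has to stay well above the interim interval, or a single lost Interim-Update packet would let a user open a second session while the first is still live. The reset packet Alexander mentions is Accounting-On/Off; the same dialup.conf ships an accounting_onoff_query that closes every open session for the NAS when such a packet arrives, and the stale-session filter above only covers the case where that packet never comes.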


Custom reply message

2011-05-10 Thread Franz
Hi,
I have freeradius 2.1.10 installed and was able to customize some reply
messages to another language; the only one I am unable to change is the one
for the simultaneous login check. Where would I change this reply message?

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html