Re: segmentation fault when calling inst->module->sql_error

2002-08-01 Thread CheongMeng

Hi,

found a small bug which causes a segmentation fault when the sql socket is not
found for mysql.

the patch is for src/modules/rlm_sql/sql_mysql.c


patch:

--- sql_mysql.c.org Fri Aug  2 14:02:29 2002
+++ sql_mysql.c Fri Aug  2 14:03:41 2002
@@ -288,6 +288,12 @@

*/
 char *sql_error(SQLSOCK * sqlsocket, SQL_CONFIG *config) {
rlm_sql_mysql_sock *mysql_sock = sqlsocket->conn;
+
+   if (mysql_sock == NULL || mysql_sock->sock == NULL) {
+   radlog(L_INFO, "rlm_sql: sql sock null");
+   return NULL;
+   }
+
return mysql_error(mysql_sock->sock);
 }
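Review bot: returning NULL here is not safe for the caller this patch is meant to protect: the rlm_sql.c call quoted below passes `(inst->module->sql_error)(sqlsocket, inst->config)` straight into a `%s` conversion in radlog, so a NULL return only moves the fault from the `mysql_sock->sock` dereference to the printf-style formatting on any libc that does not special-case NULL for `%s`. Return a static string instead (e.g. `return "rlm_sql: no connection";`) so every existing `%s` caller stays well-defined without further changes. The log level also looks too low: an error string being requested while the SQL socket is unusable is an error condition, so L_ERR fits better than L_INFO.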


On Thu, 25 Jul 2002, CheongMeng wrote:

> Date: Thu, 25 Jul 2002 18:00:21 +0800 (SGT)
> From: CheongMeng <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: segmentation fault when calling inst->module->sql_error
>
> Hi,
>
> I am using freeradius CVS (25 July) & mysql for accounting.
>
> noticed that radiusd always gets a segmentation fault when it calls the
> function (sql_error()) in rlm_sql.c, eg:
>
> if (rlm_sql_query(sqlsocket, inst, querystr)) {
>         radlog(L_ERR, "rlm_sql: Couldn't update SQL accounting STOP record - %s",
>                (char *)(inst->module->sql_error)(sqlsocket, inst->config));
> }
>
> it doesn't happen in the 0.6 release.
>
> just would like to check if this happens to anyone else on the list.
>
> I will be grateful, if anyone can shed some light :)
> thx in advance.
>
>

-- 
Cheers,
CM.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Strange problem with pam_radius_auth (SOLVED)

2002-08-01 Thread Frank Cusack

On Thu, Aug 01, 2002 at 06:47:10PM +0600, Dr. Muhammad Masroor Ali wrote:
> My problem has been solved by the kind suggestion of Mojahedul Hoque Abul Hasanat
> <[EMAIL PROTECTED]>. Direct quote from his mail.
> 
> 
> 
> This is a bit of a wild guess, but might help.  Put an "account" line in squid's
> pam config file with pam_permit.so as the module.  The line will be
> similar to:
> 
> account required pam_permit.so
> 
> I have seen some applications that don't seem to need an "account"
> section at first glance.  But they open a pam session requiring an
> account entry.  They do it to impose login time restrictions.
> 
> 
> 
> 
> > Greetings,
> > I have tried both the kind suggestions of Alan DeKok and Frank Cusack
> > to no avail. First of all, the latest version from CVS did
> > improve the situation. And second, putting daemon.debug in syslog.conf
> > is not generating anything. The relevant lines I used,
> >
> > # Daemon debug messages
> > daemon.debug    /usr/local/var/log/deamondebuglog
> >
> > Yes, this file exists (created by touch) and I remembered to restart
> > syslogd.
> >
> > I am really frustrated. Any help will be appreciated.
> >
> 
> --
> Nobody's gonna believe that computers are intelligent until they start
> coming in late and lying about it.
> 
> Dr. Muhammad Masroor Ali
> Associate Professor and Associate Director
> Institute of Information and Communication Technology
> Bangladesh University of Engineering and Technology
> Dhaka-1000, Bangladesh
> 
> Phone: 880 2 966 5650 ext 7245, 7756 (work)
>   ext 7748 or 880 2 966 5700 (residence)
> FAX: 880 2 861 3046, 880 2 861 3026
> 
> 
> 




Re: Is it possible to have more than one users list?

2002-08-01 Thread Andrew Tait



It most certainly is.
 
Put something like this in your main users file:

$INCLUDE /etc/raddb/users.perm
$INCLUDE /etc/raddb/users.sat

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874
"It's the smell! If there is such a thing." Agent Smith - The Matrix

  - Original Message -
  From: Kim
  To: [EMAIL PROTECTED]
  Sent: Friday, August 02, 2002 9:49 AM
  Subject: Is it possible to have more than one users list?

  Hi,

  I'm using FreeRADIUS 0.4 and I have one users file and one access deny list.
  The access deny list contains IDs and phone numbers extracted from a DB2
  database. I need to use this access deny list and make sure that all users
  on this list can NOT access the Radius server.
  The access deny list is dynamic and it changes.
  Does anybody know if this is possible? Is there some documentation on how
  to use more than one users file, one users file and one access deny list?
  I would appreciate any help or hint.

  Thanks

  Kim


Is it possible to have more than one users list?

2002-08-01 Thread Kim



Hi,

I'm using FreeRADIUS 0.4 and I have one users file and one access deny list.
The access deny list contains IDs and phone numbers extracted from a DB2
database. I need to use this access deny list and make sure that all users on
this list can NOT access the Radius server.
The access deny list is dynamic and it changes.
Does anybody know if this is possible? Is there some documentation on how to
use more than one users file, one users file and one access deny list?
I would appreciate any help or hint.

Thanks

Kim


Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Artur Hecker


hi

> I was mistaken, but I was always under the impression that EAP/TLS ||
> EAP/MD5 was something like Cisco's LEAP where Supplicant -> AP
> encryption is possible.  Thanks for clearing that up!  I now understand
> that it's not the same thing :)

i don't know much about leap, but i think that it actually is. except
that cisco leap is a completely proprietary product, including the user,
the client and server parts. so, basically they could make it using SMTP
and you wouldn't even know. what i want to say, leap kind of combines
different routines needed for authentication and the final key
distribution in an unknown way (at least for me). eap/??? is always only
the authentication part of the whole scenario. additionally, eap/md5 and
eap/tls are in some rfcs while no part of cisco leap is, as far as
i know. that's for the authentication part. then, for the actual key
distribution, the key distribution paths in leap and in mppe (which is
also proprietary actually, but they at least have an informational rfc)
are not the same, they say.

what you should finally accept is: the authentication can happen without
key distribution. it's very very dumb to do so; the key should even
depend on the information exchanged securely during the successful
authentication but there is no magic about it - if there is no provision
for it, it will not happen automatically.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info




RE: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Jason Lixfeld

I was mistaken, but I was always under the impression that EAP/TLS ||
EAP/MD5 was something like Cisco's LEAP where Supplicant -> AP
encryption is possible.  Thanks for clearing that up!  I now understand
that it's not the same thing :)

Thanks for your replies, and again thanks for the great How-To.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of 
> Artur Hecker
> Sent: Thursday, August 01, 2002 4:23 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Howto on EAP/MD5 with Windows XP
> 
> 
> Hello :-)
> 
> 
> 
> > Yes, I understand that TLS negotiates WEP keys dynamically based on the
> > certificate information shared between the AAA server and the
> > supplicant.  I don't think I explained myself well enough in my first
> > reply, as my terminology is lacking due to the fact that I am not
> > extremely familiar with all of this quite yet.  Basically, I was
> > wondering if the EAP/MD5 combination does in fact encrypt the data
> > between the client and AP, period.  Correct me if I am wrong, but this
> 
> Look, that's exactly what I tried to explain below: EAP/MD5 does not
> encrypt anything on the air interface. Nor does TLS. Those are two
> authentication methods which happen between the USER and the SERVER. The
> air encryption is between AP and USER, ok? :-)
> 
> 
> > method encrypts a preshared WEP key shared between the supplicant and
> > the AP using MD5?  That same MD5 challenge is used to encrypt the data
> > between the AP and the supplicant?  If yes, I know it's not as secure as
> > negotiated dynamic keys but nonetheless, it's encryption of some sort,
> > which is better than just a wep key and unencrypted data between
> > supplicant and AP.
> 
> Ahem, no, no, no and once more: NO. You can define static WEP keys but
> that has nothing to do with EAP/MD5. It's a basic misunderstanding,
> that's why I tried to explain it below. Please, read it. Everything
> that's WEP begins AFTER the EAP/MD5 has successfully finished. Otherwise
> it doesn't happen at all. That's the sense of the port control (which
> EAP/MD5 is part of).
> 
> 
> > Your explanation below is a little over my head, so please forgive me
> > if I've asked a question or made an assumption which is contrary to the
> > explanation you gave below in the first place :)
> 
> Shake it and try to reread it, I think it's comprehensive. But make your
> head free of wrong assumptions about the WEP keys and the EAP
> authentication.
> 
> You are confusing the SKA (WEP secret based network authentication) with
> EAP/MD5. SKA would represent a very similar exchange to EAP/MD5 but
> it's completely different in terms of protocol, used cryptographic
> bricks (RC4 in WEP and MD5 in EAP/MD5) and where it takes place. And: it
> is not secure at all since WEP has a lot of security flaws with
> available tools to use those.
> 
> 
> Regards,
> 
> artur
> 
> 
> -- 
> Artur Hecker
> artur[at]hecker.info
> 






Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Artur Hecker

Hello :-)



> Yes, I understand that TLS negotiates WEP keys dynamically based on the
> certificate information shared between the AAA server and the
> supplicant.  I don't think I explained myself well enough in my first
> reply, as my terminology is lacking due to the fact that I am not
> extremely familiar with all of this quite yet.  Basically, I was
> wondering if the EAP/MD5 combination does in fact encrypt the data
> between the client and AP, period.  Correct me if I am wrong, but this

Look, that's exactly what I tried to explain below: EAP/MD5 does not
encrypt anything on the air interface. Nor does TLS. Those are two
authentication methods which happen between the USER and the SERVER. The
air encryption is between AP and USER, ok? :-)


> method encrypts a preshared WEP key shared between the supplicant and
> the AP using MD5?  That same MD5 challenge is used to encrypt the data
> between the AP and the supplicant?  If yes, I know it's not as secure as
> negotiated dynamic keys but nonetheless, it's encryption of some sort,
> which is better than just a wep key and unencrypted data between
> supplicant and AP.

Ahem, no, no, no and once more: NO. You can define static WEP keys but
that has nothing to do with EAP/MD5. It's a basic misunderstanding,
that's why I tried to explain it below. Please, read it. Everything
that's WEP begins AFTER the EAP/MD5 has successfully finished. Otherwise
it doesn't happen at all. That's the sense of the port control (which
EAP/MD5 is part of).


> Your explanation below is a little over my head, so please forgive me
> if I've asked a question or made an assumption which is contrary to the
> explanation you gave below in the first place :)

Shake it and try to reread it, I think it's comprehensive. But make your
head free of wrong assumptions about the WEP keys and the EAP
authentication.

You are confusing the SKA (WEP secret based network authentication) with
EAP/MD5. SKA would represent a very similar exchange to EAP/MD5 but
it's completely different in terms of protocol, used cryptographic
bricks (RC4 in WEP and MD5 in EAP/MD5) and where it takes place. And: it
is not secure at all since WEP has a lot of security flaws with
available tools to use those.


Regards,

artur


-- 
Artur Hecker
artur[at]hecker.info




RE: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Jason Lixfeld

> > How does EAP/MD5 compare with EAP/TLS in regards to data encryption
> > over the air between the Client and the AP?  Is it the same, just
> > using a different mechanism to do the encryption (MD5 challenge,
> > versus a Certificate)?
> 
> Short answer: 
> 
> NO, it's not the same! EAP/TLS can negotiate dynamic WEP-keys which
> EAP/MD5 simply *can't*. FreeRADIUS now begins to support these dynamic
> WEP keys using Henrik and Lars' patch and thanks to the recent changes.
> This patch is/will be integrated into 0.7.

Yes, I understand that TLS negotiates WEP keys dynamically based on the
certificate information shared between the AAA server and the
supplicant.  I don't think I explained myself well enough in my first
reply, as my terminology is lacking due to the fact that I am not
extremely familiar with all of this quite yet.  Basically, I was
wondering if the EAP/MD5 combination does in fact encrypt the data
between the client and AP, period.  Correct me if I am wrong, but this
method encrypts a preshared WEP key shared between the supplicant and
the AP using MD5?  That same MD5 challenge is used to encrypt the data
between the AP and the supplicant?  If yes, I know it's not as secure as
negotiated dynamic keys but nonetheless, it's encryption of some sort,
which is better than just a wep key and unencrypted data between
supplicant and AP.

Your explanation below is a little over my head, so please forgive me
if I've asked a question or made an assumption which is contrary to the
explanation you gave below in the first place :)

> 
> Explanation:
> 
> Every EAP mechanism being part of 802.1x basically defines the
> authentication scheme. So, neither of both has a direct regard to the
> air encryption, i.e. the RFCs of both specifications do not talk about
> the used WEP encryption and WEP keys. The problem generally is that from
> the point of view of the supplicant (user) the EAP communication ends at
> the server, while the WEP encryption takes place between the supplicant
> and the AP. According to the idea of 802.1x the AP will not participate
> in whichever EAP conversation. (It even couldn't in the case of TLS,
> that's the sense of TLS). So, what to do?
> 
> However, EAP/TLS has a great advantage over EAP/MD5 because it
> negotiates the master keys (every TLS does). EAP/MD5 can't negotiate
> anything, it only verifies the identity with a rather weak method,
> cryptanalytically speaking and compared to the PK-based TLS.
> 
> Anyway, some negotiated key material is available at the supplicant
> (user) and the authentication server after the TLS exchange. This
> material could be used to derive some other keys, which could then be
> sent to the AP (radius-client) using some (new) attributes. The
> supplicant already has the necessary key material since it participated
> in the TLS exchange.
> 
> This advantage is used by MS and Cisco in their MPPE definition for
> WLANs (see e.g. RFCs 3078 and 3079 and Cisco documentation at
> www.cisco.com). The server adds the MPPE-Send-Key and MPPE-Recv-Key
> attributes, puts in these the derived key material and sends them to the
> client (AP). The AP has to understand these attributes. It then derives the
> unicast and broadcast keys, encrypts them with the negotiated key and
> sends those in the EAPOL-Key message to the user. The user uses its own
> key to decrypt the received EAPOL keys. These keys are set up as dynamic
> WEP keys on the user side and by the AP. An exact description of the
> exchange is being prepared as far as I know. Ask Raghu or Henrik in
> case of doubt (or look in the RFCs :-))
> 
> The patch provided by Henrik and Lars adds the MPPE attributes to the
> server Accept message. There are people reporting that it works. In my
> case, with a Cisco AP340 I currently fail to activate it correctly:
> setting up dynamic WEP results in a communication breakdown. I'm
> currently on it, I hope the guys will help me ;-)
> 
> 
> That's it.
> 
> Artur
> 
> 
> 
> -- 
> Artur Hecker
> artur[at]hecker.info
> 






Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Alan DeKok

Artur Hecker <[EMAIL PROTECTED]> wrote:
> how can i supply the changes? do i mail the new version to you?

  Sure.

  Alan DeKok.




Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Artur Hecker



>   "Smart" quotes are annoying, so I've deleted them.  Other than that,
> I haven't changed anything other than minor formatting.

i'm sorry, it was originally a word document :-) and ms interpretation
of what is html is really kind of bizarre...

how can i supply the changes? do i mail the new version to you?



-- 
Artur Hecker
artur[at]hecker.info




Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Alan DeKok

Artur Hecker <[EMAIL PROTECTED]> wrote:
> I've written a small html-howto on EAP/MD5 with Windows XP. Raghu
> advised me to send it to the list. So here we go. (Since the file isn't
> big and I don't have a reliable web-server I will attach it to the
> message.)
> 
> Comments are highly appreciated. 

  http://www.freeradius.org/doc/EAP-MD5.html

  "Smart" quotes are annoying, so I've deleted them.  Other than that,
I haven't changed anything other than minor formatting.

  Alan DeKok.




Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Artur Hecker


Hi Pavel


> I'd suggest adding a note to the document about the way WinXP asks for the
> user's identification info.

Ok, I'll add some text on it, you are right.


Ciao
artur


-- 
Artur Hecker
artur[at]hecker.info




Re: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Artur Hecker


Hello Jason


> How does EAP/MD5 compare with EAP/TLS in regards to data encryption over
> the air between the Client and the AP?  Is it the same, just using a
> different mechanism to do the encryption (MD5 challenge, versus a
> Certificate)?

Short answer: 

NO, it's not the same! EAP/TLS can negotiate dynamic WEP-keys which
EAP/MD5 simply *can't*. FreeRADIUS now begins to support these dynamic
WEP keys using Henrik and Lars' patch and thanks to the recent changes.
This patch is/will be integrated into 0.7.


Explanation:

Every EAP mechanism being part of 802.1x basically defines the
authentication scheme. So, neither of both has a direct regard to the
air encryption, i.e. the RFCs of both specifications do not talk about
the used WEP encryption and WEP keys. The problem generally is that from
the point of view of the supplicant (user) the EAP communication ends at
the server, while the WEP encryption takes place between the supplicant
and the AP. According to the idea of 802.1x the AP will not participate
in whichever EAP conversation. (It even couldn't in the case of TLS,
that's the sense of TLS). So, what to do?

However, EAP/TLS has a great advantage over EAP/MD5 because it
negotiates the master keys (every TLS does). EAP/MD5 can't negotiate
anything, it only verifies the identity with a rather weak method,
cryptanalytically speaking and compared to the PK-based TLS.

Anyway, some negotiated key material is available at the supplicant
(user) and the authentication server after the TLS exchange. This
material could be used to derive some other keys, which could then be
sent to the AP (radius-client) using some (new) attributes. The
supplicant already has the necessary key material since it participated
in the TLS exchange.

This advantage is used by MS and Cisco in their MPPE definition for
WLANs (see e.g. RFCs 3078 and 3079 and Cisco documentation at
www.cisco.com). The server adds the MPPE-Send-Key and MPPE-Recv-Key
attributes, puts in these the derived key material and sends them to the
client (AP). The AP has to understand these attributes. It then derives the
unicast and broadcast keys, encrypts them with the negotiated key and
sends those in the EAPOL-Key message to the user. The user uses its own
key to decrypt the received EAPOL keys. These keys are set up as dynamic
WEP keys on the user side and by the AP. An exact description of the
exchange is being prepared as far as I know. Ask Raghu or Henrik in
case of doubt (or look in the RFCs :-))

The patch provided by Henrik and Lars adds the MPPE attributes to the
server Accept message. There are people reporting that it works. In my
case, with a Cisco AP340 I currently fail to activate it correctly:
setting up dynamic WEP results in a communication breakdown. I'm
currently on it, I hope the guys will help me ;-)


That's it.

Artur



-- 
Artur Hecker
artur[at]hecker.info

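Artur's point that EAP/MD5 only verifies an identity and leaves nothing behind that could become a key is easiest to see by walking the exchange itself. The following is an added example written for this page, not code from FreeRADIUS or from Artur's HOWTO: it builds the EAP-Request/MD5-Challenge the AAA server sends, the supplicant's EAP-Response (MD5 over Identifier, password and challenge, as RFC 1994 and RFC 3748 specify for the MD5-Challenge type), and the server's Success/Failure decision. The user name, password and 16-byte challenge are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# EAP codes and the MD5-Challenge method type (RFC 3748, sections 4 and 5.4).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed sample data: what the server's users file would hold for the test user.
SAMPLE_USERS: Dict[bytes, bytes] = {b"testuser": b"Hello"}
SAMPLE_CHALLENGE = bytes(range(16))  # fixed only so the run is reproducible


def eap_packet(code: int, identifier: int, eap_type: Optional[int] = None,
               type_data: bytes = b"") -> bytes:
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def md5_type_data(value: bytes, name: bytes) -> bytes:
    """MD5-Challenge Type-Data: Value-Size(1) Value Name."""
    return bytes([len(value)]) + value + name


def parse_md5_packet(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    """Decode (code, identifier, value, name) from an EAP MD5-Challenge packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return code, identifier, value, packet[6 + value_size:]


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style response value: MD5(Identifier || secret || Challenge), RFC 1994 4.1."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_challenge(identifier: int, challenge: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """AAA server side: issue EAP-Request/MD5-Challenge; the challenge must be fresh and random."""
    if challenge is None:
        challenge = os.urandom(16)
    request = eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                         md5_type_data(challenge, b""))
    return challenge, request


def supplicant_response(request: bytes, name: bytes, password: bytes) -> bytes:
    """Supplicant side: answer the request; this is the only place the password is used."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                      md5_type_data(value, name))


def server_decide(response: bytes, identifier: int, challenge: bytes,
                  users: Dict[bytes, bytes]) -> bytes:
    """AAA server side: recompute the expected value from the cleartext password and
    answer EAP-Success or EAP-Failure. Nothing else (no key material) comes out of this."""
    try:
        code, resp_id, value, name = parse_md5_packet(response)
    except ValueError:
        return eap_packet(EAP_FAILURE, identifier)
    password = users.get(name)
    ok = (code == EAP_RESPONSE and resp_id == identifier and password is not None
          and hmac.compare_digest(value, md5_response_value(identifier, password, challenge)))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)


def run_exchange(users: Dict[bytes, bytes], name: bytes, password: bytes,
                 identifier: int = 1, challenge: Optional[bytes] = None) -> int:
    """Drive the three messages end to end; returns the final EAP code (3 Success, 4 Failure)."""
    challenge, request = server_challenge(identifier, challenge)
    response = supplicant_response(request, name, password)
    return server_decide(response, identifier, challenge, users)[0]


if __name__ == "__main__":
    print("correct password:", run_exchange(SAMPLE_USERS, b"testuser", b"Hello", 7, SAMPLE_CHALLENGE))
    print("wrong password:  ", run_exchange(SAMPLE_USERS, b"testuser", b"hello", 7, SAMPLE_CHALLENGE))
```

The only secret-dependent output of the whole exchange is the 16-byte MD5 value the server compares against, so neither side ends up with a shared secret the AP could turn into WEP keys; that is exactly what EAP/TLS adds with its negotiated master key and what the MPPE-Send-Key/MPPE-Recv-Key attributes transport. Two operational consequences follow: the server needs the cleartext password (the `User-Password = "Hello"` entries in the HOWTO's users file), and every request needs a fresh random challenge, since a reused challenge would let a recorded response be replayed.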



RE: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Pavel Baranov





Here are my comments on the document:


One of the problems I had making WinXP work with 802.1x was that I didn't pay attention to
the tooltip/bubble which came from the system status bar when WinXP connected to the
Authenticator and which said to click there to enter login info for the new connection. If you
click on this bubble you get a dialog box where you enter name, password and domain, and this
info will be sent to radius for authentication. My problem was that I expected Windows to pop up
dialogs of such importance without clicking on any bubble/tooltip windows, which usually report
minor events which happen to your system, and I didn't notice this bubble/tooltip window for a while.


I'd suggest adding a note to the document about the way WinXP asks for the user's identification info.


Regards,
Pavel




-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 01, 2002 10:48 AM
To: List FreeRADIUS
Subject: Howto on EAP/MD5 with Windows XP



Hi all



I've written a small html-howto on EAP/MD5 with Windows XP. Raghu
advised me to send it to the list. So here we go. (Since the file isn't
big and I don't have a reliable web-server I will attach it to the
message.)


Comments are highly appreciated. 


More problems+workarounds and more experiences with other hardware, etc.
can be sent to my email address, I will include those.



Regards,


artur




-- 
Artur Hecker                 Groupe Accès et Mobilité
hecker[at]enst[dot]fr         Département Informatique et Réseaux
+33 1 45 81 7507        46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr                  ENST Paris





RE: Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Jason Lixfeld



This is a great How-To!  Thanks Arthur!

I have a question though.  Not specifically to Arthur, but to anyone who knows the
answer:

How does EAP/MD5 compare with EAP/TLS in regards to data encryption over the air
between the Client and the AP?  Is it the same, just using a different
mechanism to do the encryption (MD5 challenge, versus a Certificate)?

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Artur Hecker
  Sent: Thursday, August 01, 2002 1:48 PM
  To: List FreeRADIUS
  Subject: Howto on EAP/MD5 with Windows XP

Howto on EAP/MD5 with Windows XP

2002-08-01 Thread Artur Hecker

Hi all


I've written a small html-howto on EAP/MD5 with Windows XP. Raghu
advised me to send it to the list. So here we go. (Since the file isn't
big and I don't have a reliable web-server I will attach it to the
message.)

Comments are highly appreciated. 

More problems+workarounds and more experiences with other hardware, etc.
can be sent to my email address, I will include those.


Regards,

artur



-- 
Artur Hecker                  Groupe Accès et Mobilité
hecker[at]enst[dot]fr         Département Informatique et Réseaux
+33 1 45 81 7507              46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr     ENST Paris
Title: WinXP - FreeRADIUS: EAP/MD5 HowTo






FreeRADIUS EAP/MD5: Windows XP as supplicant


Basic understanding
EAP/MD5 and other types of EAP authentication are part of „Port based network
access control“, as defined in the IEEE 802.1X standard. All you have to
know at this time are the three main actors:


AAA server (RADIUS) which will verify user credentials and give commands
to accept or reject the user login request.


the network access device (NAS), which will take the EAP-frames out of
the traffic on one side and translate them into RADIUS-attributes on the
other and vice versa, thus acting as pass-through device.


the one to be authenticated, i.e. your Windows/Linux whatever machine using
the WLAN



Server configuration (FreeRADIUS)
Assumptions:


You have a server that starts without any errors when doing:

./radiusd -s -x


You have at least one properly configured client which we will call access
point (ap) from now on.


You have at least one configured user and your

radtest user password 10 secret

works from a test host (e.g. localhost), i.e. you receive an Accept
message from your server.
Please take a look at the provided configuration files in order to accomplish
the setup so far. It's really not difficult to have the system configured
this way by just correcting the supplied configuration files. The files
concerned here are in the etc directory of your FreeRADIUS
server:


users


clients.conf


radiusd.conf

User configuration (users):
Alter the existent user or add another one which will be used for test
purposes. The simplest possible configurations are given in the examples.
More complicated configurations are out of the scope of this document.
Examples:
Auth-Type := System, User-Password = "Hello"
or
Auth-Type := Local, User-Password = "Hello"
Please note the ":=" operator. "=" instead will not work.
Sections (radiusd.conf):
The interesting part here are authorize AND authenticate
sections. (At the very bottom of the file.) Ignore all the following as
those will deal with the accounting.
authorize {
  preprocess
  files
  eap
}

authenticate {
  eap
}
Finally, the EAP module itself has to be configured this way:
eap {
  md5 {
  }
}
That’s it for FreeRADIUS

Client configuration
First of all: please read the documentation of your client. There are
plenty of different clients on the market, we can't provide any help for
them. Basically, you have to activate "Network port based 802.1X authentication",
sometimes called "Network EAP" (Cisco) or similar. Please see the Technical
Documentation of your AP. Then, of course, you have to find the "Authentication
Server" configuration part and supply the data about the used RADIUS server,
i.e. its IP address, UDP port and the pre-shared secret (the same one
you configured for your access point - client - in the FreeRADIUS
configuration files). Sometimes you can supply a bunch of those servers
and sometimes you can use them for other purposes, too, like e.g. MAC-based
access control. You only have to activate the EAP-Authentication.
Please note: you can perfectly use EAP-authentication without using
WEP or providing whichever keys in the AP. Do it so for the test purposes.
Once you’ve got it running, you can setup your WEP keys, whatever. That
will allow you to analyze traffic if something goes wrong.
For Cisco AP340 it would look like following:
[PICTURE]
Deactivate older authentication types (Open, Shared, CHAP, PAP, whatever)
to prevent misunderstanding during the test.

User configuration
Windows XP
Go to the Network Connections window. Right-click the connection corresponding
to the adapter which is going to use EAP authentication. Go to the "Authentication"
tab. If it doesn't appear (yes, it's weird sometimes) try to unplug and
plug in your adapter till it does (PCMCIA...). Otherwise, download the software
for the adapter configuration, e.g. ACU for the Cisco adapters, and
try to deactivate and reactivate the card.
In the Authentication dialog, make sure the box "Use IEEE 802.1X network
authentication" is checked. Set your EAP type there (EAP/MD5 Challenge).
That's all. Now deactivate and reactivate your LAN connection on this
adapter and it should work.


Troubleshooting

Problems:

Problem 1:
Your AP keeps on saying "Unknown
E
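The users-file entries the HOWTO above describes, as an added example that is not part of the HOWTO or of FreeRADIUS: a small Python check that parses the first line of each entry and flags an Auth-Type set with "=" instead of ":=", the mistake the text warns about. The sample entries are constructed; the regex accepts only the operators shown and quoted or single-word values.

```python
import re

# Constructed sample users-file entries in the layout the HOWTO describes:
# "<name>  <check-item>, <check-item>" on the first line of an entry; reply
# items would follow on indented continuation lines (none are needed for an
# EAP/MD5 test). carol's entry has the "=" mistake the text warns about.
SAMPLE_USERS = """\
# test users for EAP/MD5
alice   Auth-Type := System, User-Password = "Hello"
bob     Auth-Type := Local, User-Password = "Hello"
carol   Auth-Type = Local, User-Password = "Hello"
"""

# attribute, operator, value (a quoted string or a bare word)
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|\S+)\s*')


def parse_check_items(line):
    """Split an entry's first line into (name, [(attr, op, value), ...])."""
    parts = line.strip().split(None, 1)
    name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    items = []
    for chunk in (rest.split(",") if rest else []):
        m = ITEM_RE.fullmatch(chunk)
        if not m:
            raise ValueError("cannot parse check item: %r" % chunk)
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return name, items


def lint_users(text):
    """Return {name: message} for entries whose Auth-Type is not set with ':='."""
    problems = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue  # blank line, comment, or indented reply-item line
        name, items = parse_check_items(line)
        for attr, op, _value in items:
            if attr == "Auth-Type" and op != ":=":
                problems[name] = 'Auth-Type set with "%s", needs ":="' % op
    return problems


if __name__ == "__main__":
    for user, msg in sorted(lint_users(SAMPLE_USERS).items()):
        print("%s: %s" % (user, msg))
```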

No detail file generated in mod_radius_auth

2002-08-01 Thread Dr. Muhammad Masroor Ali

Hello all,
After some grueling days and kind advice from fellow netizens,
mod_radius_auth does perfect authentication for squid
(2.4.STABLE1) in my RH 7.3 linux box. However, no accounting
records are being written. That is,
/usr/local/var/log/radius/radacct/ is completely empty. My pam.d
file for squid is,

#
auth     required   /lib/security/pam_securetty.so
session  required   /lib/security/pam_radius_auth.so debug
account  required   /lib/security/pam_radius_auth.so debug
auth     required   /lib/security/pam_radius_auth.so


Nothing is being said in /var/log/messages or daemon.debug file.

What could I be missing?


--
Nobody's gonna believe that computers are intelligent until they start
coming in late and lying about it.

Dr. Muhammad Masroor Ali
Associate Professor and Associate Director
Institute of Information and Communication Technology
Bangladesh University of Engineering and Technology
Dhaka-1000, Bangladesh

Phone: 880 2 966 5650 ext 7245, 7756 (work)
  ext 7748 or 880 2 966 5700 (residence)
FAX: 880 2 861 3046, 880 2 861 3026




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Freeradius and RPM Spec File

2002-08-01 Thread Shawn O'Shea


I'm working on a FreeRADIUS rpm that I've built from scratch. I was
waiting for 0.7 (and returning from vacation, which I have) before letting
people at it. I just tried building it, but there seems to be enough
differences that I need to sit down and see what has changed (looks mainly
like a libradius was added for my old SPEC file to work out of the box).

I'll probably have something for the general public early next week.

-Shawn

On Thu, 1 Aug 2002, Sheldon Fougere wrote:

> Hi,
>
> I'm new to radius and I've been experimenting with Freeradius.  I started at
> version 0.6.  In that version in the redhat directory there was a
> freeradius.spec file that I used to build an RPM of freeradius.  This worked
> fine.  When 0.7 came out I tried the same thing.  I did notice the spec file
> was still for version 0.6 so I changed the spec file version to 0.7 but this
> failed.  The RPM didn't build.  During the build process I noticed errors
> stating that files weren't found.
>
> Is there a freeradius.spec file available for version 0.7?
>
> Thanks,
> Sheldon
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Freeradius and RPM Spec File

2002-08-01 Thread Sheldon Fougere

Hi,

I'm new to radius and I've been experimenting with Freeradius.  I started at
version 0.6.  In that version in the redhat directory there was a
freeradius.spec file that I used to build an RPM of freeradius.  This worked
fine.  When 0.7 came out I tried the same thing.  I did notice the spec file
was still for version 0.6 so I changed the spec file version to 0.7 but this
failed.  The RPM didn't build.  During the build process I noticed errors
stating that files weren't found.

Is there a freeradius.spec file available for version 0.7?

Thanks,
Sheldon


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: realmpercent & suffix

2002-08-01 Thread Alan DeKok

Vects <[EMAIL PROTECTED]> wrote:
> Could you help me with configuration of the freeradius 0.7 ?
> I want to use '@' and '%' as delimiter for realms. I added  realmpercent
> before suffix in authorisation but it's not working properly.

  It's also telling you what it's doing.  Read the messages you posted
to the list.

>   modcall[authorize]: module "preprocess" returns ok
> rlm_realm: Looking up realm NULL for User-Name = "user@"
> rlm_realm: Found realm NULL
> rlm_realm: Adding Stripped-User-Name = "user@"
>   rlm_realm: Proxying request from user user@ to realm NULL
> rlm_realm: Adding Realm = "NULL"
> rlm_realm:  Authentication realm is LOCAL.
> rlm_realm:  auth_port is not set.  proxy cancelled

  You've got a NULL realm set up, which is a catch-all for user names
not matching any other realm.

  There's no '%' in 'user@', so the 'realmpercent' configuration
says it must be a local realm.

  Then, the 'suffix' realm doesn't even look for the '@', because the
request is already marked up as being a LOCAL realm.

  The error messages you posted pretty much describe what's happening.


  A solution would be to remove the NULL realm, or to use a different
method for discovering realms.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
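Alan's explanation above, as an added example that is not FreeRADIUS code: a small Python model of the two rlm_realm instances (realmpercent with delimiter "%", then suffix with delimiter "@") with a constructed realm table. It shows how a NULL realm catches a name without "%" in the first instance, so the second never gets to look for "@", and how removing the NULL realm lets suffix find the realm.

```python
# Added example, not FreeRADIUS code: a model of two rlm_realm instances in
# "suffix" format running in the authorize section, to show why a NULL
# realm stops the second instance from ever seeing the "@" delimiter.

# Constructed realm tables: realm name -> where authentication happens.
# "NULL" is the catch-all realm for names that carry no delimiter.
REALMS_WITH_NULL = {"NULL": "LOCAL", "example.com": "proxy"}
REALMS_WITHOUT_NULL = {"example.com": "proxy"}

# Instance order as the poster configured it.
AUTHORIZE_CHAIN = [("realmpercent", "%"), ("suffix", "@")]


def realm_instance(request, delimiter, realms):
    """One rlm_realm pass; returns a trace label (not the real module rcode)."""
    if "Realm" in request:
        # "rlm_realm: Request already proxied.  Ignoring."
        return "already marked, ignored"
    name = request["User-Name"]
    if delimiter in name:
        user, _, realm = name.rpartition(delimiter)
    else:
        user, realm = name, "NULL"      # no delimiter: try the NULL realm
    if realm not in realms:
        return "no matching realm"      # leave the request to the next module
    request["Stripped-User-Name"] = user
    request["Realm"] = realm
    return "%s realm %s" % (realms[realm], realm)


def authorize(user_name, realms):
    """Run the chain; return the final request and the per-instance trace."""
    request = {"User-Name": user_name}
    trace = []
    for instance, delimiter in AUTHORIZE_CHAIN:
        trace.append((instance, realm_instance(request, delimiter, realms)))
    return request, trace


if __name__ == "__main__":
    for label, realms in (("with NULL realm", REALMS_WITH_NULL),
                          ("without NULL realm", REALMS_WITHOUT_NULL)):
        for name in ("user@example.com", "user%example.com"):
            req, trace = authorize(name, realms)
            print(label, name, "->", req.get("Realm"), trace)
```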



RE: RADIUS book from O'Reilly

2002-08-01 Thread Jonathan Hassell



Hi, 
Doug - you're right.  It goes into final proofing next Wednesday, and from 
there it goes directly to the printer.  I am skeptical that it will be 
October: I still believe mid-September is a more accurate 
estimation.
 
Jon

  



RE: RADIUS book from O'Reilly

2002-08-01 Thread De Yong, Doug





well it seems you might have to wait for the O'Reilly book


hey I've been to Rush../doug


Doug De Yong, CISSP, ESSE#1, SSE, CCSE
Sr. Sales & Security Engineer
Enterasys Networks, Lexington Kentucky


--
fatbrain.com
Radius Jonathan Hassell
Not Yet Available: Preorder Now
This book will be available on September 26, place your advance order now and we will ship it when it arrives!
Format: Paperback, 304pp.
ISBN: 0596003226
Publisher: O'Reilly & Associates, Incorporated
Pub. Date: September  2002
 
---
Amazon.com
RADIUS by Jonathan Hassell
This item will be published in October 2002. You may order it now and we will ship it to you when it arrives. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 30, 2002 4:12 PM
To: [EMAIL PROTECTED]
Subject: RE: RADIUS book from O'Reilly



This might be a dumb question, but...  I'd like to buy the book and have 
my company pay for it.  (Read:  fill out  a PO, go through the whole 
purchasing thing, blah blah blah...)  Any way for FR to get the kickback 
then?  (I'd imagine not, but figured I'd ask anyway.)


Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center


Pinball is a way of life.  My way!







"Jonathan Hassell" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/30/2002 03:07 PM
Please respond to freeradius-users


 
    To: <[EMAIL PROTECTED]>
    cc: 
    Subject:    RE: RADIUS book from O'Reilly



And I just happen to be the author of said O'Reilly book, and I monitor
this list frequently.  I haven't had time to contribute much during the
past few months, though.  At any rate, please feel free to ask any
questions about the book to me personally, or call me stupid, and I'll
do my best to respond appropriately.  (No, I won't hold it against you
for calling me stupid.)


If you do decide to purchase the book, please do so through the
FreeRADIUS site.  There is a real potential for a decent chunk of change
to become available to support the development of this project. 


Thanks for your support!


Jonathan Hassell
[EMAIL PROTECTED]


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 2:01 PM
To: [EMAIL PROTECTED]
Subject: RADIUS book from O'Reilly



  A RADIUS book from O'Reilly has been announced, and it's on Amazon.
See:


 http://www.freeradius.org/related/


  I've taken the liberty of signing up for an 'Amazon associates'
program, so if you're thinking about buying the book, please use the
link, and some $$ will be contributed to FreeRADIUS.



  Since there is currently no legal entity called "FreeRADIUS", I've
signed up for the Amazon Associates program under my name.  If the
incoming $$ are sufficient, it may be worth legally registering
FreeRADIUS as a non-profit entity.



  In any case, the moneys received from the associates program will go
to fostering the development of the server.  I will be posting periodic
summaries of the $$, and request for comment as to where/how the money
should be spent.


  If, in fact, the link makes money. :)



  In the interests of transparency, I was a technical reviewer of the
book, and saw it in pre-publication draft.  It isn't perfect, but it's
better than the nearly complete lack of documentation that comes with
the server today.  It also explains in greater detail the "why" and the
"how" of the RADIUS protocol, and may answer many initial questions
someone may have about the RADIUS protocol, and the FreeRADIUS server.


  Alan DeKok.


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





radiusd: Cannot findELF

2002-08-01 Thread Denis

Hi everybody.

My system is:

bash-2.03# uname -X
System = SunOS
Node = nnm
Release = 5.8
KernelID = Generic_108528-14
Machine = sun4u
BusType = 
Serial = 
Users = 
OEM# = 0
Origin# = 1
NumCPU = 1

I have downloaded and extracted freeradius-0.7.tar.gz

Then ./configure --localstatedir=/var --sysconfdir=/etc
make
make install

then after editing radiusd.conf:

cd /usr/local/sbin
./check-radiusd-config

I've got this message:

bash-2.03# ./check-radiusd-config
radiusd: Cannot findELF
25652 Killed
Radius server configuration looks OK.

I tried to reconfigure and rebuild like this:
./configure --localstatedir=/var --sysconfdir=/etc --disable-shared --disable-static
and I tried to edit the libdir entry in radiusd.conf to help radiusd find
libelf* but this does not work.

What kind of problem may be here?

Thanks,
Denis


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



realmpercent & suffix

2002-08-01 Thread Vects

Hi folks,
Could you help me with configuration of the freeradius 0.7 ?
I want to use '@' and '%' as delimiter for realms. I added  realmpercent
before suffix in authorisation but it's not working properly.
If I put realmpercent before suffix the '%' is working but '@' and vice
versa.

I've attached the log below.

Thanks, Serge.

Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "%"
Module: Instantiated realm (realmpercent) 
 realm: format = "suffix"
 realm: delimiter = "@"

user@
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm NULL for User-Name = "user@"
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = "user@"
  rlm_realm: Proxying request from user user@ to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module "realmpercent" returns noop
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 165
  modcall[authorize]: module "files" returns ok


user%
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_realm: Looking up realm  for User-Name = "user%"
rlm_realm: Found realm 
rlm_realm: Adding Stripped-User-Name = "user"
  rlm_realm: Proxying request from user user to realm 
rlm_realm: Adding Realm = ""
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module "realmpercent" returns noop
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 165
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: active directory

2002-08-01 Thread Vic Abell

Allister Maguire writes:
>
> We do it for our ISP, we use rlm_ldap for authorisation and rlm_pam for
> authentication (using Kerberos), works great. We have created our own
> ldap schema attributes, but you can use the Microsoft ones. One thing,
> because we use kerberos it also requires the use of nss_ldap for user
> lookup, the best option for you would be to use rlm_ldap for
> authorisation and authentication.

I would think it would also be important to configure rlm_ldap
to use TLS, lest plain text passwords be sent from the FreeRadius
server to the Active Directory Server in the simple password LDAP
authentication method rlm_ldap uses.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Cisco PPTP

2002-08-01 Thread Sergio Sagliocco

Hello

has anyone on the list already configured freeradius to work with a
Cisco IOS to authenticate users of a PPTP/MPPE VPN?

Can somebody help me?

thanks

sergio


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html