dialin server on RedHat 8.0 with RADIUS authentication

2003-09-19 Thread Alan Lehman
It seems like there is not a good explanation in any one place on how to set this up. 
Most of what follows was assembled from
existing documentation. It took a while to piece these steps together and make it 
work, so I thought I would share how I did it.
This configuration will allow Linux and Windows clients to dial in to your network, functioning similarly to a Windows NT RAS 
server. Users will be authenticated to a RADIUS server. Among other things, this provides a convenient method to authenticate users 
to an NT domain or Active Directory. Clients must authenticate using PAP (CHAP is not supported).

Prerequisites:
  Working install of RedHat 8.0
(pam_radius_auth will not work with the gcc included on RH 9)
  Working (non-win) modem (assumed to be /dev/ttyS1)
  Working RADIUS server accessible from the dialin server.
Configure a Windows RADIUS server:
For NT4, install "Internet Connection Services" for RAS from the Option Pack CD. Be sure "Internet Authentication Services" is 
selected. You will also need to install IIS, if it is not already installed. If you wish to authenticate users in an NT domain, the 
server must be a member of the domain, a PDC or BDC. By default IAS uses ports 1645 and 1646 for RADIUS. You will need to change 
this to match /etc/services on your dialin server. The Option Pack version of IAS ignores dialin permission settings - all valid 
users are authenticated. SP5 or later corrects this problem.

For Windows 2000 server, install Internet Authentication Service from the Windows 2000 
CD. If you wish to authenticate users in an
NT domain, the server must be a member of the domain, a PDC or BDC.
On the client list, add your dialin server IP and a 'shared_secret'.

Configure your dialin server:
Install the latest mgetty RPM from ftp://updates.redhat.com/8.0/...
  (tested with mgetty-1.1.28-9)
Install the latest pam RPM from ftp://updates.redhat.com/8.0/...
  (tested with pam-0.75-46.8.0)
Edit /etc/inittab to tell init to start the mgetty service(s). Add one line per modem. Modify "ttyS1" for your modem. The first two 
characters must be a unique identifier for the inittab entry and are not otherwise relevant. "2345" signifies the runlevels for 
which mgetty is to be started. "respawn" means that inittab will continually verify mgetty is running and will attempt to restart it 
if not.

S1:2345:respawn:/sbin/mgetty ttyS1
S2:2345:respawn:/sbin/mgetty ttyS2
etc..
Install the ppp RPM from the RedHat CD's and/or check for an updated version at ftp://updates.redhat.com/8.0/... (tested with 
ppp-2.4.1-7)

Edit /etc/ppp/options to include the following:
  auth -chap +pap login modem crtscts debug proxyarp lock
  ms-dns 172.16.yy.zz
  Replace 172.16.yy.zz with the address of the DNS server for your
dialup clients to use.
Create files in /etc/ppp for each modem named "options.ttySx". Each
options file should contain one line:
  hostIP:clientIP
  Where hostIP is the network interface on the dialin server and
clientIP is the IP to be assigned to the dialin client.
Uncomment or add the following lines as required in
/etc/mgetty+sendfax/login.conf
/AutoPPP/ - a_ppp   /usr/sbin/pppd auth -chap +pap login debug
*   -   -   /bin/login @
To force ppp to use RADIUS, edit /etc/ppp/pap-secrets to look like this:
# client   server   secret   IP addresses
*   *   ""  *
Install the current pam_radius_auth tarball from
ftp://ftp.freeradius.org/pub/radius/
  (I used ver. 1.3.15)
  tar xvf pam_radius-x.xx.xx
  cd pam_radius-x.xx.xx
  make  (you can ignore warnings about extra tokens)
  cp pam_radius_auth.so /lib/security
  If it doesn't already exist, create /etc/raddb
  cp pam_radius_auth.conf /etc/raddb/server
  chmod 600 /etc/raddb/server
Edit /etc/raddb/server to look like:
  # server[:port] shared_secret  timeout (s)
  127.0.0.1   secret 1
  172.16.xx.yy   your-radius-server-shared_secret
  Replace 172.16.xx.yy with the address of your RADIUS server.
  The timeout field can be left blank.
  Be sure to leave the line containing 127.0.0.1 alone.
Edit your PAM configuration to use RADIUS for ppp.
  Add one line to /etc/pam.d/ppp so the file looks like this:
  #%PAM-1.0
  auth   required pam_nologin.so
  auth   sufficient   /lib/security/pam_radius_auth.so debug
  auth   required pam_stack.so service=system-auth
  account   required pam_stack.so service=system-auth
  session   required pam_stack.so service=system-auth
Verify /etc/services contains the following:

radius      1812/tcp                # Radius
radius      1812/udp                # Radius
radius-acct 1813/tcp    radacct     # Radius Accounting
radius-acct 1813/udp    radacct     # Radius Accounting
Enable proxy arp and IP forwarding at the kernel level. You can add
these lines to your /etc/rc.d/rc.local file to make this happen at boot:
echo 1 >> /proc/sys/net/ipv4/ip_forward
echo 1 >> /proc/sys/net/ipv4/

how to access authorization database from a different RLM than rlm_sql

2003-09-19 Thread Dave Mason
Hi,
This may seem a bit unusual, but I find myself in a situation where I 
need to update the SQL authorization database from a different RLM 
module than rlm_sql.  That is, in my new RLM I'll want to update the 
radcheck and usergroup tables with data that will be used by a 
subsequent authorization attempt through rlm_sql.  As you might expect, 
I prefer to use the APIs provided by rlm_sql, rather than reinvent the 
wheel.  For reference, I'm using Freeradius 0.8.1, MySQL v3.23, Red Hat 7.3.

My question is what do I need to do to set this up from my new RLM, 
which APIs do I use, and how do I clean things up, if at all.  Here's 
some more detail:  I see that the instantiate block of rlm_sql creates a 
client socket to the database.  Ideally I would like to use this socket 
from my new RLM - is that possible?  It will be an invalid configuration 
for my new RLM to be turned on in radiusd.conf without sql also being 
turned on.  If my RLM needs its own socket, I assume I can duplicate the 
rlm_sql_instantiate logic in my RLM's instantiate function?  Or, maybe 
this is overkill and I should just use the APIs in mysql.h - what do you 
think?

Once I have the socket created, I need APIs to insert and update rows in 
the radius database tables.  I didnt see any APIs for this in rlm_sql.h, 
which led to my question above about just using mysql.h APIs.  
Unfortunately I'm not a DB expert, and I didnt see any APIs there with 
red letter names like insert or update, so any quick pointers here would 
be helpful.  Finally, if I can't reuse the rlm_sql socket, I'll need to 
clean up the one I created, which should not be a problem - I'll just 
add the close in my rlm_detach.

Regards,
Dave


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: defaulting a user's Realm

2003-09-19 Thread Ron Wahler

It is finding realm NULL and not DEFAULT and I set the Autz-type
so it is processed as  local sql, but as you can see in the debug
the Autz-type does not get set.  I am trying to cover all the bases
here with the settings. I want the user to be processed in the local
sql database. 




Users file:

DEFAULT Realm =="NULL", Autz-Type:=sql
DEFAULT  Autz-Type:=sql


Proxy.conf

realm DEFAULT {
type = radius
authhost = Local
secret = sss
}


rad_recv: Access-Request packet from host 10.0.0.53:1467, id=1,
length=57
User-Name = "ron"
User-Password = "temp"
Calling-Station-Id = "00022D3C"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns noop
rlm_realm: No '@' in User-Name = "ron", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Proxying request from user ron to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmslash" returns noop
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "backslash" returns noop
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "realmpercent" returns noop
users: Matched DEFAULT at 15
  modcall[authorize]: module "files" returns ok
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop
modcall: group authorize returns ok
modcall: entering group Autz-Type
radius_xlat:  ''
  modcall[authorize]: module "sql" returns fail
modcall: group Autz-Type returns fail
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3f6b81b4
Nothing to do.  Sleeping until we see a request.






> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 2:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: defaulting a user's Realm
> 
> "Ron Wahler" <[EMAIL PROTECTED]> wrote:
> > What would the syntax look like to assign the DEFAULT Realm to Site
?
> >
> > realm DEFAULT {
> 
>   Yes.  That sets the realm to "DEFAULT"
> 
> > This does not seem to work. I need to be able to assign the realm to
> > A value like "Site".
> 
>   Hmm... why not just use DEFAULT?  You'd have duplicate entries
> "DEFAULT" and "Site", but that shouldn't be too bad...
> 
>   Alan DeKok.
> 



RE: Wireless clients, Cisco leap, Radius & Samba

2003-09-19 Thread Alan Munday
Alan

OK.. I'll go rebuild.

Not able to find any refs to EAP-TTLS in Windows XP or Cisco's ACU wireless
clients. Does this require a third party option?

Thanks for your continued patience.

Alan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 19 September 2003 21:42
To: [EMAIL PROTECTED]
Subject: Re: Wireless clients, Cisco leap, Radius & Samba 


"Alan Munday" <[EMAIL PROTECTED]> wrote:
> Uncommenting the etc_smbpasswd causes an error on starting the daemon:
> 
> radiusd.conf[772] Failed to link to module 'rlm_passwd': file not found 

  Then build it, and install it.  See 'src/modules/rlm_passwd'

  You probably want to do:

$ ./configure --with-experimental-modules
$ make
$ make install

> I can't find a ref to this file in the radiusd.conf file. It is OK when I
> re-comment etc_smbpasswd out.

  You can comment it out, but then please understand that it won't
*ever* be used.

> I didn't think Cisco supported EAP-TLS yet?

  Cisco AP's don't.  They're not supposed to.  Only the client
supports it.

  And I said EAP-TTLS, not TLS.

  Alan DeKok.





RE: RADIUS PAM Module with RH9.

2003-09-19 Thread Kenneth Mix
When I am running radiusd -X, it stops at:
pam_pass: using pamauth string  for pam.conf lookup

After this it will not authenticate any other users, PAM or other.  Also, the PAM 
module never seems to contact my IAS server.

Thanks,

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 2:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > Also, freeradius still hangs when I use pam_radius_auth.so for
> > authentication.
> 
>   "hangs" ? What do you mean by that?
> 
>   Alan DeKok.
> 



Re: Wireless clients, Cisco leap, Radius & Samba

2003-09-19 Thread Alan DeKok
"Alan Munday" <[EMAIL PROTECTED]> wrote:
> Uncommenting the etc_smbpasswd causes an error on starting the daemon:
> 
> radiusd.conf[772] Failed to link to module 'rlm_passwd': file not found 

  Then build it, and install it.  See 'src/modules/rlm_passwd'

  You probably want to do:

$ ./configure --with-experimental-modules
$ make
$ make install

> I can't find a ref to this file in the radiusd.conf file. It is OK when I
> re-comment etc_smbpasswd out.

  You can comment it out, but then please understand that it won't
*ever* be used.

> I didn't think Cisco supported EAP-TLS yet?

  Cisco AP's don't.  They're not supposed to.  Only the client
supports it.

  And I said EAP-TTLS, not TLS.

  Alan DeKok.



Re: RADIUS PAM Module with RH9.

2003-09-19 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> Also, freeradius still hangs when I use pam_radius_auth.so for
> authentication.

  "hangs" ? What do you mean by that?

  Alan DeKok.



RE: Wireless clients, Cisco leap, Radius & Samba

2003-09-19 Thread Alan Munday
Alan

Uncommenting the etc_smbpasswd causes an error on starting the daemon:

radiusd.conf[772] Failed to link to module 'rlm_passwd': file not found 

I can't find a ref to this file in the radiusd.conf file. It is OK when I
re-comment etc_smbpasswd out.

I didn't think Cisco supported EAP-TLS yet?

Regards

Alan



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 19 September 2003 20:57
To: [EMAIL PROTECTED]
Subject: Re: Wireless clients, Cisco leap, Radius & Samba 


"Alan Munday" <[EMAIL PROTECTED]> wrote:
> 1) I currently have:
> 
>   passwd etc_smbpasswd {
..
> In the modules section of radiusd.conf. Now you have mentioned it I can
see
> that it is not loading. But I'm not sure why not.

  Because you didn't tell the server where to use it.  List it in the
'authorize' section somewhere, and it should work.

> As you may guess this is my first go at putting up a radius server and I
> expected that:
> 
> A) I need EAP to provide better security than WEP.

  Try EAP-TTLS.  It's only in the latest CVS snapshots, but it's much
better than LEAP, from a security point of view.

> B) User account data already on the server (system and Samba accounts are
> aligned) would be used to auth against. I.e. I did not expect to enter
user
> data again.

  You don't have to.  You've just got to configure the server to use
the existing files.

  Alan DeKok.





Re: defaulting a user's Realm

2003-09-19 Thread Alan DeKok
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> What would the syntax look like to assign the DEFAULT Realm to Site ?
> 
> realm DEFAULT {

  Yes.  That sets the realm to "DEFAULT"

> This does not seem to work. I need to be able to assign the realm to
> A value like "Site".

  Hmm... why not just use DEFAULT?  You'd have duplicate entries
"DEFAULT" and "Site", but that shouldn't be too bad...

  Alan DeKok.



RE: defaulting a user's Realm

2003-09-19 Thread Ron Wahler

What would the syntax look like to assign the DEFAULT Realm to Site ?



realm DEFAULT {
type = radius
authhost = Local
secret = thesharedsecret
}



This does not seem to work. I need to be able to assign the realm to 
A value like "Site".


realm DEFAULT {
type = radius
authhost = Local
secret = thesharedsecret
  realm = "Site"
}

this does not work

any other ideas.

Thanks,
Ron.




> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 18, 2003 2:52 PM
> To: [EMAIL PROTECTED]
> Subject: Re: defaulting a user's Realm
> 
> "Ron Wahler" <[EMAIL PROTECTED]> wrote:
> > No we are just trying to have a user with no realm processed to=
> > a default realm of our choice "Site".  We had this working in the
past.
> 
>   Use the DEFAULT realm in proxy.conf, it will do the same thing.
> 
>   Alan DeKok.
> 



RE: RADIUS PAM Module with RH9.

2003-09-19 Thread Kenneth Mix
I am still unable to authenticate via this PAM module, nor is it logging.  I know 
freeradius is configured properly, because I can use other PAM authentication sources. 
 Is it possible I misconfigured something?  It's a pretty simple config -- here's what 
I have:

Server name and secret in /etc/raddb/server file.
PAM module information in /etc/pam.d/radiusd

Also, freeradius still hangs when I use pam_radius_auth.so for authentication.

Thank you,

Ken Mix

> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RADIUS PAM Module with RH9. 
> 
> 
> "Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> > I am having problems with the PAM RADIUS module on a RedHat 9
> > server.
> 
>   An updated version of the module was released today, which should
> fix that problem.  See the FTP site.
> 
>   Alan DeKok.
> 



mod_auth_radius-2.0 and Apache 2.0

2003-09-19 Thread Mitchell S. Baltuch
Hi,

I am trying to get radius authentication working on a redhat 9.0 system, 
running apache 2.0 and using SSL.  I have built and installed 
mod_auth_radius-2.0, configured per the documentation, however, it does 
not appear to be working.  I see the SSL certificate, but then there is 
no username/password dialog and the page just displays.  Can someone who 
has got this working please contact me off line and I will summarize to 
the list when I get this thing figured out.

Thanks,
Mitch
--
Mitchell S. Baltuch
Principal
MountainStorm Technologies
[EMAIL PROTECTED]
http://www.mountainstorm.com




Re: Wireless clients, Cisco leap, Radius & Samba

2003-09-19 Thread Alan DeKok
"Alan Munday" <[EMAIL PROTECTED]> wrote:
> 1) I currently have:
> 
>   passwd etc_smbpasswd {
..
> In the modules section of radiusd.conf. Now you have mentioned it I can see
> that it is not loading. But I'm not sure why not.

  Because you didn't tell the server where to use it.  List it in the
'authorize' section somewhere, and it should work.

> As you may guess this is my first go at putting up a radius server and I
> expected that:
> 
> A) I need EAP to provide better security than WEP.

  Try EAP-TTLS.  It's only in the latest CVS snapshots, but it's much
better than LEAP, from a security point of view.

> B) User account data already on the server (system and Samba accounts are
> aligned) would be used to auth against. I.e. I did not expect to enter user
> data again.

  You don't have to.  You've just got to configure the server to use
the existing files.

  Alan DeKok.



RE: Wireless clients, Cisco leap, Radius & Samba

2003-09-19 Thread Alan Munday
Alan

Thanks for the response.

1) I currently have:

passwd etc_smbpasswd {
filename = /etc/samba/smbpasswd
format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
authtype = MS-CHAP
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}

In the modules section of radiusd.conf. Now you have mentioned it I can see
that it is not loading. But I'm not sure why not.

2) OK. I'm obviously confused as to what should or ought to happen here. My
expectations were led by:

A) The wireless clients have LEAP username/password/domain parameters which
default to those used for the Windows logon (NT Auth against Samba).

B) The WAP Authenticator configuration specifies the radius server can be
used for EAP, MAC, User or MIP authentication. One or more of these options
can be selected.

> C) The radius server appears to be able to auth against most data sources.


As you may guess this is my first go at putting up a radius server and I
expected that:

A) I need EAP to provide better security than WEP.

B) User account data already on the server (system and Samba accounts are
aligned) would be used to auth against. I.e. I did not expect to enter user
data again.

Any further guidance would be gratefully received.

Regards

Alan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 19 September 2003 15:32
To: [EMAIL PROTECTED]
Subject: Re: Wireless clients, Cisco leap, Radius & Samba 


"Alan Munday" <[EMAIL PROTECTED]> wrote:
> However the radius server also has Samba running on it and I want to
> = have the clients auth against this data. I have edited
> radiusd.conf to  include a passwd module to use the Samba passwd
> file.

  Not according to the debug output you printed.

> However I don't have the config right yet as I see the following:
> 
> 1)rlm_eap_leap: No User-Password or NT-Password configured for this
> user

  So configure the 'passwd' module.

> 2)  modcall[authorize]: module "mschap" returns noop

  If it's doing LEAP authentication, then it won't be doing MS-CHAP
authentication.  Or did you expect it to do both?

  Alan DeKok.





Re: sqlcounter

2003-09-19 Thread Yacine BOUKABA

> On Wednesday 17 September 2003 8:05 am, Yacine BOUKABA wrote:
>> [...] for example if a user is allowed to for 600 sec:
>> 1- in the first connection radius will send a session-timeout of 600 to
>> the nat, and if the user disconnect after 300 sec, and here the user
>> will
>> have 300 sec left.
>> 2- in the second connection the radius will send an updated
>> session-timeout of 300 sec to the nat and the user will be disconnected
>> after 300 sec.
>
> Is this a question or a statement? [note, I'm being a bit of a smart-A..
> :) ]
> What you listed is exactly how it works, but there are a couple of other
> things that have to happen:
>
>   1) initial logon -- as you indicate, FR will return a session-timeout
> response token with the value "600" [seconds]
>   2) the NAS should send an accounting START record
>   3) at some point [presumably 300 seconds later per your example] the
> user
> "logs off" -- the NAS needs to send an accounting STOP record
>   4) FR will take the info from the STOP record and increment the
> counter(s)
> you've specified
>   5) the next logon for the user will subtract the amount accumulated thus
> far
> [300] from the "limit" amount [600] and return the result as the session
> limit. [again, 300]
>
> Where this can fall apart:
>
>-- no start or stop records: without these records, the "counter"
> module
> won't have anything to count
>
>-- simultaneous use: the user logs on from 4 workstations one right
> after
> another -- all 4 will get a 600-second limit, but after the last
> workstation
> logs out, the accumulated time will be close to 2400 seconds
>   -- overlapped use: very similar: the user logs on to one workstation,
> AND
> watches the clock very carefully -- at 590 seconds into the session, the
> user
> logs on from a second workstation.  This second workstation gets 600
> seconds
> from THAT point, or nearly 1200 continuous seconds [the third overlap
> should
> fail as the first "logout" will set the accumulated time to 600...]
>
> [this particular problem can be mitigated somewhat by using interim
> messages
> from the NAS]
>
> --
> Yet another Blog: http://osnut.homelinux.net
>


-- 
Yacine BOUKABA
WEBMASTER AUCZONE.COM

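The counter behaviour walked through in the quoted reply, as an added simulation that is not part of the thread and not rlm_sqlcounter's own code: Session-Timeout is the configured limit minus the time accumulated from the NAS's accounting records, and the three failure modes (no STOP record, simultaneous logons, overlapped logons) fall out of that rule. The `count_interim` switch is my own construction standing in for whether the NAS sends interim updates, so that a still-open session contributes time before its STOP arrives; the user name, session ids and the 600-second limit are the constructed values from the quote.

```python
"""
Model of a session-time counter: Session-Timeout = limit - time already
accumulated from accounting records.  Constructed simulation, not the
module's code.
"""


class SessionCounter:
    def __init__(self, limit: int, count_interim: bool = False):
        self.limit = limit
        # assumption: when the NAS sends interim updates the elapsed time of
        # open sessions is visible to the counter; otherwise only STOP counts
        self.count_interim = count_interim
        self.closed = {}   # user -> seconds summed from STOP records
        self.open = {}     # (user, session_id) -> latest interim Acct-Session-Time

    def used(self, user: str) -> int:
        total = self.closed.get(user, 0)
        if self.count_interim:
            total += sum(t for (u, _), t in self.open.items() if u == user)
        return total

    def authorize(self, user: str):
        """Return the Session-Timeout to hand the NAS, or None for Access-Reject."""
        remaining = self.limit - self.used(user)
        return remaining if remaining > 0 else None

    def acct_start(self, user: str, session_id: str) -> None:
        self.open[(user, session_id)] = 0

    def acct_interim(self, user: str, session_id: str, session_time: int) -> None:
        self.open[(user, session_id)] = session_time

    def acct_stop(self, user: str, session_id: str, session_time: int) -> None:
        self.open.pop((user, session_id), None)
        self.closed[user] = self.closed.get(user, 0) + session_time


def scenario_sequential():
    """The happy path from the quote: 600 granted, 300 used, 300 left."""
    c = SessionCounter(600)
    first = c.authorize("yacine")
    c.acct_start("yacine", "s1")
    c.acct_stop("yacine", "s1", 300)
    return first, c.authorize("yacine")


def scenario_simultaneous():
    """Four logons before any STOP record: each gets the full 600, and the
    user ends up with 2400 seconds accumulated."""
    c = SessionCounter(600)
    grants = []
    for i in range(4):
        grants.append(c.authorize("yacine"))
        c.acct_start("yacine", f"s{i}")
    for i in range(4):
        c.acct_stop("yacine", f"s{i}", 600)
    return grants, c.used("yacine")


def scenario_overlap(count_interim: bool):
    """Second logon 590 s into the first session, a third after the first
    session's STOP.  Without interim data the second logon gets a fresh 600;
    with it, only the 10 seconds that remain."""
    c = SessionCounter(600, count_interim)
    first = c.authorize("yacine")
    c.acct_start("yacine", "s1")
    c.acct_interim("yacine", "s1", 590)
    second = c.authorize("yacine")
    c.acct_start("yacine", "s2")
    c.acct_stop("yacine", "s1", 600)
    third = c.authorize("yacine")
    return first, second, third


if __name__ == "__main__":
    print("sequential:", scenario_sequential())
    print("simultaneous:", scenario_simultaneous())
    print("overlap, no interim:", scenario_overlap(False))
    print("overlap, with interim:", scenario_overlap(True))
```

The model makes the detection angle concrete: a user whose accumulated time from STOP records far exceeds the limit, or a counter that never moves because no STOP records arrive, is visible in the accounting table itself, and enabling interim updates on the NAS closes the overlap window down to the interim interval.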


Re: RADIUS PAM Module with RH9.

2003-09-19 Thread Alan DeKok
"Kenneth Mix" <[EMAIL PROTECTED]> wrote:
> I am having problems with the PAM RADIUS module on a RedHat 9
> server.

  An updated version of the module was released today, which should
fix that problem.  See the FTP site.

  Alan DeKok.



Re: src/lib/smbdes.c and src/modules/rlm_smb/smbdes.c

2003-09-19 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> I was wondering if there were other duplicates in the source, so I ran
> the following command
> $ find . -name \*.c -exec basename '{}' \; | sort | uniq -d
> smbdes.c
> md4.c

  That's a duplicate.

> log.c
> session.c
> smbencrypt.c
> valuepair.c

  These aren't.

  Alan DeKok.



Re: When? EAP-PEAP

2003-09-19 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> > > When is the schedule of PEAP?
> > 
> >   Right now, whenever it's done.
> 
> I want to test right now.

  Then you have an opportunity to learn patience.

  Alan DeKok.



Re: FreeRADIUS 0.9.1. under FreeBSD^ making errors

2003-09-19 Thread Alan DeKok
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> patched rlm_counter but still error as below:
> 
> running as # ./configure --without-threads
> 
> 
> rlm_ippool.c: In function `ippool_detach':

  If you're not going to use rlm_ippool, then delete it.

  If you are going to use it, then try to spend some time yourself
figuring out how to fix it.  It's really not that hard.

  Alan DeKok.



Re: Wireless clients, Cisco leap, Radius & Samba

2003-09-19 Thread Alan DeKok
"Alan Munday" <[EMAIL PROTECTED]> wrote:
> However the radius server also has Samba running on it and I want to
> = have the clients auth against this data. I have edited
> radiusd.conf to  include a passwd module to use the Samba passwd
> file.

  Not according to the debug output you printed.

> However I don't have the config right yet as I see the following:
> 
> 1)rlm_eap_leap: No User-Password or NT-Password configured for this
> user

  So configure the 'passwd' module.

> 2)  modcall[authorize]: module "mschap" returns noop

  If it's doing LEAP authentication, then it won't be doing MS-CHAP
authentication.  Or did you expect it to do both?

  Alan DeKok.



RADIUS PAM Module with RH9.

2003-09-19 Thread Kenneth Mix
Hello,

I am having problems with the PAM RADIUS module on a RedHat 9 server.  My current 
setup is as follows:

I am running freeradius 0.9.1.  In order to authenticate my RADIUS users against a 
Win2k AD, I have configured Pam as the authentication type in my users file.  The PAM 
RADIUS module is then configured to authenticate users via IAS on my DC.

It seems that the freeradius PAM authentication is functioning properly, because when 
configure my pam.d/radiusd file to use pam_warn.so, the message does show up in my 
syslog.  However, when I try pam_radius_auth.so in the pam.d/radiusd file, my 
freeradius server hangs on "pam_pass: using pamauth string  for pam.conf 
lookup".  It never recovers.  Also, I never see any authentication attempts on my IAS 
server, nor do I get a response to the NAS.

As a side note, when I use pam_radius_auth.so debug, I don't see anything in my syslog 
file.

Any assistance or ideas would be appreciated.

Ken Mix
+1-406-556-1781



Re: Regexp matching in checkval module (Calling-Station-Id) - Red Hat Linux 9, glibc-2.3.2

2003-09-19 Thread Kostas Kalevras
On Thu, 18 Sep 2003, Roman M. Bibikov wrote:

> Thank`s Alan, but in my opinion this pattern does not match 11 digits
> length numbers exactly...
> And actually round brackets are not accepting by checkval (by the way,
> why???)
> I.e. i see in the log
>
> Thu Sep 18 11:16:07 2003 : Debug: rlm_checkval: Item Name:
> Calling-Station-Id, Value: 6123444
> Thu Sep 18 11:16:07 2003 : Debug: rlm_checkval: Value Name:
> Calling-Station-Id, Value: ^[6|7]123  <-- Where are the round
> brackets and a rest of pattern

What is the source of the Calling-Station-Id attribute in your check items list?
For example rlm_ldap will do an xlat on the check items received from the ldap
server so you will need to escape {} and the rest.

> Thu Sep 18 11:16:07 2003 : Debug: rlm_checkval: Doing regex
> Thu Sep 18 11:16:07 2003 : Debug:   modcall[authorize]: module
> "checkval" returns ok
>
> It is very strange, but "(",")","{","}" brackets does not working in
> pattern.
> In the "checkval" sources "REG_EXTENDED|REG_NOSUB" flags are used in
> regcom().
>
> Probably this problem is not my private only.
> Is there anybody who uses checkval with "=~" operator with some
> problems?
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Recommended value in radiusd.conf for HIGH load env.

2003-09-19 Thread Kostas Kalevras
On Thu, 18 Sep 2003, Rohaizam Abu Bakar wrote:

> Please help me to tune recommended value in radiusd.conf for HIGH load environment
>
> Used:
>
> FreeBSD 4.8
> Freeradius 0.9.0
> Openldap 2.0.27
>
> .
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 256000
> hostname_lookups = yes
> allow_core_dumps = no
>
> # THREAD POOL CONFIGURATION
> thread pool {
> start_servers = 5
> max_servers = 2048          => is it too high ???

Probably yes. If your backend responds quickly you wont need to increase it to
such high levels. You will need to increase the start_servers,*spare_servers
directives though to some reasonable values like start_servers = 20

> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
>
> # MODULE
> ldap {
> server = "10.1.1.1"
> identity = "cn=Sysadmin,ou=Applications,dc=xxx,dc=xx"
> password = xxx
> basedn = "ou=People,dc=,dc=xxx"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> start_tls = no
> access_attr = "dialupAccess"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 2048          => is it too high ?

That's *really* too high. I don't think you will ever need to increase it to
more than 128-256 connections.

> timeout = 10
> timelimit = 10
> net_timeout = 5
>   }
> ..
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



freeradius-digest authentication

2003-09-19 Thread Dimitris Theofilatos



Hi,
I use SER (from iptel.org) as a SIP server, freeradius 0.9.1 as a proxy AAA, and freeradius 0.9.1 as an AAA server.
I use digest authentication between SER and freeradius.
The problem I face is that the proxy AAA does not forward the requests to the AAA server.
For all the other types of authentication the proxy AAA forwards the requests normally.

Thanks
Dimitris


Re: large (?) radius server: LDAP or SQL

2003-09-19 Thread Kostas Kalevras
On Fri, 19 Sep 2003, Zoilo wrote:

> I need to create a radius server with >100,000 users.
>
> Should I use LDAP or SQL?

Both should work ok. LDAP is just more general and you can base other
services on it along with radius. Check the list archives for detailed
discussion on this topic.

>
> Z.
>
>
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Authenticating using LDAP module

2003-09-19 Thread Kostas Kalevras
On Thu, 18 Sep 2003, Vishal Jose wrote:

> On Thu, 18 Sep 2003 12:30:02 +0300 (EEST)
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
> > > What I need now is CHAP-Password type to be
> > > send across to Radius Server from Client.My password in the LDAP database is
> > > plain text.I would like to know what is addition that to be given in
> > > radiusd.conf if necessary?
> >
> > This has been discussed many times in the list. Check the list archives. Also
> > doc/rlm_ldap includes plenty of information on the subject.
>
>
> Before posting the former mail I checked out the mailing list, but still I wasn't
> able to figure it out. Sorry if I have missed pinpointing something.
>
> When I issue command say
>
> $ echo "User-Name = \"vishal\", CHAP-Password = \"vishal\"" | radclient -x  -s 
> 10.0.1.180 auth testing123
>
> $ radiusd -x
> rad_recv: Access-Request packet from host 10.0.1.180:1122, id=128, length=47
> User-Name = "vishal"
> CHAP-Password = 0x80c8b36527f114b9b5845eee357625c2b4
>   rlm_chap: Setting 'Auth-Type := CHAP'
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for vishal
> ldap_get_conn: Got Id: 0
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding sn as User-Name, value vishal & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user vishal authorized to use remote access
> ldap_release_conn: Release Id: 0
>   rlm_chap: login attempt by "vishal" with CHAP password ??³e'?^?5v%??
>   rlm_chap: Could not find clear text password for user vishal

So the user's clear text password is not available. This means that rlm_ldap does
not extract the corresponding password from the user's ldap entry.

> rad_recv: Access-Request packet from host 10.0.1.180:1122, id=128, length=47
> Sending Access-Reject of id 128 to 10.0.1.180:1122
>
>
> my radiusd.conf is
> ldap{
>
>   server = "10.0.1.180"
>   basedn = "o=icope"
> filter = "cn=%u"
>   password_attribute = userPassword
> password_header = "{clear}"

Based on your posted user entry:

dn: cn=vishal,o=icope
sn: vishal
cn: vishal
userPassword: vishal
objectClass: person
telephoneNumber: 5716909
description: He is a employee


You don't need to set password_header. So leave it commented out.

> dictionary_mapping = ${raddbdir}/ldap.attrmap
> timeout = 4
> timelimit = 3
> net_timeout = 1
> ldap_debug = 0x
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

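The exchange above turns on one property of CHAP that is easy to miss when the directory only holds password hashes. The CHAP-Password value in the radiusd -x output (0x80c8...c2b4) is 17 bytes: the CHAP ident (0x80) followed by the 16-byte MD5 response, and the challenge is the CHAP-Challenge attribute or, when that attribute is absent, the Request Authenticator (RFC 2865 section 5.3). The server can only check it by recomputing the same MD5 from the clear-text password. The following is an added example of that computation and check, written for this digest and not rlm_chap's code; the 16-byte challenge and the user name are constructed sample values.

```python
"""RADIUS CHAP-Password check (RFC 2865 section 5.3, RFC 1994).

Added example, not rlm_chap's code. The CHAP-Password attribute carries the
CHAP ident byte followed by the 16-byte MD5 response. To verify it the server
must recompute MD5(ident + cleartext password + challenge), so without the
clear-text password (the rlm_chap failure in the log above) no check is
possible; a password hash stored in the directory does not help.
"""
import hashlib
import hmac
from typing import Optional

# Constructed 16-byte challenge. On the wire this is the CHAP-Challenge
# attribute, or the Request Authenticator when that attribute is absent.
SAMPLE_CHALLENGE = bytes(range(16))


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """16-byte CHAP response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value as the NAS sends it: ident byte + response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap_password(chap_password: bytes,
                         cleartext_password: Optional[bytes],
                         challenge: bytes) -> bool:
    """Server-side check. Returns False when the clear-text password is
    unavailable, when the attribute has the wrong length, or on mismatch."""
    if cleartext_password is None or len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = chap_response(ident, cleartext_password, challenge)
    # Constant-time compare so the comparison does not leak how many bytes matched.
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Round-trip a constructed request using the user name from the post."""
    wire = encode_chap_password(0x80, b"vishal", SAMPLE_CHALLENGE)
    return {
        "length": len(wire),
        "ident": wire[0],
        "ok": verify_chap_password(wire, b"vishal", SAMPLE_CHALLENGE),
        "wrong_password": verify_chap_password(wire, b"guess", SAMPLE_CHALLENGE),
        "no_cleartext": verify_chap_password(wire, None, SAMPLE_CHALLENGE),
    }


if __name__ == "__main__":
    print(demo())
```

The `no_cleartext` case is the one in the log: rlm_ldap authorized the user but handed rlm_chap no clear-text password, so the only possible outcome was a reject.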


Re: src/lib/smbdes.c and src/modules/rlm_smb/smbdes.c

2003-09-19 Thread Nicolas Baradakis
Alan DeKok wrote:

> "Paul Hampson" <[EMAIL PROTECTED]> wrote:
> 
> > From: Nicolas Baradakis
> > Sent: Thursday, 11 September 2003 7:56 PM
> 
> > > Maybe it's an anecdotal question, but...
> > > 
> > > I noted there's 2 source files with the same name and with little
> > > differences. Is it in accordance with the expected behaviour?

[...]

> > And the modules/rlm_smb file supplies two extra functions... Maybe
> > modules/rlm_smb should be calling the code in libradius?
> 
>   Yes.

[...]

I was wondering if there were other duplicates in the source, so I ran
the following command:
$ find . -name \*.c -exec basename '{}' \; | sort | uniq -d
log.c
md4.c
session.c
smbdes.c
smbencrypt.c
valuepair.c

Sometimes the files just happened to have the same name but have
different purposes, sometimes I just can't tell.

The interesting files are:
src/lib/md4.c and src/modules/rlm_smb/md4.c
src/lib/smbdes.c and src/modules/rlm_smb/smbdes.c (already discussed)
src/modules/rlm_mschap/smbencrypt.c and src/modules/rlm_smb/smbencrypt.c

-- 
Nicolas Baradakis

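The find pipeline above only lists shared basenames, which is why the post ends with "sometimes I just can't tell". The following added example (written for this digest, not FreeRADIUS code) goes one step further and hashes every copy, so byte-identical copies are separated from copies that have diverged, the case that matters when duplicated crypto code such as smbdes.c or md4.c is patched in one place and not the other. The tree it scans is constructed in a temporary directory with made-up file contents laid out under the paths named in the post.

```python
"""Report .c files that share a basename across a source tree and whether the
copies are byte-identical. Added example, not FreeRADIUS code; it scans a
constructed tree with made-up contents written to a temporary directory."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large sources do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def duplicate_basenames(root: str, suffix: str = ".c") -> dict:
    """Return {basename: {relative_path: sha256}} for basenames seen more than once."""
    seen = defaultdict(dict)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffix):
                full = os.path.join(dirpath, name)
                seen[name][os.path.relpath(full, root)] = sha256_of(full)
    return {name: paths for name, paths in seen.items() if len(paths) > 1}


def classify(dups: dict):
    """Split duplicates into identical copies (one hash) and diverged copies."""
    identical, diverged = {}, {}
    for name, paths in dups.items():
        target = identical if len(set(paths.values())) == 1 else diverged
        target[name] = sorted(paths)
    return identical, diverged


def build_sample_tree() -> str:
    """Constructed tree mirroring the paths in the post; contents are made up."""
    root = tempfile.mkdtemp(prefix="dupscan_")
    files = {
        "src/lib/md4.c": "/* md4 */ int md4(void){return 0;}\n",
        "src/modules/rlm_smb/md4.c": "/* md4 */ int md4(void){return 0;}\n",
        "src/lib/smbdes.c": "/* des */ int des(void){return 0;}\n",
        "src/modules/rlm_smb/smbdes.c": "/* des */ int des(void){return 0;}\n"
                                        "int extra(void){return 1;}\n",
        "src/main/log.c": "/* server log */\n",
        "src/modules/rlm_sql/log.c": "/* sql log */\n",
        "src/main/radiusd.c": "int main(void){return 0;}\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


def scan_sample():
    """Build the sample tree and classify its duplicate basenames."""
    return classify(duplicate_basenames(build_sample_tree()))


if __name__ == "__main__":
    identical, diverged = scan_sample()
    print("identical copies:", identical)
    print("diverged copies:", diverged)
```

Identical copies are a maintenance nuisance; diverged copies are the ones to review, because a fix applied to one file (the libradius copy, say) silently misses the other.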


FreeRADIUS and SNMP

2003-09-19 Thread Turtiainen Tero
Hi,

I have a problem with FreeRADIUS and SNMP. I have compiled and installed FreeRADIUS on 
a Red Hat Linux 7.2/i386 with SNMP support. FreeRADIUS connects successfully to the 
SNMP agent (ucd-snmp 4.2.4).

The problem is that I am not able to do anything with SNMP.

On the mailing list archive I found the following email
http://www.mail-archive.com/[EMAIL PROTECTED]/msg18911.html
which says that:

"Then try this:
snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.67.1.1.1.1.1.0
You should get the FreeRADIUS version back."

When I do this, FreeRADIUS seems to get and parse the request from the agent as the 
following is printed in the FR debug output:

SMUX read start
SMUX read len: 38
SMUX message received type: 161 rest len: 34
SMUX_GETNEXT
SMUX GET message parse: len 34
SMUX GET reqid: 332 len: 30
SMUX GET errstat 0 len: 27
SMUX GET errindex 0 len: 24
SMUX var parse: len 24
SMUX var parse: type 48 len 20
SMUX var parse: type must be 48
Request OID: 1.3.6.1.2.1.67.1.1.1.1.1.0
SMUX val_type: 5
ASN_NULL
SMUX function call index is 1
SMUX function call index is 2
SMUX GETRSP send
SMUX GETRSP reqid: 332
SMUX GETRSP errstat: 0
SMUX GETRSP errindex: 0
SMUX getresp send: 41
--- Walking the entire request list ---

And in fact the same kind of output is printed for several different OIDs. However, the
snmpwalk result is:
67.1.1.1.1.1.0 = No more variables left in this MIB View

I am obviously doing something wrong but any hints as to what?

By the way, if the smux_password is incorrect in snmp.conf, FreeRADIUS crashes with
"Broken pipe" when trying to register with the SMUX agent.
-- 
Tero Turtiainen
[EMAIL PROTECTED]
Tel: +358 40 702 8754



Re: doubts regarding connection between db2 and freeradius

2003-09-19 Thread Ulrich Walcher
Well, a part of the example on the website (FAQ/4.12) is definitely
wrong!
Anyway, a short look at the users file you edited would have solved the
problem, too.

See below.

On Fri, 2003-09-19 at 06:43, puneeth b wrote:
> hello sir,
> I've already mailed you regarding some doubts; thanks for the
> reply.
>  
> I've a few more doubts,
> Sir,
> Doubts regarding the freeradius server, kindly help me out.
> As given in section 4.12 of the FAQ, "Debugging it yourself", I did the
> following steps
> ---
> Step 1:
> it is given that
> 3. Ensure that you have localhost in your raddb/clients file.
> FreeRADIUS
> comes configured this way, so it should be there.
> so I found the entry in
> /usr/local/etc/raddb/clients
> as
> # Client Name  Key
> # --
> #portmaster1.isp.com testing123
> #portmaster2.isp.com testing123
> #proxyradius.isp2.com TheirKey
> #localhost  testing123
> ---
> Step 2:
> 4. Ensure you have a valid user in your raddb/users file. If
> everything else
> fails, go to the top of the file and add the following entry:
> so I made the entry in
> /usr/local/etc/raddb/users
> as it was given in the FAQ
> bob Password = "bob"
>i Reply-Message = "Hello, bob"
make it:
bob	User-Password == "bob"
	Reply-Message = "Hello, bob"

> 
> Step 3:
> it is given that
> 1. Run the server in debugging mode
> radiusd -sfxxyz -l stdout
> i got the message
> Ready to process requests.
> -
> Step 4:
> in another window i ran this command as given in the FAQ
> [EMAIL PROTECTED] root]# radtest bob bob localhost 0 testing123
> Sending Access-Request of id 185 to 127.0.0.1:1812
> User-Name = "bob"
> User-Password = "bob"
> NAS-IP-Address = localhost.localdomain
> NAS-Port = 0
> In the server side I got the below listed messages:
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=185,
> length=55
> User-Name = "bob"
> User-Password = "bob"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
> rlm_eap: EAP-Message not found
>   modcall[authorize]: module "eap" returns noop
> rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 153
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
> modcall: entering group authenticate
>   modcall[authenticate]: module "unix" returns notfound
> modcall: group authenticate returns notfound
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 185 to 127.0.0.1:1025
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 185 with timestamp 3f68d908
> Nothing to do.  Sleeping until we see a request.
> ---
> Later after few seconds in the Client window I got the following
> message
> [EMAIL PROTECTED] root]# radtest bob bob localhost 0 testing123
> Sending Access-Request of id 240 to 127.0.0.1:1812
> User-Name = "bob"
> User-Password = "bob"
> NAS-IP-Address = localhost.localdomain
> NAS-Port = 0
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=240,
> length=20
> --
> In FAQ it is given that we should get the following message:
>   Ensure that you see the Reply-Message above and that you do NOT see
> an
> "Access denied" message. If you get an Access-Accept message, this
> means that
> the server is running properly.
> 
> Sir, why am I getting the access-reject message from the server?
> Kindly help me: how do I get the access-accept message from the server
> to ensure that the server is running properly?
> in anticipation of a reply,
> regards,
> puneeth b.
> 
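The correction in this thread is a one-character operator change, so it helps to see how the users file is actually read. Per the users(5) layout, an entry starts in column 0 with a user name (or DEFAULT) followed by comma-separated check items; indented continuation lines carry reply items, every line but the last ending in a comma. In a check list `==` compares a request attribute and `:=` sets one, while `=` is an assignment rather than a test. The following added example (written for this digest, not FreeRADIUS code) parses both the FAQ form quoted above and the corrected entry, evaluates an entry against a request, and flags check items written with `=`; the two users-file fragments it contains are constructed for the example.

```python
"""Parser and checker for the FreeRADIUS 'users' file format discussed above.

Added example, not FreeRADIUS code. Layout follows users(5): an entry starts in
column 0 with a name (or DEFAULT) and comma-separated check items; indented
continuation lines carry reply items. '==' compares a request attribute, ':='
sets one, and '=' assigns rather than tests, so a password written with '='
in the check list never takes part in matching.
"""
import re
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str, str]  # (attribute, operator, value)

# attribute, operator, value; the value may be a quoted string or a bare word
ITEM_RE = re.compile(r'^([A-Za-z0-9_.-]+)\s*(==|:=|!=|=)\s*(.+?)\s*$')


def split_items(text: str) -> List[str]:
    """Split 'A == "x", B = "y,z"' on commas that sit outside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_item(text: str) -> Item:
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text: str) -> List[Dict]:
    """Return entries as {'name', 'line', 'check': [items], 'reply': [items]}."""
    entries: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # indented: reply items for the current entry
            if not entries:
                raise ValueError(f"line {lineno}: reply item before any entry")
            entries[-1]["reply"].extend(parse_item(i) for i in split_items(raw))
        else:                 # column 0: a new entry with its check items
            head = raw.split(None, 1)
            rest = head[1] if len(head) > 1 else ""
            entries.append({"name": head[0], "line": lineno,
                            "check": [parse_item(i) for i in split_items(rest)],
                            "reply": []})
    return entries


def evaluate(entry: Dict, request: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Reply items if every comparison check item matches the request, else None."""
    for attr, op, value in entry["check"]:
        if op == "==" and request.get(attr) != value:
            return None
        if op == "!=" and request.get(attr) == value:
            return None
        # ':=' and '=' assign; they never reject a request
    return {attr: value for attr, _op, value in entry["reply"]}


def lint_entry(entry: Dict) -> List[str]:
    """Flag check items written with '=', which assign instead of compare."""
    return [f'line {entry["line"]}: "{attr} = ..." in a check list is an '
            f'assignment, not a comparison; write "{attr} == ..."'
            for attr, op, _v in entry["check"] if op == "="]


# Constructed users-file fragments: the FAQ form quoted in the post, and the
# corrected form from the reply followed by a typical DEFAULT entry.
FAQ_FORM = 'bob\tPassword = "bob"\n\tReply-Message = "Hello, bob"\n'
CORRECTED = ('bob\tUser-Password == "bob"\n'
             '\tReply-Message = "Hello, bob"\n'
             '\n'
             'DEFAULT\tAuth-Type := System\n'
             '\tFall-Through = 1\n')


if __name__ == "__main__":
    for entry in parse_users(FAQ_FORM):
        print(lint_entry(entry))
    bob = parse_users(CORRECTED)[0]
    print(evaluate(bob, {"User-Name": "bob", "User-Password": "bob"}))
```

Run against a real users file, the linter is a quick way to catch check lines that were copied from old examples; the evaluator is deliberately limited to `==` and `!=` so that the matching rule stays visible.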


Re: When? EAP-PEAP

2003-09-19 Thread Masao . Nishiku
Hello.

"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > When is the schedule of PEAP?
>
>   Right now, whenever it's done.

Thanks

I want to test right now.

/Masao NISHIKU




Re: [Patch] SQL authentication logging

2003-09-19 Thread Nicolas Baradakis
Paul Hampson wrote:

> > > The following patch allow for SQL logging after authentication. It
> > > extends the rlm_sql module so now you can put one more query in your
> > > sql.conf file.
> > 
> > I'll commit this once either you tell me that it doesn't depend on
> > Post-Auth-Type, or I commit the Post-Auth-Type patch. (Which I'm
> > going to look at now.)

Well, the patch will apply without a problem but it is much less
interesting because you can query the db only if the authentication
step is successful.

For the hotline service for example (i.e. the bad guys who made me write
this patch ^_^) it is much more useful to gather information about
failed attempts.

> > With one minor change, to call
> > (inst->module->sql_finish_query)(sqlsocket, inst->config);
> > even for failed queries. (As is done in _some_ of the other sql_
> > function in rlm_sql.c. And PostgresSQL's docs also do it... Only
> > postgres and Sybase (off hand, Oracle too maybe) actually implement
> > the function anyway.

I don't understand. There is a return RLM_MODULE_FAIL just above, so
sql_finish_query() is not called on failed query.

> Bugger. That patch got boned as well. Can you either attach it to an
> email for me, or put it up on a website so I can wget it?

It's troubling because I don't copy / paste from my terminal but I do
a M-x insert-file in the message. Never mind, I'll send the attached
file to you.

-- 
Nicolas Baradakis



large (?) radius server: LDAP or SQL

2003-09-19 Thread Zoilo
I need to create a radius server with >100,000 users.

Should I use LDAP or SQL?

Z.





Re: Simultaneous-Use

2003-09-19 Thread Ulrich Walcher
see /doc/Simultaneous-Use 

On Fri, 2003-09-19 at 05:08, 黄建波 wrote:
> Hi all!
> How do I configure some accounts to be limited to only one login at a time and some
> not?
>
> Regards!
>
> 黄建波
> EMAIL:[EMAIL PROTECTED]
> TEL:020-87114020 020-87114021
> 2003-09-19




Re: (no subject)

2003-09-19 Thread Artur Hecker
sorry, but ... LOL

Direct: 0701 741 4258
Office: 0870 765 4258
   Fax: 0870 765 4259
This email is confidential and may be privileged; it is for use by the named
recipient only. If you have received it in error, please notify us
immediately; please do not copy or disclose its contents to any person or
body, and delete it from your computer systems.
- there is nothing confidential in this mail otherwise it would be 
really dumb to send it out to an archived world-readable list! since i 
didn't send it, i don't want to know that it is supposed to be 
confidential. for me it is not and whoever claims the contrary is being 
foolish
- there is no way to know who IS the named recipient since it could be 
changed by ANYbody
- there is no way to know if i receive it in error. if "error" is to be 
defined by me, then i probably do receive it in error. in this case i 
would like to know who actually is "us", how i can contact those guys 
and how in hell i could probably be sure that i'm really contacting 
those and not some others?
- but my personal favorite is still the last sentence: whoever invented 
this sentence about not copying the email and deleting it from "computer 
systems" must have been a full complete ass since he's never really 
understood how email works in the first place.

remark: such disclaimers are completely irrelevant and not accepted by 
any known legislation.

greetings
artur

