Re: MS-CHAPv2 + MySQL + group authtype failure
On Tue, 2003-12-02 at 19:26, Alan DeKok wrote:
> Eliot Gable [EMAIL PROTECTED] wrote:
> > The only essential design feature is this: when a user authenticates
> > against a localnode, a Vendor-Specific attribute (with a vendor code of
> > 4363 and attribute number of 5) containing a string of the name of the
> > user's RNET must be returned to the localnode and homenode.
>
> sigh. You didn't understand it, so you took it to mean that you should
> do something totally different, rather than figure out how to do it
> properly.
>
> See the dictionary files for examples of vendor dictionaries. Heck,
> grab the CVS snapshot tomorrow, and I've added a 'dictionary.bristol',
> based on what you said.

Alan,

Thanks, this will make life a bit easier. Thanks also for helping Elliot out. This thread was started while I was out of the office, so I wasn't able to cut in and help Elliot myself.

Would you mind naming it dictionary.university_of_bristol on the basis that the official IANA vendor code calls it this? I'll also be updating my documentation to include FreeRADIUS info, as well as spit IAS.

josh.

-- 
Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OT: ms-filter attribute
I'm trying to find some information on the format of the MS-Filter VSA. I want to parse this VSA to acquire the encoded filters. I've looked in RFC 2548 where it is defined, but it doesn't explain the formatting. A google search hasn't turned up much either.

Does anyone here have any clue as to the formatting of this attribute?

many thanks, josh.
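The VSA asked about here and the University of Bristol attribute from the dictionary.bristol thread above share one wire format, RFC 2865 section 5.26: attribute type 26, a length, a 4-octet Vendor-Id, then one or more vendor sub-attributes (vendor-type, vendor-length, data). RFC 2548 assigns MS-Filter vendor type 22 under Microsoft's Vendor-Id 311 and, as the post says, does not spell out the contents, so the parser below hands them back as opaque bytes. The following is an added example written for this page in Go; it is not FreeRADIUS code. The RNET name "rnet-example", the two MS-Filter bytes and the User-Name are constructed sample values; the Bristol Vendor-Id 4363 and attribute number 5 are taken from the thread above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const attrVendorSpecific = 26 // RFC 2865 section 5.26

// VSA is one vendor sub-attribute pulled out of a Vendor-Specific attribute.
type VSA struct {
	VendorID uint32
	Type     byte
	Value    []byte
}

// ParseVSAs walks a RADIUS attribute list (the bytes after the 20-byte header) and returns every
// vendor sub-attribute in order. Each length is checked before it is used to slice: an attribute
// shorter than 2 octets, or one that overruns its container, fails the whole parse rather than
// being skipped, since a NAS or proxy that sends such a packet is not one to keep guessing about.
func ParseVSAs(attrs []byte) ([]VSA, error) {
	var out []VSA
	for len(attrs) > 0 {
		if len(attrs) < 2 {
			return nil, errors.New("truncated attribute header")
		}
		typ, length := attrs[0], int(attrs[1])
		if length < 2 || length > len(attrs) {
			return nil, fmt.Errorf("attribute %d: bad length %d", typ, length)
		}
		value := attrs[2:length]
		attrs = attrs[length:]
		if typ != attrVendorSpecific {
			continue
		}
		if len(value) < 4 {
			return nil, errors.New("Vendor-Specific attribute shorter than its Vendor-Id")
		}
		vendor := binary.BigEndian.Uint32(value[:4])
		for sub := value[4:]; len(sub) > 0; sub = sub[sub[1]:] { // RFC 2865 allows several sub-attributes per VSA
			if len(sub) < 2 || int(sub[1]) < 2 || int(sub[1]) > len(sub) {
				return nil, fmt.Errorf("vendor %d: malformed sub-attribute", vendor)
			}
			out = append(out, VSA{vendor, sub[0], sub[2:sub[1]]})
		}
	}
	return out, nil
}

// Find returns the value of the first sub-attribute matching vendor and type.
func Find(vsas []VSA, vendor uint32, typ byte) ([]byte, bool) {
	for _, v := range vsas {
		if v.VendorID == vendor && v.Type == typ {
			return v.Value, true
		}
	}
	return nil, false
}

// encodeVSA builds one Vendor-Specific attribute around a single sub-attribute; used here only to
// construct sample input (values must stay short enough for the one-octet length fields).
func encodeVSA(vendor uint32, typ byte, value []byte) []byte {
	sub := append([]byte{typ, byte(2 + len(value))}, value...)
	b := binary.BigEndian.AppendUint32([]byte{attrVendorSpecific, byte(6 + len(sub))}, vendor)
	return append(b, sub...)
}

// SampleAttrs is a constructed attribute list: User-Name (1) "josh", the University of Bristol
// RNET attribute (Vendor-Id 4363, attribute 5) with a made-up RNET name, and an MS-Filter
// (Microsoft Vendor-Id 311, vendor type 22) whose two bytes are placeholders, not a real filter.
func SampleAttrs() []byte {
	attrs := append([]byte{1, 6, 'j', 'o', 's', 'h'}, encodeVSA(4363, 5, []byte("rnet-example"))...)
	return append(attrs, encodeVSA(311, 22, []byte{0x01, 0x02})...)
}

func main() {
	vsas, err := ParseVSAs(SampleAttrs())
	if err != nil {
		panic(err)
	}
	for _, v := range vsas {
		fmt.Printf("vendor %d type %d value %x\n", v.VendorID, v.Type, v.Value)
	}
	if f, ok := Find(vsas, 311, 22); ok {
		fmt.Printf("MS-Filter payload (contents not defined by RFC 2548): %x\n", f)
	}
}
```

The parser deliberately returns an error instead of skipping a sub-attribute whose length runs past its container; a RADIUS server indexing past the end of a packet on the strength of an attacker-supplied length byte is the classic failure mode here, and the check costs one comparison.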
Re: I need help
Buy the O'Reilly RADIUS book.

josh.

On Wed, 2003-11-26 at 16:57, Jason Tres wrote:
> I am a microsoft guy who is trying to learn linux, because I have to
> i freeradius on it. can anyone help me get started in the right
> direction. Any help is appreciated
Proxy and No such realm NULL
I have a proxy server configured to proxy to the NULL realm. This has worked fine until recently, when it has started to silently drop RADIUS requests rather than forward them. The NAS does not receive any response and so rejects users.

My hypothesis is that the RADIUS server it is proxying to becomes unresponsive temporarily, and so the proxy server marks it dead. Thus, when the next RADIUS request comes along it has no server to proxy it to, and so it returns an error about the realm. Would this hypothesis be consistent with the "No such realm NULL" error?

A possible flaw in this hypothesis is that the dead time is configured at ten minutes (dead_time = 600), yet the server continues to drop RADIUS packets beyond this time.

I would be interested in any ideas or suggestions to fix this.

many thanks, josh.
Proxy where a single server is marked dead?
Can someone please briefly indicate the expected behaviour of FreeRADIUS where a realm has only a single {auth|acct}host specified, but this server has been marked dead owing to inactivity? My reading of the source suggests to me that it will get dropped silently, but I would appreciate an educated opinion!

best regards, josh.
Re: Proxy where a single server is marked dead?
On Tue, 2003-10-14 at 12:18, Josh Howlett wrote:
> Can someone please briefly indicate the expected behaviour of FreeRADIUS
> where a realm has a single instance of a {auth|acct}host is specified,
> but this server has been marked dead owing to inactivity? My reading of
> the source suggests to me that it will get dropped silently, but I would
> appreciate an educated opinion!

By "it" I mean a RADIUS packet that the proxy FreeRADIUS server has received.

josh.
Re: Proxy where a single server is marked dead?
On Tue, 2003-10-14 at 15:22, Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
> > My reading of the source suggests to me that it will get dropped
> > silently, but I would appreciate an educated opinion!
>
> Pretty much. Sending a reject request may be friendlier, though.

Yes. It would be useful if this were implemented.

josh.
Re: Weird username proxying bug?
On Wed, 2003-10-08 at 17:55, Chris Parker wrote:
> At 10:45 AM 10/8/2003, Josh Howlett wrote:
> > I am using freeradius (0.9) to proxy RADIUS packets. I have run into a
> > possible bug. A username with a Windows domain prepended to the user in
> > the format CC\\username gets proxied in the format C\\username; because
> > the domain is CC the authentication fails:
> [snip]
>
> You haven't removed some of the defaults from the server. IE, the 'hints'
> file. Try editing the hints file (or commenting it out of your config
> from 'radiusd.conf').

Thanks, that fixed it.

josh.
Off-topic: RADIUS, VPN and PPPoE for wireless
I've been reading some of the recent messages on wireless authentication, and people have mentioned using VPN and PPPoE and RADIUS to authenticate users.

We've developed our own router (linux based) that uses Freeradius, RP-PPPoE and Poptop to implement authenticated wireless roaming on our campus network. A couple of other universities are also using this router for their wireless and wired docking networks.

It's really been designed for large wireless deployments, and so it's probably a bit OTT if you only have one or two APs. However, if you have a large number of APs, a large number of users, and non-trivial networking requirements then you might like to look at it. Hopefully it might help someone avoid re-inventing a wheel...

http://www.bris.ac.uk/is/services/computers/nwservices/nomadic/download

josh.
Re: pppd + freeradius
On Thu, 2003-08-28 at 05:39, Andrew E. Guly wrote:
> > Has anybody linked ppp-daemon to freeradius server. The 2.4.2b3 release
> > of ppp has its own radiusclient, but it doesn't work. If some ideas,
> > please post. Regards.
>
> Use PortSlave

I use this patch: http://www.xs4all.nl/~evbergen/radius-pppd.html

josh.
How to access Proxy-to-Realm in script?
I'm trying to access the Proxy-to-Realm attribute in a script called via rlm_exec (the script needs to know where proxied requests have been sent). However, I've tried instantiating the script from within the authorize (after the rlm_realm instantiation) and pre-proxy sections, without any luck.

Is it not possible to access FR internal attributes in this way? If so, any ideas how I might achieve a similar effect?

best regards, josh.
RE: Static Compilation
http://safari.oreilly.com/

Search for RADIUS.

josh.

On Wed, 2003-07-09 at 17:38, Gustavo Lozano wrote:
> Ah. So the answer for the FAQ should be ???
>
> 1. go to amazon
> 2. purchase
> 3. wait for the shipping..
> 4. read
>
> etc etc etc.. too slow :(
>
> On Wed, 2003-07-09 at 11:09, Jonathan Hassell wrote:
> > RADIUS book, page 79
> >
> > Gustavo Lozano [EMAIL PROTECTED] wrote:
> > > think it is caused because we dont have Ldap libs or Oracle libs in the
> > > target servers, so we need to compile it in a static way. Any ideas to
> > > accomplish that?
script: how to detect when in accounting
I have a script that gets executed using the rlm_exec module in the post-proxy section. I only want it executed when proxying Access-Access packets and not accounting packets.

I thought the easiest way to do this was to somehow detect at the start of the script, from the environment variables, whether this was an accounting packet and, if so, to exit immediately. Is this possible? Or is there another way of achieving the same effect?

josh.
round robin and DEFAULT and NULL realms
Is it possible to use ldflag=round_robin for the DEFAULT and NULL realms? I'm using a CVS version post 0.81 and it doesn't seem to work (it just proxies to whichever realm is defined last). Or so it seems...

thanks, josh.
copy accounting to second server
What's the easiest way to copy accounting packets to a second server, without using radrelay?

tia, josh.
threads
Hi,

I am running radiusd with -X, and compiled without threads. I am noticing that the server sometimes appears to take a while to process simultaneous requests; could this be because of the -X and/or non-threading?

thanks, josh.
matching realm on user-name
What's the best way of matching a realm on the basis of username but /without/ using a realm prefix/suffix? ie.

  user1 - realm1
  user2 - realm1
  user3 - realm2
  user3 - realm2

Is the only way of doing this by creating a realm per user?

thanks, josh.
Re: Help needed with MS Chap v2
Guy,

Do the LDAP server logs show anything?

josh.

On Wed, 2003-03-26 at 16:10, Guy Warner wrote:
> Hi
>
> I am trying to set up a Freeradius 0.8.1 server to authenticate users with
> MS Chap v2. The information about each user is obtained from an LDAP
> server. The requests for authentication are being received via a proxy
> server. The problem is that all requests to authenticate a user result in
>
>   rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>
> The mschap section of radiusd.conf is as follows
>
>   mschap {
>       authtype = MS-CHAP
>       use_mppe = yes
>       require_encryption = yes
>       require_strong = yes
>   }
>
> The output from radiusd in debug mode contains the following
>
>   rad_recv: Access-Request packet from host omitted:1814, id=3, length=172
>       MS-CHAP-Challenge = 0x18192e70aa5f3989b735ced1b471afd2
>       MS-CHAP2-Response = 0x0100613e878f3075d4825db25f99da79dac32d620d49a20f637cae65f305c09460bdc1c3047ab43476f5
>       User-Name = [EMAIL PROTECTED]
>       NAS-IP-Address = omitted
>       NAS-Identifier = omitted
>       Service-Type = Framed-User
>       Framed-Protocol = PPP
>       Proxy-State = 0x313630
>   ..
>   Debug: modcall: entering group authtype
>   Debug: rlm_mschap: doing MS-CHAPv2 with NT-Password
>   Debug: rlm_mschap: Authentication failed
>   Debug: rlm_mschap: Nothing in the packet I recognise: Rejecting the user
>   Debug: modcall[authenticate]: module mschap returns reject
>
> The username is stripped of the domain since usernames are stored on the
> LDAP server in the short form.
>
> Any suggestions on how to fix this problem would be gratefully received.
> If I have not provided sufficient information to diagnose the error then
> please let me know and I will send more information.
>
> Thanks in advance
>
> Guy Warner
Re: Can RADIUS attributes pass through to Apache?
On Wed, 2003-03-26 at 14:31, Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
> > Might I suggest a general mechanism for implementing this, whereby
> > arbitrary and application-specific variable/value pairs are passed to the
> > WWW application within a 'generic' wrapper A/V? The auth server
> > concatenates the variables within a single wrapper A/V in the
> > Access-Accept, which mod_auth_radius unwraps and passes the contained
> > variables to Apache.
>
> Sure. What then, does Apache do with them? Unlike FreeRADIUS, Apache
> doesn't appear to have a generic method of adding information to a
> request.

Forgive me, I don't follow. Why would Apache need to add information to a request? The sole objective, at least from where I'm standing, is to pass information about a user from a database (or equiv.) to apache.

josh.
Re: Can RADIUS attributes pass through to Apache?
On Wed, 2003-03-26 at 15:56, Alan DeKok wrote:
> > The sole objective, at least from where I'm standing, is to pass
> > information about a user from a database (or equiv.) to apache.
>
> to *where* in Apache?

Ah, I understand. I assumed that Apache would provide a nice easy interface for precisely this kind of thing. Seems a bit strange that one doesn't exist, IMHO.

josh.
mod_auth_radius: compile error
mod_auth_radius.c: At top level:
mod_auth_radius.c:726: parse error before table
mod_auth_radius.c: In function `add_cookie':
mod_auth_radius.c:728: `r' undeclared (first use in this function)
mod_auth_radius.c:728: warning: initialization makes pointer from integer without a cast
mod_auth_radius.c:730: `expires' undeclared (first use in this function)
mod_auth_radius.c:731: `cookie' undeclared (first use in this function)
mod_auth_radius.c:738: `header' undeclared (first use in this function)
mod_auth_radius.c: In function `spot_cookie':
mod_auth_radius.c:747: warning: assignment makes pointer from integer without a cast
mod_auth_radius.c:762: warning: assignment makes pointer from integer without a cast
mod_auth_radius.c: In function `radius_authenticate':
mod_auth_radius.c:792: `AP_MD5_CTX' undeclared (first use in this function)
mod_auth_radius.c:792: parse error before md5_secret
mod_auth_radius.c:793: `UINT4' undeclared (first use in this function)
mod_auth_radius.c:829: `md5_secret' undeclared (first use in this function)
mod_auth_radius.c:831: `my_md5' undeclared (first use in this function)
mod_auth_radius.c:847: `service' undeclared (first use in this function)
mod_auth_radius.c: In function `authenticate_basic_user':
mod_auth_radius.c:1146: structure has no member named `user'
mod_auth_radius.c:1156: structure has no member named `user'
mod_auth_radius.c:1176: structure has no member named `user'
mod_auth_radius.c:1178: `AUTH_REQUIRED' undeclared (first use in this function)
mod_auth_radius.c:1194: structure has no member named `user'
mod_auth_radius.c:1196: structure has no member named `user'
mod_auth_radius.c:1202: structure has no member named `user'
mod_auth_radius.c:1203: structure has no member named `user'
mod_auth_radius.c:1221: structure has no member named `user'
mod_auth_radius.c: At top level:
mod_auth_radius.c:1229: `this_module_needs_to_be_ported_to_apache_2_0' undeclared here (not in a function)
mod_auth_radius.c:1229: initializer element is not constant
mod_auth_radius.c:1229: (near initialization for `radius_auth_module.version')
mod_auth_radius.c:1230: warning: initialization makes integer from pointer without a cast
mod_auth_radius.c:1231: warning: initialization makes integer from pointer without a cast
mod_auth_radius.c:1235: warning: initialization makes integer from pointer without a cast
mod_auth_radius.c:1238: warning: initialization from incompatible pointer type
mod_auth_radius.c:1243: warning: excess elements in struct initializer
mod_auth_radius.c:1243: warning: (near initialization for `radius_auth_module')
mod_auth_radius.c:1245: warning: excess elements in struct initializer
mod_auth_radius.c:1245: warning: (near initialization for `radius_auth_module')
apxs:Error: Command failed with rc=65536
mod_radius_auth digest auth
In the docs, it states that mod_radius_auth does not support digest authentication. Is this by virtue of it being impossible-in-principle, or merely as-yet-not-implemented?

Thanks, josh.
Re: mod_radius_auth digest auth
On Tue, 2003-03-04 at 12:00, Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
> > To clarify, I want users to authenticate via HTTP via mod_auth_radius
> > against a remote RADIUS server without the intermediate WWW server (or,
> > for that matter, anything else) gaining knowledge of the user's
> > password. Assuming mod_auth_radius implemented digest authentication,
> > is this a workable solution?
>
> Yes. And it shouldn't be too hard to do, either. Take entries from
> Apache's data structures, pack them into a RADIUS packet, and fire it
> off.

Interesting.

Assume that there was a mechanism to send the cookie generated by mod_auth_radius to the remote RADIUS server where it could be stored (for the lifetime of the cookie). Assume also that there existed an rlm_cookie authentication module on that remote RADIUS server that allows the RADIUS server to authenticate a user on the basis of a cookie.

In this hypothetical case, would it be feasible for a user to present the same cookie to a different WWW server, which could then attempt to authenticate the user by passing the cookie to the remote RADIUS server? (ie. thereby avoiding the need for the user to present his credentials again - the idea being to enable single sign-on).

Is this idea crack-pot or simply brain-dead?

josh.
Re: mod_radius_auth digest auth
On Tue, 2003-03-04 at 13:47, Alan DeKok wrote:
> > In this hypothetical case, would it be feasible for a user to present
> > the same cookie to a different WWW server, which could then attempt to
> > authenticate the user by passing the cookie to the remote RADIUS server?
> > (ie. thereby avoiding the need for the user to present his credentials
> > again - the idea being to enable single sign-on).
> >
> > Is this idea crack-pot or simply brain-dead?
>
> It's a hack, but I see no reason why it wouldn't work.

You think this is a hack? You should read the Project Liberty or M$ Passport specs :-)

josh.
realms wildcards
Is it possible to select a realm using wildcards? ie.

  realm foo* {
      ...
  }

  realm *bar {
      ...
  }

Thanks, josh.
realm length
Hi,

I got an error when I tried to specify a realm longer than 63 characters. Is this an arbitrary limitation that could be extended beyond 63 characters?

Thanks. josh.
zombies in non-threaded, single-server mode
Regarding: http://freeradius.org/cvs-log/2003-02-18.09%3A00%3A00.html#file-radiusd-src-main-radiusd-c,0

I can confirm that this fix works.

josh.
Realm selection
I note that in the documentation it states that the DEFAULT realm matches all realms. Is it possible to match all realms that are *not* defined? (ie. similar to DEFAULT, but one that does not match on realms that *are* defined).

thanks, josh.
proxy access-accept
Hi all,

I'd like to run a script when an Access-Accept is proxied through a Freeradius proxy server (ie. in the same way that you can run a script (through acct_users) when accounting Stop/Start packets are proxied).

Is this possible at all?

thanks, josh.
Re: proxy access-accept
On Tue, 2003-01-14 at 16:37, Alan DeKok wrote:
> I've been intending to write rlm_exec for a while. It should have a
> 'post-auth' section which takes over the functionality of
> Exec-Program-Wait. But integrating it with the server core and threads is
> annoying.
>
> For the short term, you could try using the Perl module. It's really
> nice.

Glad to hear - this would be great.

I have looked at the perl module - the problem is that I am working on an embedded implementation where space is limited...so I would far rather use Bash rather than squeeze a Perl interpreter in as well.

We may be prepared to consider sponsoring the development of an 'rlm_exec' module (depending on the price) - any takers?

josh.
add attribute to accounting
Hi,

The scripts/exec-program-wait example suggests that you can add arbitrary AVs to RADIUS packets by writing to stdout from within the exec-program script. Is this a correct interpretation? Should it work with acct_users, because I can't get it to!?

thanks, josh.
Re: add attribute to accounting
On Thu, 2002-12-19 at 16:31, Alan DeKok wrote:
> Josh Howlett [EMAIL PROTECTED] wrote:
> > The scripts/exec-program-wait example suggests that you can add
> > arbitrary AVs to RADIUS packets by writing to stdout from within the
> > exec-program script. Is this a correct interpretation? Should it work
> > with acct_users, because I can't get it to!?
>
> Accounting response packets can only contain certain attributes. See
> the function rfc_clean() in src/main/radiusd.c

Ah. So what would be the appropriate mechanism for this? (ie. adding attributes to RADIUS packets). Write to stdout from within an Exec-Program script called from the users file? My RADIUS server is only acting as a proxy, so I assume an Exec-Program script would never be called from within the users file?

thanks, josh.
Re: Re[2]: MS-CHAP
Dear 3APA3A,

Apologies if I am being a bit dim here! Does this mean that I can authenticate MSCHAP against a remote SMB server (using rlm_smb), and authorise them using, for example, a DBMS? I take it that rlm_smb will not provide MPPE keys, only rlm_mschap?

thanks josh.

On Wed, 2002-11-27 at 15:52, 3APA3A wrote:
> Dear Josh Howlett,
>
> No. rlm_smb is an authentication module, not an authorization one. You
> can use either rlm_mschap or rlm_smb.
>
> --Wednesday, November 27, 2002, 6:46:43 PM, you wrote to [EMAIL PROTECTED]:
>
> JH> Does that include rlm_smb?
>
> JH> thanks, josh.
>
> JH> On Wed, 2002-11-27 at 15:34, 3APA3A wrote:
> > > Dear Josh Howlett,
> > >
> > > You can use the mschap authentication module in conjunction with any
> > > authorization module (for example sql or dbm). All you need is a
> > > cleartext or NT-crypted password to be accessible. So you can use
> > > almost any DBMS (Oracle, MySQL, PostgreSQL, MS SQL, DB2, Sybase, etc),
> > > LDAP, text password file format, DBM file format, and users file.
> > >
> > > --Wednesday, November 27, 2002, 5:21:26 PM, you wrote to [EMAIL PROTECTED]:
> > >
> > > JH> Hi,
> > >
> > > JH> What can Freeradius use to authenticate MS-CHAP against? I know of the
> > > JH> following methods:
> > >
> > > JH> - the 'users' file
> > > JH> - /etc/smbpasswd
> > > JH> - LDAP directory
> > > JH> - proxy to another RADIUS server
> > >
> > > JH> Are there any others?
> > >
> > > JH> thanks, josh.
>
> --
> ~/ZARAZA
MS-CHAP
Hi,

What can Freeradius use to authenticate MS-CHAP against? I know of the following methods:

- the 'users' file
- /etc/smbpasswd
- LDAP directory
- proxy to another RADIUS server

Are there any others?

thanks, josh.
Re: MS-CHAP
Does that include rlm_smb?

thanks, josh.

On Wed, 2002-11-27 at 15:34, 3APA3A wrote:
> Dear Josh Howlett,
>
> You can use the mschap authentication module in conjunction with any
> authorization module (for example sql or dbm). All you need is a
> cleartext or NT-crypted password to be accessible. So you can use almost
> any DBMS (Oracle, MySQL, PostgreSQL, MS SQL, DB2, Sybase, etc), LDAP,
> text password file format, DBM file format, and users file.
>
> --Wednesday, November 27, 2002, 5:21:26 PM, you wrote to [EMAIL PROTECTED]:
>
> JH> Hi,
>
> JH> What can Freeradius use to authenticate MS-CHAP against? I know of the
> JH> following methods:
>
> JH> - the 'users' file
> JH> - /etc/smbpasswd
> JH> - LDAP directory
> JH> - proxy to another RADIUS server
>
> JH> Are there any others?
>
> JH> thanks, josh.
>
> --
> ~/ZARAZA
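This MS-CHAP thread and the "Help needed with MS Chap v2" debug output earlier on this page ("doing MS-CHAPv2 with NT-Password ... Authentication failed") come down to the same computation: the server must hold the NT hash, or a cleartext password from which to derive it, so that it can recompute the client's response. The following is an added example written for this page in Go; it is not rlm_mschap code and none of the function names are FreeRADIUS names. It walks RFC 2759 end to end: NT hash from the password, ChallengeHash, the 24-byte NT-Response, and the server-side check that yields the "S=..." authenticator response. Only the Go standard library is used, plus a small MD4 because the standard library has none; the inputs in main are the RFC 2759 section 9.2 test vectors (user "User", password "clientPass").

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 is a minimal MD4 (RFC 1320); NT hashes need it and Go's standard library has none.
func md4(msg []byte) []byte {
	le := binary.LittleEndian
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	buf := append(append([]byte{}, msg...), 0x80)
	for len(buf)%64 != 56 {
		buf = append(buf, 0)
	}
	buf = le.AppendUint64(buf, uint64(len(msg))*8)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(buf); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = le.Uint32(buf[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		step := func(f, xi uint32, s int) { a, b, c, d = d, bits.RotateLeft32(a+f+xi, s), b, c }
		for i := 0; i < 16; i++ { // round 1, function F
			step((b&c)|(^b&d), x[i], s1[i%4])
		}
		for i := 0; i < 16; i++ { // round 2, function G
			step((b&c)|(b&d)|(c&d), x[r2[i]]+0x5a827999, s2[i%4])
		}
		for i := 0; i < 16; i++ { // round 3, function H
			step(b^c^d, x[r3[i]]+0x6ed9eba1, s3[i%4])
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	return le.AppendUint32(le.AppendUint32(le.AppendUint32(le.AppendUint32(nil, a), b), c), d)
}

// NTPasswordHash is MD4 over the UTF-16LE password: the NT-Password value rlm_mschap works from.
func NTPasswordHash(password string) []byte {
	var b []byte
	for _, w := range utf16.Encode([]rune(password)) {
		b = binary.LittleEndian.AppendUint16(b, w)
	}
	return md4(b)
}

func sha1Of(parts ...[]byte) []byte {
	s := sha1.Sum(bytes.Join(parts, nil))
	return s[:]
}

// ChallengeHash (RFC 2759): the first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func ChallengeHash(peer, auth []byte, user string) []byte { return sha1Of(peer, auth, []byte(user))[:8] }

// NTResponse (RFC 2759 ChallengeResponse): the NT hash zero-padded to 21 bytes gives three 7-byte DES keys, each encrypting the 8-byte challenge hash.
func NTResponse(ntHash, ch []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		v := binary.BigEndian.Uint64(append([]byte{0}, z[7*i:7*i+7]...)) // 56 bits of key material
		var key [8]byte                                                   // DES ignores each byte's low (parity) bit
		for j := 7; j >= 0; j-- {
			key[j], v = byte(v&0x7f)<<1, v>>7
		}
		c, _ := des.NewCipher(key[:]) // cannot fail: the key is exactly 8 bytes
		c.Encrypt(out[8*i:], ch)
	}
	return out
}

// VerifyMSCHAPv2 is the server side: recompute the response from the stored NT hash, compare in constant time and, on a match, return the "S=..." authenticator response carried in MS-CHAP2-Success.
func VerifyMSCHAPv2(ntHash, auth, peer, ntResp []byte, user string) (string, bool) {
	ch := ChallengeHash(peer, auth, user)
	if subtle.ConstantTimeCompare(NTResponse(ntHash, ch), ntResp) != 1 {
		return "", false
	}
	d := sha1Of(md4(ntHash), ntResp, []byte("Magic server to client signing constant"))
	d = sha1Of(d, ch, []byte("Pad to make it do more than one iteration"))
	return "S=" + strings.ToUpper(hex.EncodeToString(d)), true
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 section 9.2 vectors:
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E") // user "User", password "clientPass"
	nt := NTPasswordHash("clientPass")
	fmt.Println(VerifyMSCHAPv2(nt, auth, peer, NTResponse(nt, ChallengeHash(peer, auth, "User")), "User"))
}
```

With the RFC 2759 vectors the NT hash is 44EBBA8D5312B8D611474411F56989AE, the challenge hash is D02E4386BCE91226 and a correct response verifies to S=407A5589115FD0D6209F510FE9C04566932CDA56. Two things follow for the threads above: an LM hash, a crypt(3) hash or any other one-way form is useless here, because the NT hash itself is what gets split into DES keys; and the UserName fed to ChallengeHash must be the string the client hashed, so a server that strips or rewrites the domain part (as the debug output above describes) has to make sure the client did the same.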
problem with rewrite
Hi,

We are having problems with a number of Windows clients that are pre-pending the username with \\, for unknown reasons. ie:

  username - \\username

I thought that we could work around this by using the rewrite module. I'm using a search string of \\ and a replace string of . However, for some reason Freeradius sees this as !

Does anyone have any suggestions what else I could try?

many thanks, josh.
Re: Re[3]: MS-CHAP and LDAP
> Mdd> (Believe me, I read the doc-files more than once).
> Mdd> Do you know whether there is a possibility to retrieve the W2k-passwords
> Mdd> via ldap at all?
> Mdd> Or is that another case of MS-special solution?
>
> As you were told already (but probably didn't read this answer) you can
> use MS IAS (Microsoft implementation of RADIUS) and use FreeRADIUS as
> proxy to IAS.

I do this. It works (even if MS IAS is a toy compared to FreeRADIUS).

josh.

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7864
Re: accounting-start proxy error
> > It works fine for authentication request/accept and accounting-stop, but
> > my NAS complains about the accounting-start messages:
>
> Then it's most likely a problem with the attributes in the accounting
> start packet.
>
> > WARNING: Identifier does not match - ignoring response
> > WARNING: Invalid response signature - check secret!
>
> If the first message is true, then the second is caused by the first.
>
> You say that the NAS complains about the accounting-start packet, but
> FreeRADIUS never sends one to the NAS, it only sends an Accounting-Response
> packet. So where does this message come from, and when does it happen?

Sorry, my mistake, I meant Accounting-Request.

This is what Freeradius gets from the NAS:

  rad_recv: Accounting-Request packet from host xxx.xxx.xxx.xxx:, id=120, length=149
      Acct-Delay-Time = 8
      NAS-IP-Address = xxx.xxx.xxx.xxx
      Service-Type = Framed-User
      Framed-Protocol = PPP
      NAS-Identifier =
      Acct-Status-Type = Start
      Acct-Session-Id = 3b7a0001
      Acct-Authentic = RADIUS
      User-Name = x

This is what Freeradius proxies to MS IAS:

  Sending Accouting-Request of id 22 to xxx.xxx.xxx.xxx:
      Acct-Delay-Time = 8
      NAS-IP-Address = xxx.xxx.xxx.xxx
      Service-Type = Framed-User
      Framed-Protocol = PPP
      NAS-Identifier =
      Acct-Status-Type = Start
      Acct-Session-Id = 3b7a0001
      Acct-Authentic = RADIUS
      User-Name = x
      Proxy-State = 120

Freeradius gets the following back from MS IAS:

  rad_recv: Accouting-Response packet from xxx.xxx.xxx.xxx:, id=22, length=25
      Proxy-State = 0x313230

And sends it on to the NAS:

  Sending Accouting-Response of id 120 to xxx.xxx.xxx.xxx:xx

And the NAS generates the error:

  WARNING: Identifier does not match - ignoring response
  WARNING: Invalid response signature - check secret!

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
Re: voip gateway billing (H323)and radius
Hi,

I have freeradius 0.6 acting as a proxy for authentication and accounting. It works fine for authentication request/accept and accounting-stop, but my NAS complains about the accounting-start messages:

WARNING: Identifier does not match - ignoring response
WARNING: Invalid response signature - check secret!

Freeradius does not generate any error messages in debug mode (-X).

It seems strange that freeradius is only complaining about accounting-stop, so it looks to me like freeradius is mis-handling accounting-start when proxying them. Has anyone else seen this behaviour?

josh.

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
radiusd pid
Hi,

1) Does freeradius write its PID anywhere?
2) What signals does freeradius accept?

thanks, josh.

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
rlm_sql authorisation
I want to use a non-standard SQL schema with Freeradius. I *only* want to authorise users (no authentication) on the basis of their realm, NOT their username (the schema knows nothing about users). I am struggling to find a way to make this work. Does anyone have any ideas?

thanks, josh.

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
connection speed
Which attribute do NASes usually expect to specify the speed of a connection for a user?

thanks, josh.

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
accounting on a proxy
Hi,

Is it possible to configure a Freeradius proxy to log details of accounting packets that it is proxying?

thanks, josh.

Josh Howlett, Networking and Digital Communications Group, Information Systems Computing, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)117 928 7850
Append A/V pair to proxied packet?
Hi all,

Is it possible for freeradius, acting as a proxy, to add an arbitrary A/V pair to a RADIUS packet?

thanks, josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Append A/V pair to proxied packet?
I should add: specifically, accounting packets.

thanks, josh.

> Hi all,
>
> Is it possible for freeradius, acting as a proxy, to add an arbitrary A/V pair to a RADIUS packet?
>
> thanks, josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Append A/V pair to proxied packet?
Would I be able to find this code in the CVS? If so, where?

thanks, josh.

> > Is it possible for freeradius, acting as a proxy, to add an arbitrary A/V pair to a RADIUS packet?
>
> Right now, no. But I just committed code to start down that path.
>
> Alan DeKok.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Compiling/installing freeradius with specific modules
Hi all,

Is it possible to configure freeradius to only compile and install certain specified modules? Or do you have to compile the lot, and then remove the modules you don't use?

cheers, josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re[3]: Fwd: Re: Encrypted attribute problems
Dear 3APA3A,

(Cc'd to the mailing list for the archives)

I confirm that these patches work correctly: freeradius now authenticates MSCHAP-v2 against the rlm_mschap module and as a proxy server against a remote RADIUS server (IAS in my case).

Many thanks for your assistance and rapid support in this matter,

josh.

On Mon, 27 May 2002, 3APA3A wrote:

> Dear Josh Howlett,
>
> Replace dictionary.microsoft in _both_ RADIUS source and installation (normally /usr/local/etc/raddb) dir, it should help (make sure you have the latest CVS snapshot, older FreeRADIUS incorrectly handles tunnel encryption). It should be already enough to solve your problem (no recompilation/reinstallation required) but it will break FreeRADIUS's own MS-CHAPv2 functionality. So, I will be very grateful to you if you can also replace rlm_mschap with the one attached, rebuild RADIUS and test MS-CHAPv2 functionality via FreeRADIUS itself, because I have no MS-CHAPv2 compliant NAS to test.
>
> --Monday, May 27, 2002, 9:01:26 PM, you wrote to [EMAIL PROTECTED]:
>
> JH> Dear 3APA3A,
> JH>
> JH> I would be very pleased to test it!
> JH>
> JH> Many thanks, josh.
> JH>
> JH> On Mon, 27 May 2002, 3APA3A wrote:
>
> >> Dear Josh Howlett,
> >>
> >> As you can see it was forwarded to [EMAIL PROTECTED], this message was not addressed to you, but to core RADIUS developers. If I'll send you fixed source files can you test it?
> >>
> >> --Monday, May 27, 2002, 8:53:29 PM, you wrote to [EMAIL PROTECTED]:
>
> JH> On Mon, 27 May 2002, 3APA3A wrote:
>
> >>> Probably the problem is that MS uses for MS-MPPE-Send-Key/MS-MPPE-Recv-Key absolutely the same encoding scheme as for Tunnel-Password attributes. Currently I do all encoding inside rlm_mschap itself. I'm not sure how the proxy operates: if the proxy rebuilds the packet and these values are changed I need to rewrite rlm_mschap to not perform encoding and to mark MS-MPPE-Send-Key/MS-MPPE-Recv-Key as encrypt=2 in the dictionary instead. Will it work?
> >>>
> >>> BTW: for MS-CHAPv1 Microsoft uses standard rad_pwencode() to encrypt the MS-CHAP-MPPE-Keys attribute. Currently I call rad_pwencode() from rlm_mschap. Maybe we should process all rad_pwencode'd attributes in the way we process Tunnel-Password encryption? That is, instead of calling rad_pwencode/rad_pwdecode for Password we should mark Password and MS-CHAP-MPPE-Keys as encrypt=1 in the dictionary and handle all encrypted attributes?
>
> JH> Hi 3APA3A,
> JH>
> JH> I am not using rlm_mschap at all because I am only proxying. I assumed
> JH> that the encoding/decoding would be performed automatically as part of
> JH> the proxying process.
> JH>
> JH> What you suggest sounds sensible to me, but I do not know much at all
> JH> about RADIUS :-(.
> JH>
> JH> regards, josh.
>
> --This is a forwarded message
> From: Josh Howlett [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Monday, May 27, 2002, 7:28:36 PM
> Subject: Encrypted attribute problems
>
> ===8<==Original message text===
>
> Josh Howlett [EMAIL PROTECTED] wrote:
> > What is the status of encrypted attribute support in Freeradius at the moment? It appears to be broken - has anyone had similar problems?
>
> WHICH encrypted attribute? There's more than one, and there are a number of different encryption schemes.
>
> Sorry for the lack of specificity; I am rather new to RADIUS!
>
> My precise problem is this. I have a Microsoft IAS W2K server and a NAS with a Freeradius proxy in the middle:
>
> IAS -- Freeradius -- NAS
>
> The NAS authenticates clients using MSCHAP-v2 and also provides encryption using MPPE. The NAS can authenticate and retrieve the MPPE keys via RADIUS from the W2K box without any problems. However, if the RADIUS transaction is performed via the Freeradius proxy, the NAS reports problems with decrypting the MPPE attributes:
>
> decrypt_attr_style_1: bogus decrypted length 89
> decrypt_attr_style_1: bogus decrypted length -37
>
> Hence, I can authenticate correctly but not retrieve the MPPE keys when Freeradius is acting as proxy. I hope this is clear?
>
> thanks, josh.
>
> Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
>
> ===8<==End of original message text===
>
> --
> ~/ZARAZA
> There was an error in the calculations. (Kel)
Encrypted attribute problems
Hi,

What is the status of encrypted attribute support in Freeradius at the moment? It appears to be broken - has anyone had similar problems?

thanks, josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Encrypted attribute problems
> Josh Howlett [EMAIL PROTECTED] wrote:
> > What is the status of encrypted attribute support in Freeradius at the moment? It appears to be broken - has anyone had similar problems?
>
> WHICH encrypted attribute? There's more than one, and there are a number of different encryption schemes.

Sorry for the lack of specificity; I am rather new to RADIUS!

My precise problem is this. I have a Microsoft IAS W2K server and a NAS with a Freeradius proxy in the middle:

IAS -- Freeradius -- NAS

The NAS authenticates clients using MSCHAP-v2 and also provides encryption using MPPE. The NAS can authenticate and retrieve the MPPE keys via RADIUS from the W2K box without any problems. However, if the RADIUS transaction is performed via the Freeradius proxy, the NAS reports problems with decrypting the MPPE attributes:

decrypt_attr_style_1: bogus decrypted length 89
decrypt_attr_style_1: bogus decrypted length -37

Hence, I can authenticate correctly but not retrieve the MPPE keys when Freeradius is acting as proxy. I hope this is clear?

thanks, josh.

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
Re: Fwd: Re: Encrypted attribute problems
On Mon, 27 May 2002, 3APA3A wrote:

> Probably the problem is that MS uses for MS-MPPE-Send-Key/MS-MPPE-Recv-Key absolutely the same encoding scheme as for Tunnel-Password attributes. Currently I do all encoding inside rlm_mschap itself. I'm not sure how the proxy operates: if the proxy rebuilds the packet and these values are changed I need to rewrite rlm_mschap to not perform encoding and to mark MS-MPPE-Send-Key/MS-MPPE-Recv-Key as encrypt=2 in the dictionary instead. Will it work?
>
> BTW: for MS-CHAPv1 Microsoft uses standard rad_pwencode() to encrypt the MS-CHAP-MPPE-Keys attribute. Currently I call rad_pwencode() from rlm_mschap. Maybe we should process all rad_pwencode'd attributes in the way we process Tunnel-Password encryption? That is, instead of calling rad_pwencode/rad_pwdecode for Password we should mark Password and MS-CHAP-MPPE-Keys as encrypt=1 in the dictionary and handle all encrypted attributes?

Hi 3APA3A,

I am not using rlm_mschap at all because I am only proxying. I assumed that the encoding/decoding would be performed automatically as part of the proxying process.

What you suggest sounds sensible to me, but I do not know much at all about RADIUS :-(.

regards, josh.

> --This is a forwarded message
> From: Josh Howlett [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [EMAIL PROTECTED]
> Date: Monday, May 27, 2002, 7:28:36 PM
> Subject: Encrypted attribute problems
>
> ===8<==Original message text===
>
> Josh Howlett [EMAIL PROTECTED] wrote:
> > What is the status of encrypted attribute support in Freeradius at the moment? It appears to be broken - has anyone had similar problems?
>
> WHICH encrypted attribute? There's more than one, and there are a number of different encryption schemes.
>
> Sorry for the lack of specificity; I am rather new to RADIUS!
>
> My precise problem is this. I have a Microsoft IAS W2K server and a NAS with a Freeradius proxy in the middle:
>
> IAS -- Freeradius -- NAS
>
> The NAS authenticates clients using MSCHAP-v2 and also provides encryption using MPPE. The NAS can authenticate and retrieve the MPPE keys via RADIUS from the W2K box without any problems. However, if the RADIUS transaction is performed via the Freeradius proxy, the NAS reports problems with decrypting the MPPE attributes:
>
> decrypt_attr_style_1: bogus decrypted length 89
> decrypt_attr_style_1: bogus decrypted length -37
>
> Hence, I can authenticate correctly but not retrieve the MPPE keys when Freeradius is acting as proxy. I hope this is clear?
>
> thanks, josh.
>
> Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
> 'phone: 0117 928 7850 email: [EMAIL PROTECTED]
>
> ===8<==End of original message text===
>
> --
> ~/ZARAZA
> There was an error in the calculations. (Kel)

Josh Howlett, Networking Digital Communications, Information Systems Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
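3APA3A's point in this thread and in the Re[3] message above is that MS-MPPE-Send-Key/MS-MPPE-Recv-Key use the Tunnel-Password style salted encryption (RFC 2548 section 2.4.2), keyed by the shared secret and the Request Authenticator of the hop they travel over. The added example below (not code from rlm_mschap, FreeRADIUS or the thread; all keys, secrets and authenticators are constructed) implements that scheme and shows why relaying the ciphertext across a proxy hop unchanged leaves the NAS with garbage, the failure behind the "bogus decrypted length" messages.

```python
# Added example, not code from FreeRADIUS, rlm_mschap or the thread: the RFC 2548
# 2.4.2 salted encryption used for MS-MPPE-Send-Key/MS-MPPE-Recv-Key (same scheme
# as Tunnel-Password, RFC 2868 3.5) and the proxy re-encryption it requires.
# Secrets, Request Authenticators and the key are constructed values.
import hashlib

def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mppe_encrypt(key, secret, request_auth, salt):
    """P = len(key) || key, zero-padded to a multiple of 16 bytes.
    c1 = P1 xor MD5(S+R+A), ci = Pi xor MD5(S+c(i-1)); value = A || c1..cn."""
    plain = bytes([len(key)]) + key
    plain += bytes(-len(plain) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        block = _xor16(plain[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return salt + out

def mppe_decrypt(value, secret, request_auth):
    """Inverse of mppe_encrypt; returns None when the length byte is implausible,
    which is the condition a NAS reports as 'bogus decrypted length'."""
    salt, cipher = value[:2], value[2:]
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        plain += _xor16(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    length = plain[0]
    if length == 0 or length > len(plain) - 1:
        return None
    return plain[1:1 + length]

def proxy_demo():
    key = bytes(range(16))                                   # constructed 16-byte MPPE key
    home_secret, nas_secret = b"home-secret", b"nas-secret"  # constructed per-hop secrets
    home_auth, nas_auth = bytes([0x11] * 16), bytes([0x22] * 16)  # constructed Request Authenticators
    salt = b"\x80\x01"                                       # high bit of the salt must be set
    from_home = mppe_encrypt(key, home_secret, home_auth, salt)
    # Relaying the ciphertext unchanged: the NAS decrypts under its own secret and
    # authenticator and gets garbage (usually an impossible length byte, never the key).
    relayed_ok = mppe_decrypt(from_home, nas_secret, nas_auth) == key
    # Correct proxy behaviour: decrypt with the home hop's parameters, re-encrypt with the NAS hop's.
    reencrypted = mppe_encrypt(mppe_decrypt(from_home, home_secret, home_auth), nas_secret, nas_auth, salt)
    return relayed_ok, mppe_decrypt(reencrypted, nas_secret, nas_auth) == key
```

The same per-hop re-encryption is what marking the attributes encrypt=2 in the dictionary asks the server to do on the proxy's behalf.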