Re: Authenticating using LDAP module

2003-09-17 Thread Narasimha Reddy Gujja

There seems to be a problem with radius interpreting the IP address of the ldap
machine. Even if you give ldap://ipaddr it won't contact the ldap server, or
maybe not, maybe I am ignorant (-; just my view.

When you used localhost did you put it in quotes like "localhost"? If not, try that.

And how do you want to use ldap to authenticate without using the "userPassword"
attribute in your ldap entry?

Reddy
([EMAIL PROTECTED])



-
This mail sent through IMP: http://horde.org/imp/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Limiting time to connect

2003-09-17 Thread Narasimha Reddy Gujja
Hi all

Thanks for suggesting that Mike, if it works for me I will post about it.

thank you
Reddy





Limiting time to connect

2003-09-16 Thread Narasimha Reddy Gujja


Hi all

I have a wireless setup, where I authenticate the clients (wireless card) with
RADIUS, the request coming via the NAS (Orinoco AP2000).

Is there a way to limit the time a client is connected to the network?

I think we can limit the time to connect by changing some configuration within
the NAS (Orinoco AP2000), but that will be the same for all users.

I want the time to connect to be varied based on each user.

I can gather information about the user from LDAP (I use LDAP for authorize and
authentication).

Do I need to append something to the access_accept packet? Or send some other packet
to the NAS before access_accept?

I appreciate your patient hearing.

Thanks
Narasimha R Gujja


Re: Re: understanding checkval

2003-06-25 Thread Narasimha Reddy Gujja
>> hi all
>> I posted a question regarding checkval module, but I got no response from
>> anyone.
>>
>> I am posting the question again on the list. Hope I get a reply this time. This is
>> my question:
>>
>> 1) First of all, is it correct to say that checkval only checks for the
>> attributes it can extract from the NAS (access point)?
>
> It checks attributes it finds in the access-request with attributes it gets from
> the check items (config items) list.
>
>>
>> 2) Then can I modify checkval to, say, call a function in it; this function will
>> process on the various data elements in the LDAP entry for the user and then
>> accept or reject or simply send a message.
>
> Without code patches no. In any case why? You can just extract the data elements
> in the ldap module and make them available as check items to the checkval
> module.
>
>>
>> 3) And last and equally important as the two above, what's the call-flow of
>> checkval, how does it work?
>
> Read the code.
>
> In any case you haven't told us anything about what exactly you are trying to
> do. That would make both our lives and yours much easier.
>
>>
>> thanks
>>
>> Reddy ([EMAIL PROTECTED])
>>
>>

This is what I want to do.

I may have to authenticate a user based on some attributes not present in the
access request. For example expiration date, time, etc., for which I need to
access the time and date of the system and this is not present in the request.

Also I need a module (this could be checkval) to bring up the services (could
be anything like notepad, a message box, etc.) from the LDAP before sending the
authentication to the user. For this the module has to look into the LDAP
entry of the user, find the services and bring them up along with the network
connection.

Hope I am clear this time.

Reddy ([EMAIL PROTECTED])







Re: ldap config problems

2003-06-25 Thread Narasimha Reddy Gujja
Looking at your debug I think you have not enabled LDAP authentication.

In the /raddb/users file enter the following statement:

DEFAULT  Auth-Type := LDAP
 Fall-Through = 1

and comment the statement where it says Auth-Type := System.

The RADIUS is assuming it is System type authentication. You need to change 
that.

Hope it helps

Reddy ([EMAIL PROTECTED])





Re: Other then mac address in access point authentication with Freeradius

2003-06-25 Thread Narasimha Reddy Gujja

> Hi everyone,
> I know that an access point can act as a radius client & then authenticate
> client's mac address with Freeradius server & there got to be an entry for
> this client in the users file. But let's say I have 1000 clients, do I have
> to find out every single client's mac address & then add them into the users
> file? Is there a better way of doing it?

First of all, MAC based authentication is not very secure.

If you still want to use MAC based authentication and manage a lot of users, a
better way would be to have all the user base in LDAP. The RADIUS will query
LDAP for the MAC address of the card; this will eliminate entering all the
user information in a single user file in RADIUS.

Reddy ([EMAIL PROTECTED])




understanding checkval

2003-06-22 Thread Narasimha Reddy Gujja
hi all
I posted a question regarding checkval module, but I got no response from
anyone.

I am posting the question again on the list. Hope I get a reply this time. This is
my question:

1) First of all, is it correct to say that checkval only checks for the
attributes it can extract from the NAS (access point)?

2) Then can I modify checkval to, say, call a function in it; this function will
process on the various data elements in the LDAP entry for the user and then
accept or reject or simply send a message.

3) And last and equally important as the two above, what's the call-flow of
checkval, how does it work?

thanks

Reddy ([EMAIL PROTECTED])




understanding checkval

2003-06-20 Thread Narasimha Reddy Gujja
hi all

I have been using RADIUS to authenticate wireless users with userbase in LDAP.

I am using checkval, part of the recent snapshot, to restrict users based on access
point.

There are a few things which are dangling over my head. I hope someone could
clarify.

First of all, is it correct to say that checkval only checks for the
attributes it can extract from the NAS (access point)?

Then can I modify checkval to, say, call a function in it; this function will
process on the various data elements in the LDAP entry for the user and then
accept or reject or simply send a message.

And last and equally important as the two above, what's the call-flow of
checkval, how does it work?

I hope I am clear.

Thanks in advance.
Reddy ([EMAIL PROTECTED])



freeradius+ldap+mschap

2003-04-03 Thread Narasimha Reddy Gujja
Hi
I have a wlan in which the RADIUS authenticates the wireless card with its
MAC address stored in ldap.

Now I want to use MSCHAP/PEAP with userbase in ldap.
How can I do this?

Thanks
Reddy([EMAIL PROTECTED])





Re: EAP/MD5 authentication problem!

2003-03-28 Thread Narasimha Reddy Gujja
Hi
Thanks for the response. I have stopped using MD5 for authentication purposes.
Now I am shifting towards EAP/TLS, hope this time I don't get any errors.

Thanks for the help
Reddy [EMAIL PROTECTED]

>hi
>
>what you've sent is the following:
>
>eap response identity
>md5 challenge
>
>then new eap response identity
>and new challenge issued by the server
>
>take a look at the EAP-Message attribute to approve this.
>
>so, from the server's point of view there was no problem. however, it
>never received the necessary response to its challenges.
>
>thus, the problem is either on your radius client (access device) or at
>your user (winXP). what are you trying to do exactly?
>
>
>ciao
>artur
>
>
>
Narasimha Reddy Gujja wrote:
> Hi Artur
>
> I am sending the server debug output file.
>
> I am trying to authenticate wireless users with XP system. My userbase is in
> LDAP.
>
> Any suggestion will be great. Thanks in advance.
>

EAP/MD5 authentication problem!

2003-03-26 Thread Narasimha Reddy Gujja
Hi Artur

I am sending the server debug output file.

I am trying to authenticate wireless users with XP system. My userbase is in
LDAP.

Any suggestion will be great. Thanks in advance.

radiusd -X -A*
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 138.47.102.110:6001, id=13, 
length=119
User-Name = "Bob"
NAS-IP-Address = 138.47.102.110
Called-Station-Id = "00-02-2d-47-23-58"
Calling-Station-Id = "00-02-2d-50-a3-f3"
NAS-Identifier = "RadiusAP"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000\010\001Bob"
Message-Authenticator = 0x108ee1364eaf6d73afd4fca020f4ce04
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
users: Matched Bob at 3
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 13 to 138.47.102.110:6001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1750
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = "\001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360<"
Message-Authenticator = 0x
State = 
0xb8544111638aa2094bf37fb63b6e4ddae418813eadd92b7dc38bd585e79b2bb05fce59c2
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 13 with timestamp 3e8118e4
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 138.47.102.110:6001, id=14, 
length=119
User-Name = "Bob"
NAS-IP-Address = 138.47.102.110
Called-Station-Id = "00-02-2d-47-23-58"
Calling-Station-Id = "00-02-2d-50-a3-f3"
NAS-Identifier = "RadiusAP"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000\010\001Bob"
Message-Authenticator = 0x2b66e939f74c34a4a996282607247b8d
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
users: Matched Bob at 3
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 14 to 138.47.102.110:6001
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Routing = Broadcast-Listen
Framed-MTU = 1750
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = "\001\016\000\026\004\020J\347\0236\344K\371
\277y\322u.#H\030\245"
Message-Authenticator = 0x
State = 
0x8c23059409e8141abbacc10527ed7c20ec18813e310778ff5bce1ea5c9149793b998df93
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 14 with timestamp 3e8118ec
Nothing to do.  Sleeping until we see a request.



Thanks 
Reddy [EMAIL PROTECTED]
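
The EAP-Message values in this debug output can be decoded to see which side stopped talking. The following is an added example, not part of the original posts and not FreeRADIUS code: the three strings are copied from the log above, the header layout is the standard EAP one (code, identifier, length, type), and the function names are made up for illustration.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}
SIMPLE_ESCAPES = {"r": 13, "n": 10, "t": 9}

# EAP-Message lines copied from the debug output in the post, in order:
# request id=13, the server's Access-Challenge, then request id=14.
LOG = r'''
EAP-Message = "\002\002\000\010\001Bob"
EAP-Message = "\001\r\000\026\004\020HU\235\272in;q~\373)$\304*\360<"
EAP-Message = "\002\002\000\010\001Bob"
'''

def unescape(text):
    # Undo the printable form used in the log: \ooo octal, \r, \n, \t, \\, \"
    out, pos = bytearray(), 0
    for m in re.finditer(r'\\([0-7]{1,3}|.)', text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        if tok[0] in "01234567":
            out.append(int(tok, 8) & 0xFF)
        else:
            out.append(SIMPLE_ESCAPES.get(tok, ord(tok)))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_eap(raw):
    # EAP header: Code (1 byte), Identifier (1), Length (2, whole packet), then Type.
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} but attribute holds {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def parse_log(log):
    return [parse_eap(unescape(s)) for s in re.findall(r'EAP-Message = "(.*)"', log)]

def challenge_answered(pkts):
    # True only if the supplicant ever sent a Response of type MD5-Challenge.
    return any(p["code"] == "Response" and p.get("type") == "MD5-Challenge" for p in pkts)

PKTS = parse_log(LOG)

if __name__ == "__main__":
    for p in PKTS:
        print(p)
    print("challenge answered:", challenge_answered(PKTS))
```

Both Access-Requests decode to an Identity Response and the only MD5-Challenge packet is the server's Request, so `challenge_answered` returns False for this log.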





EAP/MD5 authentication problem!

2003-03-25 Thread Narasimha Reddy Gujja
Hi All

I have enabled MAC based authentication for my wireless network using RADIUS
and LDAP. Now I want to authenticate using EAP.
I have several doubts.

I configured my client machine to use 'EAP/MD5' and I configured the Access
Point to use '802.1x'.

My problem is that the client (read XP system) machine is not authenticated by
the server, it keeps on asking to enter
username and password, but is not authenticated.



Please look into my conf files and log and help me out.

Also how can I check for the password in LDAP, instead of in the users file?

It will be a great help and thanks for your patience.

***
***users
Bob   Auth-Type := EAP, User-Password = "public"
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-Routing = Broadcast-Listen,
 Framed-MTU = 1750,
 Framed-Compression = Van-Jacobsen-TCP-IP

**radiusd.conf
modules{

eap {
 #default_eap_type = md5
 # Supported EAP-types
 md5 {
 }


