Wireless Authentication Script in both English & Turkish...
# Purpose: For Newbies
# Easy Installations and configurations of FreeRADIUS-0.81 & OpenLDAP-2.0.27 for Wireless Networks
# MAC Address & User Authentication
# It should also work for Wired Networks...
#
# RUN:
# $sh wireless_authenticate.0.0.1.sh
# TESTED PLATFORM:
# *Red Hat 7.1
# *Red Hat 8.0
# TODO:
# * EAP-MD5 Script
# * EAP-TLS Script
# * Currently, This script depends on the current config files of FreeRADIUS and OpenLDAP
#   It should be version independent.
# * Needs some script improvements
# * Apache Interface -Web Authentication- should be included
# * New languages should be added

Script:

#!/bin/sh
# Purpose: For Newbies
# Easy Installations and configurations of FreeRADIUS-0.81 & OpenLDAP-2.0.27 for Wireless Networks
# MAC Address & User Authentication
# It should also work for Wired Networks...
#
#(c) 10 January 2003 Tamer Demir <[EMAIL PROTECTED]>
# http://www.netlab.boun.edu.tr/~tamer/
# -
#This program is free software; you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation; either version 2 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# ---
# RUN:
# $sh wireless_authenticate.0.0.1.sh
# TESTED PLATFORM:
# *Red Hat 7.1
# *Red Hat 8.0
# TODO:
# * EAP-MD5 Script
# * EAP-TLS Script
# * Currently, This script depends on the current config files of FreeRADIUS and OpenLDAP
#   It should be version independent.
# * Needs some script improvements
# * Apache Interface -Web Authentication- should be included
# * New languages should be added

clear
echo Suggestion:
echo First read the source code of this program make your changes if you desire then run!!
echo Tavsiye:
echo Önce kaynak kodu okuyun gerekiyorsa bazı değişiklikleri yaptıktan sonra çalıştırın!!
echo
echo Choose your language during installation \"MAC Address \& User Authentication with RADIUS\&LDAP in Wireless Networks\"
echo \"Kablosuz Ağlarda RADIUS ve LDAP ile \"MAC Address \& User Authentication Uygulaması \" kurulumu icin dilinizi seciniz
echo "Türkçe = t"
echo "english = e"
read dil
clear

# Turkish
if test "$dil" = "t"
then
    echo
    echo "LDAP kurmak istiyormusun?"
    echo "Evet = e"
    echo "Hayir = h"
    read LDAP
    if test "$LDAP" = "e"
    then
        echo Şimdi OpenLDAP-2.0.27 dosyasını indiriyorum \(www.openldap.org\)
        echo Kaynağın olduğu sunucuda bir sorun olursa www.openldap.org dan bu klasöre indirebilirsiniz
        # wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.0.27.tgz
        # wget http://www.cmpe.boun.edu.tr/~demirt/sil-source/openldap-2.0.27.tgz
        # wget http://www.netlab.boun.edu.tr/~tamer/LDAP/openldap-2.0.27.tgz
        rm -r openldap-2.0.27/
        tar zxvf openldap-2.0.27.tgz
        cd openldap-2.0.27/
        (
            ./configure --prefix=/usr/local/openldap-2.0.27/ --exec-prefix=/usr/local/openldap-2.0.27/
            make depend
            make
            make test
            make install
        )
        cd ..
        rm -r openldap-2.0.27
    fi

    echo "Şimdi FreeRADIUS u indiriyorum"
    #RADIUS
    # wget ftp://ftp.freeradius.org/pub/radius/freeradius-0.8.1.tar.gz
    # wget http://www.cmpe.boun.edu.tr/~demirt/sil-source/freeradius-0.8.1.tar.gz
    # wget http://www.netlab.boun.edu.tr/~tamer/RADIUS/freeradius-0.8.1.tar.gz
    rm -r freeradius-0.8.1
    tar zxvf freeradius-0.8.1.tar.gz
    cd freeradius-0.8.1
    (
        ./configure --prefix=/usr/local/freeradius-0.8.1-LDAP/ --with-radacctdir=/usr/local/freeradius-0.8.1-LDAP/ --with-ldap --with-openldap=/usr/local/openldap --without-rlm_x99_token
        make
        make install
    )
    cd ..
    clear
    sleep 2

    # Ask how many access points (NAS) may use this RADIUS server,
    # then append one line per AP to the clients file.
    echo "Kablosuz kullanıcının bağlanacağı Access Point sayisini yaziniz, NAS"
    echo "Bu sayi RADIUS serverini kullanma izni olacak AP lerin sayisidir"
    export COUNT=1
    read COUNT
    while [ "$COUNT" != "0" ]
    do
        echo "Kablosuz kullanıcının bağlanacağı Access Point in IP numarasını şu şekilde girin, örnek: 192.168.91.102"
        read A
        # Every AP is registered with the same shared secret, the literal word "secret".
        echo "$A secret ">>/usr/local/freeradius-0.8.1-LDAP/etc/raddb/clients
        export COUNT=$((COUNT - 1))
        echo $COUNT adet AP kaldı geriye...
        echo
        echo
    done
    sleep 2
    echo
    echo "AP de RADIUS ayarlarında RADIUS serverının IP sini girmeyi ve sifresine secret yazmayı unutmayın"
    echo
LDAP help needed
Hello,

I just started to try FreeRADIUS with LDAP. Since I am new to LDAP I have encountered many problems and finally wanted to consult the users who have done LDAP+Radius.

Can you send simple one-user example files of:

slapd.conf
ldap.conf
users
radiusd.conf

or just mention the required changes in the above files, with an example users.ldif file and how to insert it into the LDAP database.

Thanks in advance,
Tamer

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: ???
ftp://rpmfind.net/linux/engarde/people/dave/RADIUS/freeradius-20021109-1.2.0.i386.rpm
ftp://rpmfind.net/linux/engarde/people/dave/RADIUS/freeradius-0.8-1.2.5.i386.rpm

Maybe this would help

Tamer

>Anyone have a RP? for freeRadius 0.8 (RedHat 7.2 i386)?
>
>If not anyone want to make one for me as I'm a newbie to such things and haven't the time? :)
>
>Brian J.

>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Murat Hakan
>>Sent: Monday, December 23, 2002 3:02 PM
>>To: [EMAIL PROTECTED]
>>Subject: ???
>>
>>
>>Hello all,
>>
>>Sorry for the subject since I could not find a subject for my problem.
>>
>>First, thanks for building such a flexible RADIUS server.
>>
>>I am trying to authenticate the Wireless Users by FreeRADIUS. I have
>>managed to do MAC address authentication. Since in MAC authentication
>>the user does not do anything, the Access Point sends the MAC address automatically
>>to the RADIUS server. But I cannot do username/password
>>authentication, this is because I do not know how to send the
>>username/password combination to the Avaya Access Point which has RADIUS
>>support.
>>
>>I think I must use a software like Dial-Up Networking software, but in
>>Wireless Networks I can not dial a number like traditional ISP
>>connection.
>>
>>And, I cannot see any "detail" file or any file in the
>>"radacct" directory, I think this means that, Avaya Access Point does
>>not
>>send accounting packets (I read this from the FAQ).
>>
>>Thanks for any help,
>>
>>Murat
Re: IPv6 + Proxy...
At 05:23 PM 12/20/2002, you wrote:

20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> I know it looks strange but, in a scenario like this: you are a big
> company and you have a contract with many smaller companies with their own
> realms. The users who are in these small companies may connect to the
> Internet by using other small companies' NASes. And in order to solve the
> accounting conflict between the small companies the big company wants all
> the data about the authenticating users from all other small companies. Big
> company just will act as a referee.
>
> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Either all your radius servers are proxies to the big company's radius server(s) or you use something like radrelay and just use the accounting information (which contains the detail you need) you don't need the actual packets that are sent to the user, just the accounting info.

Unfortunately, what if the big company wants all the detailed information and also the small companies want all the detailed info too, like MAC address of the users, the beginning and end time of the connection and the small company name that the wireless user connected.

Tamer
Re: IPv6 + Proxy...
At 04:05 PM 12/20/2002, you wrote:

Tamer Demir <[EMAIL PROTECTED]> wrote:
> Is FreeRADIUS IPv6 compatible?

What do you mean by that?

I mean, can FreeRADIUS understand the authentication packets that come from a client that has an IPv6 IP address(128)? Since we are planning to use RADIUS in an IPv6 Testbed to authenticate the users.

> And, after the authentication of the user I want to send (proxy) the
> authentication packets to another FreeRADIUS server, How can I do
> that?

Why?

I know it looks strange but, in a scenario like this: you are a big company and you have a contract with many smaller companies with their own realms. The users who are in these small companies may connect to the Internet by using other small companies' NASes. And in order to solve the accounting conflict between the small companies the big company wants all the data about the authenticating users from all other small companies. Big company just will act as a referee.

Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Thanks a lot,
Tamer
IPv6 + Proxy...
Hello,

Is FreeRADIUS IPv6 compatible?

And, after the authentication of the user I want to send (proxy) the authentication packets to another FreeRADIUS server, how can I do that? It is like proxying the packets to 2 other RADIUS servers but one of them is its own.

Regards,
Tamer
mod_auth_radius ...
Hello Alan,

I have configured your "mod_auth_radius.c" and am now using it with FreeRadius. While configuring I encountered many difficulties both in adding the c file in ./configure and by using it with apxs. I know this is because I do not know the details of apache but at last with apache 1.3.26 I wrote the below commands and everything worked somehow

everything worked fine with apache 1.3.26 & ftp://ftp.freeradius.org/pub/radius/mod_auth_radius.tar & Red Hat 7.x (Linux 2.4.9-21)

./configure --add-module=/root/mod_auth_radius-1.5.4/mod_auth_radius.c --enable-shared=auth_radius
make
make install

Now my question is that: if user connected from NAS_A then I want to send him dynamically created web_page-a.html and if user is connected from NAS_B then I want to send him dynamically created web page-b.html. How can I do that?

Regards,
Tamer
Re: EAP/MD5 in Windows XP Problem..
"(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
**
rad_recv: Access-Request packet from host 192.168.91.102:192, id=1, length=110
        User-Name = "bob"
        NAS-IP-Address = 192.168.91.102
        Called-Station-Id = "00022d034186"
        Calling-Station-Id = "00022d176e31"
        NAS-Identifier = "Orinoco 2"
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1400
        EAP-Message = "\002\001\000\010\001bob"
        Message-Authenticator = 0x5e92e3b76a8cdda96c86e7f5a0759f5f
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
users: Matched bob at 2
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [bob/] (from client AP102 port 0 cli 00022d176e31)
Sending Access-Challenge of id 1 to 192.168.91.102:192
        EAP-Message = "\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"
        Message-Authenticator = 0x
        State = 0xe70a7e23ec5636d88fdcd2041a5c50ad5de1ec3d7d399bf7817221bdb074a18416ece725
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3dece15d
Nothing to do. Sleeping until we see a request.
**

At 18:44 02.12.2002, you wrote:

hi tamer

read the EAP/MD5 FAQ.
the solution: get rid of the Reply-Message included by xlat in the Challenge.

and by the way what's all this mess with the Framed-MTU?

greetings
artur

Tamer Demir wrote:
>
> After the radius server sends the challenge, XP does not send a response and
> stays in the authentication state. Do you know any solution?
>
> I am doing both MAC address and user authentication. Windows XP asks for a
> user name and password; when I wrote this, XP is stuck at the authenticating
> state! (In the XP options I chose MD5 challenge...)
>
> Config files:
>
> users:
> **
> #my user
> tamer Auth-Type := EAP, User-Password = "demir"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Routing = Broadcast-Listen,
>         Framed-MTU = 1750,
>         Framed-Compression = Van-Jacobsen-TCP-IP
>
> #Orinoco Card Cisca
> 00022d-034186 Auth-Type := Local, User-Password == "secret"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-Routing = Broadcast-Listen,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP
> **
>
> radius.conf:
> **
> user = root
> group = root
> modules {
>     unix {
>         cache = yes
>         cache_reload = 600
>         passwd = /etc/passwd
>         shadow = /etc/shadow
>         group = /etc/group
>         radwtmp = ${logdir}/radwtmp
>     }
>     eap {
>         #default_eap_type = md5
>         # Supported EAP-types
>         md5 {
>         }
>         ..
> }
> authorize {
>     eap
>     preprocess
>     files
>     suffix
> }
> authenticate {
>     eap
>     unix
> }
> accounting {
>     detail
>     unix
>     radutmp
>
> }
> session {
>     radutmp
> }
> **
>
> Output:
>
> *
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/sql
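
The two EAP-Message attributes in the debug output of the message above can be decoded to see how far the EAP-MD5 exchange got. The following is an added example, not part of the original thread or of FreeRADIUS; the function names are its own, it assumes the log prints non-printable bytes as `\ooo` octal escapes, and `demo-password` is a constructed placeholder.

```python
import hashlib
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# Assumption: the debug output prints non-printable bytes as \ooo (octal)
# and everything else literally, as in the two EAP-Message lines above.
_TOKEN = re.compile(r"\\([0-3][0-7]{2})|\\(.)|(.)", re.DOTALL)


def unescape(text):
    """Convert the log rendering of an attribute back into raw bytes."""
    out = bytearray()
    for octal, escaped, plain in _TOKEN.findall(text):
        out += bytes([int(octal, 8)]) if octal else (escaped or plain).encode("latin-1")
    return bytes(out)


def parse_eap(packet):
    """Decode one EAP packet: RFC 3748 header, Identity and MD5-Challenge bodies."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(packet)))
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        etype, data = packet[4], packet[5:length]
        msg["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            msg["identity"] = data.decode("utf-8", "replace")
        elif etype == 4:
            # MD5-Challenge body: one value-size byte, the value, optional name.
            if not data or data[0] > len(data) - 1:
                raise ValueError("bad MD5-Challenge value-size")
            msg["value"] = data[1:1 + data[0]]
            msg["name"] = data[1 + data[0]:]
    return msg


def md5_response_value(ident, password, challenge):
    """Value the supplicant must send back: MD5(id || password || challenge), as in CHAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


# The two EAP-Message attributes copied from the debug output above.
FROM_CLIENT = r"\002\001\000\010\001bob"
FROM_SERVER = r"\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"

if __name__ == "__main__":
    request = parse_eap(unescape(FROM_SERVER))
    print(parse_eap(unescape(FROM_CLIENT)))
    print(request["type"], request["id"], request["value"].hex())
    # "demo-password" is a constructed placeholder, not a value from the page.
    print(md5_response_value(request["id"], b"demo-password", request["value"]).hex())
```

The log contains the Response/Identity (id 1) and the server's MD5-Challenge (id 2) but no Response with id 2, which matches the symptom of the client staying in the authenticating state.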
EAP/MD5 in Windows XP Problem..
After the radius server sends the challenge, XP does not send a response and stays in the authentication state. Do you know any solution?

I am doing both MAC address and user authentication. Windows XP asks for a user name and password; when I wrote this, XP is stuck at the authenticating state! (In the XP options I chose MD5 challenge...)

Config files:

users:
**
#my user
tamer Auth-Type := EAP, User-Password = "demir"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1750,
        Framed-Compression = Van-Jacobsen-TCP-IP

#Orinoco Card Cisca
00022d-034186 Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
**

radius.conf:
**
user = root
group = root
modules {
    unix {
        cache = yes
        cache_reload = 600
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
        radwtmp = ${logdir}/radwtmp
    }
    eap {
        #default_eap_type = md5
        # Supported EAP-types
        md5 {
        }
        ..
}
authorize {
    eap
    preprocess
    files
    suffix
}
authenticate {
    eap
    unix
}
accounting {
    detail
    unix
    radutmp
}
session {
    radutmp
}
**

Output:
*
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
[/usr/local/etc/raddb/users]:90 WARNING! Changing 'User-Password =' to 'User-Password =='
        for comparing RADIUS attribute in check item list for user tamer
Module: Instantiated files (files)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = yes
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
HASH: Reinitializing hash structures and lists for caching...
HASH: user root found in hashtable bucket 11726
HASH: user bin found in hashtable bu
segmentation fault???
While testing freeRADIUS with the NtRadPing program, when I send the request-type "status server" freeradius gives a segmentation fault.

Is this a bug??

output:

Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 11 with timestamp 3de5e911
Nothing to do. Sleeping until we see a request.
rad_recv: Status-Server packet from host 192.168.194.101:4881, id=12, length=35
WARNING: Ignoring Status-Server request due to security configuration
        User-Name = "00022d-3d425a"
Segmentation fault
Re: RADIUS Accounting tools?
www.pgregg.com/projects/radiusreport/

At 10:00 28.11.2002, you wrote:

Hi all,

Looking on behalf of a client, I'm seeking a RADIUS accounting tool. Are any of you familiar with a tool useful for an Application Service Provider to provide accounting information for specific clients hosted?

Thanks!
Jonas
AP does not send any request??
Hello all,

I configured freeradius for a wireless LAN. I will try to use MAC address authentication, but unfortunately the AP does not send any request. I used "tcpdump" and did not see any request. I tested freeradius by using both NTRadPing and radtest and it is working perfectly.

Any idea??

Regards,

PS: below are the users and clients.conf file example entries:
PS2: do I need to enter the MAC address of the ethernet card in the AP??

clients.conf:
***
client 192.168.91.104 {
        secret = secret
        shortname = AP104
}
***

users:
#Orinoco Card AP-1000
00022d-033170 Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
#       Framed-IP-Address = 172.16.3.33,
#       Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

#Orinoco Card PCMCIA
00022d-02a23b Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
#       Framed-IP-Address = 172.16.3.33,
#       Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
Wireless LAN with Freeradius...
Hi all,

Could you please write about your freeradius experiences in 802.11 Wireless LAN? Can we set up freeradius to allow certain MAC addresses? And is there a need for third-party software in the wireless clients?

Regards,
Tamer