Wireless Authentication Script in both English & Turkish...

2003-01-13 Thread Tamer Demir
# Purpose: For Newbies
# Easy Installations and configurations of FreeRADIUS-0.81 & OpenLDAP-2.0.27 for Wireless Networks
# MAC Address & User Authentication
# It should also work for Wired Networks...
#


# RUN:
# $sh wireless_authenticate.0.0.1.sh
# TESTED PLATFORM:
# *Red Hat 7.1
# *Red Hat 8.0
# TODO:
# * EAP-MD5 Script  
# * EAP-TLS Script
# * Currently, This script depends on the current config files of FreeRADIUS and OpenLDAP
#   It should be version independent.
# * Needs some script improvements
# * Apache Interface -Web Authentication- should be included 
# * New languages should be added


Script:
#!/bin/sh
# Purpose: For Newbies
# Easy Installations and configurations of FreeRADIUS-0.81 & OpenLDAP-2.0.27 for Wireless Networks
# MAC Address & User Authentication
# It should also work for Wired Networks...
#
#(c) 10 January 2003 Tamer Demir  <[EMAIL PROTECTED]>
# http://www.netlab.boun.edu.tr/~tamer/
#
# ---
#This program is free software; you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation; either version 2 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
# ---
# RUN:
# $sh wireless_authenticate.0.0.1.sh
# TESTED PLATFORM:
# *Red Hat 7.1
# *Red Hat 8.0
# TODO:
# * EAP-MD5 Script  
# * EAP-TLS Script
# * Currently, This script depends on the current config files of FreeRADIUS and OpenLDAP
#   It should be version independent.
# * Needs some script improvements
# * Apache Interface -Web Authentication- should be included 
# * New languages should be added
clear
echo Suggestion:
echo First read the source code of this program make your changes if you desire then run!!
echo Tavsiye:
echo Önce kaynak kodu okuyun gerekiyorsa bazı değişiklikleri yaptıktan sonra çalıştırın!!
echo
echo Choose your language during installation \"MAC Address \& User Authentication with RADIUS\&LDAP in Wireless Networks\"
echo \"Kablosuz Ağlarda RADIUS ve LDAP ile \"MAC Address \& User Authentication Uygulaması \" kurulumu icin dilinizi seciniz
echo "Türkçe = t"
echo "english = e"
read dil
clear
# Turkish
if test "$dil" = "t"
then
 echo
 echo "LDAP kurmak istiyormusun?"
 echo "Evet = e"
 echo "Hayir = h"
 read LDAP
 if test "$LDAP" = "e"
 then
   echo Şimdi OpenLDAP-2.0.27 dosyasını indiriyorum \(www.openldap.org\)
   echo Kaynağın olduğu sunucuda bir sorun olursa www.openldap.org dan bu klasöre indirebilirsiniz
   # wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.0.27.tgz
   # wget http://www.cmpe.boun.edu.tr/~demirt/sil-source/openldap-2.0.27.tgz
   # wget http://www.netlab.boun.edu.tr/~tamer/LDAP/openldap-2.0.27.tgz
   rm -r openldap-2.0.27/
   tar zxvf openldap-2.0.27.tgz
   cd openldap-2.0.27/
(
 ./configure --prefix=/usr/local/openldap-2.0.27/ --exec-prefix=/usr/local/openldap-2.0.27/
 make depend
 make
 make test 
 make install
)
   cd ..
   rm -r openldap-2.0.27
 fi
 echo "Şimdi FreeRADIUS u indiriyorum"
#RADIUS
# wget ftp://ftp.freeradius.org/pub/radius/freeradius-0.8.1.tar.gz
# wget http://www.cmpe.boun.edu.tr/~demirt/sil-source/freeradius-0.8.1.tar.gz
# wget http://www.netlab.boun.edu.tr/~tamer/RADIUS/freeradius-0.8.1.tar.gz
 rm -r freeradius-0.8.1
 tar zxvf freeradius-0.8.1.tar.gz
 cd freeradius-0.8.1
(
./configure --prefix=/usr/local/freeradius-0.8.1-LDAP/ --with-radacctdir=/usr/local/freeradius-0.8.1-LDAP/ --with-ldap --with-openldap=/usr/local/openldap --without-rlm_x99_token
make
make install
)
 cd .. 
clear
sleep 2
echo "Kablosuz kullanıcının bağlanacağı Access Point sayisini yaziniz, NAS"
echo "Bu sayi RADIUS serverini kullanma izni olacak AP lerin sayisidir"
export COUNT=1
read COUNT
while [ "$COUNT" != "0" ]
do
  echo "Kablosuz kullanıcının bağlanacağı Access Point in IP numarasını şu şekilde girin, örnek: 192.168.91.102"
  read A 
  # Every AP is registered as a RADIUS client with the same shared secret, the literal string "secret"
  echo "$A  secret" >>/usr/local/freeradius-0.8.1-LDAP/etc/raddb/clients
  # POSIX arithmetic expansion instead of the bash-only $[ ] form
  export COUNT=$((COUNT - 1))
  echo $COUNT adet AP kaldı geriye...
  echo
  echo
done
sleep 2
echo
echo "AP de RADIUS ayarlarında RADIUS serverının IP sini girmeyi ve sifresine secret yazmayı unutmayın"
echo 

LDAP help needed

2003-01-04 Thread Tamer Demir
Hello,

I just started to try the FreeRADIUS with LDAP. Since I am new to LDAP I
have encountered many problems and finally wanted to consult the users who
have done LDAP+Radius.

Can you send simple one user examples files of:
slapd.conf
ldap.conf
users
radiusd.conf

or just mentioning the required changes in the above files with an example
users.ldif file with how to insert it into the LDAP database.

Thanks in advance,
Tamer

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: ???

2002-12-24 Thread Tamer Demir

ftp://rpmfind.net/linux/engarde/people/dave/RADIUS/freeradius-20021109-1.2.0.i386.rpm
ftp://rpmfind.net/linux/engarde/people/dave/RADIUS/freeradius-0.8-1.2.5.i386.rpm

Maybe this would help

Tamer

>Anyone have a RPM for freeRadius 0.8 (RedHat 7.2 i386)?
> 
>If not anyone want to make one for me as I'm a newbie to such things and
>haven't the time?  :)
> 
>Brian J.
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Murat Hakan
>>Sent: Monday, December 23, 2002 3:02 PM
>>To: [EMAIL PROTECTED]
>>Subject: ???
>>
>>
>>Hello all,
>>
>>Sorry for the subject since I could not find a subject for my problem.
>>
>>First, thanks for building such a flexible RADIUS server.
>>
>>I am trying to authenticate the Wireless Users by FreeRADIUS. I have
>>managed to do MAC address authentication. Since in MAC authentication
>>the user does not do anything, the Access Point sends the MAC address automatically
>>to the RADIUS server. But I cannot do username/password
>>authentication, this is because I do not know how to send the
>>username/password combination to the Avaya Access Point which has RADIUS
>>support.
>>
>>I think I must use a software like Dial-Up Networking software, but in
>>Wireless Networks I can not dial a number like traditional ISP
>>connection. 
>>
>>And, I cannot see any "detail" file or any file in the
>>"radacct" directory, I think this means that, Avaya Access Point does
>>not
>>send accounting packets (I read this from the FAQ).
>>
>>Thanks for any help,
>>
>>Murat



Re: IPv6 + Proxy...

2002-12-20 Thread Tamer Demir
At 05:23 PM 12/20/2002, you wrote:

20-Dec-02 at 17:23, Tamer Demir ([EMAIL PROTECTED]) wrote :
> I know it looks strange but, in a scenario like this: you are a big
> company and you have a contract with many smaller companies with their own
> realms. The users which are in these small companies may connect to the
> Internet by using other small companies' NASes. And in order to solve the
> accounting conflict between the small companies the big company wants all
> the data about the authenticating users from all other small companies. Big
> company just will act as a referee.
>
> Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Either all your radius servers are proxies to the big company's radius
server(s) or you use something like radrelay and just use the accounting
information (which contains the detail you need) you don't need the
actual packets that are sent to the user, just the accounting info.

Unfortunately, what if big company wants all the detailed information and 
also the small companies want all the detailed info too, like MAC address 
of the users, the beginning and end time of the connection and the small 
company name that the wireless user connected.

Tamer




Re: IPv6 + Proxy...

2002-12-20 Thread Tamer Demir
At 04:05 PM 12/20/2002, you wrote:

Tamer Demir <[EMAIL PROTECTED]> wrote:
> Is FreeRADIUS  IPv6 compatible?

  What do you mean by that?


I mean, can FreeRADIUS understand the authentication packets that come 
from a client that has an IPv6 IP address(128)? Since we are planning to 
use RADIUS in an IPv6 Testbed to authenticate the users.

> And, after the authentication of the user I want to send (proxy) the
> authentication packets to another FreeRADIUS server, How can I do
> that?

  Why?


I know it looks strange but, in a scenario like this: you are a big 
company and you have a contract with many smaller companies with their own 
realms. The users which are in these small companies may connect to the 
Internet by using other small companies' NASes. And in order to solve the 
accounting conflict between the small companies the big company wants all 
the data about the authenticating users from all other small companies. Big 
company just will act as a referee.

Is this somehow possible by using proxy option in FreeRADIUS, if yes how?

Thanks a lot,

Tamer





IPv6 + Proxy...

2002-12-20 Thread Tamer Demir
Hello,

Is FreeRADIUS  IPv6 compatible?

And, after the authentication of the user I want to send (proxy) the 
authentication packets to another FreeRADIUS server, How can I do that? It 
is like proxying the packets to 2 other RADIUS server but one of them is 
its own.

Regards,
Tamer




mod_auth_radius ...

2002-12-06 Thread Tamer Demir
Hello Alan,
I have configured your "mod_auth_radius.c" and now using it with FreeRadius.
While configuring I encountered many difficulties both in adding the c file 
in ./configure and by using it with apxs. I know this is because I do not 
know the details of apache but at last with apache 1.3.26 I wrote the below 
commands and everything worked somehow everything worked fine?

with apache 1.3.26 & 
ftp://ftp.freeradius.org/pub/radius/mod_auth_radius.tar & Red Hat 7.x 
(Linux 2.4.9-21)
 ./configure --add-module=/root/mod_auth_radius-1.5.4/mod_auth_radius.c --enable-shared=auth_radius
make
make install

Now my question is that:
if user connected from NAS_A then I want to send him dynamically created 
web_page-a.html and if user is connected from NAS_B then I want to send him 
dynamically created web_page-b.html.

How can I do that?

Regards,
Tamer




Re: EAP/MD5 in Windows XP Problem..

2002-12-03 Thread Tamer Demir
"(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
**
rad_recv: Access-Request packet from host 192.168.91.102:192, id=1, length=110
User-Name = "bob"
NAS-IP-Address = 192.168.91.102
Called-Station-Id = "00022d034186"
Calling-Station-Id = "00022d176e31"
NAS-Identifier = "Orinoco 2"
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1400
EAP-Message = "\002\001\000\010\001bob"
Message-Authenticator = 0x5e92e3b76a8cdda96c86e7f5a0759f5f
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
users: Matched bob at 2
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [bob/] (from client AP102 port 0 cli 00022d176e31)
Sending Access-Challenge of id 1 to 192.168.91.102:192
EAP-Message = "\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267"
Message-Authenticator = 0x
State = 0xe70a7e23ec5636d88fdcd2041a5c50ad5de1ec3d7d399bf7817221bdb074a18416ece725
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3dece15d
Nothing to do.  Sleeping until we see a request.
**

At 18:44 02.12.2002, you wrote:
hi tamer

read the EAP/MD5 FAQ.

the solution: get rid of the Reply-Message included by xlat in the
Challenge.


and by the way what's all this mess with the Framed-MTU?

greetings
artur




Tamer Demir wrote:
>
> After the radius server sends the challenge, XP does not send a response and
> stays in the authentication state. Do you know any solution?
>
> I am doing both MAC address and user authentication, The Windows XP asks a
> user name and password when I wrote this, XP is stuck at authenticating
> state! (In the XP options I chose MD5 challenge...)
>
> Config files:
>
> users:
> **
> #my user
> tamer   Auth-Type := EAP, User-Password = "demir"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-Routing = Broadcast-Listen,
>  Framed-MTU = 1750,
>  Framed-Compression = Van-Jacobsen-TCP-IP
>
> #Orinoco Card Cisca
> 00022d-034186   Auth-Type := Local, User-Password == "secret"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-Routing = Broadcast-Listen,
>  Framed-MTU = 1500,
>  Framed-Compression = Van-Jacobsen-TCP-IP
> **
>
> radius.conf:
> **
> user = root
> group = root
> modules {
>unix {
>  cache = yes
>  cache_reload = 600
>  passwd = /etc/passwd
>  shadow = /etc/shadow
>  group = /etc/group
>  radwtmp = ${logdir}/radwtmp
>  }
>   eap {
>  #default_eap_type = md5
>  # Supported EAP-types
>  md5 {
>  }
> ..
> }
> authorize {
> eap
> preprocess
> files
> suffix
> }
> authenticate {
>  eap
>  unix
> }
> accounting {
>  detail
>  unix
>  radutmp
>
> }
> session {
>  radutmp
> }
> **
>
> Output:
>
> *
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/sql
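
The two EAP-Message values in the debug output above can be decoded by hand or with a few lines of code. The following is an added example, not part of the original posts; it assumes the log prints non-printable bytes as three-digit octal escapes, as the output on this page does, and the function names are hypothetical.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}

# EAP-Message values copied from the radiusd debug output on this page.
LOG_IDENTITY = r'\002\001\000\010\001bob'
LOG_CHALLENGE = r'\001\002\000\026\004\020\352\214\347=\276$Cu\372O9\324\232R\341\267'


def unescape_debug_string(text):
    """Convert the log form (octal escapes, other characters literal) to bytes.

    Assumption: only three-digit octal escapes occur, as in the output above.
    """
    out = bytearray()
    for m in re.finditer(r"\\([0-3][0-7]{2})|(.)", text, re.S):
        if m.group(1):
            out.append(int(m.group(1), 8))
        else:
            out += m.group(2).encode("latin-1")
    return bytes(out)


def parse_eap(data):
    """Parse one EAP packet: 4-byte header, then type data for Request/Response."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP length field %d does not fit %d bytes" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code), "id": ident, "length": length}
    body = data[4:length]
    if code in (1, 2) and body:
        etype, tdata = body[0], body[1:]
        pkt["type"] = EAP_TYPES.get(etype, "Unknown(%d)" % etype)
        if etype == 1:
            pkt["identity"] = tdata.decode("utf-8", "replace")
        elif etype == 4:
            # MD5-Challenge: Value-Size, Value, optional Name
            if not tdata or tdata[0] > len(tdata) - 1:
                raise ValueError("MD5-Challenge Value-Size exceeds packet")
            size = tdata[0]
            pkt["value"] = tdata[1:1 + size].hex()
            pkt["name"] = tdata[1 + size:].decode("utf-8", "replace")
    return pkt


def decode_log_value(text):
    """Decode an EAP-Message attribute exactly as it is printed in the debug log."""
    return parse_eap(unescape_debug_string(text))


if __name__ == "__main__":
    for label, raw in (("from client", LOG_IDENTITY), ("from server", LOG_CHALLENGE)):
        print(label, decode_log_value(raw))
```

Run on the two values, it shows the client's Identity response (id 1, "bob") and the server's MD5-Challenge request (id 2, 22 bytes, 16-byte challenge value).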

EAP/MD5 in Windows XP Problem..

2002-12-02 Thread Tamer Demir
After the radius server sends the challenge, XP does not send a response and 
stays in the authentication state. Do you know any solution?

I am doing both MAC address and user authentication, The Windows XP asks a 
user name and password when I wrote this, XP is stuck at authenticating 
state! (In the XP options I chose MD5 challenge...)

Config files:

users:
**
#my user
tamer   Auth-Type := EAP, User-Password = "demir"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1750,
        Framed-Compression = Van-Jacobsen-TCP-IP

#Orinoco Card Cisca
00022d-034186   Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
**

radius.conf:
**
user = root
group = root
modules {
  unix {
cache = yes
cache_reload = 600
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
radwtmp = ${logdir}/radwtmp
}
 eap {
#default_eap_type = md5
# Supported EAP-types
md5 {
}
..
}
authorize {
	eap
	preprocess
	files
	suffix
}
authenticate {
eap
unix
}
accounting {
detail
unix
radutmp

}
session {
radutmp
}
**

Output:

*
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
[/usr/local/etc/raddb/users]:90 WARNING! Changing 'User-Password =' to 'User-Password ==' ?for comparing RADIUS attribute in check item list for user tamer
Module: Instantiated files (files)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = yes
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
  HASH:  user root found in hashtable bucket 11726
  HASH:  user bin found in hashtable bu

segmentation fault???

2002-11-28 Thread Tamer Demir
While testing freeRADIUS with NtRadPing program,
when I send the request-type "status server"
freeradius gives segmentation fault

Is this a bug??

output:

Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 11 with timestamp 3de5e911
Nothing to do.  Sleeping until we see a request.
rad_recv: Status-Server packet from host 192.168.194.101:4881, id=12, length=35
WARNING: Ignoring Status-Server request due to security configuration
User-Name = "00022d-3d425a"
Segmentation fault





Re: RADIUS Accounting tools?

2002-11-28 Thread Tamer Demir

www.pgregg.com/projects/radiusreport/
At 10:00 28.11.2002, you wrote:
Hi all,

Looking on behalf of a client, i'm seeking a RADIUS accounting tool. 
Are any of You familiar with a tool useful for an Application Service Provider 
to provide accounting information for specific clients hosted? 
Thanks! 
Jonas 


AP does not send any request??

2002-11-26 Thread Tamer Demir
Hello all,
I configured freeradius for a wireless LAN, I will try to use MAC address 
authentication, but unfortunately AP does not send any request.
I used "tcpdump" and did not see any request, I tested the freeradius by 
using both NTRadPing and radtest it is working perfectly.

Any idea??

Regards,

PS: below are the users and clients.conf file example entries:
PS2: do I need to enter the MAC address of the ethernet card in the AP??

clients.conf:
***
client 192.168.91.104 {
secret  = secret
shortname   = AP104
}
***
users:

#Orinoco Card AP-1000
00022d-033170   Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
#   Framed-IP-Address = 172.16.3.33,
#   Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

#Orinoco Card PCMCIA
00022d-02a23b   Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
#   Framed-IP-Address = 172.16.3.33,
#   Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
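
Both the clients.conf entry above and the install script earlier on this page give every access point the shared secret "secret". The following added example (not code from the original posts or from FreeRADIUS) audits both client file styles shown on this page for well-known, short, or reused secrets; the function names, the weak-secret list, the 16-character threshold and the 192.168.91.110 entry are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Illustrative list; "secret" is the value used on this page.
KNOWN_WEAK = {"secret", "testing123", "password", "radius"}

# Sample input: first client block is from this page, second is constructed.
CLIENTS_CONF = """
client 192.168.91.104 {
    secret      = secret
    shortname   = AP104
}
client 192.168.91.110 {
    secret      = q7Lw2pV9xTz4Rk8mB1cD   # constructed value
    shortname   = AP110
}
"""
# Line in the form the install script appends to the old-style "clients" file.
LEGACY_CLIENTS = "# host  secret\n192.168.91.102  secret\n"


def strip_comments(text):
    # Assumption: '#' never appears inside a secret.
    return re.sub(r"#.*", "", text)


def parse_clients_conf(text):
    """clients.conf style: client <host> { secret = ... shortname = ... }"""
    out = {}
    for host, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", strip_comments(text), re.S):
        fields = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))
        out[host] = fields.get("secret", "")
    return out


def parse_legacy_clients(text):
    """Old 'clients' file style: one '<host> <secret>' pair per line."""
    out = {}
    for line in strip_comments(text).splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out[parts[0]] = parts[1]
    return out


def audit(clients, min_len=16):
    """Return sorted (host, problem) pairs; min_len is a local policy choice."""
    by_secret = defaultdict(list)
    for host, secret in clients.items():
        by_secret[secret].append(host)
    findings = []
    for host, secret in clients.items():
        if not secret:
            findings.append((host, "no secret set"))
            continue
        if secret.lower() in KNOWN_WEAK:
            findings.append((host, "well-known secret"))
        elif len(secret) < min_len:
            findings.append((host, "secret shorter than %d characters" % min_len))
        others = len(by_secret[secret]) - 1
        if others:
            findings.append((host, "secret shared with %d other client(s)" % others))
    return sorted(findings)


if __name__ == "__main__":
    merged = {**parse_clients_conf(CLIENTS_CONF), **parse_legacy_clients(LEGACY_CLIENTS)}
    for host, problem in audit(merged):
        print(host, problem)
```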




Wireless LAN with Freeradius...

2002-11-22 Thread Tamer Demir
Hi all,

Could you please write your freeradius experiences in 802.11 Wireless LAN.

Can we set up freeradius to allow certain MAC addresses? And is there a need 
for third-party software in the Wireless clients?

Regards,

Tamer

