Re: Authentication process
There is an open-source project called NoCatAuth which is a box that acts
like a "BlueSocket" appliance. It hijacks HTTP sessions and passes off the
authentication to a radius box. I haven't yet tried the NoCatAuth solution,
but I had done the above with a BlueSocket box and a FreeRadius server.

Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St RM AB50
Toronto, Ont M5B 2K3
416-979-5000 x6709

- Original Message -
From: ZORBADELOS KONSTANTINOS <[EMAIL PROTECTED]>
Date: Thursday, November 27, 2003 3:42 am
Subject: Re: Authentication process

> At Wed, 26 Nov 2003 11:55:30 -0800 (PST),
> Mike Million wrote:
>
> > Hi,
>
> I had a talk with a guy in my company that has experience setting up
> wireless stuff as I do not have any experience on that (I have a bit
> in the radius part). He told me that there are commercial solutions
> that offer the functionality you request, that is direct a user to a
> web page for AAA and engage a radius session. They are used in
> wireless environments and intercept the traffic before the outgoing
> router and enforce the policy you configure. Some solutions are
> Cisco BBSM, Nomadix USG, Nokia PO22.
>
> Without having any experience on that as I told you before, if I had
> to do such a project I would also try to find out if the
> functionality can be achieved using open source (free) software. We
> already have the radius part. I have seen a relevant article in Linux
> Journal
> http://www.linuxjournal.com/article.php?sid=6897
> (Linux Makes Wi-Fi Happen in New York City)
>
> and also
> http://www-106.ibm.com/developerworks/library/l-wap.html?ca=dnt-429
> (Building a wireless access point on Linux)
>
> I don't know if I helped at all but I also cc that to the list for
> archiving purposes.
>
> > hello!
> >
> > Thanks a bunch.
> >
> > Apart from web form & executing a CGI script, is there any way
> > around? The accounting will have to be from the radius client in
> > the NAS.
> >
> > This is the problem that I am trying to solve.
> > When my users go to any of my locations (hotel, cafe etc) I want
> > to authenticate them and also time them. They will be initially
> > served a login page. I know there are lots of people doing this
> > already, like the guys who set up hotspots. When I go to a
> > Starbucks house, this T-Mobile login page comes up which then
> > authenticates me. I am looking for pretty much the same
> > functionality.
> >
> > I deeply appreciate your tips.
> >
> > Thanks again
> > Mike
> >
> > ZORBADELOS KONSTANTINOS <[EMAIL PROTECTED]> wrote:
> > > At Tue, 25 Nov 2003 20:18:30 -0800 (PST),
> > > Mike Million wrote:
> > >
> > > > I am a novice here, so my question may sound pretty silly.
> > > >
> > > > I am trying to authenticate users through an Orinoco AP-2500
> > > > WAP using a username & a password. AP-2500 provides this "portal
> > > > page" feature where you can redirect the users to a webpage (in an
> > > > external webserver) for them to log in. So, once I have an
> > > > external form with the sufficient fields I want, how will I pass
> > > > that information (username, pass etc) to the radius server? I mean
> > > > what is the format that I use. Are there any client APIs that I
> > > > can call?
> > > >
> > > > Any help would be appreciated.
> > > >
> > > > Sincerely,
> > > > Mike
> > >
> > > Your web form should generate a valid radius message
> > > (access-request). Now if this form sends the message directly to
> > > the radius server your script will be the radius client and should
> > > therefore be declared in clients.conf (the IP of your web server,
> > > that is). What about the accounting? Is this sent by the NAS
> > > equipment?
> > > Now if you need to create a cgi script or something like that that
> > > generates radius messages you should look for Radius libraries
> > > (modules) for your language of choice. The format of the message is
> > > specified in the RFCs.
> > >
> > > ==
> > > Kostas Zorbadelos
> > > Currently at: Otenet IT Department
> > > [EMAIL PROTECTED]
> > >
> > > Out there in the darkness, out there in the night
> > > out there in the starlight, one soul burns brighter
> > > than a thousand suns.
>
> ==
> Kostas Zorbadelos
> Currently at: Otenet IT Department
> [EMAIL PROTECTED]
>
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter
> than a thousand suns.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication process
At Wed, 26 Nov 2003 11:55:30 -0800 (PST),
Mike Million wrote:

> Hi,

I had a talk with a guy in my company that has experience setting up
wireless stuff as I do not have any experience on that (I have a bit
in the radius part). He told me that there are commercial solutions
that offer the functionality you request, that is direct a user to a
web page for AAA and engage a radius session. They are used in
wireless environments and intercept the traffic before the outgoing
router and enforce the policy you configure. Some solutions are
Cisco BBSM, Nomadix USG, Nokia PO22.

Without having any experience on that as I told you before, if I had
to do such a project I would also try to find out if the
functionality can be achieved using open source (free) software. We
already have the radius part. I have seen a relevant article in Linux
Journal
http://www.linuxjournal.com/article.php?sid=6897
(Linux Makes Wi-Fi Happen in New York City)

and also
http://www-106.ibm.com/developerworks/library/l-wap.html?ca=dnt-429
(Building a wireless access point on Linux)

I don't know if I helped at all but I also cc that to the list for
archiving purposes.

> hello!
>
> Thanks a bunch.
>
> Apart from web form & executing a CGI script, is there any way around?
> The accounting will have to be from the radius client in the NAS.
>
> This is the problem that I am trying to solve.
> When my users go to any of my locations (hotel, cafe etc) I want to
> authenticate them and also time them. They will be initially served a
> login page. I know there are lots of people doing this already, like
> the guys who set up hotspots. When I go to a Starbucks house, this
> T-Mobile login page comes up which then authenticates me. I am looking
> for pretty much the same functionality.
>
> I deeply appreciate your tips.
>
> Thanks again
> Mike
>
> ZORBADELOS KONSTANTINOS <[EMAIL PROTECTED]> wrote:
> > At Tue, 25 Nov 2003 20:18:30 -0800 (PST),
> > Mike Million wrote:
> >
> > > I am a novice here, so my question may sound pretty silly.
> > >
> > > I am trying to authenticate users through an Orinoco AP-2500 WAP
> > > using a username & a password. AP-2500 provides this "portal page"
> > > feature where you can redirect the users to a webpage (in an
> > > external webserver) for them to log in. So, once I have an external
> > > form with the sufficient fields I want, how will I pass that
> > > information (username, pass etc) to the radius server? I mean what
> > > is the format that I use. Are there any client APIs that I can call?
> > >
> > > Any help would be appreciated.
> > >
> > > Sincerely,
> > > Mike
> >
> > Your web form should generate a valid radius message
> > (access-request). Now if this form sends the message directly to the
> > radius server your script will be the radius client and should
> > therefore be declared in clients.conf (the IP of your web server,
> > that is). What about the accounting? Is this sent by the NAS
> > equipment?
> > Now if you need to create a cgi script or something like that that
> > generates radius messages you should look for Radius libraries
> > (modules) for your language of choice. The format of the message is
> > specified in the RFCs.
> >
> > ==
> > Kostas Zorbadelos
> > Currently at: Otenet IT Department
> > mailto: [EMAIL PROTECTED]
> >
> > Out there in the darkness, out there in the night
> > out there in the starlight, one soul burns brighter
> > than a thousand suns.

==
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: Authentication process
At Tue, 25 Nov 2003 20:18:30 -0800 (PST),
Mike Million wrote:

> I am a novice here, so my question may sound pretty silly.
>
> I am trying to authenticate users through an Orinoco AP-2500 WAP using
> a username & a password. AP-2500 provides this "portal page" feature
> where you can redirect the users to a webpage (in an external
> webserver) for them to log in. So, once I have an external form with
> the sufficient fields I want, how will I pass that information
> (username, pass etc) to the radius server? I mean what is the format
> that I use. Are there any client APIs that I can call?
>
> Any help would be appreciated.
>
> Sincerely,
> Mike

Your web form should generate a valid radius message (access-request).
Now if this form sends the message directly to the radius server your
script will be the radius client and should therefore be declared in
clients.conf (the IP of your web server, that is). What about the
accounting? Is this sent by the NAS equipment?
Now if you need to create a cgi script or something like that that
generates radius messages you should look for Radius libraries (modules)
for your language of choice. The format of the message is specified in
the RFCs.

==
Kostas Zorbadelos
Currently at: Otenet IT Department
mailto: [EMAIL PROTECTED]

Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: Authentication against /etc/shadow using ...
José Berenguer <[EMAIL PROTECTED]> wrote:
> We know that System authentication won't work for EAP-MD5. But, it's
> possible to make it using CHAP or PEAP?

No. See the FAQ. It talks SPECIFICALLY about system authentication and
CHAP.

Microsoft PEAP doesn't send clear-text passwords, so it's impossible to
use /etc/password for authentication.

Alan DeKok.
RE: Authentication against /etc/shadow using ...
> -Original Message-
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: 18 November 2003 15:49
> To: [EMAIL PROTECTED]
> Subject: Re: Authentication against /etc/shadow using ...
>
> salut
>
> > No, CHAP, and MS-CHAP (the inner authentication method used with
> > PEAP) require clear text passwords. Therefore, the shadow password
> > file is not compatible with these methods. This bit me to start with.
>
> so, there is no PAP for PEAP?

Not if you use an MS client, which is the most convincing reason to do
so. ;-)

Regards,
Guy

> > You could always try TTLS with SYSTEM as the inner authentication
> > mechanism?
> > Alan is a strong proponent of TTLS vs PEAP, and I have to say that in
> > a purist sense, he's absolutely right. Unfortunately, the two largest
> > players in the market have used (two incompatible versions of) PEAP
> > :-(. This means that it is more trivial, particularly with Microsoft
> > based clients, to use PEAP/MS-CHAPv2.
>
> well, one thing is for sure: TTLS supports PAP as the inner
> authentication method.
>
> ciao
> artur
Re: Authentication against /etc/shadow using ...
salut

> No, CHAP, and MS-CHAP (the inner authentication method used with PEAP)
> require clear text passwords. Therefore, the shadow password file is
> not compatible with these methods. This bit me to start with.

so, there is no PAP for PEAP?

> You could always try TTLS with SYSTEM as the inner authentication
> mechanism?
> Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a
> purist sense, he's absolutely right. Unfortunately, the two largest
> players in the market have used (two incompatible versions of) PEAP
> :-(. This means that it is more trivial, particularly with Microsoft
> based clients, to use PEAP/MS-CHAPv2.

well, one thing is for sure: TTLS supports PAP as the inner
authentication method.

ciao
artur
RE: Authentication against /etc/shadow using ...
No, CHAP, and MS-CHAP (the inner authentication method used with PEAP)
require clear text passwords. Therefore, the shadow password file is not
compatible with these methods. This bit me to start with.

You could always try TTLS with SYSTEM as the inner authentication
mechanism?
Alan is a strong proponent of TTLS vs PEAP, and I have to say that in a
purist sense, he's absolutely right. Unfortunately, the two largest
players in the market have used (two incompatible versions of) PEAP :-(.
This means that it is more trivial, particularly with Microsoft based
clients, to use PEAP/MS-CHAPv2.

Regards,
Guy

> -Original Message-
> From: José Berenguer [mailto:[EMAIL PROTECTED]
> Sent: 18 November 2003 12:56
> To: [EMAIL PROTECTED]
> Subject: Authentication against /etc/shadow using ...
>
> We are trying to authenticate users with FreeRadius 0.9.2 against
> the /etc/shadow file in a Solaris system.
>
> We know that System authentication won't work for EAP-MD5. But, it's
> possible to make it using CHAP or PEAP?
>
> Thanks!
>
> **
> José Berenguer Giménez
> Área de Comunicaciones-Servicio de Informática
> UNIVERSIDAD DE ALMERÍA
> Crta. de Sacramento s/n, 04120 - Almería
> Tel.: 950014014 E-mail: [EMAIL PROTECTED]
> **
Re: Re: Authentication problem
On Wed, 2003-10-29 at 09:55, Remesh wrote:
> hi,
>
> in my case when I am dialing we can see the following entry when we
> run tcpdump udp
>
> 16:29:59.071115 164.100.96.13.datametrics > mp9.radius: rad-access-req 66 [id 1]
> Attr[ NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} [|radius]
>
> no entries in logs especially. 'Ready to process requests' is showing
> in radius.log.
>
> please help me
>
> Remesh

run radiusd -X
All logs will be shown on the screen...

Uli

> On Wed, 29 Oct 2003 Ulrich Walcher wrote :
> > On Wed, 2003-10-29 at 07:57, Remesh wrote:
> > > hi friends,
> > >
> > > I have installed free radius and radtest commands working fine
> > > locally. The OS used is RedHat 8.0. But when I am trying this
> > > command from other servers, it is not responding. Also when I am
> > > dialing, I am getting authentication failed message.
> > >
> > [...]
> > Please post the logs.
> > Uli
>
> Remesh Babu. T
Re: Re: Authentication problem
hi,

in my case when I am dialing we can see the following entry when we run
tcpdump udp

16:29:59.071115 164.100.96.13.datametrics > mp9.radius: rad-access-req 66 [id 1]
Attr[ NAS_ipaddr{164.100.96.13} NAS_port{7} NAS_port_type{Sync} User{nitpubpl} [|radius]

no entries in logs especially. 'Ready to process requests' is showing in
radius.log.

please help me

Remesh

On Wed, 29 Oct 2003 Ulrich Walcher wrote :
> On Wed, 2003-10-29 at 07:57, Remesh wrote:
> > hi friends,
> >
> > I have installed free radius and radtest commands working fine
> > locally. The OS used is RedHat 8.0. But when I am trying this command
> > from other servers, it is not responding. Also when I am dialing, I
> > am getting authentication failed message.
> >
> [...]
> Please post the logs.
> Uli

Remesh Babu. T
Re: Authentication problem
On Wed, 2003-10-29 at 07:57, Remesh wrote:
> hi friends,
>
> I have installed free radius and radtest commands working fine locally.
> The OS used is RedHat 8.0. But when I am trying this command from other
> servers, it is not responding. Also when I am dialing, I am getting
> authentication failed message.
>
[...]

Please post the logs.

Uli
Re: Authentication with FreeRadius and /etc/shadow
José Berenguer <[EMAIL PROTECTED]> wrote:
> I can't read /etc/shadow. Passwords are encrypted.
> The error is (in debug mode):

As you have discovered, you cannot use /etc/passwd to authenticate EAP
sessions. EAP *requires* a plain-text password. /etc/passwd does not
supply one.

Alan DeKok.
Re: Authentication with FreeRadius and /etc/shadow
Hello, now in debug mode:

HASH: Stored 1905 entries from /etc/passwd.radius
HASH: Stored 107 entries from /etc/group.radius
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "chap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/usr/local/etc/raddb/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded passwd
 passwd: filename = "/etc/shadow.radius"
 passwd: format = "*User-Name:Password:::"
 passwd: authtype = "System"
 passwd: delimiter = ":"
 passwd: ignorenislike = no
 passwd: allowmultiplekeys = no
 passwd: hashsize = 3000
rlm_passwd: nfields: 9 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (etc_shadow)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
 detail: detailfile = "/usr/local/etc/raddb/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/etc/raddb/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address 150.214.156.2, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.

I can't read /etc/shadow. Passwords are encrypted. The error is (in debug
mode):

rad_recv: Access-Request packet from host 10.0.120.11:2049, id=133, length=104
        User-Name = "jose"
        NAS-Port = 101
        NAS-Port-Type = Ethernet
        NAS-IP-Address = 10.0.120.11
        Service-Type = Framed-User
        Framed-MTU = 1024
        Calling-Station-Id = "00-4F-4E-06-84-2D"
        EAP-Message = 0x02010009016a6f7365
        Message-Authenticator = 0x07be8f6cb6064cc05029d8dd9e900693
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/etc/raddb/radacct/10.0.120.11/auth-detail-20031022'
rlm_detail: /usr/local/etc/raddb/radacct/%{Client-IP-Address}/auth-detail-%Y%m%2
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  rlm_eap: EAP packet type notification id 1 length 9
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated for request 0
    rlm_realm: No '@' in User-Name = "jose", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 174
  modcall[authorize]: module "files" returns ok for request 0
rlm_passwd: Added Password: 'YLp6TAFQQQ6Ek' to config_items
rlm_passwd: Adding Auth-Type: System
  modcall[authorize]: module "etc_shadow" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
  rad_check_password: Found Auth-Type System
Warning: Found 2 auth-types on request for user 'jose'
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "unix" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [jose/] (from client prueba port 1)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 133 to 10.0.120.11:2049
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 133 with timestamp 3f9639b9
Nothing to do. Sleeping until we see a request.

RADIUSD.CONF:
..
user = root
group = shadow
..
modules {
..
chap {
RE: Authentication based on interface?
> I was thinking about checking the interface, but it appears only when
> NAS-Port-Type=ISDN:
> Vendor-Specific = "V9:T1:L24:interface=Serial0/0:30"
> NAS-Port-Type = ISDN
>                 ^^^
> NAS-Port = 20030

Have you run FreeRADIUS in debug mode (radiusd -X) and done a capture of
all the attributes the router sends for the various protocols? A dump of
that may be useful.

> When someone calls from PSTN it doesn't report any Vendor-Specific, but
> just Async and a port number:
> Cisco-AVPair = "interface=Async92"
> NAS-Port-Type = Async
> NAS-Port = 92
> (Sometimes instead of "NAS-Port = 92" I get "NAS-Port = 1312686172",
> why?!)

Did you have a look at the link to Cisco's web site I sent? Look for
'aaa nas-port extended'.

> Since I don't get the interface (Serialx/y) info every time, the only
> way is to check if the NAS-Port is between a specific range if I get it
> right.
>
> Something like that perhaps?
> insert into radgroupcheck values('0','group1','NAS-Port','65-94',':=')
> insert into radgroupcheck values('0','group2','NAS-Port','97-128',':=')
> ... ,'20001-20030' (for ISDN)
> supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.
>
> I'm not very familiar with sql syntax, so I'd appreciate some help on
> that...

Close, here's an example:

INSERT INTO radcheck VALUES (1,'user1','Password',':=','testing123');
INSERT INTO radcheck VALUES (2,'user2','User-Password',':=','VRs1vR06MAQ2M');
INSERT INTO radgroupcheck VALUES (1,'group1','Auth-Type',':=','Local');
INSERT INTO radgroupcheck VALUES (2,'group2','Auth-Type',':=','PAP');
INSERT INTO radgroupcheck VALUES (3,'group1','NAS-Port','==','65-94');
INSERT INTO radgroupcheck VALUES (4,'group2','NAS-Port','==','97-128');
INSERT INTO usergroup VALUES (1,'user1','group1');
INSERT INTO usergroup VALUES (2,'user2','group2');

The password for 'user2' is stored using the SQL ENCRYPT function; they're
both authenticated against the SQL database.

If you haven't done so already, you may be able to get more information
by enabling the extended NAS-Port attribute. See also the Cisco doc on
RADIUS attributes for NAS-Port at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/ad.htm#1173

The easy part is locking users down by groups; the harder part is
determining the best way to lock those groups down by interface. It
solely depends on the information that the router presents via radius.

---
This email, and any files transmitted with it, is copyright and may
contain confidential information. The contents are intended for the use
of the addressee(s) only. Unauthorized use may be unlawful. If you
receive this email by mistake, please advise sender immediately. The
views of the author may not necessarily constitute the views of Telco
Electronics Limited. Nothing in this mail shall bind Telco Electronics
Limited in any contract or obligation.

Telco Electronics Limited
6-8 Oxford Court
Brackley
Northants
NN13 7XY
Tel 07000 701999
Fax 07000 701777
RE: Authentication based on interface?
> You forgot to mention how your radius server is configured, using the
> system password file, sql, LDAP?

I am using mysql.

> Either way though, as a general solution you should be able to separate
> the two by adding NAS-Port and group as check conditions to the users
> file. You'll need one for each interface.

I was thinking about checking the interface, but it appears only when
NAS-Port-Type=ISDN:

Vendor-Specific = "V9:T1:L24:interface=Serial0/0:30"
NAS-Port-Type = ISDN
                ^^^
NAS-Port = 20030

When someone calls from PSTN it doesn't report any Vendor-Specific, but
just Async and a port number:

Cisco-AVPair = "interface=Async92"
NAS-Port-Type = Async
NAS-Port = 92

(Sometimes instead of "NAS-Port = 92" I get "NAS-Port = 1312686172",
why?!)

Since I don't get the interface (Serialx/y) info every time, the only way
is to check if the NAS-Port is between a specific range if I get it
right.

Something like that perhaps?

insert into radgroupcheck values('0','group1','NAS-Port','65-94',':=')
insert into radgroupcheck values('0','group2','NAS-Port','97-128',':=')
... ,'20001-20030' (for ISDN)

supposing that Serial0/0 has ports 65-94, and Serial1/0 97-128.

I'm not very familiar with sql syntax, so I'd appreciate some help on
that...
RE: Authentication based on interface?
You forgot to mention how your radius server is configured, using the
system password file, sql, LDAP?

Either way though, as a general solution you should be able to separate
the two by adding NAS-Port and group as check conditions to the users
file. You'll need one for each interface.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt2/scrad.htm#xtocid182648

See also the cisco doc that comes with freeradius.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Anastasios
> Sotiropoulos
> Sent: 21 October 2003 01:49
> To: [EMAIL PROTECTED]
> Subject: Authentication based on interface?
>
> I have a Cisco 3600 with 2 physical interfaces (2 ISDN PRIs) and want
> to make 2 usergroups with separate access to them (ex. group1 can login
> only from Serial0/0, and group2 -> Serial1/0). How could that be done?
Re: Authentication with FreeRadius and /etc/shadow
José Berenguer <[EMAIL PROTECTED]> wrote:
> We are trying to authenticate users with FreeRadius 0.9.2 against
> the /etc/shadow file in a Solaris system, but we always get an error
> like this:
>
> Info: Ready to process requests.
> Info: rlm_eap_md5: Issuing Challenge
> Auth: Login OK: [jose/]
> Info: rlm_eap_md5: No password configured for this user
> Auth: Login incorrect: [jose/]

System authentication will NEVER work for EAP-MD5. It's CHAP. See the
FAQ.

Alan DeKok.
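The point Alan and Guy make across these /etc/shadow threads (CHAP and EAP-MD5 cannot be verified against a shadow file, while PAP can), worked through as an added example; this is not code from the list or from FreeRADIUS, the account, password, salt and challenge are constructed, and a salted SHA-256 stands in for the crypt(3) digest.

```python
import hashlib
import hmac


def shadow_hash(password: str, salt: bytes) -> str:
    """One-way digest standing in for the crypt(3) field of /etc/shadow.
    Assumption: salted SHA-256 is used instead of crypt(3) so the example
    runs anywhere; the property that matters, irreversibility, is the same."""
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def shadow_check(candidate: str, stored: str) -> bool:
    """What rlm_unix can do with a cleartext candidate: re-hash and compare."""
    salt_hex = stored.split("$", 1)[0]
    recomputed = shadow_hash(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed.encode(), stored.encode())


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 (and EAP-MD5, RFC 3748): MD5(Identifier || Secret || Challenge).
    The client feeds its cleartext password in; a verifier must do the same."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


# Constructed credentials. A "users" file or SQL row can hold the cleartext;
# /etc/shadow only ever holds the one-way hash.
PASSWORD = "correct-horse"
CLEARTEXT_STORE = {"jose": ("cleartext", PASSWORD)}
SHADOW_STORE = {"jose": ("shadow", shadow_hash(PASSWORD, bytes.fromhex("0011223344556677")))}


def authenticate(store, user, method, *, user_password=None, chap_ident=None,
                 chap_challenge=None, chap_response_from_client=None):
    """Server-side decision for one request; returns (accepted, reason)."""
    entry = store.get(user)
    if entry is None:
        return False, "no such user"
    kind, value = entry
    if method == "PAP":
        # PAP delivers the password itself (User-Password), so the server can
        # compare it directly or hash it the way the shadow file did.
        if kind == "cleartext":
            ok = hmac.compare_digest(user_password.encode(), value.encode())
            return ok, "PAP vs cleartext"
        return shadow_check(user_password, value), "PAP vs shadow hash"
    if method == "CHAP":
        if kind != "cleartext":
            # Only the identifier, the challenge and the client's MD5 arrive.
            # Recomputing MD5(id || password || challenge) needs the password;
            # a hash of the password cannot take its place in that input.
            return False, "CHAP needs the cleartext password; shadow hash is unusable"
        expected = chap_response(chap_ident, value, chap_challenge)
        ok = hmac.compare_digest(expected, chap_response_from_client)
        return ok, "CHAP vs cleartext"
    return False, "unknown method"


def demo():
    """Run the four combinations the thread is about."""
    challenge = bytes(range(16))   # constructed; a real server uses random bytes
    response = chap_response(1, PASSWORD, challenge)
    chap = dict(chap_ident=1, chap_challenge=challenge, chap_response_from_client=response)
    return {
        "pap/cleartext": authenticate(CLEARTEXT_STORE, "jose", "PAP", user_password=PASSWORD)[0],
        "pap/shadow": authenticate(SHADOW_STORE, "jose", "PAP", user_password=PASSWORD)[0],
        "chap/cleartext": authenticate(CLEARTEXT_STORE, "jose", "CHAP", **chap)[0],
        "chap/shadow": authenticate(SHADOW_STORE, "jose", "CHAP", **chap)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15} -> {'Access-Accept' if accepted else 'Access-Reject'}")
```

The "chap/shadow" case is the one behind "No password configured for this user" and "Attribute User-Password is required" in the debug logs above: the server has nothing it can feed into the MD5 computation.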
Re: Authentication request hacking
"Hans Jorgensen" <[EMAIL PROTECTED]> wrote: > I am trying to implement my own request type, with its own request number > (100), queries etc. Huh? Why? > I have copied and based the code on auth.c, because I will like the users to > authenticate them selves, when sending the request. > But the authentication does not work. If I change the request number to 1 > (authentication request), the code works. That's because Access-Request is type 1, and it's the only type allowed when authenticating users. > Is the encryption algorithm using the request number when encrypting the > password? No. But other portions of the packet are used. See the RFC's. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication problem
On Sat, 16 Aug 2003, apellido jr., wilfredo p wrote:

Please do not post multiple times, it doesn't help you.

> The computer you are dialling cannot establish a Dial-up Networking
> connection. Check your password, then try again. Then, when I try to
> look in the log there's no activity or message.

What does the server's debug output say when you try to connect from the
dial-up client? In my knowledge, your config seems to be fine, so does
the NAS even send any auth-requests to your radius?

--
"... Think about all the positive sides in life, they never last forever ..." (c) Sentenced
http://students.oamk.fi/~sijuma00
E-mail: [EMAIL PROTECTED]
Re: Authentication-Request
Kent Hansen <[EMAIL PROTECTED]> wrote:
> rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0,
> length=159
> Authentication-Request sent to a non-authentication port from client
> rtest:1024 - ID 0 : IGNORED
...
> The wireless client tries to access the network with a username and
> password I have set up on the freeradius. What's wrong?

You've configured the client to send Access-Requests to port 1813.
That's wrong. Use 1812.

Alan DeKok.
Re: Authentication request hacking
hmmm, if i understood you correctly, by authentication request you mean
the RADIUS Access-Request. in that case, what you do would be a violation
of the RFC. why don't you specify your authentication scheme by using a
VSA (or EAP-subtype) and specifying a module to handle it? it would be
much easier and your server would remain inter-functional.

except, there is a misunderstanding in what you say. Access-Requests are
not sent by users, they are sent by NASes. perhaps you should read
ftp://ftp.rfc-editor.org/in-notes/rfc2865.txt . unless i'm completely
misunderstanding what you are saying, you are about to do something very
ugly :-)

ciao
artur

Hans Jorgensen wrote:
>
> Dear list.
>
> I am trying to implement my own request type, with its own request
> number (100), queries etc.
> I have copied and based the code on auth.c, because I would like the
> users to authenticate themselves when sending the request.
> But the authentication does not work. If I change the request number
> to 1 (authentication request), the code works.
> This is the case with both CHAP-Password and User-Password.
>
> Is the encryption algorithm using the request number when encrypting
> the password?
>
> Thanks in advance.
>
> Hans

--
Artur Hecker
artur[at]hecker.info
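Alan's answer (the Code byte is not an input to the password hiding, but other parts of the packet are) and Kostas's earlier advice (a web-form script that talks to the server directly is a RADIUS client and must emit a valid Access-Request), worked through as an added example in Python; this is not code from the list or from FreeRADIUS, and the shared secret, Request Authenticator, user name, password and NAS address are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1                          # RFC 2865 packet Code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
MESSAGE_AUTHENTICATOR = 80                  # RFC 2869 section 5.14


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block); the first 'previous block' is
    the Request Authenticator. The Code and Identifier bytes are not inputs."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert hide_password with the same secret and authenticator.
    Trailing NULs are padding, so a password may not end in a NUL byte."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """What a RADIUS client (here, the web-form CGI acting as a NAS) sends."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    # Message-Authenticator: HMAC-MD5 over the whole packet with its own value
    # zeroed. Unlike the password hiding, this does cover the Code byte.
    length = 20 + len(attrs) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    zeroed = header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def parse(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value, offset), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        type_, alen = packet[pos], packet[pos + 1]
        attrs.append((type_, packet[pos + 2:pos + alen], pos))
        pos += alen
    return code, ident, packet[4:20], attrs


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute's value zeroed in place."""
    for type_, value, off in parse(packet)[3]:
        if type_ == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def server_check(packet: bytes, secret: bytes, known_password: bytes):
    """Server side: only Code 1 goes down the authentication path (as in
    FreeRADIUS's auth.c), then integrity, then the password itself."""
    code, ident, authenticator, attrs = parse(packet)
    if code != ACCESS_REQUEST:
        return False, "code %d is not an Access-Request" % code
    if not message_authenticator_ok(packet, secret):
        return False, "bad Message-Authenticator (wrong secret or altered packet)"
    hidden = {t: v for t, v, _ in attrs}[USER_PASSWORD]
    password = reveal_password(hidden, secret, authenticator)
    if hmac.compare_digest(password, known_password):
        return True, "Access-Accept"
    return False, "Access-Reject: password mismatch"
```

Rewriting only the Code byte to 100 leaves the hidden password recoverable (the hiding never looked at it) but the packet is no longer an Access-Request and its Message-Authenticator no longer verifies, which is the behaviour Hans observed.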
Re: Authentication-Request
At 07:02 PM 8/13/2003 +0200, Kent Hansen wrote:
> Hi!
>
> Get this error when my wireless client tries to join the Cisco 350/FreeRadius:
>
> Error on freeradius:
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0, length=159
> Authentication-Request sent to a non-authentication port from client rtest:1024 - ID 0 : IGNORED
> --- Walking the entire request list ---
> Nothing to do. Sleeping until we see a request.
> rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1025, id=1, length=159
> Authentication-Request sent to a non-authentication port from client rtest:1025 - ID 1 : IGNORED
>
> The wireless client tries to access the network with a username and password I have set up on the freeradius. What's wrong?

From reading the error messages above, it sounds like the server received an authentication-request packet on a port other than 1812.

-Chris

--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless!
http://www.starnetwx.net  (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Authentication-Request
yes, why don't you change the port in the radius configuration of your AP 350? obviously it tries to connect to the port which your server uses for something else: probably a typo of yours. it should be (udp)1812 unless you changed something.

ciao
artur

Kent Hansen wrote:
> Hi!
>
> Get this error when my wireless client tries to join the Cisco 350/FreeRadius:
>
> Error on freeradius:
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1024, id=0, length=159
> Authentication-Request sent to a non-authentication port from client rtest:1024 - ID 0 : IGNORED
> --- Walking the entire request list ---
> Nothing to do. Sleeping until we see a request.
> rad_recv: Access-Request packet from host ip_on_the_cisco_ap:1025, id=1, length=159
> Authentication-Request sent to a non-authentication port from client rtest:1025 - ID 1 : IGNORED
>
> The wireless client tries to access the network with a username and password I have set up on the freeradius. What's wrong?
>
> Kent
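The replies above all come down to what an Access-Request looks like on the wire and which port it belongs on, and Hans's question in the "Authentication request hacking" thread is about the same packet. The following is an added example, not code from the list or from FreeRADIUS. It builds and checks RFC 2865 Access-Requests in Python: User-Password hiding as MD5(secret || Request Authenticator) chained over 16-octet blocks (section 5.2), CHAP-Password as ident || MD5(ident || password || challenge) (section 5.3), the length and attribute checks a server applies before anything else, and the code/port check behind the "sent to a non-authentication port ... IGNORED" line. Because the hiding takes only the shared secret and the Request Authenticator as inputs, the packet code is not part of it: a code of 100 yields the same User-Password octets as code 1, and the server side here simply ignores the packet. The secret, user store, NAS address and authenticator values are constructed.

```python
# RFC 2865 Access-Request encoding and the checks a server applies to it.
# Added example for this thread, not code from the list or from FreeRADIUS.
# Secret, users, NAS address and authenticator values below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
EXPECTED_PORT = {ACCESS_REQUEST: 1812, ACCOUNTING_REQUEST: 1813}   # RFC 2865 / RFC 2866
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: zero-pad to 16-octet blocks; XOR block i with MD5(secret + c[i-1]),
    # where c[0] is the Request Authenticator. Packet code and id are not inputs.
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)


def recover_password(hidden, secret, authenticator):
    # Server side of 5.2: same keystream, driven by the received ciphertext blocks.
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return bytes(out).rstrip(b"\x00")


def chap_password(ident, password, challenge):
    # RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(value, password, challenge):
    return len(value) == 17 and hmac.compare_digest(value, chap_password(value[0], password, challenge))


def build_packet(code, ident, authenticator, attrs):
    # Header code(1) id(1) length(2) authenticator(16); a TLV length counts its
    # own type and length octets, so a value is 1..253 octets.
    body = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        body += bytes([atype, len(value) + 2]) + value
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + bytes(body)


def parse_packet(data):
    # Returns (code, id, authenticator, [(type, value), ...]); raises ValueError for
    # anything RFC 2865 says a server must silently discard.
    if len(data) < 20:
        raise ValueError("packet shorter than 20 octets")
    code, ident, length, authenticator = struct.unpack("!BBH16s", data[:20])
    if length < 20 or length > 4096 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:                       # octets past Length are padding
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def build_access_request(secret, user, password, ident, authenticator=None,
                         chap_ident=None, code=ACCESS_REQUEST):
    # NAS side; chap_ident selects CHAP (challenge = Request Authenticator).
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = [(USER_NAME, user), (NAS_IP_ADDRESS, bytes([10, 0, 4, 14]))]   # constructed NAS
    if chap_ident is None:
        attrs.append((USER_PASSWORD, hide_password(password, secret, authenticator)))
    else:
        attrs.append((CHAP_PASSWORD, chap_password(chap_ident, password, authenticator)))
    return build_packet(code, ident, authenticator, attrs)


def check_access_request(packet,
                         port, secret, users):
    # Server side: the code/port check behind the IGNORED line in the log above,
    # then verification against a cleartext store {user: password}.
    code, ident, authenticator, attrs = parse_packet(packet)
    if EXPECTED_PORT.get(code) != port:
        return "ignored: code %d on port %d" % (code, port)
    a = dict(attrs)
    reference = users.get(a.get(USER_NAME))
    if reference is None:
        return "reject"
    if USER_PASSWORD in a:
        ok = hmac.compare_digest(recover_password(a[USER_PASSWORD], secret, authenticator), reference)
    elif CHAP_PASSWORD in a:
        ok = chap_verify(a[CHAP_PASSWORD], reference, a.get(CHAP_CHALLENGE, authenticator))
    else:
        ok = False
    return "accept" if ok else "reject"
```

The hiding is reversible with the shared secret, which is why RFC 2865 insists on an unpredictable Request Authenticator per packet and why a web form that generates its own Access-Requests (the setup discussed at the top of this page) has to be declared as a client with its own secret: anyone who can read the secret and sniff the packets can recover every password sent with it.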
Re: Authentication, Authorization process
> Hello,
>
> In FreeRADIUS, authorization is done before authentication. Is that a
> proper sequence regarding the standard RADIUS concept?
>
> For example, when a user mistypes the password, FreeRADIUS still sends
> out the attributes to the RADIUS client. Would that be an issue (ie,
> security, loading, ...)?

The only attribute it should send back to the client with a mistyped password is auth-reject.

> Best Regards,
> Bush
Re: Authentication problems with EAP/TLS (and Enterasys)
Sevcik Berndt <[EMAIL PROTECTED]> wrote:
> I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access
> Point with freeradius. But the client never gets authenticated.

Does the server send a reject?

> Output from radius.log:
> Fri Aug 8 10:52:28 2003 : Info: rlm_eap_tls: Length Included
> Fri Aug 8 10:52:28 2003 : Error: TLS_accept:error in SSLv3 read client certificate A
> Fri Aug 8 10:52:28 2003 : Info: rlm_eap_tls: SSL_read Error
> Fri Aug 8 10:52:28 2003 : Error: Error code is . 2
> Fri Aug 8 10:52:28 2003 : Error: SSL Error . 2

Those are recoverable errors. The server continues sending EAP packets, so they're not a problem.

Alan DeKok.
Re: Authentication problems with EAP/TLS (and Enterasys)
Hi,

Try to put in clients.conf, in the lines of the NAS, the following attribute:

nastype = other

I had a similar problem and with that line all goes perfectly (or nearly).

Good luck

Another possibility is to try to authenticate with the same configuration but with another AP, if it's possible.

Regards.
Omar

Sevcik Berndt wrote:
> I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access Point with freeradius. But the client never gets authenticated. My problem is that I have no idea where I should search for the error. I used the www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm Howto for setup.
>
> Output from freeradius -X -A:
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253, length=116
> Message-Authenticator = 0x78a9e48d042ad1f7109083edf2b3146d
> User-Name = "Sevcik Berndt"
> NAS-IP-Address = 10.0.4.14
> NAS-Port = 2
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "00-01-f4-ec-3d-7c"
> EAP-Message = 0x024400120153657663696b204265726e6474
> Framed-MTU = 1000
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_eap: EAP packet type response id 68 length 18
> rlm_eap: EAP Start not found
> modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
> users: Matched Sevcik Berndt at 216
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled
> modcall: group authenticate returns handled
> Sending Access-Challenge of id 253 to 10.0.4.14:1205
> EAP-Message = 0x014500060d20
> Message-Authenticator = 0x
> State = 0x1c0ccba6d22ad97dab13096d340f0290
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254, length=196
> Message-Authenticator = 0x31199cd93954566ea164f46ce86d6b59
> User-Name = "Sevcik Berndt"
> State = 0x1c0ccba6d22ad97dab13096d340f0290
> NAS-IP-Address = 10.0.4.14
> NAS-Port = 2
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "00-01-f4-ec-3d-7c"
> Framed-MTU = 1000
> EAP-Message = 0x024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd3288de5d42d63265b6afe930d235a87d1df9a1600040005000a000900640062000300060013001200630100
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_eap: EAP packet type response id 69 length 80
> rlm_eap: EAP Start not found
> modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop
> users: Matched DEFAULT at 152
> users: Matched Sevcik Berndt at 216
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> undefined: before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 063c], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap_tls: SSL_read Error
> Error code is . 2
> SSL Error . 2
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled
> modcall: group authenticate returns handled
> Sending Access-Challenge of id 254 to 10.0.4.14:1205
> EAP-Message = 0x0146040a0dc00735160301004a024603013f3371d4fe8d552850335d9175f699f43cd56559f163ff0b5ff946dacb6a1374206ca02c80ec917fa450bd683bec1717b4a30e22a02f22c4415966534ce01d79ab000400160301063c0b0006380006350002a8308202a43082020da003020102020101300d06092a864886f70d010104050030818e310b3009060355040613024154310f300d060355040813065669656e6e613121301f060355040a131854474d202d20536368756c652064657220546563686e696b31133011060355040b130a49542d53657276696365311830160
Re: Authentication problems with EAP/TLS (and Enterasys)
nastype = other has not worked. The situation is the same as before. I also don't have the possibility to use another AP.

Berndt

On Fri, 2003-08-08 at 13:33, diomedes wrote:
> Hi,
> Try to put in clients.conf, in the lines of the NAS the following attribute
> nastype = other
>
> I had a similar problem and with that line all goes perfectly (or nearly)
>
> Good luck
>
> Another possibility is to try to authenticate with the same configuration but
> with another AP, if it's possible.
>
> Regards.
> Omar
>
>
> Sevcik Berndt wrote:
>
> > I try to authenticate an XP Client via an Enterasys RoamaboutR2 Access
> > Point with freeradius. But the client never gets authenticated. My
> > problem is that I have no idea where I should search for the error. I used
> > the www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm Howto for setup.
> >
> > Output from freeradius -X -A:
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253, length=116
> > Message-Authenticator = 0x78a9e48d042ad1f7109083edf2b3146d
> > User-Name = "Sevcik Berndt"
> > NAS-IP-Address = 10.0.4.14
> > NAS-Port = 2
> > NAS-Port-Type = Wireless-802.11
> > Calling-Station-Id = "00-01-f4-ec-3d-7c"
> > EAP-Message = 0x024400120153657663696b204265726e6474
> > Framed-MTU = 1000
> > modcall: entering group authorize
> > modcall[authorize]: module "preprocess" returns ok
> > rlm_eap: EAP packet type response id 68 length 18
> > rlm_eap: EAP Start not found
> > modcall[authorize]: module "eap" returns updated
> > rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop
> > users: Matched DEFAULT at 152
> > users: Matched Sevcik Berndt at 216
> > modcall[authorize]: module "files" returns ok
> > modcall: group authorize returns updated
> > rad_check_password: Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> > rlm_eap: EAP Identity
> > rlm_eap: processing type tls
> > rlm_eap_tls: Initiate
> > rlm_eap_tls: Start returned 1
> > modcall[authenticate]: module "eap" returns handled
> > modcall: group authenticate returns handled
> > Sending Access-Challenge of id 253 to 10.0.4.14:1205
> > EAP-Message = 0x014500060d20
> > Message-Authenticator = 0x
> > State = 0x1c0ccba6d22ad97dab13096d340f0290
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254, length=196
> > Message-Authenticator = 0x31199cd93954566ea164f46ce86d6b59
> > User-Name = "Sevcik Berndt"
> > State = 0x1c0ccba6d22ad97dab13096d340f0290
> > NAS-IP-Address = 10.0.4.14
> > NAS-Port = 2
> > NAS-Port-Type = Wireless-802.11
> > Calling-Station-Id = "00-01-f4-ec-3d-7c"
> > Framed-MTU = 1000
> > EAP-Message = 0x024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd3288de5d42d63265b6afe930d235a87d1df9a1600040005000a000900640062000300060013001200630100
> > modcall: entering group authorize
> > modcall[authorize]: module "preprocess" returns ok
> > rlm_eap: EAP packet type response id 69 length 80
> > rlm_eap: EAP Start not found
> > modcall[authorize]: module "eap" returns updated
> > rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> > modcall[authorize]: module "suffix" returns noop
> > users: Matched DEFAULT at 152
> > users: Matched Sevcik Berndt at 216
> > modcall[authorize]: module "files" returns ok
> > modcall: group authorize returns updated
> > rad_check_password: Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> > rlm_eap: Request found, released from the list
> > rlm_eap: EAP_TYPE - tls
> > rlm_eap: processing type tls
> > rlm_eap_tls: Authenticate
> > rlm_eap_tls: processing TLS
> > rlm_eap_tls: Length Included
> > eaptls_verify returned 11
> > undefined: before/accept initialization
> > TLS_accept: before/accept initialization
> > rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> > TLS_accept: SSLv3 read client hello A
> > rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> > TLS_accept: SSLv3 write server hello A
> > rlm_eap_tls: >>> TLS 1.0 Handshake [length 063c], Certificate
> > TLS_accept: SSLv3 write certificate A
> > rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
> > TLS_accept: SSLv3 write certificate request A
> > TLS_accept: SSLv3 flush data
> > TLS_accept:error in SSLv3 read client certificate A
> > rlm_eap_tls: SSL_read Error
> > Error code is . 2
> > SSL Error . 2
> > In SSL Handshake Phase
> > In SSL Accept mode
> > eaptls_process returned 13
> > modcall[authenticate]: module "eap" returns handl
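The trace quoted in this thread prints every EAP-Message as raw hex, and reading those values is the quickest way to see where an EAP-TLS exchange stalls (here: the server sent its Certificate and CertificateRequest, the client never answered with its own certificate). The following is an added example, not code from the list or from rlm_eap: a Python decoder that reads the EAP header, the type, and for EAP-TLS (type 13) the L/M/S flags, the optional 4-octet total TLS length, and the header of the TLS record carried in the fragment. The Identity response and the TLS Start request are copied from the trace. The long ClientHello value, as archived, is 74 octets against its declared length of 80, which the decoder reports through its `truncated` flag and then stops, so a minimal ClientHello and a first L+M fragment of a large Certificate message (the shape a Framed-MTU of 1000 forces) are constructed for the full-decode cases; their lengths and contents are constructed values.

```python
# Decoder for the EAP-Message values printed in a freeradius -X trace.
# Added example for this thread, not code from the list or from rlm_eap.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
                 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
EAP_TLS = 13


def parse_eap_message(msg):
    # msg: bytes, or the "0x..." hex string exactly as the server prints it.
    if isinstance(msg, str):
        msg = bytes.fromhex(msg[2:] if msg[:2].lower() == "0x" else msg)
    data = bytes(msg)
    if len(data) < 4:
        raise ValueError("EAP header is 4 octets")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(data) < length}      # archive cut the line, or a bad NAS
    if code not in (1, 2) or length < 5 or len(data) < 5:
        return info                               # Success/Failure carry no type
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if info["truncated"]:
        return info                               # nothing past the type is trustworthy
    payload = data[5:length]
    if eap_type == 1:
        info["identity"] = payload.decode("utf-8", "replace")
    elif eap_type == EAP_TLS and payload:
        flags = payload[0]                        # RFC 2716: L=0x80, M=0x40, S=0x20
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        pos = 1
        if flags & 0x80:                          # L: 4-octet total TLS message length follows
            if len(payload) < 5:
                raise ValueError("L flag set but no TLS length field")
            info["tls_total_length"] = struct.unpack("!I", payload[1:5])[0]
            pos = 5
        frag = payload[pos:]
        info["tls_fragment_bytes"] = len(frag)
        if len(frag) >= 5:                        # TLS record header: type, version, length
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", frag[:5])
            rec = {"content": TLS_CONTENT.get(ctype, ctype), "version": "%d.%d" % (vmaj, vmin),
                   "length": rlen}
            if ctype == 22 and len(frag) >= 6:
                rec["handshake"] = TLS_HANDSHAKE.get(frag[5], frag[5])
            info["tls_record"] = rec
    return info


# Values copied from the trace above.
IDENTITY_RESPONSE = "0x024400120153657663696b204265726e6474"
TLS_START_REQUEST = "0x014500060d20"
ARCHIVED_CLIENT_HELLO = ("0x024500500d8000461603010041013d03013f3371da3a9bab75032c2c86afd328"
                         "8de5d42d63265b6afe930d235a87d1df9a1600040005000a0009006400620003"
                         "00060013001200630100")   # 74 octets as archived, declared length 80


def constructed_client_hello(ident=0x45):
    # Constructed stand-in for the id=69 ClientHello above (the archived hex of
    # that one is short, see ARCHIVED_CLIENT_HELLO): a minimal one-suite ClientHello.
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake header
    rec = b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs     # TLS 1.0 record
    return (b"\x02" + bytes([ident]) + (10 + len(rec)).to_bytes(2, "big")
            + b"\x0d\x80" + len(rec).to_bytes(4, "big") + rec)


def constructed_fragment(total=1845):
    # Constructed first fragment of a large server Certificate message, L and M set:
    # the shape a small Framed-MTU forces. Record header constructed, body zeros.
    chunk = b"\x16\x03\x01\x06\x3c\x0b" + b"\x00" * 24
    return (b"\x01\x46" + (10 + len(chunk)).to_bytes(2, "big")
            + b"\x0d\xc0" + total.to_bytes(4, "big") + chunk)
```

Reading the decoded fields against the trace: the id=69 request with only the S flag is the EAP-TLS Start, the client's ClientHello comes back with L set and a total length equal to the fragment because it fits in one packet, and the server's first Access-Challenge carries L and M because the Certificate message is larger than the MTU and will take several round trips. A client that stops answering after the CertificateRequest, as here, has no usable client certificate or does not trust the server's, which is where to look next.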
RE: Authentication with user-password
First, the names in the DB are all case sensitive. They are 'UserName', 'Attribute', 'op', and 'Value'. Not 'username', 'attribute', 'op', and 'value'.

Second, the name of the password field is either 'User-Password', which is the standard attribute defined in the RFC, or 'Crypt-Password', a server-side attribute. Look for these names in the 'dictionary' file. 'User-Password' is plain text and 'Crypt-Password' contains the encrypted password. The encryption method used is the 'crypt' function in Linux. See the 'cryptpasswd' Perl script under the scripts subdirectory.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salvin Kumar
Sent: Sunday, July 27, 2003 7:59 PM
To: [EMAIL PROTECTED]
Subject: Authentication with user-password

Hi

I am able to authenticate users from the database with the use of the password. And this is how my radcheck table looks:

radius=# SELECT * from radcheck;
 id | username | attribute | op | value
----+----------+-----------+----+-------
  3 | trial    | password  | == | test
  1 | joe      | password  | == | eoj
  2 | salvin   | password  | == | sal
(3 rows)

Now I want to authenticate a user without the password. How is that possible.

cheers
Re: Authentication with user-password
On Mon, Jul 28, 2003 at 02:58:36PM +1200, Salvin Kumar wrote:
> Hi
>
> I am able to authenticate users from the database with the use of the password. And
> this is how my radcheck table looks:
>
> radius=# SELECT * from radcheck;
>  id | username | attribute | op | value
> ----+----------+-----------+----+-------
>   3 | trial    | password  | == | test
>   1 | joe      | password  | == | eoj
>   2 | salvin   | password  | == | sal
> (3 rows)
>
> Now I want to authenticate a user without the password.
> How is that possible.

Auth-Type := Accept
RE: Authentication Fails From Client Machine
> When I run tcpdump and then run NTRADPING from my
> client machine, the server shows the requests for
> authentication but I still get a no response from
> server error. I'm sure there is something simple
> I'm missing, any suggestions?

What does the freeRadius logfile show? Is the IP address of that client configured on your freeRadius installation?

There are some cases where the server can drop a request (or rather 'MUST silently discard' as per the RFC) and not respond, but the logfile will have a note of that!

Puneet
Re: authentication failures after hours of operation
Oliver Graf <[EMAIL PROTECTED]> wrote:
> Yep, the PAP module is sort of useless. Don't forget to check rlm_unix
> which also does crypts. rlm_unix should work like rlm_sql: just fetch
> data, so that some other module (rlm_pap) can authenticate it. Or am I
> wrong?

rlm_unix should ONLY do getpwent() and possibly crypt(), but not necessarily crypt(). All of its hacks as to caching /etc/passwd should go away, once we verify that rlm_passwd does the same thing.

Alan DeKok.
Re: authentication failures after hours of operation
On Fri, May 30, 2003 at 09:32:36AM -0400, Alan DeKok wrote:
> Oliver Graf <[EMAIL PROTECTED]> wrote:
> > Is this a good place for the mutex? Or is it better to have some init
> > function for the mutex which is called from threads.c?
>
> The best thing to do, as I said before, is to delete the calls to
> crypt() (and ALL authentication checks) from src/main/auth.c, and fix
> the code so that the PAP module works.
>
> That will allow the mutex to be in a logical place: the PAP module's
> data structure.

Yep, the PAP module is sort of useless. Don't forget to check rlm_unix which also does crypts. rlm_unix should work like rlm_sql: just fetch data, so that some other module (rlm_pap) can authenticate it. Or am I wrong?

Oliver.
Re: authentication failures after hours of operation
Oliver Graf <[EMAIL PROTECTED]> wrote:
> Is this a good place for the mutex? Or is it better to have some init
> function for the mutex which is called from threads.c?

The best thing to do, as I said before, is to delete the calls to crypt() (and ALL authentication checks) from src/main/auth.c, and fix the code so that the PAP module works.

That will allow the mutex to be in a logical place: the PAP module's data structure.

Alan DeKok.
Re: authentication failures after hours of operation
On Thu, May 29, 2003 at 03:34:30PM +0200, Oliver Graf wrote: > On Thu, May 29, 2003 at 03:19:59PM +0300, Kostas Kalevras wrote: > > > It now locks while using crypt. This is only good, if this is the only > > > use of crypt. If pap (for example) is also used, it should use the > > > same mutex to lock while doing an crypt (as should do any other > > > freeradius code using crypt). > > > > > > The server seems running und is responsive :) the next hours will show > > > if the problem is fixed with this. > > > > OK, then declare a new function radius_crypt() with a mutex in it, put it > > somewhere in src/lib and change all calls to crypt() to call radius_crypt() > > instead. > > Yep, I had something like this in mind. But now I will fetch me some > beer, fire the barbecue and have a nice Vatertag :) > > I'll write the clean version tomorrow. Ok, here it is. I have now one radiusd with the old version, and one with this version running (both production systems :) ). The function lrad_crypt_check does crypt and check in one, cause the return value of crypt might be a reused string buffer... Is this a good place for the mutex? Or is it better to have some init function for the mutex which is called from threads.c? Oliver. --- src/lib/crypt.c.orig2003-05-30 09:40:29.0 +0200 +++ src/lib/crypt.c 2003-05-30 09:29:16.0 +0200 
@@ -0,0 +1,61 @@ +/* + * a thread-safe crypt wrapper + */ + +#include "libradius.h" +#include +#include +#include + +#if HAVE_PTHREAD_H +#include +#endif + +static int lrad_crypt_init=0; +static pthread_mutex_t lrad_crypt_mutex; + +/* + * initializes authcrypt_mutex + */ + + +/* + * performs a crypt password check in an thread-safe way. + * + * returns: 0 -- check succeeded + * -1 -- failed to crypt + * 1 -- check failed + */ +int lrad_crypt_check(const char *key, const char *crypted) { + char *libc_crypted=NULL, *our_crypted=NULL; + int result=0; + +#if HAVE_PTHREAD_H + if (!lrad_crypt_init == 0) { + pthread_mutex_init(&lrad_crypt_mutex, NULL); + lrad_crypt_init=1; + } + + pthread_mutex_lock(&lrad_crypt_mutex); +#endif + + libc_crypted=crypt(key,crypted); + if (libc_crypted) + our_crypted=strdup(libc_crypted); + +#if HAVE_PTHREAD_H + pthread_mutex_unlock(&lrad_crypt_mutex); +#endif + + if (our_crypted == NULL) + return -1; + + if (strcmp(crypted, our_crypted) == 0) + result = 0; + else + result = 1; + + free(our_crypted); + + return result; +} Index: src/lib/Makefile === RCS file: /source/radiusd/src/lib/Makefile,v retrieving revision 1.14 diff -u -r1.14 Makefile --- src/lib/Makefile3 Mar 2003 19:48:06 - 1.14 +++ src/lib/Makefile30 May 2003 08:03:54 - @@ -3,7 +3,7 @@ SRCS = dict.c print.c radius.c valuepair.c token.c misc.c \ log.c filters.c missing.c md4.c md5.c sha1.c hmac.c \ - snprintf.c isaac.c smbdes.c + snprintf.c isaac.c smbdes.c crypt.c INCLUDES = ../include/radius.h ../include/libradius.h \ ../include/missing.h ../include/autoconf.h Index: src/include/libradius.h === RCS file: /source/radiusd/src/include/libradius.h,v retrieving revision 1.58 diff -u -r1.58 libradius.h --- src/include/libradius.h 21 Apr 2003 20:39:57 - 1.58 +++ src/include/libradius.h 30 May 2003 08:03:54 - 
@@ -298,4 +298,7 @@ const unsigned char *challenge, unsigned char *response); +/* crypt wrapper from crypt.c */ +int lrad_crypt_check(const char *key, const char *crypted); + #endif /*LIBRADIUS_H*/ Index: src/main/auth.c === RCS file: /source/radiusd/src/main/auth.c,v retrieving revision 1.125 diff -u -r1.125 auth.c --- src/main/auth.c 10 Apr 2003 18:09:03 - 1.125 +++ src/main/auth.c 30 May 2003 08:03:55 - @@ -31,10 +31,6 @@ #include #include -#if HAVE_CRYPT_H -# include -#endif - #if HAVE_NETINET_IN_H # include #endif @@ -190,7 +186,6 @@ VALUE_PAIR *password_pair; VALUE_PAIR *auth_item; char string[MAX_STRING_LEN]; - const char *crypted_password; int auth_type = -1; int result; int auth_type_count = 0; @@ -276,16 +271,13 @@ return -1; } - crypted_password = crypt((char *)auth_item->strvalue, -(char *)password_pair->strvalue); - if (!crypted_password) { - rad_authlog("Login incorrect " - "(system failed to supply an encrypted password for comparison)", request, 0); - return -1; -
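Review bot: in the crypt.c hunk, the lazy initialisation of lrad_crypt_mutex is inverted and racy. `if (!lrad_crypt_init == 0)` parses as `(!lrad_crypt_init) == 0`, which is true only once lrad_crypt_init is already non-zero, so pthread_mutex_init() is never reached on the first call and pthread_mutex_lock() runs on an uninitialised mutex; even with the condition corrected, two threads that enter before the flag is set both run pthread_mutex_init(). Replace the flag and the runtime init with `static pthread_mutex_t lrad_crypt_mutex = PTHREAD_MUTEX_INITIALIZER;` and delete lrad_crypt_init. The same declaration sits outside the `#if HAVE_PTHREAD_H` guard that wraps every use of it, so a build without pthread.h has no pthread_mutex_t type for it; move it inside the guard. The empty "initializes authcrypt_mutex" comment above the function refers to a mutex name from the earlier threads.c version of this patch and to a function that does not exist here; drop it.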
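Review bot: the src/lib/Makefile hunk adds crypt.c to SRCS but nothing in the hunk touches the library's link flags, so on a platform where crypt() is provided by libcrypt rather than libc, libradius (and everything that links only against it) now needs -lcrypt that previously only src/main had to supply. Either add the library here or note in the commit that the top-level configure already passes it for the lib.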
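Review bot: the libradius.h hunk declares lrad_crypt_check() without its contract, and the three-way 0 / 1 / -1 return convention documented only in crypt.c is exactly what callers in src/main have to get right. Carry it into the header, e.g. `/* crypt wrapper from crypt.c: 0 match, 1 mismatch, -1 crypt() failed */`, so nobody treats a non-zero result as a plain boolean.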
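Review bot: the src/main/auth.c hunks remove the crypt.h include, the crypted_password variable and the old crypt() call, but the posted diff is cut off before the replacement call to lrad_crypt_check() appears, so the one thing that matters for review, that the call site maps 0 to success, 1 to the "Login incorrect" path and -1 to the existing "system failed to supply an encrypted password for comparison" reject, cannot be checked from what is shown. Please repost the complete @@ -276,16 +271,13 @@ hunk.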
Re: authentication failures after hours of operation
On Thu, May 29, 2003 at 03:19:59PM +0300, Kostas Kalevras wrote:
> > It now locks while using crypt. This is only good, if this is the only
> > use of crypt. If pap (for example) is also used, it should use the
> > same mutex to lock while doing a crypt (as should any other
> > freeradius code using crypt).
> >
> > The server seems running and is responsive :) the next hours will show
> > if the problem is fixed with this.
>
> OK, then declare a new function radius_crypt() with a mutex in it, put it
> somewhere in src/lib and change all calls to crypt() to call radius_crypt()
> instead.

Yep, I had something like this in mind. But now I will fetch me some beer, fire the barbecue and have a nice Vatertag :)

I'll write the clean version tomorrow.

Oliver.
Re: authentication failures after hours of operation
On Thu, 29 May 2003, Oliver Graf wrote:
> On Tue, May 27, 2003 at 05:33:37PM +0200, Oliver Graf wrote:
> > On Tue, May 27, 2003 at 09:27:53AM -0400, Alan DeKok wrote:
> > > Oliver Graf <[EMAIL PROTECTED]> wrote:
> > > > My test showed that the Crypt-Password is the problem. The test users
> > > > with User-Password and auth-type Local work as before, test user (and
> > > > normal users) with Crypt-Password and Crypt-Local are rejected (auth
> > > > failed).
> > >
> > > OK. See src/modules/rlm_pap/rlm_pap.c for examples of wrapping a
> > > pthread mutex around calls to crypt(), which isn't thread-safe. I'll
> > > take a look at fixing it in the CVS head.
> >
> > Hmmm... sort of weird that it takes that long for the bug to
> > manifest. But you're right, crypt is not thread safe.
> >
> > I think I'll wait for your update, cause doing the lock for a module
> > is easy cause I have the instance, but (without diving too much into
> > the source) I don't see where I get to the thread mutex from only a
> > REQUEST *...
>
> After some fruitless attempts to use PAP, I did patch auth.c a bit.
>
> It now locks while using crypt. This is only good, if this is the only
> use of crypt. If pap (for example) is also used, it should use the
> same mutex to lock while doing a crypt (as should any other
> freeradius code using crypt).
>
> The server seems running and is responsive :) the next hours will show
> if the problem is fixed with this.

OK, then declare a new function radius_crypt() with a mutex in it, put it somewhere in src/lib and change all calls to crypt() to call radius_crypt() instead.

> Oliver.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 210 7721861
'Go back to the shadow'  Gandalf
Re: authentication failures after hours of operation
On Tue, May 27, 2003 at 05:33:37PM +0200, Oliver Graf wrote: > On Tue, May 27, 2003 at 09:27:53AM -0400, Alan DeKok wrote: > > Oliver Graf <[EMAIL PROTECTED]> wrote: > > > My test showed that the Crypt-Password is the problem. The test users > > > with User-Password and auth-type Local work as before, test user (and > > > normal users) with Crypt-Password and Crypt-Local are rejected (auth > > > failed). > > > > OK. See src/modules/rlm_pap/rlm_pap.c for examples of wrapping a > > pthread mutex around calls to crypt(), which isn't thread-safe. I'll > > take a look at fixing it in the CVS head. > > Hmmm... sort of weird that it takes that long for the bug to > manifest. But you're right, crypt is not thread safe. > > I think I'll wait for your update, cause doing the lock for a module > is easy cause I have the instance, but (without diving to much into > the source) I don't see where I get to the thread mutex from only a > REQUEST *... After some fruitless attemps to use PAP, I did patch auth.c a bit. It now locks while using crypt. This is only good, if this is the only use of crypt. If pap (for example) is also used, it should use the same mutex to lock while doing an crypt (as should do any other freeradius code using crypt). The server seems running und is responsive :) the next hours will show if the problem is fixed with this. Oliver. --- freeradius-snapshot-20030529/src/main/threads.c.orig2003-05-29 13:44:07.0 +0200 +++ freeradius-snapshot-20030529/src/main/threads.c 2003-05-29 13:58:49.0 +0200 @@ -134,6 +134,10 @@ */ static pthread_mutex_t fork_mutex; +/* + * This mutex solves a threading porblem with crypt in auth.c + */ +pthread_mutex_t authcrypt_mutex; /* * A mapping of configuration file names to internal integers 
@@ -770,6 +774,7 @@ * Initialize the mutex used to remember calls to fork. */ pthread_mutex_init(&fork_mutex, NULL); + pthread_mutex_init(&authcrypt_mutex, NULL); /* * Initialize the data structure where we remember the --- freeradius-snapshot-20030529/src/main/auth.c.orig 2003-05-29 13:42:03.0 +0200 +++ freeradius-snapshot-20030529/src/main/auth.c2003-05-29 13:56:52.0 +0200 @@ -276,8 +276,15 @@ return -1; } +#if HAVE_PTHREAD_H + pthread_mutex_lock(&authcrypt_mutex); +#endif crypted_password = crypt((char *)auth_item->strvalue, -(char *)password_pair->strvalue); +(char *)password_pair->strvalue); +#if HAVE_PTHREAD_H + pthread_mutex_unlock(&authcrypt_mutex); +#endif + if (!crypted_password) { rad_authlog("Login incorrect " "(system failed to supply an encrypted password for comparison)", request, 0); --- freeradius-snapshot-20030529/src/include/radiusd.h.orig 2003-05-29 13:47:12.0 +0200 +++ freeradius-snapshot-20030529/src/include/radiusd.h 2003-05-29 13:58:38.0 +0200 @@ -230,6 +230,7 @@ extern int proxy_port; extern int proxyfd; extern const char *radiusd_version; +extern pthread_mutex_t authcrypt_mutex; /* * Function prototypes.
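Review bot: in the threads.c @@ -134,6 +134,10 @@ hunk the new global authcrypt_mutex is only ever initialised from the thread-pool setup in the following hunk, so any path that reaches the crypt() call in auth.c without the pool having been started (a server built with HAVE_PTHREAD_H but run single-threaded) locks an uninitialised mutex. Declare it as `pthread_mutex_t authcrypt_mutex = PTHREAD_MUTEX_INITIALIZER;` here and drop the pthread_mutex_init() call in the @@ -770 hunk; that also removes the dependency on initialisation order. Typo in the comment: "porblem".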
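Review bot: in the auth.c @@ -276,8 +276,15 @@ hunk the lock is released too early. crypt() returns a pointer into a static buffer, and the hunk unlocks authcrypt_mutex right after the call while crypted_password still points at that buffer; the NULL test and the strcmp() against password_pair->strvalue further down read it after another thread's crypt() may have overwritten it, so the race this patch is meant to close is still open. Either extend the critical section over the comparison, or strdup() the result inside the lock and compare the copy, which is what the lrad_crypt_check() version posted in this thread does.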
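Review bot: in the radiusd.h hunk `extern pthread_mutex_t authcrypt_mutex;` is unconditional while every use of it in auth.c is wrapped in `#if HAVE_PTHREAD_H`; a build without pthreads has no pthread_mutex_t type at that point and fails to compile. Put the declaration under the same guard, and make sure pthread.h is included before radiusd.h is parsed on builds that do have it.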
Re: authentication and accounting using proxy feature
On Tue, 1 Apr 2003, Wisam Najim wrote:
> I have configured the freeRADIUS to proxy requests to another remote
> RADIUS (...) The problem is for every request the freeRADIUS that
> proxies the request tries to authenticate the customer locally even if that
> customer request is proxied (...)

Under the default configuration, yes, at least on 0.8.1. Check doc/configurable_failover.txt. You need to exit authorization {} after you've dealt with the suffix. Putting:

  suffix {
    updated = return
  }

before whatever you're using to authorize your non-proxy users should help.

> (...) and also, once customer is successfully authenticated by
> remote RADIUS, it enters an accounting record for that customer in the
> local detailed file. I want to know if there is a way to stop this. I
> want a proxied request to be authenticated by remote RADIUS only and also I
> want the accounting records to be inserted in the remote RADIUS detailed
> file only.

Read the few days of the list. There's an answer there.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc   | The wound of peace is surety,
Sr. UNIX Systems Administrator    | Surety secure; but modest doubt is called
Lighthouse Communications         | The beacon of the wise, the tent that searches
[EMAIL PROTECTED]                 | To th' bottom of the worst.
(515)244-1115 | (888)953-3278     |         William Shakespeare
http://www.lh.net                 |         Troilus and Cressida (II, ii)

On Tue, 1 Apr 2003, Wisam Najim wrote:
> Date: Tue, 01 Apr 2003 07:24:04 +0400
> From: Wisam Najim <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: authentication and accounting using proxy feature
>
>
> Hi All,
>
> I have configured the freeRADIUS to proxy requests to another remote RADIUS.
> It works fine and I get all required users proxied to remote RADIUS. The
> problem is for every request the freeRADIUS that proxies the request tries
> to authenticate the customer locally even if that customer request is proxied
> and also, once customer is successfully authenticated by remote RADIUS, it
> enters an accounting record for that customer in the local detailed file. I
> want to know if there is a way to stop this. I want a proxied request to be
> authenticated by remote RADIUS only and also I want the accounting records
> to be inserted in the remote RADIUS detailed file only.
>
> Your help is highly appreciated.
>
> Regards,
Re: Authentication
an example users entry might be:

username    Password == "testing123", Calling-Station-ID == "12345678"
            Framed-MTU = 576,
            Service-Type = Framed-User

If you read into the users file format, you will see you have the identifier (username, group), check items and reply items. The check items are things that must succeed such as password, but you can also add items such as Calling-Station-ID, Called-Station-ID or Nas-IP-Address etc. Reply items are those sent back during Authorization to the router/access server once the Authentication is successful.

Cheers
Martin

On Friday 28 March 2003 03:59, Keith Ballard wrote:
> Hi all,
> Just a quick question before I go much deeper.
>
> Is it possible to authenticate a dial-up with freeradius based not just on
> username/password, but also phone number called from (ie only allow dial-in
> from one particular number per customer).
> If so can anyone please point me to a faq, etc (I couldn't find it in the
> Radius book).
>
> regards,
> Keith

--
Martin ([EMAIL PROTECTED])
ICQ# 748846
Re: Authentication
Add that to the users file.

username    User-Password == "whatever", Calling-Station-Id == "333-"

something like that. It will look for all three variables before finding a match.

On Thu, 27 Mar 2003, Keith Ballard wrote:
> Hi all,
> Just a quick question before I go much deeper.
>
> Is it possible to authenticate a dial-up with freeradius based not just on
> username/password, but also phone number called from (ie only allow dial-in
> from one particular number per customer).
> If so can anyone please point me to a faq, etc (I couldn't find it in the
> Radius book).
>
> regards,
> Keith
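The users entries in this thread and the radcheck table in the "Authentication with user-password" thread are one mechanism: check items that must all match before the password is looked at, which is also the authorization-before-authentication order asked about in the "Authentication, Authorization process" thread. The following Python is an added example, not FreeRADIUS code. It keeps an in-memory SQLite radcheck with the case-sensitive column names from that thread, rows that use User-Password rather than "password", a Calling-Station-Id restriction of the kind Martin and the reply above describe, and an Auth-Type := Accept entry as in the "Auth-Type := Accept" answer, plus an evaluator for the ==, != and := operators that runs the check items first and compares the password last. Table contents, user names and the "Cleartext-Password" control name are constructed; Crypt-Password is left out because it needs crypt(3).

```python
# Check-item evaluation in the style of the users file / radcheck table.
# Added example for this page, not FreeRADIUS code; schema, rows and the
# "Cleartext-Password" control name are constructed.
import hmac
import sqlite3

# Column names are case sensitive in the SQL module (see the post above).
SCHEMA = """CREATE TABLE radcheck (
    id INTEGER PRIMARY KEY, UserName TEXT NOT NULL, Attribute TEXT NOT NULL,
    op TEXT NOT NULL, Value TEXT NOT NULL)"""

# Constructed sample rows. Note the attribute is User-Password, not "password".
ROWS = [
    ("trial", "User-Password", "==", "test"),
    ("joe", "User-Password", "==", "eoj"),
    ("joe", "Calling-Station-Id", "==", "12345678"),   # dial-in only from this number
    ("salvin", "Auth-Type", ":=", "Accept"),           # accepted without a password
]


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)", ROWS)
    return con


def check_items(con, username):
    return con.execute("SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
                       (username,)).fetchall()


def authorize(con, request):
    # Authorization stage: every '==' / '!=' check item is matched against the
    # request, ':=' items become control items. The stored User-Password is only
    # handed on for authenticate(). Returns (ok, control, reason).
    items = check_items(con, request.get("User-Name", ""))
    if not items:
        return False, {}, "no entry for user"
    control = {}
    for attr, op, value in items:
        if op == ":=":
            control[attr] = value
        elif attr == "User-Password" and op == "==":
            control["Cleartext-Password"] = value
        elif op == "==":
            if request.get(attr) != value:
                return False, {}, "%s mismatch" % attr
        elif op == "!=":
            if request.get(attr) == value:
                return False, {}, "%s forbidden value" % attr
        else:
            raise ValueError("unsupported operator %r" % op)
    return True, control, "ok"


def authenticate(control, request):
    # Authentication stage: Auth-Type := Accept short-circuits, otherwise the
    # request's User-Password is compared with the stored cleartext value.
    if control.get("Auth-Type") == "Accept":
        return True
    reference = control.get("Cleartext-Password")
    supplied = request.get("User-Password")
    if reference is None or supplied is None:
        return False
    return hmac.compare_digest(reference.encode(), supplied.encode())


def process(con, request):
    # On any failure only the verdict goes back; no reply items on a reject.
    ok, control, reason = authorize(con, request)
    if not ok:
        return "Access-Reject (%s)" % reason
    return "Access-Accept" if authenticate(control, request) else "Access-Reject (bad password)"
```

The order matters for the question in the "Authentication, Authorization process" thread: a Calling-Station-Id mismatch rejects before the password is ever compared, and a wrong password rejects after it, but in both cases the only thing returned is the reject. Reply items (Framed-MTU, Service-Type and the like in Martin's example) would be attached only on the accept path.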
RE: Authentication
Check page 38 in the Radius book.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Keith Ballard
> Sent: Thursday, March 27, 2003 11:30 AM
> To: [EMAIL PROTECTED]
> Subject: Authentication
>
> Hi all,
> Just a quick question before I go much deeper.
>
> Is it possible to authenticate a dial-up with freeradius based not just on
> username/password, but also phone number called from (ie only allow dial-in
> from one particular number per customer).
> If so can anyone please point me to a faq, etc (I couldn't find it in the
> Radius book).
>
> regards,
> Keith
Re: Authentication Attributes
Chris Hanrahan <[EMAIL PROTECTED]> wrote:
> Is there a way to configure FreeRadius such that it verifies a
> user's ID and password against an NT domain AND requires that a user
> be in an NT Domain group before issuing an access granted reply ?

  Source code modifications. See pam_winbind, or Samba for some starters.

  Alan DeKok.
Re: Authentication Attributes
> If I am running winbindd and specify Group=='vpn_users', will
> FreeRadius check for a group called "vpn_users" by using winbindd ?
>
> No. The 'Group' is only for Unix groups.

Is there a way to configure FreeRadius such that it verifies a user's ID and password against an NT domain AND requires that a user be in an NT Domain group before issuing an access granted reply ?

I am trying to replace Microsoft's IAS server with FreeRadius, and IAS is configured in this manner.

Thanks
Chris Hanrahan

Alan DeKok <[EMAIL PROTECTED]> wrote:
> Chris Hanrahan <[EMAIL PROTECTED]> wrote:
> > I am running FreeRadius 0.8.1 and am trying to configure the users
> > file. Are the authentication attributes, such as Auth-Type, Group,
> > and User-Password documented anywhere ?
>
> The User-Password is documented in the RFC's. See:
> http://www.freeradius.org/rfc/attributes.html
>
> > If I am running winbindd and specify Group=='vpn_users', will
> > FreeRadius check for a group called "vpn_users" by using winbindd ?
>
> No. The 'Group' is only for Unix groups.
Re: Authentication Attributes
Chris Hanrahan <[EMAIL PROTECTED]> wrote:
> I am running FreeRadius 0.8.1 and am trying to configure the users
> file. Are the authentication attributes, such as Auth-Type, Group,
> and User-Password documented anywhere ?

  The User-Password is documented in the RFC's. See:

http://www.freeradius.org/rfc/attributes.html

> If I am running winbindd and specify Group=='vpn_users', will
> FreeRadius check for a group called "vpn_users" by using winbindd ?

  No. The 'Group' is only for Unix groups.
Re: Authentication problem
On Fri, 7 Mar 2003, QAdmin wrote:

> Hi everyone,
> I have a particular authentication problem that I need to solve
> quickly, and I need your help... here it is:
>
> First, I am using FreeRadius 0.8.1 with the "users" file.
>
> My freeradius server will receive two authentication requests for
> the same User-Name, but will have to return different attributes
> depending on the NAS connecting to it.
>
> So, if it receives a request for [EMAIL PROTECTED] and the request
> packet contains NAS-IP-Address 192.168.100.1 then I know I have
> to reply with some predefined attributes.
>
> Next, if a request comes in again for [EMAIL PROTECTED], but this time
> the NAS-IP-Address attribute is set to something else than 192.168.100.1
> then I need to return another set of Attributes in reply.
>
> I've tried to set two "[EMAIL PROTECTED]" entries in the users file,
> the first having a check list that looks like this:
>
> [EMAIL PROTECTED]	User-Password == "password"
> 	Auth-Type := Local,
> 	Service-Type = Framed-User
> 	...
>
> and another entry below:
>
> [EMAIL PROTECTED]	NAS-IP-Address == "192.168.100.1", User-Password == "Password"
> 	Auth-Type := Local,
> 	Service-Type = Outbound-User
> 	...
>
> Now, that just doesn't work. Because the requests are specific
> to a single User-Name, it will always match on the first entry it finds
> in the users file, matching this User-Name.
>
> Is there a way I can tell FreeRadius not to stop its match
> on the first occurrence of "[EMAIL PROTECTED]", but carefully inspect
> all values in the checklist ?
>
> At best,
> Would it be possible to have a "catch-all" entry that just watches for
> the NAS-IP-Address 192.168.100.1 and return the proper attributes ?

DEFAULT	NAS-IP-Address == "192.168.100.1", Auth-Type := Local
	Service-Type = Outbound-User

DEFAULT	Auth-Type := Local
	Service-Type = Framed-User

[EMAIL PROTECTED]	User-Password == "Password"

> I want to avoid having to run a separate radius server AND also having
> double entries for each user in the users file.
>
> Thank you for your help.

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Re: Authentication problem
Try putting the second one first - the NAS IP entry - and then on the bottom of it put Fall-Through = no

On Fri, 7 Mar 2003, QAdmin wrote:

> Hi everyone,
> I have a particular authentication problem that I need to solve
> quickly, and I need your help... here it is:
>
> First, I am using FreeRadius 0.8.1 with the "users" file.
>
> My freeradius server will receive two authentication requests for
> the same User-Name, but will have to return different attributes
> depending on the NAS connecting to it.
>
> So, if it receives a request for [EMAIL PROTECTED] and the request
> packet contains NAS-IP-Address 192.168.100.1 then I know I have
> to reply with some predefined attributes.
>
> Next, if a request comes in again for [EMAIL PROTECTED], but this time
> the NAS-IP-Address attribute is set to something else than 192.168.100.1
> then I need to return another set of Attributes in reply.
>
> I've tried to set two "[EMAIL PROTECTED]" entries in the users file,
> the first having a check list that looks like this:
>
> [EMAIL PROTECTED]	User-Password == "password"
> 	Auth-Type := Local,
> 	Service-Type = Framed-User
> 	...
>
> and another entry below:
>
> [EMAIL PROTECTED]	NAS-IP-Address == "192.168.100.1", User-Password == "Password"
> 	Auth-Type := Local,
> 	Service-Type = Outbound-User
> 	...
>
> Now, that just doesn't work. Because the requests are specific
> to a single User-Name, it will always match on the first entry it finds
> in the users file, matching this User-Name.
>
> Is there a way I can tell FreeRadius not to stop its match
> on the first occurrence of "[EMAIL PROTECTED]", but carefully inspect
> all values in the checklist ?
>
> At best,
> Would it be possible to have a "catch-all" entry that just watches for
> the NAS-IP-Address 192.168.100.1 and return the proper attributes ?
>
> I want to avoid having to run a separate radius server AND also having
> double entries for each user in the users file.
>
> Thank you for your help.
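To make the matching rules discussed in this thread (and the Calling-Station-Id check from the "Authentication" thread above) concrete, here is an added example, written for this page and not FreeRADIUS code, that models how the server walks the users file: name or DEFAULT, every "==" check item must match, ":=" check items set control attributes such as Auth-Type, reply items accumulate ("=" only if not already set), and the first applying entry ends the search unless its reply list carries Fall-Through = Yes. The entries and requests are constructed samples; the Local-auth rule that an entry must have supplied a passing User-Password check is a simplification of the real authenticate stage.

```python
"""Mini-model of how FreeRADIUS walks the 'users' file (added example, not FreeRADIUS source).

Models only what the thread discusses: an entry applies when its name is DEFAULT or
equals the request's User-Name and every '==' check item equals the request attribute;
':=' and '=' check items set control attributes (Auth-Type); reply items are collected
('=' adds only if the attribute is not already set, ':=' overrides); the first applying
entry ends the search unless its reply list says Fall-Through = Yes.
The users text and requests below are constructed samples.
"""
import re

# Attr op value; the value is either quoted (commas allowed inside) or bare.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Turn 'A == "x", B = y' into [(attr, op, value), ...]."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Parse entries: an unindented head line 'name check-items', then indented reply lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                        # continuation line: reply items
            entries[-1]["reply"].extend(parse_items(line))
        else:                                       # new entry head
            parts = line.split(None, 1)
            entries.append({"name": parts[0],
                            "check": parse_items(parts[1]) if len(parts) > 1 else [],
                            "reply": []})
    return entries


def _apply(target, attr, op, value):
    """':=' replaces; '=' adds only when the attribute is not already there."""
    if op == ":=" or attr not in target:
        target[attr] = value


def authorize(entries, request):
    """Return (control, reply, password_seen) or None when no entry applies.

    password_seen becomes True once an applying entry carried a passing
    'User-Password ==' item; with Auth-Type Local and no such item the server
    has nothing to authenticate against and rejects (simplified here).
    """
    control, reply, matched, password_seen = {}, {}, False, False
    for entry in entries:
        if entry["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        compares = [(a, v) for a, op, v in entry["check"] if op == "=="]
        if any(request.get(a) != v for a, v in compares):
            continue                                # a check item failed: skip entry
        matched = True
        for attr, op, value in entry["check"]:
            if op != "==":
                _apply(control, attr, op, value)    # e.g. Auth-Type := Local
        password_seen = password_seen or any(a == "User-Password" for a, _ in compares)
        fall_through = False
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                _apply(reply, attr, op, value)
        if not fall_through:
            break                                   # first match wins
    return (control, reply, password_seen) if matched else None


def decide(entries, request):
    """Access-Accept with the collected reply items, or Access-Reject with none."""
    result = authorize(entries, request)
    if result is None:
        return ("Access-Reject", {})
    control, reply, password_seen = result
    if control.get("Auth-Type") == "Reject":
        return ("Access-Reject", {})
    if control.get("Auth-Type", "Local") == "Local" and not password_seen:
        return ("Access-Reject", {})
    return ("Access-Accept", reply)


# Constructed sample: per-NAS DEFAULT entries fall through to a single entry per
# user, which also pins the customer's calling number; no double user entries.
USERS = """
DEFAULT\tNAS-IP-Address == "192.168.100.1", Auth-Type := Local
\tService-Type = Outbound-User,
\tFall-Through = Yes

DEFAULT\tAuth-Type := Local
\tService-Type = Framed-User,
\tFall-Through = Yes

keith\tUser-Password == "testing123", Calling-Station-Id == "12345678"
\tFramed-MTU = 576
"""
ENTRIES = parse_users(USERS)

if __name__ == "__main__":
    for nas in ("192.168.100.1", "192.168.100.2"):
        req = {"User-Name": "keith", "User-Password": "testing123",
               "Calling-Station-Id": "12345678", "NAS-IP-Address": nas}
        print(nas, decide(ENTRIES, req))
```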
RE: Authentication against MySQL
> That is exactly what I had to do. All the docs say put it in
> radgroupreply. But it seems that it will not recognize it anywhere in
> the DB. I never did get a good answer, I think it's something in the
> recent code, older versions seem to be fine. The only way I could make
> it work was to change it at the users file. So now I have no default
> System for local logins.

There was a thread on this a couple of days ago (which also finally prompted today's updating of the FR/MySQL notes at http://www.frontios.com/freeradius.html).

Basically, auth-type should be a check item, not a reply item, and if FreeRadius doesn't get one it defaults to 'Local'. Search the list under the subject: "freeradius not reading Auth-Type from MySQL" for more...

Regards,
SB
Re: Authentication against MySQL
Well Rick,

That is exactly what I had to do. All the docs say put it in radgroupreply. But it seems that it will not recognize it anywhere in the DB. I never did get a good answer, I think it's something in the recent code, older versions seem to be fine. The only way I could make it work was to change it at the users file. So now I have no default System for local logins.

> Rick Evans wrote:
>
> Hello,
>
> I am new to using Freeradius as well as to the list so I apologize for
> any ignorant statements.
>
> I am using Freeradius + MySQL and up until a few minutes ago, I could
> get a user 'test' to authenticate against the Radius server as long as the
> user was entered into the system, however not if the user was in the Radius
> database (MySQL).
>
> I was getting the same errors about "DEFAULT Auth-Type := System" and it
> would reject the username/password combination. I have setup in the
> radgroupreply table, a field entry setting the Auth-Type to Local. I also setup in
> the radgroupcheck table the same type of entry based on a previous read
> message. I would still get the same errors when running the Radius server
> in its 'debugging' mode.
>
> I just recently modified the 'users' file and changed the Default
> Auth-Type to 'Local' instead of 'System' and it started working. Is this the correct
> location to specify this attribute or is there a cleaner way of setting it?
>
> Thank you for all of your help and suggestions.
>
> Rick Evans
Re: Authentication time
On Fri, Jan 10, 2003 at 10:07:34AM -0500, Roy Wills wrote:
> hmmm I don't think I am explaining this very well. I need some users to only have access for a week
> (ie: monday to following monday) and some users have a month of access (ie: Jan 1 to Jan 31). I do not
> think that actual session times are going to work in this case since they are not actually doing a
> traditional dial-in setup. Radius is just there to have centralized authorization for about 6 networks
> across the city. Is there an attribute to allow from first login to say disable after 7 days or 30 days?

I suspect you'll have to use perl/python and friends to write a script to check through their logs, and when they reach their limit, modify their password so they can no longer authenticate properly.

I'm in the middle of doing something similar to work with pre-paid accounts, but I'm in no position to be giving out code at this time. In my case, however, I'm adding a Framed-Address reply for that user (made easy by using mysql for auth/logging) which belongs to the rfc1918 address range. This allows me to filter any web requests to our own webpage, which displays an appropriate message (since windows ignores any ppp messages iirc), allowing us to let them on, but not to do anything useful (stops people who have autodial from dialing up a fortune in connect/disconnect charges).

Andrew 'ashridah' Pilley

> 1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:
>
> >On Thu, 9 Jan 2003, Roy Wills wrote:
> >
> >> ok...i have read the radiusd.conf and scoured once again the docs and am not
> >> grasping where i need to put the attrib. i have users that only have access
> >> for a week and some for a month. Its
> >> all time-frame based and varies. i guess my question now is do i have a line
> >> like this for every user on top of the accept lines?
> >>
> >>DEFAULT	Daily-Session-Time > 3600, Auth-Type = Reject
> >>	Reply-Message = "You've used up more than one hour today"
> >>
> >> or do i need to create a db.counter file for these? If this is totally wrong
> >> can you point me to a faq better than the docs that are with it?
> >
> >The docs are really just fine.
> >
> >You can set the corresponding attribute for each user:
> >
> >userweekly	Max-Weekly-Session := 4500
> >
> >usermonthly	Max-Monthly-Session := 45000
> >
> >Just make sure you don't set DEFAULT entries with these attributes.
> >
> >> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> >>
> >> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> >> Is there a way to limit the time a user can spend online? What i
> >> >> want to do is say that user X has 1 week of use and after that they
> >> >> are no longer allowed to log in.
> >> >
> >> > Yes. Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >> >
> >> >> If so when does the time start, when the first logins or when i put
> >> >> the user/pass in the users file?
> >> >
> >> > When the user first logs in.
> >> >
> >> > Alan DeKok.
Re: Authentication time
hmmm I don't think I am explaining this very well. I need some users to only have access for a week (ie: monday to following monday) and some users have a month of access (ie: Jan 1 to Jan 31). I do not think that actual session times are going to work in this case since they are not actually doing a traditional dial-in setup. Radius is just there to have centralized authorization for about 6 networks across the city. Is there an attribute to allow from first login to say disable after 7 days or 30 days?

1/10/03 4:18:42 AM, Kostas Kalevras <[EMAIL PROTECTED]> wrote:

>On Thu, 9 Jan 2003, Roy Wills wrote:
>
>> ok...i have read the radiusd.conf and scoured once again the docs and am not
>> grasping where i need to put the attrib. i have users that only have access
>> for a week and some for a month. Its
>> all time-frame based and varies. i guess my question now is do i have a line
>> like this for every user on top of the accept lines?
>>
>>DEFAULT	Daily-Session-Time > 3600, Auth-Type = Reject
>>	Reply-Message = "You've used up more than one hour today"
>>
>> or do i need to create a db.counter file for these? If this is totally wrong
>> can you point me to a faq better than the docs that are with it?
>
>The docs are really just fine.
>
>You can set the corresponding attribute for each user:
>
>userweekly	Max-Weekly-Session := 4500
>
>usermonthly	Max-Monthly-Session := 45000
>
>Just make sure you don't set DEFAULT entries with these attributes.
>
>> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>>
>> >Roy Wills <[EMAIL PROTECTED]> wrote:
>> >> Is there a way to limit the time a user can spend online? What i
>> >> want to do is say that user X has 1 week of use and after that they
>> >> are no longer allowed to log in.
>> >
>> > Yes. Read 'raddb/radiusd.conf', and look for the 'counter' module.
>> >
>> >> If so when does the time start, when the first logins or when i put
>> >> the user/pass in the users file?
>> >
>> > When the user first logs in.
>> >
>> > Alan DeKok.
>
>--
>Kostas Kalevras		Network Operations Center
>[EMAIL PROTECTED]	National Technical University of Athens, Greece
>Work Phone:		+30 210 7721861
>'Go back to the shadow'	Gandalf
Re: Authentication time
On Thu, 9 Jan 2003, Roy Wills wrote:

> ok...i have read the radiusd.conf and scoured once again the docs and am not
> grasping where i need to put the attrib. i have users that only have access
> for a week and some for a month. Its
> all time-frame based and varies. i guess my question now is do i have a line
> like this for every user on top of the accept lines?
>
>DEFAULT	Daily-Session-Time > 3600, Auth-Type = Reject
>	Reply-Message = "You've used up more than one hour today"
>
> or do i need to create a db.counter file for these? If this is totally wrong
> can you point me to a faq better than the docs that are with it?

The docs are really just fine.

You can set the corresponding attribute for each user:

userweekly	Max-Weekly-Session := 4500

usermonthly	Max-Monthly-Session := 45000

Just make sure you don't set DEFAULT entries with these attributes.

> 1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:
>
> >Roy Wills <[EMAIL PROTECTED]> wrote:
> >> Is there a way to limit the time a user can spend online? What i
> >> want to do is say that user X has 1 week of use and after that they
> >> are no longer allowed to log in.
> >
> > Yes. Read 'raddb/radiusd.conf', and look for the 'counter' module.
> >
> >> If so when does the time start, when the first logins or when i put
> >> the user/pass in the users file?
> >
> > When the user first logs in.
> >
> > Alan DeKok.

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Re: Authentication time
ok... I have read the radiusd.conf and scoured once again the docs and am not grasping where I need to put the attrib. I have users that only have access for a week and some for a month. Its all time-frame based and varies. I guess my question now is do I have a line like this for every user on top of the accept lines?

DEFAULT	Daily-Session-Time > 3600, Auth-Type = Reject
	Reply-Message = "You've used up more than one hour today"

or do I need to create a db.counter file for these? If this is totally wrong can you point me to a faq better than the docs that are with it?

1/9/2003 4:30:35 PM, "Alan DeKok" <[EMAIL PROTECTED]> wrote:

>Roy Wills <[EMAIL PROTECTED]> wrote:
>> Is there a way to limit the time a user can spend online? What i
>> want to do is say that user X has 1 week of use and after that they
>> are no longer allowed to log in.
>
> Yes. Read 'raddb/radiusd.conf', and look for the 'counter' module.
>
>> If so when does the time start, when the first logins or when i put
>> the user/pass in the users file?
>
> When the user first logs in.
>
> Alan DeKok.
Re: Authentication time
Roy Wills <[EMAIL PROTECTED]> wrote:
> Is there a way to limit the time a user can spend online? What i
> want to do is say that user X has 1 week of use and after that they
> are no longer allowed to log in.

  Yes. Read 'raddb/radiusd.conf', and look for the 'counter' module.

> If so when does the time start, when the first logins or when i put
> the user/pass in the users file?

  When the user first logs in.

  Alan DeKok.
Re: Authentication vs. Authorization question
Artur Hecker <[EMAIL PROTECTED]> wrote:
> his question is how to mangle the response adding authorization data...
> Jukka, i think you should take a look at postproxying available in
> freeradius 0.8 or in the snapshots (not sure about that).

  No. Once the reply is received from the home server, FreeRADIUS will run the packet through the authorization stage again. At this point, you can add whatever authorization you decide is necessary.

  Alan DeKok.
Re: Authentication vs. Authorization question
> Jukka wanted to know how to ADD authorization data
> to the response sent by the remote server. The
> remote server _doesn't_ send any authorization data,
> it's not supposed to and there is nothing to be done
> about it, at least not by Jukka.
>
> his question is how to mangle the response adding
> authorization data...

Exactly.

> you can definitely add whatever you want using
> postproxying. the question is however, if there
> is a simpler way to achieve the same result.

Thanks, I'll check it out.
Re: Authentication vs. Authorization question
The data should be in radreply table or radgroupreply (if your user is in a group in usergroup table). I am not a proxying expert but I think it would be nice to check the remote server if it's even able to send these data. I might be off the track also!

You can perhaps use the radclient program to test the situation. When you connect to the server with radclient you should just enter the a/v pairs and then press CTRL+D. Running

#radclient 192.168.168.1 auth YOURSECRET

then sending

User-Name = "John"
User-Password = "hello"
^D

should do... do you receive the replies you want?

Evren

On Wed, 27 Nov 2002, Jukka Lehti wrote:

> --- Evren Yurtesen <[EMAIL PROTECTED]> wrote:
> > What kind of db are you using? can you send
> > radiusd -xx
> > output of authentication session?
>
> I'm using MySQL at the moment and it's working ok.
> Output attached.
>
> > do you mean that the remote server is working good
> > when you connect it
> > directly? for example with radclient ?
>
> It's working ok, yes. I get the authentication data
> from the remote server but don't know how to add
> authorization data from local db to reply?
>
> > On Wed, 27 Nov 2002, Jukka Lehti wrote:
> >
> > > Hi,
> > >
> > > I've set up freeradius 0.8 so that users like
> > > john@test get authenticated from a remote RADIUS
> > > server, i.e., freeradius works as a proxy. This is
> > > working well, so no problem here. But: the remote
> > > server only returns authentication data (un/pw
> > > ok/bad), I have authorization data in my local DB
> > > (Session-Timeout etc). How could I add this
> > > authorization data to RADIUS reply after successful
> > > authentication from the remote server? I've been
> > > experimenting with autztype directive, but without
> > > success yet. Any other ideas/examples?
> > >
> > > Thanks in advance.
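What the radclient test above actually puts on the wire is an RFC 2865 Access-Request; here is an added example, written for this page and not radclient or FreeRADIUS code, that builds one with User-Name, a User-Password hidden with the shared secret and Request Authenticator (RFC 2865 section 5.2) and NAS-IP-Address, and decodes it again so the hiding can be checked. The secret, user and the fixed authenticator in the test are constructed sample values; a real client draws the authenticator from a strong random source, as the builder does by default.

```python
"""Encode and decode a RADIUS Access-Request (added example, not radclient source).

Packet layout (RFC 2865): Code(1) Identifier(1) Length(2) Authenticator(16)
followed by attributes, each Type(1) Length(1, header included) Value.
User-Password is hidden by XORing 16-byte blocks of the padded password with
MD5(secret + previous block), the first 'previous block' being the Authenticator.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4}
NAME = {v: k for k, v in ATTR.items()}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple and chain XOR with MD5 blocks."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server side of the same computation."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]              # ciphertext block feeds the next MD5
    return out.rstrip(b"\0")


def build_access_request(ident, secret, attrs, authenticator=None):
    """Encode {attr-name: value} as an Access-Request; returns (packet, authenticator)."""
    authenticator = authenticator or os.urandom(16)
    body = b""
    for name, value in attrs.items():
        if name == "User-Password":
            raw = hide_password(value.encode(), secret, authenticator)
        elif name == "NAS-IP-Address":
            raw = socket.inet_aton(value)   # ipaddr attributes are 4 raw bytes
        else:
            raw = value.encode()
        body += struct.pack("!BB", ATTR[name], 2 + len(raw)) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, authenticator


def parse_access_request(packet, secret):
    """Decode header and attributes, rejecting malformed lengths; returns (ident, attrs)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        name = NAME.get(atype, str(atype))
        if name == "User-Password":
            attrs[name] = unhide_password(value, secret, authenticator).decode(errors="replace")
        elif name == "NAS-IP-Address":
            attrs[name] = socket.inet_ntoa(value)
        else:
            attrs[name] = value.decode(errors="replace")
        pos += alen
    return ident, attrs


if __name__ == "__main__":
    # Constructed sample mirroring the radclient session quoted above.
    pkt, _ = build_access_request(1, b"YOURSECRET", {"User-Name": "John", "User-Password": "hello",
                                                     "NAS-IP-Address": "192.168.168.1"})
    print(len(pkt), "bytes:", parse_access_request(pkt, b"YOURSECRET"))
```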
Re: Authentication vs. Authorization question
Well, I suspected that the remote server maybe doesn't even have this data inside or somehow doesn't send it back. I thought the first thing is to check if the remote server is working good, without any problems. But definitely I am not an expert at proxying, but I thought the proxy should automatically forward all the data received from the server. That's also another reason why I thought the proxy doesn't receive anything.

Evren

On Wed, 27 Nov 2002, Artur Hecker wrote:

> Evren, I think you misunderstand the question: Jukka wanted to know how
> to ADD authorization data to the response sent by the remote server. The
> remote server _doesn't_ send any authorization data, it's not supposed
> to and there is nothing to be done about it, at least not by Jukka.
>
> his question is how to mangle the response adding authorization data...
> Jukka, I think you should take a look at postproxying available in
> freeradius 0.8 or in the snapshots (not sure about that).
>
> you can definitely add whatever you want using postproxying. the
> question is however, if there is a simpler way to achieve the same result.
>
> ciao
> artur
>
> Evren Yurtesen wrote:
> > What kind of db are you using? can you send
> > radiusd -xx
> > output of authentication session?
> >
> > do you mean that the remote server is working good when you connect it
> > directly? for example with radclient ?
Re: Authentication vs. Authorization question
Evren, I think you misunderstand the question: Jukka wanted to know how to ADD authorization data to the response sent by the remote server. The remote server _doesn't_ send any authorization data, it's not supposed to and there is nothing to be done about it, at least not by Jukka.

his question is how to mangle the response adding authorization data... Jukka, I think you should take a look at postproxying available in freeradius 0.8 or in the snapshots (not sure about that).

you can definitely add whatever you want using postproxying. the question is however, if there is a simpler way to achieve the same result.

ciao
artur

Evren Yurtesen wrote:
> What kind of db are you using? can you send
> radiusd -xx
> output of authentication session?
>
> do you mean that the remote server is working good when you connect it
> directly? for example with radclient ?

--
Artur Hecker			Groupe Accès et Mobilité
hecker[at]enst[dot]fr		Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr	ENST Paris
Re: Authentication vs. Authorization question
--- Evren Yurtesen <[EMAIL PROTECTED]> wrote:
> What kind of db are you using? can you send
> radiusd -xx
> output of authentication session?

I'm using MySQL at the moment and it's working ok. Output attached.

> do you mean that the remote server is working good
> when you connect it
> directly? for example with radclient ?

It's working ok, yes. I get the authentication data from the remote server but don't know how to add authorization data from local db to reply?

> On Wed, 27 Nov 2002, Jukka Lehti wrote:
>
> > Hi,
> >
> > I've set up freeradius 0.8 so that users like
> > john@test get authenticated from a remote RADIUS
> > server, i.e., freeradius works as a proxy. This is
> > working well, so no problem here. But: the remote
> > server only returns authentication data (un/pw
> > ok/bad), I have authorization data in my local DB
> > (Session-Timeout etc). How could I add this
> > authorization data to RADIUS reply after successful
> > authentication from the remote server? I've been
> > experimenting with autztype directive, but without
> > success yet. Any other ideas/examples?
> >
> > Thanks in advance.

Attachment: rad.log
Re: Authentication vs. Authorization question
What kind of db are you using? can you send

radiusd -xx

output of authentication session?

do you mean that the remote server is working good when you connect it directly? for example with radclient ?

Evren

On Wed, 27 Nov 2002, Jukka Lehti wrote:

> Hi,
>
> I've set up freeradius 0.8 so that users like
> john@test get authenticated from a remote RADIUS
> server, i.e., freeradius works as a proxy. This is
> working well, so no problem here. But: the remote
> server only returns authentication data (un/pw
> ok/bad), I have authorization data in my local DB
> (Session-Timeout etc). How could I add this
> authorization data to RADIUS reply after successful
> authentication from the remote server? I've been
> experimenting with autztype directive, but without
> success yet. Any other ideas/examples?
>
> Thanks in advance.
Re: authentication of users ADSL
"Samyr Alves" <[EMAIL PROTECTED]> wrote: > how to configure radius for authentication of users ADSL? Read the docs? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication
"Miles Wilton" <[EMAIL PROTECTED]> wrote: > Is there any way to make authentication occur first from PAM an dthen if > this fails, off a username/password in MySQL db? Yes. See 'doc/configurable_failover' Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication rejection
michael j douglas <[EMAIL PROTECTED]> wrote:
> I have free radius running with mysql data base. The router is a Cisco
> 2611 and I can authenticate locally using the cisco router. When I send
> the request to the radius server the tunnel is opened and the radius
> server rejects the user. it states "Unable to authenticate the user"

  Why? Did you bother running the server in debugging mode, and reading the output, as suggested in the FAQ, the README, and about 4 other places?

  Alan DeKok.
Re: radius re-authentication
Miquel van Smoorenburg wrote:
> In article <[EMAIL PROTECTED]>,
> Brett Maxfield <[EMAIL PROTECTED]> wrote:
>
>> An example of this is that you specify a group that says that user may
>> only connect on saturdays and sundays, which is fine unless they connect
>> late sunday and stay connected until the following saturday (i
>> exaggerate just slightly to make my point)
>
> The Login-Time attribute already takes care of this. It calculates
> the remaining time and sends it back to the radius server as
> the session-timeout attribute. If you set Login-Time = "Sa,Su" and
> you connect on sunday at 23:00, session-timeout is set to 3600 (one hour).
> After that:

Excellent :) This is what I was after.. Thanks
Brett
Re: radius re-authentication
In article <[EMAIL PROTECTED]>,
Brett Maxfield <[EMAIL PROTECTED]> wrote:
>An example of this is that you specify a group that says that user may
>only connect on saturdays and sundays, which is fine unless they connect
>late sunday and stay connected until the following saturday (i
>exaggerate just slightly to make my point)

The Login-Time attribute already takes care of this. It calculates the remaining time and sends it back to the radius server as the session-timeout attribute. If you set Login-Time = "Sa,Su" and you connect on sunday at 23:00, session-timeout is set to 3600 (one hour). After that:

You can always set session-timeout to 86400 regardless, so every user gets disconnected after 24 hours, forcing them to reconnect and re-authenticate.

Mike.
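The "Sunday 23:00 with Login-Time = "Sa,Su" gives Session-Timeout 3600" rule above is worth seeing as a computation; the following is an added example written for this page, not FreeRADIUS code. It assumes the Login-Time syntax as used on this list: comma-separated pieces, each a run of two-letter day names (Mo Tu We Th Fr Sa Su, plus Wk for Mo-Fr and Any/Al for every day) with an optional HHMM-HHMM range, no range meaning the whole day; evaluation is per minute and the remaining time is capped at one week, both assumptions of this example.

```python
"""Session-Timeout from a Login-Time check item (added example, not FreeRADIUS source).

parse_login_time() turns 'Wk0800-1700,Sa,Su' into windows; session_timeout()
returns how many seconds a session started now may last, or None when the user is
outside every window, which is the case where the request should be rejected.
"""
from datetime import datetime, timedelta
import re

DAYS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
PIECE_RE = re.compile(r"^([A-Za-z]+)(?:(\d{4})-(\d{4}))?$")
TOKEN_RE = re.compile(r"Any|Al|Wk|Mo|Tu|We|Th|Fr|Sa|Su")
WEEK_SECONDS = 7 * 86400          # cap on the loop below (assumption of this example)


def _minutes(hhmm):
    """'0830' -> 510; rejects out-of-range clock values."""
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 24 or minutes > 59:
        raise ValueError("bad time %r" % hhmm)
    return hours * 60 + minutes


def parse_login_time(spec):
    """Return [(weekday set, start minute, end minute), ...]; end is exclusive."""
    windows = []
    for piece in spec.split(","):
        m = PIECE_RE.match(piece.strip())
        if not m:
            raise ValueError("bad Login-Time piece: %r" % piece)
        names, start, end = m.groups()
        tokens = TOKEN_RE.findall(names)
        if "".join(tokens) != names:
            raise ValueError("bad day names: %r" % names)
        days = set()
        for tok in tokens:
            if tok in ("Any", "Al"):
                days |= set(range(7))
            elif tok == "Wk":
                days |= set(range(5))
            else:
                days.add(DAYS[tok])
        windows.append((days, _minutes(start) if start else 0,
                        _minutes(end) if end else 24 * 60))
    return windows


def allowed(windows, when):
    """True when the minute 'when' falls inside any window."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in windows)


def remaining(windows, now):
    """Seconds until the current allowed run of minutes ends, or None if not allowed now."""
    now = now.replace(second=0, microsecond=0)
    if not allowed(windows, now):
        return None
    seconds, t = 0, now
    while allowed(windows, t) and seconds < WEEK_SECONDS:
        t += timedelta(minutes=1)
        seconds += 60
    return seconds


def session_timeout(spec, now_iso):
    """Value for the Session-Timeout reply item, or None meaning reject."""
    return remaining(parse_login_time(spec), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Constructed sample dates: 15 Sep 2002 is a Sunday, 16 Sep 2002 a Monday.
    print(session_timeout("Sa,Su", "2002-09-15 23:00"))        # 3600
    print(session_timeout("Wk0800-1700", "2002-09-16 16:30"))  # 1800
    print(session_timeout("Sa,Su", "2002-09-16 09:00"))        # None
```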
Re: radius re-authentication
On Tue, Sep 10, 2002 at 03:50:16PM -0700, Frank Cusack wrote:
> The only feasible way to implement this (as far as I can see) is if you
> are talking about PPP users that do CHAP. Create a VSA which is a
> re-authorise timer. It would be 20-40 or so of additional code in pppd
> and no additional code in the radius server. This would not be load
> based.

Let me correct myself: no additional code anywhere. From pppd(8):

    chap-interval n
        If this option is given, pppd will rechallenge the peer every n seconds.

/fc
Re: radius re-authentication
On Wed, Sep 11, 2002 at 07:59:26AM +1000, Brett Maxfield wrote:
> I think that you are right, insofar as having re-authentication as part
> of the radius server itself would be a very bad idea. From a design
> point of view it should be a completely separate server, but for the
> sake of reusability of freeradius rules it would make sense to package
> such a program with freeradius.

Not really, such an application would never work well in practice. The only feasible way to implement this (as far as I can see) is if you are talking about PPP users that do CHAP. Create a VSA which is a re-authorise timer. It would be 20-40 or so lines of additional code in pppd and no additional code in the radius server. This would not be load based.

> If this were a separate daemon, it would be up to the user to decide if
> they needed to run it. The problem i have with leaving kickoffs up to
> the user's application, is that it means you have to duplicate the rules
> you have already written as part of the radius daemon in a third party
> application.

So write one up. I doubt it will be well received. (But if it *is* good, no reason it wouldn't be included with freeradius.) If you want to pursue this at least start by generating a more fleshed out design ... so you can be thoroughly flamed. :-)

/fc
Re: radius re-authentication
Alan DeKok wrote:
> Brett Maxfield <[EMAIL PROTECTED]> wrote:
>
>> My understanding is that authentication basically happens once, at
>> logon. What i would like is for some external agent (not radius) to
>> create a list of online users (via SNMP or Telnet/Finger) and
>> periodically re-query that list of users against the radius server to
>> see if they would be authenticated, based on the current situation.
>
> That's problematic, and I'm not sure it's a good idea.
>
> Do you really want to simplify the work of writing and enforcing
> timeouts in an application, by increasing the load on the RADIUS
> server and the network?

I think that you are right, insofar as having re-authentication as part of the radius server itself would be a very bad idea. From a design point of view it should be a completely separate server, but for the sake of reusability of freeradius rules it would make sense to package such a program with freeradius.

If this were a separate daemon, it would be up to the user to decide if they needed to run it. The problem i have with leaving kickoffs up to the user's application is that it means you have to duplicate the rules you have already written as part of the radius daemon in a third party application.

As far as the network load of checking for users, it would have to be left up to the end user. If all the traffic between the kickoff server and the access servers is across an ethernet it might be acceptable.

Cheers
Brett
Re: radius re-authentication
Brett Maxfield <[EMAIL PROTECTED]> wrote:
> My understanding is that authentication basically happens once, at
> logon. What i would like is for some external agent (not radius) to
> create a list of online users (via SNMP or Telnet/Finger) and
> periodically re-query that list of users against the radius server to
> see if they would be authenticated, based on the current situation.

That's problematic, and I'm not sure it's a good idea.

Do you really want to simplify the work of writing and enforcing timeouts in an application, by increasing the load on the RADIUS server and the network?

> One solution would be to calculate the session time until the next time
> the authentication would fail, say 12pm on sunday at logon. I guess this
> could be done with scripts, but it makes the assumption you counter is
> time for which there is a control.

The Session-Timeout attribute is supposed to be used by any RADIUS client to control session timeouts. If the application ignores this attribute, and implements timeouts via some other method, then it's broken.

> This particular would fall down if you wanted to immediately stop a user
> when they went over something like a bytes-downloaded-per-day counter.

Which isn't a standard RADIUS attribute, precisely because it's so hard to administer.

> Generic re-authorization would also allow you to kick off a user after
> setting them to be disabled, as the next status check would have them
> kicked off because they would fail authorization at that time.

Then the application should take care of re-authorization. It's difficult for the RADIUS server to know when to kick the user off, which is why there's no standard 'radkill'.

Alan DeKok.
Re: radius re-authentication
Frank Cusack wrote:
> On Wed, Sep 11, 2002 at 12:21:55AM +1000, Brett Maxfield wrote:
>
> (ppp can rechallenge the user when doing chap; which I assume is what
> you are going for here--I can't think of another scenario where you
> re-authorise users)

My bad :)

My understanding is that authentication basically happens once, at logon. What i would like is for some external agent (not radius) to create a list of online users (via SNMP or Telnet/Finger) and periodically re-query that list of users against the radius server to see if they would be authenticated, based on the current situation.

An example of this is that you specify a group that says that user may only connect on saturdays and sundays, which is fine unless they connect late sunday and stay connected until the following saturday (i exaggerate just slightly to make my point)

One solution would be to calculate the session time until the next time the authentication would fail, say 12pm on sunday at logon. I guess this could be done with scripts, but it makes the assumption you counter is time for which there is a control.

This particular would fall down if you wanted to immediately stop a user when they went over something like a bytes-downloaded-per-day counter.

Generic re-authorization would also allow you to kick off a user after setting them to be disabled, as the next status check would have them kicked off because they would fail authorization at that time.

Cheers
Brett
Re: radius re-authentication
On Wed, Sep 11, 2002 at 12:21:55AM +1000, Brett Maxfield wrote:
> Hello,
>
> I am looking for a copy of radkill or something similar. I have read the
> FAQ and the site listed does not work (the name resolves, but there is
> no route to host)
>
> What i would like is to have a daemon periodically query the freeradius
> server and re-authorise online users, and if authorisation fails, kick
> off each user that fails re-authentication.
>
> Does anybody know of another ftp location (or an alternative program) ?

I don't, but I'm replying anyway because this is most interesting. I was just discussing with someone about how the Class attribute might be incorrect in ppp when doing multiple authentications, but dropped that as an academic point. Your timing is amazing.

(ppp can rechallenge the user when doing chap; which I assume is what you are going for here--I can't think of another scenario where you re-authorise users)

Note that this is a well known broken part of ppp, for active attackers. An active attacker can login as a user who is currently online by using them as an oracle. For dialup, it's probably a non-issue. You may also come across broken ppp's that don't respond to subsequent chap challenges.

The attack does not work if using MPPE since the key will still be unknown. An active attacker can usually get around that via other means though.

/fc
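The oracle attack Frank describes, as an added example that is not part of the original post and not code from pppd or FreeRADIUS. CHAP with MD5 (RFC 1994) answers a challenge with MD5(Identifier || Secret || Challenge), so anyone who can get the online user to answer a challenge of the attacker's choosing can log in as that user without the secret. The NAS, peer and attacker below are constructed toy objects; the secret and user name are made-up test data. The attacker obtains a challenge from the NAS for the victim's account, presents it to the victim as though it were a routine rechallenge, and relays the victim's answer back.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Peer:
    """A PPP peer that knows its secret and answers any CHAP challenge it receives,
    including rechallenges issued mid-session (the pppd chap-interval behaviour)."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
        self.challenges_answered = 0

    def answer(self, ident, challenge):
        self.challenges_answered += 1
        return chap_response(ident, self.secret, challenge)


class Nas:
    """The access server: a fresh random Identifier and challenge per attempt,
    then a constant-time comparison of the expected and received responses."""

    def __init__(self, users):
        self.users = users          # name -> secret (constructed test data)
        self.pending = {}           # attempt id -> (Identifier, challenge)

    def challenge(self, attempt):
        ident = os.urandom(1)[0]
        chal = os.urandom(16)
        self.pending[attempt] = (ident, chal)
        return ident, chal

    def verify(self, attempt, name, response):
        ident, chal = self.pending.pop(attempt)
        if name not in self.users:
            return False
        expected = chap_response(ident, self.users[name], chal)
        return hmac.compare_digest(expected, response)


def login(nas, name, responder, attempt):
    """One CHAP exchange: the NAS challenges, responder(ident, challenge) answers, the NAS verifies."""
    ident, chal = nas.challenge(attempt)
    return nas.verify(attempt, name, responder(ident, chal))


class RelayAttacker:
    """Knows no secret. It asks the NAS for a challenge for the victim's account, hands
    that very challenge to the online victim as if it were a rechallenge from the
    victim's own NAS, and returns the victim's answer to the NAS."""

    def __init__(self, victim):
        self.victim = victim
        self.relayed = 0

    def responder(self, ident, challenge):
        self.relayed += 1
        return self.victim.answer(ident, challenge)     # the victim acts as an oracle

    def login_as_victim(self, nas):
        return login(nas, self.victim.name, self.responder, attempt="attacker")


if __name__ == "__main__":
    nas = Nas({"alice": b"correct horse"})
    alice = Peer("alice", b"correct horse")
    print("alice logs in:", login(nas, "alice", alice.answer, "alice"))
    mallory = RelayAttacker(alice)
    print("mallory logs in as alice via relay:", mallory.login_as_victim(nas))
```

Nothing in the verification step is wrong; the weakness is that the peer answers challenges from whoever sends them, and the NAS cannot tell a relayed response from a genuine one. This is also why Frank's MPPE remark holds: the relay yields an Access-Accept but not a key derived from the secret.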
radius re-authentication
Hello,

I am looking for a copy of radkill or something similar. I have read the FAQ and the site listed does not work (the name resolves, but there is no route to host)

What i would like is to have a daemon periodically query the freeradius server and re-authorise online users, and if authorisation fails, kick off each user that fails re-authentication.

Does anybody know of another ftp location (or an alternative program) ?

Cheers
Brett
Re: Authentication using login plus domain
"ntuser" <[EMAIL PROTECTED]> wrote:
> Is it possible to configure freeradius to authenticate both login and
> login@domain and generate just one type of record in the accounting ?

Authentication is completely different than accounting, so the answer is probably "no".

> For example, when a user logon using username "jeff"
> or "[EMAIL PROTECTED]" the freeradius will generate a record with
> just "jeff" in accounting file, for to turn easier the reports
> extractions. In this way, I will just search for entries with
> the "jeff" authentication.

That's what the Stripped-User-Name attribute is for.

See 'nostrip' in raddb/proxy.conf
Look for 'Stripped-User-Name' in raddb/sql.conf

Alan DeKok.
Re: Authentication problem with PIX-515
It was a misspelled key ('1' and 'l' look the same in some fonts)... It works OK now, I want to thank all the people who made freeradius...

Mario.

- Original Message -
From: "Mario Vodopivec" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 05, 2002 4:14 PM
Subject: Authentication problem with PIX-515

> I am using FreeRadius 0.5 and Cisco PIX-515 Firewall. Authentication is
> denied and it looks exactly like the secret key is misspelled on PIX,
> however I already checked that and it is not. 'radtest' utility works
> just fine. Does anyone know if there is something specific with PIX that
> would cause this problem?
>
> Here is a portion of clients.conf file and the debug output:
>
> client 10.10.1.1 {
>         secret = jg8d63196hfg
>         shortname = pix
> }
>
> rad_recv: Access-Request packet from host 10.10.1.1:1645, id=74, length=57
>         User-Name = "mario"
>         NAS-IP-Address = 10.10.1.1
>         User-Password = "\303\035s.\343\000\255l\323\236Z\217DG*\033"
>         NAS-Port = 5
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_eap: EAP-Message not found
> modcall[authorize]: module "eap" returns noop
> modcall[authorize]: module "suffix" returns ok
> radius_xlat: 'mario'
> sql_escape in: 'mario'
> sql_escape out: 'mario'
> sql_set_user: escaped user --> 'mario'
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mario' ORDER BY id'
> rlm_sql: Reserving sql socket id: 4
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'mario' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mario' ORDER BY id'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'mario' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> radius_xlat: 'SELECT Value,Attribute FROM radcheck WHERE UserName = 'mario' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password' ) ORDER BY Attribute DESC'
> rlm_postgresql Status: PGRES_TUPLES_OK
> sql_postgresql: affected rows =
> rlm_sql: Released sql socket id: 4
> modcall[authorize]: module "sql" returns ok
> modcall: group authorize returns ok
> auth: type Local
> auth: Failed to validate the user.
> Login incorrect: [mario/s\222,\252\031\362\217\314gw\371\352\345\350\260*] (from nas pix port 5)
> WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 74 to 10.10.1.1:1645
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 74 with timestamp 3d25f8e9
> Nothing to do. Sleeping until we see a request.
Re: authentication / authorization
Florin Andrei <[EMAIL PROTECTED]> wrote:
> First, i have to say i'm impressed with its large number of
> authentication mechanisms.

That's one of the design goals, which makes the server somewhat useful.

> Which gave me an idea... Is it possible to use FreeRadius with MySQL
> to do only authorization (i see the authorization requests sent via
> SQL are fully customisable, which is excellent), but do the actual
> authentication via Radius proxy?

Sure. List SQL in 'authorize', but not in 'authenticate'

But you don't even need to do that. If 'authorize' says to proxy the request, then the internal authentication isn't called, as the proxy has done that for you.

Alan DeKok.
RE: Authentication problem!!
Thanx a lot !! What I really wanna know is: while acting as a proxy, do we need to generate any authentication key (or request authenticator) in the case of an authentication server, as in the case of accounting?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 21 December 2001 15:31
To: [EMAIL PROTECTED]
Subject: Re: Authentication problem!!

In reply to Vijay Rana <[EMAIL PROTECTED]>:

a little hint for you: I use ic radius for authentication and accounting. For testing it, I use another computer as a radius client; this machine runs Windows, and on it I set up a program called Ntradping. Ntradping is a program for testing a Radius server. Please test your radius server with this.

> Hi all,
>
> I have been working on radius authentication stuff for some time. I have
> some problems which I'd like to clarify and hope you might help me out
> on this.
>
> Can any one tell me -- I am acting as a proxy and am adding a proxy state
> attribute to the access request message and then am generating the
> authenticator using the server shared secret key. Every time I am getting the
> access reject message from the server.
> Whereas in the case of accounting the same is working fine. Is there any
> difference between accounting authentication and the access request one?
>
> Secondly I'm receiving messages from the client. I want to decrypt the password
> and then encrypt the password with the server shared key. What are the different
> possible algorithms for doing this?
>
> Thanx,
> Vijay
Re: Authentication problem!!
"Vijay Rana" <[EMAIL PROTECTED]> wrote:
> Can any one tell me -- I am acting as a proxy and am adding a proxy state
> attribute to the access request message and then am generating the
> authenticator using the server shared secret key. Every time I am getting the
> access reject message from the server.
> Whereas in the case of accounting the same is working fine. Is there any
> difference between accounting authentication and the access request one?

Yes.

Are you doing this work all yourself? It sounds like you're writing your own code to do this. Why? The server does it already.

> Secondly I'm receiving messages from the client. I want to decrypt the password
> and then encrypt the password with the server shared key. What are the different
> possible algorithms for doing this?

Many.

But you don't do that. The server takes care of it for you, IF it's necessary.

Alan DeKok.
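Alan's "Yes" and "Many" are correct but terse, so here is an added example (written for this page, not code from FreeRADIUS or any other proxy) of the two rules from RFC 2865 and RFC 2866 that the question runs into. An Accounting-Request's authenticator is MD5 over the packet with the shared secret appended; an Access-Request's authenticator is sixteen random octets and the secret only enters through the hidden User-Password, c1 = p1 XOR MD5(Secret + RequestAuthenticator), c_i = p_i XOR MD5(Secret + c_{i-1}). A proxy that forwards an Access-Request therefore has to unhide User-Password with the NAS-side secret and re-hide it with the home server's secret under the new request's authenticator. The secrets, user name and password below are constructed test data.

```python
import hashlib
import os
import struct

HEADER_LEN = 20                      # Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS attributes: Type(1) Length(1) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Parse RADIUS attribute bytes back into [(type, value), ...], rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + n]))
        i += n
    return out


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(S + RA) and c_i = p_i XOR MD5(S + c_{i-1})."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return plain.rstrip(b"\x00")


def accounting_authenticator(ident, attrs_bytes, secret):
    """RFC 2866 section 3: the Accounting-Request authenticator IS computed with the secret:
    MD5(Code + Identifier + Length + sixteen zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(head + b"\x00" * 16 + attrs_bytes + secret).digest()


def response_authenticator(code, ident, attrs_bytes, request_authenticator, secret):
    """RFC 2865 section 3: Access-Accept/Reject/Challenge carry
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(head + request_authenticator + attrs_bytes + secret).digest()


def build_access_request(ident, username, password, secret):
    """An Access-Request's authenticator is 16 random octets, not a hash with the secret;
    the secret only enters through the hidden User-Password. Returns (RA, attribute bytes)."""
    ra = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, ra))])
    return ra, attrs


def proxy_rehide(hidden, client_secret, client_ra, server_secret, server_ra):
    """What a proxy must do to User-Password before forwarding: unhide with the NAS-side
    secret and the NAS's RA, re-hide with the home server's secret and the forwarded
    request's own (fresh) RA."""
    plain = reveal_password(hidden, client_secret, client_ra)
    return hide_password(plain, server_secret, server_ra)


if __name__ == "__main__":
    nas_secret, home_secret = b"nas-side-secret", b"home-server-secret"   # constructed
    ra, attrs = build_access_request(74, b"mario", b"hunter2", nas_secret)
    hidden = dict(decode_attrs(attrs))[USER_PASSWORD]
    new_ra = os.urandom(16)
    forwarded = proxy_rehide(hidden, nas_secret, ra, home_secret, new_ra)
    print(reveal_password(forwarded, home_secret, new_ra))   # b'hunter2'
```

Two consequences worth keeping in mind: a proxy that forwards the hidden User-Password unchanged will be rejected by the home server whenever the two secrets differ, and a proxy that does the re-hiding necessarily sees the cleartext password, which is one reason to prefer EAP or CHAP for proxied authentication where the NAS supports them.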
Re: Authentication problem!!
In reply to Vijay Rana <[EMAIL PROTECTED]>:

a little hint for you: I use ic radius for authentication and accounting. For testing it, I use another computer as a radius client; this machine runs Windows, and on it I set up a program called Ntradping. Ntradping is a program for testing a Radius server. Please test your radius server with this.

> Hi all,
>
> I have been working on radius authentication stuff for some time. I have
> some problems which I'd like to clarify and hope you might help me out
> on this.
>
> Can any one tell me -- I am acting as a proxy and am adding a proxy state
> attribute to the access request message and then am generating the
> authenticator using the server shared secret key. Every time I am getting the
> access reject message from the server.
> Whereas in the case of accounting the same is working fine. Is there any
> difference between accounting authentication and the access request one?
>
> Secondly I'm receiving messages from the client. I want to decrypt the password
> and then encrypt the password with the server shared key. What are the different
> possible algorithms for doing this?
>
> Thanx,
> Vijay
Re: Authentication by MAC address
Is there a way to use a DHCP server and radius to authenticate? If they have a valid MAC address then assign them an IP out of Pool A, if they do not have a valid MAC, assign them an IP out of Pool B.

Brandt

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 22, 2001 7:04 AM
Subject: Re: Authentication by MAC address

> "Kevin" <[EMAIL PROTECTED]> wrote:
> > Does anyone know if this radius server can be configured to authenticate by
> > MAC address instead of username and password?
>
> The RADIUS server can make authentication decisions on anything in
> the packet.
>
> So... if your NAS sends the MAC address in a RADIUS attribute, the
> answer is 'yes'. If not, the answer is 'no'.
>
> Alan DeKok.
Re: Authentication by MAC address
"Kevin" <[EMAIL PROTECTED]> wrote:
> Does anyone know if this radius server can be configured to authenticate by
> MAC address instead of username and password?

The RADIUS server can make authentication decisions on anything in the packet.

So... if your NAS sends the MAC address in a RADIUS attribute, the answer is 'yes'. If not, the answer is 'no'.

Alan DeKok.
Re: Authentication
Good day Dan Houtz,

On Sunday, 30 September 2001 at 08:14 you wrote:

DH> I'm currently testing FreeRadius for a new ISP that I'm currently setting up. This is my first time running one with linux. I've always used NT so this is all new for me. Anyway, I'm
DH> authenticating against the linux system accounts. The problem I ran into is that I don't want these customers to be able to telnet into the system. To stop this I set their shell to /bin/false.
DH> This stops them from telneting in but it also causes FreeRadius to respond with a reject. Am I going about this in the wrong way? Your assistance is appreciated.
DH> Thanks,
DH> Dan Houtz

hi,

we use /bin/passwd ... so telnetting to the radius machine results in a 'change your password' prompt... ppl can change their passwords easily, but not log in ... it worked fine with cistron and with freeradius 0.2 :)

bye
--
Kind regards
Bauchi  mailto:[EMAIL PROTECTED]
Re: Authentication
Dan,

Hi, did you try to add "/bin/false" to /etc/shells? I also use /bin/false to avoid telnet (actually I no longer use telnet ... :-), and use radius validation against the system, and everything works fine. At least using Cistron; I suppose it should be ok with freeradius also.

Jorge.

- Original Message -
From: Dan Houtz
To: [EMAIL PROTECTED]
Sent: Sunday, September 30, 2001 3:14 AM
Subject: Authentication

I'm currently testing FreeRadius for a new ISP that I'm currently setting up. This is my first time running one with linux. I've always used NT so this is all new for me. Anyway, I'm authenticating against the linux system accounts. The problem I ran into is that I don't want these customers to be able to telnet into the system. To stop this I set their shell to /bin/false. This stops them from telneting in but it also causes FreeRadius to respond with a reject. Am I going about this in the wrong way? Your assistance is appreciated.

Thanks,
Dan Houtz
Re: Authentication
At 09:49 PM 8/21/2001 -0500, you wrote:
> Can free radius authenticate on a MAC address?
> if so
> will all of the auditing information be available?

It depends on what NAS you are using, and what you mean by 'authenticate on a MAC address'. I'm going to hazard a guess you are doing some type of wireless/dsl/broadband type service. I know of a few people who are using a radius backend to authenticate users on that type of network, so I would say that in the general case it is possible. Not knowing your specific case, it's hard to state with any certainty whether it will work. Give it a try, you've got nothing to lose at this point. :)

-Chris
--
Chris Parker - Manager, Development Engineering
WX *is* Wireless!  [EMAIL PROTECTED]
http://www.starnetwx.net  (847) 963-0116
Without C we would have 'obol', 'basi', and 'pasal'
Re: Authentication
In article <[EMAIL PROTECTED]>, Lawrence E. Powell SR. <[EMAIL PROTECTED]> wrote:
> Can free radius authenticate on a MAC address?

That completely depends on what the NAS sends to the radius server. If the NAS sends the MAC address, you can probably authenticate on it.

> if so
> will all of the auditing information be available?

Again, depends on the NAS. The radius server will log all accounting packets that the NAS sends it, nothing more, nothing less.

Mike.
--
"Answering above the the original message is called top posting. Sometimes also called the Jeopardy style. Usenet is Q & A not A & Q." -- Bob Gootee
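Both the "Authentication by MAC address" and "Authentication" threads above end at the same point: the server can only decide on a MAC if the NAS puts one in the packet, normally in Calling-Station-Id. Here is an added example of that decision, written for this page and not FreeRADIUS's own code, over constructed Access-Request attribute sets. The practical detail it handles is that different NAS vendors spell the address differently (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, 001122334455), so the value is normalized before the lookup; a request with no Calling-Station-Id at all is rejected with a reason, since there is nothing to decide on. The allow-list is made-up test data. Remember that a MAC address is trivially spoofed by whoever controls the client, so this identifies a station rather than proving who is using it.

```python
import re

SEPARATORS = re.compile(r"[-:.\s]")


def normalize_mac(value):
    """Collapse the spellings NASes use in Calling-Station-Id into 12 lowercase hex digits.
    Returns None when the attribute does not look like a MAC address at all."""
    if not isinstance(value, str):
        return None
    digits = SEPARATORS.sub("", value.strip())
    if re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return digits.lower()
    return None


def authorize_by_mac(request, allowed_macs):
    """Decide an Access-Request given its attributes as a dict of name -> value.
    Returns (decision, reason). No Calling-Station-Id means there is nothing to decide on,
    which is the point both replies above make."""
    raw = request.get("Calling-Station-Id")
    if raw is None:
        return "reject", "NAS sent no Calling-Station-Id; cannot authenticate by MAC"
    mac = normalize_mac(raw)
    if mac is None:
        return "reject", "Calling-Station-Id %r is not a MAC address" % raw
    if mac in allowed_macs:
        return "accept", "known station " + mac
    return "reject", "unknown station " + mac


# constructed allow-list, stored already normalized so lookups are format-independent
ALLOWED = {normalize_mac(m) for m in ["00-11-22-33-44-55", "0011.2233.AABB"]}

if __name__ == "__main__":
    # constructed requests in the shapes different NAS vendors produce
    for req in [{"User-Name": "kevin", "Calling-Station-Id": "00:11:22:33:44:55"},
                {"User-Name": "kevin", "Calling-Station-Id": "0011.2233.aabb"},
                {"User-Name": "kevin", "Calling-Station-Id": "de-ad-be-ef-00-01"},
                {"User-Name": "kevin"}]:
        print(authorize_by_mac(req, ALLOWED))
```

Storing the allow-list normalized, and normalizing again on every lookup, is what keeps a second NAS brand from silently failing every MAC check when it is added later.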