Re: Freeradius-Users digest, Vol 1 #3878 - 8 msgs

2004-10-21 Thread Jankowski, Jan


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 21 October 2004 17:24
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #3878 - 8 msgs


Send Freeradius-Users mailing list submissions to
[EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents 
of Freeradius-Users digest..."


Today's Topics:

   1. Re: UDPFROMTO and Proxy Problem (Raimund Sacherer)
   2. FreeRADIUS and DTC Radius interoperability (Benoit ROVERA)
   3. Re: gnugk+freeradius+mysql works well,but how to configure for prepaid?? (Alan DeKok)
   4. Re: problem authenticating to passwd/shadow files (Alan DeKok)
   5. RE: Reauthenticate User (Nurul Faizal Bin M.Shukeri)
   6. Re: WPA - Freeradius external script problem (Alan DeKok)
   7. Re: Missing db_mssql.sql in 1.0.1 distribution (Alan DeKok)
   8. Re: Password Encryption (Alan DeKok)

--__--__--

Message: 1
Organization: eWave
Date: Thu, 21 Oct 2004 17:03:28 +0200
Subject: Re: UDPFROMTO and Proxy Problem
From: "Raimund Sacherer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]



Hi Nicolas, Thomas!

Here is a more detailed description of our scenario:


 +--+
  +---+  | NAS/Roaming  | (NAS/Roaming Partner may not be
  | 1 |  | RadiusServer | part of our Network and can have their
  +---+  +--+ own Public/Private IP Networks)
|
|
|
 +--+
 | Our  |
+>---| FireWall/|
|| IPSEC|
|| Tunnel   |
|| Endpoint |
|+--+
|   |
|+---+  |
|| 2 | +++
|+---+ | |
|Clients which   Clients with
|comes from  "direct"
|IPSec Tunnels   Internet Access
|  | |
|  | |
|   eth0:1 eth0
| 10.0.0.10  62.62.62.62
|  | |
|+--+
|| Our  |-eth1-<->-[internal AdminLan]
|| RadiusServer |
|+--+
|  | |
|   +---+eth0:1 eth0
|   | 3 |  10.0.0.10  62.62.62.62
|   +---+  | |
+---<--+---<-+


1. Packet comes from NAS or from a Roaming Partner, either from internet or via IPSEC 
Tunnel, which terminates on "Our Firewall".

2. The Firewall routes the Packet to our Radius Server.

3. The radius server auth/acct local realms and proxies all other realms to the 
appropriate foreign radius proxy/server back via "Our Firewall". If the packet has to 
go to a partner which needs an IPSEC Tunnel it is proxied over eth0:1, otherwise over 
eth0.

That's the point of our problem.

In our case the default gateway points to the public ip_address of the internal 
interface of "Our Firewall". For a Proxy Packet the
Packet->src_ipaddr is empty. As the sendmsg function has no src_ipaddr
it uses the default gateway as src_ipaddr for this packet. Therefore the IPSEC tunnel 
on "Our Firewall" discards the proxy packet because they expect the packet from 
10.0.0.10 (LeftSide/RightSide IPSEC). Even if the IPSEC tunnel would allow our 
packets, the foreign radius server would silently discard the packet as it uses the 
wrong src_ipaddr.

In your scenario you are direct connected to the networks where your proxyserver 
resides so you don't need to use a default gateway to reach your servers.

My previously posted patch adds configuration items for the proxy.conf config file 
where you can define the ip_addr which should be used for each Realm.

I would be glad if someone can confirm this as problem and my patch as the right 
solution ;-)

For our second problem, which I stated previously in this thread (that the above scenario is 
NOT working if eth0:1 is a physical interface), we will rebuild our test scenario to 
post better debugging information.

best regards

Raimund Sacherer


On Wed, 2004-10-20 at 16:34 +0200, Thomas MARCHESSEAU wrote:
> Hi Raimund,
> 
> Nicolas and I did some test on proxy forwarding , we use this model : 
> 
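The source-address problem Raimund describes, as an added example that is not code from the thread and not FreeRADIUS's own: a parser for realm blocks in FreeRADIUS 1.x proxy.conf syntax extended with a hypothetical src_ipaddr key (standing in for whatever the patch names its new per-realm item), a lookup that returns the proxy target and the pinned source for a realm, and a helper showing that without bind() the kernel's route lookup chooses the source address, while bind() fixes it. Realm names, addresses and the shared secret are constructed; only the loopback demonstration in main can run outside the thread's network.

```python
import ipaddress
import re
import socket

# Constructed proxy.conf excerpt in FreeRADIUS 1.x realm syntax. The
# src_ipaddr key is an assumption: it stands in for the per-realm source
# address the patch discussed in the thread adds; stock 1.0 has no such key.
SAMPLE_PROXY_CONF = """
realm partner.example {
    type       = radius
    authhost   = 192.0.2.10:1812       # reached through the IPSec tunnel
    accthost   = 192.0.2.10:1813
    secret     = testing123
    src_ipaddr = 10.0.0.10             # must leave via eth0:1
}

realm roaming.example {
    type       = radius
    authhost   = 198.51.100.20:1812    # plain Internet, default route is fine
    accthost   = 198.51.100.20:1813
    secret     = testing123
}

realm LOCAL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
"""

_REALM_RE = re.compile(r"realm\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_proxy_conf(text):
    """Return {realm_name: {key: value}} for every realm block in the text."""
    realms = {}
    for match in _REALM_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        items = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()    # drop trailing comments
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            items[key] = value
        realms[name] = items
    return realms


def proxy_target(realms, realm_name, default_port=1812):
    """(host, port, src_ipaddr or None) for the realm's authhost, or None when
    the realm is unknown or handled locally."""
    realm = realms.get(realm_name)
    if realm is None or realm.get("authhost", "LOCAL") == "LOCAL":
        return None
    host, _, port = realm["authhost"].partition(":")
    src = realm.get("src_ipaddr")
    if src is not None:
        ipaddress.ip_address(src)   # fail loudly on a typo in the config
    return host, int(port or default_port), src


def source_address_for(dest, src_ipaddr=None):
    """Which source address will the kernel stamp on a datagram to dest?
    Without bind() it is whatever the route lookup yields (the interface
    towards the default gateway in the thread's case); with bind() it is
    fixed. connect() on a UDP socket only does the route lookup; nothing
    is sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if src_ipaddr is not None:
            sock.bind((src_ipaddr, 0))
        sock.connect(dest)
        return sock.getsockname()[0]
    finally:
        sock.close()


if __name__ == "__main__":
    realms = parse_proxy_conf(SAMPLE_PROXY_CONF)
    for name in ("partner.example", "roaming.example", "LOCAL"):
        print(name, "->", proxy_target(realms, name))
    # Loopback demonstration of the mechanism; the addresses above are not
    # routable here, so 127.0.0.1 stands in for 10.0.0.10.
    print("kernel choice:", source_address_for(("127.0.0.1", 1812)))
    print("pinned       :", source_address_for(("127.0.0.1", 1812), "127.0.0.1"))
```

Binding the proxy socket to 10.0.0.10 before sending is what keeps the datagram on eth0:1, so the IPSec policy on the firewall and the foreign server both see the address they expect; a proxy that leaves src_ipaddr empty hands that decision to the routing table.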

Re: documentation for freeradius

2004-10-21 Thread Thor Spruyt
.org of course :)

John Simms wrote:
> Hi, can anyone tell me where I can get good
> documentation for freeradius.  I've just installed it
> on my linux box and need to configure it and begin
> using it for work.
> 
> Thanks!

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: documentation for freeradius

2004-10-21 Thread Thor Spruyt
http://www.freeradius.com

John Simms wrote:
> Hi, can anyone tell me where I can get good
> documentation for freeradius.  I've just installed it
> on my linux box and need to configure it and begin
> using it for work.
> 
> Thanks!

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65


Freeradius using special characters in username and/or password

2004-10-21 Thread Stelios Stylianou
Hi everyone,
I use freeradius 0.9.3.
Does anyone know what special characters this version support for using in 
username or passwords (e.g."\","-","_","^","space", etc) either in the 
users file or mysql database?
Can you give me a documentation site where I can find as much of this 
information as possible?

Thanks,
Stelios Stylianou.


documentation for freeradius

2004-10-21 Thread John Simms
Hi, can anyone tell me where I can get good
documentation for freeradius.  I've just installed it
on my linux box and need to configure it and begin
using it for work.

Thanks!





Daniel Carrol

2004-10-21 Thread Meadows, Loris C
Please refer to the message posted below by Dan Carrol. I am trying to eMail Dan 
directly (as he suggests) but cannot find his email address - Does any body have any 
ideas?

Thanks,

Loris Meadows
Manager, ICT Security & Risk
Department of Education & Training

2 Treasury Place
East Melbourne VIC 3002
AUSTRALIA
---

EAP-TLS: machine authentication 
Daniel Carroll [EMAIL PROTECTED] 
Wed, 21 Jul 2004 22:06:18 -0600 

For what it's worth, I encountered a similar problem with EAP/TLS
and machine authentication.  It turned out that the reason I was
having problems was that I had generated my certs in OpenSSL, and
OpenSSL was missing one important step that isn't documented on
Microsoft's web site about EAP/TLS and machine authentication.

I modified OpenSSL (0.9.7d) to add one extra OID to the
PKCS#7 keybag attributes holding the client's private key and
that solved my problems.  Just having this particular OID present
was enough to get it working -- it didn't matter what value the
OID was set to.  The OID was: 1.3.6.1.4.1.311.17.2  In my search
on the web for this OID, I found a grand total of ONE useful reference
to this OID on the web.  From what I can tell, the presence of this
OID tells Windows XP that the cert is intended for use by the
computer itself, and not by an end-user.

The other solution is to use Microsoft's web certificate server
to generate these certs.


If you want the patch for OpenSSL, let me know and I'd be happy
to mail it to you.  Please send me the e-mail directly -- mail
sent to the list goes into a folder that I only check infrequently.





Re: Using MS AD for LDAP Group authorisation

2004-10-21 Thread Glen Eustace
G.

Quickest way to look silly. Post a question with a simple answer to a
support list :-(

I had commented out 'files' from the authorisation section, must have
thought that the 'ldap' covered things.

I am now getting queries and can work on the attributes and search etc.
-- 
 .*.  | Glen Eustace, Infrastructure Development Engineer
 /V\  | Information Technology Services PN460, Turitea,
(/ \) | Massey University, Palmerston North, New Zealand.
(   ) | Ph: +64 6 356 9099 x 81005, Fax: +64 6 350 5607,
^^_^^ | Mob: +64 27 4 500 321
--+- 



Re: Using MS AD for LDAP Group authorisation

2004-10-21 Thread Glen Eustace
On Fri, 2004-10-22 at 11:10, Kostas Kalevras wrote:

> Use the Ldap-Group attribute:
> 
> --users file--
> 
> DEFAULT   Ldap-Group == "mygroup"
>   Reply-Message = "user in group mygroup"

Tried all sorts of combinations of that and no query is evident from
radiusd -X.

I am using 0.9.3 on FC1 by the way.

The current entry is
DEFAULT Ldap-group == "ITS ISS Group", Auth-Type := LDAP
        Fall-through = no

-- 
 .*.  | Glen Eustace, Infrastructure Development Engineer
 /V\  | Information Technology Services PN460, Turitea,
(/ \) | Massey University, Palmerston North, New Zealand.
(   ) | Ph: +64 6 356 9099 x 81005, Fax: +64 6 350 5607,
^^_^^ | Mob: +64 27 4 500 321
--+- 



Re: Using MS AD for LDAP Group authorisation

2004-10-21 Thread Kostas Kalevras
On Fri, 22 Oct 2004, Glen Eustace wrote:
> I am trying to use our MS AD database with LDAP. Authentication
> works fine but I can not get authorisation based on group membership to
> work.
> The issue seems to be that radiusd never queries any group info from the
> directory at all. I have read the various how-to's etc, but they are all
> based on using an openLDAP directory. I saw one similar posting from
> someone else with the same problem and he was referred to Dustin's
> how-to, I have read that and I am obviously still missing something.
> I believe I will be able to get the searches worked out as soon as I can
> get the server to actually do a query.

Use the Ldap-Group attribute:

--users file--

DEFAULT   Ldap-Group == "mygroup"
  Reply-Message = "user in group mygroup"

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: MS-CHAP2-Response is incorrect

2004-10-21 Thread kevin J
Have we found the solution?
If so, can I get it?

Kevin.

Alan DeKok wrote:
> kevin J <[EMAIL PROTECTED]> wrote:
> > I tried to use MSCHAP v2 in freeradius 1.0.0 but got
> > rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> > I guess this can happen only when "response" is not matched with
> > "calculated".
> > But MSCHAP v2 worked with freeradius 0.9.3 version and the same NAS.
> 
>   If you're running Solaris, this is a bug in 1.0.x.  We hope to have
> it fixed in 1.0.2.
> 
>   Alan DeKok.


Using MS AD for LDAP Group authorisation

2004-10-21 Thread Glen Eustace
I am trying to use our MS AD database with LDAP. Authentication
works fine but I can not get authorisation based on group membership to
work.

The issue seems to be that radiusd never queries any group info from the
directory at all. I have read the various how-to's etc, but they are all
based on using an openLDAP directory. I saw one similar posting from
someone else with the same problem and he was referred to Dustin's
how-to, I have read that and I am obviously still missing something.

I believe I will be able to get the searches worked out as soon as I can
get the server to actually do a query.
-- 
 .*.  | Glen Eustace, Infrastructure Development Engineer
 /V\  | Information Technology Services PN460, Turitea,
(/ \) | Massey University, Palmerston North, New Zealand.
(   ) | Ph: +64 6 356 9099 x 81005, Fax: +64 6 350 5607,
^^_^^ | Mob: +64 27 4 500 321
--+- 



Re: Missing db_mssql.sql in 1.0.1 distribution

2004-10-21 Thread [EMAIL PROTECTED]
http://lists.cistron.nl/pipermail/freeradius-users/
Regards
Doc
- Original Message - 
From: "Rogier Mulder" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 10:40 PM
Subject: RE: Missing db_mssql.sql in 1.0.1 distribution

Alan,
thanks for your reply. I only started today with this list so I do not have 
access to yesterday's contributions. Could you forward these to me or point 
me to an archive?

rgrds rgr
-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 21-10-2004 18:32
To: [EMAIL PROTECTED]
Subject: Re: Missing db_mssql.sql in 1.0.1 distribution
"Rogier Mulder" <[EMAIL PROTECTED]> wrote:
While digging deeper into the src tree, I'm getting the feeling that
there is more I'm missing. In
src/modules/rlm_sql/drivers/rlm_sql_freetds there is only
Makefile. It references sql_freetds.c which is not on the system.
 The freetds support was deleted.
What do I need to do, to make a plain-vanilla 1.0.1 distribution to work
with MS SQL Server 7/2000?
 This was answered on the list yesterday, I believe.  See rlm_sql_iodbc.
 Alan DeKok.


RE: Missing db_mssql.sql in 1.0.1 distribution

2004-10-21 Thread Rogier Mulder
Alan,

thanks for your reply. I only started today with this list so I do not have access to 
yesterday's contributions. Could you forward these to me or point me to an archive?

rgrds rgr


-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Thu 21-10-2004 18:32
To: [EMAIL PROTECTED]
Subject: Re: Missing db_mssql.sql in 1.0.1 distribution 
 
"Rogier Mulder" <[EMAIL PROTECTED]> wrote:
> While digging deeper into the src tree, I'm getting the feeling that
> there is more I'm missing. In
> src/modules/rlm_sql/drivers/rlm_sql_freetds there is only
> Makefile. It references sql_freetds.c which is not on the system.

  The freetds support was deleted.

> What do I need to do, to make a plain-vanilla 1.0.1 distribution to work
> with MS SQL Server 7/2000?

  This was answered on the list yesterday, I believe.  See rlm_sql_iodbc.

  Alan DeKok.


Re: MS-CHAP2-Response is incorrect

2004-10-21 Thread Alan DeKok
kevin J <[EMAIL PROTECTED]> wrote:
> I tried to use MSCHAP v2 in freeradius 1.0.0 but got
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> I guess this can happen only when "response" is not matched with
> "calculated".
> But MSCHAP v2 worked with freeradius 0.9.3 version and the same NAS.

  If you're running Solaris, this is a bug in 1.0.x.  We hope to have
it fixed in 1.0.2.

  Alan DeKok.



MS-CHAP2-Response is incorrect

2004-10-21 Thread kevin J
Hi all,

I tried to use MSCHAP v2 in freeradius 1.0.0 but got
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
I guess this can happen only when "response" is not matched with
"calculated".
But MSCHAP v2 worked with freeradius 0.9.3 version and the same NAS.
Take a look at the log below and let me know your thought.

Thanks
Kevin

rad_recv: Access-Request packet from host 1.2.3.4:1645, id=1, length=189
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 0xc1cf72bd0daa9cd9bc695811264ae8c6
MS-CHAP2-Response =
0x010080914194e9ca506a41b2dfd66c76af4df9ac2d5de4e08ae2f85dca84f2f47b5877eea11177308811
NAS-Port-Type = Virtual
Cisco-NAS-Port = "Uniq-Sess-ID735"
NAS-Port = 735
Service-Type = Framed-User
NAS-IP-Address = 1.2.3.3
Proxy-State = 0xdeadbeef0001
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "attr_filter" returns noop for request 0
rlm_realm: Looking up realm "test.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "test.com"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched [EMAIL PROTECTED] at 102
modcall[authorize]: module "files" returns ok for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 1.2.3.4:1645
MS-CHAP-Error = "\001E=691 R=1"
Proxy-State = 0xdeadbeef0001
Waking up in 4 seconds...


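A triage helper for debug output like the trace above, as an added example that is neither from the post nor from FreeRADIUS: it reduces one radiusd -X request to the NAS that sent it, the Auth-Type chosen, every module verdict, the module that rejected, and the decoded MS-CHAP-Error string (RFC 2759 section 6 layout; E=691 is ERROR_AUTHENTICATION_FAILURE and R=1 tells the NAS a retry is allowed). The embedded log is a trimmed copy of the one in the post with a made-up user name.

```python
import re

# RFC 2759 s6: failure codes carried in the E= field of an MS-CHAP Failure.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Constructed excerpt of radiusd -X output, trimmed from the post's log;
# the user name is made up. Raw string so the \001 stays as the server prints it.
SAMPLE_LOG = r'''
rad_recv: Access-Request packet from host 1.2.3.4:1645, id=1, length=189
User-Name = "kevin@test.com"
MS-CHAP-Challenge = 0xc1cf72bd0daa9cd9bc695811264ae8c6
NAS-IP-Address = 1.2.3.3
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No such realm "test.com"
modcall[authorize]: module "suffix" returns noop for request 0
modcall[authorize]: module "files" returns ok for request 0
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
modcall[authorize]: module "mschap" returns ok for request 0
rad_check_password: Found Auth-Type MS-CHAP
rlm_mschap: Told to do MS-CHAPv2 for kevin@test.com with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 1 to 1.2.3.4:1645
MS-CHAP-Error = "\001E=691 R=1"
'''

_RECV_RE = re.compile(r'rad_recv: Access-Request packet from host (\S+), id=(\d+)')
_MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
_AUTHTYPE_RE = re.compile(r'rad_check_password: Found Auth-Type (\S+)')
_MSCHAP_ERR_ATTR_RE = re.compile(r'MS-CHAP-Error = "(.*)"')
# Failure string: optional ident byte (printed as \NNN by the server, or raw),
# then "E=eeeeeeeeee R=r C=cccc V=vvvvvvvvvv M=<msg>" with the tail optional.
_MSCHAP_ERR_RE = re.compile(
    r'^(?:\\(?P<oct>\d{3})|(?P<raw>[\x00-\x1f]))?E=(?P<code>\d+)'
    r'(?:\s+R=(?P<retry>[01]))?(?:\s+C=(?P<chal>[0-9A-Fa-f]+))?'
    r'(?:\s+V=(?P<ver>\d+))?(?:\s+M=(?P<msg>.*))?$')


def parse_mschap_error(text):
    """Decode an MS-CHAP-Error value into ident byte, code, name and retry flag."""
    m = _MSCHAP_ERR_RE.match(text)
    if m is None:
        return None
    if m.group("oct") is not None:
        ident = int(m.group("oct"), 8)
    elif m.group("raw") is not None:
        ident = ord(m.group("raw"))
    else:
        ident = None
    code = int(m.group("code"))
    return {"ident": ident, "code": code,
            "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry": m.group("retry") == "1"}


def summarize_request(log_text):
    """Reduce one request's debug trace to who sent it, the Auth-Type chosen,
    every module verdict, the first module that rejected, and the decoded
    MS-CHAP-Error if the reject carried one."""
    summary = {"nas": None, "id": None, "auth_type": None,
               "modules": [], "rejected_by": None, "mschap_error": None}
    for line in log_text.splitlines():
        line = line.strip()
        m = _RECV_RE.search(line)
        if m:
            summary["nas"], summary["id"] = m.group(1), int(m.group(2))
            continue
        m = _MODCALL_RE.search(line)
        if m:
            section, module, rc = m.groups()
            summary["modules"].append((section, module, rc))
            if rc == "reject" and summary["rejected_by"] is None:
                summary["rejected_by"] = (section, module)
            continue
        m = _AUTHTYPE_RE.search(line)
        if m:
            summary["auth_type"] = m.group(1)
            continue
        m = _MSCHAP_ERR_ATTR_RE.search(line)
        if m:
            summary["mschap_error"] = parse_mschap_error(m.group(1))
    return summary


if __name__ == "__main__":
    for key, value in summarize_request(SAMPLE_LOG).items():
        print(f"{key:13}: {value}")
```

Reading the summary for the posted trace: authorization succeeded and rlm_mschap itself chose the Auth-Type, so the reject comes from the response comparison in the authenticate section, not from a missing user or realm; that narrows the fault to the NT-Password on file, the NAS's MS-CHAPv2 implementation, or the server build, which is where Alan's Solaris remark points.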


Unresponsive Child Critical Errors

2004-10-21 Thread Nate M
I've been having issues sending to the list, so apologies if this is dup.

I've got some weirdness with freeradius 1.0.1 (same results
in previous versions).  Test systems are x86_64 and i386 Fedora Core 2
machines (2.6.8.1).  Same tests on older redhat9 machine (2.6.4) do not have
the same issue.

My users entry looks like:
DEFAULT Auth-Type := Accept
Exec-Program-Wait = "/etc/raddb/scripts/pre_auth.sh",
Fall-Through = Yes

There are no other authentication mechanisms enabled, all requests go to
pre_auth.sh.  The script is configured to only exit 0 (although I get
identical results when rejecting requests with exit 1) and pass attributes.
Same results w/o attributes.

This issue only happens when running in standard mode, in debug -x or debug
-xx mode.  The problem can be duplicated over and over on various platforms.
The problem does not happen in -X debug mode.  Problem also does not happen
in single thread mode.

When sending test radius packets it will authenticate the first always, then
depending on the frequency of the incoming packets it will hang usually once
they are sent at a rate of apx 1+/second.  Sending packets continuously at 1
each 2 seconds it will never have any problem.

It appears to be in the following entry that it is hanging right before it
gets to the "Exec-Program: returned: 0" section.  Almost as if it's not
catching the return value of the external program.  Later (10-15 seconds) it
drops that client as unresponsive.  Attaching 2 -xx debug reports, the first
is the request which bombs, the 2nd is a good request.

Any help in further debugging or solving this issue is greatly appreciated.


##  REQUEST WHICH BOMBS  ##
Going to the next request
Thread 7 waiting to be assigned a request
rad_recv: Access-Request packet from host 63.228.227.6:2300, id=67,
length=53
Waking up in 2 seconds...
Thread 8 got semaphore
Thread 8 handling request 6, (1 handled so far)
User-Name = "[EMAIL PROTECTED]"
User-Password = "x"
rad_rmspace_pair:  User-Name now '[EMAIL PROTECTED]'   
  Processing the authorize section of radiusd.conf 
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "attr_filter" returns noop for request 6
rlm_realm: No '#' in User-Name = "[EMAIL PROTECTED]", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "prefix" returns noop for request 6
rlm_realm: Looking up realm "visp.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "visp.net"
  modcall[authorize]: module "suffix" returns noop for request 6
users: Matched DEFAULT at 36
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
radius_xlat:  '/etc/raddb/scripts/pre_auth.sh'
Exec-Program: /etc/raddb/scripts/pre_auth.sh
Re-wait 2
Exec-Program output: Idle-Timeout = 1140, Session-Timeout = 28800,
Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254,
Framed-Protocol = PPP, Simultaneous-Use = 1,
Exec-Program-Wait: value-pairs: Idle-Timeout = 1140, Session-Timeout =
28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254,
Framed-Protocol = PPP, Simultaneous-Use = 1,
--- Walking the entire request list ---
Cleaning up request 0 ID 61 with timestamp 416c1c9c
Cleaning up request 1 ID 62 with timestamp 416c1c9c
Cleaning up request 2 ID 63 with timestamp 416c1c9c
Waking up in 1 seconds...
Threads: total/active/spare threads = 15/1/14
--- Walking the entire request list ---
Cleaning up request 3 ID 64 with timestamp 416c1c9d
Cleaning up request 4 ID 65 with timestamp 416c1c9d
Cleaning up request 5 ID 66 with timestamp 416c1c9d
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
WARNING: Unresponsive child (id 1145158576) for request 6
Server rejecting request 6.
Sending Access-Reject of id 67 to 63.228.227.6:2300
Waking up in 5 seconds...
--- Walking the entire request list ---

  STRACE OUTPUT at time of error 
radius_xlat:  '/etc/raddb/scripts/pre_auth.sh'
Exec-Program: /etc/raddb/scripts/pre_auth.sh
Exec-Program output: Idle-Timeout = 1140, Session-Timeout = 28800,
Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254,
Framed-Protocol = PPP, Simultaneous-Use = 1, 
Exec-Program-Wait: value-pairs: Idle-Timeout = 1140, Session-Timeout =
28800, Service-Type = Framed-User, Framed-IP-Address = 255.255.255.254,
Framed-Protocol = PPP, Simultaneous-Use = 1, 
)  = 0 (Timeout)
time(NULL)  = 1097605809
time(NULL)  = 1097605809
write(1, "--- Walking the entire request l"..., 40--- Walking the entire
request list ---
) = 40


##  REQUEST WHIC

Re: UDPFROMTO and Proxy Problem

2004-10-21 Thread Alan DeKok
"Raimund Sacherer" <[EMAIL PROTECTED]> wrote:
> My previously posted patch adds configuration items for the proxy.conf
> config file where you can define the ip_addr which should be used for
> each Realm.
> 
> I would be glad if someone can confirm this as problem and my patch as
> the right solution ;-)

  The patch helps a bit.  Please submit it to bugs.freeradius.org so
it isn't lost.

  Alan DeKok.



test, ignore-me.

2004-10-21 Thread Nate M
Been having trouble sending to this list, this is just a test.  No need to
reply, please ignore.  Thanks.

- Nate





Re: Freeradius and Active Directory

2004-10-21 Thread Josh Howlett
On Thu, 21 Oct 2004, Alan DeKok wrote:
> > Additionally how the authentication request is
> > forwarded to AD.
>
>   FreeRADIUS can do authentication to a Windows domain via ntlm_auth.
> It's not quite the same thing, but it's close.

Another, possibly simpler, solution is to install IAS on the Windows box
and proxy RADIUS requests from FR to IAS.

josh.


Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]





Re: FreeRADIUS and DTC Radius interoperability

2004-10-21 Thread Alan DeKok
Benoit ROVERA <[EMAIL PROTECTED]> wrote:
> I'm experiencing some troubles to receive some RADIUS requests using my
> FreeRADIUS server.
> The RADIUS server who sends the requests is a DTC Radius server :
> http://www.dtc.co.jp/Radius2.0/RelNoteE.html.
> I get the following error message :
> 
> "Error: WARNING: Malformed RADIUS packet from host x.x.x.x : Vendor-Specific has 
> invalid length 0"

  Yuck.  Their RADIUS server is NOT following the RFC's, and is
sending you garbage attributes.

> I captured the datagrams coming from the DTC radius server. I noticed
> that the datagrams are well formed but the length field value is 2.
> 
> Does anybody know how to deal with this issue ?

  edit src/lib/radius.c, to allow 2-byte VSA's.

  The problem is that you can't DO anything with those VSA's, other
than discard them.  They're complete nonsense.

  I suggest, at the minimum, filing a bug report with DTC, asking them
to fix their RADIUS server.

  Alan DeKok.


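The length check behind that warning, as an added example that is not FreeRADIUS's radius.c: a small RADIUS attribute walker applying the RFC 2865 rules for Vendor-Specific, run over a constructed attribute section that carries a two-byte VSA like the one the DTC server sends. Strict mode aborts on it, as Benoit's server does; the tolerant flag is the "allow 2-byte VSAs" change Alan suggests, implemented here as dropping the empty VSA and continuing. Attribute values and vendor ids in the sample data are arbitrary.

```python
import struct

VENDOR_SPECIFIC = 26

# Constructed attribute section (the bytes after the 20-byte RADIUS header):
# User-Name, then a Vendor-Specific whose length field is 2 (type and length
# only, no Vendor-Id, which is what the thread describes), then NAS-IP-Address.
SAMPLE_ATTRS = (
    bytes([1, 5]) + b"bob"
    + bytes([VENDOR_SPECIFIC, 2])
    + bytes([4, 6, 192, 0, 2, 1])
)


def check_vsa(value):
    """Return an error string for a Vendor-Specific value, or None.
    RFC 2865 s5.26: 4-byte Vendor-Id followed by vendor data laid out as
    Vendor-Type / Vendor-Length / data, so fewer than 6 bytes carries nothing."""
    if len(value) < 6:
        return f"Vendor-Specific has invalid length {len(value)}"
    vendor_id = struct.unpack("!I", value[:4])[0]
    sub, off = value[4:], 0
    while off < len(sub):
        if len(sub) - off < 2:
            return f"vendor {vendor_id}: truncated sub-attribute header"
        sub_len = sub[off + 1]
        if sub_len < 2 or off + sub_len > len(sub):
            return f"vendor {vendor_id}: sub-attribute has invalid length {sub_len}"
        off += sub_len
    return None


def parse_attributes(data, tolerate_empty_vsa=False):
    """Walk the TLV list and return (attrs, error). Strict mode stops at the
    first attribute whose length cannot be trusted, as the thread's server
    does; tolerate_empty_vsa=True instead skips an empty VSA and keeps going,
    which is the radius.c change the reply suggests. Everything else that is
    malformed still aborts, because an untrusted length is how a parser gets
    walked off the end of the buffer."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            return attrs, "truncated attribute header"
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            return attrs, f"attribute {atype} has invalid length {alen}"
        value = data[off + 2:off + alen]
        off += alen
        if atype == VENDOR_SPECIFIC:
            err = check_vsa(value)
            if err is not None:
                if tolerate_empty_vsa and len(value) == 0:
                    continue    # discard it, nothing usable is in there anyway
                return attrs, err
        attrs.append((atype, value))
    return attrs, None


if __name__ == "__main__":
    print("strict  :", parse_attributes(SAMPLE_ATTRS))
    print("tolerant:", parse_attributes(SAMPLE_ATTRS, tolerate_empty_vsa=True))
```

The tolerant path only ever skips a VSA that is empty; a VSA with a Vendor-Id but a bad sub-attribute length is still rejected, so loosening the check for one broken vendor does not turn every other length error into silent acceptance.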


Re: Freeradius and Active Directory

2004-10-21 Thread Alan DeKok
Cool Man <[EMAIL PROTECTED]> wrote:
> My problem is I am proxying user of a specific domain
> to  another radius server which is infact an Active
> directory. 

  Active Directory is not a RADIUS server.

  Could you say which RADIUS server you're actually using?

> Now the EAP packets proxied to AD are rejected
> straight away, Now my question is how should I setup
> my kerberos  so that the request goes to proxied AD. 

  You've got the terminology all wrong.  Until you correct it, you
won't be able to solve your problems.

> Secondly, The users coming to my network are using EAP
> for access authentication, therefore, how the EAP
> packets is treated if I set Default 
> Auth-Type == kerberos. 

  It won't work.  Ever.

> Additionally how the authentication request is
> forwarded to AD.

  FreeRADIUS can do authentication to a Windows domain via ntlm_auth.
It's not quite the same thing, but it's close.

  Alan DeKok.




Re: Password Encryption

2004-10-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> I'm working with PPP Dial-In connections to a Cisco box with CHAP
> authentication. My users are authenticated through Radius server
> (freeradius 1.0.1) and the user profiles are load in a MySQL
> database created with the script provided in a freeradius.tar.gz
> file. All is working fine. However all passwords are in clear text
> and I'd like to work with Encrypted password.

  No.  It's impossible.  Stop trying.

> Do you have some suggestions about this issue?

  Leave the passwords in clear-text in SQL.

  Alan DeKok.

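Why plain CHAP forces the server to hold the clear-text password, as an added example (not from the thread or from FreeRADIUS): RFC 1994 defines the response as MD5 over the identifier, the secret and the challenge, so the authenticator can only recompute it from the password bytes themselves. The code shows the clear-text check succeeding and the best a digest-only store can do failing. The password, identifier and challenge in the test are constructed. This concerns CHAP as asked about here; MS-CHAP is a different case, since that protocol hashes the password on its own, which is why the MS-CHAP thread on this page shows rlm_mschap working "with NT-Password".

```python
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """RFC 1994 s4.1: Response = MD5(Identifier || secret || Challenge).
    The peer computes this; the authenticator must compute the same value."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def password_digest(password):
    """What a 'store it encrypted' scheme would keep: a one-way digest
    (SHA-256 here as a stand-in for any irreversible form)."""
    return hashlib.sha256(password).digest()


def verify_chap_cleartext(stored_password, ident, challenge, response):
    """Authenticator holding the clear-text password: recompute and compare."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_digest_only(stored_digest, ident, challenge, response):
    """Authenticator holding only a digest. The best it can do is feed the
    digest in where the password belongs, and that never matches, because
    the peer hashed the real password bytes, not their digest."""
    expected = chap_response(ident, stored_digest, challenge)
    return hmac.compare_digest(expected, response)


def new_challenge(length=16):
    """Fresh random challenge per attempt, so a captured response is useless later."""
    return os.urandom(length)


if __name__ == "__main__":
    ident, password = 1, b"s3cret"        # constructed sample credential
    challenge = new_challenge()
    response = chap_response(ident, password, challenge)   # what the peer sends
    print("clear-text store :", verify_chap_cleartext(password, ident, challenge, response))
    print("digest-only store:", verify_with_digest_only(password_digest(password), ident, challenge, response))
```

The consequence for the MySQL table is the one Alan states: for CHAP the stored value has to be something the server can turn back into the password bytes, so protecting that table (access control, encryption at rest outside the RADIUS path) is the lever, not hashing the column.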


Re: Missing db_mssql.sql in 1.0.1 distribution

2004-10-21 Thread Alan DeKok
"Rogier Mulder" <[EMAIL PROTECTED]> wrote:
> While digging deeper into the src tree, I'm getting the feeling that
> there is more I'm missing. In
> src/modules/rlm_sql/drivers/rlm_sql_freetds there is only
> Makefile. It references sql_freetds.c which is not on the system.

  The freetds support was deleted.

> What do I need to do, to make a plain-vanilla 1.0.1 distribution to work
> with MS SQL Server 7/2000?

  This was answered on the list yesterday, I believe.  See rlm_sql_iodbc.

  Alan DeKok.



Re: WPA - Freeradius external script problem

2004-10-21 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Ok. I wasn't explaining the situation clear enough. The script
> always succeeds only for testing. Later on I will implement some
> logic to it which will check the received user account from external
> systems and returns exit value 0 or 1 depending on the external
> authentication. I print out the password because I thought it was
> needed in the freeradius to authenticate EAP-PEAP authentication
> request. Obviously I'm wrong?

  You are contradicting yourself again.  If your script authenticates
the user, then FreeRADIUS doesn't need to authenticate the user.  If
your script is simply printing a User-Password, and expects FreeRADIUS
to use that password to authenticate the user, then your script is not
authenticating the user.

  If your script doesn't understand PEAP, then it can't authenticate
the user.

  Move your script to the "authorize" section, and let FreeRADIUS
decide how to authenticate the user.

  Alan DeKok.



RE: Reauthenticate User

2004-10-21 Thread Nurul Faizal Bin M.Shukeri
I use two levels of authentication. First username and password (EAP-PEAP) and
then check for MAC addresses. I've tried to use session-timeout, but when I
use this attribute, the cache for user info will be lost and we need to enter
username & password again. Hope you can help me Julius Igugu. TQ very much for
your response. 

Nurul Faizal Bin M.Shukeri
Pusat Komputer,
Universiti Sains Malaysia.


What do you use for authentication? 
MAC Addresses, 802.1x, etc?

--- "Nurul Faizal Bin M.Shukeri" <[EMAIL PROTECTED]> wrote:

> I've got cisco aironet 350 series AP.
> 
> ---
> 
> This will depend on your NAS/RAS.
> 
> Which one do you have?
> 
> --- "Nurul Faizal Bin M.Shukeri" <[EMAIL PROTECTED]> wrote:
> 
> > Hi again..,
> > 
> > Anyone plz help me. How to reauthenticate user every example 30 min
> > without reenter username and password ?
> 
> Nurul Faizal Bin M.Shukeri
> Pusat Komputer,
> Universiti Sains Malaysia.





Re: problem authenticating to passwd/shadow files

2004-10-21 Thread Alan DeKok
"Cameron Birky" <[EMAIL PROTECTED]> wrote:
> I encrypt at my client and then the pptpd calls the freeradius
> plugin for authentication.  does anyone know if pptpd decrypts
> before it passes the string to freeradius for authentication?

  Q: How do you "encrypt" at the client?

  Q: How could pptpd decrypt the password?

  If the answer to the second question is "it can't", then FreeRADIUS
probably can't decrypt it, either.

  Alan DeKok.



Re: gnugk+freeradius+mysql works well,but how to configure for prepaid??

2004-10-21 Thread Alan DeKok
Stefan Bosnjakovic <[EMAIL PROTECTED]> wrote:
> We need to implement pre-paid cards as well. Users can buy 30, 60,
> 120mins cards.

  rlm_sqlcounter should do exactly this.  Set up users in groups, and
then configure the maximum session time per-group.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS and DTC Radius interoperability

2004-10-21 Thread Benoit ROVERA
Hi there,

I'm experiencing some trouble receiving RADIUS requests on my
FreeRADIUS server.
The RADIUS server who sends the requests is a DTC Radius server :
http://www.dtc.co.jp/Radius2.0/RelNoteE.html.
I get the following error message :

"Error: WARNING: Malformed RADIUS packet from host x.x.x.x : Vendor-Specific has 
invalid length 0"


I captured the datagrams coming from the DTC radius server. I noticed
that the datagrams are well formed but the length field value is 2.

Does anybody know how to deal with this issue ?

Thanks for your help.

Benoit
-- 

Benoit ROVERA
Quiconnect 
This message may contain privileged or confidential information 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
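The warning above comes from the attribute walk a RADIUS server does over the bytes after the 20-byte header: each attribute is Type, Length, Value, and a Vendor-Specific (type 26) attribute must be at least 7 bytes long per RFC 2865 section 5.26 (Type, Length, the 4-byte Vendor-Id and at least one byte of vendor data). An attribute length of 2 therefore means an empty VSA, which a strict receiver treats as a malformed packet. The following is an added example, not code from the thread or from FreeRADIUS: a minimal attribute parser in Python that applies that check and shows the difference between rejecting the whole packet (what the server did here) and skipping only the offending attribute. The sample packet is constructed; the Cisco (vendor 9) cisco-avpair sub-attribute is there only as a realistic well-formed VSA next to the empty one.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator
VENDOR_SPECIFIC = 26
MIN_VSA_LENGTH = 7                   # RFC 2865 5.26: Type + Length + Vendor-Id + >= 1 byte


class Attr(NamedTuple):
    type: int
    vendor_id: Optional[int]
    vendor_type: Optional[int]
    value: bytes


def parse_vsa_value(vendor_id: int, body: bytes, problems: List[str]) -> List[Attr]:
    """Walk the Vendor-Type / Vendor-Length / String sub-attributes inside one VSA."""
    out, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            problems.append(f"vendor {vendor_id}: truncated sub-attribute header")
            break
        vtype, vlen = body[pos], body[pos + 1]
        if vlen < 2 or pos + vlen > len(body):
            problems.append(f"vendor {vendor_id}: sub-attribute {vtype} has invalid length {vlen}")
            break
        out.append(Attr(VENDOR_SPECIFIC, vendor_id, vtype, body[pos + 2:pos + vlen]))
        pos += vlen
    return out


def parse_attributes(buf: bytes, strict: bool = True) -> Tuple[List[Attr], List[str]]:
    """strict=True stops at the first malformed attribute (reject the packet);
    strict=False records the problem and skips just that attribute."""
    attrs: List[Attr] = []
    problems: List[str] = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            problems.append(f"trailing byte at offset {pos}")
            break
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            problems.append(f"attribute {atype} has invalid length {alen}")
            break
        value = buf[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if alen < MIN_VSA_LENGTH:
                problems.append(f"Vendor-Specific has invalid length {alen} ({len(value)} value bytes)")
                if strict:
                    break
                pos += alen
                continue
            vendor_id = struct.unpack("!I", value[:4])[0]
            attrs.extend(parse_vsa_value(vendor_id, value[4:], problems))
        else:
            attrs.append(Attr(atype, None, None, value))
        pos += alen
    return attrs, problems


def parse_packet(data: bytes, strict: bool = True) -> Tuple[int, int, List[Attr], List[str]]:
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length, _authenticator = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError(f"header Length {length} inconsistent with {len(data)} bytes received")
    attrs, problems = parse_attributes(data[HEADER.size:length], strict)
    return code, ident, attrs, problems


def build_packet(code: int, ident: int, raw_attrs: List[bytes]) -> bytes:
    """Assemble a packet with a correct Length field (authenticator left as zeros)."""
    body = b"".join(raw_attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), bytes(16)) + body


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one well-formed Vendor-Specific attribute carrying one sub-attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    payload = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(payload)]) + payload


# Constructed sample: Access-Request (code 1) with User-Name, the empty VSA the thread
# describes (attribute length 2, no Vendor-Id) and a valid Cisco (vendor 9) cisco-avpair.
SAMPLE = build_packet(1, 55, [
    bytes([1, 2 + 5]) + b"cisco",
    bytes([VENDOR_SPECIFIC, 2]),
    vsa(9, 1, b"shell:priv-lvl=15"),
])

if __name__ == "__main__":
    for strict in (True, False):
        code, ident, attrs, problems = parse_packet(SAMPLE, strict)
        print(f"strict={strict}: code={code} id={ident} attrs={attrs} problems={problems}")
```

In strict mode the parser stops at the empty VSA and the Cisco attribute after it is never seen, which is the behaviour the debug output above reflects; in lenient mode the packet still yields User-Name and the Cisco sub-attribute, with the problem recorded for logging. Which mode to run is a policy choice: lenient parsing keeps a slightly broken peer working but also means an attacker-controlled NAS can hide attributes from stricter downstream parsers.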


Re: UDPFROMTO and Proxy Problem

2004-10-21 Thread Raimund Sacherer
Hi Nicolas, Thomas!

Here is a more detailed description of our scenario: 


 +--+
  +---+  | NAS/Roaming  | (NAS/Roaming Partner may not be
  | 1 |  | RadiusServer | part of our Network and can have their
  +---+  +--+ own Public/Private IP Networks)
|
|
|
 +--+
 | Our  |
+>---| FireWall/|
|| IPSEC|
|| Tunnel   |
|| Endpoint |
|+--+
|   |
|+---+  |
|| 2 | +++
|+---+ | |
|Clients which   Clients with 
|comes from  "direct"
|IPSec Tunnels   Internet Access
|  | |
|  | |
|   eth0:1 eth0
| 10.0.0.10  62.62.62.62
|  | |
|+--+
|| Our  |-eth1-<->-[internal AdminLan]
|| RadiusServer |
|+--+
|  | |
|   +---+eth0:1 eth0
|   | 3 |  10.0.0.10  62.62.62.62
|   +---+  | |
+---<--+---<-+


1. Packet comes from NAS or from a Roaming Partner, either from internet
or via IPSEC Tunnel, which terminates on "Our Firewall".

2. The Firewall routes the Packet to our Radius Server.

3. The radius server authenticates/accounts local realms and proxies all other
realms to the appropriate foreign radius proxy/server back via "Our Firewall".
If the packet has to go to a partner which needs an IPSEC tunnel it is
proxied over eth0:1, otherwise over eth0.

That's the point of our problem.

In our case the default gateway points to the public ip_address of the
internal interface of "Our Firewall". For a proxy packet the
Packet->src_ipaddr is empty. As the sendmsg function has no src_ipaddr
it uses the default gateway as src_ipaddr for this packet. Therefore the
IPSEC tunnel on "Our Firewall" discards the proxy packet because it
expects the packet from 10.0.0.10 (LeftSide/RightSide IPSEC). Even if the
IPSEC tunnel allowed our packets, the foreign radius server would
silently discard the packet as it uses the wrong src_ipaddr.

In your scenario you are directly connected to the networks where your
proxy server resides, so you don't need to use a default gateway to reach
your servers.

My previously posted patch adds configuration items for the proxy.conf
config file where you can define the ip_addr which should be used for
each Realm.

I would be glad if someone can confirm this as a problem and my patch as
the right solution ;-)

For our second problem I stated previously in this thread (that the above
scenario is NOT working if eth0:1 is a physical interface) we will
rebuild our test-scenario to post better debugging information.

best regards

Raimund Sacherer


On Wed, 2004-10-20 at 16:34 +0200, Thomas MARCHESSEAU wrote:
> Hi Raimund,
> 
> Nicolas and I did some test on proxy forwarding , we use this model :
> 
> 
> 
>   CLIENT 172.16.69.1
>   |
> vlan 69
>   |
> 172.16.69.3 (virtual ip 
> handled by keepalived)
>   |
> 172.16.69.2 (eth2)
>   |
>  +-+
>  | PROXY with udpfromto|
>  | and bind_addr * |
>  | ldflag = round_robin|
>  +-+
> | |
>eth0  eth3
> 192.168.7.241 10.17.1.243
> | |
> | |
>   +--+ +---+
>   | |
>   | |
>  +--+ 
> +--+
>  | Radius Srv   | | Radius 
> Srv   |
>  | 192.168.7.243| | 
> 10.17.10.242 |
>  +--+ 
> +--+
> 
> 
> We hope that it match w

Re: Password Encryption

2004-10-21 Thread elimachi

Hi Doris:

I tried again but the problem persists.
I ran radius in debug mode and this is the output:

rad_recv: Access-Request packet from host 10.250.1.1:1645, id=55, length=76
        NAS-IP-Address = 10.250.1.1
        NAS-Port = 1
        NAS-Port-Type = Async
        User-Name = "cisco"
        CHAP-Password = 0x1d4cf1f5afcc05956d50d493b34cf5f2cb
        Service-Type = Framed-User
        Framed-Protocol = PPP
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "cisco", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
radius_xlat:  'cisco'
rlm_sql (sql): sql_set_user escaped user --> 'cisco'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'cisco' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'cisco' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'cisco' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'cisco' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by "cisco" with CHAP password
  rlm_chap: Could not find clear text password for user cisco
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 10.250.1.1:1645
        Cisco-AVPair = "lcp:callback-dialstring="
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 4177ccb4
Nothing to do.  Sleeping until we see a request.

Does freeradius always expect to find the password in clear text? Any ideas?

Thank you.

EDWIN LIMACHI N.
ENTEL - Operaciones y Mantenimiento
Regional La Paz
TSE - INFONET BOLIVIA
Phone. 591-2-2123978
Movil: 591-715-29967
Fax: 591-2-2123975  








Dustin Doris <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
21/10/2004 10:31
Please reply to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: Password Encryption

> Dear list:
>
> I'm working with PPP Dial-In connections to a Cisco box with CHAP
> authentication. My users are authenticated through a Radius server
> (freeradius 1.0.1) and the user profiles are loaded in a MySQL database
> created with the script provided in the freeradius.tar.gz file. All is
> working fine. However all passwords are in clear text and I'd like to work
> with encrypted passwords.
> For a first test I filled the radcheck table with this mysql statement:
>
> insert into radcheck (Username,Attribute,op,Value) Values
> ('my_user','User-Password','==',ENCRYPT('my_password'));

I believe you need to change it from User-Password to Crypt-Password in
mysql:

insert into radcheck (Username,Attribute,op,Value) Values
('my_user','Crypt-Password','==',ENCRYPT('my_password'));


Hope that helps.

Dusty Doris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Password Encryption

2004-10-21 Thread Stefan . Neis
Hi,
(snipp)
> > CHAP
(snipp)
> > Encrypted password.
(snipp)

It's impossible to combine CHAP and "encrypted" (hashed!) passwords,
see my other mail with the subject
  Re: problem authenticating to passwd/shadow files

HTH,
Stefan



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: problem authenticating to passwd/shadow files

2004-10-21 Thread Stefan . Neis
Hi,

> there are obviously different kinds of encryption and as you mention with
> out a key, decryption is not possible.

It's not only the question of a key, it's also a question of methods
used. Given a hash value (often called "encrypted password"), you
just can't get back to the clear text.

> that leaves public key based encryption.  so, poptop can
> do ssl based encryption,
> can that be utilized to encrypt the transport in much the same way https
> encrypts http traffic?

Actually, RADIUS supports an authentication protocol called EAP-TLS which
essentially does just that. However, it requires each client to have
a certificate and be able to verify the authentication server's
certificate. Also client and server must support it.

> does anyone know if pptpd decrypts
> before it passes the string to freeradius for authentication?

Sorry, that's exactly what I have been trying to explain:
If you are using (MS-)CHAP, there is nothing which can be
decrypted (the password is only used to compute/verify some
hash value). Only if you are using PAP the password is contained
in the authentication request and only then whatever server
decrypts it (if it ever was encrypted) and reencrypts it in a different
way to send it to the radius server.

> just pass on the encrypted stream and thus tries
> to compare the mschapv2 encrypted stream with a md5 encrypted unix password?
>   which lead to alan's response of "it won't work and never will".

If you're using (MS-)CHAP, "challenge" and "response" will be passed on
to the server, but to verify that the response matches the challenge,
you do _need_ the clear text password. And since it's impossible to
"decrypt" the "encrypted unix passwords" (which really are "hashed
passwords"), there's no way to make this work.

In short: You can either use (MS-)CHAP and store cleartext passwords
on the server (to be able to check that challenge and response do
match) or you can use PAP (i.e. transfer "cleartext" passwords when
authenticating) and e.g. check if the password has the correct
hash value stored on the server (e.g. an MD5-hash or a Unix hash).

[ For completeness:
 In the particular case of MS-CHAP, the first step in verification of
 challenge/response is an encryption of the password, so it's sufficient
 to store that intermediate result on the server (LM-Password and
 NT-Password), but OTOH, that's also all an attacker needs to know, so
 there's no real benefit in storing those in place of the real password.]


HTH,
Stefan




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
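Stefan's point above, and the same one in his reply on the "Password Encryption" thread, is the whole story behind the "Could not find clear text password" line in Edwin's debug output: with CHAP the NAS only sends MD5(Identifier || password || Challenge) (RFC 1994), so the server must hold the password itself to recompute it, while with PAP the server receives the password and can compare it against any one-way hash. The following is an added example, not code from the thread or from FreeRADIUS, that models both sides in Python. The radcheck contents are constructed; the salted PBKDF2 hash is a stand-in for crypt(3)/MySQL ENCRYPT(); and the CHAP-Password layout (Identifier byte followed by the 16-byte response, 17 bytes in total, which is why the log above shows 0x1d followed by 32 hex digits) follows RFC 2865. The last two cases also reproduce what Edwin observed: with the hash string stored under User-Password, CHAP succeeds only when the user types the hash string itself.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def nas_chap_request(user: str, typed_password: str, challenge: bytes, ident: int = 0x1D) -> dict:
    """What the NAS puts into the Access-Request: CHAP-Password is the Identifier byte
    followed by the 16-byte response, so the password itself never leaves the NAS."""
    return {
        "User-Name": user,
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + chap_response(ident, typed_password, challenge),
    }


def nas_pap_request(user: str, typed_password: str) -> dict:
    """PAP: the password travels in User-Password (obfuscated with the shared secret on
    the wire, but the RADIUS server recovers it)."""
    return {"User-Name": user, "User-Password": typed_password}


def hash_password(password: str, salt: bytes) -> str:
    """Stand-in for crypt(3) / MySQL ENCRYPT(): a salted one-way hash stored as salt$hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def check_hashed(password: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def authenticate_chap(request: dict, check_items: dict) -> str:
    """Server side of CHAP, as rlm_chap does it: it needs the clear-text User-Password
    check item to recompute the response. With only a hash there is nothing to feed MD5."""
    clear = check_items.get("User-Password")
    if clear is None:
        return "invalid"          # "Could not find clear text password for user ..."
    ident = request["CHAP-Password"][0]
    expected = chap_response(ident, clear, request["CHAP-Challenge"])
    return "ok" if hmac.compare_digest(expected, request["CHAP-Password"][1:]) else "reject"


def authenticate_pap(request: dict, check_items: dict) -> str:
    """With PAP the server holds the typed password, so a hashed check item can be verified."""
    typed = request["User-Password"]
    if "Crypt-Password" in check_items:
        return "ok" if check_hashed(typed, check_items["Crypt-Password"]) else "reject"
    if "User-Password" in check_items:
        same = hmac.compare_digest(typed.encode(), check_items["User-Password"].encode())
        return "ok" if same else "reject"
    return "invalid"


# Constructed sample data: three ways the radcheck row for my_user could look.
SALT = bytes.fromhex("0123456789abcdef")
HASHED = hash_password("my_password", SALT)
CLEAR_ITEMS = {"User-Password": "my_password"}   # works for CHAP and PAP
CRYPT_ITEMS = {"Crypt-Password": HASHED}          # works for PAP only
MISLABELLED_ITEMS = {"User-Password": HASHED}     # the hash stored under User-Password
CHALLENGE = bytes(range(16))


def demo() -> dict:
    def chap(typed: str, items: dict) -> str:
        return authenticate_chap(nas_chap_request("my_user", typed, CHALLENGE), items)

    def pap(typed: str, items: dict) -> str:
        return authenticate_pap(nas_pap_request("my_user", typed), items)

    return {
        "chap_clear": chap("my_password", CLEAR_ITEMS),
        "chap_crypt": chap("my_password", CRYPT_ITEMS),
        "pap_crypt": pap("my_password", CRYPT_ITEMS),
        "pap_crypt_wrong": pap("wrong", CRYPT_ITEMS),
        "chap_mislabelled_typed_password": chap("my_password", MISLABELLED_ITEMS),
        "chap_mislabelled_typed_hash": chap(HASHED, MISLABELLED_ITEMS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:34s} {result}")
```

The trade-off Stefan describes falls out directly: CHAP keeps the password off the wire but forces the server to store it recoverably, PAP lets the server store only a hash but puts the password in the Access-Request (protected only by the RADIUS shared secret between NAS and server). Which risk is acceptable depends on whether you trust the link NAS-to-server more than the server's database.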


Re: Freeradius and Active Directory

2004-10-21 Thread Cool Man
Hi Bill, 

My problem is I am proxying users of a specific domain
to another radius server which is in fact an Active
Directory.

Now the EAP packets proxied to AD are rejected
straight away. Now my question is how should I set up
my kerberos so that the request goes to the proxied AD?

Secondly, the users coming to my network are using EAP
for access authentication; therefore, how are the EAP
packets treated if I set Default
Auth-Type == kerberos?

Additionally, how is the authentication request
forwarded to AD?

Regards,
Raza.


--- Bill Schwanitz <[EMAIL PROTECTED]> wrote:

> 
> 
> 
> Cool Man wrote:
> | Hi,
> |
> |
> | Active Directory works with freeradius through,
> but if
> | you want to use it within a 802.1x/EAP environment
> it
> | won't work. Because you have to get out of Active
> | Directory the NT Passwords. Active Directory
> doesn't
> | support this, so far I came to know.
> |
> 
> Suggestion: look at getting rlm_krb5 to work. If you
> want an example config:
> 
> /etc/krb5.conf:
> 
> - --- begin ---
> [logging]
> ~ default = FILE:/var/log/krb5libs.log
> ~ default = SYSLOG
> ~ kdc = FILE:/var/log/krb5kdc.log
> ~ kdc = SYSLOG
> ~ admin_server = FILE:/var/log/kadmind.log
> ~ admin_server = SYSLOG
> 
> [libdefaults]
> ~ ticket_lifetime = 24000
> ~ default_realm = DOMAIN.ORG
> ~ dns_lookup_realm = false
> ~ dns_lookup_kdc = false
> 
> [realms]
> ~ DOMAIN.ORG = {
> ~  kdc = 1.2.3.4:88
> ~  admin_server = 1.2.3.4
> ~ }
> 
> [domain_realm]
> ~ .telsource.net = DOMAIN.ORG
> ~ telsource.net = DOMAIN.ORG
> 
> [kdc]
> ~ profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> ~ pam = {
> ~   debug = true
> ~   ticket_lifetime = 36000
> ~   renew_lifetime = 36000
> ~   forwardable = true
> ~   krb4_convert = false
> ~   addressless = true
> ~ }
> - --- end ---
> 
> then, in radiusd.conf:
> 
> modules {
> 
> ~krb5 {
> ~service_principal = DOMAIN.ORG
> ~}
> 
> }
> 
> authenticate {
> ~#
> ~# krb5 / kerberos
> ~#
> ~krb5
> }
> 
> /etc/users:
> 
> DEFAULT Auth-Type = Kerberos
> ~Fall-Through = 1
> 
> | Is there any solution to this.
> |
> | Thanks,
> | Raza.
> |
> |
> |
> |
> | --- Thomas Lasswell <[EMAIL PROTECTED]> wrote:
> |
> |
> |>Yes, you can do this, you have to use LDAP to
> |>integrate the two, and
> |>I've included a link that might be of some use...
> |>
> |>LDAP (Incorporates radius server with AD
> |>Authentication)
>
|>http://www.siliconvalleyccie.com/linux-adv/ldap.htm
> |>
> |>--
> |>Thomas Lasswell
> |>http://www.graphinesystems.com
> |>[EMAIL PROTECTED]
> |>[EMAIL PROTECTED]
> |>
> |>On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
> |><[EMAIL PROTECTED]> wrote:
> |>
> |>>Hi ,
> |>>
> |>>I would like to know if freeradius works with
> |>
> |>Active
> |>
> |>>directory. If so how can I configure it.
> |>>
> |>>secondly, I want to use Active Directory within
> |>
> |>for
> |>
> |>>802.1x/EAP authentication. Is there any
> |>
> |>possibility to
> |>
> |>>>establish this task.
> |>>
> |>>Thanks,
> |>>Raza.
> |>>
> |>>
> |>>
> |>>-
> |>>List info/subscribe/unsubscribe? See
> |>
> |>http://www.freeradius.org/list/users.html
> |>
> |>-
> |>List info/subscribe/unsubscribe? See
> |>http://www.freeradius.org/list/users.html
> |>
> |
> |
> |
> |
> | 
> |
> | -
> | List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> |
> 
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Password Encryption

2004-10-21 Thread Dustin Doris

> Dear list:
>
> I'm working with PPP Dial-In connections to a Cisco box with CHAP
> authentication. My users are authenticated through a Radius server
> (freeradius 1.0.1) and the user profiles are loaded in a MySQL database
> created with the script provided in the freeradius.tar.gz file. All is
> working fine. However all passwords are in clear text and I'd like to work
> with encrypted passwords.
> For a first test I filled the radcheck table with this mysql statement:
>
> insert into radcheck (Username,Attribute,op,Value) Values
> ('my_user','User-Password','==',ENCRYPT('my_password'));

I believe you need to change it from User-Password to Crypt-Password in
mysql:

insert into radcheck (Username,Attribute,op,Value) Values
('my_user','Crypt-Password','==',ENCRYPT('my_password'));


Hope that helps.

Dusty Doris


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and Active Directory

2004-10-21 Thread Bill Schwanitz
Michael,
This is more out of curiosity than anything (I have not looked at the
ntlm_auth module ... for the record):
What does the ntlm_auth module give you over the kerberos authentication
for user auth? Does the ntlm_auth module give you the ability to handle
group lookups and such, or is it just authentication?
Bill
Michael Griego wrote:
| For using PEAP with FreeRADIUS and Active Directory, you'll need to use
| the ntlm_auth functionality in the mschap module.
|
| --Mike
|
|
| On Thu, 2004-10-21 at 06:36, Cool Man wrote:
|
|>Hi,
|>
|>
|>Active Directory works with freeradius through, but if
|>you want to use it within a 802.1x/EAP environment it
|>won't work. Because you have to get out of Active
|>Directory the NT Passwords. Active Directory doesn't
|>support this, so far I came to know.
|>
|>Is there any solution to this.
|>
|>Thanks,
|>Raza.
|>
|>
|>
|>
|>--- Thomas Lasswell <[EMAIL PROTECTED]> wrote:
|>
|>
|>>Yes, you can do this, you have to use LDAP to
|>>integrate the two, and
|>>I've included a link that might be of some use...
|>>
|>>LDAP (Incorporates radius server with AD
|>>Authentication)
|>>http://www.siliconvalleyccie.com/linux-adv/ldap.htm
|>>
|>>--
|>>Thomas Lasswell
|>>http://www.graphinesystems.com
|>>[EMAIL PROTECTED]
|>>[EMAIL PROTECTED]
|>>
|>>On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
|>><[EMAIL PROTECTED]> wrote:
|>>
|>>>Hi ,
|>>>
|>>>I would like to know if freeradius works with
|>>
|>>Active
|>>
|>>>directory. If so how can I configure it.
|>>>
|>>>secondly, I want to use Active Directory within
|>>
|>>for
|>>
|>>>802.1x/EAP authentication. Is there any
|>>
|>>possibility to
|>>
|>>>establish this task.
|>>>
|>>>Thanks,
|>>>Raza.
|>>>
|>>>
|>>>
|>>>-
|>>>List info/subscribe/unsubscribe? See
|>>
|>>http://www.freeradius.org/list/users.html
|>>
|>>-
|>>List info/subscribe/unsubscribe? See
|>>http://www.freeradius.org/list/users.html
|>>
|>
|>
|>
|>   
|>
|>-
|>List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
|
|
|
| -
| List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
|
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Password Encryption

2004-10-21 Thread elimachi

Dear list:

I'm working with PPP Dial-In connections to a Cisco box with CHAP
authentication. My users are authenticated through a Radius server
(freeradius 1.0.1) and the user profiles are loaded in a MySQL database
created with the script provided in the freeradius.tar.gz file. All is
working fine. However all passwords are in clear text and I'd like to
work with encrypted passwords.
For a first test I filled the radcheck table with this mysql statement:

insert into radcheck (Username,Attribute,op,Value)
Values ('my_user','User-Password','==',ENCRYPT('my_password'));

but the authentication fails because the password string that the NAS
sends to radius does not match the string stored in the Value field. And
when I send the password using the string result of the ENCRYPT mysql
function, the user is authenticated.

Do you have some suggestions about this issue?

Thank you.

EDWIN LIMACHI N.
ENTEL - Operaciones y Mantenimiento
Regional La Paz
Phone. 591-2-2123978
Movil: 591-715-29967
Fax: 591-2-2123975  




Re: Freeradius and Active Directory

2004-10-21 Thread Michael Griego
For using PEAP with FreeRADIUS and Active Directory, you'll need to use
the ntlm_auth functionality in the mschap module.

--Mike


On Thu, 2004-10-21 at 06:36, Cool Man wrote:
> Hi, 
> 
> 
> Active Directory works with freeradius through, but if
> you want to use it within a 802.1x/EAP environment it
> won't work. Because you have to get out of Active
> Directory the NT Passwords. Active Directory doesn't
> support this, so far I came to know. 
> 
> Is there any solution to this. 
> 
> Thanks,
> Raza.
> 
> 
> 
> 
> --- Thomas Lasswell <[EMAIL PROTECTED]> wrote:
> 
> > Yes, you can do this, you have to use LDAP to
> > integrate the two, and
> > I've included a link that might be of some use...
> > 
> > LDAP (Incorporates radius server with AD
> > Authentication)
> > http://www.siliconvalleyccie.com/linux-adv/ldap.htm
> > 
> > -- 
> > Thomas Lasswell
> > http://www.graphinesystems.com
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > 
> > On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
> > <[EMAIL PROTECTED]> wrote:
> > > Hi ,
> > > 
> > > I would like to know if freeradius works with
> > Active
> > > directory. If so how can I configure it.
> > > 
> > > secondly, I want to use Active Directory within
> > for
> > > 802.1x/EAP authentication. Is there any
> > possibility to
> > > establish this task.
> > > 
> > > Thanks,
> > > Raza.
> > > 
> > > 
> > > 
> > > -
> > > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > >
> > 
> > - 
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > 
> 
> 
> 
>   
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and Active Directory

2004-10-21 Thread Bill Schwanitz

Cool Man wrote:
| Hi,
|
|
| Active Directory works with freeradius through, but if
| you want to use it within a 802.1x/EAP environment it
| won't work. Because you have to get out of Active
| Directory the NT Passwords. Active Directory doesn't
| support this, so far I came to know.
|
Suggestion: look at getting rlm_krb5 to work. If you want an example config:
/etc/krb5.conf:
- --- begin ---
[logging]
~ default = FILE:/var/log/krb5libs.log
~ default = SYSLOG
~ kdc = FILE:/var/log/krb5kdc.log
~ kdc = SYSLOG
~ admin_server = FILE:/var/log/kadmind.log
~ admin_server = SYSLOG
[libdefaults]
~ ticket_lifetime = 24000
~ default_realm = DOMAIN.ORG
~ dns_lookup_realm = false
~ dns_lookup_kdc = false
[realms]
~ DOMAIN.ORG = {
~  kdc = 1.2.3.4:88
~  admin_server = 1.2.3.4
~ }
[domain_realm]
~ .telsource.net = DOMAIN.ORG
~ telsource.net = DOMAIN.ORG
[kdc]
~ profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
~ pam = {
~   debug = true
~   ticket_lifetime = 36000
~   renew_lifetime = 36000
~   forwardable = true
~   krb4_convert = false
~   addressless = true
~ }
- --- end ---
then, in radiusd.conf:
modules {
~krb5 {
~service_principal = DOMAIN.ORG
~}
}
authenticate {
~#
~# krb5 / kerberos
~#
~krb5
}
/etc/users:
DEFAULT Auth-Type = Kerberos
~Fall-Through = 1
| Is there any solution to this.
|
| Thanks,
| Raza.
|
|
|
|
| --- Thomas Lasswell <[EMAIL PROTECTED]> wrote:
|
|
|>Yes, you can do this, you have to use LDAP to
|>integrate the two, and
|>I've included a link that might be of some use...
|>
|>LDAP (Incorporates radius server with AD
|>Authentication)
|>http://www.siliconvalleyccie.com/linux-adv/ldap.htm
|>
|>--
|>Thomas Lasswell
|>http://www.graphinesystems.com
|>[EMAIL PROTECTED]
|>[EMAIL PROTECTED]
|>
|>On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
|><[EMAIL PROTECTED]> wrote:
|>
|>>Hi ,
|>>
|>>I would like to know if freeradius works with
|>
|>Active
|>
|>>directory. If so how can I configure it.
|>>
|>>secondly, I want to use Active Directory within
|>
|>for
|>
|>>802.1x/EAP authentication. Is there any
|>
|>possibility to
|>
|>>establish this task.
|>>
|>>Thanks,
|>>Raza.
|>>
|>>
|>>
|>>-
|>>List info/subscribe/unsubscribe? See
|>
|>http://www.freeradius.org/list/users.html
|>
|>-
|>List info/subscribe/unsubscribe? See
|>http://www.freeradius.org/list/users.html
|>
|
|
|
|
|   
|
| -
| List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
|
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and Active Directory

2004-10-21 Thread Cool Man
Hi, 


Active Directory works with freeradius, but if
you want to use it within an 802.1x/EAP environment it
won't work, because you have to get the NT passwords
out of Active Directory, and Active Directory doesn't
support this, as far as I came to know. 

Is there any solution to this? 

Thanks,
Raza.




--- Thomas Lasswell <[EMAIL PROTECTED]> wrote:

> Yes, you can do this, you have to use LDAP to
> integrate the two, and
> I've included a link that might be of some use...
> 
> LDAP (Incorporates radius server with AD
> Authentication)
> http://www.siliconvalleyccie.com/linux-adv/ldap.htm
> 
> -- 
> Thomas Lasswell
> http://www.graphinesystems.com
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> 
> On Wed, 20 Oct 2004 05:36:46 -0700 (PDT), Cool Man
> <[EMAIL PROTECTED]> wrote:
> > Hi ,
> > 
> > I would like to know if freeradius works with
> Active
> > directory. If so how can I configure it.
> > 
> > secondly, I want to use Active Directory within
> for
> > 802.1x/EAP authentication. Is there any
> possibility to
> > > establish this task.
> > 
> > Thanks,
> > Raza.
> > 
> > 
> > 
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Re:gnugk+freeradius+mysql works well,but how to configure for prepaid??

2004-10-21 Thread Kyriaki Gali
Hello,
First of all, you can set radius.conf to "see" your database (sql.conf). You
can make some tables like users.
In users you can have fields like Prepaid ->yes or no, Calling Card-> yes or
no, Balance, Usage etc.

There is a radacct table that includes AcctStopTime, AcctStartTime,
AcctSessionTime (seconds) etc.
This table is updated (in sql.conf) when an accounting_start and an
accounting_stop packet comes.

You get the AcctSessionTime(seconds) and calculate the credits(money). You
must have in mind charge_step, minimum_charge etc.

Regards,

Kyriaki Gali,
IT Applications Specialist
Kinetix Tele.com Support Center,
Tel & Fax: +30 2310 256140
GSM: +30 6947 723737
http://www.kinetix.gr
e-mail: [EMAIL PROTECTED]
- Original Message - 
From: "Stefan Bosnjakovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 2:25 AM
Subject: Re:gnugk+freeradius+mysql works well,but how to configure for
prepaid??


Hi gokhan,

> this is my first mail. actually I am reading mails for a while. and by the
> aim of this list I managed to install and run mysql radius and gnugk.
> from now I want to make a system that works with tariff and prepaid
> balances.
> for example usera calls userb and it talks 60 seconds. the tariff is 1
> USD for 60 seconds.
> so usera's balance must decrease 1 USD. so how can I manage this. What is
> the configuration for this. thank you

I'm just working on a similar setup, hooking up a Nomadix HSG to a
freeradius/MySQL linux box controlling a WLAN hotspot. I have to admit
that I'm not a RADIUS guru though ... :-(
We need to implement pre-paid cards as well. Users can buy 30, 60, 120 min
cards.
I could not figure out how to do this with the unmodified above setup, so
I'm currently patching the MySQL driver.
I implement an additional table holding the "time left" per user. That value
gets sent to the NAS with the Session-Timeout directive as an additional
answer to an authentication request. After each RADIUS-Stop-Accounting-Request,
I subtract the used time from that table. With a short inactivity timer and
automatic reconnect and reauthentication that should work pretty well.
The only snag is that generally I hate this sort of patching, since it
makes it virtually impossible to stay up-to-date when a new version of
freeradius is being rolled out.

So any ideas & suggestions are most welcome!

Cheers, Stefan !



-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
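Alan's pointer to rlm_sqlcounter earlier in this digest and the radacct-based bookkeeping Kyriaki and Stefan describe here come down to the same check at authorization time: sum the accounted seconds for the user, compare against a per-group limit, and either reject or hand the remainder back to the NAS as Session-Timeout, with no driver patching needed. The following is an added example, not code from the thread or from the FreeRADIUS module: a stand-alone Python/sqlite3 model of that check. The Max-All-Session check item and the SUM(AcctSessionTime) counter query follow the shape the sqlcounter module documents; the table contents, the card group names and the user names are constructed.

```python
import sqlite3
from typing import Optional, Tuple

# Minimal subset of the FreeRADIUS SQL schema: group membership, per-group check items
# and the accounting table that Accounting-Stop packets fill in.
SCHEMA = """
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT,
                            op TEXT, Value TEXT);
CREATE TABLE radacct       (RadAcctId INTEGER PRIMARY KEY, UserName TEXT, AcctStartTime TEXT,
                            AcctStopTime TEXT, AcctSessionTime INTEGER);
"""
CHECK_NAME = "Max-All-Session"   # per-group limit in seconds, e.g. 1800 for a 30-minute card

# Counter: total accounted seconds for the user, never reset (a prepaid card does not refill).
COUNTER_QUERY = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName = ?"
LIMIT_QUERY = """
SELECT radgroupcheck.Value FROM radgroupcheck, usergroup
 WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName
   AND radgroupcheck.Attribute = ? ORDER BY radgroupcheck.id
"""


def seed(conn: sqlite3.Connection) -> None:
    """Constructed data: two card types, two card users and the stop records of their
    earlier sessions."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)",
                     [("card-30-001", "card30"), ("card-120-007", "card120")])
    conn.executemany(
        "INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        [("card30", CHECK_NAME, ":=", "1800"), ("card120", CHECK_NAME, ":=", "7200")])
    conn.executemany(
        "INSERT INTO radacct (UserName, AcctStartTime, AcctStopTime, AcctSessionTime) "
        "VALUES (?, ?, ?, ?)",
        [("card-30-001", "2004-10-21 10:00:00", "2004-10-21 10:20:00", 1200),
         ("card-30-001", "2004-10-21 11:00:00", "2004-10-21 11:05:00", 300),
         ("card-120-007", "2004-10-21 09:00:00", "2004-10-21 11:00:00", 7200)])


def authorize(conn: sqlite3.Connection, user: str,
              existing_timeout: Optional[int] = None) -> Tuple[str, dict]:
    """The sqlcounter decision for one Access-Request.

    Returns (module result, reply attributes): "noop" when the user has no limit,
    "reject" when the counter has reached it, else "ok" with Session-Timeout set to
    the remaining seconds (capped by any Session-Timeout another module already set)."""
    row = conn.execute(LIMIT_QUERY, (user, CHECK_NAME)).fetchone()
    if row is None:
        return "noop", {}
    limit = int(row[0])
    used = conn.execute(COUNTER_QUERY, (user,)).fetchone()[0] or 0   # SUM of nothing is NULL
    if used >= limit:
        return "reject", {"Reply-Message": "Your maximum session time has been reached"}
    remaining = limit - used
    if existing_timeout is not None:
        remaining = min(remaining, existing_timeout)
    return "ok", {"Session-Timeout": remaining}


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    seed(conn)
    return {
        "card-30-001": authorize(conn, "card-30-001"),                        # 1500 of 1800 used
        "card-30-001-with-idle-cap": authorize(conn, "card-30-001", 120),    # other module said 120
        "card-120-007": authorize(conn, "card-120-007"),                      # card exhausted
        "no-card": authorize(conn, "staff-user"),                             # no limit configured
    }


if __name__ == "__main__":
    for user, (result, reply) in demo().items():
        print(f"{user:28s} {result:6s} {reply}")
```

Two practical caveats follow from the model. The counter only sees sessions that have produced an Accounting-Stop (a running session contributes nothing until it stops), so Session-Timeout on the reply is what actually enforces the limit mid-session, exactly as Stefan relies on; and a NAS that loses its stop packet lets the user keep that time, so interim accounting updates, where the NAS supports them, make the count more honest.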


RE: Missing db_mssql.sql in 1.0.1 distribution

2004-10-21 Thread Rogier Mulder
While digging deeper into the src tree, I'm getting the feeling that there is more I'm 
missing. In src/modules/rlm_sql/drivers/rlm_sql_freetds there is only Makefile. It 
references sql_freetds.c which is not on the system.
 
What do I need to do, to make a plain-vanilla 1.0.1 distribution to work with MS SQL 
Server 7/2000?
 
rgrds rgr



From: [EMAIL PROTECTED] on behalf of Rogier Mulder
Sent: Thu 21-10-2004 10:27
To: [EMAIL PROTECTED]
Subject: Missing db_mssql.sql in 1.0.1 distribution


Hi,
 
I've downloaded and compiled 1.0.1 and I see that the distribution does not contain 
db_mssql.conf. If one of you has this file (MS SQL Server database schema), could you 
send it to me via e-mail?
 
 
Rogier Mulder
[EMAIL PROTECTED]

Re: WPA - Freeradius external script problem

2004-10-21 Thread mikkox
>From: "Alan DeKok" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: WPA - Freeradius external script problem
>Date: Wed, 20 Oct 2004 14:16:42 -0400
>Reply-To: [EMAIL PROTECTED]
>
>[EMAIL PROTECTED] wrote:
>> I'm using freeRadius version 1.0 and Linksys AP. I am trying to
>> authenticate Wlan users using WPA authentication. The actual
>> authentication is supposed to be done in an external script which
>> is launched from freeRadius.
>
>  Are you sure?  From the example you posted, it doesn't look like
>that.

when I start radiusd with parameter it says:

radiusd: FreeRADIUS Version 1.0.0-pre3, for host , built on Jul 29 2004
at 09:36:56

At least I thought I was running version 1.0.0-pre3 :)



>
>> exec login {
>>  wait = yes
>>  program = "/home/tester/loginauth %{User-Name} %{NAS-Identifier}"
>>  input_pairs = request
>>  output_pairs = config
>
>  Ok...
>
>> And in the users file I have the following:
>>
>> DEFAULT  Auth-Type := LOGIN
>>
>> The external script returns exit value 0 and prints the user password in
>> the following manner:
>
>  Why?  You said above that the external script authenticates the user.
>
>  Here, you're saying that the script ALWAYS succeeds, and prints the
>password, for some reason.
>
>  Can you explain why you have the script always succeed?  Can you
>explain why you have the script print the password?

Ok. I wasn't explaining the situation clearly enough. The script always succeeds
only for testing. Later on I will implement some logic in it which will
check the received user account against external systems and return exit value
0 or 1 depending on the external authentication. I print out the password
because I thought it was needed in freeradius to authenticate the EAP-PEAP
authentication request. Obviously I'm wrong?

Has anybody implemented this kind of PEAP/EAP 802.1x authentication for
wlan users using an external script that is called from freeradius?








-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Missing db_mssql.sql in 1.0.1 distribution

2004-10-21 Thread Rogier Mulder



Hi,
 
I've downloaded and compiled 1.0.1 and I see that 
the distribution does not contain db_mssql.conf. If one of you has this file (MS 
SQL Server database schema), could you send it to me via e-mail?
 
 
Rogier Mulder
[EMAIL PROTECTED]