about the passwd in the database

2005-08-05 Thread Lee Bobby


Hello, everyone,
  I am trying to write NAS software which is located on the user's PC. But
now I have met a problem:
  I have read some code of freeradius-0.9.3 and found that on the SERVER
the user-passwd is made out of the MD5 digest. I also found that the server
uses the real user-passwd from the database to compare with the user-passwd
from the RADIUS packet.
  Can anyone help me to resolve the problem? Why is the user-passwd
turned into the real passwd which is used to compare with the passwd from the
database?
  Thank you all for reading my poor English.
regards



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


free radius server sends Shared secret is incorrect

2005-08-05 Thread Geraldin Arthy
Hello,

I am running the FreeRADIUS server which I downloaded from freeradius.org.
I am using my own RADIUS client and not the RADIUS client which is provided along with the server.
This is the response which I get:

Listening on authentication 132.186.71.56:1812
Listening on accounting 132.186.71.56:1813
Listening on proxy 132.186.71.56:1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 132.186.71.55:1813, id=60, length=20
Received Accounting-Request packet from 132.186.71.55 with invalid signature! (Shared secret is incorrect.)
Server rejecting request 0.
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---

However, in /usr/local/etc/raddb/clients.conf I have specified:

client 132.186.71.55 {
        secret = geheimesPasswort
        shortname = imscpt1
}

This 132.186.71.55 is the client from where I send the RADIUS Accounting request.
The client's secrets.cfg has the following info:

## RADIUS Secrets Configuration File
## Example:
# 12.34.45.67 sOMEsTUPIDsECRET
132.186.71.56 geheimesPasswort

Could you tell me where I'm going wrong? How do I make the server accept my request, and how do I get back a response?
Regards,
tester
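
As an added example (not code from either post or from FreeRADIUS), the two protocol checks behind Lee Bobby's question above and this thread's "invalid signature" message: a server validates an Accounting-Request by recomputing MD5 over the packet (with the authenticator zeroed) plus the shared secret (RFC 2866), and it recovers a PAP User-Password by reversing the MD5/XOR hiding keyed by the secret and the random Request Authenticator (RFC 2865). Which is why a mismatched secret produces exactly the rejection logged above, and why the server ends up holding the cleartext password it then compares with the database. The secret, identifier and attribute bytes here are constructed placeholders.

```python
"""Added example, not code from the list posts: how a RADIUS server validates an
Accounting-Request's Request Authenticator (RFC 2866 section 3) and how a PAP
User-Password is hidden and recovered (RFC 2865 section 5.2). All values are
constructed; the shared secret is a placeholder, not one from the posts."""
import hashlib
import hmac
import os
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request the way a NAS must: the 16-byte Request
    Authenticator is MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def accounting_signature_valid(packet: bytes, secret: bytes) -> bool:
    """Server-side check. A different secret on the NAS gives a different MD5,
    hence the 'invalid signature! (Shared secret is incorrect.)' rejection."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, authenticator, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """PAP hiding (Access-Request only): pad with NULs to a multiple of 16 bytes
    (at least 16), then XOR each block with MD5(Secret + previous block); the
    first 'previous block' is the random Request Authenticator of the packet."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out = b""
    prev = request_authenticator
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server's side of the same transform: whoever holds the shared secret
    recovers the cleartext, which is then compared with the stored credential.
    That is the 'turned into the real passwd' step the first post asks about."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def demo():
    secret = b"example-shared-secret"  # constructed placeholder
    # An attribute-less Accounting-Request is exactly 20 bytes, like the
    # length=20 packet in the debug output above.
    packet = build_accounting_request(60, b"", secret)
    with_right_secret = accounting_signature_valid(packet, secret)
    with_wrong_secret = accounting_signature_valid(packet, b"a-different-secret")

    request_authenticator = os.urandom(16)  # random per Access-Request
    hidden = hide_password(b"correct horse battery", secret, request_authenticator)
    recovered = reveal_password(hidden, secret, request_authenticator)
    return with_right_secret, with_wrong_secret, hidden, recovered


if __name__ == "__main__":
    ok, bad, hidden, recovered = demo()
    print("accounting signature with right secret:", ok)
    print("accounting signature with wrong secret:", bad)
    print("hidden User-Password is", len(hidden), "bytes; recovered:", recovered)
```

The two authenticators are different animals: on an Accounting-Request it is a keyed digest of the whole packet, so a wrong secret is detected before any attribute is processed; on an Access-Request it is a random nonce that only keys the password hiding, and the hiding is reversible by anyone with the secret, which is the reason the secret itself has to be protected.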

Re: Freeradius + TLS for Wifi networks

2005-08-05 Thread Moonshi Mohsenruddin
Thank you for the feedback Kris! I truly appreciate it.
I shall send the HOWTO to you in a separate email. 

--Moonshi



On Wed, 2005-08-03 at 08:21 -0700, Kris Benson wrote:
 [EMAIL PROTECTED] on August 3, 2005 at 03:51 -0800 wrote:
 However, I noticed that we have had multiple dropped connections from
 Windows XP Pro with the Planet WAP-4000 and 3Com Office Connect Wireless
 Access Points every 30 to 45 minutes, but the freeradius server logs do
 not show any errors.
 
 Remember: the logs only show what is sent to the radius server -- if the
 WAP doesn't send an accounting packet or authentication packet, nothing
 will be in your logs.
 
 I don't think this is a freeradius issue but I need to verify with
 someone that this is not a radius related problem. 
 
 It doesn't sound like it is.
 
 Are there any configuration parameters within freeradius that I can tweak
 to debug and check that radius is not the one causing this problem?
 
 Well, if you start radius like so: radiusd -X it will output debug info
 to stdout.  It's rather complete information, but it only starts one
 process and may cause more output than you really want.
 
 Logically, I don't think it's a radius issue but I might be wrong.
 
 The only way it's a radius issue is if the machine is trying to
 reauthenticate, and radius is denying it the second time.  Of course, this
 would show up in the radius logs if your AP was doing the right thing.
 
 If there is anyone that would like to get a copy of our RADIUS + TLS
 HOWTO documentation with to find out how we did this integration, please
 send me a personal email and I will send the PDF copy over.
 
 I'd love to see your documentation -- we're in the process of writing our
 own now, and anything that might have some more gotchas is good.
 
 -kb
 --
 Kris Benson, CCP, I.S.P.
 Technical Analyst, District Projects
 School District #57 (Prince George)
 



auth proxied, not acct using users file setting Proxy-To-Realm

2005-08-05 Thread Tariq Rashid
]: module acct_unique returns ok for request 2
rlm_realm: Looking up realm dsl3.ukonline.co.uk for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm dsl3.ukonline.co.uk
  modcall[preacct]: module suffix returns noop for request 2
  modcall[preacct]: module files returns noop for request 2
modcall: group preacct returns ok for request 2
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 2
radius_xlat:
'/opt/freeradius102/var/log/radius/radacct/212.135.9.6/detail-20050805'
rlm_detail:
/opt/freeradius102/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to
/opt/freeradius102/var/log/radius/radacct/212.135.9.6/detail-20050805
  modcall[accounting]: module detail returns ok for request 2
  modcall[accounting]: module unix returns ok for request 2
radius_xlat:  '/opt/freeradius102/var/log/radius/radutmp'
radius_xlat:  '[EMAIL PROTECTED]'
  modcall[accounting]: module radutmp returns ok for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 29 to 212.135.9.6:1512
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 212.135.9.6:1512, id=30,
length=135
User-Name = [EMAIL PROTECTED]
Service-Type = Framed-User
NAS-IP-Address = 82.108.57.17
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Stop
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 3
  modcall[preacct]: module preprocess returns noop for request 3
rlm_acct_unique: Hashing 'NAS-Port = 1234,Client-IP-Address =
212.135.9.6,NAS-IP-Address = 82.108.57.17,Acct-Session-Id =
1234,User-Name = [EMAIL PROTECTED]'
rlm_acct_unique: Acct-Unique-Session-ID = d0c84fbbd11b50cb.
  modcall[preacct]: module acct_unique returns ok for request 3
rlm_realm: Looking up realm dsl3.ukonline.co.uk for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm dsl3.ukonline.co.uk
  modcall[preacct]: module suffix returns noop for request 3
  modcall[preacct]: module files returns noop for request 3
modcall: group preacct returns ok for request 3
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 3
radius_xlat:
'/opt/freeradius102/var/log/radius/radacct/212.135.9.6/detail-20050805'
rlm_detail:
/opt/freeradius102/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to
/opt/freeradius102/var/log/radius/radacct/212.135.9.6/detail-20050805
  modcall[accounting]: module detail returns ok for request 3
  modcall[accounting]: module unix returns ok for request 3
radius_xlat:  '/opt/freeradius102/var/log/radius/radutmp'
radius_xlat:  '[EMAIL PROTECTED]'
  modcall[accounting]: module radutmp returns ok for request 3
modcall: group accounting returns ok for request 3
Sending Accounting-Response of id 30 to 212.135.9.6:1512
Finished request 3


Re: Multiple Password Prompts

2005-08-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 As I'm troubleshooting this, I generated another question in my head.  
 This time I'll give some freeradius debug (see blocks 
 between *):
 
 Here's an excerpt from first try (failure):
...
 Sending Access-Challenge of id 186 to 192.168.3.2:1024

  That doesn't look like a failure to me.  The supplicant may stop
talking to the server, and start a new session, but the server thinks
everything's OK.

 I looked back through some of the output, and it seems that each time 
 it fails I get eaptls_process returned 13, but when it succeeds I 
 get eaptls_process returned 7.  Anyone know what 7 and 13 represent 
 (please don't say 'success' or 'failure'...I'm hoping it's more 
 meaningful than that).

  From src/modules/rlm_eap/types/rlm_eap_tls.h:

typedef enum {
    EAPTLS_INVALID = 0,                 /* 0: invalid, don't reply */
    EAPTLS_REQUEST,                     /* 1: request, ok to send, invalid to receive */
    EAPTLS_RESPONSE,                    /* 2: response, ok to receive, invalid to send */
    EAPTLS_SUCCESS,                     /* 3: success, send success */
    EAPTLS_FAIL,                        /* 4: fail, send fail */
    EAPTLS_NOOP,                        /* 5: noop, continue */
    EAPTLS_START,                       /* 6: start, ok to send, invalid to receive */
    EAPTLS_OK,                          /* 7: ok, continue */
    EAPTLS_ACK,                         /* 8: acknowledge, continue */
    EAPTLS_FIRST_FRAGMENT,              /* 9: first fragment */
    EAPTLS_MORE_FRAGMENTS,              /* 10: more fragments, to send/receive */
    EAPTLS_LENGTH_INCLUDED,             /* 11: length included */
    EAPTLS_MORE_FRAGMENTS_WITH_LENGTH,  /* 12: more fragments with length */
    EAPTLS_HANDLED                      /* 13: tls code has handled it */
} eaptls_status_t;

  So I don't see any particular reason why one session would succeed
and the other would fail.

 Also, anyone know what the rlm_eap_tls messages mean that accompany
 the 'returned 13' block?

  Information about internal TLS stuff.  There are a *lot* of TLS
packets that go back and forth.

  At this point, the only thing I can suggest is to put a packet
capture on the net somewhere.  That might give more information.

  Alan DeKok.



Re: Question about Freeradius for mobile device authentication

2005-08-05 Thread Jasper Jans
Alan,

Thanks for your reply and sorry for my sluggishness in getting
back to you with more info...

Alan DeKok [EMAIL PROTECTED] wrote:
 
   Yes.  The server allows you nearly unlimited control over what to
 look for, and what to do when it finds data of interest.

That is good to know :)
 
   Your description is useful, but still a little vague.  You describe
 what you want, but not how the data is seen by the RADIUS server
 (i.e. attributes).

OK.. let's give this another shot.. the setup I'm building is to
authenticate/authorize and account mobile users.
The user will specify his username (User-Name), his password
(User-Password) and the NAS is also configured to send the
MS-ISDN to the radius server, which I'm told is sent using
Calling-Station-ID.

Now the way I want this to work is that as soon as a request comes
in from the NAS the radius server will check Calling-Station-ID
against a list of known values and if no match is found it denies
the request.

If a match is found it will go on to check for a valid username
and password combination. If none is found it should reject the
session. If a match is found it should reply with the proper
attributes.

In an ideal situation I'd like to use realms and bind a group of
known Calling-Station-ID's to a specific realm. If this is not possible
then a generic list of Calling-Station-ID's for all users will also
work but is the less preferred solution.

So if I go thru the steps I get..

1. Check realm
a) no realm - reject
b) realm found go to 2

2. Check Calling-Station-ID
a) no match found for this realm - reject
b) match - go to 3

3. Check user+pass
a) no match - reject
b) match - return attribs for user

So in this situation:

realm test1:
- known cli's ,1112,1113
- known users [EMAIL PROTECTED] w/ pass moo

realm test2:
- known cli's ,2223,2224
- known users [EMAIL PROTECTED] w/ pass bla

If [EMAIL PROTECTED] tries to login with pass of moo coming from cli -1113
he is allowed - any other cli will not be allowed.

I saw the rlm_checkval module.. is this what I would use for this?

A sample configuration and users file entry would be really appreciated.

I hope this helps to clarify the issue,


Thanks,

 - Jasper

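
As an added example (not a FreeRADIUS configuration, and not from the post or the project), the three-step policy above written out as a small decision routine: realm first, then the realm's Calling-Station-Id allow-list, then the credentials. The realm names and CLI values follow the post; the user names and passwords are constructed stand-ins. One design point the steps leave open is what the client is told: the routine logs the precise reason server-side but sends the same Access-Reject for all three failures, so a caller cannot probe which check stopped it.

```python
"""Added example, not a FreeRADIUS configuration from the post or the project:
a model of the three-step policy (realm, then Calling-Station-Id allow-list,
then credentials). Realm names and CLI values follow the post; the user names
and passwords are constructed stand-ins."""
import hmac

# Constructed policy table. In a real deployment the passwords would be stored
# hashed, or the check delegated to rlm_sql/rlm_ldap, not kept in clear here.
REALMS = {
    "test1": {"clis": {"1112", "1113"}, "users": {"alice": "moo"}},
    "test2": {"clis": {"2223", "2224"}, "users": {"bob": "bla"}},
}


def split_realm(user_name: str):
    """'alice@test1' -> ('alice', 'test1'); a name without '@' has no realm."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def authorize(request: dict, realms=REALMS):
    """Return (reply code, server-side reason, reply attributes).

    The reason is for the log only: the client always gets the same
    Access-Reject, so it cannot tell whether realm, CLI or password failed."""
    user, realm = split_realm(request.get("User-Name", ""))
    reject_attrs = {"Reply-Message": "Access denied"}

    # 1. The realm must be known.
    if realm not in realms:
        return "Access-Reject", f"unknown realm {realm!r}", reject_attrs
    policy = realms[realm]

    # 2. The Calling-Station-Id must be on this realm's list. This is the
    #    cheap check, so it runs before the credential store is touched.
    cli = request.get("Calling-Station-Id")
    if cli not in policy["clis"]:
        return "Access-Reject", f"cli {cli!r} not permitted for realm {realm}", reject_attrs

    # 3. User and password. Constant-time compare; an unknown user is treated
    #    exactly like a bad password so the two cases are indistinguishable.
    expected = policy["users"].get(user, "")
    supplied = request.get("User-Password", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "Access-Reject", f"bad credentials for {user}@{realm}", reject_attrs

    return "Access-Accept", "ok", {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}


if __name__ == "__main__":
    # Constructed requests, one per branch of the policy.
    for req in (
        {"User-Name": "alice@test1", "User-Password": "moo", "Calling-Station-Id": "1113"},
        {"User-Name": "alice@test1", "User-Password": "moo", "Calling-Station-Id": "2223"},
        {"User-Name": "alice@test3", "User-Password": "moo", "Calling-Station-Id": "1113"},
        {"User-Name": "alice@test1", "User-Password": "nope", "Calling-Station-Id": "1113"},
    ):
        code, reason, attrs = authorize(req)
        print(code, "|", reason, "|", attrs)
```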


Re: Coa and Disconnect Message

2005-08-05 Thread Alan DeKok
gennaro amelio [EMAIL PROTECTED] wrote:
 To use sqlcounter and disconnect is probably more flexible because a prepaid
 user can buy more time and so the session's length can dynamically change.
 What do you think?

  Sure, but that's not using disconnect.  That's Change of
Authorization.  And if the user buys more time, all you really need is
a RADIUS client to send a CoA packet to the NAS.  The RADIUS server
doesn't really have to be involved.

  Alan DeKok.


Re: about the passwd in the database

2005-08-05 Thread Alan DeKok
Lee Bobby [EMAIL PROTECTED] wrote:
Any one can help me to resolve the problem? Why the user-passwd is 
 turned into real passwd which is used to compare with the passwd from the 
 database? 

  Because that's how security systems work.

  If that's a difficult point to get, I would strongly suggest that
you not write NAS software.

  Alan DeKok.



Re: FreeRadius Authentication Question

2005-08-05 Thread Alan DeKok
Hamid Salim [EMAIL PROTECTED] wrote:
 With the following setup to use eap-tls, do I need to enable mschap?

  No.  EAP-TLS doesn't use mschap.  But if you're going to use PEAP,
it needs mschap.

  Since mschap is enabled in the default configuration, I'm not sure
why this is a problem.

 the problem is that the radius is not receiving any requests from the 
 client!

  Then that has nothing to do with mschap or eap-tls, or anything in
the server.

  Use tcpdump to see where the packets are going.

  Alan DeKok.



Re: auth proxied, not acct using users file setting Proxy-To-Realm

2005-08-05 Thread Alan DeKok
Tariq Rashid [EMAIL PROTECTED] wrote:
 I am finding that auth requests are proxied, as expected, but not
 accounting.
 
 This appears to affect domain names which are proxied according to wildcard
 entries in the users file as follows:

  Add those lines to the acct_users file.

  Alan DeKok.


AcctOutputOctets and AcctInputOctets limit

2005-08-05 Thread Michel Bélanger

Hi,

I installed a freeradius for PPPoE users and I have problems with
AcctOutputOctets and AcctInputOctets which are limited to 2 GB. Several of
my users download 75 GB and more per month. Is this limit normal?
Do all the ISPs have this problem? How can I bypass this limit?


-Michel




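
As an added example (not from the post), the arithmetic behind the ceiling described above: Acct-Input-Octets and Acct-Output-Octets are 32-bit RADIUS integers, a NAS that counts past 4 GiB carries the high 32 bits in Acct-Input-Gigawords and Acct-Output-Gigawords (RFC 2869), and a MySQL signed INT column stores at most 2^31-1, roughly 2 GB. The accounting record below is constructed to show both effects at once.

```python
"""Added example, not code from the post: recombining the 64-bit byte count from
the Octets and Gigawords attributes (RFC 2869) and checking what survives a
32-bit signed column. The accounting record is constructed."""

INT32_SIGNED_MAX = 2**31 - 1   # largest value a MySQL INT (signed) column stores
UINT32_MAX = 2**32 - 1         # largest value a RADIUS integer attribute carries


def total_octets(attrs: dict, direction: str) -> int:
    """Recombine the 64-bit byte count for one direction ('Input' or 'Output')."""
    if direction not in ("Input", "Output"):
        raise ValueError(f"direction must be Input or Output, not {direction!r}")
    low = attrs.get(f"Acct-{direction}-Octets", 0)
    high = attrs.get(f"Acct-{direction}-Gigawords", 0)   # absent on an older NAS: 0
    if not (0 <= low <= UINT32_MAX and 0 <= high <= UINT32_MAX):
        raise ValueError("attribute value outside the 32-bit range RADIUS allows")
    return (high << 32) | low


def split_octets(total: int) -> tuple:
    """Inverse: the (Gigawords, Octets) pair a NAS puts on the wire for a 64-bit count."""
    if not 0 <= total <= 2**64 - 1:
        raise ValueError("count does not fit in 64 bits")
    return total >> 32, total & UINT32_MAX


def fits_signed_int32(value: int) -> bool:
    """Would this value go into a MySQL signed INT column unchanged?"""
    return 0 <= value <= INT32_SIGNED_MAX


# Constructed Accounting-Stop: 75 GiB one way, 1.5 GB the other.
STOP_RECORD = {
    "Acct-Status-Type": "Stop",
    "Acct-Input-Gigawords": 18,
    "Acct-Input-Octets": 3 * 2**30,
    "Acct-Output-Gigawords": 0,
    "Acct-Output-Octets": 1_500_000_000,
}


def describe(attrs: dict = STOP_RECORD) -> dict:
    """Per direction: the true total, and whether the low word alone and the
    total would fit the 32-bit signed column."""
    out = {}
    for d in ("Input", "Output"):
        total = total_octets(attrs, d)
        low = attrs.get(f"Acct-{d}-Octets", 0)
        out[d] = {
            "total": total,
            "low_word_fits_int": fits_signed_int32(low),
            "total_fits_int": fits_signed_int32(total),
        }
    return out


if __name__ == "__main__":
    for direction, info in describe().items():
        print(direction, info)
```

Storing the recombined value needs a 64-bit column (BIGINT in MySQL) and an insert that adds Gigawords shifted by 32 bits; keeping only the Octets word in a signed INT is exactly what produces a wall at about 2 GB.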


Re: Freeradius - LDAP Authentication

2005-08-05 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 5, 2005 at 08:12 -0800 wrote:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '((objectClass=aRadiusAccount)(uid=testuser))'
radius_xlat:  'o=marymount.edu,o=marymount.edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't
contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

Here's the section of your debug where the problem lies.

note this line: 
rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't
contact LDAP server

Have you double checked the IP address?

I'm not sure on how descriptive the error messages are -- perhaps double
check that the admin user/password also works -- start by making it the
full dn of the admin user in the 'identity' field.

If this doesn't work, let me know and we can go from there...

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-05 Thread Dusty Doris
 server (running on another machine). I have the vpn talking successfully to
 freeradius, but I cannot get the onward connection to the LDAP to work. I
 have validated that the server running freeradius is able to talk to the
 ldap by using ldapsearch.

 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
 rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
 rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't
 contact LDAP server
 rlm_ldap: (re)connection attempt failed


This is pretty clear that it cannot connect.  What does your ldapsearch
command look like?  Perhaps, you have the wrong port or ip in your config?
What does telnet 198.100.0.18 389 show you?




RE: auth proxied, not acct using users file setting Proxy-To-Realm

2005-08-05 Thread Tariq Rashid

just to confirm for the archives - this works well.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: 05 August 2005 16:14
To: FreeRadius users mailing list
Subject: Re: auth proxied, not acct using users file setting
Proxy-To-Realm 


Tariq Rashid [EMAIL PROTECTED] wrote:
 I am finding that auth requests are proxied, as expected, but not
 accounting.
 
 This appears to affect domain names which are proxied according to
wildcard
 entries in the users file as follows:

  Add those lines to the acct_users file.

  Alan DeKok.


Coa and Disconnect Message

2005-08-05 Thread gennaro amelio
You are right, I agree with you.
Thanks a lot, Alan.
Gennaro

RE: Freeradius - LDAP Authentication

2005-08-05 Thread Simon Barnes


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dusty
Doris
Sent: Friday, August 05, 2005 11:57 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius - LDAP Authentication

This is pretty clear that it cannot connect.  What does your ldapsearch
command look like?  Perhaps, you have the wrong port or ip in your config?
What does telnet 198.100.0.18 389 show you?

Hi Dusty and Kris,

The IP address I am using for the LDAP is correct; when using ldapsearch 

ldapsearch -h 198.100.0.18 -b "ou=people,o=marymount.edu,o=marymount.edu" -D "cn=directory manager" -W 

I can connect and get prompted for the password, after which I get a
complete dump of the LDAP. 

I did a tcpdump on the freeradius machine and this is the output:

tcpdump: listening on dc0
11:32:59.115890 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: S 3685972564:3685972564(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1366456907 0> (DF)
11:32:59.116137 cooper.marymount.edu.ldap > morris.marymount.edu.34613: S 3939941434:3939941434(0) ack 3685972565 win 49232 <nop,nop,timestamp 48298597 1366456907,mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)
11:32:59.116222 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 1 win 16384 <nop,nop,timestamp 1366456907 48298597> (DF)
11:32:59.116312 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: F 1:1(0) ack 1 win 16384 <nop,nop,timestamp 1366456907 48298597> (DF)
11:32:59.116427 cooper.marymount.edu.ldap > morris.marymount.edu.34613: . ack 2 win 49232 <nop,nop,timestamp 48298597 1366456907> (DF)
11:32:59.117917 cooper.marymount.edu.ldap > morris.marymount.edu.34613: F 1:1(0) ack 2 win 49232 <nop,nop,timestamp 48298597 1366456907> (DF)
11:32:59.117987 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 2 win 16383 <nop,nop,timestamp 1366456907 48298597> (DF)
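
As an added example (not code from the posts), a small reader for tcpdump lines in the format of the capture above. It reports whether the three-way handshake completed, how many payload bytes each side sent, and which side closed first, then turns that into the next question to ask. The sample traces are constructed; the first is modelled on the capture in the post (with the '>' separators the archive stripped), the second shows what a refused port looks like for contrast. On the first trace the handshake completes and the radius machine itself sends the FIN with zero bytes of payload, so no LDAP BindRequest ever went on the wire.

```python
"""Added example, not from the posts: read tcpdump 3.x-style TCP lines and
summarise one connection. Sample traces are constructed; the first is modelled
on the capture in the post above."""
import re
from dataclasses import dataclass
from typing import Optional

# "<time> <src> > <dst>: <flags> [<seq>:<end>(<len>)] [ack <n>] ..."
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

HANDSHAKE_THEN_CLIENT_FIN = [  # constructed, modelled on the capture above
    "11:32:59.115890 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: S 3685972564:3685972564(0) win 16384 (DF)",
    "11:32:59.116137 cooper.marymount.edu.ldap > morris.marymount.edu.34613: S 3939941434:3939941434(0) ack 3685972565 win 49232 (DF)",
    "11:32:59.116222 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 1 win 16384 (DF)",
    "11:32:59.116312 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: F 1:1(0) ack 1 win 16384 (DF)",
    "11:32:59.116427 cooper.marymount.edu.ldap > morris.marymount.edu.34613: . ack 2 win 49232 (DF)",
    "11:32:59.117917 cooper.marymount.edu.ldap > morris.marymount.edu.34613: F 1:1(0) ack 2 win 49232 (DF)",
    "11:32:59.117987 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 2 win 16383 (DF)",
]

CONNECTION_REFUSED = [  # constructed: a closed port answers the SYN with RST
    "12:00:00.000000 morris.marymount.edu.34614 > cooper.marymount.edu.ldap: S 1000:1000(0) win 16384 (DF)",
    "12:00:00.000200 cooper.marymount.edu.ldap > morris.marymount.edu.34614: R 0:0(0) ack 1001 win 0",
]


@dataclass
class Segment:
    src: str
    dst: str
    flags: str
    payload: int
    ack: Optional[int]


def parse_segment(line: str) -> Segment:
    m = LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a tcpdump TCP line: {line!r}")
    return Segment(m["src"], m["dst"], m["flags"], int(m["len"] or 0),
                   int(m["ack"]) if m["ack"] else None)


def analyse(lines) -> dict:
    """Summarise one connection; the first line is taken to be the client's SYN."""
    segs = [parse_segment(line) for line in lines if line.strip()]
    client, server = segs[0].src, segs[0].dst
    syn = "S" in segs[0].flags and segs[0].ack is None
    syn_ack = any(s.src == server and "S" in s.flags and s.ack is not None for s in segs)
    sent = {client: 0, server: 0}
    for s in segs:
        sent[s.src] = sent.get(s.src, 0) + s.payload
    return {
        "client": client,
        "server": server,
        "handshake": syn and syn_ack,
        "reset": any("R" in s.flags for s in segs),
        "client_bytes": sent[client],
        "server_bytes": sent[server],
        "closed_first_by": next((s.src for s in segs if "F" in s.flags), None),
    }


def diagnose(summary: dict) -> str:
    """Turn the summary into the question a defender should ask next."""
    if not summary["handshake"]:
        if summary["reset"]:
            return "no TCP connection: the server refused the port (RST), check the port and the service"
        return "no TCP connection: no SYN/ACK seen, check routing and filtering"
    if summary["client_bytes"] == 0 and summary["closed_first_by"] == summary["client"]:
        return ("TCP handshake completed but the client closed without sending any data: "
                "the LDAP client gave up before a BindRequest, so look at the client's "
                "library or configuration rather than at reachability")
    if summary["server_bytes"] == 0:
        return "client sent data but the server never answered at the application layer"
    return "application data flowed both ways; the failure is inside the protocol exchange"


if __name__ == "__main__":
    for name, trace in (("capture", HANDSHAKE_THEN_CLIENT_FIN), ("refused", CONNECTION_REFUSED)):
        print(name, "->", diagnose(analyse(trace)))
```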


Accepting all users in PEAP

2005-08-05 Thread Pedro Ribeiro
Hello freeradius-users,

  I'm trying to make life easier for users that don't configure
  access to our wireless network well or are using the wrong
  credentials.

  My idea was to always accept them, but force them onto some special
  network (VLAN) that for every web access redirects them to a page
  explaining the problem (yes, I know Reply-Message is meant for this,
  but unfortunately Windows doesn't show the message to users ...)

  I've made some tests of this without success ...

  Does anyone have a similar setup that could give me some tips
  (example configuration)?
  
  Thanks!

  Note: Our wireless network is based on Cisco AP1230G APs with
  FreeRADIUS doing the AAA and getting the users' credentials from a
  MySQL backend.
  Authentication EAP/PEAP/MSCHAPv2 or EAP/TTLS/PAP
  For curious people, here is the URL for some extra information:
  http://www.net.ipl.pt/index.php?id=19 (in Portuguese)
  
-- 
Best regards,
 Pedro  mailto:[EMAIL PROTECTED]



Re: Authorize based on the destination IP

2005-08-05 Thread Alan DeKok
Ana Bizarro [EMAIL PROTECTED] wrote:
 We're running a virtual lab (with freeradius as our AAA server) and we have
 users that at specific points in time should be allowed to access some
 devices in the lab but sometime later, when they swap out their experiment,
 we need to deny access to those devices.
 
 How can I do this?

  1. Determine what information is in the radius requests
  2. configure the server to accept those packets
  3. at a later time, configure the server to reject those packets

  Alan DeKok.


Re: Multiple Password Prompts

2005-08-05 Thread ragan_davis
Thanks for the response.  See below:

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
Date: Friday, August 5, 2005 11:03 am
Subject: Re: Multiple Password Prompts

 [EMAIL PROTECTED] wrote:
  As I'm troubleshooting this, I generated another question in my 
 head.  
  This time I'll give some freeradius debug (see blocks 
  between *):
  
  Here's an excerpt from first try (failure):
 ...
  Sending Access-Challenge of id 186 to 192.168.3.2:1024
 
  That doesn't look like a failure to me.  The supplicant may stop
 talking to the server, and start a new session, but the server thinks
 everything's OK.
 

Sorry...maybe I used the wrong word.  By failure, I meant that from
the end user's perspective, the first attempt was a failure.

If the server gets an incomplete reply to its challenge, or no reply,
will it resend its challenge?  Or, will the client sense that the
server didn't respond to its challenge response and start a new
session?  I ask because, in talking to the vendors, there is a question
of which side is giving up, or which side isn't sending complete
requests/responses.  Of course, because each vendor has their own radius
server and 802.1x client solution, they want to blame freeradius so that
I'll buy their product.  I'm trying my hardest to fight this, because
I'm a big freeradius fan.

The debug on the Odyssey Client shows that it believes it sent the
response to the challenge.  The debug on the WLAN switch shows that it
forwards both the challenge from freeradius and the challenge response
from the client.  Freeradius debug appears to get the response from the
client, sees the outer credentials (anonymous, etc.), but doesn't
process the tunneled information for some reason. 

  I looked back through some of the output, and it seems that each time
  it fails I get eaptls_process returned 13, but when it succeeds I
  get eaptls_process returned 7.  Anyone know what 7 and 13 represent
  (please don't say 'success' or 'failure'...I'm hoping it's more
  meaningful than that).
 
  From src/modules/rlm_eap/types/rlm_eap_tls.h:
 
 typedef enum {
     EAPTLS_INVALID = 0,                 /* 0: invalid, don't reply */
     EAPTLS_REQUEST,                     /* 1: request, ok to send, invalid to receive */
     EAPTLS_RESPONSE,                    /* 2: response, ok to receive, invalid to send */
     EAPTLS_SUCCESS,                     /* 3: success, send success */
     EAPTLS_FAIL,                        /* 4: fail, send fail */
     EAPTLS_NOOP,                        /* 5: noop, continue */
     EAPTLS_START,                       /* 6: start, ok to send, invalid to receive */
     EAPTLS_OK,                          /* 7: ok, continue */
     EAPTLS_ACK,                         /* 8: acknowledge, continue */
     EAPTLS_FIRST_FRAGMENT,              /* 9: first fragment */
     EAPTLS_MORE_FRAGMENTS,              /* 10: more fragments, to send/receive */
     EAPTLS_LENGTH_INCLUDED,             /* 11: length included */
     EAPTLS_MORE_FRAGMENTS_WITH_LENGTH,  /* 12: more fragments with length */
     EAPTLS_HANDLED                      /* 13: tls code has handled it */
 } eaptls_status_t;
 
  So I don't see any particular reason why one session would succeed
 and the other would fail.
 

So, does this mean that I should interpret the above enum to have
elements 0-13, or 1-14, and match the numbers 7 and 13 with their
position in the enum?

  Also, anyone know what the rlm_eap_tls messages mean that accompany
  the 'returned 13' block?
 
  Information about internal TLS stuff.  There are a *lot* of TLS
 packets that go back and forth.
 

I'm curious why we can see the TLS stuff during the first try (13), but
not the second try (7).  What is the difference?  I agree...it seems
like there should be nothing different between what the client sends in the
first try and the second.

  At this point, the only thing I can suggest is to put a packet
 capture on the net somewhere.  That might give more information.
 

I performed a packet capture using ethereal, listening on the interface
that freeradius is running on.  Did this on the box, not inline.  I
would rather not post it to the list, but I'd be glad to send it to you
if you'd be willing to look at it.  Let me know.

  Alan DeKok.
 


Re: Freeradius - LDAP Authentication

2005-08-05 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 5, 2005 at 09:58 -0800 wrote:

This is pretty clear that it cannot connect.  What does your ldapsearch
command look like?  Perhaps, you have the wrong port or ip in your
config?
What does telnet 198.100.0.18 389 show you?

Hi Dusty and Kris,

The ip address I am using for the ldap is correct, when using ldapsearch 

ldapsearch -h 198.100.0.18 -b "ou=people,o=marymount.edu,o=marymount.edu" -D "cn=directory manager" -W 

I can connect and get prompted for the password, after which I get a
complete dump of the LDAP. 

What if you change the identity portion of the radiusd.conf to be the
full DN of the admin user?  I have a sneaking suspicion that the can't
connect may also include can't authenticate...

So, assuming that the directory manager user is in the people ou, try
this for the identity:
cn=directory manager,ou=people,o=marymount.edu,o=marymount.edu

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



RE: Freeradius - LDAP Authentication

2005-08-05 Thread Simon Barnes

What if you change the identity portion of the radiusd.conf to be the
full DN of the admin user?  I have a sneaking suspicion that the can't
connect may also include can't authenticate...

So, assuming that the directory manager user is in the people ou, try
this for the identity:
cn=directory manager,ou=people,o=marymount.edu,o=marymount.edu


Kris,

I have tried various accounts, my own and test accounts, along with variations
of the DN and I get the same errors. I'm at a loss as ldapsearch and
telnetting to the port all seem to work.

Simon




Re: Freeradius - LDAP Authentication

2005-08-05 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 5, 2005 at 12:27 -0800 wrote:

I have tried various accounts my own and test accounts along with
variations
of the DN and I get the same errors. I'm at a loss as ldapsearch and
telneting to the port all seem to work.

Well, having just looked at your config again, I'm wondering if it isn't
this filter:
 ldap: filter = ((objectClass=aRadiusAccount)(uid=%u))

is that 'a' supposed to be there?

Also, have you custom defined the LDAP schema for this objectclass?  If
not, I don't believe 'aRadiusAccount' is valid, at least not in the
standard OpenLDAP w/FreeRadius extensions schema that I have.

What if you start by removing that part of the filter and just searching
for the uid?

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



expiration

2005-08-05 Thread Carl Peterson
I am trying to set an expiration date for daily cards where the expiration date 
is inserted into the database with a postauth query.  I am not sure how to add 
this to my radiusd.conf file (1.0.4).  I am guessing that I need a key, 
counter-name and check-name.  

right now I have:

expiration {
reply-message = Your account has expired, %{User-Name}\r\n
}


Also, do I need to add expiration to instantiate?  

Thanks for any input,
Carl Peterson



different eap/tls config for different interfaces

2005-08-05 Thread ragan_davis
I'm running freeradius on a linux box with 2 nics, eth0 and eth1.  
Let's say eth0 has an ip of 192.168.5.5, and eth1 has an ip of 
192.168.6.6.  And, eth0 is a member of vlan 5 and eth1 is a member of 
vlan 6.  I bind freeradius to *, so it's listening on both 
interfaces/ip's.

I generated freeradius' tls certificate with a common name matching 
the ip of eth0 (192.168.5.5).  Will this cause problems when a client 
tries to connect to freeradius via eth1 (192.168.6.6)?  If so, is it 
possible to have 2 different tls sections that service the 2 different 
interfaces?  Seems like I read somewhere that you can represent more 
than one IP in the common name of a certificate, but can't remember 
for sure as it's been a while.  Anyone have any suggestions?

thanks!


Max-Daily-Session

2005-08-05 Thread N White
Can I set Max-Daily-Session = 1800 in the radgroupcheck table (MySQL), 
and if so is the max of 1800 set for the entire group, or for each user 
in that group?


Thanks

--
---
| Nick White  |
| [EMAIL PROTECTED] |
---



Re: expiration

2005-08-05 Thread Alan DeKok
Carl Peterson [EMAIL PROTECTED] wrote:
 I am trying to set an expiration date for daily cards where the
 expiration date is inserted into the database with a postauth query.
 I am not sure how to add this to my radiusd.conf file (1.0.4). I am
 guessing that I need a key, counter-name and check-name.
...
 expiration {
 reply-message = Your account has expired, %{User-Name}\r\n
 }

  The expiration module does not exist in 1.0.4.

  The Expiration feature doesn't work in 1.0.4.  We will be releasing
1.0.5 to correct this, and other issues.

  Alan DeKok.



Re: different eap/tls config for different interfaces

2005-08-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I generated freeradius' tls certificate with a common name matching 
 the ip of eth0 (192.168.5.5).  Will this cause problems when a client 
 tries to connect to freeradius via eth1 (192.168.6.6)?

  No, because the wireless clients interact with the server via IP, so
they don't know its IP address.

 If so, is it possible to have 2 different tls sections that service
 the 2 different interfaces?

  No.  FreeRADIUS supports only 1 TLS module at a time.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple Password Prompts

2005-08-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 If the server gets an incomplete reply to its challenge, or no reply,
 will it resend its challenge?

  No.  RADIUS is entirely driven by the clients.

 Or, will the client sense that the server didn't respond to its
 challenge response and start a new session.

  The client *does* see the Access-Challenge, but it decides for some
reason to stop talking to the server.

 Of course, because each vendor has their own radius server and
 802.1x client solution, they want to blame freeradius so that I'll
 buy their product.

  FreeRADIUS is interoperable with pretty much everything out there.
Novell is dumping their proprietary server for FreeRADIUS.  Zyxel is
selling a $500 FreeRADIUS box (with some question of possible GPL
violations), and I know of 2 other companies using FreeRADIUS as part
of their RADIUS server solutions.

   I'm trying my hardest to fight this, because I'm a big freeradius
 fan.

  Thanks.

 The debug on the Odyssey Client shows that it believes it sent the
 response to the challenge.  The debug on the WLAN switch shows that it
 forwards both the challenge from freeradius and the challenge response
 from the client.  Freeradius debug appears to get the response from the
 client, sees the outer credentials (anonymous, etc.), but doesn't
 process the tunneled information for some reason. 

  Hmm... I do know that the odyssey client does some very weird
things.  In some cases, it's interoperable *only* with Funk's server,
which is a nice way for them to say other servers are broken, rather
than our client is broken.

 So, does this mean that I should interpret the above enum to have
 elements 0-13, or 1-14, and match the numbers 7 and 13 with its
 position in the enum?

  0-13

 I'm curious why we can see the TLS stuff during the first try (13), but
 not the second try (7).  What is the difference? 

  The client is behaving differently the second time around.

  FreeRADIUS treats the two TLS sessions as being 100% unique.  It
responds in the same way to the same input every time.  So if one
session fails and the other succeeds, it's because the client is doing
something different.

 I performed a packet capture using ethereal, listening on the interface
 that freeradius is running on.  Did this on the box, not inline.  I
 would rather not post it to the list, but I'd be glad to send it to you
 if you'd be willing to look at it.  Let me know.

  Put it on a web page and mail me the link.

  On a plus, the latest version of Ethereal appears to have stolen the
FreeRADIUS dictionary files, so the radius packets it decodes should
make a lot more sense.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: different eap/tls config for different interfaces

2005-08-05 Thread Kris Benson
[EMAIL PROTECTED] wrote:
 If so, is it possible to have 2 different tls sections that service
 the 2 different interfaces?

  No.  FreeRADIUS supports only 1 TLS module at a time.

What Alan forgot to mention is a solution.

If you run two copies of the Radius server, with one bound to either a
different set of ports, or one to each IP, you could have separate configs.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rewriting the User-Name attr

2005-08-05 Thread Matteo Faleschini


Hi,

i'm looking for some help to rewrite the User-Name attribute.

My problem is:

my organisation has to proxy to two different realms on two different 
servers.
one realm is students, the other is professors (some users are handled 
locally).
The User-Name of professors is [EMAIL PROTECTED] so it was easy to 
prepare a realm in proxy.conf named professors.
The students realm is not explicitly found in the User-Name attributes 
but I can distinguish the students by the presence of a '.' (dot) in the 
username.

(I used this rule in the users file:
DEFAULT User-Name =~ "\\.", Proxy-To-Realm := "encrypt")

My problem is now that I want to change the User-Name attr for students 
only, to [EMAIL PROTECTED] before proxying it to the other radius 
server.

I was planning to use rlm_attr_rewrite and I see 2 ways to do it:
1) I recognize the realm by the Proxy-To-Realm attr, but I don't know how 
to tell it to the attr_rewrite module

attr_rewrite studenti {
        attribute = User-Name
        # may be packet, reply, proxy, proxy_reply or config
        searchin = proxy
        searchfor = "$"
        replacewith = "@students"
        ignore_case = no
        new_attribute = no
        max_matches = 10
        append = no
}

2) I recognize once again the packet by the presence of a '.' (dot) in 
the name but I don't know if I can use a perlish/awkish expression like

attr_rewrite studenti {
        attribute = User-Name
        # may be packet, reply, proxy, proxy_reply or config
        searchin = proxy
        searchfor = "\(*\\.*\)"
        replacewith = [EMAIL PROTECTED]
        ignore_case = no
        new_attribute = no
        max_matches = 10
        append = no
}

Can you address me in the right direction?

Thank you,
  matteo faleschini



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple Password Prompts

2005-08-05 Thread Josh Howlett

Alan DeKok wrote:

Zyxel is selling a $500 FreeRADIUS box (with some question of possible GPL
violations)


*sigh*

If this is the case I hope you will inform the list.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Removing Authentication

2005-08-05 Thread Robin

Hi everyone,

I have just started using freeradius and have managed to setup access by 
username/password to my hotspot controller with mysql as the backend.  It 
works fine and even sends back the session-timeout (1 hour for testing) so 
my controller forces users to re-authenticate.  I created a few perl 
scripts for managing my customers, removing users from the rad tables after 
their time expires or else people could just login again and get another 
hour.  Is this a correct way to manage users, or is there a method using 
accounting modules to prevent people from logging in after their time has 
expired?


Thank you for any assistance,

Robin

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


hot spot, each additional minute scenario

2005-08-05 Thread Will Carter
Hi,

I am wondering if anyone out there has implemented freeradius in a wifi
hotspot where you bill a user's credit card for a certain amount
of time that they purchase upfront and then for each additional minute that
they want to continue, it's an additional charge per minute?

I am kind of hung up on how the additional minutes can be added for a user
in freeradius in conjunction with how the credit card processing would work
in this type of scenario.

Currently we have it so that once the user hits their expiration in radius,
they have to buy more time to keep going.

Any ideas would be great.

-will


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rewriting the User-Name attr

2005-08-05 Thread Alan DeKok
Matteo Faleschini [EMAIL PROTECTED] wrote:
 My problem is now that I want to change the User-Name attr for students 
 only, to [EMAIL PROTECTED] before proxying it to the other radius 
 server.

   That's what pre-proxy-users file is for.


DEFAULT   User-Name =~ "\\."
  User-Name := [EMAIL PROTECTED]

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

2005-08-05 Thread Michael Wang
Hi Landon,

I think this piece from the log is suspicious:

 rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls:  TLS 1.0 Handshake [length 02ab], Certificate
 -- verify error:num=18:self signed certificate
 chain-depth=0,
 error=18
 -- User-Name = 360VL
 -- BUF-Name = 360VL
 -- subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
 Incorporated/CN=360VL/emailAddress=emailwithheld
 -- issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
 Incorporated/CN=360VL/emailAddress=emailwithheld
 -- verify return:0
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
 TLS Alert write:fatal:unknown CA
   TLS_accept:error in SSLv3 read client certificate B
 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

I think the problem is the user certificate that you imported into XP
is self-signed.  What you need to do is use openssl to create a
certificate request (using openssl req ...) and then sign that request
using the CA (using openssl ca).  Then package up the user key and
signed user cert into the pkcs#12 envelope (using openssl pkcs12). 
Finally import into XP.  I looked at the instructions for certificate
generation in the linux format article and they look OK.  Make sure
you did not miss a step or use the wrong command somewhere.

As to using a password for the pkcs#12 envelope, go ahead and use it. 
When you import the pkcs#12 file into XP, it will just ask for it, and
you enter it, and that should be it.

Hope that helps.

Michael

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
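The fix Michael describes, as an added example that is not code from the thread: a POSIX shell script (assumes the openssl CLI is installed) that builds a CA, issues a user certificate from a CSR, bundles it as PKCS#12, and then runs the same chain check the server performs, so a self-signed user certificate is caught before anyone imports it. It signs with openssl x509 -req instead of openssl ca so that no CA directory is needed; all names, subjects and the passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Builds a CA, issues a user cert from a CSR, bundles it as PKCS#12, and
# verifies the chain. Uses "openssl x509 -req -CA" to sign (instead of
# "openssl ca") so no CA directory or config file is needed.
# All names, subjects and the passphrase below are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
SUBJ_BASE="/C=US/ST=Colorado/L=Colorado Springs/O=Example Org"

# Self-signed CA; this is what eap.conf points at with CA_file.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$SUBJ_BASE/CN=Example CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Steps 1-2: CSR for the user (openssl req), then sign it with the CA.
make_user_cert() {
    user="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "$SUBJ_BASE/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/$user.pem" >/dev/null 2>&1
}

# The mistake the log points to: a user cert signed by its own key.
make_selfsigned_user_cert() {
    user="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$SUBJ_BASE/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.pem" >/dev/null 2>&1
}

# Step 3: key + cert + CA into a passphrase-protected PKCS#12 for import.
# (OpenSSL 3 defaults to AES/SHA-256 here; very old clients may need -legacy.)
make_pkcs12() {
    user="$1"; pass="$2"
    openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.pem" \
        -certfile "$WORK/ca.pem" -name "$user" \
        -passout "pass:$pass" -out "$WORK/$user.p12" >/dev/null 2>&1
}

# The check rlm_eap_tls performs at verify time: does the user cert chain
# to our CA? Prints "ok", or "unknown_ca" (openssl reports error 18,
# "self signed certificate", exactly as in the log above).
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>/dev/null \
        | grep -q ': OK$'; then
        echo ok
    else
        echo unknown_ca
    fi
}

# Demo: one correctly issued user and one self-signed user.
make_ca
make_user_cert alice
make_selfsigned_user_cert selfsigned
make_pkcs12 alice "changeit"
echo "alice:      $(verify_chain alice)"        # ok
echo "selfsigned: $(verify_chain selfsigned)"   # unknown_ca
```

Run verify_chain against any certificate before importing it into a client; "unknown_ca" here means the server will reject it with the same alert shown in the log.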


Re: Multiple Password Prompts

2005-08-05 Thread Alan DeKok
Josh Howlett [EMAIL PROTECTED] wrote:
  Zyxel is selling a $500 FreeRADIUS box (with some question of possible GPL
  violations)
 
 *sigh*
 
 If this is the case I hope you will inform the list.

  It was discussed on freeradius-devel a little.  I've exchanged email
with one of their sales reps, and was told:

  - zyxel complies with the GPL
  - there is no mention of GPL or download offer in the product
  - we offer source only to paying customers

  This is despite the fact that the GPL says:

  a) you must OFFER source
  b) anyone who gets binaries can request source

  The binaries are on their web site, for anyone to download.  Running
strings on it yields many references to FreeRADIUS-specific terms.

  Maybe I'll send their legal department a nice letter, asking for a
CD of source, and saying that if they refuse to send me a CD, they
should stop infringing on my (and others') copyright.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rewriting the User-Name attr

2005-08-05 Thread Zoltan A. Ori

 My problem is now that I want to change the User-Name attr for students
 only, to [EMAIL PROTECTED] before proxying it to the other radius
 server.



 attr_rewrite studenti {
         attribute = User-Name
         # may be packet, reply, proxy, proxy_reply or config
         searchin = proxy
         searchfor = "\(*\\.*\)"
         replacewith = [EMAIL PROTECTED]
         ignore_case = no
         new_attribute = no
         max_matches = 10
         append = no
 }

 Can you address me in the right direction?

Read doc/variables.txt.  

Use %{0} instead of $1 if the students enter their username as name.surname

Zoltan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: expiration

2005-08-05 Thread Carl Peterson
Does it exist in an earlier version or nightly?  If not, any idea when 1.0.5 
will come out?

Thanks,
Carl Peterson

On Friday 05 August 2005 17:13, Alan DeKok wrote:
   The expiration module does not exist in 1.0.4.

   The Expiration feature doesn't work in 1.0.4.  We will be releasing
 1.0.5 to correct this, and other issues.

   Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple Password Prompts

2005-08-05 Thread ragan_davis


- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
Date: Friday, August 5, 2005 5:30 pm
Subject: Re: Multiple Password Prompts

 [EMAIL PROTECTED] wrote:
  If the server gets an incomplete reply to its challenge, or no 
 reply, will it resend its challenge?
 
  No.  RADIUS is entirely driven by the clients.


Gotcha

  Or, will the client sense that the server didn't respond to its
  challenge response and start a new session.
 
  The client *does* see the Access-Challenge, but it decides for some
 reason to stop talking to the server.
 

Yep...that's sort of weird.

  Of course, because each vendor has their own radius server and
  802.1x client solution, they want to blame freeradius so that I'll
  buy their product.
 
  FreeRADIUS is interoperable with pretty much everything out there.
 Novell is dumping their proprietary server for FreeRADIUS.  Zyxel is
 selling a $500 FreeRADIUS box (with some question of possible GPL
 violations), and I know of 2 other companies using FreeRADIUS as part
 of their RADIUS server solutions.


I agree.  In their argument, they even pointed me to a security web site
that supposedly listed 42 freeradius vulnerabilities, most of which had
still not been addressed (according to them).  I visited the site, read
the material, followed the links, and apparently they just typed
freeradius and clicked search, and didn't actually read the results,
because half of the results were totally unrelated and the rest were
describing things that were fixed in version 0.4 or something.

I'm trying my hardest to fight this, because I'm a big freeradius
  fan.
 
  Thanks.


No prob.  Just keep it up.

  The debug on the Odyssey Client shows that it believes it sent the
  response to the challenge.  The debug on the WLAN switch shows 
 that it
  forwards both the challenge from freeradius and the challenge 
 response from the client.  Freeradius debug appears to get the 
 response from the
  client, sees the outer credentials (anonymous, etc.), but doesn't
  process the tunneled information for some reason. 
 
  Hmm... I do know that the odyssey client does some very weird
 things.  In some cases, it's interoperable *only* with Funk's server,
 which is a nice way for them to say other servers are broken, rather
 than our client is broken.


Yep, I'm beginning to suspect as much.

  So, does this mean that I should interpret the above enum to have
  elements 0-13, or 1-14, and match the numbers 7 and 13 with its
  position in the enum?
 
  0-13


thanks

  I'm curious why we can see the TLS stuff during the first try 
 (13), but
  not the second try (7).  What is the difference? 
 
  The client is behaving differently the second time around.
 
  FreeRADIUS treats the two TLS sessions as being 100% unique.  It
 responds in the same way to the same input every time.  So if one
 session fails and the other succeeds, it's because the client is doing
 something different.


Gotcha.

  I performed a packet capture using ethereal, listening on the 
 interface that freeradius is running on.  Did this on the box, not 
 inline.  I
  would rather not post it to the list, but I'd be glad to send it 
 to you
  if you'd be willing to look at it.  Let me know.
 
  Put it on a web page and mail me the link.


Will do.  I'll shoot for tomorrow (08/06).

  On a plus, the latest version of Ethereal appears to have stolen the
 FreeRADIUS dictionary files, so the radius packets it decodes should
 make a lot more sense.
 

Yeh...I noticed that.  Very nice.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: different eap/tls config for different interfaces

2005-08-05 Thread ragan_davis
Oh...duh...that makes sense.  Should have considered that.  I have since
tested the behavior of the scenario I described, and Alan's on target. 
Doesn't really seem to matter which interface I enter on, or which
common-name I use.  Seems to work either way.

thanks for the help!

- Original Message -
From: Kris Benson [EMAIL PROTECTED]
Date: Friday, August 5, 2005 5:28 pm
Subject: Re: different eap/tls config for different interfaces

 [EMAIL PROTECTED] wrote:
  If so, is it possible to have 2 different tls sections that service
  the 2 different interfaces?
 
   No.  FreeRADIUS supports only 1 TLS module at a time.
 
 What Alan forgot to mention is a solution.
 
 If you run two copies of the Radius server, with one bound to 
 either a
 different set of ports, or one to each IP, you could have separate 
 configs.
 -kb
 --
 Kris Benson, CCP, I.S.P.
 Technical Analyst, District Projects
 School District #57 (Prince George)
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: expiration

2005-08-05 Thread Alan DeKok
Carl Peterson [EMAIL PROTECTED] wrote:
 Does it exist in an earlier version or nightly?  if not, any idea when 1.0.5 
 will come out?

  The fix is in CVS:

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r release_1_0 radiusd

  Use the Expiration attribute.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple Password Prompts

2005-08-05 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I agree.  In their argument, they even pointed me to a security web site
 that supposedly listed 42 freeradius vulnerabilities, most of which had
 still not been addressed (according to them).

  Liars.  This isn't just incompetence, it's pretty close to libel.

 I visited the site, read the material, followed the links, and
 apparently they just typed freeradius and clicked search, and
 didn't actually read the results, because half of the results were
 totally unrelated and the rest were describing things that were
 fixed in version 0.4 or something.

  Do that on CERT, for example, and you'll get stacks of hits for
FreeRADIUS, most of which say things like FreeRADIUS: no response
from vendor for vulnerability FOO in Mozilla.

  Personally, I interpret their attitude as indicating that FreeRADIUS
is significantly cutting into their sales.  If they have to lie about
it to make their sales, it shows that FreeRADIUS is so much better
than their product that they just can't compete on a technical level.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: different eap/tls config for different interfaces

2005-08-05 Thread Michael Griego
After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there 
will be functionality to have multiple EAP submodules of the same type 
with different configurations.  With this, you'll be able to force the 
use of a specific EAP type instance by its instance name.


In the meantime, if you want to avoid bringing up two servers, you *can* 
configure two EAP module instances, each with a different tls submodule 
configuration.  Force the Auth-Type to the EAP module with the correct 
tls configuration based on your criteria.  I've used this scenario in 
the past.


--Mike


[EMAIL PROTECTED] wrote:

 Oh...duh...that makes sense.  Should have considered that.  I have since
 tested the behavior of the scenario I described, and Alan's on target. 
 Doesn't really seem to matter which interface I enter on, or which
 common-name I use.  Seems to work either way.

 thanks for the help!

 - Original Message -
 From: Kris Benson [EMAIL PROTECTED]
 Date: Friday, August 5, 2005 5:28 pm
 Subject: Re: different eap/tls config for different interfaces

  [EMAIL PROTECTED] wrote:
   If so, is it possible to have 2 different tls sections that service
   the 2 different interfaces?

    No.  FreeRADIUS supports only 1 TLS module at a time.

  What Alan forgot to mention is a solution.

  If you run two copies of the Radius server, with one bound to 
  either a
  different set of ports, or one to each IP, you could have separate 
  configs.

  -kb
  --
  Kris Benson, CCP, I.S.P.
  Technical Analyst, District Projects
  School District #57 (Prince George)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html