Re: Freeradius VLANID Question

2005-08-18 Thread Michael Schwartzkopff
On Wednesday, 17 August 2005 19:46, Armin Krämer wrote:
> Hi, at the moment I'm planning to build a network based on 20 VLANs over
> 8 Nortel switches. Depending on the given layout of the network I need to
> add some PCs to more than one port-based VLAN. Is it possible to give the
> VLAN ID over the RADIUS server, and is it possible to send more than one
> VLAN ID for one client to the switch? Does this work?
>
> Armin

hi,

It does work. I tried it with switches from HP and Cisco and I see no reason 
why it should not work with Nortel. I wrote an article in the German Linux 
Magazin 12/2004 with the details. Please mail me directly if you are interested 
in further details.

There are also a lot of good HOWTOs, especially one from Vladimir Vuksan 
under:

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

about authentication with PAP

2005-08-18 Thread Lee Bobby

hi,all,
  I want to use PAP to authenticate the users, but I don't know how to change 
the radiusd.conf.

 Can anyone help me?
Bobby from Beijing.




mod_auth_radius values

2005-08-18 Thread Ayres G.J.
Hello all,
I am developing a web system that authenticates users to a web site
through free radius using the mod_auth_radius module for apache. It all
works fine, but I would like to get the username of the user that has
authenticated for use on pages once they have authenticated. 

I am not sure how to go about this. I guess that the values are set in a
cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
could retrieve the values, either through HTML or PHP?

Thanks,
Gareth.

- - - - - - - - - - - - - - - -
Gareth Ayres
Wireless Network Officer
Library & Information Services
University of Wales Swansea,
Singleton Park,
Wales, UK
SA2 8PP
e-mail: [EMAIL PROTECTED]


Re: RadZap Still given (negative Port)

2005-08-18 Thread Sarkis Gabriel

I compiled the cvs update and still get

[EMAIL PROTECTED] root]# radiusd -v
radiusd: FreeRADIUS Version 1.0.4, for host , built on Aug 17 2005 at 
23:01:39

Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.


[EMAIL PROTECTED] root]# radwho -r
1291,1291,shell,S2148532295,Thu 09:27,192.116.123.117,10.10.11.250


[EMAIL PROTECTED] root]# radwho -RZ -u 1291
User-Name = "1291"
Acct-Session-Id = "80100047"
Acct-Status-Type = Stop
NAS-IP-Address = 192.116.123.117
NAS-Port = -2146435001
Service-type = Login-User
Framed-IP-Address = 10.10.11.250
Acct-Session-Time = 21400
Calling-Station-Id = "00:11:5B:38:1F:"

Thanks

Sarky


Alan DeKok wrote:

"Sarkis Gabriel" <[EMAIL PROTECTED]> wrote:


After installing the CVS, although not the latest one as of today, it was 
supposed to
have the fix for the negative port.



  cvs update

  Alan DeKok.


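An added note on the negative NAS-Port in the radwho output above (this is example code, not from the thread or from FreeRADIUS): RADIUS integer attributes are unsigned 32-bit values, and -2146435001 is what you get when 2148532295 (the figure that appears as S2148532295 in the radwho -r line, which is also the Acct-Session-Id 80100047 read as hex) is formatted through a signed 32-bit type. The script below embeds the quoted radwho -RZ lines as sample input and does the reinterpretation in both directions.

```python
# Added example: reinterpret a "negative" RADIUS NAS-Port as the unsigned
# 32-bit value RFC 2865 defines. Not code from the thread or from FreeRADIUS;
# the sample lines below are copied from the radwho output quoted above.

RADWHO_OUTPUT = """\
User-Name = "1291"
Acct-Session-Id = "80100047"
Acct-Status-Type = Stop
NAS-IP-Address = 192.116.123.117
NAS-Port = -2146435001
Service-type = Login-User
Framed-IP-Address = 10.10.11.250
Acct-Session-Time = 21400
Calling-Station-Id = "00:11:5B:38:1F:"
"""

MASK32 = 0xFFFFFFFF


def to_unsigned32(value):
    """A RADIUS 'integer' is an unsigned 32-bit number; recover it from a
    value that was printed through a signed 32-bit type."""
    return value & MASK32


def to_signed32(value):
    """The reverse: what a C program printing the attribute with %d shows."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def parse_radwho(text):
    """Turn 'Attribute = value' lines (radwho -RZ style) into a dict.
    NAS-Port is normalised to its unsigned form; other values stay strings
    with surrounding quotes stripped."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name, value = name.strip(), value.strip().strip('"')
        attrs[name] = to_unsigned32(int(value)) if name == "NAS-Port" else value
    return attrs


def explain_port(text):
    """Return (unsigned port, hex form, Acct-Session-Id read as hex)."""
    attrs = parse_radwho(text)
    port = attrs["NAS-Port"]
    return port, f"0x{port:08X}", int(attrs["Acct-Session-Id"], 16)


if __name__ == "__main__":
    port, hexport, session = explain_port(RADWHO_OUTPUT)
    print(f"NAS-Port {to_signed32(port)} is unsigned {port} ({hexport}); "
          f"Acct-Session-Id as hex is {session}")
```

Nothing here changes what the NAS sends; it only shows that the value is a well-formed 32-bit port identifier with its top bit set, so the thing to look at is how the number is printed (or how the NAS chooses port numbers), not the accounting record itself.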


Dial-up admin

2005-08-18 Thread Allan Borman



Hi All,
I have freeradius operational on a new x86 Dell server platform running LINUX ES.  I am 
having issues with Dialup-admin and PHP.  Has anyone installed this 
interface successfully on LINUX ES?  Are there any docs on this?  I 
have read the docs that come with Dialup-admin.  Any help is appreciated in advance.

Best Regards,

Allan Borman.

Re: mod_auth_radius values

2005-08-18 Thread Alan DeKok
"Ayres G.J." <[EMAIL PROTECTED]> wrote:
>   I am developing a web system that authenticates users to a web site
> through free radius using the mod_auth_radius module for apache. It all
> works fine, but I would like to get the username of the user that has
> authenticated for use on pages once they have authenticated. 

  It's in the HTTP headers.  The username & password are sent in every
request.

> I am not sure how to go about this. I guess that the values are set in a
> cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
> could retrieve the values, either through HTML or PHP?

  Not HTML.  Maybe PHP, if it allows you to get HTTP headers.  See the
module source code for where the headers are, and the PHP docs for how
to get at them.

  Alan DeKok.



Re: General Question..

2005-08-18 Thread Kris Benson
FreeRadius users mailing list  on
August 17, 2005 at 15:47 -0800 wrote:
>Can we use RADIUS/LDAP to do this?
>What I hope we can do is as follows:
>everyone will get one user-id/password, but for every service we will
>create a boolean attribute. All services, dialup/wireless/vpn/etc., will use one 
>RADIUS server for both Auth (authenticate/authorize).
>The question is, can FreeRADIUS (or any RADIUS) be configured to ask the
>LDAP for the correct service attribute and give access based both on the 
>user-id/password and on the value of the service attribute?

Sort of.

The best bet is to use the LDAP "posixgroup" objectclass -- then you can
force certain radius clients to require a specific group membership.

Let me know when you get closer to implementation and I can help you with
some config files.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Issues authenticating vs 2003 AD

2005-08-18 Thread Tim P
OK, using these settings it seems to authenticate with radtest:
> Radius.conf
> ldap {
> server = "domcon.company.org"
> basedn = "dc=company,dc=org"
> filter = 
> "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> password_attribute = "userPassword"
> identity = "cn=administrator,cn=Users,dc=company,dc=org"
> password = password

[EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
Sending Access-Request of id 201 to 127.0.0.1:1812
User-Name = "user"
User-Password = "userpass"
NAS-IP-Address = redguard.company.net
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=201, length=20

And the output of radius -X -A shows
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tporritt
radius_xlat:  '(sAMAccountName=tporritt)'
radius_xlat:  'dc=gtdsolutions,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=gtdsolutions,dc=org, with filter
(sAMAccountName=tporritt)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tporritt authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tporritt" with password "pantera"
rlm_ldap: user DN: CN=Tim Porritt,CN=Users,DC=gtdsolutions,DC=org
rlm_ldap: (re)connect to gtds-domcon.gtdsolutions.org:389, authentication 1
rlm_ldap: bind as CN=Tim
Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
gtds-domcon.gtdsolutions.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tporritt authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: group Auth-Type returns ok for request 1
Sending Access-Accept of id 201 to 127.0.0.1:32770
Finished request 1


These two look to me like they authenticated the user successfully.  

I have l2tp handling authentication, which passes it to pppd.
In /etc/ppp/options.l2tpd I have:

# added for radius auth with radius
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
lcp-echo-failure 30
lcp-echo-interval 5
plugin radius.so


Is it possible that this will work?

I tried using ntlm_auth from pppd with no luck, as it gave me:

Aug 18 10:13:56 redguard pppd[2260]: WINBIND plugin initialized.
Aug 18 10:13:56 redguard pppd[2260]: In file /etc/ppp/options.l2tpd:
unrecognized option '--helper-protocol=ntlm-server-1'

The line I had was 
# winbind auth
plugin winbind.so
ntlm_auth-helper /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1


Just looking for a way (and preferably an example) of doing the
authentication vs AD, since I don't seem to understand how to do it.  I
have looked in radius.conf and enabled the ntlm authentication, but it
seems to insist upon using chap and not mschap-v2; is there a
difference?  It still complains about the "no cleartext password".

An example would be greatly appreciated!

Thanks
Tim



Re: Issues authenticating vs 2003 AD

2005-08-18 Thread Alan DeKok
Tim P <[EMAIL PROTECTED]> wrote:
> Ok using these settings it seems to authenticate with radtest
...
> [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret

  i.e. clear-text password.

> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

  i.e. NO PASSWORD WAS RETURNED BY AD.

> rlm_ldap: bind as CN=Tim
> Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> gtds-domcon.gtdsolutions.org:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user tporritt authenticated succesfully

  i.e. You're binding to AD as the user.

  You are using AD as an "authentication oracle".  You hand it bits of
information, and it returns yes/no.  You are NOT using AD as a database.

> These two look to me like they authenticated the user successfully.  

  Yes.  Now try MSCHAP.

> In /etc/ppp/options.l2tpd  I have
..
> Is it possible that this will work?

  Yes.  But you're not getting the password from AD.

  As I said: AD will not supply the password.  Nothing in what you've
posted contradicts that.

> Just looking for a way (and preferably and example) of the
> authentication vs AD since I don't seem to understand how to do it.  I
> have looked in radius.conf and enabled the ntlm authentication but it
> seems to insist upon using chap and not mschap-v2, is there a
> difference?

  The client asks for CHAP, so that's what the RADIUS server sees.
The RADIUS server DOES NOT, and CAN NOT change the authentication
method the client uses.

>   It still complains about the "no cleartext password"

  Because, as I've said repeatedly, AD doesn't supply the password to
you.

  Alan DeKok.

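As an added illustration of the "authentication oracle" point above (example code, not from the thread or from FreeRADIUS; the account name and passwords are constructed sample values): PAP can be checked by either kind of backend, because the RADIUS server holds the client's clear-text password and can simply bind with it. CHAP cannot, because the server has to recompute MD5(Identifier || password || Challenge) itself (RFC 1994), and an oracle that only answers yes/no never hands it the password. The script models both backends against both methods.

```python
# Added example: why an "authentication oracle" (an LDAP bind as the user,
# which is how Active Directory is being used in the thread) can verify PAP
# but not CHAP. Not code from the thread or from FreeRADIUS. The account and
# passwords are constructed sample values.
import hashlib
import os

# Constructed directory; in the thread the real one is AD, which never
# returns this clear-text value to the RADIUS server.
_DIRECTORY = {"sample-user": "sample-pass-2005"}


def database_lookup(username):
    """Backend that returns the stored clear-text password (users file, SQL,
    or an LDAP server that exposes userPassword). None if unknown."""
    return _DIRECTORY.get(username)


def oracle_bind(username, password):
    """Backend that only answers yes/no, like an LDAP simple bind as the user."""
    return _DIRECTORY.get(username) == password


def chap_response(ident, password, challenge):
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_pap(username, password, backend):
    """PAP: the server holds the clear-text password, so either backend works."""
    if backend == "database":
        stored = database_lookup(username)
        return stored is not None and stored == password
    if backend == "oracle":
        return oracle_bind(username, password)
    raise ValueError(backend)


def verify_chap(username, ident, challenge, response, backend):
    """CHAP: the server must recompute the MD5 over the clear-text password.
    Returns True/False with a database backend, and None with an oracle:
    there is nothing to bind with and nothing to hash, which is the
    "no cleartext password" complaint quoted in the thread."""
    if backend == "database":
        stored = database_lookup(username)
        if stored is None:
            return False
        return chap_response(ident, stored, challenge) == response
    if backend == "oracle":
        return None
    raise ValueError(backend)


def demo():
    """Run one PAP and one CHAP exchange against both backends."""
    ident, challenge = 7, os.urandom(16)
    # Client side: the peer knows its password and answers the challenge.
    response = chap_response(ident, "sample-pass-2005", challenge)
    return {
        "pap/database": verify_pap("sample-user", "sample-pass-2005", "database"),
        "pap/oracle": verify_pap("sample-user", "sample-pass-2005", "oracle"),
        "chap/database": verify_chap("sample-user", ident, challenge, response, "database"),
        "chap/oracle": verify_chap("sample-user", ident, challenge, response, "oracle"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The server-side check for MS-CHAP has the same shape: it needs either the NT hash of the password or something that can compute the response on its behalf. Handing the work to ntlm_auth, which asks the domain controller, is what supplies the latter; binding to AD as the user supplies neither.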


Re: mod_auth_radius values

2005-08-18 Thread Ken A

Try the environment variable REMOTE_USER

 #!/usr/bin/perl
 # Dumps every CGI environment variable, one per line, so REMOTE_USER
 # (the name mod_auth_radius authenticated) shows up among them.
 print "Content-type: text/html\n\n";
 foreach my $key (sort keys %ENV) {
  print "$key --> $ENV{$key}<br>\n";
 }

Ken


Alan DeKok wrote:


"Ayres G.J." <[EMAIL PROTECTED]> wrote:


I am developing a web system that authenticates users to a web site
through free radius using the mod_auth_radius module for apache. It all
works fine, but I would like to get the username of the user that has
authenticated for use on pages once they have authenticated. 



  It's in the HTTP headers.  The username & password are sent in every
request.



I am not sure how to go about this. I guess that the values are set in a
cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
could retrieve the values, either through HTML or PHP?



  Not HTML.  Maybe PHP, if it allows you to get HTTP headers.  See the
module source code for where the headers are, and the PHP docs for how
to get at them.

  Alan DeKok.



Re: mod_auth_radius values

2005-08-18 Thread Ken A
or even easier, if apache is setup for SSI, you can just plunk this into 
your web page where you want the authenticated username:




Ken


Alan DeKok wrote:


"Ayres G.J." <[EMAIL PROTECTED]> wrote:


I am developing a web system that authenticates users to a web site
through free radius using the mod_auth_radius module for apache. It all
works fine, but I would like to get the username of the user that has
authenticated for use on pages once they have authenticated. 



  It's in the HTTP headers.  The username & password are sent in every
request.



I am not sure how to go about this. I guess that the values are set in a
cookie or in the HTTP Headers by mod_auth_radius? Does anyone know a way I
could retrieve the values, either through HTML or PHP?



  Not HTML.  Maybe PHP, if it allows you to get HTTP headers.  See the
module source code for where the headers are, and the PHP docs for how
to get at them.

  Alan DeKok.



Re: Issues authenticating vs 2003 AD

2005-08-18 Thread Tim P
Sorry to keep asking but can you post an example (using mschap) to
authenticate from freeradius to AD using the ntlm_auth method?

On 8/18/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Tim P <[EMAIL PROTECTED]> wrote:
> > Ok using these settings it seems to authenticate with radtest
> ...
> > [EMAIL PROTECTED] ~]# radtest user userpass localhost:1812 1 radiussecret
> 
>   i.e. clear-text password.
> 
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
> 
>   i.e. NO PASSWORD WAS RETURNED BY AD.
> 
> > rlm_ldap: bind as CN=Tim
> > Porritt,CN=Users,DC=gtdsolutions,DC=org/pantera to
> > gtds-domcon.gtdsolutions.org:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user tporritt authenticated succesfully
> 
>   i.e. You're binding to AD as the user.
> 
>   You are using AD as an "authentication oracle".  You hand it bits of
> information, and it returns yes/no.  You are NOT using AD as a database.
> 
> > These two look to me like they authenticated the user successfully.
> 
>   Yes.  Now try MSCHAP.
> 
> > In /etc/ppp/options.l2tpd  I have
> ..
> > Is it possible that this will work?
> 
>   Yes.  But you're not getting the password from AD.
> 
>   As I said: AD will not supply the password.  Nothing in what you've
> posted contradicts that.
> 
> > Just looking for a way (and preferably and example) of the
> > authentication vs AD since I don't seem to understand how to do it.  I
> > have looked in radius.conf and enabled the ntlm authentication but it
> > seems to insist upon using chap and not mschap-v2, is there a
> > difference?
> 
>   The client asks for CHAP, so that's what the RADIUS server sees.
> The RADIUS server DOES NOT, and CAN NOT change the authentication
> method the client uses.
> 
> >   It still complains about the "no cleartext password"
> 
>   Because, as I've said repeatedly, AD doesn't supply the password to
> you.
> 
>   Alan DeKok.
> 



Re: Issues authenticating vs 2003 AD

2005-08-18 Thread Alan DeKok
Tim P <[EMAIL PROTECTED]> wrote:
> Sorry to keep asking but can you post an example (using mschap) to
> authenticate from freeradius to AD using the ntlm_auth method?

  What's wrong with reading radiusd.conf?

  Alan DeKok.


FR suddenly doesn't respond any more and eats all cpu

2005-08-18 Thread Benedikt Panzer

Hello everyone,

I've configured a FreeRADIUS 1.0.4 here and I'm running it now to handle 
test requests. At first, everything looked OK. FR responded to all requests 
correctly. But suddenly it didn't respond any more to RADIUS requests 
and I saw it was using 1 of my 2 CPUs completely. Before it took between 1-2 
percent of the CPU. FreeRADIUS could not even be killed by a normal 
kill; I needed kill -9 to terminate it. It's very strange to me that this 
happened after half an hour of normal behaviour. Then I started FreeRADIUS in 
debugging mode (-X), but then the error didn't occur until I stopped it 1 
day later. Just now I ran it again in non-debugging mode and again after 
about half an hour the same strange error: processor load about 99% and 
no responses to any requests. And at the moment there are really few 
RADIUS requests.


As I wrote, I don't have any debugging output from before the error occurred. 
The error doesn't occur when running in debugging mode. It doesn't want 
to be caught ;-)

Nevertheless, has anyone seen such a behaviour yet, or has an idea where 
to look or a guess at the reason?


Thanks a lot, Benedikt

--
Benedikt Panzer
Abteilung Ausbildung
Rechenzentrum
Universität Stuttgart
Allmandring 30
70550 Stuttgart
www.rus.uni-stuttgart.de




MPPE/PEAP support not in anything but CVS snapshots?

2005-08-18 Thread Bill Carr
I have a quick question, I ran across a note in a document about 0.97 stating 
that MPPE support was only in the nightly snapshots and not in the normal 
releases.
(http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html)

If this changed since 2002, could someone let me know when? 

Otherwise I'm chasing my tail using a RHEL ES RPM which starts, runs but won't 
start the EAP piece, but a freshly compiled version works fine.

I have a client who's a stickler for using the "vendor"-blessed versions and 
I've been trying to figure out why this has been more difficult to set up than 
most of my out-of-the-box configs.

Thanks a bunch!

 




Re: MPPE/PEAP support not in anything but CVS snapshots?

2005-08-18 Thread Alan DeKok
"Bill Carr" <[EMAIL PROTECTED]> wrote:
> I have a quick question, I ran across a note in a document about
> 0.97 stating that MPPE support was only in the nightly snapshots and
> not in the normal releases.
>
> (http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html)
> 
> If this changed since 2002, could someone let me know when? 

  When 1.0.0 was released.
 
> Otherwise I'm chasing my tail using a RHEL ES RPM which starts, runs
> but won't start the EAP piece, but a freshly compiled version works
> fine.

  Since you won't say what (if any) error message is produced, it's a little 
difficult to help you.

> I have a client who's a stickler for using the "vendor"-blessed
> versions and I've been trying to figure out why this has been more
> difficult to set up than most of my out-of-the-box configs.

  You're also not saying which version you're trying to install.

  Try giving information which will help people understand what you're
doing.  And if you're installing 0.9.x, the official answer is "don't".

  Alan DeKok.