Re: V1.10 File and LDAP Problems
After sending the second email, I realized that while you're having problems with the Authorization section, I gave solutions applicable to the Authentication section. I don't know if you can set certain fail and reject codes in the Autz section. The real answer to your first question was that as long as you set up the LDAP information correctly, you'll no longer have the Autz section failing on you. The rest of the information I gave should be useful in the Auth section though.

Sorry for the confusion.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: V1.10 File and LDAP Problems
> How do you go about setting the weighting. I want to be able to use text,
> ldap and mysql so that we have various fall back options with a failure of
> the external databases (ldap and mysql).

I'm pulling this straight from the "configurable_failover.gz" file from the documentation:

---cut---
Rewriting results for single modules

Normally, when a module fails, the entire section ("authorize", "accounting", etc.) stops being processed. In some cases, we may want to permit "soft failures". That is, we may want to tell the server that it is "ok" for a module to fail, and that the failure should not be treated as a fatal error.

In this case, the module is treated as a "section", rather than just as a single line in "radiusd.conf". The configuration entries for that section are taken from the "configurable fail-over" code, and not from the configuration information for that module.

For example, the "detail" module normally returns "fail" if it is unable to write its information to the "detail" file. As a test, we can configure the server so that it continues processing the request, even if the "detail" module fails. The following example shows how:

#--
# Handle accounting packets
accounting {
        detail {
                fail = 1
        }
        redundant {
                sql1
                sql2
                handled
        }
}
#--

The "fail = 1" entry tells the server to remember the "fail" code, with priority "1". The normal configuration is "fail = return", which means "if the detail module fails, stop processing the accounting section".
---cut---

So by setting fail equal to a value (1-9) you override the default "fail = return."

> > Once you can login to the LDAP, if the user does not exist in there then LDAP
> > should return "noop" for the request. If you want a user to exist in
> > both the LDAP and the users file with different passwords, that
> > requires a bit of tweaking but I've got it working if you need to see
>
> Would like to see how you did it.
Here's how I have ldap/unix redundant group setup:

Auth-Type LDAP {
        ldap {
                reject = 3
                fail = 3
        }
        unix
}

If the user exists in the LDAP (module ldap returns ok for the request), then the Auth-Type is set to LDAP by default (assuming you have things set up correctly). If the password provided by the user does not match the one in the LDAP, then instead of flat out rejecting the user and stopping processing, I assign an arbitrary value of 3 to the reject codes (I do the same with fail, although looking back I don't know if there's any real reason to do so). Now rather than returning reject (or fail) for the entire request, the section calls the unix module to attempt to authorize via /etc/passwd. You could just as simply have it check the users file (module "files") or a number of other methods.

Does that make things any more clear?
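To make the priority rule from the configurable_failover excerpt concrete, here is a small Python model of it, added to this thread as an illustration; it is not FreeRADIUS code and not Andrew's or Gerry's. It assumes the default authorize-section priority table as that document describes it (ok = 3, noop = 2, notfound = 1, updated = 4, everything else "return"), that a section starts from "notfound" at priority 0, and that a later result only replaces the remembered one when its priority is strictly higher. It replays the module results from Gerry's "NOT WORKING" log (preprocess ok, files ok, mschap noop, ldap fail) once with the stock configuration and once with ldap { fail = 1 }:

```python
"""Simplified model of FreeRADIUS 1.x "configurable failover" for one section.

Added example; not code from the FreeRADIUS project or from the thread.
Assumptions: the priority table below is the documented authorize-section
default; "return" stops the section with that code, a number 1-9 is a
priority that is remembered while processing continues, and a later code
replaces the remembered one only when its priority is strictly higher.
"""

# Assumed default actions for a module in the "authorize" section.
AUTHORIZE_DEFAULTS = {
    "reject": "return", "fail": "return", "ok": 3, "handled": "return",
    "invalid": "return", "userlock": "return", "notfound": 1, "noop": 2,
    "updated": 4,
}


def run_section(modules, results, overrides=None, defaults=AUTHORIZE_DEFAULTS):
    """Evaluate a module list the way the doc excerpt describes.

    modules:   ordered module names, e.g. ["files", "mschap", "ldap"]
    results:   what each module returned, e.g. {"ldap": "fail"}
    overrides: per-module action table, e.g. {"ldap": {"fail": 1}}
    Returns (section_result, trace) where trace lists each step taken.
    """
    overrides = overrides or {}
    section_result, priority = "notfound", 0   # assumed initial state
    trace = []
    for name in modules:
        code = results[name]
        action = {**defaults, **overrides.get(name, {})}[code]
        if action == "return":
            trace.append(f'{name} returns {code}: action "return", section stops')
            return code, trace
        if action > priority:
            section_result, priority = code, action
            trace.append(f"{name} returns {code}: priority {action}, remembered")
        else:
            trace.append(f"{name} returns {code}: priority {action} does not beat {priority}, ignored")
    return section_result, trace


# Module results taken from the "NOT WORKING" debug log in the thread.
THREAD_MODULES = ["preprocess", "files", "mschap", "ldap"]
THREAD_RESULTS = {"preprocess": "ok", "files": "ok", "mschap": "noop", "ldap": "fail"}


def stock_config():
    """Default ldap { fail = return }: the whole authorize section fails."""
    return run_section(THREAD_MODULES, THREAD_RESULTS)


def soft_fail_config():
    """ldap { fail = 1 }: the failure is remembered at priority 1, files' ok (3) wins."""
    return run_section(THREAD_MODULES, THREAD_RESULTS, {"ldap": {"fail": 1}})


if __name__ == "__main__":
    for label, fn in (("stock", stock_config), ("ldap { fail = 1 }", soft_fail_config)):
        result, trace = fn()
        print(f"--- {label}: section returns {result}")
        for line in trace:
            print("   ", line)
```

With the stock table the ldap failure hits a "return" action and the section, and so the request, fails; with fail = 1 the failure is remembered at priority 1 but the "ok" from files (priority 3) wins. A fail-open setting like this is a deliberate trade: an unreachable LDAP server no longer blocks users who exist in the users file, but a misconfigured or down LDAP server also stops being visible at the request level, so the "module ldap returns fail" lines in the server log are the place to watch and alert on.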
V1.10 File and LDAP Problems
Andrew thanks for the quick reply.

> Looks like you don't have the LDAP information set up correctly. FreeRADIUS can't login to LDAP with the settings (un)specified.
>
> > rlm_ldap: (re)connection attempt failed
> > rlm_ldap: search failed
> > rlm_ldap: ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns fail for request 0
> > modcall: leaving group authorize (returns fail) for request 0

Yep, knew that, but expected to continue with the text auth since the user existed in that file.

> LDAP returns fail, which is weighted heavier than both the "noop" returned by mschap and the "ok" returned by files. Because LDAP returns "fail," the entire request returns "fail." You can specify different weighted settings for noop, fail, etc, but the obvious answer is to fix your LDAP settings and then try again.

How do you go about setting the weighting. I want to be able to use text, ldap and mysql so that we have various fall back options with a failure of the external databases (ldap and mysql).

> Once you can login to the LDAP, if the user does not exist in there then LDAP should return "noop" for the request. If you want a user to exist in both the LDAP and the users file with different passwords, that requires a bit of tweaking but I've got it working if you need to see

Would like to see how you did it.

> Hope this helps!
>
> Andrew

Gerry Dalton, Network System Support
Consolidated Communications
Cell: 214 532-1905
Re: V1.10 File and LDAP Problems
> NOT WORKING:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.0.90.32:2017, id=62, length=46
>         User-Name = "testme"
>         User-Password = "123456"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
>     users: Matched entry testme at line 142
> modcall[authorize]: module "files" returns ok for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testme
> radius_xlat: '(sAMAccountname=testme)'
> radius_xlat: 'dc=consolidated,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.60.177:389, authentication 0
> rlm_ldap: bind as cn=someuser,cn=Users,dc=ourcompany,dc=com/secret to 10.0.xx.xxx:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

Looks like you don't have the LDAP information set up correctly. FreeRADIUS can't login to LDAP with the settings (un)specified.

> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns fail for request 0
> modcall: leaving group authorize (returns fail) for request 0

LDAP returns fail, which is weighted heavier than both the "noop" returned by mschap and the "ok" returned by files. Because LDAP returns "fail," the entire request returns "fail." You can specify different weighted settings for noop, fail, etc, but the obvious answer is to fix your LDAP settings and then try again.

Once you can login to the LDAP, if the user does not exist in there then LDAP should return "noop" for the request.
If you want a user to exist in both the LDAP and the users file with different passwords, that requires a bit of tweaking but I've got it working if you need to see how sometime.

Hope this helps!

Andrew
V1.10 File and LDAP Problems
I have installed Freeradius 1.10, on Solaris 8. Using default radiusd.conf, and users file, added a couple of users. Tested and I am able to auth my testme user. I then add in the LDAP module, and un-comment ldap places in the radiusd.conf file. I again try to auth the same user who is in the user text file, and I cannot auth that user. No other changes, just put the ldap directives in and it seems to break text file auth. I need to have the capability to fall back to text file of users in case the LDAP server is not available/problems/etc.

Below are traces from each test. Note in the second test, that I know the login to the LDAP server is not valid, but this simulates the server being broken etc. I have also tested with a valid connection and get the same results.

DEBUG FOLLOWS:
--
WORKING: The ldap module is not enabled in the radiusd.conf file:

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.90.32:2016, id=61, length=46
        User-Name = "testme"
        User-Password = "123456"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry testme at line 142
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "testme", looking up realm NULL
    rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [testme] (from client Dallas port 0)
Sending Access-Accept of id 61 to 10.0.90.32 port 2016
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 61 with timestamp 43fe2e2d
Nothing to do. Sleeping until we see a request.

NOT WORKING:

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.90.32:2017, id=62, length=46
        User-Name = "testme"
        User-Password = "123456"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
    users: Matched entry testme at line 142
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testme
radius_xlat: '(sAMAccountname=testme)'
radius_xlat: 'dc=consolidated,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.0.60.177:389, authentication 0
rlm_ldap: bind as cn=someuser,cn=Users,dc=ourcompany,dc=com/secret to 10.0.xx.xxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns fail for request 0
modcall: leaving group authorize (returns fail) for request 0
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 62 with timestamp 43fe2e82
Nothing to do. Sleeping until we see a request.

Gerry Dalton, Network System Support
Consolidated Communications
Cell: 214 532-1905
Re: Help needed with MS-CHAP
I am not trying to do that. I just want to authenticate MS-CHAPv2 passwords. My question is: Where do I have those passwords in my Linux server?

Thank you,
Charles

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, February 23, 2006 6:34 PM
Subject: Re: Help needed with MS-CHAP

> "Charles Blake" <[EMAIL PROTECTED]> wrote:
> > I need now to authenticate MS-CHAPv2 passwords. I have been looking
> > everywhere, FAQ, googled and I have not found where to against to
> > authenticate. User file? MySQL?
>
> Anywhere that will give you the clear-text passwords.
>
> And no, you can't convert shadow file entries into clear-text passwords.
>
> Alan DeKok.
Re: Client certs with MSCHAPV2 in PEAP
Robert Myers <[EMAIL PROTECTED]> wrote:
> The reason I ask, is that I'm using a client cert signed by my CA to do
> eap/tls, and it's working. I have not implemented the server cert as of
> yet.

Then it *should* work with PEAP. But I don't know of many people that use client certs with PEAP. I suspect no one has tested that, and that the client may be doing something different than with EAP-TLS.

My suggestion is don't use client certs with PEAP.

Alan DeKok.
Re: Solaris 8 - radiusd: Cannot find ELF
Thanks for pointing me in the right direction. Mr Google did know the problem:

    The problem is solved when using SUNWbtool's /usr/ccs/bin/strip instead of GNU strip. GNU strip is likely located in /usr/local/bin. Make sure that /usr/ccs/bin is located before /usr/local/bin in your PATH and run make install:

    PATH=/usr/ccs/bin:$PATH make install

What a pain?!?

For the "configure", you initially have to have your system variables set as,

    PATH=$PATH:/sbin:/etc:/usr/ccs/bin:/usr/local/bin:/usr/local/sbin:.; export PATH
    LD_LIBRARY_PATH=/usr/local/lib; export LD_LIBRARY_PATH
    CC=gcc; export CC

For the "make", I had to specify "/usr/ccs/bin/make" (not "/usr/local/bin/make").

Before running "make install", change your PATH to,

    [EMAIL PROTECTED] echo $PATH
    /usr/ccs/bin:/usr/sbin:/usr/bin:/sbin:/etc:/usr/local/bin:/usr/local/sbin:.

I vi'd my /usr/local/etc/raddb/radiusd.conf file to un-#

    passwd = /etc/passwd
    shadow = /etc/shadow
    group = /etc/group

Now it starts up as,

    [EMAIL PROTECTED] radiusd
    Thu Feb 23 18:01:50 2006 : Info: Starting - reading configuration files ...

Whew...finally!! It starts up without the "Cannot find ELF" message. It appears to be running. I hope these notes help another Solaris user out there. That Google guy is purdy smert.

Now, does it actually work...

Thank you,
-Mike Becker

Alan DeKok wrote:
> Mike Becker <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] radiusd
> > radiusd: Cannot find ELF
>
> It looks like a tool chain problem on Solaris. Search for "cannot find elf" in google. You'll see lots of links.
>
> Alan DeKok.
Re: Help needed with MS-CHAP
"Charles Blake" <[EMAIL PROTECTED]> wrote: > I need now to authenticate MS-CHAPv2 passwords. I have been looking > everywhere, FAQ, googled and I have not found where to against to > authenticate. User file? MySQL? Anywhere that will give you the clear-text passwords. And no, you can't convert shadow file entries into clear-text passwords. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRADIUS, dialup_admin and Microsoft SQL database ???
Hi,

I'm doing some test installations regarding the implementation of FreeRADIUS. I was thinking about using our existing MS SQL server as a database for user Authentication/Authorization (due to integration of user data into CRM ...). I have made an initial installation of FreeRADIUS and MySQL as database, and the Dialup Admin tool works quite fine in our test environment.

Now I have a question: has anyone managed to modify dialup_admin to work with an MS SQL database? I imagine that a lot of tweaking of sql code would be necessary (to accommodate the standard sql syntax used by unixODBC). What is your experience, is it doable? If not, which alternative tool could I use instead of dialup_admin?

Thanks for any info.

Regards,
Tadej Bregar
RE: Help needed with MS-CHAP
Just to further my own knowledge.

> -----Original Message-----
>
> Charles Blake wrote:
>
> > I am trying to set up a freeradius-1.1.0 server for authenticating
> > users using MS-CHAP passwords.
> >
> > I pretend to authenticate users against shadow.
>
> You can't do that.
>
> MS-CHAP requires the NT hash, the plaintext password from
> which it can derive the NT hash, or Samba configured as a
> domain member and use of the "ntlm_auth" helper.
>

Does this also apply to MS-CHAPv2?
Re: Help needed with MS-CHAP
Alan:

Thank you very much for your reply. I have been using Radius for many years, but always authenticating against shadow passwords. I need now to authenticate MS-CHAPv2 passwords. I have been looking everywhere, FAQ, googled and I have not found where to against to authenticate. User file? MySQL? Where do I have to create the user/password pairs so radius can authenticate these users with MS-CHAPv2 passwords?

Thank you very much for your help.
Charles

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, February 23, 2006 4:40 PM
Subject: Re: Help needed with MS-CHAP

> "Charles Blake" <[EMAIL PROTECTED]> wrote:
> > I am trying to set up a freeradius-1.1.0 server for authenticating users
> > using MS-CHAP passwords.
> >
> > I pretend to authenticate users against shadow.
>
> It's impossible to use /etc/shadow and MS-CHAP. See the FAQ.
>
> Alan DeKok.
Re: Client certs with MSCHAPV2 in PEAP
Does this only apply if the supplicant uses a server cert during eap/tls? The reason I ask, is that I'm using a client cert signed by my CA to do eap/tls, and it's working. I have not implemented the server cert as of yet.

-Bob

Alan DeKok wrote:
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> > > For EAP-TLS to work, the client certs have to be signed by the server cert.
> > Signed by the server cert or by the CA cert? I have a CA that signed the
> > server and client certs, and the eap.conf file knows where server and CA
> > certs are.
>
> If you're using 1.0.x, that won't work. It doesn't do certificate chains. The client cert MUST be signed by the server cert. Using a CA to sign them both won't work.
>
> I'm not even sure it will work in 1.1.0, to be honest.
>
> Alan DeKok.
Re: Help needed with MS-CHAP
Charles Blake wrote:
> I am trying to set up a freeradius-1.1.0 server for authenticating users
> using MS-CHAP passwords.
>
> I pretend to authenticate users against shadow.

You can't do that.

MS-CHAP requires the NT hash, the plaintext password from which it can derive the NT hash, or Samba configured as a domain member and use of the "ntlm_auth" helper.

> radtest shows ok:

This is a PAP request. They work fine against /etc/shadow

> # radtest mts mypassword localhost 0 testing123
> Sending Access-Request of id 160 to 127.0.0.1 port 1812
>         User-Name = "mts"
>         User-Password = "mypassword"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=160, length=20
>
> But when I try to authenticate a user using MS-CHAP, I am getting this output:

This is an MS-CHAP request - you cannot authenticate it against /etc/shadow. See above.

> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=5, length=146
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = "mts"
>         MS-CHAP-Challenge = 0x6b61b1ed954a289c0fa3aebedc329ac6
>         MS-CHAP2-Response = 0x8f0001684e1d34295e1232edb0682bd04e6e2caaa9579823e00501812d3e2dce9225b7dd251c02e1fd89

These error messages are quite detailed:

> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for mts with NT-Password
> Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

As it says.
Re: Duplicate entries and incorrect accounting and authorization (Cont'd)
<[EMAIL PROTECTED]> wrote:
> Thank you for your response. As you pointed out, by watching
> tcpdump outcome I see no Radius Responses coming back to the NAS (I
> do see Radius Requests going out the NAS though). The shared secret
> is fine and I use chillispot with the right configuration (pointing
> at the right radius server). Also, I did not introduce any changes
> at the NAS side from my previous working version. All changes were
> introduced at the Radius server side. Any more suggestions?

You have a firewall on the RADIUS server that's blocking outgoing packets. Or, the packets are going somewhere else.

Alan DeKok.
Re: dictionary.rfc2865 discrepancy?
Geoff Silver <[EMAIL PROTECTED]> wrote:
> With the stock dictionaries, when radiusd returns a Class, it's in
> hex, not as a string. Looking at the RFC, it looks to me like the
> dictionary is wrong. Can someone confirm this?

This has come up before. The type octets/string in the dictionary has *nothing* to do with what goes on the wire. All it affects is printing and parsing of configuration data on the server.

And for historical reasons (on both sides), the RFCs use "string" to mean opaque binary data, where FreeRADIUS uses "octets" to mean that.

> If I change dictionary.rfc2865 as follows:
>
> -ATTRIBUTE      Class           25      octets
> +ATTRIBUTE      Class           25      string
>
> It works just fine (ie. I get back Class = "OU=MYCOMPANY.COM"). Am
> I misusing the class attribute (ie. should it not be a string?), or
> is the dictionary wrong?

If you use Class like that, it works for you. But not everyone uses class like that. Some people send opaque binary strings in a Class attribute, and expect to see that data when it's printed, rather than weird characters with umlauts.

Alan DeKok.
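A small Python codec, added here to illustrate Alan's point rather than taken from the thread or from FreeRADIUS, encodes a Class attribute as the RFC 2865 type/length/value triple and then renders the decoded bytes once as "octets" and once as "string". The wire bytes are produced without any reference to a dictionary type; only the rendering step consults it. The printing rules (quote the value when it decodes to printable text, otherwise show 0x-hex) are an assumption that mimics the two outputs Geoff saw, not radclient's exact logic; the value "OU=MYCOMPANY.COM" is the one from his message and the binary sample is constructed.

```python
"""Dictionary type vs. wire format for the RADIUS Class attribute.

Added example; not FreeRADIUS code. Encoding follows the RFC 2865
attribute layout (1-byte type, 1-byte length including the header, value).
The two render() rules are an assumed imitation of how "octets" and
"string" values are printed, not the server's actual code.
"""
import struct

CLASS = 25  # attribute number of Class in dictionary.rfc2865 / RFC 2865


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type, length, value; the dictionary type plays no part here."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RFC 2865 attribute value must be 1..253 bytes")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def decode_avps(payload: bytes):
    """Walk a run of attributes, rejecting a length that runs off the end."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        avps.append((attr_type, payload[i + 2:i + length]))
        i += length
    return avps


def render(value: bytes, dict_type: str) -> str:
    """Print the same bytes the way an "octets" or a "string" entry would."""
    if dict_type == "string":
        try:
            text = value.decode("utf-8")
            if text.isprintable():
                return f'"{text}"'
        except UnicodeDecodeError:
            pass  # binary data: fall back to hex even under "string"
    return "0x" + value.hex()


def demo(value: bytes) -> dict:
    """Encode, decode and render one Class value under both dictionary types."""
    wire = encode_avp(CLASS, value)
    (_, decoded), = decode_avps(wire)
    return {"wire": wire.hex(),
            "octets": render(decoded, "octets"),
            "string": render(decoded, "string")}


if __name__ == "__main__":
    for sample in (b"OU=MYCOMPANY.COM", b"\x00\x01\xff"):   # text and constructed binary
        print(demo(sample))
```

The same Class bytes that print as 0x... under "octets" print as "OU=MYCOMPANY.COM" under "string", while the binary sample falls back to hex under both. RFC 2865 treats Class as opaque: the NAS is expected to echo it unchanged in accounting requests, so a server-side dictionary change is harmless on the wire but changes what an operator sees in logs and in any configuration that matches on the attribute.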
Re: Client certs with MSCHAPV2 in PEAP
"Dave Huff" <[EMAIL PROTECTED]> wrote: > > For EAP-TLS to work, the client certs have to be > > signed by the server cert. > Signed by the server cert or by the CA cert? I have a CA that signed the > server and client certs, and the eap.conf file knows where server and CA > certs are. If you're using 1.0.x, that won't work. It doesn't do certificate chains. The client cert MUST be signed by the server cert. Using a CA to sign them, both won't work. I'm not even sure it will work in 1.1.0, to be honest. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Help needed with MS-CHAP
"Charles Blake" <[EMAIL PROTECTED]> wrote: > I am trying to set up a freeradius-1.1.0 server for authenticating users > using MS-CHAP passwords. > > I pretend to authenticate users against shadow. It's impossible to use /etc/shadow and MS-CHAP. See the FAQ. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Solaris 8 - radiusd: Cannot find ELF
Mike Becker <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] radiusd
> radiusd: Cannot find ELF

It looks like a tool chain problem on Solaris. Search for "cannot find elf" in google. You'll see lots of links.

Alan DeKok.
Re: set 'Tunnel Private Group ID' based on OU in certificate?
Well, you'd approach it the same way you'd do group authentication in the users file. Check out the users file documentation, then just understand that rlm_sql is just another users file.

-Bob

Carl Wahlin wrote:
> > What I'm doing to set these, is via the rlm_sql module.
> >
> > The tables are pretty straight forward, and could be manipulated
> > programmatically. The sql tables are setup just like the users file,
> > and has group support and all.
> >
> > Maybe when you issue the cert, you could do some inserts into the DB?
> >
> > -Bob
>
> Sounds like something I should take a look at. I don't think I would need a separate entry for each cert. I would need one for each group of users belonging to ie. an OU. Not sure if I would be able to do this with the rlm_sql module, but I'll take a look.
>
> /Carl
>
> > Carl Wahlin wrote:
> > > Hello,
> > >
> > > Quite new to radius, so this might be a stupid question. Although I have
> > > been searching google for the last 2 hours trying to find the answer
> > > without any luck...
> > >
> > > So, we are testing ciscos new Airespace wlan controller and would like to
> > > map users based on "OrganizationalUnit" (or something else) in the
> > > certificate to a specific VLAN. Cisco calls this feature of changing
> > > default values with radius "AAA override". There are a few more things you
> > > can change (QoS profile etc), but we are only interested in the VLAN for
> > > now. I have managed to get it working for all EAP authentications but that
> > > does not at all serve my needs more than that I see that my wlan
> > > controller interprets the radius message correctly.
> > >
> > > DEFAULT Auth-Type := EAP
> > >         Tunnel-Type = 13,
> > >         Tunnel-Medium-Type = 6,
> > >         Tunnel-Private-Group-Id = 2
> > >
> > > So how can I get selective and change the Group-Id based on stuff in the
> > > certificate?
> > >
> > > /Carl W.
Help needed with MS-CHAP
Dear friends:

I am trying to set up a freeradius-1.1.0 server for authenticating users using MS-CHAP passwords. I pretend to authenticate users against shadow. I am using the default radius.conf and users files. I have included the microsoft dictionary in radiusclient.conf file.

radtest shows ok:

# radtest mts mypassword localhost 0 testing123
Sending Access-Request of id 160 to 127.0.0.1 port 1812
        User-Name = "mts"
        User-Password = "mypassword"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=160, length=20

But when I try to authenticate a user using MS-CHAP, I am getting this output:

rad_recv: Access-Request packet from host 127.0.0.1:1027, id=5, length=146
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "mts"
        MS-CHAP-Challenge = 0x6b61b1ed954a289c0fa3aebedc329ac6
        MS-CHAP2-Response = 0x8f0001684e1d34295e1232edb0682bd04e6e2caaa9579823e00501812d3e2dce9225b7dd251c02e1fd89
        Calling-Station-Id = "172.16.255.11"
        NAS-IP-Address = 192.168.181.254
        NAS-Port = 0
Wed Feb 22 20:47:07 2006 : Debug: Processing the authorize section of radiusd.conf
Wed Feb 22 20:47:07 2006 : Debug: modcall: entering group authorize for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP'
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authorize]: module "mschap" returns ok for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Feb 22 20:47:07 2006 : Debug: rlm_realm: No '@' in User-Name = "mts", looking up realm NULL
Wed Feb 22 20:47:07 2006 : Debug: rlm_realm: No such realm "NULL"
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authorize]: module "suffix" returns noop for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Wed Feb 22 20:47:07 2006 : Debug: users: Matched entry DEFAULT at line 152
Wed Feb 22 20:47:07 2006 : Debug: users: Matched entry DEFAULT at line 171
Wed Feb 22 20:47:07 2006 : Debug: users: Matched entry DEFAULT at line 183
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authorize]: module "files" returns ok for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Wed Feb 22 20:47:07 2006 : Debug: rad_check_password: Found Auth-Type MS-CHAP
Wed Feb 22 20:47:07 2006 : Debug: auth: type "MS-CHAP"
Wed Feb 22 20:47:07 2006 : Debug: Processing the authenticate section of radiusd.conf
Wed Feb 22 20:47:07 2006 : Debug: modcall: entering group MS-CHAP for request 0
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: Told to do MS-CHAPv2 for mts with NT-Password
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
Wed Feb 22 20:47:07 2006 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Wed Feb 22 20:47:07 2006 : Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall[authenticate]: module "mschap" returns reject for request 0
Wed Feb 22 20:47:07 2006 : Debug: modcall: leaving group MS-CHAP
Duplicate entries and incorrect accounting and authorization (Cont'd)
>> Basically I've got duplicate entries in radpostauth, no entries in
>> radacct and the NAS does not recognize the successful
>> authentication even though from the radius server point of view it
>> seems to get authentication right.
>
> Then either the reply is coming from an IP that the NAS doesn't
> like, or the shared secret is wrong.
>
> Once you get the NAS to accept the response from the server, the
> duplicate entries in will disappear, and accounting will start.
>
> I suggest using 'tcpdump' on the network to see what's going on with
> the RADIUS packets. Look at src/dst IP's...
>
> Alan DeKok.

Alan,

Thank you for your response. As you pointed out, by watching tcpdump outcome I see no Radius Responses coming back to the NAS (I do see Radius Requests going out the NAS though). The shared secret is fine and I use chillispot with the right configuration (pointing at the right radius server). Also, I did not introduce any changes at the NAS side from my previous working version. All changes were introduced at the Radius server side. Any more suggestions?

Thanks again,
-Bill
Solaris 8 - radiusd: Cannot find ELF
Hello. I am new to the freeradius application. I am trying to install freeradius-1.1.0 in a lab environment onto a Sun Ultra 10, running Solaris 8 02/04. I understand there are no pre-built packages available. I've now made it through the "configure, make, make install" process but whenever I attempt to start radiusd, I get the following output,

[EMAIL PROTECTED] radiusd
radiusd: Cannot find ELF
Killed

I've searched through the mailing list archives here and tried many suggestions but I'm still getting the same results. Here is some info on my system...

[EMAIL PROTECTED] uname -a
SunOS TE-Radius 5.8 Generic_117350-27 sun4u sparc SUNW,Ultra-5_10
[EMAIL PROTECTED] echo $CC
gcc
[EMAIL PROTECTED] echo $PATH
/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/etc:/usr/ccs/bin:/usr/local/sbin:.
[EMAIL PROTECTED] echo $LD_LIBRARY_PATH
/usr/local/lib

I added the following packages,
binutils-2.11.2
gdbm-1.8.3
libiconv-1.8
GNUzip
freeradius
glib-2.6.2
zlib-1.2.3
bash-3.0
gcc-3.4.2
gmake-3.80

[EMAIL PROTECTED] gcc -v
Reading specs from /usr/local/lib/gcc/sparc-sun-solaris2.8/3.4.2/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls
Thread model: posix
gcc version 3.4.2

[EMAIL PROTECTED] file /usr/local/sbin/radiusd
/usr/local/sbin/radiusd:        ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped

I suspect there may have been a problem during the compiling/installation but I am not familiar enough with this process to determine where the problem might be. I saved the output from "configure, make, make install". They're a little lengthy for an email. Perhaps I can ftp them somewhere for further review?

Thank you in advance!
Re: set 'Tunnel Private Group ID' based on OU in certificate?
> What I'm doing to set these, is via the rlm_sql module.
>
> The tables are pretty straight forward, and could be manipulated
> programmatically. The sql tables are setup just like the users file,
> and has group support and all.
>
> Maybe when you issue the cert, you could do some inserts into the DB?
>
> -Bob

Sounds like something I should take a look at. I don't think I would need a separate entry for each cert. I would need one for each group of users belonging to ie. an OU. Not sure if I would be able to do this with the rlm_sql module, but I'll take a look.

/Carl

> Carl Wahlin wrote:
>> Hello,
>>
>> Quite new to radius, so this might be a stupid question. Although I have
>> been searching google for the last 2 hours trying to find the answer
>> without any luck...
>>
>> So, we are testing ciscos new Airespace wlan controller and would like to
>> map users based on "OrganizationalUnit" (or something else) in the
>> certificate to a specific VLAN. Cisco calls this feature of changing
>> default values with radius "AAA override". There are a few more things you
>> can change (QoS profile etc), but we are only interested in the VLAN for
>> now. I have managed to get it working for all EAP authentications but that
>> does not at all serve my needs more than that I see that my wlan
>> controller interprets the radius message correctly.
>>
>> DEFAULT Auth-Type := EAP
>>         Tunnel-Type = 13,
>>         Tunnel-Medium-Type = 6,
>>         Tunnel-Private-Group-Id = 2
>>
>> So how can I get selective and change the Group-Id based on stuff in the
>> certificate?
>>
>> /Carl W.
dictionary.rfc2865 discrepancy?
Hi all,

With the stock dictionaries, when radiusd returns a Class, it's in hex, not as a string. Looking at the RFC, it looks to me like the dictionary is wrong. Can someone confirm this?

# echo 'User-Name= "geoff", Password = "geoff", NAS-IP-Address = 127.0.0.1, NAS-Port = 1' | /opt/reverb/bin/radclient -d /opt/reverb/share/dictionary -x 127.0.0.1:1812 auth 1234test1234
Sending Access-Request of id 73 to 127.0.0.1 port 1812
        User-Name = "geoff"
        Password = "geoff"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=73, length=57
        Connect-Info = "OFFICE"
        Class = 0x4f523e404e4c2d5447
        Filter-Id = "EMPLOYEE"

If I change dictionary.rfc2865 as follows:

-ATTRIBUTE      Class           25      octets
+ATTRIBUTE      Class           25      string

It works just fine (ie. I get back Class = "OU=MYCOMPANY.COM"). Am I misusing the class attribute (ie. should it not be a string?), or is the dictionary wrong?

Thanks.
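As an added example (not code from this thread, FreeRADIUS or radclient), the following decodes the attributes of the Access-Accept quoted above and renders them under both dictionary definitions of Class. The attribute bytes are constructed from the hex in the post, and the two dictionaries (STOCK_DICT, PATCHED_DICT) are my own minimal stand-ins for the real dictionary files.

```python
"""Decode the attribute area of a RADIUS packet and render it under two
dictionary definitions of Class (stock "octets" vs the poster's "string").

Added example for this thread, not FreeRADIUS or radclient code.  The packet
bytes are constructed here from the Access-Accept quoted above; the
rendering is a simplified imitation of radclient -x output."""
import struct

# Attribute numbers from RFC 2865 (Filter-Id, Class) and RFC 2869 (Connect-Info).
ATTR_FILTER_ID = 11
ATTR_CLASS = 25
ATTR_CONNECT_INFO = 77

# Minimal dictionaries: attribute number -> (name, type).  STOCK_DICT mirrors
# the shipped dictionary.rfc2865 line "ATTRIBUTE Class 25 octets";
# PATCHED_DICT is the poster's edit of that line to "string".
STOCK_DICT = {
    ATTR_FILTER_ID: ("Filter-Id", "string"),
    ATTR_CLASS: ("Class", "octets"),
    ATTR_CONNECT_INFO: ("Connect-Info", "string"),
}
PATCHED_DICT = dict(STOCK_DICT)
PATCHED_DICT[ATTR_CLASS] = ("Class", "string")


def encode_avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value(n); Length covers the header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(payload):
    """Split an attribute area into (type, value) pairs.

    The Length field is checked before slicing, so a truncated header or an
    oversized length raises instead of silently reading past the buffer."""
    avps = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = struct.unpack_from("!BB", payload, pos)
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        avps.append((attr_type, payload[pos + 2:pos + length]))
        pos += length
    return avps


def is_well_formed(payload):
    """True when decode_avps() accepts the attribute area without error."""
    try:
        decode_avps(payload)
        return True
    except ValueError:
        return False


def render(avps, dictionary):
    """Format pairs as 'Name = value'.  Type "string" prints printable ASCII
    quoted; "octets" (or any value with non-text bytes) prints as 0x hex, so
    the same wire bytes look different depending only on the dictionary type."""
    lines = []
    for attr_type, value in avps:
        name, vtype = dictionary.get(attr_type, ("Attr-%d" % attr_type, "octets"))
        printable = all(0x20 <= b < 0x7F for b in value)
        if vtype == "string" and printable:
            text = '"%s"' % value.decode("ascii")
        else:
            text = "0x" + value.hex()
        lines.append("%s = %s" % (name, text))
    return lines


# Constructed: the three attributes shown in the Access-Accept above.
ACCEPT_ATTRS = (
    encode_avp(ATTR_CONNECT_INFO, b"OFFICE")
    + encode_avp(ATTR_CLASS, bytes.fromhex("4f523e404e4c2d5447"))
    + encode_avp(ATTR_FILTER_ID, b"EMPLOYEE")
)

if __name__ == "__main__":
    avps = decode_avps(ACCEPT_ATTRS)
    print("stock dictionary (Class octets):")
    for line in render(avps, STOCK_DICT):
        print("\t" + line)
    print("patched dictionary (Class string):")
    for line in render(avps, PATCHED_DICT):
        print("\t" + line)
```

RFC 2865 defines Class as opaque octets that the NAS echoes back unmodified in accounting, so the dictionary type changes only how the value is displayed, not what goes on the wire; a Class value containing non-text bytes still falls back to hex under the "string" definition here.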
RE: Client certs with MSCHAPV2 in PEAP
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
>
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
>> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown
>> TLS Alert read:fatal:certificate unknown
>
> SSL is telling FreeRADIUS that the certificate sent by the
> client is bad.

That's what I thought too, but I configured the CA, server, and client certs all on Openssl pretty much like
http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html

Windows is using the cert I installed from the linux box, at least I have a choice in ProSET. If Windows overrides for some reason, I wouldn't know...can I set a debug mode that would tell me?

> You're probably doing EAP-TLS where the server has one
> cert, and the client has cert signed by someone else
> entirely. For EAP-TLS to work, the client certs have to be
> signed by the server cert.

Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs, and the eap.conf file knows where server and CA certs are.

Dan

> Alan DeKok.
Re: Problem returning attributes to Bluesocket
"David L Wolford" <[EMAIL PROTECTED]> wrote:
> A sniffer trace of the attempted authentication reveals that the
> Freeradius does request the attributes that I am interested in
> (x121address and edupersonprimaryaffiliation) and does receive the
> values back from LDAP. My problem is that these values are not then
> passed on to the Bluesocket gateway. What am I missing?

Those attributes are defined in LDAP, but not in RADIUS. Therefore, they can't go into a RADIUS packet.

> Portion of ldap.attrmap follows:
>
> checkItem       radiusx121address               x121address
> checkItem       edupersonprimaryaffiliation     edupersonprimaryaffiliation

The last column should be RADIUS attributes, as defined in a dictionary file. If you didn't define those attributes in a dictionary, then they will never go into a packet.

In addition, if the Bluesocket gateway doesn't mention those attributes in its documentation, then it won't understand them in a RADIUS packet. Please read the bluesocket docs to see what RADIUS attributes it understands. Then, see if those attributes are in the FreeRADIUS dictionaries. If they're not, add them. Then, make FreeRADIUS send those attributes.

See "man dictionary" for additional details.

Alan DeKok.
Re: Duplicate entries and incorrect accounting and authorization
<[EMAIL PROTECTED]> wrote:
> Basically I've got duplicate entries in radpostauth, no entries in
> radacct and the NAS does not recognize the successful
> authentication even though from the radius server point of view it
> seems to get authentication right.

Then either the reply is coming from an IP that the NAS doesn't like, or the shared secret is wrong.

Once you get the NAS to accept the response from the server, the duplicate entries will disappear, and accounting will start.

I suggest using 'tcpdump' on the network to see what's going on with the RADIUS packets. Look at src/dst IP's...

Alan DeKok.
Re: NTLM
Laker Netman <[EMAIL PROTECTED]> wrote:
> NTLM is sufficient to gain access to resources on
> Windows domain, "machine account" or no, in ANY
> windows domain flavor.

Yes, but the issue is the protocol that encapsulates NTLM. There are multiple versions of Windows "connect to DC" protocols. Some require massive amounts of code to obtain a working implementation. Others (e.g. rlm_smb) do not.

> My home PCs are not "work" domain members. In fact, I
> run my own "home" domain. So these home systems
> actually have different native security (machine
> account) credentials than my work PC.

And until you look at the packet traces, you have no idea which version of what protocols they're using. Odds are they're using the Win2K or XP-style "infinite number of packets" method to log into the DC.

Alan DeKok.
Re: NTLM
André Lemos <[EMAIL PROTECTED]> wrote:
>

PLEASE don't post HTML to the list.

Alan DeKok.
Re: limit the RADIUS threads
"DilipSimha.N.M" <[EMAIL PROTECTED]> wrote:
> so is there any method to limit the number of threads(2-3) that start
> when FREERADIUS is started???

Read radiusd.conf. Look for "thread".

Alan DeKok.
Re: NTLM
Phil Mayers <[EMAIL PROTECTED]> wrote:
> You seem convinced I'm operating from a state of ignorance. I'm quite
> willing to believe I'm wrong. Best of luck.

Let me retry.

Machine authentication is something "new" in post NT4 domain controllers. As such, to do it properly, the client is required to implement massive amounts of RPC nonsense.

User authentication is another story. The smbclient program can be used to demonstrate that users can be authenticated to a DC using NTLM, with a minimum number of packets, because it uses an older version of the protocol.

It's not that I think you're operating from a state of ignorance. It's that I think you're focussing on the wrong thing. The huge XP-style RPC stuff cannot be implemented in a small client, so I ignore it. The much smaller older protocol used by smbclient is demonstrably implemented in a small client: smbclient. There's no winbindd, smbd, or any other daemons required.

Alan DeKok.
Problem returning attributes to Bluesocket
Hi,

I am trying to set a wireless network where a client will use a Bluesocket gateway in conjunction with Freeradius to perform authentication. I want the radius server to authenticate a user in LDAP and return certain attributes to the Bluesocket gateway so that the gateway can place the user in a role based on those attributes. A sniffer trace of the attempted authentication reveals that the Freeradius does request the attributes that I am interested in (x121address and edupersonprimaryaffiliation) and does receive the values back from LDAP. My problem is that these values are not then passed on to the Bluesocket gateway. What am I missing?

Output from debug mode follows:

rad_recv: Access-Request packet from host A.B.C.D:32801, id=140, length=145
        User-Name = "someuser"
        User-Password = "somepwd"
        NAS-IP-Address = A.B.C.D
        Service-Type = Login-User
        Framed-IP-Address = W.X.Y.Z
        Called-Station-Id = "00:90:0B:02:DF:24"
        Calling-Station-Id = ""
        NAS-Identifier = "wg1.wireless.uab.edu"
        Acct-Session-Id = "00:90:0B:02:DF:24:1140706217"
        NAS-Port-Type = Wireless-802.11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for someuser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to myldap.com:389, authentication 0
rlm_ldap: bind as / to myldap.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding edupersonprimaryaffiliation as edupersonprimaryaffiliation, value staff & op=21
rlm_ldap: Adding x121address as radiusx121address, value wifi & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user someuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "someuser" with password "somepwd"
rlm_ldap: user DN: uid=someuser, ou=people, dc=uab, dc=edu
rlm_ldap: (re)connect to myldap.com:389, authentication 1
rlm_ldap: bind as uid=someuser, ou=people, dc=uab, dc=edu/somepwd to ldap.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user someuser authenticated succesfully
Sending Access-Accept of id 140 to A.B.C.D:32801

Portion of ldap.attrmap follows:

checkItem       radiusx121address               x121address
checkItem       edupersonprimaryaffiliation     edupersonprimaryaffiliation
replyItem       x121address                     radiusx121address

LDAP portion of radiusd.conf follows:

ldap {
        server = myldap.com
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = dc=uab,dc=edu
        filter = "(uid=%u)"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # tls_cacertfile        = /path/to/cacert.pem
        # tls_cacertdir         = /path/to/ca/dir/
        # tls_certfile          = /path/to/radius.crt
        # tls_keyfile           = /path/to/radius.key
        # tls_randfile          = /path/to/rnd
        # tls_require_cert      = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        #       0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword

        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = ra
Duplicate entries and incorrect accounting and authorization
I was using freeradius 1.05 with MYSQL 4.0 without any problems. I've upgraded the OS in my server (freebsd 5.1 to 6.0), upgraded to freeradius 1.10 and MySQL 4.1, copied the previous working raddb directory, initially preserving the same configuration files and I couldn't get things working back again.

Basically I've got duplicate entries in radpostauth, no entries in radacct and the NAS does not recognize the successful authentication even though from the radius server point of view it seems to get authentication right.

I've read the FAQ (my server has a single NIC), docs in the release (before, I was using the sqlcounter module but now I've decided to remove it since radiusd.conf already has the dailycounter and monthlycounter functionality that I needed) but still I can not get it right.

Here's the relevant info:

[EMAIL PROTECTED] /usr/local/sbin/radiusd -X -y
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = YYY.YYY.YYY.YYY IP address [YYY.YYY.YYY.YYY]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded SQL
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "root"
 sql: password = "password"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace = yes
 sql: sqltracefile = "/var/log/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
 sql: authorize_reply_quer
Re: NTLM
--- Alan DeKok <[EMAIL PROTECTED]> wrote:

> Phil Mayers <[EMAIL PROTECTED]> wrote:
>> Ok, different libntlm then. Have you got the URL handy?
>
> http://josefsson.org/libntlm/
>
>> I don't know what you mean by this. Samba can act as both a client and
>> (member) server for win2k/win2k3 authentication methods (GSS-SPNEGO
>> primarily) using machine account credentials acquired using that domains
>> native protocols (kerberos+LDAP).
>
> You keep saying "machine authentication". I'm talking about
> authenticating users.
>
> I did this using Samba & smbclient. There were 4 packets. Most of
> the packet content was NTLM stuff. There was no extra RPC nonsense,
> like is done with a normal XP login to a DC.
>
>> The point I am (badly) trying to communicate is that, with a microsoft
>> domain controller (NT4, win2k, win2k3), to execute the RPC call required
>> to validate an MS-CHAPv2 request and return the NT key you MUST have a
>> machine account in the domain
>
> For user authentication? I don't think so.
>
>> It's 4 packets for me too, but TCP segments on an already-open MSRPC
>> pipe to a domain controller.
>
> Uh, no. Try using smbclient to grab a list of shares from a domain
> controller. It's 4 packets to authenticate the user, start to finish.
> The rest of the traffic is the "get list of shares" stuff. And those
> packets happen after the authentication.
>
>> The SMB packets are SMB-signed/sealed, the
>> contents are a Netlogon SCHANNEL RPC which is itself further signed and
>> sealed, and the variety and number of versions of a call and versions of
>> structures passed as arguments are truly, truly bewildering.
>
> Yes. I've spent time looking at those RPC's, they're truly horrid.
>
> But... I can't argue with success. smbclient does NTLM
> authentication in 4 packets. Why can't we?
>
> I understand the whole complexity and RPC nonsense, but forgive me
> if I'm stuck on a working example.
>
> Try it. Start tcpdump listening on packets from your machine to a
> domain controller. Verify that there are no packets going to the DC.
> Run smbclient to get the list of shares. Look at how many packets go
> back and forth. Then, tell me it's a huge amount of work to replicate
> that traffic, because there are endless other RPC's that have to be
> done.
>
> I just don't believe it. And I don't understand why you think it's
> so complicated to reproduce that traffic. I *think* you're talking
> about reproducing an entirely different kind of traffic, with a lot
> more packets.
>
> I've spent time looking at the Windows AD RPC's. In order to do a
> full XP-style login, there are nearly billions of packets you have to
> send back and forth. There are CLDAP packets, RPC packets, and
> multiple kinds of crap inside of the RPC's. But smbclient doesn't do
> any of that. And it's very successful doing NTLM against a domain
> controller, where that domain controller refuses to allow rlm_smb to
> work.
>
> The point here is that smbclient is *not* doing a full XP-style
> login. That would be truly a large amount of work. Instead,
> smbclient is doing something much simpler.
>
> Again, try it. Then, explain why we need to do more to get the same
> result of authenticating the user.
>
> Alan DeKok.

NTLM is sufficient to gain access to resources on Windows domain, "machine account" or no, in ANY windows domain flavor. To wit: I access shares and printers on work systems from home, via vpn, by mapping a drive and specifying a different username/password than my home system login in the process. To let our work DC (mixed-mode W2K3 AD) know who I am (from its perspective) I qualify my credentials with my work domain. Thus, user: WORKDOMAIN\username password:

My home PCs are not "work" domain members. In fact, I run my own "home" domain. So these home systems actually have different native security (machine account) credentials than my work PC.

A machine account is required (and only available to NT-branch OSes, i.e., not 95, 98, ME) to allow the domain controller to administer the security of the "workstation". Things like group policy, (workstation-level) registry and share management, etc necessitate a machine account.

Laker
Re: set "Tunnel Private Group ID" based on OU in certificate?
What I'm doing to set these, is via the rlm_sql module.

The tables are pretty straight forward, and could be manipulated programmatically. The sql tables are setup just like the users file, and has group support and all.

Maybe when you issue the cert, you could do some inserts into the DB?

-Bob

Carl Wahlin wrote:
> Hello,
>
> Quite new to radius, so this might be a stupid question. Although I have
> been searching google for the last 2 hours trying to find the answer
> without any luck...
>
> So, we are testing ciscos new Airespace wlan controller and would like to
> map users based on "OrganizationalUnit" (or something else) in the
> certificate to a specific VLAN. Cisco calls this feature of changing
> default values with radius "AAA override". There are a few more things you
> can change (QoS profile etc), but we are only interested in the VLAN for
> now. I have managed to get it working for all EAP authentications but that
> does not at all serve my needs more than that I see that my wlan
> controller interprets the radius message correctly.
>
> DEFAULT Auth-Type := EAP
>         Tunnel-Type = 13,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-Id = 2
>
> So how can I get selective and change the Group-Id based on stuff in the
> certificate?
>
> /Carl W.
Re: how to configure my scenario
Hi,

> One question Stefan, in the Autz-Type file I read that
> the order should look like that:
>
> authorize{
>     preprocess
>     suffix
>     Autz-Type LDAP1 {
>         interface1
>     }
>     Autz-Type LDAP2 {
>         interface2
>     }
>     Autz-Type LDAP3 {
>         interface3
>     }
>     files
> }
>
> files is before or after Autz-Type lines in the
> authorize section?

Now that I think of it... I think I set Autz-Type already during preprocess, so files could be behind the Autz-Type stanzas. But it should work the other way around as well.

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu           Fax: +352 422473
Re: how to configure my scenario
--- Stefan Winter <[EMAIL PROTECTED]> wrote:

> Hi,
>
>> My problem is how to select the correct authorize
>> method of an instance depending on the NAS-IP-Address
>> of the Access-Request packet. For example, if the
>> NAS-IP-Address is a.b.c.d I would like to use the
>> authorize method of interface1 (and NOT the authorize
>> method of interface2 or interface3)
>
> to separate within the authorize section, you have set Autz-Type as well. That
> would be
>
> DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1, Autz-Type := LDAP1
> DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type :=LDAP2, Autz-Type := LDAP2
> DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type :=LDAP3, Autz-Type := LDAP3
>
> (just always make sure that files is before the interfaceX bits, to ensure
> that Autz-Type is already set. You can then do
>
>> authorize{
>>     preprocess
>>     suffix
>>     files
>     Autz-Type LDAP1 {
>         interface1
>     }
>     Autz-Type LDAP2 {
>         interface2
>     }
>     Autz-Type LDAP3 {
>         interface3
>     }
>> }

One question Stefan, in the Autz-Type file I read that the order should look like that:

authorize{
    preprocess
    suffix
    Autz-Type LDAP1 {
        interface1
    }
    Autz-Type LDAP2 {
        interface2
    }
    Autz-Type LDAP3 {
        interface3
    }
    files
}

files is before or after Autz-Type lines in the authorize section?

Thank you very much

Peter

> That should work, I did a very similar thing just last week :-)
>
> Greetings,
>
> Stefan Winter
Re: how to configure my scenario
Hi,

> My problem is how to select the correct authorize
> method of an instance depending on the NAS-IP-Address
> of the Access-Request packet. For example, if the
> NAS-IP-Address is a.b.c.d I would like to use the
> authorize method of interface1 (and NOT the authorize
> method of interface2 or interface3)

to separate within the authorize section, you have set Autz-Type as well. That would be

DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1, Autz-Type := LDAP1
DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type :=LDAP2, Autz-Type := LDAP2
DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type :=LDAP3, Autz-Type := LDAP3

(just always make sure that files is before the interfaceX bits, to ensure that Autz-Type is already set. You can then do

> authorize{
>     preprocess
>     suffix
>     files
    Autz-Type LDAP1 {
        interface1
    }
    Autz-Type LDAP2 {
        interface2
    }
    Autz-Type LDAP3 {
        interface3
    }
> }

That should work, I did a very similar thing just last week :-)

Greetings,

Stefan Winter

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu           Fax: +352 422473
Re: how to configure my scenario
----- Original Message -----
From: "Peter Manckok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Thursday, February 23, 2006 11:52 AM
Subject: Re: how to configure my scenario

> --- Phil Mayers <[EMAIL PROTECTED]> wrote:
>
>> Peter Manckok wrote:
>>>
>>> authenticate {
>>>     ..
>>>     Auth-Type LDAP1 {
>>>         interface1
>>>     }
>>>     Auth-Type LDAP2 {
>>>         interface2
>>>     }
>>>     Auth-Type LDAP3 {
>>>         interface3
>>>     }
>>>
>>> }
>>>
>>> In my authorize section I have:
>>> authorize{
>>>
>>>     files
>>>     ...
>>> }
>>>
>>> In my users file I have:
>>> DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1
>>> DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type :=LDAP2
>>> DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type :=LDAP3
>>>
>>
>> Provided there's nothing after the "files" in "authorize" that might be
>> (re)setting Auth-Type, that should work.
>
> Thanks for the warning
>
>> Don't snip bits out - what is
>> the full contents of the authorize and authenticate sections? What does
>> the radius server say when you run it in debug mode (with -X)?
>
> Hi Phil,
>
> My problem is how to select the correct authorize
> method of an instance depending on the NAS-IP-Address
> of the Access-Request packet. For example, if the
> NAS-IP-Address is a.b.c.d I would like to use the
> authorize method of interface1 (and NOT the authorize
> method of interface2 or interface3)
>
> I haven't tested it yet, I am not in my company now
>
> In the authorize section I have:
>
> authorize{
>     preprocess
>     suffix
>     files
>     ??? ---> how can I discriminate between the
> different authorize methods of interface1,
> interface2, interface3 depending on the source
> NAS-IP-Address?
> }
>
> In the authenticate section:
>
> authenticate {
>
>     Auth-Type LDAP1 {
>         interface1
>     }
>     Auth-Type LDAP2 {
>         interface2
>     }
>     Auth-Type LDAP3 {
>         interface3
>     }
>     unix
> }
>
>
> Thanks again
>
> Any hint is very appreciated
>
> Peter

Use Autz-Type to select between authorization methods
Re: how to configure my scenario
--- Phil Mayers <[EMAIL PROTECTED]> wrote:

> Peter Manckok wrote:
>>
>> authenticate {
>>     ..
>>     Auth-Type LDAP1 {
>>         interface1
>>     }
>>     Auth-Type LDAP2 {
>>         interface2
>>     }
>>     Auth-Type LDAP3 {
>>         interface3
>>     }
>>
>> }
>>
>> In my authorize section I have:
>> authorize{
>>
>>     files
>>     ...
>> }
>>
>> In my users file I have:
>> DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1
>> DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type :=LDAP2
>> DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type :=LDAP3
>>
>
> Provided there's nothing after the "files" in "authorize" that might be
> (re)setting Auth-Type, that should work.

Thanks for the warning

> Don't snip bits out - what is
> the full contents of the authorize and authenticate sections? What does
> the radius server say when you run it in debug mode (with -X)?

Hi Phil,

My problem is how to select the correct authorize method of an instance depending on the NAS-IP-Address of the Access-Request packet. For example, if the NAS-IP-Address is a.b.c.d I would like to use the authorize method of interface1 (and NOT the authorize method of interface2 or interface3)

I haven't tested it yet, I am not in my company now

In the authorize section I have:

authorize{
    preprocess
    suffix
    files
    ??? ---> how can I discriminate between the different authorize methods of interface1, interface2, interface3 depending on the source NAS-IP-Address?
}

In the authenticate section:

authenticate {
    Auth-Type LDAP1 {
        interface1
    }
    Auth-Type LDAP2 {
        interface2
    }
    Auth-Type LDAP3 {
        interface3
    }
    unix
}

Thanks again

Any hint is very appreciated

Peter
Re: NTLM
Alan DeKok wrote:

I understand the whole complexity and RPC nonsense, but forgive me if I'm stuck on a working example. You seem convinced I'm operating from a state of ignorance. I'm quite willing to believe I'm wrong. Best of luck.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NTLM
So this is the only way to get NT/LM for an AD server?

Gilmour, Scott wrote:

> I read that you need to set up ntlm_auth to get Machine Authentication to work with Active Directory. How do I properly set up ntlm_auth to do this?
>
> Thanks,
>
> Scott Gilmour
> Software Engineer
> ENET, & ENSRT
> Enterasys Networks
> Phone: 978-684-1236
> Email: sgilmour@enterasys.com
> www: http://www.enterasys.com

--
André Ventura Lemos
Software Engineer
Critical Software, SA
MSN: [EMAIL PROTECTED]
GSM: +351916401042
TLF: +351239989100

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
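The pieces of a FreeRADIUS 1.1.x radiusd.conf that hand MS-CHAP (including PEAP's inner MS-CHAPv2) to Samba's ntlm_auth, as an added example that is not part of this thread. MYDOMAIN and the ntlm_auth path are placeholders; the assumption is that the host running radiusd has already been joined to the domain and is running winbindd, since ntlm_auth does nothing but talk to winbindd.

```conf
# Added example (not from the thread). FreeRADIUS 1.1.x radiusd.conf.
# MYDOMAIN and /usr/bin/ntlm_auth are placeholders for your site.

modules {
	mschap {
		authtype = MS-CHAP
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
		# Strip a leading "DOMAIN\" from the user name the client sent.
		with_ntdomain_hack = yes
		# Instead of needing the NT hash locally, pass the challenge and
		# the client's NT-Response to winbind, which verifies them
		# against a domain controller. The user's password itself never
		# reaches radiusd or this command line.
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}
}

authorize {
	preprocess
	# mschap recognises MS-CHAP attributes and sets Auth-Type := MS-CHAP
	mschap
	eap
	files
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	# PEAP's inner MS-CHAPv2 is handed to the MS-CHAP sub-section above
	eap
}
```

For PEAP, eap.conf additionally needs default_eap_type = peap and, inside the peap block, default_eap_type = mschapv2; the server certificate settings there are unchanged. Two checks when it does not work: the user radiusd runs as must be allowed to reach winbindd's privileged pipe, otherwise --request-nt-key is refused; and for a machine account, look in the radiusd -X output at the --username value that is built from the identity the client sent, because winbind expects the machine account name (the host name with a trailing $), not the host/ form the client may present.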
users authorization
I've got several questions on freeradius. My task is to send reject to users whose usernames can be found in the database. Now, as far as I understand, the sql module supposes authorization for users who are included in the database. That is to say, it works vice versa (sends accept if the user is included in the database). Could you, please, help me with implementation of my variant of authorization?

PS: Earlier I was using xtradius and running a perl script, which was sending requests to the database. But, unfortunately, it's ineffective, because a permanent connection to mysql is necessary. That's why I decided to deal with freeradius.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
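One way to turn the sql module into a deny list in FreeRADIUS 1.x, as an added example that is not part of this post. The sql module does not decide accept or reject by itself; it returns whatever check items are stored for the user, and a check item of Auth-Type := Reject makes the server reject that user without authenticating. The radcheck rows are constructed sample data and blocked-user is a placeholder name.

```conf
# Added example (not from the post). FreeRADIUS 1.x.

# --- radcheck rows (constructed sample data, in the columns the stock
# sql.conf authorize_check_query reads) ---
#   id | username     | attribute | op | value
#   1  | blocked-user | Auth-Type | := | Reject
#
# The same check item written in the users file, for comparison:
#   blocked-user  Auth-Type := Reject

authorize {
	preprocess
	files
	# sql runs last so the ":=" from radcheck overrides any Auth-Type a
	# DEFAULT entry in the users file may have set. A user with no
	# radcheck row gets "notfound" from sql and continues as before.
	sql
}
```

If adding an Auth-Type row for every name is unwanted, the query itself can supply the check item: point authorize_check_query in sql.conf at the existing table and return the attribute, value and operator as constant columns, in the same column order as the stock query (for a placeholder table blocked_users: SELECT id, username, 'Auth-Type', 'Reject', ':=' FROM blocked_users WHERE username = '%{SQL-User-Name}'). Either way the list fails closed: if the database is unreachable, sql returns fail, the authorize section stops, and the request is not accepted, which is the behaviour discussed earlier on this page under configurable fail-over.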
limit the RADIUS threads
Hi,

I would like to have 2-3 instances of FreeRADIUS running on my system. So is there any method to limit the number of threads (2-3) that start when FreeRADIUS is started?

--DilipSimha

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
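Reading the question as "how many worker threads does one radiusd process start", this is the thread pool section of a FreeRADIUS 1.x radiusd.conf with the pool capped at three threads, as an added example that is not part of the post.

```conf
# Added example (not from the post). FreeRADIUS 1.x radiusd.conf.
# Caps the worker threads of one radiusd process at three.
thread pool {
	# threads created at startup
	start_servers = 2
	# hard upper bound on worker threads; further requests queue
	max_servers = 3
	# keep between one and two idle threads: the pool grows (never past
	# max_servers) when fewer than min_spare are idle and shrinks when
	# more than max_spare are idle
	min_spare_servers = 1
	max_spare_servers = 2
	# 0 = a thread is never retired after a fixed number of requests
	max_requests_per_server = 0
}
```

If the aim is really two or three separate daemons, threads are the wrong knob: start each one with its own configuration directory (radiusd -d /path/to/raddb-two) in which port, bind_address and pidfile differ from the other instances, and give each its own thread pool section as above.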
SV: SV: Any Trusted CA problem
Alan DeKok wrote:

> "Torkel Mathisen" <[EMAIL PROTECTED]> wrote:
> > I don't use client certificates I think. At least I haven't installed any
> > certificates on my clients.
>
> It looks like the client is sending one.
>
> > So how can I fix that? Just delete the client certificate from the
> > radius server ?
>
> No, delete it from the client.

I'm sorry, but I don't understand why this is the client certificate. The problem is that on my clients I have to uncheck the "Validate server certificate" option. Only when I uncheck that, the authentication with radius works. And the problem is that some drivers don't let you do that. Even if it's set to "Any trusted CA" it doesn't work.

There is a picture of that option here (even though this is for EAP-TLS, which I'm not using): http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html (search for "Validate server certificate")

Regards,
Torkel

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
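The server side of the "Validate server certificate" problem, as an added example that is not part of the thread: the tls section of a FreeRADIUS 1.x eap.conf, annotated with what the client checks. When that box is ticked the client only continues if it can build a chain from the certificate the server sends to a CA in its own trusted-root store; "Any trusted CA" merely widens which store entries qualify. Unticking it makes any access point presenting any certificate acceptable to the client, so the fix is to make the chain verifiable rather than to stop verifying. File names are placeholders from the stock layout.

```conf
# Added example (not from the thread). FreeRADIUS 1.x eap.conf.
eap {
	default_eap_type = peap
	tls {
		private_key_password = whatever
		private_key_file = ${raddbdir}/certs/server.key
		# Server certificate first, followed by any intermediate CA
		# certificates, so the client receives every link of the chain
		# up to the root it has installed. A client validating the
		# server rejects it if a link is missing; Windows clients also
		# require the Server Authentication extended key usage on
		# the server certificate.
		certificate_file = ${raddbdir}/certs/server.pem
		# The CA that issued server.pem; this (not server.pem) is what
		# has to be installed as a trusted root on the clients.
		CA_file = ${raddbdir}/certs/ca.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		fragment_size = 1024
	}
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}
```

With this in place the client-side setting can stay enabled: install ca.pem in the clients' trusted-root store and, where the supplicant allows it, restrict it to that one CA rather than "Any trusted CA", so that a certificate from some other public CA cannot be used to impersonate the server.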