Re: Open Authentication for a realm

2006-02-27 Thread John Oxley
On Fri, Feb 24, 2006 at 11:39:17AM -0500, Dusty Doris wrote:
> >I want to have open authentication on a realm and setup an IP pool for
> >that realm.  So if your username is [EMAIL PROTECTED], you will be
> >authenticated, no matter what your password is and you will be given an
> >IP from the pool 10.0.0.0/24.  Where in the config files do I have to
> >put this?
> 
> users file will work

Two questions:
1. How do you specify a realm as opposed to a specific username?
2. How do you specify a pool of IPs to use?

-- 
John Oxley
Systems Administrator
Yo!Africa
E-Mail:  john at yoafrica.com
Tel: +263 4 858404
echo '9k[l:l;sx]s"[1+l>] 
s>[q]s-[d77/3*2-s;47l"x-P1+d78>`]s`0[d23/.5-3*s:0l`xr10P1+d24>$]ds$x'|dc
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: Disconnect the user if reach the limit

2006-02-27 Thread Yudi Wijaya
Hello Alan,

Wednesday, February 22, 2006, 12:25:07 AM, you wrote:

> Yudi Wijaya <[EMAIL PROTECTED]> wrote:
>> How do I disconnect a user when they reach the usage limit (e.g. 50
>> hours, 50 MBytes)? It depends on their prepaid registration, so it will be
>> stored at RADIUS (MySQL Database). Everyone can register via web based
>   For 50 hours, see rlm_counter.
+ hmm.. I will use rlm_sqlcounter, I'll test it this week.. please
help me if I get a problem, ok? :) thanks

>   For 50MBytes, it's not really possible.
+ is there any trick for it? I really want to implement that, so when a
user reaches 500 MBytes they will be disconnected and cannot log in until they
re-fill the deposit.
I believe you have some trick for this, because you're an expert on
this :) please give details :)

-- 
Best regards,
 Yudi Wijaya
 +62-856-1022800



type of lvalue in VALUE_PAIR

2006-02-27 Thread Seferovic Edvin
Hi,

I know this question is probably for the developer list, but I think someone
can answer me without any further complications ;)

As I "promised", I am patching freeradius ( sqlcounter actually ) so it can
do traffic accounting. I have patched it but since I want to have the
ability to set the limit by entering the amount of bytes ( in my backend ),
I am limited by lvalue of value_pair struct. So values above a (ca) 4 GB are
above the limit of uint32 right? What can I do to increase the limit without
crashing the freeradius functions. Can I simply change it to uint64_t ( 2
^64 should be enough ;) ) ??? 

Regards,

Edvin

PS: the patched freeradius is working and is able to account traffic, but I
think it would not be RFC compliant because I haven't found the needed
attributes in the dictionaries




how to confirm locally??

2006-02-27 Thread pelusa vali
hi everybody, I'm using Debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 
0.5.1, freeradius 1.0.5, madwifi-ng-r1406. I want to use EAP-TLS in my WLAN 
and over my own AP on Linux. I could install and configure all programs 
(except hostapd, which I installed from the .deb package instead of compiling it myself); 
now I have my certificates and programs running, but when I try to connect a 
Windows client I get this error: "Received packet from (my freeradius server 
IP address) with invalid Message Authenticator (invalid signature) (shared 
secret is incorrect)". I generated the certificates using WinXP extensions. So my 
question is: is there any way I can test my certificates from freeradius? 
Any command? Or maybe install wpa-supplicant on my Debian box and test from 
there (authenticator and supplicant on the same machine?). If clients try to 
connect without freeradius and hostapd running it's possible, but with these 
two programs running the clients immediately lose their IP address and show the message 
"Error authenticating".

could any body try to help?
thanks in advance for your help and time.




freeradius authorization without "username"

2006-02-27 Thread ???????, ?? ????????
I have a freeradius, and I need "Calling-Station-Id" for authorization. This is 
the one attribute, which I select in the radiusd.conf

checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id

# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id

# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string

# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
notfound-reject = yes
}
(But in fact, I do not use this)

Why, when freeradius receives the access-request packet and the "username" field 
is empty, do we get access-denied?
I use the SQL authorization module.
In the database (I use it as a blacklist: if Calling-Station-Id exists in the 
list, then access is denied):
+----+-----------------------------+-----------+----+--------+
| id | UserName                    | Attribute | op | Value  |
+----+-----------------------------+-----------+----+--------+
|  2 | 333922                      | Auth-Type | == | Reject |
|  1 | all_users_not_in_black_list | Auth-Type | == | Accept |
+----+-----------------------------+-----------+----+--------+

From sql.conf:
authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authcheck_table} \
  WHERE Username = IF(Username='%{SQL-User-Name}','%{SQL-User-Name}','all_users_not_in_black_list') \
  LIMIT 1"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authreply_table} \
  WHERE Username = 'all_users_not_in_black_list' \
  ORDER BY id"

So, info from radiusd in debug mode:

rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1812, id=182, 
length=113
NAS-Identifier = "ggsn2"
User-Name = ""
User-Password = ""
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Virtual
Called-Station-Id = "1000"
Calling-Station-Id = "333925"
Acct-Session-Id = "d45d6126057478b1"
Acct-Multi-Session-Id = "d45d6126b77a"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/auth-detail.log'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail.log expands to 
/usr/local/var/log/radius/radacct/auth-detail.log
  modcall[authorize]: module "auth_log" returns ok for request 0
rlm_sql (sql): zero length username not permitted
  modcall[authorize]: module "sql" returns invalid for request 0
modcall: leaving group authorize (returns invalid) for request 0
Invalid user: [/] (from client ggsn2 port 0 cli 3719248521)
Sending Access-Reject of id 182 to XXX.XXX.XXX.XXX port 1812

I don't care what kind of username we have! How can I avoid this problem? 
:-( Can someone help me with this question?

Here is the part of my radiusd.conf file:
<...skipped...>
modules {
checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id

# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id

# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string

# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
notfound-reject = yes
}

preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

with_ascend_hack = no
ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no
}

# Livingston-style 'users' file
#
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users

#  If you want to use the old Cistron 'users' file
#  with FreeRADIUS, you should change the next line
#  to 'compat = cistron'.  You can the copy your 'users'
#  file from Cistron.
compat = no
}

# Write a detailed log of all accounting records received.
#
detail {
detailfile = ${radacctdir}/acct-detail.log
detailperm = 0600
}

detail auth_log {
detailfile = ${radacctdir}/auth-detail.log
detailperm = 0600
}

detail reply_log {
detailfile = ${radacctdir}/reply-detail.log
detailperm = 0600
}

$

re: Client certs with MSCHAPV2 in PEAP

2006-02-27 Thread Norbert Wegener

"Dave Huff" <http://lists.freeradius.org/mailman/listinfo/freeradius-users> wrote:
> > For EAP-TLS to work, the client certs have to be
> > signed by the server cert.
> Signed by the server cert or by the CA cert?  I have a CA that signed the
> server and client certs, and the eap.conf file knows where server and CA
> certs are.

 If you're using 1.0.x, that won't work.  It doesn't do certificate
chains.  The client cert MUST be signed by the server cert.  Using a
CA to sign them, both won't work.

 I'm not even sure it will work in 1.1.0, to be honest.

 Alan DeKok


In 1.1.0 I have chained client certificates and for me EAP-TLS works,
if the client does not require the server to authenticate itself. 
The client cert is not signed by the server cert. 
It seems to be neccessary,that if you have a root ca and an issuing ca, 
the CA_file must contain the certificates of both of them.

If the client requires the server to authenticate itself, the whole process 
fails.

Norbert Wegener




Re: freeradius authorization without "username"

2006-02-27 Thread Phil Mayers

???, ??  wrote:

> rlm_sql (sql): zero length username not permitted
>   modcall[authorize]: module "sql" returns invalid for request 0


This has been discussed at length recently. You would need to patch the 
code.


LDAP auth and different use of access_attr

2006-02-27 Thread John Keimel
I've a FreeRADIUS server (1.0.2, from debian stable) that is set up to 
authenticate users of a VPN into the network.


I've presently got the firewall talking to FreeRADIUS, which then talks 
to LDAP and checks for the existence of access_attr: vpntype


If the user's profile has the attribute vpntype in it, they're let in.

What we'd rather do is allow access based on the value of access_attr. 
So rather than just allowing if it exists, we might later pass on some 
extra rights to people in different groups: vpntype: foo or
vpntype: bar or vpntype: baz - whatever those values might be.


Am I looking in the wrong spot for this ? Is access_attr: the right 
place to put such a setting? Or is there someplace else.


I've done some basic searches of the mail archive, but I think my 
barking up the wrong tree may be causing my searches to be too broad. 
Pointers towards fine tuning my search or possibly some threads on 
this, would be welcome.


Thanks

j



Re: Re[2]: Disconnect the user if reach the limit

2006-02-27 Thread Alan DeKok
Yudi Wijaya <[EMAIL PROTECTED]> wrote:
> >   For 50MBytes, it's not really possible.
> + is there any trick of it? i really want implement that, so when
> user reach 500 MBytes will be disconnect and can not login until they
> re-fill the deposit.

  The most you can do is to write a script that runs when accounting
packets are received.  If the user is over their limit, that script can
do something (it depends on the NAS) to the NAS to disconnect them.

  Alan DeKok.



Re: type of lvalue in VALUE_PAIR

2006-02-27 Thread Alan DeKok
"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> As I "promised", I am patching freeradius ( sqlcounter actually ) so it can
> do traffic accounting. I have patched it but since I want to have the
> ability to set the limit by entering the amount of bytes ( in my backend ),
> I am limited by lvalue of value_pair struct. So values above a (ca) 4 GB are
> above the limit of uint32 right?

  Yes.

> What can I do to increase the limit without crashing the freeradius
> functions. Can I simply change it to uint64_t ( 2 ^64 should be
> enough ;) ) ???

  See the dictionaries.  Use Acct-Input-Gigawords

> PS: the patched freeradius is working and is able to account traffic, but I
> think it would not be RFC compliant because I haven't found the needed
> attributes in the dictionaries

  Which attributes?

  Alan DeKok.


Re: logging Access-Reject messages

2006-02-27 Thread Geoff Silver
Richard Marriner II wrote:
> Geoff Silver wrote:
> 
>> post-auth {
>> reply_log
>> }
>>   
> 
> 
> Mine looks like this, I log to an sql db.  I am sure you could replace
> "sql" with "reply_log".
> 
> post-auth {
>sql
>Post-Auth-Type REJECT {
>sql
>}
> }
> 

That worked.  Thanks!  I'm surprised Post-Auth-Type ACCEPT is logged by
default, but not REJECT.  *shrugs*.

Thanks again ;-)


Re: FreeRadius and MySQL boot problem

2006-02-27 Thread Alan DeKok
"Diniz Da Rocha" <[EMAIL PROTECTED]> wrote:
> The MySQL server is on another server with ip "myip" I initially thought it
> was a firewall block but even with no firewall I get this error. But once
> the server has started and I run "service radiusd restart" from a terminal
> the connect to the MySQL server works fine and has no problems. I even tried
> running the service from rc.local but it still fails did anyone have this
> problem??? is anyone running the MySQL server on another machine Is
> there a fix for this???

  The server *should* re-connect to MySQL after a period of time.  If
it doesn't, it's a bug.

  Alan DeKok.



Re: LDAP auth and different use of access_attr

2006-02-27 Thread Alan DeKok
John Keimel <[EMAIL PROTECTED]> wrote:
> What we'd rather do is allow access based on the value of access_attr. 
> So rather than just allowing if it exists, we might later pass on some 
> extra rights to people in different groups: vpntype: foo or
> vpntype: bar or vpntype: baz - whatever those values might be.

  Use LDAP-Group.

  Alan DeKok.


another sql database

2006-02-27 Thread debik



I have got another database on my server. It is used 
by ISP accounting. In this database is the table called users, where the logins 
and passwords are.
I have tried to put another module called sql1 in radiusd.conf 
and create the file sql1.conf.
When I start radius it tells me that the parameters 
are in attribute = format.
I know what I'm doing wrong, but is there any way to 
correct this?
I know the RFC about freeradius and suppose there 
is no way to do this.
 

RE: type of lvalue in VALUE_PAIR

2006-02-27 Thread Seferovic Edvin

>"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
>> As I "promised", I am patching freeradius ( sqlcounter actually ) so it
>can
>> do traffic accounting. I have patched it but since I want to have the
>> ability to set the limit by entering the amount of bytes ( in my backend
>),
>> I am limited by lvalue of value_pair struct. So values above a (ca) 4 GB
>are
>> above the limit of uint32 right?
>
>  Yes.

I was taking about variable in the struct value_pair ( libradius.h ). 

>> What can I do to increase the limit without crashing the freeradius
>> functions. Can I simply change it to uint64_t ( 2 ^64 should be
>> enough ;) ) ???
>
>  See the dictionaries.  Use Acct-Input-Gigawords

Okay - but I suppose I will have to patch my NAS ( Poptop server ) to use
Acct-Input-GigaWords and Output- instead of Octets. Still if I patch my NAS
to send GigaWords.. when I use sqlcounter to count the MBs I will still not
be able to compare the check-name which is written into uint32 variable.
Shouldn't this be patched too ( I am not a professional programmer - so
excuse my "silly" question ). 

>> PS: the patched freeradius is working and is able to account traffic, but
>I
>> think it would not be RFC compliant because I haven't found the needed
>> attributes in the dictionaries
>
>  Which attributes?

Poptop server accepts Session-Octets-Limit for the traffic limit ( actually
it is ppp that is doing the limiting ). So I've added this attribute to my
dictionary. PPP also needs Octets-Direction so it can know which traffic
flow to count. I've added both attributes and it is working ( for 2^32 ).

Can you give me some directives how to implement this. Maybe to extend the
config of sqlcounter and value_pair struct?

Thank you in advance
>
>  Alan DeKok.



Re: type of lvalue in VALUE_PAIR

2006-02-27 Thread Alan DeKok
"Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> Okay - but I suppose I will have to patch my NAS ( Poptop server ) to use
> Acct-Input-GigaWords and Output- instead of Octets. Still if I patch my NAS
> to send GigaWords.. when I use sqlcounter to count the MBs I will still not
> be able to compare the check-name which is written into uint32 variable.
> Shouldn't this be patched too ( I am not a professional programmer - so
> excuse my "silly" question ). 

  Yes, but that doesn't have much to do with RADIUS attributes.

  If your NAS doesn't send the Gigawords attributes, then why are you
worried about people using more than 4G of traffic?  Your NAS will
never tell the server that the user had more than 4G of traffic.

> Poptop server accepts Session-Octets-Limit for the traffic limit ( actually
> it is ppp that is doing the limiting ). So Ive added this attribute to my
> dictionary. PPP also needs Octets-Direction so it can know which traffic
> flow to count. Ive added both attributes and it is working ( for 2^32 ).

  Ah, Ok.

> Can you give me some directives how to implement this. Maybe to extend the
> config of sqlcounter and value_pair struct?

  I don't see how that will help if your NAS doesn't send the Gigaword
attributes.

  If it does send them, then yes, you'll have to update the sqlcounter
module to handle 64-bit numbers.  But you don't need to update any of
the valuepair structures.

  Alan DeKok.


RE: type of lvalue in VALUE_PAIR

2006-02-27 Thread Jonathan De Graeve
> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On behalf of Alan
> DeKok
> Sent: Monday, 27 February 2006 23:17
> To: [EMAIL PROTECTED]; FreeRadius users mailing list
> Subject: Re: type of lvalue in VALUE_PAIR
> 
> "Seferovic Edvin" <[EMAIL PROTECTED]> wrote:
> > Okay - but I suppose I will have to patch my NAS ( Poptop server ) to use
> > Acct-Input-GigaWords and Output- instead of Octets. Still if I patch my NAS
> > to send GigaWords.. when I use sqlcounter to count the MBs I will still not
> > be able to compare the check-name which is written into uint32 variable.
> > Shouldn't this be patched too ( I am not a professional programmer - so
> > excuse my "silly" question ).
> 
>   Yes, but that doesn't have much to do with RADIUS attributes.
> 
>   If your NAS doesn't send the Gigawords attributes, then why are you
> worried about people using more than 4G of traffic?  Your NAS will
> never tell the server that the user had more than 4G of traffic.
> 
The nice thingy about this is that most NASes just wrap around at 2GB
(2^31, signed int instead of 2^32, unsigned int)

> > Poptop server accepts Session-Octets-Limit for the traffic limit ( actually
> > it is ppp that is doing the limiting ). So I've added this attribute to my
> > dictionary. PPP also needs Octets-Direction so it can know which traffic
> > flow to count. I've added both attributes and it is working ( for 2^32 ).
> 
>   Ah, Ok.
> 
> > Can you give me some directives how to implement this. Maybe to extend the
> > config of sqlcounter and value_pair struct?
> 
>   I don't see how that will help if your NAS doesn't send the Gigaword
> attributes.
> 
>   If it does send them, then yes, you'll have to update the sqlcounter
> module to handle 64-bit numbers.  But you don't need to update any of
> the valuepair structures.

You could do it by using a multiplicator, say using kbytes/mbytes
instead of bits/bytes. That will save you the 64-bit numbering within
sqlcounter.

SQL can handle this with the builtin calculation functions

J.


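The accounting-time check that Alan describes in the "Disconnect the user" thread, combined with the Gigawords and 64-bit discussion above and Jonathan's kilobyte/megabyte multiplier, as an added Python example. This is not FreeRADIUS code and not the sqlcounter patch under discussion; it assumes the accounting packet has already been parsed into a dict of attribute name to string value, the sample records are constructed, and what the script then does to the NAS (which depends on the NAS, as Alan says) is left to the caller.

```python
"""Usage-limit check over RADIUS accounting attributes.

Added example, not FreeRADIUS code. It assumes the accounting packet has
already been parsed into a dict of attribute name -> string value, as the
thread's per-accounting-packet script would see it.
"""
from __future__ import annotations

from typing import Mapping

GIGAWORD = 1 << 32        # one Acct-*-Gigawords unit is 2^32 octets (RFC 2869)
UINT32_MAX = (1 << 32) - 1
MIB = 1 << 20


def total_octets(attrs: Mapping[str, str], direction: str) -> int:
    """Combine Acct-<direction>-Octets and Acct-<direction>-Gigawords.

    direction is "Input" or "Output". Without Gigawords the NAS can only
    report up to 2^32-1 octets (the ~4 GB ceiling discussed in the thread);
    Gigawords carries the high 32 bits, giving a 64-bit count.
    """
    octets = int(attrs.get(f"Acct-{direction}-Octets", 0))
    gigawords = int(attrs.get(f"Acct-{direction}-Gigawords", 0))
    if not (0 <= octets <= UINT32_MAX and gigawords >= 0):
        raise ValueError(f"out-of-range accounting value for {direction}")
    return gigawords * GIGAWORD + octets


def session_mib(attrs: Mapping[str, str]) -> int:
    """Session traffic in whole MiB (input + output).

    This is Jonathan's multiplier idea: store MiB rather than octets so the
    counter fits in a 32-bit column even when the octet total exceeds 2^32.
    """
    return (total_octets(attrs, "Input") + total_octets(attrs, "Output")) // MIB


def over_limit(attrs: Mapping[str, str], prior_mib: int, limit_mib: int) -> bool:
    """The decision the accounting-time script makes: usage from earlier
    closed sessions (e.g. a sqlcounter-style SUM) plus this session's usage,
    compared with the prepaid limit."""
    return prior_mib + session_mib(attrs) >= limit_mib


def counter_wrapped(prev: Mapping[str, str], cur: Mapping[str, str],
                    direction: str = "Input") -> bool:
    """Detect the wrap Jonathan mentions: within one session the Octets value
    goes down while Gigawords does not go up. A NAS counting in a signed
    32-bit int wraps at 2^31, so a later interim update can report less
    traffic than an earlier one; treat that as suspect, not as a refund."""
    if prev.get("Acct-Session-Id") != cur.get("Acct-Session-Id"):
        return False
    prev_gw = int(prev.get(f"Acct-{direction}-Gigawords", 0))
    cur_gw = int(cur.get(f"Acct-{direction}-Gigawords", 0))
    prev_oct = int(prev.get(f"Acct-{direction}-Octets", 0))
    cur_oct = int(cur.get(f"Acct-{direction}-Octets", 0))
    return cur_gw <= prev_gw and cur_oct < prev_oct


# Constructed sample records (not taken from the thread's logs).
INTERIM_1 = {
    "Acct-Session-Id": "example-session-1",
    "Acct-Status-Type": "Interim-Update",
    "Acct-Input-Octets": "2147483000",
}
INTERIM_2 = {
    "Acct-Session-Id": "example-session-1",
    "Acct-Status-Type": "Interim-Update",
    "Acct-Input-Octets": "1073741824",   # 1 GiB in the low word ...
    "Acct-Input-Gigawords": "1",         # ... plus 4 GiB carried in Gigawords
    "Acct-Output-Octets": "524288000",   # 500 MiB
}

if __name__ == "__main__":
    print("input octets:", total_octets(INTERIM_2, "Input"))      # 5368709120
    print("session MiB:", session_mib(INTERIM_2))                 # 5620
    print("over 500 MiB limit:", over_limit(INTERIM_2, 0, 500))   # True
    print("wrapped between updates:", counter_wrapped(INTERIM_1, INTERIM_2))  # False
```

The MiB division is done once on the 64-bit Python integer, so the stored value stays small; the same arithmetic can be pushed into the SQL query as Jonathan suggests, as long as the Octets and Gigawords columns are combined before dividing rather than after.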


rlm_eap: Handler failed in EAP/peap

2006-02-27 Thread Agus Supriyadi
Dear All,

I've got a problem with my freeradius. I've installed freeradius 1.1.0.
I'm going to use EAP/PEAP and MSCHAPv2. The radius returned an
Access-Reject message when I try to authenticate a user.

This is the debug message from freeradius:
--- BEGIN DEBUG ---
rad_recv: Access-Request packet from host 128.16.100.2:21645, id=112, length=219
    User-Name = "agus"
    Framed-MTU = 1400
    Called-Station-Id = "0012.43f9.07f0"
    Calling-Station-Id = "0040.96a6.0915"
    Service-Type = Login-User
    Message-Authenticator = 0x035385584153738e930ae5647bba4e77
    EAP-Message =
0x020900561900170301004bbeba44dea711ccc50b11d2b66d81c5ee2f2254128135c4bfbc0c8f56c11d93419377cb9061b873416e21389346112ea96d1078b7ad8db16c64b70d812a071923b02819bd681a5902ead889
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 208
    State = 0xbe8af775ecd2998b486819e32c8c5eb3
    NAS-IP-Address = 128.16.100.2
    NAS-Identifier = "iSpot"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "agus", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 86
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 7
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to agus
  PEAP: Adding old state with e5 7c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "agus", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 7
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 7
  rlm_mschap: Found LM-Password
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for agus with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 60
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=agus
--challenge=b7bc51d8fa48dfc5
--nt-response=09d697e7c477017b27c969c52b93deb49200295bda22bf6b'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=agus
--challenge=b7bc51d8fa48dfc5
--nt-response=09d697e7c477017b27c969c52b93deb49200295bda22bf6b
[20

Re: Please HELP!!! Any ideas??? MySQL and users file... Difference???

2006-02-27 Thread Dennis Skinner
Alex Savguira wrote:
> Alan,
> 
> I've solved my problems already... I've even finished the custom
> modification to dialup-admin which takes care of changing the
> Crypt-Passwords to User-Passwords for users accessing the new
> services. Thanks for clearing things up...
> 
>>> btest| NT-Password  | == | NT-hashbla-bla-bla^&&@0-3443
>>> btest| Crypt-Password | == | $$KyUhHIHD$R7mAm4rPX1q4WTEJY5rKQ1
> 
>>  Which is exactly what I keep saying is not needed, and is causing
>> problems for you.
> 
> OK, I understood your point, but would you be so kind to explain WHY
> do you think it is such a bad idea (besides the fact that it doesn't

If you have the clear or NT hash, you don't need the Crypted one.  PAP
can use either.  CHAP *requires* clear or NT hash.  Read that again.
Requires.  It is not a preference of Alan or anyone else.

With CHAP, RADIUS (of any kind, not just FreeRADIUS) receives a crypted
pass over the wire.  You cannot compare two crypted passwords unless
they happen to be crypted in exactly the same way (unlikely).  Since you
can't decrypt them, one of the passwords has to be clear to be able to
be crypted in the proper way and then compared to the other.

With PAP, the password is clear over the wire, so it can compare to
either a clear or a crypted password.

NT Hash is just as secure as clear.  The clear password can be derived
from the hash with little effort and is not considered a security
enhancement.

So, to remove confusion and possible setup issues (syncing issues during
password changes, etc), if a user has a hashed or clear password, remove
the crypted one.  It does not add anything and can only cause problems.
 You can always create a crypted password if you want to force PAP at a
later date.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: rlm_eap: Handler failed in EAP/peap

2006-02-27 Thread Laker Netman
SEE BELOW:

--- Agus Supriyadi <[EMAIL PROTECTED]> wrote:

> Dear All,
> 
> I've got a problem with my freeradius. I've
> installed freeradius 1.1.0. I'm
> going to use EAP/PEAP and MSCHAPv2. The radius
> returned an Access-Reject message
> when I try to authenticate a user.
> 
> This is the debug message from freeradius:
> --- BEGIN DEBUG
> ---
> rad_recv: Access-Request packet from host
> 128.16.100.2:21645, id=112,
> length=219
> User-Name = "agus"
> Framed-MTU = 1400
> Called-Station-Id = "0012.43f9.07f0"
> Calling-Station-Id = "0040.96a6.0915"
> Service-Type = Login-User
> Message-Authenticator =
> 0x035385584153738e930ae5647bba4e77
> EAP-Message =
>
0x020900561900170301004bbeba44dea711ccc50b11d2b66d81c5ee2f2254128135c4bfbc0c8f56c11d93419377cb9061b873416e21389346112ea96d1078b7ad8db16c64b70d812a071923b02819bd681a5902ead889
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 208
> State = 0xbe8af775ecd2998b486819e32c8c5eb3
> NAS-IP-Address = 128.16.100.2
> NAS-Identifier = "iSpot"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok
> for request 7
>   modcall[authorize]: module "chap" returns noop for
> request 7
>   modcall[authorize]: module "mschap" returns noop
> for request 7
> rlm_realm: No '@' in User-Name = "agus", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
> for request 7
>   rlm_eap: EAP packet type response id 9 length 86
>   rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
>   modcall[authorize]: module "eap" returns updated
> for request 7
> users: Matched entry DEFAULT at line 152
>   modcall[authorize]: module "files" returns ok for
> request 7
> rlm_passwd: Added LM-Password:
> 'B736D7A84FBDE543AAD3B435B51404EE' to
> config_items
> rlm_passwd: Added NT-Password:
> 'AA4348E74FCFE5BB2061F2FF5C085304' to
> config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U
>  ]' to config_items
> rlm_passwd: Adding "Auth-Type = MS-CHAP"
>   modcall[authorize]: module "etc_smbpasswd" returns
> ok for request 7
> modcall: leaving group authorize (returns updated)
> for request 7
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of
> radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   eaptls_verify returned 7
>   rlm_eap_tls: Done initial handshake
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding
> tunneled attributes.
>   rlm_eap_peap: EAP type mschapv2
>   rlm_eap_peap: Tunneled data is valid.
>   PEAP: Setting User-Name to agus
>   PEAP: Adding old state with e5 7c
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok
> for request 7
>   modcall[authorize]: module "chap" returns noop for
> request 7
>   modcall[authorize]: module "mschap" returns noop
> for request 7
> rlm_realm: No '@' in User-Name = "agus", looking
> up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
> for request 7
>   rlm_eap: EAP packet type response id 9 length 63
>   rlm_eap: No EAP Start, assuming it's an on-going
> EAP conversation
>   modcall[authorize]: module "eap" returns updated
> for request 7
> users: Matched entry DEFAULT at line 152
>   modcall[authorize]: module "files" returns ok for
> request 7
> rlm_passwd: Added LM-Password:
> 'B736D7A84FBDE543AAD3B435B51404EE' to
> config_items
> rlm_passwd: Added NT-Password:
> 'AA4348E74FCFE5BB2061F2FF5C085304' to
> config_items
> rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U
>  ]' to config_items
> rlm_passwd: Adding "Auth-Type = MS-CHAP"
>   modcall[authorize]: module "etc_smbpasswd" returns
> ok for request 7
> modcall: leaving group authorize (returns updated)
> for request 7
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of
> radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of
> radiusd.conf
> modcall: entering group MS-CHAP for request 7
>   rlm_mschap: Found LM-Password
>   rlm_mschap: Found NT-Password
>   rlm_mschap: Told to do MS-CHAPv2 for agus with
> NT-Password
> radius_xlat: Running registered xlat function of
> module mschap for string
> 'Challenge'
>  mschap2: 60
> radius_xlat: Running registered xlat function of
> module mschap for string
> 

Re: Is it possible to make PAP module understand both CRYPT (MD5) and plaintext passwords?

2006-02-27 Thread Dennis Skinner
Alex Savguira wrote:
> Having
>  pap pap{
> encryption_scheme = crypt
> }
>  pap papplain{
> encryption_scheme = clear
> }
> 

If I understand you, then you are redoing what the server already does.
 FreeRADIUS knows which scheme to use based on the attribute in the
users file or SQL:

username Password := blah
or
username Crypt-Password := $1$blah

If it sees the first, it knows that "blah" is the clear password it
needs to check against.  If it sees the second, it knows that it is crypted.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
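Editor's note: the dispatch Dennis describes (the check item's attribute name, not a per-module encryption_scheme, decides how the PAP password is compared) as an added example; this is not code from the thread or from FreeRADIUS. It reads users-file style entries, compares a clear check item in constant time, and verifies a Crypt-Password of the $1$ form with a pure-Python implementation of classic Unix MD5-crypt, so it runs without the deprecated crypt module. The user names, passwords and salt are constructed for the example; only the $1$ format is implemented and other crypt formats are rejected.

```python
"""Model of how a users-file check item selects the PAP comparison.

Added example, not FreeRADIUS code.  Crypt-Password: only $1$ (MD5-crypt)
is implemented here.  User-Password / Password: compared as clear text.
"""
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)'s base-64 variant: least significant 6 bits come out first
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Classic Unix MD5-crypt: '$1$' + salt (max 8 chars) + '$' + 22 chars."""
    pw = password.encode()
    salt_b = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bit = len(pw)
    while bit:                       # the algorithm's "something really weird" step
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):            # fixed 1000 stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + salt_b.decode() + "$" + encoded


def verify_crypt_password(stored: str, supplied: str) -> bool:
    """Check a Crypt-Password value; only the $1$ format is supported here."""
    parts = stored.split("$")        # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("unsupported crypt format (only $1$ implemented)")
    return hmac.compare_digest(md5_crypt(supplied, parts[2]), stored)


def check_pap(check_items: dict, supplied: str) -> bool:
    """Dispatch on whichever password check item is present."""
    if "Crypt-Password" in check_items:
        return verify_crypt_password(check_items["Crypt-Password"], supplied)
    for name in ("User-Password", "Password"):   # "Password" is the older spelling used in the post
        if name in check_items:
            return hmac.compare_digest(check_items[name].encode(), supplied.encode())
    return False                     # no usable check item: cannot authenticate


def parse_users_line(line: str) -> tuple:
    """Parse a minimal users-file entry of the form 'name Attribute := value'."""
    name, attr, op, value = line.split(None, 3)
    if op != ":=":
        raise ValueError("expected ':=' operator")
    return name, {attr: value.strip().strip('"')}


# Constructed sample entries (not from the thread); the crypt hash is generated here
SAMPLE_USERS = [
    'alice User-Password := "blah"',
    "bob Crypt-Password := " + md5_crypt("blah", "saltsalt"),
]


def authenticate(username: str, supplied: str, users=SAMPLE_USERS) -> bool:
    for line in users:
        name, items = parse_users_line(line)
        if name == username:
            return check_pap(items, supplied)
    return False


if __name__ == "__main__":
    for user, pw in (("alice", "blah"), ("bob", "blah"), ("bob", "wrong")):
        print(user, pw, authenticate(user, pw))
```

Two entries with the same password "blah" are accepted through different paths: alice's clear check item is compared byte for byte, bob's is re-derived from the salt embedded in the stored $1$ string and compared against the whole string.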


Re: FreeRadius and MySQL boot problem

2006-02-27 Thread Dennis Skinner
Diniz Da Rocha wrote:
> The MySQL server is on another server with ip "myip" I initially thought
> it was a firewall block but even with no firewall I get this error. But
> once the server has started and I run "service radiusd restart" from a
> terminal the connect to the MySQL server works fine and has no problems.
> I even tried running the service from rc.local but it still fails did
> anyone have this problem??? is anyone running the MySQL server on
> another machine Is there a fix for this???

Our SQL server is on another machine and works fine on reboots.  It
looks like your networking service may not be completely up and
functional before radius starts.  Add a sleep for 10 or 20sec in
rc.local before FR starts and see what happens.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius and MySQL boot problem

2006-02-27 Thread Diniz Da Rocha
do you know how long it *should* take before retrying??
On 2/27/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Diniz Da Rocha" <[EMAIL PROTECTED]> wrote:
> > The MySQL server is on another server with ip "myip" I initially thought it
> > was a firewall block but even with no firewall I get this error. But once
> > the server has started and I run "service radiusd restart" from a terminal
> > the connect to the MySQL server works fine and has no problems. I even tried
> > running the service from rc.local but it still fails did anyone have this
> > problem??? is anyone running the MySQL server on another machine Is
> > there a fix for this???
>
>   The server *should* re-connect to MySQL after a period of time.  If
> it doesn't, it's a bug.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius and MySQL boot problem

2006-02-27 Thread Diniz Da Rocha
I also had that impression, so I did a sleep for 30 secs, but still no luck. I was wondering if it has something to do with the user who runs it at startup, if it's not root??? But I haven't any info on this yet... What OS are you running your FreeRadius on???

On 2/28/06, Dennis Skinner <[EMAIL PROTECTED]> wrote:
> Diniz Da Rocha wrote:
> > The MySQL server is on another server with ip "myip" I initially thought
> > it was a firewall block but even with no firewall I get this error. But
> > once the server has started and I run "service radiusd restart" from a
> > terminal the connect to the MySQL server works fine and has no problems.
> > I even tried running the service from rc.local but it still fails did
> > anyone have this problem??? is anyone running the MySQL server on
> > another machine Is there a fix for this???
>
> Our SQL server is on another machine and works fine on reboots.  It
> looks like your networking service may not be completely up and
> functional before radius starts.  Add a sleep for 10 or 20sec in
> rc.local before FR starts and see what happens.
>
> --
> Dennis Skinner
> Systems Administrator
> BlueFrog Internet
> http://www.bluefrog.com
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
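Editor's note: the fix suggested in this thread is a fixed sleep before radiusd starts. As an added example (not from the thread, FreeRADIUS or any init script), the start-up check below polls the SQL server's TCP port until it answers or a deadline passes, so a boot where the network is still down fails with a clear message instead of silently succeeding or waiting longer than needed. The host name "myip" is the placeholder the poster used; port 3306 is MySQL's default and is an assumption.

```python
"""Wait for a TCP dependency (here a remote MySQL server) before starting a service.

Added example, not FreeRADIUS or init-script code.  A fixed sleep guesses the
delay; this polls until the port answers or a deadline passes and reports
which happened, so the caller can start radiusd or log why it did not.
"""
import socket
import sys
import time


def tcp_port_open(host: str, port: int, connect_timeout: float = 1.0) -> bool:
    """One connection attempt; any socket error counts as 'not reachable yet'."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:
        return False


def wait_for_tcp(host: str, port: int, deadline_seconds: float, interval: float = 0.5) -> bool:
    """Poll until the port accepts a connection (True) or the deadline passes (False)."""
    deadline = time.monotonic() + deadline_seconds
    while True:
        if tcp_port_open(host, port):
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))


if __name__ == "__main__":
    # Assumed values: the thread only names the SQL host "myip"; 3306 is MySQL's default port
    host = sys.argv[1] if len(sys.argv) > 1 else "myip"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
    if wait_for_tcp(host, port, deadline_seconds=60):
        print(f"{host}:{port} reachable, safe to start radiusd")
        sys.exit(0)
    print(f"{host}:{port} not reachable within 60s; not starting radiusd", file=sys.stderr)
    sys.exit(1)
```

Run it from rc.local (or the init script) as `python3 wait_for_sql.py myip 3306 && service radiusd start`; a non-zero exit means the SQL port never answered, which separates "network not up yet" from problems such as the account radiusd runs as.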

Re: rlm_eap: Handler failed in EAP/peap

2006-02-27 Thread Agus Supriyadi
On 2/28/06, Laker Netman <[EMAIL PROTECTED]> wrote:
> It looks like you didn't include the domain info by
> having --domain=%{mschap:NT-Domain} in your
> "ntlm_auth" command line in the mschap section of your
> radius.conf file.
Thanks Laker,
You're right. After I added --domain=%{mschap:NT-Domain} to ntlm_auth, the "script failed" error is gone.
But a new error occurred. It looks like this:

--- BEGIN ERROR ---
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 28
--- END ERROR ---

The full debug message of the request just like this:

=== BEGIN DEBUG ===
rad_recv: Access-Request packet from host 128.16.100.2:21646, id=106, length=144
    User-Name = "WORKGROUP\\agus"
    Framed-MTU = 1400
    Called-Station-Id = "0012.43f9.07f0"
    Calling-Station-Id = "0040.96a6.0915"
    Service-Type = Login-User
    Message-Authenticator = 0xceeac013eeaa43fc5650c013e93f651c
    EAP-Message = 0x0201001301574f524b47524f55505c61677573
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 491
    NAS-IP-Address = 128.16.100.2
    NAS-Identifier = "iSpot"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
  modcall[authorize]: module "preprocess" returns ok for request 28
  modcall[authorize]: module "chap" returns noop for request 28
  modcall[authorize]: module "mschap" returns noop for request 28
    rlm_realm: No '@' in User-Name = "agus", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 28
  rlm_eap: EAP packet type response id 1 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 28
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 28
rlm_passwd: Added LM-Password: 'B736D7A84FBDE543AAD3B435B51404EE' to config_items
rlm_passwd: Added NT-Password: 'AA4348E74FCFE5BB2061F2FF5C085304' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 28
modcall: leaving group authorize (returns updated) for request 28
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 28
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 28
modcall: leaving group authenticate (returns invalid) for request 28
auth: Failed to validate the user.
=== END DEBUG ===

Is that because EAP performs a certificate CN check against the User-Name
attribute but not against the hostname of the server? (Just my guess)




-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS d(-) s:- a--- C++(+++)$>$ UL$>$ P+? L++$>$ !E--- W++ !N !o !K--
w !O M !V PS PE !Y PGP t 5 X R tv b DI D G e h r y-
-----END GEEK CODE BLOCK-----
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
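Editor's note: the debug output above contains the raw EAP-Message attribute and the "Identity does not match User-Name" line. As an added example (not code from the thread or from FreeRADIUS), the parser below decodes that attribute by the RFC 3748 header (Code, Identifier, Length, Type) and reproduces the "EAP packet type response id 1 length 19" line, then compares the EAP Identity with the User-Name both as sent and with the "DOMAIN\" prefix removed. The packet bytes and the User-Name are copied from the Access-Request in the post; the type-name table is the standard IANA assignment; whether the prefix mismatch is what makes the handler fail is not established in the thread, and stripping the prefix is shown only as an illustration.

```python
"""Decode the EAP-Message attribute from the debug above (RFC 3748 header).

Added example, not FreeRADIUS code.  The packet bytes and User-Name are the
ones printed in the Access-Request; the comparison helper is illustrative.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# From the log: EAP-Message = 0x0201001301574f524b47524f55505c61677573
EAP_MESSAGE_HEX = "0201001301574f524b47524f55505c61677573"
USER_NAME_ATTR = "WORKGROUP\\agus"   # User-Name in the same Access-Request


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(packet):
        # RADIUS splits one EAP packet over several EAP-Message attributes when
        # it exceeds 253 bytes; a mismatch here means they were not concatenated
        raise ValueError(f"Length field {length} != {len(packet)} bytes received")
    result = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = packet[4]
        result["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        result["data"] = packet[5:]
        if eap_type == 1:
            # Identity is UTF-8 text; anything after a NUL is optional display data
            result["identity"] = packet[5:].split(b"\0", 1)[0].decode("utf-8")
    return result


def identity_matches(identity: str, user_name: str, strip_nt_domain: bool = False) -> bool:
    """Compare EAP Identity with User-Name, raw or with the 'DOMAIN\\' prefix dropped
    (assumption for illustration: whether a server strips the prefix depends on its
    realm/preprocess configuration, which the thread does not show)."""
    if strip_nt_domain:
        identity = identity.split("\\", 1)[-1]
        user_name = user_name.split("\\", 1)[-1]
    return identity == user_name


def debug_line(eap: dict) -> str:
    """Render the packet the way the debug log summarises it."""
    return f"EAP packet type {eap['code'].lower()} id {eap['id']} length {eap['length']}"


if __name__ == "__main__":
    eap = parse_eap(bytes.fromhex(EAP_MESSAGE_HEX))
    print(debug_line(eap), "identity:", eap["identity"])
    print("raw match with User-Name:", identity_matches(eap["identity"], USER_NAME_ATTR))
    # By the time rlm_realm runs, the log shows User-Name = "agus"
    print("match with stripped User-Name:", identity_matches(eap["identity"], "agus"))
    print("both stripped:", identity_matches(eap["identity"], "agus", strip_nt_domain=True))
```

The decoded Identity is "WORKGROUP\agus", identical to the User-Name the NAS sent; it differs from the bare "agus" that rlm_realm prints later in the same authorize run, which is the comparison the "Identity does not match User-Name" message is about.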