Authentication by validating RADIUS attribute value

2006-07-08 Thread HariHaran

Hi all,

I am using FreeRADIUS 1.1.1 and Fedora Directory Server 7.2 as the LDAP
backend to store all the user information.

I configured RADIUS to contact the LDAP server to authenticate the user
request.

I have to implement the following requirement:

For each user in the LDAP server I will set some value for a RADIUS
attribute, say for example Filter-ID = 100.

If an authentication request comes to the RADIUS server, it will contact the
LDAP server; if the user is present in the LDAP server, RADIUS will
authenticate the user.

What I want is to authenticate the user by validating the value of the
RADIUS attribute in the LDAP server. For example, if the Filter-ID is 100
for user 'jack' I have to authenticate. If 'jack' has Filter-ID as 123 I
should not authenticate.

Do I have to call a script before authenticating a user?
If so, how can I call it, and in which file do I have to define the
entries?

What are the various methods by which I can achieve the above?

Anyone please help me to get rid of the problem.

Thanks in advance.

Please give me the complete details.

---
Regards,







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Questions about debug output

2006-07-08 Thread Stefan Winter
> 1. First, what does this mean: 'module chap returns noop for request
> 3?' My client uses CHAP, so why doesn't chap, here, return ok? What
> does noop mean?

This packet was the one coming from the client, and as such only contains the
TTLS tunnel. The inside of the TTLS tunnel can't be seen at this stage, so
there is no CHAP here at all. noop means no operation - the module just
didn't do anything.

> 2. I read in a comment in the out-of-the-box eap.conf file that it is
> customary to specify anonymous for the name of the user 'outside' of
> the tunnel with ttls { use_tunneled_reply = yes }. Is the User-Name
> field in the above Access-Request this outside user name?

This has nothing to do with use_tunneled_reply. You can use anonymous also
without this option.
But, yes, this is the outside user name.

> 3. Is the User-Name in the Access-Request the same as what I've seen
> called the outer identity?

Yes. In your above terminology, outside user name = outer identity.

> 4. Is just using anonymous okay? Should I include a realm, e.g.,
> [EMAIL PROTECTED] Is there something I lose by not specifying a
> realm in User-Name (everything seems to work okay so far)?

If your real (inside) user name contains a realm, use the same realm for
outer. The not-realm-specific part doesn't matter. If you don't use realms,
put anything in it you like (except the realm delimiter). You lose or gain
nothing, except that if your server is configured for multiple realms and you
confuse it by using the wrong/no realms, things might break.

> 5. What does No EAP Start mean?

You picked a packet in the middle of an authentication. So it's not the start
of the process, but an ongoing packet. There are multiple RADIUS messages
exchanged during an EAP authentication.

> 6. Why does modcall[authorize] say Matched entry DEFAULT at line 173
> here and in the subsequent challenge response (not shown), whereas later
> in the challenge response it says Matched entry plong at line 76
> (plong is the name part of the inner identity, if I'm using the
> terminology correctly)?

Eventually, the tunneled data arrived and your user was authenticated with the
entry you set in line 76. As long as only the TTLS tunnel is being looked at,
it's obvious that the server can't use line 76 (it doesn't *know* the inner
user name yet), so the packet fell through up to line 173. If you're curious,
look into line 173 of the users file, and you will see what's in there.
Nothing spectacular, I guess.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




RE: 802.1x authentication

2006-07-08 Thread Pradeep Sengar
just do google everything is there
Pradeep

Date: Fri, 7 Jul 2006 09:32:17 -0500
From: Jin Fan [EMAIL PROTECTED]
Subject: RE: 802.1x authentication
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Hi, all:

To further describe my challenge, here is debugging output from freeradius.
One line says, rlm_eap: Failed in EAP select.
I must have set up eap wrong.
Could anyone help me out here?

Btw, in the following example, user TRPZEDU\\jfan tries to authenticate
through 802.1x.

Thanks.

Jin

rad_recv: Access-Request packet from host 192.168.3.26:2, id=89, length=157
   NAS-Port-Id = 1/1
   Calling-Station-Id = 00-0B-BE-D4-50-46
   Called-Station-Id = 00-0B-0E-13-74-C0:hotspot
   Service-Type = Framed-User
   User-Name = TRPZEDU\\jfan
   State = 0xdcfe3f22dc8680c7b0e05b3d498b6090
   EAP-Message = 0x020200060319
   NAS-Identifier = Trapeze
   NAS-Port-Type = Wireless-802.11
   NAS-IP-Address = 192.168.3.26
   Message-Authenticator = 0xc846da111c9f48b4a5570fff318767a2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '@' in User-Name = TRPZEDU\jfan, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 6
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
users: Matched entry TRPZEDU\jfan at line 228
modcall[authorize]: module files returns ok for request 6
radius_xlat:'TRPZEDU\\jfan'
rlm_sql (sql): sql_set_user escaped user -- 'TRPZEDU\\jfan'
radius_xlat:'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'TRPZEDU=5C=5C=5C=5Cjfan' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User TRPZEDU\\jfan not found in radcheck
radius_xlat:'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'TRPZEDU=5C=5C=5C=5Cjfan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'TRPZEDU=5C=5C=5C=5Cjfan' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User TRPZEDU\\jfan not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
modcall[authorize]: module sql returns notfound for request 6
modcall: group authorize returns updated for request 6
rad_check_password:Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: No such EAP type peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 192.168.3.26:2
   EAP-Message = 0x04020004
   Message-Authenticator = 0x
   Trapeze-VLAN-Name = vlan10
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 88 with timestamp 44ae6d5d
Cleaning up request 6 ID 89 with timestamp 44ae6d5d
Nothing to do.  Sleeping until we see a request.

From: freeradius-users-bounces+jfan=[EMAIL PROTECTED] on behalf of Jin Fan
Sent: Thu 7/6/2006 5:22 PM
To: FreeRadius users mailing list
Subject: 802.1x authentication

Hi, All:

I need some pointers on how to set up 802.1x (PEAP/MSCHAP v.2)
authentication in freeradius.
Generating certificates? Modifying configurations?

Jin

End of Freeradius-Users Digest, Vol 15, Issue 19

-- 
Regards
Pradeep Singh
+91-9320216000

Error: WARNING: Unresponsive child

2006-07-08 Thread Farhan Karim
fellows,

we are facing continuous problems in free-radius server. It had been working
fine but lately now an error that it generates as we enable forwarding
packets from INFRANET Radius Server to FreeRadius server.

freeradius ver 1.1.0

the error that it generates in radius.log file is:

Wed Jul 5 17:45:20 2006 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Jul 5 17:45:20 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Jul 5 17:45:20 2006 : Info: rlm_jradius: configuring jradius server 200.100.96.20:1825
Wed Jul 5 17:45:20 2006 : Info: Ready to process requests.
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 6) for request 16
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 7) for request 17
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 4) for request 19
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 5) for request 20
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 8) for request 21
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 10) for request 22
Wed Jul 5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 9) for request 24
Wed Jul 5 17:51:04 2006 : Error: WARNING: Unresponsive child (id 4) for request 25
Wed Jul 5 17:51:04 2006 : Error: WARNING: Unresponsive child (id 7) for request 26
Wed Jul 5 17:51:04 2006 : Error: WARNING: Unresponsive child (id 6) for request 28
Wed Jul 5 17:51:06 2006 : Error: WARNING: Unresponsive child (id 5) for request 35
Wed Jul 5 17:51:07 2006 : Error: WARNING: Unresponsive child (id 10) for request 39
Wed Jul 5 17:51:07 2006 : Error: WARNING: Unresponsive child (id 8) for request 38
Wed Jul 5 17:51:07 2006 : Error: WARNING: Unresponsive child (id 9) for request 42
Wed Jul 5 17:51:19 2006 : Error: WARNING: Unresponsive child (id 7) for request 44
Wed Jul 5 17:51:19 2006 : Error: WARNING: Unresponsive child (id 8) for request 46
Wed Jul 5 17:51:19 2006 : Error: WARNING: Unresponsive child (id 4) for request 48
Wed Jul 5 17:51:20 2006 : Error: WARNING: Unresponsive child (id 10) for request 50
Wed Jul 5 17:51:21 2006 : Error: WARNING: Unresponsive child (id 5) for request 52
Wed Jul 5 17:51:21 2006 : Error: WARNING: Unresponsive child (id 6) for request 56
Wed Jul 5 17:51:22 2006 : Error: WARNING: Unresponsive child (id 9) for request 57
Wed Jul 5 17:51:34 2006 : Error: WARNING: Unresponsive child (id 7) for request 58
Wed Jul 5 17:51:34 2006 : Error: WARNING: Unresponsive child (id 10) for request 59
Wed Jul 5 17:51:34 2006 : Error: WARNING: Unresponsive child (id 6) for request 63
Wed Jul 5 17:51:34 2006 : Error: WARNING: Unresponsive child (id 4) for request 66
Wed Jul 5 17:51:34 2006 : Error: WARNING: Unresponsive child (id 8) for request 68
Wed Jul 5 17:51:36 2006 : Error: WARNING: Unresponsive child (id 5) for request 75
Wed Jul 5 17:51:37 2006 : Error: WARNING: Unresponsive child (id 9) for request 79
Wed Jul 5 17:51:51 2006 : Error: WARNING: Unresponsive child (id 8) for request 81
Wed Jul 5 17:51:51 2006 : Error: WARNING: Unresponsive child (id 7) for request 83
Wed Jul 5 17:51:51 2006 : Error: WARNING: Unresponsive child (id 10) for request 86
Wed Jul 5 17:51:51 2006 : Error: WARNING: Unresponsive child (id 6) for request 88
Wed Jul 5 17:51:51 2006 : Error: WARNING: Unresponsive child (id 5) for request 89
Wed Jul 5 17:51:52 2006 : Error: WARNING: Unresponsive child (id 4) for request 92
Wed Jul 5 17:51:52 2006 : Error: WARNING: Unresponsive child (id 5) for request 90
Wed Jul 5 17:52:04 2006 : Error: WARNING: Unresponsive child (id 9) for request 95
Wed Jul 5 17:52:08 2006 : Error: WARNING: Unresponsive child (id 10) for request 96
Wed Jul 5 17:52:08 2006 : Error: WARNING: Unresponsive child (id 6) for request 98
Wed Jul 5 17:52:09 2006 : Error: WARNING: Unresponsive child (id 7) for request 105
Wed Jul 5 17:52:09 2006 : Error: WARNING: Unresponsive child (id 5) for request 106
Wed Jul 5 17:52:09 2006 : Error: WARNING: Unresponsive child (id 4) for request 111
Wed Jul 5 17:52:09 2006 : Error: WARNING: Unresponsive child (id 6) for request 101
Wed Jul 5 17:52:09 2006 : Error: WARNING: Unresponsive child (id 8) for request 102
Wed Jul 5 17:52:19 2006 : Error: WARNING: Unresponsive child (id 4) for request 113
Wed Jul 5 17:52:19 2006 : Error: WARNING: Unresponsive child (id 9) for request 114
Wed Jul 5 17:52:22 2006 : Error: Dropping conflicting packet from client 202.100.96.21:39779 - ID: 38 due to unfinished request 124
Wed Jul 5 17:52:35 2006 : Error: WARNING: Unresponsive child (id 7) for request 118

we have no clue as to what problem has occurred. the other question that I
have to ask is: is there a way that the freeradius server can acknowledge the
main INFRANET radius server (which is forwarding the packets to the
freeradius server) with OK, so that the main radius server doesn't get stuck
waiting for packet acknowledgement from the freeradius server?

our freeradius server is acting as proxy server for the jradius 

Windows XP keeps verifying identity

2006-07-08 Thread Klaas De Craemer

Hello,

I have been trying to set up an Access Point on a soekris-board for
some days now, but I keep getting stuck. The certificates are all in
place, Freeradius starts up nicely, hostapd seems to work... But the
trouble starts in Windows XP SP2: When I try to associate with the AP,
it keeps sitting in an Attempting Verification-loop.
In my freeradius-window, the authentication messages keep scrolling
by, but it seems like the Windows-client doesn't listen to them.
I am using freeradius 1.0.2 built from source on kernel 2.6.15
Below is some of the Radius-output (radiusd -X -A) and some of that
from hostapd:

=Freeradius==
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=74, length=245
   User-Name = KlaasDC
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 1
   Called-Station-Id = 00-02-6F-3C-37-D7:soekris4521
   Calling-Station-Id = 00-02-6F-3C-37-D8
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 11Mbps 802.11b
   EAP-Message =
0x026800500d8000461603010041013d030144afac86153ed083623ea17e4a82459787262b54cdb6eb6b33603567da79e7861600040005000a000900640062000300060013001200630100
   State = 0xe1ca3273104420e8f3fa797348da4fbf
   Message-Authenticator = 0xb662295a5ab68423baa41ed3e1976b0f
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 74
 modcall[authorize]: module preprocess returns ok for request 74
 modcall[authorize]: module chap returns noop for request 74
 modcall[authorize]: module mschap returns noop for request 74
   rlm_realm: No '@' in User-Name = KlaasDC, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 74
 rlm_eap: EAP packet type response id 104 length 80
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 74
   users: Matched entry KlaasDC at line 97
 modcall[authorize]: module files returns ok for request 74
modcall: group authorize returns updated for request 74
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 74
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
   (other): before/accept initialization
   TLS_accept: before/accept initialization
 rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls:  TLS 1.0 Handshake [length 057b], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls:  TLS 1.0 Handshake [length 006d], CertificateRequest
   TLS_accept: SSLv3 write certificate request A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
 eaptls_process returned 13
 modcall[authenticate]: module eap returns handled for request 74
modcall: group authenticate returns handled for request 74
Sending Access-Challenge of id 74 to 127.0.0.1:1026

Re: Windows XP keeps verifying identity

2006-07-08 Thread Klaas De Craemer

Ow, I forgot to say that I'm trying to use EAP-TLS...

2006/7/8, Klaas De Craemer [EMAIL PROTECTED]
...


Re: Error: WARNING: Unresponsive child

2006-07-08 Thread Alan DeKok
Farhan Karim [EMAIL PROTECTED] wrote:
> we are facing a continuous problems in free-radius server. It had been
> working fine but lately now an error that it generates as we enable
> forwarding packets from INFRANET Radius Server to FreeRadius server.

  INFRANET?  What's that?

> Wed Jul  5 17:50:52 2006 : Error: WARNING: Unresponsive child (id 6) for
> request 16

  It looks like one of the modules that is handling the request is
blocked.  Fix that.

  Alan DeKok.



Re: Windows XP keeps verifying identity

2006-07-08 Thread Alan DeKok
Klaas De Craemer [EMAIL PROTECTED] wrote:
> I have been trying to set up an Access Point on a soekris-board for
> some days now, but I keep getting stuck. The certificates are all in
> place, Freeradius starts up nicely, hostapd seems to work... But the
> trouble starts in Windows XP SP2: When I try to associate with the AP,
> it keeps sitting in a Attempting Verification-loop.

  You don't have the Microsoft OID's in the server certificate.  See
the documentation for details.

  Alan DeKok.


Re: Authentication by validating RADIUS attribute value

2006-07-08 Thread Alan DeKok
HariHaran [EMAIL PROTECTED] wrote:
> Pls give me the complete details.

  The documentation describes how to do what you want.

  What part of it is unclear?

  Alan DeKok.


Re: Re: Windows XP keeps verifying identity

2006-07-08 Thread Klaas De Craemer

Do you mean the so-called xpextensions (1.3.6.1.5.5.7.3.2 for the
client and .1 for the server)?
I have used them to generate the certificates...

> Klaas De Craemer klaasdc at gmail.com wrote:
>
> > I have been trying to set up an Access Point on a soekris-board for
> > some days now, but I keep getting stuck. The certificates are all in
> > place, Freeradius starts up nicely, hostapd seems to work... But the
> > trouble starts in Windows XP SP2: When I try to associate with the AP,
> > it keeps sitting in a Attempting Verification-loop.
>
>  You don't have the Microsoft OID's in the server certificate.  See
> the documentation for details.
>
>  Alan DeKok.


Get my SSHA ldap passwds?

2006-07-08 Thread John Gray

Hi,

I have plain-text passwords coming from a pix firewall for vpn
authentication.  I have SSHA hashed passwds stored in ldap. Can't I hash
the passwds from the pix and compare 'em to the SSHA passwds from ldap somehow?


It works fine if I put plain text passwords in ldap.  But I don't relish 
the thought of storing them plain text.


Thanks,

John
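
The comparison asked about in the post above, as an added example that is not part of the original message and is not FreeRADIUS code: an {SSHA} value is base64(SHA1(password + salt) + salt), so the salt is recovered from the stored value and the submitted plaintext is re-hashed with it. The function names (make_ssha, check_ssha, demo) are hypothetical, and the sample password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = hashlib.sha1().digest_size  # 20-byte digest precedes the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    if not salt:
        raise ValueError("SSHA requires a non-empty salt")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(candidate: str, stored: str) -> bool:
    """Return True if the plaintext candidate matches the stored {SSHA} value."""
    scheme, brace, encoded = stored.partition("}")
    if not brace or scheme.upper() != "{SSHA":
        return False  # not an SSHA value; never fall back to a plain compare
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no salt bytes after the digest: malformed or unsalted
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    # Re-hash the submitted plaintext with the salt taken from the directory entry.
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def demo() -> dict:
    # Constructed sample: password and salt are made up for this example.
    stored = make_ssha("s3cret-vpn", salt=bytes.fromhex("a1b2c3d4e5f60718"))
    return {
        "stored": stored,
        "correct": check_ssha("s3cret-vpn", stored),
        "wrong": check_ssha("S3cret-vpn", stored),
        "truncated": check_ssha("s3cret-vpn", stored[:20]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This only works because the server receives the user's plaintext password, as in the PIX setup described; a challenge-response method such as CHAP cannot be checked against a salted hash.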