Re: ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.
[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=960d6d08f40d6939 --nt-response=89ad9043905fd7c5686086e2493f3ecf32c85d46bc438903
Logon failure (0xc06d)

[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=admin4182 --challenge=960d6d08f40d6939 --nt-response=89ad9043905fd7c5686086e2493f3ecf32c85d46bc438903
Logon failure (0xc06d)
.
[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182
password:
NT_STATUS_OK: Success (0x0)

[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182
password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
.
.
More bad news I am afraid. Is this a samba thing? How is the challenge/response generated? Were my previous queries about NT password and certificates ok then?

Peter

Peter de Groot
Windows Re-Installation Engineer
Eastern Goldfields College
Ph 08) 90801800
Fax 08) 90801866
Mob 0418915312
http://egshs.wa.edu.au

Alan DeKok wrote:
> Peter de Groot <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53
> > Logon failure (0xc06d)
>
> If you can get it working from the command-line, it will work in FreeRADIUS. I have few ideas why it doesn't work, though. Maybe upper/lowercase issues in the domain name?
>
> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
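As an added illustration (not part of the thread, and not FreeRADIUS or Samba code): the two hex values that rlm_mschap substitutes into the ntlm_auth command line are defined by RFC 2759. `--challenge` is the 8-byte ChallengeHash, the first 8 bytes of SHA-1 over the client's 16-byte PeerChallenge, the server's 16-byte AuthenticatorChallenge and the User-Name; `--nt-response` is that challenge DES-encrypted under three 7-byte keys cut from the zero-padded MD4 (NT) hash of the UTF-16LE password. The Go program below reproduces both from the RFC's own section 9.2 test vectors (user "User", password "clientPass"); MD4 is implemented inline because Go's standard library does not ship it. Because the user name is an input to the challenge hash, the name the server feeds back must match byte for byte what the client hashed, and a response computed against one NT hash can only verify against that same hash on the domain side.

```go
// Added example, not from the thread: derive the --challenge and --nt-response
// values of MS-CHAPv2 (RFC 2759) that rlm_mschap hands to ntlm_auth.
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320 inline; Go's standard library has no MD4.
func md4(data []byte) []byte {
	a0, b0, c0, d0 := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append([]byte{}, data...)
	msg = append(msg, 0x80) // pad: 1-bit, zeros to 56 mod 64, then 64-bit LE bit length
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	var lenb [8]byte
	binary.LittleEndian.PutUint64(lenb[:], uint64(len(data))*8)
	msg = append(msg, lenb[:]...)
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		a, b, c, d := a0, b0, c0, d0
		for i := 0; i < 16; i++ { // round 1: F = (b AND c) OR (NOT b AND d)
			a = rotl(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b, c, d)
			a = rotl(a+((b&c)|(b&d)|(c&d))+x[r2[i]]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d
			a = rotl(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a0, b0, c0, d0 = a0+a, b0+b, c0+c, d0+d
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a0, b0, c0, d0} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NTPasswordHash is MD4 over the UTF-16LE password (RFC 2759 NtPasswordHash).
func NTPasswordHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, cu := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], cu)
	}
	return md4(buf)
}

// ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
// The user name is part of the hash, so its exact bytes matter.
func ChallengeHash(peer, auth []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desKey spreads 56 key bits over 8 bytes, 7 bits per byte, parity bit (ignored by DES) in the LSB.
func desKey(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(v&0x7f) << 1
		v >>= 7
	}
	return k
}

// ChallengeResponse: DES-encrypt the 8-byte challenge under three keys cut from
// the NT hash zero-padded to 21 bytes; the 24-byte result is the NT-Response.
func ChallengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		blk, err := des.NewCipher(desKey(z[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		blk.Encrypt(out[8*i:8*i+8], challenge)
	}
	return out
}

// GenerateNTResponse yields the two values behind %{mschap:Challenge} and %{mschap:NT-Response}.
func GenerateNTResponse(auth, peer []byte, userName, password string) (challenge, ntResponse []byte) {
	challenge = ChallengeHash(peer, auth, userName)
	ntResponse = ChallengeResponse(challenge, NTPasswordHash(password))
	return
}

func main() {
	// RFC 2759 section 9.2 test vectors.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	ch, nr := GenerateNTResponse(auth, peer, "User", "clientPass")
	fmt.Printf("ntlm_auth --request-nt-key --username=User --challenge=%x --nt-response=%x\n", ch, nr)
	ch2, _ := GenerateNTResponse(auth, peer, "user", "clientPass") // same secrets, different name case
	fmt.Printf("with user name 'user' the challenge becomes %x\n", ch2)
}
```

The RFC vectors give challenge D02E4386BCE91226 and NT-Response 82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF; changing only the case of the user name changes the challenge and therefore the response, which is one reason a hand-typed ntlm_auth can disagree with what the server computed from the packet.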
Re: EAP-TTLS-PAP-LDAP
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
> TTLS: Got tunneled Access-Reject

So read the *previous* debug logs to see why it was rejected.

Alan DeKok.
Re: Crypt-Password Problem
[EMAIL PROTECTED] wrote:
> juser Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"

Use ":=", not "==". See "man users". "==" is a comparison. Because there's no Crypt-Password in the request, it will never match.

Alan DeKok.
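An added example, not from the thread: a small Go program that does what the original poster's script does, turning htpasswd lines into raddb/users entries, with the operator corrected as above. The entry shape follows the one quoted in the thread (Auth-Type := Local plus Crypt-Password). It assumes that rlm_pap hands Crypt-Password to the system crypt(3), so Apache-only $apr1$ and {SHA} hashes, which crypt(3) does not understand, are reported and skipped instead of being written into the users file where they would reject every login. The sample htpasswd lines are constructed.

```go
// Added example, not from the thread: htpasswd -> FreeRADIUS users file.
// Check items use ":=" (set), not "==" (compare): the Access-Request carries
// User-Password, never Crypt-Password, so "Crypt-Password == ..." never matches.
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Entry is one htpasswd line whose hash the users file can carry.
type Entry struct {
	User string
	Hash string
}

// cryptCompatible reports whether a hash is something crypt(3) can verify:
// traditional 13-character DES, or glibc's $1$ (MD5), $5$ (SHA-256) and
// $6$ (SHA-512) forms. Apache's own $apr1$ and {SHA} are htpasswd-only and
// are rejected (assumption: rlm_pap uses the system crypt(3) for Crypt-Password).
func cryptCompatible(hash string) bool {
	for _, p := range []string{"$1$", "$5$", "$6$"} {
		if strings.HasPrefix(hash, p) {
			return true
		}
	}
	if strings.HasPrefix(hash, "$") || strings.HasPrefix(hash, "{") {
		return false
	}
	return len(hash) == 13
}

// ParseHtpasswd reads "user:hash" lines, ignoring blanks and "#" comments.
// It returns the usable entries and the names of users skipped because their
// hash is not in a crypt(3) format; a line without ':' is an error.
func ParseHtpasswd(r io.Reader) (entries []Entry, skipped []string, err error) {
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		user, hash, ok := strings.Cut(line, ":")
		if !ok || user == "" || hash == "" {
			return nil, nil, fmt.Errorf("line %d: not a user:hash entry", n)
		}
		// crypt hashes are [./0-9A-Za-z$]; anything else would break the users-file quoting.
		if strings.ContainsAny(hash, "\"\\ \t") || !cryptCompatible(hash) {
			skipped = append(skipped, user)
			continue
		}
		entries = append(entries, Entry{User: user, Hash: hash})
	}
	return entries, skipped, sc.Err()
}

// UsersEntry renders one entry in raddb/users syntax: check items on the
// first line, reply items indented below, comma-terminated except the last.
func UsersEntry(e Entry) string {
	return fmt.Sprintf("%s\tAuth-Type := Local, Crypt-Password := \"%s\"\n\tService-Type = Framed-User,\n\tFramed-Protocol = PPP\n", e.User, e.Hash)
}

func main() {
	// Constructed sample input; the first hash is the one quoted in the thread.
	sample := `# constructed htpasswd sample
juser:H25nfgL4rCxBY
md5user:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV
aprusr:$apr1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV
shauser:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
`
	entries, skipped, err := ParseHtpasswd(strings.NewReader(sample))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range entries {
		fmt.Print(UsersEntry(e))
	}
	for _, u := range skipped {
		fmt.Fprintf(os.Stderr, "skipped %s: hash is not a crypt(3) format\n", u)
	}
}
```

Run it with the htpasswd file on stdin swapped in for the sample and redirect stdout into the users file; the skipped names on stderr are the accounts that need re-hashing with a crypt(3) format before they can authenticate.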
Re: ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.
Peter de Groot <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key
> --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47
> --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53
> Logon failure (0xc06d)

If you can get it working from the command-line, it will work in FreeRADIUS. I have few ideas why it doesn't work, though. Maybe upper/lowercase issues in the domain name?

Alan DeKok.
ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.
> Peter de Groot <[EMAIL PROTECTED]> wrote:
> > I am trying to authenticate against a different domain than the
> > samba server is joined to.. should be ok ??
>
> Probably not.
>
> > [EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key
> > --domain=admin4182 --username=e2052982
> > password:
> > NT_STATUS_OK: Success (0x0)
>
> That's nice, but it's not what the server is doing:
>
> > radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=e2052982
> > --domain=ADMIN4182 --challenge=7801a84637ef5c68
> > --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'
>
> What happens when you run the above command from the command line?
>
> Alan DeKok.

Thanks for the reply

I re-ran the connect and then copied and pasted onto the command line from the (radiusd -X) log..

[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53
Logon failure (0xc06d)
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]#

Not good. :-( .. but they do give me the domain option .. so it "should" be ok. ?
.
.
.
Sorry ... a couple more idiot (newbie) questions

I am using PEAP with MSCHAPv2 .. and (I think) according to the how-tos .. I do NOT need ANY certificate(s) on the client PC... Is this correct ?? or, if not .. which certificate(s) are REQUIRED on the PC... ?? I am using tinyCA with the OID extra bits for the XP extensions.

Is this an error in the following certificate stuff ??
.
.
.
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0927], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error::lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
.
.
.
.
IS the following significant ... ?? It seems to say it cannot create the password ??

modcall: entering group MS-CHAP for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password

Thanks

Peter de Groot
Windows Re-Installation Engineer
Eastern Goldfields College
Ph 08) 90801800
Fax 08) 90801866
Mob 0418915312
http://egshs.wa.edu.au
Re: Freeradius-Users Digest, Vol 15, Issue 45
But still, you can try as he said. :-(

--

Message: 4
Date: Thu, 13 Jul 2006 23:16:35 -0400
From: [EMAIL PROTECTED]
Subject: Re: Crypt-Password Problem
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII

[EMAIL PROTECTED] wrote on 07/13/2006 11:06:56 PM:

> Quoting [EMAIL PROTECTED]:
> >
> > Excuse me if this has been asked before but I am having a hard time finding
> > it in the archives. I have a script that builds a radius users file out of
> > a htpasswd file, the password entries are encrypted. This worked great on
> > a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since had
> > to upgrade my linux box (to RHEL 4) and used the version that came with it,
> > freeradius-1.0.1. Now users can not authenticate.
> >
> > Here is an entry for the user in the USERS file:
> >
> > juser Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >
>
> Here is the problem in your debugging data.
>
> rad_recv: Access-Request packet from host 172.24.0.14:36180, id=72, length=46
>         User-Name = "user"
>         User-Password = "password"
>
> The password is coming through as User-Password, NOT Crypt-Password. So, it
> matches nothing in the users file. Furthermore, probably in plain text not
> encrypted form like you expect.
>
> Chris Carver
> Network Engineer

First off Chris thank you for responding to my email so quickly.

Here is a DEBUG from the 0.9.3 server that is still working, using the same users file, and same client request. Here you see the same User-Password but further down you see:

rad_check_password: Found Auth-Type Local
auth: type Crypt
Login OK: [d4lane] (from client slpma1nagioswan port 0)

FULL DEBUG BELOW:

[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
EAP-TTLS-PAP-LDAP
Trying to do EAP-TTLS-PAP with CRYPT passwd in LDAP.. The tunnelling seems fine.. but when it comes to comparing the password it fails. Refer to the logs & config below.

Some say (http://felipe-alfaro.org/blog/category/radius/) PAP is tunneled inside EAP-TTLS through EAP-GTC... Tried that as well.. still the same error..

gtc {
	auth_type = PAP [even trying to change to LDAP/OCE - still same error]
}

Error

auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 9
modcall: leaving group authenticate (returns invalid) for request 9
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client OCE_JARING port 241 cli 00-11-5b-2d-b2-8e)

With setting:-

a) radiusd.conf

ldapOCE {
	--some setting
}

authorize {
	eap
	Autz-Type OCE {
		ldapOCE
	}
}

authenticate {
	Auth-Type OCE {
		ldapOCE
	}
	eap
}

b) eap.conf

eap {
	default_eap_type = ttls
	tls {
		--some setting
	}
	ttls {
		default_eap_type = md5
	}

c) users:-

DEFAULT Realm == "my015.com", Autz-Type := OCE
Re: Crypt-Password Problem
[EMAIL PROTECTED] wrote on 07/13/2006 11:06:56 PM:

> Quoting [EMAIL PROTECTED]:
> >
> > Excuse me if this has been asked before but I am having a hard time finding
> > it in the archives. I have a script that builds a radius users file out of
> > a htpasswd file, the password entries are encrypted. This worked great on
> > a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since had
> > to upgrade my linux box (to RHEL 4) and used the version that came with it,
> > freeradius-1.0.1. Now users can not authenticate.
> >
> > Here is an entry for the user in the USERS file:
> >
> > juser Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >
>
> Here is the problem in your debugging data.
>
> rad_recv: Access-Request packet from host 172.24.0.14:36180, id=72, length=46
>         User-Name = "user"
>         User-Password = "password"
>
> The password is coming through as User-Password, NOT Crypt-Password. So, it
> matches nothing in the users file. Furthermore, probably in plain text not
> encrypted form like you expect.
>
> Chris Carver
> Network Engineer

First off Chris thank you for responding to my email so quickly.

Here is a DEBUG from the 0.9.3 server that is still working, using the same users file, and same client request. Here you see the same User-Password but further down you see:

rad_check_password: Found Auth-Type Local
auth: type Crypt
Login OK: [d4lane] (from client slpma1nagioswan port 0)

FULL DEBUG BELOW:

[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
Module: Instantiated eap (eap)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instant
Re: Crypt-Password Problem
Quoting [EMAIL PROTECTED]:
>
> Excuse me if this has been asked before but I am having a hard time finding
> it in the archives. I have a script that builds a radius users file out of
> a htpasswd file, the password entries are encrypted. This worked great on
> a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since had
> to upgrade my linux box (to RHEL 4) and used the version that came with it,
> freeradius-1.0.1. Now users can not authenticate.
>
> Here is an entry for the user in the USERS file:
>
> juser Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>

Here is the problem in your debugging data.

rad_recv: Access-Request packet from host 172.24.0.14:36180, id=72, length=46
        User-Name = "user"
        User-Password = "password"

The password is coming through as User-Password, NOT Crypt-Password. So, it matches nothing in the users file. Furthermore, probably in plain text not encrypted form like you expect.

Chris Carver
Network Engineer
Crypt-Password Problem
Excuse me if this has been asked before but I am having a hard time finding it in the archives. I have a script that builds a radius users file out of an htpasswd file; the password entries are encrypted. This worked great on a Redhat Enterprise AS 3 server running freeradius-0.9.3. I have since had to upgrade my linux box (to RHEL 4) and used the version that came with it, freeradius-1.0.1. Now users cannot authenticate.

Here is an entry for the user in the USERS file:

juser Auth-Type := Local, Crypt-Password == "H25nfgL4rCxBY"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,

THIS IS THE DEBUG OUTPUT FROM THE SERVER

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Na
Re: ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.
Peter de Groot <[EMAIL PROTECTED]> wrote:
> I am trying to authenticate against a different domain than the
> samba server is joined to.. should be ok ??

Probably not.

> [EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key
> --domain=admin4182 --username=e2052982
> password:
> NT_STATUS_OK: Success (0x0)

That's nice, but it's not what the server is doing:

> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=e2052982
> --domain=ADMIN4182 --challenge=7801a84637ef5c68
> --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'

What happens when you run the above command from the command line?

Alan DeKok.
ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.
Please help, I cannot see the problem after a day of reading the lists and googling... hopefully a fresh pair of eyes

I am trying to authorize to the network via an ntlm_auth lookup against winbind using PEAP and MS-CHAP v2 etc etc

Doing an ntlm_auth on the command line returns success... but my radius server does not want to authenticate.

I am fairly sure I have the certificates ok ??

Samba is joined to the windows domain o.k.

I am trying to authenticate against a different domain than the samba server is joined to.. should be ok ??

[EMAIL PROTECTED] raddb]# ntlm_auth --request-nt-key --domain=admin4182 --username=e2052982
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] raddb]#
.
.
.
.
my "stuff" is
XP-SP2
Fedora Core 5
Samba 3.0.22-1
Freeradius 1.1.2
Windows 2003 Server AD
Cisco Aironet 1100 series
.
.
.
Error message is

modcall: entering group MS-CHAP for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: d6
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=7801a84637ef5c68 --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=7801a84637ef5c68 --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
.
.
.
radius -X dump follows, sorry about the length .. trimmed after first error.

TIA
Peter

Peter de Groot
Windows Re-Installation Engineer
Eastern Goldfields College
Ph 08) 90801800
Fax 08) 90801866
Mob 0418915312
http://egshs.wa.edu.au

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
Module: Instantiated
Re: Alvarion attributes Re: (no subject)
"Robert Dukes" <[EMAIL PROTECTED]> wrote: > This really sucks :) We invested so much into the gear here as our project > is funding by caring people. So there is no way to get this done ah Try the patch below, which should work in 1.1.x. No guarantees... it just compiles, and I haven't tested it. You'll also have to create a dictionary, but I leave that part up to you. Alan DeKok. Index: src/include/libradius.h === RCS file: /source/radiusd/src/include/libradius.h,v retrieving revision 1.76.2.2.2.9 diff -u -r1.76.2.2.2.9 libradius.h --- src/include/libradius.h 15 Jun 2006 21:47:14 - 1.76.2.2.2.9 +++ src/include/libradius.h 13 Jul 2006 21:22:18 - @@ -65,12 +65,13 @@ #define CHAP_VALUE_LENGTH 16 #define MAX_STRING_LEN 254 /* RFC2138: string 0-253 octets */ +# define VENDOR(x)((x >> 16) & 0x) + #ifdef _LIBRADIUS # define AUTH_HDR_LEN 20 # define VENDORPEC_USR429 #define VENDORPEC_LUCENT 4846 #define VENDORPEC_STARENT 8164 -# define VENDOR(x)((x >> 16) & 0x) # define DEBUGif (librad_debug) printf # define debug_pair(vp) do { if (librad_debug) { \ putchar('\t'); \ Index: src/modules/rlm_preprocess/rlm_preprocess.c === RCS file: /source/radiusd/src/modules/rlm_preprocess/rlm_preprocess.c,v retrieving revision 1.52.2.1.2.1 diff -u -r1.52.2.1.2.1 rlm_preprocess.c --- src/modules/rlm_preprocess/rlm_preprocess.c 5 May 2006 17:31:53 - 1.52.2.1.2.1 +++ src/modules/rlm_preprocess/rlm_preprocess.c 13 Jul 2006 21:22:18 - @@ -48,6 +48,7 @@ int with_ntdomain_hack; int with_specialix_jetstream_hack; int with_cisco_vsa_hack; + int with_alvarion_vsa_hack; } rlm_preprocess_t; static CONF_PARSER module_config[] = { @@ -69,6 +70,8 @@ "no" }, { "with_cisco_vsa_hack",PW_TYPE_BOOLEAN, offsetof(rlm_preprocess_t,with_cisco_vsa_hack), NULL, "no" }, + { "with_alvarion_vsa_hack",PW_TYPE_BOOLEAN, + offsetof(rlm_preprocess_t,with_alvarion_vsa_hack), NULL, "no" }, { NULL, -1, 0, NULL, NULL } }; 
@@ -115,7 +118,7 @@ charnewattr[MAX_STRING_LEN]; for ( ; vp != NULL; vp = vp->next) { - vendorcode = (vp->attribute >> 16); /* HACK! */ + vendorcode = VENDOR(vp->attribute); if (!((vendorcode == 9) || (vendorcode == 6618))) continue; /* not a Cisco or Quintum VSA, continue */ if (vp->type != PW_TYPE_STRING) continue; @@ -170,6 +173,26 @@ } } + +/* + * Don't even ask what this is doing... + */ +static void alvarion_vsa_hack(VALUE_PAIR *vp) +{ + int vendorcode; + int number = 1; + + for ( ; vp != NULL; vp = vp->next) { + vendorcode = VENDOR(vp->attribute); + if (vendorcode != 12394) continue; + if (vp->type != PW_TYPE_STRING) continue; + + vp->attribute = number | (12394 << 16); + snprintf(vp->name, sizeof(vp->name), +"Breezecom-Attr%d", number++); + } +} + /* * Mangle username if needed, IN PLACE. */ @@ -515,6 +538,14 @@ cisco_vsa_hack(request->packet->vps); } + if (data->with_alvarion_vsa_hack) { + /* +* We need to run this hack because the Alvarion +* people are crazy. +*/ + alvarion_vsa_hack(request->packet->vps); + } + /* * Note that we add the Request-Src-IP-Address to the request * structure BEFORE checking huntgroup access. This allows - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
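Review bot: in the libradius.h hunk the `VENDOR(x)` macro is moved above the `#ifdef _LIBRADIUS` guard so that rlm_preprocess can use it, but its argument is still not parenthesised (`(x >> 16)`). Both callers in this patch pass a plain `vp->attribute`, so it works here, yet any caller passing an expression of lower precedence than `>>` would get the wrong vendor; while the macro is being made public, write it as `(((x) >> 16) & ...)` with the same mask.

Review bot: the new `with_alvarion_vsa_hack` entry in the CONF_PARSER table has no matching line in the sample `preprocess { }` configuration or its comments, unlike `with_cisco_vsa_hack` next to it; add one there, otherwise nobody will know the option exists.

Review bot: `alvarion_vsa_hack()` renumbers every vendor-12394 string VSA in arrival order with an unbounded counter and ORs it into the attribute: `vp->attribute = number | (12394 << 16);`. The report says at most 11 such VSAs per request, but nothing here enforces that, and a counter past 255 would spill into the vendor bits and produce an attribute no dictionary defines; stop renumbering once `number` exceeds the highest Breezecom-AttrN the dictionary defines (11 per the report), or at least `break` at 255, and leave the remaining pairs untouched. Also replace the `Don't even ask what this is doing...` comment with what it does: the NAS sends these VSAs with rotating attribute numbers, so the first string VSA in the packet becomes Breezecom-Attr1, the second Breezecom-Attr2, and so on, matching the dictionary the reply asks the user to create.

Review bot: the `if (data->with_alvarion_vsa_hack)` call is added at a single site, next to the `cisco_vsa_hack` call that precedes the huntgroup check, which the trailing context (`Request-Src-IP-Address ... BEFORE checking huntgroup access`) places in the authorize path; Robert's report is about VSAs in accounting requests. If the pre-accounting entry point has its own `cisco_vsa_hack` call, the Alvarion hack needs to be invoked there as well, or accounting packets will still arrive with the rotating attribute numbers.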
Re: Confused about 'hints' file
Brenckle, Nicholas wrote: I have an entry in the hints file that, when I uncomment it, makes the authentication fail. And I can't figure out why. When/where during the process does the hints file come into play? I'm watching everything under debug mode, and I can't figure it out. Thank you!

You have to match on it in the users file. Create your huntgroup in the huntgroups file as shown in the examples, although you can match on any attribute you like, not just prefix and suffix. For example, I create huntgroups and use NAS-IP-Address frequently. In your users file just match on the Huntgroup-Name. Here's my setup, with data modified for security purposes...

### huntgroups file ###
huntgroup1 NAS-IP-Address == 192.168.0.1
huntgroup1 NAS-IP-Address == 192.168.0.2
huntgroup1 NAS-IP-Address == 192.168.0.3

### users file ###
DEFAULT Huntgroup-Name == huntgroup1
        Idle-Timeout = 900,
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Fall-Through = no

Chris Carver
Network Engineer
Re: Alvarion attributes Re: (no subject)
This really sucks :) We invested so much into the gear here, as our project is funded by caring people. So there is no way to get this done, ah.

On 7/14/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Robert Dukes" <[EMAIL PROTECTED]> wrote:
> > Breezenet/Breezecom/Alvarion VSAs. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc. through to Breezecom-Attr11.
>
> Ah. *That* vendor. My suggestion is to throw away their equipment and buy equipment that works. Barring that, file a bug with them, and tell them their product is retarded.
>
> If you *have* to use their equipment, write a module to do that re-mapping. It should be 30-40 lines of Perl, or about 200 lines of C.
>
> Alan DeKok.

--
Robert Dukes
Confused about 'hints' file
I have an entry in the hints file that, when I uncomment it, makes the authentication fail. And I can't figure out why. When/where during the process does the hints file come into play? I'm watching everything under debug mode, and I can't figure it out. Thank you!
Alvarion attributes Re: (no subject)
"Robert Dukes" <[EMAIL PROTECTED]> wrote:
> Breezenet/Breezecom/Alvarion VSAs. These NASs send
> Ethernet port data in VSAs (up to 11 per accounting request) but
> unfortunately don't use the same attribute numbers each time. Instead,
> the attribute number increments each time, then wraps at 256. Radiator
> automatically maps the first one in a packet to Breezecom-Attr1, the
> second to Breezecom-Attr2 etc. through to Breezecom-Attr11.

Ah. *That* vendor. My suggestion is to throw away their equipment and buy equipment that works. Barring that, file a bug with them, and tell them their product is retarded.

If you *have* to use their equipment, write a module to do that re-mapping. It should be 30-40 lines of Perl, or about 200 lines of C.

Alan DeKok.
Re: (no subject)
Here is the dump, and you can see what I am talking about. Mapping the VSAs is not too much of an issue. Yes, you are right about the 256-entry dictionary file, but the in/out traffic is encoded with in/out voice; these need to be parsed.

On 7/13/06, Thor Spruyt <[EMAIL PROTECTED]> wrote:
> How about adding a dictionary with all 256 numbers?
>
> ----- Original Message -----
> From: Robert Dukes
> To: FreeRadius users mailing list
> Sent: Thursday, July 13, 2006 9:26 PM
> Subject: Re: (no subject)
>
> Sorry. OK, I use Alvarion SU radios that have a RADIUS accounting option, but the radios send some VSAs that are not recognizable by the RADIUS server. Breezenet/Breezecom/Alvarion VSAs. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc. through to Breezecom-Attr11. I can send a dump log if you want.

--
Robert Dukes
Re: (no subject)
How about adding a dictionary with all 256 numbers?

----- Original Message -----
From: Robert Dukes
To: FreeRadius users mailing list
Sent: Thursday, July 13, 2006 9:26 PM
Subject: Re: (no subject)

Sorry. OK, I use Alvarion SU radios that have a RADIUS accounting option, but the radios send some VSAs that are not recognizable by the RADIUS server. Breezenet/Breezecom/Alvarion VSAs. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc. through to Breezecom-Attr11. I can send a dump log if you want.
Re: (no subject)
Sorry. OK, I use Alvarion SU radios that have a RADIUS accounting option, but the radios send some VSAs that are not recognizable by the RADIUS server. Breezenet/Breezecom/Alvarion VSAs. These NASs send Ethernet port data in VSAs (up to 11 per accounting request) but unfortunately don't use the same attribute numbers each time. Instead, the attribute number increments each time, then wraps at 256. Radiator automatically maps the first one in a packet to Breezecom-Attr1, the second to Breezecom-Attr2 etc. through to Breezecom-Attr11. I can send a dump log if you want.

On 7/13/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Robert Dukes" <[EMAIL PROTECTED]> wrote:
> > Has anyone used FreeRADIUS with Alvarion Breezeaccess to do accounting? I am having a big issue getting the RADIUS server to understand the radios' attributes.
>
> Could you be more specific? "I have a problem, how do I fix it?" doesn't let anyone help you.
>
> Alan DeKok.

--
Robert Dukes
Re: (no subject)
"Robert Dukes" <[EMAIL PROTECTED]> wrote:
> Has anyone used FreeRADIUS with Alvarion Breezeaccess to do accounting?
> I am having a big issue getting the RADIUS server to understand the radios' attributes.

Could you be more specific? "I have a problem, how do I fix it?" doesn't let anyone help you.

Alan DeKok.
(no subject)
Hello,

Has anyone used FreeRADIUS with Alvarion Breezeaccess to do accounting? I am having a big issue getting the RADIUS server to understand the radios' attributes. Or are there other ways to track user traffic? We are in Russia doing a charity project for Russian orphans, so any help to resolve these issues would be a big help.

--
Robert Dukes
Re: multiple post-auth sql queries, possible?
Interesting workaround... I think I will try this. Thanks.

----- Original Message -----
From: Jurgen van Vliet
To: 'FreeRadius users mailing list'
Sent: Thursday, July 13, 2006 9:45 AM
Subject: RE: multiple post-auth sql queries, possible?

Hi Duane

If you use a DB backend that supports stored procedures (like MySQL 5), you can make a procedure in your MySQL server containing several queries. You can even use IF THEN ELSE structures, and call that procedure from post-auth as a single query, like:

postauth_query = "call postauth1('%{SQL-User-Name}');"

This calls the stored procedure postauth1 and gives the SQL user name as a parameter for the procedure to work with. Maybe that solves your problem :)

Good luck!

Jurgen van Vliet
WANBound Technologies | Veldzigt 28 | 3454 PW De Meern | The Netherlands
Tel: +31 30 66 61 940 | Fax: +31 30 66 64 339 | Email: [EMAIL PROTECTED] | Website: www.wanbound.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Duane Cox
Sent: Thursday, 13 July 2006 16:32
To: FreeRadius users mailing list
Subject: Re: multiple post-auth sql queries, possible?

Is it possible to run a module twice in one section... meaning, can I run the sql module twice in the post-auth section? I am thinking I could, but I would have to call it by a new name and then copy the lib files to this new name as well.

Thanks
Duane Cox

----- Original Message -----
From: Duane Cox
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, July 12, 2006 4:24 PM
Subject: multiple post-auth sql queries, possible?

Hello List

Is there a way to have FreeRADIUS 1.1.1 send two or more SQL postauth queries? I tried to put together an update statement and an insert statement with a "go" command, but MSSQL didn't like it because the insert, go, update were all on the same "line" when executing the above statement; broken out on three lines with "go" by itself, it works, but I'm not sure if I can do this in FreeRADIUS.

So is it possible to have FreeRADIUS process sql1 and then sql2 in the post-auth section? If so, what would be the best way to set this up? Here is my current config...

post-auth {
    sql
    Post-Auth-Type REJECT {
        sql
    }
}

...and then mssql.conf contains one postauth_query.

Thanks
Duane Cox
Re: rlm_passwd usage
B Thompson <[EMAIL PROTECTED]> wrote: > However, I would now like to restrict access to a particular NAS > device to a particular set of users and I am not sure how best to go > about this. Create a group, and put those users into that group, also using rlm_passwd. You could add a new file, or simply add the group name as another field in the current file. See "man rlm_passwd" for examples. Alan DeKok.
rlm_passwd usage
Hi

We used to list all our fifty thousand usernames individually in the users file, but this made it quite large, so following advice on this mailing list I decided to use rlm_passwd instead. This seems to work very well and the file size is much smaller. I have configured my passwd-style users file as follows:

passwd york_passwd {
    filename = /etc/raddb/yorkpasswd
    format = "*Stripped-User-Name:NT-Password:Crypt-Password"
    hashsize = 10
    ignorenislike = yes
}

However, I would now like to restrict access to a particular NAS device to a particular set of users and I am not sure how best to go about this. If these users were still listed in the users file I could do something like this for users allowed access:

user1 NT-Password := "blah", Crypt-Password := "blah"

...and this for disallowed users:

user2 NT-Password := "blah", Crypt-Password := "blah", NAS-Identifier != restrictednas

Could anybody suggest a solution using my rlm_passwd setup?

Thanks

--
Ben Thompson
University of York
Re: removing domain data from user name
Thanks, this way did it.

--Yedidia

fvt3 wrote:
> I was able to strip the domain portion of it by having RADIUS execute an external script. Here is what I have in RADIUS to execute the external script:
>
> ldap ldap_ldap1 {
>     server = ""
>     identity = ""
>     password = ""
>     #basedn = ""
>     basedn = ""
>     # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
>     filter = "(SamAccountName=%{exec:/usr/local/freeradius/etc/raddb/nodomain.pl %u})"
>
> I wrote a Perl script to strip that off; using a shell script, it always adds a return character, which adds a space after the uid.
>
> --- Yedidia Klein <[EMAIL PROTECTED]> wrote:
> > Hello list,
> >
> > I'm using a FreeRADIUS server as a RADIUS server that forwards the auth to an LDAP server, on a RH Enterprise system (freeradius-1.0.1-1.1.RHEL3).
> >
> > I want one of my service providers to authenticate against this RADIUS server. After enabling some debug options I found that it sends me the users in the form of [EMAIL PROTECTED], which (of course) my LDAP doesn't know and refuses to auth.
> >
> > Is there a way in FreeRADIUS to pass to the LDAP server only the left side of the @ sign?
> >
> > I tried to use "with_ntdomain_hack = yes" in my ldap section in radiusd.conf w/o success.
> >
> > thanks,
> >
> > --Yedidia
RE: multiple post-auth sql queries, possible?
Hi Duane

If you use a DB backend that supports stored procedures (like MySQL 5), you can make a procedure in your MySQL server containing several queries. You can even use IF THEN ELSE structures, and call that procedure from post-auth as a single query, like:

postauth_query = "call postauth1('%{SQL-User-Name}');"

This calls the stored procedure postauth1 and gives the SQL user name as a parameter for the procedure to work with. Maybe that solves your problem :)

Good luck!

Jurgen van Vliet
WANBound Technologies | Veldzigt 28 | 3454 PW De Meern | The Netherlands
Tel: +31 30 66 61 940 | Fax: +31 30 66 64 339 | Email: [EMAIL PROTECTED] | Website: www.wanbound.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Duane Cox
Sent: Thursday, 13 July 2006 16:32
To: FreeRadius users mailing list
Subject: Re: multiple post-auth sql queries, possible?

Is it possible to run a module twice in one section... meaning, can I run the sql module twice in the post-auth section? I am thinking I could, but I would have to call it by a new name and then copy the lib files to this new name as well.

Thanks
Duane Cox

----- Original Message -----
From: Duane Cox
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, July 12, 2006 4:24 PM
Subject: multiple post-auth sql queries, possible?

Hello List

Is there a way to have FreeRADIUS 1.1.1 send two or more SQL postauth queries? I tried to put together an update statement and an insert statement with a "go" command, but MSSQL didn't like it because the insert, go, update were all on the same "line" when executing the above statement; broken out on three lines with "go" by itself, it works, but I'm not sure if I can do this in FreeRADIUS.

So is it possible to have FreeRADIUS process sql1 and then sql2 in the post-auth section? If so, what would be the best way to set this up? Here is my current config...

post-auth {
    sql
    Post-Auth-Type REJECT {
        sql
    }
}

...and then mssql.conf contains one postauth_query.

Thanks
Duane Cox
Re: multiple post-auth sql queries, possible?
Is it possible to run a module twice in one section... meaning, can I run the sql module twice in the post-auth section? I am thinking I could, but I would have to call it by a new name and then copy the lib files to this new name as well.

Thanks
Duane Cox

----- Original Message -----
From: Duane Cox
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, July 12, 2006 4:24 PM
Subject: multiple post-auth sql queries, possible?

Hello List

Is there a way to have FreeRADIUS 1.1.1 send two or more SQL postauth queries? I tried to put together an update statement and an insert statement with a "go" command, but MSSQL didn't like it because the insert, go, update were all on the same "line" when executing the above statement; broken out on three lines with "go" by itself, it works, but I'm not sure if I can do this in FreeRADIUS.

So is it possible to have FreeRADIUS process sql1 and then sql2 in the post-auth section? If so, what would be the best way to set this up? Here is my current config...

post-auth {
    sql
    Post-Auth-Type REJECT {
        sql
    }
}

...and then mssql.conf contains one postauth_query.

Thanks
Duane Cox
Freerad & routing problem
Hello,

I have in my LAN a Colubris Access Controller (IP: 192.168.10.81, gw: 192.168.10.1/80.B.C.D) which I authenticate on a FreeRADIUS server via the Internet (IP of the FreeRADIUS server: 63.E.F.G).

My server receives:

rad_recv: Access-Request packet from host 80.B.C.D:10901, id=64, length=251
        Acct-Session-Id = "7592eefb"
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "noven-ac1"
        Calling-Station-Id = "00-03-52-01-FC-33"
        Called-Station-Id = "00-03-52-01-FC-33"
        Framed-IP-Address = 192.168.1.1
        User-Password = "novenac1"
        NAS-Identifier = "noven.Vincennes.0"
        NAS-IP-Address = 192.168.10.81
        Framed-MTU = 1496
        Connect-Info = "HTTPS"
        Service-Type = Administrative-User
        WISPr-Location-Name = "noven.Noven-WiFi"
        WISPr-Location-ID = "noven2/Noven-WiFi"
        Message-Authenticator = 0xa4619c3e1b4b1f7f5a877de95f208ab0
Processing the authorize section of radiusd.conf.

and returns:

Sending Access-Accept of id 64 to 80.B.C.D:10901
        Framed-Protocol := PPP
        Service-Type := Framed-User
        Framed-MTU := 1500
        Colubris-AVPair += "transport-page=https://192.168.10.82/Noven/transport.html"
        Colubris-AVPair += "session-page=https://192.168.10.82/Noven/session.html"

My problem is that the response from the RADIUS server does not reach my AC (IP 192.168.10.81), although the answer was indeed returned to my router (IP: 80.B.C.D)!!!

Can someone help me? Please.

Thanks
Re: removing domain data from user name
I was able to strip the domain portion of it by having RADIUS execute an external script. Here is what I have in RADIUS to execute the external script:

ldap ldap_ldap1 {
    server = ""
    identity = ""
    password = ""
    #basedn = ""
    basedn = ""
    # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
    filter = "(SamAccountName=%{exec:/usr/local/freeradius/etc/raddb/nodomain.pl %u})"

I wrote a Perl script to strip that off; using a shell script, it always adds a return character, which adds a space after the uid.

--- Yedidia Klein <[EMAIL PROTECTED]> wrote:
> Hello list,
>
> I'm using a FreeRADIUS server as a RADIUS server that forwards the auth to an LDAP server, on a RH Enterprise system (freeradius-1.0.1-1.1.RHEL3).
>
> I want one of my service providers to authenticate against this RADIUS server. After enabling some debug options I found that it sends me the users in the form of [EMAIL PROTECTED], which (of course) my LDAP doesn't know and refuses to auth.
>
> Is there a way in FreeRADIUS to pass to the LDAP server only the left side of the @ sign?
>
> I tried to use "with_ntdomain_hack = yes" in my ldap section in radiusd.conf w/o success.
>
> thanks,
>
> --Yedidia
Re: removing domain data from user name
Yedidia Klein wrote:
> Hello list,
>
> I'm using a FreeRADIUS server as a RADIUS server that forwards the auth to an LDAP server, on a RH Enterprise system (freeradius-1.0.1-1.1.RHEL3).
>
> I want one of my service providers to authenticate against this RADIUS server. After enabling some debug options I found that it sends me the users in the form of [EMAIL PROTECTED], which (of course) my LDAP doesn't know and refuses to auth.
>
> Is there a way in FreeRADIUS to pass to the LDAP server only the left side of the @ sign?
>
> I tried to use "with_ntdomain_hack = yes" in my ldap section in radiusd.conf w/o success.

Two ways:

1. Use /etc/raddb/hints to rewrite the packet, e.g.

DEFAULT NAS-IP-Address == the.isp.server.ip, User-Name =~ "^(.*)@.*$"
        User-Name := `%{1}`

# or maybe

DEFAULT Suffix = "@domain.tld", Strip-User-Name = Yes
        Hint = "FromTheIsp"

2. Use the proxy/realm feature - see the various "realm" module definitions in radiusd.conf and the realm definitions in proxy.conf. Basically:

modules {
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = yes
        ignore_null = yes
    }
}

authorize {
    preprocess
    suffix
    ldap
    # other stuff
}

...then in proxy.conf:

realm domain.tld {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
    strip
}

Method 1 is simpler and probably best for this situation. Method 2 is really intended for when you make requests to another server, as opposed to when they make them to you.
Re: Segfault when loading a module in rlm_perl?
On Thu, Jul 13, 2006 at 10:41:57AM +0300, Boian Jordanov wrote:
> On Wednesday 12 July 2006 20:13, Nikola Pavkovic wrote:
> > Any hints are very welcome.
>
> Any traces are welcome :-)

Boian, but it seems that we resolved the issue following the advice found at http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19699.html

It seems that it was a libperl issue on Debian.

Thanks anyway ;)

Sincerely,
Nikola Pavkovic
Re:- Authenticating user with FDS
Yes, that method is working fine. Thank you very much for your help.

Hariharan R wrote:
> Hi all,
>
> I am using FreeRADIUS 1.1.1 with Fedora Directory Server as a backend data store. Let us consider the scenario: I have two servers, one is a mail server and another one is a proxy server. Both servers are configured to use RADIUS+FDS for user authentication. In FDS I have two organizational units under the root domain, for example:
>
> ou=mailusers,dc=example,dc=com
> ou=proxyusers,dc=example,dc=com
>
> In the 'raddb/radiusd.conf' file I specified the base DN as (in the LDAP module)
>
> basedn = "dc=example,dc=com"
>
> So whenever a client request comes to the RADIUS server it will look for the username in FDS. The problem is, how will RADIUS identify whether the request comes from the 'mail server' or from the 'proxy server'? Because for mail server users I have to look in "ou=mailusers,dc=example,dc=com" and for proxy users I have to look in "ou=proxyusers,dc=example,dc=com".

Try this:

/etc/raddb/huntgroups:

mail    NAS-IP-Address == the.mail.server.ip
proxy   NAS-IP-Address == the.proxy.server.ip

/etc/radiusd.conf:

modules {
    ldap {
        basedn = "ou=%{Huntgroup-Name},dc=example,dc=com"
    }
}

> How can I change the LDAP basedn according to the request?

Use any string expansion you like, as above.

---
Regards,
Hariharan.R
removing domain data from user name
Hello list,

I'm using a FreeRADIUS server as a RADIUS server that forwards the auth to an LDAP server, on a RH Enterprise system (freeradius-1.0.1-1.1.RHEL3).

I want one of my service providers to authenticate against this RADIUS server. After enabling some debug options I found that it sends me the users in the form of [EMAIL PROTECTED], which (of course) my LDAP doesn't know and refuses to auth.

Is there a way in FreeRADIUS to pass to the LDAP server only the left side of the @ sign?

I tried to use "with_ntdomain_hack = yes" in my ldap section in radiusd.conf w/o success.

thanks,

--Yedidia
Re: DHCP configuration on Free Radius
Elie Hani wrote:
> I've installed FreeRADIUS on FC4 OS. I need to know if it's possible to configure DHCP on this server.

Not out of the box.

> I want the dial-up users to take an IP from a pool, dynamically configured on the RADIUS server itself. If it's possible, can you tell me the steps; otherwise, can you provide me with a solution?

See the "ippool" module - it is extensively commented in radiusd.conf.
Re: Segfault when loading a module in rlm_perl?
On Wednesday 12 July 2006 20:13, Nikola Pavkovic wrote:
> Hello all,
>
> I'm experiencing strange behaviour when starting FreeRADIUS using
> rlm_perl. When I include any module (for example DBI) inside my custom
> AAA script, I get a segfault. (Debian sarge, freeradius 1.1.2).
>
> Any hints are very welcome.

Any traces are welcome :-)

--
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
DHCP configuration on Free Radius
Hi;

I've installed FreeRADIUS on FC4 OS. I need to know if it's possible to configure DHCP on this server. I want the dial-up users to take an IP from a pool, dynamically configured on the RADIUS server itself. If it's possible, can you tell me the steps; otherwise, can you provide me with a solution?

Thanks
Elie