Re: RE : Radius Authentication
Dear Thibault, thanx for ur help yes ,my DB server used for accounting only not authentication. but i tried what u said, as i understand it makes the RADIUS be down while the DB is down. i don't want this. i need the RADIUS to authenticate the users without inserting accounting info into the DB to minimize the outage,i need it to try to insert accounting info & if it fails NO PROBLEM authenticate the user & forget about the accounting. that's it thanx alot Thibault Le Meur wrote: i'm facing a little problem. in some times my mysql DB server is down & the radius can't insert records into it of-course, so the users can't login as the radius doesn't authenticate them unless he can record them. Is there any solution to make the radius authenticate the users without insert records in the DB. I suppose your mysql DB server isn't used to authenticate your users, otherwise having your radius server work even if your DB is down would make no sense (unless you have another module able to authenticate users?). If your DB server is used only for logging purpose (accounting, post-authenticate, ...). You may find interresting information in the doc/configurable_failover file in order to make the DB module failure be non-critial. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accounting on different mysql on different host
Hi we have 2 freeradius ver 1.1.0 server that on different locations. They use mysql servers(one master and one replica(read only) configuration) to download users' attributes. Every radius server point to own local mysql server. I have a probem with radius that point to mysql replica: it can't write accounting info on mysql. Is it possible to configure two different mysql servers on radius so it reads info from one and write accounting info on other? Any idea? Thank you Cheers Mau - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: configuring FreeRadius pools
Hi; I have configured a RAS Patton 2960, it's connected to the FreeRadius Server. The authentication and everything is working great with postgre database. I've been reading in the radiusd.conf file, there's something in it called ippools. I tried to configure 2 different pools, but when I test it, I get the pool configured on the Ras only, this means it's not working. My problem consists in the following: I want to configure 2 pools, the first one is a fake IP pool,where the dial up user on the patton gets an IP from this pool, and then he will enter the necessary information, once all the informations entered are true, he will reconnect with his new username, then he will get an IP from the other pool wich contains real IPs. I don't have a problem in configuring the redirection page or in writing any script, but in configuring the 2 pools of IPs, can it be done on the Radius directly, or should I configure a DHCP server. If so, how can I relay the Radius to the DHCP? Thanks Elie Hani -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon Sent: Wednesday, July 19, 2006 6:18 PM To: FreeRadius users mailing list Subject: Re: configuring FreeRadius pools On Tue 18 Jul 2006 10:24, Elie Hani wrote: > Hi > I a using FreeRadius with Postgre, I need to know the way to configure a > double pool of addresses so the dial up user, while connecting, gets a fake > IP Address, then when authenticated, he will redial and gets the real ip > address. > > My problem consists in configuring the pools only, where ae these pools > configured in the freeradius? Without more info about what and where you are trying to a) dial into b) authenticate we can't really help you... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: running log_badlogins
Avrohom wrote:
> I have run log_badlogins from the command line and it does work. I was
> just wondering where the best place to run the script is from. it should
> always be running so a cron job is not necessary. should i just have it
> run when the radius server starts up?
>
> Thanks,
> Avrohom
If you're on a RedHat-ish system, the attached startup script might work
for you. It's a quick hack based on the FreeRADIUS startup script.
I see on re-reading it that it doesn't source
/etc/sysconfig/failed_logins, so you will have to hand-edit it to change
the path to your dialup_admin installation.
Regards,
Richard Siddall
#!/bin/sh
#
# chkconfig: - 89 9
# description: Start/Stop the failed login daemon for dialup_admin
#
#This program is free software; you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation; either version 2 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
#Copyright (C) 2001 The FreeRADIUS Project http://www.freeradius.org
#
# Source function library.
. /etc/rc.d/init.d/functions
FAILEDD=/home/dialup_admin/bin/log_badlogins
LOCKF=/var/lock/subsys/log_badlogins
LOGFILE=/var/log/radius/radius.log
CONFIG=/home/dialup_admin/conf/admin.conf
PIDFILE=/var/run/log_badlogins.pid
[ -f $FAILEDD ] || exit 0
[ -f $CONFIG ] || exit 0
RETVAL=0
case "$1" in
start)
echo -n $"Starting failed login server: "
#daemon $FAILEDD $LOGFILE $CONFIG
$FAILEDD $LOGFILE $CONFIG &
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
echo $! > $PIDFILE
success "failed logins startup"
echo
touch $LOCKF
else
echo_failure
fi
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $LOCKF
;;
stop)
echo -n $"Stopping failed login server: "
killproc $FAILEDD
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $LOCKF
;;
status)
status log_badlogins
RETVAL=$?
;;
restart)
$0 stop
sleep 3
$0 start
RETVAL=$?
;;
condrestart)
if [ -f $LOCKF ]; then
$0 stop
sleep 3
$0 start
RETVAL=$?
fi
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart}"
exit 1
esac
exit $RETVAL
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mschap machine authentication
I'm using Free Radius 1.1.2. I wanted to share what I did to get Windows machine authentication (via ntlm_auth) to work properly in my network. After configuring FreeRadius for ntlm_auth against my windows network, I found that not all machines got authenticated. Machines with names longer than 15 characters did not get authenticated. I found out that this is because Windows supplicant send the machine name as "host/quitelongmachinename.company.domain", and the mschap module of FreeRadius strip "quitelongmachinename" and use that when running ntlm_auth (it actually uses "quitelongmachinename$". But, ntlm_auth needs "quitelongmachin$" to work (i.e. only the first 15 chars). So, I went to "src/modules/rlm_mschap/rlm_mschap.c" and changed this line: snprintf(out, outlen, "%s$", user_name->strvalue + 5); with these lines: char largo[20]=""; snprintf(largo, 16, "%s", user_name->strvalue + 5); strcat(largo, "$"); strNcpy(out,largo,17); And recompiled. That got FreeRadius to send to ntlm_auth only the first 15 chars of the machinename when doing machine authentication. I'm not a programmer so probably what's above is not the nicer way to get the idea done, but hey, it worked pretty well. Now machine authentication works no matter how long the machine name is. Thought I would share it... FreeRadius version: 1.1.2 Authentication method: PEAP-MSCHAP Client: Windows XP supplicant Authenticating against: A windows AD domain via ntlm_auth Samba version: 3.0.22 G. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with distributed proxy nodes - how do I pass back "unavailable" when upstream is down temporarily?
Hi all, I'm fairly new to using radius for authentication so please excuse any incorrect terminology. I'll give a brief overview of what I've got and then describe where I want to go but don't know how :) Setup = I'm using freeradius 1.1.0 on a mixture of debian woody and sarge boxes. There is a central radius server which holds all user auth and optionally proxies some realms to LDAP etc - works like a charm. I've also got a number of remote dumb proxy freeradius nodes running at the other end of volatile links, say modem dialup, that connect back to the central area for monitoring purposes. They are configured to proxy NULL realms and DEFAULT back to the central server. Auth requests come from cisco switches etc on the local LAN for each node. Again - works a treat. A star radius network if you like. The problem comes when the link between the remote node and central server drops for a while. Local requests come in, the node tries to contact central node, can't connect, temporarily marks the central server as dead but then gives back an "unauthorised" message. This means that the devices on the local node LAN never fail over to local auth and we're effectively locked out of those devices :) Question So, how can I pass back a different radius message that causes the local LAN devices to fall over to local auth instead of radius in the case where the upstream is dead? Alternatively, I could have a single account on the node itself with a particular realm that doesn't get proxied but the intent of this setup is to only allow device-specific local accounts to be used when the radius is completely down. How would you do this? Perhaps a completely different approach rather than dump proxying is necessary? Any feedback at all would be appreciated. Thanks! -- Andrew O'Brien - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
running log_badlogins
I have run log_badlogins from the command line and it does work. I was just wondering where the best place to run the script is from. it should always be running so a cron job is not necessary. should i just have it run when the radius server starts up? Thanks, Avrohom - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm writing a RADIUS book... who's interested?
I'm in the process of writing a RADIUS book, with everything I've learned over the last 10 years working with RADIUS. I'm wondering who's interested. :) The goal is to have 200-300 pages of densely packed information. The working title is "Deploying RADIUS: Practices and Principles". My main difficult is that I'm finding it hard to bootstap the book. i.e. time/money. I'm wondering who's interested in buying the book (i.e. is there a market for it). Having a known market means it's much easier for me to find the time to finish it I'm also wondering how many people are interested in buying pre-prints, with additional rights not available to the average buyer. (i.e. internal duplication, etc). This *is* a call for funding. I've been putting a lot of work into the server for many years now, and it just keeps getting bigger and better. With additional funding, I should be able to devote significantly more time to developing those features and documentation that everyone is interested in. Please respond privately with interest, if any. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
Paul Asadoorian <[EMAIL PROTECTED]> wrote: > The "User-Category" was in the pull-down on the menu where you map > attributes to roles on the controller. Not certain why it was there > if you are not supposed to use it. The vendor's GUI is not the same as what's available in FreeRADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 The "User-Category" was in the pull-down on the menu where you map attributes to roles on the controller. Not certain why it was there if you are not supposed to use it. I will bring up this issue with the vendor (they are pretty good and play nice with standards and open-source). I did make it work by using the Aruba attribute "Aruba-User-Role". Works like a champ, thanks for all of your help. Paul On Jul 19, 2006, at 1:59 PM, Alan DeKok wrote: Paul Asadoorian <[EMAIL PROTECTED]> wrote: The RADIUS client is actually an Aruba wireless controller. It had an attribute already defined called "User-Category". Where? In the NAS documentation, or in the Aruba dictionary? Please look at the "dictionary.aruba" file. It contains pre-defined Aruba attributes that do not conflict with other attributes in the dictionaries. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html - -- Paul Asadoorian Email: [EMAIL PROTECTED] Web: http://pauldotcom.com IRC: #pauldotcom | irc.freenode.net Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEvpGFEVNhUUh/4JQRAtJcAJ95adEJGcieaxKWZnFuc/9CAKvk2QCfVcij YBa5olq5PnqrIMJin8uGlaw= =+mJO -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thanks Phil! That seemed to do the trick, I now get: Sending Access-Accept of id 141 to 127.0.0.1 port 32908 Aruba-User-Role = "student" Thanks to all for the assistance. Paul On Jul 19, 2006, at 12:13 PM, Phil Mayers wrote: Paul Asadoorian wrote: The RADIUS client is actually an Aruba wireless controller. It had an attribute already defined called "User-Category". I also checked the Ok, you should get Aruba's dictionary, or ask them what their enterprise number + the attribute number is. That attribute certainly doesn't seem to be in the FreeRadius dictionary.aruba Maybe Aruba-User-Role? dictionary file for "User-Category" and this is what I found: # grep User-Category * dictionary.freeradius.internal:ATTRIBUTEUser- Category 1029string Ah, ok. That's a FreeRadius internal attribute. It'll never appear on the wire, it's intended for use inside the server e.g. as a classification/matching attribute. You'll have to name whatever Aruba's attribute is differently. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html - -- Paul Asadoorian Email: [EMAIL PROTECTED] Web: http://pauldotcom.com IRC: #pauldotcom | irc.freenode.net Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEvoBsEVNhUUh/4JQRAgEeAKDTsfYKpoStI4Y11nV18/BoUrr4YQCePO7f bvf5ssfAkHTMvICk09aHJkQ= =847J -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
multiple group membership & processing
greetings, I have users that should only be able to use 2 of 10 APs(chillispot nas). I found that when I create the following, the user can only login to the desired AP. Radcheck table fred User-Password := mypass radgroupcheck table cust1 Called-Station-ID == 00-13-10-94-AF-3C usergroup fred cust11 This works great, however, how do I expand this so that fred's login works for two Called-Station-IDs? Do I create another group with a different priority? Can't seem to get both groups to work as a logical OR. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Radius Authentication
Why don't you try to use users file as your configuration method! Carlos Rosero S. Programmer / IT www.uaa.edu 787-834-9595 x2203 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thibault Le Meur Sent: Wednesday, July 19, 2006 3:28 AM To: 'FreeRadius users mailing list' Subject: RE : Radius Authentication > i'm facing a little problem. > in some times my mysql DB server is down & the radius can't insert > records into it of-course, so the users can't login as the radius > doesn't authenticate them unless he can record them. > Is there any solution to make the radius authenticate the > users without > insert records in the DB. I suppose your mysql DB server isn't used to authenticate your users, otherwise having your radius server work even if your DB is down would make no sense (unless you have another module able to authenticate users?). If your DB server is used only for logging purpose (accounting, post-authenticate, ...). You may find interresting information in the doc/configurable_failover file in order to make the DB module failure be non-critial. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
Paul Asadoorian <[EMAIL PROTECTED]> wrote: > The RADIUS client is actually an Aruba wireless controller. It had > an attribute already defined called "User-Category". Where? In the NAS documentation, or in the Aruba dictionary? Please look at the "dictionary.aruba" file. It contains pre-defined Aruba attributes that do not conflict with other attributes in the dictionaries. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenticating Against a Trusted Domain
Yes, "anotherdomain" is an AD domain, however, my freeradius server can only talk to "ourdomain". ourdomain has a trust with anotherdomain and can pass windows authentication (file shares, etc.) over the trust for authentication. Is it possible to authenticate "anotherdomain" users via LDAP from the freeradius server by piping the auth requests through "mydomain" (which should then, as windows does, recognize the domain from "anotherdomain\username" and send the auth request up the trust)? I'm obviously formulating the wrong LDAP queries. But if this isn't even possible I won't bother spinning in circles. Josh --- Phil Mayers <[EMAIL PROTECTED]> wrote: > Josh wrote: > > > > I haven't been successful with using Samba (which > is > > connected to ourdomain)... I can get Samba to > > You didn't specify what authentication type you're > trying to get > working. I suspect you're trying to use PEAP-MSCHAP > for wireless, yes? > > There have been posts in the last few days about > this - it seems that a > Samba server may be able to do cross-realm fileshare > or plaintext auth, > but not cross-realm MS-CHAP. This may depend on > settings on one or both > ends, or may be more fundamental - it's been long > enough since I've been > involved in windows domain protocols that I can't > tell. > > What errors are you getting, and what is your > configuration? > > > authenticate users on ourdomain but not the > trusted > > anotherdomain. I figured I would give LDAP a try > but > > can't find any documentation on the correct LDAP > > requests for freeradius. > > > > LDAP to a "real" AD domain (which I assume > "anotherdomain" is) is only > useful if you want to answer PAP requests. > > What part of the extensively commented ldap stanza > in radiusd.conf or > the doc/rlm_ldap file is unclear? > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Jul 19, 2006, at 11:09 AM, Phil Mayers wrote: What is the client? Can you use the "Class" attribute, which is intended exactly for this? Hmmm, appears that the Class attribute is octects: dictionary.rfc2865:ATTRIBUTE Class 25 octets The value I am getting back from the LDAP attribute is a string, i.e. "student" or "staff" or "faculty" (in case anyone was wondering whether or not this is an edu or not :) My guess is this will not work? The client is actually an Aruba wireless controller. Thank You, Paul - -- Paul Asadoorian Email: [EMAIL PROTECTED] Web: http://pauldotcom.com IRC: #pauldotcom | irc.freenode.net Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEvmvEEVNhUUh/4JQRAmb1AJ0fVJ0duMtvMdJySzytVVcZvoMwwACeM2Yw os5vd8i+sHyH5GLls9rRK3A= =+3ZV -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : freeradius server and PPP
> > Moustapha Ould Maouloud <[EMAIL PROTECTED]> wrote: > > My problem is that the response from the radius server does > not reach > > my AC (IP 192.168.10.81) although the answer was indeed > turned over to > > my router (IP : 80.x.x.x) !!! > > The packet dump you quoted shows that the RADIUS packet is > being sent to 80.x.x.x, not 192.168.10.81. I have no idea > why you think the RADIUS packet would be sent to > 192.168.10.81, RADIUS doesn't work that way. I think his Access Controller is natted between his router's external IP address. Since his radius server is outside (somewhere on the Internet), it can only reply to his router's external IP address. It is then up to the router to translate the IP address to match the internal private Ip address of the Access Controller: and it seems that the problem is on the router side only. I've sent him a little things to check on his router offlist since it's not, as far as I know, a freeradius problem... unless someone has some Radius specific recommendations when NAT is involved between the AC and the Radius server... thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help setting up PEAP authentication
On 7/19/06, Reynald Borer <[EMAIL PROTECTED]> wrote: Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge That's no problem, provided you really try PEAP. It's just openssl complaining that it can't verify the non-mandatory client's certificate. So does someone have a working freeradius configuration to share with me ? Or some tips to get it working ? Assuming you really listed all modified conf files, you should check http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html#confradius #5. (cited out of context) Here is what is displayed in the logs (without verbose mode): Anything else leads to much more if's and perhaps' an assuming's so you should provide the debug output as mentioned in various docs. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: configuring FreeRadius pools
On Tue 18 Jul 2006 10:24, Elie Hani wrote: > Hi > I a using FreeRadius with Postgre, I need to know the way to configure a > double pool of addresses so the dial up user, while connecting, gets a fake > IP Address, then when authenticated, he will redial and gets the real ip > address. > > My problem consists in configuring the pools only, where ae these pools > configured in the freeradius? Without more info about what and where you are trying to a) dial into b) authenticate we can't really help you... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc pgpEz2BprIQKj.pgp Description: PGP signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help setting up PEAP authentication
Reynald Borer wrote: Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge These logs are useless I'm afraid. Please run the server under debugging (with the -X argument) and examine the debugging output - the cause is in there. If you can't figure it out, post the debug output (or a link to it) here. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
Paul Asadoorian wrote: The RADIUS client is actually an Aruba wireless controller. It had an attribute already defined called "User-Category". I also checked the Ok, you should get Aruba's dictionary, or ask them what their enterprise number + the attribute number is. That attribute certainly doesn't seem to be in the FreeRadius dictionary.aruba Maybe Aruba-User-Role? dictionary file for "User-Category" and this is what I found: # grep User-Category * dictionary.freeradius.internal:ATTRIBUTE User-Category 1029string Ah, ok. That's a FreeRadius internal attribute. It'll never appear on the wire, it's intended for use inside the server e.g. as a classification/matching attribute. You'll have to name whatever Aruba's attribute is differently. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 3com problem with service-type
I know that I can use huntgroups and create for each huntgroup a different account for the same user with different attributes, but I dont want to use huntgroups because I already use it for Mac-address authentication (and apparently a same NAS-IP-Address cannot belong to more than 1 huntgroup as RADIUS returns the first huntgroup that matches the NAS-IP-Address). You should make your huntgroups match on more that just the NAS IP - e.g. switches NAS-IP-Address == a.b.c.d, Service-Type == Framed-User adminaccess NAS-IP-Address == a.b.c.d, Service-Type == Whatever - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help setting up PEAP authentication
Hi, > I'm trying to setup freeradius to authenticate users of my wireless > networks and I'm facing some problems. I've tried to follow the guide > located at http://www.tldp.org/HOWTO/8021X-HOWTO/ , which explains > exactly the setup I would like (that is, authentication with username / > password credentials). Fair enough, a common thing to do. > So I've setup freeradius like explained (I've already have everything > needed for ssl, CA root certificate and server certificate), and I've > configured my access point to use my radius server. Great. > So when I try to login, for example with wpa_supplicant, it tolds me > that authentication with MSCHAPv2 went ok, and then 30 seconds later it > says "Authentication timed out", and it tries to re authenticate. So I'm > able to use my wireless network 30 seconds only (for example if I start > up a dhcp client then I get an IP) before I'm re authenticated. > > I've also tried with a Windows XP client, and it continues asking me my > credentials. You did think of adding the Microsoft TLS Web Server Authentication OID? > Here is what is displayed in the logs (without verbose mode): > Error: TLS_accept:error in SSLv3 read client certificate A > Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) > Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) > Info: rlm_eap_mschapv2: Issuing Challenge Which is completely useless for debugging. This is *normal* with PEAP. If you want people here to help, you should do as the FAQ tells you and send a *complete* *debug* log. > So does someone have a working freeradius configuration to share with me > ? Or some tips to get it working ? I would exchange tipps for a decent debug log. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help setting up PEAP authentication
Reynald Borer <[EMAIL PROTECTED]> wrote: > So when I try to login, for example with wpa_supplicant, it tolds me > that authentication with MSCHAPv2 went ok, and then 30 seconds later it > says "Authentication timed out", and it tries to re authenticate. And what does debugging mode on the server say? > Here is what is displayed in the logs (without verbose mode): So why are you not running in debugging mode? > P.S2: I've attached my freeradius config files (modified parts only). Why? The documentation, FAQ, README, and INSTALL say to run the server in debugging mode. Why are you not doing that? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help setting up PEAP authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hey Reynald, Independent of FreeRADIUS, have you checked the following: - - Does your client and RADIUS server have the correct CA certificate installed and trusted? Looks like you are getting a certificate error... - - Have you tried temporarily disabling certificate validation on the XP client to rule out other problems? (I know this defeats the purpose, but can help in troubleshooting) Paul On Jul 19, 2006, at 10:55 AM, Reynald Borer wrote: Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge - -- Paul Asadoorian Email: [EMAIL PROTECTED] Web: http://pauldotcom.com IRC: #pauldotcom | irc.freenode.net Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEvlKaEVNhUUh/4JQRAnthAJ93ksq3YLf6AZmxcUBe/7iZHQsFPgCeND4F Tzlx3qVvLBFH05OgrNLFlPA= =KiET -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius server and PPP
Moustapha Ould Maouloud <[EMAIL PROTECTED]> wrote: > My problem is that the response from the radius server does not > reach my AC (IP 192.168.10.81) although the answer was indeed turned > over to my router (IP : 80.x.x.x) !!! The packet dump you quoted shows that the RADIUS packet is being sent to 80.x.x.x, not 192.168.10.81. I have no idea why you think the RADIUS packet would be sent to 192.168.10.81, RADIUS doesn't work that way. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_radius_auth issue
"Mircea Harapu" <[EMAIL PROTECTED]> wrote: > I'm trying to make a ssh authentication with pam_radius_auth + freeradius + > ldap > The problem is that radius is sending the password to ldap in clear and not > crypted with CRYPT as configured in ldap module . Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else. And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else. And in any case, you haven't said why it's a problem. LDAP gets a clear-text password. So? That's how everyone else uses LDAP. Why is this wrong for you? What problems does it cause? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 3com problem with service-type
Nuno Cervaens <[EMAIL PROTECTED]> wrote: > I know that I can use huntgroups and create for each huntgroup a > different account for the same user with different attributes, but I > dont want to use huntgroups because I already use it for Mac-address > authentication (and apparently a same NAS-IP-Address cannot belong to > more than 1 huntgroup as RADIUS returns the first huntgroup that matches > the NAS-IP-Address). Use rlm_passwd. Put the NAS-IP-Address in one column, and the service-type in another. Didn't you ask this question before, and get a response? What was wrong with the previous solution? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ippool and tcp TIME_WAIT state
Sebastien Cantos wrote: Phil Mayers wrote: It would in theory be possible to save the key from the last walk, and next time we allocate an IP start from that key and wrap back around, which would allocate IPs in a more round-robin fashion. Yes, that should be a solution. I was more thinking of adding a parameter to make sure an IP is kept used in the pool for a certain amount of time after a disconnection and before being available for allocation. Good idea. I don't know what is more easy to hack. I'm going to try using my some little developer skills to look at rlm_ippool.c and see what I can do. Your idea would be much easier, since there's code in the module to deal with expiry already. You'd need to change the code in rlm_ippool.c:ippool_accounting around line 392 (in the CVS) to be: entry.active = 1; entry.timestamp = request->timestamp; entry.timeout = 240; /* or whatever TIME_WAIT time */ ...and then remove the bit further below completely: /* Decrease allocated count from the ip index */ Be aware that, rather obviously, this will greatly increase the contention for IPs from the pool. If you find that a problem, you might need to increase the pool size or change the code in postauth (around line 645) to either aggressively age inactive entries, or to pass through again if no entries are free and force inactive the oldest one. Good luck! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : RE : Problem with secrets
> Most authentication methods don't use the secret as part of > the password > encoding and use independent information for encoding. > > PAP is the only authentication method that depends on the secret. > > For example CHAP uses the password, two random numbers and > MD5 to encode > the password. Thanks a lot, I understand your previous mail now. Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
Thibault Le Meur wrote: with no luck. I also modified the "attrs" file to include this attribute: But no luck there either. Any help is greatly appreciated. Yes, but I don't think you can create a new Radius attribute like this. You should at least declare it in a dictionnary (wince a Radius attribute corresponds to a number in fact). See /etc/raddb/dictionnary and any Included files. Can anyone confirm my analysis and propose a procedure to create new attributes ? Correct, attributes are created by editing the dictionary. The "attrs" file is for the proxy attribute filtering module. Isn't i necessary to register new attributes/number somewhere ? Is it Yes in principle - you can obtain an enterprise number, then in dictionary do: VENDOR MyName MyEnterpriseNumber ATTRIBUTE My-Attribute-11 string MyName ATTRIBUTE My-Attribute-22 ipaddr MyName ...however, burning through the limited number of enterprise numbers for one attribute is a bit wasteful. possible to define "private attributes" ? Yes. Attributes sent over the wire should be either existing, registered attributes, or vendor-specific attributes, using an IANA enterprise number if need be. However if you're *certain* the client and server will never leave your network, then you can re-use any number you like. Better yet is to use an existing attribute - it is highly unlikely you're doing something no-one else has ever done. What is the client? Can you use the "Class" attribute, which is intended exactly for this? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Map LDAP Attribute to RADIUS Attribute
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Thibault, Thank you for reviewing my post. Here is a little more information: The RADIUS client is actually an Aruba wireless controller. It had an attribute already defined called "User-Category". I also checked the dictionary file for "User-Category" and this is what I found: # grep User-Category * dictionary.freeradius.internal:ATTRIBUTEUser- Category 1029string I am happy to change my attribute to something more standard or different if this seems to be the problem Thank You! Paul On Jul 19, 2006, at 10:34 AM, Thibault Le Meur wrote: I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86). I am trying to map an LDAP attribute to a RADIUS attribute. A little background, we have a RADIUS client that needs to make decisions based on an LDAP attribute (we'll call it User-Category). Based on the value of this attribute the end user will be given rights on the network. So, I setup my ldap.attrmap with *only* the following line: replyItem User-Category orgPrimaryAffiliation rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 4 rlm_ldap: - authenticate rlm_ldap: login attempt by "mytestuser" with password "12345" rlm_ldap: user DN: orgUUID=53d66879-e0a0- da8f-4c49-514b567713ad,ou=People,dc=org,dc=com rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1 rlm_ldap: bind as orgUUID=53d66879-e0a0- da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to ldapserver.org.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user mytestuser authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 4 modcall: leaving group LDAP (returns ok) for request 4 Sending Access-Accept of id 192 to 127.0.0.1 port 32904 Finished request 4 Ok everything seems ok untill now... The problem is that I never see the RADIUS server return the "User- Category" attribute back to the RADIUS client. It seems to only want to send the "Access-Accept" or "Access-Reject" message with no User- Category value. I tried including the "User-Category" in the request with no luck. I also modified the "attrs" file to include this attribute: DEFAULT Service-Type == Framed-User, Service-Type == Login-User, Login-Service == Telnet, Login-Service == Rlogin, Login-Service == TCP-Clear, Login-TCP-Port <= 65536, Framed-IP-Address == 255.255.255.254, Framed-IP-Netmask == 255.255.255.255, Framed-Protocol == PPP, Framed-Protocol == SLIP, Framed-Compression == Van-Jacobson-TCP-IP, Framed-MTU >= 576, Framed-Filter-ID =* ANY, Reply-Message =* ANY, User-Category =* ANY, Proxy-State =* ANY, Session-Timeout <= 28800, Idle-Timeout <= 600, Port-Limit <= 2 But no luck there either. Any help is greatly appreciated. Yes, but I don't think you can create a new Radius attribute like this. You should at least declare it in a dictionnary (wince a Radius attribute corresponds to a number in fact). See /etc/raddb/dictionnary and any Included files. Can anyone confirm my analysis and propose a procedure to create new attributes ? Isn't i necessary to register new attributes/number somewhere ? Is it possible to define "private attributes" ? Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html - -- Paul Asadoorian Email: [EMAIL PROTECTED] Web: http://pauldotcom.com IRC: #pauldotcom | irc.freenode.net Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEvkpOEVNhUUh/4JQRAkLYAJ9A9E//OYrXhxqDL1c3R9Pug6DrdQCfcuol nHLn4xrMTZwDskv6eLGrG40= =lqlM -END PGP SIGNATURE- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
3com problem with service-type
Hi guys, I have a lot of hp switches and a lot of 3com switches. I have users that I want them to have Administrator privilege and others that will have NAS-Prompt privilege. So, my users files should be like this, so it can work for both brands: userA Password = pass Service-Type = 7, 3Com-User-Access-Level = 1 userB Password = pass Service-Type = 6, 3Com-User-Access-Level = 3 The problem is that 3COM doesnt accept a service-type =7! It only accepts Service-Type = 6! So the 3COM rejects the access-accept from RADIUS for userA. I know that I can use huntgroups and create for each huntgroup a different account for the same user with different attributes, but I dont want to use huntgroups because I already use it for Mac-address authentication (and apparently a same NAS-IP-Address cannot belong to more than 1 huntgroup as RADIUS returns the first huntgroup that matches the NAS-IP-Address). Does anyone has a solution for my problem? Thanks, Nuno - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Need help setting up PEAP authentication
Hi,
I'm trying to setup freeradius to authenticate users of my wireless
networks and I'm facing some problems. I've tried to follow the guide
located at http://www.tldp.org/HOWTO/8021X-HOWTO/ , which explains
exactly the setup I would like (that is, authentication with username /
password credentials).
So I've setup freeradius like explained (I've already have everything
needed for ssl, CA root certificate and server certificate), and I've
configured my access point to use my radius server.
So when I try to login, for example with wpa_supplicant, it tolds me
that authentication with MSCHAPv2 went ok, and then 30 seconds later it
says "Authentication timed out", and it tries to re authenticate. So I'm
able to use my wireless network 30 seconds only (for example if I start
up a dhcp client then I get an IP) before I'm re authenticated.
I've also tried with a Windows XP client, and it continues asking me my
credentials.
Here is what is displayed in the logs (without verbose mode):
Error: TLS_accept:error in SSLv3 read client certificate A
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Info: rlm_eap_mschapv2: Issuing Challenge
So does someone have a working freeradius configuration to share with me
? Or some tips to get it working ?
Thanks in advance,
Reynald Borer
P.S: I'm using debian so I've recompiled freeradius to link against libssl
P.S2: I've attached my freeradius config files (modified parts only).
Complete files are available at
http://www.borer.name/files/index.php?dir=radius/
eap {
default_eap_type = peap
## default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
tls {
#private_key_password = whatever
private_key_file = ${raddbdir}/certs/bob.keyunsecure.pem
certificate_file = ${raddbdir}/certs/newcert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
}
ttls {
default_eap_type = md5
use_tunneled_reply = no
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
#with_ntdomain_hack = no
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
authtype = MS-CHAP
}
authorize {
preprocess
mschap
suffix
# ntdomain
eap
files
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
3com problem with service-type
Hi guys, I have a lot of hp switches and a lot of 3com switches. I have users that I want them to have Administrator privilege and others that will have NAS-Prompt privilege. So, my users files should be like this, so it can work for both brands: userA Password = pass Service-Type = 7, 3Com-User-Access-Level = 1 userB Password = pass Service-Type = 6, 3Com-User-Access-Level = 3 The problem is that 3COM doesnt accept a service-type =7! It only accepts Service-Type = 6! So the 3COM rejects the access-accept from RADIUS for userA. I know that I can use huntgroups and create for each huntgroup a different account for the same user with different attributes, but I dont want to use huntgroups because I already use it for Mac-address authentication (and apparently a same NAS-IP-Address cannot belong to more than 1 huntgroup as RADIUS returns the first huntgroup that matches the NAS-IP-Address). Does anyone has a solution for my problem? Thanks, Nuno - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
3com problem with service-type
Hi guys, I have a lot of hp switches and a lot of 3com switches. I have users that I want them to have Administrator privilege and others that will have NAS-Prompt privilege. So, my users files should be like this, so it can work for both brands: userA Password = pass Service-Type = 7, 3Com-User-Access-Level = 1 userB Password = pass Service-Type = 6, 3Com-User-Access-Level = 3 The problem is that 3COM doesnt accept a service-type =7! It only accepts Service-Type = 6! So the 3COM rejects the access-accept from RADIUS for userA. I know that I can use huntgroups and create for each huntgroup a different account for the same user with different attributes, but I dont want to use huntgroups because I already use it for Mac-address authentication (and apparently a same NAS-IP-Address cannot belong to more than 1 huntgroup as RADIUS returns the first huntgroup that matches the NAS-IP-Address). Does anyone has a solution for my problem? Thanks, Nuno - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
3com problem with service-type
Hi guys, I have a lot of hp switches and a lot of 3com switches. I have users that I want them to have Administrator privilege and others that will have NAS-Prompt privilege. So, my users files should be like this, so it can work for both brands: userA Password = pass Service-Type = 7, 3Com-User-Access-Level = 1 userB Password = pass Service-Type = 6, 3Com-User-Access-Level = 3 The problem is that 3COM doesnt accept a service-type =7! It only accepts Service-Type = 6! So the 3COM rejects the access-accept from RADIUS for userA. I know that I can use huntgroups and create for each huntgroup a different account for the same user with different attributes, but I dont want to use huntgroups because I already use it for Mac-address authentication (and apparently a same NAS-IP-Address cannot belong to more than 1 huntgroup as RADIUS returns the first huntgroup that matches the NAS-IP-Address). Does anyone has a solution for my problem? Thanks, Nuno - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Map LDAP Attribute to RADIUS Attribute
> > I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86). > I am trying to map an LDAP attribute to a RADIUS attribute. > A little > background, we have a RADIUS client that needs to make decisions > based on an LDAP attribute (we'll call it User-Category). Based on > the value of this attribute the end user will be given rights on the > network. So, I setup my ldap.attrmap with *only* the following line: > > replyItem User-Category orgPrimaryAffiliation > > rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value > auth: type "LDAP" >Processing the authenticate section of radiusd.conf > modcall: entering group LDAP for request 4 > rlm_ldap: - authenticate > rlm_ldap: login attempt by "mytestuser" with password "12345" > rlm_ldap: user DN: orgUUID=53d66879-e0a0- > da8f-4c49-514b567713ad,ou=People,dc=org,dc=com > rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1 > rlm_ldap: bind as orgUUID=53d66879-e0a0- > da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to > ldapserver.org.com:389 > rlm_ldap: waiting for bind result ... > rlm_ldap: Bind was successful > rlm_ldap: user mytestuser authenticated succesfully >modcall[authenticate]: module "ldap" returns ok for request 4 > modcall: leaving group LDAP (returns ok) for request 4 > Sending Access-Accept of id 192 to 127.0.0.1 port 32904 > Finished request 4 Ok everything seems ok untill now... > The problem is that I never see the RADIUS server return the "User- > Category" attribute back to the RADIUS client. It seems to > only want > to send the "Access-Accept" or "Access-Reject" message with no User- > Category value. I tried including the "User-Category" in the > request > with no luck. I also modified the "attrs" file to include this > attribute: > > DEFAULT > Service-Type == Framed-User, > Service-Type == Login-User, > Login-Service == Telnet, > Login-Service == Rlogin, > Login-Service == TCP-Clear, > Login-TCP-Port <= 65536, > Framed-IP-Address == 255.255.255.254, > Framed-IP-Netmask == 255.255.255.255, > Framed-Protocol == PPP, > Framed-Protocol == SLIP, > Framed-Compression == Van-Jacobson-TCP-IP, > Framed-MTU >= 576, > Framed-Filter-ID =* ANY, > Reply-Message =* ANY, > User-Category =* ANY, > Proxy-State =* ANY, > Session-Timeout <= 28800, > Idle-Timeout <= 600, > Port-Limit <= 2 > > But no luck there either. Any help is greatly appreciated. Yes, but I don't think you can create a new Radius attribute like this. You should at least declare it in a dictionnary (wince a Radius attribute corresponds to a number in fact). See /etc/raddb/dictionnary and any Included files. Can anyone confirm my analysis and propose a procedure to create new attributes ? Isn't i necessary to register new attributes/number somewhere ? Is it possible to define "private attributes" ? Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RE : Problem with secrets
Most authentication methods don't use the secret as part of the password encoding and use independent information for encoding. PAP is the only authentication method that depends on the secret. For example CHAP uses the password, two random numbers and MD5 to encode the password. Thibault Le Meur wrote: Even though the secret is incorrect the authentication can be correct. The server returns an Access-Accept. Why? The server trusts the client (it's in the accepted NAS list) and performs the authentication. I might have missed something here, sorry in advance ;-) Since the secret is incorrect, Freeradius wont be able to correctly decrypt the user-password. So authentication shouldn't be succesful ? (section 4.1 of http://www.freeradius.org/faq/). Have you got any pointer to the thread you are talking about (I haven't found it with a wuick googleing) ? Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with secrets
On Wednesday 19 July 2006 13:55, Michael Lecuyer wrote: > This has been explained before in this list and it's how RADIUS works. > > The Even though the secret is incorrect the authentication can be > correct. The server returns an Access-Accept. Why? The server trusts the > client (it's in the accepted NAS list) and performs the authentication. Why then if the secret is a lot different does the server reject the client? Or is it just that MD5 can generate identical results from two different input strings, and we were just unlucky? David > The server then signs the response packet with it's version of the > secret. The client doesn't trust the server and checks the signature. If > the signature is not correct the client rejects the packet. > > The opposite is true with accounting packets - the client signs the > request and the server checks the signature. > > The Message-Authenticator attribute can be used to sign the > Access-Request packet which will cause the server to reject a packet > with the an incorrect MA signature. > > David Goodenough wrote: > > I just hit a really odd problem with a secrets. > > > > We were asked to use FreeRadius to provide IP addresses to an Ericsonn > > NAS. We set up the server and have some test clients with simple > > secrets. If those are right it works, if they are wrong it fails. > > > > Then we put in the secret for the Ericsonn (I can not put it in this > > note as it is someone else's secret and I do not know what else it might > > be the secret for, but privately I could make it available for testing). > > > > This secret is 13 digits long, mixed numbers and letters, looks > > reasonably random, and in the proper secret all the letters were upper > > case. However somehow one of the letters (an O) got put into the server > > in lower case. > > > > The server happily accepts Access-Request packets with an authenticator > > built from the all upper case secret, even though its secret was > > different, it was only the client which rejected the Access-Accept. > > Diagnosing this however was very difficult as we had no access to the > > Ericsonn box and any console messages it might log (we could only see > > what went on the wire and whether the connection succeeded). > > > > A quick look at the code did not find anywhere where the secret gets > > folded to all upper case (but I might have missed it) and if there were > > such folding it would be unfortunate if this was only done on checking > > the received packet not on generating the reply. > > > > I am new to RADIUS, and I could not find any rules about case folding for > > secrets, but I might have missed them. > > > > It could simply be one of those freak places where the MD5 checksum > > happens to be the same for the request but not the response, but that > > does not feel right. > > > > I am using 1.1.1 (I am also using JRadius which last time I looked only > > produced patches for 1.1.1, not 1.1.2). > > > > David > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Problem with secrets
> Even though the secret is incorrect the authentication can be > correct. The server returns an Access-Accept. Why? The server trusts the > client (it's in the accepted NAS list) and performs the authentication. I might have missed something here, sorry in advance ;-) Since the secret is incorrect, Freeradius wont be able to correctly decrypt the user-password. So authentication shouldn't be succesful ? (section 4.1 of http://www.freeradius.org/faq/). Have you got any pointer to the thread you are talking about (I haven't found it with a wuick googleing) ? Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Map LDAP Attribute to RADIUS Attribute
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
All:
I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
I am trying to map an LDAP attribute to a RADIUS attribute. A little
background, we have a RADIUS client that needs to make decisions
based on an LDAP attribute (we'll call it User-Category). Based on
the value of this attribute the end user will be given rights on the
network. So, I setup my ldap.attrmap with *only* the following line:
replyItem User-Category orgPrimaryAffiliation
I setup the following config for rlm_ldap:
server = "ldapserver.org.com"
identity = "cn=Radius_admin,ou=Special
Users,dc=org,dc=com"
password = 12345
basedn = "dc=org,dc=com"
filter = "(&(objectclass=*) (orgShortid=%{Stripped-
User-Name:-%{User-Name}}))"
base_filter = "(objectclass=*)"
# port = 636
port = 389
The following debug logs show the successful authentication of the
user and the mapping of the attributes:
rad_recv: Access-Request packet from host 127.0.0.1:32904, id=192,
length=58
User-Name = "mytestuser"
User-Password = "12345"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "mytestuser", looking up realm
NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mytestuser
radius_xlat: '(&(objectclass=*) (orgShortid=mytestuser))'
radius_xlat: 'dc=org,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=org,dc=com, with filter (&
(objectclass=*) (orgShortid=mytestuser))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value
student & op=11
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user mytestuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 4
rlm_ldap: - authenticate
rlm_ldap: login attempt by "mytestuser" with password "12345"
rlm_ldap: user DN: orgUUID=53d66879-e0a0-
da8f-4c49-514b567713ad,ou=People,dc=org,dc=com
rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
rlm_ldap: bind as orgUUID=53d66879-e0a0-
da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to
ldapserver.org.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mytestuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 4
modcall: leaving group LDAP (returns ok) for request 4
Sending Access-Accept of id 192 to 127.0.0.1 port 32904
Finished request 4
The problem is that I never see the RADIUS server return the "User-
Category" attribute back to the RADIUS client. It seems to only want
to send the "Access-Accept" or "Access-Reject" message with no User-
Category value. I tried including the "User-Category" in the request
with no luck. I also modified the "attrs" file to include this
attribute:
DEFAULT
Service-Type == Framed-User,
Service-Type == Login-User,
Login-Service == Telnet,
Login-Service == Rlogin,
Login-Service == TCP-Clear,
Login-TCP-Port <= 65536,
Framed-IP-Address == 255.255.255.254,
Framed-IP-Netmask == 255.255.255.255,
Framed-Protocol == PPP,
Framed-Protocol == SLIP,
Framed-Compression == Van-Jacobson-TCP-IP,
Framed-MTU >= 576,
Framed-Filter-ID =* ANY,
Reply-Message =* ANY,
User-Category =* ANY,
Proxy-State =* ANY,
Session-Timeout <= 28800,
Idle-Timeout <= 600,
Port-Limit <= 2
But no luck there either. Any help is greatly appreciated.
Thank You,
Paul
- --
Paul Asadoorian
Email: [EMAIL PROTECTED]
Web: http://pauldotcom.com
IRC: #pauldotcom | irc.freenode.net
Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFEvjotEVNhUUh/4JQRAqM/AKCWYfgBERhaBQ/xKUDMGD552JPB4QCfTP+v
knyeEwAg7Annq9xXcdwK8s0=
=Gzks
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cisco 7200 NAS-Port useless
Hi Guys, Has anyone tried to use simultaneous use with l2tp tunnels on a 7200. For some reason the NAS-Port is sends back is the "Uniq" and not the virtual interface number so I have no way to track it with simultaneous-use. Any help appreciated, Regards, John -- John Mylchreest ioko T: +44 (0)1904 438000 x324 M: +44 (0)7730 529047 F: +44 (0)1904 435450 E: [EMAIL PROTECTED] Communications on or through ioko's computer systems may be monitored or recorded to secure effective system operation and for other lawful purposes. Unless otherwise agreed expressly in writing, this communication is to be treated as confidential and the information in it may not be used or disclosed except for the purpose for which it has been sent. If you have reason to believe that you are not the intended recipient of this communication, please contact the sender immediately. No employee is authorised to conclude any binding agreement on behalf of ioko with another party by e-mail without prior express written confirmation. ioko365 Ltd. VAT reg 656 2443 31. Reg no 3048367. All rights reserved. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with secrets
This has been explained before in this list and it's how RADIUS works. The Even though the secret is incorrect the authentication can be correct. The server returns an Access-Accept. Why? The server trusts the client (it's in the accepted NAS list) and performs the authentication. The server then signs the response packet with it's version of the secret. The client doesn't trust the server and checks the signature. If the signature is not correct the client rejects the packet. The opposite is true with accounting packets - the client signs the request and the server checks the signature. The Message-Authenticator attribute can be used to sign the Access-Request packet which will cause the server to reject a packet with the an incorrect MA signature. David Goodenough wrote: I just hit a really odd problem with a secrets. We were asked to use FreeRadius to provide IP addresses to an Ericsonn NAS. We set up the server and have some test clients with simple secrets. If those are right it works, if they are wrong it fails. Then we put in the secret for the Ericsonn (I can not put it in this note as it is someone else's secret and I do not know what else it might be the secret for, but privately I could make it available for testing). This secret is 13 digits long, mixed numbers and letters, looks reasonably random, and in the proper secret all the letters were upper case. However somehow one of the letters (an O) got put into the server in lower case. The server happily accepts Access-Request packets with an authenticator built from the all upper case secret, even though its secret was different, it was only the client which rejected the Access-Accept. Diagnosing this however was very difficult as we had no access to the Ericsonn box and any console messages it might log (we could only see what went on the wire and whether the connection succeeded). A quick look at the code did not find anywhere where the secret gets folded to all upper case (but I might have missed it) and if there were such folding it would be unfortunate if this was only done on checking the received packet not on generating the reply. I am new to RADIUS, and I could not find any rules about case folding for secrets, but I might have missed them. It could simply be one of those freak places where the MD5 checksum happens to be the same for the request but not the response, but that does not feel right. I am using 1.1.1 (I am also using JRadius which last time I looked only produced patches for 1.1.1, not 1.1.2). David - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pam_radius_auth issue
Hello , I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module . Using : pam_radius-1.3.16-68 FreeRADIUS Version 1.0.4 --- Mircea Harapu Abuse Engineer Bucharest NOC RCS & RDS SA [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_ippool and tcp TIME_WAIT state
Phil Mayers wrote: > It would in theory be possible to save the key from the last walk, and > next time we allocate an IP start from that key and wrap back around, > which would allocate IPs in a more round-robin fashion. Yes, that should be a solution. I was more thinking of adding a parameter to make sure an IP is kept used in the pool for a certain amount of time after a disconnection and before being available for allocation. I don't know what is more easy to hack. I'm going to try using my some little developer skills to look at rlm_ippool.c and see what I can do. If there are some freeradius developers around that could help I'll really appreciate. Regards, Sebastien. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem with secrets
I just hit a really odd problem with a secrets. We were asked to use FreeRadius to provide IP addresses to an Ericsonn NAS. We set up the server and have some test clients with simple secrets. If those are right it works, if they are wrong it fails. Then we put in the secret for the Ericsonn (I can not put it in this note as it is someone else's secret and I do not know what else it might be the secret for, but privately I could make it available for testing). This secret is 13 digits long, mixed numbers and letters, looks reasonably random, and in the proper secret all the letters were upper case. However somehow one of the letters (an O) got put into the server in lower case. The server happily accepts Access-Request packets with an authenticator built from the all upper case secret, even though its secret was different, it was only the client which rejected the Access-Accept. Diagnosing this however was very difficult as we had no access to the Ericsonn box and any console messages it might log (we could only see what went on the wire and whether the connection succeeded). A quick look at the code did not find anywhere where the secret gets folded to all upper case (but I might have missed it) and if there were such folding it would be unfortunate if this was only done on checking the received packet not on generating the reply. I am new to RADIUS, and I could not find any rules about case folding for secrets, but I might have missed them. It could simply be one of those freak places where the MD5 checksum happens to be the same for the request but not the response, but that does not feel right. I am using 1.1.1 (I am also using JRadius which last time I looked only produced patches for 1.1.1, not 1.1.2). David - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_ippool and tcp TIME_WAIT state
Sebastien Cantos wrote: I’ve noticed that rlm_ippool is nearly always reassigning an IP address that has just been releasing for a new connexion. This cause some TCP connexion problems because of the TIME_WAIT state. Interesting. The IPs are allocated by a GDBM walk of the database, and use of the first free or expired IP. This will always tend to be the same one hence the repeat allocations. It would in theory be possible to save the key from the last walk, and next time we allocate an IP start from that key and wrap back around, which would allocate IPs in a more round-robin fashion. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Operation of a radius server
hello dave i know the following: the clients dsl router establishes a pppoe connection with the NAS (my a cisco access router with pppoe support and authentification agains radius). the NAS needs the framed-ip, compression type, mtu, etc. from the radius. the radius is getting a request with the encrypted password from the NAS. if the login is correct the radius will answer with a accept packet and the information like framed-ip, mut, compression type, etc. Dave schrieb: I was just hoping someone here could explain to me how the radius server process works. My situation will be authorizing for DSL. I think the process is: My DSL wholesaler gets requests for a logins under my realm to their NAS, then sends it to me, then I send back a yes or no answer. My question is what information do I have to supply to my DSL wholesaler and what information do I need from them? regarding authorization types or encryption? Any info would help a lot. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: rlm_ippool and tcp TIME_WAIT state
Hi, I’ve noticed that rlm_ippool is nearly always reassigning an IP address that has just been releasing for a new connexion. This cause some TCP connexion problems because of the TIME_WAIT state. Scenario: 1/ one device connects using source port 1024 (ppp) and gets an IP address from freeradius 2/ this device disconnects, the ip is freed from the pool 3/ another devices connects using source port 1024 and gets the same ip address as before 4/ the connexion is impossible to the server because the connexion of last device is still in TIME_WAIT state How can I make sure an IP address is not assigned before some time period (240 seconds, time period of the TIME_WAIT state) after being released ? Regards, 127 avenue Joseph Pierre Boitelet BP50 84302 CAVAILLON Cedex FRANCE Sébastien, Cantos IT Manager [EMAIL PROTECTED] + 33 4 90 76 08 08 + 33 1 40 39 23 23 http://www.neopost.com The information contained in this message or any of its attachments is confidential and is intended for the exclusive use of the addressee. The information may also be legally privileged. The Internet cannot guarantee the integrity of this message. Neopost shall not therefore be liable for the message if modified. The views expressed may not be company policy, but the personal views of the originator. If you are not the addressee, any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited. If you have received this message in error, please contact [EMAIL PROTECTED] and then delete this message. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeradius server and PPP
Hello, I have in my LAN an access controller Colubris CN3200 (IP : 192.168.10.80), router (gw) IP : 192.168.10.1/80.x.x.x, and I authenticate it on a remote radius server (IP 63.x.x.x). In server side i have this (radiusd -X) : rad_recv: Access-Request packet from host 80.x.x.x:10901, id=64, length=251 Acct-Session-Id = "7592eefb" NAS-Port = 0 NAS-Port-Type = Wireless-802.11 User-Name = "noven-ac1" Calling-Station-Id = "00-03-52-01-FC-33" Called-Station-Id = "00-03-52-01-FC-33" Framed-IP-Address = 192.168.1.1 User-Password = "novenac1" NAS-Identifier = "noven.Vincennes.0" NAS-IP-Address = 192.168.10.81 Framed-MTU = 1496 Connect-Info = "HTTPS" Service-Type = Administrative-User WISPr-Location-Name = "noven.Noven-WiFi" WISPr-Location-ID = "noven2/Noven-WiFi" Message-Authenticator = 0xa4619c3e1b4b1f7f5a877de95f208ab0 Processing the authorize section of radiusd.conf . ..Sending Access-Accept of id 64 to 80.x.x.x:10901 Framed-Protocol := PPP Service-Type := Framed-User Framed-MTU := 1500 Colubris-AVPair += "transport-page=https://192.168.10.82/Noven/transport.html" Colubris-AVPair += "session-page=https://192.168.10.82/Noven/session.html" My problem is that the response from the radius server does not reach my AC (IP 192.168.10.81) although the answer was indeed turned over to my router (IP : 80.x.x.x) !!! Perhaps I need to install a PPP or PPPoE server ? I have no idea ... Someone can help me ? Please Thanks; Moustapha Maouloud Avez-vous essayé le nouveau Yahoo! Mail ? Plus rapide, plus efficace... simplement révolutionnaire ! Découvrez-le. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : Radius Authentication
> i'm facing a little problem. > in some times my mysql DB server is down & the radius can't insert > records into it of-course, so the users can't login as the radius > doesn't authenticate them unless he can record them. > Is there any solution to make the radius authenticate the > users without > insert records in the DB. I suppose your mysql DB server isn't used to authenticate your users, otherwise having your radius server work even if your DB is down would make no sense (unless you have another module able to authenticate users?). If your DB server is used only for logging purpose (accounting, post-authenticate, ...). You may find interresting information in the doc/configurable_failover file in order to make the DB module failure be non-critial. Regards, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius Authentication
Dear All, i'm using freeradius 1.1.0 . i'm facing a little problem. in some times my mysql DB server is down & the radius can't insert records into it of-course, so the users can't login as the radius doesn't authenticate them unless he can record them. Is there any solution to make the radius authenticate the users without insert records in the DB. thanks for your help -- regards, Amr el-Saeed - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
