Re: Active Directory (Win2003) rlm_ldap
"Charlie B" <[EMAIL PROTECTED]> wrote:
> I have checked the shared secret, and earlier in the debug you can see that
> it binds successfully.

To LDAP? That doesn't matter. The shared secret isn't used there.

> After which it attempts to authenticate the user with
> the credentials provided and fails, the only thing I can see is that it is
> changing the password provided into garbage

Because, as the message says, the shared secret is wrong.

> In all the examples I can find the password sent is in clear
> text, so then why in my example is it encrypted?

Because the shared secret is wrong.

> How do I undo this?

Use the correct shared secret.

I fail to understand why you're arguing when you could just go fix the shared secret, and prove to yourself that fixing it solves the problem.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Access-Accept with invalid signature
Norbert Wegener <[EMAIL PROTECTED]> wrote:
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=32, length=20
> rad_decode: Received Access-Accept packet from client 127.0.0.1 port
> 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

That message would appear to be definitive.

> The output of radiusd -AX does not show anything strange to me and can
> be found at: http://www.wegener-net.de/fr/typescript

For one, the password printed out in debugging mode is NOT what was sent from the client. And the only reason you got an Access-Accept is that password checking was bypassed completely (Auth-Type Accept).

> So, is the last message important or can it be ignored?

It's important. Never ignore it.

Alan DeKok.
Re: configuring FreeRadius pools
"Elie Hani" <[EMAIL PROTECTED]> wrote:
> Well I'm trying to configure 2 pools of IPs, where these pools should be
> created?

In the server configuration? Using the ippool module?

> can it be done on the radius and this radius will take care of
> giving the IPs to the users? or should I configure a dhcp and relay it to
> the radius?

There are no DHCP to RADIUS gateways.

> I tried to configure on the radius, in the config file, in the ippools
> section, 2 pools of IPs, but it didn't work.

That's a pretty pointless comment. See the FAQ.

Alan DeKok.
Re: Re[2]: FreeRadius+mysql+crypted passwords
"Marek Soha - intrak.sk" <[EMAIL PROTECTED]> wrote:
> Have you any idea how to configure it with crypted passwords stored in the
> database and with cisco accesspoint clients authentication?
> Now I'm using EAP/PEAP in cisco ap to authorize windows xp client (PEAP
> required).

Please go back and read my reply. I already answered this. Asking the same question again is counter-productive.

Alan DeKok.
Re: pam_radius_auth issue
"Mircea Harapu" <[EMAIL PROTECTED]> wrote:
> The pam_radius_auth is sending User-Password without being encrypted.

If you know more about RADIUS than the people on this list, I'm curious why you're asking questions about it.

Alan DeKok.
Re: Why doesn't := "Always match?"
Comments inline...

Phil Mayers wrote:
> Paul Long wrote:
>> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the users file says, "Attribute := Value ... Always matches as a check item..." So does that mean, no matter what the value is, it will always
>
> Well, the wording might be a bit confusing. FreeRadius works the following way:
>
> 1. All attribute-value pairs that come in are the "request" pairs
> 2. Internal server attribute per-request are the "config" pairs
> 3. Attribute-value pairs to go back to the client are the "reply" pairs
>
> someuser   User-Password := "somevalue"
>
> ...actually sets (unconditionally) the User-Password AVP in the "config" items. This password is *COMPARED* to the password supplied by the client in the "request" items.

Okay, so then what is meant in the man page by "Always matches a check item?" Should it have said, "Always checks a check item?" :-) As is, it sounds like it always returns true.

> It's not a simple equality - a CHAP request will require a challenge/response calculation with the config password + request challenge and then an equality test of the chap response.
>
>> match the attribute? I don't see that happening. As an experiment, I have a supplicant in a WiFi phone with user name of "plong" and password of "123". With the following entry in the users file:
>>
>> plong   Auth-Type = Local, User-Password := "126"
>>
>> ...I assumed it would match even though the value is different; however,
>
> Though I realise the terminology might be initially confusing, how did you imagine a user with a password of "123" would be matched/accepted by a password of "126".

I didn't expect it to match/accept. I was just playing around with values trying to better understand the operators. I have everything working the way I want--I was just going for extra credit. :-)

>> it does not match, and the access request is rejected:
>>
>> rlm_chap: login attempt by "plong" with CHAP password
>> rlm_chap: Using clear text password 126 for user plong authentication.
>> rlm_chap: Pasword check failed
>>
>> To get it to match, I have to have the correct value:
>>
>> plong   Auth-Type = Local, User-Password := "123"
>>
>> which results in this debug output:
>>
>> rlm_chap: login attempt by "plong" with CHAP password
>> rlm_chap: Using clear text password 123 for user plong authentication.
>> rlm_chap: chap user plong authenticated succesfully
>
> Yes...
>
>> In fact, := behaves exactly like == in this case. What's the deal? Why doesn't := "always match?" Am I misunderstanding what it means to "match?"
>
> As per man(5) users:
>
> Attribute := Value
>     Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items.
>
> Basically, := is a "force set" operator. In a "check" item, it sets a check/config pair.

So "Always matches a check item" just means that a check will be performed and says nothing about the outcome of that check?

> In a reply item, it sets/forces a reply pair.
>
> See doc/aaa.txt
Re: Why doesn't := "Always match?"
Paul Long wrote:
> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the users file says, "Attribute := Value ... Always matches as a check item..." So does that mean, no matter what the value is, it will always

Well, the wording might be a bit confusing. FreeRadius works the following way:

1. All attribute-value pairs that come in are the "request" pairs
2. Internal server attribute per-request are the "config" pairs
3. Attribute-value pairs to go back to the client are the "reply" pairs

someuser   User-Password := "somevalue"

...actually sets (unconditionally) the User-Password AVP in the "config" items. This password is *COMPARED* to the password supplied by the client in the "request" items.

It's not a simple equality - a CHAP request will require a challenge/response calculation with the config password + request challenge and then an equality test of the chap response.

> match the attribute? I don't see that happening. As an experiment, I have a supplicant in a WiFi phone with user name of "plong" and password of "123". With the following entry in the users file:
>
> plong   Auth-Type = Local, User-Password := "126"
>
> ...I assumed it would match even though the value is different; however,

Though I realise the terminology might be initially confusing, how did you imagine a user with a password of "123" would be matched/accepted by a password of "126".

> it does not match, and the access request is rejected:
>
> rlm_chap: login attempt by "plong" with CHAP password
> rlm_chap: Using clear text password 126 for user plong authentication.
> rlm_chap: Pasword check failed
>
> To get it to match, I have to have the correct value:
>
> plong   Auth-Type = Local, User-Password := "123"
>
> which results in this debug output:
>
> rlm_chap: login attempt by "plong" with CHAP password
> rlm_chap: Using clear text password 123 for user plong authentication.
> rlm_chap: chap user plong authenticated succesfully

Yes...

> In fact, := behaves exactly like == in this case. What's the deal? Why doesn't := "always match?" Am I misunderstanding what it means to "match?"

As per man(5) users:

Attribute := Value
    Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items.

Basically, := is a "force set" operator. In a "check" item, it sets a check/config pair. In a reply item, it sets/forces a reply pair.

See doc/aaa.txt
Why doesn't := "Always match?"
A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the users file says, "Attribute := Value ... Always matches as a check item..." So does that mean, no matter what the value is, it will always match the attribute? I don't see that happening.

As an experiment, I have a supplicant in a WiFi phone with user name of "plong" and password of "123". With the following entry in the users file:

plong   Auth-Type = Local, User-Password := "126"

...I assumed it would match even though the value is different; however, it does not match, and the access request is rejected:

rlm_chap: login attempt by "plong" with CHAP password
rlm_chap: Using clear text password 126 for user plong authentication.
rlm_chap: Pasword check failed

To get it to match, I have to have the correct value:

plong   Auth-Type = Local, User-Password := "123"

which results in this debug output:

rlm_chap: login attempt by "plong" with CHAP password
rlm_chap: Using clear text password 123 for user plong authentication.
rlm_chap: chap user plong authenticated succesfully

In fact, := behaves exactly like == in this case. What's the deal? Why doesn't := "always match?" Am I misunderstanding what it means to "match?"

Paul
Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)
Hoercher,

Thank you so much for your time. I really think that it is a problem with my pppoe-server, but it is something I can't change (it's embedded into a system box). The configuration options for radius authentication are very limited.

To solve the problem I made a script on my linux box that gets info using net-snmp about the pppoe-users connected to the remote server. With this info I use "radwho" to tell me which users are in the radius database as "online", so with these two pieces of information I can make a script to differentiate the files and tell me which user is still logged in (in freeradius) that is not online anymore on the pppoe-server. So I use radzap to drop the connection and allow the same login to get online again (I use simultaneous use = 1). This is not the best option, but it is working for now... ;)

Att,
Nataniel Klug .'.

> Hi,
>
> ok, sorry about that bit of levity. I meant "missing in action" in respect of your not connected users.
>
> As I said, freeradius doesn't keep some state of "connected users"; if they really aren't serviced anymore due to whatever circumstances, it doesn't know so unless told by something (looks like the mentioned PPPoE server here). As you didn't provide much detail I'm left to guessing around. So I talked about the accounting function of freeradius as something which might be seen as coming near to having a state by recording information it *gets*.
>
> So, if you cannot find suitable information in the documentation, please consider asking more specifically and provide as much information about your problem as possible.
>
> best regards
> K. Hoercher
Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)
On 7/21/06, Nataniel Klug <[EMAIL PROTECTED]> wrote:
> I could not understand what you mean with this MIA. I will look for more info into my PPPoE-Server.

Hi,

ok, sorry about that bit of levity. I meant "missing in action" in respect of your not connected users.

As I said, freeradius doesn't keep some state of "connected users"; if they really aren't serviced anymore due to whatever circumstances, it doesn't know so unless told by something (looks like the mentioned PPPoE server here). As you didn't provide much detail I'm left to guessing around. So I talked about the accounting function of freeradius as something which might be seen as coming near to having a state by recording information it *gets*.

So, if you cannot find suitable information in the documentation, please consider asking more specifically and provide as much information about your problem as possible.

best regards
K. Hoercher
Re: Password Problem
Sorry for being such a noob, but what type of auth should I use? I'm going to go read the man to find out how to tell it to use crypted passwords... unless anyone feels like giving me a pointer :) The howto I used must have been a bad one.

Thanks
Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)
Hoercher,

I could not understand what you mean with this MIA. I will look for more info into my PPPoE-Server.

Att,
Nataniel Klug

K. Hoercher wrote:
> There is no such thing as "user remains connected into my radius server". It's the client's (here PPPoE Server?) responsibility to act accordingly. In particular it should eventually update the accounting if a "client"/user is MIA. That might be near to the problem you are referring to.
>
> Best regards
> K. Hoercher
Where to find info about DEFAULT value
All,

I see reference to setting DEFAULT in mysql database tables. I need to set the default value of Acct-Interim-Interval = 60s for all users. Can I just put this in my radreply table:

user      attribute              op    value
---
DEFAULT,  Acct-Interim-Interval, :=,   60

Will this make sure that any user that doesn't have this attribute set elsewhere will get 60?

Thanks
freeradius wireless authentication
Hi,

Can anyone point me to some good tutorials for using Freeradius to authenticate wireless users in a WISP environment?

Thanks,
Lisa Casey
Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)
There is no such thing as "user remains connected into my radius server". It's the client's (here PPPoE Server?) responsibility to act accordingly. In particular it should eventually update the accounting if a "client"/user is MIA. That might be near to the problem you are referring to.

Best regards
K. Hoercher
Re: RE : Using mschap authentication without EAP
All right. Now authentication works fine. Many thanks to everyone who has given me this useful advice. Have a nice day.

Thanks again
Giusy Venezia
Re: PEAP short question
Hi,

> I've been watching the logs and my question is why localhost takes part in
> the process.

Inner workings of FreeRADIUS. The "inner" authentication (within the EAP TLS tunnel) counts as a new request, coming from localhost.

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
- Research engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: Active Directory (Win2003) rlm_ldap
Thanks for the reply,

I have checked the shared secret, and earlier in the debug you can see that it binds successfully. After which it attempts to authenticate the user with the credentials provided and fails; the only thing I can see is that it is changing the password provided into garbage and sending this to Active Directory, which is turning around and saying incorrect password. In all the examples I can find the password sent is in clear text, so then why in my example is it encrypted? How do I undo this?

On 7/20/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Charlie B" <[EMAIL PROTECTED]> wrote:
> > Question: What is causing the password to be encrypted? It is not the
> > password entered.
>
> Read the debug output:
>
> > WARNING: Unprintable characters in the password. ? Double-check the
> > shared secret on the server and the NAS!
>
> Alan DeKok.
Access-Accept with invalid signature
I want to use mysql with freeradius and a default entry in the users file. Testing with radtest I get an Access-Accept, which is ok. But there is an additional piece of information which irritates me, and I have no idea what it means. In case of an incorrect shared secret - as far as I know - no Access-Accept would have been sent.

suse:/home/norbert # radtest nw123 xx localhost 0 1812 maxen
Sending Access-Request of id 32 to 127.0.0.1 port 1812
        User-Name = "nw123"
        User-Password = "xx"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=32, length=20
rad_decode: Received Access-Accept packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)

The output of radiusd -AX does not show anything strange to me and can be found at: http://www.wegener-net.de/fr/typescript

So, is the last message important or can it be ignored?

Thanks
Norbert Wegener
Droping clients from radius (they are connected into radius but they are not connected in their houses)
Hello all,

I have a very big problem. I have a system that uses a PPPoE server to authenticate my clients against a FreeRadius server. The server is running ok, but when something unexpected happens on my clients' side (like an energy blackout or something like that) the user remains connected in my radius server. Is there any way I could make a test to see if the user is not online and then drop it?

Att,
Nataniel Klug
PEAP short question
Hi all,

I've been watching the logs and my question is why localhost takes part in the process.
RE : Using mschap authentication without EAP
> > Thibault Le Meur wrote:
> > > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> > > User-Name = "misterc"
> > > CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> > > CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> >
> > That means that your client is trying MS-CHAP, and MS-CHAP can't be used
> > with something else than NT-Hash passwords or cleartext passwords in the
> > authorize backend (in your case LDAP).
>
> No, it does NOT.
>
> It means his client is trying CHAP. Not MS-CHAP

You're right... sorry I was too fast in my reply... ;-) but the conclusion was about the same: use a cleartext password (except for the NT-hash alternative ;-) ).

Thibault
Re: pam_radius_auth issue
Mircea Harapu wrote:
> PAP sends the following radius request:
>
> User-Name = "Someuser"
> User-Password = "somepassword"
>
> HOWEVER, the User-Password field in a radius packet is defined by RFC to be encrypted with the radius shared secret. The pam_radius_auth is sending User-Password without being encrypted. I have set the same shared secret in /etc/raddb/server and clients.conf

I believe you are incorrect. Have you looked at the actual packets on the wire with a sniffer? Remember, when FreeRadius displays the packet, it has already decrypted it, so of course you will see it in the clear in the FR debug output and logs.
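This reply, the rlm_ldap thread ("changing the password provided into garbage", "Unprintable characters in the password") and the "Access-Accept with invalid signature" thread all turn on the same two pieces of RFC 2865 arithmetic, so here is an added, runnable illustration of both. It is not code from FreeRADIUS, radtest or pam_radius_auth, and every secret, identifier and password in it is constructed for the demo. A NAS hides User-Password under MD5(secret + Request Authenticator); a server holding a different secret unhides it into bytes that are not the password, which is what the "Unprintable characters" warning reports; and a client verifies the Response Authenticator on an Access-Accept, which is the check behind "invalid signature (err=2)".

```python
"""RFC 2865 shared-secret arithmetic: User-Password hiding (section 5.2) and
the Response Authenticator (section 3). Added illustration for this list
archive; it is not FreeRADIUS, radtest or pam_radius_auth code, and every
secret, identifier and password below is constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret, request_auth, password):
    """Pad the password with NULs to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator. This is what a NAS does before sending."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password. The server runs this before it prints
    User-Password in debug output, which is why the log shows cleartext."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def is_printable(data):
    """The test behind 'WARNING: Unprintable characters in the password'."""
    return all(0x20 <= b <= 0x7E for b in data)


def attribute(attr_type, value):
    """Type, Length (counting these two header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload):
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2:
            raise ValueError("malformed attribute")
        attrs[payload[i]] = payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
    return attrs


def build_access_request(secret, ident, username, password, request_auth=None):
    """NAS side: header, random Request Authenticator, User-Name, hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_view_of_password(secret, packet):
    """What a server configured with `secret` obtains as the password. With the
    wrong secret the result is the 'garbage' the rlm_ldap thread describes."""
    attrs = parse_attributes(packet[20:])
    return unhide_password(secret, packet[4:20], attrs[ATTR_USER_PASSWORD])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + response Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(secret, request_packet, attrs=b""):
    ident, request_auth = request_packet[1], request_packet[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def response_is_authentic(secret, request_packet, response_packet):
    """Client side: the check that produced 'invalid signature (err=2)'. An
    Access-Accept that fails it carries no proof the sender holds the secret
    and must be discarded."""
    if response_packet[1] != request_packet[1]:
        return False
    expected = response_authenticator(response_packet[0], response_packet[1],
                                      request_packet[4:20], response_packet[20:], secret)
    return hmac.compare_digest(expected, response_packet[4:20])


if __name__ == "__main__":
    nas_secret, server_secret = b"testing123", b"testing124"  # constructed, deliberately mismatched
    req = build_access_request(nas_secret, 32, b"nw123", b"xx")
    print("right secret decodes to:", server_view_of_password(nas_secret, req))
    seen = server_view_of_password(server_secret, req)
    print("wrong secret decodes to:", seen, "printable:", is_printable(seen))
    accept = build_access_accept(server_secret, req)
    print("client accepts the Access-Accept:", response_is_authentic(nas_secret, req, accept))
```

Two consequences follow directly from the code. The cleartext in radiusd -X output is the result of unhide_password, so it says nothing about what was on the wire; only a capture does. And a reply whose Response Authenticator fails to verify is, to the client, indistinguishable from a reply sent by someone who does not know the secret, so the correct client behaviour is to drop it, exactly as the list answer says.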
Re: users file for NULL realm, LDAP for another
John Keimel wrote:
> I have two Freeradius servers, one of which authenticates MAC addresses for wireless, the other [EMAIL PROTECTED] for some other network access. I'd like to combine the two of them into one server. If the username comes through without a realm (a MAC address) I'd like it to check the users file. If it comes through with a realm, just check LDAP. If the MAC address fails, it should never ever check LDAP. That just beats up the LDAP server and the LDAP admin yells (with good reason!).

Use Autz-Type and a 2nd files module, like so:

modules {
    files {
        usersfile = ${confdir}/users
    }
    files files2 {
        usersfile = ${confdir}/users2
    }
    ldap {
        ...
    }
}

authorize {
    preprocess
    files
    Autz-Type MAC {
        files2
    }
    Autz-Type USER {
        ldap
    }
}

in ${confdir}/users:

DEFAULT User-Name =~ "[EMAIL PROTECTED]", Autz-Type := USER
DEFAULT Autz-Type := MAC

in ${confdir}/users2:

00-11-22-33-44-55 Whatever-Attributes == "somevalue"
    Reply-Attribute-1 = foo,
    Reply-Attribute-2 = bar

> Should I be looking to do this just in the radiusd.conf? Or should I be attempting to mangle some kind of proxy arrangement? Would anyone care to share any sample configs for such a thing? It looks to me like there may be several ways to do this and I'd like to spend the time building up the best method. Proxy? Autz-type?

Autz-Type

Proxy is really intended for if you're going to send the request on somewhere else. It *can* strip the username, but there are easier ways to do it.

You could also configure a huntgroup based on various attributes e.g.

${confdir}/huntgroups:

ethernet NAS-Port-Type == Ethernet
vpn      NAS-Port-Type == Async, NAS-IP-Address == my.vpn.server.ip

${confdir}/users:

DEFAULT Huntgroup-Name == "ethernet", Autz-Type := MAC
DEFAULT Huntgroup-Name == "vpn", Autz-Type := USER

...and so on
Re: Using mschap authentication without EAP
> dn: cn=Vito Cu,ou=utenti,dc=,dc=it
> userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9

This is:

userPassword: {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=

You MUST have plaintext passwords in your LDAP directory to do CHAP.

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

Your NAS submitted a CHAP request. You cannot check CHAP requests by simple bind to LDAP, only PAP. You have three choices:

1. Store plaintext passwords in userPassword in LDAP, and use CHAP, configured like this:

authorize {
    preprocess
    chap
    ldap
}
authenticate {
    Auth-Type CHAP {
        chap
    }
}

2. Store whatever you like in LDAP, configure your NAS to use PAP and LDAP simple binds, configured like this:

authorize {
    preprocess
    ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}

3. Store crypted passwords in userPassword, configure your NAS to use PAP, and do PAP at the server side. Not recommended.
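The "Why doesn't := always match?" thread and this one both come down to what rlm_chap can and cannot compute from the check items. The block below is an added example, not FreeRADIUS code, and all of its passwords and challenges are constructed: it reproduces the CHAP check (the users-file value goes into MD5 together with the CHAP ID and challenge, so a check item of "126" can never verify a response built from "123"), shows that a {SHA} userPassword can never verify any CHAP response at all, and shows the PAP counterpart that makes choice 3 above workable with hashed storage. Function and variable names are this example's own.

```python
"""CHAP verification the way rlm_chap performs it (RFC 1994 via RFC 2865
section 5.3), beside PAP verification of an LDAP-style {SHA} userPassword.
Added example for this archive, not FreeRADIUS code; every password and
challenge below is constructed for the demo."""
import base64
import hashlib
import hmac
import os


def chap_response(ident, cleartext_password, challenge):
    """CHAP-Password value: one CHAP ID byte, then MD5(ID || password || challenge).
    The challenge is the CHAP-Challenge attribute, or the Request Authenticator
    when the NAS sends none."""
    digest = hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(check_password, chap_password, challenge):
    """Server side. The check item must be the cleartext password: MD5 needs
    it as input, so a hashed item such as '{SHA}...' can never verify, which
    is why the LDAP thread insists on plaintext userPassword for CHAP."""
    if len(chap_password) != 17:
        return False  # ID byte + 16-byte MD5 digest; anything else is malformed
    if check_password.startswith(b"{"):
        return False  # hashed check item: no cleartext to feed the digest
    expected = chap_response(chap_password[0], check_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def ldap_sha_hash(cleartext_password):
    """OpenLDAP {SHA} userPassword syntax: base64 of the raw SHA-1 digest."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(cleartext_password).digest())


def verify_pap(check_password, user_password):
    """Server-side PAP (choice 3 in the thread): a cleartext check item is
    compared directly; a {SHA} check item is compared against SHA-1 of the
    submitted password."""
    if check_password.startswith(b"{SHA}"):
        stored = base64.b64decode(check_password[5:])
        return hmac.compare_digest(hashlib.sha1(user_password).digest(), stored)
    return hmac.compare_digest(check_password, user_password)


def simulate_chap_login(users_file_password, supplicant_password, ident=1, challenge=None):
    """Replays the users-file experiment from the ':= always match' thread:
    the check item holds one value, the supplicant answers with another."""
    challenge = challenge or os.urandom(16)
    response = chap_response(ident, supplicant_password, challenge)
    return verify_chap(users_file_password, response, challenge)


if __name__ == "__main__":
    print("users file 123, phone 123:", simulate_chap_login(b"123", b"123"))
    print("users file 126, phone 123:", simulate_chap_login(b"126", b"123"))
    print("{SHA} check item, CHAP    :", simulate_chap_login(ldap_sha_hash(b"123"), b"123"))
    print("{SHA} check item, PAP     :", verify_pap(ldap_sha_hash(b"123"), b"123"))
```

The asymmetry is the whole point of the thread: a CHAP response can only be checked by redoing the digest from the cleartext, while a PAP request hands the server the cleartext and lets it hash that against whatever the directory stores. Which protocol the NAS speaks therefore decides what the directory must hold, not the other way round.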
Re: Using mschap authentication without EAP
Thibault Le Meur wrote:
> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> User-Name = "misterc"
> CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
>
> That means that your client is trying MS-CHAP, and MS-CHAP can't be used
> with something else than NT-Hash passwords or cleartext passwords in the
> authorize backend (in your case LDAP).

No, it does NOT.

It means his client is trying CHAP. Not MS-CHAP
Re: Using mschap authentication without EAP
> Well, after some changes in OpenLDAP config, this is the result:

So your first issue was openldap related...

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful

Bind as manager is ok...

> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
> Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access

Great, rlm_ldap has retrieved everything needed.

> Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0

Now it's time to run the authenticate module

> Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP
> Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
> Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf

Ldap module will be used (that is to say a bind with the user's credential will be attempted, provided that the request contains the necessary data).

> Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
> Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
> Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

Well, it seems that your radius client is trying CHAP and not PAP. You wrote in a previous mail that the request was:

> rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> User-Name = "misterc"
> CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> NAS-IP-Address = 0.0.0.0
> Service-Type = Login-User
> Framed-IP-Address = 192.168.182.2
> Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> NAS-Identifier = "nas01"
> Acct-Session-Id = "44bfd15d"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 0
> Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"

That means that your client is trying MS-CHAP, and MS-CHAP can't be used with something else than NT-Hash passwords or cleartext passwords in the authorize backend (in your case LDAP).

Thibault
RE: configuring FreeRadius pools
Well I'm trying to configure 2 pools of IPs; where should these pools be created? Can it be done on the radius, and this radius will take care of giving the IPs to the users? Or should I configure a dhcp and relay it to the radius?

I tried to configure on the radius, in the config file, in the ippools section, 2 pools of IPs, but it didn't work.

Thanks
Elie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Nixon
Sent: Friday, July 21, 2006 10:44 AM
To: FreeRadius users mailing list
Subject: Re: configuring FreeRadius pools

Well,

The problem is you still haven't exactly explained what you are trying to do with radius. Are you assigning the IP addresses from pools on radius or pools on the patton?

Assuming that radius is assigning the pools, you simply need to create 2 of them. (Read the radiusd.conf, the comments explain it.) Then configure radius to return an address from the first pool by default, and the second pool when the patton sends whatever information it sends to say that the user is authed or valid or whatever. You need to figure that out as I don't have any experience with patton.

RADIUS is not magic. It can only respond when asked a question, and it can only give an answer based on what it is asked. You therefore need to make sure that patton is asking 2 different questions, and configure your 2 different replies based on what question it is asking...

radiusd -X (debug mode) is your friend in this instance..

Hope that Helps

-Peter

On Fri 21 Jul 2006 10:16, Elie Hani wrote:
> Thanks Alan, but this was not my problem. My problem is in configuring the
> IP pools, I need a way to configure the 2 pools of IPs which are one Fake
> and the other Real. I don't have a problem in redirection, it's in how to
> configure the 2 pools of IPs.
>
> Thanks
> Elie
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On
> Behalf Of Alan DeKok
> Sent: Thursday, July 20, 2006 5:16 PM
> To: FreeRadius users mailing list
> Subject: Re: configuring FreeRadius pools
>
> "Elie Hani" <[EMAIL PROTECTED]> wrote:
> > I want to configure 2 pools, the first one is a fake IP pool, where the
> > dial up user on the patton gets an IP from this pool, and then he will enter
> > the necessary information; once all the information entered is true, he
> > will reconnect with his new username, then he will get an IP from the
> > other pool which contains real IPs.
>
> This is called a "captive portal". Please use one of those, which
> solves most of these problems for you, including IP allocation.
>
> Alan DeKok.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re[2]: FreeRadius+mysql+crypted passwords
Hi. Thanks for a reply. Have you any idea how to configure it with crypted passwords stored in the database and with Cisco access point client authentication? Now I'm using EAP/PEAP in the Cisco AP to authorize a Windows XP client (PEAP required). Thanks for any idea.

Alan, on 21 July 2006 you wrote:

> "Marek Soha - intrak.sk" <[EMAIL PROTECTED]> wrote:
>> I have configured FreeRadius+EAP/PEAP+mysql in working state...But now, I
>> want to have encrypted passwords stored in mysql database (in that
>> table where plaintext passwords are stored now).
>> Can you give me an advice how to do that?
>
> If you store the passwords in encrypted form, then PEAP will stop
> working.
>
> Alan DeKok.

Best regards
Wishing you a nice day

  ,_,     Marek Soha
 (O,O)    Student FEI, Informatics, TU Kosice
 (   )    [EMAIL PROTECTED]
 -"-"-    [EMAIL PROTECTED]  146-284-791
Re: configuring FreeRadius pools
Welli

The problem is you still haven't exactly explained what you are trying to do with radius. Are you assigning the IP addresses from pools on radius or pools on the patton?

Assuming that radius is assigning the pools, you simply need to create 2 of them. (Read the radiusd.conf; the comments explain it.) Then configure radius to return an address from the first pool by default, and the second pool when the patton sends whatever information it sends to say that the user is authed or valid or whatever. You need to figure that out as I don't have any experience with patton.

RADIUS is not magic. It can only respond when asked a question, and it can only give an answer based on what it is asked. You therefore need to make sure that patton is asking 2 different questions, and configure your 2 different replies based on what question it is asking...

radiusd -X (debug mode) is your friend in this instance..

Hope that Helps

-Peter

On Fri 21 Jul 2006 10:16, Elie Hani wrote:
> Thanks Alan, but this was not my problem. My problem is in configuring the
> IP pools, I need a way to configure the 2 pools of IPs which are one Fake
> and the other Real. I don't have a problem in redirection, it's in how to
> configure the 2 pools of IPs.
>
> Thanks
> Elie
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Alan DeKok
> Sent: Thursday, July 20, 2006 5:16 PM
> To: FreeRadius users mailing list
> Subject: Re: configuring FreeRadius pools
>
> "Elie Hani" <[EMAIL PROTECTED]> wrote:
> > I want to configure 2 pools, the first one is a fake IP pool, where the
> > dial up user on the patton gets an IP from this pool, and then he will enter
> > the necessary information, once all the information entered is true, he
> > will reconnect with his new username, then he will get an IP from the
> > other pool which contains real IPs.
>
> This is called a "captive portal". Please use one of those, which
> solves most of these problems for you, including IP allocation.
>
> Alan DeKok.

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Using mschap authentication without EAP
On 7/20/06, Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> Well isn't it a pb of rights ? Is the anonymous user able to search the
> openldap directory for users entries ?

Yes, the anonymous user is able to search.

> What is the result of a simple "ldapsearch" with the same ldap filter.

ldapsearch -x -b "dc=,dc=it" "(uid=misterc)"
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, .it
dn: cn=Vito Cu,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> Have you got ACLs in your openldap directory configuration files ?

All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug: Processing the authorize section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module "eap" returns noop for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module "ldap" returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module "pap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module "ldap" returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.

Best regards.
Giusy Venezia
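Giusy's log (rlm_pap and rlm_ldap both returning "invalid" because the request carries only a CHAP-Password while the directory holds a {SHA} userPassword) and Marek's question in the MySQL/PEAP thread above come down to the same constraint: a challenge-response method needs the server to recompute the client's response from the cleartext password, which a one-way hash cannot supply. The Python below is an added example, not code from FreeRADIUS or from anyone in the thread; the sample password, CHAP identifier and challenge are constructed values, and only the {SHA} string is taken from the log.

```python
import base64
import hashlib
import hmac

# Constructed sample credential (not a real user's password).
CLEARTEXT = "constructed-secret"

# The hashed value rlm_ldap pulled from userPassword in the log above.
LOG_USERPASSWORD = "{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs="


def ldap_sha(password: str) -> str:
    """OpenLDAP-style {SHA} userPassword: base64 of the SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def is_one_way_hash(stored: str) -> bool:
    """{SHA} values are 20-byte SHA-1 digests; the cleartext is not recoverable."""
    return stored.startswith("{SHA}") and len(base64.b64decode(stored[5:])) == 20


def verify_pap(stored: str, candidate: str) -> bool:
    """PAP delivers the cleartext (User-Password), so a {SHA} store can be
    checked by hashing the candidate the same way. This is rlm_pap's path."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(ldap_sha(candidate), stored)
    return hmac.compare_digest(stored, candidate)  # cleartext store


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Client side of RFC 1994 CHAP: MD5(identifier || password || challenge).
    Over RADIUS the challenge is CHAP-Challenge or the Request Authenticator."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP. The server must rerun the MD5 with the cleartext;
    a one-way {SHA} value cannot stand in for it, which is exactly why both
    rlm_pap and rlm_ldap answer 'invalid' when handed CHAP-Password plus a hash."""
    if stored.startswith("{"):
        raise ValueError("CHAP needs the cleartext password; a hashed store cannot be used")
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)
```

MS-CHAPv2, which PEAP wraps, has the same dependency but can also be verified from NT-Password (MD4 of the UTF-16LE password), so that is the one "encrypted" form that keeps PEAP working; a {SHA} or crypt() value in the database breaks it, as Alan states.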
[Fwd: IP Pool management]
-------- Original Message --------
Subject: IP Pool management
From: [EMAIL PROTECTED]
Date: Fri, July 21, 2006 10:16 am
To: freeradius-users@lists.freeradius.org

Hi,

I am new to radius. I want to understand the functionality of IP Pool management and 802.1x, meaning EAP, EAP-MD5, LEAP. How can I customize the same using FreeRADIUS?

Thanks to all
Darshak