Re: FREERADIUS + MYSQL +DHCP3

2006-12-13 Thread A . L . M . Buxey
Hi,

   There are already small DHCP servers (dnsmasq, udhcp), but there is no
 supported open source server that can do leases from a DB, and no open
 source server that scales to 10M records.

Sauron?  http://sauron.jyu.fi/

   The questions on the ISC DHCP list aren't too bad. :)

I'm awaiting their new versions patiently ;-)

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE : MySQL: don't logging to radacct

2006-12-13 Thread A . L . M . Buxey
Hi,

 [EMAIL PROTECTED] /tmp]# cat radius.teste | radclient 127.0.0.1 auth teste
 Received response ID 198, code 2, length = 20
 [EMAIL PROTECTED] /tmp]# cat radius.teste | radclient 127.0.0.1 acct teste
 radclient: no response from server for ID 204

are you firewalling port 1813 UDP?  accounting is done on that port
by default.

open up a couple more shell windows, run freeradius in full debugging
mode (radiusd -X) and run tcpdump in the other.. eg 'tcpdump -eqntl -i eth0'
(or 'tcpdump -eqntl -i eth0 not port 22'  if you are SSH'd to the box! ;-)
and then run your radclient stuff again.

simple, solid debugging.

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
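Added example, not from the list or from FreeRADIUS: the difference between the two radclient runs above is worth seeing at the packet level. An Accounting-Request carries no password, but its Request Authenticator is an MD5 over the packet plus the shared secret (RFC 2866 section 3), and a server whose check of that value fails drops the packet instead of answering, so a wrong secret in clients.conf looks exactly like a firewalled port 1813: a timeout, never a reject. The Python below computes the Accounting-Request and Accounting-Response authenticators, plays both sides in memory, and reproduces the "no response" case. The attribute values, the identifier 204 and the secret "teste" are constructed sample data; nothing is sent on the wire.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# RADIUS attribute types used below (RFC 2865 / RFC 2866)
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
ACCT_START = 1


def encode_attrs(attrs):
    """attrs: iterable of (type, value bytes) -> concatenated AVPs (Type, Length, Value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_acct_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866 section 3: Request Authenticator =
    # MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest()
    return hdr + auth + body


def verify_acct_request(pkt, secret):
    """What the server checks before it looks at the request at all."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def build_acct_response(request, secret, attrs=()):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(body))
    # Response Authenticator =
    # MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)
    auth = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    return hdr + auth + body


def verify_response(request, response, secret):
    """What radclient does with a reply: same Identifier, valid Response Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(client_secret, server_secret, ident=204):
    """Simulate one Accounting-Start round trip in memory.
    Returns (server_replied, client_accepted_reply)."""
    attrs = [
        (USER_NAME, b"teste"),                              # constructed sample values
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (ACCT_SESSION_ID, b"0000000001"),
    ]
    req = build_acct_request(ident, attrs, client_secret)
    if not verify_acct_request(req, server_secret):
        # A server that verifies the accounting signature discards the packet
        # without replying; the client only ever sees a timeout.
        return (False, False)
    resp = build_acct_response(req, server_secret)
    return (True, verify_response(req, resp, client_secret))


if __name__ == "__main__":
    print("matching secrets:", exchange(b"teste", b"teste"))
    print("wrong secret:    ", exchange(b"teste", b"wrong"))
```

When tcpdump shows the Accounting-Request arriving and nothing leaving, compare the secret in clients.conf with the one given to radclient before chasing the firewall; the `radiusd -X` output names the dropped packet either way.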


Re: rlm_perl - Debian sarge

2006-12-13 Thread Graeme Hinchliffe


On 12 Dec 2006, at 16:01, Jonathan De Graeve wrote:


Hi,
I have written a module for use with freeRADIUS which seems to

work

fine and dandy on my desktop Fedora box.  However when I drop this
module and config on one of the production (and now test) Debian
Sarge boxes running the same initial config with same version of
freeRADIUS I get :

/usr/sbin/freeradius: relocation error: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: Perl_Gthr_key_ptr

and freeRADIUS obviously refuses to start.



I solved it by starting freeradius (and changing the startup scripts)
using

LD_PRELOAD=/usr/lib/libperl.so freeradius $freeradiusargs


You sir.. are a STAR!

I have been pulling what little hair I have out for a few days now..  
thank you VERY VERY much ..


/me is a happy camper. :)

Graeme
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Hector.Ortiz
Hi, I've followed Phil's advice and ran

netsh ras set tracing * enable

on the windows client. I tried first one automatic login and then a manual one. 
The CHAP log generated by Windows is as follows:


[356] 12-11 13:11:49:953: RasEapGetIdentity
[356] 12-11 13:11:49:953: ReadUserData
[356] 12-11 13:11:49:953: ReadConnectionData
[2052] 12-11 13:11:50:864: EapChapBeginMSChapV2
[2052] 12-11 13:11:50:864: ReadUserData
[2052] 12-11 13:11:50:864: ReadConnectionData
[2052] 12-11 13:11:50:864: EapChapBeginCommon
[2052] 12-11 13:11:50:864: ChapBegin(fS=0,bA=0x81)
[2052] 12-11 13:11:50:864: ChapBegin done.
[2052] 12-11 13:11:50:864: ChapMakeMessage,RBuf=
[2052] 12-11 13:11:50:864: ChapCMakeMessage...
[2052] 12-11 13:11:50:864: CS_Initial
[2052] 12-11 13:11:50:864: EapMSChapv2MakeMessage
[2052] 12-11 13:11:50:864: EapMSChapv2CMakeMessage
[2052] 12-11 13:11:50:864: EMV2_Initial
[2052] 12-11 13:11:50:864: ChapMakeMessage,RBuf=10163023
[2052] 12-11 13:11:50:864: ChapCMakeMessage...
[2052] 12-11 13:11:50:864: CS_WaitForChallenge
[2052] 12-11 13:11:50:864: MakeResponseMessage...
[2052] 13:11:50:864: GetChallengeResponse
[2052] 13:11:50:864: RegisterLSA
[2052] 13:11:50:864: GetChallengeResponse Success
[2052] 13:11:50:864: GetChallengeResponse
[2052] 13:11:50:864: RegisterLSA
[2052] 13:11:50:864: GetChallengeResponse Success
[2052] 12-11 13:11:50:864: GetChallengeResponse=0
02 09 00 47 31 16 91 4A BB 0F C1 CF 81 D2 AD 9F |...G1..J|
C6 FD FD D8 18 00 00 00 00 00 00 00 00 88 DF 78 |...x|
8C 30 79 E0 53 C7 4C A6 19 5D EE 1A 00 8D 7C 2A |.0y.S.L..]|*|
C7 90 FF 88 36 00 44 4F 4D 41 49 4E 5C 54 45 53 |6.DOMAIN\TES|
54 55 53 45 52 00 00 00 00 00 00 00 00 00 00 00 |TUSER...|
[2052] 12-11 13:11:58:985: EapMSChapv2MakeMessage
[2052] 12-11 13:11:58:985: EapMSChapv2CMakeMessage
[2052] 12-11 13:11:58:985: EMV2_ResponseSend
[2052] 12-11 13:11:58:985: Got a Code Failure when expecting Response.  Failing 
Auth
[348] 12-11 13:12:22:314: EapMSChapv2End
[348] 12-11 13:12:22:314: ChapEnd
[2052] 12-11 13:12:39:816: RasEapGetIdentity
[2052] 12-11 13:12:39:816: ReadUserData
[2052] 12-11 13:12:39:816: ReadConnectionData
[3496] 12-11 13:12:39:966: EapChapBeginMSChapV2
[3496] 12-11 13:12:39:966: ReadUserData
[3496] 12-11 13:12:39:966: ReadConnectionData
[3496] 12-11 13:12:39:966: EapChapBeginCommon
[3496] 12-11 13:12:39:966: ChapBegin(fS=0,bA=0x81)
[3496] 12-11 13:12:39:966: ChapBegin done.
[3496] 12-11 13:12:39:966: ChapMakeMessage,RBuf=
[3496] 12-11 13:12:39:966: ChapCMakeMessage...
[3496] 12-11 13:12:39:966: CS_Initial
[3496] 12-11 13:12:39:966: EapMSChapv2MakeMessage
[3496] 12-11 13:12:39:966: EapMSChapv2CMakeMessage
[3496] 12-11 13:12:39:966: EMV2_Initial
[3496] 12-11 13:12:39:966: ChapMakeMessage,RBuf=10163023
[3496] 12-11 13:12:39:966: ChapCMakeMessage...
[3496] 12-11 13:12:39:966: CS_WaitForChallenge
[3496] 12-11 13:12:39:966: MakeResponseMessage...
[3496] 13:12:39:966: GetChallengeResponse
[3496] 13:12:39:966: GetDESChallengeResponse
[3496] 13:12:39:966: GetDESChallengeResponse Success
[3496] 13:12:39:966: GetMD5ChallengeResponse Success
[3496] 13:12:39:966: GetMD5ChallengeResponse Success
[3496] 13:12:39:966: GetChallengeResponse Success
[3496] 12-11 13:12:39:966: GetChallengeResponse=0
02 09 00 47 31 94 01 2F 4B 82 44 97 AE AC 27 F6 |...G1../K.D...'.|
0E 95 AD C5 69 00 00 00 00 00 00 00 00 7D B8 B6 |i}..|
08 24 86 E1 D0 C4 3B FA CC 43 FB FA 6E F5 5D 9F |.$;..C..n.].|
3E EE 9E A8 11 00 44 4F 4D 41 49 4E 5C 74 65 73 |.DOMAIN\tes|
74 75 73 65 72 00 00 00 00 00 00 00 00 00 00 00 |tuser...|
[3496] 12-11 13:12:40:176: EapMSChapv2MakeMessage
[3496] 12-11 13:12:40:176: EapMSChapv2CMakeMessage
[3496] 12-11 13:12:40:176: EMV2_ResponseSend
[3496] 12-11 13:12:40:176: ChapMakeMessage,RBuf=10163023
[3496] 12-11 13:12:40:176: ChapCMakeMessage...
[3496] 12-11 13:12:40:176: CS_ResponseSent
[3496] 12-11 13:12:40:176: Message received...
03 09 00 2E 53 3D 30 36 42 39 38 32 31 34 43 38 |S=06B98214C8|
43 36 30 44 43 37 42 37 32 38 34 44 34 34 41 41 |C60DC7B7284D44AA|
39 43 46 38 35 44 38 34 30 37 36 38 34 44 00 00 |9CF85D8407684D..|
[3496] 12-11 13:12:40:176: Done :)
[3496] 12-11 13:12:40:176: GetClientMPPEKeys
[3496] 12-11 13:12:40:186: EapMSChapv2MakeMessage
[3496] 12-11 13:12:40:186: EapMSChapv2CMakeMessage
[3496] 12-11 13:12:40:186: EMV2_CHAPAuthSuccess
[3496] 12-11 13:12:40:186: AllocateUserDataWithEncPwd
[3496] 12-11 13:12:40:237: EapMSChapv2End
[3496] 12-11 13:12:40:237: ChapEnd

Windows sends both domain and username, but only the manual login succeeds.

For the manual login, Windows uses DES and MD5 but for the automatic one uses 
Local Security Authority, but I don't think this has something to do with my 
problem, does it?

I've also tried other things on the client side:

Cleaned cached user credentials from regedit, just in case, but the result is 
the same. 
I've tried using different computers and the result is the same. 
Using a different supplicant 

Re: AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Phil Mayers

[EMAIL PROTECTED] wrote:


on the windows client. I tried first one automatic login and then a
manual one. The CHAP log generated by Windows is as follows:


Hmph. That wasn't as useful as I'd hoped (the PPP logs are much better)



Windows sends both domain and username, but only the manual login
succeeds.

For the manual login, Windows uses DES and MD5 but for the automatic
one uses Local Security Authority, but I don't think this has
something to do with my problem, does it?


Not really - the automatic login calls out to the LSA to get the 
logged-in creds. The manual login does a portion of that locally.




I've also tried other things on the client side:

Cleaned cached user credentials from regedit, just in case, but the
result is the same. I've tried using different computers and the
result is the same. Using a different supplicant (SecureW2) seemed to
work, but not using PEAP. I selected EAP-MSCHAP v2 and both automatic
and manual logins worked on my computer through SW2. Then I tried it
on another computer, and didn't work. Different accounts and the
result is the same.

I haven't tried yet bumping the debugging level in Samba. I was just
trying on the client side, but unfortunately nothing succeeded :(

Well, now I have to try things on the server side.


I doubt there's anything in the Radius server that'll help at this point.

Only two things I can think of:

 1. Does your password have odd (non-ascii) characters in it? That 
should NOT matter for MS-CHAP since it's explicitly unicode aware


 2. Does the domain you are in have particular tight security policies 
that might be preventing the LSA from successfully completing an MS-CHAP 
but would allow the manual code to work?


Both are extremely unlikely.

Sorry I can't be more help
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Josh Howlett
   1. Does your password have odd (non-ascii) characters in it? That 
 should NOT matter for MS-CHAP since it's explicitly unicode aware

MS-CHAP is unicode aware, but FreeRADIUS' implementation is not. It
definitely borks on non-ASCII characters in passwords. (I submitted a
patch some time ago to fix this, check the archives).

(I've not been following this thread, so I don't know if pertinent or
not.)

Josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: !!! Assertion failed in listen.c, line 621 !!!

2006-12-13 Thread Guilherme Franco

So, that was it!

It works now, thanks.

Back to the threads again :)

On 12/12/06, Guilherme Franco [EMAIL PROTECTED] wrote:


Thanks a lot!

I'm going to test it right now!


On 12/12/06, Alan DeKok [EMAIL PROTECTED] wrote:

 Peter Nixon wrote:

  Running CVS HEAD in single threaded mode works around the problem for
 the time
  being...

 Ugh. After staring at the code a little more, the bug is in threads.c,
 where it was passing 'request->proxysecret' rather than 'request' to the
 'listener->send' function.

 It should be fixed now.

 Alan DeKok.
 --
 http://deployingradius.com   - The web site of the book
 http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FREERADIUS + MYSQL +DHCP3

2006-12-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:

   There are already small DHCP servers (dnsmasq, udhcp), but there is no
 supported open source server that can do leases from a DB, and no open
 source server that scales to 10M records.
 
 Sauron?  http://sauron.jyu.fi/

  It's a front end, not a server.  Try adding 10M records to SQL: not a
problem.  Try adding 10M records to ISC DHCPD: 10m startup time with an
*empty* leases file.

  Sauron would be a fair bit easier if the DNS/DHCP protocol servers
would read/write to SQL natively.  Plus, the data in the GUI would be
live, rather than stale.

  See a post to the sauron list describing this exact problem:
http://lists.jyu.fi/pipermail/sauron-users/2006/000252.html

   The questions on the ISC DHCP list aren't too bad. :)
 
 I'm awaiting their new versions patiently ;-)

  3.1, in which the failover protocol is incompatible with 3.0?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius-Users Digest, Vol 20, Issue 46

2006-12-13 Thread Walt Reynolds

Date: Wed, 13 Dec 2006 08:05:32 +
From: B Thompson [EMAIL PROTECTED]
Subject: Re: Huntgroups, Users and Proxy
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org

On Tue, Dec 12, 2006 at 04:23:43PM -0500, Walt Reynolds wrote:
I am going in circles here and not getting anywhere.  I will try to 
describe what I want to do starting with huntgroups.


huntgroup:
All NAS-IP-Address == 10.213.226.1
All NAS-IP-Address == 10.213.226.2
All NAS-IP-Address == 10.213.226.3
All NAS-IP-Address == 192.168.224.5
All NAS-IP-Address == 192.168.224.36
All NAS-IP-Address == 172.213.226.46

Bldg1   NAS-IP-Address == 10.213.226.1
Bldg1   NAS-IP-Address == 10.213.226.2
Bldg1   NAS-IP-Address == 10.213.226.3
Bldg1   NAS-IP-Address == 192.168.224.5
Bldg1   NAS-IP-Address == 192.168.224.36

Bldg2   NAS-IP-Address == 172.213.226.46


You can't have the same IP address in more than one huntgroup - See bug
#233.

 http://bugs.freeradius.org/show_bug.cgi?id=233

The solution is to use rlm_passwd instead.


Ok, Thanks for that info.  Now let's say I put each NAS in one huntgroup 
(I added the extra groups for possibilities.)

So let's say I have the following:

UnitA   NAS-IP-Address == 10.213.226.1
UnitA   NAS-IP-Address == 10.213.226.2
UnitA   NAS-IP-Address == 10.213.226.3

UnitB   NAS-IP-Address == 192.168.224.5

UnitAB  NAS-IP-Address == 172.213.226.46

TypeVPN NAS-IP-Address == 192.168.224.5

TypeGW  NAS-IP-Address == 192.168.224.36

So this sets each NAS into a single group.  The rest of my question I am 
still confused about.

UnitA Authenticate with [EMAIL PROTECTED]
or
Authenticate with Null Realm
or
Authenticate [EMAIL PROTECTED]
But NOT
[EMAIL PROTECTED]
UnitB Authenticate with [EMAIL PROTECTED]
or
Authenticate with Null Realm
or
Authenticate [EMAIL PROTECTED]
but NOT
[EMAIL PROTECTED]
UnitAB Authenticate with [EMAIL PROTECTED]
 or
 Authenticate with [EMAIL PROTECTED]
 or
[EMAIL PROTECTED]
or
Null realm
TypeVPN Authenticate ONLY with Null Realm
TypeGW authenticate with Null realm or generic.edu

So would I add the following to the users file: (Not sure about UnitAB 
and TypeVPN with Fall-Through = No.  I think the rest is right though)


DEFAULT Huntgroup-Name == UnitAB, User-Name =~ [EMAIL PROTECTED], Proxy-To-Realm := unita.generic.edu
        Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitAB, User-Name =~ [EMAIL PROTECTED], Proxy-To-Realm := unitb.generic.edu
        Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitA, Proxy-To-Realm := unita.generic.edu
        Fall-Through = Yes
DEFAULT Huntgroup-Name == UnitB, Proxy-To-Realm := unitb.generic.edu
        Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeGW, Proxy-To-Realm := generic.edu
        Fall-Through = Yes
DEFAULT Huntgroup-Name == TypeVPN, Proxy-To-Realm := NULL
        Fall-Through = No

Then in the proxy.conf

proxy server {
        synchronous = no
        retry_delay = 5
        retry_count = 3
        dead_time = 120
        default_fallback = yes
        post_proxy_authorize = yes
}

realm unita.generic.edu {
        type     = radius
        authhost = radius.unita.generic.edu:1812
        accthost = radius.unita.generic.edu:1813
        nostrip
}
realm unitb.generic.edu {
        type     = radius
        authhost = radius.unita.generic.edu:1812
        accthost = radius.unita.generic.edu:1813
        nostrip
}

realm generic.edu {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
}
realm NULL {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}

realm DEFAULT {
        type     = radius
        authhost = radius.highered.edu:1812
        accthost = radius.highered.edu:1812
        secret   = 
        nostrip
}


Thanks.  There are so many things out there that I got a little lost.  I 
guess that is a problem with so many options and ways to do things.







--
   Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Which Variable name for sql result

2006-12-13 Thread Santiago Balaguer García
The query which appears in sql.conf returns a set of records. This query 
behaves like the radreply attributes, i.e. the query corresponds to the 
attributes of a username.
 
Look in a manual for the attributes of a username.



 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Date: Tue, 12 Dec 2006 12:47:27 +1030
 Subject: Which Variable name for sql result

 Hi

 When radgroupcheck does its query, what variable name does it store
 its results in? The default sql (ie authorize_group_check_query) should be
 returning the GroupName, but I cannot seem to access it.

 Also, in doc/rlm_sql point 3c refers to the 'read_groups' directive. I'm assuming a
 couple of things here. (a) That this is set in sql.conf (b) By default its
 set to yes.

 Thanks.

 Cheers,

 Stavros Patiniotis
 EscapeNet ~ 08 8292 5200
_
Consigue el nuevo Windows Live Messenger
http://get.live.com/messenger/overview- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Multiple entries for a realm

2006-12-13 Thread Santiago Balaguer García
Hi people,
 
  I do roaming with other companies successfully. My roaming partner has two 
RADIUS servers, so in proxy.conf I have two entries for the realm weroam/. 
However, only the first entry works: if I change the IP to an incorrect 
one (the fallback case), freeradius does not redirect to the second entry. 
  The option ldflag is ignored. 
 
  My question is: what is the point of having several entries for the same 
domain?
_
Busca desde cualquier página Web con una protección excepcional. Consigue la 
Barra de herramientas de Windows Live hoy mismo y GRATUITAMENTE.
http://www.toolbar.live.com- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multiple entries for a realm

2006-12-13 Thread A . L . M . Buxey
Hi,
 Hi people,
  
   I do roaming with other companies successfully. My roaming partner has two 
 RADIUS servers, so in the proxy.conf I have two entries for the realm 
 weroam/. 
 However, only the first entry works because if I change the IP for a 
 incorrect one (case of fallback), freeradius does not  redirect to the second 
 entry. 
   The option ldflag is ignored. 

which ldflag option did you use? failover, roundrobin?

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Huntgroups, Users and Proxy

2006-12-13 Thread Walt Reynolds




Sorry for the resend, but wanted the same subject for threading




--
   Walter Reynolds
   Principle Systems Security Development Engineer
   Information Technology Central Services
   University of Michigan
   (734)615-9438

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Advice on poptop - freeradius - ldap

2006-12-13 Thread Dirk Enrique Seiffert
Thanks Alan,

my configuration works now. As always (in radius), just a few
changes to the default config did it:

 Dirk Enrique Seiffert wrote:

 I set ldap in authorize {} and authenticate {}. In users I added

 DEFAULT Auth-Type := LDAP
Fall-Through = 1

   Why?  That's not necessary.

OK, I went back to the default user file.


 When i try to connect from an pptp client my logs show:

 Tue Dec 12 19:07:31 2006 : Debug: rlm_ldap: Added password
 {md5}rcBovg3Uck47CSFRhqdtdQ== in check items

   1.1.3 doesn't really support that.

 Tue Dec 12 19:07:31 2006 : Debug: rlm_ldap: looking for check items in
 directory...
 Tue Dec 12 19:07:31 2006 : Debug: rlm_ldap: Adding sambaNTPassword as
 CHAP-Password, value 80B328568267E5A48ACD43F6F67DAD2F  op=21

   Huh?  It looks like you edited the ldap.attrmap file.  Why?

I am not using the default radius schema but a custom one. I don't want to
receive radius attributes from LDAP but check users. These are the changes
I made in ldap.attrmap to fit my LDAP schema:

checkItem   LM-Password sambaLMPassword
checkItem   NT-Password sambaNTPassword


Now it works like a charm, thanks again!



-- 
Dirk Enrique Seiffert - Lintec S.A.
Ed. Torre del Reloj - Of. 401
Plaza de los Coches, Centro
Cartagena - Colombia
http://www.lintecsa.com



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Help configuring freeradius to handle a cisco aeronet 1200 with peap and mschap2

2006-12-13 Thread Joseph Silverman

I upgraded my radius server

from: radiusd: FreeRADIUS Version 1.0.4, for host , built on Aug 30  
2005 at 20:59:48
to: radiusd: FreeRADIUS Version 1.1.2, for host , built on Sep  4  
2006 at 19:15:42


in order to allow plain-text passwords to correctly work from a wifi  
client connecting to a cisco aeronet 1200 server which then connects  
to a radius server which uses a ldap database as the user database.   
The ldap server has sha1 and crypt passwords, generally, though it  
might have others I suppose..


Till the upgrade, I had to include the already encrypted password  
(with leading {crypt} or {ssha}) as the password on the client.
Meaning, for one, that whenever a user changed their password through  
some means or another, they have to get ahold of the encrypted  
version of their password from the LDAP database and use that for  
their wireless connections.  Unpleasant.


 I read about auto_header and it implied that by upgrading, I could  
get the whole thing to use unencrypted passwords (which would be  
generally simpler for our users) instead.  This failed to work.   
Something mis-configured, or possibly not doable?!


Here is a dump of radiusd -X with the new server.  Can anyone out  
there point out what I might be doing wrong?


[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radius
main: group = radius
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = radiusd
Module: Instantiated pam (pam)
Module: Loaded LDAP
ldap: server = ldapsvr.laszlosystems.com
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = cn=Manager,dc=laszlosystems,dc=com
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password = BLABLABLA
ldap: basedn = ou=Users,dc=laszlosystems,dc=com
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = userPassword
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap

rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped 

Re: Help configuring freeradius to handle a cisco aeronet 1200 with peap and mschap2

2006-12-13 Thread Alan DeKok
Joseph Silverman wrote:
 in order to allow plain-text passwords to correctly work from a wifi
 client

  The debug log you posted shows the clients doing PEAP.  There are NO
plaintext passwords in PEAP.  The server MUST have access to either the
plaintext password, or the NT hash form, for PEAP to work.

 Till the upgrade, I had to include the already encrypted password (with
 leading {crypt} or {ssha}) as the password on the client.   Meaning, for
 one, that whenever a user changed their password through some means or
 another, they have to get ahold of the encrypted version of their
 password from the LDAP database and use that for their wireless
 connections.  Unpleasant.

  And the only way to get PEAP to work.  See:

http://deployingradius.com/documents/protocols/compatibility.html

  I read about auto_header and it implied that by upgrading, I could get
 the whole thing to use unecrypted passwords (which would be generally
 simpler for our users) instead.  This failed to work.  Something
 mis-configured, or possibly not doable?!

  It's impossible.  See the above web page.

 Sending Access-Challenge of id 39 to 192.168.43.106 port 1645
 EAP-Message = 0x010600061900
 Message-Authenticator = 0x
 State = 0x7c82b915bfc84d169d053dc47c2c3aa6
 Finished request 4
 Going to the next request
 Waking up in 5 seconds...

  And this is in the FAQ: PEAP doesn't work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
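Added example, not from the list or from FreeRADIUS: Josh Howlett's remark earlier in this digest that MS-CHAP is unicode aware while a byte-oriented implementation is not, and Alan DeKok's point above that PEAP needs the cleartext password or its NT-hash form, both come down to how the NT hash is defined: MD4 over the password encoded as UTF-16LE. The Python below implements MD4 in pure Python (hashlib's md4 is not present on every OpenSSL build), derives the NT hash, and contrasts it with what a naive implementation that simply widens each UTF-8 byte to a 16-bit code unit would produce. That naive variant is my assumption about what "not unicode aware" looks like, not a description of FreeRADIUS's code. The stored-password check at the end is likewise illustrative: the {clear}, {cleartext} and {nt} header names are assumed to follow rlm_pap's auto_header conventions, and the point it makes is that a {crypt} or {SSHA} digest is one-way and cannot be turned into an NT hash, which is why those LDAP entries cannot serve PEAP with an MS-CHAPv2 inner method.

```python
import struct

_M = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def _md4_block(state, block):
    """One 64-byte MD4 compression step (RFC 1320), little-endian words."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        # (boolean function, additive constant, message-word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for fn, k_add, order, shifts in rounds:
        for i, k in enumerate(order):
            s = shifts[i % 4]
            if i % 4 == 0:
                a = _rol((a + fn(b, c, d) + X[k] + k_add) & _M, s)
            elif i % 4 == 1:
                d = _rol((d + fn(a, b, c) + X[k] + k_add) & _M, s)
            elif i % 4 == 2:
                c = _rol((c + fn(d, a, b) + X[k] + k_add) & _M, s)
            else:
                b = _rol((b + fn(c, d, a) + X[k] + k_add) & _M, s)
    return [(s0 + s1) & _M for s0, s1 in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    msg = bytearray(data)
    msg += b"\x80"                                       # padding: 1 bit, zeros, 64-bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash that MS-CHAPv2 (PEAP's usual inner method) is computed from:
    MD4 over the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def naive_nt_hash(password: str) -> bytes:
    """Assumed 'not unicode aware' variant: take the UTF-8 bytes of the password
    and widen each byte to a 16-bit unit. Equal to nt_hash() for ASCII only."""
    return md4(b"".join(bytes((ch, 0)) for ch in password.encode("utf-8")))


CLEARTEXT_HEADERS = ("{clear}", "{cleartext}")   # assumed to match rlm_pap's auto_header names


def nt_hash_available(stored: str):
    """Can a stored password serve MS-CHAPv2? Returns the NT hash, or None when the
    stored form is a one-way digest ({crypt}, {ssha}, {md5}, ...) that cannot be converted."""
    lower = stored.lower()
    for h in CLEARTEXT_HEADERS:
        if lower.startswith(h):
            return nt_hash(stored[len(h):])
    if lower.startswith("{nt}"):                     # pre-computed NT hash, e.g. from sambaNTPassword
        return bytes.fromhex(stored[4:])
    if lower.startswith("{"):
        return None
    return nt_hash(stored)                           # bare value: treated as cleartext
```

Treat the NT hash as password-equivalent: anyone holding it can complete MS-CHAPv2 without knowing the password, so an LDAP attribute such as sambaNTPassword needs the same access controls as a cleartext password, and pasting one into a mailing list post (as the rlm_ldap debug line earlier in this digest does) discloses the account.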


RE: help

2006-12-13 Thread John Wan
Hi Alan,

Many thanks for the information.

I have experienced the following issues after following the instructions
on your web page:
 
1.) [EMAIL PROTECTED] ~]# net join -U Administrator
Administrator's password:
[2006/12/12 12:39:38, 0] utils/net_ads.c:ads_startup(186)
 ads_connect: Invalid credentials
Joined domain MBUS.

2.) [EMAIL PROTECTED] ~]# wbinfo -a administrator%test
plaintext password authentication failed
Could not authenticate user administrator%test with plaintext
password
could not obtain winbind separator!
could not obtain winbind domain name!
challenge/response password authentication failed
Could not authenticate user administrator with
challenge/response

3.) Kerberos server has been installed but I could not start it.


 Would you please give me some hints how to start the Kerberos server
and how to solve the issue of 
 ads_connect: Invalid credentials.

Many thanks agin and much appreciated.

Regards

John

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: Friday, 8 December 2006 1:21 PM
To: FreeRadius users mailing list
Subject: Re: help

John Wan wrote:

 But I would like to use the Windows 2k3 AD to authenticate the 
 username and password instead of using the user name and password from

 the file /etc/raddb/users or in mysql.

  See the Wiki & my web site for instructions on using Active Directory.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Proxy-State problem

2006-12-13 Thread Cory Robson


freeradius 1.1.3-1.1, built from the latest rpm for Fedora 6.

Commindico/Soul NAS List

Authentication packets are received and the radius daemon passes an auth ok
but doesn't return the proxy-state packet correctly, as a result the user is
not authorized. All that is passed seems to be a hex dump and not the same
as what is received.

I obviously must have missed something in the config files so I'm hoping
someone here might be able to point me in the right direction.

Cory

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
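Added example, not from the list or from FreeRADIUS, and not a diagnosis of the poster's setup: what a NAS or proxy expects of a reply is fixed by RFC 2865. The reply must carry the request's Identifier, a Response Authenticator computed over the reply and the request's authenticator with the shared secret, and (section 5.33) every Proxy-State attribute from the request copied back unmodified and in the same order. The Python below builds a constructed Access-Request carrying two Proxy-State values, then checks two replies against it: one correct, and one that returns a hex-string rendering of the first value, the kind of mismatch described above. The secret, the attribute values and the fixed request authenticator are all made up for the demo.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, PROXY_STATE = 1, 33


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS AVPs; raises ValueError on a bad length so a truncated or
    malformed reply is never trusted."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, bytes(data[i + 2:i + ln])))
        i += ln
    return attrs


def build_access_request(ident, attrs, authenticator):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    # The Request Authenticator of an Access-Request is a random 16-byte value.
    return hdr + authenticator + body


def build_reply(code, request, attrs, secret):
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    auth = hashlib.md5(hdr + request[4:20] + body + secret).digest()
    return hdr + auth + body


def check_reply(request, reply, secret):
    """Return which of the three RFC 2865 expectations the reply satisfies."""
    result = {"identifier": False, "authenticator": False, "proxy_state": False}
    if len(reply) < 20:
        return result
    result["identifier"] = reply[1] == request[1]
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return result
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    result["authenticator"] = hmac.compare_digest(expected, reply[4:20])
    try:
        sent = [v for t, v in decode_attrs(request[20:]) if t == PROXY_STATE]
        got = [v for t, v in decode_attrs(reply[20:]) if t == PROXY_STATE]
    except ValueError:
        return result
    # Same values, same order, nothing re-encoded: the proxy only needs them back verbatim.
    result["proxy_state"] = sent == got
    return result


def demo(secret=b"testing123"):
    """Constructed exchange: one correct reply and one that hex-encodes a Proxy-State value."""
    ps = [b"\x00\x00\x00\x01\x00\x12", b"proxy-2"]
    req = build_access_request(
        39, [(USER_NAME, b"teste"), (PROXY_STATE, ps[0]), (PROXY_STATE, ps[1])],
        bytes(range(16)))        # fixed 'random' authenticator so the demo is reproducible
    good = build_reply(ACCESS_ACCEPT, req,
                       [(PROXY_STATE, ps[0]), (PROXY_STATE, ps[1])], secret)
    mangled = build_reply(ACCESS_ACCEPT, req,
                          [(PROXY_STATE, ps[0].hex().encode()), (PROXY_STATE, ps[1])], secret)
    return check_reply(req, good, secret), check_reply(req, mangled, secret)


if __name__ == "__main__":
    ok, bad = demo()
    print("correct reply:", ok)
    print("mangled reply:", bad)
```

Run the same check against the request and reply taken from a tcpdump capture: a valid authenticator with a failing Proxy-State comparison points at the server's attribute handling (or a dictionary that treats attribute 33 as a string), while a failing authenticator points at the shared secret.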

Re: help

2006-12-13 Thread Alan DeKok
John Wan wrote:

  Would you please give me some hints how to start the Kerberos server
 and how to solve the issue of 
  ads_connect: Invalid credentials.

  Unfortunately, I'm not a kerberos or Samba expert.  I know just enough
to follow the script.  If it doesn't work, I suggest asking on the Samba
/ kerberos lists.

  i.e. the people who wrote the software are the ones most likely to be
able to help you.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html