Re: how to logout user

2007-08-20 Thread Alan DeKok
Alex French wrote:
> It can, but it doesn't. Not freeradius.

  FreeRADIUS can run radclient.  At that point, it's irrelevant whether
or not the code is "internal" to FreeRADIUS.  You can make disconnect
messages part of your FreeRADIUS policy: that's the only important thing.

> Look, we can go back and forth on this, but the poor guy wants to know
> how to log people off his APs. The short answer is,

  You don't.  Most cheap AP's have near-zero functionality.

> 1) The Freeradius server will not do this for you

  You have to write maybe 10 lines of configuration to get this done.

> 2) It is unlikely that your AP will allow you to do this through
> radius *at all*. The majority of access points allow you to log people
> off only using proprietary methods, or maybe through  SNMP if you're
> lucky. So this list is not going to provide the answer, unfortunately.

  The more expensive AP's will often let you do this.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: strange crash with freeradius 1.1.2 on startup

2007-08-20 Thread Alan DeKok
Guillaume Rousse wrote:
>>   2007.1?  What's that?
> mandriva 2007.1, the only version where the problem occurs. Both
> mandriva 2007.0 (previous mandriva version) and cooker (development
> version) are OK.

  Then file a bug with Mandriva.  Their package is broken.

  When anyone else uses 1.1.7 on any other platform, it works.

  Alan DeKok.


Re: session updates

2007-08-20 Thread Alan DeKok
Fred Zinsli wrote:
> Freeradius starts up properly without errors and the user can logon and 
> logout as expected.  However, when the screen is presented to the user 
> showing the current session details, nothing is updated as expected, 
> only the clock cycles over.

  What screen are you talking about?

  Alan DeKok.


Re: strange crash with freeradius 1.1.2 on startup

2007-08-20 Thread Guillaume Rousse
Alan DeKok wrote:
> Guillaume Rousse wrote:
>>>   2007.1?  What's that?
>> mandriva 2007.1, the only version where the problem occurs. Both
>> mandriva 2007.0 (previous mandriva version) and cooker (development
>> version) are OK.
> 
>   Then file a bug with Mandriva.  Their package is broken.
Maybe you should read my original message again: the bug report is
already open, and I'm the guy trying to fix it...
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: FreeRADIUS question

2007-08-20 Thread Peter Nixon
On Sun 19 Aug 2007, Douglas Lane wrote:
> On 8/19/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > On Sun 19 Aug 2007, Douglas Lane wrote:
> > > Hi All,
> > >
> > > I have a little project for a small ISP that I would like to execute,
> > > however, am just wondering about the infrastructure.
> > >
> > > Currently, the core radius server is hosted in a secure datacenter
> > > that has ample bandwidth available.
> > >
> > > Now the issue I have is the "cells" where the Cisco Concentrators are
> > > have slow links to the core radius server (these would be around 64 -
> > > 512kb). Now I know that radius packets are small, however, the other
> > > issue is these links will be used for internet access as well.
> > > Currently each router controlling the cell links has a VPN link over
> > > the internet to the core radius server.
> > >
> > > Now steps have been taken to enable QoS on these links so the VPN
> > > traffic gets highest priority, however, what I wanna ask is the following:
> > >
> > > I'd like to "cache" the usernames and password (effectively radcheck
> > > and radgroupcheck) on each cell network (each cell has a local RADIUS
> > > server that proxies the realm to the core radius server). This way,
> > > avoiding the possibility that the link may be too slow to auth the user
> > > and hence cause a timeout, as well as in case the VPN link itself is down.
> > >
> > > The other question I'd like to get your opinion on is I'd like to have
> > > accounting local to the cell's RADIUS server (for lookups from the
> > > Cisco), but also have a way to replicate the accounting data to the
> > > core-radius server.
> > >
> > > I've looked at using MySQL replication, but I feel it's not sufficient
> > > for my requirements. Perhaps I'm wrong?
> > >
> > > Obviously, for this particular situation, I'd like to only "cache" the
> > > radcheck and radgroupcheck information for valid accounts in that
> > > cell. I don't really want to have every cell's users part of the
> > > other cell's. Obviously the idea is if the local RADIUS can't auth the
> > > user on itself, it must peer to the next available RADIUS server (core
> > > radius).
> > >
> > > Hope I've been as descriptive as possible.
> > >
> > > I appreciate the help.
> >
> > Use an LDAP backend for authentication and just replicate the parts of
> > the tree you need to each remote POP. Use radrelay (or even direct
> > proxying) to push your accounting records back to your central radius..
> >
> > --
> >
> > Peter Nixon
> > http://peternixon.net/
>
> Hi Peter,
>
> Thanks for the reply. Already started setting up my LDAP directory here.
>
> I just wanted to confirm something:
>
> I can use rlm_ldap for authentication and authorization and the rlm_sql
> for accounting? (need simultaneous support here).

Sure. You can even have multiple LDAP and SQL servers used for AuthX and 
multiple SQL servers used for Acct if you wish.

> Also when it comes to "peering" the authentication, I'd imagine I'd define
> a pool of ldap servers, the first being my local radius for the POP, then
> the next ldap in the hierarchy?

If you wish. LDAP also has the capability to refer to other LDAP servers in a
hierarchy. Or you could proxy the radius request to a parent RADIUS server if
the local one can't service it. Depends on how you prefer to solve the
problem.

> Also, last question I have is, my users will have at times multiple
> services available to them (like Shaped/Unshaped ADSL and Hotspot access).
> In this case, would I have to add multiple users to the organizationalUnit
> controlling my POP, with different reply messages if the auth is accepted?
>
> Or could I have a single entry for my user, say [EMAIL PROTECTED] and
> under neath that, have multiple services assigned with the correct reply
> messages show auth succeed? I'd imagine in this case i would have a
> multiple entries of the same username and password as the parent uid
> entry, however, with different reply messages?

You can selectively return attributes from both ldap and sql as you can
modify the query. That's why we don't hard code queries :-)

> Thanks again for the help

You're welcome

-- 

Peter Nixon
http://peternixon.net/


Re: session updates

2007-08-20 Thread Fred Zinsli
This is a wifi system, so we are using chillispot as a captive portal
with hotcakes as a manager.  Hence when an unauthorized user attempts to
use the network their requests are trapped and they have to logon via a
web client.  Once the user is logged on a small web page is left open so
the client can logout.  The small web window also shows information
about the current session, i.e. time online, data in/out and the like.
It is this information I am referring to.

I hope this is clear.

Regards

Fred


-Original Message-
From: Alan DeKok <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED],  FreeRadius users mailing list 

Date: Mon, 20 Aug 2007 03:35:58 -0400
Subject: Re: session updates

> Fred Zinsli wrote:
> > Freeradius starts up properly without errors and the user can logon and
> > logout as expected.  However, when the screen is presented to the user
> > showing the current session details, nothing is updated as expected,
> > only the clock cycles over.
> 
>   What screen are you talking about?
> 
>   Alan DeKok.




Re: strange crash with freeradius 1.1.2 on startup

2007-08-20 Thread Alan DeKok
Guillaume Rousse wrote:
>>   Then file a bug with Mandriva.  Their package is broken.
> Maybe you should read my original message again: the bug report is
> already open, and I'm the guy trying to fix it...

  Forgive me for getting large volumes of mail, and not remembering all
of the details of each and every one.

  In this case, try an install of 1.1.7 on a fresh machine.  It works
for every other distribution.

  Failing that, because 1.1.7 works on every other system, I have little
additional advice to offer.

  Alan DeKok.


Re: strange crash with freeradius 1.1.2 on startup

2007-08-20 Thread Guillaume Rousse
Alan DeKok wrote:
> Guillaume Rousse wrote:
>>>   Then file a bug with Mandriva.  Their package is broken.
>> Maybe you should read my original message again: the bug report is
>> already open, and I'm the guy trying to fix it...
> 
>   Forgive me for getting large volumes of mail, and not remembering all
> of the details of each and every one.
> 
>   In this case, try an install of 1.1.7 on a fresh machine.  It works
> for every other distribution.
A manual install works OK, I already know. This is likely to be a build
issue in the official package.

If that matters, the whole package, including patches and spec file, are
available from the:
http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/freeradius/current/

>   Failing that, because 1.1.7 works on every other system, I have little
> additional advice to offer.
Can you have a look at the traces I posted at
http://qa.mandriva.com/show_bug.cgi?id=32597, and try to guess why the
wrong build tries to open a socket immediately after forking, whereas the
correct build does setsid first, then opens its pid file?

Despite my initial guess, HAVE_SETSID is defined in both cases.

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Re: session updates

2007-08-20 Thread Alan DeKok
Fred Zinsli wrote:
> This is a wifi system, so we are using chillispot as a captive portal 
> with hotcakes as a manager.  Hence when an unauthorized user attempts to
> use the network their requests are trapped and they have to logon via a
> web client.  Once the user is logged on a small web page is left open so
> the client can logout.  The small web window also shows information
> about the current session, i.e. time online, data in/out and the like.
> It is this information I am referring to.

  FreeRADIUS doesn't include any such web GUI.  Please ask the authors
of that program why it's not working.

  Alan DeKok.


Re: strange crash with freeradius 1.1.2 on startup

2007-08-20 Thread Alan DeKok
Guillaume Rousse wrote:
> If that matters, the whole package, including patches and spec file, are
> available from the:
> http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/freeradius/current/

  Some of your site-specific patches are problematic.  The patch to
un-comment "/etc/shadow" isn't necessary.

  I suggest trying the build with the patches installed one by one.
It's highly likely that one of the patches is breaking the server.

  Alan DeKok.


PAM Radius

2007-08-20 Thread Sayan S
Greetings, I am very new to RADIUS and PAM RADIUS.
I am trying to configure PAM Radius to authenticate users on a Linux host. I 
would like to know, how to configure PAM Radius to authenticate users from 
different realms, as the current configuration doesn't seem to take realm.
Please help me with this, as I have configured users to be part of different
realms on the radius server and now want to authenticate all those users to the
same Linux host.

thanks for all the help in advance.

regards,
sayan.

   

sqlcounter test

2007-08-20 Thread zahra bahar
Hi,
I am testing freeradius with radclient.
I use the sqlcounter module for monthly limits and add max-monthly-session in the users file.
Then I send these tests:
radclient -f filename localhost auth testing123
radclient -f filename localhost acct testing123 : with acct-status-type=start
after "max-monthly-session" seconds:
radclient -f filename localhost acct testing123 : with acct-status-type=stop
Now I think this user hasn't any acct; I send another radclient auth test and
wait to receive an access-reject, but it accepts.
What is wrong?
Does sqlcounter have a problem?


   
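The test above exercises the sqlcounter module's monthly counting. The following is an added example, not code from the original post or from FreeRADIUS: it replays the default monthly counter query from radiusd.conf (with %b standing for the first second of the current month) against a constructed radacct table in SQLite, and derives the accept/reject decision and the Session-Timeout reply the module computes from it. The Max-Monthly-Session limit, the user names and all radacct rows are constructed sample values.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed check item: Max-Monthly-Session = 36000 seconds (ten hours per month).
MAX_MONTHLY_SESSION = 36000
# Constructed "now": the date of the thread.
NOW = datetime(2007, 8, 20, 12, 0, 0, tzinfo=timezone.utc)


def ts(iso: str) -> int:
    """UTC ISO-8601 timestamp -> Unix epoch seconds (how this example stores AcctStartTime)."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


def month_start(now: datetime) -> int:
    """Epoch of the current monthly reset: the value sqlcounter substitutes
    for %b in the counter query when reset = monthly."""
    return int(now.replace(day=1, hour=0, minute=0, second=0, microsecond=0).timestamp())


def build_sample_db() -> sqlite3.Connection:
    """Constructed radacct rows, reduced to the columns the counter query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (UserName TEXT, AcctStartTime INTEGER, AcctSessionTime INTEGER)")
    rows = [
        ("bob", ts("2007-07-31T23:00:00"), 7200),    # straddles the reset: only the 3600 s after %b count
        ("bob", ts("2007-08-05T10:00:00"), 1800),    # entirely inside August: counts in full
        ("bob", ts("2007-08-10T08:00:00"), None),    # stop record that carried no Acct-Session-Time: NULL, never counted
        ("bob", ts("2007-07-10T08:00:00"), 5000),    # ended before the reset: not counted
        ("alice", ts("2007-08-02T09:00:00"), 40000), # already over the limit
    ]
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return conn


def monthly_usage(conn: sqlite3.Connection, username: str, reset_ts: int) -> int:
    """The default monthly sqlcounter query from radiusd.conf, rewritten for SQLite
    (GREATEST -> MAX, UNIX_TIMESTAMP(AcctStartTime) -> the stored epoch value).
    Sessions that began before the reset contribute only the seconds after it."""
    row = conn.execute(
        "SELECT SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)) FROM radacct "
        "WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?",
        (reset_ts, username, reset_ts),
    ).fetchone()
    return int(row[0] or 0)  # SUM over no matching rows is NULL: counter 0


def authorize(conn: sqlite3.Connection, username: str, now: datetime):
    """Decision sqlcounter makes in authorize: reject once the counter reaches the
    check value, otherwise reply with Session-Timeout = limit - used."""
    used = monthly_usage(conn, username, month_start(now))
    if used >= MAX_MONTHLY_SESSION:
        return ("Access-Reject", None)
    return ("Access-Accept", MAX_MONTHLY_SESSION - used)


if __name__ == "__main__":
    db = build_sample_db()
    for user in ("bob", "alice", "carol"):
        print(user, monthly_usage(db, user, month_start(NOW)), authorize(db, user, NOW))
```

A stop record whose AcctSessionTime is NULL, or a session that ended before %b, adds nothing to the counter, so the next Access-Request for that user is still accepted.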

Re: PAM Radius

2007-08-20 Thread Alan DeKok
Sayan S wrote:
> Greetings, I am very new to RADIUS and PAM RADIUS.
> I am trying to configure PAM Radius to authenticate users on a Linux
> host. I would like to know, how to configure PAM Radius to authenticate
> users from different realms, as the current configuration doesn't seem
> to take realm.

  You don't use realms in Unix logins.

> please help me with this as I have configured users to be part of
> different realms on radius server and now want to authenticate all those
> users to the same Linux host.

  You just login as "[EMAIL PROTECTED]".  That might work.

  Alan DeKok.


RE: healthcheck?

2007-08-20 Thread Santiago Balaguer García

Use:
  Auth-Type := reject




From: Kevin J <[EMAIL PROTECTED]>
Reply-To: FreeRadius users mailing list
To: freeradius-users@lists.freeradius.org
Subject: healthcheck?
Date: Thu, 16 Aug 2007 09:40:56 -0700 (PDT)

We want to reject slb health checks immediately.  What is the best way to do that?  I tried to add "healthcheck Auth := Reject" but it still goes through all authorization/authentication modules.  Is there any way that we can immediately reject it so we can make it lighter?

Thanks in advance.

Kevin



Re: PAM Radius

2007-08-20 Thread Sayan S
Thanks Alan for the quick response.
I am referring to realm here, as RADIUS supports realms, and we are using RADIUS
to authenticate the users to Linux, so it seems like we need to have all users
contained in the same realm.

Is having a username in [EMAIL PROTECTED] form a valid unix format? I was
thinking the first part of the [EMAIL PROTECTED] should be the unix username
though the radius request is sent as [EMAIL PROTECTED] Otherwise we need to
have a comprehensive [EMAIL PROTECTED] to Unix-userid mapping.

regards,
sayan

Alan DeKok <[EMAIL PROTECTED]> wrote: Sayan S wrote:
> Greetings, I am very new to RADIUS and PAM RADIUS.
> I am trying to configure PAM Radius to authenticate users on a Linux
> host. I would like to know, how to configure PAM Radius to authenticate
> users from different realms, as the current configuration doesn't seem
> to take realm.

  You don't use realms in Unix logins.

> please help me with this as I have configured users to be part of
> different realms on radius server and now want to authenticate all those
> users to the same Linux host.

  You just login as "[EMAIL PROTECTED]".  That might work.

  Alan DeKok.


   

Chap-password to User-password

2007-08-20 Thread Carl aniams
Hi all

I installed freeradius 1.1.6 with mysql for storing users' logins.
I created some users through the dialup admin page and had their password
stored in the User-Password attribute (I checked in the database: select from
radcheck).

When I fire up radius in debug I notice that there is a CHAP challenge and
the password is in a CHAP-Password format, rejecting the access with message
auth: local
auth: user supplied password does not match local user-password

When in my radiusd.conf authorize section I uncomment chap
I have
auth: type CHAP
rlm_chap:login attempt by username with CHAP password
rlm_chap: using clear text password 'mypass' for user username
authentication
rlm_chap: passxord check failed

I would like to stop this and put my password in User-Password rather than
CHAP-Password, but don't know how it should be done.

please a help
-- 
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

ANIAMBOSSOU Carl
NIAMS TECHNOLOGIES
tel: +229 90 04 08 58   +229 97 48 01 33
COTONOU
REPUBLIC OF BENIN
WEST AFRICA

RE: PAM Radius

2007-08-20 Thread Josh Howlett
Hi Sayan,

I think I have tried this previously, and it was possible (on
Linux/glibc anyway - YMMV with other unices).

TBH, I don't really see the point in using RADIUS when you'll (probably)
want to use LDAP anyway for nss resolution, so you might as well just
use LDAP for PAM.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sayan S
> Sent: 20 August 2007 14:04
> To: FreeRadius users mailing list
> Subject: Re: PAM Radius
> 
> Thanks Alan for the quick response.
> I am referring to realm here, as RADIUS support realms, and 
> we are using RADIUS to authenticate the users to Linux, so 
> seems like we need to have all users contained in the same realm.
> 
> Is having username in [EMAIL PROTECTED] form a valid unix format? I 
> was thinking the first part of the [EMAIL PROTECTED] should be the 
> unix username though the radius request is sent as 
> [EMAIL PROTECTED] Otherwise we need to have a comprehensive 
> [EMAIL PROTECTED] to Unix-userid mapping.
> 
> regards,
> sayan
> 
> Alan DeKok <[EMAIL PROTECTED]> wrote:
> 
>   Sayan S wrote:
>   > Greetings, I am very new to RADIUS and PAM RADIUS.
>   > I am trying to configure PAM Radius to authenticate 
> users on a Linux
>   > host. I would like to know, how to configure PAM 
> Radius to authenticate
>   > users from different realms, as the current 
> configuration doesn't seem
>   > to take realm.
>   
>   You don't use realms in Unix logins.
>   
>   > please help me with this as I have configured users 
> to be part of
>   > different realms on radius server and now want to 
> authenticate all those
>   > users to the same Linux host.
>   
>   You just login as "[EMAIL PROTECTED]". That might work.
>   
>   Alan DeKok.



Re: Chap-password to User-password

2007-08-20 Thread Alan DeKok
Carl aniams wrote:
> I installed freeradius 1.1.6 with mysql for storing users login.
> i created some users  through dialup admin page and had their password
> stored in User-password attribute.(i checked in the database select from
> radcheck)

  As of 1.1.5, it should be in Cleartext-Password.  See the README.

> when i fire up radius in debug i notice that there is a CHAP challenge
> and the password is in a CHAP-password format 

  Because that's what the client sends.  If you don't want to use CHAP,
fix the client.

> rlm_chap:login attempt by username with CHAP password
> rlm_chap: using clear text password 'mypass' for user username
> authentication
> rlm_chap: passxord check failed

  You don't have the same password on the client as you have on the server.

> I would like to stop the put my password in User-password rather than
> CHAP-password, but don't know how it should be done.

  Fix the client to send User-Password.

  Alan DeKok.


Re: strange crash with freeradius 1.1.2 on startup

2007-08-20 Thread Guillaume Rousse
Alan DeKok wrote:
> Guillaume Rousse wrote:
>> If that matters, the whole package, including patches and spec file, are
>> available from the:
>> http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/freeradius/current/
> 
>   Some of your site-specific patches are problematic.  The patch to
> un-comment "/etc/shadow" isn't necessary.
> 
>   I suggest trying the build with the patches installed one by one.
> It's highly likely that of the patches is breaking the server.
Actually, the problem was absolutely not related to freeradius, nor to
the applied patches, but to the nss_ldap version shipped in 2007.1, as the
server was trying to resolve the 'radius' user id and gid:
http://bugzilla.padl.com/show_bug.cgi?id=273

I'm interested in your opinion about the applied patches however; I may
discuss them with the package maintainer. And we would be interested in
having everything related to biarch handling
(freeradius-1.1.2-libdir.diff) merged, if possible.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62


Realm question

2007-08-20 Thread Jeff Crowe
Hi all,

Sorry if this question has been answered (I did search the archives and
google to no avail):  I have subscribers that connect with 2 realms as the
prefix.  How do I strip both and just authenticate locally?

I.e. username: realm1/realm2/username or realm1/realm3/username.  Realm1
will always be present followed by either realm2 or realm3 (no others).

Thanks,

Jeff



Help configuring FreeRadius with PPPD and ntlm_auth

2007-08-20 Thread Bruce Marriner
I am setting up a Linux VPN for Windows clients via L2TP/IPSEC.  I had
everything working using basic PPPD chap-secrets authentication via MSCHAPv2
and am trying to add on the Radius part.  I’ve read a bunch of how-to’s but
they all seem to be written for a different setup or different versions and many
of them have incorrect statements about what is or is not in the config files ☺
  I have samba configured and winbindd running.  I tried to follow the
instructions from the below links, which are for PPTP not L2TP, but both systems
use PPPD for the username/pass authentication.

http://wiki.freeradius.org/PopTop
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_8.htm


I can run ntlm_auth as the radius user and it runs okay.
impasse ~ # sudo -u radiusd /usr/bin/ntlm_auth --request-nt-key 
--domain=ameristarfence.com --username=supersecretuser
password:
NT_STATUS_OK: Success (0x0)

All examples of setting up FreeRadius with VPN configurations against AD
just say, basically, to change the radiusd.conf file to turn on mppe in
the mschap section and set up winbindd so it works.  But I read some place that
I also need EAP or.. PEAP to get this to work.  I’m not sure if that’s required
and that’s my primary question right now.  Does anyone know the specific things
I need to set up so freeradius can authenticate via the ntlm_auth tool back to
PPPD?  Below are the versions of everything.   Last night I got frustrated and
removed freeradius and reinstalled it with all fresh new config files.  I
followed the poptop guide on the freeradius wiki site again and am, not
surprisingly, getting the same response.  Below is what the radius server is
saying about all this :) I see the part where it sets the authtype to CHAP.
And I think that should be MS-CHAP but I don't really know (obviously).  Any
help would be very appreciated :)



-
impasse ~ # radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32774, id=123, length=94
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "supersecretuser"
CHAP-Challenge = 0xafd50494421ab0f8cc743432bbd7000278ee8748078c2b
CHAP-Password = 0x8a3ab7e348bc7de701db2207475d474831
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  rlm_chap: Setting 'Auth-Type := CHAP'
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
  rlm_chap: login attempt by "supersecretuser" with CHAP password
  rlm_chap: Could not find clear text password for user supersecretuser
Login incorrect (rlm_chap: Clear text password not available): 
[supersecretuser/] (from client localhost port 0)
rad_recv: Access-Request packet from host 127.0.0.1:32774, id=123, length=94
Sending Access-Reject of id 123 to 127.0.0.1 port 32774
-


Below is a list of versions and compile features (via Gentoo USE statements)
-
samba-3.0.24-r3  
USE="acl kerberos ldap oav pam python readline syslog winbind -async -automount 
-caps -cups -doc -examples -fam -quotas (-selinux) -swat" 

freeradius-1.1.6  
USE="debug kerberos ldap mysql pam snmp ssl -edirectory -firebird -frascend 
-frnothreads -frxp -postgres -udpfromto" 0 kB

xl2tpd-1.1.10  0 kB

openssl-0.9.8e-r1  
USE="bindist sse2 zlib -emacs -test" 0 kB

strongswan-2.8.4  
USE="ldap nat -curl -smartcard" 0 kB

ppp-2.4.4-r9  
USE="pam radius -activefilter -atm -dhcp -eap-tls -gtk -ipv6 -mppe-mppc" 0 kB

Linux impasse 2.6.21-gentoo-r4 #11 SMP Tue Aug 14 16:29:27 CDT 2007 i686 
Intel(R) Pentium(R) D CPU 3.20GHz Gen

Certificate verification

2007-08-20 Thread abhishek singh
I am using Free radius to perform EAP_TLS negotiations. When we send client
certificates for validation, does free radius impose any depth on the
certificate validation? What I mean to say is, if the certificate is self
signed, then the certificate will not be accepted by Free radius.

If free radius imposes a depth, then what is the value for the depth?

Thanks in advance

Re: PAM Radius

2007-08-20 Thread Peter Nixon
On Mon 20 Aug 2007, Sayan S wrote:
> Thanks Alan for the quick response.
> I am referring to realm here, as RADIUS support realms, and we are using
> RADIUS to authenticate the users to Linux, so seems like we need to have
> all users contained in the same realm.
>
> Is having username in [EMAIL PROTECTED] form a valid unix format? I was 
> thinking
> the first part of the [EMAIL PROTECTED] should be the unix username though the
> radius request is sent as [EMAIL PROTECTED] Otherwise we need to have a
> comprehensive [EMAIL PROTECTED] to Unix-userid mapping.

I happily use [EMAIL PROTECTED] logins on my hosting servers with an LDAP 
backend (not radius at present)

Regards

-- 

Peter Nixon
http://peternixon.net/


Re: Chap-password to User-password

2007-08-20 Thread Carl aniams
Alan,

Sorry for coming back to you.
I understood your explanation clearly; doing a little literature (RFC 2865
SECTION 4.1) I understood it.
I'm using a linksys box with dd-wrt and chillispot enabled, and I have been
going round;
I really don't see what brings about CHAP in my client and radius exchange.
Moreover I've built the same architecture successfully.
Please give me an idea.

Re: Chap-password to User-password

2007-08-20 Thread Alan DeKok
Carl aniams wrote:
> I understood your explanation clearly; doing a little literature (RFC
> 2865 SECTION 4.1) I understood it.
> I'm using a linksys box with dd-wrt and chillispot enabled, and I have
> been going round;
> I really don't see what brings about CHAP in my client and radius exchange.
> Moreover I've built the same architecture successfully.
> Please give me an idea.

  The client is Chillispot.  It is the one that is choosing to use CHAP.
 Go read the Chillispot documentation and configuration files.  Look for
CHAP.  Fix it.

  There is NOTHING you can do to the RADIUS server that will cause
Chillispot to stop using CHAP.  Therefore, stop trying to figure out how
to fix the RADIUS server.  It's not broken.

  Alan DeKok.

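Both Chap-password replies above turn on the same point: the CHAP-Password that a client such as Chillispot sends is one ident octet followed by MD5(ident || password || challenge) (RFC 2865 section 2.2), so the server can only check it by recomputing that digest from a cleartext password, which is why rlm_chap needs Cleartext-Password and cannot work from a stored hash. The following is an added example, not code from the original posts or from rlm_chap; the challenge, ident and Request Authenticator are constructed values, the password 'mypass' is the one in the debug output, and the fallback to the Request Authenticator when CHAP-Challenge is absent follows the RFC.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values (not from the original posts).
SAMPLE_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_IDENT = 0x8A


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Build the CHAP-Password value the way the NAS (Chillispot, pppd) does:
    one ident octet followed by MD5(ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident must fit in one octet")
    digest = hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, cleartext: str,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check: recompute the digest from the cleartext password.
    If the request carries no CHAP-Challenge attribute, the 16-octet Request
    Authenticator of the Access-Request is the challenge (RFC 2865 section 5.3)."""
    if len(chap_password) != 17:
        return False  # malformed: must be ident + 16-octet MD5 digest
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + cleartext.encode("utf-8") + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def chap_authenticate(request: dict, known_good: Tuple[str, str]) -> Tuple[bool, str]:
    """Simplified model of rlm_chap's decision (not the module's own code).
    `known_good` is the (attribute, value) pair the authorize stage found for the user."""
    attr, value = known_good
    if attr != "Cleartext-Password":
        # A stored hash cannot be folded into the challenge digest, hence the
        # "Clear text password not available" rejection seen in the debug output.
        return (False, "Clear text password not available")
    if "CHAP-Password" not in request:
        return (False, "no CHAP-Password in request")
    ok = chap_verify(request["CHAP-Password"], value,
                     request.get("CHAP-Challenge"), request["Request-Authenticator"])
    return (ok, "ok" if ok else "password check failed")


def sample_request(with_challenge: bool = True) -> dict:
    """A constructed Access-Request as the client would send it for the password 'mypass'."""
    challenge = SAMPLE_CHALLENGE if with_challenge else SAMPLE_AUTHENTICATOR
    req = {
        "User-Name": "username",
        "CHAP-Password": chap_response(SAMPLE_IDENT, "mypass", challenge),
        "Request-Authenticator": SAMPLE_AUTHENTICATOR,
    }
    if with_challenge:
        req["CHAP-Challenge"] = SAMPLE_CHALLENGE
    return req


if __name__ == "__main__":
    req = sample_request()
    print(chap_authenticate(req, ("Cleartext-Password", "mypass")))   # (True, 'ok')
    print(chap_authenticate(req, ("Cleartext-Password", "other")))    # (False, 'password check failed')
    print(chap_authenticate(req, ("Crypt-Password", "<hash placeholder>")))  # (False, 'Clear text password not available')
    print(chap_authenticate(sample_request(False), ("Cleartext-Password", "mypass")))  # (True, 'ok')
```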


Re: Certificate verification

2007-08-20 Thread Alan DeKok
abhishek singh wrote:
> I am using Free radius to perform EAP_TLS negotiations. When we send
> client certificates for validations, does free radius imposes any depth
> on the certification validation. What i mean to say , if the certificate
> is self signed , then certificate will not be accepted by the Free radius.

  EAP-TLS does not allow self-signed client certificates.

> If the free radius imposes depth, the what is the value for the depth ?

  Any depth is imposed by OpenSSL.  see the OpenSSL documentation.

  Alan DeKok.


Re: Help configuring FreeRadius with PPPD and ntlm_auth

2007-08-20 Thread Alan DeKok
Bruce Marriner wrote:
> On all examples of setting up FreeRadius with VPN configurations against AD 
> they all just say to basicly.. change the radiusd.conf file to turn on mppe 
> in the mschap section and setup winbindd so it works.  But I read some place 
> that I also need EAP or.. PEAP to get this to work.

  No.  The documentation says that PEAP and Active Directory require
ntlm_auth.  ntlm_auth && VPN's do not require EAP or PEAP.


>  I’m not sure if that’s required and that’s my primary question right now?  
> Does anyone know the specific things I need to setup so freeradius can 
> authenticate via the ntlm_auth tool back to PPPD?

  Get ntlm_auth working from the command line.

  Get ntlm_auth working for a request sent via "radtest".

  Make sure PPPd isn't using CHAP.

  It should work.
...
> rad_recv: Access-Request packet from host 127.0.0.1:32774, id=123, length=94
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "supersecretuser"
> CHAP-Challenge = 0xafd50494421ab0f8cc743432bbd7000278ee8748078c2b
> CHAP-Password = 0x8a3ab7e348bc7de701db2207475d474831

  Make sure PPPd isn't using CHAP.

  Alan DeKok.

RE: Help configuring FreeRadius with PPPD and ntlm_auth

2007-08-20 Thread Bruce Marriner

I wish I could be very specific here.  But I fixed it.
I reinstalled PPP and I looked very closely at all its options and the config for
XL2TP and removed every option that wasn't required (didn't break my non-radius
connection).  I tried the connection again.  Wasn't even talking to radius so I
edited the /etc/ppp/radius/servers file.  It started talking to radius!  This
time it actually said it was doing mschap auth.  Then complained about security
on the winbindd_privileged folder.  Now I'm not sure what user it's running as.
 The radiusd user has rights to that folder.  But for testing I just changed it
to 777 and now it's working.

So I'm down to my very last step in this whole thing.  I'll dig on the internet
and manuals for this as well.  But I'd like to ask here too :)  I need to
select what IP Pool specific users are given.  So for our general users (field
sales) we could allow access to all the email/intranet servers.  Then our
special users who do maintenance work on some machines in the shop would only
have access to those machines.  If I can assign different IP pools I can handle
the access in netfilter.

So is there a method of pulling an ip pool from Active Directory?  If not, what
options are there? Thanks.  I'm documenting most of this :) and working on
writing a howto on the whole thing, since I couldn't really find any that
currently exist.   Once done it will exist at http://sqls.net/?s=article&id=6
(just in case someone ends up finding this while searching for how to do this)


-Original Message-
From: Bruce Marriner 
Sent: Monday, August 20, 2007 9:30 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: Help configuring FreeRadius with PPPD and ntlm_auth
