Authentication failure via PAP

2007-09-18 Thread Thomas Schmitz
Hi,

I'm using Freeradius 1.1.6 inside a Solaris 10 zone and compiled 
it from vanilla sources. I configured rlm_ldap since the 
usernames and cleartext-passwords are stored in an LDAP 
directory and it works just fine for applications like Cisco-VPN 
or 802.1X EAP-TTLS. Now I wanted to set up the Captive Portal of 
pfsense/m0n0wall to authenticate against radius, which is using 
PAP for password transmission but authentication always fails 
even if I triple-check the entered user credentials.

The freeradius log always says:
Auth: Login incorrect (rlm_ldap: Bind as user failed): 
[my_username] (from client pfsensebox port 1 cli 
00:17:f2:xx:yy:zz)

Of course I also checked if the radius client is using the 
correct secret. I set auto_headers to yes as it is suggested 
in the rlm_pap manpage and put pap at the end of the authorize 
section.

I also included an excerpt of my radiusd.conf

---begin radiusd.conf---
modules {
    pap {
        auto_header = yes
    }
    ldap {
        server = ldapserver.mydomain.com
        basedn = ou=people,o=my organization,c=de
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        access_attr = uid
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}
authorize {
    auth_log
    chap
    mschap
    suffix
    eap
    ldap
    files
    daily
    pap
}

authenticate {
    pap
    chap
    mschap
    ldap
    eap
}
---end radiusd.conf---

Here is an output of radiusd -X:

---begin radiusd -X output---
rad_recv: Access-Request packet from host 111.222.333.444:51087, 
id=255, length=131
NAS-IP-Address = 111.222.333.444
NAS-Identifier = pfsense.local
User-Name = my_username
User-Password = \301q\202\355g\264g)N\265\315\311\374\205i
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 1
Framed-IP-Address = 192.168.23.200
Called-Station-Id = 00:01:02:xx:yy:zz
Calling-Station-Id = 00:17:f2:aa:bb:cc
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
radius_xlat:  '/opt/radiusd/var/log//radacct/auth-detail-200709'
rlm_detail: /opt/radiusd/var/log//radacct/auth-detail-%Y%m 
expands to /opt/radiusd/var/log//radacct/auth-detail-200709
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = my_username, looking up 
realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = my_username
rlm_realm: Proxying request from user my_username to realm 
NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my_username
radius_xlat:  '(uid=my_username)'
radius_xlat:  'ou=people,o=my organization,c=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to directory.fernuni-hagen.de:389, 
authentication 0
rlm_ldap: bind as / to directory.fernuni-hagen.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=my organization,c=de, 
with filter (uid=my_username)
rlm_ldap: checking if remote access for my_username is allowed by 
uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding uid as User-Name, value my_username  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user my_username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall[authorize]: module files returns notfound for request 
0
rlm_counter: Entering module authorize code
rlm_counter: Could not find Check item value pair
  modcall[authorize]: module daily returns noop for request 0
rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type ldap
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by my_username with password Áq?íg
´g)NµÍÉü?i
rlm_ldap: user DN: uid=my_username,ou=People,o=my 

Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-18 Thread Alan DeKok
Scott Lambert wrote:
 lrad_packet_list_socket_add() is called with a pointer to the radius
 request packet list structure and the socket file descriptor of the
 socket which has been created with the call to socket() and bound to an
 IP and port by bind() during the prior call to lrad_socket().  Is that
 correct?

  Yes.  In the jail, it asks to bind to 0.0.0.0, but the socket
*actually* binds to the jail IP.  This is why the inaddr_any check
doesn't match.

 So, should we be looking for != in the above if() from
 lrad_packet_list_socket_add()?

  ... no.  The issue is that when udpfromto is used, we have:

  a) socket binds to 0.0.0.0 (really, outside of the jail)
  b) the server doesn't know which IP is used to send a packet
  c) the server DOES know which IP the response is sent to

  Since the received IP doesn't match the source IP, there's a
little bit of tweaking that has to be done to match the response to an
outstanding request.  That's what that check is for.

 I flipped that to a != comparison and it seems to work inside or outside
 the jail with or without specifying the Packet_Src-IP-Address.

  I have no idea why that would work...

 Problem solved?  Or, is this going to break other things?

  It should really break things...

 ===
 jail with Packet-Src-IP-Address:

  But that tells the server which IP to use for the source IP, so the
whole inaddr_any checks don't apply.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Limit users traffic quota via radius

2007-09-18 Thread Massimiliano Macrì


Hi,

I'm trying to close the connection of a pre-paid mobile user after he has
reached a limited amount of traffic (i.e. 100 megabytes); the network
device is a Cisco router.
I've found many ways to rate-limit the traffic bandwidth but not one to do
this.

Is radius the correct way to achieve this goal? Is it all about VSAs?

Thanks all,


Massimiliano


Re: Sending Cisco AV Pairs per realm

2007-09-18 Thread Dan Goscomb
 Here is a short example that should work for you using the hints file:
 
 #hints
 DEFAULT User-Name =~ @dsl.realm
 Hint = DSL
 #/hints
 
 #users
 DEFAULT Hint == DSL
   Cisco-AVPair += ...
 #/users

Thanks Kevin

This looks great, however the caveat is that we're using MySQL and not
the users file; I can't for the life of me work out how to get that data
in to the tables!

Any hints would be appreciated.

Cheers

Dan



Re: Trouble configuring SQL data store for users (second attempt)

2007-09-18 Thread Phil Mayers
On Mon, 2007-09-17 at 20:30 -0700, Bill Shaver wrote:
 Please forgive the duplicate post. I posted this a few days back and
 didn't see any response; thought I would give it just one more try.
 Thanks for any response.
   --Bill
 
 
 
 I have started to experiment with using mysql as the datastore for users
 and clients instead of the default file method for my relatively small
 installation. Right now my work is on a test system and all is working
 well, with one exception: a user that is a member of two or more groups. 
 Based on all I have read, this last thing should be very basic.
 
 If I put the user in only groupA (in the usergroup table), the test
 works great. If I put user1 in only groupB, the test works great. When
 I put user1 in both groupA and groupB in the usergroup table it will
 only work against the first record of the two, the second record always
 returns a failure.

Versions of FreeRadius prior to 2.0pre/CVS handle multiple groups a
little bit oddly. The SQL code merges the check items for the user (from
radcheck) and all their groups (from radgroupcheck) into one check list,
compares them all, then if they all match, merges the reply items for
the user (from radreply) and all their groups (from radgroupreply) into
one set of reply items, which are added to the reply.

So having a user in two groups with conflicting check or reply items
doesn't work.

This is annoying, since it's usually what you want to do!

In FreeRadius 2.x the SQL groups work as expected. The user check/reply
items are processed, then the groups are processed in order of
precedence, processing stopping the first time Fall-Through==no (the
default).

The easiest way to get around this is in 1.x to modify the group
membership SQL query to include more than just the username as the
key. I like to refer to this as netgroup-like. For example, you
might set:

group_membership_query = 
 select groupname from netgroup where \
 username='%{SQL-User-Name}' and \
 realm='%{Realm}'

In SQL:

create table netgroup (username varchar(253), realm varchar(253),
groupname varchar(253), primary key (username,realm));

insert into netgroup values ('kpass','cisi','CiscoAdm');
insert into netgroup values ('kpass','syst','LdapHpReho');

This is a very simple example, and can in fact be accomplished without
changing anything; just change the SQL-User-Name to be User-Name as
opposed to Stripped-User-Name and put the [EMAIL PROTECTED] in the user column.

However, there are endless variations on this scheme, including putting
things such as:
 * Service-Type
 * Calling-Station-Id
 * Called-Station-Id
 * Huntgroup-Name
 * etc.
...in the key to the group table.

 
 I am sure this is probably something really stupid, but I just cannot
 see it. Any help would be appreciated.
 
 I have attached table dumps, sample commands, and a debug trace. I hope
 it is helpful
 
 Thanks,
   --Bill
 
 
 FreeRadius version 1.0.1

This is ancient. Upgrade to 1.1.7

 MySQL  version 4.1.20
 
 
 vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED]  password \
   localhost:1645 10 naspass
 will succeed, while
 vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED]  password \
   localhost:1645 10 naspass
 fails, but should succeed
 
 
 The following is a test data set to validate a variety of cases that we
 need to support in our environment.
 
 select * from radcheck  into outfile '/tmp/f1';
 
 id  username  attribute  op  value
 --  --------  ---------  --  --------
 1   bill      Password   ==  userpass
 5   guest01   Auth-Type  :=  Local

Once you've upgraded to 1.1.7, you can stop setting Auth-Type to Local,
and stop using password comparison. Instead, do:

Cleartext-Password := value

...and ensure the PAP module is at the bottom of the authorize section.
Then it'll a) magically work and b) be the recommended way of doing it.

 6   guest01   Password   ==  password
 
 select * from radreply  into outfile '/tmp/f4';
 
 id  username  attribute     op  value
 --  --------  ------------  --  ------------
 7   guest01   Class         :=  OU=Wireless;
 8   guest01   Fall-Through  :=  No
 

As above, Fall-Through is irrelevant on SQL groups in FreeRadius 1.x.

 select * from radgroupcheck into outfile '/tmp/f2';
 
 id  groupname     attribute  op  value
 --  ------------  ---------  --  --------
 6   LocalUnix     Auth-Type  ==  System
 7   LocalUnix     Realm      ==  Test
 9   LdapCiscoAdm  Password   ==  password
 10  LdapCiscoAdm  Auth-Type  ==  Local
 11  LdapCiscoAdm  Realm      ==  cisi
 12  LdapHpReho    Realm      ==  syst
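The 1.x merge behaviour Phil describes, and the netgroup-like fix, can be tried out without a RADIUS server. The Python/sqlite3 script below is an added example, not Phil's code and not rlm_sql: it models one user (kpass) in two groups whose check items conflict (Realm == cisi versus Realm == syst), and shows that a username-only membership query merges both groups' check items into one unsatisfiable list, while keying membership on (username, realm) as in the post returns one group and the request matches. The table rows are constructed from the post's examples, and only the == operator is modelled.

```python
import sqlite3

# Constructed sample rows, modelled on the radgroupcheck and netgroup rows in
# the post (assumption: not a dump of any real server). Only the Realm checks
# are kept, because they are what conflicts between the two groups.
RADGROUPCHECK = [
    ("LdapCiscoAdm", "Realm", "==", "cisi"),
    ("LdapHpReho", "Realm", "==", "syst"),
]
# Stock radusergroup-style membership, keyed on the username alone.
RADUSERGROUP = [("kpass", "LdapCiscoAdm"), ("kpass", "LdapHpReho")]
# Netgroup-like membership from the post, keyed on (username, realm).
NETGROUP = [("kpass", "cisi", "LdapCiscoAdm"), ("kpass", "syst", "LdapHpReho")]


def build_db():
    """In-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table radgroupcheck (groupname text, attribute text, op text, value text);
        create table radusergroup (username text, groupname text);
        create table netgroup (username text, realm text, groupname text,
                               primary key (username, realm));
    """)
    conn.executemany("insert into radgroupcheck values (?, ?, ?, ?)", RADGROUPCHECK)
    conn.executemany("insert into radusergroup values (?, ?)", RADUSERGROUP)
    conn.executemany("insert into netgroup values (?, ?, ?)", NETGROUP)
    return conn


def groups_by_username(conn, username):
    """Username-only membership query: returns every group the user is in."""
    rows = conn.execute(
        "select groupname from radusergroup where username = ? order by groupname",
        (username,))
    return [r[0] for r in rows]


def groups_by_username_and_realm(conn, username, realm):
    """The netgroup-like query from the post: (username, realm) is the key."""
    rows = conn.execute(
        "select groupname from netgroup where username = ? and realm = ? order by groupname",
        (username, realm))
    return [r[0] for r in rows]


def merged_check_items(conn, groups):
    """1.x behaviour: the check items of all matched groups become one list."""
    items = []
    for group in groups:
        items += conn.execute(
            "select attribute, op, value from radgroupcheck where groupname = ?",
            (group,)).fetchall()
    return items


def checks_pass(items, request):
    """Every merged check item must match the request. Only '==' is modelled
    (assumption: enough to show the conflict)."""
    for attribute, op, value in items:
        if op != "==":
            raise ValueError(f"operator {op!r} is not modelled")
        if request.get(attribute) != value:
            return False
    return True


def authorize(conn, request, groups):
    """True when the request matches the merged check items of `groups`.
    No groups at all is treated as notfound, i.e. not authorized (simplification)."""
    if not groups:
        return False
    return checks_pass(merged_check_items(conn, groups), request)


def authorize_username_key(conn, request):
    """What the stock username-only query gives you in 1.x."""
    return authorize(conn, request, groups_by_username(conn, request["User-Name"]))


def authorize_netgroup_key(conn, request):
    """What the (username, realm)-keyed query gives you."""
    groups = groups_by_username_and_realm(conn, request["User-Name"], request["Realm"])
    return authorize(conn, request, groups)


if __name__ == "__main__":
    db = build_db()
    req = {"User-Name": "kpass", "Realm": "cisi"}
    print("username-only key:", authorize_username_key(db, req))  # False: cisi and syst can't both match
    print("netgroup key:     ", authorize_netgroup_key(db, req))  # True
```

The same pattern extends to the other keys Phil lists (Service-Type, Calling-Station-Id, Huntgroup-Name): add the column to the netgroup table and to the `where` clause of `group_membership_query`, and the query itself picks the one group that applies, so the merged check list never contains items from two mutually exclusive groups.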
 

Denying user from authentication

2007-09-18 Thread anoop_c
Hi
   I am using EAP-TLS authentication with FreeRADIUS 1.1.7. The authentication
is a certificate-based one.

  I want to reject one user. I have done this config in the users file:

 anoop07    Auth-Type := Reject
            Reply-Message = "Your account has been disabled."

Still the user authenticates. How can I prevent a user like this?

Regards
Anoop



Re: Authentication failure via PAP

2007-09-18 Thread tnt
1. Secret is different (probability 99%)
2. MD5 libraries on the client or the server are broken

I would delete the secret on the server and the client and type in
another one. If that doesn't work then you will need to fix the MD5
calculations. If it's the server you will get this problem with every
client you try. If it's only one client ...

Ivan Kalik
Kalik Informatika ISP


On 18/9/2007, Thomas Schmitz [EMAIL PROTECTED] writes:

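As an added illustration of tnt's first point (this is example code, not from the thread and not FreeRADIUS's own): RFC 2865 hides User-Password by XORing each 16-octet block with MD5(secret + previous block), starting from the Request Authenticator. A NAS and a server that disagree on the shared secret therefore produce a "password" of random-looking octets on the server side, which is exactly what rlm_ldap then tries to bind with, and why the debug output shows binary garbage after "login attempt by my_username with password". The secret, authenticator and password below are constructed values.

```python
import hashlib
import string

BLOCK = 16
PRINTABLE = set(string.printable.encode())


def _pad(password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least one block, RFC 2865 5.2)."""
    blocks = max(1, -(-len(password) // BLOCK))
    return password.ljust(blocks * BLOCK, b"\x00")


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block
    return bytes(out)


def decrypt_user_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does before handing the password to rlm_pap or rlm_ldap."""
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(ciphertext), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cblock = ciphertext[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(cblock, keystream))
        prev = cblock
    return bytes(out).rstrip(b"\x00")


def looks_like_wrong_secret(decrypted: bytes) -> bool:
    """Triage heuristic for a debug trace: real passwords are printable text, a
    decryption under the wrong secret is a block of arbitrary octets."""
    return any(b not in PRINTABLE for b in decrypted)


if __name__ == "__main__":
    # Constructed values: a fixed authenticator so the run is reproducible.
    auth = bytes(range(16))
    wire = encrypt_user_password(b"correct horse", b"sharedsecret", auth)
    good = decrypt_user_password(wire, b"sharedsecret", auth)
    bad = decrypt_user_password(wire, b"wrongsecret", auth)
    print("right secret:", good)
    print("wrong secret:", bad, "garbage?", looks_like_wrong_secret(bad))
```

The check to draw from this: whenever a PAP-only client fails against a server that works for CHAP or EAP, compare the octets printed after "login attempt by ... with password" in `radiusd -X` with what was typed. Readable text means the credentials or the directory are the problem; binary noise means the two ends are not using the same secret (or, as tnt says, one side's MD5 is broken), and no amount of retyping the password will help.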

Re: Denying user from authentication

2007-09-18 Thread tnt
Revoke the certificate.

Ivan Kalik
Kalik Informatika ISP


On 18/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] writes:



Re: Denying user from authentication

2007-09-18 Thread inverse
and make sure to use check_crl = yes in eap.conf

On 9/18/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Revoke the certificate.
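What that looks like in the tls section of eap.conf, as an added example rather than anything posted in this thread: revoking the certificate only takes effect if the server is told to consult the CRL, and OpenSSL locates the CRL by the hashed filename in CA_path. The file paths are placeholders.

```conf
	tls {
		# Placeholder paths (assumption: adjust to the local layout).
		private_key_file = ${raddbdir}/certs/server.key
		certificate_file = ${raddbdir}/certs/server.pem
		CA_file = ${raddbdir}/certs/ca.pem

		#  A revoked client certificate is still accepted unless the
		#  server checks the CRL. OpenSSL finds the CRL by its
		#  subject-name hash in CA_path, so copy the CA certificate(s)
		#  and the CRL into that directory and run
		#  'c_rehash <directory>' after every CRL update.
		check_crl = yes
		CA_path = ${raddbdir}/certs/crl
	}
```

One caveat worth knowing before turning this on: a CRL carries a nextUpdate time, and once that has passed OpenSSL treats the CRL as expired and fails verification for every client, not just the revoked one. Re-issue the CRL on a schedule shorter than its validity, and re-run c_rehash each time.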


RE: randomly crashing

2007-09-18 Thread Matt Ashfield

version of FR? modules or backend auth system used?
Using FR 1.1.5 and using mod_auth_ldap for auth




Re: Limit users traffic quota via radius

2007-09-18 Thread inverse
On 9/18/07, Massimiliano Macrì [EMAIL PROTECTED] wrote:


 I'm trying to close the connection of a pre-paid mobile user, after he
 reached a limited amount of traffic (ie. 100 megabytes), the network
 device is a Cisco router.
 I've found may way to rate-limit the traffic bandwidth but not one to do
 this.
 Is radius the correct way to achieve this goal? It'all about vsa?

Radius isn't supposed to terminate anything on its own, it just takes
note of a user session history and validates logins.
What you should do is to find some way of telling Cisco that a
particular session is to be disconnected when a certain limit is
reached. If your Cisco can output real time stats AND can accept
external disconnection commands, then it might be possible to
implement what you want.
But honestly this process should be implemented completely inside the
Cisco, and then, when a disconnect triggers, your Cisco should tell
Radius about it. The opposite isn't bound to happen.



Intel Proset Wireless Client does not process RFC3580 Attributes.

2007-09-18 Thread Terry Pelley
FreeRADIUS Version 1.1.3-r0.1.2 (Upgrade to 1.1.7 is Pending)


I am running FreeRADIUS to authenticate wireless users on a bunch of Cisco
AP1231's. My wireless supplicants are running a combination of the
standard Windows XP client which works fine and the Intel Proset Client
which is causing problems.

The Radius setup is for PEAP/MSChapv2 and each user has the following
attributes assigned.

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = X (Where X is the assigned VLAN Number)

The Proset Clients do manage to eventually authenticate, but the above
attributes do not appear to get processed.  I think this is happening
because the Proset Client sends the User-Name as anonymous and as there
is no anonymous user defined, the attributes do not get applied.  

How do I get the User-Name to be sent correctly?

Thanks in advance.


Terry Pelley
Network Analyst
Business and Learning Technologies
Ottawa-Carleton District School Board

[EMAIL PROTECTED]


Re: Limit users traffic quota via radius

2007-09-18 Thread liran tal
Actually if you are working with MySQL or some other SQL database
server maybe you can write your own sql module that accomplishes that.

I would suggest taking a look at Max-All-Session as an example.
What you want to do is create a kind of sql module that will act as a
counter
for the traffic used by the user and perform actions based on that.


Regards,
Liran.

On 9/18/07, inverse [EMAIL PROTECTED] wrote:


Controlling access to my Wireless network.

2007-09-18 Thread Kent Thomas
Hello all,
I'm looking for a simple way to protect access to my wireless network.  I'm
seeing a lot of old documentation on how to use EAP-TLS to protect the
wireless network.  I've found lots of old documentation on how to setup WPA
Enterprise.  I would like some updated documentation on how to do this.

I have a couple SonicWall SonicPoint devices that have the capability to do
WPA Enterprise or WPA2 enterprise or both. I would like to be able to have a
user attempt to join my wireless network, but be presented with the request
for Username and Password.  From there I would like to be able to have their
connection authenticated and then allow them on.  No authentication, no
getting on.  Securing the wireless signal is not the primary focus here.
Securing the access to the network is.

Is there a way to do this?  I have FreeRadius 1.1.7 installed and working
and currently will authenticate against my ldap server.

Thank you for lending a hand to a newbie here.
Kent




Re: Controlling access to my Wireless network.

2007-09-18 Thread Donny Jekels
simplest, don't turn it on.

On 9/18/07, Kent Thomas [EMAIL PROTECTED] wrote:


Re: Limit users traffic quota via radius

2007-09-18 Thread Peter Nixon
On Tue 18 Sep 2007, Massimiliano Macrì wrote:
 Hi,

 I'm trying to close the connection of a pre-paid mobile user, after he
 reached a limited amount of traffic (ie. 100 megabytes), the network
 device is a Cisco router.
 I've found may way to rate-limit the traffic bandwidth but not one to do
 this.
 Is radius the correct way to achieve this goal? It'all about vsa?

You could easily accomplish this with a CoA/PoD request to the cisco when the 
user hits whatever limit...

-- 

Peter Nixon
http://peternixon.net/
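Putting Peter's CoA/PoD suggestion together with the counter Liran and inverse describe, the Python below is an added example (not from this thread, not FreeRADIUS code) of the two halves: a quota check over per-session accounting counters, and a Disconnect-Request (RFC 5176, packet code 40) for each session that is over the limit, with the Request Authenticator computed the way the RFC specifies so that the NAS can verify it came from a server that knows the shared secret. The accounting rows and the secret are constructed; whether the router honours the request still depends on it being configured to accept CoA/PoD from that server.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet code
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
QUOTA_BYTES = 100 * 1024 * 1024  # the 100 megabyte limit from the question

# Constructed accounting snapshot (assumption: counters as a NAS would report
# them in Interim-Update records; the values are made up).
ACCOUNTING = [
    {"User-Name": "prepaid01", "Acct-Session-Id": "0000A1B2",
     "Acct-Input-Octets": 60_000_000, "Acct-Output-Octets": 45_000_000},
    {"User-Name": "prepaid02", "Acct-Session-Id": "0000A1B3",
     "Acct-Input-Octets": 1_000_000, "Acct-Output-Octets": 2_000_000},
]


def session_octets(record):
    """Traffic used by one session, both directions."""
    return record["Acct-Input-Octets"] + record["Acct-Output-Octets"]


def sessions_over_quota(records, quota=QUOTA_BYTES):
    """The counter step: which sessions have reached the limit."""
    return [r for r in records if session_octets(r) >= quota]


def _avp(attr_type, value):
    """One RADIUS attribute: Type, Length (counting these 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(identifier, secret, user_name, session_id):
    """Disconnect-Request naming the session by User-Name and Acct-Session-Id.
    RFC 5176 s2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero
    octets + Attributes + Secret)."""
    attrs = (_avp(ATTR_USER_NAME, user_name.encode())
             + _avp(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """The check the NAS performs before acting on a Disconnect-Request: a
    packet from a sender without the secret fails here and is dropped."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def disconnect_requests_for_quota(records, secret, quota=QUOTA_BYTES):
    """One Disconnect-Request per over-quota session; the identifier is a counter."""
    return [build_disconnect_request(i, secret, r["User-Name"], r["Acct-Session-Id"])
            for i, r in enumerate(sessions_over_quota(records, quota))]


if __name__ == "__main__":
    for pkt in disconnect_requests_for_quota(ACCOUNTING, b"coa-secret"):
        print(len(pkt), "octets, code", pkt[0], "authenticator ok:",
              verify_request_authenticator(pkt, b"coa-secret"))
```

Two practical notes. The counters only ever reach the server in accounting packets, so the granularity of enforcement is the NAS's interim-update interval; a user can overshoot by up to one interval's worth of traffic. And since the Disconnect-Request is authenticated only by this MD5 construction over the shared secret, the NAS should accept CoA/PoD from a specific server address, with a secret that is not the one used for ordinary authentication.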



Re: Intel Proset Wireless Client does not process RFC3580 Attributes.

2007-09-18 Thread tnt
Read instructions in eap.conf. You most likely need to set:

use_tunneled_reply = yes

in peap section.

Ivan Kalik
Kalik Informatika ISP


On 18/9/2007, Terry Pelley [EMAIL PROTECTED] writes:



Freeradius +MS Win XP (EAP) problems

2007-09-18 Thread Sergio Belkin
Hi,
I want to configure freeradius (Linux) in order to authenticate and
authorize MS Windows XP clients (people connect to a Linksys Access
Point). I am using EAP-PEAP and MSCHAP from Windows. If I perform
radtest from Linux clients (using the wired network) I have no problem
getting access, but I cannot from Windows XP; these are the messages when
I run radiusd -X:


rad_recv: Access-Request packet from host 10.30.1.151:1032, id=66, length=115
User-Name = sbelki
Calling-Station-Id = 00-0e-35-bf-51-18
EAP-Message = 0x020400061900
Framed-MTU = 1287
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0xbee0745e6005b8a43128657ff16d08ea
Message-Authenticator = 0xc6044fc3eb7975f75f9afd9edfcca489
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 55
  modcall[authorize]: module preprocess returns ok for request 55
  modcall[authorize]: module chap returns noop for request 55
  modcall[authorize]: module mschap returns noop for request 55
rlm_realm: No '@' in User-Name = sbelki, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 55
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 55
users: Matched entry DEFAULT at line 159
  modcall[authorize]: module files returns ok for request 55
rlm_ldap: - authorize
rlm_ldap: performing user authorization for sbelki
radius_xlat:  '(uid=sbelki)'
radius_xlat:  'ou=people,dc=palermo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=palermo,dc=edu, with
filter (uid=sbelki)
request 57 done
rlm_ldap: checking if remote access for sbelki is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value sample  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user sbelki authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 55
modcall: group authorize returns updated for request 55
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 55
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module eap returns handled for request 55
modcall: group authenticate returns handled for request 55
Sending Access-Challenge of id 66 to 10.30.1.151:1032
EAP-Message = 0x010500061900
Message-Authenticator = 0x
State = 0x06bc31779a10f85cd934953e650bc051
Finished request 55
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 52 ID 63 with timestamp 46f01fd7
Cleaning up request 53 ID 64 with timestamp 46f01fd7
Cleaning up request 54 ID 65 with timestamp 46f01fd7
Cleaning up request 55 ID 66 with timestamp 46f01fd7

***And This is the eap.conf: *

eap {
    default_eap_type = mschapv2
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    tls {
        private_key_password = 
        private_key_file = /etc/pki/tls/certs/radius.key
        certificate_file = /etc/pki/tls/certs/radius.crt
        CA_file = /etc/pki/CA/cacert.pem
        dh_file = /etc/raddb/certs/dh
        random_file = /dev/urandom
        include_length = yes
    }

    ttls {
        default_eap_type = md5
    }

    peap {
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}



Please tell me if something of this file is wrong.
Thanks in advance!!

-- 
--
Sergio Belkin -



Re: Intel Proset Wireless Client does not process RFC3580 Attributes.

2007-09-18 Thread Terry Pelley
Thank you,

That worked perfectly.


FreeRadius users mailing list freeradius-users@lists.freeradius.org
writes:

Terry Pelley
Network Analyst
Business and Learning Technologies
Ottawa-Carleton District School Board


Radrelay with multiple accounting files, radrelay via NFS

2007-09-18 Thread Adam Bultman
Good morning, freeradius users. I have 2.5 questions.

1. Can radrelay be used with multiple accounting directories? I have
multiple (7) directories with files I need to be watching with
radrelay.  I haven't been able to get radrelay to work properly when I
use -a /accounting-dir/ multiple times at the command line.
1.5:   Can one use wildcards for the detailfile?  I have two RADIUS
servers, and each writes to its own file (detail-radius1, detail-radius2).
2.  On linux, radrelay doesn't appear to agree with NFS.  I tried to
host my detail files via NFS, and radrelay would 'run', but not actively
process records.  The radrelay debug would tell me it was processing
records, but would never send any packets.  Meanwhile, the detail file
it was supposed to be watching is ballooning with records.
2.5. Note: We have a solaris server where radrelay runs fine via NFS. 


I'm not too big a newbie to freeradius, but I'm trying to avoid running
one process per NAS I need to monitor, and have my radius detail files
split (some detail files via NFS, other detail files locally on the
machine.)  I've read man pages and googled, but haven't found answers. 
I *do* need to store my files via NFS, for accounting reasons, and doing
copies to an NFS mount isn't really an option, either.


Any help is welcome.

Adam





Re: Controlling access to my Wireless network.

2007-09-18 Thread Phil Mayers
On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.
 

This is an extremely common setup.

http://wiki.freeradius.org/WPA_HOWTO



Re: Controlling access to my Wireless network.

2007-09-18 Thread Kent Thomas
Phil,
Thanks a million for the reply. You are the first to actually reply with
some info for me to look at.

The document you gave is good, except for the client certificate part.  I
don't want to have to give certificates out to everyone on my wireless
network.  Is there a way to get around this?

Thanks a million.
Kent


On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:

 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.
 
 
 This is an extremely common setup.
 
 http://wiki.freeradius.org/WPA_HOWTO
 
 




Re: Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

2007-09-18 Thread Scott Lambert
On Tue, Sep 18, 2007 at 09:54:33AM +0200, Alan DeKok wrote:
 Scott Lambert wrote:
  lrad_packet_list_socket_add() is called with a pointer to the radius
  request packet list structure and the socket file descriptor of the
  socket which has been created with the call to socket() and bound to an
  IP and port by bind() during the prior call to lrad_socket().  Is that
  correct?
 
   Yes.  In the jail, it asks to bind to 0.0.0.0, but the socket
 *actually* binds to the jail IP.  This is why the inaddr_any check
 doesn't match.
 
  So, should we be looking for != in the above if() from
  lrad_packet_list_socket_add()?
 
   ... no.  The issue is that when udpfromto is used, we have:
 
   a) socket binds to 0.0.0.0 (really, outside of the jail)
   b) the server doesn't know which IP is used to send a packet
   c) the server DOES know which IP the response is sent to
 
   Since the received IP doesn't match the source IP, there's a
 little bit of tweaking that has to be done to match the response to an
 outstanding request.  That's what that check is for.

I am sorry for being so dense.  I think I can see that I was wrong
before.

However, what I see, through experimentation and lots of printfs, is that
sockfd is bind()ing with a specified IP of 0.0.0.0. bind() takes care
of fixing that up for processes in the jail and when bind returns, the
socket is *actually* bound to the jail's IP address.  Without the jail
the socket would have remained bound to 0.0.0.0.

Then lrad_packet_list_socket_add() determines what IP we bound to
from the *actual* information in the sockaddr_in structure to which
sockfd points.  That is the ps->ipaddr.ipaddr.ip4addr.s_addr inside
lrad_packet_list_socket_add().  In the jail that is actually the jail's
IP address.

That's all well and good.  However, perhaps the problem comes when
we get to recv_one_packet() in radclient.c and unconditionally set
reply->dst_ipaddr = client_ipaddr which is apparently due to udpfromto
issues.

	/*
	 *	udpfromto issues.  We may have bound to *,
	 *	and we want to find the replies that are sent to
	 *	(say) 127.0.0.1.
	 */
	reply->dst_ipaddr = client_ipaddr;

Commenting that line out makes my jail work.

On my systems, reply->dst_ipaddr == client_ipaddr except when
Packet-Src-IP-Address is NOT specified within the jail.

When Packet-Src-IP-Address is NOT specified within the jail:

radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
radclient: recv_one_packet: reply->dst_ipaddr.ipaddr.ip4addr = 460364101

By leaving reply->dst_ipaddr alone, lrad_packet_list_find_byreply is
able to match the ps->ipaddr with the reply->dst_ipaddr even though
ps->inaddr_any = 0.

I don't know the circumstances in which reply->dst_ipaddr !=
client_ipaddr in such a way that it would be necessary to force them ==.

Are those circumstances mutually exclusive of the jail circumstances?

Could this be the correct location for a fix?
 
-- 
Scott LambertKC5MLE   Unix SysAdmin
[EMAIL PROTECTED]

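The bind()/getsockname() behaviour Scott describes, as an added illustration that is not radclient's or FreeRADIUS's code. It binds a UDP socket to a requested address, asks the kernel what it actually bound (outside a jail 0.0.0.0 comes back unchanged; inside a FreeBSD jail the jail IP comes back, which is the mismatch his printfs turned up), and applies a reply-matching rule that decides "wildcard" from the address that was requested rather than from what getsockname() reports afterwards. The class and function names are this example's own; run it on the host and inside the jail and compare the printed lines.

```python
"""Added illustration: what bind() to 0.0.0.0 really produces, and a
reply-matching rule that keys the wildcard on the *requested* address.
Not radclient's code; names here are this example's own."""
import socket


class BoundSocket:
    """The per-socket record the thread discusses, in miniature: the address
    asked for, what the kernel actually bound, and whether the wildcard was
    requested."""

    def __init__(self, requested_ip):
        self.requested = requested_ip
        self.inaddr_any = requested_ip == "0.0.0.0"
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((requested_ip, 0))                # port 0: kernel picks one
        self.bound, self.port = self.sock.getsockname()  # what the kernel really did

    def close(self):
        self.sock.close()


def reply_matches(rec, reply_dst):
    """Could a reply whose destination address was reply_dst have arrived on
    this socket?  The wildcard decision uses the requested address, so a
    jailed socket that asked for 0.0.0.0 still accepts replies sent to the
    jail IP even though getsockname() no longer says 0.0.0.0."""
    if rec.inaddr_any:
        return True
    return rec.bound == reply_dst


def bound_address(requested_ip):
    """What getsockname() reports after binding to requested_ip."""
    rec = BoundSocket(requested_ip)
    try:
        return rec.bound
    finally:
        rec.close()


def demo_match(requested_ip, reply_dst):
    """Bind to requested_ip and ask whether a reply to reply_dst matches."""
    rec = BoundSocket(requested_ip)
    try:
        return reply_matches(rec, reply_dst)
    finally:
        rec.close()


if __name__ == "__main__":
    for ip in ("0.0.0.0", "127.0.0.1"):
        print("asked for %-9s kernel bound %s" % (ip, bound_address(ip)))
    print("wildcard socket, reply to 127.0.0.1:", demo_match("0.0.0.0", "127.0.0.1"))
    print("loopback socket, reply to 10.0.0.1:", demo_match("127.0.0.1", "10.0.0.1"))
```

Printing bound_address("0.0.0.0") from inside the jail is the one-line check for what Scott observed: if it prints the jail IP rather than 0.0.0.0, any matching logic that derives the wildcard flag from the bound address will set it to 0.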


Re: Controlling access to my Wireless network.

2007-09-18 Thread tnt
If you have XP clients your best option is PEAP. Read instructions in
eap.conf about setting it up. But that will work only if your passwords
are stored in plain text or NT hash (not much to do with EAP but
MSCHAPv2 used as tunnel authentication protocol). If your passwords are
encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.

Ivan Kalik
Kalik Informatika ISP


On 18/9/2007, Kent Thomas [EMAIL PROTECTED] writes:

Phil,
Thanks a million for the reply. You are the first to actually reply with
some info for me to look at.

The document you gave is good, except for the client certificate part.  I
don't want to have to give certificates out to everyone on my wireless
network.  Is there a way to get around this?

Thanks a million.
Kent


On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:

 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.


 This is an extremely common setup.

 http://wiki.freeradius.org/WPA_HOWTO









Re: Controlling access to my Wireless network.

2007-09-18 Thread Kent Thomas
Ivan, thanks a million.  I've been looking at using PEAP.  I have a mixed
network, Mac & XP.  I wouldn't mind using plain text passwords if that could
be forced.  The only configurations that get close to working get as far as
mschapv2, then fail because of no NT/LM password.  If I could use the
password from my LDAP connection which seems to be working nicely, then I
would be thrilled.  Could you give me the eap.conf that would do that?
Thanks a million
Kent 


On 9/18/07 4:27 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 If you have XP clients your best option is PEAP. Read instructions in
 eap.conf about setting it up. But that will work only if your passwords
 are stored in plain text or NT hash (not much to do with EAP but
 MSCHAPv2 used as tunnel authentication protocol). If your passwords are
 encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 18/9/2007, Kent Thomas [EMAIL PROTECTED] writes:
 
 Phil,
 Thanks a million for the reply. You are the first to actually reply with
 some info for me to look at.
 
 The document you gave is good, except for the client certificate part.  I
 don't want to have to give certificates out to everyone on my wireless
 network.  Is there a way to get around this?
 
 Thanks a million.
 Kent
 
 
 On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:
 
 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup WPA
 Enterprise.  I would like some updated documentation on how to do this.
 
 
 This is an extremely common setup.
 
 http://wiki.freeradius.org/WPA_HOWTO
 
 
 
 
 
 
 
 





Re: Controlling access to my Wireless network.

2007-09-18 Thread tnt
If you are in control of Ldap server then you can enforce whatever
password scheme you see fit. If you map Cleartext-Password attribute to
plain text passwords in Ldap everything will work fine. But if you are
using crypt, sha or such on your passwords, mschap will never work.

Your eap.conf is likely to be OK if you are getting that far. Mschapv2 is
failing because passwords in Ldap are encrypted or mapped to some other
password attribute (most often User-Password). But you will need to post
the whole eap conversation in order to be sure.

Ivan Kalik
Kalik Informatika ISP


On 18/9/2007, Kent Thomas [EMAIL PROTECTED] writes:

Ivan, thanks a million.  I've been looking at using PEAP.  I have a mixed
network, Mac & XP.  I wouldn't mind using plain text passwords if that could
be forced.  The only configurations that get close to working get as far as
mschapv2, then fail because of no NT/LM password.  If I could use the
password from my LDAP connection which seems to be working nicely, then I
would be thrilled.  Could you give me the eap.conf that would do that?
Thanks a million
Kent 


On 9/18/07 4:27 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 If you have XP clients your best option is PEAP. Read instructions in
 eap.conf about setting it up. But that will work only if your passwords
 are stored in plain text or NT hash (not much to do with EAP but
 MSCHAPv2 used as tunnel authentication protocol). If your passwords are
 encrypted in some other way you can use SecureW2 supplicant and TTLS-PAP.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 18/9/2007, Kent Thomas [EMAIL PROTECTED] writes:
 
 Phil,
 Thanks a million for the reply. You are the first to actually reply with
 some info for me to look at.
 
 The document you gave is good, except for the client certificate part.  I
 don't want to have to give certificates out to everyone on my wireless
 network.  Is there a way to get around this?
 
 Thanks a million.
 Kent
 
 
 On 9/18/07 4:01 PM, Phil Mayers [EMAIL PROTECTED] wrote:
 
 On Tue, 2007-09-18 at 08:13 -0600, Kent Thomas wrote:
 Hello all,
 I'm looking for a simple way to protect access to my wireless network.  
 I'm
 seeing a lot of old documentation on how to use EAP-TLS to protect the
 wireless network.  I've found lots of old documentation on how to setup 
 WPA
 Enterprise.  I would like some updated documentation on how to do this.
 
 
 This is an extremely common setup.
 
 http://wiki.freeradius.org/WPA_HOWTO
 
 
 
 
 
 
 
 






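Ivan's two replies above make the same point twice: PEAP/MSCHAPv2 can only be verified when the server holds the cleartext password or its NT hash, while TTLS-PAP works against crypt, SHA, SSHA or anything else, because PAP delivers the cleartext inside the TLS tunnel. The example below, added here and not code from the thread or from FreeRADIUS, makes that concrete: it derives the NT hash (MD4 over the UTF-16LE password, RFC 1320 implemented inline since hashlib may lack MD4 on OpenSSL 3 builds), shows which stored forms can yield that hash and which cannot, and verifies a PAP password against {SSHA}, {SHA}, {NT} and cleartext storage. The {SSHA}/{SHA}/{NT} prefixes follow the RFC 2307 userPassword convention; the function names are this example's own, not rlm_pap's or rlm_mschap's.

```python
"""Added example: why MSCHAPv2 needs cleartext or an NT hash and PAP does not.
Not FreeRADIUS code; the store format is RFC 2307-style {SCHEME}value."""
import base64
import hashlib
import hmac
import os
import struct


def _rol(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (needed because MSCHAPv2's NT hash is MD4-based)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rol(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rol(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rol(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password: str, salt: bytes = None) -> str:
    """Store a password the way an LDAP directory commonly does: {SSHA}."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def nt_hash_for_mschapv2(stored: str):
    """What an MSCHAPv2 verifier needs from the store: the NT hash.
    Returns None when the stored form cannot yield it, which is exactly
    the 'no NT/LM password' failure from the thread."""
    if stored.startswith("{NT}"):
        return bytes.fromhex(stored[4:])
    if stored.startswith("{"):        # {SSHA}, {SHA}, {crypt}, {MD5}, ...: one-way
        return None
    return nt_hash(stored)            # cleartext: derive the NT hash on demand


def verify_pap(stored: str, password: str) -> bool:
    """PAP hands the server the cleartext, so any stored form can be checked."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{NT}"):
        return hmac.compare_digest(nt_hash(password), bytes.fromhex(stored[4:]))
    if stored.startswith("{"):
        raise ValueError("unsupported password scheme " + stored.split("}")[0] + "}")
    return hmac.compare_digest(stored.encode("utf-8"), pw)


if __name__ == "__main__":
    for stored in ("password", make_ssha("password"), "{NT}8846F7EAEE8FB117AD06BDD830B7586C"):
        h = nt_hash_for_mschapv2(stored)
        print("%-40s MSCHAPv2 %s  PAP %s" % (stored[:40],
              "ok" if h else "IMPOSSIBLE", verify_pap(stored, "password")))
```

The {SSHA} row is the configuration Kent is in: PAP verifies fine, MSCHAPv2 has nothing to work with. Moving the directory to cleartext (or storing an NT hash alongside) is the fix on the server side; keeping the hashes and switching the supplicant to TTLS-PAP is the fix on the client side.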


Re: Solved: Gigawords

2007-09-18 Thread Peter Nixon
Guilherme

Thanks, I have committed a patch. Sorry about that. This is one of the reasons 
why I normally don't keep the different SQL dialect files in sync without 
significant testing. There are just too many differences. Unfortunately 
this causes them to gradually get out of sync over time. If you see any 
other issues, please let me know and I will fix them.

Regards

Peter

On Tue 18 Sep 2007, Guilherme Franco wrote:
 Hello,

 Just to note that oraclesql.conf (in 1.1.7) is wrong about the gigawords.
 The syntax for using bitwise operators is different in oracle and for such
 needs, you must use the BITAND function and its variants.

 But instead of doing bit shifts, I did this to solve it:

 AcctInputOctets = '%{Acct-Input-Octets}' + ('%{Acct-Input-Gigawords}' *
 4294967296), AcctOutputOctets = '%{Acct-Output-Octets}' +
 ('%{Acct-Output-Gigawords}' * 4294967296)

 Guilherme Franco

 On 9/14/07, Guilherme Franco [EMAIL PROTECTED] wrote:
  Hi Mr. DeKok,
 
  Ok, I've just asked it because of:
  http://wiki.freeradius.org/index.php/FAQ#Why_do_Acct-Input-Octets_and_Acct-Output-Octets_wrap_at_4_GB.3F
  (which says that it should work in older versions)
 
  Also, the rlm_sql_log module version is the same in 1.1.7 as in 1.1.4 (v
  1.3.2.2 2005/12/12).
 
  Thank you.
 
  Guilherme Franco
 
  On 9/14/07, Alan DeKok [EMAIL PROTECTED] wrote:
   Guilherme Franco wrote:
Hello,
   
I'm using rlm_sql_log in freeradius 1.1.4.
   
In order to correctly work with acct-input/ output gigawords,
  
   Upgrade to 1.1.7.
  
   Alan DeKok.



-- 

Peter Nixon
http://peternixon.net/


Re: Limit users traffic quota via radius

2007-09-18 Thread Willie Yeo

You need SNMP to disconnect the link, not Radius.

The only other way I can think of is to use an external program/script  
to check the quota from your accounting records and then, if that quota  
is reached, have the program send an SNMP request to disconnect the user.


On 18/09/2007, at 6:34 PM, Massimiliano Macrì wrote:

I'm trying to close the connection of a pre-paid mobile user after  
he has reached a limited amount of traffic (i.e. 100 megabytes); the  
network device is a Cisco router.
I've found many ways to rate-limit the traffic bandwidth but not one  
to do this.

Is radius the correct way to achieve this goal? Is it all about VSAs?


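Willie's suggestion (an external script that totals a user's traffic from the accounting records and triggers the disconnect), and the gigawords arithmetic from the "Solved: Gigawords" thread above, worked through as an added example that is not from either thread and not FreeRADIUS code. It parses a FreeRADIUS detail file (a date line, tab-indented "Attribute = value" lines, records separated by a blank line), combines each 32-bit octet counter with its Gigawords attribute as octets + gigawords * 2**32, which is what Guilherme's Oracle expression does, keeps only the latest counter per session so that Interim-Update records are not double counted, and returns the users over a byte quota. The records are constructed for the example; the SNMP request that actually drops the session is left to the caller, since no OID or router-side detail is given in the thread.

```python
"""Added example: per-user traffic totals from a FreeRADIUS detail file,
gigawords included, and a quota check.  Records below are constructed."""

SAMPLE_DETAIL = """\
Tue Sep 18 10:15:02 2007
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Id = "0000A1B2"
\tAcct-Input-Octets = 12345678
\tAcct-Output-Octets = 4000000000
\tAcct-Input-Gigawords = 0
\tAcct-Output-Gigawords = 1
\tTimestamp = 1190103302

Tue Sep 18 10:20:44 2007
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0000A1B3"
\tAcct-Input-Octets = 1000
\tAcct-Output-Octets = 50000000
\tTimestamp = 1190103644

Tue Sep 18 10:20:00 2007
\tAcct-Status-Type = Interim-Update
\tUser-Name = "carol"
\tAcct-Session-Id = "0000A1B4"
\tAcct-Input-Octets = 1
\tAcct-Output-Octets = 50000000
\tTimestamp = 1190103600

Tue Sep 18 10:21:00 2007
\tAcct-Status-Type = Interim-Update
\tUser-Name = "carol"
\tAcct-Session-Id = "0000A1B4"
\tAcct-Input-Octets = 1
\tAcct-Output-Octets = 200000000
\tTimestamp = 1190103660

"""


def parse_detail(text):
    """Split a detail file into one dict per record (attribute -> value)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():                     # blank line ends a record
            if current:
                records.append(current)
                current = {}
        elif line[0] in " \t":                   # indented: Attribute = value
            name, _, value = line.strip().partition(" = ")
            current[name] = value.strip('"')
        # any other line is the record's date stamp; nothing to keep from it
    if current:
        records.append(current)
    return records


def session_octets(rec):
    """Bytes in both directions for one record; the 32-bit octet counter plus
    the Gigawords attribute shifted up by 32 bits."""
    def counter(prefix):
        return ((int(rec.get(prefix + "-Gigawords", 0)) << 32)
                + int(rec.get(prefix + "-Octets", 0)))
    return counter("Acct-Input") + counter("Acct-Output")


def usage_per_user(records):
    """Bytes per user.  Counters are cumulative within a session, so keep the
    most recent Stop or Interim-Update per session instead of summing every
    record (summing interims would double count an open session)."""
    latest = {}
    for rec in records:
        if rec.get("Acct-Status-Type") not in ("Stop", "Interim-Update"):
            continue
        key = (rec.get("User-Name"), rec.get("Acct-Session-Id"))
        stamp = int(rec.get("Timestamp", 0))
        if key not in latest or stamp >= latest[key][0]:
            latest[key] = (stamp, session_octets(rec))
    usage = {}
    for (user, _), (_, octets) in latest.items():
        usage[user] = usage.get(user, 0) + octets
    return usage


def over_quota(records, quota_bytes):
    """Sorted user names whose total exceeds quota_bytes."""
    return sorted(u for u, n in usage_per_user(records).items() if n > quota_bytes)


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for user, octets in sorted(usage_per_user(recs).items()):
        print("%-6s %d bytes" % (user, octets))
    print("over 100 MB:", over_quota(recs, 100 * 1024 * 1024))
```

alice is the gigawords case: 4000000000 octets looks under the 4 GB quota, but with Acct-Output-Gigawords = 1 it is really 8294967296 bytes of output. carol shows why the latest-per-session rule matters: her two Interim-Updates describe the same open session, and summing them would report 250 MB instead of 200 MB.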


Denying user from authentication

2007-09-18 Thread anoop_c
Hi,
Thank you for the response. But as per the users file configuration it should deny 
the user if I include that user name with Reject in the users file. Do I need to do any config for 
this to work?

Regards
Anoop


 Message: 3
 Date: Tue, 18 Sep 2007 11:30:53 +0100
 From: [EMAIL PROTECTED]
 Subject: Re: Denying user from authentication
 To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-2
 
 Revoke the certificate.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 18/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
 
 Hi
 I am using EAP-TLS authentication with FreeRADIUS 1.1.7. The
 authentication is a certificate based one.
 
 I want to reject one user. I have done config in users file
 
 anoop07	Auth-Type := Reject
 	Reply-Message = "Your account has been disabled."
 
 Still the user authenticates. How can I prevent a user like this?
 
 Regards
 Anoop
 
 
 
 
 
 
 
 --
 
 Message: 4
 Date: Tue, 18 Sep 2007 14:12:50 +0200
 From: inverse [EMAIL PROTECTED]
 Subject: Re: Denying user from authentication
 To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-1
 
 and make sure to use check_crl = yes in eap.conf
 
 On 9/18/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Revoke the certificate.
 
 
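The two pieces of advice quoted in this thread, revoke the certificate and set check_crl = yes, worked through end to end as an added example that is neither from the thread nor FreeRADIUS code. It builds a throwaway CA in a temporary directory with the openssl command-line tool, issues a client certificate for CN=anoop07, revokes it and publishes a CRL, then verifies the certificate with and without CRL checking. The point it makes is the one behind the check_crl advice: a revoked certificate still chains perfectly well to the CA, so unless the verifier is told to consult the CRL the revocation has no effect. It assumes the openssl binary is on PATH; the CA configuration embedded below is this example's own, not anything from the FreeRADIUS certs directory.

```python
"""Added example: revoke a client certificate and show that only a verifier
that checks the CRL rejects it.  Requires the openssl CLI on PATH."""
import os
import subprocess
import tempfile
import textwrap

# Minimal CA config for this demo (this example's own, not a FreeRADIUS file).
CA_CNF = textwrap.dedent("""\
    [ ca ]
    default_ca = demo_ca

    [ demo_ca ]
    database         = index.txt
    new_certs_dir    = newcerts
    serial           = serial
    certificate      = ca.crt
    private_key      = ca.key
    default_md       = sha256
    default_days     = 365
    default_crl_days = 30
    policy           = demo_policy
    x509_extensions  = client_ext
    unique_subject   = no

    [ demo_policy ]
    commonName = supplied

    [ client_ext ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature
    extendedKeyUsage = clientAuth

    [ req ]
    distinguished_name = req_dn
    prompt = no
    x509_extensions = ca_ext

    [ req_dn ]
    CN = placeholder

    [ ca_ext ]
    basicConstraints = critical, CA:TRUE
    keyUsage = keyCertSign, cRLSign
    subjectKeyIdentifier = hash
    """)


def openssl(workdir, *args):
    """Run one openssl command inside workdir and fail loudly on error."""
    proc = subprocess.run(["openssl", *args], cwd=workdir,
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("openssl %s failed:\n%s" % (args[0], proc.stderr))
    return proc.stdout


def build_demo_ca(workdir):
    """Self-signed CA plus one client certificate signed by it."""
    with open(os.path.join(workdir, "ca.cnf"), "w") as f:
        f.write(CA_CNF)
    os.mkdir(os.path.join(workdir, "newcerts"))
    open(os.path.join(workdir, "index.txt"), "w").close()
    with open(os.path.join(workdir, "serial"), "w") as f:
        f.write("01\n")
    openssl(workdir, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-subj", "/CN=Demo CA", "-keyout", "ca.key", "-out", "ca.crt",
            "-config", "ca.cnf")
    openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=anoop07", "-keyout", "client.key", "-out", "client.csr",
            "-config", "ca.cnf")
    openssl(workdir, "ca", "-batch", "-notext", "-config", "ca.cnf",
            "-in", "client.csr", "-out", "client.crt")


def revoke_client(workdir):
    """Mark the client certificate revoked and publish a fresh CRL."""
    openssl(workdir, "ca", "-config", "ca.cnf", "-revoke", "client.crt")
    openssl(workdir, "ca", "-config", "ca.cnf", "-gencrl", "-out", "ca.crl")


def verify_client(workdir, check_crl):
    """'ok' or 'rejected', the way a TLS server with or without CRL checking
    would see the certificate."""
    args = ["verify", "-CAfile", "ca.crt"]
    if check_crl:
        args += ["-crl_check", "-CRLfile", "ca.crl"]
    proc = subprocess.run(["openssl", *args, "client.crt"], cwd=workdir,
                          capture_output=True, text=True)
    return "ok" if proc.returncode == 0 else "rejected"


def demo():
    """(fresh cert, revoked cert without CRL check, revoked cert with CRL check)."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_ca(d)
        fresh = verify_client(d, check_crl=False)
        revoke_client(d)
        return fresh, verify_client(d, check_crl=False), verify_client(d, check_crl=True)


if __name__ == "__main__":
    fresh, no_crl, with_crl = demo()
    print("before revocation:            ", fresh)
    print("after revocation, no CRL check:", no_crl)
    print("after revocation, CRL check:   ", with_crl)
```

The middle result is the trap: the certificate is revoked in the CA's database, yet a verifier that never loads the CRL still says ok. The CRL also has to be where the server looks for it and reloaded after each -gencrl, or the revocation stays invisible in the same way.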

Re: Freeradius +MS Win XP (EAP) problems

2007-09-18 Thread Alan DeKok
Sergio Belkin wrote:
 I want to configure freeradius (Linux) in order to authenticate and
 authorize MS Windows XP clients (people connect to Access Point
 Linksys). I am using EAP-PEAP and MSCHAP from Windows. If I perform
 radtest from linux clients (using wired network) I have no problem to
 access, but I cannot from Windows XP; these are the messages when I run
 using radiusd -X:
...
 Sending Access-Challenge of id 66 to 10.30.1.151:1032
 EAP-Message = 0x010500061900
 Message-Authenticator = 0x
 State = 0x06bc31779a10f85cd934953e650bc051
 Finished request 55
 Going to the next request
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 52 ID 63 with timestamp 46f01fd7

  This is in the FAQ and comments in the eap.conf distributed with
1.1.7.  Please read the existing documentation.

  Alan DeKok.


Proxy server config with PAP or CHAP

2007-09-18 Thread Amit Jain
Dear All,

I am trying to configure the following.

User -> Access Point -> Free Radius Server (acting as proxy server) -> Radius Server

Now the above configuration works when I have PAP as authentication
method. Now I need to have EAP-MD5 auth between user and free radius
server and PAP or CHAP between free radius server and Radius server.
Please let me know what I need to configure.

Please reply soon as it is urgent... thanks for the help in advance.

Regards,

Amit Jain
