Re: FreeRadius Server: Installation problem
Hi,

> I am trying to install 1.1.6. When I try to make the SUSE Linux Package
> and run the rpm build command then an error message comes which reads:
> freeRadius 1.1.5.gz file not present.

check the "Version" line in the freeradius.spec file of the 1.1.6 suse directory. probably 1.1.5 rather than 1.1.6 - debian got hit by a similar bug/miss.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authentication problem with sql
Hi,

> No one knows?
>
> On 10/23/07, hadi golestani <[EMAIL PROTECTED]> wrote:

^ you posted less than 24 hours ago. this isn't a commercial support contract. maybe someone knows and is currently busy or away.

looking from the logs, it seems that your FR is configured to use system authentication (unix module) - and yet you want to auth via SQL. so remove DEFAULT Auth-Type = System from your users file. that should help.

alan
Re: authentication problem with sql
hadi golestani wrote:
> No one knows?

Edit the "users" file, and delete the entry setting Auth-Type to System.

Alan DeKok.
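The fix Alan gives here (and in the earlier reply) is "delete the entry setting Auth-Type to System". As an added example that is not from this thread or from the FreeRADIUS project, the parser below reads the 1.x "users" file layout (name or DEFAULT in column 0 with its check items, indented reply lines after it) and lists every entry that pins Auth-Type; the sample file is constructed, and the DEFAULT entry in it is the kind that makes rlm_pap report "Found existing Auth-Type, not changing it."

```python
import re
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str, str]   # (Attribute, op, Value)
Entry = Dict[str, object]     # {"name": str, "check": List[Item], "reply": List[Item]}

# Constructed sample in the 1.x "users" layout. The first DEFAULT entry pins Auth-Type
# to System for everyone not matched earlier, so rlm_sql and rlm_pap, which run after
# rlm_files in authorize, find an Auth-Type already set and leave it alone.
SAMPLE_USERS = """\
# a user kept in the users file itself
normaltest  User-Password == "normaltest"
        Reply-Message = "Hello, %u",
        Framed-Protocol = PPP

# everyone else falls through to the unix module
DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
"""

# Operators of the users file; two-character ones come first so "==" is not read as "=".
OP_RE = re.compile(r"^([\w-]+)\s*(!=|==|:=|\+=|-=|=~|!~|=\*|!\*|<=|>=|<|>|=)\s*(.*)$")


def split_items(text: str) -> List[str]:
    """Split a comma-separated item list on commas that are outside double quotes."""
    parts, buf, in_quotes = [], "", False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]


def parse_item(part: str) -> Item:
    """Turn 'Attribute op Value' into a triple, dropping the quotes around a quoted value."""
    m = OP_RE.match(part)
    if not m:
        raise ValueError(f"cannot parse item: {part!r}")
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text: str) -> List[Entry]:
    """An entry starts with a name (or DEFAULT) in column 0 followed by its check items;
    the indented lines after it carry the reply items, comma-separated."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            fields = re.split(r"\s+", raw.strip(), maxsplit=1)
            name, rest = fields[0], fields[1] if len(fields) > 1 else ""
            current = {"name": name, "check": [parse_item(p) for p in split_items(rest)],
                       "reply": []}
            entries.append(current)
        elif current is not None:
            current["reply"].extend(parse_item(p) for p in split_items(raw))
    return entries


def pinned_auth_types(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(entry name, op, value) for every entry whose check items set Auth-Type. A DEFAULT
    here is the entry to remove when the users live in SQL: it wins before rlm_sql and
    rlm_pap get to choose the authentication type."""
    return [(e["name"], op, val) for e in entries
            for attr, op, val in e["check"] if attr == "Auth-Type"]


if __name__ == "__main__":
    for name, op, val in pinned_auth_types(parse_users(SAMPLE_USERS)):
        print(f"entry {name!r} pins Auth-Type {op} {val}")
```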
Re: authentication problem with sql
No one knows?

On 10/23/07, hadi golestani <[EMAIL PROTECTED]> wrote:
>
> Hi,
> my freeradius works well with users files users but when I test it with
> one of my users that is stored in db, the authentication fails.
> what is needed to authenticate users that are stored in db.
>
> two debug mode output is attached:
> it's debug response for a user that is stored in db:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1029, id=90, length=58
>         User-Name = "n2test"
>         User-Password = "n2test"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1645
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "n2test", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 1
>     users: Matched entry DEFAULT at line 154
>   modcall[authorize]: module "files" returns ok for request 1
> radius_xlat: 'n2test'
> rlm_sql (sql): sql_set_user escaped user --> 'n2test'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'n2test' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 2
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'n2test' ORDER BY id'
> radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 2
>   modcall[authorize]: module "sql" returns ok for request 1
> rlm_pap: Found existing Auth-Type, not changing it.
>   modcall[authorize]: module "pap" returns noop for request 1
> modcall: leaving group authorize (returns ok) for request 1
> rad_check_password: Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   modcall[authenticate]: module "unix" returns notfound for request 1
> modcall: leaving group authenticate (returns notfound) for request 1
> auth: Failed to validate the user.
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 90 to 127.0.0.1 port 1029
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 90 with timestamp 471de1e9
> Nothing to do. Sleeping until we see a request.
>
>
> and it's the output for a normal user that is stored in users file:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1029, id=43, length=62
>         User-Name = "normaltest"
>         User-Password = "normaltest"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 1645
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "normaltest", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry normaltest at line 1
>   modcall[authorize]: module "files" returns ok for request 0
> radius_xlat: 'normaltest'
> rlm_sql (sql): sql_set_user escaped user --> 'normaltest'
> radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'normaltest' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> rlm_sql (sql): User normaltest not found in radcheck
> radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgrou
Re: Please help with my EAP config - PEAP/MSCHAP
Nyle wrote:
> Thank you, thank you, thank you - You know after you've looked at a
> problem from 6 different directions for too long. Often the simplest
> solution doesn't come to mind. Your last statement - "Tell the server what
> the user's correct password is." - took me to the simplest fix. Reset the
> user's Novell eDirectory based Universal Password. Once I set the password it
> worked, now I can debug why the system that should synchronize those
> passwords automatically isn't working right. :)
> I do have another related question but it might need to be a separate post.
> However, let me ask it here and see.
>
> The built in Windows XP Pro SP2 wireless will now connect correctly but when
> I switch back to the DELL Wireless Utility and use
> WPA-ENTERPRISE/PEAP/MSCHAPv2, I don't even see debugging information from
> radiusd. It's like it doesn't even receive the request at all.

Well, that would suggest that the machine isn't trying to log in at *all*.

Alan DeKok.
Re: Ip pool lease migration
Francesco Cristofori wrote:
> Is it a good idea to use rlm_ippool_tool to extract leases from radA and
> then inserting them in radB with rlm_ippool_tool -n ?

Why? If you need to copy information from one server to another, see "radrelay".

Alan DeKok.
Adding attributes
Hi,

How do I add cisco attributes to a user or a group of users?

For single user example, user bob has "permit ip any x", user john has "permit ip any y", user kevin has "permit ip any z".

For group users example, users of group 1 have "permit ip any x", and users of group 2 have "permit ip any y".

So that users can authenticate from any ip to these two servers.

Thanks in advance for your reply. I am using freeRadius 1.1.7 on Linux Redhat ES 4.0

Vinh
Re: aaa accounting command
in case any help, here's some howto's for TACACS+ integrating with some other features

http://www.debian-administration.org/articles/429

or for BSD

http://www.joe-ma.co.za/page.php?9

Andy

On 23/10/2007, Kevin Bonner <[EMAIL PROTECTED]> wrote:
> On Tuesday 23 October 2007 11:58:22 Dominique Demore wrote:
> > Hi folks,
> >
> > Is there any method of keeping track of the commands issued by a user with
> > Radius? Under the aaa option, there is "aaa accounting command " but
> > for some reason, I'm not seeing the accounting information stored in the
> > radacct information. I know a few years ago, this was an issue, but I'm not
> > sure if it has been resolved.
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39493.html
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg34103.html
>
> > Does anyone have an alternative to accomplish this if it's not possible
> > with Radius?
>
> TACACS+
>
> Kevin Bonner
Re: aaa accounting command
On Tuesday 23 October 2007 11:58:22 Dominique Demore wrote:
> Hi folks,
>
> Is there any method of keeping track of the commands issued by a user with
> Radius? Under the aaa option, there is "aaa accounting command " but
> for some reason, I'm not seeing the accounting information stored in the
> radacct information. I know a few years ago, this was an issue, but I'm not
> sure if it has been resolved.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39493.html
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg34103.html

> Does anyone have an alternative to accomplish this if it's not possible
> with Radius?

TACACS+

Kevin Bonner
Re: Please help with my EAP config - PEAP/MSCHAP
Alan DeKok-4 wrote:
>
> Nyle wrote:
>> I'm sure it's something simple I missed when following
>> the online setup guides that are supposed to walk you through. I've
>> checked
>> and re-checked my eap.conf and radiusd.conf.
>
> There's a lot of this error: Maybe you want to check that out.
>
>> rlm_ldap: performing search in ou=TechSupport,ou=JeffS,o=Jeff, with
>> filter
>> (cn=auser)
>> rlm_ldap: checking if remote access for auser is allowed by
>> wirelessAccess
>> rlm_ldap: Error reading Universal Password.Return Code = -16049
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>
> And there's no "known good" password found for the user.
>
>> rlm_mschap: No User-Password configured. Cannot create LM-Password.
>> rlm_mschap: No User-Password configured. Cannot create NT-Password.
>> rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
>> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>
> Tell the server what the user's correct password is.
>
> Alan DeKok.
>

Thank you, thank you, thank you - You know after you've looked at a problem from 6 different directions for too long. Often the simplest solution doesn't come to mind. Your last statement - "Tell the server what the user's correct password is." - took me to the simplest fix. Reset the user's Novell eDirectory based Universal Password. Once I set the password it worked, now I can debug why the system that should synchronize those passwords automatically isn't working right.

I do have another related question but it might need to be a separate post. However, let me ask it here and see.

The built in Windows XP Pro SP2 wireless will now connect correctly but when I switch back to the DELL Wireless Utility and use WPA-ENTERPRISE/PEAP/MSCHAPv2, I don't even see debugging information from radiusd. It's like it doesn't even receive the request at all. As I said, I understand if I don't get a reply but has anyone seen this?

-Nyle
aaa accounting command
Hi folks,

Is there any method of keeping track of the commands issued by a user with Radius? Under the aaa option, there is "aaa accounting command " but for some reason, I'm not seeing the accounting information stored in the radacct information. I know a few years ago, this was an issue, but I'm not sure if it has been resolved.

Does anyone have an alternative to accomplish this if it's not possible with Radius?

Thanks.

--
Dominique
Ip pool lease migration
Hi all,

I have two FR instances up with only one (let's call it radA, the other radB) actually serving IP addresses from several ip pools.

Is it a good idea to use rlm_ippool_tool to extract leases from radA and then inserting them in radB with rlm_ippool_tool -n ?

I think it would be better to use sql_ippool (having only one centralized ip pool cache), but now it's not a viable solution to me.

Suggestions are always welcome. :-)

Thanks in advance,
Francesco.
Re: Proposed Freeradius - Kerberos authentication
David Pullman wrote:
> I've been reading the FAQs, the man pages, and going over mailing list
> archives, and also the info at deployingradius.com. I thought I should
> start by checking that I'm heading in the right direction before trying
> building stuff. I'm proposing that we use Freeradius to authenticate
> the connections to the wireless APs using the MIT Kerberos server. If
> this is possible, would it be done using EAP-TTLS from the clients,

Yes.

> and
> the Auth-Type would need to be defaulted to Kerberos so that the
> rlm_krb5 module would be used? I'm basing this on the Protocols page in
> conjunction with a thread from earlier in October about EAP-TTLS and
> Kerberos.

Pretty much. If you follow the instructions in the previous thread, you can set:

DEFAULT FreeRADIUS-Proxied-To := 127.0.0.1, Auth-Type = Kerberos

Put that at the top of the "users" file, and EAP-TTLS with tunneled PAP should work.

This also means having EAP-TTLS software on the clients (SecureW2 for Windows), and configuring them with PAP as the inner tunnel authentication method.

Alan DeKok.
RE: Proposed Freeradius - Kerberos authentication
David,

> I've been reading the FAQs, the man pages, and going over
> mailing list archives, and also the info at
> deployingradius.com. I thought I should start by checking
> that I'm heading in the right direction before trying
> building stuff. I'm proposing that we use Freeradius to
> authenticate the connections to the wireless APs using the
> MIT Kerberos server. If this is possible, would it be done
> using EAP-TTLS from the clients, and the Auth-Type would need
> to be defaulted to Kerberos so that the
> rlm_krb5 module would be used? I'm basing this on the
> Protocols page in conjunction with a thread from earlier in
> October about EAP-TTLS and Kerberos.

You're heading in the right direction. Note that if the synced passwords all exist in the AD, you can also consider the use of EAP-PEAP; the principal advantage being the use of the Windows native supplicant; this does not support EAP-TTLS without the use of third-party tools.

josh.
Proposed Freeradius - Kerberos authentication
We have a new requirement to provide wireless access to our network with an authenticated connection. The wireless access/connection is controlled by a Cisco 4402 controller. The clients that will connect are Windows XP, Mac OSX, and Linux OS laptops. We have all of the systems on the wired network currently logging in to either to a Windows AD domain (XP) or to a MIT Kerberos realm (Linux and OSX). The user password is synchronized on these two authentication sources.

I've been reading the FAQs, the man pages, and going over mailing list archives, and also the info at deployingradius.com. I thought I should start by checking that I'm heading in the right direction before trying building stuff. I'm proposing that we use Freeradius to authenticate the connections to the wireless APs using the MIT Kerberos server. If this is possible, would it be done using EAP-TTLS from the clients, and the Auth-Type would need to be defaulted to Kerberos so that the rlm_krb5 module would be used? I'm basing this on the Protocols page in conjunction with a thread from earlier in October about EAP-TTLS and Kerberos.

Thanks very much.

--David Pullman
authentication problem with sql
Hi,
my freeradius works well with users files users but when I test it with one of my users that is stored in db, the authentication fails.
what is needed to authenticate users that are stored in db.

two debug mode output is attached:
it's debug response for a user that is stored in db:

rad_recv: Access-Request packet from host 127.0.0.1:1029, id=90, length=58
        User-Name = "n2test"
        User-Password = "n2test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "n2test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 154
  modcall[authorize]: module "files" returns ok for request 1
radius_xlat: 'n2test'
rlm_sql (sql): sql_set_user escaped user --> 'n2test'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'n2test' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'n2test' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'n2test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok for request 1
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 90 to 127.0.0.1 port 1029
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 90 with timestamp 471de1e9
Nothing to do. Sleeping until we see a request.

and it's the output for a normal user that is stored in users file:

rad_recv: Access-Request packet from host 127.0.0.1:1029, id=43, length=62
        User-Name = "normaltest"
        User-Password = "normaltest"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1645
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "normaltest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry normaltest at line 1
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat: 'normaltest'
rlm_sql (sql): sql_set_user escaped user --> 'normaltest'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'normaltest' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): User normaltest not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'normaltest' AND usergroup.GroupName = radgroupreply.GroupName ORDER
Re: Please help with my EAP config - PEAP/MSCHAP
Nyle wrote:
> I'm trying to set up Freeradius on SuSe 9 to authenticate against LDAP on
> the same box. I can use radtest locally and ntradping from a remote
> workstation and receive an accept. So it looks like it's configured well
> enough for the direct LDAP with clients.conf. However, when I try and use a
> Windows XP Pro client with my 3COM AP it returned a reject. I've tried
> searching on what appears to be the errors in the below log but nothing
> seems to stand out. I'm sure it's something simple I missed when following
> the online setup guides that are supposed to walk you through. I've checked
> and re-checked my eap.conf and radiusd.conf.

There's a lot of this error: Maybe you want to check that out.

> rlm_ldap: performing search in ou=TechSupport,ou=JeffS,o=Jeff, with filter (cn=auser)
> rlm_ldap: checking if remote access for auser is allowed by wirelessAccess
> rlm_ldap: Error reading Universal Password.Return Code = -16049
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

And there's no "known good" password found for the user.

> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for auser with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.

Tell the server what the user's correct password is.

Alan DeKok.
Please help with my EAP config - PEAP/MSCHAP
Hello,

I'm trying to set up Freeradius on SuSe 9 to authenticate against LDAP on the same box. I can use radtest locally and ntradping from a remote workstation and receive an accept. So it looks like it's configured well enough for the direct LDAP with clients.conf. However, when I try and use a Windows XP Pro client with my 3COM AP it returned a reject. I've tried searching on what appears to be the errors in the below log but nothing seems to stand out. I'm sure it's something simple I missed when following the online setup guides that are supposed to walk you through. I've checked and re-checked my eap.conf and radiusd.conf. Below is the output from radiusd. Any help is greatly appreciated and thanks in advance. :-D

http://www.nabble.com/file/p13363453/radiusd.conf (radiusd.conf)
http://www.nabble.com/file/p13363453/eap.conf (eap.conf)

-Nyle

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=RADMIN,o=SuSeRadius"
 ldap: tls_mode = yes
 ldap: start_tls = no
 ldap: tls_cacertfile = "/etc/raddb/certs/rootcert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "XX"
 ldap: basedn = "ou=TechSupport,ou=JeffS,o=Jeff"
 ldap: filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmPassword"
 ldap: access_attr = "wirelessAccess"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC
Re: Freeradius doesn't detect EAP when authenticating against MySQL
primoz wrote:
> Aah, I like the reverse psychology approach here, but I'm just trying to
> gather information and knowledge from different sources.

Q: Hi, how does RADIUS work?
A: here's how...
Q: But web works differently...
A: So?
Q: Why are you so mean?
A:

> Sorry for my newbiness, will dive into the documentation and decide
> whether to use PAP or store passwords in clear text.

Once you decide which authentication mechanism to use, the choice of storing passwords MUST be taken from the web page I showed you. i.e. you DO NOT have a choice as to how to store passwords. You MUST pick one of the available options. Picking any other option means that your selected authentication method WILL NOT WORK.

> EAP_TTLS would work, but windows XP client doesn't support it, and I
> would like to avoid installing extra supplicant.

So... read the web page. Decide if it's OK for you to store passwords in one of the approved formats. If not, decide that it's OK for you to NOT use that authentication mechanism.

It's not hard. It doesn't require reading massive documentation or how-to's. It involves reading what's possible, believing it, and making a choice from the possible alternatives. You can then move on, and devote time and effort to understanding complicated problems. Don't waste time trying to figure out EAP/password compatibility when there's a web page giving you ALL the answers.

Alan DeKok.
Re: Struggling - radgroupcheck/radgroupreply
On Mon, 2007-10-22 at 19:30 -0400, Bryan Martin wrote: > I need to have my NetworkGroup get passed one set of attributes and my > ServerGroup get passed another. But I have some EnterpriseAdmins who need > access to both sets so i need to pass the correct attribute back depending > on which device they try to auth from. This is getting to be an FAQ. http://marc.info/?l=freeradius-users&m=119010719300080&w=2 > > User Joe is a EnterpriseAdmin. He is a member of the NetworkGroup and the > ServerGroup so I need him to have the correct attributes passed to him > depending on which NAS-IP-Address he comes from respectivly. For instance, > if joe trys to log in through 192.168.0.50 I need to pass back "Class = > OU=ServerGroup". If joe trys to log in through 192.168.0.1 I need to pass > him "Class = OU=NetworkGroup". The way it stands no matter which > NAS-IP-Address he comes from because he is a member of both groups he gets > both attributes sent back from radgroupreply. > > User Sally is a member of the NetworkGroup so I only want radgroupreply to > send just the attributes for the NetworkGroup. > > User Bob is a ServerGroup so I only want bob to get the attributes from the > ServerGroup. 
> > mysql> select * from radcheck; > ++--+--++---+ > | id | UserName | Attribute| op | Value > | > ++--+--++---+ > | 8 | joe | Password-With-Header | := | > {md5}928a40033e748ad825e92ec4f9870696 | > | 9 | sally| Password-With-Header | := | > {md5}928a40033e748ad825e92ec4f9870696 | > | 10 | bob | Password-With-Header | := | > {md5}928a40033e748ad825e92ec4f9870696 | > ++--+--++---+ > > mysql> select * from usergroup; > +--+--+--+ > | UserName | GroupName| priority | > +--+--+--+ > | joe | NetworkGroup |1 | > | joe | ServerGroup |2 | > | sally| NetworkGroup |1 | > | bob | ServerGroup |1 | > +--+--+--+ > > mysql> select * from radgroupcheck; > ++--+++--+ > | id | GroupName| Attribute | op | Value| > ++--+++--+ > | 9 | ServerGroup | NAS-IP-Address | = | 192.168.0.50 | > | 10 | ServerGroup | Auth-Type | = | MD5 | > | 11 | NetworkGroup | NAS-IP-Address | = | 192.168.0.1 | > | 12 | NetworkGroup | Auth-Type | = | MD5 | > ++--+++--+ > > mysql> select * from radgroupreply; > ++--+---++-+ > | id | GroupName| Attribute | op | Value | > ++--+---++-+ > | 17 | NetworkGroup | Class | := | OU=NetworkGroup | > | 18 | ServerGroup | Class | := | OU=serverGroup | > ++--+---++-+ > > > Steps to reproduce if needed. 
> insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'NetworkGroup', 1);
> insert into usergroup (UserName, GroupName, priority) VALUES ('joe', 'ServerGroup', 2);
> insert into usergroup (UserName, GroupName, priority) VALUES ('sally', 'NetworkGroup', 1);
> insert into usergroup (UserName, GroupName, priority) VALUES ('bob', 'ServerGroup', 1);
>
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'NAS-IP-Address', '=', '192.168.0.50');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('ServerGroup', 'Auth-Type', '=', 'MD5');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'NAS-IP-Address', '=', '192.168.0.1');
> insert into radgroupcheck (GroupName, Attribute, op, value) VALUES ('NetworkGroup', 'Auth-Type', '=', 'MD5');
>
> insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('NetworkGroup', 'Class', ':=', 'OU=NetworkGroup');
> insert into radgroupreply (GroupName, Attribute, op, Value) VALUES ('ServerGroup', 'Class', ':=', 'OU=serverGroup');
>
> Thanks for your time.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
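The point behind the FAQ link is that group check items act as a filter: a group's radgroupreply rows are only returned when every radgroupcheck row for that group matches the request. The following is an added model of that evaluation, written for this thread and not rlm_sql's own code. It loads the poster's tables into sqlite and applies the operator semantics documented in users(5), where `==` compares against the request and `=`/`:=` assign a value (such as Auth-Type) without comparing. The posted rows use `=` on NAS-IP-Address, so the model takes the NAS operator as a parameter and is run with `==`; `build_db`, `group_reply_items` and `class_values` are names invented here.

```python
"""Added example (not rlm_sql code): a small model of FreeRADIUS SQL group
processing over the usergroup / radgroupcheck / radgroupreply tables posted
above.  Operator semantics follow users(5): '==' compares against the
request; '=', ':=' and '+=' assign and never veto a match."""
import sqlite3

SCHEMA = """
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                            Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
                            Attribute TEXT, op TEXT, Value TEXT);
"""


def build_db(nas_op="=="):
    """In-memory copy of the poster's tables; nas_op is the operator placed on
    the NAS-IP-Address check items ('==' to compare, '=' as originally posted)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?, ?)", [
        ("joe", "NetworkGroup", 1), ("joe", "ServerGroup", 2),
        ("sally", "NetworkGroup", 1), ("bob", "ServerGroup", 1)])
    conn.executemany(
        "INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) "
        "VALUES (?, ?, ?, ?)", [
            ("ServerGroup", "NAS-IP-Address", nas_op, "192.168.0.50"),
            ("ServerGroup", "Auth-Type", "=", "MD5"),
            ("NetworkGroup", "NAS-IP-Address", nas_op, "192.168.0.1"),
            ("NetworkGroup", "Auth-Type", "=", "MD5")])
    conn.executemany(
        "INSERT INTO radgroupreply (GroupName, Attribute, op, Value) "
        "VALUES (?, ?, ?, ?)", [
            ("NetworkGroup", "Class", ":=", "OU=NetworkGroup"),
            ("ServerGroup", "Class", ":=", "OU=serverGroup")])
    return conn


def check_item_matches(request, attr, op, value):
    """Evaluate one check item against the request attributes (a dict here)."""
    if op in ("=", ":=", "+="):       # assignment operators never compare
        return True
    if attr not in request:           # comparing with an absent attribute fails
        return False
    if op == "==":
        return request[attr] == value
    if op == "!=":
        return request[attr] != value
    raise ValueError(f"operator {op!r} not modelled")


def group_reply_items(conn, username, request):
    """Walk the user's groups in priority order.  A group contributes its reply
    items only if every check item matches; processing stops at the first
    matching group unless its reply carries Fall-Through = Yes."""
    reply = []
    groups = conn.execute(
        "SELECT GroupName FROM usergroup WHERE UserName = ? ORDER BY priority",
        (username,)).fetchall()
    for (group,) in groups:
        checks = conn.execute(
            "SELECT Attribute, op, Value FROM radgroupcheck "
            "WHERE GroupName = ? ORDER BY id", (group,)).fetchall()
        if not all(check_item_matches(request, a, o, v) for a, o, v in checks):
            continue
        items = conn.execute(
            "SELECT Attribute, op, Value FROM radgroupreply "
            "WHERE GroupName = ? ORDER BY id", (group,)).fetchall()
        fall_through = False
        for attr, op, value in items:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, op, value))
        if not fall_through:
            break
    return reply


def class_values(username, nas_ip, nas_op="=="):
    """Class value(s) the model returns for a user authenticating from nas_ip."""
    conn = build_db(nas_op)
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    return [v for a, _, v in group_reply_items(conn, username, request)
            if a == "Class"]


if __name__ == "__main__":
    for user, nas in [("joe", "192.168.0.50"), ("joe", "192.168.0.1"),
                      ("sally", "192.168.0.1"), ("sally", "192.168.0.50")]:
        print(user, nas, class_values(user, nas))
```

With `==` on the NAS-IP-Address rows, joe gets exactly one Class value that depends on the NAS he comes from, sally gets nothing from 192.168.0.50, and no second group is consulted once one has matched. Running the same model with `=` shows that an assignment operator selects nothing: joe's first group by priority is returned regardless of the NAS address.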
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Aah, i like the reverse psychology approach here, but I'm just trying to
gather information and knowledge from different sources. Sorry for my
newbiness, will dive into the documentation and decide whether to use PAP
or store passwords in clear text. EAP_TTLS would work, but windows XP
client doesn't support it, and i would like to avoid installing extra
supplicant.

thanks for everybody's time...

greetz, primski

On 10/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> primoz wrote:
> > And PAP is not very safe and smart way to go as i read it.
>
> PAP is fine for RADIUS.
>
> > So, crypted passwords are useful only in web applications?
>
> That's not at all what I said. I specifically mentioned Unix logins.
> Crypt'd passwords are useful only for PAP. There are many, many, kinds
> of systems using clear-text passwords (i.e. PAP) for authentication.
>
> > I read a lot
> > lately about, how one should never store passwords in clear text, i
> > guess that applies only to web apps.
>
> No. It's written by people who either don't understand security, OR
> aren't using EAP methods. Again, if all you're doing is PAP, then
> crypt'd passwords are OK. If you need EAP, you also need clear-text
> passwords.
>
> Stop trying to apply comments from web application "how-to's" to
> RADIUS. They're not the same, and the security analysis is not the same.
>
> > It is safe, sane, and common practice to store passwords in clear
> > text.
> >
> > I do not have much experience with this, in fact it's my first project on
> > the matter.
>
> Then why are you questioning the answers you get here?
>
> Alan DeKok.
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Hi,

> And PAP is not very safe and smart way to go as i read it.

as an inner auth type for EAP-TTLS it isn't too bad.

alan
Re: Freeradius doesn't detect EAP when authenticating against MySQL
primoz wrote:
> And PAP is not very safe and smart way to go as i read it.

PAP is fine for RADIUS.

> So, crypted passwords are useful only in web applications?

That's not at all what I said. I specifically mentioned Unix logins.
Crypt'd passwords are useful only for PAP. There are many, many, kinds
of systems using clear-text passwords (i.e. PAP) for authentication.

> I read a lot
> lately about, how one should never store passwords in clear text, i
> guess that applies only to web apps.

No. It's written by people who either don't understand security, OR
aren't using EAP methods. Again, if all you're doing is PAP, then
crypt'd passwords are OK. If you need EAP, you also need clear-text
passwords.

Stop trying to apply comments from web application "how-to's" to
RADIUS. They're not the same, and the security analysis is not the same.

> It is safe, sane, and common practice to store passwords in clear
> text.
>
> I do not have much experience with this, in fact it's my first project on
> the matter.

Then why are you questioning the answers you get here?

Alan DeKok.
Re: FreeRADIUS and SNMP questions
Geoffroy Arnoud wrote:
> 1/ Is it possible to run 2 FreeRADIUS servers on the
> same box, with SNMP support activated? I understand
> it's possible, using distinct values for smux_password
> parameter.

I'm not sure. FreeRADIUS tries to grab the IETF RADIUS SNMP OID space.
If there are two servers, they may conflict with their OID registration.

Perhaps it would be useful to *also* export the IETF SNMP space under a
configurable hierarchy?

> 2/ Connecting FreeRADIUS to Net-SNMP using SMUX is
> quite easy. Has anyone connected FreeRADIUS with BMC
> Patrol agent using SMUX?

Not me, sorry.

Alan DeKok.
Re: Freeradius doesn't detect EAP when authenticating against MySQL
On 10/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> preem wrote:
> > So, what is a common practice to do this then?
>
> It's not.
>
> People store MD5 or crypt'd passwords when the ONLY authentication
> they're doing is PAP. i.e. Unix logins, where the user supplies a
> clear-text password to the authentication system.

And PAP is not very safe and smart way to go as i read it.

> For many EAP types, people do NOT store MD5 or crypt'd passwords,
> because they're useless.

So, crypted passwords are useful only in web applications? I read a lot
lately about, how one should never store passwords in clear text, i
guess that applies only to web apps.

> > I understand it's not very
> > safe nor sane to store passwords in clear text, that's why I wanted to
> > avoid that, however it seems inevitable.
>
> It is safe, sane, and common practice to store passwords in clear text.

I do not have much experience with this, in fact it's my first project on
the matter.

> > I am managing a wired network for some 300 users, it's a student dorm and
> > the university owns the network and they require authentication for the
> > ease of management and control. 802.1x felt like the right way to go,
> > because we are planning some wireless access points as well. There are
> > HP's Procurve 2650 switches in use. I chose mysql db backend, because I
> > also created a set of PHP scripts, where users can change their passwords
> > and admin can add/del/modify user info.
> > So what can one do to avoid storing passes in clear text or is it sane
> > enough? The server also serves some web pages and dhcp requests.
>
> Ensure that no one has physical access to the system storing the
> passwords. Ensure that no one has network access to the system storing
> the passwords.

That will be no problem, since I'm the only one with physical access.

> I would also suggest running the RADIUS server and/or the MySQL server
> with passwords on a separate machine from the web/dhcp server. That
> way, if someone breaks into the web server, they won't have access to
> the passwords.

I am using VMWare server, so that won't require much work.

> Alan DeKok.

Thanks again, for clearing this up.

primski
FreeRADIUS and SNMP questions
Hi all,

I have 2 questions regarding FreeRADIUS and SNMP:

1/ Is it possible to run 2 FreeRADIUS servers on the same box, with SNMP
support activated? I understand it's possible, using distinct values for
smux_password parameter.

2/ Connecting FreeRADIUS to Net-SNMP using SMUX is quite easy. Has anyone
connected FreeRADIUS with BMC Patrol agent using SMUX?

Thanks for any answer

Geoff.
Re: Are SHA-256 certificates supported?
[EMAIL PROTECTED] wrote:
> I need to set up a RADIUS server that accepts certificates which use
> SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
> up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
> box.

If OpenSSL supports it, AND the client supplicant supports it, it should work.

> Here's a snippet of the log I got from my SHA-256 test:
>
> =
> --> verify error:num=7:certificate signature failure
> rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm

That would seem to be an SSL issue.

> So, I'd like to know if FreeRADIUS supports SHA-256 certificates?
> If it doesn't, is the support for them planned?

FreeRADIUS doesn't support SSL. It uses OpenSSL, which *does* support
SSL. So if there are SSL issues, find out why OpenSSL doesn't like the
TLS session.

Alan DeKok.
Re: TTLS with Mutual Authentication
Zolotov, Eyal wrote:
> By 'mutual authentication' I refer to the following authentication process:
>
> 1. The client authenticates the server

Give the client the CA cert used to sign the server cert.

> 2. The server authenticates the client

Create a client cert, signed by the server cert.

> 3. Only then - the client sends username + password using MSCHAPv2

In unlang, set:

	update control {
		EAP-TLS-Require-Client-Cert = yes
	}

This forces the server to validate the client cert, which is normally not
required for TTLS.

Alan DeKok.
Re: Freeradius doesn't detect EAP when authenticating against MySQL
preem wrote:
> So, what is a common practice to do this then?

It's not.

People store MD5 or crypt'd passwords when the ONLY authentication
they're doing is PAP. i.e. Unix logins, where the user supplies a
clear-text password to the authentication system.

For many EAP types, people do NOT store MD5 or crypt'd passwords,
because they're useless.

> I understand it's not very
> safe nor sane to store passwords in clear text, that's why I wanted to avoid
> that, however it seems inevitable.

It is safe, sane, and common practice to store passwords in clear text.

> I am managing a wired network for some 300 users, it's a student dorm and the
> university owns the network and they require authentication for the ease of
> management and control. 802.1x felt like the right way to go, because we are
> planning some wireless access points as well. There are HP's Procurve 2650
> switches in use. I chose mysql db backend, because I also created a set of
> PHP scripts, where users can change their passwords and admin can
> add/del/modify user info.
> So what can one do to avoid storing passes in clear text or is it sane
> enough? The server also serves some web pages and dhcp requests.

Ensure that no one has physical access to the system storing the
passwords. Ensure that no one has network access to the system storing
the passwords.

I would also suggest running the RADIUS server and/or the MySQL server
with passwords on a separate machine from the web/dhcp server. That
way, if someone breaks into the web server, they won't have access to
the passwords.

Alan DeKok.
Are SHA-256 certificates supported?
Hi,

I need to set up a RADIUS server that accepts certificates which use
SHA-256 as signature algorithm (OID sha256WithRSAEncryption). I have set
up a FreeRADIUS 2.0.0-pre2 server to see if this would work out of the
box. After verifying that EAP-TLS authentication works with SHA-1
certificates I switched to a SHA-256 certificate that was created with
OpenSSL 0.9.8b, the same that FreeRADIUS was compiled against.

Here's a snippet of the log I got from my SHA-256 test:

=
--> verify error:num=7:certificate signature failure
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
=

It would seem there's a problem somewhere. It may very well be in the
client I'm using. So, I'd like to know if FreeRADIUS supports SHA-256
certificates? If it doesn't, is the support for them planned?

thanks in advance,
- Hannu
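Alan's answer to this question (find out why OpenSSL, not FreeRADIUS, rejects the session) suggests a check that takes FreeRADIUS out of the picture: ask the same OpenSSL build directly whether it can issue and verify a sha256WithRSAEncryption certificate. The script below is an added example, not part of this thread or of FreeRADIUS; it drives the `openssl` command-line tool from Python, and the subject names, file names and function names (`make_test_certs`, `cert_signature_algorithm`, `chain_verifies`) are all constructed here. If `openssl verify` fails on a SHA-256 signed chain, the "unknown message digest algorithm" error in the log above is coming from the OpenSSL library itself.

```python
"""Added example (not FreeRADIUS code): check, independently of the RADIUS
server, whether the local OpenSSL can sign and verify a certificate whose
signature algorithm is sha256WithRSAEncryption."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args):
    """Run one openssl sub-command and return its stdout; raise on failure."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def cert_signature_algorithm(cert_path):
    """Signature algorithm name as printed by `openssl x509 -text`, for
    example 'sha256WithRSAEncryption' or 'sha1WithRSAEncryption'."""
    text = _openssl("x509", "-in", str(cert_path), "-noout", "-text")
    match = re.search(r"Signature Algorithm:\s*(\S+)", text)
    return match.group(1) if match else None


def chain_verifies(ca_path, leaf_path):
    """True when `openssl verify` accepts leaf_path as issued by ca_path."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    result = subprocess.run(
        ["openssl", "verify", "-CAfile", str(ca_path), str(leaf_path)],
        capture_output=True, text=True)
    return result.returncode == 0


def make_test_certs(digest="sha256"):
    """Create a throw-away CA and a client certificate signed with `digest`
    in a fresh temporary directory; return (ca_pem, client_pem) paths.
    All names are constructed for this example."""
    d = Path(tempfile.mkdtemp())
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", f"-{digest}",
             "-days", "1", "-subj", "/CN=Example Test CA",
             "-keyout", str(d / "ca.key"), "-out", str(d / "ca.pem"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=example-client",
             "-keyout", str(d / "client.key"), "-out", str(d / "client.csr"))
    _openssl("x509", "-req", f"-{digest}", "-days", "1",
             "-in", str(d / "client.csr"), "-CA", str(d / "ca.pem"),
             "-CAkey", str(d / "ca.key"), "-CAcreateserial",
             "-out", str(d / "client.pem"))
    return d / "ca.pem", d / "client.pem"


if __name__ == "__main__":
    ca, client = make_test_certs("sha256")
    print("client cert signed with:", cert_signature_algorithm(client))
    print("OpenSSL verifies the chain:", chain_verifies(ca, client))
```

Run it with the OpenSSL that FreeRADIUS was linked against (the poster names 0.9.8b); a build that prints `sha256WithRSAEncryption` and verifies the chain can handle these certificates, so a remaining EAP-TLS failure points at the supplicant or the certificates it presents rather than at the server-side library.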
TTLS with Mutual Authentication
Hi,

Can you please let me know how to configure free-radius with TTLS/MSCHAPv2
and mutual authentication?

By 'mutual authentication' I refer to the following authentication process:

1. The client authenticates the server
2. The server authenticates the client
3. Only then - the client sends username + password using MSCHAPv2

Thanks,
Eyal.
Envara, Ltd.
Re: Freeradius doesn't detect EAP when authenticating against MySQL
Ah yes, that explains it, thanks Alan.

So, what is a common practice to do this then? I understand it's not very
safe nor sane to store passwords in clear text, that's why I wanted to
avoid that, however it seems inevitable.

Let me explain a little better what I'm trying to do: I am managing a
wired network for some 300 users, it's a student dorm and the university
owns the network and they require authentication for the ease of
management and control. 802.1x felt like the right way to go, because we
are planning some wireless access points as well. There are HP's Procurve
2650 switches in use. I chose mysql db backend, because I also created a
set of PHP scripts, where users can change their passwords and admin can
add/del/modify user info.

So what can one do to avoid storing passes in clear text or is it sane
enough? The server also serves some web pages and dhcp requests.

Thanks for information.

Alan DeKok-4 wrote:
>
> preem wrote:
>> I have a similar problem with EAP-MD5 authenticating against MySQL
>> DataBase.
>>
>> Whatever i do, it won't accept password, which is stored in the MySQL db
>> using MD5('') function. However, if i send a password's hash as password
>> it accepts it, which indicates something is not hashing password before
>> comparing to the hash in the db.
>
> EAP-MD5 requires access to the clear-text password. MD5 hashed
> passwords are not appropriate.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>> I do not understand, should the Windows XP's supplicant encrypt password
>> prior to sending, or does it send it in cleartext and the radius encrypts
>> before comparing?
>
> There is no encryption of the password. It is hashed. The details
> aren't important. Read the above web page for compatibility issues.
>
> Alan DeKok.
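The compatibility point made throughout this thread (crypt'd or MD5 passwords work for PAP; EAP-MD5 and other challenge-response methods need the clear-text password) comes down to what the server has to compute. The following is an added example written for this thread, not FreeRADIUS code: it verifies the same password stored two ways, once for PAP and once for a CHAP/EAP-MD5 exchange. The stored-password format follows the Password-With-Header convention seen earlier in the thread (`{md5}<hex digest>` or `{clear}<password>`); the user name, password, challenge and function names (`verify_pap`, `chap_response`, `verify_chap`, `demo`) are constructed here.

```python
"""Added example (not FreeRADIUS code): why a stored MD5 digest is usable for
PAP but not for CHAP / EAP-MD5.  Stored values use the Password-With-Header
style from this thread: '{md5}<hex digest>' or '{clear}<password>'."""
import hashlib
import hmac
import os


def verify_pap(stored, supplied):
    """PAP: the supplicant sends the password itself, so the server can hash
    what it received and compare it with any stored digest."""
    if stored.startswith("{md5}"):
        digest = hashlib.md5(supplied.encode()).hexdigest()
        return hmac.compare_digest(digest, stored[5:].lower())
    if stored.startswith("{clear}"):
        return hmac.compare_digest(supplied, stored[7:])
    raise ValueError("unsupported password header")


def chap_response(ident, password, challenge):
    """CHAP / EAP-MD5 response (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(stored, ident, challenge, response):
    """The server must recompute MD5(id || password || challenge), which needs
    the password itself.  Returns True/False when that is possible and None
    when the stored form is a digest, from which the password cannot be
    recovered, so the response cannot be checked at all."""
    if not stored.startswith("{clear}"):
        return None
    expected = chap_response(ident, stored[7:], challenge)
    return hmac.compare_digest(expected, response)


def demo(password="n2test"):
    """The same constructed password stored both ways, tried against PAP
    and against a CHAP exchange with a random 16-byte challenge."""
    stored_md5 = "{md5}" + hashlib.md5(password.encode()).hexdigest()
    stored_clear = "{clear}" + password
    challenge = os.urandom(16)
    response = chap_response(1, password, challenge)
    return {
        "pap/md5": verify_pap(stored_md5, password),
        "pap/clear": verify_pap(stored_clear, password),
        "chap/md5": verify_chap(stored_md5, 1, challenge, response),
        "chap/clear": verify_chap(stored_clear, 1, challenge, response),
    }


if __name__ == "__main__":
    for method, outcome in demo().items():
        print(f"{method:10s} -> {outcome}")
```

The `chap/md5` cell is the one that matters: it is not a failed comparison but an impossible one, which is the situation preem hit when rlm_sql handed EAP-MD5 a row stored with MySQL's `MD5()` function. MS-CHAP has the same dependency (it needs the password or its NT hash), which is why the deployingradius.com compatibility table is the reference Alan keeps pointing at.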