RE: NAS-Group? - different replies to different NASes?

2008-02-25 Thread Adrian
I'm not sure we use the users file (I have the radius.conf pointed to
sql.conf).

This is what I thought might have to happen but I'm not sure if it makes
sense.

Create 2 Groups in radgroupreply like this:
Telco_LAC_Group - with all the tunnel attributes
LNS_Group - which all the users would be assigned to and whatever attributes
they need to share.

In "radgroupcheck" enter a NAS-IP-Address check for the Telco_LAC_Group that
matches on the LAC's IPs.
In "usergroup" assign the user to the LNS_Group
Everything else remains the same as before (radreply and radcheck with the
specific user info)

Does that make sense?

Any other way to group attributes for specific NASes?
Adrian


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Sunday, February 24, 2008 3:57 PM
To: FreeRadius users mailing list
Subject: RE: NAS-Group? - different replies to different NASes?

You would normally use a DEFAULT entry in users file. In 2.0 you can use
unlang and do it in sql.

Ivan Kalik
Kalik Informatika ISP


On 24/2/2008, "Adrian" <[EMAIL PROTECTED]> wrote:

>Hello Ivan,
>
>Can you point me in the right direction with doing separate requests based
>on the NAS-IP-Address Attribute?  Do I do this in the radius.conf file or in
>the mysql DB somehow under the groups?
>
>Currently I use the nas list from the flat file and the DB for everything
>else including groups.
>
>Thanks
>Adrian
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On
>Behalf Of Ivan Kalik
>Sent: Friday, February 22, 2008 10:22 AM
>To: FreeRadius users mailing list
>Subject: RE: NAS-Group? - different replies to different NASes?
>
>NAS-IP-Address should be different in LAC and LNS requests. And unlang
>works in version 2.0 not 1.1.x (later post).
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>On 22/2/2008, "Adrian" <[EMAIL PROTECTED]> wrote:
>
>>Hello Ivan,
>>
>>The Telco wants me to send those parameters to them.  I have no choice in
>>that.  I'm confused because with every other Telco the setup was
>>straightforward: I set up a tunnel/vpnd-group+virtual template from our LNS
>>to the Telco's LAC and the requests for the user authentication come from
>>their LAC through my LNS all the time.  With this Telco, I see the same
>>request twice.  Once from their Radius and then from my LNS.  The problem is
>>distinguishing between them and answering differently.
>>
>>Maybe I don't even have to do that, it's just that I'm not sure how to do it
>>otherwise.
>>
>>For now I'll do some reading on "unlang" as per Alan's request and see how
>>that goes.
>>
>>Thanks
>>Adrian
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On
>>Behalf Of Ivan Kalik
>>Sent: Friday, February 22, 2008 6:32 AM
>>To: FreeRadius users mailing list
>>Subject: RE: NAS-Group? - different replies to different NASes?
>>
>>>4. Our radius sends the Tunnel information back to Telco Radius
>>
>>Why? It will be the same every time for every user. Configure tunnel
>>parameters on the (virtual) interface.
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>-
>>List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>
>>
>
>
>
>
>





Re: Assignment for Attributes in external Scripts

2008-02-25 Thread niall el-assaad
Many thanks, that's perfect.

2008/2/25 Ivan Kalik <[EMAIL PROTECTED]>:

> http://wiki.freeradius.org/Operators
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 25/2/2008, "niall el-assaad" <[EMAIL PROTECTED]> wrote:
>
> >Hi,
> >I am writing an external script to be run based upon an authentication.
> >
> >When the script returns output I am unsure as to what the assignment
> >operators do,
> >
> >for example when should I use += vs := vs =
> >
> >If I look at the exec-program-wait sample script I see:
> >
> >echo "Reply-Message += \"Hello, %u\","
> >echo "Reply-Message += \"PATH=$PATH\","
> >echo Framed-IP-Address = 255.255.255.255
> >
> >Is this documented anywhere?
> >
> >thanks,
> >
> >niall
> >
> >
>
>

Re: Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread A . L . M . Buxey
hi,

you can't do this - the request must go through a full EAP
validation cycle - otherwise the client will just barf.
you don't 'need' certs if you want to be insecure on the
client (but that's foolish) but you do need to take the
incoming request and then do a challenge response against
the PEAP/MSCHAPv2 - e.g. using ntlm_auth against an AD server
(which works 100% fine for machine accounts)

alan


RE: Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread Josh Howlett
Hi Ryan,

What you're trying to do is impossible. MS-CHAPv2 is a mutual
authentication protocol, meaning that FreeRADIUS needs to demonstrate
knowledge of the password to the machine.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Kramer
> Sent: 25 February 2008 21:05
> To: [EMAIL PROTECTED]; FreeRadius users mailing list
> Subject: Machine auth without cert - EAP-PEAP/MSCHAPV2
> 
> I've been experimenting with machine auth without using a 
> cert, but I seem to be stuck on the fact that FreeRadius will 
> not authenticate a local user.
> 
> I see the request come across through debugging with a 
> username of "host/mymachine.mydomain.com", and no password, 
> and in my users file I have
> 
> "host/mymachine.mydomain.com" Cleartext-Password="", 
> Auth-Type := Local, MS-CHAP-Use-NTLM-Auth := 0
> Filter-ID = "WIRELESS-USER",
> Fall-Through = 0
> 
> but for some reason it never authenticates...  I've tried 
> every both without the MS-CHAP option, that doesn't seem to 
> change it.  Also tried User-Password instead of cleartext 
> password, no change.  Any suggestions?
> 
> Ryan


Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread Ryan Kramer
I've been experimenting with machine auth without using a cert, but I seem
to be stuck on the fact that FreeRadius will not authenticate a local user.

I see the request come across through debugging with a username of
"host/mymachine.mydomain.com", and no password, and in my users file I have

"host/mymachine.mydomain.com" Cleartext-Password="", Auth-Type := Local,
MS-CHAP-Use-NTLM-Auth := 0
Filter-ID = "WIRELESS-USER",
Fall-Through = 0

but for some reason it never authenticates...  I've also tried without
the MS-CHAP option; that doesn't seem to change it.  Also tried
User-Password instead of cleartext password, no change.  Any suggestions?

Ryan

Re: Expiration Value

2008-02-25 Thread Marinko Tarlac

I tried with classic format -MM-DD but it doesn't work.

Tim White wrote:

> Ivan Kalik wrote:
>
>> The one you have there in the text.
>
> Bummer. Does anyone know how to get a format that doesn't use words
> (month name)?
>
> Thanks
>
> Tim


Re: PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?

2008-02-25 Thread Joe Vieira

Hey,

> Before I get neck-deep in testing out configs and debugging, I would
> like to ask if this is a feasible goal.

Yes, totally doable.

> If it is, I would appreciate
> any relevant references you know of so that I may start researching
> the proper configuration changes needed to achieve this.

The rlm_ldap docs should be most of what you need...

> In addition,
> I'd like to know if anyone out there has this kind of configuration in
> place, and working.

I have it working: I do authorization based on OpenLDAP (with groups)
and I do authentication against Active Directory.


Joe Vieira
UNIX Systems Administrator
Clark University - ITS


PEAP/802.1x AD authentication for network access working, can AD-LDAP group search work for switch management authorization?

2008-02-25 Thread Charles Jones
Hello all,

I am relatively new to the RADIUS world, FreeRADIUS is my first RADIUS
server, I am looking forward to learning as much as I can about it.

So far, I have configured FreeRADIUS successfully to authenticate
users against a Windows 2003 Active Directory server for 802.1x PEAP
port-based-authentication using Cisco Catalyst switches.  I used the
ntlm_auth technique for the authentication side.

Now that I have that working, I am researching how to extend the
FreeRADIUS server to provide LDAP-based authorization for privileged
level access into the switches as well.  I would prefer to simply do
an LDAP search to determine if the given user is located inside a
specific AD group, and base the authorization request on the response
from that query.  I've looked through the rlm_ldap docs on the
freeradius wiki, as well as a few other tutorials out on the web.
However, I haven't seen anyone who is simply trying to authorize (not
authenticate) based on group-membership in AD.  I would prefer to
avoid having to store any passwords in the LDAP database if at all
possible.

In the interest of keeping my request simple, I am looking to
accomplish the following:
1.  Keep my current 802.1x PEAP port-based-auth working.
2.  Add in the functionality to control privileged access to Cisco
devices based on group membership in our AD domain.

Before I get neck-deep in testing out configs and debugging, I would
like to ask if this is a feasible goal.  If it is, I would appreciate
any relevant references you know of so that I may start researching
the proper configuration changes needed to achieve this.  In addition,
I'd like to know if anyone out there has this kind of configuration in
place, and working.

Thanks for your time,

Charles


Re: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread Alan DeKok
Ryan wrote:
> Passwords are currently encrypted in LDAP. In this case, am I correct
> to say that I will need to add both nt hash and NT-Password to LDAP
> using smb-ldap related tools for it to work with PEAP?

  You will need to *create* the NT hash or clear-text password on your
LDAP server.  This usually involves asking all of the users to re-enter
their passwords.

> Will samba be
> required to be configured on my LDAP server?

  No.

  Alan DeKok.


Re: LDAP and Groups.

2008-02-25 Thread Ivan Kalik
DEFAULT Ldap-Group == "Engineering", and then the list of reply attributes.

Ivan Kalik
Kalik Informatika ISP


On 25/2/2008, "David W Bell" <[EMAIL PROTECTED]> wrote:

>OK, I've been fiddling some more.
>
>What I need to now do is work out which group a user belongs to based on
>LDAP users and groups.
>
>I am assuming this is in radius.conf, in the section about groups.
>
>For Example,
>
>This LDAP user.
>
># belld, people, dxi.net
>dn: uid=belld,ou=people,dc=dxi,dc=net
>cn: David Bell
>gidNumber: 100
>givenName: David
>homeDirectory: /home/belld
>loginShell: /bin/bash
>objectClass: top
>objectClass: posixAccount
>objectClass: shadowAccount
>objectClass: inetOrgPerson
>shadowInactive: -1
>shadowMax: 9
>shadowMin: 0
>shadowWarning: 7
>sn: Bell
>uid: belld
>uidNumber: 1000
>shadowLastChange: 13920
>
>is a member of this LDAP group
>
># Engineering, group, dxi.net
>dn: cn=Engineering,ou=group,dc=dxi,dc=net
>cn: Engineering
>gidNumber: 1000
>member: uid=belld,ou=people,dc=dxi,dc=net
>objectClass: top
>objectClass: posixGroup
>objectClass: groupOfNames
>
>How do I do this, so that I can then have my users file grant
>Cisco-AVPair information based on group membership?
>
>Thanks
>
>David
>
>
>
>
>



RE: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread Ryan
Passwords are currently encrypted in LDAP. In this case, am I correct
to say that I will need to add both nt hash and NT-Password to LDAP
using smb-ldap related tools for it to work with PEAP? Will samba be
required to be configured on my LDAP server?

Thanks/Regards,
Ryan


LDAP and Groups.

2008-02-25 Thread David W Bell

OK, I've been fiddling some more.

What I need to now do is work out which group a user belongs to based on 
LDAP users and groups.


I am assuming this is in radius.conf, in the section about groups.

For Example,

This LDAP user.

# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
givenName: David
homeDirectory: /home/belld
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
shadowInactive: -1
shadowMax: 9
shadowMin: 0
shadowWarning: 7
sn: Bell
uid: belld
uidNumber: 1000
shadowLastChange: 13920

is a member of this LDAP group

# Engineering, group, dxi.net
dn: cn=Engineering,ou=group,dc=dxi,dc=net
cn: Engineering
gidNumber: 1000
member: uid=belld,ou=people,dc=dxi,dc=net
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames

How do I do this, so that I can then have my users file grant
Cisco-AVPair information based on group membership?


Thanks

David



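The following is an added example, written for this archive page and not taken from the post above, from rlm_ldap, or from FreeRADIUS. It reads the two LDIF entries David posted with a small LDIF parser, decides group membership the way the groupOfNames branch of an rlm_ldap groupmembership_filter does (the user's DN must appear in the group's `member` attribute), and then maps the group name to reply items, which is what a users-file line of the form `DEFAULT Ldap-Group == "Engineering"` followed by reply attributes achieves in the server. It also answers Charles's earlier question in this page about authorizing (not authenticating) on group membership, since the same membership test applies there. The third LDIF entry (a "Sales" group), the `Cisco-AVPair` value and the user DN variants are constructed for the example.

```python
"""Added example, not from the list thread or from rlm_ldap: a small LDIF
reader plus the group-membership test rlm_ldap's groupmembership_filter
performs, evaluated locally over the two entries posted above so the
mapping from group to reply attributes can be seen end to end.

Membership is decided the groupOfNames way: the user's DN must appear in a
group's `member` attribute.  DNs are compared case-insensitively with
whitespace around commas ignored, which is how a directory compares them.
"""

# Constructed LDIF: the two entries from the post, plus a second group the
# user is not a member of (constructed, not in the post).
SAMPLE_LDIF = """\
# belld, people, dxi.net
dn: uid=belld,ou=people,dc=dxi,dc=net
cn: David Bell
gidNumber: 100
uid: belld
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson

# Engineering, group, dxi.net
dn: cn=Engineering,ou=group,dc=dxi,dc=net
cn: Engineering
gidNumber: 1000
member: uid=belld,ou=people,dc=dxi,dc=net
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames

# Sales, group, dxi.net
dn: cn=Sales,ou=group,dc=dxi,dc=net
cn: Sales
member: uid=someone,ou=people,dc=dxi,dc=net
objectClass: top
objectClass: groupOfNames
"""


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each a dict of lower-cased
    attribute name -> list of values (attribute names are case-insensitive
    in LDAP).  Comments, blank-line record separators and folded lines (a
    leading space continues the previous value) are handled; base64 ("::")
    values are rejected because nothing here needs them."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep or value.startswith(":"):
            raise ValueError("unsupported LDIF line: %r" % raw)
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    return entries


def normalize_dn(dn):
    """Canonical form for DN equality: lower-case, no space around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_of(entries, user_dn):
    """cn values of every groupOfNames entry listing user_dn as a member;
    the local equivalent of the filter
    (&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))."""
    target = normalize_dn(user_dn)
    found = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        if any(normalize_dn(m) == target for m in entry.get("member", [])):
            found.extend(entry.get("cn", []))
    return found


# Stand-in for a users-file entry of the form
#   DEFAULT Ldap-Group == "Engineering"
#           Cisco-AVPair = "shell:priv-lvl=15"
# The AVPair value is a constructed sample, not something the thread gives.
GROUP_REPLIES = {
    "Engineering": [("Cisco-AVPair", "shell:priv-lvl=15")],
}


def reply_for(entries, user_dn, group_replies=GROUP_REPLIES):
    """Reply items for the first of the user's groups that has a mapping;
    a user in no mapped group gets nothing, i.e. no privileged access."""
    for group in groups_of(entries, user_dn):
        if group in group_replies:
            return list(group_replies[group])
    return []


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user = "uid=belld,ou=people,dc=dxi,dc=net"
    print(groups_of(entries, user), reply_for(entries, user))
```

The posted group carries both posixGroup and groupOfNames object classes; only the `member` (groupOfNames) test is implemented here, so a directory that records membership solely through posixGroup `memberUid` or `gidNumber` would need the other branch of the filter. Note that no password material is touched at any point: the lookup only needs read access to the group entries, which is what makes this an authorization-only check.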


Re: Expiration Value

2008-02-25 Thread Tim White

Ivan Kalik wrote:

> The one you have there in the text.

Bummer. Does anyone know how to get a format that doesn't use words
(month name)?

Thanks

Tim


autenticating with realm null only in one NAS

2008-02-25 Thread rgreiner
I need to configure FreeRADIUS to allow NULL realms only from one or
two NASes; all the others must have a realm in the login. What would be
the best way to do this?


(using freeradius 2.0.2, in a Debian etch platform.)

I tried to add the following in the Users file:

DEFAULT NAS-IP-Address=="1.2.3.4", Proxy-To-Realm := "realm1.com"
DEFAULT NAS-IP-Address=="1.2.3.5", Proxy-To-Realm := "realm1.com"

DEFAULT Realm == NULL, Auth-Type := Reject
   Fall-Through = 1

In proxy.conf, I added the following entry at the end of the file:

realm realm1.com {
   pool = my_auth_failover
   # nostrip
}

(I left the example entries from the file enabled.)

freeradius -X displays the following.
In this entry, I did not use a realm in the login, yet it still connected.
Any ideas on the best way to configure this?


rad_recv: Access-Request packet from host 1.2.3.6 port 2890, id=10, 
length=48

   User-Name = "user1"
   User-Password = "pass1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
   expand: %{User-Name} -> user1
rlm_sql (sql): sql_set_user escaped user --> 'user1'
rlm_sql (sql): Reserving sql socket id: 3
   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id -> SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'rgreiner'   ORDER BY id

rlm_sql (sql): User found in radcheck table
   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id -> SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'rgreiner'   ORDER BY id
   expand: SELECT groupname   FROM radusergroup   
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> 
SELECT groupname   FROM radusergroup   WHERE username = 
'rgreiner'   ORDER BY priority
   expand: SELECT id, groupname, attribute,   Value, 
op   FROM radgroupcheck   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   
WHERE groupname = 'dynamic'   ORDER BY id

rlm_sql (sql): User found in group dynamic
   expand: SELECT id, groupname, attribute,   value, 
op   FROM radgroupreply   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, 
attribute,   value, op   FROM radgroupreply   
WHERE groupname = 'dynamic'   ORDER BY id

rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
 rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "pass1"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
+- entering group session
++[sql] returns noop
Login OK: [user1/pass1] (from client dsu24 port 0)
Sending Access-Accept of id 10 to 1.2.3.6 port 2890
   Framed-Protocol := PPP
   Service-Type := Framed-User
   Framed-MTU := 1500
   Session-Timeout := 86400
   Framed-Compression := Van-Jacobson-TCP-IP
   Framed-Address := 255.255.255.254
   Framed-Netmask := 255.255.255.0
   Idle-Timeout := 3600
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Cleaning up request 0 ID 10 with timestamp +6
Ready to process requests.



Thank you very much,

Marcos Roberto Greiner

--
 -
   Marcos Roberto Greiner

  Optimists think we are living in the best of all possible worlds
   Pessimists are afraid that this is true
  Murphy
 -



Re: Expiration Value

2008-02-25 Thread Ivan Kalik
The one you have there in the text.

Ivan Kalik
Kalik Informatika ISP


On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:

>So you maintain two instances of this value?
>Once in radcheck, and once in an external table? The first instance, in 
>radcheck, what format do you have that in?
>
>
>Thanks
>
>Tim
>
>Ivan Kalik wrote:
>> We don't do these checks on radius database at all. We have a billing
>> database with users details which has value of this attribute in
>> datetime format and checks are done there.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:
>>
>>   
>>> I'm attempting to use Expiration to expire user accounts after a set
>>> time period. What format does the Date/Time (Value field) have to be?
>>> From what I can see it's in the format of "Monthname Day Year
>>> Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears
>>> that in this format you can't use normal SQL datetime operators to see
>>> if it's expired (for example, to run a SQL query to remove all expired
>>> accounts).
>>>
>>> Can someone who has it working please let me know what format they use
>>> for Expiration value, and how they can use MySQL comparison operators
>>> with it?
>>>
>>> (Either 2.0.2 or 1.1.7).
>>>
>>> Thanks
>>>
>>> Tim
>>>
>>>
>>>
>>> 
>>
>>   
>
>
>



Re: Expiration Value

2008-02-25 Thread Tim White

So you maintain two instances of this value?
Once in radcheck, and once in an external table? The first instance, in
radcheck, what format do you have that in?

Thanks

Tim

Ivan Kalik wrote:

> We don't do these checks on radius database at all. We have a billing
> database with users details which has value of this attribute in
> datetime format and checks are done there.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:
>
>> I'm attempting to use Expiration to expire user accounts after a set
>> time period. What format does the Date/Time (Value field) have to be?
>> From what I can see it's in the format of "Monthname Day Year
>> Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears
>> that in this format you can't use normal SQL datetime operators to see
>> if it's expired (for example, to run a SQL query to remove all expired
>> accounts).
>>
>> Can someone who has it working please let me know what format they use
>> for Expiration value, and how they can use MySQL comparison operators
>> with it?
>>
>> (Either 2.0.2 or 1.1.7).
>>
>> Thanks
>>
>> Tim


Re: Expiration Value

2008-02-25 Thread Ivan Kalik
We don't do these checks on radius database at all. We have a billing
database with users details which has value of this attribute in
datetime format and checks are done there.

Ivan Kalik
Kalik Informatika ISP


On 25/2/2008, "Tim White" <[EMAIL PROTECTED]> wrote:

>I'm attempting to use Expiration to expire user accounts after a set
>time period. What format does the Date/Time (Value field) have to be?
> From what I can see it's in the format of "Monthname Day Year
>Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears
>that in this format you can't use normal SQL datetime operators to see
>if it's expired (for example, to run a SQL query to remove all expired
>accounts).
>
>Can someone who has it working please let me know what format they use
>for Expiration value, and how they can use MySQL comparison operators
>with it?
>
>(Either 2.0.2 or 1.1.7).
>
>Thanks
>
>Tim
>
>
>



Re: Assignment for Attributes in external Scripts

2008-02-25 Thread Ivan Kalik
http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP


On 25/2/2008, "niall el-assaad" <[EMAIL PROTECTED]> wrote:

>Hi,
>I am writing an external script to be run based upon an authentication.
>
>When the script returns output I am unsure as to what the assignment
>operators do,
>
>for example when should I use += vs := vs =
>
>If I look at the exec-program-wait sample script I see:
>
>echo "Reply-Message += \"Hello, %u\","
>echo "Reply-Message += \"PATH=$PATH\","
>echo Framed-IP-Address = 255.255.255.255
>
>Is this documented anywhere?
>
>thanks,
>
>niall
>
>




Expiration Value

2008-02-25 Thread Tim White
I'm attempting to use Expiration to expire user accounts after a set 
time period. What format does the Date/Time (Value field) have to be?
From what I can see it's in the format of "Monthname Day Year 
Hour:Min:Sec". So for example "March 24 2008 00:00:00". But it appears 
that in this format you can't use normal SQL datetime operators to see 
if it's expired (for example, to run a SQL query to remove all expired 
accounts).


Can someone who has it working please let me know what format they use 
for Expiration value, and how they can use MySQL comparison operators 
with it?


(Either 2.0.2 or 1.1.7).

Thanks

Tim

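An added example, written for this page and not taken from the thread or from FreeRADIUS: it handles the Expiration value in exactly the "Monthname Day Year Hour:Min:Sec" layout the question describes, outside the RADIUS server. Since the value is stored as text in radcheck, SQL datetime operators do not apply to it as stored, and plain string comparison orders it wrongly ("April ..." sorts before "March ..." although it is later); the helpers parse the text into a datetime, decide whether an entry has expired, and filter a set of radcheck-style rows the way a cleanup job would. The rows and the reference time are constructed.

```python
"""Added example, not from the list thread: handling the Expiration
check-item value in the "Monthname Day Year HH:MM:SS" form quoted above
(e.g. "March 24 2008 00:00:00") outside the RADIUS server.  The radcheck
rows and the reference time below are constructed.
"""
from datetime import datetime

# The value layout the thread describes: full English month name, day,
# four-digit year, 24-hour time.
EXPIRATION_FORMAT = "%B %d %Y %H:%M:%S"


def parse_expiration(value):
    """Parse an Expiration value into a naive datetime.

    Raises ValueError for any other layout, so a malformed row is noticed
    rather than silently treated as "never expires".
    """
    return datetime.strptime(value.strip(), EXPIRATION_FORMAT)


def is_valid_expiration(value):
    """True if `value` parses in the expected layout."""
    try:
        parse_expiration(value)
    except ValueError:
        return False
    return True


def format_expiration(when):
    """Render a datetime in the same layout, with the day unpadded as in the
    thread's example ("March 24 2008", not "March 024 2008")."""
    return "%s %d %d %02d:%02d:%02d" % (
        when.strftime("%B"), when.day, when.year,
        when.hour, when.minute, when.second,
    )


def is_expired(value, now):
    """True once the Expiration instant has been reached."""
    return parse_expiration(value) <= now


def string_order_misleads(earlier, later):
    """True when the lexical order of two values contradicts their date
    order; this is why the stored text cannot simply be compared in SQL."""
    chronological = parse_expiration(earlier) < parse_expiration(later)
    lexical = earlier < later
    return chronological and not lexical


def expired_users(rows, now):
    """Usernames from radcheck-style (username, attribute, op, value) rows
    whose Expiration has passed: the set a cleanup job would remove."""
    return sorted(
        username for username, attribute, _op, value in rows
        if attribute == "Expiration" and is_expired(value, now)
    )


# Constructed sample radcheck rows and a constructed "current time".
SAMPLE_ROWS = [
    ("alice", "Cleartext-Password", ":=", "secret"),
    ("alice", "Expiration", ":=", "March 24 2008 00:00:00"),
    ("bob", "Expiration", ":=", "April 1 2008 12:00:00"),
    ("carol", "Expiration", ":=", "February 1 2008 00:00:00"),
]
NOW = datetime(2008, 3, 25, 9, 0, 0)

if __name__ == "__main__":
    print(expired_users(SAMPLE_ROWS, NOW))
    print(string_order_misleads("March 24 2008 00:00:00",
                                "April 1 2008 12:00:00"))
```

If the comparison has to happen inside MySQL rather than in a script, the same layout can be converted on the fly with STR_TO_DATE(value, '%M %d %Y %H:%i:%s') and then compared with NOW(); the cost is that every Expiration row must be in the one layout, which is what the parse-or-fail behaviour above enforces.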


Assignment for Attributes in external Scripts

2008-02-25 Thread niall el-assaad
Hi,
I am writing an external script to be run based upon an authentication.

When the script returns output I am unsure as to what the assignment
operators do; for example, when should I use += vs := vs =?

If I look at the exec-program-wait sample script I see:

echo "Reply-Message += \"Hello, %u\","
echo "Reply-Message += \"PATH=$PATH\","
echo Framed-IP-Address = 255.255.255.255

Is this documented anywhere?

thanks,

niall
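An added example, written for this page and not taken from the post, from the sample script, or from FreeRADIUS: a parser for the "Attribute OP Value," lines an exec script prints, plus the reply-list meaning of the three operators as the FreeRADIUS Operators page the reply points to describes them: `=` adds the attribute only if none of that name is present yet, `:=` replaces any existing instance (or adds one), and `+=` always appends another instance. The sample lines are the three from the exec-program-wait script quoted above, with `%u` and `$PATH` already expanded to constructed values, applied to a reply list that an earlier module has already populated.

```python
"""Added example, not from the post or from FreeRADIUS: a parser for the
"Attribute OP Value," lines an exec script prints, and the reply-list
meaning of the three operators as the FreeRADIUS Operators page gives it:

  =   add the attribute only if no attribute of that name is present yet
  :=  replace every existing instance of the attribute (or add it)
  +=  always append another instance

The sample lines are those of the exec-program-wait script quoted above,
with %u and $PATH already expanded to constructed values.
"""
import re

# Attribute name, operator, then a double-quoted value (backslash escapes
# allowed) or a bare value, with an optional trailing comma.
_LINE_RE = re.compile(
    r'^\s*([A-Za-z0-9-]+)\s*(\+=|:=|=)\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*,?\s*$'
)


def parse_line(line):
    """Return (attribute, operator, value) for one script output line."""
    match = _LINE_RE.match(line)
    if not match:
        raise ValueError("cannot parse attribute line: %r" % line)
    attr, op, quoted, bare = match.groups()
    value = quoted.replace('\\"', '"') if quoted is not None else bare
    return attr, op, value


def apply_reply_item(reply, attr, op, value):
    """Merge one item into `reply`, a list of (attribute, value) pairs,
    following the operator semantics above.  Returns the same list."""
    present = any(a == attr for a, _ in reply)
    if op == "=":
        if not present:
            reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    else:
        raise ValueError("unsupported reply operator: %s" % op)
    return reply


def merge_script_output(reply, lines):
    """Apply every non-empty script output line, in order, to `reply`."""
    for line in lines:
        if line.strip():
            apply_reply_item(reply, *parse_line(line))
    return reply


# Constructed sample output; note the last line uses "=", so it will not
# override a Framed-IP-Address that an earlier module already set.
SAMPLE_OUTPUT = [
    'Reply-Message += "Hello, bob",',
    'Reply-Message += "PATH=/usr/local/bin:/usr/bin",',
    'Framed-IP-Address = 255.255.255.255',
]

if __name__ == "__main__":
    reply = [("Framed-IP-Address", "10.0.0.5")]
    for attr, value in merge_script_output(reply, SAMPLE_OUTPUT):
        print("%s = %r" % (attr, value))
```

Running it shows why the sample script uses `+=` for Reply-Message (two messages are wanted, so both must be appended) but `=` for Framed-IP-Address (a placeholder that must not clobber an address assigned earlier); a script that is meant to force an address would print `:=` instead.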

RE: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread debug afone
Hello, 

I use FreeRadius with OpenLDAP to authenticate devices using EAP-PEAP and it
works fine. The only problem I had was the encrypted password in my LDAP
database.
I bypassed this problem by using clear-text passwords in the LDAP database, and
it works fine.
You can also have a look at this:
http://deployingradius.com/documents/protocols/compatibility.html

Regards, 

Nicolas SOULEMAN.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of [EMAIL PROTECTED]
Sent: Monday, 25 February 2008 11:59
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 34, Issue 124

--

Message: 1
Date: Mon, 25 Feb 2008 11:15:38 +0800 (CST)
From: Hangjun He <[EMAIL PROTECTED]>
Subject: rlm_dbm can not work?
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="gb2312"

Hi,

I am using freeRADIUS 1.1.6.  I cannot get rlm_dbm to work.

Result of rlm_dbm_cat:
  [EMAIL PROTECTED] raddb]# pwd
/usr/local/etc/raddb
[EMAIL PROTECTED] raddb]# rlm_dbm_cat -f users.db
"hhe4"  Cleartext-Password := "hhe123"
Reply-Message = "Hello"
 
"hhe123"Cleartext-Password := "hhe123"
Reply-Message = "Hello"
 
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# ls users.*
users.db.dir  users.db.pag
[EMAIL PROTECTED] raddb]#
   
  Debug message:
  Module: Loaded dbm
 dbm: usersfile = "/usr/local/etc/raddb/users.db"
Module: Instantiated dbm (dbm)
Listening on authentication *:1812
Listening on accounting *:1813
ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1033, id=26, length=58
User-Name = "hhe123"
User-Password = "hhe123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_dbm: try open database file: /usr/local/etc/raddb/users.db
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add hhe123 to user list
rlm_dbm: User  not foud in database
Remove hhe123 from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User  not foud in database
Remove DEFAULT from user list
  modcall[authorize]: module "dbm" returns notfound for request 0
modcall: leaving group authorize (returns noop) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Sending Access-Reject of id 26 to 127.0.0.1 port 1033
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 26 with timestamp 47c220be
Nothing to do.  Sleeping until we see a request.
   
  John.
   
   

   

Re: radius users update after NAS downing

2008-02-25 Thread Alan DeKok
Zahra Bahar wrote:
> We have a FreeRADIUS server for accounting of AS5300 dial users. There is a
> problem:
> Some users stay in the accounting list when the AS is restarted, and they
> never go to Stop, so they can't dial after that until the admin takes them
> out of the list. Why does this happen?

  Because the NAS is broken.  It does not inform the RADIUS server that
it has rebooted.  It is *supposed* to inform the RADIUS server.

  Alan DeKok.


ldap configuration parameters in radiusd.conf file

2008-02-25 Thread Gopinath Reddy N
Hi,

Does anybody have an idea whether the parameters below are mandatory in
the ldap section of the radiusd.conf file?

groupname_attribute = cn
groupmembership_filter =
"(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName

I am trying to see whether the LDAP group search functionality can be avoided
using the radiusd.conf file.


Thanks in advance.
regards
-gnr

radius users update after NAS downing

2008-02-25 Thread Zahra Bahar
Hi,
We have a FreeRADIUS server for accounting of AS5300 dial users. There is a
problem:
Some users stay in the accounting list when the AS is restarted, and they
never go to Stop, so they can't dial after that until the admin takes them
out of the list. Why does this happen?


Re: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread Sergio Belkin
2008/2/25, Ryan <[EMAIL PROTECTED]>:
> Hi All,
>
>  Understand that it is not possible to authenticate using EAP-PEAP
>  against OpenLDAP due to encrypted password. Can someone advise on how
>  exactly OpenLDAP needs be configured so that it can be used in
>  EAP-PEAP?
>
>  I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that
>  to do so additional attributes needs to be added to LDAP. Is this the
>  only way?
>
>  Thanks/Regards,
>
> Ryan
>
I think that the easiest way is to use EAP-TTLS if you use encrypted
passwords in OpenLDAP; then you should use PAP. The problem is that
Windows has no native PAP support, so you should use something like
SecureW2. The other option is the one Ivan Kalik mentioned (something
that I have asked about many times :) )
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread Ivan Kalik
>Understand that it is not possible to authenticate using EAP-PEAP
>against OpenLDAP due to encrypted password. Can someone advise on how
>exactly OpenLDAP needs be configured so that it can be used in
>EAP-PEAP?
>

Don't use encrypted password. Or use nt hash and NT-Password. There is
nothing to add - those attributes are already in ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP



Re: rlm_dbm can not work?

2008-02-25 Thread A . L . M . Buxey
Hi,

> [EMAIL PROTECTED] raddb]# rlm_dbm_cat -f users.db
> "hhe4"  Cleartext-Password := "hhe123"
> Reply-Message = "Hello"
>  
> "hhe123"Cleartext-Password := "hhe123"
> Reply-Message = "Hello"

I have a theory about the entries: remove the quotes from around
your user IDs in that database file.

alan


Re: EAP-PEAP with LDAP for 802.1x authentication

2008-02-25 Thread Arjuna Scagnetto
Reading from http://deployingradius.com/documents/protocols/compatibility.html
you can see that there's no problem making LDAP work with
EAP-PEAP; the only thing you must take care of is the hashing algorithm
for the password.

Reading carefully from http://vuksan.com/linux/dot1x/802-1x-LDAP.html

"It is important depending what kind of password information you have
stored in your LDAP database"

So nobody says you can't make OpenLDAP and FreeRADIUS work together. :)

Reading 802-1x-LDAP.html carefully, you'll be able to set up a working environment.



On Mon, Feb 25, 2008 at 7:58 AM, Ryan <[EMAIL PROTECTED]> wrote:
> Hi All,
>
>  Understand that it is not possible to authenticate using EAP-PEAP
>  against OpenLDAP due to encrypted password. Can someone advise on how
>  exactly OpenLDAP needs be configured so that it can be used in
>  EAP-PEAP?
>
>  I found out from http://vuksan.com/linux/dot1x/802-1x-LDAP.html that
>  to do so additional attributes needs to be added to LDAP. Is this the
>  only way?
>
>  Thanks/Regards,
>  Ryan
>



-- 
they don't own your box, but they have you