Re: limiting user access by day

2008-03-03 Thread Marinko Tarlac
radcheck and it works fine for me

2008/3/3 Budiono [EMAIL PROTECTED]:

 Thank you for replying.
 FYI, I'm using FreeRADIUS 1.1.3 on the CentOS 5.1 distro with MySQL 5.0.

 Is the Expiration attribute put in radcheck or radgroupcheck in MySQL? Or
 is there any link or how-to for this configuration?

 Budiono

 - Original Message -
 From: Ivan Kalik [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 
 Sent: Thursday, February 28, 2008 6:38 PM
 Subject: Re: limiting user access by day


 Login-Time to restrict user to the days on which he can log in. And set
 Expiration to the end of the current day (? 24 hours - what's a day) on
 first login (script).

 Ivan Kalik
 Kalik Informatika ISP


 On 28/2/2008, Budiono U. [EMAIL PROTECTED] wrote:

 Hi all,
 
 I'm currently setting up a FreeRADIUS server for a hotspot, but right now I
 have a problem limiting user access to particular days.
 For example: user1 accesses on Monday to Friday and user2 only
 accesses on Saturday or Sunday.
 And each user is limited to one day of access only; after that day
 he/she can't log in again.
 
 Is there any module or attribute to set up RADIUS for this system? Any
 help would be appreciated.
 
 Thank you
 Budiono
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

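Ivan's Login-Time plus Expiration scheme, which Marinko confirms works from radcheck, written out as the rows it needs. This is an added example, not from any post in the thread; it uses MySQL 5.0 syntax against the stock radcheck table, the user names and passwords are constructed, and the second statement is what the first-login script Ivan mentions is assumed to issue.

```sql
-- Added example (not from the thread). Check items for the two users Budiono
-- describes, in the stock radcheck table. Both attributes are evaluated in the
-- authorize section: Login-Time by rlm_logintime, Expiration by rlm_expiration,
-- so both modules must be listed there.
-- Login-Time day codes: Su Mo Tu We Th Fr Sa, ranges such as Mo-Fr, Wk (Mon-Fri),
-- Al/Any (every day); a HHMM-HHMM window may follow, e.g. 'Mo-Fr0800-1800'.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('user1', 'Cleartext-Password', ':=', 'constructed-pw-1'),
  ('user1', 'Login-Time',         ':=', 'Mo-Fr'),
  ('user2', 'Cleartext-Password', ':=', 'constructed-pw-2'),
  ('user2', 'Login-Time',         ':=', 'Sa,Su');

-- Issued once by the (assumed) first-login script: add an Expiration at
-- midnight at the end of today, i.e. 'Mar 04 2008' when the first login is
-- on Mar 03. The NOT EXISTS guard makes the statement idempotent, so a second
-- login on the same day cannot push the expiry forward.
INSERT INTO radcheck (username, attribute, op, value)
SELECT 'user1', 'Expiration', ':=',
       DATE_FORMAT(DATE_ADD(CURDATE(), INTERVAL 1 DAY), '%b %d %Y')
  FROM DUAL
 WHERE NOT EXISTS (SELECT 1 FROM radcheck
                    WHERE username = 'user1' AND attribute = 'Expiration');
```

Once the Expiration row exists, rlm_expiration rejects every later Access-Request for that user regardless of Login-Time, so the day restriction only has to hold up to the first login.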

[no subject]

2008-03-03 Thread Xiao Peng
Hi,

I'm writing code for an EAP-TTLS client, but I have some confusion when
coping with the Diameter AVP format.

Would anyone please send me some logs of an EAP-TTLS handshake? (I mean
just the EAP-TTLS message exchange between a server and a client, which
I can use for illustration.)

Thanks so much!


Re:

2008-03-03 Thread Alan DeKok
Xiao Peng wrote:
 I'm writing code for an EAP-TTLS client, but I have some confusion when
 coping with the Diameter AVP format.

  This is not a general help list for RADIUS or EAP topics.

  However, the source code to FreeRADIUS *is* available to you, and it
*does* work with all known clients.

 Would anyone please send me some logs of EAP-TTLS handshake? ( I mean,
 just the EAP-TTLS messages exchange between a server and a client, which
 I can use for illustration )

  Install FreeRADIUS, configure *another* supplicant with TTLS, and get
the logs yourself.

  Also, look at the EAP-TTLS code in FreeRADIUS for how the Diameter AVP
format is handled.

  Alan DeKok.

ClearText-Password?

2008-03-03 Thread Dean, Barry
I am migrating my RADIUS from:

a) FreeBSD, FreeRADIUS 1.1.7, eDirectory lookups.

to

b) Solaris 10 x86, FreeRADIUS 2.0.1, Active Directory, winbindd etc.

I stripped out all the LDAP stuff from the config, enabled ntlm_auth in the 
mschap module, changed the users file DEFAULT entry from LDAP to mschap, and 
bingo it works, almost!

At least both a and b work for 802.1x/EAP-TTLS clients. However for other 
clients such as EZProxy, only a works.

From my new config, debug says:

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject

So it fails. 

My Question is:

Where is no ClearText-Password configured?

1) Is it the RADIUS client not providing one?
2) Is it the RADIUS config that is missing something?
3) Is it the AD directory that is missing a ClearText-Password?

---
Barry Dean
Networks Team
Computing Services Department
Tel: 0151 794 5641 (x45641)





Fetching username and password through perl script

2008-03-03 Thread johnson elangbam
Hi,
I am using FreeRADIUS 2 along with MS SQL 2000. I need to authenticate
with a Perl script using my own table schema, which contains only username and
password. How do I read the username and password from this customized table
using a Perl script?

With Regards
Elangbam Johnson

Re: Fetching username and password through perl script

2008-03-03 Thread Stefan Winter
 I am using FreeRADIUS 2 along with MS SQL 2000. I need to authenticate
 with a Perl script using my own table schema, which contains only username and
 password. How do I read the username and password from this customized table
 using a Perl script?

You don't use a Perl script. Just configure the mssql queries so that they 
match your custom schema.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Control Items. Make TTLS Require a client cert

2008-03-03 Thread Wolfgang Burger

Hi,

I have a short question (I hope).
From eap.conf (2.0.2):
 #  You can make TTLS require a client cert by setting
 #
 #   EAP-TLS-Require-Client-Cert = Yes
 #
 #  in the control items for a request.

How or where do I set control items? I can't find any information
about them in the archive of the mailing list, wiki or FAQ.

Or is this just a different name for check-items?

Thank you very much

Regards
  Wolfgang Burger



Re: ClearText-Password?

2008-03-03 Thread Ivan Kalik
4) changed the users file DEFAULT entry from LDAP to mschap

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject

Post the whole debug. It looks like you are trying to force mschap onto
something that isn't a mschap request.

Ivan Kalik
Kalik Informatika ISP



Re: ClearText-Password?

2008-03-03 Thread Stefan Winter
Hi,

 rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032,
 id=195, length=49 User-Name = user
 User-Password = passwd
 NAS-IP-Address = 138.253.XXX.XXX

There. No MS-CHAP-Challenge. You are not supposed to process this packet with 
the rlm_mschap module. Why does it fail? ...

 Config:

 users:

 DEFAULT Auth-Type = mschap
 Acct-Session-Id = Local,
 Fall-Through = Yes

Write a hundred times on the blackboard: I will not set Auth-Type. The 
server will figure out itself what to do. In this case, PAP.

 If I don’t force MSCHAP in users, how else do I get the user checked
 against AD when the only place ntlm_auth is called is inside the mschap
 module?

You configure your AD server in the ldap {} section and uncomment the ldap 
stanzas in authorize and authenticate. You don't call ntlm_auth then, and 
that is because you don't need ntlm_auth - user authentication is done with 
an LDAP bind() operation with the user credentials.

Greetings,

Stefan Winter


RE: ClearText-Password?

2008-03-03 Thread Dean, Barry
Debug:
==

rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, 
length=49
User-Name = user
User-Password = passwd
NAS-IP-Address = 138.253.XXX.XXX
+- entering group authorize
++[preprocess] returns ok
++? if (%{User-Name} =~ /barred-user/i)
expand: %{User-Name} - user
? Evaluating (%{User-Name} =~ /barred-user/i) - FALSE
++? if (%{User-Name} =~ /barred-user/i) - FALSE
expand: 
/usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
rlm_detail: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303
expand: %t - Mon Mar  3 11:28:08 2008
++[auth_log] returns ok
++[mschap] returns noop
++[chap] returns noop
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Proxying request from user user to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
users: Matched entry DEFAULT at line 211
++[files] returns ok
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type mschap
auth: type MSCHAP
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [user/passwd] (from client EZProxy port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, 
length=49
Sending duplicate reply to client EZProxy port 47032 - ID: 195
Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032
Waking up in 4.9 seconds.
Cleaning up request 0 ID 195 with timestamp +24
Ready to process requests.

==

Config:

users:

DEFAULT Auth-Type = mschap
Acct-Session-Id = Local,
Fall-Through = Yes

radiusd.conf:

mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

If I don’t force MSCHAP in users, how else do I get the user checked against AD 
when the only place ntlm_auth is called is inside the mschap module?

---
Barry Dean
Networks Team






How do I used my customized table in.

2008-03-03 Thread johnson elangbam
Hi,
I am using FreeRADIUS server 2.0 and MS SQL 2000. I want to use my
customized tables, which contain only username and password. I've tried
modifying the query in dialup.conf, but it doesn't work. Please tell me the
solution.

Here is the piece of output after the user, who is stored in the
database, is rejected:

rad_recv: Access-Request packet from host 127.0.0.1 port 32807, id=226,
length=56
User-Name = John
User-Password = 1
NAS-IP-Address = 192.168.2.227
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = John, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - John
rlm_sql (sql): sql_set_user escaped user -- 'John'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT UserName,Value FROM checking WHERE Username =
'%{SQL-User-Name}' - SELECT UserName,Value FROM checking WHERE Username =
'John'
query:  SELECT UserName,Value FROM checking WHERE Username = 'John'
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [John/1] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - John
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 226 to 127.0.0.1 port 32807
Waking up in 4.9 seconds.
Cleaning up request 1 ID 226 with timestamp +17
Ready to process requests.

Regards
Elangbam Johnson

Re: mideye authentication

2008-03-03 Thread Norbert Wegener

 See rlm_example for a simple C challenge-response authentication
 module.  You may also need a consistent State attribute.  That code is
 in rlm_eap, but should probably be pulled into src/main, because other
 modules may need it, too.

Thanks, that was the missing link.
Norbert Wegener

 Alan DeKok.


Re: How do I used my customized table in.

2008-03-03 Thread Stefan Winter
Hi,

 expand: SELECT UserName,Value FROM checking WHERE Username =
 '%{SQL-User-Name}' - SELECT UserName,Value FROM checking WHERE Username =
 'John'
 query:  SELECT UserName,Value FROM checking WHERE Username = 'John'
 rlm_sql_getvpdata: database query error
 rlm_sql (sql): SQL query error; rejecting user
 rlm_sql (sql): Released sql socket id: 3

Ah, no. FreeRADIUS always needs to get its four columns back from SQL. You 
only have two, user's name and cleartext password. You need

username  = username           - fetched in query
attribute = Cleartext-Password - FIXED in query
op        = :=                 - FIXED in query
value     = password           - fetched in query

This means something like

SELECT UserName, 'Cleartext-Password' AS attribute, ':=' AS op, Value FROM 
checking WHERE Username = 'John'

Something like that. I use MySQL, but you should get the idea...

Stefan


Re: Control Items. Make TTLS Require a client cert

2008-03-03 Thread Alan DeKok
Wolfgang Burger wrote:
 How or where do I set control items? I can't find any information
 about them in the archive of the mailing list, wiki or FAQ.
 Or is this just a different name for check-items?

  Yes.  The term check items has been removed from 2.x

$ man unlang

  Alan DeKok.



Re: 802.1x, EAP and LDAP

2008-03-03 Thread Stefan Winter
Hi,

The debug log says when starting up:

 rlm_ldap: Over-riding set_auth_type, as we're not listed in the
 authenticate section.

My first suggestion would be: check if the mentions of ldap are commented out 
in the authenticate { } section - they are by default. Change that, and see 
how far you get. Chances are that that was all and it works :-)

Stefan


Re: 802.1x, EAP and LDAP

2008-03-03 Thread Alan DeKok
Mike Richardson wrote:
 My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco
 switch) to Freeradius 1.1.7 using Novell eDirectory LDAP.

  1) Configure and test TTLS with a user in the users file.
  2) Configure and test LDAP with radtest (clear-text password)
 for a *different* user
  3) test TTLS with a user in LDAP.

 I can successfully authenticate as a local user in the 'users' file but the
 LDAP side is eluding me.

  Don't do 802.1x and LDAP until you have normal radtest working with
LDAP.

  Alan DeKok.


error running perl

2008-03-03 Thread Oguzhan Kayhan
Hello,
I am getting the following error when I try to run Perl.

symbol lookup error: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol:
Perl_Tstack_sp_ptr

Where should i check for debugging this error?
What might be the possible reasons for that ?



freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded perl
 perl: module = /usr/local/bin/login.pl
 perl: func_authorize = authorize
 perl: func_authenticate = authenticate
 perl: func_accounting = accounting
 perl: func_preacct = preacct
 perl: func_checksimul = checksimul
 perl: func_detach = detach
 perl: func_xlat = xlat
 perl: func_pre_proxy = pre_proxy
 perl: func_post_proxy = post_proxy
 perl: func_post_auth = post_auth
 perl: perl_flags = (null)
 perl: func_start_accounting = (null)
 perl: func_stop_accounting = (null)
freeradius: symbol lookup error: /usr/lib/perl5/auto/DBI/DBI.so: undefined
symbol: Perl_Tstack_sp_ptr
---

freeradius -v
freeradius: FreeRADIUS Version 1.1.3, for host x86_64-pc-linux-gnu, built
on Dec 17 2006 at 01:07:30
Copyright (C) 2000-2006 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
-
perl -v

This is perl, v5.8.8 built for x86_64-linux-gnu-thread-multi





Re: How do I used my customized table in.

2008-03-03 Thread Ivan Kalik
You had your answer: rlm_sql expects a password attribute and an
operator. You don't have those in your schema so it can't create the
attribute-value pair. Rewrite the code in rlm_sql and fix them to some
value or write another (?perl) module to authenticate the user.

Ivan Kalik
Kalik Informatika ISP


On 3/3/2008, johnson elangbam [EMAIL PROTECTED] wrote:

Hi,
I am using FreeRADIUS server 2.0 and MS SQL 2000. I want to use my
customized tables, which contain only username and password. I've tried
modifying the query in dialup.conf, but it doesn't work. Please tell me the
solution.

Here is the piece of output after the user, who is stored in the
database, is rejected:

rad_recv: Access-Request packet from host 127.0.0.1 port 32807, id=226,
length=56
User-Name = John
User-Password = 1
NAS-IP-Address = 192.168.2.227
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = John, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} - John
rlm_sql (sql): sql_set_user escaped user -- 'John'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT UserName,Value FROM checking WHERE Username =
'%{SQL-User-Name}' - SELECT UserName,Value FROM checking WHERE Username =
'John'
query:  SELECT UserName,Value FROM checking WHERE Username = 'John'
rlm_sql_getvpdata: database query error
rlm_sql (sql): SQL query error; rejecting user
rlm_sql (sql): Released sql socket id: 3
++[sql] returns fail
Invalid user: [John/1] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - John
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 226 to 127.0.0.1 port 32807
Waking up in 4.9 seconds.
Cleaning up request 1 ID 226 with timestamp +17
Ready to process requests.

Regards
Elangbam Johnson



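The fixed-attribute, fixed-operator query that Stefan sketches and Ivan restates, as an added example that is not from either post: the two authorize queries of FreeRADIUS 2.0's sql/mssql/dialup.conf rewritten for the poster's checking(UserName, Value) table. It assumes rlm_sql 2.0's positional row layout id, username, attribute, value, op, and T-SQL syntax for MS SQL 2000.

```sql
-- Added example, not from the thread. Replacement for authorize_check_query in
-- sql/mssql/dialup.conf (FreeRADIUS 2.0) when the only table is
-- checking(UserName, Value), holding a user name and a cleartext password.
-- rlm_sql reads each row positionally as id, username, attribute, value, op,
-- so id is faked and the two constant columns are produced as string literals.
-- Keep %{SQL-User-Name}: rlm_sql escapes it (the "sql_set_user escaped user"
-- line in the debug above), whereas a raw %{User-Name} would be spliced into
-- the quoted literal unescaped.
SELECT 0                    AS id,
       UserName             AS username,
       'Cleartext-Password' AS attribute,
       [Value]              AS value,
       ':='                 AS op
  FROM checking
 WHERE UserName = '%{SQL-User-Name}'

-- Replacement for authorize_reply_query: the schema has no reply attributes,
-- but the query must still succeed, so return an empty set of the same shape
-- rather than letting a failed query reject the user.
SELECT 0 AS id, UserName AS username, '' AS attribute, '' AS value, '' AS op
  FROM checking
 WHERE 1 = 0
```

Each query goes into its double-quoted dialup.conf value (backslash line continuations as in the stock file), and read_groups = no in sql.conf keeps rlm_sql from running the group queries this schema has no tables for.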


Re: 802.1x, EAP and LDAP

2008-03-03 Thread Mike Richardson
On Mon, Mar 03, 2008 at 03:38:32PM +0100, Stefan Winter wrote:
 Hi,
 
 The debug log says when starting up:
 
  rlm_ldap: Over-riding set_auth_type, as we're not listed in the
  authenticate section.
 
 My first suggestion would be: check if the mentions of ldap are commented out 
 in the authenticate { } section - they are by default. Change that, and see 
 how far you get. Chances are that that was all and it works :-)

If it were only that easy... I've messed with that before. AFAICT that only
applies if you are doing plain text authentication. I'm using TTLS and PAP
because the password is going to be stored in an encrypted format in LDAP.

Here's the output after uncommenting as suggested:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded LDAP 
 ldap: server = UK-AC-MAN-MTEST
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=radiusadmin,ou=dir,o=ac,c=uk
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = /tmp/oak-test-publickeycert.pem
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = demand
 ldap: password = radius30
 ldap: basedn = c=uk
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = nspmdistributionpassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/freeradius/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the authenticate 
section.
rlm_ldap: reading ldap-radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS 

support for wimax vsa

2008-03-03 Thread Cristian Novac
Is it possible to estimate when WiMAX VSA support will be 
included in FreeRADIUS?



Re: 802.1x, EAP and LDAP

2008-03-03 Thread Mike Richardson
On Mon, Mar 03, 2008 at 03:44:29PM +0100, Alan DeKok wrote:
 Mike Richardson wrote:
  My first post: I'm trying to do 802.1x between Xsupplicant (through a Cisco
  switch) to Freeradius 1.1.7 using Novell eDirectory LDAP.
 
   1) Configure and test TTLS with a user in the users file.

Works.

   2) Configure and test LDAP with radtest (clear-text password)
  for a *different* user

Doesn't work. Similar sort of error though.

   3) test TTLS with a user in LDAP.
 
  I can successfully authenticate as a local user in the 'users' file but the
  LDAP side is eluding me.
 
   Don't do 802.1x and LDAP until you have normal radtest working with
 LDAP.

AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
test. The approach required appeared quite different but I'm open to
suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
in any format.

Anyway, the output from a test with 'radtest' and LDAP:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded LDAP 
 ldap: server = UK-AC-MAN-MTEST
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = cn=radiusadmin,ou=dir,o=ac,c=uk
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = /tmp/oak-test-publickeycert.pem
 ldap: tls_cacertdir = (null)
 ldap: tls_certfile = (null)
 ldap: tls_keyfile = (null)
 ldap: tls_randfile = (null)
 ldap: tls_require_cert = demand
 ldap: password = radius30
 ldap: basedn = c=uk
 ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 ldap: base_filter = (objectclass=radiusprofile)
 ldap: default_profile = (null)
 ldap: profile_attribute = (null)
 ldap: password_header = (null)
 ldap: password_attribute = nspmdistributionpassword
 ldap: access_attr = (null)
 ldap: groupname_attribute = cn
 ldap: groupmembership_filter = 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 ldap: groupmembership_attribute = (null)
 ldap: dictionary_mapping = /etc/freeradius/ldap.attrmap
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding 

How do I used my customized table in Ms Sql through perl script

2008-03-03 Thread johnson elangbam
hi,
I am using FreeRADIUS server 2.0 and MS SQL 2000. I want to use my
customized tables, which contain only username and password. I am
authenticating using a Perl script. Can I write SQL queries inside the Perl
script to fetch the data from the table rather than from the dialup.conf for
MS SQL, so that I can use my customized table?

Elangbam Johnson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x, EAP and LDAP

2008-03-03 Thread Mike Richardson
On Mon, Mar 03, 2008 at 04:46:36PM +0100, Alan DeKok wrote:
 Mike Richardson wrote:
2) Configure an test LDAP with radtest (clear-text password)
   for a *different* user
  
  Doesn't work. Similar sort of error though.
 
   Then fix that before proceeding with EAP.

Don't do 802.1x and LDAP until you have normal radtest working with
  LDAP.
  
  AFAICT radtest doesn't do EAP so it didn't seem to be a particularly valid
  test. 
 
   To be blunt: it's rude to ask questions of experts, and then to tell
 them that their answers are invalid.  If you know better, why are you
 asking questions on this list?

I'm not trying to be rude, I promise. I'm asking here because I don't know
better. I'm sorry if it sounds different; it's just that after a solid
week on this I'm a little frustrated. Apologies if this came through.

I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
that for tests. That seems to be a more realistic approach. If you think that
I can fix the problem by not attempting EAP and using radtest then that is
exactly what I shall do. 

  The approach required appeared quite different but I'm open to
  suggestions. I've spent a long time trying to get RADIUS/LDAP auth to work
  in any format.
 
   I've spent over 10 years working with RADIUS, and almost 9 years with
 FreeRADIUS.  The Active Directory with LDAP & TTLS issue has come up
 more times than I can count.  It has been *solved* more times than I can
 count, by FOLLOWING INSTRUCTIONS.

I am doing everything that has been asked of me. 

  Anyway, the output from a test with 'radtest' and LDAP:
 ...
  rlm_ldap: Over-riding set_auth_type, as we're not listed in the 
  authenticate section.
 
   You were told to go fix this.  Do it.  Now

I DID. I didn't think that posting the new radius config would be of use but
the section in authenticate is DEFINITELY there and uncommented. Why this
message is appearing in the output is a mystery to me.

  rad_recv: Access-Request packet from host 130.88.200.85:1025, id=61, 
  length=48
  User-Name = raduser2
  User-Password = raduser20
 ...
  rlm_ldap: looking for check items in directory...
 
   Nothing.  This isn't surprising for Active Directory.

Novell eDirectory not active directory.

  auth: No authenticate method (Auth-Type) configuration found for the 
  request: Rejecting the user
 
   If you have configured ldap in the authenticate section, then this
 would work.  The LDAP bind as user works with AD for PAP requests.

I did.

   Hint: look in the configuration files for instances of the word
 ldap.  Read the comments.  Un-comment the sample configurations.

I did.

   It's *not* hard.

I know, that's why I did it.

   1) install FreeRADIUS
   2) configure LDAP (*all* references in radiusd.conf &
 sites-available/default)
   3) validate that radtest works.

I'm reading everything and following all the instructions to the letter.
Please don't take that sort of attitude. I've explained that I'm not so I'd
appreciate it if you'd do the same.

Thanks,

Mike

-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ldap lower case usernames

2008-03-03 Thread Joe Vieira

Hi,

   So, I am using LDAP groups to handle my authorization for wireless 
(PEAP), and the uid field in OpenLDAP is not case sensitive 
(caseIgnoreMatch); on the other hand memberUID (for the groups) is 
(caseExactIA5Match). So wicked sucky, right? How can I get the 
User-Name lower-cased for JUST my LDAP authorization section? I don't 
want to mess with it anywhere else...


--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x, EAP and LDAP

2008-03-03 Thread Alan DeKok
Mike Richardson wrote:
 I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
 that for tests. That seems to be a more realistic approach. If you think that
 I can fix the problem by not attempting EAP and using radtest then that is
 exactly what I shall do. 

  Yes.  The problem has nothing to do with EAP.

 rlm_ldap: Over-riding set_auth_type, as we're not listed in the 
 authenticate section.
   You were told to go fix this.  Do it.  Now
 
 I DID. I didn't think that posting the new radius config would be of use but
 the section in authenticate is DEFINITELY there and uncommented. Why this
 message is appearing in the output is a mystery to me.

  How much of the default configuration file did you edit?  Start with
the *default* configuration, and make small changes from there.

  The default configuration *works*.

  If you've been trying to get this working for a long time, then either
there's a major bug in the version you're using, *or*, you're not
editing & testing the configuration in a systematic way.

 I'm reading everything and following all the instructions to the letter.
 Please don't take that sort of attitude. I've explained that I'm not so I'd
 appreciate it if you'd do the same.

  My amazement is that it appears to be so hard to get this working.
Honestly, the default configuration works in the widest possible set of
circumstances.  I can't tell you how many people just installed the
server, un-commented the ldap config, pointed it to their local ldap
server, tested with radtest, and saw that it worked.

  It really *is* that easy.  Try it.  If it doesn't work for you, then
there's something major going wrong.

  *That's* why configurations are tested in pieces.  If plain PAP
doesn't work when going to LDAP, then it's a complete and total waste of
your time to install and configure an 802.1x supplicant.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Class attribute, RFC Specified usage of ...

2008-03-03 Thread Arran Cudbard-Bell

Hi,

RFC 2865:

5.25.  Class

  Description

 This Attribute is available to be sent by the server to the client
 in an Access-Accept and SHOULD be sent unmodified by the client to
 the accounting server as part of the Accounting-Request packet if
 accounting is supported.  The client MUST NOT interpret the
 attribute locally.

  A summary of the Class Attribute format is shown below.  The fields
  are transmitted from left to right.

   0   1   2
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
  | Type  |Length |  String ...
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

  Type

 25 for Class.

  Length

 = 3

  String

 The String field is one or more octets.  The actual format of the
 information is site or application specific, and a robust
 implementation SHOULD support the field as undistinguished octets.

 The codification of the range of allowed usage of this field is
 outside the scope of this specification.

Was there an RFC that went on to define the proper usage of the Class 
attribute, or is its usage still ambiguous ?
I know some people use it to link accounting data to an authentication 
attempt


Thanks,
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Calling-Station-Id problem

2008-03-03 Thread Rob
While I am using Calling-Station-Id freeradius does not authenticate the
user. Without Calling-Station-Id (user Rob) it works OK. Can anybody
point me to where the problem is?
Checkval exists in radiusd.conf.

Freeradius 1.1.7
user file:
Alan  User-Password == 12345, Calling-Station-Id == 000d88b7c2de
Rob   User-Password == 123456
DEFAULT	Auth-Type = EAP, EAP-Type == PEAP, Proxy-To-Realm = LOCAL

Log from radius -X:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 130
 main: cleanup_delay = 10
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/freeradius/radiusd.pid
 main: user = radius
 main: group = radius
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 

Re: How do I used my customized table in Ms Sql through perl script

2008-03-03 Thread Ivan Kalik
Can I write SQL queries inside the perl
script to fetch the data from the table rather than from the dialup.conf for
Ms Sql so that i can used my customize table.


Yes. See doc/variables.txt for a list of variables that you might need to
pass to the script (you will need to pass at least the username).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x, EAP and LDAP

2008-03-03 Thread Mike Richardson
On Mon, Mar 03, 2008 at 05:23:44PM +0100, Alan DeKok wrote:
 Mike Richardson wrote:
  I'd read that radtest didn't do EAP so I installed Xsupplicant and was using
  that for tests. That seems to be a more realistic approach. If you think that
  I can fix the problem by not attempting EAP and using radtest then that is
  exactly what I shall do. 
 
   Yes.  The problem has nothing to do with EAP.
 
  rlm_ldap: Over-riding set_auth_type, as we're not listed in the 
  authenticate section.
You were told to go fix this.  Do it.  Now
  
  I DID. I didn't think that posting the new radius config would be of use but
  the section in authenticate is DEFINITELY there and uncommented. Why this
  message is appearing in the output is a mystery to me.
 
   How much of the default configuration file did you edit?  Start with
 the *default* configuration, and make small changes from there.

I've been making changes for 8 hours a day for over a week so it might
differ from the original. However, I have been back to the defaults twice. As of
tomorrow I'll reinstall and try it again. From what you're saying I believe
I need to put in the LDAP config for our eDirectory and uncomment any LDAP
authorisation/authentication entries. Anything else? 

Then I can use radtest to test the authentication? 

How does the config know to use PAP rather than CHAP/MSCHAP? 

   The default configuration *works*.
 
   If you've been trying to get this working for a long time, then either
 there's a major bug in the version you're using, *or*, you're not
 editing & testing the configuration in a systematic way.

Freeradius 1.1.7 on debian etch. 

I've been through every config guide I can find on the net, several times.
Admittedly at the start I'd only used Radiator so the Freeradius config was
quite different. 

It's only today though that I found a site which explained the limitations
of the PAP/CHAP/MSCHAP with respect to password encryptions. Most guides
assume MSCHAP, for use with PEAP, and most use flat file user
authentication. Not many touch on LDAP and only Novell have eDirectory based
documentation.

  I'm reading everything and following all the instructions to the letter.
  Please don't take that sort of attitude. I've explained that I'm not so I'd
  appreciate it if you'd do the same.
 
   My amazement is that it appears to be so hard to get this working.
 Honestly, the default configuration works in the widest possible set of
 circumstances.  I can't tell you how many people just installed the
 server, un-commented the ldap config, pointed it to their local ldap
 server, tested with radtest, and saw that it worked.

That's what I keep reading and trying but so far nothing. I have set up an
OpenLDAP server but so far I've got the same error messages as with
eDirectory. 

   It really *is* that easy.  Try it.  If it doesn't work for you, then
 there's something major going wrong.
 
   *That's* why configurations are tested in pieces.  If plain PAP
 doesn't work when going to LDAP, then it's a complete and total waste of
 your time to install and configure an 802.1x supplicant.

eDirectory was the only piece I have no control over (managed elsewhere) so I
started with Supplicant->RADIUS->files and got that working, then attempted
to add LDAP. It seemed to make sense at the time given the plethora of
documentation to help with this and little for RADIUS->LDAP. In hindsight it
was the wrong order but wisdom is not always learned linearly.

I hope that it all works and I won't need to come back other than to thank
you.

Mike

-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


CHAP with perl module

2008-03-03 Thread Jeremy Kusnetz
From RFC: 2865:

The random challenge can either be included in the
   CHAP-Challenge attribute or, if it is 16 octets long, it can be
   placed in the Request Authenticator field of the Access-Request
   packet.

We are able to retrieve the clear text password and encrypt it with
the CHAP-Challenge and see if it matches the CHAP-Password,
but as far as I can tell, we don't have access to the Request
Authenticator of the Access-Request packet in the perl module.

Any thoughts on how to support the RFC?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Calling-Station-Id problem

2008-03-03 Thread Ivan Kalik
Fix obvious errors:

- first line in eap.conf says not to use Auth-Type EAP

- instructions in users file (FAQ etc.) suggest a different password
attribute.

Ivan Kalik
Kalik Informatika ISP


Dana 3/3/2008, Rob [EMAIL PROTECTED] piše:

While I am using Calling-Station-Id freeradius does not authenticate the
user. Without Calling-Station-Id (user Rob) it works OK. Can anybody
point me to where the problem is?
Checkval exists in radiusd.conf.

Freeradius 1.1.7
user file:
Alan  User-Password == 12345, Calling-Station-Id == 000d88b7c2de
Rob   User-Password == 123456
DEFAULT	Auth-Type = EAP, EAP-Type == PEAP, Proxy-To-Realm = LOCAL

Log from radius -X:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 130
 main: cleanup_delay = 10
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/freeradius/radiusd.pid
 main: user = radius
 main: group = radius
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, 

Re: 802.1x, EAP and LDAP

2008-03-03 Thread Ivan Kalik
From what you're saying I believe
I need to put in the LDAP config for our eDirectory and uncomment any LDAP
authorisation/authentication entries. Anything else?

Then I can use radtest to test the authentication?

Yes. First test with user file entry, then with entry in the directory.


How does the config know to use PAP rather than CHAP/MSCHAP?


Welcome to FreeRADIUS. The server will figure it out on its own (it can
determine what type of request it is) and apply the appropriate
processing (i.e. set Auth-Type itself).

Once pap is working you can send a mschap request (radtest doesn't do it
but something like JRadius Simulator can) to make sure that works (you
haven't encrypted the password or such) before sending a PEAP request.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Class attribute, RFC Specified usage of ...

2008-03-03 Thread Phil Mayers
Was there an RFC that went on to define the proper usage of the Class 
attribute, or is its usage still ambiguous ?


Ambiguous how? The RFC seems pretty specific to me; the field is NOT to 
be interpreted by the NAS, is generated in the Access-Accept and sent in 
Accounting-Request - i.e. it's local to the radius server, do what you 
like with it.


I know some people use it to link accounting data to an authentication 
attempt


That's one (common) use. There are others e.g. I've used it to signal to 
the accounting server the type of NAS so that the exact method for 
kicking a session is known purely from the SQL accounting info.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
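
Phil's reading of RFC 2865 above (the NAS must not interpret Class, it only echoes it, so the String is the server's to use) is what makes the attribute useful for correlation. The block below is an added example for the question and the reply above; it is not code from the thread and not FreeRADIUS code. It packs a Class value in the Type/Length/String layout quoted from section 5.25, carries a NAS kind plus a session reference in the String the way Phil describes, adds an HMAC tag so the accounting side can tell a Class it issued from one a client made up, and parses the echoed value back out of an Accounting-Request attribute list. The String layout, the NAS kinds, CLASS_KEY and every packet below are this example's own assumptions and constructed data.

```python
"""RADIUS Class (attribute 25) as an opaque, server-local correlation handle.

Added example; not code from the mailing-list thread and not FreeRADIUS code.
The String layout 'naskind:sessionref-hex:tag-hex', the NAS kinds and
CLASS_KEY are assumptions made for the example.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

CLASS_TYPE = 25
MAX_STRING = 253      # an attribute is at most 255 octets; Type and Length take 2
TAG_LEN = 8           # truncated HMAC-SHA256, 16 hex characters on the wire

# Assumption: a key known only to the authentication and accounting servers.
CLASS_KEY = b"example-only-key-rotate-me"


def _tag(body: bytes) -> bytes:
    return hmac.new(CLASS_KEY, body, hashlib.sha256).digest()[:TAG_LEN]


def make_class_string(nas_kind: str, session_ref: bytes) -> bytes:
    """String field to send in the Access-Accept: 'naskind:sessionref-hex:tag-hex'."""
    if ":" in nas_kind or not nas_kind.isascii():
        raise ValueError("nas_kind must be ASCII without ':'")
    body = nas_kind.encode("ascii") + b":" + session_ref.hex().encode("ascii")
    string = body + b":" + _tag(body).hex().encode("ascii")
    if len(string) > MAX_STRING:
        raise ValueError("Class string too long for one attribute")
    return string


def verify_class_string(string: bytes) -> Optional[Tuple[str, bytes]]:
    """Parse a Class echoed in an Accounting-Request; None if the shape or tag is wrong."""
    body, sep, tag_hex = string.rpartition(b":")
    if not sep:
        return None
    try:
        tag = bytes.fromhex(tag_hex.decode("ascii"))
        nas_kind, _, ref_hex = body.partition(b":")
        session_ref = bytes.fromhex(ref_hex.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not hmac.compare_digest(tag, _tag(body)):
        return None
    return nas_kind.decode("ascii"), session_ref


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value, Length covering the whole attribute (RFC 2865 section 5)."""
    if not 0 <= len(value) <= MAX_STRING:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_avps(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list; reject truncated headers and lengths below 2."""
    out = []
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        out.append((attr_type, buf[i + 2:i + length]))
        i += length
    return out


def classes_in(buf: bytes) -> List[bytes]:
    """Every Class value in an attribute list; a NAS may echo more than one."""
    return [v for t, v in parse_avps(buf) if t == CLASS_TYPE]


def demo() -> List[Optional[Tuple[str, bytes]]]:
    """Constructed exchange: issue a Class, see it echoed, and see a forged one rejected."""
    ref = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed session ref
    issued = make_class_string("cisco-ios", ref)
    # Constructed Accounting-Request attribute list: User-Name (1),
    # Acct-Status-Type (40) = Start, the echoed Class, and a Class whose NAS kind
    # was altered after issue.
    forged = b"juniper" + issued[len(b"cisco-ios"):]
    acct = (encode_avp(1, b"zach")
            + encode_avp(40, struct.pack("!I", 1))
            + encode_avp(CLASS_TYPE, issued)
            + encode_avp(CLASS_TYPE, forged))
    return [verify_class_string(c) for c in classes_in(acct)]
```

The tag is the design choice worth noting: Class reaches the accounting server through the NAS, so anything in it that drives an action (Phil's "how to kick this session") should be something the NAS cannot mint or alter. Keep the String under 253 octets, and remember a proxy chain between the two servers may not preserve it.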


Re: Problems with 1.0.6-2.0.1 connecting to OpenLDAP 2.3.33

2008-03-03 Thread Zach Lowry
Sorry to reply to my own post, just curious if anyone had a chance to  
take a glance at this. I'm still stumped and starting to suspect that  
my OpenLDAP is borked somehow, due to the numerous revisions of  
Freeradius I've attempted now.


Thanks again,

--Zach

On Mar 1, 2008, at 6:18 PM, Zach Lowry wrote:

I'm running FreeRadius 2.0.1 on OpenBSD 4.2 on sparc64. I've also  
tried versions 1.0.6 and 1.1.6. I'm using OpenLDAP 2.3.33 with  
rlm_ldap. It works for the first request, then returns the following:


From FreeRadius:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 2362, id=66,
length=56
   User-Name = zach
   User-Password = *
   NAS-IP-Address = 192.168.2.11
   NAS-Port = 1812
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = zach, looking up realm NULL
   rlm_realm: No such realm NULL
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for zach
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=zach)
   expand: o=zachlowry.net,c=US -> o=zachlowry.net,c=US
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=zachlowry.net,c=US, with filter
(uid=zach)
rlm_ldap: ldap_search() failed: Timed out while waiting for server to
respond. Please increase the timeout.
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [zach/*] (from client localhost port 1812)
 Found Post-Auth-Type Reject
+- entering group REJECT
   expand: %{User-Name} -> zach
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 66 to 127.0.0.1 port 2362
Waking up in 4.9 seconds.
Cleaning up request 2 ID 66 with timestamp +113
Ready to process requests.

From OpenLDAP:

Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH
base=o=zachlowry.net,c=US scope=2 deref=0 filter=(uid=zach)
Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH
attr=radiusNASIpAddress radiusExpiration acctFlags sambaNtPassword
sambaLmPassword ntPassword lmPassword radiusCallingStationId
radiusCalledStationId radiusSimultaneousUse radiusAuthType
radiusCheckItem radiusReplyMessage radiusLoginLATPort radiusPortLimit
radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork
radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode
radiusLoginLATService radiusTerminationAction radiusIdleTimeout
radiusSessionTimeout radiusClass radiusFramedIPXNetwork  
radiusCallbackId

Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SRCH
attr=radiusCallbackNumber radiusLoginTCPPort radiusLoginService
radiusLoginIPHost radiusFramedCompression radiusFramedMTU
radiusFilterId radiusFramedRouting radiusFramedRoute
radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol
radiusServiceType radiusReplyItem userPassword
Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=4 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Mar  1 10:25:01 tweedledum slapd[9985]: conn=8483 op=5 ABANDON msg=5

I can't find where the ABANDON is sent to the LDAP server. The
increase the timeout error is found easily enough in rlm_ldap.c,
but I can't figure out what timeout to increase. I think there's a
deeper issue afoot, however.

Thanks,

--Zach


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Calling-Station-Id problem

2008-03-03 Thread Alan DeKok
Rob wrote:
 While I am using Calling-Station-Id freeradius does not authenticate the
 user. Without Calling-Station-Id (user Rob) it works OK. Can anybody
 point me to where the problem is?
 Checkval exists in radiusd.conf.

  Checkval isn't needed.  I have no idea why you would use it here.

 Freeradius 1.1.7
 user file:
 Alan  User-Password == 12345, Calling-Station-Id == 000d88b7c2de

  You don't need quotes around the user name.  The examples in the
users file show this.  You need to use Cleartext-Password := ..., too.
 This is in the FAQ.

 Rob   User-Password == 123456
 DEFAULT	Auth-Type = EAP, EAP-Type == PEAP, Proxy-To-Realm = LOCAL

  Delete that last line.  I have no idea why so many people insist on
setting Auth-Type.

  Can you please explain why you added it, and which documentation said
it was a good idea?  All of the documentation that is shipped with the
server says that you are NOT supposed to add it.

 Log from radius -X:
...
  peap: copy_request_to_tunnel = no

  The Calling-Station-Id is *not* present in the tunneled request.
So... unless you set this to yes, the entry above in the users file
will NOT match!

  And the debug log shows this:
...
   modcall[authorize]: module files returns notfound for request 6

  See?  No match.

 modcall: leaving group authorize (returns updated) for request 6
...
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for Alan with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

  And then authentication fails.

  Alan DeKok.
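Putting the three corrections above together, as an added example that is not from the original post or from the FreeRADIUS distribution: the users file entry with Cleartext-Password := and no quoting of the user name, the DEFAULT line dropped, and the peap section of eap.conf with copy_request_to_tunnel = yes so that the outer request's Calling-Station-Id is copied into the inner (tunneled) request, which is the one the users file is consulted for. The user names and MAC value are the ones from the post; default_eap_type and use_tunneled_reply are the shipped eap.conf defaults and are shown only for context.

```text
# users
Alan    Cleartext-Password := "12345", Calling-Station-Id == "000d88b7c2de"
Rob     Cleartext-Password := "123456"

# eap.conf, inside eap { ... }
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = no
}
```

One check before relying on the Calling-Station-Id match: the string compared is whatever the NAS actually sends (with or without separators, upper or lower case), and the Calling-Station-Id line in the radiusd -X output for the inner request shows that exact form. If the outer request shows the attribute but the inner one does not, copy_request_to_tunnel is still off.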


Re: CHAP with perl module

2008-03-03 Thread Alan DeKok
Jeremy Kusnetz wrote:
 We are able to retrieve the clear text password and encrypt it with the 
 CHAP-Challenge and see if it matches the CHAP-Password,
 but as far as I can tell, we don't have access to the Request Authenticator 
 of the Access-Request packet in the perl module.

  Why would you want access to it in the Perl module?  The chap module
already does this.

 Any thoughts on how to support the RFC?

  Use the code that's already in the server?

  Your Perl module should supply a Cleartext-Password to the server, and
the server will Just Do the Right Thing.

  If you're thinking of doing something else, I'd like to know why.
Odds are it's overly complicated and unnecessary.

  Alan DeKok.
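What the server's chap module does once it has a Cleartext-Password, written out as an added example in Python (not FreeRADIUS code and not anything posted in the thread): the NAS computes MD5(Identifier || password || challenge) as in RFC 1994 and sends it in CHAP-Password as a one-byte identifier followed by the 16-byte digest, and the server recomputes it from the cleartext password. When the Access-Request carries no CHAP-Challenge attribute, the 16-byte Request Authenticator is the challenge (RFC 2865 section 5.3), which is exactly why a Perl module doing this itself would need the authenticator, and why handing the server a Cleartext-Password is the simpler path. The password, identifier, authenticator and challenge bytes below are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()


def build_chap_password(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """What a NAS puts in the CHAP-Password attribute (RFC 2865 section 5.3):
    one byte of CHAP identifier followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, cleartext_password, challenge)


def verify_chap(chap_password: bytes, cleartext_password: bytes,
                chap_challenge: Optional[bytes], request_authenticator: bytes) -> bool:
    """Server-side check, the way rlm_chap does it once a Cleartext-Password exists.

    chap_password         -- value of the CHAP-Password attribute (17 bytes)
    chap_challenge        -- value of the CHAP-Challenge attribute, or None if absent
    request_authenticator -- the 16-byte Request Authenticator of the Access-Request;
                             it is the challenge when CHAP-Challenge is absent
    """
    if len(chap_password) != 17 or len(request_authenticator) != 16:
        return False
    ident, response = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(ident, cleartext_password, challenge)
    # Constant-time compare so a wrong response is not distinguishable by timing.
    return hmac.compare_digest(expected, response)


# Constructed sample values (not taken from any real exchange).
SAMPLE_PASSWORD = b"secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))   # stands in for the packet's Request Authenticator
SAMPLE_CHALLENGE = b"\xaa" * 16           # stands in for an explicit CHAP-Challenge attribute


def demo() -> bool:
    """NAS sent no CHAP-Challenge: the Request Authenticator doubles as the challenge."""
    attr = build_chap_password(1, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR)
    ok = verify_chap(attr, SAMPLE_PASSWORD, None, SAMPLE_AUTHENTICATOR)
    # The same attribute checked against a CHAP-Challenge the NAS never used must fail.
    wrong = verify_chap(attr, SAMPLE_PASSWORD, SAMPLE_CHALLENGE, SAMPLE_AUTHENTICATOR)
    return ok and not wrong


if __name__ == "__main__":
    print("CHAP verification:", "ok" if demo() else "FAILED")
```

The point for the Perl module is the last argument of verify_chap: only the server core has the Request Authenticator, so the module returns the cleartext password and leaves the comparison to rlm_chap. The same applies to MS-CHAP, where rlm_mschap derives the NT-Password from Cleartext-Password itself.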


Re: Problems with 1.0.6-2.0.1 connecting to OpenLDAP 2.3.33

2008-03-03 Thread Alan DeKok
Zach Lowry wrote:
 Sorry to reply to my own post, just curious if anyone had a chance to
 take a glance at this. I'm still stumped and starting to suspect that my
 OpenLDAP is borked somehow, due to the numerous revisions of Freeradius
 I've attempted now.

  Or maybe the OpenLDAP libraries on your system.

  Do the command-line ldap tools work?  Do other applications using the
ldap libraries work?

  Alan DeKok.


Re: ldap lower case usernames

2008-03-03 Thread Alan DeKok
Joe Vieira wrote:
So, I am using ldap groups to handle my authorization, for wireless
 (peap), and the uid field in openldap is not case sensitive
 (caseignorematch); on the other hand memberUID (for the groups) is
 (caseExactIA5Match). So wicked sucky, right? How can I get the
 user-name lowercased for JUST my ldap authorization section? I don't
 want to mess with it anywhere else...

  Perl.  Or, extend unlang to add tr support.  That's ugly, but useful.

  Alan DeKok.


Re: 802.1x, EAP and LDAP

2008-03-03 Thread Alan DeKok
Mike Richardson wrote:
 I've been making changes for 8 hours a day for over a week so it might
 differ from the original.

  Which is a bit of a problem in and of itself.

 However I've been back to the defaults twice. As of
 tomorrow I'll reinstall and try it again. From what you're saying I believe
 I need to put in the LDAP config for our eDirectory and uncomment any LDAP
 authorisation/authentication entries. Anything else?

  Not for LDAP.

 Then I can use radtest to test the authentication? 

  Yes.

 How does the config know to use PAP rather than CHAP/MSCHAP? 

  Because all of the experience of the developers working for years with
RADIUS is distilled into the configuration files.

 I've been through every config guide I can find on the net, several times.

  If it takes more than 10 minutes to get FreeRADIUS authenticating to
LDAP, ask a question on the list.  Honestly.  It's *so* much better to
get an answer on the list than to fight for a week...

 It's only today though that I found a site which explained the limitations
 of the PAP/CHAP/MSCHAP with respect to password encryptions.

  My deployingradius.com site?  It has a number of resources.

 Most guides
 assume MSCHAP, for use with PEAP, and most use flat file user
 authentication. Not many touch on LDAP and only Novell have eDirectory based
 documentation.

  Of course.  Only Novell understands how eDirectory works.

  For LDAP, buy the O'Reilly OpenLDAP book.  It has a good section on
getting OpenLDAP & FreeRADIUS to talk to each other.  It's very quick...

  Alan DeKok.