FreeRadius Log
Hi all, I have installed freeradius on a debian machine and it work well. In the log I see that freeradius record failed and accepted authentication, reporting the user, the password and the user client station, but not the device wich someone has tried to make access. For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user admin and password admin, but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access. There is a way to log also this information? Regards Danilo - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 2.0.5 - configure to use mysql radacct table instead of file
Vidar Hatlemark wrote: I see, so no extra config is needed to route the accounting info from the file it now uses into the mysql radacct table? As I said, the sql module is referenced in raddb/sites-available/default. You need to READ it, and uncomment all of the references to SQL. This includes the references in the accounting section. Since I got the radacct log files I guess I'm sending it wrong? (file instead of sql, even though it reads the sql?) What I said was that the server is NOT receiving accounting requests. Or am I supposed to both get that file with access request AND when the clients sends back the accounting packets then it will fill out the radacct table? What I said was that the radacct packets get populated when the server receives accounting requests. I'm asking so detailed because I expected pfSense to behave and send the accounting packets right. I guess it doesn't since radacct is still empty. Exactly. Read the pfSense documentation to see if it supports accounting packets. And in the schema.sql header it says : myslq -uroot -prootpass radius db_mysql.sql That's a typo. It's been fixed. So, when I log into the Captive Portal in pfSense using the user in my radius mysql table and the radacct tables doesn't get populatet - that's supposed to be a fault from pfSense? That's what I'm trying to tell you. Please believe me, and stop asking the same question again. The answer won't change. Sinse it only gives back the authentication packets logged in the radacct file... No. It's NOT logging to the radacct file. Go back and read the debug output again. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP or TTLS and Microsoft Vista.
nf-vale wrote: I'm also suffering from this Vista disease. But in my case I can authenticate users using PEAP, from XP SP2 and SP3 clients, even with Validating Server Certificate checked. The problem is only with Vista. I've all the windows updates available installed but I can't get it to work even with the Validate Server Certificate unchecked. In short, Vista is broken. Again. It's a little hard to tell why it's broken. The freeradius version that I'm using it's the 2.0.2, and I've tried both with the radius test certificates and other, and the behavior is exactly the same. Other people have gotten Vista to work with that configuration. Maybe it's an older version with different patches? The radius log always shows the following: ... Sending Access-Challenge of id 93 to 192.168.100.199 port 1024 ... Finished request 11. Going to the next request Waking up in 0.9 seconds. Waking up in 3.9 seconds. Cleaning up request 10 ID 92 with timestamp +1627 Which means that Vista has decided for it's own magical reasons to stop talking to the RADIUS server. Is there anything that I'm missing? Nope. Vista is broken. Microsoft does this in order to tell people that it works better with IAS than with other RADIUS servers. They've done this repeatedly with XP and with Vista. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Log
Danilo Molini wrote: For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user admin and password admin, but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access. See the FAQ for it doesn't work. Also, I'm not sure I understand what you're talking about. RADIUS does *not* provide the IP address of end machines during the authentication process. Routers do not usually do RADIUS authentication, either. *Switches* do RADIUS authentication. i.e. You seem to have confused the roles and/or names of the machines involved. As a result, it's difficult to understand what's happening, or what you want to have happen. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: User-Profile per user per NAS via LDAP? [SEC=UNCLASSIFIED]
UNCLASSIFIED Running version 2.0.5, with LDAP backend for authentication/authorization. Needed functionality: A single user account needs a different ldap/radius profile depending on which huntgroup the request is coming in on... the reason is that each user has a different Framed-IP-Address for each VPN concentrator they are coming in on. So each user needs a profile per NAS, I believe. I have separated out each NAS into its appropriate huntgroup, and am matching on that in the users file. Also trying to dynamically set the User-Profile. DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless, dc=net` Fall-Through = no (entire users file at the end of this message). The user is authenticated successfully (so the group matching and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is not being set. If I hard code in the value for uid, it works, so the problem is in the variable. I had a similar problem and ended up using a rewrite rule to solve it. For 1.1.x here is the rule I used to derive a dn from a huntgroup: attr_rewrite uprof { attribute = User-Profile # may be packet, reply, proxy, proxy_reply or config searchin = config searchfor = replacewith = cn=%{Huntgroup-Name},ou=Profiles,dc=... ignore_case = no new_attribute = yes max_matches = 10 append = no } The call to uprof is in the authorize section. I placed it after 'files' and before 'ldap'. So setting the replacewith = uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowirel ess,dc=net should do exactly what you want. However, using FR 2.x you can probably use unlang to do the same thing in a much clearer manner. regards, Frank Ranner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Log
I try to explain better what I want. My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1 The log report this information: Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1) Is it possibile to add the information of the router on which I have request access? I try to enable the datil log, but seems to be not work... But I'm searching on the mailing list archive an help for this problem. Thanks for the help! Regards Danilo 2008/7/23 Alan DeKok [EMAIL PROTECTED] Danilo Molini wrote: For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user admin and password admin, but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access. See the FAQ for it doesn't work. Also, I'm not sure I understand what you're talking about. RADIUS does *not* provide the IP address of end machines during the authentication process. Routers do not usually do RADIUS authentication, either. *Switches* do RADIUS authentication. i.e. You seem to have confused the roles and/or names of the machines involved. As a result, it's difficult to understand what's happening, or what you want to have happen. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
POP3
Hi, how to use (a remote) pop3 server with (a local) freeradius to authenticate users? thanks v. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: POP3
Am Mittwoch, 23. Juli 2008 09:44 schrieb Vittore Zen: Hi, how to use (a remote) pop3 server with (a local) freeradius to authenticate users? thanks v. What POP3 server? What methods is this using to authenticate (sasl, unix, pam, ...)? If PAM, see: http://freeradius.org/pam_radius_auth/ -- Dr. Michael Schwartzkopff MultiNET Services GmbH Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany Tel: +49 - 89 - 45 69 11 0 Fax: +49 - 89 - 45 69 11 21 mob: +49 - 174 - 343 28 75 mail: [EMAIL PROTECTED] web: www.multinet.de Sitz der Gesellschaft: 85630 Grasbrunn Registergericht: Amtsgericht München HRB 114375 Geschäftsführer: Günter Jurgeneit, Hubert Martens --- PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: POP3
Vittore Zen wrote: how to use (a remote) pop3 server with (a local) freeradius to authenticate users? What do you want to do? Authenticate pop3 users via RADIUS, or have FreeRADIUS check the pop3 server for valid users? If (1), see the pop3 documentation for any RADIUS and/or PAM integration. You can use native RADIUS, or pam_radius_auth. If (2), write a shell script. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Log
Danilo Molini wrote: I try to explain better what I want. My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1 'connect... how? Administrator login on the router? Please be specific. You have been careful to *not* describe what you are trying to do. The less information you give, the harder it is for anyone to help you. The log report this information: Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1 ) Is it possibile to add the information of the router on which I have request access? Read the log message again. It *is* printing out the client information. In this case, it's myhomenetwork-network. If you want it to print out something else for the name of the client, edit the shortname field of the client entry that defines the client IP, shared secret, etc. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_authentication for multiple supplicants
splintered thoughts wrote: I've trying to get ntlm_auth to authenticate several supplicants using freeradius 1.1.6, Upgrade. Is there a way to use regular expressions or otherwise to inspect the Stripped-User-Name to adjust which radius attribute is used in the ntlm_auth command, in other words look for a value Stripped-User-Name =~ /^value(.*)$/ and then use, for instance, the %{mschap:User-Name}in its place to authenticate? Is there a better approach? Upgrade to 2.0.5, and use unlang to do conditional checks regular expression matches. Set an intermediate variable (e.g. Tmp-String-0), and use that in the command-line to ntlm_auth. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP or TTLS and Microsoft Vista.
Lech Karol Pawłaszek wrote: I've tested my configuration with eapol_test command (as suggested at this site[1]) and it works fine. I've tested it against MacOsX 10.4 and MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2 and it works fine. It doesn't work with Windows Vista and Windows XP SP3. Please help! Vista and XP3 are broken. Microsoft does this deliberately. One more thing. If I won't use Windows' PEAP authorization and install securew2 and use securew2's auth - I am able to connect. Work for a minute or so and then NAS reports lost carrier and the connection is lost. Something else is going on there. The securew2 software Maybe the Vista wireless management is getting in the way, and hanging up on a perfectly valid connection. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Log
Right. The log lists short name from clients.conf which is a descriptive name that you give to your routers (so you can tell them apart easier than with IPs). So, login attempt was onto the router you called myhomenetwork-network. Ivan Kalik Kalik Informatika ISP Dana 23/7/2008, Danilo Molini [EMAIL PROTECTED] piše: I try to explain better what I want. My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1 The log report this information: Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1) Is it possibile to add the information of the router on which I have request access? I try to enable the datil log, but seems to be not work... But I'm searching on the mailing list archive an help for this problem. Thanks for the help! Regards Danilo 2008/7/23 Alan DeKok [EMAIL PROTECTED] Danilo Molini wrote: For example: from my pc I try to connect to a router without the correct credentials. Freeradius log that my PC with IP address 1.1.1.1 has tried to make access with the user admin and password admin, but do not report the address of the router to wich someone has tried to make access, so if I use freeradius for authenticating user on many device, I can't know on which device someone has tried to make access. See the FAQ for it doesn't work. Also, I'm not sure I understand what you're talking about. RADIUS does *not* provide the IP address of end machines during the authentication process. Routers do not usually do RADIUS authentication, either. *Switches* do RADIUS authentication. i.e. You seem to have confused the roles and/or names of the machines involved. As a result, it's difficult to understand what's happening, or what you want to have happen. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to set eap/ttls tunnel with auth-type pap work
rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Are you sure your supplicant is set to use PAP inside TTLS? You have disabled chap and mschap on the server so we can't see what is supplicant sending - it doesn't seem to be pap. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius Log
I'm sorry! I try to connect in telnet... Moreover, probably I solved my problem with your suggestion. In the clients.conf I create a specific client for each host on my network, like this: client 192.168.0.1/32 { secret = secret shortname = router } client 192.168.0.2/32 { secret = secret shortname = switch } and not a unique client like I using before: client 192.168.0.0/24 { secret = secret shortname = mynetwork } Now when I try to make access trough telnet on my router or on my switch, in the radius.log I see all the information that I need: Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client router port 194 cli 172.16.0.1) Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client switch port 194 cli 172.16.0.1) Thanks for the help! Regards Danilo 2008/7/23 Alan DeKok [EMAIL PROTECTED] Danilo Molini wrote: I try to explain better what I want. My freeradius server is 10.0.0.1 and the router that use the radius service is 192.168.0.1 and I try to connecto to the router from my pc with ip address 172.16.0.1 'connect... how? Administrator login on the router? Please be specific. You have been careful to *not* describe what you are trying to do. The less information you give, the harder it is for anyone to help you. The log report this information: Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1 ) Is it possibile to add the information of the router on which I have request access? Read the log message again. It *is* printing out the client information. In this case, it's myhomenetwork-network. If you want it to print out something else for the name of the client, edit the shortname field of the client entry that defines the client IP, shared secret, etc. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What's possible in hints file?
Gurus, normally, I would do a short check, but currently I've no connection to one of my running FR, but have to plan some extensions. Has someone of you done something like the following? Regarding 'hints' - file: Would it be possible to use - $INCLUDE /path/file? - Fall-Trough? - temp A/V pairs defined in the global dictionary file using an ID 3000 and using them as %{My-Attribute} later on? Thank you. Regards Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to send errors filtered to a special log file?
Gurus, For my Application, I have to build a central error file, which will be parsed by the HP Openview agents for monitoring. I'd like to write major errors raised by FR also into this file. It would be enough to have the DB errors in there. How can I configure FR, that these Messages are appended to this error file? Thank You. Regards Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
BCD decoding
Gurus, Would it be possible to BCD decode a VSA value coming from the NAS? I'm working in 3GPP environment. Some of my older GGSNs are sending the 3GPP-IMEISV as it will be delivered to them by the SGSN, which is BCD encoded. They just put the information into the 3GPP VSA. Times ago, it was not clearly defined by 3GPP, how the GGSN has to handle this attribute. Now it is defined, that it must be a string of 16 digits, which will be handled correctly by our new GGSNs. I can separate the different behaviors by the NAS IP, but will need the readable IMEI in the string format for later processing. How would I put such a decoding into a DEFAULT area, possibly in the hints file? Regards Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
authorization: unlang/NAS-IP-Address
Hi, I am using freeradius 2.0.5 with MySQL, I am very new to Radius and FreRadius so please pardon my ignorance I need to reject user if his NAS-IP-Address input attribute does not match check attributes defined for his group. For example radgroupcheck | 1 | GROUP1 | NAS-IP-Address | == | x.x.x.1 | 2 | GROUP1 | NAS-IP-Address | == | x.x.x.2 | 3 | GROUP1 | NAS-IP-Address | == | x.x.x.3 If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user should be accepted and reply attributes are sent back If however if user is coming from NAS-IP-Address y.y.y.1 he should be rejected (even in the case he provide a valid password and NAS y.y.y.1 is properly defined in NAS table with a valid shared key) Since I found that only one operator == for NAS-IP-Address check attrubute can be found, I changed authorize_group_check_query, but still I managed to get reply list as empty for invalid NAS-IP and expected attributes from valid NAS (which is part of check attributes) but user is accepted in both cases. Is there a way to check if reply list is empty in unlang (does not contain ANY attributes)? I tried this, but it does not work. if (!reply:[0]) { # reply list is empty reject } Do you have any suggestions? Thanks you very much for your reply. -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18609937.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorization: unlang/NAS-IP-Address
leopold wrote: If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user should be accepted and reply attributes are sent back If however if user is coming from NAS-IP-Address y.y.y.1 he should be rejected (even in the case he provide a valid password and NAS y.y.y.1 is properly defined in NAS table with a valid shared key) It's a little difficult to do that with just the SQL module. Since I found that only one operator == for NAS-IP-Address check attrubute can be found, I changed authorize_group_check_query, but still I managed to get reply list as empty for invalid NAS-IP and expected attributes from valid NAS (which is part of check attributes) but user is accepted in both cases. Is there a way to check if reply list is empty in unlang (does not contain ANY attributes)? No. However, see the return code from SQL. If it doesn't find the user, it should return notfound, or noop. Read the debug output to see more. You can then do: if (notfound) { reject } Which is what you want. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
groupmembership and vlan assignment
Hello We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (ie, staff, student, faculty, etc..): groupmembership_attribute = eduPersonPrimaryAffiliation, (where eduPersonPrimaryAffliation=staff, student, facult, etc..) Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here: - The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have. - The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like: eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1 So I'd need to parse the value as well to pull out the vlan name, in this case student1. I'm unsure how to get around these two issues. Any suggestions are welcome. Thanks Matt [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: What's possible in hints file?
Stefan A. wrote: Gurus, normally, I would do a short check, but currently I've no connection to one of my running FR, but have to plan some extensions. Has someone of you done something like the following? Regarding 'hints' - file: Would it be possible to use - $INCLUDE /path/file? rlm_preprocess uses pairlist_read to read in the file; this supports $INCLUDE so yes, it should work - Fall-Trough? I wrote a patch for that, which Alan incorporated into one of the recent releases. The git repo I have cloned says it went in on Mar 5th, and that it was in tagged 2.0.3 - see bug 477 - temp A/V pairs defined in the global dictionary file using an ID 3000 and using them as %{My-Attribute} later on? Sure, that's definitely possible. Thank you. Regards Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP or TTLS and Microsoft Vista.
Alan DeKok wrote: Lech Karol Pawłaszek wrote: I've tested my configuration with eapol_test command (as suggested at this site[1]) and it works fine. I've tested it against MacOsX 10.4 and MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2 and it works fine. It doesn't work with Windows Vista and Windows XP SP3. Please help! Vista and XP3 are broken. Microsoft does this deliberately. Is there any way to un-break it? I've tried to add server.cer to Vista however this doesn't help. I understand that it's Vista's and XP SP3's fault however I might be forced because of that to use Microsoft's solutions. Is there anyone who use FreeRADIUS w/ Vista for _WIRED_ connections? One more thing. If I won't use Windows' PEAP authorization and install securew2 and use securew2's auth - I am able to connect. Work for a minute or so and then NAS reports lost carrier and the connection is lost. Something else is going on there. The securew2 software Maybe the Vista wireless management is getting in the way, and hanging up on a perfectly valid connection. I know this is not the place to ask such questions however is there any way to check what might getting in the way? Or is there any other software besides Vista's built-in PEAP and securew2 TTLS which can be used w/ 802.1x? Kind regards, -- Lech Karol Pawłaszek ike You will never see me fall from grace [KoRn] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
does anyone have a fast reauth(session resumption) patch???
Thank you ! Cristian NOVAC - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP or TTLS and Microsoft Vista.
Lech Karol Pawłaszek wrote: Vista and XP3 are broken. Microsoft does this deliberately. Is there any way to un-break it? Ask Microsoft. I'll ask some of the people who may be (partially) responsible next week. I know this is not the place to ask such questions however is there any way to check what might getting in the way? Check the Windows EAP logs... there's a way to enable this, but I don't recall what it is. Or is there any other software besides Vista's built-in PEAP and securew2 TTLS which can be used w/ 802.1x? Cisco, Juniper, etc. all have supplicants. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Token Authorization
Hi, I'm a new user in freeRADIUS. I'd like to do a solution like token authentication. Firts step. User is authorized by user/password. Secound step: For the authentication from LDAP is taken further informations (like UID, date of birth) and user is asked about it. I think it is something familiar with CHAP Challenge but I don't know how to combine this solutions. Could somebody help me?? Greetings Krzysztof Kardas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Does anyone have a fast reauth(session resumption) patch for freeradius server???
Thank you!!! Cristian Novac. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorization: unlang/NAS-IP-Address
The problem is that all the users are valid and SQL module returns OK replyattribute list is empty, so I need somehow reject the user I did some dirty workaround if (!reply:Service-Type) { # reply list does not contain Service-Type reject } See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group ++[sql] returns ok ++? if (!reply:Service-Type) ? Evaluating !(reply:Service-Type) - FALSE ++? if (!reply:Service-Type) - TRUE ++- entering if (!reply:Service-Type) +++[reject] returns reject ++- if (!reply:Service-Type) returns reject Found Post-Auth-Type Reject +- entering group REJECT The problem is that I do not want to rely that reply list always contains Service-Type reply:Service-Type The SQL module returns OK even if there are no reply attributes Thanks again -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18612055.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP or TTLS and Microsoft Vista.
Alan DeKok wrote: Lech Karol Pawłaszek wrote: Vista and XP3 are broken. Microsoft does this deliberately. Is there any way to un-break it? Ask Microsoft. I'll ask some of the people who may be (partially) responsible next week. I know this is not the place to ask such questions however is there any way to check what might getting in the way? Check the Windows EAP logs... there's a way to enable this, but I don't recall what it is. Under windows XP you can do it via netsh; I think the command is: netsh ras set tracing eapol enable I never found a way to do this under Vista, though the last time I looked at Vista was a pre-release version. Or is there any other software besides Vista's built-in PEAP and securew2 TTLS which can be used w/ 802.1x? Cisco, Juniper, etc. all have supplicants. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: definitively, I have a problem with eap-tls
Sergio escribió: HI, continuing with Reveal MAP problem with unknown ca's under eap-tls using default configuration private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem freeradius tell me this: rlm_eap_tls: TLS 1.0 Handshake [length 0bdb], Certificate -- verify error:num=24:invalid CA certificate rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA well, it isn't a problem: cp server.pem root.pem cat ca.pem root.pem then I change CA_file = ${cadir}/root.pem ..and.eureka authentication succesfully but now there is a problem to check the CRL because root.pem then, something is wrong before making root.pem. well, just tell freeradius how to find certificates c_rehash /usr/local/etc/raddb/certs also doesn't works I think Reveal had the same problem and I have read about this on mailing list but nothing. Also I've tried to install ca.pem on /etc/ssl/certs using ln -s. Has somebody encountered problems with this apart from Reveal MAP and me? P.D. route certification into windows isn't a problem, only tell xp_supplicant who is root authority (It was logical) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Also me, sergio restarting: private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0 portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0 portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw lrwxrwxrwx 1 rootroot 6 2008-07-23 02:47 16593b28.0 - ca.pem lrwxrwxrwx 1 rootroot 10 2008-07-23 02:49 7d18a7eb.0 - server.pem portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem server.pem: OK portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt client.crt: OK and then, the user is rejected. The other configuration files are ok, also wpa_supplicant. look at this Reveal, be brave jejeje. am I forgetting something? I have two other eap modules working ok with a diferent authority than the server's and I'm really intrigue about this. somebody joins? jeje regards :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Token Authorization
Firts step. User is authorized by user/password. That would be radius. Secound step: For the authentication from LDAP is taken further informations (like UID, date of birth) and user is asked about it. That would be web or some other application that you will need to write. You sould probably use a captive portal and expand login page with this functionality. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorization: unlang/NAS-IP-Address
See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group ++[sql] returns ok That is wrong. If group check fails sql should return notfound. Check your sql entries again. Have you altered default sql queries in some way (you have left them out of the debug)? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorization: unlang/NAS-IP-Address
Ivan, Even with default SQL query it returns OK, because user is defined properly, it is just check attributes of group do not match I went to the code and I saw that rlm_sql_process_groups function causes the whole module to return OK even though NAS-IP-Address attribute does not match Note it does not return attributes, it just return OK /* * rows == 0. This is like having the username on a line * in the user's file with no check vp's. As such, we treat * it as found and add the reply attributes, so that we * match expected behavior */ found = 1; DEBUG2(rlm_sql (%s): User found in group %s, inst-config-xlat_name, group_list_tmp-groupname); User-Name = validuser User-Password = validpasswd NAS-IP-Address = y.y.y.1 rlm_sql (sql): Reserving sql socket id: 6 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql (sql): Released sql socket id: 6 ++[sql] returns ok Should this module return FAIL if group check fails? Ivan Kalik wrote: See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group ++[sql] returns ok That is wrong. If group check fails sql should return notfound. Check your sql entries again. Have you altered default sql queries in some way (you have left them out of the debug)? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: PEAP or TTLS and Microsoft Vista.
http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx To enable logging do the following: - Netsh wlan set tra yes - netsh ras set tr * en - Reproduce your problem - netsh ras set tr * dis - Netsh wlan set tra no If you go to the %windir%\tracing\wireless\ directory you will a load of .etl files in different directories. Use the tracerpt *.* command to change the .etl to readable .txt files. Tom PS. I don't like plugging like this but we are almost finished with the latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC and has been tested quite extensively with Vista SP0/SP1. -Oorspronkelijk bericht- Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Namens Phil Mayers Verzonden: woensdag 23 juli 2008 16:40 Aan: FreeRadius users mailing list Onderwerp: Re: PEAP or TTLS and Microsoft Vista. Alan DeKok wrote: Lech Karol Pawłaszek wrote: Vista and XP3 are broken. Microsoft does this deliberately. Is there any way to un-break it? Ask Microsoft. I'll ask some of the people who may be (partially) responsible next week. I know this is not the place to ask such questions however is there any way to check what might getting in the way? Check the Windows EAP logs... there's a way to enable this, but I don't recall what it is. Under windows XP you can do it via netsh; I think the command is: netsh ras set tracing eapol enable I never found a way to do this under Vista, though the last time I looked at Vista was a pre-release version. Or is there any other software besides Vista's built-in PEAP and securew2 TTLS which can be used w/ 802.1x? Cisco, Juniper, etc. all have supplicants. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Token Authorization
Dnia 2008-07-23, śro o godzinie 16:28 +0100, Ivan Kalik pisze: Firts step. User is authorized by user/password. That would be radius. Secound step: For the authentication from LDAP is taken further informations (like UID, date of birth) and user is asked about it. That would be web or some other application that you will need to write. You sould probably use a captive portal and expand login page with this functionality. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Well, not quite becouse I'd like to authorize threw radius many other applications that require authentication. For example VPN and dialin for admins. Besides mod_auth_radius works with CHALLENGE są there is no problem to have one good mechanizm for many problems. rlm_otp (as far as I egzam source code) has similar functionality. I'll try to run this module and mabye change some functionality that will it work or maybe wrote some code in perl and rewrite it to C. The main probem for me is the server configuration that server will request for CHALLEGNE. The rest is to develop. -- Greetings Krzysztof Kardas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorization: unlang/NAS-IP-Address
It seems that rlm_sql_process_groups in rlm_sql.c does not handle this situation 1. If paircompare fails in rlm_sql_process_groups it should not return found=1 2. rlm_sql_authorize should handle return code of rlm_sql_process_groups so that if it is not found it should actually return not found and not OK diff ./src/modules/rlm_sql/rlm_sql.c.ORIG ./src/modules/rlm_sql/rlm_sql.c 676a677,682 else { found = 0; DEBUG2(rlm_sql (%s): User not found in group %s, inst-config-xlat_name, group_list_tmp-groupname); } 1004a1011,1015 else { /* rows == 0 here */ found = 0; } 1048a1060,1064 else { /* rows == 0 here */ found = 0; Comments? -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18617625.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Token Authorization
krzychk2 wrote: I'd like to do a solution like token authentication. Token authentication is usually done as part of an existing authentication protocol. Which authentication protocol do you plan on using? Firts step. User is authorized by user/password. Secound step: For the authentication from LDAP is taken further informations (like UID, date of birth) and user is asked about it. I think it is something familiar with CHAP Challenge but I don't know how to combine this solutions. CHAP does not do end-user challenges. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Token Authorization
Dnia 2008-07-23, śro o godzinie 21:06 +0200, Alan DeKok pisze: krzychk2 wrote: I'd like to do a solution like token authentication. Token authentication is usually done as part of an existing authentication protocol. Which authentication protocol do you plan on using? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Well I'm in that happy situation that I'm at the beginning of the project and I can choose auth protocol. The only condition is that this has to be done by RADIUS server. So more protocols than better for me. So far I have done simple Active Directory User authorization threw kerberos (radius connects to AD threw kerberos and authorize users), now only tokens. AD LDAP also has no secrets for me so I can get the necessary informations for building tokens. -- Greetings Krzysztof Kardas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: definitively, I have a problem with eap-tls
Sergio escribió: Sergio escribió: HI, continuing with Reveal MAP problem with unknown ca's under eap-tls using default configuration private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem freeradius tell me this: rlm_eap_tls: TLS 1.0 Handshake [length 0bdb], Certificate -- verify error:num=24:invalid CA certificate rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA well, it isn't a problem: cp server.pem root.pem cat ca.pem root.pem then I change CA_file = ${cadir}/root.pem ..and.eureka authentication succesfully but now there is a problem to check the CRL because root.pem then, something is wrong before making root.pem. well, just tell freeradius how to find certificates c_rehash /usr/local/etc/raddb/certs also doesn't works I think Reveal had the same problem and I have read about this on mailing list but nothing. Also I've tried to install ca.pem on /etc/ssl/certs using ln -s. Has somebody encountered problems with this apart from Reveal MAP and me? P.D. route certification into windows isn't a problem, only tell xp_supplicant who is root authority (It was logical) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Also me, sergio restarting: private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0 portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0 portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw lrwxrwxrwx 1 rootroot 6 2008-07-23 02:47 16593b28.0 - ca.pem lrwxrwxrwx 1 rootroot 10 2008-07-23 02:49 7d18a7eb.0 - server.pem portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem server.pem: OK portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt client.crt: OK and then, the user is rejected. The other configuration files are ok, also wpa_supplicant. look at this Reveal, be brave jejeje. am I forgetting something? I have two other eap modules working ok with a diferent authority than the server's and I'm really intrigue about this. somebody joins? jeje regards :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Please, any suggestion? I'm going insane. I can do a new installation and to tell what I'm doing (only proxy_request = no, put my ap into clients.conf and put [EMAIL PROTECTED] into users file)... Also I've tried to install ca.pem and server.crt into /etc/ssl/certs (then openssl verify client.pem returns OK, without -CApath) Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: authorization: unlang/NAS-IP-Address
No, it should return notfound. I can confirm this. If check is put in radcheck table user will be rejected but if check (that should fail) is put in radgroupcheck table user is authenticated. That is not how things should work. It should return notfound if there is no match in radgroupcheck too. Ivan Kalik Kalik Informatika ISP Dana 23/7/2008, leopold [EMAIL PROTECTED] piše: Ivan, Even with default SQL query it returns OK, because user is defined properly, it is just check attributes of group do not match I went to the code and I saw that rlm_sql_process_groups function causes the whole module to return OK even though NAS-IP-Address attribute does not match Note it does not return attributes, it just return OK /* * rows == 0. This is like having the username on a line * in the user's file with no check vp's. As such, we treat * it as found and add the reply attributes, so that we * match expected behavior */ found = 1; DEBUG2(rlm_sql (%s): User found in group %s, inst-config-xlat_name, group_list_tmp-groupname); User-Name = validuser User-Password = validpasswd NAS-IP-Address = y.y.y.1 rlm_sql (sql): Reserving sql socket id: 6 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'validuser' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'validuser' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'validuser' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'GROUP1' ORDER BY id rlm_sql (sql): Released sql socket id: 6 ++[sql] returns ok Should this module return FAIL if group check fails? Ivan Kalik wrote: See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group ++[sql] returns ok That is wrong. If group check fails sql should return notfound. Check your sql entries again. Have you altered default sql queries in some way (you have left them out of the debug)? Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html