FreeRadius Log

2008-07-23 Thread Danilo Molini
Hi all,

I have installed freeradius on a Debian machine and it works well. In the log
I see that freeradius records failed and accepted authentications, reporting
the user, the password and the user's client station, but not the device which
someone has tried to access.

For example: from my PC I try to connect to a router without the correct
credentials. Freeradius logs that my PC with IP address 1.1.1.1 has tried to
make access with the user admin and password admin, but does not report
the address of the router which someone has tried to access, so if I
use freeradius for authenticating users on many devices, I can't know on which
device someone has tried to make access.

Is there a way to log this information as well?

Regards

Danilo
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.0.5 - configure to use mysql radacct table instead of file

2008-07-23 Thread Alan DeKok
Vidar Hatlemark wrote:
 I see, so no extra config is needed to route the accounting info from
 the file it now uses into the mysql radacct table?

  As I said, the sql module is referenced in
raddb/sites-available/default.  You need to READ it, and uncomment all
of the references to SQL.  This includes the references in the
accounting section.

 Since I got the radacct log files I guess I'm sending it wrong? (file
 instead of sql, even though it reads the sql?)

  What I said was that the server is NOT receiving accounting requests.

 Or am I supposed to both get that file with access request AND when the
 clients sends back the accounting packets then it will fill out the
 radacct table?

  What I said was that the radacct packets get populated when the server
receives accounting requests.

 I'm asking so detailed because I expected pfSense to behave and send the
 accounting packets right. I guess it doesn't since radacct is still empty.

  Exactly.  Read the pfSense documentation to see if it supports
accounting packets.

 And in the schema.sql header it says : myslq -uroot -prootpass radius 
 db_mysql.sql

  That's a typo.  It's been fixed.

 So, when I log into the Captive Portal in pfSense using the user in my
 radius mysql table and the radacct tables doesn't get populatet - that's
 supposed to be a fault from pfSense?

  That's what I'm trying to tell you.  Please believe me, and stop
asking the same question again.  The answer won't change.

 Sinse it only gives back the authentication packets logged in the
 radacct file...

  No.  It's NOT logging to the radacct file.  Go back and read the
debug output again.

  Alan DeKok.


Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Alan DeKok
nf-vale wrote:
 I'm also suffering from this Vista disease. But in my case I can
 authenticate users using PEAP, from XP SP2 and SP3 clients, even with
 Validating Server Certificate checked.
 
 The problem is only with Vista. I've all the windows updates available
 installed but I can't get it to work even with the Validate Server
 Certificate unchecked.

  In short, Vista is broken.  Again.  It's a little hard to tell why
it's broken.

 The freeradius version that I'm using it's the 2.0.2, and I've tried
 both with the radius test certificates and other, and the behavior is
 exactly the same.

  Other people have gotten Vista to work with that configuration.  Maybe
it's an older version with different patches?

 The radius log always shows the following:
...
 Sending Access-Challenge of id 93 to 192.168.100.199 port 1024
...
 Finished request 11.
 Going to the next request
 Waking up in 0.9 seconds. 
 Waking up in 3.9 seconds. 
 Cleaning up request 10 ID 92 with timestamp +1627

  Which means that Vista has decided for its own magical reasons to
stop talking to the RADIUS server.

 Is there anything that I'm missing?

  Nope.  Vista is broken.  Microsoft does this in order to tell people
that it works better with IAS than with other RADIUS servers.  They've
done this repeatedly with XP and with Vista.

  Alan DeKok.


Re: FreeRadius Log

2008-07-23 Thread Alan DeKok
Danilo Molini wrote:
 For example: from my pc I try to connect to a router without the correct
 credentials. Freeradius log that my PC with IP address 1.1.1.1
 has tried to make access with the user admin and
 password admin, but do not report the address of the router to wich
 someone has tried to make access, so if I use freeradius for
 authenticating user on many device, I can't know on which device someone
 has tried to make access.

  See the FAQ for "it doesn't work".

  Also, I'm not sure I understand what you're talking about.  RADIUS
does *not* provide the IP address of end machines during the
authentication process.  Routers do not usually do RADIUS
authentication, either.  *Switches* do RADIUS authentication.

  i.e. You seem to have confused the roles and/or names of the machines
involved.  As a result, it's difficult to understand what's happening,
or what you want to have happen.

  Alan DeKok.


RE: User-Profile per user per NAS via LDAP? [SEC=UNCLASSIFIED]

2008-07-23 Thread Ranner, Frank MR
UNCLASSIFIED


Running version 2.0.5, with LDAP backend for
authentication/authorization.

Needed functionality: A single user account needs a different
ldap/radius profile depending on which huntgroup the request is coming
in on... the reason is that each user has a different Framed-IP-Address
for each VPN concentrator they are coming in on.  So each user needs a
profile per NAS, I believe.

I have separated out each NAS into its appropriate huntgroup, and am
matching on that in the users file.  Also trying to dynamically set the
User-Profile.

DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net`
        Fall-Through = no

(entire users file at the end of this message).

The user is authenticated successfully (so the group matching and the
%{Huntgroup-Name} expansion are working fine), but the User-Profile is
not being set.  If I hard code in the value for uid, it works, so the
problem is in the variable.

 
I had a similar problem and ended up using a rewrite rule to solve it.
For 1.1.x here is the rule I used to derive a dn from a huntgroup:
 
attr_rewrite uprof {
        attribute = User-Profile
        # may be packet, reply, proxy, proxy_reply or config
        searchin = config
        searchfor = 
        replacewith = cn=%{Huntgroup-Name},ou=Profiles,dc=...
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        append = no
}

The call to uprof is in the authorize section. I placed it after 'files'
and before 'ldap'.
So setting the replacewith =
uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net
should do exactly what you want.
 
However, using FR 2.x you can probably use unlang to do the same thing
in a much clearer manner.
 
regards,
Frank Ranner

Re: FreeRadius Log

2008-07-23 Thread Danilo Molini
I'll try to explain better what I want.

My freeradius server is 10.0.0.1 and the router that uses the radius service
is 192.168.0.1, and I try to connect to the router from my PC with IP
address 172.16.0.1.

The log reports this information:

Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli 172.16.0.1)

Is it possible to add the information of the router on which I have requested
access?

I try to enable the detail log, but it does not seem to work... But I'm searching
the mailing list archive for help with this problem.

Thanks for the help!

Regards

Danilo

2008/7/23 Alan DeKok [EMAIL PROTECTED]

 Danilo Molini wrote:
  For example: from my pc I try to connect to a router without the correct
  credentials. Freeradius log that my PC with IP address 1.1.1.1
  has tried to make access with the user admin and
  password admin, but do not report the address of the router to wich
  someone has tried to make access, so if I use freeradius for
  authenticating user on many device, I can't know on which device someone
  has tried to make access.

  See the FAQ for it doesn't work.

  Also, I'm not sure I understand what you're talking about.  RADIUS
 does *not* provide the IP address of end machines during the
 authentication process.  Routers do not usually do RADIUS
 authentication, either.  *Switches* do RADIUS authentication.

  i.e. You seem to have confused the roles and/or names of the machines
 involved.  As a result, it's difficult to understand what's happening,
 or what you want to have happen.

  Alan DeKok.

POP3

2008-07-23 Thread Vittore Zen
Hi,

how to use (a remote) pop3 server with (a local) freeradius to authenticate
users?

thanks
v.

Re: POP3

2008-07-23 Thread Michael Schwartzkopff
On Wednesday, 23 July 2008 09:44, Vittore Zen wrote:
 Hi,

 how to use (a remote) pop3 server with (a local) freeradius to authenticate
 users?

 thanks
 v.

What POP3 server?
What methods is this using to authenticate (sasl, unix, pam, ...)?
If PAM, see:
http://freeradius.org/pam_radius_auth/

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: [EMAIL PROTECTED]
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


Re: POP3

2008-07-23 Thread Alan DeKok
Vittore Zen wrote:
 how to use (a remote) pop3 server with (a local) freeradius to
 authenticate users?

  What do you want to do?  Authenticate pop3 users via RADIUS, or have
FreeRADIUS check the pop3 server for valid users?

  If (1), see the pop3 documentation for any RADIUS and/or PAM
integration.  You can use native RADIUS, or pam_radius_auth.

  If (2), write a shell script.

  Alan DeKok.


Re: FreeRadius Log

2008-07-23 Thread Alan DeKok
Danilo Molini wrote:
 I try to explain better what I want.
  
 My freeradius server is 10.0.0.1  and the router that
 use the radius service is 192.168.0.1  and I try to
 connecto to the router from my pc with ip address 172.16.0.1

  'connect... how?  Administrator login on the router?  Please be specific.

  You have been careful to *not* describe what you are trying to do.
The less information you give, the harder it is for anyone to help you.

  
 The log report this information:
  
 Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli
 172.16.0.1 )
 Is it possibile to add the information of the router on which I have
 request access?

  Read the log message again.  It *is* printing out the client
information.  In this case, it's myhomenetwork-network.

  If you want it to print out something else for the name of the client,
edit the shortname field of the client entry that defines the client
IP, shared secret, etc.

  Alan DeKok.


Re: ntlm_authentication for multiple supplicants

2008-07-23 Thread Alan DeKok
splintered thoughts wrote:
 I've trying to get ntlm_auth to authenticate several supplicants using
 freeradius 1.1.6, 

  Upgrade.

 Is there a way to use regular expressions or otherwise to inspect the
 Stripped-User-Name to adjust which radius attribute is used in the
 ntlm_auth command, in other words look for a value
 
 Stripped-User-Name =~ /^value(.*)$/
 
 and then use, for instance, the %{mschap:User-Name}in its place to
 authenticate? Is there a better approach?

  Upgrade to 2.0.5, and use unlang to do conditional checks & regular
expression matches.  Set an intermediate variable (e.g. Tmp-String-0),
and use that in the command-line to ntlm_auth.

  Alan DeKok.


Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Alan DeKok
Lech Karol Pawłaszek wrote:
 I've tested my configuration with eapol_test command (as suggested at
 this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
 MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
 and it works fine. It doesn't work with Windows Vista and Windows XP
 SP3. Please help!

  Vista and XP3 are broken.  Microsoft does this deliberately.

 One more thing. If I won't use Windows' PEAP authorization and install
 securew2 and use securew2's auth - I am able to connect. Work for a
 minute or so and then NAS reports lost carrier and the connection is lost.

  Something else is going on there.  The securew2 software   Maybe the
Vista wireless management is getting in the way, and hanging up on a
perfectly valid connection.

  Alan DeKok.


Re: FreeRadius Log

2008-07-23 Thread Ivan Kalik
Right. The log lists short name from clients.conf which is a descriptive
name that you give to your routers (so you can tell them apart easier
than with IPs). So, login attempt was onto the router you called
myhomenetwork-network.

Ivan Kalik
Kalik Informatika ISP


On 23/7/2008, Danilo Molini [EMAIL PROTECTED] wrote:

I try to explain better what I want.

My freeradius server is 10.0.0.1 and the router that use the radius service
is 192.168.0.1 and I try to connecto to the router from my pc with ip
address 172.16.0.1

The log report this information:

Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli
172.16.0.1)
Is it possibile to add the information of the router on which I have request
access?

I try to enable the datil log, but seems to be not work... But I'm searching
on the mailing list archive an help for this problem.

Thanks for the help!

Regards

Danilo
2008/7/23 Alan DeKok [EMAIL PROTECTED]

 Danilo Molini wrote:
  For example: from my pc I try to connect to a router without the correct
  credentials. Freeradius log that my PC with IP address 1.1.1.1
  has tried to make access with the user admin and
  password admin, but do not report the address of the router to wich
  someone has tried to make access, so if I use freeradius for
  authenticating user on many device, I can't know on which device someone
  has tried to make access.

  See the FAQ for it doesn't work.

  Also, I'm not sure I understand what you're talking about.  RADIUS
 does *not* provide the IP address of end machines during the
 authentication process.  Routers do not usually do RADIUS
 authentication, either.  *Switches* do RADIUS authentication.

  i.e. You seem to have confused the roles and/or names of the machines
 involved.  As a result, it's difficult to understand what's happening,
 or what you want to have happen.

  Alan DeKok.


Re: how to set eap/ttls tunnel with auth-type pap work

2008-07-23 Thread Ivan Kalik
rlm_pap: No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.

Are you sure your supplicant is set to use PAP inside TTLS? You have
disabled chap and mschap on the server so we can't see what the
supplicant is sending - it doesn't seem to be pap.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRadius Log

2008-07-23 Thread Danilo Molini
I'm sorry! I try to connect in telnet...

Moreover, I have probably solved my problem with your suggestion.

In clients.conf I created a specific client for each host on my network,
like this:

client 192.168.0.1/32 {
        secret      = secret
        shortname   = router
}

client 192.168.0.2/32 {
        secret      = secret
        shortname   = switch
}

and not a unique client like I was using before:

client 192.168.0.0/24 {
        secret      = secret
        shortname   = mynetwork
}

Now when I try to access my router or my switch through telnet, in
radius.log I see all the information that I need:

Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client router port 194 cli 172.16.0.1)
Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client switch port 194 cli 172.16.0.1)

Thanks for the help!

Regards

Danilo

2008/7/23 Alan DeKok [EMAIL PROTECTED]

 Danilo Molini wrote:
  I try to explain better what I want.
 
  My freeradius server is 10.0.0.1  and the router that
  use the radius service is 192.168.0.1  and I try to
  connecto to the router from my pc with ip address 172.16.0.1

  'connect... how?  Administrator login on the router?  Please be specific.

  You have been careful to *not* describe what you are trying to do.
 The less information you give, the harder it is for anyone to help you.

 
  The log report this information:
 
  Auth: Login OK: [test] (from client myhomenetwork-network port 194 cli
  172.16.0.1 )
  Is it possibile to add the information of the router on which I have
  request access?

  Read the log message again.  It *is* printing out the client
 information.  In this case, it's myhomenetwork-network.

  If you want it to print out something else for the name of the client,
 edit the shortname field of the client entry that defines the client
 IP, shared secret, etc.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
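
Added example (not part of the thread, and not FreeRADIUS code): with one client entry per device, the shortname in radius.log identifies the device, so failed logins can be counted per device. The sample lines are constructed in the format quoted above, the "Login incorrect" lines assume the server logs "[user/password]" for failures, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the radius.log format quoted in the thread.
SAMPLE_LOG = """\
Wed Jul 23 12:06:42 2008 : Auth: Login OK: [test] (from client router port 194 cli 172.16.0.1)
Wed Jul 23 12:06:50 2008 : Auth: Login incorrect: [admin/admin] (from client router port 194 cli 172.16.0.1)
Wed Jul 23 12:06:55 2008 : Auth: Login incorrect: [admin/letmein] (from client switch port 194 cli 172.16.0.1)
Wed Jul 23 12:07:01 2008 : Auth: Login incorrect: [root/root] (from client router port 195 cli 172.16.0.9)
Wed Jul 23 12:07:02 2008 : Info: Ready to process requests.
Wed Jul 23 12:07:10 2008 : Auth: Login OK: [test] (from client switch port 194)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: "          # optional module message
    r"\[(?P<ident>.*)\] "                      # user, or user/password
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\s*\)\s*$"         # cli is optional
)


def parse_auth_line(line, bad_password_logged=True, good_password_logged=False):
    """Parse one radius.log line; return a dict, or None for non-Auth lines.

    When the server logs passwords, the bracket holds "user/password".
    The password is dropped here so it is not copied into reports.
    The split is on the last "/", so a logged password that itself
    contains "/" leaves part of it in the user field; the log format
    is ambiguous on that point.
    """
    m = AUTH_RE.match(line.strip())
    if m is None:
        return None
    ok = m.group("result") == "OK"
    user = m.group("ident")
    password_logged = good_password_logged if ok else bad_password_logged
    if password_logged and "/" in user:
        user = user.rpartition("/")[0]
    return {
        "time": m.group("ts"),
        "ok": ok,
        "user": user,
        "device": m.group("client"),    # shortname from clients.conf
        "nas_port": int(m.group("port")),
        "source": m.group("cli"),       # None when no station id was sent
    }


def failures_by_device(log_text, threshold=2):
    """Group failed logins by device shortname.

    Returns only the devices with at least `threshold` failures, each
    with the user names tried and the source stations they came from.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "sources": set()})
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event is None or event["ok"]:
            continue
        entry = stats[event["device"]]
        entry["failures"] += 1
        entry["users"].add(event["user"])
        if event["source"]:
            entry["sources"].add(event["source"])
    return {
        device: {
            "failures": e["failures"],
            "users": sorted(e["users"]),
            "sources": sorted(e["sources"]),
        }
        for device, e in stats.items()
        if e["failures"] >= threshold
    }


if __name__ == "__main__":
    for device, info in failures_by_device(SAMPLE_LOG).items():
        print(device, info)
```

With a single /24 client entry every line carries the same shortname, so this grouping collapses to one bucket; the per-device entries are what make it useful.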

What's possible in hints file?

2008-07-23 Thread Stefan A.
Gurus,

normally, I would do a short check, but currently I've no connection to one
of my running FR, but have to plan some extensions. 
Has someone of you done something like the following?

Regarding 'hints' - file: Would it be possible to use 
- $INCLUDE /path/file?
- Fall-Trough?
- temp A/V pairs defined in the global dictionary file using an ID  3000
and using them as %{My-Attribute} later on?

Thank you.

Regards 
Stefan



How to send errors filtered to a special log file?

2008-07-23 Thread Stefan A.
Gurus,


For my Application, I have to build a central error file, which will be
parsed by the HP Openview agents for monitoring.
I'd like to write major errors raised by FR also into this file. It would be
enough to have the DB errors in there.
How can I configure FR, that these Messages are appended to this error file?

Thank You.

Regards 
Stefan




BCD decoding

2008-07-23 Thread Stefan A.
Gurus,

Would it be possible to BCD decode a VSA value coming from the NAS?
I'm working in 3GPP environment.
Some of my older GGSNs are sending the 3GPP-IMEISV as it will be delivered
to them by the SGSN, which is BCD encoded. They just put the information
into the 3GPP VSA. Times ago, it was not clearly defined by 3GPP, how the
GGSN has to handle this attribute. Now it is defined, that it must be a
string of 16 digits, which will be handled correctly by our new GGSNs.
I can separate the different behaviors by the NAS IP, but will need the
readable IMEI in the string format for later processing.
How would I put such a decoding into a DEFAULT area, possibly in the hints
file?

Regards 
Stefan
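
Added example (not from the thread, and not FreeRADIUS code): a normaliser for the two 3GPP-IMEISV encodings described in the post above, of the kind an external script could apply. It assumes the older GGSNs pass through 8 octets of packed BCD with the low nibble holding the first digit (TBCD), and that a binary value may reach the script either as raw bytes or as a "0x..." hex string; the function names and the sample IMEISV are constructed.

```python
"""Normalise 3GPP-IMEISV values that arrive either as 16 ASCII digits
or as 8 octets of packed BCD (assumed TBCD: low nibble = first digit)."""

# Constructed sample value, not a real device identity.
SAMPLE_DIGITS = "3520990017614823"
SAMPLE_BCD = bytes.fromhex("5302990071168432")


class ImeisvError(ValueError):
    """Raised when a value matches neither expected encoding."""


def tbcd_decode(raw: bytes) -> str:
    """Decode packed BCD, low nibble first; a trailing 0xF nibble is filler."""
    nibbles = []
    for octet in raw:
        nibbles.append(octet & 0x0F)
        nibbles.append(octet >> 4)
    if nibbles and nibbles[-1] == 0xF:
        nibbles.pop()  # odd number of digits: last high nibble is padding
    if any(n > 9 for n in nibbles):
        raise ImeisvError("non-decimal nibble in BCD value: %s" % raw.hex())
    return "".join(str(n) for n in nibbles)


def to_bytes(value) -> bytes:
    """Accept raw bytes or text; text starting with 0x is read as hex octets."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    text = value.strip()
    if text[:2].lower() == "0x":
        try:
            return bytes.fromhex(text[2:])
        except ValueError as exc:
            raise ImeisvError("malformed hex string") from exc
    return text.encode("latin-1", "replace")


def normalize_imeisv(value) -> str:
    """Return the IMEISV as a 16-digit string, whichever encoding was sent."""
    raw = to_bytes(value)
    # Newer GGSNs: already a string of 16 digits, pass it through.
    if len(raw) == 16 and raw.isdigit():
        return raw.decode("ascii")
    # Older GGSNs: 8 octets of packed BCD, two digits per octet.
    if len(raw) == 8:
        digits = tbcd_decode(raw)
        if len(digits) == 16:
            return digits
        raise ImeisvError("BCD value holds %d digits, expected 16" % len(digits))
    raise ImeisvError("unexpected 3GPP-IMEISV length %d" % len(raw))


if __name__ == "__main__":
    print(normalize_imeisv(SAMPLE_BCD))
    print(normalize_imeisv(SAMPLE_DIGITS))
```

The length of the value is enough to tell the two encodings apart, so the result can be cross-checked against the per-NAS-IP split mentioned in the post.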



authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

Hi,
I am using freeradius 2.0.5 with MySQL. I am very new to Radius and
FreeRADIUS, so please pardon my ignorance.

I need to reject user if his NAS-IP-Address input attribute does not match
check attributes defined for his group.
For example radgroupcheck
| 1 | GROUP1   | NAS-IP-Address | == | x.x.x.1
| 2 | GROUP1   | NAS-IP-Address | == | x.x.x.2
| 3 | GROUP1   | NAS-IP-Address | == | x.x.x.3

  
If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user
should be accepted and reply attributes are sent back
If however if user is coming from NAS-IP-Address y.y.y.1 he should be
rejected (even in the case he provide a valid password and NAS y.y.y.1 is
properly defined in NAS table with a valid shared key)

Since I found that only one operator == for NAS-IP-Address check attribute
can be found, I changed 
authorize_group_check_query, but still I managed to get reply list as empty
for invalid NAS-IP and expected attributes from valid NAS (which is part of
check attributes) but user is accepted in both cases.

Is there a way to check if reply list is empty in unlang (does not contain
ANY attributes)?
I tried this, but it does not work.
if (!reply:[0]) {
        # reply list is empty
        reject
}

Do you have any suggestions?

Thank you very much for your reply.
-- 
View this message in context: 
http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18609937.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread Alan DeKok
leopold wrote:
 If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user
 should be accepted and reply attributes are sent back
 If however if user is coming from NAS-IP-Address y.y.y.1 he should be
 rejected (even in the case he provide a valid password and NAS y.y.y.1 is
 properly defined in NAS table with a valid shared key)

  It's a little difficult to do that with just the SQL module.

 Since I found that only one operator == for NAS-IP-Address check attrubute
 can be found, I changed 
 authorize_group_check_query, but still I managed to get reply list as empty
 for invalid NAS-IP and expected attributes from valid NAS (which is part of
 check attributes) but user is accepted in both cases.
 
 Is there a way to check if reply list is empty in unlang (does not contain
 ANY attributes)?

  No.  However, see the return code from SQL.  If it doesn't find the
user, it should return notfound, or noop.  Read the debug output to
see more.  You can then do:

if (notfound) {
        reject
}

  Which is what you want.

  Alan DeKok.


groupmembership and vlan assignment

2008-07-23 Thread Matt Ashfield
Hello

We have been using the groupmembership attribute in radius.conf to assign
users to the appropriate vlans. Up until now we've done it based on the type
of LDAP user they are (i.e., staff, student, faculty, etc.):

groupmembership_attribute = eduPersonPrimaryAffiliation, (where
eduPersonPrimaryAffiliation=staff, student, faculty, etc.)

Unfortunately, our student vlans have grown significantly large and we want
to take measures to make them smaller. We have looked into using LDAP
entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record
  can have multiple instances of this attribute for each different entitlement
  they have.

- The eduPersonEntitlement attribute has a value that is not simply
  the name of a vlan. It is typically something like:

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this
case student1.

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks

Matt

[EMAIL PROTECTED]



Re: What's possible in hints file?

2008-07-23 Thread Phil Mayers

Stefan A. wrote:

Gurus,

normally, I would do a short check, but currently I've no connection to one
of my running FR, but have to plan some extensions. 
Has someone of you done something like the following?


Regarding 'hints' - file: Would it be possible to use 
- $INCLUDE /path/file?


rlm_preprocess uses pairlist_read to read in the file; this supports 
$INCLUDE so yes, it should work



- Fall-Trough?


I wrote a patch for that, which Alan incorporated into one of the recent 
releases. The git repo I have cloned says it went in on Mar 5th, and 
that it was in tagged 2.0.3 - see bug 477



- temp A/V pairs defined in the global dictionary file using an ID  3000
and using them as %{My-Attribute} later on?


Sure, that's definitely possible.



Thank you.

Regards 
Stefan




Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Lech Karol Pawłaszek

Alan DeKok wrote:

Lech Karol Pawłaszek wrote:

I've tested my configuration with eapol_test command (as suggested at
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work with Windows Vista and Windows XP
SP3. Please help!


  Vista and XP3 are broken.  Microsoft does this deliberately.


Is there any way to un-break it? I've tried to add server.cer to Vista 
however this doesn't help. I understand that it's Vista's and XP SP3's 
fault however I might be forced because of that to use Microsoft's 
solutions.


Is there anyone who use FreeRADIUS w/ Vista for _WIRED_ connections?


One more thing. If I won't use Windows' PEAP authorization and install
securew2 and use securew2's auth - I am able to connect. Work for a
minute or so and then NAS reports lost carrier and the connection is lost.


  Something else is going on there.  The securew2 software   Maybe the
Vista wireless management is getting in the way, and hanging up on a
perfectly valid connection.


I know this is not the place to ask such questions however is there any 
way to check what might getting in the way?


Or is there any other software besides Vista's built-in PEAP and 
securew2 TTLS which can be used w/ 802.1x?


Kind regards,

--
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]


does anyone have a fast reauth(session resumption) patch???

2008-07-23 Thread Cristian Novac

Thank you !
Cristian NOVAC


Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Alan DeKok
Lech Karol Pawłaszek wrote:
   Vista and XP3 are broken.  Microsoft does this deliberately.
 
 Is there any way to un-break it?

  Ask Microsoft.  I'll ask some of the people who may be (partially)
responsible next week.

 I know this is not the place to ask such questions however is there any
 way to check what might getting in the way?

  Check the Windows EAP logs... there's a way to enable this, but I
don't recall what it is.

 Or is there any other software besides Vista's built-in PEAP and
 securew2 TTLS which can be used w/ 802.1x?

  Cisco, Juniper, etc. all have supplicants.

  Alan DeKok.


Token Authorization

2008-07-23 Thread krzychk2
Hi,

I'm a new user in freeRADIUS. 

I'd like to do a solution like token authentication.

First step:
User is authorized by user/password.

Second step:
For the authentication, further information (like UID, date of birth) is
taken from LDAP and the user is asked about it.

I think it is something familiar with CHAP Challenge but I don't know how to 
combine this solutions.

Could somebody help me??

Greetings 
Krzysztof Kardas






Does anyone have a fast reauth(session resumption) patch for freeradius server???

2008-07-23 Thread Cristian Novac

Thank you!!!
Cristian Novac.


Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

The problem is that all the users are valid and SQL module returns OK
replyattribute list is empty, so I need somehow reject the user

I did some dirty workaround 
if (!reply:Service-Type) {
        # reply list does not contain Service-Type
        reject
}

See in debug output a valid user with valid password comes from wrong
NAS-IP-Address which does not belong to check attributes of the user's group

++[sql] returns ok
++? if (!reply:Service-Type)
? Evaluating !(reply:Service-Type) - FALSE
++? if (!reply:Service-Type) - TRUE
++- entering if (!reply:Service-Type)
+++[reject] returns reject
++- if (!reply:Service-Type) returns reject
  Found Post-Auth-Type Reject
+- entering group REJECT

The problem is that I do not want to rely that reply list always contains
Service-Type
reply:Service-Type


The SQL module returns OK even if there are no reply attributes

Thanks again
-- 
View this message in context: 
http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18612055.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Phil Mayers

Alan DeKok wrote:

Lech Karol Pawłaszek wrote:

  Vista and XP3 are broken.  Microsoft does this deliberately.

Is there any way to un-break it?


  Ask Microsoft.  I'll ask some of the people who may be (partially)
responsible next week.


I know this is not the place to ask such questions however is there any
way to check what might getting in the way?


  Check the Windows EAP logs... there's a way to enable this, but I
don't recall what it is.


Under windows XP you can do it via netsh; I think the command is:

netsh ras set tracing eapol enable

I never found a way to do this under Vista, though the last time I 
looked at Vista was a pre-release version.





Or is there any other software besides Vista's built-in PEAP and
securew2 TTLS which can be used w/ 802.1x?


  Cisco, Juniper, etc. all have supplicants.

  Alan DeKok.


Re: definitively, I have a problem with eap-tls

2008-07-23 Thread Sergio

Sergio wrote:

HI,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

freeradius tell me this:

rlm_eap_tls:  TLS 1.0 Handshake [length 0bdb], Certificate
-- verify error:num=24:invalid CA certificate
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem >> root.pem
then I change CA_file = ${cadir}/root.pem

..and.eureka authentication succesfully but

now there is a problem to check the CRL because root.pem then, something
is wrong before making root.pem.

well, just tell freeradius how to find certificates

c_rehash /usr/local/etc/raddb/certs also doesn't works
I think Reveal had the same problem and I have read about this on
mailing list but nothing.

Also I've tried to install ca.pem on /etc/ssl/certs using ln -s. Has
somebody encountered problems with this apart from Reveal MAP and me?

P.S. route certification into windows isn't a problem, only tell
xp_supplicant who is root authority (It was logical)



  

Also me, sergio

restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0


portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 root root   6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 root root  10 2008-07-23 02:49 7d18a7eb.0 -> server.pem

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then, the user is rejected. The other configuration files are ok,
also wpa_supplicant. look at this Reveal, be brave jejeje.
am I forgetting something?
I have two other eap modules working ok with a different authority than
the server's and I'm really intrigued about this. somebody joins? jeje

regards :)




Re: Token Authorization

2008-07-23 Thread Ivan Kalik
First step.
User is authorized by user/password.

That would be radius.

Second step:
For the authentication from LDAP is taken further information (like UID, date 
of birth) and user is asked about it.


That would be web or some other application that you will need to write.
You should probably use a captive portal and expand login page with this
functionality.

Ivan Kalik
Kalik Informatika ISP



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread Ivan Kalik
See in debug output a valid user with valid password comes from wrong
NAS-IP-Address which does not belong to check attributes of the user's group

++[sql] returns ok

That is wrong. If group check fails sql should return notfound. Check
your sql entries again. Have you altered default sql queries in some way
(you have left them out of the debug)?

Ivan Kalik
Kalik Informatika ISP



Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

Ivan,
Even with default SQL query it returns OK, because user is defined properly,
it is just check attributes of group do not match

I went to the code and I saw that rlm_sql_process_groups function causes the
whole module to return OK even though NAS-IP-Address attribute does not
match
Note it does not return attributes, it just returns OK

/*
 *  rows == 0.  This is like having the username on a line
 *  in the user's file with no check vp's.  As such, we treat
 *  it as found and add the reply attributes, so that we
 *  match expected behavior
 */
found = 1;
DEBUG2("rlm_sql (%s): User found in group %s",
       inst->config->xlat_name, group_list_tmp->groupname);


User-Name = validuser
User-Password = validpasswd
NAS-IP-Address = y.y.y.1


rlm_sql (sql): Reserving sql socket id: 6
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'validuser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'validuser'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'validuser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'validuser'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'validuser'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   WHERE username = 'validuser'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok

Should this module return FAIL if group check fails?


Ivan Kalik wrote:
 
See in debug output a valid user with valid password comes from wrong
NAS-IP-Address which does not belong to check attributes of the user's
group

++[sql] returns ok
 
 That is wrong. If group check fails sql should return notfound. Check
 your sql entries again. Have you altered default sql queries in some way
 (you have left them out of the debug)?
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 

-- 
View this message in context: 
http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



RE: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread SecureW2 (List)
http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx

To enable logging do the following:

- Netsh wlan set tra yes
- netsh ras set tr * en
- Reproduce your problem
- netsh ras set tr * dis
- Netsh wlan set tra no

If you go to the %windir%\tracing\wireless\ directory you will find a load of
.etl files in different directories.

Use the tracerpt *.* command to change the .etl to readable .txt files.

Tom

PS. I don't like plugging like this but we are almost finished with the
latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
and has been tested quite extensively with Vista SP0/SP1. 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Phil Mayers
 Sent: Wednesday, 23 July 2008 16:40
 To: FreeRadius users mailing list
 Subject: Re: PEAP or TTLS and Microsoft Vista.
 
 Alan DeKok wrote:
  Lech Karol Pawłaszek wrote:
Vista and XP3 are broken.  Microsoft does this deliberately.
  Is there any way to un-break it?
 
Ask Microsoft.  I'll ask some of the people who may be (partially)
  responsible next week.
 
  I know this is not the place to ask such questions, however is there any
  way to check what might be getting in the way?
 
Check the Windows EAP logs... there's a way to enable this, but I
  don't recall what it is.
 
 Under Windows XP you can do it via netsh; I think the command is:
 
 netsh ras set tracing eapol enable
 
 I never found a way to do this under Vista, though the last time I
 looked at Vista was a pre-release version.
 
 
  Or is there any other software besides Vista's built-in PEAP and
  securew2 TTLS which can be used w/ 802.1x?
 
Cisco, Juniper, etc. all have supplicants.
 
Alan DeKok.


Re: Token Authorization

2008-07-23 Thread krzychk2
On 2008-07-23 (Wed) at 16:28 +0100, Ivan Kalik wrote:
 First step.
 User is authorized by user/password.
 
 That would be radius.
 
 Second step:
 For the authentication from LDAP is taken further information (like UID, 
 date of birth) and user is asked about it.
 
 
 That would be web or some other application that you will need to write.
 You should probably use a captive portal and expand login page with this
 functionality.
 
 Ivan Kalik
 Kalik Informatika ISP
 

Well, not quite, because I'd like to authorize through radius many other
applications that require authentication. 

For example VPN and dialin for admins. Besides mod_auth_radius works
with CHALLENGE so there is no problem to have one good mechanism for
many problems.

rlm_otp (as far as I examined the source code) has similar functionality. I'll
try to run this module and maybe change some functionality so that it
will work, or maybe write some code in perl and rewrite it to C.

The main problem for me is the server configuration that server will
request for CHALLENGE. The rest is to develop. 

-- 
Greetings
Krzysztof Kardas




Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread leopold

It seems that rlm_sql_process_groups in rlm_sql.c does not handle this
situation

1. If paircompare fails in rlm_sql_process_groups it should not return
found=1
2. rlm_sql_authorize should handle return code of rlm_sql_process_groups so
that if it is not found it should actually return not found and not OK

diff ./src/modules/rlm_sql/rlm_sql.c.ORIG ./src/modules/rlm_sql/rlm_sql.c
676a677,682
   else
   {
   found = 0;
   DEBUG2(rlm_sql (%s): User not found in
 group %s,
   inst-config-xlat_name,
 group_list_tmp-groupname);
   }
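Review bot: the DEBUG2 text in this new else branch, "User not found in group %s", does not describe what happened. Per point 1 of the description this path is reached when paircompare fails, that is, the user is a member of the group and the group's check items do not match the request; a message such as "check items do not match for group %s" would stop the debug output from pointing at radusergroup. Also confirm that "found = 0" here cannot clear a match already recorded for an earlier group if "found" is shared across iterations of the group loop; clearing it once before the loop avoids that.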
1004a1011,1015
   else
   {
   /* rows == 0 here */
   found = 0;
   }
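Review bot: the comment "/* rows == 0 here */" in this else branch states a condition but not why "found" is cleared. The source comment quoted earlier in the thread treats rows == 0 as found on purpose (a group with no check items), so say which query returned no rows here and why that case must now lead to notfound, as point 2 of the description intends. If "found" still holds its initial value when this branch runs, the assignment changes nothing, so check what it holds on entry.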
1048a1060,1064
   else
   {
   /* rows == 0 here */
   found = 0;
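Review bot: this hunk is incomplete as posted. The header "1048a1060,1064" announces five added lines but only four are shown, and the closing brace of the else block is missing, so the complete hunk needs to be reposted before anyone can apply it. It also repeats the block added at 1004a1011,1015 line for line, including the unexplained "rows == 0 here" comment; if both sites need the same reset, handling it once where the result of the group processing is evaluated would keep the two from drifting apart.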



Comments?

-- 
View this message in context: 
http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18617625.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
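
A simplified model of the behaviour discussed in this thread, added here as an example; it is not rlm_sql code and not code from any poster. It contrasts the reported result (a failed group check still yields ok) with the result the thread asks for (notfound). The names authorize, checks_match and enforce_groups, the "any matching group" rule for users in several groups, and the 192.0.2.x addresses are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; not rlm_sql's data structures. */
struct pair { const char *attr, *value; };
struct group { const char *name; const struct pair *checks; int nchecks; };
enum rcode { RC_NOTFOUND, RC_OK };

/* 1 when every check item equals a request attribute; also 1 when there are
 * no check items at all (the "rows == 0" case in the quoted source comment). */
static int checks_match(const struct pair *req, int nreq,
                        const struct pair *chk, int nchk)
{
    for (int i = 0; i < nchk; i++) {
        int ok = 0;
        for (int j = 0; j < nreq; j++)
            if (!strcmp(req[j].attr, chk[i].attr) &&
                !strcmp(req[j].value, chk[i].value))
                ok = 1;
        if (!ok)
            return 0;
    }
    return 1;
}

/* enforce_groups == 0: the reported behaviour, where a failed group check
 * leaves the result at ok. enforce_groups == 1: a user who belongs to groups
 * is found only if at least one group's check items match (an assumption
 * about multi-group semantics made for this example). */
enum rcode authorize(const struct pair *req, int nreq,
                     const struct pair *user_chk, int nuser_chk,
                     const struct group *grp, int ngrp, int enforce_groups)
{
    int group_ok = (ngrp == 0);
    if (!checks_match(req, nreq, user_chk, nuser_chk))
        return RC_NOTFOUND;             /* per-user check fails: rejected */
    for (int i = 0; i < ngrp; i++)
        if (checks_match(req, nreq, grp[i].checks, grp[i].nchecks))
            group_ok = 1;               /* a later mismatch must not undo this */
    return (enforce_groups && !group_ok) ? RC_NOTFOUND : RC_OK;
}

/* Constructed sample data: 192.0.2.x stands in for the NAS addresses. */
static const struct pair g1_chk[] = { { "NAS-IP-Address", "192.0.2.10" } };
static const struct group groups[] = { { "GROUP1", g1_chk, 1 } };
static const struct pair wrong_nas[] = { { "User-Name", "validuser" },
                                         { "NAS-IP-Address", "192.0.2.99" } };
static const struct pair right_nas[] = { { "User-Name", "validuser" },
                                         { "NAS-IP-Address", "192.0.2.10" } };

int main(void)
{
    printf("reported, wrong NAS: %d\n", authorize(wrong_nas, 2, NULL, 0, groups, 1, 0));
    printf("enforced, wrong NAS: %d\n", authorize(wrong_nas, 2, NULL, 0, groups, 1, 1));
    printf("enforced, right NAS: %d\n", authorize(right_nas, 2, NULL, 0, groups, 1, 1));
    return 0;
}
```

A result of 1 is ok and 0 is notfound; the first call shows why a NAS restriction that exists only as a group check item gives no protection under the reported behaviour.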



Re: Token Authorization

2008-07-23 Thread Alan DeKok
krzychk2 wrote:
 I'd like to do a solution like token authentication.

  Token authentication is usually done as part of an existing
authentication protocol.

  Which authentication protocol do you plan on using?

 First step.
 User is authorized by user/password. 
 
 Second step:
 For the authentication from LDAP is taken further information (like UID, 
 date of birth) and user is asked about it.
 
 I think it is something familiar with CHAP Challenge but I don't know how to 
 combine this solutions.

  CHAP does not do end-user challenges.

  Alan DeKok.


Re: Token Authorization

2008-07-23 Thread krzychk2
On 2008-07-23 (Wed) at 21:06 +0200, Alan DeKok wrote:
 krzychk2 wrote:
  I'd like to do a solution like token authentication.
 
   Token authentication is usually done as part of an existing
 authentication protocol.
 
   Which authentication protocol do you plan on using?
   Alan DeKok.

Well I'm in that happy situation that I'm at the beginning of the
project and I can choose auth protocol. The only 
condition is that this has to be done by RADIUS server. So the more
protocols the better for me.

So far I have done simple Active Directory User authorization through
kerberos (radius connects to AD through kerberos and authorizes users), now
only tokens. AD LDAP also has no secrets for me so I can get the 
necessary information for building tokens. 

-- 
Greetings
Krzysztof Kardas


Re: definitively, I have a problem with eap-tls

2008-07-23 Thread Sergio

Sergio wrote:

Sergio wrote:

Hi,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

freeradius tells me this:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
--> verify error:num=24:invalid CA certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem  root.pem
then I change CA_file = ${cadir}/root.pem

..and.eureka authentication successfully but

now there is a problem to check the CRL because root.pem then, something
is wrong before making root.pem.

well, just tell freeradius how to find certificates

c_rehash /usr/local/etc/raddb/certs also doesn't work
I think Reveal had the same problem and I have read about this on
mailing list but nothing.

Also I've tried to install ca.pem on /etc/ssl/certs using ln -s. Has
somebody encountered problems with this apart from Reveal MAP and me?

P.S. route certification into windows isn't a problem, only tell
xp_supplicant who is root authority (It was logical)




  

Also me, sergio

restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0


portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 root root   6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 root root  10 2008-07-23 02:49 7d18a7eb.0 -> server.pem

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then, the user is rejected. The other configuration files are ok,
also wpa_supplicant. look at this Reveal, be brave jejeje.
am I forgetting something?
I have two other eap modules working ok with a different authority than
the server's and I'm really intrigued about this. somebody joins? jeje

regards :)





Please, any suggestion? I'm going insane. I can do a new installation 
and to tell what I'm doing (only proxy_request = no, put my ap into 
clients.conf and put [EMAIL PROTECTED] into users file)...
Also I've tried to install ca.pem and server.crt into /etc/ssl/certs 
(then openssl verify client.pem returns OK, without -CApath)


Thanks


Re: authorization: unlang/NAS-IP-Address

2008-07-23 Thread Ivan Kalik
No, it should return notfound.

I can confirm this. If check is put in radcheck table user will be
rejected but if check (that should fail) is put in radgroupcheck table
user is authenticated. That is not how things should work. It should
return notfound if there is no match in radgroupcheck too.

Ivan Kalik
Kalik Informatika ISP


On 23/7/2008, leopold [EMAIL PROTECTED] wrote:


Ivan,
Even with default SQL query it returns OK, because user is defined properly,
it is just check attributes of group do not match

I went to the code and I saw that rlm_sql_process_groups function causes the
whole module to return OK even though NAS-IP-Address attribute does not
match
Note it does not return attributes, it just returns OK

/*
 *  rows == 0.  This is like having the username on a line
 *  in the user's file with no check vp's.  As such, we treat
 *  it as found and add the reply attributes, so that we
 *  match expected behavior
 */
found = 1;
DEBUG2("rlm_sql (%s): User found in group %s",
       inst->config->xlat_name, group_list_tmp->groupname);


User-Name = validuser
User-Password = validpasswd
NAS-IP-Address = y.y.y.1


rlm_sql (sql): Reserving sql socket id: 6
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck WHERE username = 'validuser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op FROM radcheck   WHERE username = 'validuser'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply WHERE username = 'validuser'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op FROM radreply   WHERE username = 'validuser'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'validuser' ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup WHERE username = 'validuser'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value, op FROM radgroupcheck   WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute,   Value, op FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, groupname, attribute,   Value, op FROM radgroupcheck   WHERE groupname = 'GROUP1'   ORDER BY id
rlm_sql (sql): Released sql socket id: 6
++[sql] returns ok

Should this module return FAIL if group check fails?


Ivan Kalik wrote:

See in debug output a valid user with valid password comes from wrong
NAS-IP-Address which does not belong to check attributes of the user's
group

++[sql] returns ok

 That is wrong. If group check fails sql should return notfound. Check
 your sql entries again. Have you altered default sql queries in some way
 (you have left them out of the debug)?

 Ivan Kalik
 Kalik Informatika ISP




--
View this message in context: 
http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p18614701.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
