Seek through several RADIUS servers without realms

2008-07-29 Thread Ronen Kfir
My scenario is as follows:
I use more than one strong authentication system, each of which is OTP (One Time
Password) based and has a RADIUS interface. I use the same user repository
for the various authentication systems and wish to differentiate between the
authentication systems, using Free RADIUS .Net.
I wouldn't like to use realms, as I would like users to use an ordinary
username and not make them use a realm. I think the way to do it is to
create a sort of loop, which will run through the various RADIUS interfaces of
the OTP systems and search for a given username. If it fails on one system,
continue to the next one, and if the user is not found in any of them, send an
Access-Reject response.


Best,
 
Ronen.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Device authentication and User+Device authentication

2008-07-29 Thread Cristian Novac

Cristian Novac wrote:

CURRENT CONDITIONS:
I'm  currently using FreeRadius server in a system where the server is 
authenticating to the client using a server certificate.

For now, the client is authenticating through username and password.
The method used is EAP-TTLS.
---
THE TARGET is the client to not only use username and password, but a 
device CERTIFICATE.

---
I assume that I have to include in the etc/raddb/eap.conf file the
LIST OF DEVICE ROOT CERTIFICATES.

If so, can you tell me how to do that?
Otherwise, could you tell me what other things I have to do?

Could someone just tell me whether my assumption is right?

I attached my current eap.conf file.

Thank you!
Cristian NOVAC.


Alan DeKok wrote:

Cristian Novac wrote:
 

Could someone tell me what has to be configured to be able to do Device
authentication and User+Device authentication.



  It all depends how you plan on authenticating the devices and users.
i.e. Which authentication protocols are you using?

  Then configure the authentication protocols.

  Alan DeKok.

# -*- text -*-
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = ttls

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to "yes", you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types


#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
#   leap {
#   }

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module "challenges" the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
 

Re: Device authentication and User+Device authentication

2008-07-29 Thread Alan DeKok
Cristian Novac wrote:
...
>> I assume that I have to include in the etc/raddb/eap.conf file the
>> LIST OF DEVICE ROOT CERTIFICATES.
>> If so, can you tell me how to do that?

  Read eap.conf?  This is documented.

  Alan DeKok.


Re: Possible bug in unlang?

2008-07-29 Thread Alan DeKok
Phil Mayers wrote:
> We've recently moved our servers to FreeRadius 2, and we've been having
> reports of some problems with our wireless service.
...
> ...specifically, it seems that the xlat of this string is treating
> embedded "\" as escape characters.

  That needs to be fixed.  I'll take a look next week, as I'm away at a
conference right now.

> I've solved that problem by removing the "update outer.reply", which
> leads me to a 2nd question - given that the "eap" module does this
> anyway (and since it uses a dumb "memcpy", correctly) why is that unlang
> statement there in the sample configs? Is it necessary?

  No.

> One final thing; can I suggest the attached patch (though it should
> probably escape the data, since it comes from the user)

  Sure.  Send it via git-format-patch, and it can be committed with your
name on it.

  Alan DeKok.


Ldap-Group unlang 2.0.5

2008-07-29 Thread Rohaizam Abu Bakar
Dear all,

I'm in the process of migrating from FR 1.1.X to FR 2.0.5 but am stuck with
Ldap-Group using unlang.

I'm trying to convert the line below from the users file to unlang in the
authorize section, but it's not working.

Using FreeBSD 7.0.


users:-
==
DEFAULT Called-Station-Id == "Y5", ldapmain1-Ldap-Group == "TEST",
Autz-Type := Y5


authorize:-
===

I am trying a few variants, as below, but none are working:

i) if ( ldapmain1-Ldap-Group == "TEST" ) {
ii) if ( control:ldapmain1-Ldap-Group == "TEST" ) {
iii) if ( "%{ldapmain1-Ldap-Group}" == "TEST" ) {
iv) if ( "%{ldapmain1:Ldap-Group}" == "TEST" ) {


modules/ldap:-
==

ldap ldapmain1 {

groupname_attribute = jaringService
# Look up the user by the stripped name, falling back to the full User-Name
groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}


Debug:-
==

++? if ("%{ldapmain1:Ldap-Group}" == "TEST" )
rlm_ldap: - ldap_xlat
expand: Ldap-Group -> Ldap-Group
rlm_ldap: String passed does not look like an LDAP URL.
expand: %{ldapmain1:Ldap-Group} ->
? Evaluating ("%{ldapmain1:Ldap-Group}" == "TEST" ) -> FALSE
++? if ("%{ldapmain1:Ldap-Group}" == "TEST" ) -> FALSE


--haizam






peap-tls support in freeradius

2008-07-29 Thread Gopinath Reddy N
Hi,

I would like to know whether peap-tls (PEAP as the outer authentication, TLS as
the inner authentication method) is supported in freeradius. Some of my clients
use peap-tls, so I want to know whether it's supported by freeradius.

I tried using a setup that works for tls for peap-tls, but it fails, saying
"rlm_eap_peap: Tunneled data is invalid. "

Thanks in advance for your help.

Regards
Gopi

Re: peap-tls support in freeradius

2008-07-29 Thread Alan DeKok
Gopinath Reddy N wrote:
> I would like to know whether peap-tls (PEAP as the outer authentication, TLS
> as the inner authentication method) is supported in freeradius. Some of my
> clients use peap-tls, so I want to know whether it's supported by freeradius.

  It works in 2.0.5 last I checked.

> I tried using a setup that works for tls for peap-tls but it fails
> saying "rlm_eap_peap: Tunneled data is invalid. "

  Which version are you running?  1.x?

  Alan DeKok.


radrelay freeradius 2.x

2008-07-29 Thread Raffael Himmelreich

Hi there,

I wonder if there's an easy way/guide to reproduce the
freeradius 1.x radrelay behavior?

I'm afraid that the copy-to-home-server solution does not
execute the accounting requests, but only relays them. Am I right?

I want to execute accounting requests and relay these packets to another
RADIUS server for testing purposes.

best regards


acct and syslog

2008-07-29 Thread Mustapha Bouikhif

Hi folks,

Is there a simple way to send accounting logs (of FR 2.0.5) to syslog?
I mean the various detail files: auth_log, reply_log,
pre||post_proxy_log ...
It is possible to append them to radius.log (which can be maintained by
syslog), but I think that is a bad idea.


thanks for any clues...

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4 


Re: radrelay freeradius 2.x

2008-07-29 Thread Pshem Kowalczyk
Hi

I'm not sure what you mean by 'execute' but you can configure a
virtual server that simply reads a detail file. Packets 'received'
this way are treated as any other packets received over the network.
If you make multiple copies of the packets (to multiple detail files)
you can process them locally and proxy to a remote server.

kind regards
pshem

2008/7/29 Raffael Himmelreich <[EMAIL PROTECTED]>:
> Hi there,
>
> I wonder if there's an easy way/guide to reproduce the
> freeradius 1.x radrelay behavior?
>
> I'm afraid that the copy-to-home-server solution does not
> execute the accounting requests, but only relays them. Am I right?
>
> I want to execute accounting requests and relay these packets to another
> RADIUS server for testing purposes.
>
> best regards


Re: radrelay freeradius 2.x

2008-07-29 Thread Alan DeKok
Pshem Kowalczyk wrote:
> I'm not sure what you mean by 'execute' but you can configure a
> virtual server that simply reads a detail file. Packets 'received'
> this way are treated as any other packets received over the network.
> If you make multiple copies of the packets (to multiple detail files)
> you can process them locally and proxy to a remote server.

  Exactly.

  Alan DeKok.


Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

2008-07-29 Thread Ryan Pugatch
Hello everyone,

 I am having an issue where when a user attempts to authenticate the 
following error is logged:

 Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to 
allow

 FreeRADIUS receives appropriate information as to whether or not the
credentials used were correct, but it also throws that error, which I
suspect is an easy fix. Unfortunately, I'm not sure why it can't set that
option correctly.

 Thanks,

 Ryan

%{2} not expanding for accounting packets?

2008-07-29 Thread Phil Mayers
We've got some switches that don't include the MAC address in the 
Calling-Station-Id of accounting packets. To simplify the config, I use 
an unlang expression to add it:


if ((!Calling-Station-Id) && (NAS-Port-Type == Ethernet) && (User-Name 
=~ /(..)(..)(..)(..)(..)(..)/)) {

  update request {
Calling-Station-Id = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
  }
}

However, the output of that is:

00::22:33:44:55

...which is odd:

rad_recv: Accounting-Request packet from host 172.16.54.36 port 32770, 
id=92, length=113

Acct-Status-Type = Start
User-Name = "001E0BA09F67"
NAS-IP-Address = 172.16.54.36
Acct-Session-Id = "Tue Jul 29, 2008 18:54:00"
Service-Type = Login-User
NAS-Port = 1035
NAS-Port-Type = Ethernet
Tunnel-Private-Group-Id:0 = "14"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Acct-Delay-Time = 0
server macauth {
+- entering group preacct
calling-mac-1: Could not find value pair for attribute Calling-Station-Id
++[calling-mac-1] returns noop
calling-mac-2: Could not find value pair for attribute Calling-Station-Id
++[calling-mac-2] returns noop
called-mac-1: Could not find value pair for attribute Called-Station-Id
++[called-mac-1] returns noop
called-mac-2: Could not find value pair for attribute Called-Station-Id
++[called-mac-2] returns noop
++? if ((!Calling-Station-Id) && (NAS-Port-Type == Ethernet) && 
(User-Name =~ /(..)(..)(..)(..)(..)(..)/))

?? Evaluating !(Calling-Station-Id) -> FALSE
?? Evaluating (NAS-Port-Type == Ethernet) -> TRUE
?? Evaluating (User-Name =~ /(..)(..)(..)(..)(..)(..)/) -> TRUE
++? if ((!Calling-Station-Id) && (NAS-Port-Type == Ethernet) && 
(User-Name =~ /(..)(..)(..)(..)(..)(..)/)) -> TRUE
++- entering if ((!Calling-Station-Id) && (NAS-Port-Type == Ethernet) && 
(User-Name =~ /(..)(..)(..)(..)(..)(..)/))

expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> 00::0B:A0:9F:67

Similar expressions in the "authorize" section appear to work.

Anyone have any ideas?


peap/mschapv2 + mysql + filter-id

2008-07-29 Thread Adam W. Sewell
I've been working on trying to set up freeradius to work with peap/mschapv2
backed by a mysql database on Enterasys switches. I've got almost everything
working, except that when a user authenticates with an 802.1x supplicant with
peap/mschapv2, freeradius sends an access-accept packet but does not append the
Filter-Id that is required for Enterasys switches to switch the default port
policy. However, when I authenticate to the management portion of the switch,
which uses pap, it authenticates and sends the Filter-Id as it should. I'm not
sure what I'm missing here, and I honestly don't know what configs you guys
would need to see to help with this. So if I can provide any logs or config
files, please let me know.

Thanks for any help.



Openser+radiusclient-ng+Freeradius+IAS

2008-07-29 Thread António Rio Costa
Hi all,
I'm trying to put together a way to register softphones into openser,
doing the user authentication in IAS.
I would like to put some questions to the list in order to clear up my
doubts.
1. Can radiusclient-ng authenticate against IAS? If so, how? I've tried it and
IAS says that there is a malformed radius message.
2. Putting freeradius in the middle of radiusclient-ng and IAS, should it
act as a proxy between radiusclient-ng and IAS? Does this configuration
work? Has anyone done it?
Thanks in advance for all the help that anyone can give.

Digest Authentications Cisco Access Registrar 4.1.X

2008-07-29 Thread Hoa But
Hello,

Thanks for all the RADIUS messages.  They are very helpful.

I was able to successfully implement digest authentication in FreeRADIUS and
have been using it ever since. This is after getting help from the great people
on this mailing list.

I wonder if anyone here has any experience with Cisco Access Registrar 4.1.X as
it relates to digest authentication? I know it is probably not related to
FreeRADIUS, but I tried everything and Cisco Access Registrar 4.1.X keeps
dropping the Access-Request packets with response-type: -1. Cisco support is of
no help. I have been through 5 support representatives so far.

Below is the output of the trace file (i.e. name_radius_1_trace). This is
running on Solaris 10 on a T1000 UltraSPARC T1, 8 cores, 4 threads per core,
32 virtual CPUs total. I am not sure if any of the cores make any difference.

As always, your assistance is greatly appreciated. Best regards, Hoa

-- Output of trace file --

07/29/2008 18:55:04: P11864: Packet received from 10.8.140.21
07/29/2008 18:55:04: P11864: Packet successfully added
07/29/2008 18:55:04: P11864: Trace of Access-Request packet
07/29/2008 18:55:04: P11864:identifier = 209
07/29/2008 18:55:04: P11864:length = 218
07/29/2008 18:55:04: P11864:reqauth = 
cf:04:c9:51:ae:f5:ed:34:aa:47:61:ed:9f:96:63:eb
07/29/2008 18:55:04: P11864:User-Name = fakeuser
07/29/2008 18:55:04: P11864:Service-Type = 200
07/29/2008 18:55:04: P11864:NAS-Identifier = 
qcs-qchat-ops-2-3.qln.test.com.(none)
07/29/2008 18:55:04: P11864:NAS-Port-Type = Virtual
07/29/2008 18:55:04: P11864:Digest-Response = fakeqcdigest
07/29/2008 18:55:04: P11864:Digest-Attributes = { Realm = fakedomain }
07/29/2008 18:55:04: P11864:Digest-Attributes = { Nonce = fakeqcnonce }
07/29/2008 18:55:04: P11864:Digest-Attributes = { Method = QCHAT-REGISTER }
07/29/2008 18:55:04: P11864:Digest-Attributes = { URI = fakedomain }
07/29/2008 18:55:04: P11864:Digest-Attributes = { QOP = auth }
07/29/2008 18:55:04: P11864:Digest-Attributes = { Algorithm = MD5-sess }
07/29/2008 18:55:04: P11864:Digest-Attributes = { CNonce = fakeqccnonce }
07/29/2008 18:55:04: P11864:Digest-Attributes = { Nonce-Count = 1 }
07/29/2008 18:55:04: P11864:Digest-Attributes = { User-Name = fakeuseraddr }
07/29/2008 18:55:04: P11864: Running Server's IncomingScript: show-contents
07/29/2008 18:55:04: Log: Request from 10.8.140.21: Server IncomingScript 
failed fakeuser
07/29/2008 18:55:04: P11864: Dropping request (response-type: -1)
07/29/2008 18:55:04: P11864: Packet successfully removed

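The trace above carries the full set of Digest-Attributes (realm, nonce, cnonce, qop=auth, algorithm MD5-sess, nonce count, method and URI) that a RADIUS server needs to validate the Digest-Response against the user's known password. As an added example that is not part of the original post or of any RADIUS product, the following Python recomputes the RFC 2617 response from those attributes and compares it in constant time; the attribute values are the poster's placeholders, and the password and the 8-digit nonce-count form are constructed assumptions.

```python
import hashlib
import hmac

# Digest-Attributes copied from the trace above (the poster's placeholder
# values).  The password is a constructed assumption for the demo; the
# Nonce-Count is assumed to be in its 8-digit hex wire form.
SAMPLE_ATTRS = {
    "User-Name": "fakeuseraddr",   # Digest-User-Name, not the outer User-Name
    "Realm": "fakedomain",
    "Nonce": "fakeqcnonce",
    "Method": "QCHAT-REGISTER",
    "URI": "fakedomain",
    "QOP": "auth",
    "Algorithm": "MD5-sess",
    "CNonce": "fakeqccnonce",
    "Nonce-Count": "00000001",
}
SAMPLE_PASSWORD = "constructed-secret"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(attrs: dict, password: str) -> str:
    """Compute the RFC 2617 digest response for algorithm MD5 or MD5-sess,
    with qop=auth or no qop.  Raises KeyError if a required attribute is
    missing, which a server must treat as a malformed request."""
    ha1 = _md5(f"{attrs['User-Name']}:{attrs['Realm']}:{password}")
    if attrs.get("Algorithm", "MD5").lower() == "md5-sess":
        # MD5-sess binds the session key to this nonce/cnonce pair
        ha1 = _md5(f"{ha1}:{attrs['Nonce']}:{attrs['CNonce']}")
    ha2 = _md5(f"{attrs['Method']}:{attrs['URI']}")
    qop = attrs.get("QOP")
    if qop == "auth":
        return _md5(f"{ha1}:{attrs['Nonce']}:{attrs['Nonce-Count']}:"
                    f"{attrs['CNonce']}:{qop}:{ha2}")
    if qop is None:
        return _md5(f"{ha1}:{attrs['Nonce']}:{ha2}")
    raise ValueError(f"unsupported qop {qop!r}")  # auth-int not handled here


def verify_digest(attrs: dict, presented: str, password: str) -> bool:
    """Server-side check: recompute from the stored password and compare in
    constant time.  Missing attributes or an unsupported qop mean reject."""
    try:
        expected = digest_response(attrs, password)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, presented.lower())


if __name__ == "__main__":
    # Simulate the client side with the constructed password, then verify.
    presented = digest_response(SAMPLE_ATTRS, SAMPLE_PASSWORD)
    print("Digest-Response =", presented)
    print("correct password :", verify_digest(SAMPLE_ATTRS, presented, SAMPLE_PASSWORD))
    print("wrong password   :", verify_digest(SAMPLE_ATTRS, presented, "guess"))
```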


Re: peap-tls support in freeradius

2008-07-29 Thread Gopinath Reddy N
Hi Alan,

Thanks for the info. I am running 2.0.2.

Regards
Gopi

On Tue, Jul 29, 2008 at 6:14 PM, Alan DeKok <[EMAIL PROTECTED]>wrote:

> Gopinath Reddy N wrote:
> > I would like to know whether peap-tls (PEAP as the outer authentication, TLS
> > as the inner authentication method) is supported in freeradius. Some of my
> > clients use peap-tls, so I want to know whether it's supported by freeradius.
>
>  It works in 2.0.5 last I checked.
>
> > I tried using a setup that works for tls for peap-tls but it fails
> > saying "rlm_eap_peap: Tunneled data is invalid. "
>
>  Which version are you running?  1.x?
>
>  Alan DeKok.

Ldap-Group unlang FR 2.0.5

2008-07-29 Thread Rohaizam Abu Bakar
OS: FB 7.0

FR: 2.0.5

Let us analyze the if statement below, which uses unlang with Ldap-Group:-

++? if (("%{NAS-Port-Type}" =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group ==
"UNLIMITED") || (ldap2-Ldap-Group == "UNLIMITED")))
expand: %{NAS-Port-Type} ->
?? Evaluating ("%{NAS-Port-Type}" =~ /^ISDN|^Sync/) -> FALSE
??? Skipping (ldap1-Ldap-Group == "UNLIMITED")
??? Skipping (ldap2-Ldap-Group == "UNLIMITED")
++? if (("%{NAS-Port-Type}" =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group ==
"UNLIMITED") || (ldap2-Ldap-Group == "UNLIMITED"))) -> TRUE
++- entering if (("%{NAS-Port-Type}" =~ /^ISDN|^Sync/) && ((ldap1-Ldap-Group
== "UNLIMITED") || (ldap2-Ldap-Group == "UNLIMITED")))

If ("%{NAS-Port-Type}" =~ /^ISDN|^Sync/) -> FALSE, the whole line
should be FALSE. But why does it show TRUE? It is an AND (&&) comparison.

Or is there a possible problem in my if statement?

--haizam


Re: %{2} not expanding for accounting packets?

2008-07-29 Thread Alan DeKok
Phil Mayers wrote:
...
> Similar expressions in the "authorize" section appear to work.
> 
> Anyone have any ideas?

  Weird.  No idea why that happens.  I'll try to reproduce it.

  Alan DeKok.


Re: peap/mschapv2 + mysql + filter-id

2008-07-29 Thread Alan DeKok
Adam W. Sewell wrote:
> I've been working on trying to set up freeradius to work with peap/mschapv2
> backed by a mysql database on Enterasys switches. I've got almost
> everything working, except that when a user authenticates with an 802.1x
> supplicant with peap/mschapv2, freeradius sends an access-accept packet but
> does not append the Filter-Id that is required for Enterasys switches to
> switch the default port policy. However, when I authenticate to the
> management portion of the switch, which uses pap, it authenticates and sends
> the Filter-Id as it should. I'm not sure what I'm missing here, and I honestly
> don't know what configs you guys would need to see to help with this. So if I
> can provide any logs or config files, please let me know.

  Read the debug output.  Or, post the output here, and maybe a sample
of your config files.

  Alan DeKok.


Re: Openser+radiusclient-ng+Freeradius+IAS

2008-07-29 Thread Alan DeKok
António Rio Costa wrote:
> 1. Can radiusclient-ng authenticate against IAS? If so, how? I've tried it
> and IAS says that there is a malformed radius message.

  Use wireshark to grab copies of the packets.  Put the pcap files on a
web page, and post the URL here.

> 2. Putting freeradius in the middle of radiusclient-ng and IAS, should
> it act as a proxy between radiusclient-ng and IAS? Does this
> configuration work? Has anyone done it?

  Try it.  It's not hard.

  Or, use freeradius-client.  There have been a number of bug fixes to
the code.

  Alan DeKok.