Re: Startdate for sessions in FreeRadius with MySql?

2008-10-09 Thread Marinko Tarlac
Or create all you need and add Auth-Type Reject in the radcheck table for that
user, and delete this entry on the start date with a cron script.

On Thu, Oct 9, 2008 at 8:06 AM, Bladan2000 <[EMAIL PROTECTED]> wrote:

>
> Yeah. That's kind of my "rescue" solution. To create a queue that is
> processed on a daily basis. But I thought that since there is an expire
> attribute that it might be a start as well. It would obviously take less
> effort to just add that kind of attribute instead of adding a queue and
> some kind of queue handler to our application.
>
> //Johan
>
>
>
> tnt-4 wrote:
> >
> >>Any thoughts?
> >>
> >
> > Don't create the username before the startdate. There is absolutely no
> > reason for it to be in the database before it. Make a script that
> > creates the user entry when startdate is reached.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
>
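The approach Marinko and Ivan describe, as an added example that is not part of the original thread and not FreeRADIUS code: a user is provisioned in radcheck together with an Auth-Type := Reject check item (Marinko's variant), and a function meant to run from cron removes that row once the start date has arrived. Ivan's variant (create nothing before the start date) is the same job with the radcheck insert moved into the cron step. sqlite3 stands in for MySQL so the block runs offline; the radcheck columns follow the FreeRADIUS SQL schema, while the user_startdate table, the function names and the two sample users are this example's own assumptions.

```python
import sqlite3
from datetime import date

# Constructed stand-in for the FreeRADIUS MySQL tables: sqlite3 is used so the
# example runs offline. radcheck follows the column layout of the FreeRADIUS SQL
# schema; user_startdate is an assumption of this example, not a FreeRADIUS table.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE TABLE user_startdate (
    username  TEXT PRIMARY KEY,
    startdate TEXT NOT NULL    -- ISO date YYYY-MM-DD, so text comparison orders correctly
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def create_user(conn, username, password, startdate):
    """Provision the account now but keep it unusable: the Auth-Type := Reject
    check item makes FreeRADIUS reject the user whatever password is sent."""
    rows = [(username, "Cleartext-Password", ":=", password),
            (username, "Auth-Type", ":=", "Reject")]
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)", rows)
    conn.execute("INSERT INTO user_startdate (username, startdate) VALUES (?, ?)",
                 (username, startdate.isoformat()))
    conn.commit()

def release_due_users(conn, today):
    """Body of the daily cron job: delete the Reject row for every user whose
    start date is today or earlier. Idempotent, so re-running it is harmless.
    Returns the usernames released on this run, sorted."""
    cur = conn.execute(
        "SELECT username FROM user_startdate WHERE startdate <= ? ORDER BY username",
        (today.isoformat(),))
    due = [row[0] for row in cur.fetchall()]
    for name in due:
        conn.execute(
            "DELETE FROM radcheck WHERE username = ? AND attribute = 'Auth-Type' "
            "AND op = ':=' AND value = 'Reject'", (name,))
        conn.execute("DELETE FROM user_startdate WHERE username = ?", (name,))
    conn.commit()
    return due

def is_blocked(conn, username):
    """True while the user still carries the Auth-Type := Reject check item."""
    cur = conn.execute(
        "SELECT 1 FROM radcheck WHERE username = ? AND attribute = 'Auth-Type' "
        "AND value = 'Reject'", (username,))
    return cur.fetchone() is not None

def demo():
    """Two constructed users: bob starts today (2008-10-09), alice next week."""
    conn = open_db()
    create_user(conn, "alice", "alice-example-pw", date(2008, 10, 15))
    create_user(conn, "bob", "bob-example-pw", date(2008, 10, 9))
    released = release_due_users(conn, date(2008, 10, 9))
    return released, is_blocked(conn, "alice"), is_blocked(conn, "bob")

if __name__ == "__main__":
    print(demo())
```

Because the Reject row is a normal check item, the account is visible in radcheck from day one (useful for auditing who has been provisioned) while still being unusable; the cron step only ever deletes that one row, so running it twice or after a missed day gives the same result.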

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Peter Eriksson


Alan DeKok wrote:
> Peter Eriksson wrote:
>> The default setting seems to be less than optimal since if a remote site
>> has problems with their home RADIUS servers then we risk having our
>> local servers mark the upstream servers as "dead" since it's not
>> receiving answers for a specific 'realm'...
> 
>   That's been a bit of a problem in RADIUS proxying.  The specification
> says that servers MUST answer Access-Requests.  But some implementations
> don't do that when they're proxying.  This causes all sorts of problems.
> 
>> Perhaps increase the 'response_window',
>> and lower 'zombie_period' and 'revive_interval'
>> and 'check_interval' values...
> 
>   If you're using "status-server", then "revive_interval" isn't used.

Hmm.. When I have been testing stuff here it feels like it was that
(revive_interval) timeout that was being used before the server first
sent a 'status-server' check after having marked it 'down'. But I might
have been mistaken. Gonna do some more tests...

I wonder how low I can set things to lessen this issue. Perhaps set
zombie_period and check_interval to one second...


>> Best would probably be if FreeRadius kept a
>> separate timeout for each 'server/realm' tuple...
> 
>   Ugh.  That's adding complexity to work around bugs in other RADIUS
> servers, IMHO.  Rather than keeping track of N realms && M home servers,

Well, it doesn't necessarily have to be bugs in RADIUS server. It can be
a multitude of stuff that causes a far away home server to not respond.
Like a network outage. It doesn't feel right to have a system where a
network outage in (for example) Australia can take out all the EDUROAM
service for people at our university, just because we happen to have a
guest from that Australian university that made an attempt to connect
to the EDUROAM system...



> it now has to keep track of (N x M) combinations.  That's expensive.

Yes... But that is what I think the EDUROAM people that use 'Radiator'
do use.

- Peter


Re: Startdate for sessions in FreeRadius with MySql?

2008-10-09 Thread tnt
You can always add your own.

http://freeradius.org/radiusd/man/dictionary.html

Ivan Kalik
Kalik Informatika ISP

On 9/10/2008, "Bladan2000" <[EMAIL PROTECTED]> wrote:

>
>Yeah. That's kind of my "rescue" solution. To create a queue that is processed
>on a daily basis. But I thought that since there is an expire attribute that
>it might be a start as well. It would obviously take less effort to just add
>that kind of attribute instead of adding a queue and some kind of queue handler
>to our application.
>
>//Johan
>
>
>
>tnt-4 wrote:
>>
>>>Any thoughts?
>>>
>>
>> Don't create the username before the startdate. There is absolutely no
>> reason for it to be in the database before it. Make a script that
>> creates the user entry when startdate is reached.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>
>
>
>



AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
Thanks, now it works :)

 

Now the last step: How can I test it? What tool/program etc. can/should I use 
to test it?

"The radclient cannot currently be used to send this request, unfortunately, 
which makes testing a little difficult. If everything goes well, you should see 
the server returning an Access-Accept message as above."

 

Mit freundlichen Grüßen / Kind regards

Frederik Niedernolte
---
arvato services
An der Autobahn
33310 Gütersloh
Germany
http://www.arvato-services.de
[EMAIL PROTECTED]  
Tel.:  +49 (0)5241 80-40554

arvato services GmbH: Registered office Gütersloh | Gütersloh District Court HRB 3826 | 
Managing Directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard 
Südmersen

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Syed Anwarul Hasan
Sent: Thursday, 9 October 2008 11:44
To: FreeRadius users mailing list
Subject: Re: Problem with ntlm_auth

 

Hi Frederik,

1) Put User entry on TOP of users file.
2) In default file, in authenticate section, add ntlm_auth. Don't set using 
Auth-Type.
3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add 
ntlm_auth in Authenticate Section.

I hope it will solve your problem.
SYED




On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]> wrote:

I have finished all steps till "user Auth-Type := ntlm_auth" from 
http://deployingradius.com/documents/configuration/active_directory.html.

With this command I get this error message at the end of "/usr/sbin/freeradius 
-X":

 

/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
 }
}
Errors initializing modules

 

The authenticate section in the /etc/freeradius/sites-enabled/default looks 
like this (only important part):

 

authenticate {
#
#  NTML_AUTH authentication.
Auth-Type ntlm_auth {
   ntlm_auth
}

 

What is wrong and what can I do to solve the problem?

Thanks in advance.

Best regards, F. Niedernolte



 


AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
So to understand you right:

Every user that should be authenticated has to be an entry in the users file?

Isn't it possible to add a forwarding for every user so that all requests are 
just forwarded and checked?

If not I must add all users from the AD to the users file, mustn't I?

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Syed Anwarul Hasan
Sent: Thursday, 9 October 2008 13:16
To: FreeRadius users mailing list
Subject: Re: Problem with ntlm_auth

 

And also don't remove ntlm_auth from authenticate section of both default and 
inner-tunnel files.

On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <[EMAIL PROTECTED]> wrote:

Ok, where are USER CREDENTIALS stored? The one described in the manual is Bind 
as User. That is, a User entry is added in the users file and after using ntlm_auth, 
it is checked against an Active Directory or LDAP server backend using the NT LAN 
Manager authentication protocol.

For example:
Users file:
User  Auth-Type := ntlm_auth

In Active Directory
User should be a member.

So, then ntlm_auth requests will be passed from your Server to Active Directory 
or LDAP Server.

Otherwise you will not setup ntlm_auth.

SYED

 

On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]> wrote:

OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" 
and this is what the server gave back:

 

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.OF.THE.SERVER
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> MyUser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
Waking up in 4.9 seconds.
Cleaning up request 0 ID 92 with timestamp +3710
Ready to process requests.

 

Now what should I do?
Thanks in advance.

 

From: [EMAIL PROTECTED] [mailto:freeradius-users-bounces+frederik.niedernolte [EMAIL PROTECTED] On behalf of Syed Anwarul Hasan
Sent: Thursday, 9 October 2008 12:12
To: FreeRadius users mailing list
Subject: Re: Problem with ntlm_auth

 

Hi,
You can use the radtest tool to check with the server. The server will return 
an Access-Accept message.
Other tools include JRadius Simulator, as Ivan mentioned, but I have not used it.
Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP 
requests to use ntlm_auth with an Active Directory or LDAP server backend (if you 
have one).

SYED

On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]> wrote:

Thanks, now it works :)

 

Now the last step: How can I test it? What tool/program etc. can/should I use 
to test it?

"The radclient cannot currently be used to send this request, unfortunately, 
which makes testing a little difficult. If everything goes well, you should see 
the server returning an Access-Accept message as above."

 

Mit freundlichen Grüßen / Kind regards

Frederik Niedernolte
---
arvato services
An der Autobahn
33310 Gütersloh
Germany
http://www.arvato-services.de
[EMAIL PROTECTED]  
Tel.:  +49 (0)5241 80-40554

arvato services GmbH: Registered office Gütersloh | Gütersloh District Court HRB 3826 | 
Managing Directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard 
Südmersen

 

From: [EMAIL PROTECTED] [mailto:freeradius-users-bounces+frederik.niedernolte [EMAIL PROTECTED] On behalf of Syed Anwarul Hasan
Sent: Thursday, 9 October 2008 11:44
To: FreeRadius users mailing list
Subject: Re: Problem with ntlm_auth

 

Hi Frederik,

1) Put User entry on TOP of users file.
2) In default file, in authenticate section, add ntlm_auth. Don't set using 
Auth-Type.
3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add 
ntlm_auth in Authenticate Section.

I hope it will solve your problem.
SYED

O

Re: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
>OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" 
>and this is what the server gave back:
>
..
>
>++[files] returns noop
>

So, where is the user file entry setting Auth-Type ntlm_auth? It didn't
match. Something is wrong with it.

Ivan Kalik
Kalik Informatika ISP



AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
Is it possible to use only one freeRADIUS server (the just configured one) for 
a bunch of different domains
in my active directory network?
How?

F. Niedernolte


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 9 October 2008 14:05
To: FreeRadius users mailing list
Subject: Re: AW: AW: Problem with ntlm_auth

>OK, thanks.
>Now it works.
>Is this the way it should look right?
>

Yes. that's OK.

..
>[files] users: Matched entry DEFAULT at line 2
>++[files] returns ok

Entry setting Auth-Type.

..
>[pap] WARNING! No "known good" password found for the user.  Authentication 
>may fail because of this.

That's because the password is not given to radius server but is checked
in AD.

>++[pap] returns noop
>Found Auth-Type = ntlm_auth

This was forced in users file.

>+- entering group authenticate {...}
>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=MyUser
>[ntlm_auth] expand: --password=%{User-Password} -> --password=MyPassword
>Exec-Program output: NT_STATUS_OK: Success (0x0)
>Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>Exec-Program: returned: 0
>++[ntlm_auth] returns ok

And user is authenticated in AD.

Ivan Kalik
Kalik Informatika ISP

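A small triage helper for radiusd -X traces like the two quoted in this thread (the rejected first run and the working one), added here as an example; it is not FreeRADIUS code and not code from anyone in the thread. It pulls out each module's return code, the users-file entry that matched, the Auth-Type that was found, the exit status of ntlm_auth and the reply packet, and turns Ivan's reading of the log into hints: files returning noop with no Auth-Type means the users entry did not match, and the pap warning is expected when ntlm_auth hands the password to the domain. The two sample traces are constructed from the quoted output and trimmed to the lines the helper inspects; the function and hint wording are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts modelled on the two radiusd -X runs quoted in the thread
# (the rejected first attempt and the working run), trimmed to the relevant lines.
REJECT_RUN = """\
++[unix] returns notfound
++[files] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
"""

ACCEPT_RUN = """\
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Sending Access-Accept of id 97 to 127.0.0.1 port 32793
"""

# Line shapes taken from the quoted debug output.
MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$")
ENTRY_RE = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)$")
AUTHTYPE_RE = re.compile(r"^Found Auth-Type = (\S+)$")
EXEC_RE = re.compile(r"^Exec-Program: returned: (-?\d+)$")
REPLY_RE = re.compile(r"^Sending (Access-(?:Accept|Reject|Challenge)) of id (\d+)")
PAP_WARNING = '[pap] WARNING! No "known good" password'


def triage(debug_output: str) -> Dict[str, object]:
    """Summarise one request's debug trace and derive plain-language hints."""
    modules: Dict[str, str] = {}
    entry: Optional[Tuple[str, int]] = None
    auth_type: Optional[str] = None
    exec_status: Optional[int] = None
    reply: Optional[str] = None
    pap_warning = False

    for raw in debug_output.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = (m.group(1), int(m.group(2)))
            continue
        m = AUTHTYPE_RE.match(line)
        if m:
            auth_type = m.group(1)
            continue
        m = EXEC_RE.match(line)
        if m:
            exec_status = int(m.group(1))
            continue
        m = REPLY_RE.match(line)
        if m:
            reply = m.group(1)
            continue
        if line.startswith(PAP_WARNING):
            pap_warning = True

    hints: List[str] = []
    if reply == "Access-Reject" and auth_type is None:
        hints.append("no Auth-Type was set in authorize: the users file entry did not "
                     "match (files returned %s)" % modules.get("files", "?"))
    if pap_warning and auth_type == "ntlm_auth":
        hints.append("pap warning is expected here: the password is verified by the "
                     "domain through ntlm_auth, not by the RADIUS server")
    if auth_type == "ntlm_auth" and exec_status not in (None, 0):
        hints.append("ntlm_auth exited with status %d: the domain rejected the "
                     "credentials" % exec_status)
    if reply == "Access-Accept" and auth_type is not None:
        hints.append("authenticated via Auth-Type %s" % auth_type)

    return {"modules": modules, "users_entry": entry, "auth_type": auth_type,
            "exec_status": exec_status, "reply": reply, "hints": hints}


if __name__ == "__main__":
    for name, trace in (("reject run", REJECT_RUN), ("accept run", ACCEPT_RUN)):
        print(name, triage(trace))
```

The same function works on a full -X trace pasted from the terminal, since unmatched lines are simply ignored; feed it one request at a time, because the per-module dictionary keeps only the last return code seen for each module name.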


Re: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Is it possible to use only one freeRADIUS server (the just configured one) 
> for a bunch of different domains
> in my active directory network?

  Configure Samba to join all of the domains.  Point FreeRADIUS at
Samba, via ntlm_auth.

  Alan DeKok.


AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
OK, thanks.
Now it works.
Is this the way it should look right?

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=97, length=59
User-Name = "MyUser"
User-Password = "MyPassword"
NAS-IP-Address = IP.ADDRESS.OF.SERVER
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=MyUser
[ntlm_auth] expand: --password=%{User-Password} -> --password=MyPassword
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 97 to 127.0.0.1 port 32793
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 97 with timestamp +16
Ready to process requests.

F. Niedernolte

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: Thursday, 9 October 2008 13:28
To: FreeRadius users mailing list
Subject: Re: AW: Problem with ntlm_auth

>Every user that should be authenticated has to be an entry in the users file?
>
>Isn't it possible to add a forwarding for every user so that all requests are 
>just forwarded and checked?
>
>If not I must add all users from the AD to the users file, mustn't I?
>

DEFAULT   Auth-Type := ntlm_auth

Ivan Kalik
Kalik Informatika ISP



Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
And also don't remove ntlm_auth from authenticate section of both default
and inner-tunnel files.

On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <
[EMAIL PROTECTED]> wrote:

> Ok, where are USER CREDENTIALS stored? The one described in the manual is
> Bind as User. That is, a User entry is added in the users file and after using
> ntlm_auth, it is checked against an Active Directory or LDAP server backend
> using the NT LAN Manager authentication protocol.
>
> For example:
> Users file:
> User  Auth-Type := ntlm_auth
>
> In Active Directory
> User should be a member.
>
> So, then ntlm_auth requests will be passed from your Server to Active
> Directory or LDAP Server.
>
> Otherwise you will not setup ntlm_auth.
>
> SYED
>
>
> On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]>wrote:
>
>>  OK, I have tested it with "radtest MyUser MyPassword localhost 0
>> testing123" and this is what the server gave back:
>>
>>
>>
>> Ready to process requests.
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92,
>> length=58
>>
>> User-Name = "MyUser"
>>
>> User-Password = "MyPassword"
>>
>> NAS-IP-Address = IP.OF.THE.SERVER
>>
>> NAS-Port = 0
>>
>> +- entering group authorize {...}
>>
>> ++[preprocess] returns ok
>>
>> ++[chap] returns noop
>>
>> ++[mschap] returns noop
>>
>> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>>
>> [suffix] No such realm "NULL"
>>
>> ++[suffix] returns noop
>>
>> [eap] No EAP-Message, not doing EAP
>>
>> ++[eap] returns noop
>>
>> ++[unix] returns notfound
>>
>> ++[files] returns noop
>>
>> ++[expiration] returns noop
>>
>> ++[logintime] returns noop
>>
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>>
>> ++[pap] returns noop
>>
>> No authenticate method (Auth-Type) configuration found for the request:
>> Rejecting the user
>>
>> Failed to authenticate the user.
>>
>> Using Post-Auth-Type Reject
>>
>> +- entering group REJECT {...}
>>
>> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
>>
>>  attr_filter: Matched entry DEFAULT at line 11
>>
>> ++[attr_filter.access_reject] returns updated
>>
>> Delaying reject of request 0 for 1 seconds
>>
>> Going to the next request
>>
>> Waking up in 0.9 seconds.
>>
>> Sending delayed reject for request 0
>>
>> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>>
>> Waking up in 4.9 seconds.
>>
>> Cleaning up request 0 ID 92 with timestamp +3710
>>
>> Ready to process requests.
>>
>>
>>
>> Now what should I do?
>> Thanks in advance.
>>
>>
>>
>> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
>> lists.freeradius.org [mailto:
>> freeradius-users-bounces+frederik.niedernolte
>> [EMAIL PROTECTED] *On behalf of *Syed Anwarul Hasan
>> *Sent:* Thursday, 9 October 2008 12:12
>>
>> *To:* FreeRadius users mailing list
>> *Subject:* Re: Problem with ntlm_auth
>>
>>
>>
>> Hi,
>> You can use the radtest tool to check with the server. The server will return
>> an Access-Accept message.
>> Other tools include JRadius Simulator, as Ivan mentioned, but I have not used it.
>> Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
>> requests to use ntlm_auth with an Active Directory or LDAP server backend (if
>> you have one).
>>
>> SYED
>>
>>  On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>
>> wrote:
>>
>> Thanks, now it works :)
>>
>>
>>
>> Now the last step: How can I test it? What tool/program etc. can/should I
>> use to test it?
>>
>> "The radclient cannot currently be used to send this request,
>> unfortunately, which makes testing a little difficult. If everything goes
>> well, you should see the server returning an Access-Accept message as above."
>>
>>
>>
>> Mit freundlichen Grüßen / Kind regards
>>
>> Frederik Niedernolte
>> ---
>> arvato services
>> An der Autobahn
>> 33310 Gütersloh
>> Germany
>> http://www.arvato-services.de
>> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
>> Tel.:  +49 (0)5241 80-40554
>>
>> arvato services GmbH: Registered office Gütersloh | Gütersloh District Court HRB 3826 |
>> Managing Directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
>> Südmersen
>>
>>
>>
>> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
>> lists.freeradius.org [mailto:
>> freeradius-users-bounces+frederik.niedernolte
>> [EMAIL PROTECTED] *On behalf of *Syed Anwarul Hasan
>> *Sent:* Thursday, 9 October 2008 11:44
>> *To:* FreeRadius users mailing list
>> *Subject:* Re: Problem with ntlm_auth
>>
>>
>>
>> Hi Frederik,
>>
>> 1) Put User entry on *TOP* of users file.
>> 2) In default file, in authenticate section, add *ntlm_auth. *Don't set
>> using Auth-Type.
>> 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner
>> Tunnel. Add *ntlm_auth* in Authenticate Section.
>>
>> I hope it will solve your problem.
>> SYED
>>
>>  On Thu, Oct 9, 2008 at 11:17 A

RE: EAP-TLS & computer account(not user)

2008-10-09 Thread tnt
You (or whoever makes these certificates) have set up certificate
creation that way. Change it so that CN is equal to User-Name.

Ivan Kalik
Kalik Informatika ISP


On 9/10/2008, "Guk Victor" <[EMAIL PROTECTED]> wrote:

>
>> I use EAP-TLS for the computer account. It is necessary to open access
>> to the network before Ctrl+Alt+Del is pressed. I do not understand what
>> the matter is:
>>
> ..
>
>>radius_xlat:  'host/cit44'
>>rlm_eap_tls: checking certificate CN (cit44) with xlat'ed value
>>(host/cit44)
>>rlm_eap_tls: Certificate CN (cit44) does not match specified value
>>(host/cit44)!
>>chain-depth=0,
>>error=0
>>--> User-Name = host/cit44
>>--> BUF-Name = cit44
>>--> subject = /C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=cit44
>>--> issuer  = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
>>--> verify return:0
>
> ..
>
>User-Name and CN are not the same. Create a proper certificate.
>
>I created a new certificate with CN=host/cit44. This is what I
>obtained:
>
>radius_xlat:  'host/host/cit44'
>rlm_eap_tls: checking certificate CN (host/cit44) with xlat'ed value
>(host/host/cit44)
>rlm_eap_tls: Certificate CN (host/cit44) does not match specified value
>(host/host/cit44)!
>chain-depth=0,
>error=0
>User-Name = host/host/cit44
>BUF-Name = host/cit44
>subject = /C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=host/cit44
>issuer  = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
>verify return:0
>Why is "/host" added to User-Name?
>
>
>
>

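A check on the two log excerpts above, added here as an example and not part of the original thread or of FreeRADIUS: it parses the one-line certificate subject the way the log shows FreeRADIUS doing it (BUF-Name = host/cit44, i.e. the CN is extracted whole even though it contains a slash), shows that a naive split on "/" would get that wrong, and repeats the CN-against-User-Name comparison that rlm_eap_tls logs, assuming, as the thread's configuration does, that check_cert_cn expands to %{User-Name}. The CASES list is constructed from the quoted output and the function names are this example's own; it does not explain why the supplicant sends a second host/ prefix, which the thread leaves open.

```python
import re
from typing import List, Optional, Tuple

# Constructed from the two log excerpts in the thread: (User-Name, certificate subject).
CASES = [
    ("host/cit44",      "/C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=cit44"),
    ("host/host/cit44", "/C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=host/cit44"),
]

# A new component starts only at a "/" that is immediately followed by an
# attribute type and "=", so a value containing "/" (CN=host/cit44) stays whole.
COMPONENT_RE = re.compile(r"/([A-Za-z][A-Za-z0-9.]*)=")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line subject into (attribute, value) pairs."""
    matches = list(COMPONENT_RE.finditer(dn))
    parts = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(dn)
        parts.append((m.group(1), dn[m.end():end]))
    return parts


def cn_of(dn: str) -> Optional[str]:
    """The CN component, or None if the subject has no CN."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def naive_cn(dn: str) -> Optional[str]:
    """What a split-on-'/' parser yields: wrong as soon as the CN contains '/'."""
    for piece in dn.split("/"):
        if piece.startswith("CN="):
            return piece[len("CN="):]
    return None


def check_cert_cn(user_name: str, subject: str) -> Tuple[bool, str]:
    """The comparison rlm_eap_tls logs: certificate CN against the expanded
    check_cert_cn value, which in the thread's configuration is %{User-Name}."""
    cn = cn_of(subject)
    if cn == user_name:
        return True, "Certificate CN (%s) matches specified value (%s)" % (cn, user_name)
    return False, "Certificate CN (%s) does not match specified value (%s)!" % (cn, user_name)


if __name__ == "__main__":
    for user_name, subject in CASES:
        print(check_cert_cn(user_name, subject)[1])
        print("  naive split would report CN =", naive_cn(subject))
```

Both cases from the thread fail the comparison for the same reason Ivan gives: the CN and the User-Name are simply different strings, in the first case "cit44" against "host/cit44" and in the second "host/cit44" against "host/host/cit44". The parser matters when you write your own tooling around the debug output: a subject whose CN itself contains a slash breaks any script that splits the DN on "/".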


Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
I have finished all steps till "user Auth-Type := ntlm_auth" from
http://deployingradius.com/documents/configuration/active_directory.html.

With this command I get this error message at the end of
"/usr/sbin/freeradius -X":

 

/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
 }
}
Errors initializing modules

 

The authenticate section in the /etc/freeradius/sites-enabled/default
looks like this (only important part):

 

authenticate {
#
#  NTML_AUTH authentication.
Auth-Type ntlm_auth {
   ntlm_auth
}

 

What is wrong and what can I do to solve the problem?

Thanks in advance.

Best regards, F. Niedernolte


Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Ok, where are USER CREDENTIALS stored? The one described in the manual is
Bind as User. That is, a User entry is added in the users file and after using
ntlm_auth, it is checked against an Active Directory or LDAP server backend
using the NT LAN Manager authentication protocol.

For example:
Users file:
User  Auth-Type := ntlm_auth

In Active Directory
User should be a member.

So, then ntlm_auth requests will be passed from your Server to Active
Directory or LDAP Server.

Otherwise you will not setup ntlm_auth.

SYED

On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]>wrote:

>  OK, I have tested it with "radtest MyUser MyPassword localhost 0
> testing123" and this is what the server gave back:
>
>
>
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92,
> length=58
>
> User-Name = "MyUser"
>
> User-Password = "MyPassword"
>
> NAS-IP-Address = IP.OF.THE.SERVER
>
> NAS-Port = 0
>
> +- entering group authorize {...}
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>
> [suffix] No such realm "NULL"
>
> ++[suffix] returns noop
>
> [eap] No EAP-Message, not doing EAP
>
> ++[eap] returns noop
>
> ++[unix] returns notfound
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
>
> ++[pap] returns noop
>
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> Failed to authenticate the user.
>
> Using Post-Auth-Type Reject
>
> +- entering group REJECT {...}
>
> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
>
>  attr_filter: Matched entry DEFAULT at line 11
>
> ++[attr_filter.access_reject] returns updated
>
> Delaying reject of request 0 for 1 seconds
>
> Going to the next request
>
> Waking up in 0.9 seconds.
>
> Sending delayed reject for request 0
>
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>
> Waking up in 4.9 seconds.
>
> Cleaning up request 0 ID 92 with timestamp +3710
>
> Ready to process requests.
>
>
>
> Now what should I do?
> Thanks in advance.
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org 
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *On behalf of *Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 12:12
>
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> Hi,
> You can use the radtest tool to check with the server. The server will return
> an Access-Accept message.
> Other tools include JRadius Simulator, as Ivan mentioned, but I have not used it.
> Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
> requests to use ntlm_auth with an Active Directory or LDAP server backend (if
> you have one).
>
> SYED
>
>  On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>
> wrote:
>
> Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult. If everything goes
> well, you should see the server returning an Access-Accept message as above."
>
>
>
> Mit freundlichen Grüßen / Kind regards
>
> Frederik Niedernolte
> ---
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
> Tel.:  +49 (0)5241 80-40554
>
> arvato services GmbH: Registered office Gütersloh | Gütersloh District Court HRB 3826 |
> Managing Directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
> Südmersen
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org 
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *On behalf of *Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 11:44
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> Hi Frederik,
>
> 1) Put User entry on *TOP* of users file.
> 2) In default file, in authenticate section, add *ntlm_auth. *Don't set
> using Auth-Type.
> 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel.
> Add *ntlm_auth* in Authenticate Section.
>
> I hope it will solve your problem.
> SYED
>
>  On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]>
> wrote:
>
> I have finished all steps till „*user* Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius -X":
>
>
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown
> value ntlm_auth for attri

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
That was an example; to check with different users, DEFAULT should be used, as
rightly said by Ivan.


On Thu, Oct 9, 2008 at 1:22 PM, <[EMAIL PROTECTED]> wrote:

>  So to understand you right:
>
> Every user that should be authenticated has to be an entry in the users
> file?
>
> Isn't it possible to add a forwarding for every user so that all requests
> are just forwarded and checked?
>
> If not I must add all users from the AD to the users file, mustn't I?
>
>
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org 
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *On behalf of *Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 13:16
>
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> And also don't remove ntlm_auth from authenticate section of both default
> and inner-tunnel files.
>
> On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <
> [EMAIL PROTECTED]> wrote:
>
> Ok, where are USER CREDENTIALS stored? The one described in the manual is
> Bind as User. That is, a User entry is added in the users file and after using
> ntlm_auth, it is checked against an Active Directory or LDAP server backend
> using the NT LAN Manager authentication protocol.
>
> For example:
> Users file:
> User  Auth-Type := ntlm_auth
>
> In Active Directory
> User should be a member.
>
> So, then ntlm_auth requests will be passed from your Server to Active
> Directory or LDAP Server.
>
> Otherwise you will not setup ntlm_auth.
>
> SYED
>
>
>
> On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]>
> wrote:
>
> OK, I have tested it with "radtest MyUser MyPassword localhost 0
> testing123" and this is what the server gave back:
>
>
>
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92,
> length=58
>
> User-Name = "MyUser"
>
> User-Password = "MyPassword"
>
> NAS-IP-Address = IP.OF.THE.SERVER
>
> NAS-Port = 0
>
> +- entering group authorize {...}
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>
> [suffix] No such realm "NULL"
>
> ++[suffix] returns noop
>
> [eap] No EAP-Message, not doing EAP
>
> ++[eap] returns noop
>
> ++[unix] returns notfound
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
>
> ++[pap] returns noop
>
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> Failed to authenticate the user.
>
> Using Post-Auth-Type Reject
>
> +- entering group REJECT {...}
>
> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
>
>  attr_filter: Matched entry DEFAULT at line 11
>
> ++[attr_filter.access_reject] returns updated
>
> Delaying reject of request 0 for 1 seconds
>
> Going to the next request
>
> Waking up in 0.9 seconds.
>
> Sending delayed reject for request 0
>
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>
> Waking up in 4.9 seconds.
>
> Cleaning up request 0 ID 92 with timestamp +3710
>
> Ready to process requests.
>
>
>
> Now what should I do?
> Thanks in advance.
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org 
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *On Behalf Of *Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 12:12
>
>
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> Hi,
> You can use the radtest tool to check with the server. The server will return
> an Access-Accept message.
> Another tool is the JRadius Simulator, as IVAN mentioned, but I have not used it.
> Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
> requests to use ntlm_auth with an Active Directory or LDAP server backend (if
> you have one).
>
> SYED
>
> On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>
> wrote:
>
> Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult. If everything goes
> well, you should see the server returning an Access-Accept message as
> above."
>
>
>
> Mit freundlichen Grüßen / Kind regards
>
> Frederik Niedernolte
> ---
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
> Tel.:  +49 (0)5241 80-40554
>
> arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 |
> Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
> Südmersen
>
>
>
> *Von:* freeradius-users-bounces+f

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Arran Cudbard-Bell

Peter Eriksson wrote:
> 
> Alan DeKok wrote:
>> Peter Eriksson wrote:
>>> The default setting seems to be less than optimal since if a remote site
>>> have problems with their home RADIUS servers then we risk having our
>>> local servers mark the upstream servers as "dead" since it's not
>>> receiving answers for a specific 'realm'...
>>   That's been a bit of a problem in RADIUS proxying.  The specification
>> says that servers MUST answer Access-Requests.  But some implementations
>> don't do that when they're proxying.  This causes all sorts of problems.
>>
>>> Perhaps increase the 'response_window',
>>> and lower 'zombie_period' and 'revive_interval'
>>> and 'check_interval' values...
>>   If you're using "status-server", then "revive_interval" isn't used.
> 
> Hmm.. When I have been testing stuff here it felt like it was that
> (revive_interval) timeout that was being used before the server first
> sent a 'status-server' check after having marked it 'down'. But I might
> have been mistaken. Gonna do some more tests...
> 
> I wonder how low I can set things to lessen this issue. Perhaps set
> zombie_period and check_interval to one second...
> 
> 
>>> Best would probably be if FreeRadius kept a
>>> separate timeout for each 'server/realm' tuple...
>>   Ugh.  That's adding complexity to work around bugs in other RADIUS
>> servers, IMHO.  Rather than keeping track of N realms && M home servers,
> 
> Well, it doesn't necessarily have to be bugs in RADIUS server. It can be
> a multitude of stuff that causes a far away home server to not respond.
> Like a network outage. It doesn't feel right to have a system where a
> network outage in (for example) Australia can take out all the EDUROAM
> service for people at our university, just because we happen to have a
> guest from that Australian university that made an attempt to connect
> to the EDUROAM system...
> 
> 
> 
>> it now has to keep track of (N x M) combinations.  That's expensive.
> 
> Yes... But that is what I think the EDUROAM people that use 'Radiator'
> does use.
> 

Really, in a system of chained proxy servers like EDUROAM you only want
to be testing first-hop connectivity.

One way to do this (as there is no guarantee your NRPS will accept
Status-Server packets) is to use the 'request' status_check and specify
local credentials, so that the requests get looped back round your NRPS
to your servers.

Alan, do you think it might be a good idea to provide an option to
disregard failures from standard authentication requests, and instead
use periodic status_checks to mark servers alive or dead?

This would make the EDUROAM problem go away...

Thanks,
Arran


--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
>Every user that should be authenticated has to be an entry in the users file?
>
>Isn't it possible to add a forwarding for every user so that all requests are 
>just forwarded and checked?
>
>If not I must add all users from the AD to the users file, mustn't I?
>

DEFAULT   Auth-Type := ntlm_auth

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Hi Frederik,

1) Put the user entry at the *TOP* of the users file.
2) In the default file, in the authenticate section, add *ntlm_auth*. Don't set
it using Auth-Type.
3) Also in sites-enabled/inner-tunnel, which is the inner-tunnel virtual server,
add *ntlm_auth* in the authenticate section.

I hope it will solve your problem.
SYED



On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]>wrote:

>  I have finished all steps up to "*user* Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius -X":
>
>
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown
> value ntlm_auth for attribute Auth-Type
>
> Errors reading /etc/freeradius/users
>
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
>
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module
> "files".
>
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize
> section.
>
>  }
>
> }
>
> Errors initializing modules
>
>
>
> The authenticate section in the /etc/freeradius/sites-enabled/default looks
> like this (only important part):
>
>
>
> authenticate {
>
> #
>
> #  NTLM_AUTH authentication.
>
> Auth-Type ntlm_auth {
>
>ntlm_auth
>
> }
>
>
>
> What is wrong and what can I do to solve the problem?
>
> Thanks in advance.
>
> Best regards, F. Niedernolte
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Proxy when database value is set

2008-10-09 Thread Laar, Johan van de
I've achieved the following:


-  A user with a username which contains a realm logs in.

-  FreeRADIUS checks some RADIUS request values like Calling-Station-Id 
etc.

-  FreeRADIUS gives a reject or accept depending on the above query.


What I cannot achieve is:


-  FreeRADIUS must proxy the request to a token server, but only when it 
has authenticated the user successfully.

Any ideas?

Thank you in advance.

Regards,
Johan van de Laar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
And how can I do that?
I cannot find something like that via Google :(


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 9 October 2008 14:59
To: FreeRadius users mailing list
Subject: Re: AW: AW: AW: Problem with ntlm_auth

[EMAIL PROTECTED] wrote:
> Is it possible to use only one FreeRADIUS server (the just configured one) 
> for a bunch of different domains
> in my Active Directory network?

  Configure Samba to join all of the domains.  Point FreeRADIUS at
Samba, via ntlm_auth.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> And how can I do that?
> I cannot find something like that via Google :(

  See the Samba documentation?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: Problem with ntlm_auth Solved and SURPRISED ME !!

2008-10-09 Thread luis a
HEY PAL

CHECK THIS OUT 

Thanks to everyone on the list.
Oh yes!! In the users file I added 
users Auth-Type := ntlm_auth

and also 

DEFAULT Auth-Type := ntlm_auth

and restarted freeradius, 

and in the output:


istening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 33818, id=145, 
length=72
User-Name = "luis"
User-Password = "test"
NAS-IP-Address = 172.16.1.11
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "luis", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 4
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=luis
[ntlm_auth] expand: --password=%{User-Password} -> --password=test
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 145 to 127.0.0.1 port 33818
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 145 with timestamp +23
Ready to process requests.



Now I'm going to follow the next steps:

the modems :-)
Hugs and many thanks to everyone who read my questions. 

BRB, now I'm going to find out how to connect the 16 modems to my Linux server. 

Luis

--- On Thu, 9/10/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: AW: Problem with ntlm_auth
To: "FreeRadius users mailing list" 
Date: Thursday, 9 October 2008 11:27

>Every user that should be authenticated has to be an entry in the users
file?
>
>Isn't it possible to add an forwarding for every user so that all
requests are just forwarded and checked?
>
>If not I must add all users from the AD to the users file, mustn't I?
>

DEFAULT   Auth-Type := ntlm_auth

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Stephen Bowman
On Thu, Oct 9, 2008 at 10:46 AM, Alan DeKok <[EMAIL PROTECTED]>wrote:

> [EMAIL PROTECTED] wrote:
> > And how can I do that?
> > I cannot find something like that via Google :(
>

Ask the Samba people?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
There are too many pages to check.
Perhaps you can give me a specific link?
I want to do it on my own but with no information it is impossible.

F. Niedernolte


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 9 October 2008 16:46
To: FreeRadius users mailing list
Subject: Re: AW: AW: AW: AW: Problem with ntlm_auth

[EMAIL PROTECTED] wrote:
> And how can I do that?
> I cannot find something like that via Google :(

  See the Samba documentation?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Proxy when database value is set

2008-10-09 Thread tnt
>What I cannot achieve is:
>
>
>-  Freeradius must proxy to request to a token server but only when it 
>authenticated the user successfully.
>

No. Your client should send another request to the token server once it gets
an Access-Accept from the RADIUS server.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
>OK, thanks.
>Now it works.
>Is this the way it should look right?
>

Yes, that's OK.

..
>[files] users: Matched entry DEFAULT at line 2
>++[files] returns ok

Entry setting Auth-Type.

..
>[pap] WARNING! No "known good" password found for the user.  Authentication 
>may fail because of this.

That's because the password is not given to radius server but is checked
in AD.

>++[pap] returns noop
>Found Auth-Type = ntlm_auth

This was forced in users file.

>+- entering group authenticate {...}
>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=MyUser
>[ntlm_auth] expand: --password=%{User-Password} -> --password=MyPassword
>Exec-Program output: NT_STATUS_OK: Success (0x0)
>Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
>Exec-Program: returned: 0
>++[ntlm_auth] returns ok

And user is authenticated in AD.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
Oh, you would like us to read the documentation for you!?! Sorry, no can
do!

Samba also has a support list. Ask there.

Ivan Kalik
Kalik Informatika ISP


On 9/10/2008, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:

>There are too many pages to check.
>Perhaps you can give me a specific link?
>I want to do it on my own but with no information it is impossible.
>
>F. Niedernolte
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
>Sent: Thursday, 9 October 2008 16:46
>To: FreeRadius users mailing list
>Subject: Re: AW: AW: AW: AW: Problem with ntlm_auth
>
>[EMAIL PROTECTED] wrote:
>> And how can I do that?
>> I cannot find something like that via Google :(
>
>  See the Samba documentation?
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" 
and this is what the server gave back:

 

Ready to process requests.

rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58

User-Name = "MyUser"

User-Password = "MyPassword"

NAS-IP-Address = IP.OF.THE.SERVER

NAS-Port = 0

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "MyUser", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

++[unix] returns notfound

++[files] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.

++[pap] returns noop

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

Failed to authenticate the user.

Using Post-Auth-Type Reject

+- entering group REJECT {...}

[attr_filter.access_reject] expand: %{User-Name} -> MyUser

 attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

Sending Access-Reject of id 92 to 127.0.0.1 port 32793

Waking up in 4.9 seconds.

Cleaning up request 0 ID 92 with timestamp +3710

Ready to process requests.

 

Now what should I do?
Thanks in advance.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Syed Anwarul 
Hasan
Sent: Thursday, 9 October 2008 12:12
To: FreeRadius users mailing list
Subject: Re: Problem with ntlm_auth

 

Hi,
You can use the radtest tool to check with the server. The server will return 
an Access-Accept message.
Another tool is the JRadius Simulator, as IVAN mentioned, but I have not used it.
Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP 
requests to use ntlm_auth with an Active Directory or LDAP server backend (if you 
have one).

SYED



On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]> wrote:

Thanks, now it works :)

 

Now the last step: How can I test it? What tool/program etc. can/should I use 
to test it?

"The radclient cannot currently be used to send this request, unfortunately, 
which makes testing a little difficult If everything goes well, you should see 
the server returning an Access-Accept 
  message as above."

 

Mit freundlichen Grüßen / Kind regards

Frederik Niedernolte
---
arvato services
An der Autobahn
33310 Gütersloh
Germany
http://www.arvato-services.de
[EMAIL PROTECTED]  
Tel.:  +49 (0)5241 80-40554

arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 | 
Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard 
Südmersen

 

From: [EMAIL PROTECTED] [mailto:freeradius-users-bounces+frederik.niedernolte 
 [EMAIL PROTECTED] On 
Behalf Of Syed Anwarul Hasan
Sent: Thursday, 9 October 2008 11:44
To: FreeRadius users mailing list
Subject: Re: Problem with ntlm_auth

 

Hi Frederik,

1) Put the user entry at the TOP of the users file.
2) In the default file, in the authenticate section, add ntlm_auth. Don't set it 
using Auth-Type.
3) Also in sites-enabled/inner-tunnel, which is the inner-tunnel virtual server, 
add ntlm_auth in the authenticate section.

I hope it will solve your problem.
SYED



On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]> wrote:

I have finished all steps till "user Auth-Type := ntlm_auth" from 
http://deployingradius.com/documents/configuration/active_directory.html.

With this command I get this error message at the end of "/usr/sbin/freeradius 
-X":

 

/etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value 
ntlm_auth for attribute Auth-Type

Errors reading /etc/freeradius/users

/etc/freeradius/modules/files[7]: Instantiation failed for module "files"

/etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".

/etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
section.

 }

}

Errors initializing modules

 

The authenticate section in the /etc/freeradius/sites-enabled/default looks 
like this (only important part):

 

authenticate {

#

#  NTLM_AUTH authentication.

Auth-Type ntlm_auth {

   ntlm_auth

}

 

What is wrong and what can I do to solve the problem?

Thanks in advance.

Best regards, F. Niedernolte


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

AW: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
I didn't mean that.
I thought you would know a link or site for this, but if no one knows I will ask 
the Samba people.
Thanks.

Frederik Niedernolte

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Thursday, 9 October 2008 17:03
To: FreeRadius users mailing list
Subject: Re: AW: AW: AW: AW: AW: Problem with ntlm_auth

Oh, you would like us to read the documentation for you!?! Sorry, no can
do!

Samba also has a support list. Ask there.

Ivan Kalik
Kalik Informatika ISP


On 9/10/2008, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:

>There are too many pages to check.
>Perhaps you can give me a specific link?
>I want to do it on my own but with no information it is impossible.
>
>F. Niedernolte
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
>Sent: Thursday, 9 October 2008 16:46
>To: FreeRadius users mailing list
>Subject: Re: AW: AW: AW: AW: Problem with ntlm_auth
>
>[EMAIL PROTECTED] wrote:
>> And how can I do that?
>> I cannot find something like that via Google :(
>
>  See the Samba documentation?
>
>  Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Really, in a system of chained proxy servers like EDUROAM you only want
> to be testing first-hop connectivity.

  Exactly.

> Alan, do you think it might be a good idea to provide an option to
> disregard failures from standard authentication requests, and instead
> use periodic status_checks to mark servers alive or dead?

  How about having it send Status-Server packets (or whatever you
configure) at the START of the zombie period.  i.e. as soon as it
determines that the server hasn't responded to a request, start pinging
it with Status-Server packets.

  If it responds to the Status-Server, it will be marked "live", even if
it doesn't respond to Access-Request packets.

  That will help, but the only solution to working with broken servers
is to implement the N x M realm/server management.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Hi,
You can use the radtest tool to check with the server. The server will return
an Access-Accept message.
Another tool is the JRadius Simulator, as IVAN mentioned, but I have not used it.
Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
requests to use ntlm_auth with an Active Directory or LDAP server backend (if
you have one).

SYED


On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>wrote:

>  Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult. If everything goes
> well, you should see the server returning an Access-Accept message as
> above."
>
>
>
> Mit freundlichen Grüßen / Kind regards
>
> Frederik Niedernolte
> ---
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
> Tel.:  +49 (0)5241 80-40554
>
> arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 |
> Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
> Südmersen
>
>
>
> *From:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org 
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *On Behalf Of *Syed Anwarul Hasan
> *Sent:* Thursday, 9 October 2008 11:44
> *To:* FreeRadius users mailing list
> *Subject:* Re: Problem with ntlm_auth
>
>
>
> Hi Frederik,
>
> 1) Put the user entry at the *TOP* of the users file.
> 2) In the default file, in the authenticate section, add *ntlm_auth*. Don't set
> it using Auth-Type.
> 3) Also in sites-enabled/inner-tunnel, which is the inner-tunnel virtual server,
> add *ntlm_auth* in the authenticate section.
>
> I hope it will solve your problem.
> SYED
>
>
>  On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]>
> wrote:
>
> I have finished all steps up to "*user* Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius -X":
>
>
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown
> value ntlm_auth for attribute Auth-Type
>
> Errors reading /etc/freeradius/users
>
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
>
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module
> "files".
>
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize
> section.
>
>  }
>
> }
>
> Errors initializing modules
>
>
>
> The authenticate section in the /etc/freeradius/sites-enabled/default looks
> like this (only important part):
>
>
>
> authenticate {
>
> #
>
> #  NTLM_AUTH authentication.
>
> Auth-Type ntlm_auth {
>
>ntlm_auth
>
> }
>
>
>
> What is wrong and what can I do to solve the problem?
>
> Thanks in advance.
>
> Best regards, F. Niedernolte
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
Peter Eriksson wrote:
> I wonder how low I can set things to lessen this issue. Perhaps set
> zombie_period and check_interval to one second...

  That's not a good idea.  It means that the server will be marked dead
MORE quickly.

>>> Best would probably be if FreeRadius kept a
>>> separate timeout for each 'server/realm' tuple...
>>   Ugh.  That's adding complexity to work around bugs in other RADIUS
>> servers, IMHO.  Rather than keeping track of N realms && M home servers,
> 
> Well, it doesn't necessarily have to be bugs in RADIUS server. It can be
> a multitude of stuff that causes a far away home server to not respond.

  That isn't the problem.  The problem is that the NEXT hop isn't
responding.  The RFCs say it MUST respond.  Some implementations don't
respond if they're also proxying the request, and the home server
doesn't respond to them.

> Like a network outage. It doesn't feel right to have a system where a
> network outage in (for example) Australia can take out all the EDUROAM
> service for people at our university, just because we happen to have a
> guest from that Australian university that made an attempt to connect
> to the EDUROAM system...

  The eduroam servers SHOULD respond to the local university if
Australia is down: "Authentication failed.  Couldn't reach Australia!"

  Instead, some implementations don't respond.  So your local university
can't tell the difference between Australia being down, and the Eduroam
servers being down...  because the eduroam server is pretending it's
down, too.

>> it now has to keep track of (N x M) combinations.  That's expensive.
> 
> Yes... But that is what I think the EDUROAM people that use 'Radiator'
> does use.

  Radiator is part of the problem.  The only reason they implement that
N x M combination is because *their* implementation behaves poorly.
i.e. a Radiator proxy doesn't respond to a local server if the upstream
home server doesn't respond to Radiator.

  Their solution?  Add complexity.  This is supposed to make things more
"stable".

  Ugh.

  I think the preferred approach is what I said in my other message.
Have FreeRADIUS start pinging the proxy as soon as the proxy MIGHT be
down.  That way, network outages are minimized.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Arran Cudbard-Bell

Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Really, in a system of chained proxy servers like EDUROAM you only want
>> to be testing first-hop connectivity.
> 
>   Exactly.
> 
>> Alan, do you think it might be a good idea to provide an option to
>> disregard failures from standard authentication requests, and instead
>> use periodic status_checks to mark servers alive or dead?
> 
>   How about having it send Status-Server packets (or whatever you
> configure) at the START of the zombie period.  i.e. as soon as it
> determines that the server hasn't responded to a request, start pinging
> it with Status-Server packets.

That'd work. So when a server is marked as a zombie, are Access-Requests
still sent to it until the zombie period has expired? If so, do responses
to Access-Requests sent during the zombie period force the server live
again?

But of course you can't guarantee successful authentication within the
zombie period... So you send the Status-Server packets before you mark
the server as dead; if the server responds then the first hop is good,
and it's the ORPS that's dead. If it doesn't, then the first hop is bad
and we fail over to another server.

> 
>   If it responds to the Status-Server, it will be marked "live", even if
> it doesn't respond to Access-Request packets.
> 
>   That will help, but the only solution to working with broken servers
> is to implement the N x M realm/server management.
> 

Thanks,
Arran
--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
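The probing scheme Alan proposes above, and Arran's follow-up about probing before a server is declared dead, as an added Python model (not FreeRADIUS code): a first hop that is silent on Access-Requests because a far-end realm is unreachable stays alive as long as it answers Status-Server, while one that answers nothing is marked dead once zombie_period has elapsed. Option names follow the proxy.conf knobs named in the thread; the 'nrps' server, the timings and the probe-answer behaviour are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    ALIVE = "alive"
    ZOMBIE = "zombie"  # missed response_window; being probed with Status-Server
    DEAD = "dead"      # zombie_period elapsed with no Status-Server answer


@dataclass
class HomeServer:
    """One first-hop server as seen by the proxy (a model, not the real code)."""
    name: str
    response_window: float = 20.0     # wait this long for an Access-Accept/Reject
    zombie_period: float = 40.0       # probe this long before declaring DEAD
    check_interval: float = 30.0      # seconds between Status-Server probes
    probe_during_zombie: bool = True  # False: only Access-Request replies count
    state: State = State.ALIVE
    outstanding: Dict[int, float] = field(default_factory=dict)  # req id -> sent at
    zombie_since: Optional[float] = None
    probes_sent: List[float] = field(default_factory=list)

    def send_access_request(self, req_id: int, now: float) -> None:
        self.outstanding[req_id] = now

    def receive_access_reply(self, req_id: int, now: float) -> None:
        self.outstanding.pop(req_id, None)
        self._mark_alive()

    def receive_status_server_reply(self, now: float) -> None:
        # A Status-Server answer proves the first hop itself is up, even if it
        # stays silent on Access-Requests for an unreachable far-end realm.
        if self.state is State.ZOMBIE:
            self._mark_alive()

    def tick(self, now: float) -> State:
        """Advance the clock: expire overdue requests, probe, or declare death."""
        if self.state is State.ALIVE:
            overdue = [r for r, t in self.outstanding.items()
                       if now - t >= self.response_window]
            if overdue:
                for r in overdue:
                    del self.outstanding[r]
                self.state = State.ZOMBIE
                self.zombie_since = now
                if self.probe_during_zombie:  # probe at the START of the zombie period
                    self._probe(now)
        elif self.state is State.ZOMBIE:
            assert self.zombie_since is not None
            if now - self.zombie_since >= self.zombie_period:
                self.state = State.DEAD       # the proxy would fail over here
            elif (self.probe_during_zombie
                  and now - self.probes_sent[-1] >= self.check_interval):
                self._probe(now)
        return self.state

    def _probe(self, now: float) -> None:
        self.probes_sent.append(now)

    def _mark_alive(self) -> None:
        self.state = State.ALIVE
        self.zombie_since = None


def simulate(first_hop_answers_probes: bool, probe_during_zombie: bool = True,
             step: float = 5.0, horizon: float = 80.0
             ) -> Tuple[State, List[float], List[Tuple[float, str]]]:
    """Constructed timeline: at t=0 the proxy forwards a guest's Access-Request for
    a realm whose home server is unreachable, so the first hop never answers it."""
    hs = HomeServer("nrps", response_window=20, zombie_period=40,
                    check_interval=10, probe_during_zombie=probe_during_zombie)
    hs.send_access_request(req_id=1, now=0.0)
    trace: List[Tuple[float, str]] = []
    reply_pending = False
    now = 0.0
    while now <= horizon:
        if reply_pending:                      # probe answer arrives one step later
            hs.receive_status_server_reply(now)
            reply_pending = False
        probes_before = len(hs.probes_sent)
        hs.tick(now)
        if first_hop_answers_probes and len(hs.probes_sent) > probes_before:
            reply_pending = True
        trace.append((now, hs.state.value))
        now += step
    return hs.state, hs.probes_sent, trace


def first_time_in(trace: List[Tuple[float, str]], state_name: str) -> Optional[float]:
    """Time at which the trace first shows the given state, or None."""
    return next((t for t, s in trace if s == state_name), None)
```

With probes answered the server flaps ALIVE -> ZOMBIE -> ALIVE and is never marked dead; with probe_during_zombie=False (the behaviour Arran is asking to change) the same silence ends in DEAD at t=60 regardless of whether Status-Server would have been answered.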


Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Hi Ivan,
  Thanks for the reply. After changing the operator to += I am still seeing all 
the VARRAY values in the reply. It should reply back only 
Sending Access-Accept of id 65 to 216.121.193.1 port 49266
    rEntitlements += "WIFILOC1"
    rAttribute1 = "1"
    rCidx = "1"

and not as it is happening now

auth: type "LDAP"
+- entering group LDAP
rlm_ldap: - authenticate
rlm_ldap: login attempt by "etest300" with password "test123"
rlm_ldap: user DN: uid=test1212121
rlm_ldap: (re)connect to x:389, authentication 1
rlm_ldap: bind as uid=test1212121/test123 to xxx:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user etest300 authenticated succesfully
++[ldap1] returns ok
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 65 to 216.2.193.1 port 49266
    rEntitlements += "webhosting"
    rEntitlements += "2UP15DWN"
    rEntitlements += "5UP30DWN"
    rEntitlements += "WIFILOC1"
    rAttribute1 = "1"
    rCidx = "1"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 65 with timestamp +1
Ready to process requests.

Please let me know.
Thanks so much in advance.

Regards.


--- On Wed, 10/8/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Wednesday, October 8, 2008, 7:18 PM

+=

http://wiki.freeradius.org/Operators

Ivan Kalik
Kalik Informatika ISP


Dana 8/10/2008, "Eric Martell" <[EMAIL PROTECTED]> piše:

>Hi, 
>   We are defining custom VSA's for our company. We have ldap
configured in freeradius which returns back the VSA's. 
>
>I defined custom VSA in
>$freeradius/share/freeradius/dictionary.abc
>ATTRIBUTE   rEntitlements  
113 string
>
>entitlements is multivalue attribute (vARRAY) in LDAP.
>
>In the ldap.attrmap it is defined as
>
>replyItem   rEntitlements  
entitlements  ==
>
>
>So after the successful authentication, I am getting the rEntitlements back
as   
>
>Sending Access-Accept of id 50 to 69.74.69.31 port 1814
>    Session-Timeout = 7200
>    rEntitlements == "ADMALL"
>    rEntitlements == "STORE"
>    rEntitlements == "WEPG"
>    rEntitlements == "WADM"
>    rEntitlements == "SDNLD"
>    rEntitlements == "WIFILOC1"
>
>
>BUT I am looking for ONLY WIFILOC1 for the NAS. NAS will redirect if
WIFILOC1 exists.
>
>Can I do regex in the rEntitlements so freeradius ONLY returns 
>rEntitlements = "WIFILOC1" and ignore the rest?
>
>Please let me know.
>Thanks in advance.
>
>
>
>


Re: AW: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
You have misunderstood what this list is about. This is a support list
for Freeradius users. You will be provided the details of basic
configuration for other projects/devices (Open Source/Cisco/Microsoft
etc.) which will enable the server to cooperate with them in some common
applications. If you need advanced configuration for those
projects/applications don't look for answers here.

Ivan Kalik
Kalik Informatika ISP


Dana 9/10/2008, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> piše:

>I didn't mean that.
>I thought you would know a link or site for this but if noone knows I will ask 
>the samba people.
>Thanks.
>
>Frederik Niedernolte
>
>-Ursprüngliche Nachricht-
>Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von [EMAIL 
>PROTECTED]
>Gesendet: Donnerstag, 9. Oktober 2008 17:03
>An: FreeRadius users mailing list
>Betreff: Re: AW: AW: AW: AW: AW: Problem with ntlm_auth
>
>Oh, you would like us to read the documentation for you!?! Sorry, no can
>do!
>
>Samba also has a support list. Ask there.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>Dana 9/10/2008, "[EMAIL PROTECTED]"
><[EMAIL PROTECTED]> piše:
>
>>There are too many pages to check.
>>Perhaps you can give me a specific link?
>>I want to do it on my own but with no information it is impossible.
>>
>>F. Niedernolte
>>
>>
>>-Ursprüngliche Nachricht-
>>Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Alan DeKok
>>Gesendet: Donnerstag, 9. Oktober 2008 16:46
>>An: FreeRadius users mailing list
>>Betreff: Re: AW: AW: AW: AW: Problem with ntlm_auth
>>
>>[EMAIL PROTECTED] wrote:
>>> And how can I do that?
>>> I cannot find something like that via Google :(
>>
>>  See the Samba documentation?
>>
>>  Alan DeKok.
>>
>>
>


Re: Radius reply multivalue VSA question.

2008-10-09 Thread tnt
>  Thanks for the reply. After changing the operator += I am still seeing all 
>the VARRAY in the reply. It should reply back only 
>Sending Access-Accept of id 65 to 216.121.193.1 port 49266
>
>    rEntitlements += "WIFILOC1"
>
>    rAttribute1 = "1"
>
>    rCidx = "1"
>
>and not as it is happening now
>

So why did you put those other rEntitlements into the user profile. If
they are not the same thing they should have different attribute names.

Ivan Kalik
Kalik Informatika ISP



Re: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> There are too many pages to check.

  Maybe I should go read the pages, and point you to specific ones?

> Perhaps you can give me a specific link?

  This isn't a Samba help list.  We are not Samba experts.

  I suggest asking on the Samba list how to configure Samba for multiple
domains.

  Alan DeKok.


Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Hi Ivan,
   I agree with you. But I am reading those attributes from LDAP. In LDAP 
"entitlements" attribute is defined as Multivalue (array). I can't change 
the existing LDAP structure.

I am mapping "entitlements" attribute from LDAP with the radius attribute 
rEntitlements in the ldap.attrmap

replyItem   rEntitlements   entitlements  +=

which is good so far. But I don't need entire array from LDAP as reply just 
looking for WIFILOC1 and send that as reply.

Please let me know if you need more information.

Thanks so much.
Regards.



--- On Thu, 10/9/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Thursday, October 9, 2008, 11:40 AM

>  Thanks for the reply. After changing the operator += I am still seeing
all the VARRAY in the reply. It should reply back only 
>Sending Access-Accept of id 65 to 216.121.193.1 port 49266
>
>    rEntitlements += "WIFILOC1"
>
>    rAttribute1 = "1"
>
>    rCidx = "1"
>
>and not as it is happening now
>

So why did you put those other rEntitlements into the user profile. If
they are not the same thing they should have different attribute names.

Ivan Kalik
Kalik Informatika ISP


Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> That'd work. So when a server is marked as a Zombie Access-Requests
> still sent to it until the Zombie period has expired?

  Yes.  I also noticed that the current code doesn't send Status-Server
packets until "check_interval" time AFTER it's marked "dead".  So we
have "response_window" delay, followed by "zombie_period", followed by
"check_interval".  In some cases, it might not start pinging the home
server until a minute after it stops responding.  Not nice.

  My current proposal is to start pinging it at the start of
"zombie_period".  If you then set:

zombie_period = 21
check_interval = 6
num_pings_to_alive = 3

  It will start pinging the home server as soon as it stops responding.
 if it responds to all 3 pings, it will be marked "live" again, without
ever being marked "dead".

> If so do responses
> to Access-Requests sent during the Zombie Period force the server live
> again?

  Yes.

> But of course you can't guarantee successful authentication within the
> Zombie Period... So you send the Status-Server packets before you mark
> the server as dead, if the server responds then the first hop is good,
> and it's the ORPS that's dead. If it doesn't, then the first hop is bad
> and we fail over to another server.

  Yes.

  This still means that requests will be sent to that home server,even
if they're for an upstream realm that's dead.  If there are multiple
paths to the upstream realm, then those other paths won't be discovered.

  But there is no RADIUS "routing protocol"[1].  So that's that.

  Alan DeKok.

[1] For now.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
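The state machine described in the message above (response_window expires, the home server becomes a zombie, Status-Server pings start at the beginning of zombie_period rather than check_interval after the server is already dead, num_pings_to_alive consecutive answers or any answered Access-Request revive it, and an expired zombie_period marks it dead), as an added toy model written for this page. It is not FreeRADIUS code and not from the thread: time is a one-second tick driven from a list, a ping is assumed to be answered within the same second it is sent, and the `ping_answered` callback standing in for the real home server is constructed for the example. With the settings quoted in the message (zombie_period = 21, check_interval = 6, num_pings_to_alive = 3) the server is back to "alive" at t=12 of a 21 s zombie period; the same server under the old behaviour, where no ping is sent during the zombie period, is declared dead at t=21.

```python
"""Toy model of the proxy liveness state machine discussed in the thread.

Added illustration for this page, not FreeRADIUS code.  Models the proposal:
Status-Server pings begin at the start of zombie_period, num_pings_to_alive
consecutive answered pings revive the server without it ever being marked
dead, an answered Access-Request during the zombie period revives it at once,
and an expired zombie_period marks it dead.  The per-second driver and the
"does the home server answer at time t" callback are constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

ALIVE, ZOMBIE, DEAD = "alive", "zombie", "dead"


@dataclass
class HomeServer:
    zombie_period: int = 21       # seconds a zombie gets before it is marked dead
    check_interval: int = 6       # seconds between Status-Server pings
    num_pings_to_alive: int = 3   # consecutive answered pings that revive it
    state: str = ALIVE
    zombie_since: int = 0
    pings_answered: int = 0       # consecutive answered pings so far
    log: List[Tuple[int, str]] = field(default_factory=list)

    def _transition(self, t: int, state: str) -> None:
        self.state = state
        self.log.append((t, state))

    def request_timed_out(self, t: int) -> None:
        """response_window expired on a proxied Access-Request: go zombie."""
        if self.state == ALIVE:
            self.zombie_since = t
            self.pings_answered = 0
            self._transition(t, ZOMBIE)

    def access_reply_seen(self, t: int) -> None:
        """A reply to an Access-Request sent during the zombie period is
        proof of life: the server is marked alive immediately."""
        if self.state == ZOMBIE:
            self._transition(t, ALIVE)

    def status_server_result(self, t: int, answered: bool) -> None:
        """Outcome of one Status-Server ping.  A miss resets the count, so
        only num_pings_to_alive answers in a row revive the server."""
        if self.state != ZOMBIE:
            return
        self.pings_answered = self.pings_answered + 1 if answered else 0
        if self.pings_answered >= self.num_pings_to_alive:
            self._transition(t, ALIVE)

    def tick(self, t: int) -> None:
        """Called once per second: an expired zombie_period means dead."""
        if self.state == ZOMBIE and t - self.zombie_since >= self.zombie_period:
            self._transition(t, DEAD)


def simulate(ping_answered: Callable[[int], bool],
             access_reply_at: Optional[int] = None,
             ping_while_zombie: bool = True,
             zombie_period: int = 21,
             check_interval: int = 6,
             num_pings_to_alive: int = 3) -> HomeServer:
    """Drive the state machine from an Access-Request timeout at t=0.

    ping_while_zombie=True is the proposal (pings begin at t=0); False mimics
    the behaviour complained about, where no Status-Server packet is sent
    until after the server has already been marked dead.
    """
    hs = HomeServer(zombie_period, check_interval, num_pings_to_alive)
    hs.request_timed_out(0)
    for t in range(0, zombie_period + 1):
        if hs.state != ZOMBIE:
            break
        if ping_while_zombie and t % check_interval == 0:
            hs.status_server_result(t, ping_answered(t))
        if access_reply_at is not None and t == access_reply_at:
            hs.access_reply_seen(t)
        hs.tick(t)
    return hs


if __name__ == "__main__":
    # First hop answers Status-Server even though the realm behind it is down.
    print(simulate(lambda t: True).log)    # [(0, 'zombie'), (12, 'alive')]
    print(simulate(lambda t: False).log)   # [(0, 'zombie'), (21, 'dead')]
```

The `ping_while_zombie=False` run is the contrast case: with the same server answering every ping it still ends up dead, because nothing probes it before zombie_period runs out. Note also what the model does not capture, as the message itself says: Access-Requests for the dead upstream realm keep being proxied to a "live" first hop, and an alternative path to that realm is never tried.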


Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread A . L . M . Buxey
Hi,

>   This still means that requests will be sent to that home server,even
> if they're for an upstream realm that's dead.  If there are multiple
> paths to the upstream realm, then those other paths won't be discovered.
> 
>   But there is no RADIUS "routing protocol"[1].  So that's that.

s'funny that you should mention that - what with a hierarchical system.
I thought it would be neat if a downstream system could notify the upstream
about what realms it could deal with and - via a trusted and encrypted
channel - thus no more manually adding new records to higher tiers
for new realms dealt with.. much like advertising routing space via
BGP or OSPF

still. that'd be a new RFC for sure ! :-)

alan


Re: Radius reply multivalue VSA question.

2008-10-09 Thread tnt
>   I agree with you. But I am reading those attributes from LDAP. In LDAP 
>"entitlements" attribute is defined as Multivalue (array).

Which is of no use to you.

>I can't change the existing LDAP structure.
>

Are you a developer or not? If you are, then you say what LDAP structure
should look like. If your superiors are in love with that multivalue
field insist that data that you need should be kept in a separate
attribute as well.

Ivan Kalik
Kalik Informatika ISP



Ldap group

2008-10-09 Thread Bert Beaudin
Hello 
 
I have ldap working to authenticate users to a Cisco switch. I now want to
limit it to group membership. Any help would be great. 
 
Here is what I have in my ldap config for the groups. 
 
#  Group membership checking.  Disabled by default.
#
 groupname_attribute = "cn"
 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 groupmembership_attribute = "radius"
 
#compare_check_items = yes
# do_xlat = yes
#access_attr_used_for_allow = yes
 
Here is what I see in my logs with radiusd -X
 
Ready to process requests.
rad_recv: Access-Request packet from host 10.12.8.230 port 1645, id=35,
length=86
User-Name = "bbeaudin"
User-Password = "xxx^"
NAS-Port = 194
NAS-Port-Id = "tty194"
NAS-Port-Type = Virtual
Calling-Station-Id = "10.12.8.71"
NAS-IP-Address = 10.12.8.230
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "bbeaudin", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
rlm_ldap: Entering ldap_groupcmp()
expand: OU=Employees,DC=yipes,DC=com ->
OU=Employees,DC=yipes,DC=com
expand: (&(samaccountname=%{user-name})) ->
(&(samaccountname=bbeaudin))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to dendc1.yipes.com:389, authentication 0
rlm_ldap: bind as [EMAIL PROTECTED]/ to dendc1.yipes.com:389
rlm_ldap: waiting for bind result ...
request done: ld 0x121a6760 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Employees,DC=yipes,DC=com, with filter
(&(samaccountname=bbeaudin))
request done: ld 0x121a6760 msgid 2
rlm_ldap: ldap_release_conn: Release Id: 0
expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dBert Beaudin\2cOU\3dIT Staff\2cOU\3dEmployees\2cDC\3dyipes\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=radius,dc=yipes,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=CN\3dBert Beaudin\2cOU\3dIT Staff\2cOU\3dEmployees\2cDC\3dyipes\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
request done: ld 0x121a6760 msgid 3
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Bert Beaudin,OU=IT Staff,OU=Employees,DC=yipes,DC=com, with filter (objectclass=*)
request done: ld 0x121a6760 msgid 4
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bbeaudin
expand: (&(samaccountname=%{user-name})) ->
(&(samaccountname=bbeaudin))
expand: OU=Employees,DC=yipes,DC=com ->
OU=Employees,DC=yipes,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Employees,DC=yipes,DC=com, with filter
(&(samaccountname=bbeaudin))
request done: ld 0x121a6760 msgid 5
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns reject
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> bbeaudin
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 35 to 10.12.8.230 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +9
Ready to process requests.
 
 
 
Thanks,

Bert Beaudin
Systems Administrator
RelianceGlobalcom Services, Inc.
Office:303-785-6641
Cell:303-478-7789
Fax:415-677-9534
[EMAIL PROTECTED]  
www.relianceglobalcom.com | http://www.yipes.com/
 

 

Re: Ldap group

2008-10-09 Thread tnt
> groupmembership_filter =
>"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

It should also be control:Ldap-UserDn for uniquemember. Hope that helps.

Ivan Kalik
Kalik Informatika ISP



Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Ivan,
   I told the management but looks like no go.

is there any way I can change the rlm_ldap.c?

I am not proficient in c, so might need additional help.

Or there are any other options.

Let me know.
Thanks in advance.

--- On Thu, 10/9/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Thursday, October 9, 2008, 1:54 PM

>   I agree with you. But I am reading those attributes from LDAP. In LDAP
"entitlements" attribute is defined as Multivalue (array).

Which is of no use to you.

>I can't change the existing LDAP structure.
>

Are you a developer or not? If you are, then you say what LDAP structure
should look like. If your superiors are in love with that multivalue
field insist that data that you need should be kept in a separate
attribute as well.

Ivan Kalik
Kalik Informatika ISP


RE: Ldap group

2008-10-09 Thread Bert Beaudin
Hello all

I have made the change uniquemember=%{control:Ldap-UserDn}

But I still have the issue. Any other ideas or other information I can
provide. Any configs I could look at. 
 

Thanks,
Bert


-Original Message-
From:
[EMAIL PROTECTED]
.org
[mailto:[EMAIL PROTECTED]
eeradius.org] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 09, 2008 12:39 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group

> groupmembership_filter =
>"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

It should also be control:Ldap-UserDn for uniquemember. Hope that helps.

Ivan Kalik
Kalik Informatika ISP



Error in the negotiations

2008-10-09 Thread Martin Silvero
Any suggestions for this topic guys?

thanks!!!

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
>>   But there is no RADIUS "routing protocol"[1].  So that's that.
> 
> s'funny that you should mention that - what with a hierarchical system.
> I thought it would be neat if a downstream system could notify the upstream
> about what realms it could deal with and - via a trusted and encrypted
> channel - thus no more manually adding new records to higher tiers
> for new realms dealt with.. much like advertising routing space via
> BGP or OSPF

  This will happen.  There is sufficient buy-in from large telcos that
it's necessary.

  FreeRADIUS will likely be the first compliant implementation... before
the specification is written.

  Alan DeKok.


Re: Radius reply multivalue VSA question.

2008-10-09 Thread tnt
>is there any way I can change the rlm_ldap.c?
>
>I am not proficient in c, so might need additional help.
>
>Or there are any other options.
>

Well, before resorting to source code alterations try using unlang. Have
a look at update reply with -= operator. You can't use regex with that
operator so you will probably need to run a script that will filter what
needs to be removed.

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika



Re: Error in the negotiations

2008-10-09 Thread tnt
You should read the list. I gave the workable solution to somebody else
yesterday.

Ivan Kalik
Kalik Informatika ISP


Dana 9/10/2008, "Martin Silvero" <[EMAIL PROTECTED]> piše:

>Any suggestions for this topic guys?
>
>thanks!!!
>
>



Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread A . L . M . Buxey
Hi,

>   This will happen.  There is sufficient buy-in from large telcos that
> it's necessary.

cool. it wasn't just me toking on the crack pipe too many times 8-)

Stefan, you hearing this? and you be thinking I crazy :-)

alan


Error in the negotiations

2008-10-09 Thread Martin Silvero
Is this the issue that you say?:

Re: CA.all and CA.certs in Freeradius 2.x

Cisco VPN Radius with expiry & Windows domain password expiration

2008-10-09 Thread kesm0724

Hello All,

I have a cisco vpn concentrator and in the past have had it pointed to a
Windows IAS Server.  I have now switched to Freeradius and have discovered
that when a user needs to "Change password on next logon" the cisco vpn
client does not prompt for a password change.  Prior to moving to Freeradius
the password change prompt comes up allowing the user to change their
password.  On the concentrator I do have "Radius with Expiry" configured and
have switched back and forth between the IAS Server and the Freeradius
server to ensure it was something particular to the authentication servers
not the concentrator.  

I notice the following in debug:

rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
expand: --username=%{mschap:User-Name} -> --username=test
 mschap2: 83
expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=04e843995bfbdbca
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=a378afdf127434783890d2e2e4f9d5bd97976a00d2c51fa4
Exec-Program output: Must change password (0xc224)
Exec-Program-Wait: plaintext: Must change password (0xc224)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

I have been looking on Google for windows domain password expiry +
freeradius amongst other search strings all to no avail.  Can anyone tell me
what I'm doing wrong?  

Thanks.


-- 
View this message in context: 
http://www.nabble.com/Cisco-VPN-Radius-with-expiry---Windows-domain-password-expiration-tp19907575p19907575.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Error in the negotiations

2008-10-09 Thread tnt
That's it.

Ivan Kalik
Kalik Informatika ISP


Dana 9/10/2008, "Martin Silvero" <[EMAIL PROTECTED]> piše:

>Is this the issue that you say?:
>
>Re: CA.all and CA.certs in Freeradius 2.x
>



EAP MSK: how is it transported between server and authenticator

2008-10-09 Thread Richard Chan
Hi all,

After an EAP authentication which supports key derivation (MSK)
how does freeradius transport the MSK to an NAS(authenticator)? I.e., what
kind of attribute is used?
(I am assuming that the EAP Server (freeradius) is a separate entity to the
NAS; NAS talks to freeradius
using RADIUS and acts as EAP proxy between EAP client and freeradius).

There is an IETF draft on encrypted RADIUS attributes (which specifically
mentions "EAP MSK"):
http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt

but this seems too recent to be actually used in the field (besides
including undefined magic numbers).

Browsing another RADIUS server document (Cisco Secure ACS), there is a
"RADIUS Key Wrap" secret
that can be configured. Presumably this is used to send MSKs between server
and authenticator, but once
again there are no details on how it is actually done. I couldn't find a
similar configuration parameter in the
freeradius config files, either radiusd.conf (
http://wiki.freeradius.org/Radiusd.conf) or the client side (
http://wiki.freeradius.org/Clients.conf).

Googling 'radius key wrap' etc doesn't lead to further enlightenment.

Tks!
-richard-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
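The question above gets no answer in this archive. As an added example, written for this page and not code from the poster, the thread or FreeRADIUS, here is the standard mechanism the question is asking about: RFC 5216 section 2.3 (and RFC 3748 section 7.10) have the server put the first 32 octets of the EAP MSK in the MS-MPPE-Recv-Key attribute and the next 32 in MS-MPPE-Send-Key (names are from the NAS's point of view), both Microsoft vendor-specific attributes whose values are "salt-encrypted" as in RFC 2548 section 2.4 with an MD5 keystream derived from the RADIUS shared secret, the Request-Authenticator of the Access-Request and a 2-octet salt. The shared secret, Request-Authenticator, salts and MSK in the block are constructed test values.

```python
"""RFC 2548 MS-MPPE key wrap: how a RADIUS server hands the EAP MSK to the NAS.

Added example for this page (not FreeRADIUS code).  The secret, authenticator,
salts and MSK used in __main__ are constructed test values.
"""
import hashlib
import struct

VENDOR_MICROSOFT = 311
MS_MPPE_SEND_KEY = 16       # Vendor-Type values from RFC 2548
MS_MPPE_RECV_KEY = 17
ATTR_VENDOR_SPECIFIC = 26   # RADIUS attribute type for all VSAs


def salt_encrypt(secret: bytes, authenticator: bytes, salt: bytes, key: bytes) -> bytes:
    """RFC 2548 section 2.4.2: returns Salt || c(1) || ... || c(n)."""
    if len(authenticator) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("authenticator must be 16 octets; salt 2 octets with high bit set")
    # P = Key-Length octet || Key, zero-padded to a multiple of 16 octets
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    digest_input = secret + authenticator + salt      # b(1) = MD5(S || R || A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(digest_input).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        digest_input = secret + c                      # b(i) = MD5(S || c(i-1))
    return salt + bytes(out)


def salt_decrypt(secret: bytes, authenticator: bytes, blob: bytes) -> bytes:
    """Inverse of salt_encrypt.  There is no integrity tag in this scheme; the
    only sanity check available is the Key-Length octet."""
    salt, cipher = blob[:2], blob[2:]
    if len(cipher) % 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("malformed MS-MPPE value")
    plain = bytearray()
    digest_input = secret + authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(digest_input).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], b))
        digest_input = secret + cipher[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("Key-Length octet out of range (wrong shared secret?)")
    return bytes(plain[1:1 + n])


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wire form: Type 26, Length, Vendor-Id 311, Vendor-Type, Vendor-Length, String."""
    body = bytes([vendor_type, 2 + len(value)]) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(body), VENDOR_MICROSOFT) + body


def decode_vsa(attr: bytes):
    """Returns (vendor_type, value) for a Microsoft VSA, or raises ValueError."""
    attr_type, length, vendor = struct.unpack("!BBI", attr[:6])
    if attr_type != ATTR_VENDOR_SPECIFIC or vendor != VENDOR_MICROSOFT or length != len(attr):
        raise ValueError("not a well-formed Microsoft vendor-specific attribute")
    vtype, vlen = attr[6], attr[7]
    return vtype, attr[8:6 + vlen]


def wrap_msk(msk: bytes, secret: bytes, authenticator: bytes,
             salt_recv: bytes, salt_send: bytes) -> dict:
    """Split a 64-octet MSK and return the two encrypted VSAs for the Access-Accept."""
    if len(msk) < 64:
        raise ValueError("EAP MSK is at least 64 octets")
    recv_key, send_key = msk[:32], msk[32:64]        # RFC 5216 section 2.3 ordering
    return {
        "MS-MPPE-Recv-Key": encode_vsa(MS_MPPE_RECV_KEY,
                                       salt_encrypt(secret, authenticator, salt_recv, recv_key)),
        "MS-MPPE-Send-Key": encode_vsa(MS_MPPE_SEND_KEY,
                                       salt_encrypt(secret, authenticator, salt_send, send_key)),
    }


def unwrap_vsa(attr: bytes, secret: bytes, authenticator: bytes):
    """What the NAS does on receipt: returns (vendor_type, plaintext key)."""
    vtype, value = decode_vsa(attr)
    return vtype, salt_decrypt(secret, authenticator, value)


if __name__ == "__main__":
    secret, authenticator = b"testing123", bytes(range(16))   # constructed
    msk = bytes(range(64))                                    # constructed MSK
    reply = wrap_msk(msk, secret, authenticator, b"\x80\x01", b"\x81\x02")
    for name, attr in reply.items():
        print(name, attr.hex())
        print("  ->", unwrap_vsa(attr, secret, authenticator)[1].hex())
```

Two caveats worth drawing from the code: the scheme gives confidentiality only, and that confidentiality rests entirely on the strength of the shared secret and on MD5, which is why the draft the poster cites and RadSec-style transport protection exist. The only "integrity" visible to the NAS is that a wrong secret usually yields a nonsense Key-Length octet; packet integrity comes from the RADIUS Response-Authenticator and Message-Authenticator, not from the key wrap itself.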

Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Thanks Ivan.

Not sure which file I should add the update reply to. Getting familiar with unlang 
so pardon my dumb questions.

I added in ldap.attrmap.

update reply {
    rEntitlements -= entitlements
}
replyItem   rEntitlements   entitlements  +=

is that right? Also you mentioned a script... is that a shell/perl script? 
please enlighten.

Thanks in advance.


--- On Thu, 10/9/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Subject: Re: Radius reply multivalue VSA question.
To: freeradius-users@lists.freeradius.org
Date: Thursday, October 9, 2008, 4:37 PM

>is there any way I can change the rlm_ldap.c?
>
>I am not proficient in c, so might need additional help.
>
>Or there are any other options.
>

Well, before resorting to source code alterations try using unlang. Have
a look at update reply with -= operator. You can't use regex with that
operator so you will probably need to run a script that will filter what
needs to be removed.

http://freeradius.org/radiusd/man/unlang.html

Ivan Kalik
Kalik Informatika

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
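The filtering that Ivan's reply points at, as an added example written for this page (not the poster's configuration and not from the thread). It assumes FreeRADIUS 2.x with the `%{Attribute-Name[*]}` expansion documented in `man unlang` (check the man page shipped with your version), that the LDAP module has already added the rEntitlements reply items in authorize via the `replyItem rEntitlements entitlements +=` line in ldap.attrmap, and that the NAS keys only on the value WIFILOC1. Unlang is only parsed in the sections of a virtual server, so the block goes in the post-auth section of sites-enabled/default, not in ldap.attrmap:

```unlang
# Added example: post-auth section of the virtual server (sites-enabled/default).
# ldap.attrmap keeps its mapping line:   replyItem  rEntitlements  entitlements  +=
# Assumes 2.x unlang with the %{Attr[*]} xlat; rEntitlements is the VSA from dictionary.abc.
post-auth {
    # %{reply:rEntitlements[*]} expands to every value the LDAP module added,
    # one per line, so the regex is tested against the whole multi-valued set.
    if ("%{reply:rEntitlements[*]}" =~ /WIFILOC1/) {
        update reply {
            # "!* ANY" deletes every instance of the attribute, whatever its value,
            rEntitlements !* ANY
            # then the single value the NAS needs is put back.
            rEntitlements += "WIFILOC1"
        }
    }
    else {
        update reply {
            rEntitlements !* ANY
        }
    }
    # ... the rest of the existing post-auth section (exec etc.) ...
}
```

Two checks before relying on this: `/WIFILOC1/` is a substring match, so a sibling value such as "WIFILOC10" would also satisfy it and the pattern has to be tightened if such values exist in the directory; and run `radiusd -X` once to confirm the Access-Accept now carries one rEntitlements instead of the four shown in the debug output above. If the `[*]` expansion is not available in your version, the alternative Ivan mentions is an external script run by the exec module with `wait = yes` and `output_pairs = reply`, which prints the attribute/value pairs to keep.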