Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread A . L . M . Buxey
Hi,

 I have configured everything and gotten free radius to authenticate off  
 /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have  
 run into is when I switch the securew2 windows xp eap-ttls client to use  
 the current logged on user credentials. Then, SecureW2 sends the  
 username in the format of DOMAIN/user (which in this case is HTN/josh).  
 Authentication then fails because of this extra domain part in the user.  
 Ok fine, I first enable the nt_domain_hack in the mschap module then I  
 configured realm ntdomain and simply set a default realm in proxy.conf  
 to strip off the domain part. Nope, that fails (output will be included  
 below). I also tried nostrip but that also fails obviously. Also tried  
 silently stripping the domain in pre-process in radiusd.conf. Auth is  
 successful but finally rejected because the user doesn't match the  
 original HTN/josh user sent.

you need to look at using the Stripped-User-Name rather than just the 
User-Name (because that contains the REALM/ stuff).

alternatively, you can specify in proxy.conf to proxy anything with
REALM/ to your RADIUS server with realm stripping on - this should
send the request back to your server with just User-Name plain..
but it's not clean.   As Alan DeKok states, this sort of thing is very
nice in 2.x FreeRADIUS, it just works(tm)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
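The realm split Alan is pointing at, as an added example that is not code from the post or from FreeRADIUS: a User-Name of the form HTN/josh is split into Realm HTN and Stripped-User-Name josh, and a lookup keyed on the raw User-Name fails against an smbpasswd entry for "josh" while one keyed on Stripped-User-Name succeeds. The function names, the REALM_FORMATS table (ntdomain with "\" or "/" and suffix with "@") and the SMBPASSWD_USERS set are assumptions constructed for this example.

```python
# Added example (not from the list post or FreeRADIUS): a model of how the
# realm module turns User-Name "HTN/josh" into Realm "HTN" and
# Stripped-User-Name "josh".  split_realm, annotate_request,
# authorize_smbpasswd, REALM_FORMATS and SMBPASSWD_USERS are names
# constructed for this example.

# Constructed stand-in for the accounts /etc/samba/smbpasswd knows about.
SMBPASSWD_USERS = {"josh", "alice"}

# Realm formats modelled: ntdomain ("DOMAIN\user" or "DOMAIN/user", realm
# before the delimiter) and suffix ("user@realm", realm after it).
REALM_FORMATS = [
    (("\\", "/"), True),
    (("@",), False),
]


def split_realm(user_name):
    """Return (realm, stripped_user_name), or (None, None) when User-Name
    carries no realm delimiter at all."""
    for delimiters, realm_is_prefix in REALM_FORMATS:
        for delim in delimiters:
            if delim in user_name:
                left, right = user_name.split(delim, 1)
                return (left, right) if realm_is_prefix else (right, left)
    return None, None


def annotate_request(request):
    """Add Realm and Stripped-User-Name to a request dict, as the realm
    module does when it recognises a delimiter; otherwise leave it alone."""
    realm, stripped = split_realm(request["User-Name"])
    annotated = dict(request)
    if realm is not None:
        annotated["Realm"] = realm
        annotated["Stripped-User-Name"] = stripped
    return annotated


def authorize_smbpasswd(request, use_stripped):
    """Look the user up in the smbpasswd stand-in.  With use_stripped=True
    the key is Stripped-User-Name when present (falling back to User-Name);
    with use_stripped=False the raw User-Name is always used, which is the
    comparison that fails for "HTN/josh"."""
    req = annotate_request(request)
    key = req.get("Stripped-User-Name") if use_stripped else None
    if key is None:
        key = req["User-Name"]
    return key in SMBPASSWD_USERS
```

The fallback in authorize_smbpasswd matters: a plain "josh" with no domain prefix never gets a Stripped-User-Name, so a module keyed only on that attribute would reject users who log in without the domain.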


Re: FreeRadius with radiusclient-ng and Cisco h323 VoIP attributes

2009-01-07 Thread Dean Elwood

Hi Luciano,

Many thanks for the reply.

Yes, it was a client-side error (now fixed, see below).

I removed the empty lines between VENDOR and the first attributes and  
that didn't make any difference.


The Cisco attributes were added by me creating a dictionary.cisco file  
which I then included in the main dictionary with the $INCLUDE  
directive.


As for testing, I was just using the radiusclient-ng at command line  
and manually trying to enter an AUTH packet with the Cisco attributes.


But it's now working fine. If anyone else stumbles upon this thread  
after having problems with using a RADIUS based SIPPY B2BUA with  
FreeRadius, the fix is:-


1. After installing the radiusclient-ng client application, edit the  
radiusclient-ng.conf file and tell it to use the SIPPY dictionary  
(which is probably in /usr/src/sippy/). Don't use the radiusclient-ng  
library (that's why mine wasn't working at first).


2. Edit the SIPPY dictionary file and add the following entries, or  
alternatively put these in to a new file and include them in the main  
dictionary with the $INCLUDE directive:-


VENDOR      Cisco                   9
ATTRIBUTE   Cisco-AVPair            1   string  Cisco
ATTRIBUTE   h323-remote-address     23  string  Cisco
ATTRIBUTE   h323-conf-id            24  string  Cisco
ATTRIBUTE   h323-setup-time         25  string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-call-type          27  string  Cisco
ATTRIBUTE   h323-connect-time       28  string  Cisco
ATTRIBUTE   h323-disconnect-time    29  string  Cisco
ATTRIBUTE   h323-disconnect-cause   30  string  Cisco
ATTRIBUTE   h323-voice-quality      31  string  Cisco
ATTRIBUTE   h323-ivr-out            32  string  Cisco
ATTRIBUTE   h323-credit-time        102 string  Cisco
ATTRIBUTE   h323-return-code        103 string  Cisco
ATTRIBUTE   h323-redirect-number    106 string  Cisco
ATTRIBUTE   h323-preferred-lang     107 string  Cisco
ATTRIBUTE   h323-billing-model      109 string  Cisco
ATTRIBUTE   h323-currency           110 string  Cisco


Dean



On 6 Jan 2009, at 13:17, Luciano Afranllie wrote:


Dean,

Do you see that error on client side, right?

Some very stupid thing I can tell you is to remove the empty line between
the VENDOR line and the first attribute. I have the same config (without the
empty line) and it is working fine.

How and where did you add the cisco attributes? Just a tip, you can
create a new dictionary file (dictionary.cisco for example) and use an
include directive at the end of the default dictionary file of
radiusclient-ng

$INCLUDE dictionary.cisco

How are you testing this attribute?

Regards
Luciano

On Tue, Jan 6, 2009 at 8:58 AM, Dean Elwood dean.elw...@gmail.com  
wrote:

Hi there,

I'm having real trouble getting FreeRadius and radiusclient-ng to talk to
each other with Cisco h323 attributes.

I believe I have set up FreeRadius correctly. I can connect using
radiusclient-ng and do standard AUTH commands and all works fine.

As soon as I try to add an attribute like:-

h323-conf-id = '78FF6EBC 2F74D29E 4F400B22 8B4AA1C1'

I get this parse error from radiusclient-ng:-

: can't parse AV pair

I assumed that this meant that radiusclient-ng didn't recognise the
h323-conf-id attribute, so I included in the radiusclient-ng *client*
dictionary the following:-

VENDOR      Cisco                   9

ATTRIBUTE   Cisco-AVPair            1   string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-remote-address     23  string  Cisco
ATTRIBUTE   h323-conf-id            24  string  Cisco
ATTRIBUTE   h323-setup-time         25  string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
ATTRIBUTE   h323-call-type          27  string  Cisco
ATTRIBUTE   h323-connect-time       28  string  Cisco
ATTRIBUTE   h323-disconnect-time    29  string  Cisco
ATTRIBUTE   h323-disconnect-cause   30  string  Cisco
ATTRIBUTE   h323-voice-quality      31  string  Cisco
ATTRIBUTE   h323-gw-id              33  string  Cisco
ATTRIBUTE   h323-incoming-conf-id   35  string  Cisco

The client appears to be happy with this dictionary file (at least the
client runs and still does standard AUTH's ok), but I still get the parse
error on the h323 vars.

The fact that the parse error states an error parsing AV pair makes me
think that these attributes need to be formatted in a particular way. Could
that be it?

Any assistance or pointers in the right direction would be much
appreciated

Thanks,
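The dictionary format this thread revolves around, as an added example that is not code from the post, from radiusclient-ng or from Sippy: a parser for VENDOR/ATTRIBUTE lines that rejects entries whose fields have run together, and an encoder and decoder that put one Cisco string attribute on the wire as an RFC 2865 Vendor-Specific attribute (type 26, length, 4-byte vendor id, vendor type, vendor length, value). SAMPLE_DICTIONARY is constructed from the Cisco entries quoted in the thread; the function names and the 247-byte value limit derived from the 253-byte attribute payload are assumptions of this example.

```python
import re
import struct

# Added example, not code from the post, radiusclient-ng or Sippy: a parser
# for the VENDOR/ATTRIBUTE dictionary syntax, plus an encoder and decoder for
# one Cisco string attribute as an RFC 2865 Vendor-Specific attribute.
# SAMPLE_DICTIONARY and all function names are constructed here.

VSA_TYPE = 26           # RFC 2865 Vendor-Specific attribute number
MAX_VSA_VALUE = 247     # 253-byte payload minus 4 (vendor id) minus 2 (vendor type/len)

# Constructed sample; the numbers follow the Cisco entries quoted in the thread.
SAMPLE_DICTIONARY = """\
VENDOR      Cisco                   9
ATTRIBUTE   Cisco-AVPair            1   string  Cisco
ATTRIBUTE   h323-remote-address     23  string  Cisco
ATTRIBUTE   h323-conf-id            24  string  Cisco
ATTRIBUTE   h323-setup-time         25  string  Cisco
ATTRIBUTE   h323-call-origin        26  string  Cisco
"""


def parse_dictionary(text):
    """Return ({vendor: id}, {attribute: (vendor_id, number, type)}).

    A line whose fields have run together, e.g. 'ATTRIBUTE Cisco-AVPair1
    string Cisco', has the wrong field count or a non-numeric number and
    raises ValueError: the kind of defect that leaves a client unable to
    parse AV pairs.  An ATTRIBUTE naming an undeclared vendor also fails."""
    vendors, attrs = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        try:
            if f[0] == "VENDOR" and len(f) == 3:
                vendors[f[1]] = int(f[2])
            elif f[0] == "ATTRIBUTE" and len(f) in (4, 5):
                vendor_id = vendors[f[4]] if len(f) == 5 else None
                attrs[f[1]] = (vendor_id, int(f[2]), f[3])
            else:
                raise ValueError("unknown keyword or wrong field count")
        except (ValueError, KeyError) as exc:
            raise ValueError(f"dictionary line {lineno} ({line!r}): {exc}") from None
    return vendors, attrs


def dictionary_is_valid(text):
    """True when every non-comment line parses."""
    try:
        parse_dictionary(text)
        return True
    except ValueError:
        return False


AV_PAIR_RE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")


def parse_av_pair(text):
    """Split "name = 'value'" (quotes optional) into (name, value)."""
    m = AV_PAIR_RE.match(text)
    if not m:
        raise ValueError(f"can't parse AV pair: {text!r}")
    name, value = m.group(1), m.group(2)
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    return name, value


def encode_av_pair(attrs, text):
    """Encode a string-typed vendor attribute as one VSA: type 26, length,
    4-byte vendor id, then vendor type, vendor length and the value."""
    name, value = parse_av_pair(text)
    if name not in attrs:
        raise ValueError(f"can't parse AV pair: unknown attribute {name!r}")
    vendor_id, number, atype = attrs[name]
    if vendor_id is None or atype != "string":
        raise ValueError(f"{name} is not a string vendor attribute")
    data = value.encode()
    if len(data) > MAX_VSA_VALUE:
        raise ValueError(f"{name}: value of {len(data)} bytes does not fit one VSA")
    body = struct.pack("!IBB", vendor_id, number, 2 + len(data)) + data
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_vsa(attrs, packet):
    """Inverse of encode_av_pair for a single well-formed VSA."""
    if len(packet) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, alen, vendor_id, number, vlen = struct.unpack("!BBIBB", packet[:8])
    if atype != VSA_TYPE or alen != len(packet) or vlen != alen - 6:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    value = packet[8:].decode()
    for name, (vid, num, _) in attrs.items():
        if vid == vendor_id and num == number:
            return name, value
    raise ValueError(f"unknown vendor attribute {vendor_id}/{number}")
```

Running dictionary_is_valid over a dictionary before pointing a client at it catches the collapsed-whitespace entries that a copy-and-paste produces; decode_vsa checks both length fields, which is the check a receiver needs before trusting the vendor data in an attribute.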


Re: Freeradius process dies with some (bad?!) EAP requests

2009-01-07 Thread Alan DeKok
Alexander Clouter wrote:
From what I can remember, I think the segfault for us was in the GNU 
 regexp library itself.

  Yes.  glibc was segfaulting on internal functions.  The only solution
is to upgrade glibc to a version that works.

  Alan DeKok.


R: NAS-Identifier and radgroupcheck table

2009-01-07 Thread Arrigo Savio
Hi. I found your tutorial and followed it. It is exactly what I need.
Thanks a lot.

Arrigo.
 
-Original Message-
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On
behalf of a.l.m.bu...@lboro.ac.uk
Sent: Monday 5 January 2009 18.20
To: FreeRadius users mailing list
Subject: Re: NAS-Identifier and radgroupcheck table

Hi,
 I recently posted a howto explaining how to implement huntgroups in SQL  
 using unlang in 2.x, look in the mail archives. It also illustrates how  
 to use the SQL huntgroups to control logon access based on the NAS.  
 Perhaps I should put this on the wiki.

certainly! things posted to this mailing list tend to lurk into
the darkest depths after just a short time. I know why! imagine joining
this list then attempting to trawl through hundreds of historical
messages that have been thread hijacked etc so the subject title
doesn't match, the thread doesn't match etc.  we just need a web-version
of something like spotlight/beagle that works on the ML posts. mm.

alan




Re: Digest authentication and perl authorization

2009-01-07 Thread Alan DeKok
Luciano Afranllie wrote:
 Now, I have a stupid question. When I do digest authentication with
 this config, digest module set Auth-Type = Digest but I am overriding
 it with Auth-Type = Accept in perl module. How do I set Auth-Type in
 perl only if it is not already set? What is the value for a not-set
 attribute in perl?

  The Auth-Type attribute is in the RAD_CHECK hash.  Just look for it
using normal Perl code.

  Alan DeKok


R: NAS-Identifier and radgroupcheck table

2009-01-07 Thread Arrigo Savio
MMM... Not so easy...

I made other tests, but I had a wrong profile on user table. I corrected the
profile and I still have my problem.
At the moment I can classify users belonging to a group, and all is OK. The
problem is for users that don't belong to any group. They are still
authenticated (I read that this is the expected behaviour).
I'd like to send by default an Access-Reject reply to everybody, sending the
Access-Accept only to grouped ones.

Is it possible to modify the default answer of freeradius?

Thanks. Arrigo



-Original Message-
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On
behalf of Arrigo Savio
Sent: Wednesday 7 January 2009 11.01
To: 'FreeRadius users mailing list'
Subject: R: NAS-Identifier and radgroupcheck table

Hi. I found your tutorial and followed it. It is exactly what I need.
Thanks a lot.

Arrigo.
 
-Original Message-
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On
behalf of a.l.m.bu...@lboro.ac.uk
Sent: Monday 5 January 2009 18.20
To: FreeRadius users mailing list
Subject: Re: NAS-Identifier and radgroupcheck table

Hi,
 I recently posted a howto explaining how to implement huntgroups in SQL  
 using unlang in 2.x, look in the mail archives. It also illustrates how  
 to use the SQL huntgroups to control logon access based on the NAS.  
 Perhaps I should put this on the wiki.

certainly! things posted to this mailing list tend to lurk into
the darkest depths after just a short time. I know why! imagine joining
this list then attempting to trawl through hundreds of historical
messages that have been thread hijacked etc so the subject title
doesn't match, the thread doesn't match etc.  we just need a web-version
of something like spotlight/beagle that works on the ML posts. mm.

alan






Re: R: NAS-Identifier and radgroupcheck table

2009-01-07 Thread tnt
MMM... Not so easy...

I made other tests, but I had a wrong profile on user table. I corrected the
profile and I still have my problem.
At the moment I can classify users belonging to a group, and all is OK. The
problem is for users that don't belong to any group. They are still
authenticated (I read that this is the expected behaviour).
I'd like to send by default an Access-Reject reply to everybody, sending the
Access-Accept only to grouped one.


Put DEFAULT   Auth-Type := Reject in users file. Add Auth-Type Accept
with := as op in radgroupcheck for each group.

Ivan Kalik
Kalik Informatika ISP



Re: Framed-IP-Address override NAS pool?

2009-01-07 Thread tnt
I now want to assign a few users different, static IPs using this:

testuser   Service-Type == Framed-User
   Framed-Protocol == PPP,
   Framed-IP-Address = 192.168.1.2,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Compression = Van-Jacobson-TCP-IP

This sort of thing used to work fine with Cisco dialup NAS's and Cistron,
even though the NAS had no pool using that IP range in its config...radius
just forced it to override the default pool, but in this case, it just
keeps assigning an IP from the NAS pool (and yes, I have the above
statement ABOVE the DEFAULT statement).


Is Framed-IP-Address in the Access-Accept packet? You should probably
return Service-Type as well. If attribute is not in the accept packet
post the debug.

Ivan Kalik
Kalik Informatika ISP



R: R: NAS-Identifier and radgroupcheck table

2009-01-07 Thread Arrigo Savio
I followed your suggestion, but I still have the problem. I put
DEFAULT
   Auth-Type := Reject 
at the bottom of users file. 

I have a MySQL database containing users, not a file: could this be a problem?


Arrigo


-Original Message-
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On
behalf of t...@kalik.net
Sent: Wednesday 7 January 2009 12.24
To: FreeRadius users mailing list
Subject: Re: R: NAS-Identifier and radgroupcheck table

MMM... Not so easy...

I made other tests, but I had a wrong profile on user table. I corrected
the
profile and I still have my problem.
At the moment I can classify users belonging to a group, and all is OK. The
problem is for users that don't belong to any group. They are still
authenticated (I read that this is the expected behaviour).
I'd like to send by default an Access-Reject reply to everybody, sending
the
Access-Accept only to grouped one.


Put DEFAULT   Auth-Type := Reject in users file. Add Auth-Type Accept
with := as op in radgroupcheck for each group.

Ivan Kalik
Kalik Informatika ISP





Re: R: R: NAS-Identifier and radgroupcheck table

2009-01-07 Thread tnt
I followed your suggestion, but I still have the problem. I put
DEFAULT
   Auth-Type := Reject 
at the bottom of users file. 


It should be on the same line:

DEFAULT   Auth-Type := Reject

And it should go to the front of the users file.

Ivan Kalik
Kalik Informatika ISP



rlm_perl - dbi - freetds works on radiusd -X but fails to sql connect in background

2009-01-07 Thread nes pa
I've changed the example.pl perl script so it does 'use DBI;' to query a Sybase
server via freetds.
It works fine when running in the foreground (radiusd -X) while testing.
However, if run in the background, the perl script gets triggered, but the DBI
connect fails:

my $dbh = DBI->connect("dbi:Sybase:server=*", $user, $passwd,
                       { PrintError => 0 });

Error: rlm_perl: perl_embed:: module = /etc/raddb/myperlscript.pm , func =
authenticate exit status= Unable for connect to server OpenClient message:
LAYER = (0) ORIGIN = (0) SEVERITY = (78) NUMBER = (41) Server **,
database  Message String: Server is unavailable or does not exist.

* Tethereal shows that there is no network activity towards the Sybase
server.
* At first I guessed using user radiusd instead of root would sabotage
access to /etc/freetds.conf and/or freetds libraries, but changing
radiusd.conf so it keeps root privileges didn't help.
* I've been checking environment parameters between foreground and
background, but could not find a discriminator.
* Assuming some chroot'ing gets done by radiusd I have moved freetds.conf
inside /etc/raddb ( and /etc/raddb/etc ) to no avail.
* I have run strace -f -p pid in the hope of seeing what the perl script tries
to do when invoked by a radius request, but I only see it writing the error
to the /var/log/radius/radius.log
* Changed the hostname to the IP address in /etc/freetds.conf to avoid
failing name resolution.

Any hints welcome for a solution or better tools to debug/strace into the perl
script.

R: R: R: NAS-Identifier and radgroupcheck table

2009-01-07 Thread Arrigo Savio
You're right: putting the parameter in the first lines of the file
everything is OK (and now I'm sure of that).

Thanks.
Arrigo

-Original Message-
From: freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org
[mailto:freeradius-users-bounces+a.savio=bascom...@lists.freeradius.org] On
behalf of t...@kalik.net
Sent: Wednesday 7 January 2009 12.52
To: FreeRadius users mailing list
Subject: Re: R: R: NAS-Identifier and radgroupcheck table

I followed your suggestion, but I still have the problem. I put
DEFAULT
   Auth-Type := Reject 
at the bottom of users file. 


It should be on the same line:

DEFAULT   Auth-Type := Reject

And it should go to the front of the users file.

Ivan Kalik
Kalik Informatika ISP





Using checkval for Call Routing with Sippy B2BUA

2009-01-07 Thread Tobias Wolf

Hello,

I am using FreeRadius 1.1.3 and want to use it for Call Routing.

The Sippy B2BUA will send AAA Requests to RADIUS and I want the routing 
based on the Called-Station-Id Attribute.


For the beginning I would like to configure the routes in the users file 
and later switch to an SQL backend.


This is my users-File:

b2b   Called-Station-Id == 555, Called-Station-Id == 557, Auth-Type := Accept
      h323-ivr-in = 'Routing:12...@192.168.1.1;expires=30;Codecs:alaw,g.726'


b2b   Called-Station-Id == 556, Called-Station-Id == 558, Auth-Type := Accept
      h323-ivr-in = 'Routing:12...@192.168.1.2;expires=30;Codecs:alaw,g.726'


The Calls will always come from the same user and the called number will 
have to decide what SIP Server to use.


If I have only one Called-Station-Id in the check pairs line, I get the 
Access-Accept with the reply data.


But since one route can have a lot of numbers I need to be able to have 
several Called-Station-Id entries. From the description of the checkval 
attribute it appeared to me the correct solution.


Apart from this the different number ranges are connected to different 
end users, which I have to find. This will be an accounting issue.


How can this be solved with Freeradius ?

The real user is not known when the INVITE reaches Sippy. Sippy sends 
the request to Freeradius with a lot of information, from which 
Called-Station-Id will indicate what SIP Server to use and what End User 
is associated with the call.


Just want to clarify the whole procedure:
I have several incoming SIP Servers, which send SIP calls to Sippy. 
Each SIP Server will control a certain number range and will send its 
servername as Username. The SIP Servers have no information about which 
number belongs to which end user, they forward all calls to Sippy.


The Radius Server will have the information what numbers are associated 
with a certain end user and to which SIP server a call has to be sent.


The Authorize Request from Sippy should confirm whether the destination 
number is valid (is configured for an end user) and replies with the 
correct SIP server to use and with a special codec list for the call. If 
the number is not configured, an Access-Reject is sent and the call is 
aborted.


I hope I made myself clear ;)

Kind regards,

--

  Tobias Wolf




Re: rlm_perl - dbi - freetds works on radiusd -X but fails to sql connect in background

2009-01-07 Thread A . L . M . Buxey
hi,

do you have eg SELINUX running on this system? if so,
then it may be blocking access between the processes.
check your selinux log (or change the mode to permissive
and check logs!) and then edit the selinux config to allow
operation

alan


Re: Using checkval for Call Routing with Sippy B2BUA

2009-01-07 Thread tnt
I am using FreeRadius 1.1.3 and want to use it for Call Routing.

For the beginning I would like to configure the routes in the users file
and later switch to an SQL backend.

b2b Called-Station-Id == 555,Called-Station-Id == 557,Auth-Type := Accept

With that version you won't be able to use sql/unlang workaround for
huntgroups. You will have to use huntgroups file or upgrade.

b2b Huntgroup-Name == hg1, Auth-Type := Accept
 etc.

And in huntgroups file:

hg1   Called-Station-Id == 555
hg1   Called-Station-Id == 557

Ivan Kalik
Kalik Informatika ISP
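Tobias's original entry and Ivan's huntgroups answer above, worked through as an added example that is not code from either post or from FreeRADIUS: a small model of how users-file entries are evaluated (check items on one line are ANDed, the first matching entry wins when no Fall-Through is set), with a huntgroups file supplying the OR across several Called-Station-Id values that one check line cannot express. HUNTGROUPS, USERS and NAIVE_USERS are constructed from the thread's values with the routing number replaced by a placeholder; the function names are assumptions of this example.

```python
import re

# Added example, not code from the post or from FreeRADIUS: a model of how the
# files module evaluates users-file entries, with huntgroups supplying the OR
# across numbers that one check line cannot express.  HUNTGROUPS, USERS,
# NAIVE_USERS, the routing strings and the function names are constructed.

# Constructed huntgroups file: lines sharing a name form one group, and a
# request belongs to it when any one of those lines matches.
HUNTGROUPS = """\
hg1   Called-Station-Id == 555
hg1   Called-Station-Id == 557
hg2   Called-Station-Id == 556
hg2   Called-Station-Id == 558
"""

# Constructed users file.  Check items on the first line are ANDed; reply
# items on the indented lines are returned on a match.  The Routing target
# is a placeholder, not a real number.
USERS = """\
b2b   Huntgroup-Name == hg1, Auth-Type := Accept
      h323-ivr-in = "Routing:PLACEHOLDER@192.168.1.1;expires=30;Codecs:alaw,g.726"

b2b   Huntgroup-Name == hg2, Auth-Type := Accept
      h323-ivr-in = "Routing:PLACEHOLDER@192.168.1.2;expires=30;Codecs:alaw,g.726"
"""

# The entry from the question: two '==' checks on the same attribute can never
# both hold for a request carrying a single Called-Station-Id.
NAIVE_USERS = """\
b2b   Called-Station-Id == 555, Called-Station-Id == 557, Auth-Type := Accept
      h323-ivr-in = "Routing:PLACEHOLDER@192.168.1.1;expires=30;Codecs:alaw,g.726"
"""

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|\'[^\']*\'|[^,]+?)\s*(?:,|$)')


def parse_items(text):
    """'attr op value, attr op value' -> [(attr, op, value)], quotes removed."""
    items = []
    for m in ITEM_RE.finditer(text):
        value = m.group(3)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        items.append((m.group(1), m.group(2), value))
    return items


def load_entries(text):
    """Parse users/huntgroups-style text into [(name, check_items, reply_items)]."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
        elif raw[0].isspace():              # continuation line: reply items
            current[2].extend(parse_items(raw))
        else:                               # new entry: name then check items
            name, _, rest = raw.partition(" ")
            current = (name, parse_items(rest), [])
            entries.append(current)
    return entries


def check_matches(check_items, request):
    """All '==' items must hold (AND); ':=' items are control settings."""
    return all(request.get(attr) == value
               for attr, op, value in check_items if op == "==")


def request_in_huntgroup(huntgroups, name, request):
    """OR across the huntgroups lines that share this name."""
    return any(check_matches(items, request)
               for hg, items, _ in huntgroups if hg == name)


def authorize(users, huntgroups, request):
    """First entry whose name and check items match wins (no Fall-Through).
    Returns (control_items, reply_items), or None when nothing matched."""
    for name, check, reply in users:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        req = dict(request)
        for attr, op, value in check:
            if attr == "Huntgroup-Name" and op == "==" and \
                    request_in_huntgroup(huntgroups, value, request):
                req["Huntgroup-Name"] = value
        if check_matches(check, req):
            control = {a: v for a, op, v in check if op == ":="}
            return control, {a: v for a, _, v in reply}
    return None
```

A request for 557 lands in hg1 and gets the 192.168.1.1 route, 558 gets 192.168.1.2, and an unconfigured number matches nothing, which is the Access-Reject Tobias wants; the same request against NAIVE_USERS matches nothing even for 555, because the two equality checks on one line must both hold.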



Re: rlm_perl - dbi - freetds works on radiusd -X but fails to sql connect in background

2009-01-07 Thread nes pa
selinux was the culprit,
thank you very much!


On Wed, Jan 7, 2009 at 2:22 PM, nes pa nesp...@gmail.com wrote:

 I've changed the example.pl perl script so it 'use DBI;' to query a Sybase
 server via freetds.

 Any hints welcome for solution or better tools to debug/strace into the
 perl script.








Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread John Dennis

Alan DeKok wrote:

  I suggest upgrading.  It's not hard to build an RPM of the latest
version of the server.
  

Information on this wiki page will be helpful to you:

http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis jden...@redhat.com



Re: NAS-Identifier and radgroupcheck table

2009-01-07 Thread John Dennis

a.l.m.bu...@lboro.ac.uk wrote:

Hi,
  
I recently posted a howto explaining how to implement huntgroups in SQL  
using unlang in 2.x, look in the mail archives. It also illustrates how  
to use the SQL huntgroups to control logon access based on the NAS.  
Perhaps I should put this on the wiki.



certainly! things posted to this mailing list tend to lurk into
the darkest depths after just a short time. I know why! imagine joining
this list then attempting to trawl through hundreds of historical
messages that have been thread hijacked etc so the subject title
doesn't match, the thread doesn't match etc.  we just need a web-version
of something like spotlight/beagle that works on the ML posts. mm.

  
I have updated the FreeRADIUS Wiki with a new howto describing how to 
implement huntgroups in SQL. You can find the page here:


http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

--
John Dennis jden...@redhat.com


EAP-TLS

2009-01-07 Thread Brian Ertel
Hi,

I've modified the eap.conf, clients.conf, and users respectively but am getting 
the below error when starting radius:


Module: Loaded eap 
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: No EAP type configured, module cannot do anything.
radiusd.conf[10]: eap: Module instantiation failed. 
radiusd.conf[1939] Unknown module eap.
radiusd.conf[1886] Failed to parse authenticate section. 

The following are the configs I made.  Please let me know if you see anything 
that needs to change just to get radius to start.

eap.conf
 
default_eap_type =tls
 tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
 certificate_file = ${raddbdir}/certs/cert-srv.pem

#  Trusted Root CA list
CA_file = ${raddbdir}/certs/demoCA/cacert.pem

dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random

clients.conf

client 148.85.0.0/16 {
#
#  The shared secret use to encrypt and sign packets between
#  the NAS and FreeRADIUS.  You MUST change this secret from the
#  default, otherwise it's not a secret any more!
#
#  The secret can be any string, up to 31 characters in length.
#
secret  = XXX

#
#  The short name is used as an alias for the fully qualified
#  domain name, or the IP address.
#
shortname   = WAPS

users

DEFAULT Auth-Type :=EAP
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-ID = 300,

Thanks,

Brian

Re: EAP-TLS

2009-01-07 Thread Alan DeKok
Brian Ertel wrote:
 I've modified the eap.conf, clients.conf, and users respectively but am
 getting the below error when starting radius:

  You have edited *too much*.

 
 Module: Loaded eap
  eap: default_eap_type = tls
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
 rlm_eap: No EAP type configured, module cannot do anything.

  Because you deleted almost everything from the eap.conf file.  Why?

 The following are the configs I made.  Please let me know if you see
 anything that needs to change just to get radius to start.
 
 eap.conf
 
 default_eap_type =tls
  tls {

  This is wrong.  See the *default* eap.conf for why.

 DEFAULT Auth-Type :=EAP

  The text you deleted in eap.conf says that you should NOT set Auth-Type.

  Start with the default eap.conf, and make MINOR edits.  Read man
radiusd.conf to see how the configuration file syntax works.

  Alan DeKok.


Re: Framed-IP-Address override NAS pool?

2009-01-07 Thread up

On Wed, 7 Jan 2009, t...@kalik.net wrote:


I now want to assign a few users different, static IPs using this:

testuserService-Type == Framed-User
Framed-Protocol == PPP,
Framed-IP-Address = 192.168.1.2,
Framed-IP-Netmask = 255.255.255.0,
Framed-Compression = Van-Jacobson-TCP-IP

This sort of thing used to work fine with Cisco dialup NAS's and Cistron,
even though the NAS had no pool using that IP range in its config...radius
just forced it to override the default pool, but in this case, it just
keeps assigning an IP from the NAS pool (and yes, I have the above
statement ABOVE the DEFAULT statement).



Is Framed-IP-Address in the Access-Accept packet? You should probably
return Service-Type as well. If attribute is not in the accept packet
post the debug.


It appears to be.  From debug, after Login OK:

+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 192.168.1.2 (The address I want)
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 195 with timestamp +79
Ready to process requests.

However, that is not the IP that my client shows...it shows 192.168.0.2, 
which is from the pool defined in the Cisco router's config.  It seems to 
be overriding the radius users' config.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


RE: Framed-IP-Address override NAS pool?

2009-01-07 Thread Jeff Crowe

 I now want to assign a few users different, static IPs using this:

 testuser Service-Type == Framed-User
  Framed-Protocol == PPP,
  Framed-IP-Address = 192.168.1.2,
  Framed-IP-Netmask = 255.255.255.0,
  Framed-Compression = Van-Jacobson-TCP-IP

 This sort of thing used to work fine with Cisco dialup NAS's and Cistron,
 even though the NAS had no pool using that IP range in its
config...radius
 just forced it to override the default pool, but in this case, it just
 keeps assigning an IP from the NAS pool (and yes, I have the above
 statement ABOVE the DEFAULT statement).


 Is Framed-IP-Address in the Access-Accept packet? You should probably
 return Service-Type as well. If attribute is not in the accept packet
 post the debug.

It appears to be.  From debug, after Login OK:

+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 192.168.1.2 (The address I want)
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 195 with timestamp +79
Ready to process requests.

However, that is not the IP that my client shows...it shows 192.168.0.2, 
which is from the pool defined in the Cisco router's config.  It seems to 
be overriding the radius users' config.

--

Hi James

I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range.  My Shasta was completely different and would allow
any IP address to be returned via radius and it would allow the IP to be
used.

Cheers,
Jeff,







RE: Framed-IP-Address override NAS pool?

2009-01-07 Thread up

On Wed, 7 Jan 2009, Jeff Crowe wrote:


I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range.  My Shasta was completely different and would allow
any IP address to be returned via radius and it would allow the IP to be
used.


Ok, I just tried assigning a secondary IP from that subnet to faste0/0, 
since I can't assign secondary IPs to the VirtualTemplate I/F, since it's 
IP unnumbered eth0/0.  No go.  What I would expect from the Cisco, judging 
from my past experience with AS5200s, is for it to allow radius to assign 
whatever address it wants, but simply not route it until I fix that part 
of it, which is fine.


One fix I would think would start to work would be to simply add this new 
subnet to the pool on the Cisco.  However, then the DEFAULT users would 
start to assign from that pool as well, unless I figure out a way to force 
it to assign from the first subnet.  If there's a way to force that, I'd 
appreciate pointers.  I saw the ippool option, but I'm not clear how 
that co-exists with the pool already configured on the Cisco.  Perhaps you 
need both, it's just not clear to me.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=


ippools; wasRE: Framed-IP-Address override NAS pool?

2009-01-07 Thread up


Sorry for the top-post, but I'm replying to myself and I want to keep my 
questions clear.  I tried creating two different ippools in the 
radiusd.conf using the different ranges I want to use, but the client 
ignored it and went only to the pool that the Cisco has.  I then changed 
the Cisco pool to include the entire range of IPs from both pools, but it 
still doesn't seem to recognize the FreeRadius pools, and defaults to 
whatever the first IP is in the Cisco pool.


I find the examples given in the radiusd.conf a little incomplete, but 
this is what I tried (IPs given are just examples)


ippool users_pool {
range-start = 172.16.1.2
range-stop = 172.16.30.253
netmask = 255.255.255.0
cache-size = 251
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = yes
}

ippool admin_pool {
range-start = 172.16.30.2
range-stop = 172.16.30.253
netmask = 255.255.255.0
cache-size = 251
session-db = ${db_dir}/db.ippool
ip-index = ${db_dir}/db.ipindex
override = yes
}

The above seems to be clear from the example...but the example for the 
raddb/users file is incomplete...here is what I tried:


testuserService-Type == Framed-User
Group == users, Pool-Name :=users_pool,
Framed-Protocol == PPP,
Framed-IP-Address = 172.16.1.2,
Framed-IP-Netmask = 255.255.255.0,
Framed-Compression = Van-Jacobson-TCP-IP

I'm a little unclear about the Group attribute above, and whether it 
pertains to unix groups at all, which I haven't done anything to yet.  In 
any case, any pointers on how to make different users use different IP 
pools would be greatly appreciated.


On Wed, 7 Jan 2009, u...@3.am wrote:


On Wed, 7 Jan 2009, Jeff Crowe wrote:


I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range.  My Shasta was completely different and would allow
any IP address to be returned via radius and it would allow the IP to be
used.


Ok, I just tried assigning a secondary IP from that subnet to faste0/0, since 
I can't assign secondary IPs to the VirtualTemplate I/F, since it's IP 
unnumbered eth0/0.  No go.  What I would expect from the Cisco, judging from 
my past experience with AS5200s, is for it to allow radius to assign whatever 
address it wants, but simply not route it until I fix that part of it, which 
is fine.


One fix I would think would start to work would be to simply add this new 
subnet to the pool on the Cisco.  However, then the DEFAULT users would start 
to assign from that pool as well, unless I figure out a way to force it to 
assign from the first subnet.  If there's a way to force that, I'd appreciate 
pointers.  I saw the ippool option, but I'm not clear how that co-exists 
with the pool already configured on the Cisco.  Perhaps you need both, it's 
just not clear to me.


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ippools; was RE: Framed-IP-Address override NAS pool?

2009-01-07 Thread tnt
 ippool users_pool {
 range-start = 172.16.1.2
 range-stop = 172.16.30.253
 netmask = 255.255.255.0
 cache-size = 251
 session-db = ${db_dir}/db.ippool
 ip-index = ${db_dir}/db.ipindex
 override = yes
 }

 ippool admin_pool {
 range-start = 172.16.30.2
 range-stop = 172.16.30.253
 netmask = 255.255.255.0
 cache-size = 251
 session-db = ${db_dir}/db.ippool
 ip-index = ${db_dir}/db.ipindex
 override = yes
 }


Change override to no. You don't want the pool to override static IP
addresses.

The above seems to be clear from the example...but the example for the
raddb/users file is incomplete...here is what I tried:

testuser   Service-Type == Framed-User
   Group == users, Pool-Name :=users_pool,
   Framed-Protocol == PPP,
   Framed-IP-Address = 172.16.1.2,
   Framed-IP-Netmask = 255.255.255.0,
   Framed-Compression = Van-Jacobson-TCP-IP


Group and Pool-Name should be on the first line. There should be
attribute Service-Type = Framed-User in the reply as well.

I'm a little unclear about the Group attribute above, and whether it
pertains to unix groups at all, which I haven't done anything to yet.  In
any case, any pointers on how to make different users use different IP
pools would be greatly appreciated.


Yes, Group is the attribute for unix groups.

Tip: use netmask 255.255.255.255 for point to point connections. They
don't need network, gateway or broadcast addresses.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
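As an added example (my own code, not from the thread and not part of FreeRADIUS), here is a small Python checker run over the two ippool blocks posted above. It parses the blocks, reports that the range 172.16.30.2 to 172.16.30.253 is covered by both pools (which is why a client can land in either), flags override = yes as Ivan's reply recommends against, and notes that both pools point at the same session-db and ip-index files; the sample text is the thread's own configuration embedded inline, and the warning wording is mine.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# The two ippool blocks from the thread, embedded here as the sample input.
SAMPLE_RADIUSD_CONF = """
ippool users_pool {
    range-start = 172.16.1.2
    range-stop = 172.16.30.253
    netmask = 255.255.255.0
    cache-size = 251
    session-db = ${db_dir}/db.ippool
    ip-index = ${db_dir}/db.ipindex
    override = yes
}

ippool admin_pool {
    range-start = 172.16.30.2
    range-stop = 172.16.30.253
    netmask = 255.255.255.0
    cache-size = 251
    session-db = ${db_dir}/db.ippool
    ip-index = ${db_dir}/db.ipindex
    override = yes
}
"""

Pool = Dict[str, str]


def parse_ippools(text: str) -> Dict[str, Pool]:
    """Line-based parse of 'ippool NAME { key = value ... }' blocks.
    Line-based on purpose: values such as ${db_dir} contain braces, so a
    regex over the whole block would stop at the wrong '}'."""
    pools: Dict[str, Pool] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^ippool\s+(\S+)\s*\{$", line)
        if m:
            current = m.group(1)
            pools[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            pools[current][key.strip()] = value.strip()
    return pools


def pool_range(pool: Pool) -> Tuple[int, int]:
    """Inclusive (start, stop) as integers so ranges can be compared."""
    start = int(ipaddress.IPv4Address(pool["range-start"]))
    stop = int(ipaddress.IPv4Address(pool["range-stop"]))
    if stop < start:
        raise ValueError("range-stop is below range-start")
    return start, stop


def pool_size(pool: Pool) -> int:
    start, stop = pool_range(pool)
    return stop - start + 1


def overlapping_pools(pools: Dict[str, Pool]) -> List[Tuple[str, str, int]]:
    """Every pair of pools whose address ranges intersect, with the overlap size."""
    names = sorted(pools)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            s1, e1 = pool_range(pools[a])
            s2, e2 = pool_range(pools[b])
            lo, hi = max(s1, s2), min(e1, e2)
            if lo <= hi:
                found.append((a, b, hi - lo + 1))
    return found


def lint_ippools(pools: Dict[str, Pool]) -> List[str]:
    problems = []
    for name, pool in pools.items():
        if pool.get("override", "no").lower() == "yes":
            problems.append(f"{name}: override = yes lets the pool replace a static "
                            f"Framed-IP-Address; set override = no")
    for a, b, n in overlapping_pools(pools):
        problems.append(f"{a} and {b} overlap on {n} addresses; a user in either group "
                        f"may be handed an address from the other pool's range")
    by_db: Dict[str, List[str]] = {}
    for name, pool in pools.items():
        by_db.setdefault(pool.get("session-db", ""), []).append(name)
    for db, names in by_db.items():
        if len(names) > 1:
            problems.append(f"{', '.join(names)} share session-db {db}; give each pool "
                            f"its own session-db and ip-index files")
    return problems


if __name__ == "__main__":
    for problem in lint_ippools(parse_ippools(SAMPLE_RADIUSD_CONF)):
        print("WARNING:", problem)
```

Run as-is it prints one warning per pool for override, one for the 252-address overlap between the pools, and one for the shared gdbm files. Fixing the overlap (for example ending users_pool at 172.16.29.253) is what makes "different users use different IP pools" well defined in the first place.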


Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread Josh Hiner

Alan DeKok wrote:

Josh Hiner wrote:
  

Trying to configure eap ttls with mschapv2 using Freeradius version
Version 1.1.3 in Redhat enterprise Linux 5.



  I suggest upgrading.  It's not hard to build an RPM of the latest
version of the server.

  Upgrading will get you a lot.
  

Ok I did upgrade, please see my post below =D.
  

I have configured everything and gotten free radius to authenticate off
/etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
run into is when I switch the securew2 windows xp eap-ttls client to use
the current logged on user credentials. Then, SecureW2 sends the
username in the format of DOMAIN/user (which in this case is HTN/josh).
Authentication then fails because of this extra domain part in the user.
Ok fine, I first enable the nt_domain_hack in the mschap module then I
configured realm ntdomain and simply set a default realm in proxy.conf
to strip off the domain part. Nope, that fails (output will be included
below). I also tried nostrip but that also fails obviously. Also tried
silently stripping the domain in pre-process in radiusd.conf. Auth is
successful but finally rejected because the user doesn't match the
original HTN/josh user sent.



  This is fixed in 2.x.  You can have different policies for inside the
TLS tunnel and outside of it.  This makes these configurations easier.
  

Ok I do see this now but am still getting the same error. Please see below.
  

Anyways, anyone know of how to get etc_smbpasswd module to work. I don't
want to use the users file (blech) even though it does work when I put
the user in there, and again, if I just supply the username and password
(and leave the domain part blank in SecureW2 ttls client) authentication
does work off /etc/samba/smbpasswd.



  Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
solution is hard in 1.1.3.  I don't even recall what feature set it has
(or is missing).

  Alan DeKok.
  
Ok, I have upgraded to Freeradius version 2.1.3 (following the 
suggestion above). I have configured and gotten everything to work 
except for the domain name stripping at the front of the username (e.g.: 
HTN/josh). If I don't supply the domain name, authentication succeeds 
perfectly. I am still getting the same error that I was with Freeradius 
version 1.3.1. I've configured a HTN realm to strip off the HTN part and 
in the debug, it appears to work as stripped-user=josh gets proxied 
back. Then authentication fails in the same way as it did before? It is 
mentioned above that there are 3-4 solutions which are trivial in 2.x. 
Since I have Freeradius basically running, could someone spare some of 
their valuable time with a pointer on stripping off the HTN part of the 
user so authentication will succeed? Thanks =D. Below is the part of my 
debug output from Freeradius showing the authentication failure. Once 
again, it works perfectly if I don't supply the domain name (I can then 
connect perfectly via eap-ttls with mschapv2). Hopefully I am close. I 
can supply more of my configs if needed.


Thanks -Josh

server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = HTN\josh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm HTN for User-Name = HTN\josh
[ntdomain] Found realm HTN
[ntdomain] Adding Stripped-User-Name = josh
[ntdomain] Adding Realm = HTN
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 1 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[etc_smbpasswd] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for josh with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
   MS-CHAP-Error = \001E=691 R=1
   EAP-Message = 0x04010004
   Message-Authenticator = 0x
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user HTN\josh
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Some help with etc_smbpasswd auth and eap ttls

2009-01-07 Thread Josh Hiner




  Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
solution is hard in 1.1.3.  I don't even recall what feature set it has
(or is missing).

  Alan DeKok.
  
Ok, I have upgraded to Freeradius version 2.1.3 (following the 
suggestion above). I have configured and gotten everything to work 
except for the domain name stripping at the front of the username (e.g.: 
HTN/josh). If I don't supply the domain name, authentication succeeds 
perfectly. I am still getting the same error that I was with 
Freeradius version 1.3.1. I've configured a HTN realm to strip off the 
HTN part and in the debug, it appears to work as stripped-user=josh 
gets proxied back. Then authentication fails in the same way as it 
did before? It is mentioned above that there are 3-4 solutions which 
are trivial in 2.x. Since I have Freeradius basically running, could 
someone spare some of their valuable time with a pointer on stripping 
off the HTN part of the user so authentication will succeed? Thanks 
=D. Below is the part of my debug output from Freeradius showing the 
authentication failure. Once again, it works perfectly if I don't 
supply the domain name (I can then connect perfectly via eap-ttls with 
mschapv2). Hopefully I am close. I can supply more of my configs if 
needed.


Thanks -Josh
Ok well once again, the answer was in the debug output. Since it was 
sending back Stripped-username instead of Username, I had to create a 
2nd smbpasswd module. In this module I mapped stripped-user instead of 
username. This worked. This does work. Is this a good and acceptable 
solution? I'd still be interested in hearing other solutions if there 
are any out there. Thanks again!


-Josh
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
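The failure in the debug output above and the fix Josh describes, as an added Python example (my own code, not from the thread, not FreeRADIUS and not its etc_smbpasswd module): the lookup is keyed on exactly the name it is given, so an instance keyed on User-Name never finds HTN\josh in a file whose entries are plain usernames, while one keyed on Stripped-User-Name (the value ntdomain adds) finds josh and can hand mschap the NT hash it needs. The smbpasswd lines, the account names and the 32-hex-digit hash values are constructed for this example; the `[D]` and `[N]` account flags are treated as "no usable NT hash", since MS-CHAPv2 cannot be completed without one.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample in /etc/samba/smbpasswd format (not taken from the thread).
# Fields: username:uid:LM_HASH:NT_HASH:[flags]:LCT-<last change time>:
# A hash field of 32 'X' characters means "no hash stored". The hex values are
# sample data for this example.
SAMPLE_SMBPASSWD = """\
# comment lines and blank lines are ignored
josh:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-495C0B80:

guest:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
olduser:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[DU         ]:LCT-495C0B80:
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass(frozen=True)
class SmbEntry:
    username: str
    uid: int
    lm_hash: Optional[bytes]  # None when the field is all X
    nt_hash: Optional[bytes]  # None when the field is all X
    flags: str                # letters from the [...] field, e.g. "U", "NU", "DU"

    @property
    def usable(self) -> bool:
        # D = account disabled, N = no password; neither can back MS-CHAPv2,
        # which needs a real NT hash to verify the client's response.
        return self.nt_hash is not None and "D" not in self.flags and "N" not in self.flags


def _hash_field(field: str) -> Optional[bytes]:
    return bytes.fromhex(field) if HEX32.match(field) else None


def parse_smbpasswd(text: str) -> Dict[str, SmbEntry]:
    entries: Dict[str, SmbEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 5:
            continue  # malformed line: skip rather than guess
        flags = parts[4].strip("[] ").replace(" ", "")
        entries[parts[0]] = SmbEntry(parts[0], int(parts[1]),
                                     _hash_field(parts[2]), _hash_field(parts[3]), flags)
    return entries


def ntdomain_split(user_name: str) -> Tuple[Optional[str], str]:
    """What the ntdomain realm does: DOMAIN\\user (or DOMAIN/user, as SecureW2
    sends it) becomes (Realm, Stripped-User-Name). No prefix: (None, user_name)."""
    for sep in ("\\", "/"):
        domain, found, user = user_name.partition(sep)
        if found and domain and user:
            return domain, user
    return None, user_name


def lookup_nt_password(entries: Dict[str, SmbEntry], name: str) -> Optional[bytes]:
    """One etc_smbpasswd-style lookup: the file is keyed on exactly the name given."""
    entry = entries.get(name)
    if entry is None or not entry.usable:
        return None
    return entry.nt_hash


def authorize(entries: Dict[str, SmbEntry], user_name: str) -> Dict[str, str]:
    """Mimic the inner-tunnel authorize flow from the debug output: ntdomain adds
    Stripped-User-Name and Realm, a first lookup keyed on User-Name fails for
    HTN\\josh, and a second lookup keyed on Stripped-User-Name succeeds."""
    realm, stripped = ntdomain_split(user_name)
    control = {"User-Name": user_name}
    if realm is not None:
        control["Stripped-User-Name"] = stripped
        control["Realm"] = realm
    nt_hash = lookup_nt_password(entries, user_name)           # keyed on User-Name
    if nt_hash is None and realm is not None:
        nt_hash = lookup_nt_password(entries, stripped)        # keyed on Stripped-User-Name
    if nt_hash is not None:
        control["NT-Password"] = nt_hash.hex()                 # what mschap needs
    return control


if __name__ == "__main__":
    db = parse_smbpasswd(SAMPLE_SMBPASSWD)
    for name in ("josh", "HTN\\josh", "HTN/josh", "HTN\\guest"):
        print(name, "->", authorize(db, name))
```

The second module instance in Josh's reply is exactly the second lookup here: nothing else changes, only which attribute supplies the key. Keeping the first instance keyed on User-Name means users who log in without a domain prefix still work, which matches what he reports.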


EAP-TLS without client authentication

2009-01-07 Thread Christopher Byrd
This may sound like a strange request, but I'd like to know if it is
possible to use FreeRADIUS to perform EAP-TLS without asking for a
client certificate.  The purpose is to allow for a secure connection
to an access point without client authentication.  I think this might
be useful to replace open wireless for public wireless access with
something more secure.

According to the EAP-TLS RFC (rfc2716), it sounds like it might be possible:
The certificate_request message is included when the server desires
the client to authenticate itself via public key. While the EAP server
SHOULD require client authentication, this is not a requirement, since
it may be possible that the server will require that the peer
authenticate via some other means.

I tried this with FreeRADIUS and eapol_test (from wpa_supplicant) with
the following result:

[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.

The only change I've made from the default eap.conf is to try
disabling the CA_file setting (I've tried it both ways).

Does it sound like this is something that should be possible, or am I off base?

Thanks!

Christopher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html