Re: 802.1x with freeradius + PEAP + 3com Switch

2009-02-06 Thread Laurent CARON

t...@kalik.net wrote:

That should be:

ldap ldap1 {
..
}

ldap ldap2 {
..
}

What I wrote should go in the authorize section instead of the ldap entry.



Hi,

Thanks a zillion times ;)

Laurent
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: command autho. is it possible?

2009-02-06 Thread tnt
>I have read a lot of manuals, examples and posts, but I still don't know
>what the solution is.
>
>I have the newest freeradius, and cisco devices (now an AP).
>
>I want user authentication to the cisco device by fr.
>It works.
>I configure the users file like this:
>
>test Cleartext-Password := "test"
>        Service-Type = NAS-Prompt-User,
>        cisco-avpair = "shell:priv-lvl=15"
>
>The user gets the level that I set.
>The enable level ( $enalXX$) works too.
>
>But I don't know how I can set the command authorization on the
>freeradius and cisco.

You can't.

Ivan Kalik
Kalik Informatika ISP



otp daemon for use with freeradius

2009-02-06 Thread Norbert Wegener

in otp.conf an otpd is mentioned for use with freeradius.
According to the licence the daemon can only be used with tokens from 
TRI-D Systems.

Is there another otpd around that is free?

Thanks
Norbert Wegener



PAP authentication and multiple LDAP userpassword attributes

2009-02-06 Thread Christophe Saillard

Hi,

I'm working on upgrading from FR 1.1.7 to FR 2.1.3.

I use FR for EAP-TTLS/PAP authentication with LDAP.

FR 1.1.7 successfully authenticates users with multiple LDAP userPassword 
attributes which are stored as crypt and/or MD5 hashes; the passwords 
are not the same (even if it's better if they are):


###
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat:  '(&(uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat:  'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter 
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)

rlm_ldap: Added password {MD5}x in check items
rlm_ldap: Added password {crypt}x in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "LDAP_OSIRIS" returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
  rad_check_password:  Found Auth-Type LDAP_OSIRIS
auth: type "LDAP_OSIRIS"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ 
to ldaps://ldapuds.u-strasbg.fr

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
###

Now with FR 2.1.3, it looks like only the first password attribute is used :

###
[...]
[ldap]  expand: 
(&(uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) -> 
(&(uid=mylogin)(udsradiusProfileWifi=*))
[ldap]  expand: ou=people,o=annuaire -> ou=people,o=annuaire 

rlm_ldap: ldap_get_conn: Checking Id: 0 

rlm_ldap: ldap_get_conn: Got Id: 0 

rlm_ldap: performing search in ou=people,o=annuaire, with filter 
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}x in check items 

[ldap] Added User-Password = {MD5}x in check items 

[ldap] looking for check items in directory... 


[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password "mycleartextpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
###

Is there a way to tell FR to try the other attributes?

My configuration is quite simple, here's my 
sites-enabled/proxy-inner-tunnel :


server proxy-inner-tunnel {

    authorize {
        eap
        ldap
        pap
    }

    authenticate {
        eap
        pap
    }

    post-proxy {
        eap
    }
}

And the pap module:

pap {
    auto_header = yes
}

Any clue ?

Thanks

--
---
Christophe Saillard
Université de Strasbourg
Direction Informatique
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
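
What the 1.1.7 log above does and the 2.1.3 log does not, written out in Python as an added example (this is not code from the post, from rlm_ldap or from rlm_pap): check the cleartext PAP password against every userPassword value the directory returned instead of stopping at the first one. The values in the sample entry are constructed for the example: the {crypt} string is made up and deliberately matches nothing, so it plays the part of the first, failing attribute in the 2.1.3 log; the {MD5} value is the RFC 2307 encoding of "password". The crypt module is optional (deprecated since Python 3.11, removed in 3.13), so a {crypt} value the interpreter cannot check is reported as unverifiable rather than as a mismatch, which keeps the walk going to the next attribute.

```python
"""Check a PAP cleartext password against every LDAP userPassword value.

Added example, not FreeRADIUS code.  It models the difference visible in
the two logs above: FR 1.1.7 tried each password attribute the directory
returned, FR 2.1.3 used only the first one.  Handles the RFC 2307 style
schemes {CLEARTEXT}, {MD5}, {SHA}, {SMD5}, {SSHA} and, where the
interpreter still ships the crypt module, {crypt}.
"""
import base64
import hashlib
import hmac
import re
from typing import List, Optional

try:
    import crypt  # deprecated in 3.11, gone in 3.13
except ImportError:
    crypt = None

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def verify_one(password: str, stored: str) -> Optional[bool]:
    """True/False when the value can be checked, None when it cannot
    (unknown scheme, bad base64, or {crypt} without a crypt module)."""
    pw = password.encode("utf-8")
    m = _SCHEME_RE.match(stored)
    if not m:  # no {scheme} prefix: the value is the cleartext password
        return hmac.compare_digest(pw, stored.encode("utf-8"))
    scheme, data = m.group(1).upper(), m.group(2)

    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, data.encode("utf-8"))

    if scheme == "CRYPT":
        if crypt is None:
            return None
        # crypt(3) takes the stored hash as its salt argument; a salt the
        # platform no longer supports yields None or an error
        try:
            computed = crypt.crypt(password, data)
        except (OSError, ValueError):
            return None
        if computed is None:
            return None
        return hmac.compare_digest(computed.encode(), data.encode())

    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None

    if scheme in ("MD5", "SHA"):
        algo = "md5" if scheme == "MD5" else "sha1"
        return hmac.compare_digest(hashlib.new(algo, pw).digest(), raw)

    if scheme in ("SMD5", "SSHA"):
        # salted form: base64( digest(password || salt) || salt )
        algo, dlen = ("md5", 16) if scheme == "SMD5" else ("sha1", 20)
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)

    return None  # scheme this checker does not know


def encode_ssha(password: str, salt: bytes) -> str:
    """Produce an {SSHA} value the way an LDAP server stores it."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_first_only(password: str, values: List[str]) -> bool:
    """What the 2.1.3 log shows: only the first attribute is consulted."""
    return bool(values) and verify_one(password, values[0]) is True


def check_any(password: str, values: List[str]) -> Optional[int]:
    """What the 1.1.7 log shows: walk every value; return the index of the
    one that matched, or None if none did."""
    for i, value in enumerate(values):
        if verify_one(password, value) is True:
            return i
    return None


# Constructed entry with two userPassword values, like the poster's.  The
# {crypt} string is made up (a hash of nothing in particular) so it sits
# first and fails, as in the 2.1.3 log; the {MD5} value really is "password".
SAMPLE_USERPASSWORD = [
    "{crypt}xyZq1tR8Pl2Vs",
    "{MD5}X03MO1qnZdYdgyfeuILPmQ==",
]

if __name__ == "__main__":
    print("first only:", check_first_only("password", SAMPLE_USERPASSWORD))
    print("any:", check_any("password", SAMPLE_USERPASSWORD))
```

The detail that matters is the three-way result: a value that cannot be checked must never count as a match, but must not end the walk either. All comparisons go through hmac.compare_digest so the check itself does not leak which attribute matched.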


command autho. is it possible?

2009-02-06 Thread Hegedus Gabor

Hi all!

I have read a lot of manuals, examples and posts, but I still don't know
what the solution is.


I have the newest freeradius, and cisco devices (now an AP).

I want user authentication to the cisco device by fr.
It works.
I configure the users file like this:

test Cleartext-Password := "test"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

The user gets the level that I set.

The enable level ( $enalXX$) works too.

But I don't know how I can set the command authorization on the 
freeradius and cisco.

The cisco commands what I set:

aaa group server radius Radius-Servers
server 10.10.10.10 auth-port 1812 acct-port 1813
aaa authentication login default group Radius-Servers
aaa authentication enable default group Radius-Servers enable
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers if-authenticated
aaa session-id common

In fact, at first I just want to allow  show running-config  but 
disable the  configure  command.
Using privilege levels is not good; both commands are on the same 
level (15).


What is the solution?
I don't want to use 2 servers (tacacs+ and fr) for this.
I saw something about tacacs+ integration into freeradius but I don't know 
if this is a good solution, or how I can configure it.



Thank you,
Best regards
Gabor








Re: command autho. is it possible?

2009-02-06 Thread Alan DeKok
Hegedus Gabor wrote:
> What is the solution?
> I don't want to use 2 servers (tacacs+ and fr) for this.
> I saw something about tacacs+ integration into freeradius but I don't know
> if this is a good solution, or how I can configure it.

  FreeRADIUS doesn't currently support TACACS+.  Maybe in a future release.

  Alan DeKok.


Re: otp daemon for use with freeradius

2009-02-06 Thread Alan DeKok
Norbert Wegener wrote:
> in otp.conf an otpd is mentioned for use with freeradius.
> According to the licence the daemon can only be used with tokens from
> tri-dsystems.
> Is there another otpd around that is free?

  Not that I know of.

  Alan DeKok.


Re: otp daemon for use with freeradius

2009-02-06 Thread Alexander Clouter
* Alan DeKok  [Fri, 06 Feb 2009 19:30:06 +0100]:
>
> Norbert Wegener wrote:
>
>> in otp.conf an otpd is mentioned for use with freeradius.
>> According to the licence the daemon can only be used with tokens from
>> tri-dsystems.
>> Is there another otpd around that is free?
>
>   Not that I know of.
>
Would Alan grumble if I was to xlat enable the challenge in rlm_eap_gtc?  
Then a bit of pam_opie action could be probably called upon...or 
something could get excited and shovel the information into LDAP.

This means SecureW2 would then take on an extra level of shininess...

Cheers

-- 
Alexander Clouter
.sigmonster says: If you analyse anything, you destroy it.
-- Arthur Miller



VLAN assignment on PEAP

2009-02-06 Thread Michael Schwartzkopff
Hi,

When I use 802.1x and MD5 (PAP) I can easily pass VLAN assignment back to 
the NAS using

username   Cleartext-Password := "password"
        Reply-Message = "Hello, misch",
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 100

in the users file. When I switch the supplicant to PEAP-MSCHAPv2 I see these 
attributes being added to the inner tunnel. The outer tunnel only has the EAP 
attributes and the switch does not see the VLAN attributes.

How is it possible to pass these attributes to the switch in the outer tunnel? 
Thanks for any help.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Sitz der Gesellschaft: 85630 Grasbrunn
Registergericht: Amtsgericht München HRB 114375
Geschäftsführer: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: VLAN assignment on PEAP

2009-02-06 Thread tnt
>When I use 802.1x and MD5 (PAP) I can easily pass VLAN assignment back to 
>the NAS using
>
>username   Cleartext-Password := "password"
>        Reply-Message = "Hello, misch",
>        Tunnel-Type = VLAN,
>        Tunnel-Medium-Type = IEEE-802,
>        Tunnel-Private-Group-ID = 100
>
>in the users file. When I switch the supplicant to PEAP-MSCHAPv2 I see these 
>attributes being added to the inner tunnel. The outer tunnel only has the EAP 
>attributes and the switch does not see the VLAN attributes.
>
>How is it possible to pass these attributes to the switch in the outer tunnel? 

use_tunneled_reply in the peap section of eap.conf.

Ivan Kalik
Kalik Informatika ISP



Re: Reject user by Calling-Station-Id

2009-02-06 Thread Alex M
Yay, that seems to work, but I'm still getting one problem.
So the computer gets blocked regardless of username, but the Reply-Message from
the blocked table is not being displayed. So I have the "blocked" huntgroup name
and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all
its members (which works fine if I assign the user to that group)

Here is my debug:

rad_recv: Access-Request packet from host xxx.147.xxx.xxx:60365, id=125,
length=138
NAS-IP-Address = xxx.147.xxx.xxx
NAS-Identifier = "domain.com"
User-Name = "alexus"
User-Password = ""
Service-Type = Login-User
NAS-Port-Type = Ethernet
NAS-Port = 1
Framed-IP-Address = 192.168.1.244
Called-Station-Id = "00:0d:b9:xx:xx:xx"
Calling-Station-Id = "00:0b:6a:xx:xx:xx"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_sql (sql): - sql_groupcmp
radius_xlat:  'alexus'
rlm_sql (sql): sql_set_user escaped user --> 'alexus'
radius_xlat:  'SELECT GroupName FROM usergroup WHERE UserName='alexus''
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  SELECT GroupName FROM usergroup WHERE
UserName='alexus'
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): - sql_groupcmp finished: User does not belong in group
Deny_Trial
No huntgroup access: [alexus] (from client home_segment port 1 cli
00:0b:6a:xx:xx:xx)
  modcall[authorize]: module "preprocess" returns reject for request 2
modcall: leaving group authorize (returns reject) for request 2
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 125 to xxx.147.xxx.xxx port 60365
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 125 with timestamp 498cd334
Nothing to do.  Sleeping until we see a request.



2009/1/31 

> Here is a trick from the old days:
>
> Create a huntgroup like:
>
> blocked   Calling-Station-Id == whatever
>           SQL-Group == "suspend"
>
> Where suspend is the group with Auth-Type := Reject in it. That will block
> him whether he is in the suspend group or not (only the message in radius.log
> will be different). It means using the huntgroups file and a restart for each
> change to it but if it's only 3 users ...
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> On 31/1/2009, "Alex M" wrote:
>
> >damn, the upgrade will be painful for me :(
> >I guess I will try to use other means to block misbehaving users. At least
> >we've only got 3 people who try to free ride.
> >
> >thanks for help
> >
> >2009/1/31 
> >
> >> Ah, sql groups don't work properly in 1.x. Upgrade.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> On 31/1/2009, "Alex M" wrote:
> >>
> >> >I guess it's different in the newer version of radius but in my 1.5 the only
> >> >table that has PRIO is radgroupreply
> >> >
> >> >and there is no table radusergroup; instead there is a group called
> usergroup.
> >> >
> >> >I'm getting frustrated. :(
> >> >
> >> >On Fri, Jan 30, 2009 at 7:32 PM,  wrote:
> >> >
> >> >> >Tried that...
> >> >> >now i'm  getting all users rejected regardless of mac address in the
> >> given
> >> >> >group :(
> >> >>
> >> >> That shouldn't happen. Post the debug.
> >> >>
> >> >> >How do i set priorities?
> >> >>
> >> >> You have priority field in radusergroup table.
> >> >>
> >> >> >I though priorities only apply to radreply.
> >> >>
> >> >> There are no priorities in radreply.
> >> >>
> >> >> >
> >> >> >Do I have to set fall through?
> >> >> >
> >> >>
> >> >> No.
> >> >>
> >> >> Ivan Kalik
> >> >> Kalik Informatika ISP
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>

Re: Reject user by Calling-Station-Id

2009-02-06 Thread tnt
>Yay, that seems to work, but I'm still getting one problem.
>So the computer gets blocked regardless of username, but the Reply-Message from
>the blocked table is not being displayed. So I have the "blocked" huntgroup name
>and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all
>its members (which works fine if I assign the user to that group)
>

I am afraid that sql group is just a gimmick. As you have noticed, the user
doesn't have to be a member of it to get rejected. It doesn't even
have to exist. It's a trick to get something done, not a proper policy.

You can send replies for individual macs:

DEFAULT   Calling-Station-Id == whatever
        Reply-Message = "Naughty boy"

Ivan Kalik
Kalik Informatika ISP

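
The per-MAC DEFAULT entry above, and the huntgroup earlier in the thread, compare Calling-Station-Id as a literal string. As an added example (Python, not code from the thread or from FreeRADIUS) here is the same decision with the MAC normalised first, because NAS firmware differs in how it formats the client MAC ("00:0b:6a:..", "00-0B-6A-..", "000b.6a..", "000B6A..."), and a literal compare silently misses the shapes you did not list. The blocklist and the request values are constructed for the example; the decision is per MAC and independent of User-Name, as the debug output above shows. Calling-Station-Id is whatever MAC the client presents, so this is a nuisance control against a known device, not authentication.

```python
"""Reject by Calling-Station-Id with the MAC normalised first.

Added example, not FreeRADIUS code.  Normalises the NAS-supplied MAC to
one canonical shape before the blocklist lookup and attaches the
Reply-Message configured for that MAC.
"""
import re
from typing import Dict, Optional, Tuple

_NOT_HEX = re.compile(r"[^0-9a-f]")

# Constructed blocklist (MAC -> Reply-Message); the MACs are made up.
BLOCKED: Dict[str, str] = {
    "00:0b:6a:11:22:33": "Naughty boy",
    "00:0b:6a:44:55:66": "Account suspended, contact the helpdesk",
}


def normalise_mac(value: str) -> Optional[str]:
    """Return the MAC as six lowercase colon-separated octets, or None
    when the value is not a 48-bit MAC (some NASes put a phone number
    or an IP address in Calling-Station-Id instead)."""
    digits = _NOT_HEX.sub("", value.lower())
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request: Dict[str, str],
              blocked: Dict[str, str] = BLOCKED) -> Tuple[str, Dict[str, str]]:
    """One authorize step.  Returns ("reject", reply_attrs) for a blocked
    MAC, whatever the User-Name, and ("noop", {}) otherwise so the rest
    of the authorize section still runs for the request."""
    mac = normalise_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac not in blocked:
        return "noop", {}
    return "reject", {"Reply-Message": blocked[mac]}


if __name__ == "__main__":
    # Constructed requests in three of the shapes NASes send.
    for csid in ("00-0B-6A-11-22-33", "000b.6a44.5566", "00:0b:6a:77:88:99"):
        print(csid, "->", authorize({"User-Name": "alexus",
                                     "Calling-Station-Id": csid}))
```

A value that does not parse as a MAC falls through to "noop" rather than being treated as a match or a reject, so a NAS that sends something else in that attribute does not lock everyone out.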


Re: Reject user by Calling-Station-Id

2009-02-06 Thread Alex M
ok well I guess I will do manual replies for each user :(

So freeRADIUS 2.x has taken care of my problem and I actually can use SQL
to control everything?

On Fri, Feb 6, 2009 at 8:07 PM,  wrote:

> >Yay, that seems to work, but I'm still getting one problem.
> >So the computer gets blocked regardless of username, but the Reply-Message from
> >the blocked table is not being displayed. So I have the "blocked" huntgroup name
> >and I have SQL group: Deny_Trial that sends Reply-Message + Reject for all
> >its members (which works fine if I assign the user to that group)
> >
>
> I am afraid that sql group is just a gimmick. As you have noticed, the user
> doesn't have to be a member of it to get rejected. It doesn't even
> have to exist. It's a trick to get something done, not a proper policy.
>
> You can send replies for individual macs:
>
> DEFAULT   Calling-Station-Id == whatever
>         Reply-Message = "Naughty boy"
>
> Ivan Kalik
> Kalik Informatika ISP
>
>

Re: otp daemon for use with freeradius

2009-02-06 Thread Alan DeKok
Alexander Clouter wrote:
> Would Alan grumble if I was to xlat enable the challenge in rlm_eap_gtc?  
> Then a bit of pam_opie action could be probably called upon...or 
> something could get excited and shovel the information into LDAP.

  Sure... send a patch.

  Alan DeKok.