Re: Dropping requests when no authentication possible

2009-03-15 Thread Chris Phillips
On Sat, Mar 14, 2009 at 8:08 AM, Alan DeKok al...@deployingradius.com wrote:

 Chris Phillips wrote:
  Thanks, frustrating this, maybe I'll need to revert to ideas about a
  cron job to do some housekeeping checks...

   One more thought:

 authorize {
     ...
     redundant {
         redundant {
             ldap1
             ldap2
         }

         group {
             update control {
                 Response-Packet-Type = Do-Not-Respond
             }

             handled  # i.e. not ok
         }
     }
     ...
 }

  The handled return code says stop processing right now...


Yahooo! that's the one! Debug instantly said that it will stop
processing the request and no response is to be sent. Brilliant.



  Is there an angle to filter out the Access-Type field in the packet that
  gets sent back? Would a useless packet have the same effect as no packet
  at all?

   What's Access-Type?


It's me not remembering RADIUS correctly. I just wondered if it was possible
to send a packet back that was not an accept, reject or anything useful at
all. Irrelevant now anyway, thanks for your help.

Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: trying to use Post-Auth-Type REJECT to insert users

2009-03-15 Thread tnt
The high level goal is to have a new radius server slurp all the
users on a DSL ATM aggregation link into a SQL database.
We are taking over a bunch of users from a defunct ISP and don't have
the UserName / Password data.

What I'm thinking is that there should be a way to have Post-Auth-Type REJECT
do two SQL insert commands.   Then when the user tries to auth again
there will be a valid user.

Will this work ??

Only for PAP requests. They will have both username and clear text
password in them. It won't work with any other authentication method.

How to have two SQL statements run when this event is triggered???


See man unlang.

Is there a better way ??

Don't they have a backup of their user database on a tape/DVD?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dropping requests when no authentication possible

2009-03-15 Thread Alan DeKok
Chris Phillips wrote:
 Yahooo! that's the one! Debug instantly said that it will stop
 processing the request and no response is to be sent. Brilliant.

  OK.  In order for this to work properly, you WILL need to grab the
latest stable branch from git.freeradius.org.  It has another fix that
prevents the server from responding on client re-transmits.

  I've also added a sample policy in raddb/policy.conf.  You can now do:

...
redundant {
        ldap1
        do_not_respond
}
...

  Which says if ldap1 fails, do not respond

  That's a lot easier to understand.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: trying to use Post-Auth-Type REJECT to insert users

2009-03-15 Thread Fajar A. Nugraha
On Sun, Mar 15, 2009 at 4:35 PM,  t...@kalik.net wrote:
Is there a better way ??

 Don't they have a backup of their user database on a tape/DVD?


Unlikely. We had a similar situation once (also with DSL ATM), and the
only user data we got was usernames and encrypted (with some unknown
encryption) passwords. We ended up doing it the hard way, full
migration (which involves giving out new usernames and passwords).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: peap not working for windows XP client

2009-03-15 Thread deveshgade

[suffix] No '@' in User-Name = ITDEPT.COM\scoe, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop

You left username as it is.

The username I am using is scoe, the domain name is ITDEPT.COM, the password
is testing.
..
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap]   NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for ITDEPT.COM\scoe with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.

Where is the password for the user supposed to be? Is the password under
ITDEPT.COM\scoe or just scoe? If you need to strip out the domain you
need to enable ntdomain (in authorize), add the domain as a local realm in
proxy.conf and nt_domain_hack (in raddb/modules/mschap).

I am using a single access point as client and I am not using any proxy
server.
Is it still necessary to make the changes in the proxy.conf file??
I've understood my mistake in the mschap module.
-- 
View this message in context: 
http://www.nabble.com/peap-not-working-for-windows-XP-client-tp22473441p22525386.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: peap not working for windows XP client

2009-03-15 Thread tnt
The username I am using is scoe, the domain name is ITDEPT.COM, the password
is testing.

So, you need to strip out the domain.

I am using a single access point as client and I am not using any proxy
server.
Is it still necessary to make the changes in the proxy.conf file??

Yes, you won't be proxying anything. It will be a local realm.

I've understood my mistake in the mschap module.

In a way - yes. It doesn't know what DOMAIN\username is (but it did warn
that User-Name looks like that). So, enable ntdomain (in authorize just
under suffix), ntdomain hack (in raddb/modules/mschap) and enter your
domain as a local realm in proxy.conf:

realm ITDEPT.COM {
}

Server will then look for username scoe (not ITDEPT.COM\scoe), find the
password and authenticate the user.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
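The three changes Ivan describes, gathered into one place as an added example. This is not configuration from the thread or from the FreeRADIUS distribution; it assumes the 2.1.x raddb layout the thread refers to, and the inner-tunnel fragment is an addition for the PEAP case, where the MS-CHAPv2 exchange is handled by the inner-tunnel virtual server rather than by sites-enabled/default.

```conf
# Added example: strip the NT domain so ITDEPT.COM\scoe is looked up as scoe.
# Assumes the stock FreeRADIUS 2.1.x raddb layout; the file each fragment
# belongs to is named in the comment above it.

# --- raddb/modules/realm ---------------------------------------------
# The "ntdomain" instance ships with 2.x: it splits DOMAIN\user on the
# backslash and treats the part before it as the realm.
realm ntdomain {
        format = prefix
        delimiter = "\\"
}

# --- raddb/proxy.conf ------------------------------------------------
# A realm block with no home servers is LOCAL: the realm module sets
# Stripped-User-Name = "scoe" and nothing is proxied anywhere.
realm ITDEPT.COM {
}

# --- raddb/modules/mschap --------------------------------------------
# Windows computes the MS-CHAPv2 response over the bare user name, so
# rlm_mschap must ignore the DOMAIN\ prefix when it verifies the response.
mschap {
        with_ntdomain_hack = yes
}

# --- raddb/sites-enabled/inner-tunnel, authorize section -------------
# PEAP carries EAP-MSCHAPv2 inside the TLS tunnel and that inner request
# is processed here, so ntdomain must run in this authorize section,
# right after suffix and before the password lookup (files / sql).
authorize {
        chap
        mschap
        suffix
        ntdomain
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        # (remaining stock entries unchanged)
}
```

With Stripped-User-Name present, the files module keys its lookup on "scoe" and finds the Cleartext-Password entry; the same `ntdomain` line belongs in the authorize section of sites-enabled/default as well, so that a non-tunnelled MS-CHAP request from the access point is handled the same way.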


ldap authentication works on v1.1.4 but fails on 2.1.3

2009-03-15 Thread Leese, MJ (Mark)
 18:07:11 2009 : Debug: rlm_ldap: ldap_release_conn:
Release Id: 0
Sun Mar 15 18:07:11 2009 : Debug:   modsingle[authorize]:
returned from ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug:   modcall[authorize]: module
ldap returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug:   modsingle[authorize]:
calling pap (rlm_pap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_pap: WARNING! No known
good password found for the user.  Authentication may fail because of
this.
Sun Mar 15 18:07:11 2009 : Debug:   modsingle[authorize]:
returned from pap (rlm_pap) for request 0
Sun Mar 15 18:07:11 2009 : Debug:   modcall[authorize]: module
pap returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall: leaving group
authorize (returns ok) for request 0
Sun Mar 15 18:07:11 2009 : Debug:   rad_check_password:  Found
Auth-Type ldap
Sun Mar 15 18:07:11 2009 : Debug: auth: type LDAP
Sun Mar 15 18:07:11 2009 : Debug:   Processing the authenticate
section of radiusd.conf
Sun Mar 15 18:07:11 2009 : Debug: modcall: entering group LDAP
for request 0
Sun Mar 15 18:07:11 2009 : Debug:   modsingle[authenticate]:
calling ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: - authenticate
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: login attempt by
bill with password blahblah
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user DN:
CN=bill,dc=foo,dc=ac,dc=uk
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: (re)connect to
ad.foo.ac.uk:389, authentication 1
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: bind as
CN=bill,dc=foo,dc=ac,dc=uk/blahblah to ad.foo.ac.uk:389
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: waiting for bind
result ...
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user bill
authenticated succesfully
Sun Mar 15 18:07:11 2009 : Debug:   modsingle[authenticate]:
returned from ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug:   modcall[authenticate]:
module ldap returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall: leaving group LDAP
(returns ok) for request 0
Sun Mar 15 18:07:11 2009 : Auth: Login OK: [bill] (from client
localNas port 0)
Sending Access-Accept of id 216 to 127.0.0.1 port 56359
Sun Mar 15 18:07:11 2009 : Debug: Finished request 0
Sun Mar 15 18:07:11 2009 : Debug: Going to the next request
Sun Mar 15 18:07:11 2009 : Debug: --- Walking the entire request
list ---
Sun Mar 15 18:07:11 2009 : Debug: Waking up in 6 seconds...
Sun Mar 15 18:07:17 2009 : Debug: --- Walking the entire request
list ---
Sun Mar 15 18:07:17 2009 : Debug: Cleaning up request 0 ID 216
with timestamp 49bd43cf
Sun Mar 15 18:07:17 2009 : Debug: Nothing to do.  Sleeping until
we see a request.



And this is the debug output for version 2.1.3...

rad_recv: Access-Request packet from host 127.0.0.1 port 32787,
id=186, length=27
User-Name = bill
Sun Mar 15 17:59:37 2009 : Info: +- entering group authorize
{...}
Sun Mar 15 17:59:37 2009 : Info: ++[preprocess] returns ok
Sun Mar 15 17:59:37 2009 : Info: [auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radius/radacct/127.0.0.1/auth-detail-20090315
Sun Mar 15 17:59:37 2009 : Info: [auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/127.0.0.1/auth-detail-20090315
Sun Mar 15 17:59:37 2009 : Info: [auth_log] expand: %t -
Sun Mar 15 17:59:37 2009
Sun Mar 15 17:59:37 2009 : Info: ++[auth_log] returns ok
Sun Mar 15 17:59:37 2009 : Info: [ldap] performing user
authorization for bill
Sun Mar 15 17:59:37 2009 : Info: [ldap] WARNING: Deprecated
conditional expansion :-.  See man unlang for details
Sun Mar 15 17:59:37 2009 : Info: [ldap] expand:
(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -
(sAMAccountName=bill)
Sun Mar 15 17:59:37 2009 : Info: [ldap] expand:
dc=foo,dc=ac,dc=uk - dc=foo,dc=ac,dc=uk
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: ldap_get_conn:
Checking Id: 0
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: ldap_get_conn: Got
Id: 0
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: attempting LDAP
reconnection
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: (re)connect to
logon02.fed.cclrc.ac.uk:389, authentication 0
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: bind as / to
logon02.fed.cclrc.ac.uk:389
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: waiting for bind
result ...
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: performing search in
dc=foo,dc=ac,dc=uk, with filter

Re: ldap authentication works on v1.1.4 but fails on 2.1.3

2009-03-15 Thread tnt
I've been successfully using FreeRADIUS 1.1.4 to authenticate users
against Active Directory using LDAP and a plaintext password.

In the authorize section FreeRADIUS anonymously binds to our LDAP server
(Active Directory) and searches for the user identified in the
Access-Request (in my case we change the default search filter to
'sAMAccountName' as our AD doesn't contain 'uid'). If a match is found I
think the user's full Distinguished Name (e.g.
CN=bill,DC=foo,DC=ac,DC=uk) is added to the list of check items, and
Auth-Type is set to 'ldap'. In the authenticate section, FreeRADIUS
binds to the LDAP server using the user's full DN and the password
supplied in the Access-Request. If the bind is successful, the user is
authenticated because the password must have been correct.

I've recently updated a server to FreeRADIUS 2.1.3 and all
authentications now fail. LDAP is not set as the authentication method
during the authorize section. I don't know why as I can't see any
configuration options which I've set differently between the two
versions. I still get the debug message Info: [ldap] user username
authorized to use remote access in the authorize section, so this
suggests that the anonymous bind and search work ok.

Does anyone have any ideas? Have I made a stupid configuration error,
or did I miss something in the latest documentation?


Uncomment set_auth_type = yes in raddb/modules/ldap.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: trying to use Post-Auth-Type REJECT to insert users

2009-03-15 Thread Dave Sinclair
Hi,

There isn't a backup.

So I'm having problems with:

  postauth_query = INSERT INTO ${authcheck_table} VALUES
(NULL,'%{User-Name}','Password', '==',
'%{User-Password:-Chap-Password}');
postauth_query = INSERT INTO ${usergroup_table} values
('%{User-Name}','Dynamic','');


I want BOTH SQL statements to insert data.  At present the first
INSERT runs, but the second one doesn't.  I can't seem to sort out how
to do it in unlang.

help ??  thanks


2009/3/15 Fajar A. Nugraha fa...@fajar.net:
 On Sun, Mar 15, 2009 at 4:35 PM,  t...@kalik.net wrote:
Is there a better way ??

 Don't they have a backup of their user database on a tape/DVD?


 Unlikely. We had a similar situation once (also with DSL ATM), and the
 only user data we got was usernames and encrypted (with some unknown
 encryption) passwords. We ended up doing it the hard way, full
 migration (which involves giving out new usernames and passwords).
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


how to have freeradius/unlang do two or more SQL statements at one time

2009-03-15 Thread Dave Sinclair
Hi,

When Post-Auth-Type REJECT is executed I need to insert two or more
rows into a SQL data base.

here is what I have at present


sites-enabled/default

Post-Auth-Type REJECT {
sql
}

sql.conf - sql/mysql/dialup.conf


postauth_query = INSERT INTO ${authcheck_table} VALUES
(NULL,'%{User-Name}','Password', '==',
'%{User-Password:-Chap-Password}');
postauth_query = INSERT INTO ${usergroup_table} values
('%{User-Name}','Dynamic','');


The FIRST insert runs, but the second one doesn't.

mucho thanks in advance
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
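One way to get two INSERTs out of a single Post-Auth-Type REJECT, as an added example rather than anything posted in the thread: a module instance holds exactly one postauth_query, so of the two lines above only one takes effect, and the fix is a second rlm_sql instance with its own query, listed after the first. The syntax is FreeRADIUS 2.1.x rlm_sql; the columns assume the stock radcheck/radusergroup schema; the connection settings and the instance name sql_group are placeholders chosen here. Two things a defender should keep in mind, both following from Ivan's point that only PAP carries a cleartext password: a REJECT fires for every failed attempt, so whatever password the client sent, right or wrong, becomes the stored credential, and requests with no User-Password at all would otherwise create a group row for an account with no usable password.

```conf
# Added example, not from the thread: two rlm_sql instances so that one
# REJECT runs two INSERTs. FreeRADIUS 2.1.x syntax; connection values are
# placeholders.

# --- raddb/sql.conf, stock instance "sql" ----------------------------
# Keeps dialup.conf, whose postauth_query is edited below. The table-name
# and pool settings of the stock file are omitted here and stay as shipped.
sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        # ... authcheck_table, usergroup_table, num_sql_socks etc. as in
        # the stock file ...
        $INCLUDE sql/${database}/dialup.conf
}

# --- raddb/sql/mysql/dialup.conf, only postauth_query changes ---------
# Write a radcheck row rlm_pap can use on the next login: the 2.x
# attribute is Cleartext-Password with operator :=, not "Password" / "==".
postauth_query = "INSERT INTO ${authcheck_table} \
                  (username, attribute, op, value) \
                  VALUES ('%{User-Name}', 'Cleartext-Password', ':=', \
                  '%{User-Password}')"

# --- raddb/sql.conf, second instance ---------------------------------
# Same database, a different instance name, and a single query. It is
# never listed in authorize or accounting, so no other queries are needed
# and dialup.conf is not included; the table name is defined locally.
sql sql_group {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        usergroup_table = "radusergroup"
        postauth_query = "INSERT INTO ${usergroup_table} \
                          (username, groupname, priority) \
                          VALUES ('%{User-Name}', 'Dynamic', 1)"
}

# --- raddb/sites-enabled/default, post-auth section ------------------
# Each instance listed runs its own postauth_query in turn. Only do this
# when the request actually carried a cleartext password (PAP), so that
# CHAP or EAP rejects do not create rows the user can never log in with.
post-auth {
        Post-Auth-Type REJECT {
                if (User-Password) {
                        sql
                        sql_group
                }
        }
}
```

rlm_sql escapes the expanded `%{User-Name}` and `%{User-Password}` values according to the instance's safe_characters setting before they reach the query, so the quoting in the INSERT is safe against a user name containing a quote; the remaining risk is the one above, that the migration table fills with whatever the last failed attempt contained, so the Dynamic group should carry no more access than a freshly provisioned account would.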


Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-15 Thread Peter Param
Did you try RE-BUILDING the server when you only had one version of
OpenSSL installed?

I did that and the SSL_CTX_ERROR message is now gone and radiusd runs
successfully.   However it won't accept encrypted authentication requests:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to secureldapcentral.stvincents.com.au:636, authentication
0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to
certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as
cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU/abc123 to
secureldapcentral.stvincents.com.au:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU bind to
secureldapcentral.stvincents.com.au:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed 

I can authenticate to the ldap backend with an ldap client using port 636 but
not with freeradius.


The complete -X output:

radius02:/etc/freeradius# radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 16 2009 at
11:45:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/people_search
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = /etc
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir =