Re: Dropping requests when no authentication possible
On Sat, Mar 14, 2009 at 8:08 AM, Alan DeKok <al...@deployingradius.com> wrote:
>>> Chris Phillips wrote:
>>>> Thanks, frustrating this, maybe I'll need to revert to ideas about a cron job to do some housekeeping checks...
>>>
>>> One more thought:
>>>
>>>   authorize {
>>>     ...
>>>     redundant {
>>>       redundant {
>>>         ldap1
>>>         ldap2
>>>       }
>>>       group {
>>>         update control {
>>>           Response-Packet-Type = Do-Not-Respond
>>>         }
>>>         handled   # i.e. not ok
>>>       }
>>>     }
>>>     ...
>>>   }
>>>
>>> The handled return code says stop processing right now...
>>
>> Yahooo! that's the one! Debug instantly said that it will stop processing the request and no response is to be sent. Brilliant.
>>
>> Is there an angle to filter out the Access-Type field in the packet that gets sent back? Would a useless packet have the same effect as no packet at all?
>
> What's Access-Type?

It's me not remembering RADIUS correctly. I just wondered if it was possible to send a packet back that was not an accept, reject or anything useful at all. Irrelevant now anyway, thanks for your help.

Chris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: trying to use Post-Auth-Type REJECT to insert users
> The high level goal is to have a new radius server slurp all the users on a DSL ATM aggregation link into a SQL database. We are taking over a bunch of users from a defunct ISP and don't have the UserName / Password data. What I'm thinking is that there should be a way to have Post-Auth-Type REJECT do two SQL insert commands. Then when the user tries to auth again there will be a valid user. Will this work ??

Only for PAP requests. They will have both username and clear text password in them. It won't work with any other authentication method.

> How to have two SQL statements run when this event is triggered???

See man unlang.

> Is there a better way ??

Don't they have a backup of their user database on a tape/DVD?

Ivan Kalik
Kalik Informatika ISP
Re: Dropping requests when no authentication possible
Chris Phillips wrote:
> Yahooo! that's the one! Debug instantly said that it will stop processing the request and no response is to be sent. Brilliant.

OK. In order for this to work properly, you WILL need to grab the latest stable branch from git.freeradius.org. It has another fix that prevents the server from responding on client re-transmits.

I've also added a sample policy in raddb/policy.conf. You can now do:

  ...
  redundant {
    ldap1
    do_not_respond
  }
  ...

Which says if ldap1 fails, do not respond. That's a lot easier to understand.

Alan DeKok.
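The nested redundant block from the earlier reply and the do_not_respond policy Alan mentions, put together as an added example for a 2.1.x server. This is editorial illustration, not code from the posts or from the FreeRADIUS distribution: the policy body is my reconstruction of what raddb/policy.conf provides, and ldap1 / ldap2 are the rlm_ldap instance names assumed throughout the thread.

```unlang
#  Added example (not from the list posts or the FreeRADIUS distribution).
#  Two files are shown; the separators are comments, not config syntax.

#  --- raddb/policy.conf (2.1.x ships a do_not_respond policy here; this is
#  my reconstruction of it, so define it only once) ---
policy {
    #  Mark the request as "no reply" and return "handled", which stops
    #  processing of the current section without sending any packet.
    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }
}

#  --- raddb/sites-enabled/default ---
authorize {
    preprocess
    suffix

    #  ldap1 and ldap2 are two rlm_ldap instances (assumed names, as in the
    #  thread), e.g. "ldap ldap1 { ... }" in raddb/modules/ldap.
    #
    #  redundant only moves on to the next entry when the previous one
    #  returns "fail" (directory unreachable). A "notfound" or "reject" from
    #  ldap1 is returned immediately, so ldap2 is a fallback for outages,
    #  not a second place to look for the user.
    #
    #  When both directories fail, the outer block falls through to
    #  do_not_respond: the NAS sees a timeout and can fail over to its next
    #  RADIUS server, instead of receiving an Access-Reject that it cannot
    #  tell apart from a wrong password.
    redundant {
        redundant {
            ldap1
            ldap2
        }
        do_not_respond
    }

    pap
}
```

To confirm the behaviour, run the server with radiusd -X during a simulated outage of both directories: the request should end with the "handled" return from the policy and there should be no "Sending Access-Reject" line for it. As Alan notes above, the re-transmit fix in the stable branch is also needed, otherwise a NAS that retries the same request can still draw a reply.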
Re: trying to use Post-Auth-Type REJECT to insert users
On Sun, Mar 15, 2009 at 4:35 PM, <t...@kalik.net> wrote:
>> Is there a better way ??
>
> Don't they have a backup of their user database on a tape/DVD?

Unlikely. We had a similar situation once (also with DSL ATM), and the only user data we got was usernames and encrypted (with some unknown encryption) passwords. We ended up doing it the hard way, full migration (which involves giving out new usernames and passwords).
Re: peap not working for windows XP client
>> [suffix] No '@' in User-Name = ITDEPT.COM\scoe, looking up realm NULL
>> [suffix] No such realm NULL
>> ++[suffix] returns noop
>
> You left username as it is.

The username I am using is scoe, the domain name is ITDEPT.COM, the password is testing ..

>> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>> [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
>> [mschap] Told to do MS-CHAPv2 for ITDEPT.COM\scoe with NT-Password
>> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>
> Where is password for the user supposed to be? Is password under ITDEPT.COM\scoe or just scoe? If you need to strip out the domain you need to enable ntdomain (in authorize), add domain as local realm in proxy.conf and nt_domain_hack (in raddb/modules/mschap).

I am using a single access point as client and I am not using any proxy server. Is it still necessary to make the changes in proxy.conf file??

I've understood my mistake in the mschap module.
Re: peap not working for windows XP client
> The username I am using is scoe, the domain name is ITDEPT.COM, the password is testing

So, you need to strip out the domain.

> I am using a single access point as client and I am not using any proxy server. Is it still necessary to make the changes in proxy.conf file??

Yes, you won't be proxying anything. It will be a local realm.

> I've understood my mistake in the mschap module.

In a way - yes. It doesn't know what DOMAIN\username is (but it did warn that User-Name looks like that). So, enable ntdomain (in authorize just under suffix), ntdomain hack (in raddb/modules/mschap) and enter your domain as local realm in proxy.conf:

  realm ITDEPT.COM {
  }

Server will then look for username scoe (not ITDEPT.COM\scoe), find the password and authenticate the user.

Ivan Kalik
Kalik Informatika ISP
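The three changes Ivan lists, written out as one added example for a stock 2.1.x raddb layout. This is editorial illustration rather than config taken from the posts; the realm ntdomain instance is the one the default raddb/modules/realm file already defines, the users file entry is assumed, and the inner-tunnel placement is assumed because the client is doing PEAP.

```unlang
#  Added example (not from the posts). Separators are comments, not syntax.

#  --- raddb/modules/realm: the stock instance that splits DOMAIN\user.
#  Only the prefix before the backslash is treated as the realm. ---
realm ntdomain {
    format = prefix
    delimiter = "\\"
}

#  --- raddb/proxy.conf: ITDEPT.COM is a LOCAL realm. A realm block with no
#  auth_pool or acct_pool is never proxied; it only tells rlm_realm that the
#  prefix is known, so the bare name goes into Stripped-User-Name and the
#  realm into Realm. Leaving the realm undefined keeps the full
#  "ITDEPT.COM\scoe" as the lookup key, which is what failed above. ---
realm ITDEPT.COM {
}

#  --- raddb/modules/mschap ---
mschap {
    #  Compute the MS-CHAPv2 response over "scoe", not "ITDEPT.COM\scoe",
    #  matching what the Windows client does internally.
    with_ntdomain_hack = yes
}

#  --- raddb/users (assumed entry): keyed on the stripped name ---
#  scoe    Cleartext-Password := "testing"

#  --- authorize section in raddb/sites-enabled/default AND in
#  raddb/sites-enabled/inner-tunnel (PEAP's inner MS-CHAPv2 request is the
#  one that needs the password): ntdomain sits right after suffix, before
#  the modules that look the password up. ---
authorize {
    preprocess
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    mschap
    pap
}
```

With this in place the debug output for the inner request should show ntdomain returning "updated" instead of suffix returning noop, and mschap should report that it is doing MS-CHAPv2 for scoe with an NT-Password derived from the Cleartext-Password.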
ldap authentication works on v1.1.4 but fails on 2.1.3
18:07:11 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module ldap returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authorize]: module pap returns noop for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall: leaving group authorize (returns ok) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rad_check_password: Found Auth-Type ldap
Sun Mar 15 18:07:11 2009 : Debug: auth: type LDAP
Sun Mar 15 18:07:11 2009 : Debug: Processing the authenticate section of radiusd.conf
Sun Mar 15 18:07:11 2009 : Debug: modcall: entering group LDAP for request 0
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: - authenticate
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: login attempt by bill with password blahblah
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user DN: CN=bill,dc=foo,dc=ac,dc=uk
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: (re)connect to ad.foo.ac.uk:389, authentication 1
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: bind as CN=bill,dc=foo,dc=ac,dc=uk/blahblah to ad.foo.ac.uk:389
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: waiting for bind result ...
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 18:07:11 2009 : Debug: rlm_ldap: user bill authenticated succesfully
Sun Mar 15 18:07:11 2009 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall[authenticate]: module ldap returns ok for request 0
Sun Mar 15 18:07:11 2009 : Debug: modcall: leaving group LDAP (returns ok) for request 0
Sun Mar 15 18:07:11 2009 : Auth: Login OK: [bill] (from client localNas port 0)
Sending Access-Accept of id 216 to 127.0.0.1 port 56359
Sun Mar 15 18:07:11 2009 : Debug: Finished request 0
Sun Mar 15 18:07:11 2009 : Debug: Going to the next request
Sun Mar 15 18:07:11 2009 : Debug: --- Walking the entire request list ---
Sun Mar 15 18:07:11 2009 : Debug: Waking up in 6 seconds...
Sun Mar 15 18:07:17 2009 : Debug: --- Walking the entire request list ---
Sun Mar 15 18:07:17 2009 : Debug: Cleaning up request 0 ID 216 with timestamp 49bd43cf
Sun Mar 15 18:07:17 2009 : Debug: Nothing to do. Sleeping until we see a request.

And this is the debug output for version 2.1.3...

rad_recv: Access-Request packet from host 127.0.0.1 port 32787, id=186, length=27
        User-Name = bill
Sun Mar 15 17:59:37 2009 : Info: +- entering group authorize {...}
Sun Mar 15 17:59:37 2009 : Info: ++[preprocess] returns ok
Sun Mar 15 17:59:37 2009 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20090315
Sun Mar 15 17:59:37 2009 : Info: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20090315
Sun Mar 15 17:59:37 2009 : Info: [auth_log] expand: %t -> Sun Mar 15 17:59:37 2009
Sun Mar 15 17:59:37 2009 : Info: ++[auth_log] returns ok
Sun Mar 15 17:59:37 2009 : Info: [ldap] performing user authorization for bill
Sun Mar 15 17:59:37 2009 : Info: [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details
Sun Mar 15 17:59:37 2009 : Info: [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=bill)
Sun Mar 15 17:59:37 2009 : Info: [ldap] expand: dc=foo,dc=ac,dc=uk -> dc=foo,dc=ac,dc=uk
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: attempting LDAP reconnection
Sun Mar 15 17:59:37 2009 : Debug: rlm_ldap: (re)connect to logon02.fed.cclrc.ac.uk:389, authentication 0
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: bind as / to logon02.fed.cclrc.ac.uk:389
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: waiting for bind result ...
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: Bind was successful
Sun Mar 15 17:59:38 2009 : Debug: rlm_ldap: performing search in dc=foo,dc=ac,dc=uk, with filter
Re: ldap authentication works on v1.1.4 but fails on 2.1.3
> I've been successfully using FreeRADIUS 1.1.4 to authenticate users against Active Directory using LDAP and a plaintext password. In the authorize section FreeRADIUS anonymously binds to our LDAP server (Active Directory) and searches for the user identified in the Access-Request (in my case we change the default search filter to 'sAMAccountName' as our AD doesn't contain 'uid'). If a match is found I think the user's full Distinguished Name (e.g. CN=bill,DC=foo,DC=ac,DC=uk) is added to the list of check items, and Auth-Type is set to 'ldap'. In the authenticate section, FreeRADIUS binds to the LDAP server using the user's full DN and the password supplied in the Access-Request. If the bind is successful, the user is authenticated because the password must have been correct.
>
> I've recently updated a server to FreeRADIUS 2.1.3 and all authentications now fail. LDAP is not set as the authentication method during the authorize section. I don't know why as I can't see any configuration options which I've set differently between the two versions. I still get the debug message "Info: [ldap] user username authorized to use remote access" in the authorize section, so this suggests that the anonymous bind and search work ok.
>
> Does anyone have any ideas? Have I made a stupid configuration error, or did I miss something in the latest documentation?

Uncomment set_auth_type = yes in raddb/modules/ldap.

Ivan Kalik
Kalik Informatika ISP
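An added example of the two-phase setup the question describes (anonymous search in authorize, bind as the user in authenticate) as it would be configured on 2.1.x with Ivan's fix applied. This is editorial illustration, not the poster's actual files or the stock distribution file; the host, base DN and attribute name are the placeholder values visible in the thread's debug output, and the remaining option values are ordinary defaults I have assumed.

```unlang
#  Added example (not from the posts). Separators are comments, not syntax.

#  --- raddb/modules/ldap ---
ldap {
    server = "ad.foo.ac.uk"
    port = 389

    #  No identity/password: the search in authorize binds anonymously,
    #  as in the original 1.1.4 setup.
    basedn = "dc=foo,dc=ac,dc=uk"

    #  AD has no uid attribute; match on sAMAccountName instead.
    #  This is the 2.x spelling of the conditional expansion; the older
    #  "%{A:-%{B}}" form is what the 2.1.3 log above flags as deprecated.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    #  Set Auth-Type := LDAP when the search finds the user and no other
    #  module has set Auth-Type already. This defaults to "no" in 2.x,
    #  which is why the upgraded server stopped at "authorized to use
    #  remote access" and never reached the bind.
    set_auth_type = yes

    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    dictionary_mapping = ${confdir}/ldap.attrmap
}

#  --- raddb/sites-enabled/default ---
authorize {
    preprocess
    suffix
    ldap      # anonymous bind + search; records the user's DN
    pap
}

authenticate {
    #  Reached only for requests the authorize ldap call tagged with
    #  Auth-Type LDAP. rlm_ldap binds with the DN found above and the
    #  User-Password from the Access-Request; a successful bind is the
    #  password check, which is why rlm_pap's "No known good password"
    #  warning in authorize is expected and harmless here.
    Auth-Type LDAP {
        ldap
    }
    pap
}
```

Two things worth noting from the 1.1.4 log above: the rlm_pap warning is normal for this design, since no module ever learns a reference password, and the "login attempt by bill with password blahblah" line shows that -X output contains the user's clear-text password, so debug captures should be handled as sensitive data and not left in shared tickets or log collectors.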
Re: trying to use Post-Auth-Type REJECT to insert users
Hi,

There isn't a backup. So I'm having problems with:

  postauth_query = INSERT INTO ${authcheck_table} VALUES (NULL,'%{User-Name}','Password', '==', '%{User-Password:-Chap-Password}');
  postauth_query = INSERT INTO ${usergroup_table} values ('%{User-Name}','Dynamic','');

I want BOTH SQL statements to insert data. At present the first INSERT runs, but the second one doesn't. I can't seem to sort out how to do it in unlang.

help ??

thanks

2009/3/15 Fajar A. Nugraha <fa...@fajar.net>:
> On Sun, Mar 15, 2009 at 4:35 PM, <t...@kalik.net> wrote:
>>> Is there a better way ??
>>
>> Don't they have a backup of their user database on a tape/DVD?
>
> Unlikely. We had a similar situation once (also with DSL ATM), and the only user data we got was usernames and encrypted (with some unknown encryption) passwords. We ended up doing it the hard way, full migration (which involves giving out new usernames and passwords).
how to have freeradius/unlang do two or more SQL statements at one time
Hi,

When Post-Auth-Type REJECT is executed I need to insert two or more rows into a SQL database. Here is what I have at present:

sites-enabled/default

  Post-Auth-Type REJECT {
    sql
  }

sql.conf -> sql/mysql/dialup.conf

  postauth_query = INSERT INTO ${authcheck_table} VALUES (NULL,'%{User-Name}','Password', '==', '%{User-Password:-Chap-Password}');
  postauth_query = INSERT INTO ${usergroup_table} values ('%{User-Name}','Dynamic','');

The FIRST insert runs, but the second one doesn't.

mucho thanks in advance
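One way to get both INSERTs to run, added here as an example for this question and for the earlier "Post-Auth-Type REJECT" thread; it is editorial illustration, not config from the posts or the FreeRADIUS distribution. An rlm_sql instance reads a single postauth_query, so repeating the key in one section does not add a second statement; the example therefore uses two rlm_sql instances sharing one database, with the 2.x Cleartext-Password check attribute and the radcheck / radusergroup column names of the stock 2.1.x MySQL schema. Database credentials are placeholders, and the stock sql instance is assumed to still be the one called from authorize.

```unlang
#  Added example (not from the posts). Separators are comments, not syntax.

#  --- raddb/sql.conf (appended): two instances, one query each ---
sql sql_enroll_check {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radius"
    password = "radpass"             # placeholder credentials
    radius_db = "radius"
    authcheck_table = "radcheck"

    #  Attribute values expanded into the query are escaped by rlm_sql
    #  according to this instance's safe-characters list, so keep that
    #  list as tight as the real usernames allow.
    postauth_query = "INSERT INTO ${authcheck_table} \
        (id, username, attribute, op, value) \
        VALUES (NULL, '%{User-Name}', 'Cleartext-Password', ':=', '%{User-Password}')"
}

sql sql_enroll_group {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radius"
    password = "radpass"             # placeholder credentials
    radius_db = "radius"
    usergroup_table = "radusergroup"

    postauth_query = "INSERT INTO ${usergroup_table} \
        (username, groupname, priority) \
        VALUES ('%{User-Name}', 'Dynamic', 1)"
}

#  --- raddb/sites-enabled/default ---
post-auth {
    Post-Auth-Type REJECT {
        #  Only PAP requests carry a usable password (Ivan's point above);
        #  a CHAP or EAP reject has nothing worth storing.
        #
        #  control:Cleartext-Password is set by the stock "sql" call in
        #  authorize when the user already exists, so the second test
        #  stops a mistyped password from creating a duplicate radcheck
        #  row for an account that has already been enrolled.
        if (User-Password && !control:Cleartext-Password) {
            sql_enroll_check
            sql_enroll_group
        }
        attr_filter.access_reject
    }
}
```

Because every rejected PAP request from an unknown name enrolls a new account, this should only be reachable from the aggregation link's NAS (a dedicated virtual server or client block) and be removed once the migration window closes; until then, the radcheck inserts are the audit trail of which names were enrolled and when.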
Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol
> Did you try RE-BUILDING the server when you only had one version of OpenSSL installed?

I did that and the SSL_CTX_ERROR message is now gone and radiusd runs successfully. However it won't accept encrypted authentication requests:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to secureldapcentral.stvincents.com.au:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: could not set LDAP_OPT_X_TLS option Success
rlm_ldap: setting TLS CACert File to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: could not set LDAP_OPT_X_TLS_CACERTFILE option to certs/SVMHS_CA_SSL_Server.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU/abc123 to secureldapcentral.stvincents.com.au:636
rlm_ldap: waiting for bind result ...
rlm_ldap: ldap_result()
rlm_ldap: cn=freeradius,ou=services,ou=Darlinghurst,ou=NSW,o=SCHS,c=AU bind to secureldapcentral.stvincents.com.au:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed

I can authenticate to the ldap backend with an ldap client using port 636 but not with freeradius.

The complete -X output:

radius02:/etc/freeradius# radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Mar 16 2009 at 11:45:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/roles_search
including configuration file /etc/freeradius/modules/patient_search
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/people_search
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /etc
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/lib/freeradius
	radacctdir =