Re: How to prevent endless proxy looping

2009-03-17 Thread Alan DeKok
piston wrote:
> I have an endless proxy looping problem.

  You probably haven't had it for long.  If it's been looping packets
for a long time, you would have noticed.

> 1. problem username format: use...@my-realm@other-realm
> 2. on the freeradius, i proxy (nostrip) suffix @other-realm to partner's 
> radiator radius server
> 3. on my partner then proxy back (nostrip) the same username based on 
> @my-realm to my freeradius
> 4. so this username use...@my-realm@other-realm is bouncing in between my 
> radius and my partner's radius endlessly
> 5. both I & my partner cannot change the way we proxy, because it will impact 
> other proxies.

  Take a step back.  You have described a solution, not a problem.  Your
solution doesn't work, and therefore also doesn't solve the problem.

  So... what is the problem you are trying to solve?  Describe that.
Odds are that there is a solution that is *different* from what you
described above.  And, that solution will likely not have the endless
looping problem.

> Is there any parameter which i can configure to terminate such proxy 
> traffic?

  Don't configure it so that it loops.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply with group attribute

2009-03-17 Thread Markus Wernig



Alan DeKok wrote:
> Markus Wernig wrote:
>> Could not find a place where to initialise the passwd module.
>
>   You list it in the "authorize" section.

This led to errors (from memory: no config found for passwd module).
I then used the etc_group module from the example, listed _that_ in 
authorize - and all is well. Thank you very much!



Re: Reply with group attribute

2009-03-17 Thread Markus Wernig



t...@kalik.net wrote:
> Did you read rlm_passwd man page?
>
> It's "%{control:My-Group-Name}". Quotes, list and all.

Yes, that did it! Quotes were there, but the "control" list part wasn't.
Thank you for your help!

ps: It might be just me, but I was far from deducing that from the man 
page:  " ... The "control" list is the list of attributes maintained 
internally by the  server  that  controls how  the  server processes the 
request. ..." misled me totally.



DNS suffix, DNS servers

2009-03-17 Thread Markus Wernig

Hello again

Following up on the previous thread, I am looking for a possibility to 
assign different DNS servers and DNS suffixes to clients based on the 
Unix group they are in.
I have found the MS-Primary-DNS-Server and MS-Secondary-DNS-Server 
attributes, which I assume will control the client's DNS server 
assignment, but I can't make out which attribute might contain the DNS 
suffix the client will get sent. Is there any?


kind regards
Markus


Re: Logging the return code from the ldap authentication to SQL.

2009-03-17 Thread Alan DeKok
Augusto G. Andreollo wrote:
> I must've been doing something wrong.. When I erased everything and
> retyped it again, it's now returning OK as given.

  Weird... OK

> My problem now is that it only returns correctly when the module returns
> OK. If the LDAP returns anything else (fail, rejected, notfound), it
> just completely skips over the IFs block and goes straight to Post-Auth.
> Is that expected?

  Yes.

  In normal processing, failure means STOP.  Don't keep bugging other
modules with a request that failed.

  Alan DeKok.


Re: Modifying EAP Messages

2009-03-17 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Alan DeKok wrote:
> A magical check box appeared in the XP SP3 and Vista supplicant
> 'Enable Quarantine Checks'. It'd be a huge win if FR could expose
> these values so that they were usable for policy decisions.

  Yup.

> Hmm, could you sling it over my way as well. I'm interested to see
> what constitutes bad code in C.

  OK.

  There are *lots* of examples of bad C code... too many, in fact.

  Alan DeKok.


Re: EAP-TLS obtaining certificates email

2009-03-17 Thread Alan DeKok
Piotr Janusz wrote:
> I have used an outside certificate authority and have few clients that
> have the certificates' subject similar to:
> E = user-n...@domain.tld
> CN = Some-constant-text
> 
> CN is constant on all certificates.
> Freeradius gets the User-name attribute set to CN.
> 
> Any way to substitute the User-name attribute with the email?
> 
> Or have it at least logged with other attributes in detailed log?

  Not really.  The server requires code patches to look inside of the
certificates.

  Alan DeKok.


Re: LDAP Config Clarification

2009-03-17 Thread Alan DeKok
Jason Frisvold wrote:
>   I recently set up a new freeradius installation for VPN authentication.
>  This is my first foray into using the LDAP module and, while I am
> successfully authenticating, I want to make sure that my config is both
> correct and streamlined.  I am seeing a few failed authentications due
> to loss of LDAP connections, so I'm also trying to identify where that
> problem exists.

  Likely because the LDAP connections time out, and are closed.

>   The radius server is currently very low use, handling only a few
> requests an hour.  This may increase later on, but I don't see it having
> to handle more than a few requests per minute.  However, I would like to
> make sure those requests are handled efficiently and quickly.

  Yes... that little traffic will result in LDAP connection timeouts.

> In our users file, we have the following :
> 
> DEFAULT Auth-Type := Reject
> Fall-Through = 1

  Huh?  Why?

> DEFAULT Ldap-Group == "cn=vpn,ou=groups,o=myorg", Auth-Type := Accept
> Fall-Through = 1

  Do you really want to accept these users without checking their
passwords?  That's a *very* bad idea.

> I was able to get this to work, but it appears that every group is
> scanned to find the user rather than merely using the memberOf attribute
> in the main LDAP record.  Is there a way to trigger on that rather than
> scanning the groups?

  The group membership configurations should ensure that it's using the
memberOf attribute.

> In the main radius config, can I remove all of the unused modules?  I
> don't believe we're using PAP/CHAP/MS-CHAP at all, nor are we using the
> unix passwd file or EAP.  Those can all be commented out to save
> time/resources, correct?

  Why are you not checking passwords?  That's a bad idea...

  If you don't use a module, you can delete all references to it.  It
will make some *minor* difference in performance.  But if you're getting
a few requests a minute, that difference will be minuscule.

  Alan DeKok.


Re: Some help with the Users file

2009-03-17 Thread Alan DeKok
Josh Hiner wrote:
> I want to make it so that users who use eap-peapv0 have to be in the
> wireless group to logon. I have this set in the users file:
> DEFAULT Called-Station-Id =~ "CCISD-REMC1", Group != "wireless", Auth-Type := Reject
> 
> This works great buuut I have successfully setup eap-tls. What is the
> appropriate way to continue to limit users to be in the wireless group
> to connect?

  The above "users" file entry should be a good start.

> I have the common name of the certificate set to the users login so if a
> user logs in with the username "josh" then that is the common name of
> the certificate. Will Freeradius use this same username to check against
> the wireless group?

  It will use the User-Name in the Access-Request packet.

  Alan DeKok.


Re: Radius and performance

2009-03-17 Thread tnt
>Are you using interim updates?

No. This is ordinary dial-up.

>If yes, is there any special method to
>make it more efficient? On a DSL environment where users are mostly
>auto-connect (i.e. modem redials automatically when disconnected)
>interim updates seems to contribute most load.

Do all updates come at the same time? buffered-sql and similar virtual
servers are designed for that. default will reply to the NAS instantly
and then pass on the request to buffered-sql to process the requests at
its own pace. That will even the load.

Ivan Kalik
Kalik Informatika ISP



Re: DNS suffix, DNS servers

2009-03-17 Thread Alan DeKok
Markus Wernig wrote:
> Following up on the previous thread, I am looking for a possibility to
> assign different DNS servers and DNS suffixes to clients based on the
> Unix group they are in.

  A different question is: Will the NAS do anything with these attributes?

  The usual answer is... no.

> I have found the MS-Primary-DNS-Server and MS-Secondary-DNS-Server
> attribute, which I assume will control the client's DNS server
> assignment, but I can't make out which attribute might contain the DNS
> suffix the client will get sent. Is there any?

  Read the NAS documentation to see if it can assign DNS servers via
RADIUS.  If the documentation doesn't say it *is* possible, then you
cannot do it.

  Alan DeKok.


Re: Cannot authenticate using PEAPv0 and Windows XP SP3 native supplicant

2009-03-17 Thread tnt
>I spent 3 weeks trying to make FreeRadius work with PEAPv0 and WinXP SP3
>native supplicant. I can authenticate using local flat file or ntlm_auth but
>authentication from WinXP doesn't work.
>
>++[mschap] returns ok
>MSCHAP Success
>++[eap] returns handled
>} # server inner-tunnel
>[peap] Got tunneled reply code 11
> Session-Timeout = 3600
> EAP-Message =
>0x010900331a0308002e533d44433931383941374635313542394346464639383937373438323335334139383045384331343134
> Message-Authenticator = 0x
> State = 0x8514698c841d73de6383db5f8319a5b1
>[peap] Got tunneled reply RADIUS code 11
> Session-Timeout = 3600
> EAP-Message =
>0x010900331a0308002e533d44433931383941374635313542394346464639383937373438323335334139383045384331343134
> Message-Authenticator = 0x
> State = 0x8514698c841d73de6383db5f8319a5b1
>[peap] Got tunneled Access-Challenge
>++[eap] returns handled
>Sending Access-Challenge of id 160 to 10.112.250.68 port 1645
> EAP-Message =
>0x0109004a1900170301003f6145ec30002debef77be6fabe99fbe76b3510591ae8dfd4bb27523dbefd8970ce673f9bcd55ac41603f5163ef61aaba69c074a5cb60d0c7b9c23856fe47a96
> Message-Authenticator = 0x
> State = 0xcdfe2065caf73973f250f474980ad2ad
>Finished request 7.
>Going to the next request
>Waking up in 4.9 seconds.

ntlm_auth authenticates the user but the exchange can't complete after that.
This was noted previously on the list. Most people resolved this by
reverting to a stable Samba version. Samba 3.2.x seems to be the problem.

Ivan Kalik
Kalik Informatika ISP



FreeRadius with Postgresql

2009-03-17 Thread Sunday Olutayo
Please link me to a resources on how to make FreeRadius to work with postgreSQL 
on Ubuntu 8.04 LTS?


Re: FreeRadius with Postgresql

2009-03-17 Thread tnt
>Please link me to a resources on how to make FreeRadius to work with 
>postgreSQL on Ubuntu 8.04 LTS?

You configure raddb/sql.conf. And create the database with scripts in
raddb/sql/postgresql/. Then uncomment sql where you need it (authorize,
accounting, session, ...) in raddb/sites-enabled/default.

http://wiki.freeradius.org/SQL_HOWTO

Ivan Kalik
Kalik Informatika ISP



Re: FreeRadius with Postgresql

2009-03-17 Thread phil lemelin
> Please link me to a resources on how to make FreeRadius to work with
> postgreSQL on Ubuntu 8.04 LTS?
>
>
> You configure raddb/sql.conf. And create the database with scripts in
> raddb/sql/postgresql/. Then uncomment sql where you need it (authorize,
> accounting, session, ...) in raddb/sites-enabled/default.
>
> http://wiki.freeradius.org/SQL_HOWTO
>
> Ivan Kalik
> Kalik Informatika ISP
>

I am currently looking into testing freeradius and started reading a couple
of wiki/doc/man pages on the subject and ended on that SQL_HOWTO page. One
of the prerequisites is to already have the NAS configured. Do you have any
suggestion for a NAS running on a linux box ?

Thank you.

-- 
Philippe-Alexandre Lemelin

Re: Radius and performance

2009-03-17 Thread Fajar A. Nugraha
On Tue, Mar 17, 2009 at 5:39 PM,   wrote:
>>On a DSL environment where users are mostly
>>auto-connect (i.e. modem redials automatically when disconnected)
>>interim updates seems to contribute most load.
>
> Do all updates come at the same time? buffered-sql and similar virtual
> servers are designed for that. default will reply to the NAS instantly
> and then pass on the request to buffered-sql to process the requests at
> its own pace. That will even the load.
>


> Ivan Kalik
> Kalik Informatika ISP
>

How does buffered-sql read the detail file? I see

filename = ${radacctdir}/detail

but it does not show (for example) what happens when freeradius is
stopped and restarted before all entries in the detail file are processed:
does it re-process everything, or does it ignore everything and only
process the "new" detail log?

Regards,

Fajar


Re: FreeRadius with Postgresql

2009-03-17 Thread tnt
>I am currently looking into testing freeradius and started reading a couple
>of wiki/doc/man pages on the subject and ended on that SQL_HOWTO page. One
>of the prerequisite is to already have the NAS configured. Do you have any
>suggestion for a NAS running on a linux box ?

radtest is installed together with the server.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRadius with Postgresql

2009-03-17 Thread A . L . M . Buxey
Hi,
> Please link me to a resources on how to make FreeRadius to work with 
> postgreSQL on Ubuntu 8.04 LTS?

follow the usual MySQL/SQL stuff - just use postgres instead - 

ie

1) install postgres
2) configure postgres
3) install FreeRADIUS with postgres support
4) configure FreeRADIUS

part 4 will need the SQL tables etc as supplied in the freeradius source
to populate the DB. you will then need to configure a suitable user access
rule for your chosen DB user (in usual postgres way). then edit the sql.conf
file etc to call postgres module. edit postgres files (eg dialup.conf) with
correct user/pass/table details

alan
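The four steps Alan Buxey lists, together with the sql.conf and raddb/sql/postgresql/ pointers Ivan gives earlier in the thread, carried through as an added example. This is not configuration from the thread or from the stock raddb; the role name, database name and password are placeholders, the paths assume the Ubuntu 8.04 package layout (FreeRADIUS 2.0.x under /etc/freeradius/, with the freeradius-postgresql package supplying the driver for step 3), and the least-privilege role and pg_hba.conf rule are the "suitable user access rule" done the way a security engineer would want it:

```conf
# ==== shell, as the postgres superuser (added example; "radius" as
# role and database name is a placeholder, as is the password) ====
#
#   createuser --no-superuser --no-createdb --no-createrole --pwprompt radius
#   createdb --owner=radius radius
#   psql -U radius -d radius -f /etc/freeradius/sql/postgresql/schema.sql
#
# The role owns only its own database and has none of the SUPERUSER /
# CREATEDB / CREATEROLE bits, so whatever the RADIUS server can do to
# the database is confined to the radius tables.
#
# ==== pg_hba.conf: admit that role only from the RADIUS host itself,
# and only with a password, never "trust" ====
#
#   host    radius    radius    127.0.0.1/32    md5
#
# ==== /etc/freeradius/sql.conf ====
sql {
	# Selects rlm_sql_postgresql and sql/postgresql/dialup.conf below
	database = "postgresql"
	driver = "rlm_sql_${database}"

	server = "localhost"
	login = "radius"
	password = "CHANGE-ME"		# the password given to createuser --pwprompt
	radius_db = "radius"

	acct_table1 = "radacct"
	acct_table2 = "radacct"
	postauth_table = "radpostauth"
	authcheck_table = "radcheck"
	authreply_table = "radreply"
	groupcheck_table = "radgroupcheck"
	groupreply_table = "radgroupreply"
	usergroup_table = "radusergroup"

	# NAS clients stay in clients.conf unless the nas table is populated
	readclients = no

	# The postgres-specific queries shipped with the server
	$INCLUDE sql/${database}/dialup.conf
}

# Finally uncomment "sql" in the authorize and accounting sections of
# sites-enabled/default, as Ivan describes, and restart the server.
```

Run `freeradius -X` once afterwards: the debug output shows rlm_sql_postgresql opening its connections at start-up, and a connection refused by pg_hba.conf or a wrong password is reported there before any NAS traffic arrives.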


Re: Radius and performance

2009-03-17 Thread A . L . M . Buxey
Hi,

> but it does not show (for example) what happens when freeradius is
> stopped and restarted before all entries in the detail file are processed:
> does it re-process everything, or does it ignore everything and only
> process the "new" detail log?

if you run it, you'll see what it does and how it does it.
data is appended until the detail module has dealt with it - ie nothing is
lost from the detail file when stopping/starting the server

alan


Re: FreeRadius with Postgresql

2009-03-17 Thread Marinko Tarlac
Please come back later and tell us your experience with postgre.. :)

On Tue, Mar 17, 2009 at 12:34 PM,  wrote:

> >I am currently looking into testing freeradius and started reading a
> couple
> >of wiki/doc/man pages on the subject and ended on that SQL_HOWTO page. One
> >of the prerequisite is to already have the NAS configured. Do you have any
> >suggestion for a NAS running on a linux box ?
>
> radtest is installed together with the server.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: Radius and performance

2009-03-17 Thread tnt
>How does buffered-sql read the detail file? I see
>
>filename = ${radacctdir}/detail
>
>but it does not show (for example) what happens when freeradius is
>stopped and restarted before all entries in the detail file are processed:
>does it re-process everything, or does it ignore everything and only
>process the "new" detail log?
>

It renames detail to detail.work and processes that file while the server
writes new requests to detail. When it's done processing detail.work it
renames detail again etc. Restarting the server doesn't wipe out detail
or detail.work.

Ivan Kalik
Kalik Informatika ISP



Re: Radius and performance

2009-03-17 Thread Marinko Tarlac
Sorry for bothering but what if detail file is on daily basis ...
detail-20090101 for example...

On Tue, Mar 17, 2009 at 12:43 PM,  wrote:

> >How does buffered-sql read the detail file? I see
> >
> >filename = ${radacctdir}/detail
> >
> >but it does not show (for example) what happens when freeradius is
> >stopped and restarted before all entries in the detail file are processed:
> >does it re-process everything, or does it ignore everything and only
> >process the "new" detail log?
> >
>
> It renames detail to detail.work and processes that file while the server
> writes new requests to detail. When it's done processing detail.work it
> renames detail again etc. Restarting the server doesn't wipe out detail
> or detail.work.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: Radius and performance

2009-03-17 Thread tnt
>Sorry for bothering but what if detail file is on daily basis ...
>detail-20090101 for example...
>

If you want to keep daily detail file then create two detail instances -
one that is rotated daily and one that writes to a file with constant
name. Point detail reader to one with the constant name. That file is
deleted as buffered-sql processes it so there will be no record in files
as records are inserted in sql.

Ivan Kalik
Kalik Informatika ISP



Re: Radius and performance

2009-03-17 Thread A . L . M . Buxey
Hi,

> >Sorry for bothering but what if detail file is on daily basis ...
> >detail-20090101 for example...

As Ivan says - if you are using buffered-sql and taking in that detail
file, then there will be nothing to rotate or deal with - everything
that is currently in the detail file gets slurped into the SQL

alan
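The two-instance arrangement Ivan describes above (one rotated daily detail file to keep, one constant-name file that buffered-sql drains), written out as an added example. It is not configuration from the thread or from the stock raddb; it assumes FreeRADIUS 2.1.x, where the detail module options are spelled detailfile and detailperm, the buffered-sql virtual server that ships with that version, and the default ${radacctdir}:

```conf
# ==== raddb/modules/detail  (added example, FreeRADIUS 2.1.x option
# names; directory layout is the stock default) ====

# 1. The archive copy: one file per NAS per day.  Nothing reads this
#    file back, so rotating or compressing old ones is harmless.
detail detail_daily {
	detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
	detailperm = 0600
	header = "%t"
}

# 2. The queue for the SQL writer: a single file with a CONSTANT name.
#    The detail listener below renames it to detail.work, drains it
#    into SQL and deletes it, so nothing else (no logrotate rule, no
#    cron job) may rename, rotate or truncate this file.
detail detail_buffered {
	detailfile = ${radacctdir}/detail
	detailperm = 0600
	header = "%t"
}

# ==== raddb/sites-enabled/default  (accounting section; preprocess,
# acct_unique and the other stock entries stay where they are) ====
# The NAS gets its Accounting-Response as soon as both files are
# written.  sql is deliberately NOT called here, so a slow or down
# database cannot make the NAS retransmit or drop accounting.
accounting {
	detail_daily		# archive copy, rotated by date
	detail_buffered		# queue for the buffered-sql server below
}

# ==== raddb/sites-enabled/buffered-sql ====
# Reads ${radacctdir}/detail at its own pace.  On start-up a detail.work
# left over from an interrupted run is processed before a fresh detail
# is renamed, so a restart loses nothing that was already queued.
server buffered-sql {
	listen {
		type = detail
		filename = ${radacctdir}/detail
		load_factor = 10
	}
	accounting {
		sql
	}
}
```

To see the mechanics Ivan describes, watch ${radacctdir} while accounting arrives: detail grows, then disappears as it is renamed to detail.work, which shrinks to nothing as rows appear in radacct, while the dated archive file only ever grows.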


Re: Cannot authenticate using PEAPv0 and Windows XP SP3 native supplicant

2009-03-17 Thread Mateusz Pagacz

> ntlm_auth authenticates the user but the exchange can't complete after that.
> This was noted previously on the list. Most people resolved this by
> reverting to a stable Samba version. Samba 3.2.x seems to be the problem.


Hi,
Downgrade to 3.0.28 helped!

Thanks,
Mateusz




Relaying of accounting requests between Freeradius servers

2009-03-17 Thread Patric

Greetings list,

I have finally been able to upgrade my secondary freeradius server to 
2.1.3 and I must commend everyone on their hard work, the changes are 
great :)


I am having some trouble but would like to clarify my understanding 
before posting all my problem details in case I have misunderstood 
something.
My question is independent of server or platform version and addresses 
the fundamental mechanics of the relaying process.


I am using a virtual server setup to proxy accounting requests between 2 
servers for mirroring purposes.


As I understand the process server 1 receives an accounting request, 
which it will process according to its accounting section (in my case 
inserted into a table via the sql module).
If successful, it will then proxy the request to server 2, which will 
also process it according to its own accounting section.
Server 2 will then attempt to proxy the request to server 1 as per its 
proxy configuration, but will fail on a duplicate record, which will 
stop duplication from occurring.


Is my understanding in this correct, that server 1 will send the request 
to server 2, and server 2 will try to send it to server 1 again but will 
fail with a duplication error?



Many thanks
Patric


Re: Relaying of accounting requests between Freeradius servers

2009-03-17 Thread A . L . M . Buxey
Hi,

> I have finally been able to upgrade my secondary freeradius server to  
> 2.1.3 and I must commend everyone on their hard work, the changes are  
> great :)

any reason why not 2.1.4 ? :-)

> Is my understanding in this correct, that server 1 will send the request  
> to server 2, and server 2 will try to send it to server 1 again but will  
> fail with a duplication error?

it should refuse/ignore a packet it's seen before..

alan


Re: LDAP Config Clarification

2009-03-17 Thread Jason Frisvold

On Mar 17, 2009, at 5:37 AM, Alan DeKok wrote:

>   Likely because the LDAP connections time out, and are closed.
>
>   Yes... that little traffic will result in LDAP connection timeouts.

Hrm...Ok, I can accept that.  Is there a way to force a keepalive  
or something?

>> In our users file, we have the following :
>>
>> DEFAULT Auth-Type := Reject
>>    Fall-Through = 1
>
>   Huh?  Why?

I *thought* this was required, but apparently not?

>   Do you really want to accept these users without checking their
> passwords?  That's a *very* bad idea.

I agree.  What am I missing?  I thought the user passwords were  
checked by the ldap module via the authentication section.  Is that  
not correct?

>   The group membership configurations should ensure that it's using the
> memberOf attribute.

Can you give me an example please?  I'm not sure I understand...

>   Why are you not checking passwords?  That's a bad idea...

I thought I was...  Do I need more than this?

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

>   If you don't use a module, you can delete all references to it.  It
> will make some *minor* difference in performance.  But if you're
> getting a few requests a minute, that difference will be minuscule.

It's more of a "don't use it if you don't need it" philosophy,  
really..  Cleans up debug output too, when I'm trying to figure out  
what's going on ..

>   Alan DeKok.

Thanks for the help!

--
Jason 'XenoPhage' Frisvold
xenopha...@gmail.com
http://blog.godshell.com

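One way to answer the two questions Jason asks above (an example of the group check, and whether the authenticate section alone is enough), as an added example that is not from the thread and not the FreeRADIUS project's stock configuration. It keeps the group DN from the original post and assumes FreeRADIUS 2.x with the ldap module listed in authorize and left at its default set_auth_type = yes. The point is that the Unix-group idiom Josh uses elsewhere on this page (Group != "wireless", Auth-Type := Reject) carries over to Ldap-Group, so membership is enforced by the files module while the password is still verified by the LDAP bind, and the Auth-Type := Accept entry that Alan objects to disappears:

```conf
# ==== raddb/users  (added example; the group DN is the one from the
# thread, the Reply-Message text is made up) ====

# Non-members are rejected outright.  Ldap-Group is the check item that
# rlm_ldap registers, and "!=" on it is evaluated the same way as the
# "Group != ..." check on a Unix group.  There is no Fall-Through, so
# processing stops here for anyone who is not in the group (including
# users the directory has never heard of).
DEFAULT	Ldap-Group != "cn=vpn,ou=groups,o=myorg", Auth-Type := Reject
	Reply-Message = "Not a member of the VPN group"

# Deliberately NO "Auth-Type := Accept" entry.  Group members match
# nothing in this file and reach the ldap module in authorize, which
# sets Auth-Type := LDAP only when no other module has already claimed
# the request.  Accept or reject is then decided by a bind to the
# directory as the user, i.e. by the password, not by this file.

# ==== raddb/sites-enabled/default  (only the lines that matter here;
# the other stock entries in both sections are assumed unchanged) ====
authorize {
	preprocess
	files		# evaluates the users file above
	ldap		# finds the user and sets Auth-Type := LDAP
}

authenticate {
	Auth-Type LDAP {
		ldap	# binds as the user: this is where the password is checked
	}
}
```

A quick check that passwords are now really verified: run radtest twice for one group member, once with the right password and once with a deliberately wrong one (radtest <user> <password> localhost 0 <shared-secret>). With the original Auth-Type := Accept entry both attempts come back Access-Accept; with this file only the first does, and `freeradius -X` shows the second being rejected by the ldap bind rather than by the users file.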


Re: Relaying of accounting requests between Freeradius servers

2009-03-17 Thread tnt
>I have finally been able to upgrade my secondary freeradius server to
>2.1.3 and I must commend everyone on their hard work, the changes are
>great :)
>
>I am having some trouble but would like to clarify my understanding
>before posting all my problem details in case I have misunderstood
>something.
>My question is independent of server or platform version and addresses
>the fundamental mechanics of the relaying process.
>
>I am using a virtual server setup to proxy accounting requests between 2
>servers for mirroring purposes.
>
>As I understand the process server 1 receives an accounting request,
>which it will process according to its accounting section (in my case
>inserted into a table via the sql module).
>If successful, it will then proxy the request to server 2, which will
>also process it according to its own accounting section.
>Server 2 will then attempt to proxy the request to server 1 as per its
>proxy configuration, but will fail on a duplicate record, which will
>stop duplication from occuring.

Configure server 2 *not* to proxy requests coming from server 1 back to
it. And server 1 not to proxy requests coming from server 2 back to it.
There is no reason to send them back.

if (NAS-IP-Address != server1) {
    update control {
        Proxy-To-Realm := server1
    }
}

Ivan Kalik
Kalik Informatika ISP



Re: Relaying of accounting requests between Freeradius servers

2009-03-17 Thread John Dennis

a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> I have finally been able to upgrade my secondary freeradius server to  
>> 2.1.3 and I must commend everyone on their hard work, the changes are  
>> great :)
>
> any reason why not 2.1.4 ? :-)

Because there isn't a valid 2.1.4 tar file? Which leads me to the 
question what's happening with it? The 2.1.4 file that's currently on 
the download server has a VERSION file specifying 2.1.5. So we either 
need a 2.1.5 tar file or a 2.1.4 tar file with a 2.1.4 VERSION file. 
Hopefully the 2.1.4 tar file that's there now has the 2.1.4 build fixes 
which were reported (I think it does).


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Relaying of accounting requests between Freeradius servers

2009-03-17 Thread Patric

Fantastic Ivan, thats exactly what I was heading towards :)
Let me try this and see if my root problem is resolved!

Thanks

> Configure server 2 *not* to proxy requests coming from server 1 back to
> it. And server 1 not to proxy requests coming from server 2 back to it.
> There is no reason to send them back.
>
> if (NAS-IP-Address != server1) {
>     update control {
>         Proxy-To-Realm := server1
>     }
> }
>
> Ivan Kalik
> Kalik Informatika ISP



Re: Relaying of accounting requests between Freeradius servers

2009-03-17 Thread Alan DeKok
John Dennis wrote:
> Because there isn't a valid 2.1.4 tar file? Which leads me to the
> question what's happening with it? The 2.1.4 file that's currently on
> the download server has a VERSION file specifying 2.1.5. So we've either
> need a 2.1.5 tar file or a 2.1.4 tar file with a 2.1.4 VERSION file.
> Hopefully the 2.1.4 tar file that's there now has the 2.1.4 build fixes
> which were reported (I think it does).

  Give me a day or so and I'll release 2.1.5, with some other fixes.

  I've also started a "continuous integration" test system on
git.freeradius.org.  It's not public because it's still a hack.  But I
can now easily test the build process, and quickly release a "pre"
version for people to use.

  Alan DeKok.


Re: Logging the return code from the ldap authentication to SQL.

2009-03-17 Thread Augusto G. Andreollo
On Tue, 2009-03-17 at 10:11 +0100, Alan DeKok wrote:

> > My problem now is that it only returns correctly when the module returns
> > OK. If the LDAP returns anything else (fail, rejected, notfound), it
> > just completely skips over the IFs block and goes straight to Post-Auth.
> > Is that expected?
> 
>   Yes.
> 
>   In normal processing, failure means STOP.  Don't keep bugging other
> modules with a request that failed.

Hmm.. thing is, the post-auth sql query is already being processed, to
log the Access-Reject.. Is there any other way I could extract the
rejection reason from the LDAP module, to add to this query?

Thanks
-- 
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
--  "Wit beyond measure is men's greatest treasure."



strange problem with version 2.1.4

2009-03-17 Thread Fernando

Hi all,

Since several months ago, I've been developing two new freeradius 
modules, a non-eap module and a EAP module.  I made my development in 
Freeradius 2.0.2 and all work fine, today I've decided to migrate my 
modules to the new Freeradius version 2.1.4, no problems with the 
migration. Compilation and installation successfully.


After the installation, I ran my modules but a strange error has appeared. 
If I run my non-EAP module without loading my EAP module it works fine, 
but if I load my EAP module the non-EAP module crashes, showing this 
message:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1212175680 (LWP 19702)]
0xb7c781ec in ?? () from /lib/tls/i686/cmov/libc.so.6

So, I don't know what is happening. The EAP module works properly with 
the non-EAP module loaded. The modules have no dependencies on each 
other.


What could be happening? Why does the non-EAP module crash in libc.so.6 
when the EAP module is loaded? Any ideas?


In freeradius 2.0.2 it works perfectly. Why does it fail in 2.1.4?


[no subject]

2009-03-17 Thread ahmed adel
Dear All
   I hope anyone can help me with these errors I have in the
radius.log file:

Error: rlm_sql_getvpdata: database query error
Error: rlm_sql (sql): SQL query error; rejecting user
Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record -
0


I am using freeradius 1.1.7 with freetds and MSSQL 2005 as the
backend database, the radius receives interim accounting update packets
to calculate users' utilized bandwidth and the data is inserted into the
MSSQL database using SQL Procedures.

Does anyone know what may cause these errors to occur, note that
when I run radius -X most of the update statements return with status
ok and for the statements that return with this error, they run fine
from the MSSQL console.

Thanks in advance
Ahmed Adel



Re: strange problem with version 2.1.4

2009-03-17 Thread Alan DeKok
Fernando wrote:
> After the installation, I ran my modules but a strange error has appeared.
> If I run my non-EAP module without loading my EAP module it works fine,
> but if I load my EAP module the non-EAP module crashes, showing this
> message:
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1212175680 (LWP 19702)]
> 0xb7c781ec in ?? () from /lib/tls/i686/cmov/libc.so.6

  Did you re-build your module when you installed the latest source code?

  Also... doc/bugs contains an excellent description of how to track
down the source of these problems.

  Alan DeKok.


Re: Logging the return code from the ldap authentication to SQL.

2009-03-17 Thread Alan DeKok
Augusto G. Andreollo wrote:
> Hmm.. thing is, the post-auth sql query is already being processed, to
> log the Access-Reject.. 

  Yes.. I know.  But the return code from the LDAP module in the
*authorize* section is lost by then.

> Is there any other way I could extract the
> rejection reason from the LDAP module, to add to this query?

  It's not in the LDAP module.

  See src/main/modcall.c for the code that handles calling modules, and
the return codes.  If you really need this functionality, send a patch.

  Alan DeKok.


Re: strange problem with version 2.1.4

2009-03-17 Thread Fernando

Alan DeKok wrote:
> Fernando wrote:
>> After the installation, I run my modules but a strange error has appeared.
>> If I run my non-EAP module without loading my EAP module it works fine,
>> but if I load my EAP module the non-EAP module crashes. Showing this
>> message:
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread -1212175680 (LWP 19702)]
>> 0xb7c781ec in ?? () from /lib/tls/i686/cmov/libc.so.6
>
>   Did you re-build your module when you installed the latest source code?

Yes, I did it.  I copied the source code of the modules in the new
Freeradius version, and I re-built it.

>   Also... doc/bugs contains an excellent description of how to track
> down the source of these problems.

Ok, I'll read it.

>   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Accounting error

2009-03-17 Thread tnt
>   I hope anyone can help me with these errors I have in the
>radius.log file:
>
>Error: rlm_sql_getvpdata: database query error
>Error: rlm_sql (sql): SQL query error; rejecting user
>Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record -
>0
>
>
>I am using freeradius 1.1.7 with freetds and MSSQL 2005 as the
>backend database, the radius receives interim accounting update packets
>to calculate users' utilized bandwidth and the data is inserted into the
>MSSQL database using SQL Procedures.
>
>Does anyone know what may cause these errors to occur? Note that
>when I run radius -X most of the update statements return with status
>ok, and the statements that return with this error run fine
>from the MSSQL console.
>

Post the radiusd -X output showing those errors.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Modifying EAP Messages

2009-03-17 Thread Jouni Malinen
On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell wrote:
> A magical check box appeared in the XP SP3 and Vista supplicant
> 'Enable Quarantine Checks'. It'd be a huge win if FR could expose
> these values so that they were usable for policy decisions.

This requires a bit more than just minor changes in parsing additional
data and making it available. The PEAP server will need to ask the
PEAP peer to start SoH to get the extra data. This needs at least
minimal functionality to support a sequence of EAP methods inside the
PEAP tunnel, but with that done, you should be able to process the SoH
TLVs in FreeRADIUS.

There is a specification available for all the needed functionality and
you should be able to find example code on how to do this in hostapd
(it has experimental support for SoH and it dumps the TLVs received
from the client in debug info if you want to run a quick test to see
what data is available).

- Jouni
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 Failure

2009-03-17 Thread Mike Diggins


I've made no progress in finding a solution to my MSCHAP problem. To 
summarize, Winbind and FreeRadius authenticate via PAP fine on both 
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I 
tried tar'ing up the entire /etc/raddb directory and copied it to the 
other machine, but it still fails. I also rejoined the Windows domain, but 
nothing is working. Does MSCHAP have any other dependency on the system, 
that PAP doesn't? I don't know where else to look.


-Mike

On Mon, 16 Mar 2009, Mike Diggins wrote:

> I configured what I thought were two identical FreeRadius 2.1.3 servers. I'm
> attempting to do MS-CHAP2 authentication on both, one is working, the other
> is not. For the life of me I can't find any difference in their
> configuration.
>
> On my client, I switch the host name between the two servers, everything else
> stays the same. One works, one fails, and I don't know why. Below is the
> debug output for both the failure and success. PAP authentication works fine
> on both with the same id. What the heck have I missed?
>
> This is the one that fails:
>
> rad_recv: Access-Request packet from host 192.168.2.15 port 2357, id=26, length=127
> NAS-Identifier = "test-cam1"
> NAS-IP-Address = 192.168.2.15
> MS-CHAP-Challenge = 0xbd4261d677c0d793ee781d7a032218df
> MS-CHAP2-Response = 0xa300ac9567587df3e83b3799dc49a53f43307e0e6320a093349fbd0afc94436ed32e1258e26c5463147b
> User-Name = "test26"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "test26", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 5
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for test26 with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect: [test26] (from client 192.168.2.15 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> test26
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 7 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 7
> Sending Access-Reject of id 26 to 192.168.2.15 port 2357
> Waking up in 4.9 seconds.
> Cleaning up request 7 ID 26 with timestamp +1885
> Ready to process requests.
>
> This one works:
>
> rad_recv: Access-Request packet from host 192.168.2.15 port 2358, id=115, length=127
> NAS-Identifier = "test-cam1"
> NAS-IP-Address = 192.168.2.15
> MS-CHAP-Challenge = 0xfdd0ccd7059225f80093cea2929eb415
> MS-CHAP2-Response = 0x780017ff811e7761fc6bd332fb45f4f6b3f5b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
> User-Name = "test26"
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> [suffix] No '@' in User-Name = "test26", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 5
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for test26 with NT-Password
> [mschap]expand: --username=%{mschap:User-Name:-None} -> --username=test26
> [mschap] No NT-Domain was found in the User-Name.
> [mschap]expand: --domain=%{mschap:NT-Domain:-ap1} -> --domain=ap1
> [mschap]  mschap2: fd
> [mschap]expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc26ba941d6d9678
> [mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b6834efb6626804caf2aa055c5a157851e9bc927698cf23f
> Exec-Program output: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
> Exec-Program-Wait: plaintext: NT_KEY: D3D489B13ACA7C5E93887C212EFCCB0B
> Exec-Program: returned: 0
> ++[mschap] re

Re: LDAP Config Clarification

2009-03-17 Thread tnt
>>  Do you really want to accept these users without checking their
>> passwords?  That's a *very* bad idea.
>
>I agree.  What am I missing?  I thought the user passwords were
>checked by the ldap module via the authentication section.  Is that
>not correct?
>

Remove those entries in users file. They are bypassing password checking.
If you want to accept only some ldap groups use unlang. Something like:

if(Ldap-Group == something || Ldap-Group == something_else) {
 ok
}
else {
 update control {
  Auth-Type := Reject
 }
}

>>  The group membership configurations should ensure that it's using the
>> memberOf attribute.
>
>Can you give me an example please?  I'm not sure I understand...
>

Example is the default group membership query in raddb/modules/ldap.

>>  Why are you not checking passwords?  That's a bad idea...
>
>I thought I was...  Do I need more than this?
>
>authenticate {
>   Auth-Type LDAP {
>  ldap
>   }
>}

Yes. Auth-Type LDAP needs to be set. If you force Auth-Type Accept in
users file this will never be used.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 Failure

2009-03-17 Thread tnt
>I've made no progress in finding a solution to my MSCHAP problem. To
>summarize, Winbind and FreeRadius authenticate via PAP fine on both
>servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
>tried tar'ing up the entire /etc/raddb directory and copied it to the
>other machine, but it still fails. I also rejoined the Windows domain, but
>nothing is working. Does MSCHAP have any other dependency on the system,
>that PAP doesn't? I don't know where else to look.
>

In raddb/modules/mschap on the first system, the ntlm_auth line is still
commented out. It's enabled on the second server.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 Failure

2009-03-17 Thread A . L . M . Buxey
Hi,

> I've made no progress in finding a solution to my MSCHAP problem. To  
> summarize, Winbind and FreeRadius authenticate via PAP fine on both  
> servers (RedHat V5), but MSCHAP fails on one of the two (see below). I  
> tried tar'ing up the entire /etc/raddb directory and copied it to the  
> other machine, but it still fails. I also rejoined the Windows domain, 
> but nothing is working. Does MSCHAP have any other dependency on the 
> system, that PAP doesn't? I don't know where else to look.

/etc/krb5.conf ?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 Failure

2009-03-17 Thread Mike Diggins


On Tue, 17 Mar 2009, t...@kalik.net wrote:

>> I've made no progress in finding a solution to my MSCHAP problem. To
>> summarize, Winbind and FreeRadius authenticate via PAP fine on both
>> servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
>> tried tar'ing up the entire /etc/raddb directory and copied it to the
>> other machine, but it still fails. I also rejoined the Windows domain, but
>> nothing is working. Does MSCHAP have any other dependency on the system,
>> that PAP doesn't? I don't know where else to look.
>
> In raddb/modules/mschap on the first system, the ntlm_auth line is still
> commented out. It's enabled on the second server.

No, it's there and uncommented on both. In fact I blew away the entire
/etc/raddb directory on the failing server, and replaced it with the
contents of /etc/raddb from the working one, so the configs have to be
identical, right?


-Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 Failure

2009-03-17 Thread Mike Diggins


On Tue, 17 Mar 2009, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> I've made no progress in finding a solution to my MSCHAP problem. To
>> summarize, Winbind and FreeRadius authenticate via PAP fine on both
>> servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
>> tried tar'ing up the entire /etc/raddb directory and copied it to the
>> other machine, but it still fails. I also rejoined the Windows domain,
>> but nothing is working. Does MSCHAP have any other dependency on the
>> system, that PAP doesn't? I don't know where else to look.
>
> /etc/krb5.conf ?

I didn't change the configuration on this file on either system, and both
are identical.


-Mike


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Storing hashes in MySQL when using MS_CHAP

2009-03-17 Thread Yuriy Grishin

Hello,

   I'm trying to conceal plain-text passwords from my radius.radcheck
database so that it'll be useless if it's stolen.
My config is FreeBSD 7.0 + FreeRadius1.1.7 + mpd4 + MySQL-5.0.67
(windowsXP and Vista Clients)
Well, I found a solution here
http://www.usenet-forums.com/freeradius-users/280602-re-freeradius-mysql-crypt-passwrd-radcheck-table.html
written by Alan DeKok.

But I haven't got it working.
radcheck was :

+----+----------+----------------------+----+---------------------------------------+
| id | UserName | Attribute            | op | Value                                 |
+----+----------+----------------------+----+---------------------------------------+
|  1 | user1    | Password-With-Header | := | {md5}c4ca4238a0b923820dcc509a6f75849b |
+----+----------+----------------------+----+---------------------------------------+

and radius -X said :

rlm_sql (sql): Released sql socket id: 4
 modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
 modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
 rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
 rlm_chap: login attempt by "user1" with CHAP password
 rlm_chap: Could not find clear text password for user user1
 modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.

radiusd's searching for a plain-text password.
Then I googled a little bit more and found a combination with
Attribute='Auth-Type' and Value='Crypt-Local', generated a hash using

$ openssl passwd -1 1
$1$HR1R2p.2$7tsK8wE30pDf6AQ6KEi6d/

Unfortunately, it doesn't work either..

Is that possible to get hashed passwords together with MS_CHAP?

--
Yuriy Grishin.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 Failure

2009-03-17 Thread John Hawkes-Reed
On 17/3/09 17:05, "Mike Diggins" wrote:

>
>
> On Tue, 17 Mar 2009, a.l.m.bu...@lboro.ac.uk wrote:
>
>> Hi,
>>
>>> I've made no progress in finding a solution to my MSCHAP problem. To
>>> summarize, Winbind and FreeRadius authenticate via PAP fine on both

[ ... ]

>> /etc/krb5.conf ?
>
> I didn't change the configuration on this file on either system, and both
> are identical.

System time? Clock skew will stop Kerberos in its tracks.


--
John Hawkes-Reed
Systems Administrator. Future Publishing. x 2526

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Modifying EAP Messages

2009-03-17 Thread Arran Cudbard-Bell

On 17/3/09 16:26, Jouni Malinen wrote:
> On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell wrote:
>> A magical check box appeared in the XP SP3 and Vista supplicant
>> 'Enable Quarantine Checks'. It'd be a huge win if FR could expose
>> these values so that they were usable for policy decisions.
>
> This requires a bit more than just minor changes in parsing additional
> data and making it available. The PEAP server will need to ask the
> PEAP peer to start SoH to get the extra data.

Yes I just found the appropriate article on MSDN. So 'Enable Quarantine
Checks' just means that the supplicant is willing to participate in SoH,
not that it will, unless explicitly requested to by the server.

> This needs at least
> minimal functionality to support a sequence of EAP methods inside the
> PEAP tunnel, but with that done, you should be able to process the SoH
> TLVs in FreeRADIUS.
>
> There is a specification available for all the needed functionality and
> you should be able to find example code on how to do this in hostapd

Very interesting. Which version / git branch is this available in?

> (it has experimental support for SoH and it dumps the TLVs received
> from the client in debug info if you want to run a quick test to see
> what data is available).

Just found an explanation of the other magical 'Crypto binding' check
box. It appears it's used to check that the phase 1 and phase 2
endpoints were actually the same server. Have you done any work on this
feature?


Many thanks,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread Jeremiah Millay
I'm having trouble getting FreeRADIUS to run programs called by 
Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3). 
I'm using a custom C script that used to work with all versions of 
FreeRADIUS prior to version 2.


I have an entry like this in the users file which is matching my 
access-requests:



DEFAULT Suffix == "@test.net", Auth-Type := Accept
   Exec-Program-Wait = "/usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password}",
   Ascend-Data-Filter += "ip in forward tcp est",
   Ascend-Data-Filter += "ip in forward dstip 10.0.0.0/24 tcp",
   Ascend-Data-Filter += "ip in drop tcp dstport = 25",
   Ascend-Data-Filter += "ip in forward",
   Fall-Through = No



Here is my debugging output when I attempt to authenticate (doesn't 
appear to execute my program):



Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 49411, id=74, length=76

   User-Name = "jmil...@test.net"
   User-Password = "blah"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
   Framed-Protocol = PPP
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radacct/10.1.1.1/auth-detail-20090317
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.1.1.1/auth-detail-20090317

[auth_log]  expand: %t -> Tue Mar 17 13:58:23 2009
++[auth_log] returns ok
[suffix] Looking up realm "test.net" for User-Name = "jmil...@test.net"
[suffix] Found realm "test.net"
[suffix] Adding Stripped-User-Name = "jmillay"
[suffix] Adding Realm = "test.net"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 26
[files] expand: /usr/local/sbin/checkradacct %{Stripped-User-Name} %{Password} -> /usr/local/sbin/checkradacct jmillay blah

++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [jmil...@test.net] (from client 10.1.1.1 port 0)
Sending Access-Accept of id 74 to 10.1.1.1 port 49411
   Ascend-Data-Filter += "ip in forward tcp est"
   Ascend-Data-Filter += "ip in forward dstip 10.0.0.0/24 tcp"
   Ascend-Data-Filter += "ip in drop tcp dstport = 25"
   Ascend-Data-Filter += "ip in forward 0"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 74 with timestamp +21



Any suggestions? I read in the docs that Exec-Program and 
Exec-Program-Wait are deprecated but I haven't found any clear 
documentation on how to configure rlm_exec to duplicate what I am trying 
to do.

Thanks in advance,
Jeremiah

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread tnt
>I'm having trouble getting FreeRADIUS to run programs called by
>Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3).
>I'm using a custom C script that used to work with all versions of
>FreeRADIUS prior to version 2.
>

Read comments in exec module configuration file (raddb/modules/exec).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec-Program-Wait w/ FreeRADIUS 2.1.3

2009-03-17 Thread Jeremiah Millay
Replying to myself... I missed uncommenting "exec" from the post-auth
section of the default site. Everything is working now. Sorry for
wasting your valuable mailbox space.

Jeremiah
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Storing hashes in MySQL when using MS_CHAP

2009-03-17 Thread tnt
>It that possible to get hashed passwords together with MS_CHAP?
>

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Storing hashes in MySQL when using MS_CHAP

2009-03-17 Thread Alan DeKok
Yuriy Grishin wrote:
> Hello,
> 
>I'm trying to conceal plain-text passwords from my radius.radcheck
> database so that it'll be useless if it's stolen.

  That's admirable, but generally useless.  And often counter-productive.

> |  1 | user1| Password-With-Header | := |
> {md5}c4ca4238a0b923820dcc509a6f75849b |

  MD5 hashed passwords...

> and radius -X said :
...
> modcall: leaving group authorize (returns ok) for request 0
>  rad_check_password:  Found Auth-Type CHAP

  ... are incompatible with CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

  What you want to do is impossible.  You MUST have the clear-text
passwords in the DB in order to do CHAP.

> Is that possible to get hashed passwords together with MS_CHAP?

  You are doing CHAP, not MS-CHAP.  They are very different.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
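The CHAP versus MS-CHAPv2 distinction Alan draws above, as an added Python example (not FreeRADIUS code and not from anyone in this thread): it computes the RFC 1994 CHAP digest from a clear-text password and refuses a `{md5}` radcheck Value, derives the NT-Password (MD4 of the UTF-16LE password) that the mschap module in the "MS-CHAP2 Failure" debug log says it works from, and computes the 8-byte MS-CHAPv2 challenge hash that log passes to ntlm_auth as --challenge. The MD4 routine is included because hashlib's md4 is frequently unavailable; the challenge bytes in the demo are constructed, the radcheck Value is the one from the thread, and the DES step that yields the NT-Response is left out.

```python
import hashlib
import struct

# Added example, not FreeRADIUS code.  The radcheck row "{md5}c4ca42..." from the
# thread is MD5("1"), so user1's password is "1"; that row cannot satisfy CHAP,
# while MS-CHAPv2 can be verified from the NT hash alone.


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Check a CHAP response against the radcheck Value for the user.

    The challenge is mixed into the MD5 input, so the server must recompute the
    digest from the clear-text password; a pre-hashed Value such as "{md5}..."
    is unusable (rlm_chap's "Could not find clear text password" above).
    """
    if stored.startswith("{") and "}" in stored:
        header, value = stored[1:].split("}", 1)
        if header.lower() == "clear":  # "{clear}..." is still clear text
            stored = value
        else:
            raise ValueError("CHAP needs the clear-text password, not a %s hash" % header)
    return chap_response(ident, stored, challenge) == response


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 is often unavailable with OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (boolean function, additive constant, word order, shift cycle)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates old d
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """RFC 2759 section 8.3: NtPasswordHash = MD4(UTF-16LE(password)).

    This is the NT-Password the mschap module can authenticate from without
    ever seeing the clear text.
    """
    return md4(password.encode("utf-16-le"))


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2: first 8 octets of SHA1(Peer || Authenticator || UserName).

    This is the --challenge value handed to ntlm_auth in the debug log; the DES
    step (GenerateNTResponse) that combines it with the NT hash is not shown.
    """
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def parse_mschap2_response(attr: bytes):
    """Split a 50-octet MS-CHAP2-Response into (ident, flags, peer_challenge, nt_response)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets, got %d" % len(attr))
    return attr[0], attr[1], attr[2:18], attr[26:50]


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed CHAP challenge
    print("CHAP from clear text:", chap_verify("1", 1, challenge, chap_response(1, "1", challenge)))
    try:
        chap_verify("{md5}c4ca4238a0b923820dcc509a6f75849b", 1, challenge, b"\0" * 16)
    except ValueError as err:
        print("CHAP from the {md5} row:", err)
    print("NT-Password usable for MS-CHAPv2:", nt_password_hash("1").hex())
```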


Re: Storing hashes in MySQL when using MS_CHAP

2009-03-17 Thread Yuriy Grishin

t...@kalik.net wrote:
>> Is that possible to get hashed passwords together with MS_CHAP?
>
> http://deployingradius.com/documents/protocols/compatibility.html

Thanks.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius only works in debug mode

2009-03-17 Thread Greg.Webster
Hello all,

My other email to the list from last week appears to have disappeared into 
the ether...probably too big with the whole config file.

Hopefully someone can offer advice on this issue. If I start up radiusd (on 
SuSE/OES linux, install from Yast) with the standard script in init.d it 
doesn't open up the port or authenticate.

However, if I add the debug parameter (-x) to that same script, it works 
just fine.

For example, if I change this line in /etc/init.d/radiusd ...
startproc $RADIUSD_BIN > /var/log/radius/radius.log
... to this ...
startproc $RADIUSD_BIN -x > /var/log/radius/radius.log
... it authenticates beautifully.

Googling around it looks like I'm not the only one with this problem, but 
the only solution seems to be a manual recompile.

Help? Thanks in advance!

Greg Webster



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP Config Clarification

2009-03-17 Thread Jason Frisvold
t...@kalik.net wrote:
> Remove those entries in users file. They are bypassing password checking.
> If you want to accept only some ldap groups use unlang. Something like:
> 
> if(Ldap-Group == something || Ldap-Group == something_else) {
>  ok
> }
> else {
>  update control {
>   Auth-Type := Reject
>  }
> }

Yeah.. that may be a problem.  Does freeradius 1.1.3 support unlang?
This is a RHEL 5.3 install...  I'm not aware of a trustable source for
2.x RPMs ...

> Example is the default group membership query in raddb/modules/ldap.

I *think* that's what I have already.

> Yes. Auth-Type LDAP needs to be set. If you force Auth-Type Accept in
> users file this will never be used.

Hrm...  ok, understood..  So I need to figure out how to require the vpn
group and reject if it isn't there...

> Ivan Kalik
> Kalik Informatika ISP


-- 
---
Jason Frisvold
xenopha...@gmail.com
---
"I love deadlines. I like the whooshing sound they make as they fly by."
   - Douglas Adams
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Storing hashes in MySQL when using MS_CHAP

2009-03-17 Thread Yuriy Grishin

Alan DeKok wrote:
> Yuriy Grishin wrote:
>> Hello,
>>
>>    I'm trying to conceal plain-text passwords from my radius.radcheck
>> database so that it'll be useless if it's stolen.
>
>   That's admirable, but generally useless.  And often counter-productive.

You bet, I've spent all the day and the result is 0.

>> |  1 | user1| Password-With-Header | := |
>> {md5}c4ca4238a0b923820dcc509a6f75849b |
>
>   MD5 hashed passwords...

Yes. I did it that way :
mysql> Value=concat('{md5}', md5('1')) where ...;

>> and radius -X said :
> ...
>> modcall: leaving group authorize (returns ok) for request 0
>>  rad_check_password:  Found Auth-Type CHAP
>
>   ... are incompatible with CHAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
>   What you want to do is impossible.  You MUST have the clear-text
> passwords in the DB in order to do CHAP.

I suspected that it's impossible so I asked a good (correct) question.

>> Is that possible to get hashed passwords together with MS_CHAP?
>
>   You are doing CHAP, not MS-CHAP.  They are very different.

Yeah, you're right I'm doing CHAP.

Thanks a lot for the explanation!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP Config Clarification

2009-03-17 Thread tnt
>> Remove those entries in users file. They are bypassing password checking.
>> If you want to accept only some ldap groups use unlang. Something like:
>>
>> if(Ldap-Group == something || Ldap-Group == something_else) {
>>  ok
>> }
>> else {
>>  update control {
>>   Auth-Type := Reject
>>  }
>> }
>
>Yeah.. that may be a problem.  Does freeradius 1.1.3 support unlang?
>This is a RHEL 5.3 install...  I'm not aware of a trustable source for
>2.x RPMs ...
>

1.1.3 doesn't support unlang. You need 2.x.

http://wiki.freeradius.org/Red_Hat_FAQ

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Modifying EAP Messages

2009-03-17 Thread Jouni Malinen
On Tue, Mar 17, 2009 at 7:40 PM, Arran Cudbard-Bell wrote:
> On 17/3/09 16:26, Jouni Malinen wrote:
>> There is specification available for all the needed functionality and
>> you should be able to find example code on how to do this in hostapd
>
> Very interesting. Which version/ git branch is this available in ?

TNC support (including experimental SoH code) was added in 0.6.x, so
as far as releases are concerned, 0.6.8 would be the best start (or
just use the git development branch if you want to get latest version,
but I don't think there has been SoH related changes since 0.6.8).

> Just found an explanation of the other magical 'Crypto binding' check box.
> It appears it's used to check that the phase 1 and phase 2 endpoints were
> actually the same server. Have you done any work this feature ?

Yes, that is also supported in both hostapd (PEAPv0 server) and
wpa_supplicant (PEAPv0 peer) version 0.6.8. That needed quite a bit of
experimentation and guesses since the specification was not exactly
correct (but could now be since I asked it to be fixed). Anyway, the
source code in hostapd is known to interoperate with Windows XP SP3
and Vista supplicant, so that is probably a good place to look at if
someone wants to add this to FreeRADIUS.

- Jouni
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Help with a redirect / splash page for sign up

2009-03-17 Thread Dave Sinclair
Maybe not perfect for this list, but I gotta think someone on here has
done this before.

We just got handed over 500 DSL subscribers.  Old ISP is dead, no
records, no accounting data. Just the ATM PVC's are on our network.

I'm trying to figure out how to do a one time redirect so that they
sign up into our billing system and once that's done then they have
internet access.

I'm willing to pay reasonable $$ for someone that knows how to do this
using open source tools and our cisco routers.

Mucho thanks for the help.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


configuring eap2

2009-03-17 Thread Leonid Sigal
Hello, could someone with such experience provide a STEP BY STEP
procedure to configure the eap2 module: which configuration files have
to be updated and how?

Thanks in advance, Leonid.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius only works in debug mode

2009-03-17 Thread A . L . M . Buxey
Hi,

> My other email to the list from last week appears to have disappeared into 
> the ether...probably too big with the whole config file.
> 
> Hopefull someone can offer advice on this issue. If I start up radiusd (on 
> SuSE/OES linux, install from Yast) with the standard script in init.d it 
> doesn't open up the port or authenticate.
> 
> However, if I add the debug parameter (-x) to that same script, it works 
> just fine.
> 
> For example, if I change this line in /etc/init.d/radiusd ...
> startproc $RADIUSD_BIN > /var/log/radius/radius.log
> ... to this ...
> startproc $RADIUSD_BIN -x > /var/log/radius/radius.log
> ... it authenticates beautifully.
> 
> Googling around it looks like I'm not the only one with this problem, but 
> the only solution seems to be a manual recompile.

when run in debug, it runs with greater privs - check your eg /var/log/radius
directory, your used tmp directories, /etc/raddb etc for their permissions -
does the user/group you have defined in radiusd.conf have relevant read/write
permissions?

other common issue is eg selinux daemon/service protection

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
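The permission check Alan suggests above, as an added Python example (not FreeRADIUS code): it reads the user/group from radiusd.conf and evaluates each directory's mode bits for that identity rather than for the root user that a hand-started `-x` run keeps, which is the difference between the two start-up methods in this thread. The path list, the config path and the constructed config text are assumptions; extend them with the directories your configuration actually uses.

```python
import grp
import os
import pwd
import re
import stat

# Added example, not FreeRADIUS code.  Started from the init script, radiusd
# drops to the user/group set in radiusd.conf; started by hand with -x it keeps
# the launching user's privileges, so directories that root can use may still
# be unusable for the daemon.  The config parsing is a simplified reading of
# the "user = ..." / "group = ..." lines; commented-out lines do not match.

_RUN_AS = re.compile(r"^\s*(user|group)\s*=\s*(\S+)", re.MULTILINE)

# Constructed list of paths and the access each one needs (R_OK/W_OK/X_OK
# bits); extend it with the db/tmp directories your own configuration uses.
DEFAULT_PATHS = {
    "/etc/raddb": os.R_OK | os.X_OK,
    "/var/log/radius": os.R_OK | os.W_OK | os.X_OK,
    "/var/log/radius/radacct": os.R_OK | os.W_OK | os.X_OK,
}


def parse_run_identity(conf_text):
    """Return (user, group) from radiusd.conf text; None for a name that is not set."""
    found = dict(_RUN_AS.findall(conf_text))
    return found.get("user"), found.get("group")


def identity_can(mode, owner_uid, owner_gid, uid, gid, wanted):
    """Classic POSIX check for a non-root process: pick the owner, group or
    other class from the mode bits and require every bit in `wanted`."""
    if owner_uid == uid:
        shift = 6
    elif owner_gid == gid:
        shift = 3
    else:
        shift = 0
    have = (stat.S_IMODE(mode) >> shift) & 0o7
    return (have & wanted) == wanted


def describe(wanted):
    """Render R_OK|W_OK|X_OK bits as 'rwx'-style text for messages."""
    return "".join(ch for ch, bit in (("r", os.R_OK), ("w", os.W_OK), ("x", os.X_OK)) if wanted & bit)


def check_paths(paths, uid, gid):
    """Return [(path, problem)] for every path the daemon identity cannot use."""
    problems = []
    for path, wanted in paths.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if not identity_can(st.st_mode, st.st_uid, st.st_gid, uid, gid, wanted):
            problems.append((path, "mode %04o owned by %d:%d does not grant %s to uid %d gid %d"
                             % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                                describe(wanted), uid, gid)))
    return problems


if __name__ == "__main__":
    # Assumed config location; the SuSE package discussed above uses /etc/raddb.
    with open("/etc/raddb/radiusd.conf") as fh:
        user, group = parse_run_identity(fh.read())
    uid = pwd.getpwnam(user).pw_uid if user else os.getuid()
    gid = grp.getgrnam(group).gr_gid if group else os.getgid()
    problems = check_paths(DEFAULT_PATHS, uid, gid)
    for path, problem in problems:
        print("PROBLEM:", path, problem)
    print("%d problem(s) for %s:%s" % (len(problems), user, group))
```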