Usernames with spaces

2009-03-20 Thread Joeven Rex Dizon
I'm a relatively new freeradius user so I am not really an expert
with it.

I have two users in the radcheck table:
"admin" and "d6 40 1a 98". Both with passwords "admin198".

Doing this:
*radtest admin admin198 localhost 0 testing123*
..returns an Access-Accept packet.

But doing this:
*radtest "d6 40 1a 87" admin198 localhost 0 testing123*
..returns an Access-Reject packet.

I wonder why the user with spaces in the username is being rejected.

I've read somewhere that I need to specify "nospace_user". Can I edit that
in the radiusd.conf? What should the value be: before, after or no?

Our installed version is 2.1.0+dfsg-0ubuntu2, running on Ubuntu 8.10.
The backend database we use is MySQL.

Thanks in advance.

Joeven Rex L. Dizon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Login to Cisco devices through freeradius

2009-03-20 Thread Andrew Hood
a.l.m.bu...@lboro.ac.uk wrote:

> chown -R radiusd:radiusd /etc/raddb
> 
> chmod -R 755 /etc/raddb/certs

Yuck - marking data files executable. I'd start with:

 find /etc/raddb/certs -type d -exec chmod 755 {} \;
 find /etc/raddb/certs \! -type d -exec chmod 644 {} \;

and fix any program file that should be 755

-- 
REALITY.SYS not found: Universe halted.
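As an added example (not FreeRADIUS tooling, and not code from anyone in the thread), here is the audit-then-fix that the find/chmod recipe above performs, run against a constructed temporary copy of the certs listing posted in this thread with every file at 777. Two assumptions are my own: `bootstrap` is the one script that should stay 755, and private key material (`ca.key`, `server.key`, `server.p12`) gets 600 rather than the 644 applied to the other files.

```python
"""Audit and fix permissions in a FreeRADIUS raddb/certs directory.

Added example; not part of FreeRADIUS. demo() builds a constructed copy of
the `ls -l` from this thread in a temporary directory.
"""
import os
import stat
import tempfile

# File names taken from the `ls -l` posted in this thread.
LISTING = ["01.pem", "Makefile", "README", "bootstrap", "ca.cnf", "ca.der",
           "ca.key", "ca.pem", "client.cnf", "dh", "index.txt", "index.txt.attr",
           "index.txt.old", "random", "serial", "serial.old", "server.cnf",
           "server.crt", "server.csr", "server.key", "server.p12", "server.pem",
           "xpextensions"]

# Assumptions of this example (not stated in the thread): bootstrap is the
# only file that should keep an execute bit, and private key material must
# not be group- or world-readable, which is tighter than the post's 644.
EXECUTABLE_FILES = {"bootstrap"}
PRIVATE_KEY_FILES = {"ca.key", "server.key", "server.p12"}


def expected_mode(name: str, is_dir: bool) -> int:
    """Mode an entry should have: 755 for dirs/scripts, 600 for keys, else 644."""
    if is_dir or name in EXECUTABLE_FILES:
        return 0o755
    if name in PRIVATE_KEY_FILES:
        return 0o600
    return 0o644


def audit_certs_dir(path: str) -> list:
    """Return (relative path, actual mode, expected mode) for every mismatch."""
    findings = []
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            full = os.path.join(root, name)
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            want = expected_mode(name, os.path.isdir(full))
            if actual != want:
                findings.append((os.path.relpath(full, path), actual, want))
    return sorted(findings)


def fix_certs_dir(path: str) -> int:
    """Apply the expected modes (the find/chmod recipe plus the key tightening)."""
    changed = 0
    for rel, _actual, want in audit_certs_dir(path):
        os.chmod(os.path.join(path, rel), want)
        changed += 1
    return changed


def demo() -> dict:
    """Recreate the posted situation (everything 777), audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in LISTING:
            p = os.path.join(tmp, name)
            with open(p, "w") as fh:
                fh.write("placeholder\n")   # constructed content, not real key material
            os.chmod(p, 0o777)              # world-writable and executable, as in the post
        before = audit_certs_dir(tmp)
        changed = fix_certs_dir(tmp)
        after = audit_certs_dir(tmp)
        return {"before": len(before), "changed": changed, "after": len(after)}


if __name__ == "__main__":
    print(demo())
```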


Re: CHAP authentication issue

2009-03-20 Thread Alan Cooper
On Fri, Mar 20, 2009 at 6:57 PM, Alan DeKok  wrote:

>> My users file entry looks like this:
>>
>> # saf1...@lumisondsl2.co.uk ADSL:
>> saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
>
>  Use Cleartext-Password :=



Many thanks Alan - I will try this over the weekend.

Can you indulge my curiosity and point out (or point me at the docs
that explain) what changed? As someone who has to dip in now & again
to keep a RADIUS platform operational, I'm finding the docs a bit
bewildering and the differences in configs between versions difficult
to locate and understand.


Kind Regards,
Alan



Allow PEAP and TTLS, but reject TLS

2009-03-20 Thread usawebbox
I'm using Freeradius 2.1.1. My setup has been successfully
authenticating TLS, TTLS, and PEAP for a while. Now I would like to deny
TLS in the EAP negotiation, although the users will still have client
certificates. I don't know how to reject TLS without breaking PEAP/TTLS.
Those methods require the TLS block, which must then have the CA cert to
validate the server certificate, and the server continues to use that to
validate user certs.

Problem: PEAP is my default EAP-type, but the client can nak it and
choose EAP-TLS instead.

I saw this comment in eap.conf:

"If you do not use client certificates, and you do not want to permit
EAP-TLS
authentication, then delete this configuration item" (referring to
CA_file)

Unfortunately, this is not literally true. It sounded like a simple way
to use the TLS block only to enable PEAP and TTLS, but if the CA cert is
in "certificate_file" and the "CA_file" configuration item is deleted,
EAP-TLS is still permitted as an authentication method.

Note: I have read all the comments in this file, not just the one I
quoted.

If someone knows a way to do this, I would appreciate the knowledge.  I
suppose I would be willing to restrict the EAP-type only PEAP (or only
TTLS) if that is the only way to reject EAP-TLS. Thank you.
-- 
  
  usaweb...@fastmail.fm



Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Thanks man, these commands solved my problem!!

Bruno

2009/3/20 

> Hi,
>
> > RADIUS:/etc/raddb/certs # ls -l
> > total 104
> > -rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
> > -rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
> > -rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
> > -rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
> > -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
> > -rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
> > -rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
> > -rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
> > -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
> > -rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
> > -rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
> > -rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
> > -rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
> > -rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
> > -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
> > -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
> > -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
> > -rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
> > -rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
> > -rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
> > -rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
> > -rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
> > -rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions
>
> chown -R radiusd:radiusd /etc/raddb
>
> chmod -R 755 /etc/raddb/certs
>
> alan

RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
Yep, that was it. Thanks so much for your help!

-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net] 
Sent: Friday, March 20, 2009 3:08 PM
To: FreeRadius users mailing list
Subject: RE: Perl/Peap-MSChapV2 Issues

>Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.
>
>In the log, it says:
>
>rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student
>
>But shouldn't that show up in the Access-Accept also?

You probably need to set use_tunneled_reply to yes in peap section of
eap.conf. This is slightly older server version which doesn't show
tunneled reply so can't be sure.

Ivan Kalik
Kalik Informatika ISP



RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread tnt
>Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.
>
>In the log, it says:
>
>rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student
>
>But shouldn't that show up in the Access-Accept also?

You probably need to set use_tunneled_reply to yes in peap section of
eap.conf. This is slightly older server version which doesn't show
tunneled reply so can't be sure.

Ivan Kalik
Kalik Informatika ISP



Re: CHAP authentication issue

2009-03-20 Thread Alan DeKok
Alan Cooper wrote:
> I am trying to migrate from a working Freeradius 1.1.3 installation to
> a 2.1.x (currently trying .4) and I'm hitting problem getting CHAP
> authentication to work. I use the users file to authenticate DSL users
> via a Cisco LNS device - chap doesn't think it's getting the password
> from the users file in plaintext.
> 
> My users file entry looks like this:
> 
> # saf1...@lumisondsl2.co.uk ADSL:
> saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253

  Use Cleartext-Password :=

  Alan DeKok.


Re: dear everyone..

2009-03-20 Thread Luciano Afranllie
On Thu, Mar 19, 2009 at 6:20 AM,   wrote:
> Hi,
>> iam a new bie freeradius user, i have a duty from my lecture to build a 
>> hotspot captive portal using chillispot and freeradius. now i make it, 
>> chilispot and freeradius working well on ubuntu machine, but the problem is 
>> my lecture want me to do stress test on the radius server to make sure that 
>> the system is still working well in any condition..
>>
>> i still confused how to perform the stress test...anyone help me 
>> please..thank you for your attentionsorry for bad english :D
>
> there are a couple of scripts supplied with the server to allow
> benchmarking which hit the server fast and hard. run a couple
> of those whilst eg flood pinging the system.  but 'any condition'
> is hardly any kind of scientific or useful phrase. for example,
> is the system working well if half the packets get lost? does

If you want to test what happens under network-problem scenarios, you
can try netem or nistnet:

http://www.linuxfoundation.org/en/Net:Netem
http://snad.ncsl.nist.gov/nistnet/

Regards
Luciano



CHAP authentication issue

2009-03-20 Thread Alan Cooper
I am trying to migrate from a working Freeradius 1.1.3 installation to
a 2.1.x (currently trying .4) and I'm hitting a problem getting CHAP
authentication to work. I use the users file to authenticate DSL users
via a Cisco LNS device - CHAP doesn't think it's getting the password
from the users file in plaintext.

My users file entry looks like this:

# saf1...@lumisondsl2.co.uk ADSL:
saf1975 Cleartext-Password = "mypassword", NAS-IP-Address = 193.29.223.253
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 84.19.252.194,
Framed-IP-Netmask = 255.255.255.255,
Cisco-AVPair = "ip:dns-servers=212.20.226.130 212.20.226.194",
Cisco-AVPair += "ip:route#1=84.19.253.96 255.255.255.224 84.19.252.194",
Cisco-AVPair += "ip:route#2=84.19.255.64 255.255.255.224 84.19.252.194",
Cisco-AVPair += "ip:route#3=217.30.117.96 255.255.255.248 84.19.252.194"

As I'm dealing with multiple domains, I strip out the domain names
coming in from the LNS in proxy.conf.


Can anyone explain why CHAP isn't getting a plaintext password and
what I need to do to resolve? It appears to come through plaintext to
the other 1.1.3 server...

Debug output:-

Ready to process requests.
rad_recv: Access-Request packet from host 193.29.223.253 port 1645,
id=8, length=123
Framed-Protocol = PPP
User-Name = "saf1...@lumisondsl2.co.uk"
CHAP-Password = 0x015912a2d9f792df9c9b61107520a7967d
NAS-Port-Type = Virtual
NAS-Port = 2208
NAS-Port-Id = "Uniq-Sess-ID2208"
Connect-Info = "1696000"
Service-Type = Framed-User
NAS-IP-Address = 193.29.223.253
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[suffix] Looking up realm "lumisondsl2.co.uk" for User-Name =
"saf1...@lumisondsl2.co.uk"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "saf1975"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
Invalid operator for item Group: reverting to '=='
[files] users: Matched entry DEFAULT at line 22474
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "saf1975" with CHAP password
[chap] Cleartext-Password is required for authentication
++[chap] returns invalid
Failed to authenticate the user.
Login incorrect (rlm_chap: Clear text password not available):
[saf1...@lumisondsl2.co.uk/] (from client dsl-gw port
2208)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
saf1...@lumisondsl2.co.uk
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 193.29.223.253 port 1645
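To show why rlm_chap reports "Clear text password not available" in the debug above, here is an added example of the CHAP check a RADIUS server has to perform; it is not FreeRADIUS code and was not posted by anyone in the thread. The challenge, the passwords and the check-item dictionaries are constructed sample data.

```python
"""Server-side CHAP verification (RFC 1994 section 4.1, RFC 2865 section 5.3).

Added example, not FreeRADIUS code. All values below are constructed.
"""
import hashlib
import hmac
import secrets

CHAP_ID_LEN = 1
CHAP_RESPONSE_LEN = 16  # one MD5 digest


def chap_response(chap_id: int, cleartext_password: str, challenge: bytes) -> bytes:
    """MD5(identifier || secret || challenge): what the PPP peer sends back."""
    h = hashlib.md5()
    h.update(bytes([chap_id & 0xFF]))
    h.update(cleartext_password.encode("utf-8"))
    h.update(challenge)
    return h.digest()


def build_chap_password(chap_id: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute the NAS (here, the LNS)
    forwards: one CHAP identifier byte followed by the 16-byte response."""
    return bytes([chap_id & 0xFF]) + chap_response(chap_id, cleartext_password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, user_entry: dict) -> tuple:
    """Return (accepted, reason).

    user_entry holds the check items the users file or radcheck supplies,
    e.g. {"Cleartext-Password": "mypassword"}. Only a cleartext password can
    work: the server must recompute the MD5 over the secret itself, so a
    stored hash (Crypt-Password, MD5-Password, ...) cannot validate CHAP.
    """
    if len(chap_password) != CHAP_ID_LEN + CHAP_RESPONSE_LEN:
        return False, "malformed CHAP-Password"
    cleartext = user_entry.get("Cleartext-Password")
    if cleartext is None:
        # the rlm_chap failure seen in the debug output
        return False, "Clear text password not available"
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, cleartext, challenge)
    if hmac.compare_digest(expected, response):
        return True, "ok"
    return False, "password mismatch"


def demo() -> dict:
    # Constructed 16-byte challenge. On the wire this is the CHAP-Challenge
    # attribute or, when absent, the Access-Request's Request Authenticator.
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    attr = build_chap_password(0x01, "mypassword", challenge)

    entry_cleartext = {"Cleartext-Password": "mypassword"}    # what Cleartext-Password := supplies
    entry_hashed = {"Crypt-Password": "$1$constructed$hash"}   # cannot serve CHAP
    return {
        "attr_len": len(attr),
        "cleartext": verify_chap(attr, challenge, entry_cleartext),
        "hashed": verify_chap(attr, challenge, entry_hashed),
        "wrong_password": verify_chap(attr, challenge, {"Cleartext-Password": "other"}),
        # a response computed for one challenge does not verify against a fresh one
        "fresh_challenge": verify_chap(attr, secrets.token_bytes(16), entry_cleartext),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```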


Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-20 Thread orion
I had the same problem when I wanted to authenticate the hotspot's users with
freeradius.
The solution was to make a static mapping in IP - HOTSPOT - IP BINDINGS:

MAC address :  THE MAC OF THE SERVER
ADDRESS :   THE IP ADDRESS OF THE SERVER
TO ADDRESS : THE SAME AS ABOVE
SERVER : ALL
TYPE :  REGULAR or BYPASSED

and then it worked. It was related, since the hotspot connections are passed
to the Mikrotik's web proxy (captive portal/page).

2009/3/19 Fajar A. Nugraha 

> 2009/3/19 Lazar Cherveniakov :
> > Everything looks fine in IP addresses, but the problem is still the same.
>
> Looks like you got exactly the problem I described. See here :
>
> > Mikrotik debug log
> > 01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812
>
> Mikrotik thinks radius IP is 192.168.200.2
>
> > radius server ip`s
> > # ifconfig
> > eth0  Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
> >   inet addr:192.168.200.3  Bcast:192.168.200.255
>  Mask:255.255.255.0
> > eth0:1Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
> >   inet addr:192.168.200.2  Bcast:192.168.200.255
>  Mask:255.255.255.0
>
> ... while that IP is secondary IP on the radius server. Do a tcpdump
> on radius and you should see that radius replies comes from
> 192.168.200.3 (which mikrotik discards, because it's not the IP it
> sends the request to).
>
> There are several ways to fix this (one of them involves recompiling
> freeradius with --with-udpfromto, see
>
> http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F
> ), but the easiest way is simply change mikrotik's config to use
> 192.168.200.3 as radius IP address.
>
> Regards,
>
> Fajar
>

Modify User-Name to upper Case (rewrite/unlang)

2009-03-20 Thread Eric Martell
Hi,
I am searching through the forum and did not get a right suggestion.

I am doing LDAP authentication and getting the MAC address as User-Name in the
following format.

User-Name = "001e.5283.34aa"

I want to convert that to "001E528334AA" => convert to uppercase and remove
the dots.

Is there any function I can use such as, 
 ldap {

   User-Name := User-Name.toUpperCase().replace('.','');

}

Please guide me to the documentation.

Thanks and Regards.
Eric.
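The normalisation asked for above, as an added example in plain Python rather than unlang (it is not FreeRADIUS code and not from anyone in the thread): it produces the 12 uppercase hex digits from the Cisco dotted form, also accepts the colon, dash and bare notations, and returns None for anything that is not a MAC so an ordinary username is left untouched.

```python
"""Normalise a MAC-address User-Name before a directory lookup.

Added example, not FreeRADIUS or unlang code. Sample inputs are constructed.
"""
import re

# Accepted input notations (case-insensitive); mixed separators are rejected.
_FORMS = (
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I),   # Cisco: 001e.5283.34aa
    re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I),          # 00:1e:52:83:34:aa
    re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.I),          # 00-1E-52-83-34-AA
    re.compile(r"^[0-9a-f]{12}$", re.I),                            # 001E528334AA
)


def normalize_mac(user_name: str):
    """Return the 12 uppercase hex digits, or None if the name is not a MAC."""
    candidate = user_name.strip()
    if not any(form.match(candidate) for form in _FORMS):
        return None
    return re.sub(r"[.:-]", "", candidate).upper()


def to_cisco_dotted(mac12: str) -> str:
    """Inverse direction, for matching entries stored as 001e.5283.34aa."""
    m = mac12.lower()
    return f"{m[0:4]}.{m[4:8]}.{m[8:12]}"


def demo() -> dict:
    """Map constructed sample User-Names to their normalised key (or None)."""
    samples = [
        "001e.5283.34aa",     # the format in the post
        "00:1E:52:83:34:AA",
        "00-1e-52-83-34-aa",
        "001E528334AA",
        "001e.5283.34a",      # too short
        "001e:5283.34aa",     # mixed separators
        "jdoe",               # ordinary username, must be left alone
    ]
    return {s: normalize_mac(s) for s in samples}


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name!r:22} -> {key}")
```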

Re: Bandwidth limit

2009-03-20 Thread orion
hi,
if you want to limit the upload/download speed then you must have an entry
on radreply/radgroupreply

insert into radreply
values('','USERNAME','Mikrotik-Rate-Limit',':=','256K/512K');

in this case the upload is 256Kbps and download is 512Kbps

keep in mind that the same USERNAME must be in the radcheck
insert into radcheck
values('','USERNAME','Cleartext-Password',':=','password1234');



2009/3/19 

> >Thanks Ivan,
> >
> >Actually I've installed Mikrotik Router OS in single pc and Freeradius +
> >Mysql server in other. I want to shape the client bandwidth with mysql
> >database. If you have any idea then please send me.
> >
>
> Vendor attributes are just like any other - you put them in radreply or
> radgroupreply.
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
> $ man unlang
> 
>   Everything following the "if" statement MUST be all on one line of text.
> 
>   Alan DeKok.

Ok thanks, I don't think that is clear on 
http://freeradius.org/radiusd/man/unlang.html . 

I now have ...

if ("%{request:Stripped-User-Name}" !~ /visitor[0-9]?[0-9]/i) {
	reject
}

and radiusd will start now. 

Thanks to all

Bruce




Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
> Leighton, tks for help me. I agree with you, the messages are a little
> bit confusing for me too.
> That's what I thought, problems wich permission. That's why I did chmod
> 777, even knowing that it's not recommended. After doing this, the issue
> persist...I'm using the newest available version of freeradius.org
> .

  For the LAST time: This is not a FreeRADIUS problem.

  Fix your OS so that it lets FreeRADIUS read the configuration files.
> Here follows the output of Makefile.
> 
> /etc/raddb/certs/Makefile
> /etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
> grep: server.cnf: No such file or directory

  Uh... you do know that you can't execute Makefiles like shell scripts?

  Alan DeKok.


Re: unlang question

2009-03-20 Thread Alan DeKok
bruce_m_richard...@biscuits.com wrote:
> if("%{request:Stripped-User-Name}" !~
> /visitor[0-9]?[0-9]/i) {
>  reject
> }
> 
> and got this ...
> 
> /usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition
> at: "%{request:Stripped-User-Name}" !~
> 
> any ideas ?

$ man unlang

  Everything following the "if" statement MUST be all on one line of text.

  Alan DeKok.


Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
> Don't open and close brackets on the same line. Have a look at Arran's
> statement.

Ok I tried this ...


if("%{request:Stripped-User-Name}" !~
/visitor[0-9]?[0-9]/i) {
 reject
}

and got this ...

/usr/local/etc/raddb/sites-enabled/all[156]: Parse error in condition at: 
"%{request:Stripped-User-Name}" !~

any ideas ?

Bruce



RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
Yes, I have $RAD_REPLY{'Filter-Id'} = $filterId; in the perl script.

In the log, it says:

rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=Student

But shouldn't that show up in the Access-Accept also?

-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net] 
Sent: Friday, March 20, 2009 11:01 AM
To: FreeRadius users mailing list
Subject: RE: Perl/Peap-MSChapV2 Issues

>I believe the only thing left is that it needs to return a Filter-Id
>along with the access-accept?
>

Is you perl script adding it to $RAD_REPLY? I can't see it in the reply.

Ivan Kalik
Kalik Informatika ISP



Re: unlang question

2009-03-20 Thread tnt
>> if(("%{request:Service-Type}" == 'whatever') &&
>> ("%{request:Stripped-User-Name}" !~
>> /visitor[0-9]?[0-9]/i)) {
>>reject
>> }
>
># Just the Visitors please !!
>if("%{request:Stripped-User-Name}" !~
>/visitor[0-9]?[0-9]/i) {reject}

Don't open and close brackets on the same line. Have a look at Arran's
statement.

Ivan Kalik
Kalik Informatika ISP



RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread tnt
>I believe the only thing left is that it needs to return a Filter-Id
>along with the access-accept?
>

Is you perl script adding it to $RAD_REPLY? I can't see it in the reply.

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread A.L.M. Buxey
Hi,

> RADIUS:/etc/raddb/certs # ls -l
> total 104
> -rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
> -rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
> -rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
> -rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
> -rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
> -rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
> -rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
> -rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
> -rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
> -rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
> -rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
> -rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
> -rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
> -rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
> -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
> -rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
> -rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
> -rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
> -rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
> -rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
> -rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
> -rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
> -rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

chown -R radiusd:radiusd /etc/raddb

chmod -R 755 /etc/raddb/certs

alan


RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
I believe the only thing left is that it needs to return a Filter-Id 
along with the access-accept?

-Original Message-
From: t...@kalik.net [mailto:t...@kalik.net] 
Sent: Friday, March 20, 2009 10:43 AM
To: FreeRadius users mailing list
Subject: RE: Perl/Peap-MSChapV2 Issues

>I removed the DEFAULT Auth-Type = Perl since you said it wasn't use.
>
>I removed the update control from the authorize in inner-tunnel.
>
>Here's the new log. Thanks for the help.
>

What now? It works:

>Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
>  PEAP: Tunneled authentication was successful.
>  rlm_eap_peap: SUCCESS
..
>Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli
>00-16-D3-30-E5-74)
>+- entering group post-auth
>++[exec] returns noop
>Sending Access-Accept of id 244 to 192.168.240.78 port 3085
>MS-MPPE-Recv-Key =
>0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6
>MS-MPPE-Send-Key =
>0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2
>EAP-Message = 0x030a0004
>Message-Authenticator = 0x
>User-Name = "testUser"
>Finished request 10.

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Leighton, thanks for helping me. I agree with you, the messages are a little bit
confusing for me too.
That's what I thought, problems with permission. That's why I did chmod 777,
even knowing that it's not recommended. After doing this, the issue
persists... I'm using the newest available version from freeradius.org.

Here follows the output of Makefile.

/etc/raddb/certs/Makefile
/etc/raddb/certs/Makefile: line 12: DH_KEY_SIZE: command not found
grep: server.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 17: PASSWORD_SERVER: command not found
grep: ca.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 18: PASSWORD_CA: command not found
grep: client.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 19: PASSWORD_CLIENT: command not found
grep: client.cnf: No such file or directory
/etc/raddb/certs/Makefile: line 21: USER_NAME: command not found
/etc/raddb/certs/Makefile: line 28: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 29: all:: command not found
/etc/raddb/certs/Makefile: line 31: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 32: client:: command not found
/etc/raddb/certs/Makefile: line 34: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 35: ca:: command not found
/etc/raddb/certs/Makefile: line 37: .PHONY:: command not found
/etc/raddb/certs/Makefile: line 38: server:: command not found
/etc/raddb/certs/Makefile: line 45: dh:: command not found
/etc/raddb/certs/Makefile: line 46: DH_KEY_SIZE: command not found

And the output of ls -l on the certs directory:

RADIUS:/etc/raddb/certs # ls -l
total 104
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 01.pem
-rwxrwxrwx 1 root root    4441 Nov 19 14:20 Makefile
-rwxrwxrwx 1 root root    5343 Nov 19 14:20 README
-rwxrwxrwx 1 root radiusd  462 Nov 19 14:20 bootstrap
-rwxrwxrwx 1 root radiusd 1288 Nov 19 14:20 ca.cnf
-rwxrwxrwx 1 root root    1195 Mar 17 10:49 ca.der
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 ca.key
-rwxrwxrwx 1 root root    1675 Mar 17 10:49 ca.pem
-rwxrwxrwx 1 root radiusd 1109 Nov 19 14:20 client.cnf
-rwxrwxrwx 1 root root     466 Mar 19 15:10 dh
-rwxrwxrwx 1 root root     120 Mar 17 10:49 index.txt
-rwxrwxrwx 1 root root      21 Mar 17 10:49 index.txt.attr
-rwxrwxrwx 1 root root       0 Mar 17 10:49 index.txt.old
-rwxrwxrwx 1 root root    1024 Mar 19 15:11 random
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial
-rwxrwxrwx 1 root root       3 Mar 17 10:49 serial.old
-rwxrwxrwx 1 root radiusd 1123 Nov 19 14:20 server.cnf
-rwxrwxrwx 1 root root    4210 Mar 17 10:49 server.crt
-rwxrwxrwx 1 root root    1062 Mar 17 10:49 server.csr
-rwxrwxrwx 1 root root    1743 Mar 17 10:49 server.key
-rwxrwxrwx 1 root root    2533 Mar 17 10:49 server.p12
-rwxrwxrwx 1 root root    3495 Mar 17 10:49 server.pem
-rwxrwxrwx 1 root root     578 Nov 19 14:20 xpextensions

2009/3/20 Leighton Man 

> > There is nothing related to eap to comment out in these files...
> > Should I create a certificate? Is it compulsory?
>
> Hi,
> I've just struggled through all this so it's nice to try and help. Always
> take note of the FIRST error message in the debug. The later ones can be
> confusing if you don't understand what's going on.
> Your problem seems to be that the server can't read the certificate files.
> If they aren't there, it won't be able to. When I compiled freeradius it
> generated test certificates itself (after tweaking the Makefile). Are you
> using the latest version?
>
> You must have certificates to do SSL. They live in the raddb/certs
> directory.
>
> Regards,
>
> Leighton
>
>

RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread tnt
>I removed the DEFAULT Auth-Type = Perl since you said it wasn't use.
>
>I removed the update control from the authorize in inner-tunnel.
>
>Here's the new log. Thanks for the help.
>

What now? It works:

>Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
>  PEAP: Tunneled authentication was successful.
>  rlm_eap_peap: SUCCESS
..
>Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli
>00-16-D3-30-E5-74)
>+- entering group post-auth
>++[exec] returns noop
>Sending Access-Accept of id 244 to 192.168.240.78 port 3085
>MS-MPPE-Recv-Key =
>0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6
>MS-MPPE-Send-Key =
>0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2
>EAP-Message = 0x030a0004
>Message-Authenticator = 0x
>User-Name = "testUser"
>Finished request 10.

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
> Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be
> so simple! Is there any possibility of OS incompatibity with freeRADIUS?

  No.

  Alan DeKok.


Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread tnt
>http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
>http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/
>
>i can find only these two urls for documentation? anywhere else as a
>reference?
>

Ask them, not us.

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Dawg, I have all default installation files. I read eap.conf and it seems to
be okay; I haven't changed any file either, not even to add new users! Everything
remains the same...

I know that "chmod 777" is not recommended. I did it just to make sure that
what I have isn't a permission issue.

Here is the output for id radiusd command:
uid=108(radiusd) gid=109(radiusd) groups=109(radiusd)

Reading this tutorial, http://wiki.freeradius.org/Cisco, it seems to be so
simple! Is there any possibility of OS incompatibility with freeRADIUS?

tks!



2009/3/20 

> Hi,
> > There is nothing related to eap to comment out in these files...
> > Should I create a certificate? Is it compulsory?
>
> hang on - do you actually HAVE any EAP cert/CA files that you are
> referencing in eap.conf?
>
> read eap.conf - see what files it is trying to read (cert, CA , pkcs12,
> random, etc)
> and check you actually HAVE those files.  if you have those files, then
> ensure that the
> permissions for the directory and files are suitable for reading - you DONT
> EVER want 777
>
> with 777 i could own your server and take over your infrastructure - you
> only want read
> permissions on the files...for the relevant user that the freeradius daemon
> is running as
> (usually radiusd)
>
> what does
>
> id radiusd
>
>
> give as output?
>
> alan

RE: Login to Cisco devices through freeradius

2009-03-20 Thread Leighton Man

 

> There is nothing related to eap to comment out in these files...
> Should I create a certificate? Is it compulsory?

Hi,
I've just struggled through all this so it's nice to try and help. Always take 
note of the FIRST error message in the debug. The later ones can be confusing 
if you don't understand what's going on. 
Your problem seems to be that the server can't read the certificate files. If 
they aren't there, it won't be able to. When I compiled freeradius it generated 
test certificates itself (after tweaking the Makefile). Are you using the 
latest version?

You must have certificates to do SSL. They live in the raddb/certs directory.

Regards,

Leighton
 



Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread sollunga

http://coova.org/wiki/index.php/JRadius/WithFreeRADIUS
http://coova.org/wordpress/index.php/2007/04/07/integrating-radius-with-your-java-enterprise/

i can find only these two urls for documentation? anywhere else as a
reference?




tnt-4 wrote:
> 
>>finally i had some luck i guess, now the radius does authentication, but
>>jradius simulator says timed out, could be ACS is not passing the
>>information to simulator i feel. though i am using ACS proxy distribution
>>table, still simulator is not getting the response back, any clues will be
>>greatly appreciated sir/mam.
> 
> Debug ACS.
> 
>>
>>once after this is up, how do i proceed to forward/receive  these info
>>(username,password, token pass)to be confirmed for the java based
>>application
> 
> jradius module will pass request attributes (all, not just username and
> password) to jradius server. You need to read jradius documentation to
> see how to process them and configure reply.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Alan DeKok
Bruno Noronha wrote:
> Sorry but what you said doesn't make any sense to me. The default config
> didn't work.

Then something on *your* system is preventing it from working.

> How can you explain the same alarms even after changing the
> permissions to everyone? 

  I don't.  It's *your* system.  FreeRADIUS isn't generating those
errors.  The OS on your system is telling FreeRADIUS that it can't read
those files.

  If you don't understand how your OS works, then you need to solve that
problem before you spend any more time with FreeRADIUS.

  Alan DeKok.


Re: unlang question

2009-03-20 Thread Bruce_M_Richardson
> if(("%{request:Service-Type}" == 'whatever') && 
> ("%{request:Stripped-User-Name}" !~
> /visitor[0-9]?[0-9]/i)) {
>reject
> }

> I don't think naked attribute names were supported in 2.0.5..

Thanks Ivan and Arran, in fact there is only one Service-Type (Login-User).

so I changed my authorize section to ...

authorize {
#
preprocess
prefix
eap {
ok = return
}
ldap
# Just the Visitors please !!
if("%{request:Stripped-User-Name}" !~ 
/visitor[0-9]?[0-9]/i) {reject}
expiration
logintime
}

and now radiusd will not start .. 

/usr/local/etc/raddb/sites-enabled/all[182]: EOF reached without closing 
brace for section server starting at line 115
Errors reading /usr/local/etc/raddb/radiusd.conf

I've also tried Ivan's version with the same results. 

Commenting out the 'if' statement fixes the issue, and I can't see any 
missing braces. 
Am I putting it in the wrong place, or is the syntax wrong ?

Bruce


 Please consider the environment - do you really need to print this email?





This e-mail and any attachments are confidential and solely for the use of the 
intended recipient.  They may contain material protected by legal professional 
or other privilege. If you receive it in error, please delete it from your 
system, make no copies of it, do not disclose its contents to any third party 
or use it for your own or any other person's benefit. Please advise the sender 
of its receipt as soon as possible. Although this email and its attachments are 
believed to be free of any virus or other defect, it is the responsibility of 
the recipient to ensure that they are virus free and no responsibility is 
accepted by the company for any loss or damage arising from receipt or use 
thereof. Any opinions expressed that do not relate to the official business of 
the company are those of the author, not the United Biscuits group of companies.

United Biscuits (UK) Limited Registered in England number 2506007 Registered 
Office: Hayes Park, Hayes End Road, Hayes, Middlesex, UB4 8EE

RE: Perl/Peap-MSChapV2 Issues

2009-03-20 Thread Adam W. Sewell
I removed the DEFAULT Auth-Type = Perl since you said it wasn't used.

I removed the update control from the authorize in inner-tunnel.

Here's the new log. Thanks for the help.

Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.240.78 port 3083, 
id=11, length=101
Acct-Status-Type = Stop
Acct-Session-Id = "0005"
User-Name = "testUser"
NAS-IP-Address = 192.168.240.78
NAS-Port = 4
Calling-Station-Id = "00-16-D3-30-E5-74"
Acct-Delay-Time = 0
Acct-Session-Time = 72
Acct-Authentic = RADIUS
Acct-Terminate-Cause = Lost-Carrier
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 
192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = 
"0005",User-Name = "testUser"'
rlm_acct_unique: Acct-Unique-Session-ID = "4675a10eb3ec92c2".
++[acct_unique] returns ok
++[files] returns noop
+- entering group accounting
expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/192.168.240.78/detail-20090320
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.240.78/detail-20090320
expand: %t -> Fri Mar 20 07:52:25 2009
++[detail] returns ok
++[unix] returns ok
expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
expand: %{User-Name} -> testUser
++[radutmp] returns ok
expand: %{User-Name} -> testUser
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 192.168.240.78 port 3083
Finished request 0.
Cleaning up request 0 ID 11 with timestamp +3
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=235, length=152
Message-Authenticator = 0x7d2d05eba9f44b4f560221d152a604d6
User-Name = "testUser"
NAS-IP-Address = 192.168.240.78
NAS-Port = 4
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-16-D3-30-E5-74"
EAP-Message = 0x0201000d016c6a61636b736f6e
Framed-MTU = 1000
Called-Station-Id = "0001F4-B6-1B-80\0004"
NAS-Identifier = "HOKDORM_01953_M48"
NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.240.78 port 3085
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x01bfa13001bdb807fc4539ef1278734e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=236, length=249
Message-Authenticator = 0xae6d806c5e45d7aa21bbaee13239c841
User-Name = "testUser"
State = 0x01bfa13001bdb807fc4539ef1278734e
NAS-IP-Address = 192.168.240.78
NAS-Port = 4
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-16-D3-30-E5-74"
Called-Station-Id = "00-01-F4-B6-1B-80"
Framed-MTU = 1000
EAP-Message = 
0x0202005c19001603010051014d030149c3987c0e37eb6c0bac727f1287e3f6cd86
2647f846d214e820432669caf4482600390038003500160013000a00330032002f00
050004001500120009001400110008000600030100
NAS-Identifier = "HOKDORM_01953_M48"
NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 2 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_ea

Re: Login to Cisco devices through freeradius

2009-03-20 Thread A . L . M . Buxey
Hi,
> There is nothing related to eap to comment out in these files...
> Should I create a certificate? Is it compulsory?

hang on - do you actually HAVE any EAP cert/CA files that you are referencing 
in eap.conf?

read eap.conf - see what files it is trying to read (cert, CA , pkcs12, random, 
etc)
and check you actually HAVE those files.  if you have those files, then ensure 
that the 
permissions for the directory and files are suitable for reading - you DONT 
EVER want 777

with 777 i could own your server and take over your infrastructure - you only 
want read
permissions on the files...for the relevant user that the freeradius daemon is 
running as
(usually radiusd)

what does 

id radiusd


give as output?

alan
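The advice above, as an added example that is not part of the list thread: a POSIX shell audit of a raddb certs tree that flags entries writable by group or others (what chmod 777 produces), private keys readable by every local account, and files the daemon user could not read. The directory and the daemon user are arguments (defaulting to the usual radiusd); treating *.key and *.p12 as private key files is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the list thread.  Audits a FreeRADIUS certs tree for
# the permission mistakes discussed above.  Assumptions: the daemon user
# defaults to "radiusd"; private keys are named *.key or *.p12.

# can_read_as FILE USER: 0 if USER can read FILE, judged purely from owner,
# group and mode bits (no su needed, so it works for users that cannot log in;
# it deliberately does not model root's ability to read anything).
can_read_as() {
    file=$1
    user=$2
    set -- $(ls -ld "$file")               # $1=mode string, $3=owner, $4=group
    mode=$1
    owner=$3
    group=$4
    case $mode in ????????r*) return 0 ;; esac         # others may read
    if [ "$owner" = "$user" ]; then
        case $mode in ?r*) return 0 ;; esac            # owner may read
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do         # one of USER's groups?
        if [ "$g" = "$group" ]; then
            case $mode in ????r*) return 0 ;; esac     # group may read
        fi
    done
    return 1
}

# audit_raddb_perms DIR [USER]: prints one line per finding.
# Returns 0 when the tree is clean, 1 when there are findings, 2 on a bad DIR.
audit_raddb_perms() {
    dir=$1
    svc_user=${2:-radiusd}
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # (1) Anything writable by group or others lets another local account
    #     replace the CA or server certificate; chmod 777 trips this everywhere.
    bad=$(find "$dir" \( -perm -020 -o -perm -002 \) -print | sort)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WRITABLE BY GROUP OR OTHERS: /'
        rc=1
    fi

    # (2) Private key material readable by every local account.
    keys=$(find "$dir" -type f \( -name '*.key' -o -name '*.p12' \) -perm -004 -print | sort)
    if [ -n "$keys" ]; then
        printf '%s\n' "$keys" | sed 's/^/WORLD-READABLE KEY: /'
        rc=1
    fi

    # (3) Files the daemon user cannot read: the "permission denied" symptom.
    unreadable=$(find "$dir" -type f -print | sort | while read -r f; do
        can_read_as "$f" "$svc_user" || echo "$f"
    done)
    if [ -n "$unreadable" ]; then
        printf '%s\n' "$unreadable" | sed "s/^/NOT READABLE BY $svc_user: /"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_raddb_perms /etc/raddb/certs radiusd` on the real tree; a non-zero exit with no output at all means the directory argument was wrong, not that the tree is clean.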


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
There is nothing related to eap to comment out in these files...
Should I create a certificate? Is it compulsory?

2009/3/20 sollunga 

>
> try commenting out the eap module in both radiusd.conf and
> sites-available/default, inner-tunnel, then try starting radiusd -X
>
>
>
> tnt-4 wrote:
> >
> >>Sorry but what you said doesn't make any sense to me. The default config
> >>didn't work. How can you explain the same alarms even after changing the
> >>permissions to everyone? The message containing "permission denied"
> >>remains..It's strange, unless I have forgotten to change permission of a
> >>directory. I was expecting something like "unsecure permissions" which
> >>didn't happen.
> >>
> >
> > Do you have something like selinux preventing access?
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >

Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread tnt
>finally i had some luck i guess, now the radius does authentication, but
>jradius simulator says timed out, could be ACS is not passing the
>information to simulator i feel. though i am using ACS proxy distribution
>table, still simulator is not getting the response back, any clues will be
>greatly appreciated sir/mam.

Debug ACS.

>
>once after this is up, how do i proceed to forward/receive  these info
>(username,password, token pass)to be confirmed for the java based
>application

jradius module will pass request attributes (all, not just username and
password) to jradius server. You need to read jradius documentation to
see how to process them and configure reply.

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread sollunga

try commenting out the eap module in both radiusd.conf and
sites-available/default, inner-tunnel, then try starting radiusd -X



tnt-4 wrote:
> 
>>Sorry but what you said doesn't make any sense to me. The default config
>>didn't work. How can you explain the same alarms even after changing the
>>permissions to everyone? The message containing "permission denied"
>>remains..It's strange, unless I have forgotten to change permission of a
>>directory. I was expecting something like "unsecure permissions" which
>>didn't happen.
>>
> 
> Do you have something like selinux preventing access?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 


Re: unlang question

2009-03-20 Thread Arran Cudbard-Bell

On 20/3/09 12:25, t...@kalik.net wrote:

>> I do not want visitors to be able to get onto the original service, and I
>> do not want normal users to get onto the visitor service.
>>
>> My thoughts are to set up a new virtual server and add an 'if' statement
>> to look for the visitor user names, and reject or allow as necessary.
>>
>> something like this in the new virtual server
>>
>> if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }
>>
>> and the inverse for the old service.
>>
>> if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }
>>
>> Is this syntax correct ? and where do I put it?
>
> What about the service? You probably want:

if(("%{request:Service-Type}" == 'whatever') && 
("%{request:Stripped-User-Name}" !~
/visitor[0-9]?[0-9]/i)) {
reject
}

I don't think naked attribute names were supported in 2.0.5..

> That goes in authorize section.
>
> Ivan Kalik
> Kalik Informatika ISP



--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
I don't think so. I'm using SUSE 11.0, is there any problem with that?

2009/3/20 

> >Sorry but what you said doesn't make any sense to me. The default config
> >didn't work. How can you explain the same alarms even after changing the
> >permissions to everyone? The message containing "permission denied"
> >remains..It's strange, unless I have forgotten to change permission of a
> >directory. I was expecting something like "unsecure permissions" which
> >didn't happen.
> >
>
> Do you have something like selinux preventing access?
>
> Ivan Kalik
> Kalik Informatika ISP
>

Re: Freeradius+Java application api call and authenticate

2009-03-20 Thread sollunga

finally i had some luck i guess, now the radius does authentication, but
jradius simulator says timed out, could be ACS is not passing the
information to simulator i feel. though i am using ACS proxy distribution
table, still simulator is not getting the response back, any clues will be
greatly appreciated sir/mam.

once after this is up, how do i proceed to forward/receive  these info
(username,password, token pass)to be confirmed for the java based
application

i know i am in total confusion mode, but some kind of help will be helpful
for me to look towards right direction..



rlm_jradius: reading attribute: type=1259012097; len=1
rlm_jradius: Released JRadius socket id: 6
++[jradius] returns updated
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[files] users: Matched entry d...@mydomain.com at line 90
[files] expand: Hello, %{User-Name} -> Hello, d...@mydomain.com
++[files] returns ok
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "d...@mydomain.com" with CHAP password
[chap] Using clear text password "hello" for user d...@mydomain.com
authentication.
[chap] chap user d...@mydomain.com authenticated succesfully
++[chap] returns ok
Login OK: [...@mydomain.com/] (from client mydomain port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 2 to 192.168.0.50 port 2773
Reply-Message = "Hello, d...@mydomain.com"
Proxy-State = 0x434953434f3a30
Finished request 1.
Going to the next request
Waking up in 1.9 seconds.
Cleaning up request 1 ID 2 with timestamp +13
Ready to process requests.




sollunga wrote:
> 
> thanks ivan for the quick reply, will get back to you shortly
> 
> 
> 
> sollunga wrote:
>> 
>> i am using Cisco ACS for authenticating my vpn users, now i thought of
>> using two factor auth in place against the direct authentication by ACS,
>> on this process one of the googling guided me to try proxying the ACS to
>> Freeradius and call some scripts to talk to the java application. now by
>> making the ACS to do proxying at network configuration, i can see the
>> request is flowing to freeradius from ACS, and the freeradius does 
>> 
>> ""
>> [chap] rlm_chap: Attribute "User-Name" is required for authentication.
>> ++[chap] returns invalid
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} ->
>> ++[attr_filter.access_reject] returns noop
>> Delaying reject of request 27 for 1 seconds
>> 
>> ""
>> 
>> after a while it says
>> 
>> ""
>> [pap] Found existing Auth-Type, not changing it.
>> ++[pap] returns noop
>> Found Auth-Type = CHAP
>> +- entering group CHAP {...}
>> [chap] login attempt by "Doe" with CHAP password
>> [chap] Using clear text password "hello" for user Doe authentication.
>> [chap] chap user Doe authenticated succesfully
>> ++[chap] returns ok
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 63 to
>> 
>> ""
>> i am trying to figure out where could be the issue
>> 
>> once after this process, i need to send the same to a java application
>> and get a success status from there and authenticate this user.
>> 
>> could it be possible?
>> 
>> team i am a newbie here, i am just a sys admin, and now trying extend my
>> knowledge, please help me.
>> 
> 
> 



Re: unlang question

2009-03-20 Thread tnt
>I do not want visitors to be able to get onto the original service, and I
>do not want normal users to get onto the visitor service.
>
>My thoughts are to set up a new virtual server and add an 'if' statement
>to look for the visitor user names, and reject or allow as necessary.
>
>something like this in the new virtual server
>
>if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }
>
>and the inverse for the old service.
>
>if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }
>
>Is this syntax correct ? and where do I put it?

What about the service? You probably want:

if( Service-Type == whatever && Stripped-User-Name !=
/visitor[0-9]?[0-9]/i ) {
 reject
}

That goes in authorize section.

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread tnt
>Sorry but what you said doesn't make any sense to me. The default config
>didn't work. How can you explain the same alarms even after changing the
>permissions to everyone? The message containing "permission denied"
>remains..It's strange, unless I have forgotten to change permission of a
>directory. I was expecting something like "unsecure permissions" which
>didn't happen.
>

Do you have something like selinux preventing access?

Ivan Kalik
Kalik Informatika ISP



Re: Login to Cisco devices through freeradius

2009-03-20 Thread Bruno Noronha
Sorry but what you said doesn't make any sense to me. The default config
didn't work. How can you explain the same alarms even after changing the
permissions to everyone? The message containing "permission denied"
remains..It's strange, unless I have forgotten to change permission of a
directory. I was expecting something like "unsecure permissions" which
didn't happen.

2009/3/20 Alan DeKok 

> Bruno Noronha wrote:
> > I issued "chmod 777 *" in every directory related to freeradius.
>
>   Don't do that.  Ever.
>
>  The server comes with a default configuration that WORKS.  The only
> reason that it doesn't have permission to read those files is because
> YOU changed the configuration so that the server doesn't have permission.
>
>  Why are so many people insistent on breaking the working
> configuration?  Where else do we need to document "DON'T BREAK IT" ?
>
>  Alan DeKok.

unlang question

2009-03-20 Thread Bruce_M_Richardson
Hi,

I have freeRADIUS 2.0.5 authenticating against LDAP via eap and this has 
been working perfectly since last year. 
Now I have a new requirement to authenticate another set of users in the 
same LDAP tree onto a different service. 
These users will be visitors to our site and will have the user names 
Visitor1 ... Visitor(nn)

I do not want visitors to be able to get onto the original service, and I 
do not want normal users to get onto the visitor service.

My thoughts are to set up a new virtual server and add an 'if' statement 
to look for the visitor user names, and reject or allow as necessary. 

something like this in the new virtual server

if ( Stripped-User-Name != /visitor[0-9]?[0-9]/i ) { reject }

and the inverse for the old service. 

if ( Stripped-User-Name =~ /visitor[0-9]?[0-9]/i ) { reject }

Is this syntax correct ? and where do I put it?

Thanks for your time ...regards,

Bruce Richardson



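As an added example (not from the thread), a way to check the visitor pattern against sample Stripped-User-Name values before it goes into an unlang "if" block: unlang regexes are POSIX extended regexes with /i meaning case-insensitive, which is what grep -Ei evaluates. It goes beyond the thread by also checking an anchored variant, since the pattern as posted matches anywhere inside the name; the sample names are constructed.

```shell
#!/bin/sh
# Added example, not from the list thread.  Checks a visitor-name regex against
# sample Stripped-User-Name values before it is used in an unlang "if".
# Unlang regexes are POSIX extended regexes and /i means case-insensitive,
# which is exactly what grep -Ei evaluates (=~ matches, !~ is its negation).

VISITOR_RE_THREAD='visitor[0-9]?[0-9]'      # as posted: matches anywhere in the name
VISITOR_RE_STRICT='^visitor[0-9]?[0-9]$'    # whole name must be visitorN or visitorNN

# Sample names, constructed for this example.
VISITORS='visitor1 Visitor12 VISITOR99'
NOT_VISITORS='alice bob.smith advisitor12 visitor123 visitor1.admin'

# matches NAME PATTERN: 0 if NAME matches PATTERN, like =~ in unlang.
matches() {
    printf '%s\n' "$1" | grep -Eiq -e "$2"
}

# check_pattern PATTERN WANT DONT: prints every name the pattern classifies
# wrongly and returns the number of misclassifications (0 means it is safe).
check_pattern() {
    pat=$1
    bad=0
    for n in $2; do                       # real visitors must match
        matches "$n" "$pat" || { echo "MISSED: $n"; bad=$((bad + 1)); }
    done
    for n in $3; do                       # everyone else must not
        matches "$n" "$pat" && { echo "OVERMATCH: $n"; bad=$((bad + 1)); }
    done
    return $bad
}

# is_visitor NAME: the decision the visitor virtual server would make with the
# anchored pattern; the authorize section would "reject" when this fails.
is_visitor() {
    matches "$1" "$VISITOR_RE_STRICT"
}

echo "pattern as posted:"
check_pattern "$VISITOR_RE_THREAD" "$VISITORS" "$NOT_VISITORS"
echo "anchored pattern:"
check_pattern "$VISITOR_RE_STRICT" "$VISITORS" "$NOT_VISITORS"
```

With the sample names, the pattern as posted reports three overmatches (advisitor12, visitor123, visitor1.admin) and the anchored one reports none.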

modules instance name restrictions

2009-03-20 Thread Thibault Le Meur

Hi,

I recently came across a small issue concerning module instance names 
(especially when they set Auth-Type).


* I defined my own pap module with the name 'pap-myorg' and expected it 
to set Auth-Type to PAP-MYORG, but in fact it wasn't setting the 
Auth-Type at all (moreover I saw no notice in the log about not being 
able to set the Auth-Type).
* I changed the instance name to 'papmyorg' and now the module sets the 
Auth-Type to PAPMYORG.


I tried to find in the doc where the restrictions on module instance 
names were defined, but didn't find any reference to this. And given 
the fact that some standard modules have specific chars such as '_' or 
'-', I thought there were few constraints.


Is there any module instance naming convention written somewhere in the 
provided documentation (or online)?
Maybe it could be interesting to have a warning in the radius debug 
log in order to notify the administrator that Auth-Type wasn't set due 
to module naming restrictions?


Best regards,
Thibault





Re: radclient: problem with exit code 0 and 1

2009-03-20 Thread oz

Hello,

Alan DeKok wrote:

  I've committed a fix that will be in the next release of the server.
If you need this functionality, upgrade.


I tried your git repository as described on freeradius.org. I do not understand 
the versioning scheme, but I downloaded the fixed stable tree (upcoming 2.1.5?) 
and built it without 'make install' on my AMD64 machine. The problem in 
radclient is fixed, thank you Alan!


I just had to append the new dictionary path in my scripts, because the 
dictionaries of my old inst do not work with the new radclient:


./radclient -d /usr/local/src/radiusd/share -f /home/me/radpacket -x 
192.168.X.X:1812 auth secret123


Thanks for your fast help!

oz
