Re: Authentication with Active Directory with CHAP Passwords
Luiz Gustavo de Villa Scandelari wrote:
> I would like to receive some help on authentication with AD using CHAP
> Passwords.

http://deployingradius.com/documents/protocols/compatibility.html

It's impossible. Use a real LDAP server.

> I suppose that happens because I cannot read the AD user password,
> right?

Yes.

> The important is that works with LDAP authentication.

No. It works with *clear-text password* authentication.

> The problem
> is that I have a system that sends Access-Requests with Username and
> CHAP-Passwords (CoovaChilli), so radius authorize the user but cannot
> authenticate it.

Then fix it to send User-Password.

> I've already read Alan's webpage
> (http://deployingradius.com/documents/configuration/active_directory.html)
> about integration of AD and RADIUS but I still have some questions. Can
> I use CHAP with SAMBA ntlm_auth method

The web page lists what's possible. Using Samba won't help.

> or should i need to change the
> password encryption to another protocol such as PAP or MS-CHAP? If I
> modify the coovachilli to send PAP passwords, am I going to be able to
> use ldap for authorization and authentication or do I need just plain?

You will be able to use LDAP if Chilli sends PAP requests.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Proxying accounting to create a 'tee'
vol...@ufamts.ru wrote:
> Alan DeKok wrote:
>> Yes. Just configure "sql" in the accounting section, *and* configure
>> it to proxy.
>>
>> Alan DeKok.
> But if proxy does not respond, FR will insert duplicate records into SQL
> table :( Is there some way to avoid it?

What do you mean "duplicate records"?

Alan DeKok.
RE: MSCHAP Authentication Issue
> Well... that's a good reason to make sure we do it right. Any day
> where we can replace another RADIUS server with FreeRADIUS is a good day.

My feelings exactly :)

> I suspect that it will. The mschap module should also pass the Name
> field when calling ntlm_auth, too. And maybe print a warning if the
> fields are different.

I constructed a test program by extracting challenge_hash from rlm_mschap.c (and all supporting functions). I then extracted the peer challenge, authenticator challenge and NT-Response from the debug output of a failed request (User-Name was all lowercase, Name field was mixed case). I called challenge_hash with the all lowercase userid (to ensure it generated the same challenge as the failed request) - the challenge was identical. I then generated another challenge with the userid from the Name field in the response. Then, I executed ntlm_auth manually with the original challenge and the new challenge. The original failed (as I expected) and, lo and behold, the new challenge (created using the Name field's userid) succeeded!

I will now proceed to create a patch. I was planning to do a strncasecmp to ensure the only difference between the userid part of User-Name and the userid part of the Name field is case. If there are non-case differences, do you think a RLM_REJECT is in order or do you think it should just warn and use whatever is present (I can't think of a normal case where this would occur, but if you think this is better, then I would definitely use the Name field for the username parameter too)? I was thinking of rejecting the request, in this case, so this couldn't be used to bypass authorization.

Interestingly, I copied the challenge and response from a successful and failed attempt and manually called ntlm_auth varying the case of the --username parameter and it didn't affect the results. In other words, --username=MYUSER or --username=myuser or --username=MyuseR all behave the same if the --challenge and --nt-response are correct.
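The experiment described above, as an added example that is not code from rlm_mschap.c or ntlm_auth: the MS-CHAPv2 ChallengeHash of RFC 2759 section 8.2, computed for the two spellings of the user name from the failing test case, together with the case-only comparison proposed for the patch. The 16-byte challenges are constructed for the demo.

```python
"""Added example (not rlm_mschap.c or ntlm_auth): RFC 2759 ChallengeHash and the
case-only User-Name / Name-field check sketched in the thread."""
import hashlib
from typing import Optional

# Constructed sample challenges (16 bytes each, as MS-CHAPv2 requires).
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))


def user_part(name: str) -> str:
    """Strip an optional DOMAIN\\ prefix: RFC 2759 hashes only the user portion."""
    return name.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    These 8 bytes are the DES challenge that ntlm_auth receives as --challenge,
    so any byte-level difference in UserName (including letter case) produces a
    different challenge, and the client's NT-Response no longer verifies.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    digest = hashlib.sha1()
    digest.update(peer_challenge)
    digest.update(authenticator_challenge)
    # The RFC treats UserName as a byte string; ASCII names are assumed here.
    digest.update(user_part(user_name).encode("utf-8"))
    return digest.digest()[:8]


def name_for_hash(user_name_attr: str, mschap_name_field: str) -> Optional[str]:
    """Policy proposed in the thread: if the user parts of User-Name and of the
    MS-CHAP2-Response Name field differ only in case, hash with the Name field
    (that is what the client hashed); if they differ otherwise, return None so
    the caller rejects rather than silently trusting either value."""
    a, b = user_part(user_name_attr), user_part(mschap_name_field)
    if a == b:
        return a
    if a.casefold() == b.casefold():
        return b
    return None


def demo() -> dict:
    """Reproduce the failing row of the test table: User-Name MYDOMAIN\\myuser,
    Name field MYDOMAIN\\MyuseR."""
    from_user_name = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "MYDOMAIN\\myuser")
    from_name_field = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, "MYDOMAIN\\MyuseR")
    return {
        "user_name_attr": from_user_name.hex(),
        "name_field": from_name_field.hex(),
        "differ": from_user_name != from_name_field,
        "hash_with": name_for_hash("MYDOMAIN\\myuser", "MYDOMAIN\\MyuseR"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two hashes differ, which is exactly why ntlm_auth reported a logon failure for that row even though the --username case on its own does not matter.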
Re: Stale Session and Simultaneous-Use Question
Me either. I am using the Simultaneous-Use attribute and got the same problem as you, but I disconnect the user that is using the Simultaneous-Use attribute manually from the radius server using this command:

radview

This command will show connected users. The user using the Simultaneous-Use attribute who forgot to log off will still be listed as a connected user and will be printed by the radview command. Select one of the users that failed to log in, because RADIUS recognizes that it is still connected, and then run this command:

echo "user1" I radclient -x

(I forgot the command, just google it.)

--- On Fri, 8/14/09, Deepak wrote:

From: Deepak
Subject: Stale Session and Simultaneous-Use Question
To: "FreeRadius users mailing list"
Date: Friday, August 14, 2009, 1:50 PM

Hi,

I am simulating the problem of what happens if the AP goes down (due to various reasons). I observed that the user is not properly disconnected and the result is a stale session. When the AP is up and the previous user tries to log in, he/she gets a login failed message because "Simultaneous-Use" is in effect while the previous session is still ticking.

I am trying to find how to detect this problem automatically. Did some googling and found this:
http://bisagunsara.blogspot.com/2007/03/stale-wifi-sessions-and-simultaneous.html

Before getting my hands dirty, I want to know if this is the correct way to solve this problem in freeradius2, since the article is quite old. Or I am just missing something that needs a few configs tweaked and is supported out of the box in freeradius2. It is suggested in the article that it will not work together with Simultaneous-Use enabled.

I want to know how others have solved this problem. Need some suggestions.

Thanks
--
==
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3
==
how i can match the number that is calling to me
Hello,

I am new to freeradius. I want to know if it is possible to restrict access to the network using the telephone number of whoever is calling for access to the network over the PPP connection. How can I use radius to match the user, password and telephone number combination as conditions for access to my network?

I will be very grateful if somebody can help me.

--
This message has reached you through the e-mail service that Infomed provides to support the fulfilment of the missions of the National Health System. The person sending this e-mail undertakes to use the service for those purposes and to comply with the established regulations.
Infomed: http://www.sld.cu/
Re: Proxying accounting to create a 'tee'
On 14/08/2009 20:43, vol...@ufamts.ru wrote:
> John Morrissey wrote:
>> I'm looking to process RADIUS accounting locally (SQL) as well as proxy
>> it to a remote host (to some third party software that also wants to
>> receive a copy of all accounting).
>>
>> Is this possible with FreeRADIUS?

Yes. Works great.

Log the Accounting-Request using the 'detail' module, and write the request to your DB using the SQL module. Then use the detail file listener (check the example file listed earlier in this thread) to proxy the Accounting-Requests off to the remote server.

So the accounting request comes in, is written to the flat file, is written to your SQL DB, and if both modules return ok an Accounting-Response is sent to the NAS. The virtual server tailing the flat file reads the request out and proxies it to the home server; if all goes well the request is removed from the file and the next request is processed. This also has the advantage of buffering requests in case the remote server goes down.

For additional tees into other DBs or remote servers, just create additional detail writer/reader pairs.

Regards,
Arran

--
Arran Cudbard-Bell, Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: Proxying accounting to create a 'tee'
> But if *proxy* does not respond, FR will insert duplicate records into SQL
> table :( Is there some way to avoid it?

Sorry, of course I meant "Home server does not respond".

Best regards,
Denis Volkov
Re: Proxying accounting to create a "tee"
On Fri, Aug 14, 2009 at 09:43:05PM +0200, Alan DeKok wrote:
> John Morrissey wrote:
> > I'm looking to process RADIUS accounting locally (SQL) as well as proxy
> > it to a remote host (to some third party software that also wants to
> > receive a copy of all accounting).
>
> Yes. Just configure "sql" in the accounting section, *and* configure
> it to proxy.

Ach, I was presuming that local processing precluded proxying (and vice versa). Thanks, Alan.

john
--
John Morrissey _o/\ __o
j...@horde.net _-< \_ / \ < \,
www.horde.net/ __(_)/_(_)/\___(_) /_(_)__
Authentication with Active Directory with CHAP Passwords
Hello everyone,

I would like to receive some help on authentication with AD using CHAP Passwords. I've already configured the radius (v 2.1.6) to authenticate in the AD (Microsoft) using LDAP and clear-text passwords; until now it works perfectly, but in the radius debug the following message appears:

rad_recv: Access-Request packet from host 192.168.0.100 port 64871, id=7, length=50
        User-Name = "1000700025"
        User-Password = "123456"
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "1000700025", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ldap] performing user authorization for 1000700025
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=1000700025)
[ldap] expand: dc=pedagogico,dc=net -> dc=pedagogico,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.17.16.4:389, authentication 0
rlm_ldap: bind as w...@pedagogico.net/w...@2009 to 172.17.16.4:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=pedagogico,dc=net, with filter (sAMAccountName=1000700025)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
--> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? <--
[ldap] Setting Auth-Type = LDAP
[ldap] user 1000700025 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "1000700025" with password "123456"
[ldap] user DN: CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and Computers,DC=PEDAGOGICO,DC=NET
rlm_ldap: (re)connect to 172.17.16.4:389, authentication 1
rlm_ldap: bind as CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and Computers,DC=PEDAGOGICO,DC=NET/123456 to 172.17.16.4:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user 1000700025 authenticated succesfully
++[ldap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 7 to 192.168.0.100 port 64871
Finished request 0.

I suppose that happens because I cannot read the AD user password, right? The important thing is that it works with LDAP authentication. The problem is that I have a system that sends Access-Requests with Username and CHAP-Passwords (CoovaChilli), so radius authorizes the user but cannot authenticate it.

I've already read Alan's webpage (http://deployingradius.com/documents/configuration/active_directory.html) about integration of AD and RADIUS but I still have some questions. Can I use CHAP with the SAMBA ntlm_auth method, or do I need to change the password encryption to another protocol such as PAP or MS-CHAP? If I modify the coovachilli to send PAP passwords, am I going to be able to use ldap for authorization and authentication, or do I need just plain?

I hope somebody can help me.

Thanks,

LUIZ GUSTAVO SCANDELARI
Skype: luiz.gustavo.wni
Re: Proxying accounting to create a 'tee'
Alan DeKok wrote:
>
> Yes. Just configure "sql" in the accounting section, *and* configure
> it to proxy.
>
> Alan DeKok.

But if proxy does not respond, FR will insert duplicate records into SQL table :( Is there some way to avoid it?

Best regards,
Denis Volkov
Proxying accounting to create a 'tee'
John Morrissey wrote:
> I'm looking to process RADIUS accounting locally (SQL) as well as proxy it
> to a remote host (to some third party software that also wants to receive a
> copy of all accounting).
>
> Is this possible with FreeRADIUS?

Check sites-available/copy-acct-to-home-server

Best regards,
Denis Volkov
Re: Proxying accounting to create a "tee"
John Morrissey wrote:
> I'm looking to process RADIUS accounting locally (SQL) as well as proxy it
> to a remote host (to some third party software that also wants to receive a
> copy of all accounting).
>
> Is this possible with FreeRADIUS?

Yes. Just configure "sql" in the accounting section, *and* configure it to proxy.

Alan DeKok.
Re: MSCHAP Authentication Issue
Garber, Neal wrote:
> I don't profess to be an MS-CHAP expert, so what I'm about to say may be
> completely off-base.. After performing many tests (see below) and
> reviewing RFC2579 and the code in rlm_mschap.c, I'm hypothesizing that
> the problem is with how rlm_mschap calculates the challenge hash that is
> passed to ntlm_auth. Specifically, rlm_mschap uses the User-Name
> attribute as part of the calculation of the hash. What I'm finding is
> that, in some cases, the User-Name attribute doesn't match the case of
> the Name field in the MS-CHAP response (i.e., the userid is the same, it
> just differs in case).

That seems to be a good explanation for it.

> Does this seem like a plausible explanation for what's happening?

Yes.

> If
> not, does anyone have any other ideas? I need to resolve this in order
> to retire two old and cranky (and fairly useless because they don't
> really do authorization) ACS servers!

Well... that's a good reason to make sure we do it right. Any day where we can replace another RADIUS server with FreeRADIUS is a good day.

> I'm going to try a change to
> rlm_mschap so it passes the Name field from the MS-CHAP response to the
> challenge_hash function (as opposed to the User-Name attribute) to see
> if that resolves the issue.

I suspect that it will. The mschap module should also pass the Name field when calling ntlm_auth, too. And maybe print a warning if the fields are different.

> I realize that ultimately it's Windows
> fault that it doesn't pass the userid with consistent case (i.e.,
> Identity vs. MS-CHAP response); but, I don't want the ACS server to be
> seen as a better, more tolerant solution. So, it would be great to make
> FR more tolerant of this aberrant behaviour.

Hmm... Microsoft is aberrant. I agree. :)

And it gets a lot worse. What do you do when the password is internationalized? Even the Microsoft people I talk to say "good luck".

Alan DeKok.
MSCHAP Authentication Issue
I realize that this issue has been brought up many times in the past. However, I believe I have new information that I haven't seen reported before..

I'm having a problem with a Windows XP supplicant authenticating to FR with PEAP/MSCHAPv2 where authentication fails "sometimes" depending upon various factors. The same device I'm using to test wireless authentication never has an issue authenticating to my old dain-bramaged Cisco ACS servers. As a result, I decided to investigate what might be different about FreeRadius (perhaps Samba, I thought, but didn't want to make assumptions).

I don't profess to be an MS-CHAP expert, so what I'm about to say may be completely off-base.. After performing many tests (see below) and reviewing RFC2579 and the code in rlm_mschap.c, I'm hypothesizing that the problem is with how rlm_mschap calculates the challenge hash that is passed to ntlm_auth. Specifically, rlm_mschap uses the User-Name attribute as part of the calculation of the hash. What I'm finding is that, in some cases, the User-Name attribute doesn't match the case of the Name field in the MS-CHAP response (i.e., the userid is the same, it just differs in case). In the tests I've performed, when these userids don't match in case, I get a Logon Failure from ntlm_auth. I'd really like this to "just work", as is commonly said around these parts, without additional gymnastics (such as changing all userids to lowercase).

Does this seem like a plausible explanation for what's happening? If not, does anyone have any other ideas? I need to resolve this in order to retire two old and cranky (and fairly useless because they don't really do authorization) ACS servers!

I'm going to try a change to rlm_mschap so it passes the Name field from the MS-CHAP response to the challenge_hash function (as opposed to the User-Name attribute) to see if that resolves the issue. I realize that ultimately it's Windows' fault that it doesn't pass the userid with consistent case (i.e., Identity vs. MS-CHAP response); but, I don't want the ACS server to be seen as a better, more tolerant solution. So, it would be great to make FR more tolerant of this aberrant behaviour.

Thanks in advance for any advice/help/suggestions you can provide..

Here's what I tested and what I observed that caused me to draw the above conclusion:

Background: Windows XP SP3 laptop using std. Windows wireless supplicant EAP/PEAP/MS-CHAPv2 -> Cisco 1232AP -> FR 2.1.6 (with rlm_perl patch) running on FreeBSD 7.2. In all the tests below, the same SSID, wireless network configuration on the laptop, AP, userid and password were used (the domain and user listed below are contrived, but are representative of the case I saw in the debug output).

Test 1
  Laptop logon method:                  Domain logon (via Ethernet) with all lowercase userid entered on gina
  Wireless credentials passed (man/auto): Manually entered all lowercase userid when supplicant prompted
  MS-CHAP response packet Name field:   MYDOMAIN\myuser
  User-Name request attribute:          MYDOMAIN\myuser
  ntlm_auth authentication result:      SUCCESS

Test 2
  Laptop logon method:                  Domain logon (via Ethernet) with all lowercase userid entered on gina
  Wireless credentials passed (man/auto): Supplicant configured to auto. pass Windows credentials
  MS-CHAP response packet Name field:   MYDOMAIN\MyuseR
  User-Name request attribute:          MYDOMAIN\myuser
  ntlm_auth authentication result:      Logon failure (0xc06d)

Test 3
  Laptop logon method:                  Locally cached credentials (on laptop) with all lowercase userid entered on gina
  Wireless credentials passed (man/auto): Manually entered all uppercase userid when supplicant prompted
  MS-CHAP response packet Name field:   MYUSER
  User-Name request attribute:          MYUSER
  ntlm_auth authentication result:      SUCCESS

Test 4
  Laptop logon method:                  Locally cached credentials (on laptop) with all lowercase userid entered on gina
  Wireless credentials passed (man/auto): Manually entered all lowercase userid when supplicant prompted
  MS-CHAP response packet Name field:   myuser
  User-Name request attribute:          myuser
  ntlm_auth authentication result:      SUCCESS

Test 5
  Laptop logon method:                  Locally cached credentials (on laptop) with all lowercase userid entered on gina
  Wireless credentials passed (man/auto): Supplicant configured to auto. pass Windows credentials
  MS-CHAP response packet Name field:   MYDOMAIN\MyuseR
  User-Name request attribute:          MYDOMAIN\MyuseR
  ntlm_auth authentication result:      SUCCESS
Proxying accounting to create a "tee"
I'm looking to process RADIUS accounting locally (SQL) as well as proxy it to a remote host (to some third party software that also wants to receive a copy of all accounting).

Is this possible with FreeRADIUS?

john
Re: Escaping things
Stun Box wrote:
> The mystery is why there is two backslash for each "User-Name"
> excepted in the accounting request ? (I ask, because it does the mess
> in my sql base for accounting).

Because the server understands \t, ", and \n in strings. For this to work, it has to treat the backslash character as special.

Alan DeKok.
RE: PEAP / mschapv2 Error Messages
> Depends on the NAS. But yeah, doing this breaks things. The best thing you
> can do is log the error in the post-auth section.

In V1 of FR, the rlm_mschap module used to create a Module-Failure-Message request attribute containing the output of ntlm_auth, if ntlm_auth failed (rlm_ldap does this too on user not found). This code was removed in V2. I've tried adding it back in but it doesn't work because in V2 another trip occurs after the failure. So, the Module-Failure-Message attribute no longer exists when the reject is issued.

I'd like to capture the ntlm_auth output for logging purposes and need it available when the reject is sent. I've thought about storing it in the eap handler so it survives the next trip; but, I'm not sure if this is the best alternative. Does this seem like a reasonable solution or can you think of a better approach?

Just to be clear, I'm not proposing sending this info back to the NAS, just capturing it for logging (so that if the user calls our help desk, they can determine why the authentication failed by looking in the log).

Thanks for your advice..
Escaping things
Hello everybody,

I'm doing some tests with wpa_supplicant (freebsd) + aironet 1252 + freeradius 2.1.6 (freebsd portage). And I have a mystery I can not explain.

I test 2 users with a domain. These are my configuration files for wpa_supplicant. They have just their first user letter mismatching.

USER_TEST ==
network={
    ssid="test_wifi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\test"
    password="test"
}

USER_NEST ==
network={
    ssid="test_wifi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\nest"
    password="test"
}

And these are the access and accounting requests for both of them:

USER_TEST ACCESS-REQ =
rad_recv: Access-Request packet from host 192.168.9.30 port 1645, id=232, length=231
        User-Name = "DOMAIN\\test"
        Framed-MTU = 1400
        ...

USER_TEST ACCOUNT-REQ ==
rad_recv: Accounting-Request packet from host 192.168.9.30 port 1646, id=144, length=229
        Acct-Session-Id = "02F0"
        Called-Station-Id = "00-24-97-B6-86-40"
        Calling-Station-Id = "00-19-5B-35-D0-96"
        Cisco-AVPair = "ssid=test_wifi"
        Cisco-AVPair = "vlan-id=568"
        Cisco-AVPair = "nas-location=unspecified"
        User-Name = "DOMAIN\\test"
        ...

USER_NEST ACCESS-REQ =
rad_recv: Access-Request packet from host 192.168.9.30 port 1645, id=222, length=231
        User-Name = "DOMAIN\\nest"
        Framed-MTU = 1400
        ...

USER_NEST ACCOUNT-REQ ==
rad_recv: Accounting-Request packet from host 192.168.9.30 port 1646, id=146, length=233
        Acct-Session-Id = "02F2"
        Called-Station-Id = "00-24-97-B6-86-40"
        Calling-Station-Id = "00-19-5B-35-D0-96"
        Cisco-AVPair = "ssid=test_wifi"
        Cisco-AVPair = "vlan-id=14"
        Cisco-AVPair = "nas-location=unspecified"
        User-Name = "DOMAIN\nest"
        ...

The mystery is why there are two backslashes for each "User-Name" except in the accounting request? (I ask, because it makes a mess in my sql base for accounting).

Thanks for reading,
G.
Re: Authentication with mschap
I forgot a couple of lines of the debugging I want to add. It almost seems to me that Radius isn't getting the password from the client.

- Original Message -
From: "Eric Bourkland"
To: "FreeRadius users mailing list"
Sent: Friday, August 14, 2009 9:40:08 AM GMT -05:00 US/Canada Eastern
Subject: Authentication with mschap

Need some help pointing me in the right direction. I think I know what the problem is but I don't know where to look. I think the problem is my freeRadius server and openLDAP server are not talking perfectly. I am trying to do MS-CHAPv2 authentication so that windows machines can connect to our access point without having to install additional software.

One of the glaring things that jumps out at me is that in the logs/debugging it says Message-Authenticator = 0x00...

It looks like it is trying the correct authentication:

...
No Cleartext-Password configured. Cannot create LM-Password
No Cleartext-Password configured. Cannot create NT-Password
Told to do MS-CHAPv2 for test.user with NT-Password
FAILED: No NT/LM-Password. Cannot perform authentication.
FAILED: MS-CHAP2-Response is incorrect.
...

and then the error message:

peap got tunnel reply code3
MS-CHAP-Error = "\007E=691 R=1"

Okay, that message is pretty clear to me, but I do have an NT-Password in sambaNTPassword, and it is populated/stored in NT hash format, and there is a mapping in ldap.attrmap:

checkItem NT-Password sambaNtPassword

I haven't done anything funky with the config files like setting Auth-Type = to anything; I've read enough that it is a big no-no. The only thing I've done is uncomment a few things so that it will use ldap. And everything works when I use radtest, so I know my connection to my ldap server is okay, but radtest is using a different protocol, as I've been learning through this whole experience.

If anyone can point me in the right direction I would greatly appreciate it.

Thanks,
Authentication with mschap
Need some help pointing me in the right direction. I think I know what the problem is but I don't know where to look. I think the problem is my freeRadius server and openLDAP server are not talking perfectly. I am trying to do MS-CHAPv2 authentication so that windows machines can connect to our access point without having to install additional software.

One of the glaring things that jumps out at me is that in the logs/debugging it says Message-Authenticator = 0x00...

It looks like it is trying the correct authentication:

...
Told to do MS-CHAPv2 for test.user with NT-Password
FAILED: No NT/LM-Password. Cannot perform authentication.
FAILED: MS-CHAP2-Response is incorrect.
...

and then the error message:

peap got tunnel reply code3
MS-CHAP-Error = "\007E=691 R=1"

Okay, that message is pretty clear to me, but I do have an NT-Password in sambaNTPassword, and it is populated/stored in NT hash format, and there is a mapping in ldap.attrmap:

checkItem NT-Password sambaNtPassword

I haven't done anything funky with the config files like setting Auth-Type = to anything; I've read enough that it is a big no-no. The only thing I've done is uncomment a few things so that it will use ldap. And everything works when I use radtest, so I know my connection to my ldap server is okay, but radtest is using a different protocol, as I've been learning through this whole experience.

If anyone can point me in the right direction I would greatly appreciate it.

Thanks,
Re: PEAP / mschapv2 Error Messages
On 14/08/2009 07:51, Alan DeKok wrote:
> Michael Bryant wrote:
>> unlang? set a variable to the value of MS-CHAP-Error and then set the
>> Reply-Message to be some text with that variable in it. Unfortunately,
>> this sends it back in the next packet, which is an Access-Challenge, not
>> in the final Access-Reject.
>
> Sending Reply-Message in an Access-Reject is not permitted for EAP
> sessions. It is also not supported by any NAS.

Sending a Reply-Message is not permitted in any packet where an EAP-Message attribute is included.

> What you want to do is impossible. Even if you get FreeRADIUS to send
> a Reply-Message, it will get ignored by the NAS and the client PC. As a
> result, the message will do *nothing* useful.

Depends on the NAS. But yeah, doing this breaks things. The best thing you can do is log the error in the post-auth section. If you want the users to fix the issues themselves, then it'd be pretty easy to write a small web app to look through the failure codes and convert them into something humanly readable.

Arran
Re: Problem with MAC authorization..(again)
On 14/08/2009 07:57, Alan DeKok wrote:
> Sunardo Panjaitan wrote:
>> This the output of radiusd -X :
>> rad_recv: Access-Request packet from host 10.1.0.6 port 1024, id=5, length=139
>> ...
>> EAP-Message = 0x0201000501
>> ...
>> Found Auth-Type = Accept
>> Auth-Type = Accept, accepting the user
>
> You can't do that for EAP. It might work sometimes, but not regularly.

Indeed. And if you do that, you need to return an EAP-Success in the Access-Accept.

>> But the client can't connect. Anybody can help me???

You're short-circuiting an EAP exchange, which really won't work. The examples were meant for pure RADIUS based mac-auth. If you're using EAP, you really want mac-authz.

Please advise on what EAP method you're using (PEAP/TTLS etc...) and we may be able to help you further. Manufacturing accepts will work with some EAP methods such as EAP-MD5 and EAP-TTLS-PAP, but not with methods such as EAP-TTLS-MSCHAPv2 or EAP-PEAP.

Regards,
Arran
Problem authenticating cleartext-passwords locally and proxy realms
Hello.

I want freeradius to authenticate users with Cleartext-Password locally and proxy others with realms. I use SQL for users, groups, nas and huntgroups.

The problem: When logging in with the user with Cleartext-Password, all passwords are accepted. The proxied users need the correct password. What am I missing? Please help.

My set up consists of:

AAA Client -> Freeradius 2.1.6 with MySQL -> RADIUS-server

##sites-enabled/default authorize section

# SQL query huntgroups
update request {
        Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}"
}
#
#
# SQL query Proxy-To-Realm
#
update control {
        Proxy-To-Realm := "%{sql:select authserver from authmethod where username =\"%{User-Name}\"}"
}

radhuntgroup table:

mysql> select * from radhuntgroup;
+----+-------------+--------------+-----------+
| id | groupname   | nasipaddress | nasportid |
+----+-------------+--------------+-----------+
|  4 | VPN-service | x.x.x.x      | NULL      |
+----+-------------+--------------+-----------+

radgroupcheck table:

mysql> select * from radgroupcheck;
+----+-----------+----------------+----+-------------+
| id | groupname | attribute      | op | value       |
+----+-----------+----------------+----+-------------+
|  8 | VPN-AUTH  | Huntgroup-Name | == | VPN-Service |
|  9 | VPN-AUTH  | Auth-Type      | := | Accept      |
+----+-----------+----------------+----+-------------+

usergroup table:

mysql> select * from usergroup;
+--------------+-----------+----------+
| UserName     | GroupName | priority |
+--------------+-----------+----------+
| testuser     | VPN-AUTH  |        0 |
| safewordtest | VPN-AUTH  |        0 |
+--------------+-----------+----------+

users file:

# On no match, the user is denied access.
DEFAULT Auth-Type := Reject

Users are defined in radcheck. testuser is to be authenticated locally; safewordtest is to be proxied (table authmethod).

mysql> select * from radcheck;
+----+--------------+--------------------+----+----------+
| id | username     | attribute          | op | value    |
+----+--------------+--------------------+----+----------+
| 33 | testuser     | Cleartext-Password | := | testuser |
| 39 | safewordtest | Cleartext-Password | := | testttsd |
+----+--------------+--------------------+----+----------+

mysql> select * from authmethod;
+--------------+------------+----------+
| username     | authserver | priority |
+--------------+------------+----------+
| safewordtest | Safeword   |        1 |
+--------------+------------+----------+

Debug: Incorrect username/password.

rad_recv: Access-Request packet from host x.x.x.x port 1812, id=38, length=70
        User-Name = "testuser"
        User-Password = "wrongpasswordibelieve"
        NAS-IP-Address = x.x.x.x
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
        expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
        expand: select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where nasipaddress="x.x.x.x"
rlm_sql (sql): Reserving sql socket id: 3
sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}"} -> VPN-Service
++[request] returns ok
sql_xlat
        expand: %{User-Name} -> testuser
sql_set_user escaped user --> 'testuser'
        expand: select authserver from authmethod where username ="%{User-Name}" -> select authserver from authmethod where username ="testuser"
rlm_sql (sql): Reserving sql socket id: 2
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 2
        expand: %{sql:select authserver from authmethod where username ="%{User-Name}"} ->
++[control] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 204
++[files] returns ok
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testuser' ORDER BY id
[sql]   expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM u
Re: Stale Session and Simultaneous-Use Question
Search this list.. We already discussed simultaneous use and closing connections.

Deepak wrote:
> Hi,
>
> I am simulating the problem of what happens if the AP goes down (due to various reasons). I observed that the user is not properly disconnected and the result is a stale session. When the AP is up and the previous user tries to log in, he/she gets a login failed message because "Simultaneous-Use" is in effect while the previous session is still ticking.
>
> I am trying to find how to detect this problem automatically. Did some googling and found this:
> http://bisagunsara.blogspot.com/2007/03/stale-wifi-sessions-and-simultaneous.html
>
> Before getting my hands dirty, I want to know if this is the correct way to solve this problem in freeradius2, since the article is quite old. Or I am just missing something that needs a few configs tweaked and is supported out of the box in freeradius2. It is suggested in the article that it will not work together with Simultaneous-Use enabled.
>
> I want to know how others have solved this problem. Need some suggestions.
>
> Thanks