Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread Caius
Hi Ivan,

My problem was that in LDAP I have the passwords saved as SSHA, so I can't do
802.1x with EAP/PEAP/MSCHAP.

As I don't want to change my LDAP configuration to store the passwords in
clear-text, or to use samba.scheme and an NT hash, the only option
remaining from my point of view was to try and distinguish between normal
authentication and 802.1x authentication.

That's why I came up with this realm stuff: to be able to authenticate 802.1x
users in the users file (where I have users/passwords in clear-text) and normal
users in LDAP (SSHA).

That's why I was asking if it's possible, and if it's functional, or maybe there
is another solution than the one provided by Alan (to not use 802.1x) :D

Thank you again for your feedback.

Best Regards,
Caius Pargar


--- On Wed, 11/11/09, t...@kalik.net wrote:

> From: t...@kalik.net
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list"
> Date: Wednesday, November 11, 2009, 1:06 AM
>
> > I was thinking of the following:
> > to do the normal user authentication in LDAP, based on the provided realm,
> > and if no realm is present, authenticate the users in the users file.
> > Users which use 802.1x will be saved in clear-text in the users file
> > and users used for authentication for other stuff will be checked in LDAP
> > (@mydomain.com)
> >
> > or can I switch this around? a user myu...@dot1x.com will be authenticated,
> > based on the realm, in the users file for 802.1x, and a user with no realm
> > will be authenticated in LDAP?
> >
> > please tell me your opinion on this, is it possible?
>
> Use suffix and configure dot1x.com as local realm in proxy.conf:
>
> realm dot1x.com {
> }
>
> ... and you don't need multiple entries for the same user. Both users file
> and ldap module will use Stripped-User-Name for authentication by default.
>
> Ivan Kalik
> Kalik Informatika ISP


  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread Alan DeKok
Caius wrote:
> regarding your tips:
> a) I don't want to do that; maybe if I have no other choice I'll have 2 password
> attributes SSHA+NTLM, but it's a clear no to clear-text, and a maybe to NT hash

  NTLM is largely a version of MSCHAP for Active Directory.

  If you want to do PEAP authentication, you need clear-text passwords,
or NT hashes.

> b)  need it, so not gonna happen 
> 
> so, as I need to proceed further with my investigation, what are my options
> really? :D
>
> I was thinking of the following:
> to do the normal user authentication in LDAP, based on the provided realm,
> and if no realm is present, authenticate the users in the users file.
> Users which use 802.1x will be saved in clear-text in the users file
> and users used for authentication for other stuff will be checked in LDAP
> (@mydomain.com)
>
>
> or can I switch this around? a user myu...@dot1x.com will be authenticated,
> based on the realm, in the users file for 802.1x, and a user with no realm will be
> authenticated in LDAP?

  I would suggest using email addresses for 802.1X authentication.
Inventing fake realms is a bad idea.

  Alan DeKok.


WiMAX-Capability proxy issue

2009-11-11 Thread Ramon J. Castillo
Dear all;

I'm having an issue when proxying an Access-Request message between two WiMAX
networks.
I recently downloaded FR 2.1.8 and I'm in the middle of the messaging path.
The home network is using EAP-TLS, but it should be transparent for the proxy,
right?
The issue is with the AVP WiMAX-Capability(1); please see below the packets
captured (shown as in Wireshark).

Sending network AVP before FR proxy as arrived:

AVP: l=17  t=Vendor-Specific(26) v=WiMAX(24757)
VSA: l=11 t=WiMAX-Capability(1) C=0x00: 2 TLV(s) inside
TLV: l=5  t=WiMAX-Release(1): 1.4
WiMAX-Release: 1.4
TLV: l=3  t=WiMAX-Accounting-Capabilities(2): No-Accounting(0)
WiMAX-Accounting-Capabilities: No-Accounting (0)

After proxy from FR to the Home network

AVP: l=17  t=Vendor-Specific(26) v=WiMAX(24757)
VSA: l=11 t=WiMAX-Capability(1) C=0x00: 
TLV: l=7  t=WiMAX-Release(1): 1.4\002\005
WiMAX-Release: 1.4\002\005
[Not enough room in packet for TLV header]


The home network AAA complains with the error message that it cannot decode the
AVP WiMAX-Capability.

Any ideas why, and what I can do to fix it, are very much appreciated.


Merci
Thanks a lot
Vielen Dank!
Gracias

Ramon
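An added decoder for the WiMAX-Capability layout in the two dumps above (example code, not from the list or from FreeRADIUS): vendor-type, vendor-length and continuation byte, then sub-TLVs whose length byte counts the 2-byte TLV header. The two sample attributes are constructed from the dumps; the last byte of the corrupted value is not visible in the capture, so a 0x00 placeholder stands in for it.

```python
"""Decode the WiMAX-Capability VSA from a RADIUS Vendor-Specific attribute.

WiMAX (vendor id 24757) VSAs carry a vendor-type byte, a vendor-length byte
and a continuation byte, followed by nested TLVs whose length includes the
2-byte TLV header.  Sample packets below are constructed, not captured.
"""
import struct

WIMAX_VENDOR_ID = 24757          # Wireshark: v=WiMAX(24757)
WIMAX_CAPABILITY = 1             # vendor-type of WiMAX-Capability
# sub-TLVs of WiMAX-Capability named in the captures
CAPABILITY_TLVS = {1: "WiMAX-Release", 2: "WiMAX-Accounting-Capabilities"}
NOT_ENOUGH_ROOM = "Not enough room in packet for TLV header"


def parse_wimax_capability(avp: bytes):
    """Decode one RADIUS Vendor-Specific attribute (type 26) carrying WiMAX-Capability.

    Returns (tlvs, errors): tlvs maps sub-TLV name to decoded value; errors lists
    why decoding stopped early (an empty list means the attribute decoded cleanly).
    """
    errors = []
    if len(avp) < 6 or avp[0] != 26 or avp[1] != len(avp):
        return {}, ["not a well-formed Vendor-Specific attribute"]
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    if vendor_id != WIMAX_VENDOR_ID:
        return {}, [f"unexpected vendor id {vendor_id}"]

    vsa = avp[6:]                # vendor-type, vendor-length, continuation, payload
    if len(vsa) < 3 or vsa[1] != len(vsa):
        return {}, ["vendor-length does not match attribute length"]
    if vsa[0] != WIMAX_CAPABILITY:
        return {}, [f"unexpected vendor type {vsa[0]}"]
    if vsa[2] & 0x80:
        errors.append("continuation bit set; fragmented value not reassembled here")

    payload = vsa[3:]
    tlvs = {}
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:   # the condition the home AAA hit after the proxy
            errors.append(NOT_ENOUGH_ROOM)
            break
        tlv_type, tlv_len = payload[pos], payload[pos + 1]
        if tlv_len < 2 or pos + tlv_len > len(payload):
            errors.append(f"TLV {tlv_type} has impossible length {tlv_len}")
            break
        value = payload[pos + 2:pos + tlv_len]
        name = CAPABILITY_TLVS.get(tlv_type, f"WiMAX-Capability-{tlv_type}")
        if tlv_type == 1:
            # Release is a string; Wireshark shows stray bytes as \ooo escapes
            tlvs[name] = value.decode("ascii", errors="backslashreplace")
        elif tlv_type == 2 and len(value) == 1:
            tlvs[name] = value[0]    # 0 = No-Accounting
        else:
            tlvs[name] = value
        pos += tlv_len
    return tlvs, errors


VENDOR = struct.pack("!I", WIMAX_VENDOR_ID)
# Constructed from the first dump: VSA l=11, Release(1) l=5 "1.4", Acct-Cap(2) l=3 value 0
BEFORE_PROXY = (bytes([26, 17]) + VENDOR + bytes([WIMAX_CAPABILITY, 11, 0x00])
                + b"\x01\x05" + b"1.4" + b"\x02\x03\x00")
# Constructed from the second dump: the Release TLV now claims l=7 and swallows the
# following bytes; the final byte is not visible in the capture, so 0x00 is a placeholder.
AFTER_PROXY = (bytes([26, 17]) + VENDOR + bytes([WIMAX_CAPABILITY, 11, 0x00])
               + b"\x01\x07" + b"1.4\x02\x05" + b"\x00")


def capability_is_sane(avp: bytes) -> bool:
    """True when both expected sub-TLVs decode and nothing is truncated or left over."""
    tlvs, errors = parse_wimax_capability(avp)
    return not errors and set(tlvs) == set(CAPABILITY_TLVS.values())


if __name__ == "__main__":
    for label, avp in (("before proxy", BEFORE_PROXY), ("after proxy", AFTER_PROXY)):
        tlvs, errors = parse_wimax_capability(avp)
        print(label, tlvs, errors)
```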

Re: FreeRadius crashed on accounting load tests with 1000 concurrent?clients

2009-11-11 Thread Alexander Clouter
Alan DeKok  wrote:
> 
>> If I can not find something wrong caused by us, I will fill a bug
>> report. So far, nothing is found.
> 
>  All of the time you spend investigating things is WASTED.  The ONLY
> thing that will help is to follow the instructions in doc/bugs.
> 
>  Follow the instructions in doc/bugs, or stop posting messages on this
> list.
> 
For the love of God run it in GDB or leave us in peace!

http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg00081.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Short people get rained on last.



Re: FreeRadius with 3COM

2009-11-11 Thread Rafael Fernandes
Yes, I used the guide. But it only says to use a vendor-specific attribute
and doesn't say the value of this attribute.
I called 3COM before sending this e-mail.
But my switch is more than 3 months old, so the support can't help me, because
the support guarantee has already expired.

So, if anyone has any idea to help me.

Thanks

2009/11/10

> > thanks. Now the 3COM is authenticating on freeradius.
> > But I don't know how to set different priorities for users;
> > My 3COM is 4210 and has 3 levels of priority.
> >
> > Does anybody know how to send the level of priority by freeradius?
>
> Have you tried the guide?
>
> >> Configuration guide 3com switch 4210 family:
> >>
> >> http://support.3com.com/documents/switches/4210/3Com_Switch4210_Configuration_Guide.pdf
>
> If it's not in there - ask 3Com. They should know how to configure their
> equipment. Probably some VSA.
>
> Ivan Kalik
> Kalik Informatika ISP

Re: FreeRadius with 3COM

2009-11-11 Thread Rakotomandimby Mihamina

11/11/2009 01:42 PM, Rafael Fernandes:

> So, if anyone has any idea to help me.


http://www.google.com/search?q=3com+forum

--
  Architecte Informatique chez Blueline/Gulfsat:
   Administration Systeme, Recherche & Developpement
   +261 33 11 207 36


OpenSSL + Freeradius

2009-11-11 Thread Peter Carlstedt

Hello everyone.

I just wanted to thank you so much for your time.

I found a solution without having to modify the control & rules files in the
debian folder.

So I have freeradius functioning with OpenSSL and PEAP now.

Now I only need to find a "know how" for configuring Freeradius so it will
accept authentication from Mac and Windows machines. Can any of you
recommend a good site? :)

Best regards/ Peter
  

I need some help with freeradius 2.0.4

2009-11-11 Thread Wagner Pereira

Hi, guys.

Please, could someone read this output from freeradius' debugging mode to help
me? Thanks in advance.

(I just omitted some information such as IP, User-Password etc.)

My scenario is:
- Server: Debian GNU/Linux lenny x86_64 kernel 2.6.26-2-amd64
- Freeradius 2.0.4
- MySQL 5.0.51a
- Calling Station: Windows XP Professional 32 bits SP3
- Software client: SSH Secure Shell 3.2.9
- NAS client: Cisco6500 Catalyst - IOS version 12.2(17r)S4

Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 121 with timestamp +17
Ready to process requests.
rad_recv: Access-Request packet from host NAS-IP-Address port 21645, 
id=121, length=82

  NAS-IP-Address = NAS-IP-Address
  NAS-Port = 1
  NAS-Port-Type = Virtual
  User-Name = "User-Name"
  Calling-Station-Id = "Calling-Station-Id"
  User-Password = "User-Password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
  rlm_realm: No '@' in User-Name = "User-Name", looking up realm NULL
  rlm_realm: Found realm "NULL"
  rlm_realm: Adding Stripped-User-Name = "User-Name"
  rlm_realm: Adding Realm = "NULL"
  rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
  expand: %{User-Name} -> User-Name
rlm_sql (sql): sql_set_user escaped user --> 'User-Name'
rlm_sql (sql): Reserving sql socket id: 3
  expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id -> SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = 'User-Name'   ORDER BY id

rlm_sql (sql): User found in radcheck table
  expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER 
BY id -> SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'User-Name'   ORDER BY id
  expand: SELECT groupname   FROM radusergroup   
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> 
SELECT groupname   FROM radusergroup   WHERE username = 
'User-Name'   ORDER BY priority
  expand: SELECT id, groupname, attribute,   Value, 
op   FROM radgroupcheck   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   
WHERE groupname = 'pop-sp'   ORDER BY id

rlm_sql (sql): User found in group pop-sp
  expand: SELECT id, groupname, attribute,   value, 
op   FROM radgroupreply   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, 
attribute,   value, op   FROM radgroupreply   
WHERE groupname = 'pop-sp'   ORDER BY id

rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "User-Password"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [User-Name/User-Password] (from client cisco6500 port 1 cli 
Calling-Station-Id)

+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
  expand: %{User-Name} -> User-Name
rlm_sql (sql): sql_set_user escaped user --> 'User-Name'
  expand: %{User-Password} -> User-Password
  expand: INSERT INTO radpostauth   
(username, pass, reply, authdate)   VALUES 
(   '%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO 
radpostauth   (username, pass, reply, 
authdate)   VALUES (   
'User-Name',   
'User-Password',   'Access-Accept', '2009-11-11 
11:33:27')
rlm_sql (sql) in sql_postauth: query is INSERT INTO 
radpostauth   (username, pass, reply, 
authdate)   VALUES (   
'User-Name',   
'User-Password',   'Access-Accept', '2009-11-11 
11:33:27')

rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 121 to NAS-IP-Address port 21645
  Framed-Compression := Van-Jacobson-TCP-IP
  Framed-Protocol := PPP
  Service-Type := Login-User
  Framed-MTU := 1500
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 121 with timestamp +23
Ready to process requests.





Re: [Fwd: I need some help with freeradius 2.0.4]

2009-11-11 Thread Alan DeKok
Wagner Pereira wrote:
> I think this output is more complete and useful. Thank you one more time.

  You haven't said what is going wrong, or what you want it to do.

  The debug log shows an Access-Accept.  What's wrong with that?

  Alan DeKok.


Re: OpenSSL + Freeradius

2009-11-11 Thread Alan DeKok
Peter Carlstedt wrote:
> Now I only need to find a "know how" for configuring Freeradius so it
> will accept authentication from Mac and Windows machines. Can anyone of
> you recommend a good site? :)

  http://deployingradius.com

  Alan DeKok.


Re: OpenSSL + Freeradius

2009-11-11 Thread Wagner Pereira




Hey, Alan.

This is an interesting website! Do you intend to sell the
DeployingRADIUS book soon? If yes, through which website? How can it be
shipped here, to Brazil?
-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


Alan DeKok wrote:

> Peter Carlstedt wrote:
> > Now I only need to find a "know how" for configuring Freeradius so it
> > will accept authentication from Mac and Windows machines. Can anyone of
> > you recommend a good site? :)
>
>   http://deployingradius.com
>
>   Alan DeKok.

Re: [Fwd: I need some help with freeradius 2.0.4]

2009-11-11 Thread Wagner Pereira




Alan,

I've tried to authenticate a user (myself!) on a Cisco6500 router.
Then, on this router, I configured the necessary lines to authenticate
myself on another server, where the freeradius is. I set this freeradius
up to "talk" with my mysql database.

-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


Alan DeKok wrote:

> Wagner Pereira wrote:
> > I think this output is more complete and useful. Thank you one more time.
>
>   You haven't said what is going wrong, or what you want it to do.
>
>   The debug log shows an Access-Accept.  What's wrong with that?
>
>   Alan DeKok.

Send accounting packets to multiple proxy servers

2009-11-11 Thread Patric

Hi all,

FreeRADIUS 2.1.7

I currently have a server A that proxies accounting packets to server B.
I would like server A to proxy those same accounting packets to server C 
as well.


Currently this is my setup:

Server A

clients.conf:
-

client server_B_ip {
ipaddr = server_B_ip
secret = server_B_secret
require_message_authenticator = no
virtual_server = requests_from_server_B
}


sites-enabled/default:
--
...
accounting {
detail
detail-radrelay
}
...
server requests_from_server_B {
authorize {
files
}
preacct {
preprocess
acct_unique
}
accounting {
detail
sql
}
}

So as I understand it, all incoming accounting requests are written to
the detail and the detail-radrelay files, except if they're from server B,
in which case it only writes to the detail file so that they are not
reproxied, correct?


Then I have:

proxy.conf:
---

home_server copy-acct-to-home-server {
type = acct
ipaddr   = server_B_ip
port = 1813
secret   = server_B_secret
response_window  = 10
zombie_period= 20
no_response_fail = yes
}

home_server_pool my_acct_failover {
home_server = copy-acct-to-home-server
}

realm DEFAULT {
acct_pool = my_acct_failover
nostrip
}


sites-enabled/copy-acct-to-home-server:
---

server copy-acct-to-home-server {
listen {
type = detail
filename = ${radacctdir}/detail-combined
load_factor = 10
retry_interval = 10
}
preacct {
suffix
}
accounting {
   ok
}
}


What do I need to add to get the detail-combined entries sent to server 
C as well? Does my proxy.conf need to look like this?:


home_server copy-acct-to-home-server {
type = acct
ipaddr   = server_B_ip
port = 1813
secret   = server_B_secret
response_window  = 10
zombie_period= 20
no_response_fail = yes
}

home_server copy-acct-to-server-C {
type = acct
ipaddr   = server_C_ip
port = 1813
secret   = server_C_secret
response_window  = 10
zombie_period= 20
no_response_fail = yes
}

home_server_pool my_acct_failover {
home_server = copy-acct-to-home-server
home_server = copy-acct-to-server-C
}

realm DEFAULT {
acct_pool = my_acct_failover
nostrip
}


I'm not too sure where to go here; any help would be much appreciated, as
always!


Many thanks,
Patric
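One way to fan the accounting stream out to a second home server, written here as an added sketch for a 2.1.x layout (not from the thread or from the FreeRADIUS distribution): a home_server_pool with two entries only fails over between them, so the copy to server C gets its own detail file, its own detail listener and its own realm, with Proxy-To-Realm set in the listener's preacct so no suffix stripping is involved. The names detail-to-server-C, server_C_pool and realm server-C are assumptions.

```conf
# modules/detail-to-server-C: a second instance of the detail module (name assumed)
detail detail-to-server-C {
    detailfile = ${radacctdir}/detail-to-server-C
    detailperm = 0600
}

# sites-enabled/default: write every accounting packet a third time, for server C.
# requests_from_server_B keeps only "detail", so packets from B go neither back to B
# nor on to C, matching the existing no-reproxy handling.
accounting {
    detail
    detail-radrelay
    detail-to-server-C
}

# proxy.conf: a second home server with its own pool and realm.
# Putting both servers in my_acct_failover would only fail over between them.
home_server copy-acct-to-server-C {
    type = acct
    ipaddr = server_C_ip
    port = 1813
    secret = server_C_secret
    response_window = 10
    zombie_period = 20
    no_response_fail = yes
}

home_server_pool server_C_pool {
    home_server = copy-acct-to-server-C
}

realm server-C {
    acct_pool = server_C_pool
    nostrip
}

# sites-enabled/copy-acct-to-server-C: replay the new detail file towards realm server-C
server copy-acct-to-server-C {
    listen {
        type = detail
        filename = ${radacctdir}/detail-to-server-C
        load_factor = 10
        retry_interval = 10
    }
    preacct {
        update control {
            Proxy-To-Realm := "server-C"
        }
    }
    accounting {
        ok
    }
}
```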


Any Brazilians on this list?

2009-11-11 Thread Wagner Pereira

Good afternoon,

Is there any Brazilian on this list wanting to exchange experiences about
freeradius+mysql?


--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



[Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Wagner Pereira




I think this picture can help YOU to help ME  : )

This represents how my radgroupreply table, on my MySQL database, was
set up.

-------- Original Message --------
Subject: Re: [Fwd: I need some help with freeradius 2.0.4]
Date: Wed, 11 Nov 2009 12:48:31 -0200
From: Wagner Pereira
To: FreeRadius users mailing list
References: <4afac98f.7070...@pop-sp.rnp.br> <4afaca9c.9050...@deployingradius.com>

Alan,

I've tried to authenticate a user (myself!) on a Cisco6500 router.
Then, on this router, I configured the necessary lines to authenticate
myself on another server, where the freeradius is. I set this freeradius
up to "talk" with my mysql database.
-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread John Dennis

On 11/11/2009 12:12 PM, Wagner Pereira wrote:

> I think this picture can help YOU to help ME  : )


Please do not send images to the list. Please use text instead.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Any Brazilians on this list?

2009-11-11 Thread Thiago Cesar
Yes, I'm Brazilian and I use this list.

Regards,

On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira
wrote:
> Good afternoon,
>
> Is there any Brazilian on this list wanting to exchange experiences about
> freeradius+mysql?
>
--
"The gateway for your business into the virtual world"
Thiago Cesar
IT Director
MSN: thiago_rodrig...@hotmail.com
Skype: thiago_ceor
---
http://www.kionux.com.br
Kionux Soluções em Internet LTDA.
Av. Garibalde, 1114 - Sala 15 - Vila A CEP 85861-550 - Foz do Iguaçu - PR
Phone: +55 (45) 3572-5000

Re: Any Brazilians on this list?

2009-11-11 Thread Alisson
I am too.

2009/11/11 Thiago Cesar

> Yes, I'm Brazilian and I use this list.
>
> Regards,
>
> On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira
> wrote:
> > Good afternoon,
> >
> > Is there any Brazilian on this list wanting to exchange experiences about
> > freeradius+mysql?
> >
> --
> Thiago Cesar
> Kionux Soluções em Internet LTDA.

--
Regards,
Alisson F. Gonçalves
Information Systems - UFGD

Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Rakotomandimby Mihamina

On 11/11/2009 08:12 PM, Wagner Pereira wrote:

> I think this picture

Uh???
Your computer doesn't let you copy/paste MySQL output as text???

--
  Architecte Informatique chez Blueline/Gulfsat:
   Administration Systeme, Recherche & Developpement
   +261 33 11 207 36


Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Wagner Pereira

Ok, John. It's understood.

--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



John Dennis wrote:

> On 11/11/2009 12:12 PM, Wagner Pereira wrote:
> > I think this picture can help YOU to help ME  : )
>
> Please do not send images to the list. Please use text instead.


Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Wagner Pereira

Hi, Rakotomandimby.

What did you mean by "text MySQL output"? How should I do that?

--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



Rakotomandimby Mihamina wrote:

> On 11/11/2009 08:12 PM, Wagner Pereira wrote:
> > I think this picture
>
> Uh???
> Your computer doesn't let you copy/paste MySQL output as text???


Re: Any Brazilians on this list?

2009-11-11 Thread yahmamotto yahmamotto
Congratulations

> I am too.
>
> 2009/11/11 Thiago Cesar
>
> > Yes, I'm Brazilian and I use this list.
> >
> > Regards,
> >
> > On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira
> > wrote:
> > > Good afternoon,
> > >
> > > Is there any Brazilian on this list wanting to exchange experiences about
> > > freeradius+mysql?
> > >
> --
> Regards,
> Alisson F. Gonçalves
> Information Systems - UFGD

Re: Any Brazilians on this list?

2009-11-11 Thread Wagner Pereira




Hello, Thiago and Alisson.

A pleasure to meet you. I'm looking for colleagues who want to exchange
experiences about implementing freeradius + mysql. Has either of you
managed to authenticate using the scenario below?


    MySQL database
          ^
          |
    freeradius server - debian x86_64
          ^
          |
    NAS client - Cisco 6500
          ^
          |   SSH connection - port 22
          |
          O
         /|\   user
         / \

-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


Alisson wrote:

> I am too.
>
> 2009/11/11 Thiago Cesar
> > Yes, I'm Brazilian and I use this list.
> >
> > Regards,
> >
> > On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira
> > wrote:
> > > Good afternoon,
> > >
> > > Is there any Brazilian on this list wanting to exchange experiences about
> > > freeradius+mysql?
> > >
> > --
> > Thiago Cesar
> > Kionux Soluções em Internet LTDA.
>
> --
> Regards,
> Alisson F. Gonçalves
> Information Systems - UFGD

Re: Any Brazilians on this list?

2009-11-11 Thread Thiago Cesar


Wagner, not in that scenario you drew; I have freeradius authenticating
against LDAP, and I have freeradius + mysql being authenticated by a NAS
that is not from Cisco.

Regards,
"The gateway for your business into the virtual world"
Thiago Cesar
IT Director
MSN: thiago_rodrig...@hotmail.com
Skype: thiago_ceor
---
http://www.kionux.com.br
Kionux Soluções em Internet LTDA.
Av. Garibalde, 1114 - Sala 15 - Vila A CEP 85861-550 - Foz do Iguaçu - PR
Phone: +55 (45) 3572-5000
On Wed, 11 Nov 2009 16:19:21 -0200, Wagner Pereira wrote:

> Hello, Thiago and Alisson.
>
> A pleasure to meet you. I'm looking for colleagues who want to exchange
> experiences about implementing freeradius + mysql. Has either of you
> managed to authenticate using the scenario below?
>
>     MySQL database
>           ^
>           |
>     freeradius server - debian x86_64
>           ^
>           |
>     NAS client - Cisco 6500
>           ^
>           |   SSH connection - port 22
>           |
>           O
>          /|\   user
>          / \
>
> --
> Wagner Pereira
> PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
> CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
> http://www.pop-sp.rnp.br
> (11) 3091-8902

Re: I need some help with freeradius 2.0.4

2009-11-11 Thread tnt
> Please, could someone read this output from freeradius' debugging mode to
> help me? Thanks in advance.
>
> My scenario is:
> - Server: Debian GNU/Linux lenny x86_64 kernel 2.6.26-2-amd64
> - Freeradius 2.0.4
> - MySQL 5.0.51a
> - Calling Station: Windows XP Professional 32 bits SP3
> - Software client: SSH Secure Shell 3.2.9
> - NAS client: Cisco6500 Catalyst - IOS versão 12.2(17r)S4
>
> Sending Access-Accept of id 121 to NAS-IP-Address port 21645
>Framed-Compression := Van-Jacobson-TCP-IP
>Framed-Protocol := PPP
>Service-Type := Login-User
>Framed-MTU := 1500

Freeradius is set up well. Reply attributes you configured are wrong for
ssh. You don't need any of those Framed attributes. And Service-Type
should be NAS-Prompt-User most likely. Read the Cisco document on the wiki:

http://wiki.freeradius.org/Cisco#Shell_Access


Ivan Kalik
Kalik Informatika ISP



Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread tnt
> What you meant with "text MySQL output"? How should I do that?
>

By the amazing technique of copy/paste.


Ivan Kalik
Kalik Informatika ISP



Re: Any Brazilians on this list?

2009-11-11 Thread Wagner Pereira




Ok, Thiago. No problem.

I'm starting to think that the problem is in the IOS configuration,
since radtest returns me an Access-Accept. Do you agree with that?
-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


Thiago Cesar wrote:

> Wagner, not in that scenario you drew; I have freeradius authenticating
> against LDAP, and I have freeradius + mysql being authenticated by a NAS
> that is not from Cisco.
>
> Regards,
> Thiago Cesar
> Kionux Soluções em Internet LTDA.
>
> On Wed, 11 Nov 2009 16:19:21 -0200, Wagner Pereira wrote:
> > Hello, Thiago and Alisson.
> >
> > A pleasure to meet you. I'm looking for colleagues who want to exchange
> > experiences about implementing freeradius + mysql. Has either of you
> > managed to authenticate using the scenario below?
> >
> >     MySQL database
> >           ^
> >           |
> >     freeradius server - debian x86_64
> >           ^
> >           |
> >     NAS client - Cisco 6500
> >           ^
> >           |   SSH connection - port 22
> >           |
> >           O
> >          /|\   user
> >          / \

Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Wagner Pereira




Funny!  : ) But what output should I copy/paste here? From freeradius
-X? I already did that in my first message sent to freeradius-users.
If necessary, I can paste it again.
-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


t...@kalik.net wrote:

  
What you meant with "text MySQL output"? How should I do that?


  
  
By the amazing technique of copy/paste.


Ivan Kalik
Kalik Informatika ISP

  




Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread tnt
> my problem was that in LDAP i have the passwords save as SSHA, so i cant
> do 802.1x with EAP/PEAP/mschap
>
> as i dont wanna change my LDAP configuration to store the passwords in
> clear-text, or to use samba.scheme and to use NT hash. The only option
> remaining from my view point was to try and distinguish between normal
> authentication and 802.1x authentication
>
> thats why i came up with this realm stuff, to be able to authenticate
> 802.1x users in the users file (where i have user/passwords in clear-text)
> and normal users in LDAP (SSHA)

Ugh, how does that make sense? Why don't you want nt or clear passwords in
ldap? Security? But it's so much easier to read a plain text (users) file
than break into ldap.

> thats why i was asking if, its possible, and if it functional, or maybe
> there is another solution then the one provided by Alan (to not use
> 802.1x) :D

There is only one solution if you want to use 802.1x: store passwords that
peap can use.


Ivan Kalik
Kalik Informatika ISP



Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread tnt
> Funny!  : ) but what output should I copy/paste here? from freeradius
> -X ? I already did that in my first message sent to freeradius-users.
> If necessary, I can paste it again.
> --
>
> Wagner Pereira

For starters read this:

http://freeradius.org/list/users.html

particularly the bit "No HTML on the list."

You should have copied/pasted the bit you posted as an image. Please don't
post it again. We have seen what it is, and it is wrong. I have already
told you how to fix reply items in mysql.


Ivan Kalik
Kalik Informatika ISP



Re: I need some help with freeradius 2.0.4

2009-11-11 Thread Wagner Pereira




Ivan,

I did what you recommended (I guess). See below:

mysql> select * from radgroupreply;
+----+-----------+--------------------+----+-----------------------+------+
| id | groupname | attribute          | op | value                 | Prio |
+----+-----------+--------------------+----+-----------------------+------+
|  1 | pop-sp    | Framed-Compression | := | Van-Jacobson-TCP-IP   |      |
|  3 | pop-sp    | Service-Type       | := | NAS-Prompt            |      |
|  5 | reject    | reply-message      | := | Autenticação recusada | NULL |
+----+-----------+--------------------+----+-----------------------+------+
3 rows in set (0.00 sec)

But I can't authenticate yet.
-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


t...@kalik.net wrote:

  
Please, could someone read this output from freeradius' debugging mode to
help me? Thanks in advance.

My scenario is:
- Server: Debian GNU/Linux lenny x86_64 kernel 2.6.26-2-amd64
- Freeradius 2.0.4
- MySQL 5.0.51a
- Calling Station: Windows XP Professional 32 bits SP3
- Software client: SSH Secure Shell 3.2.9
- NAS client: Cisco6500 Catalyst - IOS version 12.2(17r)S4

Sending Access-Accept of id 121 to NAS-IP-Address port 21645
   Framed-Compression := Van-Jacobson-TCP-IP
   Framed-Protocol := PPP
   Service-Type := Login-User
   Framed-MTU := 1500

  
  
Freeradius is set up well. Reply attributes you configured are wrong for
ssh. You don't need any of those Framed attributes. And Service-Type
should be NAS-Prompt-User most likely. Read the Cisco document on the wiki:

http://wiki.freeradius.org/Cisco#Shell_Access


Ivan Kalik
Kalik Informatika ISP

  




Re: Any Brazilians on this list?

2009-11-11 Thread Thiago Cesar


If Freeradius returns the Accept via radtest, it must surely be a problem
in your IOS config.

Regards.
On Wed, 11 Nov 2009 16:42:59 -0200, Wagner Pereira  wrote:
Ok, Thiago. No problem.
I am starting to think that the problem is in the IOS configuration,
since radtest returns an Access-Accept. Do you agree?
--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902
Thiago Cesar wrote:

Wagner, not in the setup you drew; I have freeradius authenticating
against ldap, and freeradius with mysql being authenticated by NAS that
are not Cisco.

Regards.
"The gateway of your business to the virtual world"
Thiago Cesar
IT Director
MSN: thiago_rodrig...@hotmail.com
Skype: thiago_ceor
---
http://www.kionux.com.br
Kionux Soluções em Internet LTDA.
Av. Garibalde, 1114 - Sala 15 - Vila A CEP 85861-550 - Foz do Iguaçu - PR
Telephone: +55 (45) 3572-5000

Re: I need some help with freeradius 2.0.4

2009-11-11 Thread tnt
Enough with that HTML. It produces an extraordinary amount of crap as you
can see:

> I did what you recommended (I guess). See below:

No, you didn't. But getting closer.
> |  1 | pop-sp    | Framed-Compression | := |
> Van-Jacobson-TCP-IP  

Remove *all* Framed attributes.

> |  3 | pop-sp    |
> Service-Type   | := |
> NAS-Prompt   
> |  | 

That should be NAS-Prompt-User.


Ivan Kalik
Kalik Informatika ISP
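As an added example (not code from the thread), a small check over radgroupreply rows that applies the two corrections given here: drop every Framed-* attribute and set Service-Type to NAS-Prompt-User. The rows are a constructed copy of the table posted above, and the list of standard Service-Type value names is the RFC 2865 set as FreeRADIUS spells it.

```python
"""Lint radgroupreply rows for Cisco IOS shell (exec) login over RADIUS.
Constructed example: the rows mirror the table posted in the thread and the
rules encode the two corrections given in the replies."""

# Service-Type value names of the standard dictionary (RFC 2865, section 5.6).
SERVICE_TYPES = {
    "Login-User", "Framed-User", "Callback-Login-User", "Callback-Framed-User",
    "Outbound-User", "Administrative-User", "NAS-Prompt-User", "Authenticate-Only",
    "Callback-NAS-Prompt", "Call-Check", "Callback-Administrative",
}
SHELL_SERVICE_TYPE = "NAS-Prompt-User"   # what a router exec login expects

# Constructed copy of the posted radgroupreply rows: (id, groupname, attribute, op, value)
ROWS_BEFORE = [
    (1, "pop-sp", "Framed-Compression", ":=", "Van-Jacobson-TCP-IP"),
    (3, "pop-sp", "Service-Type", ":=", "NAS-Prompt"),
    (5, "reject", "reply-message", ":=", "Autenticação recusada"),
]


def lint_shell_group(rows, groupname):
    """Return one finding per reply attribute that is wrong for a shell login."""
    findings = []
    group = [r for r in rows if r[1] == groupname]
    for rid, _, attribute, _, value in group:
        if attribute.startswith("Framed-"):
            findings.append(f"row {rid}: {attribute} is a PPP attribute; remove it for shell access")
        elif attribute == "Service-Type":
            if value not in SERVICE_TYPES:
                findings.append(f"row {rid}: Service-Type {value!r} is not a standard "
                                f"dictionary value; the attribute cannot be built from it")
            elif value != SHELL_SERVICE_TYPE:
                findings.append(f"row {rid}: Service-Type {value!r} should be {SHELL_SERVICE_TYPE!r}")
    if not any(r[2] == "Service-Type" for r in group):
        findings.append(f"group {groupname!r}: no Service-Type reply at all")
    return findings


def fix_shell_group(rows, groupname):
    """Return the corrected rows and the SQL statements that would make the same change."""
    fixed, sql = [], []
    for row in rows:
        rid, grp, attribute, op, value = row
        if grp == groupname and attribute.startswith("Framed-"):
            sql.append(f"DELETE FROM radgroupreply WHERE id = {rid};")
        elif grp == groupname and attribute == "Service-Type" and value != SHELL_SERVICE_TYPE:
            fixed.append((rid, grp, attribute, op, SHELL_SERVICE_TYPE))
            sql.append(f"UPDATE radgroupreply SET value = '{SHELL_SERVICE_TYPE}' WHERE id = {rid};")
        else:
            fixed.append(row)
    return fixed, sql


if __name__ == "__main__":
    for line in lint_shell_group(ROWS_BEFORE, "pop-sp"):
        print(line)
    rows_after, statements = fix_shell_group(ROWS_BEFORE, "pop-sp")
    print("\n".join(statements))
    print("remaining findings:", lint_shell_group(rows_after, "pop-sp"))
```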



[Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Wagner Pereira




Dear colleagues,

I am now introducing some new information. Below is what is declared in
my IOS - Cisco 6500. Is this correct?

aaa new-model
aaa group server radius admin
!
aaa authentication login default group radius local
aaa authentication enable default line enable
aaa authorization exec default none 
aaa accounting exec default start-stop group radius

ip radius source-interface Loopback0 
radius-server key 7 111D1C1603175A5E57

 Original message 

Subject: Re: [Fwd: I need some help with freeradius 2.0.4]
Date: Wed, 11 Nov 2009 12:48:31 -0200
From: Wagner Pereira
To: FreeRadius users mailing list
References: <4afac98f.7070...@pop-sp.rnp.br> <4afaca9c.9050...@deployingradius.com>





Alan,

I've tried to authenticate a user (myself!) on a Cisco6500 router.
Then, in this router, I configured the necessary lines to authenticate
myself on another server, where the freeradius is. I set this freeradius
up to "talk" with my mysql database.

-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902


Alan DeKok wrote:

  Wagner Pereira wrote:
  
  
I think this output is more complete and useful. Thank you one more time.

  
  
  You haven't said what is going wrong, or what you want it to do.

  The debug log shows an Access-Accept.  What's wrong with that?

  Alan DeKok.
  


-- 

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Ivan Kalik

Wagner Pereira wrote:

Dear colleagues,

I am now introducing some new information. Below is what is declared in my IOS - 
Cisco 6500. Is this correct?
  

Why don't you just read the cisco wiki page.


Ivan Kalik
Kalik Informatika ISP


Re: I need some help with freeradius 2.0.4

2009-11-11 Thread Wagner Pereira

Ok, Ivan. I guess I removed that HTML crap now  : )

Below is my new radgroupreply:

mysql> select * from radgroupreply;
+----+-----------+---------------+----+-----------------------+------+
| id | groupname | attribute     | op | value                 | Prio |
+----+-----------+---------------+----+-----------------------+------+
|  3 | pop-sp    | Service-Type  | := | NAS-Prompt-User       |      |
|  5 | reject    | reply-message | := | Autenticação recusada | NULL |
+----+-----------+---------------+----+-----------------------+------+
2 rows in set (0.00 sec)

Hugs,

--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



t...@kalik.net wrote:





Enough with that HTML. It produces an extraordinary amount of crap as you
can see:

  

I did what you recommended (I guess). See below:



No, you didn't. But getting closer.
  

|  1 | pop-sp    | Framed-Compression | := |
Van-Jacobson-TCP-IP  



Remove *all* Framed attributes.

  

|  3 | pop-sp    |
Service-Type   | := |
NAS-Prompt   
|  | 



That should be NAS-Prompt-User.


Ivan Kalik
Kalik Informatika ISP

  



Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread Wagner Pereira

Ivan,

I already read the Cisco wiki page and I implemented what they 
recommend, but it's not working yet.


--

Wagner Pereira

PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902



Ivan Kalik wrote:

Wagner Pereira wrote:

Dear colleagues,

I am now introducing some new information. Below is what is declared 
in my IOS - Cisco 6500. Is this correct?
  

Why don't you just read the cisco wiki page.


Ivan Kalik
Kalik Informatika ISP



Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]

2009-11-11 Thread tnt
> I already read the Cisco wiki page and I implemented what they
> recommend, but it's not working yet.

Does the debug now show NAS-Prompt-User in the Access-Accept packet? If it
does - it's some problem on the router - debug ip ssh.


Ivan Kalik
Kalik Informatika ISP



SSL renegotiation ?

2009-11-11 Thread John
Hi,
I found a new man-in-the-middle attack with SSL.
http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

I am afraid freeRADIUS may use SSL renegotiation. The freeRADIUS version is
1.1.6. We use EAP-TLS and the backend OpenLDAP server with a TLS connection.
Does freeRADIUS use SSL renegotiation?
 
Thanks.
John



Re: FreeRadius with 3COM

2009-11-11 Thread Guk Victor


> Hi All, thanks. Now the 3COM is authenticating on freeradius. But I
> don't know how to set different priorities to users; My 3COM is 4210
> and has 3 levels of priority. Does anybody know how to send the level
> of priority by freeradius? Thanks.

If I got you right, you need access to the switch for management:
console, telnet, web. Then do the following:

#
local-user admin
password simple YOUR_PASSWORD
service-type ssh telnet terminal
level 3
#
user-interface aux 0 7
authentication-mode password
set authentication password simple YOUR_PASSWORD
user-interface vty 0 4
authentication-mode password
user privilege level 3
set authentication password simple YOUR_PASSWORD
#


Microsoft: SmartCard or Certificate Auth

2009-11-11 Thread swatzy

Hi:

I'm trying to configure a FreeRadius server to perform certificate
authentication from a Windows laptop.
I have followed the steps at
http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline
But when I try to connect, it never ends... and I get periodic
messages at the FreeRadius server output like this...

rad_recv: Access-Request packet from host 160.103.180.252:32769, id=0,
length=176
User-Name = "radiusserv"
Calling-Station-Id = "00-1d-e0-7f-c7-bd"
Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
NAS-Port = 13
NAS-IP-Address = 160.103.180.252
NAS-Identifier = "wlc01"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "82"
EAP-Message = 0x0202000f0172616469757373657276
Message-Authenticator = 0x978d232412c863306539d3ad92c9d6b8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 160.103.180.252 port 32769
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0xc321c12ede0c59624273d465195058be
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 160.103.180.252:32769, id=1,
length=300
User-Name = "radiusserv"
Calling-Station-Id = "00-1d-e0-7f-c7-bd"
Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
NAS-Port = 13
NAS-IP-Address = 160.103.180.252
NAS-Identifier = "wlc01"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "82"
EAP-Message = 0x020300790d80006f160301006a016603014af93134b45308b2252422bb395d6ce641bfdc48695e46696178ab4d4b40744218002f00350005000ac009c00ac013c01400320038001300040125000f000d0a72616469757373657276000a00080006001700180019000b00020100
State = 0xc321c12ede0c59624273d465195058be
Message-Authenticator = 0x209186e1eb149efd3ce2e8796100a977
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 006a], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0283], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0085], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A

Re: SSL renegotiation ?

2009-11-11 Thread Alan DeKok
John wrote:
> I found  a new man-in-the-middle attack with SSL. 
> http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

  It's a nice attack on SSL.

> I am afraid if freeRADIUS use SSL renegotiation?  The freeRADIUS version
> is 1.1.6. We use EAP-TLS and the backend OpenLDAP server with TLS
> connection. 
> 
> Does  freeRADIUS use SSL renegotiation ?

  Yes and no.  Yes, it uses OpenSSL, with all of the functionality of
OpenSSL.  No, I don't see a way for SSL renegotiation to attack RADIUS.

  The attack involves a MITM who (mostly) terminates the SSL connection
from the client, and opens a connection to the server.  All RADIUS
relationships require a shared secret, so MITM attacks aren't possible
at the RADIUS layer.

  The only place this attack *might* occur is if the MITM spoofs an
802.1X enabled access point.  But the attacker can't send RADIUS
packets, because he doesn't know the shared secret.

  The attacker then has to do a MITM at the EAPoL layer.  i.e. spoof an
AP to the client, and then turn around, and copy those packets to a
*real* AP.

  If this worries you, there is a new version of OpenSSL available that
isn't subject to the attack.

  Alan DeKok.
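An added example, not part of the thread, of the point made above: a party that does not hold the RADIUS shared secret can neither forge nor alter packets between NAS and server. The shared secret, identifier and attribute values are constructed; the Response Authenticator follows RFC 2865 and the Message-Authenticator (attribute 80, required whenever EAP-Message is carried) follows RFC 3579.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865); 80 is Message-Authenticator (RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 1, 4, 6, 80
NAS_PROMPT_USER = 7                 # Service-Type value the thread settles on
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attrs(attrs):
    """TLV-encode (type, value) pairs: one byte type, one byte total length, value."""
    return b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)


def parse_attrs(body):
    """Decode TLVs back into (type, value) pairs, refusing truncated or short ones."""
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return out


def _sign(code, ident, authenticator, attrs, secret):
    """Header + attributes with Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = HEADER.pack(code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header, body[:-16] + mac


def build_request(ident, request_auth, attrs, secret):
    header, body = _sign(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return header + body


def build_response(code, ident, request_auth, attrs, secret):
    """HMAC keyed with the Request Authenticator in place; then MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    header, body = _sign(code, ident, request_auth, attrs, secret)
    return header[:4] + hashlib.md5(header + body + secret).digest() + body


def _check_mac(pkt, keyed_auth, secret):
    if HEADER.unpack(pkt[:4])[2] != len(pkt):
        return False
    attrs = parse_attrs(pkt[20:])
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, pkt[:4] + keyed_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def verify_request(pkt, secret):
    """True iff the Message-Authenticator verifies under the shared secret."""
    return _check_mac(pkt, pkt[4:20], secret)


def verify_response(pkt, request_auth, secret):
    """True iff both the Response Authenticator and the Message-Authenticator verify."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20]) and _check_mac(pkt, request_auth, secret)


def demo():
    """Constructed exchange: valid request/accept, then a wrong secret and a tampered reply."""
    secret, request_auth = b"constructed-shared-secret", bytes(range(16))  # real: 16 random bytes
    req = build_request(121, request_auth, [(USER_NAME, b"radiusserv"),
                        (NAS_IP_ADDRESS, bytes((160, 103, 180, 252)))], secret)
    resp = build_response(ACCESS_ACCEPT, 121, request_auth,
                          [(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))], secret)
    tampered = bytearray(resp)
    tampered[25] ^= 1  # flip a bit in the Service-Type value (bytes 22..25 of the reply)
    return {"request_ok": verify_request(req, secret),
            "response_ok": verify_response(resp, request_auth, secret),
            "wrong_secret": verify_request(req, b"guessed-secret"),
            "tampered": verify_response(bytes(tampered), request_auth, secret)}
```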


Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread Caius
Hi Ivan,

I know about the restrictions,
but do you know how weak that NT hash is?
From what I know it's MD4 hashing; where is that used nowadays? Not even MD5 is
used anymore ...
The MD4 algorithm was one of the earliest MD algorithms ... made in '90, and
MD5 came as an improvement and is to this day the most popular. MD5 should be
the most secure of the MD bunch but even so it has been shown to be abnormally
susceptible to collisions, and its use is now actively discouraged.

So I can't afford to make all my users' password hashes weak... also I need to
respect some security guidelines in my system.

I could go to using only clear-text for 802.1x users, and have an exception for
this kind of users.

That's why I'm thinking to try some filtering... based on the NAS-ID or NAS-IP I
might authenticate the users in the users file or LDAP, right? :D


thank you again for your thoughts on this

Best Regards,
Caius Pargar


--- On Wed, 11/11/09, t...@kalik.net  wrote:

> From: t...@kalik.net 
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list" 
> Date: Wednesday, November 11, 2009, 8:53 PM
> > my problem was that in LDAP i have the passwords save as SSHA, so i cant
> > do 802.1x with EAP/PEAP/mschap
> >
> > as i dont wanna change my LDAP configuration to store the passwords in
> > clear-text, or to use samba.scheme and to use NT hash. The only option
> > remaining from my view point was to try and distinguish between normal
> > authentication and 802.1x authentication
> >
> > thats why i came up with this realm stuff, to be able to authenticate
> > 802.1x users in the users file (where i have user/passwords in clear-text)
> > and normal users in LDAP (SSHA)
> 
> Ugh, how does that make sense? Why don't you want nt or clear passwords in
> ldap? Security? But it's so much easier to read a plain text (users) file
> than break into ldap.
> 
> > thats why i was asking if, its possible, and if it functional, or maybe
> > there is another solution then the one provided by Alan (to not use
> > 802.1x) :D
> 
> There is only one solution if you want to use 802.1x: store passwords that
> peap can use.
> 
> 
> Ivan Kalik
> Kalik Informatika ISP


  