how to decode CHAP and MS-CHAP passwords

2009-11-25 Thread shivashankar

Hi,

I want to decode both (CHAP and MS-CHAP) passwords.

Why do I want to do this?

I am sending the username and password to a Java file to test authentication. There
it is unable to understand the CHAP and MS-CHAP encrypted data.

Before going to the Java file I will decode and convert it to plain text, so that
the Java file can understand it.

Please help me.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
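The question above cannot be answered the way it is asked: neither CHAP nor MS-CHAP transmits the password, only a one-way function of the password and a challenge, so the verifying side must already hold the cleartext password (or, for MS-CHAP, its NT hash) and recompute the response. The example below is added here and is not from the list or from FreeRADIUS; it shows that recomputation for RFC 1994 CHAP as carried in the RADIUS CHAP-Password attribute, with constructed challenge and attribute values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: RFC 1994 CHAP as carried in RADIUS (RFC 2865 section 5.3).
# The peer sends MD5(Identifier || Secret || Challenge), never the secret itself.
# A verifier therefore needs a "known good" cleartext password and recomputes the
# digest; a hashed password store cannot verify CHAP. MS-CHAPv1/v2 behave the same
# way with the NT hash of the password and DES-based responses, which is why
# FreeRADIUS hands MS-CHAP to ntlm_auth instead of "decoding" it. MS-CHAP itself
# is not implemented here.

CHAP_DIGEST_LEN = 16


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP response value: MD5 over Identifier, Secret and Challenge (RFC 1994 4.1)."""
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


def build_chap_password(ident: int, secret: str, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password attribute value: CHAP Ident octet + 16-octet response.

    This is what a NAS puts into the Access-Request; constructed here for the demo.
    """
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password: bytes,
                known_good_password: str,
                chap_challenge: Optional[bytes],
                request_authenticator: bytes) -> bool:
    """Server-side check: True when the response matches the known password.

    RFC 2865 5.3: when no CHAP-Challenge attribute is present, the 16-octet
    Request Authenticator of the Access-Request is used as the challenge.
    """
    if len(chap_password) != 1 + CHAP_DIGEST_LEN:
        return False                      # malformed attribute: reject, never repair
    if chap_challenge is None:
        if len(request_authenticator) != 16:
            return False
        challenge = request_authenticator
    else:
        challenge = chap_challenge
    ident = chap_password[0]
    expected = chap_response(ident, known_good_password, challenge)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    # Constructed values: a NAS-side challenge and the attribute a client would send.
    challenge = os.urandom(16)
    attr = build_chap_password(0x2A, "correct horse", challenge)
    print("CHAP-Password attribute:", attr.hex())
    print("right password verifies:", verify_chap(attr, "correct horse", challenge, b"\0" * 16))
    print("wrong password verifies:", verify_chap(attr, "wrong", challenge, b"\0" * 16))
```

The same constraint is what the `[pap] WARNING! No "known good" password found` line later on this page is about: without a cleartext (or, for MS-CHAP, NT-hash) copy of the password, the server has nothing to recompute against.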


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Bjørn Mork
Alan DeKok  writes:
> Bjørn Mork wrote:
>> I am now seeing this very same problem, and strongly suspect it to be
>> related to dead proxy home servers.  I was able to provoke the "Exiting
>> normally" on a server with *no* traffic at all, by doing a couple of
>> requests for a realm with dead home servers and then waiting:
>> 
>>  Wed Nov 25 18:03:56 2009 : Error: PROXY: Marking home server 88.a.b.158 
>> port 1812 as zombie (it looks like it is dead).
>>  Wed Nov 25 18:04:35 2009 : Error: PROXY: Marking home server 84.c.d.222 
>> port 1812 as zombie (it looks like it is dead).
>>  Wed Nov 25 19:38:13 2009 : Info: Exiting normally.
>> 
>> No requests at all were sent to this server between the two last log
>> lines.
>
>   Hmm... the "exiting normally" means that it received a signal to exit
> (internal or external).  Otherwise, it just keeps running.
>
>   Try using gdb, and:
>
> (gdb) break event_loop_exit
> (gdb) break radius_signal_self
> (gdb) cond 1 (flag == 2)
>
> (gdb) run
>
>   And then when it stops:
>
> (gdb) thread apply all bt full
>
>   That *should* catch the stack trace where it exits.

Will do.  Thanks

>> I was planning to use the 2.1.7 release, but hit the recursive mutex
>> problem.
>
>   Ugh.  Some systems don't support recursive mutexes, and even better,
> don't complain when you try to use them!
>
>>  Now, adding the two facts, I'm starting to wonder whether the
>> "Exiting normally" bug might be related to the fix for the recursive
>> mutexes?  They are both related to dead home servers.  Makes me
>> suspicious...
>
>   Quite possibly, yes.  But the fact that it exits a minute and a half
> after the last packet is odd.

Note that it's an hour and a half.  Which I guess is even more odd.

These are today's events for the server which is in production:

 server ~ 1004$ grep Exit log/radius.log
 Thu Nov 26 02:08:20 2009 : Info: Exiting normally.
 Thu Nov 26 04:16:52 2009 : Info: Exiting normally.
 Thu Nov 26 05:52:20 2009 : Info: Exiting normally.
 Thu Nov 26 07:40:19 2009 : Info: Exiting normally.


Notice the pattern.  There's 1.5 ~ 2 hours between each restart.  


Bjørn


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Alan DeKok
Bjørn Mork wrote:
> I am now seeing this very same problem, and strongly suspect it to be
> related to dead proxy home servers.  I was able to provoke the "Exiting
> normally" on a server with *no* traffic at all, by doing a couple of
> requests for a realm with dead home servers and then waiting:
> 
>  Wed Nov 25 18:03:56 2009 : Error: PROXY: Marking home server 88.a.b.158 port 
> 1812 as zombie (it looks like it is dead).
>  Wed Nov 25 18:04:35 2009 : Error: PROXY: Marking home server 84.c.d.222 port 
> 1812 as zombie (it looks like it is dead).
>  Wed Nov 25 19:38:13 2009 : Info: Exiting normally.
> 
> No requests at all were sent to this server between the two last log
> lines.

  Hmm... the "exiting normally" means that it received a signal to exit
(internal or external).  Otherwise, it just keeps running.

  Try using gdb, and:

(gdb) break event_loop_exit
(gdb) break radius_signal_self
(gdb) cond 1 (flag == 2)

(gdb) run

  And then when it stops:

(gdb) thread apply all bt full

  That *should* catch the stack trace where it exits.

> I was planning to use the 2.1.7 release, but hit the recursive mutex
> problem.

  Ugh.  Some systems don't support recursive mutexes, and even better,
don't complain when you try to use them!

>  Now, adding the two facts, I'm starting to wonder whether the
> "Exiting normally" bug might be related to the fix for the recursive
> mutexes?  They are both related to dead home servers.  Makes me
> suspicious...

  Quite possibly, yes.  But the fact that it exits a minute and a half
after the last packet is odd.

> And I'm wondering what my other options are wrt the mutex problem.  I am
> pretty much stuch with RHEL on these servers (not my choice).  Is this a
> glibc 2.5 problem?  Should I demand an upgrade to a more modern OS?

  Let's wait for the back trace.

  Alan DeKok.

Re: Exec and ntlm_auth

2009-11-25 Thread Ivan Kalik

freerad...@corwyn.net wrote:

> At 06:15 PM 11/25/2009, you wrote:
>> There are dozens of them there. Just save what is quoted in the guide
>> (with adjusted text) as a file into raddb/modules directory.
>
> Yeah, and in tinkering with module files I clearly haven't had success.
>
> so you're saying create a (adjusted for my environment) file in
> ../modules:
>
> rick_ntlm {
>
> exec rick_ntlm {
> ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{mschap:NT-Domain:-MYDOMAIN}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> }

No, that's for mschap. Forget that section. You just want the first
section for pap requests.

> and it should work?  In part I ask because the examples for
> radiusd.conf and mschap.conf are different.

Yes they are. One is for processing pap and the other for processing mschap
requests.

> I suspect I also have to put the reference to that new file (ntlm_rick
> in this case) into inner-tunnel as well? And in the virtual server
> config? In both the authorize{} and authenticate {} sections?

Just authenticate and default virtual server. Inner tunnel is for peap.

Ivan Kalik


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 06:15 PM 11/25/2009, you wrote:
> There are dozens of them there. Just save what is quoted in the
> guide (with adjusted text) as a file into raddb/modules directory.

Yeah, and in tinkering with module files I clearly haven't had success.

so you're saying create a (adjusted for my environment) file in ../modules:

rick_ntlm {
ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{mschap:NT-Domain:-MYDOMAIN}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

and it should work?  In part I ask because the examples for
radiusd.conf and mschap.conf are different.

I suspect I also have to put the reference to that new file
(ntlm_rick in this case) into inner-tunnel as well? And in the
virtual server config? In both the authorize{} and authenticate {} sections?

Rick





Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 06:24 PM 11/25/2009, you wrote:
> Configure AD as ldap server in ldap module (.raddb/modules/ldap).
> Then add to users file:
>
> DEFAULT Ldap-Group == "max_priv_level" or whatever is your group called
>  Service-Type = NAS-Prompt-User,
>  cisco-avpair = "shell:priv-lvl=15"

Excellent. Thank you.

Rick

PS Noticed earlier that if I put a space in front of DEFAULT the
behaviour changes. quirky.

PPS I noticed in the guide for radiusd.conf it suggests:

exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth ntlm_auth
--request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
}

yet I think it should be (an extra ntlm_auth?)

exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}




Re: Exec and ntlm_auth

2009-11-25 Thread Ivan Kalik

freerad...@corwyn.net wrote:

> Perhaps my question is how to integrate
>
> Per User Privilege Level
>
> You can also send the privilege level (enable mode is level 15) for
> individual users as a reply item to automatically put them into that
> level with cisco-avpair = "shell:priv-lvl=15"
>
> You can do this with an entry in your users file similar to the following
>
> youruser   Cleartext-Password := "somepass"
>    Service-Type = NAS-Prompt-User,
>    cisco-avpair = "shell:priv-lvl=15"
>
> into the AD part, instead of into the users file?  I had planned to
> just use AD security groups

Configure AD as ldap server in ldap module (.raddb/modules/ldap). Then
add to users file:

DEFAULT Ldap-Group == "max_priv_level" or whatever is your group called
 Service-Type = NAS-Prompt-User,
 cisco-avpair = "shell:priv-lvl=15"

Ivan Kalik


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 05:57 PM 11/25/2009, Rick Steeves wrote:
> I have the cisco configured per that guide already. However, I
> don't want to put user / password info in the users file, because
> that would defeat part of the model of centralized authentication to
> AD.  So I want that to feed authentication back to radius > AD as well.

Perhaps my question is how to integrate

Per User Privilege Level

You can also send the privilege level (enable mode is level 15) for
individual users as a reply item to automatically put them into that
level with cisco-avpair = "shell:priv-lvl=15"

You can do this with an entry in your users file similar to the following

youruser   Cleartext-Password := "somepass"
   Service-Type = NAS-Prompt-User,
   cisco-avpair = "shell:priv-lvl=15"

into the AD part, instead of into the users file?  I had planned to
just use AD security groups

Rick






Re: Exec and ntlm_auth

2009-11-25 Thread Ivan Kalik

freerad...@corwyn.net wrote:

> At 05:04 PM 11/25/2009, t...@kalik.net wrote:
>
>>> At 02:54 PM 11/25/2009, you wrote:
>>>> Just make it another file in the modules directory (like all the
>>>> others).
>>>> Any file placed in that directory is automatically included as a
>>>> module.
>>>
>>> Can you provide an example of that file?
>>
>> Example for exec ntlm_auth is in the guide.
>
> In the guide there are two separate ntlm_auth lines. The first one
> says it should go in radiusd.conf.  Where does that relate to a module?

That's a leftover from an old version. Modules now go into raddb/modules.

> It would be helpful to see what the module file would look like.

There are dozens of them there. Just save what is quoted in the guide
(with adjusted text) as a file into raddb/modules directory.

Ivan Kalik


Re: Exec and ntlm_auth

2009-11-25 Thread Alan Buxey
Hi,

> In the guide there are two separate ntlm_auth lines. The first one 
> says it should go in radiusd.conf.  Where does that relate to a module?

in latest 2.1.x you will find ntlm_auth living in the mschap module -
you can copy/read that method and command line

alan


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 05:04 PM 11/25/2009, t...@kalik.net wrote:

>> At 02:54 PM 11/25/2009, you wrote:
>>> Just make it another file in the modules directory (like all the others).
>>> Any file placed in that directory is automatically included as a module.
>>
>> Can you provide an example of that file?
>
> Example for exec ntlm_auth is in the guide.

In the guide there are two separate ntlm_auth lines. The first one
says it should go in radiusd.conf.  Where does that relate to a module?

It would be helpful to see what the module file would look like.

Rick




Re: Exec and ntlm_auth

2009-11-25 Thread tnt
> At 10:45 AM 11/25/2009, Alan DeKok wrote:
>>   What part of the instructions is not working for you?
>
> well for me at least, I have authentication working.
> radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A
> works fine.
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164,
> length=20
>
> However, when I try the same thing from the Cisco client, I get
> Authorization failed
> back from the cisco.  Better, because I originally got back
> Authentication Failed, so I figure I'm one step farther.
>
> If I disable Authorization on the Cisco, or change it back over to my
> old tacacs+ server, I can log in successfully, so my problem
> is  somewhere in the authorization process, which isn't really (to
> me) in that document.

It isn't, because you couldn't possibly include all the authorization
scenarios for all possible NAS devices. Authorization is NAS and service
specific and you should read the NAS documentation in order to find out how
that should work.

> Yet the results from the log show freeradius sending back
> Sending Access-Accept of id 121 to 10.100.0.8 port 1812
>
> Sending Access-Accept of id 121 to 10.100.0.8 port 1812

Which is empty. You most likely need to include at least Service-Type.
That looked like a telnet request, so most likely NAS-Prompt-User. You have a
Cisco document on the wiki with some examples:

http://wiki.freeradius.org/Cisco#Shell_Access

Ivan Kalik



Re: Exec and ntlm_auth

2009-11-25 Thread tnt
> At 02:54 PM 11/25/2009, you wrote:
>> Just make it another file in the modules directory (like all the others).
>> Any file placed in that directory is automatically included as a module.
>
> Can you provide an example of that file?

Example for exec ntlm_auth is in the guide.

> Also, on the web page for AD config it has:
> ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{mschap:NT-Domain:-MYDOMAIN}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> the "-" is bolded in the NT-Domain such that it indicates that it
> should be replaced, but should it be
> --domain=%{mschap:NT-Domain:example.com}
> or
> --domain=%{mschap:NT-Domain:-example.com}

The second one. But that's for mschap requests.

Ivan Kalik



Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 10:45 AM 11/25/2009, Alan DeKok wrote:
>   What part of the instructions is not working for you?

well for me at least, I have authentication working.

radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A

works fine.

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164, length=20

However, when I try the same thing from the Cisco client, I get
Authorization failed
back from the cisco.  Better, because I originally got back
Authentication Failed, so I figure I'm one step farther.

If I disable Authorization on the Cisco, or change it back over to my
old tacacs+ server, I can log in successfully, so my problem
is somewhere in the authorization process, which isn't really (to
me) in that document.

Yet the results from the log show freeradius sending back
Sending Access-Accept of id 121 to 10.100.0.8 port 1812

rad_recv: Access-Request packet from host 10.100.0.8 port 1812, id=121, length=79
NAS-IP-Address = 10.100.0.8
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "username"
Calling-Station-Id = "10.20.31.17"
User-Password = "password"
server server_cisco {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=username
[ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsteeves] (from client Cisco port 1 cli 10.20.31.17)
+- entering group post-auth {...}
++[exec] returns noop
} # server server_cisco
Sending Access-Accept of id 121 to 10.100.0.8 port 1812

Rick





Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 02:54 PM 11/25/2009, you wrote:
> Just make it another file in the modules directory (like all the others).
> Any file placed in that directory is automatically included as a module.

Can you provide an example of that file?

Also, on the web page for AD config it has:

ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{mschap:NT-Domain:-MYDOMAIN}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

the "-" is bolded in the NT-Domain such that it indicates that it
should be replaced, but should it be

--domain=%{mschap:NT-Domain:example.com}
or
--domain=%{mschap:NT-Domain:-example.com}

Rick





Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Bjørn Mork
I am now seeing this very same problem, and strongly suspect it to be
related to dead proxy home servers.  I was able to provoke the "Exiting
normally" on a server with *no* traffic at all, by doing a couple of
requests for a realm with dead home servers and then waiting:

 Wed Nov 25 18:03:56 2009 : Error: PROXY: Marking home server 88.a.b.158 port 
1812 as zombie (it looks like it is dead).
 Wed Nov 25 18:04:35 2009 : Error: PROXY: Marking home server 84.c.d.222 port 
1812 as zombie (it looks like it is dead).
 Wed Nov 25 19:38:13 2009 : Info: Exiting normally.

No requests at all were sent to this server between the two last log
lines.  This server is running the latest stable git, i.e. up to
 commit 2df19cf0024fd23d2906c13c0b01067076540871

I was planning to use the 2.1.7 release, but hit the recursive mutex
problem.  Now, adding the two facts, I'm starting to wonder whether the
"Exiting normally" bug might be related to the fix for the recursive
mutexes?  They are both related to dead home servers.  Makes me
suspicious...

And I'm wondering what my other options are wrt the mutex problem.  I am
pretty much stuck with RHEL on these servers (not my choice).  Is this a
glibc 2.5 problem?  Should I demand an upgrade to a more modern OS?


Bjørn


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Alan DeKok
Craig Campbell wrote:
> Ok,
>can anyone identify a certain "GOOD" build to use for the git bisect?
> (Say where 2.1.7 was released?)
> 
> I looked through the logs and have arbitrarily selected,
> 134f314c57d67b56bab93db4089c25e956ad6cf2] Lots of notes prior to 2.1.7
> 
> I do not know how to force git to build that revision so I could
> actually verify it is good.

  You could always try building it by hand.

  Also, when running it in gdb, try:

(gdb) break radius_signal_self
(gdb) cond 1 (flag == 2)

(gdb) run

  That should catch the case where it's been told to exit.  That should
be the *only* case where it exits the event loop.

  Alan DeKok.


Re: Exec and ntlm_auth

2009-11-25 Thread tnt
> Help again please!
> I've read the doc at
> http://deployingradius.com/documents/configuration/active_directory.html
> and I'm now confused again.
> I'm running version 2.1.7 so module configurations are now in a separate
> directory rather than modules.conf.
>
> I have an access request packet containing User-name and User-Password.
> Where do I configure the ntlm_auth command so I can authenticate against
> Active Directory (which, by the way, is giving me more pain than anything
> else I've dealt with for quite a while!!)

Just make it another file in the modules directory (like all the others).
Any file placed in that directory is automatically included as a module.

Ivan Kalik



Re: LDAP auth in two sources

2009-11-25 Thread tnt
> radiusd: FreeRADIUS Version 1.1.3, for host
> x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23

Upgrade.

http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5

> I need to make an authorization of some RADIUS clients in
> LDAP by RADIUS. Clients need only to check passwords. I can
> check this in ONE LDAP server at a time without problems.
> It works fine. But I need something different.
>
> I need to check user/password in TWO different LDAP servers.
> If ANY of the LDAPs says "password is ok" RADIUS must accept
> this userid/passwd pair. Userlists in these two LDAPs have
> some overlap. Most (but not all) of the users are present in
> BOTH of the LDAP servers. Passwords between LDAP servers are
> different.
>
> With the current configuration I get this:
>
> if username isn't found in the first LDAP let's proceed to the
> next
> if username isn't found in the second LDAP let's DENY access

You probably don't need that after upgrade. Just force Auth-Type LDAP in
users file.

> if username is found in the first LDAP and password is accepted
> by the first LDAP let's ALLOW access.
> if username is found in the first LDAP and password isn't
> accepted by the first LDAP let's DENY access.
>
> RADIUS doesn't check the password in the second LDAP server. I
> know why but I don't know how to change this behavior.

Create failover inside Auth-Type LDAP:

Auth-Type LDAP {
 tam {
  reject = 2
 }
 if (reject) {
  lotus
 }
}

Ivan Kalik



RE: Freeradius-Users Digest, Vol 55, Issue 113

2009-11-25 Thread tnt
>> You *can* have multiple entries (rows) for each user. You don't have to
>> cram everything into a single row.
>
> Okay, but I don't think it makes any sense that you have multiple inputs
> of the same user in a table?

It doesn't make sense - to you. Everybody else is quite OK with that. You
evidently don't know much about databases: relations can be one to one,
one to many, many to many, ... Find a book and learn something about
things before you express views about what does and what doesn't make
sense.

> Say for example that you have like 200 different users and every user has
> to have like 3 different attributes. The table would get extremely large.

Please! What you are describing is laughably small.

> What I want to do is to through MySQL link a user to a specific group and
> in that way start up the segmentation. So depending on what group you are
> a member in you get into different VLANs etc. That's why I hoped that I
> could use "radusergroup" to link a user to a group and then in
> "radgroupcheck" add group specific attributes like NAS-Port-Id's or
> Called-Station-Id's and in that way being able to do a segmentation on
> SSID or WLAN.

You can use it for that. In your last post you were asking if the user
that doesn't match any group will be rejected. That won't happen. User
will still get authenticated (using data from radcheck) and since he will
have no VLAN information in the reply NAS will most likely place him in a
default VLAN.

> What I need is a GUI where you can search for a specific group and add a
> new user or edit a user in that group.
> I really don't want to see a list of all the users there is and then have
> to search through 200 users to find the one I wish to edit.
> So is it possible with dialupadmin to add a user and link that user to a
> group so you can only list that group's users?
> Also is it possible in any way to make group specific attributes so I won't
> have to add SSID restrictions on user level?
>
> I have seen in the source of Freeradius that dialup admin comes with it.
> I've started to think about testing it.
> So do I need to build dialupadmin in the same way I did with OpenSSL and
> FreeRadius or did it get installed at the same time as I installed
> Freeradius?
> Also is there anywhere I can read about how to link dialup admin to MySQL
> etc.?

Start with README file in dialup_admin directory and:

http://freeradius.org/dialupadmin.html

That should answer most of your questions.

Ivan Kalik



Re: Tie up user to specific NAS

2009-11-25 Thread tnt
> How do I tie up user to specific NAS so that they can log in from that
> location only? I have different hotspots in different locations and
> using dynamic-clients? After a quick search, I found "NAS-Identifier"
> attribute. Is this the solution? If yes
>
> NAS-Identifier = ? (IP, MAC, Name)

You will have to read NAS documentation in order to find out. On many
devices you can set NAS-Identifier to be whatever you want. On some
devices it can have only a certain default value.

Ivan Kalik



RE: showing NAS-IP of 127.0.01 instead of

2009-11-25 Thread Matt Ashfield
I just figured that out via a sniff. Thanks for the note. I'll go after the
requesting software now.

From: Garber, Neal [mailto:neal.gar...@energyeast.com]
Sent: November 25, 2009 2:27 PM
To: 'm...@unb.ca'; 'FreeRadius users mailing list'
Subject: RE: showing NAS-IP of 127.0.01 instead of

> The problem is that although the Access-Request packet is shown as coming
> from the correct host,
> that host's ip address is not showing up as the NAS-IP-Address for that
> request. Instead, it's showing
> as 127.0.0.1 as seen below:
> I'm wondering what could cause this? Any help is appreciated.

The NAS is sending that attribute within the request - ask the NAS vendor
why they are sending 127.0.0.1.  I've seen this issue with Lantronix console
servers (not sure if that's the NAS you are using).  They eventually updated
their firmware to use the correct address.  As a workaround, I did the
following in the authorize section of the default server (before preprocess
if you want huntgroup name lookup to work properly):

if (NAS-IP-Address == "127.0.0.1") {
   update request {
      NAS-IP-Address := "%{Client-IP-Address}"
   }
}


RE: showing NAS-IP of 127.0.01 instead of

2009-11-25 Thread Garber, Neal
> The problem is that although the Access-Request packet is shown as coming 
> from the correct host,
> that host's ip address is not showing up as the NAS-IP-Address for that 
> request. Instead, it's showing
> as 127.0.0.1 as seen below:
> I'm wondering what could cause this? Any help is appreciated.

The NAS is sending that attribute within the request - ask the NAS vendor why 
they are sending 127.0.0.1.  I've seen this issue with Lantronix console 
servers (not sure if that's the NAS you are using).  They eventually updated 
their firmware to use the correct address.  As a workaround, I did the 
following in the authorize section of the default server (before preprocess if 
you want huntgroup name lookup to work properly):

if (NAS-IP-Address == "127.0.0.1") {
   update request {
      NAS-IP-Address := "%{Client-IP-Address}"
   }
}

showing NAS-IP of 127.0.01 instead of

2009-11-25 Thread Matt Ashfield
Hi,

I'm running FreeRADIUS Version 2.1.5. We are trying to do system
authentication for some users. We do this by creating huntgroups based on
NAS-IP-Address, and then telling that huntgroup to use System for
authentication.

The problem is that although the Access-Request packet is shown as coming
from the correct host, that host's ip address is not showing up as the
NAS-IP-Address for that request. Instead, it's showing as 127.0.0.1 as seen
below:

rad_recv: Access-Request packet from host 192.168.27.7 port 53201, id=130, length=51
User-Name = "xm7z1"
User-Password = "abc.123"
NAS-IP-Address = 127.0.0.1

I'm wondering what could cause this? Any help is appreciated.

Thanks

Matt


Re: Exec and ntlm_auth

2009-11-25 Thread Alan DeKok
Leighton Man wrote:
> I've read the doc at 
> http://deployingradius.com/documents/configuration/active_directory.html and 
> I'm now confused again.
> I'm running version 2.1.7 so module configurations are now in a separate 
> directory rather than modules.conf.

  That change is just re-organization.  It doesn't affect the way the
server runs.

> I have an access request packet containing User-name and User-Password. Where 
> do I configure the ntlm_auth command so I can authenticate against Active 
> Directory (which, by the way, is giving me more pain than anything else I've 
> dealt with for quite a while!!)

  What part of the instructions is not working for you?

  Alan DeKok.


Problem with EAP-TLS

2009-11-25 Thread _Stefan_H

I want to configure EAP-TLS on freeradius but it doesn't work. I hope the
information below is enough.
I am using freeradius 2.1.1 (openSUSE 11.1). First I configured PAP using
this tutorial (
http://en.opensuse.org/RadiusServerHOWTO#Configuring_file_based_authentication
) and it works with an XP supplicant. Then I wanted to configure EAP-TLS.

Well, the tutorials I found said that there is not much to do and I guess
that's wrong.
I only edited pap to tls in eap.conf:

eap {
default_eap_type = tls

The Cisco 2950 switch was added to clients.conf during the PAP tutorial:

client 192.168.5.3 {
secret  = testing123
shortname   = cisco
}

Well, I added some attributes in the users file because of dynamic
VLANs but I think that's not relevant now, is it?:

oss-radius  Cleartext-Password := "hello"
        Auth-Type := EAP,
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 5

For testing I created the standard certificates from freeradius with these
commands:

cd /etc/raddb/certs/
make all
make client.pem

Before I did this I changed the commonName and the email address in
client.cnf:

[client]
countryName = FR
stateOrProvinceName = Radius
localityName = Somewhere
organizationName = Example Inc.
emailAddress = oss-radius
commonName = oss-radius

I imported the ca.der and the client.p12 on the XP client and finally I
configured the XP client to use EAP-TLS:
http://old.nabble.com/file/p26515010/zertifikateinstellung.jpg

The authentication doesn't work and this is the debugging output:

rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=3, length=110
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Calling-Station-Id = "00-0B-6A-2B-DA-78"
Service-Type = Framed-User
EAP-Message = 0x0201000f016f73732d726164697573
Message-Authenticator = 0xf68cf58770b7aca2671434c718bc4fb9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel

Re: Free Radius accounting and duplicate session entries in radacct with different output/input octets

2009-11-25 Thread Alan DeKok
Ade Slade wrote:
> Firstly, is the accounting part of FreeRadius used by major
> organisations?

  http://freeradius.org/press/survey.html

  If by "major", you mean "10 million or more users", yes.

> Due to the possibility and indeed occurrence of duplicate
> sessions appearing in the radacct table and other issues I've found, it
> doesn't seem to be all that robust a solution. I realise freeradius is
> just reporting what it is sent from the NAS and so is not to blame.

  RADIUS is a robust solution if you (a) buy a reasonable NAS, and (b)
understand its limitations.

> Secondly, I've experienced duplicate accounting sessions appearing which
> report different input/output octets. Over the set of the data, it has
> happened infrequently but it is undesirable. Comparing the data inserted
> into the radacct table and the logs, one (or more) of the duplicate
> sessions will reflect the logs and one of the duplicates will show
> completely different input/output octets. It's worth noting that these
> duplicate sessions share the same AcctSessionTime, AcctSessionId,
> AcctUniqueId and UserName. Any ideas on what the cause of this could be?

  Your NAS is broken.  Buy a real NAS.

  *ALL* of the data in an accounting packet is generated by the NAS.  If
it sends two packets for the same user with the same session time,
session Id, and username, BUT different input/output octets, then it's
BROKEN.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Free Radius accounting and duplicate session entries in radacct with different output/input octets

2009-11-25 Thread Ade Slade
Hey,

Firstly, is the accounting part of FreeRadius used by major organisations?
Due to the possibility and indeed occurrence of duplicate sessions appearing
in the radacct table and other issues I've found, it doesn't seem to be all
that robust a solution. I realise freeradius is just reporting what it is
sent from the NAS and so is not to blame.

Secondly, I've experienced duplicate accounting sessions appearing which
report different input/output octets. Over the set of the data, it has
happened infrequently but it is undesirable. Comparing the data inserted
into the radacct table and the logs, one (or more) of the duplicate sessions
will reflect the logs and one of the duplicates will show completely
different input/output octets. It's worth noting that these duplicate
sessions share the same AcctSessionTime, AcctSessionId, AcctUniqueId and
UserName. Any ideas on what the cause of this could be?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Exec and ntlm_auth

2009-11-25 Thread Leighton Man
Hi
Help again please!
I've read the doc at 
http://deployingradius.com/documents/configuration/active_directory.html and 
I'm now confused again.
I'm running version 2.1.7 so module configurations are now in a separate 
directory rather than modules.conf.

I have an access request packet containing User-name and User-Password. Where 
do I configure the ntlm_auth command so I can authenticate against Active 
Directory (which, by the way, is giving me more pain than anything else I've 
dealt with for quite a while!!)

Thanks,

Leighton


---
This transmission is confidential and may be legally privileged. If you receive 
it in error, please notify us immediately by e-mail and remove it from your 
system. If the content of this e-mail does not relate to the business of the 
University of Huddersfield, then we do not endorse it and will accept no 
liability.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP auth in two sources

2009-11-25 Thread Vladimir Mendelevich
Hello!

radiusd: FreeRADIUS Version 1.1.3, for host
x86_64-redhat-linux-gnu, built on Apr 25 2007 at 09:04:23

I need to make an authorization of some RADIUS clients in
LDAP by RADIUS. Clients need only to check passwords. I can
check this in ONE LDAP server at a time without problems.
It works fine. But I need something different.

I need to check user/password in TWO different LDAP servers.
If ANY of the LDAPs says "password is ok" RADIUS must accept
this userid/passwd pair. Userlists in these two LDAPs have
some overlap. Most (but not all) of the users are present in
BOTH LDAP servers. Passwords between LDAP servers are
different.

With the current configuration I get this:

if username isn't found in first LDAP, proceed to the
next
if username isn't found in second LDAP, DENY access
if username is found in first LDAP and password is accepted
by first LDAP, ALLOW access.
if username is found in first LDAP and password isn't
accepted by first LDAP, DENY access.

RADIUS doesn't check the password in the second LDAP server. I
know why but I don't know how to change this behavior.

this is how the users look:

---
LDAP1: uid=userid,o=org1
LDAP2: uid=userid,o=org2
---

As you can see organization is different in this two LDAP
servers.

I check this with "radtest" utility.


/etc/raddb/radiusd.conf

--
modules {
        ldap tam {
                server = "ldap1.ts"
                basedn = "o=org1"
                filter = "(uid=%{User-Name})"
                authtype = tam
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
                do_xlat = no
                access_attr_used_for_allow = no
                set_auth_type = yes
        }
        ldap lotus {
                server = "ldap2.ts"
                basedn = "o=org2"
                filter = "(uid=%{User-Name})"
                authtype = lotus
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = no
                do_xlat = no
                access_attr_used_for_allow = no
                set_auth_type = yes
        }
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
                #suppress {
                #       User-Password
                #}
        }
}
authorize {
        group ldap {
                tam {
                        notfound = 1
                        noop = 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                lotus {
                        notfound = 1
                        noop = 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                handled
        }
}
authenticate {
        Auth-Type tam {
                tam {
                        notfound = 1
                        noop = 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                handled
        }
        Auth-Type lotus {
                lotus {
                        notfound = 1
                        noop = 2
                        fail = 3
                        reject = 4
                        ok = return
                }
                handled
        }
}
--

logfiles:

user exist in LDAP1 and password is good in LDAP1
---
rad_recv: Access-Request packet from host
192.168.110.3:49867, id=21, length=64
User-Name = "vmendelevich"
User-Password = ""
NAS-IP-Address = 192.168.110.3
NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall: entering group ldap for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vmendelevich
radius_xlat: '(uid=vmendelevich)'
radius_xlat: 'o=org1'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.ts:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option
to allow
rlm_ldap: bind as / to ldap1.kmz.ts:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=org1, with filter
(uid=vmendelevich)
rlm_ldap: looking for che

Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Bjørn Mork
"Craig Campbell"  writes:

>can anyone identify a certain "GOOD" build to use for the git
> bisect? (Say where 2.1.7 was released?)
>
> I looked through the logs and have arbitrarily selected,
> 134f314c57d67b56bab93db4089c25e956ad6cf2] Lots of notes prior to 2.1.7
>
> I do not know how to force git to build that revision so I could
> actually verify it is good.

Not sure if I understand the question...

"git tag" will give you a list of tags.  "release_2_1_7" looks like a
good choice.  You could use "git log" or "git show" or something like
that to get the hash, but you really don't need to. If you know the
2.1.7 release was good, then you can just do

 "git bisect good release_2_1_7"




Bjørn

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius-Users Digest, Vol 55, Issue 113

2009-11-25 Thread Peter Carlstedt


> From: t...@kalik.net
> Subject: Re: The MySQL databases for Freeradius
> 
> > I am sitting here trying to figure out how FreeRadius works towards MySQL.
> >
> > The database "radcheck" is for a singeluser if I have understood it
> > correctly.
> >
> > What I want to do is that through MS Access make a form where I can add
> > several attributes to the same row in the table.
> >
> > But since radcheck only seem to work with one attribute per row for one
> > user I dont really know how to do.
> 
> You *can* have multiple entries (rows) for each user. You don't have to
> cram everything into a single row.

Okay, but I don't think it makes any sense that you have multiple entries for the 
same user in a table?
Say for example that you have like 200 different users and every user has to 
have like 3 different attributes. The table would get extremely large.
What I want to do is to, through MySQL, link a user to a specific group and in 
that way start up the segmentation. So depending on what group you are a member 
of you get into different VLANs etc. That's why I hoped that I could use 
"radusergroup" to link a user to a group and then in "radgroupcheck" add group 
specific attributes like NAS-Port-Ids or Called-Station-Ids and in that way 
be able to do segmentation on SSID or WLAN. 
> 
> > What I mean is that if I have a user called "test-user" and want to have
> > two attributes for that user, in this case "Cleartext-Password" &
> > "NAS-Port-Id" I need to have two rows for that user.
> 
> Yes, you do.
> 
> > radcheck:
> >
> > --
> >
> > |id|username   |attribute  |op |value |
> >
> > |1 |user-test   |Cleartext-Password|== |test-pass   |
> 
> That should be :=.
> 
> > |2 |user-test   |NAS-Port-Id  |== |raket |
> >
> > ---
> >
> > The reason I want to make a form is because I want others than me being
> > able to add new users and have them connected to the correct group which
> > then will have a separate VLAN and SSID.
> 
> The form you generate with MS Access will put data into - MS Access
> backend. You can't connect that form to MySQL. If you are a fan of Windows
> use Windows (ASP.NET) forms or webforms which can place data into MySQL.

I have actually been able to make changes to the MySQL table by using MS Access 
and ODBC.
But I have had some problems making a form that works towards radcheck though.
I'm not really a Windows fan, but I need a backend that restricts the admins 
from messing up the FreeRADIUS server.
What I need is a GUI where you can search for a specific group and add a new 
user or edit a user in that group.
I really don't want to see a list of all the users there are and then have to 
search through 200 users to find the one I wish to edit.
So is it possible with dialupadmin to add a user and link that user to a group 
so you can only list that group's users?
Also is it possible in any way to make group specific attributes so I won't have 
to add SSID restrictions on user level?

I have seen in the source of FreeRADIUS that dialup admin comes with it. I've 
started to think about testing it.
So do I need to build dialupadmin in the same way I did with OpenSSL and 
FreeRADIUS or did it get installed at the same time as I installed FreeRADIUS?
Also is there anywhere I can read about how to link dialup admin to MySQL etc.?
> 
> Freeradius comes with its own admin GUI - dialup admin. There are also
> outside projects like daloRadius. Or you can make your own using things
> like PHP.
> 
> > So then I thought that if i use the table called "radusergroup" and link
> > the user to a specific group it should work in a way that all members of
> > this group may only connect to the network if they try to connect to the
> > correct SSID. It seems that did not work either.
> 
> No, it will not work. Groups in sql emulate DEFAULT entries in users file
> - if check doesn't match, replies are ignored - user is not rejected.
> 
> > I am at a loss here and
> > dont really know what I should do.
> 
> If you want user to get rejected if SSID doesn't match, you will need to
> make it an entry in radcheck table. As long as the password is there too
> user will be rejected.
> 
> Ivan Kalik

Thank you for your time.

Best regards/ Peter Carlstedt

DHCP-Relay-Agent-Information in reply

2009-11-25 Thread Alexandr Sviridov


Hello

I'm playing with freeradius dhcp support, and get the following problem.

Freeradius 2.1.7, option 82: for dhcp snooping to work I have to not only get 
DHCP-Relay-Agent-Information (option 82) in the request but also send it back to the dhcp 
relay.

Just a test example (radiusd in debug mode):
DHCP-Discover:
DHCP-Opcode = Client-Message
DHCP-Hardware-Type = Ethernet
...skip...
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Relay-Agent-Information = 0x010600040001000202080006001e589e836f
DHCP-Offer:
Sending DHCP-Offer of id 69dd544f from 1.1.1.1:67 to 1.1.1.2:67
DHCP-Opcode = Server-Message
DHCP-Hardware-Type = Ethernet
...skip...
DHCP-IP-Address-Lease-Time = 3600
DHCP-Relay-Agent-Information = 0x010600040001000202080006001e589e836f

So far, so good, but tcpdump shows me:
DHCP-Discover:
    Agent-Information Option 82, length 18:
      Circuit-ID SubOption 1, length 6: \000\004\000\001\000\002
      Unknown SubOption 2, length 8:
        0x0000:  0006 001e 589e 836f
DHCP-Offer:
    Agent-Information Option 82, length 20:
      Unknown SubOption 0, length 18:

So as I can see option 82 length is 20 instead of 18. Why?



--
Alexandr Sviridov
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
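An added example (not from Alexandr's post or from FreeRADIUS), in Python: it parses the DHCP-Relay-Agent-Information value from the debug output above into its RFC 3046 sub-options, rejects malformed encodings, and shows that wrapping those 18 bytes inside one extra sub-option header is exactly what yields the 20-byte option with a single "SubOption 0, length 18" that tcpdump reported. The hex value is the one from the post; the sub-option names are RFC 3046's.

```python
from typing import List, Tuple

# Constructed from the post's radiusd debug output: the value of
# DHCP-Relay-Agent-Information as received in the DHCP-Discover.
OPTION_82_HEX = "010600040001000202080006001e589e836f"

# RFC 3046 sub-option codes; anything else is reported as Unknown,
# as tcpdump did for code 2 in the post.
SUBOPTION_NAMES = {1: "Circuit-ID", 2: "Remote-ID"}


def parse_suboptions(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split an option 82 payload into (code, data) sub-options.

    Each sub-option is a one-byte code, a one-byte length and that many
    data bytes.  A truncated or overlong encoding raises ValueError
    instead of being silently accepted.
    """
    subs = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(
                "sub-option %d claims %d bytes, only %d present"
                % (code, length, len(data)))
        subs.append((code, data))
        i += 2 + length
    return subs


def is_well_formed(raw: bytes) -> bool:
    """True if every sub-option header is consistent with the payload length."""
    try:
        parse_suboptions(raw)
        return True
    except ValueError:
        return False


def wrap_as_suboption(code: int, data: bytes) -> bytes:
    """Prefix data with a two-byte sub-option header (code, length)."""
    if not 0 <= code <= 255 or len(data) > 255:
        raise ValueError("sub-option code or length out of range")
    return bytes([code, len(data)]) + data


def describe(raw: bytes) -> List[str]:
    """Render the payload in the style of tcpdump's option 82 output."""
    lines = ["Agent-Information Option 82, length %d:" % len(raw)]
    for code, data in parse_suboptions(raw):
        name = SUBOPTION_NAMES.get(code, "Unknown")
        lines.append("  %s SubOption %d, length %d: %s"
                     % (name, code, len(data), data.hex()))
    return lines


if __name__ == "__main__":
    discover = bytes.fromhex(OPTION_82_HEX)
    # length 18: Circuit-ID (1, 6 bytes) followed by sub-option 2 (8 bytes)
    print("\n".join(describe(discover)))
    # Re-encoding the whole 18-byte value as a single sub-option adds a
    # two-byte header: 20 bytes on the wire, one "SubOption 0, length 18".
    offer = wrap_as_suboption(0, discover)
    print("\n".join(describe(offer)))
```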


Re: Unexpected "Exiting normally" 2.1.8?

2009-11-25 Thread Craig Campbell

Ok,
   can anyone identify a certain "GOOD" build to use for the git bisect? 
(Say where 2.1.7 was released?)


I looked through the logs and have arbitrarily selected,
134f314c57d67b56bab93db4089c25e956ad6cf2] Lots of notes prior to 2.1.7

I do not know how to force git to build that revision so I could actually 
verify it is good.


Thanks,
-craig
- Original Message - 
From: "Craig Campbell" 

To: "FreeRadius users mailing list" 
Sent: Tuesday, November 24, 2009 7:28 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Thanks for the correction.

I have rebuilt and am re-running my test.  I just hope I didn't somehow 
taint the bisect work and provide misleading information to Alan.


I should know some time today if I need to redo the bisection.
For my previous work I had done,

$git bisect start
$git bisect bad
$git bisect good 321c0ae58641f709d115526bb564cbd8c4dab71d<- I do 
not have full confidence in this


Followed by loops of ,
$./conf
$CFLAGS='-O0 -g' ./configure
$make clean
$find . -name "*.o"<- sometimes I found lingering .o 
files - not certain why.  I would delete any I discovered at this point

$make
$git bisect skip|bad|good<- depending on if build failed, binary 
crashed or other error (skip), had error (bad), or succeeded(good)
$git pull  <- I THINK this may be 
unnecessary..  but not certain.  Docs I found on git were not entirely 
clear


If I need to re-bisect, could you perhaps spoon feed me the commands to 
ensure I'm doing it correctly?  Specifically, how can I acquire and verify 
I have my first "good" build?  And then the incantation to perform 
iterative bisections until I run out.


I truly hope I haven't provided misleading info.

Thanks,
-craig
- Original Message - 
From: "Alexander Clouter" 

To: 
Sent: Monday, November 23, 2009 8:13 AM
Subject: Re: Unexpected "Exiting normally" 2.1.8?



Hi,

Craig Campbell  wrote:


   I re -acquired the source, but there seems to be a (minor I think) 
error.


   $git clone git://git.freeradius.org/freeradius-server.git
   $cd freeradius-server
   $git fetch origin stable:stable
   $git pull   <- should be 'git checkout stable'
   $make clean
   $CFLAGS='-O0 -g' ./configure
   $make


Otherwise if I am reading that right you are trying to compile off the
unstable branch.

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #169:
 broadcast packets on wrong frequency

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Groups of NASs by IP

2009-11-25 Thread Leighton Man

> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
> 
> client 2.3.4.0/24 {
>         shortname       = switch
>         secret          = blar
> }
> client 3.4.5.0/24 {
>         shortname       = switch
>         secret          = hoot
>
>         vendor          = allied-telesis
> }
> client 1.2.3.0/28 {
>         shortname       = console
>         secret          = honk
> }
>
> Then in your virtual server you can use something like:
>
> authorize {
>
>         update request {
>                 # NAS-Vendor is a local custom dict addition
>                 NAS-Vendor      := "%{client:vendor}"
>                 NAS-Identifier  := "%{client:shortname}"
>         }
>
>         files
>
> }
>
> Your 'users' file then has:
>
> DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
>         Service-Type = Administrative-User
> DEFAULT NAS-Identifier == switch, LDAP-Group == netref
>         Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
> 
>
> You can actually add *anything* to the client subsections
> ('shortname'
> and 'secret' are the only FreeRADIUS variables in there, the 'vendor'
> bit is not known to FreeRADIUS) and FreeRADIUS will simply
> ignore it but it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>

Many many thanks for this. Strangely enough, I already have the major groups in 
clients.conf for other reasons and the ultimate goal is to control logins on 
our cisco infrastructure and thus retire ACS. You've given me a lot of help.
Thanks,

Leighton



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Groups of NASs by IP

2009-11-25 Thread Alexander Clouter
Leighton Man  wrote:
> 
> I would like to group NASs by ip address but as I have a few hundred, 
> I don't want to maintain a list.
> 
> Can I configure ip address ranges in huntgroups eg. Group1 
> NAS-IP-Address == 192.168.1.101 - 105 If not, can I use regular 
> expressions?
> 
> How else can I do this? What is the best way?
> 
I used to use huntgroups to do this, however recently discovered in the 
mailing list archives that the clients.conf file can be used to better 
effect with grouping:

client 2.3.4.0/24 {
        shortname       = switch
        secret          = blar
}
client 3.4.5.0/24 {
        shortname       = switch
        secret          = hoot

        vendor          = allied-telesis
}
client 1.2.3.0/28 {
        shortname       = console
        secret          = honk
}


Then in your virtual server you can use something like:

authorize {

        update request {
                # NAS-Vendor is a local custom dict addition
                NAS-Vendor      := "%{client:vendor}"
                NAS-Identifier  := "%{client:shortname}"
        }

        files

}


Your 'users' file then has:

DEFAULT NAS-Identifier == switch, NAS-Vendor == allied-telesis, LDAP-Group == netref
        Service-Type = Administrative-User
DEFAULT NAS-Identifier == switch, LDAP-Group == netref
        Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:priv-lvl=15"
DEFAULT NAS-Identifier == switch, Auth-Type := Reject


You can actually add *anything* to the client subsections ('shortname' 
and 'secret' are the only FreeRADIUS variables in there, the 'vendor' 
bit is not known to FreeRADIUS) and FreeRADIUS will simply ignore it but 
it is accessible via '%{client:NAME}'.

The advantage with this approach is that you are doing the NAS grouping 
in the clients.conf file rather than potentially duplicating it in the 
'hints' and/or huntgroups file.

Cheers

-- 
Alexander Clouter
.sigmonster says: Your boyfriend takes chocolate from strangers.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rejecting auth from a specific realm

2009-11-25 Thread Alexander Clouter
Ben Carbery  wrote:
>
> I am using freeradius to proxy eduroam requests. These could be for any
> number of different realms so I only have a DEFAULT realm configured.
>
I'm a 'DEFAULT' kinda guy, however there seems to be in the .ac.uk world 
a push to get people to 'nudge' (using 'Proxy-to-Realm') eduroam 
authentications and not have a DEFAULT at all. Fortunately FreeRADIUS 
lets you do things however it suits you.

I opted for the 'DEFAULT' approach as I personally like how it fills the 
'eduroam' requirement alongside the realm blacklisting.
 
> I now want to reject authentication to one specific realm (my own) but pass
> all others. The proxy server can't do this for me so I need to do it before
> proxying. I have been reading all the man pages but can't figure this
> out..how where is this done?
> 
In my proxy.conf file I have something like:

realm auth-reject.virtual {
        virtual_server  = auth-reject
}

# you *must* reject realm-less 'eduroam' queries, even for your
# local users, otherwise you will run into operational issues
# when your own users try to roam.  If you want more details do 
# contact me off list.
realm NULL {
        virtual_server  = auth-reject

        nostrip
}

realm soas.ac.uk {
#       authhost = LOCAL  # not strictly necessary
#       accthost = LOCAL  # not strictly necessary
}

realm DEFAULT {
        # snipped our pool definition
        pool            = eduroam

        nostrip
}

# blackhole routing
realm myabc.com {
        virtual_server  = auth-reject

        nostrip
}
realm "~\\.3gppnetwork\\.org$" {
        virtual_server  = auth-reject

        nostrip
}



authorize {
        preprocess

        suffix

        # handle blackhole'd (and NULL) realms
        if (Realm != "soas.ac.uk" && Realm != "DEFAULT") {
                handled
        }

        validate_username

}


Our 'auth-reject' virtual server is:

server auth-reject {
        authorize {
                suffix

                switch "%{Realm}" {
                        case "NULL" {
                                update reply {
                                        Reply-Message := "No Realm"
                                }
                        }

                        # we should not get here
                        case "DEFAULT" {
                                update reply {
                                        Reply-Message := "ERROR"
                                }
                        }

                        # we *really* should not get here
                        case "soas.ac.uk" {
                                update reply {
                                        Reply-Message := "BIG ERROR"
                                }
                        }

                        case {
                                update reply {
                                        Reply-Message := "Realm Blackholed"
                                }
                        }
                }

                reject
        }
}


As a side note, 'validate_username' is a policy.conf definition I 
created to make sure the username looks vaguely sane.  I recommend you 
use it :)

# only needs to be close enough to catch unroutable guff
# FIXME seems to permit 'space' through, for example 
# 'xwfmnc02qnabzlq9wi9...@globalsign Root CA'
validate_username {
        # HACK remove once 'space' regex bug is fixed
        if (User-Name =~ /[[:space:]]/) {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }

        if (User-Name !~ /@/ \
            || ( \
                User-Name !~ /@.*@/ \
                && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
            ) \
        ) {
                ok
        }
        else {
                update reply {
                        Reply-Message := "Invalid User-Name Syntax"
                }
                reject
        }
}


Once set up, you simply add more realms to proxy.conf to 
blackhole and it keeps your main configuration generally rather simple.

Cheers

-- 
Alexander Clouter
.sigmonster says: Many people are unenthusiastic about their work.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Tie up user to specific NAS

2009-11-25 Thread Deepak
Hi,

How do I tie up user to specific NAS so that they can log in from that
location only? I have different hotspots in different locations and
using dynamic-clients? After a quick search, I found "NAS-Identifier"
attribute. Is this the solution? If yes

NAS-Identifier = ? (IP, MAC, Name)

Thanks
Deepak

-- 
==
Registered Linux User #460714
Currently Using Fedora 10, CentOS 5.3
==
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Rejecting auth from a specific realm

2009-11-25 Thread Ana Gallardo
Sorry,

if (Realm == 'your.realm')  {
   update control {
   Auth-Type = Reject
   }
}

  

 Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Groups of NASs by IP

2009-11-25 Thread Leighton Man
Hi,

I would like to group NASs by ip address but as I have a few hundred, I don't 
want to maintain a list.

Can I configure ip address ranges in huntgroups eg. Group1 NAS-IP-Address == 
192.168.1.101 - 105
If not, can I use regular expressions?

How else can I do this? What is the best way?

Thanks in advance,

Leighton



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: default linelog Accounting-Request handling broken?

2009-11-25 Thread Josip Rodin
On Wed, Nov 25, 2009 at 08:50:32AM +0100, Alan DeKok wrote:
> > I made my own instance of linelog and configured it just like the default,
> > i.e. it has:
> > 
> > format = "..."
> > reference = "%{%{Packet-Type}:-format}"
> 
>   That's used for logging per-packet information.
> 
> > Accounting-Request {
> > Start = "..."
> > unknown = "..."
> > }
> 
>   See the comments right above that entry for the *correct* reference to
> use for accounting requests.

OK, that actually makes sense. But it makes no sense to have that commented
out while the block below is *not* commented out. Please either uncomment
them both or comment them both; this makes for one confusing example :)

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CUI

2009-11-25 Thread Alan DeKok
Humberto Cardoza wrote:
> I am a new user with FreeRADIUS; now I have it configured with MySQL
> but the problem I have is that the cui table is not populated
> with information on the active sessions. I have configured the
> sql/mysql/cui.conf and all the stuff that I found is necessary, but
> it simply doesn't work.

  The CUI functionality is still a work in progress.  We expect to have
more docs, etc. in 2.1.8

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html