Re: EAP-TLS User-Name not matching

2010-01-21 Thread Huckle Berry
OK, so I sent that last email off a little too prematurely. Somehow, in my
various remakings of my certs, I ended up with no xpextensions. I don't
have time to test it now as I have to give the network back soon. Will
report later.

~Huckle Berry
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Blank Password Problem

2010-01-21 Thread Satyam Mathura
Quick update.
Although the RADIUS server no longer accepts blank passwords, I now have a
problem where users who belong to groups which are not allowed to access NAS
devices in certain huntgroups can now do so.
Any ideas?


Re: Blank Password Problem

2010-01-21 Thread Satyam Mathura
The reason I had those configs was because they were outlined as steps to
reject authentication by default in the guide I was using.
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

"Note: If you want to reject authentication by default then edit the
raddb/users file and add this:

DEFAULT   Auth-Type := Reject

Then add Auth-Type Accept with := as op in radgroupcheck for each group"


I've commented out the DEFAULT Auth-Type := Reject in the users file and
removed the Auth-Type := Accept from the radgroupcheck table, and the
server no longer accepts a blank password.


Is the guide incorrect, or does it need updating?

Thanks for the help guys.

Re: Blank Password Problem

2010-01-21 Thread Bjørn Mork
Satyam Mathura  writes:

> Line 204 in my users file is the following:
> DEFAULT   Auth-Type := Reject

You don't want that.  It removes the server's ability to figure it out
by itself.


> my radgroupcheck config:
> +----+------------------+----------------+----+--------+
> | id | groupname        | attribute      | op | value  |
> +----+------------------+----------------+----+--------+
> |  5 | engineeringadmin | Huntgroup-Name | == | admin  |
> |  6 | engineeringadmin | Auth-Type      | := | Accept |

Why? This will make the server act as you describe: Any username in the
engineeringadmin group will be accepted regardless of password.


Bjørn


Re: EAP-TLS User-Name not matching

2010-01-21 Thread Huckle Berry
On Thu, Jan 21, 2010 at 1:48 AM, Alan DeKok wrote:

>   If you're not going to bother reading the messages here, I don't see
> why you're asking questions.
>
I thought the golden rule around here was "Don't Touch the Confs, it should
just work". Using that information, I wanted to get everything working under
the default conf before I went making changes.

The other issue is that this is a production environment I'm working in,
so I can only fiddle with it at night when no one's around and put it back
before morning, and even then it's only once or twice a week I can do this.
This is why I don't get to test every single suggestion the day it is
suggested. I will get to it eventually, but I have to guarantee no one is on
the network first. There is no funding for a test lab yet. So it may take a
few days for me to get outputs for these.

So here is my current experiment: change "user" in the users file to read
"u...@example.com Proxy-To-Realm := LOCAL, Auth-Type: EAP". Here is what this
has done for me. Now, after [pap] has finished, I see this output, which looks
promising:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 3085
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0x5c8c8a805d8f877c3b23b024f6c52334
Or I see this after [pap] finishes:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 01cf], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0088], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.1 port 3085
EAP-Message =
0x0104029a0d800290160301002a022603014b58d66df2beab...
EAP-Message =
0x654e66d7258c14a9f79bcf1c8ee70bd2b801f39057a0bcaa434ba517...
EAP-Message =
0x391081d76569059c3613f16442bc0edad9d95016030100880d80...
Message-Authenticator = 0x
State = 0x5c8c8a805e88877c3b23b024f6c52334
Finished request 42.

The Windows host now states "Attempting to authenticate" as opposed to
"Validating identity"/"Failed to validate identity" as it did before. And
the [tls] module is running now, so this is obviously a step in the right
direction. Adding or removing a Cleartext-Password or Reply-Message didn't
affect the output greatly.

~Huckle Berry

Re: Blank Password Problem

2010-01-21 Thread Satyam Mathura
Line 204 in my users file is the following:
DEFAULT   Auth-Type := Reject

My MySQL database also stores huntgroup information for the FreeRADIUS
server. I want to reject authentication by default on all my NAS devices
unless the usergroup which the user belongs to is allowed to access that
huntgroup.
I've basically followed this guide:
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO

my radhuntgroup config:
+----+-----------+--------------+-----------+------------------+
| id | groupname | nasipaddress | nasportid | usergroup        |
+----+-----------+--------------+-----------+------------------+
|  1 | admin     | 192.168.1.1  | tty       | engineeringadmin |


my radgroupcheck config:
+----+------------------+----------------+----+--------+
| id | groupname        | attribute      | op | value  |
+----+------------------+----------------+----+--------+
|  5 | engineeringadmin | Huntgroup-Name | == | admin  |
|  6 | engineeringadmin | Auth-Type      | := | Accept |




Re: Blank Password Problem

2010-01-21 Thread Alan Buxey
Hi,

> users: Matched entry DEFAULT at line 204
> ++[files] returns ok

What's on line 204 of your users file? The reason why I ask is because...

> rlm_pap: Found existing Auth-Type, not changing it.
> ++[pap] returns noop
>   rad_check_password:  Found Auth-Type Accept
>   rad_check_password: Auth-Type = Accept, accepting the user
> Login OK: [john.doe] (from client routerA port 1 cli 192.168.1.1)

See that? The system has been told that the Auth-Type is Accept.
The only place it picked that up from is the users file.

alan


Re: new ntlm_auth?

2010-01-21 Thread freeradius

At 04:49 PM 1/21/2010, Alan Buxey wrote:

> you should avoid just lurching your old configs across to new versions.
> best to start with a clean slate and then edit/add your logic as required


Perhaps. But having to rebuild everything to go from 2.1.7 to 2.1.8 
is excessive.



Rick



Re: new ntlm_auth?

2010-01-21 Thread Alan Buxey
Hi,

> If I just remove the exec from radiusd.conf (and configure the new
> ntlm_auth module) everything should be ok?

You should avoid just lurching your old configs across to new versions.
Best to start with a clean slate and then edit/add your logic as required.

(I've found that by keeping the old configs I've lost out on new features
and options and then got undone by, e.g., new logging methods. The same is
very much true with ISC DHCPD and BIND.)

You'll, of course, want to edit the module so that

/path/to/ntlm_auth actually points to your ntlm_auth binary too!

(I'm surprised this hasn't been set in the distro package, as
surely you'd be running the distro version of Samba, which is a required
dependency. Odd.)

alan



Blank Password Problem

2010-01-21 Thread Satyam Mathura
Guys,
I'm experiencing a strange problem. I use FreeRADIUS to control command-line
access to my routers and switches, and I've configured FreeRADIUS to use a
MySQL back-end. Thus far it works fine except for one condition: if I
supply a blank password when authenticating, FreeRADIUS allows the request
and authenticates me once my username is correct. Why is this happening? Is
there any way to have FreeRADIUS keep on prompting if a blank password is
supplied, or reject the request altogether?
Thanks for your help.
RADIUS debug is below:
Radius debug is below:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1645, id=215,
length=104
User-Name = "john.doe"
Reply-Message = "Password: "
User-Password = ""
NAS-Port = 1
NAS-Port-Id = "tty1"
NAS-Port-Type = Virtual
Calling-Station-Id = "192.168.1.1"
NAS-IP-Address = 192.168.1.1
+- entering group authorize
++[preprocess] returns ok
rlm_sql (sql): - sql_xlat
expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
expand: SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF
(SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"%{User-Name}")  -> SELECT groupname FROM radhuntgroup WHERE
nasipaddress="192.168.1.1" AND nasportid LIKE IF (SUBSTRING("tty1", 1, 3) =
'tty', 'tty', "tty1") AND usergroup IN (SELECT groupname FROM radusergroup
where username LIKE "john.doe")
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): - sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
expand: %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress="%{NAS-IP-Address}" AND nasportid LIKE IF
(SUBSTRING("%{NAS-Port-Id}", 1, 3) = 'tty', 'tty', "%{NAS-Port-Id}") AND
usergroup IN (SELECT groupname FROM radusergroup where username LIKE
"%{User-Name}") } -> admin
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "john.doe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry DEFAULT at line 204
++[files] returns ok
expand: %{User-Name} -> john.doe
rlm_sql (sql): sql_set_user escaped user --> 'john.doe'
rlm_sql (sql): Reserving sql socket id: 2
expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'john.doe'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id
-> SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'john.doe'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username =
'john.doe'   ORDER BY priority
expand: SELECT id, groupname, attribute,   Value,
op   FROM radgroupcheck   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   Value, op   FROM radgroupcheck   WHERE
groupname = 'engineeringadmin'   ORDER BY id
rlm_sql (sql): User found in group engineeringadmin
expand: SELECT id, groupname, attribute,   value,
op   FROM radgroupreply   WHERE groupname =
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname,
attribute,   value, op   FROM radgroupreply   WHERE
groupname = 'engineeringadmin'   ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [john.doe] (from client routerA port 1 cli 192.168.1.1)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 215 to 192.168.1.1 port 1645
Service-Type := Administrative-User
Cisco-AVPair := "shell:priv-lvl=15"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 215 with timestamp +9
Ready to process requests.
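The rows Satyam posted, and the reason the server accepted a blank password, as an added SQL example (not from the thread and not part of the FreeRADIUS project): it recreates the radgroupcheck rows, gives an audit query to find any stored Auth-Type override, and removes the one that bypasses password checking. It assumes the stock FreeRADIUS 2.x MySQL schema with the table and column names that appear in the debug output above (radcheck, radgroupcheck with auto-increment id); the literal "Accept" row is the one from the thread.

```sql
-- Added example, not from the thread or the FreeRADIUS project.
-- Assumes the stock FreeRADIUS 2.x MySQL schema (tables radcheck and
-- radgroupcheck, auto-increment id column).

-- 1. The rows as posted. ':=' on Auth-Type is a check item that *sets*
--    Auth-Type for every member of the group, and the Huntgroup-Name
--    condition only narrows which NAS it applies on. With Auth-Type forced
--    to Accept, rlm_pap logs "Found existing Auth-Type, not changing it"
--    and rad_check_password accepts without ever comparing User-Password,
--    which is exactly what the debug output above shows.
INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES
  ('engineeringadmin', 'Huntgroup-Name', '==', 'admin'),
  ('engineeringadmin', 'Auth-Type',      ':=', 'Accept');   -- the bypass

-- 2. Audit: every stored Auth-Type override, per user and per group.
--    Any row whose value is 'Accept' is a password bypass for that
--    user or group on whatever NAS the other check items allow.
SELECT 'radcheck'      AS src, username  AS name, op, value
  FROM radcheck      WHERE attribute = 'Auth-Type'
UNION ALL
SELECT 'radgroupcheck' AS src, groupname AS name, op, value
  FROM radgroupcheck WHERE attribute = 'Auth-Type';

-- 3. Fix: drop the override, keep the huntgroup restriction. Auth-Type is
--    then chosen by the server (rlm_pap from the user's password entry in
--    radcheck), so a blank or wrong password is rejected instead of being
--    short-circuited by a forced Accept.
DELETE FROM radgroupcheck
 WHERE groupname = 'engineeringadmin'
   AND attribute = 'Auth-Type'
   AND value     = 'Accept';

-- 4. Re-run the audit; expected result after the fix: 0.
SELECT COUNT(*) AS accept_overrides
  FROM radgroupcheck
 WHERE attribute = 'Auth-Type' AND value = 'Accept';
```

Run the audit (step 2) against any FreeRADIUS SQL back-end you inherit: an Auth-Type := Accept row is easy to miss because the user still "has" a password in radcheck, it is just never consulted. Removing the row restores password checking; it does not by itself make the huntgroup check a deny-by-default rule, which is the separate follow-up question raised later in this thread.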

Re: new ntlm_auth?

2010-01-21 Thread freeradius


I think that breaks most of the current instructions out there, since
the module seems to win out over what I have defined in radiusd.conf.
Heck, it breaks my 2.1.7 ones, and the wiki

If I just remove the exec from radiusd.conf (and configure the new
ntlm_auth module) everything should be ok?


Rick





Re: new ntlm_auth?

2010-01-21 Thread John Dennis

On 01/21/2010 02:31 PM, freerad...@corwyn.net wrote:

> Did the recent upgrade of freeradius2 add an ntlm_auth module?

Yes, 2.1.8 added ntlm_auth.

Unfortunately doc/ChangeLog omitted this.

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


new ntlm_auth?

2010-01-21 Thread freeradius
Did the recent upgrade of freeradius2 add an ntlm_auth module?

I'm now seeing:
Exec-Program output: Exec-Program: FAILED to execute /path/to/ntlm_auth: No such file or directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /path/to/ntlm_auth: No such file or directory
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [rsteeves] (from client 10.100.0.8 port 1 cli 10.20.31.17)

I went and looked, and there's an ntlm_auth module now where I don't
think there was one before...


I had/have ntlm_auth defined in radiusd.conf:

exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}


Rick



Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp




ldap machine accounts in good vlan

2010-01-21 Thread cd
Hello,

I have 2 Samba domains (with LDAP backend).

Machine accounts are stored in LDAP.

I want to assign VLANs according to the LDAP server:

machine$ stored in ldap_server_1 must go in VLAN1
machine$ stored in ldap_server_2 must go in VLAN2

What is the method to assign a VLAN on XP boot?




Re: RES: Re: Defining Reply-Message for Access-Reject Packets

2010-01-21 Thread EasyHorpak.com
Luiz Gustavo de Villa Scandelari wrote:
> Thu, 21 Jan 2010 10:02:48 +0700 EasyHorpak.com wrote:
> > An HTML attachment was scrubbed...
> > URL:
>
> Thanks so much EasyHorpak, it works now perfectly!
>
> LUIZ GUSTAVO DE VILLA SCANDELARI
> Skype: luiz.gustavo.wni

Add RESOLVED, man.

Please.

-- 
http://www.EasyHorpak.com
http://www.EasyZoneCorp.net
http://www.thai-school.net




RES: Re: Defining Reply-Message for Access-Reject Packets

2010-01-21 Thread Luiz Gustavo de Villa Scandelari
>Thu, 21 Jan 2010 10:02:48 +0700 EasyHorpak.com wrote:
>
>An HTML attachment was scrubbed...
>URL:


Thanks so much EasyHorpak, it works now perfectly!

LUIZ GUSTAVO DE VILLA SCANDELARI
Skype: luiz.gustavo.wni





Can't Assign IP address my users

2010-01-21 Thread Tevfik Ceydeliler

Hi Alan,
>  Also, the proxy isn't returning an IP address:

>> Wed Jan 20 10:01:07 2010 : Info: [main_pool] Could not find Pool-Name 
>> attribute.
>> Wed Jan 20 10:01:07 2010 : Info: ++[main_pool] returns noop

That log was taken from a test for a static IP.
Here is the log for a user who gets an IP address from the pool:

rad_recv: Access-Request packet from host 10.65.8.100 port 65401, id=2, 
length=56
User-Name = "tevfikceydeliler"
User-Password = "172932808506"
+- entering group authorize {...}
++[preprocess] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
-> /var/log/freeradius/radacct/10.65.8.100/detail-20100121
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/freeradius/radacct/10.65.8.100/detail-20100121
expand: %t -> Thu Jan 21 13:39:39 2010
++[detail] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tevfikceydeliler", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry tevfikceydeliler at line 216
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
+- entering group pre-proxy {...}
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
-> /var/log/freeradius/radacct/10.65.8.100/detail-20100121
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/freeradius/radacct/10.65.8.100/detail-20100121
expand: %t -> Thu Jan 21 13:39:39 2010
++[detail] returns ok
Sending Access-Request of id 236 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172932808506"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x32
Proxying request 1 to home server 10.1.1.51 port 1812
Sending Access-Request of id 236 to 10.1.1.51 port 1812
User-Name = "tevfikceydeliler"
User-Password = "172932808506"
NAS-IP-Address = 10.65.8.100
Proxy-State = 0x32
Going to the next request
Waking up in 0.9 seconds.
OK > rad_recv: Access-Accept packet from host 
10.1.1.51 port 1812, id=236, length=23
Proxy-State = 0x32
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
OK >++[main_pool] returns noop
expand: %{NAS-IP-Address} %{NAS-Port} -> 10.65.8.100 
OK >[birmas] MD5 on 'key' directive maps to: 
b6201c0efddb958ed955eb3c8b0d920a
[birmas] Searching for an entry for key: 'b6201c0efddb958ed955eb3c8b0d920a'
[birmas] Found a stale entry for ip: 172.30.64.95
[birmas] num: 0
rlm_ippool: Allocating ip to key: 'b6201c0efddb958ed955eb3c8b0d920a'
[birmas] num: 1
[birmas] Allocated ip 172.30.64.86 to client key: 
b6201c0efddb958ed955eb3c8b0d920a
++[birmas] returns ok
expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
-> /var/log/freeradius/radacct/10.65.8.100/detail-20100121
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands 
to /var/log/freeradius/radacct/10.65.8.100/detail-20100121
expand: %t -> Thu Jan 21 13:39:39 2010
++[detail] returns ok
++[exec] returns noop
OK >Sending Access-Accept of id 2 to 10.65.8.100 
port 65401
OK >Framed-IP-Address = 172.30.64.86
OK >Framed-IP-Netmask = 255.255.240.0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 2 with timestamp +44
Ready to process requests.

There is no manual on how to set up a user with a static IP address. Most
configurations use a password, but I use OTP (realm) as the password.
What changes when a user is moved from the pool to a static IP?

Tevfik Ceydeliler
  



The information contained in this e-mail and any files transmitted with it
are intended solely for the use of the individual or entity to whom they are
addressed and Yasar Group Companies do not accept legal responsibility for the
contents. If you are not the intended recipient, please immediately notify the
sender and delete it from your system.



Re: Can't Assign IP address my users

2010-01-21 Thread Tevfik Ceydeliler



Hi again,
Should the Framed-IP (assigned to the user) be in the main_pool in this case?

Alan DeKok wrote:
> Tevfik Ceydeliler wrote:
> > Hi Alan,
> > According to your suggestion I deleted "Packet-Type == Access-Request" (I
> > wrote the config according to the SecOvid manual),
>
>   The manual is wrong.
>
> > and I don't think that the problem is the home server, because the home
> > server accepts requests when the user's IP comes from the IP pool.
>
>   Read the debug output: the home server is rejecting the user.
>
>   Also, the proxy isn't returning an IP address:
>
> > Wed Jan 20 10:01:07 2010 : Info: [main_pool] Could not find Pool-Name
> > attribute.
> > Wed Jan 20 10:01:07 2010 : Info: ++[main_pool] returns noop
>
>   Go fix that.
>
>   Alan DeKok.





Re: EAP Session resumption && reply attributes

2010-01-21 Thread James J J Hooper



--On Thursday, January 21, 2010 10:05:36 AM + Alexander Clouter wrote:

> James J J Hooper wrote:
>
> > > How did you get around the "my policy rejects you now, but i've already
> > > sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
> > > EAP-Failure messages" issue... or are you just happily ignoring it/
> > > encouraging adoption of TTLS-PAP like I was? :)
> >
> > Our setup never changes its mind :-) Any valid credentials always get a
> > connection. ...only whether that connection is Internet/port
> > limited/captive redirect to web message server changes.
>
> Arran is probably referring to that with EAP TLS reauth you are actually
> using the authentication (and possibly authorisation) credentials from
> a previous session that can even be a few days prior.
>
> You might decide to do some user focused authorisation in the post-auth
> section[1], for example you might reject a user if their user account
> has been disabled, or if they are in the wrong group or maybe they have
> been a Bad Bad Boy(tm) :)
>
> You might then have them marked 'disabled' in your LDAP tree however the
> EAP-TLS reauth bit never gets that far, so you end up accepting them.

That's precisely what I meant, although I didn't explain it. If the
credentials were initially valid, for the life of the connecting device
being able to resume its session, we always send back an Access-Accept
(even if their account is now "disabled"). We then outer post-post auth to
put them in a suitable network. (i.e. Naughty users get only a WRD to say
so.)


-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
+44 (0)117 331 7080 (17080 internal)
--




Re: EAP Session resumption && reply attributes

2010-01-21 Thread Alexander Clouter
James J J Hooper wrote:
>
>> How did you get around the "my policy rejects you now, but i've already
>> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
>> EAP-Failure messages" issue... or are you just happily ignoring it/
>> encouraging adoption of TTLS-PAP like I was? :)
> 
> Our setup never changes its mind :-) Any valid credentials always get a 
> connection. ...only whether that connection is Internet/port 
> limited/captive redirect to web message server changes.
> 
Arran is probably referring to that with EAP TLS reauth you are actually 
using the authentication (and possibly authorisation) credentials from 
a previous session that can even be a few days prior.

You might decide to do some user focused authorisation in the post-auth 
section[1], for example you might reject a user if their user account 
has been disabled, or if they are in the wrong group or maybe they have 
been a Bad Bad Boy(tm) :)

You might then have them marked 'disabled' in your LDAP tree however the 
EAP-TLS reauth bit never gets that far, so you end up accepting them.

Again, another reason not to do user based authorisation. :)

Cheers

[1] or indirectly in the authentication section via an amended LDAP 
filter where you only authenticate against user objects where 
'accountdisabled=false' or something

-- 
Alexander Clouter
.sigmonster says: Your aim is high and to the right.



Session-timeout and expiration problem

2010-01-21 Thread Fazal Ahmed Malik
Hi,

I have installed FreeRADIUS 2.0 along with MySQL 5 and dialup_admin. I am
having trouble with Session-Timeout and Expiration. In dialup_admin I have the
correct information for both attributes, e.g. the user can log in for 0 seconds,
and similarly for Expiration the account has expired. But users can still log on
even after the expiration date has passed. For Session-Timeout the user gets
disconnected right after the allocated quota, but here again the user can log in.
Both attributes are set up from dialup_admin with the = operator for
Session-Timeout and := for Expiration.

Please help if i am missing some thing in config.


Best regards,


Fazal Ahmed

Re: EAP Session resumption && reply attributes

2010-01-21 Thread James J J Hooper

On 20/01/2010 23:36, Arran Cudbard-Bell wrote:
> On 1/17/2010 8:37 AM, Alexander Clouter wrote:
> > James J J Hooper wrote:
> > > In order to also return e.g. VLAN IDs (that could be computed from the
> > > inner User-Name in a non-session-resumption enabled config), I can move
> > > the config that sets the VLAN to the outer tunnel post-auth && ensure the
> > > inner tunnel sets:
> > > reply:outer User-Name to request:inner User-Name
> > > and then key my VLAN computation (in outer post-auth) from
> > > reply:User-Name.
> >
> > We have been doing authorisation depending on the outer layer since
> > summer.
>
> How did you get around the "my policy rejects you now, but i've already
> sent a tunneled success TLV in the TLS tunnel and you're now ignoring my
> EAP-Failure messages" issue... or are you just happily ignoring it/
> encouraging adoption of TTLS-PAP like I was? :)
>
> -Arran

Our setup never changes its mind :-) Any valid credentials always get a 
connection. ...only whether that connection is Internet/port 
limited/captive redirect to web message server changes.

This also avoids the 'wireless doesn't accept my password' queries at the 
helpdesk (which end up with the user messing around and perhaps turning 
off certificate validation to see if that "fixes it" etc). Instead 
facebook.com returns "you're a virus infected monster - use a different PC 
to read your email. We've sent you instructions" etc.


-James