Re: RADIUS reading LDAP attributes

2010-09-03 Thread Sigurd Foshaug
Thanks Alan,

I added a reply message item inside the authentication section which
expands the My-Local-LDAP-Comment attribute.
It now works as expected.

Thanks,
Sigurd

On Thu, Aug 26, 2010 at 11:53 AM, Alan DeKok wrote:

> Sigurd Foshaug wrote:
> > I have added the My-Local-LDAP-Comment into the raddb/dictionary file
> > like this:
> >
> > ATTRIBUTE   My-Local-LDAP-Comment   3000   string
> ...
> > Now, what I am failing to understand is how I can get the proxy server
> > to receive the My-Local-LDAP-Comment attribute from RADIUS,
>
>   Read the comments in the dictionary file that you edited.  They
> explain why that attribute is not being placed in a RADIUS packet.
>
> > Any suggestions on what to do, or which documentation to read would be
> > appreciated.
>
> $ man dictionary
>
>  This is documented.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

RE: detail configuration file: how to save lines

2010-09-03 Thread Stefan A.
Thank you, Alan,

that's what I've been looking for.



Regards
Stefan



>   read raddb/templates.conf
> 
>   Alan DeKok.


RE: Problem with rlm_perl

2010-09-03 Thread Nasser Heidari
I've done it in a test environment; the problem is that the same configuration is
not working under heavy load.
If the NAS does not send a MAC address, I update the request with a
.. mac, but in the production environment, for users who do not
have a MAC address, the RADIUS request gets updated with a wrong MAC that belongs
to another user!
Do you have any idea?


> -Original Message-
> From: freeradius-users-bounces+nasser=rasana@lists.freeradius.org
> [mailto:freeradius-users-bounces+nasser=rasana@lists.freeradius.org]
> On Behalf Of Alan DeKok
> Sent: Friday, September 03, 2010 18:20
> To: FreeRadius users mailing list
> Subject: Re: Problem with rlm_perl
> 
> Nasser Heidari wrote:
> > I wanted to capture users' MAC addresses, so I've added a Perl module,
> > and after parsing the cisco-av-pair attribute, I save it to the DB.
> > In a normal situation everything works like a charm, but in some cases,
> > if the NAS doesn't send the mac-address attribute, I expect to save a
> > .. mac address in the DB, but with no success.
> > There is a condition where I check if the mac-address attribute exists in
> > the request or not; if it exists it's ok, if not it should update the request
> > with a .. mac address.
> 
>   This can be done in the Perl script.  Just check if the attribute
> exists in the request hash.
> 
>   Alan DeKok.


Re: Configure PEAP on FreeRadius using openssl.

2010-09-03 Thread Alan DeKok
Stephane Brodeur wrote:
> I am trying to configure FreeRADIUS for the PEAP authentication method.

  In 2.1, just install the server and start as root: "radiusd -X"

> I am using the following link to set up the FreeRADIUS server:
> 
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

  Hmm... that's pretty old, and out of date.  See my web page:

http://deployingradius.com

> I also would like to know if we can use something equivalent to the CA.all
> script and how we can modify eap.conf accordingly. Any information on
> what the CA.all script or any equivalent is all about would also be really
> helpful.

  See raddb/certs/README

  Alan DeKok.


Re: ..::Block username after 3 failed authentications::..

2010-09-03 Thread Alfonso Alejandro Reyes Jiménez

 Great, thanks for your advice.

On 03/09/2010 04:32 p.m., Alan DeKok wrote:

> Alfonso Alejandro Reyes Jiménez wrote:
> > Hi Everyone.
> >
> > I was wondering if there's some way to block brute force attacks, for
> > example block the username after 3 invalid password attempts.
> >
> > Is this possible? If it's possible, how?
>
>   Store password tries in a database, and reject the user if he tries
> more than 3 logins within a time.
>
>   i.e. store data in a database.  FreeRADIUS is not a database.  Make
> FreeRADIUS put information into the database, and read information from
> the database.
>
>   Alan DeKok.



Re: ..::Block username after 3 failed authentications::..

2010-09-03 Thread Alan DeKok
Alfonso Alejandro Reyes Jiménez wrote:
>  Hi Everyone.
> 
> I was wondering if there's some way to block brute force attacks, for
> example block the username after 3 invalid password attempts.
> 
> Is this possible? If it's possible, how?

  Store password tries in a database, and reject the user if he tries
more than 3 logins within a time.

  i.e. store data in a database.  FreeRADIUS is not a database.  Make
FreeRADIUS put information into the database, and read information from
the database.

  Alan DeKok.
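Alan's answer written out as an added worked example for FreeRADIUS 2.1.x (not configuration from this thread): the sql module records every Access-Reject in the stock radpostauth table, and a condition in authorize rejects a user once three rejects have accumulated in a window. It assumes rlm_sql with the stock MySQL schema and stock postauth_query; the limit of 3 is from the question, the 15-minute window is an assumed value.

```unlang
#  sites-enabled/default, FreeRADIUS 2.1.x.  Added example, not from the
#  thread.  Only the parts of "authorize" and "post-auth" that matter are
#  shown; the rest of each section stays as shipped.
#
#  Assumed: rlm_sql is configured with the stock MySQL schema and the
#  stock postauth_query, which inserts (username, pass, reply, authdate)
#  into radpostauth for every packet the "sql" module sees in post-auth.
#  The limit of 3 is from the question; the 15-minute window is assumed.

authorize {
	preprocess
	chap
	mschap
	suffix

	#  Read side.  %{sql:...} runs the query and expands to the first
	#  column of the first row.  The sql module escapes the expanded
	#  attributes for the database, so a User-Name containing a quote
	#  cannot break out of the literal.  If the query fails, the
	#  expansion is empty and compares as 0, so a database outage does
	#  not turn into a lockout of everyone.
	if (User-Name && ("%{sql:SELECT COUNT(*) FROM radpostauth WHERE username = '%{User-Name}' AND reply = 'Access-Reject' AND authdate > DATE_SUB(NOW(), INTERVAL 15 MINUTE)}" >= 3)) {
		#  Locked out: stop before any password is looked up or
		#  checked, and send no Reply-Message that would tell the
		#  client whether the account exists.
		reject
	}

	eap
	files
	sql
	expiration
	logintime
	pap
}

post-auth {
	#  Write side for accepts: stock behaviour.
	sql

	Post-Auth-Type REJECT {
		#  Write side for rejects.  The stock config only filters
		#  the reply here; adding "sql" is what makes failed
		#  attempts visible to the count above.
		sql
		attr_filter.access_reject
	}
}
```

The stock postauth_query also writes the attempted password into the pass column; the queries are plain text in sql.conf, so drop that column from the INSERT before keeping a table of failed attempts around. Counting rejects per username also lets anyone who knows a username lock it for the window, which is the usual cost of this kind of lockout.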


Re: detail configuration file: how to save lines

2010-09-03 Thread Alan DeKok
Stefan A. wrote:
> I have a detail configuration file, which has several sections for different
> files, to be handled by different listeners.
> 
> As the NASes are GGSNs, which send more than 40 attributes, I will
> save space on the HD and remove unneeded attributes using suppress.
> Do I have to put every attribute in every detail-x configuration area, or is
> there a kind of template to do this?

  read raddb/templates.conf

  Alan DeKok.


Re: Logging ntlm authentication

2010-09-03 Thread Alan DeKok
Sion wrote:
> This had actually crossed my mind but I had tried testing this in the
> post-auth section as well.
> 
> What section should I do this in? Would something like this work?
> 
> update outer {
>     MS-CHAP-Error = "%{reply:MS-CHAP-Error}"
> }

  You need to refer to a *list*: outer.reply, or outer.control.  See
"man unlang", which has examples.

  Alan DeKok.


Re: LDAP Data Mangling

2010-09-03 Thread Alan DeKok
Kevin Ehlers wrote:
> Is it possible to modify attributes returned from ldap?  E.g. We're
> trying to do wpa-enterprise with peap-mschapv2.  We store our nt hash
> passwords as "{nthash}" instead of "{nt}".  It looks like
> the mschap module doesn't auto-detect the hash-type correctly, and says
> that it never received a valid password hash.  All authentication fails
> at this point.

  The PAP module is the one which does the password mangling.

> We store it as {nthash} because that's what our other radius servers
> (radiator) expect to see.

  I can add the {nthash} format for 2.1.10.  In the mean time, try
putting this into the "authorize" section, just before the "pap" module:

if (control:User-Password =~ /^[{]nthash[}](.*)/) {
	#  The braces sit in bracket expressions: a bare "{" right after
	#  "^" is rejected as an invalid repetition by POSIX ERE regcomp.
	update control {
		User-Password := "{nt}%{1}"
	}
}

  Alan DeKok.


Re: Freeradius Authentication

2010-09-03 Thread Alan DeKok
jorge88 wrote:
> Is it possible to configure freeradius to consult users in two different
> tables within the same database?

  Yes.

> Otherwise, is it possible to associate a user name to a NAS so it will not
> be logging in from another NAS differently?

  Yes.

  The SQL queries are text, and editable for precisely this reason: you
can go edit them to do what you want.

  Alan DeKok.


Re: Best Authentication Method for Various Supplicant

2010-09-03 Thread Alexander Clouter
homyang cha wrote:
>
> Now my issues are: in my networks there are various kinds of OS 
> running for supplicants. To name a few are Windows XP (SP2, SP3), 
> Windows Vista, Windows 7, Fedora, CentOS, Ubuntu and Mac OS X. I have 
> to configure AAA applicants systems in such a way that all these systems are 
> supported. Can someone help me suggest or have any idea/experience on 
> this? What could be the best authentication method that I can use so 
> that all these supplicants using different OS are supported. Also I use 
> wired connection as well as wireless connection in the network. Can 
> anybody throw some light on this matter?
> 
Here is a summary of my five years of experience being a network 
analyst at a UK university... :)  Mac OS X and Linux are really trivial 
and it is hard to write much about them, it is Microsoft that 
unsurprisingly once again excel at causing us so much pain.

For Windows XP[1]/Vista/Win7 you have two options:
 * PEAP
 * TTLS - involves purchasing SecureW2[3]

PEAP might seem appealing as it is built into Windows, however by the 
sounds of things all the workstations connecting are not part of your 
Microsoft AD (like ours) and so you cannot push out a group policy 
autoconfiguring everyone's equipment.  This means you (or rather your 
helldesk minions) have to manually configure every workstation by hand 
which can lead to corners being cut (skipping certificate validation) 
and misconfiguration.

Until recently there was no way to avoid this nasty choice of either AD 
importing or manual configuration.  Fortunately, one of my counterparts 
working also in academentia put together a collection of scripts/tools 
and called it SU1X[4] that lets you autoconfigure PEAP behind a single 
EXE.

TTLS with SecureW2 is the other option and from day one let you pre-seed the 
configuration so that everything got configured plus the handy popups 
and full customisation can be a nice touch if that sort of thing floats 
your boat, or rather your boss's.  Of course, SecureW2 comes with a 
price tag, we personally think a *very* good one when you think of the 
money in hours saved in your helpdesk team costs.  Things get even 
better when you wrap the lot up in a NSIS script like we have[5].

There is actually a technical reason that might force you to choose 
between PEAP and TTLS which boils down to how your passwords were stored 
in your backend database.  If you have an LDAP backend only (where the 
plaintext password is not extractable) then TTLS/PAP is really your 
*only* option.  If you have a Microsoft AD backend for your user 
accounts, then you can use PEAP/MS-CHAPv2 (or TTLS/MS-CHAPv2).

Originally we only had an LDAP backend database, but then 'upgraded' to 
using Novell's Universal Password so now we no longer have the TTLS 
constraint and can now offer TTLS/MS-CHAPv2 (but we actually choose 
*not* to offer PEAP).

So, why pick one or the other, technical reasons only.  SecureW2 handles 
certificate chaining a *lot* better than the PEAP and due to its 
commercial nature it's hard for the helpdesk to cut corners and *not* 
use your official hand crafted blessed installer as they cannot source 
their own copy.  PEAP however will offer you Statement of Health; 
speaking to the SecureW2 author though he is keen to work on adding 
support for this.  One other win for SecureW2 is you get GTC support 
too, so you can do fancy things like use one time passwords (the 
changing key is generated by your mobile phone) which works nicely too; 
well it would work nicely if Alan accepted trivial patches to the GTC 
FreeRADIUS module (along with the LDAP one I posted...) 

Lucky for you SU1X is free to play with and you can also get a fully 
enabled trial for free of SecureW2 (man, I must sound like a sales 
droid).  Play with both and decide what you prefer.

As for the Mac OS X weenies I noticed as soon as I enabled 
TTLS/MS-CHAPv2 they (including the iPhones, iPads and iPods) started to 
automatically configure themselves.  No idea what they are like when 
confronted with PEAP but they would not autoconfigure TTLS/PAP :-/

The Linux users, well we are fine, you can see what we do destructions 
wise on our support website[6].  One of our students is slowly getting 
around to testing amendments I suggested to the Wicd template that 
should improve things further; I myself am a Debian wpa_supplicant kinda 
person.

As for your last question regarding simultaneous wired and wireless 
access, look around the Internet and read up about 'routing metrics'.  
In short, make your wifi link have a higher (lower priority) routing 
metric; although this overlooks source based routing issues but that is 
not a FreeRADIUS problem or an issue that should be discussed here.

If you have any more questions then do ask.

Cheers

[1] I strongly recommend you just say no to SP2, hell Microsoft will no 
longer support it so why should you.  However, if you insist on 
punishing yourself make sure you fo

Configure PEAP on FreeRadius using openssl.

2010-09-03 Thread Stephane Brodeur

Hi,


I am trying to configure FreeRADIUS for the PEAP authentication method. I am 
using the following link to set up the FreeRADIUS server:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

This document indicates that the file radiusd.conf should include the 
following entry:

authtype = MS-CHAP

It also refers to the utilization of the CA.all script.

The version of FreeRADIUS running on version 5.5 does not have any entry for 
authtype = MS-CHAP in the radiusd.conf file and does not have the CA.all script.

Is there anybody kind enough to tell me whether it is possible that my version of 
FreeRADIUS (I do not know how to find it) does not need the authtype = MS-CHAP 
entry in the radiusd.conf file?


I also would like to know if we can use something equivalent to the CA.all script 
and how we can modify eap.conf accordingly. Any information on what the CA.all 
script or any equivalent is all about would also be really helpful.

Thanks
Stephane

..::Block username after 3 failed authentications::..

2010-09-03 Thread Alfonso Alejandro Reyes Jiménez

 Hi Everyone.

I was wondering if there's some way to block brute force attacks, for 
example block the username after 3 invalid password attempts.


Is this possible? If it's possible, how?

Thanks in advance.

Regards.

Alfonso.


Re: ..::Huntgroup Issues::..

2010-09-03 Thread Alfonso Alejandro Reyes Jiménez
 Thanks, now it's working. I was trying to authenticate with the 
localhost; when I tried to use the device everything works great.


Thanks for your help.

Regards.

Alfonso.

On 03/09/2010 06:18 a.m., Carlos Eduardo Tavares Terra wrote:

Maybe the problem is here:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139, 
length=58

User-Name = "steve2"
User-Password = "testing"
*NAS-IP-Address = 192.168.2.251*
NAS-Port = 10



2010/9/1 Alfonso Alejandro Reyes Jiménez:


Thanks for the advice to everyone.

As per your recomendation we changed the users file with the
following line:

steve2	Cleartext-Password := "testing", Huntgroup-Name == "arcsight"

but we got the same result access-reject.

And we got the following output:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729,
id=139, length=58
User-Name = "steve2"
User-Password = "testing"
NAS-IP-Address = 192.168.2.251
NAS-Port = 10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "steve2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop

[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> steve2
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 139 to 127.0.0.1 port 6729
Waking up in 4.9 seconds.
Cleaning up request 0 ID 139 with timestamp +5

I have a question: we removed the authentication value and the debug
shows that it is looking for it, why is that?

Maybe someone that has the huntgroups running can send the
examples of the users and huntgroups files, that may help a lot.

Thanks in advance.

Regards

Alfonso.

On 24/08/2010 04:46 a.m., Alan DeKok wrote:

Alfonso Alejandro Reyes Jiménez wrote:

Hi, I'm trying to use the huntgroup feature on the freeradius software
with out luck. I think I'm missing something that's why I'm sending this
email maybe you can help me.

   You should read the debug output of the server.  The answer is in there.


users file at the end:

alfonso	Auth-Type := Local, User-Password == "testing", Huntgroup-Name == "squid"

  Don't set Auth-Type.  Use "Cleartext-Password := ...", and not
"User-Password == ..."


Here's the output of the debug, it seems that it doesn't find the config
file.

   No.  It finds the DEFAULT entry earlier in the file.

   Why?  This is documented.  Read the comments at the top of the "users"
file.  Read the "man users" page.  Read the FAQ for an example of how to
configure a test user.

   Alan DeKok.






--
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
Consultor em Administração de Redes Linux
GNU/Linux #413291 [http://counter.li.org]

detail configuration file: how to save lines

2010-09-03 Thread Stefan A.
I have a detail configuration file, which has several sections for different
files, to be handled by different listeners.

As the NASes are GGSNs, which send more than 40 attributes, I will
save space on the HD and remove unneeded attributes using suppress.
Do I have to put every attribute in every detail-x configuration area, or is
there a kind of template to do this?

Thank you.


detail detail-2 {
	detailfile = /var/log/acctopus/archive/2/detail.log
	detailperm = 0600
	dirperm = 0755
	locking = yes
	suppress {
		User-Password
		NAS-Port
		... some more
	}
}

detail detail-3 {
	detailfile = /var/log/acctopus/archive/3/detail.log
	detailperm = 0600
	dirperm = 0755
	locking = yes
	suppress {
		User-Password
		NAS-Port
		... some more
	}
}

detail detail-3 {
	detailfile = /var/log/acctopus/archive/3/detail.log
	detailperm = 0600
	dirperm = 0755
	locking = yes
	suppress {
		User-Password
		NAS-Port
		... some more
	}
}

Some more detail-x files





Regards
Stefan




Re: Freeradius not unescaping \ and "

2010-09-03 Thread Murray Long
Ok, debug logs and config files are attached.

It looks like the problem could be with rlm_perl, as the proxying
happens correctly if we disable the perl module completely.
However, even with no logic happening in the perl script, additional
\'s are added to the attributes.

Please see the attached log of a login attempt for
Username: "murray/A\"
Password: "A\"

which is eventually proxied as
    User-Name = "A"
    User-Password = "A"

Thanks,
Murray

On Fri, Sep 3, 2010 at 3:33 PM, Alan DeKok wrote:
>
> Murray Long wrote:
> > I am running the latest version provided by Ubuntu, 2.1.8+dfsg-1ubuntu1
> > Is this not considered recent?
> > I will try 2.1.9 from the freeradius site and see how that goes.
>
>  Well.. it works in the current 2.1.x branch.
>
>  How about posting debug logs?
>
>  Alan DeKok.


FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
main {
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log sectiong {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
	log_auth = no
	log_auth_badpass = no
	log_auth_goodpass = no
	log_stripped_names = no
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 realm murray {
	authhost = 10.0.0.101:1812
	accthost = 10.0.0.101:1813
	secret = secret
 }
 realm NULL {
 }
 realm default {
 }
 realm default {
 } # realm default
radiusd:  Loading Clients 
 client 0.0.0.0/0 {
	require_message_authenticator = no
	secret = "secret"
	shortname = "swak"
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = yes
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
	module = "/etc/freeradius/perl_module.pm"
	func_authorize = "authorize"
	func_authenticate = "authenticate"
	func_accounting = "accounting"
	func_preacct = "preacct"
	func_checksimul = "checksimul"
	func_detach = "detach"
	func_xlat = "xlat"
	func_pre_proxy = "pre_proxy"
	func_post_proxy = "post_proxy"
	func_post_auth = "post_auth"
	func_recv_coa = "recv_coa"
	func_send_coa = "send_coa"
  }
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = "crypt"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = "/etc/freeradius/huntgroups"
	hints = "/etc/freeradius/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating realm_prefix
  realm realm_prefix {
	format = "prefix"
	delimiter = "/"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = "/var/log/freeradius/radacct/%{NAS-Identifier}/%Y-%m-%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd:  Opening IP addresses and Ports 
listen {
	type = "auth"
	ipaddr = *
	port = 1812
}
listen {
	type = "acct"
	ipaddr = *
	port = 1813
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 18

Re: Logging ntlm authentication

2010-09-03 Thread Sion
On Fri, Sep 3, 2010 at 4:25 PM, Alan DeKok wrote:
> Sion wrote:
>> That was one of the first things I did after reading the debug output
>> originally - I've got 'linelog' in the post-auth section of the
>> "inner-tunnel" in addition to the "default" virtual server.
>
>  The post-auth section of "inner-tunnel" isn't used, unfortunately.

Ahh ok, that explains it.

>
>> If I take
>> linelog completely out of the default virtual server so that it's only
>> defined in the post-auth of the inner-tunnel no log is generated at
>> all.
>
> $ man unlang
>
>  You can use the inner-tunnel config to update the outer attributes,
> and then log them in the outer virtual server.

This had actually crossed my mind but I had tried testing this in the
post-auth section as well.

What section should I do this in? Would something like this work?

update outer {
   MS-CHAP-Error = "%{reply:MS-CHAP-Error}"
}

>
>  Alan DeKok.


LDAP Data Mangling

2010-09-03 Thread Kevin Ehlers
Hi,

Is it possible to modify attributes returned from ldap?  E.g. We're
trying to do wpa-enterprise with peap-mschapv2.  We store our nt hash
passwords as "{nthash}" instead of "{nt}".  It looks like
the mschap module doesn't auto-detect the hash-type correctly, and says
that it never received a valid password hash.  All authentication fails
at this point.

We store it as {nthash} because that's what our other radius servers
(radiator) expect to see.

I searched the archives, but was unable to find anything about that.

Thanks,

-- 
Kevin Ehlers
Network Engineer
University of Oregon


Re: Logging ntlm authentication

2010-09-03 Thread Alan DeKok
Sion wrote:
> That was one of the first things I did after reading the debug output
> originally - I've got 'linelog' in the post-auth section of the
> "inner-tunnel" in addition to the "default" virtual server.

  The post-auth section of "inner-tunnel" isn't used, unfortunately.

> If I take
> linelog completely out of the default virtual server so that it's only
> defined in the post-auth of the inner-tunnel no log is generated at
> all.

$ man unlang

  You can use the inner-tunnel config to update the outer attributes,
and then log them in the outer virtual server.

  Alan DeKok.


Freeradius Authentication

2010-09-03 Thread jorge88

Good afternoon,

I wanted to make the following question to see if someone can help me.

Is it possible to configure freeradius to consult users in two different
tables within the same database?

Otherwise, is it possible to associate a user name to a NAS so it will not
be logging in from another NAS differently?

Thank you very much


Best Authentication Method for Various Supplicant

2010-09-03 Thread homyang cha
Hello
I am running freeradius-2.17 on a CentOS-5.5 box with mysql-5.0.77 as backend
and daloradius-0.9-8 as the web management. I have successfully configured
and tested EAP-MD5, PEAP and PAP authentication using Windows 7 as supplicant
with wired 802.1x authentication (no certificates used) and NAS as a Huawei
Switch (Quidway S5600 Series) and it seems to be working fine.

Now my issues are: in my networks there are various kinds of OS running for
supplicants. To name a few are Windows XP (SP2, SP3), Windows Vista, Windows
7, Fedora, CentOS, Ubuntu and Mac OS X. I have to configure AAA applicants
systems in such a way that all these systems are supported. Can someone help me
suggest or have any idea/experience on this? What could be the best
authentication method that I can use so that all these supplicants using
different OS are supported. Also I use wired connection as well as wireless
connection in the network. Can anybody throw some light on this matter?

Thanks in Advance

-- 
homyang (aka puran)

Re: Logging ntlm authentication

2010-09-03 Thread Sion
On Fri, Sep 3, 2010 at 3:32 PM, Alan DeKok wrote:
> Sion wrote:
>> Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:
>
>  Reading it helps.
>
>  The MS-CHAP-Error is in the "inner-tunnel" virtual server.  You are
> trying to log it in the "default" virtual server.

That was one of the first things I did after reading the debug output
originally - I've got 'linelog' in the post-auth section of the
"inner-tunnel" in addition to the "default" virtual server. If I take
linelog completely out of the default virtual server so that it's only
defined in the post-auth of the inner-tunnel no log is generated at
all.

>
>  Alan DeKok.


Re: Logging ntlm authentication

2010-09-03 Thread Alan DeKok
Sion wrote:
> Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:

  Reading it helps.

  The MS-CHAP-Error is in the "inner-tunnel" virtual server.  You are
trying to log it in the "default" virtual server.

  Alan DeKok.


Re: Logging ntlm authentication

2010-09-03 Thread Sion
On Fri, Sep 3, 2010 at 12:58 PM, Alan DeKok wrote:
> Sion wrote:
>> That's what I thought, but in my linelog log it shows it being empty.
>
>  The MS-CHAP-Error is in the reply.
>
>> I've tried putting 'linelog' in the post-auth sections of both the
>> default and inner-tunnel virtual servers but no joy. Am I missing
>> something obvious here?
>
>  See the "Post-Auth-Type Reject" block, too.
>

Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:

rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=9, length=181
User-Name = "anonymous"
Calling-Station-Id = "00-1B-77-94-57-72"
Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
NAS-Port = 29
NAS-IP-Address = 192.168.196.13
NAS-Identifier = "llwacA105"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "115"
EAP-Message = 0x0205000e01616e6f6e796d6f7573
Message-Authenticator = 0xe0aee197f906702cbcedda8c6fce7ab1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 9 to 192.168.196.13 port 32768
EAP-Message = 0x010600061920
Message-Authenticator = 0x
State = 0x70163a6b70102318926cb2671448dd5c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=10, length=312
User-Name = "anonymous"
Calling-Station-Id = "00-1B-77-94-57-72"
Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
NAS-Port = 29
NAS-IP-Address = 192.168.196.13
NAS-Identifier = "llwacA105"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "115"
EAP-Message =
0x0206007f198000751603010070016c03014c80fc7750fabd6450dcb77c4605cbaab73a3c1e43bf175cfcee437c8275d0e118002f00350005000ac013c014c009c00a0032003800130004012b001700151264617573657268656c706465736b74657374000a0006000400170018000b00020100
State = 0x70163a6b70102318926cb2671448dd5c
Message-Authenticator = 0x1b3669861698384d471a2c44b8a9fda0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 127
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e5], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 10 to 192.168.196.13 port 32768
EAP-Message =
0x0107040019c00722160301002a022603014c80fc77269f43ae3e8f7344872f86f6066a22b315bdeaa4d71d1033ca071d722f0016030106e50b0006e10006de0003c1308203bd30820326a0030201020210571735f114d0297747dec8e1dc855028300d06092a864886f70d01010505003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e67206363

Re: Problem with rlm_perl

2010-09-03 Thread Alan DeKok
Nasser Heidari wrote:
> I wanted to capture users mac address, so I've added a perl module , and
> after parsing cisco-av-pair attribute , I save it to DB.
> In normal situation everything works like a charm , but in some cases,
> If NAS doesn't send mac-address attribute, I expect to save a
> .. mac address in DB , but no success.
> There is a condition that I check if mac-address attribute exists in
> request or not, if exist it's ok , if not it should update request with
> a .. mac address.

  This can be done in the Perl script.  Just check if the attribute
exists in the request hash.

  Alan DeKok.
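An added example of the check Alan describes, written as an rlm_perl authorize hook; it is not from this thread or from FreeRADIUS's own example.pl. It assumes the NAS carries the MAC as client-mac-address=xxxx.xxxx.xxxx inside Cisco-AVPair, stores the result in a hypothetical local attribute Client-MAC-Address, uses a placeholder where the thread elides the fallback value, and leaves out the DB write from the original module.

```perl
use strict;
use warnings;

# Hashes rlm_perl fills for each request (as in rlm_perl's example.pl).
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes, numbered as in rlm_perl's example.pl.
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

# Placeholder for the fallback value the thread shows only as "..".
use constant FALLBACK_MAC => '00:00:00:00:00:00';

# Pull "client-mac-address=xxxx.xxxx.xxxx" out of Cisco-AVPair (assumed
# format). rlm_perl hands a multi-valued attribute over as an array ref
# and a single value as a plain scalar, so both shapes are accepted.
sub mac_from_avpairs {
    my ($avpair) = @_;
    my @pairs = ref $avpair eq 'ARRAY' ? @{$avpair} : ($avpair);
    for my $p (@pairs) {
        next unless defined $p;
        if ($p =~ /^client-mac-address=([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$/i) {
            # Normalise the Cisco dotted form to colon-separated lower case.
            return lc join ':', unpack '(A2)*', "$1$2$3";
        }
    }
    return;   # no usable av-pair in this request
}

sub authorize {
    # Everything here is lexical to this call, so nothing can carry over
    # from one request to the next.
    my $mac;
    if (exists $RAD_REQUEST{'Cisco-AVPair'}) {
        $mac = mac_from_avpairs($RAD_REQUEST{'Cisco-AVPair'});
    }

    # NAS sent no av-pair, or none carrying a MAC: use the fallback instead.
    $mac = FALLBACK_MAC unless defined $mac;

    # Hand the result back to the server. Client-MAC-Address is a
    # hypothetical local dictionary attribute, not one from this thread.
    $RAD_REQUEST{'Client-MAC-Address'} = $mac;
    return RLM_MODULE_UPDATED;
}
```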


Re: Freeradius not unescaping \ and "

2010-09-03 Thread Alan DeKok
Murray Long wrote:
> I am running the latest version provided by Ubuntu, 2.1.8+dfsg-1ubuntu1
> Is this not considered recent?
> I will try 2.1.9 from the freeradius site and see how that goes.

  Well.. it works in the current 2.1.x branch.

  How about posting debug logs?

  Alan DeKok.


Problem with rlm_perl

2010-09-03 Thread Nasser Heidari
Dear Folks,

Apologies for previous unwanted / half complete email,

We are using a perl module to record and save clients' MAC addresses to DB.
In situations where cisco-av-pair is not included in the RADIUS packet, we
are replacing it with ... Everything is working just fine in the
test environment but when running on production servers the recorded MAC
address for those clients without the cisco-av-pair attribute in their
packet is not .. but a wrong MAC which belongs to
another packet received seconds ago. We even captured all the RADIUS
traffic sent from NASes and replayed it in our test environment but
everything was working fine again. The only difference is our test
environment is 32bit and production is 64bit. We even suspect something
wrong with 32/64 bit or a threading issue with the perl module on 64 bit
platform. Has anyone seen something like this before, or is there anything
special regarding 64bit / perl multi-threading?

Current version:

radiusd: FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu,
built on Mar 31 2010 at 00:14:28

We also have perl compiled with multi-threading support : v5.8.8 built
for x86_64-linux-thread-multi

best regards,



Problem with rlm_perl

2010-09-03 Thread Nasser Heidari
Dear Folks,


I'm using a perl module to record and save clients' MAC addresses to DB. In
situations where cisco-av-pair is not included in the RADIUS packet, I'm
replacing it with ... Everything is working just fine in the
test environment but when running on production servers the recorded MAC
address for those clients without the cisco-av-pair attribute in their
packet is not .. but a wrong MAC which belongs to
another packet received seconds ago. We even captured all the RADIUS
traffic sent from NASes and replayed it in our test environment but



I wanted to capture users' MAC addresses, so I've added a perl module, and
after parsing the cisco-av-pair attribute, I save it to DB.
In normal situations everything works like a charm, but in some cases,
if the NAS doesn't send the mac-address attribute, I expect to save a
.. mac address in DB, but with no success.
There is a condition where I check if the mac-address attribute exists in the
request or not; if it exists it's ok, if not it should update the request with
a .. mac address.



Re: Freeradius not unescaping \ and "

2010-09-03 Thread Murray Long
I am running the latest version provided by Ubuntu, 2.1.8+dfsg-1ubuntu1
Is this not considered recent?
I will try 2.1.9 from the freeradius site and see how that goes.
-Murray


On Fri, Sep 3, 2010 at 2:03 PM, Alan DeKok wrote:

> Murray Long wrote:
> > If I attempt a login with username "A\" the first freeradius server
> > receives packets with User-Name attribute = "A\\" and sends a packet to
> > the second radius server with User-Name attribute = "A"  (as
> > reported by wireshark)
>
>   Upgrade to a recent version of the server.
>
>  Alan DeKok.

Re: Freeradius not unescaping \ and "

2010-09-03 Thread Alan DeKok
Murray Long wrote:
> If I attempt a login with username "A\" the first freeradius server
> receives packets with User-Name attribute = "A\\" and sends a packet to
> the second radius server with User-Name attribute = "A"  (as
> reported by wireshark)

  Upgrade to a recent version of the server.

  Alan DeKok.


Re: Logging ntlm authentication

2010-09-03 Thread Alan DeKok
Sion wrote:
> That's what I thought, but in my linelog log it shows it being empty.

 The MS-CHAP-Error is in the reply.

> I've tried putting 'linelog' in the post-auth sections of both the
> default and inner-tunnel virtual servers but no joy. Am I missing
> something obvious here?

  See the "Post-Auth-Type Reject" block, too.

  Alan DeKok.
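As an added example, not from this thread or from the FreeRADIUS distribution, this is how the two hints above fit together for a PEAP/MSCHAPv2 failure: the module name, filename and format fields are taken from the linelog config Sion posted in this thread, MS-CHAP-Error is read from the reply list explicitly, and linelog is also listed in the Post-Auth-Type REJECT block of sites-available/inner-tunnel, because a rejected request runs that block instead of the main post-auth list.

```text
# modules/linelog (added example, fields from the config posted in this
# thread, shortened; the list holding MS-CHAP-Error is named explicitly)
linelog {
    filename = ${logdir}/linelog
    # %{MS-CHAP-Error} on its own looks in the request list, where the
    # attribute never is; the mschap module puts it in the reply list.
    format = "%S\t%{reply:Packet-Type}\t%{User-Name}\t%{Calling-Station-Id}\t%{reply:MS-CHAP-Error}"
}

# sites-available/inner-tunnel (added example): the inner MS-CHAPv2
# exchange is where mschap fails, and a failure runs only the REJECT
# sub-section of post-auth, so linelog has to be listed there as well.
post-auth {
    linelog

    Post-Auth-Type REJECT {
        # Placed before attr_filter so the reply list being logged is
        # the one mschap produced, not the filtered one.
        linelog
        attr_filter.access_reject
    }
}
```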


Re: Logging ntlm authentication

2010-09-03 Thread Sion
On Fri, Sep 3, 2010 at 11:47 AM, Alan DeKok  wrote:
>
> Sion wrote:
> > I've got freeradius 2.1.7 setup on a CentOS system working as an AAA
> > server for our WPA Enterprise based wireless network with clients
> > successfully authenticating using PEAP and TTLS. Now to my question,
> > I've configured linelog to log certain attributes but I also want it to
> > log either the Exec-Program output of ntlm_auth or the peap reply value
> > for the MS-CHAP-Error attribute but so far I've been unsuccessful in
> > doing this. Is this possible? if so can anybody give me any pointers?
>
>  You can't log the ntlm_auth output.  If it's important for you, write
> a shell script wrapper around the problem.
>
>  For MS-CHAP-Error, it's just an attribute.  You can log it, just like
> any other attribute.
>

That's what I thought, but in my linelog log it shows it being empty.
I've tried putting 'linelog' in the post-auth sections of both the
default and inner-tunnel virtual servers but no joy. Am I missing
something obvious here?

If it helps, my linelog config is as follows

linelog {
filename = ${logdir}/linelog
format =
"%S\t%{reply:Packet-Type}\t%{User-Name}\t%{Calling-Station-Id}\t%{Called-Station-Id}\t%{NAS-Identifier}\t%{Packet-Src-IP-Address}\t%{reply:Reply-Message}\t%{MS-CHAP-Error}\t%{reply:Tunnel-Type}
%{reply:Tunnel-Private-Group-Id}"
}

>  Alan DeKok.



Freeradius not unescaping \ and "

2010-09-03 Thread Murray Long
I have the following setup:
CoovaChilli accepts user login requests and sends radius packets to
freeradius
freeradius then proxies the requests (based on realm) onto a second
freeradius server.

If I attempt a login with username "A\" the first freeradius server receives
packets with User-Name attribute = "A\\" and sends a packet to the second
radius server with User-Name attribute = "A"  (as reported by wireshark)

So it looks like freeradius is not correctly unescaping the username
attribute.  (Or incorrectly re-escaping) before the proxy.

How is freeradius expected to behave when escaping backslash and quote
characters before proxying?  And is it possible to alter this behavior
through configuration?

Thanks,
Murray

Re: ..::Huntgroup Issues::..

2010-09-03 Thread Carlos Eduardo Tavares Terra
Maybe the problem is here:

rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139,
length=58
User-Name = "steve2"
User-Password = "testing"
*NAS-IP-Address = 192.168.2.251*
NAS-Port = 10



2010/9/1 Alfonso Alejandro Reyes Jiménez 

>  Thanks for the advice to everyone.
>
> As per your recommendation we changed the users file with the following
> line:
>
> steve2  Cleartext-Password := "testing", Huntgroup-Name == "arcsight"
>
> but we got the same result access-reject.
>
> And we got the following output:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 6729, id=139,
> length=58
> User-Name = "steve2"
> User-Password = "testing"
> NAS-IP-Address = 192.168.2.251
> NAS-Port = 10
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "steve2", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
>
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> *No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user*
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> steve2
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
>
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 139 to 127.0.0.1 port 6729
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 139 with timestamp +5
>
> I have a question, we removed the authentication value and the debug shows
> that it is looking for it, why is that?
>
> May be someone that has the huntgroups running can send the examples of the
> users and huntgroups files, that may help a lot.
>
> Thanks in advance.
>
> Regards
>
> Alfonso.
>
> El 24/08/2010 04:46 a.m., Alan DeKok escribió:
>
> Alfonso Alejandro Reyes Jiménez wrote:
>
>  Hi, I'm trying to use the huntgroup feature on the freeradius software
> without luck. I think I'm missing something, that's why I'm sending this
> email; maybe you can help me.
>
>You should read the debug output of the server.  The answer is in there.
>
>
>  users file at the end:
>
> alfonso  Auth-Type := Local, User-Password == "testing", Huntgroup-Name
> == "squid"
>
>  Don't set Auth-Type.  Use "Cleartext-Password := ...", and not
> "User-Password == ..."
>
>
>  Here's the output of the debug, it seems that it doesn't find the config
> file.
>
>No.  It finds the DEFAULT entry earlier in the file.
>
>   Why?  This is documented.  Read the comments at the top of the "users"
> file.  Read the "man users" page.  Read the FAQ for an example of how to
> configure a test user.
>
>   Alan DeKok.
>
>



-- 
Carlos Eduardo Tavares Terra
Red Hat Certified Engineer
Consultor em Administração de Redes Linux
GNU/Linux #413291 [http://counter.li.org]
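To make the hint concrete, an added example (not from the thread) of the two files that have to agree: the huntgroups file must map the NAS-IP-Address seen in the debug output to the huntgroup name the users entry checks. The users line is the one quoted in the thread; the huntgroups line is an assumption about what is missing, since the thread never shows that file.

```text
# raddb/huntgroups (added example): the preprocess module reads this file
# in authorize and sets Huntgroup-Name on the request when a line matches.
# Without a line for this NAS, the request carries no Huntgroup-Name at all.
arcsight    NAS-IP-Address == 192.168.2.251

# raddb/users (added example): the entry quoted in the thread. If no
# huntgroups line matched, Huntgroup-Name == "arcsight" fails and the entry
# is skipped, which fits "++[files] returns noop" in the debug output: pap
# then finds no "known good" password and no Auth-Type is ever set.
steve2      Cleartext-Password := "testing", Huntgroup-Name == "arcsight"
```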

Re: Logging ntlm authentication

2010-09-03 Thread Alan DeKok
Sion wrote:
> I've got freeradius 2.1.7 setup on a CentOS system working as an AAA
> server for our WPA Enterprise based wireless network with clients
> successfully authenticating using PEAP and TTLS. Now to my question,
> I've configured linelog to log certain attributes but I also want it to
> log either the Exec-Program output of ntlm_auth or the peap reply value
> for the MS-CHAP-Error attribute but so far I've been unsuccessful in
> doing this. Is this possible? if so can anybody give me any pointers?

  You can't log the ntlm_auth output.  If it's important for you, write
a shell script wrapper around the problem.

  For MS-CHAP-Error, it's just an attribute.  You can log it, just like
any other attribute.

  Alan DeKok.


Logging ntlm authentication

2010-09-03 Thread Sion
Hi,

I've got freeradius 2.1.7 setup on a CentOS system working as an AAA server
for our WPA Enterprise based wireless network with clients successfully
authenticating using PEAP and TTLS. Now to my question, I've configured
linelog to log certain attributes but I also want it to log either the
Exec-Program output of ntlm_auth or the peap reply value for the
MS-CHAP-Error attribute but so far I've been unsuccessful in doing this. Is
this possible? if so can anybody give me any pointers?

Regards,

Sion

Re: Freeradius-Users Digest, Vol 65, Issue 8

2010-09-03 Thread t.drollin...@i-motion.de
I am out of the office from Friday 03.09.2010 until Friday 24.09.2010 and
can only deal with your message on Monday 27.09.2010.

In urgent cases please contact my colleague Mr Böhm
(e-mail: r.bo...@i-motion.de).

Kind regards
Tobias Drollinger
