Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Chidanand Gangur
Thanks Phil, I will definitely explore the pointer you mentioned. Sorry,
folks, for asking an IIS question on this mailing list; I was a little
frustrated.

Thanks,
Chidanand



On Mon, Sep 6, 2010 at 10:17 PM, Phil Mayers wrote:

> On 09/06/2010 03:00 PM, Chidanand Gangur wrote:
>
>> At present I have removed the proxy from my setup and have directly
>> connected my host to AD (IIS server).
>>
>
> This isn't a FreeRadius question. Ask on an NPS/IAS server mailing list.
>
> But...
>
> From distant memory, MD5 password support requires "reversible password
> encryption" to be enabled - a domain-wide option I think - and then for you
> to change the users passwords, so that AD can generate the new crypt.
>
> You should investigate this. FreeRadius can't help you.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Chidanand Gangur
Pune.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Save Passwords Encrypted in DB

2010-09-06 Thread Alan DeKok
Nasser Heidari wrote:
> r...@tradius:~# cat /etc/raddb/users 
> DEFAULT Auth-Type := Local, Simultaneous-Use := 1
> Fall-Through = Yes

See the FAQ for how to set up a sample entry in the "users" file.

  Try also *reading* the debug log you posted.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Save Passwords Encrypted in DB

2010-09-06 Thread Nasser Heidari
I've found the problem; it was a mistake in my users file. I just changed 
Auth-Type to PAP:
 
r...@tradius  :~# cat /etc/raddb/users 
DEFAULT Auth-Type := PAP, Simultaneous-Use := 1
Fall-Through = Yes
 
Thanks



From: freeradius-users-bounces+nasser=rasana@lists.freeradius.org on behalf 
of Nasser Heidari
Sent: Mon 9/6/2010 10:51 PM
To: FreeRadius users mailing list
Subject: RE: Save Passwords Encrypted in DB


r...@tradius:~# cat /etc/raddb/users 
DEFAULT Auth-Type := Local, Simultaneous-Use := 1
Fall-Through = Yes
 
--
 
r...@tradius:~# radtest nasser plainpass 127.0.0.1:1812 1700 adminsecret
Sending Access-Request of id 155 to 127.0.0.1 port 1812
User-Name = "nasser"
User-Password = "plainpass"
NAS-IP-Address = 192.168.7.254
NAS-Port = 1700
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=155, length=20

--

rad_recv: Access-Request packet from host 127.0.0.1 port 49986, id=155, 
length=65
User-Name = "nasser"
User-Password = "plainpass"
NAS-IP-Address = 192.168.7.254
NAS-Port = 1700
Tue Sep  7 10:39:22 2010 : Info: +- entering group authorize {...}
Tue Sep  7 10:39:22 2010 : Info: ++[preprocess] returns ok
Tue Sep  7 10:39:22 2010 : Info: [files] users: Matched entry DEFAULT at line 1
Tue Sep  7 10:39:22 2010 : Info: ++[files] returns ok
Tue Sep  7 10:39:22 2010 : Info: [suffix] No '@' in User-Name = "nasser", 
looking up realm NULL
Tue Sep  7 10:39:22 2010 : Info: [suffix] No such realm "NULL"
Tue Sep  7 10:39:22 2010 : Info: ++[suffix] returns noop
Tue Sep  7 10:39:22 2010 : Info: [sql] expand: %{User-Name} -> nasser
Tue Sep  7 10:39:22 2010 : Info: [sql] sql_set_user escaped user --> 'nasser'
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 19
Tue Sep  7 10:39:22 2010 : Info: [sql] expand: call 
usercheck('%{SQL-User-Name}') -> call usercheck('nasser')
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql_mysql: query:  call 
usercheck('nasser')
Tue Sep  7 10:39:22 2010 : Info: [sql] User found in radcheck table
Tue Sep  7 10:39:22 2010 : Info: [sql] expand: call 
userreply('%{SQL-User-Name}') -> call userreply('nasser')
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql_mysql: query:  call 
userreply('nasser')
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql (sql): Released sql socket id: 19
Tue Sep  7 10:39:22 2010 : Info: ++[sql] returns ok
GOT CLONE -1219773760 0x86eea50
Tue Sep  7 10:39:22 2010 : Info: ++[logintime] returns noop
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log] 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: %t -> Tue Sep  7 
10:39:22 2010
Tue Sep  7 10:39:22 2010 : Info: ++[reply_log] returns ok
Tue Sep  7 10:39:22 2010 : Info: Found Auth-Type = Local
Tue Sep  7 10:39:22 2010 : Info: WARNING: Please update your configuration, and 
remove 'Auth-Type = Local'
Tue Sep  7 10:39:22 2010 : Info: WARNING: Use the PAP or CHAP modules instead.
Tue Sep  7 10:39:22 2010 : Info: User-Password in the request does NOT match 
"known good" password.
Tue Sep  7 10:39:22 2010 : Info: Failed to authenticate the user.
Tue Sep  7 10:39:22 2010 : Auth: Login incorrect: [nasser/plainpass] (from 
client admincheck port 1700)
Tue Sep  7 10:39:22 2010 : Info: Using Post-Auth-Type Reject
Tue Sep  7 10:39:22 2010 : Info: +- entering group REJECT {...}
Tue Sep  7 10:39:22 2010 : Info: ++[sql] returns ok
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log] 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: %t -> Tue Sep  7 
10:39:22 2010
Tue Sep  7 10:39:22 2010 : Info: ++[reply_log] returns ok
Tue Sep  7 10:39:22 2010 : Info: Delaying reject of request 0 for 3 seconds
Tue Sep  7 10:39:22 2010 : Debug: Going to the next request
Tue Sep  7 10:39:22 2010 : Debug: Waking up in 0.9 seconds.
Tue Sep  7 10:39:23 2010 : Debug: Waking up in 1.9 seconds.
Tue Sep  7 10:39:25 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 155 to 127.0.0.1 port 49986
Tue Sep  7 10:39:25 2010 : Debug: Waking up in 9.9 seconds.
Tue Sep  7 10:39:35 2010 : Info: Cleaning up request 0 ID 155 with timestamp +17
Tue Sep  7 10:39:35 2010 : Info: Ready to process requests.
^C
r...@tradius:~# 




RE: Save Passwords Encrypted in DB

2010-09-06 Thread Nasser Heidari
r...@tradius:~# cat /etc/raddb/users 
DEFAULT Auth-Type := Local, Simultaneous-Use := 1
Fall-Through = Yes
 
--
 
r...@tradius:~# radtest nasser plainpass 127.0.0.1:1812 1700 adminsecret
Sending Access-Request of id 155 to 127.0.0.1 port 1812
User-Name = "nasser"
User-Password = "plainpass"
NAS-IP-Address = 192.168.7.254
NAS-Port = 1700
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=155, length=20

--

rad_recv: Access-Request packet from host 127.0.0.1 port 49986, id=155, 
length=65
User-Name = "nasser"
User-Password = "plainpass"
NAS-IP-Address = 192.168.7.254
NAS-Port = 1700
Tue Sep  7 10:39:22 2010 : Info: +- entering group authorize {...}
Tue Sep  7 10:39:22 2010 : Info: ++[preprocess] returns ok
Tue Sep  7 10:39:22 2010 : Info: [files] users: Matched entry DEFAULT at line 1
Tue Sep  7 10:39:22 2010 : Info: ++[files] returns ok
Tue Sep  7 10:39:22 2010 : Info: [suffix] No '@' in User-Name = "nasser", 
looking up realm NULL
Tue Sep  7 10:39:22 2010 : Info: [suffix] No such realm "NULL"
Tue Sep  7 10:39:22 2010 : Info: ++[suffix] returns noop
Tue Sep  7 10:39:22 2010 : Info: [sql] expand: %{User-Name} -> nasser
Tue Sep  7 10:39:22 2010 : Info: [sql] sql_set_user escaped user --> 'nasser'
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql (sql): Reserving sql socket id: 19
Tue Sep  7 10:39:22 2010 : Info: [sql] expand: call 
usercheck('%{SQL-User-Name}') -> call usercheck('nasser')
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql_mysql: query:  call 
usercheck('nasser')
Tue Sep  7 10:39:22 2010 : Info: [sql] User found in radcheck table
Tue Sep  7 10:39:22 2010 : Info: [sql] expand: call 
userreply('%{SQL-User-Name}') -> call userreply('nasser')
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql_mysql: query:  call 
userreply('nasser')
Tue Sep  7 10:39:22 2010 : Debug: rlm_sql (sql): Released sql socket id: 19
Tue Sep  7 10:39:22 2010 : Info: ++[sql] returns ok
GOT CLONE -1219773760 0x86eea50
Tue Sep  7 10:39:22 2010 : Info: ++[logintime] returns noop
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log] 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: %t -> Tue Sep  7 
10:39:22 2010
Tue Sep  7 10:39:22 2010 : Info: ++[reply_log] returns ok
Tue Sep  7 10:39:22 2010 : Info: Found Auth-Type = Local
Tue Sep  7 10:39:22 2010 : Info: WARNING: Please update your configuration, and 
remove 'Auth-Type = Local'
Tue Sep  7 10:39:22 2010 : Info: WARNING: Use the PAP or CHAP modules instead.
Tue Sep  7 10:39:22 2010 : Info: User-Password in the request does NOT match 
"known good" password.
Tue Sep  7 10:39:22 2010 : Info: Failed to authenticate the user.
Tue Sep  7 10:39:22 2010 : Auth: Login incorrect: [nasser/plainpass] (from 
client admincheck port 1700)
Tue Sep  7 10:39:22 2010 : Info: Using Post-Auth-Type Reject
Tue Sep  7 10:39:22 2010 : Info: +- entering group REJECT {...}
Tue Sep  7 10:39:22 2010 : Info: ++[sql] returns ok
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log] 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to 
/var/log/radius/radacct/127.0.0.1/reply-detail-20100907
Tue Sep  7 10:39:22 2010 : Info: [reply_log]expand: %t -> Tue Sep  7 
10:39:22 2010
Tue Sep  7 10:39:22 2010 : Info: ++[reply_log] returns ok
Tue Sep  7 10:39:22 2010 : Info: Delaying reject of request 0 for 3 seconds
Tue Sep  7 10:39:22 2010 : Debug: Going to the next request
Tue Sep  7 10:39:22 2010 : Debug: Waking up in 0.9 seconds.
Tue Sep  7 10:39:23 2010 : Debug: Waking up in 1.9 seconds.
Tue Sep  7 10:39:25 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 155 to 127.0.0.1 port 49986
Tue Sep  7 10:39:25 2010 : Debug: Waking up in 9.9 seconds.
Tue Sep  7 10:39:35 2010 : Info: Cleaning up request 0 ID 155 with timestamp +17
Tue Sep  7 10:39:35 2010 : Info: Ready to process requests.
^C
r...@tradius:~# 



From: freeradius-users-bounces+nasser=rasana@lists.freeradius.org on behalf 
of Alan DeKok
Sent: Mon 9/6/2010 7:49 PM
To: FreeRadius users mailing list
Subject: Re: Save Passwords Encrypted in DB



Nasser Heidari wrote:
> But no success; also I added Password-With-Header := "{crypt}" to my
> sql.conf, but no success!
> Am I missing something?

  See the FAQ for "it doesn't work"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Phil Mayers

On 09/06/2010 03:00 PM, Chidanand Gangur wrote:

At present I have removed the proxy from my setup and have directly
connected my host to AD (IIS server).


This isn't a FreeRadius question. Ask on an NPS/IAS server mailing list.

But...

From distant memory, MD5 password support requires "reversible password 
encryption" to be enabled - a domain-wide option I think - and then for 
you to change the users passwords, so that AD can generate the new crypt.


You should investigate this. FreeRadius can't help you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Save Passwords Encrypted in DB

2010-09-06 Thread Alan DeKok
Nasser Heidari wrote:
> But no success; also I added Password-With-Header := "{crypt}" to my
> sql.conf, but no success!
> Am I missing something?

  See the FAQ for "it doesn't work"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Alan DeKok
Chidanand Gangur wrote:
> My home server is a Microsoft IIS server; all I get from its logs is the
> following: 

  Sorry, you need to ask Microsoft how to debug their software.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Save Passwords Encrypted in DB

2010-09-06 Thread Nasser Heidari
Hi, 
I want to save encrypted passwords in the DB. 
As I reviewed the mailing list, it looks like I don't need major changes to
my Freeradius and DB records.
Currently my user's password in the database is like this:

+-------+----------+----------------+----+------------------------------------+
| id    | UserName | attribute      | op | value                              |
+-------+----------+----------------+----+------------------------------------+
| 10001 | nasser   | User-Password  | := | plainpass                          |
+-------+----------+----------------+----+------------------------------------+

And I authenticate users with the pap module.

I've changed the DB entry to this:

#  openssl passwd -1 plainpass
$1$n.cKdTKy$.N.o9XkpX.RkCHC5EbZds/


+-------+----------+----------------+----+------------------------------------+
| id    | UserName | attribute      | op | value                              |
+-------+----------+----------------+----+------------------------------------+
| 10001 | nasser   | Crypt-Password | := | $1$n.cKdTKy$.N.o9XkpX.RkCHC5EbZds/ |
+-------+----------+----------------+----+------------------------------------+

But no success; also I added Password-With-Header := "{crypt}" to my
sql.conf, but no success!
Am I missing something?
What kind of changes do I need?

My Freeradius Version is 2.1.7

Thanks in advance.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
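What the pap module actually does with a radcheck row like the ones above is compare the request's User-Password against the "known good" password the sql module returned, choosing the comparison by attribute name (Cleartext-Password, Crypt-Password) or, for Password-With-Header, by the {header} at the front of the value. The block below is an added example, not FreeRADIUS code: it re-implements that decision for the {clear}, {crypt} ($1$ MD5-crypt, the scheme `openssl passwd -1` writes) and {ssha} headers, with a pure-Python transcription of the classic crypt-md5 algorithm so it runs where the `crypt` module has been removed. The attribute names and headers are the ones rlm_pap accepts; the SSHA salt and the passwords used in the usage are constructed test values.

```python
import base64
import hashlib
import hmac

# Alphabet crypt(3) uses to encode the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: str) -> str:
    """MD5-crypt ($1$salt$hash): transcription of the classic crypt-md5 algorithm."""
    salt = salt[:8]                      # crypt-md5 uses at most 8 salt characters
    sb = salt.encode()
    ctx = hashlib.md5(password + b"$1$" + sb)
    alt = hashlib.md5(password + sb + password).digest()
    remaining = len(password)
    while remaining > 0:                 # feed `alt`, repeated, up to len(password) bytes
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bit = len(password)
    while bit:                           # one byte per bit of the password length
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                # deliberately slow stretching loop
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f = final
    encoded = (                          # crypt-md5's byte interleaving before base64
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Value for a {ssha} header: base64(SHA1(password || salt) || salt)."""
    return base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def check_password(attribute: str, stored: str, supplied: str) -> bool:
    """Decide whether the request's User-Password matches one radcheck row.

    Mirrors rlm_pap's use of the "known good" password: the attribute name, or the
    {header} inside a Password-With-Header value, selects the comparison. Unknown
    schemes are rejected rather than compared as clear text.
    """
    supplied_b = supplied.encode()
    if attribute == "Password-With-Header" and stored.startswith("{"):
        header, _, value = stored[1:].partition("}")
        scheme = header.lower()
    else:
        value = stored
        scheme = {"Cleartext-Password": "clear",
                  "User-Password": "clear",        # legacy check-item form, as in the first table
                  "Crypt-Password": "crypt"}.get(attribute)
    if scheme in ("clear", "cleartext"):
        return hmac.compare_digest(value.encode(), supplied_b)
    if scheme == "crypt":
        parts = value.split("$")                  # ['', '1', salt, hash]
        if len(parts) != 4 or parts[1] != "1":
            return False                          # only $1$ is implemented here
        return hmac.compare_digest(md5_crypt(supplied_b, parts[2]), value)
    if scheme == "ssha":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(supplied_b + salt).digest(), digest)
    return False


if __name__ == "__main__":
    # Usage with the salt from the poster's hash; the password and SSHA salt are test values.
    row = md5_crypt(b"plainpass", "n.cKdTKy")
    print(row, check_password("Crypt-Password", row, "plainpass"))
    print(check_password("Password-With-Header", "{ssha}" + ssha_hash(b"plainpass", b"saltsalt"), "plainpass"))
```

Run stand-alone it prints the $1$ hash it derives for the poster's salt, which you can compare with the `openssl passwd -1` output above, followed by the verification results. The comparisons go through `hmac.compare_digest` so a mismatch takes the same time as a match, and anything with an unrecognised header falls through to a reject.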


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Chidanand Gangur
At present I have removed the proxy from my setup and have directly connected
my host to AD (IIS server).

I have configured "raduser" on it
I have added my host IP as its RADIUS client

and on issuing the following command
eapol_test -c /tmp/eapol.conf -a 192.168.7.40 -p 1812 -s testing123


My home server is a Microsoft IIS server; all I get from its logs is the
following:

127.0.0.1,raduser,09/06/2010,18:42:57,IAS,ROOTTESTLABAD,4128,192.168.6.134,4,127.0.0.1,31,02-00-00-00-00-01,12,1400,61,19,77,CONNECT
11Mbps 802.11b,4108,192.168.6.134,4116,0,4155,1,4154,dot1x,25,311 1
192.168.7.40 09/06/2010 13:08:43
6,4129,MYTEST\raduser,4127,5,4149,test-dot1x,4132,MD5-Challenge,4130,
mytest.com/Users/raduser,4136,1,4142,0

127.0.0.1,raduser,09/06/2010,18:42:57,IAS,ROOTTESTLABAD,4128,192.168.6.134,25,311
1 192.168.7.40 09/06/2010 13:08:43 6,4132,MD5-Challenge,4130,
mytest.com/Users/raduser,4149,test-dot1x,4108,192.168.6.134,4116,0,4127,5,4155,1,4154,dot1x,4129,MYTEST\raduser,4136,3,4142,19

When I repeat the same test with freeRADIUS as my home server everything works
fine.
I have run out of ideas; please guide me.

Thanks,
Chidanand








On Mon, Sep 6, 2010 at 4:02 PM, Alan Buxey  wrote:

> hi,
>
> I will repeat the advice given before - look at the logs of the
> RADIUS server which is actually doing the authentication. You cannot
> get joy anywhere else.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Chidanand Gangur
Pune.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Logging ntlm authentication

2010-09-06 Thread Sion
On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok  wrote:
> Sion wrote:
>> I've also tried outer.reply, but I'm still not seeing it show up in my logs.
>
>    And the debug log says... ?

rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=113, length=175
User-Name = "cc0086"
Calling-Station-Id = "00-1B-77-94-57-72"
Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
NAS-Port = 29
NAS-IP-Address = 192.168.196.13
NAS-Identifier = "llwacA105"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "115"
EAP-Message = 0x0203000b01636330303836
Message-Authenticator = 0xfad76efcaaae1711153d00e8b66be682
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 113 to 192.168.196.13 port 32768
EAP-Message = 0x010400061920
Message-Authenticator = 0x
State = 0xcd901d8ccd9404e11d6b7c064faf8b1f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=114, length=297
User-Name = "cc0086"
Calling-Station-Id = "00-1B-77-94-57-72"
Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
NAS-Port = 29
NAS-IP-Address = 192.168.196.13
NAS-Identifier = "llwacA105"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "115"
EAP-Message =
0x02040073198000691603010064016003014c84aaed46f925dbf010684571f2a65f8665099d1535eb4dafd7b34ccf5c382c18002f00350005000ac013c014c009c00a0032003800130004011f000b000906636330303836000a0006000400170018000b00020100
State = 0xcd901d8ccd9404e11d6b7c064faf8b1f
Message-Authenticator = 0x723f90602e22add50d84204eb9c29fbb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 115
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 105
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0064], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e5], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 114 to 192.168.196.13 port 32768
EAP-Message =
0x0105040019c00722160301002a022603014c84aaeabbefb79f979e0bc448a7508f277b89b07cd68280544ad5af8234c25d2f0016030106e50b0006e10006de0003c1308203bd30820326a0030201020210571735f114d0297747dec8e1dc855028300d06092a864886f70d01010505003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e311930
EAP-Message =
0x1706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d301e170d3037303932383030303030305a170d3130303932373233353935395a3081d231293027060355040

Re: Pre release of 2.1.10

2010-09-06 Thread Alan Buxey
Hi,

>   Please test it out, and give feedback on issues / benefits.  The file
> doc/ChangeLog contains all of the changes and new features in the server.


fails to compile on older Red Hats with python:

gmake[6]: Leaving directory 
`/usr/src/freeradius-server-2.1.10/src/modules/rlm_preprocess'
Making all in rlm_python...
/usr/bin/gmake -w -C rlm_python all
gmake[6]: Entering directory 
`/usr/src/freeradius-server-2.1.10/src/modules/rlm_python'
/usr/src/freeradius-server-2.1.10/libtool --mode=compile gcc  -g -O2 
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/src/freeradius-server-2.1.10/src  -I/usr/include/python2.2 -c 
rlm_python.c
mkdir .libs
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
-DNDEBUG -I/usr/src/freeradius-server-2.1.10/src -I/usr/include/python2.2 -c 
rlm_python.c  -fPIC -DPIC -o .libs/rlm_python.o
rlm_python.c: In function `python_error':
rlm_python.c:177: `PyGILState_STATE' undeclared (first use in this function)
rlm_python.c:177: (Each undeclared identifier is reported only once
rlm_python.c:177: for each function it appears in.)
rlm_python.c:177: syntax error before "__gstate"
rlm_python.c:195: warning: implicit declaration of function `PyGILState_Release'
rlm_python.c:195: `__gstate' undeclared (first use in this function)
rlm_python.c: In function `python_init':
rlm_python.c:215: warning: passing arg 2 of `PyModule_AddIntConstant' discards 
qualifiers from pointer target type
rlm_python.c: In function `python_function':
rlm_python.c:352: `PyGILState_STATE' undeclared (first use in this function)
rlm_python.c:352: syntax error before "gstate"
rlm_python.c:375: `gstate' undeclared (first use in this function)
rlm_python.c:375: warning: implicit declaration of function `PyGILState_Ensure'
rlm_python.c: In function `python_load_function':
rlm_python.c:484: `PyGILState_STATE' undeclared (first use in this function)
rlm_python.c:484: syntax error before "gstate"
rlm_python.c:486: `gstate' undeclared (first use in this function)
rlm_python.c: In function `python_objclear':
rlm_python.c:522: `PyGILState_STATE' undeclared (first use in this function)
rlm_python.c:522: syntax error before "__gstate"
rlm_python.c:524: `__gstate' undeclared (first use in this function)
gmake[6]: *** [rlm_python.lo] Error 1
gmake[6]: Leaving directory 
`/usr/src/freeradius-server-2.1.10/src/modules/rlm_python'
gmake[5]: *** [rlm_python] Error 2
gmake[5]: Leaving directory `/usr/src/freeradius-server-2.1.10/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/usr/src/freeradius-server-2.1.10/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/usr/src/freeradius-server-2.1.10/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/src/freeradius-server-2.1.10/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/usr/src/freeradius-server-2.1.10'
make: *** [all] Error 2


Personally, I don't use python, so when I blow away src/modules/rlm_python (or 
disable it) it compiles.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Pre release of 2.1.10

2010-09-06 Thread Alan DeKok
  It's been a few weeks since the last "pre" release of 2.1.10.  I've
put another one up on the web at:

http://git.freeradius.org/pre/

  Please test it out, and give feedback on issues / benefits.  The file
doc/ChangeLog contains all of the changes and new features in the server.

  For a "stable" release, this one has an unfortunate number of feature
enhancements.  However, some have been demanded for a very long time,
and they could be added in an "isolated" fashion.

  The only change I see affecting anything is the handling of dead home
servers when proxying.  This was a bug fix to prevent the home servers
from being marked dead/alive/dead/alive in quick sequence.  This change
has been tested to work, but please give it additional scrutiny.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging ntlm authentication

2010-09-06 Thread Alan DeKok
Sion wrote:
> I've also tried outer.reply, but I'm still not seeing it show up in my logs.

And the debug log says... ?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Alan Buxey
hi,

I will repeat the advice given before - look at the logs of the
RADIUS server which is actually doing the authentication. You cannot
get joy anywhere else.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Alan Buxey
Hi,

> I see the following on my host on running eapol_test. Why is NAS-IP-Address set 
> as 127.0.0.1 in this case?

you cannot debug and fix RADIUS issues by looking at the client.

NAS-IP-Address is 127.0.0.1 because that's what it is. You are a local machine.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Chidanand Gangur
I do not have "raduser" configured in my proxy users file. If it is a
configuration problem on the Home-Server, why does it work if I use
radeapclient/radclient?

I see the following on my host on running eapol_test. Why is NAS-IP-Address set
as 127.0.0.1 in this case?

Reading configuration file '/tmp/eapol.conf'
Line: 1 - start of a new network block
key_mgmt: 0x4
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=21):
72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 radu...@mytes
74 2e 63 6f 6d t.com
password - hexdump_ascii(len=7):
70 61 73 73 31 32 33 pass123
Priority group 0
id=0 ssid=''
Authentication server 192.168.6.134:1812
RADIUS local address: 192.168.6.181:32771
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=21):
72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 radu...@mytes
74 2e 63 6f 6d t.com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=26)
TX EAP -> RADIUS - hexdump(len=26): 02 00 00 1a 01 72 61 64 75 73 65 72 40
6e 65 76 69 73 74 65 73 74 2e 63 6f 6d
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=21): 72 61 64 75
73 65 72 40 6e 65 76 69 73 74 65 73 74 2e 63 6f 6d
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=150
Attribute 1 (User-Name) length=23
Value: 'radu...@mytest.com'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=28
Value: 02 00 00 1a 01 72 61 64 75 73 65 72 40 6e 65 76 69 73 74 65 73 74 2e
63 6f 6d
Attribute 80 (Message-Authenticator) length=18
Value: cb 60 23 ea b3 e1 3d 7d 11 81 f1 02 53 39 5d e1
Next RADIUS client retransmit in 3 seconds

EAPOL: SUPP_BE entering state RECEIVE
Received 129 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=129
Attribute 27 (Session-Timeout) length=6
Value: 6
Attribute 79 (EAP-Message) length=37
Value: 01 01 00 23 04 10 b3 70 ee 1c 3c 59 73 f5 a2 4e 77 b7 a2 4d cb 01 52
4f 4f 54 54 45 53 54 4c 41 42 41 44
Attribute 24 (State) length=25
Value: 1a 35 02 b4 00 00 01 37 00 01 c0 a8 07 28 00 00 00 03 23 5c 23 3e 00
Attribute 80 (Message-Authenticator) length=18
Value: d8 fb 71 20 d9 1c ca 4d 61 a5 7d 7a e6 34 0c 4b
Attribute 1 (User-Name) length=23
Value: 'radu...@mytest.com'
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=35) from RADIUS server:
EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): b3 70 ee 1c 3c 59 73 f5 a2 4e 77 b7 a2
4d cb 01
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 26 f7 be 54 fc 4a 29 80 58 5c a6 65 69
02 2d 21
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=22)
TX EAP -> RADIUS - hexdump(len=22): 02 01 00 16 04 10 26 f7 be 54 fc 4a 29
80 58 5c a6 65 69 02 2d 21
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=171
Attribute 1 (User-Name) length=23
Value: 'radu...@mytest.com'
Attribute 4 (N
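The eapol_test output above contains the whole EAP-MD5 exchange in hex: the Access-Challenge carries an EAP-Request of type 4 (MD5-Challenge) with a 16-byte challenge and the name ROOTTESTLABAD, and the next Access-Request carries the EAP-Response with the 16-byte value eapol_test computed from the password in /tmp/eapol.conf. The block below is an added example, not code from eapol_test or FreeRADIUS: it parses both packets per RFC 3748 section 5.4 (transcribed here from the hexdumps in the post), checks their lengths and identifiers, and recomputes the MD5-Challenge response value MD5(Identifier || secret || Challenge) from RFC 1994, so the logged exchange can be checked for consistency with the configured password rather than guessed at from the client side. Nothing about the home server's decision is reconstructed; the only assumption is the password pass123 that eapol.conf shows.

```python
import hashlib

# Transcribed from the eapol_test output quoted above: EAP-Message of the
# Access-Challenge (id=0) and the EAP response eapol_test sent back (TX EAP -> RADIUS).
CHALLENGE_EAP = bytes.fromhex(
    "0101002304" "10"                        # code=Request id=1 len=35 type=4 value-size=16
    "b370ee1c3c5973f5a24e77b7a24dcb01"       # Challenge value
    "524f4f54544553544c41424144"             # Name: "ROOTTESTLABAD"
)
RESPONSE_EAP = bytes.fromhex(
    "0201001604" "10"                        # code=Response id=1 len=22 type=4 value-size=16
    "26f7be54fc4a2980585ca66569022d21"       # Response value
)


def parse_eap_md5(pkt: bytes) -> dict:
    """Parse an EAP packet carrying type 4 (MD5-Challenge); rejects malformed ones."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes on the wire")
    if code not in (1, 2):
        raise ValueError(f"unexpected EAP code {code}")
    if pkt[4] != 4:
        raise ValueError(f"EAP type {pkt[4]} is not MD5-Challenge")
    value_size = pkt[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return {
        "code": "Request" if code == 1 else "Response",
        "id": ident,
        "value": pkt[6:6 + value_size],
        "name": pkt[6 + value_size:].decode("ascii", errors="replace"),
    }


def md5_challenge_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the peer must return: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def response_matches(request: bytes, response: bytes, password: bytes) -> bool:
    """True if `response` is the correct MD5-Challenge answer to `request` for `password`."""
    req, rsp = parse_eap_md5(request), parse_eap_md5(response)
    if req["code"] != "Request" or rsp["code"] != "Response" or req["id"] != rsp["id"]:
        return False
    return rsp["value"] == md5_challenge_response(req["id"], password, req["value"])


if __name__ == "__main__":
    req = parse_eap_md5(CHALLENGE_EAP)
    print(f"EAP-Request id={req['id']} challenge={req['value'].hex()} name={req['name']!r}")
    print("response consistent with pass123:", response_matches(CHALLENGE_EAP, RESPONSE_EAP, b"pass123"))
```

The name field is the same ROOTTESTLABAD that appears in the IAS log lines earlier in the thread, which is a quick way to confirm the challenge came from the intended home server. The same check with any candidate password is all an observer of this exchange needs, which is the standing reason EAP-MD5 is only appropriate on links where the EAP frames cannot be captured, or inside a TLS-protected method.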

Re: Logging ntlm authentication

2010-09-06 Thread Sion
On Fri, Sep 3, 2010 at 10:30 PM, Alan DeKok  wrote:
> Sion wrote:
>> This had actually crossed my mind but I had tried testing this in the
>> post-auth section as well.
>>
>> What section should I do this in? Would something like this work?
>>
>> update outer {
>>                MS-CHAP-Error = "%{reply:MS-CHAP-Error}"
>> }
>
>  You need to refer to a *list*: outer.reply, or outer.control.  See
> "man unlang", which has examples.
>

Thanks for the pointers, in the inner-tunnel virtual server I've
changed the 'eap' line in the authenticate section to the following:

Auth-Type EAP {
eap
update outer.control {
MS-CHAP-Error = "%{reply:MS-CHAP-Error}"
}
}

I've also tried outer.reply, but I'm still not seeing it show up in my logs.

>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Alan Buxey
Hi,



> Sending Access-Request of id 177 to 192.168.7.40 port 1812



> rad_recv: Access-Reject packet from host 192.168.7.40 port 1812, id=177, 
> length=47


Seems quite simple. The home server that you proxied the request to has rejected
it. Check the logs on that server to see why - I suspect it's because you are
stripping the username and thus the EAP stuff won't be right.


You seem to also have that user in your local users file... and you also seem to 
be setting
auth-type to accept - that won't work for EAP.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: sqlcounter help

2010-09-06 Thread Alan DeKok
Mordor Networks wrote:
> It is disconnecting the user if the limit is reached, but the user can
> connect again, like it is not stopping the account. Now if I replace the
> query with #query = "SELECT (SUM(AcctInputOctets)+SUM(AcctOutputOctets)) FROM
> radacct WHERE UserName='%{%k}'" that will disconnect the account and it
> won't be able to connect again, but the problem here is with reset: how
> will I be able to reset daily?

  As always, run it in debugging mode to see what it's doing.

  Alan DeKok.


Re: EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Alan DeKok
Chidanand Gangur wrote:
> I have a proxy setup ( proxy server 192.168.6.134) where users are
> proxied to home server (192.168.7.40).
> Host IP address = 192.168.6.181
> FreeRADIUS  version 2.1.9
...
> I get following response on my proxy server

  Why not look on the home server to see what the problem is?

> I have never succeeded with eapol_test. I have doubts about the NAS-IP-Address
> attribute in the Access-Request, which is 127.0.0.1.
> Can somebody point out where I am going wrong? 

  You're trying to debug the home server by looking at the proxy.  This
won't work.

  Alan DeKok.


EAP-MD5 testing with radeapclient and eapol_test

2010-09-06 Thread Chidanand Gangur
Hi All,

I have a proxy setup (proxy server 192.168.6.134) where users are proxied
to the home server (192.168.7.40).
Host IP address = 192.168.6.181
FreeRADIUS version 2.1.9

User authentication using radclient works fine when I issue the following
command:

echo "user-name=radu...@mytest.com,Password=pass123" | radclient
192.168.6.134 auth testing123

I get the following response on my proxy server:

rad_recv: Access-Accept packet from host 192.168.7.40 port 1812, id=104,
length=68
Proxy-State = 0x3737
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x52a505b101370001c0a8072801cb4d87ddbf246a0016

I try the same test with EAP using the following command:

echo "user-name=radu...@mytest.com,Password=pass123,EAP-Code=Response,EAP-Id=210,EAP-Type-Identity=radu...@mytest.com" | radeapclient -x 192.168.6.134 auth testing123

I see the following output on the proxy server:

rad_recv: Access-Request packet from host 192.168.6.181 port 32771, id=108,
length=107
User-Name = "radu...@mytest.com"
User-Password = "pass123"
EAP-Message = 0x02d2001a0172616475736572406e65766973746573742e636f6d
Message-Authenticator = 0xe61561c7667d60c2fbc37709b16e8193
Mon Sep 6 06:48:30 2010 : Info: +- entering group authorize {...}
Mon Sep 6 06:48:30 2010 : Info: ++[preprocess] returns ok
Mon Sep 6 06:48:30 2010 : Info: ++[chap] returns noop
Mon Sep 6 06:48:30 2010 : Info: ++[mschap] returns noop
Mon Sep 6 06:48:30 2010 : Info: [suffix] Looking up realm "mytest.com" for
User-Name = "radu...@mytest.com"
Mon Sep 6 06:48:30 2010 : Info: [suffix] Found realm "mytest.com"
Mon Sep 6 06:48:30 2010 : Info: [suffix] Adding Stripped-User-Name =
"raduser"
Mon Sep 6 06:48:30 2010 : Info: [suffix] Adding Realm = "mytest.com"
Mon Sep 6 06:48:30 2010 : Info: [suffix] Proxying request from user raduser
to realm mytest.com
Mon Sep 6 06:48:30 2010 : Info: [suffix] Preparing to proxy authentication
request to realm "mytest.com"
Mon Sep 6 06:48:30 2010 : Info: ++[suffix] returns updated
Mon Sep 6 06:48:30 2010 : Info: [eap] Request is supposed to be proxied to
Realm mytest.com. Not doing EAP.
Mon Sep 6 06:48:30 2010 : Info: ++[eap] returns noop
Mon Sep 6 06:48:30 2010 : Info: ++[unix] returns notfound
Mon Sep 6 06:48:30 2010 : Info: [files] users: Matched entry DEFAULT at line
195
Mon Sep 6 06:48:30 2010 : Info: [files] expand: %{User-Name} ->
radu...@mytest.com
Mon Sep 6 06:48:30 2010 : Info: ++[files] returns ok
Mon Sep 6 06:48:30 2010 : Info: ++[expiration] returns noop
Mon Sep 6 06:48:30 2010 : Info: ++[logintime] returns noop
Mon Sep 6 06:48:30 2010 : Info: ++[pap] returns noop
Mon Sep 6 06:48:30 2010 : Info: WARNING: Empty pre-proxy section. Using
default return values.

Mon Sep 6 06:48:30 2010 : Info: Proxying request 0 to home server
192.168.7.40 port 1812
Sending Access-Request of id 40 to 192.168.7.40 port 1812
User-Name = "raduser"
User-Password = "pass123"
EAP-Message = 0x02d2001a0172616475736572406e65766973746573742e636f6d
Message-Authenticator = 0x
NAS-IP-Address = 192.168.6.181
Proxy-State = 0x313038
Mon Sep 6 06:48:30 2010 : Debug: Going to the next request
Mon Sep 6 06:48:30 2010 : Debug: Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 192.168.7.40 port 1812, id=40,
length=69
Proxy-State = 0x313038
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x52a605b201370001c0a8072801cb4d87ddbf246a0017
Mon Sep 6 06:48:30 2010 : Info: +- entering group post-proxy {...}
Mon Sep 6 06:48:30 2010 : Info: [force_username] expand: %{User-Name} ->
radu...@mytest.com
Mon Sep 6 06:48:30 2010 : Debug: force_username: Added attribute User-Name
with value 'radu...@mytest.com'
Mon Sep 6 06:48:30 2010 : Info: ++[force_username] returns ok
Mon Sep 6 06:48:30 2010 : Info: [eap] No pre-existing handler found
Mon Sep 6 06:48:30 2010 : Info: ++[eap] returns noop
Mon Sep 6 06:48:30 2010 : Info: Found Auth-Type = Accept
Mon Sep 6 06:48:30 2010 : Info: Auth-Type = Accept, accepting the user
Mon Sep 6 06:48:30 2010 : Info: +- entering group post-auth {...}
Mon Sep 6 06:48:30 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 108 to 192.168.6.181 port 32771
Framed-Protocol = PPP
Service-Type = Framed-User
Class = 0x52a605b201370001c0a8072801cb4d87ddbf246a0017
User-Name = "radu...@mytest.com"


When I use the eapol_test client with the following command:
eapol_test -c /tmp/eapol.conf -a 192.168.6.134 -p 1812 -s testing123 -r 1

eapol.conf is as follows:
network={
key_mgmt=NONE
eap=MD5
identity="radu...@mytest.com"
password="pass123"
}

I see the following output on my proxy server:

Mon Sep 6 06:53:49 2010 : Info: Proxying request 0 to home server
192.168.7.40 port 1812
Sending Access-Request of id 166 to 192.168.7.40 port 1812
User-Name = "raduser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x021a0172616475736572406e65766973746573742e6