pre-proxy automatically added "NAS-IP-Address"

2010-10-20 Thread ichiro tanaka

Hi.

I have a problem with the proxy.
When proxying to the auth-server, "NAS-IP-Address" was automatically added by the proxy.
Can I stop it?

I used ntradping-1.5 and freeradius-2.1.10.

--hosts--
ntradping-1.5 10.233.55.200
proxy (freeradius-2.1.10) 10.233.36.101
auth-server (freeradius-2.1.10) 10.233.36.100

--debug log--
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Oct 20 2010 at 15:43:53
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /tmp/radius/etc/raddb/radiusd.conf
including configuration file /tmp/radius/etc/raddb/proxy.conf
including configuration file /tmp/radius/etc/raddb/clients.conf
including files in directory /tmp/radius/etc/raddb/modules/
including configuration file /tmp/radius/etc/raddb/modules/radutmp
including configuration file /tmp/radius/etc/raddb/modules/passwd
including configuration file /tmp/radius/etc/raddb/modules/cui
including configuration file /tmp/radius/etc/raddb/modules/opendirectory
including configuration file /tmp/radius/etc/raddb/modules/dynamic_clients
including configuration file /tmp/radius/etc/raddb/modules/ippool
including configuration file /tmp/radius/etc/raddb/modules/realm
including configuration file /tmp/radius/etc/raddb/modules/pam
including configuration file /tmp/radius/etc/raddb/modules/ldap
including configuration file /tmp/radius/etc/raddb/modules/always
including configuration file /tmp/radius/etc/raddb/modules/counter
including configuration file /tmp/radius/etc/raddb/modules/smbpasswd
including configuration file /tmp/radius/etc/raddb/modules/sql_log
including configuration file /tmp/radius/etc/raddb/modules/logintime
including configuration file /tmp/radius/etc/raddb/modules/wimax
including configuration file /tmp/radius/etc/raddb/modules/detail.example.com
including configuration file /tmp/radius/etc/raddb/modules/policy
including configuration file /tmp/radius/etc/raddb/modules/unix
including configuration file /tmp/radius/etc/raddb/modules/mschap
including configuration file /tmp/radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /tmp/radius/etc/raddb/modules/files
including configuration file /tmp/radius/etc/raddb/modules/otp
including configuration file /tmp/radius/etc/raddb/modules/inner-eap
including configuration file /tmp/radius/etc/raddb/modules/perl
including configuration file /tmp/radius/etc/raddb/modules/etc_group
including configuration file /tmp/radius/etc/raddb/modules/linelog
including configuration file /tmp/radius/etc/raddb/modules/mac2vlan
including configuration file /tmp/radius/etc/raddb/modules/attr_rewrite
including configuration file /tmp/radius/etc/raddb/modules/digest
including configuration file /tmp/radius/etc/raddb/modules/sradutmp
including configuration file /tmp/radius/etc/raddb/modules/expr
including configuration file /tmp/radius/etc/raddb/modules/expiration
including configuration file /tmp/radius/etc/raddb/modules/attr_filter
including configuration file /tmp/radius/etc/raddb/modules/mac2ip
including configuration file /tmp/radius/etc/raddb/modules/pap
including configuration file /tmp/radius/etc/raddb/modules/detail
including configuration file /tmp/radius/etc/raddb/modules/detail.log
including configuration file /tmp/radius/etc/raddb/modules/smsotp
including configuration file /tmp/radius/etc/raddb/modules/krb5
including configuration file /tmp/radius/etc/raddb/modules/acct_unique
including configuration file /tmp/radius/etc/raddb/modules/echo
including configuration file /tmp/radius/etc/raddb/modules/ntlm_auth
including configuration file /tmp/radius/etc/raddb/modules/exec
including configuration file /tmp/radius/etc/raddb/modules/preprocess
including configuration file /tmp/radius/etc/raddb/modules/chap
including configuration file /tmp/radius/etc/raddb/modules/checkval
including configuration file /tmp/radius/etc/raddb/eap.conf
including configuration file /tmp/radius/etc/raddb/policy.conf
including files in directory /tmp/radius/etc/raddb/sites-enabled/
including configuration file /tmp/radius/etc/raddb/sites-enabled/control-socket
including configuration file /tmp/radius/etc/raddb/sites-enabled/default
including configuration file /tmp/radius/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /tmp/radius/etc/raddb/dictionary
main {
prefix = "/tmp/radius"
localstatedir = "/tmp/radius/var"
logdir = "/tmp/radius/var/log/radius"
libdir = "/tmp/radius/lib"
radacctdir = "/tmp/radius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/tmp/radius/var/run/radiusd/radiusd.pid"
checkrad = "/tmp/radius/sbin/checkrad"
debug_leve

Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute

2010-10-20 Thread ichiro tanaka

Thanks Alan.

(I couldn't get your reply in my mailbox, so I made a new mail. Sorry...)

>  Fix the proxy so that it's using the dictionaries from 2.1.10.  The
>debug *claims* it's 2.1.10, but the Delegated-IPv6-Prefix attribute *is*
>defined in the dictionaries for 2.1.10.
>
>  Alan DeKok.

My freeradius proxy already includes "dictionary.rfc4818".
Do I need something?

[[ radiusd -X ]]
including configuration file /tmp/radius/etc/raddb/sites-enabled/default
including configuration file /tmp/radius/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /tmp/radius/etc/raddb/dictionary
main {
prefix = "/tmp/radius"
localstatedir = "/tmp/radius/var"


[[ /tmp/radius/etc/raddb/dictionary ]]
$INCLUDE/tmp/radius/share/freeradius/dictionary


[[ /tmp/radius/share/freeradius/dictionary ]]
$INCLUDE dictionary.rfc4679
$INCLUDE dictionary.rfc4818
~~~
$INCLUDE dictionary.rfc4849


[[ dictionary.rfc4818 ]]
ATTRIBUTE   Delegated-IPv6-Prefix   123 ipv6prefix
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
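An added example, not from the post or from FreeRADIUS: it walks a $INCLUDE chain shaped like the one in the post (constructed in-memory stand-ins for the files, with the same paths), checks that Delegated-IPv6-Prefix (123, ipv6prefix) is reachable from the root dictionary, and encodes a value in the RFC 4818 wire format that the `ipv6prefix` type names, so the dictionary question and the attribute format can be checked together.

```python
"""Added example, not from the post or FreeRADIUS: follow the $INCLUDE chain
the post shows, confirm Delegated-IPv6-Prefix is reachable, and encode a
value in the RFC 4818 wire format the dictionary's `ipv6prefix` type names."""
import ipaddress
import os
import struct

# Constructed stand-ins for the on-disk files the post lists (paths as in the
# post; contents trimmed to the lines that matter for this example).
FILES = {
    "/tmp/radius/etc/raddb/dictionary":
        "$INCLUDE /tmp/radius/share/freeradius/dictionary\n",
    "/tmp/radius/share/freeradius/dictionary":
        "$INCLUDE dictionary.rfc4679\n"
        "$INCLUDE dictionary.rfc4818\n"
        "$INCLUDE dictionary.rfc4849\n",
    "/tmp/radius/share/freeradius/dictionary.rfc4679":
        "# RFC 4679 (vendor attributes omitted in this constructed copy)\n",
    "/tmp/radius/share/freeradius/dictionary.rfc4818":
        "# RFC 4818\nATTRIBUTE\tDelegated-IPv6-Prefix\t123\tipv6prefix\n",
    "/tmp/radius/share/freeradius/dictionary.rfc4849":
        "ATTRIBUTE\tNAS-Filter-Rule\t92\tstring\n",
}

# Keywords this small parser recognises but does not need to interpret.
IGNORED = {"VALUE", "VENDOR", "BEGIN-VENDOR", "END-VENDOR", "BEGIN-TLV", "END-TLV"}


def load_dictionary(path, files=FILES, seen=None):
    """Return {attribute-name: (number, type)} for every ATTRIBUTE line
    reachable from `path` via $INCLUDE. A relative $INCLUDE is resolved
    against the directory of the file containing it, which is how the bare
    `dictionary.rfc4818` line in the post is found."""
    seen = set() if seen is None else seen
    if path in seen:                      # include-loop guard
        return {}
    seen.add(path)
    if path not in files:
        raise FileNotFoundError(path)
    attrs = {}
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].upper()
        if keyword == "$INCLUDE" and len(fields) == 2:
            inc = fields[1]
            if not inc.startswith("/"):
                inc = os.path.join(os.path.dirname(path), inc)
            attrs.update(load_dictionary(inc, files, seen))
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            attrs[fields[1]] = (int(fields[2]), fields[3])
        elif keyword not in IGNORED:
            # e.g. a $INCLUDE glued to its path: report it rather than skip it
            raise ValueError(f"{path}: unrecognised line {raw.strip()!r}")
    return attrs


def encode_ipv6prefix(number, prefix):
    """RFC 4818 layout: Type, Length, Reserved (0), Prefix-Length, then the
    prefix octets. The full 16 octets are sent here (RFC 4818 allows up to
    16); bits beyond Prefix-Length must be zero, which strict=True enforces."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    body = struct.pack("!BB", 0, net.prefixlen) + net.network_address.packed
    return struct.pack("!BB", number, 2 + len(body)) + body


def decode_ipv6prefix(data):
    """Inverse of encode_ipv6prefix; checks Length and the Reserved octet."""
    number, length = data[0], data[1]
    if length != len(data) or not 4 <= length <= 20 or data[2] != 0:
        raise ValueError("malformed ipv6prefix attribute")
    plen = data[3]
    prefix = bytes(data[4:]).ljust(16, b"\x00")   # short prefixes are zero-padded
    net = ipaddress.IPv6Network((prefix, plen), strict=True)
    return number, str(net)


def build_attribute(name, value, files=FILES, root="/tmp/radius/etc/raddb/dictionary"):
    """Resolve `name` through the dictionaries under `root` and encode `value`."""
    attrs = load_dictionary(root, files)
    if name not in attrs:
        raise KeyError(f"{name} is not defined in the dictionaries reachable from {root}")
    number, dtype = attrs[name]
    if dtype != "ipv6prefix":
        raise TypeError(f"{name} has type {dtype}, not ipv6prefix")
    return encode_ipv6prefix(number, value)
```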


Re: Freeradius + Active Directory

2010-10-20 Thread Rowley, Mathew
I was able to configure FreeRadius/AD differently than most tutorials – just 
using Kerberos as an authentication mechanism (sorry for any weird formatting, 
coming from a wiki):

All sample configuration will be for cada dev ula environment

*Pre-Requisite:*
# You have a keytab file for the Kerberos server located at /etc/freeradius/radius.keytab
# Your Kerberos principal username is 'freeradius/mat-desktop.security.lab.company.net'


{code:title=Define kerberos configurations. (/etc/krb5.conf)}
[realms]
 COMPANY.NET = {
  kdc = kdc01.security.lab.company.net:88
  kdc = kdc02.security.lab.company.net:88
  admin_server = kdc01.security.lab.company.net:749
 }
 company.net = {
  kdc = kdc01.security.lab.company.net:88
  kdc = kdc02.security.lab.company.net:88
  admin_server = kdc01.security.lab.company.net:749
 }
{code}
_Note: The hostnames MUST resolve through DNS (not /etc/hosts)_

{code:title=Configure the FreeRadius kdc plugin (FREERADIUS_CONFIG_DIR/modules/kdc.conf)}
krb5 {
    keytab = /etc/freeradius/radius.keytab
    service_principal = freeradius/mat-desktop.security.lab.company.net
}
{code}

{code:title=Add your domain for FreeRadius. (FREERADIUS_CONFIG_DIR/proxy.conf)}
realm company.net {
}
realm COMPANY.NET {
}
{code}

{code:title=Add Kerberos to possible authentication subsystems. (FREERADIUS_CONFIG_DIR/sites-available/default)}
authenticate {
    Auth-Type Kerberos {
        krb5
    }
}
{code}
_Note: 'Kerberos' is the string used for 'Auth-Type' RADIUS key; it can be 
anything, but must be matched with RADIUS attribute 'Auth-Type'_

{code:title=Set your Auth-Type for the realm to authenticate against Kerberos (FREERADIUS_CONFIG_DIR/users)}
DEFAULT Realm == "company.net", Auth-Type := Kerberos

DEFAULT Realm == "COMPANY.NET", Auth-Type := Kerberos
{code}
_Note: The ':=' means that the user MUST authenticate using Kerberos_
_Note2: Syntax for users file_
_key [comparison to request list, assignments to control list]_
_    assignments to reply list #1,_
_    assignments to reply list #2,_
_    etc._
_Setting "Auth-Type := Kerberos" on the 1st line sets a control item._
_Setting it on the 2nd or subsequent lines sets it in the reply items, where it's meaningless._




Mathew Rowley
IIS Network Security Architecture

From: Rashard Roberts <grrobe...@gmail.com>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Date: Wed, 20 Oct 2010 17:38:30 -0400
To: <freeradius-de...@lists.freeradius.org>
Cc: <freeradius-users@lists.freeradius.org>
Subject: Freeradius + Active Directory

Hello

I am trying to get Freeradius to authenticate end-users using Active Directory.
The end-users will be using their AD username and password to log in to
network devices. Would someone please help me? I have embedded a copy of the
debug log from the radius server.

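Note2 in Mathew Rowley's post above is worth checking mechanically: in the users file the first line of an entry carries check items (comparisons on the request and `:=` assignments to the control list), while indented continuation lines carry reply items, so an `Auth-Type := Kerberos` that slips onto a continuation line does nothing. The following is an added example, not the post's or FreeRADIUS's code: a small parser for that layout, run over two constructed snippets based on the post's DEFAULT lines, that reports entries whose Auth-Type landed in the reply list.

```python
"""Added example (not from the post or FreeRADIUS): parse the users-file
layout described in the post's Note2 and flag Auth-Type set as a reply item."""
import re

# Constructed snippet: the post's two DEFAULT lines, Auth-Type on the key line.
GOOD = '''DEFAULT Realm == "company.net", Auth-Type := Kerberos

DEFAULT Realm == "COMPANY.NET", Auth-Type := Kerberos
'''
# Constructed snippet with the same intent, but Auth-Type moved to an indented
# continuation line, i.e. into the reply list, where it is meaningless.
BAD = '''DEFAULT Realm == "company.net"
\tAuth-Type := Kerberos,
\tService-Type = NAS-Prompt-User
'''

# Two-character operators first so the alternation does not stop at "=".
OPS = ("==", "!=", ":=", "+=", "-=", "=~", "!~", ">=", "<=", "=", ">", "<")
ITEM_RE = re.compile(r"^([\w-]+?)\s*(" + "|".join(re.escape(o) for o in OPS) + r")\s*(.*)$")


def split_items(text):
    """Split 'a == "x, y", b := z' on commas that are outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]


def parse_item(item):
    """'Name op value' -> (name, op, value) with surrounding quotes removed."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f"cannot parse item: {item!r}")
    return m.group(1), m.group(2), m.group(3).strip().strip('"')


def parse_users(text):
    """Return [{key, check: [...], reply: [...]}, ...]. An unindented line
    starts an entry (key followed by check items); lines starting with
    whitespace continue the current entry with reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("reply items before any entry")
            current["reply"].extend(parse_item(i) for i in split_items(raw))
        else:
            key, _, rest = raw.partition(" ")
            current = {"key": key,
                       "check": [parse_item(i) for i in split_items(rest)],
                       "reply": []}
            entries.append(current)
    return entries


def misplaced_auth_type(entries):
    """Keys of entries whose Auth-Type sits in the reply list (no effect)."""
    return [e["key"] for e in entries
            if any(name == "Auth-Type" for name, _, _ in e["reply"])]
```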

Re: Freeradius + Active Directory

2010-10-20 Thread John Dennis

On 10/20/2010 05:38 PM, Rashard Roberts wrote:

Hello

I am trying to get Freeradius to authenticate end-users using Active
Directory.  The end-users will be using their AD username and password
to log in to network devices.  Would someone please help me?  I have
embedded a copy of the debug log from the radius server.


Read the howtos here and follow the instructions:

http://deployingradius.com

Then read the Active Directory documentation here and follow the 
instructions:


http://deployingradius.com/documents/configuration/active_directory.html



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Freeradius + Active Directory

2010-10-20 Thread Rashard Roberts
Hello

I am trying to get Freeradius to authenticate end-users using Active
Directory.  The end-users will be using their AD username and password to
log in to network devices.  Would someone please help me?  I have embedded a
copy of the debug log from the radius server.

rad_recv: Access-Request packet from host 192.168.168.252:1645, id=94,
length=92
User-Name = "svc-ldap...@corp-test"
User-Password = "WindowsXP!"
Service-Type = NAS-Prompt-User
NAS-IP-Address = 192.168.168.252
NAS-Port = 10
Calling-Station-Id = "192.168.168.194"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: Looking up realm "corp-test" for User-Name =
"svc-ldap...@corp-test"
rlm_realm: No such realm "corp-test"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 94 to 192.168.168.252 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 94 with timestamp 4cbf5aee
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.168.252:1645, id=95,
length=104
User-Name = "svc-ldap...@corp-test.weather.com"
User-Password = "WindowsXP!"
Service-Type = NAS-Prompt-User
NAS-IP-Address = 192.168.168.252
NAS-Port = 10
Calling-Station-Id = "192.168.168.194"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "corp-test.weather.com" for User-Name = "
svc-ldap...@corp-test.weather.com"
rlm_realm: No such realm "corp-test.weather.com"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  modcall[authenticate]: module "unix" returns notfound for request 1
modcall: leaving group authenticate (returns notfound) for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 95 to 192.168.168.252 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 95 with timestamp 4cbf5b25
Nothing to do.  Sleeping until we see a request.

Re: IPv6 Ascend Data Filter

2010-10-20 Thread Alan DeKok
janardhan madabattula wrote:
> Hi,
>  
> I am trying to create IPv6 Ascend Data Filter in Free radius. but
> unfortunately its not happening. Any help?

  See the FAQ for "it doesn't work".

> I have created Ascend-Data-Filter  242 abinary attribute in dictionary
> filter.

  Why?  The attribute is already defined in the default dictionaries.

> I am following this URL to create ADF.
> http://www.juniper.net/techpubs/software/erx/junose100/sw-rn-erx1001/html/sw-rn-erx-1001-rli4249-adf-support-for-ipv63.html#324522

  Uh... that isn't FreeRADIUS documentation.

  You can specify the attribute as hex, but you will need to change the
data type from "abinary" to "octets".

  Alan DeKok.


One virtual server for MS-chapv2 against Active Directory, the other one against ldap ntpasswd?

2010-10-20 Thread schilling
Hi All,

Can I have one virtual server listening on 1812/1813 for
authenticating with ms-chapv2 against AD, and then another virtual
server listening on 1814/1815 authenticating with ms-chapv2 against
LDAP with ntpassword hash?

We are able to get an instance running against AD, but not able to
get it working against LDAP.  The user will continue to try the AD.

Thanks,

Shiling


Re: A tale of 2 WiMax NAS

2010-10-20 Thread Alan DeKok
David Peterson wrote:
> OK here is the debug output from the NAS requiring those two entries
> commented out.  The CPE are authenticated and the Framed-Filter-Id is sent
> back properly but the subscribers never receive service.  

  Does this mean you're willing to read the debug output to see what the
differences are?

  Or should we do it?

  If it's not important enough for you to read the output, it isn't
important enough for us to read it, either.

  Alan DeKok.


IPv6 Ascend Data Filter

2010-10-20 Thread janardhan madabattula
Hi,

I am trying to create an IPv6 Ascend Data Filter in FreeRADIUS, but
unfortunately it's not happening. Any help?

I have created an Ascend-Data-Filter 242 abinary attribute in dictionary
filter.


Following is the record I am trying to parse.


ipv6 Password := test
Service-Type = Framed-User,
Framed-IP-Netmask = 255.255.255.255,
Framed-Protocol = PPP,
Session-Timeout = 86400,
Idle-Timeout = 36000,
Framed-IP-Address = 115.2.255.253,
Framed-IPv6-Prefix = 3001:1:2:::/64,
Delegated-IPv6-Prefix = 6001:1:2:::/64,
 Ascend-Data-Filter =
"0300300182ab102087ec200182ab102087ec1234091734150012408011000C120002",


===

I am following this URL to create ADF.
http://www.juniper.net/techpubs/software/erx/junose100/sw-rn-erx1001/html/sw-rn-erx-1001-rli4249-adf-support-for-ipv63.html#324522
Thanks,
Jana

Re: 802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Thanks Phil.
I am still not clear. I just want to proxy the host authentication request
to the actual RADIUS server, which is Microsoft AD. In such cases what
configuration is required on the proxy server? Can it be done?

Well I mentioned realm type as IPASS  as IPASS type is of format
realm/username as mentioned in modules/realm file.

Henceforth I will post full logs.

Thanks,
Chidanand


On Wed, Oct 20, 2010 at 7:47 PM, Phil Mayers wrote:

> On 20/10/10 12:22, Chidanand Gangur wrote:
>
>> Hi,
>>
>> I have following setup
>>
>> where windows host  is connected to Cisco 2960  which is connected to
>> Microsoft AD via RADIUS proxy
>>
>> Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
>> Microsoft AD (2003)
>>
>> In the above setup user authentication goes fine. I am using PEAP v1
>> authentication.
>>
>> I am struggling hard to make host authentication successful.
>>
>> When the machine boots I see radius Access-Request with User-Name =
>> "host/radhost1.testad1.com" which
>> qualifies to IPASS type realm and searches for realm as "host" and
>> things do not work.
>>
>
> No - it's not an IPASS realm. You need to disable the IPASS module.
>
> host/machine.domain.com
>
> corresponds to:
>
> DOMAIN\machine$
>
> i.e. the machine account.
>
> The "mschap" module can expand this, for example if you have the
> "ntlm_auth" helper to authenticate MS-CHAP against a windows domain using
> samba as a helper:
>
> ntlm_auth = "... --username=%{mschap:User-Name} ..."
>
> ...will do the right thing.
>
>
>
>> Please point me to links/docs or give me pointer where/how to start.
>>
>
> Post the full debug output, not an edited version.
>
>
>  Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
>> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
>> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
>>
>
> This is EAP-MD5. You have not configured your windows client correctly.
> Configure it correctly for PEAP/MS-CHAP.
>



-- 
Chidanand Gangur
Pune.

Re: confused with unlang

2010-10-20 Thread Wayne Lee
>  You're doing "greater than or equal" checks on a string?
I was, due to my lack of understanding; I'm using the regex now and it's
working much better.

>  It's always better *not* to add attributes, rather than adding them and
> later deleting them.
>
>> The provider is sending "foo" or "bar" (depends on the LTS) and an ID
>> number in the calling-station-id which is why I used ">=".
>
>  Regexes are better at string matches than numerical comparison operators.
Understood, again lack of understanding on my part.

>  Use regexes.  Run the server in debugging mode to see what is being
> matched, and why.

Was running in debug anyways but knew the problem was due to my
understanding of code/regex.

Thanks for the clue stick. All is now running fine.

Wayne



RE: A tale of 2 WiMax NAS

2010-10-20 Thread David Peterson
I am not 100% sure why this happens.  I will see if I can capture some debug
information, but I do know that if I don't comment that  text out of
sites-available/default then the one NAS just retries the auth over and over
again.  The inverse is true on the other NAS if it is commented out.

David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Wednesday, October 20, 2010 12:15 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: A tale of 2 WiMax NAS

David Peterson wrote:
> I have 2 NAS with different requirements in their WiMax handling.  One 
> requires me to have:
...
> Enabled in order to work and the other requires those commented out.  
> Is there a way to identify the NAS type to elegantly have those properly
> set?

  What is different between the requests that are sent by the two NAS
devices?

  Alan DeKok.



Re: A tale of 2 WiMax NAS

2010-10-20 Thread Alan DeKok
David Peterson wrote:
> I have 2 NAS with different requirements in their WiMax handling.  One
> requires me to have:
...
> Enabled in order to work and the other requires those commented out.  Is
> there a way to identify the NAS type to elegantly have those properly set?

  What is different between the requests that are sent by the two NAS
devices?

  Alan DeKok.


Counter SQL Calculation

2010-10-20 Thread Neville

Hi everyone,

I have a small problem where the counter is not working how I would like it
to work.


sqlcounter monthlytraffic {
    counter-name = Monthly-Traffic
    check-name = Max-Monthly-Traffic
    reply-name = Session-Octets-Limit
    sqlmod-inst = sql
    key = User-Name
    reset = monthly
    query = "SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM radacct WHERE username='%{%k}' AND Month(acctstoptime) = (Month(NOW())) AND Year(acctstoptime) = Year(NOW())"
}

The problem with this is that if the SELECT statement returns a value less
than the value of Max-Monthly-Traffic, then Session-Octets-Limit is set
to equal Max-Monthly-Traffic.


What I need it to do is to populate Session-Octets-Limit with the VALUE of 
Max-Monthly-Traffic, then subtract the VALUE of the Select Statement.


E.g. if Max-Monthly-Traffic is set to 250Mb or 26210, and the SELECT
returns a result of 5243 being 50Mb of usage, then Session-Octets-Limit
should be set to 26210 - 523 being 25687.


Can anyone point in the right direction on this please.

Thx
Nev 



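The calculation Nev describes, as an added Python example (not rlm_sqlcounter's code and not from the post): this month's usage is summed from a constructed radacct table in SQLite, with MySQL's Month()/Year()/NOW() from the post's query rendered as strftime(), and Session-Octets-Limit becomes Max-Monthly-Traffic minus that usage, clamped at zero and capped by any limit already present in the reply. Values are octets; the month boundary and the "open session" handling are the assumptions the constructed rows exercise.

```python
"""Added example (not from the post or rlm_sqlcounter): remaining monthly
allowance = Max-Monthly-Traffic - this month's usage, over a constructed
radacct table in SQLite."""
import sqlite3

# Constructed accounting rows: (username, acctinputoctets, acctoutputoctets, acctstoptime).
ROWS = [
    ("nev", 30_000_000, 20_000_000, "2010-10-03 10:00:00"),  # this month
    ("nev", 1_000_000, 1_400_000, "2010-10-15 22:30:00"),    # this month
    ("nev", 90_000_000, 90_000_000, "2010-09-28 08:00:00"),  # last month: not counted
    ("nev", None, None, None),                               # still open: not counted
    ("bob", 5_000_000, 5_000_000, "2010-10-01 00:00:00"),    # other user
]


def open_radacct(rows=ROWS):
    """In-memory radacct with only the columns the post's query touches."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctinputoctets INTEGER, "
               "acctoutputoctets INTEGER, acctstoptime TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", rows)
    return db


def monthly_usage(db, username, now):
    """Octets in + out for sessions that stopped in the month containing `now`;
    0 when nothing matches (the post's IFNULL). `now` is a 'YYYY-MM-DD HH:MM:SS'
    string standing in for MySQL's NOW(); strftime('%Y-%m', ...) replaces
    Month()/Year(). Sessions with a NULL acctstoptime never match."""
    row = db.execute(
        "SELECT IFNULL(SUM(acctinputoctets) + SUM(acctoutputoctets), 0) "
        "FROM radacct WHERE username = ? "
        "AND strftime('%Y-%m', acctstoptime) = strftime('%Y-%m', ?)",
        (username, now)).fetchone()
    return int(row[0])


def session_octets_limit(max_monthly, usage, existing_reply=None):
    """Value to send as Session-Octets-Limit: the remaining allowance, never
    below zero, and never above a limit already present in the reply.
    Returns None when the allowance is used up (the caller rejects)."""
    remaining = max_monthly - usage
    if remaining <= 0:
        return None
    if existing_reply is not None:
        remaining = min(remaining, existing_reply)
    return remaining


def check_request(db, username, max_monthly, now, existing_reply=None):
    """sqlcounter-style decision for one Access-Request."""
    usage = monthly_usage(db, username, now)
    limit = session_octets_limit(max_monthly, usage, existing_reply)
    if limit is None:
        return {"result": "reject", "usage": usage}
    return {"result": "accept", "usage": usage, "Session-Octets-Limit": limit}


if __name__ == "__main__":
    db = open_radacct()
    print(check_request(db, "nev", 250_000_000, "2010-10-20 12:00:00"))
```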


Re: confused with unlang

2010-10-20 Thread Alan DeKok
Wayne Lee wrote:
> I'm getting myself confused with unlang and hoping somebody can help.
> I have read the docs but just don't fully get it.

  "unlang" is just a simple set of comparisons and logic.

> I'm trying to filter requests by part of the calling-station-id and
> update/rewrite the reply depending on what group it is in. The below
> is what I've got in the config
> 
> 
> post-auth {
> 
> if(Calling-Station-Id >= "foo") {

  You're doing "greater than or equal" checks on a string?

> if(SQL-Group == "SR1"){
> update reply {
> Tunnel-Server-Endpoint := 192.168.1.1
> Tunnel-Type := L2TP
> Tunnel-Medium-Type := IP
> Cisco-AVPair := vpdn:tunnel-id=provider.net
> Cisco-AVPair := vpdn:l2tp-tunnel-password=abc
> Framed-Protocol -= PPP
> Service-Type -= Framed-User
> Port-Limit -= 32

  It's always better *not* to add attributes, rather than adding them and
later deleting them.

> The provider is sending "foo" or "bar" (depends on the LTS) and an ID
> number in the calling-station-id which is why I used ">=".

  Regexes are better at string matches than numerical comparison operators.

> Further to that, when the provider sends bar and the user is not in
> group SR1 i need to reply with a different tunnel-server-endpoint.
> I understand why it's not working due to the use of ">=" but I don't
> know how to fix it, I've tried using else statements/clauses but I'm
> lost. We are using multiple LNS's (some dedicated for customers or
> service).

  Use regexes.  Run the server in debugging mode to see what is being
matched, and why.

  Alan DeKok.


Re: No authenticate method (Auth-Type) configuration found

2010-10-20 Thread Alan DeKok
Bereos OHG Michael Spinnenhirn wrote:
> I can see the difference between the working one on the server and the
> other one from the remote client. But I executed the same command on
> both machines.
> 
> echo "User-Name=guest,Password=guest" | radclient 172.16.30.6:1812 auth
> radiussecret
> 
> I have tried it from another debian server, too, with success. So it has
> to be a problem with the radclient on the openwrt box, doesn't it?

  Yes.  Check the dictionaries, and make the clients send the same packets.

  Alan DeKok.


confused with unlang

2010-10-20 Thread Wayne Lee
Hello

I'm getting myself confused with unlang and hoping somebody can help.
I have read the docs but just don't fully get it.
I'm trying to filter requests by part of the calling-station-id and
update/rewrite the reply depending on what group it is in. The below
is what I've got in the config


post-auth {

    if (Calling-Station-Id >= "foo") {
        if (SQL-Group == "SR1") {
            update reply {
                Tunnel-Server-Endpoint := 192.168.1.1
                Tunnel-Type := L2TP
                Tunnel-Medium-Type := IP
                Cisco-AVPair := vpdn:tunnel-id=provider.net
                Cisco-AVPair := vpdn:l2tp-tunnel-password=abc
                Framed-Protocol -= PPP
                Service-Type -= Framed-User
                Port-Limit -= 32
            }
        }
    }

    if (Calling-Station-Id >= "bar") {
        if (SQL-Group == "SR1") {
            update reply {
                Tunnel-Server-Endpoint := 192.168.1.2
                Tunnel-Type := L2TP
                Tunnel-Medium-Type := IP
                Cisco-AVPair := vpdn:tunnel-id=provider.net
                Cisco-AVPair := vpdn:l2tp-tunnel-password=abc
                Framed-Protocol -= PPP
                Service-Type -= Framed-User
                Port-Limit -= 32
            }
        }
    }
}

The provider is sending "foo" or "bar" (depends on the LTS) and an ID
number in the calling-station-id which is why I used ">=". The request
is accepted and the reply is updated as expected. The trouble I'm
having now is that if the users are not in group SR1 I need to reply
with the below.

Tunnel-Server-Endpoint := 172.16.1.1
Tunnel-Type := L2TP
Tunnel-Medium-Type := IP
Cisco-AVPair := vpdn:tunnel-id=provider.net
Cisco-AVPair := vpdn:l2tp-tunnel-password=abc
Framed-Protocol -= PPP
Service-Type -= Framed-User
Port-Limit -= 32

Further to that, when the provider sends bar and the user is not in
group SR1 I need to reply with a different tunnel-server-endpoint.
I understand why it's not working due to the use of ">=" but I don't
know how to fix it, I've tried using else statements/clauses but I'm
lost. We are using multiple LNS's (some dedicated for customers or
service).

Also is it possible to define multiple groups in the SQL-Group section
otherwise I can see the config becoming a mess?

Thanks for reading


Wayne
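An added Python model (not from the thread or FreeRADIUS) of the post-auth decision Wayne describes and of Alan's advice in his reply: one regex on Calling-Station-Id replaces the string ">=" tests, and a single routing table covers all four LTS/group combinations instead of repeated blocks. It assumes the ID follows the "foo"/"bar" marker directly (e.g. "foo12345"); the endpoint for the bar/non-SR1 case is a labelled placeholder, since the thread does not give one.

```python
"""Added example (not from the thread or FreeRADIUS): regex classification of
Calling-Station-Id plus a routing table, modelling Wayne's post-auth policy."""
import re

# Assumed layout: the LTS marker "foo" or "bar" followed directly by the ID.
CSID_RE = re.compile(r"^(?P<lts>foo|bar)(?P<id>\d+)$")

# (lts, in SR1?) -> Tunnel-Server-Endpoint. Unlang shape of the first row:
#   if (Calling-Station-Id =~ /^foo/) {
#       if (SQL-Group == "SR1") { update reply { ... } } else { update reply { ... } }
#   }
ENDPOINTS = {
    ("foo", True): "192.168.1.1",
    ("bar", True): "192.168.1.2",
    ("foo", False): "172.16.1.1",
    ("bar", False): "192.0.2.1",   # PLACEHOLDER: the thread gives no address for this case
}

# Attributes every matching reply carries (the same in all of Wayne's blocks).
COMMON_REPLY = {
    "Tunnel-Type": "L2TP",
    "Tunnel-Medium-Type": "IP",
    "Cisco-AVPair": ["vpdn:tunnel-id=provider.net", "vpdn:l2tp-tunnel-password=abc"],
}

# Wayne's "-=" lines: remove the attribute only if it carries this value.
REMOVE_IF_EQUAL = {"Framed-Protocol": "PPP", "Service-Type": "Framed-User", "Port-Limit": "32"}


def classify(calling_station_id):
    """('foo', '12345') for 'foo12345'; None when the value is not in the
    provider's format, so the policy does not apply to it."""
    m = CSID_RE.match(calling_station_id or "")
    return (m.group("lts"), m.group("id")) if m else None


def post_auth(request, reply, sql_groups):
    """Return the reply attributes for `request` (dicts of attribute -> value),
    or None when the Calling-Station-Id is not one of the provider's."""
    parsed = classify(request.get("Calling-Station-Id"))
    if parsed is None:
        return None
    lts, _ = parsed
    in_sr1 = "SR1" in sql_groups
    new_reply = {k: v for k, v in reply.items() if REMOVE_IF_EQUAL.get(k) != v}
    new_reply.update(COMMON_REPLY)
    new_reply["Tunnel-Server-Endpoint"] = ENDPOINTS[(lts, in_sr1)]
    return new_reply
```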


A tale of 2 WiMax NAS

2010-10-20 Thread David Peterson
I have 2 NAS with different requirements in their WiMax handling.  One
requires me to have:

 

update request {
    WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
    WiMax-MN-NAI = "%{User-Name}"
    WiMax-IP-Technology = "CMIP4"
    WiMAX-FA-RK-Key = 0x00
    WiMAX-MSK = "%{EAP-MSK}"
}

 

Enabled in order to work and the other requires those commented out.  Is
there a way to identify the NAS type to elegantly have those properly set?

 

David


RE: {Spam?} Re: Freeradius 1.2.3 and Windows 7

2010-10-20 Thread Sallee, Stephen (Jake)
It may be just me, but when they told you to upgrade they probably meant
to the latest 2.X release.

Is there a specific reason that you need to stay on a 1.X release?   I
only ask because you may be needlessly complicating your life by using
ancient software.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Krzysztof Srokowski
Sent: Wednesday, October 20, 2010 9:16 AM
To: 'FreeRadius users mailing list'
Subject: RE: {Spam?} Re: Freeradius 1.2.3 and Windows 7

OK. I made an upgrade, but when I test it without certificate
verification, Windows 7 is not asking me for user and password but sends
"host/name_of_the_host". I unchecked in the connection properties the
option to use the same login and password as I log in to the machine.

-Original Message-
From: freeradius-users-bounces+k.srokowski=gdansk.gda...@lists.freeradius.org [mailto:freeradius-users-bounces+k.srokowski=gdansk.gda...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, October 20, 2010 9:03 AM
To: FreeRadius users mailing list
Subject: {Spam?} Re: Freeradius 1.2.3 and Windows 7

Krzysztof Srokowski wrote:
> I'm sorry, I'm using pfSense release 1.2.3, with freeradius package
> 1.1.2_1 (latest)

  Uh... upgrade.  1.1.2 is *very* old.  It's very likely that it won't
work with recent versions of Windows.  Fixes to work around Windows
"issues" went into later versions of the server, and aren't in 1.1.2.

> Below I describe my configuration;
> 
> 1. pfSense with freeradius 1.1.2_1
> 2. Access Point Linksys WRT54G
> 3. Clients Windows XP SP3 and Windows 7
> 
> My goal was to create WiFi access with WPA2 (AES) +
> EAP-PEAP(MSCHAPv2).
> For tests I generated a server certificate from my own CA. Both
> certificates, the CA certificate and the server certificate, were transferred to
> the freeradius server and configured in the eap.conf file in the tls section. I
> also made the other configurations to use the peap protocol and mschapv2.
>
> The second step was the clients. My root CA certificate was installed
> to the certificate repo in the system. I checked all required options in connection
> properties like (use WPA2 with AES, PEAP, verify server certificate
> also with root CA certificate which was imported before). When I tried
> to connect from the XP client everything is fine, the client is authorized and
> the connection works without problem. But from the Windows 7 client it's not.
> Same configuration, same settings, and I get this error in radius.log:
> 
> 
> " Tue Oct 19 13:01:06 2010 : Error: TLS Alert read:fatal:unknown CA
> Tue Oct 19 13:01:06 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
> Tue Oct 19 13:01:06 2010 : Auth: Login incorrect: [host/um4910142413/] (from client WRT54G port 35 cli 000e2e950bbd) "

Those error messages are pretty definitive.

  In any case, I wouldn't bother trying to track down the problem.
Install 2.1.10, and then follow the EAP / Windows instructions on my web
site: http://deployingradius.com

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: 802.1x host/machine authentication

2010-10-20 Thread Phil Mayers

On 20/10/10 12:22, Chidanand Gangur wrote:

Hi,

I have following setup

where windows host  is connected to Cisco 2960  which is connected to
Microsoft AD via RADIUS proxy

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see radius Access-Request with User-Name =
"host/radhost1.testad1.com" which
qualifies to IPASS type realm and searches for realm as "host" and
things do not work.


No - it's not an IPASS realm. You need to disable the IPASS module.

host/machine.domain.com

corresponds to:

DOMAIN\machine$

i.e. the machine account.

The "mschap" module can expand this, for example if you have the 
"ntlm_auth" helper to authenticate MS-CHAP against a windows domain 
using samba as a helper:


ntlm_auth = "... --username=%{mschap:User-Name} ..."

...will do the right thing.



Please point me to links/docs or give me pointer where/how to start.


Post the full debug output, not an edited version.


Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge


This is EAP-MD5. You have not configured your windows client correctly. 
Configure it correctly for PEAP/MS-CHAP.



RE: {Spam?} Re: Freeradius 1.2.3 and Windows 7

2010-10-20 Thread Krzysztof Srokowski
Ok. I made an upgrade, but when I test it without certificate verification
Windows 7 is not asking me for user and password, but sends
"host/name_of_the_host". I unchecked in connection properties to use the same
login and password as I log in into the machine.

-Original Message-
From:
freeradius-users-bounces+k.srokowski=gdansk.gda...@lists.freeradius.org
[mailto:freeradius-users-bounces+k.srokowski=gdansk.gda...@lists.freeradius.
org] On Behalf Of Alan DeKok
Sent: Wednesday, October 20, 2010 9:03 AM
To: FreeRadius users mailing list
Subject: {Spam?} Re: Freeradius 1.2.3 and Windows 7

Krzysztof Srokowski wrote:
> I'm sorry, I'm using pfSense release 1.2.3, with freeradius package
> 1.1.2_1 (latest)

  Uh... upgrade.  1.1.2 is *very* old.  It's very likely that it won't
work with recent versions of Windows.  Fixes to work around Windows
"issues" went into later versions of the server, and aren't in 1.1.2.

> Below I describe my configuration;
> 
> 1. pfSense with freeradius 1.1.2_1
> 2. Access Point Linksys WRT54G
> 3. Clients Windows XP SP3 and Windows 7
> 
> My goal was to create WiFi access with WPA2 (AES) + EAP-PEAP(MSCHAPv2).
> For tests I generated a server certificate from my own CA. Both certificates,
> the CA certificate and the server certificate, were transferred to the freeradius server
> and configured in the eap.conf file in the tls section. I also made the other
> configurations to use the peap protocol and mschapv2.
>
> The second step was the clients. My root CA certificate was installed to the
> certificate repo in the system. I checked all required options in connection
> properties like (use WPA2 with AES, PEAP, verify server certificate also
> with root CA certificate which was imported before). When I tried to connect
> from the XP client everything is fine, the client is authorized and the connection works
> without problem. But from the Windows 7 client it's not. Same configuration, same
> settings, and I get this error in radius.log:
> 
> 
> " Tue Oct 19 13:01:06 2010 : Error: TLS Alert read:fatal:unknown CA
> Tue Oct 19 13:01:06 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
> Tue Oct 19 13:01:06 2010 : Auth: Login incorrect: [host/um4910142413/] (from client WRT54G port 35 cli 000e2e950bbd) "

Those error messages are pretty definitive.

  In any case, I wouldn't bother trying to track down the problem.
Install 2.1.10, and then follow the EAP / Windows instructions on my web
site: http://deployingradius.com

  Alan DeKok.


Re: No authenticate method (Auth-Type) configuration found

2010-10-20 Thread Bereos OHG Michael Spinnenhirn
I can see the difference between the working one on the server and the other one 
from the remote client. But I executed the same command on both machines.


echo "User-Name=guest,Password=guest" | radclient 172.16.30.6:1812 auth 
radiussecret

I have tried it from another debian server, too, with success. So it has to be a 
problem with the radclient on the openwrt box, doesn't it?



Alan DeKok schrieb:

Bereos OHG Michael Spinnenhirn wrote:

The remote radclient gives the following debug output:

rad_recv: Access-Request packet from host 172.16.20.10 port 56195,
id=36, length

User-Name = "guest"


You're not including a User-Password in the request.  It needs
one.


What else could be wrong here?


  Look at the packets the server is receiving from the two clients:
they're different.

  Alan DeKok.


Re: 802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Hi,

Is it fine to do some jugglery with the user-name and convert it to a format
which can be proxied to home server ?

Thanks,
Chidanand

On Wed, Oct 20, 2010 at 4:52 PM, Chidanand Gangur <
chidanand.gan...@gmail.com> wrote:

> Hi,
>
> I have following setup
>
> where windows host  is connected to Cisco 2960  which is connected to
> Microsoft AD via RADIUS proxy
>
> Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
> Microsoft AD (2003)
>
> In the above setup user authentication goes fine. I am using PEAP v1
> authentication.
>
> I am struggling hard to make host authentication successful.
>
> When the machine boots I see radius Access-Request with User-Name = "host/
> radhost1.testad1.com" which qualifies to IPASS type realm and searches for
> realm as "host" and things do not work.
>
> Please point me to links/docs or give me pointer where/how to start.
>
> rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141,
> length=165
> User-Name = "host/radhost1.testad1.com"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Called-Station-Id = "00-21-D7-00-51-89"
> Calling-Station-Id = "00-13-20-38-33-27"
> EAP-Message =
> 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
> Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
> NAS-Port-Type = Ethernet
> NAS-Port = 50009
> NAS-IP-Address = 192.168.6.200
> Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file
> /usr/local/etc/raddb/sites-enabled/default
> Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
> Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
> Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
> Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for
> User-Name = "host/radhost1.testad1.com"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "
> radhost1.testad1.com"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
> Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
> Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied.
> Ignoring.
> Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied.
> Ignoring.
> Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied.
> Ignoring.
> Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26
> length 30
> Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an
> on-going EAP conversation
> Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
> Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
> Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
> Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
> Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
> Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password
> found for the user. Authentication may fail because of this.
> Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
> Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
> Wed Oct 20 07:27:48 2010 : Info: # Executing group from file
> /usr/local/etc/raddb/sites-enabled/default
> Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
> Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
> Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
> Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
> Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
> EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
> Message-Authenticator = 0x
> State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
> Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
> Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
> Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.
>
>
> Thanks & Regards
>
> --
> Chidanand Gangur
> Pune.
>



-- 
Chidanand Gangur
Pune.
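Added example, not code from the thread or from FreeRADIUS: a small Python model of the two ways the machine identity "host/radhost1.testad1.com" gets split, the IPASS "realm/user" split that Phil Mayers says is the wrong one, and the host/machine.domain to DOMAIN\machine$ mapping that the mschap expansions hand to ntlm_auth (the "jugglery" asked about above). The label rules in mschap_identity are my reading of rlm_mschap's behaviour, not its code; check them against your own debug output.

```python
from typing import NamedTuple, Optional, Tuple


class NtIdentity(NamedTuple):
    """What an ntlm_auth helper would be handed for --username / --domain."""
    user: str
    domain: Optional[str]


def ipass_split(user_name: str) -> Optional[Tuple[str, str]]:
    """Model of the IPASS realm instance: 'realm/user', split on the first '/'.

    Returns (realm, stripped_user), or None when there is no '/'.
    For a machine identity this yields realm "host", which is the misparse
    visible in the thread's debug output ('Looking up realm "host" ...').
    """
    realm, sep, rest = user_name.partition("/")
    if not sep:
        return None
    return realm, rest


def mschap_identity(user_name: str) -> NtIdentity:
    """Model (my reading, not rlm_mschap's code) of %{mschap:User-Name} and
    %{mschap:NT-Domain}:
      host/<host>.<domain>.<tld>  ->  user "<host>$", domain "<domain>"
      DOMAIN\\user                ->  user "user",    domain "DOMAIN"
      user                        ->  user "user",    domain None
    """
    if user_name.lower().startswith("host/"):
        fqdn = user_name[len("host/"):]
        labels = [lab for lab in fqdn.split(".") if lab]
        if not labels:
            raise ValueError("host/ identity without a host name")
        machine = labels[0] + "$"          # machine accounts carry a trailing '$'
        domain = labels[1] if len(labels) > 1 else None
        return NtIdentity(machine, domain)
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return NtIdentity(user, domain or None)
    return NtIdentity(user_name, None)


def down_level_name(user_name: str) -> str:
    """DOMAIN\\machine$ form for the identity, or the bare user when no domain is derivable."""
    ident = mschap_identity(user_name)
    return f"{ident.domain}\\{ident.user}" if ident.domain else ident.user


if __name__ == "__main__":
    # Constructed sample identities: the thread's machine name plus two user forms.
    for name in ("host/radhost1.testad1.com", "TESTAD1\\alice", "alice"):
        print(f"{name:28} ipass={ipass_split(name)}  nt={down_level_name(name)}")
```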

Re: No authenticate method (Auth-Type) configuration found

2010-10-20 Thread Alan DeKok
Bereos OHG Michael Spinnenhirn wrote:
> The remote radclient gives the following debug output:
> 
> rad_recv: Access-Request packet from host 172.16.20.10 port 56195,
> id=36, length
>
> User-Name = "guest"

You're not including a User-Password in the request.  It needs
one.

> What else could be wrong here?

  Look at the packets the server is receiving from the two clients:
they're different.

  Alan DeKok.



Cisco routers vty sessions accounting with freeradius + MySQL

2010-10-20 Thread Esteban TALAVERA
Hi

I use freeradius to authenticate the VTY sessions to Cisco devices (switch &
router) with Freeradius & MySQL. The server authenticates the users but does
not create any accounting info.

There is a Howto guide to configure the freeradius server to create MySql
entries with accounting info.

I configured the router

aaa accounting exec RAD_GRP start-stop group radius
aaa accounting connection RAD_GRP start-stop group radius

line vty 0 4
 exec-timeout 5 0
 login authentication RAD_GRP

Thanks

-- 

Esteban Talavera
Proyectos ITW C.A.
Tel. +(58)212 7623035
     +(58)212 7620504
Cel. +(58)412 2892006
Fax  +(58)212 7615965

Re: Freeradius+MySql+EAP_TLS: authentication without MySQl Entry [SOLVED]

2010-10-20 Thread Esteban TALAVERA
On Wed, Oct 20, 2010 at 9:22 AM, Esteban TALAVERA wrote:

> Thanks!
>
>
> On Wed, Oct 20, 2010 at 9:19 AM, Alan DeKok wrote:
>
>> Esteban TALAVERA wrote:
>> > My freeradius + MySQL + EAP_TLS is working, but I have a problem.
>> >
>> > I assumed that without an entry in MySQl database, the client can not
>> > authenticate,
>>
>>   That's not how EAP-TLS works.
>>
>> > but I forgot to create one user's database entry and the
>> > laptop was able to join the network.
>> >
>> > It is possible a client authentication without a database entry, just
>> > with the certificates
>>
>>   That's how EAP-TLS works.
>>
>>  If you want to reject the user, configure the server to look up the
>> username in the DB, and reject if they're not found.  Or, use TLS as it
>> was intended to be used: revoke the client certificate.
>>
>>  Alan DeKok.
>>
>
>
>



Re: Freeradius+MySql+EAP_TLS: authentication without MySQl Entry

2010-10-20 Thread Esteban TALAVERA
Thanks!


On Wed, Oct 20, 2010 at 9:19 AM, Alan DeKok wrote:

> Esteban TALAVERA wrote:
> > My freeradius + MySQL + EAP_TLS is working, but I have a problem.
> >
> > I assumed that without an entry in MySQl database, the client can not
> > authenticate,
>
>   That's not how EAP-TLS works.
>
> > but I forgot to create one user's database entry and the
> > laptop was able to join the network.
> >
> > It is possible a client authentication without a database entry, just
> > with the certificates
>
>   That's how EAP-TLS works.
>
>  If you want to reject the user, configure the server to look up the
> username in the DB, and reject if they're not found.  Or, use TLS as it
> was intended to be used: revoke the client certificate.
>
>  Alan DeKok.
>




Re: No authenticate method (Auth-Type) configuration found

2010-10-20 Thread Bereos OHG Michael Spinnenhirn

I did delete the client from clients.conf and tried radclient from the remote 
host:

echo "User-Name=guest,Password=guest" | radclient 172.16.30.6:1812 auth radiussecret

I get the following error.

Ignoring request to authentication address * port 1812 from unknown client 
172.16.20.10 port 36735

Ready to process requests

Then I re-entered (manually) the following lines to clients.conf:

client 172.16.20.10 {
secret = radiussecret
require_message_authenticator = no
}

client 172.16.30.6 {
secret = radiussecret
require_message_authenticator = no
}


The remote radclient gives the following debug output:

rad_recv: Access-Request packet from host 172.16.20.10 port 56195, id=36, length=27
User-Name = "guest"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> guest
rlm_sql (sql): sql_set_user escaped user --> 'guest'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'guest'   ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'guest'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'guest'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [guest/] (from client 172.16.20.10 port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> guest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 36 to 172.16.20.10 port 56195
Waking up in 4.9 seconds.
Cleaning up request 0 ID 36 with timestamp +10
Ready to process requests.



while the radclient on the local radius server receives no error:

rad_recv: Access-Request packet from host 172.16.30.6 port 42677, id=105, 
length=45
User-Name = "guest"
User-Password = "guest"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> guest
rlm_sql (sql): sql_set_user escaped user --> 'guest'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'guest'   ORDER BY id

WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'guest'   ORDER BY id
expand: SELECT groupname   FROM raduserg

Re: Freeradius+MySql+EAP_TLS: authentication without MySQl Entry

2010-10-20 Thread Alan DeKok
Esteban TALAVERA wrote:
> My freeradius + MySQL + EAP_TLS is working, but I have a problem. 
> 
> I assumed that without an entry in MySQl database, the client can not
> authenticate,

  That's not how EAP-TLS works.

> but I forgot to create one user's database entry and the
> laptop was able to join the network.
> 
> It is possible a client authentication without a database entry, just
> with the certificates

  That's how EAP-TLS works.

  If you want to reject the user, configure the server to look up the
username in the DB, and reject if they're not found.  Or, use TLS as it
was intended to be used: revoke the client certificate.

  Alan DeKok.


Freeradius+MySql+EAP_TLS: authentication without MySQl Entry

2010-10-20 Thread Esteban TALAVERA
Hi

My freeradius + MySQL + EAP_TLS is working, but I have a problem.

I assumed that without an entry in MySQl database, the client can not
authenticate, but I forgot to create one user's database entry and the
laptop was able to join the network.

It is possible a client authentication without a database entry, just with
the certificates

Thanks


Re: Matching a value within an IP subnet

2010-10-20 Thread Alan DeKok
Brian Candler wrote:
> This was more of a "wish" than an actual usage. The question I meant was: is
> there any sort of operator to match an IP address against a subnet?

  No.

  As always, patches are welcome.

  Alan DeKok.


Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute

2010-10-20 Thread Alan DeKok
ichiro tanaka wrote:
> auth-server reply attribute "Delegated-IPv6-Prefix", but proxy recognize 
> "Attr-123 = 0x00401234567890abcdef".

  Fix the proxy so that it's using the dictionaries from 2.1.10.  The
debug *claims* it's 2.1.10, but the Delegated-IPv6-Prefix attribute *is*
defined in the dictionaries for 2.1.10.

  Alan DeKok.



Re: No authenticate method (Auth-Type) configuration found

2010-10-20 Thread Alan DeKok
Bereos OHG Michael Spinnenhirn wrote:
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [guest/MM\250f\375 \241Ñ?\247\007\242Ë?i\316] (from
> client nas01 port 2 cli 00-0C-29-00-71-20)
>   WARNING: Unprintable characters in the password.Double-check
> the shared secret on the server and the NAS!
> 
> I already checked the secret. It's the same in the chilli config and
> client.conf on the server.

  That message is pretty definitive.

  I suggest *deleting* the client.  Then send the server packets.
Verify that the server complains about "unknown client".  Then, add the
client again.  This time re-entering all of the data, rather than
copying it from your existing configuration.

  Also try "radtest" (or radclient) from the remote machine.  There's no
need to depend on Chillispot config when you can use the FreeRADIUS
software to do the tests.

  Alan DeKok.
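Added example, not code from the thread or from FreeRADIUS, covering both problems this thread turns up: it builds the two Access-Requests whose sizes appear in the debug output (length=27 carrying only User-Name, length=45 once User-Password is present, which is the difference Alan points at) and hides/recovers User-Password the way RFC 2865 section 5.2 prescribes, so it also shows why a mismatched shared secret decodes to the unprintable garbage behind the "Unprintable characters in the password" warning. The secret and the fixed 16-byte Request Authenticator are constructed sample values, and the parser is a minimal one written for this example.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # code(1) + id(1) + length(2) + request authenticator(16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password. With the wrong secret the XOR stream is
    wrong and the result is 16 bytes of garbage, not a password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        cipher = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return out.rstrip(b"\x00")


def looks_garbled(password: bytes) -> bool:
    """Same heuristic as the server's warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


def build_access_request(ident: int, authenticator: bytes, secret: bytes,
                         user: str, password: Optional[str] = None) -> bytes:
    """Access-Request with User-Name and, only if given, a hidden User-Password.
    Leaving password out reproduces the 27-byte packet from the openwrt box."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs: List[Tuple[int, bytes]] = [(ATTR_USER_NAME, user.encode())]
    if password is not None:
        attrs.append((ATTR_USER_PASSWORD,
                      hide_user_password(password.encode(), secret, authenticator)))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the type/length/value list the way the server does before it prints
    the attributes under 'rad_recv'; rejects truncated or overlong entries."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    secret, auth = b"radiussecret", bytes(range(16))   # constructed sample values
    for pw in (None, "guest"):
        pkt = build_access_request(36, auth, secret, "guest", pw)
        print(f"password={pw!r}: length={len(pkt)} attrs={sorted(parse_attributes(pkt))}")
```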


Re: 802.1x host/machine authentication

2010-10-20 Thread James S. Smith
This isn't a comment on FreeRadius, but in our recent experiences with 802.1x 
and Windows XP clients it was a total waste of time. The built-in XP dot1x 
client is not up to the job. We had contractors in trying to make it work and 
everything was perfect on the network setup. In the end, Windows XP simply had 
issues authenticating 100% of the time (probably closer to 65%). When you do 
get it to authenticate properly you'll run into problems with anyone else doing 
an RDP to the Windows server (say your helpdesk folks) because 
re-authentication will kick in and drop the connection.

Your best bets are: Windows 7 for the improved dot1x client; scrap dot1x and do 
port-based access-lists; do VMPS with FreeRadius.


From: freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org 

To: FreeRadius users mailing list 
Sent: Wed Oct 20 07:22:56 2010
Subject: 802.1x host/machine authentication

Hi,

I have following setup

where windows host  is connected to Cisco 2960  which is connected to Microsoft 
AD via RADIUS proxy

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft 
AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1 
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see radius Access-Request with User-Name = 
"host/radhost1.testad1.com" which qualifies to 
IPASS type realm and searches for realm as "host" and things do not work.

Please point me to links/docs or give me pointer where/how to start.

rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, 
length=165
User-Name = "host/radhost1.testad1.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-21-D7-00-51-89"
Calling-Station-Id = "00-13-20-38-33-27"
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
NAS-Port-Type = Ethernet
NAS-Port = 50009
NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name 
= "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = 
"radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied. 
Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length 30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an on-going 
EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password found 
for the user. Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file 
/usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
Message-Authenticator = 0x
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.


Thanks & Regards

--
Chidanand Gangur
Pune.


This message cont

No authenticate method (Auth-Type) configuration found

2010-10-20 Thread Bereos OHG Michael Spinnenhirn

Hi,

I've got some trouble with freeradius 2.0.4 and mysql on debian when I want to 
connect from a remote host. Locally I can do the following command successfully:


radtest guest guest 127.0.0.1 0 radiussecret

When I connect from my NAS using chilli on openwrt I get the following error:

auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

auth: Failed to validate the user.
Login incorrect: [guest/MM\250f\375 \241Ñ?\247\007\242Ë?i\316] (from client 
nas01 port 2 cli 00-0C-29-00-71-20)
  WARNING: Unprintable characters in the password.Double-check the 
shared secret on the server and the NAS!


I already checked the secret. It's the same in the chilli config and client.conf on 
the server. I also tried a user with Cleartext-Password without success. When I 
do the select on radcheck manually on the command line, the user gets found. So 
I think it's only a small configuration error on the server side but I can't find it.



Here you can see the whole debug output. Any help would be appreciated.

FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 2008 at 
23:35:34

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "radiussecret"
nastype = "other"
 }
 client 172.16.20.10 {
require_message_authenticator = no
secret = "radiussecret"
shortname = "nas01"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "radiussecret"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
 

802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Hi,

I have the following setup,

where a Windows host is connected to a Cisco 2960, which is connected to
Microsoft AD via a RADIUS proxy:

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see a RADIUS Access-Request with
User-Name = "host/radhost1.testad1.com", which qualifies as an IPASS-type
realm and searches for the realm "host", and things do not work.

Please point me to links/docs or give me a pointer on where/how to start.

rad_recv: Access-Request packet from host 192.168.6.200 port 1645, id=141, length=165
User-Name = "host/radhost1.testad1.com"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-21-D7-00-51-89"
Calling-Station-Id = "00-13-20-38-33-27"
EAP-Message = 0x021a001e01686f73742f726164686f7374312e746573746164312e636f6d
Message-Authenticator = 0x2deded3294b409a59441b3e5777a9a87
NAS-Port-Type = Ethernet
NAS-Port = 50009
NAS-IP-Address = 192.168.6.200
Wed Oct 20 07:27:48 2010 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authorize {...}
Wed Oct 20 07:27:48 2010 : Info: ++[preprocess] returns ok
Wed Oct 20 07:27:48 2010 : Info: ++[chap] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[mschap] returns noop
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Looking up realm "host" for User-Name = "host/radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Found realm "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Stripped-User-Name = "radhost1.testad1.com"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Adding Realm = "DEFAULT"
Wed Oct 20 07:27:48 2010 : Info: [IPASS] Authentication realm is LOCAL.
Wed Oct 20 07:27:48 2010 : Info: ++[IPASS] returns ok
Wed Oct 20 07:27:48 2010 : Info: [suffix] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[suffix] returns ok
Wed Oct 20 07:27:48 2010 : Info: [ntdomain] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[ntdomain] returns ok
Wed Oct 20 07:27:48 2010 : Info: [realmpercent] Request already proxied. Ignoring.
Wed Oct 20 07:27:48 2010 : Info: ++[realmpercent] returns ok
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP packet type response id 26 length 30
Wed Oct 20 07:27:48 2010 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns updated
Wed Oct 20 07:27:48 2010 : Info: ++[unix] returns notfound
Wed Oct 20 07:27:48 2010 : Info: ++[files] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[expiration] returns noop
Wed Oct 20 07:27:48 2010 : Info: ++[logintime] returns noop
Wed Oct 20 07:27:48 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Oct 20 07:27:48 2010 : Info: ++[pap] returns noop
Wed Oct 20 07:27:48 2010 : Info: Found Auth-Type = EAP
Wed Oct 20 07:27:48 2010 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default
Wed Oct 20 07:27:48 2010 : Info: +- entering group authenticate {...}
Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge
Wed Oct 20 07:27:48 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.6.200 port 1645
EAP-Message = 0x011b001604100675c546c11b2ad0f1a7341b757af909
Message-Authenticator = 0x
State = 0x6d4e1d1a6d5519217cdc7f95e535c25b
Wed Oct 20 07:27:48 2010 : Info: Finished request 48.
Wed Oct 20 07:27:48 2010 : Debug: Going to the next request
Wed Oct 20 07:27:48 2010 : Debug: Waking up in 4.9 seconds.


Thanks & Regards

-- 
Chidanand Gangur
Pune.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AD authentication issue with machine authentication

2010-10-20 Thread Phil Mayers

On 10/19/2010 10:37 PM, Cannady, Mike wrote:

> Our AD (2003) setup has the domain name as "htc.com".  The pre-windows
> 2000 domain name is "HORRY".


Uh oh. Then I think you're going to have problems. ntlm_auth when it 
expands %{mschap:NT-Domain} assumes that the username will be of the form:


host/machinename.prewin2kname.domain.com

That is, that the downlevel domain is the first component of the new 
domain. You can either hardcode the domain, or write some unlang/regexp 
to extract the domain yourself e.g.


if (User-Name =~ /host\/([^.]+)\.(.+)/) {
  update request {
User-Name = "%{1}$"
Tmp-String-0 = "%{2}"
  }
  if (Tmp-String-0 =~ /.*\.htc\.com/i) {
update config {
  My-Mschap-Domain := "HTC.COM"
}
  }
}

...and set your ntlm_auth command to contain:

  ... --domain=%{%{My-Mschap-Domain}:-%{mschap:NT-Domain}}

...making sure to define the My-Mschap-Domain in /etc/raddb/dictionary:

ATTRIBUTE My-Mschap-Domain 3000 string

TBH I'm not sure what the "right" approach for FreeRadius to take is. 
It's possible for the host/name syntax to contain lots of stuff e.g. DNS 
names which are children of (or completely unrelated to) either the 
downlevel or win2k-style domain. Short of hard-coding the domain or 
doing something like above, it's difficult to see how FreeRadius could 
handle this. I wonder what Microsoft NPS does?



freeradius proxy can't recognize Delegated-IPv6-Prefix attribute

2010-10-20 Thread ichiro tanaka

Hi.
 
The auth-server replies with the attribute "Delegated-IPv6-Prefix", but the proxy
recognizes it only as "Attr-123 = 0x00401234567890abcdef".
 
I used ntradping-1.5 and freeradius-2.1.10.
 
--hosts--
ntradping-1.5 10.233.55.200
proxy (freeradius-2.1.10) 10.233.36.101
auth-server (freeradius-2.1.10) 10.233.36.100
 
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Oct 20 
2010 at 15:43:53
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /tmp/radius/etc/raddb/radiusd.conf
including configuration file /tmp/radius/etc/raddb/proxy.conf
including configuration file /tmp/radius/etc/raddb/clients.conf
including files in directory /tmp/radius/etc/raddb/modules/
including configuration file /tmp/radius/etc/raddb/modules/radutmp
including configuration file /tmp/radius/etc/raddb/modules/passwd
including configuration file /tmp/radius/etc/raddb/modules/cui
including configuration file /tmp/radius/etc/raddb/modules/opendirectory
including configuration file /tmp/radius/etc/raddb/modules/dynamic_clients
including configuration file /tmp/radius/etc/raddb/modules/ippool
including configuration file /tmp/radius/etc/raddb/modules/realm
including configuration file /tmp/radius/etc/raddb/modules/pam
including configuration file /tmp/radius/etc/raddb/modules/ldap
including configuration file /tmp/radius/etc/raddb/modules/always
including configuration file /tmp/radius/etc/raddb/modules/counter
including configuration file /tmp/radius/etc/raddb/modules/smbpasswd
including configuration file /tmp/radius/etc/raddb/modules/sql_log
including configuration file /tmp/radius/etc/raddb/modules/logintime
including configuration file /tmp/radius/etc/raddb/modules/wimax
including configuration file /tmp/radius/etc/raddb/modules/detail.example.com
including configuration file /tmp/radius/etc/raddb/modules/policy
including configuration file /tmp/radius/etc/raddb/modules/unix
including configuration file /tmp/radius/etc/raddb/modules/mschap
including configuration file 
/tmp/radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /tmp/radius/etc/raddb/modules/files
including configuration file /tmp/radius/etc/raddb/modules/otp
including configuration file /tmp/radius/etc/raddb/modules/inner-eap
including configuration file /tmp/radius/etc/raddb/modules/perl
including configuration file /tmp/radius/etc/raddb/modules/etc_group
including configuration file /tmp/radius/etc/raddb/modules/linelog
including configuration file /tmp/radius/etc/raddb/modules/mac2vlan
including configuration file /tmp/radius/etc/raddb/modules/attr_rewrite
including configuration file /tmp/radius/etc/raddb/modules/digest
including configuration file /tmp/radius/etc/raddb/modules/sradutmp
including configuration file /tmp/radius/etc/raddb/modules/expr
including configuration file /tmp/radius/etc/raddb/modules/expiration
including configuration file /tmp/radius/etc/raddb/modules/attr_filter
including configuration file /tmp/radius/etc/raddb/modules/mac2ip
including configuration file /tmp/radius/etc/raddb/modules/pap
including configuration file /tmp/radius/etc/raddb/modules/detail
including configuration file /tmp/radius/etc/raddb/modules/detail.log
including configuration file /tmp/radius/etc/raddb/modules/smsotp
including configuration file /tmp/radius/etc/raddb/modules/krb5
including configuration file /tmp/radius/etc/raddb/modules/acct_unique
including configuration file /tmp/radius/etc/raddb/modules/echo
including configuration file /tmp/radius/etc/raddb/modules/ntlm_auth
including configuration file /tmp/radius/etc/raddb/modules/exec
including configuration file /tmp/radius/etc/raddb/modules/preprocess
including configuration file /tmp/radius/etc/raddb/modules/chap
including configuration file /tmp/radius/etc/raddb/modules/checkval
including configuration file /tmp/radius/etc/raddb/eap.conf
including configuration file /tmp/radius/etc/raddb/policy.conf
including files in directory /tmp/radius/etc/raddb/sites-enabled/
including configuration file /tmp/radius/etc/raddb/sites-enabled/control-socket
including configuration file /tmp/radius/etc/raddb/sites-enabled/default
including configuration file /tmp/radius/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /tmp/radius/etc/raddb/dictionary
main {
    prefix = "/tmp/radius"
    localstatedir = "/tmp/radius/var"
    logdir = "/tmp/radius/var/log/radius"
    libdir = "/tmp/radius/lib"
    radacctdir = "/tmp/radius/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/tmp/radius/var/run/radiusd/radiusd.pid"
    checkrad = "/tmp/radius/sbin/checkrad"
    debug_level 
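The raw value the proxy prints is the RFC 4818 encoding of Delegated-IPv6-Prefix (attribute 123): one reserved octet, one prefix-length octet, then only as many prefix octets as the length needs. The following is an added example, not code from the post or from FreeRADIUS: it decodes such a value (and the "Attr-123 = 0x..." debug line format seen above, which is an assumption about how the line is laid out) into the prefix a server with the dictionary entry would have shown, and encodes a prefix back into the same bytes. Malformed input (non-zero reserved octet, length over 128, too few prefix octets, or set bits beyond the prefix length) raises ValueError.

```python
import ipaddress
import re

DELEGATED_IPV6_PREFIX = 123  # RADIUS attribute number, RFC 4818

# Assumed layout of the proxy's debug line for an attribute it cannot name
ATTR_LINE_RE = re.compile(r"Attr-(\d+)\s*=\s*0x([0-9a-fA-F]*)")


def decode_delegated_ipv6_prefix(value: bytes) -> str:
    """Decode the RFC 4818 value field: Reserved(1) Prefix-Length(1) Prefix(0..16).
    Returns the prefix in text form; raises ValueError on malformed input."""
    if len(value) < 2:
        raise ValueError("value shorter than the two fixed octets")
    reserved, prefix_len = value[0], value[1]
    if reserved != 0:
        raise ValueError("reserved octet must be zero")
    if prefix_len > 128:
        raise ValueError("prefix length greater than 128")
    prefix = value[2:]
    needed = (prefix_len + 7) // 8  # octets required to carry prefix_len bits
    if len(prefix) < needed or len(prefix) > 16:
        raise ValueError("prefix field length inconsistent with prefix length")
    addr = int.from_bytes(prefix.ljust(16, b"\x00"), "big")
    # strict=True makes ipaddress reject non-zero bits beyond the prefix length
    return str(ipaddress.IPv6Network((addr, prefix_len), strict=True))


def encode_delegated_ipv6_prefix(prefix: str) -> bytes:
    """Inverse of decode: build the RFC 4818 value field for a prefix string,
    sending only the octets the prefix length requires."""
    net = ipaddress.IPv6Network(prefix)
    needed = (net.prefixlen + 7) // 8
    return bytes([0, net.prefixlen]) + net.network_address.packed[:needed]


def decode_unknown_attr_line(line: str):
    """Turn an 'Attr-NNN = 0x...' debug line into (attribute name, decoded value).
    Attribute 123 is decoded as a prefix; other numbers are returned as raw hex.
    Returns None when the line is not in that form."""
    m = ATTR_LINE_RE.search(line)
    if m is None:
        return None
    number, raw = int(m.group(1)), bytes.fromhex(m.group(2))
    if number == DELEGATED_IPV6_PREFIX:
        return ("Delegated-IPv6-Prefix", decode_delegated_ipv6_prefix(raw))
    return ("Attr-%d" % number, raw.hex())


if __name__ == "__main__":
    # The line as the proxy in the post printed it
    print(decode_unknown_attr_line("Attr-123 = 0x00401234567890abcdef"))
```

The value from the post decodes to 1234:5678:90ab:cdef::/64: 0x00 is the reserved octet, 0x40 is a prefix length of 64, and the remaining eight octets are the prefix. A server whose dictionary includes the RFC 4818 entry names the attribute instead of falling back to Attr-123.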

RE: Re: Proxying question for Eduroam

2010-10-20 Thread Peter Kruppa
Hi,

> what is your MTU set to for EAP packets - you may need to reduce this to eg 1024
> to stop UDP fragmentation of such traffic

Bingo, thanks Alan

Best regards, Peter

-Original message-
Date: Thu, 14 Oct 2010 09:35:25 +0100
From: Alan Buxey 
Subject: Re: Proxying question for Eduroam
To: FreeRadius users mailing list

Message-ID: <20101014083525.ga4...@lboro.ac.uk>
Content-Type: text/plain; charset=utf-8

Hi,

> I managed to reproduce that situation by using eapol_test, in that case
> requests to IAS aren't logged and it never replies with a
> Access-Challenge.

if you run wireshark on the IAS host - or eg RSPAN its port to sniff traffic,
do you see the RADIUS traffic going to the IAS box and its daemon? 

does nothing log at all in IAS?

what is your MTU set to for EAP packets - you may need to reduce this to
eg 1024
to stop UDP fragmentation of such traffic

..and, finally, is 'Framed-MTU' RADIUS attribute being proxied through
or is it being filtered?

alan






Re: Freeradius 1.2.3 and Windows 7

2010-10-20 Thread Alan DeKok
Krzysztof Srokowski wrote:
> I`m sorry, I`m using pfSense release 1.2.3, with freeradius package 1.1.2_1 
> (latest)

  Uh... upgrade.  1.1.2 is *very* old.  It's very likely that it won't
work with recent versions of Windows.  Fixes to work around Windows
"issues" went into later versions of the server, and aren't in 1.1.2.

> Below I describe my configuration;
> 
> 1. pfSense with freeradius 1.1.2_1
> 2. Access Point Linksys WRT54G
> 3. Clients Windows XP SP3 and Windows 7
> 
> My goal was to create WiFi access with WPA2 (AES) + EAP-PEAP(MSCHAPv2). For 
> tests I generated a server certificate from my own CA. Both certificates, the CA 
> certificate and the server certificate, were transferred to the freeradius server and 
> configured in the eap.conf file in the tls section. I also made other configurations 
> to use the peap protocol and mschapv2. 
>
> The second step was the clients. My root CA certificate was installed to the 
> certificate repo in the system. I checked all required options in the connection 
> properties (use WPA2 with AES, PEAP, verify server certificate also 
> with the root CA certificate which was imported before). When I try to connect 
> from the XP client everything is fine, the client is authorized and the connection works 
> without problem. But from the Windows 7 client it's not. Same configuration, same 
> settings, and I get this error in radius.log:
> 
> 
> " Tue Oct 19 13:01:06 2010 : Error: TLS Alert read:fatal:unknown CA
> Tue Oct 19 13:01:06 2010 : Error: TLS_accept:failed in SSLv3 read
> client certificate A
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL 
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca Tue Oct 19 13:01:06 2010 : 
> Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
> Tue Oct 19 13:01:06 2010 : Auth: Login incorrect:
> [host/um4910142413/] (from client WRT54G port 35 
> cli 000e2e950bbd) "

Those error messages are pretty definitive.

  In any case, I wouldn't bother trying to track down the problem.
Install 2.1.10, and then follow the EAP / Windows instructions on my web
site: http://deployingradius.com

  Alan DeKok.