Re: pre-proxy automatically added NAS-IP-Address
On 10/21/2010 03:34 AM, ichiro tanaka wrote:
> Hi. I have a problem with a proxy. Proxying to the auth-server, NAS-IP-Address was automatically added by the proxy. Can I stop it?

It was probably added by the preprocess module, if memory serves. Why would you want to stop it?

If you do, just remove the preprocess module from the authorize section - but it does a lot of other processing and cleanups too.

The better option is to use attr_filter in the pre-proxy section, like so:

    pre-proxy {
        attr_filter.preproxy
    }

...then in /etc/raddb/attrs.pre-proxy, edit the sample entries to permit/deny attributes you want/don't want to send.

You probably want the postproxy filter too, in case your upstream proxy sends you junk you can't / don't want to handle.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + Active Directory
On 10/20/2010 10:59 PM, Rowley, Mathew wrote:
> I was able to configure FreeRadius/AD differently than most tutorials – just using Kerberos as an authentication mechanism (sorry for any weird formatting, coming from a wiki):

(For the archives)

The reason it's different than most tutorials, to be clear, is that this config can only check PAP requests, so it is not useful for the common case of PEAP/MS-CHAP for wireless/wired 802.1x.

Obviously if you use EAP-TTLS/PAP for 802.1x, or just PAP for some other service (as CLI login to switches/routers usually is) it'll work fine.

(People seem to get very confused about this topic, so it's worth noting ;o)
Re: 802.1x host/machine authentication
On 10/21/2010 08:55 AM, Chidanand Gangur wrote:
> I have collected logs for full session of host authentication, log is pasted below. As mentioned in my previous mail I just want to proxy the host authentication request to the home server, is it possible?

You didn't mention that in your original email.

As I've said - the host/foo syntax is NOT an IPASS username. It may have the same format, but you do not want to process it using that realm.

If you want to proxy these requests, I would recommend doing the following:

1. Define the realm you are proxying to in proxy.conf
2. In authorize, do the following:

    authorize {
        ...
        # N.B do not have the IPASS, suffix or ntdomain ...
        # modules before this point, they'll confuse things
        if (User-Name =~ /^host\//) {
            update control {
                Proxy-To-Realm := THEREALM
            }
        }
        ...
    }

...then FreeRadius will do the right thing.

Out of interest, why do you want to proxy them? You are presumably aware that FreeRadius can, if correctly setup, perform the machine authentication itself?
Re: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute
ichiro tanaka wrote:
> My freeradius proxy already includes dictionary.rfc4818. Do I need something?

No idea. Maybe the attribute isn't in the correct format.

Alan DeKok.
Re[2]: pre-proxy automatically added NAS-IP-Address
thanks a lot Phil.

> It was probably added by the preprocess module, if memory serves. Why would you want to stop it?
>
> If you do, just remove the preprocess module from the authorize section - but it does a lot of other processing and cleanups too.
>
> The better option is to use attr_filter in the pre-proxy section, like so:
>
>     pre-proxy {
>         attr_filter.preproxy
>     }
>
> ...then in /etc/raddb/attrs.pre-proxy, edit the sample entries to permit/deny attributes you want/don't want to send.
>
> You probably want the postproxy filter too, in case your upstream proxy sends you junk you can't / don't want to handle.

Oh, I see. I surely didn't think that preprocess added NAS-IP-Address.

I used attr_filter, and could stop it. My settings...

--- /etc/raddb/attrs.pre-proxy ---

    example.jp
        User-Name =* ANY,
        User-Password =* ANY,
        NAS-IP-Address !* ANY

    DEFAULT
        User-Name =* ANY,
        User-Password =* ANY,
        ...

---

thanks for your help

ichiro tanaka
Re: 802.1x host/machine authentication
Thanks Phil, thanks a lot. It worked.

I have multiple home servers configured so I am using your logic like this:

    if (%{User-Name} =~ /^host\/.*testad1.com$/) {
        update control {
            Proxy-To-Realm := testad1.com
        }
    }
    elsif (%{User-Name} =~ /^host\/.*si-test.dssc.com$/) {
        update control {
            Proxy-To-Realm := si-test.dssc.com
        }
    }

Thanks,
Chidanand

On Thu, Oct 21, 2010 at 1:52 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 10/21/2010 08:55 AM, Chidanand Gangur wrote:
> > I have collected logs for full session of host authentication, log is pasted below. As mentioned in my previous mail I just want to proxy the host authentication request to the home server, is it possible?
>
> You didn't mention that in your original email.
>
> As I've said - the host/foo syntax is NOT an IPASS username. It may have the same format, but you do not want to process it using that realm.
>
> If you want to proxy these requests, I would recommend doing the following:
>
> 1. Define the realm you are proxying to in proxy.conf
> 2. In authorize, do the following:
>
>     authorize {
>         ...
>         # N.B do not have the IPASS, suffix or ntdomain ...
>         # modules before this point, they'll confuse things
>         if (User-Name =~ /^host\//) {
>             update control {
>                 Proxy-To-Realm := THEREALM
>             }
>         }
>         ...
>     }
>
> ...then FreeRadius will do the right thing.
>
> Out of interest, why do you want to proxy them? You are presumably aware that FreeRadius can, if correctly setup, perform the machine authentication itself?

--
Chidanand Gangur
Pune.
Re: 802.1x host/machine authentication
On 21/10/10 10:54, Chidanand Gangur wrote:
> Thanks Phil, thanks a lot. It worked.
>
> I have multiple home servers configured so I am using your logic like this

Excellent, glad to hear you solved it.
Re: Freeradius + Active Directory
Ah, that is true. I never thought that deeply into it, and only did a POC. Is the downfall of doing things this way that passwords must be sent in the clear?

On 10/21/10 1:59 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 10/20/2010 10:59 PM, Rowley, Mathew wrote:
> > I was able to configure FreeRadius/AD differently than most tutorials just using Kerberos as an authentication mechanism (sorry for any weird formatting, coming from a wiki):
>
> (For the archives)
>
> The reason it's different than most tutorials, to be clear, is that this config can only check PAP requests, so it is not useful for the common case of PEAP/MS-CHAP for wireless/wired 802.1x.
>
> Obviously if you use EAP-TTLS/PAP for 802.1x, or just PAP for some other service (as CLI login to switches/routers usually is) it'll work fine.
>
> (People seem to get very confused about this topic, so it's worth noting ;o)
Re: Freeradius + Active Directory
On 21/10/10 15:50, Rowley, Mathew wrote:
> Ah, that is true. I never thought that deeply into it, and only did a POC. Is the downfall of doing things this way that passwords must be sent in the clear?

Not really. The User-Password radius field is encrypted with the shared secret, which is reasonable (though not excellent) security.

For wireless/wired 802.1x users, the issue is that the windows supplicant does not *support* EAP-TTLS/PAP. It only supports EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case.

As I say, if you're just checking PAP it may meet your needs.
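The "encrypted with the shared secret, which is reasonable (though not excellent) security" remark above refers to the User-Password hiding of RFC 2865 section 5.2. The following Python is an added example written for this page, not code from the thread or from FreeRADIUS. It implements the hiding and unhiding, and then shows the weakness that makes it only "reasonable": whoever captures one Access-Request and knows (or guesses) the password XORs it back out, obtains MD5(secret || Request-Authenticator) for that packet, and can test shared-secret candidates offline at MD5 speed. The secret, authenticator and password are constructed sample values.

```python
"""RFC 2865 section 5.2 User-Password hiding, and the offline attack it allows.

Added example for this page; not FreeRADIUS code. The secret, Request
Authenticator and password used at the bottom are constructed sample values.
"""
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the on-the-wire User-Password value.

    The password is NUL-padded to a multiple of 16 octets; each 16-octet block
    is XORed with MD5(secret || previous ciphertext block), the "previous block"
    for the first round being the 16-octet Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], keystream)
        out += block
        prev = block  # chaining on the ciphertext block, CBC-style
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does on receipt. Trailing NUL padding is stripped, so a
    password that itself ends in NUL octets cannot be carried (RFC limitation)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def recover_keystream_block(hidden: bytes, known_password: bytes) -> bytes:
    """An observer who knows (or correctly guesses) the password carried in one
    captured Access-Request XORs it out of the first block and is left with
    MD5(secret || Request-Authenticator) for that packet."""
    padded = known_password + b"\x00" * (-len(known_password) % 16)
    return _xor(hidden[:16], padded[:16])


def secret_guess_matches(keystream: bytes, authenticator: bytes, guess: bytes) -> bool:
    """One offline test of a candidate shared secret. No traffic to the server is
    needed and MD5 is fast, so a weak secret falls to a dictionary attack."""
    return hashlib.md5(guess + authenticator).digest() == keystream


if __name__ == "__main__":
    secret = b"testing123"            # constructed sample shared secret
    authenticator = bytes(range(16))  # constructed sample Request Authenticator
    password = b"Pa55word!"           # constructed sample password
    wire = hide_user_password(password, secret, authenticator)
    assert reveal_user_password(wire, secret, authenticator) == password
    keystream = recover_keystream_block(wire, password)
    print("guess 'testing123' matches:", secret_guess_matches(keystream, authenticator, secret))
```

The practical consequence is the usual RADIUS advice: long random shared secrets, and transport protection (IPsec or RadSec) between NAS and server when the path is not trusted, because the hiding alone does not keep a captured password safe from a weak secret.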
cisco log entry
What does this error mean on a cisco switch? I only get it on a certain model of switch with a certain ios image (a newer image doesn't give the error). It happens when the configuration is saved.

    Oct 18 16:40:21.365 EDT: %PARSER-3-BADSUBCMD: Unrecognized subcommand 32 in sg-radius command 'load-balance'

I'm going to upgrade the ios on the last few switches soon so probably won't see the error again, but I'm just curious if it's something I should care about.

This is with 2 Ubuntu Lucid servers using FreeRADIUS version 2.1.8. I used the per user privilege level user example and the Config Sample #1 cisco device example from http://wiki.freeradius.org/Cisco (which was VERY helpful).
Re: Freeradius + Active Directory
I am kind of confused - one of our use cases is having our wireless infrastructure authenticating through freeradius and in the end AD. Why would it matter that freeradius uses rlm_krb5? Wouldn't it look something like:

    User --> AP --> Controller --> freeradius --> AD
          Anything-auth       radius        kerberos
          (Controller configured)

On 10/21/10 9:16 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 21/10/10 15:50, Rowley, Mathew wrote:
> > Ah, that is true. I never thought that deeply into it, and only did a POC. Is the downfall of doing things this way that passwords must be sent in the clear?
>
> Not really. The User-Password radius field is encrypted with the shared secret, which is reasonable (though not excellent) security.
>
> For wireless/wired 802.1x users, the issue is that the windows supplicant does not *support* EAP-TTLS/PAP. It only supports EAP-PEAP/MS-CHAP, so rlm_krb5 is no use in this (common) case.
>
> As I say, if you're just checking PAP it may meet your needs.
Re: Freeradius + Active Directory
On 10/21/2010 06:40 PM, Rowley, Mathew wrote:
> I am kind of confused - one of our use cases is having our wireless infrastructure authenticating through freeradius and in the end AD. Why would it matter that freeradius uses rlm_krb5? Wouldn't it look something like:
>
>     User --> AP --> Controller --> freeradius --> AD
>           Anything-auth       radius        kerberos
>           (Controller configured)

This is an FAQ, and you can find plenty of discussion on the list, or see here:

http://deployingradius.com/documents/protocols/compatibility.html

Suffice to say that there are many different ways to interact with AD, and the different protocols (kerberos, ldap, NT domain RPCs) have very different capabilities.

Only one method can authenticate 802.1x from stock windows clients against Active Directory using username/password credentials, and that is the mschap module using Samba domain RPCs via the ntlm_auth helper binary. This is a fundamental cryptographic property of the EAP-PEAP/MSCHAP protocols which windows supports.

If you install additional 802.1x supplicant software on your windows clients, you can use another eap method which does send plaintext passwords to the server (e.g. EAP-TTLS/PAP) and rlm_krb5 will be able to process those.
Re: IPv6 Ascend Data Filter
Thanks, it's working, after converting it into hex format (starting with 0x) and modifying the attribute type to octets.

On Wed, Oct 20, 2010 at 12:38 PM, Alan DeKok al...@deployingradius.com wrote:
> janardhan madabattula wrote:
> > Hi, I am trying to create IPv6 Ascend Data Filter in Free radius. but unfortunately its not happening. Any help?
>
> See the FAQ for "it doesn't work".
>
> > I have created Ascend-Data-Filter 242 abinary attribute in dictionary filter.
>
> Why? The attribute is already defined in the default dictionaries.
>
> > I am following this URL to create ADF. http://www.juniper.net/techpubs/software/erx/junose100/sw-rn-erx1001/html/sw-rn-erx-1001-rli4249-adf-support-for-ipv63.html#324522
>
> Uh... that isn't FreeRADIUS documentation.
>
> You can specify the attribute as hex, but you will need to change the data type from abinary to octets.
>
> Alan DeKok.
are there any characters not allowed in a password used with LDAP bind as user?
Hi,

For a couple of years I've been successfully using FreeRADIUS to authenticate some users against Active Directory using cleartext passwords, a Perl script to do some department checking, and a simple LDAP bind as user.

I've now got at least one user who fails authentication, and I'm wondering if the problem is a backslash in their password. The password is...

    w[)xg=\7k2

I can use the same username and password to successfully LDAP bind to AD using a tool like ldapsearch from my Linux based RADIUS server, but using RADIUS itself fails.

If it helps here's the -X debug trace:

    Wed Oct 20 15:36:19 2010 : Debug: Ready to process requests.
    rad_recv: Access-Request packet from host 172.16.80.3 port 20002, id=9, length=135
        User-Name = bill
        Calling-Station-Id = 00-24-D7-40-8C-8C
        Called-Station-Id = 00-0B-0E-DE-AB-80
        NAS-Port = 52340
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 172.16.80.3
        User-Password = w[)xg=\\7k2
    Wed Oct 20 15:39:10 2010 : Info: +- entering group authorize {...}
    Wed Oct 20 15:39:10 2010 : Info: ++[preprocess] returns ok
    Wed Oct 20 15:39:10 2010 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.80.3/auth-detail-20101020
    Wed Oct 20 15:39:10 2010 : Info: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.80.3/auth-detail-20101020
    Wed Oct 20 15:39:10 2010 : Info: [auth_log] expand: %t -> Wed Oct 20 15:39:10 2010
    Wed Oct 20 15:39:10 2010 : Info: ++[auth_log] returns ok
    Wed Oct 20 15:39:10 2010 : Info: [ldap] performing user authorization for bill
    Wed Oct 20 15:39:10 2010 : Info: [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    Wed Oct 20 15:39:10 2010 : Info: [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=bill)
    Wed Oct 20 15:39:10 2010 : Info: [ldap] expand: dc=fed,dc=foo,dc=ac,dc=uk -> dc=fed,dc=foo,dc=ac,dc=uk
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: attempting LDAP reconnection
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to logonserv.fed.foo.ac.uk:389, authentication 0
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as / to logonserv.fed.foo.ac.uk:389
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result ...
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind was successful
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: performing search in dc=fed,dc=foo,dc=ac,dc=uk, with filter (sAMAccountName=bill)
    Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for check items in directory...
    Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for reply items in directory...
    Wed Oct 20 15:39:10 2010 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
    Wed Oct 20 15:39:10 2010 : Info: [ldap] Setting Auth-Type = LDAP
    Wed Oct 20 15:39:10 2010 : Info: [ldap] user bill authorized to use remote access
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
    Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns ok
    Wed Oct 20 15:39:10 2010 : Info: ++[expiration] returns noop
    Wed Oct 20 15:39:10 2010 : Info: ++[logintime] returns noop
    Wed Oct 20 15:39:10 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    Wed Oct 20 15:39:10 2010 : Info: ++[pap] returns noop
    Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP)
    Wed Oct 20 15:39:10 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE
    Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE
    Wed Oct 20 15:39:10 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...}
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Called-Station-Id = 00-0B-0E-DE-AB-80
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Calling-Station-Id = 00-24-D7-40-8C-8C
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Name = bill
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Identifier = Trapeze
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Password = w[)xg=\\7k2
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port = 52340
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-IP-Address = 172.16.80.3
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Auth-Type = LDAP
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Ldap-UserDn = CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk
    Wed Oct 20
freeradius with NTLM authentication
I have configured freeradius version 2.1.9 with mySQL backend and Active Directory integration (NTLM) for the purpose of using it to authenticate users against firewall protected policies. So far it's all working. When a user hits a firewall protected policy he is prompted to authenticate, after which the radius queries the AD for the username and password. If the user credentials are correct access is granted.

The bit that I cannot figure out is how to let the Radius use NTLM to check if the user is already logged in on the domain controller and if so not to prompt him for his username and password via the firewall captive portal.

Is that doable or did I miss the idea behind the Active Directory integration?

thank you
Ramzi
Re: are there any characters not allowed in a password used with LDAP bind as user?
On 10/21/2010 08:52 PM, mark.le...@stfc.ac.uk wrote:
> I don't know whether the problem lies with me (for allowing a backslash in the password in the first place) or the NAS for appearing to 'escape' the backslash (with a backslash)

rlm_ldap accesses the raw string value of the request-password AVP, so it shouldn't be anything inside FreeRadius.

What is the NAS?
Re: are there any characters not allowed in a password used with LDAP bind as user?
On 10/21/2010 10:27 PM, Phil Mayers wrote:
> On 10/21/2010 08:52 PM, mark.le...@stfc.ac.uk wrote:
> > I don't know whether the problem lies with me (for allowing a backslash in the password in the first place) or the NAS for appearing to 'escape' the backslash (with a backslash)
>
> rlm_ldap accesses the raw string value of the request-password AVP, so it shouldn't be anything inside FreeRadius.
>
> What is the NAS?

Hmm. I've just tried this locally and I don't seem to get the same results as you; I see the backslash doubled in the initial FreeRadius dump (as expected - FreeRadius writes the debug output as you would write config files):

    rad_recv: Access-Request packet from host 127.0.0.1 port 53973, id=123, length=44
        User-Name = pjm3
        User-Password = foo\\bar

...and I then see:

    [ldap] login attempt by pjm3 with password foo\bar
    [ldap] user DN: CN=pjm3,...
    [ldap] (re)connect to icads1.ic.ac.uk:389, authentication 1
    [ldap] bind as CN=pjm3,.../foo\bar to icads1.ic.ac.uk:389
    [ldap] waiting for bind result ...

...note the backslash just appears singly here; the rlm_ldap debugging output code writes the raw value out.

You however have two backslashes by this point, so it must be your rlm_perl module. Can you prevent the perl module touching the User-Password attribute, and see if that helps?
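Two different escaping rules meet in the exchange above: the debug output shows a raw value the way it would be written in the server config (one backslash prints as two), while the value handed to the LDAP simple bind is the raw octets with no escaping at all. The username, on the other hand, is interpolated into an LDAP search filter, which has its own escaping (RFC 4515). The Python below is an added example written for this page, not FreeRADIUS or rlm_ldap code; the debug escaping it models covers backslash, double quote and the common control characters, and the exact treatment of other control characters in the real server is not copied here, so treat that part as an assumption. The sample values are constructed.

```python
"""Debug-output escaping versus LDAP filter escaping versus raw bind credentials.

Added example written for this page; not FreeRADIUS or rlm_ldap code. The
debug escaping modelled here follows double-quoted config-file strings
(backslash and quote escaped); the handling of other control characters in
the real server is assumed, not copied.
"""

_FR_ESC = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}
_FR_UNESC = {"\\": "\\", '"': '"', "n": "\n", "r": "\r", "t": "\t"}


def debug_repr(raw: str) -> str:
    """Render a raw attribute value the way a radiusd -X line shows it."""
    return "".join(_FR_ESC.get(ch, ch) for ch in raw)


def debug_parse(shown: str) -> str:
    """Inverse: read a value off a debug line back to the raw octets the
    server actually holds. Reading the line literally would double backslashes."""
    out, i = [], 0
    while i < len(shown):
        ch = shown[i]
        if ch == "\\" and i + 1 < len(shown) and shown[i + 1] in _FR_UNESC:
            out.append(_FR_UNESC[shown[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter:
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def user_search_filter(username: str) -> str:
    """Filter of the shape used in the trace above, built from User-Name.
    The escaping is what stops a crafted username from rewriting the filter."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(username)


def simple_bind_credential(password: str) -> bytes:
    """A simple bind carries the password as raw octets: no escaping at all.
    A module that re-escapes the value (doubling the backslash) produces a
    different password, and the bind fails exactly as in the thread."""
    return password.encode("utf-8")


if __name__ == "__main__":
    raw = "w[)xg=\\7k2"                    # one backslash, as the user typed it
    shown = debug_repr(raw)                # what radiusd -X prints: w[)xg=\\7k2
    assert debug_parse(shown) == raw
    assert simple_bind_credential(raw) != simple_bind_credential(shown)
    print(user_search_filter("bill*)(objectClass=*"))   # constructed hostile username
```

The check a practitioner wants from this is the one Phil applied: compare the backslash count on the rlm_ldap "bind as" line (raw) with the count on the rad_recv line (escaped). If the raw line shows two, something between the NAS and the bind has re-escaped the value.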
Re: freeradius with NTLM authentication
On 10/21/2010 10:40 PM, Ramzi Abdallah wrote:
> I have configured freeradius version 2.1.9 with mySQL backend and Active Directory integration (NTLM) for the purpose of using it to authenticate users against firewall protected policies. So far it's all working. When a user hits a firewall protected policy he is prompted to authenticate, after which the radius queries the AD for the username and password. If the user credentials are correct access is granted.

What is prompting here? How is the firewall asking the user for a password? Is this web intercept?

If so, then the NAS is the firewall, and when a user makes an HTTP request, it is asking for their credentials via some kind of HTTP auth, then sending them to the radius server, yes?

Also, FreeRadius can't be querying AD for the password. The LDAP server embedded into Active Directory will not give up the password. How have you got FreeRadius configured - be precise, or better yet, post the debug output of a successful request.

> The bit that I cannot figure out is how to let the Radius use NTLM to check if the user is already logged in on the domain controller and if so not to prompt him for his username and password via the firewall captive portal.
>
> Is that doable or did I miss the idea behind the Active Directory integration?

I'm not sure I really understand what you want, but if I do, it's impossible.

If you can give more details about your setup I can answer further, but basically the firewall is doing the prompting - the firewall would have to implement NTLM auth, not FreeRadius.
Re[2]: freeradius proxy can't recognize Delegated-IPv6-Prefix attribute
Thanks Alan.

> ichiro tanaka wrote:
> > My freeradius proxy already includes dictionary.rfc4818. Do I need something?
>
> No idea. Maybe the attribute isn't in the correct format.

I see.

Auth-server is freeradius-2.1.10.

I captured the radius packet with wireshark, and compared it to the rfc4818 (sec.3) format. The Delegated-IPv6-Prefix attribute that the auth-server replied and the reply_log look correct.
http://tools.ietf.org/html/rfc4818

Proxy-server recognition was repaired when the proxy-server did not include dictionary.ascend.

--- auth-server [[ users ]] ---

    u...@example.jp Cleartext-Password := password
        Delegated-IPv6-Prefix := 1234:5678:90ab:cdef::/64

--- auth-server [[ radiusd -X ]] ---

    Sending Access-Accept of id 250 to 10.233.36.101 port 11814
        Delegated-IPv6-Prefix := 1234:5678:90ab:cdef::/64
        Proxy-State = 0x34
    Thu Oct 21 19:00:08 2010 : Info: Finished request 0.

--- auth-server [[ reply_log ]] ---

    Wed Oct 20 16:56:18 2010
        Packet-Type = Access-Accept
        Delegated-IPv6-Prefix := 1234:5678:90ab:cdef::/64

--- proxy-server [[ radiusd -X ]] ---

    rad_recv: Access-Accept packet from host 10.233.36.100 port 1812, id=76, length=44
        Attr-123 = 0x00401234567890abcdef
        Proxy-State = 0x3135

--- proxy-server [[ post_proxy_log ]] ---

    Fri Oct 22 11:07:20 2010
        Packet-Type = Access-Accept
        Attr-123 = 0x00401234567890abcdef
        Proxy-State = 0x37

--- proxy-server [[ not including dictionary.ascend: radiusd -X ]] ---

    rad_recv: Access-Accept packet from host 10.233.36.100 port 1812, id=118, length=44
        Delegated-IPv6-Prefix = 1234:5678:90ab:cdef::/64
        Proxy-State = 0x3134

--- proxy-server [[ not including dictionary.ascend: post_proxy_log ]] ---

    Fri Oct 22 11:26:41 2010
        Packet-Type = Access-Accept
        Delegated-IPv6-Prefix = 1234:5678:90ab:cdef::/64
        Proxy-State = 0x3133

ichiro tanaka
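The debug output above gives enough to verify by hand that the bytes on the wire were correct and only the proxy's dictionary was at fault: "Attr-123 = 0x00401234567890abcdef" is attribute type 123, reserved octet 0x00, prefix length 0x40 = 64, followed by the eight prefix octets 1234:5678:90ab:cdef, which is the RFC 4818 section 3 encoding of 1234:5678:90ab:cdef::/64. The Python below is an added example written for this page, not FreeRADIUS code; it decodes and encodes the attribute, wraps it in a RADIUS type/length/value header, and applies the length and "bits beyond the prefix length must be zero" checks a receiver should make. The sample values come from the debug output above and from constructed inputs.

```python
"""RFC 4818 Delegated-IPv6-Prefix (attribute 123) encoder/decoder.

Added example written for this page; not FreeRADIUS code. The wire value
used in __main__ is the one the proxy printed above as an unknown attribute.
"""
import ipaddress

DELEGATED_IPV6_PREFIX = 123  # attribute type assigned by RFC 4818


def decode_delegated_ipv6_prefix(value: bytes) -> ipaddress.IPv6Network:
    """Value layout (RFC 4818 section 3): Reserved(1) | Prefix-Length(1) | Prefix(0..16)."""
    if not 2 <= len(value) <= 18:
        raise ValueError("value must be 2..18 octets")
    reserved, plen = value[0], value[1]
    if reserved != 0:
        raise ValueError("reserved octet must be zero")
    if plen > 128:
        raise ValueError("prefix length exceeds 128")
    prefix = value[2:]
    if len(prefix) < (plen + 7) // 8:
        raise ValueError("prefix field shorter than Prefix-Length requires")
    addr = ipaddress.IPv6Address(prefix.ljust(16, b"\x00"))
    # strict=True rejects values with bits set beyond the prefix length,
    # which RFC 4818 requires to be zero; a lenient decoder would silently
    # accept a malformed (or tampered) value here.
    return ipaddress.IPv6Network((addr, plen), strict=True)


def encode_delegated_ipv6_prefix(prefix: str) -> bytes:
    """Shortest valid encoding: only the octets covered by Prefix-Length are sent."""
    net = ipaddress.IPv6Network(prefix)  # strict by default: host bits must be zero
    nbytes = (net.prefixlen + 7) // 8
    return bytes([0, net.prefixlen]) + net.network_address.packed[:nbytes]


def build_avp(value: bytes) -> bytes:
    """Wrap as a RADIUS attribute: Type | Length (including this 2-octet header) | Value."""
    if len(value) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([DELEGATED_IPV6_PREFIX, len(value) + 2]) + value


def parse_avp(avp: bytes):
    """Return (type, value) after checking the length octet against the buffer.
    A length octet that disagrees with the data is the classic parser pitfall."""
    if len(avp) < 2 or avp[1] < 2 or avp[1] != len(avp):
        raise ValueError("malformed attribute header")
    return avp[0], avp[2:]


if __name__ == "__main__":
    wire = bytes.fromhex("00401234567890abcdef")  # from the proxy debug output above
    print(decode_delegated_ipv6_prefix(wire))      # 1234:5678:90ab:cdef::/64
    avp = build_avp(encode_delegated_ipv6_prefix("1234:5678:90ab:cdef::/64"))
    print(avp.hex())                               # 0c = 12 octets total
```

Since the auth-server and the post_proxy_log agree on these bytes, the fix the thread arrived at (dropping dictionary.ascend, which on the proxy claimed the same attribute number) is consistent with the data: nothing on the wire needed changing.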