setup service needed

2011-04-20 Thread danieln
Hi,

Has anyone here managed to set up a hotspot service using FreeRADIUS and a
captive portal?

I'd like to hire someone to do a setup for me.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: setup service needed

2011-04-20 Thread Fajar A. Nugraha
On Wed, Apr 20, 2011 at 3:16 PM, danieln daniel.n...@gmail.com wrote:
 Hi,

 Anyone here managed to setup a hotspot service using freeradius and a
 captive portal?

Sure. It's a common setup. A simple one would consist of something like:
- a captive-portal capable wireless AP, like one running dd-wrt with
chillispot activated
- a simple web page, something like hotspotlogin.php or
hotspotlogin.pl (Google it)
- freeradius, with users stored in the users file, OS users, or a database (e.g. MySQL)


 I'd like to hire someone to do a setup for me.

Start by defining your requirements clearly. E.g. something like "I
want to have a captive portal setup for wireless users with users on a
MySQL database" would be different in complexity compared to "I want
to have a captive portal and 802.1x for both wireless and wired users
with users stored in AD".

http://networkradius.com/ can support new installation, so you might
want to start there.

-- 
Fajar


Re: setup service needed

2011-04-20 Thread danieln
Hi Fajar,

Well, my aim is to install hotspots for multiple places like cafes or
condominiums.

I'll need the AP to direct the users to my portal to sign up for a new
account or to log in before they can use the internet line.

So there will be many APs connecting to the server for authentication.

I'll need you to help me set up the server and also the firmware needed for the
AP. Currently I'm looking at these few models of APs to use:

TP-LINK - 2.4GHz High Power Wireless Outdoor CPE TL-WA5210G
Ubiquiti NanoStation M2 / NanoStation2 loco

I will prefer to use MySQL for the users' records as I can do up the login
pages with PHP more easily.

Are you able to help me on this?


Re: setup service needed

2011-04-20 Thread Fajar A. Nugraha
On Wed, Apr 20, 2011 at 3:38 PM, danieln daniel.n...@gmail.com wrote:
 Hi Fajar,
 well my aim is to install hotspots for multiple places like cafes or
 condominiums.
 I'll need the AP to direct the users to my portal to signup for a new
 account or to login before they can use the internet line.
 so there will be many APs connecting to the server for authentication.
 I'll need you to help me setup the server  also the firmware needed for the
 AP.

Are you working for an ISP? For wide-scale deployment, sometimes it's
much easier to join a wireless alliance, something like Wireless@SG in
Singapore. It'd save you lots of headache and initial cost.

 currently I'm looking at these few models of APs to use
 TPLINK - 2.4GHz High Power Wireless Outdoor CPE TL-WA5210G
 Ubiquiti nanostaion M2 / nanostation2 loco

... like this one, determining which AP to use and working out their
compatibility. We ended up using supported version of dd-wrt in our
implementation. That would reduce some headache since now we pretty
much don't care what brand/model it is as long as it can run dd-wrt
and fulfills some basic technical requirements (like vendor support,
CPU speed, number of ports, etc.)

 will prefer to use mysql for the user's record as I can do up the login
 pages with php easier.
 You able to help me on this?

Sorry mate. I don't provide implementation services.

Again, start with the requirements, how you want it delivered
(remotely or on-site), and probably some rough range of bounty.
Hopefully others will be able to help you. Or contact one of the
companies listed on http://freeradius.org/business/. Or contact some
local companies in your area (your requirement is quite common, and
it's usually easier to work with local companies)

If you just need a working FR + MySQL + hotspotlogin.php, and can live
with phpMyAdmin as your main GUI, many people should be able to
install it for you remotely, for the right price.

However if you need a working turn-key solution, complete with the
sign-up page, prepaid voucher management, usage info page for users,
AP testing, and an onsite implementation, that would be a different
beast altogether.

That being said, installing FR2 by itself is not hard if you follow
the documentation. If you encounter a problem, start with
http://wiki.freeradius.org/index.php/FAQ

-- 
Fajar



FreeRADIUS+OpenLDAP integration issue

2011-04-20 Thread pradyumna dash
Hi All,

Please help me fix the issue below.

The problem is related to the scenario where a network server
triggers first authentication over RADIUS and then a FreeRADIUS server
makes an LDAP query towards an OpenLDAP server
containing the user password. After the successful authentication
(Access-Accept received), the network server initiates an
authorization request over LDAP. For the second request the OpenLDAP
server requests the password for the second time (and the second
request doesn't contain any user password).

Thanks for all your help.

Regards,
Neo


Re: Freeradius + EAP-TLS + LDAP

2011-04-20 Thread Alexandros Gougousoudis

Hi Folks,

The question makes sense; I think I did not write it understandably enough.

1. What I already do is:

1.1. Authenticating via EAP-TLS Computers/Workstations against my Switches
1.2. Users are authenticated with PEAP and Cleartext-Passwords in 
$RADDB/users


2. What I want to do is:

2.1. Upgrade to 2.1
2.2. Use my LDAP to collect and control authentication of workstations 
and users


3. What I have is:

3.1. Certs on all computers/workstations and an entry in $RADDB/users of 
the computer name with Authentication-Type = EAP
3.2. Users in my LDAP with hashed passwords (MD5/crypt) AND passwords 
for Samba (NT passwords).

3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain).

4. Question is:

4.1. Can I configure FR to look up the computer name upon a request in the 
LDAP, and if it finds the entry to enter an EAP-TLS authentication, and 
if not to deny access?
4.2. To authenticate all users of a specific group which are in LDAP 
with their password which is stored encrypted/hashed in LDAP using PEAP?



I hope it's clear enough now.

TIA
Alex



Re: Freeradius + EAP TLS + MySQL + PPTP

2011-04-20 Thread Alan DeKok
Gregoire leroy wrote:
 I want to setup a PPTP server with EAP TLS and authentication by FreeRadius. 
 I've
 seen in a documentation that we must set Auth-type, but the documentation is
 out-dated and on freeradius.org, it's specified that Auth-type shouldn't be 
 set
 manually.
 
 So, I don't know which data I must set in which table, MySQL-side. Can anyone
 help me ?

  Don't set anything in SQL for EAP-TLS.

  Configure EAP-TLS as per the documentation.  It will work.

  Alan DeKok.


Re: Freeradius + EAP-TLS + LDAP

2011-04-20 Thread Phil Mayers

On 04/20/2011 10:23 AM, Alexandros Gougousoudis wrote:


3.1. Certs on all Computer/Workstations and an entry in $RADDB/users of
the Computername wirh Authentification-Type = EAP
3.2. Users in my LDAP with crypted Passwords (MD5/crypt) AND Passwords
for Samba (NT-Passwords).


Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.


3.3. All Computernames in my LDAP (because I run a Samba-NT4-Domain).

4. Question is:

4.1. Can I configure FR to lookup the Computername upon a request in the
LDAP, and if it finds the entry to enter a EAP-TLS authentification, and
if not to deny access?


Yes. There are lots of ways to do this, depending on what key you want 
to use for the lookup (machine account name, mac address, TLS cert subject)





4.2. To authenticate all users of a specific group which are in LDAP
with their password which is stored crypted/hashed in LDAP using PEAP?


Yes. You will need to configure FreeRADIUS to bind to LDAP with an 
account that has permission to read the ntPassword attribute, but if you 
do that, it should just work.



Re: FreeRADIUS+OpenLDAP integration issue

2011-04-20 Thread Alan DeKok
pradyumna dash wrote:
 Please help me fix the issue below.

  Please follow the documentation and post the debug output.

  It doesn't help to post vague descriptions of what you *think* might
be happening.  It *does* help to post the debug output.

  Alan DeKok.


Re: The last piece of the puzzle - XP host authentication

2011-04-20 Thread Phil Mayers

On 04/19/2011 04:41 PM, East, Bill wrote:


On 19/04/11 14:59, East, Bill wrote:


Have you made sure that your root cert is present in the right
stores - remember windows clients have both machine and
per-user cert stores. Machine auth requires it be in the
machine store.


Bah, I should have known that. It's fixed, now.


Cool


This looks highly promising.

I've got the syntax right in mschap now, I think, but the
challenge is still being created strangely (or is it supposed to
look like that?)

[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password
[mschap] expand: %{mschap:User-Name} -> LP-0010$
[mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=LP-0010$
[mschap]  mschap2: ac
[mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cc01b9d88b911c44
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8

This all looks right (I have spent a distressing amount of time
looking at MS-CHAP blobs this last week)


Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)


...but obviously this didn't work.

What version of Samba do you have? Some (much) older versions
didn't permit machine account login via ntlm_auth.


Latest and greatest, 3.5.8.

I'm wondering if this is the loopback checking issue from KB896861
and others. Since the hash is for host/machinename... I can modify
the registry on my domain controller but I'm going to have to wait
for our maintenance window to restart the damn thing.


I doubt that's it. We don't have that problem with machine auth. But 
maybe it's worth a try.


The other alternative is to do something like:

smbcontrol winbind debug 10

...then have a look in /var/log/samba. The debug logs can be very, very 
chatty but it might give some idea of why the machine account is failing 
to auth.


I guess there's no possibility the machine account password is wrong or 
out-of-sync? There is an entry in your domain for:


samaccountname=LP-0010$

...that's all valid and correct, right?

rant follows ;o

In fact the mschap response is calculated and checked against host$, and 
the real SAM account names of the machines are host$ - it's never been 
clear to me, given that, why the machines give their EAP-Identity as 
host/name.domain.com. It's a dumb thing to do on a number of levels, not 
least using the machine's own (often incorrect) idea of its DNS name in 
authentication that typically takes place on a link before IP is active



Re: Freeradius + EAP-TLS + LDAP

2011-04-20 Thread Alexandros Gougousoudis

Hi Phil,

Phil Mayers schrieb:

Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.

Great!
Yes. There are lots of ways to do this, depending on what key you want 
to use for the lookup (machine account name, mac address, TLS cert 
subject)




Thanks, I'll start to do this. Machine account name should work for me.

Any hints, or how to do this? Is there somewhere an example available 
to start with?


I'm new to FR 2.1 and it's hard to make even my old config work on the 
test machine.


bye
Alex



Re: Freeradius + EAP-TLS + LDAP

2011-04-20 Thread Alan Buxey
Hi,

 Thanks, I'll start to do this. Machine account name should work for me.
 
 Any hints, or how to do this? Is there somewhere an example available 
 to start with?
 
 I'm new to FR 2.1 and it's hard to make even my old config work on the 
 test machine.

after altering the ntlm_auth command line in the default config, the default config
just works with machine authentication (*); if you've edited things, or dropped
an old config into the /etc/raddb config space, then things will be 'interesting'

alan

(*) obviously clients.conf and ldap and eap config need to be edited as 
required ;-)


Re: Freeradius + EAP-TLS + LDAP

2011-04-20 Thread Phil Mayers

On 04/20/2011 11:37 AM, Alexandros Gougousoudis wrote:

Hi Phil,

Phil Mayers schrieb:

Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.

Great!

Yes. There are lots of ways to do this, depending on what key you want
to use for the lookup (machine account name, mac address, TLS cert
subject)



Thanks, I'll start to do this. Machine account name should work for me.

Any hints, or how to do this? Is there somewhere an example available
to start with?


Well, as I said - there are lots of ways of doing this.

The simplest possible way is to configure the LDAP module appropriately. 
Since you're doing both user- and host-based auth, you will need to make 
sure that the filter is correct:


raddb/modules/ldap:

  ...
  # the mschap:User-Name will turn:
  #
  # domain\user - user
  # host/name.domain - name$

  filter = (samaccountname=%{mschap:User-Name})

...and then you just call the ldap module in your authorize section e.g.

raddb/sites-enabled/default:

authorize {
  ...
  eap {
    ok = return
  }

  ldap
  if (notfound) {
    reject
  }
}


I'm new to FR 2.1 and it's hard to make even my old config work on the
test machine.


Unless you're a FreeRADIUS expert, you're going to find that hard. Start 
with a clean slate. Put the config into version control. Make small 
changes and test, then commit to version control when each change is 
done. Build your config up that way.

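The filter above, and the earlier observation that a machine's EAP-Identity host/name.domain is checked against the SAM account name$, both turn on what %{mschap:User-Name} produces and what then lands in the LDAP search. The following is an added example, not FreeRADIUS code: a Python reproduction of that identity rewrite plus the RFC 4515 escaping that any value interpolated into an LDAP filter needs, so a hostile supplicant identity cannot steer the search. The sample identities are constructed. FreeRADIUS's ldap module escapes expanded values itself when it builds the filter (an assumption about its behaviour, not something this thread states); the block just makes that step visible so you can check what the resulting filter looks like.

```python
# Added example for the %{mschap:User-Name} filter above; it is not FreeRADIUS
# code. It reproduces the identity rewrite that rlm_mschap's xlat performs and
# shows the RFC 4515 escaping that any value interpolated into an LDAP filter
# needs, so the supplicant cannot steer the search.

LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def mschap_user_name(identity: str) -> str:
    """Mirror of %{mschap:User-Name}: 'host/name.domain' -> 'name$',
    'DOMAIN\\user' -> 'user'; anything else is returned unchanged."""
    if identity.startswith("host/"):
        host = identity[len("host/"):].split(".", 1)[0]
        return host + "$"
    if "\\" in identity:
        return identity.split("\\", 1)[1]
    return identity


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter. Without it an
    identity such as '*)(objectClass=*' rewrites the query."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(identity: str, attr: str = "sAMAccountName") -> str:
    """The filter the ldap module would search with, given the raw EAP identity."""
    return "(%s=%s)" % (attr, ldap_filter_escape(mschap_user_name(identity)))


if __name__ == "__main__":
    # Constructed identities: a Windows machine account, a domain user, and
    # a hostile one that tries to widen the search.
    for ident in ("host/LP-0010.pffcu.org", "PFFCU\\bill", "*)(objectClass=*"):
        print(ident, "->", build_filter(ident))
```

Run it and compare the third line with what you see in `radiusd -X` for a crafted identity: if the expanded filter there still contains a bare `*` or `)`, the escaping is not happening and the filter needs fixing before it goes near a directory.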


Re: Proxy state attribute in accounting

2011-04-20 Thread Waqas Toor
 It works fine, but when one of the servers goes down for a long period,
 it sends a lot of Proxy-State attributes.

  Then you didn't follow the example.  You configured it so that the
 detail file reader would write packets *back* to the detail file in the
 Post-Proxy-Type Fail section.

  Don't do that.

  Go read the sample robust-proxy-accounting file.  This is documented.

OK thanks Alan, but please clear one confusion. Now if one of the
server goes down then this part
accounting {
    update control {
        Proxy-To-Realm := test_cpe.com
    }
}

where in the pool I have fallback defined as

home_server_pool acct_pool.example.com {
    type = load-balance # other types are OK, too.

    home_server = home1.example.com
    home_server = home2.example.com

    fallback = acct_detail.example.com

    virtual_server = home.example.com
}



will it update the detail file ?

Waqas



Re: Proxy state attribute in accounting

2011-04-20 Thread Alan DeKok
Waqas Toor wrote:
 OK thanks Alan, but please clear one confusion. Now if one of the
 server goes down then this part
...
 will it update the detail file ?

  I have no idea.

  Follow the example.  It works.  It's documented.  It Does the Right
Thing.  If one of the home servers goes down, it Does the Right Thing.
The documentation says this.

  I don't know what you've changed, and it doesn't really matter.  If
you're following the example, it will work.  If not, it won't work.

  Alan DeKok.



Re: ASCII NUL in NAS-Filter-Rule

2011-04-20 Thread Ruslan Pustovoytov


Is my question about sending an ASCII NUL in a string attribute wrong, or has
nobody run into this situation?



Hi All

My NAS box can use the attribute NAS-Filter-Rule from the RADIUS server to 
construct filter rules per subscriber on the fly.
According to RFC 4849 this attribute should contain an ASCII NUL (0x00) 
as a delimiter between individual filter rules and at the end of the rules.
FreeRADIUS defines this attribute as a string and I do not know how to 
create a valid string with a NUL character.
I changed the attribute type to octets and successfully added a NUL character, 
but the whole string was converted to hex as well and the attribute was not readable.

How do I send a NUL character without changing the attribute type?


Re: ASCII NUL in NAS-Filter-Rule

2011-04-20 Thread Guy Fraser

Just a guess, but it sounds like a string array to me.

char **string_array ;

Look up malloc and related functions to designate space for additions  
to the array.

This is NOT how you do it but this is the general idea :

$string_array[0] = filter entry 1 ;
$string_array[1] = filter entry 2 ;

An automated way of creating a string array is to use a delimiter,  
then use index or rindex to find the delimiter and replace the  
delimiter with '\0'.


If you have experience programming in C, you should know how to find  
all the functions required to carry this out.




--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787



Re: ASCII NUL in NAS-Filter-Rule

2011-04-20 Thread Phil Mayers

On 04/15/2011 09:05 AM, Ruslan Pustovoytov wrote:

Hi All

My nas box can use attribute NAS-Filter-Rule from radius server to
construct filter rules per subscriber on the fly.
According to RFC 4849 this attribute should contain ASCII NUL (0x00) as
a delimiter between individual filter rules and at the end of rules.
Freeradius define this attribute as a string and I do not know how to
create valid string with nul character.
I changed attribute type to octets and successfully add null character
but a whole string converted to hex also and attribute was not readable.
How to send nul character without changing attribute type ?


Try this:

 update reply {
   NAS-Filter-Rule = "string1\000string2"
 }

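To see what the reply above actually puts on the wire, and to check that the NAS will read the rules back the way you intended, here is an added example, not FreeRADIUS code: Python that builds the NUL-delimited NAS-Filter-Rule value, splits it into RADIUS attributes that fit the 255-octet limit, decodes it the way a NAS would, and prints the escaped unlang literal for an `update reply` block. The filter rules are constructed; the attribute number 92 and the NUL delimiter come from RFC 4849. The value is written with a NUL after every rule, including the last, which is how the original poster reads the RFC; the decoder accepts either form.

```python
# Added example for the NAS-Filter-Rule reply above; it is not FreeRADIUS code.
# It builds the NUL-delimited value RFC 4849 describes, splits it into RADIUS
# attributes, decodes it the way a NAS would, and emits the escaped unlang
# literal that the "update reply" above uses.
from typing import List

NAS_FILTER_RULE = 92   # attribute type assigned by RFC 4849
MAX_VALUE_LEN = 253    # 255-octet attribute limit minus the type and length octets


def encode_rules(rules: List[str]) -> bytes:
    """Terminate every rule, including the last, with NUL (the original
    poster's reading of RFC 4849). A rule can never contain NUL itself."""
    out = b""
    for rule in rules:
        if "\x00" in rule:
            raise ValueError("a filter rule may not contain NUL")
        out += rule.encode("ascii") + b"\x00"
    return out


def to_attributes(value: bytes) -> List[bytes]:
    """Split into type/length/value attributes. RFC 4849 lets a rule span
    attribute boundaries, so the chunking ignores where rules end."""
    attrs = []
    for i in range(0, len(value), MAX_VALUE_LEN):
        chunk = value[i:i + MAX_VALUE_LEN]
        attrs.append(bytes([NAS_FILTER_RULE, 2 + len(chunk)]) + chunk)
    return attrs


def decode_rules(attrs: List[bytes]) -> List[str]:
    """NAS side: concatenate all NAS-Filter-Rule payloads first, then split
    on NUL. Tolerates values with or without a trailing NUL."""
    payload = b""
    for attr in attrs:
        if len(attr) < 2 or attr[0] != NAS_FILTER_RULE or attr[1] != len(attr):
            raise ValueError("malformed NAS-Filter-Rule attribute")
        payload += attr[2:]
    return [part.decode("ascii") for part in payload.split(b"\x00") if part]


def unlang_literal(rules: List[str]) -> str:
    """Double-quoted unlang value with NUL written as the octal escape \\000,
    as in the reply above, ready for an 'update reply' block."""
    body = ""
    for rule in rules:
        body += rule.replace("\\", "\\\\").replace('"', '\\"') + "\\000"
    return 'NAS-Filter-Rule = "%s"' % body


if __name__ == "__main__":
    # Constructed rules in the IPFilterRule syntax that RFC 4849 borrows from Diameter.
    sample = ["permit in ip from any to assigned", "deny in ip from any to any"]
    wire = encode_rules(sample)
    print(unlang_literal(sample))
    print(decode_rules(to_attributes(wire)))
```

The split-then-concatenate order matters: a NAS that splits each attribute on NUL separately will break a rule that straddles two attributes, so keep individual rules short or verify your NAS reassembles the attributes before parsing.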


Example of how to use caching (Cached-Session-Policy)?

2011-04-20 Thread John Douglass
I am apparently using the caching improperly with regard to the configuration 
in eap.conf. The first authentication works great (EAP-PEAP-MSChapv2) 
and DB lookups. The second time (with caching enabled) it appears to 
only be adding the User-Name attribute to the reply. I see the comments 
in the file eap.conf but they don't go very far into explaining how to 
get certain attributes saved INTO the cache or pulled out of it.


Does anyone have an example of how to use this Cached-Session-Policy 
which is applied to the cached session?


eap.conf cache section reads:

   The Cached-Session-Policy is the name of a policy which should be
   applied to the cached session.  This policy can be used to assign
   VLANs, IP addresses, etc.  It serves as a useful way to re-apply the
   policy from the original Access-Accept to the subsequent
   Access-Accept for the cached session.

What exactly am I supposed to store into the attribute 
Cached-Session-Policy? Is this referring to a policy within the file 
policy.conf that will run and extract attributes according to the 
function there or is it something else?


The notes also say:

   #  You probably also want use_tunneled_reply = yes when using fast
   session resumption.

And I have turned that on everywhere I could find, but it doesn't appear 
to be even saving the 1st values of Tunnel-Private-Group-Id.


Debug output:

First time that responds correctly given a VLAN.

[snipped]

[peap] Using saved attributes from the original Access-Accept
Tunnel-Private-Group-Id:0 = 316
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
User-Name = jd187
[peap] Saving response in the cache
[eap] Freeing handler
++[eap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file 
/services/freeradius/etc/raddb//sites-enabled/dvlan-1x-working

} # server dvlan-1x-test1
Sending Access-Accept of id 157 to 128.61.2.253 port 1645
Tunnel-Private-Group-Id:0 = 316
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
User-Name = jd187
MS-MPPE-Recv-Key = 
0xbdc694a560b3fc4e37385fe08bb9876e11d215add69317c704fa374f462bcb0a
MS-MPPE-Send-Key = 
0xa039b0c10a7ef3511a68cdd837f13747c7a4adcb86dc5d73a8506f0105a9ced4

EAP-Message = 0x03080004
Message-Authenticator = 0x
Finished request 7.
Going to the next request

After attempting a second auth which appears to bypass the logic to 
assign a VLAN but doesn't appear to be adding it to the response from 
the cache at all.


[snipped]

[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Adding cached attributes to the reply:
User-Name = jd187
[eap] Freeing handler
++[eap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file 
/services/freeradius/etc/raddb//sites-enabled/dvlan-1x-working

} # server dvlan-1x-test1
Sending Access-Accept of id 161 to 128.61.2.253 port 1645
User-Name = jd187
MS-MPPE-Recv-Key = 
0x0d398b0ed22899753eac37c8b308afb8a600a4be2b35d4260470148c6f4774cc
MS-MPPE-Send-Key = 
0x570045c77b56ef4d327189610f20f358038cea5bda215ded4ca32eefd2a72cf2

EAP-Message = 0x03040004
Message-Authenticator = 0x
Finished request 11.




Re: MS-CHAP-V2 with no retry

2011-04-20 Thread John . Hayward
I have been able to do some testing with the adjustments for MS-CHAP-V2 
related to errors and retries.


There are two items I observed with testing:

1) If I send a HUP signal to the server it appears to re-read the 
configuration files but for some reason does not re-read the mschap module 
- so changing this module while testing seemed to require a restart of the 
server.  Is that the expected behavior?


2) If retry=yes then on Windows 7 on failure a notification is given; if 
they click, they are presented with a message indicating their username or 
password is incorrect and given an opportunity to re-enter only a 
password.  If they enter the correct password the authentication fails and 
they have to re-connect to get a dialogue box where they can enter both 
the username and password.  I have not traced down to determine why the 
client thinks there is a failure (e.g. need to see if FRS thinks it is a 
failure or not).  This I believe is not what should be happening.


johnh...


 On Wed, 13 Apr 2011, john.hayw...@wheaton.edu wrote:



First - thanks to the free radius group for all the work on this over the 
weekend.


There have been some fixes and extensions to my original patches and I saw a 
commit on Friday before some fixes and extensions were in place.


Can someone point me to exactly what I need to git to get the current 
version of freeradius with the patches so I can do some testing at our site?


TIA.
johnh...

On Mon, 11 Apr 2011, Phil Mayers wrote:



On 11/04/11 11:22, Phil Mayers wrote:

On 10/04/11 15:41, James J J Hooper wrote:



This C=random needs to be saved and eventually make its way in to
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);


It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)



The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work 
for me.


It needs a bit of work, specifically there should be a:

num_retries

...parameter, and the EAP module should keep track of retry attempt counts, 
and stop when either:


try_number > num_retries

or

R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it 
should go into 2.1.11 - there's probably not enough testing time.


It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.


I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've 
looked into this a couple of times recently and Samba has almost all the 
bits required to make it work... However, that would require some 
infrastructure for the server to override the MS-CHAP error code, currently 
hard-coded at 691 - 648 is password expired and would need to be set, 
either by parsing the output of ntlm_auth (for those that use it) or from 
some SQL/database attribute (for those using Cleartext/NT-Password)







Re: MS-CHAP-V2 with no retry

2011-04-20 Thread Phil Mayers

On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:

I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retires.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the
configuration files but for some reason does not re-read the mschap
module - so changing this module while testing seemed to require a
restart on the server. Is that the expected behavior?


rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't 
be terribly hard to write one - the module is fairly stateless. It's 
probably best to just restart the server though.



2) If retry=yes then on Windows-7 on failure a notification is given if
they click they are presented with a message indicating their username
or password are incorrect and given an opportunity to re-enter only a
password. If they enter the correct password the authentication fails
and they have to re-connect to get a duologue box where they can enter
both the username and password. I have not traced down to determine why
the client thinks there is a failure (eg need to see if FRS thinks it is
a failure or not). This I believe is not what should be happening.


I think this is probably because the EAP-MSCHAP module needs to parse 
and store the new challenge in the error message. If it doesn't, the 
server and client will disagree on the challenge/response value and auth 
will fail


This patch implements the required behaviour (as part of the support 
password change code):


https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9
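The mismatch described above is easy to reproduce if the EAP side drops the C= field of the Failure message and keeps computing against the old challenge. The following is an added example, not code from rlm_eap_mschapv2 or from the linked commit: a Python parser for the RFC 2759 section 6 Failure message ("E=... R=... C=... V=... M=...") and a small retry tracker that adopts the new challenge from every error, stops when R=0, and stops once the num_retries limit proposed earlier in the thread is exceeded. The num_retries parameter, the RetryState class and the sample messages are constructed for illustration; the error codes are the ones RFC 2759 lists.

```python
# Added example for the retry discussion above; it is not rlm_eap_mschapv2
# code. It parses the MS-CHAPv2 Failure message from RFC 2759 section 6 and
# keeps the retry state the thread says the EAP module needs: adopt the new
# challenge from the error, stop on R=0, and stop after num_retries.
import os
import re
from dataclasses import dataclass

ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# E=<error> R=<retry> C=<32 hex chars> V=<version> M=<message>
_FAILURE_RE = re.compile(
    r"^E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$", re.S
)


@dataclass
class MschapFailure:
    error: int
    retry_allowed: bool
    challenge: bytes      # 16-octet challenge the next response must use
    version: int
    message: str


def format_failure(error: int, retry_allowed: bool, challenge: bytes,
                   message: str = "", version: int = 3) -> str:
    """Server side: build the Failure message text."""
    if len(challenge) != 16:
        raise ValueError("MS-CHAPv2 challenge must be 16 octets")
    text = "E=%d R=%d C=%s V=%d" % (error, 1 if retry_allowed else 0,
                                    challenge.hex().upper(), version)
    return text + (" M=" + message if message else "")


def parse_failure(text: str) -> MschapFailure:
    """EAP side: parse the Failure message; reject anything malformed."""
    m = _FAILURE_RE.match(text)
    if not m:
        raise ValueError("not an RFC 2759 failure message")
    return MschapFailure(
        error=int(m.group(1)),
        retry_allowed=m.group(2) == "1",
        challenge=bytes.fromhex(m.group(3)),
        version=int(m.group(4)),
        message=m.group(5) or "",
    )


@dataclass
class RetryState:
    """What the EAP-MSCHAPv2 handler must remember between the error and the
    retried response. num_retries is the hypothetical parameter proposed above."""
    num_retries: int
    challenge: bytes
    tries: int = 0

    def on_failure(self, failure: MschapFailure) -> bool:
        """Record the error; return True if another response may be attempted.
        The new challenge is always adopted, otherwise server and peer compute
        the retried NT-Response over different challenges and it always fails."""
        self.challenge = failure.challenge
        self.tries += 1
        if not failure.retry_allowed:
            return False
        return self.tries <= self.num_retries


if __name__ == "__main__":
    # Constructed exchange: two wrong passwords allowed, then a hard stop.
    state = RetryState(num_retries=2, challenge=os.urandom(16))
    for _ in range(3):
        text = format_failure(691, True, os.urandom(16), "Authentication failed")
        print(text, "->", "retry" if state.on_failure(parse_failure(text)) else "stop")
```

Note that the 8-octet value shown as `--challenge=` in the ntlm_auth debug output earlier in the thread is the challenge hash derived for the response check, not the 16-octet C= value; it is the latter that has to be carried from the error into the next fake request.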


Re: EAP-TTLS Kerberos

2011-04-20 Thread tod
Hello,
Using the above script I was able to get a clean install to contact my
Kerberos server via 'inner-tunnel' and 802.1X.  Unfortunately, Kerberos is
reporting that it needs the User-Password attribute.  I've modified the
script to show that the User-Password is empty in 'inner-tunnel'.  As usual,
the radtest to localhost works as expected.  eap.conf only has
eap-default-type set to tls, client.conf has the access point loaded, and
'inner-tunnel' is as above, except that if (!User-Password) {...} is added. 
All other files are a clean reinstall on CentOS 5.
Below is the obligatory debug (-X) output.


Re: Example of how to use caching (Cached-Session-Policy)?

2011-04-20 Thread Phil Mayers

On 04/20/2011 10:13 PM, John Douglass wrote:


What exactly am I supposed to store into the attribute
Cached-Session-Policy? Is this referring to a policy within the file
policy.conf that will run and extract attributes according to the
function there or is it something else?


Based on a quick glance at the source: you store anything you want, and 
then you write policy to act on it. The server doesn't do anything 
specific with the attribute beyond storing it and allowing you to read it.


For example:

post-auth {
  if (reply:Cached-Session-Policy =~ /group=(.+),building=(.+)/) {
    update reply {
      My-Vlan = "%{sql:...some sql based on the %{1} and %{2} values}"
    }
  } else {
    # do your policy work, then
    update reply {
      Cached-Session-Policy := "group=staff,building=admin"
    }
  }
}





The notes also say:

# You probably also want use_tunneled_reply = yes when using fast
session resumption.

And I have turned that on everywhere I could find, but it doesn't appear
to be even saving the 1st values of Tunnel-Private-Group-Id.



Hmm.

AFAICT from the source, the common TLS code (used by EAP-TLS and 
PEAP/TTLS too) will only cache User-Name, Stripped-User-Name and 
Cached-Session-Policy. Arbitrary valuepairs aren't stored in the cache.


In some respects, this makes sense - you might set the VLAN based on the 
switch they're on; you need to re-calculate those values because you 
can't guarantee that session resumption takes place on the same switch.


Basically, if you set reply variables based on some kind of lookup (e.g. 
SQL) the safe option is to store the key in Cached-Session-Policy, 
then set the reply variables (vlan etc.) in post-auth based on the key.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
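An added example (Python, not FreeRADIUS or Phil's code) that models the post-auth policy from this message so the caching behaviour can be exercised offline: only the key is cached, and the switch-dependent VLAN is recomputed from it on every authentication, resumed or not. The user-to-group table, the VLAN table standing in for the %{sql:...} query and the NAS names are constructed.

```python
import re

# Added example, not FreeRADIUS code: a Python model of the post-auth policy
# in the message above, so the session-cache behaviour can be exercised offline.

# Per the discussion, the TLS cache keeps only these attributes across a
# resumed session; everything else in the reply has to be recomputed.
CACHED_ATTRS = ("User-Name", "Stripped-User-Name", "Cached-Session-Policy")
POLICY_RE = re.compile(r"group=(.+),building=(.+)")

# Constructed stand-in for the expensive lookup done on a full authentication.
USER_GROUPS = {"alice": ("staff", "admin"), "bob": ("student", "dorm")}

# Constructed stand-in for the %{sql:...} query: (group, building, NAS) -> VLAN.
# The VLAN depends on the switch, so it must be derived from the key every time.
VLAN_TABLE = {
    ("staff", "admin", "switch-a"): 10,
    ("staff", "admin", "switch-b"): 20,
    ("student", "dorm", "switch-b"): 30,
}


def post_auth(request, reply):
    """Mirror of the unlang: use the cached key if present, else compute and store it."""
    m = POLICY_RE.fullmatch(reply.get("Cached-Session-Policy", ""))
    if m:
        group, building = m.group(1), m.group(2)
    else:
        # Full authentication: do the policy work, then record only the key.
        groups = USER_GROUPS.get(request["User-Name"])
        if groups is None:
            return None  # no policy for this user: Access-Reject
        group, building = groups
        reply["Cached-Session-Policy"] = f"group={group},building={building}"
    # Switch-dependent values are recomputed on every auth, resumed or not.
    reply["My-Vlan"] = VLAN_TABLE[(group, building, request["NAS-Identifier"])]
    return reply


def cache_session(reply):
    """What survives in the session cache: My-Vlan and other reply items are dropped."""
    return {k: v for k, v in reply.items() if k in CACHED_ATTRS}
```

On resumption the reply list is seeded from `cache_session()`'s output, which is why `My-Vlan` must never be relied on from the cache.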


Re: EAP-TTLS Kerberos

2011-04-20 Thread Phil Mayers

On 04/20/2011 11:56 PM, tod wrote:


Wed Apr 20 14:19:28 2011 : Debug:   PEAP: Setting User-Name to joe
Sending tunneled request
EAP-Message = 0x0207000a01746f747465
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = joe
server inner-tunnel {
Wed Apr 20 14:19:28 2011 : Info: +- entering group authorize {...}
Wed Apr 20 14:19:28 2011 : Info: ++[expiration] returns noop
Wed Apr 20 14:19:28 2011 : Info: ++[logintime] returns noop
Wed Apr 20 14:19:28 2011 : Info: [pap] WARNING! No known good password
found for the user.  Authentication may fail because of this.
Wed Apr 20 14:19:28 2011 : Info: ++[pap] returns noop
Wed Apr 20 14:19:28 2011 : Info: ++? if (User-Password)
Wed Apr 20 14:19:28 2011 : Info: ? Evaluating (User-Password) -  FALSE
Wed Apr 20 14:19:28 2011 : Info: ++? if (User-Password) -  FALSE
Wed Apr 20 14:19:28 2011 : Info: ++? if (!User-Password)
Wed Apr 20 14:19:28 2011 : Info: ? Evaluating !(User-Password) -  TRUE
Wed Apr 20 14:19:28 2011 : Info: ++? if (!User-Password) -  TRUE
Wed Apr 20 14:19:28 2011 : Info: ++- entering if (!User-Password) {...}
Wed Apr 20 14:19:28 2011 : Info: +++[control] returns noop
Wed Apr 20 14:19:28 2011 : Info: ++- if (!User-Password) returns noop
Wed Apr 20 14:19:28 2011 : Info: Found Auth-Type = Kerberos
Wed Apr 20 14:19:28 2011 : Info: +- entering group Kerberos {...}
Wed Apr 20 14:19:28 2011 : Auth: rlm_krb5: Attribute User-Password is
required for authentication.
Wed Apr 20 14:19:28 2011 : Info: ++[krb5] returns invalid
Wed Apr 20 14:19:28 2011 : Info: Failed to authenticate the user.
} # server inner-tunnel


This is PEAP, not TTLS as was discussed in the original thread. PEAP 
uses MS-CHAP as the inner auth. rlm_krb5 cannot be used, because the 
client does not supply plaintext passwords with PEAP. See:


http://deployingradius.com/documents/protocols/compatibility.html

Also, you've broken the config by removing modules from inner-tunnel. 
Specifically, you've removed the eap module, meaning that the inner 
EAP will never be handled.


Finally, this thread is months old. If you aren't the original poster, 
and don't have the same problem (which you don't) please start a new thread.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP-V2 with no retry

2011-04-20 Thread John . Hayward
Thanks for the patches - I've built a new server and hopefully will test 
tomorrow.


On the re-reading of config I can live without the HUP not causing mschap 
to re-read its config - just assumed that it would.


johnh...
On Wed, 20 Apr 2011, Phil Mayers wrote:


Date: Wed, 20 Apr 2011 17:53:42
From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:

I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retries.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the
configuration files but for some reason does not re-read the mschap
module - so changing this module while testing seemed to require a
restart on the server. Is that the expected behavior?


rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be 
terribly hard to write one - the module is fairly stateless. It's probably 
best to just restart the server though.



2) If retry=yes then on Windows-7 on failure a notification is given if
they click they are presented with a message indicating their username
or password are incorrect and given an opportunity to re-enter only a
password. If they enter the correct password the authentication fails
and they have to re-connect to get a dialogue box where they can enter
both the username and password. I have not traced down to determine why
the client thinks there is a failure (eg need to see if FRS thinks it is
a failure or not). This I believe is not what should be happening.


I think this is probably because the EAP-MSCHAP module needs to parse and 
store the new challenge in the error message. If it doesn't, the server and 
client will disagree on the challenge/response value and auth will fail.


This patch implements the required behaviour (as part of the support 
password change code):


https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html