Re: Relation between NAS and FreeRADIUS

2011-05-18 Thread googerdi
The problem is that I followed a tutorial that set up FreeRADIUS and ChilliSpot
on the same computer, so that caused some problems for me. Now I want to
separate FreeRADIUS from the NAS. I installed FreeRADIUS on a separate computer,
then added MikroTik as the NAS. I have internet on a cable and now I don't know
how to tell the NAS that this is the internet. Another problem is that I made up a
network of this. I installed a PPPoE server on MikroTik and added my RADIUS in MikroTik.
When someone wants to connect, after the user is authenticated (correctly
entered username and password) the connection does not get an IP, so it'll be
disconnected.

When I run freeradius -X, the user is authenticated and it is even added to
radpostauth.
Now the questions are these:

1. How can I tell MikroTik that the internet is this (cable)?

2. How can I configure (I don't know whether it is the duty of the NAS or of FreeRADIUS) a reply
with an IP after a valid username and password?

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Relation-between-NAS-and-FreeRADIUS-tp4407443p4408718.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2011-05-18 Thread Jim Whitescarver
Thank's Alan, it works!

We had the same issue with python auths being serialized that we had
with pam, but running out of debug mode fixed the issue. Pam probably
would have worked if we tried that, but it was a pam_python module
anyway so it is better going directly to python.

Thanks again,

Jim

On Wed, May 18, 2011 at 1:44 AM, Alan DeKok  wrote:
> Jim Whitescarver wrote:
>> The only thing we want is python authentication.  I just commented out
>> everything else.  I will start again and try to minimize edits.  I am
>> rather clueless about the nature the minimum edits should have.
>
>  Add what you need.  The default configuration *works*.
>
>> It seems that every configuration file needs python in every section
>> for it to be recognized.
>
>  No.  You need to list "python" everywhere you want it to be *used*.
>
>> I don't think we want to use the "users" file.  We only want to call
>> the python module for any request.
>
>  That's just rude.
>
>  The first message you posted showed a "users" file entry, and wondered
> why it didn't work.  Now you say you don't want to use it.
>
>  Figure out what you want to do.  The majority of the issues you're
> having are due to inconsistency.
>
>> It's not clear why we would leave other stuff in if we are not using
>> anything but the python module.
>
>  Because you don't understand what it does.  If you don't understand
> it, deleting it is wrong.
>
>  "Hey, I don't understand what this widget is on my car engine.  I'll
> just rip it off.  Hmm, my car no longer works.  I know... I'll blame the
> mechanic!"
>
>  You wouldn't do that to a car mechanic.  Don't do it here.
>
>  Alan DeKok.



RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and 
"proxying" MSCHAP APPEAR to work well.  Testing is by no means 100% complete, 
but so far so good.  Scenarios that used to result in a reject are now working 
as expected.  I had an initial problem 'cause I installed this to /devel/ to 
test with and I mucked something up and many files and dirs ended up directly 
under /devel instead of, for instance, /devel/raddb/.  I created raddb and 
copied certs there and it was more happy.

FWIW: We are NOT using client certs at this time, we are using the 
PEAP/MSCHAPv2 and "use my windows credentials" option.

Thanks!

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

I have a 2.1.10 server we are testing with, but I thought the patch you 
mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?

We will be testing passing the entire *eap session to FR this afternoon.

- Original Message -
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org 

Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked!  People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

  a. Terminating the outer EAP-PEAP
  b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and 
I even suspect I know how - I think it's probably clients typing in 
their username in mIxEd-CaSe, which will cause cryptographic (hash) 
mismatches at client and server without careful preservation of the EAP 
payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with 
this prior to 2.1.10

Are you / have you been able to:

  1. stop terminating the PEAP on the Aruba
  2. upgrade to FreeRADIUS 2.1.10

?
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."


Re: Relation between NAS and FreeRADIUS

2011-05-18 Thread Mike Mackenna
I would think usually the answer is neither.  The internet connection
is usually supplied by a third box on the network.  The NAS is the
point of contact and the RADIUS server is the box that handles the
authentication requests.  If authentication succeeds the client is
allowed to connect through the NAS on to the network.  Once on the
network it is free to make DHCP requests or whatever and then get
routed accordingly.  Only then does it get default gateway information
that it can use to connect to the internet so to speak.

I think that is correct.

Mike

On Wed, May 18, 2011 at 2:16 PM, googerdi  wrote:
> Hi
> It is possible that my question is low level but it is key for me. I want to
> ask whether the NAS provides the internet or FreeRADIUS. I mean, should I connect
> the internet connection to the NAS or to FreeRADIUS?
> Does the NAS just use FreeRADIUS or any RADIUS server to authenticate users and
> register accounting data in RADIUS?
>
> Thanks
>
>
>
> --
> View this message in context: 
> http://freeradius.1045715.n5.nabble.com/Relation-between-NAS-and-FreeRADIUS-tp4407443p4407443.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.



-- 
Michael MacKenna
mpmacke...@gmail.com
Got Chrome?
http://www.google.com/chrome


RE: Relation between NAS and FreeRADIUS

2011-05-18 Thread Garber, Neal
> I want to ask that NAS provide internet or FreeRADIUS. 

What does that mean?

> I mean i should connect internet connection to NAS or FreeRADIUS.

Try rephrasing your question and provide more background on
what you are trying to accomplish.



Relation between NAS and FreeRADIUS

2011-05-18 Thread googerdi
Hi
It is possible that my question is low level but it is key for me. I want to
ask whether the NAS provides the internet or FreeRADIUS. I mean, should I connect
the internet connection to the NAS or to FreeRADIUS?
Does the NAS just use FreeRADIUS or any RADIUS server to authenticate users and
register accounting data in RADIUS?

Thanks



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Relation-between-NAS-and-FreeRADIUS-tp4407443p4407443.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Sven Hartge
Phil Mayers  wrote:
> On 18/05/11 17:10, Gary Gatten wrote:

>> I would LOVE if W7 just worked!  People here are blaming FR and I'm
>> trying to convince them it has nothing to do with it, but since the
>> MSCHAP challenges / responses are hashed I can't PROVE it to them.

> Are you / have you been able to:

>  1. stop terminating the PEAP on the Aruba
>  2. upgrade to FreeRADIUS 2.1.10

I can at least confirm the following from my Aruba setup here:

 a) _not_ terminating the outer EAP-PEAP in the Aruba and
 b) passing the whole thing to FR 2.1.10 works with any Windows I have 
so far encountered.
(as far as the other things like server certificate chain, etc. are
 correct.)

So the setup Win7->Aruba->FR _will_ work, if you don't let the Aruba
gear fiddle with your EAP.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 18:41, Gary Gatten wrote:

> I have a 2.1.10 server we are testing with, but I thought the patch
> you mentioned wasn't in 2.1.10, I think Alan said he'd put it in
> 3.x?


The patch which handles mixed-case client username in PEAP/MSCHAP was 
written by Neal Garber, and is in 2.1.10.


The patches I've written recently are not related to this. They're new 
functionality for other things.



Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I have a 2.1.10 server we are testing with, but I thought the patch you 
mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?

We will be testing passing the entire *eap session to FR this afternoon.

- Original Message -
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org 

Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked!  People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

  a. Terminating the outer EAP-PEAP
  b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and 
I even suspect I know how - I think it's probably clients typing in 
their username in mIxEd-CaSe, which will cause cryptographic (hash) 
mismatches at client and server without careful preservation of the EAP 
payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with 
this prior to 2.1.10

Are you / have you been able to:

  1. stop terminating the PEAP on the Aruba
  2. upgrade to FreeRADIUS 2.1.10

?


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 17:35, Gary Gatten wrote:

> That's what I was afraid of...
>
> Can you expand on this:
>
> "You *can* check that a given response is valid for a given challenge, if
> you know the password or nt hash."


At length, but I would be here all day ;o)

Basically, I've got a python script that performs the MS-CHAP crypto. 
I'll see if I can stick it somewhere people can make use of it.


But FreeRADIUS does this "right". There's no need for an external script 
(unless you're fiddling with the MS-CHAP module guts, which I was when I 
wrote it).


If FreeRADIUS is telling you the mschap response is wrong, it's wrong. 
Either:


 1. The client is sending wrong data
 2. The server has wrong data (password/hash)
 3. Something is fiddling with the data in transit

Since we *know* your Aruba kit is doing some fiddling, it


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 17:10, Gary Gatten wrote:

> I would LOVE if W7 just worked!  People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.


As per previous posts:

Your Aruba wireless equipment is:

 a. Terminating the outer EAP-PEAP
 b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and 
I even suspect I know how - I think it's probably clients typing in 
their username in mIxEd-CaSe, which will cause cryptographic (hash) 
mismatches at client and server without careful preservation of the EAP 
payload.


As per Neal Garber's post of 10th May, even FreeRADIUS had problems with 
this prior to 2.1.10


Are you / have you been able to:

 1. stop terminating the PEAP on the Aruba
 2. upgrade to FreeRADIUS 2.1.10

?


Re: Active directory groups

2011-05-18 Thread Phil Mayers

On 18/05/11 17:22, Gary Gatten wrote:

> If one has (just for example) 1000 groups, this is a lot of overhead


Sure (I did see your query the other day - I just haven't had a chance 
to write up a reply, but see below)



> - checking every group.  Also, what if they belong to several groups?


Well, you have to decide some order of precedence. FreeRADIUS can't do 
that for you



> The last group checked would be the only one that matters - unless of
> course you account for that somehow in your code.
>
> Is there a way to reference the users "primary" group - does LDAP /
> AD support such a concept?


Yes, but it's got a list of caveats a mile long. I would avoid it. In brief:

Primary group is encoded in LDAP in a really unhelpful manner:

primaryGroupID: 

...the number is a RID. You need to find the domain SID, append the RID, 
encode the SID to binary, then do a lookup on objectSid. It's tedious.


In addition, the tools to control which group is "primary" are (IMHO) 
weak because


You've also got the problem that the "primary" group does NOT appear in 
the "memberOf" attribute for a user, and group members who are primary 
do not appear in the "member" attribute of the group, meaning you can't 
check them over LDAP using the "normal" route either.


In most domains, the primary group of a user ends up being "Domain 
Users". My advice: don't fiddle with that, and avoid using primary 
group. We've had endless troubles with this.




> Or, "fetch" their full distinguished name using just their common /
> logon name, such that?


The "ldap" module already extracts the DN for you:

authorize {
  ..
  ldap
  if (control:Ldap-UserDN =~ /^CN=[^,]+,OU=([^,]+)/) {
    update control {
      Tmp-String-0 := "%{1}"
    }
  }

  switch (control:Tmp-String-0) {
    case "neteng" {
      update reply {
        ..
      }
    }
  }
}


The other option would be to pull *all* the LDAP groups into a radius 
attribute, like so:


/etc/raddb/dictionary:

ATTRIBUTE   My-Groups   3001string

/etc/raddb/ldap.attrmap

checkItem   My-Groups   memberOf

/etc/raddb/sites-enabled/XXX:

authorize {
  ldap
  if (control:My-Groups == "CN=group,OU=bar,DC=domain,DC=com") {
    ...
  }
}

...but it's messy, because memberOf is an LDAP DN, and LDAP DNs are messy.

It also doesn't handle nested groups well, but nested groups over LDAP 
are a nightmare.


Frankly, the best way to handle this might be a perl/python 
module/script. Or better yet, extract all the groups from AD/LDAP and 
put them into a user:group file and read it with rlm_passwd, or into an 
SQL group cache (we do this).


Basically, extracting group data from AD over LDAP is a non-trivial 
amount of work for almost all non-trivial cases.

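The primaryGroupID detour Phil describes above (take the domain SID, append the RID, encode to binary, look it up on objectSid) is mechanical once the objectSid byte layout is known. The following is an added example, not code from the original post or from rlm_ldap: it packs and unpacks SIDs the way AD stores objectSid, derives the primary group's SID from the user's own objectSid and primaryGroupID, and builds the RFC 4515 filter you would then run against the domain base DN. The user entry is a constructed dict standing in for the attributes an LDAP search would return, and the domain and RID values are invented.

```python
"""Resolve an AD user's primary group from primaryGroupID via objectSid.

Added example, not FreeRADIUS/rlm_ldap code. The SIDs and the user entry
are constructed for illustration.
"""
import struct


def parse_sid(sid):
    """'S-1-5-21-a-b-c-513' -> (identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range: %r" % sid)
    return authority, subs


def sid_to_binary(sid):
    """Pack a SID in the form AD stores objectSid:
    revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (48-bit big-endian) | sub-authorities (32-bit little-endian each).
    """
    authority, subs = parse_sid(sid)
    out = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def binary_to_sid(blob):
    """Inverse of sid_to_binary, for turning a returned objectSid back into text."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def domain_sid(user_sid):
    """The domain SID is the user's SID minus its last sub-authority (the user's RID)."""
    authority, subs = parse_sid(user_sid)
    if len(subs) < 2:
        raise ValueError("SID has no RID to strip: %r" % user_sid)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))


def primary_group_sid(user_sid, primary_group_id):
    """primaryGroupID is a RID relative to the user's own domain."""
    return "%s-%d" % (domain_sid(user_sid), int(primary_group_id))


def ldap_filter_for_sid(sid):
    """RFC 4515 filter with every byte hex-escaped; search the domain base DN
    with it and read the matching group's DN or cn."""
    return "(objectSid=%s)" % "".join("\\%02x" % b for b in sid_to_binary(sid))


def primary_group_filter(user_entry):
    """Take a decoded LDAP user entry (objectSid as bytes, primaryGroupID as
    text or int) and return the filter that finds the primary group.
    memberOf never lists this group, which is why the detour is needed."""
    user_sid = binary_to_sid(user_entry["objectSid"])
    return ldap_filter_for_sid(primary_group_sid(user_sid, user_entry["primaryGroupID"]))


# Constructed entry, standing in for what an LDAP search on the user returns.
SAMPLE_USER = {
    "sAMAccountName": "ggatten",
    "objectSid": sid_to_binary("S-1-5-21-1000-2000-3000-1104"),
    "primaryGroupID": "513",
    "memberOf": ["CN=neteng,OU=groups,DC=example,DC=com"],  # primary group absent
}

if __name__ == "__main__":
    print(primary_group_filter(SAMPLE_USER))
```

The filter is a second round trip per user, which is the cost Phil warns about; if you go this route, cache the group SID to DN mapping rather than resolving it on every Access-Request.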


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
That's what I was afraid of...

Can you expand on this:

"You *can* check that a given response is valid for a given challenge, if 
you know the password or nt hash."

TIA

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked!  People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.
>
> I have FR debugs of a working auth and a rejected auth.  I'd like to
> "unhash" the MSCHAP stuff to see in clear text what's getting sent
> back and forth so I can get a better idea of why the request is being
> rejected.


That isn't really how it works. MS-CHAP is a (reasonably) 
cryptographically secure protocol. You can't go backwards from:

MS-CHAP-Challenge = xxx
MS-CHAP2-Response = yyy

...to anything meaningful.

You *can* check that a given response is valid for a given challenge, if 
you know the password or nt hash.


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 17:10, Gary Gatten wrote:

> I would LOVE if W7 just worked!  People here are blaming FR and I'm
> trying to convince them it has nothing to do with it, but since the
> MSCHAP challenges / responses are hashed I can't PROVE it to them.
>
> I have FR debugs of a working auth and a rejected auth.  I'd like to
> "unhash" the MSCHAP stuff to see in clear text what's getting sent
> back and forth so I can get a better idea of why the request is being
> rejected.



That isn't really how it works. MS-CHAP is a (reasonably) 
cryptographically secure protocol. You can't go backwards from:


MS-CHAP-Challenge = xxx
MS-CHAP2-Response = yyy

...to anything meaningful.

You *can* check that a given response is valid for a given challenge, if 
you know the password or nt hash.

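The check Phil describes above (a response can be verified against a challenge only if you hold the password or NT hash) and the mixed-case username mismatch he raises in his other reply in this thread both come down to how MS-CHAPv2 builds the value it encrypts. The following is an added example, not code from the original post or from FreeRADIUS: it parses the 50-byte MS-CHAP2-Response value in the form a freeradius -X debug prints it (MS-CHAP-Challenge = 0x..., MS-CHAP2-Response = 0x...) and computes the RFC 2759 ChallengeHash, which is SHA1 over the peer challenge, the authenticator challenge and the user name, truncated to 8 bytes. The NT hash (MD4) and the three DES operations that turn that block into the 24-byte NT-Response are left out because the Python standard library has no DES; rlm_mschap performs the full comparison. Every byte value here is constructed.

```python
"""MS-CHAPv2 ChallengeHash and MS-CHAP2-Response layout (RFC 2759 / RFC 2548).

Added example, not FreeRADIUS code. Every byte string here is constructed.
"""
import hashlib

AUTH_CHALLENGE_LEN = 16    # MS-CHAP-Challenge for MS-CHAPv2 (RFC 2548 2.1.3)
PEER_CHALLENGE_LEN = 16
MSCHAP2_RESPONSE_LEN = 50  # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 section 8.2: SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8].

    The user name is an input to the hash, so a NAS that re-cases or rewrites
    it between supplicant and server makes the server derive a different
    8-byte block and therefore a different expected NT-Response. RFC 2759 uses
    the name without the DOMAIN\\user prefix; stripping that is the caller's job.
    """
    if len(peer_challenge) != PEER_CHALLENGE_LEN:
        raise ValueError("peer challenge must be 16 bytes")
    if len(authenticator_challenge) != AUTH_CHALLENGE_LEN:
        raise ValueError("authenticator challenge must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def parse_mschap2_response(value):
    """Split the 50-byte MS-CHAP2-Response attribute value (RFC 2548 2.3.2)."""
    if len(value) != MSCHAP2_RESPONSE_LEN:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(value))
    return {
        "ident": value[0],
        "flags": value[1],
        "peer_challenge": value[2:18],
        "reserved": value[18:26],
        "nt_response": value[26:50],
    }


def _debug_hex(attr_value):
    """Turn the '0x...' form used in freeradius -X output into bytes."""
    text = attr_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def challenge_hash_from_debug(ms_chap_challenge, ms_chap2_response, username):
    """Given the two attribute values as printed by freeradius -X and the
    User-Name the server used, return the 8-byte ChallengeHash the server
    would feed into DES."""
    auth = _debug_hex(ms_chap_challenge)
    resp = parse_mschap2_response(_debug_hex(ms_chap2_response))
    return challenge_hash(resp["peer_challenge"], auth, username)


def username_rewrite_breaks_hash(ms_chap_challenge, ms_chap2_response, typed, forwarded):
    """True when the name forwarded by the NAS yields a different ChallengeHash
    than the name the supplicant typed, i.e. the NT-Response cannot match
    whatever the password is."""
    a = challenge_hash_from_debug(ms_chap_challenge, ms_chap2_response, typed)
    b = challenge_hash_from_debug(ms_chap_challenge, ms_chap2_response, forwarded)
    return a != b


# Constructed sample values in the shape freeradius -X prints them.
SAMPLE_CHALLENGE = "0x" + bytes(range(16)).hex()
SAMPLE_RESPONSE = "0x" + (bytes([1, 0]) + bytes(range(16, 32)) + bytes(8) + bytes(24)).hex()

if __name__ == "__main__":
    print("typed vs forwarded differ:",
          username_rewrite_breaks_hash(SAMPLE_CHALLENGE, SAMPLE_RESPONSE, "ggatten", "GGATTEN"))
```

Run against the User-Name from a rejected debug and the name the user says they typed: if the two hashes differ, the reject is explained without needing the password at all, which is the proof Gary was after.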


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I don't recall doing anything with server certs either - but this was LONG ago. 
 Plus, you are FAR more knowledgeable than I in these matters so I defer to you 
and stand corrected.

The next sound you hear is my tail dragging on the ground as I walk away, head 
down, in shame.

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:10 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:59, Gary Gatten wrote:
> One point of clarification:
>
> "PEAP uses TLS. PEAP needs certs too."
>
> Not *all* peap uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a 
> common example.

Incorrect. PEAP *requires* a server certificate. The client does not 
need one.


RE: Active directory groups

2011-05-18 Thread Gary Gatten
If one has (just for example) 1000 groups, this is a lot of overhead - checking 
every group.  Also, what if they belong to several groups?  The last group 
checked would be the only one that matters - unless of course you account for 
that somehow in your code.

Is there a way to reference the users "primary" group - does LDAP / AD support 
such a concept?

Or, "fetch" their full distinguished name using just their common / logon name, 
such that?

 - Login name is ggatten

 - Get DN for ggatten

 - DN is ggatten.neteng.msd.waddell.com


Once I have DN I can write some code to extract the parent OU for the user, in 
this case "neteng".

Then, can I do something like:

Vlan-Attribute := "Ldap-group.neteng.someattribute"

I realize the syntax herein is TOTALLY wrong, I'm just looking for some 
validation on the concept.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Active directory groups

On 18/05/11 16:21, Doty, Seth wrote:

> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest.  My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment.  I'm a bit of a freeradius noob so any
> help is appreciated.

I don't really understand what you want, so I'm going to guess.

You have multiple groups. You want to read those from AD via LDAP, and 
then set reply variables.

The main way to do this is to use unlang or a files module to check each 
group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel:

post-auth {
   ...
   if (Ldap-Group == staff) {
 update reply {
   Vlan-Attribute := 123
 }
   }
   elsif (Ldap-Group == students) {
 ..
   }
   else {
  ..
   }
}

Is this what you want? If not, can you explain why not?


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I would LOVE if W7 just worked!  People here are blaming FR and I'm trying to 
convince them it has nothing to do with it, but since the MSCHAP challenges / 
responses are hashed I can't PROVE it to them.

I have FR debugs of a working auth and a rejected auth.  I'd like to "unhash" 
the MSCHAP stuff to see in clear text what's getting sent back and forth so I 
can get a better idea of why the request is being rejected.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:01 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:50, Gary Gatten wrote:
> I can't comment on your problem right now, but be aware there seem to
> be MANY issues with Windows 7.  Our config works PERFECT with XP,
> Apple IOS, and other "basic" stuff.  When we started testing Windows
> 7 (WPA2 Enterprise) we ran into all kinds of weirdness.  And just
> when we think we have a working config and have a few users start
> testing it breaks.
>
> The web is littered with people having problems with Windows 7.  I'm
> convinced the W7 Supplicant is really broken.  In our environment FR
> doesn't even see the PEAP, just an MSCHAP, and that even fails!

We have no problems with Windows 7. It works just fine. There don't seem 
to be significant differences between it and Windows XP SP3 from our 
point of view.

>
> Anyway...  Maybe if someone knows of a tool to dehash/decrypt the
> MSCHAP stuff I could actually see what's different in the requests
> between a working auth and a rejected auth.  Right now we're grasping
> at straws and can't figure out why MS is essentially doing nothing
> about this...

Can you be more specific about what kind of "script" you want? I've got 
a bunch of python tools I use for testing here.


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 16:59, Gary Gatten wrote:

> One point of clarification:
>
> "PEAP uses TLS. PEAP needs certs too."
>
> Not *all* peap uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a 
> common example.


Incorrect. PEAP *requires* a server certificate. The client does not 
need one.



Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 16:50, Gary Gatten wrote:

> I can't comment on your problem right now, but be aware there seem to
> be MANY issues with Windows 7.  Our config works PERFECT with XP,
> Apple IOS, and other "basic" stuff.  When we started testing Windows
> 7 (WPA2 Enterprise) we ran into all kinds of weirdness.  And just
> when we think we have a working config and have a few users start
> testing it breaks.
>
> The web is littered with people having problems with Windows 7.  I'm
> convinced the W7 Supplicant is really broken.  In our environment FR
> doesn't even see the PEAP, just an MSCHAP, and that even fails!


We have no problems with Windows 7. It works just fine. There don't seem 
to be significant differences between it and Windows XP SP3 from our 
point of view.




> Anyway...  Maybe if someone knows of a tool to dehash/decrypt the
> MSCHAP stuff I could actually see what's different in the requests
> between a working auth and a rejected auth.  Right now we're grasping
> at straws and can't figure out why MS is essentially doing nothing
> about this...


Can you be more specific about what kind of "script" you want? I've got 
a bunch of python tools I use for testing here.



RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
One point of clarification:

"PEAP uses TLS. PEAP needs certs too."

Not *all* peap uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a 
common example.

G



-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:26, Simon L. wrote:

> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.


> Using WPA-Enterprise results in about nine different Access-Challenges
> and one final Access-Accept - that cant be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs 
followed by a final request/accept.


What exactly is your problem?

>
> I have set up a testing scenario with the local test user bob. If local
> authentication works properly i want to proxy all requests without EAP
> to another freeradius server. I will have questions to that later :)
>
> radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't get a clue if the problem is Windows, certificates, network or
> simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for 
you - the radius server is sending an access-accept. What problem are 
you experiencing?

>
> certificates:
> - i build the certs with and without that windows extension OID in
> server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the
> desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

"Validate server cert" is done on the client. You won't see any 
difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap -
> tls right?

PEAP uses TLS. PEAP needs certs too.

>
> WAP:
> - WPA2 Enterprise with AES no accept packet possible until now

As above - that's not normal.

The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal

Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to 
describe what those problems are.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Active directory groups

2011-05-18 Thread Phil Mayers

On 18/05/11 16:21, Doty, Seth wrote:


So far I have the ldap component querying AD correctly and I have the
ntlm_auth component doing the same and each individually passing from a
radtest.  My question now revolves around passing the groups in our
setup and if this is even possible using the protocols listed above.
Unfortunately, we don't have the option to move away from these
protocols in our environment.  I'm a bit of a freeradius noob so any
help is appreciated.


I don't really understand what you want, so I'm going to guess.

You have multiple groups. You want to read those from AD via LDAP, and 
then set reply variables.


The main way to do this is to use unlang or a files module to check each 
group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel:


post-auth {
  ...
  if (Ldap-Group == staff) {
    update reply {
      Vlan-Attribute := 123
    }
  }
  elsif (Ldap-Group == students) {
    ..
  }
  else {
    ..
  }
}

Is this what you want? If not, can you explain why not?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
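A fuller version of the sketch above, added here as an example (it is not from Phil's post and not from the FreeRADIUS distribution; the group names "staff" and "students", the VLAN ids 123 and 456, and the reject branch are assumptions). It sets the three RFC 2868 tunnel attributes a switch or wireless controller needs for dynamic VLAN assignment, and rejects the user when no listed group matches instead of silently handing out a default VLAN. It is meant for the post-auth section of sites-enabled/inner-tunnel, as in the reply above:

```unlang
post-auth {
    # Added example: assumed group names and VLAN ids, not site values.
    # Attributes common to every VLAN assignment.
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }

    # Each Ldap-Group comparison asks the directory whether the
    # authenticated user is a member of that group.
    if (Ldap-Group == "staff") {
        update reply {
            Tunnel-Private-Group-Id := "123"
        }
    }
    elsif (Ldap-Group == "students") {
        update reply {
            Tunnel-Private-Group-Id := "456"
        }
    }
    else {
        # No authorised group: refuse access rather than fall through
        # with a half-built VLAN reply.
        update reply {
            Reply-Message := "Not a member of an authorised group"
        }
        reject
    }
}
```

When this sits in the inner-tunnel, the peap section of eap.conf needs use_tunneled_reply = yes so that the inner reply attributes are copied into the outer Access-Accept the controller sees; and the ldap module must be listed in authorize, otherwise the Ldap-Group comparison has nothing to query.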


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 16:26, Simon L. wrote:


Using WPA2-Enterprise results in Access-Rejects after one Request.


That is not normal. WPA2 should be the same as WPA at the radius level.



Using WPA-Enterprise results in about nine different Access-Challenges
and one final Access-Accept - that can't be right.


That is normal. EAP exchanges are usually 9/10 request/challenge pairs 
followed by a final request/accept.



What exactly is your problem?



I have set up a testing scenario with the local test user bob. If local
authentication works properly i want to proxy all requests without EAP
to another freeradius server. I will have questions to that later :)

radtest from localhost and remotehost succeeded.


Sorry - radtest does not do EAP. radtest is not a valid test.


I don't get a clue whether the problem is Windows, certificates, network or
simply misconfigured freeradius.


You haven't told us what the problem is. WPA-Enterprise is working for 
you - the radius server is sending an access-accept. What problem are 
you experiencing?




certificates:
- I built the certs with and without that Windows extension OID in
server.cnf with make from ../raddb/certs


Why? You MUST include the OID.


- 2048 bit

Windows 7:
- installed ca.der as root cert in win7 and configured it for the
desired WiFi network
- for my eyes no difference in debug logs if validate server cert or not.


"Validate server cert" is done on the client. You won't see any 
difference on the server.



- unchecked using windows user or domain for auth
- EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap -
tls right?


PEAP uses TLS. PEAP needs certs too.



WAP:
- WPA2 Enterprise with AES no accept packet possible until now


As above - that's not normal.

The debug you sent contains no reject. Please send a debug for this case.


- WPA Enterprise with AES results in that 9-times Challenges until accept


As above - this is normal

Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to 
describe what those problems are.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I can't comment on your problem right now, but be aware there seem to be MANY 
issues with Windows 7.  Our config works PERFECT with XP, Apple IOS, and other 
"basic" stuff.  When we started testing Windows 7 (WPA2 Enterprise) we ran into 
all kinds of weirdness.  And just when we think we have a working config and 
have a few users start testing it breaks.

The web is littered with people having problems with Windows 7.  I'm convinced 
the W7 Supplicant is really broken.  In our environment FR doesn't even see the 
PEAP, just an MSCHAP, and that even fails!

Anyway...  Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff 
I could actually see what's different in the requests between a working auth 
and a rejected auth.  Right now we're grasping at straws and can't figure out 
why MS is essentially doing nothing about this...

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Simon L.
Sent: Wednesday, May 18, 2011 10:27 AM
To: FreeRadius users mailing list
Subject: Authentication issues with Win7 and WPA/WPA2 Enterprise

Dear Users,

I hope you will be patient with me, it's my first time with freeradius.

I have problems authenticating Windows 7 clients with freeradius.

Using WPA2-Enterprise results in Access-Rejects after one Request.
Using WPA-Enterprise results in about nine different Access-Challenges
and one final Access-Accept - that can't be right.

I have set up a testing scenario with the local test user bob. If local
authentication works properly i want to proxy all requests without EAP
to another freeradius server. I will have questions to that later :)

radtest from localhost and remotehost succeeded.

Setting:

Win7_Client <-WLAN-> WAP LinksysWRT54gl <--MPLS-Network over PPPoE---> FreeRADIUS_proxy (<> FreeRADIUS_main)

- Win7_Client: Windows 7
- WAP: dd-wrt v24 SP2, internal: 10.0.73.1, external: 213.x.x.x
- FreeRADIUS_proxy: Ubuntu Server 10.4.2, freeradius 2.1.10 generic, 10.73.108.254

I don't get a clue whether the problem is Windows, certificates, network or
simply misconfigured freeradius.

certificates:
- I built the certs with and without that Windows extension OID in
server.cnf with make from ../raddb/certs
- 2048 bit

Windows 7:
- installed ca.der as root cert in win7 and configured it for the
desired WiFi network
- for my eyes no difference in debug logs if validate server cert or not.
- unchecked using windows user or domain for auth
- EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap -
tls right?

WAP:
- WPA2 Enterprise with AES no accept packet possible until now
- WPA Enterprise with AES results in that 9-times Challenges until accept

freeRADIUS:
- compiled with installed openSSL dev lib
- default config as it comes out of the box, except: added user bob with
cleartext password in users, added the WAP as client in clients.conf,
changed default_eap_type = "peap" and private_key_password =
"MYSECRET_FROM_SERVER_CERT" in eap.conf

For the configuration and the rest, please look at the attached debug.log from running
radiusd -X
debug.log contains the output of radiusd -X with Access-Requests over
WPA-Enterprise.

I hope you got a hint for me.
Thanks !


Simon

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Active directory groups

2011-05-18 Thread Marc Phillips
> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest.  My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment.  I'm a bit of a freeradius noob so any
> help is appreciated. 

I'm not using NTLM for auth, but I am enforcing AD Group access

What I did was fairly simple.  I wanted users to either be admins or not
(and this is just an example usage):

users:
DEFAULT Ldap-Group == "grp-admin-admin", Auth-Type = pam
        Reply-Message = "Hello (admin), %{User-Name}",
        Fall-Through = No

DEFAULT Ldap-Group == "Operator", Auth-Type = pam
        Reply-Message = "Hello (operator), %{User-Name}",
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "you are not authorized"



My ldap module config looks like this (I have a patched version for exec callouts on
string fields; the patch can be found posted to the list):

ldap {
        server = "myDC"
        port = 636
        identity = "exec:/path/to/passgetter LDAP.user"
        password = "exec:/path/to/passgetter LDAP.pwd"
        basedn = "dc=myorg,dc=myco,dc=org"
        filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls_mode = yes
        tls {
                start_tls = no
                cacertfile = /path/to/my/cacerts
                require_cert = "never"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        chase_referrals = no
        rebind = no
        set_auth_type = no
        ldap_debug = 0x8000
}


And then my authorize config (in my site-enabled/default):

authorize {
        preprocess
        auth_log
        files
        ldap
}

R. Marc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Active directory groups

2011-05-18 Thread Doty, Seth
I have looked on the list for this a few times but there doesn't appear
to be a "how to", just an "it might work".

We are wanting to use freeradius with our wireless controller for .1x
termination.  It will need to authenticate to AD and based on the
returned group hand back different attributes to the wireless
controller.  I don't have any way to do a static group request because
the options are rather large here. AD needs to pass it back and then i
can probably do a match in the freeradius users file and pass the
controller an attribute (I think).  We are using PEAP/MSCHAPv2 for this
currently.  We were going to just proxy this to a microsoft NPS but it
appears that that option hands back attributes in the "wrong" place and
overall just seems terrible.  

So far I have the ldap component querying AD correctly and I have the
ntlm_auth component doing the same and each individually passing from a
radtest.  My question now revolves around passing the groups in our
setup and if this is even possible using the protocols listed above.
Unfortunately, we don't have the option to move away from these
protocols in our environment.  I'm a bit of a freeradius noob so any
help is appreciated. 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multuple ldap freeradius ssid

2011-05-18 Thread Alexander Clouter
seb2020  wrote:
> 
> I have tested your solution like this:
> 
> # defaults
> update reply {
>  Tunnel-Type := VLAN
>  Tunnel-Medium-Type := IEEE-802
>  Tunnel-Private-Group-Id := "unauthorised"
> 
>  Termination-Action := RADIUS-Request
>  Session-Timeout := 300
> 
>  Acct-Interim-Interval := 3600
> }
> 
> if (request:User-Name =~ /^.{3,4}$/) {
>  update reply {
>Tunnel-Private-Group-Id := "staff"
>  }
> }
> elsif (request:User-Name =~ /^.{7,8}$/) {
>  update reply {
>Tunnel-Private-Group-Id := "student"
>  }
> }
> 
> if (reply:Tunnel-Private-Group-Id != "unauthorised") {
>  update reply {
># Cisco only support a max of 65535
>Session-Timeout := 64800
>  }
> } 
> 
> But, if I test with this account: "aaa" (7 letters), I have a response
> like this: Tunnel-Private-Group-Id:0 = "staff". This is not correct.
> 
> And I have placed this code in the file /site-enabled/default in the section
> post-auth. Is that correct?
> 
Without the output from 'radiusd -X', I cannot help you.

Regards

-- 
Alexander Clouter
.sigmonster says: Am I accompanied by a PARENT or GUARDIAN?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: multuple ldap freeradius ssid

2011-05-18 Thread seb2020
Hi, 

I have tested your solution like this:

# defaults
update reply {
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
  Tunnel-Private-Group-Id := "unauthorised"

  Termination-Action := RADIUS-Request
  Session-Timeout := 300

  Acct-Interim-Interval := 3600
}

if (request:User-Name =~ /^.{3,4}$/) {
  update reply {
Tunnel-Private-Group-Id := "staff"
  }
}
elsif (request:User-Name =~ /^.{7,8}$/) {
  update reply {
Tunnel-Private-Group-Id := "student"
  }
}

if (reply:Tunnel-Private-Group-Id != "unauthorised") {
  update reply {
# Cisco only support a max of 65535
Session-Timeout := 64800
  }
} 

But, if I test with this account: "aaa" (7 letters), I have a response
like this: Tunnel-Private-Group-Id:0 = "staff". This is not correct.

And I have placed this code in the file /site-enabled/default in the section
post-auth. Is that correct?

Thanks

-
From Switzerland
--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Multiple-ldap-freeradius-ssid-tp4399529p4405854.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No Access-Accept packet just access-request

2011-05-18 Thread Phil Mayers

On 05/17/2011 06:25 PM, John Corps wrote:


this on both freeradius debug and also in my packet captures. On
server2 that is the exact same config of freeradius etc, the user
authenticates with the wifi ap, i can see the access-request in the
packet capture, on server2 running tcpdump i see the capture showing
it has sent the access-accept packet, but on the laptop i have


It must be a network thing. Check firewalls, routing, etc.

Nothing to do with FreeRADIUS.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_detail issue (bug report + patch).

2011-05-18 Thread Konstantin Chekushin

 I think this module needs a little patch.
 This will prevent an uncontrolled situation when no space is left on
 the device.
 At the moment, if there is no space left, rlm_detail doesn't
 return any error when it cannot flush buffered information to the
 file. The client continues sending accounting to the primary server, but
 the server cannot save it. As a result, accounting info can be lost.
 I just met this problem and it was solved with this code change.
 --- rlm_detail.c2011-05-18 09:37:28.0 +0300
 +++ rlm_detail.c.new2011-05-18 09:41:26.0 +0300
 @@ -185,6 +185,7 @@
 int lock_count;
 struct timeval  tv;
 VALUE_PAIR  *pair;
 +   int fpf;
 struct detail_instance *inst = instance;
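Review bot: the new `int fpf;` in this declaration block is an uninformative name for what is the fclose() result, and it sits several hundred lines (line 185 vs. 463 per the hunk headers) away from its only use; either name it `rcode` or drop the variable and test inline with `if (fclose(outfp) == EOF)`. Also confirm that rlm_detail.c already includes <errno.h>, since the second hunk reads `errno` and the visible lines do not show the includes.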
 @@ -463,7 +464,11 @@
 RDEBUG2("Released filelock");
 }
 -   fclose(outfp);
 +   fpf = fclose(outfp);
 +   if (fpf == EOF) {
 +   radlog(L_ERR,"rlm_detail: cannot close the file!
 (%s)", strerror(errno));
 +   return RLM_MODULE_FAIL;
 +   }
 /*
  *  And everything is fine.
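Review bot: the error check runs only after the file lock has been released ("Released filelock" in the context above), so an ENOSPC failure is detected after another writer may already have appended to the detail file; consider calling fflush(outfp) and testing its return value (or ferror(outfp)) before the unlock, so a short write is caught while the lock is still held, and keep the fclose() check as the final backstop. Returning RLM_MODULE_FAIL is the right outcome, since without an Accounting-Response the NAS will retransmit rather than lose the record, which is exactly what the description asks for. Minor: the radlog() format string appears split across two lines in the patch as posted ("cannot close the file!" / "(%s)"), so check that the mail client did not wrap the line before applying.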

rlm_detail.patch
Description: Binary data
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html