RE: Repeating the same attribute in reply message
Hi,

My problem is that the attributes I have entered in the users file (under the specific user) are not present inside the Access-Accept message replied to the ASN-GW/NAS. The scenario is the same also for the regular Wimax attributes. The += parameter just doesn't work; the second attribute which is identical to a previous one (and provisioned with +=) is not being inserted into the Access-Accept message.

Thanks,
Shai.

-Original Message-
From: freeradius-users-bounces+mizrachi.shai=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+mizrachi.shai=gmail@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, May 31, 2011 8:19 AM
To: FreeRadius users mailing list
Subject: Re: Repeating the same attribute in reply message

Shai Mizrachi wrote:
> The users are configured inside /etc/raddb/users (no D.B is used).
> All of the Wimax parameters are working fine, it is just the repeated
> attributes which are failing (not sure this is related to Wimax ?)

It would help if you said what was *actually* happening.

> I am attaching the output of the radiusd -X, followed by the user
> configured in the users file.
...
> R3-IF-Name += DHCP_Relay_SG,
> PDFID += 2,

These attributes are NOT in the dictionaries for 2.1.7. If the server doesn't complain about them, it's because you've edited the dictionaries.

If you're going to use Alvarion (which is NOT standard WiMAX), you will need to use the "master" branch from http://git.freeradius.org

And you will need to:

- delete the standard wimax && alvarion dictionaries
- enable the non-standard dictionary.wimax.alvarion, and dictionary.alvarion.wimax

My $0.02 is that you should probably be asking Alvarion for help. They've gone out of their way to *not* implement the standard. Everything they do is broken, and they don't see a problem with that.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Repeating the same attribute in reply message
Shai Mizrachi wrote:
> The users are configured inside /etc/raddb/users (no D.B is used).
> All of the Wimax parameters are working fine, it is just the repeated
> attributes which are failing (not sure this is related to Wimax ?)

It would help if you said what was *actually* happening.

> I am attaching the output of the radiusd -X, followed by the user
> configured in the users file.
...
> R3-IF-Name += DHCP_Relay_SG,
> PDFID += 2,

These attributes are NOT in the dictionaries for 2.1.7. If the server doesn't complain about them, it's because you've edited the dictionaries.

If you're going to use Alvarion (which is NOT standard WiMAX), you will need to use the "master" branch from http://git.freeradius.org

And you will need to:

- delete the standard wimax && alvarion dictionaries
- enable the non-standard dictionary.wimax.alvarion, and dictionary.alvarion.wimax

My $0.02 is that you should probably be asking Alvarion for help. They've gone out of their way to *not* implement the standard. Everything they do is broken, and they don't see a problem with that.

Alan DeKok.
Re: Authenticating AP.
Please someone.

Regards,
Mrinal

On Sun, May 29, 2011 at 12:52 PM, Mrinal K wrote:
> Hello Everyone,
>
> I was trying to configure freeradius to authenticate users coming from
> multiple APs and authenticate them on the basis of the AP the request is
> coming from (e.g. if user A's request is sent by AP X then accept; if user
> A's request comes from AP Y then reject; if user B's request comes from AP Y
> then accept).
>
> One scheme for this to be achieved could be that clients.conf has an entry for
> each AP individually and the AP's IP address and shared secret are used to
> identify the AP; however the scenario I am considering has APs behind
> NATed gateways, rendering this method useless. But if I configure
> clients.conf over MAC-address instead of IP-address and use
> Called-Station-ID with shared secret to identify the AP then I think it should
> work out.
>
> I am not sure how feasible this will be. I went through the old posts in
> the forum but could not find anything specific to point in this direction.
> I would be extremely thankful if anyone could direct me in the right direction.
>
> Thanks in advance.
>
> Regards,
>
> Kumar Mrinal
Re: Error: User-Name is not the same as MS-CHAP name
Hi,

On 11-05-30 9:55 AM, Phil Mayers wrote:
> On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>>> There's no guarantee that STAFF\john and STUDENT\john are the same
>>> person; you can't just ignore the fact that the client has changed
>>> their username.
>>
>> True. But I don't think it is possible to send a different Username in
>> EAP-Identity and MSChap Username in the same EAP session since the
>> second is derived from the first. I have seen such a setup where you have
>> two domains; RADIUS would use the Realm to differentiate the two.
>
> For a legit client, yes. A malicious client can send anything it wants.

I completely agree with you on this.

>> Is there a way we could work around this hard-coded check since in our
>> case, we only have "one john"?
>
> Sure; the check is just one line; grep the source code for it and comment
> it out.
>
> What I really want to understand is, whether the check is too strict and
> FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will
> try to check this tomorrow.
>
> e.g. maybe the check should be:
>
>   if eap.username == mschap.username:
>     ok
>   elif not mschap.domain:
>     if eap.stripped-user-name == mschap.username:
>       ok
>     reject
>   else:
>     reject
>
> I will try to investigate this tomorrow when I get back to the office.

Aight. Keep us posted.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: Error: User-Name is not the same as MS-CHAP name
In my shop I see a mix of domain and non-domain machines. Each type will send machine or user\localmachine for the user's name depending on the configuration of the Windows supplicant. Avoid having users log on to domain machines with local user accounts unless you have configured the Windows supplicant from the default. Do the same with non-domain machines.

Here I check for the form "\full.windows.domain.name". If this is present, I use ntlm-auth. If it is not, I strip off the "\host" part in the inner tunnel and use that as a user in an ldap store which has mschap password hashes. In most cases this works for domain machines where users are logging in with local accounts or logging in locally with cached user credentials. The rest show up at the help desk.

I am excited about the mschap patches talked about in recent posts.

Sent from Verizon Wireless

-Original Message-
From: Phil Mayers
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 30 May 2011 14:55:03
To: FreeRadius users mailing list
Reply-To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>>
>> There's no guarantee that STAFF\john and STUDENT\john are the same
>> person; you can't just ignore the fact that the client has changed
>> their username.
>>
> True. But I don't think it is possible to send a different Username in
> EAP-Identity and MSChap Username in the same EAP session since the
> second is derived from the first. I have seen such a setup where you have
> two domains; RADIUS would use the Realm to differentiate the two.

For a legit client, yes. A malicious client can send anything it wants.

>
> Is there a way we could work around this hard-coded check since in our
> case, we only have "one john"?

Sure; the check is just one line; grep the source code for it and comment it out.

What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow.

e.g. maybe the check should be:

  if eap.username == mschap.username:
    ok
  elif not mschap.domain:
    if eap.stripped-user-name == mschap.username:
      ok
    reject
  else:
    reject

I will try to investigate this tomorrow when I get back to the office.
Re: Repeating the same attribute in reply message
Shai Mizrachi wrote:
> I am trying to send in the Access-Accept the same attribute twice but
> with different values (for Wimax QoS descriptor).
> I am using the += operator but still, the reply message contains only
> the first parameter and the second is just ignored.

It should work. But maybe 2.1.7 doesn't have the required WiMAX magic.

What does the debug output show? Where are the attributes defined?

Alan DeKok.
Re: AW: Add more information to Logfile?
thomas.d...@24-7-it-services.de wrote:
> Hi,
>
> I'm sorry, but I can't find any useful information
> in (http://wiki.freeradius.org/Radiusd.conf).
>
> Please, can you give me a little bit more information?

Look for "msg_"

Alan DeKok.
Re: Error: User-Name is not the same as MS-CHAP name
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>> There's no guarantee that STAFF\john and STUDENT\john are the same
>> person; you can't just ignore the fact that the client has changed
>> their username.
>
> True. But I don't think it is possible to send a different Username in
> EAP-Identity and MSChap Username in the same EAP session since the
> second is derived from the first. I have seen such a setup where you have
> two domains; RADIUS would use the Realm to differentiate the two.

For a legit client, yes. A malicious client can send anything it wants.

> Is there a way we could work around this hard-coded check since in our
> case, we only have "one john"?

Sure; the check is just one line; grep the source code for it and comment it out.

What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow.

e.g. maybe the check should be:

  if eap.username == mschap.username:
    ok
  elif not mschap.domain:
    if eap.stripped-user-name == mschap.username:
      ok
    reject
  else:
    reject

I will try to investigate this tomorrow when I get back to the office.
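The strict check as the thread describes it, beside the relaxed rule Phil sketches, modelled in Python as an added example (this is not FreeRADIUS source and not code from the thread). The function names, the backslash-prefix splitting and the reading of "stripped-user-name" as "identity with its DOMAIN\ or HOST\ prefix removed" are my assumptions; the cases are built from the identities quoted in this thread.

```python
# Added example (not rlm_mschap code): models the EAP-Identity vs MS-CHAP
# name comparison discussed in the thread. Names and the prefix-splitting
# helper are assumptions made for illustration.

def split_domain(name):
    """Split 'PREFIX\\user' into (prefix, user).

    The prefix may be a domain (STAFF) or, as in this thread, a machine
    name (STIC08862); the comparison cannot tell them apart.  The prefix
    is '' when there is no backslash.
    """
    prefix, sep, user = name.partition("\\")
    if not sep:
        return "", name
    return prefix, user


def strict_check(eap_identity, mschap_name):
    """The check as described in the thread: the names must be identical.

    This is why 'STIC08862\\TechRMC' in the EAP-Identity response and a
    bare 'TechRMC' in the MS-CHAP packet are rejected.
    """
    return eap_identity == mschap_name


def relaxed_check(eap_identity, mschap_name):
    """Phil's proposed rule.

    Accept an exact match, or a bare MS-CHAP name (no domain) that equals
    the EAP identity with its prefix stripped.  An MS-CHAP name carrying
    its own domain must match exactly, so the STAFF\\john -> STUDENT\\john
    swap that motivated the check is still refused.
    """
    if eap_identity == mschap_name:
        return True
    ms_domain, ms_user = split_domain(mschap_name)
    if ms_domain:
        return False
    _, stripped = split_domain(eap_identity)
    return stripped == ms_user


# Constructed cases, taken from the identities mentioned in the thread.
CASES = [
    ("STIC08862\\TechRMC", "TechRMC"),   # Windows XP machine-name prefix
    ("STAFF\\john", "STAFF\\john"),      # ordinary domain client
    ("STAFF\\john", "STUDENT\\john"),    # the swap the check exists for
    ("STAFF\\john", "jane"),             # different user, no domain
]


def compare_rules(cases=CASES):
    """Return {(eap, mschap): (strict_result, relaxed_result)} per case."""
    return {(e, m): (strict_check(e, m), relaxed_check(e, m))
            for e, m in cases}


if __name__ == "__main__":
    for (e, m), (s, r) in compare_rules().items():
        print(f"{e:22} {m:15} strict={s!s:5} relaxed={r}")
```

Only the first case changes outcome between the two rules; the domain swap and a different bare user are rejected by both.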
Re: Add more information to Logfile?
On Mon, May 30, 2011 at 8:30 PM, wrote:
> Hi,
>
> I'm sorry, but I can't find any useful information
> in (http://wiki.freeradius.org/Radiusd.conf).
>
> Please, can you give me a little bit more information?
>

It should be possible to disable auth logging (auth=no) in radiusd.conf and enable the linelog module with your own logging format and filename

https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog

Use the linelog module in the authorize/authenticate/accounting section (whichever you need). Also, depending on your needs, it might be easier to create a separate linelog module instance that will be called in different sections.

You should be able to use either %{NAS-IP-Address} or %{Client-IP-Address} to record the NAS IP address.

--
Fajar
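A concrete linelog instance along the lines Fajar describes, added here as an example and not taken from the thread or from the FreeRADIUS distribution; the instance name auth_detail, the file name and the format string are assumptions, and the netmask client it refers to is the swr01 entry from the original question.

```conf
# Added example: a dedicated linelog instance, e.g. raddb/modules/auth_detail.
# Instance name, file name and format string are assumptions.
linelog auth_detail {
    filename = ${logdir}/auth_detail.log
    permissions = 0600

    # %{Client-IP-Address} is the source address the packet arrived from, so
    # it identifies the individual NAS even when clients.conf only holds a
    # netmask range such as the 172.16.0.0/12 "swr01" entry.
    # %{NAS-IP-Address} is whatever the NAS itself put in the request and
    # may differ behind NAT. Framed-IP-Address (the user's IP) is normally
    # only present in accounting packets, so it is often empty here.
    format = "%t Auth: user=%{User-Name} client=%{Client-IP-Address} nas=%{NAS-IP-Address} cli=%{Calling-Station-Id} framed=%{Framed-IP-Address}"
}

# sites-enabled/default: call the instance where the default "Invalid user"
# line is produced, i.e. on reject, and optionally on success as well.
post-auth {
    ...
    auth_detail
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        auth_detail
    }
}
```

Because each instance writes its own file and format, a second instance in the accounting section can record Framed-IP-Address once the NAS reports it.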
AW: Add more information to Logfile?
Hi,

I'm sorry, but I can't find any useful information in (http://wiki.freeradius.org/Radiusd.conf).

Please, can you give me a little bit more information?

Thanks.

Kind regards,
Thomas Dohl

> -Original Message-
> From: freeradius-users-bounces+thomas.dohl=24-7-it-services...@lists.freeradius.org [mailto:freeradius-users-bounces+thomas.dohl=24-7-it-services...@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Monday, 30 May 2011 10:35
> To: FreeRadius users mailing list
> Subject: Re: Add more information to Logfile?
>
> thomas.d...@24-7-it-services.de wrote:
> > Is it possible to see the real client IP and the user IP in the log?
>
> Read radiusd.conf, and look for the "log" section. The messages can
> be customized.
>
> This is documented.
>
> Alan DeKok.
Re: Error: User-Name is not the same as MS-CHAP name
Hi Phil,

> Forget about all that. Adding Realms and fiddling with the packet won't
> help; the check is hard-coded into the mschap module as a fairly obvious
> security measure.
>
> For example - suppose I have an environment with two separate domains:
>
>   STAFF
>   STUDENTS
>
> ...if the mschap module did *not* check this, I could rig my mschap
> client to send:
>
>   EAP-Identity: STAFF\john
>   MSCHAP-Name: STUDENT\john
>
> There's no guarantee that STAFF\john and STUDENT\john are the same
> person; you can't just ignore the fact that the client has changed their
> username.

True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such a setup where you have two domains; RADIUS would use the Realm to differentiate the two.

Is there a way we could work around this hard-coded check since in our case, we only have "one john"?

> Ah. I had assumed the machine was a domain member, because you were
> talking about machine auth (which requires domain membership).
>
> I take it there are two sets of machines - some in the domain, some not?
> I assume they all have the Novell client installed?

Correct, the machines are not members of an AD domain. However, they have the Novell Client installed, and they are using a kind of AD tree in their eDirectory structure. So machine auth works the same as if it was an AD domain. The users are not members of that special tree.

> Usually, people only use "send username automatically" with machines
> which are in the domain.
>
> It's possible this is just a bug in Windows XP, and that no-one else has
> ever tried this, so it's never been seen.

It is possible that in Windows XP, something is broken at the supplicant level. In Windows 7, the OS is brilliant enough not to send the machine name. However, mainly 80% of his machines are Windows XP.

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Repeating the same attribute in reply message
Hi,

I am using FreeRadius 2.1.7-7.el5 on CentOS 5.6. The RPM package is the one that came with the CentOS system.

I am trying to send in the Access-Accept the same attribute twice but with different values (for the Wimax QoS descriptor). I am using the += operator but still, the reply message contains only the first parameter and the second is just ignored. I would appreciate some help.

The attributes are:

  WiMAX-QoS-Id += 1,
  WiMAX-Schedule-Type += Best-Effort,
  WiMAX-Traffic-Priority += 1,
  WiMAX-Maximum-Sustained-Traffic-Rate += 200,
  WiMAX-QoS-Id += 2,
  WiMAX-Schedule-Type += Best-Effort,
  WiMAX-Traffic-Priority += 1,
  WiMAX-Maximum-Sustained-Traffic-Rate += 200,

but I get only (from the radiusd -X):

  WiMAX-QoS-Id = 1
  WiMAX-Schedule-Type = Best-Effort
  WiMAX-Traffic-Priority = 1
  WiMAX-Maximum-Sustained-Traffic-Rate = 200

Many Thanks,
Shai.
Re: Error: User-Name is not the same as MS-CHAP name
On 05/29/2011 03:10 PM, Francois Gaudreault wrote:
> Hi Phil,
>
> On 11-05-29 6:16 AM, Phil Mayers wrote:
>> Ok, so as before what we're seeing is that the host is sending
>>
>>   STIC08862\TechRMC
>>
>> ...in the EAP-Identity response, but:
>>
>>   TechRMC
>>
>> ...in the MSCHAP packet (the hex above decodes to that)
>>
>> This is obviously broken, but here's where I get confused: STIC08862
>> doesn't look like a domain name to me. It looks like a machine name.
>
> It is indeed a machine name. This is where we have problems; this does
> not happen using Windows 7. I tried to set a Realm for that machine name
> without success. The thing I don't understand is why MSCHAP complains
> about that. I mean, correct me if I am wrong, mschap:User-Name will
> *always* strip that part since it looks like a domain.

Forget about all that. Adding Realms and fiddling with the packet won't help; the check is hard-coded into the mschap module as a fairly obvious security measure.

For example - suppose I have an environment with two separate domains:

  STAFF
  STUDENTS

...if the mschap module did *not* check this, I could rig my mschap client to send:

  EAP-Identity: STAFF\john
  MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same person; you can't just ignore the fact that the client has changed their username.

>> Is the machine a domain member or not? Is the user logging on locally or
>> with a domain account? Or is this an artefact of the way Novell works?
>
> The machine is not a member of the domain, and the user logs in to Novell.
> So when the user logs in, it sends the username information to RADIUS
> just like if a local user logs in.

Ah. I had assumed the machine was a domain member, because you were talking about machine auth (which requires domain membership).

I take it there are two sets of machines - some in the domain, some not? I assume they all have the Novell client installed?

>> What happens if you take an ordinary machine, without the Novell client
>> installed, create a local user with the same username/password as a
>> domain user, then use "send username automatically"
>
> We tried it, and the machine appears to be sending the machine name
> anyway. It will work only if we don't send the credentials automatically.

Usually, people only use "send username automatically" with machines which are in the domain.

It's possible this is just a bug in Windows XP, and that no-one else has ever tried this, so it's never been seen.
Re: Add more information to Logfile?
thomas.d...@24-7-it-services.de wrote:
> Is it possible to see the real client IP and the user IP in the log?

Read radiusd.conf, and look for the "log" section. The messages can be customized.

This is documented.

Alan DeKok.
Add more information to Logfile?
Hello Everyone,

in my client config I use netmask ranges, e.g.:

  ...
  ipaddr = 172.16.0.0
  netmask = 12
  shortname = swr01
  ...

Now I only see the following information:

  Sun May 29 01:52:44 2011 : Auth: Invalid user: [...] (from client swr01 port 417 cli 00-..-..-..-..-..)

Is it possible to see the real client IP and the user IP in the log?

Thanks in advance.

Kind regards,
Thomas Dohl