Re: Question about Access-Challenge

2011-07-08 Thread Fajar A. Nugraha
On Fri, Jul 8, 2011 at 10:14 AM, Jamshid Abedi udptele...@gmail.com wrote:
 Hello,

 I've got Mobile OTP to work with FreeRadius, I'd like to take this one step
 further and turn this into a two phase process. The objective is to first
 take the pin, authenticate that and then communicate to the NAS with a
 challenge to receive the OTP from the user. I think this can be done via an
 access-challenge reply to the NAS. My question is how do I get FreeNAS to
 send an Access-Challenge once it has verified the PIN is correct? If anyone
 can kindly give me some hints or point me in the right direction.

IMHO the simplest way would be to just concatenate them together, e.g. if:
- your pin is 4 digits
- your OTP is 12 digits
- you use PAP

then you can ask your users to put the 4 digit pin followed by the 12
digit OTP, so the password will be 16 digits. And since you use PAP,
you get the User-Password attribute in the request which can easily be
split using unlang/regex into two components, which you can then
verify.

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
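An added unlang sketch of the split Fajar describes; it is not code from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x with PAP, a 4-digit PIN immediately followed by a 12-digit OTP, that some earlier authorize module (users file, SQL, LDAP) has already put the user's expected PIN into control:Tmp-String-2 (the Tmp-String-* attributes are FreeRADIUS internal scratch attributes; using Tmp-String-2 for the PIN is this example's choice), and that the existing Mobile-OTP check reads the OTP from User-Password.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# Added example; not the original poster's or the project's configuration.
authorize {
    preprocess
    # ... the module that loads the user's expected PIN into
    # control:Tmp-String-2 (users file, SQL, LDAP ...) runs here (assumed).

    # Accept only the 16-digit shape: 4-digit PIN + 12-digit OTP.
    # Anything else is rejected before any secret is compared.
    if (User-Password =~ /^([0-9]{4})([0-9]{12})$/) {
        update request {
            Tmp-String-0 := "%{1}"    # PIN part
            Tmp-String-1 := "%{2}"    # OTP part
        }
    }
    else {
        reject
    }

    # First factor: the PIN must match the stored value. If no expected PIN
    # was loaded, control:Tmp-String-2 expands to "" and this fails closed.
    if ("%{request:Tmp-String-0}" != "%{control:Tmp-String-2}") {
        reject
    }

    # Second factor: hand only the OTP part to the existing Mobile-OTP check
    # by rewriting User-Password, so the OTP configuration is left untouched.
    update request {
        User-Password := "%{request:Tmp-String-1}"
    }

    # ... the existing Mobile-OTP module / Auth-Type selection follows here.
}
```

Both reject branches produce the same Access-Reject, so a caller learns nothing about which half was wrong; the PIN comparison happens only after the format check, and the OTP module never sees the PIN digits.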


Re: Re: use_tunnel_reply not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

2011-07-08 Thread Nitin Bhardwaj

On 01:29 AM, Phil Mayers wrote:

On 07/07/11 14:43, Nitin Bhardwaj wrote:


Thanks Phil.

I found this recent patch added to 2.x, regarding inner-MSCHAP broken:
https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html 



Yes, that's what I was thinking of.




I think this patch fixed the original issue, but the mschapv2 callback
is not preserving *all* the attributes
received from the home server. Any ideas on how to fix 
mschap_postproxy ?


It is hard. When the plain MSCHAP response comes back (as an 
Access-Accept) it has to be turned into an EAP-MSCHAPv2 
Access-Challenge. The PEAP attribute-saving code does not look at 
Access-Challenge packets - only Access-Accept.


Basically, mschap_postproxy would need to save the attributes, then 
insert them in the final Access-Accept.




Another thing, this patch is not carried over to the 3.x branch and
mschap_postproxy in both 2.x and 3.x
are almost same (except for some DEBUG statements), so there must be
something else different between
2.x and 3.x - which makes this work in 3.x and not in 2.x!!


Are you sure this is working in 3.x?

If 3.x is missing the above patch, post-proxy should fail completely; 
the Access-Accept won't be re-written to an EAP-MSCHAP 
access-challenge, and EAP should fail.

Phil,

My mistake. I checked again - 3.x is working only with Intel's 
supplicant client (which even 2.x works with, once the patch is applied),
not with either the native Windows client (both on the same Windows XP) or 
Juniper's Odyssey client! I guess Intel's supplicant is more permissive 
(and non-conforming to the RFCs :).
I had not tried more than one supplicant earlier with 3.x. Hence 2.x 
and 3.x behaviour is identical (failure!).


The (untested) patch below might help on 2.1.x:

https://github.com/philmayers/freeradius-server/commit/3c1ed71cde100268dba57cbd87953af2bfda6d87 



...or for 3.x:

https://github.com/philmayers/freeradius-server/commit/6877b70f442536c93ed097f3c9f6d17d9c960b19 




Thanks for the patches, I'll give them a shot and report back.



Re: Re: use_tunnel_reply not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

2011-07-08 Thread Nitin Bhardwaj

On 01:29 AM, Nitin Bhardwaj wrote:

On 01:29 AM, Phil Mayers wrote:

The (untested) patch below might help on 2.1.x:

https://github.com/philmayers/freeradius-server/commit/3c1ed71cde100268dba57cbd87953af2bfda6d87 



...or for 3.x:

https://github.com/philmayers/freeradius-server/commit/6877b70f442536c93ed097f3c9f6d17d9c960b19 




Thanks for the patches, I'll give them a shot and report back.


Phil, the patch (2.x) is working like a charm :). (also confirmed that 
there is no mem-leak, by inserting a RDEBUG in free_data()).


However, one doubt: shouldn't this code be conditional on whether 
use_tunneled_reply is yes/no? Presently the outer PEAP
does take care of it; is this taken care of in this callback 
(mschap_postproxy)?


--
Nitin


Re: use_tunnel_reply not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

2011-07-08 Thread Phil Mayers

On 08/07/11 11:20, Nitin Bhardwaj wrote:


However, one doubt: shouldn't this code be conditional on whether
use_tunneled_reply is yes/no? Presently the outer PEAP
does take care of it; is this taken care of in this callback
(mschap_postproxy)?


No. The code doesn't need to be conditional, because copying of the 
attributes to the final, outer, access-accept is already conditional on 
use_tunneled_reply - that's what it does.



Re: use_tunnel_reply not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

2011-07-08 Thread Alan DeKok
Phil Mayers wrote:
 The (untested) patch below might help on 2.1.x:
 
 https://github.com/philmayers/freeradius-server/commit/3c1ed71cde100268dba57cbd87953af2bfda6d87
 
 
 ...or for 3.x:
 
 https://github.com/philmayers/freeradius-server/commit/6877b70f442536c93ed097f3c9f6d17d9c960b19

  Added, thanks.

  Alan DeKok.


Re: use_tunnel_reply not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

2011-07-08 Thread Nitin Bhardwaj

On 08/07/11 11:20, Nitin Bhardwaj wrote:

However, one doubt: shouldn't this code be conditional on whether
use_tunneled_reply is yes/no? Presently the outer PEAP
does take care of it; is this taken care of in this callback
(mschap_postproxy)?

No. The code doesn't need to be conditional, because copying of the 
attributes to the final, outer, access-accept is already conditional 
on use_tunneled_reply - that's what it does. 

Ok. So do you think this patch is fit to be brought into mainline 2.x?

I will try the 3.x patch too, and let you know soon.

--
Nitin.


Re: Question about Access-Challenge

2011-07-08 Thread Udptelecom
Yes, it works this way. But the requirements are for a two-phase authentication.

Sent from my iPhone

On Jul 8, 2011, at 2:11 AM, Fajar A. Nugraha l...@fajar.net wrote:

 On Fri, Jul 8, 2011 at 10:14 AM, Jamshid Abedi udptele...@gmail.com wrote:
 Hello,
 
 I've got Mobile OTP to work with FreeRadius, I'd like to take this one step
 further and turn this into a two phase process. The objective is to first
 take the pin, authenticate that and then communicate to the NAS with a
 challenge to receive the OTP from the user. I think this can be done via an
 access-challenge reply to the NAS. My question is how do I get FreeNAS to
 send an Access-Challenge once it has verified the PIN is correct? If anyone
 can kindly give me some hints or point me in the right direction.
 
 IMHO the simplest way would be to just concatenate them together, e.g. if:
 - your pin is 4 digits
 - your OTP is 12 digits
 - you use PAP
 
 then you can ask your users to put the 4 digit pin followed by the 12
 digit OTP, so the password will be 16 digits. And since you use PAP,
 you get the User-Password attribute in the request which can easily be
 split using unlang/regex into two components, which you can then
 verify.
 
 -- 
 Fajar



Re: Re: use_tunnel_reply not working in EAP-PEAP (Proxied as plain MSCHAPv2) in eap.conf

2011-07-08 Thread Nitin Bhardwaj


Phil Mayers wrote:
  The (untested) patch below might help on 2.1.x:

  
https://github.com/philmayers/freeradius-server/commit/3c1ed71cde100268dba57cbd87953af2bfda6d87


  ...or for 3.x:

  
https://github.com/philmayers/freeradius-server/commit/6877b70f442536c93ed097f3c9f6d17d9c960b19

   Added, thanks.

   Alan DeKok.

Alan,

Just did git pull (master branch) and tried - it failed, as described 
by Phil in an earlier post, since the mschapv2 callback is not called.

snip-3.x log-
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19)   group authenticate {
(19)  - entering group authenticate {...}
(19) eap : Request found, released from the list
(19) eap : EAP/peap
(19) eap : processing type peap
(19) peap : processing EAP-TLS
(19) peap : eaptls_verify returned 7
(19) peap : Done initial handshake
(19) peap : eaptls_process returned 7
(19) peap : FR_TLS_OK
(19) peap : Session established.  Decoding tunneled attributes.
(19) peap : Peap state send tlv success
(19) peap : Received EAP-TLV response.
(19) peap : Client rejected our response.  The password is probably incorrect.

(19) peap : We sent a success, but received something weird in return.
(19) eap : Handler failed in EAP/peap
(19) eap : Failed in EAP select
(19)   [eap] = invalid
(19) Failed to authenticate the user.
(19) Using Post-Auth-Type Reject
-

Then I tried removing this patch: 
https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html
and it works properly, as in the 2.x branch. Hence I think you also 
need to remove this patch.


--
Nitin.


auth fails

2011-07-08 Thread Paulo Maia
Hello everyone,

I'm trying to use plain mac auth (
http://wiki.freeradius.org/Mac%20Auth#Plain+Mac-Auth) and the radius
server says Login OK, Accepting user, but the client says auth fails
(w7). Here is the output of it:
Does anyone know what might be the problem?
Thanks,

rad_recv: Access-Request packet from host 172.20.0.11 port 1645, id=28, length=139
User-Name = host/Bala-PC
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-22-56-05-0C-8F
Calling-Station-Id = 00-1F-16-AD-16-0A
EAP-Message = 0x0202001101686f73742f42616c612d5043
Message-Authenticator = 0x082125c878f325cb3b54c88dbc6e2e82
NAS-Port-Type = Ethernet
NAS-Port = 50015
NAS-IP-Address = 172.20.0.11
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy rewrite_calling_station_id {...}
+++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
? Evaluating (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++? if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++- entering if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> 00-1F-16-AD-16-0A
[request] returns ok
+++- if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
+++ ... skipping else for request 2: Preceding if was taken
++- policy rewrite_calling_station_id returns ok
[authorized_macs]   expand: %{Calling-Station-ID} -> 00-1F-16-AD-16-0A
[authorized_macs] users: Matched entry 00-1F-16-AD-16-0A at line 3
++[authorized_macs] returns ok
++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> FALSE
++- entering else else {...}
+++[control] returns ok
++- else else returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [host/Bala-PC/via Auth-Type = Accept] (from client 4500 port 50015 cli 00-1F-16-AD-16-0A)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 28 to 172.20.0.11 port 1645
Reply-Message = OK
Finished request 2.

Re: auth fails

2011-07-08 Thread Alan DeKok
Paulo Maia wrote:
 I'm trying to use plain mac auth

  No, you're not.

 (http://wiki.freeradius.org/Mac%20Auth#Plain+Mac-Auth) and the radius
 server says Login OK, Accepting user, but the client says auth
 fails (w7). Here is the output of it:
 Does anyone know what might be the problem?
 Thanks,
 
 rad_recv: Access-Request packet from host 172.20.0.11 port 1645, id=28,
 length=139
...
 EAP-Message = 0x0202001101686f73742f42616c612d5043

  That's EAP.  You *MUST* do EAP authentication for it to work.  i.e.
configure a known user and password.

  You *cannot* do mac auth.

  Alan DeKok.


Re: auth fails

2011-07-08 Thread Paulo Maia
Ow, I cannot authenticate just the mac-address? I must have user and
pass?
Did not know that.
Thanks Alan,

On Fri, Jul 8, 2011 at 12:16 PM, Alan DeKok al...@deployingradius.com wrote:

 Paulo Maia wrote:
  I'm trying to use plain mac auth

   No, you're not.

  (http://wiki.freeradius.org/Mac%20Auth#Plain+Mac-Auth) and the radius
  server says Login OK, Accepting user, but the client says auth
  fails (w7). Here is the output of it:
  Does anyone know what might be the problem?
  Thanks,
 
  rad_recv: Access-Request packet from host 172.20.0.11 port 1645, id=28,
  length=139
 ...
  EAP-Message = 0x0202001101686f73742f42616c612d5043

  That's EAP.  You *MUST* do EAP authentication for it to work.  i.e.
 configure a known user and password.

  You *cannot* do mac auth.

  Alan DeKok.


Re: auth fails

2011-07-08 Thread Phil Mayers

On 08/07/11 16:30, Paulo Maia wrote:

Ow, I cannot authenticate just the mac-address? I must have user
and pass?


Yes. EAP is a challenge/response protocol. You must send correct 
responses, and this means you must know the password.

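The EAP-Message in Paulo's log, 0x0202001101686f73742f42616c612d5043, decodes as EAP code 2 (Response), id 2, length 17, type 1 (Identity), data "host/Bala-PC": the switch port is running 802.1X and the Windows supplicant is speaking EAP, exactly as Alan and Phil say. The server then short-circuits with Auth-Type = Accept and sends an Access-Accept carrying only Reply-Message, with no EAP-Message inside, which is why the supplicant reports a failure even though the server logged "Login OK". The added unlang fragment below is not from the thread or from the FreeRADIUS wiki page; it assumes FreeRADIUS 2.x and reuses the rewrite_calling_station_id policy and authorized_macs module names that appear in the poster's own log, and it routes EAP requests to rlm_eap while applying the MAC check only when no EAP-Message is present.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# Added example; not the original poster's or the project's configuration.
authorize {
    preprocess
    # Normalises Calling-Station-Id to XX-XX-XX-XX-XX-XX (policy seen in the log).
    rewrite_calling_station_id

    if (EAP-Message) {
        # 802.1X: the supplicant is speaking EAP. Let rlm_eap run the
        # challenge/response. It only succeeds for a user whose password the
        # server knows (users file, SQL, ...); Auth-Type := Accept here would
        # produce an Access-Accept without EAP-Success, which the supplicant
        # rejects - that is the failure shown in the poster's log.
        eap
    }
    else {
        # No EAP-Message: the switch is doing MAC authentication bypass.
        # Accept only addresses listed in authorized_macs, reject the rest.
        authorized_macs
        if (!ok) {
            reject
        }
        else {
            update control {
                Auth-Type := Accept
            }
        }
    }
}
```

Checking for EAP-Message before deciding on MAC-only acceptance is the defensive point: a MAC address is a cleartext, spoofable identifier, so the unconditional Auth-Type := Accept in the poster's log would otherwise turn every request whose Calling-Station-Id matches the list into an accept, regardless of the EAP exchange the supplicant expected to complete.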