Re: Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

2012-01-19 Thread Alan DeKok
Matthew Newton wrote:
> Does anyone know if FreeRADIUS now supports Microsoft
> PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in
> Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work
> fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't
> work then, wondered if that's changed at all?

  It might work.  I recall doing some testing a while ago.  It's not a
widely used feature.

  You'll need to set up *two* instances of the EAP module.  One for the
outer PEAP session, and a separate one for the inner EAP.

> Is it actually possible to do SoH with certificate-based
> authentication, or do I have to look towards DHCP for this?

  No idea.  Ask Microsoft how their software works.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Run a module only during the first EAP-TLS handshake

2012-01-19 Thread Alan DeKok
Victor Tangendjaja wrote:
> Is there a way to run a module only during the first EAP-TLS handshake?

  Track the information in a database.

  Alan DeKok.


Run a module only during the first EAP-TLS handshake

2012-01-19 Thread Victor Tangendjaja

Hi everyone,

Is there a way to run a module only during the first EAP-TLS handshake?

for example:

authorize {
   preprocess
   if (??? == ???) {
      echo
   }
   ...
}

I simply want the 'echo' module to run once during the first auth.
The reason being the 'echo' module may return an OK or a reject. But in
the event that the 'echo' module returns ok, I don't want to stress the
module by running it multiple times during the complete TLS handshake.

Please advise.

Thanks,
Victor


Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

2012-01-19 Thread Matthew Newton
Hi,

Does anyone know if FreeRADIUS now supports Microsoft
PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in
Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work
fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't
work then, wondered if that's changed at all?

https://lists.freeradius.org/pipermail/freeradius-users/2007-April/msg00841.html

For the reasons in that e-mail, I similarly don't care about using
it for auth, as EAP-TLS works fine. However, from the SoH
documentation, it needs either PEAP or DHCP to work. I haven't
ruled out DHCP yet, but it seems a lot tidier to do it in RADIUS
if possible, which in turn just leaves PEAP.

The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH
details, but has to be "user authentication" on the client.
EAP-TLS works fine presenting the certificate to connect to the
network (Microsoft's so-called "computer auth"), but doesn't, as
far as I can tell, do SoH.

Is it actually possible to do SoH with certificate-based
authentication, or do I have to look towards DHCP for this?

I'm using a very custom config at the moment (on the latest v2.1.x
branch), and having tried all sorts can't get it to play. I'll
probably try working from the default config later just in case
I've missed something blindingly obvious, but if anyone could
confirm if the above post is still true or there is no other way
to do it then it will save me a lot of time trying! :)

Cheers,

Matthew


(Wishing Microsoft would bother to support a few additional
options in their built-in supplicant, rather than just the couple
of odd combinations that they want.)


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-19 Thread Alan DeKok
suggestme wrote:
> Still trying to become more familiar with attributes and learning.
> In my understanding there are different attribute lists such as: request, reply,
> control, proxy-request, proxy-reply, outer.request, outer.reply, etc.

  As I said before, see "man unlang".  This is documented in
excruciating detail.

> Is there any way to see what attributes the request list contains, or the
> reply list contains, etc.?
> When searching I see the following FreeRadius site lists the attribute
> lists:
> 
> http://freeradius.org/rfc/attributes.html

  Those are attributes which go into RADIUS packets, and which are
standardized as part of the RADIUS specifications.

> But is there any way to know which attributes are contained in which list? For
> example: Ldap-UserDN is inside the control attribute list. How do I figure
> this out? (It is not in the attributes list mentioned on the above site.)
> Is there any way to find it that I am unaware of?

  The rlm_ldap documentation?

  Alan DeKok.


Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-19 Thread suggestme
Thank you so much Alan for pointing out the mistake & suggesting the
solution.

Using:
 if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/)

*solved this issue.*

Still trying to become more familiar with attributes and learning.
In my understanding there are different attribute lists such as: request, reply,
control, proxy-request, proxy-reply, outer.request, outer.reply, etc.
Is there any way to see what attributes the request list contains, or the
reply list contains, etc.?
When searching I see the following FreeRadius site lists the attribute
lists:

http://freeradius.org/rfc/attributes.html

But is there any way to know which attributes are contained in which list? For
example: Ldap-UserDN is inside the control attribute list. How do I figure
this out? (It is not in the attributes list mentioned on the above site.)
Is there any way to find it that I am unaware of?


Thanks



--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-value-for-the-users-in-Active-Directory-tp5155068p5158770.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
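As an added illustration (not code from the thread or from FreeRADIUS), the Python below mirrors the regex that solved this thread, `/^[^,]+,OU=([^,]+),/` with `%{1}`, and puts it beside an escape-aware DN split; it assumes only the DN and Filter-Id forms shown in the debug output above, plus constructed sample DNs.

```python
import re

# The regex from the thread: skip the leaf RDN, capture the first OU value.
FIRST_OU_RE = re.compile(r"^[^,]+,OU=([^,]+),")


def first_ou_regex(dn: str) -> str:
    """Mimic `if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/)` with %{1}.

    Returns "" when the condition is false: that is exactly what produced
    the empty `policy=` seen in the post-auth debug output in this thread.
    Note the match is case-sensitive: the page's debug output shows the DN
    once as `cn=test,ou=Staff,...` and once as `CN=test,OU=Staff,...`.
    """
    m = FIRST_OU_RE.match(dn)
    return m.group(1) if m else ""


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, honouring RFC 4514 backslash escapes
    so a comma inside a value (e.g. `CN=Doe\\, John`) does not split it."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur))
    return rdns


def first_ou(dn: str) -> str:
    """Escape-aware, case-insensitive version of the same lookup."""
    for rdn in split_rdns(dn)[1:]:          # skip the leaf RDN (CN=...)
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "OU":
            return value
    return ""


def filter_id(ou: str) -> str:
    """Build the reply attribute exactly as the thread's post-auth section does."""
    return "Enterasys:version=1:policy=%s" % ou


if __name__ == "__main__":
    # Constructed sample DNs (the first is the one from the thread).
    for dn in ("CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com",
               "CN=Doe\\, John,OU=Staff,OU=Employees,DC=example,DC=com",
               "CN=svc,DC=example,DC=com"):
        print(dn, "->", filter_id(first_ou_regex(dn)), "|", filter_id(first_ou(dn)))
```

A user whose DN has no OU, or an escaped comma in the CN, silently ends up with the empty policy string rather than a reject, so the post-auth section is worth guarding with a check that `control:Tmp-String-1` was actually set.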


Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-19 Thread Alan DeKok
suggestme wrote:
> I tried to return the value of Filter-ID as:
> 
> authorize { 
>... 
>ldap 
> 
>  if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) { 

  What's "distinguishedName" ?

  It's not a RADIUS attribute.  Read "man unlang", which explains how
the attributes && variables work.

> In my active directory I have the attribute named "distinguishedName" which
> I am using inside "if" statement.

  Right... so FreeRADIUS magically knows to go query LDAP when you type
"distinguishedName"?

> If I use "Ldap-UserDN" attribute inside
> "if" statement (as suggested) it says: "No attribute named Ldap-UserDN".

  Because it's a control attribute.

> *Why this "if" condition is being evaluated as FALSE?*

  Because FreeRADIUS isn't an LDAP server, and doesn't have magic access
to the internals of AD.

> Please correct me If I am doing something wrong. 

  You need to query the LDAP server for information.  The "rlm_ldap"
documentation should describe this.

  Alan DeKok.


Re: How to return Filter-ID attribute value for the users in Active Directory?

2012-01-19 Thread suggestme
Hi, 

I tried to return the value of Filter-ID as:

authorize {
   ...
   ldap

   if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) {
      update control {
         Tmp-String-1 := "%{1}"
      }
   }
   ...
}

post-auth {
   update reply {
      Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"
   }
}

In my active directory I have the attribute named "distinguishedName" which
I am using inside "if" statement. If I use "Ldap-UserDN" attribute inside
"if" statement (as suggested) it says: "No attribute named Ldap-UserDN".

*Example*: In Active Directory "distinguishedName" attribute for the user is
listed as: 

CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com


But when I run in debug mode, while checking the "if" condition, it shows:

++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE

*Why this "if" condition is being evaluated as FALSE?*
And it returns the post-auth value as:

Filter-Id = "Enterasys:version=1:policy=" 
 
It doesn't return anything such as staff, administrators, etc. for the policy.

The part of debug mode output and radtest are as shown below:

##Debug mode output:
#radiusd -X :

rad_recv: Access-Request packet from host 127.0.0.1 port 43666, id=225,
length=80
User-Name = "test"
User-Password = "hello"
NAS-IP-Address = IP Address
NAS-Port = 0
Message-Authenticator = 0x8ab06794e7069587309aa626d315269e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> test
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=test)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to server.example.com:389, authentication 0
  [ldap] bind as
cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com/hello to
server.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter
(sAMAccountName=test)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "hello"
[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com
  [ldap] (re)connect to server.example.com:389, authentication 1
  [ldap] bind as
CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/hello to
server.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 0)
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
expand: Enterasys:version=1:policy=%{control:Tmp-String-1} ->
Enterasys:version=1:policy=
++[reply] returns noop
++[exec] returns noop
Sending Access-Accept of id 225 to 127.0.0.1 port 43666
Filter-Id = "Enterasys:version=1:policy="
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 225 with timestamp +8
Ready to process requests.


##radtest output:
#radtest test hello localhost 0 testing123
Sending Access-Request of id 225 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "hello"
NAS-IP-Address = IP Address
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=225,
length=49
Filter-Id = "Enterasys:version=1:policy="


Please correct me if I am doing something wrong.


Thanks,




--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-value-for-the-users-in-Active-Directory-tp5155068p5158499.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: eapol_test giving up and win-like error?

2012-01-19 Thread Phil Mayers

On 19/01/12 11:07, NdK wrote:
> On 19/01/2012 10:03, Phil Mayers wrote:
>>> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
>>> MPPE keys OK: 0  mismatch: 1
>>> FAILURE
> These (plus the timeout one) are the lines printed after FR has already
> closed the session.

Yes.

>> Hmm. I see from your original email that Samba & ntlm_auth are succeeding.
> Yup. I'm quite used to joining machines to AD... Already have about 100
> clients and 5 servers, and this one is the one giving me troubles :(
>
>> There are a couple of buggy versions of Samba out there that return
>> invalid response values, and generate these symptoms. Which version of
>> Samba are you running, and on what OS?
> Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working,
> I'll have to move the config to a ZeroShell box with Samba 3.5.10.

That version should be ok; we're on 3.5.4

I'm not sure what the problem is then. From your original post, the 
authentication is failing at the *client*, in the inner EAP section. 
This normally means the final MSCHAP response is invalid, which only 
happens if some crypto has gone wrong somewhere.

> Another problem I should fix is the fact that ZS's captive portal passes
> user@realm credentials instead of realm\user ... rewriting w/ a simple
> rule in hints file seems to block the rest, so I left it behind, for now.

You can't alter usernames in EAP. They are usually mixed into the 
challenge/response data, and altering them in-flight means the 
challenge/response will fail.

To be honest, there's too much going on in your setup; my advice would 
be to create a new server (running 2.1.12) and use the default setup. 
Test your EAP with eapol_test. Make small changes, storing the config 
into version control at each step. Identify exactly which point the 
failures start happening at.

Most people don't see this problem, so it's something specific to your 
setup.


eduroam working ok, except for EAP

2012-01-19 Thread Rui Ribeiro

On Jan 19, 2012, at 11:00 AM, freeradius-users-requ...@lists.freeradius.org 
wrote:
> 
> Message: 1
> Date: Thu, 19 Jan 2012 08:58:39 +
> From: Phil Mayers 
> Subject: Re: eduroam working ok, except for EAP
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4f17db3f.7040...@imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 01/19/2012 12:46 AM, Rui Ribeiro wrote:
>> Hi list,
>> 
>> I have freeradius working in an EDUROAM federation, all PEAP-MSCHAPv2
>> and TTLS-EAP working locally, however when roaming to the federation,
>> PEAP-MSCHAPv2 fails categorically and only TTLS-EAP works with
>> success.
> 
> This is exactly the same question you asked the other day, and I answered.
> 
> Did you read my answer? Do you think it's not correct?
> 

Hi Phil,

I received the digest *after* I had sent this other one; had I seen it 
earlier it would have saved me a couple of hours of work, in fact.
Thanks for the reply.

Rui


Re: eapol_test giving up and win-like error?

2012-01-19 Thread NdK
On 19/01/2012 10:03, Phil Mayers wrote:

>> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
>> MPPE keys OK: 0  mismatch: 1
>> FAILURE
These (plus the timeout one) are the lines printed after FR has already
closed the session.

> Hmm. I see from your original email that Samba & ntlm_auth are succeeding.
Yup. I'm quite used to joining machines to AD... Already have about 100
clients and 5 servers, and this one is the one giving me troubles :(

> There are a couple of buggy versions of Samba out there that return
> invalid response values, and generate these symptoms. Which version of
> Samba are you running, and on what OS?
Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working,
I'll have to move the config to a ZeroShell box with Samba 3.5.10.

Another problem I should fix is the fact that ZS's captive portal passes
user@realm credentials instead of realm\user ... rewriting w/ a simple
rule in hints file seems to block the rest, so I left it behind, for now.

Tks,
 Diego.


LDAP Group assign to vlan after AD user authentication

2012-01-19 Thread James
Hi,

I've successfully set up a radius server to support 802.1x
authentication using peap mschapv2 and samba to authenticate users
against AD.
To do this I followed configuration on the freeradius.org website and
the AD integration howto on deployingradius.com, thank you very much
for writing these!

I now need to assign the vlan due to membership of some group in AD
and I understand that an ldap lookup is needed.

Where in the configuration do I check this group and map it to a vlan?
Can I do it as a default entry in the users file or is it needed
somewhere else?

Thank you very much,

James


Re: eduroam working ok, except for EAP

2012-01-19 Thread Alan Buxey
Hi,

> freeradius -X
> FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14
> 2010 at 20:41:03

a couple of things... upgrade - 2.1.10 *will* die at some point when proxying 
to a remote server that doesn't respond

> [f_ticks]   expand: %{reply:Packet-Type} -> Access-Accept
> [f_ticks]   expand: f_ticks.%{%{reply:Packet-Type}:-format} ->
> f_ticks.Access-Accept
> [f_ticks]   expand:
> F-TICKS/eduroam/1.0#REALM=%{Realm}#VISCOUNTRY=PT#VISINST=ISCTE#CSI=%{Calling-Station-Id}#RESULT=OK#
> -> 
> F-TICKS/eduroam/1.0#REALM=DEFAULT#VISCOUNTRY=PT#VISINST=ISCTE#CSI=02-00-00-00-00-01#RESULT=OK#
 ^

this doesn't look right either - you will need to talk to your NRO to get some
further help - but because you are incorrectly just using DEFAULT for handling
foreign realms, this value is being copied here - you should be picking up the
actual realm value from the user login request and populating that value instead.

I also note you are not adding Operator-Name to the request


alan


Re: eapol_test giving up and win-like error?

2012-01-19 Thread Phil Mayers
> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
> MPPE keys OK: 0  mismatch: 1
> FAILURE


Hmm. I see from your original email that Samba & ntlm_auth are succeeding.

There are a couple of buggy versions of Samba out there that return 
invalid response values, and generate these symptoms. Which version of 
Samba are you running, and on what OS?



Re: eduroam working ok, except for EAP

2012-01-19 Thread Phil Mayers

On 01/19/2012 12:46 AM, Rui Ribeiro wrote:
> Hi list,
>
> I have freeradius working in an EDUROAM federation, all PEAP-MSCHAPv2
> and TTLS-EAP working locally, however when roaming to the federation,
> PEAP-MSCHAPv2 fails categorically and only TTLS-EAP works with
> success.


This is exactly the same question you asked the other day, and I answered.

Did you read my answer? Do you think it's not correct?