Re: Freeradius + MySQL + WiFi PEAP authorisation only to a group of users

2012-01-21 Thread lumirl
I found the solution some time ago.
This might be helpful for beginners like me.
The PEAP authentication is done using the sites-enabled/inner-tunnel virtual
server configuration by default.
So in sites-enabled/inner-tunnel, in the authorize section, add these:
==
sql
if (SQL-Group == "wifi") {
    # ok to login
}
else {
    reject
}
==

My original goal was to distinguish between wifi users and openvpn users.
OpenVPN users get authenticated using the radiusplugin with username and
password.
I use the radius server just for wifi and openvpn, so I just need the
sites-enabled/default config:

sql
if (NAS-Identifier == "OpenVpn") {   # NAS-Identifier is set in radiusplugin.cnf
    if (SQL-Group == "openvpn") {
    }
    else {
        reject
    }
}
==
And one last note - PEAP is using MSCHAPv2 and so the passwords must be
stored in cleartext (or nthash)!
For administration I use DialupAdmin - very nice and easy.
Hopefully this will help somebody who was lost like me.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-MySQL-WiFi-PEAP-authorisation-only-to-a-group-of-users-tp4685928p5163539.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
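The last note in the post above is the one people trip over: MS-CHAPv2 (the method inside PEAP) is verified by the server recomputing the client's response from the NT hash, so rlm_mschap can only work from a Cleartext-Password or NT-Password check item; a Crypt-Password, MD5-Password or similar one-way hash in radcheck can never satisfy it. The script below is an added example, not code from the post or from FreeRADIUS. It derives the NT-Password value (MD4 over the UTF-16LE password, the same NT hash `smbencrypt` prints) and builds parameterised INSERTs for the radcheck and radusergroup tables of the standard FreeRADIUS SQL schema, so the cleartext never has to sit in the database while the `SQL-Group` check in the post still evaluates. The user name "alice", the group "wifi" and the password are made up for the example; MD4 is implemented inline because hashlib's md4 is disabled on many OpenSSL 3 builds.

```python
"""NT-Password for FreeRADIUS radcheck: added example, not code from the post or FreeRADIUS."""
import struct

_MASK = 0xFFFFFFFF
_R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)   # RFC 1320 round 2 word order
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # RFC 1320 round 3 word order


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z):
    return ((x & y) | (~x & z)) & _MASK


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4: unsalted and uniterated, which is exactly why MS-CHAP can use it."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)   # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1
            a, b, c, d = d, _rotl((a + _f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            a, b, c, d = d, _rotl((a + _g(b, c, d) + x[_R2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, _rotl((a + _h(b, c, d) + x[_R3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """32 hex chars: the form rlm_pap/rlm_mschap accept in an NT-Password check item."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Check-item attributes rlm_mschap can verify an MS-CHAPv2 response against.
MSCHAPV2_USABLE = {"Cleartext-Password", "NT-Password"}


def usable_for_mschapv2(check_attribute: str) -> bool:
    """Crypt-Password, MD5-Password etc. serve PAP only: the NT hash cannot be derived from them."""
    return check_attribute in MSCHAPV2_USABLE


def radcheck_insert(username: str, password: str, store_nthash: bool = True):
    """(sql, params) for the standard radcheck table; parameterised, never string-formatted."""
    attr, value = ("NT-Password", nt_hash(password)) if store_nthash else ("Cleartext-Password", password)
    return ("INSERT INTO radcheck (username, attribute, op, value) VALUES (%s, %s, %s, %s)",
            (username, attr, ":=", value))


def radusergroup_insert(username: str, groupname: str, priority: int = 1):
    """(sql, params) for radusergroup; this row is what makes `SQL-Group == "wifi"` true in unlang."""
    return ("INSERT INTO radusergroup (username, groupname, priority) VALUES (%s, %s, %s)",
            (username, groupname, priority))


if __name__ == "__main__":
    # "alice", "wifi" and the password are made-up values for the example.
    for sql, params in (radcheck_insert("alice", "password"), radusergroup_insert("alice", "wifi")):
        print(sql, params)
```

Feed the (sql, params) pairs to a DB-API cursor (`cursor.execute(sql, params)`) rather than concatenating them: radcheck values are attacker-chosen strings from a provisioning form, and rlm_sql later substitutes `%{User-Name}` into its own queries, so the table must never contain anything that was assembled by string formatting.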


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Fajar A. Nugraha
On Sat, Jan 21, 2012 at 11:14 PM, Dhiraj Gaur  wrote:
> The version of radtest on my system doesn't support the -t option, hence even 
> after doing radtest -h I could not find anything. I settled for the jradius 
> client to achieve the same effect already.

It doesn't really matter which client you use, IF you're
familiar enough with it and know how to use it. However, your posted
log still shows you use pap. So that either means:
- you don't know how to send mschap request using that client, or
- you haven't got pap working correctly, or
- you don't know the difference between pap and mschap
- you posted the wrong debug output

which is it?

>  Have tried upgrading the package but its already in the latest version.

You could always compile from source, or build your own package.

If you use debian or ubuntu my ppa has the latest stable freeradius
version: https://launchpad.net/~freeradius/+archive/stable
Lucid version should fit debian installations just fine.

> The PAP thing is already working fine as I mentioned earlier and I have 
> followed every bit of Alan's guide. Would redo the things again if it works.

I take your word for it

>
>>
>> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
>> use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
>> your question, but ONLY if you already got pap working properly.
>
>
>
> Attaching the inner tunnel and default file, please go through the same and 
> point out if something is amiss.

Re-read that section, and do what it says. If you do it correctly, AND
send mschap request (using whatever client you're familiar with),
there should be NO debug line that says "ntlm_auth" with
"User-Password" together. That's because mschap does NOT send
User-Password attribute, and the ntlm_auth line is adjusted
accordingly per instructions on the site.

If you STILL have problems after doing that, post the updated debug logs.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
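The diagnostic Fajar describes is mechanical: the method the client used is visible in the attribute dump under `rad_recv:` (User-Password means PAP, MS-CHAP-Challenge plus an MS-CHAP2-Response means MS-CHAP), and an `[ntlm_auth] expand: --password=%{User-Password}` line inside the same request means the ntlm_auth exec module is being driven by a PAP attribute, which an MS-CHAP request never carries. The script below is an added example, not code from this thread or from FreeRADIUS; it applies both rules to `radiusd -X` output. The two requests embedded in it are constructed for the example, modelled on the debug output posted in this thread, and the MS-CHAP attribute values are placeholders.

```python
"""Classify Access-Requests in `radiusd -X` output and flag ntlm_auth driven by User-Password."""
import re

# Constructed sample modelled on the debug output in this thread
# (radiusd -X indents the attribute dump after "rad_recv:" with a tab).
SAMPLE_DEBUG = (
    'rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, length=57\n'
    '\tUser-Name = "01546"\n'
    '\tUser-Password = "x"\n'
    '\tNAS-IP-Address = 192.168.0.99\n'
    '\tNAS-Port = 0\n'
    '+- entering group authorize {...}\n'
    '++[mschap] returns noop\n'
    '[ntlm_auth]\texpand: --username=%{mschap:User-Name} -> --username=01546\n'
    '[ntlm_auth]\texpand: --password=%{User-Password} -> --password=x\n'
    '++[ntlm_auth] returns ok\n'
    'No authenticate method (Auth-Type) configuration found for the request: Rejecting the user\n'
    'rad_recv: Access-Request packet from host 127.0.0.1 port 54348, id=3, length=136\n'
    '\tUser-Name = "01546"\n'
    '\tMS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff\n'   # placeholder value
    '\tMS-CHAP2-Response = 0x0100000000000000000000000000000000\n'   # placeholder value
    '\tNAS-IP-Address = 192.168.0.99\n'
    '+- entering group authorize {...}\n'
    '++[mschap] returns ok\n'
)

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$')
# ntlm_auth exec module expanding a PAP-only attribute
NTLM_USER_PASSWORD_RE = re.compile(r'\[ntlm_auth\].*expand:\s*--password=%\{User-Password\}')
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"


def split_requests(debug_text):
    """Yield the lines belonging to each Access-Request, starting at its rad_recv line."""
    current = None
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:"):
            if current:
                yield current
            current = [line]
        elif current is not None:
            current.append(line)
    if current:
        yield current


def request_attributes(lines):
    """Parse the indented attribute block that directly follows rad_recv."""
    attrs = {}
    for line in lines[1:]:
        if not line[:1].isspace():   # first unindented line ends the dump
            break
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def classify(lines):
    """Return the client's method and the misconfigurations visible in this request."""
    attrs = request_attributes(lines)
    if "EAP-Message" in attrs:
        method = "eap"
    elif "MS-CHAP-Challenge" in attrs and ("MS-CHAP2-Response" in attrs or "MS-CHAP-Response" in attrs):
        method = "mschap"
    elif "CHAP-Password" in attrs:
        method = "chap"
    elif "User-Password" in attrs:
        method = "pap"
    else:
        method = "unknown"

    problems = []
    if any(NTLM_USER_PASSWORD_RE.search(line) for line in lines):
        problems.append("ntlm_auth is run with --password=%{User-Password}: that only works for PAP; "
                        "for MS-CHAP use the mschap module's ntlm_auth setting with "
                        "--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}")
    if any(NO_AUTH_TYPE in line for line in lines):
        problems.append("no Auth-Type was set in authorize, so the request is rejected")
    return {"user": attrs.get("User-Name", "").strip('"'), "method": method, "problems": problems}


def audit(debug_text):
    """Classify every request in a debug capture."""
    return [classify(req) for req in split_requests(debug_text)]


if __name__ == "__main__":
    for result in audit(SAMPLE_DEBUG):
        print(result)
```

Run it against a saved `radiusd -X` capture (`python3 audit.py < debug.log` after reading stdin instead of SAMPLE_DEBUG) before posting a log: if the request you meant to be MS-CHAP comes back as "pap", the client is sending the wrong thing, and if the ntlm_auth problem is reported, the authorize section still has the PAP-style ntlm_auth call that Alan's page tells you to take out.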


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Alan DeKok
Dhiraj Gaur wrote:
> The version of radtest on my system doesn't support the -t option, hence
> even after doing radtest -h I could not find anything.

  Upgrade.  It really helps.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Dhiraj Gaur
hi Fajar
I did read the replies as well as Alan's page. Being a newbie to FR I
actually started with that only.

On Sat, Jan 21, 2012 at 7:44 PM, Fajar A. Nugraha  wrote:

> Did you REALLY read the replies sent to this list?
> Did you REALLY read Alan's page,
> http://deployingradius.com/documents/configuration/active_directory.html
> to the end?
>
>
The version of radtest on my system doesn't support the -t option, hence
even after doing radtest -h I could not find anything. I settled for the
jradius client to achieve the same effect already. Have tried upgrading the
package but it's already the latest version.


> If yes, you'd know that:
> - radtest can send mschap request as well (see 'radtest -h')
>

The only changes I have done to default config is in the inner tunnel or
default file. Attaching the same if you may have a look. I have never
blamed Alan that his recipe is flawed.


> - Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
> contains detailed instruction on how to make FR works with AD and pap.
> If you can't get it to work, that means you're doing something wrong.
> Probably editing some entries you shouldn't, since your ntlm_auth
> result is OK (which means samba + AD part is working correctly). It's
> perfectly fine to be creative and edit the config file as you see fit,
> but ONLY if you know what you're doing. If you're given a recipe, and
> choose to stray from it, and messed up, don't blame the guy who
> created the recipe.
>

The PAP thing is already working fine as I mentioned earlier and I have
followed every bit of Alan's guide. Would redo the things again if it works.


> - Also on Alan's page, there's the section 'Configuring FreeRADIUS to
> use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
> your question, but ONLY if you already got pap working properly.
>


Attaching the inner tunnel and default file, please go through the same and
point out if something is amiss.

Default File
--
authorize {
    preprocess

    #auth_log
    chap
    mschap
    #digest
    #wimax
    #IPASS
    suffix
    #ntdomain
    eap {
        ok = return
    }
    #unix
    #files
    #sql
    ntlm_auth
    #etc_smbpasswd
    #ldap
    #checkval
    expiration
    logintime
    pap
    #if (!control:Auth-Type) {
    #    update control {
    #        Auth-Type = "ntlm_auth"
    #    }
    #}
    #Autz-Type Status-Server {
    #
    #}
}

authenticate {
    Auth-Type NTLM_AUTH {
        ntlm_auth
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    #digest

    #pam
    #unix
    #Auth-Type LDAP {
    #    ldap
    #}
    eap
    #Auth-Type eap {
    #    eap {
    #        handled = 1
    #    }
    #    if (handled && (Response-Packet-Type == Access-Challenge)) {
    #        attr_filter.access_challenge.post-auth
    #        handled  # override the "updated" code from attr_filter
    #    }
    #}
}

INNER TUNNEL FILE
--
server inner-tunnel {

    #listen {
    #    ipaddr = 127.0.0.1
    #    port = 18120
    #    type = auth
    #}

    authorize {
        chap
        mschap
        #unix
        #IPASS
        suffix
        #ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        #sql
        ntlm_auth
        #etc_smbpasswd
        #ldap
        #daily
        #checkval
        expiration
        logintime
        pap
    }


    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        #pam
        ntlm_auth
        #unix
        #Auth-Type LDAP {
        #    ldap
        #}
        eap
    }



-- 
Regards

Dhiraj Gaur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread NdK
On 20/01/2012 21:46, Alan DeKok wrote:

>   Yeah, I've gone and fixed that.  "git" is nice for updating web pages.
Uh... forgot... When using ntlm_auth with a password, --request-nt-key
seems to have no effect. Tested in different distros.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread NdK
On 20/01/2012 21:46, Alan DeKok wrote:

>   Yeah, I've gone and fixed that.  "git" is nice for updating web pages.
Still there's "Then, fine the mschap module". s/fine/find/ :)

BTW, in a real AD setup, with AD servers used as DNS, there should be no
need to setup /etc/krb5.conf: samba can auto detect the needed settings.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Fajar A. Nugraha
On Sat, Jan 21, 2012 at 8:58 PM, Dhiraj Gaur  wrote:
> rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2, 
> length=57
>
>     User-Name = "01546"
>     User-Password = ""

The presence of User-Password means you're still using pap.


> Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: 
> --username=%{mschap:User-Name} -> --username=01546
> Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand: 
> --password=%{User-Password} -> --password=x

> So that means ntlm_auth is still working good but some access control triggers 
> the Access-Reject.
>
> I am still directionless as to where I should head next, I mean how to make 
> that EAP client and MSCHAP authentication work. Would appreciate it if I could 
> get some handy quick and dirty list of works to do next OR some URL/mailing 
> list entry etc which explains the same.

Did you REALLY read the replies sent to this list?
Did you REALLY read Alan's page,
http://deployingradius.com/documents/configuration/active_directory.html
to the end?

If yes, you'd know that:
- radtest can send mschap request as well (see 'radtest -h')
- Alan's page, up to 'Configuring FreeRADIUS to use ntlm_auth',
contains detailed instruction on how to make FR works with AD and pap.
If you can't get it to work, that means you're doing something wrong.
Probably editing some entries you shouldn't, since your ntlm_auth
result is OK (which means samba + AD part is working correctly). It's
perfectly fine to be creative and edit the config file as you see fit,
but ONLY if you know what you're doing. If you're given a recipe, and
choose to stray from it, and messed up, don't blame the guy who
created the recipe.
- Also on Alan's page, there's the section 'Configuring FreeRADIUS to
use ntlm_auth for MS-CHAP'. That pretty much answers the last part of
your question, but ONLY if you already got pap working properly.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Dhiraj Gaur
Hi
I did my tests and after removing that custom block of authorize section
the following is the output.

rad_recv: Access-Request packet from host 127.0.0.1 port 54347, id=2,
length=57
User-Name = "01546"
User-Password = ""
NAS-IP-Address = 192.168.0.99
NAS-Port = 0
Sat Jan 21 19:21:08 2012 : Info: +- entering group authorize {...}
Sat Jan 21 19:21:08 2012 : Info: ++[preprocess] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[chap] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[mschap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [suffix] No '@' in User-Name = "01546",
looking up realm NULL
Sat Jan 21 19:21:08 2012 : Info: [suffix] No such realm "NULL"
Sat Jan 21 19:21:08 2012 : Info: ++[suffix] returns noop
Sat Jan 21 19:21:08 2012 : Info: [eap] No EAP-Message, not doing EAP
Sat Jan 21 19:21:08 2012 : Info: ++[eap] returns noop
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand:
--username=%{mschap:User-Name} -> --username=01546
Sat Jan 21 19:21:08 2012 : Info: [ntlm_auth]    expand:
--password=%{User-Password} -> --password=x
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Sat Jan 21 19:21:08 2012 : Debug: Exec-Program: returned: 0
Sat Jan 21 19:21:08 2012 : Info: ++[ntlm_auth] returns ok
Sat Jan 21 19:21:08 2012 : Info: ++[expiration] returns noop
Sat Jan 21 19:21:08 2012 : Info: ++[logintime] returns noop
Sat Jan 21 19:21:08 2012 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may fail because of this.
Sat Jan 21 19:21:08 2012 : Info: ++[pap] returns noop
Sat Jan 21 19:21:08 2012 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Sat Jan 21 19:21:08 2012 : Info: Failed to authenticate the user.
Sat Jan 21 19:21:08 2012 : Info: Using Post-Auth-Type Reject
Sat Jan 21 19:21:08 2012 : Info: +- entering group REJECT {...}
Sat Jan 21 19:21:08 2012 : Info: [attr_filter.access_reject]    expand:
%{User-Name} -> 01546
Sat Jan 21 19:21:08 2012 : Debug:  attr_filter: Matched entry DEFAULT at
line 11

-

So that means ntlm_auth is still working good but some access control
triggers the Access-Reject.

I am still directionless as to where I should head next, I mean how to make
that EAP client and MSCHAP authentication work. Would appreciate it if I could
get some handy quick and dirty list of works to do next OR some URL/mailing
list entry etc which explains the same.

I am reading a FreeRadius book (Packt Publishing) which just might help.

Regards
Dhiraj Gaur


On Sat, Jan 21, 2012 at 7:12 PM, Dhiraj Gaur  wrote:

> Thanks ndk and alan, I'll give it a fresh try on the testbed. I have
> already deleted the DEFAULT entry from the users file and updated mschap as
> indicated. I think what might be forcing NTLM_AUTH is an entry which I made
> to the authorize section of the default file after which ntlm_auth started to
> work for me
>
> if(!control:Auth-Type) {
> update control {
> Auth-Type = "ntlm_auth"
> }
> }
> I'll try removing the same and then need to see how the mschap thing will
> work. Would appreciate it if you may point me to a further howto on the same.
> I aim to connect an EAP client through radius without the use of
> certificates, for which MSCHAP seems to be an option.
>
> I think I ll write a howto or add a wiki entry if I can make it work fine.
>
> regards
> Dhiraj Gaur
>
>
> On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok wrote:
>
>> NdK wrote:
>> >>   The radclient program has since been updated.
>> > Then it could be better to update that page, since it's the reference
>> > for all newbies that try to make it work.
>>
>>   Yeah, I've gone and fixed that.  "git" is nice for updating web pages.
>>
>> > "It *should* work" is more correct :(
>> > There still are many things that can go wrong.
>>
>>   If it doesn't work, the web pages explain which part to blame.  99% of
>> the time, it's a bug in someone else's software.
>>
>>  Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> Regards
>
> Dhiraj Gaur
>
>
>
>


-- 
Regards

Dhiraj Gaur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem with MSCHAP and Freeradius authentication

2012-01-21 Thread Dhiraj Gaur
Thanks ndk and alan, I'll give it a fresh try on the testbed. I have
already deleted the DEFAULT entry from the users file and updated mschap as
indicated. I think what might be forcing NTLM_AUTH is an entry which I made
to the authorize section of the default file after which ntlm_auth started to
work for me

if (!control:Auth-Type) {
    update control {
        Auth-Type = "ntlm_auth"
    }
}
I'll try removing the same and then need to see how the mschap thing will work.
Would appreciate it if you may point me to a further howto on the same. I aim
to connect an EAP client through radius without the use of certificates,
for which MSCHAP seems to be an option.

I think I ll write a howto or add a wiki entry if I can make it work fine.

regards
Dhiraj Gaur


On Sat, Jan 21, 2012 at 2:16 AM, Alan DeKok wrote:

> NdK wrote:
> >>   The radclient program has since been updated.
> > Then it could be better to update that page, since it's the reference
> > for all newbies that try to make it work.
>
>   Yeah, I've gone and fixed that.  "git" is nice for updating web pages.
>
> > "It *should* work" is more correct :(
> > There still are many things that can go wrong.
>
>   If it doesn't work, the web pages explain which part to blame.  99% of
> the time, it's a bug in someone else's software.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Regards

Dhiraj Gaur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS & Billing MVTS Pro

2012-01-21 Thread Brian Candler
Please note that it's rude to cross-post. This is a 'users' question, not a
'developers' question.

On Fri, Jan 20, 2012 at 03:18:53PM +0200, Mohamed Daif wrote:
>all calls must be checked firstly from two tables then go to Specific
>Gateways like below :
...
>how can i add both tables to FreeRADIUS and make configuration to check
>before sending calls to MVTS Servers.

What database backend are you using?

If you are using mysql (possibly others) then you can use stored procedures. 
Each one must return a single result set, with 5 columns in the correct
order.  However it can take as many arguments as you like.  e.g.

 authorize_check_query = "Call getCheck('%{User-Name}');"
 authorize_reply_query = "Call getReply('%{User-Name}');"
 group_membership_query = "Call getGroups('%{User-Name}');"
 authorize_group_check_query = "Call getGroupCheck('%{Sql-Group}');"
 authorize_group_reply_query = "Call getGroupReply('%{Sql-Group}');"

So you write the logic within the stored procedure to query as many
different tables as you like, in whatever order you like.

The other option is to have multiple instances of rlm_sql, and call them at
different points as required.  (However each instance of the module might
keep its own pool of connections to your SQL database)

sql sql_blacklist {
 ... blacklist queries go here
}

sql sql_whitelist {
 ... whitelist queries go here
}

Then you can call both sql_blacklist and sql_whitelist at whatever points
you require in your authorize { ... } block.

HTH,

Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html