Re: FreeRadius 2.1.12, why is EAP AKA support in eap2 module

2012-03-16 Thread Phil Mayers

On 03/15/2012 12:36 PM, Altaf Husain wrote:

> Hi,
> We are using FreeRadius ver 2.1.12. I had a query regarding EAP-AKA
> support in the eap2 module. It's mentioned on the FreeRadius website that
> "This module is experimental, and may not be ready for use in a
> production environment". Is it still in an experimental state? Can't it
> be used as EAP-SIM? Is performance tested for EAP-AKA? I am waiting
> for a response so that we can support EAP-AKA in our product using
> FreeRadius. Any specific reason for keeping it in the eap2 module rather
> than the mainline eap module?


You don't understand how the eap2 module works.

There is not much code in eap2; eap2 just passes all the EAP requests to 
the codebase in hostapd.


You can't just "move" EAP-AKA from the eap2 module to eap, because there 
isn't actually any EAP-AKA code there - it's all in hostapd, which is a 
completely different codebase with a different API, different coding 
conventions, different build infrastructure, etc.


If you want EAP-AKA support in the main "eap" module, you'll have to 
write it, or pay someone to write it, from scratch. I guess the EAP-AKA 
code in eap2/hostapd could be used as a reference, but that's about it.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius 2.1.12, why is EAP AKA support in eap2 module

2012-03-16 Thread Altaf Husain
Thanks Phil, this information was helpful.


Re: FreeRadius 2.1.12, why is EAP AKA support in eap2 module

2012-03-16 Thread Alan DeKok
Altaf Husain wrote:

> What do you mean by native code hasn't been written? We do have EAP-AKA
> support in the eap2 module in FreeRADIUS??

  No.  See Phil's response for details.

> Regarding code submission and paying someone, we already have code
> to support EAP-AKA, but wanted to avoid having changes in freeradius
> with our code. If it's all available from FreeRadius that would be
> easy for us to maintain, and if performance and functionality are
> already well tested then good for us.

  Yes, that would be good.

  But my previous answer is still correct.

  Alan DeKok.


Re: LDAP Search Questions

2012-03-16 Thread ryuukuu
Can someone throw me a bone here? This is really the last step in my process
in getting FreeRadius production ready.



Re: Add Users in MySQL database

2012-03-16 Thread ryuukuu
What is the one that is included with FreeRadius? I am trying to use
DaloRadius and imho its terrible. 



Re: Add Users in MySQL database

2012-03-16 Thread Alan Buxey
Hi,
> What is the one that is included with FreeRadius? I am trying to use
> DaloRadius and imho its terrible. 

dialup_admin IIRC.  What's wrong with DaloRadius? Give the author
feedback and your problems/issues might be worked on.

alan


Re: LDAP Search Questions

2012-03-16 Thread Alan Buxey
Hi,
> Can someone throw me a bone here? This is really the last step in my process
> in getting FreeRadius production ready.

I'd advise getting a basic grasp of LDAP and its terminology before using
it as a tool - plenty of free resources out there. You have a group
RADIUS that you want to check membership of - so when you talk to the LDAP
you need to filter for the user you are dealing with - so have an appropriate
filter line (you know your DN/CN/DC etc. to get the right tree/branch)
and then do the correct attribute match (be that memberOf etc.).


alan
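The two steps Alan describes (filter for the user, then match memberOf against the group DN), as an added Python model that is not from the list and not FreeRADIUS code; the group DN and the directory entries are constructed, and the filter value is escaped per RFC 4515 for the same reason rlm_ldap escapes the expanded User-Name: the value comes from the request and must not be able to change the shape of the filter.

```python
import re

# Assumed DN for the "RADIUS" group from the thread (constructed for this example).
GROUP_DN = "cn=RADIUS,ou=groups,dc=example,dc=com"

# Constructed in-memory stand-in for the OpenLDAP tree: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "memberOf": [GROUP_DN],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"],
    },
}

# This toy evaluator understands a single "(attr=value)" assertion; "(attr=*)" is a presence test.
_SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9.-]*)=(.*)\)$")


def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 so request data cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_filter(user_name):
    """Same shape as the rlm_ldap default filter, (uid=%{User-Name}), with the value escaped."""
    return "(uid=%s)" % ldap_escape(user_name)


def search(flt):
    """Evaluate one equality or presence filter against DIRECTORY and return matching DNs."""
    m = _SIMPLE_FILTER.match(flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, raw = m.group(1), m.group(2)
    hits = []
    for dn, entry in DIRECTORY.items():
        values = entry.get(attr, [])
        if raw == "*":                      # presence filter: every entry carrying the attribute
            if values:
                hits.append(dn)
        elif _unescape(raw) in values:      # equality filter on the unescaped value
            hits.append(dn)
    return hits


def is_radius_member(user_name):
    """Step 1: exactly one entry must match the user. Step 2: memberOf must list the group DN."""
    hits = search(user_filter(user_name))
    if len(hits) != 1:
        return False
    return GROUP_DN in DIRECTORY[hits[0]].get("memberOf", [])


if __name__ == "__main__":
    # "*" shows the point of escaping: unescaped it would be a presence filter matching everyone.
    for name in ("alice", "bob", "*"):
        print(name, user_filter(name), is_radius_member(name))
```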


md5 passwords in mysql database

2012-03-16 Thread pamela pomary
Hello

Please, I have a challenge encrypting passwords using md5 in the MySQL database
for radius users. When I do a radtest like this: radtest test password
localhost 0 key
for user test with md5(password) in the MySQL database, it is successful.
However, when I do this: radtest -t mschap testmd5 password localhost 0 key,
I get an MS-CHAP Error


Sending delayed reject for request 0
Sending Access-Reject of id 143 to 127.0.0.1 port 55008
MS-CHAP-Error = "\000E=691 R=1"

I read online that it is not possible to do md5 with MS-CHAP. I don't want to
save users' passwords in clear text. How can I achieve encrypting users'
passwords in the MySQL database? I have Freeradius 2.1.12 installed. Please, I
will be grateful for suggestions.

I have the following in modules


### /etc/raddb/modules/pap ###

pap {
    auto_header = yes
    encryption_scheme = md5
}


### /etc/raddb/modules/mschap ###

mschap {
    use_mppe = yes
    require_encryption = yes
}


Any help will be very much appreciated


Thank You



Pamela Pomary
ICTD, University of Ghana.

Re: LDAP Search Questions

2012-03-16 Thread Phil Mayers

On 14/03/12 19:04, ryuukuu wrote:

> Hello All,
>
> I've got a question about the settings for limiting access/authenticating to
> a specific LDAP group. I have set up a group on my OpenLDAP called "RADIUS"
> and I want the users in there to be the only ones that have access. The
> problem I am having is with the filters. Below is my /etc/raddb/modules/ldap
> (given I cleaned up a lot of the comments just for posting reasons)


What is the question?


Re: md5 passwords in mysql database

2012-03-16 Thread Phil Mayers

On 16/03/12 16:14, pamela pomary wrote:

> I read online that it is not possible to do md5 with MS-CHAP. I don't want to

This is correct.

> save users' passwords in clear text. How can I achieve encrypting users'
> passwords in the MySQL database? I have Freeradius 2.1.12 installed. Please, I
> will be grateful for suggestions.


To do MSCHAP, you MUST store either the plaintext password, or the NT 
hash (MD4 of the little-endian UTF-16 form of the password).


See here:

http://deployingradius.com/documents/protocols/compatibility.html
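Computing the NT hash Phil describes and the radcheck row that would store it as NT-Password, as an added example that is not from the post and not FreeRADIUS's own code; MD4 is implemented inline (RFC 1320) because OpenSSL 3 builds often hide it behind the legacy provider, the radcheck column layout (username, attribute, op, value) is the standard FreeRADIUS schema, and the username "testmd5" is the one from the question.

```python
import struct

_MASK = 0xFFFFFFFF
# Message-word order for rounds 2 and 3 and the per-round rotation amounts (RFC 1320).
_K2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_K3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
_S1, _S2, _S3 = (3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320), 16 bytes."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as a 64-bit little-endian word.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((f, range(16), _S1, 0), (g, _K2, _S2, 0x5A827999), (h, _K3, _S3, 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                # Registers rotate each step: (A,B,C,D), (D,A,B,C), (C,D,A,B), (B,C,D,A), ...
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                r[a] = _rotl((r[a] + func(r[b], r[c], r[d]) + x[k] + const) & _MASK, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the password encoded as little-endian UTF-16 (no BOM, no terminator)."""
    return md4(password.encode("utf-16-le"))


def radcheck_row(username: str, password: str):
    """(username, attribute, op, value) for FreeRADIUS's radcheck table.

    mschap derives the MS-CHAPv2 response from this NT hash, which is why a stored
    md5(password) (the pap encryption_scheme = md5 setup in the question) can serve
    PAP but never MS-CHAP.
    """
    return (username, "NT-Password", ":=", nt_hash(password).hex().upper())


if __name__ == "__main__":
    print(radcheck_row("testmd5", "password"))
```

The NT hash is unsalted and, for MS-CHAP, is as good as the password itself, so the radcheck table needs the same access controls a cleartext column would.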


Freeradius crash with two radclient

2012-03-16 Thread fulvio fabiani
Hi all,

I've a problem with concurrent accounting requests with free radius 2.1.11.

In detail:

I've 2 free radius servers balanced by a BIG-IP F5 through a round-robin
algorithm. I send accounting requests using radclient on a machine
placed in the same subnet as the F5, and it forwards the requests to
another net (the servers' one).

If I launch two or more radclients that inject traffic to the free radius
servers (always through the F5), the free radius servers die.

Under the same conditions but with free radius started in -X (debug) mode, two,
three and more radclients all work fine.

Because I've read that debug mode starts the server single-threaded
but normal mode does not, I suppose there is some concurrency problem
that kills my radius servers.

Anyone had the same issue? Any ideas to resolve it?

We are running freeradius on a Redhat 5.6 VM on VMware vSphere 5
infrastructure.

Thanks in advance

Re: Freeradius crash with two radclient

2012-03-16 Thread Phil Mayers

On 16/03/12 16:57, fulvio fabiani wrote:

> Hi all,
>
> I've a problem with concurrent accounting requests with free radius 2.1.11.


Upgrade to 2.1.12 and try again.


Re: proxy server goes deaf after "Client has closed connection" (RadSec to home server)

2012-03-16 Thread Alan DeKok
Brian Julin wrote:
> request_proxy_anew was assuming its argument would be installed in the
> proxy_list, which wasn't the case, so it was removing it twice causing 
> .num_outgoing counters to roll over.  Then, request_proxy was not expecting
> the case where the argument was already in the proxy_list (put there by
> request_proxy_anew) and was failing when attempting to add it a second
> time.  The latter makes me wonder why or if request_proxy_anew works at all.

  It was tested at one point.  But the code has changed since then.

  It's nice to know that code was understandable.  The state machine in
process.c is complicated enough that I try not to touch it too much.

> The attached patch seems to do the trick.  Some caveats:
> 
> This bypasses (for certain situations) the attempts to make sure that
> a duplicate packet does not reuse the proxy_list ID of its predecessor.
> Not knowing the reasoning behind that, I don't know if that's important
> or not.

  It's not important.

> request_proxy has a "retransmit" flag as a parameter, which might be the
> better test to avoid inserting the entry twice, or might not be.

  I think that flag is independent of the issue you found.

> Off topic, JOOC, while reading through the source I was left wondering what
> prevents proxy_wait_for_reply from entering master-only functions from a
> non-master thread when it falls through the DUP case into the TIMER case.

  Whoops.  You're right.  I'll go commit a fix for that.

  Alan DeKok.


RE: proxy server goes deaf after "Client has closed connection" (RadSec to home server)

2012-03-16 Thread Brian Julin
 

Alan DeKok Wrote
> Brian Julin wrote:
> > The latter makes me wonder why or if request_proxy_anew works at all.
> 
>   It was tested at one point.  But the code has changed since then.

Given the complexity of RADIUS state management, automating a comprehensive
test suite for it would be a very interesting endeavor.  It might even be
worthy of a GSoC project proposal, to get an aspiring coder to flesh out
src/tests, firing up test servers and VMs/fragrouters to really work the
corner cases and cover previous issues from the ML/git-log against regressions.

Not sure how far they would get, but they'd sure learn a lot about application
internetworking by trying, and the resulting framework would probably be
applicable to other heavily-interfaced server suites.

>   It's nice to know that code was understandable.

That... took a while.  I even had to draw pictures.  :-)  If I ever do
that again, maybe I'll finish them enough to submit them as devel docs.

Thanks again for holding it all together, Alan.

--
Brian


Re: Add Users in MySQL database

2012-03-16 Thread Fabricio Flores
I want to know if there is a module that I can add users in the database
before AAA... I can add users with daloRadius but is important that the
user and password in the captive portal be added in the database before
authentication...




-- 
Fabricio A. Flores G.
Egresado en Ingeniería en Sistemas

MSN: fabri_flor...@hotmail.com
Google: fabriflor...@gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo

Blog Personal 

Re: Add Users in MySQL database

2012-03-16 Thread Alan Buxey
Hi,
> I want to know if there is a module that I can add users in the database
> before AAA... I can add users with daloRadius but is important that the
> user and password in the captive portal be added in the database before
> authentication...

Yes. You keep on saying this - but you are not being clear what you mean.

Do you mean that you want to add people to the DB so that they can authenticate
via a captive portal

OR

do you mean you want a system where whatever the user adds to the login screen
gets added to the DB and then they are just allowed to login?

If the latter - and it sounds stupid and horrible - then all you need to do is
run an INSERT command using sql and unlang BEFORE you call the sql authorize module.

alan


IF-MAP Support

2012-03-16 Thread Francois Gaudreault

Hello,

I believe some work has been done on this topic lately with external 
log modules to populate an IF-MAP database, correct?

I am wondering if there is a "working-as-PoC" piece of code available
somewhere?  We are interested in testing and adding support for IF-MAP
in PacketFence (long term project).


Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: IF-MAP Support

2012-03-16 Thread Alan DeKok
Francois Gaudreault wrote:
> I believe some work has been done on this topic lately with external
> log modules to populate an IF-MAP database, correct?

  I've heard rumors.

> I am wondering if there is a "working-as-PoC" piece of code available
> somewhere?  We are interested in testing and adding support for IF-MAP
> in PacketFence (long term project).

  I haven't seen code.

  Alan DeKok.


Question on logging EAP/PEAP authentication rejections

2012-03-16 Thread Josh Hiner
Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in
file/detail format. Currently connection logging is working if the user
authenticates correctly. I can't get access rejects to log though. I've
turned on reply detail but that is only showing successful attempts too.

I have use_tunneled_reply = yes and copy_request_to_tunnel = yes in
eap.conf (need that to do group checking in the users file) but this does
not seem to affect the issue of no rejected logins being logged. Searched
this email list as well as online. Sorry to bother.

Any info would be great. I appreciate your time. Thanks!!!

-Josh

Re: Question on logging EAP/PEAP authentication rejections

2012-03-16 Thread Alan DeKok
Josh Hiner wrote:
> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in
> file/detail format. Currently connection logging is working if the user
> authenticates correctly. I can't get access rejects to log though. I've
> turned on reply detail but that is only showing successful attempts too.

  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

  This is documented.

  Alan DeKok.


Two-Factor Auth using FreeRADIUS

2012-03-16 Thread Ryon Day
Hello all, long-time reader, first time poster to this list. I've watched many 
posters go down in flames on this list, so I'm going to try to learn from their 
mistakes and be as precise as possible; I'm also going to make it known at the 
outset that I have read all the documentation that I can get my hands on and I 
am running FreeRADIUS -X to start it in debug mode!

I am attempting to implement two-factor authentication with LDAP combined with 
FreeRADIUS. As you probably know at this point, many SSL-VPN and network 
control devices only offer both LDAP/AD and RADIUS authentication for their 
devices (some have native SecurID support as well). The client is 
authenticating users with Active Directory as the first-level auth. It is on 
the second-level auth that I have questions.

The authentication mechanism that we are using for the second-factor 
authentication is a one-time password sent to the user via an out-of-band 
mechanism. Therefore, this requires two different interactions with the RADIUS 
server: 

1: Access-Request: SSL-VPN -> FreeRADIUS. This sends the username (and another 
piece of data that I am currently putting in the password field) to the RADIUS 
server.
  *At this point, I have written a JRadius component:
    * On the SSL-VPN side I have PAP authentication selected. That is because 
as above, I am using the password field to transfer another piece of data (the 
delivery method) to RADIUS.
    * It resides in the "authorize" stage of the "default" site in FreeRADIUS
    * It looks the user up in LDAP (again) to obtain his/her E-Mail address to 
send. It then sends the OTP to the e-mail address. This part works perfectly!
    * Then, I construct a new Access-Challenge packet in JRadius, creating a 
new State and copying the initial Access-Request packet's identifier, and 
return from the JRadius handler. This part also works perfectly.

2: Access-Challenge: FreeRADIUS -> SSL-VPN device
This step is where the wheels are falling off the bus. FreeRADIUS does not seem 
to want to send out my Access-Challenge packet; it automatically changes it to 
an Access-Reject. I have even put another handler in the post-auth reject 
handler to change it BACK to an Access-Challenge. At that point, if I do that, 
FreeRADIUS' debug mode reports that it is sending an Access-Request packet to 
the IP address of the NAS (or my RADIUS test program)!


3: Access-Request (original Using state and Packet ID so I can identify the 
request on the back-end JRadius component)
  * Compare passed OTP to stored OTP for that "session". Act accordingly.
  * Obviously this step does not yet work!

I have tried many permutations of Auth-Methods. Since I am using PAP 
authentication on the SSL-VPN side, I initially chose that module, however it 
really does not like my sending that Access-Challenge packet out. I have tried 
commenting lots of things out, even using jradius in the 'PAP' handler of the 
authentication section. At that point, even though the PAP module is not 
running, FreeRADIUS puts the kibosh on my Access-Challenge packet.

This leads me to believe that FreeRADIUS has a very rigid idea of what these 
packets should be depending on auth method. Is there really no use case at all 
for PAP where you would ever send an access challenge?  Are there any "dummy" 
auth methods that just, well, let me do whatever the hell I want? Is it 
possible to implement a new Auth method like this?

Questions:
* Is there any way with current functionality, I can Implement a custom 
challenge flow like the one I am describing? 
* Are there examples of this kind of functionality out there "in the wild" that 
I can look at and use as a model? 
* I greatly enjoy working with JRadius in spite of its occasional wonkiness, 
but I can dust off my C if necessary. Is some sort of JRadius handler combined 
with C FreeRADIUS mods possible? I do not mind writing code if it is necessary, 
but of course I'd prefer not to if it's at all avoidable! (Is this a question 
better posed to the dev list?)


Thank you for any help or guidance you can give me in this matter!



Re: IF-MAP Support

2012-03-16 Thread Alan Buxey
Hi,

> I believe some work has been done on this topic lately with external 
> log modules to populate an IF-MAP database, correct?
> 
> I am wondering if there is a "working-as-PoC" piece of code available
> somewhere?  We are interested in testing and adding support for IF-MAP
> in PacketFence (long term project).

We wrote a perl script to log into an IF-MAP instance - since that code was
written the IF-MAP stuff has been updated to the latest spec, and since we wrote
the code the IF-MAP instance we used has been turned off and we have no current
plans to use IF-MAP presently (for what it was used for, a bit of syslog into
a nice syslog-ng server with a DB backend would do just as well (and be more
usable by other systems - IMHO)).

alan


Re: Two-Factor Auth using FreeRADIUS

2012-03-16 Thread Alan Buxey
Hi,
> Hello all, long-time reader, first time poster to this list. I've watched 
> many posters go down in flames on this list, so I'm going to try to learn 
> from their mistakes and be as precise as possible; I'm also going to make it 
> known at the outset that I have read all the documentation that I can get my 
> hands on and I am running FreeRADIUS -X to start it in debug mode!

...so close! All the details and ideas... and what was missing? The output of
'radiusd -X'   ;-)

alan


AP->FR->LDAP authentication

2012-03-16 Thread Julie
I'm new to FreeRadius and trying to set up the server to authenticate using
LDAP. I'm having some problems and hope to get some help from the list.

I'm trying to set up AP->FR->LDAP. Both FreeRadius and LDAP are new
installations on CentOS. I tried to follow the installation for FR and test
each step. Test accounts are created in both the users file and the LDAP database.
radtest is successful with both accounts.

The problem is when I try to authenticate through the AP. The debug log shows
"Failed to authenticate the user". Here is the log file.

# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "julietest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for julietest
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> julietest
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=julietest)
[ldap]  expand: ou=xxx,dc=,dc=xxx,dc=xxx -> ou=xxx,dc=xxx,dc=xxx,dc=xxx
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=xxx,dc=xxx,dc=xxx,dc=xxx, with filter
(uid=julietest)
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
"{crypt}$1$svVH/H.V$S02th.oBG7iQV0UtFBcVx1"
[ldap] looking for reply items in directory...
[ldap] user julietest authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: julietest
[mschap] Told to do MS-CHAPv2 for julietest with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
MS-CHAP-Error = "\202E=691 R=1"
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}

Thank you very much for your time and help.

Best,
Julie



Re: IF-MAP Support

2012-03-16 Thread Francois Gaudreault

Hi,


> We wrote a perl script to log into an IF-MAP instance - since that code was
> written the IF-MAP stuff has been updated to the latest spec, and since we wrote
> the code the IF-MAP instance we used has been turned off and we have no current
> plans to use IF-MAP presently (for what it was used for, a bit of syslog into
> a nice syslog-ng server with a DB backend would do just as well (and be more
> usable by other systems - IMHO)).

I see.  Well I will try to do something on my side then.  I believe it 
is not that complicated using their perl framework.


Thanks!

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: Add Users in MySQL database

2012-03-16 Thread Fabricio Flores
Mmm, I have a web service so I have users and passwords... So if somebody
wants to login in the captive portal, first I want to see in the web service
if there is this user, and if the user exists I add the user in the mysql
database and freeradius authenticates this user from the mysql database...
On 16/03/2012 19:37, "Alan Buxey" wrote:

Re: Two-Factor Auth using FreeRADIUS

2012-03-16 Thread Ryon Day
>:-( Sometimes it's tough being *almost* perfect.

Will reply back later with an exhaustive list of things I have tried that 
didn't work, their sites-enabled/default configurations, and the debug output!





Re: Add Users in MySQL database

2012-03-16 Thread Fajar A. Nugraha
On Sat, Mar 17, 2012 at 7:55 AM, Fabricio Flores  wrote:
> Mmm, I have a web service so I have users and passwords... So if somebody
> wants to login in the captive portal, first I want to see in the web service
> if there is this user, and if the user exists I add the user in the mysql
> database and freeradius authenticates this user from the mysql database...

I'm pretty sure there was a similar thread earlier about this.

Anyway, for that purpose you do NOT want daloradius/dialupadmin/whatever.

Instead, what you need is:
- a captive portal login page, that supports dynamic processing, that
you can customize (e.g. http://net-mai.net/files/hotspotlogin.php.txt)
- knowledge of that particular programming language (e.g.
http://php.net/docs.php)
- knowledge of how to create users in FR's sql table (e.g.
http://wiki.freeradius.org/rlm_sql)

The "i want to see in the web service if there is this user" part can
be easily done by modifying the hotspotlogin page, and the "add the user
in the mysql database" part is basically you modifying the hotspotlogin
page to just create an entry in radcheck with a (randomly-created)
Cleartext-Password attribute, and possibly another entry with an Expiration
attribute.

After that set the hotspotlogin to redirect to the captive portal
(e.g. chillispot) with the correct generated username and password.
Users don't even need to know what the generated password is. The
process between captive portal and radius is then just another normal
NAS <-> radius AAA process, nothing special about it.

-- 
Fajar


Re: Two-Factor Auth using FreeRADIUS

2012-03-16 Thread Alan DeKok
Ryon Day wrote:
> Hello all, long-time reader, first time poster to this list. I've watched 
> many posters go down in flames on this list, so I'm going to try to learn 
> from their mistakes and be as precise as possible; I'm also going to make it 
> known at the outset that I have read all the documentation that I can get my 
> hands on and I am running FreeRADIUS -X to start it in debug mode!

  It's easy to avoid "flames".  Be honest, be clear, and follow
instructions.

> The authentication mechanism that we are using for the second-factor 
> authentication is a one-time password sent to the user via an out-of-band 
> mechanism. Therefore, this requires two different interactions with the 
> RADIUS server: 
> 
> 1: Access-Request: SSL-VPN -> FreeRADIUS. This sends the username (and 
> another piece of data that I am currently putting in the password field) to 
> the RADIUS server.
>   *At this point, I have written a JRadius component:
> * On the SSL-VPN side I have PAP authentication selected. That is because 
> as above, I am using the password field to transfer another piece of data 
> (the delivery method) to RADIUS.
> * It resides in the "authorize" stage of the "default" site in FreeRADIUS
> * It looks the user up in LDAP (again) to obtain his/her E-Mail address 
> to send. It then sends the OTP to the e-mail address. This part works 
> perfectly!
> * Then, I construct a new Access-Challenge packet in JRadius, creating a 
> new State and copying the initial Access-Request packet's identifier, and 
> return from the JRadius handler. This part also works perfectly.

  You can't create an Access-Challenge packet in jradius.  You can only
create a reply.  If the user isn't accepted, the reply is automatically
a reject.

> 2: Access-Challenge: FreeRADIUS -> SSL-VPN device
> This step is where the wheels are falling off the bus. FreeRADIUS does not 
> seem to want to send out my Access-Challenge packet; it automatically changes 
> it to an Access-Reject. I have even put another handler in the post-auth 
> reject handler to change it BACK to a Access-Challenge. At that point if I do 
> that, FreeRADIUS' debug mode reports that it is sending an Access-Request 
> packet to the IP address of the NAS (or my RADIUS test program)! 

  You need to set the "request->reply->code = PW_ACCESS_CHALLENGE" for
challenges to work.  See rlm_example.

  It's just not set up to do manually created challenges.  The reason is
that 99.% of people get it wrong, and it's not necessary.

> 3: Access-Request (original Using state and Packet ID so I can identify the 
> request on the back-end JRadius component)
>   * Compare passed OTP to stored OTP for that "session". Act accordingly.
>   * Obviously this step does not yet work!

  Does the SSL-VPN even support Access-Challenge?  Some don't.

> This leads me to believe that FreeRADIUS has a very rigid idea of what these 
> packets should be depending on auth method. Is there really no use case at 
> all for PAP where you would ever send an access challenge?  Are there any 
> "dummy" auth methods that just, well, let me do whatever the hell I want? Is 
> it possible to implement a new Auth method like this?

  There are many cases where you can send an Access-Challenge.
HOWEVER... most of them are mandated by the authentication method.  EAP,
MS-CHAP, etc.

> Questions:
> * Is there any way with current functionality, I can Implement a custom 
> challenge flow like the one I am describing? 

  Yes.  See rlm_example.

  You *can't* do it via unlang.

> * Are there examples of this kind of functionality out there "in the wild" 
> that I can look at and use as a model? 
> * I greatly enjoy working with JRadius in spite of its occasional wonkiness, 
> but I can dust off my C if necessary. Is some sort of JRadius handler 
> combined with C FreeRADIUS mods possible? I do not mind writing code if it is 
> necessary, but of course I'd prefer not to if it's at all avoidable! (Is this 
> a question better posed to the dev list?)

  See rlm_example.

  Alan DeKok.
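The two-round-trip flow Alan describes, as an added example that is not code from this thread or from FreeRADIUS: in a real module the reply code is set to Access-Challenge in C (see rlm_example); this Python model only shows the State bookkeeping the server must do and the RFC 2865 Response Authenticator the NAS checks on the challenge. The user name, the shared secret `testing123`, the delivery method string and the OTP value are constructed; PAP hiding of User-Password is left out.

```python
import hashlib
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11       # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # attribute types

def encode_attrs(attrs):
    """Pack [(type, value_bytes), ...] as RADIUS TLVs (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): the NAS recomputes
    this to know the Access-Challenge really came from the server."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

class OtpChallengeServer:
    """Server side: the expected OTP is remembered only under the State value
    handed out with the challenge, and is consumed on first use (no replay)."""
    def __init__(self, secret, send_otp):
        self.secret, self.send_otp, self.pending = secret, send_otp, {}

    def handle(self, ident, req_auth, attrs):
        a = dict(attrs)
        state = a.get(STATE)
        if state is None:                       # step 1: first Access-Request
            state = os.urandom(16)
            self.pending[state] = self.send_otp(a[USER_NAME])   # out-of-band delivery
            code = ACCESS_CHALLENGE
            reply = [(REPLY_MESSAGE, b"Enter the one-time code"), (STATE, state)]
        else:                                   # step 3: State echoed back by the NAS
            expected = self.pending.pop(state, None)   # removed even on a wrong OTP
            code = ACCESS_ACCEPT if expected == a.get(USER_PASSWORD) else ACCESS_REJECT
            reply = []
        return code, reply, response_authenticator(code, ident, req_auth, reply, self.secret)

def run_flow(otp_entered, delivered=b"482913"):
    """Drive both round trips with constructed values; returns the two reply codes."""
    srv = OtpChallengeServer(b"testing123", lambda user: delivered)
    # Step 1: as in the poster's design, the password field carries the delivery method.
    code1, reply1, _ = srv.handle(7, os.urandom(16), [(USER_NAME, b"alice"), (USER_PASSWORD, b"email")])
    state = dict(reply1)[STATE]
    # Step 3: a fresh Access-Request carrying the OTP plus the State attribute unchanged.
    req2 = [(USER_NAME, b"alice"), (USER_PASSWORD, otp_entered), (STATE, state)]
    code2 = srv.handle(8, os.urandom(16), req2)[0]
    return code1, code2
```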


Re: AP->FR->LDAP authentication

2012-03-16 Thread Alan DeKok
Julie wrote:
> The problem is when I try to authenticate through AP. The debug log shows
> Failed to authenticate the user. here is the log file.
...
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
...
>   [ldap] userPassword -> Password-With-Header ==
> "{crypt}$1$svVH/H.V$S02th.oBG7iQV0UtFBcVx1"

  You CANNOT do MS-CHAP with crypt'd passwords.  It's impossible.

  Alan DeKok.


Anybody here? Please help me to test my server.

2012-03-16 Thread ZhenJoey

Hello everybody:
I just set up a freeradius server right now.
Please help me to test it by running
$radtest snan4love 123456 119.127.12.6 1812 12345678
I will be waiting here.

BTW, I did a test myself via a NAS, not radtest, and it doesn't work. Is there
something like a TimeOut in the NAS when it tries to connect to the radius server?
Thank you very much
Joey

Re: Add Users in MySQL database

2012-03-16 Thread Fabricio Flores
OK, you really helped me... Thank you very much...
On 17/03/2012 02:42, "Fajar A. Nugraha" wrote:

> On Sat, Mar 17, 2012 at 7:55 AM, Fabricio Flores 
> wrote:
> > Mmm I have a web service so I have users and passwords... So if somebody
> > wants to log in at the captive portal, first I want to check in the web
> service
> > if there is this user, and if the user exists I add the user to the mysql
> > database and freeradius authenticates this user from the mysql database...
>
> I'm pretty sure there was a similar thread earlier about this.
>
> Anyway, for that purpose you do NOT want daloradius/dialupadmin/whatever.
>
> Instead, what you need is:
> - a captive portal login page, that supports dynamic processing, that
> you can customize (e.g. http://net-mai.net/files/hotspotlogin.php.txt
> )
> - knowledge on that particular programming language (e.g.
> http://php.net/docs.php )
> - knowledge on how to create users on FR's sql table. (e.g.
> http://wiki.freeradius.org/rlm_sql )
>
> The "i want to see in the web service if there is this user" part can
> be easily done by modifying the hotspotlogin page, and the "add the user
> in the mysql
> database" part is basically you modify the hotspotlogin page to just
> create an entry in radcheck with a (randomly-created) Cleartext-Password
> attribute, and possibly another entry with an Expiration attribute.
>
> After that set the hotspotlogin to redirect to the captive portal
> (e.g. chillispot) with the correct generated username and password.
> Users don't even need to know what the generated password is. The
> process between captive portal and radius is then just another normal
> NAS <-> radius AAA process, nothing special about it.
>
> --
> Fajar

RE: AP->FR->LDAP authentication

2012-03-16 Thread Julie Chen
Yes, I understand that. But I'm having a little problem figuring out the right 
configuration.  Would someone please advise on the configuration file?

[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

I'm using the default inner-tunnel and just added ldap to the authorize section.

Thanks
Julie
