Re: update reply problem

2012-03-26 Thread Ana Gallardo Gómez
Hello again,

I can't resolve my problem and I don't know if it is a bug or a configuration
error...

   update reply {
       Codigo-Reject = Imposible-Contactar-Backend
   }

Operator = acts like :=

Ideas?

Thanks very much

:: Ana Gallardo Gómez ::

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MAC-Auth issues with rlm_perl

2012-03-26 Thread Phil Mayers

On 03/26/2012 10:01 AM, Glen Harris wrote:


Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
MD5 and PAP.

I'm trying to set up a simple MAC-Auth based network using HP 2610
switches and MSM640 wireless APs as radius clients. I've added the AP to


This is a matter of choice, but personally I would advise against using 
MAC-auth on wireless. It provides illusory security, and 802.1x is 
pretty easy on modern equipment. Your call, however.



the clients.conf and configured the AP to use MAC-based authentication
and it appears to be talking to FreeRadius using MSCHAPv2 correctly.


Well, see below for more on this; IMO it's not correct to use MSCHAPv2 
for mac-auth. It's a hack, presumably created for people with dumb 
radius servers that assume every authentication is tied to something with 
a username/password.




We only have a few dozen clients, so I'm using the perl module to read
and cache a text file of MAC addresses. My script watches the file's
mtime and re-loads it as necessary. I've followed the instructions on
http://wiki.freeradius.org/Rlm_perl, but I get the following error:

/etc/freeradius/users[204]: Parse error (check) for entry DEFAULT:
Unknown value Perl for attribute Auth-Type


Why are you trying to set Auth-Type to Perl? Since the requests are 
MSCHAP, unless you've written a full MSCHAP implementation in Perl, you 
won't be able to authenticate them.


If you just want to whitelist MACs, run perl in authorize.



After some trial and error, I found that adding perl to the authorize
and authenticate sections of sites-available/inner-tunnel would get rid
of the error, but I have no idea if that solved the problem or merely
masked it and caused the next one.

There appears to be something seriously wrong with the way this config
is working, because rlm_perl is calling the AUTHORIZE function but not
AUTHENTICATE. I've pasted the debug of an authentication attempt below.
It appears to be taking the CLIENT mschap authentication and somehow
applying those attributes to mangle USER authentication.


I don't understand this paragraph. What do you mean by client mschap 
authentication and mangle user authentication.


In any event - the problems are all spelt out in the debug if you read 
carefully:




rad_recv: Access-Request packet from host 192.168.0.29 port 35063, id=48, length=275
Acct-Session-Id = 1ca83cd8-00013b2c
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
NAS-Identifier = CN18D332BD
NAS-IP-Address = 192.168.0.29
User-Name = 984b4af5bf40
Calling-Station-Id = 98:4b:4a:f5:bf:40
Called-Station-Id = 2c:41:38:f4:f5:c0
Service-Type = Login-User
MS-CHAP-Challenge = 0x5ec43b8666ef945c1db7a14cc42da516
MS-CHAP2-Response = 0x3000f12947d93103bfe476001a4f8d6fcc680000fe6dae7fbe3907cbb43186ffcc0ed0f6f16a31b47731bdba
Colubris-AVPair = ssid=TSV-UC
Colubris-AVPair = phytype=IEEE802dot11n
Message-Authenticator = 0xf6affdfe1901c35141d3128eed2c515e


The above is an MSCHAP request. However, the username appears to be a 
MAC address, so maybe the NAS is trying to do MSCHAP mac auth. Sigh.



# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'


The mschap module sets Auth-Type to itself, correctly.


++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = 984b4af5bf40, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 204

snip


++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP


Auth-Type is still MSCHAP


# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.


No password is set, therefore auth is going to fail...


[mschap] Creating challenge hash with username: 984b4af5bf40
[mschap] Told to do MS-CHAPv2 for 984b4af5bf40 with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject


...and auth fails.

I am going to take a wild guess, that your NAS does MAC-auth via an 
mschap request. I am going to guess the password it uses is either the 
same as the username, or a fixed value.


You could try adding lines like this to the users file:

984b4af5bf40    Cleartext-Password := 984b4af5bf40

Or, if your NAS can be made to do so, disable the dumb let's do MAC-auth 
by simulating 
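As an added example (not from Phil's or Glen's posts), here is the users-file form of the workaround Phil sketches for MSCHAP-based MAC-auth. It assumes, as Phil guesses above, that the NAS sends the MAC as both the User-Name and the MS-CHAPv2 password; the Reply-Message strings are constructed, and the NAS address and MAC are the ones from the debug output. Each permitted MAC gets a known-good password so rlm_mschap can verify the MS-CHAP2-Response, and everything else from that NAS is rejected in authorize before the mschap module ever runs.

```text
# /etc/freeradius/users  (added example; assumes the NAS uses the MAC as both
# User-Name and MS-CHAPv2 password, which is only a guess from the debug output)

# One entry per permitted MAC, written exactly as the NAS sends it in
# User-Name (lower-case hex, no separators, as in the debug above). The
# Cleartext-Password is what rlm_mschap needs to build the NT-Password
# hash and check the MS-CHAP2-Response.
984b4af5bf40    Cleartext-Password := "984b4af5bf40"
                Reply-Message = "MAC-auth accepted"

# Any other User-Name arriving from the MAC-auth NAS (192.168.0.29 in the
# debug) is rejected here, so the "No NT/LM-Password" failure seen above
# never occurs for unknown devices. Limiting the entry to that NAS keeps it
# from rejecting real users on other clients served by the same users file.
DEFAULT         NAS-IP-Address == 192.168.0.29, Auth-Type := Reject
                Reply-Message = "Unknown MAC address"
```

In `radiusd -X` the files module should then report the matched entry (`[files] users: Matched entry 984b4af5bf40 ...` or the DEFAULT line) and, for a listed device, rlm_mschap should no longer complain about a missing NT-Password. Note what this does and does not give you: the "password" is the device's own MAC, which is also sent in the clear as Calling-Station-Id, so the entries form an allow-list of addresses rather than an authentication of the device, which is exactly Phil's "illusory security" point.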

Re: newbiie

2012-03-26 Thread Khapare Joshi
Hello there,

I am now progressing, I think, but got stuck. I enabled the ldap plugin.
radiusd -X displays all the correct info, but when I try to connect to the VPN
from a Windows client, here is the error I get. Maybe you guys have some tips
on it.

GRE: read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error =
Input/output error, usually caused by unexpected termination of pppd, check
option syntax and pppd logs
Mar 26 10:58:10 blade201 pptpd[21153]: CTRL: PTY read or GRE write failed
(pty,gre)=(6,7)
Mar 26 10:58:10 blade201 pptpd[21153]: CTRL: Client 192.168.1.1 control
connection finished
Mar 26 10:58:14 blade201 pptpd[21162]: CTRL: Client 192.168.1.1 control
connection started
Mar 26 10:58:14 blade201 pptpd[21162]: CTRL: Starting call (launching pppd,
opening GRE)
Mar 26 10:58:14 blade201 pppd[21163]: Plugin radius.so loaded.
Mar 26 10:58:14 blade201 pppd[21163]: RADIUS plugin initialized.
Mar 26 10:58:14 blade201 pppd[21163]: Plugin radattr.so loaded.
Mar 26 10:58:14 blade201 pppd[21163]: RADATTR plugin initialized.
Mar 26 10:58:14 blade201 pppd[21163]: Plugin
/usr/lib64/pptpd/pptpd-logwtmp.so loaded.
Mar 26 10:58:14 blade201 pppd[21163]: pppd 2.4.5 started by root, uid 0
Mar 26 10:58:14 blade201 pppd[21163]: Using interface ppp0
Mar 26 10:58:14 blade201 pppd[21163]: Connect: ppp0 -- /dev/pts/1
Mar 26 10:58:17 blade201 pptpd[21162]: CTRL: Ignored a SET LINK INFO packet
with real ACCMs!
Mar 26 10:58:17 blade201 pppd[21163]: rc_read_dictionary: unknown vendor on
line 22 of dictionary /etc/radiusclient-ng/dictionary.microsoft
Mar 26 10:58:17 blade201 pppd[21163]: RADIUS: Can't read dictionary file
/etc/radiusclient-ng/dictionary
Mar 26 10:58:17 blade201 pppd[21163]: Peer nema...@hi.is failed CHAP
authentication
Mar 26 10:58:17 blade201 pppd[21163]: Connection terminated.
Mar 26 10:58:17 blade201 pppd[21163]: Exit.
Mar 26 10:58:17 blade201 pptpd[21162]: GRE:
read(fd=6,buffer=611860,len=8196) from PTY failed: status = -1 error =
Input/output error, usually caused by unexpected termination of pppd, check
option syntax and pppd logs
Mar 26 10:58:17 blade201 pptpd[21162]: CTRL: PTY read or GRE write failed
(pty,gre)=(6,7)

It seems I need some lines in my dictionary.microsoft file for pppd. How do
I add this? All I am trying to do here is have pppd delegate an IP pool for
the client and RADIUS authenticate the user via LDAP. Where am I missing
something?

Any help would be appreciated.

K

On Fri, Mar 23, 2012 at 10:53 PM, Khapare Joshi khapar...@gmail.com wrote:

 Thanks guys, I should have searched for it :) I configured the ldap section
 that fits my environment. Now, how do I load this ldap module in the
 radiusd.conf file so it will use ldap authentication? Also, where can I add
 the redundant ldap server in the ldap module? Sorry for too many of my early
 beginner's questions.

 K

 On Fri, Mar 23, 2012 at 9:17 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 I just checked in modules directory but could not find anything with
 ldap.
 This is what is in my /etc/raddb:

 you installed via package manager?  you've probably got a freeradius-ldap
 package you need to install

 alan




Re: newbiie

2012-03-26 Thread Alan DeKok
Khapare Joshi wrote:
 I am now progressing, I think, but got stuck. I enabled the ldap
 plugin. radiusd -X displays all the correct info, but when I try to connect
 to the VPN from a Windows client, here is the error I get. Maybe you guys have
 some tips on it.
...
 Mar 26 10:58:17 blade201 pppd[21163]: rc_read_dictionary: unknown vendor
 on line 22 of dictionary /etc/radiusclient-ng/dictionary.microsoft
 Mar 26 10:58:17 blade201 pppd[21163]: RADIUS: Can't read dictionary file
 /etc/radiusclient-ng/dictionary

  What is unclear about that message?

  It looks like you edited the dictionary file, and broke it.  Don't do
that.

 It seems I need some lines in my dictionary.microsoft file for pppd. How
 do I add this? All I am trying to do here is have pppd delegate an IP pool
 for the client and RADIUS authenticate the user via LDAP. Where am I
 missing something?

  You don't edit the dictionaries.  All of the configuration is done in
FreeRADIUS.

  Alan DeKok.


Re: TCP/TLS - radsec / application

2012-03-26 Thread Jason Rohm



I am a little concerned about the 'save some EAP stuff that I'm not using
and was able
to disable around' - you will need to ensure that OpenSSL-devel packages
are installed
so that you can compile in the TLS support.

The EAP stuff was related to EAP-Pwd or something. It was a runtime
problem (bug), not a compile problem. I have no use for the EAP-Pwd option
in my environment and can't test, so I'll leave that to someone else to
report/repair.

I was able to get the TCP/TLS working as expected with the provided sample
certs. 

Thanks for pointing me in the right direction. It was pretty simple once I
saw a working example.

Jason Rohm




Re: update reply problem

2012-03-26 Thread Alan DeKok
Ana Gallardo Gómez wrote:
 I can't resolve my problem and I don't know if it is a bug or a configuration
 error...
 
   update reply {
  Codigo-Reject = Imposible-Contactar-Backend
   }

  Is this only in Post-Auth-Type Reject?

 Operator = act like :=
 
 ¿ideas?

  What does radiusd -Xxx say ?

  Alan DeKok.


load balancing and if statements

2012-03-26 Thread Scott McLane Gardner
FR 2.1.10 on Linux

I want to load balance my LDAP servers, but I also want to do some
checking for group membership. Reading the documentation at
http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
makes me think I can use if and elsif statements in a load balancing block,
as long as the rules in the table are followed. However,
when I try to do this, I get the following errors in my log:

/etc/freeradius/sites-enabled/default[173]: load-balance sections cannot
contain a if statement

Here is the configuration I am attempting:

load-balance {
    ldap1

    if (Ldap-Group == "NET Staff") {
        if (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4) {
            update reply {
                Passport-Access-Priority = 6
            }
        }
    }
    # Reject everyone else to the routers
    elsif (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4 ||
           NAS-IP-Address == 10.51.0.1 || NAS-IP-Address == 10.51.0.2) {
        reject
    }

    ldap2

    if (Ldap-Group == "NET Staff") {
        if (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4) {
            update reply {
                Passport-Access-Priority = 6
            }
        }
    }
    # Reject everyone else to the routers
    elsif (NAS-IP-Address == 10.52.6.5 || NAS-IP-Address == 10.52.6.4 ||
           NAS-IP-Address == 10.51.0.1 || NAS-IP-Address == 10.51.0.2) {
        reject
    }
}


If I can't use if statements in a load balance block, can anyone suggest
another way to go about accomplishing what I want to do here?

Thank you,
Scott



RE: load balancing and if statements

2012-03-26 Thread Brian Julin
 

Scott McLane Gardner Wrote:

 Here is the configuration I am attempting:
 
 load-balance {
 ldap1
 
 if (Ldap-Group == "NET Staff") {


I cannot answer your question about if statements, but this
much is clear: the Ldap-Group check attribute will query
the ldap module that was instantiated last.  If you want 
to query a specific module, you have to use modulename-Ldap-Group.

Similarly for ldap xlats, you have to use the module name.

(A sensible wishlist item might be to have load-balance sections
in the instantiate section register the same hooks as their
submodules, then you'd be able to name the load-balance and
use lbr-modulename-Ldap-Group.  But that sounds mildly
hairy to implement.)




Re: load balancing and if statements

2012-03-26 Thread Alan Buxey
hi,

a quick glance at your question and I'd say you'd be better off using
simple entries in the users file - simple check items (use huntgroups
for your NAS addresses) with LDAP groups.

match the good stuff, set reply

match the bad stuff, set reject.


alan
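The huntgroups-plus-users approach Alan suggests, written out as an added example that is not from any post in this thread. It keeps the load-balance block to bare module names, which is what the parse error in Scott's post requires, and moves the NAS and group logic into check items. The huntgroup names, the ldap1/ldap2 instance names, the Reply-Message strings and the file paths are assumptions; the NAS addresses, the group name and the Passport-Access-Priority reply attribute are the ones from Scott's configuration. Following Brian's point that a bare Ldap-Group check is answered by whichever ldap instance was instantiated last, the instance-qualified ldap1-Ldap-Group form is used so the check is explicit.

```text
# /etc/freeradius/sites-enabled/default, authorize section (added example)
authorize {
        preprocess      # reads the huntgroups file and provides the
                        # Huntgroup-Name check item used in users below
        # other modules (chap, mschap, suffix, eap, ...) as in the stock config

        # Only module names inside load-balance: 2.1.x rejects "if" here.
        load-balance {
                ldap1
                ldap2
        }
        files           # evaluates the users entries below
        # pap, expiration, logintime, ... as in the stock config
}

# /etc/freeradius/huntgroups (assumed path): which NASes count as routers
core-routers    NAS-IP-Address == 10.52.6.5
core-routers    NAS-IP-Address == 10.52.6.4
routers         NAS-IP-Address == 10.52.6.5
routers         NAS-IP-Address == 10.52.6.4
routers         NAS-IP-Address == 10.51.0.1
routers         NAS-IP-Address == 10.51.0.2

# /etc/freeradius/users: order matters, the first matching entry wins and
# processing stops there unless it sets Fall-Through = Yes.

# NET Staff on one of the two core routers: grant the priority and stop.
DEFAULT Huntgroup-Name == "core-routers", ldap1-Ldap-Group == "NET Staff"
        Passport-Access-Priority = 6,
        Reply-Message = "Staff access with priority"

# NET Staff on any other router: allowed, nothing extra to add, stop.
DEFAULT Huntgroup-Name == "routers", ldap1-Ldap-Group == "NET Staff"
        Reply-Message = "Staff access"

# Anyone else who reached a router is rejected before authentication runs.
DEFAULT Huntgroup-Name == "routers", Auth-Type := Reject
        Reply-Message = "Not permitted on network devices"

# Requests from all other NASes match none of the above and continue as
# ordinary users.
```

Two things to keep in mind with this layout. The Ldap-Group comparison is a separate LDAP query made by the files module's comparison callback, independent of which instance the load-balance block picked for the user lookup, so pinning it to ldap1 means group checks are not load-balanced even though the user lookups are. And because the reject entry relies on the staff entries matching first, any new "allow" rule for routers has to be inserted above it; a users entry with no Fall-Through stops at the first match, which is what makes the ordering safe.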