Re: EAP-PEAP + Windows 7 with SSO and Password change
CD DD wrote:
>> The MSCHAP password change code looks for the string "Password expired"
>> in the output of the ntlm_auth command. If your ntlm_auth is printing
>> something different, it'll just assume it's a regular failure.
>
> Sure, here is the debug output:

Which doesn't contain the string "Password expired". That's why it's failing.

> Exec-Program output: Must change password (0xc224)
> Exec-Program-Wait: plaintext: Must change password (0xc224)
> Exec-Program: returned: 1

Phil already explained this. The debug log (while large) is pretty clear on this. I'll take a look to see if it can be fixed before the next release.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Behavior on LDAP outage
Ok, here is probably a use case for silently dropping rejects. That way your NAS will behave okay, but you only want to do this if the LDAP is down... so you need to base it on that condition. That's if you want to keep it all in the server; you could have an external cronjob or such that checks LDAP and stops/starts the radius daemon.

alan
--
This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: rlm_perl module not executing authenticate
Diego Matute wrote:
> What is the best practice for this? Should the Auth-Type be set in
> /etc/raddb/users, within the module, /etc/raddb/sites-available/*?

It should be set wherever you want.

Alan DeKok.
Re: MySQL Backend
On Wed, Jun 13, 2012 at 5:08 AM, Rampage wrote:
> acctstoptime seems to be the timestamp of when the NAS sends the stop, still
> the entry from the db is not deleted, so i have an entry for each session
> start,

That's the default setup. Most people will need the historical accounting records for e.g. calculating remaining usage for quota-based users, or simply for reporting.

> i'm worried that this might cause an infinite database growth in the
> future when the service goes in production environment.

You need to maintain it :)

If you DON'T need accounting records, then either:
- don't use sql on accounting section, OR
- modify the queries (sql/mysql/dialup.conf) to do what you want (e.g. delete the record on acct stop)

> the NAS is the PfSense captive portal, which afaik is a chillispot.

Chillispot should work fine. Depending on what you need, you might want to turn on interim update (via Acct-Interim-Interval reply attribute). Make sure it's larger than 60 seconds though, otherwise chillispot will ignore it.

--
Fajar
Re: rlm_perl module not executing authenticate
On Wed, Jun 13, 2012 at 6:01 AM, Diego Matute wrote:
>> > 2/ How does Auth-Type get set? I've read a bunch of forum threads and it
>> > looks like best practice nowadays is to let the server figure it out and
>> > not set it explicitly in /etc/raddb/users, however it isn't being set.
>>
>> It isn't being set because the default distribution doesn't use rlm_perl.
>>
>> If you want to *force* usage of rlm_perl, you need to set Auth-Type.
>> If you want to let the server just do the right thing, leave everything
>> alone.
>
> What is the best practice for this? Should the Auth-Type be set in
> /etc/raddb/users, within the module, /etc/raddb/sites-available/*?

Why do you want to set Auth-Type? As Alan already said, if you want to let the server just do the right thing, leave everything alone. Meaning, you leave auth-type alone, use rlm_perl to supply user data (e.g. cleartext-password) as needed during authorization, and let the default authentication methods (pap, mschap, etc) do their job. If you force set auth-type, then you're not following best practice.

That being said, from within rlm_perl you could probably set the attribute on %RAD_CHECK (or is it %RAD_CONFIG?). If ALL your users will use perl to authenticate then something like the default section on /etc/raddb/users should do.

--
Fajar
Behavior on LDAP outage
hi all,

I had an issue today where an LDAP server being relied upon by FreeRadius was unreachable, however FreeRadius returned the default authentication status for the user. The problem is, the NAS authenticating the users against FreeRadius considered the default authentication response (reject) to be a sign that FreeRadius on the server was OK and didn't fail over to the secondary server.

I was expecting it to return unreachable or just time out, instead of running the default auth behavior, but maybe I've missed a configuration option or have incorrect assumptions.

The setup is 2x servers, each running Radius and LDAP with LDAP replication in place. If the primary server is entirely unreachable, the NASes being used have no issue failing over to the secondary. It only didn't fail over because the NAS believed that the primary was working. :-(

Example of a test run when the LDAP server on the host is stopped:

# radtest test test123 127.0.0.1 0 testing1234
Sending Access-Request of id 108 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=108, length=108
        Reply-Message = "Authentication denied - user does not belong to any suitable groups to access this NAS"

End of the users file, showing the default reject behavior defined:

# tail /etc/raddb/users
DEFAULT Huntgroup-Name == admins, Ldap-Group == "cn=admins,ou=Group,dc=example,dc=com", User-Profile := "cn=admins,ou=Group,dc=example,dc=com"
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "Authentication denied - user does not belong to any suitable groups to access this NAS"

And of course, relevant radius logs:

# tail /var/log/radius/radius.log
Wed Jun 13 11:33:14 2012 : Auth: Invalid user: [test] (from client localhost port 0)
Wed Jun 13 11:34:48 2012 : Error: [ldap] could not start TLS Can't contact LDAP server
Wed Jun 13 11:34:48 2012 : Error: [ldap] (re)connection attempt failed
Wed Jun 13 11:34:48 2012 : Error: [ldap] could not start TLS Can't contact LDAP server
Wed Jun 13 11:34:48 2012 : Error: [ldap] (re)connection attempt failed

Aside from "make sure your LDAP server doesn't die", ;-) can anyone make any recommendations around the best approach to take, so that in event of an LDAP outage on one host, FreeRadius returns a result (or nothing at all) that causes the NAS to fail over to the secondary host?

Using FreeRadius 2.1.12.

many thanks,
jethro

--
Jethro Carr
www.jethrocarr.com
Re: rlm_perl module not executing authenticate
Thanks for the quick response. Inline.

On Tue, Jun 12, 2012 at 10:44 AM, Alan DeKok wrote:
> Diego Matute wrote:
> > I've installed freeradius and other packages on a vanilla amazon ec2
> > instance and am trying to get the rlm_perl module working. Ultimately
> > the authenticate function in the perl script is not being run. Here are
> > the details.
> ...
> > 1/ Request comes in and authorize is being called within rlm_perl. The
> > print statement is not outputting on the server side?
>
> The modules aren't permitted to print to STDOUT or STDERR.

Got it.

> > 2/ How does Auth-Type get set? I've read a bunch of forum threads and it
> > looks like best practice nowadays is to let the server figure it out and
> > not set it explicitly in /etc/raddb/users, however it isn't being set.
>
> It isn't being set because the default distribution doesn't use rlm_perl.
>
> If you want to *force* usage of rlm_perl, you need to set Auth-Type.
> If you want to let the server just do the right thing, leave everything
> alone.

What is the best practice for this? Should the Auth-Type be set in /etc/raddb/users, within the module, /etc/raddb/sites-available/*?

> Alan DeKok.
Re: Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept
On 12/06/2012 14:08 PDT, Alan DeKok wrote:
> Note that everything BUT the Reply-Message belongs on the first line
> with the "DEFAULT". The Reply-Message belongs on the second line.

*sigh*, moving the Auth-Type :- Reject to the first line fixed this. I thought that Auth-Type was a reply item and therefore went on the second line. Thank you for your assistance.

Michael
--
http://michael.gorven.za.net
PGP Key ID 1E016BE8
Re: MySQL Backend
On 12/06/2012 23:11, Alan DeKok wrote:
> Rampage wrote:
>> i also noticed that the radacct table contains one account for each time
>> i perform a login for the specific user, is it normal?
>
> That's what your NAS is telling it to do. The NAS is sending an accounting
> "start" for each login. And probably no "stop"

Thanks for your reply, actually i think a stop is sent because it's registered in the radacct table:

mysql> select * from radacct\G
*** 1. row ***
           radacctid: 1
       acctsessionid: e1dcb98e63c83cb5
        acctuniqueid: f258863473f21879
            username: ciccio
           groupname:
               realm:
        nasipaddress: 192.168.10.1
           nasportid: 2
         nasporttype: Ethernet
       acctstarttime: 2012-06-12 11:28:00
        acctstoptime: 2012-06-12 12:28:00
     acctsessiontime: 3600
       acctauthentic: RADIUS
   connectinfo_start:
    connectinfo_stop:
     acctinputoctets: 5347401
    acctoutputoctets: 66632775
     calledstationid: 192.168.10.1
    callingstationid: 00-0c-29-70-97-19
  acctterminatecause: Session-Timeout
         servicetype: Login-User
      framedprotocol:
     framedipaddress: 192.168.10.103
      acctstartdelay: 0
       acctstopdelay: 0
xascendsessionsvrkey:

acctstoptime seems to be the timestamp of when the NAS sends the stop, still the entry from the db is not deleted, so i have an entry for each session start, i'm worried that this might cause an infinite database growth in the future when the service goes in production environment.

the NAS is the PfSense captive portal, which afaik is a chillispot.

thanks
Francesco
Re: EAP-PEAP + Windows 7 with SSO and Password change
On 06/12/2012 06:47 PM, CD DD wrote:
> Exec-Program output: Must change password (0xc224)
> Exec-Program-Wait: plaintext: Must change password (0xc224)

Ok. ntlm_auth is returning something different to what I saw in testing. Have you set the "must change password at next login" bit, as opposed to the "expired" bit?

Try this:

1. Edit src/modules/rlm_mschap/rlm_mschap.c about line 1100, where it says:

        if (strstr(buffer, "Password expired")) {

   ...to read:

        if (strstr(buffer, "Password expired") ||
            strstr(buffer, "Must change password")) {

2. Re-compile and re-install
3. Test again

There's no great way to parse the output of ntlm_auth. I guess we could make the string a regexp comparison against the output, and at least make it an item in the config file (with a sensible default) so that if more such cases come up, or Samba change their output, it can be fixed without a recompile.
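Phil's closing idea, a configurable list of regex patterns instead of one hard-coded substring, sketched below as an added example; this is not rlm_mschap code, and the enum, function and pattern-list names are this example's own. The constructed input is the "Must change password (0xc224)" line from this thread with ntlm_auth exiting non-zero.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* How one ntlm_auth run should be treated (names are this example's own,
 * not rlm_mschap's). */
enum ntlm_result {
    NTLM_OK = 0,                /* ntlm_auth exited 0: password accepted */
    NTLM_PASSWORD_EXPIRED = 1,  /* start the MS-CHAPv2 password-change flow */
    NTLM_FAILED = 2             /* any other failure: plain reject */
};

/* What the code in the thread effectively does today: one fixed string. */
static const char *legacy_patterns[] = { "Password expired", NULL };

/* A sensible default for a hypothetical config item: POSIX extended regexes,
 * any of which marks the output as "password expired".  Admins could extend
 * this list without a recompile when Samba changes its wording. */
static const char *default_patterns[] = {
    "Password expired",
    "Must change password",
    NULL
};

/* Classify one ntlm_auth run.  exit_code is the program's exit status and
 * buffer is its captured stdout, e.g. "Must change password (0xc224)".
 * Patterns compile with REG_ICASE so a change in letter case alone does not
 * turn a password-change case back into a plain failure. */
enum ntlm_result classify_ntlm_auth(int exit_code, const char *buffer,
                                    const char **patterns)
{
    if (exit_code == 0) return NTLM_OK;

    for (const char **p = patterns; *p; p++) {
        regex_t re;
        /* A pattern that fails to compile is skipped, never treated as a
         * match; a real implementation would reject it at config load. */
        if (regcomp(&re, *p, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) continue;
        int rc = regexec(&re, buffer, 0, NULL, 0);
        regfree(&re);
        if (rc == 0) return NTLM_PASSWORD_EXPIRED;
    }
    return NTLM_FAILED;   /* "regular failure": MS-CHAP-Error E=691 path */
}

int main(void)
{
    /* Constructed sample: the line seen in this thread, ntlm_auth exited 1. */
    const char *out = "Must change password (0xc224)";
    printf("legacy pattern : %d\n", classify_ntlm_auth(1, out, legacy_patterns));  /* 2 */
    printf("default list   : %d\n", classify_ntlm_auth(1, out, default_patterns)); /* 1 */
    return 0;
}
```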
Re: MySQL Backend
Rampage wrote:
> Let's say i successfully managed to bind freeRADIUS to mysql, i can
> connect it and no errors are present, i created all proper tables, and
> database accounts to have freeRADIUS talk to mysql.
>
> the problem is.. ok but now, which information do i put where?

See doc/rlm_sql.

> i'd start from a simple example..
>
> let's say i have the user
>
> "testuser"
> "cleartext-password"
> :=
> "testpassword"
>
> if i add these values in the radcheck table, i can successfully
> authenticate testuser from my NAS.

That's how it works.

> Now let's say i'd like to limit the user to using the service for only
> 1 hour a day.
> if i recall correctly there is a parameter that says:
>
> Max-Daily-Session := 3600 (seconds)
>
> but, where do i have to add this value? still to the radcheck? or
> radreply? or where else?

In radcheck.

> i also noticed that the radacct table contains one account for each time
> i perform a login for the specific user, is it normal?

That's what your NAS is telling it to do. The NAS is sending an accounting "start" for each login. And probably no "stop"

> is there a table that contains usernames in a unique manner?

Only if you create it.

> so that i
> can eventually link it to another table containing further information
> about the user (name, surname etc?)

Only if you create it. The default schema does what's needed for RADIUS. It doesn't do anything else.

> sorry if i ask here but really i couldn't understand this from the wiki :(

It's good to ask *specific* questions. Like "I read page X paragraph Y, and didn't understand concept Z". That lets us help you with the details.

Saying "I didn't understand things" means our response is "What part of the documentation is unclear?"

Alan DeKok.
Re: Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept
Michael Gorven wrote:
> I have setup WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu
> 10.04.4 with an OpenLDAP backend, and can successfully authenticate
> using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and
> using eapol_test). I am now trying to restrict access to specific SSIDs
> based on the LDAP groups which users belong to.

Write down in plain English what you want to happen. Not "I want to restrict access", but "when X happens and Y happens, then do Z"

> From what I can gather, I need to add appropriate rules to
> /etc/freeradius/users which match the SSID/group combinations, and
> reject everything else. The problem I'm having is with the default
> reject, not the SSID/group matching.
>
> My first attempt was this:
>
> DEFAULT Ldap-Group == "employees"

This says "match the LDAP group employees". Note it *doesn't* say do anything else.

> DEFAULT Auth-Type := Reject

This says "always reject the user".

> But this immediately rejects the Access-Request in the outer tunnel,
> because the "anonymous" user is not in the "employees" group. I then
> modified it to this so that it only matches inner tunnel requests:
>
> DEFAULT Ldap-Group == "employees"
> DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
>         Auth-Type := Reject, Reply-Message = "User does not belong to
> any groups which may access this SSID."

That is very wrong on many levels. You've switched the "Auth-Type := Reject" from the first line to the second. That WILL NOT WORK.

This is documented. Read "man users", and the comments in the default "users" file. There is extensive documentation on the format, and how it works.

> The inner tunnel Access-Request is now sent and members of the
> "employees" group are accepted, but non-members are not actually
> rejected. I see the users entry being matched, and the Reply-Message is
> even set, but the server responds with Access-Accept and eapol_test
> reports SUCCESS.

Because that's what you told it to do.

> Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting
> copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and
> TTLS sections, but this didn't make a difference. How do I actually
> reject an inner tunnel request?

Edit raddb/sites-available/inner-tunnel. See "man unlang" for the format.

Or, read "man users", and create a *good* entry in the "users" file:

DEFAULT Ldap-Group != "employees", FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."

Note that everything BUT the Reply-Message belongs on the first line with the "DEFAULT". The Reply-Message belongs on the second line.

Again, this is extensively documented.

Alan DeKok.
Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept
Hi

I have setup WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 with an OpenLDAP backend, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which users belong to.

From what I can gather, I need to add appropriate rules to /etc/freeradius/users which match the SSID/group combinations, and reject everything else. The problem I'm having is with the default reject, not the SSID/group matching.

My first attempt was this:

DEFAULT Ldap-Group == "employees"
DEFAULT Auth-Type := Reject

But this immediately rejects the Access-Request in the outer tunnel, because the "anonymous" user is not in the "employees" group. I then modified it to this so that it only matches inner tunnel requests:

DEFAULT Ldap-Group == "employees"
DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
        Auth-Type := Reject, Reply-Message = "User does not belong to any groups which may access this SSID."

The inner tunnel Access-Request is now sent and members of the "employees" group are accepted, but non-members are not actually rejected. I see the users entry being matched, and the Reply-Message is even set, but the server responds with Access-Accept and eapol_test reports SUCCESS.

Debug:

rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
Info: [files] users: Matched entry DEFAULT at line 209
Info: ++[files] returns ok
...
Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
Info: WARNING: Empty section. Using default return values.
...
Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Got tunneled reply RADIUS code 2
        Auth-Type := Reject
        Reply-Message = "User does not belong to any groups which may access this SSID."
...
Info: [peap] Tunneled authentication was successful.
Info: [peap] SUCCESS
Info: [peap] Saving tunneled attributes for later
...
Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = "User does not belong to any groups which may access this SSID."
        User-Name = "mgorven"

eapol_test receives an Access-Accept with the Reply-Message set.

RADIUS message: code=2 (Access-Accept) identifier=11 length=233
   Attribute 18 (Reply-Message) length=64
      Value: 'User does not belong to any groups which may access this SSID.'
   Attribute 1 (User-Name) length=9
      Value: 'mgorven'
...
SUCCESS

Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and TTLS sections, but this didn't make a difference. How do I actually reject an inner tunnel request?

Michael
--
http://michael.gorven.za.net
PGP Key ID 1E016BE8
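The failure in this thread (and the fix in Alan's reply) comes down to users-file layout: check items such as Auth-Type belong on the first line with DEFAULT, reply items on the indented lines that follow, and an Auth-Type placed on a reply line is simply copied into the reply, as the "Got tunneled reply code 2 / Auth-Type := Reject" debug lines show. The following is an added example, not part of the thread or of FreeRADIUS, that parses one users-file entry and reports check-only attributes that ended up on a reply line; the check_only list is an assumption limited to the attributes used in this thread, and the sample entries are the wrong and the corrected one from the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Attributes that only have meaning as check items, i.e. on the first line
 * of a users-file entry next to the name or DEFAULT.  Assumed list, limited
 * to the attributes used in this thread; Reply-Message is a reply item and
 * therefore not listed. */
static const char *check_only[] = {
    "Auth-Type", "Ldap-Group", "Huntgroup-Name", "FreeRADIUS-Proxied-To", NULL
};

static int is_attr_char(int c)
{
    return isalnum(c) || c == '-' || c == '_';
}

/* Scan one users-file entry (lines separated by '\n').  The first line holds
 * the name and the check items; every following line holds reply items.
 * Returns the number of check-only attributes found on reply lines and
 * copies the first offender into `bad` (when bad != NULL and badlen > 0). */
int users_entry_misplaced(const char *entry, char *bad, size_t badlen)
{
    int count = 0;
    const char *line = strchr(entry, '\n');      /* skip the check line */

    if (bad && badlen) bad[0] = '\0';

    while (line) {
        line++;                                  /* first char after '\n' */
        const char *end = strchr(line, '\n');
        const char *stop = end ? end : line + strlen(line);
        const char *p = line;

        /* reply lines look like: Attr op value, Attr op value */
        while (p < stop) {
            while (p < stop && (isspace((unsigned char)*p) || *p == ',')) p++;
            const char *name = p;
            while (p < stop && is_attr_char((unsigned char)*p)) p++;
            size_t nlen = (size_t)(p - name);
            if (nlen == 0) break;                /* nothing parseable left */

            for (const char **c = check_only; *c; c++) {
                if (strlen(*c) == nlen && strncmp(*c, name, nlen) == 0) {
                    if (count == 0 && bad && badlen)
                        snprintf(bad, badlen, "%.*s", (int)nlen, name);
                    count++;
                }
            }
            /* skip "op value" up to the next comma, honouring quoted values */
            int inq = 0;
            while (p < stop && (inq || *p != ',')) {
                if (*p == '"') inq = !inq;
                p++;
            }
        }
        line = end;
    }
    return count;
}

int main(void)
{
    /* Constructed: the entry from the question (Auth-Type on the reply line)
     * and the corrected entry from the answer. */
    const char *wrong =
        "DEFAULT FreeRADIUS-Proxied-To == \"127.0.0.1\"\n"
        "\tAuth-Type := Reject, Reply-Message = \"User does not belong to any groups which may access this SSID.\"";
    const char *right =
        "DEFAULT Ldap-Group != \"employees\", FreeRADIUS-Proxied-To == \"127.0.0.1\", Auth-Type := Reject\n"
        "\tReply-Message = \"User does not belong to any groups which may access this SSID.\"";
    char bad[64];
    int n = users_entry_misplaced(wrong, bad, sizeof bad);
    printf("wrong entry: %d misplaced check item(s), first: %s\n", n, bad);
    printf("right entry: %d misplaced check item(s)\n", users_entry_misplaced(right, NULL, 0));
    return 0;
}
```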
MySQL Backend
Hello everyone,

I need a little advice from you FreeRADIUS gurus, as i'm having a bit of trouble in understanding the database structure from the examples and schema available on the project wiki.

Let's say i successfully managed to bind freeRADIUS to mysql, i can connect it and no errors are present, i created all proper tables, and database accounts to have freeRADIUS talk to mysql.

the problem is.. ok but now, which information do i put where?

i'd start from a simple example..

let's say i have the user

"testuser"
"cleartext-password"
:=
"testpassword"

if i add these values in the radcheck table, i can successfully authenticate testuser from my NAS.

Now let's say i'd like to limit the user to using the service for only 1 hour a day. if i recall correctly there is a parameter that says:

Max-Daily-Session := 3600 (seconds)

but, where do i have to add this value? still to the radcheck? or radreply? or where else?

i also noticed that the radacct table contains one account for each time i perform a login for the specific user, is it normal?

is there a table that contains usernames in a unique manner? so that i can eventually link it to another table containing further information about the user (name, surname etc?)

sorry if i ask here but really i couldn't understand this from the wiki :(

thanks in advance.
Re: Re : Re: EAP processing
Billot wrote:
> A first question : the default file says
>
> eap {
>     return ok
> }
>
> EAP request comes with EAP message and is so captured by the eap
> authorize section, right ?
> It returns an update of the original request with Auth-Type = EAP

Yes.

> I can't understand why there is then one second authorize check.

I explained. See my previous message. The "inner-tunnel" server is run. This means a second authorize check.

It's not that complicated. Read the debug output. It tells you what's going on. There's no magic.

Alan DeKok.
Re : Re: EAP processing
On 12/06/12, Alan DeKok wrote:
> Emmanuel BILLOT wrote:
> > Could you explain what is the difference between the default file and
> > the inner-tunnel file in /etc/raddb/site-enabled ?
>
> This is documented in the comments at the top of the files.
>
> The "default" virtual server handles normal RADIUS traffic. However,
> some EAP types set up a TLS tunnel between the PC and the RADIUS server.
> The data *inside* of the TLS tunnel has to be authenticated.
>
> So... it's run through the "inner-tunnel" virtual server.

Hi,

Ok that's what i read from you on another post.

> > When running in debug mode, i see sometimes
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > and
> > sometimes
> > # Executing section authorize from file
> > /etc/raddb/sites-enabled/inner-tunnel
>
> Not "sometimes". That is a very bad way to think about it. The debug
> log shows *exactly* what the server is doing. Read it slowly, it will
> make sense.

Sorry i didn't use the correct words. I tried to follow each line in a radiusd -X output. It begins with a complete request, and the authorize section. Parsing each authorize mechanism, only eap doesn't return "noop".

A first question : the default file says

eap {
    return ok
}

EAP request comes with EAP message and is so captured by the eap authorize section, right ? It returns an update of the original request with Auth-Type = EAP

I can't understand why there is then a second authorize check.

> > Is there any docs about the complete processing of EAP authentication ?
>
> Nope.
>
> Alan DeKok.

--
Emmanuel BILLOT
CATEL - Systems and Networks Dept.
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tel: 02 38 79 45 57
RE: EAP-PEAP + Windows 7 with SSO and Password change
Hi Phil,

>> But i got from the ntlm_auth Error 691 which is sent back to client.
>
> Please post full debugging output i.e. run "radiusd -X" and post the
> output to the list.
>
> Better yet, gather the debug output and READ IT carefully first, to see
> if you can spot the problem.
>
> The MSCHAP password change code looks for the string "Password expired"
> in the output of the ntlm_auth command. If your ntlm_auth is printing
> something different, it'll just assume it's a regular failure.

Sure, here is the debug output:

FreeRADIUS Version 3.0.0, for host x86_64-portbld-freebsd9.0, built on Jun 12 2012 at 13:31:44
Re: EAP processing
Emmanuel BILLOT wrote:
> Could you explain what is the difference between the default file and
> the inner-tunnel file in /etc/raddb/site-enabled ?

This is documented in the comments at the top of the files.

The "default" virtual server handles normal RADIUS traffic. However, some EAP types set up a TLS tunnel between the PC and the RADIUS server. The data *inside* of the TLS tunnel has to be authenticated.

So... it's run through the "inner-tunnel" virtual server.

> When running in debug mode, i see sometimes
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> and
> sometimes
> # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel

Not "sometimes". That is a very bad way to think about it. The debug log shows *exactly* what the server is doing. Read it slowly, it will make sense.

> Is there any docs about the complete processing of EAP authentication ?

Nope.

Alan DeKok.
Re: EAP-PEAP + Windows 7 with SSO and Password change
On 12/06/12 17:09, CD DD wrote:
> But i got from the ntlm_auth Error 691 which is sent back to client.

Please post full debugging output i.e. run "radiusd -X" and post the output to the list.

Better yet, gather the debug output and READ IT carefully first, to see if you can spot the problem.

The MSCHAP password change code looks for the string "Password expired" in the output of the ntlm_auth command. If your ntlm_auth is printing something different, it'll just assume it's a regular failure.
Re: EAP-PEAP + Windows 7 with SSO and Password change
Hi Alan,

> CD DD wrote:
>> Hi Alan,
>>
>> i'm sorry to bother you again.
>>
>> I compiled now the "GIT" version (it's the same as download version), and i
>> got the same results.
>>
>> The FR is really 3.0.0. you can see that in the debug log.
>> There is no difference in the results as before i did.
>>
>> So what's wrong ?
>> I used also a cleaned config base (remove the old, and install the git
>> config). But all the time the same:
>
> Did you read raddb/mods-available/mschap?
>
> It contains instructions for configuring password changes. You need
> to configure the "passchange" subsection with the right paths, and then
> allow retries, and give it a retry message.
>
> Alan DeKok.

Yes, as you can see in the mschap config the passchange subsection is configured, as well as the retry and retry message. send errors are also enabled in the mschapv2 config from the eap section.

But i got from the ntlm_auth Error 691 which is sent back to client. Normally there must be error code 648, or not ?

regards,
C.
EAP processing
Hi,

Could you explain what is the difference between the default file and the inner-tunnel file in /etc/raddb/site-enabled ?

When running in debug mode, i see sometimes

# Executing section authorize from file /etc/raddb/sites-enabled/default

and sometimes

# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel

Is there any docs about the complete processing of EAP authentication ?

BR,
--
Emmanuel BILLOT
CATEL - Systems and Networks Dept.
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tel: 02 38 79 45 57
Re: buffer overflow on mschap reject
Hi,

> Matt Richards wrote:

If you send me the small bits of mschap config you have made, I'll run it on my debug/testing platform.

alan
Re: EAP-PEAP + Windows 7 with SSO and Password change
CD DD wrote:
> Hi Alan,
>
> I'm sorry to bother you again.
>
> I compiled now the "GIT" version (it's the same as the download version), and I
> got the same results.
>
> The FR is really 3.0.0. You can see that in the debug log.
> There are no differences in the results from before.
>
> So what's wrong?
> I also used a cleaned config base (removed the old, and installed the git
> config). But all the time the same:

Did you read raddb/mods-available/mschap?

It contains instructions for configuring password changes. You need to configure the "passchange" subsection with the right paths, and then allow retries, and give it a retry message.

Alan DeKok.
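The three settings Alan refers to, written out as an added example (not part of the original thread, and not a copy of the distribution file). The option names are those of the 3.0 raddb/mods-available/mschap and mods-available/eap files as I recall them; the ntlm_auth path and the EXAMPLE domain fallback are assumptions for your install. Confirm every option against your own copy of the files, and keep retry_msg short.

```text
# raddb/mods-available/mschap
mschap {
	# Authentication against the domain controller via Samba's ntlm_auth
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# 1. Password change: the same helper, in its change-password mode
	passchange {
		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
		ntlm_auth_username = "username: %{mschap:User-Name}"
		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
	}

	# 2. Let the supplicant retry (R=1 in the MS-CHAP-Error) instead of
	#    failing the EAP session outright
	allow_retry = yes

	# 3. Text carried in the M= field of the MS-CHAP-Error
	retry_msg = "Re-enter (or reset) the password"
}

# raddb/mods-available/eap (only the relevant subsection shown)
eap {
	mschapv2 {
		# Pass the MS-CHAP-Error (with its E= code) through to the
		# client instead of a bare EAP-Failure
		send_error = yes
	}
}
```

With all three in place, a failure still produces E=691 unless the module recognises ntlm_auth's output as a must-change-password condition; compare the string ntlm_auth prints in the debug log with what the module version you run looks for.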
RE: EAP-PEAP + Windows 7 with SSO and Password change
Hi Alan,

I'm sorry to bother you again.

I compiled now the "GIT" version (it's the same as the download version), and I got the same results.

The FR is really 3.0.0. You can see that in the debug log. There are no differences in the results from before.

So what's wrong? I also used a cleaned config base (removed the old, and installed the git config). But all the time the same:

Exec-Program output: Must change password (0xc224)
Exec-Program-Wait: plaintext: Must change password (0xc224)
Exec-Program: returned: 1
(8) mschap : External script failed.
(8) mschap : FAILED: MS-CHAP2-Response is incorrect
(8) [mschap] = reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
(8) eap : Handler failed in EAP/mschapv2
(8) eap : Failed in EAP select
(8) [eap] = invalid
(8) Failed to authenticate the user.
} # server inner-tunnel
(8) peap : Got tunneled reply code 3
MS-CHAP-Error = "\271E=691 R=1"
EAP-Message = 0x04b90004
:
:

And on the client side I get a failed login, and no password change window!

regards,
C.

>> Well, I downloaded the zip file, because the server did not have the git
>> protocol allowed through the firewall.
>
> *Your* firewall is blocking git.
>
> You do realize that github allows HTTP replication, right?
>
> There's a button labelled "HTTP" on:
>
> https://github.com/alandekok/freeradius-server
>
> Click it.
>
>> But I checked the git version against the zip downloaded version, and it is
>> the same version.
>
> Then you need to fix that. Release 2.1.7 does NOT have the functionality you want. I really don't know how else to say that. It doesn't do MS-CHAP password changes.
>
> Only the "master" branch has it. It should take you all of 5 minutes to go to github and download the master branch using HTTP.
>
> Alan DeKok.
Re: rlm_perl module not executing authenticate
Diego Matute wrote:
> I've installed freeradius and other packages on a vanilla amazon ec2
> instance and am trying to get the rlm_perl module working. Ultimately
> the authenticate function in the perl script is not being run. Here are
> the details.
...
> 1/ Request comes in and authorize is being called within rlm_perl. The
> print statement is not outputting on the server side?

The modules aren't permitted to print to STDOUT or STDERR.

> 2/ How does Auth-Type get set? I've read a bunch of forum threads and it
> looks like best practice nowadays is to let the server figure it out and
> not set it explicitly in /etc/raddb/users, however it isn't being set.

It isn't being set because the default distribution doesn't use rlm_perl.

If you want to *force* usage of rlm_perl, you need to set Auth-Type. If you want to let the server just do the right thing, leave everything alone.

Alan DeKok.
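What "set Auth-Type" looks like in the configuration, as an added example (not from the thread or the distribution): the file names follow the 2.x layout the poster uses (raddb/modules/perl, raddb/sites-enabled/default), the instance is the stock "perl" one pointing at example.pl, and "Perl" as the Auth-Type name is a convention, not a fixed value.

```text
# raddb/modules/perl: the module instance is called "perl"
perl {
	module = ${confdir}/example.pl
}

# raddb/sites-enabled/default
authorize {
	preprocess
	# Runs the script's authorize() only; nothing here makes the
	# server call authenticate() later on.
	perl
	# Force it: select the Auth-Type that the authenticate section
	# below defines.  (The script can do the same itself by putting
	# Auth-Type into %RAD_CHECK from authorize().)
	update control {
		Auth-Type := Perl
	}
}

authenticate {
	# This block creates the "Perl" Auth-Type value; the script's
	# authenticate() now runs for every request that selected it.
	Auth-Type Perl {
		perl
	}
}
```

Because the module may not write to stdout/stderr, log from the script with &radiusd::radlog() instead of print; its output appears in radiusd -X, which is also where you see which Auth-Type the request ended up with.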
Re: buffer overflow on mschap reject
Matt Richards wrote:
> Hello,
>
> I have got radius set up to authenticate wireless clients using MS-CHAP
> and everything works correctly if the entered user / pass is correct.
>
> If the password is wrong, however, I get a buffer overflow error and
> radiusd dies.

You probably set the "retry_msg" to a very long string.

>> *** buffer overflow detected ***: radiusd terminated
>> === Backtrace: =

Reading doc/bugs would help here.

> I can replicate this issue with radtest.

Do you have a minimal config which could help?

> Does anybody know why this might be happening? If you require any
> additional info please let me know. One thing I was thinking about
> trying is going back a few versions of ntlm_auth and trying again. It's
> interesting how I don't seem to be able to find any information relating
> to this on the Internet.

The error path here is very small, i.e. ~15 lines of code. Running the server under "valgrind" would help, too. But first build it with debugging symbols.

Alan DeKok.
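Two things in these threads meet in the same few bytes: the MS-CHAP-Error text "E=691 R=1" that the password-change poster sees instead of the 648 he expects, and Alan's note here that an over-long retry_msg is the likely reason for the __snprintf_chk abort (FORTIFY aborts there when snprintf() is handed a size larger than the destination object). The following is an added example, my own code and not rlm_mschap's: it maps ntlm_auth's output to the RFC 2759 error code and builds the failure string into a fixed buffer with the real buffer size checked, refusing a message that does not fit instead of overrunning. The strings matched in ntlm_output_to_error() are an assumption taken from the outputs quoted in the thread (Samba versions print these differently), the challenge bytes are constructed, and the leading MS-CHAPv2 ident byte (the \271 in the debug log) is outside what this builds.

```c
/*
 * Added example, not FreeRADIUS code: classify ntlm_auth output into
 * an MS-CHAPv2 error code and build the RFC 2759 section 6 Failure
 * message "E=eee R=r C=<32 hex> V=3 M=<msg>" without overrunning the
 * destination buffer.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Error codes from RFC 2759, section 6 */
#define MSCHAP_ERR_PASSWD_EXPIRED   648
#define MSCHAP_ERR_AUTH_FAILURE     691

/*
 * Decide which error code goes into "E=" from the text ntlm_auth
 * printed.  ASSUMPTION: the strings below are the ones seen in the
 * thread plus the NT_STATUS name; the Samba build you run may print
 * something else, in which case only 691 is ever produced.
 */
static int ntlm_output_to_error(const char *out)
{
	if (strstr(out, "Must change password") ||
	    strstr(out, "PASSWORD_MUST_CHANGE") ||
	    strstr(out, "0xc224")) {	/* NT_STATUS_PASSWORD_MUST_CHANGE */
		return MSCHAP_ERR_PASSWD_EXPIRED;
	}
	return MSCHAP_ERR_AUTH_FAILURE;
}

/*
 * Write the failure string into buf.  buflen must be the true size of
 * buf.  Returns the length written, or -1 if the message (the retry
 * message is the only unbounded input) would not fit.  Passing the
 * real size to snprintf() and checking its result is the whole fix
 * for the class of crash in this thread.
 */
static int build_failure(char *buf, size_t buflen, int error,
			 int allow_retry, const uint8_t challenge[16],
			 const char *msg)
{
	char hex[33];	/* 16 octets as 32 hex chars plus NUL */
	size_t i;
	int n;

	for (i = 0; i < 16; i++) {
		snprintf(&hex[i * 2], 3, "%02X", challenge[i]);
	}

	n = snprintf(buf, buflen, "E=%d R=%d C=%s V=3 M=%s",
		     error, allow_retry ? 1 : 0, hex, msg ? msg : "");
	if (n < 0 || (size_t)n >= buflen) {
		return -1;	/* would truncate: refuse, do not overrun */
	}
	return n;
}

int main(void)
{
	/* Constructed sample challenge and helper outputs, not captured traffic */
	const uint8_t challenge[16] = {
		0xa2, 0x0a, 0x6c, 0x5d, 0x36, 0x3d, 0xd4, 0xb6,
		0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
	};
	const char *retry_msg = "Re-enter (or reset) the password";
	char buf[256];
	char small[40];
	int err;

	err = ntlm_output_to_error("Must change password (0xc224)");
	if (build_failure(buf, sizeof(buf), err, 1, challenge, retry_msg) > 0) {
		printf("%s\n", buf);	/* E=648 R=1 C=... V=3 M=... */
	}

	err = ntlm_output_to_error("Logon failure (0xc06d)");
	if (build_failure(small, sizeof(small), err, 1, challenge, retry_msg) < 0) {
		printf("retry message does not fit in %zu bytes, not sent\n",
		       sizeof(small));
	}
	return 0;
}
```

The interesting case is the second call: a 40-byte destination and a 32-character retry message. Without the size check it would either be silently truncated mid-challenge (the client then cannot match C= to its own challenge) or, with a wrong size argument, abort the daemon as in the backtrace below.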
Re: EAP-PEAP + Windows 7 with SSO and Password change
CD DD wrote:
> Well, I downloaded the zip file, because the server did not have the git
> protocol allowed through the firewall.

*Your* firewall is blocking git.

You do realize that github allows HTTP replication, right?

There's a button labelled "HTTP" on:

https://github.com/alandekok/freeradius-server

Click it.

> But I checked the git version against the zip downloaded version, and it is
> the same version.

Then you need to fix that. Release 2.1.7 does NOT have the functionality you want. I really don't know how else to say that. It doesn't do MS-CHAP password changes.

Only the "master" branch has it. It should take you all of 5 minutes to go to github and download the master branch using HTTP.

Alan DeKok.
buffer overflow on mschap reject
Hello,

I have got radius set up to authenticate wireless clients using MS-CHAP and everything works correctly if the entered user / pass is correct.

If the password is wrong, however, I get a buffer overflow error and radiusd dies. I get the following on the console when this happens ...

> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: rer
> [mschap] Told to do MS-CHAPv2 for rer with NT-Password
> [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=rer
> [mschap] No NT-Domain was found in the User-Name.
> [mschap] expand: %{mschap:NT-Domain} ->
> [mschap] ... expanding second conditional
> [mschap] expand: --domain=%{%{mschap:NT-Domain}:-WC1} -> --domain=WC1
> [mschap] mschap2: 5f
> [mschap] Creating challenge hash with username: rer
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a20a6c5d363dd4b6
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5182a275d21751ab7007e8de241d8d516215a95d3384ccf9
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> *** buffer overflow detected ***: radiusd terminated
> === Backtrace: =
> /lib/libc.so.6(__fortify_fail+0x37)[0x7fea6d97c427]
> /lib/libc.so.6(+0xe8150)[0x7fea6d97a150]
> /lib/libc.so.6(+0xe76eb)[0x7fea6d9796eb]
> /lib/libc.so.6(__snprintf_chk+0x7b)[0x7fea6d9795bb]
> /usr/lib64/freeradius/rlm_mschap-2.1.11.so(+0x31bb)[0x7fea6c24a1bb]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> /usr/lib64/freeradius/rlm_eap_mschapv2-2.1.11.so(+0x166a)[0x7fea696d366a]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> radiusd(rad_authenticate+0x985)[0x40a075]
> /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(eappeap_process+0x976)[0x7fea698d8f26]
> /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(+0x1825)[0x7fea698d7825]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> radiusd(rad_authenticate+0x985)[0x40a075]
> radiusd(radius_handle_request+0x52)[0x424d42]
> radiusd(thread_pool_addrequest+0x9)[0x425039]
> radiusd[0x4269e6]
> /usr/lib/libfreeradius-radius-2.1.11.so(fr_event_loop+0x33b)[0x7fea6e04860b]
> radiusd(main+0x55a)[0x41cd2a]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7fea6d8b0ba6]
> radiusd[0x408fe9]

The version of freeradius I'm running is ...

FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29

I can replicate this issue with radtest.

Does anybody know why this might be happening? If you require any additional info please let me know. One thing I was thinking about trying is going back a few versions of ntlm_auth and trying again. It's interesting how I don't seem to be able to find any information relating to this on the Internet.

Thanks,
Matt.
Re: EAP-PEAP + Windows 7 with SSO and Password change
Hi Alan,

Well, I downloaded the zip file, because the server did not have the git protocol allowed through the firewall. But I checked the git version against the zip downloaded version, and it is the same version.

>> Yes, I tried now the latest freeradius version from git master:
>> (alandekok-freeradius-server-release_2_1_7-1596-g3ce9b29.zip)
>
> Where did you get that from? Release 2.1.7? Really?
>
>> But I still have the same issue, that the password change is not handled.
>> I added my config files and the debug output as attachment, maybe I missed
>> some parameter.
>
> Use "git" to grab the "master" branch. It isn't hard. There are instructions on http://git.freeradius.org, and on github.
>
> Alan DeKok.
Re: EAP-TTLS-PAP-LDAP
On Jun 12, 2012, at 9:06 AM, akkouche wrote:
> how to put the parameters in which files, to set up the TTLS / PAP ?

Greetings,

Way too many options out there. Keep reading. Use the default FreeRADIUS + ldap module, ensure ssh is in order.

-j
Re: EAP-PEAP + Windows 7 with SSO and Password change
CD DD wrote:
> Yes, I tried now the latest freeradius version from git master:
> (alandekok-freeradius-server-release_2_1_7-1596-g3ce9b29.zip)

Where did you get that from? Release 2.1.7? Really?

> But I still have the same issue, that the password change is not handled.
> I added my config files and the debug output as attachment, maybe I missed
> some parameter.

Use "git" to grab the "master" branch. It isn't hard. There are instructions on http://git.freeradius.org, and on github.

Alan DeKok.
Re: EAP-TTLS-PAP-LDAP
How do I put the parameters, and in which files, to set up TTLS / PAP?
RE: EAP-PEAP + Windows 7 with SSO and Password change
Hi Alan,

Yes, I tried now the latest freeradius version from git master:
(alandekok-freeradius-server-release_2_1_7-1596-g3ce9b29.zip)

But I still have the same issue, that the password change is not handled. I added my config files and the debug output as attachment, maybe I missed some parameter.

Thanks for any help.

> You are running latest version of freeradius?
> You have read the inner-tunnel virtual server config file near the end?
> And the MSCHAP module file near the end?
>
> alan

[attachment: config_plus_debug.tgz]
Re: Adding Attribute
On 06/12/2012 12:48 PM, Awais wrote:
> I want to use an integer value which I send from ntradping and get this
> value in rlm_sql.c, but my boss told me not to use a new attribute, but to
> use one from the vendor specific dictionary, rfc2866.

Why do you need to customize it in the source code? Have you checked that this is really needed?

If someone really has hacked it into the source, you can easily find the changes and adapt them.. But no support here ;)

--
Jens Weibler
IT-Services Hochschule Darmstadt www.h-da.de
University of Applied Sciences
Fachbereich Informatik www.fbi.h-da.de
Schöfferstr. 8b
D-64295 Darmstadt
Tel +49 6151 16-8425 Fax +49 6151 16-8935
Re: Adding Attribute
On 12/06/12 11:48, Awais wrote:
> I want to use an integer value which I send from ntradping and get this
> value in rlm_sql.c, but my boss told me not to use a new attribute, but to
> use one from the vendor specific dictionary, rfc2866.

I don't understand, because what you are saying does not make sense.

Please explain what you are trying to achieve, NOT how you have decided to do it.
Re: Adding Attribute
I want to use an integer value which I send from ntradping and get this value in rlm_sql.c, but my boss told me not to use a new attribute, but to use one from the vendor specific dictionary, rfc2866. If I send a value like 12345:

	VALUE_PAIR *pair;

	/* pairfind() returns the VALUE_PAIR (or NULL), not the integer,
	 * so compare the pair's value rather than the pointer.
	 * PW_ACCT_LINK_COUNT is attribute 51 from src/include/radius.h. */
	pair = pairfind(request->packet->vps, PW_ACCT_LINK_COUNT);
	if (pair && pair->vp_integer == 12345) {
	}
Re: Adding Attribute
On 12/06/12 10:48, Awais wrote:
> I want to add an attribute in rlm_sql.c, Acct-Link-Count from

What does this mean? You don't need to add attributes into the source code. You just change the SQL queries in the config file.

> dictionary.rfc2866. I don't know how to use vendor specific attributes, can
> anybody help me how to do this???

"use" where? how?

You need to ask better questions. Be specific.
Adding Attribute
I want to add an attribute in rlm_sql.c, Acct-Link-Count from dictionary.rfc2866. I don't know how to use vendor specific attributes, can anybody help me how to do this??? We are already using Acct-Status-Type and other attributes but that was done by my senior and he isn't here any more.