Re: AP> FR> LDAP authentication reject

2012-12-27 Thread Olivier Beytrison
On 28.12.2012 08:39, Thanakorn Rattanatikul wrote:
> In the LDAP server, for user "sun", the password is stored in clear-text in this test.
So if you have a clear-text password in the LDAP, use the LDAP
attribute map to add it to the control list. Looking at the logs I guess
you are running version 2.x, so you should have a file called
/etc/raddb/ldap.attrmap; add a line with

checkitem   Cleartext-Password  

And reference the ldap.attrmap in the ldap module (if not already done)

dictionary_mapping = ${confdir}/ldap.attrmap

And finally you need to ensure that the user defined in the ldap module
(identity) has sufficient rights in the LDAP to retrieve the attribute
containing the clear text password.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: AP> FR> LDAP authentication reject

2012-12-27 Thread Thanakorn Rattanatikul

In the LDAP server, for user "sun", the password is stored in clear-text in this test.

Thank you very much for your time and help.


thanakorn


Re: AP> FR> LDAP authentication reject

2012-12-27 Thread Olivier Beytrison
On 28.12.2012 06:17, Thanakorn Rattanatikul wrote:
> I'm trying to setup the server to authenticate using LDAP. I'm having
> some problem and hope to get some help from the list.
> 
> I'm trying to setup AP->FR->LDAP. FreeRadius is new installation on
> CentOS. LDAP is Sun Java System Directory Server.
> I'm trying radtest ->FR->LDAP pass but AP->FR->LDAP not pass.
It works with radtest because it does PAP. The password is sent in
cleartext in the request. FreeRADIUS can then bind to the LDAP with the
user/password supplied to authenticate the user.

With your Access Point, you're doing EAP-PEAP with MSCHAPv2, which means
you need the clear-text password or an NT/LM-Password in your backend, or
via ntlm_auth. If FreeRADIUS doesn't have them, it can't do the
challenge/response. You have plenty of warnings that this will happen ...

> [ldap] expand: ou=guest,dc=ku,dc=ac,dc=th -> ou=guest,dc=ku,dc=ac,dc=th
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] attempting LDAP reconnection
>   [ldap] (re)connect to 158.108.8.214:389, authentication 0
>   [ldap] bind as uid=thanakorn,ou=guest,dc=ku,dc=ac,dc=th/testtest to
> 158.108.8.214:389
>   [ldap] waiting for bind result ...
>   [ldap] Bind was successful
>   [ldap] performing search in ou=guest,dc=ku,dc=ac,dc=th, with filter
> (uid=sun)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
See here ?
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
Or Here ?
> [pap] WARNING! No "known good" password found
> for the user.  Authentication may fail because of this.
> ++[pap] returns noop
And those ?
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/default
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: sun
> [mschap] Told to do MS-CHAPv2 for sun with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
And here again ...
> [peap]  The users session was previously rejected: returning reject (again.)
> [peap]  *** This means you need to read the PREVIOUS messages in the
> debug output
> [peap]  *** to find out the reason why the user was rejected.
> [peap]  *** Look for "reject" or "fail".  Those earlier messages will
> tell you.
> [peap]  *** what went wrong, and how to fix the problem.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid

In the default LDAP configuration file, it is clearly stated that:

#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.

You need either the clear-text password in your LDAP, to store the user
password in the users file, or to use another way of getting the password
(SQL database, ntlm_auth to Active Directory).

Read the comments in the default configuration, and look for warnings and
errors in the debug output. They tell you what goes wrong, and what you
should do. In your case: provide a Cleartext-Password.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
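The asymmetry Olivier describes (PAP works against whatever the directory stores, because the request carries the cleartext; MS-CHAPv2 needs Cleartext-Password or NT-Password in the control list) can be made concrete in a few lines of Python. This is an added illustration, not part of the thread and not FreeRADIUS code: the MD4 is a local RFC 1320 implementation (hashlib's md4 is often disabled by OpenSSL), the {SSHA} userPassword value is constructed inline, and mschap_known_good() is a hypothetical stand-in for rlm_mschap's selection of key material, named here for illustration only.

```python
"""Why PAP works against this LDAP but PEAP/MS-CHAPv2 does not.

PAP hands FreeRADIUS the cleartext User-Password, so any stored form can be
checked (an {SSHA} hash here; an LDAP bind in Thanakorn's setup). MS-CHAPv2
is a challenge/response over the NT hash, so the server must already hold
either Cleartext-Password (from which it derives NT-Password) or NT-Password.
"""
import base64
import hashlib
import struct


def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented locally because hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + fn(b, c, d) + X[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate the working variables
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password(cleartext: str) -> bytes:
    """NT-Password = MD4(UTF-16LE(password)); what rlm_mschap derives from Cleartext-Password."""
    return md4(cleartext.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 'Creating challenge hash with username' step in the log."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password || salt) || salt). Constructed sample."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_check(stored: str, candidate: str) -> bool:
    """PAP can verify an {SSHA} hash because the request contains the cleartext candidate."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def mschap_known_good(control: dict):
    """Hypothetical mirror of rlm_mschap's choice of key material from the control list.

    Returns the 16-byte NT-Password it would use, or None when it has to log
    'No NT/LM-Password.  Cannot perform authentication.'
    """
    if "NT-Password" in control:
        return bytes.fromhex(control["NT-Password"])
    if "Cleartext-Password" in control:
        return nt_password(control["Cleartext-Password"])
    return None   # a salted userPassword hash cannot be turned into an NT hash


if __name__ == "__main__":
    stored = ssha("testtest", b"\x01\x02\x03\x04")          # constructed directory value
    print("PAP against {SSHA}:      ", pap_check(stored, "testtest"))
    print("MS-CHAPv2 with {SSHA}:   ", mschap_known_good({"userPassword": stored}))
    print("MS-CHAPv2 with cleartext:", mschap_known_good({"Cleartext-Password": "testtest"}).hex())
```

With only a salted userPassword in the directory the last function returns None, which is the state the debug log above reports as "No NT/LM-Password.  Cannot perform authentication."; once Cleartext-Password is in the control list (the checkitem mapping Olivier suggests in his follow-up), the NT hash can be derived and the challenge/response completed.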


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
@Phil,

Thank you very much for the code snippet - only had to make minor
mods for it to work perfectly ("noop" instead of "notfound" in the
reject code within the sites-enabled routine). Also I had to do an
$INCLUDE in the users file that points to the tls_clients file,
otherwise I get unpredictable behavior - other than that, working as
envisioned. Next phase, a remote database for clients (LDAP or
SQL... not sure which yet - that's for 2013).

Again, many, many thanks for the help - Happy Holidays...


On Thu, 27 Dec 2012 10:40:15 -0500 "Phil Mayers" 
 wrote:
>On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote:
>
>> ...but if not then ok I was simply trying to figure out if I was
>> able to control machine-only 802.1x authentication against
>> FreeRADIUS in a manner similar to how "simple" user 
>authentication
>> appears to be done (via the users file). From your response, it
>> appears that the answer is "NO" and that an LDAP configuration /
>> LDAP groups will be required.
>
>Not so - that's not what Alan said. You mentioned LDAP - he naturally
>assumed you were looking in that direction.
>
>You can use the "users" file; but you need to alter the config slightly,
>and due to the way EAP-TLS runs in 2.x, you need to use it in a
>particular way.
>
>Try this:
>
>/etc/raddb/modules/tls_clients:
>
>files tls_clients {
>   key = "%{TLS-Client-Cert-Common-Name}"
>   usersfile = "/etc/raddb/tls_clients"
>}
>
>/etc/raddb/sites-enabled/default
>
>post-auth {
>   ...
>   if (TLS-Client-Cert-Common-Name) {
> tls_clients.authorize
> if (notfound) {
>   # reject unknown users
>   reject
> }
>   }
>   ...
>}
>
>Modify as appropriate for your needs.
>
>>
>> I'll look into that as time allows...and while I appreciate your
>> quick response, I think that your comment below is a bit
>> unwarranted - one of the points of user groups is to be able to 
>ask
>> the question "I don't know how...at least this has been the case
>> for the last 15 years that I have been doing this stuff."
>
>Unfortunately, the FreeRADIUS community does not have the depth and
>breadth to provide the level of support and documentation that something
>like Apache or Samba does. This means there is more onus on you to be
>specific.
>
>I have my theories about *why* this difference exists - specifically,
>that FR is a complex infrastructure daemon, which people set up and
>forget, as opposed to a framework that they constantly use. You see
>similar issues on other projects (ISC bind, for example) that have these
>attributes. But whatever the reason, most people post to this list a few
>times, then vanish - they don't answer questions to people who follow
>them, write docs or wiki articles, or contribute code.
>
>This leads to a relatively small pool of people who can answer, and to
>the expectation that you be specific so those people can use their time
>efficiently. Don't take it personally - it's just a function of the
>community size.
>
>Cheers,
>Phil



Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
@Phil,

Thanks for the example - I'll do some work with it. Appreciate the
additional information too... I imagine that there is a huge amount
of variation within FR configurations so I get it that requests for
assistance need to be as concise as possible... don't always know
"exactly" what to ask sometimes though :)

Thanks again

On Thu, 27 Dec 2012 10:40:15 -0500 "Phil Mayers" 
 wrote:
>On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote:
>
>> ...but if not then ok I was simply trying to figure out if I was
>> able to control machine-only 802.1x authentication against
>> FreeRADIUS in a manner similar to how "simple" user 
>authentication
>> appears to be done (via the users file). From your response, it
>> appears that the answer is "NO" and that an LDAP configuration /
>> LDAP groups will be required.
>
>Not so - that's not what Alan said. You mentioned LDAP - he naturally
>assumed you were looking in that direction.
>
>You can use the "users" file; but you need to alter the config slightly,
>and due to the way EAP-TLS runs in 2.x, you need to use it in a
>particular way.
>
>Try this:
>
>/etc/raddb/modules/tls_clients:
>
>files tls_clients {
>   key = "%{TLS-Client-Cert-Common-Name}"
>   usersfile = "/etc/raddb/tls_clients"
>}
>
>/etc/raddb/sites-enabled/default
>
>post-auth {
>   ...
>   if (TLS-Client-Cert-Common-Name) {
> tls_clients.authorize
> if (notfound) {
>   # reject unknown users
>   reject
> }
>   }
>   ...
>}
>
>Modify as appropriate for your needs.
>
>>
>> I'll look into that as time allows...and while I appreciate your
>> quick response, I think that your comment below is a bit
>> unwarranted - one of the points of user groups is to be able to 
>ask
>> the question "I don't know how...at least this has been the case
>> for the last 15 years that I have been doing this stuff."
>
>Unfortunately, the FreeRADIUS community does not have the depth and
>breadth to provide the level of support and documentation that something
>like Apache or Samba does. This means there is more onus on you to be
>specific.
>
>I have my theories about *why* this difference exists - specifically,
>that FR is a complex infrastructure daemon, which people set up and
>forget, as opposed to a framework that they constantly use. You see
>similar issues on other projects (ISC bind, for example) that have these
>attributes. But whatever the reason, most people post to this list a few
>times, then vanish - they don't answer questions to people who follow
>them, write docs or wiki articles, or contribute code.
>
>This leads to a relatively small pool of people who can answer, and to
>the expectation that you be specific so those people can use their time
>efficiently. Don't take it personally - it's just a function of the
>community size.
>
>Cheers,
>Phil



Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Alan DeKok
spartan1...@hushmail.com wrote:
> Thank you for the...quick reply - thought I had spelled out what I 
> was trying to figure out in fairly clear terms:

  Yes, but you didn't say *how* you wanted this done.  You needed to do
user group checking.  OK, FreeRADIUS isn't a database.  I asked you a
*specific* question about where the groups were stored.

  You failed to answer the question.  Do you know why the question and
answer were important?

 You have to get away from the Microsoft thinking of "the product has
one UI to do everything".  And get to the Unix thinking of "a RADIUS
server does RADIUS.  A database stores data".

> ...but if not then ok I was simply trying to figure out if I was 
> able to control machine-only 802.1x authentication against 
> FreeRADIUS in a manner similar to how "simple" user authentication 
> appears to be done (via the users file). From your response, it 
> appears that the answer is "NO" and that an LDAP configuration / 
> LDAP groups will be required.

No.  You can store groups in LDAP, SQL, flat-text files, etc.
 The documentation contains examples for EACH of those.  Just (a) read
it, and (b) follow the instructions.  It's not hard.

  And you CAN control EAP-TLS via the "users" file.  Just look at the
debug output.  Take the fields from there (User-Name, etc.), and enter
them into the "users" file, with whatever policy you want.  Read the
"users" file documentation for how to create policies with it.

  LDAP is *only* to make your life easier.

> I'll look into that as time allows...and while I appreciate your 
> quick response, I think that your comment below is a bit 
> unwarranted - one of the points of user groups is to be able to ask 
> the question "I don't know how...at least this has been the case 
> for the last 15 years that I have been doing this stuff."

  I asked you specific questions about what you wanted to do, and what
you already had.  You didn't answer them.  So... I'm trying to engage
you in a conversation, and you're stone-walling me.

  As a hint: I've been doing this for 15 years.  If I ask a question,
it's because the answer HELPS ME HELP YOU.  Whining about my response is
ridiculous, and just annoys the people who are trying to help you.

  If you're not going to follow instructions, you will be unsubscribed
and banned.  I've had 15 years of trying to convince people to REALLY
READ THE DOCUMENTATION, and also to REALLY FOLLOW INSTRUCTIONS.  I have
no more patience for people who can't be bothered to help themselves.

  Make no mistake, we *are* here to help.  But this is a free support
list.  We assume that you can (a) describe the problem you're having,
(b) read the documentation, and (c) follow instructions to fix it.

  That's all we ask.

  Alan DeKok.


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833

@Phil,

Thanks for the info - appreciate the professional response... I'll
do some additional research.

On Thu, 27 Dec 2012 10:13:43 -0500 "Phil Mayers" 
 wrote:
>On 12/27/2012 02:32 PM, spartan1...@hushmail.com wrote:
>
>> I played around with the users file in FreeRADIUS but it didn't
>> seem to have any effect unless I put a DEFAULT Auth-Type Reject 
>in
>> the file which blocked everyone regardless of what else I had in
>> the users file. I've Googled around a bit but haven't found any
>> definitive guides on how I would do a FreeRADIUS analog to 
>Windows
>> IAS/NPS policies other than having to include ldap servers 
>and/or
>> other types of external authentication systems which I'm not 
>really
>> interested (at this point) in doing.
>
>LDAP is not an authentication system (not really). It's a directory,
>which is a form of database.
>
>You are, obviously, going to need some form of "database" in which your
>policy "memberships" are stored; FreeRADIUS provides several built-in
>modules (LDAP, SQL, files, passwd-style) that can do this.
>
>However - you're going to run into the fact that EAP-TLS as implemented
>in the 2.x branch doesn't offer very much in the way of authorization -
>the only place you can run a database lookup and be sure you have the
>TLS cert details is post-auth (a virtual server step was added in
>master/3.x).
>
>Basically:
>
>  1. Define a local attribute in raddb/dictionary to hold your groups.
>Note carefully the stuff in the default dictionary file about local
>attribute numbers.
>
>  2. Configure one of the various data lookup modules (passwd and files
>are the simplest but least flexible) to lookup the groups based on the
>TLS cert attributes (see below)
>
>  3. Run this module in the post-auth section, and act on the result.
>
>raddb/sites-available/default contains comments to this effect in
>post-auth - search for "TLS-Client" in that file, which also tells you
>the various TLS cert attributes you can use.
>
>About the only difficult bit is step 2; I thought I'd written something
>in the wiki about this, but I can't find it (and I can't log in
>anymore).
>
>If you've got a more specific question, I'll try to reply, but you'll
>need to do a bit of research into the various "database" modules and
>decide which one you want to use first.



Re: Wiki requires email?

2012-12-27 Thread Alan DeKok
Phil Mayers wrote:
> I can no longer log into the wiki with my github account - seems the
> wiki now requires that I expose an email publicly in my github profile
> (something I am not going to do). Is this intentional? What's the
> rationale?

  Too many retards destroying the Wiki.

  There were weekly page deletions, so that's been forbidden.  There
were nearly daily edits of "ha ha, I can change this".

  Instead of trying to control and ban people, we just publish their
stupidity.

  Alan DeKok.


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Phil Mayers

On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote:


...but if not then ok I was simply trying to figure out if I was
able to control machine-only 802.1x authentication against
FreeRADIUS in a manner similar to how "simple" user authentication
appears to be done (via the users file). From your response, it
appears that the answer is "NO" and that an LDAP configuration /
LDAP groups will be required.


Not so - that's not what Alan said. You mentioned LDAP - he naturally 
assumed you were looking in that direction.


You can use the "users" file; but you need to alter the config slightly, 
and due to the way EAP-TLS runs in 2.x, you need to use it in a 
particular way.


Try this:

/etc/raddb/modules/tls_clients:

files tls_clients {
  key = "%{TLS-Client-Cert-Common-Name}"
  usersfile = "/etc/raddb/tls_clients"
}

/etc/raddb/sites-enabled/default

post-auth {
  ...
  if (TLS-Client-Cert-Common-Name) {
    tls_clients.authorize
    # rlm_files returns noop, not notfound, when no entry matches
    # (as the follow-up in this thread confirms)
    if (noop) {
      # reject unknown users
      reject
    }
  }
  ...
}

Modify as appropriate for your needs.



I'll look into that as time allows...and while I appreciate your
quick response, I think that your comment below is a bit
unwarranted - one of the points of user groups is to be able to ask
the question "I don't know how...at least this has been the case
for the last 15 years that I have been doing this stuff."


Unfortunately, the FreeRADIUS community does not have the depth and 
breadth to provide the level of support and documentation that something 
like Apache or Samba does. This means there is more onus on you to be 
specific.


I have my theories about *why* this difference exists - specifically, 
that FR is a complex infrastructure daemon, which people set up and 
forget, as opposed to a framework that they constantly use. You see 
similar issues on other projects (ISC bind, for example) that have these 
attributes. But whatever the reason, most people post to this list a few 
times, then vanish - they don't answer questions to people who follow 
them, write docs or wiki articles, or contribute code.


This leads to a relatively small pool of people who can answer, and to 
the expectation that you be specific so those people can use their time 
efficiently. Don't take it personally - it's just a function of the 
community size.


Cheers,
Phil


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Phil Mayers

On 12/27/2012 02:32 PM, spartan1...@hushmail.com wrote:


I played around with the users file in FreeRADIUS but it didn't
seem to have any effect unless I put a DEFAULT Auth-Type Reject in
the file which blocked everyone regardless of what else I had in
the users file. I've Googled around a bit but haven't found any
definitive guides on how I would do a FreeRADIUS analog to Windows
IAS/NPS policies other than having to include ldap servers and/or
other types of external authentication systems which I'm not really
interested (at this point) in doing.


LDAP is not an authentication system (not really). It's a directory, 
which is a form of database.


You are, obviously, going to need some form of "database" in which your 
policy "memberships" are stored; FreeRADIUS provides several built-in 
modules (LDAP, SQL, files, passwd-style) that can do this.


However - you're going to run into the fact that EAP-TLS as implemented 
in the 2.x branch doesn't offer very much in the way of authorization - 
the only place you can run a database lookup and be sure you have the 
TLS cert details is post-auth (a virtual server step was added in 
master/3.x).


Basically:

 1. Define a local attribute in raddb/dictionary to hold your groups. 
Note carefully the stuff in the default dictionary file about local 
attribute numbers.


 2. Configure one of the various data lookup modules (passwd and files 
are the simplest but least flexible) to lookup the groups based on the 
TLS cert attributes (see below)


 3. Run this module in the post-auth section, and act on the result.

raddb/sites-available/default contains comments to this effect in 
post-auth - search for "TLS-Client" in that file, which also tells you 
the various TLS cert attributes you can use.


About the only difficult bit is step 2; I thought I'd written something 
in the wiki about this, but I can't find it (and I can't log in anymore).


If you've got a more specific question, I'll try to reply, but you'll 
need to do a bit of research into the various "database" modules and 
decide which one you want to use first.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
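As an added example (not code from the thread and not FreeRADIUS code), here is the allow-list Phil sketches above modelled in Python: a small parser for the rlm_files "users" syntax, a lookup keyed on TLS-Client-Cert-Common-Name, and the post-auth decision that rejects a client whose certificate chains to the CA but whose CN has no entry. The TLS_CLIENTS text is a constructed sample, and the function names and the 'ok'/'noop' return strings are this example's own, chosen to mirror the module return codes FreeRADIUS uses (a files lookup with no matching entry returns noop, which is the change spartan1833 reports having to make).

```python
"""Allow-list machines by certificate CN after EAP-TLS succeeds.

The TLS handshake only proves the client holds a certificate signed by our
CA (authentication). Whether that particular machine may join the network
(authorization) is decided afterwards by looking its CN up in a
"users"-style file; a CN with no entry is rejected.
"""
import re

# Constructed sample in rlm_files "users" syntax: an entry name at column 0,
# optional check items on the same line, reply items on indented lines.
TLS_CLIENTS = """\
# machines allowed on the network, keyed on certificate CN
laptop1234
                Reply-Message = "laptop1234 authorised"
laptop5678      NAS-Port-Type == Ethernet
                Tunnel-Type = VLAN,
                Tunnel-Private-Group-Id = "20"
"""

# attribute, operator, quoted-or-bare value, optional trailing comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=~|\+=|=)\s*("[^"]*"|[^\s,]+)\s*,?')


def _parse_items(text):
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)]


def parse_users_file(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()     # drop comments (sample has no '#' in values)
        if not line.strip():
            continue
        if line[0].isspace():                      # indented: reply items of the current entry
            if entries:
                entries[-1][2].extend(_parse_items(line))
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ''
        entries.append((parts[0], _parse_items(rest), []))
    return entries


def _check(request, attr, op, val):
    have = request.get(attr)
    if op == '==':
        return have == val
    if op == '!=':
        return have != val
    if op == '=~':
        return have is not None and re.search(val, have) is not None
    return True        # ':=' and '=' on a check line assign; they do not filter


def files_authorize(entries, key, request):
    """Model rlm_files keyed on `key`: ('ok', replies) for the first entry whose
    check items pass, ('noop', []) when nothing matches."""
    for name, checks, replies in entries:
        if name not in (key, 'DEFAULT'):
            continue
        if all(_check(request, *item) for item in checks):
            return 'ok', list(replies)
    return 'noop', []


def post_auth(request, entries):
    """post-auth policy: an EAP-TLS client whose CN has no entry is rejected."""
    cn = request.get('TLS-Client-Cert-Common-Name')
    if cn is None:
        return 'accept', []                        # not EAP-TLS; other policy decides
    rcode, replies = files_authorize(entries, cn, request)
    if rcode == 'noop':                            # valid cert, unknown machine
        return 'reject', [('Reply-Message', 'unknown machine ' + cn)]
    return 'accept', replies


if __name__ == '__main__':
    db = parse_users_file(TLS_CLIENTS)
    for req in ({'TLS-Client-Cert-Common-Name': 'laptop1234'},
                {'TLS-Client-Cert-Common-Name': 'laptop5678', 'NAS-Port-Type': 'Ethernet'},
                {'TLS-Client-Cert-Common-Name': 'laptop9999'}):
        print(req['TLS-Client-Cert-Common-Name'], '->', post_auth(req, db))
```

The third request in the usage block is the case the original post worried about: a laptop with a perfectly good certificate from the same CA is still turned away because its CN is not in the file. Adding a DEFAULT entry would turn the file back into "anyone with a cert", which is why the example has none.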


Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
Hi,

Thank you for the...quick reply - thought I had spelled out what I 
was trying to figure out in fairly clear terms:

> or can guide me in how to do local (to the RADIUS server)
> machine policies - I just want to be able to say "laptop1234...",
> etc are part of a local group and are authorized (provided that
> they are properly provisioned with certs, etc).

...but if not then ok I was simply trying to figure out if I was 
able to control machine-only 802.1x authentication against 
FreeRADIUS in a manner similar to how "simple" user authentication 
appears to be done (via the users file). From your response, it 
appears that the answer is "NO" and that an LDAP configuration / 
LDAP groups will be required.

I'll look into that as time allows...and while I appreciate your 
quick response, I think that your comment below is a bit 
unwarranted - one of the points of user groups is to be able to ask 
the question "I don't know how...at least this has been the case 
for the last 15 years that I have been doing this stuff."

Regards...

On Thu, 27 Dec 2012 09:50:03 -0500 "Alan DeKok" 
 wrote:
>spartan1...@hushmail.com wrote:
>> 802.1x appears to be working; any laptop with the certs/config is
>> able to access the wired and/or wireless network and any laptop
>> without is denied access. However, in my previous experience with
>> RADIUS (IAS/NPS in the Windows world), I am able to control access
>> at a policy level as well; any machine not part of a specific group
>> is denied access, regardless of what certificate is installed and
>> what configuration is present on the laptop.
>
>  You can do that in FreeRADIUS, too.  You can do LDAP group comparisons:
>
>http://wiki.freeradius.org/modules/Rlm_ldap
>
>> I played around with the users file in FreeRADIUS but it didn't
>> seem to have any effect unless I put a DEFAULT Auth-Type Reject in
>> the file which blocked everyone regardless of what else I had in
>> the users file.
>
>  Well... playing around isn't useful.  You need to first define the
>problem, and then look for a solution.  The problem here seems to be
>looking up groups in LDAP, right?
>
>  So... configure the LDAP module.  Read its documentation.
>
>> I've Googled around a bit but haven't found any
>> definitive guides on how I would do a FreeRADIUS analog to Windows
>> IAS/NPS policies other than having to include ldap servers and/or
>> other types of external authentication systems which I'm not really
>> interested (at this point) in doing.
>
>  Are the groups stored in LDAP?  If so, you need to configure
>FreeRADIUS to talk to the LDAP server.
>
>> Guessing that I'm missing something so hoping that someone else has
>> done this or can guide me in how to do local (to the RADIUS server)
>> machine policies - I just want to be able to say "laptop1234...",
>> etc are part of a local group and are authorized (provided that
>> they are properly provisioned with certs, etc).
>
>  Where are those groups defined?
>
>  Right now, your question is "I want to do stuff but I don't know how".
> You need to describe what you want to do, in detail.
>
>  Alan DeKok.



Wiki requires email?

2012-12-27 Thread Phil Mayers
I can no longer log into the wiki with my github account - seems the 
wiki now requires that I expose an email publicly in my github profile 
(something I am not going to do). Is this intentional? What's the rationale?



Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Alan DeKok
spartan1...@hushmail.com wrote:
> 802.1x appears to be working; any laptop with the certs/config is 
> able to access the wired and/or wireless network and any laptop 
> without is denied access. However, in my previous experience with 
> RADIUS (IAS/NPS in the Windows world), I am able to control access 
> at a policy level as well; any machine not part of a specific group 
> is denied access, regardless of what certificate is installed and 
> what configuration is present on the laptop.

  You can do that in FreeRADIUS, too.  You can do LDAP group comparisons:

http://wiki.freeradius.org/modules/Rlm_ldap

> I played around with the users file in FreeRADIUS but it didn't 
> seem to have any effect unless I put a DEFAULT Auth-Type Reject in 
> the file which blocked everyone regardless of what else I had in 
> the users file.

  Well... playing around isn't useful.  You need to first define the
problem, and then look for a solution.  The problem here seems to be
looking up groups in LDAP, right?

  So... configure the LDAP module.  Read its documentation.

> I've Googled around a bit but haven't found any 
> definitive guides on how I would do a FreeRADIUS analog to Windows 
> IAS/NPS policies other than having to include ldap servers and/or 
> other types of external authentication systems which I'm not really 
> interested (at this point) in doing.

  Are the groups stored in LDAP?  If so, you need to configure
FreeRADIUS to talk to the LDAP server.

> Guessing that I'm missing something so hoping that someone else has 
> done this or can guide me in how to do local (to the RADIUS server) 
> machine policies - I just want to be able to say "laptop1234...", 
> etc are part of a local group and are authorized (provided that 
> they are properly provisioned with certs, etc).

  Where are those groups defined?

  Right now, your question is "I want to do stuff but I don't know how".
 You need to describe what you want to do, in detail.

  Alan DeKok.


802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
Hi,

First post, and new to FreeRADIUS, though I have been using RADIUS in
the Windows world for many years. I have a small network with a
Linux server and a mix of Windows XP and Windows 7 laptops that I
am trying to run 802.1x authentication on. I only want to use
computer/machine auth (user auth handled elsewhere) so I have
FreeRADIUS set up to use EAP-TLS. I have the CA cert and the
appropriate client certs installed on the laptops and appropriate
client configurations for the switch and AP. I've also config'd the
laptops to use machine auth only.

802.1x appears to be working; any laptop with the certs/config is 
able to access the wired and/or wireless network and any laptop 
without is denied access. However, in my previous experience with 
RADIUS (IAS/NPS in the Windows world), I am able to control access 
at a policy level as well; any machine not part of a specific group 
is denied access, regardless of what certificate is installed and 
what configuration is present on the laptop.

I played around with the users file in FreeRADIUS but it didn't 
seem to have any effect unless I put a DEFAULT Auth-Type Reject in 
the file which blocked everyone regardless of what else I had in 
the users file. I've Googled around a bit but haven't found any 
definitive guides on how I would do a FreeRADIUS analog to Windows 
IAS/NPS policies other than having to include ldap servers and/or 
other types of external authentication systems which I'm not really 
interested (at this point) in doing.

Guessing that I'm missing something so hoping that someone else has 
done this or can guide me in how to do local (to the RADIUS server) 
machine policies - I just want to be able to say "laptop1234...", 
etc are part of a local group and are authorized (provided that 
they are properly provisioned with certs, etc).

Any thoughts - thanks in advance :) 



Re: Question about the behavior of sql.conf

2012-12-27 Thread Phil Mayers

On 12/27/2012 06:00 AM, ichiro tanaka wrote:

Hello

I'm using freeradius 2.1.12. I'm trying to set up sql.conf,
but there is one question.
I made a set of 'safe-character' connection configs in sql.conf.
However, the safe-characters used for a connection are those of the last one (B)
(when I use A, B will be used in this case).

Do you know what the reason for this is?


This is a limitation of 2.x

It is fixed in the "master" branch, which will become 3.0


Re: Question about the behavior of sql.conf

2012-12-27 Thread Phil Mayers

On 12/27/2012 06:20 AM, Fajar A. Nugraha wrote:

On Thu, Dec 27, 2012 at 1:00 PM, ichiro tanaka  wrote:


I made a set of 'safe-character' connection configs in sql.conf.
However, the safe-characters used for a connection are those of the last one (B)
(when I use A, B will be used in this case).

Do you know what the reason for this is?


Short version: known problem, hard to fix.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg72933.html



Actually - not any more! Fixed in HEAD/3.0. We re-worked the xlat stuff 
to pass "context" arguments to xlat functions. So, safe-characters is 
now per-instance.


I need to add SQL driver-based escaping next.


Re: Fwd: FW:

2012-12-27 Thread Alan DeKok
Arpit Jain wrote:
> I am sending an Access-Request packet using radeapclient without
> password,

  Which is allowed.

> But server is sending Access-Reject to the request.
> 
> Following are the logs of radeapclient:

  So... you're trying to debug the server, but looking at what the
client is doing.

  How about instead running the server in debugging mode, as suggested
in the FAQ, README, "man" page, web pages, and daily on this list?

> But EAP RFC3579 and RFC2869 states that User-Password should not be part
> of a radius packet containing EAP-Message attribute,

  You're debugging the server by reading the RFCs.  Is that right?

> Please let me know if any specific configuration need to be done on the
> server so that server sends Access-Accept.

  Read the documentation.  It's not hard.

  Read my web site:  http://deployingradius.com

  If it takes you more than 5 minutes to get an Access-Accept, you're
not following instructions.

  Alan DeKok.


Re:

2012-12-27 Thread Alan DeKok
Arpit Jain wrote:
> Hi,
> 
> can we send accounting request using radeapclient ??

  No.

  Alan DeKok.


[no subject]

2012-12-27 Thread Arpit Jain
Hi,

can we send accounting request using radeapclient ??

I am getting the following error:

radeapclient -x 172.168.200.15 acct testing123
User-Name= " testuser "
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = " testuser "
Message-Authenticator = 0x00

+++> About to send encoded packet:
User-Name = " testuser "
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = " testuser "
Message-Authenticator = 0x00
rlm_eap: EAP-Message not found
<+++ EAP decoded packet:

Regards,

Arpit

Fwd: FW:

2012-12-27 Thread Arpit Jain
Hi,

I am sending an Access-Request packet using radeapclient without password.

I am giving the following attributes in radeapclient:

User-Name= "testuser"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = " testuser "
Message-Authenticator = 0x00

But the server is sending Access-Reject to the request.

Following are the logs of radeapclient:

User-Name= "testuser"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "testuser"
Message-Authenticator = 0x00

+++> About to send encoded packet:
User-Name = "testuser"
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "testuser"
Message-Authenticator = 0x00
<+++ EAP decoded packet:
EAP-Message = 0x01d3001604107b44069aa80b67319a536bfd4f8ac713
Message-Authenticator = 0xb4499f3ee54742d9dd8469980720dcf6
State = 0x8a52e3488a81e7f33f4b54075fcd3936
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x107b44069aa80b67319a536bfd4f8ac713

+++> About to send encoded packet:
User-Name = "testuser"
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x
EAP-Type-MD5 = 0x10d2c45d5e328b2b2db8bd66c7d171635d
State = 0x8a52e3488a81e7f33f4b54075fcd3936
<+++ EAP decoded packet:
EAP-Message = 0x04d30004
Message-Authenticator = 0xf6f7e2707ef22ea86a660a4ddce7fb30
EAP-Id = 211
EAP-Code = Failure

On further investigation, I found an example to test eap-md5 in the source
code (freeradius-2.1.8) in src/tests.

Example is:

echo 'User-Name = "eapmd5"'
echo 'Cleartext-Password = "md5md5"'
echo 'NAS-IP-Address = marajade.sandelman.ottawa.on.ca'
echo 'EAP-Code = Response'
echo 'EAP-Id = 210'
echo 'EAP-Type-Identity = "eapsim"'
echo 'Message-Authenticator = 0'
echo 'NAS-Port = 0' )

But EAP RFC3579 and RFC2869 state that User-Password should not be part of
a radius packet containing EAP-Message attribute.

It is written that "An Access-Request that contains either a User-Password or
CHAP-Password or ARAP-Password or one or more EAP-Message attributes
MUST NOT contain more than one type of those four attributes. If it
does not contain any of those four attributes, it SHOULD contain a
Message-Authenticator. If any packet type contains an EAP-Message
attribute it MUST also contain a Message-Authenticator."

Please let me know if any specific configuration needs to be done on the
server so that the server sends Access-Accept.

Thanks in advance.

Arpit
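The EAP-Message values in the radeapclient log above can be decoded by hand, and doing so shows what the exchange actually was: an MD5-Challenge Request (Code 1, Id 211, Type 4, a 16-byte challenge) followed by a Failure (Code 4, Id 211). The following Python is an added example, not code from this thread or from FreeRADIUS: it parses those two packets, computes the MD5-Challenge response the way RFC 3748 defines it (so it is clear that the server can only verify the response when it knows the user's cleartext password, which is why the src/tests example quoted above carries Cleartext-Password), and checks the RFC 3579 attribute rule quoted in the message. The password "md5md5" is taken from that src/tests example; the attribute-name lists in the usage section are constructed.

```python
# Added example: decode the EAP-Message values from the log above and
# check the RFC 3579 attribute rules quoted in the message. Not code from
# the thread or from FreeRADIUS; hex values come from the log, the
# attribute lists at the bottom are constructed.
import hashlib
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5 = 4


def parse_eap(raw: bytes) -> dict:
    """Parse one EAP packet (RFC 3748): Code, Id, Length, then Type and data."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length %d does not match %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        pkt["type"] = raw[4]
        data = raw[5:]
        if raw[4] == EAP_TYPE_MD5:
            # MD5-Challenge (RFC 3748 5.4): Value-Size, Value, optional Name
            if not data or len(data) < 1 + data[0]:
                raise ValueError("truncated MD5-Challenge")
            size = data[0]
            pkt["value"] = data[1:1 + size]
            pkt["name"] = data[1 + size:]
        elif raw[4] == EAP_TYPE_IDENTITY:
            pkt["identity"] = data.decode("utf-8", "replace")
    return pkt


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Id | password | challenge): what the peer sends back and what the
    server recomputes, which is only possible when the server holds the
    user's cleartext password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


# RFC 3579 section 3.1: at most one of these four may appear in a request.
EXCLUSIVE = ("User-Password", "CHAP-Password", "ARAP-Password", "EAP-Message")


def check_access_request(attribute_names) -> list:
    """Return the RFC 3579 attribute-rule violations for one Access-Request."""
    present = set(attribute_names)
    problems = []
    kinds = [a for a in EXCLUSIVE if a in present]
    if len(kinds) > 1:
        problems.append("more than one of %s present" % ", ".join(kinds))
    if "EAP-Message" in present and "Message-Authenticator" not in present:
        problems.append("EAP-Message without Message-Authenticator")
    return problems


if __name__ == "__main__":
    # Both hex strings are the EAP-Message values from the log above.
    challenge = parse_eap(bytes.fromhex("01d3001604107b44069aa80b67319a536bfd4f8ac713"))
    failure = parse_eap(bytes.fromhex("04d30004"))
    print(challenge)
    print(failure)
    # Constructed attribute lists: the second one is what a packet missing
    # its Message-Authenticator would look like.
    print(check_access_request(["User-Name", "EAP-Message", "Message-Authenticator"]))
    print(check_access_request(["User-Name", "EAP-Message"]))
```

Feeding the log's first EAP-Message through parse_eap gives Type 4 with the same 16-byte value that radeapclient printed as EAP-Type-MD5, and the second gives a plain Failure with Id 211; the Failure itself does not say why, which is what Alan's reply about running the server in debugging mode is getting at.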