Question about differences between possibilities of authentication

2013-04-11 Thread Bas Penris
Hi All,
 
The last week I've had my first encounter with FreeRADIUS as we were supposed 
to deploy eduroam. I had a lot of fun doing it although I have dreamt about the 
config files after a couple of days :)
 
Everything is working as it should so no worries there, but I'm curious about 
something. I configured the proxies and the local realm. When I did a radtest 
like this:
radtest che...@localdomain.nl password 127.0.0.1 1 secret
I would get an Access-Accept. The debug output would show that first a bind and 
then an LDAP search is performed in our eDirectory. Okay! Fun times I thought, 
let's try it on my mobile phone because a test account I got from an academic 
institution in the UK worked so local authentication should work as well! I 
entered the credentials but now comes the difference. Using a Wifi device made 
the LDAP search fail because it tried to authenticate the u...@domain.nl 
instead of stripping the suffix.
 
I've been staring at the config files to see if I got the LDAP-filter defined 
two times somewhere but that doesn't seem to be the case. Now, this wasn't a 
really big problem because users can be pretty stupid and we decided to let 
them authenticate using their email address instead of their username@domain 
which would lead to too much confusion for them.
 
The LDAP filter was:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
Is now:
filter = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"
The proxy.conf lines right before it's defaulted to eduroam:
realm ettyhillesumlyceum.nl {
}
 
Does anyone have an idea why radtest would behave differently from an 802.1X login?
 
Regards,
 
Bas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
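As an added illustration of the question above (not code from the thread or from FreeRADIUS itself), a small Python model of what the suffix module and the %{Stripped-User-Name:-%{User-Name}} fallback do to the LDAP filter: the realm list, user names and filter templates are assumptions, and the model shows that a realm not defined as local leaves User-Name unstripped, so the filter receives the full user@domain.

```python
# Added example, not code from the thread: a small model of how FreeRADIUS's
# "suffix" (rlm_realm) module and the %{Stripped-User-Name:-%{User-Name}} xlat
# fallback decide what ends up inside an LDAP search filter.  The realm list,
# user names and filter templates below are constructed sample data.

# Assumption: these realms are defined as local in proxy.conf (a realm block
# with no authhost/secret), so rlm_realm strips them from User-Name.
LOCAL_REALMS = {"localdomain.nl", "ettyhillesumlyceum.nl"}


def suffix_module(user_name, local_realms=LOCAL_REALMS):
    """Model of rlm_realm with format = suffix and delimiter = '@'.
    Returns (Stripped-User-Name, Realm); either is None when not set."""
    if "@" not in user_name:
        # Debug output reads: No '@' in User-Name, looking up realm NULL
        return None, None
    user, realm = user_name.rsplit("@", 1)
    if realm.lower() in local_realms:
        # Known local realm: the suffix is stripped
        return user, realm
    # Unknown realm (no DEFAULT realm assumed): User-Name is left untouched
    return None, realm


def xlat_with_fallback(stripped, user_name):
    """%{Stripped-User-Name:-%{User-Name}}: use Stripped-User-Name if it
    exists, otherwise expand the second conditional, the full User-Name."""
    return stripped if stripped is not None else user_name


def ldap_escape(value):
    """RFC 4515 filter escaping for an attribute value substituted into a
    search filter, so that user input cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_filter(user_name, template="(uid={name})"):
    """Expand an rlm_ldap-style filter template.  {name} is the stripped-or-full
    name, {user} the raw User-Name (as in the thread's second filter)."""
    stripped, _realm = suffix_module(user_name)
    name = xlat_with_fallback(stripped, user_name)
    return template.format(name=ldap_escape(name), user=ldap_escape(user_name))


if __name__ == "__main__":
    for u in ("testuser@localdomain.nl", "testuser@domain.nl", "TheAdmin"):
        print(u, "->", build_filter(u))
```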

Freeradius + LDAP + Samba integrated with Active Directory

2013-04-11 Thread John
Hi all,
 
We deploy freeradius integrated with Active Directory, but the AD enabled the 
"Require signing" option (see the attachment).
 
net join is OK after we set "LDAP SASL wrapping" to 'sign'. But LDAP search 
failed.  Is there a way to let LDAP search work? Can someone show me some 
reference or guide?
 
Thanks,
John

Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi

Am 11.04.2013 20:08, schrieb Alan DeKok:
> 
>> The real-life example would be that people could use PEAP-MSCHAPv2 for
>> credential-based logins (server certificate being signed by a "trusted"
>> external CA)
>   While that works, it's not recommended.  It means that the client will
> trust *any* certificate signed by that CA, for network access.
>
>   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the
certificate (and its trust chain) by the "trusted" CA.

CA_file would only contain the internal CA, so that only those signed
by the one internal CA IT has control over would be accepted by FR.
(oh and I'd want to have a regularly updated revocation list...)
> 
>
>   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file)
being signed by a CA that most devices trust - since most of the users are
going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work,
it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA
through CA_file would allow us to more easily integrate those non-personal
but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi All

Thanks, I've successfully configured squid using radius authentication.

Actually I needed to install squid from source with the parameter below
when compiling that source (
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Radius)

--enable-basic-auth-helpers="squid_radius_auth"

Previously I used squid3 from apt-get.


Thanks :)




On Fri, Apr 12, 2013 at 12:36 AM, Alan DeKok wrote:

> Iftakhul Anwar wrote:
> > This is response log from radiusd -X when i try long using usr:alice
> > password: password
>
>   No, it's not.
>
>   You need to follow instructions.  If you ask questions and ignore the
> answers, that's rude.
>
>   Either follow instructions, or stop posting the same questions.
>
>   If you don't follow instructions, you will be unsubscribed and banned
> from the list.
>
>   Following instructions shouldn't be hard.  Do it, or else.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
*M.Iftakhul Anwar*
Meruvian Integrator
High Performance Computing / Cloud Computing (HPC/CC)


Office Phone  : 021-93586577
Mobile Phone : 085215331477
Blog   :  http://blog.mervpolis.com/roller/anwar
FB :  http://www.facebook.com/troya.adromeda
Website : www.meruvian.org

Re: Performing an additional check on the credentials

2013-04-11 Thread Alan DeKok
Romeo Mihalcea wrote:
> I successfully managed to deploy a freeradius server and created a
> python script which does an additional check on the user (incoming
> request). I checked the internet (resources for freeradius are pretty
> horrible)

  Well... the server comes with a lot of documentation.  Searching
random pages on the internet isn't a good idea.

> and only found a thread which explains some basics about
> adding a python script to the process.

  That isn't well documented because no one has contributed documentation.

> Right now I have it inside /etc/freeradius/sites-enabled/default under
> the authorize section:
> 
> update control {
>Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}'
> '%{User-Password}'`
> }

  While that works, I wouldn't recommend doing it.  It's just using
python as an external script.  i.e. there's no python-specific
documentation needed.  You could use `/bin/echo Accept` to get much the
same effect.

> My test.py file spits Reject or Accept. I also have sql authentication

  No... the SQL module does authorization checks.  They really are
different, and the difference is important.  See the wiki for more
discussion on this topic.

> setup with freeradius and the problem is that, if my script returns
> Accept any other authorization request under is ignored; response will
> still be an Accept even if sql check rejects the user.

  Yes, that's what you told it to do.  Which is why the FAQ says to
*not* set Auth-Type.  It's almost always wrong.

> From what I understand I should pass a noop instead of Accept to allow
> freeradius to continue and only pass Reject if I need to reject the user
> but If I respond with noop the server complains (probably because it
> expects a reply for Auth-Type as I coded it).

  No.  "noop" isn't an authentication type.  You're mixing multiple
topics without a clear understanding of any of them.

> Someone on serverfault suggested I shouldnt use unlang to call a python
> script and I should use rlm_python but I really have no idea how to even
> start calling my script.
> 
> Any ideas? Maybe I need to add my code to the Authentication. section? How?

  What you want to do?  Please explain what you have, and what you want.

  Right now you're describing a "solution" that doesn't work.  You're
not describing a problem.  There's really no point in trying to fix the
solution until the problem is clear.  If we do, we'll be stuck on
miscommunication and misunderstanding.

  Alan DeKok.


Performing an additional check on the credentials

2013-04-11 Thread Romeo Mihalcea
I successfully managed to deploy a freeradius server and created a python
script which does an additional check on the user (incoming request). I
checked the internet (resources for freeradius are pretty horrible) and
only found a thread which explains some basics about adding a python script
to the process.

Right now I have it inside /etc/freeradius/sites-enabled/default under the
authorize section:

update control {
    Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
}
My test.py file spits Reject or Accept. I also have sql authentication
setup with freeradius and the problem is that, if my script returns Accept
any other authorization request under is ignored; response will still be an
Accept even if sql check rejects the user.

From what I understand I should pass a noop instead of Accept to allow
freeradius to continue and only pass Reject if I need to reject the user
but if I respond with noop the server complains (probably because it
expects a reply for Auth-Type as I coded it).

Someone on serverfault suggested I shouldn't use unlang to call a python
script and I should use rlm_python but I really have no idea how to even
start calling my script.

Any ideas? Maybe I need to add my code to the Authentication section? How?

Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Alan DeKok
Mathieu Simon wrote:
> Usually I've seen example for EAP-TLS setups that used a server-side
> certificate
> issued from the same CA as the one it should allow EAP-TLS clients who
> present
> their certificate to FR.

  Yes.

> Am I guessing correctly that CA_file can contain a different list of CA(s)
> than the server certificate that is shown to the client?

  Yes.  It contains a list of valid CAs.

> The real-life example would be that people could use PEAP-MSCHAPv2 for
> credential-based logins (server certificate being signed by a "trusted"
> external CA)

  While that works, it's not recommended.  It means that the client will
trust *any* certificate signed by that CA, for network access.

  It's usually a bad idea.

> while some devices could login using EAP-TLS but only when they present
> a certificate from an internal CA (that usually isn't being trusted by
> devices
> outside of control of IT department).

  That works.  The client will need *both* CAs.

  But why be this complicated?  Just use one CA, which is for both
EAP-TLS and PEAP.  It can issue client certs to some machines, and *not*
issue client certs to others.

  You don't need one CA per EAP method.

  Alan DeKok.


Re: freeRadius 2.1.10 PEAP/MSCHAPv2 w/ Active Directory

2013-04-11 Thread Alan DeKok
trevor_marq...@selinc.com wrote:
> Hello all,
> 
> I'm new to freeRadius and am using freeRadius version 2.1.10

  Upgrade to 2.2.0.  It has a number of issues fixed.

> for some
> lab testing.  I've got freeradius extracting users and passwords from an
> Active Directory database.  I'm using PEAP/MSCHAPv2.  All configs have
> been working until about a week or so ago.  All of a sudden, my mschapv2
> challenge/response is not correct.
> 
> Not sure where exactly the problem is occurring so I've posted the debug
> output below.  If other config files are necessary, I can post them too.

  Well... the debug output seems pretty clear.

> *Exec-Program output: Access denied (0xc022)*
> *Exec-Program-Wait: plaintext: Access denied (0xc022)*
...
> *Login incorrect (mschap: External script says Access denied

  What is unclear about that?

  ntlm_auth is running, and AD is returning that error.  No amount of
poking FreeRADIUS will fix an AD access issue.

  Alan DeKok.


freeRadius 2.1.10 PEAP/MSCHAPv2 w/ Active Directory

2013-04-11 Thread trevor_marquis
Hello all,

I'm new to freeRadius and am using freeRadius version 2.1.10 for some lab 
testing.  I've got freeradius extracting users and passwords from an 
Active Directory database.  I'm using PEAP/MSCHAPv2.  All configs have 
been working until about a week or so ago.  All of a sudden, my mschapv2 
challenge/response is not correct.

Not sure where exactly the problem is occurring so I've posted the debug 
output below.  If other config files are necessary, I can post them too.

Thanks for any help.  Trevor



rad_recv: Access-Request packet from host 127.0.0.1 port 50066, id=2, 
length=81
User-Name = "TheAdmin"
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
EAP-Message = 0x021001747265766f7261646d696e
Message-Authenticator = 0x1f8e3dc1fcbafac6481c9fe22c8449e5
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "TheAdmin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=commslab,dc=local -> dc=commslab,dc=local
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> TheAdmin
[files] expand: 
(&(objectclass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}*)) 
-> (&(objectclass=user)(sAMAccountName=TheAdmin*))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=commslab,dc=local, with filter 
(&(objectclass=user)(sAMAccountName=TheAdmin*))
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 
-> 
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=commslab,dc=local, with filter 
(&(cn=Commslab_Domain_Users)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in 
CN=TheAdmin,OU=Users,OU=commslab,DC=commslab,DC=local, with filter 
(objectclass=*)
  [ldap] performing search in 
CN=Commslab_Enterprise_Admins,OU=Groups,OU=commslab,DC=commslab,DC=local, 
with filter (cn=Commslab_Domain_Users)
  [ldap] object not found
  [ldap] performing search in CN=Domain 
Admins,CN=Users,DC=commslab,DC=local, with filter 
(cn=Commslab_Domain_Users)
  [ldap] object not found
rlm_ldap::groupcmp: Group Commslab_Domain_Users not found or user not a 
member
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=commslab,dc=local -> dc=commslab,dc=local
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 
-> 
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=commslab,dc=local, with filter 
(&(cn=Commslab_Enterprise_Admins)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in 
CN=TheAdmin,OU=Users,OU=commslab,DC=commslab,DC=local, with filter 
(objectclass=*)
  [ldap] performing search in 
CN=Commslab_Enterprise_Admins,OU=Groups,OU=commslab,DC=commslab,DC=local, 
with filter (cn=Commslab_Enterprise_Admins)
rlm_ldap::ldap_groupcmp: User found in group Commslab_Enterprise_Admins
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication 
may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate  --- Not sure why were trying TLS
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 50066
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0

Re: Radius Squid authentication REJECT

2013-04-11 Thread Alan DeKok
Iftakhul Anwar wrote:
> This is response log from radiusd -X when i try long using usr:alice
> password: password

  No, it's not.

  You need to follow instructions.  If you ask questions and ignore the
answers, that's rude.

  Either follow instructions, or stop posting the same questions.

  If you don't follow instructions, you will be unsubscribed and banned
from the list.

  Following instructions shouldn't be hard.  Do it, or else.

  Alan DeKok.


Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,

>Hi,
>I'm sorry, 
>This is response log from radiusd -X when i try long using usr:alice

one more time.

please do not send us what you feel like sending us.

please just simply send us the output of "radiusd -X"
FROM THE VERY START right up to where it says "Ready to process requests"

do not send us the authentication attempt or anything else. 

everything else is pointless to send.


alan


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi,

I'm sorry,

This is the response log from radiusd -X when I try to log in using usr:alice
password: password


Cleaning up request 3 ID 4 with timestamp +116
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
User-Name = "alice"
User-Password = "\335\307-\245#ˎ!7\036f\023\217\3630\257"
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.2.3
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "alice", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> alice
[sql] sql_set_user escaped user --> 'alice'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY
id -> SELECT id, username, attribute, value, op   FROM radcheck
  WHERE username = 'alice'   ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY
id -> SELECT id, username, attribute, value, op   FROM radreply
  WHERE username = 'alice'   ORDER BY id
[sql] expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT
groupname   FROM radusergroup   WHERE username = 'alice'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "\DD\C7-\A5#\CB?!7?f??\F30\AF"
[pap] Using clear text password "password"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared
secret on the server and the NAS!
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> alice
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 0.9 seconds.
Cleaning up request 4 ID 4 with timestamp +122
Ready to process requests.


On Thu, Apr 11, 2013 at 11:22 PM,  wrote:

> Hi,
> >Hi, previously i've attached my log as attachment :)
>
> no, you havent :-(
>
> all you have attached is the stuff that you felt you wanted to send.
> without sending
> the FULL output of radiusd -X FROM THE START we cannot see where you have
> gone wrong.
>
> HOW can we help if you dont give us the information we request?
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>




Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,
>Hi, previously i've attached my log as attachment :)

no, you haven't :-(

all you have attached is the stuff that you felt you wanted to send. without 
sending the FULL output of radiusd -X FROM THE START we cannot see where you 
have gone wrong.

HOW can we help if you don't give us the information we request?

alan


Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,

>Actually my shared password is default using testing123.This is my
>configuration on my squid_rad_auth.conf

as previously discussed, you are not sending the full output of radiusd -X
and so we are having to guess.  we cannot guess your problems away.
at least send us your clients.conf from FreeRADIUS

alan


Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day

As a (hopefully) answer-able question to those experienced with EAP-TLS
that I've been twisting my brain over:

Usually I've seen examples for EAP-TLS setups that used a server-side
certificate issued from the same CA as the one it should allow EAP-TLS
clients who present their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
  tls {
 [...]
 certificate_file = "/etc/freeradius/ssl/cert.p

 #  Trusted Root CA list
 CA_file = "/etc/univention/ssl/ucsCA/CAcert.pem"
[...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a "trusted"
external CA)
while some devices could login using EAP-TLS but only when they present
a certificate from an internal CA (that usually isn't being trusted by
devices
outside of control of IT department).

Best regards
Mathieu


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
I'm sorry, I'm really a newbie.

Actually my shared password is the default, testing123. This is my
configuration in my squid_rad_auth.conf


squid_rad_auth.conf
-
server 192.168.2.3
secret testing123

and this is my configuration on squid.conf

#  TAG: auth_param
#auth_param basic program /etc/squid3/squid_radius_auth -f
/etc/squid3/squid_rad_auth.conf
auth_param basic program /etc/squid3/squid_radius_auth -f
/usr/local/squid/etc/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm web-proxy
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off
acl radius-auth proxy_auth REQUIRED

#  TAG: http_access
http_access allow radius-auth
http_access allow localhost


Is anything wrong?

I'm suspicious of this in the log:

[pap] login attempt with password “b9?I? +�(�Ч�Y�?”
[pap] Using clear text password “password”
[pap] Passwords don’t match


Is it because of a different authentication method between squid and radius?




On Thu, Apr 11, 2013 at 10:35 PM,  wrote:

> Hi,
>
> look:
>
> WARNING: Unprintable characters in the password.  Double-check the shared
> secret on the server and the NAS!
>
>
> there. incorrect shared secret...as already said several times in this
> thread...OR the
> squid code is broken.
>
> if this is working fine, then because its PAP you will see the password in
> User-Password
> clear as day. you dont, its all corrupted, because incorrect shared secret.
>
> put eg radtest onto the squid box and check that you can fire off a dumb
> RADIUS
> query to your FR box from the squid box
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>




Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,

look:

WARNING: Unprintable characters in the password.  Double-check the shared 
secret on the server and the NAS!


there. incorrect shared secret...as already said several times in this 
thread...OR the squid code is broken.

if this is working fine, then because it's PAP you will see the password in 
User-Password clear as day. you don't, it's all corrupted, because of an 
incorrect shared secret.

put eg radtest onto the squid box and check that you can fire off a dumb RADIUS
query to your FR box from the squid box

alan
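An added Python model (not code from the thread or from either project) of the RFC 2865 User-Password hiding that both the squid helper and FreeRADIUS key with the shared secret, to show why a mismatch surfaces as the unprintable password and the warning quoted above; the secrets, password and Request Authenticator are constructed sample values.

```python
# Added example, not code from the thread: RFC 2865 section 5.2 User-Password
# hiding, modelled in Python to show why a shared-secret mismatch between the
# NAS (here the squid helper) and FreeRADIUS appears as unprintable garbage in
# the "[pap] login attempt with password" debug line.  Secrets, password and
# Request Authenticator below are constructed sample values.
import hashlib
import os


def hide_password(password, secret, authenticator):
    """NAS side.  Pad the password with NULs to a multiple of 16 octets, then
    XOR each 16-octet block with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad_len = (-len(password)) % 16
    if not password:
        pad_len = 16          # an empty password still yields one 16-octet block
    padded = password + b"\x00" * pad_len
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block          # ciphertext chaining, as in the RFC
    return hidden


def unhide_password(hidden, secret, authenticator):
    """Server side.  Same chain in reverse; trailing NUL padding is removed.
    With the wrong secret every MD5 key differs, so the result is noise."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def has_unprintable(password):
    """Heuristic like the one behind FreeRADIUS's warning 'Unprintable
    characters in the password.  Double-check the shared secret on the
    server and the NAS!': any octet outside printable ASCII."""
    return any(b < 0x20 or b > 0x7e for b in password)


def pap_exchange(password, nas_secret, server_secret, authenticator=None):
    """One PAP Access-Request as seen by the server.  Returns the password
    the server recovers and whether it would trigger the warning."""
    if authenticator is None:
        authenticator = os.urandom(16)   # the NAS picks a fresh one per request
    hidden = hide_password(password, nas_secret, authenticator)
    recovered = unhide_password(hidden, server_secret, authenticator)
    return recovered, has_unprintable(recovered)


if __name__ == "__main__":
    # Matching secrets on both sides, then a mismatch (constructed values).
    print(pap_exchange(b"password", b"testing123", b"testing123"))
    print(pap_exchange(b"password", b"testing123", b"wrongsecret"))
```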


Re: compile with ldap support

2013-04-11 Thread John Dennis

On 04/10/2013 10:24 PM, Alan DeKok wrote:

Chris Taylor wrote:

How do I check that I have them installed I have the openldap rpm installed.


   This is really a question for your OS vendor.  How about "man rpm"?
Or google?


If you're working on a Fedora/RHEL/CentOS etc. type system then 
yum-builddep is your friend. I know you're trying to build from source 
and not build an RPM but if you have a srpm or spec file you can use 
yum-builddep to get your build dependencies installed. Or you can look 
at a spec file and find all the BuildRequires and install those.


Think of an rpm spec file as a "recipe" for building. If you're not sure 
what ingredients you need then consult the recipe.



--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Need both Local (MySQL database) and Active directory authentications.

2013-04-11 Thread Alan DeKok
ffgch2 wrote:
> I have set up Freeradius  (v.2.1.10)

  Upgrade to v2.2.0.

> to do password authentication from
> MySQL database and it works fine but now I need to make some users be
> able to authenticate against Active directory accounts. I’ve setup
> winbind to authenticate windows accounts and it works but as a result
> freeradius lost ability to authenticate by local database.

  You need to figure out when users will be checked against SQL, and
when they will be checked against AD.  Right now, you've configured
FreeRADIUS to use both.  Which isn't what you want.

> So if I comment the line:

  Don't randomly change things.  It won't work.

> Is there a way to tell mschap to use ntlm_auth depending on field in
> MySQL table and use the internal mechanisms if plain text passwords
> available in the MySQL table?

  No.  There are better ways.

  See raddb/modules/mschap.  You can control when ntlm_auth is called.

  See "man unlang".  You can configure policies.  Read the debug output.

  What you want is this:

authorize {
    ...
    sql
    if (ok) {
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
    ...
}

  Alan DeKok.


Re: Radius Squid authentication REJECT

2013-04-11 Thread Alan DeKok
Iftakhul Anwar wrote:
> This attachment log of radiusd -X output when i try to login using user
> = alice with passwrod=password

  You need to read it, and the responses to your messages.

  You've been told what's wrong, and how to fix it.  Stop thinking you
understand it, and read the responses.  Stop thinking that you've got it
configured correctly, and go fix it.

  It's not hard.  The only reason it doesn't work is because you're not
following instructions.

  Alan DeKok.


Re: Radwho doesn't show full name

2013-04-11 Thread mkeram
Hello,
Could you please check and confirm whether it works for you in freeradius 2?
Best regards
Marek
On 5 April 2013 at 0:47 mkeram wrote:
Hello,
I have installed Debian Squeeze 6.0 with freeradius 2.1.10 + accel-ppp
(PPPoE). Everything is working fine, but radwho and radwho -s doesn't
return full username fetched from /etc/passwd. 
All users have real linux account and proper entry in
/etc/freeradius/users. All details login and passwords are included in
users file.
In old freeradius 1.1.3 I got radwho output:
zycha AnetaZych PPP S338 Sun 16:28 127.0.0.1 192.168.1.223 -where AnetaZych
is full name fetched from /etc/passwd
in new I have:
zycha zycha PPP S338 Sun 16:28 127.0.0.1 192.168.1.223
Could you please advise where I should change the configuration? I have made
an strace on radwho and I didn't find any information about checking the file
/etc/passwd.
Please advise
Best regards
Marek

Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi Adam,

I'm sorry my previous attachment too large,

This attachment is the log of radiusd -X output when I try to login using user =
alice with password=password

Thanks


-- 
*M.Iftakhul Anwar*
Meruvian Integrator
High Performance Computing / Cloud Computing (HPC/CC)


Office Phone  : 021-93586577
Mobile Phone : 085215331477
Blog   :  http://blog.mervpolis.com/roller/anwar
FB :  http://www.facebook.com/troya.adromeda
Website : www.meruvian.org

rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file 
/usr/local/etc/raddb/modules/acct_unique
  acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, 
NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file 
/usr/local/etc/raddb/modules/detail
  detail {
detailfile = 
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file 
/usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file 
/usr/local/etc/raddb/modules/radutmp
  radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file 
/usr/local/etc/raddb/modules/attr_filter
  attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
  }
reading pairlist file /usr/local/etc/raddb/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file 
/usr/local/etc/raddb/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-

Need both Local (MySQL database) and Active directory authentications.

2013-04-11 Thread ffgch2
Hi all,

I have set up FreeRADIUS (v2.1.10) to do password authentication from a
MySQL database and it works fine, but now I need to let some users
authenticate against Active Directory accounts. I've set up winbind to
authenticate Windows accounts and it works, but as a result FreeRADIUS lost
the ability to authenticate against the local database.

So if I comment out the line:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

in the modules/mschap file, then local database authentication works fine but
Active Directory doesn't. With ntlm_auth uncommented, Active Directory works
but the local database doesn't.

The WiFi access points query the RADIUS server using WPA-Enterprise, so the
passwords are encrypted inside EAP messages and there is no other way to
validate them; they have to go through the mschap module anyway.
Is there a way to tell mschap to use ntlm_auth depending on a field in the
MySQL table, and to use the internal mechanism if a plain-text password is
available in the MySQL table?
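One way to get what this question asks for, written as an added example for this thread and not taken from the original post or from the FreeRADIUS project's shipped configuration: leave ntlm_auth configured in modules/mschap for the Active Directory users, and switch it off per request for users whose password rlm_sql found in radcheck. It relies on the MS-CHAP-Use-NTLM-Auth control attribute, which rlm_mschap consults before deciding whether to run ntlm_auth; that the attribute is in the dictionary (dictionary.freeradius.internal) of your 2.1.10 build, and the module order shown, are assumptions to verify against your own raddb.

```unlang
# sites-enabled/default, authorize section (excerpt).  For PEAP/EAP-MSCHAPv2
# the same block belongs in sites-enabled/inner-tunnel, because that is the
# virtual server that authenticates the inner MSCHAPv2 exchange.
# Order matters: sql must run BEFORE the check so that the radcheck rows
# have already been loaded into the control list.
authorize {
	preprocess
	mschap
	suffix
	eap {
		ok = return
	}
	sql

	# radcheck supplied a password for this user, so treat it as a local
	# user: rlm_mschap verifies the NT-Response itself (it can derive the
	# NT hash from Cleartext-Password) instead of calling ntlm_auth/winbind.
	# Users with no local password fall through and still go to AD.
	if (control:Cleartext-Password || control:NT-Password) {
		update control {
			MS-CHAP-Use-NTLM-Auth := No
		}
	}

	pap
}
```

The switch can equally live in the MySQL table, which is the "field in the MySQL table" form of the question: a radcheck row with attribute MS-CHAP-Use-NTLM-Auth, op ':=' and value No lands in the control list like any other check item, so no unlang condition is needed for that user. In either form, run radiusd -X and confirm that a local user's request no longer executes ntlm_auth while an AD user's request still does.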

Re: Radius Squid authentication REJECT

2013-04-11 Thread Adam Bishop
On 11 Apr 2013, at 10:35, Iftakhul Anwar  wrote:
> 
> I just use enter after my shared secret.
> 
> Any suggestions ?

There are three possibilities

 * The shared secret is wrong in the squid radius file
 * The shared secret is wrong in the freeradius clients file
 * Squid is broken (I think this unlikely)

As you've not posted a full debug log, all we can do is guess.

My guess is that radtest is using the secret defined in clients.conf:client 
127.0.0.1/8 and squid is using the secret defined in clients.conf:client 
192.168.2.3

Post a full log, and we can probably do more than guess.

Adam Bishop

 gpg: 0x6609D460

Janet, the UK's research and education network.



Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



Re: Radius Squid authentication REJECT

2013-04-11 Thread Matthias Nagel
Hello,

perhaps it is an encoding problem between the browser and squid. You should 
check what kind of encoding squid expects the browser to use and what encoding 
the browser actually uses. But this is not a radius problem, hence I cannot 
help you with that problem.

Anyway, somewhere on the link "browser <-> squid <-> radius" the password gets 
screwed up. If the problem were between the browser and squid, the user name 
would likely be screwed up, too. Hence, I still believe the problem is between 
squid and radius. But if a wrong secret isn't the solution, I am out. Sorry.

Regards, Matthias

On Thursday 11 April 2013, 16:35:33 Iftakhul Anwar wrote:
> I just press Enter after my shared secret.
> 
> Any suggestions?

Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
I just press Enter after my shared secret.

Any suggestions?



Re: Radius Squid authentication REJECT

2013-04-11 Thread Matthias Nagel
Hello,

On Thursday 11 April 2013, 16:07:08 Iftakhul Anwar wrote:
> Hi Matthias,
> 
> I don't use " " in my squid_rad_auth.conf

I know, that is the reason why I asked you to check for non-printable 
characters AFTER your shared secret.

> No space in my secret.

And what is between the last printable character of your secret and the new 
line?

Matthias


> This is my squid_rad_auth.conf
> 
> server 192.168.2.3
> secret testing123
> 
> In radcheck, I'm also using Cleartext-Password in my radcheck table
> 
> Any other clue?
> 
> Thanks
--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi Matthias,

I don't use " " in my squid_rad_auth.conf. No space in my secret.
This is my squid_rad_auth.conf

server 192.168.2.3
secret testing123

In radcheck, I'm also using Cleartext-Password in my radcheck table

Any other clue?

Thanks




Re: Radius Squid authentication REJECT

2013-04-11 Thread Matthias Nagel
Hello,

did you do what the warning says and double-check the shared secret?

As far as I can see, squid_rad_auth.conf does not use quotation marks ("") to 
delimit the shared secret. Hence, perhaps you have trailing white spaces or 
something like that at the end of the line. Delete the line "secret" in 
squid_rad_auth.conf and type it again. I really mean to delete it in order to 
get rid of unprintable characters you might not see.

Matthias


Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi All,


I have successfully configured FreeRADIUS with MySQL. I can radtest using the
command:

sudo radtest alice password 192.168.2.3 1812 testing123
Sending Access-Request of id 187 to 192.168.2.3 port 1812
User-Name = "alice"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x

rad_recv: Access-Accept packet from host 192.168.2.3 port 1812,
id=187, length=20

Now I'm trying Squid with RADIUS authentication.

I followed the steps from:

http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043

But I got these error messages in cache.log:

Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
squid_rad_auth: No response from RADIUS server

In the radiusd -X debug output there is an error message like the one below:

Sending duplicate reply to client localprivate port 42003 - ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 42003,
id=2, length=63
Sending duplicate reply to client localprivate port 42003 - ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 0.9 seconds.
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "b9?I? +�(�Ч�Y�?"
[pap] Using clear text password "password"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type REJECT

What is that error? How can I solve this?

Thanks

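Both symptoms in the original post above, the "Unprintable characters in the password" warning on the server and the "invalid reply digest" followed by "No response from RADIUS server" on the squid side, come from the same cause: the shared secret enters a PAP exchange in two places, and a NAS and server that disagree on it fail at both. The following is an added example for this thread, not code from FreeRADIUS or from squid_rad_auth; it re-implements the two RFC 2865 primitives (User-Password hiding, section 5.2, and the Response Authenticator, section 3) with a minimal packet encoder so the failure can be reproduced offline. The user, password and secret are the ones from the thread; the fixed Request Authenticator is a constructed placeholder where a real NAS uses 16 random bytes.

```python
"""RFC 2865 PAP round trip with matching and mismatching shared secrets.

Added example for the squid/FreeRADIUS thread; not project code.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same chain; a wrong secret gives a wrong MD5 keystream,
    so the result is 16 bytes of junk instead of the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")  # drop the NUL padding


def has_unprintable(data: bytes) -> bool:
    """The heuristic behind FreeRADIUS's warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in data)


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_request(ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def reply_digest_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What squid_rad_auth checks before it trusts a reply at all."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate(nas_secret: bytes, server_secret: bytes, password: bytes = b"password") -> dict:
    """One Access-Request/reply exchange between a NAS and a server whose
    secrets may differ.  Returns what each side concluded."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    hidden = hide_password(password, nas_secret, request_auth)
    request = build_request(2, request_auth, encode_attrs(
        [(ATTR_USER_NAME, b"alice"), (ATTR_USER_PASSWORD, hidden)]))

    # Server: unhide with ITS secret and compare with the radcheck Cleartext-Password.
    attrs = parse_attrs(request[20:])
    seen = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request[4:20])
    code = ACCESS_ACCEPT if hmac.compare_digest(seen, password) else ACCESS_REJECT
    reply = build_reply(code, request[1], request[4:20], b"", server_secret)

    # NAS: verify the reply digest with ITS secret before believing the reply.
    return {
        "password_seen_by_server": seen,
        "unprintable": has_unprintable(seen),
        "reply_code": code,
        "reply_digest_ok": reply_digest_ok(reply, request_auth, nas_secret),
    }


if __name__ == "__main__":
    print("same secret:     ", simulate(b"testing123", b"testing123"))
    print("different secret:", simulate(b"testing123", b"wrong-secret"))
```

With a shared secret in common the server recovers "password" and the NAS accepts the reply digest. With different secrets the server sees junk (hence the unprintable-characters warning and the Access-Reject), and the NAS discards the Access-Reject because its digest does not verify, retransmits the same request ID, and eventually gives up. That is also why the FreeRADIUS debug output above shows "Sending duplicate reply ... ID: 2" twice: the server keeps answering the retransmissions while squid keeps throwing the answers away, and reports "No response from RADIUS server". Pairing radtest's success with this failure is consistent with Adam's guess earlier in the thread that the two clients match different clients.conf entries carrying different secrets.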