Re: How to fix the proxy source port
> Chuang Okis wrote:
> > I think you misunderstand my point a bit. Maybe I didn't express it clearly enough.
> > I only need to fix my *source port* instead of a random port, I don't care about the IP address at all.
>
> Ah, OK.
>
> > Actually, due to some maintenance issue, we want to know whether we could fix our src port while our freeRADIUS acts AS A ROAMING CENTER. We are trying to reduce the number of firewall logs. That's why we want to keep the src port the same.
>
> No there's no way to fix the source port.
>
> Even if you did, the server would dynamically open *new* source ports when it gets busy. That's how UDP applications work.

Ok, now I've saved lots of time finding any possible way to do this. Thanks for being so concise about this issue.

> It should be OK to have a firewall rule which allows packets FROM the proxy IP, TO the home server IP and home server port. Adding the source port is pretty much pointless.
>
> Alan DeKok.

Hmm. That sounds like it makes sense. I'll discuss it with our firewall policy manager. Anyway, thank you very much Alan.

Okis.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SQL and Huntgroups
On Tue, Apr 30, 2013 at 4:31 AM, Grégoire Leroy wrote:
> Maybe I was not clear enough above.
>
> What I want is :
> 1) Set the password for the user
> 2) Authentication of the user
> 3) X is always added to the reply if the user is authenticated
> 4) Moreover, Y is added to the reply for NAS, still if the user is authenticated
>
> I use radreply for X, the issue here is step 4. The how-to on the wiki about huntgroups and SQL recommends to use unlang in the authorize section. So, I update the request to assign the Huntgroup-Name attribute, and use unlang to add the Y configuration (user dependent) if the huntgroupname is "one_huntgroup_name".

That's not what the wiki said. Well, you can do that, but it doesn't say that you can ONLY do that. You can do other stuff as well.

http://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO#More-examples

It pretty much said that:
- you need to add an entry to radgroupcheck, so that when Huntgroup-Name matches a value (site_a), an SQL group (site_a_admins) will be assigned
- you add entries to radgroupreply to return whatever-attribute-value-pairs-you-want for the site_a_admins group.

> That's why I maintain a separate table, for Y configuration, and I would like to be able to dynamically update my request with the attributes,op,values of the user.
>
> Is it possible ?

Read the wiki.

-- 
Fajar
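An added example (not code from the thread, the wiki or the FreeRADIUS project): an in-memory sqlite3 model of the recipe Fajar summarises, where a radgroupcheck row on Huntgroup-Name gates the SQL group site_a_admins and that group's radgroupreply rows carry the per-NAS reply attributes. Table and column names follow the stock FreeRADIUS SQL schema; the group-matching logic is a simplified stand-in for rlm_sql (only the '==' check operator, first matching group wins), and the username, NAS address and reply values are constructed.

```python
# Added example, not from the thread or from FreeRADIUS itself: an in-memory
# sqlite3 model of the wiki's SQL-huntgroup recipe. A radgroupcheck row on
# Huntgroup-Name gates membership of the SQL group "site_a_admins", and the
# group's radgroupreply rows supply the per-NAS reply attributes ("Y").
# Table and column names follow the stock FreeRADIUS SQL schema; the
# matching logic is a simplified stand-in for rlm_sql's group processing.
import sqlite3

SCHEMA = """
CREATE TABLE radhuntgroup  (id INTEGER PRIMARY KEY, groupname TEXT, nasipaddress TEXT, nasportid TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Constructed sample rows. Group names come from the wiki summary quoted in the
# thread (site_a / site_a_admins); the user, NAS address (192.0.2.10, a
# documentation prefix) and reply values are made up for this example.
SAMPLE_ROWS = [
    ("INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES (?, ?)",
     ("site_a", "192.0.2.10")),
    # The user belongs to two groups; the lower priority number is tried first.
    ("INSERT INTO radusergroup VALUES (?, ?, ?)", ("gregoire", "site_a_admins", 1)),
    ("INSERT INTO radusergroup VALUES (?, ?, ?)", ("gregoire", "everyone", 2)),
    # radgroupcheck: site_a_admins only matches when Huntgroup-Name == site_a.
    ("INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
     ("site_a_admins", "Huntgroup-Name", "==", "site_a")),
    # radgroupreply: as many attribute/op/value rows per group as needed.
    ("INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
     ("site_a_admins", "Framed-IP-Address", ":=", "198.51.100.7")),
    ("INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
     ("site_a_admins", "Session-Timeout", ":=", "3600")),
    ("INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
     ("everyone", "Session-Timeout", ":=", "600")),
]


def build_db():
    """Create the four tables in memory and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        db.execute(sql, params)
    return db


def huntgroup_for_nas(db, nas_ip):
    """Step 1 from the thread: derive Huntgroup-Name from the NAS address.

    This is what the unlang 'update request { Huntgroup-Name := "%{sql:...}" }'
    in the thread does; returns None when the NAS is in no huntgroup.
    """
    row = db.execute("SELECT groupname FROM radhuntgroup WHERE nasipaddress = ?",
                     (nas_ip,)).fetchone()
    return row[0] if row else None


def group_check_passes(db, groupname, request):
    """True when every radgroupcheck row of the group matches the request.

    Only the '==' operator is modelled; rlm_sql supports the full set of
    check operators, which this example deliberately does not reimplement.
    """
    rows = db.execute("SELECT attribute, op, value FROM radgroupcheck "
                      "WHERE groupname = ? ORDER BY id", (groupname,)).fetchall()
    for attribute, op, value in rows:
        if op != "==":
            raise NotImplementedError("check operator %r not modelled" % op)
        if request.get(attribute) != value:
            return False
    return True


def authorize_reply(db, username, nas_ip):
    """Return the (attribute, op, value) reply rows for an authenticated user.

    Walks the user's groups in priority order and uses the first group whose
    check items pass (rlm_sql only continues to later groups when the reply
    sets Fall-Through, which this model leaves out).
    """
    request = {"User-Name": username, "NAS-IP-Address": nas_ip}
    huntgroup = huntgroup_for_nas(db, nas_ip)
    if huntgroup is not None:
        request["Huntgroup-Name"] = huntgroup
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username = ? "
                        "ORDER BY priority", (username,)).fetchall()
    for (groupname,) in groups:
        if group_check_passes(db, groupname, request):
            return db.execute("SELECT attribute, op, value FROM radgroupreply "
                              "WHERE groupname = ? ORDER BY id", (groupname,)).fetchall()
    return []


if __name__ == "__main__":
    db = build_db()
    for nas in ("192.0.2.10", "192.0.2.99"):
        print(nas, huntgroup_for_nas(db, nas), authorize_reply(db, "gregoire", nas))
```

From the NAS in site_a the user gets the site_a_admins rows; from any other NAS the check fails and the fallback group "everyone" supplies the reply instead.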
Re: redundant-load-balance for AD ntlmauth
Thank you, I'll check with the samba people and get a better understanding of how ntlm_auth works.

On 29 Apr 2013 13:58, "Alan DeKok" wrote:
> FreeRadius List wrote:
> > I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well.
>
> Because the LDAP module maintains a long-lived connection to the LDAP server.
>
> > I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another service.
>
> It won't work for ntlm_auth. That re-connects to Samba every time.
>
> Samba is responsible for maintaining long-lived connections to AD. If ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is down.
>
> > I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5)
> >
> > mschap mschapadN {
> >     with_ntdomain_hack = yes
> >     ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf"
> > }
> >
> > where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain"
>
> I'm not sure that will work. You'll have to check with the Samba people.
>
> > Is this along the lines that others follow?
>
> No. I've never seen this before.
>
> > if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to?
>
> Samba handles it.
>
> Alan DeKok.
Re: SQL and Huntgroups
Hi,

On Monday 29 April 2013 20:30:15, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > The thing is, I don't know how many attributes I have. It could be 1, 4, 10 and not always the same. That's why I want to retrieve from the database the value, the op and the attribute.
>
> just use authorize_group_reply_query and the "groupreply_table = "radgroupreply"" part of sql.conf ?

Maybe I was not clear enough above.

What I want is :
1) Set the password for the user
2) Authentication of the user
3) X is always added to the reply if the user is authenticated
4) Moreover, Y is added to the reply for NAS, still if the user is authenticated

I use radreply for X, the issue here is step 4. The how-to on the wiki about huntgroups and SQL recommends to use unlang in the authorize section. So, I update the request to assign the Huntgroup-Name attribute, and use unlang to add the Y configuration (user dependent) if the huntgroupname is "one_huntgroup_name".

That's why I maintain a separate table, for Y configuration, and I would like to be able to dynamically update my request with the attributes,op,values of the user.

Is it possible ? If not, I could just put my X+Y configuration in radreply and, using unlang, delete Y if the request is not from the right NAS. But I don't like adding something only to delete it afterwards, if possible.

Thank you for your help,
Regards,
Grégoire Leroy
Re: wireshark shows wrong information
Hi,

> Hi Alan, i m sorry if i m not being clear enough, but please consider the example from my last reply:

...you've written this 3 or 4 times. its clear. we see what you are saying but you are not taking the answers given to you.

alan
RE: wireshark shows wrong information
Hi Alan, i m sorry if i m not being clear enough, but please consider the example from my last reply:

this is the code in the module:

pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));

and this is what travels on the wire:

subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)
subtype-length = 06
value = f3 08 48 12

as you see, the value is expected to be 0001 and not f3 08 48 12. maybe it is a misunderstanding on my side. i m using freeradius stable 2.2 and wireshark 1.8.6.

thanks!

From: jpablolorenze...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: wireshark shows wrong information
Date: Fri, 26 Apr 2013 14:22:20 +

i realise now that i may not have been very clear in my explanation of the problem. the problem is that all values for the fields are the wrong values. for example, this is my code:

pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));

and this is what travels on the wire:

subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)
subtype-length = 06
value = f3 08 48 12

and this happens for all values ... i might be missing something

thanks!

From: jpablolorenze...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: wireshark shows wrong information
Date: Thu, 25 Apr 2013 21:00:51 +

i m sorry, i accidentally pressed the wrong combination of keys and the mail left. resuming my message below.

this is the data that tcpdump shows as being transmitted for this attribute:

type = 1a
length = 1a
vendor = 00 00 15 9f
vendor-type = 5a
vendor-length = 14
subtype = 01 (3GPP2-Prepaid-Acct-Quota-QuotaIDentifier)
subtype-length = 06
value = f3 08 48 12
subtype = 02 (3GPP2-Prepaid-Acct-Quota-VolumeQuota)
subtype-length = 06
value = 00 00 00 00
subtype = 04 (3GPP2-Prepaid-Acct-Quota-VolumeThreshold)
length = 06
value = 00 00 88 fa

i dont see where i m going wrong ... any help will be appreciated.

From: jpablolorenze...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: wireshark shows wrong information
Date: Thu, 25 Apr 2013 20:53:58 +

Hi,

i m implementing a module in which i m using some TLVs, for which i modified dictionary.3gpp2 as very well suggested in a different thread, but i see that the data for those TLV fields is not encoded properly, or at least that is what wireshark is showing. even though debugging freeradius shows that the data being sent is correct, it differs from the data captured using tcpdump ... here is my dictionary entry:

ATTRIBUTE 3GPP2-Prepaid-Acct-Quota 90 tlv
BEGIN-TLV 3GPP2-Prepaid-Acct-Quota
ATTRIBUTE 3GPP2-Prepaid-Acct-Quota-QuotaIDentifier 1 integer
ATTRIBUTE 3GPP2-Prepaid-Acct-Quota-VolumeQuota 2 integer
ATTRIBUTE 3GPP2-Prepaid-Acct-Quota-VolumeThreshold 4 integer
END-TLV 3GPP2-Prepaid-Acct-Quota

and for that i m writing the following code:

pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-QuotaIDentifier", "1", T_OP_EQ));
pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-VolumeQuota", "100", T_OP_EQ));
pairadd(&request->reply->vps, pairmake("3GPP2-Prepaid-Acct-Quota-VolumeThreshold", "100", T_OP_EQ));
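Added here as a worked example (not code from the poster or from FreeRADIUS): a Python decoder for the Vendor-Specific attribute bytes quoted from tcpdump in this thread, which walks the nested 3GPP2 TLVs with the length checks a receiver should make before trusting them and lets the on-wire integer of each sub-attribute be compared with what the module intended. The attribute names, vendor ID 0x0000159f and TLV number 90 come from the post; the byte string is reconstructed from the hex dump and labelled as constructed.

```python
# Added example (not from the mailing-list post): decode the RADIUS
# Vendor-Specific Attribute bytes that tcpdump showed in the thread, walking
# the 3GPP2 TLV sub-attributes so the on-wire value of each field can be
# compared with what the module intended to send.
import struct

# Vendor ID 0x0000159f = 5535 (3GPP2), as printed in the capture.
VENDOR_3GPP2 = 5535

# TLV attribute number and sub-attribute names from the dictionary.3gpp2
# entries quoted in the post.
QUOTA_TLV_TYPE = 90
QUOTA_TLV_NAMES = {
    1: "3GPP2-Prepaid-Acct-Quota-QuotaIDentifier",
    2: "3GPP2-Prepaid-Acct-Quota-VolumeQuota",
    4: "3GPP2-Prepaid-Acct-Quota-VolumeThreshold",
}

# Constructed from the hex dump in the thread:
#   type=1a length=1a vendor=00 00 15 9f vendor-type=5a vendor-length=14 ...
CAPTURED_VSA = bytes.fromhex(
    "1a1a0000159f5a14"   # type 26, length 26, vendor 5535, vendor-type 90, vendor-length 20
    "0106f3084812"       # subtype 1, length 6, value f3084812
    "020600000000"       # subtype 2, length 6, value 00000000
    "0406000088fa"       # subtype 4, length 6, value 000088fa
)


def parse_vsa(data):
    """Parse one RFC 2865 Vendor-Specific attribute (type 26).

    Returns (vendor_id, vendor_type, vendor_data). Raises ValueError when a
    header is short or a length disagrees with the buffer, which is the check
    a receiver must make before descending into nested TLVs.
    """
    if len(data) < 8:
        raise ValueError("VSA shorter than its fixed header")
    attr_type, attr_len = data[0], data[1]
    if attr_type != 26:
        raise ValueError("not a Vendor-Specific attribute: type %d" % attr_type)
    if attr_len != len(data):
        raise ValueError("attribute length %d != buffer length %d" % (attr_len, len(data)))
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vendor_type, vendor_len = data[6], data[7]
    # vendor-length covers vendor-type, vendor-length and the payload.
    if vendor_len != attr_len - 6:
        raise ValueError("vendor-length %d inconsistent with length %d" % (vendor_len, attr_len))
    return vendor_id, vendor_type, data[8:]


def parse_tlvs(payload):
    """Split a TLV payload into (subtype, value_bytes) pairs.

    Each sub-attribute is subtype(1) length(1) value, where length counts the
    two header bytes, exactly like a top-level RADIUS attribute.
    """
    tlvs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated TLV header at offset %d" % pos)
        subtype, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, pos))
        tlvs.append((subtype, payload[pos + 2:pos + length]))
        pos += length
    return tlvs


def decode_quota_tlv(data):
    """Decode the captured VSA into {attribute-name: integer value}.

    Integer sub-attributes are 4-byte big-endian, as declared in the dictionary.
    """
    vendor_id, vendor_type, payload = parse_vsa(data)
    if vendor_id != VENDOR_3GPP2 or vendor_type != QUOTA_TLV_TYPE:
        raise ValueError("not 3GPP2-Prepaid-Acct-Quota (vendor %d type %d)" % (vendor_id, vendor_type))
    decoded = {}
    for subtype, value in parse_tlvs(payload):
        name = QUOTA_TLV_NAMES.get(subtype, "unknown-subtype-%d" % subtype)
        if len(value) != 4:
            raise ValueError("%s: expected 4-byte integer, got %d bytes" % (name, len(value)))
        decoded[name] = struct.unpack("!I", value)[0]
    return decoded


if __name__ == "__main__":
    for name, value in decode_quota_tlv(CAPTURED_VSA).items():
        print("%-45s = %d (0x%08x)" % (name, value, value))
```

Run against the captured bytes the decoder confirms the framing is self-consistent (26 bytes, vendor-length 20, three 6-byte sub-attributes) while the QuotaIDentifier decodes to 0xf3084812 rather than the 1 the module set, which is exactly the discrepancy the thread is about.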
Re: SQL and Huntgroups
Hi,

> The thing is, I don't know how many attributes I have. It could be 1, 4, 10 and not always the same. That's why I want to retrieve from the database the value, the op and the attribute.

just use authorize_group_reply_query and the "groupreply_table = "radgroupreply"" part of sql.conf ?

alan
Re: How to fix the proxy source port
Chuang Okis wrote:
> I think you misunderstand my point a bit. Maybe I didn't express it clearly enough.
> I only need to fix my *source port* instead of a random port, I don't care about the IP address at all.

Ah, OK.

> Actually, due to some maintenance issue, we want to know whether we could fix our src port while our freeRADIUS acts AS A ROAMING CENTER. We are trying to reduce the number of firewall logs. That's why we want to keep the src port the same.

No there's no way to fix the source port.

Even if you did, the server would dynamically open *new* source ports when it gets busy. That's how UDP applications work.

It should be OK to have a firewall rule which allows packets FROM the proxy IP, TO the home server IP and home server port. Adding the source port is pretty much pointless.

Alan DeKok.
Re: Question about EAP-TTLS session resumption
> The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. rejecting the user). This has not been in doubt at all.

Instantiate a new EAPTTLSAuthenticator() for each authentication session and you should be fine. The Authenticator class is there to maintain a context through a single authentication session, generally.
Re: Username with spaces (MySQL)
Hi Guys,

I have another Question. How can I convert the username to UPPERCASE in the authorization section? Or how can I Authorize only the Username written in UPPERCASE?

Thanks

2013/4/19 Andres Gomez Ruiz
> Thanks a lot guys!
>
> Both methods work. Finally I used the regex in the Authorize section.
>
> Best regards.
> Andrés

-- 
C. Andres
RE: Question about EAP-TTLS session resumption
Thanks again for the confirmation, Alan. :-)

Stefan

-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 29 April 2013 15:35
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

stefan.pae...@diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.

Except it's not a request for "steve":

User-Name = "steve"
EAP-Message = 0x020801626f62

The EAP-Message says that the EAP Identity is for user "bob".

The EAP client you're using is broken. Fix that before you try anything else.

> Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)

Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.

Sounds like a plan.

Alan DeKok.
Re: Question about EAP-TTLS session resumption
stefan.pae...@diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.

Except it's not a request for "steve":

User-Name = "steve"
EAP-Message = 0x020801626f62

The EAP-Message says that the EAP Identity is for user "bob".

The EAP client you're using is broken. Fix that before you try anything else.

> Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)

Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.

Sounds like a plan.

Alan DeKok.
Re: SQL and Huntgroups
Hello,

> if (Huntgroup-Name == 'one_huntgroup_name') {
>     update reply {
>         attribute1 := "%{sql:SELECT blah blah}"
>         attribute2 := "%{sql:SELECT blah blah}"
>         attribute3 := "%{sql:SELECT blah blah}"
>         attribute4 := "%{sql:SELECT blah blah}"
>     }
> }

The thing is, I don't know how many attributes I have. It could be 1, 4, 10 and not always the same. That's why I want to retrieve from the database the value, the op and the attribute.

Thanks,
Regards
Re: How to fix the proxy source port
I think you misunderstand my point a bit. Maybe I didn't express it clearly enough.

I only need to fix my *source port* instead of a random port, I don't care about the IP address at all.

Actually, due to some maintenance issue, we want to know whether we could fix our src port while our freeRADIUS acts AS A ROAMING CENTER. We are trying to reduce the number of firewall logs. That's why we want to keep the src port the same.

Hope my illustration is clear enough! :p

Okis
Re: Grab request password with ASCII character
Mehdi Ravanbakhsh wrote:
> first one: that is not huge, that is one NAS in a local network. and i have just 4 questions in general and in all of them i read, test and try any document that is available for freeradius first.
>
> but if my questions are a nuisance to you, i apologize for that.

Don't apologize. Instead, do more work for yourself.

You're asking a LOT of questions. Most of those questions show you haven't bothered to read or think about the existing documentation. That's a problem.

If you don't care enough to do any work, then we won't do any work to help you.

You're trying to build a large complicated system. But you're not prepared to understand what you're building. So... your system probably won't work.

Alan DeKok.
Re: SQL and Huntgroups
Hi,

> The thing I want to be added by radius in the reply :
> if (Huntgroup-Name == 'one_huntgroup_name') {
>     Attribute1 op1 value1
>     Attribute2 op2 value2
>     ...
>     Attributei opi valuei
> }
> Given that Attribute,op,value 1...i are in the MySQL table.

if (Huntgroup-Name == 'one_huntgroup_name') {
    update reply {
        attribute1 := "%{sql:SELECT blah blah}"
        attribute2 := "%{sql:SELECT blah blah}"
        attribute3 := "%{sql:SELECT blah blah}"
        attribute4 := "%{sql:SELECT blah blah}"
    }
}

alan
Re: SQL and Huntgroups
> > For the step 4, I have to :
> > 1) Retrieve the huntgroup
> > 2) Compare it with what the user sends
> > 3) If it matches, give him his specific statement.
> >
> > So, if I understand correctly in the authorize section, I have to maintain a radipusers table for my IP/users and do something like :
> >
> > 1) update request {
> >        Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
> >    }
> > 2) if Huntgroup-Name == 'one_huntgroup_name' {
> > 3)     Framed-IP-Address = "%{sql:SELECT ip FROM radipusers WHERE user='%{username}'}"
> >    }
> >
> > Is there something wrong in what I just said ?
>
> I'm really not sure. All I can say is try it, and see if it works.

I tried it and it worked. However, it worked only because the specific statement was : "Framed-IP-Address = IP.ADD.RE.SS"

(Reminder: I want the following behaviour :
1) Set the password for the user
2) Authentication of the user
3) X is always added to the reply if the user is authenticated
4) Moreover, Y is added to the reply for NAS, still if the user is authenticated.)

What I would like instead of my dumb radipusers table (id | username | ip), is a table which looks like radreply (id | username | attribute | op | value) I could use with unlang.

The thing I want to be added by radius in the reply :

if (Huntgroup-Name == 'one_huntgroup_name') {
    Attribute1 op1 value1
    Attribute2 op2 value2
    ...
    Attributei opi valuei
}

Given that Attribute,op,value 1...i are in the MySQL table.

Is it possible to get that by unlang / SQL ? I've read the unlang manpage, and I don't see any information which would enable me to do that. I've tried something without much hope, and without success :

"%{sql:SELECT attribute from radreply where username='%{request:User-Name}'}" = "%{sql:SELECT value from radreply where username='%{User-Name}'}"

Thank you for your help,
Regards,
Grégoire Leroy
Re: Grab request password with ASCII character
dear A.L.M.Buxe

first one: that is not huge, that is one NAS in a local network. and i have just 4 questions in general and in all of them i read, test and try any document that is available for freeradius first.

but if my questions are a nuisance to you, i apologize for that.

On Mon, Apr 29, 2013 at 6:18 PM, wrote:
> hi,
>
> are you one person or a whole team? looking through my emails you have asked multiple questions every day. this seems like a big project you are tackling here but using the users mailing list for all your help/advice. thats abuse.
>
> alan
Re: Grab request password with ASCII character
hi,

are you one person or a whole team? looking through my emails you have asked multiple questions every day. this seems like a big project you are tackling here but using the users mailing list for all your help/advice. thats abuse.

alan
Grab request password with ASCII character
Hi All

i need to grab the request password to insert in the database if Cleartext-Password is "import", so i wrote this unlang script in the authenticate section :

Auth-Type PAP {
    pap {
        reject = 1
    }
    if (reject) {
        if ("%{control:Cleartext-Password}" == "import") {
            ok
            update control {
                password-import = "%{sql:SELECT change_impoprt_password ('%{User-Name}'::varchar,'%{User-Password}'::varchar)}"
                Log-State := "New Password Is Imported"
            }
        }
        else {
            if (("%{control:Bad-Password-Pool}") && ("%{control:Bad-Password-Pool}" != "")) {
                ok
                update control {
                    Auth-Type := "Accept"
                    Pool-Name := "%{control:Bad-Password-Pool}"
                    Log-State := "PAP Password Is Not Correct"
                }
                update reply {
                    Reply-Message = "Your Password in not correct in system"
                }
            }
            else {
                update control {
                    Log-State := "PAP Password Is Not Correct - Reject"
                    Auth-Type := "Reject"
                }
                update reply {
                    Reply-Message := "Your Password in not correct in system"
                }
            }
        }
        ok
    }
}

but if the user uses symbols like ! @ # & or any character that is based on ASCII characters, i can not get the real password characters. for example :

import password is : "test!@#"
request:user-password is : "test=21@=23"

do we have any way to get or convert request:user-password to non-ASCII ?
RE: Question about EAP-TTLS session resumption
Alan,

The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. rejecting the user). This has not been in doubt at all.

However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.

Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)

To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.

Regards

Stefan

-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 29 April 2013 14:08
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

stefan.pae...@diamond.ac.uk wrote:
> We're trying to put together an EAP-TTLS authentication solution with another open-source authentication server (Jasig CAS). We've found that only the first authentication process succeeds, but everything else after fails. In order for us to pinpoint whether this is a problem in the CAS software or the JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm with the Radius experts on the list that I have some things right.

Well, TTLS session resumption works with wpa_supplicant, Windows, Macs, etc.

> As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 (session resumption) more in particular, the EAP-TTLS session should only be resumed if the client was successfully authenticated with the server. So am I correct in saying that if an EAP-TTLS session was established and a username and password were passed through the tunnel that were not successfully authenticated (i.e. the password was incorrect), the session cannot be resumed and should start again, i.e. a new tunnel session should be negotiated and the authentication request retried?

Yes.

> What we've seen is that the radiusd -X output shows a full EAP-TTLS session negotiation the first time, but then only a resumption (or at least that's what FreeRADIUS assumes, based on the debug output) of the session to continue. FreeRADIUS then sees the EAP handler fail.

It sees more than that. There's no point in reading only *one* message out of many. The reason the other debug messages exist is because they're *useful*.

> Should that session (i.e. 'request 7 ID 9') have been renegotiated and restarted because the user-password combination of 'bob' and 'test' is invalid?

The debug log *doesn't* show session resumption. If it did, it would have text about "session resumption".

> -- begin of debug output --

Which shows that the inner-tunnel configuration is incapable of authenticating a user "bob" with password "test". This has nothing to do with session resumption.

Your inner-tunnel configuration is wrong. You haven't configured a "known good" password for the user. So how is the server supposed to check that "bob/test" is a valid user/password?

Alan DeKok.
Re: Question about EAP-TTLS session resumption
stefan.pae...@diamond.ac.uk wrote:
> We're trying to put together an EAP-TTLS authentication solution with another open-source authentication server (Jasig CAS). We've found that only the first authentication process succeeds, but everything else after fails. In order for us to pinpoint whether this is a problem in the CAS software or the JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm with the Radius experts on the list that I have some things right.

Well, TTLS session resumption works with wpa_supplicant, Windows, Macs, etc.

> As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 (session resumption) more in particular, the EAP-TTLS session should only be resumed if the client was successfully authenticated with the server. So am I correct in saying that if an EAP-TTLS session was established and a username and password were passed through the tunnel that were not successfully authenticated (i.e. the password was incorrect), the session cannot be resumed and should start again, i.e. a new tunnel session should be negotiated and the authentication request retried?

Yes.

> What we've seen is that the radiusd -X output shows a full EAP-TTLS session negotiation the first time, but then only a resumption (or at least that's what FreeRADIUS assumes, based on the debug output) of the session to continue. FreeRADIUS then sees the EAP handler fail.

It sees more than that. There's no point in reading only *one* message out of many. The reason the other debug messages exist is because they're *useful*.

> Should that session (i.e. 'request 7 ID 9') have been renegotiated and restarted because the user-password combination of 'bob' and 'test' is invalid?

The debug log *doesn't* show session resumption. If it did, it would have text about "session resumption".

> -- begin of debug output --

Which shows that the inner-tunnel configuration is incapable of authenticating a user "bob" with password "test". This has nothing to do with session resumption.

Your inner-tunnel configuration is wrong. You haven't configured a "known good" password for the user. So how is the server supposed to check that "bob/test" is a valid user/password?

Alan DeKok.
Re: redundant-load-balance for AD ntlmauth
FreeRadius List wrote:
> I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well.

Because the LDAP module maintains a long-lived connection to the LDAP server.

> I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another service.

It won't work for ntlm_auth. That re-connects to Samba every time.

Samba is responsible for maintaining long-lived connections to AD. If ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is down.

> I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5)
>
> mschap mschapadN {
>     with_ntdomain_hack = yes
>     ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf"
> }
>
> where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain"

I'm not sure that will work. You'll have to check with the Samba people.

> Is this along the lines that others follow?

No. I've never seen this before.

> if not how does ntlmauth handle the AD server being down. Does ntlmauth/winbind handle AD being down so freeradius does not have to?

Samba handles it.

Alan DeKok.
Re: How to fix the proxy source port
Okis Chuang wrote:
> Yeah… Actually I almost knew that I cannot achieve this hope
> while seeing the document.

Huh? You *can* set the source IP address. Go read the proxy.conf file. This is documented. In great detail. Including *how* to do it.

If your proxy.conf doesn't have a reference to "src_ipaddr", it's because you're running an old version of the software. Upgrade.

> But… I just want to know is there any other way to get this done?

Read the documentation?

> I know this demand is not too common. But it's really a
> real demand in our case.
>
> Any idea?

Read the documentation?

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS server is dumping core
ramakrishna wrote:
> I have not used any of the 1.x versions of freeradius. However I have
> used 2.1.12 initially and finally migrated to 2.2. Could you please
> let me know how to trace any incompatibilities if any between the two
> versions?

My point was that's hard to do. Instead, ensure you have only ONE version installed.

> Also please find the attached file which has only memory access errors
> which are leading to dump finally. Could you please suggest some way to
> get rid of those errors?

Do what I said: ensure you have only one version installed.

There is no point trying to track down hundreds of errors. They all have the same root cause: incompatible binaries and libraries. Go fix that. Nothing else will solve it.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about EAP-TTLS session resumption
Hi,

We're trying to put together an EAP-TTLS authentication solution with another open-source authentication server (Jasig CAS). We've found that only the first authentication process succeeds, but everything else after fails. In order for us to pinpoint whether this is a problem in the CAS software or the JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm with the Radius experts on the list that I have some things right.

As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 (session resumption) more in particular, the EAP-TTLS session should only be resumed if the client was successfully authenticated with the server. So am I correct in saying that if an EAP-TTLS session was established and a username and password were passed through the tunnel that were not successfully authenticated (i.e. the password was incorrect), the session cannot be resumed and should start again, i.e. a new tunnel session should be negotiated and the authentication request retried?

What we've seen is that the radiusd -X output shows a full EAP-TTLS session negotiation the first time, but then only a resumption (or at least that's what FreeRADIUS assumes, based on the debug output) of the session to continue. FreeRADIUS then sees the EAP handler fail.

Should that session (i.e. 'request 7 ID 9') have been renegotiated and restarted because the user-password combination of 'bob' and 'test' is invalid?

-- begin of debug output --
Ready to process requests.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=2, length=53
    User-Name = "bob"
    EAP-Message = 0x020801626f62
    Message-Authenticator = 0xeec2f0280b8274f92fc902a15122729c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.23.6.33 port 49802
    EAP-Message = 0x010100061520
    Message-Authenticator = 0x
    State = 0xee0ac522ee0bd0bfaaf533badfdea46d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=3, length=135
    User-Name = "bob"
    State = 0xee0ac522ee0bd0bfaaf533badfdea46d
    EAP-Message = 0x020100481500160301003d01390301517e66cc1774b02aba3b0067774c719d9a7c24c36fb94a5d97f862a59f866bd3120039003800330032001600130035002f000a0100
    Message-Authenticator = 0x93d337adcf53e180ece72e8e881f3022
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 003d], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.23.6.33 port 49802
    EAP-Message = 0x
redundant-load-balance for AD ntlmauth
Hello

I use redundant-load-balance for ldap user auth to authenticate users to a pool of active directory servers for one service. That seems to work well.

I'm trying to think why I don't do that for ntlmauth (used inside mschap inner-tunnel) for another service.

I've knocked that up to test it with mschap modules like (with N being 1,2,3,4,5)

mschap mschapadN {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf"
}

where /etc/samba/smb-adN.conf is the same as the others except for "password server = adN.domain"

and then in the inner-tunnel site I have

authenticate {
    Auth-Type MS-CHAP {
        redundant-load-balance {
            mschapad1
            mschapad2
            ..
            mschapadN
        }
    }
}

Is this along the lines that others follow? If not, how does ntlmauth handle the AD server being down? Does ntlmauth/winbind handle AD being down so freeradius does not have to?

Thanks,
Neil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RADIUS server is dumping core
On Mon, Apr 29, 2013 at 5:02 PM, ramakrishna wrote:
> Also please find the attached file which has only memory access errors which
> are leading to dump finally. Could you please suggest some way to get rid of
> those errors?

Have you tried installing on a fresh solaris box, or using prebuilt packages, e.g. http://www.opencsw.org/package/freeradius/ , or even try the same setup on a linux box?

While it should be possible to find the problems in YOUR particular setup, doing so would require lots of effort. Remember, whatever help you might find on this list is provided for free, given as-is, by people willing to give up whatever small part of their own free time. Thus you shouldn't ask for something like "I don't really care whether it runs well on linux-or-whatever-platform-you-develop-on, I just want you to fix the problem on my system".

--
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: authentification ldap subgroup
I have found the solution: just add this group membership filter in the /etc/raddb/modules/ldap file.

groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

From: tche...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: authentification ldap subgroup
Date: Wed, 24 Apr 2013 10:49:42 +0200

Hello all !

I have configured freeradius 2.1.12-4 with ldap group authorization. My problem is that it doesn't work with subgroups. I have a group with a subgroup and when ldap verifies the group of the user it doesn't see the subgroup of the user.

my ldap configuration modules :

ldap {
    # Note that this needs to match the name in the LDAP
    # Server certificate, if you're using ldaps.
    server = "192.168.1.3"
    identity = "cn=user_ldap,ou=users,dc=toto,dc=local"
    password = Toto1
    basedn = "dc=toto,dc=local"
    #filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
    filter = "(&(objectclass=user)(objectcategory=user)(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}*))"

    # Group membership checking. Disabled by default.
    #groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
    groupmembership_attribute = memberOf

    chase_referrals = yes
    rebind = yes
}

Anyone can help me ? Thanks in advance !
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
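The difference between the original filter and the fix above is what the server evaluates: a plain `(member=<dn>)` clause matches only groups that list the user directly, while Active Directory's matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) walks the member chain on the server side and so also matches groups that contain the user through a subgroup. The following is an added example, not code from the thread or from FreeRADIUS, that reproduces both evaluations over a constructed in-memory directory (the base dc=toto,dc=local is taken from the post; the group and user DNs are invented), handles a membership cycle, and shows the RFC 4515 filter escaping that a DN interpolated into a filter needs; rlm_ldap applies its own escaping when it expands %{Ldap-UserDn}, so this is for illustration of why that escaping matters.

```python
# Added example; the directory below is constructed test data, not a real AD.
# group DN -> direct member DNs (users or other groups)
DIRECTORY = {
    "cn=vpn-users,ou=groups,dc=toto,dc=local": [
        "cn=it-staff,ou=groups,dc=toto,dc=local",
        "cn=alice,ou=users,dc=toto,dc=local",
    ],
    "cn=it-staff,ou=groups,dc=toto,dc=local": [
        "cn=helpdesk,ou=groups,dc=toto,dc=local",
        "cn=bob,ou=users,dc=toto,dc=local",
    ],
    "cn=helpdesk,ou=groups,dc=toto,dc=local": [
        "cn=carol,ou=users,dc=toto,dc=local",
        "cn=it-staff,ou=groups,dc=toto,dc=local",  # membership cycle with it-staff
    ],
    "cn=admins,ou=groups,dc=toto,dc=local": [
        "cn=dave,ou=users,dc=toto,dc=local",
    ],
}

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def groups_flat(dn):
    """What (member=<dn>) returns: only groups that list dn as a direct member."""
    return sorted(g for g, members in DIRECTORY.items() if dn in members)


def groups_in_chain(dn):
    """What (member:1.2.840.113556.1.4.1941:=<dn>) returns: every group reachable
    through nested membership.  The visited set stops cycles from looping forever."""
    found = set()
    todo = [dn]
    while todo:
        current = todo.pop()
        for group in groups_flat(current):
            if group not in found:
                found.add(group)
                todo.append(group)
    return sorted(found)


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter.  Without it,
    a DN built from attacker-influenced attribute data could close the clause
    early and change which groups the filter matches."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_membership_filter(user_dn):
    """Build the filter from the fix above, with the user DN escaped."""
    return "(&(objectcategory=group)(member:%s:=%s))" % (
        MATCHING_RULE_IN_CHAIN, ldap_filter_escape(user_dn))


if __name__ == "__main__":
    carol = "cn=carol,ou=users,dc=toto,dc=local"
    print("flat :", groups_flat(carol))
    print("chain:", groups_in_chain(carol))
    print(nested_membership_filter(carol))
```

For carol, who is only a direct member of helpdesk, the flat lookup returns one group while the chained lookup also returns it-staff and vpn-users; that is exactly the membership the original groupmembership_filter could not see. Note that the matching rule is evaluated on the domain controller and is not cheap on large forests, so keep the outer `(objectcategory=group)` clause to limit the candidate set.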
Re: RADIUS server is dumping core
Hi Alan,

Thanks for your suggestions.

I have not used any of the 1.x versions of freeradius. However I have used 2.1.12 initially and finally migrated to 2.2. Could you please let me know how to trace any incompatibilities if any between the two versions?

Also please find the attached file which has only memory access errors which are leading to dump finally. Could you please suggest some way to get rid of those errors?

Thanks a lot,

On Sat, Apr 27, 2013 at 2:22 AM, Alan DeKok wrote:
> ramakrishna wrote:
> > I have tried to find the access errors using dbx debugger in solaris.
> >
> > Please find the attached file for the access errors.
> >
> > We are facing dump quite frequently because of these access errors.
> >
> > Could you give us some idea where it might be going wrong?
>
> Your system is completely broken. There seem to be tons of errors
> which should never occur.
>
> My guess is that you're using incompatible versions of software. i.e.
> FreeRADIUS 1.x with a library from 2.x, or something like that.
>
> Double-check that you have only ONE version of the server installed.
> Maybe try doing an install on a new Solaris machine.
>
> The server gets regular scans through valgrind && static analysis
> tools. There is *no way* that it could have a large number of errors,
> as shown by the Solaris dbx tool. There's something wrong with the
> binaries.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

--
Best Regards,
M.Rama Krishna Prasad,

radius_2.errs_2504_1
Description: Binary data
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiply Cisco-AVPair request attribute process by regular expression
Hi,

> i test it , but if i use Cisco-AVPair[0] and Cisco-AVPair[1] the first one
> and second one are not working.

you need to check which attribute is which.

> Do i need to move them in some variable then use a regular expression
> ? (something like this) :
>
> value0 := %{Cisco-AVPair[0]}
> value1 := %{Cisco-AVPair[1]}

you could do so, but it makes no real difference and you'd also have to use a variable which makes sense to the server eg Tmp-String-0

as already pointed out, Cisco-AVPair[1] appears to mean nothing to you, it's Cisco-AVPair[2] which contains the circuit-id-tag request that you want. but if you actually ran in full debug mode and posted the output of that then that would be obvious.

you still haven't posted the radiusd -X output as requested many times so help ends here

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question about freeradius
Hi,

> I am just wondering if I can use freeradius for hotspot and dial up
> accounts on same box or does it have to be separate box for hotspot and
> dial up accounts?

that would depend on how you configured it and had each function isolated when not needing the same resources etc.

we use ours for 802.1X federated access, local 802.1X, captive portal, router/switch admin login, VLAN allocations via VMPS, VPN login etc - each function is undertaken by separate virtual server definitions in sites-enabled (with different policies applied) and separate module calls when different requirements for authentication are needed.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiply Cisco-AVPair request attribute process by regular expression
Dear Olivier

thanks for your information

On Mon, Apr 29, 2013 at 11:36 AM, Olivier Beytrison wrote:
> On 28.04.2013 23:30, Mehdi Ravanbakhsh wrote:
> > Dear Olivier
> >
> > I am trying to test it but why is the first one working ?!!! did you check my
> > regular expression in the second one ? did i do it correctly ?
>
> I'm quoting the man page.
>
> man unlang :
>     %{Attribute-Name[index]}
>         Reference the N'th occurance of the given attribute. The syntax
>         %{:Attribute-Name[index]} may also be used. The indexes start at
>         zero. This feature is NOT available for non-attribute dynamic
>         translations, like %{sql:...}.
>
>         For example, %{User-Name[0]} is the same as %{User-Name}
>
> The variable %{Cisco-AVPair[2]} will reference the value of the THIRD
> Cisco-AVPair attribute (if it exists) in the request packet,
>
> In your request you have 3 Cisco-AVPair. I don't know if they always
> come in the same order or what, but looking at your request
> %{Cisco-AVPair[0]} = "client-mac-address=90f6.52d2.384f"
> %{Cisco-AVPair[1]} = "connect-progress=LAN Ses Up"
> %{Cisco-AVPair[2]} = "circuit-id-tag=Azadegan-1 atm 2/16:251:0.35"
>
> Please NOTE the %{ } surrounding the attribute and its index.
>
> > and is version 3 stable enough to use ? (your opinion )
>
> Version 3 is a living thing. It can be stable one day and buggy the next
> one.
> I'm running Version 3 in production. I've frozen the branch, tested it
> carefully, cherry-picked the fix I needed, and deployed it. Version 3
> brings some nice things and an important performance improvement.
>
> Olivier
>
> --
>
> Olivier Beytrison
> Network & Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiply Cisco-AVPair request attribute process by regular expression
On 28.04.2013 23:30, Mehdi Ravanbakhsh wrote:
> Dear Olivier
>
> I am trying to test it but why is the first one working ?!!! did you check my
> regular expression in the second one ? did i do it correctly ?

I'm quoting the man page.

man unlang :
    %{Attribute-Name[index]}
        Reference the N'th occurance of the given attribute. The syntax
        %{:Attribute-Name[index]} may also be used. The indexes start at
        zero. This feature is NOT available for non-attribute dynamic
        translations, like %{sql:...}.

        For example, %{User-Name[0]} is the same as %{User-Name}

The variable %{Cisco-AVPair[2]} will reference the value of the THIRD Cisco-AVPair attribute (if it exists) in the request packet,

In your request you have 3 Cisco-AVPair. I don't know if they always come in the same order or what, but looking at your request
%{Cisco-AVPair[0]} = "client-mac-address=90f6.52d2.384f"
%{Cisco-AVPair[1]} = "connect-progress=LAN Ses Up"
%{Cisco-AVPair[2]} = "circuit-id-tag=Azadegan-1 atm 2/16:251:0.35"

Please NOTE the %{ } surrounding the attribute and its index.

> and is version 3 stable enough to use ? (your opinion )

Version 3 is a living thing. It can be stable one day and buggy the next one.
I'm running Version 3 in production. I've frozen the branch, tested it carefully, cherry-picked the fix I needed, and deployed it. Version 3 brings some nice things and an important performance improvement.

Olivier

--

Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
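The point Olivier makes about %{Cisco-AVPair[index]} (and that the earlier reply in this thread makes about checking which attribute is which) is that the index is purely positional: it is the N'th Cisco-AVPair in the packet, and nothing guarantees the NAS sends the three values in the same order every time. The following is an added example, not code from the thread or from FreeRADIUS, that replays the three constructed Cisco-AVPair values quoted above, shows the positional lookup breaking when the order changes, and selects the circuit-id-tag by its "tag=" prefix instead before applying a regular expression to it. The field names in the regex (site, iftype, ifnum) are an assumed split of the value, not Cisco's terminology.

```python
import re

# Constructed sample: the three Cisco-AVPair values quoted in the thread, in
# the order the NAS happened to send them in that one request.
SAMPLE_AVPAIRS = [
    "client-mac-address=90f6.52d2.384f",
    "connect-progress=LAN Ses Up",
    "circuit-id-tag=Azadegan-1 atm 2/16:251:0.35",
]


def avpair_by_index(avpairs, index):
    """Equivalent of %{Cisco-AVPair[index]}: zero-based position in the packet,
    None when the packet holds fewer attributes than that."""
    if 0 <= index < len(avpairs):
        return avpairs[index]
    return None


def avpair_by_tag(avpairs, tag):
    """Select the value whose 'tag=' prefix matches, whatever its position.
    Returns the part after '=' for the first match, or None."""
    prefix = tag + "="
    for value in avpairs:
        if value.startswith(prefix):
            return value[len(prefix):]
    return None


# Assumed split of a circuit-id-tag value: "<site> <interface type> <numbers>".
CIRCUIT_ID_RE = re.compile(r"^(?P<site>\S+)\s+(?P<iftype>[a-z]+)\s+(?P<ifnum>[0-9/:.]+)$")


def parse_circuit_id(avpairs):
    """Locate circuit-id-tag by prefix, then break it into fields with the regex.
    Returns None if the attribute is absent or does not match the expected shape,
    so callers never act on a half-parsed value."""
    tag_value = avpair_by_tag(avpairs, "circuit-id-tag")
    if tag_value is None:
        return None
    match = CIRCUIT_ID_RE.match(tag_value)
    return match.groupdict() if match else None


if __name__ == "__main__":
    print("by index [2]:", avpair_by_index(SAMPLE_AVPAIRS, 2))
    reordered = list(reversed(SAMPLE_AVPAIRS))
    print("by index [2] after reorder:", avpair_by_index(reordered, 2))
    print("by tag after reorder:", avpair_by_tag(reordered, "circuit-id-tag"))
    print(parse_circuit_id(SAMPLE_AVPAIRS))
```

Reversing the list is enough to make index 2 return the MAC address instead of the circuit id, while the prefix lookup still finds the right value; the same idea in unlang is to match each Cisco-AVPair against a regex anchored on "^circuit-id-tag=" rather than trusting a fixed index. Treat the parsed fields as untrusted NAS-supplied strings if they feed a database query or a reply attribute.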