Re: freeradius outer identity

2013-06-27 Thread Alan Buxey
Don't do such authorization checks on the outer id.

If EAP, don't run ldap in the outer; the current default config is set up in such a way.

alan

 Original message 
From: val john valjohn1...@gmail.com
Date: 27/06/2013 04:58 (GMT+00:00)
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: freeradius outer identity


Hi guys,

I have a FreeRADIUS server that authenticates with LDAP, and the setup was working fine.

But when the client specifies an outer identity (some dummy user name), the RADIUS server takes that dummy user name as the actual username, and because of that the LDAP authentication fails.

(Authentication works fine if the client does not specify any outer identity.)

Can you guys please advise how to fix this issue?

Thank You
John
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
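
Alan's point above in configuration form, as an added example that is neither the thread's nor the stock distribution's files: the outer virtual server handles the EAP outer identity and never hands it to ldap, while ldap runs only in inner-tunnel on the real inner identity. Paths assume a Debian layout under /etc/freeradius and FreeRADIUS 2.x syntax.

```unlang
# /etc/freeradius/sites-enabled/default  (outer server)
# Sees only the EAP outer identity, e.g. anonymous@example.org, which need
# not exist in LDAP, so no directory lookup or password check happens here.
authorize {
    preprocess
    suffix
    eap {
        ok = return    # EAP request: stop here, nothing below sees the dummy name
    }
    # ldap is deliberately NOT listed in this section
    files
    expiration
    logintime
}
authenticate {
    eap                # unwraps the tunnel and hands the inner request to inner-tunnel
}

# /etc/freeradius/sites-enabled/inner-tunnel
# Runs on the decrypted inner request; User-Name here is the real account.
server inner-tunnel {
    authorize {
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL   # never proxy the inner identity
        }
        eap {
            ok = return
        }
        files
        ldap           # LDAP lookup keyed on the inner User-Name only
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap       # LDAP bind with the inner user's password (PAP inside TTLS)
        }
        mschap         # PEAP/EAP-MSCHAPv2 inner authentication
        eap
    }
}
```

With ldap kept out of the outer authorize section, a dummy outer identity can no longer cause the LDAP lookup that failed in the report above; debug output for the inner-tunnel server shows the real User-Name being looked up.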

Re: Authenticate without password or wrong password

2013-06-27 Thread Omer Faruk SEN
Sorry for the vague information. It will be CHAP authentication and will
be based on Calling-Station-Id.

I think
http://freeradius.1045715.n5.nabble.com/freeradius-Calling-Station-Id-td5715153.html

Calling-Station-Id = 12345, Auth-Type := Accept

will do.

On Wed, Jun 26, 2013 at 4:25 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 26/06/13 12:54, Omer Faruk SEN wrote:

 User Authentication for UserPassword


 That's not a type of authentication.

 For example, are you using EAP for 802.1x/Wi-Fi, and if so, which EAP
 outer and inner methods?


Re: Authenticate without password or wrong password

2013-06-27 Thread Omer Faruk SEN
Calling-Station-Id and Username are equal, so is it ok to do this (where 555
is both the UserName and the Calling-Station-Id)?

select * from radreply;
+----+----------+-----------+----+--------+
| id | username | attribute | op | value  |
+----+----------+-----------+----+--------+
|  1 | 555      | Auth-Type | := | Accept |
+----+----------+-----------+----+--------+


Sorry, it has been a while since I last played with FreeRADIUS, so it
may take time to remember.

Regards.



Re: Authenticate without password or wrong password

2013-06-27 Thread Arran Cudbard-Bell

 It will be a CHAP Authentication and will be based on Calling-Station-Id
 
 I think 
 http://freeradius.1045715.n5.nabble.com/freeradius-Calling-Station-Id-td5715153.html
 
 Calling-Station-Id = 12345, Auth-Type := Accept 
 

So you just want to do Mac-Auth basically?

http://wiki.freeradius.org/guide/Mac%20Auth

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team


Re: Authenticate without password or wrong password

2013-06-27 Thread Omer Faruk SEN
We want certain users to authenticate directly, and the others must provide
a password: they provide their identity and then they are authenticated.
So I think I must change

http://wiki.freeradius.org/guide/Mac%20Auth

  if (!ok) {
    reject   # (is there a statement like "authenticate" rather than rejecting them
             #  directly, so that they are rejected only if they fail to authenticate?)
  }
  else {
    # accept
    update control {
      Auth-Type := Accept
    }
  }
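
One way to do what Omer asks, as an added example that is neither the thread's nor the wiki guide's code: stations in an allow-list are accepted on Calling-Station-Id alone, and everyone else falls through to the ordinary CHAP path instead of being rejected. It assumes a files instance named authorized_macs (same shape as the Mac Auth guide, reading a hypothetical /etc/freeradius/authorized_macs with one MAC per line) and that passwords live in SQL, as in Omer's setup.

```unlang
# /etc/freeradius/modules/authorized_macs  (assumed instance)
files authorized_macs {
    key = "%{Calling-Station-Id}"
    # One entry per line, e.g. "00-11-22-33-44-55"; the spelling must match
    # exactly what the NAS sends (dashes, colons or bare hex), so check a
    # debug run before relying on it.
    usersfile = ${confdir}/authorized_macs
}

# /etc/freeradius/sites-enabled/default  (FreeRADIUS 2.x syntax)
authorize {
    preprocess

    # Look the caller's MAC up; returns ok on a hit, notfound otherwise.
    authorized_macs

    if (ok) {
        # Allow-listed station: no password needed, authenticate is skipped.
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # Not allow-listed: do NOT reject here. Let the normal modules run:
        # chap sets Auth-Type := CHAP when a CHAP-Password is present, and
        # sql loads the known-good password (radcheck) for the User-Name.
        # A wrong or missing password is then rejected by chap in
        # authenticate, which is the "authenticate, then reject" Omer wants.
        chap
        sql
    }
}

authenticate {
    Auth-Type CHAP {
        chap
    }
}
```

Matching on Calling-Station-Id alone trusts a client-reported MAC, so keep that allow-list to devices that cannot do CHAP and hand them a restricted VLAN or filter via reply attributes rather than full access.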

eap sim authentication for multiple clients

2013-06-27 Thread raptor raptor
Hi,

I have tried with one client and it successfully authenticates and gets
internet access on the WLAN. I only tried one client and it succeeded, but
when I use another client it fails.

First, I connect with one client and it succeeds
(until "Finished request 2" in the debug log).

And then in the next request, I try to authenticate with a different
supplicant/client, and I have put its identity (IMSI, RAND, SRES, KC) into
simtriplets.dat and users as well.

my simtriplets.dat format
1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00

1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

my users format

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
EAP-Sim-SRES1 = 0x DD287535,
EAP-Sim-KC1 = 0x 7F743521EBabb000,
EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
EAP-Sim-SRES2 = 0x BFf89ad2,
EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
EAP-Sim-SRES3 = 0x 17172cc6,
EAP-Sim-KC3 = 0x BF34bf34D4ca4c00

1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
EAP-Sim-SRES1 = 0x 94d66001,
EAP-Sim-KC1 = 0x AC85d79439b564c0,
EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
EAP-Sim-SRES2 = 0x E284e39e,
EAP-Sim-KC2 = 0x 13a524d040094ef4,
EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
EAP-Sim-SRES3 = 0x AE8bdfc6,
EAP-Sim-KC3 = 0x B0354bf3402e42ed

And I also added the patch as in:

http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh


And this is my debug log:

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
	User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = 48f8b315461a
	Calling-Station-Id = 1814563e5189
	NAS-Identifier = 48f8b315461a
	NAS-Port = 38
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
	Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
	EAP-Message = 0x01a10014120a0f020002000111010100
	Message-Authenticator = 0x
	State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265
Cleaning up request 0 ID 1 with timestamp +25
	User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
	NAS-IP-Address = 192.168.2.1
	Called-Station-Id = 48f8b315461a
	Calling-Station-Id = 1814563e5189
	NAS-Identifier = 48f8b315461a
	NAS-Port = 38
	Framed-MTU = 1400
	State = 0x86406e6686e17cf5f398cb77ce20781c
	NAS-Port-Type = Wireless-802.11
	EAP-Message =