Re: freeradius outer identity
Don't do such authorization checks on the outer id.
If EAP, don't run ldap in the outer.
The current default config is set up in such a way.

alan

Original message
From: val john valjohn1...@gmail.com
Date: 27/06/2013 04:58 (GMT+00:00)
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: freeradius outer identity

> Hi guys,
>
> I have freeradius server that authenticate with LDAP and set up was working fine, but when the client specifies the outer identity (some dummy user name) Radius server taking that dummy user name as actual username, because of that LDAP authentication fails. (Authentication proceeds working fine if the client not specifying any outer identity.)
>
> Can you guys please advise how to fix this issue?
>
> Thank You
> John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
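The split described in the reply above, sketched as the two `authorize` sections of a FreeRADIUS 2.x install. This is an added example, not part of the thread or of the shipped configuration; the `ldap` module instance and the `sites-enabled/inner-tunnel` file are assumed from a default install. For EAP the outer User-Name is whatever the client chooses to send, so the directory lookup is confined to the inner tunnel, where User-Name is the real identity.

```unlang
# Fragment 1: authorize section of sites-enabled/default (outer session)
authorize {
    preprocess
    suffix

    # EAP requests: the eap module sets Auth-Type = EAP. "ok = return"
    # skips the remaining modules while the TLS tunnel is being set up.
    eap {
        ok = return
    }

    # Directory lookups only for non-EAP requests (PAP, CHAP, ...).
    # For EAP, User-Name at this point is the outer identity, which the
    # client picks freely, so no authorization decision is made on it.
    if (!EAP-Message) {
        ldap
    }

    pap
}

# Fragment 2: authorize section of sites-enabled/inner-tunnel
# (inner session of PEAP / EAP-TTLS)
authorize {
    # User-Name is now the inner identity sent inside the TLS tunnel,
    # so this is where the LDAP lookup and any group checks belong.
    ldap
    mschap
    eap {
        ok = return
    }
    pap
}
```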
Re: Authenticate without password or wrong password
Sorry for the vague information. It will be a CHAP Authentication and will be based on Calling-Station-Id

I think
http://freeradius.1045715.n5.nabble.com/freeradius-Calling-Station-Id-td5715153.html
Calling-Station-Id = 12345, Auth-Type := Accept
will do.

On Wed, Jun 26, 2013 at 4:25 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 26/06/13 12:54, Omer Faruk SEN wrote:
>> User Authentication for UserPassword
>
> That's not a type of authentication. For example, are you using EAP for 802.1x/Wi-Fi, and if so, which EAP outer and inner methods?
Re: Authenticate without password or wrong password
Calling-Station-Id and Username is equal so is it ok to do (Where 555 is UserName and Calling-Station-Id)

select * from radreply;
+----+----------+-----------+----+--------+
| id | username | attribute | op | value  |
+----+----------+-----------+----+--------+
|  1 | 555      | Auth-Type | := | Accept |

Sorry it had been a while since I have last played with FreeRadius so it may take time to remember.

Regards.

On Thu, Jun 27, 2013 at 3:07 PM, Omer Faruk SEN omerf...@gmail.com wrote:

> Sorry for the vague information. It will be a CHAP Authentication and will be based on Calling-Station-Id
>
> I think
> http://freeradius.1045715.n5.nabble.com/freeradius-Calling-Station-Id-td5715153.html
> Calling-Station-Id = 12345, Auth-Type := Accept
> will do.
>
> On Wed, Jun 26, 2013 at 4:25 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 26/06/13 12:54, Omer Faruk SEN wrote:
>>> User Authentication for UserPassword
>>
>> That's not a type of authentication. For example, are you using EAP for 802.1x/Wi-Fi, and if so, which EAP outer and inner methods?
Re: Authenticate without password or wrong password
> It will be a CHAP Authentication and will be based on Calling-Station-Id
>
> I think
> http://freeradius.1045715.n5.nabble.com/freeradius-Calling-Station-Id-td5715153.html
> Calling-Station-Id = 12345, Auth-Type := Accept

So you just want to do Mac-Auth basically?

http://wiki.freeradius.org/guide/Mac%20Auth

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Authenticate without password or wrong password
We want some certain users to directly authenticate and others must provide password and they provide their identity and then they are authenticated. So I think I must change

http://wiki.freeradius.org/guide/Mac%20Auth

if (!ok) {
    *reject*   (is there a statement like authenticate rather than directly rejecting them and if they fail to authenticate and then reject)
}
else {
    # accept
    update control {
        Auth-Type := Accept
    }
}
}

On Thu, Jun 27, 2013 at 3:35 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

>> It will be a CHAP Authentication and will be based on Calling-Station-Id
>>
>> I think
>> http://freeradius.1045715.n5.nabble.com/freeradius-Calling-Station-Id-td5715153.html
>> Calling-Station-Id = 12345, Auth-Type := Accept
>
> So you just want to do Mac-Auth basically?
>
> http://wiki.freeradius.org/guide/Mac%20Auth
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team
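One way to express what is asked in the message above: listed Calling-Station-Ids are accepted outright, and everyone else continues to normal password authentication instead of being rejected. This is an added example, not code from the thread; `rewrite_calling_station_id` and `authorized_macs` (a `files` module instance keyed on Calling-Station-Id) are the names used in the linked Mac-Auth guide and are assumed to be defined as that guide describes, and `sql` is assumed to be the module holding the password users.

```unlang
authorize {
    preprocess

    # Normalise the Calling-Station-Id format before the lookup
    # (policy name taken from the Mac-Auth guide).
    rewrite_calling_station_id

    # Look the Calling-Station-Id up in the allow list.
    authorized_macs
    if (ok) {
        # Listed device: accept without checking any credential.
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # Not listed: no reject here. Fall through to the normal
        # modules so the user must prove a password; a wrong password
        # is then rejected in the authenticate section as usual.
        chap
        sql
        pap
    }
}
```

Calling-Station-Id is reported by the NAS from what the client presents, so the accept branch proves nothing about who is connecting. Keep the allow list to the devices that cannot do password authentication.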
eap sim authentication for multiple clients
Hi,

I have tried with one client and it's success to authenticate and access internet in wlan. I just try one client and success, but when I use another client and it fails.

First, I connect with one client and it's success (until Finished request 2 in debug log) and then in next request, I try with different supplicant/client to authenticate, and I have input identity (IMSI, RAND, SRES, KC) in to simtriplets.dat and users also.

my simtriplets.dat format

1510019760806391,326258E6F77C40f3866DB25DEA60AE4D,DD287535,7F743521EBabb000
1510019760806391,FD9989BD90AD4a03962E6C08C000C14B,BFf89ad2,1C7098005Fea8c00
1510019760806391,26CC8DB02C9848c7BBCC2790E3F0913B,17172cc6,BF34bf34D4ca4c00
1510080325656501,5A8F4C0677DE4930B47825B55534CC79,94d66001,AC85d79439b564c0
1510080325656501,8E29A03F8E13466fBF84D12F6A9D4734,E284e39e,13a524d040094ef4
1510080325656501,BC5D3CEB1EAC4164AA463E289222C450,AE8bdfc6,B0354bf3402e42ed

my users format

1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
    EAP-Sim-SRES1 = 0x DD287535,
    EAP-Sim-KC1 = 0x 7F743521EBabb000,
    EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
    EAP-Sim-SRES2 = 0x BFf89ad2,
    EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
    EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
    EAP-Sim-SRES3 = 0x 17172cc6,
    EAP-Sim-KC3 = 0x BF34bf34D4ca4c00

1510080325656...@wlan.mnc008.mcc510.3gppnetwork.org EAP-Type := SIM
    EAP-Sim-Rand1 = 0x 5A8F4C0677DE4930B47825B55534CC79,
    EAP-Sim-SRES1 = 0x 94d66001,
    EAP-Sim-KC1 = 0x AC85d79439b564c0,
    EAP-Sim-Rand2 = 0x 8E29A03F8E13466fBF84D12F6A9D4734,
    EAP-Sim-SRES2 = 0x E284e39e,
    EAP-Sim-KC2 = 0x 13a524d040094ef4,
    EAP-Sim-Rand3 = 0x BC5D3CEB1EAC4164AA463E289222C450,
    EAP-Sim-SRES3 = 0x AE8bdfc6,
    EAP-Sim-KC3 = 0x B0354bf3402e42ed

and also add patch as in:
http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh

and this is my debug log

rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=215
    User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
    NAS-IP-Address = 192.168.2.1
    Called-Station-Id = 48f8b315461a
    Calling-Station-Id = 1814563e5189
    NAS-Identifier = 48f8b315461a
    NAS-Port = 38
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0238013135313030313937363038303633393140776c616e2e6d6e633030312e6d63633531302e336770706e6574776f726b2e6f7267
    Message-Authenticator = 0x509abafbd92ee8417dcb22095d89059d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm wlan.mnc001.mcc510.3gppnetwork.org for User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
[suffix] No such realm wlan.mnc001.mcc510.3gppnetwork.org
++[suffix] returns noop
rlm_sim_files: authorized user/imsi 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
rlm_sim_files: Adding EAP-Type: eap-sim
++[sim_files] returns ok
[eap] EAP packet type response id 0 length 56
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
[eap] Underlying EAP-Type set EAP ID to 161
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.2.1 port 2048
    EAP-Message = 0x01a10014120a0f020002000111010100
    Message-Authenticator = 0x
    State = 0x86406e6686e17cf5f398cb77ce20781c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=1, length=265
Cleaning up request 0 ID 1 with timestamp +25
    User-Name = 1510019760806...@wlan.mnc001.mcc510.3gppnetwork.org
    NAS-IP-Address = 192.168.2.1
    Called-Station-Id = 48f8b315461a
    Calling-Station-Id = 1814563e5189
    NAS-Identifier = 48f8b315461a
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0x86406e6686e17cf5f398cb77ce20781c
    NAS-Port-Type = Wireless-802.11
    EAP-Message =