Re: freeRADIUS for switch authentication

2013-07-08 Thread Gab Quidilla
Sorry for not including it in the first post, freeradius version used is
the latest in CentOS repo.

The output on the first post is for the web-based login, I forgot that I
only configured it on console login

Here is the output:



Ready to process requests.
rad_recv: Access-Request packet from host 10.141.1.129 port 49154, id=0,
length=91
User-Name = md5password
User-Password = qwerty
Cisco-AVPair = shell:priv-lvl=1
NAS-IP-Address = 10.141.1.129
Acct-Session-Id = 0522
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = md5password, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} - md5password
[sql] sql_set_user escaped user -- 'md5password'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY
id - SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = 'md5password'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY
id - SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = 'md5password'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username =
'md5password'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password qwerty
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [md5password] (from client MAAX port 0)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 10.141.1.129 port 49154
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154,
id=0, length=88
User-Name = md5password
NAS-IP-Address = 10.141.1.129
Called-Station-Id = 10.141.1.129
Calling-Station-Id = 10.141.59.3
Acct-Status-Type = Start
Acct-Session-Id = 0522
Acct-Authentic = RADIUS
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 10.141.1.129,NAS-IP-Address =
10.141.1.129,Acct-Session-Id = 0522,User-Name = md5password'
[acct_unique] Acct-Unique-Session-ID = ca6b399649f9703b.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = md5password, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} - 10.141.1.129
[detail]expand:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
- /var/log/radius/radacct/10.141.1.129/detail-20130708
[detail]
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/radius/radacct/10.141.1.129/detail-20130708
[detail]expand: %t - Mon Jul  8 14:55:20 2013
++[detail] returns ok
++[unix] returns noop
[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - md5password
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql]   expand: %{User-Name} - md5password
[sql] sql_set_user escaped user -- 'md5password'
[sql]   expand: %{Acct-Delay-Time} -
[sql]   ... expanding second conditional
[sql]   expand:INSERT INTO radacct
(acctsessionid,acctuniqueid, username,
realm,nasipaddress, nasportid,
nasporttype,  acctstarttime,acctstoptime,
acctsessiontime,  acctauthentic,connectinfo_start,
connectinfo_stop, acctinputoctets,  acctoutputoctets,
calledstationid,  callingstationid, acctterminatecause,
servicetype,  framedprotocol

Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi,

Ready to process requests.
rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154,
id=0, length=84

snip. that's an accounting packet

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi,

Sending Access-Accept of id 0 to 10.141.1.129 port 49154
^^

Access-Accept sent from the server. the RADIUS server has done
its thing.  if the NAS isn't working then you have missed some
configuration option on the NAS

alan


Re: freeRADIUS for switch authentication

2013-07-08 Thread Gab Quidilla
Hi, thanks for the reply.

(Sorry if this is OT) As I understand, I couldn't use 802.1x authentication
on just the switches themselves? Since a client must have certificates to
authenticate to a server. What I just wanted to accomplish is to
authenticate the switches only on the radius server, so this md5 encryption
I had setup should be sufficient?

Last question, could I just create a single user to be used by multiple
switches? Is there any conflict going to happen? Switch count on branches
ranges from 15-50.

Mucho thanks.


On Mon, Jul 8, 2013 at 3:19 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 Sending Access-Accept of id 0 to 10.141.1.129 port 49154
 ^^

 Access-Accept sent from the server. the RADIUS server has done
 its thing.  if the NAS isn't working then you have missed some
 configuration option on the NAS

 alan



Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi,

(Sorry if this is OT) As I understand, I couldn't use 802.1x
authentication on just the switches themselves? Since a client must have
certificates to authenticate to a server. What i just wanted to accomplish
is to authenticate the switches only on the radius server, so this md5
encryption I had setup should be sufficient?

what you do is up to you. a standard NAS will have several configuration
options - allowing RADIUS for admin access or RADIUS for host/client access or
both.

why can't you just do 802.1X on the switch?  yes, clients need certs but that's
the same as WiFi - you could get a RADIUS server cert signed by a known CA in
the OS (which isn't best but would allow things to just work)

Last question, could I just create a single user to be used by multiple
switches? Is there any conflict going to happen? Switch count on branches
ranges from 15-50.

once again, depends on config. why do you think you can't? do you have strong
user authorization/session checks? it's just a user

alan


Re: pulling dn for User-Profile from ldap

2013-07-08 Thread Martin Kraus
On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
 Don't try and use the users file for complex stuff like this.
 
 In your profile objects add an attribute for preferredNetwork.
 
 Use ldap xlat to search in the directory for a profile object with a
 preferredNetwork attribute which matches the stripped path of the username,
 specify DN as the attribute to retrieve.
 
 Something like:
 
 authorize {
     update control {
         User-Profile := %{ldap:ldap:///base dn?DN?sub?preferredNetwork=%{your_preferred_network_attr}}
     }
 
     if (!control:User-Profile) {
         reject # or whatever you want to do for this case
     }
 
     ldap
 }

Hi.
Thanks for the pointers. 

I actually needed to search for group membership as well as the group name:

User-Profile := %{ldap-main:ldap:///ou=groups,dc=wuji,dc=cz?seeAlso?sub?(&(cn=%{Preferred-Network})(uniqueMember=%{control:Ldap-UserDn}))}

This checks whether the current user is a member of the group he/she sent as
preferred and returns the pointer to the group radius profile.

I'm of course hitting a problem with eap where it complains that the eap
identity is different from the User-Name, because I'm changing User-Name
in hints file but I'll work around it somehow.

thanks again
Martin
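The group-membership lookup in Martin's xlat, as an added Python example (not rlm_ldap's code and not from the post): it builds the same LDAP URL, escapes the interpolated Preferred-Network and user DN per RFC 4515, and evaluates the AND filter against constructed group entries, so the not-a-member case (which the post rejects) and the effect of escaping a user-supplied value are both visible. The group names, member DNs and seeAlso values are assumptions; rlm_ldap's ldap xlat applies its own escaping to expanded values, which this stand-alone evaluator reproduces.

```python
import re

BASE_DN = "ou=groups,dc=wuji,dc=cz"   # base DN taken from the post

# RFC 4515 escaping for a value interpolated into a search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(preferred_network, user_dn, escape=True):
    """The post's filter: group named by the user AND the user is a member of it."""
    esc = escape_filter_value if escape else (lambda s: s)
    return "(&(cn=%s)(uniqueMember=%s))" % (esc(preferred_network), esc(user_dn))


def user_profile_url(preferred_network, user_dn):
    """LDAP URL in the base?attribute?scope?filter form the ldap xlat takes."""
    return "ldap:///%s?seeAlso?sub?%s" % (BASE_DN, group_filter(preferred_network, user_dn))


# --- minimal filter evaluator: (&...) and (attr=value) with '*' wildcards ---

def _parse(filt, pos=0):
    if filt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    if filt[pos + 1] == "&":
        children, pos = [], pos + 2
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            children.append(node)
        if filt[pos] != ")":
            raise ValueError("unterminated AND filter")
        return ("and", children), pos + 1
    end = filt.index(")", pos)          # an escaped ')' never appears raw
    attr, _, value = filt[pos + 1:end].partition("=")
    return ("eq", attr.lower(), value), end + 1


def _value_regex(value):
    # '*' is a wildcard only when unescaped; '\xx' sequences are literal characters
    pieces = []
    for piece in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile(".*".join(pieces), re.IGNORECASE)


def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, value = node
    rx = _value_regex(value)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))


def resolve_user_profile(groups, filt):
    """seeAlso of the first group entry matching filt, or None (-> reject)."""
    node, _ = _parse(filt)
    for entry in groups:
        if _matches(node, entry):
            return entry["seealso"][0]
    return None


# Constructed directory content (attribute names lower-cased, values as lists).
GROUPS = [
    {"cn": ["staff"], "uniquemember": ["uid=martin,ou=people,dc=wuji,dc=cz"],
     "seealso": ["cn=staff-profile,ou=profiles,dc=wuji,dc=cz"]},
    {"cn": ["guests"], "uniquemember": ["uid=visitor,ou=people,dc=wuji,dc=cz"],
     "seealso": ["cn=guest-profile,ou=profiles,dc=wuji,dc=cz"]},
]
MARTIN = "uid=martin,ou=people,dc=wuji,dc=cz"   # assumed Ldap-UserDn

if __name__ == "__main__":
    print(user_profile_url("staff", MARTIN))
    print(resolve_user_profile(GROUPS, group_filter("staff", MARTIN)))   # member: profile DN
    print(resolve_user_profile(GROUPS, group_filter("guests", MARTIN)))  # not a member: None
```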


acct_users

2013-07-08 Thread Юрий Колесник

Subject: acct_users

Hi
Have some problem with accounting files on version 2.2.0. I use the standard
dictionary 3GPP2, but attribute 3GPP2-PCF-IP-Address was ignored in acct_users file.

etc/acct_users
DEFAULT Acct-Session-Time == 0, Acct-Type := TEST0
DEFAULT Framed-IP-Address =~ 172.16, Acct-Type := BLOCKED
DEFAULT 3GPP2-PCF-IP-Address =~ 10.223.[45], NAS-IP-Address =~ 10.123.66.5, Acct-Type := ASREVDO
DEFAULT 3GPP2-PCF-IP-Address =~ 10.123.65, NAS-IP-Address =~ 10.123.66, Acct-Type := KUB
DEFAULT  Acct-Type := OTHER

etc/modules/detail

detail TEST {
    detailfile = ${radacctdir}/files/blocked/blocked.%Y%m
    detailperm = 0640
    locking = yes
}

detail TEST0 {
    detailfile = ${radacctdir}/files/nullsession/nullsession.%Y%m
    detailperm = 0640
    locking = yes
}

detail KUB {
    detailfile = ${radacctdir}/files/onex/kub.aaadb1.onex
    detailperm = 0640
    locking = yes
}

detail ASREVDO {
    detailfile = ${radacctdir}/files/evdoasr/kubasr.aaadb1.evdo
    detailperm = 0640
    locking = yes
}

detail OTHER {
    detailfile = ${radacctdir}/files/other/%{NAS-IP-Address}_other/other.%{NAS-IP-Address}.%Y%m
    detailperm = 0640
    locking = yes
}

My accounting files were created as OTHER, but they should have been in ASREVDO.
For example, radclient:
[root@aaa-db1 radtest]# ./radtestacct.sh |more
Sending Accounting-Request of id 7 to 127.0.0.1 port 1813
    User-Name = mobile
    Calling-Station-Id = 250091000211350
    NAS-IP-Address = 10.123.66.5
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = 50D406FD
    3GPP2-Correlation-Id = o095O8hM
    NAS-Identifier = asr5k-krd
    SN-Software-Version = 10.0 (36820)
    3GPP2-BSID = 2D0C00010701
    3GPP2-Attr-41 = 0x000b32c1
    3GPP2-Service-Option = 59
    3GPP2-User-Id = 0
    3GPP2-ESN = 0159E33E
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port-Type = Wireless-Other
    3GPP2-PCF-IP-Address = 10.223.4.6
    Acct-Authentic = RADIUS
    SN-Local-IP-Address = 77.243.240.221
    SN-Primary-DNS-Server = 77.243.240.230
    SN-Secondary-DNS-Server = 77.243.240.231
    SN-VPN-Name = ISP
    SN-Primary-NBNS-Server = 0.0.0.0
    SN-Secondary-NBNS-Server = 0.0.0.0
    Framed-Compression = None
    SN-PPP-Data-Compression = None
    SN-VPN-ID = 3
    3GPP2-IP-Technology = 1
    3GPP2-Compulsory-Tunnel-Indicator = 0
    SN-Proxy-MIP = 0
    Framed-MTU = 1500
    3GPP2-Attr-78 = 0x
    SN-PPP-Data-Compression-Mode = Normal
    3GPP2-Forward-FCH-Mux-Option = 0
    3GPP2-Reverse-FCH-Mux-Option = 0
    3GPP2-Forward-Traffic-Type = 0
    3GPP2-Reverse-Traffic-Type = 0
    3GPP2-FCH-Frame-Size = 0
    3GPP2-Forward-FCH-RC = 0
    3GPP2-Reverse-FCH-RC = 0
    3GPP2-Airlink-Priority = 0
    3GPP2-Airlink-Sequence-Number = 5
    3GPP2-Airlink-Record-Type = 2
    3GPP2-Bad-PPP-Frame-Count = 0
    3GPP2-Number-Active-Transitions = 130
    3GPP2-Terminating-SDB-Octet-Count = 0
    3GPP2-Originating-SDB-OCtet-Count = 0
    3GPP2-Terminating-Number-SDBs = 0
    3GPP2-Originating-Number-SDBs = 0
    3GPP2-Received-HDLC-Octets = 14106
    3GPP2-Active-Time = 2040
    Acct-Input-Packets = 109
    Acct-Output-Packets = 268
    3GPP2-Attr-162 = 0x
    3GPP2-Attr-163 = 0x
    3GPP2-Attr-164 = 0x
    3GPP2-Attr-165 = 0x
    SNA-PPP-Unfr-data-In-Oct = 11438
    SNA-PPP-Unfr-data-Out-Oct = 35850
    Acct-Session-Time = 3600
    3GPP2-Session-Continue = 1
    3GPP2-Last-User-Activity-Time = 1373257676
    SNA-PPP-Ctrl-Input-Octets = 23602
    SNA-PPP-Ctrl-Output-Octets = 28240
    SNA-PPP-Ctrl-Input-Packets = 2346
    SNA-PPP-Ctrl-Output-Packets = 2347
    SNA-PPP-Framed-Input-Octets = 6446541
    SNA-PPP-Framed-Output-Octets = 93404564
    SNA-PPP-Discards-Input = 107
    SNA-PPP-Errors-Input = 107
    SNA-PPP-Bad-FCS = 107
    SNA-PPP-Echo-Req-Input = 2335
    SNA-PPP-Echo-Rsp-Output = 2335
    SNA-RPRRQ-Rcvd-Total = 4448
    SNA-RPRRQ-Rcvd-Acc-Reg = 4448
    SNA-RPRRQ-Rcvd-Acc-Dereg = 39
    SNA-RPRAK-Rcvd-Total = 60
    SNA-RPRAK-Rcvd-Acc-Ack = 40
    SNA-RPRAK-Rcvd-Mis-ID = 20
    SNA-RP-Reg-Reply-Sent-Total = 4448
    SNA-RP-Reg-Reply-Sent-Acc-Reg = 4448
    SNA-RP-Reg-Reply-Sent-Acc-Dereg = 39
    SNA-RP-Reg-Upd-Sent = 60
    SNA-RP-Reg-Upd-Re-Sent = 20
    Event-Timestamp = Jul  8 2013 08:28:23 MSK
    3GPP2-Service-Reference-Id = 0x0104000102040001
    Framed-IP-Address = 94.77.22.81
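To see what the acct_users entries above are meant to select for that Interim-Update, here is an added Python example (not rlm_files or any code from the post): it parses the one-line DEFAULT entries into check items and set items and applies rlm_files' first-match semantics. The packet is a subset of the radclient dump above, values unchanged; the result is ASREVDO, which is what the poster expected.

```python
import re

# The acct_users entries from the post, embedded so the example runs offline.
ACCT_USERS = """
DEFAULT Acct-Session-Time == 0, Acct-Type := TEST0
DEFAULT Framed-IP-Address =~ 172.16, Acct-Type := BLOCKED
DEFAULT 3GPP2-PCF-IP-Address =~ 10.223.[45], NAS-IP-Address =~ 10.123.66.5, Acct-Type := ASREVDO
DEFAULT 3GPP2-PCF-IP-Address =~ 10.123.65, NAS-IP-Address =~ 10.123.66, Acct-Type := KUB
DEFAULT  Acct-Type := OTHER
"""

# Subset of the post's Interim-Update dump: only attributes the rules consult.
INTERIM_UPDATE = {
    "User-Name": "mobile",
    "NAS-IP-Address": "10.123.66.5",
    "Acct-Status-Type": "Interim-Update",
    "3GPP2-PCF-IP-Address": "10.223.4.6",
    "Acct-Session-Time": "3600",
    "Framed-IP-Address": "94.77.22.81",
}

# attribute  operator  value; attribute names may start with a digit (3GPP2-...)
ITEM_RE = re.compile(r"([A-Za-z0-9-]+)\s*(==|=~|:=)\s*(.*)")


def parse_acct_users(text):
    """Parse one-line entries into (name, check_items, set_items) tuples.
    Values containing a comma are not handled (none appear in the post)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        checks, sets = [], []
        for item in rest.split(","):
            m = ITEM_RE.fullmatch(item.strip())
            if not m:
                raise ValueError("unparseable item %r in %r" % (item, line))
            attr, op, value = m.groups()
            value = value.strip().strip('"')
            (sets if op == ":=" else checks).append((attr, op, value))
        entries.append((name, checks, sets))
    return entries


def check_item_matches(check, packet):
    attr, op, value = check
    if attr not in packet:          # a missing attribute never satisfies a check item
        return False
    actual = packet[attr]
    if op == "==":
        return actual == value
    if op == "=~":
        # Unanchored regex match, as rlm_files does: '10.123.66' also matches
        # '10.123.66.5', and '.' matches any character. Anchor and escape the
        # dots (e.g. ^10\.123\.66\.5$) when an exact address is intended.
        return re.search(value, actual) is not None
    raise ValueError("unsupported operator " + op)


def classify(entries, packet):
    """First entry whose check items all match wins (no Fall-Through);
    returns its set items, e.g. {'Acct-Type': 'ASREVDO'}."""
    for name, checks, sets in entries:
        if name != "DEFAULT" and packet.get("User-Name") != name:
            continue
        if all(check_item_matches(c, packet) for c in checks):
            return {attr: value for attr, _, value in sets}
    return {}


def acct_type(packet, text=ACCT_USERS):
    return classify(parse_acct_users(text), packet).get("Acct-Type")


if __name__ == "__main__":
    print(acct_type(INTERIM_UPDATE))   # ASREVDO
```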
    

Using DirName from CRLDP extension as search filter

2013-07-08 Thread Joacim Kosonen
Greetings, novice at freeradius here. I would like to use the ldap module
in Freeradius to check certs against CRLs, nothing special there. What I'm
wondering is how, if it is in fact possible, can I take the DN provided by
the cert to filter the ldap search done by the module. All I really need to
filter on is the CN part of the DirName. Example:

DirName: C = US, O = XXX, CN = CRLXXX

There are quite a few CRLs on the ldap server and it seems that having more
than one result returned results in an ambiguous search and a subsequent
failure. Is what I'm looking to do possible?

Somewhat related question about CRLs, in my testing I've run across the
error "Different CRL scope". It seems that the CRLs have the UsersOnly flag
set, but I can still successfully verify that a revoked certificate that
fails in this fashion is indeed revoked by using openssl verify. My
suspicion is that openssl verify doesn't care about scope, but I haven't
found anything that says one or the other.

I'm running freeradius 2.1.12 from the debian wheezy repo, openssl 1.0.1e
from the same, if this is relevant.

Regards,
Joacim Kosonen

Re[2]: acct_users

2013-07-08 Thread Юрий Колесник
 My old server is all OK. The problem appeared after the upgrade to the latest version, 2.2.0.

[root@aaa-db1 raddb]# radiusd -v
radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on 
Jun 26 2013 at 10:04:20
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.



Upgrade the FreeRADIUS version.
There was a problem with parsing attributes (which start with a number) in the
code.
 
From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org
 
[mailto:freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org]
 On Behalf Of   
Sent: Monday, July 08, 2013 1:01 PM
To: freeradius-users@lists.freeradius.org
Subject: acct_users
 

Subject: acct_users
Hi
Have some problem with accounting files on version 2.2.0. I use the standard
dictionary 3GPP2, but attribute 3GPP2-PCF-IP-Address was ignored in acct_users
file.

etc/acct_users
DEFAULT Acct-Session-Time == 0, Acct-Type := TEST0
DEFAULT Framed-IP-Address =~ 172.16, Acct-Type := BLOCKED
DEFAULT 3GPP2-PCF-IP-Address =~ 10.223.[45], NAS-IP-Address =~ 10.123.66.5, Acct-Type := ASREVDO
DEFAULT 3GPP2-PCF-IP-Address =~ 10.123.65, NAS-IP-Address =~ 10.123.66, Acct-Type := KUB
DEFAULT  Acct-Type := OTHER

etc/modules/detail

detail TEST {
    detailfile = ${radacctdir}/files/blocked/blocked.%Y%m
    detailperm = 0640
    locking = yes
}

detail TEST0 {
    detailfile = ${radacctdir}/files/nullsession/nullsession.%Y%m
    detailperm = 0640
    locking = yes
}

detail KUB {
    detailfile = ${radacctdir}/files/onex/kub.aaadb1.onex
    detailperm = 0640
    locking = yes
}

detail ASREVDO {
    detailfile = ${radacctdir}/files/evdoasr/kubasr.aaadb1.evdo
    detailperm = 0640
    locking = yes
}

detail OTHER {
    detailfile = ${radacctdir}/files/other/%{NAS-IP-Address}_other/other.%{NAS-IP-Address}.%Y%m
    detailperm = 0640
    locking = yes
}

My accounting files were created as OTHER, but they should have been in
ASREVDO.
For example, radclient:
[root@aaa-db1 radtest]# ./radtestacct.sh |more
Sending Accounting-Request of id 7 to 127.0.0.1 port 1813
    User-Name = mobile
    Calling-Station-Id = 250091000211350
    NAS-IP-Address = 10.123.66.5
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = 50D406FD
    3GPP2-Correlation-Id = o095O8hM
    NAS-Identifier = asr5k-krd
    SN-Software-Version = 10.0 (36820)
    3GPP2-BSID = 2D0C00010701
    3GPP2-Attr-41 = 0x000b32c1
    3GPP2-Service-Option = 59
    3GPP2-User-Id = 0
    3GPP2-ESN = 0159E33E
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port-Type = Wireless-Other
    3GPP2-PCF-IP-Address = 10.223.4.6
    Acct-Authentic = RADIUS
    SN-Local-IP-Address = 77.243.240.221
    SN-Primary-DNS-Server = 77.243.240.230
    SN-Secondary-DNS-Server = 77.243.240.231
    SN-VPN-Name = ISP
    SN-Primary-NBNS-Server = 0.0.0.0
    SN-Secondary-NBNS-Server = 0.0.0.0
    Framed-Compression = None
    SN-PPP-Data-Compression = None
    SN-VPN-ID = 3
    3GPP2-IP-Technology = 1
    3GPP2-Compulsory-Tunnel-Indicator = 0
    SN-Proxy-MIP = 0
    Framed-MTU = 1500
    3GPP2-Attr-78 = 0x
    SN-PPP-Data-Compression-Mode = Normal
    3GPP2-Forward-FCH-Mux-Option = 0
    3GPP2-Reverse-FCH-Mux-Option = 0
    3GPP2-Forward-Traffic-Type = 0
    3GPP2-Reverse-Traffic-Type = 0
    3GPP2-FCH-Frame-Size = 0
    3GPP2-Forward-FCH-RC = 0
    3GPP2-Reverse-FCH-RC = 0
    3GPP2-Airlink-Priority = 0
    3GPP2-Airlink-Sequence-Number = 5
    3GPP2-Airlink-Record-Type = 2
    3GPP2-Bad-PPP-Frame-Count = 0
    3GPP2-Number-Active-Transitions = 130
    3GPP2-Terminating-SDB-Octet-Count = 0
    3GPP2-Originating-SDB-OCtet-Count = 0
    3GPP2-Terminating-Number-SDBs = 0
    3GPP2-Originating-Number-SDBs = 0
    3GPP2-Received-HDLC-Octets = 14106
    3GPP2-Active-Time = 2040
    Acct-Input-Packets = 109
    Acct-Output-Packets = 268
    3GPP2-Attr-162 = 0x
    3GPP2-Attr-163 = 0x
    3GPP2-Attr-164 = 0x
    3GPP2-Attr-165 = 0x
    SNA-PPP-Unfr-data-In-Oct = 11438
    SNA-PPP-Unfr-data-Out-Oct = 35850
    Acct-Session-Time = 3600
    3GPP2-Session-Continue = 1
    3GPP2-Last-User-Activity-Time = 1373257676
    SNA-PPP-Ctrl-Input-Octets = 23602
    SNA-PPP-Ctrl-Output-Octets = 

Re: Re[2]: acct_users

2013-07-08 Thread Alan Buxey
Yes, issues can appear in new code as well as get fixed.  Known problems in 
2.2.0 will be solved in 2.2.1 which is near/ready for release

alan

MS-CHAP2 fails - samba version?

2013-07-08 Thread Lovaas,Steven
Hello everyone,

I’m trying to bring up a fresh instance using 2.2.0, rather than just cloning
old 1.x configs as has been done in previous upgrades. In building a new Ubuntu
server, I grabbed the latest available build of samba (3.6.3); I’ve read that at
least version 3.5.4 is required to work with Windows Server 2008 r2 AD.
Compatibility with 2008 r2 is what is driving this upgrade.

Working from the Deploying Radius site, I’ve made good progress. So far, the 
directions have been clear and everything has worked well. I even took the 
opportunity to learn mercurial along the way… thanks ☺. I also created two 
virtual servers, to support different policies for our main campus wireless and 
eduroam. That also seems to be working well, with one SSID pointing to each 
virtual server… slick!

Ntlm works:
/usr/bin/ntlm_auth --request-nt-key --domain=COLOSTATE --username=slovaas
password:
NT_STATUS_OK: Success (0x0)
root@freerad13:/etc/freeradius/modules#

Winbind looks OK, though only the challenge/response version of authentication… 
that’s normal?:
wbinfo -a slovaas
Enter slovaas's password:
plaintext password authentication failed
Could not authenticate user slovaas with plaintext password
Enter slovaas's password:
challenge/response password authentication succeeded
root@freerad13:/etc/freeradius#

And with a forced default ntlm_auth in the users file, I can authenticate with 
radtest.

But here’s where I’m stuck. When I remove the default ntlm_auth line in the 
users file and put the ntlm_auth line in mschap, I no longer get access_accept.

The debug of the request is pasted below. But I wondered… basic authentication 
is working (with ntlm_auth) but mschap doesn’t get what it wants back (using 
ntlm_auth), which sounds like an issue that was around in earlier versions of 
samba. Before I go downgrading samba, though, I was wondering if anyone saw 
anything I missed or had any other suggestions.

Thanks,
Steve

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.08 07:43:48 =~=~=~=~=~=~=~=~=~=~=~=
rad_recv: Access-Request packet from host 127.0.0.1 port 35685, id=59, 
length=133
User-Name = slovaas
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x160e7734756ad5899a83bbc504bd937c
MS-CHAP-Challenge = 0x105268b03ae9b2ee
MS-CHAP-Response = 
0x00013487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
server eid-dot11i {
# Executing section authorize from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group authorize {...}
++- entering policy filter_username_csu {...}
+++? if (User-Name != %{tolower:%{User-Name}})
expand: %{User-Name} - slovaas
expand: %{tolower:%{User-Name}} - slovaas
? Evaluating (User-Name != %{tolower:%{User-Name}}) - FALSE
+++? if (User-Name != %{tolower:%{User-Name}}) - FALSE
+++? if (User-Name =~ / /)
? Evaluating (User-Name =~ / /) - FALSE
+++? if (User-Name =~ / /) - FALSE
+++? if (User-Name =~ /@(.+)?@/i )
? Evaluating (User-Name =~ /@(.+)?@/i) - FALSE
+++? if (User-Name =~ /@(.+)?@/i ) - FALSE
+++? if (User-Name =~ /\\.\\./ )
? Evaluating (User-Name =~ /\\.\\./) - FALSE
+++? if (User-Name =~ /\\.\\./ ) - FALSE
++- policy filter_username_csu returns notfound
++[preprocess] returns ok
[auth_log] expand: %{Packet-Src-IP-Address} - 127.0.0.1
[auth_log] expand: 
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] 
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] expand: %t - Mon Jul  8 07:45:04 2013
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = slovaas, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} -
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} - slovaas
[mschap] expand: %{%{User-Name}:-None} - slovaas
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} - 
--username=slovaas
[mschap]  mschap1: 10
[mschap] expand: %{mschap:Challenge} - 105268b03ae9b2ee
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} - 
--challenge=105268b03ae9b2ee
[mschap] expand: %{mschap:NT-Response} - 
3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
[mschap] expand: --nt-response=%{%{mschap:NT

Re: MS-CHAP2 fails - samba version?

2013-07-08 Thread Phil Mayers

On 08/07/13 14:59, Lovaas,Steven wrote:

 Exec-Program output: Reading winbind reply failed! (0xc001)

Check the permissions on the winbind socket, which usually lives in
either /var/cache/samba/winbindd_privileged or 
/var/lib/samba/winbindd_privileged



Re: MS-CHAP2 fails - samba version?

2013-07-08 Thread Mathieu Simon
On 08.07.2013 16:30, Phil Mayers wrote:
 On 08/07/13 14:59, Lovaas,Steven wrote:


 Exec-Program output: Reading winbind reply failed! (0xc001)

 Check the permissions on the winbind socket, which usually lives in
 either /var/cache/samba/winbindd_privileged or
 /var/lib/samba/winbindd_privileged
I guess Debian wheezy is mostly the same as Ubuntu (where it is:
/var/run/samba/winbindd_privileged).
I had to add the freeradius user to this privileged group using:

'sudo adduser freerad winbindd_priv' to make it work, I hope that helps.

-- Mathieu


RE: MS-CHAP2 fails - samba version?

2013-07-08 Thread Lovaas,Steven
Sending Access-Accept of id 203 to 127.0.0.1 port 42549
MS-CHAP-MPPE-Keys = 
0xb0ea48246e549461af612741d64404e4
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 0.

Works both on the CLI and from a Windows wireless client.


Thanks, Phil and Mathieu... that did the trick!

Steve

-Original Message-
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org]
 On Behalf Of Mathieu Simon
Sent: Monday, July 08, 2013 8:44 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP2 fails - samba version?

On 08.07.2013 16:30, Phil Mayers wrote:
 On 08/07/13 14:59, Lovaas,Steven wrote:


 Exec-Program output: Reading winbind reply failed! (0xc001)

 Check the permissions on the winbind socket, which usually lives in 
 either /var/cache/samba/winbindd_privileged or 
 /var/lib/samba/winbindd_privileged
I guess Debian wheezy is mostly the same as Ubuntu (where it is:
/var/run/samba/winbindd_privileged).
I had to add the freeradius user to this privileged group using:

'sudo adduser freerad winbindd_priv' to make it work, I hope that helps.

-- Mathieu


freeradius using linux user passwd

2013-07-08 Thread Julian Macassey
I have a Netgear WiFi router set up for WPA2 Enterprise.
It is pointed at a freeradius server. I am trying to use the
username and password of that server to authenticate. It fails
consistently with:

[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.


--


FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 
at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = freerad
group = freerad
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/plumgrid-radius1/plumgrid-radius1.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1

Re: freeradius using linux user passwd

2013-07-08 Thread Matthew Newton
On Mon, Jul 08, 2013 at 01:49:47PM -0700, Julian Macassey wrote:
   I have a Netgear WiFi router set up for WPA2 Enterprise.
 It is pointed at a freeradius server. I am trying to use the
 username and password of that server to authenticate. It fails
 consistently with: 
 
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request:
 Rejecting the user
 Failed to authenticate the user.

It looks like you've removed 'eap' from your default server
configuration. As WPA uses eap, you won't get far without it.

However, if you want to authenticate using the system
(/etc/passwd or shadow) database, then the only EAP type that's
going to work is EAP-TTLS/PAP. Windows older than Win8 don't
support that without a 3rd party supplicant, which is a barrier
for many people wanting to use it, so most don't.

In short the most likely things you want to do after adding eap
back in again are to use either a database with cleartext
passwords in it or use mschap (NTLM hash) passwords.

Matthew


 rad_recv: Access-Request packet from host 10.1.1.211 port 35032, id=73, 
 length=162
   User-Name = evergreen
   NAS-IP-Address = 192.168.1.1
   NAS-Port = 0
   Called-Station-Id = 28-C6-8E-A4-2B-6A:plum-radius
   Calling-Station-Id = 00-1F-5B-C1-AB-24
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 0Mbps 802.11b
   EAP-Message = 0x02b1000e0165766572677265656e
   Message-Authenticator = 0x6f0e884ab22ca3b623c88cb2a8bab823
 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[digest] returns noop
 [suffix] No '@' in User-Name = evergreen, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.
 ++[pap] returns noop
 ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
 the user
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject]   expand: %{User-Name} - evergreen
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 73 to 10.1.1.211 port 35032
 Waking up in 4.9 seconds.


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius using linux user passwd

2013-07-08 Thread Julian Macassey
On 2013-07-08 at 22:16, Matthew Newton (m...@leicester.ac.uk) wrote:

 On Mon, Jul 08, 2013 at 01:49:47PM -0700, Julian Macassey wrote:
  I have a Netgear WiFi router set up for WPA2 Enterprise.
  It is pointed at a freeradius server. I am trying to use the
  username and password of that server to authenticate. It fails
  consistently with: 
  
  [pap] WARNING! No known good password found for the user.
  Authentication may fail because of this.
  ++[pap] returns noop
  ERROR: No authenticate method (Auth-Type) found for the request:
  Rejecting the user
  Failed to authenticate the user.
 
 It looks like you've removed 'eap' from your default server
 configuration. As WPA uses eap, you won't get far without it.

So, I put it back in. I took it out earlier as 1. I
couldn't connect with it. 2. My understanding from reading the
docs was that pap alone would do the job.

 
 However, if you want to authenticate using the system
 (/etc/passwd or shadow) database, then the only EAP type that's
 going to work is EAP-TTLS/PAP. 

Now it, and everything else, seems to be there.

 Windows older than Win8 don't
 support that without a 3rd party supplicant, which is a barrier
 for many people wanting to use it, so most don't.
 
 In short the most likely things you want to do after adding eap
 back in again are to use either a database with cleartext
 passwords in it or use mschap (NTLM hash) passwords.

I'm just trying to do a bog standard username and
password for OS X and Linux users on laptops - Plus the
ubiquitous smartphones of course. I have no Microsoft gear on the
LAN.

Here is my latest output:


FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 
at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/ntlm_auth
including 

Re: freeradius using linux user passwd

2013-07-08 Thread Alan DeKok
Julian Macassey wrote:
   So, I put it back in. I took it out earlier as 1. I
 couldn't connect with it. 2. My understanding from reading the
 docs was that pap alone would do the job.

  (1) No, and (2) Not for 802.1X

   I'm just trying to do a bog standard username and
 password for OS X and Linux users on laptops - Plus the
 ubiquitous smartphones of course. I have no Microsoft gear on the
 LAN.
 
 Here is my latest output:

  Which indicates that you didn't tell the server what the *good*
password is for the user.  Why not?

  Read the FAQ.  It has instructions for configuring a sample user.
When you've done that, it *will* authenticate that user.

  Getting 802.1X to work requires a number of steps.  You've missed
some.  My guide goes through this in detail, and following it will
*always* work:

http://deployingradius.com/

  Alan DeKok.
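A small triage helper for radiusd -X output, added here as an example (it is not code from anyone in the thread or from the FreeRADIUS project): it flags the two conditions Matthew and Alan point at, a request that carries EAP-Message while no eap module ran in authorize, and a user for whom the server has no known-good password and therefore no Auth-Type. The sample log is constructed from the output quoted above, shortened.

```python
import re

# Constructed excerpt modelled on the radiusd -X output quoted in the thread (shortened, not the original log)
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.1.1.211 port 35032, id=73, length=162
\tUser-Name = evergreen
\tNAS-Port-Type = Wireless-802.11
\tEAP-Message = 0x02b1000e0165766572677265656e
\tMessage-Authenticator = 0x6f0e884ab22ca3b623c88cb2a8bab823
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
++[unix] returns notfound
++[files] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Sending Access-Reject of id 73 to 10.1.1.211 port 35032
"""

def split_requests(debug_text):
    """Split radiusd -X output into one chunk per received packet."""
    chunks = re.split(r"(?=^rad_recv: )", debug_text, flags=re.M)
    return [c for c in chunks if c.startswith("rad_recv: ")]

def diagnose_request(chunk):
    """Return the findings for one request chunk, keyed to the symptoms discussed in the thread."""
    findings = []
    # Which modules ran in this request's sections, and what each returned.
    ran = dict(re.findall(r"^\+\+\[([\w.]+)\] returns (\w+)", chunk, re.M))
    has_eap_message = re.search(r"^\s*EAP-Message\s*=", chunk, re.M) is not None
    # 802.1X / WPA2-Enterprise requests carry EAP-Message; if 'eap' never ran,
    # it is not listed in the authorize section (Matthew's diagnosis).
    if has_eap_message and "eap" not in ran:
        findings.append("eap-missing-from-authorize")
    # The server holds no known-good password for this user (Alan's point).
    if "No known good password found" in chunk:
        findings.append("no-known-good-password")
    # Nothing set Auth-Type, so the request is rejected before authenticate runs.
    if "No authenticate method (Auth-Type) found" in chunk:
        findings.append("no-auth-type")
    if ran.get("unix") == "notfound":
        findings.append("unix-returned-notfound")
    user = re.search(r"^\s*User-Name\s*=\s*(\S+)", chunk, re.M)
    return {"user": user.group(1) if user else None, "findings": findings}

def diagnose(debug_text):
    return [diagnose_request(c) for c in split_requests(debug_text)]

if __name__ == "__main__":
    for result in diagnose(SAMPLE_DEBUG):
        print(result)
```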


Re: freeradius using linux user passwd

2013-07-08 Thread Julian Macassey
On 2013-07-09 at 00:52, Alan DeKok (al...@deployingradius.com) wrote:

 Julian Macassey wrote:
  So, I put it back in. I took it out earlier as 1. I
  couldn't connect with it. 2. My understanding from reading the
  docs was that pap alone would do the job.
 
   (1) No, and (2) Not for 802.1X
 
  I'm just trying to do a bog standard username and
  password for OS X and Linux users on laptops - Plus the
  ubiquitous smartphones of course. I have no Microsoft gear on the
  LAN.
  
  Here is my latest output:
 
   Which indicates that you didn't tell the server what the *good*
 password is for the user.  Why not?

In the Wifi sign on window of both a Macbook and an
iPhone, I enter the username and the password. So, from my sign
on I have told the server both.

 
   Read the FAQ.  It has instructions for configuring a sample user.
 When you've done that, it *will* authenticate that user.

I have done that, if you mean putting username and
password, plus shared secret in the /etc/freeradius/users file.
Using radtest as described in the documentation I have done it
and it works.

What doesn't work is getting a Macbook to connect to a
Netgear N600 WiFi Router using WPA2 Enterprise and freeradius
using the username and login available to any user logging into
the freeradius machine via the console or ssh.


 
   Getting 802.1X to work requires a number of steps.  You've missed
 some.  My guide goes through this in detail, and following it will
 *always* work:
 
 http://deployingradius.com/

I have read and followed
http://deployingradius.com/documents/configuration/setup.html

What I haven't yet done is replace the snake oil certs
with production certs:

http://deployingradius.com/documents/configuration/certificates.html

But I get the output I have sent before.

The instructions above are for Microsoft Windows, but
Linux and Mac OSX should be pretty standard.

Yours


group authorization and ldap

2013-07-08 Thread Brendan Kearney
List members,

I am working on having radius perform authorization based on group
membership in ldap.  I am able to authenticate the user using the
kerberos module, and can attach to ldap using the ldap module.  What I
would like to do is have a group in ldap that provides a radiusReplyItem
value, instead of having the radiusReplyItem as a user's attribute.
Effectively what I am attempting to accomplish is: by placing a user in
the group, the authorization string provided in the radiusReplyItem
would be given to hosts, removing the need to supply the radiusReplyItem
on a per-user basis.

I have found this write-up:
http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap
but it does not work.  I am using freeradius v 2.2.0 on fedora 16, with
openldap 2.4.26 and kerberos5 1.9.4.  The device pointing at radius is a
cisco sg300-28.  I am able to sign in right now, pointing at kerberos
for auth, and providing the authorization string out of my user object
in ldap.  Any pointers towards how I can accomplish this would be
appreciated.

Thanks in advance,

Brendan
