group authorization and ldap
List members,

I am working on having radius perform authorization based on group membership in ldap. I am able to authenticate the user using the kerberos module, and can attach to ldap using the ldap module.

What I would like to do is have a group in ldap that provides a radiusReplyItem value, instead of having the radiusReplyItem as a user attribute. Effectively what I am attempting to accomplish is: by placing a user in the group, the authorization string provided in the radiusReplyItem would be given to hosts, removing the need to supply the radiusReplyItem on a per-user basis.

I have found this write up: http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap but it does not work.

I am using freeradius v 2.2.0 on fedora 16, with openldap 2.4.26 and kerberos5 1.9.4. The device pointing at radius is a cisco sg300-28.

I am able to sign in right now, pointing at kerberos for auth, and providing the authorization string out of my user object in ldap.

Any pointers towards how I can accomplish this would be appreciated.

Thanks in advance,
brendan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
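One way to get membership-driven authorization in FreeRADIUS 2.x, added here as an example and not taken from the post or from the FreeRADIUS project files: the group stays in LDAP, and the reply items are keyed on the Ldap-Group check item that rlm_ldap registers, so they live once per group in the users file rather than once per user object. The server, base DN, group name "switch-admins" and the Service-Type reply item are assumptions; substitute the authorization attribute your user objects carry today.

```conf
# /etc/raddb/modules/ldap  (FreeRADIUS 2.x) -- group lookup settings.
# server, basedn and the group layout below are assumptions for this example.
ldap {
        server = "ldap.example.com"
        basedn = "dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # How rlm_ldap answers an "Ldap-Group == name" comparison: the group's
        # cn is the name, and the user belongs to it when the group's member or
        # uniqueMember attribute holds the user DN found by the filter above
        # (rlm_ldap caches that DN in control:Ldap-UserDn when it runs).
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniqueMember=%{control:Ldap-UserDn})))"
}

# /etc/raddb/users -- one entry per LDAP group instead of one reply item per user.
# "switch-admins" and Service-Type are placeholders for the real group and the
# authorization string the switch expects; Fall-Through keeps later DEFAULT
# entries (for example the one selecting the Kerberos Auth-Type) in effect.
DEFAULT Ldap-Group == "switch-admins"
        Service-Type = Administrative-User,
        Fall-Through = Yes

# /etc/raddb/sites-enabled/default -- ldap runs before files so the user DN is
# already cached when files evaluates the Ldap-Group check. Authentication
# stays with the existing krb5 setup and is not shown here.
authorize {
        preprocess
        ldap
        files
        pap
}
```

Users who are not in the group simply never match this entry and get no reply items from it, which is the safe default for an administrative role.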
Re: freeradius using linux user passwd
On 2013-07-09 at 00:52, Alan DeKok (al...@deployingradius.com) wrote:
> Julian Macassey wrote:
> > So, I put it back in. I took it out earlier as 1. I
> > couldn't connect with it. 2. My understanding from reading the
> > docs was that pap alone would do the job.
>
> (1) No, and (2) Not for 802.1X
>
> > I'm just trying to do a bog standard username and
> > password for OS X and Linux users on laptops - Plus the
> > ubiquitous smartphones of course. I have no Microsoft gear on the
> > LAN.
> >
> > Here is my latest output:
>
> Which indicates that you didn't tell the server what the *good*
> password is for the user. Why not?

In the Wifi sign on window of both a Macbook and an iPhone, I enter the username and the password. So, from my sign on I have told the server both.

> Read the FAQ. It has instructions for configuring a sample user.
> When you've done that, it *will* authenticate that user.

I have done that, if you mean putting username and password, plus shared secret in the /etc/freeradius/users file. Using radtest as described in the documentation I have done it and it works.

What doesn't work is getting a Macbook to connect to a Netgear N600 WiFi Router using WPA2 Enterprise and freeradius using the username and login available to any user logging into the freeradius machine via the console or ssh.

> Getting 802.1X to work requires a number of steps. You've missed
> some. My guide goes through this in detail, and following it will
> *always* work:
>
> http://deployingradius.com/

I have read and followed http://deployingradius.com/documents/configuration/setup.html

What I haven't yet done is replace the "snake oil" certs with production certs: http://deployingradius.com/documents/configuration/certificates.html

But I get the output I have sent before. The instructions above are for Microsoft Windows, but Linux and Mac OSX should be pretty standard.

Yours
Re: freeradius using linux user passwd
Julian Macassey wrote:
> So, I put it back in. I took it out earlier as 1. I
> couldn't connect with it. 2. My understanding from reading the
> docs was that pap alone would do the job.

(1) No, and (2) Not for 802.1X

> I'm just trying to do a bog standard username and
> password for OS X and Linux users on laptops - Plus the
> ubiquitous smartphones of course. I have no Microsoft gear on the
> LAN.
>
> Here is my latest output:

Which indicates that you didn't tell the server what the *good* password is for the user. Why not?

Read the FAQ. It has instructions for configuring a sample user. When you've done that, it *will* authenticate that user.

Getting 802.1X to work requires a number of steps. You've missed some. My guide goes through this in detail, and following it will *always* work:

http://deployingradius.com/

Alan DeKok.
Re: freeradius using linux user passwd
On 2013-07-08 at 22:16, Matthew Newton (m...@leicester.ac.uk) wrote:
> On Mon, Jul 08, 2013 at 01:49:47PM -0700, Julian Macassey wrote:
> > I have a Netgear WiFi router set up for WPA2 Enterprise.
> > It is pointed at a freeradius server. I am trying to use the
> > username and password of that server to authenticate. It fails
> > consistently with:
> >
> > [pap] WARNING! No "known good" password found for the user.
> > Authentication may fail because of this.
> > ++[pap] returns noop
> > ERROR: No authenticate method (Auth-Type) found for the request:
> > Rejecting the user
> > Failed to authenticate the user.
>
> It looks like you've removed 'eap' from your default server
> configuration. As WPA uses eap, you won't get far without it.

So, I put it back in. I took it out earlier as 1. I couldn't connect with it. 2. My understanding from reading the docs was that pap alone would do the job.

> However, if you want to authenticate using the system
> (/etc/passwd or shadow) database, then the only EAP type that's
> going to work is EAP-TTLS/PAP.

Now it, and everything else, seems to be there.

> Windows older than Win8 don't
> support that without a 3rd party supplicant, which is a barrier
> for many people wanting to use it, so most don't.
>
> In short the most likely things you want to do after adding eap
> back in again are to use either a database with cleartext
> passwords in it or use mschap (NTLM hash) passwords.

I'm just trying to do a bog standard username and password for OS X and Linux users on laptops - Plus the ubiquitous smartphones of course. I have no Microsoft gear on the LAN.

Here is my latest output:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freera
Re: freeradius using linux user passwd
On Mon, Jul 08, 2013 at 01:49:47PM -0700, Julian Macassey wrote:
> I have a Netgear WiFi router set up for WPA2 Enterprise.
> It is pointed at a freeradius server. I am trying to use the
> username and password of that server to authenticate. It fails
> consistently with:
>
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.

It looks like you've removed 'eap' from your default server configuration. As WPA uses eap, you won't get far without it.

However, if you want to authenticate using the system (/etc/passwd or shadow) database, then the only EAP type that's going to work is EAP-TTLS/PAP. Windows older than Win8 don't support that without a 3rd party supplicant, which is a barrier for many people wanting to use it, so most don't.

In short the most likely things you want to do after adding eap back in again are to use either a database with cleartext passwords in it or use mschap (NTLM hash) passwords.

Matthew

> rad_recv: Access-Request packet from host 10.1.1.211 port 35032, id=73,
> length=162
> User-Name = "evergreen"
> NAS-IP-Address = 192.168.1.1
> NAS-Port = 0
> Called-Station-Id = "28-C6-8E-A4-2B-6A:plum-radius"
> Calling-Station-Id = "00-1F-5B-C1-AB-24"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11b"
> EAP-Message = 0x02b1000e0165766572677265656e
> Message-Authenticator = 0x6f0e884ab22ca3b623c88cb2a8bab823
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "evergreen", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
> the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> evergreen
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 73 to 10.1.1.211 port 35032
> Waking up in 4.9 seconds.

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,
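The EAP-TTLS/PAP arrangement Matthew describes, written out as an added example that is not part of any message in this thread: the outer server only needs eap (its absence is what produced the [pap] warning above), and the tunnelled inner request is handed to the inner-tunnel virtual server, where the unix module supplies the "known good" password from the system database for pap to verify. File paths follow the Debian layout used in the thread; the tls values are the shipped snake-oil defaults, and it is an assumption of this example that the server's user can read /etc/shadow (on Debian that typically means adding freerad to the shadow group).

```conf
# /etc/freeradius/eap.conf -- TTLS is the only EAP method that can carry a
# plain (PAP) password through the tunnel to the unix module.
eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no

        tls {
                # snake-oil defaults from the shipped eap.conf; replace with
                # production certificates before going live.
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
        }

        ttls {
                # md5 is the fallback for an inner EAP method; with PAP inside
                # the tunnel it is never used.
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
}

# /etc/freeradius/sites-enabled/default -- the outer server. Without "eap"
# here the EAP-Message is never handled and no Auth-Type is ever set.
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        files
}
authenticate {
        eap
}

# /etc/freeradius/sites-enabled/inner-tunnel -- sees the decrypted PAP request.
server inner-tunnel {
        authorize {
                suffix
                # unix looks the user up with getpwnam/getspnam and sets
                # control:Crypt-Password, the "known good" password pap needs;
                # this is why the server must be able to read /etc/shadow.
                unix
                # pap sees User-Password plus Crypt-Password and sets Auth-Type PAP
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

The client side must be configured for TTLS with PAP as the inner method; supplicants that default to PEAP/MSCHAPv2 cannot be verified against crypt() hashes and will be rejected in the inner tunnel.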
freeradius using linux user passwd
I have a Netgear WiFi router set up for WPA2 Enterprise. It is pointed at a freeradius server. I am trying to use the username and password of that server to authenticate. It fails consistently with:

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user
Failed to authenticate the user.

--

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
	user = "freerad"
	group = "freerad"
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/plumgrid-radius1/plumgrid-radius1.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = no
 	auth_badpass = no
 	auth_goodpass = no
 }
 security {
 	max_attributes = 200
 	reject_de
RE: MS-CHAP2 fails - samba version?
Sending Access-Accept of id 203 to 127.0.0.1 port 42549
	MS-CHAP-MPPE-Keys = 0xb0ea48246e549461af612741d64404e4
	MS-MPPE-Encryption-Policy = 0x0001
	MS-MPPE-Encryption-Types = 0x0006
Finished request 0.

Works both on the CLI and from a Windows wireless client. Thanks, Phil and Mathieu... that did the trick!

Steve

-----Original Message-----
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org [mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org] On Behalf Of Mathieu Simon
Sent: Monday, July 08, 2013 8:44 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP2 fails - samba version?

On 08.07.2013 16:30, Phil Mayers wrote:
> On 08/07/13 14:59, Lovaas,Steven wrote:
>>
>> Exec-Program output: Reading winbind reply failed! (0xc001)
>
> Check the permissions on the winbind socket, which usually lives in
> either /var/cache/samba/winbindd_privileged or
> /var/lib/samba/winbindd_privileged

I guess Debian wheezy is mostly the same as Ubuntu (where it is: /var/run/samba/winbindd_privileged). I had to add the freeradius user to this privileged group using: 'sudo adduser freerad winbindd_priv' to make it work. I hope that helps.

-- Mathieu
Re: MS-CHAP2 fails - samba version?
On 08.07.2013 16:30, Phil Mayers wrote:
> On 08/07/13 14:59, Lovaas,Steven wrote:
>>
>> Exec-Program output: Reading winbind reply failed! (0xc001)
>
> Check the permissions on the winbind socket, which usually lives in
> either /var/cache/samba/winbindd_privileged or
> /var/lib/samba/winbindd_privileged

I guess Debian wheezy is mostly the same as Ubuntu (where it is: /var/run/samba/winbindd_privileged). I had to add the freeradius user to this privileged group using: 'sudo adduser freerad winbindd_priv' to make it work. I hope that helps.

-- Mathieu
Re: MS-CHAP2 fails - samba version?
On 08/07/13 14:59, Lovaas,Steven wrote:
> Exec-Program output: Reading winbind reply failed! (0xc001)

Check the permissions on the winbind socket, which usually lives in either /var/cache/samba/winbindd_privileged or /var/lib/samba/winbindd_privileged
MS-CHAP2 fails - samba version?
Hello everyone,

I’m trying to bring up a fresh instance using 2.2.0, rather than just cloning old 1.x configs as has been done in previous upgrades. In building a new Ubuntu server, I grabbed the latest available build of samba (3.6.3); I’ve read that a version of at least 3.5.4 is required to work with Windows Server 2008 r2 AD. Compatibility with 2008 r2 is what is driving this upgrade.

Working from the Deploying Radius site, I’ve made good progress. So far, the directions have been clear and everything has worked well. I even took the opportunity to learn mercurial along the way… thanks ☺. I also created two virtual servers, to support different policies for our main campus wireless and eduroam. That also seems to be working well, with one SSID pointing to each virtual server… slick!

Ntlm works:

/usr/bin/ntlm_auth --request-nt-key --domain=COLOSTATE --username=slovaas
password:
NT_STATUS_OK: Success (0x0)
root@freerad13:/etc/freeradius/modules#

Winbind looks OK, though only the challenge/response version of authentication… that’s normal?:

wbinfo -a slovaas
Enter slovaas's password:
plaintext password authentication failed
Could not authenticate user slovaas with plaintext password
Enter slovaas's password:
challenge/response password authentication succeeded
root@freerad13:/etc/freeradius#

And with a forced default ntlm_auth in the users file, I can authenticate with radtest.

But here’s where I’m stuck. When I remove the default ntlm_auth line in the users file and put the ntlm_auth line in mschap, I no longer get access_accept. The debug of the request is pasted below. But I wondered… basic authentication is working (with ntlm_auth) but mschap doesn’t get what it wants back (using ntlm_auth), which sounds like an issue that was around in earlier versions of samba. Before I go downgrading samba, though, I was wondering if anyone saw anything I missed or had any other suggestions.
Thanks,
Steve

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.08 07:43:48 =~=~=~=~=~=~=~=~=~=~=~=
rad_recv: Access-Request packet from host 127.0.0.1 port 35685, id=59, length=133
	User-Name = "slovaas"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x160e7734756ad5899a83bbc504bd937c
	MS-CHAP-Challenge = 0x105268b03ae9b2ee
	MS-CHAP-Response = 0x00013487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
server eid-dot11i {
# Executing section authorize from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group authorize {...}
++- entering policy filter_username_csu {...}
+++? if (User-Name != "%{tolower:%{User-Name}}")
	expand: %{User-Name} -> slovaas
	expand: %{tolower:%{User-Name}} -> slovaas
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name =~ / /)
? Evaluating (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i )
? Evaluating (User-Name =~ /@(.+)?@/i) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i ) -> FALSE
+++? if (User-Name =~ /\\.\\./ )
? Evaluating (User-Name =~ /\\.\\./) -> FALSE
+++? if (User-Name =~ /\\.\\./ ) -> FALSE
++- policy filter_username_csu returns notfound
++[preprocess] returns ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] 	expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] 	expand: %t -> Mon Jul 8 07:45:04 2013
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "slovaas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] 	expand: %{Stripped-User-Name} ->
[mschap] 	... expanding second conditional
[mschap] 	expand: %{User-Name} -> slovaas
[mschap] 	expand: %{%{User-Name}:-None} -> slovaas
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=slovaas
[mschap] mschap1: 10
[mschap] 	expand: %{mschap:Challenge} -> 105268b03ae9b2ee
[mschap] 	expand: --challenge=%{%{m
Re: Re[2]: acct_users
Yes, issues can appear in new code as well as get fixed. Known problems in 2.2.0 will be solved in 2.2.1, which is near/ready for release.

alan
Re[2]: acct_users
My old server is all ok. The problem appeared after the upgrade to the latest version, 2.2.0.

[root@aaa-db1 raddb]# radiusd -v
radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Jun 26 2013 at 10:04:20
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

>Upgrade freeradius version.
>There was a problem with parsing attributes (which start with a number) in the
>code.
>
>From: freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org [mailto:freeradius-users-bounces+peter.balsianok=orange...@lists.freeradius.org] On Behalf Of
>Sent: Monday, July 08, 2013 1:01 PM
>To: freeradius-users@lists.freeradius.org
>Subject: acct_users
>
>
>Subject: acct_users
>Hi
>I have some problem with accounting files on version 2.2.0. I use the standard
>dictionary 3GPP2, but the attribute 3GPP2-PCF-IP-Address was ignored in the acct_users
>file.
>
>etc/acct_users
>DEFAULT Acct-Session-Time == "0", Acct-Type := TEST0
>DEFAULT Framed-IP-Address =~ "172.16", Acct-Type := BLOCKED
>DEFAULT 3GPP2-PCF-IP-Address =~ "10.223.[45]", NAS-IP-Address =~ "10.123.66.5", Acct-Type := ASREVDO
>DEFAULT 3GPP2-PCF-IP-Address =~ "10.123.65", NAS-IP-Address =~ "10.123.66", Acct-Type := KUB
>DEFAULT Acct-Type := OTHER
>
>etc/modules/detail
>
>detail TEST {
>	detailfile = ${radacctdir}/files/blocked/blocked.%Y%m
>	detailperm = 0640
>	locking = yes
>}
>
>detail TEST0 {
>	detailfile = ${radacctdir}/files/nullsession/nullsession.%Y%m
>	detailperm = 0640
>	locking = yes
>}
>
>detail KUB {
>	detailfile = ${radacctdir}/files/onex/kub.aaadb1.onex
>	detailperm = 0640
>	locking = yes
>}
>
>detail ASREVDO {
>	detailfile = ${radacctdir}/files/evdoasr/kubasr.aaadb1.evdo
>	detailperm = 0640
>	locking = yes
>}
>
>detail OTHER {
>	detailfile = ${radacctdir}/files/other/%{NAS-IP-Address}_other/other.%{NAS-IP-Address}.%Y%m
>	detailperm = 0640
>	locking = yes
>}
>
>My accounting files were created as OTHER, but they should have been in
>ASREVDO.
>
>For example, radclient:
>[root@aaa-db1 radtest]# ./radtestacct.sh |more
>Sending Accounting-Request of id 7 to 127.0.0.1 port 1813
>	User-Name = "mobile"
>	Calling-Station-Id = "250091000211350"
>	NAS-IP-Address = 10.123.66.5
>	Acct-Status-Type = Interim-Update
>	Acct-Session-Id = "50D406FD"
>	3GPP2-Correlation-Id = "o095O8hM"
>	NAS-Identifier = "asr5k-krd"
>	SN-Software-Version = "10.0 (36820)"
>	3GPP2-BSID = "2D0C00010701"
>	3GPP2-Attr-41 = 0x000b32c1
>	3GPP2-Service-Option = 59
>	3GPP2-User-Id = 0
>	3GPP2-ESN = "0159E33E"
>	Service-Type = Framed-User
>	Framed-Protocol = PPP
>	NAS-Port-Type = Wireless-Other
>	3GPP2-PCF-IP-Address = 10.223.4.6
>	Acct-Authentic = RADIUS
>	SN-Local-IP-Address = 77.243.240.221
>	SN-Primary-DNS-Server = 77.243.240.230
>	SN-Secondary-DNS-Server = 77.243.240.231
>	SN-VPN-Name = "ISP"
>	SN-Primary-NBNS-Server = 0.0.0.0
>	SN-Secondary-NBNS-Server = 0.0.0.0
>	Framed-Compression = None
>	SN-PPP-Data-Compression = None
>	SN-VPN-ID = 3
>	3GPP2-IP-Technology = 1
>	3GPP2-Compulsory-Tunnel-Indicator = 0
>	SN-Proxy-MIP = 0
>	Framed-MTU = 1500
>	3GPP2-Attr-78 = 0x
>	SN-PPP-Data-Compression-Mode = Normal
>	3GPP2-Forward-FCH-Mux-Option = 0
>	3GPP2-Reverse-FCH-Mux-Option = 0
>	3GPP2-Forward-Traffic-Type = 0
>	3GPP2-Reverse-Traffic-Type = 0
>	3GPP2-FCH-Frame-Size = 0
>	3GPP2-Forward-FCH-RC = 0
>	3GPP2-Reverse-FCH-RC = 0
>	3GPP2-Airlink-Priority = 0
>	3GPP2-Airlink-Sequence-Number = 5
>	3GPP2-Airlink-Record-Type = 2
>	3GPP2-Bad-PPP-Frame-Count = 0
>	3GPP2-Number-Active-Transitions = 130
>	3GPP2-Terminating-SDB-Octet-Count = 0
>	3GPP2-Originating-SDB-OCtet-Count = 0
>	3GPP2-Terminating-Number-SDBs = 0
>	3GPP2-Originating-Number-SDBs = 0
>	3GPP2-Received-HDLC-Octets = 14106
>	3GPP2-Active-Time = 2040
>	Acct-Input-Packets = 109
>	Acct-Output-Packets = 268
>	3GPP2-Attr-162 = 0x
>	3GPP2-Attr-163 = 0x
>	3GPP2-Attr-164 = 0x
>	3GPP2-Attr-165 = 0x
>	SNA-PPP-Unfr-data-In-Oct = 11438
>	SNA-PPP-Unfr-data-Out-Oct = 35850
>	Acct-Session-Time = 3600
>	3GP
Using DirName from CRLDP extension as search filter
Greetings, novice at freeradius here.

I would like to use the ldap module in Freeradius to check certs against CRLs, nothing special there. What I'm wondering is how, if it is in fact possible, I can take the DN provided by the cert to filter the ldap search done by the module. All I really need to filter on is the CN part of the DirName. Example:

DirName: C = US, O = XXX, CN = CRLXXX

There are quite a few CRLs on the ldap server and it seems that having more than one result returned results in an ambiguous search and a subsequent failure. Is what I'm looking to do possible?

Somewhat related question about CRLs: in my testing I've run across the error "Different CRL scope". It seems that the CRLs have the UsersOnly flag set, but I can still successfully verify that a revoked certificate that fails in this fashion is indeed revoked by using openssl verify. My suspicion is that openssl verify doesn't care about scope, but I haven't found anything that says one or the other.

I'm running freeradius 2.1.12 from the debian wheezy repo, openssl 1.0.1e from the same, if this is relevant.

Regards,
Joacim Kosonen
acct_users
Subject: acct_users

Hi

I have some problem with accounting files on version 2.2.0. I use the standard dictionary 3GPP2, but the attribute 3GPP2-PCF-IP-Address was ignored in the acct_users file.

etc/acct_users
DEFAULT Acct-Session-Time == "0", Acct-Type := TEST0
DEFAULT Framed-IP-Address =~ "172.16", Acct-Type := BLOCKED
DEFAULT 3GPP2-PCF-IP-Address =~ "10.223.[45]", NAS-IP-Address =~ "10.123.66.5", Acct-Type := ASREVDO
DEFAULT 3GPP2-PCF-IP-Address =~ "10.123.65", NAS-IP-Address =~ "10.123.66", Acct-Type := KUB
DEFAULT Acct-Type := OTHER

etc/modules/detail

detail TEST {
	detailfile = ${radacctdir}/files/blocked/blocked.%Y%m
	detailperm = 0640
	locking = yes
}

detail TEST0 {
	detailfile = ${radacctdir}/files/nullsession/nullsession.%Y%m
	detailperm = 0640
	locking = yes
}

detail KUB {
	detailfile = ${radacctdir}/files/onex/kub.aaadb1.onex
	detailperm = 0640
	locking = yes
}

detail ASREVDO {
	detailfile = ${radacctdir}/files/evdoasr/kubasr.aaadb1.evdo
	detailperm = 0640
	locking = yes
}

detail OTHER {
	detailfile = ${radacctdir}/files/other/%{NAS-IP-Address}_other/other.%{NAS-IP-Address}.%Y%m
	detailperm = 0640
	locking = yes
}

My accounting files were created as OTHER, but they should have been in ASREVDO.
For example, radclient:

[root@aaa-db1 radtest]# ./radtestacct.sh |more
Sending Accounting-Request of id 7 to 127.0.0.1 port 1813
	User-Name = "mobile"
	Calling-Station-Id = "250091000211350"
	NAS-IP-Address = 10.123.66.5
	Acct-Status-Type = Interim-Update
	Acct-Session-Id = "50D406FD"
	3GPP2-Correlation-Id = "o095O8hM"
	NAS-Identifier = "asr5k-krd"
	SN-Software-Version = "10.0 (36820)"
	3GPP2-BSID = "2D0C00010701"
	3GPP2-Attr-41 = 0x000b32c1
	3GPP2-Service-Option = 59
	3GPP2-User-Id = 0
	3GPP2-ESN = "0159E33E"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port-Type = Wireless-Other
	3GPP2-PCF-IP-Address = 10.223.4.6
	Acct-Authentic = RADIUS
	SN-Local-IP-Address = 77.243.240.221
	SN-Primary-DNS-Server = 77.243.240.230
	SN-Secondary-DNS-Server = 77.243.240.231
	SN-VPN-Name = "ISP"
	SN-Primary-NBNS-Server = 0.0.0.0
	SN-Secondary-NBNS-Server = 0.0.0.0
	Framed-Compression = None
	SN-PPP-Data-Compression = None
	SN-VPN-ID = 3
	3GPP2-IP-Technology = 1
	3GPP2-Compulsory-Tunnel-Indicator = 0
	SN-Proxy-MIP = 0
	Framed-MTU = 1500
	3GPP2-Attr-78 = 0x
	SN-PPP-Data-Compression-Mode = Normal
	3GPP2-Forward-FCH-Mux-Option = 0
	3GPP2-Reverse-FCH-Mux-Option = 0
	3GPP2-Forward-Traffic-Type = 0
	3GPP2-Reverse-Traffic-Type = 0
	3GPP2-FCH-Frame-Size = 0
	3GPP2-Forward-FCH-RC = 0
	3GPP2-Reverse-FCH-RC = 0
	3GPP2-Airlink-Priority = 0
	3GPP2-Airlink-Sequence-Number = 5
	3GPP2-Airlink-Record-Type = 2
	3GPP2-Bad-PPP-Frame-Count = 0
	3GPP2-Number-Active-Transitions = 130
	3GPP2-Terminating-SDB-Octet-Count = 0
	3GPP2-Originating-SDB-OCtet-Count = 0
	3GPP2-Terminating-Number-SDBs = 0
	3GPP2-Originating-Number-SDBs = 0
	3GPP2-Received-HDLC-Octets = 14106
	3GPP2-Active-Time = 2040
	Acct-Input-Packets = 109
	Acct-Output-Packets = 268
	3GPP2-Attr-162 = 0x
	3GPP2-Attr-163 = 0x
	3GPP2-Attr-164 = 0x
	3GPP2-Attr-165 = 0x
	SNA-PPP-Unfr-data-In-Oct = 11438
	SNA-PPP-Unfr-data-Out-Oct = 35850
	Acct-Session-Time = 3600
	3GPP2-Session-Continue = 1
	3GPP2-Last-User-Activity-Time = 1373257676
	SNA-PPP-Ctrl-Input-Octets = 23602
	SNA-PPP-Ctrl-Output-Octets = 28240
	SNA-PPP-Ctrl-Input-Packets = 2346
	SNA-PPP-Ctrl-Output-Packets = 2347
	SNA-PPP-Framed-Input-Octets = 6446541
	SNA-PPP-Framed-Output-Octets = 93404564
	SNA-PPP-Discards-Input = 107
	SNA-PPP-Errors-Input = 107
	SNA-PPP-Bad-FCS = 107
	SNA-PPP-Echo-Req-Input = 2335
	SNA-PPP-Echo-Rsp-Output = 2335
	SNA-RPRRQ-Rcvd-Total = 4448
	SNA-RPRRQ-Rcvd-Acc-Reg = 4448
	SNA-RPRRQ-Rcvd-Acc-Dereg = 39
	SNA-RPRAK-Rcvd-Total = 60
	SNA-RPRAK-Rcvd-Acc-Ack = 40
	SNA-RPRAK-Rcvd-Mis-ID = 20
	SNA-RP-Reg-Reply-Sent-Total = 4448
	SNA-RP-Reg-Reply-Sent-Acc-Reg = 4448
	SNA-RP-Reg-Reply-Sent-Acc-Dereg = 39
	SNA-RP-Reg-Upd-Sent = 60
	SNA-RP-Reg-Upd-Re-Sent = 20
	Event-Timestamp = "Jul 8 2013 08:28:23 MSK"
	3GPP2-Service-Reference-Id = 0x0104000102040001
	Framed-I
Re: pulling dn for User-Profile from ldap
On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
> Don't try and use the users file for complex stuff like this.
>
> In your profile objects add an attribute for preferredNetwork.
>
> Use ldap xlat to search in the directory for a profile object with a
> preferredNetwork attribute which matches the stripped path of the username,
> specify DN as the attribute to retrieve.
>
> Something like:
>
> authorize {
>   update control {
>     User-Profile := "%{ldap:ldap:/// dn>?DN?sub?preferredNetwork=%{}}"
>   }
>
>   if (!control:User-Profile) {
>     reject # or whatever you want to do for this case
>   }
>
>   ldap
> }

Hi. Thanks for the pointers. I actually needed to search for group membership as well as the group name:

User-Profile := "%{ldap-main:ldap:///ou=groups,dc=wuji,dc=cz?seeAlso?sub?(&(cn=%{Preferred-Network})(uniqueMember=%{control:Ldap-UserDn}))}"

This checks whether the current user is a member of the group he/she sent as preferred and returns the pointer to the group radius profile.

I'm of course hitting a problem with eap where it complains that the eap identity is different from the User-Name, because I'm changing User-Name in hints file but I'll work around it somehow.

thanks again
Martin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
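The membership lookup Martin's xlat performs, as an added example that is not from the thread: a small Python model of the (&(cn=…)(uniqueMember=…)) search run against a constructed in-memory copy of ou=groups, with RFC 4515 escaping applied to both interpolated values, since Preferred-Network is whatever the client put in the request. The group names, profile DNs and user DNs are constructed sample data; only the ou=groups,dc=wuji,dc=cz base and the filter shape come from the post.

```python
# Added example (not from the thread): a model of the group lookup in the post,
#   (&(cn=<Preferred-Network>)(uniqueMember=<Ldap-UserDn>)) -> seeAlso,
# against a constructed in-memory directory, with the two interpolated values
# escaped per RFC 4515 because Preferred-Network arrives in the request.
from typing import Optional

# RFC 4515 escapes: backslash first, then the filter metacharacters and NUL.
_RFC4515 = [("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"),
            ("\x00", r"\00")]

def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only match literally inside a search filter."""
    for raw, esc in _RFC4515:
        value = value.replace(raw, esc)
    return value

def build_group_filter(preferred_network: str, user_dn: str) -> str:
    """The filter from the post, with both operands escaped."""
    return "(&(cn=%s)(uniqueMember=%s))" % (
        ldap_filter_escape(preferred_network), ldap_filter_escape(user_dn))

# Constructed sample of ou=groups: cn -> (seeAlso profile DN, uniqueMember values).
GROUPS = {
    "wifi-staff": ("cn=staff-profile,ou=profiles,dc=wuji,dc=cz",
                   ["uid=martin,ou=people,dc=wuji,dc=cz"]),
    "wifi-guests": ("cn=guest-profile,ou=profiles,dc=wuji,dc=cz",
                    ["uid=visitor,ou=people,dc=wuji,dc=cz"]),
}

def _unescape(value: str) -> str:
    """Inverse of ldap_filter_escape, as the directory server applies it."""
    for raw, esc in reversed(_RFC4515):
        value = value.replace(esc, raw)
    return value

def lookup_profile_dn(filter_str: str, groups=GROUPS) -> Optional[str]:
    """Evaluate a (&(cn=X)(uniqueMember=Y)) filter the way the xlat does and
    return the group's seeAlso, or None (the reject case in unlang).
    Only this exact filter shape is handled; it is not a general parser."""
    if not (filter_str.startswith("(&(cn=") and filter_str.endswith("))")):
        return None
    inner = filter_str[len("(&(cn="):-2]
    cn_part, _, member_part = inner.partition(")(uniqueMember=")
    cn, member = _unescape(cn_part), _unescape(member_part)
    if cn in groups and member in groups[cn][1]:
        return groups[cn][0]
    return None
```

A user who is not a uniqueMember of the group named in Preferred-Network gets None back, which is the case the `if (!control:User-Profile) { reject }` branch in Arran's sketch handles.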
Re: freeRADIUS for switch authentication
Hi,

>(Sorry if this is OT) As I understand, I couldn't use 802.1x
>authentication on just the switches themselves? Since a client must have
>certificates to authenticate to a server. What I just wanted to accomplish
>is to authenticate the switches only on the radius server, so this md5
>encryption I had setup should be sufficient?

what you do is up to you. a standard NAS will have several configuration options - allowing RADIUS for admin access or RADIUS for host/client access or both. why can't you just do 802.1X on the switch? yes, clients need certs but that's the same as WiFi - you could get a RADIUS server cert signed by a known CA in the OS (which isn't best but would allow things to just work)

>Last question, could I just create a single user to be used by multiple
>switches? Is there any conflict going to happen? Switch count on branches
>ranges from 15-50.

once again, depends on config. why do you think you can't? do you have strong user authorization/session checks? it's just a user

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRADIUS for switch authentication
Hi, thanks for the reply.

(Sorry if this is OT) As I understand, I couldn't use 802.1x authentication on just the switches themselves? Since a client must have certificates to authenticate to a server. What I just wanted to accomplish is to authenticate the switches only on the radius server, so this md5 encryption I had setup should be sufficient?

Last question, could I just create a single user to be used by multiple switches? Is there any conflict going to happen? Switch count on branches ranges from 15-50.

Mucho thanks.

On Mon, Jul 8, 2013 at 3:19 PM, wrote:
> Hi,
>
> >Sending Access-Accept of id 0 to 10.141.1.129 port 49154
> ^^
>
> Access-Accept sent from the server. the RADIUS server has done
> its thing. if the NAS isn't working then you have missed some
> configuration option on the NAS
>
> alan
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRADIUS for switch authentication
Hi,

>Sending Access-Accept of id 0 to 10.141.1.129 port 49154
^^

Access-Accept sent from the server. the RADIUS server has done its thing. if the NAS isn't working then you have missed some configuration option on the NAS

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRADIUS for switch authentication
Hi,

>Ready to process requests.
>rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154,
>id=0, length=84

that's an accounting packet

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeRADIUS for switch authentication
Sorry for not including it in the first post, freeradius version used is the latest in CentOS repo. The output on the first post is for the web-based login, I forgot that I only configured it on console login. Here is the output:

Ready to process requests.
rad_recv: Access-Request packet from host 10.141.1.129 port 49154, id=0, length=91
        User-Name = "md5password"
        User-Password = "qwerty"
        Cisco-AVPair = "shell:priv-lvl=1"
        NAS-IP-Address = 10.141.1.129
        Acct-Session-Id = "0522"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "md5password", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> md5password
[sql] sql_set_user escaped user --> 'md5password'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'md5password' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'md5password' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'md5password' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "qwerty"
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [md5password] (from client MAAX port 0)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 10.141.1.129 port 49154
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154, id=0, length=88
        User-Name = "md5password"
        NAS-IP-Address = 10.141.1.129
        Called-Station-Id = "10.141.1.129"
        Calling-Station-Id = "10.141.59.3"
        Acct-Status-Type = Start
        Acct-Session-Id = "0522"
        Acct-Authentic = RADIUS
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 10.141.1.129,NAS-IP-Address = 10.141.1.129,Acct-Session-Id = "0522",User-Name = "md5password"'
[acct_unique] Acct-Unique-Session-ID = "ca6b399649f9703b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "md5password", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: %{Packet-Src-IP-Address} -> 10.141.1.129
[detail] expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.141.1.129/detail-20130708
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.141.1.129/detail-20130708
[detail] expand: %t -> Mon Jul 8 14:55:20 2013
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> md5password
rlm_radutmp: No NAS-Port seen. Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop
[sql] expand: %{User-Name} -> md5password
[sql] sql_set_user escaped user --> 'md5password'
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand: INSERT INTO radacc