Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Marcel Kraan wrote:
> I am Marcel Kraan from Holland and I have a problem with Crypt-passwords
> in the mysql table.
> FreeRadius is working really great with "Cleartext-Password" but it does
> not authenticate with "Crypt-password"

You can't use Crypt-Password and MS-CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Yes, I want to use "PAP" (?) but where do I change that?
In my Wifi router? Or in the Freeradius config?

On 29 jul. 2013, at 13:52, Alan DeKok wrote:

> Marcel Kraan wrote:
>> I am Marcel Kraan from Holland and I have a problem with Crypt-passwords
>> in the mysql table.
>> FreeRadius is working really great with "Cleartext-Password" but it does
>> not authenticate with "Crypt-password"
>
> You can't use Crypt-Password and MS-CHAP.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Alan DeKok.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Marcel Kraan wrote:
> Yes, I want to use "PAP" (?) but where do I change that?
> In my Wifi router? Or in the Freeradius config?

No.

You're doing 802.1X to the WiFi router. You *cannot* use PAP.

You cannot pick an authentication protocol and demand that everyone
use it. The AP, client PC, etc. have already made choices which you
cannot control. You have to live within that framework.

Alan DeKok.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
I understand very clearly. Thanks for the help.

On 29 jul. 2013, at 14:07, Alan DeKok wrote:

> Marcel Kraan wrote:
>> Yes, I want to use "PAP" (?) but where do I change that?
>> In my Wifi router? Or in the Freeradius config?
>
> No.
>
> You're doing 802.1X to the WiFi router. You *cannot* use PAP.
>
> You cannot pick an authentication protocol and demand that everyone
> use it. The AP, client PC, etc. have already made choices which you
> cannot control. You have to live within that framework.
>
> Alan DeKok.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
By default PAP, CHAP.. are enabled in FR.
You may need to change the authentication settings in your client. i.e. Wifi
Router to send PAP enabled access-request.

On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan wrote:

> Yes, I want to use "PAP" (?) but where do I change that?
> In my Wifi router? Or in the Freeradius config?
>
> On 29 jul. 2013, at 13:52, Alan DeKok wrote:
>
> > Marcel Kraan wrote:
> >> I am Marcel Kraan from Holland and I have a problem with Crypt-passwords
> >> in the mysql table.
> >> FreeRadius is working really great with "Cleartext-Password" but it does
> >> not authenticate with "Crypt-password"
> >
> > You can't use Crypt-Password and MS-CHAP.
> >
> > http://deployingradius.com/documents/protocols/compatibility.html
> >
> > Alan DeKok.

--
br,
Navodit Bhardwaj
Hughes Systique Corporation
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
On 29/07/13 12:55, Marcel Kraan wrote:
> Yes, I want to use "PAP" (?) but where do I change that?
> In my Wifi router? Or in the Freeradius config?

On the client.
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Thanks… I think my wifi router does not have that option…

On 29 jul. 2013, at 14:15, Navodit Bhardwaj wrote:

> By default PAP, CHAP.. are enabled in FR.
> You may need to change the authentication settings in your client. i.e. Wifi
> Router to send PAP enabled access-request.
>
> On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan wrote:
> > Yes, I want to use "PAP" (?) but where do I change that?
> > In my Wifi router? Or in the Freeradius config?
> >
> > On 29 jul. 2013, at 13:52, Alan DeKok wrote:
> >
> > > Marcel Kraan wrote:
> > >> I am Marcel Kraan from Holland and I have a problem with Crypt-passwords
> > >> in the mysql table.
> > >> FreeRadius is working really great with "Cleartext-Password" but it does
> > >> not authenticate with "Crypt-password"
> > >
> > > You can't use Crypt-Password and MS-CHAP.
> > >
> > > http://deployingradius.com/documents/protocols/compatibility.html
> > >
> > > Alan DeKok.
>
> --
> br,
> Navodit Bhardwaj
> Hughes Systique Corporation
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
On Mon, Jul 29, 2013 at 7:39 PM, Marcel Kraan wrote:

> Thanks… I think my wifi router does not have that option…
>
> On 29 jul. 2013, at 14:15, Navodit Bhardwaj wrote:
>
> By default PAP, CHAP.. are enabled in FR.
> You may need to change the authentication settings in your client. i.e.
> Wifi Router to send PAP enabled access-request.
>
> On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan wrote:
>
>> Yes, I want to use "PAP" (?) but where do I change that?
>> In my Wifi router? Or in the Freeradius config?

As Phil said, you need to change it in the client.

If you have windows 8 clients, IIRC it has built-in support for PEAP-GTC and
TTLS-PAP (which is also supported by linux, android, macs). In both cases the
client passes cleartext password inside encrypted tunnel, so crypt passwords
on FR side should work fine.

If you have older windows clients, and don't have third-party
PEAP-GTC/TTLS-PAP-capable supplicant, then you're stuck with EAP-MSCHAP, so
you need to store password as clear text or nt-hash.

--
Fajar
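Added example (not part of the original thread, and not FreeRADIUS code): why a one-way password hash can verify a PAP or TTLS-PAP login but cannot verify a challenge-response login. It generalises from MS-CHAP to RFC 1994 CHAP-MD5 as the simpler challenge-response protocol, and uses salted PBKDF2 as a stand-in for a Crypt-Password entry; all function names and sample values are constructed.

```python
import hashlib
import hmac

def one_way_hash(password: bytes, salt: bytes) -> bytes:
    # Stand-in (assumption) for a Crypt-Password entry: salted and irreversible.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_pap(stored_hash: bytes, salt: bytes, received_password: bytes) -> bool:
    # PAP (also inside a TTLS tunnel): the server receives the password itself,
    # so it can hash it the same way and compare with the stored value.
    return hmac.compare_digest(one_way_hash(received_password, salt), stored_hash)

def verify_chap(stored_secret: bytes, chap_id: int, challenge: bytes,
                response: bytes) -> bool:
    # Challenge-response: the server never sees the password. It must recompute
    # the response from what it stored, which only works if that is the secret
    # the client used (the cleartext password for CHAP).
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    salt = b"constructed-salt"                  # fixed so the run is repeatable
    stored_hash = one_way_hash(password, salt)  # what a hashed user table holds
    chap_id, challenge = 7, bytes(range(16))    # constructed challenge
    response = chap_response(chap_id, password, challenge)  # client side
    return {
        "pap_against_hash": verify_pap(stored_hash, salt, password),
        "pap_wrong_password": verify_pap(stored_hash, salt, b"wrong"),
        "chap_against_cleartext": verify_chap(password, chap_id, challenge, response),
        "chap_against_hash": verify_chap(stored_hash, chap_id, challenge, response),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The last case is the situation in this thread: the correct password was used, but the server holds only a one-way hash and cannot reproduce the client's response.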
Re: FreeRadius + MySql + Crypt-Password unable to authenticate
Thanks.

I have a genius en202 outdoor wifi router and I don't think I can change it to use PAP.
So I am only able to use ClearText-Password?
If I am wrong I will be very happy

--
Marcel Kraan
+31654378837

> On 29 jul. 2013, at 15:04, "Fajar A. Nugraha" wrote:
>
>> On Mon, Jul 29, 2013 at 7:39 PM, Marcel Kraan wrote:
>> Thanks… I think my wifi router does not have that option…
>>
>>> On 29 jul. 2013, at 14:15, Navodit Bhardwaj wrote:
>>>
>>> By default PAP, CHAP.. are enabled in FR.
>>> You may need to change the authentication settings in your client. i.e. Wifi
>>> Router to send PAP enabled access-request.
>>>
>>> On Mon, Jul 29, 2013 at 5:25 PM, Marcel Kraan wrote:
>>>> Yes, I want to use "PAP" (?) but where do I change that?
>>>> In my Wifi router? Or in the Freeradius config?
>
> As Phil said, you need to change it in the client.
>
> If you have windows 8 clients, IIRC it has built-in support for PEAP-GTC and
> TTLS-PAP (which is also supported by linux, android, macs). In both cases the
> client passes cleartext password inside encrypted tunnel, so crypt passwords
> on FR side should work fine.
>
> If you have older windows clients, and don't have third-party
> PEAP-GTC/TTLS-PAP-capable supplicant, then you're stuck with EAP-MSCHAP, so
> you need to store password as clear text or nt-hash.
>
> --
> Fajar
WiMAX TLV value correct in debug but not correct in packet capture
Version info:
radiusd: FreeRADIUS Version 2.2.0, for host i686-redhat-linux-gnu, built on Oct 9 2012 at 17:47:30
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.

Hello Everyone,

I've probably missed something or buggered an option, but I've searched and searched and cannot find an answer to this.

This is for a WiMAX deployment and am using the built in dictionaries. The issue is with the WiMAX-Packet-Flow-Descriptor tlv. Below is what's configured in my DB:

 id  | groupname | attribute                  | op | value
-----+-----------+----------------------------+----+-------
 100 | Business  | Session-Timeout            | := | 86400
 101 | Business  | Acct-Interim-Interval      | := | 60
 110 | Business  | WiMAX-Packet-Data-Flow-Id  | := | 14
 111 | Business  | WiMAX-Service-Data-Flow-Id | := | 14
 112 | Business  | WiMAX-Service-Profile-Id   | := | 14
 120 | Business  | WiMAX-Packet-Data-Flow-Id  | += | 17
 121 | Business  | WiMAX-Service-Data-Flow-Id | += | 17
 122 | Business  | WiMAX-Service-Profile-Id   | += | 17

From a debug I get this (relevant section):

Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
    Session-Timeout := 86400
    Acct-Interim-Interval := 60
    WiMAX-Packet-Data-Flow-Id := 14
    WiMAX-Service-Data-Flow-Id := 14
    WiMAX-Service-Profile-Id := 14
    WiMAX-Packet-Data-Flow-Id += 17
    WiMAX-Service-Data-Flow-Id += 17
    WiMAX-Service-Profile-Id += 17
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
[wimax] MIP-RK = 0x00b0ce41e978a30ec9b196bdea7bd74def743761ddc81add6cb19ca577056e59ea814c5b54891482a045773e861657260658939502a9babd7c0a59a92a99cf87
[wimax] MIP-SPI = 42f4fa35
[wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
[wimax] WARNING: We cannot calculate MN-HA keys.
[wimax] WARNING: WiMAX-IP-Technology not found in reply.
[wimax] WARNING: Not calculating MN-HA keys
++[wimax] returns updated
Sending Access-Accept of id 2 to 10.199.20.240 port 6219
    Session-Timeout := 86400
    Acct-Interim-Interval := 60
    WiMAX-Packet-Data-Flow-Id := 14
    WiMAX-Service-Data-Flow-Id := 14
    WiMAX-Service-Profile-Id := 14
    WiMAX-Packet-Data-Flow-Id += 17
    WiMAX-Service-Data-Flow-Id += 17
    WiMAX-Service-Profile-Id += 17
    MS-MPPE-Recv-Key = 0x6b033615247e78ea0e225bea745bba8c33634e0bf28ea0388174965a980b1642
    MS-MPPE-Send-Key = 0x1a21679697b923cc88f4b4ba4fa37ded7f00c035811cd6ff18b4fb4e64956077
    EAP-Message = 0x03070004
    Message-Authenticator = 0x
    User-Name = "1320cd7377dcb1aa6bacbbad1a23a...@undisclosed.com"
Finished request 14.

Everything looks good but on a pcap / radsniff I get this:

Access-Accept Id 2 10.199.10.14:1812 -> 10.199.20.240:6219 +31.411
    Session-Timeout = 86400
    Acct-Interim-Interval = 60
    WiMAX-Packet-Data-Flow-Id = 17079 <--
    WiMAX-Service-Data-Flow-Id = 13496 <--
    WiMAX-Service-Profile-Id = 918034516 <--
    WiMAX-Packet-Data-Flow-Id = 17079 <--
    WiMAX-Service-Data-Flow-Id = 17079 <--
    WiMAX-Service-Profile-Id = 884473856 <--
    Microsoft-Attr-17 = 0x812038c3de66aec29f91928f3e5346f5911aa110d4c33dfd5556b1aebeb7c637b53c2420b3cd73763eb7c06f5386e6cef612
    MS-MPPE-Send-Key = 0x1be2107278
    EAP-Message = 0x03070004
    Message-Authenticator = 0x70f2a2f9037b10be87a6ad954a205159
    User-Name = "1320cd7377dcb1aa6bacbbad1a23a...@undisclosed.com"

As can be seen, Session-Timeout and Acct-Interim-Interval all match up, but the others don't, and even change from time to time without anything other than a restart of radiusd. I see the definition in the wimax dictionary is "short"

Anyhow, if there's a bug / solution / setting that I've blatantly missed, please let me know. I am attaching more debug below.
Thanks,
James

Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.199.20.240 port 6216, id=0, length=274
    User-Name = "1320cd7377dcb1aa6bacbbad1a23a...@undisclosed.com"
    Chargeable-User-Identity = "null"
    NAS-IP-Address = 10.199.20.240
    NAS-Port = 5
    NAS-Port-Type = Wireless-802.16
    Framed-MTU = 1400
    NAS-Identifier = "test"
    Calling-Station-Id = "\000&\202g\023p"
    Service-Type = Framed-User
    WiMAX-GMT-Timezone-offset = 0
    WiMAX-B
Authenticate against one module, if fail attempt authentication against another
I currently have two auth types (NTLM_AUTH and PAM) in my default site configuration (using FreeRadius version 2.1.12) - although I would like to achieve the following:

If the user authenticates against the radius server and fails NTLM_AUTH, the request will then be authenticated against PAM and if it still fails it will be rejected.

Now I presume this could be done via the "users" file? I have read the documentation for the users file on the wiki without much luck.
Re: Authenticate against one module, if fail attempt authentication against another
Hi,

> If the user authenticates against to radius server and fails NTLM_AUTH,
> the request will then be authenticated against PAM and if it still fails
> it will be rejected.

use a bit of the unlang construct with the failover method.

http://wiki.freeradius.org/config/Fail%20over

so, try ntlm_auth, if that fails, 'ignore' the result and fire off PAM etc etc

alan