Escaping regex + character
Hi All,

Just a quick question - I've compiled FR3 with pcre regex libraries and it's working ok. I just can't get it to escape plusses ( + ) though. I've tried between 0 and 6(!) backslashes but all result in:

ERROR: Failed compiling regular expression: bad range inside [] at offset 10
(0) ERROR: Condition evluation failed because the value of an operand could not be determined

It's the + in the character class I'm trying to escape. This is with two backslashes (what I'd expect to work, as it does with dots - \\. ):

(0)? if ("%{Email-Address}" =~ /^[a-z0-9_-\+]+(\.[a-z0-9_-\\\+])*@[a-z0-9_-\\\+]+(\.[a-z0-9_-\\\+]+)*(\ .[a-z]{2,4})$/)
(0) expand: "%{Email-Address}" -> 'a...@c.de'
ERROR: Failed compiling regular expression: bad range inside [] at offset 10
(0) ERROR: Condition evluation failed because the value of an operand could not be determined

The regex works ok without the plusses, if not including them in the subject.

Thanks
Andy

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
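The error above is not about escaping at all: inside `[...]` a `+` is already literal, but `-` between two characters is a range, and `_-\+` (or `_-+` once a backslash has been consumed) asks for a range from `_` (0x5F) down to `+` (0x2B), which is out of order. Counting `^` as offset 0, offset 10 in the posted pattern is exactly the end of that `_-` range. The block below is an added example, not part of the thread, and uses Python's `re` module rather than the PCRE build the post was compiled against; the engines agree on this point. It shows the failing class, the two standard fixes (put `-` last, or escape it as `\-`), and the e-mail condition rebuilt with the corrected class.

```python
import re

# Constructed patterns modelled on the post. BROKEN_CLASS is the class as a
# regex engine sees it after the unlang layer has consumed one backslash.
BROKEN_CLASS = r"[a-z0-9_-+]"     # '_-+' is parsed as a range from '_' to '+'
FIXED_CLASS = r"[a-z0-9_+-]"      # a trailing '-' is literal; '+' needs no escape
ESCAPED_CLASS = r"[a-z0-9_\-+]"   # alternative: escape the '-' instead


def compile_report(pattern):
    """Compile a pattern and return (ok, message) instead of raising."""
    try:
        re.compile(pattern)
        return True, "ok"
    except re.error as exc:
        return False, str(exc)


def email_pattern(char_class):
    """Same shape as the condition in the post, with the class parameterised.

    local(.local)*@host(.host)*.tld with tld of 2-4 letters.
    """
    return (
        rf"^{char_class}+(\.{char_class}+)*"
        rf"@{char_class}+(\.{char_class}+)*"
        rf"(\.[a-z]{{2,4}})$"
    )


def matches_email(addr, char_class=FIXED_CLASS):
    """True when addr matches the rebuilt condition with the given class."""
    return re.fullmatch(email_pattern(char_class), addr) is not None
```

Of the three classes only the first fails to compile; the rebuilt pattern accepts `a+b@c.de` and `first.last+tag@mail-host.example.org` and rejects a local part containing a space or a one-letter TLD. When transcribing the fix back into an unlang condition, the only escaping needed is whatever the config parser requires for the dot (`\.`), as the post already found; the `+` itself needs none.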
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
> Matthew Newton wrote:
> >On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> >> well looking at man wpa_supplicant I can see
> >>
> >> EAP-PEAP/TLS
> >
> >I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
> >it's talking about.
>
> Huh, and I thought MS-PEAP specified only soh and mschap as valid inners.
> Nice to see ms honouring their own specs ;o) Or maybe they updated it since I
> last read it.

We've been doing it for ~18 months now. Works fine (when the fragment sizes have been set up correctly) so we get domain managed certs and soh. Just a shame you can't do user auth as well at the same time.

m.

-- 
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
Re: rlm_perl issue
On 22/08/13 16:46, Dean, Barry wrote:
> Anyone want to throw in 2 cents/pennies worth to this?

Yep, don't do it like this.

Instead, write the user/ip entries to a file using the "linelog" module, and use a long-running perl process to tail the file (using File::Tail) and post them to the PAN. This will likely be more performant and avoid the hassles of a random module interfering with FreeRADIUS.

You probably want to write a timestamp to the file, and have the long-running process ignore lines >X old, in case it lags behind e.g. because it hangs, gets shutdown and restarted much later, etc.
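The linelog-plus-tailer design above, as an added example that is not from the thread and is written in Python rather than the Perl/File::Tail the reply suggests. It assumes linelog is configured to write one line per accounting packet in the form `%l %{Acct-Status-Type} %{User-Name} %{Framed-IP-Address}` (that format string is an assumption for this example), and `submit` is a hypothetical callback standing in for PAN::API::UID's add()/submit(). The filter discards anything older than a cut-off so a tailer that was down for an hour never replays stale logins, and the loop hands whole batches to the sink so one connection covers many records instead of one per accounting packet.

```python
import re
import time

# Assumed linelog line format for this example:
#   format = "%l %{Acct-Status-Type} %{User-Name} %{Framed-IP-Address}"
# where %l is the request timestamp in seconds since the epoch.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<status>\S+) (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

MAX_AGE = 300  # seconds; entries older than this are dropped, not replayed


def parse_line(line):
    """Return (ts, status, user, ip) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["status"], m["user"], m["ip"]


def select_fresh(lines, now, max_age=MAX_AGE):
    """Filter a batch of linelog lines against a cut-off.

    Returns (mappings, dropped): mappings is a list of (action, user, ip)
    tuples no older than max_age, where Start/Interim-Update become a login
    and Stop a logout; dropped counts stale, unparsable or unknown lines.
    """
    mappings, dropped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            dropped += 1
            continue
        ts, status, user, ip = rec
        if now - ts > max_age:
            dropped += 1  # we are lagging; do not push old state to the firewall
            continue
        if status in ("Start", "Interim-Update"):
            mappings.append(("login", user, ip))
        elif status == "Stop":
            mappings.append(("logout", user, ip))
        else:
            dropped += 1
    return mappings, dropped


def follow(path, submit, poll=1.0, max_age=MAX_AGE):
    """Tail `path` forever (the File::Tail role) and hand fresh batches to `submit`.

    `submit` is a hypothetical callable taking a list of (action, user, ip)
    tuples; it owns the single long-lived connection to the user-ID agent.
    """
    with open(path) as fh:
        fh.seek(0, 2)  # start at EOF; anything written before is stale by max_age anyway
        while True:
            batch = fh.readlines()
            if not batch:
                time.sleep(poll)
                continue
            mappings, _ = select_fresh(batch, time.time(), max_age)
            if mappings:
                submit(mappings)


# Constructed sample lines in the assumed linelog format.
SAMPLE = [
    "1377180000 Start alice 10.1.2.3",
    "1377180001 Stop bob 10.1.2.4",
    "1377170000 Start carol 10.1.2.5",  # 10000 s old relative to the test clock: dropped
    "garbage line",
]
```

`follow()` does not notice log rotation; if linelog's file is rotated, reopen on inode change or restart the tailer, which is safe precisely because `select_fresh()` ignores anything older than `max_age`. A production version would also bound the batch size so a burst of accounting records does not produce one enormous XML submission.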
Re: ntlm_auth not respected
On 22/08/13 15:14, Chris Parker wrote:
> Exec-Program output: Reading winbind reply failed! (0xc001)

Check the permissions on the winbind socket directory, specifically that the freeradius daemon user can access it; this is usually at:

/var/cache/samba/winbindd_privileged

or

/var/lib/samba/winbindd_privileged
Re: ntlm_auth not respected
Sorry for the individual emails, but I got things working with MSCHAP (w/ ntlm_auth) and WPA-EAP.

My issue was that when I got the two winbind errors, I did some more searching and there's the potential that the freerad user did not have access to the pipe named:

/var/run/samba/winbindd

That pipe is owned as follows:

drwxr-x--- 2 root winbindd_priv 60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
	User-Name = "wyse1"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
	MS-CHAP-Response = 0x0001941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
	MS-CHAP-MPPE-Keys = 0xd22b3a1df401aa61a721c8a31ba91082
	MS-MPPE-Encryption-Policy = 0x0001
	MS-MPPE-Encryption-Types = 0x0006

Now, is it safe to disable modules (by commenting them out of the sites-enabled files) that aren't related to the MSCHAP process? This is just in passing curiosity.

On Aug 22, 2013, at 10:14 AM, Chris Parker wrote:

> Thank you for setting me on the right track; I have followed the directions
> on http://deployingradius.com/documents/configuration/active_directory.html
> (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as
> per those directions.
> When I run the ntlm_auth command manually, it works fine / as does running
> wbinfo -a
>
> root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113
> 	User-Name = "wyse1"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> 	MS-CHAP-Challenge = 0xe07a375bed09f1f7
> 	MS-CHAP-Response = 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap] 	expand: %{Stripped-User-Name} ->
> [mschap] 	... expanding second conditional
> [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> [mschap] 	expand: %{User-Name:-None} -> wyse1
> [mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
> [mschap] mschap1: e0
> [mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
> [mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> Exec-Program output: Reading winbind reply failed! (0xc001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect (mschap: External script says Reading winbind reply failed! (0xc001)): [wyse1/] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 111 to 127.0.0.1 port 60046
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 111 with timestamp +15
> Ready to process requests.
>
> On Aug 22, 2013, at 5:50 AM, Phil Mayers wrote:
>
>> On 21/08/13 23:44, Chris Parker wrote:
>>> Okay, pardon my confusion then. I had been following a howto online
>>> and it reported that the command when run manually will produce the
>>> key.
>>>
>>> Either way,
rlm_perl issue
An interesting one for the list ...

We are installing a Palo Alto firewall and it has a way to pass Username/IP mappings from FreeRADIUS to a Windows "User ID Agent", which is then queried by the firewall.

The method employed is to use a Perl module (PAN::API), which has a simple API, basically:

$var = PAN::API::UID->new( "ip of server" );
$var->add( "type ", username, Framed-IP-Address );
$var->submit();

which is added in the "sub preacct ()" of the perl module... then call this in preacct {}

There are a couple of issues with this module that I am going to try and address:

1) Connections

"new" only instantiates an empty object
"add" adds the values to a hash
"submit" opens a TCP SSL connection, sends the hash as XML, then closes the connection.

With all the work being done in "submit" you have to create and tear down an SSL TCP connection for EVERY accounting record! Which is a lot at my site!

2) Errors

If the socket set-up fails, the PAN::API module calls croak(), which on my system terminated FreeRADIUS, which seems like what would happen?

Thu Aug 22 13:53:03 2013 : Error: rlm_perl: perl_embed:: module = /etc/raddb/perl.pl , func = preacct exit status= Unable to connect socket. at /etc/raddb/perl.pl line 474
Socket setup failed

I am guessing because of all the open/close socket activity? Looks like the Windows 2008R2 server either blocked this as a suspected DOS or the agent failed to cope with this kind of TCP activity?

Obviously for problem 1, a better model would be to implement new methods on the object to open and close the SSL connection, then use a pattern like:

{ # Static block start
    my $object = PAN::API::UID->new( "" );
    $object->connectssl();

    sub preacct {
        $object->add( );
        $object->submit();
    }
}

closing the SSL would not be needed in effect as we run "forever", and I wouldn't know where to place it as there is no function called on an rlm_perl module when FreeRADIUS is about to terminate, unless I am missing something.

For problem 2, are there rules about what you should not do in an rlm_perl module? I would have thought exit(), die(), croak() etc are all bad and that returning quietly, optionally setting an error code, would be better? Then back in "sub preacct ()" you could check the error and log with &radiusd::radlog() and do a "return RLM_MODULE_NOOP"?

Would you expect FreeRADIUS to terminate if an rlm_perl module called croak()?

Anyone want to throw in 2 cents/pennies worth to this?

Thanks in advance, as always, for your time ...

Barry Dean
Principal Programmer/Analyst
Networks Team
Computing Service Department
Re: ntlm_auth not respected
Thank you for setting me on the right track; I have followed the directions on http://deployingradius.com/documents/configuration/active_directory.html (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per those directions.

When I run the ntlm_auth command manually, it works fine / as does running wbinfo -a

root@leopard:/etc/freeradius# wbinfo -a wyse1%K503D
plaintext password authentication succeeded
challenge/response password authentication succeeded

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113
	User-Name = "wyse1"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0xe07a375bed09f1f7
	MS-CHAP-Response = 0x0001065b157b183b4d29d455414b184c57af4912b1d74f4ed726
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "wyse1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] 	expand: %{Stripped-User-Name} ->
[mschap] 	... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] 	expand: %{User-Name:-None} -> wyse1
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
[mschap] mschap1: e0
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
Exec-Program output: Reading winbind reply failed! (0xc001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says Reading winbind reply failed! (0xc001)): [wyse1/] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 60046
Waking up in 4.9 seconds.
Cleaning up request 0 ID 111 with timestamp +15
Ready to process requests.

On Aug 22, 2013, at 5:50 AM, Phil Mayers wrote:

> On 21/08/13 23:44, Chris Parker wrote:
>> Okay, pardon my confusion then. I had been following a howto online
>> and it reported that the command when run manually will produce the
>> key.
>>
>> Either way, I'm still having a failure in MSCHAP with radtest that
>> I'm not quite grasping.
>
> Well, as I explained in my other email, mschap == challenge/response,
> "modules/ntlm_auth" != challenge/response.
>
> To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and
> is not intended to be used as-is. I would unconfigure it and concentrate on
> getting "modules/mschap" working.
Re: User get after few minute
Sokphak TOUCH wrote:
> I have issue with configure radius. I have one Juniper MX80 for doing as
> LNS in my lab and FreeRADIUS Version 2.1.12 installed. I can see there
> is successful connected log to radius but after around 1mn it connect
> again and again. I have check in MX80 but has no any significant log.
> Below is the full log in debug mode of radius during connect. Please advice

Read your NAS documentation. The NAS is hanging up the connection, not FreeRADIUS. You may need to add a Session-Timeout attribute to the reply.

Again, read your NAS documentation to see which attributes it needs in the Access-Accept.

Alan DeKok.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Phil Mayers wrote:
> PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
> "bare" MSCHAP variant, because there's no spec for how to derive the
> MSCHAP challenge from the TLS master secret.

FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP / MS-CHAP inside the tunnel. It *has* to be EAP.

> Microsoft could solve a lot of problems right now by providing an API to
> execute EAP-PWD with the NT-hash variant of the secret against an AD
> controller. Instead, we're all flailing around with the very best of
> early 90s crypto protecting our wireless :o(

Pretty much.

Alan DeKok.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On 22/08/13 10:54, Alan Buxey wrote:
> TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP

PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no "bare" MSCHAP variant, because there's no spec for how to derive the MSCHAP challenge from the TLS master secret.

The EAP methods are all a pile of crap; it's truly disappointing how many hoops you have to jump through just because Microsoft gifted us a crappy EAP method, and everyone else slavishly implemented it.

Microsoft could solve a lot of problems right now by providing an API to execute EAP-PWD with the NT-hash variant of the secret against an AD controller. Instead, we're all flailing around with the very best of early 90s crypto protecting our wireless :o(
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP

alan
Re: ntlm_auth not respected
On 21/08/13 23:44, Chris Parker wrote:
> Okay, pardon my confusion then. I had been following a howto online
> and it reported that the command when run manually will produce the
> key.
>
> Either way, I'm still having a failure in MSCHAP with radtest that
> I'm not quite grasping.

Well, as I explained in my other email, mschap == challenge/response, "modules/ntlm_auth" != challenge/response.

To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and is not intended to be used as-is. I would unconfigure it and concentrate on getting "modules/mschap" working.
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Matthew Newton wrote:
>On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
>> well looking at man wpa_supplicant I can see
>>
>> EAP-PEAP/TLS
>
>I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
>it's talking about.
>

Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice to see ms honouring their own specs ;o) Or maybe they updated it since I last read it.

-- 
Sent from my phone with, please excuse brevity and typos
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
> On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
> > I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
> > TLS tunnel is established:
>
> On the assumption that your certificates are OK...
>
> Have you updated the fragment_size so that the outer is larger
> than the inner?
>
> I did a write-up on getting this to work (see
> http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha
> IIRC.

And that solved the problem:-) I had the fragment size the same in both configs, now it's working just like the EAP-TTLS/EAP-TLS.

Thank you so much.
Martin
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
> If that's all you're doing, forget about PEAP and just go for
> straight EAP-TLS. All PEAP really gives you on top is the SoH
> support, and may cause problems with other non-Windows clients.
> EAP-TLS should work on more devices.

I'm still hoping I'll be able to use the outer and inner TLS for privacy reasons and because right now the radius configuration is doing what I want and merging default and inner-tunnel servers would make the configuration even uglier than it already is:-)

> Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
> TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
> do EAP-TLS.
>
> You do realise that EAP-TLS is certificate based, not
> user/password? So you need a full certificate management system to
> go with it as well to issue certs to your users. You can't get
> user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
> certificate (machine auth) only.

Yes, all our users have a certificate issued for our internal wifi so that's not a problem. I'm actually hoping to phase out passwords for network logons.

> My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
> deployment tools to get the devices configured correctly.

We don't have control over the client devices. We just have to hope that the users know what to do and what their devices are doing.

The main problem is that I'm currently not allowed to go on with a migration to 802.1x until the mschap problem is solved.

mk