Debug show cleartext password

2013-09-11 Thread Marco Aresu
Hi All

I am getting a problem with FreeRADIUS installed on CentOS. When I set the
radiusd service in debug mode and send an access request (default type PAP)
through radtest, the debug output shows the password in cleartext.
Is there an option not to show the field User-Password in cleartext?

Many Thanks

Marco Aresu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Debug show cleartext password

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 07:52, Marco Aresu marcoar...@gmail.com wrote:

 Hi All
 
 I am getting a problem with FreeRADIUS installed on CentOS. When I set the 
 radiusd service in debug mode and send an access request (default type PAP) 
 through radtest, the debug output shows the password in cleartext.
 Is there an option not to show the field User-Password in cleartext?

No. I guess we should do something with it to make it FIPS compliant, but it's 
not a big priority. You're welcome to submit a patch.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Debug show cleartext password

2013-09-11 Thread A . L . M . Buxey
Hi,

I am getting a problem with FreeRADIUS installed on CentOS. When I set the
radiusd service in debug mode and send an access request (default type
PAP) through radtest, the debug output shows the password in cleartext.
Is there an option not to show the field User-Password in cleartext?

Debug shows all. The RADIUS server knows all. The point of debug is to
debug... and you might have e.g. an incorrect password. This question is
asked frequently; a quick look at the mailing list history would show you,
and the answer is no. Don't run in debug if you don't want to see debug.

alan


Re: Debug show cleartext password

2013-09-11 Thread A . L . M . Buxey
Hi,

 No. I guess we should do something with it to make it FIPS compliant, but it's 
 not a big priority. You're welcome to submit a patch.

...you mean sniffable by the NSA? It passes that requirement already ;-)

alan


Re: Debug show cleartext password

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 08:43, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
   I am getting a problem with FreeRADIUS installed on CentOS. When I set the
   radiusd service in debug mode and send an access request (default type
   PAP) through radtest, the debug output shows the password in cleartext.
   Is there an option not to show the field User-Password in cleartext?
 
 Debug shows all. The RADIUS server knows all. The point of debug is to
 debug... and you might have e.g. an incorrect password. This question is
 asked frequently; a quick look at the mailing list history would show you,
 and the answer is no. Don't run in debug if you don't want to see debug.

Sure, but radtest should probably have a password argument where it does a
secure read from stdin. FreeRADIUS shouldn't obfuscate passwords in debug;
that'd be stupid.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



radclient error

2013-09-11 Thread Mehdi Ravanbakhsh
Hi All

I have this Error when using radclient:


radclient: Nothing to send.
radclient:: Expected end of line or comma

I do not know what it means?

(radclient is run by PlPerl script in my postgresql database engine)


Best regards.

Re: radclient error

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 11:03, Mehdi Ravanbakhsh baba...@gmail.com wrote:

 Hi All
 
 I have this Error when using radclient:
 
 
 radclient: Nothing to send.
 radclient:: Expected end of line or comma
 
 I do not know what is means ?

It means you've not specified any input pairs, use the -f option, or pipe them 
through to stdin.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

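A wrapper that ties together Arran's two points above, that radtest ought to read the password securely from stdin rather than take it on the command line, and that radclient's "Nothing to send" means no attribute pairs reached it (give them with -f or on stdin). This is an added example, not code from the FreeRADIUS project or from the posters. It assumes radclient is on PATH and that the host running it is listed in the server's clients.conf; the server address and shared secret are passed as arguments and are placeholders in the usage line.

```shell
#!/bin/sh
# Added example (not from the FreeRADIUS project or the list posts).
# Assumes: radclient on PATH; this host is a known NAS in clients.conf.

# radclient reads "Attribute = value" pairs from the file named with -f, or
# from stdin when -f is absent.  Invoking it with neither (for instance from a
# PL/Perl wrapper that never feeds it) produces "radclient: Nothing to send."
# build_pairs emits the pair text; quotes and backslashes in the password are
# escaped so a password containing them does not break radclient's parser.
build_pairs() {
    user=$1
    pw=$2
    esc=$(printf '%s' "$pw" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'User-Name = "%s"\nUser-Password = "%s"\n' "$user" "$esc"
}

# Prompt for the password with terminal echo off and hand the request to
# radclient on stdin, so the password never appears in argv (visible to ps),
# in shell history, or on a radtest command line.
# Usage: radius_pap_check bob radius.example.org testing123   (placeholders)
radius_pap_check() {
    user=$1
    server=$2
    secret=$3
    printf 'Password for %s: ' "$user" >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    build_pairs "$user" "$pw" | radclient -x "$server" auth "$secret"
}

# Before pasting radiusd -X or radclient -x output into a list post or ticket,
# blank the User-Password value; every other line is left intact for debugging.
redact_user_password() {
    sed 's/\(User-Password *=\).*/\1 "<redacted>"/'
}
```

The shared secret is still an argument here, because that is how this radclient invocation takes it; check your radclient's help for a way to read it from a file before using this on a multi-user host. The redaction filter is for sharing logs, not a substitute for Alan's advice: the server in debug mode still prints the password locally, and radclient -x prints what it sends.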


RE: free radius setup

2013-09-11 Thread stefan.paetow
 The alternative is getting your users to install something like
 SecureW2 (which I believe requires a license now), and using EAP-TTLS-
 PAP which submits the users password in plaintext, or I believe more
 recent flavours of Windows support EAP-TTLS too.

If I remember correctly, when using EAP-TTLS-PAP, the top-level 
default_eap_type should be ttls, and then the default_eap_type in the TTLS 
section should be gtc (which uses PAP by default). 

AFAIK (and please correct me if I'm wrong), you cannot set the TTLS 
default_eap_type setting to PAP.

Regards

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





Re: radclient error

2013-09-11 Thread Mehdi Ravanbakhsh
thanks Arran

It is solved

Best regards.




On Wed, Sep 11, 2013 at 3:03 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:


 On 11 Sep 2013, at 11:03, Mehdi Ravanbakhsh baba...@gmail.com wrote:

  Hi All
 
  I have this Error when using radclient:
 
 
  radclient: Nothing to send.
  radclient:: Expected end of line or comma
 
  I do not know what is means ?

 It means you've not specified any input pairs, use the -f option, or pipe
 them through to stdin.

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team



Re: free radius setup

2013-09-11 Thread Phil Mayers

On 11/09/13 12:05, stefan.pae...@diamond.ac.uk wrote:

The alternative is getting your users to install something like
SecureW2 (which I believe requires a license now), and using
EAP-TTLS- PAP which submits the users password in plaintext, or I
believe more recent flavours of Windows support EAP-TTLS too.


If I remember correctly, when using EAP-TTLS-PAP, the top-level
default_eap_type should be ttls, and then the default_eap_type in
the TTLS section should be gtc (which uses PAP by default).

AFAIK (and please correct me if I'm wrong), you cannot set the TTLS
default_eap_type setting to PAP.


That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just 
PAP. So default_eap_type is irrelevant.


You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel 
- by populating a cleartext or hashed password and calling the pap 
module in the authorize/authenticate section, or other more specialised 
configs.


EAP-TTLS/EAP-GTC is a different thing.


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Nikolaos Milas

On 31/8/2013 5:57 pm, Nikolaos Milas wrote:


I'll look into DHCP...


Looking at the sites-available/dhcp example setup (on v2.2.0) I see that 
the DHCP code is not production-ready.


Based on user feedback and on your involvement with next FreeRadius 
release(s) development, do you expect the DHCP module to be production 
ready in the next release?


I can surely experiment now with the current experimental release, but 
it would be important to have a roadmap as to when the software will be 
production-ready, so as to prepare some type of deployment schedule.


Thanks and regards,
Nick


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 14:49, Nikolaos Milas nmi...@noa.gr wrote:

 On 31/8/2013 5:57 pm, Nikolaos Milas wrote:
 
 I'll look into DHCP...
 
 Looking at the sites-available/dhcp example setup (on v2.2.0) I see that the 
 DHCP code is not production-ready.
 
 Based on user feedback and on your involvement with next FreeRadius 
 release(s) development, do you expect the DHCP module to be production ready 
 in the next release?
 
 I can surely experiment now with the current experimental release, but it 
 would be important to have a roadmap as to when the software will be 
 production-ready, so as to prepare some type of deployment schedule.

Define production-ready...

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team


RE: free radius setup

2013-09-11 Thread stefan.paetow
 That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just
 PAP. So default_eap_type is irrelevant.

 You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel
 - by populating a cleartext or hashed password and calling the pap
 module in the authorize/authenticate section, or other more specialised
 configs.

Phil, 

Your email made me look at this configuration again. Turns out that setting 
set_auth_type in the ldap module to no, leaving copy_request_to_tunnel unset 
(i.e. set to the default no), and allowing LDAP authentication only in the 
inner tunnel made things work the same way as what it had been with gtc set. 

Thanks for that! Another thing to add to the cook book. :-)

Stefan

 



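Phil's description of EAP-TTLS/PAP (plain PAP in the inner tunnel, so the TTLS default_eap_type is irrelevant) and Stefan's follow-up settings (set_auth_type = no in the ldap module, copy_request_to_tunnel left at its default, LDAP only in the inner tunnel) put into concrete configuration. This is an added example, not configuration from the list posts or from the FreeRADIUS distribution; it assumes FreeRADIUS 2.x with the stock inner-tunnel virtual server and rlm_ldap, and the LDAP host, bind DN, bind password and base DN are placeholders.

```conf
# Added example, not from the list posts or the FreeRADIUS distribution.
# Assumes FreeRADIUS 2.x; LDAP host, bind DN, bind password and base DN
# are placeholders.

# raddb/eap.conf: the outer method is TTLS.  default_eap_type inside ttls {}
# only matters if the client sends EAP inside the tunnel; a TTLS/PAP client
# sends a plain PAP request, which the inner-tunnel virtual server handles.
eap {
    default_eap_type = ttls
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
}

# raddb/modules/ldap: fetch the stored password so rlm_pap can verify it.
# set_auth_type = no stops rlm_ldap from forcing Auth-Type = LDAP (a bind
# with the supplied password); pap sets Auth-Type itself instead.
ldap {
    server = "ldap.example.org"
    identity = "cn=radius,ou=services,dc=example,dc=org"
    password = "bind-password-placeholder"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    password_attribute = userPassword
    set_auth_type = no
}

# raddb/sites-available/inner-tunnel: PAP inside the tunnel.  ldap loads the
# stored password (cleartext or {SSHA}/{crypt}-style hash) into the request,
# pap recognises it in authorize and sets Auth-Type = PAP, then compares it
# with the tunnelled User-Password in authenticate.
server inner-tunnel {
    authorize {
        ldap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
```

Verify with radiusd -X: for an inner request the ldap module should return ok and pap should report that it found a password it can use and set Auth-Type = PAP. If the inner request instead carries an EAP-Message, the client is doing EAP-TTLS/EAP-GTC, which is Phil's "different thing" and is where the gtc default Stefan started with comes in.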


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Arran Cudbard-Bell

On 11 Sep 2013, at 15:37, Nikolaos Milas nmi...@noa.gr wrote:

 On 11/9/2013 5:05 pm, Arran Cudbard-Bell wrote:
 
 Define production-ready...
 
 Production-ready DHCP Server: A DHCP Server that can be used as such in a 
 real-life, mission-critical, organizational environment, i.e. in a network 
 where clients (hosts) will only get an IP address if and only if the DHCP 
 Server behaves as expected.

That you will need to verify yourself.

 
 I was referring to the:
 
 #    WARNING 
 #
 #   This code is experimental, and SHOULD NOT be used in a
 #   production system.  It is intended for validation and
 #   experimentation ONLY.
 
 My understanding is that the term production system implies the definition 
 above.
 
 Does the reference to code apply to the configuration file only 
 (sites-available/dhcp) or to the DHCP FreeRadius module (as I have probably 
 misunderstood)?


The code is in use on a number of 'production' systems.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team


Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Nikolaos Milas

On 11/9/2013 5:05 pm, Arran Cudbard-Bell wrote:


Define production-ready...


Production-ready DHCP Server: A DHCP Server that can be used as such in 
a real-life, mission-critical, organizational environment, i.e. in a 
network where clients (hosts) will only get an IP address if and only if 
the DHCP Server behaves as expected.


I was referring to the:

#    WARNING 
#
#   This code is experimental, and SHOULD NOT be used in a
#   production system.  It is intended for validation and
#   experimentation ONLY.

My understanding is that the term production system implies the 
definition above.


Does the reference to code apply to the configuration file only 
(sites-available/dhcp) or to the DHCP FreeRadius module (as I have 
probably misunderstood)?


Please, clarify.

Thanks,
Nick

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Alan DeKok
Nikolaos Milas wrote:
 My understanding is that the term production system implies the
 definition above.

  It's just a warning.  If it works for you, it works.

 Does the reference to code apply to the configuration file only
 (sites-available/dhcp) or to the DHCP FreeRadius module (as I have
 probably misunderstood)?

  code means code, not configuration files

  Alan DeKok.