Re: clone break freeradius
Hi, you must ensure you 'sign out' of the AD before you clone, as otherwise both objects are the same... and, as you have found, doing something with the clone breaks the first server. Or just don't bind to the AD before cloning. To fix, you need to ensure that both machines have their own identity (e.g. /etc/hosts and $HOSTNAME all refer to a unique name per machine) and that there is nothing in the AD referencing either system. THEN net ads join each box. But this isn't a freeradius question.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: clone break freeradius
Did you also change the MAC address for the network adapter in the VMware settings? Otherwise VMware believes (and possibly your network too) that the two machines are the same. After changing the MAC address, reconfigure your network settings on the clone and reboot. Delete the trust (computer) account for the original machine from Active Directory. Then retry the net join command for both machines.

Stefan

From: trevor obba
Sent: 11 October 2013 00:38
To: freeradius-users@lists.freeradius.org
Subject: clone break freeradius

I configured freeradius version 2.2.0 running on Ubuntu 12.04 to authenticate against Active Directory and it was working fine until I decided to clone (VMware) the machine. Once the machine was cloned I changed the IP address, the hostname (in /etc/hosts and /etc/hostname) and also changed the name in /etc/samba/smb.conf. Finally I tried to join the cloned machine using "net join -U administrator"; unfortunately this broke the original freeradius machine, which no longer authenticates to Active Directory, and the clone machine will not join the domain either. I think the clone machine is still referring to the original machine, which breaks the original machine, but unfortunately I do not know how to fix it. How do I fix the original machine? What else do I change on the clone machine so that I can successfully join it to the domain without breaking the original machine?
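The two replies above agree on the precondition for re-joining: every place the clone names itself (/etc/hostname, /etc/hosts, the netbios name in smb.conf) must refer to one name that differs from the original machine's. The following is an added example, not code from the thread, from Samba or from FreeRADIUS: it checks those three files before anyone runs `net ads join`. The sample file contents are constructed here, not the poster's; the MAC address change in VMware and the deletion of the stale computer object in AD cannot be verified from the filesystem and still have to be done by hand.

```python
"""Pre-join identity check for a cloned Samba/FreeRADIUS domain member (added example)."""
import re


def short_name(name: str) -> str:
    """Lowercase the name and drop any DNS domain part ('RADIUS2.example.internal' -> 'radius2')."""
    return name.strip().split(".")[0].lower()


def hostname_from(text: str) -> str:
    """First non-comment, non-blank line of an /etc/hostname-style file, as a short name."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return short_name(line)
    return ""


def netbios_name_from(smb_conf: str) -> str:
    """'netbios name' from smb.conf, lowercased; '' when unset (Samba then defaults to the hostname)."""
    m = re.search(r"^\s*netbios\s+name\s*=\s*(\S+)", smb_conf, re.IGNORECASE | re.MULTILINE)
    return m.group(1).lower() if m else ""


def hosts_names(hosts: str) -> dict:
    """Map short hostname -> set of addresses from an /etc/hosts file (comments stripped)."""
    names = {}
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for n in fields[1:]:
            names.setdefault(short_name(n), set()).add(fields[0])
    return names


def identity_problems(hostname_text: str, hosts_text: str, smb_conf_text: str, original_name: str) -> list:
    """Return the reasons this clone must not run 'net ads join' yet; an empty list means it may."""
    problems = []
    host = hostname_from(hostname_text)
    nb = netbios_name_from(smb_conf_text)
    orig = short_name(original_name)
    hosts = hosts_names(hosts_text)
    if not host:
        return ["/etc/hostname is empty"]
    if host == orig:
        problems.append(f"hostname still equals the original machine's name ({orig})")
    if host not in hosts:
        problems.append(f"/etc/hosts has no entry for {host}")
    if nb and nb != host:
        problems.append(f"smb.conf netbios name ({nb}) differs from hostname ({host})")
    if host != orig and any(a.startswith("127.") for a in hosts.get(orig, ())):
        problems.append(f"/etc/hosts still maps a loopback address to the original name {orig}")
    return problems


def identity_problems_from_files(original_name: str, hostname_path="/etc/hostname",
                                 hosts_path="/etc/hosts", smb_conf_path="/etc/samba/smb.conf") -> list:
    """Same check against the live files of the machine this runs on (paths are assumptions)."""
    with open(hostname_path) as h, open(hosts_path) as s, open(smb_conf_path) as c:
        return identity_problems(h.read(), s.read(), c.read(), original_name)


# Constructed samples (not from the post). The original server is called radius1.
HALF_RENAMED_CLONE = dict(
    hostname_text="radius2\n",
    hosts_text="127.0.0.1 localhost\n127.0.1.1 radius2.example.internal radius2\n",
    smb_conf_text="[global]\n   workgroup = EXAMPLE\n   security = ads\n   netbios name = RADIUS1\n",
)
FIXED_CLONE = dict(HALF_RENAMED_CLONE,
                   smb_conf_text="[global]\n   workgroup = EXAMPLE\n   security = ads\n   netbios name = RADIUS2\n")
UNTOUCHED_CLONE = dict(
    hostname_text="radius1\n",
    hosts_text="127.0.0.1 localhost\n127.0.1.1 radius1.example.internal radius1\n",
    smb_conf_text="[global]\n   workgroup = EXAMPLE\n   security = ads\n   netbios name = RADIUS1\n",
)

if __name__ == "__main__":
    for label, files in (("half-renamed", HALF_RENAMED_CLONE), ("fixed", FIXED_CLONE), ("untouched", UNTOUCHED_CLONE)):
        print(label, identity_problems(**files, original_name="radius1") or "ok, safe to run: net ads join -U administrator")
```

Only once the list is empty on both machines, and the stale computer account is gone from AD, join each box with `net ads join -U administrator` as the replies describe.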
RE: Case statement error
Hi again. I'm confused now. I've recompiled, renamed all old folders under /usr/local and done a complete reinstall. I've pared it all down and simply put

switch %{control:Tmp-String-0} {
    case {
        update control {
            Tmp-String-0 := "new value"
        }
    }
}

in the default VS. I still get

# Loading authorize {...}
/usr/local/etc/raddb/sites-enabled/default[222]: case statements may only appear within a switch section
/usr/local/etc/raddb/sites-enabled/default[222]: Failed to parse case subsection.
/usr/local/etc/raddb/sites-enabled/default[220]: Errors parsing authorize section.

I'm running git #57e69c9. Sorry, but I can't see what I'm doing wrong!

Thanks
Andy

-----Original Message-----
From: Alan DeKok
Sent: 09 October 2013 15:26
To: FreeRadius users mailing list
Subject: Re: Case statement error

Franks Andy (RLZ) IT Systems Engineer wrote:
> Trying version #d166290 results in

Which is old. The bug has already been fixed.

Alan DeKok.
Dynamic VLAN assignment depending on LDAP user group and MAC address
        }
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
}
accounting {
        sql {
                fail = 1
        }
}
session {
        radutmp
        sql {
                fail = 1
        }
}
post-auth {
        rewrite_calling_station_id
        authorized_macs
        if (!ok) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 36
                }
        }
        sql {
                fail = 1
        }
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

root@ops-radius01:/srv/etc/freeradius# cat sites-available/inner-tunnel | grep -v '#' | sed '/^$/d'
server inner-tunnel {
listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
}
authorize {
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        ldap
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}
session {
        radutmp
}
post-auth {
        sql {
                fail = 1
        }
        ldap
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
        if (LDAP-Group == cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 40
                }
        }
        elsif (LDAP-Group == cn=dept_tech_infrastructure,ou=Groups,c=gb,dc=mindcandy,dc=com) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 40
                }
        }
        elsif (LDAP-Group == cn=dept_tech_bi,ou=Groups,c=gb,dc=mindcandy,dc=com) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 41
                }
        }
        elsif (LDAP-Group == cn=dept_tech_development,ou=Groups,c=gb,dc=mindcandy,dc=com) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 42
                }
        }
        elsif (LDAP-Group == cn=dept_finance,ou=Groups,c=gb,dc=mindcandy,dc=com) {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 44
                }
        }
        else {
                update reply {
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-Id = 34
                }
        }
}
pre-proxy {
}
post-proxy {
        eap
}
}

And here is an authentication example, with a device not listed in authorized_macs:

(...)
rad_recv: Access-Request packet from host 192.168.59.202 port 32769, id=129, length=345
        User-Name = fabrizio.vecchi
        Calling-Station-Id = 60-fa-cd-47-1a-44
        Called-Station-Id = 24-01-c7-28-aa-d0:MindCandyAuth
        NAS-Port = 1
        Cisco-AVPair = audit-session-id=ca3ba8c000dede1c5852
        NAS-IP-Address = 192.168.59.202
        NAS-Identifier = Cisco_6e:1f:4f
        Airespace-Wlan-Id = 5
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 36
        EAP-Message = 0x0206005f1580005517030100506509e5008fb8b33c992bdddc007472c4f5d210aa8d535f747241bc99c4cb8785066c7ef4f262c470986626e1d31efc71f0d3b42b80663afc9fdc68715d1ee49c02af509c6b12de0bca5bf5501cba
        State = 0xf1f3e6cbf5f5f3adc22ef694ca5dfcba
        Message-Authenticator = 0xeff670953d883040f13b8dfc42d39849
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.59.202/auth-detail-20131011
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.59.202/auth-detail-20131011
[auth_log]      expand: %t -> Fri Oct 11 17:12:54 2013
++[auth_log] returns ok
[suffix] No '@' in User-Name = fabrizio.vecchi, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 6 length 95
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 85
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
Eaps TTLS and Plain Text
I have a FreeRADIUS server (2.1.10-5 packaged with CentOS 6) that is configured to handle RADIUS authentication with EAP-TTLS in a tunnel (Motorola/Cambium Canopy product). I want to be able to authenticate plain-text requests from other devices that do not support EAP. Can FreeRADIUS handle both encrypted and unencrypted connections at the same time? If it can, can someone lead me down the correct path?

Cambium EAP settings for FreeRADIUS:

default_eap_type = ttls
copy_request_to_tunnel = yes
use_tunnel_reply = yes

Thank you,
Gilbert T. Gutierrez, Jr.
Re: Eaps TTLS and Plain Text
Gilbert T. Gutierrez, Jr. wrote:
> I have a FreeRADIUS server (2.1.10-5 packaged with CentOS 6) that is configured to handle RADIUS authentication with EAP-TTLS in a tunnel (Motorola/Cambium Canopy product). I want to be able to authenticate plain-text requests from other devices that do not support EAP. Can FreeRADIUS handle both encrypted and unencrypted connections at the same time? If it can, can someone lead me down the correct path?

Yes. And there's nothing to do. Just configure a user with a password. *All* authentication types will work.

Alan DeKok.
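Why one stored cleartext password is enough for both the tunnelled and the "plain text" clients: a server that knows the password can undo RFC 2865's User-Password hiding (PAP) and can recompute a CHAP response, so it can check either request type against the same credential. The following is an added example, not code from the thread or from FreeRADIUS; the shared secret, Request Authenticator, challenge and password are constructed sample values. Note what "plain text" means on the wire: PAP's User-Password is XORed with MD5(shared secret, authenticator) only, so anyone who obtains the shared secret can recover every password sent by that NAS.

```python
"""RFC 2865 User-Password hiding and CHAP verification from one cleartext password (added example)."""
import hashlib
import secrets


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password as in RFC 2865 section 5.2: pad with NULs to a multiple of 16,
    then c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 being the 16-octet Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide. Trailing NUL padding is stripped, so a password that itself
    ends in NUL octets cannot be recovered exactly (RADIUS has the same limitation)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: one octet CHAP identifier, then MD5(identifier + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify(request: dict, stored_cleartext: bytes, secret: bytes) -> bool:
    """Check a PAP or CHAP Access-Request (attributes as a dict of bytes) against Cleartext-Password.
    Constant-time comparisons avoid leaking how many bytes of the guess matched."""
    if "User-Password" in request:
        revealed = pap_reveal(request["User-Password"], secret, request["Authenticator"])
        return secrets.compare_digest(revealed, stored_cleartext)
    if "CHAP-Password" in request:
        chap = request["CHAP-Password"]
        # RFC 2865 section 5.3: the challenge is CHAP-Challenge if sent, else the Request Authenticator
        challenge = request.get("CHAP-Challenge", request["Authenticator"])
        return secrets.compare_digest(chap, chap_response(chap[0], stored_cleartext, challenge))
    return False  # no password attribute at all (an EAP request is handled elsewhere)


if __name__ == "__main__":
    # constructed sample values, not from any real NAS
    secret, stored = b"testing123", b"correct horse battery"
    authenticator = secrets.token_bytes(16)
    pap_req = {"User-Password": pap_hide(stored, secret, authenticator), "Authenticator": authenticator}
    challenge = secrets.token_bytes(16)
    chap_req = {"CHAP-Password": chap_response(1, stored, challenge), "CHAP-Challenge": challenge,
                "Authenticator": authenticator}
    print("PAP ok:", verify(pap_req, stored, secret), " CHAP ok:", verify(chap_req, stored, secret))
    print("PAP with wrong secret:", verify(pap_req, stored, b"not-the-secret"))
```

The reverse does not hold: a user stored only as an NT hash or an SSHA hash (as in the LDAP debug output elsewhere on this page) can satisfy the methods whose hash matches, but not every method, which is why Alan's "all types will work" is tied to configuring a password in the clear.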
Dynamic VLAN assignment depending on LDAP user group and MAC address
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = fabrizio.vecchi
        User-Password = password
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = fabrizio.vecchi
        User-Password = password
        FreeRADIUS-Proxied-To = 127.0.0.1
        Calling-Station-Id = 60-fa-cd-47-1a-44
        Called-Station-Id = 24-01-c7-28-aa-d0:MindCandyAuth
        NAS-Port = 1
        Cisco-AVPair = audit-session-id=ca3ba8c000dede1c5852
        NAS-IP-Address = 192.168.59.202
        NAS-Identifier = Cisco_6e:1f:4f
        Airespace-Wlan-Id = 5
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 36
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[control] returns notfound
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for fabrizio.vecchi
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> fabrizio.vecchi
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=fabrizio.vecchi)
[ldap]  expand: c=gb,dc=mindcandy,dc=com -> c=gb,dc=mindcandy,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.50.41:389, authentication 0
[ldap] bind as cn=admin,dc=mindcandy,dc=com/4kaZi638uSFurX to 192.168.50.41:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in c=gb,dc=mindcandy,dc=com, with filter (uid=fabrizio.vecchi)
[ldap] Added User-Password = {SSHA}mhuhx35skdNyJ7BrJuviLnMt2iDI3lFs in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header == {SSHA}mhuhx35skdNyJ7BrJuviLnMt2iDI3lFs
[ldap] sambaNtPassword -> NT-Password == 0x3730424545463943433843443839414435374133463731413541354446333742
[ldap] looking for reply items in directory...
[ldap] user fabrizio.vecchi authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using NT encryption.
[pap]   expand: %{User-Password} -> password
[pap] NT-Hash of password = 70beef9cc8cd89ad57a3f71a5a5df37b
[pap]   expand: %{mschap:NT-Hash %{User-Password}} -> 70beef9cc8cd89ad57a3f71a5a5df37b
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> fabrizio.vecchi
[sql] sql_set_user escaped user --> 'fabrizio.vecchi'
[sql]   expand: %{User-Password} -> password
[sql]   expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'fabrizio.vecchi', 'password', 'Access-Accept', '2013-10-11 17:12:54')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'fabrizio.vecchi', 'password', 'Access-Accept', '2013-10-11 17:12:54')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[ldap] returns noop
++? if (LDAP-Group == cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy
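The posted configuration assigns a VLAN in two places: the inner-tunnel post-auth picks one by LDAP group, and the outer (default) post-auth puts unknown MACs into VLAN 36. Both use `update reply { ... = ... }`, and in unlang the `=` operator only adds an attribute that is not already in the list, while `:=` overwrites it. The model below is an added example, not code from the post or from FreeRADIUS: it reproduces the operator semantics from the unlang documentation and runs the two posted sections in the order the server does (inner tunnel during authenticate, outer post-auth afterwards). It assumes use_tunnel_reply = yes in eap.conf, which the post does not show; under that assumption the inner reply's Tunnel-* attributes are already present when the outer `if (!ok)` block runs, so the quarantine VLAN with `=` never takes effect. Group DNs and VLAN numbers are copied from the posted inner-tunnel section.

```python
"""Model of unlang 'update reply' operators applied to the two posted post-auth sections (added example)."""

# Group DN -> VLAN, in the order the posted inner-tunnel if/elsif chain tests them.
GROUP_VLANS = {
    "cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com": "40",
    "cn=dept_tech_infrastructure,ou=Groups,c=gb,dc=mindcandy,dc=com": "40",
    "cn=dept_tech_bi,ou=Groups,c=gb,dc=mindcandy,dc=com": "41",
    "cn=dept_tech_development,ou=Groups,c=gb,dc=mindcandy,dc=com": "42",
    "cn=dept_finance,ou=Groups,c=gb,dc=mindcandy,dc=com": "44",
}
DEFAULT_USER_VLAN = "34"   # the posted 'else' branch in inner-tunnel
UNKNOWN_MAC_VLAN = "36"    # the posted 'if (!ok)' branch after authorized_macs in default


def unlang_update(attrs: dict, name: str, op: str, value: str) -> dict:
    """Apply one 'update' line to an attribute list held as {name: [values]}.

    '='  adds the attribute only if no attribute of that name exists yet,
    ':=' replaces every existing instance with the new value,
    '+=' always appends another instance.
    """
    values = attrs.setdefault(name, [])
    if op == "=":
        if not values:
            values.append(value)
    elif op == ":=":
        values[:] = [value]
    elif op == "+=":
        values.append(value)
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return attrs


def set_vlan(reply: dict, vlan: str, op: str) -> dict:
    """The three-attribute VLAN triple the posted config emits, with the given operator."""
    unlang_update(reply, "Tunnel-Type", op, "VLAN")
    unlang_update(reply, "Tunnel-Medium-Type", op, "IEEE-802")
    unlang_update(reply, "Tunnel-Private-Group-Id", op, vlan)
    return reply


def inner_post_auth(reply: dict, ldap_groups) -> dict:
    """inner-tunnel post-auth: first matching branch of the if/elsif chain wins, else VLAN 34."""
    vlan = next((v for dn, v in GROUP_VLANS.items() if dn in ldap_groups), DEFAULT_USER_VLAN)
    return set_vlan(reply, vlan, "=")


def outer_post_auth(reply: dict, mac_authorized: bool, op: str = "=") -> dict:
    """default post-auth: 'if (!ok)' after authorized_macs. 'op' is the operator used in that
    update block; the posted config uses '='."""
    if not mac_authorized:
        set_vlan(reply, UNKNOWN_MAC_VLAN, op)
    return reply


def final_vlan(ldap_groups, mac_authorized: bool, outer_op: str = "=") -> str:
    """Tunnel-Private-Group-Id the NAS receives after both sections have run."""
    reply = {}
    inner_post_auth(reply, ldap_groups)
    # Assumption: use_tunnel_reply = yes, so the inner reply has been copied into the outer
    # reply by the time the outer post-auth runs. With 'no', the outer reply would start empty.
    outer_post_auth(reply, mac_authorized, outer_op)
    return reply["Tunnel-Private-Group-Id"][0]


if __name__ == "__main__":
    finance = ["cn=dept_finance,ou=Groups,c=gb,dc=mindcandy,dc=com"]
    print("known MAC, finance user:          ", final_vlan(finance, mac_authorized=True))
    print("unknown MAC, finance user, '=':   ", final_vlan(finance, mac_authorized=False))
    print("unknown MAC, finance user, ':=':  ", final_vlan(finance, mac_authorized=False, outer_op=":="))
```

The same debug output also shows two things a practitioner would want to change independently of the VLAN logic: the stock radpostauth query writes the cleartext User-Password into the `pass` column, and the rlm_ldap bind DN and password are printed in the debug log, so such output should be redacted before posting.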
MSCHAPv2 use_tunneling_reply problem
Hi all! I have a problem with users using the anonymous identity field when connecting. It turned out that for privacy reasons it is hidden outside of the tunnel. I found that by setting use_tunneling_reply to yes I can transfer the inner username outside of the tunnel, and the correct (not anonymous) username will appear in the accounting records. I've even uncommented the update outer.reply... part in the sites-enabled/inner-tunnel file. Unfortunately it does not work. Is there anything else I need to do to get it to work? I use CoovaChilli for the NAS.

Thanks for your help, all the best
Dávid
Re: MSCHAPv2 use_tunneling_reply problem
So what you're saying is that even though the users are using an anonymous outer id and want anonymity, you want to release their id to the site they are at?

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.