Re: Radius and VPN configurations
Dear Maqbool Hashim,

--Monday, June 28, 2004, 5:50:19 PM, you wrote to [EMAIL PROTECTED]:

MH> settings every time. So this will mean that customers who want to
MH> set up home users to be able to vpn into the firewall, will only
MH> have to add these users on the radius server and we won't have to do
MH> anything on the firewall.

It's possible if your VPN server supports PPTP with MPPE encryption (or another tunneling protocol) and RADIUS authentication. Read your router documentation.

-- 
~/ZARAZA
While you are in the hands of providence, you will not manage to die before your time. (Twain)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_passwd
Dear Tarek Ismail,

See doc/rlm_passwd and raddb/radiusd.conf.in.

--Monday, June 28, 2004, 7:35:43 PM, you wrote to [EMAIL PROTECTED]:

TI> hello
TI> how can i configure rlm_passwd to work with radius server

-- 
~/ZARAZA
Re: Windows NT Binaries Request
Dear Kim Premuda,

FreeRADIUS will not run as a native Windows NT service. You first need the Cygwin environment (http://sources.redhat.com/cygwin/) to compile and run FreeRADIUS under Windows. Under Cygwin, FreeRADIUS compilation and installation is nearly the same as for Unix (see doc/CYGWIN); the gcc compiler is included in the Cygwin distribution. This solution is not recommended for a production environment.

--Monday, June 7, 2004, 9:33:47 AM, you wrote to [EMAIL PROTECTED]:

KP> I am new to FreeRADIUS and this list.
KP> I need to replace our aging IEA RADIUS server (circa 1996) that
KP> currently runs as a service on a Windows NT server. Is there anyone
KP> out there that has FreeRADIUS running on Windows NT that could
KP> provide me with the latest compiled binaries (as recommended per the
KP> FreeRADIUS FAQ)? My understanding is that the binaries will run on
KP> Windows 98, Windows NT, Windows 2000, and Windows XP...is that
KP> correct? Also, any tips or suggestions to keep me on track during
KP> the FreeRADIUS installation would be greatly appreciated.
KP> Thanks in advance for the help!
KP> --
KP> Kim W. Premuda
KP> FastWave Internet Services
KP> San Diego, CA

-- 
~/ZARAZA
Re[2]: FreeRADIUS and mschapv2 problems
Dear Alan DeKok,

There is a bug in MS-CHAPv2 if do_ntlm_auth is configured:

    /*
     * Update the NT hash hash, from the NT key.
     */
    if (hex2bin(buffer + 8, nthashhash, 16) != 16) {

Buffer hash nthash, additional md4() is required to get nthashhash from nthash. I don't understand why the nthashhash computation is moved to do_mschap, because it's only required in MS-CHAPv2. I have no chance to test, so I do not risk applying the patch by myself. This bug has nothing to do with the problems discussed.

--Thursday, May 27, 2004, 6:36:49 PM, you wrote to [EMAIL PROTECTED]:

AD> Dinko Korunic [EMAIL PROTECTED] wrote:
AD> > Unfortunately, I can confirm that I've been unsuccessful with 4 different
AD> > Windows boxes using MSCHAPv2 which have been using Java RADIUS client as
AD> > well as XP supplicant (as well as SecureW2 supplicant). Yet, they're all
AD> > working fine with MD5/CHAP/MSCHAPv1/PAP.. It could be my mistake, but I'm
AD> > slightly running out of ideas what to do.
AD> I've tested with the latest CVS snapshot, using a copy of an
AD> MS-CHAPv2 session I've had sitting around for months, and which was
AD> taken from a non-FreeRADIUS client. It works for me.
AD> Are you sure you're running the latest CVS snapshot?
AD> Alan DeKok.

-- 
~/ZARAZA
Re[2]: FreeRADIUS and mschapv2 problems
Dear Dinko Korunic,

--Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]:

DK> User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374

Look at Length carefully. It must be 4 bytes, not 6; probably it's a bug of your client. Unlike MS-CHAPv1, MS-CHAPv2 uses the username in the response calculation. Your client adds some noise (probably nulls) to the username, and probably uses the additional bytes in the response calculation (Java uses no NULLs in strings), while FreeRADIUS ignores trailing NULLs.

-- 
~/ZARAZA
Re[2]: FreeRADIUS and mschapv2 problems
Dear Dinko Korunic,

--Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]:

DK> NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C6991E
DK> User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0x74657374
DK> How did that *invalid* IP happen to be there? Isn't that a bug? From all the
DK> info, it seems that the latest rlm_chap isn't working properly with MSCHAPv2. Is there
DK> anything I can do?

It's the same problem. NAS-IP-Address has a length of 6 bytes, but it must be 4. Ask the client software developers to correct this.

-- 
~/ZARAZA
Re[3]: FreeRADIUS and mschapv2 problems
Dear 3APA3A,

--Thursday, May 27, 2004, 8:29:05 PM, you wrote to [EMAIL PROTECTED]:

3> Buffer hash nthash, additional md4() is required to get nthashhash from
3> nthash.

Typo. I mean the buffer _has_ (contains) nthash; to convert nthash to nthashhash an additional MD4 is required.

-- 
~/ZARAZA
Re: MS-Chap Ldap
Dear Daniel Holtkamp,

DH> rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items

sambaNTPassword must be added as NT-Password, not as Password.

--Monday, April 26, 2004, 2:05:38 PM, you wrote to [EMAIL PROTECTED]:

DH> Hi !
DH> After searching the Web and this list and reading a LOT of
DH> radius-documentary I still can't figure out how to get this to work ...
DH> Following Setup:
DH> Samba 3.0 Domain
DH> LDAP-Directory for centralized administration
DH> Freeradius-Server
DH> Windows 2003 Server for RAS
DH> The Samba accounts and everything is stored within the LDAP-Directory.
DH> Now we want to remove our old NT4 Server who is providing RAS-Services
DH> until now so we decided to use Windows 2003 (Don't ask, the RAS thing is
DH> just a nice side-feature we want to use). The Windows 2003 RAS-Service
DH> allows authentication with RADIUS. So I set up a freeradius-server and
DH> configured the W2K3 to use it. For testing purposes I entered my username
DH> and cleartext-password in the users-file and I can login fine. But I
DH> don't want to use the users-file (Who would, with a nice LDAP Directory
DH> at hand ;) )
DH> So I configured LDAP into this whole thingy ... I got TLS and everything
DH> to work, ldap-access itself seems to be running nicely.
DH> My Problem:
DH> The userPassword stored in the LDAP Directory is crypted (MD5) for
DH> security purposes. So this one can't be used I guess.
DH> BUT: We got a nice sambaLMPassword and a sambaNTPassword for every user
DH> which imho should be enough for radius, right ?
DH> I tried this:
DH> This is how I configured the LDAP-Module:
DH> --- SNIP
DH> ldap {
DH>     server = ldap.test.com
DH>     identity = uid=ldaproot
DH>     password = blabla
DH>     basedn = dc=test,dc=com
DH>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
DH>     start_tls = yes
DH>     dictionary_mapping = ${raddbdir}/ldap.attrmap
DH>     ldap_connections_number = 5
DH>     password_header =
DH>     password_attribute = sambaNTPassword
DH>     timeout = 4
DH>     timelimit = 3
DH>     net_timeout = 1
DH> }
DH> --- SNIP
DH> This fetches me the correct hash out of the directory.
DH> The server gives me this output:
DH> --- SNIP
DH> rlm_ldap: performing search in dc=test,dc=com, with filter
DH> (uid=testuser)
DH> rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items
DH> rlm_ldap: looking for check items in directory...
DH> rlm_ldap: looking for reply items in directory...
DH> rlm_ldap: user holtkamp authorized to use remote access
DH> ldap_release_conn: Release Id: 0
DH> modcall[authorize]: module ldap returns ok for request 10
DH> modcall: group authorize returns ok for request 10
DH> rad_check_password: Found Auth-Type MS-CHAP
DH> auth: type MS-CHAP
DH> modcall: entering group Auth-Type for request 10
DH> rlm_mschap: doing MS-CHAPv2 with NT-Password
DH> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
DH> modcall[authenticate]: module mschap returns reject for request 10
DH> modcall: group Auth-Type returns reject for request 10
DH> auth: Failed to validate the user.
DH> Login incorrect: [testuser/no User-Password attribute] (from client
DH> w2k3-ras-server port 128 cli 192.168.0.55)
DH> --- SNIP
DH> Now WHY is the Response incorrect ? Any ideas what I am missing here ?
DH> If you need more information just ask, I got everything here :)
DH> radiusd.conf
DH> --- SNIP
DH> authorize {
DH>     preprocess
DH>     mschap
DH>     ldap
DH> }
DH> authenticate {
DH>     Auth-Type MS-CHAP {
DH>         mschap
DH>     }
DH> }
DH> --- SNIP

-- 
~/ZARAZA
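One way to apply that answer to the configuration quoted above, as an added example rather than the poster's or the project's own files. It assumes the FreeRADIUS 1.x layout, where password_attribute adds the fetched value as a User-Password check item (which rlm_mschap then treats as cleartext and hashes again, hence "doing MS-CHAPv2 with NT-Password" followed by a wrong response), and where raddb/ldap.attrmap carries commented-out Samba 3 mappings; check both against the version in use.

```conf
# raddb/ldap.attrmap: map the Samba 3 hashes to the check items rlm_mschap looks for.
# (Shipped commented out in 1.x; uncomment or add them.)
checkItem   LM-Password   sambaLMPassword
checkItem   NT-Password   sambaNTPassword

# raddb/radiusd.conf, ldap {} block: same settings as in the post, minus password_attribute,
# so the hash is no longer injected as a cleartext User-Password.
ldap {
    server = ldap.test.com
    identity = uid=ldaproot
    password = blabla
    basedn = dc=test,dc=com
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    start_tls = yes
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    # password_attribute = sambaNTPassword    # removed: the attrmap delivers it as NT-Password
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
```

With the mapping in place the debug output should show the hash arriving as NT-Password rather than "Added password ... in check items".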
Re: RV: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.
Dear Alejandro Martínez Marcos,

In order to use rlm_mschap with LDAP you must store either a cleartext, NT or LM password in the LDAP schema. See ldap.attrmap, doc/ldap_howto.txt and doc/rlm_ldap.

--Wednesday, April 21, 2004, 3:16:40 PM, you wrote to [EMAIL PROTECTED]:

AMM> Hi again,
AMM> I keep on trying to solve this problem. I have realized that the problem
AMM> only occurs when I use LDAP to authorize. It seems that freeradius is unable
AMM> to retrieve the attribute User-Password from LDAP.
AMM> When I use the users file, in that case it goes ok. I just added the users
AMM> to the users file like this, as I have seen in a previous e-mail from Alan
AMM> DeKok. For example:
AMM> tunnel-user User-Password = password
AMM> Unfortunately, I MUST use LDAP...Please help!!
AMM> Best regards,
AMM> Alejandro
AMM> -----Original Message-----
AMM> From: [EMAIL PROTECTED]
AMM> [mailto:[EMAIL PROTECTED]] on behalf of
AMM> Alejandro Martínez Marcos
AMM> Sent: Wednesday, 21 April 2004 10:05
AMM> To: Lista Freeradius
AMM> Subject: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.
AMM> Hello,
AMM> I am trying to authenticate using PEAP against an LDAP server. I am getting
AMM> the following errors:
AMM> rlm_mschap: No User-Password configured. Cannot create LM-Password.
AMM> rlm_mschap: No User-Password configured. Cannot create NT-Password.
AMM> Could anyone tell me what these passwords are? I don't know whether I have
AMM> a problem with the client configuration or if I have missing fields in LDAP
AMM> (but I do have a userPassword one).
AMM> thanks in advance,
AMM> Alejandro

-- 
~/ZARAZA
So, I will be brief. (Twain)
Re: freeradius capable of using NTLM authentication?
Dear Gerry Gysbers,

There are 2 different things: NTLM authentication of remote access (it's, in fact, MS-CHAP) and authentication against a Windows NT domain. FreeRADIUS supports each one, but not together.

--Wednesday, March 3, 2004, 6:00:43 PM, you wrote to [EMAIL PROTECTED]:

GG> A vendor has expressed interest in providing dial-up access for our
GG> institution. They would provide their own proxy-radius server, which
GG> would then talk to our radius server (not installed yet), for
GG> authentication. Our radius server would need to cut log records (session
GG> times) and authenticate against an existing NT domain. Is FreeRADIUS an
GG> appropriate product to use for this scenario (we'd use the latest
GG> version - 0.9.3)? If not, can someone suggest a more suitable radius
GG> server product for this situation (either open source or commercial)?
GG> Ideally, we'd like to run the server under Solaris.
GG> Thanks,
GG> Gerry Gysbers
GG> [EMAIL PROTECTED]

-- 
~/ZARAZA
Re: rlm_passwd usage?
Dear Dan Hollis,

--Thursday, January 22, 2004, 2:15:24 AM, you wrote to [EMAIL PROTECTED]:

DH> If I have a flatfile of the format
DH> user:unix-crypted-password:someotherstuff:morestuff
DH> The proper format would be
DH> format =
DH> *User-name:Crypt-Password:Some-Other-Attributes:More-Attributes

It depends on how you want Some-Other-Attributes and More-Attributes to be used later. If you want to add Some-Other-Attributes to the reply items, you need =Some-Other-Attributes in the format string.

-- 
~/ZARAZA