Re: Radius and VPN configurations

2004-06-28 Thread 3APA3A
Dear Maqbool Hashim,


--Monday, June 28, 2004, 5:50:19 PM, you wrote to [EMAIL PROTECTED]:


MH settings  every  time.  So this will mean that customers who want to
MH set  up  home  users  to be able to vpn into the firewall, will only
MH have to add these users on the radius server and we won't have to do
MH anything on the firewall.

It's possible if your VPN server supports PPTP with MPPE encryption (or
another tunneling protocol) and RADIUS authentication. Read your router
documentation.


-- 
~/ZARAZA
As long as you are in the hands of Providence, you will not manage to die before your time. (Twain)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_passwd

2004-06-28 Thread 3APA3A
Dear Tarek Ismail,

See doc/rlm_passwd and raddb/radiusd.conf.in.

--Monday, June 28, 2004, 7:35:43 PM, you wrote to [EMAIL PROTECTED]:

TI hello
TI how can i configure rlm_passwd to work with radius server


-- 
~/ZARAZA


Re: Windows NT Binaries Request

2004-06-07 Thread 3APA3A
Dear Kim Premuda,

FreeRADIUS will not run as a native Windows NT service. You first need
the Cygwin environment (http://sources.redhat.com/cygwin/) to compile and
run FreeRADIUS under Windows. For Cygwin, FreeRADIUS compilation and
installation is nearly the same as for Unix (see doc/CYGWIN); the gcc compiler
is included in the Cygwin distribution. This solution is not recommended for
a production environment.

--Monday, June 7, 2004, 9:33:47 AM, you wrote to [EMAIL PROTECTED]:

KP I am new to FreeRADIUS and this list.

KP I need to replace our aging IEA RADIUS server (circa 1996) that
KP currently runs as a service on a Windows NT server. Is there anyone
KP out there that has FreeRADIUS running on Windows NT that could
KP provide me with the latest compiled binaries (as recommended per the
KP FreeRADIUS FAQ)? My understanding is that the binaries will run on
KP Windows 98, Windows NT, Windows 2000, and Windows XP...is that
KP correct? Also, any tips or suggestions to keep me on track during
KP the FreeRADIUS installation would be greatly appreciated.

KP Thanks in advance for the help!


KP --
KP --
KP Kim W. Premuda
KP FastWave Internet Services
KP San Diego, CA



-- 
~/ZARAZA


Re[2]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear Alan DeKok,

There is a bug in MS-CHAPv2 if do_ntlm_auth is configured:

/*
 *  Update the NT hash hash, from the NT key.
 */  
if (hex2bin(buffer + 8, nthashhash, 16) != 16) {

Buffer  hash nthash, additional md4() is required to get nthashhash from
nthash.

I don't understand why the nthashhash computation is moved to do_mschap,
because it's only required in MS-CHAPv2.

I have no chance to test, so I will not risk applying a patch myself.

This bug has nothing to do with the problems discussed.

--Thursday, May 27, 2004, 6:36:49 PM, you wrote to [EMAIL PROTECTED]:

AD Dinko Korunic [EMAIL PROTECTED] wrote:
AD > Unfortunately, I can confirm that I've been unsuccessful with 4 different
AD > Windows boxes using MSCHAPv2 which have been using Java RADIUS client as
AD > well as XP supplicant (as well as SecureW2 supplicant). Yet, they're all
AD > working fine with MD5/CHAP/MSCHAPv1/PAP.. It could be my mistake, but
AD > I'm slightly running out of ideas what to do.

AD   I've tested with the latest CVS snapshot, using a copy of an
AD MS-CHAPv2 session I've had sitting around for months, and which was
AD taken from a non-FreeRADIUS client.  It works for me.

AD   Are you sure you're running the latest CVS snapshot?

AD   Alan DeKok.



-- 
~/ZARAZA


Re[2]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear Dinko Korunic,

--Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]:

DK User-Name  (1),  Length:  6,  Data:  [test],  [#  1952805748]  / [IP
DK 116.101.115.116], 0 x74657374

Look at Length carefully. It must be 4 bytes, not 6; it is probably a bug
in your client. Unlike MS-CHAPv1, MS-CHAPv2 uses the username in the response
calculation. Your client adds some noise (probably nulls) to the username,
and probably uses the additional bytes in the response calculation (Java uses no
NULLs in strings), while FreeRADIUS ignores trailing NULLs.

-- 
~/ZARAZA
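Added example (not part of the thread and not FreeRADIUS code): the reply above says that MS-CHAPv2, unlike MS-CHAPv1, mixes the user name into the response. The sketch below computes the RFC 2759 ChallengeHash step with constructed challenges to show how padding octets hashed on one side only change the result; `user_name_findings` and `both_sides_agree` are hypothetical helpers, and the NUL-stripping server is a simplified model of the behaviour the reply describes.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: bytes) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges are 16 octets")
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]

def user_name_findings(value: bytes) -> list:
    """Report octets in a User-Name value that can make the two ends hash different names."""
    findings = []
    stripped = value.rstrip(b"\x00")
    if stripped != value:
        findings.append("%d trailing NUL octet(s)" % (len(value) - len(stripped)))
    if b"\x00" in stripped:
        findings.append("embedded NUL octet")
    if any(c < 0x20 or c == 0x7F for c in stripped.replace(b"\x00", b"")):
        findings.append("control character")
    return findings

def both_sides_agree(peer: bytes, auth: bytes, name_client_hashed: bytes, name_on_wire: bytes) -> bool:
    """Model (assumption): the server drops trailing NULs from the wire value before hashing."""
    server_name = name_on_wire.rstrip(b"\x00")
    return (challenge_hash(peer, auth, name_client_hashed)
            == challenge_hash(peer, auth, server_name))

# Constructed sample values, not taken from the capture quoted in the thread.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
PADDED = b"test\x00\x00"

if __name__ == "__main__":
    print("findings for padded name:", user_name_findings(PADDED))
    print("client hashed padded name:", both_sides_agree(PEER, AUTH, PADDED, PADDED))
    print("client hashed clean name: ", both_sides_agree(PEER, AUTH, b"test", PADDED))
```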


Re[2]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear Dinko Korunic,

--Thursday, May 27, 2004, 4:31:17 PM, you wrote to [EMAIL PROTECTED]:

DK NAS-IP-Address (4), Length: 6, Data: [# 3251018014] / [IP 127.0.0.2], 0xC1C
DK 6991E

DK User-Name (1), Length: 6, Data: [test], [# 1952805748] / [IP 116.101.115.116], 0
DK x74657374

DK How that *invalid* IP happened to be there? Isn't that a bug? From all the
DK info, seems that latest rlm_chap isn't working properly with MSCHAPv2. Is there
DK anything I can do?

It's the same problem. NAS-IP-Address has a length of 6 bytes, but it must
be 4. Ask the client software developers to correct this.


-- 
~/ZARAZA


Re[3]: FreeRADIUS and mschapv2 problems

2004-05-27 Thread 3APA3A
Dear 3APA3A,

--Thursday, May 27, 2004, 8:29:05 PM, you wrote to [EMAIL PROTECTED]:


3 Buffer  hash nthash, additional md4() is required to get nthashhash from
3 nthash.

Typo. I mean buffer _has_ (contains) nthash; to convert nthash to
nthashhash an additional MD4 is required.

-- 
~/ZARAZA


Re: MS-Chap Ldap

2004-04-26 Thread 3APA3A
Dear Daniel Holtkamp,

DH rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items

sambaNTPassword must be added as NT-Password, not as Password.

--Monday, April 26, 2004, 2:05:38 PM, you wrote to [EMAIL PROTECTED]:

DH Hi !

DH After searching the Web and this list and reading a LOT of
DH radius-documentary i still can't figure out how to get this to work ...

DH Following Setup:

DH Samba 3.0 Domain
DH LDAP-Directory for centralized administration
DH Freeradius-Server
DH Windows 2003 Server for RAS

DH The Samba accounts and everything is stored within the LDAP-Directory.

DH Now we want to remove our old NT4 Server who is providing RAS-Services
DH until now so we decided to use Windows 2003 (Don't ask, the RAS thing is
DH just a nice side-feature we want to use). The Windows 2003 RAS-Service
DH allows authentication with RADIUS. So i set up a freeradius-server and
DH configured the W2K3 to use it. For testing purpose i entered my username
DH and cleartext-password to the users-file and i can login fine. But i
DH don't want to use the users-file (Who would, with a nice LDAP Directory
DH at hand ;) )

DH So i configured LDAP into this whole thingy ... i got TLS and everything
DH to work, ldap-access itself seems to be running nicely.

DH My Problem:
DH The userPassword stored in the LDAP Directory is crypted (MD5) for
DH security purpose. So this one can't be used i guess.

DH BUT: We got a nice sambaLMPassword and a sambaNTPassword for every user
DH which imho should be enough for radius, right ?

DH I tried this:

DH This is how i configured the LDAP-Module:
DH --- SNIP 
DH ldap {
DH     server = ldap.test.com
DH     identity = uid=ldaproot
DH     password = blabla
DH     basedn = dc=test,dc=com
DH     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
DH     start_tls = yes
DH     dictionary_mapping = ${raddbdir}/ldap.attrmap
DH     ldap_connections_number = 5
DH     password_header = 
DH     password_attribute = sambaNTPassword
DH     timeout = 4
DH     timelimit = 3
DH     net_timeout = 1
DH }

DH --- SNIP 

DH This fetches me the correct hash out of the directory

DH The server gives me this output:

DH --- SNIP 
DH rlm_ldap: performing search in dc=test,dc=com, with filter
DH (uid=testuser)
DH rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items
DH rlm_ldap: looking for check items in directory...
DH rlm_ldap: looking for reply items in directory...
DH rlm_ldap: user holtkamp authorized to use remote access
DH ldap_release_conn: Release Id: 0
DH   modcall[authorize]: module ldap returns ok for request 10
DH modcall: group authorize returns ok for request 10
DH   rad_check_password:  Found Auth-Type MS-CHAP
DH auth: type MS-CHAP
DH modcall: entering group Auth-Type for request 10
DH   rlm_mschap: doing MS-CHAPv2 with NT-Password
DH   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
DH   modcall[authenticate]: module mschap returns reject for request 10
DH modcall: group Auth-Type returns reject for request 10
DH auth: Failed to validate the user.
DH Login incorrect: [testuser/no User-Password attribute] (from client
DH w2k3-ras-server port 128 cli 192.168.0.55)
DH --- SNIP 

DH Now WHY is the Response incorrect ? Any ideas what i am missing here ?

DH If you need more information just ask, i got everything here :)

DH radiusd.conf
DH --- SNIP 
DH authorize {
DH     preprocess
DH     mschap
DH     ldap
DH }

DH authenticate {
DH     Auth-Type MS-CHAP {
DH         mschap
DH     }
DH }
DH --- SNIP 




-- 
~/ZARAZA


Re: RV: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.

2004-04-21 Thread 3APA3A
Dear Alejandro Martínez Marcos,

In order to use rlm_mschap with LDAP you must store either the cleartext or
the NT or LM password in the LDAP schema. See ldap.attrmap, doc/ldap_howto.txt
and doc/rlm_ldap.

--Wednesday, April 21, 2004, 3:16:40 PM, you wrote to [EMAIL PROTECTED]:


AMM Hi again,

AMM I keep on trying to solve this problem. I have realized that the problem
AMM only occurs when I use LDAP to authorize. It seems that freeradius is unable
AMM to retrieve the attribute User-Password from LDAP.
AMM When I use the users file, in that case it goes ok. I just added the users
AMM to the users file like this, as I have seen in a previous e-mail from Alan
AMM DeKok. For example:
AMM tunnel-user  User-Password = password

AMM Unfortunately, I MUST use LDAP...Please help!!

AMM Best regards,

AMM Alejandro



AMM -Original Message-
AMM From: [EMAIL PROTECTED]
AMM [mailto:[EMAIL PROTECTED] behalf of
AMM Alejandro Martínez Marcos
AMM Sent: Wednesday, April 21, 2004 10:05
AMM To: Lista Freeradius
AMM Subject: rlm_mschap:Cannot create LM-Password. Cannot create NT-Password.


AMM Hello,

AMM I am trying to authenticate using  PEAP against a LDAP server. I am getting
AMM the following errors:

AMM   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
AMM   rlm_mschap: No User-Password configured.  Cannot create NT-Password.

AMM Could anyone tell me what are these passwords? I don't know whether I have
AMM a problem with the client configuration or if I have missing fields in LDAP
AMM (but I do have a userPassword one).

AMM thanks in advance,

AMM Alejandro




-- 
~/ZARAZA
So, I will be brief. (Twain)




Re: freeradius capable of using NTLM authentication?

2004-03-03 Thread 3APA3A
Dear Gerry Gysbers,

There are 2 different things: NTLM authentication of remote access
(it's, in fact, MS-CHAP) and authentication against a Windows NT domain.
FreeRADIUS supports each one, but not together.

--Wednesday, March 3, 2004, 6:00:43 PM, you wrote to [EMAIL PROTECTED]:


GG A vendor has expressed interest in providing dial-up access for our 
GG institution.  They would provide their own proxy-radius server, which
GG would then talk to our radius server (not installed yet), for 
GG authentication. Our radius server would need to cut log records (session
GG times) and authenticate against an existing NT domain. Is FreeRADIUS an
GG appropriate product to use for this scenario (we'd use the latest 
GG version - 0.9.3)? If not, can someone suggest a more suitable radius
GG server product for this situation (either open source or commercial)?
GG Ideally, we'd like to run the server under Solaris.

GG Thanks,

GG Gerry Gysbers

GG [EMAIL PROTECTED]




-- 
~/ZARAZA


Re: rlm_passwd usage?

2004-01-22 Thread 3APA3A
Dear Dan Hollis,



--Thursday, January 22, 2004, 2:15:24 AM, you wrote to [EMAIL PROTECTED]:


DH If I have a flatfile of the format

DH user:unix-crypted-password:someotherstuff:morestuff

DH The proper format would be

DH format =
DH *User-name:Crypt-Password:Some-Other-Attributes:More-Attributes 

It depends on how you want Some-Other-Attributes and More-Attributes to
be used later. If you want to add Some-Other-Attributes to reply items,
you need =Some-Other-Attributes in format string.

-- 
~/ZARAZA
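Added example (not part of the thread and not rlm_passwd's own code): a simplified Python model of the format string discussed above, showing where each field of a flat-file line ends up with and without the `=` prefix. It models only the `*` (key) and `=` (reply item) markers named in the thread; `parse_format`, `apply_format`, the requirement that the field counts match, and the sample line are assumptions made for the illustration.

```python
def parse_format(fmt: str) -> list:
    """Split a format string into (attribute, role) pairs, one per field."""
    fields = []
    for name in fmt.split(":"):
        if name.startswith("*"):
            fields.append((name[1:], "key"))      # field used to look the user up
        elif name.startswith("="):
            fields.append((name[1:], "reply"))    # field copied to reply items
        elif name:
            fields.append((name, "check"))        # unmarked field: check item
        else:
            fields.append((None, "ignored"))      # empty name: field is skipped
    if not any(role == "key" for _, role in fields):
        raise ValueError("format needs a *key field")
    return fields

def apply_format(fmt: str, line: str, delimiter: str = ":") -> dict:
    """Map one flat-file line onto key, check items and reply items."""
    fields = parse_format(fmt)
    values = line.rstrip("\n").split(delimiter)
    if len(values) != len(fields):                # assumption of this model
        raise ValueError("line has %d fields, format has %d" % (len(values), len(fields)))
    result = {"key": None, "check": {}, "reply": {}}
    for (attr, role), value in zip(fields, values):
        if role == "key":
            result["key"] = (attr, value)
        elif role in ("check", "reply") and value:
            result[role][attr] = value
    return result

# Format string as posted in the question, and the variant the reply suggests.
FORMAT_AS_POSTED = "*User-name:Crypt-Password:Some-Other-Attributes:More-Attributes"
FORMAT_WITH_REPLY = "*User-name:Crypt-Password:=Some-Other-Attributes:More-Attributes"
SAMPLE_LINE = "alice:CRYPTED-HASH-PLACEHOLDER:other-value:more-value"  # constructed

if __name__ == "__main__":
    for fmt in (FORMAT_AS_POSTED, FORMAT_WITH_REPLY):
        print(fmt)
        print("   ", apply_format(fmt, SAMPLE_LINE))
```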