Re: Freeradius issue : Active Directory Integration
Hi,
> Hello,
> I am facing issue with MS CHAP authentication in Ubuntu 13.04 . Also
> NTLM Authentication takes place when putting 'wait = no' in
> /etc/freeradius/modules/ntlm_auth
>
is ntml_auth on the command line working?
Please provide some debug output.
regards
-andreas
--
___
FACHHOCHSCHULE SALZBURG GmbH
Salzburg University of Applied Sciences
Andreas Sartori
Systems Engineer
IS - Information Services
Lecturer
ITS - Information Technology and Systems Management
MMT - Multimedia Technology
Urstein Süd 1 | 5412 Puch/Salzburg | Austria
fon: +43 (0)50-2211-1655 | fax: -1699
web: www.fh-salzburg.ac.at
Gerichtsstand Salzburg | FN166054y
___
- Original Message -
> From: "Shameek Bhattacharya"
> To: freeradius-users@lists.freeradius.org
> Sent: Friday, October 4, 2013 8:02:59 AM
> Subject: Freeradius issue : Active Directory Integration
>
>
>
>
>
>
> Hello,
> I am facing issue with MS CHAP authentication in Ubuntu 13.04 . Also
> NTLM Authentication takes place when putting 'wait = no' in
> /etc/freeradius/modules/ntlm_auth
>
> ie
> exec ntlm_auth {
> wait = no
> program = “/usr/bin/ntlm_auth -request-nt-key
> -username=%{mschap:User-Name} -password=%{User-Password}”
> }
>
>
>
>
>
> But MS CHAP fails completely . Tried all options but not working at
> all . I have another Freeradius Server with same configuration which
> is working perfectly. The only difference is that the faulty Radius
> Server was joined to Domain with a backup administrator account ,
> not with the default Domain Administrator account . Is this creating
> the issue ? Please suggest . I have attached the debug output.
>
>
> Regards,
>
> Shameek
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting pakets on layer 2
Hello! Michael Schwartzkopff wrote: > > Hello! > > > > Excuse me please, if this is the wrong list for my question! If I have > > an AccessPoint working on layer 2 like the ALL0278, how are accounting > > pakets generated and sent to the radius-server on port 1813. Which > > application is responsible for generating those pakets? > > > > Thank you! > > > > Andreas > > - > > List info/subscribe/unsubscribe? See > > http://www.freeradius.org/list/users.html > > See section "Security Settings - WPA-802.1x" or section "Security Settings - > 802.1x" of the ALLNET manual. I don't have the ALL0278 here. Is this manual available somewhere online? Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accounting pakets on layer 2
Hello! Excuse me please, if this is the wrong list for my question! If I have an AccessPoint working on layer 2 like the ALL0278, how are accounting pakets generated and sent to the radius-server on port 1813. Which application is responsible for generating those pakets? Thank you! Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Abwesenheit (was: Freeradius Installation Challenges)
Klaus Klein wrote:
> Am 29.07.2012 09:45, schrieb George Innocent:
> > I'm using nano for the editors
>
> Take a copy of the backup of your original client.conf and start over with
> that.
> (You did save the original before you modified it, did you?)
>
> As already said, all you wanted to put in there is already there.
>
> The only difference:
>
> Out of the 'client.conf' file
>
> # Each client has a "short name" that is used to distinguish it from
> # other clients.
> #
> # In version 1.x, the string after the word "client" was the IP
> # address of the client. In 2.0, the IP address is configured via
> # the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
> # format is still accepted.
>
> You used version 1.x style
> client 127.0.0.1 {
>
> In 2.x it looks like this
> client localhost {
> ipaddr = 127.0.0.1
In his client.conf there is also a line require_message_authenticator = no
not commented out in the client localhost section that may throw the warning
with the braces.
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radacct is not filled up
"Fajar A. Nugraha" wrote: > On Tue, Jul 17, 2012 at 4:54 PM, Andreas Meyer wrote: > > I must say I am not sure, what information belongs to post-auth exactly > > and why. I promise I read the FAQ! > > FR is very configurable. It's one of those things where the hardest > part is making sure you know what you really want, and whether is > technically possible (using ANY software). After that, translating it > to configuration items is usually easier. Ok, thank you! I see this stuff is very complex and getting an overview is what I need to do. A good book about FR would come in handy. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radacct is not filled up
Hello!
"Fajar A. Nugraha" wrote:
> On Tue, Jul 17, 2012 at 4:08 PM, Andreas Meyer wrote:
>
> > Hm, no luck with this one. I changed buffered.sql to log to sql, but it
>
> Did I EVER mention anything about buffered.sql?
> Was it EVER mentioned in the wiki page?
>
> >accounting {
> > sql
> > }
>
> so accounting section has sql. That's good.
>
> > # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
>
> See that? That's post-auth. That section is called after
> access-request packets are processed.
Ok
>
> > +- entering group post-auth {...}
> > [reply_log] expand:
> > /usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
> > /usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
> > [reply_log]
> > /usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> > expands to /usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
> > [reply_log] expand: %t -> Tue Jul 17 10:57:08 2012
> > ++[reply_log] returns ok
> > [sql] expand: %{Stripped-User-Name} ->
> > [sql] ... expanding second conditional
> > [sql] expand: %{User-Name} -> bitcorner-1
>
> ... and you didn't have ANYTHING in the log about accounting.
>
> Does your NAS send accounting packets? Accounting section is only
> called when radius receive accounting packets.
I fear the AP is not sending accounting packets at all. The only
thing I can configure at the TP-Link AP is that it can communicate
with the radiusserver at port 1812 for auth packets.
> Or is it that you want to log some data to sql in post-auth, instead
> of accounting? If so, then you need to modify the correct section
not that I know of
I have a section in radisud.conf to listen for type = acct
> (i.e. post-auth, not accounting). And the table modified will NOT be
> radacct, but radpostauth. See sql.conf and sql/mysql/dialup.conf for
> details, look for "postauth". You CAN change what's logged, and where,
> by editing the queries.
I must say I am not sure, what information belongs to post-auth exactly
and why. I promise I read the FAQ!
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radacct is not filled up
Hello!
"Fajar A. Nugraha" wrote:
> > I wonder if it might have something to do with the buffered-sql in
> > /usr/etc/raddb/sites-available. I made no changes to that file.
>
> Re-read the wiki page. If you HAVE read it correctly, you would've
> seen that you need to change something in that file.
>
Hm, no luck with this one. I changed buffered.sql to log to sql, but it
does not.
accounting {
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
sql
# Cisco VoIP specific bulk accounting
# pgsql-voip
}
...
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log] expand:
/usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d ->
/usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
[reply_log]
/usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to
/usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
[reply_log] expand: %t -> Tue Jul 17 10:57:08 2012
++[reply_log] returns ok
[sql] expand: %{Stripped-User-Name} ->
[sql] ... expanding second conditional
[sql] expand: %{User-Name} -> bitcorner-1
...
If I understand the buffered.sql right, logging is done to the detail file
but how is it written to the database? Or how is the buffered.sql respected?
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radacct is not filled up
Hello!
"Fajar A. Nugraha" wrote:
> On Tue, Jul 17, 2012 at 5:59 AM, Andreas Meyer wrote:
> > Hello!
> >
> > I authenticate a users against a mysql-db and everything is fine. Get
> > entries
> > in the radpostauth table but the radacct table stays emtpy, instead the
> > logging is done in /usr/var/log/radius/radacct/192.168.1.254
> > I cannot find the place where in a configurationfile I can change
> > the value to log into the radacct table.
>
> Did you read http://wiki.freeradius.org/SQL-HOWTO ?
>
> Search for "accounting"
Yes, I read the SQL-Howto. Made a change in the dialup.conf from
sql_user_name = "%{User-Name}" to
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
and the debug output shows that the radiusd is using stripped user-name.
But the radacct is not filled up. All is written to the logfile in
/usr/var/log/radius/radacct/192.168.1.254
I wonder if it might have something to do with the buffered-sql in
/usr/etc/raddb/sites-available. I made no changes to that file.
mysql> use radius;
Database changed
mysql> show tables;
+--+
| Tables_in_radius |
+--+
| badusers |
| mtotacct |
| nas |
| radacct |
| radcheck |
| radgroupcheck|
| radgroupreply|
| radpostauth |
| radreply |
| radusergroup |
| totacct |
| userinfo |
+--+
12 rows in set (0.01 sec)
Everything is fine and radcheck and radpostauth and userinfo and so on is
written to the database exept for the radacct information.
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radacct is not filled up
Hello! I authenticate a users against a mysql-db and everything is fine. Get entries in the radpostauth table but the radacct table stays emtpy, instead the logging is done in /usr/var/log/radius/radacct/192.168.1.254 # itx:/usr/var/log/radius/radacct/192.168.1.254 # ll insgesamt 284 -rw--- 1 root root 12420 12. Jul 16:38 auth-detail-20120712 -rw--- 1 root root 12420 13. Jul 19:35 auth-detail-20120713 -rw--- 1 root root 6210 14. Jul 23:21 auth-detail-20120714 -rw--- 1 root root 9078 15. Jul 17:06 auth-detail-20120715 -rw--- 1 root root 180883 16. Jul 17:26 auth-detail-20120716 -rw--- 1 root root 12640 17. Jul 00:43 auth-detail-20120717 -rw--- 1 root root 1242 3. Jul 22:35 reply-detail-20120703 -rw--- 1 root root 2008 12. Jul 16:38 reply-detail-20120712 -rw--- 1 root root 2008 13. Jul 19:35 reply-detail-20120713 -rw--- 1 root root 1004 14. Jul 23:21 reply-detail-20120714 -rw--- 1 root root 1004 15. Jul 13:39 reply-detail-20120715 -rw--- 1 root root 5041 16. Jul 17:26 reply-detail-20120716 -rw--- 1 root root 2016 17. Jul 00:43 reply-detail-20120717 I cannot find the place where in a configurationfile I can change the value to log into the radacct table. This is what I have in sql.conf: acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: working with vouchers
Alan Buxey wrote: > Yrs, if you don't care about security and verification of server cert, then > just username and password will work with PEAP. Some clients will throw up > warning messages (that users ignore)..messages can be reduced by using a CA > that is known by the clients. > > The above is not best practice under any security front Oh yes, I just read the wikipedia about all that stuff about chap and pap and PEAP and MS-chapv2 and EAP and TLS and so on. This is heavy rock. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: working with vouchers
"Fajar A. Nugraha" wrote: > On Thu, Jul 5, 2012 at 11:05 PM, Andreas Meyer wrote: > > > > Is there a big picture somewhere available for the freeradius-server > > like it is for postfix for example? I want to understand the contiguities > > between proxiing, outer-tunnel, inner-tunnel for example. > > That's a different topic than what you asked before. And if you're > only using a captive portal, you won't be using any of those anyway, > you'd be only using the default virtual server. See > http://wiki.freeradius.org/Concepts on for-dummies explanation on how > it works. Ok, thank you for the hints! Everything is getting clearer by and by. I just found out that I get entry into the WLAN with an android smartphone by just using the username and password without using the ca.crt with PEAP/MSchap2. I read in the protocols-table that only with EAP-TLS certificates are used. > For how proxy works, see http://wiki.freeradius.org/Proxy > > > If I have > > a users file and a sql-database, where does freeradius look first and > > Depending on how you configure it. In other words, depends on the > order on authorize section. > > > what if there is an entry in both databases but they differ in the > > password used. So many questions. > > If the attribute is the same one, the one listed later should > overwrite the former. CMIIW. Thanks! -- Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: working with vouchers
"Fajar A. Nugraha" wrote: > On Thu, Jul 5, 2012 at 3:43 PM, Andreas Meyer wrote: > >> > Without considering any security is it possible to hand out a > >> > voucher to a client with just the ESSID, the username and the > >> > password written down and this client can authenticate to the > >> > radiusserver over the authenticator? Please be patient with me! > >> > >> > >> depends on the methods used, server configuration and the client involved > > > > In the simpliest environment I want to see what is possible and > > how it can be done. I don't really know what methods to use for an > > easy authentication without EAP. > > One option would be captive portal, e.g. chillispot and derivatives. Yes, I have heard of that and shall try pfSense for example. But I want to understand the contiguities of what method pfSense is using to talk to the Radiusserver to be able to create vouchers. Is there a big picture somewhere available for the freeradius-server like it is for postfix for example? I want to understand the contiguities between proxiing, outer-tunnel, inner-tunnel for example. If I have a users file and a sql-database, where does freeradius look first and what if there is an entry in both databases but they differ in the password used. So many questions. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: working with vouchers
Hi! alan buxey wrote: > Hi, > > Hello! > > > > Without considering any security is it possible to hand out a > > voucher to a client with just the ESSID, the username and the > > password written down and this client can authenticate to the > > radiusserver over the authenticator? Please be patient with me! > > > depends on the methods used, server configuration and the client involved In the simpliest environment I want to see what is possible and how it can be done. I don't really know what methods to use for an easy authentication without EAP. I think maybe the server can be configured to look into the users database whether there is an entry for that user and says ok to the authenticator. This is all because I want to learn what and how can be done with the server. At the moment I am testing all this with an openSUSE 11.3. A Windows XP I have only available in a VBox-environment. So testing with a Linux would be enough for me a the moment. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
a question about the connection to the server
Hello! If some machine is in the same subnet as the radiusd and the AP, how do I prevent it from sniffing the secret for authentication to the server? Regards Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Stuck on very basic freeradius setup
Hello!
Tiago wrote:
> Hello,
> I've just installed freeradius 2.x on an ubuntu server 12.04 with apt-get.
>
> I've follow documentation and I'm stuck on a very basic setup (pap auth).
> Basically I'm testing the default config using the users file to test auth
> with radtest.
>
> So, here is the thing:
>
> *users file - first line:
> teste Cleartext-Password:="teste"*
My entry in the user file looks like this:
miles<-><-->Cleartext-Password := "davis45"
<--><-->Reply-Message = "Hello, %{User-Name}"
Does this help?
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenication with certifiactes
Hello!
Iliya Peregoudov wrote:
> Hello Andreas,
>
> Your supplicant have rejected EAP-MD5 method proposed by freeradius and
> have requested for EAP-TTLS method. freeradius have sent EAP-TTLS/Start
> request. But your supplicant have never replied. The problem seems to be
> in supplicant (AP is transparent for EAP methods anyway). What
> supplicant do you use?
Thanks for the info!
Well, yesterday I tried with NetworkManager only. After installing
the new version of freeradius tonight I tried with NetworkManager
again with no luck. Then I decided to use Yast of the openSUSE I
use and that made it.
With the NetworkManager I had this compatibilityproblems described
for Windows OIDs. The NetworkManager didn't like the server.
>
> Andreas Meyer wrote:
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Request found, released from the list
> > [eap] EAP NAK
> > [eap] EAP-NAK asked for EAP-Type/ttls
> > [eap] processing type tls
> > [tls] Initiate
> > [tls] Start returned 1
> > ++[eap] returns handled
> > Sending Access-Challenge of id 4 to 192.168.1.254 port 2048
> > EAP-Message = 0x010200061520
> > Message-Authenticator = 0x
> > State = 0x4fb647db4eb45230423119a23041222a
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenication with certifiactes
Hello! alan buxey wrote: > Hi, > > > I have no luck with this. I read in some articles to make an AP with > > Radius-Authentication, one should create cerificates with 'make all' > > in the certs-directory after editing the ca.cnf and server.cnf and > > copy the ca.pem to the client. > > ..that would be to ensure that you can configure the client to trust the > RADIUS server - as they are both signed by the same CA OK > > > Where can I read what other possibilites there are to authorize a client > > for an AP using a radiusserver as backend. > > it depends what you want to do. you were talking about authenticating > using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS) > which means the client uses a certificate OK I wonder what other possibilities than certificates there are to authorize a client to a network using WLAN. Like Hotspots, internet cafes and hotels for example. I mean, handing over a certifacte to a client on an USB-stick seems unpracticable to me. [ ... snipp ] > > But I do not get a lease from the AP. > > thats because, as you can read, you never got an Access-Accept. the flow above > shows that > your request arrived at the serverthe server is configured to use MD5 by > default > in the inner-tunnel (so change that to the method you will use most eg TTLS) > and > so the server send a NAK. the client was then put through using TTLS but the > server > sent an Access-Challenge that never got answeredwhich is in the FAQ - the > client > doesnt trust the server. you need to ensure that you have added the CA in the > right > certificate store on the client. as this is 802.1X a quick hint - do a > google > search for 'eduroam configuring client' you should find countless examples > from Universities > worldwide on how to configure a client for doing this sort of thingsome > sites will > have step by step instructions so you can see how to do it on windows > XP/Vista/7 OSX 10.6 etc > > ..and a favour in return..if you find any sites that DONT tell the users to > check the CA > and put the right name in the verification box, then please email me ;-) > > > Strange, where can I read about this? > > EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people > are > blocked from internet search engines > > > > 4) EAP-TLS is plain/simple method - thus checking against SQL for > > > passwords is wrong > > > > Ok, disabled SQL and made entries in the users file. > > ..but from what you said above (using TTLS) - there is nothing wrong with > using MySQL/postgreSQL > etc > > though we DO advise people to start simple. start with users file rather than > some fancy backend > storage. once you see things working and have things in a working state, THEN > bring in the good stuff(tm) > > > > 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and > > > security fixes. > > > > allright, will do that if I can see some land in this ocean > > I would start with the upgrade first - the cerfificate make files got some > fixes > and improvements too! ;-) So I followed your hint and compiled and installed freeradius-server-2.1.12. Created new certificates and changed md5 to ttls in eap.conf and the client.conf to accept my client. I configured the Linux-Client with Yast to connect to the AP using the ca.pem. The handshake works and I get a lease. Now this is great! The NetworkManager didn't do it. > > alan Thank you very much for your initial help! Now I can go on examinng the server. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authenication with certifiactes
gt;Cleartext-Password := "davis45" christiane<>Cleartext-Password := "chr17!" > > 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security > fixes. allright, will do that if I can see some land in this ocean > > alan Thank you for your help with this! I am a bit lost. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Authenication with certifiactes
Hello!
# radiusd -v
radiusd: FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu
I could need some help with authenticating users per certificate
to a freeradius server.
I created the certificates and copied the ca.pem the testing supplicant.
Startet freeradius with radius -X and a local executed
radtest miles davis45 192.168.1.220 1812 testing123 gives this result:
Sending Access-Request of id 206 to 192.168.1.220 port 1812
User-Name = "miles"
User-Password = "davis45"
NAS-IP-Address = 192.168.3.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.1.220 port 1812, id=206,
length=20
I have this in the sqltrace.sql then:
INSERT INTO radpostauth (username, pass, reply, authdate) VALUES (
'miles', 'davis45',
'Access-Accept', '2012-07-02 19:31:45');
I tried all kind of settings on the supplicant but I cannot get access using
the ca.pem
and get no lease from the DHCP-Server of the AP, TL-WA901ND
I post the following output of a radius -X session:
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=155,
length=153
User-Name = "andreas"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
Calling-Station-Id = "00-22-B0-E7-EF-98"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020c01616e6472656173
Message-Authenticator = 0xcfc9907d0444926482192aafdcaba630
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andreas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'andreas' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'andreas' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id ->
SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'andreas' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'andreas' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
FROM radusergroup WHERE username = 'andreas' ORDER
BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup
WHERE username = 'andreas' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 155 to 192.168.1.254 port 2048
EAP-Message = 0x010100160410627ca484105a5653ea83eec8c5b0
Message-Authenticator = 0x00000000
State = 0x0f58029d0f5906e7a9d59b95861c72dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=156,
length=165
User-Name = "andreas"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
Calling-Station-Id = "00-22-B0-E7-EF-98"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100060315
State = 0x0f58029d0f5906e7a9d59b95861c72dd
Message-Authenticator = 0x764f23c23137bd2125a294f54ca21ac1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andreas", looking up realm NU
Logging User Accounts
Hello, I try to log users if they connect to radius, is it possible to track that without all other informations from debug mode? So best would be I only see that: [TIME]: foobar logged in Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Connection Lost, tls resumption error
Am 30.11.2011 15:53, schrieb Alan DeKok: > Andreas Rudat wrote: >> in my enviroment I got three AP's runnning, all with the same essid, >> after a while the connection seems lost > WHAT connection? > > If it's the connection between the AP and the PC, this isn't a RADIUS > issue. I only saw that came in a new challange from the other AP. >> and a reconnection starts to >> another AP and then I get the resumption error but I have no idea why I >> lost the connection. No Errors in radius debug and a good reception is >> given. > The AP is responsible for sending RADIUS packets saying a connection > is down. If it doesn't send those packets, buy an AP which does send them. > >> The resumption error can be only avoid with restarting the wirless device. > Sounds like an AP problem to me. > > Alan DeKok. perhaps. I tried it now with three devices and three users and it works fine for an hour, no connection problem again, it could be that I used one user name twice before. So i hope it is solved with that. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Connection Lost, tls resumption error
Hi, in my enviroment I got three AP's runnning, all with the same essid, after a while the connection seems lost and a reconnection starts to another AP and then I get the resumption error but I have no idea why I lost the connection. No Errors in radius debug and a good reception is given. The resumption error can be only avoid with restarting the wirless device. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Am 27.11.2011 10:17, schrieb Phil Mayers: > On 11/27/2011 12:51 AM, Mr Dash Four wrote: >> >>> No, the shared secret is not transmitted over the wire. >>> For additinal information see RFC2865, §2: >>> >>> "When a password is present, it is hidden using a method based on the >>> RSA Message Digest Algorithm MD5. (see RFC131). >> MD5 is broken. but I understand it correctly, the shared_secret is just using as trusted "AP" password? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS/EAP-TLS with freeRADIUS
Am 26.11.2011 22:04, schrieb Mr Dash Four: > I ma trying to set up freeRADIUS server implementing (wireless) user > authentication (running wpa_supplicant) via AP (running hostapd). > > After reading various howto's and documentation as well as looking at > numerous sources on the Internet, I can't see a way in which the AP is > authenticated to the RADIUS server by using only its certificate > attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always > needs some sort of "password" or "shared secret" specified. > so it is, you can only protect your AP client with the shared secret key. > Is it possible *not* to use this and rely solely on the > strength/culpability (depending on the way one looks at it) of PKI? If > so, how do I achieve that? A very simple configuration file example > would suffice! In relation to that - another question: the rlm_eap > text file (in the doc/ directory) distributed with the source code (I > am using 2.1.12) states that "Currently Freeradius supports only 2 > EAP-Types (EAP-MD5, EAP-TLS)." (line 78). Is that so? > > As for the actual EAP-TTLS/EAP-TLS authentication process I have > another query - my understanding of the theory behind this method is > that the authentication/authorisation process is done in two distinct > phases - outer and inner authentication. This also allows for the use > of two distinct sets of (client, server, ca) certificates to be > specified in each phase. If that is so, how is this > configured/specified in the eap.conf configuration file (or elsewhere)? > > Many thanks! > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Technical paper how Freeradius works?
Am 24.11.2011 16:33, schrieb Alan DeKok: > Andreas Rudat wrote: >> for example how does exactly auth. works or the radius protocol works > We don't document RADIUS. See the RFCs for that. > > As for how the server works, see the doc directory. There are a lot > of files there describing how the server works. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > ok thanks. Andreas -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Technical paper how Freeradius works?
Am 24.11.2011 16:04, schrieb Alan Buxey: > Hi, >> Hi, >> >> are there any and I don't see them, besides man pages/config files? > what is it that you are after? what do you define by 'technical' ? > > alan > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > for example how does exactly auth. works or the radius protocol works Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Technical paper how Freeradius works?
Hi, are there any and I don't see them, besides man pages/config files? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing Wlan
Am 20.11.2011 13:05, schrieb Alan DeKok: > Andreas Rudat wrote: >> thats what I tried, but I get no info from the other client, only if I >> them ping each other. Encryption is wpa+aes and what I should see if it >> is encrypted? tls infos? > This is a network connectivity problem. It isn't a RADIUS problem. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > But which? I tried my wlan on monitor mode and sniffing with wireshark I found traffic between the APs but wireshark shows only thats the wlan protocol and I dont see any clear traffic. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question at certificates
Hi, I'm a little bit confused, I configure radius with self signed cert, peap+mschap, so if I tried to connect with an android or apple device I get the question if I want to accept the server cert, thats ok, but with windows or linux I get the error that there is no cert, but it still works, why these clients don't download the cert? I can manually add them sure but why is that so different? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Testing Wlan
Am 20.11.2011 12:08, schrieb Alan Buxey: > Hi, > >> is there any possibility to test if two machines with the same login can >> sniff each others traffic? > yes you can test that. though depending on what wireless configuration you > have > and method of encryption you might not get what you think. > > > get one machine to browse the internet and get the other to run wireshark > > alan > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > Hi, thats what I tried, but I get no info from the other client, only if I them ping each other. Encryption is wpa+aes and what I should see if it is encrypted? tls infos? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Testing Wlan
Hi, is there any possibility to test if two machines with the same login can sniff each others traffic? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[solved] Re: getting sometimes TLS error
Am 19.11.2011 19:37, schrieb Andreas Rudat: > realy strange the machine where ubuntu AND xp is running both failes and > windows is saying the zertificate is invalid/expired?? both are using > the same one! > > > Am 19.11.2011 19:17, schrieb Andreas Rudat: >> Hi, >> I get the error from time to time, I use one self signed cert for alle >> clients and some times I get this error from one ubuntu client, do you >> have any idea? >> >> so self+signed cert + mschapv2 >> >> TLS Alert read:fatal:bad certificate >> Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read >> client certificate A >> Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL >> routines:SSL3_READ_BYTES:sslv3 alert bad certificate >> Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS >> (-1), TLS session fails. >> Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during >> operation >> >> >> its not the password problem, how I said, the same cert works fine on >> two different machines, windows + linux >> >> the other got archlinux and xp running >> Thanks >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> > it was the clock of the test machine ... local date 2002 vs certificate of 2011 != good Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: getting sometimes TLS error
realy strange the machine where ubuntu AND xp is running both failes and windows is saying the zertificate is invalid/expired?? both are using the same one! Am 19.11.2011 19:17, schrieb Andreas Rudat: > Hi, > I get the error from time to time, I use one self signed cert for alle > clients and some times I get this error from one ubuntu client, do you > have any idea? > > so self+signed cert + mschapv2 > > TLS Alert read:fatal:bad certificate > Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read > client certificate A > Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL > routines:SSL3_READ_BYTES:sslv3 alert bad certificate > Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS > (-1), TLS session fails. > Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during > operation > > > its not the password problem, how I said, the same cert works fine on > two different machines, windows + linux > > the other got archlinux and xp running > Thanks > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
getting sometimes TLS error
Hi, I get the error from time to time, I use one self signed cert for alle clients and some times I get this error from one ubuntu client, do you have any idea? so self+signed cert + mschapv2 TLS Alert read:fatal:bad certificate Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during operation its not the password problem, how I said, the same cert works fine on two different machines, windows + linux the other got archlinux and xp running Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius + SambaPDC + "offline" login
Hi, perhaps it is the wrong mailing list but I try it :) my samba pdc is running in a different subnet than my radius clients. So, samba ist running x.x.15.x and my Wlan+Radius users using x.x.16.x I use wins instead of dns. I joined with my client the domain successfully, but if I try to login I get the msg "domain not reachable", sure, because I'm not online at that moment, but is there anyway to be that? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Deleting user accounts in windows xp
Hi Alan, much thanks for that info! Andreas Am 18.11.2011 23:59, schrieb Alan Buxey: > Hi, >> Hi, >> >> hope anyone knows that, if I connect successfully with an xp client, I >> have never again to put in my login data, so windows has to save my >> login stuff anywhere but where? I would like to delete my login data. > stored as a special hash in the registry. you want to remove? use this regedit > > REGEDIT4 > > [-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo] > > > > alan > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Deleting user accounts in windows xp
Hi, hope anyone knows that, if I connect successfully with an xp client, I have never again to put in my login data, so windows has to save my login stuff anywhere but where? I would like to delete my login data. Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP/MSCHAP
Am 12.11.2011 23:00, schrieb Sven Hartge: > Sven Hartge wrote: >> Andreas Rudat wrote: >>> Am 11.11.2011 03:56, schrieb Fajar A. Nugraha: >>>> On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote: >>>>> I agree with Jake, in that I *think* it would be possible to have a >>>>> plugin or whatever interface with LDAP/AD in the same manner >>>>> ntlm_auth does. I don't think one *needs* a cleartext password, >>>>> but does need some way to compare apples-to-apples. >>>> That's exactly what Alan is saying: " store your passwords in the >>>> LDAP as NT-Password or LM-Password " >>> But if that works, why then all are saying that you can just work >>> with plaintext? Its realy confusing. >> NT/LM-Password is "special". This is why it works with MSCHAPv2, both >> being a MicroSoft "invention". > To be precise: MSCHAPv2 works with the NT/LM-Password as input to the > Challenge-Handshake and not the "raw" cleartext password. This is why > this works. > > FreeRADIUS converts a cleartext password into the needed NT-Hash and > then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing > NT-Hash from LDAP/MySQL/whatever. > > Quote from http://en.wikipedia.org/wiki/NTLM > , > | The NTLM protocol uses one or both of two hashed password values, both > | of which are also stored on the server (or domain controller), and which > | are password equivalent, meaning that if you grab the hash value from > | the server, you can authenticate without knowing the actual password. > ` > > This also means you have to protect those Hashes inside your database > like a raw cleartext password, as you can authenticate to any Windows > box with the knowledge of the NT/LM-Hash. > > This has been exploitet by several Windows trojan horses, which grabbed > to NT-Hash from the Administrator user to login into other boxes on the > network using the same password (or worse: the domain controller). > > Grüße, > S Ah much thanks for that clearing, so both is bad no matter which mechnism is used. Andreas -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP/MSCHAP
Am 11.11.2011 03:56, schrieb Fajar A. Nugraha: > On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten wrote: >> I agree with Jake, in that I *think* it would be possible to have a plugin >> or whatever interface with LDAP/AD in the same manner ntlm_auth does. I >> don't think one *needs* a cleartext password, but does need some way to >> compare apples-to-apples. > That's exactly what Alan is saying: > " > store your passwords in the LDAP as NT-Password or LM-Password > " But if that works, why then all are saying that you can just work with plaintext? Its realy confusing. Andreas > ... although in my expreiments NT-Password alone is enough, but > LM-Password alone is useless. > > How can you create NT-Password? One way to do that is by hijacking the > process where user enters password as plaintext (e.g. from the > password prompt when user change their password) and use smbencrypt > (part of freeradius) > > Where do you store NT-Password in LDAP? In ntPassword or > sambaNtPassword LDAP attribute (or any other attribute of your choice, > as long as you remember to update raddb/ldap.attrmap as well) > > If you have NT-Password, then you don't need user's cleartext password > anymore, and you don't even need any helper tool. > -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth reconnection without login data?
ah, I see, if I disconnect from wlan, there is also no response from radius no disconnect response. Am 28.10.2011 15:49, schrieb Andreas Rudat: > Am 28.10.2011 08:55, schrieb Fajar A. Nugraha: >> On Fri, Oct 28, 2011 at 1:46 PM, Andreas Rudat wrote: >>> sorry for that. I use 802.1x >> 802.1 wired? wireless? >> >>> and I'm wondering if I connect again >> What do you mean by "connect again"? unplug the cable and plug it >> again? Trun off the wireless adapter and turn it on again? Logout and >> login? >> >>> at >>> radius, I don't see any reactions in my debug output of radius, so at >>> the first time you see how the peap tunnel is getting up, challange >>> response and so on. >>> >>> Radius is running on Pfsense 2.0 and the clients are connecting with >>> wpa2 Windows/Linux >> >From your (very brief) description, the best answer I can give is "ask the >> >NAS". >> >> FR debug would preety print much print out everything it does. If it >> doesn't print anything, it's not doing anything. Not even accepting >> any packets. >> >> Why didn't it recive any packet? Probably because the NAS doesn't send >> anything (which is why I said "ask the NAS"). >> >> Why didn't the NAS send any packet? There are several possible options. >> Namely: >> - the NAS cache authentication result >> - the session was never terminated >> >> So, ask the NAS. I'm GUESSING that you were never disconnected in the >> first place. >> > It seems it is the NAS, it is AP with openwrt on it, but cannot find any > thing there what could be the problem. > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth reconnection without login data?
Am 28.10.2011 08:55, schrieb Fajar A. Nugraha: > On Fri, Oct 28, 2011 at 1:46 PM, Andreas Rudat wrote: >> sorry for that. I use 802.1x > 802.1 wired? wireless? > >> and I'm wondering if I connect again > What do you mean by "connect again"? unplug the cable and plug it > again? Trun off the wireless adapter and turn it on again? Logout and > login? > >> at >> radius, I don't see any reactions in my debug output of radius, so at >> the first time you see how the peap tunnel is getting up, challange >> response and so on. >> >> Radius is running on Pfsense 2.0 and the clients are connecting with >> wpa2 Windows/Linux > >From your (very brief) description, the best answer I can give is "ask the > >NAS". > > FR debug would preety print much print out everything it does. If it > doesn't print anything, it's not doing anything. Not even accepting > any packets. > > Why didn't it recive any packet? Probably because the NAS doesn't send > anything (which is why I said "ask the NAS"). > > Why didn't the NAS send any packet? There are several possible options. > Namely: > - the NAS cache authentication result > - the session was never terminated > > So, ask the NAS. I'm GUESSING that you were never disconnected in the > first place. > It seems it is the NAS, it is AP with openwrt on it, but cannot find any thing there what could be the problem. -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth reconnection without login data?
Am 28.10.2011 08:33, schrieb Fajar A. Nugraha: > On Fri, Oct 28, 2011 at 1:18 PM, Andreas Rudat wrote: >> Am 27.10.2011 22:57, schrieb Alan DeKok: >>> Andreas Rudat wrote: >>>> if I connect to my radius server, I don't need my password anymore, also >>>> if I restart radius or my workstation. But why? >>> The PC caches the credentials. >>> >>> Alan DeKok. >>> - >>> List info/subscribe/unsubscribe? See >>> http://www.freeradius.org/list/users.html >>> >> Hm ok, but radius, too? Cause I don't see there any reaction, too. > What do you mean by "connect to my radius server"? ssh? > What do you mean by "don't see any reaction"? > > If you want clear answer, start by posting clear questions. Asking > Tarzan-like questions will get you Tarzan-like answers. > > For example, you could write "I'm trying to connect to my radius > server, running Centos 5.x, using ssh with putty, as root. However it > didn't ask password, and simply lets me log in". Obviously that's just > an example. > > Also, be clear how it's connected to FR. Do you use pam_radius? Do you > use 802.1x? > Hi, sorry for that. I use 802.1x and I'm wondering if I connect again at radius, I don't see any reactions in my debug output of radius, so at the first time you see how the peap tunnel is getting up, challange response and so on. Radius is running on Pfsense 2.0 and the clients are connecting with wpa2 Windows/Linux Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ntlm_auth reconnection without login data?
Am 27.10.2011 22:57, schrieb Alan DeKok: > Andreas Rudat wrote: >> if I connect to my radius server, I don't need my password anymore, also >> if I restart radius or my workstation. But why? > The PC caches the credentials. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > Hm ok, but radius, too? Cause I don't see there any reaction, too. Andreas -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ntlm_auth reconnection without login data?
Hi, if I connect to my radius server, I don't need my password anymore, also if I restart radius or my workstation. But why? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[solved] Re: ntlm_auth fails @radius-debug
I edit the wrong site... sorry Am 26.10.2011 15:48, schrieb Andreas Rudat: > Hello, > > I work with this tutorial > http://deployingradius.com/documents/configuration/active_directory.html > > all works fine, since I try to use ntlm_auth with radius directly > > > I added a user tester / testen > > users: > at the top DEFAULT Auth-Type := ntlm_auth > > tester Cleartext-Password := "testen" > > and added to inner-site ->authenticate > ntlm_auth > > then, if if I try > radtest tester testen localhost 0 testing123 > > I get this > Found Auth-Type = ntlm_auth > WARNING: Unknown value specified for Auth-Type. Cannot perform > requested action. > Failed to authenticate the user. > > Thanks > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ntlm_auth fails @radius-debug
Hello, I work with this tutorial http://deployingradius.com/documents/configuration/active_directory.html all works fine, since I try to use ntlm_auth with radius directly I added a user tester / testen users: at the top DEFAULT Auth-Type := ntlm_auth tester Cleartext-Password := "testen" and added to inner-site ->authenticate ntlm_auth then, if if I try radtest tester testen localhost 0 testing123 I get this Found Auth-Type = ntlm_auth WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. Failed to authenticate the user. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius + ldap + ntlm
Am 23.10.2011 22:04, schrieb Phil Mayers: > On 10/23/2011 06:03 PM, Andreas Rudat wrote: > >> another problem, I tried to test the connection with >> >> ntlm_auth --request-nt-key --domain=foo.bar --username=test >> --password=test >> >> and get the message >> NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008) > > Samba problem. Consult the samba docs or support list. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > hm I dont know it that helped https://bugzilla.samba.org/show_bug.cgi?id=7481 but it works, how ever... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius + ldap + ntlm
Am 23.10.2011 17:48, schrieb Andreas Rudat: > Am 23.10.2011 17:26, schrieb James J J Hooper: >> On 23/10/2011 16:02, Andreas Rudat wrote: >>> Hello, >>> >>> I understand it correctly, that I can't use peap + mschapv2 with >>> ldap? Im realy confused atm, what I can realy use, everytime I think >>> its fine, I found another unsecure thing :/ >> To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text >> password, or the NTLM hash of the password. >> >> If your LDAP directly has plain text passwords, or NTLM hashes, then >> you can use it for authentication. >> >> You can use LDAP for authorization in any case. >> >> Regards, >> James >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> > ok, thank you. For further things I think I have to configure the ldap > modul for that, right? > > Thanks > Andreas > another problem, I tried to test the connection with ntlm_auth --request-nt-key --domain=foo.bar --username=test --password=test and get the message NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008) is it perhaps a problem with samba? I'm using 3.4.14, same with wbinfo my smb.conf [global] workgroup = foo.bar security = server password server = bar.foo.bar wins server = bar.foo.bar on my samba+ldap machine wbinfo and ntml_auth are working fine. Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radius + ldap + ntlm
Am 23.10.2011 17:26, schrieb James J J Hooper: > On 23/10/2011 16:02, Andreas Rudat wrote: >> >> Hello, >> >> I understand it correctly, that I can't use peap + mschapv2 with >> ldap? Im realy confused atm, what I can realy use, everytime I think >> its fine, I found another unsecure thing :/ > > To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text > password, or the NTLM hash of the password. > > If your LDAP directly has plain text passwords, or NTLM hashes, then > you can use it for authentication. > > You can use LDAP for authorization in any case. > > Regards, > James > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > ok, thank you. For further things I think I have to configure the ldap modul for that, right? Thanks Andreas -- -BEGIN PGP PUBLIC KEY BLOCK- Version: GnuPG v2.0.17 (MingW32) mQGNBE6jHfABDACyzFkn6k+OtbRANjKZ6NEQOxnnsBSBSs6sT9EBF0U3MnnYW3/p YTW+7aUa/1FZTOWt9wb9H7t0SOqpgqUBmRo/sPteepXblnDaGEh8tzIWfaC9MKc1 QobU5zK9KcDKrs3SyGXEPOOQM8QdtE8KfSJFdUxfanFJUbfTbxq5Gqz1eaU4cWxp gR6GeVYnd11J8AdDDwkjPjx4ZJ5guZ+D646Qi3CT7KT6y8sXVPwpNA3CvGweYX0r STKyBf+nlQtOtByrgZW7BiSAxilYUL4mGE4KmuYAadJ+O6X7NOtz3OQaWgSGjqxH YxDu6orTzL4/csjoVXS9dgeGkhLJgAg72a2yxA4tx/8IXrGp3JVGYGEY2kYcq3k9 jq5hJezoy6s1N//mgm5KaB84zrU5cUcu8kXDppmnp7eXUPnBqj2g2O82buBNa48S wAtnbY4K5fbcnog8g6ouYXpAJo9yHcj+wraQ8+TNFx5nbkg3fZKuf3UeyL3dPKXf wsKehnZ3Ipqkb08AEQEAAbQiQW5kcmVhcyBSdWRhdCA8cnVkYXRAZW5kc3RlbGxl LmRlPokBuAQTAQIAIgUCTqMd8AIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA CgkQBw5gh+kRIv+yGQv5AQCRZt8wR2McgsTurZEZXz5UpxEPZB/dA/iXtPzZXJih XLRZFqcdT+c8DCLbhXjO5aLndOCIDwWmsnqX2fuGAjlM4GJAAUEARSNtWY7V+rUt PhdOz/flCZo/+p7wBi0XOJcWhysS7DV/ssSYdnuJvONUBXCQ/MpJsVXuKdgPa9IR hvi37Ang1Cxb7htKHIuA4wCuqz1/4VGNez/65qwjuYakbB4/rXkKWb17XqCZrtoo YiQSxPU7fP5lM4ybQXxP1qrptmaF9EqGTnj/xAU3tCE+PhB3baoVw6VG9nr9xYwh bqCGtTbtrkmYlgioC2fFHDgg3U1GVBIbi0AoddXSs5OekgSvt827OcyWVSyjobyn tH4/jwb8X8iOM/x8RZhzwKhpHA0k7ltTm7qXApARcL1tV6y4GIKwuy1RLZqkpNh1 teqYaxAKlxC77s6gftxqr7G6NCssgCCy2Y50LSvcQbZDPZeBdrPoGI/xAWNy4Otv 33k4P9hxJKHNqLYJN+Gn =UaS9 -END PGP PUBLIC KEY BLOCK- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radius + ldap + ntlm
Hello, I understand it correctly, that I can't use peap + mschapv2 with ldap? Im realy confused atm, what I can realy use, everytime I think its fine, I found another unsecure thing :/ Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius + SAMBA PDC + LDAP
Am 21.10.2011 18:28, schrieb Phil Mayers: On 21/10/11 17:03, Andreas Rudat wrote: Hi, I'm using samba as pdc and ldap as user database. That all works fine. Now I want to use the ldap database for user auth. for radius. But when I'm looking here http://deployingradius.com/documents/configuration/active_directory.html and some other sources, I read everywhere the same. "Konfiguration of Kerberos" but why? I think it should also with ntlm only? And does this paper is the correct for me? Caus if I understand it correctly in that scenario they are using a MS AD? If you are using a Samba PDC with LDAP storage, you should be able to make FreeRADIUS extract the ntPassword LDAP attribute, and you will not need to interact with Samba at all. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ok, thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius + SAMBA PDC + LDAP
Hi, I'm using samba as pdc and ldap as user database. That all works fine. Now I want to use the ldap database for user auth. for radius. But when I'm looking here http://deployingradius.com/documents/configuration/active_directory.html and some other sources, I read everywhere the same. "Konfiguration of Kerberos" but why? I think it should also with ntlm only? And does this paper is the correct for me? Caus if I understand it correctly in that scenario they are using a MS AD? Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius for Lan
Am 02.10.2011 20:54, schrieb yzy-oui-fi: How would you manage with PFSENSE and Freeradius, without using captiv portal for Lan Interface Auth??? Squid Proxy? VPN ? That was my question :) But its solved, I dont need lan. Thanks Le dimanche 02 octobre 2011 à 18:22 +0200, Andreas Rudat a écrit : Thanks, but I dont want to use captive portal. It would be great if I could tell radius that user can only connect if it used min. one Radius Client, for example the AP. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius for Lan
Am 02.10.2011 17:46, schrieb yzy-oui-fi: Hello, if you are using PFsense 2 and captiv portal, go to your captiv portal admininistration, hit maj+ select LAN on Interface Field, this will have as result to add an Interface to your captiv portal instead of replacing the one available Note, this is not really a freeradius Issue Thanks, but I dont want to use captive portal. It would be great if I could tell radius that user can only connect if it used min. one Radius Client, for example the AP. Andreas Le dimanche 02 octobre 2011 à 17:31 +0200, Andreas Rudat a écrit : Hello, I use radius for my wlan auth but I also want it for lan but how? I use pfsense with radius 2.x It works fine with wlan but how I use it for lan? If I connect via lan port on my AP I can reach everything without radius auth. Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius for Lan
Hello, I use radius for my wlan auth but I also want it for lan but how? I use pfsense with radius 2.x It works fine with wlan but how I use it for lan? If I connect via lan port on my AP I can reach everything without radius auth. Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius + Samba + Mysql?
Am 25.09.2011 23:07, schrieb Alan DeKok: Andreas Rudat wrote: HI Alan, yes that is what I want, but my ldap doesn't work atm ;-) See the FAQ for "it doesn't work" Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html sorry, you miss understood me, I meant MY LDAP doesn't work atm, independently by radius :) Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius + Samba + Mysql?
HI Alan, yes that is what I want, but my ldap doesn't work atm ;-) But thanks. Andreas Am 25.09.2011 17:02, schrieb Alan DeKok: Andreas Rudat wrote: Thats also bad only nt-hash is not good, I tried to set up Ad but got heavy problems with setting it up. I have no idea why. See my web page: http://deployingradius.com It has complete documentation on AD integration, including what configuration to change, how to debug it, and what to expect. If you follow the directions it *will* work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius + Samba + Mysql?
Am 25.09.2011 13:43, schrieb Fajar A. Nugraha: Should work if you have enough knowledge about all three components. The main "problem" would be that FR and samba uses different schema for storing user passwords, but if you're familiar with triggers then it should be possible. Just try it. yeah thats the problem I thought. No I'm not realy familiar with triggers and sql One other thing to note however, ntlm_auth is only necessary if your backend (usually AD) don't give out clear-text or nt-hash. If you have one of those available (in the case of mysql-backed samba, it's nt-hash), you don't need ntlm_auth. Thats also bad only nt-hash is not good, I tried to set up Ad but got heavy problems with setting it up. But it would be the best thing for auth samba and fr users I think? Last way would be perhaps of using smbpasswd. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius + Samba + Mysql?
Hi again, erm it should work if I use mysql for samba accounts and using ntlm_auth + ms-chap on radius? Am 25.09.2011 13:03, schrieb Andreas Rudat: Hi, is that combination possible? Radius and Samba should use the same sql database for accounting. Are there any problems or hints? Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radius + Samba + Mysql?
Hi, is that combination possible? Radius and Samba should use the same sql database for accounting. Are there any problems or hints? Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
anyone tried SSH tunneling for user auth?
Hello, I want to use a ssh tunnel between radius and my user database on another machine, anyone tried that? I think it should work port forwarding on port 139 of samba or sql port? Thanks Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authention Failure when putting NAS in private network.
Am 22.09.2011 03:23, schrieb 2394263740: Hello, Here is my freeradius enviroment. The freeradius is used for WIFI users access authentication. OS: Linux Enterprise Server 6.1 Radius: free radius server 2.1.11 Database: Mysql The freeradius server was put on internet. Sometime, the WIFI router need be put on the private network, which connect to Internet through a gateway. When we put the WIFI router on the private network, the WIFI user authentication always fail. Checked both the server and client side, we found the server is sending packet to WIFI router(NAS), but the packet didn't reach the WIFI router. The packet was dropped by the gateway. Can anyone advise a solution for this? Thanks! Tom - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Hi, if needed, have u changed or added the new client to radius? Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Confusion between Freeradius + MSCHAPv2 + Samba
Am 21.09.2011 22:09, schrieb Alan DeKok: Andreas Rudat wrote: but is it usefull to use kerberos with two machines? Most of the time: no. I think it would be a contradiction of kerberos and would it work without AD/ldap? I have no idea what that means. And could I use a sql database to save the encrypted passwords by using ntlm and the rlm_mschap module? You can use SQL to store anything, include NT-Passwords. Alan DeKok. - ok, thanks for the info. Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Confusion between Freeradius + MSCHAPv2 + Samba
Hello, I have two machines. Freeradius + Samba as PDC. I auth. wlan clients against Radius and I want to store any user data on my Samba. The client auth, will be realized with PEAP+MSCHAPv2. So the problem is the bad thing with MSCHAPv2 and NTLMv1. So an other way could be kerberos and I read this howto http://deployingradius.com/documents/configuration/active_directory.html but is it usefull to use kerberos with two machines? I think it would be a contradiction of kerberos and would it work without AD/ldap? And could I use a sql database to save the encrypted passwords by using ntlm and the rlm_mschap module? Thanks! Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-SIM Broker?
Hi Guys, does someone know a way to do real EAP-SIM authentication with (through!) freeradius? Most if not all GSM-Carriers have radius-servers for their own WiFi-Hotspots, but obviously they wont give anyone access to them but only Hotspot-Roaming-Providers like iPass or WeRoam. Is there some sort of broker-service that would allow this? I would imagine a concept where i pre-filter the authentication requests and only pass the imsi's i want to be able to access our wireless network to the broker for real authentication... This is for my employer, so no problem if there's a fee for this service involved... Regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius on MacOS X Server
But all packets are coming trough, I think. Both servers are on the same subnet, with same gateway. Am 18.08.10 15:53, schrieb Alan DeKok: > Andreas Hubert wrote: >> I really have no clue, why the AP and client should work with the second >> server and not with the first one :( > It's a networking issue. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html server1.pcap Description: Binary data server2.pcap Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius on MacOS X Server
> Use an AP that works. > > Use a client PC that works. > The strange thing is, both work, but only together with the second server, not with the first one. On the AP I can enter two RADIUS servers, in case one gets down, what I also want to use. I also switched them in the configuration with no effect, it's always the same server I cant connect to. I tried to figure more about it with tcpdump and the only difference is see, is that the AP is sending one more information to the first server: There is an EAP-Message Last Segment on both and only the first server gets also an EAP-Message Segment, for what reason ever. I really have no clue, why the AP and client should work with the second server and not with the first one :( - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius on MacOS X Server
Okay, I just found out I messed something with the eap.conf on my first
server, I accidental out commented these options:
fragment_size = 1024
include_length = yes
check_crl = yes
CA_path = /path/to/directory/with/ca_certs/and/crls/
check_cert_cn = %{User-Name}
But now the eap.conf is on both servers nearly the same (without certificate
paths).
I tried to make the problem happen again, mabye now it is easier in the log
files to see the difference.
Or should I maybe add here my complete config folder of booth servers? I
already diffed every file in them.
Am 18.08.10 12:05, schrieb Andreas Hubert:
> Do you have any other idea, after I sent out the logs of both servers, the
> one where everything works and the other server where it don't work?
>
> Am 17.08.10 21:56, schrieb Alan DeKok:
>> Andreas Hubert wrote:
>>> I dont know if updating is such a good idea. Mac OS X comes with 2.1.3 and
>>> another mailinglist reader told me that everything in his environment with
>>> Snow Leopard Server works
>>> So I guess this thing should work somehow with Mac OS X Servers freeradius
>>> 2.1.3 implementation together with Apple Airport Extreme
>> It should. But the problems you're seeing are very strange.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database
/private/etc/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database
/private/etc/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database
/private/etc/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database
/private/etc/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database
/private/etc/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT
id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN
Test,secret=test123
rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=) to
clients list
rlm_sql_sqlite: sqlite3_step = 101
rlm_sql_sqlite: sqlite3_finalize() = 0
rlm_sql (sql): Released sql socket id: 4
radiusd: Opening IP addresses and Ports
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=14,
length=151
User-Name = "ahu"
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = "00-1C-B3-AD-38-07:ahu WLAN Test"
Calling-Station-Id = "00-25-00-41-AD-F3"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020801616875
Message-Authenticator = 0xf784a159cfe693d10bd30de18988d026
rlm_opendirectory: The host 192.168.214.100 does not have an access group.
rlm_opendirectory: User is authorized.
Sending Access-Challenge of id 14 to 192.168.214.100 port 65527
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0x3d59114e3d5804266eaf1e978c8c2b4d
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=13,
length=151
User-Name = "ahu"
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = "00-1C-B3-AD-38-07:ahu WLAN Test"
Calling-Station-Id = "00-25-00-41-AD-F3"
Framed-MTU = 1400
Re: FreeRadius on MacOS X Server
Do you have any other idea, after I sent out the logs of both servers, the one where everything works and the other server where it don't work? Am 17.08.10 21:56, schrieb Alan DeKok: > Andreas Hubert wrote: >> I dont know if updating is such a good idea. Mac OS X comes with 2.1.3 and >> another mailinglist reader told me that everything in his environment with >> Snow Leopard Server works >> So I guess this thing should work somehow with Mac OS X Servers freeradius >> 2.1.3 implementation together with Apple Airport Extreme > It should. But the problems you're seeing are very strange. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius on MacOS X Server
Okay sorry again, I tried it completely fresh, with empty logs and debug mode. This time I don't get the error with missing com.apple.access_radius group on booth servers. Can anyone see, why who what's the problem and difference between these servers? They are boot configured the same, Airport has same configuration, client uses same configuration, but if the first server is up, it does not work and if the second server is up it works. See logs attached. -2 works -1 does not work Am 17.08.10 19:01, schrieb Andreas Hubert: > After a bit more investigating, I think I come closer to the problem and can > locate it on somewhere with Mac OS X Server Access Control List for services. > We have a second server here, which is Open Directory Replica and the RADIUS > connection with this server works! > I attach logfile from server1 - radiusd-1.log where I have the problem and > server2 - radiusd-2.log where it works. > So there are two more problems to solve: > - How to fix this rights problem on server1 > - Why don't I get an IP address by the airport after authenticating with > server2? :( > > But I guess the freeradius mailinglist is the wrong place for non-radius > related problems :( > Maybe anyone here with more MacOS X Server and Airport/RADIUS experience who > may help me? > > Am 17.08.10 17:59, schrieb Alan DeKok: >> Andreas Hubert wrote: >>> Like it is always: >>> >>> Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User is >>> authorized. >>> Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the >>> State variable. >>> Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User is >>> authorized. >>> Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the >>> State variable. >> And as always, run the server in debugging mode as suggested in the >> FAQ, README, "man page", and daily on this list. >> >>> Can you please specify how it is all together configured in your >>> environment that it works? >> Read the previous responses to your message on this list. The >> instructions are there. >> >> Alan DeKok. >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to rad...@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN Test,secret=** rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=) to clients list rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 radiusd: Opening IP addresses and Ports Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.214.100 port 65507, id=19, length=146 User-Name = "ahu" NAS-IP-Address = 192.168.214.100 NAS-Port = 0 Called-Station-Id = "0
Re: FreeRadius on MacOS X Server
After a bit more investigating, I think I come closer to the problem and can locate it on somewhere with Mac OS X Server Access Control List for services. We have a second server here, which is Open Directory Replica and the RADIUS connection with this server works! I attach logfile from server1 - radiusd-1.log where I have the problem and server2 - radiusd-2.log where it works. So there are two more problems to solve: - How to fix this rights problem on server1 - Why don't I get an IP address by the airport after authenticating with server2? :( But I guess the freeradius mailinglist is the wrong place for non-radius related problems :( Maybe anyone here with more MacOS X Server and Airport/RADIUS experience who may help me? Am 17.08.10 17:59, schrieb Alan DeKok: > Andreas Hubert wrote: >> Like it is always: >> >> Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User is authorized. >> Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State >> variable. >> Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User is authorized. >> Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the State >> variable. > And as always, run the server in debugging mode as suggested in the > FAQ, README, "man page", and daily on this list. > >> Can you please specify how it is all together configured in your environment >> that it works? > Read the previous responses to your message on this list. The > instructions are there. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to rad...@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN Test,secret=** rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=) to clients list rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 radiusd: Opening IP addresses and Ports Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, length=146 User-Name = "ahu" NAS-IP-Address = 192.168.214.100 NAS-Port = 0 Called-Station-Id = "00-1C-B3-AD-38-07:ahu WLAN" Calling-Station-Id = "00-25-00-41-AD-F3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0256000801616875 Message-Authenticator = 0xcc601addd69d936900b1af411db61511 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 192.168.214.100 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. Sending Access-Challenge of id 37 to 192.168.214.100 port 65527 EAP-Message = 0x015700061520 Message-Authenticator = 0x State = 0x44cd768a449a6388eb2d24455d69bb6d Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=36,
Re: FreeRadius on MacOS X Server
I attached the log with debug mode. And I read the instructions and did this: System Preferences -> Network -> Select The Airport adapter in the left column --> Click "Advanced" (bottom right corner next to the help ?) Select the 802.1x tab Click the "+" to add a profile Add a User Profile Name it "test" or whatever Enter your OpenDirectory login and password (local account prob won't work?) Try TTLS Select your network Click ok I did not updated to 2.1.9 Am 17.08.10 17:59, schrieb Alan DeKok: > Andreas Hubert wrote: >> Like it is always: >> >> Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User is authorized. >> Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State >> variable. >> Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User is authorized. >> Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the State >> variable. > And as always, run the server in debugging mode as suggested in the > FAQ, README, "man page", and daily on this list. > >> Can you please specify how it is all together configured in your environment >> that it works? > Read the previous responses to your message on this list. The > instructions are there. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to rad...@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN Test,secret=*** rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=) to clients list rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 radiusd: Opening IP addresses and Ports Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.214.100 port 64954, id=6, length=146 User-Name = "ahu" NAS-IP-Address = 192.168.214.100 NAS-Port = 0 Called-Station-Id = "00-1C-B3-AD-38-07:ahu WLAN" Calling-Station-Id = "00-25-00-41-AD-F3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0294000801616875 Message-Authenticator = 0x921047de6d65faf9504e1ca2aad257e5 rlm_opendirectory: The host 192.168.214.100 does not have an access group. rlm_opendirectory: User is authorized. Sending Access-Challenge of id 6 to 192.168.214.100 port 64954 EAP-Message = 0x019500061520 Message-Authenticator = 0x State = 0xac419076acd48591d4924416ee09f473 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.214.100 port 64954, id=7, length=320 User-Name = "ahu" NAS-IP-Address = 192.168.214.100 NAS-Port = 0 Called-Station-Id = "00-1C-B3-
Re: FreeRadius on MacOS X Server
I dont know if updating is such a good idea. Mac OS X comes with 2.1.3 and another mailinglist reader told me that everything in his environment with Snow Leopard Server works So I guess this thing should work somehow with Mac OS X Servers freeradius 2.1.3 implementation together with Apple Airport Extreme Am 13.08.10 18:33, schrieb Alan DeKok: > Andreas Hubert wrote: >> I also activated the debug mode and it came out this: > ... >> rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, >> length=510 > ... >> Sending Access-Challenge of id 37 to 192.168.214.100 port 65527 >> EAP-Message = >> 0x01ee00451580003b1403010001011603010030bbda33956ff9087b5291d1bf33e7bd7783b7e5a8334901c991146359bea1295b708aacf8a4f66486889750fe3f6c8969 >> Message-Authenticator = 0x >> State = 0x7643105974ad05ff18e41e4ad6d190e3 >> Waking up in 4.9 seconds. >> rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, >> length=510 >> Sending Access-Challenge of id 37 to 192.168.214.100 port 65527 >> Waking up in 1.9 seconds. >> Ready to process requests. >> rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, >> length=510 > The NAS isn't receiving the Access-Challenge, or is ignoring it. The > request is being retransmitted. For some reason, it's being > re-processed, rather than having a cached reply returned. > >> Does anyone know what could be wrong here? >> I hope I can find here some helpful people here rather than in the Apple >> discussion forum, where nobody know deeply stuff. > Install 2.1.9 and try that. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius on MacOS X Server
Like it is always: Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User is authorized. Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State variable. Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User is authorized. Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the State variable. Can you please specify how it is all together configured in your environment that it works? Thanks Am 13.08.10 17:12, schrieb Theparanoidone Theparanoidone: >>> Fri Aug 13 14:46:50 2010 : Auth: rlm_opendirectory: User >>> is authorized. >>> Fri Aug 13 14:46:59 2010 : Error: rlm_eap: No EAP session matching the >>> State >>> variable. > Greetings~ > > Did you turn EAP on for the network connection on the computer/laptop with > the > wifi card? Perhaps you need to turn on an 802.1x profile with TTLS or etc: > > System Preferences -> > Network -> > Select The Airport adapter in the left column --> > Click "Advanced" (bottom right corner next to the help ?) > Select the 802.1x tab > Click the "+" to add a profile > Add a User Profile > Name it "test" or whatever > Enter your OpenDirectory login and password (local account prob won't work?) > Try TTLS > Select your network > Click ok > > Not sure if this will fix your issue, but give it a try > > We are using Snow Leopard Server radius for a corporate deployment on wired > switches and wireless devices (so with a little patience and configuration, > I'm > sure you'll get it to go) > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius on MacOS X Server
Hi all, I need help with the freeradius 2.1.3 in MacOS X Server. At the Apple discussion forum I don't get any answer. :( Using this version: radiusd: FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Feb 11 2010 at 02:25:02 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. In short terms, Apple is trying to make it easy, with the serveradmin you can just add an Apple Airport and it will be configured automatically for radius authentication with the open directory server. If I then try to connect to the WLAN, I see this message in the RADIUS log: Fri Aug 13 14:46:50 2010 : Auth: rlm_opendirectory: User is authorized. Fri Aug 13 14:46:59 2010 : Error: rlm_eap: No EAP session matching the State variable. I also activated the debug mode and it came out this: radiusd: Opening IP addresses and Ports Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=35, length=162 User-Name = "ahu" NAS-IP-Address = 192.168.214.100 NAS-Port = 0 Called-Station-Id = "00-1C-B3-AD-38-07:Andreas Huberts Netzwerk" Calling-Station-Id = "00-25-00-41-AD-F3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02eb000801616875 Message-Authenticator = 0xbf4e12e4c08fe497d93f036e78d9629d rlm_opendirectory: The host 192.168.214.100 does not have an access group. rlm_opendirectory: User is authorized. Sending Access-Challenge of id 35 to 192.168.214.100 port 65527 EAP-Message = 0x01ec00061520 Message-Authenticator = 0x State = 0x7643105976af05ff18e41e4ad6d190e3 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=36, length=336 User-Name = "ahu" NAS-IP-Address = 192.168.214.100 NAS-Port = 0 Called-Station-Id = "00-1C-B3-AD-38-07:Andreas Huberts Netzwerk" Calling-Station-Id = "00-25-00-41-AD-F3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02ec00a41580009a1603010095019103014c65432b508949d3aa234f3918396b1fcd3fc7210ed299f0517fadf848a1e03556c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100 State = 0x7643105976af05ff18e41e4ad6d190e3 Message-Authenticator = 0x8d68f17c3a5ee3cd61864c91fddc73be Sending Access-Challenge of id 36 to 192.168.214.100 port 65527 EAP-Message = 0x01ed035a15800350160301002a022603014c65432bf1c8143b2611d52b71758554023eb6d883ed38f8b702c5fefdc1f9222f0016030103130b00030f00030c00030930820305308201eda003020102020101300b06092a864886f70d01010530313122302006035504030c197873657276652d706172612d312e63656e73686172652e6465310b3009060355040613024445301e170d3039303932353134353334335a170d3130303932353134353334335a30313122302006035504030c197873657276652d706172612d312e63656e73686172652e6465310b300906035504061302444530820122300d06092a864886f70d01010105 EAP-Message = 0x000382010f003082010a0282010100b4b403f2e1b82e661ad564ed3b1c3953e5a71d922072239d7d0a739a2642ebb8dc193e610c34f4d06def71c8a9c081f37d6ef34d470eaed391cb21c2363c32c9712844156aed85a0a839d93452113fb915fc70ad9bce2f0d11a70c71311c125e6f66e6d6373cbbd2553d088f60db92e59d168d87c28309f73e10f5485fd5c2c60451297ec618f4261e9441ab4e7992cfc72b1f555e7a3597936dcc894601a5c2168e3a672febc7e69a343045ac62bc8d0fb5f7d87a93a99e4c9f18e24e281b5ea6c5533b4785c1954f35fdecfa64a3017af4f9ae8331eb7245d8912ae70750320cb801673874a568b25ad5c3a586 EAP-Message = 0x6e9dd6c58969b5dbeaa46a208e9208ce0dcd0203010001a32a3028300e0603551d0f0101ff04040302029430160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d01010505000382010100262f875e3f0a16e09ca6df3ce3fafe205f9d943c1dfeba61376d4a5920413e6b0d4624c76544e015c8816ae1dca1aa840eb46eb692477976e9a782f035f2b96a0c4e214c42593bebd70d72e3c08afe877de86d9257a4395dfaabbc3ce8cf76f22bbfa4b4726821763f14dca93d707ebd916f36bddb0dadda01ceb37fc84175c5ee15701b0f4627d7f46beb3b39e4b9ab2ec881677c36ec591f2d39e998dc69c14a8983e14575 EAP-Message = 0x83749dba69683b8f0974b4744e39aa1dba0cf926299a0d3f6e674d90fc70398fb49e2523dbbb00dcd54da3ec354dab350c190b5f3b7b2b2e032f63bf898e8ba323724abc12b4baad64938e8d1baebafebf9715debd36a2f7c59816030100040e00 Message-Authenticator = 0x State = 0x7643105977ae05f
Re: reauth-problem with WPA2-tls
Hello! Problem is fixed! Your missing a ssl-option when setting up SSL. Since SSL version 0.9.8j, openssl supports stateless session resumption. This means, no session_id is created in the server, if both, client and server, support it. I'm using on both sides openssl 0.9.8k, the server generates no session-key (which you need for saving resume-data). See: http://www.mail-archive.com/openssl-us...@openssl.org/msg56976.html. Setting ctx_options |= SSL_OP_NO_TICKET ; in rlm_eap_tls.c is needed, to get a working sessionhandling in freeradius with openssl > 0.9.8i. It was good to have a lot of comments in the code and to have a lot of debug messages. So I could follow what's going on in detail. Kind regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Alan DeKok schrieb: > Andreas Hartmann wrote: >> See http://bugs.freeradius.org/bugzilla/show_bug.cgi?id=81 > > Where you file a bug against FreeRADIUS for an OpenSSL issue. > > I understand that FreeRADIUS is affected. But... > >> It does not work for me. There seem to be problems with the >> session-handling, which should be checked, explained and, if necessary, >> fixed. > > FreeRADIUS does not create, update, or maintain the "session_id" > variable. It's created by OpenSSL. If has different values for the > "same" session, then file a bug against OpenSSL. > >> Until I don't have a comprehensibly explanation for the reported >> session-ID behavior, the current version (and 2.1.8) of freeradius is >> highly insecure. > > I have no idea why you think that's true. Failing to find a previous > session means that the new request will be rejected. There are no > security issues with rejecting users. That's right. But: 1. There could be a security issue with parallel handled users during initial login, because they probably have all the same empty session id's at the same time. 2. Session handling does definitely not work at this point (I tried to find the reason today but couldn't get it yet). Why should I believe that it works error free at the other places in freeradius? 3. You are right, that there are probably no security issues with rejected users. But why are you sure, that every session-id you get, does belong to the user you think that it belongs to? It could be the data from another user too. 4. I can't say, if it's an exploitable scenario. May be - may be not. The session-handling in freeradius does not allways work as expected and until now the cause for the not allways working session-handling is unknown. Or in other words: The session-handling works not predictable (sometimes it works as expected - sometimes not - but you can't define "sometimes" - or I didn't found it yet). Unpredictable behavior and security is a contradiction. It's your application that suffers - it's not openssls one. Therefore I can't understand why you don't set everything to get a real solution? And no, I don't want to bash you. I'm willing to help, but I need your support to try to understand what's going on. I am willing to help you to find and fix the problem - even if it is not a bug in freeradius. It is all the same to me, if it's a bug in openssl or in freeradius. I do have just one goal: freeradius should work predictable in that case. That's all and this goal can't be bad for you! I can't file a bug for openssl. What should I wrote? The session handling in openssl does not work with freeradius? They will say: ok, openssl has been patched for EAP or they will ask detailed things about the handling of SSL in freeradius. I think that you are the best person to answer these questions! BTW: During my investigations today, I detected, that the defined callback cbtls_new_session never gets called during an initial session. That corresponds to the thing, that I can't see any session-ID during initial login. I would like to know, why the client suddenly has a session-ID at resumption time? Where do they come from? Kind regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Alan DeKok schrieb: > Andreas Hartmann wrote: >> well, I thought about the problem with reauth: Why must there be passwords >> in the session? > > There shouldn't be passwords in the session. There should be a *name* > in the session. > >> That's why it shouldn't be necessary to have these Keys in the Session or >> in the response (the client didn't send any password, too). >> >> At the moment of adding the Password to the session, the handshake has been >> done already. > > I have no idea why you think it's adding passwords to the session. > It's not. I derived it from the PW_ prefix of the variable name, which is wrong. I know it meanwhile. >> Therefore, I did the following change (-> for testing only >> This should be used only with EAP/tls for testing - no warranty!): > > That change removes the fix added in 2.1.8. It *will* break your system. I know that it was added because of another reported bug. And I know, that my test-change can't be a solution (as I wrote myself). The problem seems to be much deeper. Kind regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Alan DeKok schrieb: > Andreas Hartmann wrote: >> Now, I looked at the SSL-session_id. >> >> tls_session->ssl->session->session_id is empty when the data is saved to >> the session. >> >> At the time the data is fetched from the session during reauth, the >> session_id is not empty (means: there is another id). > > OpenSSL is weird. > > The fast re-auth worked when I tested it with TTLS && PEAP. Others > have tested it to work. See http://bugs.freeradius.org/bugzilla/show_bug.cgi?id=81 It does not work for me. There seem to be problems with the session-handling, which should be checked, explained and, if necessary, fixed. Until I don't have a comprehensibly explanation for the reported session-ID behavior, the current version (and 2.1.8) of freeradius is highly insecure. Kind regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
return eaptls_fail(handler, peap_flag);
}
} else {
RDEBUG("Adding cached attributes to the reply:");
debug_pair_list(vp);
pairadd(&request->reply->vps, paircopy(vp));
/*
* Mark the request as resumed.
*/
vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
if (vp) pairadd(&request->packet->vps, vp);
}
}
---
That's what is sent to the client after this process:
Sending Access-Accept of id 52 to 192.168.1.9 port 2048
MS-MPPE-Recv-Key =
0x
MS-MPPE-Send-Key =
0x
EAP-Message = 0x03020004
Message-Authenticator = 0x
User-Name = "myu...@mydom.it"
Kind regards,
Andreas Hartmann
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Andreas Hartmann schrieb:
> Bjørn Mork schrieb:
>> Andreas Hartmann writes:
>>
>>> Fri Jun 4 11:22:48 2010 : Info: [tls] WARNING: No information in
>>> ^
>>> cached session!
>>> ^^^
>>>
>>> Fri Jun 4 11:22:48 2010 : Info: [eap] Freeing handler
>>> Fri Jun 4 11:22:48 2010 : Info: ++[eap] returns reject
>>> Fri Jun 4 11:22:48 2010 : Info: Failed to authenticate the user.
>>> Fri Jun 4 11:22:48 2010 : Auth: Login incorrect: [myu...@mydom] (from
>>> client WAP610N port 0 cli 00-13-)
>>> Fri Jun 4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
>>> Fri Jun 4 11:22:48 2010 : Info: +- entering group REJECT {...}
>>> Fri Jun 4 11:22:48 2010 : Info: [attr_filter.access_reject]expand:
>>> %{User-Name} -> myu...@mydom
>>> Fri Jun 4 11:22:48 2010 : Debug: attr_filter: Matched entry DEFAULT at
>>> line 11
>>> Fri Jun 4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
>>> updated
>>> Fri Jun 4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds
>>>
>>>
>>> What does it mean: No information in cached session? Couldn't the key be
>>> found (what's the key? The username "myuser" or "myu...@mydom" or
>>> soemthing else - do I have the chance to debug it?) or was the key
>>> found, but there was no data associated?
>>
>> I wondered about the same... You can find the session store and
>> retrieve code in src/modules/rlm_eap/libeap/eap_tls.c :
>>
>> } else if (!SSL_session_reused(tls_session->ssl)) {
>> RDEBUG2("Saving response in the cache");
>>
>> vp = paircopy2(request->reply->vps, PW_USER_NAME);
>> pairadd(&vps, vp);
>>
>> vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
>> pairadd(&vps, vp);
>>
>> if (vps) {
>> SSL_SESSION_set_ex_data(tls_session->ssl->session,
>> eaptls_session_idx, vps);
>> } else {
>> RDEBUG2("WARNING: No information to cache: session
>> caching will be disabled for this session.");
>> SSL_CTX_remove_session(tls_session->ctx,
>> tls_session->ssl->session);
>> }
>>
>> /*
>> * Else the session WAS allowed. Copy the cached
>> * reply.
>> */
>>
>> } else {
>>
>> vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
>> eaptls_session_idx);
>> if (!vp) {
>> RDEBUG("WARNING: No information in cached session!");
>> return eaptls_fail(handler, peap_flag);
>> } else {
>> RDEBUG("Adding cached attributes to the reply:");
>> debug_pair_list(vp);
>> pairadd(&request->reply->vps, paircopy(vp));
>>
>> /*
>> * Mark the request as resumed.
>> */
>> vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
>> if (vp) pairadd(&request->packet->vps, vp);
>> }
>> }
>>
>>
>> So I guess the warning means that either SSL_SESSION_set_ex_data() or
>> SSL_SESSION_get_ex_data() failed. A useful change would be testing the
>> return value of SSL_SESSION_set_ex_data() and print a warning if it
>> fails, possibly using ERR_get_error() and ERR_error_string() or similar
>> to get the actual error. The latter would also be useful in the
>> SSL_SESSION_get_ex_data() failure case
>
> Debugging of SSL_SESSION_set_ex_data()
>
> The returncode of the function is 1 (don't know, if it should be 0 - but
> it could be correct too, if it means, that one pair has been stored).
>
> vps, which SSL_SESSION_set_ex_data() is given as argument, consists of
> one NULL element.
>
> request->packet->vps->name gives User-Name, request->reply-vps is null
> (should be PW_USER_NAME). But there cant be any password, because there
> exists no password, because the authen
Re: reauth-problem with WPA2-tls
Bjørn Mork schrieb:
> Andreas Hartmann writes:
>
>> Fri Jun 4 11:22:48 2010 : Info: [tls] WARNING: No information in
>> ^
>> cached session!
>> ^^^
>>
>> Fri Jun 4 11:22:48 2010 : Info: [eap] Freeing handler
>> Fri Jun 4 11:22:48 2010 : Info: ++[eap] returns reject
>> Fri Jun 4 11:22:48 2010 : Info: Failed to authenticate the user.
>> Fri Jun 4 11:22:48 2010 : Auth: Login incorrect: [myu...@mydom] (from
>> client WAP610N port 0 cli 00-13-)
>> Fri Jun 4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
>> Fri Jun 4 11:22:48 2010 : Info: +- entering group REJECT {...}
>> Fri Jun 4 11:22:48 2010 : Info: [attr_filter.access_reject]expand:
>> %{User-Name} -> myu...@mydom
>> Fri Jun 4 11:22:48 2010 : Debug: attr_filter: Matched entry DEFAULT at
>> line 11
>> Fri Jun 4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
>> updated
>> Fri Jun 4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds
>>
>>
>> What does it mean: No information in cached session? Couldn't the key be
>> found (what's the key? The username "myuser" or "myu...@mydom" or
>> soemthing else - do I have the chance to debug it?) or was the key
>> found, but there was no data associated?
>
> I wondered about the same... You can find the session store and
> retrieve code in src/modules/rlm_eap/libeap/eap_tls.c :
>
> } else if (!SSL_session_reused(tls_session->ssl)) {
> RDEBUG2("Saving response in the cache");
>
> vp = paircopy2(request->reply->vps, PW_USER_NAME);
> pairadd(&vps, vp);
>
> vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
> pairadd(&vps, vp);
>
> if (vps) {
> SSL_SESSION_set_ex_data(tls_session->ssl->session,
> eaptls_session_idx, vps);
> } else {
> RDEBUG2("WARNING: No information to cache: session
> caching will be disabled for this session.");
> SSL_CTX_remove_session(tls_session->ctx,
> tls_session->ssl->session);
> }
>
> /*
>* Else the session WAS allowed. Copy the cached
>* reply.
>*/
>
> } else {
>
> vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
>eaptls_session_idx);
> if (!vp) {
> RDEBUG("WARNING: No information in cached session!");
> return eaptls_fail(handler, peap_flag);
> } else {
> RDEBUG("Adding cached attributes to the reply:");
> debug_pair_list(vp);
> pairadd(&request->reply->vps, paircopy(vp));
>
> /*
>* Mark the request as resumed.
>*/
> vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
> if (vp) pairadd(&request->packet->vps, vp);
> }
> }
>
>
> So I guess the warning means that either SSL_SESSION_set_ex_data() or
> SSL_SESSION_get_ex_data() failed. A useful change would be testing the
> return value of SSL_SESSION_set_ex_data() and print a warning if it
> fails, possibly using ERR_get_error() and ERR_error_string() or similar
> to get the actual error. The latter would also be useful in the
> SSL_SESSION_get_ex_data() failure case
Debugging of SSL_SESSION_set_ex_data()
The returncode of the function is 1 (don't know, if it should be 0 - but
it could be correct too, if it means, that one pair has been stored).
vps, which SSL_SESSION_set_ex_data() is given as argument, consists of
one NULL element.
request->packet->vps->name gives User-Name, request->reply-vps is null
(should be PW_USER_NAME). But there cant be any password, because there
exists no password, because the authentication is done exclusively with
keys.
Could this problem be solved by a configuration entry or must it be
hacked? Is it possible to give wpa_supplicant a dummy password?
Debugging of SSL_SESSION_get_ex_data()
At resuming, Index is 2 (eaptls_session_idx). This would be ok. Seems,
that the returncode 1 from SSL_SESSION_set_ex_data() means, that nothing
has been saved.
I would be happy to get some more hints :-).
Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Andreas Hartmann schrieb:
> Alan DeKok schrieb:
>> Andreas Hartmann wrote:
>>> I have one basic question:
>>> There are now two different caches: one in eap (based on ssl) and the
>>> extern cache, rlm_caching.
>>
>> rlm_caching has nothing to do with EAP.
>>
>>> If I want to use fast_reauth, is it necessary to enable both caches or
>>> must the ssl-cache in eap.conf be disabled to run fast_reauth
>>> successfully with rlm_caching?
>>
>> The EAP configuration explains what you need to do for fast re-auth.
>>
>>> Meanwhile, I have a configuration, which does a User-Name-based
>>> rlm_caching at the end of the last fragment of the initial
>>> authentication with an originaly empty database.
>>
>> What is it supposed to do?
>>
>>> But the problem is:
>>>
>>> If the user reconnects or wants to connect initial again, the process is
>>> stopped (with success returned) at the moment, the client sends the
>>> User-Name.
>>> This is wrong. The process can't be interrupted before the key exchange
>>> has been done successfully.
>>> How can this be written in the config-file (authorize-section)?
>>
>> What do you want to do?
>>
>> I have no idea why you configured the caching module, and you haven't
>> explained why you configured it.
>
> Thanks for your reply,
>
> I configured it, because fast-reauth doesn't work for me.
>
> - In the wpa_supplicant, fast_reauth is switched to 1.
> - In eap.conf, the cache under tls is enabled.
>
> Now, wpa_supplicant is started and the client got authenticated. But
> there is a warning nearly at the end of the successfull authentication:
>
> Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3
> Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_process returned 3
> Fri Jun 4 09:42:11 2010 : Info: [tls] Adding user data to cached session
> Fri Jun 4 09:42:11 2010 : Info: [tls] Saving response in the cache
> Fri Jun 4 09:42:11 2010 : Info: [tls] WARNING: No information to
> ^^
> cache: session caching will be disabled for this session.
>
Meanwhile, I defined a realm (I didn't had any until now). This seems to
make the initial session caching working!
Jun 4 11:12:43 2010 : Info: [tls] ACK handshake is finished
Fri Jun 4 11:12:43 2010 : Info: [tls] eaptls_verify returned 3
Fri Jun 4 11:12:43 2010 : Info: [tls] eaptls_process returned 3
Fri Jun 4 11:12:43 2010 : Info: [tls] Adding user data to cached
^^
session
^^^
Fri Jun 4 11:12:43 2010 : Info: [tls] Saving response in the cache
Fri Jun 4 11:12:43 2010 : Info: [eap] Freeing handler
Fri Jun 4 11:12:43 2010 : Info: ++[eap] returns ok
Fri Jun 4 11:12:43 2010 : Auth: Login OK: [myu...@mydom] (from client
WAP610N port 0 cli 00-13-)
But the following fast-reauth doesn't work nevertheless:
Fri Jun 4 11:22:48 2010 : Info: [tls] Done initial handshake
Fri Jun 4 11:22:48 2010 : Info: [tls] <<< TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Jun 4 11:22:48 2010 : Info: [tls] <<< TLS 1.0 Handshake [length
0010], Finished
Fri Jun 4 11:22:48 2010 : Info: [tls] TLS_accept: SSLv3 read finished A
Fri Jun 4 11:22:48 2010 : Info: [tls] (other): SSL negotiation
finished successfully
Fri Jun 4 11:22:48 2010 : Debug: SSL Connection Established
Fri Jun 4 11:22:48 2010 : Debug: SSL Application Data
Fri Jun 4 11:22:48 2010 : Info: [tls] eaptls_process returned 3
Fri Jun 4 11:22:48 2010 : Info: [tls] Retrieved session data from
cached session
Fri Jun 4 11:22:48 2010 : Info: [tls] WARNING: No information in
^
cached session!
^^^
Fri Jun 4 11:22:48 2010 : Info: [eap] Freeing handler
Fri Jun 4 11:22:48 2010 : Info: ++[eap] returns reject
Fri Jun 4 11:22:48 2010 : Info: Failed to authenticate the user.
Fri Jun 4 11:22:48 2010 : Auth: Login incorrect: [myu...@mydom] (from
client WAP610N port 0 cli 00-13-)
Fri Jun 4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
Fri Jun 4 11:22:48 2010 : Info: +- entering group REJECT {...}
Fri Jun 4 11:22:48 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> myu...@mydom
Fri Jun 4 11:22:48 2010 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Jun 4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jun 4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds
What does it mean: No information in cached session? Couldn't the key be
found (what's the key? The username "myuser" or "myu...@mydom" or
soemthing else - do I have the chance to debug it?) or was the key
found, but there was no data associated?
Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Alan DeKok schrieb:
> Andreas Hartmann wrote:
>> I have one basic question:
>> There are now two different caches: one in eap (based on ssl) and the
>> extern cache, rlm_caching.
>
> rlm_caching has nothing to do with EAP.
>
>> If I want to use fast_reauth, is it necessary to enable both caches or
>> must the ssl-cache in eap.conf be disabled to run fast_reauth
>> successfully with rlm_caching?
>
> The EAP configuration explains what you need to do for fast re-auth.
>
>> Meanwhile, I have a configuration, which does a User-Name-based
>> rlm_caching at the end of the last fragment of the initial
>> authentication with an originaly empty database.
>
> What is it supposed to do?
>
>> But the problem is:
>>
>> If the user reconnects or wants to connect initial again, the process is
>> stopped (with success returned) at the moment, the client sends the
>> User-Name.
>> This is wrong. The process can't be interrupted before the key exchange
>> has been done successfully.
>> How can this be written in the config-file (authorize-section)?
>
> What do you want to do?
>
> I have no idea why you configured the caching module, and you haven't
> explained why you configured it.
Thanks for your reply,
I configured it, because fast-reauth doesn't work for me.
- In the wpa_supplicant, fast_reauth is switched to 1.
- In eap.conf, the cache under tls is enabled.
Now, wpa_supplicant is started and the client got authenticated. But
there is a warning nearly at the end of the successfull authentication:
Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3
Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_process returned 3
Fri Jun 4 09:42:11 2010 : Info: [tls] Adding user data to cached session
Fri Jun 4 09:42:11 2010 : Info: [tls] Saving response in the cache
Fri Jun 4 09:42:11 2010 : Info: [tls] WARNING: No information to
^^
cache: session caching will be disabled for this session.
Fri Jun 4 09:42:11 2010 : Info: [eap] Freeing handler
Fri Jun 4 09:42:11 2010 : Info: ++[eap] returns ok
Fri Jun 4 09:42:11 2010 : Auth: Login OK: [myu...@mydom] (from client
WAP610N port 0 cli 00-13-.)
Fri Jun 4 09:42:11 2010 : Info: +- entering group post-auth {...}
Fri Jun 4 09:42:11 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 238 to 192.168 port 2048
Some time later, the fast_reauth follows, which breaks, because of
missing datas in the cache.
My question is: How must the client or the server be configured, that
there are cached datas in order to get a working fast_reauth?
rad_recv: Access-Request packet from host 192.168.1.9 port 2048, id=240,
length=177
User-Name = "myu...@mydom"
NAS-Port = 0
Called-Station-Id = "00-25-...:mywlan"
Calling-Station-Id = "00-13-"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0217016e6f7465626f6f6b31406d6179612e6f7267
Message-Authenticator = 0xc7d7831bf74eb29cc2862fbf9c1164f8
Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...}
Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok
Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for
User-Name = "myu...@mydom"
Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom"
Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 0
length 23
Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated
Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound
Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry
myu...@mydom at line 203
Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok
Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop
Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop
Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP
Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...}
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP Identity
Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls
Fri Jun 4 10:05:37 2010 : Info: [tls] Requiring client certificate
Fri Jun 4 10:05:37 2010 : Info: [tls] Initiate
Fri Jun 4 10:05:37 2010 : Info: [tls] Start returned 1
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168 port 2048
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0xbc40ebedbc41e6950bd358ee7ea3ba57
Fri Jun 4 10:05:37 2
Re: reauth-problem with WPA2-tls
Alexander Clouter schrieb:
> Bjørn Mork wrote:
>> Andreas Hartmann writes:
>>
>>> Yes, you're right - I meant option eap -> tls -> cache -> enable is
>>> switched _on_ and fast_reauth is on too on the supplicant. My wrong :-(.
>>>
>>> You can see it at this log entry at the initial login:
>>> Wed Jun 2 20:29:14 2010 : Info: [tls] Adding user data to cached session
>>> Wed Jun 2 20:29:14 2010 : Info: [tls] Saving response in the cache
>>> Wed Jun 2 20:29:14 2010 : Info: [tls] WARNING: No information to cache:
>>> session caching will be disabled for this session.
>>>
>>> And then the reauth:
>>>
>>> Wed Jun 2 20:39:18 2010 : Info: [tls] Retrieved session data from
>>> cached session
>>> Wed Jun 2 20:39:18 2010 : Info: [tls] WARNING: No information in cached
>>> session!
>>
>> FWIW I've seen exactly the same with FR 2.1.8. Ended up disabling
>> caching. But I would like to know the cause of this "No information to
>> cache" warning. The resulting failure to retrieve cached data is of
>> course to be expected, but the warning itself doesn't make any sense to
>> me. There must be information to cache since the authentication is
>> sucessful.
>>
> The 'No information to cache' means you do not have anything useful
> (for example 'User-Name') in the reply packet.
>
> In the post-auth of my inner-eap virtual server I have added:
>
> post-auth {
> ...
> # needed for TTLS cache
> update reply {
> User-Name := "%{request:User-Name}"
> }
> ...
> }
>
Ok, I'm using exclusivly certificates for authorization. Therefore, I
dont't have any inner-eap, if I got it right.
I have one basic question:
There are now two different caches: one in eap (based on ssl) and the
extern cache, rlm_caching.
If I want to use fast_reauth, is it necessary to enable both caches or
must the ssl-cache in eap.conf be disabled to run fast_reauth
successfully with rlm_caching?
Meanwhile, I have a configuration, which does a User-Name-based
rlm_caching at the end of the last fragment of the initial
authentication with an originaly empty database.
The entry is the following in /etc/raddb/modules/caching
caching {
filename = ${db_dir}/db.cache
cache-ttl = 1d
hit-ratio = 1000
key = "%{User-Name}"
# post-auth = "%{User-Name}"
cache-size = 20
# cache-rejects = yes
}
I'm not sure, if User-Name is the best key for this purpose.
In /etc/raddb/sites-enabled/defaults, caching has the following entries:
authorize {
caching {
ok = return
}
}
post-auth {
caching
if (updated) {
update reply {
User-Name := "%{User-Name}"
}
}
}
With this config, the key is written to the caching database at the end
of the inital login.
But the problem is:
If the user reconnects or wants to connect initial again, the process is
stopped (with success returned) at the moment, the client sends the
User-Name.
This is wrong. The process can't be interrupted before the key exchange
has been done successfully.
How can this be written in the config-file (authorize-section)?
Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
Andreas Hartmann schrieb: > David Mitchell schrieb: >> Alan DeKok wrote: >>> Andreas Hartmann wrote: >>>> In eap.conf, the option eap -> tls -> cache -> enable is switched off >>>> and fast_reauth in wpa_supplicant is enabled. >>> >>> Uh... that makes no sense. >>> >>> You've disabled caching (i.e fast re-auth) on the server, and enabled >>> it on the client. Why are you surprised that fast re-auth isn't working? >> >> I've seen similar problems between FreeRadius and wpa_supplicant both >> with and without the cache enabled. Getting wpa_supplicant to restart >> seems to clear it temporarily. > > Well, I took your realization to implement the following workaround: > > Caching is enabled in freeradius, fast_reauth is switched on in > wpa_supplicant. > > I set the reauth-timeout of the AP to 2 hours. On the supplicant, I > started a cronjob, which HUP's the supplicant each 59 minutes. That's > the way how the supplicant is prevented to do a fast reauth (which > doesn't really work). A full reauth isn't necessary too, because of the > sig hup all 59 minutes, which is done like this: > > rad_recv: Accounting-Request packet from host 192.168.1.9 port 2049, > id=112, length=177 > Acct-Session-Id = "001B-0007" > Acct-Status-Type = Stop > Acct-Authentic = RADIUS > User-Name = "myu...@mydom" > NAS-Port = 0 > Called-Station-Id = "00-25-...:mylan" > Calling-Station-Id = "00-13-..." > NAS-Port-Type = Wireless-802.11 > Connect-Info = "CONNECT 11Mbps 802.11b" > Acct-Session-Time = 358 > Event-Timestamp = "Jan 1 1970 02:26:18 CET" Hmmm, where does this funny Event-Timestamp comes from? All my times of client and server are ok. Otherwise, I can't find any way to set the time at the AP (linksys WAP610N)? Is there any way? clueless ... Kind regards, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reauth-problem with WPA2-tls
David Mitchell schrieb:
> Alan DeKok wrote:
>> Andreas Hartmann wrote:
>>> In eap.conf, the option eap -> tls -> cache -> enable is switched off
>>> and fast_reauth in wpa_supplicant is enabled.
>>
>> Uh... that makes no sense.
>>
>> You've disabled caching (i.e fast re-auth) on the server, and enabled
>> it on the client. Why are you surprised that fast re-auth isn't working?
>
> I've seen similar problems between FreeRadius and wpa_supplicant both
> with and without the cache enabled. Getting wpa_supplicant to restart
> seems to clear it temporarily.
Well, I took your realization to implement the following workaround:
Caching is enabled in freeradius, fast_reauth is switched on in
wpa_supplicant.
I set the reauth-timeout of the AP to 2 hours. On the supplicant, I
started a cronjob, which HUP's the supplicant each 59 minutes. That's
the way how the supplicant is prevented to do a fast reauth (which
doesn't really work). A full reauth isn't necessary too, because of the
sig hup all 59 minutes, which is done like this:
rad_recv: Accounting-Request packet from host 192.168.1.9 port 2049,
id=112, length=177
Acct-Session-Id = "001B-0007"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "myu...@mydom"
NAS-Port = 0
Called-Station-Id = "00-25-...:mylan"
Calling-Station-Id = "00-13-..."
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
Acct-Session-Time = 358
Event-Timestamp = "Jan 1 1970 02:26:18 CET"
Acct-Terminate-Cause = User-Request
Thu Jun 3 05:41:43 2010 : Info: +- entering group preacct {...}
Thu Jun 3 05:41:43 2010 : Info: ++[preprocess] returns ok
Thu Jun 3 05:41:43 2010 : Info: [acct_unique] Hashing 'NAS-Port =
0,Client-IP-Address = 192.168.1.9,NAS-IP-Address =
192.168.1.9,Acct-Session-Id = "001B-0007",User-Name =
"myu...@mydom"'
Thu Jun 3 05:41:43 2010 : Info: [acct_unique] Acct-Unique-Session-ID =
"aba6339d45d8fab1".
Thu Jun 3 05:41:43 2010 : Info: ++[acct_unique] returns ok
Thu Jun 3 05:41:43 2010 : Info: [suffix] Looking up realm "mydom" for
User-Name = "myu...@mydom"
Thu Jun 3 05:41:43 2010 : Info: [suffix] No such realm "mydom"
Thu Jun 3 05:41:43 2010 : Info: ++[suffix] returns noop
Thu Jun 3 05:41:43 2010 : Info: ++[files] returns noop
Thu Jun 3 05:41:43 2010 : Info: +- entering group accounting {...}
Thu Jun 3 05:41:43 2010 : Info: [detail] expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.9/detail-20100603
Thu Jun 3 05:41:43 2010 : Info: [detail]
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.1.9/detail-20100603
Thu Jun 3 05:41:43 2010 : Info: [detail] expand: %t -> Thu Jun 3
05:41:43 2010
Thu Jun 3 05:41:43 2010 : Info: ++[detail] returns ok
Thu Jun 3 05:41:43 2010 : Info: ++[unix] returns ok
Thu Jun 3 05:41:43 2010 : Info: [radutmp] expand:
/var/log/radius/radutmp -> /var/log/radius/radutmp
Thu Jun 3 05:41:43 2010 : Info: [radutmp] expand: %{User-Name} ->
myu...@mydom
Thu Jun 3 05:41:43 2010 : Info: ++[radutmp] returns ok
Thu Jun 3 05:41:43 2010 : Info: [attr_filter.accounting_response]
expand: %{User-Name} -> myu...@mydom
Thu Jun 3 05:41:43 2010 : Debug: attr_filter: Matched entry DEFAULT at
line 12
Thu Jun 3 05:41:43 2010 : Info: ++[attr_filter.accounting_response]
returns updated
Sending Accounting-Response of id 112 to 192.168.1.9 port 2049
Thu Jun 3 05:41:43 2010 : Info: Finished request 111.
Thu Jun 3 05:41:43 2010 : Info: Cleaning up request 111 ID 112 with
timestamp +5054
Thu Jun 3 05:41:43 2010 : Debug: Going to the next request
Thu Jun 3 05:41:43 2010 : Info: Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.1.9 port 2049,
id=113, length=159
Acct-Session-Id = "001B-0008"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "myu...@mydom"
NAS-Port = 0
Called-Station-Id = "00-25-...:mylan"
Calling-Station-Id = "00-13-..."
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
Thu Jun 3 05:41:44 2010 : Info: +- entering group preacct {...}
Thu Jun 3 05:41:44 2010 : Info: ++[preprocess] returns ok
Thu Jun 3 05:41:44 2010 : Info: [acct_unique] Hashing 'NAS-Port =
0,Client-IP-Address = 192.168.1.9,NAS-IP-Address =
192.168.1.9,Acct-Session-Id = "001B-0008",User-Name =
"myu...@mydom"'
Thu Jun 3 05:41:44 2010 : Info: [acct_unique] Acct-Unique-Session-ID =
"efac47a366ac188f".
Thu Jun 3 05:41:4
Re: reauth-problem with WPA2-tls
Alan DeKok schrieb:
> Andreas Hartmann wrote:
>> In eap.conf, the option eap -> tls -> cache -> enable is switched off
>> and fast_reauth in wpa_supplicant is enabled.
>
> Uh... that makes no sense.
Yes, you're right - I meant option eap -> tls -> cache -> enable is
switched _on_ and fast_reauth is on too on the supplicant. My wrong :-(.
You can see it at this log entry at the initial login:
Wed Jun 2 20:29:14 2010 : Info: [tls] Adding user data to cached session
Wed Jun 2 20:29:14 2010 : Info: [tls] Saving response in the cache
Wed Jun 2 20:29:14 2010 : Info: [tls] WARNING: No information to cache:
session caching will be disabled for this session.
And then the reauth:
Wed Jun 2 20:39:18 2010 : Info: [tls] Retrieved session data from
cached session
Wed Jun 2 20:39:18 2010 : Info: [tls] WARNING: No information in cached
session!
Wed Jun 2 20:39:18 2010 : Info: [eap] Freeing handler
Wed Jun 2 20:39:18 2010 : Info: ++[eap] returns reject
Wed Jun 2 20:39:18 2010 : Info: Failed to authenticate the user.
Wed Jun 2 20:39:18 2010 : Auth: Login incorrect: [myu...@mydom] (from
client WAP610N port 0 cli 00-13-...)
Wed Jun 2 20:39:18 2010 : Info: Using Post-Auth-Type Reject
Wed Jun 2 20:39:18 2010 : Info: +- entering group REJECT {...}
Wed Jun 2 20:39:18 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> myu...@mydom
Wed Jun 2 20:39:18 2010 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Wed Jun 2 20:39:18 2010 : Info: ++[attr_filter.access_reject] returns
updated
Wed Jun 2 20:39:18 2010 : Info: Delaying reject of request 13 for 1 seconds
Wed Jun 2 20:39:18 2010 : Debug: Going to the next request
Wed Jun 2 20:39:18 2010 : Debug: Waking up in 0.9 seconds.
Wed Jun 2 20:39:19 2010 : Info: Sending delayed reject for request 13
Sending Access-Reject of id 55 to 192.168.1.9 port 2048
EAP-Message = 0x040c0004
Message-Authenticator = 0x
It's strangely, that the supplicant couldn't be authorized but the AP
doesn't lock the connection anyway :-). I would have resoected, that the
connection would have been locked afterwards. Instead of, the supplicant
reauths from now on every minute, using this broken fast reauth.
If I do a full reauthentication, the authentication succeeds, but I'm
getting locked anywhere - that makes no sense to me.
>> If fast_reauth in wpa_supplicant is disabled, the reauthentication >>
works fine, but the connection between the AP and the supplicant ist
>> interrupted for about 20 seconds - much to long :-).
>>
>>
>> Do you have any idea how to solve this problem?
>
> Find out why the supplicant is taking 20s for authentication.
How much time should be ok for the full reauthentication?
I traced the authentication and could see, that the part with the
radiusserver takes less than a second. Most of the time is needed until
the AP sends the new keys for the encryption of the session.
Ok, sometimes it's a little bit faster (9 seconds).
Thanks for your help,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
reauth-problem with WPA2-tls
Info: [tls] Done initial handshake Wed Jun 2 21:04:16 2010 : Info: [tls] (other): before/accept initialization Wed Jun 2 21:04:16 2010 : Info: [tls] TLS_accept: before/accept initialization Wed Jun 2 21:04:16 2010 : Info: [tls] <<< TLS 1.0 Handshake [length 050b], ClientHello Wed Jun 2 21:04:16 2010 : Error: TLS_accept:error in SSLv3 read client hello C Wed Jun 2 21:04:16 2010 : Error: rlm_eap: SSL error error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized Wed Jun 2 21:04:16 2010 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. Wed Jun 2 21:04:16 2010 : Debug: TLS receive handshake failed during operation If fast_reauth in wpa_supplicant is disabled, the reauthentication works fine, but the connection between the AP and the supplicant ist interrupted for about 20 seconds - much to long :-). Do you have any idea how to solve this problem? Thanks for you help, Andreas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Default Proxy and Domain
Hello,
i have a working setup but following question:
In my proxy.conf i have one entry with our company nt domain (for wlan auth)
realm ZB {
type= radius
authhost= LOCAL
accthost= LOCAL
strip
}
Why does it not work, if i configure the same with "realm DEFAULT", does the
DEFAULT realm not match
all realms, known or unknown ?
regards,
Andreas M.
--
g,
Andreas M.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Server Certs with xp extensiosn
Hello, i have a working wlan environment with WPA/PEAP MSCHAPv2 and self signed certificates with xp server extensions included. Now we received a certificate from Thawte and i want to use it as server certificate for the radius server, but there are no xp extensions in there, because with self signed it is working but not with the Thawte cert. Does anyone know, how to include the xp extension into the Thawte certificate ? best regards, Andreas M. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: users authentication problem
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
...I would have bet that I had done exactly these steps this morning. But
nevertheless I tried it another time and - succeeded.
Thanks for pushing my nose on this again and again - it finally helped :) I
will try to find the differences between the two versions...
thanks and regards,
Andy
On Tuesday 12 May 2009 13:37:07 Ivan Kalik wrote:
> > sites-enabled/default:
> >
> >
> > authorize {
> > chap
> > suffix
> > eap {
> > ok = return
> > }
> > files
> > expiration
> > logintime
> > pap
> > }
>
> ...
>
> > Tue May 12 11:35:50 2009 : Info: server default {
> > Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type)
> > configuration found for the request: Rejecting the user
>
> I can't see any of the authorize modules being used. Why don't you first
> use the default configuration. Just add the user entry at the top of the
> users file.
>
> Ivan
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoJZQMACgkQRrny/uOBVy57hACgjlsNGxq8naeWGD7W6tY3JvSq
5dkAoJhatzqx9IJR0LjvVg9amIK6WCIr
=ek/G
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: users authentication problem
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
On Tuesday 12 May 2009 11:57:14 Alan DeKok wrote:
> Andreas Bourges wrote:
> > -> the user gets rejected, but not because of the Auth-Type := Reject
> > setting in the users file. This is the same behaviour we observer when
> > configuring "real" user accounts having a password associated, like the
> > following:
> >
> > testuser Auth-Type := Local, Cleartext-Password == "blabla"
>
> See the FAQ for the *CORRECT* configuration:
Jep, sorry - should have had a look there, first. But even the simplest
example from the FAQ doesn't work:
bob Cleartext-Password := "bob"
Reply-Message = "Hello, bob"
rad_recv: Access-Request packet from host 127.0.0.1 port 33026, id=225,
length=55
User-Name = "bob"
User-Password = "bob"
NAS-IP-Address = 10.0.0.206
NAS-Port = 0
Tue May 12 13:25:55 2009 : Info: server default {
Tue May 12 13:25:55 2009 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue May 12 13:25:55 2009 : Info: Failed to authenticate the user.
Tue May 12 13:25:55 2009 : Info: } # server default
>
> testuser Cleartext-Password := "blabla"
Thanks for the tip, but it didn't help, same msg from radiusd as before.
>
> Do NOT set Auth-Type.
>
I must be doing something very basic wrong, I guess. Could it be a build
problem (compiled freeradius from source on my own). Where can I look further?
thanks for any hint,
Andy
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoJXb4ACgkQRrny/uOBVy4iAwCdHRdd3Kk8bZe+Fb1QfKCar1V2
A7oAoMKKJFqTYyr47Mx/nTbAH+K41ihs
=PYiY
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
users authentication problem
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
...we recently upgraded vom freeradius 0.9 to freeradius 2.1.4. Unfortunately
local users cannot be authenticated anymore.
This morning I used the default configuration files from 2.1.4 and started
from scratch. My first objective was to get any valid response from the
freeradiusd - but unluckily, without success.
In the users file, I enabled the following line:
lameuserAuth-Type := Reject
Reply-Message = "Your account has been disabled."
one entry in clients.conf for localhost testing:
client localhost {
ipaddr = 127.0.0.1
secret = testing123
require_message_authenticator = no
nastype = other
virtual_server = default
}
sites-enabled/default:
authorize {
chap
suffix
eap {
ok = return
}
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
files
}
I think that must be the main configuration items for my very basic test. Then
I run freeradiusd -X -xx and test the user via radclient:
echo "User-Name=lameuser, Password=bla, NAS-IP-Address=127.0.0.1" | radclient
- -r 1 -x -s 127.0.0.1 auth 'testing123'
results in:
Sending Access-Request of id 20 to 127.0.0.1 port 1812
User-Name = "lameuser"
Password = "bla"
NAS-IP-Address = 127.0.0.1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=20, length=20
Total approved auths: 0
Total denied auths: 1
Total lost auths: 0
The radiusd logs the following:
Tue May 12 11:31:58 2009 : Debug: Listening on authentication address * port
1812
Tue May 12 11:31:58 2009 : Debug: Listening on accounting address * port 1813
Tue May 12 11:31:58 2009 : Debug: Listening on command file
/var/run/freeradius/run/radiusd/radiusd.sock
Tue May 12 11:31:58 2009 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 33013, id=5,
length=54
User-Name = "lameuser"
User-Password = "bla"
NAS-IP-Address = 127.0.0.1
Tue May 12 11:32:04 2009 : Info: server default {
Tue May 12 11:32:04 2009 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue May 12 11:32:04 2009 : Info: Failed to authenticate the user.
Tue May 12 11:32:04 2009 : Info: } # server default
- -> the user gets rejected, but not because of the Auth-Type := Reject setting
in the users file. This is the same behaviour we observer when configuring
"real" user accounts having a password associated, like the following:
testuser Auth-Type := Local, Cleartext-Password == "blabla"
server log says:
Tue May 12 11:35:50 2009 : Info: server default {
Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue May 12 11:35:50 2009 : Info: Failed to authenticate the user.
Tue May 12 11:35:50 2009 : Info: } # server default
Thanks for any hints troubleshooting this!
Regards,
Andy
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoJQ+MACgkQRrny/uOBVy7sggCfRfAjnhIkHwQbElEUwwZWPM4L
DIEAniJziPLwpdyQKAWpa/vJvGAftmq1
=4Tih
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco NAS and 4GB Problem
Hello, yes i rebooted the router, i was also not able to find similiar proplems on cisco pages. Maybe it is easier to report this to cisco, i thought anyone had same troubles. thanks so far. r, Andreas M. Stefan Winter schrieb: I never saw the gigaword attribute, i think they are only send, when it is necessary, or is this wrong ? I'm not sure. I think I saw them filled with 0 as appropriate. Did IOS tell you to reboot the NAS before the setting takes effect? Did you do that? If that doesn't help, read your NAS documentation. I'm not a Cisco employee and will not do their work. Stefan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- g, Andreas M. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco NAS and 4GB Problem
Hello, i´ve done this already twice, but why does this happen only on virtual access interfaces and not on the upstream interface ?! I never saw the gigaword attribute, i think they are only send, when it is necessary, or is this wrong ? r, Andreas M. Stefan Winter schrieb: > Hi, > > your accounting packets don't include the Gigawords attributes. Try adding > aaa accounting gigawords > > to your IOS config. This may require a NAS reboot on some IOS versions(!!!). > > Greetings, > > Stefan Winter > > > > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Stefan Winter schrieb: Hi, your accounting packets don't include the Gigawords attributes. Try adding aaa accounting gigawords to your IOS config. This may require a NAS reboot on some IOS versions(!!!). Greetings, Stefan Winter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- g, Andreas M. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cisco NAS and 4GB Problem
Hello, i have some troubles with a cisco NAS, with a 4GB problem in the Accounting Data. First i have gigawords enabled, also the sql queries, but this is not the reason. I have also accounting for the upstream interface enabled, but the error exists only for users, that are connected via virtual-interfaces (pptp dialup). Maybe this problem is not realy radius related, but i hope to find an answer. I included some log entries and config examples, maybe someone has any experience with this errors. regards, Andreas M. Here is the last interim update: Tue Apr 15 23:23:46 2008 Acct-Session-Id = "0006" Tunnel-Medium-Type:0 = IPv4 Tunnel-Assignment-Id:0 = "1" Tunnel-Server-Auth-Id:0 = "A_Router" Acct-Tunnel-Connection = "40682" Framed-Protocol = PPP Framed-IP-Address = 10.1.0.1 User-Name = "6543765" Acct-Session-Time = 28088 Acct-Input-Octets = 18615686 Acct-Output-Octets = 218389141 Acct-Input-Packets = 226199 Acct-Output-Packets = 305451 Acct-Authentic = RADIUS Acct-Status-Type = Interim-Update NAS-Port-Type = Virtual NAS-Port = 3 NAS-Port-Id = "Uniq-Sess-ID3" Service-Type = Framed-User NAS-IP-Address = 192.168.1.11 Acct-Delay-Time = 0 Client-IP-Address = 192.168.1.11 Acct-Unique-Session-Id = "ba144af9c3c26fc1" Timestamp = 1208294626 Here is the last stop record from the nas: Tue Apr 15 23:26:28 2008 Acct-Session-Id = "0006" Tunnel-Medium-Type:0 = IPv4 Tunnel-Assignment-Id:0 = "1" Tunnel-Server-Auth-Id:0 = "A_Router" Acct-Tunnel-Connection = "40682" Framed-Protocol = PPP Framed-IP-Address = 10.1.0.1 User-Name = "6543765" Acct-Authentic = RADIUS Acct-Session-Time = 28250 Acct-Input-Octets = 4294967295 Acct-Output-Octets = 4294966951 Acct-Input-Packets = 0 Acct-Output-Packets = 4294967290 Acct-Terminate-Cause = NAS-Error Acct-Status-Type = Stop NAS-Port-Type = Virtual NAS-Port = 3 NAS-Port-Id = "Uniq-Sess-ID3" Service-Type = Framed-User NAS-IP-Address = 192.168.1.11 Acct-Delay-Time = 0 Client-IP-Address = 192.168.1.11 Acct-Unique-Session-Id = "ba144af9c3c26fc1" Timestamp = 1208294788 Cisco config: System image file is "flash:c180x-advipservicesk9-mz.124-11.XW6.bin" A_Router#sh aaa attributes | inc giga Type=118 Name=input-giga-words Format=Ulong Type=250 Name=output-giga-words Format=Ulong aaa new-model ! ! aaa authentication login default local aaa authentication ppp default group radius local aaa authorization exec default local aaa authorization commands 15 default local aaa authorization network default group radius local aaa accounting delay-start aaa accounting nested aaa accounting update periodic 3 aaa accounting network default start-stop group radius interface Virtual-Template1 ip unnumbered Loopback0 ip nat inside no ip virtual-reassembly no logging event link-status no snmp trap link-status ppp encrypt mppe 128 required ppp authentication ms-chap ms-chap-v2 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ascend-Data-Filter with srcip from ippool
Hello Alan,
as I see your result I better understand unlang and the mighty of it.
Thx for your patience. All working perfectly well now.
Kind Regards,
Andreas
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Mittwoch, 2. April 2008 08:19
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool
Andreas Kalb (akalb) wrote:
> Now I'm back to my original problem, where I wanted to use an
> Ascend-filter with entries matching IP-address from pool. I still
> don't know, how to change order of modules to make the IP-address
> known to the files-module and appreciated your uidance again.
You don't have to. You can add the ascend data filter via "unlang",
in the "post-auth" section, right after the "test_pool" module is
called:
post-auth {
...
test-pool
if (ok) {
update reply {
...
Ascend-Data-Filter := "ip in forward srcip
%{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
...
}
}
Again, this is documented. See "man unlang", and the examples.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ascend-Data-Filter with srcip from ippool
Hello again,
based on the last experience having different servers existing, I build
the system from scratch and stood as closely as possible to defaults.
All is working well concerning the ip-pool. It was the duplicated
server, Alan pointed out.
Now I'm back to my original problem, where I wanted to use an
Ascend-filter with entries matching IP-address from pool. I still don't
know, how to change order of modules to make the IP-address known to the
files-module and appreciated your uidance again.
Kind Regards,
Andreas
users:
DEFAULT User-Name := "test_...", Pool-Name := test_pool,
Cleartext-Password := cisco
Service-Type == Framed-User,
Framed-Protocol = PPP,
Session-Timeout = 65000,
Idle-Timeout = 3600,
Ascend-Maximum-Time = 64000,
Ascend-Idle-Limit = 3600,
Ascend-Data-Filter := "ip in forward srcip
%{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
debugs:
...
++[unix] returns notfound
users: Matched entry DEFAULT at line 125
expand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip
1.1.1.2/32 -> ip in forward srcip /32 dstip 1.1.1.2/32
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "cisco"
rlm_pap: Using clear text password "cisco"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test_001/cisco] (from client bb-10k port 808583209)
+- entering group post-auth
expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.1.7 808583209
rlm_ippool: MD5 on 'key' directive maps to:
4c8d9b7e94410e9a58cd8ec24b47f8b1
rlm_ippool: Searching for an entry for key:
'4c8d9b7e94410e9a58cd8ec24b47f8b1'
rlm_ippool: Allocating ip to key: '4c8d9b7e94410e9a58cd8ec24b47f8b1'
rlm_ippool: num: 1
rlm_ippool: Allocated ip 172.16.100.69 to client key:
4c8d9b7e94410e9a58cd8ec24b47f8b1
++[test_pool] returns ok
Service-Type == Framed-User
Framed-Protocol = PPP
Session-Timeout = 65000
Idle-Timeout = 3600
Ascend-Maximum-Time = 64000
Ascend-Idle-Limit = 3600
Ascend-Data-Filter := "ip in forward dstip 1.1.1.2/32 0"
Framed-IP-Address = 172.16.100.69
Framed-IP-Netmask = 255.255.255.0
Finished request 1.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Ascend-Data-Filter with srcip from ippool
Hello Alan,
I started from that by adding my own ippool to radiusd.conf after
main_pool (line 1800, ippool test_pool {...). I understood from your
reply, that I need to call it from sites-available/default and added
"test_pool" right after main_pool in sites-available/default (in
sections accounting and post-auth, as specified in radiusd.conf), but
when starting the deamon I got:
/usr/local/etc/raddb/radiusd.conf[1800]: Invalid version in module
'rlm_ippool'
/usr/local/etc/raddb/sites-enabled/default[308]: Failed to find module
"test_pool".
/usr/local/etc/raddb/sites-enabled/default[285]: Errors parsing
accounting section.
That mades me think I need to move the pool there either, sorry.
Kind Regards,
Andreas
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Dienstag, 1. April 2008 07:46
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool
Andreas Kalb (akalb) wrote:
> I'm unfortunately still not getting it to work anymore after upgrade
to 2.0.3.
>
> I added the following to sites-available/default at top of document:
>
> server bb-10k {
I'm not sure why. As the documentation suggests, starting with the
default configuration is the best idea.
> accounting {
> ...
> post-auth {
And no "authorize" or "authenticate" section.
> ippool test_pool {
> range-start = 172.16.100.1
Module configurations belong in the "modules" section of radiusd.conf.
They do NOT go in a server section.
> and then get:
> /usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module
"test_pool".
> /usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing
accounting section.
>
> So now I wonder how to specify the ippool section there.
You don't.
Again, start with the default configuration. Add ONE module:
test_pool. Configure it, and get it to assign IP addresses. Then, once
that works, configure the ascend filter attributes AFTER the "test_pool"
module has been run in the "post-auth" section.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
