Re: Freeradius issue : Active Directory Integration

2013-10-04 Thread Andreas Sartori
Hi,

 Hello,
 I am facing an issue with MS-CHAP authentication on Ubuntu 13.04. Also,
 NTLM authentication takes place when putting 'wait = no' in
 /etc/freeradius/modules/ntlm_auth
 


is ntlm_auth on the command line working?
Please provide some debug output.

regards
-andreas

-- 
___
FACHHOCHSCHULE SALZBURG GmbH
Salzburg University of Applied Sciences

Andreas Sartori
Systems Engineer
IS - Information Services

Lecturer
ITS - Information Technology and Systems Management
MMT - Multimedia Technology
Urstein Süd 1 | 5412 Puch/Salzburg | Austria
fon:  +43 (0)50-2211-1655 | fax: -1699
web: www.fh-salzburg.ac.at

Gerichtsstand Salzburg | FN166054y
___

- Original Message -
 From: Shameek Bhattacharya shamee...@gmail.com
 To: freeradius-users@lists.freeradius.org
 Sent: Friday, October 4, 2013 8:02:59 AM
 Subject: Freeradius issue : Active Directory Integration
 
 
 
 
 
 
 Hello,
 I am facing an issue with MS-CHAP authentication on Ubuntu 13.04. Also,
 NTLM authentication takes place when putting 'wait = no' in
 /etc/freeradius/modules/ntlm_auth
 
 ie
 exec ntlm_auth {
 wait = no
 program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
 }
 
 
 
 
 
 But MS-CHAP fails completely. I tried all options but it is not working at
 all. I have another FreeRADIUS server with the same configuration which
 is working perfectly. The only difference is that the faulty RADIUS
 server was joined to the domain with a backup administrator account,
 not with the default Domain Administrator account. Is this creating
 the issue? Please suggest. I have attached the debug output.
 
 
 Regards,
 
 Shameek
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Accounting packets on layer 2

2012-08-24 Thread Andreas Meyer
Hello!

Excuse me please, if this is the wrong list for my question! If I have
an access point working on layer 2 like the ALL0278, how are accounting
packets generated and sent to the RADIUS server on port 1813? Which
application is responsible for generating those packets?

Thank you!

  Andreas


Re: Accounting packets on layer 2

2012-08-24 Thread Andreas Meyer
Hello!

Michael Schwartzkopff mi...@schwartzkopff.org wrote:

  Hello!
  
  Excuse me please, if this is the wrong list for my question! If I have
  an access point working on layer 2 like the ALL0278, how are accounting
  packets generated and sent to the RADIUS server on port 1813? Which
  application is responsible for generating those packets?
  
  Thank you!
  
Andreas
 
 See section Security Settings - WPA-802.1x or section Security Settings - 
 802.1x of the ALLNET manual.

I don't have the ALL0278 here. Is this manual available somewhere online?

 Andreas


Re: Absence (was: Freeradius Installation Challenges)

2012-07-29 Thread Andreas Meyer
Klaus Klein k.kl...@gmx.de wrote:

 On 29.07.2012 09:45, George Innocent wrote:
  I'm using nano for the editors
 
 Take a copy of the backup of your original client.conf and start over with 
 that.
 (You did save the original before you modified it, didn't you?)
 
 As already said, all you wanted to put in there is already there.
 
 The only difference:
 
 Out of the 'client.conf' file
 
 #  Each client has a short name that is used to distinguish it from
 #  other clients.
 #
 #  In version 1.x, the string after the word client was the IP
 #  address of the client.  In 2.0, the IP address is configured via
 #  the ipaddr or ipv6addr fields.  For compatibility, the 1.x
 #  format is still accepted.
 
 You used version 1.x  style
 client 127.0.0.1 {
 
 In 2.x  it looks like this
 client localhost {
  ipaddr = 127.0.0.1

In his client.conf there is also a line require_message_authenticator = no
not commented out in the client localhost section that may throw the warning
with the braces.

  Andreas


Re: radacct is not filled up

2012-07-17 Thread Andreas Meyer
Hello!

Fajar A. Nugraha l...@fajar.net wrote:

 On Tue, Jul 17, 2012 at 5:59 AM, Andreas Meyer anme...@anup.de wrote:
  Hello!
 
  I authenticate users against a MySQL DB and everything is fine. I get
  entries in the radpostauth table but the radacct table stays empty; instead
  the logging is done in /usr/var/log/radius/radacct/192.168.1.254


  I cannot find the place in a configuration file where I can change
  the value to log into the radacct table.
 
 Did you read http://wiki.freeradius.org/SQL-HOWTO ?
 
 Search for accounting

Yes, I read the SQL-Howto. Made a change in the dialup.conf from
sql_user_name = %{User-Name} to
sql_user_name = %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}

and the debug output shows that the radiusd is using stripped user-name.
But the radacct is not filled up. All is written to the logfile in
/usr/var/log/radius/radacct/192.168.1.254

I wonder if it might have something to do with the buffered-sql in
/usr/etc/raddb/sites-available. I made no changes to that file.

mysql> use radius;
Database changed
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| badusers         |
| mtotacct         |
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radpostauth      |
| radreply         |
| radusergroup     |
| totacct          |
| userinfo         |
+------------------+
12 rows in set (0.01 sec)

Everything is fine and radcheck and radpostauth and userinfo and so on are
written to the database except for the radacct information.

  Andreas


Re: radacct is not filled up

2012-07-17 Thread Andreas Meyer
Hello!

Fajar A. Nugraha l...@fajar.net wrote:

  I wonder if it might have something to do with the buffered-sql in
  /usr/etc/raddb/sites-available. I made no changes to that file.
 
 Re-read the wiki page. If you HAVE read it correctly, you would've
 seen that you need to change something in that file.
 

Hm, no luck with this one. I changed buffered.sql to log to sql, but it
does not.

accounting {
        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
        sql

        #  Cisco VoIP specific bulk accounting
#       pgsql-voip
}

...
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[reply_log]     expand: /usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
[reply_log] /usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
[reply_log]     expand: %t -> Tue Jul 17 10:57:08 2012
++[reply_log] returns ok
[sql]   expand: %{Stripped-User-Name} ->
[sql]   ... expanding second conditional
[sql]   expand: %{User-Name} -> bitcorner-1
...

If I understand the buffered.sql right, logging is done to the detail file
but how is it written to the database? Or how is the buffered.sql respected?

  Andreas


Re: radacct is not filled up

2012-07-17 Thread Andreas Meyer
Hello!

Fajar A. Nugraha l...@fajar.net wrote:

 On Tue, Jul 17, 2012 at 4:08 PM, Andreas Meyer anme...@anup.de wrote:
 
  Hm, no luck with this one. I changed buffered.sql to log to sql, but it
 
 Did I EVER mention anything about buffered.sql?
 Was it EVER mentioned in the wiki page?
 
 accounting {
  sql
  }
 
 so accounting section has sql. That's good.
 
  # Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
 
 See that? That's post-auth. That section is called after
 access-request packets are processed.

Ok

 
  +- entering group post-auth {...}
  [reply_log]     expand: /usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
  [reply_log] /usr/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/var/log/radius/radacct/192.168.1.254/reply-detail-20120717
  [reply_log]     expand: %t -> Tue Jul 17 10:57:08 2012
  ++[reply_log] returns ok
  [sql]   expand: %{Stripped-User-Name} ->
  [sql]   ... expanding second conditional
  [sql]   expand: %{User-Name} -> bitcorner-1
 
 ... and you didn't have ANYTHING in the log about accounting.
 
 Does your NAS send accounting packets? Accounting section is only
 called when radius receive accounting packets.

I fear the AP is not sending accounting packets at all. The only
thing I can configure at the TP-Link AP is that it can communicate
with the RADIUS server at port 1812 for auth packets.

 Or is it that you want to log some data to sql in post-auth, instead
 of accounting? If so, then you need to modify the correct section

not that I know of

I have a section in radiusd.conf to listen for type = acct

 (i.e. post-auth, not accounting). And the table modified will NOT be
 radacct, but radpostauth. See sql.conf and sql/mysql/dialup.conf for
 details, look for postauth. You CAN change what's logged, and where,
 by editing the queries.

I must say I am not sure, what information belongs to post-auth exactly
and why. I promise I read the FAQ!

  Andreas


Re: radacct is not filled up

2012-07-17 Thread Andreas Meyer
Fajar A. Nugraha l...@fajar.net wrote:

 On Tue, Jul 17, 2012 at 4:54 PM, Andreas Meyer anme...@anup.de wrote:
  I must say I am not sure, what information belongs to post-auth exactly
  and why. I promise I read the FAQ!
 
 FR is very configurable. It's one of those things where the hardest
 part is making sure you know what you really want, and whether is
 technically possible (using ANY software). After that, translating it
 to configuration items is usually easier.
 
Ok, thank you! I see this stuff is very complex and getting an overview
is what I need to do. A good book about FR would come in handy.

  Andreas


radacct is not filled up

2012-07-16 Thread Andreas Meyer
Hello!

I authenticate users against a MySQL DB and everything is fine. I get entries
in the radpostauth table but the radacct table stays empty; instead the
logging is done in /usr/var/log/radius/radacct/192.168.1.254

# itx:/usr/var/log/radius/radacct/192.168.1.254 # ll
insgesamt 284
-rw------- 1 root root  12420 12. Jul 16:38 auth-detail-20120712
-rw------- 1 root root  12420 13. Jul 19:35 auth-detail-20120713
-rw------- 1 root root   6210 14. Jul 23:21 auth-detail-20120714
-rw------- 1 root root   9078 15. Jul 17:06 auth-detail-20120715
-rw------- 1 root root 180883 16. Jul 17:26 auth-detail-20120716
-rw------- 1 root root  12640 17. Jul 00:43 auth-detail-20120717
-rw------- 1 root root   1242  3. Jul 22:35 reply-detail-20120703
-rw------- 1 root root   2008 12. Jul 16:38 reply-detail-20120712
-rw------- 1 root root   2008 13. Jul 19:35 reply-detail-20120713
-rw------- 1 root root   1004 14. Jul 23:21 reply-detail-20120714
-rw------- 1 root root   1004 15. Jul 13:39 reply-detail-20120715
-rw------- 1 root root   5041 16. Jul 17:26 reply-detail-20120716
-rw------- 1 root root   2016 17. Jul 00:43 reply-detail-20120717

I cannot find the place in a configuration file where I can change
the value to log into the radacct table.

This is what I have in sql.conf:

acct_table1 = radacct
acct_table2 = radacct
postauth_table = radpostauth
authcheck_table = radcheck
authreply_table = radreply
groupcheck_table = radgroupcheck
groupreply_table = radgroupreply
usergroup_table = radusergroup

  Andreas


Re: working with vouchers

2012-07-09 Thread Andreas Meyer
Fajar A. Nugraha l...@fajar.net wrote:

 On Thu, Jul 5, 2012 at 11:05 PM, Andreas Meyer anme...@anup.de wrote:
 
  Is there a big picture somewhere available for the freeradius-server
  like it is for postfix for example? I want to understand the contiguities
  between proxying, outer-tunnel, inner-tunnel for example.
 
 That's a different topic than what you asked before. And if you're
 only using a captive portal, you won't be using any of those anyway,
 you'd be only using the default virtual server. See
 http://wiki.freeradius.org/Concepts on for-dummies explanation on how
 it works.

Ok, thank you for the hints! Everything is getting clearer by and by.
I just found out that I get entry into the WLAN with an android smartphone
by just using the username and password without using the ca.crt with
PEAP/MSchap2. I read in the protocols-table that only with EAP-TLS
certificates are used.

 For how proxy works, see http://wiki.freeradius.org/Proxy
 
  If I have
  a users file and a sql-database, where does freeradius look first and
 
 Depending on how you configure it. In other words, depends on the
 order on authorize section.
 
  what if there is an entry in both databases but they differ in the
  password used. So many questions.
 
 If the attribute is the same one, the one listed later should
 overwrite the former. CMIIW.

Thanks!

-- 
  Andreas 



Re: working with vouchers

2012-07-09 Thread Andreas Meyer
Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Yes, if you don't care about security and verification of the server cert, then 
 just username and password will work with PEAP. Some clients will throw up 
 warning messages (that users ignore)..messages can be reduced by using a CA 
 that is known by the clients.
 
 The above is not best practice under any security front

Oh yes, I just read the wikipedia about all that stuff about chap and pap and
PEAP and MS-chapv2 and EAP and TLS and so on. This is heavy rock.

Andreas


Re: working with vouchers

2012-07-05 Thread Andreas Meyer
Hi!

alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
  Hello!
  
  Without considering any security is it possible to hand out a
  voucher to a client with just the ESSID, the username and the
  password written down and this client can authenticate to the
  radiusserver over the authenticator? Please be patient with me!
 
 
 depends on the methods used, server configuration  and the client involved

In the simplest environment I want to see what is possible and
how it can be done. I don't really know what methods to use for an
easy authentication without EAP. I think maybe the server can be configured
to look into the users database whether there is an entry for that user and
say ok to the authenticator.

This is all because I want to learn what can be done with the server and how.
At the moment I am testing all this with an openSUSE 11.3.
A Windows XP I have only available in a VBox environment. So testing
with a Linux would be enough for me at the moment.

  Andreas


Re: working with vouchers

2012-07-05 Thread Andreas Meyer
Fajar A. Nugraha l...@fajar.net wrote:

 On Thu, Jul 5, 2012 at 3:43 PM, Andreas Meyer anme...@anup.de wrote:

   Without considering any security is it possible to hand out a
   voucher to a client with just the ESSID, the username and the
   password written down and this client can authenticate to the
   radiusserver over the authenticator? Please be patient with me!
 
 
  depends on the methods used, server configuration  and the client involved
 
  In the simplest environment I want to see what is possible and
  how it can be done. I don't really know what methods to use for an
  easy authentication without EAP.
 
 One option would be captive portal, e.g. chillispot and derivatives.
 
Yes, I have heard of that and shall try pfSense for example. But I
want to understand the contiguities of what method pfSense is using
to talk to the Radiusserver to be able to create vouchers.

Is there a big picture somewhere available for the freeradius-server
like it is for postfix for example? I want to understand the contiguities
between proxying, outer-tunnel, inner-tunnel for example. If I have
a users file and a sql-database, where does freeradius look first and
what if there is an entry in both databases but they differ in the
password used? So many questions.

  Andreas


a question about the connection to the server

2012-07-04 Thread Andreas Meyer
Hello!

If some machine is in the same subnet as the radiusd and the AP,
how do I prevent it from sniffing the secret for authentication
to the server?


Regards

  Andreas


Re: Authentication with certificates

2012-07-03 Thread Andreas Meyer
Hello!

alan buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 
  I have no luck with this. I read in some articles that to make an AP with
  RADIUS authentication, one should create certificates with 'make all'
  in the certs directory after editing the ca.cnf and server.cnf and 
  copy the ca.pem to the client.
 
 ..that would be to ensure that you can configure the client to trust the 
 RADIUS server - as they are both signed by the same CA

OK

 
  Where can I read what other possibilities there are to authorize a client
  for an AP using a RADIUS server as backend?
 
 it depends what you want to do. you were talking about authenticating
 using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
 which means the client uses a certificate

OK

I wonder what other possibilities than certificates there are to authorize
a client to a network using WLAN, like hotspots, internet cafes and hotels
for example. I mean, handing over a certificate to a client on a USB stick
seems impracticable to me.

[ ... snipp ]

  But I do not get a lease from the AP.
 
 that's because, as you can read, you never got an Access-Accept. The flow above
 shows that your request arrived at the server... the server is configured to use
 MD5 by default in the inner-tunnel (so change that to the method you will use
 most, e.g. TTLS) and so the server sent a NAK. The client was then put through
 using TTLS but the server sent an Access-Challenge that never got answered...
 which is in the FAQ - the client doesn't trust the server. You need to ensure
 that you have added the CA in the right certificate store on the client. As this
 is 802.1X, a quick hint - do a google search for 'eduroam configuring client';
 you should find countless examples from universities worldwide on how to
 configure a client for doing this sort of thing... some sites will have step by
 step instructions so you can see how to do it on Windows XP/Vista/7, OSX 10.6 etc.
 
 ..and a favour in return.. if you find any sites that DON'T tell the users to
 check the CA and put the right name in the verification box, then please email
 me ;-)
 
  Strange, where can I read about this?
 
 EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are
 blocked from internet search engines
 
   4) EAP-TLS is a plain/simple method - thus checking against SQL for 
   passwords is wrong
  
  Ok, disabled SQL and made entries in the users file.
 
 ..but from what you said above (using TTLS) - there is nothing wrong with 
 using MySQL/PostgreSQL etc.
 
 though we DO advise people to start simple. Start with the users file rather than 
 some fancy backend storage. Once you see things working and have things in a
 working state, THEN bring in the good stuff(tm)
 
   5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and 
   security fixes.
  
  alright, will do that if I can see some land in this ocean
 
 I would start with the upgrade first - the certificate make files got some 
 fixes and improvements too! ;-)

So I followed your hint and compiled and installed freeradius-server-2.1.12.
Created new certificates and changed md5 to ttls in eap.conf and the client.conf
to accept my client.
I configured the Linux client with Yast to connect to the AP using the ca.pem.
The handshake works and I get a lease. Now this is great! The NetworkManager
didn't do it.
 
 alan

Thank you very much for your initial help! Now I can go on examining the server.

  Andreas


Re: Authentication with certificates

2012-07-03 Thread Andreas Meyer
Hello!

Iliya Peregoudov iperegu...@cboss.ru wrote:

 Hello Andreas,
 
 Your supplicant has rejected the EAP-MD5 method proposed by freeradius and 
 has requested the EAP-TTLS method. freeradius has sent an EAP-TTLS/Start 
 request. But your supplicant has never replied. The problem seems to be 
 in the supplicant (the AP is transparent for EAP methods anyway). What 
 supplicant do you use?

Thanks for the info!

Well, yesterday I tried with NetworkManager only. After installing
the new version of freeradius tonight I tried with NetworkManager
again with no luck. Then I decided to use Yast of the openSUSE I
use and that made it.

With the NetworkManager I had the compatibility problems described
for Windows OIDs. The NetworkManager didn't like the server.

 
 Andreas Meyer wrote:
  Found Auth-Type = EAP
  +- entering group authenticate {...}
  [eap] Request found, released from the list
  [eap] EAP NAK
  [eap] EAP-NAK asked for EAP-Type/ttls
  [eap] processing type tls
  [tls] Initiate
  [tls] Start returned 1
  ++[eap] returns handled
  Sending Access-Challenge of id 4 to 192.168.1.254 port 2048
  EAP-Message = 0x010200061520
  Message-Authenticator = 0x
  State = 0x4fb647db4eb45230423119a23041222a

  Andreas


Authentication with certificates

2012-07-02 Thread Andreas Meyer
Hello!

# radiusd -v
radiusd: FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu

I could use some help with authenticating users per certificate
to a freeradius server.
I created the certificates and copied the ca.pem to the testing supplicant.
Started freeradius with radiusd -X, and a locally executed
radtest miles davis45 192.168.1.220 1812 testing123 gives this result:

Sending Access-Request of id 206 to 192.168.1.220 port 1812
User-Name = miles
User-Password = davis45
NAS-IP-Address = 192.168.3.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.1.220 port 1812, id=206, 
length=20

I have this in the sqltrace.sql then:

INSERT INTO radpostauth   (username, pass, reply, authdate)  VALUES (   
'miles',   'davis45', 
  'Access-Accept', '2012-07-02 19:31:45');

I tried all kind of settings on the supplicant but I cannot get access using 
the ca.pem
and get no lease from the DHCP-Server of the AP, TL-WA901ND

I post the following output of a radiusd -X session:

rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=155, 
length=153
User-Name = andreas
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = B0-48-7A-F8-A1-19:gehackt
Calling-Station-Id = 00-22-B0-E7-EF-98
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x020c01616e6472656173
Message-Authenticator = 0xcfc9907d0444926482192aafdcaba630
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = andreas, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'andreas'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'andreas'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'andreas'   ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'andreas'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'andreas'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup   WHERE username = 'andreas'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 155 to 192.168.1.254 port 2048
EAP-Message = 0x010100160410627ca484105a5653ea83eec8c5b0
Message-Authenticator = 0x
State = 0x0f58029d0f5906e7a9d59b95861c72dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=156, 
length=165
User-Name = andreas
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = B0-48-7A-F8-A1-19:gehackt
Calling-Station-Id = 00-22-B0-E7-EF-98
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x020100060315
State = 0x0f58029d0f5906e7a9d59b95861c72dd
Message-Authenticator = 0x764f23c23137bd2125a294f54ca21ac1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = andreas, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id

Re: Authentication with certificates

2012-07-02 Thread Andreas Meyer
 for your help with this! I am a bit lost.

  Andreas



Logging User Accounts

2011-12-26 Thread Andreas Rudat
Hello,

I am trying to log users when they connect to radius. Is it possible to track
that without all the other information from debug mode?
So best would be if I only saw this:   [TIME]: foobar logged in

Thanks



Connection Lost, tls resumption error

2011-11-30 Thread Andreas Rudat
Hi,

in my environment I have three APs running, all with the same ESSID.
After a while the connection seems lost and a reconnection starts to
another AP, and then I get the resumption error, but I have no idea why I
lost the connection. No errors in the radius debug output, and a good
reception is given.
The resumption error can only be avoided by restarting the wireless device.

Thanks



Re: Connection Lost, tls resumption error

2011-11-30 Thread Andreas Rudat
On 30.11.2011 15:53, Alan DeKok wrote:
 Andreas Rudat wrote:
 in my enviroment I got three AP's runnning, all with the same essid,
 after a while the connection seems lost
   WHAT connection?

   If it's the connection between the AP and the PC, this isn't a RADIUS
 issue.
I only saw that a new challenge came in from the other AP.

 and a reconnection starts to
 another AP and then I get the resumption error but I have no idea why I
 lost the connection. No Errors in radius debug and a good reception is
 given.
   The AP is responsible for sending RADIUS packets saying a connection
 is down.  If it doesn't send those packets, buy an AP which does send them.

 The resumption error can be only avoid with restarting the wirless device.
   Sounds like an AP problem to me.

   Alan DeKok.
Perhaps. I tried it now with three devices and three users and it works
fine for an hour, no connection problem again. It could be that I used
one user name twice before.

So I hope it is solved with that.



Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-27 Thread Andreas Rudat
On 27.11.2011 10:17, Phil Mayers wrote:
 On 11/27/2011 12:51 AM, Mr Dash Four wrote:

 No, the shared secret is not transmitted over the wire.
 For additional information see RFC2865, §2:

 When a password is present, it is hidden using a method based on the
 RSA Message Digest Algorithm MD5. (see RFC131).
 MD5 is broken.
But if I understand it correctly, the shared_secret is just used as the
trusted AP password?

Thanks
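The exchange above (the shared secret is never transmitted; the User-Password is hidden with an MD5-based method) and the radacct thread earlier on this page (the accounting section only runs when the NAS actually sends an Accounting-Request) both come down to how RADIUS uses the shared secret as a key rather than as data. The following is an added example, not code from the list or from FreeRADIUS: a minimal pure-Python codec that builds and verifies an Access-Request (RFC 2865 s5.2 password hiding plus the RFC 2869 Message-Authenticator) and an Accounting-Request (RFC 2866 s3 Request Authenticator). The secret `testing123`, the user `miles`/`davis45` and the addresses are constructed sample values reusing the radtest line from the "Authentication with certificates" thread.

```python
# Added example (not code from the list archive or from FreeRADIUS): a minimal
# RADIUS packet codec showing how the shared secret protects the exchange
# without ever being sent on the wire.
# RFC 2865 s5.2 (User-Password hiding), RFC 2869 s5.14 (Message-Authenticator),
# RFC 2866 s3 (Accounting-Request authenticator). All values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40          # value 1 = Start, 2 = Stop (RFC 2866)
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(atype, value):
    """Type-Length-Value encoding; Length counts the two header octets too."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return [(type, value), ...] for the attributes after the 20-octet header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous cipher block); the first block uses the 16-octet
    Request Authenticator. Only MD5 output reaches the wire, never the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; NUL padding is stripped."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(block, digest))
        prev = block
    return plain.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request as a NAS would send it. The Request Authenticator must be
    16 random octets; a fixed one may be passed in only to make tests repeatable."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, auth))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # Message-Authenticator: HMAC-MD5 keyed with the secret over the whole
    # packet, computed with this attribute's own value set to 16 zero octets.
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Server-side proof that the sender knows the secret (what
    require_message_authenticator = yes in clients.conf enforces)."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False                    # no Message-Authenticator present


def build_accounting_request(ident, secret, username, status_type, nas_ip):
    """Accounting-Request (code 4, UDP 1813). RFC 2866 s3: Request Authenticator
    = MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    attrs = encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type))
    attrs += encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + auth + attrs


def verify_accounting_request(packet, secret):
    """Server-side check of the RFC 2866 authenticator; a packet from a NAS that
    does not know the secret (or a corrupted one) fails here and is dropped."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    secret = b"testing123"          # constructed sample shared secret
    req = build_access_request(206, secret, b"miles", b"davis45", "192.168.3.1")
    print("Access-Request:", len(req), "octets, Message-Authenticator ok:",
          verify_message_authenticator(req, secret))
    acct = build_accounting_request(7, secret, b"miles", 1, "192.168.1.254")
    print("Accounting-Request:", len(acct), "octets, authenticator ok:",
          verify_accounting_request(acct, secret))
```

Two points to take from this: nothing in either packet contains the secret or the cleartext password, so a host on the same subnet sees only MD5-derived octets (the secret's strength still matters, since an observer holding a packet can test guesses offline); and an Accounting-Request is a distinct packet code that the NAS has to emit, which is why an AP configured only for authentication on port 1812 leaves radacct empty no matter what the server's accounting section lists.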


Re: EAP-TTLS/EAP-TLS with freeRADIUS

2011-11-26 Thread Andreas Rudat
On 26.11.2011 22:04, Mr Dash Four wrote:
 I am trying to set up freeRADIUS server implementing (wireless) user
 authentication (running wpa_supplicant) via AP (running hostapd).

 After reading various howto's and documentation as well as looking at
 numerous sources on the Internet, I can't see a way in which the AP is
 authenticated to the RADIUS server by using only its certificate
 attributes (CN, Subject, Issuer etc) - it seems that freeRADIUS always
 needs some sort of password or shared secret specified.

so it is, you can only protect your AP client with the shared secret key.

 Is it possible *not* to use this and rely solely on the
 strength/culpability (depending on the way one looks at it) of PKI? If
 so, how do I achieve that? A very simple configuration file example
 would suffice! In relation to that - another question: the rlm_eap
 text file (in the doc/ directory) distributed with the source code (I
 am using 2.1.12) states that Currently Freeradius supports only 2
 EAP-Types (EAP-MD5, EAP-TLS). (line 78). Is that so?

 As for the actual EAP-TTLS/EAP-TLS authentication process I have
 another query - my understanding of the theory behind this method is
 that the authentication/authorisation process is done in two distinct
 phases - outer and inner authentication. This also allows for the use
 of two distinct sets of (client, server, ca) certificates to be
 specified in each phase. If that is so, how is this
 configured/specified in the eap.conf configuration file (or elsewhere)?

 Many thanks!





Question at certificates

2011-11-24 Thread Andreas Rudat
Hi,

I'm a little bit confused. I configured radius with a self-signed cert and
peap+mschap, so if I try to connect with an android or apple device I
get the question whether I want to accept the server cert, that's ok, but with
windows or linux I get the error that there is no cert, but it still
works. Why don't these clients download
the cert? I can manually add them sure, but why is that so different?

Thanks



Re: Testing Wlan

2011-11-24 Thread Andreas Rudat
On 20.11.2011 13:05, Alan DeKok wrote:
 Andreas Rudat wrote:
 thats what I tried, but I get no info from the other client, only if I
 them ping each other. Encryption is wpa+aes and what I should see if it
 is encrypted? tls infos?
   This is a network connectivity problem.  It isn't a RADIUS problem.

   Alan DeKok.

But which? I tried my WLAN in monitor mode and, sniffing with Wireshark, I
found traffic between the APs, but Wireshark only shows that it's the WLAN
protocol and I don't see any clear traffic.


Technical paper how Freeradius works?

2011-11-24 Thread Andreas Rudat

Hi,

are there any and I don't see them, besides man pages/config files?

Thanks



Re: Technical paper how Freeradius works?

2011-11-24 Thread Andreas Rudat
On 24.11.2011 16:04, Alan Buxey wrote:
 Hi,
 Hi,

 are there any and I don't see them, besides man pages/config files?
 what is it that you are after?  what do you define by 'technical' ?

 alan


for example how exactly auth. works or how the RADIUS protocol works

Andreas


Re: Technical paper how Freeradius works?

2011-11-24 Thread Andreas Rudat
On 24.11.2011 16:33, Alan DeKok wrote:
 Andreas Rudat wrote:
 for example how does exactly auth. works or the radius protocol works
   We don't document RADIUS.  See the RFCs for that.

   As for how the server works, see the doc directory.  There are a lot
 of files there describing how the server works.

   Alan DeKok.

ok thanks.
Andreas



Re: Testing Wlan

2011-11-20 Thread Andreas Rudat
On 20.11.2011 12:08, Alan Buxey wrote:
 Hi,

 is there any possibility to test if two machines with the same login can
 sniff each others traffic?
 yes you can test that. though depending on what wireless configuration you
 have and method of encryption you might not get what you think.


 get one machine to browse the internet and get the other to run wireshark

 alan

Hi,

that's what I tried, but I get no info from the other client, only if I
let them ping each other. Encryption is WPA+AES and what should I see if it
is encrypted? TLS infos?

Thanks





Radius + SambaPDC + offline login

2011-11-19 Thread Andreas Rudat
Hi,

perhaps it is the wrong mailing list but I'll try it :)
My Samba PDC is running in a different subnet than my RADIUS clients.
So, Samba is running in x.x.15.x and my WLAN+RADIUS users are using x.x.16.x.
I use WINS instead of DNS. I joined the domain with my client
successfully, but if I try to log in I get the message "domain not
reachable", sure, because I'm not online at that moment, but is there
any way to do that?

Thanks.


getting sometimes TLS error

2011-11-19 Thread Andreas Rudat
Hi,
I get the error from time to time. I use one self-signed cert for all
clients and sometimes I get this error from one Ubuntu client, do you
have any idea?

so self-signed cert + mschapv2

TLS Alert read:fatal:bad certificate
Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read
client certificate A
Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS
(-1), TLS session fails.
Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during
operation


it's not the password problem, as I said, the same cert works fine on
two different machines, Windows + Linux

the other got archlinux and xp running
Thanks


Re: getting sometimes TLS error

2011-11-19 Thread Andreas Rudat
really strange, the machine where Ubuntu AND XP are running both fail, and
Windows is saying the certificate is invalid/expired?? Both are using
the same one!


On 19.11.2011 19:17, Andreas Rudat wrote:
 Hi,
 I get the error from time to time. I use one self-signed cert for all
 clients and sometimes I get this error from one Ubuntu client, do you
 have any idea?

 so self-signed cert + mschapv2

 TLS Alert read:fatal:bad certificate
 Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read
 client certificate A
 Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL
 routines:SSL3_READ_BYTES:sslv3 alert bad certificate
 Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS
 (-1), TLS session fails.
 Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during
 operation


 it's not the password problem, as I said, the same cert works fine on
 two different machines, Windows + Linux

 the other got archlinux and xp running
 Thanks





[solved] Re: getting sometimes TLS error

2011-11-19 Thread Andreas Rudat

On 19.11.2011 19:37, Andreas Rudat wrote:
 really strange, the machine where Ubuntu AND XP are running both fail, and
 Windows is saying the certificate is invalid/expired?? Both are using
 the same one!


 On 19.11.2011 19:17, Andreas Rudat wrote:
 Hi,
 I get the error from time to time. I use one self-signed cert for all
 clients and sometimes I get this error from one Ubuntu client, do you
 have any idea?

 so self-signed cert + mschapv2

 TLS Alert read:fatal:bad certificate
 Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read
 client certificate A
 Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL
 routines:SSL3_READ_BYTES:sslv3 alert bad certificate
 Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS
 (-1), TLS session fails.
 Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during
 operation


 it's not the password problem, as I said, the same cert works fine on
 two different machines, Windows + Linux

 the other got archlinux and xp running
 Thanks


   
it was the clock of the test machine ... local  date 2002 vs certificate
of 2011 != good

Andreas
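The thread above ends with the root cause: a client clock stuck in 2002 versus a certificate issued in 2011. As an added example that is not part of the thread or of FreeRADIUS, here is a small Python helper that parses the radiusd log lines quoted above. The point it makes explicit is that "TLS Alert read:" means the alert was received from the supplicant, so a "bad certificate" there is the client rejecting the server's certificate, which points at the client's trust store or clock rather than at the server. The log lines are the ones quoted in the thread; the certificate validity window and the client clock are constructed values.

```python
"""Classify TLS alerts in FreeRADIUS (rlm_eap) debug output and test a client clock
against a certificate's validity window.  Added example, not FreeRADIUS code."""
import re
from datetime import datetime

# Constructed sample: the server-side lines quoted in the thread above.
SAMPLE_LOG = """\
TLS Alert read:fatal:bad certificate
Sat Nov 19 18:52:30 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
Sat Nov 19 18:52:30 2011 : Error: rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Sat Nov 19 18:52:30 2011 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Sat Nov 19 18:52:30 2011 : Debug: TLS receive handshake failed during operation
"""

# TLS alert descriptions (RFC 5246, section 7.2.2) a supplicant sends when it rejects
# the server certificate, with the client-side cause to check first.
ALERT_HINTS = {
    "bad certificate": "supplicant refused the server certificate: check its CA/trust settings and its clock",
    "certificate expired": "supplicant clock is outside the certificate's notBefore..notAfter window",
    "unknown ca": "supplicant does not trust the issuing CA: install the CA certificate on the client",
    "certificate unknown": "unspecified certificate problem on the supplicant side",
}

_ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+?)\s*$")
_OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def parse_tls_alerts(text):
    """Return one dict per TLS alert line: who sent it, severity, description, hint."""
    findings = []
    for line in text.splitlines():
        m = _ALERT_RE.search(line)
        if not m:
            continue
        direction, level, desc = m.groups()
        findings.append({
            "from_peer": direction == "read",   # 'read' = the alert arrived from the client
            "level": level,
            "description": desc,
            "hint": ALERT_HINTS.get(desc, "see the OpenSSL alert description"),
        })
    return findings


def openssl_error_codes(text):
    """Collect OpenSSL packed error codes (e.g. 14094412) for cross-referencing."""
    return sorted({m.group(1) for m in _OSSL_RE.finditer(text)})


def cert_valid_at(not_before, not_after, when):
    """Validity-window check exactly as a client performs it with *its own* clock."""
    return not_before <= when <= not_after


def diagnose(text, cert_not_before, cert_not_after, client_clock):
    """Combine the log evidence with a client clock reading."""
    out = []
    for f in parse_tls_alerts(text):
        who = "client" if f["from_peer"] else "server"
        out.append(f"{who} sent {f['level']} alert '{f['description']}': {f['hint']}")
    if not cert_valid_at(cert_not_before, cert_not_after, client_clock):
        out.append(f"client clock {client_clock:%Y-%m-%d} is outside cert validity "
                   f"{cert_not_before:%Y-%m-%d}..{cert_not_after:%Y-%m-%d}: fix the client clock")
    return out


def example_findings():
    """The constructed case from the thread: 2011 certificate, test machine clock in 2002."""
    return diagnose(SAMPLE_LOG, datetime(2011, 11, 1), datetime(2012, 11, 1), datetime(2002, 1, 1))


if __name__ == "__main__":
    for line in example_findings():
        print(line)
    print(openssl_error_codes(SAMPLE_LOG))
```

Run it against a real `radiusd -X` capture by replacing `SAMPLE_LOG`; the validity dates come from `openssl x509 -noout -dates -in server.pem` on the server certificate.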


Testing Wlan

2011-11-19 Thread Andreas Rudat
Hi,

is there any possibility to test if two machines with the same login can
sniff each others traffic?

Thanks



Re: Deleting user accounts in windows xp

2011-11-18 Thread Andreas Rudat
Hi Alan,

much thanks for that info!

Andreas

On 18.11.2011 23:59, Alan Buxey wrote:
 Hi,
 Hi,

 hope anyone knows that, if I connect successfully with an xp client, I
 have never again to put in my login data, so windows has to save my
 login stuff anywhere but where? I would like to delete my login data.
 stored as a special hash in the registry. you want to remove? use this regedit

 REGEDIT4

 [-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]



 alan





Re: LDAP/MSCHAP

2011-11-13 Thread Andreas Rudat
On 12.11.2011 23:00, Sven Hartge wrote:
 Sven Hartge s...@svenhartge.de wrote:
 Andreas Rudat ru...@endstelle.de wrote:
 On 11.11.2011 03:56, Fajar A. Nugraha wrote:
 On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten ggat...@waddell.com wrote:
 I agree with Jake, in that I *think* it would be possible to have a
 plugin or whatever interface with LDAP/AD in the same manner
 ntlm_auth does.  I don't think one *needs* a cleartext password,
 but does need some way to compare apples-to-apples.
 That's exactly what Alan is saying:  store your passwords in the
 LDAP as NT-Password or LM-Password 
 But if that works, why then is everyone saying that you can just work
 with plaintext? It's really confusing.
 NT/LM-Password is special. This is why it works with MSCHAPv2, both
 being a Microsoft invention.
 To be precise: MSCHAPv2 works with the NT/LM-Password as input to the
 Challenge-Handshake and not the raw cleartext password. This is why
 this works.

 FreeRADIUS converts a cleartext password into the needed NT-Hash and
 then applies this to the MSCHAPv2 handshake. Or it uses a pre-existing
 NT-Hash from LDAP/MySQL/whatever.

 Quote from http://en.wikipedia.org/wiki/NTLM
 ,
 | The NTLM protocol uses one or both of two hashed password values, both
 | of which are also stored on the server (or domain controller), and which
 | are password equivalent, meaning that if you grab the hash value from
 | the server, you can authenticate without knowing the actual password.
 `

 This also means you have to protect those Hashes inside your database
 like a raw cleartext password, as you can authenticate to any Windows
 box with the knowledge of the NT/LM-Hash.

 This has been exploited by several Windows trojan horses, which grabbed
 the NT-Hash of the Administrator user to log in to other boxes on the
 network using the same password (or worse: the domain controller).

 Regards,
 S
Ah, many thanks for clearing that up, so both are bad no matter which
mechanism is used.

Andreas



Re: LDAP/MSCHAP

2011-11-12 Thread Andreas Rudat
On 11.11.2011 03:56, Fajar A. Nugraha wrote:
 On Fri, Nov 11, 2011 at 8:29 AM, Gary Gatten ggat...@waddell.com wrote:
 I agree with Jake, in that I *think* it would be possible to have a plugin 
 or whatever interface with LDAP/AD in the same manner ntlm_auth does.  I 
 don't think one *needs* a cleartext password, but does need some way to 
 compare apples-to-apples.
 That's exactly what Alan is saying:
 
 store your passwords in the LDAP as NT-Password or LM-Password
 
But if that works, why then is everyone saying that you can just work with
plaintext? It's really confusing.

Andreas

 ... although in my experiments NT-Password alone is enough, but
 LM-Password alone is useless.

 How can you create NT-Password? One way to do that is by hijacking the
 process where user enters password as plaintext (e.g. from the
 password prompt when user change their password) and use smbencrypt
 (part of freeradius)

 Where do you store NT-Password in LDAP? In ntPassword or
 sambaNtPassword LDAP attribute (or any other attribute of your choice,
 as long as you remember to update raddb/ldap.attrmap as well)

 If you have NT-Password, then you don't need user's cleartext password
 anymore, and you don't even need any helper tool.





Re: ntlm_auth reconnection without login data?

2011-10-28 Thread Andreas Rudat
On 27.10.2011 22:57, Alan DeKok wrote:
 Andreas Rudat wrote:
 if I connect to my radius server, I don't need my password anymore, also
 if I restart radius or my workstation. But why?
   The PC caches the credentials.

   Alan DeKok.

Hm ok, but RADIUS too? Because I don't see any reaction there either.

Andreas



Re: ntlm_auth reconnection without login data?

2011-10-28 Thread Andreas Rudat
On 28.10.2011 08:33, Fajar A. Nugraha wrote:
 On Fri, Oct 28, 2011 at 1:18 PM, Andreas Rudat ru...@endstelle.de wrote:
 On 27.10.2011 22:57, Alan DeKok wrote:
 Andreas Rudat wrote:
 if I connect to my radius server, I don't need my password anymore, also
 if I restart radius or my workstation. But why?
   The PC caches the credentials.

   Alan DeKok.

 Hm ok, but radius, too? Cause I don't see there any reaction, too.
 What do you mean by connect to my radius server? ssh?
 What do you mean by don't see any reaction?

 If you want clear answer, start by posting clear questions. Asking
 Tarzan-like questions will get you Tarzan-like answers.

 For example, you could write I'm trying to connect to my radius
 server, running Centos 5.x, using ssh with putty, as root. However it
 didn't ask password, and simply lets me log in. Obviously that's just
 an example.

 Also, be clear how it's connected to FR. Do you use pam_radius? Do you
 use 802.1x?

Hi,

sorry for that. I use 802.1X and I'm wondering, if I connect again at
RADIUS, I don't see any reactions in my debug output of RADIUS, while at
the first time you see how the PEAP tunnel is getting up, challenge
response and so on.

Radius is running on Pfsense 2.0 and the clients are connecting with
wpa2 Windows/Linux

Thanks




Re: ntlm_auth reconnection without login data?

2011-10-28 Thread Andreas Rudat
On 28.10.2011 08:55, Fajar A. Nugraha wrote:
 On Fri, Oct 28, 2011 at 1:46 PM, Andreas Rudat ru...@endstelle.de wrote:
 sorry for that. I use 802.1x
 802.1 wired? wireless?

 and I'm wondering if I connect again
 What do you mean by connect again? unplug the cable and plug it
 again? Turn off the wireless adapter and turn it on again? Logout and
 login?

 at
 radius, I don't see any reactions in my debug output of radius, so at
 the first time you see how the peap tunnel is getting up, challenge
 response and so on.

 Radius is running on Pfsense 2.0 and the clients are connecting with
 wpa2 Windows/Linux
 From your (very brief) description, the best answer I can give is ask the 
 NAS.

 FR debug would pretty much print out everything it does. If it
 doesn't print anything, it's not doing anything. Not even accepting
 any packets.

 Why didn't it receive any packet? Probably because the NAS doesn't send
 anything (which is why I said ask the NAS).

 Why didn't the NAS send any packet? There are several possible options. 
 Namely:
 - the NAS caches the authentication result
 - the session was never terminated

 So, ask the NAS. I'm GUESSING that you were never disconnected in the
 first place.

It seems it is the NAS, it is an AP with OpenWrt on it, but I cannot find
anything there that could be the problem.



Re: ntlm_auth reconnection without login data?

2011-10-28 Thread Andreas Rudat
Ah, I see, if I disconnect from the WLAN, there is also no response from
RADIUS, no disconnect response.


On 28.10.2011 15:49, Andreas Rudat wrote:
 On 28.10.2011 08:55, Fajar A. Nugraha wrote:
 On Fri, Oct 28, 2011 at 1:46 PM, Andreas Rudat ru...@endstelle.de wrote:
 sorry for that. I use 802.1x
 802.1 wired? wireless?

 and I'm wondering if I connect again
 What do you mean by connect again? unplug the cable and plug it
 again? Turn off the wireless adapter and turn it on again? Logout and
 login?

 at
 radius, I don't see any reactions in my debug output of radius, so at
 the first time you see how the peap tunnel is getting up, challenge
 response and so on.

 Radius is running on Pfsense 2.0 and the clients are connecting with
 wpa2 Windows/Linux
 From your (very brief) description, the best answer I can give is ask the 
 NAS.

 FR debug would pretty much print out everything it does. If it
 doesn't print anything, it's not doing anything. Not even accepting
 any packets.

 Why didn't it receive any packet? Probably because the NAS doesn't send
 anything (which is why I said ask the NAS).

 Why didn't the NAS send any packet? There are several possible options. 
 Namely:
 - the NAS caches the authentication result
 - the session was never terminated

 So, ask the NAS. I'm GUESSING that you were never disconnected in the
 first place.

 It seems it is the NAS, it is an AP with OpenWrt on it, but I cannot find
 anything there that could be the problem.





ntlm_auth reconnection without login data?

2011-10-27 Thread Andreas Rudat
Hi,

if I connect to my radius server, I don't need my password anymore, also
if I restart radius or my workstation. But why?

Thanks


[solved] Re: ntlm_auth fails @radius-debug

2011-10-26 Thread Andreas Rudat
I edited the wrong site... sorry



On 26.10.2011 15:48, Andreas Rudat wrote:
 Hello,

 I work with this tutorial
 http://deployingradius.com/documents/configuration/active_directory.html

 all works fine, since I try to use ntlm_auth with radius directly


 I added a user tester / testen

 users:
 at the top DEFAULT Auth-Type := ntlm_auth

 tester Cleartext-Password := testen

 and added to inner-site -authenticate
 ntlm_auth

 then, if I try
 radtest tester testen localhost 0 testing123

 I get this
 Found Auth-Type = ntlm_auth
   WARNING: Unknown value specified for Auth-Type.  Cannot perform
 requested action.
 Failed to authenticate the user.

 Thanks






radius + ldap + ntlm

2011-10-23 Thread Andreas Rudat

Hello,

Do I understand it correctly that I can't use PEAP + MSCHAPv2 with LDAP? I'm really
confused atm about what I can really use; every time I think it's fine, I find another
insecure thing :/

Thanks



Re: radius + ldap + ntlm

2011-10-23 Thread Andreas Rudat
On 23.10.2011 17:26, James J J Hooper wrote:
 On 23/10/2011 16:02, Andreas Rudat wrote:

 Hello,

 Do I understand it correctly that I can't use PEAP + MSCHAPv2 with
 LDAP? I'm really confused atm about what I can really use; every time I think
 it's fine, I find another insecure thing :/

 To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text
 password, or the NTLM hash of the password.

 If your LDAP directly has plain text passwords, or NTLM hashes, then
 you can use it for authentication.

 You can use LDAP for authorization in any case.

 Regards,
   James

ok, thank you. For further things I think I have to configure the LDAP
module for that, right?

Thanks
Andreas



Re: radius + ldap + ntlm

2011-10-23 Thread Andreas Rudat
On 23.10.2011 17:48, Andreas Rudat wrote:
 On 23.10.2011 17:26, James J J Hooper wrote:
 On 23/10/2011 16:02, Andreas Rudat wrote:
 Hello,

 Do I understand it correctly that I can't use PEAP + MSCHAPv2 with
 LDAP? I'm really confused atm about what I can really use; every time I think
 it's fine, I find another insecure thing :/
 To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text
 password, or the NTLM hash of the password.

 If your LDAP directly has plain text passwords, or NTLM hashes, then
 you can use it for authentication.

 You can use LDAP for authorization in any case.

 Regards,
   James

 ok, thank you. For further things I think I have to configure the LDAP
 module for that, right?

 Thanks
 Andreas


another problem, I tried to test the connection with

ntlm_auth --request-nt-key --domain=foo.bar --username=test --password=test

and get the message
NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008)

is it perhaps a problem with samba? I'm using 3.4.14, same with wbinfo

my smb.conf

[global]
        workgroup = foo.bar
        security = server
        password server = bar.foo.bar
        wins server = bar.foo.bar

on my samba+ldap machine wbinfo and ntlm_auth are working fine.

Thanks



Re: radius + ldap + ntlm

2011-10-23 Thread Andreas Rudat
On 23.10.2011 22:04, Phil Mayers wrote:
 On 10/23/2011 06:03 PM, Andreas Rudat wrote:

 another problem, I tried to test the connection with

 ntlm_auth --request-nt-key --domain=foo.bar --username=test
 --password=test

 and get the message
 NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008)

 Samba problem. Consult the samba docs or support list.



hm, I don't know if that helped
https://bugzilla.samba.org/show_bug.cgi?id=7481
but it works, however...


Radius + SAMBA PDC + LDAP

2011-10-21 Thread Andreas Rudat

Hi,

I'm using Samba as PDC and LDAP as user database. That all works fine.
Now I want to use the LDAP database for user auth. for RADIUS.
But when I'm looking here
http://deployingradius.com/documents/configuration/active_directory.html
and some other sources, I read everywhere the same: configuration of
Kerberos, but why? I think it should also work with NTLM only? And is this
paper the correct one for me? Because if I understand it correctly, in that
scenario they are using an MS AD?


Thanks
Andreas


Re: Radius + SAMBA PDC + LDAP

2011-10-21 Thread Andreas Rudat

On 21.10.2011 18:28, Phil Mayers wrote:

On 21/10/11 17:03, Andreas Rudat wrote:

Hi,

I'm using Samba as PDC and LDAP as user database. That all works fine.
Now I want to use the LDAP database for user auth. for RADIUS.
But when I'm looking here
http://deployingradius.com/documents/configuration/active_directory.html
and some other sources, I read everywhere the same: configuration of
Kerberos, but why? I think it should also work with NTLM only? And is this
paper the correct one for me? Because if I understand it correctly, in that
scenario they are using an MS AD?


If you are using a Samba PDC with LDAP storage, you should be able to 
make FreeRADIUS extract the ntPassword LDAP attribute, and you will 
not need to interact with Samba at all.





ok, thanks


Freeradius for Lan

2011-10-02 Thread Andreas Rudat

Hello,

I use RADIUS for my WLAN auth but I also want it for LAN, but how? I use
pfSense with RADIUS 2.x. It works fine with WLAN but how do I use it for
LAN? If I connect via a LAN port on my AP I can reach everything without
RADIUS auth.


Thanks
Andreas


Re: Freeradius for Lan

2011-10-02 Thread Andreas Rudat

On 02.10.2011 17:46, yzy-oui-fi wrote:

Hello,
if you are using pfSense 2 and captive portal, go to your captive portal
administration,
hit Shift + select LAN on the Interface field, this will have as result to add
an interface to your captive portal instead of replacing the one
available

Note, this is not really a FreeRADIUS issue
Thanks, but I don't want to use captive portal. It would be great if I
could tell RADIUS that a user can only connect if they used at least one RADIUS
client, for example the AP.


Andreas

On Sunday 02 October 2011 at 17:31 +0200, Andreas Rudat wrote:

Hello,

I use RADIUS for my WLAN auth but I also want it for LAN, but how? I use
pfSense with RADIUS 2.x. It works fine with WLAN but how do I use it for
LAN? If I connect via a LAN port on my AP I can reach everything without
RADIUS auth.

Thanks
Andreas


Re: Radius + Samba + Mysql?

2011-09-27 Thread Andreas Rudat

On 25.09.2011 23:07, Alan DeKok wrote:

Andreas Rudat wrote:

HI Alan,

yes that is what I want, but my ldap doesn't work atm ;-)

   See the FAQ for "it doesn't work"

   Alan DeKok.


sorry, you misunderstood me, I meant MY LDAP doesn't work atm,
independently of RADIUS :)


Andreas


Radius + Samba + Mysql?

2011-09-25 Thread Andreas Rudat

Hi,

is that combination possible?
Radius and Samba should use the same sql database for accounting. Are 
there any problems or hints?


Thanks
Andreas


Re: Radius + Samba + Mysql?

2011-09-25 Thread Andreas Rudat

Hi again,

erm, it should work if I use MySQL for Samba accounts and ntlm_auth
+ MS-CHAP on RADIUS?



On 25.09.2011 13:03, Andreas Rudat wrote:

Hi,

is that combination possible?
Radius and Samba should use the same sql database for accounting. Are 
there any problems or hints?


Thanks
Andreas


Re: Radius + Samba + Mysql?

2011-09-25 Thread Andreas Rudat

On 25.09.2011 13:43, Fajar A. Nugraha wrote:

Should work if you have enough knowledge about all three components.
The main problem would be that FR and Samba use different schemas
for storing user passwords, but if you're familiar with triggers then
it should be possible. Just try it.
yeah, that's the problem I thought. No, I'm not really familiar with
triggers and SQL.

One other thing to note however, ntlm_auth is only necessary if your
backend (usually AD) doesn't give out clear-text or nt-hash. If you have
one of those available (in the case of mysql-backed samba, it's
nt-hash), you don't need ntlm_auth.

That's also bad, only nt-hash is not good. I tried to set up AD but got
heavy problems setting it up. But it would be the best thing for
authenticating Samba and FR users, I think?

Last way would perhaps be using smbpasswd.

Andreas


Re: Radius + Samba + Mysql?

2011-09-25 Thread Andreas Rudat

HI Alan,

yes that is what I want, but my ldap doesn't work atm ;-)

But thanks.
Andreas

On 25.09.2011 17:02, Alan DeKok wrote:

Andreas Rudat wrote:

That's also bad, only nt-hash is not good. I tried to set up AD but got
heavy problems setting it up.

   I have no idea why.  See my web page:

http://deployingradius.com

   It has complete documentation on AD integration, including what
configuration to change, how to debug it, and what to expect.  If you
follow the directions it *will* work.

   Alan DeKok.


anyone tried SSH tunneling for user auth?

2011-09-23 Thread Andreas Rudat

Hello,

I want to use an SSH tunnel between RADIUS and my user database on
another machine, has anyone tried that? I think it should work with port
forwarding of Samba's port 139 or the SQL port?


Thanks
Andreas


Re: Authentication Failure when putting NAS in private network.

2011-09-22 Thread Andreas Rudat

On 22.09.2011 03:23, 2394263740 wrote:

Hello,
Here is my freeradius environment.
The freeradius is used for WIFI users access authentication.
OS: Linux Enterprise Server 6.1
Radius: free radius server 2.1.11
Database: Mysql
The freeradius server was put on the Internet.
Sometimes, the WIFI router needs to be put on the private network, which
connects to the Internet through a gateway.
When we put the WIFI router on the private network, the WIFI user 
authentication always fail.
Checked both the server and client side, we found the server is 
sending packet to WIFI router(NAS), but the packet didn't reach the 
WIFI router. The packet was dropped by the gateway.

Can anyone advise a solution for this?
Thanks!
Tom




Hi,

If needed, have you changed or added the new client to RADIUS?

Andreas



Confusion between Freeradius + MSCHAPv2 + Samba

2011-09-21 Thread Andreas Rudat

Hello,

I have two machines: FreeRADIUS, and Samba as PDC. I authenticate WLAN clients
against RADIUS and I want to store any user data on my Samba. The client
auth will be realized with PEAP+MSCHAPv2. So the problem is the bad thing
with MSCHAPv2 and NTLMv1. So another way could be Kerberos, and I read this
howto
http://deployingradius.com/documents/configuration/active_directory.html
but is it useful to use Kerberos with two machines? I think it would be a
contradiction of Kerberos, and would it work without AD/LDAP? And could I
use an SQL database to save the encrypted passwords by using NTLM and the
rlm_mschap module?


Thanks!
Andreas


Re: Confusion between Freeradius + MSCHAPv2 + Samba

2011-09-21 Thread Andreas Rudat

On 21.09.2011 22:09, Alan DeKok wrote:

Andreas Rudat wrote:

but is it useful to use Kerberos with two machines?

   Most of the time: no.


I think it would be
a contradiction of Kerberos, and would it work without AD/LDAP?

   I have no idea what that means.


And could
I use an SQL database to save the encrypted passwords by using NTLM and
the rlm_mschap module?

   You can use SQL to store anything, including NT-Passwords.

   Alan DeKok.

ok, thanks for the info.

Andreas
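Alan's answer to the question above is that SQL can hold NT-Passwords, which is exactly what rlm_mschap needs to do MS-CHAPv2 without Samba or AD in the path. The Python below is an added example, not code from this thread or from the FreeRADIUS project: it computes the NT hash the way rlm_mschap consumes it (MD4 over the UTF-16LE encoding of the password, written as 32 hex characters) and stores it as an `NT-Password :=` row in a `radcheck` table laid out like the stock FreeRADIUS SQL schema, here in an in-memory SQLite database. The MD4 routine is inlined because hashlib has no md4 on many OpenSSL 3 builds; the user name and password are constructed values.

```python
import sqlite3
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, inlined because hashlib's md4 is missing on
    OpenSSL 3 builds unless the legacy provider is loaded."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"                                  # padding: one 1 bit, then zeros
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # up to 56 bytes mod 64
    data += struct.pack("<Q", bit_len)               # 64-bit little-endian bit length

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # (function, additive constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        s = [a, b, c, d]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                ai = (4 - i % 4) % 4   # register rotation ABCD, DABC, CDAB, BCDA
                bb, cc, dd = s[(ai + 1) % 4], s[(ai + 2) % 4], s[(ai + 3) % 4]
                s[ai] = _rotl((s[ai] + fn(bb, cc, dd) + x[order[i]] + const) & MASK,
                              shifts[i % 4])
        a, b, c, d = [(v + w) & MASK for v, w in zip((a, b, c, d), s)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT-Password as rlm_mschap reads it: MD4(UTF-16LE(password)) as 32 hex chars."""
    return md4(password.encode("utf-16le")).hex().upper()


# Same columns as the radcheck table of the FreeRADIUS SQL schema.
RADCHECK_DDL = """
CREATE TABLE radcheck (
  id        INTEGER PRIMARY KEY AUTOINCREMENT,
  username  TEXT NOT NULL DEFAULT '',
  attribute TEXT NOT NULL DEFAULT '',
  op        CHAR(2) NOT NULL DEFAULT '==',
  value     TEXT NOT NULL DEFAULT ''
)"""


def open_radcheck_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(RADCHECK_DDL)
    return conn


def store_nt_password(conn, username, password):
    """Replace the user's NT-Password row; the cleartext is never written."""
    conn.execute("DELETE FROM radcheck WHERE username = ? AND attribute = 'NT-Password'",
                 (username,))
    conn.execute("INSERT INTO radcheck (username, attribute, op, value) "
                 "VALUES (?, 'NT-Password', ':=', ?)", (username, nt_hash(password)))
    conn.commit()


def lookup_nt_password(conn, username):
    row = conn.execute("SELECT value FROM radcheck WHERE username = ? "
                       "AND attribute = 'NT-Password'", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_radcheck_db()
    store_nt_password(db, "alice", "password")   # constructed test user
    print(lookup_nt_password(db, "alice"))
```

The "bad thing with MSCHAPv2 and NTLMv1" from the question is the reason the stored value must be treated as a secret rather than as a password hash in the usual sense: the NT hash is unsalted, and for MS-CHAPv2 it is password-equivalent, so a radcheck table holding NT-Password needs the same protection as one holding Cleartext-Password (database ACLs, no reachability from the NAS side, and the PEAP outer TLS tunnel around the inner MS-CHAPv2 exchange).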


EAP-SIM Broker?

2010-09-22 Thread Andreas Anderson

Hi Guys,

does someone know a way to do real EAP-SIM authentication with (through!)
freeradius?

Most if not all GSM carriers have RADIUS servers for their own WiFi hotspots,
but obviously they won't give anyone access to them, only hotspot roaming
providers like iPass or WeRoam.

Is there some sort of broker service that would allow this?
I would imagine a concept where I pre-filter the authentication requests and
only pass the IMSIs I want to be able to access our wireless network to the
broker for real authentication...

This is for my employer, so no problem if there's a fee for this service
involved...

Regards,

Andreas

Re: FreeRadius on MacOS X Server

2010-08-18 Thread Andreas Hubert
Do you have any other idea, after I sent out the logs of both servers, the one
where everything works and the other server where it doesn't work?

On 17.08.10 21:56, Alan DeKok wrote:
 Andreas Hubert wrote:
 I don't know if updating is such a good idea. Mac OS X comes with 2.1.3 and 
 another mailing list reader told me that everything in his environment with 
 Snow Leopard Server works.
 So I guess this thing should work somehow with Mac OS X Server's freeradius 
 2.1.3 implementation together with Apple Airport Extreme.
   It should.  But the problems you're seeing are very strange.

   Alan DeKok.



Re: FreeRadius on MacOS X Server

2010-08-18 Thread Andreas Hubert
Okay, I just found out I messed something up in the eap.conf on my first 
server; I accidentally commented out these options:
fragment_size = 1024
include_length = yes
check_crl = yes
CA_path = /path/to/directory/with/ca_certs/and/crls/
check_cert_cn = %{User-Name}

But now the eap.conf is nearly the same on both servers (apart from the 
certificate paths).
I tried to make the problem happen again; maybe now it is easier to see the 
difference in the log files.
Or should I maybe add my complete config folder of both servers here? I 
already diffed every file in them.



On 18.08.10 12:05, Andreas Hubert wrote:
  Do you have any other idea, after I sent out the logs of both servers, the 
 one where everything works and the other server where it doesn't work?

 On 17.08.10 21:56, Alan DeKok wrote:
 Andreas Hubert wrote:
  I don't know if updating is such a good idea. Mac OS X comes with 2.1.3 and 
 another mailing list reader told me that everything in his environment with 
 Snow Leopard Server works.
 So I guess this thing should work somehow with Mac OS X Server's freeradius 
 2.1.3 implementation together with Apple Airport Extreme.
   It should.  But the problems you're seeing are very strange.

   Alan DeKok.
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT 
id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0 
rlm_sql_sqlite: sqlite3_step = 100 
rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN 
Test,secret=test123
rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=none) to 
clients list
rlm_sql_sqlite: sqlite3_step = 101 
rlm_sql_sqlite: sqlite3_finalize() = 0 
rlm_sql (sql): Released sql socket id: 4
radiusd:  Opening IP addresses and Ports 
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=14, 
length=151
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN Test
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x020801616875
Message-Authenticator = 0xf784a159cfe693d10bd30de18988d026
rlm_opendirectory: The host 192.168.214.100 does not have an access group.
rlm_opendirectory: User ahu is authorized.
Sending Access-Challenge of id 14 to 192.168.214.100 port 65527
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0x3d59114e3d5804266eaf1e978c8c2b4d
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=13, 
length=151
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN Test
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x0283000801616875
Message-Authenticator = 0x8d0cd8f9ff69b0b46eee276c1ead0a9d
rlm_opendirectory: The host 192.168.214.100

Re: FreeRadius on MacOS X Server

2010-08-18 Thread Andreas Hubert

   Use an AP that works.

   Use a client PC that works.

The strange thing is, both work, but only together with the second server, not 
with the first one.
On the AP I can enter two RADIUS servers, in case one goes down, which I also 
want to use. I also switched them in the configuration with no effect; it's 
always the same server I can't connect to. I tried to figure out more about it 
with tcpdump, and the only difference I see is that the AP is sending one more 
piece of information to the first server:
There is an EAP-Message Last Segment on both,
and only the first server also gets an EAP-Message Segment, for whatever 
reason.
I really have no clue why the AP and client should work with the second server 
and not with the first one :(



Re: FreeRadius on MacOS X Server

2010-08-18 Thread Andreas Hubert
But all packets are coming through, I think.
Both servers are on the same subnet, with same gateway.


On 18.08.10 15:53, Alan DeKok wrote:
 Andreas Hubert wrote:
 I really have no clue, why the AP and client should work with the second 
 server and not with the first one :(
   It's a networking issue.

   Alan DeKok.


server1.pcap
Description: Binary data


server2.pcap
Description: Binary data

Re: FreeRadius on MacOS X Server

2010-08-17 Thread Andreas Hubert
 Like it is always:

Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User ahu is authorized.
Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State 
variable.
Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User ahu is authorized.
Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the State 
variable.

Can you please specify how it is all configured together in your environment 
so that it works?

Thanks

On 13.08.10 17:12, Theparanoidone Theparanoidone wrote:
 Fri Aug 13 14:46:50 2010 : Auth: rlm_opendirectory: User ahu is authorized.
 Fri Aug 13 14:46:59 2010 : Error: rlm_eap: No EAP session matching the State 
 variable.
 Greetings~ 

 Did you turn EAP on for the network connection on the computer/laptop with 
 the 
 wifi card?  Perhaps you need to turn on an 802.1x profile with TTLS or etc:

 System Preferences -
 Network -
 Select The Airport adapter in the left column --
 Click Advanced (bottom right corner next to the help ?)
 Select the 802.1x tab
 Click the + to add a profile
 Add a User Profile
 Name it test or whatever
 Enter your OpenDirectory login and password (local account prob won't work?)
 Try TTLS
 Select your network
 Click ok

 Not sure if this will fix your issue, but give it a try

 We are using Snow Leopard Server radius for a corporate deployment on wired 
 switches and wireless devices (so with a little patience and configuration, 
 I'm sure you'll get it to go)


   


Re: FreeRadius on MacOS X Server

2010-08-17 Thread Andreas Hubert
I don't know if updating is such a good idea. Mac OS X comes with 2.1.3 and 
another mailing list reader told me that everything in his environment with Snow 
Leopard Server works.
So I guess this thing should work somehow with Mac OS X Server's freeradius 
2.1.3 implementation together with Apple Airport Extreme.

On 13.08.10 18:33, Alan DeKok wrote:
 Andreas Hubert wrote:
 I also activated the debug mode and it came out this:
 ...
 rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, 
 length=510
 ...
 Sending Access-Challenge of id 37 to 192.168.214.100 port 65527
 EAP-Message = 
 0x01ee00451580003b1403010001011603010030bbda33956ff9087b5291d1bf33e7bd7783b7e5a8334901c991146359bea1295b708aacf8a4f66486889750fe3f6c8969
 Message-Authenticator = 0x
 State = 0x7643105974ad05ff18e41e4ad6d190e3
 Waking up in 4.9 seconds.
 rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, 
 length=510
 Sending Access-Challenge of id 37 to 192.168.214.100 port 65527
 Waking up in 1.9 seconds.
 Ready to process requests.
 rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, 
 length=510
  The NAS isn't receiving the Access-Challenge, or is ignoring it.  The
 request is being retransmitted.  For some reason, it's being
 re-processed, rather than having a cached reply returned.

 Does anyone know what could be wrong here?
 I hope I can find some helpful people here rather than in the Apple
 discussion forum, where nobody knows the deep stuff.
   Install 2.1.9 and try that.

   Alan DeKok.
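The pattern Alan points out in the quoted debug output above (the same id=37 arriving again and again from the same NAS port, each time answered with a fresh Access-Challenge instead of a cached reply) can be checked mechanically on a `radiusd -X` capture. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the `rad_recv:` and `Sending ...` lines and the rlm_eap "No EAP session matching the State variable" error, counts repeated (host, port, id) tuples, and reports which of them the server re-processed. The log it runs on is a constructed sample modelled on the output quoted in this thread; the second NAS address in it is invented for contrast.

```python
import re
from collections import Counter

RECV_RE = re.compile(r"rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND_RE = re.compile(r"Sending (\S+) of id (\d+) to (\S+) port (\d+)")
STATE_ERR = "No EAP session matching the State variable"

# Constructed sample modelled on the debug output quoted in this thread.
# radiusd -X prints one record per line; the e-mail wrapped them.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, length=146
Sending Access-Challenge of id 37 to 192.168.214.100 port 65527
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, length=146
Sending Access-Challenge of id 37 to 192.168.214.100 port 65527
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, length=146
Sending Access-Challenge of id 37 to 192.168.214.100 port 65527
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=38, length=320
Sending Access-Challenge of id 38 to 192.168.214.100 port 65527
rad_recv: Access-Request packet from host 192.168.214.101 port 1645, id=5, length=146
Sending Access-Challenge of id 5 to 192.168.214.101 port 1645
rad_recv: Access-Request packet from host 192.168.214.101 port 1645, id=6, length=320
Sending Access-Accept of id 6 to 192.168.214.101 port 1645
Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State variable.
"""


def analyze(log_text):
    """Count, per (NAS host, NAS port, RADIUS id), how often a request arrived
    and how often the server sent a reply for it."""
    received = Counter()
    answered = Counter()
    state_errors = 0
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            _code, host, port, rid = m.groups()
            received[(host, int(port), int(rid))] += 1
            continue
        m = SEND_RE.search(line)
        if m:
            _code, rid, host, port = m.groups()
            answered[(host, int(port), int(rid))] += 1
            continue
        if STATE_ERR in line:
            state_errors += 1
    # Same id from the same NAS socket more than once: the NAS timed out
    # waiting for a reply it never saw (or ignored) and retransmitted.
    retransmits = {k: n for k, n in received.items() if n > 1}
    # Answered on every arrival: the server ran the full request again rather
    # than replaying a cached reply for the duplicate.
    reprocessed = {k: n for k, n in retransmits.items() if answered[k] >= n}
    return {
        "retransmits": retransmits,
        "reprocessed": reprocessed,
        "state_errors": state_errors,
        "nas_hosts": sorted({k[0] for k in received}),
    }


def summarize(report):
    """Human-readable findings, one line per retransmitted request."""
    lines = []
    for (host, port, rid), n in sorted(report["retransmits"].items()):
        tag = "re-processed" if (host, port, rid) in report["reprocessed"] else "unanswered"
        lines.append(f"{host}:{port} id={rid} received {n} times ({tag})")
    if report["state_errors"]:
        lines.append(f"{report['state_errors']} rlm_eap State mismatch error(s): "
                     "a request carried a State the server holds no EAP session for")
    return lines


if __name__ == "__main__":
    for finding in summarize(analyze(SAMPLE_LOG)):
        print(finding)
```

Two caveats when running this on a real capture rather than the sample: the RADIUS identifier is a single byte, so on a long log the same (host, port, id) legitimately recurs after 256 requests and the count should be restricted to a time window or to consecutive arrivals; and a retransmission only tells you the reply did not reach the NAS in time, not why, which is the "networking issue" Alan later points to and is settled with a packet capture on both sides.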


Re: FreeRadius on MacOS X Server

2010-08-17 Thread Andreas Hubert
 I attached the log with debug mode.
And I read the instructions and did this:

System Preferences -
Network -
Select The Airport adapter in the left column --
Click Advanced (bottom right corner next to the help ?)
Select the 802.1x tab
Click the + to add a profile
Add a User Profile
Name it test or whatever
Enter your OpenDirectory login and password (local account prob won't work?)
Try TTLS
Select your network
Click ok

I did not update to 2.1.9.

On 17.08.10 17:59, Alan DeKok wrote:
 Andreas Hubert wrote:
  Like it is always:

 Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User ahu is authorized.
 Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State 
 variable.
 Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User ahu is authorized.
 Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the State 
 variable.
   And as always, run the server in debugging mode as suggested in the
 FAQ, README, man page, and daily on this list.

 Can you please specify how it is all configured together in your environment 
 so that it works?
   Read the previous responses to your message on this list.  The
 instructions are there.

   Alan DeKok.
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT 
id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0 
rlm_sql_sqlite: sqlite3_step = 100 
rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN 
Test,secret=***
rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=none) to 
clients list
rlm_sql_sqlite: sqlite3_step = 101 
rlm_sql_sqlite: sqlite3_finalize() = 0 
rlm_sql (sql): Released sql socket id: 4
radiusd:  Opening IP addresses and Ports 
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.214.100 port 64954, id=6, 
length=146
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x0294000801616875
Message-Authenticator = 0x921047de6d65faf9504e1ca2aad257e5
rlm_opendirectory: The host 192.168.214.100 does not have an access group.
rlm_opendirectory: User ahu is authorized.
Sending Access-Challenge of id 6 to 192.168.214.100 port 64954
EAP-Message = 0x019500061520
Message-Authenticator = 0x
State = 0xac419076acd48591d4924416ee09f473
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 64954, id=7, 
length=320
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 
0x029500a41580009a1603010095019103014c6ab4cddfea477b096c1a93b3696f6f1d9c09bbaaa98d4fbdde1f4ecfa88d5956c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110

Re: FreeRadius on MacOS X Server

2010-08-17 Thread Andreas Hubert
After a bit more investigating, I think I am coming closer to the problem and can 
locate it somewhere in the Mac OS X Server Access Control List for services.
We have a second server here, which is an Open Directory Replica, and the RADIUS 
connection with this server works!
I attach the logfile from server1 (radiusd-1.log), where I have the problem, and 
from server2 (radiusd-2.log), where it works.
So there are two more problems to solve:
- How to fix this rights problem on server1
- Why don't I get an IP address from the Airport after authenticating with 
server2? :(

But I guess the freeradius mailing list is the wrong place for non-RADIUS 
related problems :(
Maybe anyone here with more Mac OS X Server and Airport/RADIUS experience 
may help me?

On 17.08.10 17:59, Alan DeKok wrote:
 Andreas Hubert wrote:
  Like it is always:

 Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User ahu is authorized.
 Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the State 
 variable.
 Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User ahu is authorized.
 Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the State 
 variable.
   And as always, run the server in debugging mode as suggested in the
 FAQ, README, man page, and daily on this list.

 Can you please specify how it is all configured together in your environment 
 so that it works?
   Read the previous responses to your message on this list.  The
 instructions are there.

   Alan DeKok.
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT 
id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0 
rlm_sql_sqlite: sqlite3_step = 100 
rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN 
Test,secret=**
rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=none) to 
clients list
rlm_sql_sqlite: sqlite3_step = 101 
rlm_sql_sqlite: sqlite3_finalize() = 0 
rlm_sql (sql): Released sql socket id: 4
radiusd:  Opening IP addresses and Ports 
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=37, 
length=146
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x0256000801616875
Message-Authenticator = 0xcc601addd69d936900b1af411db61511
rlm_opendirectory: The SACL group com.apple.access_radius does not exist on 
this system.
rlm_opendirectory: The host 192.168.214.100 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
Sending Access-Challenge of id 37 to 192.168.214.100 port 65527
EAP-Message = 0x015700061520
Message-Authenticator = 0x
State = 0x44cd768a449a6388eb2d24455d69bb6d
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=36, 
length=146
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN
Calling-Station-Id = 00-25

Re: FreeRadius on MacOS X Server

2010-08-17 Thread Andreas Hubert
Okay, sorry again, I tried it completely fresh, with empty logs and debug mode.
This time I don't get the error with the missing com.apple.access_radius group on 
both servers.
Can anyone see what the problem and the difference between these servers is?
They are both configured the same, the Airport has the same configuration, the 
client uses the same configuration, but if the first server is up, it does not 
work, and if the second server is up, it works.
See logs attached.
-2 works
-1 does not work

On 17.08.10 19:01, Andreas Hubert wrote:
  After a bit more investigating, I think I am coming closer to the problem and can 
 locate it somewhere in the Mac OS X Server Access Control List for services.
 We have a second server here, which is an Open Directory Replica, and the RADIUS 
 connection with this server works!
 I attach the logfile from server1 (radiusd-1.log), where I have the problem, and 
 from server2 (radiusd-2.log), where it works.
 So there are two more problems to solve:
 - How to fix this rights problem on server1
 - Why don't I get an IP address from the Airport after authenticating with 
 server2? :(

 But I guess the freeradius mailing list is the wrong place for non-RADIUS 
 related problems :(
 Maybe anyone here with more Mac OS X Server and Airport/RADIUS experience 
 may help me?

 On 17.08.10 17:59, Alan DeKok wrote:
 Andreas Hubert wrote:
  Like it is always:

 Tue Aug 17 17:42:48 2010 : Auth: rlm_opendirectory: User ahu is 
 authorized.
 Tue Aug 17 17:42:57 2010 : Error: rlm_eap: No EAP session matching the 
 State variable.
 Tue Aug 17 17:44:21 2010 : Auth: rlm_opendirectory: User ahu is 
 authorized.
 Tue Aug 17 17:44:30 2010 : Error: rlm_eap: No EAP session matching the 
 State variable.
   And as always, run the server in debugging mode as suggested in the
 FAQ, README, man page, and daily on this list.

 Can you please specify how it is all configured together in your 
 environment so that it works?
   Read the previous responses to your message on this list.  The
 instructions are there.

   Alan DeKok.
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to rad...@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0 
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT 
id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0 
rlm_sql_sqlite: sqlite3_step = 100 
rlm_sql (sql): Read entry nasname=192.168.214.100,shortname=ahus WLAN 
Test,secret=**
rlm_sql (sql): Adding client 192.168.214.100 (ahus WLAN Test, server=none) to 
clients list
rlm_sql_sqlite: sqlite3_step = 101 
rlm_sql_sqlite: sqlite3_finalize() = 0 
rlm_sql (sql): Released sql socket id: 4
radiusd:  Opening IP addresses and Ports 
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.214.100 port 65507, id=19, 
length=146
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:ahu WLAN
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x027e000801616875
Message-Authenticator = 0xc85244a17194d215e1d031ab7a9c0478
rlm_opendirectory: The host 192.168.214.100 does not have an access group.
rlm_opendirectory

FreeRadius on MacOS X Server

2010-08-13 Thread Andreas Hubert
Hi all,

I need help with freeradius 2.1.3 in Mac OS X Server. At the Apple 
discussion forum I don't get any answer. :(
Using this version:
radiusd: FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Feb 
11 2010 at 02:25:02
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

In short, Apple is trying to make it easy: with serveradmin you can 
just add an Apple Airport and it will be configured automatically for RADIUS 
authentication with the Open Directory server. If I then try to connect to the 
WLAN, I see this message in the RADIUS log:

Fri Aug 13 14:46:50 2010 : Auth: rlm_opendirectory: User ahu is authorized.

Fri Aug 13 14:46:59 2010 : Error: rlm_eap: No EAP session matching the State 
variable.


I also activated the debug mode and this came out:

radiusd:  Opening IP addresses and Ports 
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=35, 
length=162
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:Andreas Huberts Netzwerk
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x02eb000801616875
Message-Authenticator = 0xbf4e12e4c08fe497d93f036e78d9629d
rlm_opendirectory: The host 192.168.214.100 does not have an access group.
rlm_opendirectory: User ahu is authorized.
Sending Access-Challenge of id 35 to 192.168.214.100 port 65527
EAP-Message = 0x01ec00061520
Message-Authenticator = 0x
State = 0x7643105976af05ff18e41e4ad6d190e3
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.214.100 port 65527, id=36, 
length=336
User-Name = ahu
NAS-IP-Address = 192.168.214.100
NAS-Port = 0
Called-Station-Id = 00-1C-B3-AD-38-07:Andreas Huberts Netzwerk
Calling-Station-Id = 00-25-00-41-AD-F3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 
0x02ec00a41580009a1603010095019103014c65432b508949d3aa234f3918396b1fcd3fc7210ed299f0517fadf848a1e03556c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100
State = 0x7643105976af05ff18e41e4ad6d190e3
Message-Authenticator = 0x8d68f17c3a5ee3cd61864c91fddc73be
Sending Access-Challenge of id 36 to 192.168.214.100 port 65527
EAP-Message = 
0x01ed035a15800350160301002a022603014c65432bf1c8143b2611d52b71758554023eb6d883ed38f8b702c5fefdc1f9222f0016030103130b00030f00030c00030930820305308201eda003020102020101300b06092a864886f70d01010530313122302006035504030c197873657276652d706172612d312e63656e73686172652e6465310b3009060355040613024445301e170d3039303932353134353334335a170d3130303932353134353334335a30313122302006035504030c197873657276652d706172612d312e63656e73686172652e6465310b300906035504061302444530820122300d06092a864886f70d01010105
EAP-Message = 
0x83749dba69683b8f0974b4744e39aa1dba0cf926299a0d3f6e674d90fc70398fb49e2523dbbb00dcd54da3ec354dab350c190b5f3b7b2b2e032f63bf898e8ba323724abc12b4baad64938e8d1baebafebf9715debd36a2f7c59816030100040e00
Message-Authenticator = 0x
State = 0x7643105977ae05ff18e41e4ad6d190e3
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host

Re: reauth-problem with WPA2-tls

2010-06-07 Thread Andreas Hartmann
Hello!

Problem is fixed! You're missing an ssl-option when setting up SSL. Since
SSL version 0.9.8j, openssl supports stateless session resumption. This
means no session_id is created in the server if both client and
server support it.

I'm using openssl 0.9.8k on both sides; the server generates no
session-key (which you need for saving resume-data).

See: http://www.mail-archive.com/openssl-us...@openssl.org/msg56976.html.


Setting

ctx_options |= SSL_OP_NO_TICKET;

in rlm_eap_tls.c

is needed to get working session handling in freeradius with openssl
0.9.8i.

It was good to have a lot of comments in the code and to have a lot of
debug messages. So I could follow what's going on in detail.



Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-06 Thread Andreas Hartmann
Alan DeKok schrieb:
 Andreas Hartmann wrote:
 See http://bugs.freeradius.org/bugzilla/show_bug.cgi?id=81
 
   Where you file a bug against FreeRADIUS for an OpenSSL issue.
 
   I understand that FreeRADIUS is affected.  But...
 
 It does not work for me. There seem to be problems with the
 session-handling, which should be checked, explained and, if necessary,
 fixed.
 
   FreeRADIUS does not create, update, or maintain the session_id
 variable.  It's created by OpenSSL.  If has different values for the
 same session, then file a bug against OpenSSL.
 
 Until I have a comprehensible explanation for the reported
 session-ID behavior, the current version (and 2.1.8) of freeradius is
 highly insecure.
 
   I have no idea why you think that's true.  Failing to find a previous
 session means that the new request will be rejected.  There are no
 security issues with rejecting users.

That's right. But:

1. There could be a security issue with users handled in parallel during
initial login, because they probably all have the same empty session
ids at the same time.

2. Session handling does definitely not work at this point (I tried to
find the reason today but couldn't get it yet).
Why should I believe that it works error free at the other places in
freeradius?

3. You are right, that there are probably no security issues with
rejected users. But why are you sure, that every session-id you get,
does belong to the user you think that it belongs to? It could be the
data from another user too.

4. I can't say, if it's an exploitable scenario. May be - may be not.


The session-handling in freeradius does not always work as expected, and
until now the cause for the not always working session-handling is unknown.

Or in other words: the session-handling does not work predictably (sometimes
it works as expected - sometimes not - but you can't define "sometimes"
- or I haven't found it yet). Unpredictable behavior and security is a
contradiction.


It's your application that suffers - it's not openssl's.
Therefore I can't understand why you don't set everything to get a real
solution?
And no, I don't want to bash you. I'm willing to help, but I need your
support to try to understand what's going on. I am willing to help you
to find and fix the problem - even if it is not a bug in freeradius.
It is all the same to me whether it's a bug in openssl or in freeradius. I
have just one goal: freeradius should work predictably in that case.
That's all, and this goal can't be bad for you!

I can't file a bug for openssl. What should I write? The session
handling in openssl does not work with freeradius?
They will say: ok, openssl has been patched for EAP or they will ask
detailed things about the handling of SSL in freeradius. I think that
you are the best person to answer these questions!

BTW:
During my investigations today, I detected that the defined callback
cbtls_new_session never gets called during an initial session. That
corresponds to the fact that I can't see any session-ID during initial
login.
I would like to know why the client suddenly has a session-ID at
resumption time. Where does it come from?


Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-05 Thread Andreas Hartmann
Alan DeKok schrieb:
 Andreas Hartmann wrote:
 Now, I looked at the SSL-session_id.

 tls_session->ssl->session->session_id is empty when the data is saved to
 the session.

 At the time the data is fetched from the session during reauth, the
 session_id is not empty (means: there is another id).
 
   shrug  OpenSSL is weird.
 
   The fast re-auth worked when I tested it with TTLS & PEAP.  Others
 have tested it to work.


See http://bugs.freeradius.org/bugzilla/show_bug.cgi?id=81

It does not work for me. There seem to be problems with the
session-handling, which should be checked, explained and, if necessary,
fixed.

Until I have a comprehensible explanation for the reported
session-ID behavior, the current version (and 2.1.8) of freeradius is
highly insecure.


Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-05 Thread Andreas Hartmann
Alan DeKok schrieb:
 Andreas Hartmann wrote:
 well, I thought about the problem with reauth: Why must there be passwords
 in the session?
 
   There shouldn't be passwords in the session.  There should be a *name*
 in the session.
 
 That's why it shouldn't be necessary to have these Keys in the Session or
 in the response (the client didn't send any password, too).

 At the moment of adding the Password to the session, the handshake has been 
 done already.
 
   I have no idea why you think it's adding passwords to the session.
 It's not.

I derived it from the PW_ prefix of the variable name, which is wrong. I
know it meanwhile.

 Therefore, I did the following change (- for testing only
 This should be used only with EAP/tls for testing - no warranty!):
 
   That change removes the fix added in 2.1.8.  It *will* break your system.

I know that it was added because of another reported bug. And I know,
that my test-change can't be a solution (as I wrote myself). The problem
seems to be much deeper.


Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-04 Thread Andreas Hartmann
Alan DeKok schrieb:
 Andreas Hartmann wrote:
 I have one basic question:
 There are now two different caches: one in eap (based on ssl) and the
 extern cache, rlm_caching.
 
   rlm_caching has nothing to do with EAP.
 
 If I want to use fast_reauth, is it necessary to enable both caches or
 must the ssl-cache in eap.conf be disabled to run fast_reauth
 successfully with rlm_caching?
 
   The EAP configuration explains what you need to do for fast re-auth.
 
 Meanwhile, I have a configuration, which does a User-Name-based
 rlm_caching at the end of the last fragment of the initial
 authentication with an originally empty database.
 
   What is it supposed to do?
 
 But the problem is:

 If the user reconnects or wants to connect initial again, the process is
 stopped (with success returned) at the moment, the client sends the
 User-Name.
 This is wrong. The process can't be interrupted before the key exchange
 has been done successfully.
 How can this be written in the config-file (authorize-section)?
 
   What do you want to do?
 
   I have no idea why you configured the caching module, and you haven't
 explained why you configured it.

Thanks for your reply,

I configured it, because fast-reauth doesn't work for me.

- In the wpa_supplicant, fast_reauth is switched to 1.
- In eap.conf, the cache under tls is enabled.

Now, wpa_supplicant is started and the client got authenticated. But
there is a warning near the end of the successful authentication:

Fri Jun  4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3
Fri Jun  4 09:42:11 2010 : Info: [tls] eaptls_process returned 3
Fri Jun  4 09:42:11 2010 : Info: [tls] Adding user data to cached session
Fri Jun  4 09:42:11 2010 : Info: [tls] Saving response in the cache
Fri Jun  4 09:42:11 2010 : Info: [tls] WARNING: No information to
   ^^
cache: session caching will be disabled for this session.

Fri Jun  4 09:42:11 2010 : Info: [eap] Freeing handler
Fri Jun  4 09:42:11 2010 : Info: ++[eap] returns ok
Fri Jun  4 09:42:11 2010 : Auth: Login OK: [myu...@mydom] (from client
WAP610N port 0 cli 00-13-.)
Fri Jun  4 09:42:11 2010 : Info: +- entering group post-auth {...}
Fri Jun  4 09:42:11 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 238 to 192.168 port 2048



Some time later, the fast_reauth follows, which breaks because of
missing data in the cache.

My question is: How must the client or the server be configured so that
there is cached data, in order to get a working fast_reauth?


rad_recv: Access-Request packet from host 192.168.1.9 port 2048, id=240,
length=177
User-Name = myu...@mydom
NAS-Port = 0
Called-Station-Id = 00-25-...:mywlan
Calling-Station-Id = 00-13-
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x0217016e6f7465626f6f6b31406d6179612e6f7267
Message-Authenticator = 0xc7d7831bf74eb29cc2862fbf9c1164f8
Fri Jun  4 10:05:37 2010 : Info: +- entering group authorize {...}
Fri Jun  4 10:05:37 2010 : Info: ++[preprocess] returns ok
Fri Jun  4 10:05:37 2010 : Info: [suffix] Looking up realm mydom for
User-Name = myu...@mydom
Fri Jun  4 10:05:37 2010 : Info: [suffix] No such realm mydom
Fri Jun  4 10:05:37 2010 : Info: ++[suffix] returns noop
Fri Jun  4 10:05:37 2010 : Info: [eap] EAP packet type response id 0
length 23
Fri Jun  4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jun  4 10:05:37 2010 : Info: ++[eap] returns updated
Fri Jun  4 10:05:37 2010 : Info: ++[unix] returns notfound
Fri Jun  4 10:05:37 2010 : Info: [files] users: Matched entry
myu...@mydom at line 203
Fri Jun  4 10:05:37 2010 : Info: ++[files] returns ok
Fri Jun  4 10:05:37 2010 : Info: ++[expiration] returns noop
Fri Jun  4 10:05:37 2010 : Info: ++[logintime] returns noop
Fri Jun  4 10:05:37 2010 : Info: Found Auth-Type = EAP
Fri Jun  4 10:05:37 2010 : Info: +- entering group authenticate {...}
Fri Jun  4 10:05:37 2010 : Info: [eap] EAP Identity
Fri Jun  4 10:05:37 2010 : Info: [eap] processing type tls
Fri Jun  4 10:05:37 2010 : Info: [tls] Requiring client certificate
Fri Jun  4 10:05:37 2010 : Info: [tls] Initiate
Fri Jun  4 10:05:37 2010 : Info: [tls] Start returned 1
Fri Jun  4 10:05:37 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168 port 2048
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0xbc40ebedbc41e6950bd358ee7ea3ba57
Fri Jun  4 10:05:37 2010 : Info: Finished request 9.
Fri Jun  4 10:05:37 2010 : Debug: Going to the next request
Fri Jun  4 10:05:37 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168. port 2048,
id=241, length=1516
User-Name = myu...@mydom
NAS-Port = 0
Called

Re: reauth-problem with WPA2-tls

2010-06-04 Thread Andreas Hartmann
Andreas Hartmann schrieb:
 Alan DeKok schrieb:
 Andreas Hartmann wrote:
 I have one basic question:
 There are now two different caches: one in eap (based on ssl) and the
 extern cache, rlm_caching.

   rlm_caching has nothing to do with EAP.

 If I want to use fast_reauth, is it necessary to enable both caches or
 must the ssl-cache in eap.conf be disabled to run fast_reauth
 successfully with rlm_caching?

   The EAP configuration explains what you need to do for fast re-auth.

 Meanwhile, I have a configuration, which does a User-Name-based
 rlm_caching at the end of the last fragment of the initial
 authentication with an originally empty database.

   What is it supposed to do?

 But the problem is:

 If the user reconnects or wants to connect initial again, the process is
 stopped (with success returned) at the moment, the client sends the
 User-Name.
 This is wrong. The process can't be interrupted before the key exchange
 has been done successfully.
 How can this be written in the config-file (authorize-section)?

   What do you want to do?

   I have no idea why you configured the caching module, and you haven't
 explained why you configured it.
 
 Thanks for your reply,
 
 I configured it, because fast-reauth doesn't work for me.
 
 - In the wpa_supplicant, fast_reauth is switched to 1.
 - In eap.conf, the cache under tls is enabled.
 
 Now, wpa_supplicant is started and the client got authenticated. But
 there is a warning near the end of the successful authentication:
 
 Fri Jun  4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3
 Fri Jun  4 09:42:11 2010 : Info: [tls] eaptls_process returned 3
 Fri Jun  4 09:42:11 2010 : Info: [tls] Adding user data to cached session
 Fri Jun  4 09:42:11 2010 : Info: [tls] Saving response in the cache
 Fri Jun  4 09:42:11 2010 : Info: [tls] WARNING: No information to
  ^^
 cache: session caching will be disabled for this session.
 

Meanwhile, I defined a realm (I didn't have any until now). This seems to
make the initial session caching work!


Jun  4 11:12:43 2010 : Info: [tls] ACK handshake is finished
Fri Jun  4 11:12:43 2010 : Info: [tls] eaptls_verify returned 3
Fri Jun  4 11:12:43 2010 : Info: [tls] eaptls_process returned 3
Fri Jun  4 11:12:43 2010 : Info: [tls] Adding user data to cached
   ^^
session
^^^

Fri Jun  4 11:12:43 2010 : Info: [tls] Saving response in the cache
Fri Jun  4 11:12:43 2010 : Info: [eap] Freeing handler
Fri Jun  4 11:12:43 2010 : Info: ++[eap] returns ok
Fri Jun  4 11:12:43 2010 : Auth: Login OK: [myu...@mydom] (from client
WAP610N port 0 cli 00-13-)


But the following fast-reauth doesn't work nevertheless:


Fri Jun  4 11:22:48 2010 : Info: [tls] Done initial handshake
Fri Jun  4 11:22:48 2010 : Info: [tls]  TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Jun  4 11:22:48 2010 : Info: [tls]  TLS 1.0 Handshake [length
0010], Finished
Fri Jun  4 11:22:48 2010 : Info: [tls] TLS_accept: SSLv3 read finished A
Fri Jun  4 11:22:48 2010 : Info: [tls] (other): SSL negotiation
finished successfully
Fri Jun  4 11:22:48 2010 : Debug: SSL Connection Established
Fri Jun  4 11:22:48 2010 : Debug: SSL Application Data
Fri Jun  4 11:22:48 2010 : Info: [tls] eaptls_process returned 3
Fri Jun  4 11:22:48 2010 : Info: [tls] Retrieved session data from
cached session
Fri Jun  4 11:22:48 2010 : Info: [tls] WARNING: No information in
^
cached session!
^^^

Fri Jun  4 11:22:48 2010 : Info: [eap] Freeing handler
Fri Jun  4 11:22:48 2010 : Info: ++[eap] returns reject
Fri Jun  4 11:22:48 2010 : Info: Failed to authenticate the user.
Fri Jun  4 11:22:48 2010 : Auth: Login incorrect: [myu...@mydom] (from
client WAP610N port 0 cli 00-13-)
Fri Jun  4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
Fri Jun  4 11:22:48 2010 : Info: +- entering group REJECT {...}
Fri Jun  4 11:22:48 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> myu...@mydom
Fri Jun  4 11:22:48 2010 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Fri Jun  4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jun  4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds


What does it mean: No information in cached session? Couldn't the key be
found (what's the key? The username myuser or myu...@mydom or
something else - do I have the chance to debug it?) or was the key
found, but there was no data associated?



Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-04 Thread Andreas Hartmann
Bjørn Mork schrieb:
 Andreas Hartmann andihartm...@01019freenet.de writes:
 
 Fri Jun  4 11:22:48 2010 : Info: [tls] WARNING: No information in
  ^
 cached session!
 ^^^

 Fri Jun  4 11:22:48 2010 : Info: [eap] Freeing handler
 Fri Jun  4 11:22:48 2010 : Info: ++[eap] returns reject
 Fri Jun  4 11:22:48 2010 : Info: Failed to authenticate the user.
 Fri Jun  4 11:22:48 2010 : Auth: Login incorrect: [myu...@mydom] (from
 client WAP610N port 0 cli 00-13-)
 Fri Jun  4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
 Fri Jun  4 11:22:48 2010 : Info: +- entering group REJECT {...}
 Fri Jun  4 11:22:48 2010 : Info: [attr_filter.access_reject]expand:
 %{User-Name} -> myu...@mydom
 Fri Jun  4 11:22:48 2010 : Debug:  attr_filter: Matched entry DEFAULT at
 line 11
 Fri Jun  4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
 updated
 Fri Jun  4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds


 What does it mean: No information in cached session? Couldn't the key be
 found (what's the key? The username myuser or myu...@mydom or
 something else - do I have the chance to debug it?) or was the key
 found, but there was no data associated?
 
 I wondered about the same...  You can find the session store and
 retrieve code in src/modules/rlm_eap/libeap/eap_tls.c :
 
    } else if (!SSL_session_reused(tls_session->ssl)) {
        RDEBUG2("Saving response in the cache");

        vp = paircopy2(request->reply->vps, PW_USER_NAME);
        pairadd(&vps, vp);

        vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
        pairadd(&vps, vp);

        if (vps) {
            SSL_SESSION_set_ex_data(tls_session->ssl->session,
                                    eaptls_session_idx, vps);
        } else {
            RDEBUG2("WARNING: No information to cache: session "
                    "caching will be disabled for this session.");
            SSL_CTX_remove_session(tls_session->ctx,
                                   tls_session->ssl->session);
        }

        /*
         *  Else the session WAS allowed.  Copy the cached
         *  reply.
         */

    } else {

        vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
                                     eaptls_session_idx);
        if (!vp) {
            RDEBUG("WARNING: No information in cached session!");
            return eaptls_fail(handler, peap_flag);
        } else {
            RDEBUG("Adding cached attributes to the reply:");
            debug_pair_list(vp);
            pairadd(&request->reply->vps, paircopy(vp));

            /*
             *  Mark the request as resumed.
             */
            vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
            if (vp) pairadd(&request->packet->vps, vp);
        }
    }
 
 
 So I guess the warning means that either SSL_SESSION_set_ex_data() or
 SSL_SESSION_get_ex_data() failed.  A useful change would be testing the
 return value of SSL_SESSION_set_ex_data() and print a warning if it
 fails, possibly using ERR_get_error() and ERR_error_string() or similar
 to get the actual error.  The latter would also be useful in the
 SSL_SESSION_get_ex_data() failure case

Debugging of SSL_SESSION_set_ex_data()

The return code of the function is 1 (I don't know if it should be 0 - but
it could be correct too, if it means that one pair has been stored).

vps, which SSL_SESSION_set_ex_data() is given as argument, consists of
one NULL element.

request->packet->vps->name gives User-Name, request->reply->vps is null
(should be PW_USER_NAME). But there can't be any password, because there
exists no password, because the authentication is done exclusively with
keys.
Could this problem be solved by a configuration entry or must it be
hacked? Is it possible to give wpa_supplicant a dummy password?



Debugging of SSL_SESSION_get_ex_data()

At resuming, the index is 2 (eaptls_session_idx). This would be ok. It seems
that the return code 1 from SSL_SESSION_set_ex_data() means that nothing
has been saved.


I would be happy to get some more hints :-).


Kind regards,
Andreas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
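The store and resume branches quoted above, and the missing session id that the 2010-06-07 fix (SSL_OP_NO_TICKET) turned out to be the cause of, can be modelled without OpenSSL. The following is an added example, not code from FreeRADIUS or OpenSSL; the names cached_session, cache_store, cache_lookup and resume_session and the sample session ids are invented for it. It reproduces the two warnings from the thread as distinct outcomes and adds the check the discussion implies: a session for which the server issued no id (the stateless ticket case) is never cached, because an empty id cannot distinguish users authenticating in parallel.

```c
/*
 * Added example, not FreeRADIUS or OpenSSL code: a small model of the
 * EAP-TLS session cache discussed in this thread.  All names here are
 * invented for the example.
 *
 *  - store branch: cache nothing when the reply carries no User-Name
 *    ("No information to cache"), and nothing when the server issued no
 *    session id (stateless resumption, disabled by SSL_OP_NO_TICKET);
 *  - resume branch: reject when the lookup finds nothing
 *    ("No information in cached session").
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS   8
#define SESSION_ID_LEN 32
#define USER_NAME_LEN  64

struct cached_session {
    unsigned char id[SESSION_ID_LEN];
    size_t id_len;                 /* 0 means the server issued no session id */
    char user_name[USER_NAME_LEN]; /* the attribute stored with the session */
    int in_use;
};

static struct cached_session cache[MAX_SESSIONS];

enum cache_result {
    CACHE_SAVED = 0,
    CACHE_NO_ID,    /* refused: empty session id, cannot tell users apart */
    CACHE_NO_INFO,  /* refused: nothing useful to cache (no User-Name) */
    CACHE_FULL
};

/* Constructed sample data (hypothetical ids, not from the thread's logs). */
static const unsigned char demo_sid[]   = { 0xbc, 0x40, 0xeb, 0xed };
static const unsigned char demo_other[] = { 0x76, 0x43, 0x10, 0x59 };
static char demo_reply[USER_NAME_LEN];

/* Forget every cached session. */
void cache_reset(void)
{
    memset(cache, 0, sizeof cache);
}

/* Store branch: called after a full, successful handshake. */
enum cache_result cache_store(const unsigned char *id, size_t id_len,
                              const char *reply_user_name)
{
    if (id == NULL || id_len == 0 || id_len > SESSION_ID_LEN) return CACHE_NO_ID;
    if (reply_user_name == NULL || reply_user_name[0] == '\0') return CACHE_NO_INFO;

    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (cache[i].in_use) continue;
        memcpy(cache[i].id, id, id_len);
        cache[i].id_len = id_len;
        snprintf(cache[i].user_name, sizeof cache[i].user_name, "%s", reply_user_name);
        cache[i].in_use = 1;
        return CACHE_SAVED;
    }
    return CACHE_FULL;
}

/* Exact-match lookup by session id; NULL when nothing was cached for it. */
const char *cache_lookup(const unsigned char *id, size_t id_len)
{
    if (id == NULL || id_len == 0) return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (cache[i].in_use && cache[i].id_len == id_len &&
            memcmp(cache[i].id, id, id_len) == 0)
            return cache[i].user_name;
    }
    return NULL;
}

/* Resume branch: returns 1 and copies the cached User-Name into the reply,
 * or 0 to reject (the equivalent of eaptls_fail in the quoted code). */
int resume_session(const unsigned char *id, size_t id_len,
                   char *reply_user_name, size_t reply_len)
{
    const char *cached = cache_lookup(id, id_len);
    if (cached == NULL) {
        fprintf(stderr, "WARNING: No information in cached session!\n");
        return 0;
    }
    snprintf(reply_user_name, reply_len, "%s", cached);
    return 1;
}

int main(void)
{
    cache_reset();
    printf("empty id  -> %d\n", cache_store(NULL, 0, "myuser@mydom"));
    printf("no user   -> %d\n", cache_store(demo_sid, sizeof demo_sid, ""));
    printf("stored    -> %d\n", cache_store(demo_sid, sizeof demo_sid, "myuser@mydom"));
    printf("resumed   -> %d (%s)\n",
           resume_session(demo_sid, sizeof demo_sid, demo_reply, sizeof demo_reply),
           demo_reply);
    printf("unknown   -> %d\n",
           resume_session(demo_other, sizeof demo_other, demo_reply, sizeof demo_reply));
    return 0;
}
```

The first two calls in main reproduce the two failure modes the thread hit in order: with no server-side session id nothing can be cached, and with no User-Name in the reply there is nothing worth caching; either way the later resume is rejected rather than silently accepted, which is the behaviour Alan describes as the safe default.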

Re: reauth-problem with WPA2-tls

2010-06-04 Thread Andreas Hartmann
Andreas Hartmann schrieb:
 Bjørn Mork schrieb:
 Andreas Hartmann andihartm...@01019freenet.de writes:

 Fri Jun  4 11:22:48 2010 : Info: [tls] WARNING: No information in
 ^
 cached session!
 ^^^

 Fri Jun  4 11:22:48 2010 : Info: [eap] Freeing handler
 Fri Jun  4 11:22:48 2010 : Info: ++[eap] returns reject
 Fri Jun  4 11:22:48 2010 : Info: Failed to authenticate the user.
 Fri Jun  4 11:22:48 2010 : Auth: Login incorrect: [myu...@mydom] (from
 client WAP610N port 0 cli 00-13-)
 Fri Jun  4 11:22:48 2010 : Info: Using Post-Auth-Type Reject
 Fri Jun  4 11:22:48 2010 : Info: +- entering group REJECT {...}
 Fri Jun  4 11:22:48 2010 : Info: [attr_filter.access_reject]expand:
 %{User-Name} -> myu...@mydom
 Fri Jun  4 11:22:48 2010 : Debug:  attr_filter: Matched entry DEFAULT at
 line 11
 Fri Jun  4 11:22:48 2010 : Info: ++[attr_filter.access_reject] returns
 updated
 Fri Jun  4 11:22:48 2010 : Info: Delaying reject of request 11 for 1 seconds


 What does it mean: No information in cached session? Couldn't the key be
 found (what's the key? The username myuser or myu...@mydom or
 something else - do I have the chance to debug it?) or was the key
 found, but there was no data associated?

 I wondered about the same...  You can find the session store and
 retrieve code in src/modules/rlm_eap/libeap/eap_tls.c :

    } else if (!SSL_session_reused(tls_session->ssl)) {
        RDEBUG2("Saving response in the cache");

        vp = paircopy2(request->reply->vps, PW_USER_NAME);
        pairadd(&vps, vp);

        vp = paircopy2(request->packet->vps, PW_STRIPPED_USER_NAME);
        pairadd(&vps, vp);

        if (vps) {
            SSL_SESSION_set_ex_data(tls_session->ssl->session,
                                    eaptls_session_idx, vps);
        } else {
            RDEBUG2("WARNING: No information to cache: session "
                    "caching will be disabled for this session.");
            SSL_CTX_remove_session(tls_session->ctx,
                                   tls_session->ssl->session);
        }

        /*
         *  Else the session WAS allowed.  Copy the cached
         *  reply.
         */

    } else {

        vp = SSL_SESSION_get_ex_data(tls_session->ssl->session,
                                     eaptls_session_idx);
        if (!vp) {
            RDEBUG("WARNING: No information in cached session!");
            return eaptls_fail(handler, peap_flag);
        } else {
            RDEBUG("Adding cached attributes to the reply:");
            debug_pair_list(vp);
            pairadd(&request->reply->vps, paircopy(vp));

            /*
             *  Mark the request as resumed.
             */
            vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
            if (vp) pairadd(&request->packet->vps, vp);
        }
    }


 So I guess the warning means that either SSL_SESSION_set_ex_data() or
 SSL_SESSION_get_ex_data() failed.  A useful change would be testing the
 return value of SSL_SESSION_set_ex_data() and print a warning if it
 fails, possibly using ERR_get_error() and ERR_error_string() or similar
 to get the actual error.  The latter would also be useful in the
 SSL_SESSION_get_ex_data() failure case
 
 Debugging of SSL_SESSION_set_ex_data()
 
 The return code of the function is 1 (I don't know if it should be 0 - but
 it could be correct too, if it means that one pair has been stored).
 
 vps, which SSL_SESSION_set_ex_data() is given as argument, consists of
 one NULL element.
 
 request->packet->vps->name gives User-Name, request->reply->vps is null
 (should be PW_USER_NAME). But there can't be any password, because there
 exists no password, because the authentication is done exclusively with
 keys.
 Could this problem be solved by a configuration entry or must it be
 hacked? Is it possible to give wpa_supplicant a dummy password?

Well,
SSL_SESSION_set_ex_data-Error: error::lib(0):func(0):reason(0) -
SSL couldn't find an error.

 
 Debugging of SSL_SESSION_get_ex_data()
 
 At resuming, the index is 2 (eaptls_session_idx). This would be ok. It seems
 that the return code 1 from SSL_SESSION_set_ex_data() means that nothing
 has been saved.

But: no error has been detected:
SSL_SESSION_get_ex_data-Error: error::lib(0):func(0):reason(0)


Now, I looked at the SSL-session_id.

tls_session->ssl->session->session_id is empty when the data is saved to
the session.

At the time the data is fetched from the session during reauth, the
session_id is not empty (means: there is another id).

I tested unloading the data right after it had been saved - there was no
problem! The data could be retrieved again.

Could there be a problem

Re: reauth-problem with WPA2-tls

2010-06-04 Thread Andreas Hartmann
));

            /*
             *  Mark the request as resumed.
             */
            vp = pairmake("EAP-Session-Resumed", "1", T_OP_SET);
            if (vp) pairadd(&request->packet->vps, vp);
        }
    }
---


That's what is sent to the client after this process:

Sending Access-Accept of id 52 to 192.168.1.9 port 2048
MS-MPPE-Recv-Key = 
0x
MS-MPPE-Send-Key = 
0x
EAP-Message = 0x03020004
Message-Authenticator = 0x
User-Name = myu...@mydom.it


Kind regards,
Andreas Hartmann
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-03 Thread Andreas Hartmann
Alexander Clouter schrieb:
 Bjørn Mork bj...@mork.no wrote:
 Andreas Hartmann andihartm...@01019freenet.de writes:

 Yes, you're right - I meant option eap -> tls -> cache -> enable is
 switched _on_ and fast_reauth is on too on the supplicant. My wrong :-(.

 You can see it at this log entry at the initial login:
 Wed Jun  2 20:29:14 2010 : Info: [tls] Adding user data to cached session
 Wed Jun  2 20:29:14 2010 : Info: [tls] Saving response in the cache
 Wed Jun  2 20:29:14 2010 : Info: [tls] WARNING: No information to cache:
 session caching will be disabled for this session.

 And then the reauth:

 Wed Jun  2 20:39:18 2010 : Info: [tls] Retrieved session data from
 cached session
 Wed Jun  2 20:39:18 2010 : Info: [tls] WARNING: No information in cached
 session!

 FWIW I've seen exactly the same with FR 2.1.8.  Ended up disabling
 caching.  But I would like to know the cause of this No information to
 cache warning.  The resulting failure to retrieve cached data is of
 course to be expected, but the warning itself doesn't make any sense to
 me.  There must be information to cache since the authentication is
 sucessful. 

 The 'No information to cache' means you do not have anything useful 
 (for example 'User-Name') in the reply packet.
 
 In the post-auth of my inner-eap virtual server I have added:
 
 post-auth {
   ...
   # needed for TTLS cache
   update reply {
 User-Name := %{request:User-Name}
   }
   ...
 }
 

Ok, I'm using exclusively certificates for authorization. Therefore, I
don't have any inner-eap, if I got it right.

I have one basic question:
There are now two different caches: one in eap (based on ssl) and the
extern cache, rlm_caching.

If I want to use fast_reauth, is it necessary to enable both caches or
must the ssl-cache in eap.conf be disabled to run fast_reauth
successfully with rlm_caching?

Meanwhile, I have a configuration, which does a User-Name-based
rlm_caching at the end of the last fragment of the initial
authentication with an originally empty database.


The entry is the following in /etc/raddb/modules/caching

caching {
filename = ${db_dir}/db.cache
cache-ttl = 1d
hit-ratio = 1000
key = %{User-Name}
# post-auth = %{User-Name}
cache-size = 20
# cache-rejects = yes
}

I'm not sure, if User-Name is the best key for this purpose.


In /etc/raddb/sites-enabled/defaults, caching has the following entries:

authorize {
caching {
ok = return
}

}


post-auth {


caching
if (updated) {
update reply {
User-Name := %{User-Name}
}
}
}


With this config, the key is written to the caching database at the end
of the initial login.


But the problem is:

If the user reconnects or wants to connect initial again, the process is
stopped (with success returned) at the moment, the client sends the
User-Name.
This is wrong. The process can't be interrupted before the key exchange
has been done successfully.
How can this be written in the config-file (authorize-section)?


Kind regards,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


reauth-problem with WPA2-tls

2010-06-02 Thread Andreas Hartmann
 in SSLv3 read
client hello C
Wed Jun  2 21:04:16 2010 : Error: rlm_eap: SSL error error:140D9115:SSL
routines:SSL_GET_PREV_SESSION:session id context uninitialized
Wed Jun  2 21:04:16 2010 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Wed Jun  2 21:04:16 2010 : Debug: TLS receive handshake failed during
operation


If fast_reauth in wpa_supplicant is disabled, the reauthentication works
fine, but the connection between the AP and the supplicant is
interrupted for about 20 seconds - much too long :-).


Do you have any idea how to solve this problem?


Thanks for your help,
Andreas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-02 Thread Andreas Hartmann
Alan DeKok schrieb:
 Andreas Hartmann wrote:
 In eap.conf, the option eap -> tls -> cache -> enable is switched off
 and fast_reauth in wpa_supplicant is enabled.
 
   Uh... that makes no sense.

Yes, you're right - I meant option eap -> tls -> cache -> enable is
switched _on_ and fast_reauth is on too on the supplicant. My wrong :-(.

You can see it at this log entry at the initial login:
Wed Jun  2 20:29:14 2010 : Info: [tls] Adding user data to cached session
Wed Jun  2 20:29:14 2010 : Info: [tls] Saving response in the cache
Wed Jun  2 20:29:14 2010 : Info: [tls] WARNING: No information to cache:
session caching will be disabled for this session.

And then the reauth:

Wed Jun  2 20:39:18 2010 : Info: [tls] Retrieved session data from
cached session
Wed Jun  2 20:39:18 2010 : Info: [tls] WARNING: No information in cached
session!
Wed Jun  2 20:39:18 2010 : Info: [eap] Freeing handler
Wed Jun  2 20:39:18 2010 : Info: ++[eap] returns reject
Wed Jun  2 20:39:18 2010 : Info: Failed to authenticate the user.
Wed Jun  2 20:39:18 2010 : Auth: Login incorrect: [myu...@mydom] (from
client WAP610N port 0 cli 00-13-...)
Wed Jun  2 20:39:18 2010 : Info: Using Post-Auth-Type Reject
Wed Jun  2 20:39:18 2010 : Info: +- entering group REJECT {...}
Wed Jun  2 20:39:18 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> myu...@mydom
Wed Jun  2 20:39:18 2010 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Wed Jun  2 20:39:18 2010 : Info: ++[attr_filter.access_reject] returns
updated
Wed Jun  2 20:39:18 2010 : Info: Delaying reject of request 13 for 1 seconds
Wed Jun  2 20:39:18 2010 : Debug: Going to the next request
Wed Jun  2 20:39:18 2010 : Debug: Waking up in 0.9 seconds.
Wed Jun  2 20:39:19 2010 : Info: Sending delayed reject for request 13
Sending Access-Reject of id 55 to 192.168.1.9 port 2048
EAP-Message = 0x040c0004
Message-Authenticator = 0x


It's strange that the supplicant couldn't be authorized but the AP
doesn't lock the connection anyway :-). I would have expected that the
connection would have been locked afterwards. Instead, the supplicant
reauths from now on every minute, using this broken fast reauth.

If I do a full reauthentication, the authentication succeeds, but I'm
getting locked anywhere - that makes no sense to me.

 If fast_reauth in wpa_supplicant is disabled, the reauthentication 
works fine, but the connection between the AP and the supplicant is
 interrupted for about 20 seconds - much too long :-).


 Do you have any idea how to solve this problem?

   Find out why the supplicant is taking 20s for authentication.

How much time should be ok for the full reauthentication?

I traced the authentication and could see, that the part with the
radiusserver takes less than a second. Most of the time is needed until
the AP sends the new keys for the encryption of the session.
Ok, sometimes it's a little bit faster (9 seconds).


Thanks for your help,
Andreas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: reauth-problem with WPA2-tls

2010-06-02 Thread Andreas Hartmann
David Mitchell schrieb:
 Alan DeKok wrote:
 Andreas Hartmann wrote:
 In eap.conf, the option eap -> tls -> cache -> enable is switched off
 and fast_reauth in wpa_supplicant is enabled.

   Uh... that makes no sense.

   You've disabled caching (i.e fast re-auth) on the server, and enabled
 it on the client.  Why are you surprised that fast re-auth isn't working?
 
 I've seen similar problems between FreeRadius and wpa_supplicant both
 with and without the cache enabled. Getting wpa_supplicant to restart
 seems to clear it temporarily.

Well, I took your realization to implement the following workaround:

Caching is enabled in freeradius, fast_reauth is switched on in
wpa_supplicant.

I set the reauth-timeout of the AP to 2 hours. On the supplicant, I
started a cronjob which HUPs the supplicant every 59 minutes. That's
the way the supplicant is prevented from doing a fast reauth (which
doesn't really work). A full reauth isn't necessary either, because of the
SIGHUP every 59 minutes, which is done like this:

rad_recv: Accounting-Request packet from host 192.168.1.9 port 2049,
id=112, length=177
Acct-Session-Id = 001B-0007
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = myu...@mydom
NAS-Port = 0
Called-Station-Id = 00-25-...:mylan
Calling-Station-Id = 00-13-...
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
Acct-Session-Time = 358
Event-Timestamp = Jan  1 1970 02:26:18 CET
Acct-Terminate-Cause = User-Request
Thu Jun  3 05:41:43 2010 : Info: +- entering group preacct {...}
Thu Jun  3 05:41:43 2010 : Info: ++[preprocess] returns ok
Thu Jun  3 05:41:43 2010 : Info: [acct_unique] Hashing 'NAS-Port =
0,Client-IP-Address = 192.168.1.9,NAS-IP-Address =
192.168.1.9,Acct-Session-Id = 001B-0007,User-Name =
myu...@mydom'
Thu Jun  3 05:41:43 2010 : Info: [acct_unique] Acct-Unique-Session-ID =
aba6339d45d8fab1.
Thu Jun  3 05:41:43 2010 : Info: ++[acct_unique] returns ok
Thu Jun  3 05:41:43 2010 : Info: [suffix] Looking up realm mydom for
User-Name = myu...@mydom
Thu Jun  3 05:41:43 2010 : Info: [suffix] No such realm mydom
Thu Jun  3 05:41:43 2010 : Info: ++[suffix] returns noop
Thu Jun  3 05:41:43 2010 : Info: ++[files] returns noop
Thu Jun  3 05:41:43 2010 : Info: +- entering group accounting {...}
Thu Jun  3 05:41:43 2010 : Info: [detail]   expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/192.168.1.9/detail-20100603
Thu Jun  3 05:41:43 2010 : Info: [detail]
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/radius/radacct/192.168.1.9/detail-20100603
Thu Jun  3 05:41:43 2010 : Info: [detail]   expand: %t -> Thu Jun  3
05:41:43 2010
Thu Jun  3 05:41:43 2010 : Info: ++[detail] returns ok
Thu Jun  3 05:41:43 2010 : Info: ++[unix] returns ok
Thu Jun  3 05:41:43 2010 : Info: [radutmp]  expand:
/var/log/radius/radutmp -> /var/log/radius/radutmp
Thu Jun  3 05:41:43 2010 : Info: [radutmp]  expand: %{User-Name} ->
myu...@mydom
Thu Jun  3 05:41:43 2010 : Info: ++[radutmp] returns ok
Thu Jun  3 05:41:43 2010 : Info: [attr_filter.accounting_response]
expand: %{User-Name} -> myu...@mydom
Thu Jun  3 05:41:43 2010 : Debug:  attr_filter: Matched entry DEFAULT at
line 12
Thu Jun  3 05:41:43 2010 : Info: ++[attr_filter.accounting_response]
returns updated
Sending Accounting-Response of id 112 to 192.168.1.9 port 2049
Thu Jun  3 05:41:43 2010 : Info: Finished request 111.
Thu Jun  3 05:41:43 2010 : Info: Cleaning up request 111 ID 112 with
timestamp +5054
Thu Jun  3 05:41:43 2010 : Debug: Going to the next request
Thu Jun  3 05:41:43 2010 : Info: Ready to process requests.

rad_recv: Accounting-Request packet from host 192.168.1.9 port 2049,
id=113, length=159
Acct-Session-Id = 001B-0008
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = myu...@mydom
NAS-Port = 0
Called-Station-Id = 00-25-...:mylan
Calling-Station-Id = 00-13-...
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
Thu Jun  3 05:41:44 2010 : Info: +- entering group preacct {...}
Thu Jun  3 05:41:44 2010 : Info: ++[preprocess] returns ok
Thu Jun  3 05:41:44 2010 : Info: [acct_unique] Hashing 'NAS-Port =
0,Client-IP-Address = 192.168.1.9,NAS-IP-Address =
192.168.1.9,Acct-Session-Id = 001B-0008,User-Name =
myu...@mydom'
Thu Jun  3 05:41:44 2010 : Info: [acct_unique] Acct-Unique-Session-ID =
efac47a366ac188f.
Thu Jun  3 05:41:44 2010 : Info: ++[acct_unique] returns ok
Thu Jun  3 05:41:44 2010 : Info: [suffix] Looking up realm mydom for
User-Name = myu...@mydom
Thu Jun  3 05:41:44 2010 : Info: [suffix] No such realm mydom
Thu Jun  3 05:41:44 2010 : Info: ++[suffix] returns noop
Thu Jun  3 05:41:44 2010 : Info: ++[files] returns noop
Thu Jun  3 05:41:44 2010 : Info: +- entering group accounting {...}
Thu Jun  3 05:41:44 2010 : Info: [detail

Re: reauth-problem with WPA2-tls

2010-06-02 Thread Andreas Hartmann
Andreas Hartmann wrote:
 David Mitchell wrote:
 Alan DeKok wrote:
 Andreas Hartmann wrote:
 In eap.conf, the option eap -> tls -> cache -> enable is switched off
 and fast_reauth in wpa_supplicant is enabled.

   Uh... that makes no sense.

   You've disabled caching (i.e fast re-auth) on the server, and enabled
 it on the client.  Why are you surprised that fast re-auth isn't working?

 I've seen similar problems between FreeRadius and wpa_supplicant both
 with and without the cache enabled. Getting wpa_supplicant to restart
 seems to clear it temporarily.
 
 Well, I took your realization to implement the following workaround:
 
 Caching is enabled in freeradius, fast_reauth is switched on in
 wpa_supplicant.
 
 I set the reauth-timeout of the AP to 2 hours. On the supplicant, I
 started a cronjob, which HUP's the supplicant each 59 minutes. That's
 the way how the supplicant is prevented to do a fast reauth (which
 doesn't really work). A full reauth isn't necessary too, because of the
 sig hup all 59 minutes, which is done like this:
 
 rad_recv: Accounting-Request packet from host 192.168.1.9 port 2049,
 id=112, length=177
 Acct-Session-Id = 001B-0007
 Acct-Status-Type = Stop
 Acct-Authentic = RADIUS
 User-Name = myu...@mydom
 NAS-Port = 0
 Called-Station-Id = 00-25-...:mylan
 Calling-Station-Id = 00-13-...
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 11Mbps 802.11b
 Acct-Session-Time = 358
 Event-Timestamp = Jan  1 1970 02:26:18 CET
 

Hmmm, where does this funny Event-Timestamp come from? All the times of
client and server are OK. Otherwise, I can't find any way to set the
time at the AP (Linksys WAP610N). Is there any way?

clueless ...


Kind regards,
Andreas
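Alan's reply quoted in this thread is the whole diagnosis: a resumed ("fast") reauthentication only works when the server keeps a TLS session cache and the supplicant asks to resume. As an added example, not taken from the thread or from either project's own documentation, these are the two settings that have to agree, in the FreeRADIUS 2.x eap.conf syntax and in the wpa_supplicant.conf global section. The 24-hour lifetime is an illustrative value; the point is that it must outlast the AP's reauthentication period (2 hours in the workaround above), or the cache entry is gone before the AP asks and every reauthentication becomes a full handshake.

```text
# eap.conf (FreeRADIUS 2.x), inside eap { tls { ... } }:
# the session cache is what makes a resumed reauthentication possible.
cache {
    enable = yes
    lifetime = 24        # hours; keep this longer than the AP's reauthentication period
    max_entries = 255
}

# wpa_supplicant.conf, global section: request resumption only when the
# server side above is enabled; with enable = no, set this to 0 instead.
fast_reauth=1
```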


Server Certs with XP extensions

2009-09-22 Thread Andreas M.
Hello,
I have a working WLAN environment with WPA/PEAP MSCHAPv2 and self-signed
certificates with XP server extensions included.

Now we received a certificate from Thawte and I want to use it as server
certificate for the RADIUS server, but there are no XP extensions in there,
because with self-signed it is working but not with the Thawte cert.

Does anyone know how to include the XP extensions into the Thawte certificate?

best regards,
Andreas M.


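The "XP extensions" in FreeRADIUS's raddb/certs/xpextensions are an extendedKeyUsage extension: 1.3.6.1.5.5.7.3.1 (serverAuth) under [xpserver_ext] and 1.3.6.1.5.5.7.3.2 (clientAuth) under [xpclient_ext]. The Windows supplicant refuses a PEAP/EAP-TLS server certificate whose EKU does not contain serverAuth. An extension cannot be added to a certificate a CA has already signed, because the signature covers it, so the only fix for the Thawte certificate is to check whether it already carries serverAuth (commercial TLS server certificates normally do) and, if not, have it reissued with that EKU. The Python script below is an added example, not from the post or from FreeRADIUS: it shells out to the openssl CLI (assumed to be 1.1.1 or newer, for "req -addext") to mint one throwaway certificate without and one with the EKU, and shows what to test for on a real certificate. The subject name, the temporary paths and the function names are illustrative.

```python
"""Check a PEM certificate for the serverAuth EKU that Windows supplicants require.

Added example, not code from the list post or from FreeRADIUS. The EKU that
raddb/certs/xpextensions adds under [xpserver_ext] is 1.3.6.1.5.5.7.3.1,
which openssl renders as "TLS Web Server Authentication". The openssl CLI
(assumed 1.1.1+ for "req -addext") generates throwaway self-signed
certificates so the script runs offline; names and paths are illustrative.
"""
import os
import subprocess
import tempfile

SERVER_AUTH = "TLS Web Server Authentication"   # openssl -text rendering of 1.3.6.1.5.5.7.3.1


def make_self_signed(directory, name, with_server_auth):
    """Write key + self-signed cert; optionally add the EKU that xpserver_ext adds."""
    cert = os.path.join(directory, name + ".pem")
    key = os.path.join(directory, name + ".key")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-subj", "/CN=radius.example.org", "-keyout", key, "-out", cert]
    if with_server_auth:
        cmd += ["-addext", "extendedKeyUsage=serverAuth"]
    subprocess.run(cmd, check=True, capture_output=True)
    return cert


def extended_key_usage(cert_path):
    """Purposes listed in the certificate's EKU extension ([] if it has none)."""
    text = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # openssl prints the purposes on the line after the extension header
        if "X509v3 Extended Key Usage" in line and i + 1 < len(lines):
            return [p.strip() for p in lines[i + 1].split(",")]
    return []


def usable_as_eap_server_cert(cert_path):
    """True when the certificate carries the serverAuth EKU Windows insists on."""
    return SERVER_AUTH in extended_key_usage(cert_path)


def check_both(directory=None):
    """Mint one cert without and one with the EKU; return {name: verdict}."""
    directory = directory or tempfile.mkdtemp(prefix="eku-")
    return {name: usable_as_eap_server_cert(make_self_signed(directory, name, eku))
            for name, eku in (("plain", False), ("xp", True))}


if __name__ == "__main__":
    for name, ok in check_both().items():
        verdict = "serverAuth EKU present" if ok else "no serverAuth EKU, Windows will reject it"
        print(f"{name}.pem: {verdict}")
```

To test the Thawte certificate itself, call usable_as_eap_server_cert() on its PEM file; a False there means a reissue request, not a local edit. The same check applied to the CA-signed certificates that the raddb/certs Makefile produces should return True.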


users authentication problem

2009-05-12 Thread Andreas Bourges

Hi,

...we recently upgraded from freeradius 0.9 to freeradius 2.1.4. Unfortunately
local users cannot be authenticated anymore.
This morning I used the default configuration files from 2.1.4 and started
from scratch. My first objective was to get any valid response from
freeradiusd - but unluckily, without success.

In the users file, I enabled the following line:

lameuser    Auth-Type := Reject
            Reply-Message = "Your account has been disabled."


one entry in clients.conf for localhost testing:

client localhost {
ipaddr = 127.0.0.1
secret  = testing123
require_message_authenticator = no
nastype = other 
virtual_server = default
}



sites-enabled/default:


authorize {
chap
suffix
eap {
ok = return
}
files
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
eap
files
}


I think that must be the main configuration items for my very basic test. Then 
I run freeradiusd -X -xx and test the user via radclient:

echo "User-Name=lameuser, Password=bla, NAS-IP-Address=127.0.0.1" | radclient -r 1 -x -s 127.0.0.1 auth 'testing123'

results in:


Sending Access-Request of id 20 to 127.0.0.1 port 1812
User-Name = lameuser
Password = bla
NAS-IP-Address = 127.0.0.1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=20, length=20

   Total approved auths:  0
 Total denied auths:  1
   Total lost auths:  0


The radiusd logs the following:

Tue May 12 11:31:58 2009 : Debug: Listening on authentication address * port 
1812
Tue May 12 11:31:58 2009 : Debug: Listening on accounting address * port 1813
Tue May 12 11:31:58 2009 : Debug: Listening on command file 
/var/run/freeradius/run/radiusd/radiusd.sock
Tue May 12 11:31:58 2009 : Debug: Ready to process requests.


rad_recv: Access-Request packet from host 127.0.0.1 port 33013, id=5, 
length=54
User-Name = lameuser
User-Password = bla
NAS-IP-Address = 127.0.0.1
Tue May 12 11:32:04 2009 : Info: server default {
Tue May 12 11:32:04 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Tue May 12 11:32:04 2009 : Info: Failed to authenticate the user.
Tue May 12 11:32:04 2009 : Info: } # server default


- the user gets rejected, but not because of the Auth-Type := Reject setting
in the users file. This is the same behaviour we observe when configuring
real user accounts having a password associated, like the following:

testuser  Auth-Type := Local, Cleartext-Password == blabla

server log says:

Tue May 12 11:35:50 2009 : Info: server default {
Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Tue May 12 11:35:50 2009 : Info: Failed to authenticate the user.
Tue May 12 11:35:50 2009 : Info: } # server default


Thanks for any hints troubleshooting this!

Regards,

Andy






Re: users authentication problem

2009-05-12 Thread Andreas Bourges

Hi,

On Tuesday 12 May 2009 11:57:14 Alan DeKok wrote:
 Andreas Bourges wrote:
  - the user gets rejected, but not because of the Auth-Type := Reject
  setting in the users file. This is the same behaviour we observer when
  configuring real user accounts having a password associated, like the
  following:
 
  testuser  Auth-Type := Local, Cleartext-Password == blabla

   See the FAQ for the *CORRECT* configuration:

Jep, sorry - should have had a look there, first. But even the simplest 
example from the FAQ doesn't work:


bob Cleartext-Password := bob
Reply-Message = Hello, bob


rad_recv: Access-Request packet from host 127.0.0.1 port 33026, id=225, 
length=55
User-Name = bob
User-Password = bob
NAS-IP-Address = 10.0.0.206
NAS-Port = 0
Tue May 12 13:25:55 2009 : Info: server default {
Tue May 12 13:25:55 2009 : Info: No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user
Tue May 12 13:25:55 2009 : Info: Failed to authenticate the user.
Tue May 12 13:25:55 2009 : Info: } # server default



 testuser  Cleartext-Password := blabla

Thanks for the tip, but it didn't help, same msg from radiusd as before.

   Do NOT set Auth-Type.

I must be doing something very basic wrong, I guess. Could it be a build 
problem (compiled freeradius from source on my own). Where can I look further? 
thanks for any hint,

Andy




Re: users authentication problem

2009-05-12 Thread Andreas Bourges

Hi,

...I would have bet that I had done exactly these steps this morning. But 
nevertheless I tried it another time and - succeeded.

Thanks for pushing my nose on this again and again - it finally helped :) I 
will try to find the differences between the two versions...

thanks and regards,

Andy


On Tuesday 12 May 2009 13:37:07 Ivan Kalik wrote:
  sites-enabled/default:
 
 
  authorize {
  chap
  suffix
  eap {
  ok = return
  }
  files
  expiration
  logintime
  pap
  }

 ...

  Tue May 12 11:35:50 2009 : Info: server default {
  Tue May 12 11:35:50 2009 : Info: No authenticate method (Auth-Type)
  configuration found for the request: Rejecting the user

 I can't see any of the authorize modules being used. Why don't you first
 use the default configuration. Just add the user entry at the top of the
 users file.

 Ivan




Cisco NAS and 4GB Problem

2008-04-16 Thread Andreas M.

Hello,
I have some trouble with a Cisco NAS, a 4GB problem in the accounting
data.
First, I have gigawords enabled, also in the SQL queries, but this is not the
reason.

I have also enabled accounting for the upstream interface, but the error exists only for users that
are connected via virtual interfaces (PPTP dialup). Maybe this problem is not really RADIUS related,
but I hope to find an answer.


I included some log entries and config examples; maybe someone has
experience with these errors.

regards,
Andreas M.

Here is the last interim update:

Tue Apr 15 23:23:46 2008
Acct-Session-Id = 0006
Tunnel-Medium-Type:0 = IPv4
Tunnel-Assignment-Id:0 = 1
Tunnel-Server-Auth-Id:0 = A_Router
Acct-Tunnel-Connection = 40682
Framed-Protocol = PPP
Framed-IP-Address = 10.1.0.1
User-Name = 6543765
Acct-Session-Time = 28088
Acct-Input-Octets = 18615686
Acct-Output-Octets = 218389141
Acct-Input-Packets = 226199
Acct-Output-Packets = 305451
Acct-Authentic = RADIUS
Acct-Status-Type = Interim-Update
NAS-Port-Type = Virtual
NAS-Port = 3
NAS-Port-Id = Uniq-Sess-ID3
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.11
Acct-Delay-Time = 0
Client-IP-Address = 192.168.1.11
Acct-Unique-Session-Id = ba144af9c3c26fc1
Timestamp = 1208294626


Here is the last stop record from the nas:

Tue Apr 15 23:26:28 2008
Acct-Session-Id = 0006
Tunnel-Medium-Type:0 = IPv4
Tunnel-Assignment-Id:0 = 1
Tunnel-Server-Auth-Id:0 = A_Router
Acct-Tunnel-Connection = 40682
Framed-Protocol = PPP
Framed-IP-Address = 10.1.0.1
User-Name = 6543765
Acct-Authentic = RADIUS
Acct-Session-Time = 28250
Acct-Input-Octets = 4294967295
Acct-Output-Octets = 4294966951
Acct-Input-Packets = 0
Acct-Output-Packets = 4294967290
Acct-Terminate-Cause = NAS-Error
Acct-Status-Type = Stop
NAS-Port-Type = Virtual
NAS-Port = 3
NAS-Port-Id = Uniq-Sess-ID3
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.11
Acct-Delay-Time = 0
Client-IP-Address = 192.168.1.11
Acct-Unique-Session-Id = ba144af9c3c26fc1
Timestamp = 1208294788

Cisco config:

System image file is flash:c180x-advipservicesk9-mz.124-11.XW6.bin

A_Router#sh aaa attributes | inc giga
Type=118   Name=input-giga-words   Format=Ulong
Type=250   Name=output-giga-words  Format=Ulong

aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting nested
aaa accounting update periodic 3
aaa accounting network default start-stop group radius

interface Virtual-Template1
 ip unnumbered Loopback0
 ip nat inside
 no ip virtual-reassembly
 no logging event link-status
 no snmp trap link-status
 ppp encrypt mppe 128 required
 ppp authentication ms-chap ms-chap-v2

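The Stop record above (Acct-Input-Octets = 4294967295, Acct-Output-Octets just short of the 32-bit ceiling, Acct-Input-Packets back to 0 a few minutes after the Interim-Update, Acct-Terminate-Cause = NAS-Error) and the Event-Timestamp of 1 Jan 1970 in the WAP610N thread earlier on this page are both things an accounting consumer can catch mechanically instead of discovering in a bill. The Python script below is an added example, not code from either thread or from FreeRADIUS: it parses attribute dumps in the form radiusd -X prints, combines Acct-*-Octets with Acct-*-Gigawords into 64-bit totals, flags counters that saturate, run backwards or imply an impossible rate between two records of one session, and flags an Event-Timestamp that disagrees with the server's own log time. The sample records are constructed from the values quoted on the page; the 100 Mbit/s ceiling, the 4 KiB wrap margin and the 300 s skew tolerance are assumed thresholds, and the check_* names are mine.

```python
"""Plausibility checks for RADIUS accounting records.

Added example, not code from the list posts or from FreeRADIUS. Reads
"Name = value" attribute dumps as printed by radiusd -X and flags (a) an
Event-Timestamp far from the time the server logged the packet, which is
what a NAS with an unset clock produces, and (b) 32-bit octet counters that
saturate at 0xFFFFFFFF, run backwards or imply an impossible throughput.
Samples are constructed from values on the page; thresholds are assumptions.
"""
import re
from datetime import datetime

ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)(?::\d+)?\s*=\s*(.*?)\s*$")
NEAR_WRAP = 0xFFFFF000   # within 4 KiB of the 32-bit counter ceiling (assumed margin)


def parse_record(text):
    """Attribute dump -> dict; tag suffixes like 'Tunnel-Medium-Type:0' are dropped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def total_octets(attrs, direction):
    """64-bit byte count: Acct-*-Gigawords holds the high 32 bits (RFC 2869)."""
    low = int(attrs.get(f"Acct-{direction}-Octets", 0))
    high = int(attrs.get(f"Acct-{direction}-Gigawords", 0))
    return (high << 32) + low


def check_counters(prev, cur, max_bps=100_000_000):
    """Compare two records of one session (e.g. Interim-Update, then Stop)."""
    findings = []
    dt = int(cur.get("Acct-Session-Time", 0)) - int(prev.get("Acct-Session-Time", 0))
    for d in ("Input", "Output"):
        low = int(cur.get(f"Acct-{d}-Octets", 0))
        before, after = total_octets(prev, d), total_octets(cur, d)
        if low >= NEAR_WRAP:
            findings.append(f"{d} octets saturated at {low:#010x}")
        if after < before:
            findings.append(f"{d} octets went backwards: {before} -> {after}")
        elif dt > 0 and (after - before) * 8 > max_bps * dt:
            findings.append(f"{d} implies {(after - before) * 8 // dt} bit/s over {dt} s")
        pk_before = int(prev.get(f"Acct-{d}-Packets", 0))
        pk_after = int(cur.get(f"Acct-{d}-Packets", 0))
        if pk_after < pk_before:
            findings.append(f"{d} packets went backwards: {pk_before} -> {pk_after}")
    return findings


def timestamp_skew(attrs, logged_at):
    """Seconds by which the NAS's Event-Timestamp trails the server's log time.

    radiusd prints the attribute as e.g. 'Jan  1 1970 02:26:18 CET'; the zone
    name is dropped and both values are compared as naive local times.
    """
    raw = re.sub(r"\s+[A-Z]{3,5}$", "", attrs["Event-Timestamp"])
    event = datetime.strptime(raw, "%b %d %Y %H:%M:%S")
    return int((logged_at - event).total_seconds())


def check_timestamp(attrs, logged_at, max_skew=300):
    """Flag an Event-Timestamp more than max_skew seconds from the log time."""
    if "Event-Timestamp" not in attrs:
        return []
    skew = timestamp_skew(attrs, logged_at)
    if abs(skew) <= max_skew:
        return []
    return [f"Event-Timestamp off by {skew} s: NAS clock unset or unsynchronised"]


# Constructed from the Cisco Interim-Update / Stop pair quoted on the page.
INTERIM = """Acct-Session-Time = 28088
Acct-Input-Octets = 18615686
Acct-Output-Octets = 218389141
Acct-Input-Packets = 226199
Acct-Output-Packets = 305451
Acct-Status-Type = Interim-Update"""
STOP = """Acct-Session-Time = 28250
Acct-Input-Octets = 4294967295
Acct-Output-Octets = 4294966951
Acct-Input-Packets = 0
Acct-Output-Packets = 4294967290
Acct-Terminate-Cause = NAS-Error
Acct-Status-Type = Stop"""
# Constructed from the WAP610N Stop record and the radiusd log line quoted on the page.
AP_STOP = """Acct-Status-Type = Stop
Event-Timestamp = Jan  1 1970 02:26:18 CET"""
AP_LOGGED_AT = datetime.strptime("Thu Jun  3 05:41:43 2010", "%a %b %d %H:%M:%S %Y")


def run_all():
    """Run both checks over the constructed samples; returns {name: findings}."""
    return {"cisco": check_counters(parse_record(INTERIM), parse_record(STOP)),
            "ap": check_timestamp(parse_record(AP_STOP), AP_LOGGED_AT)}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, *(findings or ["no findings"]), sep="\n  ")
```

For production use, feed it consecutive records of one Acct-Session-Id from the detail file and set max_bps to the access technology's real ceiling. A saturated counter in a Stop with Acct-Terminate-Cause = NAS-Error is a NAS defect rather than usage, so one reasonable policy is to bill such a session from its last sane Interim-Update and alert on the Stop.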


Re: Cisco NAS and 4GB Problem

2008-04-16 Thread Andreas M.

Hello,
Yes, I rebooted the router; I was also not able to find similar problems on
Cisco pages.

Maybe it is easier to report this to Cisco; I thought someone had had the same trouble.

thanks so far.

r,
Andreas M.

Stefan Winter wrote:

I never saw the gigaword attributes; I think they are only sent when
necessary, or is this wrong?


I'm not sure. I think I saw them filled with 0 as appropriate. Did IOS tell 
you to reboot the NAS before the setting takes effect? Did you do that? 

If that doesn't help, read your NAS documentation. I'm not a Cisco employee 
and will not do their work.


Stefan







--
g,
Andreas M.


RE: Ascend-Data-Filter with srcip from ippool

2008-04-02 Thread Andreas Kalb (akalb)
Hello Alan,

as I see your result I understand unlang and its power better.
Thanks for your patience. All working perfectly well now.

Kind Regards,

Andreas 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Wednesday, 2 April 2008 08:19
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 Now I'm back to my original problem, where I wanted to use an 
 Ascend-filter with entries matching IP-address from pool. I still 
 don't know, how to change order of modules to make the IP-address 
 known to the files-module and would appreciate your guidance again.

  You don't have to.  You can add the ascend data filter via unlang,
in the post-auth section, right after the test_pool module is
called:

post-auth {
    ...
    test_pool
    if (ok) {
        update reply {
            ...
            Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"
            ...
        }
    }
}

  Again, this is documented.  See man unlang, and the examples.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-04-01 Thread Andreas Kalb (akalb)
Hello Alan,

I started from that by adding my own ippool to radiusd.conf after
main_pool (line 1800, ippool test_pool {...). I understood from your
reply, that I need to call it from sites-available/default and added
test_pool right after main_pool in sites-available/default (in
sections accounting and post-auth, as specified in radiusd.conf), but
when starting the deamon I got:

/usr/local/etc/raddb/radiusd.conf[1800]: Invalid version in module
'rlm_ippool'
/usr/local/etc/raddb/sites-enabled/default[308]: Failed to find module
test_pool.
/usr/local/etc/raddb/sites-enabled/default[285]: Errors parsing
accounting section.

That made me think I needed to move the pool there as well, sorry.
Kind Regards,

   Andreas

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Alan DeKok
Sent: Tuesday, 1 April 2008 07:46
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 I'm unfortunately still not getting it to work anymore after upgrade
to 2.0.3.
 
 I added the following to sites-available/default at top of document:
 
 server bb-10k {

  I'm not sure why.  As the documentation suggests, starting with the
default configuration is the best idea.

   accounting {
 ...
   post-auth {

  And no authorize or authenticate section.

   ippool test_pool {
 range-start = 172.16.100.1

  Module configurations belong in the modules section of radiusd.conf.
 They do NOT go in a server section.

 and then get:
 /usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module
test_pool.
 /usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing
accounting section. 
 
 So now I wonder how to specify the ippool section there.

  You don't.

  Again, start with the default configuration.  Add ONE module:
test_pool.  Configure it, and get it to assign IP addresses.  Then, once
that works, configure the ascend filter attributes AFTER the test_pool
module has been run in the post-auth section.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-04-01 Thread Andreas Kalb (akalb)
Hello again,

based on the last experience of having different servers existing, I built
the system from scratch and stayed as close as possible to the defaults.

All is working well concerning the ip-pool. It was the duplicated
server, Alan pointed out.

Now I'm back to my original problem, where I wanted to use an
Ascend-filter with entries matching IP-address from pool. I still don't
know how to change the order of modules to make the IP-address known to the
files-module and would appreciate your guidance again.

Kind Regards,

Andreas

users:
DEFAULT User-Name := test_..., Pool-Name := test_pool, Cleartext-Password := "cisco"
        Service-Type == Framed-User,
        Framed-Protocol = PPP,
        Session-Timeout = 65000,
        Idle-Timeout = 3600,
        Ascend-Maximum-Time = 64000,
        Ascend-Idle-Limit = 3600,
        Ascend-Data-Filter := "ip in forward srcip %{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32"

debugs:
...
++[unix] returns notfound
users: Matched entry DEFAULT at line 125
expand: ip in forward srcip %{reply:Framed-IP-Address}/32 dstip
1.1.1.2/32 -> ip in forward srcip /32 dstip 1.1.1.2/32
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type 
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password cisco
rlm_pap: Using clear text password cisco
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test_001/cisco] (from client bb-10k port 808583209)
+- entering group post-auth
expand: %{NAS-IP-Address} %{NAS-Port} -> 172.16.1.7 808583209
rlm_ippool: MD5 on 'key' directive maps to:
4c8d9b7e94410e9a58cd8ec24b47f8b1
rlm_ippool: Searching for an entry for key:
'4c8d9b7e94410e9a58cd8ec24b47f8b1'
rlm_ippool: Allocating ip to key: '4c8d9b7e94410e9a58cd8ec24b47f8b1'
rlm_ippool: num: 1
rlm_ippool: Allocated ip 172.16.100.69 to client key:
4c8d9b7e94410e9a58cd8ec24b47f8b1
++[test_pool] returns ok
Service-Type == Framed-User
Framed-Protocol = PPP
Session-Timeout = 65000
Idle-Timeout = 3600
Ascend-Maximum-Time = 64000
Ascend-Idle-Limit = 3600
Ascend-Data-Filter := ip in forward dstip 1.1.1.2/32 0
Framed-IP-Address = 172.16.100.69
Framed-IP-Netmask = 255.255.255.0
Finished request 1.



Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello,

I'm trying to use Ascend-data-filters together with IP-pool

DEFAULT Pool-Name := test_pool
        Fall-Through = Yes

DEFAULT User-Name := test_..., Cleartext-Password := "test"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Session-Timeout = 65000,
        Idle-Timeout = 3600,
        Ascend-Maximum-Time = 64000,
        Ascend-Idle-Limit = 3600,
        Ascend-Data-Filter := "ip in forward srcip %{Framed-IP-Address}/32 dstip 1.1.1.2/32"

The pool is working well, but the filter doesn't:

Login OK: [test_001/test] (from client bb-10k port 808583209)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
rlm_ippool: Searching for an entry for nas/port: 172.16.1.7/808583209
rlm_ippool: Found a stale entry for ip/port: 172.16.100.135/808583209
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 172.16.1.7/808583209
rlm_ippool: Allocating ip to nas/port: 172.16.1.7/808583209
rlm_ippool: num: 1
rlm_ippool: Allocated ip 172.16.103.107 to client on nas 172.16.1.7,port
808583209
  modcall[post-auth]: module test_pool returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 195 to 172.16.1.7 port 21646
Service-Type = Framed-User
Framed-Protocol = PPP
Session-Timeout = 65000
Idle-Timeout = 3600
Ascend-Maximum-Time = 64000
Ascend-Idle-Limit = 3600
Ascend-Data-Filter := ip in forward dstip 1.1.1.2/32 0
Framed-IP-Address = 172.16.103.107
Framed-IP-Netmask = 255.255.255.0

Looks like IP is taken from pool after users-file got processed. I
wouldn't know how to change that order or where to add the filter then.

Pls let me know whether this should work in some way and how to
configure it then?

Kind Regards,

Andreas



RE: Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello Alan,

pls see my response inline akalb. Thx for your quick feedback.

Kind Regards,

Andreas 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 I'm trying to use Ascend-data-filters together with IP-pool
...
 DEFAULT User-Name := test_..., Cleartext-Password := test
...
 Ascend-Data-Filter := ip in forward srcip
 %{Framed-IP-Address}/32 dstip 1.1.1.2/32
 
 The pool is working well, but the filter doesn't:

  Because there's no Framed-IP-Address attribute in the request.  Use 
%{reply:Framed-IP-Address}.  For version 1.x, this is documented in 
doc/variables.txt.

akalb Had a try with:
akalb 
akalb Ascend-Data-Filter := ip in forward srcip
%{reply:Framed-IP-Address}/32 dstip 1.1.1.2/32
akalb 
akalb also, no difference. I expect because of order of modules you mentioned 
later.

 Login OK: [test_001/test] (from client bb-10k port 808583209)
   Processing the post-auth section of radiusd.conf
 modcall: entering group post-auth for request 0
...
 rlm_ippool: Allocated ip 172.16.103.107 to client on nas 
 172.16.1.7,port
 808583209

  Which runs after the files module.  So the files module doesn't have 
access to the IP address.

akalb Not sure how to see/change this:
# Livingston-style 'users' file
files {
...
  ippool test_pool {
...
files
files
...

 Looks like IP is taken from pool after users-file got processed. I 
 wouldn't know how to change that order or where to add the filter then.

  Read the documentation and see the examples.  The modules are processed in 
the order that they are listed in radiusd.conf.

akalb I tried to look it up, but was unable so far, sorry. I need to mention 
that I'm new to FreeRadius at all, sorry.

 Pls let me know whether this should work in some way and how to 
 configure it then?

  It's pretty easy to do in 2.0.  See man unlang.

  I suggest you upgrade.  What you want to do will be a LOT easier in 2.0.

akalb I'll do right away.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello,

sorry for my ignorance, I'm still a novice on FreeRadius :-( After installing 
2.0.3 I'm even facing more trouble (most likely because parts of radiusd.conf 
are split now and I'm unsure how to get the ippool called).

Where was the related functionality moved to?

Kind Regards,

   Andreas

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 16:29
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 I'm trying to use Ascend-data-filters together with IP-pool
...
 DEFAULT User-Name := test_..., Cleartext-Password := test
...
 Ascend-Data-Filter := ip in forward srcip
 %{Framed-IP-Address}/32 dstip 1.1.1.2/32
 
 The pool is working well, but the filter doesn't:

  Because there's no Framed-IP-Address attribute in the request.  Use 
%{reply:Framed-IP-Address}.  For version 1.x, this is documented in 
doc/variables.txt.

 Login OK: [test_001/test] (from client bb-10k port 808583209)
   Processing the post-auth section of radiusd.conf
 modcall: entering group post-auth for request 0
...
 rlm_ippool: Allocated ip 172.16.103.107 to client on nas 
 172.16.1.7,port
 808583209

  Which runs after the files module.  So the files module doesn't have 
access to the IP address.

 Looks like IP is taken from pool after users-file got processed. I 
 wouldn't know how to change that order or where to add the filter then.

  Read the documentation and see the examples.  The modules are processed in 
the order that they are listed in radiusd.conf.

 Pls let me know whether this should work in some way and how to 
 configure it then?

  It's pretty easy to do in 2.0.  See man unlang.

  I suggest you upgrade.  What you want to do will be a LOT easier in 2.0.

  Alan DeKok.


RE: Ascend-Data-Filter with srcip from ippool

2008-03-31 Thread Andreas Kalb (akalb)
Hello,

I'm unfortunately still not getting it to work after the upgrade to 2.0.3.

I added the following to sites-available/default at top of document:

server bb-10k {
  client 172.16.1.6 {
...
...
  accounting {
detail
unix
radutmp
test_pool
  }
...
  post-auth {
   test_pool 
  } 
...
  ippool test_pool {
range-start = 172.16.100.1
range-stop = 172.16.103.254
...

and then get:
/usr/local/etc/raddb/sites-enabled/default[70]: Failed to find module 
test_pool.
/usr/local/etc/raddb/sites-enabled/default[66]: Errors parsing accounting 
section. 

So now I wonder how to specify the ippool section there.

Kind Regards,

Andreas


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, 31 March 2008 19:59
To: FreeRadius users mailing list
Subject: Re: Ascend-Data-Filter with srcip from ippool

Andreas Kalb (akalb) wrote:
 Hello,
 
 sorry for my ignorance, I'm still a novice on FreeRadius :-( After installing 
 2.0.3 I'm even facing more trouble (most likely because parts of radiusd.conf 
 are split now and I'm unsure how to get the ippool called).
 
 Where was the related functionality moved to?

  raddb/sites-available/default

  Alan DeKok.


Re: Problems with Prefix

2008-01-12 Thread Andreas Thienemann
On Sat, 12 Jan 2008, Alan DeKok wrote:

  The hints file contains the following lines, which seem to at least 
  somewhat work as the P is stripped and authentication succeeds.
 
   Note that this updates the *request*, not the *reply*.

Ahh. Okay. Thanks, this helps understanding the problem somewhat. And in 
fact, it seems to work after some major refactoring of the users file.

  userPassword == whatever
 
   Please use: Cleartext-Password := ...

About the := operator, is it only needed for Cleartext-Password? What 
about Crypt-Password? There it seems to work with == as well as with 
:=. 

 
regards,
 andreas


Problems with Prefix

2008-01-11 Thread Andreas Thienemann
Hi,

I'm trying to migrate our old livingston radius (from around '96) 
user-file to a newly installed freeradius 1.1.7 server.

Our general setup is that dialing in as user should rlogin the user to
a shell server. If the username is prefixed by a P, a PPP session should
be started.

Reading the docs, this setup should be pretty straight-forward, using the 
hints file. Unfortunately, it does not really work as expected.

The hints file contains the following lines, which seem to at least 
somewhat work as the P is stripped and authentication succeeds.

DEFAULT Prefix == "P", Strip-User-Name = Yes
        Hint = "PPP",
        Service-Type = Framed-User,
        Framed-Protocol = PPP

The users file has users configured with the following structure:

user    Password == "whatever"
        Service-Type = Login-User,
        Login-IP-Host = 192.168.1.1,
        Login-Service = Rlogin,
        Port-Limit = 2,
        Filter-Id = "dialin",
        Framed-IP-Address = 192.168.2.123

My understanding of the documentation
(http://freeradius.org/radiusd/man/users.html) is, that the Service-Type
should _not_ be set to Login-User when authenticating as Puser as it has
been previously set as configured in the hints file.

Unfortunately, this seems to be incorrect.
[EMAIL PROTECTED] raddb]# radtest Puser whatever localhost 0 testing123
Sending Access-Request of id 214 to 127.0.0.1 port 1812
User-Name = Puser
User-Password = whatever
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=214, length=59
Service-Type = Login-User
Login-IP-Host = 192.168.1.1
Login-Service = Rlogin
Port-Limit = 2
Filter-Id = dialin
Framed-IP-Address = 192.168.2.123


Any suggestions how to correctly get the Service-Type set to Framed-User 
when authenticating as Puser?

thx,
 andreas
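Alan's answer to this post (quoted in the reply that precedes it in this archive) is that the hints file updates the request, not the reply, so a Service-Type set there never reaches the Access-Accept; what the hints entry does leave behind is a Hint attribute in the request, and the users file can select on it with a Hint check item. The following is an added example, not the poster's or the project's configuration: user name, password and addresses are the ones from the post, the stripped-prefix handling is what the stock raddb/hints file ships, and splitting the user into two entries is my assumption that Puser and plain user should get different replies. The first entry matches only when hints set Hint = "PPP"; a plain dial-in fails that check and falls through to the second entry.

```text
# hints: strip the leading P and mark the request (these items land in the request list)
DEFAULT Prefix == "P", Strip-User-Name = Yes
        Hint = "PPP"

# users: matched against the stripped name "user"; first entry needs the hint
user    Cleartext-Password := "whatever", Hint == "PPP"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.2.123,
        Filter-Id = "dialin",
        Port-Limit = 2

user    Cleartext-Password := "whatever"
        Service-Type = Login-User,
        Login-IP-Host = 192.168.1.1,
        Login-Service = Rlogin,
        Port-Limit = 2,
        Filter-Id = "dialin"
```

Verify with radtest as in the post: "radtest Puser whatever localhost 0 testing123" should now return Service-Type = Framed-User, and "radtest user whatever localhost 0 testing123" Service-Type = Login-User.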

