Re: Accounting problem
on 12/06/2006 18.21 Alan DeKok said the following:
> doc/Simultaneous-Use

Ok, now I have read the document.

>> Is it possible to do accounting without the SQL database?
> Yes.

How do I have to configure radiusd.conf to do accounting without the SQL DB?

Thanks a lot
Bye
Antonio

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP check attributes
Ok, thanks... I'm searching for a solution ;-)
Bye
Antonio

on 22/05/2006 20.11 Alan DeKok said the following:
> Antonio Matera [EMAIL PROTECTED] wrote:
>> I don't have an EAP-Type entry and I don't understand where freeradius finds this attribute.
>
> Neither do I. But the message isn't produced in the default configuration, even when LDAP is enabled. It's something you've changed in your configuration.
>
> Alan DeKok.
Re: LDAP check attributes
Hallo, thanks for your answers.

> It's not in the conf files. Read the debug output. It's in LDAP.

Ok, the problem in the log file is this:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 op=11
Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns reject for request 5
modcall: leaving group authorize (returns reject) for request 5
Invalid user (rlm_ldap: Pairs do not match): [vlan3/no User-Password attribute] (from client cn-radius port 276 cli 000c.f135.f1ba)
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

But in the ldap.attrmap I added to the original file only:

checkItem    Cisco-AVPair    radiusCiscoAVPair

and

replyItem    Tunnel-Medium-Type         radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
replyItem    Tunnel-Type                radiusTunnelType

My user in the LDAP directory has the following attributes:

# vlan3, people, create-net.org
dn: sn=vlan3,ou=people,dc=create-net,dc=org
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: radiusprofile
radiusTunnelPrivateGroupId: 3
radiusCiscoAVPair: ssid=VLAN3
sn: vlan3
uid: vlan3
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
cn: vlan3
userPassword:: dmxhbjM=

I don't have an EAP-Type entry and I don't understand where freeradius finds this attribute.
Bye
Antonio
Re: LDAP check attributes
Hi! Thanks for the answer. The problem is that I haven't set an EAP-Type in my configuration. Can it be an automatic configuration of PEAP? In my conf files I don't have an EAP-Type entry.
Bye
Antonio

on 18/05/2006 18.41 Alan DeKok said the following:
> Antonio Matera [EMAIL PROTECTED] wrote:
>> Invalid operator for item EAP-Type: reverting to '=='
>> rlm_ldap: Pairs do not match. Rejecting user.
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> modcall[authorize]: module ldap returns reject for request 5
>
> Why do you have EAP-Type in your LDAP configuration? That is breaking the server. The solution would appear to be to *not* set EAP-Type.
>
> Also, you haven't explained what you're trying to do, or why.
>
> Alan DeKok.
Re: LDAP check attributes
Hi, I'll describe the error in my log better. I suppose the problem is in these lines:

Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns reject for request 5

Here I put the end of my log file:

rad_recv: Access-Request packet from host 192.168.20.4:1645, id=97, length=240
        User-Name = vlan3
        Framed-MTU = 1400
        Called-Station-Id = 0012.dacb.8420
        Calling-Station-Id = 000c.f135.f1ba
        Cisco-AVPair = ssid=VLAN3
        Service-Type = Login-User
        Message-Authenticator = 0xdc1ea9dbac4ed1f33ebb580a3c1c4a73
        EAP-Message = 0x020600501900170301002088ea976b1bef6fd3a9bd5599650e83cd848cf424e51a204996c8941600f71b871703010020323a6993eede0a3f70fda756d35c73463b1f49efe677a830e25ab51d09220b6f
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = 276
        NAS-Port = 276
        State = 0xb0d694dd7c79d212c6f91ec33dceddf1
        NAS-IP-Address = 192.168.20.4
        NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = vlan3, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
rlm_eap: EAP packet type response id 6 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 5
modcall[authorize]: module files returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat: '(uid=vlan3)'
radius_xlat: 'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 op=11
rlm_ldap: user vlan3 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - vlan3
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of vlan3
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to vlan3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module preprocess returns ok for request 5
modcall[authorize]: module mschap returns noop for request 5
rlm_realm: No '@' in User-Name = vlan3, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 5
rlm_eap: EAP packet type response id 6 length 10
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 5
modcall[authorize]: module files returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for vlan3
radius_xlat: '(uid=vlan3)'
radius_xlat: 'dc=create-net,dc=org'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=create-net,dc=org, with filter (uid=vlan3)
rlm_ldap: Added password vlan3 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusCiscoAVPair as Cisco-AVPair, value ssid=VLAN3 op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelType as Tunnel-Type, value VLAN op=11
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id, value 3 op=11
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type, value IEEE-802 op=11
Invalid operator for item EAP-Type: reverting to '=='
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns reject for request
Re: LDAP check attributes
Hi, thanks a lot for your answer. Your solution works fine but I don't understand some things:

1 - If I insert the Cisco-AVPair in the filter and I don't have this attribute in my LDAP user, I can't authenticate it. Is it possible to check the SSID only if it is in the list of the LDAP user's attributes?

2 - With this solution the following row in the ldap.attrmap is not necessary:

checkItem    Cisco-AVPair    radiusCiscoAVPair

Without it the filter authentication works. Is it not possible to use the ldap.attrmap file to insert a check item? In this file I have inserted 3 replyItems:

replyItem    Tunnel-Medium-Type         radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id    radiusTunnelPrivateGroupId
replyItem    Tunnel-Type                radiusTunnelType

If I insert these three attributes in my LDAP user they work without other configuration. Why doesn't the checkItem work?

3 - The last question is a little different: if I insert this row in the users file:

DEFAULT    Auth-Type := LDAP

the authentication doesn't work. Is it normal, or do I have some mistakes in my configuration?

Thanks a lot
Bye
Antonio

on 17/05/2006 9.02 ludovic cailleau said the following:
> Hi
>
> filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusCiscoAVpair=%{Cisco-AVPair}))
>
> regards
Re: LDAP check attributes
> My LDAP base contains an SSID attribute for each user, because my NAS sends its vendor-specific attribute containing the SSID the user wants to connect to. At each authentication request, the authorize section (radiusd.conf) calls LDAP (with the filter) to compare the `uid' and `SSID'. If the SSID sent by the NAS corresponds to the SSID stored in LDAP, freeradius sends 'accept'; if not it sends a 'reject'.
>
> But you want the Cisco switch to redirect the user into one SSID or another according to the SSIDs corresponding to the attributes Tunnel-Medium-Type, Tunnel-Private-Group-Id, Tunnel-Type?

My solution is similar to yours, but I don't have SSID attributes for each user. I use the replyItem to redirect the user connection to the correct VLAN. But if the replyItem works, why can't I do a check of one attribute with the checkItem? What is wrong in my configuration?

For example, if I use the users file authentication without LDAP with these users:

test2    Cisco-AVPair == ssid=VLAN2, User-Password == passwd2
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN

test3    User-Password == passwd3
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN

test2 can connect to vlan2 only with ssid=VLAN2. test3 can connect to vlan3 with any SSID. This configuration works and I want the same using only the ldap module without the users file.

I hope that my explanation is clear.
Bye
Antonio
Re: LDAP check attributes
Hallo, I did some tests on my freeradius. If I set compare_check_items = yes the PEAP session fails and I receive this log:

rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejected rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap

Without it, all works fine. Why do I get an error on PEAP with compare_check_items?

Thanks, bye
Antonio

on 17/05/2006 14.11 Mitchell, Michael J said the following:
> Hi Antonio,
>
>> ldap: compare_check_items = no
>
> You need to set compare_check_items = yes in the ldap module configuration? The default is no.
>
> regards,
> Mike
Re: LDAP check attributes
Can anyone help me?
Thanks, bye
Antonio

on 15/05/2006 11.06 Antonio Matera said the following:
> Hallo, I have a problem with the LDAP attributes. I want to set an SSID check in my radius authentication. If I do it with the users file all works fine. Now I want to insert this attribute in the LDAP schema. I have inserted a new attribute radiusCisco-AVpair in my schema with value ssid=VLAN3 and in the ldap.attrmap file I have inserted the following row:
>
> checkItem    Cisco-AVPair    radiusCiscoAVpair
>
> and the ldap module is:
>
> ldap {
>     server = localhost
>     basedn = dc=create-net,dc=org
>     password_attribute = userPassword
>     start_tls = no
>     ldap_connections_number = 5
> }
>
> But with this configuration my LDAP user is always authenticated with any SSID. What is wrong?
> Thanks
Re: LDAP check attributes
Hi, thanks for the answer. I forgot my filter line in the ldap module:

filter = (uid=%{Stripped-User-Name:-%{User-Name}})

What do I have to insert in this string to add the SSID check? Where do I insert the Cisco-AVPair check?

Thanks, bye
Antonio

on 16/05/2006 14.06 ludovic cailleau said the following:
> Antonio Matera [EMAIL PROTECTED] wrote:
>> ldap {
>>     server = localhost
>>     basedn = dc=create-net,dc=org
>>     password_attribute = userPassword
>>     start_tls = no
>>     ldap_connections_number = 5
>> }
>
> You must use filter in the ldap module if you want to check the SSID. You'll make the filter with uid and Cisco-AVPair.
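Added example, not the project's code and not anything posted in this thread: a standalone Python model of the per-request LDAP search filter suggested above, run against a constructed copy of the vlan3 entry. It shows the strict (&(uid=...)(radiusCiscoAVpair=...)) form, a variant that checks the SSID only when the entry carries a radiusCiscoAVpair at all (the "any SSID" user asked about in this thread), and why the request attributes substituted into the filter must be RFC 4515-escaped: an unescaped `*` in User-Name turns (uid=...) into a presence test that matches every user on that SSID. The filter evaluator, the escaping routine, the %{Attr} substitution, the case-insensitive value comparison and the second directory entry (test3) are all the example's own assumptions; the %{Stripped-User-Name:-...} fallback is left out, and FreeRADIUS's own xlat escaping is not reproduced here.

```python
"""Added example (not rlm_ldap code): build and evaluate the SSID-checking
LDAP filter from this thread against an in-memory directory."""
import re

# Constructed directory: the vlan3 entry from the thread, plus test3, a user
# without radiusCiscoAVpair (the "connect from any SSID" case). Attribute
# names are lower-cased because LDAP attribute types are case-insensitive.
DIRECTORY = [
    {"dn": "sn=vlan3,ou=people,dc=create-net,dc=org",
     "uid": ["vlan3"], "radiusciscoavpair": ["ssid=VLAN3"],
     "radiustunnelprivategroupid": ["3"]},
    {"dn": "sn=test3,ou=people,dc=create-net,dc=org",
     "uid": ["test3"], "radiustunnelprivategroupid": ["3"]},
]

# The filter suggested in the thread (minus the Stripped-User-Name fallback).
STRICT_FILTER = "(&(uid=%{User-Name})(radiusCiscoAVpair=%{Cisco-AVPair}))"
# Check the SSID only when the entry has a radiusCiscoAVpair at all.
OPTIONAL_SSID_FILTER = ("(&(uid=%{User-Name})"
                        "(|(!(radiusCiscoAVpair=*))(radiusCiscoAVpair=%{Cisco-AVPair})))")


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: characters that have meaning
    inside a filter become \\XX hex escapes (example's own implementation)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand(template, request, escape=True):
    """xlat-like substitution of %{Attr} from the request into the template."""
    def sub(m):
        raw = request.get(m.group(1), "")
        return escape_filter_value(raw) if escape else raw
    return re.sub(r"%\{([A-Za-z0-9-]+)\}", sub, template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, i=0):
    """Recursive-descent parser for the subset used here: &, |, !, attr=value
    and presence (attr=*). Returns (node, index after the closing paren)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse_filter(s, i)
            kids.append(child)
        node = (op, kids)
    elif s[i] == "!":
        child, i = parse_filter(s, i + 1)
        node = ("!", child)
    else:
        j = s.index(")", i)                   # escaped values contain no raw ')'
        attr, _, value = s[i:j].partition("=")
        node, i = ("=", attr.lower(), value), j
    if s[i] != ")":
        raise ValueError("expected ')' at %d in %r" % (i, s))
    return node, i + 1


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                          # presence filter
        return bool(present)
    return _unescape(value).lower() in [v.lower() for v in present]


def search(template, request, directory=DIRECTORY, escape=True):
    """Expand the template for this request and return the matching DNs."""
    filt = expand(template, request, escape)
    node, end = parse_filter(filt)
    if end != len(filt):
        raise ValueError("trailing data in filter %r" % filt)
    return [e["dn"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    req = {"User-Name": "vlan3", "Cisco-AVPair": "ssid=VLAN3"}
    print(search(STRICT_FILTER, req))                      # vlan3 matches
    print(search(STRICT_FILTER, dict(req, **{"Cisco-AVPair": "ssid=VLAN2"})))  # []
    bad = {"User-Name": "*", "Cisco-AVPair": "ssid=VLAN3"}
    print(search(STRICT_FILTER, bad))                      # [] once escaped
    print(search(STRICT_FILTER, bad, escape=False))        # vlan3: wildcard leaked
```

An empty result is what becomes the reject in rlm_ldap terms, so with STRICT_FILTER a user with no radiusCiscoAVpair can never log in, which is exactly question 1 above; OPTIONAL_SSID_FILTER relaxes that for entries without the attribute while still pinning users that have one to their SSID.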
LDAP check attributes
Hallo, I have a problem with the LDAP attributes. I want to set an SSID check in my radius authentication. If I do it with the users file all works fine. Now I want to insert this attribute in the LDAP schema. I have inserted a new attribute radiusCisco-AVpair in my schema with value ssid=VLAN3 and in the ldap.attrmap file I have inserted the following row:

checkItem    Cisco-AVPair    radiusCiscoAVpair

and the ldap module is:

ldap {
    server = localhost
    basedn = dc=create-net,dc=org
    password_attribute = userPassword
    start_tls = no
    ldap_connections_number = 5
}

But with this configuration my LDAP user is always authenticated with any SSID. What is wrong?
Thanks

This is my log file:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: bind_address = 192.168.20.2 IP address [192.168.20.2]
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = localhost
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = dc=create-net,dc=org
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = userPassword
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to
Re: Active directory and MS-CHAP Authentication.
Hallo, ok, now it works; there was a problem with the NT domain.

One question: is it possible to configure at the same time an MS-CHAP module like this with the NT domain and another with LDAP? I have tried it, but if I activate the MS-CHAP module the LDAP authentication doesn't work; without MS-CHAP, LDAP works. Any idea?

Thanks a lot for your time
Bye
Antonio
Re: Active directory and MS-CHAP Authentication.
> I'm not sure I understand what you mean. Could you be more specific?

Now I have the MS-CHAP module configured and it works with the NT users' authentication. I have an LDAP server where I have other users. I have configured the LDAP module on freeradius and it works. The problem is that if I activate both modules, the LDAP authentication doesn't work, but if I remove MS-CHAP auth, LDAP works fine. I suppose that there is a problem with the check of the correct user in the correct module.

Thanks, bye
Antonio
Active directory and MS-CHAP Authentication.
Hi, I have a problem with the authentication of Active Directory users on freeradius. I correctly set up samba and kerberos and if I write:

# ntlm_auth --request-nt-key --domain=mydomain --username=myuser

and insert the correct password, I receive the authentication OK. My problem is to configure the mschap module on freeradius. My mschap config is:

mschap {
    auth-type = MS-CHAP
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

If I insert DEFAULT Auth-Type := MS-CHAP in the users file, in the log file I read this error:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NM-Password.
rlm_mschap: No MS-CHAP-Challenge in the request

If I remove the DEFAULT user from the users file, in the log I can't find an mschap authentication and the user is rejected. What is wrong?

Thanks a lot
Bye
Antonio
Default user in sql
Hi, I have this users file:

TLS1     Cisco-AVPair == ssid=VLAN3
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN

TLS2     Cisco-AVPair == ssid=cn-test
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN

peap1    Cisco-AVPair == ssid=VLAN3, User-Password == ciao1
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN

peap2    Cisco-AVPair == ssid=cn-test, User-Password := ciao2
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN

DEFAULT  Auth-Type := Reject

TLS1 and TLS2 are used for the EAP-TLS authentication with certificate. I want TLS1 to be authenticated only with ssid=vlan3 and TLS2 with ssid=cn-test. The same for the users peap1 and peap2, but here I have a PEAP authentication with user and password.

Without the DEFAULT user at the bottom of the users file with Auth-Type := Reject, if I try to authenticate TLS1 with a bad SSID, my user is authenticated without the attribute, but I don't want this user to be authenticated in this case. With the DEFAULT user all works fine and the user is rejected.

The problem is to set a default user if I want to use the SQL database. How can I do it? I need a default user that is matched only if the user that asks for authentication isn't in the SQL database. I tried with the DEFAULT user in the sql.conf file but this is different, because it is always the first user tested, and in my case I always get a rejected authentication.

Thanks a lot.
Bye
Antonio
Problem in PEAP authentication with SSID check
Hi, I can't authenticate my client with PEAP when I set the SSID check in the user. My user is the following:

cn-test    Cisco-AVPair == ssid=cn-test, User-Password == ciao
           Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN

I tried with User-Password := ciao but the result is the same.

- If I remove the SSID check the authentication works fine.
- If I set Cisco-AVPair := ssid=cn-test the user is authenticated with any SSID.

My PEAP configuration is:

peap {
    default_eap_type = mschapv2
    # copy_request_to_tunnel = no
    # use_tunneled_reply = no
    # proxy_tunneled_request_as_eap = yes
}

With my original user I have this log:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: bind_address = 192.168.9.191 IP address [192.168.9.191]
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = ldap.your.domain
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity =
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = (null)
ldap: tls_cacertdir = (null)
ldap: tls_certfile = (null)
ldap: tls_keyfile = (null)
ldap: tls_randfile = (null)
ldap: tls_require_cert = allow
ldap: password =
ldap: basedn = o=My Org,c=UA
ldap: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = dialupAccess
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped
Re: Problem in PEAP authentication with SSID check
It works! Thanks a lot for your answer!
Bye
Antonio

on 19/04/2006 14.28 Phil Mayers said the following:
> You need to set:
>
> eap {
>     # other stuff
>     peap {
>         # other stuff
>         copy_request_to_tunnel = yes
>     }
> }
>
> ...in the eap.conf file.
Re: Problem with Cisco-AVPair
Hi, I don't know how I can resolve my problem... With this user:

vlan3    Cisco-AVPair == ssid=VLAN3, User-Password := test
         Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN

I always have the same problem... This is my log:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=29, length=240
        User-Name = vlan3
        Framed-MTU = 1400
        Called-Station-Id = 0012.dacb.8420
        Calling-Station-Id = 000c.f135.f1ba
        Cisco-AVPair = ssid=VLAN3
        Service-Type = Login-User
        Message-Authenticator = 0x9873358109c27321d39f54fcaa44b983
        EAP-Message = 0x0208005019001703010020abbfc50d6f7a13a8226e008a01441a4e94f2565c4eec010d12551692bfc9eea11703010020ea39080c7e56fafd97e7cb195e21a02a445b5632d50a356d96bf10a3082d53e2
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = 263
        NAS-Port = 263
        State = 0x1846e133758faf753fefeedfd54cc831
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = ap
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module preprocess returns ok for request 7
modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = vlan3, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 7
rlm_eap: EAP packet type response id 8 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 7
users: Matched entry vlan3 at line 24
modcall[authorize]: module files returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 263 cli 000c.f135.f1ba)
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request

Is it possible that my problem is this?

rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.

I tried a lot of things but I can't find a solution for my problem...
Thanks, bye
Antonio

on 15/04/2006 20.03 Alan DeKok said the following:
> Bertrand Poulet [EMAIL PROTECTED] wrote:
>> at line 66 of the users file, I've got:
>> bertrand    Cisco-AVPair == ssid=my_ssid, User-Password == bertrand
>
> Use := for User-Password.
>
> Alan DeKok.
Re: Problem with Cisco-AVPair
Hallo,
sorry, I had a bad configuration of my email client. I re-write my problem:

I want to authenticate my users with different SSIDs on different VLANs. My objective is to authenticate a user only on a selected SSID. With the wrong SSID the user shouldn't connect...

I use PEAP-MS-CHAPv2 and the user is set as follows:

vlan3   Cisco-AVPair == "ssid=VLAN3", User-Password == "test"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

If I insert the check == in the Cisco-AVPair attribute, I have this log:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=240
        User-Name = "vlan3"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
        EAP-Message = 0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry vlan3 at line 24
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Delaying request 8 for 1 seconds
Finished request 8

The radius doesn't authenticate my user, but the SSID is correct!

If I insert the check := in the Cisco-AVPair attribute, my user is authenticated on all my SSIDs.

Did I miss something in my configuration?

Thanks a lot for your support...
Antonio

on 06/04/2006 23.05 Kevin Bonner said the following:
> On Thursday 06 April 2006 08:24, Antonio Matera wrote:
>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
>
> Please stop using HTML when posting your messages. You just might get a few more useful responses from people who don't bother to read html-only messages.
>
> Kevin Bonner
Re: Problem with Cisco-AVPair
Hallo,
if I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any SSID and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated. Is there any other configuration to set in the radius or in the access point?

In my access request there is the AVPair attribute:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"

but I don't understand if it works...

Any idea?
Thanks

on 06/04/2006 11.39 Sergio Sagliocco said the following:
> Hi,
> I think you have to try in this way (for example):
>
> TEST4   Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2,
>         Tunnel-Type = VLAN
>
> DEFAULT Auth-Type := Reject
>
> If you want a password:
>
> TEST4   Cisco-AVPair == "ssid=SSID1", User-Password="", Auth-Type := EAP
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2,
>         Tunnel-Type = VLAN
>
> DEFAULT Auth-Type := Reject
>
> Regards
> sergio
>
> Antonio Matera wrote:
>> My goal is to have the user authenticated only if the SSID is right!
>> Do you know how I can do it?
>> Thanks
>> Antonio
>>
>> on 05/04/2006 17.33 Sergio Sagliocco said the following:
>>> Hello,
>>> is your goal to authenticate users only if the SSID is right, or to have a different EAP authentication method based on SSID?
>>> regards
>>> sergio
>>>
>>> Antonio Matera wrote:
>>>> Hallo,
>>>> thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files?
>>>> Thanks, bye
>>>>
>>>> on 05/04/2006 15.27 Sergio Sagliocco said the following:
>>>>> Hi,
>>>>> I think you have to use == instead of :=
>>>>> For example:
>>>>>
>>>>> DEFAULT Cisco-AVPair == "ssid=testLEAP", EAP-Type := Cisco-LEAP
>>>>>
>>>>> Regards

--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400 ext. 305
fax: +39 0461 421157
www.create-net.org
Re: Problem with Cisco-AVPair
Hallo,
I tried with EAP-TLS and PEAP/MS-CHAPv2. With the latter, I have this user:

vlan3   Cisco-AVPair == "ssid=VLAN3", User-Password == "test"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

If I insert the check == in the Cisco-AVPair attribute, I have this log:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=240
        User-Name = "vlan3"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
        EAP-Message = 0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry vlan3 at line 24
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [vlan3/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Delaying request 8 for 1 seconds
Finished request 8

The radius doesn't authenticate my user, but the SSID is correct! I don't understand what is wrong.

Thanks a lot for your support...
Antonio

on 06/04/2006 14.59 Guy Davies said the following:
> I don't think you should be setting the Auth-Type. Just let FreeRADIUS work that out.
>
> What are you doing with your Cisco AP? Are you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password == "foo" in your user database and you *must not* set Auth-Type := EAP.
>
> You should do as Sergio says and use == in your Cisco-AVPair check item. This is a comparison.
>
> Rgds,
> Guy
>
> On 06/04/06, Antonio Matera [EMAIL PROTECTED] wrote:
>> Hallo,
>> if I set Cisco-AVPair == "ssid=SSID1" in my user authentication, the authentication fails with any SSID and user. If I set Cisco-AVPair := "ssid=SSID1" my users are always authenticated. Is there any other configuration to set in the radius or in the access point?
>>
>> In my access request there is the AVPair attribute:
>>
>> rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
>>         User-Name = "TEST4"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "0012.dacb.8420"
>>         Calling-Station-Id = "000c.f135.f1ba"
>>         Cisco-AVPair = "ssid=VLAN3"
>>         Service-Type = Login-User
>>         Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
>>         EAP-Message = 0x020600060d00
>>         NAS-Port-Type = Wireless-802.11
>>         Cisco-NAS-Port = "260"
>>         NAS-Port = 260
>>         State = 0x0491685cf8ece3184d685dedfedbb3d4
>>         NAS-IP-Address = 192.168.9.104
>>         NAS-Identifier = "ap"
>>
>> but I don't understand if it works...
>>
>> Any idea?
>> Thanks
>>
>> on 06/04/2006 11.39 Sergio Sagliocco said the following:
>>> Hi,
>>> I think you have to try in this way (for example):
>>>
>>> TEST4   Cisco-AVPair == "ssid=SSID1", Auth-Type := EAP
>>>         Tunnel-Medium-Type = IEEE-802,
>>>         Tunnel-Private-Group-Id = 2,
>>>         Tunnel-Type = VLAN
>>>
>>> DEFAULT Auth-Type := Reject
>>>
>>> If you want a password:
>>>
>>> TEST4   Cisc
Problem with Cisco-AVPair
Hi all,
I have a problem with user authentication with EAP-TLS or PEAP on different SSIDs and VLANs. My objective is to authenticate one user only on a selected SSID.

At the moment I have this user with EAP-TLS, but if I use PEAP and insert a user password, the problem is the same:

TEST4   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2   Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

and the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 18
users: Matched entry TEST4 at line 11
modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
        MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = "TEST4"
Finished request 18

The user TEST4 is authenticated with the bad SSID. The check Cisco-AVPair := "ssid=SSID1" doesn't work. What is wrong?

I read a lot of mail on this mailing list; I tried the option with_cisco_hack = yes in the radiusd.conf file, but the problem is always the same. I don't understand what the problem is... Can someone help me?

Thanks a lot to all
Bye
Antonio
Re: Problem with Cisco-AVPair
Hallo,
thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files?

Thanks, bye

on 05/04/2006 15.27 Sergio Sagliocco said the following:
> Hi,
> I think you have to use == instead of :=
> For example:
>
> DEFAULT Cisco-AVPair == "ssid=testLEAP", EAP-Type := Cisco-LEAP
>
> Regards
Re: Problem with Cisco-AVPair
My goal is to have the user authenticated only if the SSID is right!
Do you know how I can do it?

Thanks
Antonio

on 05/04/2006 17.33 Sergio Sagliocco said the following:
> Hello,
> is your goal to authenticate users only if the SSID is right, or to have a different EAP authentication method based on SSID?
> regards
> sergio
>
> Antonio Matera wrote:
>> Hallo,
>> thanks for the answer. With your solution my radius doesn't authenticate my users. Is my configuration correct or do I need other changes in my radius files?
>> Thanks, bye
>>
>> on 05/04/2006 15.27 Sergio Sagliocco said the following:
>>> Hi,
>>> I think you have to use == instead of :=
>>> For example:
>>>
>>> DEFAULT Cisco-AVPair == "ssid=testLEAP", EAP-Type := Cisco-LEAP
>>>
>>> Regards
Re: VLAN and SSID
Can anyone help me, please?

Thanks,
Antonio

on 30/03/2006 17.39 Antonio Matera said the following:
> hi,
> ok, now the authentication request works (the problem was that if I restart the AP I lose this configuration. How can I save it using the web configuration?)
>
> Now the log is the following:
>
> rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
>         User-Name = "TEST4"
>         Framed-MTU = 1400
>         Called-Station-Id = "0012.dacb.8420"
>         Calling-Station-Id = "000c.f135.f1ba"
>         Cisco-AVPair = "ssid=VLAN3"
>         Service-Type = Login-User
>         Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
>         EAP-Message = 0x020600060d00
>         NAS-Port-Type = Wireless-802.11
>         Cisco-NAS-Port = "260"
>         NAS-Port = 260
>         State = 0x0491685cf8ece3184d685dedfedbb3d4
>         NAS-IP-Address = 192.168.9.104
>         NAS-Identifier = "ap"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 18
> modcall[authorize]: module "preprocess" returns ok for request 18
> modcall[authorize]: module "mschap" returns noop for request 18
> rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 18
> rlm_eap: EAP packet type response id 6 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 18
> users: Matched entry TEST4 at line 11
> modcall[authorize]: module "files" returns ok for request 18
> modcall: leaving group authorize (returns updated) for request 18
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 18
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake is finished
> eaptls_verify returned 3
> eaptls_process returned 3
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns ok for request 18
> modcall: leaving group authenticate (returns ok) for request 18
> Login OK: [TEST4/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
> Sending Access-Accept of id 19 to 192.168.9.104 port 1645
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "2"
>         Tunnel-Type:0 = VLAN
>         MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
>         MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
>         EAP-Message = 0x03060004
>         Message-Authenticator = 0x
>         User-Name = "TEST4"
> Finished request 18
>
> and I have these users:
>
> TEST4   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 2,
>         Tunnel-Type = VLAN
>
> user2   Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 3,
>         Tunnel-Type = VLAN
>
> Now in the log there is Cisco-AVPair = "ssid=VLAN3", but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration. Are there other mistakes?
>
> Thanks for your answers...
> Bye
> Antonio
Re: VLAN and SSID
Hi to all,
I have modified my users file:

user1   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID2"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

But in this way the radius authorizes, for example, user2 on VLAN3 with SSID1 (second user with first SSID). In my log after the MAC address there isn't any information on the SSID. The log is similar to the last one that I posted:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=137
        User-Name = "user1"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Service-Type = Login-User
        Message-Authenticator = 0x0b9afa834203d48273f35fee97e2df88
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 262
        State = 0xd2c7600f31d580fb360e134fa4977735
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry user1 at line 12
modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 5
modcall: leaving group authenticate (returns ok) for request 5
Login OK: [user1/no User-Password attribute] (from client ap-test port 262 cli 000c.f135.f1ba)
Sending Access-Accept of id 21 to 192.168.9.104 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0x9d39ad6e0574878bf7b25b981595db0b7781b06025feb14ec89a5d6d78c4653c
        MS-MPPE-Send-Key = 0xd68f501b1e8d569699674ddf3fc266185b2d269f9e455a4653aa126b5f3ba185
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = "user1"
Finished request 5

In the log I haven't information on the SSID, but in my AP configuration I have the radius-server vsa send accounting:

.
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.9.193 auth-port 1812 acct-port 1813 key 7 131112011F41162B2F2D3D20
radius-server host 192.168.9.104 auth-port 1645 acct-port 1646 key 7 111D1C1603
radius-server host 192.168.9.191 auth-port 1812 acct-port 1813 key 7 104D1B1C0403174602013E663629373C3700
radius-server vsa send accounting
bridge 1 route ip
..

What is wrong? I don't understand where the mistake is.

Thanks a lot
Bye all
Antonio

> So prevent that. The Calling-Station-Id *should* contain the SSID after the MAC address. Run the server in debug mode to see this. Then, use a regular expression to match the SSID.
>
> Alan DeKok.
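Sergio's and Guy's point earlier in the thread (== on a check item is a comparison, := is an assignment) and Alan's suggestion of a regular-expression match are easiest to see with a small simulator of the users-file check-item rules. The following is an added example written for this page; it is not FreeRADIUS code and not from anyone in the thread. The entries and the Access-Request are constructed from the values posted above, with one assumption: the ":VLAN3" suffix on Called-Station-Id presumes the AP formats that attribute as "<ap-mac>:<ssid>", which has to be confirmed in your own radiusd -X output before a =~ check on it can be trusted.

```python
"""Simulates how rlm_files evaluates the check items of a users-file entry.

Added example, not FreeRADIUS code.  Only what the thread turns on is modelled:
  ==   compare: the entry does not match if the request differs
  !=   compare: the entry does not match if the request is equal
  =~   regular-expression compare against the request
  :=   assignment: the pair goes into the check/config list and nothing in the
       request is compared, so it can never make an entry fail to match
Fall-Through and the later use of User-Password by the auth modules are left out.
"""
import re

SET_OPS = {":=", "=", "+="}
PAIR_RE = re.compile(r'^\s*([\w-]+)\s*(==|!=|:=|\+=|=~|!~|=)\s*"?([^"]*)"?\s*$')


def split_pairs(text):
    """Split 'A = x, B = "y,z"' on the commas that are outside double quotes."""
    pairs, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            pairs.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        pairs.append(buf.strip())
    return pairs


def parse_pair(pair):
    """'Cisco-AVPair == "ssid=SSID1"' -> ('Cisco-AVPair', '==', 'ssid=SSID1')."""
    m = PAIR_RE.match(pair)
    if not m:
        raise ValueError("cannot parse %r" % pair)
    return m.group(1), m.group(2), m.group(3)


def parse_entry(block):
    """First line: 'name check-items'; following lines: reply items."""
    lines = [l for l in block.splitlines() if l.strip()]
    head = lines[0].split(None, 1)
    checks = [parse_pair(p) for p in split_pairs(head[1])] if len(head) > 1 else []
    reply_text = " ".join(l.strip() for l in lines[1:])
    replies = [parse_pair(p) for p in split_pairs(reply_text)] if reply_text else []
    return head[0], checks, replies


def entry_matches(entry, request):
    """Return (matched, config items) for one entry against a request dict."""
    name, checks, _ = entry
    if name != "DEFAULT" and request.get("User-Name") != name:
        return False, {}
    config = {}
    for attr, op, value in checks:
        have = request.get(attr)
        if op in SET_OPS:
            config[attr] = value          # stored, never compared with the request
        elif op == "==" and have != value:
            return False, {}
        elif op == "!=" and have == value:
            return False, {}
        elif op == "=~" and (have is None or not re.search(value, have)):
            return False, {}
        elif op == "!~" and have is not None and re.search(value, have):
            return False, {}
    return True, config


def authorize(users_text, request):
    """First matching entry wins: returns (entry name, config items, reply items)."""
    for block in users_text.strip().split("\n\n"):
        entry = parse_entry(block)
        matched, config = entry_matches(entry, request)
        if matched:
            return entry[0], config, entry[2]
    return None, {}, []


# Constructed entries: the thread's ':=' form beside the '==' form, a '=~' on
# Called-Station-Id (assumed "<ap-mac>:<ssid>"), and a DEFAULT that rejects the rest.
USERS_WRONG = """
TEST4   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN
"""
USERS_RIGHT = """
TEST4   Cisco-AVPair == "ssid=SSID1"
        Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN

vlan3   Called-Station-Id =~ ":VLAN3$", User-Password := "test"
        Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN

DEFAULT Auth-Type := Reject
"""
# Constructed Access-Request from the values posted in the thread; the ":VLAN3"
# suffix on Called-Station-Id is the assumption noted above.
REQUEST = {"User-Name": "TEST4", "Called-Station-Id": "0012.dacb.8420:VLAN3",
           "Calling-Station-Id": "000c.f135.f1ba", "Cisco-AVPair": "ssid=VLAN3"}

if __name__ == "__main__":
    print(authorize(USERS_WRONG, REQUEST)[0])                            # TEST4
    print(authorize(USERS_RIGHT, REQUEST)[0])                            # DEFAULT
    print(authorize(USERS_RIGHT, {**REQUEST, "User-Name": "vlan3"})[0])  # vlan3
```

With USERS_WRONG the TEST4 entry matches a request that carries ssid=VLAN3, because := never looks at the request; with USERS_RIGHT the same request falls through to DEFAULT and is rejected, while the vlan3 entry is selected only when the regular expression on Called-Station-Id matches. The DEFAULT entry matters: without it, a failed == simply means "no entry matched" and the EAP modules carry on as if no users-file policy existed.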
Re: VLAN and SSID
hi,
ok, now the authentication request works (the problem was that if I restart the AP I lose this configuration. How can I save it using the web configuration?)

Now the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "260"
        NAS-Port = 260
        State = 0x0491685cf8ece3184d685dedfedbb3d4
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 18
users: Matched entry TEST4 at line 11
modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/no User-Password attribute] (from client ap-test port 260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
        MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = "TEST4"
Finished request 18

and I have these users:

TEST4   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2   Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

Now in the log there is Cisco-AVPair = "ssid=VLAN3", but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration. Are there other mistakes?

Thanks for your answers...
Bye
Antonio

> You misread my previous email, you need:
>
>   radius-server vsa send authentication
>                          ^^
>
> This makes the Cisco include the SSID in the AUTHENTICATION request, which is what you need. Presently you only have:
>
>   radius-server vsa send accounting
>
> so the SSID is only being sent in accounting packets. (Having both is fine.)
>
> Regards,
> James
>
> --
> James J J Hooper, Information Services
> University of Bristol
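James's point can be checked mechanically rather than by eye: if the AP is not configured with "radius-server vsa send authentication", the Access-Request carries no Cisco-AVPair "ssid=..." and the users-file check item has nothing to compare against, whatever operator it uses. The following added example (written for this page, not FreeRADIUS code and not from the thread) parses the attribute dump that radiusd -X prints after a rad_recv: line and reports where the SSID is visible. The two sample dumps are constructed from the debug output posted above; the "<ap-mac>:<ssid>" form of Called-Station-Id it also looks for is an assumption to verify against your own AP.

```python
"""Does the AP send the SSID in Access-Request?  Added example, not FreeRADIUS code.

Parses the attribute dump that 'radiusd -X' prints after a 'rad_recv:' line and
reports where the SSID can be found, if anywhere.  Without it the users-file
check item 'Cisco-AVPair == "ssid=..."' has nothing to compare against.
"""
import re

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')

# Constructed from the debug output in the thread: one request that carries the
# Cisco VSA and one (AP had only 'radius-server vsa send accounting') that does not.
WITH_SSID = """
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166
        User-Name = "TEST4"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Cisco-AVPair = "ssid=VLAN3"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
"""
WITHOUT_SSID = """
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21, length=137
        User-Name = "user1"
        Framed-MTU = 1400
        Called-Station-Id = "0012.dacb.8420"
        Calling-Station-Id = "000c.f135.f1ba"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
"""


def parse_rad_recv(dump):
    """Return {attribute: [values]}; an attribute such as Cisco-AVPair may repeat."""
    attrs = {}
    for line in dump.splitlines():
        if line.lstrip().startswith("rad_recv:"):
            continue
        m = ATTR_RE.match(line)
        if m:
            name, value = m.groups()
            attrs.setdefault(name, []).append(value.strip('"'))
    return attrs


def find_ssid(attrs):
    """Return (source attribute, ssid) or (None, None).

    Cisco-AVPair "ssid=<name>" is what 'radius-server vsa send authentication'
    adds.  The "<ap-mac>:<ssid>" form of Called-Station-Id is an assumed fallback;
    check your own debug output before relying on it.
    """
    for avp in attrs.get("Cisco-AVPair", []):
        if avp.startswith("ssid="):
            return "Cisco-AVPair", avp[len("ssid="):]
    for csid in attrs.get("Called-Station-Id", []):
        if ":" in csid:
            return "Called-Station-Id", csid.split(":", 1)[1]
    return None, None


def diagnose(dump):
    """One-line verdict for a single Access-Request dump."""
    attrs = parse_rad_recv(dump)
    nas = attrs.get("NAS-IP-Address", ["?"])[0]
    user = attrs.get("User-Name", ["?"])[0]
    source, ssid = find_ssid(attrs)
    if source is None:
        return ("no SSID in Access-Request from %s for user %s: enable "
                "'radius-server vsa send authentication' on the AP" % (nas, user))
    return "SSID %s for user %s found in %s" % (ssid, user, source)


if __name__ == "__main__":
    print(diagnose(WITH_SSID))
    print(diagnose(WITHOUT_SSID))
```

Run it against a dump copied from radiusd -X; if the verdict is "no SSID in Access-Request", fix the AP before touching the users file, because no check item can match an attribute the NAS never sends.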
VLAN and SSID
Hallo,
I have a problem with the authentication on different VLANs. I write for you my example:

I have two VLANs (VLAN1 and VLAN2) connected to two SSIDs (SSID1 and SSID2) on my Cisco 1200 AP. I have the same authentication on both connections (EAP-TLS). In my users file I have two users:

user1   Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2   Auth-Type := EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

The authentication works fine but, for example, if I connect the WinXP client to SSID1 with the user certificate of VLAN2, I have this situation: the client is connected to VLAN2 but the SSID of the wireless connection is SSID1.

Is it possible to prevent the connection to the selected SSID if the certificate of the user is incorrect?

Thanks, bye
Re: VLAN and SSID
Hallo,
thanks for the replies. If I insert only the Cisco-AVPair attribute, it doesn't work...

Now I'll try the radius-server vsa send authentication command... Is it an AP console command? Is it possible to set this command from the AP web interface? I have no experience with the console settings.

Another question: where can I find the list of the user attributes for freeradius? Here http://www.freeradius.org/rfc/attributes.html for example I can't find the Cisco-AVPair attribute...

Thanks a lot
Bye
Antonio

James J J Hooper wrote:
> --On Wednesday, March 29, 2006 09:11:13 +0100 Guy Davies [EMAIL PROTECTED] wrote:
>> You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = "SSID=SSIDn" back to the AP and if it doesn't match, then it can locally fail to authorize the user.
>
> I don't think 1200's do send the attribute by default in the access-request. To make it do so, use this command:
>
>   radius-server vsa send authentication
>
> Regards,
> James
>
> --
> James J J Hooper, Information Services
> University of Bristol
Re: VLAN and SSID
Hallo,
now I have the users configured as follows:

user1   Auth-Type := EAP
        Cisco-AVPair := "ssid=SSID1",
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2,
        Tunnel-Type = VLAN

user2   Auth-Type := EAP
        Cisco-AVPair := "ssid=SSID2",
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Type = VLAN

The AP has the radius-server vsa send authentication, but when I connect for example to SSID2 using user1, radius writes this log for a big number of requests:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, length=137
        User-Name = "user1"
        Framed-MTU = 1400
        Called-Station-Id = ..
        Calling-Station-Id = ..
        Service-Type = Login-User
        Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1215
        State = 0x15f928ed12d8d4d1a278530b6dd26c21
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 53
modcall[authorize]: module "preprocess" returns ok for request 53
modcall[authorize]: module "mschap" returns noop for request 53
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 53
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 53
users: Matched entry user1 at line 14
modcall[authorize]: module "files" returns ok for request 53
modcall: leaving group authorize (returns updated) for request 53
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 53
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 53
modcall: leaving group authenticate (returns ok) for request 53
Login OK: [user1/no User-Password attribute] (from client ap-test port 1215 cli 000c.f135.f1ba)
Sending Access-Accept of id 167 to 192.168.9.104 port 1645
        Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011
        MS-MPPE-Send-Key = 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = "user1"
Finished request 53

The XP client says that SSID2 is connected, but if I try to browse on VLAN1 or VLAN2 I can't do it.

Why does the radius receive a big number of requests from the client and not send a failed authorization? Is it possible to eliminate the requests after the first? Is it possible to send the XP client a failed authorization? At the moment the client doesn't understand whether it is or isn't connected to the SSID.

Thanks a lot for your time
Bye
Antonio