Dropped request after LDAP constraint violation

2010-01-25 Thread chui
Hi,

From radius.log, the symptom of the failure goes as follows:

1. rlm_ldap receives a constraint-violation reply from LDAP.
2. Other authentication requests immediately following the constraint-violation
reply fail with "Login incorrect".

sample radius log
-
Jan 12 13:44:05 : rlm_ldap: lblempnum=012345, ou=people, o=LBL, c=US bind to ldap:636 failed Constraint violation
Jan 12 13:44:05 : Login incorrect: [012345] (from client XXX port 24772 cli 0017.abcd.3fe0 via TLS tunnel)
Jan 12 13:44:12 : Login incorrect: [test-account] (from client XXX port 0)
-

At my site, I run radiusd with the -s flag.  FreeRADIUS operation with the
backend LDAP server is monitored by Nagios running check_radius.  I also
have Cacti checking the round-trip transaction time between radiusd and LDAP
at five-minute intervals.

For troubleshooting purposes, I obtained a copy of the LDAP log around the
same time frame.  The LDAP log showed that the user account 012345 had
exceeded the failed login attempts and the account was locked out, hence the
constraint violation.  However, there was no LDAP log entry indicating any
bind operation request from radiusd for [test-account].

Nagios runs the RADIUS monitoring at a 1-minute interval, and it usually
recovers within the next minute or so.  Cacti showed the average radiusd-LDAP RTT was
under 500ms.

Can anybody shed some light on this failure scenario?

Thanks
Cedric

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
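The two-step symptom above (a Constraint violation bind failure, then an unrelated user's request rejected a few seconds later) is easy to pick out after the fact with a small correlation over radius.log. The Python below is an added example, not code from the post or from FreeRADIUS. The log lines are constructed to match the format quoted in the post; the year (radius.log timestamps carry none) and the 60-second window are assumptions. It flags every "Login incorrect" that follows a constraint-violation bind within the window for a user other than the one that was locked out; a hit with no corresponding bind on the LDAP side, as in the post, is the case worth chasing.

```python
"""Correlate rlm_ldap constraint-violation bind failures with the
"Login incorrect" lines that follow them in radius.log.

Added example; not code from the post or from FreeRADIUS.
"""
import re
from datetime import datetime

# radius.log excerpt, constructed to match the format quoted in the post.
SAMPLE_LOG = """\
Jan 12 13:44:05 : rlm_ldap: lblempnum=012345, ou=people, o=LBL, c=US bind to ldap:636 failed Constraint violation
Jan 12 13:44:05 : Login incorrect: [012345] (from client XXX port 24772 cli 0017.abcd.3fe0 via TLS tunnel)
Jan 12 13:44:12 : Login incorrect: [test-account] (from client XXX port 0)
Jan 12 13:50:30 : Login incorrect: [someone-later] (from client XXX port 3)
"""

# radius.log timestamps carry no year; assumed here from the date of the post.
ASSUMED_YEAR = 2010

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) : (?P<msg>.*)$")
CONSTRAINT_RE = re.compile(r"^rlm_ldap: (?P<dn>.+?) bind to \S+ failed Constraint violation")
LOGIN_INCORRECT_RE = re.compile(r"^Login incorrect: \[(?P<user>[^\]]*)\]")


def parse_log(text):
    """Return [(datetime, message)] for every line in radius.log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("msg")))
    return events


def rdn_value(dn):
    """'lblempnum=012345, ou=people, ...' -> '012345' (value of the first RDN)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip() if "=" in first else first.strip()


def find_collateral_failures(text, window_seconds=60):
    """Flag every 'Login incorrect' within window_seconds after a
    constraint-violation bind failure whose user is NOT the locked-out one.
    The locked-out user's own rejection is expected; the others are the
    collateral rejections the post describes."""
    events = parse_log(text)
    findings = []
    for i, (ts, msg) in enumerate(events):
        cv = CONSTRAINT_RE.match(msg)
        if not cv:
            continue
        locked_user = rdn_value(cv.group("dn"))
        for later_ts, later_msg in events[i + 1:]:
            delay = (later_ts - ts).total_seconds()
            if delay > window_seconds:
                break  # log is chronological; nothing later can be in the window
            li = LOGIN_INCORRECT_RE.match(later_msg)
            if li and li.group("user") != locked_user:
                findings.append({
                    "locked_user": locked_user,
                    "locked_at": ts,
                    "user": li.group("user"),
                    "at": later_ts,
                    "delay_seconds": delay,
                })
    return findings


if __name__ == "__main__":
    for f in find_collateral_failures(SAMPLE_LOG):
        print(f"{f['at']:%b %d %H:%M:%S}: [{f['user']}] rejected {f['delay_seconds']:.0f}s "
              f"after [{f['locked_user']}] hit Constraint violation")
```

Run against the sample, only the [test-account] rejection seven seconds after the lockout is reported; the [012345] line is the locked user's own failure and the 13:50 line is outside the window. Widen the window only as far as your LDAP-side evidence lets you distinguish a stuck rlm_ldap connection from ordinary bad passwords.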


How to suppress error log: TLS_accept:error in SSLv3 read client certificate?

2007-04-12 Thread CHui
I am running both TTLS and PEAP.  Everything seems OK, but radius.log is
filling up fast with these error messages.  Is the error log configurable?

Thu Apr 12 09:14:51 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Apr 12 09:14:51 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Apr 12 09:14:52 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
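Nothing on this page gives a FreeRADIUS switch for these lines, and the pair "TLS_accept:error in SSLv3 read client certificate A" followed by "error::lib(0):func(0):reason(0)" typically means the supplicant tore down the TLS handshake before finishing it (most often because it did not accept the server certificate), so the useful move is to compress the noise rather than hide it. The Python below is an added example, not code from the post or from FreeRADIUS: it collapses consecutive identical error lines into one entry with a repeat count, syslog-style, and tallies Error lines per minute so a burst stands out. The sample lines are constructed in the format of the post's excerpt; the "Login OK" line is invented to show that non-error lines are left alone.

```python
"""Collapse repeated radius.log error lines and count errors per minute.

Added example; not code from the post or from FreeRADIUS.
"""
import re
from datetime import datetime

# Constructed radius.log excerpt in the format quoted in the post.
SAMPLE_LOG = """\
Thu Apr 12 09:14:51 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Apr 12 09:14:51 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Apr 12 09:14:52 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Apr 12 09:14:52 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Apr 12 09:15:03 2007 : Auth: Login OK: [alice] (from client ap1 port 7 cli 000a.95ab.12cd)
Thu Apr 12 09:15:10 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<level>\w+): (?P<msg>.*)$"
)


def parse_radius_log(text):
    """Return [(datetime, level, message)] for each parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("level"), m.group("msg")))
    return events


def collapse_repeats(text):
    """Merge consecutive lines with identical level and message into one
    entry carrying a count and the first/last timestamp (syslog's
    "last message repeated N times", applied after the fact)."""
    runs = []
    for ts, level, msg in parse_radius_log(text):
        if runs and runs[-1]["level"] == level and runs[-1]["msg"] == msg:
            runs[-1]["count"] += 1
            runs[-1]["last"] = ts
        else:
            runs.append({"level": level, "msg": msg, "count": 1, "first": ts, "last": ts})
    return runs


def errors_per_minute(text):
    """Count Error-level lines per calendar minute, e.g. {'2007-04-12 09:14': 4}."""
    counts = {}
    for ts, level, _ in parse_radius_log(text):
        if level == "Error":
            key = ts.strftime("%Y-%m-%d %H:%M")
            counts[key] = counts.get(key, 0) + 1
    return counts


def format_runs(runs):
    """Render collapsed runs back into radius.log-style lines."""
    lines = []
    for r in runs:
        suffix = ""
        if r["count"] > 1:
            suffix = f"  [repeated {r['count']} times until {r['last']:%H:%M:%S}]"
        lines.append(f"{r['first']:%a %b %d %H:%M:%S %Y} : {r['level']}: {r['msg']}{suffix}")
    return lines


if __name__ == "__main__":
    for line in format_runs(collapse_repeats(SAMPLE_LOG)):
        print(line)
    print(errors_per_minute(SAMPLE_LOG))
```

Feed it the real log with `collapse_repeats(open("radius.log").read())`; the per-minute counts are what to graph, since a jump from a handful to hundreds of these per minute usually tracks a supplicant rollout or a certificate change rather than a server-side fault.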

Re: Capturing the inner authentication ID for Radius

2006-01-31 Thread CHui
> CHui [EMAIL PROTECTED] wrote:
>> Although it seems to work for me, I am not sure whether the use of
>> attribute Class for tracking user ID would interfere with other operations (like the
>> one attribute Class was originally designed for)?
>
>   It was designed for local sites to do whatever they wanted.  So you're
> doing the right thing.
>
>> Also, the attribute Class is of type Octet.  Does anyone know of a way to
>> convert it to text in SQL?
>
>   Edit the dictionary, and change octets to string.
>
>   Alan DeKok.

Never thought of simply changing the attribute type in the dictionary file.
Works great. Thanks.

I use use_tunneled_reply = yes in eap.conf to capture the user name
inside the tunnel.  I have observed that the Class attribute now
contains both the outer identity and the user name from inside the tunnel.

From the debug output:

Sending Access-Accept of id 170 to 198.128.24.10:1645
Class = SomeoneElse
Cisco-AVPair = ssid=CiscoTestAP
Session-Timeout = 60
Class = chui.guest
MS-MPPE-Recv-Key = 0x...
MS-MPPE-Send-Key = 0x...
EAP-Message = 0x03070004
Message-Authenticator = 0x...
User-Name = SomeoneElse
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 198.128.24.10:1646, id=112, length=262
Acct-Session-Id = 06000204
Called-Station-Id = 0014.a800.44c0
Calling-Station-Id = 0002.2d27.05e2
Cisco-AVPair = ssid=CiscoTestAP
Cisco-AVPair = vlan-id=0
Cisco-AVPair = nas-location=unspecified
User-Name = SomeoneElse
Cisco-AVPair = connect-progress=Call Up
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = 708
NAS-Port = 708
Class = SomeoneElse
Class = chui.guest
Service-Type = Framed-User
NAS-IP-Address = 198.128.24.10
Acct-Delay-Time = 0

In the users file, I have the default entry as follows:

DEFAULT
        Class = "%{User-Name}",
        Fall-Through = No


What should I do to get only the tunnel user name, instead of both, sent as
the reply attribute Class?

Thanks
Cedric

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Capturing the inner authentication ID for Radius accounting

2006-01-27 Thread CHui
I have been looking for a way to maintain accurate wireless access and usage
information for security auditing purposes.  The problem I have is that
wireless network users may choose to provide an alternative identity by
providing an outer identity in the supplicant software, although the user
still needs a legitimate user ID/password to pass the EAP-TTLS
authentication.  So far I could not find a standard way to track the user
identity via RADIUS accounting records.  I did manage to configure
FreeRADIUS to send the inner authentication user ID to the Cisco Aironet
access point (IOS 12.3(7)JA) using the RADIUS attribute Class (ID 25).

For example, in my users file, the following is configured for guest access:

  DEFAULT Hint == "guest", Auth-Type = sql
          Class = "%{User-Name}",
          Session-Timeout = 3600,
          Fall-Through = No

The actual user ID used in the EAP-TTLS authentication is passed to the
Cisco Aironet AP via the Class attribute.  I have observed that both the
RADIUS start and stop records sent by the Cisco Aironet AP contain the
Class attribute with the actual user's ID.  The reason I chose the Class
attribute is that it is the only attribute honored by the Aironet AP in the
Access-Accept message and also included in the RADIUS accounting sent by the
Aironet AP, according to the Cisco IOS Software Configuration Guide for Aironet APs.

Although it seems to work for me, I am not sure whether the use of attribute
Class for tracking user ID would interfere with other operations (like the
one attribute Class was originally designed for)?

Also, the attribute Class is of type Octet.  Does anyone know of a way to
convert it to text in SQL?  I would like to convert it to text before
writing it into the MySQL database, preferably by way of the
accounting_xx_query in the sql.conf file.

Thanks 
Cedric

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Incorrect User-Name in details accounting records

2005-05-19 Thread CHui

I have observed that some of the accounting records in the detail-mmdd
file contain a User-Name value that does not match the LDAP user
name that was used in the 802.1x authentication. The detail entries corresponding
to Mac clients were correct, but the Windows users running SecureW2 were
not. The incorrect accounting records have either "anonymous"
or a user-supplied outer identity (configurable as an EAP type
property via the SecureW2 configuration interface). I am using Cisco
Aironet 1231 and Proxim AP2000. Since the RADIUS accounting start/stop records are
sent by the access point, does it mean that the AP (RADIUS client) uses the outer
identity for RADIUS accounting records? Could this be a
RADIUS client configuration error? Though I don't recall seeing any
configuration options related to the RADIUS client function in the APs. Has anyone
come across a similar situation?

Regards

Cedric
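The three threads above (the Class attribute carrying the tunnelled user name, the octets-to-text conversion, and accounting records whose User-Name is only the outer identity) all come down to reading detail-file records and reconciling User-Name with Class. The Python below is an added example, not code from the posts or from FreeRADIUS. It parses the detail-file layout (a timestamp line followed by indented "attribute = value" lines, records separated by a blank line), decodes a Class written as 0x hex octets into text (the same conversion the post wanted in SQL, done before the row is written), treats a Class value that only echoes User-Name as carrying no new information and whatever remains as the inner identity, and reports the records where the two disagree. The records, user names and MAC addresses are constructed for the example; the NAS address is the one from the debug output on the page.

```python
"""Reconcile User-Name (outer identity) with Class (tunnelled identity)
in FreeRADIUS detail-file accounting records.

Added example; not code from the posts or from FreeRADIUS.
"""
import re

# Constructed detail-file excerpt: one record per blank-line-separated block.
# Record 1: SecureW2-style client, outer "anonymous", Class carries
#           [outer, inner] as 0x hex octets.
# Record 2: Mac client, no separate outer identity.
# Record 3: Class already converted to string via the dictionary edit.
SAMPLE_DETAIL = """\
Fri Jan 27 10:00:00 2006
\tAcct-Session-Id = "06000204"
\tAcct-Status-Type = Start
\tUser-Name = "anonymous"
\tClass = 0x616e6f6e796d6f7573
\tClass = 0x6a646f65
\tCalling-Station-Id = "0002.2d27.05e2"
\tNAS-IP-Address = 198.128.24.10

Fri Jan 27 10:05:00 2006
\tAcct-Session-Id = "06000205"
\tAcct-Status-Type = Start
\tUser-Name = "asmith"
\tClass = 0x61736d697468
\tCalling-Station-Id = "000a.95ab.12cd"
\tNAS-IP-Address = 198.128.24.10

Fri Jan 27 10:07:00 2006
\tAcct-Session-Id = "06000206"
\tAcct-Status-Type = Stop
\tUser-Name = "SomeoneElse"
\tClass = "chui.guest"
\tNAS-IP-Address = 198.128.24.10
"""

ATTR_RE = re.compile(r"^\s*(?P<name>[\w-]+)\s*=\s*(?P<value>.*?)\s*$")


def decode_value(raw):
    """Detail-file value -> text. 0x-hex octets are decoded as UTF-8 (the
    octets-to-string conversion asked about), quoted strings are unquoted,
    anything else (numbers, addresses, enum names) is returned unchanged."""
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:]).decode("utf-8", errors="replace")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_detail(text):
    """Return a list of {'timestamp': str, 'attrs': [(name, value), ...]}.
    attrs is a list, not a dict, because Class (and others) may repeat."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        attrs = []
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                attrs.append((m.group("name"), decode_value(m.group("value"))))
        records.append({"timestamp": lines[0].strip(), "attrs": attrs})
    return records


def values(record, name):
    """All values of one attribute in a record, in order."""
    return [v for n, v in record["attrs"] if n == name]


def audit_identities(text):
    """Per record: the outer identity (User-Name as the NAS sent it), the
    inner identity carried in Class, and whether they disagree."""
    report = []
    for rec in parse_detail(text):
        outer = (values(rec, "User-Name") or [None])[0]
        # A Class value that merely echoes User-Name tells us nothing new;
        # the remaining value (the last one if several) is the tunnelled name.
        candidates = [c for c in values(rec, "Class") if c != outer]
        inner = candidates[-1] if candidates else outer
        report.append({
            "session": (values(rec, "Acct-Session-Id") or [None])[0],
            "status": (values(rec, "Acct-Status-Type") or [None])[0],
            "outer": outer,
            "inner": inner,
            "mismatch": inner != outer,
        })
    return report


if __name__ == "__main__":
    for row in audit_identities(SAMPLE_DETAIL):
        flag = "OUTER-ONLY" if row["mismatch"] else "ok"
        print(f"{row['session']} {row['status']:<5} outer={row['outer']} inner={row['inner']} {flag}")
```

Because Class is opaque to the NAS and simply echoed into accounting (which is the property the posts rely on), anything placed in it is visible to the access point and to whoever reads the accounting stream; it is an audit convenience, not an access control, and the inner identity should only be trusted for records whose Access-Accept you issued.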


Use SecureW2 to support Windows client for ldap bind authentication

2005-05-18 Thread CHui
>> I would like to know if anyone has a workaround to support PEAP (MS-CHAPv2)
>> client access authenticating against an LDAP server with a bind
>> operation.  Currently, retrieving the clear-text password from LDAP is
>> not an option.
>
> No, this is not possible. The only way you can authenticate via LDAP bind is
> using TTLS with PAP as the inner tunnel authentication.
>
> If you do need to use PEAP you will have to add NT/LM hashes to your
> LDAP directory. To do that, extend the schema with Samba objects and
> download the smbldap-tools package. Of course this will involve users
> having to reset their passwords since you can't convert from MD5 to NT/LM.
>
> Vladimir

Since modification of the LDAP schema is not an option and clear-text passwords are off
limits, my only alternative is to seek a Windows EAP client that supports
TTLS-PAP.  The open-source SecureW2 does just that.  It supports TTLS-PAP
and it integrates nicely with the Microsoft 802.1x client.

  http://www.securew2.com/uk/index.htm

Thanks
Cedric


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


peap (ms-chap v2) + ldap bind

2005-05-12 Thread CHui

I would like to know if anyone has a workaround to support PEAP
(MS-CHAPv2) client access authenticating against an LDAP server with a bind operation.
Currently, retrieving the clear-text password from LDAP is not an option.

Thanks

Cedric