Re: Authorize mac addresses with dbm only

2012-03-07 Thread Christoph Litauer
Thanks a lot, works like a charm.

On 06.03.2012 at 18:42, Alan DeKok wrote:

> Christoph Litauer wrote:
>> ... I don't think this is what I need.
> 
>  Yes, it is.
> 
>> I want some kind of requests (the ones including Colubris-AVPair = 
>> "ssid:tsunami") to _only_  be handled by dbm, successful or not. I read your 
>> suggestion as "check against dbm. If successful return, if not check against 
>> ldap"
> 
> $ man unlang
> 
>   if (Colubris-AVPair == "ssid:tsunami") {
>   dbm
>   ...
>   }
>   else {
>   ldap
>   }
> 
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kind regards
Christoph
Christoph Litauer
Uni Koblenz, Computing Centre, Office A 022
Postfach 201602, 56016 Koblenz
Fon: +49 261 287-1311, Fax: -100 1311

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authorize mac addresses with dbm only

2012-03-06 Thread Christoph Litauer
Alan,

thanks for your quick response!

On 06.03.2012 at 16:21, Alan DeKok wrote:

> Christoph Litauer wrote:
>> maybe you can help me with a - probably simple - problem in authorizing wlan 
>> users. I am using freeradius 1.1.7 (on SLES 10sp4).
> 
>  Upgrade to 2.1.12.

Ah, OK. I think I will try that, but ...

> 
>> My working configuration is able to authorize users with modules dbm and 
>> ldap. Dbm is used for mac-authentication, ldap for 802.1x-authentication. 
>> For some reason I need to reduce the number of requests our ldap server(s) 
>> gets. The actual configuration checks a mac address against dbm at first and 
>> then against ldap. I want mac-addresses exclusively checked against dbm.
> 
> 
>  In 2.1.12:
> 
>   dbm
>   if (notfound) {
>   ldap
>   }
> 


... I don't think this is what I need. I want some kind of requests (the ones 
including Colubris-AVPair = "ssid:tsunami") to _only_  be handled by dbm, 
successful or not. I read your suggestion as "check against dbm. If successful 
return, if not check against ldap"

--
Kind regards
Christoph



Authorize mac addresses with dbm only

2012-03-06 Thread Christoph Litauer
Dear freeradius users,

maybe you can help me with a - probably simple - problem in authorizing wlan 
users. I am using freeradius 1.1.7 (on SLES 10sp4).

My working configuration is able to authorize users with modules dbm and ldap. 
Dbm is used for mac-authentication, ldap for 802.1x-authentication. For some 
reason I need to reduce the number of requests our ldap server(s) gets. The 
actual configuration checks a mac address against dbm at first and then against 
ldap. I want mac-addresses exclusively checked against dbm.

I can detect mac-authentication requests using the following hint:

DEFAULT Colubris-AVPair == "ssid=tsunami"
	Hint = "DBM"

Also I inserted a new DEFAULT entry in users:

DEFAULT Hint == DBM
	Fall-Through = 0

Sending the following Radius-Request:
User-Name = 001e52c90573
User-Password = 001e52c90573
Colubris-AVPair = "ssid=tsunami"

results in the attached debug output. As you can see, rlm_dbm is used first 
(with success) but after that, rlm_ldap is used, too. Is it possible to 
configure radius so that mac-address authorizations are checked against dbm 
only (whether successful or not)?

--
Kind regards
Christoph

rad_recv: Access-Request packet from host 141.26.71.252:42454, id=114, length=72
User-Name = "001e52c90573"
User-Password = "001e52c90573"
Colubris-AVPair = "ssid=tsunami"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  hints: Matched DEFAULT at 36
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "001e52c90573", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "001e52c90573"
rlm_realm: Proxying request from user 001e52c90573 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 3
users: Matched entry DEFAULT at line 149
users: Matched entry DEFAULT at line 160
  modcall[authorize]: module "files" returns ok for request 3
rlm_dbm: try open database file: /etc/raddb/wlan 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add 001e52c90573 to user list
sm_parse_user: start parsing: user: 001e52c90573
parse buffer: <> 
rlm_dbm: recod parsed 
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <> 
rlm_dbm: recod parsed 
rlm_dbm: Reply found
Remove 001e52c90573 from user list
  modcall[authorize]: module "dbm" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001e52c90573
radius_xlat:  '(uid=001e52c90573)'
radius_xlat:  'dc=uni-koblenz,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uni-koblenz,dc=de, with filter 
(uid=001e52c90573)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [001e52c90573] (from client test port 0)
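
The routing Alan DeKok describes in this thread, written out as a complete FreeRADIUS 2.1.x `authorize` section; this is an added example, not configuration from the original posts. It assumes the module instances are named `dbm` and `ldap` as in the debug output, and it compares against the value the request above actually carries, `ssid=tsunami` (with `=`), not the `ssid:tsunami` spelling that appears in the replies.

```unlang
#  FreeRADIUS 2.1.x, sites-enabled/default (added example, not the poster's
#  configuration).  Module instance names "dbm" and "ldap" are assumed to
#  match the ones seen in the debug output above.
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	files

	#  In the 1.1.7 setup both backends were listed one after the other, so
	#  "dbm" returning ok did not stop "ldap" from running as well (see the
	#  debug output: dbm "returns ok", then rlm_ldap still searches).  The
	#  branch below picks exactly one backend before either is called.
	#
	#  The comparison must use the value the NAS really sends.  The request
	#  above carries "ssid=tsunami" (with "="); the "ssid:tsunami" spelling
	#  from the replies would never match and every request would go to ldap.
	if (Colubris-AVPair == "ssid=tsunami") {
		#  MAC authentication: dbm only, successful or not.  The LDAP
		#  servers are never contacted for these requests.
		dbm
	}
	else {
		#  802.1X users: ldap only.
		ldap
	}

	#  In 2.x the pap module turns a password found by either backend into
	#  Auth-Type PAP.  A MAC address dbm does not know leaves no Auth-Type,
	#  and the server rejects the request without consulting ldap.
	pap
}
```

With `radiusd -X`, a request that carries `Colubris-AVPair = "ssid=tsunami"` should show `dbm` being called and no `rlm_ldap` lines at all; if `rlm_ldap` still appears for it, the value in the comparison does not match what the NAS sends.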


Re: error authenticating wireless user

2004-10-20 Thread Christoph Litauer
Alan DeKok wrote:
> "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>> Manually adding certificates to 100's of laptops does not sound like my cup
>> of tea.
>
>   Each laptop has to have a copy of the server certificate for PEAP to
> work.  There really isn't any alternative.
>   And because it's Windows, it's difficult to impossible to automate
> the process of adding certificates.
You can't fully automate the import but you can make it easy. Just put 
the certificate in der-format on a webserver (don't forget to add the 
fingerprints!) and tell your windows users to click on that link using 
internet explorer. Anything else is straightforward.

--
Regards
Christoph
________
Christoph Litauer  [EMAIL PROTECTED]
Uni Koblenz, Rechenzentrum,http://www.uni-koblenz.de/~litauer
Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
PGP-Key: http://www.uni-koblenz.de/~litauer/public-key.html


Re: using realm ntdomain fails

2004-10-13 Thread Christoph Litauer
Michael Griego wrote:
> Are you using "with_ntdomain_hack" in the preprocess module?
I tried this, too. The effect was the one I described: I can see my 
username without the domain is added to the users list. But while 
authenticating I get the error message:

rlm_eap: Identity does not match User-Name, setting from EAP Identity.
--
Regards
Christoph


Re: using realm ntdomain fails

2004-10-13 Thread Christoph Litauer
Alan DeKok wrote:
> Christoph Litauer <[EMAIL PROTECTED]> wrote:
>>>  Please read "proxy.conf".
>> Well, reading proxy.conf I found the following section:
>> ...
>
>   The whole purpose of "proxy.conf" is to define realms.  There
> are examples in it of doing exactly what you want.  If you're only
> going to read PART of "proxy.conf", then it would appear you're not
> prepared to solve your problem.
>
>> DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
>
>   Don't set Proxy-To-Realm.  You don't need to.
>   READ "proxy.conf".  ALL OF IT.
>   Hint: look for "bla.com".
>
>> I don't think that "LAPLITAUER\litauer" is a LOCAL realm, is it?
>
>   You said that you wanted the server to handle requests containing
> the realm "LAPLITAUER".  Since you're not proxying it, that makes it a
> local realm.
Seems as if I am a little bit dull-witted ... I still can't get it 
working. And yes, I read lots of manuals, docs, comments in 
configuration files, etc. Sorry for asking again.

I tried several possibilities to ignore the domain-part of the username. 
(realm, hints). This stripped username is added to the user list. But 
every time it should be authenticated, radius complains:

rlm_eap: Identity does not match User-Name, setting from EAP Identity.
... which is correct because e.g. litauer doesn't match ANYDOMAIN\litauer.
Now I wonder if my intended configuration is feasible at all. Alan said 
"yes", so I still believe it is ...

I googled for the error message and found a discussion in this mailing 
list about just my problem, but no solution was given 
(http://www.mail-archive.com/[EMAIL PROTECTED]/msg01274.html).

Any tips are greatly appreciated ...
--
Regards
Christoph



Re: using realm ntdomain fails

2004-10-11 Thread Christoph Litauer
Alan DeKok wrote:
> Christoph Litauer <[EMAIL PROTECTED]> wrote:
>>>  So... did you define that realm in "proxy.conf", or in the "realms"
>>> file?  I'd bet that the answer is "no".
>> Thank you Alan, seems as if I still haven't understood how to handle
>> realms.
>
>   Please read "proxy.conf".
Well, reading proxy.conf I found the following section:
#
#  This realm is used mainly to cancel proxying.  You can have
#  the "realm suffix" module configured to proxy all requests for
#  a realm, and then later cancel the proxying, based on other
#  configuration.
#
#  For example, you want to terminate PEAP or EAP-TTLS locally,
#  you can add the following to the "users" file:
#
#  DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
#
realm LOCAL {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}
As stated I changed my users to:
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
	Fall-Through = 1

DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
[...]
Now my debug log says:
Thread 1 handling request 20, (5 handled so far)
User-Name = "LAPLITAUER\\litauer"
Cisco-AVPair = "ssid=Uni-Koblenz-EAP"
NAS-IP-Address = 141.26.92.10
Called-Station-Id = "004096442c99"
Calling-Station-Id = "000423795461"
NAS-Identifier = "ap-a-e-n"
NAS-Port = 37
Framed-MTU = 1400
State = 0x7bc87798bb2c806d025d128404407406
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x027600261900170301001b540a4e2f3db14854be881c8776f8e5ed30aa22fa98b38394e53fef
Message-Authenticator = 0x6e4556cb40fe7d761ad6ebce4a6a4611
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
  modcall[authorize]: module "preprocess" returns ok for request 20
  modcall[authorize]: module "chap" returns noop for request 20
  modcall[authorize]: module "mschap" returns noop for request 20
rlm_realm: No '@' in User-Name = "LAPLITAUER\litauer", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 20
  rlm_eap: EAP packet type response id 118 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 20
users: Matched DEFAULT at 151
users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns updated for request 20
  WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm! Cancelling invalid proxy request.

I don't think that "LAPLITAUER\litauer" is a LOCAL realm, is it?
Please help ...
--
Regards
Christoph



Re: using realm ntdomain fails

2004-10-11 Thread Christoph Litauer
Alan DeKok wrote:
> Christoph Litauer <[EMAIL PROTECTED]> wrote:
>> I want to use realm ntdomain, but had no success so far. Debug output
>> always says:
>> modcall[authorize]: module "ntdomain" returns noop for request 47
>
>   OK
>
>> rlm_realm: Looking up realm "LAPLITAUER" for User-Name =
>> "LAPLITAUER\litauer"
>> rlm_realm: No such realm "LAPLITAUER"
>
>   So... did you define that realm in "proxy.conf", or in the "realms"
> file?  I'd bet that the answer is "no".
>   Alan DeKok.
Thank you Alan, seems as if I still haven't understood how to handle
realms. So if you please could give a short tip how to handle the
following situation:

I want to authenticate my wlan users via PEAP using ntlm_auth. This
works if the windows users configure an authentication with an empty
domain. I still want users to be able to use their windows logon and
password. Unfortunately this case prefixes the username with the domain
(e.g. LAPLITAUER\litauer). I want to discard the domain part. Is it
possible? Do I have to use realms?

Thanks in advance.
--
Regards
Christoph



Re: using realm ntdomain fails

2004-10-08 Thread Christoph Litauer
Øystein Gåsdal wrote:
> What is realm used for anyway? Is it just for proxying?
> Do we even need to configure that to use ntlm authentication?
Yes, I want to use ntlm_auth with the stripped username (username 
without nt domain).

--
Regards
Christoph



using realm ntdomain fails

2004-10-08 Thread Christoph Litauer
Hi,
I want to use realm ntdomain, but had no success so far. Debug output 
always says:
modcall[authorize]: module "ntdomain" returns noop for request 47

What am I doing wrong? Please help ...
Many thanks in advance!
radius.conf is attached. The relevant part of my debug log is:
rad_recv: Access-Request packet from host 141.26.92.10:1276, id=213, length=212
User-Name = "LAPLITAUER\\litauer"
Cisco-AVPair = "ssid=Uni-Koblenz-EAP"
NAS-IP-Address = 141.26.92.10
Called-Station-Id = "004096442c99"
Calling-Station-Id = "000423795461"
NAS-Identifier = "ap-a-e-n"
NAS-Port = 37
Framed-MTU = 1400
State = 0x02d3d6576ad9e1ab0317238591165914
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x02b500261900170301001b3b902ed4aa01a324bbefc6b4ad5f33165666e1acf66513406e864e
Message-Authenticator = 0xd1baa9b216e1771c5cec6cbb373c63e5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 47
  modcall[authorize]: module "preprocess" returns ok for request 47
rlm_realm: Looking up realm "LAPLITAUER" for User-Name = "LAPLITAUER\litauer"
rlm_realm: No such realm "LAPLITAUER"
  modcall[authorize]: module "ntdomain" returns noop for request 47
  modcall[authorize]: module "chap" returns noop for request 47
  modcall[authorize]: module "mschap" returns noop for request 47
rlm_realm: No '@' in User-Name = "LAPLITAUER\litauer", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 47
  rlm_eap: EAP packet type response id 181 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 47
users: Matched DEFAULT at 151
  modcall[authorize]: module "files" returns ok for request 47
modcall: group authorize returns updated for request 47
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 47
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 47
modcall: group authenticate returns invalid for request 47
auth: Failed to validate the user.

--
Regards
Christoph



Re: EAP-PEAP with pam?

2004-10-05 Thread Christoph Litauer
Alan DeKok wrote:
> Christoph Litauer <[EMAIL PROTECTED]> wrote:
>> Then I will ask from the other point of view: Is it possible to use
>> EAP-PEAP with an authentication method other than cleartext passwords in
>> users?
>
>   Yes.  Clear-text passwords can be stored in any database.
>   Or, NT-Passwords can be stored in any database.
>
>> 	- DES-encrypted passwords via NIS or LDAP
>
>   No.
>
>> 	- Windows domain controller
>
>   Yes, via ntlm_auth.
Will try this. Thanks a lot.
--
Regards
Christoph


Re: EAP-PEAP with pam?

2004-10-05 Thread Christoph Litauer
Alan DeKok wrote:
> Christoph Litauer <[EMAIL PROTECTED]> wrote:
>> after I got my EAP-PEAP working with cleartext passwords in users, I
>> want to configure pam authentication. First question: Is it possible for
>> PEAP?
>
>   No.
Thanks.
Then I will ask from the other point of view: Is it possible to use 
EAP-PEAP with an authentication method other than cleartext passwords in 
users?
What I have is:
	- DES-encrypted passwords via NIS or LDAP
	- Windows domain controller
I would prefer authentication against the NIS passwords.
And if it's not too much: How do I configure radius for one of these?

Thanks in advance.
--
Regards
Christoph


EAP-PEAP with pam?

2004-10-05 Thread Christoph Litauer
Hi,
after I got my EAP-PEAP working with cleartext passwords in users, I 
want to configure pam authentication. First question: Is it possible for 
PEAP? Second question: How do I configure radius (1.0.1) with pam 
support? doc/rlm_pam reads:

   Compile and install freeradius with pam support (./configure --help
   will tell you how)
But configure --help doesn't tell me anything about pam ...
Thanks in advance!
--
Regards
Christoph



WEP key rotation

2004-10-05 Thread Christoph Litauer
Hi,
I want to use automatic wep key rotation using an EAP-TLS setup. My NAS 
(Cisco AP 340) supports an option named "Broadcast WEP Key rotation 
interval (sec)". Setting this value to 300 I expected that my radius 
debug log reports new requests every 5 minutes. But I can see no 
requests at all (except for the first EAP-TLS authentication).

I am a newbie to radius, so I wonder if I should see those 
"rotation-requests"?

--
Regards
Christoph Litauer


Howto for EAP-TTLS/PEAP?

2004-10-03 Thread Christoph Litauer
Hi,
I want to setup EAP-TTLS/PEAP for my wlan. I can find lots of howtos for 
setting up EAP-TLS with freeradius. But is there any howto for EAP-TTLS 
or PEAP?

--
Regards
Christoph
