RE: PEAP Inner-tunnel can't match a user in the users file with some check attributes
Absolutely no excuse... I should have read about it... Next time I will read more carefully. Anyway everything works now! Thank you very much Alan DeKok!

Difan

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: November-19-11 1:37 AM
To: FreeRadius users mailing list
Subject: Re: PEAP Inner-tunnel can't match a user in the users file with some check attributes

Difan Zhao wrote:
> I have an issue that whenever I have check attributes such as NAS-IP-Address or NAS-Port-Type, my PEAP fails…

Read raddb/eap.conf. Look for copy_request_to_tunnel

> Everything works once I removed *NAS-IP-Address == 10.143.115.14*. However I do need to check against from which switch/NAS the request is coming… It seems that those attributes are outside of the “tunnel”. How can I copy them into the “tunnel” (does this make sense to you guys)??

Read the configuration files. This is documented.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Can I group users in the users file like in the SQL database?
Alan, thank you so much for your help, not only on this one but on all the others as well!

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: March-04-11 2:00 AM
To: FreeRadius users mailing list
Subject: Re: Can I group users in the users file like in the SQL database?

Difan Zhao wrote:
> Another quick question: Can I group users in the users file and assign the group reply attributes instead of to each individual user?

No. See man rlm_passwd for examples of creating server-side groups.

Alan DeKok.
FW: Use Hint file to proxy
Hi Alan DeKok or anyone,

I haven't got a reply on this one yet... I was able to do it before but not anymore... I'm really curious to know why... Thank you!

Difan

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Difan Zhao
Sent: March-02-11 9:01 AM
To: FreeRadius users mailing list
Subject: Use Hint file to proxy

Hi experts,

Long time no talk! I have another dilemma. For some reasons I want to try to use the hints file to do proxying (the normal way of configuring a realm and the proxy.conf file works). So the following is my config:

=== hints ===
DEFAULT User-Name =~ ^host\/.*\.gtcorp\.com$
        Hint = Marriott

=== users ===
DEFAULT Hint == Marriott, Proxy-To-Realm := ~\.gtcorp\.com$

=== proxy.conf ===
realm ~\.gtcorp\.com$ {
        nostrip
        auth_pool = Marriott_Auth_Pool
        acct_pool = Marriott_Acct_Pool
}

== module/realm ==
realm Marriott {
        format = suffix
        delimiter = /
}

Then I commented out the Marriott realm in the authorize section in the default server so the settings in the realm file shouldn't do anything.

== sites-available/default ==
authorize {
        ...
        # Marriott
        ...
}

In the radius -X log I do see the requests are sent to the proxy server but I also see the following abnormal logs. The complete log is also attached.

[eap] No pre-existing handler found
...
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.

So is it possible to use the hints file to do proxying, or am I totally out of my mind?? If it's possible, where could I have gone wrong? Thanks a lot!
Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer
T: 403-509-1010 ext 3048 | M: 403-689-7514 | F: 403.509.1011
difan.z...@guest-tek.com | www.guest-tek.com

The contents of this email are confidential and intended for the recipient only. If you have received this email in error, please notify us, and destroy all copies.
Cleartext-Password := %{User-Name} in the users file. Possible?
Hi experts,

I want to try another way to authenticate devices by their MAC addresses. I don't really care about the security and am just trying to make the configuration easy. Here is my configuration:

= hints =
DEFAULT User-Name =~ 001422.*
        Hint = STB

= users =
DEFAULT Hint == STB, Cleartext-Password := %{User-Name}

Then I use the radtest program to test the setup and it failed...

radtest 00142211 00142211 localhost 1812 test123

Both lines in the hints and users files are matched based on the radius -X output. However the password in the check attribute is not replaced with the username... Please help, thanks! Here is the radius -X output:

rad_recv: Access-Request packet from host 127.0.0.1 port 16011, id=123, length=64
        User-Name = 00142211
        User-Password = 00142211
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
[preprocess]    expand: %{User-Name} -> 00142211
[preprocess] hints: Matched DEFAULT at 1
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Marriott] No '/' in User-Name = 00142211, looking up realm NULL
[Marriott] No such realm NULL
++[Marriott] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password 00142211
[pap] Using clear text password %{User-Name}
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [00142211/00142211] (from client 127.0.0.1/32 port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 00142211
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 123 to 127.0.0.1 port 16011
Waking up in 4.9 seconds.
RE: Cleartext-Password := %{User-Name} in the users file. Possible?
Thanks Phil! It works! It definitely fits what I need! However, just being curious, why won't my setting work? Thanks!

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Phil Mayers
Sent: March-03-11 9:16 AM
To: FreeRadius users mailing list
Subject: Re: Cleartext-Password := %{User-Name} in the users file. Possible?

On 03/03/11 16:10, Difan Zhao wrote:
> Hi experts,
>
> I want to try another way to authenticate devices by their MAC addresses. I don't really care about the security and am just trying to make the configuration easy. Here is my configuration:
>
> = hints =
> DEFAULT User-Name =~ 001422.*
>         Hint = STB
>
> = users =
> DEFAULT Hint == STB, Cleartext-Password := %{User-Name}

Why bother with a password at all?

DEFAULT Hint == STB, Auth-Type := Accept
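An added illustration (my own Python model, not FreeRADIUS code) of the two rlm_files behaviours that bit this thread and the PEAP inner-tunnel thread above. First, check items are compared against the request the current virtual server actually sees, so a NAS-IP-Address check in the PEAP inner tunnel only matches once eap.conf's copy_request_to_tunnel has copied the outer attributes in. Second, check items on an entry's first line are stored exactly as written, so `Cleartext-Password := %{User-Name}` is the literal string `%{User-Name}` that PAP then compares with the password the client sent, which is what the debug output above shows. The entries, attribute values and the `inner_tunnel_request` helper are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# One "attr op value" item; the value is quoted or runs to the next comma/space.
ITEM_RE = re.compile(r'([\w-]+(?::\d+)?)\s*(==|=~|:=|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str            # "DEFAULT" or a literal User-Name
    check: list          # [(attr, op, value), ...] from the entry's first line
    reply: dict = field(default_factory=dict)   # indented continuation lines


def parse_users(text):
    """Parse users-file syntax: an unindented line starts an entry, indented
    lines are its reply items. Values are kept exactly as written."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            attr, _op, val = ITEM_RE.search(raw).groups()
            entries[-1].reply[attr] = val.strip('"')
            continue
        name, rest = re.match(r"(\S+)\s*(.*)", raw).groups()
        check = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(rest)]
        entries.append(Entry(name, check))
    return entries


def entry_matches(entry, request):
    """Return the control items the entry sets, or None if a check item fails.
    ':=' / '=' store the string verbatim: there is no %{...} expansion here,
    which is why Cleartext-Password := %{User-Name} never equals the password."""
    control = {}
    for attr, op, val in entry.check:
        if op in (":=", "="):
            control[attr] = val
        elif op == "==" and request.get(attr) != val:
            return None            # an absent attribute also fails the check
        elif op == "=~" and (attr not in request or not re.search(val, request[attr])):
            return None
    return control


def authorize(entries, request):
    """First matching entry wins (Fall-Through is ignored in this model);
    None stands for rlm_files returning 'notfound'."""
    for entry in entries:
        if entry.name not in ("DEFAULT", request.get("User-Name")):
            continue
        control = entry_matches(entry, request)
        if control is not None:
            return control, dict(entry.reply)
    return None


def inner_tunnel_request(outer, inner, copy_request_to_tunnel):
    """Model (constructed helper) of what the inner-tunnel virtual server sees
    for PEAP: only the tunnelled attributes, plus, when eap.conf has
    copy_request_to_tunnel = yes, any outer attribute the inner request lacks."""
    request = dict(inner)
    if copy_request_to_tunnel:
        for attr, val in outer.items():
            if attr not in ("EAP-Message", "Message-Authenticator", "State"):
                request.setdefault(attr, val)
    return request


# Constructed entries modelled on the ones posted in these two threads.
USERS = parse_users("""
DEFAULT NAS-IP-Address == 10.143.115.14, Auth-Type := ntlm_auth
        Tunnel-Type = VLAN
DEFAULT Hint == STB, Cleartext-Password := %{User-Name}
""")
USERS_ACCEPT = parse_users("DEFAULT Hint == STB, Auth-Type := Accept\n")


def peap_scenarios():
    """(result without copy_request_to_tunnel, result with it) for one PEAP request."""
    outer = {"User-Name": "host/NetEng-D410.gtcorp.com", "NAS-IP-Address": "10.143.115.14",
             "NAS-Port-Type": "Ethernet", "EAP-Message": "0x0201", "State": "0x1c55"}
    inner = {"User-Name": "host/NetEng-D410.gtcorp.com", "EAP-Message": "0x0201"}
    return (authorize(USERS, inner_tunnel_request(outer, inner, False)),
            authorize(USERS, inner_tunnel_request(outer, inner, True)))


def mac_scenario(entries):
    """(control items, would a PAP comparison succeed) for the MAC-as-password request."""
    request = {"User-Name": "00142211", "User-Password": "00142211", "Hint": "STB"}
    control, _reply = authorize(entries, request)
    pap_ok = control.get("Cleartext-Password") == request["User-Password"]
    return control, pap_ok


if __name__ == "__main__":
    print(peap_scenarios())
    print(mac_scenario(USERS))
    print(mac_scenario(USERS_ACCEPT))
```

Without the copy, the inner request carries neither NAS-IP-Address nor Hint, so neither entry matches and the module returns notfound; with the copy the first entry matches and its VLAN reply applies. The Auth-Type := Accept entry Phil suggests sidesteps the password comparison entirely, which is why it works and also why the switch port and NAS checks become the only thing standing between a spoofed MAC address and network access.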
Can I group users in the users file like in the SQL database?
Hi experts,

Another quick question: Can I group users in the users file and assign the group reply attributes instead of to each individual user? I tried the following config but failed (which may be complete nonsense)...

test    Cleartext-Password := test
        Group := abc
        Fall-Through = yes

abc
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 851
        Tunnel-Preference:0 = 0

Thanks!
How to add attributes on the reply from the home server
Hi guys,

Sorry for so many questions... Everything was working fine until I was told not to use the SQL DB but the users file instead... That's why I started to have all these questions...

Anyway, I need to proxy some requests to a remote home server. I also need to assign the users to specific VLANs (with some attributes) if they are successfully authenticated by the remote home server. When I was using SQL, Alan told me to uncomment sql.authorize in the post-auth section in the sites-available/default server configuration. Now I have to use the users file. Is there a way to achieve the same result? Right now my server just forwards the Access-Accept to the switch and ignores all the VLAN attributes associated with the username set in my users file... Please help! Thanks!
Use Hint file to proxy
Hi experts,

Long time no talk! I have another dilemma. For some reasons I want to try to use the hints file to do proxying (the normal way of configuring a realm and the proxy.conf file works). So the following is my config:

=== hints ===
DEFAULT User-Name =~ ^host\/.*\.gtcorp\.com$
        Hint = Marriott

=== users ===
DEFAULT Hint == Marriott, Proxy-To-Realm := ~\.gtcorp\.com$

=== proxy.conf ===
realm ~\.gtcorp\.com$ {
        nostrip
        auth_pool = Marriott_Auth_Pool
        acct_pool = Marriott_Acct_Pool
}

== module/realm ==
realm Marriott {
        format = suffix
        delimiter = /
}

Then I commented out the Marriott realm in the authorize section in the default server so the settings in the realm file shouldn't do anything.

== sites-available/default ==
authorize {
        ...
        # Marriott
        ...
}

In the radius -X log I do see the requests are sent to the proxy server but I also see the following abnormal logs. The complete log is also attached.

[eap] No pre-existing handler found
...
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.

So is it possible to use the hints file to do proxying, or am I totally out of my mind?? If it's possible, where could I have gone wrong? Thanks a lot!
rad_recv: Access-Request packet from host 10.143.115.6 port 1645, id=163, length=194
        User-Name = host/NetEng-D410.gtcorp.com
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = AC-A0-16-0E-9E-11
        Calling-Station-Id = 00-14-22-FD-DD-98
        EAP-Message = 0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
        Message-Authenticator = 0x47efeb7485cf2f710b658ba828be5735
        NAS-Port-Type = Ethernet
        NAS-Port = 50117
        NAS-Port-Id = GigabitEthernet1/0/17
        NAS-IP-Address = 10.143.115.6
+- entering group authorize {...}
[preprocess]    expand: %{User-Name} -> host/NetEng-D410.gtcorp.com
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 32
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty section. Using default return values.
Sending Access-Request of id 218 to 10.26.105.105 port 1812
        User-Name = host/NetEng-D410.gtcorp.com
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = AC-A0-16-0E-9E-11
        Calling-Station-Id = 00-14-22-FD-DD-98
        EAP-Message = 0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
        Message-Authenticator = 0x
        NAS-Port-Type = Ethernet
        NAS-Port = 50117
        NAS-Port-Id = GigabitEthernet1/0/17
        NAS-IP-Address = 10.143.115.6
        Proxy-State = 0x313633
Proxying request 0 to home server 10.26.105.105 port 1812
Sending Access-Request of id 218 to 10.26.105.105 port 1812
        User-Name = host/NetEng-D410.gtcorp.com
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = AC-A0-16-0E-9E-11
        Calling-Station-Id = 00-14-22-FD-DD-98
        EAP-Message = 0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
        Message-Authenticator = 0x
        NAS-Port-Type = Ethernet
        NAS-Port = 50117
        NAS-Port-Id = GigabitEthernet1/0/17
        NAS-IP-Address = 10.143.115.6
        Proxy-State = 0x313633
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Challenge packet from host 10.26.105.105 port 1812, id=218, length=69
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x7abdaa6fe15ef1c04eef592da305896a
        State = 0x1c559d961c578475dc9c2542f1f8a48c
        Proxy-State = 0x313633
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Sending Access-Challenge of id 163 to 10.143.115.6 port 1645
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State
radius.log records individual client IP. Possible??
Hi experts,

I'm wondering if it's possible for the radius.log file to show the NAS IP instead of the client name (which is an IP range in my case). Currently the log looks like:

Thu Jan 27 11:53:15 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] (from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)

It'd be ideal if it could show the IP of the NAS where the request is coming from. I know I could configure the clients file with an individual IP for each client instead of the entire subnet. However, I'm just wondering if there is an easy switch to turn it on lol. Thanks!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc.
Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514
www.guest-tek.com
INTERNET | MEDIA | VOICE
How to configure proxy server to send a copy of acct to remote/home server
Dear experts,

I configured my Freeradius2.1.7 server to be a proxy server which will forward the PEAP authentication packages to a remote server. The authentication part works great. I configured my switch to send accounting information to the proxy server. The proxy server is using MySQL to store the acct info. This part works fine too. However, I'm requested to also send a copy of the acct info to the remote server... I'm still checking my switch (Cisco) to see if it can send two copies of the acct info to two different servers at the same time. However, is it possible to make FreeRadius automatically forward a copy to the remote server?? Thanks!
RE: After server rebuild the PEAP against Windows AD is not working any more!
Hi Alan,

Thank you for the info! I downgraded the samba to 3.0.33 and it works fine now!

Thanks,
Difan

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: September-11-10 12:18 AM
To: FreeRadius users mailing list
Subject: Re: After server rebuild the PEAP against Windows AD is not working any more!

Difan Zhao wrote:
> I'm getting really frustrated on this... I had the server rebuilt with RHEL 5 and FreeRadius2.1.7. It was running RHEL 4 with FreeRadius2.1.6. It looks like the server will send the last challenge and the client won't reply anymore...

If you're using Samba, it's a samba bug. See the comments in eap.conf.

Alan DeKok.
After server rebuild the PEAP against Windows AD is not working any more!
Hi experts,

I'm getting really frustrated on this... I had the server rebuilt with RHEL 5 and FreeRadius2.1.7. It was running RHEL 4 with FreeRadius2.1.6. It looks like the server will send the last challenge and the client won't reply anymore... The ntlm_auth part should be working right, because when I do

radtest 'gtcorp\\dzhao' password localhost 0 test123

it works fine...

Sending Access-Request of id 119 to 127.0.0.1 port 1812
        User-Name = gtcorp\\dzhao
        User-Password = password
        NAS-IP-Address = 10.26.105.105
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=119, length=41
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 3
        Tunnel-Preference:0 = 0

However it's not working when I have a laptop plugged in doing PEAP/802.1x with the same user account... The debug output is attached. Please help!! Thanks!!!
rad_recv: Access-Request packet from host 207.230.255.43 port 1645, id=125, length=158
        User-Name = GTCORP\\dzhao
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = EC-30-91-AD-28-82
        Calling-Station-Id = 00-11-43-FE-80-19
        EAP-Message = 0x02010011014754434f52505c647a68616f
        Message-Authenticator = 0x2ed3d2e16385e7d5226183633663f17c
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = FastEthernet0/2
        NAS-IP-Address = 172.17.254.60
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = GTCORP\dzhao, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} -> GTCORP\dzhao
[sql] sql_set_user escaped user --> 'GTCORP\dzhao'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'GTCORP=5Cdzhao' ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'GTCORP=5Cdzhao' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'GTCORP=5Cdzhao' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 125 to 207.230.255.43 port 1645
        Tunnel-Type:0 := VLAN
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Private-Group-Id:0 := 3
        Tunnel-Preference:0 := 0
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xc5d7c069c5d5d925bfc9a54021651b76
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 207.230.255.43 port 1645, id=126, length=246
        User-Name = GTCORP\\dzhao
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = EC-30-91-AD-28-82
        Calling-Station-Id = 00-11-43-FE-80-19
        EAP-Message = 0x020200571980004d1603010048014403014c8aa8c3bb5003761e89606041e23e7cdc1ae7d698dcd04f60a27241ada1d2c51600040005000a000900640062000300060013001200630105ff01000100
        Message-Authenticator = 0xdbc118e3fce352d35a250a534014091f
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = FastEthernet0/2
        State = 0xc5d7c069c5d5d925bfc9a54021651b76
        NAS-IP-Address = 172.17.254.60
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap
RE: Wildcard in realm name? possible??
Hi Alan,

Thank you for the quick response! I read it again and tried, and this one worked!!

realm ~\.gtcorp\.com

However, I did try the one which has the same syntax as the example in the proxy.conf file:

realm ~*\\.gtcorp\\.com$

radiusd -X can't start and I got this:

realm ~*\.gtcorp\.com$ {
/etc/raddb/proxy.conf[33]: Invalid regex in realm ~*\.gtcorp\.com$
}
# realm ~*\.gtcorp\.com$

I tried many other syntaxes and I found that I can't put ~ and * together, and if I do the process won't start... I guess my problem is solved! This is just FYI! Thanks again for your help!

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: September-09-10 4:16 AM
To: FreeRadius users mailing list
Subject: Re: Wildcard in realm name? possible??

Difan Zhao wrote:
> So I guess my first question is that, is it possible to have wildcard (e.g. *) in the realm name?

Read raddb/proxy.conf. Look for regex

> realm *~*.gtcorp.com* {

That isn't the correct syntax. Go back and read the example in proxy.conf again.

Alan DeKok.
Wildcard in realm name? possible??
Dear developers/experts,

I haven't bugged you guys for too long, so I decided to come back with a strange question so you know that I'm still your loyal user.

I need to proxy requests with the following username pattern to a remote server:

host/PC name.gtcorp.com

This is what the username looks like when the Windows PC is doing PEAP using the PC's name instead of the actual user's username. Don't know why, but it seems strange! So I guess my first question is: is it possible to have a wildcard (e.g. *) in the realm name? I did read all the docs I could possibly find and I tested the configs as well, but I couldn't get it to work... Here is the debug while I'm testing with the radtest program. As you can see, it always matches the DEFAULT realm but not the *.gtcorp.com that I defined... I'm using 2.1.6 on RHEL4. So! Help help!

[r...@ne_ovi ~]# radtest 'host/difan.gtcorp.com' localhost 0 test123
Sending Access-Request of id 163 to 127.0.0.1 port 1812
        User-Name = host/difan.gtcorp.com
        User-Password =
        NAS-IP-Address = 66.150.161.140
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=163, length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 15676, id=163, length=73
        User-Name = host/difan.gtcorp.com
        User-Password =
        NAS-IP-Address = 66.150.161.140
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[GTCORP] Looking up realm difan.gtcorp.com for User-Name = host/difan.gtcorp.com
[GTCORP] Found realm DEFAULT
[GTCORP] Adding Realm = DEFAULT
[GTCORP] Proxying request from user host to realm DEFAULT
[GTCORP] Preparing to proxy authentication request to realm DEFAULT
++[GTCORP] returns updated
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
...
The following are my relevant configs:

== /etc/raddb/proxy.conf (I did try many other realm names such as *.gtcorp.com as well) ==

proxy server {
        default_fallback = no
}

###
home_server GTK_Radius_Auth {
        type = auth
        ipaddr = 1.1.1.1
        port = 1812
        secret =
}
home_server GTK_Radius_Acct {
        type = acct
        ipaddr = 1.1.1.1
        port = 1813
        secret =
}
home_server_pool GTK_Radius_Auth_Pool {
        type = fail-over
        home_server = GTK_Radius_Auth
}
home_server_pool GTK_Radius_Acct_Pool {
        type = fail-over
        home_server = GTK_Radius_Acct
}
realm ~*.gtcorp.com {
        nostrip
        auth_pool = GTK_Radius_Auth_Pool
        acct_pool = GTK_Radius_Acct_Pool
}
#
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like bob will match this one.
#
realm NULL {
        nostrip
        auth_pool = GTK_Radius_Auth_Pool
        acct_pool = GTK_Radius_Acct_Pool
}
#
# This realm is for ALL OTHER requests.
#
realm DEFAULT {
        nostrip
        auth_pool = GTK_Radius_Auth_Pool
        acct_pool = GTK_Radius_Acct_Pool
}

=== /etc/raddb/modules/realm ===
realm GTCORP {
        format = suffix
        delimiter = /
}

== /etc/raddb/sites-available/default ==
...
authorize {
        preprocess
        chap
        mschap
        GTCORP
        suffix
        ...
}

Thanks!!
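An added example (my own Python model, not FreeRADIUS code) of the realm resolution that the debug log above and Alan's reply describe: rlm_realm with format = suffix and delimiter = / splits host/difan.gtcorp.com into the user host and the realm difan.gtcorp.com, and the realm lookup then tries an exact name, the ~-prefixed regex realms, and finally DEFAULT. It shows why the literal *.gtcorp.com is never found (it is a glob, compared as an exact string, so every request falls through to DEFAULT as in the log), why ~\.gtcorp\.com matches, and why ~* fails: the * right after ~ is a quantifier with nothing to repeat, and .* is the "anything before" that was meant. Going one step beyond the thread, it also shows what the $ anchor buys: without it the regex matches any longer suffix such as pc.gtcorp.com.example.net, and those requests would be proxied to the same home server. The lookup order is modelled from memory of the 2.x server; the realm lists and user names are constructed.

```python
import re

# Modelled on rlm_realm (format = suffix, delimiter = "/") and the proxy.conf
# realm lookup of the 2.x server; an added illustration, not FreeRADIUS code.


def split_user_name(user_name, delimiter="/", fmt="suffix"):
    """Split User-Name into (user, realm). No delimiter -> realm None, which
    rlm_realm reports as 'looking up realm NULL'."""
    if delimiter not in user_name:
        return user_name, None
    if fmt == "suffix":
        user, _, realm = user_name.rpartition(delimiter)
    else:                                   # prefix: the realm comes first
        realm, _, user = user_name.partition(delimiter)
    return user, realm


def find_realm(realm_names, realm):
    """Lookup order as modelled here: exact (case-insensitive) name, then the
    '~' regex realms in file order (unanchored search), then DEFAULT."""
    wanted = "NULL" if realm is None else realm
    for name in realm_names:
        if not name.startswith("~") and name.lower() == wanted.lower():
            return name
    for name in realm_names:
        if name.startswith("~") and re.search(name[1:], wanted, re.IGNORECASE):
            return name
    return "DEFAULT" if "DEFAULT" in realm_names else None


def regex_realm_error(realm_name):
    """Compile a '~' realm as a regex, as the server must before using it.
    Returns the error text, or None if it compiles."""
    if not realm_name.startswith("~"):
        return None
    try:
        re.compile(realm_name[1:])
    except re.error as exc:
        return str(exc)
    return None


def resolve(user_name, realm_names, delimiter="/"):
    """(user, realm part of the name, realm chosen) for one request."""
    user, realm = split_user_name(user_name, delimiter)
    return user, realm, find_realm(realm_names, realm)


# Constructed realm lists: the glob from the original proxy.conf, the anchored
# regex that worked, and an unanchored variant to show what the $ buys.
GLOB_REALMS = ["*.gtcorp.com", "NULL", "DEFAULT"]
ANCHORED_REALMS = [r"~\.gtcorp\.com$", "NULL", "DEFAULT"]
UNANCHORED_REALMS = [r"~\.gtcorp\.com", "NULL", "DEFAULT"]

if __name__ == "__main__":
    for realms in (GLOB_REALMS, ANCHORED_REALMS, UNANCHORED_REALMS):
        print(resolve("host/difan.gtcorp.com", realms),
              resolve("host/pc.gtcorp.com.example.net", realms),
              resolve("bob", realms))
    print(regex_realm_error(r"~*\.gtcorp\.com$"))   # nothing to repeat
    print(regex_realm_error(r"~.*\.gtcorp\.com$"))  # None: the intended spelling
```

The practical check before reloading a regex realm is the same one `regex_realm_error` performs: compile the part after ~ on its own. A realm that decides where credentials get proxied should be anchored at the end, as the working ~\.gtcorp\.com$ from the hints-file thread is.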
Freeradius 2.1.6: \ in %{SQL-User-Name}
Good morning guys!

I asked a question earlier but haven't heard back a reply yet... I guess I am not supposed to include the question in the answer to another question lol. So here is the question again:

I am using my Freeradius 2.1.6 to do PEAP for Windows XP clients. The usernames are in the format 'Domain_name\username'. I am using postgresql and my safe-characters in dialup.conf is set to:

safe-characters = \...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_: /

My radcheck table looks like:

 id |   username   | attribute | op |   value
  4 | GTCORP\dzhao | Auth-Type | =  | ntlm_auth

When I try to authenticate, in the debug, I see this:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'GTCORP\dzhao' ORDER BY id

However, this query returns nothing from the postgresql DB because the DB treats the \ as an escape character. In order to test, I added another entry in the table:

 11 | GTCORPdzhao | Auth-Type | = | ntlm_auth

And the query worked and found it. I also tried the following query in PostgreSQL and it found the original entry successfully...

select * from radcheck where username = 'GTCORP\\dzhao'

I am wondering if there is a setting to automatically add another \ in the %{SQL-User-Name} if there is already a \ in it?? Thanks!
RE: Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB
Sorry guys... I need to change my question a little bit! Please ignore my last emails.

I am using my Freeradius 2.1.6 to do PEAP for Windows XP clients. The usernames are in the format 'Domain_name\username'. I am using postgresql and my safe-characters in the dialup.conf is set to:

safe-characters = \...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_: /

My radcheck table looks like:

 id |   username   | attribute | op |   value
----+--------------+-----------+----+-----------
  4 | GTCORP\dzhao | Auth-Type | =  | ntlm_auth

When I try to authenticate, in the debug, I see this:

[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'GTCORP\dzhao' ORDER BY id

However this query returns nothing from the postgresql DB because the DB treats the \ as an escape character. In order to test I added another entry in the table:

 11 | GTCORPdzhao  | Auth-Type | =  | ntlm_auth

And the query worked and found it. I also tried a query on the DB and this one found the original entry successfully...

select * from radcheck where username = 'GTCORP\\dzhao'

I am wondering if there is a setting to automatically add another \ in the %{SQL-User-Name} if there is already a \ in it??

Thanks!

Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Difan Zhao
Sent: Wednesday, May 05, 2010 12:21 PM
To: FreeRadius users mailing list
Subject: RE: Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

Thank you very much Alan! I added the $ in the safe-characters and it works great now. However I also added \ but it doesn't seem to work... My FreeRadius is also set up to handle PEAP for Windows XP PCs and they use the domain\username format.

In debug I see:

[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'GTCORP=5Cdzhao' ORDER BY id

As you can see the username GTCORP\dzhao becomes GTCORP=5Cdzhao... I do have \ in the safe-character list:

safe-characters = \...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_: /

Any ideas? Thank you!

Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Wednesday, May 05, 2010 1:53 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

Difan Zhao wrote:
> And it doesn't work. Then I am checking the debug and I found that the $ in the username was interpreted to something like =24:

  Read raddb/sql/postgresql/dialup.conf, and look for safe-characters

  Alan DeKok.
RE: Freeradius 2.1.6: Store Cisco device enable password inPostgresql DB
Thank you very much Alan! I added the $ in the safe-characters and it works great now. However I also added \ but it doesn't seem to work... My FreeRadius is also set up to handle PEAP for Windows XP PCs and they use the domain\username format.

In debug I see:

[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'GTCORP=5Cdzhao' ORDER BY id

As you can see the username GTCORP\dzhao becomes GTCORP=5Cdzhao... I do have \ in the safe-character list:

safe-characters = \...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_: /

Any ideas? Thank you!

Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Wednesday, May 05, 2010 1:53 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

Difan Zhao wrote:
> And it doesn't work. Then I am checking the debug and I found that the $ in the username was interpreted to something like =24:

  Read raddb/sql/postgresql/dialup.conf, and look for safe-characters

  Alan DeKok.
Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB
Hey guys,

This should be a quick one. When I enable on a Cisco device, it sends a request with username $enab15$.

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=92, length=84
        NAS-IP-Address = 172.17.254.100
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = $enab15$
        Calling-Station-Id = 172.17.1.1
        User-Password = password
        Service-Type = Administrative-User

I used to store the username and password in the users file and it was working fine:

$enab15$        Cleartext-Password := password

Now I am trying to move this user from the file to the postgresql DB and my radcheck table looks like:

radius=# select * from radcheck;
 id | username |     attribute      | op |  value
----+----------+--------------------+----+----------
  1 | $enab15$ | Cleartext-Password | := | password

And it doesn't work. Then I am checking the debug and I found that the $ in the username was interpreted to something like =24:

[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '=24enab15=24' ORDER BY id

Then I changed the username to this =24enab15=24 and now it works. I am just curious how freeradius or %{SQL-User-Name} treats special characters in the username... Is there a way to treat them AS-IS?

Thank you!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc.
www.guest-tek.com
Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514
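The three messages above (the $enab15$ user, the GTCORP\dzhao user with and without \ in safe-characters) are all one mechanism, so here is one added example that is not part of the thread and not FreeRADIUS or PostgreSQL code. It re-implements the documented rlm_sql safe-characters rule (every character not in the list is replaced by "=XX", the two-digit upper-case hex of the byte) and a deliberately simplified model of how a PostgreSQL '...' literal is read with standard_conforming_strings on or off, so the '=24enab15=24' and 'GTCORP=5Cdzhao' expansions and the "row 11 matched instead of row 4" observation can be reproduced offline. DEFAULT_SAFE is assumed to be the stock list shipped in raddb/sql/postgresql/dialup.conf (verify against your copy); the radcheck rows are constructed from the tables quoted in the thread.

```python
# Model of how FreeRADIUS 2.x rlm_sql expands %{SQL-User-Name} and how
# PostgreSQL then reads the resulting string literal. Added example; the
# escaping rule and the PostgreSQL literal rules are re-implemented here,
# not imported from either project.

# Assumed to match the stock safe-characters in raddb/sql/postgresql/dialup.conf
DEFAULT_SAFE = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

# radcheck rows constructed from the tables quoted in the thread: (id, username)
RADCHECK = [(1, "$enab15$"), (4, "GTCORP\\dzhao"), (11, "GTCORPdzhao")]

_C_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def sql_escape(value: str, safe_characters: str = DEFAULT_SAFE) -> str:
    """Expand a User-Name the way %{SQL-User-Name} does: keep characters in the
    safe list, hex-escape everything else as =XX (one escape per UTF-8 byte)."""
    out = []
    for ch in value:
        if ch in safe_characters:
            out.append(ch)
        else:
            out.append("".join(f"={b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def pg_parse_literal(body: str, standard_conforming_strings: bool) -> str:
    """Interpret the body of a PostgreSQL '...' literal.

    With standard_conforming_strings = on (the default since PostgreSQL 9.1) a
    backslash is an ordinary character. With it off, which is the behaviour the
    thread describes, the body is read with C-style escapes: a doubled backslash
    yields one backslash and backslash followed by 'd' yields just 'd'. Octal and
    hex escapes are left out of this model; no username here needs them.
    """
    if standard_conforming_strings:
        return body
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(_C_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def pg_quote_backslashes(value: str) -> str:
    """Double backslashes so a legacy (escape-processing) literal round-trips."""
    return value.replace("\\", "\\\\")


def matching_ids(username: str, safe_characters: str = DEFAULT_SAFE,
                 standard_conforming_strings: bool = False,
                 radcheck=RADCHECK) -> list:
    """Return the radcheck ids the generated query would hit for this User-Name."""
    literal = sql_escape(username, safe_characters)                    # what FreeRADIUS puts between the quotes
    compared = pg_parse_literal(literal, standard_conforming_strings)  # what PostgreSQL actually compares
    return [row_id for row_id, stored in radcheck if stored == compared]


if __name__ == "__main__":
    print(sql_escape("$enab15$"))                                     # =24enab15=24
    print(sql_escape("GTCORP\\dzhao"))                                 # GTCORP=5Cdzhao
    print(matching_ids("GTCORP\\dzhao", DEFAULT_SAFE + "\\$"))         # [11]: the \ was consumed as an escape
    print(matching_ids("GTCORP\\dzhao", DEFAULT_SAFE + "\\$", True))   # [4]: with standard_conforming_strings on
```

Whichever list of safe characters is chosen, the stored username must be in the form the query will actually compare: either keep \ out of safe-characters and store GTCORP=5Cdzhao, or make it safe and make sure the database does not interpret backslashes in the literal. The model makes the mismatch visible before it is found in a failed login.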
RE: VLAN Attribute ?
Actually I found these attributes in the Cisco switch configuration manual and I just pasted them in and they worked... However I just did a search again and I found the attribute is in this dictionary file:

dictionary.rfc3580:     VALUE   Tunnel-Type     VLAN    13

BTW I also got a question for you. It has a :0 following the Tunnel-Type. What is it for? I just removed it and it still works. However in the radiusd -X debug it still has the :0 appended to the attribute name. Any idea??

Thanks,
Difan Zhao M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Fabien COMBERNOUS
Sent: Wednesday, April 21, 2010 3:12 AM
To: FreeRadius users mailing list
Subject: Re: VLAN Attribute ?

Difan Zhao wrote:
> You have to send some attributes to the switch. I am using Cisco switches and here are the attributes that I need to send to the switch to switch the port to VLAN 3:
>
> bob     Cleartext-Password := test
>         Tunnel-Type:0 = VLAN,
>         Tunnel-Medium-Type:0 = IEEE-802,
>         Tunnel-Private-Group-Id:0 = 3,
>         Tunnel-Preference = 0x00
>
> Other switch vendors may use different attributes.

Thank you for your input. I'm using an HP ProCurve core switch. I used the following values:

Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 4

It works. In the radius log I get the display you gave, i.e. VLAN instead of 13, IEEE-802 instead of 6. I will make some tests to use your input directly. It is easier to read. But I am surprised. In the RFC the value 13 does not exist for Tunnel-Type: http://freeradius.org/rfc/rfc2868.html#Tunnel-Type

Where is the value of 13 decided?

Best regards,
--
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
RE: VLAN Attribute ?
You have to send some attributes to the switch. I am using Cisco switches and here are the attributes that I need to send to the switch to switch the port to VLAN 3:

bob     Cleartext-Password := test
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = 3,
        Tunnel-Preference = 0x00

Other switch vendors may use different attributes.

I add these attributes in the users file. I am not using SQL. Don't know how to pull the attributes via sql...

Hope it helps,
Difan Zhao M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Fabien COMBERNOUS
Sent: Tuesday, April 20, 2010 9:06 AM
To: freeradius-users@lists.freeradius.org
Subject: VLAN Attribute ?

Hi,

I'm setting up a FreeRadius Server using an SQL backend to store information about NAS, Users and Groups. I am searching for the Attribute to use to allow a group in a VLAN of my switch. My setup permits me to authenticate a user and the group of the user. But what is the attribute to use in table radreply or radgroupreply to put the port of my switch in the correct VLAN?

Best regards,
--
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
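The ":0" Difan asks about in the follow-up, and Fabien's question about where 13 comes from, are both answered by the wire format of the RFC 2868 tagged tunnel attributes: the byte after Type and Length is the tag (0x00 means "no tag", 0x01..0x1F groups attributes belonging to one tunnel), and the VLAN value 13 for Tunnel-Type is assigned by RFC 3580, not RFC 2868. The following is an added example, not code from the thread or from FreeRADIUS, that encodes the three VLAN-assignment attributes the thread uses and parses them back with length checks, which is the part a server or switch implementer has to get right.

```python
import struct

# RFC 2868 attribute numbers and the values used in the thread
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # dictionary.rfc3580: VALUE Tunnel-Type VLAN 13
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868: IEEE-802
NAMES = {TUNNEL_TYPE: "Tunnel-Type",
         TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}


def _check_tag(tag: int) -> None:
    # 0x00 = no tag (the ":0" in the users file); 0x01..0x1F tie attributes to one tunnel
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")


def encode_tagged_integer(attr: int, tag: int, value: int) -> bytes:
    """Type(1) Length(1) Tag(1) Value(3): the wire form of Tunnel-Type and Tunnel-Medium-Type."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integers carry only three value bytes")
    return struct.pack(">BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr: int, tag: int, text: str) -> bytes:
    """Type(1) Length(1) Tag(1) String: Tunnel-Private-Group-ID. This example always
    emits the tag byte, even when it is 0x00."""
    _check_tag(tag)
    data = text.encode("ascii")
    if not 1 <= len(data) <= 252:
        raise ValueError("string must fit in one 255-byte attribute")
    return struct.pack(">BBB", attr, 3 + len(data), tag) + data


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes that place an 802.1X port in a VLAN (RFC 3580 usage)."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_tunnel_attributes(blob: bytes) -> dict:
    """Parse a run of attributes into {(name, tag): value}. Every length is checked
    before indexing so a malformed reply raises instead of being misread."""
    out, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr}")
        payload = blob[i + 2:i + length]
        i += length
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError(f"attribute {attr} must be 6 bytes, got {length}")
            out[(NAMES[attr], payload[0])] = int.from_bytes(payload[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but the start of the string
            if payload[0] <= 0x1F:
                out[(NAMES[attr], payload[0])] = payload[1:].decode("ascii")
            else:
                out[(NAMES[attr], 0)] = payload.decode("ascii")
        # any other attribute type is skipped
    return out


if __name__ == "__main__":
    reply = vlan_assignment(3)
    print(reply.hex())                     # 40060000000d41060000000651040033
    print(decode_tunnel_attributes(reply))
```

Dropping ":0" in the users file and keeping it give the same bytes on the wire, which is why the debug output still shows the tag: the tag byte is always there, and 0 is simply "untagged".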
RE: Authenticate computers with their hostnames
Phil, thank you very much for the reply! I think you are right. I just tried to change the authentication type to MD5 and then the laptop doesn't even try to authenticate with the hostname anymore. It seems it has to use PEAP for this type of authentication. I will try to set up NTLM and see if that works.

Thanks again!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Sunday, April 18, 2010 3:54 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authenticate computers with their hostnames

On 04/16/2010 10:37 PM, Difan Zhao wrote:
> Users file:
> host/neteng-sp1.gtcorp.com      Auth-Type := Accept

That won't work I think. The hosts are expecting to do EAP/PEAP+MS-CHAP (or EAP-TLS) and you'll need appropriate server-side auth mechanisms to issue the correct challenge/response values.

That is, you need to setup auth against their machine account credentials or certificates.
Authenticate computers with their hostnames
Good afternoon,

Sorry to bother you guys again! I am trying to authenticate Windows XP PCs (SP2) with their hostnames. It looks like the PC will try to use its hostname (in the format host/computer_name.domainname) to authenticate when no user is logged in. I configured the users file and also the post-auth section of the default file to force accepting the request. In the debug it shows it does accept and send back the response. I also captured the packets in Wireshark. However the NAS (Cisco 3750 switch with the newest firmware) doesn't take it and simply ignores it and sends the request again. It repeated three times and eventually failed...

Users file:

host/neteng-sp1.gtcorp.com      Auth-Type := Accept
        Tunnel-Type:0 = VLAN,
        Tunnel-Medium-Type:0 = IEEE-802,
        Tunnel-Private-Group-Id:0 = 3,
        Tunnel-Preference = 0x00

sites-available/default file:

post-auth {
        ...
        if (request:User-Name == "host/neteng-sp1.gtcorp.com") {
                update reply {
                        Auth-Type := Accept
                        Tunnel-Type = VLAN
                        Tunnel-Medium-Type = IEEE-802
                        Tunnel-Private-Group-ID = 3
                        Tunnel-Preference = 0
                }
        }
        ...
}

Actually it doesn't look like it's freeradiusd's problem since it did send back the response. It's the NAS which doesn't process the reply... However does anybody know why? Did I miss any attributes? Any way to work around this problem?

Alan, I think you told me once that it's not easy to fool the NAS to accept all requests... Is this one of the cases we were talking about??

Thank you and have a good weekend!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=126, length=188
        User-Name = host/neteng-sp1.gtcorp.com
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-04
        Calling-Station-Id = 00-14-22-FD-DD-98
        EAP-Message = 0x0201001f01686f73742f6e6574656e672d7370312e6774636f72702e636f6d
        Message-Authenticator = 0x2cdc1301e3132d89a4de120ea3d788bc
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = FastEthernet1/0/2
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/neteng-sp1.gtcorp.com, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry host/neteng-sp1.gtcorp.com at line 69
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ /00-21-F8-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-21-F8-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ /00-21-F8-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ /00-09-6E-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-09-6E-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ /00-09-6E-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++- entering else else {...}
[noop] returns noop
+++- else else returns noop
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /00a008([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) && (User-Name =~ /%{Calling
Question: How do I forcibly accept all rest requests??
Good afternoon guys!

I am running version 2.1.6. The server is currently doing 802.1x authentication for network devices. Some devices are PCs and users use their Windows domain user/password to log in. The rest are special network equipment and I use MAC address authentication bypass to authenticate them.

Now I have a dilemma that I need to make all other devices (guest devices from outside my company) be authenticated as well... Currently if these devices (usually laptops running Windows XP) support 802.1x, they will fail and they will be put in an Auth-failed VLAN. The VLAN itself is fine and they can do whatever they want on this VLAN. However it's just that annoying icon on their laptops. It pops up from time to time to notify users that they failed authentication and even prompts for username and password if configured to do so...

So I want to make all the rest of the devices be authenticated. It will be even better if I can assign them to a specific VLAN. I was reading ./sites-available/default and I found that it can forcibly accept the user (Auth-Type := Accept). Where do I put it? I tried:

post-auth {
        Post-Auth-Type REJECT {
                # attr_filter.access_reject
                Auth-Type := Accept
        }
}

And obviously it's not working... Any ideas how I should configure it?

Thank you!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
RE: Question: How do I forcibly accept all rest requests??
Alan, thank you for the quick reply!

However if you can fool the NAS to let it believe that the device is authenticated, will the switch also send an EAP success message to the laptop to fool it as well? If the laptop is configured to use PEAP and to validate the certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the Server (freeradiusd) sends a challenge in the TLS tunnel and receives a hashed reply, can it be configured to simply send a success back anyway? If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

I apologize if I got any EAP/Radius theory totally wrong...

The company I work for serves hotels. They want their staff to be put in the right VLAN for admin management purposes while guests are put in the guest VLAN. Now my setup is pissing some guests off because they don't like to see "failed" on their laptops. It's kind of important... I will really appreciate it if you can come up with a solution for it...

Thank you!

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 4:43 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

Difan Zhao wrote:
> So I want to make all rest devices to be authenticated. It will be even better if I can assign them to a specific VLAN. I was reading ./sites-avaliable/default and I found that forcibly accept the user (Auth-Type := Accept). Where do I put it? I tried:
>
> post-auth {
>         Post-Auth-Type REJECT {
>                 # attr_filter.access_reject
>                 Auth-Type := Accept
>         }
> }

  It's too late to over-ride the reject at that point.

  And I doubt that this will prevent the icon from appearing on their desktop. The icon means that the *PC* believes it wasn't authenticated. The config above tells the *NAS* to allow them in, but does not convince the *PC* that it has been authenticated.

  There is no substitute for running the authentication protocol correctly.

  Alan DeKok.
RE: Question: How do I forcibly accept all rest requests??
Uh... Guess you are right... I thought it was something easy but looks like it's not! I will let the hotel know that there is nothing we can do. I guess the hotel will give up after I tell them that I have consulted with the programmer lol.

BTW this Freeradius is an awesome program. Very flexible and I like it a lot! Your support is also very much appreciated!

Thanks a lot

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-----Original Message-----
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 5:47 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

Difan Zhao wrote:
> However if you can fool the NAS to let it believe that the device is authenticated, will the switch also send an EAP success message to the laptop to fool him as well?

  No. Even if it does, the laptop will ignore it.

  There is no substitute for running the authentication protocol correctly.

> If the laptop is configured to use PEAP and to validate certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the Server (freeradiusd) sends a challenge in the TLS tunnel and received a hashed reply, can it be configured to simply send a success back anyway?

  That's not the way PEAP works. So no, it's impossible.

> If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

  It's still impossible.

> I apologize if I got any EAP/Radius theory totally wrong...
>
> The company I work for serves hotels. They want their staff to be put in right VLAN for admin management purpose while guests put in guest VLAN. Now my setup is pissing some guests off because they don't like to see failed on their laptops. It's kind of important... I will really appreciate if you can come up with a solution for it...

  <shrug> That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for?

  Alan DeKok.
mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?
Greetings!

I did read the mschap module file and I did see that in order to use a cleartext password, I need to set MS-CHAP-Use-NTLM-Auth := No, however I don't know where to set it. I tried to set it in the hints file like the following. I added it to the beginning of the file and the rest is just default.

enseo_stb       MS-CHAP-Use-NTLM-Auth := No

The enseo_stb is the username. I do see that it matched the line in the preprocess in the debug, however the authentication still failed. I don't have this user account set in Windows AD. I do have it set in my users file.

Enseo_stb       Cleartext-Password := password

Any advice?? Thank you!!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=30, length=152
        User-Name = enseo_stb
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-05
        Calling-Station-Id = 00-21-F8-00-24-B3
        EAP-Message = 0x0202000e01656e73656f5f737462
        Message-Authenticator = 0x8ba26525d2f95b1d79a0c62d87f854de
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = FastEthernet1/0/3
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess] hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enseo_stb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++- entering else else {...}
[noop] returns noop
+++- else else returns noop
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> FALSE
?? Skipping (User-Name =~ /^%{Calling-Station-ID}$/i)
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 30 to 172.17.254.100 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0xf13fdb9cf13cc2e40d991f43b28399d7
Finished request 1.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=31, length=370
        User-Name = enseo_stb
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-05
        Calling-Station-Id = 00-21-F8-00-24-B3
        EAP-Message = 0x020300d6190016030100cb01c70301386d438ca276cc49f14dfbd77fc35c74edf79c4fb7a13e77365d80e4db3ff4e15ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004001500120009001400110008000600030144000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023
        Message-Authenticator = 0xf22b9ef298b95a509e7aa414d6bda163
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = FastEthernet1/0/3
        State = 0xf13fdb9cf13cc2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess] hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enseo_stb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 214
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00cb], ClientHello
[peap] TLS_accept: SSLv3
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

I am still waiting for a possible solution for this problem that I have... Please let me know even if there is no easy fix.

To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the users file takes precedence over sites-available/default. Whenever there is a default entry in the users file, the freeradius server doesn't try to run the module/function in the authentication section... I have attached the debug for both cases. Please take a look whenever you can.

Thank you!
Difan

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org On Behalf Of Difan Zhao
Sent: Wednesday, December 30, 2009 12:19 PM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Hey guys,

Since I have asked so many questions regarding this topic I guess you all know my situation very well so I won't go through the whole thing again and save your time!

So I found that if I add a Default line at the bottom of the users file, like:

...
DEFAULT         Auth-Type = ntlm_auth

The server will always use ntlm for authentication... even if I have updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a Default line in the users file while still using the special authentication that I defined for MAC authentication bypass?

Thanks!

Policy.conf:

policy {
        ...
        rewrite_calling_station_id {
                if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
                        update request {
                                Calling-Station-Id := "00a008%{1}%{2}%{3}"
                        }
                }
                else {
                        noop
                }
        }
}

Default:

authorize {
        ...
        rewrite_calling_station_id
        if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
                update control {
                        Auth-Type = 'Auth-NHSTB'
                }
        }
}

authenticate {
        ...
        Auth-Type Auth-NHSTB {
                if (request:User-Name == "%{request:User-Password}") {
                        ok
                }
                else {
                        reject
                }
        }
}

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, length=157
        User-Name = 00a0080806bd
        User-Password = 00a0080806bd
        Service-Type = Call-Check
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-04
        Calling-Station-Id = 00-A0-08-08-06-BD
        Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
        NAS-Port-Type = Ethernet
        NAS-Port = 50102
        NAS-Port-Id = FastEthernet1/0/2
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
        expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
++++[request] returns noop
+++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding "if" was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
        expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Lol Alan you found the problem again! I just read the manual of users and unlang again and now I know clearly what the problem was... Thank you very much for the help!

So radiusd -X won't show whether a check attribute was updated or not? Here is my radiusd -X output. It's the same no matter whether I use : or :=

...
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
...

It's supposed to update the Auth-Type value but nothing is shown about whether the value has been successfully updated or not... Is this about right, or is it actually shown somewhere else and I am looking at the wrong place?? Thank you!

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, January 04, 2010 4:10 PM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Difan Zhao wrote:
> To refresh your memory, I am doing MAC address authentication bypass. It looks to me that the users file takes precedence over sites-available/default.

No. You are setting Auth-Type = ... in the users file, and then trying to set Auth-Type = ... *again* elsewhere.

See man unlang for the meaning of the operators. If you want to over-ride a previous value, use :=, not =.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
So I assume that none of you guys use MS Exchange server then... Do you guys all hate MS and support open source?? I am a Windows guy but I am on your side!!

Arran, you found the problem! Now it works! Thank you!

Difan Zhao, Guest-tek

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alexander Clouter
Sent: Wednesday, December 30, 2009 5:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
> On 29/12/2009 14:45, Difan Zhao wrote:
>> Difan Zhao would like to recall the message, MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??.
>
> I've often wondered what that means... Is it some weird outlook feature that is meant to 'unsend' email?

Yep, only works if you have a MS Exchange server apparently (maybe it works with Outlook-Outlook). Meanwhile the rest of the world just laughs and smiles. :)

Cheers

--
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

Since I have asked so many questions regarding this topic I guess you all know my situation very well, so I won't go through the whole thing again and will save your time!

So I found that if I add a DEFAULT line at the bottom of the users file, like:

    ...
    DEFAULT    Auth-Type = ntlm_auth

the server will always use ntlm for authentication... even though I have updated the Auth-Type to Auth-NHSTB, it doesn't use it. I have attached both debug files. What should I do if I want a DEFAULT line in the users file while still using the special authentication that I defined for MAC authentication bypass? Thanks!

Policy.conf:

policy {
    ...
    rewrite_calling_station_id {
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := 00a008%{1}%{2}%{3}
            }
        }
        else {
            noop
        }
    }
}

Default:

authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (request:User-Name == %{request:User-Password}) {
            ok
        }
        else {
            reject
        }
    }
}

Difan Zhao, Guest-tek

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, length=157
    User-Name = 00a0080806bd
    User-Password = 00a0080806bd
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = 00-1D-E5-9C-29-04
    Calling-Station-Id = 00-A0-08-08-06-BD
    Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = FastEthernet1/0/2
    NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
    expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
    expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=00a0080806bd
[ntlm_auth] expand: --password=%{User-Password} -> --password=00a0080806bd
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00a0080806BD)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00a0080806bd
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1
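As an added example that is not part of this thread or of FreeRADIUS itself, here is a small Python model of the posted policy: it reproduces the rewrite_calling_station_id regex, the Call-Check test that selects the Auth-Type, and the difference Alan DeKok points out between = and := in an update block when the users file already set Auth-Type through a DEFAULT entry. The module order, the plain-dictionary request/control lists and the treatment of any non-MAB Auth-Type as a reject are assumptions of the model.

```python
"""Model of the MAB unlang policy posted in this thread (added example, not
FreeRADIUS code). It mimics the posted policy.conf and sites-available/default
snippets closely enough to show why '=' in 'update control' loses against a
users file DEFAULT entry while ':=' wins, as Alan DeKok explains."""
import re

# Regex from the thread's rewrite_calling_station_id policy: only MACs with the
# 00-A0-08 OUI match; the three trailing octets are captured as %{1}..%{3}.
MAB_OUI_RE = re.compile(r"00-A0-08-([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})", re.I)


def update(attr_list, attr, op, value):
    """The two update operators discussed in the thread (see man unlang).

    '='  adds the attribute only if the list does not have it yet, so a value
         placed there earlier (here by the users file) is left alone.
    ':=' replaces any existing value unconditionally.
    The return value mirrors the module return code radiusd -X would print.
    """
    if op == ":=":
        attr_list[attr] = value
        return "updated"
    if op == "=":
        if attr in attr_list:
            return "noop"
        attr_list[attr] = value
        return "updated"
    raise ValueError("operator not modelled: " + op)


def rewrite_calling_station_id(request):
    """policy rewrite_calling_station_id: 00-A0-08-08-06-BD -> 00a0080806BD."""
    match = MAB_OUI_RE.fullmatch(request.get("Calling-Station-Id", ""))
    if match is None:
        return "noop"                       # the else { noop } branch
    # update request { Calling-Station-Id := 00a008%{1}%{2}%{3} }
    request["Calling-Station-Id"] = "00a008" + "".join(match.groups())
    return "updated"


def authorize(request, control, users_default_auth_type=None, op="="):
    """The authorize section in the order radiusd -X shows it: files (users
    file DEFAULT entry), the rewrite policy, then the Call-Check test that
    selects the MAB Auth-Type. Returns the Auth-Type left in the control list.
    """
    if users_default_auth_type is not None:
        # 'DEFAULT Auth-Type = ntlm_auth' in users: the files module runs first
        control["Auth-Type"] = users_default_auth_type
    rewrite_calling_station_id(request)
    # if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
    # The expanded MAC is used as a regex; for a MAC that is simply a
    # case-insensitive equality test, modelled here with re.escape.
    csid = request.get("Calling-Station-Id", "")
    if (request.get("Service-Type") == "Call-Check"
            and re.fullmatch(re.escape(csid), request.get("User-Name", ""), re.I)):
        update(control, "Auth-Type", op, "Auth-NHSTB")
    return control.get("Auth-Type")


def authenticate(request, control):
    """Auth-Type Auth-NHSTB accepts only when User-Name equals User-Password.
    Assumption: any other Auth-Type rejects a bare MAC, as ntlm_auth did in the
    posted debug output (NT_STATUS_NO_SUCH_USER)."""
    if control.get("Auth-Type") != "Auth-NHSTB":
        return "reject"
    if request.get("User-Name") == request.get("User-Password"):
        return "ok"
    return "reject"


def mab_decision(request, users_default_auth_type=None, op="="):
    """Run one Access-Request through the modelled sections and return
    (Auth-Type chosen, authenticate result)."""
    request = dict(request)          # the rewrite policy modifies the request list
    control = {}
    auth_type = authorize(request, control, users_default_auth_type, op)
    return auth_type, authenticate(request, control)


# Attributes of the Access-Request shown in the thread's radiusd -X output.
SWITCH_REQUEST = {
    "User-Name": "00a0080806bd",
    "User-Password": "00a0080806bd",
    "Service-Type": "Call-Check",
    "Calling-Station-Id": "00-A0-08-08-06-BD",
    "NAS-IP-Address": "172.17.254.100",
}

if __name__ == "__main__":
    # users file has 'DEFAULT Auth-Type = ntlm_auth', unlang uses '=': ntlm_auth wins.
    print(mab_decision(SWITCH_REQUEST, "ntlm_auth", "="))   # ('ntlm_auth', 'reject')
    # Same users file, ':=' in unlang: the MAB Auth-Type overrides the DEFAULT.
    print(mab_decision(SWITCH_REQUEST, "ntlm_auth", ":="))  # ('Auth-NHSTB', 'ok')
    # No DEFAULT line at all (the earlier post): '=' is enough.
    print(mab_decision(SWITCH_REQUEST))                     # ('Auth-NHSTB', 'ok')
```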
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Greetings,

I hope you all had a wonderful Christmas holiday! So I continued my work this morning. It looks like it can authenticate the devices (with the certain MAC address pattern); however, from the radiusd -X output (which I attached here) it doesn't seem to authenticate them the way I want it to.

Let me repeat my logic here: if the MAC address matches the pattern, use the User-Name (or Calling-Station-Id, since I rewrite it to be the same as the User-Name) and the password (which is made to be the same as the User-Name as well) to authenticate the device.

However, it looks like my if conditions are all matched during the process, yet they all returned noop instead of updating the information I wanted them to. Here are the configurations I made in the policy.conf and sites-available/default files.

Policy.conf:

policy {
    ...
    rewrite_calling_station_id {
        if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := 00a008%{1}%{2}%{3}
            }
        }
        else {
            noop
        }
    }
}

Default:

authorize {
    ...
    rewrite_calling_station_id
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if (Chap-Password) {
            update control {
                Cleartext-Password := %{User-Name}
            }
            chap
        }
        else {
            ok
        }
    }
}

It seems to me that the last ok authenticated the device, instead of using chap and the Cleartext-Password that I assigned. Any ideas? Thank you!

Difan Zhao, Guest-tek

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=45, length=157
    User-Name = 00a0080806bd
    User-Password = 00a0080806bd
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = 00-1D-E5-9C-29-04
    Calling-Station-Id = 00-A0-08-08-06-BD
    Message-Authenticator = 0x7e1fb3874de8f8f7c98b237aa1778647
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = FastEthernet1/0/2
    NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
    expand: 00a008%{1}%{2}%{3} -> 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> TRUE
    expand: ^%{Calling-Station-ID}$ -> ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> TRUE
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> TRUE
++- entering if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = Auth-NHSTB
+- entering group Auth-NHSTB {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) -> FALSE
++? if (Chap-Password) -> FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00a0080806BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id
Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Difan Zhao would like to recall the message, MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??.
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
I apologize for the previous spam! I kind of figured out my problem. Then I tried to fix it and now I have a new problem!!

So I want to authenticate devices when both User-Name and User-Password are the same and are both the MAC of the device. My default file looks like:

authorize {
    ...
    if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}
...
authenticate {
    Auth-Type Auth-NHSTB {
        if (%{request:User-Password} == %{request:User-Name}) {
            ok
        }
        else {
            noop
        }
    }
}

However when I try to run radiusd I keep getting this error:

Expected regular expression at: request:User-Password)
/etc/raddb/sites-enabled/default[308]: Failed to parse if subsection.
Errors initializing modules

I also tried a lot of other syntax and different operators as well but the error is still there... What is the right syntax?? Thank you!

Difan Zhao, Guest-tek

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey guys,

So I finally started configuring this MAC auth bypass thing... I am editing the raddb/policy.conf to include the rewrite_calling_station_id function/module; however, when I try to run radiusd -X I get this error:

/etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) error

Here is what I added in the policy.conf. I appended it to the end of the file. I never changed anything else in this file.

rewrite_calling_station_id {
    if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
    {
        update request {
            Calling-Station-Id := %{1}-%{2}-%{3}-%{4}-%{5}-%{6}
        }
    }
    else {
        noop
    }
}

My Calling-Station-Id is a MAC address which is made of numbers and capital letters with - between octets. However my User-Name is all lower-case letters and numbers and there is no - or :. I want to rewrite the Calling-Station-Id to be the same as the User-Name. Am I doing it right? How can I convert it to lower case, or do I need to do it at all?? PS the MAC addresses will all start with 00-A0-08.

Thank you and merry Christmas!!

Difan Zhao, Guest-tek
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Lol Thank you Arran... You found the problem! Now it's good. Thanks again!

Difan Zhao, Guest-tek

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Thursday, December 24, 2009 1:13 PM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Difan Zhao wrote:
> Hey guys,
>
> So I finally started configuring this *MAC auth bypass* thing... I am editing the *raddb/policy.conf* to include the *rewrite_calling_station_id* function/module however when I am trying to run the *radiusd -X* I got this error:
>
> /etc/raddb/policy.conf[72]: Parse error in condition at: request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) error
>
> Here is what I added in the policy.conf. I appended to the back of the file. I never changed anything else in this file.

Curly braces need to be inline... don't assume the parser is clever.
NTLM, Kerberos 5 or LDAP
Greetings,

I am trying to authenticate my network against Windows 2003 Active Directory. With help from Ivan Kalik, I was able to use NTLM to communicate with the Windows 2003 server and authenticate EAP clients. On the EAP side I am using PEAP since they are mostly Windows XP clients and I don't think there is another choice (please correct me if I am wrong).

However on the RADIUS server side, I seem to have options. It seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with the Windows Domain Controller. So my questions are: Can I use any of them? If yes, could you send me helpful links about how to use Kerberos 5 and LDAP? Which one is the most recommended and why?

You may have noticed that I have posted several questions these days and I really appreciate your help! Now I am really a fan of FreeRadius. I really want to learn it well and understand what it's capable of. I am a Cisco guy and I have some Linux experience but no programming experience. Can any of you recommend me a book about how to use FreeRadius? I think that will stop me asking stupid questions...

Thank you!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
So..., Alan suggested using unlang. I am actually reading un-language (5). If I use it, where or in what file do I put your script?

=Script that Alan wrote

authorize {
    if (%{User-Name} =~ /[0-9a-z]{12}/i && %{Huntgroup-Name} == MAB-switches) {
        update control {
            Auth-Type := MAB
        }
        ok = return
    }
}

authenticate {
    Auth-Type MAB {
        ok
    }
}

I do understand that I need to revise it to make it only authenticate the right MAC addresses and only respond if the request meets certain criteria or has certain attributes. Can I include logic like User-Name == Calling-Station-Id or Service-Type == Call-Check in unlang? In addition, I want to assign these devices to a specific VLAN. Can I add the attributes here as well? Is this VLAN assignment part of authentication or authorization?

Alexander, I did read the links you gave me very carefully and I guess I understand the logic... However it seems that I have to edit many files. I am new to FreeRadius and I don't have any programming experience... Is there a document which can tell me briefly what these files are for and how FreeRadius is using them? I don't really want to edit those files when I don't know enough about them...

Thank you both for your advice!

Difan
RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hi Alan,

Thank you very much for the quick response! Actually you are right. The password is an MD5 hash, not clear text! I may not be able to use the guest VLAN (the VLAN the device will be put in after a failed or timed-out 802.1x request) because I need to use this VLAN for some other devices!

For these 00a008 devices, my real purpose actually is NOT to authenticate them but rather to assign them to a specific VLAN by using the dynamic VLAN assignment feature of the switch. I have figured it out and tested it. I just have to put in special attributes under each user (in this case the MAC of the device) in the users file.

If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manually input each of them in the database. Can you please give me details about how to implement it in this case? BTW I'd rather not use SQL because I know pretty much nothing about it lol

I appreciate your advice! Thank you!

Difan

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org on behalf of Alan Buxey
Sent: Sat 12/19/2009 2:34 AM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Hi,

> The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an access request to the freeradius server (172.17.1.1) with username and password both being the MAC address of the device!

correct - with the MAC in very plain format... ie all symbols stripped so it's just, as you wrote, 00a0080806bd (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd)

by the way, depending on what IOS you've got, this will change - the new IOS - and this can be configured too on some previous versions - will send the password in the form of the MD5 of the MAC address!

> That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC addresses as the UN/PW. Is there an easy way to write a script-like thing to include all of them? The MAC addresses all start with 00:a0:08. I want a logic like:

many ways to do this - you certainly don't need to play with the users file - you might want to eg, put them into AD/LDAP or put them into SQL. in SQL you can set

    User-Name       Attribute            Op    Value
    00a0080806bd    Cleartext-Password   :=    00a0080806bd

if you KNOW that the addresses are valid, then you could scrape them... alternatively, set the fail/guest VLAN to be behind a captive portal box and then the users get to see a 'login page' and when they click login, you can grab their IP address and therefore their MAC address and then insert that into SQL.

just a quick idea... monday morning project.

alan
RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!
Hey Ivan,

Thank you very much for your help! Now it works beautifully! My next step is to integrate FreeRadius with my Windows domain to use Windows AD for authentication. I am sure I will have more questions for you guys! Thank you!

Difan Zhao, Guest-tek

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of t...@kalik.net
Sent: Thursday, December 17, 2009 6:53 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!

> I have figured out how to configure attributes. Here is my users file:
>
> test    Cleartext-Password := test
>         Tunnel-Type = 16777229,
>         Tunnel-Medium-Type = 16777222,
>         Tunnel-Private-Group-ID = 3
>
> When I use MD5-Challenge, I get put in the right VLAN I wanted. However if I choose PEAP, I can be authenticated but the VLAN thing won't work. I checked the radiusd -X output very carefully and I don't see the server sending any attributes, as it did when MD5 was used... I chose different types of authentication on the Windows box. It seems I don't have to change any configuration on the RADIUS server for both authentications to work. I will attach the radiusd -X output for both types.

You have those attributes in the tunneled reply. You should enable use_tunneled_reply in the peap section of eap.conf.

Ivan Kalik
MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
Hey experts!!

I am having another dilemma here. I am trying to configure the MAC authentication bypass feature on my Cisco 3750 switch to authenticate some devices which don't support 802.1x. The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an access request to the freeradius server (172.17.1.1) with username and password both being the MAC address of the device!

That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC addresses as the UN/PW. Is there an easy way to write a script-like thing to include all of them? The MAC addresses all start with 00:a0:08. I want a logic like: if a request is for a user with the first 3 octets like the above one, use its MAC address (in this case also its username) as the password and grant the access. Is it possible to do it in FreeRadius 2.1.6??

I have attached the output of a successful authentication for a device with MAC: 00a0080806bd. Of course I manually added this user in my users file. My users file looks like:

    00a0080806bd    Cleartext-Password := 00a0080806bd

I appreciate any advice!! Thank you guys!!

Difan Zhao, CCNP
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=32, length=127
    Acct-Session-Id = 001C
    Acct-Authentic = RADIUS
    Acct-Terminate-Cause = Lost-Carrier
    Acct-Session-Time = 4093
    Acct-Input-Octets = 16040
    Acct-Output-Octets = 384527
    Acct-Input-Packets = 169
    Acct-Output-Packets = 2946
    Acct-Status-Type = Stop
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = FastEthernet1/0/2
    Service-Type = Framed-User
    NAS-IP-Address = 172.17.254.100
    Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = 001C,'
[acct_unique] Acct-Unique-Session-ID = 8ac0763679e7418b.
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] expand: %t -> Fri Dec 18 16:10:23 2009
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} ->
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} ->
++[attr_filter.accounting_response] returns noop
Sending Accounting-Response of id 32 to 172.17.254.100 port 1646
Finished request 0.
Cleaning up request 0 ID 32 with timestamp +10
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=90, length=157
    User-Name = 00a0080806bd
    User-Password = 00a0080806bd
    Service-Type = Call-Check
    Framed-MTU = 1500
    Called-Station-Id = 00-1D-E5-9C-29-04
    Calling-Station-Id = 00-A0-08-08-06-BD
    Message-Authenticator = 0xd8bb55e55d3239af2a93e5db8df80960
    NAS-Port-Type = Ethernet
    NAS-Port = 50102
    NAS-Port-Id = FastEthernet1/0/2
    NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 00a0080806bd at line 28
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password 00a0080806bd
[pap] Using clear text password 00a0080806bd
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00-A0-08-08-06-BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 172.17.254.100 port 1645
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 20
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from