RE: PEAP Inner-tunnel can't match a user in the users file with some check attributes

2011-11-21 Thread Difan Zhao
Absolutely no excuse... I should have read about it... Next time I will read 
more carefully.

Anyway everything works now! Thank you very much Alan Dekok!

Difan

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org 
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: November-19-11 1:37 AM
To: FreeRadius users mailing list
Subject: Re: PEAP Inner-tunnel can't match a user in the users file with some 
check attributes

Difan Zhao wrote:

 I have an issue that whenever I have check attributes such as 
 NAS-IP-Address or NAS-Port-Type, my PEAP fails…

  Read raddb/eap.conf.  Look for copy_request_to_tunnel

 Everything works once I removed *NAS-IP-Address == 10.143.115.14*.
 However I do need to check from which switch/NAS the request 
 is coming… It seems that those attributes are outside of the “tunnel”.
 How can I copy them into the “tunnel” (does this make sense to you guys)??

  Read the configuration files.  This is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Can I group users in the users file like in the SQL database?

2011-03-04 Thread Difan Zhao
Alan thank you so much for your help not only on this one but all others as 
well! 

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org 
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: March-04-11 2:00 AM
To: FreeRadius users mailing list
Subject: Re: Can I group users in the users file like in the SQL database?

Difan Zhao wrote:
 Another quick question: Can I group users in the users file and assign
 the group reply attributes instead of to each individual user?

  No.  See man rlm_passwd for examples of creating server-side groups.

  Alan DeKok.



FW: Use Hint file to proxy

2011-03-04 Thread Difan Zhao
Hi Alan Dekok or anyone,

I haven't got a reply on this one yet... I was able to do it before but not 
anymore... I'm really curious to know why...

Thank you!

Difan

From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org 
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] 
On Behalf Of Difan Zhao
Sent: March-02-11 9:01 AM
To: FreeRadius users mailing list
Subject: Use Hint file to proxy


Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Difan Zhao
Hi experts,

I want to try another way to authenticate devices by their MAC addresses. I 
don't really care about the security and just try to make the configuration 
easy. Here is my configuration:

 hints =
DEFAULT User-Name =~ 001422.*
Hint = STB

= users =
DEFAULT Hint == STB, Cleartext-Password := %{User-Name}

Then I use the radtest program to test the setup and it failed...
radtest 00142211 00142211 localhost 1812 test123

Both lines in the hints and users files are matched, based on the radius -X 
output. However the password in the check attribute is not replaced with the 
username... Please help, thanks!

Here is the radius -X output:
rad_recv: Access-Request packet from host 127.0.0.1 port 16011, id=123, 
length=64
User-Name = 00142211
User-Password = 00142211
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
+- entering group authorize {...}
[preprocess]expand: %{User-Name} - 00142211
[preprocess]   hints: Matched DEFAULT at 1
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Marriott] No '/' in User-Name = 00142211, looking up realm NULL
[Marriott] No such realm NULL
++[Marriott] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password 00142211
[pap] Using clear text password %{User-Name}
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): 
[00142211/00142211] (from client 127.0.0.1/32 port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 00142211
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 123 to 127.0.0.1 port 16011
Waking up in 4.9 seconds.


Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer
T: 403-509-1010 ext 3048 | M: 403-689-7514 | F: 403.509.1011
difan.z...@guest-tek.com | www.guest-tek.com

The contents of this email are confidential and intended for the recipient 
only. If you have received this email in error, please notify us, and destroy 
all copies.



RE: Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Difan Zhao
Thanks Phil! It works! It definitely fits what I need! However, just being 
curious, why won't my setting work?

Thanks!

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org 
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] 
On Behalf Of Phil Mayers
Sent: March-03-11 9:16 AM
To: FreeRadius users mailing list
Subject: Re: Cleartext-Password := %{User-Name} in the users file. Possible?

On 03/03/11 16:10, Difan Zhao wrote:
 Hi experts,

 I want to try another way to authenticate devices by their MAC
 addresses. I don't really care about the security and just try to make
 the configuration easy. Here is my configuration:

  hints =

 DEFAULT User-Name =~ 001422.*

 Hint = STB

 = users =

 DEFAULT Hint == STB, Cleartext-Password := %{User-Name}

Why bother with a password at all?

DEFAULT Hint == STB, Auth-Type := Accept



Can I group users in the users file like in the SQL database?

2011-03-03 Thread Difan Zhao
Hi experts,

Another quick question: Can I group users in the users file and assign the 
group reply attributes instead of to each individual user? I tried the 
following config but failed (which may be complete nonsense)...

test  Cleartext-Password := test
Group := abc
Fall-Through = yes

abc
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 851
Tunnel-Preference:0 = 0

Thanks!





How to add attributes on the reply from the home server

2011-03-03 Thread Difan Zhao
Hi guys,

Sorry for so many questions ... Everything was working fine until I was told 
not to use the SQL DB but to use the users file instead... That's why I started 
to have all these questions...

Anyway I need to proxy some requests to remote home server. I also need to 
assign the users to specific VLANs (with some attributes) if they are 
successfully authenticated by the remote home server. When I was using the SQL 
Alan told me to uncomment sql.authorize in the post-auth section in the 
sites-available/default server configuration. Now I have to use the users file. 
Is there a way to achieve the same result?

Right now my server just forwards the Access-accept to the switch and ignores 
all the VLAN attributes associated with the username set in my users file...

Please help!

Thanks!






Use Hint file to proxy

2011-03-02 Thread Difan Zhao
Hi experts,

Long time no talk!

I have another dilemma. For some reason I want to try to use the hints file to 
do proxying (the normal way of configuring the realm and proxy.conf file works). 
So the following is my config:

=== hints ===
DEFAULT User-Name =~ ^host\/.*\.gtcorp\.com$
Hint = Marriott

=== users ===
DEFAULT Hint == Marriott, Proxy-To-Realm := ~\.gtcorp\.com$

=== proxy.conf ===

realm ~\.gtcorp\.com$ {
nostrip
auth_pool = Marriott_Auth_Pool
acct_pool = Marriott_Acct_Pool
}

== module/realm 
realm Marriott {
format = suffix
delimiter = /
}

Then I commented out the Marriott realm in the authorize section in the 
default server so the settings in the realm file shouldn't do anything.

= sites-available/default ==
authorize {
...
#   Marriott
...
}

In the radius -X log I do see the requests are sent to the proxy server but I 
also see the following abnormal logs. The complete log is also attached.

[eap] No pre-existing handler found
...
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.

So is it possible to use the hints file to do proxying, or am I totally out of 
my mind?? If it's possible, where could I be going wrong?

Thanks a lot!



rad_recv: Access-Request packet from host 10.143.115.6 port 1645, id=163, 
length=194
User-Name = host/NetEng-D410.gtcorp.com
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = AC-A0-16-0E-9E-11
Calling-Station-Id = 00-14-22-FD-DD-98
EAP-Message = 
0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
Message-Authenticator = 0x47efeb7485cf2f710b658ba828be5735
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = GigabitEthernet1/0/17
NAS-IP-Address = 10.143.115.6
+- entering group authorize {...}
[preprocess]expand: %{User-Name} - host/NetEng-D410.gtcorp.com
[preprocess]   hints: Matched DEFAULT at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 32
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 218 to 10.26.105.105 port 1812
User-Name = host/NetEng-D410.gtcorp.com
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = AC-A0-16-0E-9E-11
Calling-Station-Id = 00-14-22-FD-DD-98
EAP-Message = 
0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
Message-Authenticator = 0x
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = GigabitEthernet1/0/17
NAS-IP-Address = 10.143.115.6
Proxy-State = 0x313633
Proxying request 0 to home server 10.26.105.105 port 1812
Sending Access-Request of id 218 to 10.26.105.105 port 1812
User-Name = host/NetEng-D410.gtcorp.com
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = AC-A0-16-0E-9E-11
Calling-Station-Id = 00-14-22-FD-DD-98
EAP-Message = 
0x0201002001686f73742f4e6574456e672d443431302e6774636f72702e636f6d
Message-Authenticator = 0x
NAS-Port-Type = Ethernet
NAS-Port = 50117
NAS-Port-Id = GigabitEthernet1/0/17
NAS-IP-Address = 10.143.115.6
Proxy-State = 0x313633
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Challenge packet from host 10.26.105.105 port 1812, id=218, 
length=69
EAP-Message = 0x010200061920
Message-Authenticator = 0x7abdaa6fe15ef1c04eef592da305896a
State = 0x1c559d961c578475dc9c2542f1f8a48c
Proxy-State = 0x313633
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Sending Access-Challenge of id 163 to 10.143.115.6 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State

radius.log records individual client IP. Possible??

2011-01-27 Thread Difan Zhao
Hi experts,

I'm wondering if it's possible for the radius.log file to show the NAS IP 
instead of the client name (which is IP range in my case).

Currently the log looks like:
Thu Jan 27 11:53:15 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] 
(from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)

It'd be ideal if it could show the IP of the NAS where the request is coming 
from. I know I could configure the client file to have an individual IP for each 
client instead of the entire subnet. However I'm just wondering if there is an 
easy switch to turn it on lol

Thanks!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
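An added example for this thread (not FreeRADIUS code and not from the list): it parses the radius.log "Auth:" line format quoted above and counts failed logins per client entry plus Calling-Station-Id (or NAS port), so repeated failures can still be pinned to a port or MAC even when, as here, the client entry is a whole subnet. The first sample line is the one from the message; the others are constructed.

```python
"""Parse FreeRADIUS 2.x radius.log "Auth:" lines and flag repeated failures.

Added example for the thread above; it is not FreeRADIUS code.  The first
sample line is the one quoted in the thread, the others are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# "<timestamp> : Auth: Login <OK|incorrect>[ (<reason>)]: [<user>/<password>]
#  (from client <client> port <nas-port>[ cli <calling-station-id>])"
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)/(?P<pw>[^/\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)

# Constructed sample log: line 1 is the thread's own line, the rest are made up.
SAMPLE_LOG = """\
Thu Jan 27 11:53:15 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] (from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)
Thu Jan 27 11:53:20 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] (from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)
Thu Jan 27 11:53:25 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] (from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)
Thu Jan 27 11:54:01 2011 : Auth: Login OK: [host/NetEng-D410.gtcorp.com/<via Auth-Type = EAP>] (from client 10.143.115.0/24 port 50117 cli 00-14-22-FD-DD-98)
Thu Jan 27 11:55:09 2011 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [00142211/00142211] (from client localhost port 1812)
Thu Jan 27 11:55:10 2011 : Info: Ready to process requests.
"""


def parse_auth_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one Auth: line, or None for any other line."""
    m = AUTH_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def source_key(rec: Dict[str, Optional[str]]) -> Tuple[str, str]:
    """Where the request came from: the client entry that matched (a whole
    subnet in the thread) plus the Calling-Station-Id when the NAS sent one,
    else the NAS port."""
    return (rec["client"], rec["cli"] or "port " + rec["port"])


def failures_by_source(lines: List[str]) -> Counter:
    """Count 'Login incorrect' records per source."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["result"] == "incorrect":
            counts[source_key(rec)] += 1
    return counts


def flag_repeated_failures(lines: List[str], threshold: int = 3) -> List[Tuple[str, str]]:
    """Sources that reached the failure threshold, sorted for stable output."""
    counts = failures_by_source(lines)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src in flag_repeated_failures(SAMPLE_LOG.splitlines()):
        print("repeated failures from", src)
```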

How to configure proxy server to send a copy of acct to remote/home server

2010-09-16 Thread Difan Zhao
Dear experts,

I configured my Freeradius2.1.7 server to be a proxy server which will
forward the PEAP authentication packages to a remote server. The
authentication part works great.

I configured my switch to send accounting information to the proxy
server. The proxy server is using MySQL to store the acct info. This
part works fine too.

However I'm requested to also send a copy of the acct info to the remote
server...

I'm still checking my switch (Cisco) to see if it can send two copies
of acct info to two different servers at the same time. However, is it
possible to make FreeRadius automatically forward a copy to the
remote server??

Thanks!

 


RE: After server rebuild the PEAP against Windows AD is not working any more!

2010-09-12 Thread Difan Zhao
Hi Alan,

Thank you for the info! I downgraded the samba to 3.0.33 and it works
fine now!

Thanks,
 
 
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: September-11-10 12:18 AM
To: FreeRadius users mailing list
Subject: Re: After server rebuild the PEAP against Windows AD is not working any more!

Difan Zhao wrote:
 I'm getting really frustrated on this... I had the server rebuilt with
 RHEL 5 and FreeRadius2.1.7. It was running RHEL 4 with FreeRadius2.1.6.
 It looks like the server will send the last challenge and the client
 won't reply anymore...

  If you're using Samba, it's a samba bug.  See the comments in
eap.conf.

  Alan DeKok.



After server rebuild the PEAP against Windows AD is not working any more!

2010-09-10 Thread Difan Zhao
Hi experts,

I'm getting really frustrated on this... I had the server rebuilt with
RHEL 5 and FreeRadius2.1.7. It was running RHEL 4 with FreeRadius2.1.6.
It looks like the server will send the last challenge and the client
won't reply anymore... The ntlm_auth part should be working right
because when I do radtest 'gtcorp\\dzhao' password localhost 0
test123 it works fine...

Sending Access-Request of id 119 to 127.0.0.1 port 1812
User-Name = gtcorp\\dzhao
User-Password = password
NAS-IP-Address = 10.26.105.105
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=119, length=41
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3
Tunnel-Preference:0 = 0

However it's not working when I have a laptop plugged in doing
PEAP/802.1x with the same user account... The debug output is attached.
Please help!! Thanks!!!

 

 

rad_recv: Access-Request packet from host 207.230.255.43 port 1645, id=125, 
length=158
User-Name = GTCORP\\dzhao
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = EC-30-91-AD-28-82
Calling-Station-Id = 00-11-43-FE-80-19
EAP-Message = 0x02010011014754434f52505c647a68616f
Message-Authenticator = 0x2ed3d2e16385e7d5226183633663f17c
NAS-Port-Type = Ethernet
NAS-Port = 50002
NAS-Port-Id = FastEthernet0/2
NAS-IP-Address = 172.17.254.60
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = GTCORP\dzhao, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} - GTCORP\dzhao
[sql] sql_set_user escaped user -- 'GTCORP\dzhao'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'GTCORP=5Cdzhao'   ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id - 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'GTCORP=5Cdzhao'   ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT groupname   
FROM radusergroup   WHERE username = 'GTCORP=5Cdzhao'   
ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 125 to 207.230.255.43 port 1645
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := 3
Tunnel-Preference:0 := 0
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xc5d7c069c5d5d925bfc9a54021651b76
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 207.230.255.43 port 1645, id=126, 
length=246
User-Name = GTCORP\\dzhao
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = EC-30-91-AD-28-82
Calling-Station-Id = 00-11-43-FE-80-19
EAP-Message = 
0x020200571980004d1603010048014403014c8aa8c3bb5003761e89606041e23e7cdc1ae7d698dcd04f60a27241ada1d2c51600040005000a000900640062000300060013001200630105ff01000100
Message-Authenticator = 0xdbc118e3fce352d35a250a534014091f
NAS-Port-Type = Ethernet
NAS-Port = 50002
NAS-Port-Id = FastEthernet0/2
State = 0xc5d7c069c5d5d925bfc9a54021651b76
NAS-IP-Address = 172.17.254.60
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap

RE: Wildcard in realm name? possible??

2010-09-09 Thread Difan Zhao
Hi Alan,

Thank you for the quick response! I read again and tried and this one
worked!!

realm ~\.gtcorp\.com

However I did try the one which is same syntax as the example in the
proxy.conf file:

realm ~*\\.gtcorp\\.com$

The radiusd -X can't start and I got this. 

realm ~*\.gtcorp\.com$ {
/etc/raddb/proxy.conf[33]: Invalid regex in realm ~*\.gtcorp\.com$
 } # realm ~*\.gtcorp\.com$
 
I tried many other syntaxes and I found that I can't put ~ and * together,
and if I do the process won't start...

I guess my problem is solved! This is just FYI! Thanks again for your
help!

 
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: September-09-10 4:16 AM
To: FreeRadius users mailing list
Subject: Re: Wildcard in realm name? possible??

Difan Zhao wrote:
 So I guess my first question is that, is it possible to have wildcard
 (e.g. *) in the realm name?

  Read raddb/proxy.conf.  Look for regex

 realm *~*.gtcorp.com* {

  That isn't the correct syntax.

  Go back and read the example in proxy.conf again.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Wildcard in realm name? possible??

2010-09-08 Thread Difan Zhao
Dear developers/experts,

I haven't bugged you guys for too long so I decided to come back with a
strange question so you know that I'm still your loyal user.

I need to proxy requests with the following username pattern to a remote
server.

host/PC name.gtcorp.com

This is what the username looks like when the Windows PC is doing PEAP
with use of the PC's name instead of the actual user's username. Don't
know why but seems to be strange!

So I guess my first question is that, is it possible to have a wildcard
(e.g. *) in the realm name?

I did read all the docs I could possibly find and I tested the configs
as well but I couldn't get it to work... Here is the debug while I'm
doing testing with the radtest program. As you see, it always matches
the DEFAULT realm but not the *.gtcorp.com that I defined... I'm using
2.1.6 on RHEL4. So! Help help!

 

[r...@ne_ovi ~]# radtest 'host/difan.gtcorp.com'  localhost 0 test123
Sending Access-Request of id 163 to 127.0.0.1 port 1812
User-Name = host/difan.gtcorp.com
User-Password = 
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=163, length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 15676, id=163, length=73
User-Name = host/difan.gtcorp.com
User-Password = 
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[GTCORP] Looking up realm difan.gtcorp.com for User-Name = host/difan.gtcorp.com
[GTCORP] Found realm DEFAULT
[GTCORP] Adding Realm = DEFAULT
[GTCORP] Proxying request from user host to realm DEFAULT
[GTCORP] Preparing to proxy authentication request to realm DEFAULT
++[GTCORP] returns updated
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
...

The following are my relevant configs:

==
/etc/raddb/proxy.conf (I did try many other realm names such as *.gtcorp.com as well)
==
proxy server {
    default_fallback = no
}

###

home_server GTK_Radius_Auth {
    type = auth
    ipaddr = 1.1.1.1
    port = 1812
    secret = 
}
home_server GTK_Radius_Acct {
    type = acct
    ipaddr = 1.1.1.1
    port = 1813
    secret = 
}

home_server_pool GTK_Radius_Auth_Pool {
    type = fail-over
    home_server = GTK_Radius_Auth
}
home_server_pool GTK_Radius_Acct_Pool {
    type = fail-over
    home_server = GTK_Radius_Acct
}

realm ~*.gtcorp.com {
    nostrip
    auth_pool = GTK_Radius_Auth_Pool
    acct_pool = GTK_Radius_Acct_Pool
}

#
#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like bob will match this one.
#
realm NULL {
    nostrip
    auth_pool = GTK_Radius_Auth_Pool
    acct_pool = GTK_Radius_Acct_Pool
}

#
#  This realm is for ALL OTHER requests.
#
realm DEFAULT {
    nostrip
    auth_pool = GTK_Radius_Auth_Pool
    acct_pool = GTK_Radius_Acct_Pool
}

===
/etc/raddb/modules/realm
===
realm GTCORP {
    format = suffix
    delimiter = /
}

==
/etc/raddb/sites-available/default
==
...
authorize {
    preprocess
    chap
    mschap
    GTCORP
    Suffix
    ...
}

Thanks!!

 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
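
Added example, written for this page rather than taken from the thread or from FreeRADIUS's source: a small Python model of what the GTCORP realm instance above (format = suffix, delimiter = "/") does to the machine identity, and of the lookup order (exact name, then "~" regex names, then NULL or DEFAULT) against the three realm blocks in proxy.conf. With that delimiter the identity host/neteng-sp1.gtcorp.com is cut into user "host" and realm "neteng-sp1.gtcorp.com", which is what the "Proxying request from user host" debug line above reports. The regex realm is written here as ~.*\.gtcorp\.com, an assumed valid form; the posted ~*.gtcorp.com begins with a repetition operator, which Python's re rejects, and whether the POSIX regcomp the server uses treats it the same way is not something this thread shows. The split point (last delimiter for suffix, first for prefix) and the Stripped-User-Name rule (only added when the realm is stripped) are this model's assumptions.

```python
# Added example for this thread: a model of suffix/prefix realm splitting and
# of the realm lookup in proxy.conf.  Illustrative code, not rlm_realm itself.
import re


def split_user_name(user_name, fmt="suffix", delimiter="@"):
    """Return (user, realm) the way a realm module instance with the given
    format and delimiter would split User-Name.

    Assumption of this model: suffix format splits at the last delimiter,
    prefix format at the first.  No delimiter -> realm is None, which
    selects the NULL realm block in find_realm().
    """
    if fmt == "suffix":
        pos = user_name.rfind(delimiter)
        return (user_name, None) if pos < 0 else (user_name[:pos], user_name[pos + 1:])
    if fmt == "prefix":
        pos = user_name.find(delimiter)
        return (user_name, None) if pos < 0 else (user_name[pos + 1:], user_name[:pos])
    raise ValueError("format must be 'suffix' or 'prefix'")


def regex_realm_is_valid(name):
    """True if the part after '~' compiles as a Python regex.  The server's
    POSIX regcomp may judge a given pattern differently."""
    try:
        re.compile(name[1:])
        return True
    except re.error:
        return False


def find_realm(realm, realms):
    """Pick a realm block name: exact (case-insensitive) name first, then
    '~' names as case-insensitive regexes, then DEFAULT.  A realm of None
    (no delimiter in User-Name) selects NULL if present, else DEFAULT."""
    if realm is None:
        return "NULL" if "NULL" in realms else ("DEFAULT" if "DEFAULT" in realms else None)
    for name in realms:
        if not name.startswith("~") and name.lower() == realm.lower():
            return name
    for name in realms:
        if name.startswith("~") and regex_realm_is_valid(name) \
                and re.search(name[1:], realm, re.IGNORECASE):
            return name
    return "DEFAULT" if "DEFAULT" in realms else None


def route_request(user_name, realms, fmt="suffix", delimiter="@"):
    """Attributes the realm module adds to the request, plus the block chosen."""
    user, realm = split_user_name(user_name, fmt, delimiter)
    block = find_realm(realm, realms)
    result = {"User-Name": user_name, "Proxy-To-Realm": block}
    if block is not None:
        result["Realm"] = block
        if not realms[block].get("nostrip", False):
            result["Stripped-User-Name"] = user   # only when the realm is stripped
    return result


# The realm blocks from the proxy.conf above.  The regex realm is written in an
# assumed valid form; the posted pattern is kept separately for the validity check.
PAGE_REALMS = {
    "~.*\\.gtcorp\\.com": {"nostrip": True},
    "NULL": {"nostrip": True},
    "DEFAULT": {"nostrip": True},
}
POSTED_REGEX_REALM = "~*.gtcorp.com"

if __name__ == "__main__":
    print(split_user_name("host/neteng-sp1.gtcorp.com", "suffix", "/"))
    print(route_request("host/neteng-sp1.gtcorp.com", PAGE_REALMS, "suffix", "/"))
    print(route_request("bob", PAGE_REALMS, "suffix", "/"))
    print(POSTED_REGEX_REALM, "compiles:", regex_realm_is_valid(POSTED_REGEX_REALM))
```

Running the block prints the split and the block chosen for each name; regex_realm_is_valid() is the kind of check worth running on a "~" realm name before it goes into proxy.conf, since a pattern that does not compile can never match anything.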

Freeradius 2.1.6: \ in %{SQL-User-Name}

2010-05-10 Thread Difan Zhao
Good morning guys!

I asked a question earlier but haven't heard a reply back yet... I guess
I am not supposed to include the question in the answer to another
question lol.

So here is the question again:

I am using my Freeradius 2.1.6 to do PEAP for Windows XP clients. The
usernames are in format 'Domain_name\username'

I am using postgresql and my safe-characters in the dialup.conf is set
to:

safe-characters =
\...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_:
/

My radcheck table looks like:
 id |   username   | attribute | op |   value
----+--------------+-----------+----+-----------
  4 | GTCORP\dzhao | Auth-Type | =  | ntlm_auth

When I try to authenticate, in the debug, I see this:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'GTCORP\dzhao'   ORDER BY id

However this query returns nothing from the postgresql DB because the DB
treats the \ as an escape character. In order to test I added another
entry in the table:

11 | GTCORPdzhao  | Auth-Type  | =  | ntlm_auth

And the query worked and found it.

I also tried the following query in PostgreSQL and it found the original
entry successfully...

select * from radcheck where username = 'GTCORP\\dzhao'

I am wondering if there is a setting to automatically add another \ in
the %{SQL-User-Name} if there is already a \ in it?? 

Thanks!
 
Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius 2.1.6: Store Cisco device enable passwordinPostgresql DB

2010-05-06 Thread Difan Zhao
Sorry guys... I need to change my question a little bit! Please ignore
my last emails.

I am using my Freeradius 2.1.6 to do PEAP for Windows XP clients. The
usernames are in format 'Domain_name\username'

I am using postgresql and my safe-characters in the dialup.conf is set
to:

safe-characters =
\...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_:
/

My radcheck table looks like:
 id |   username   | attribute | op |   value
----+--------------+-----------+----+-----------
  4 | GTCORP\dzhao | Auth-Type | =  | ntlm_auth

When I try to authenticate, in the debug, I see this:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'GTCORP\dzhao'   ORDER BY id

However this query returns nothing from the postgresql DB because the DB
treats the \ as an escape character. In order to test I added another
entry in the table:

11 | GTCORPdzhao  | Auth-Type  | =  | ntlm_auth

And the query worked and found it.

I also tried a query on the DB and this one found the original entry
successfully...
select * from radcheck where username = 'GTCORP\\dzhao'

I am wondering if there is a setting to automatically add another \ in
the %{SQL-User-Name} if there is already a \ in it?? 

Thanks!
 
Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
 
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Difan Zhao
Sent: Wednesday, May 05, 2010 12:21 PM
To: FreeRadius users mailing list
Subject: RE: Freeradius 2.1.6: Store Cisco device enable
passwordinPostgresql DB

Thank you very much Alan! I added the $ in the safe-characters and it
works great now. However I also added \ but it doesn't seem to work...
My FreeRadius is also setup to handle PEAP for Windows XP PCs and they
use domain\username format. In debug I see:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'GTCORP=5Cdzhao'   ORDER BY id

As you can see the username GTCORP\dzhao becomes GTCORP=5Cdzhao...

I do have \ in the safe-character list:

safe-characters =
\...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_:
/

Any ideas? Thank you!

Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
 
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: Wednesday, May 05, 2010 1:53 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.6: Store Cisco device enable password
inPostgresql DB

Difan Zhao wrote:
 And it doesn't work. Then I am checking the debug and I found that the
$ in the username was interpreted to something like =24:

  Read raddb/sql/postgresql/dialup.conf, and look for safe-characters

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius 2.1.6: Store Cisco device enable password inPostgresql DB

2010-05-05 Thread Difan Zhao
Thank you very much Alan! I added the $ in the safe-characters and it
works great now. However I also added \ but it doesn't seem to work...
My FreeRadius is also setup to handle PEAP for Windows XP PCs and they
use domain\username format. In debug I see:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'GTCORP=5Cdzhao'   ORDER BY id

As you can see the username GTCORP\dzhao becomes GTCORP=5Cdzhao...

I do have \ in the safe-character list:

safe-characters =
\...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_:
/

Any ideas? Thank you!

Difan Zhao, M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
 
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: Wednesday, May 05, 2010 1:53 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius 2.1.6: Store Cisco device enable password
inPostgresql DB

Difan Zhao wrote:
 And it doesn't work. Then I am checking the debug and I found that the
$ in the username was interpreted to something like =24:

  Read raddb/sql/postgresql/dialup.conf, and look for safe-characters

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

2010-05-04 Thread Difan Zhao
Hey guys,

This should be a quick one. 

When I enable on a Cisco device, it sends a request with username $enab15$. 

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=92, 
length=84
NAS-IP-Address = 172.17.254.100
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = $enab15$
Calling-Station-Id = 172.17.1.1
User-Password = password
Service-Type = Administrative-User

I used to store the username and password in the users file and it was 
working fine:

$enab15$   Cleartext-Password := password

Now I am trying to move this user from the file to the postgresql DB and my 
radcheck table looks like:

radius=# select * from radcheck;
 id | username |     attribute      | op |  value
----+----------+--------------------+----+----------
  1 | $enab15$ | Cleartext-Password | := | password

And it doesn't work. Then I checked the debug and found that the $ in 
the username was interpreted as something like =24:

[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck   
WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, UserName, 
Attribute, Value, Op   FROM radcheck   WHERE Username = '=24enab15=24'   ORDER 
BY id

Then I changed the username to this =24enab15=24 and now it works.

I am just curious how freeradius or %{SQL-User-Name} treats special characters 
in username... Is there a way to treat them AS-IS? 

Thank you!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc. 
www.guest-tek.com
Email: difan.z...@guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
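
Added example, not from the thread and not FreeRADIUS's or PostgreSQL's code: a Python model of the =XX escaping rlm_sql applies to %{SQL-User-Name} (every byte not in safe-characters becomes "=" plus two hex digits, which is why $enab15$ shows up as =24enab15=24 in this post and GTCORP\dzhao as GTCORP=5Cdzhao in the later ones), together with a model of how a PostgreSQL server running with standard_conforming_strings = off (the default before 9.1) reads a backslash inside a plain '...' literal. The safe-characters value is assumed to be the stock 2.x one (the copy in the posts is line-wrapped), and the radcheck rows are constructed from the tables shown in the posts.

```python
# Added example for this thread: the '=XX' escaping rlm_sql applies to
# %{SQL-User-Name}, and how a legacy PostgreSQL string literal reads a
# backslash.  Illustrative code, not FreeRADIUS's or PostgreSQL's own.

# Assumed: the stock safe-characters value from the 2.x dialup.conf.
DEFAULT_SAFE_CHARACTERS = (
    "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
)


def sql_escape(value, safe_characters=DEFAUL_SAFE_CHARACTERS if False else DEFAULT_SAFE_CHARACTERS):
    """Model of rlm_sql's escape function: every control byte and every byte
    not listed in safe_characters becomes '=' followed by two uppercase hex
    digits, so '$enab15$' turns into '=24enab15=24'."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 32 or ch not in safe_characters:
            out.append("=%02X" % byte)
        else:
            out.append(ch)
    return "".join(out)


def sql_unescape(value):
    """Inverse of sql_escape.  Unambiguous because '=' itself is never a safe
    character and therefore always arrives as '=3D'."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "=" and i + 3 <= len(value):
            try:
                out.append(int(value[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8", "replace")


def legacy_pg_string(literal_body):
    """What PostgreSQL with standard_conforming_strings = off (the default
    before 9.1) sees inside a plain '...' literal: a backslash escapes the
    next character, so '\\d' is just 'd' and '\\\\' is a single backslash.
    C-style escapes such as \\n or \\xHH are not modelled here."""
    out, i = [], 0
    while i < len(literal_body):
        if literal_body[i] == "\\" and i + 1 < len(literal_body):
            out.append(literal_body[i + 1])
            i += 2
        else:
            out.append(literal_body[i])
            i += 1
    return "".join(out)


def radcheck_lookup(rows, user_name, safe_characters=DEFAULT_SAFE_CHARACTERS,
                    legacy_pg=True):
    """Simulate  ... WHERE Username = '%{SQL-User-Name}'  against an
    in-memory radcheck table: escape as rlm_sql would, read the literal as
    the server would, then compare with the stored usernames.  Returns ids."""
    literal = sql_escape(user_name, safe_characters)
    compared = legacy_pg_string(literal) if legacy_pg else literal
    return [row["id"] for row in rows if row["username"] == compared]


# Constructed from the radcheck rows shown in the posts.
RADCHECK = [
    {"id": 1, "username": "$enab15$", "attribute": "Cleartext-Password", "op": ":=", "value": "password"},
    {"id": 4, "username": "GTCORP\\dzhao", "attribute": "Auth-Type", "op": "=", "value": "ntlm_auth"},
    {"id": 11, "username": "GTCORPdzhao", "attribute": "Auth-Type", "op": "=", "value": "ntlm_auth"},
]

if __name__ == "__main__":
    print(sql_escape("$enab15$"))                  # =24enab15=24
    print(sql_escape("GTCORP\\dzhao"))             # GTCORP=5Cdzhao
    print(radcheck_lookup(RADCHECK, "$enab15$"))   # []  (stored row is not escaped)
    print(radcheck_lookup(RADCHECK, "GTCORP\\dzhao", DEFAULT_SAFE_CHARACTERS + "\\"))  # [11]
```

The same =XX rule is what keeps a User-Name such as x' OR 1=1 -- from changing the query: the quote arrives as =27. The flip side, which the lookups show, is that a stored username has to be in whichever form the server ends up comparing: escaped when the character is not in safe-characters, or literal when it is, and then with the backslash doubled (or standard_conforming_strings on) so the server does not eat it.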


RE: VLAN Attribute ?

2010-04-21 Thread Difan Zhao
Actually I found these attributes from Cisco switch configuration manual
and I just pasted them in and they worked...

However I just did a search again and I found the attribute is in this
dictionary file:

dictionary.rfc3580:VALUE	Tunnel-Type	VLAN	13

BTW I also got a question for you. It has a :0 following the
Tunnel-Type. What is it for? I just removed it and it still works.
However in the Radius -X debug it still has the :0 appended to the
attribute name. Any idea??

Thanks,
 
Difan Zhao M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Fabien COMBERNOUS
Sent: Wednesday, April 21, 2010 3:12 AM
To: FreeRadius users mailing list
Subject: Re: VLAN Attribute ?

Difan Zhao wrote:
 You have to send some attributes to the switch. I am using Cisco
 switches and here are the attributes that I need to send to the switch
 to switch the port to VLAN 3:

 bob Cleartext-Password := test
 Tunnel-Type:0 = VLAN,
 Tunnel-Medium-Type:0 = IEEE-802,
 Tunnel-Private-Group-Id:0 = 3,
 Tunnel-Preference = 0x00

 Other switch vendor may use different attributes.
Thank you for your input.

I'm using an HP ProCurve core switch. I used the following values:
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-ID = 4

It works. In the radius log I get the display you gave, i.e. VLAN instead of 
13, IEEE-802 instead of 6. I will make some tests to use your input 
directly. It is easier to read.

But I am surprised. In the RFC the value 13 does not exist for 
Tunnel-Type:
http://freeradius.org/rfc/rfc2868.html#Tunnel-Type

Where is the value 13 decided?

Best regards,

-- 
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: VLAN Attribute ?

2010-04-20 Thread Difan Zhao
You have to send some attributes to the switch. I am using Cisco
switches and here are the attributes that I need to send to the switch
to switch the port to VLAN 3:

bob   Cleartext-Password := test
Tunnel-Type:0 = VLAN,
Tunnel-Medium-Type:0 = IEEE-802,
Tunnel-Private-Group-Id:0 = 3,
Tunnel-Preference = 0x00

Other switch vendor may use different attributes.

I add these attributes in the users file. I am not using SQL. Don't
know how to pull the attributes via sql...

Hope it helps,

Difan Zhao M.Eng
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Fabien COMBERNOUS
Sent: Tuesday, April 20, 2010 9:06 AM
To: freeradius-users@lists.freeradius.org
Subject: VLAN Attribute ?

Hi,

I'm setting up a FreeRADIUS server using an SQL backend to store 
information about NAS, users and groups. I am looking for the attribute 
to use to allow a group in a VLAN of my switch.

My setup permits authenticating a user and the group of the user. But 
what is the attribute to use in the radreply or radgroupreply table to put 
the port of my switch in the right VLAN?

Best regards,

-- 
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com
*Tel: +33 (0) 467 992 986*
Kezia Group
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
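
Added example for the two VLAN posts above, not from the thread and not FreeRADIUS's own encoder: how the four Tunnel-* reply attributes are laid out on the wire. They are RFC 2868 tagged attributes: a one-octet tag precedes the value, 0x00 meaning "no tag", and that tag is what the :0 in Tunnel-Type:0 refers to and why radiusd -X prints it even when the users file omits it. The value VLAN = 13 for Tunnel-Type comes from RFC 3580, not RFC 2868, which is why it lives in dictionary.rfc3580. The code uses only the standard library; the attribute numbers and the value names are the standard ones.

```python
# Added example for the two VLAN posts: Tunnel-Type / Tunnel-Medium-Type /
# Tunnel-Private-Group-Id / Tunnel-Preference as RFC 2868 tagged attributes.
# Illustrative code, not FreeRADIUS's own encoder.
import struct

TUNNEL_TYPE = 64                 # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65          # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81     # RFC 2868 section 3.6
TUNNEL_PREFERENCE = 83           # RFC 2868 section 3.7
TAGGED_INTEGER_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE)

ATTR_NAMES = {
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id",
    TUNNEL_PREFERENCE: "Tunnel-Preference",
}
TUNNEL_TYPE_VALUES = {13: "VLAN"}        # RFC 3580, hence dictionary.rfc3580
TUNNEL_MEDIUM_VALUES = {6: "IEEE-802"}   # RFC 2868


def _check_tag(tag):
    # Tag 0x00 means "no tag" (the ':0' in Tunnel-Type:0); 0x01-0x1F group the
    # attributes of one tunnel so several sets can be carried in one reply.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")


def encode_tagged_integer(attr, tag, value):
    """Type, Length = 6, Tag (1 octet), Value (3 octets)."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer values are 24-bit")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, tag, value):
    """Type, Length, Tag (1 octet), String."""
    _check_tag(tag)
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if len(data) + 3 > 255:
        raise ValueError("attribute too long for a RADIUS AVP")
    return struct.pack("!BBB", attr, len(data) + 3, tag) + data


def encode_vlan_reply(vlan_id, tag=0, preference=0):
    """The four reply attributes from the posts, for one VLAN, as raw AVPs."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, 13)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, 6)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
            + encode_tagged_integer(TUNNEL_PREFERENCE, tag, preference))


def decode_tunnel_attrs(data):
    """Parse a run of AVPs back into (attr, tag, value) triples."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad AVP length %d" % length)
        body = data[i + 2:i + length]
        if attr in TAGGED_INTEGER_ATTRS:
            if length != 6:
                raise ValueError("%s must be 6 octets" % ATTR_NAMES[attr])
            out.append((attr, body[0], int.from_bytes(body[1:], "big")))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first octet above 0x1F is not a tag but the start
            # of the string (an untagged "3" begins with 0x33).
            if body[0] > 0x1F:
                out.append((attr, 0, body.decode("utf-8", "replace")))
            else:
                out.append((attr, body[0], body[1:].decode("utf-8", "replace")))
        else:
            out.append((attr, None, bytes(body)))
        i += length
    return out


def describe(decoded):
    """Render triples the way radiusd -X prints them, e.g. 'Tunnel-Type:0 = VLAN'."""
    lines = []
    for attr, tag, value in decoded:
        name = ATTR_NAMES.get(attr, "Attr-%d" % attr)
        if attr == TUNNEL_TYPE:
            value = TUNNEL_TYPE_VALUES.get(value, value)
        elif attr == TUNNEL_MEDIUM_TYPE:
            value = TUNNEL_MEDIUM_VALUES.get(value, value)
        lines.append("%s:%d = %s" % (name, tag, value) if tag is not None
                     else "%s = %r" % (name, value))
    return lines


if __name__ == "__main__":
    avps = encode_vlan_reply(3)
    print(avps.hex())
    print("\n".join(describe(decode_tunnel_attrs(avps))))
```

Running it prints the 22 bytes for VLAN 3 and then the same four lines radiusd -X shows, tag included. The decoder also handles the RFC 2868 quirk for Tunnel-Private-Group-ID: a switch that sends the group string without a tag octet is still read correctly because the first byte of a printable VLAN number is above 0x1F.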


RE: Authenticate computers with their hostnames

2010-04-19 Thread Difan Zhao
Phil, thank you very much for the reply! I think you are right. I just tried
to change the authentication type to MD5 and then the laptop doesn't
even try to authenticate with the hostname anymore. It seems it has to use
PEAP for this type of authentication. 

I will try setting up NTLM and see if that works. Thanks again!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Phil Mayers
Sent: Sunday, April 18, 2010 3:54 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authenticate computers with their hostnames

On 04/16/2010 10:37 PM, Difan Zhao wrote:
 Users file:

 host/neteng-sp1.gtcorp.com Auth-Type := Accept

That won't work I think. The hosts are expecting to do EAP/PEAP+MS-CHAP 
(or EAP-TLS) and you'll need appropriate server-side auth mechanisms to 
issue the correct challenge/response values.

That is, you need to setup auth against their machine account 
credentials or certificates.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Authenticate computers with their hostnames

2010-04-16 Thread Difan Zhao
Good afternoon,

 

Sorry to bother you guys again! I am trying to authenticate Windows XP
PCs (SP2) with their hostnames. It looks like the PC will try to use its
hostname (in the format host/computer_name.domainname) to authenticate
when no user is logged in.

I configured the users file and also the post-auth section of the
default file to force accepting the request. The debug shows that it
does accept and send back the response. I also captured the packets in
Wireshark. However the NAS (Cisco 3750 switch with the newest firmware)
doesn't take it; it simply ignores it and sends the request again. It
repeated three times and eventually failed... 

 

Users file:

host/neteng-sp1.gtcorp.com	Auth-Type := Accept
	Tunnel-Type:0 = VLAN,
	Tunnel-Medium-Type:0 = IEEE-802,
	Tunnel-Private-Group-Id:0 = 3,
	Tunnel-Preference = 0x00

Sites-available/default file:

post-auth {
	...
	if (request:User-Name == "host/neteng-sp1.gtcorp.com") {
		update reply {
			Auth-Type := Accept
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-ID = 3
			Tunnel-Preference = 0
		}
	}
	...
}

 

Actually it doesn't look like it's freeradiusd's problem since it did
send back the response. It's the NAS which doesn't process the reply...
However, does anybody know why? Did I miss any attributes? Is there any way
to work around this problem?  

 

Alan, I think you told me once that it's not easy to fool the NAS into
accepting all requests... Is this one of the cases we were talking about??

 

Thank you and have a good weekend!

 

  

Difan Zhao

Network Engineer

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=126, 
length=188
User-Name = host/neteng-sp1.gtcorp.com
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-04
Calling-Station-Id = 00-14-22-FD-DD-98
EAP-Message = 
0x0201001f01686f73742f6e6574656e672d7370312e6774636f72702e636f6d
Message-Authenticator = 0x2cdc1301e3132d89a4de120ea3d788bc
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/neteng-sp1.gtcorp.com, looking up realm 
NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry host/neteng-sp1.gtcorp.com at line 69
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ 
/00-21-F8-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-21-F8-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ 
/00-21-F8-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ 
/00-09-6E-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-09-6E-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? elsif (request:Calling-Station-Id =~ 
/00-09-6E-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++- entering else else {...}
[noop] returns noop
+++- else else returns noop
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/00a008([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) && (User-Name =~ 
/%{Calling

Question: How do I forcibly accept all rest requests??

2010-03-30 Thread Difan Zhao
Good afternoon guys!

I am running version 2.1.6. The server is currently doing 802.1x authentication 
for network devices. Some devices are PCs and users use their Windows domain 
user/password to login. The rest are special network equipment and I use MAC 
address authentication bypass to authenticate them.

Now I have a dilemma: I need to make all other devices (guest devices from 
outside my company) authenticate as well...

Currently if these devices (usually laptop running Windows XP) support 802.1x, 
they will fail and they will be put in an Auth-failed VLAN. The VLAN itself is 
fine and they can do whatever they want on this VLAN. However it's just that 
annoying icon on their laptops. It pops up from time to time to notify users 
that they failed authentication and even prompted for username and password if 
configured to do so...

So I want to make all the rest of the devices authenticate. It will be even better 
if I can assign them to a specific VLAN. I was reading 
./sites-available/default and I found that you can forcibly accept the user (Auth-Type 
:= Accept). Where do I put it? I tried:

post-auth {
Post-Auth-Type REJECT {
#   attr_filter.access_reject
Auth-Type := Accept
}
}

And obviously it's not working... Any ideas how I should configure it? Thank 
you!
 
Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Question: How do I forcibly accept all rest requests??

2010-03-30 Thread Difan Zhao
Alan, 

Thank you for quick reply!

However if you can fool the NAS to let it believe that the device is
authenticated, will the switch also send an EAP success message to the
laptop to fool him as well?

If the laptop is configured to use PEAP and to validate certificate,
then you are right, there is nothing we can do.

If the laptop is configured not to validate the certificate, then when
the Server (freeradiusd) sends a challenge in the TLS tunnel and
received a hashed reply, can it be configured to simply send a success
back anyway?

If the laptop is configured to use MD5, then I think it's even easier to
make this happen...?

I apologize if I got any EAP/Radius theory totally wrong...

The company I work for serves hotels. They want their staff to be put in
right VLAN for admin management purpose while guests put in guest VLAN.
Now my setup is pissing some guests off because they don't like to see
failed on their laptops. It's kind of important... I will really
appreciate if you can come up with a solution for it... 

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 4:43 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

Difan Zhao wrote:
 So I want to make all rest devices to be authenticated. It will be
even better if I can assign them to a specific VLAN. I was reading
./sites-avaliable/default and I found that forcibly accept the user
(Auth-Type := Accept). Where do I put it? I tried:
 
 post-auth {
   Post-Auth-Type REJECT {
 # attr_filter.access_reject
   Auth-Type := Accept
   }
 }

  It's too late to over-ride the reject at that point.

  And I doubt that this will prevent the icon from appearing on their
desktop.  The icon means that the *PC* believes it wasn't authenticated.
 The config above tells the *NAS* to allow them in, but does not
convince the *PC* that it has been authenticated.

  There is no substitute for running the authentication protocol
correctly.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Question: How do I forcibly accept all rest requests??

2010-03-30 Thread Difan Zhao
Uh... Guess you are right... I thought it was something easy but looks
like it's not! I will let the hotel know that there is nothing we can
do. I guess the hotel will give up after I tell them that I have
consulted with the programmer lol. BTW this Freeradius is awesome
program. Very flexible and I like it a lot! Your support is also very
much appreciated! Thanks a lot

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: Tuesday, March 30, 2010 5:47 PM
To: FreeRadius users mailing list
Subject: Re: Question: How do I forcibly accept all rest requests??

Difan Zhao wrote:
 However if you can fool the NAS to let it believe that the device is
 authenticated, will the switch also send an EAP success message to the
 laptop to fool him as well?

  No.  Even if it does, the laptop will ignore it.  There is no
substitute for running the authentication protocol correctly.

 If the laptop is configured to use PEAP and to validate certificate,
 then you are right, there is nothing we can do.
 
 If the laptop is configured not to validate the certificate, then when
 the Server (freeradiusd) sends a challenge in the TLS tunnel and
 received a hashed reply, can it be configured to simply send a
success
 back anyway?

  That's not the way PEAP works.  So no, it's impossible.

 If the laptop is configured to use MD5, then I think it's even easier
to
 make this happen...?

  It's still impossible.

 I apologize if I got any EAP/Radius theory totally wrong...
 
 The company I work for serves hotels. They want their staff to be put
in
 right VLAN for admin management purpose while guests put in guest
VLAN.
 Now my setup is pissing some guests off because they don't like to see
 failed on their laptops. It's kind of important... I will really
 appreciate if you can come up with a solution for it... 

  shrug  That's the way networks work.

  And you expect me to come up with a solution (for free) that you're
charging for?

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?

2010-01-07 Thread Difan Zhao
Greetings!

 

I did read the mschap module file and I did see that in order to use a
cleartext password I need to set MS-CHAP-Use-NTLM-Auth := No; however
I don't know where to set it.

 

I tried to set it in the hints file like the following. I added it to the
beginning of the file and the rest is just default.

enseo_stb
	MS-CHAP-Use-NTLM-Auth := No

 

The enseo_stb is the username. I do see that it matched the line in
the preprocess in the debug however the authentication still failed. I
don't have this user account set in Windows AD. I do have it set in my
users file.

 

Enseo_stb   Cleartext-Password := password

 

Any advice?? Thank you!!

 

  

Difan Zhao

Network Engineer

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

 

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=30, 
length=152
User-Name = enseo_stb
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-05
Calling-Station-Id = 00-21-F8-00-24-B3
EAP-Message = 0x0202000e01656e73656f5f737462
Message-Authenticator = 0x8ba26525d2f95b1d79a0c62d87f854de
NAS-Port-Type = Ethernet
NAS-Port = 50103
NAS-Port-Id = FastEthernet1/0/3
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enseo_stb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++- entering else else {...}
[noop] returns noop
+++- else else returns noop
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> FALSE
?? Skipping (User-Name =~ /^%{Calling-Station-ID}$/i)
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 30 to 172.17.254.100 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0xf13fdb9cf13cc2e40d991f43b28399d7
Finished request 1.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=31, 
length=370
User-Name = enseo_stb
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-05
Calling-Station-Id = 00-21-F8-00-24-B3
EAP-Message = 
0x020300d6190016030100cb01c70301386d438ca276cc49f14dfbd77fc35c74edf79c4fb7a13e77365d80e4db3ff4e15ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004001500120009001400110008000600030144000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023
Message-Authenticator = 0xf22b9ef298b95a509e7aa414d6bda163
NAS-Port-Type = Ethernet
NAS-Port = 50103
NAS-Port-Id = FastEthernet1/0/3
State = 0xf13fdb9cf13cc2e40d991f43b28399d7
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enseo_stb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 214
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 00cb], ClientHello
[peap] TLS_accept: SSLv3
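
Added example, not from the thread and not FreeRADIUS's code: a decoder for the EAP-Message values that radiusd -X prints, run over the Identity responses from this post (enseo_stb) and the earlier host/neteng-sp1.gtcorp.com one, the PEAP Start request in the Access-Challenge above, and a constructed PEAP/TLS ClientHello record. It checks the EAP length field against the data actually present, which is also how it shows that the long ClientHello EAP-Message as archived above is no longer byte-exact: it declares 214 bytes, matching the "[eap] EAP packet type response id 3 length 214" line, but only 206 survive in the archive, so a minimal constructed record stands in for it. The type and handshake name tables are the standard EAP and TLS code points; everything else is this example's own.

```python
# Added example for the 802.1X posts: decode the EAP-Message values that
# radiusd -X prints.  Illustrative code, not FreeRADIUS's own EAP parser.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
                     23: "ApplicationData"}
TLS_HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                       12: "ServerKeyExchange", 13: "CertificateRequest",
                       14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def _to_bytes(value):
    """Accept the '0x...' form printed by radiusd -X, bare hex, or raw bytes."""
    if isinstance(value, str):
        return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    return bytes(value)


def eap_length_fields(value):
    """(declared length, bytes actually present) for one EAP-Message."""
    data = _to_bytes(value)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    return struct.unpack("!H", data[2:4])[0], len(data)


def decode_tls_payload(body):
    """EAP-TLS/PEAP/TTLS data: flags octet (L, M, S bits, 3-bit version), an
    optional 4-octet TLS message length when L is set, then TLS records."""
    if not body:
        return {}
    flags = body[0]
    out = {"length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20), "version": flags & 0x07}
    rest = body[1:]
    if out["length_included"]:
        if len(rest) < 4:
            raise ValueError("L flag set but no TLS message length present")
        out["tls_message_length"] = struct.unpack("!I", rest[:4])[0]
        rest = rest[4:]
    if len(rest) >= 5:
        ctype, version, rlen = struct.unpack("!BHH", rest[:5])
        out["tls_record"] = {"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                             "version": TLS_VERSIONS.get(version, hex(version)),
                             "length": rlen}
        if ctype == 22 and len(rest) >= 6:
            out["tls_handshake"] = TLS_HANDSHAKE_TYPES.get(rest[5], rest[5])
    return out


def decode_eap_message(value):
    """Parse one EAP packet; raises ValueError if the length field lies."""
    data = _to_bytes(value)
    declared, actual = eap_length_fields(data)
    if declared != actual:
        raise ValueError("EAP length field says %d bytes, got %d" % (declared, actual))
    code, ident = data[0], data[1]
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": declared}
    if code not in (1, 2) or declared < 5:
        return info                      # Success/Failure carry no type or data
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = data[5:]
    if eap_type == 1:
        info["identity"] = body.decode("utf-8", "replace")
    elif eap_type in (13, 21, 25):
        info.update(decode_tls_payload(body))
    return info


def build_peap_response(ident, tls_record, flags=0x00):
    """Constructed helper: wrap a TLS record in an EAP Response of type PEAP."""
    body = bytes([25, flags]) + tls_record
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


# Values copied from the debug output in this thread.
IDENTITY_HOST = "0x0201001f01686f73742f6e6574656e672d7370312e6774636f72702e636f6d"
IDENTITY_STB = "0x0202000e01656e73656f5f737462"
PEAP_START = "0x010300061920"
ARCHIVED_CLIENT_HELLO = "0x020300d6190016030100cb01c70301386d438ca276cc49f14dfbd77fc35c74edf79c4fb7a13e77365d80e4db3ff4e15ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004001500120009001400110008000600030144000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023"
# Constructed: a minimal TLS 1.0 Handshake record whose first byte says ClientHello.
CONSTRUCTED_CLIENT_HELLO = build_peap_response(3, bytes.fromhex("1603010004" "01000000"))

if __name__ == "__main__":
    for name in ("IDENTITY_HOST", "IDENTITY_STB", "PEAP_START", "CONSTRUCTED_CLIENT_HELLO"):
        print(name, decode_eap_message(globals()[name]))
    print("archived ClientHello declared/actual:", eap_length_fields(ARCHIVED_CLIENT_HELLO))
```

The Identity response is the only place the outer User-Name comes from in this exchange, which is why the machine shows up as host/neteng-sp1.gtcorp.com before any TLS has happened; everything after the PEAP Start (flags 0x20) is a TLS record and the server can only answer it by running the handshake, not by sending an Accept.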

RE: MAC authentication bypass --- How amIsupposedto?edit?theusersfileto include multiple MAC addresses??

2010-01-04 Thread Difan Zhao
Hey guys,

 

I am still waiting for a possible solution for this problem that I
have... Please let me know even there is no easy fix. 

 

To refresh your memory, I am doing MAC address authentication bypass. It
looks to me like the users file takes precedence over
sites-available/default. Whenever there is a DEFAULT entry in the
users file, the freeradius server doesn't try to run the module/function
in the authentication section... I have attached the debug for
both cases. Please take a look whenever you can. Thank you!

 

Difan

 



From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Difan Zhao
Sent: Wednesday, December 30, 2009 12:19 PM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How
amIsupposedto?edit?theusersfileto include multiple MAC addresses??

 

Hey guys,

 

Since I have asked so many questions regarding this topic I guess you
all know my situation very well, so I won't go through the whole thing
again and will save your time!

 

So I found that if I add a DEFAULT line at the bottom of the users
file, like:

 

...

DEFAULTAuth-Type = ntlm_auth

 

The server will always use ntlm for authentication... even though I have
updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached
both debug files. What should I do if I want a DEFAULT line in the
users file while still using the special authentication that I defined for
MAC authentication bypass? Thanks!

 

 

 

Policy.conf:

 

policy {
    ...
    rewrite_calling_station_id {
        if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}

 

 

Default:

 

authorize {
    ...
    rewrite_calling_station_id
    if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if(request:User-Name == "%{request:User-Password}") {
            ok
        }
        else {
            reject
        }
    }
}

 

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, 
length=157
User-Name = 00a0080806bd
User-Password = 00a0080806bd
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-04
Calling-Station-Id = 00-A0-08-08-06-BD
Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) - TRUE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) - TRUE
+++- entering if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
expand: 00a008%{1}%{2}%{3} - 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') - TRUE
expand: ^%{Calling-Station-ID}$ - ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) - TRUE
++? if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) - TRUE
++- entering if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID

RE: MAC authentication bypass ---How amIsupposedto?edit?theusersfileto include multiple MAC addresses??

2010-01-04 Thread Difan Zhao
Lol Alan you found the problem again!

 

I just read the manual of users and unlang again and now I know
clearly what the problem was... Thank you very much for the help!

 

So radiusd -X won't show whether a check attribute was updated or not?
Here is my radiusd -X output. It's the same no matter whether I use : or := ...

 

...

++? if ((Service-Type == 'Call-Check')  (User-Name =~
/^%{Calling-Station-ID}$/i)) - TRUE

++- entering if ((Service-Type == 'Call-Check')  (User-Name =~
/^%{Calling-Station-ID}$/i)) {...}

+++[control] returns noop

...

 

It's supposed to update the auth-type value but nothing is shown about
whether the value has been successfully updated or not... Is this about
right, or is it actually shown somewhere else and I am looking at the
wrong place?? Thank you!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: Monday, January 04, 2010 4:10 PM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass ---How
amIsupposedto?edit?theusersfileto include multiple MAC addresses??

 

Difan Zhao wrote:

 To refresh your memory, I am doing MAC address authentication bypass.
It

 looks to me that the users file takes precedence than

 sites-available/default.

 

  No.  You are setting Auth-Type = ... in the users file, and then
trying to set Auth-Type = ... *again* elsewhere.

 

  See man unlang for the meaning of the operators.  If you want to

over-ride a previous value, use :=, not =.

 

  Alan DeKok.

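The operator difference Alan points to above (`=` versus `:=`) is easy to misread in the debug output, because `+++[control] returns noop` is printed either way. The following is an added example, not code from the thread or from FreeRADIUS itself: a small Python model of the attribute-list operators as `man users` and `man unlang` describe them, replaying the authorize section from the thread (users file `DEFAULT Auth-Type = ntlm_auth`, then the unlang `update control`). The function names are my own.

```python
"""Model of FreeRADIUS attribute-list update operators (added example).

Replays why 'update control { Auth-Type = Auth-NHSTB }' had no effect after
the users file DEFAULT entry had already set Auth-Type with '=', and why
':=' overrides it. Operator meanings follow man users / man unlang.
"""
from typing import List, Optional, Tuple

AttrList = List[Tuple[str, str]]


def apply_update(attrs: AttrList, attr: str, op: str, value: str) -> AttrList:
    """Apply one 'Attribute op Value' line and return a new attribute list.

    Operators modelled:
      =   add the attribute only if no attribute of that name is present yet
      :=  set the attribute, replacing every existing copy
      +=  always add another copy (multi-valued attributes)
      -=  remove copies of the attribute that carry exactly this value
    """
    out = list(attrs)
    present = any(name == attr for name, _ in out)
    if op == "=":
        if not present:
            out.append((attr, value))
    elif op == ":=":
        out = [(n, v) for n, v in out if n != attr]
        out.append((attr, value))
    elif op == "+=":
        out.append((attr, value))
    elif op == "-=":
        out = [(n, v) for n, v in out if not (n == attr and v == value)]
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return out


def get(attrs: AttrList, attr: str) -> Optional[str]:
    """First value of attr, or None (what %{control:Attr} would expand to)."""
    for name, value in attrs:
        if name == attr:
            return value
    return None


def mab_authorize(users_default_op: str, unlang_op: str) -> Optional[str]:
    """Replay the thread's authorize section on an empty control list.

    1. rlm_files matches 'DEFAULT  Auth-Type <users_default_op> ntlm_auth'.
    2. The Call-Check 'if' fires and runs
       'update control { Auth-Type <unlang_op> Auth-NHSTB }'.
    Returns the Auth-Type that the authenticate section would then see.
    """
    control: AttrList = []
    control = apply_update(control, "Auth-Type", users_default_op, "ntlm_auth")
    control = apply_update(control, "Auth-Type", unlang_op, "Auth-NHSTB")
    return get(control, "Auth-Type")


if __name__ == "__main__":
    # '=' after '=' keeps the users-file value: this is what the debug showed.
    print("users '=' then unlang '='  ->", mab_authorize("=", "="))
    # ':=' replaces it, which is the fix suggested in the thread.
    print("users '=' then unlang ':=' ->", mab_authorize("=", ":="))
```

The same rule explains the earlier Dec 29 debug, where the users file had no DEFAULT entry: with nothing present, `=` behaves like `:=`, so the unlang update appeared to work until the DEFAULT line was added.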

RE: Recall: MAC authentication bypass ---How?am?Isupposedto?edit?theusersfile to include multiple MACaddresses??

2009-12-30 Thread Difan Zhao
So I assume that none of you guys use MS Exchange server then... Do you
guys all hate MS and support open source?? I am a windows guy but I am
on your side!!

Arran, you found the problem! Now it works! Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alexander Clouter
Sent: Wednesday, December 30, 2009 5:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Recall: MAC authentication bypass
---How?am?Isupposedto?edit?theusersfile to include multiple
MACaddresses??

Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
 
 On 29/12/2009 14:45, Difan Zhao wrote:

 Difan Zhao would like to recall the message, MAC authentication
 bypass --- How am Isupposedto?edit?theusersfile to include multiple
 MAC addresses??.

 I've often wondered what that means... Is it some weird outlook
feature
 that is meant to 'unsend' email?
 
Yep, only works if you have a MS Exchange server apparently (maybe it 
works with Outlook-Outlook).  Meanwhile the rest of the world just 
laughs and smiles. :)

Cheers

-- 
Alexander Clouter
.sigmonster says: And on the seventh day, He exited from append mode.



RE: MAC authentication bypass --- How amIsupposedto?edit?theusersfile to include multiple MAC addresses??

2009-12-30 Thread Difan Zhao
Hey guys,

 

Since I have asked so many questions regarding this topic I guess you
all know my situation very well, so I won't go through the whole thing
again and will save your time!

 

So I found that if I add a Default line at the bottom of the users
file, like:

 

...

DEFAULT    Auth-Type = ntlm_auth

 

The server will always use ntlm for authentication... even after I have
updated the auth-type to Auth-NHSTB, it doesn't use it. I have attached
both debug files. What should I do if I want a DEFAULT line in the
users file while still using the special authentication that I defined for
MAC authentication bypass? Thanks!

 

 

 

Policy.conf:

 

policy {
    ...
    rewrite_calling_station_id {
        if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}

 

 

Default:

 

authorize {
    ...
    rewrite_calling_station_id
    if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if(request:User-Name == "%{request:User-Password}") {
            ok
        }
        else {
            reject
        }
    }
}

 

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=9, 
length=157
User-Name = 00a0080806bd
User-Password = 00a0080806bd
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-04
Calling-Station-Id = 00-A0-08-08-06-BD
Message-Authenticator = 0xa3f41ca6cd54f096c389dbcbd9ba73ec
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 38
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) - TRUE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) - TRUE
+++- entering if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
expand: 00a008%{1}%{2}%{3} - 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') - TRUE
expand: ^%{Calling-Station-ID}$ - ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) - TRUE
++? if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) - TRUE
++- entering if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} - 
--username=00a0080806bd
[ntlm_auth] expand: --password=%{User-Password} - --password=00a0080806bd
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc064)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [00a0080806bd/00a0080806bd] (from client switches port 50102 
cli 00a0080806BD)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - 00a0080806bd
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1

RE: MAC authentication bypass --- How am Isupposedto?edit?theusersfile to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
Greetings,

 

I hope you all had a wonderful Christmas holiday!

 

So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern) however from the
Radius -X output (which I attached here) it doesn't seem to authenticate
it the way I want it.

 

Let me repeat my logic here: if the MAC addresses match the pattern, use
the User-Name (or Calling-station-ID, since I rewrite it to be the
same as the User-name) and the password (which is made to be the same as
the User-name as well) to authenticate the device.

 

However, it looks like my if conditions are all matched during the
process, but they all returned noop instead of updating the
information I wanted them to.

 

Here are the configurations I made in the policy.conf and
sites-available/default files:

 

Policy.conf:

 

policy {
    ...
    rewrite_calling_station_id {
        if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}

 

 

Default:

 

authorize {
    ...
    rewrite_calling_station_id
    if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if(Chap-Password) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
            chap
        }
        else {
            ok
        }
    }
}

 

It seems to me that the last ok authenticated the device, instead of
using chap and the Cleartext-Password that I assigned. Any ideas?
Thank you!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 


rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=45, 
length=157
User-Name = 00a0080806bd
User-Password = 00a0080806bd
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-04
Calling-Station-Id = 00-A0-08-08-06-BD
Message-Authenticator = 0x7e1fb3874de8f8f7c98b237aa1778647
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) - TRUE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) - TRUE
+++- entering if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {...}
expand: 00a008%{1}%{2}%{3} - 00a0080806BD
[request] returns noop
+++- if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) returns noop
+++ ... skipping else for request 1: Preceding if was taken
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') - TRUE
expand: ^%{Calling-Station-ID}$ - ^00a0080806BD$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) - TRUE
++? if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) - TRUE
++- entering if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check')  (User-Name =~ 
/^%{Calling-Station-ID}$/i)) returns noop
Found Auth-Type = Auth-NHSTB
+- entering group Auth-NHSTB {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) - FALSE
++? if (Chap-Password) - FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 
00a0080806BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id

Recall: MAC authentication bypass --- How am Isupposedto?edit?theusersfile to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
Difan Zhao would like to recall the message, MAC authentication bypass --- How 
am Isupposedto?edit?theusersfile to include multiple MAC addresses??.

RE: MAC authentication bypass --- How amIsupposedto?edit?theusersfile to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
I apologize for the previous spam! I kind of figured out my problem.
Then I tried to fix it and now I have a new problem!!

 

So I want to authenticate devices when both User-Name and User-Password
are the same and are both the MAC of the device. My default files look
like:

 

authorize {
    ...
    if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

...

authenticate {
    Auth-Type Auth-NHSTB {
        if(%{request:User-Password} == %{request:User-Name}) {
            ok
        }
        else {
            noop
        }
    }
}

 

However when I try to run Radius I keep getting this error:

 

Expected regular expression at: request:User-Password)

/etc/raddb/sites-enabled/default[308]: Failed to parse if subsection.

Errors initializing modules

 

I also tried a lot of other syntax and different operators as well but the
error is still there... What is the right syntax?? Thank you!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514



From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Difan Zhao
Sent: Tuesday, December 29, 2009 11:09 AM
To: FreeRadius users mailing list
Subject: RE: MAC authentication bypass --- How
amIsupposedto?edit?theusersfile to include multiple MAC addresses??

 

Greetings,

 

I hope you all had a wonderful Christmas holiday!

 

So I continued my work this morning. It looks like it can authenticate
the devices (with the certain MAC address pattern) however from the
Radius -X output (which I attached here) it doesn't seem to authenticate
it the way I want it.

 

Let me repeat my logic here: if the MAC addresses match the pattern, use
the User-Name (or Calling-station-ID, since I rewrite it to be the
same as the User-name) and the password (which is made to be the same as
the User-name as well) to authenticate the device.

 

However, it looks like my if conditions are all matched during the
process, but they all returned noop instead of updating the
information I wanted them to.

 

Here are the configurations I made in the policy.conf and
sites-available/default files:

 

Policy.conf:

 

policy {
    ...
    rewrite_calling_station_id {
        if(request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) {
            update request {
                Calling-Station-Id := "00a008%{1}%{2}%{3}"
            }
        }
        else {
            noop
        }
    }
}

 

 

Default:

 

authorize {
    ...
    rewrite_calling_station_id
    if((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) {
        update control {
            Auth-Type = 'Auth-NHSTB'
        }
    }
}

authenticate {
    ...
    Auth-Type Auth-NHSTB {
        if(Chap-Password) {
            update control {
                Cleartext-Password := "%{User-Name}"
            }
            chap
        }
        else {
            ok
        }
    }
}

 

It seems to me that the last ok authenticated the device, instead of
using chap and the Cleartext-Password that I assigned. Any ideas?
Thank you!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 


RE: MAC authentication bypass --- How am I supposedto?edit?theusers file to include multiple MAC addresses??

2009-12-24 Thread Difan Zhao
Hey guys,

 

So I finally started configuring this MAC auth bypass thing... I am
editing the raddb/policy.conf to include the
rewrite_calling_station_id function/module however when I am trying to
run the radiusd -X I got this error:

 

/etc/raddb/policy.conf[72]: Parse error in condition at:
request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) error

 

Here is what I added in the policy.conf. I appended to the back of the
file. I never changed anything else in this file.

 

rewrite_calling_station_id {

if(request:Calling-Station-Id =~
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)

{

update request {

Calling-Station-Id :=
%{1}-%{2}-%{3}-%{4}-%{5}-%{6}

}

}

else

{

noop

}

}

 

My Calling-Station-Id is a MAC address made of numbers and
capital letters with - between octets. However my User-Name is all lower
case letters and numbers, with no - or :. I want to rewrite the
calling station id to be the same as the User-Name. Am I doing it right?
How can I convert it to lower case, or do I need to do that at all??

 

PS the MAC addresses will all start with 00-A0-08. 

 

Thank you and merry Christmas!!

 

Guest-tek, Difan Zhao

difan.z...@guest-tek.com

www.guest-tek.com

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 


RE: MAC authentication bypass --- How am I supposedto?edit?theusersfile to include multiple MAC addresses??

2009-12-24 Thread Difan Zhao
Lol Thank you Arran... You found the problem! Now it's good. Thanks
again!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Arran Cudbard-Bell
Sent: Thursday, December 24, 2009 1:13 PM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I
supposedto?edit?theusersfile to include multiple MAC addresses??

Difan Zhao wrote:

 Hey guys,

 So I finally started configuring this *MAC auth bypass* thing... I am 
 editing the *raddb/policy.conf* to include the 
 *rewrite_calling_station_id* function/module however when I am 
 trying to run the *radiusd -X* I got this error:

 /etc/raddb/policy.conf[72]: Parse error in condition at: 
 request:Calling-Station-Id =~ 
 /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) error

 Here is what I added in the policy.conf. I appended to the back of the

 file. I never changed anything else in this file.

Curly braces need to be inline... don't assume the parser is clever.


NTLM, Kerberos 5 or LDAP

2009-12-22 Thread Difan Zhao
Greetings,

 

I am trying to authenticate my network against Windows 2003 Active
Directory. With help from Ivan Kalik, I was able to use NTLM to
communicate with Windows 2003 server and authenticate EAP clients. On
the EAP side I am using PEAP since they are mostly windows XP clients
and I don't think there is another choice (please correct me if I am
wrong). However on the Radius server side, I seem to have options. It
seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with
Windows Domain Controller. So my questions are: 

 

Can I use any of them? If yes, could you send me helpful links about how
to use Kerberos 5 and LDAP? Which one is the most recommended and why?

 

You may have noticed that I have posted several questions these days and
I really appreciate your help! Now I am really a fan of FreeRadius. I
really want to learn it well and understand what it's capable of. I am a
Cisco guy and I have some Linux experience but no programming
experience. Can any of you recommend a book about how to use
FreeRadius? I think that will stop me asking stupid questions...

 

Thank you!

 

  

Difan Zhao

Network Engineer

difan.z...@guest-tek.com

www.guest-tek.com http://www.guest-tek.com/ 

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

 


Re: MAC authentication bypass --- How am I supposed to?edit?theusersfile to include multiple MAC addresses??

2009-12-22 Thread Difan Zhao
So...,

 

Alan suggested using unlang. I am actually reading un-language (5). If I
use it, where or what file do I put your script in?

 

===== Script that Alan wrote =====

authorize {
    if(%{User-Name} =~ /[0-9a-z]{12}/i && %{Huntgroup-Name} == "MAB-switches") {
        update control {
            Auth-Type := MAB
        }
        ok = return
    }
}

authenticate {
    Auth-Type MAB {
        ok
    }
}




 

I do understand that I need to revise it to make it only authenticate
the right MAC addresses and only respond if the request meets certain
criteria or has certain attributes. Can I include this logic in
unlang, such as User-Name == Calling-Station-Id or Service-Type ==
Call-Check? In addition, I want to assign these devices to a specific
VLAN. Can I add the attributes here as well? Is this VLAN assignment
part of authentication or authorization?

 

Alexander, I did read the links you gave me very carefully and I guess I
understand the logic... However it seems that I have to edit many files.
I am new to the FreeRadius and I don't have any programming
experience... Is there a document which can tell me briefly what these
files are for and how FreeRadius is using them? I don't really want to
edit those files when I don't know enough about them...

 

Thank you both for your advice!

 

Difan

 


RE: MAC authentication bypass --- How am I supposed to edit theusers file to include multiple MAC addresses??

2009-12-19 Thread Difan Zhao
 
Hi Alan,
 
Thank you very much for quick response!
 
Actually you are right. The password is in MD5 hash, not in clear text!
 
I may not be able to use the guest VLAN (the vlan the device will be put in 
after failed or timeout 802.1x request) because I need to use this vlan for 
some other devices!
 
For these 00a008 device, my real purpose actually is NOT to Authenticate them 
but rather assign them to a specific VLAN by using dynamic vlan assignment 
feature of the switch. I have figured it out and tested it. I just have to put 
in special attributes under each user (in this case the MAC of the device) in 
the users file.
 
If I use AD or SQL, can I write a script to accomplish the logic I need so I 
don't have to type in each individual MAC as UN/PW in the database? It still 
sounds like I need to (for example in AD) manually input each of them in the 
database. Can you please give me details about how to implement it in this case?
 
BTW I'd rather not use SQL because I know pretty much nothing about it 
lol
 
I appreciate your advice! Thank you!
 
Difan
 


From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org on 
behalf of Alan Buxey
Sent: Sat 12/19/2009 2:34 AM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit theusers 
file to include multiple MAC addresses??



Hi,

 The way how it works is that (I figured it out by running debug on the switch 
 and by using wireshark), if the supplicant device doesn't support 802.1x, the 
 switch (172.17.254.100) sends a access request to the freeradius server 
 (172.17.1.1) with username and password both are the MAC address of the 
 device!

correct - with the MAC in very plain format... ie all symbols stripped so it's 
just, as you wrote,
00a0080806bd  (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 
00-a0-08-08-06-bd)


by the way, depending on what IOS you've got, this will change - the new IOS
(and this can be configured too on some previous versions) will send the
password in the form of the MD5 of the MAC address!

 That brings my dilemma! I have like 200 devices like this. I don't want to 
 edit my users file with each of the MAC address as the UN/PW. Is there an 
 easy way to write a script like thing to include all of them? The mac 
 addresses are all start with 00:a0:08. I want a logic like:

many ways to do this - you certainly don't need to play with the users file - you
might want to eg, put them into AD/LDAP or put them into SQL.  in SQL you can 
set

User-Name       Attribute            Op   Value
00a0080806bd    Cleartext-Password   :=   00a0080806bd


if you KNOW that the addresses are valid, then you could scrape 
them... alternatively,
set the fail/guest VLAN to be behind a captive portal box and then the users 
get to
see a 'login page' and when they click login, you can grab their IP address and 
therefore
their MAC address and then insert that into SQL.  just a quick idea... monday 
morning project.

alan

RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!

2009-12-18 Thread Difan Zhao
Hey Ivan,

Thank you very much for your help! Now it works beautifully! 

My next step is to integrate FreeRadius with my Windows domain to use
Windows AD for authentication. I am sure I will have more questions for you
guys! 

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of t...@kalik.net
Sent: Thursday, December 17, 2009 6:53 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN assignment works on EAP-MD5, but not
EAP-PEAP!!!

 I have figured out how to configure attributes. Here is my user
file:



 test   Cleartext-Password := test

 Tunnel-Type = 16777229,

 Tunnel-Medium-Type = 16777222,

 Tunnel-Private-Group-ID = 3



 When I use MD5-Challenge, I got put in the right vlan I wanted.
However
 if I choose PEAP, I can be authenticated but the vlan thing won't
work.
 I checked the Radius -X output very carefully and I don't see the
server
 is sending any attributes, as it did when the MD5 is used... I chose
 different types of authentication on the windows box. It seems I don't
 have to change any configuration on the radius server for both
 authentications to work. I will attach both radius -X output for both
 types.

You have those attributes in the tunneled reply. You should enable
use_tunneled_reply in the peap section of eap.conf.

Ivan Kalik



MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-18 Thread Difan Zhao
Hey experts!!

 

I am having another dilemma here. I am trying to configure MAC
authentication bypass feature on my Cisco 3750 switch to authenticate
some devices which don't support 802.1x.

 

The way it works (I figured it out by running debug on the
switch and by using Wireshark) is that if the supplicant device doesn't support
802.1x, the switch (172.17.254.100) sends an Access-Request to the
freeradius server (172.17.1.1) with username and password both set to the
MAC address of the device!

 

That brings my dilemma! I have like 200 devices like this. I don't want
to edit my users file with each MAC address as the UN/PW. Is
there an easy way to write a script-like thing to include all of them?
The MAC addresses all start with 00:a0:08. I want a logic like: 

 

If a request is for a user with first 3 octets like the above one, use
its MAC address (in this case will be also its username) as the password
and grant the access.

 

Is it possible to do it in FreeRadius 2.1.6?? I have attached the output
of a successful authentication for a device with MAC: 00a0080806bd. Of
course I manually added this user in my users file. My users file looks
like:

 

00a0080806bd    Cleartext-Password := 00a0080806bd

 

I appreciate any advice!! Thank you guys!!

Difan Zhao, CCNP
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

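The prefix rule Difan asks for can be written as a single DEFAULT entry in raddb/users. What follows is a constructed example added here, not a configuration from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x users-file syntax (the poster runs 2.1.6), the 00:a0:08 OUI and the VLAN 20 reply attributes that appear in the attached debug output, and that rlm_files expands %{User-Name} inside a double-quoted check item; that expansion is marked as an assumption in the comments.

```text
# Constructed example for raddb/users (FreeRADIUS 2.x syntax); not taken from
# the original thread. Assumes the 00:a0:08 OUI and VLAN 20 quoted in the post.
#
# Cisco MAB sends User-Name and User-Password both equal to the MAC in
# lowercase hex without separators (00a0080806bd) together with
# Service-Type = Call-Check, while Calling-Station-Id carries the same MAC
# as 00-A0-08-08-06-BD. The check items below match only that shape:
#
#   Service-Type == Call-Check      limits the entry to MAB requests, so an
#                                   802.1X or login attempt cannot reach it
#   User-Name =~ "..."              restricts the claimed MAC to the 00:a0:08 OUI
#   Calling-Station-Id =~ "..."     requires the switch-reported MAC to carry
#                                   the same OUI as the claimed username
#   Cleartext-Password := "%{User-Name}"
#                                   ASSUMPTION: rlm_files expands %{...} in a
#                                   double-quoted check item, so PAP then
#                                   compares User-Password against User-Name
#
# Because the "password" is the public MAC address, this entry admits any
# device presenting a 00:a0:08 MAC; the reply keeps such devices in a VLAN
# reserved for them instead of one shared with authenticated users.
DEFAULT Service-Type == Call-Check, User-Name =~ "^00a008[0-9a-f]{6}$", Calling-Station-Id =~ "^00-[Aa]0-08-", Cleartext-Password := "%{User-Name}"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20

# A single device can be taken out of the prefix rule without touching the
# others: a username entry placed before the DEFAULT matches first, and
# without Fall-Through the DEFAULT below it is never consulted.
00a0080806bd    Service-Type == Call-Check, Auth-Type := Reject
        Reply-Message = "MAB disabled for this device"
```

A MAC address is visible to everyone on the segment, so an entry like this authenticates the OUI rather than the device; the Service-Type and Calling-Station-Id checks only keep it from being exercised by anything other than a MAB request from the switch. Where the 200 devices are known, an explicit per-MAC list remains the tighter configuration, and the reject entry shows how individual devices are then managed within the prefix.
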
rad_recv: Accounting-Request packet from host 172.17.254.100 port 1646, id=32, length=127
Acct-Session-Id = 001C
Acct-Authentic = RADIUS
Acct-Terminate-Cause = Lost-Carrier
Acct-Session-Time = 4093
Acct-Input-Octets = 16040
Acct-Output-Octets = 384527
Acct-Input-Packets = 169
Acct-Output-Packets = 2946
Acct-Status-Type = Stop
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
Service-Type = Framed-User
NAS-IP-Address = 172.17.254.100
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 50102,Client-IP-Address = 172.17.254.100,NAS-IP-Address = 172.17.254.100,Acct-Session-Id = 001C,'
[acct_unique] Acct-Unique-Session-ID = 8ac0763679e7418b.
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/172.17.254.100/detail-20091218
[detail] expand: %t -> Fri Dec 18 16:10:23 2009
++[detail] returns ok
++[unix] returns noop
[radutmp]   expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} ->
++[radutmp] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} ->
++[attr_filter.accounting_response] returns noop
Sending Accounting-Response of id 32 to 172.17.254.100 port 1646
Finished request 0.
Cleaning up request 0 ID 32 with timestamp +10
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=90, length=157
User-Name = 00a0080806bd
User-Password = 00a0080806bd
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = 00-1D-E5-9C-29-04
Calling-Station-Id = 00-A0-08-08-06-BD
Message-Authenticator = 0xd8bb55e55d3239af2a93e5db8df80960
NAS-Port-Type = Ethernet
NAS-Port = 50102
NAS-Port-Id = FastEthernet1/0/2
NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = 00a0080806bd, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry 00a0080806bd at line 28
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password 00a0080806bd
[pap] Using clear text password 00a0080806bd
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [00a0080806bd/00a0080806bd] (from client switches port 50102 cli 00-A0-08-08-06-BD)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 90 to 172.17.254.100 port 1645
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 20
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from