The best encryption/access control scheme

2007-10-30 Thread Ian Truelsen
I have become in charge of a small wireless ISP at my local marina and
am looking for the best way to control access and encrypt for security.
Currently I have a Linksys WRT54G router running DD-WRT firmware and a
PC that I have now converted over to a linux box for freeradius, etc.

The major stumbling block is that we have clients with equipment that
cannot deal with WPA encryption, and so, I think, I am forced to use WEP
key. Now, the main concern is access control, as in the past there have
been those in the area abusing the open AP and draining all the
bandwidth. 

So, what would be the best scheme to use for setting this up? Is a
freeradius login/pass scheme with WEP key encryption the best that I can
manage, or are there other options? 

Thanks.

-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MySQL authentication problem

2007-01-01 Thread Ian Truelsen
radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on
Dec 26 2006 at 01:46:55
mysql  Ver 14.12 Distrib 5.0.30, for pc-linux-gnu (i686) using readline
5.2

I thought that I had everything configured properly for MySQL
authentication, but when I try to do a test with radtest, the test user
is not authenticated and there is no log of activity to the MySQL
database. Anyway, here is the output of radiusd -X and, at the end, the
population of my database:

rad_recv: Access-Request packet from host 192.168.182.1:2053, id=7,
length=55
User-Name = "ian"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ian", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  'ian'
rlm_sql (sql): sql_set_user escaped user --> 'ian'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radcheck   WHERE Username = 'ian'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ian' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM
radreply   WHERE Username = 'ian'   ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'ian' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [ian/test] (from client brentwood port 1812)
Delaying request 0 for 1 seconds
Finished request 0


mysql> select * from radcheck
-> ;
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
|  1 | Password | ==        | te |       |
|  2 | ian      | Password  | == | test  |
+----+----------+-----------+----+-------+
2 rows in set (0.01 sec)

Any thoughts on why this is not working would be greatly appreciated.

-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: MySQL authentication problem

2007-01-02 Thread Ian Truelsen
On Tue, 2007-01-02 at 09:37 -0300, Hernan Antolini wrote:
> 
> ian, just review your radiusd.conf (authenticate and authorize
> sections) because your sql IS going ok.
> 
>  modcall[authorize]: module "sql" returns ok for request 0 
> 
> but your "unix" IS not 
> 
> modcall[authenticate]: module "unix" returns notfound for request 0 
> 
> just leave "sql" in your auth section if you plan to do it that way
> 
> Hernan Antolini
> 
Well, I only want authentication from the MySQL database, so that should
authenticate the user, if the sql section is working correctly. Why
then, would the user not be authenticated, based on the information in
the radcheck table (below)?

mysql> select * from radcheck
-> ;
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
|  1 | Password | ==        | te |       |
|  2 | ian      | Password  | == | test  |
+----+----------+-----------+----+-------+
2 rows in set (0.01 sec)

Sorry if I am being obtuse, but there is something that I am not quite
getting here.

Thanks for the help.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: MySQL authentication problem

2007-01-02 Thread Ian Truelsen
On Tue, 2007-01-02 at 09:37 -0300, Hernan Antolini wrote:
> 
> ian, just review your radiusd.conf (authenticate and authorize
> sections) because your sql IS going ok.
> 
>  modcall[authorize]: module "sql" returns ok for request 0 
> 
> but your "unix" IS not 
> 
> modcall[authenticate]: module "unix" returns notfound for request 0 
> 
> just leave "sql" in your auth section if you plan to do it that way
> 
> Hernan Antolini
> 
BTW, I just noticed that while there is a section in authorize for sql,
there is not one in authenticate. Is that correct?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: MySQL authentication problem

2007-01-03 Thread Ian Truelsen
On Tue, 2007-01-02 at 17:45 -0300, Hernan Antolini wrote:
> 
> ian 
> "sql" goes in authorize section and accounting only; leave
> "preprocess", "auth_log", "suffix" and "sql" uncommented there to
> start. 
> what about your "ian" entry in your users file ?...and delete that
> strange entry in your radcheck (id 1). 
>   
Okay, here is where I am unclear on the concept: If I need an entry in
the users file, as well as radcheck database, then why am I using MySQL
at all? I envisioned the sql authorization as negating the need to hard
code a file on the system, but if I need both, then I don't really need
MySQL. Would the sql database not make the users file unnecessary?

The first entry in the radcheck table is me forgetting to add the null
as the first column.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: MySQL authentication problem

2007-01-03 Thread Ian Truelsen
On Wed, 2007-01-03 at 17:01 -0800, Alan DeKok wrote:
> Ian Truelsen wrote:
> 
> > Okay, here is where I am unclear on the concept: If I need an entry in
> > the users file, as well as radcheck database,
> 
>   You don't.  The server is modular, which means any (or almost all)
> modules are optional.
> 
> > then why am I using MySQL
> > at all? I envisioned the sql authorization as negating the need to hard
> > code a file on the system, but if I need both, then I don't really need
> > MySQL. Would the sql database not make the users file unnecessary?
> 
>   Yes.
> 
Thanks for the clarification. Now, I still have the problem that, if I
populate the users file with the same information that I have in my
radcheck table, I get a positive authentication on the user. Without the
users entry, I do not. Is there something else that needs to be
populated in the radius database, like the group tables, or something?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: MySQL authentication problem

2007-01-04 Thread Ian Truelsen
On Thu, 2007-01-04 at 05:14 -0800, Alan DeKok wrote:
> Ian Truelsen wrote:
> > Thanks for the clarification. Now, I still have the problem that, if I
> > populate the users file with the same information that I have in my
> > radcheck table, I get a positive authentication on the user. Without the
> > users entry, I do not. Is there something else that needs to be
> > populated in the radius database, like the group tables, or something?
> 
>   No.
> 
>   Perhaps you could try describing what is going into the "users" file,
> and what you think it should be doing.
> 
All I did with the users file was to duplicate the entry in the radcheck
table. So I have:

ian Auth-Type := Local, User-Password == "test"

added to my users file and with that, radtest authenticates user ian.
Without it, user ian is not authenticated. The same information is
stored in my radcheck table:

mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | UserName | Attribute | op | Value |
+----+----------+-----------+----+-------+
|  3 | ian      | Password  | == | test  |
+----+----------+-----------+----+-------+
1 row in set (0.01 sec)

-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]




Re: MySQL authentication problem

2007-01-04 Thread Ian Truelsen

On 1/4/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Ian Truelsen wrote:
>
> > All I did with the users file was to duplicate the entry in the radcheck
> > table. So I have:
> >
> > ian Auth-Type := Local, User-Password == "test"
>
> 1) Don't set Auth-Type by hand.  It's not necessary.
> 2) Use ":=" for User-Password, not '=='.

Alright, but that part of it works. It is the MySQL section that does not.
Would these be related somehow?

--

Ian Truelsen
s/v Sting

Re: MySQL authentication problem

2007-01-13 Thread Ian Truelsen
On Thu, 2007-01-04 at 05:14 -0800, Alan DeKok wrote:
> Ian Truelsen wrote:
> > Thanks for the clarification. Now, I still have the problem that, if I
> > populate the users file with the same information that I have in my
> > radcheck table, I get a positive authentication on the user. Without the
> > users entry, I do not. Is there something else that needs to be
> > populated in the radius database, like the group tables, or something?
> 
>   No.
> 
>   Perhaps you could try describing what is going into the "users" file,
> and what you think it should be doing.
> 
It seems that I got it to work by setting the Default auth_type
in /etc/raddb/users to Local as opposed to system. Not sure why that
works, but it does.

Many thanks for all the suggestions.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Which authentication system?

2007-03-27 Thread Ian Truelsen
I am trying to figure out the various authentication systems available
and decide what is best for my setup. I am looking for advice.

Here is what I want to do:
This is for the marina that I am at and a group of 10 of us wanted
internet, invested in the hardware and want to be able to access the
system without logging in or anything like that. For this group, I was
thinking of EAP-TLS as client side certificates would not be a problem.
Being a marina, we get people in from time to time - mostly in the
summer - who are only going to be there for a week or so and just want
to check email or whatever. For these, I don't want to be dealing with
client side certs as this raises the amount of time that I have to be
administering the system exponentially. I was thinking of something
along the lines of chillispot, but I have never been able to get that
going, and I don't know whether the two systems can co-exist on the same
AP.

So, does anyone have any thoughts on what would be the best auth system
to go with?

I should also mention that I already have a varied group of systems to
deal with, including Mac OS X, Win XP, linux and a couple of Win ME
systems, so support has to be pretty broad.

Thanks in advance.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Anyone using dd-wrt for AP?

2007-03-31 Thread Ian Truelsen
I am trying to set up dd-wrt to use freeradius for authentication with
EAP-TLS, however, I have run into a problem: there doesn't seem to be an
option under the WPA encryption system for entering the freeradius
secret. If anyone has got this working, can you let me know the where
and how? The dd-wrt forums have been pretty silent on the issue.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]




Re: Anyone using dd-wrt for AP?

2007-03-31 Thread Ian Truelsen
On Sun, 2007-04-01 at 07:19 +0200, Alan DeKok wrote:
> Ian Truelsen wrote:
> > I am trying to set up dd-wrt to use freeradius for authentication with
> > EAP-TLS, however, I have run into a problem: there doesn't seem to be an
> > option under the WPA encryption system for entering the freeradius
> > secret. If anyone has got this working, can you let me know the where
> > and how? The dd-wrt forums have been pretty silent on the issue.
> 
>   If the box is sending RADIUS requests from itself to itself, the
> secret should probably be hard-coded to something static, like "testing123".
> 
Hopefully that is not the case. The freeradius server is on an external
machine. I am trying to get the AP to authenticate against that server,
but I am having trouble sorting out how to get it to do this.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: Re : Anyone using dd-wrt for AP?

2007-04-02 Thread Ian Truelsen
On Mon, 2007-04-02 at 08:40 +, Eshun Benjamin wrote:
> The settings below will help: 
snip
> 
> Make sure you have your client(AP) information in radius: client.conf
> ( AP IP , MyWireless, Shared Key)
> configure eap.conf and radius.conf as well.
> 
> All the best.

Thanks, but I am still having some problems. 

I have the settings as you sent me, set up in the router. I have set
both the radius secret on the radius section of the router setup and the
WPA secret in the security section of the router as the same, namely:
testing456.

Now, I have this in my clients.conf:
client 192.168.1.115/24 {
nastype = other
secret  = testing456
shortname   = dd-wrt
}

However, when I try to connect using this router, I get the following
from the output of radiusd -X:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.3.115:3078, id=0,
length=137
Received packet from 192.168.3.115 with invalid Message-Authenticator!
(Shared secret is incorrect.) Dropping packet without response.
Finished request 0

I am sure that I am doing something basic wrong, but I can't see it.
Hopefully, some other eyes will spot the problem. Let me know if you
need any more information.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
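
The check behind the "invalid Message-Authenticator" line in the post above, as an added Python example (not code from the post or from FreeRADIUS): the server chooses the shared secret by the packet's source address, then recomputes HMAC-MD5 over the request with the Message-Authenticator value zeroed. The request packet, the longest-prefix lookup and the second client entry with a different secret are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_access_request(secret, ident, user):
    """Constructed Access-Request carrying User-Name and Message-Authenticator."""
    authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    name = user.encode()
    attrs = bytes([1, len(name) + 2]) + name + bytes([MSG_AUTH, 18]) + bytes(16)
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)))
    packet += authenticator + attrs
    # HMAC-MD5 over the whole packet while the 16-byte value is still zero.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def message_authenticator_offset(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return None

def verify(packet, secret):
    off = message_authenticator_offset(packet)
    if off is None:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)

def secret_for(src_ip, clients):
    """Most specific client network containing src_ip (assumed lookup rule)."""
    addr = ipaddress.ip_address(src_ip)
    hits = [(net, secret) for net, secret in clients if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def check_request(src_ip, packet, clients):
    secret = secret_for(src_ip, clients)
    if secret is None:
        return "unknown client"
    return "ok" if verify(packet, secret) else "invalid Message-Authenticator"

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

# The AP in the post sends from 192.168.3.115 with secret testing456.
AP_IP = "192.168.3.115"
PACKET = build_access_request(b"testing456", 0, "ian")

# clients.conf as posted: the block covers 192.168.1.0/24, not the AP.
AS_POSTED = [(net("192.168.1.115/24"), b"testing456")]
# Hypothetical extra entry that does cover the AP but has another secret.
WITH_OTHER = AS_POSTED + [(net("192.168.3.0/24"), b"constructed-other")]
# Client entry matching the address the requests really come from.
CORRECTED = [(net("192.168.3.115/32"), b"testing456")]

if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED),
                         ("other entry matches", WITH_OTHER),
                         ("corrected", CORRECTED)):
        print(label, "->", check_request(AP_IP, PACKET, table))
```
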



Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Ian Truelsen
On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
> According to the microsoft support article 
> (http://support.microsoft.com/kb/814394/en-us)
> 
> "The IAS or the VPN server computer certificate is configured with the 
> Server Authentication purpose. The object identifier for Server 
> Authentication is 1.3.6.1.5.5.7.3.1."
> 
> But I have no idea how to add it to the certificate, if you find out 
> please let me know :)
> 
Check out this article:

http://www.linuxjournal.com/article/8095

It explains how to get the MS attributes into the certificates.

Hope this helps.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]




Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Ian Truelsen
On Wed, 2007-04-04 at 22:16 +0100, Arran Cudbard-Bell wrote:
> Is it really just as simple as creating the certificate, signing it with 
> the right extensions, installing the proper rootCA on the windows 
> machines , and configuring the windows supplicant correctly ?
> 
Pretty much. As long as you have the proper IP address for the AP in
your clients.conf, which was my particular stupidity :) Still, it seems
to work for me.
> Which would be
> 
> In authentication tab
> Enable IEEE 802.1x authentication for this network
> Setting EAP Type to PEAP
> 
> In properties
> Validate server certificate
> Authentication method EAP-MSCHAP v2
> Checking the Root CA the certificate was signed with .
> 
> In Configure
> Automatically use my windows logon name and password unchecked.
> 
I am using both client and server certificates, so the logon and
password is not currently needed -- for me.

-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Accounting question

2007-04-09 Thread Ian Truelsen
When I connect to my AP, authenticated by freeradius using EAP-TLS, I
get an entry into radpostauth, entries
in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
files, but I am not getting any entries into radacct. I don't know
whether this is because the NAS is not sending any accounting packets or
my setup is not correct. However, since I am getting the entries into
radpostauth, I think I must have the setup correct.

In what circumstances are accounting packets sent from the NAS? How can
I test to see whether the packets are being sent? What sort of
information is supposed to be stored in radacct?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



WEP only client

2007-04-13 Thread Ian Truelsen
I have a client whose wifi adaptor (Linksys WUSB11) can only do wep key
encryption and I was wondering whether it would be possible to use
eap-tls or something similar given the restrictions. What is the most
secure system that can be used with this type of adaptor?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: WEP only client

2007-04-14 Thread Ian Truelsen
On Sat, 2007-04-14 at 17:54 +0100, [EMAIL PROTECTED] wrote:
> Hi,
> 
> > I have a client whose wifi adaptor (Linksys WUSB11) can only do wep key
> > encryption and I was wondering whether it would be possible to use
> > eap-tls or something similar given the restrictions. What is the most
> > secure system that can be used with this type of adaptor?
> 
> most secure would be to use VPN for data transit.  ie the best
> layer 2 you'd get is WEP - which isn't worth anything. so make
> sure that the only way to pass the subnet gateway is via
> VPN

Any decent howto on setting this up?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Problem with mysql authorization

2007-05-01 Thread Ian Truelsen
I am trying to set up mysql authorization, but am having some problems.
I have set up sql.conf which seems to be correct, based on the output:


-- Module: Loaded SQL 
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "radius"
 sql: password = ""
 sql: radius_db = "radius"
 sql: nas_table = "nas"
 sql: sqltrace = no
 sql: sqltracefile = "/var/log/radius/sqltrace.sql"
 sql: readclients = no
 sql: deletestalesessions = yes
 sql: num_sql_socks = 5
 sql: sql_user_name = "%{User-Name}"
 sql: default_user_profile = ""
 sql: query_on_not_found = no
 sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op
   FROM radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER 
BY id"
 sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op
   FROM radreply   WHERE Username = '%{SQL-User-Name}'   ORDER 
BY id"

To me, that looks like it is correct.

I have added info to the radcheck table:

+----+----------+-----------+--------+----+
| id | UserName | Attribute | Value  | op |
+----+----------+-----------+--------+----+
|  1 | ian      | password  | tester | == |
+----+----------+-----------+--------+----+

Now, I try to test with radtest:

brentwood-internet ~ # radtest ian tester localhost 1812 testing123
Sending Access-Request of id 88 to 127.0.0.1 port 1812
User-Name = "ian"
User-Password = "tester"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=88, length=20

So, not so good.

rad_recv: Access-Request packet from host 127.0.0.1:2048, id=88, length=55
User-Name = "ian"
User-Password = "tester"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812

That looks like the query is being processed as I would expect. The rest of the 
output:

radius_xlat:  'ian'
rlm_sql (sql): sql_set_user escaped user --> 'ian'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'ian'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'ian' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'ian'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'ian' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [ian]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [ian/tester] (from client localhost port 1812)

So, I am not sure what is going on. When I run the command in mysql, I get the 
correct output, as I would expect:

mysql> select id, 
-> UserName, Attribute, Value, op from radcheck where Username = 'ian' 
order by id;
+----+----------+-----------+--------+----+
| id | UserName | Attribute | Value  | op |
+----+----------+-----------+--------+----+
|  1 | ian      | password  | tester | == |
+----+----------+-----------+--------+----+
1 row in set (0.00 sec)

Any thoughts on what I missed here?

Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: Problem with mysql authorization

2007-05-02 Thread Ian Truelsen
On Tue, 2007-05-01 at 21:56 +0100, [EMAIL PROTECTED] wrote:
> Check that it's not picking up the Auth-Type System from the users file.
> Comment it out there and it should work.
> 
That was the problem. Thanks.
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
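
Both MySQL threads on this page fail the same way in the `radiusd -X` output: `sql` returns ok in authorize, yet Auth-Type System hands the password check to the `unix` module. The following Python triage of that debug output is an added example (not from the posts or from FreeRADIUS); the two log excerpts are copied from the posts above and the function names are hypothetical.

```python
import re

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
USERS = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")

# Excerpt of the debug output in the 2007-01-01 post.
LOG_JAN = """\
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
  modcall[authenticate]: module "unix" returns notfound for request 0
auth: Failed to validate the user.
"""

# Excerpt of the debug output in the 2007-05-01 post.
LOG_MAY = """\
  modcall[authorize]: module "sql" returns ok for request 0
  rad_check_password:  Found Auth-Type System
rlm_unix: [ian]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
auth: Failed to validate the user.
"""

def summarize(debug_text):
    """Collect per-section module results, the matched users entry and Auth-Type."""
    s = {"authorize": {}, "authenticate": {}, "users_entry": None,
         "auth_type": None, "failed": False}
    for line in debug_text.splitlines():
        m = MODCALL.search(line)
        if m:
            section, module, rcode = m.groups()
            if section in ("authorize", "authenticate"):
                s[section][module] = rcode
            continue
        m = USERS.search(line)
        if m:
            s["users_entry"] = (m.group(1), int(m.group(2)))
            continue
        m = AUTH_TYPE.search(line)
        if m:
            s["auth_type"] = m.group(1)
        elif "Failed to validate the user" in line:
            s["failed"] = True
    return s

def diagnose(s):
    """Return a hint when SQL authorization worked but system auth rejected."""
    if not s["failed"] or s["authorize"].get("sql") != "ok":
        return None
    unix_rcode = s["authenticate"].get("unix")
    if s["auth_type"] == "System" and unix_rcode in ("notfound", "reject"):
        hint = "an Auth-Type System entry in the users file"
        if s["users_entry"]:
            hint = "users entry %s at line %d" % s["users_entry"]
        return ("sql returned ok in authorize, but Auth-Type System sent the "
                "password check to the unix module (%s); check %s"
                % (unix_rcode, hint))
    return None

if __name__ == "__main__":
    for name, log in (("2007-01-01", LOG_JAN), ("2007-05-01", LOG_MAY)):
        print(name, "->", diagnose(summarize(log)))
```
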
