Re: Help with Freeradius and implementing time based One-Time-Passwords

2006-12-11 Thread Ian Walker

I have implemented this exact solution with a Polish application (I'm based
in Poland).  And it worked.  Although mine was using mysql for the user
storage, ldap was also an option.

Mine runs with a Java application on the mobile phone, which I've set to
allow 60 second timings for the password validity.

The application that is providing the one-time password functionality should
integrate with the radius server without any major config changes.

You fail to mention the application you're trying to use.


Ian Walker

On 09/12/06, Peter Urban <[EMAIL PROTECTED]> wrote:


Hi there,


I am trying to set up a time-based one-time password with freeradius (no
challenge response!!).


I have a mobile phone that produces a token.
The token is an md5-hash of a shared-secret and the actual time in ms.

Now I want to configure the freeradius server the following way:

The user has to enter his username and the produced token from the mobile
phone.
This information is sent to the freeradius-server.
The server is connected to an ldap-database and looks up if the user exists.
If the user exists, he gets the shared-secret from the ldap.

Now the freeradius has to calculate some tokens (cause time on server and
mobile are not the same): md5 of the shared secret from the user from ldap
and actual time.

After that he has to compare the calculated tokens with the token that was
provided by the user.

On positive matches the user is authenticated.

Can it be implemented? Is there literature that I need to have a look at?
Is there already a plugin that supports time based one time passwords?

Can anyone help me with setting up this scenario???

best regards
peter urban


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


Re: Problem authenticating with Checkpoint Integrity.

2006-12-05 Thread Ian Walker


> Ian Walker wrote:
>> I'm attempting 802.1x authentication with Checkpoint Integrity.  I have
>> it working with peap no problems and using mschapv2.  However, when I
>> attempt with Integrity, I have to choose "Zone Labs Cooperative
>> Enforcement" within the Windows 802.1x authentication options.  I've
>> then chosen peap/mschapv2 here, but an additional setting is eap-type
>> "44" of which I'm unable to change on the client.
>
>  Which is proprietary to ZoneLabs, and which is otherwise unknown.
>
>> The main bit of this being the EAP NAK and "NAK asked for bad type 44".
>> I'm unsure of how I'm supposed to configure freeradius to use this type,
>> as in the IANA numbers, type 44 is shown as:
>>
>> 44 ZoneLabs EAP (ZLXEAP)
>>
>> Any ideas on what I can do to get this working?
>
>  Ask Zone Labs for documentation on how it works, and on an
> implementation that you can submit to FreeRADIUS.  Tell them that if
> their EAP type is implemented in FreeRADIUS, then it will be available
> in the most widely used RADIUS server on the planet. :)
>
> Alan DeKok.


We got it working in the end with FreeRadius.  Because of the hardware we
were using (HP), we had to use HP's IDM software, and it all authenticated
perfectly.  The way we configured previously was wrong, which was why we
were getting the problems.




Ian




Re: Problem starting freeradius 1.1.3

2006-12-05 Thread Ian Walker


>>Ian Walker wrote:
>> I used the  "rpmbuild -ta" command to build an rpm of freeradius-1.1.3
>> and all went well with the build.  I then installed the rpm, and I'm
>> getting the following error message after running radiusd -X.
>>...
>> radiusd: symbol lookup error: radiusd: undefined symbol: udpfromto_init

>  You probably have two versions of the server installed.  This error is
>coming from the one that's not part of the RPM build, I think.

>> I'm not sure what to do to get around the problem of the undefined
>> symbol udpfromto_init error.  Has anyone any ideas on what I can do to
>> get freeradius working?

>  Double-check how many versions you have installed.

>  Use the correct libraries.  "udpfromto_init" is part of the RADIUS
>library that comes with the server.  If the daemon references that
>function, then the library includes that function.

>  Alan DeKok.



You are correct.  I had an original compiled version installed which I had
renamed, which I had thought solved this issue; unfortunately it didn't.  I
made a new Red Hat system and installed the rpm I made and it worked
perfectly fine :-)

Problem starting freeradius 1.1.3

2006-11-29 Thread Ian Walker

I used the  "rpmbuild -ta" command to build an rpm of freeradius-1.1.3 and
all went well with the build.  I then installed the rpm, and I'm getting the
following error message after running radiusd -X.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd: symbol lookup error: radiusd: undefined symbol: udpfromto_init

I'm not sure what to do to get around the problem of the undefined symbol
udpfromto_init error.  Has anyone any ideas on what I can do to get
freeradius working?

Regards


Ian

Re: Problem authenticating with Checkpoint Integrity.

2006-11-22 Thread Ian Walker

On 21/11/06, Alan DeKok <[EMAIL PROTECTED]> wrote:


> Ian Walker wrote:
>> I'm attempting 802.1x authentication with Checkpoint Integrity.  I have
>> it working with peap no problems and using mschapv2.  However, when I
>> attempt with Integrity, I have to choose "Zone Labs Cooperative
>> Enforcement" within the Windows 802.1x authentication options.  I've
>> then chosen peap/mschapv2 here, but an additional setting is eap-type
>> "44" of which I'm unable to change on the client.
>
>  Which is proprietary to ZoneLabs, and which is otherwise unknown.
>
>> The main bit of this being the EAP NAK and "NAK asked for bad type 44".
>> I'm unsure of how I'm supposed to configure freeradius to use this type,
>> as in the IANA numbers, type 44 is shown as:
>>
>> 44 ZoneLabs EAP (ZLXEAP)
>>
>> Any ideas on what I can do to get this working?
>
>  Ask Zone Labs for documentation on how it works, and on an
> implementation that you can submit to FreeRADIUS.  Tell them that if
> their EAP type is implemented in FreeRADIUS, then it will be available
> in the most widely used RADIUS server on the planet. :)
>
> Alan DeKok.



I sent an email to them yesterday, and chased it again today to find out
what we can do here with this.  I'll update this post once I know some more.


Ian

Re: Problems getting eap-mschapv2 working.

2006-09-05 Thread Ian Walker
I tested this morning, and now have it working.  Previously I just had the
mschapv2 outside of the peap section and it didn't work.  However, I added the
mschap stanza to the modules stanza outside of eap.  I also added mschap to the
authorize and authenticate stanzas.  Not sure if this was needed, so not
entirely sure which bit did it, or whether all of it was required.

Thank you all for your input in helping me get this resolved :-)

Regards
Ian

On 04/09/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Ian Walker" <[EMAIL PROTECTED]> wrote:
>> however, there is no default/sample config that tells me how mschapv2 should
>> be configured.
>
>   The default configuration of mschapv2 works.  Massive edits to the
> configuration will almost always break it.
>
> http://deployingradius.com/documents/configuration/setup.html
>
>   Small changes, with tests, will almost always get it to work
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog

Re: Problems getting eap-mschapv2 working.

2006-09-03 Thread Ian Walker
> You have some items misplaced. Check against the default configuration that
> came with the server. In particular, mschapv2 and the contents of that
> stanza.
>
> Zoltan Ori

I've now re-written the stanza and placed it correctly, so it appears like this:

peap {
	default_eap_type = mschapv2
}
mschapv2 {
}

however, there is no default/sample config that tells me how mschapv2 should
be configured.  With this config, which I tried previously, it didn't work,
which was why I thought maybe it should exist in the peap stanza.

Re: Problems getting eap-mschapv2 working.

2006-09-03 Thread Ian Walker





> Did you generate the certificates that are mentioned there?  The ones that
> ship with the server are expired, you have to generate your own certificate.

I generated the certificates myself, these are working fine.  I can use md5
no problem, but peap complains about mschapv2.

> What version of FreeRADIUS.  Version 1.1.1 fixed a lot of little PEAP things.
> Version 1.1.3 of course is what you should be running.

Using the latest version 1.1.3, compiled with all options enabled.

> Also, it looks like your actual problem is that you have re-written the eap
> section... and missed a Paren

They are all there, checked this morning, nothing missing.

> This is Mine.  In yours you have included mschapv2 inside of PEAP.  It is
> its own section, outside of the PEAP section.

I did have it like this originally, and it still didn't work.

Any ideas appreciated.


  
  
  From: 
  freeradius-users-bounces+mking=[EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]
] On 
  Behalf Of Ian WalkerSent: Friday, September 01, 2006 8:36 
  AMTo: freeradius-users@lists.freeradius.orgSubject: 
  Problems getting eap-mschapv2 working.
  Been trying to get eap working with peap/mschapv2 but it doesn't 
  seem to work.This is my radiusd.conf file:
  prefix = /usr/localexec_prefix = ${prefix}sysconfdir = ${prefix}/etclocalstatedir = /var/runsbindir = ${exec_prefix}/sbinlogdir = /var/lograddbdir = ${sysconfdir}/raddbradacctdir = ${logdir}/radacct
confdir = ${raddbdir}run_dir = ${localstatedir}/radiusdlog_file = ${logdir}/radius.loglibdir = ${exec_prefix}/libpidfile = ${run_dir}/radiusd.pidmax_request_time = 30delete_blocked_requests = no
cleanup_delay = 5max_requests = 1024bind_address = *port = 0hostname_lookups = noallow_core_dumps = noregular_expressions	= yesextended_expressions	= yeslog_stripped_names = nolog_auth = no
log_auth_badpass = nolog_auth_goodpass = nousercollide = nolower_user = nolower_pass = nonospace_user = nonospace_pass = nocheckrad = ${sbindir}/checkradsecurity {	max_attributes = 200
	reject_delay = 1	status_server = no}$INCLUDE  ${confdir}/clients.confthread pool {	start_servers = 5	max_servers = 32	min_spare_servers = 3	max_spare_servers = 10	max_requests_per_server = 0
}modules {	eap {		default_eap_type = md5		timer_expire = 60		md5 {		}		tls {			private_key_password = 			private_key_file = /usr/local/etc/raddb/new.cert.key			certificate_file = /usr/local/etc/raddb/new.cert.cert
			CA_file = /usr/local/etc/raddb/cacert.pem			dh_file = /dev/urandom			random_file = /dev/urandom			fragment_size = 1024			include_length = yes		}		peap {			default_eap_type = mschapv2
			mschapv2 {authtype = mschapv2use_mppe = yesrequire_encryption = yesrequire_strong = yes			}		}	}	files {		usersfile = ${confdir}/users		compat = no	}	exec cerb {
		wait = yes		program = "/usr/local/bin/cerbauth -e freeradius"		input_pairs = request		output_pairs = reply	}	preprocess {	}}authorize {	preprocess	eap	files
}authenticate {	Auth-Type eap {		eap	}	Auth-Type CERB {		cerb	}}as you can see, I'm currently working with md5 and this works 
  perfectly well.  But when I set the client and configure the server to 
  default for peap/tls, then it fails saying:"No such EAP type mschapv2" 
  I believe if I can get passed this, that my system will authenticate 
  with peap/mschapv2 successfully.Hope you can 
  help.RegardsIan

-List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Problems getting eap-mschapv2 working.

2006-09-01 Thread Ian Walker
Been trying to get eap working with peap/mschapv2 but it doesn't seem to work.
This is my radiusd.conf file:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var/run
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

$INCLUDE  ${confdir}/clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	eap {
		default_eap_type = md5
		timer_expire = 60
		md5 {
		}
		tls {
			private_key_password = 
			private_key_file = /usr/local/etc/raddb/new.cert.key
			certificate_file = /usr/local/etc/raddb/new.cert.cert
			CA_file = /usr/local/etc/raddb/cacert.pem
			dh_file = /dev/urandom
			random_file = /dev/urandom
			fragment_size = 1024
			include_length = yes
		}
		peap {
			default_eap_type = mschapv2
			mschapv2 {
				authtype = mschapv2
				use_mppe = yes
				require_encryption = yes
				require_strong = yes
			}
		}
	}

	files {
		usersfile = ${confdir}/users
		compat = no
	}
	exec cerb {
		wait = yes
		program = "/usr/local/bin/cerbauth -e freeradius"
		input_pairs = request
		output_pairs = reply
	}
	preprocess {
	}
}

authorize {
	preprocess
	eap
	files
}

authenticate {

	Auth-Type eap {
		eap
	}

	Auth-Type CERB {
		cerb
	}
}

As you can see, I'm currently working with md5 and this works perfectly well.
But when I set the client and configure the server to default for peap/tls,
then it fails saying: "No such EAP type mschapv2"

I believe if I can get past this, that my system will authenticate with
peap/mschapv2 successfully.

Hope you can help.

Regards
Ian