Re: PEAP against Samba PDC through auth_ntlm
Well, I solved my problem by setting this:

    ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Thanks to everybody.

Jeremy

Jérémy Cluzel wrote:

> Message: 1
> Date: Fri, 19 May 2006 16:01:38 +0200
> From: Jérémy Cluzel <[EMAIL PROTECTED]>
> Subject: PEAP against Samba PDC through auth_ntlm
> To: freeradius-users@lists.freeradius.org
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Well, I searched for "PEAP Machine Authentication", and I only found some of my posts concerning how to make machine auth work against a Windows AD... nothing concerning a Samba acting as PDC...
>
> As I said, PEAP auth (both machine and user) works against an AD; the problem only concerns the Samba PDC. I found some posts where logins like "host\machine_name" seem to be converted to "machine_name$" (like http://lists.freeradius.org/pipermail/freeradius-users/2006-March/051487.html), but none explains how to do this: hints file? proxy.conf? realms? ntdomain_hack?
>
> Regards,
> Jeremy
>
> On May 19, 2006, at 2:00 AM, Michael Griego wrote:
>
> > Search through the list archives for "PEAP Machine Authentication"
> >
> > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP against Samba PDC through auth_ntlm
Well, I searched for "PEAP Machine Authentication", and I only found some of my posts concerning how to make machine auth work against a Windows AD... nothing concerning a Samba acting as PDC...

As I said, PEAP auth (both machine and user) works against an AD; the problem only concerns the Samba PDC. I found some posts where logins like "host\machine_name" seem to be converted to "machine_name$" (like http://lists.freeradius.org/pipermail/freeradius-users/2006-March/051487.html), but none explains how to do this: hints file? proxy.conf? realms? ntdomain_hack?

Regards,
Jeremy

On May 19, 2006, at 2:00 AM, Michael Griego wrote:

> Search through the list archives for "PEAP Machine Authentication"
PEAP against Samba PDC through auth_ntlm
Hello,

I am trying to secure my wireless LAN with freeradius. I managed to do PEAP (with auth_ntlm) against a Windows 2003 Server AD. Both machine and user auth work.

Now, I am trying to do the same (still PEAP) against a Samba server acting as PDC (not AD). But I have a problem: the machine (which belongs to the domain) still tries to authenticate itself as "host\machine_name"... I tried to use the "hints" file to remove the "host\" and change it to "machine_name$", but I was not able to do it...

If someone knows whether it can be done and how...

Regards,
Jeremy
Re: Re: PEAP ntlm_auth strange behaviour
James J J Hooper wrote:

> Radius is working fine ... ntlm_auth is returning 'Logon failure', i.e. either Samba / your 2003 AD thinks the password is wrong (look at the event viewer on the domain controller) or you do not have permission to authenticate.

Well, I know that the password typed is good. Moreover, if I run

    ntlm_auth --request-nt-key --domain=CHRT --username=jpbrunain

with the good password, I get this message: "NT_STATUS_OK: Success (0x0)"... So I think I have permission to authenticate.

> You could also try running the ntlm_auth command on its own without specifying the domain:
>
>     /usr/local/bin/ntlm_auth --request-nt-key --username=jpbrunain --challenge=d8a9272386722a12 --nt-response=db063bdf850cff582568f32a83da83315bac0a1c2adc19a2

I tried it and it failed; the error code returned was: "Logon failure (0xc06d)". Where do these parameters (challenge and nt-response) come from?

As far as I remember, I tried the following commands:

    /usr/local/bin/ntlm_auth --request-nt-key --username=jpbrunain --challenge=d8a9272386722a12

This one succeeded after entering the good password.

    /usr/local/bin/ntlm_auth --request-nt-key --username=jpbrunain --nt-response=db063bdf850cff582568f32a83da83315bac0a1c2adc19a2

The second one did not, even with the good password... What does it mean? How to solve this?

> and see if it works! (I have had problems when specifying the domain on the command line before)
>
> Regards,
> James

Thanks for your time.

Jeremy

> --
> James J J Hooper, Information Services
> University of Bristol
Re: Re: rlm_sql_mysql search path Bug ?
> Hello,
>
> I'm under FreeBSD 6.0 - Freeradius 1.0.5. I did an install from the port (/usr/ports/net/freeradius) with rlm_sql_mysql enabled. I set radiusd_enable="YES" in "rc.conf".
>
> But when I reboot, radius doesn't start and I get this in my "/var/log/radius.log":
>
>     Sat Jan 28 00:39:55 2006 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: Shared object "libmysqlclient.so.14" not found, required by "rlm_sql_mysql-1.0.5.so"
>     Sat Jan 28 00:39:55 2006 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
>     Sat Jan 28 00:39:55 2006 : Error: radiusd.conf[14]: sql: Module instantiation failed.
>
> Very curiously, if I do a "/usr/local/etc/rc.d/radiusd.sh start" then everything goes fine... Am I missing something?
>
> Regards,
> Jeremy

> As I can see, the problem is that you don't have shared MySQL and client libraries installed; try to install them and then run the radius.

> -> http://www.freeradius.org/faq/#4.14

Sorry Alan :-)

Thanks for all.

Jeremy Cluzel
rlm_sql_mysql search path Bug ?
Hello,

I'm under FreeBSD 6.0 - Freeradius 1.0.5. I did an install from the port (/usr/ports/net/freeradius) with rlm_sql_mysql enabled. I set radiusd_enable="YES" in "rc.conf".

But when I reboot, radius doesn't start and I get this in my "/var/log/radius.log":

    Sat Jan 28 00:39:55 2006 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: Shared object "libmysqlclient.so.14" not found, required by "rlm_sql_mysql-1.0.5.so"
    Sat Jan 28 00:39:55 2006 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    Sat Jan 28 00:39:55 2006 : Error: radiusd.conf[14]: sql: Module instantiation failed.

Very curiously, if I do a "/usr/local/etc/rc.d/radiusd.sh start" then everything goes fine... Am I missing something?

Regards,
Jeremy
PEAP Machine Auth without NTLM or LDAP
Hello,

I want to do machine auth with PEAP for my laptop before Windows logon. I managed to do it with "ntlm_auth" before, but this time I have another problem: there is no PDC.

So, is it possible to use the "users" file instead, like this:

    "computer_name" User-Password == ""

(As far as I remember it was impossible...)

Any suggestions?

Regards,
Jeremy Cluzel
PEAP Machine Authentication
Hi,

I'm trying to set up PEAP authentication with the rlm_mschap.c / cli_netlogon.c hacks provided by M. Griego. The user auth is still working (as before), but the computer auth still is not... (a copy of the debug log is attached). According to the log, the rlm_mschap patch seems to be effective, but is there any way to check that the Samba patch is effective too?

I use a "patched" FR 1.0.5 and a "patched" samba-3.0.20b,1 under FreeBSD 5.3-RELEASE.

Regards,
Jeremy

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/eap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.0.241:6001, id=78, length=183
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
        User-Name = "host/portable"
        NAS-IP-Address = 192.168.0.241
        Called-Station-Id = "00-20-a6-56-73-76:TEST"
        Calling-Station-Id = "00-20-a6-57-83-f2"
        NAS-Identifier = "AP01"
        State = 0x63444a5a8824a6668f0c4039b3fa9564
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020900261900170301001
PEAP Machine Authentication
Hi,

I looked in the samba 3.0.20 source code and I only found 2 calls to the "init_id_info2()" function in the "samba/source/rpc_client/cli_netlogon.c" file.

In the "cli_netlogon_sam_logon()" function:

    701         init_id_info2(&ctr.auth.id2, lp_workgroup(),
    702                       0, /* param_ctrl */
    703                       0xdead, 0xbeef, /* LUID? */
    704                       username, cli->clnt_name_slash, chal,
    705                       local_lm_response, 24, local_nt_response, 24);

And in the "rpccli_netlogon_sam_network_logon()" function:

    802         init_id_info2(&ctr.auth.id2, domain,
    803                       0, /* param_ctrl */
    804                       0xdead, 0xbeef, /* LUID? */
    805                       username, workstation_name_slash, (const uchar*)chal,
    806                       lm_response.data, lm_response.length, nt_response.data, nt_response.length);

But nothing in the "cli_netlogon_sam_network_logon()" function...

Regards,
Jeremy
Windows XP supplicant limitation ?
Hi,

> Hi,
>
> > - user auth after the domain controller has accepted logon.
> >
> > Does anybody know if the Windows XP supplicant is able to do this?
> > Do I need a better supplicant? Aegis? SecureW2? Funk Odyssey?
>
> I believe it won't do anything useful or multifunctional like you require. A good option would be to use the supplicant to authenticate the system, then use something like pGina to do the user authentication - that can then authenticate the user against a RADIUS server.
>
> pgina - http://pgina.xpasystems.com/info/
>
> alan

In fact, the XP supplicant seems to allow only one auth method (EAP-TLS or PEAP). If I use TLS, machine auth will be OK, so I can log on to my domain and get my roaming profile. But if I want to keep my network connection, I have to use a user cert too or do the registry hack (AuthMode set to 2). If I choose to use PEAP, computer auth, as far as I understood, will never work, so I won't be able to log on to my domain...

A solution may be a supplicant which first tries to make a network connection (using username/password), and then, if it succeeds, tries to authenticate the user against the domain. I don't see how pGina will help me... sorry.

Regards,
Jeremy
Windows XP supplicant limitation ?
Hi,

I want to use
- EAP-TLS for machine auth (with cert.), then
- EAP-PEAP for the user auth (with login/password).

I managed to make both work alone but not together... I just want to follow the XP supplicant behaviour:
- computer auth before logon to gain network access to the domain controller,
- user auth after the domain controller has accepted logon.

Does anybody know if the Windows XP supplicant is able to do this? Do I need a better supplicant? Aegis? SecureW2? Funk Odyssey?

Thanks
Jeremy
Removing prefix and suffix from User-Name
Hi,

I want to convert the User-Name received, "\host\login.server.domain.com", to "username". What's the best way to do this?

- using the preprocess module and the "hints" file:

    DEFAULT Prefix == "/host", Strip-User-Name = Yes
    DEFAULT Suffix == ".server.domain.com", Strip-User-Name = Yes

- using the "proxy.conf" file:

    realm server.domain.com {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
    }

- using the realm module:

    realm test {
        format         = suffix
        delimiter      = "."
        ignore_default = no
        ignore_null    = no
    }

- using the attr_rewrite module (the group must be "(.+)", not "(+.)", and the dots need escaping so that only the literal suffix is matched):

    attr_rewrite saneUserName {
        attribute     = User-Name
        searchin      = packet
        searchfor     = "^(.+)\\.server\\.domain\\.com$"
        replacewith   = "%{1}"
        ignore_case   = yes
        new_attribute = no
        max_matches   = 1
        append        = no
    }

Regards,
Jeremy
RE: Windows Client Authentication before Domain logon
Hi Guy,

Do you know working supplicants with a GINA module? Aegis? SecureW2?

Regards,
Jeremy

[EMAIL PROTECTED] wrote:

> Date: Thu, 1 Sep 2005 17:10:14 +0100
> From: "Guy Davies" <[EMAIL PROTECTED]>
> Subject: RE: Windows Client Authentication before Domain logon
> To: "FreeRadius users mailing list"
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Marc,
>
> The only way to do this with the supplicant included with XP is to use machine auth. This must use the same method used by the individual (i.e. EAP-TLS or PEAP/MS-CHAPv2). There is a checkbox that says something like "Use machine credentials if available". Check that and the machine will authenticate before the user. Once the user authenticates, the machine auth is killed and the user's auth is used. This requires that the machine has either a PEAP/MS-CHAPv2 username/password or an EAP-TLS certificate. These are stored in AD so you have to back off your request to AD. If you want to do that for PEAP/MS-CHAPv2, you'll need NTLM access to the AD server; LDAP won't do because it can't get the cleartext password (unless it is replicated to a non-standard attribute).
>
> A better method, in my experience, is to use a supplicant with a GINA module. That stops the Windows login process immediately after the user has entered the credentials, takes the user's credentials and uses them to log in to the network, then it returns control to the Windows login process. This doesn't require any authentication of the machine.
>
> Regards,
> Guy
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marc-Henri Boisis-delavaud
> Sent: 01 September 2005 15:19
> To: FreeRadius users mailing list
> Subject: Re: Windows Client Authentication before Domain logon
>
> On 31 Aug 05 at 18:53, Alan DeKok wrote:
>
> > Jérémy Cluzel <[EMAIL PROTECTED]> wrote:
> >
> > > Sorry, but I didn't find any references of this OID in the creation scripts in the "scripts" directory (CA.all, CA.certs...). The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in "xpextensions"). Is there any way to do this without patching openssl (like explained there http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?
> >
> > You can use that OID just like the other ones.
> >
> > Alan DeKok.
>
> Can you explain how we can activate 802.1x authentication before logon on XP? And what are the prerequisites?
>
> Marc
Windows Client Authentication before Domain logon
Sorry, but I didn't find any references of this OID in the creation scripts in the "scripts" directory (CA.all, CA.certs...). The only OIDs added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in "xpextensions"). Is there any way to do this without patching openssl (like explained there http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html)?

Regards,
Jeremy

Alan DeKok <http://lists.freeradius.org/mailman/listinfo/freeradius-users> wrote:

> That OID is added by the cert creation script in the "scripts" directory, but it should be made more prominent in eap.conf, too.
>
> Alan DeKok.
Windows Client Authentication before Domain logon
How can I add this OID to my machine certs? Using the CA.certs script and the xpextensions file?

Regards,
Jeremy

Ben Walding wrote:

> I also found using machine certificates to be hit and miss (some machines they'd be picked up, others they wouldn't - all XP SP2 with appropriate patches).
>
> And then I stumbled on this
>
> http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html
>
> 1.3.6.1.4.1.311.17.2
>
> After I started adding that OID to my machine certs, everything started working wonderfully.
>
> I shook my fist at Microsoft that day!
>
> Cheers,
>
> Ben
limited accounts
Hi,

I'm trying to set up a system which allows users to log in for a specific period (1 month, or 1 week, it depends on the type of the account) since their first connection. I manage to do this with a cron script which removes them from the database, but it's (really) crap... Is there any proper way to do this? The counter module? I think this could be done better by modifying the SQL queries in "sql.conf" to calculate the remaining time (until the end of this period) and send it as a "Max-All-Session" attribute to the NAS, but I don't know if it's possible...

Moreover, I wish to use a "max consecutive time" too, which would allow me to create user accounts valid for a limited period (1 month for ex.), with limited session time (3 hours max), and with a maximum "duration time" (10 hours). Is there any specific module to do this?

Finally, if I want to limit access depending on the day of the week, or the hour, what's the best approach?

Sorry for all these questions, I don't expect a complete solution from this forum (it's my work to find one), but simply some advice (or clues) on how it could (would?) be done.

Regards,
Jeremy
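The approach this post is asking about, as an added example that is not from the list thread or from FreeRADIUS: derive the time to hand back in a Session-Timeout reply from the accounting table instead of deleting expired accounts with a cron job, with the three limits from the post (period since first connection, per-session maximum, total quota) plus a day/hour window. It assumes only the standard radacct column names (username, acctstarttime, acctsessiontime); the rows, the MONTHLY policy and the login-window format are constructed, and the window format is not FreeRADIUS's Login-Time syntax.

```python
import sqlite3
from datetime import datetime, timedelta

# Added example: the table mirrors the three radacct columns this needs;
# the rows are constructed, not real accounting data.
RADACCT_ROWS = [
    ("alice", "2005-07-01 09:00:00", 3600),    # alice has used 8.5 h of a 10 h quota
    ("alice", "2005-07-02 10:00:00", 27000),
    ("bob",   "2005-06-01 08:00:00", 1800),    # bob's one-month period has already expired
    ("dave",  "2005-06-20 13:00:00", 600),     # dave's period ends within the hour
]

# Account type from the post: valid one month from first connection, 3 h per
# session, 10 h in total. login_windows is a constructed format
# (weekday set, start hour, end hour), not FreeRADIUS's Login-Time syntax.
MONTHLY = {"period_days": 30, "max_session": 3 * 3600, "max_all_session": 10 * 3600,
           "login_windows": [({0, 1, 2, 3, 4}, 8, 20)]}


def open_db(rows=RADACCT_ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT, acctsessiontime INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def within_login_window(now, windows):
    """Day-of-week / hour restriction: True when any window covers 'now'."""
    return any(now.weekday() in days and start <= now.hour < end for days, start, end in windows)


def session_timeout(db, username, now, policy):
    """Seconds to return as Session-Timeout, or None when access should be rejected.
    The validity period is counted from the user's first accounting record, so the
    first connection starts the clock without any per-user bookkeeping."""
    if not within_login_window(now, policy["login_windows"]):
        return None
    first_start, used = db.execute(
        "SELECT MIN(acctstarttime), COALESCE(SUM(acctsessiontime), 0) "
        "FROM radacct WHERE username = ?", (username,)).fetchone()
    if first_start is None:
        period_left = policy["period_days"] * 86400          # first connection: full period
    else:
        expiry = datetime.strptime(first_start, "%Y-%m-%d %H:%M:%S") + timedelta(days=policy["period_days"])
        period_left = int((expiry - now).total_seconds())
    quota_left = policy["max_all_session"] - used             # the Max-All-Session idea from the post
    timeout = min(period_left, quota_left, policy["max_session"])
    return timeout if timeout > 0 else None


def demo(now_str="2005-07-20 12:00:00"):
    """Decisions for the constructed users at a given time (default: a Wednesday at noon)."""
    db = open_db()
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return {u: session_timeout(db, u, now, MONTHLY) for u in ("alice", "bob", "carol", "dave")}


if __name__ == "__main__":
    for user, timeout in demo().items():
        print(f"{user}: {'Access-Reject' if timeout is None else f'Session-Timeout = {timeout}'}")
```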
attr_rewrite & regexp
Hi,

I am trying to rewrite the User-Name attribute from "COMPUTER_NAME\\User-Name" to "User-Name". I prefer not to use the "proxy.conf" file because I have lots of different "COMPUTER_NAME"s. I think attr_rewrite will do the job, but I don't know how (I'm not very good at regexps...).

Thanks
Jeremy
authenticate machine accounts with ntlm_auth
Hi,

Is it possible to authenticate a machine account with ntlm_auth? When a machine tries to authenticate itself, the username looks like this: "host/hostname.domain.org". I don't know if ntlm_auth is able to understand this format...

Regards
Jeremy
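An added example (not code from the posts or from FreeRADIUS) pulling together the User-Name shapes discussed in this post, in "Removing prefix and suffix from User-Name", in "attr_rewrite & regexp" and in the ntlm_auth solution at the top of the page: strip the host/ prefix and DNS suffix to get the Samba machine account name ("machine_name$") and build the argv that the mschap ntlm_auth line expands to. The function names and the sample User-Names are constructed; the challenge and NT-Response values are the ones quoted in the "PEAP ntlm_auth strange behaviour" post.

```python
import re

# Windows machine authentication sends "host/<name>[.<dns-suffix>]" (the debug log on
# this page shows User-Name = "host/portable"); Samba/NT know the account as "<name>$".
MACHINE_RE = re.compile(
    r"^[\\/]?host[\\/](?P<name>[^.\\/]+)(?:\.(?P<suffix>[^\\/]+))?$", re.IGNORECASE)
# NT-style "DOMAIN\user", the "COMPUTER_NAME\\User-Name" form from the attr_rewrite post.
DOMAIN_RE = re.compile(r"^(?P<domain>[^\\/]+)[\\/](?P<user>[^\\/]+)$")

NTLM_AUTH = "/usr/local/bin/ntlm_auth"   # path used throughout the posts


def normalize_user_name(user_name, strip_suffix=None):
    """Return (kind, account, scope): kind is "machine" or "user", account is the
    name ntlm_auth should be asked about, scope is the DNS suffix or NT domain if any.
    strip_suffix plays the role of the hints-file Suffix entry (".server.domain.com")."""
    name = user_name
    if strip_suffix and name.lower().endswith(strip_suffix.lower()):
        name = name[: -len(strip_suffix)]
    m = MACHINE_RE.match(name)
    if m:
        return ("machine", m.group("name") + "$", m.group("suffix"))
    m = DOMAIN_RE.match(name)
    if m:
        return ("user", m.group("user"), m.group("domain"))
    return ("user", name, None)


def ntlm_auth_argv(account, challenge_hex=None, nt_response_hex=None, domain=None):
    """argv for the non-interactive ntlm_auth call radiusd makes, mirroring the
    ntlm_auth = "..." line in the thread. The config expansions fall back to "00"
    when a value is absent; here a response without its challenge is refused, since
    the poster's test with --nt-response alone failed with 'Logon failure'."""
    if (challenge_hex is None) != (nt_response_hex is None):
        raise ValueError("--challenge and --nt-response must be given together")
    argv = [NTLM_AUTH, "--request-nt-key", "--username=" + account]
    if domain:
        argv.append("--domain=" + domain)
    if challenge_hex is not None:
        # MS-CHAP challenge is 8 bytes and the NT-Response 24 bytes, as in the thread's values.
        if len(bytes.fromhex(challenge_hex)) != 8 or len(bytes.fromhex(nt_response_hex)) != 24:
            raise ValueError("challenge must be 8 bytes and nt-response 24 bytes")
        argv += ["--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]
    return argv


if __name__ == "__main__":
    # Constructed sample User-Names covering the forms mentioned in the posts.
    for raw in ("host/portable", "host/hostname.domain.org",
                "\\host\\login.server.domain.com", "COMPUTER_NAME\\jsmith", "jsmith"):
        kind, account, scope = normalize_user_name(raw, strip_suffix=".server.domain.com")
        print(f"{raw!r:36} -> {kind:7} account={account!r} scope={scope!r}")
    # The command from the thread, rebuilt as argv (not executed here).
    print(" ".join(ntlm_auth_argv("jpbrunain", "d8a9272386722a12",
                                  "db063bdf850cff582568f32a83da83315bac0a1c2adc19a2")))
```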
PEAP and NT domain logon problem
Hi,

I have a FreeBSD box with a working freeradius 1.0.4 on it. PEAP works fine but I have to be logged in before... Here is my problem: when I try to log on to my domain, Windows complains about the fact that it is "unable to find my profile on the server" (or sometimes that "the domain X is unreachable"). Is there any solution to tell the Windows XP supplicant to wait for auth before trying to download the profile? I think this will be solved by switching to EAP/TLS or EAP/TTLS... but I'm not sure.

Regards,
Jeremy