RE: Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread Josh Howlett
Hi Ryan,

What you're trying to do is impossible. MS-CHAPv2 is a mutual
authentication protocol, meaning that FreeRADIUS needs to demonstrate
knowledge of the password to the machine.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Kramer
> Sent: 25 February 2008 21:05
> To: [EMAIL PROTECTED]; FreeRadius users mailing list
> Subject: Machine auth without cert - EAP-PEAP/MSCHAPV2
> 
> I've been experimenting with machine auth without using a 
> cert, but I seem to be stuck on the fact that FreeRadius will 
> not authenticate a local user.
> 
> I see the request come across through debugging with a 
> username of "host/mymachine.mydomain.com", and no password, 
> and in my users file I have
> 
> "host/mymachine.mydomain.com" Cleartext-Password="", 
> Auth-Type := Local, MS-CHAP-Use-NTLM-Auth := 0
> Filter-ID = "WIRELESS-USER",
> Fall-Through = 0
> 
> but for some reason it never authenticates...  I've tried 
> every both without the MS-CHAP option, that doesn't seem to 
> change it.  Also tried User-Password instead of cleartext 
> password, no change.  Any suggestions?
> 
> Ryan
> 

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap-mschapv2

2008-01-15 Thread Josh Howlett
> auth: type "EAP"
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> +- entering group MS-CHAP
>   rlm_mschap: Told to do MS-CHAPv2 for user with NT-Password
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> Sending Access-Challenge of id 3 to x.x.x.x port 1812
> MS-CHAP2-Success = 
> 0x01533d46393635324645444542423338354535333743303338333739
> 41393735313330363134413336
> EAP-Message = 
> 0x010200331a0301002e533d4639363532464544454242333835453533
> 374330333833373941393735313330363134413336
> Message-Authenticator = 0x
> State = 0xabe2000baae01ac677bcdaf79192ae6c
> Finished request 1.

That looks like a bug to me. It's a violation of RFC2548:

2.3.3.  MS-CHAP2-Success

   Description

  This Attribute contains a 42-octet authenticator response string.
  This string MUST be included in the Message field of the MS-CHAP-
  V2 Success packet sent from the NAS to the peer.  This Attribute
  is only used in Access-Accept packets.

It might be worth checking the logic in the eap-mschap module; it should
be pretty obvious to see where it is going wrong.

josh.



RE: eap-mschapv2

2008-01-15 Thread Josh Howlett
Post the debug output (radiusd -X).

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indira Keesara
> Sent: 15 January 2008 20:36
> To: freeradius-users@lists.freeradius.org
> Subject: eap-mschapv2
> 
> I am using freeradius to test the eap-mschapv2.
> 
> According to specs 
> 
> In reply to the access-challenge, radius should send an 
> access-success with the mppe keys.
> 
> But what I see is that, in reply, radius is sending the 
> access-challenge request again with mschap-success, similar to 
> EAP-TLS.
> 
>  
> 
> I am not sure if I missed any configuration.
> 
> 



RE: eap-mschapv2

2008-01-15 Thread Josh Howlett
Yes - although only as a tunnelled method inside EAP-PEAP (I think, I may
be wrong). 

josh.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Indira Keesara
> Sent: 15 January 2008 20:31
> To: freeradius-users@lists.freeradius.org
> Subject: eap-mschapv2
> 
> Does freeradius support eap-mschapv2 ?
> 
> 



RE: EAP Notification

2008-01-03 Thread Josh Howlett
That's certainly a feature of some Cisco WAPs.

If anyone knows of a supplicant that does anything *useful* with
EAP-Notification (like, you know, notify the user) then that would be
interesting to hear :-)

josh.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Arran Cudbard-Bell
> Sent: 03 January 2008 12:50
> To: FreeRadius users mailing list
> Subject: EAP Notification
> 
> Hi,
> Running a packet capture of an EAP TTLS session against FR 
> cvs head, noticed EAP Notification packets are being sent.
> The type-data appears to match that of the Reply-Message. Is 
> this a feature of rlm_eap that I missed before, or is the NAS 
> being clever about its interpretation of the Access-Accept 
> packet, and encapsulating the Reply-Message attribute in an 
> EAP-Request Notification packet ?
> 
> Either way it's pretty cool, and the message gets logged in 
> /var/log/system.log (On Mac OS X) which has the potential to 
> be useful for debugging...
> 
> Thanks,
> Arran
> 
> --
> Arran Cudbard-Bell ([EMAIL PROTECTED]) 
> Authentication, Authorisation and Accounting Officer 
> Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
> EXT:01273 873900 | INT: 3900
> 



RE: freeradius and active directory

2007-12-20 Thread Josh Howlett
> Using  Ntlm_auth from the samba server is not an option. I 
> want to access the AD with the ldap protocol for 
> compatibility reasons.

You can't.

> Next, I want to place the logged on 
> user is a specific VLAN. So I have to retrieve the user's 
> vlan from the AD. Is there any way to configure freeradius to 
> do so?

Yes, see the docs.

> Can you please provide me with the necessary steps to accomplish this?

Ditto.

josh.



RE: Freeradius and AD

2007-12-11 Thread Josh Howlett
See proxy.conf.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Gibelli
> Sent: 11 December 2007 14:30
> To: freeradius-users@lists.freeradius.org
> Subject: Freeradius and AD
> 
> Hi
> 
> I am testing Freeradius within an 802.1x environment.
> 
> I want to send authentication request to 4 different AD DC's 
> depending on the Domain sent from the client to the Authenticator.
> 
> Can Freeradius forward request in this way?
> 
> Dave



RE: freeradius support eap-fast?

2007-11-27 Thread Josh Howlett
 
Alan wrote:
> Josh Howlett wrote:
> > I saw this :-). I had a question: EAP-TNC is intended to be bound to 
> > any tunneled EAP method but the last time I looked at the code the 
> > FreeRADIUS EAP state machine did not appear to support binding 
> > consecutive EAP methods in sequence to an arbitrary tunneled EAP method.
> 
>   I'm not sure what that means... Does EAP-TNC go inside of a 
> tunneled method, or does it tunnel other methods?

It normally tunnels inside other methods.

>   If it goes inside of a tunneled method, then there's no 
> problem.  PEAP and TTLS already support tunneling EAP types.  

Sure, but do the FreeRADIUS PEAP and TTLS implementation support running
an EAP method for AuthN followed immediately by EAP-TNC within the same
tunnel?

The original EAP RFC (2284) didn't explicitly prohibit method
sequencing. However, this was obsoleted by RFC 3748 which does prohibit
sequencing authentication methods (where this is defined as Type > 4,
excepting Notification).

Of course, an EAP method itself is free to do what it likes; so both
PEAP and TTLS support sequencing (although this isn't implemented much).

The difficulty that I saw when I looked at the code, IIRC, is that
FreeRADIUS re-uses the same functions (and therefore the same
assumptions of what is permitted and what isn't) for the 'outer' EAP
session as it does for the 'inner' session.

Did that make sense :-) ?

> > Does this EAP-TNC implementation therefore require the use of a 
> > specific tunneled EAP method, or have there been some improvements to 
> > the EAP state machine to support this flexibility?
> 
>   If EAP-TNC can go only inside of TTLS/PEAP, then the code 
> likely needs to be updated to check for that, and enforce 
> that requirement.

That's not a requirement, but a likely deployment scenario. EAP-TNC has
no transport security, and depends on the transport layer for
confidentiality, etc.

josh.



RE: freeradius support eap-fast?

2007-11-27 Thread Josh Howlett
>   In other news... I've added EAP-TNC.  It's a little rough, 
> but the concept is there.

I saw this :-). I had a question: EAP-TNC is intended to be bound to any
tunneled EAP method but the last time I looked at the code the
FreeRADIUS EAP state machine did not appear to support binding
consecutive EAP methods in sequence to an arbitrary tunneled EAP method.
Does this EAP-TNC implementation therefore require the use of a specific
tunneled EAP method, or have there been some improvements to the EAP
state machine to support this flexibility?

josh.



RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Josh Howlett
> Hi,
> > But you are just using FreeRADIUS for authentication. I didn't realise 
> > it was possible to separate posture assessment from authentication in 
> > Cisco NAC. Interesting to hear that you can.
> 
> ..i guess we are all looking at development of EAP-TNC with interest..

You betcha!

josh.



RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Josh Howlett
But you are just using FreeRADIUS for authentication. I didn't realise
it was possible to separate posture assessment from authentication in
Cisco NAC. Interesting to hear that you can.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Dorota Kupis
> Sent: 31 October 2007 18:50
> To: FreeRadius users mailing list
> Subject: RE: FreeRadius and Clean Access Manager
> 
> Hello Josh,
> 
> Actually I give another try just after I wrote to the group 
> and I succeeded. I don't talk about TACACS+ here.
> Cisco Clean Access can have several authentication servers 
> defined. I do confirm it works with FreeRadius as well.
> 
> Dorota
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Josh Howlett
> Sent: Wednesday, October 31, 2007 11:35 AM
> To: FreeRadius users mailing list
> Cc: Josh Howlett
> Subject: RE: FreeRadius and Clean Access Manager
> 
> > Has anybody set up FreeRadius with Network Admission Control? 
> > I have trouble setting up FreeRadius as an authentication server in 
> > Clean Access Manager.
> 
> FreeRADIUS does not support Cisco NAC.
> 
> > It works perfectly with ACS.
> 
> This is because it is a Cisco proprietary protocol.
> 
> josh. 
> 



RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Josh Howlett
> Has anybody set up FreeRadius with Network Admission Control? 
> I have trouble setting up FreeRadius as an authentication 
> server in Clean Access Manager.

FreeRADIUS does not support Cisco NAC.

> It works perfectly with ACS.

This is because it is a Cisco proprietary protocol.

josh. 



RE: How to trigger an application after an authentication is done

2007-10-26 Thread Josh Howlett
rlm_exec

See radiusd.conf for examples.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of ram
> Sent: 26 October 2007 07:50
> To: FreeRadius users mailing list
> Subject: How to trigger an application after an authentication is done
> 
> Hi
>  
> I am trying to make some iptables rules trigger after 
> authentication is done with the Radius Server
>  
> here is my setup
>  
> user -- BRAS -- Freeradius --- Gateway Router (Linux+iptables) -- Internet
>  
> when the user initiates pppoe with BRAS, bras sends the request to Radius
>  
> Radius checks the authentication and sends to the user for the 
> authorisation.
> When the user is authenticated and authorised, at the same time I want 
> to trigger the script to open the iptables rules and his 
> bandwidth with TC
>  
> can some one give me a suggestion
>  
> how can I achieve this ?
>  
> ram
> 



RE: Proposed Freeradius - Kerberos authentication

2007-10-23 Thread Josh Howlett
David,

> I've been reading the FAQs, the man pages, and going over 
> mailing list archives, and also the info at 
> deployingradius.com.  I thought I should start by checking 
> that I'm heading in the right direction before trying 
> building stuff.  I'm proposing that we use Freeradius to 
> authenticate the connections to the wireless APs using the 
> MIT Kerberos server.  If this is possible, would it be done 
> using EAP-TTLS from the clients, and the Auth-Type would need 
> to be defaulted to Kerberos so that the
> rlm_krb5 module would be used?  I'm basing this on the 
> Protocols page in conjunction with a thread from earlier in 
> October about EAP-TTLS and Kerberos.

You're heading in the right direction.

Note that if the synced passwords all exist in the AD, you can also
consider the use of EAP-PEAP; the principal advantage being the use of
the Windows native supplicant; this does not support EAP-TTLS without
the use of third-party tools.

josh.



RE: Mutual Authentication with EAP-TTLS/MSCHAPv2

2007-10-03 Thread Josh Howlett
> 1. Does EAP-TTLS with MSCHAPv2 considered as a mutual 
> authentication method?

It is probably best if you read RFC4017 for a full discussion of mutual
authentication in the EAP context.

FWIW, the short answer is "yes, it can be used in this way".

> 2. I understand that the TTLS itself can be mutual, meaning:
> 
> a. The client authenticates the server (via server certificate)

Yes.

> b. A secured tunnel is created
> 
> c. The server authenticates the client (via client certificate)

Yes, this is possible but not necessary, because as you say...

> d. The client authenticates itself again using MSCHAPv2.

e. The server also authenticates itself using MSCHAPv2. A
challenge-response is piggy-backed on the MSCHAP exchange.

> Does FreeRadius support this kind of Authentication?

Yes.

> 3. I received a root-certificate and I want to create trusted 
> certificates. 
> 
> a. Which software can I use sign a certificate 
> with the root-certificate I received?

I doubt you received a root CA certificate. You probably got issued with
a certificate signed by the root or an intermediate CA. However, I'm
speculating - it is probably best to ask whomever provided the
certificate directly. It is essential to understand precisely what is
going on, because it is very easy to make mistakes with PKI...

best regards, josh.


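Two replies on this page rest on the same mechanism: the first message (machine auth without a cert), where Josh points out that MS-CHAPv2 is mutual and FreeRADIUS must demonstrate knowledge of the password, and point e in the message just above, where the server proves itself via a challenge-response piggy-backed on the MSCHAP exchange. What the server actually returns is the AuthenticatorResponse of RFC 2759 section 8.7, carried in MS-CHAP2-Success. The following is an added example, not code from the list or from FreeRADIUS: it implements that computation in Python (with its own MD4, since hashlib's md4 is frequently unavailable) and runs it on the public RFC 2759 section 9.2 test vectors; the function names and the impostor scenario in demo() are mine.

```python
"""MS-CHAPv2 server proof: the AuthenticatorResponse of RFC 2759 section 8.7.

Added example. It shows why the RADIUS server must hold the user's NT
password hash: the "S=..." string it returns in MS-CHAP2-Success is a SHA-1
chain over MD4(NT-Hash), so a server that does not know the password (or its
hash) cannot produce it and the peer will refuse the connection.
"""
import hashlib
import hmac
import struct
from typing import Tuple

MASK = 0xFFFFFFFF
MAGIC1 = b"Magic server to client signing constant"      # RFC 2759 8.7
MAGIC2 = b"Pad to make it do more than one iteration"    # RFC 2759 8.7


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of hashlib often lack it."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & MASK

    # (boolean function, additive constant, shift table, message-word order)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = h[:]
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                # register roles rotate ABCD -> DABC -> CDAB -> BCDA each step
                a, b, c, d = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                v[a] = rotl((v[a] + fn(v[b], v[c], v[d]) + x[w] + k) & MASK,
                            shifts[i % 4])
        h = [(p + q) & MASK for p, q in zip(h, v)]
    return struct.pack("<4I", *h)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 octets of SHA-1(peer, auth, user)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def authenticator_response(password_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: str) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7), computed by the server.

    Needs the NT hash (FreeRADIUS's NT-Password, or what ntlm_auth holds),
    never the cleartext; without the hash the server cannot answer.
    """
    password_hash_hash = md4(password_hash)                 # HashNtPasswordHash
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()                      # 42 octets


def peer_accepts_server(expected: str, received: str) -> bool:
    """Peer-side check of the MS-CHAP2-Success string (constant-time compare)."""
    return hmac.compare_digest(expected.encode(), received.encode())


# Test vectors from RFC 2759 section 9.2 (public data, not from this page).
RFC_USER = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def demo() -> Tuple[str, bool, bool]:
    """Server holding the right NT hash proves itself; a wrong hash does not."""
    good = authenticator_response(nt_password_hash(RFC_PASSWORD), RFC_NT_RESPONSE,
                                  RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    impostor = authenticator_response(nt_password_hash("wrongPass"), RFC_NT_RESPONSE,
                                      RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, RFC_USER)
    return good, peer_accepts_server(good, good), peer_accepts_server(good, impostor)


if __name__ == "__main__":
    print(demo())
```

The debug output quoted in the eap-mschapv2 thread above shows exactly this string (0x01 ident followed by ASCII "S=..."); the point for the machine-auth question is that an entry with an empty Cleartext-Password gives the server no hash to chain from, so the supplicant's check in peer_accepts_server can never succeed.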

RE: FreeRADIUS and iODBC

2007-09-24 Thread Josh Howlett
> What is the question?

There was no question :-) If I find out how to do something that is
poorly - or not - documented I post it to the mailing list so that it
can be indexed by Google, for the benefit of other people in the future
who might have the same problem. 

josh.



RE: Vista Authentication

2007-09-24 Thread Josh Howlett
Ensure that you're using a recent version of samba. Search the list for
a value of 'recent'.

josh.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: 23 September 2007 14:26
> To: FreeRadius users mailing list
> Subject: Re: Vista Authentication
> 
> Iain Ellis wrote:
> > Are there any known gotchas concerning Vista clients 
> > authenticating? 
> 
>   Not that I know of.
> 
>   Alan DeKok.



FreeRADIUS and iODBC

2007-09-19 Thread Josh Howlett
You must use a DSN of 'radius' in odbc.ini when using the iodbc SQL
module. You can't use any other name. I have this working against MSSQL.

josh.



RE: Freeradius and Windows Vista

2007-09-19 Thread Josh Howlett
Make sure you're using a recent version of samba. Many distros still
ship with older versions that won't work.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan DeKok
> Sent: 19 September 2007 17:09
> To: FreeRadius users mailing list
> Subject: Re: Freeradius and Windows Vista
> 
> Neal Bullins wrote:
> > I am running FR version 1.1.7 along with OpenSSL 0.9.8c on Debian. 
> > Authentication from XP works flawlessly and from what I have been able 
> > to tell, with these versions I should be able to have Vista do 
> > PEAP/MSChapv2 authentication via Freeradius.  However, it still seems 
> > that Vista stops the authentication process before the ntlm_auth call 
> > is made.  Am I missing something obvious here?
> 
>   Nope.  Vista *should* work, other people have it working 
> with similar configurations.
> 
>   Alan DeKok.



RE: RFC 3579 and Access-Accepts

2007-09-19 Thread Josh Howlett
Hi Stefan,

> Whereas RFC 3579 , chapter 2.6.5 says: 
> "An EAP-Message/EAP-Request/Notification SHOULD NOT be 
> included within an Access-Accept or Access-Reject packet."

I think this is a case of mis-reading the (confusing?) notation used by
the RFC.

What the RFC is saying is that you are not permitted to include a
Notification within an EAP-Request within an EAP-Message within an
Access-Accept.

It's not saying you're not allowed to include an EAP-Message attribute
_per se_.

FWIW, I don't think it would be possible to implement a compliant EAP
method without including an EAP-Message in the Access-Accept; you need
to return an EAP-Success or EAP-Failure, and IIRC you can't do that in
an Access-Challenge.

josh.


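Josh raises two attribute-placement rules on this page that can both be checked mechanically from radiusd -X output: in the eap-mschapv2 thread above, an MS-CHAP2-Success attribute appearing in an Access-Challenge, which RFC 2548 2.3.3 (quoted there) reserves for Access-Accept; and in this message, the reading of RFC 3579 2.6.5 under which it is the EAP-Request/Notification, not the EAP-Message attribute as such, that does not belong in an Access-Accept or Access-Reject, while an Access-Accept does need an EAP-Success. The following is an added example, not FreeRADIUS code or anything posted to the list: a small Python audit that parses the "Sending ... of id N" blocks of the 1.x debug output, re-joins hex values that a mail client has wrapped (as happened in the quoted log), and reports both conditions plus the 42-octet length from the RFC quote. The sample log and all function names are constructed for this example.

```python
"""Audit RADIUS reply packets in `radiusd -X` output for attribute placement.

Added example. Rules applied:
  * MS-CHAP2-Success is only used in Access-Accept and carries a 42-octet
    "S=..." string (RFC 2548 2.3.3).
  * The EAP-Message in Access-Challenge / Access-Accept / Access-Reject should
    be an EAP-Request / EAP-Success / EAP-Failure respectively, and an
    EAP-Request/Notification does not belong in Accept or Reject (RFC 3579 2.6.5).
"""
import re
from typing import Dict, List, Optional, Tuple

SENDING = re.compile(r"^Sending (Access-[A-Za-z]+) of id (\d+) to ")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")
HEX_CONT = re.compile(r"^\s*(0x)?[0-9A-Fa-f]+\s*$")   # value wrapped onto the next line
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EXPECTED_EAP = {"Access-Challenge": "Request", "Access-Accept": "Success",
                "Access-Reject": "Failure"}

Attrs = List[Tuple[str, str]]
Packet = Tuple[str, int, Attrs]


def parse_debug(text: str) -> List[Packet]:
    """Collect (code, id, [(attribute, value), ...]) for each reply sent."""
    packets: List[Packet] = []
    attrs: Optional[Attrs] = None
    for line in text.splitlines():
        m = SENDING.match(line)
        if m:
            attrs = []
            packets.append((m.group(1), int(m.group(2)), attrs))
            continue
        if attrs is None:
            continue
        m = ATTR.match(line)
        if m:
            attrs.append((m.group(1), m.group(2).strip()))
        elif attrs and HEX_CONT.match(line):          # mail clients wrap long hex
            name, value = attrs[-1]
            attrs[-1] = (name, value + line.strip())
        else:
            attrs = None                              # "Finished request", blank, ...
    return packets


def unhex(value: str) -> bytes:
    return bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)


def decode_eap(value: str) -> Dict[str, object]:
    """Split an EAP-Message value into its header fields."""
    raw = unhex(value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, length = raw[0], int.from_bytes(raw[2:4], "big")
    return {
        "code": EAP_CODES.get(code, f"code {code}"),
        "id": raw[1],
        "length": length,
        "type": raw[4] if code in (1, 2) and len(raw) > 4 else None,
        "length_ok": length == len(raw),
    }


def check_packet(code: str, attrs: Attrs) -> List[str]:
    problems: List[str] = []
    for name, value in attrs:
        if name == "MS-CHAP2-Success":
            if code != "Access-Accept":
                problems.append(f"RFC 2548 2.3.3: MS-CHAP2-Success is only used in "
                                f"Access-Accept, but this is an {code}")
            body = unhex(value)[1:]                   # first octet is the MS-CHAP ident
            if len(body) != 42 or not body.startswith(b"S="):
                problems.append("RFC 2548 2.3.3: MS-CHAP2-Success must carry a "
                                "42-octet 'S=' authenticator response")
        elif name == "EAP-Message":
            eap = decode_eap(value)
            if not eap["length_ok"]:
                problems.append(f"EAP-Message declares length {eap['length']} but "
                                f"carries {len(unhex(value))} octets")
            want = EXPECTED_EAP.get(code)
            if want and eap["code"] != want:
                problems.append(f"{code} carries EAP-{eap['code']}, expected EAP-{want}")
            if code in ("Access-Accept", "Access-Reject") and eap["code"] == "Request" \
                    and eap["type"] == 2:
                problems.append(f"RFC 3579 2.6.5: EAP-Request/Notification inside {code}")
    return problems


def audit(text: str) -> List[Tuple[str, int, List[str]]]:
    return [(code, pid, check_packet(code, attrs)) for code, pid, attrs in parse_debug(text)]


# Constructed sample in the layout of the 1.x debug output; values are made up.
AUTH_RESP = b"S=00112233445566778899AABBCCDDEEFF00112233"          # 42 octets
MSCHAP2_SUCCESS = "0x" + (b"\x01" + AUTH_RESP).hex()
EAP_MSCHAP_SUCCESS_REQ = "0x" + (bytes([1, 2, 0, 51, 26, 3, 1, 0, 46]) + AUTH_RESP).hex()
EAP_SUCCESS = "0x03020004"
EAP_NOTIFICATION = "0x0105000a02" + b"hello".hex()
SAMPLE_LOG = f"""Sending Access-Challenge of id 3 to 192.0.2.10 port 1812
\tMS-CHAP2-Success = {MSCHAP2_SUCCESS}
\tEAP-Message = {EAP_MSCHAP_SUCCESS_REQ}
\tMessage-Authenticator = 0x00000000000000000000000000000000
\tState = 0x0102030405060708090a0b0c0d0e0f10
Finished request 1.
Sending Access-Accept of id 4 to 192.0.2.10 port 1812
\tMS-CHAP2-Success = {MSCHAP2_SUCCESS}
\tEAP-Message = {EAP_SUCCESS}
\tMessage-Authenticator = 0x00000000000000000000000000000000
Finished request 2.
Sending Access-Accept of id 5 to 192.0.2.10 port 1812
\tEAP-Message = {EAP_NOTIFICATION}
Finished request 3.
"""

if __name__ == "__main__":
    for code, pid, problems in audit(SAMPLE_LOG):
        print(f"{code} id {pid}: {problems or 'ok'}")
```

The first sample packet reproduces the shape of the bug in the quoted log (MS-CHAP2-Success inside an Access-Challenge), the second is the compliant Access-Accept with an EAP-Success, and the third shows the case this message is about, an EAP-Request/Notification inside an Access-Accept.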

RE: Network Printers with freeradius? Anyway?

2007-09-05 Thread Josh Howlett
Do your printers support 802.1x?

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Sérgio Kojima
> Sent: 05 September 2007 18:58
> To: freeradius-users@lists.freeradius.org
> Subject: Network Printers with freeradius? Anyway?
> 
> Hello all.
> 
> Finally my FreeRADIUS 2.0.0-pre2 is running with Samba PDC + 
> OpenLdap and foundry/dot1x switches. Very well...
> Now, the next level is the printers. How to configure my 
> network printers with freeradius?
> No solicitation arrives when I run "radiusd -X".
> Printers are using DHCP.
> 
> See you!
> 
> 



RE: Database Population problem with mysql

2007-08-21 Thread Josh Howlett
Not sure why this is failing; FWIW, according to the MySQL docs:

"The DATETIME type is used when you need values that contain both date
and time information. MySQL retrieves and displays DATETIME values in
'YYYY-MM-DD HH:MM:SS' format. The supported range is '1000-01-01
00:00:00' to '9999-12-31 23:59:59'. "

josh.

> -Original Message-
> From: ram [mailto:[EMAIL PROTECTED] 
> Sent: 21 August 2007 16:29
> To: FreeRadius users mailing list
> Cc: Josh Howlett
> Subject: Re: Database Population problem with mysql
> 
> 
> 
> On 8/21/07, Josh Howlett <[EMAIL PROTECTED]> wrote: 
> 
>   > (42000) at line 15: Invalid default value for 'AcctStartTime'
>   
>   Try using a valid value for this. 
> 
>  
> Hi
>  
> what is the correct value for that record
>  
> as per the document I am populating
>  
> I am using  mysql
>  
> mysql  Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) 
> using readline 5.2
>  
> on debian
>  
> any suggestions
>  
> ram
> 
> 



RE: Database Population problem with mysql

2007-08-21 Thread Josh Howlett
Post mysql.sql to the list.

josh. 

> -Original Message-
> From: ram [mailto:[EMAIL PROTECTED] 
> Sent: 21 August 2007 16:29
> To: FreeRadius users mailing list
> Cc: Josh Howlett
> Subject: Re: Database Population problem with mysql
> 
> 
> 
> On 8/21/07, Josh Howlett <[EMAIL PROTECTED]> wrote: 
> 
>   > (42000) at line 15: Invalid default value for 'AcctStartTime'
>   
>   Try using a valid value for this. 
> 
>  
> Hi
>  
> what is the correct value for that record
>  
> as per the document I am populating
>  
> I am using  mysql
>  
> mysql  Ver 14.12 Distrib 5.0.32, for pc-linux-gnu (i486) 
> using readline 5.2
>  
> on debian
>  
> any suggestions
>  
> ram
> 
> 



RE: Database Population problem with mysql

2007-08-21 Thread Josh Howlett
> (42000) at line 15: Invalid default value for 'AcctStartTime'

Try using a valid value for this.

josh.



RE: PAM Radius

2007-08-20 Thread Josh Howlett
Hi Sayan,

I think I have tried this previously, and it was possible (on
Linux/glibc anyway - YMMV with other unices).

TBH, I don't really see the point in using RADIUS when you'll (probably)
want to use LDAP anyway for nss resolution, so you might as well just
use LDAP for PAM.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sayan S
> Sent: 20 August 2007 14:04
> To: FreeRadius users mailing list
> Subject: Re: PAM Radius
> 
> Thanks Alan for the quick response.
> I am referring to realm here, as RADIUS support realms, and 
> we are using RADIUS to authenticate the users to Linux, so 
> seems like we need to have all users contained in the same realm.
> 
> Is having username in [EMAIL PROTECTED] form a valid unix format? I 
> was thinking the first part of the [EMAIL PROTECTED] should be the 
> unix username though the radius request is sent as 
> [EMAIL PROTECTED] Otherwise we need to have a comprehensive 
> [EMAIL PROTECTED] to Unix-userid mapping.
> 
> regards,
> sayan
> 
> Alan DeKok <[EMAIL PROTECTED]> wrote:
> 
>   Sayan S wrote:
>   > Greetings, I am very new to RADIUS and PAM RADIUS.
>   > I am trying to configure PAM Radius to authenticate users on a Linux
>   > host. I would like to know, how to configure PAM Radius to authenticate
>   > users from different realms, as the current configuration doesn't seem
>   > to take realm.
>   
>   You don't use realms in Unix logins.
>   
>   > please help me with this as I have configured users to be part of
>   > different realms on radius server and now want to authenticate all those
>   > users to the same Linux host.
>   
>   You just login as "[EMAIL PROTECTED]". That might work.
>   
>   Alan DeKok.



RE: Ipsec EAP_TLS

2007-08-17 Thread Josh Howlett
> Does the current implementation of free radius provide the 
> capability that these keys can be securely transferred to 
> the VPN gateway ?

No.

josh.



RE: How to capture wireless EAP packets on Windows XP?

2007-07-25 Thread Josh Howlett
I usually find it simplest to use tcpdump on the RADIUS server, although
I've used Wireshark in the past on Windows supplicants.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clark J. Wang
> Sent: 25 July 2007 03:48
> To: freeRadius Mailing List - users
> Subject: How to capture wireless EAP packets on Windows XP?
> 
> I'm testing FreeRADIUS's PEAP-EAP-MSCHAPv2 functionality with 
> a wireless USB adapter (D-Link AirPlus G DWL-G122) on Windows 
> XP (SP2). I tried to capture the EAP packets using Wireshark 
> 0.99.6a but I failed.
> 
> Anyone can help? Thanks.
> 
> 



RE: "Shared secret is incorrect" - but it is identical!

2007-07-03 Thread Josh Howlett
Hi Ken,

What happens if, using radtest, you specify the username *without* the
realm from the remote machine?

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ken
> Sent: 03 July 2007 22:02
> To: FreeRadius users mailing list
> Subject: "Shared secret is incorrect" - but it is identical!
> 
> I'm trying to get FreeRadius working on a Fedora Core 6 
> server with a view to eventually using it to authenticate 
> against Windows Active Directory via ntlm_auth for the Janet 
> Roaming Service. The first attempts at configuring it failed 
> rather drastically so I went back to the beginning and I'm 
> doing things one step at a time, making one-line changes to 
> configs then using radtest and/or radclient to ensure it 
> still works. I can now authenticate users defined in the users 
> file, or in the Unix passwd file, from radtest on the local 
> machine (i.e. the same one the server is running on). The next 
> step is to check that I can use FreeRadius over the network 
> by trying radclient on another machine.
> 
> It doesn't work from the networked machine. I see the 
> "invalid signature (err=2)!  (Shared secret is incorrect.)" message.
> 
> Debug log says to "double check the shared secret on the 
> server". I have more than double checked it. I'm using the 
> same shared secret on both machines.  I "know" the shared 
> secret is correct because it works from the local machine.  
> But obviously it isn't! Because the encrypted password can't 
> be read on the server. What can I do to make sure the shared 
> secret truly is correct?
> 
> The definitions for both hosts are identical in the 
> clients.conf file. At one point I  manually edited them to 
> swap the names of servers while leaving the secrets the same, 
> just in case there was some hidden unprintable character - 
> but the new local one still worked, proving that the two 
> entries in the clients.conf file are in fact identical.
> 
> The shared secrets used in the radtest command are identical. 
> I'm cutting and pasting the *same* radtest command in, not 
> retyping it.
> 
> To test for sure I put radclient commands in scripts on the 
> remote machine, where they failed. Then I ftped them from 
> the machine they failed on to the other one - where they 
> worked! So it *has* to be the same! And if I alter it in any 
> way there then radtest fails, so it's not getting a free 
> passage just because it's local.
> 
> I have a horrid fear I've missed something totally obvious 
> about how radclient works and that I'm doing something really, 
> really stupid - but I can't see what. And I've been 
> stuck here for over a week now. Any clues?
> 
>  From the local machine I get:
> 
> ===
> [EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb 
> [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret 
> Sending Access-Request of id 121 to server.IP.addr port 1812
>  User-Name = "[EMAIL PROTECTED]"
>  User-Password = "password"
>  NAS-IP-Address = 255.255.255.255
>  NAS-Port = 122
> rad_recv: Access-Accept packet from host server.IP.addr:1812, id=121, length=20
> ===
> 
> But when I try from the remote machine I get:
> 
> ===
> /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
> Sending Access-Request of id 184 to server.IP.addr port 1812
>  User-Name = "[EMAIL PROTECTED]"
>  User-Password = "password"
>  NAS-IP-Address = 255.255.255.255
>  NAS-Port = 122
> rad_recv: Access-Reject packet from host server.IP.addr:1812, 
> id=184, length=20
> rad_verify: Received Access-Reject packet from client 
> server.IP.addr port 1812 with invalid signature (err=2)! 
> (Shared secret is incorrect.)
> [EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb 
> [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret 
> Sending Access-Request of id 246 to server.IP.addr port 1812
>  User-Name = "[EMAIL PROTECTED]"
>  User-Password = "password"
>  NAS-IP-Address = 255.255.255.255
>  NAS-Port = 122
> rad_recv: Access-Reject packet from host server.IP.addr:1812, 
> id=246, length=20
> rad_verify: Received Access-Reject packet from client 
> server.IP.addr port 1812 with invalid signature (err=2)! 
> (Shared secret is incorrect.)
> [EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb 
> [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret 
> Sending Access-Request of id 7 to server.IP.addr port 1812
>  User-Name = "[EMAIL PROTECTED]"
>  User-Password = "password"
>  NAS-IP-Address = 255.255.255.255
>  NAS-Port = 122
> rad_recv: Access-Reject packet from host server.IP.addr:1812, 
> id=7, length=20
> rad_verify: Received Access-Reject packet from client 
> server.IP.addr port 1812 with invalid signature (err=2)! 
> (Shared secret is incorr
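
The two secret-dependent steps of the exchange in Ken's transcript, as an added Python example that is neither from the thread nor FreeRADIUS code: hiding User-Password in the request (RFC 2865 section 5.2), and the Response Authenticator that radtest recomputes before trusting a reply, which is the check behind "invalid signature (err=2)". All packets are constructed in-process. The second server-side secret in demo() stands for a different clients.conf entry matching the remote host's source address; that is an assumption used to illustrate the failure, not a diagnosis of Ken's setup.

```python
"""RADIUS shared-secret checks on an Access-Request round trip (RFC 2865).

Added example, not FreeRADIUS code.  The secret is used in two places: to
hide User-Password in the request, and to sign the reply with the Response
Authenticator.  radtest's "invalid signature (err=2)" is the second check
failing.  All packets are built in-process; nothing is sent on the wire.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5


def _encode_attrs(attrs):
    """Type-Length-Value encoding of (type, value-bytes) pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse.  A wrong secret does not fail here; it yields garbage,
    so a secret mismatch on the request side shows up as a bad password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                         request_auth: bytes = None) -> bytes:
    """Client side: Code | ID | Length | Request Authenticator | attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_PORT, struct.pack("!I", 122)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    with the secret of whichever client entry matched the request's source address."""
    body = _encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: what radtest/radclient do before trusting a reply."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    if reply[1] != request[1]:              # must answer the outstanding ID
        return False
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo() -> dict:
    """Same client, two server-side secrets: the entry the client expects, and a
    different clients.conf entry that happened to match its source address (assumed)."""
    ra = bytes(range(16))                   # fixed Request Authenticator, for reproducibility only
    secret, other = b"sharedsecret", b"othersecret"
    request = build_access_request(184, secret, b"ken", b"password", ra)
    hidden = hide_password(b"password", secret, ra)
    return {
        "password_with_right_secret": reveal_password(hidden, secret, ra),
        "password_with_wrong_secret_ok": reveal_password(hidden, other, ra) == b"password",
        "reply_right_secret_verifies": verify_reply(build_reply(ACCESS_ACCEPT, request, secret), request, secret),
        "reply_wrong_secret_verifies": verify_reply(build_reply(ACCESS_REJECT, request, other), request, secret),
    }
```

The asymmetry is the practical point: a secret mismatch on the request only corrupts the decoded password and produces an ordinary Access-Reject, while a mismatch on the reply is detected by the client, which is the message Ken sees. Both come from the same place, the secret the server picked for the client entry that matched the sending address.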

RE: RADIUS & PEAP

2007-07-03 Thread Josh Howlett
What you're attempting to do is impossible because MS-CHAP is a mutual
authentication protocol. If the RADIUS server does not demonstrate
knowledge of the password to the supplicant, a well-behaved supplicant
*should* refuse the connection.

(I also wouldn't be surprised if the RADIUS server barfs because it
can't get a valid user-password in order to construct the authentication
response but I can't comment authoritatively on this).

Finally, you can't authenticate MS-CHAP against /etc/passwd or
/etc/shadow; MS-CHAP requires access to the cleartext password or its
NTLM hash.

josh.

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Adrienne Rau
> Sent: 03 July 2007 19:30
> To: freeradius-users@lists.freeradius.org
> Subject: RADIUS & PEAP
> 
> I am configuring a wireless network with EAP Authentication.  
> I can connect successfully with the following line in my users file.
> 
> testuser User-Password == "testing"
> 
> I would like to be able to authenticate with ANY password.  I 
> tried using the "!=" operand, but that causes an MS-CHAP 
> incorrect response error.  Is there any way to make EAP 
> authenticate with any password.  If not, how can I have it 
> authenticate against the /etc/passwd and /etc/shadow files?
> 
> Thank you for your help,
> Adrienne Rau
> 
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: [meta] admin tools and utilities

2007-06-29 Thread Josh Howlett
 

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Phil Mayers
> Sent: 29 June 2007 10:35
> To: FreeRadius users mailing list
> Subject: Re: [meta] admin tools and utilities
> 
> On Thu, 2007-06-28 at 12:16 -0500, Hugh Messenger wrote:
> > Forgive me if meta-discussions are frowned upon.
> > 
> >  
> > 
> > I was just wandering what tools and utilities (not shipped with
> > freeradius) people find useful in day to day admin and testing.
> 
> eapol_client from the wpa_supplicant distro was invaluable 
> for testing EAP I found

I agree with Phil, this is an invaluable tool for testing EAP; although
it's really called eapol_test :-)

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Sending CA certificate during EAP-TLS

2007-06-29 Thread Josh Howlett
Hi Reimer, 

> How do you check if FreeRadius is actually sending the chain?

I find Wireshark useful for this. It re-assembles the fragmented TLS
handshake, which makes it much easier to understand...

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Banning users in a nice way...

2007-06-27 Thread Josh Howlett
> Has anyone got any ideas ?
> 
> I'm assuming theres no way to do it..

Not that I can think of. You shouldn't be able to coax a supplicant onto
a network by munging authentication (this is a *good* thing).

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Simultaneous-Use problem.

2007-06-25 Thread Josh Howlett
> On Monday 25 June 2007 11:42:08 Josh Howlett wrote:
> > I have a feeling that the answer is blindingly obvious, but I can't 
> > figure it out...
> >
> > The 'users' file consists of:
> >
> > DEFAULT Auth-Type = Accept
> > Simultaneous-Use := 1
>
> Because Simultaneous-Use is in the wrong place.  Make it a 
> check item and the session section should be processed.

That fixed it. As I thought, blindingly obvious; a case of needing
another pair of eyes...

Thanks, josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
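
As an added illustration (not from the thread): in the users file, the first line of an entry carries check items and the indented lines that follow carry reply items, so Simultaneous-Use on its own line was a reply item. The entry as posted, beside the corrected one:

```text
# As posted: Simultaneous-Use on the second line is a reply item, so the
# session section is never consulted.
DEFAULT Auth-Type = Accept
        Simultaneous-Use := 1

# Corrected: Simultaneous-Use on the first line is a check item, and the
# session section is consulted.
DEFAULT Auth-Type = Accept, Simultaneous-Use := 1
```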


Simultaneous-Use problem.

2007-06-25 Thread Josh Howlett
I have a feeling that the answer is blindingly obvious, but I can't
figure it out...

The 'users' file consists of:

DEFAULT Auth-Type = Accept
Simultaneous-Use := 1

In radiusd.conf I also have:

session {
sql
}

authorize {
radius-user-auth
}

'radius-user-auth' is an rlm_exec instance that invokes a script used to
authenticate users. It works fine, but the 'session' section never gets
processed. Why?

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Josh Howlett
> > Nope; see RFC 3579 for the gory details:
> > 
> > "the NAS MUST copy the contents of the Type-Data field of the 
> > EAP-Response/Identity received from the peer into the User-Name 
> > attribute"
> > 
> 
> See thats what I suspected, else how could the User-Name 
> attribute be populated in the access requests...
> And indeed as the RFC states, the User-Identity needs to be 
> set in the access requests for non-EAP-aware proxies. I 
> suspect FreeRADIUS may count as one of these, as for all 
> intents and purposes it provides no mechanism to proxy 
> arbitrary segments of an EAP conversation on inner identity alone.
> Unless I missed something ?

No, that's correct.

> > For the reason given above, it *does* need to understand the 
> > EAP-Identity-Response. But that's about it! The NAS is a 
> pretty dumb 
> > device.
> 
> Reason why I was asking is because most of the tests on the 
> JRS test website seem to break when you base the reply in 
> FreeRADIUS, on the inner identity as opposed to the outer identity.

I'm surprised at that, IIRC (and I did write the code originally :-) the
tests use the same name for inner and outer. Still, it would probably be
best if you raised a ticket with JANET Customer Services as this is a
bit OT for this list.

best regards, josh.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: terminating EAP tunnels, proxy and realms

2007-06-25 Thread Josh Howlett
Gah, my message bounced owing to change of email address...

Arran wrote:
> Can you clear something up for me with inner/outer identity. 
> The outer identity is in the User-Name attribute , it's a standard 
> RADIUS attribute... Inner identity is encoded in the EAP message, and 
> is pulled out by the EAP module prior to internal proxying and set as 
> the User-Name attribute (which should overwrite the User-Name 
> attribute in the request) ?

Correct.

> And it's standard practice to leave the outer identity as anonymous, 
> as the only communication between the NAS and the Supplicant is EAP 
> based when using EAPOL, and so the NAS would have to understand EAP to
> be able to extract the User-Name string and write it into the 
> Access-Request packet ?

Nope; see RFC 3579 for the gory details:

"the NAS MUST copy the contents of the Type-Data field of the
EAP-Response/Identity received from the peer into the User-Name
attribute"

The use of "anonymous" is simply to preserve privacy; it's not a
technical requirement of any EAP method (that I know of).

An interesting tangent: note that "end-user identity hiding" is simply a
"requirement" of RFC 4017 ("EAP Method Requirements for Wireless LANs"),
which I think is a shame.

> So although the NAS must send an EAP-Identity-Request when the client
> connects it's not required to understand the EAP-Identity-Response ?

For the reason given above, it *does* need to understand the
EAP-Identity-Response. But that's about it! The NAS is a pretty dumb
device.

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: PHP issues with PHP 4.3.9 and dialup_admin

2007-06-20 Thread Josh Howlett
> On 6/16/07, Josh Howlett <[EMAIL PROTECTED]> wrote:
> > Ethan,
> >
> > Have you got the freeradius-mysql RPM installed?
> 
> I don't know if I remembered to post a followup or not, but, 
> "undefined constant" messages aside (which are caused by a 
> change to how PHP requires single quotes), my real problems 
> with dialup_admin not working at all (blank screens), was 
> caused by a missing rpm related to PHP and a 
> reported/documented "feature" that if you call a PHP function 
> that does not exist, you get no feedback in the way of error 
> messages - just total silence.

You were probably missing php-mysql, as I was. PHP does normally return
sensible error messages of the kind you mention, so I had the same
confusion as you. I'm not sure if there is a new option in php5 to
enable these, or if something has changed in dialup_admin to suppress
them...

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius PEAP and Wireless

2007-06-18 Thread Josh Howlett
> rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is 
> required first.

You need to uncomment the tls section in eap.conf, even if you're not
intending to use EAP-TLS.

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: PHP issues with PHP 4.3.9 and dialup_admin

2007-06-16 Thread Josh Howlett
Ethan,

Have you got the freeradius-mysql RPM installed?

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Ethan Dicks
> Sent: 20 March 2007 21:00
> To: freeradius-users@lists.freeradius.org
> Subject: PHP issues with PHP 4.3.9 and dialup_admin
> 
> I've been digging around all day and I've seen other people 
> describe the same symptoms I'm having, but the follow-ups 
> typically say "Oh, I fixed it", but don't describe the fix.  It 
> seems that something resembling my symptoms goes back to the 
> version of dialup_admin that shipped with freeRADIUS 1.0.1, 
> so I am not convinced what I'm seeing is _specifically_ a PHP 
> 4.3 problem, but given the changes with registers_global from 
> 4.1.0 to 4.2.0, I thought it would be prudent to mention that.
> 
> My setup is...
>   CentOS 4.4.2 (RHEL 4 without the RedHat trademarks and graphics)
>   Apache 2.0.52
>   PHP 4.3.9
>   mysql 4.1.20
>   freeRADIUS 1.1.5
>   dialup_admin ? (CVS snapshot 20070320)
>   firefox 1.5.0.10
> 
> I have freeRADIUS installed and working with users stuffed 
> into a flat file, verified with 'radtest'.  I can get the 
> main page of dialup_admin to come up, but I get blank screens 
> and lots of PHP errors logged when I try to invoke nearly any 
> button.  My radius database has tables, but no rows, since I 
> was trying to set up dialup_admin to start inserting users 
> and groups.  I have set PHP's registers_global to 'on' via 
> /etc/php.ini and verified that it's on with phpinfo(), and I 
> still get dozens of errors per mouse-click...
> 
> Here's a typical example - the output is generated when 
> clicking on the 'new group' button: a long list of 'undefined 
> constant', 'undefined variable', and 'undefined index' 
> following the warning that there's no prefix on a function 
> call to say what its namespace is.
> I'm putting the error dump at the bottom to keep it from 
> creating a huge gulf between sections of this query.
> 
> I know it must look familiar because I've found several 
> references to errors that look just like this in  the mailing 
> list archives.  What's lacking is the solution.
> 
> Am I just missing a setup step somewhere?  Am I running 
> servers and packages that are just too new and untested?
> 
> Thanks,
> 
> -ethan
> 
> 
> [client 127.0.0.1] PHP Notice:  import_request_variables(): 
> No prefix specified - possible security hazard in
> /usr/local/dialup_admin/conf/config.php3 on line 8, referer:
> http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> general_use_session - assumed 'general_use_session' in
> /usr/local/dialup_admin/conf/config.php3 on line 66, referer:
> http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Undefined variable:  login in
> /usr/local/dialup_admin/conf/config.php3 on line 73, referer:
> http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Undefined variable:  login in
> /usr/local/dialup_admin/conf/config.php3 on line 76, referer:
> http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> general_username_mappings_file - assumed 
> 'general_username_mappings_file' in
> /usr/local/dialup_admin/conf/config.php3 on line 86, referer:
> http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> general_username_mappings_file - assumed 
> 'general_username_mappings_file' in
> /usr/local/dialup_admin/conf/config.php3 on line 87, referer:
> http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> name - assumed 'name' in 
> /usr/local/dialup_admin/conf/config.php3 on line 100, 
> referer: http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> name - assumed 'name' in 
> /usr/local/dialup_admin/conf/config.php3 on line 100, 
> referer: http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> name - assumed 'name' in 
> /usr/local/dialup_admin/conf/config.php3 on line 100, 
> referer: http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> name - assumed 'name' in 
> /usr/local/dialup_admin/conf/config.php3 on line 100, 
> referer: http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> name - assumed 'name' in 
> /usr/local/dialup_admin/conf/config.php3 on line 100, 
> referer: http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> name - assumed 'name' in 
> /usr/local/dialup_admin/conf/config.php3 on line 100, 
> referer: http://localhost/dialup/buttons.php3
> [client 127.0.0.1] PHP Notice:  Use of undefined constant 
> general_use_session - assumed 'general_use_session' in
> /usr/local/dialup_admin/conf/config.php3 on line 106, referer:
> http://localhost/dialup/buttons.php3

RE: Run 2 FreeRadius simultanously

2007-06-12 Thread Josh Howlett
Hi Jaume, 

> Can my machine run 2 FreeRadius at the same time? Each 
> FreeRadius on a different IP but simultaneously on the same CPU 
> and O.S.? Somebody told me that's possible if each radius is 
> reading from a different PATH...
> 
> Thanks for any documentation, link or kind of help.

$ man radiusd
...
   -d config directory
  Defaults to /etc/raddb. Radiusd looks here for its
configuration files such as the dictionary and the users files.

You can start another instance of freeradius and point it to another
config directory.

> Jaume, trying to start eduRoam in Peru!

Excellent! There are plenty of other eduroamers on this list too :-)

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: JRS Service configurations + Wiki

2007-05-29 Thread Josh Howlett
> > Alan D,
> > 
> > Would you mind having configuration documents for 3rd party 
> services 
> > like JRS on the FreeRADIUS wiki ?
> > 
> > Alan B,
> > 
> > Would JANET mind having configuration documents for  JRS on the 
> > FreeRADIUS wiki ?
> > 
> > It is meant to be a repository for everything FreeRADIUS 
> after all ... 
> > and it's easier if all this stuff is in one place.
> 
> personally I would prefer such configuration to be on the JRS 
> support / UKERNA document site. What should be on the main FR 
> wiki is the fundamental 'how to proxy' and 'how to attribute filter'
> type documents. I believe that special service cases could 
> otherwise overrun the freeradius site (as they do the 
> freeradius users list)

While UKERNA would have absolutely no problem with this, I empathise
with Alan B's view that such documentation might be 'clutter' on the
FreeRADIUS Wiki and might be better located on a JRS-specific website.
It might also be more visible to JRS participants. Perhaps a link from
the Wiki to the JRS website might be more appropriate?

If you'd like to contribute some JRS documentation formally, then please
get in touch with me directly! We're particularly interested in
documentation covering the 'complete solution' (auth db, radius, WAPs,
PR, etc). This is obviously a lot of work, but we should be able to
compensate your Institution for this effort.

best regards, josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MAC OS X - wired 802.1x supplicant

2007-03-28 Thread Josh Howlett
See "Connecting to a network that requires 802.1X authentication" in
System Preferences Help.

josh.

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Michael Messner
> Sent: 28 March 2007 12:46
> To: FreeRadius users mailing list
> Subject: OT: MAC OS X - wired 802.1x supplicant
> 
> hey all,
> 
>  not a freeRADIUS problem but I hope that someone can help me.
> I have no problem with my ibook to connect to a wireless 
> network via 802.1x but I can't find any possibility to make a 
> connection to a 802.1x-secured wired network!
> Am I blind or is this not supported from OSX? Any other 
> supplicants for OSX available?
> 
> thanks for every info
> 
> mIke
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How to send the accounting messages

2007-03-27 Thread Josh Howlett
> Also can you please tell me how to send different accounting messages.

Consult your NAS documentation.

josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Simple EAP flow support!

2007-03-07 Thread Josh Howlett
You will need to modify the code.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Diameter K
> Sent: 07 March 2007 18:53
> To: freeradius-users@lists.freeradius.org
> Subject: Simple EAP flow support!
> 
> Hi All,
>I want to configure free-radius to handle a simple EAP 
> described below.
> 
> 1. Radius receives a IDENTITY message. The IDENTITY message 
> contains a encrypted certificate.
> 2. The server decrypts and validates the Certificate and send 
> out a EAP-Success or EAP-Failure. 
> 
> Is there any way I can configure freeradius to achieve this 
> flow or would I have to modify the code?  As I understand it, the 
> standard flows are much more complicated (with challenge), 
> which I don't want.
> 
> 
> Thanks & Regards,
> Shiv
> 
> 
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Installing Free radius 1.1.4 on Server Running Centos 4.4

2007-02-18 Thread Josh Howlett
$ yum install freeradius 

Josh.

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of dataHosting Support
> Sent: 19 February 2007 07:28
> To: freeradius-users@lists.freeradius.org
> Subject: Installing Free radius 1.1.4 on Server Running Centos 4.4
> 
>  
> 
> Is there an easy step by step guide for beginners on 
> installing Free Radius 1.1.4. on Centos 4.4?
> 
>  
> 
> Have setup new Centos Server and now wanting to install Free Radius.
> 
>  
> 
>  
> 
> Regards,
> 
>  
> 
> David Willis
> 
>  
> 
>  
> 
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Expert Help Required

2007-02-02 Thread Josh Howlett
> Hi Guys,
>  
> Currently I am using Cistron radius

This is the FreeRADIUS list; you might have more luck at the Cistron
list :-)

Josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: The EAP Saga continues.

2007-02-02 Thread Josh Howlett
> If you choose to use EAP-PEAP/MS-CHAPv2 you need 4 items:
> 
>   1. A server certificate, signed by a Cert Authority "serverCA"

...not forgetting the relevant OID extensions peculiar to EAP-PEAP :-)

Josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
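
The extensions Josh alludes to, as an added example (not from the thread): an OpenSSL extension file in the style of the xpextensions file in the FreeRADIUS source tree. The Windows PEAP supplicant expects the server certificate to carry the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1); the section names below are the conventional ones and are an assumption here.

```text
# openssl extension file; pass with -extfile and -extensions when signing
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
```

Sign the server certificate with `openssl ca ... -extfile xpextensions -extensions xpserver_ext` (or `openssl x509 -req ...` with the same two options) and confirm the result with `openssl x509 -in server.pem -noout -text`, which should list "TLS Web Server Authentication" under X509v3 Extended Key Usage. A certificate without it is accepted by many non-Windows supplicants, which is why the omission tends to surface late.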


RE: LAN accounting

2007-01-29 Thread Josh Howlett
> >>>I'm a newbie, I want to know whether I can use FreeRadius+Dialup_admin as a
> >>>LAN accounting?
> >>It means that I use them without dialing?
> > 
> > the name "dialup"_admin is a bit misleading. You can as 
> well manage LAN users 
> > with them.
> > It's a generic user management system.
> 
> agree if RADIUS is used to authenticate users,
> but they're asking about accounting.
> Besides there's no way to prevent connection to LAN switches 
> with RADIUS

Yes - 802.1x

> and restrict internal communication between local hosts.

Kinda - Dynamic VLAN allocation.

Josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
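
"Dynamic VLAN allocation" concretely, as an added example (not from the thread): the three reply attributes from RFC 3580 section 3.31 that a switch doing 802.1X acts on. The user name, password and VLAN number are made up for the illustration.

```text
# users file: after a successful 802.1X authentication the switch moves
# alice's port into VLAN 10; other ports stay where the switch config puts them.
alice   Cleartext-Password := "example-only"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"
```

Whether the switch honours these, and whether an unauthenticated port is isolated or dropped into a guest VLAN, is switch configuration, not something RADIUS can enforce on its own.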


RE: a freeradious/wireless solution for a school

2007-01-23 Thread Josh Howlett
(I'll bite to save Alan the déjà vu) 

An attacker sets up a captive portal system that looks exactly the same as 
yours (spoof). Users can't distinguish between the two captive portals, and so 
some users inevitably enter their credentials into the spoof portal. These 
credentials can be used by the attacker to gain network access through the 
authorised portal, or whatever else they're authorised for.

josh. 

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Tas Dionisakos
> Sent: 23 January 2007 21:55
> To: FreeRadius users mailing list
> Subject: Re: a freeradious/wireless solution for a school
> 
> Please elaborate on how the system can be circumvented?
> 
> Tas.
> 
> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> >   
> >>* Apache
> >>* Freeradius
> >>* Chillispot
> >>* Mysql
> >> 
> >
> > though note that captive portals are easy to mitigate/spoof and 
> > circumvent
> >
> > alan
> >
> >   
> 
> 
> --
> *
> Tas Dionisakos
> IT Manager
> St Mary's College and Newman College
> The University of Melbourne
> T: 03 9342 1708
> M: 0439 655 565
> E: [EMAIL PROTECTED]
> C: (0o ()() o0)
> *
> 
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: AW: AW: PEAP+MSCHAP+AD (please help)

2006-12-13 Thread Josh Howlett
>   1. Does your password have odd (non-ascii) characters in it? That 
> should NOT matter for MS-CHAP since it's explicitly unicode aware

MS-CHAP is unicode aware, but FreeRADIUS' implementation is not. It
definitely borks on non-ASCII characters in passwords. (I submitted a
patch some time ago to fix this, check the archives).

(I've not been following this thread, so I don't know if pertinent or
not.)

Josh.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with EAP/MD5 behind proxy

2006-12-07 Thread Josh Howlett
You're stripping the realm at the proxy; add "nostrip" to the realm
stanza defined in realms.conf for the server you're proxying to.

Josh. 

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Hans Bornemann
> Sent: 07 December 2006 10:57
> To: freeradius-users@lists.freeradius.org
> Subject: Problem with EAP/MD5 behind proxy
> 
> Hi,
> 
> I run into this problem:
> 
> Config:
> 
> 802.1x client (Windows XP with 802.1x / md5 ) --> freeradius-proxy -->
> freeradius-server
> 
> Same prg-version on both server (1.1.0)
> same radius.conf
> same users file
> 
> If I try to authenticate against the proxy without a realm, 
> everything is o.k.
> 
> If I try this with a realm the second radius-server shows this error:
> 
> rlm_eap: Identity does not match User-Name, setting from EAP Identity
> rlm_eap: Failed in handler
> 
> 
> any ideas?
> 
> Hans
> 
> 
> -- 
> Hans Bornemann
> Universitaet Dortmund - Hochschulrechenzentrum
> Tel. ++49 231 755 2132  Fax. ++49 231 755 2731
> 
> 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
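
The RFC 3579 rule Josh quotes in the "terminating EAP tunnels" thread, the outer/inner identity handling Arran describes there, and the realm-stripping failure in this EAP/MD5 thread, modelled in Python as an added example that is not FreeRADIUS code. All packets and identities are constructed in-process; the "strip" flag stands for the realm option the reply mentions, and the cross-check function is a model of the mismatch the quoted log line reports, not FreeRADIUS's own code path.

```python
"""EAP-Response/Identity versus User-Name (RFC 3748, RFC 3579).

Added example, not FreeRADIUS code.  Models: the NAS copying the Identity
Type-Data into User-Name; the outer identity that a proxy routes on versus
the inner identity seen only after the TLS tunnel is terminated; and the
cross-check between User-Name and the EAP identity that a realm-stripping
proxy breaks.  All packets and names are constructed in-process.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """RFC 3748 4.1: Code | Identifier | Length | Type=1 | Type-Data (the identity)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def parse_eap(packet: bytes):
    """Return (code, identifier, type, type_data); reject truncated or over-long packets."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} != {len(packet)} octets received")
    if code in (EAP_REQUEST, EAP_RESPONSE) and length < 5:
        raise ValueError("EAP Request/Response without a Type octet")
    eap_type = packet[4] if length >= 5 else None
    return code, identifier, eap_type, packet[5:]


def nas_user_name(eap_packet: bytes) -> str:
    """RFC 3579 2.1: the NAS sets User-Name from the EAP-Response/Identity Type-Data."""
    code, _, eap_type, data = parse_eap(eap_packet)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return data.decode("utf-8")


def split_realm(user_name: str):
    """user@realm -> (user, realm), splitting on the last '@'; a bare name has realm None."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)


def proxied_user_name(user_name: str, strip: bool) -> str:
    """User-Name as a proxy forwards it: untouched with nostrip, otherwise the realm is cut."""
    user, realm = split_realm(user_name)
    return user if strip and realm is not None else user_name


def identity_matches_user_name(user_name: str, eap_packet: bytes) -> bool:
    """The home server's check between User-Name and the identity inside EAP-Message."""
    return nas_user_name(eap_packet) == user_name


def demo() -> dict:
    # Outer identity, sent over EAPOL and copied into User-Name by the NAS; the
    # proxy chain can route only on this.
    outer = build_eap_identity_response(1, "anonymous@example.org")
    outer_user_name = nas_user_name(outer)
    # Inner identity, an EAP-Response/Identity carried inside the TLS tunnel and
    # visible only to the server that terminates it, which resets User-Name from it.
    inner = build_eap_identity_response(2, "alice@example.org")
    # The EAP/MD5-behind-a-proxy case: the proxy strips the realm from User-Name
    # but cannot touch the identity inside EAP-Message, so the home server sees a mismatch.
    bob = build_eap_identity_response(7, "bob@example.org")
    return {
        "outer_user_name": outer_user_name,
        "outer_realm": split_realm(outer_user_name)[1],
        "inner_user_name": nas_user_name(inner),
        "stripped_matches": identity_matches_user_name(proxied_user_name("bob@example.org", True), bob),
        "nostrip_matches": identity_matches_user_name(proxied_user_name("bob@example.org", False), bob),
    }
```

The stripping case is the whole of Hans's problem: User-Name is a RADIUS attribute the proxy may rewrite, but the identity lives inside EAP-Message, which the proxy forwards opaquely, so the two disagree by the time the request reaches the home server.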


Re: Windows Vista doing PEAP

2006-10-19 Thread Josh Howlett

Alan DeKok wrote:

"King, Michael" <[EMAIL PROTECTED]> wrote:

It seg faults when I do -X (or -sxx, but not with -x).


  At this point, I have no clue why it's dying.

  I suggest editing the code yourself.  The issue is that a decision
is being made by the module to not continue processing the EAP
session, but I don't know why.  The patches were an attempt to have it
print out more information, so we could see what information was
being used to make that wrong decision.

  Again, I have no idea why it's core dumping.  It shouldn't be.  I
don't have Vista, and I can't debug this issue myself.  It's up to you.


Sorry - I've come late to this thread. Do we have a general problem with 
Vista failing to authenticate against FR, or is this just one instance 
failing, and we know of other instances where it is working?


josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to create my own module in Freeradius !!!

2006-10-18 Thread Josh Howlett

[EMAIL PROTECTED] wrote:

Hi Techies,
 
I am a newbie to the freeradius fraternity. So grasping lot of things from 
this mailing list ;)
 
I want to write my own module (which have a .c file prints out "Hello 
World" to a file).


You might want to subscribe to the freeradius-devel mailing list.

 Would any of you please tell me how I can do this.

What all configurations are required?


Check out rlm_example (src/modules/rlm_example/)

josh.


I am using Freeradius-1.1.3 server version.
 
Regards

Vineet




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to return AV pairs from within an rlm module?

2006-09-14 Thread Josh Howlett
Add your attributes to the reply structure. FreeRADIUS will take care of 
the rest.


josh.

Ali Majdzadeh wrote:

Hi all
I want to return AV pairs (Cisco VoIP) from within an rlm module. I 
tried to printf them into stdout, but it didn't work.
Should I use the structures accessible within the rlm module? for 
example, REQUEST.

Then, how should I pass them to Cisco?

Regards
Ali




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: STORE PWD using MD5 and EAP-PEAP-MSCHAPv2 for the communication

2006-09-12 Thread Josh Howlett


ego seek wrote:




Does anybody know HOW I can make radius WORK with MD5-stored passwords in 
the db?

I use EAP-PEAP-MSCHAPv2, and the system works great if the pwds are 
in clear in the mysqlDB


You can't authenticate EAP-PEAP/EAP-MSCHAP-v2 against MD5 passwords - 
it's impossible.


You must store passwords in either plain-text or NT-hash formats.

josh.

(Can someone please make this a FAQ entry, I've lost count of the number 
of times it's come up...)



best regards.


Nicola




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
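
The point made in this reply and in the "RADIUS & PEAP" reply earlier on the page (MS-CHAPv2 needs the cleartext password or its NT hash, and an MD5 digest cannot serve), as an added Python example that is not FreeRADIUS code: the server's half of RFC 2759 carried through from a stored credential. The FreeRADIUS attribute names Cleartext-Password, NT-Password and MD5-Password are used as labels for the stored forms; the NT-Response value is a constructed placeholder, and the DES check of the peer's response is left out because the stdlib has no DES.

```python
"""MS-CHAPv2 server-side proof (RFC 2759).

Added example, not FreeRADIUS code.  The Authenticator Response that a
supplicant checks is derived from MD4(NT hash), so the server must hold the
cleartext password or its NT hash; a one-way MD5 or crypt(3) digest cannot
be turned into either.  Checking the peer's own 24-octet NT-Response needs
DES, which the stdlib lacks, so that value is taken as received.  User,
password and challenges are the RFC 2759 section 9.2 test values; the
NT-Response below is a constructed placeholder.
"""
import hashlib
import struct

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 needs OpenSSL's legacy provider)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * (-(len(msg) + 8) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = list(state)
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                j = -i % 4                  # register updated: a, d, c, b, a, ...
                v = s[j] + fn(s[(j + 1) % 4], s[(j + 2) % 4], s[(j + 3) % 4]) + words[idx] + k
                s[j] = _lrot(v & 0xFFFFFFFF, shifts[i % 4])
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash(): MD4 over the UTF-16LE password; the value NT-Password stores.
    This encode step is the only place the character set enters the computation."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash(): first 8 octets of SHA-1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("utf-8")).digest()[:8]


def authenticator_response(password_hash, nt_response, peer_challenge, auth_challenge, username) -> str:
    """GenerateAuthenticatorResponse(): the server's proof, 'S=' + 40 hex digits."""
    password_hash_hash = md4(password_hash)
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge_hash(peer_challenge, auth_challenge, username) + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def server_proof(stored, nt_response, peer_challenge, auth_challenge, username) -> str:
    """From a stored credential (FreeRADIUS attribute name, value) to the proof.

    Cleartext-Password and NT-Password both reach the NT hash.  MD5-Password,
    Crypt-Password and the like are one-way digests over a different input, so
    the NT hash cannot be recovered from them; refuse rather than emit a value
    the supplicant will reject anyway.
    """
    attr, value = stored
    if attr == "Cleartext-Password":
        password_hash = nt_password_hash(value)
    elif attr == "NT-Password":
        password_hash = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
    else:
        raise ValueError(f"{attr}: MS-CHAPv2 needs the cleartext password or its NT hash")
    return authenticator_response(password_hash, nt_response, peer_challenge, auth_challenge, username)


# RFC 2759 section 9.2 values.
USERNAME = "User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
# Constructed placeholder for the peer's 24-octet NT-Response (a real one arrives in
# the MS-CHAP2-Response attribute and is checked with DES, omitted here).
DEMO_NT_RESPONSE = bytes(range(0x10, 0x28))


def demo() -> dict:
    nt_hash = nt_password_hash(PASSWORD)
    args = (DEMO_NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    return {
        "nt_hash": nt_hash.hex(),
        "from_cleartext": server_proof(("Cleartext-Password", PASSWORD), *args),
        "from_nt_hash": server_proof(("NT-Password", "0x" + nt_hash.hex()), *args),
    }
```

The two stored forms produce the same proof, which is why both work in the users file or SQL; nothing else does, because every other hash format discards the bytes the computation starts from. The UTF-16LE step in nt_password_hash is also where non-ASCII passwords enter, the subject of the PEAP+MSCHAP+AD reply elsewhere on this page.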


Re: Proxy Control

2006-09-07 Thread Josh Howlett

Easier - create a policy in IAS to only authorise the users you want.

josh.

Josh wrote:

I have a VPN appliance authenticating users (~20
users) against my freeradius server.  I have another
radius server running on a windows box authenticating
users on local and trusted domains (250+ users).  For
technical reasons I can't point the VPN appliance to
the windows radius server.  However, I'm setting up a
proxy on the freeradius server to redirect auth
requests to the windows radius server (to authenticate
VPN users with active directory).  The problem now is
all 250+ users can essentially authenticate on the
VPN.  I'm wondering if there is a way to control which
users (the ~20 users) in freeradius can be proxied to
the windows radius server?  Almost like a list of
valid proxy users?

Josh



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TTLSv1 use or support

2006-08-22 Thread Josh Howlett

Hi Luigi,

Only v0 is supported at present, and I believe that adding v1 support 
would be non-trivial. v1 support would require either (1) OpenSSL to 
support the Inner Application TLS extension, or (2) FreeRADIUS to use 
GnuTLS instead.


best regards, josh.

luigi natalino wrote:

Hello,
I would like to know if the latest version of freeradius (1.1.2) uses (or 
supports) EAP-TTLSv1 or EAP-TTLSv0

(http://tools.ietf.org/wg/eap/draft-funk-eap-ttls-v1-01.txt).
And if for the moment only EAP-TTLSv0 is used, is an update to the newer 
version foreseen for the future?


Thanks in advance
Regards,Luigi



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help required in gathering information regarding EAP protocols.

2006-08-19 Thread Josh Howlett
Here's a couple of documents, aimed at network administrators, that I've 
written that describe EAP and 802.1x at a fairly high level:


http://www.ja.net/services/publications/techsheets/index.html

I once saw an *excellent* document by Cisco on PEAP, explaining each 
individual step, but I've lost the URL.


The source-code of FreeRADIUS's EAP implementation, and that of 
wpa_supplicant, is also quite enlightening.


Also, Ethereal is a very useful tool for visualising the transactions.

josh.

[EMAIL PROTECTED] wrote:


Hi,

Could anybody help me to find out where I can get detailed
operational info about EAP-TLS, EAP-TTLS:MD5, EAP-TTLS:MSCHAPV2 and
EAP-PEAP other than the RFCs?

Can I get on the Internet any sequence flow diagrams with each
step explained in detail for all the EAP protocols?

It would be very helpful for me if any of you could send me any docs
which you already possess and feel are very good.

Thanks in advance.

Cheers and Regards,
G MURALIDHAR RAJU,




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS and Postgres annoyance

2006-08-08 Thread Josh Howlett

Joe Warren-Meeks wrote:

(moral of the story, tcpdump -w out.dmp -A -nvi eth0 -s0 port 5432 plus 
ethereal is a good thing.)


Agreed, but you can make this a bit simpler by using tethereal.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP doest work with Cisco Catalyst 2950?

2006-07-26 Thread Josh Howlett


On 26 Jul 2006, at 12:11, Thai Duong wrote:


As you advise, I turned tracing on and found that the
SSL handshake was not completed, the client kept
sending "Client Hello" packet but got no response from
the server. But when looking at Ethereal's dump file,
I saw that the server actually sent its certificate in
the Access-Challenge packet. I even unchecked
"Validate server certificate" in the client setting
but still no luck. What am I supposed to do now? I'm
gonna be crazy  please help.


Is there a RADIUS or EAP timer set on the switch?

If it's set too low, the switch might be ignoring the Access-Challenge 
from the server.


best regards, josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Binding FreeRadius to the DHCP Server

2006-07-26 Thread Josh Howlett

On 26 Jul 2006, at 10:27, Stefan Winter wrote:
The RADIUS protocol doesn't interact with DHCP. FreeRADIUS doesn't  
do it.

There is no place to configure any such thing.


I'm sure I've seen at least a couple of other similar DHCP queries in  
the last couple of weeks. I wonder how difficult it would be to add a  
simple DHCP client to FreeRADIUS?


OTOH, I think these queries have been in the context of 802.1x in  
which case this doesn't help (or else we need an EAP-DHCP :-)


josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radius + Dhcp Server

2006-07-05 Thread Josh Howlett

See your own subject line: you need a DHCP server.

josh.

On 5 Jul 2006, at 20:47, Emerson wrote:


Hi,

First, freeradius users, I need to thank everyone for the help.  
My freeradius is now working and authenticating with eap-tls/ttls/ 
peap... everything OK.

Now I need to deliver IPs to my clients after auth.
Can anyone explain if it works? And how it works?
Thanks.

Emerson


Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CHAP and Windows 2003 AD LDAP

2006-07-05 Thread Josh Howlett

Hi Phil,

On 5 Jul 2006, at 17:43, Phil Mayers wrote:


Stefan Winter wrote:

Hi,

I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
How about 1.1.2? Upgrading is easy, and it fixes at least one  
security bug.

querying a Windows 2003 Active Directory server using LDAP.

I've got LDAP working for PAP queries, but CHAP comes back with the
"rlm_chap: Could not find clear text password".
AD and LDAP-mode don't work together. The AD server will not give  
away the user's attribute. If you want CHAP to work, you will need  
to use ntlm_auth.


That is not correct. If you want to use *MS-CHAP* you must use  
ntlm_auth (or extract the NT hash another way).


If you want to use CHAP i.e. plain-old chap as implemented by the  
rlm_chap module listed above, you MUST have the users plaintext  
password which AD does not maintain by default and even if it is  
told to, cannot be persuaded to give up.


Any idea how IAS gets hold of it for CHAP?

josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic handling of multiple EAP-Methods by freerad

2006-06-29 Thread Josh Howlett

On 29 Jun 2006, at 17:23, Rainer Brinkmann wrote:

Hello,

we wonder how a freeradius can request a client to use a fixed EAP 
method:

so it's defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP 
method


Radius now starts communicating with the first EAP packet, using the
special EAP method

Question:

you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS(high-secured Net like personal Data)


I'd personally question the assumption that TLS is any more secure  
than TTLS, but if you want to do this it is probably easiest to have  
a single SSID, and allocate a VLAN dynamically depending on whether  
they've used TTLS or TLS.


josh.


what logic starts the right inner EAP protocol, because neither the
AccessPoint (WLAN-Controller) nor the
radius server knows what method to use when there are many enabled.

e.g. on a Cisco RADIUS that runs with PEAP and TLS enabled, but 
there's no

special attribute defined to control that


thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany




Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication with Kerberos

2006-06-15 Thread Josh Howlett

thomas hahusseau wrote:

Hello,

I would like to set up that kind of configuration :

EAP-PEAP(Mschapv2) Request ---> AP ---> Freeradius ---> Kerberos 
authentication to an Active Directory


This isn't possible - EAP-PEAP requires access to the plaintext password 
or NTLM hash.


You should be able to do this with EAP-TTLS, however.

best regards, josh.

In fact I would like to use Kerberos (which is supported by Active 
Directory) instead of ntlm_auth; in the freeradius features list available 
on the official website I have found:


* authentication to a Windows Domain Controller (via ntlm_auth and
  winbindd)

* Kerberos authentication

Anyone can confirm this possibility to use Kerberos auth with freeradius 
and maybe any how-to or advices ?


thank you
Thomas Hahusseau








- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread Josh Howlett

On 7 Jun 2006, at 13:07, thomas hahusseau wrote:


Hello,

Finally my boss is not interested in a PEAP authentication due to the
password and login stored in clear in the OpenLDAP database, and he
doesn't want to use ntlm_auth to ask an Active Directory server.

So I wonder if that kind of authentication is possible.



PEAP(MsCHAP) request --> Freeradius server (extract the hashed
password) --> Authentication request sent to PAM (login + hashed
password) via rlm_auth ---> OpenLDAP server (compare hashed password
received with the one stored in the database)


You don't need to use PAM - in fact, I don't think its possible.  
Store your users' passwords in the NTLM hash, and authenticate  
directly from FreeRADIUS to LDAP.


josh.

PAM is used as a mediator to permit comparison with the hash stored in  
OpenLDAP.


My boss only wants ciphered/hashed password and login.


Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Connecting two freeradius server ?

2006-05-24 Thread Josh Howlett


On 24 May 2006, at 08:46, Frank Bonnet wrote:


Hello

I use freeradius to authenticate Chillispot users using an Openldap
backend , everything works like a charm :-)

Another (friendly) site has quite the same configuration; they use  
freeradius too to authenticate their wi-fi users.

Both sites have a permanent Internet access.

Now is it possible for "my" daemon to "communicate" with another  
freeradius daemon which is running in another distant site to let all  
of our users (my site + distant site) authenticate transparently with  
their own site logins/passwds on the two sites?


Yes, this is possible with "proxy" authentication. You allocate a  
'realm' to each site (ie. 'franksite'), and users (typically) append  
the realm to their username in the format user@realm (ie.  
'[EMAIL PROTECTED]'). Take a look at proxy.conf, and google for  
"freeradius proxy".


josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
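
An added example (not from the thread, and not rlm_realm's own code) of the routing step that sits behind the proxy.conf advice above: split the realm off the User-Name, look it up in a table shaped like proxy.conf's realm blocks, and either authenticate locally, forward to that realm's home server, or, for the question in the "Proxy Control" thread further up, refuse to forward users who are not on a per-realm allow list. Realm names, home-server addresses and the allow list are made up; "LOCAL" means "handle here", as in proxy.conf.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

LOCAL = "LOCAL"


@dataclass
class Realm:
    name: str
    authhost: str                             # LOCAL, or host:port as in proxy.conf
    strip: bool = True                        # proxy.conf "nostrip" would set this False
    allowed_users: Optional[Set[str]] = None  # None = anyone; else only these may be proxied


@dataclass
class Decision:
    user_name: str                      # User-Name as it will be forwarded or checked
    realm: Optional[str]
    proxy_to: Optional[str]             # None = authenticate on this server
    reject_reason: Optional[str] = None


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """format = suffix, delimiter = "@": the realm is everything after the LAST '@',
    so 'a@b@franksite' belongs to franksite, not to b."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def route(user_name: str, realms: Dict[str, Realm]) -> Decision:
    user, realm = split_realm(user_name)
    if realm is None:
        return Decision(user_name, None, None)          # bare name: local users file / LDAP
    entry = realms.get(realm, realms.get("DEFAULT"))
    if entry is None:
        return Decision(user_name, realm, None, "unknown realm")
    forwarded = user if entry.strip else user_name
    if entry.authhost == LOCAL:
        return Decision(forwarded, realm, None)
    if entry.allowed_users is not None and user not in entry.allowed_users:
        # "Proxy Control": don't let the whole far-end domain through the VPN
        return Decision(user_name, realm, None, "user not permitted to proxy")
    return Decision(forwarded, realm, entry.authhost)


# Constructed table mirroring 'realm franksite { authhost = ... }' blocks.
REALMS = {
    "mysite": Realm("mysite", LOCAL),
    "franksite": Realm("franksite", "radius.franksite.example:1812"),
    "windows": Realm("windows", "ias.corp.example:1812", strip=False,
                     allowed_users={"vpn-alice", "vpn-bob"}),
}

if __name__ == "__main__":
    for name in ("alice", "alice@franksite", "vpn-alice@windows", "mallory@windows", "x@nowhere"):
        print(name, "->", route(name, REALMS))
```

Josh Howlett's answer in the "Proxy Control" thread was to do the filtering in IAS instead; the allow list here is the FreeRADIUS-side alternative the original poster asked about, and it has to be kept in step with the VPN user list by hand.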


Re: WEP+802.1x is that possible?

2006-05-23 Thread Josh Howlett
Have you tried reading the Cisco documentation? - it's explained very  
clearly there.


josh.

On 23 May 2006, at 14:55, Konne wrote:


thx,

do you know perhaps where I can get a config example for Cisco  
Aironet 1200?


bye
Konne



Josh Howlett schrieb:



On 23 May 2006, at 14:05, Konne wrote:


but I've clients that can't do WPA, so is it possible to do

dynamic WEP with 802.1x PEAP/mschapv2?



Yes, this is a very common configuration.

josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |   
internal: 7850











Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: WEP+802.1x is that possible?

2006-05-23 Thread Josh Howlett


On 23 May 2006, at 14:05, Konne wrote:

but I've clients that can't do WPA, so is it possible to do

dynamic WEP with 802.1x PEAP/mschapv2?



Yes, this is a very common configuration.

josh.

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: default vlan for ldap users

2006-05-02 Thread Josh Howlett

Nuno Reis wrote:

Hi,

Is there any way to make freeradius assign a vlan to any user that was
authenticated using active directory database? Something like, freeradius
asks active directory for user authenticity, and if accepted, freeradius
forwards always the same tunnel-pvt-group-id to NAS.


Add a DEFAULT entry into the "users" file specifying the attributes you 
want returned, and ensure that "files" is invoked in the "authorize" 
section of radiusd.conf.


best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Guest vlan for Cisco AP

2006-04-21 Thread Josh Howlett

Jefri bin Dahari wrote:

Hi all,

I plan to use only one ssid for wireless network. Users who do not 
configure 802.1x will get guest vlan. Has anybody done this?


It's not possible with one SSID.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question

2006-04-12 Thread Josh Howlett

Chad Stanphill wrote:
I have been running Freeradius for a while but it can only use CHAP and 
for some reason I can not get PAP to work.

I have the config set to the basic on most things.
Can anyone help me figure out if I am missing something
Thanks


Please run freeradius in debug mode (radiusd -X) and post the output.

best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How do I set up simple AD integration?

2006-04-12 Thread Josh Howlett

Burton, Steven wrote:



-----Original Message-----
From: Alan DeKok
Sent: 11 April 2006 16:28
To: FreeRadius users mailing list
Subject: Re: How do I set up simple AD integration? 



"Burton, Steven" <[EMAIL PROTECTED]> wrote:
This stanza is enclosed within the mschap section; still 

nothing ventured

I changed the line and unfolded it and ran radiusd -X. The first
request didn't match anything useful and was rejected by System. I
tried again but ticked the box 'CHAP' on NTRadPing and got the
output:

  You can't do CHAP to MS AD.  It's impossible.

  Alan DeKok.


My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
I still hope to get 802.1x working with FR before I'm told to stop wasting time 
and buy something :-) but after two and a half days (on and off) I'm no closer.


Steve,

I strongly suggest you start off doing PEAP against the 'users' file, 
and once that's working get the domain stuff working.


It sounds to me like you're trying to do too much at once, and too many 
things are broken for you to know where to start!


Once you've got PEAP working against the 'users' file, create a machine 
account in the AD for the RADIUS server (using the Samba tools) and then 
use the ntlm_auth program (that comes with Samba) to test standard 
authentication.


Once you've got that far, it's just a matter of configuring FreeRADIUS 
to use ntlm_auth. But you can worry about that later :-)


This isn't difficult, it's largely a matter of making sure you do the 
right steps in the right order...


best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How do I set up simple AD integration?

2006-04-11 Thread Josh Howlett

Steve,


#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"


This stanza is enclosed within the mschap section; still nothing ventured.
I changed the line and unfolded it and ran radiusd -X. The first request didn't 
match anything useful and was rejected by System. I tried again but ticked the 
box 'CHAP' on NTRadPing and got the output:





  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "burst01" with CHAP password
  rlm_chap: Could not find clear text password for user burst01
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0


You can't do this.

If you want to do ntlm_auth, you need to use an authentication protocol 
that provides FreeRADIUS with either the user's (1) cleartext 
credentials or (2) the user's NT credentials.


CHAP won't work - it's impossible. However PAP will work, as will 
MS-CHAP. CHAP is different from MS-CHAP.


best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
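
An added example (not from the thread, and not rlm_chap's code) of what plain CHAP actually asks the server to compute, which is why ntlm_auth, an NT hash, or AD can never satisfy it while PAP and MS-CHAP can. The CHAP-Password attribute carries one identifier octet followed by MD5(identifier + cleartext password + challenge); the challenge is the CHAP-Challenge attribute or, when the NAS sends none, the 16-octet Request Authenticator (RFC 2865 section 5.3). Reproducing that digest needs the cleartext itself. The same point answers the "CHAP and Windows 2003 AD LDAP" and "ms-chap authentication with client tool" threads further down. The authenticator, user names and credential store are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed; a real NAS generates 16 random octets per Access-Request.
AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || cleartext secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute: identifier + 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def make_request(user: str, password: bytes, ident: int = 1,
                 challenge: Optional[bytes] = None) -> Dict[str, bytes]:
    """What a NAS (or NTRadPing with 'CHAP' ticked) puts in the Access-Request.
    Without a CHAP-Challenge attribute the Request Authenticator is the challenge."""
    effective = challenge if challenge is not None else AUTHENTICATOR
    req = {"User-Name": user.encode(), "Request-Authenticator": AUTHENTICATOR,
           "CHAP-Password": chap_password_attr(ident, password, effective)}
    if challenge is not None:
        req["CHAP-Challenge"] = challenge
    return req


def verify_chap(request: Dict[str, bytes], stored: Dict[str, bytes]) -> str:
    """Mirror of rlm_chap's decision: 'ok', 'reject', or 'invalid' when there is
    no cleartext to hash ("Could not find clear text password for user ...")."""
    attr = request["CHAP-Password"]
    if len(attr) != 17:
        return "invalid"
    ident, response = attr[0], attr[1:]
    challenge = request.get("CHAP-Challenge", request["Request-Authenticator"])
    cleartext = stored.get("Cleartext-Password")
    if cleartext is None:
        # An NT hash, an MD5 digest, or ntlm_auth talking to a DC cannot recompute
        # MD5(id + password + challenge): CHAP against AD is a dead end.
        return "invalid"
    expected = chap_response(ident, cleartext, challenge)
    return "ok" if hmac.compare_digest(response, expected) else "reject"


# Constructed store: burst01 looks like an AD account (NT hash only, no cleartext),
# alice like a users-file entry.
STORE = {
    "burst01": {"NT-Password": bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")},
    "alice": {"Cleartext-Password": b"correct horse"},
}

if __name__ == "__main__":
    for user, pw in (("alice", b"correct horse"), ("alice", b"wrong"), ("burst01", b"password")):
        print(user, verify_chap(make_request(user, pw), STORE[user]))
```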


Re: Shared secret is wrong, except that it isn't?

2006-03-29 Thread Josh Howlett
Have you tried putting the secret in clients.conf? I thought the clients 
file was deprecated.


josh.

Peter Seebach wrote:

Okay, I'm sorta stumped here.  I'm getting the exact behavior described for
"shared secret is wrong", but I am pretty confident that it isn't.

FreeRadius 1.1.1, installed on NetBSD 3.0/amd64.

Synopsis:  No matter how cleverly I try to make sure I have the right shared
secret, I get garbage passwords.

My clients file says:
127.0.0.1   foobar
I'm using radtest:
radtest user pw localhost 10 foobar

I get:

auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [beta1]: invalid password
modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ?  Double-check the shared 
secret on the server and the NAS!

There are no unprintable characters in the password I'm sending.

So.  The one thing I can think of is the 64-bit environment, because an old
version of cistron-radiusd I was skimming once had a comment about assumptions
about the size of long and the size of (void *).  However, even then, I would
expect that a radtest and a radiusd built and running on the same server
would, even if they were doing it wrong, do it wrong in precisely compatible
ways!

So, uhm.  Where exactly is this encryption happening?  It looks like
lib/radius.c is the place where shared secrets are used, but the code seems
to be substantially different from the cistron code I vaguely remember from
way back when.  In particular, I don't remember this MD5 stuff...

-s


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
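
An added example (not part of the thread, and not lib/radius.c itself) of the "MD5 stuff" the question above runs into. RFC 2865 section 5.2 hides User-Password by padding it to a multiple of 16 octets and XORing each block with MD5(shared secret + previous block), where the first "previous block" is the 16-octet Request Authenticator. Decryption with a wrong secret never fails as such: the server simply recovers pseudo-random octets, which is exactly what the "Unprintable characters in the password" warning is reporting. The secrets, password and authenticator below are constructed.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), ci = pi XOR MD5(S + c(i-1))."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block               # chaining runs over the ciphertext blocks
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same key stream, XOR is its own inverse, drop the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def looks_like_wrong_secret(recovered: bytes) -> bool:
    """The heuristic behind FreeRADIUS's warning: a secret mismatch leaves the
    server with a 'password' full of non-printable octets."""
    return any(b < 0x20 or b > 0x7E for b in recovered)


def round_trip(password: bytes, nas_secret: bytes, server_secret: bytes,
               authenticator: bytes = bytes(range(16))) -> bytes:
    """What radtest hides with its secret and what radiusd recovers with its own.
    The authenticator is a constructed constant; on the wire it is 16 random
    octets per request."""
    hidden = hide_password(password, nas_secret, authenticator)
    return unhide_password(hidden, server_secret, authenticator)


if __name__ == "__main__":
    good = round_trip(b"pw", b"foobar", b"foobar")
    bad = round_trip(b"pw", b"foobar", b"foobaz")
    print(good, looks_like_wrong_secret(good))
    print(bad, looks_like_wrong_secret(bad))
```

Because the key stream depends only on the secret and the authenticator, pointer or long size cannot affect it; a mismatch between the secret radtest was given and the one radiusd loaded (from clients.conf rather than the deprecated clients file, as suggested above) is the usual explanation.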


Re: PAP credentials against AD?

2006-02-15 Thread Josh Howlett

Hi Stefan,

We probably need a freeradius-eduroam list :-)


Is it possible to authenticate PAP credentials from the NAS against a
Windows domain using NTLM? I've tried using the mschap module, but it
expects to see a Challenge that the NAS doesn't provide.



If you want to authenticate against AD and have PAP credentials available, 
just treat the AD server like an LDAP server, i.e.: the ldap {} section is 
for you. It will use the credentials to bind as the user to AD, and if that 
succeeds the user is allowed in.


I didn't realise that AD allowed authenticated binds from users by 
default. Does it require some special tweaking? Our AD admins are *very* 
cautious about who talks to it... (probably very sensible).


best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PAP credentials against AD?

2006-02-15 Thread Josh Howlett
Is it possible to authenticate PAP credentials from the NAS against a 
Windows domain using NTLM? I've tried using the mschap module, but it 
expects to see a Challenge that the NAS doesn't provide.


thanks, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: attribute Password in an Access-Reject packet

2006-02-13 Thread Josh Howlett

Susana Macias wrote:


* Why the Password attribute does not appear in the
Access-Reject packet?


User-Password is not permitted in Access-Rejects; see the RFC.


* Why does the Password attribute (in the
Access-Accept packet) appear like User-Password?


That's how it's defined in the dictionary file.

josh.


Thank you very much
Susana







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radius client

2006-02-10 Thread Josh Howlett

San wrote:

Hello everybody,

As far as I know, Freeradius only acts as an AAA server.
So do you guys have a preference for which radius client
I can use?
Or can I use freeradius as a Radius client also?


FreeRADIUS ships with a radius client.

If you want to do EAP testing, my preferred tool is eapol_test from 
wpa_supplicant.


josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5, PEAP & TTLS

2006-02-10 Thread Josh Howlett

Jefri bin Dahari wrote:

Hi all,

I plan to implement 802.1x for wired and wireless users. For wired using 
EAP-MD5 and wireless using PEAP. From my reading, EAP-MD5 only supports 
clear-text passwords and PEAP only supports clear-text and NT passwords. Am 
I correct on these facts?


Referencing the Subject header of your mail, if you use TTLS you have 
more flexibility with the password.


josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-MD5, PEAP & TTLS

2006-02-10 Thread Josh Howlett

Jefri bin Dahari wrote:

Hi all,

I plan to implement 802.1x for wired and wireless users. For wired using 
EAP-MD5 and wireless using PEAP. From my reading, EAP-MD5 only supports 
clear-text passwords and PEAP only supports clear-text and NT passwords. Am 
I correct on these facts?


Yes.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Peap and LDAP

2006-02-10 Thread Josh Howlett

Jefri bin Dahari wrote:

Hi all,

I am trying to implement wireless users with PEAP but I face a problem. It works 
if the password in LDAP is in clear text.


With PEAP, the password *must* either be in clear-text or the NTLM hash.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Kerberos 5

2006-02-09 Thread Josh Howlett

John Metcalfe wrote:

Hello:

We are having trouble compiling freeRADIUS version 1.1.0 rlm_krb5 module. 
Is this required for RADIUS with TLS and PEAP?


No.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ms-chap authentication with client tool?

2006-01-31 Thread Josh Howlett

Patrick Bartkus wrote:
You could try using the windows program NTRadPing from 
http://www.dialways.com/download/.

It has a "CHAP" checkbox.


CHAP and MS-CHAP are quite different.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS proxy??

2006-01-15 Thread Josh Howlett

Danai,

Yes this is possible, and Universities in nearly 30 countries are doing 
it. Check out http://www.eduroam.org.


If you have any questions, feel free to drop me a line.

josh.

Danai Chudthong wrote:

Hi all,

I'm working in a university in Thailand. We use
Freeradius for our wireless network.

Currently, each university has its own Freeradius and
the authentication method is EAP-TLS. 


Is it possible to configure radius to proxy
certificates so our students will be able to roam from
their university to another by using certificates
issued from their university?

I tried to do it by myself but it's not working.

Thank you very much
Danai 




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius as Proxy

2005-12-15 Thread Josh Howlett

Everything goes through the proxy.

josh.

--On Thursday, December 15, 2005 15:09:22 +0100 Nicola Iotti 
<[EMAIL PROTECTED]> wrote:




 Hi,
I'm using Freeradius 1.0.5 as Proxy, but does anyone know if
freeradius just has to send requests from NAS to Server or also the server's
replies to the NAS? I mean, does the radius server reply directly to the NAS
or does it always communicate through the freeradius proxy?

Regards

Ing. Nicola Iotti
Network Manager
mailto: [EMAIL PROTECTED]

Guglielmo S.r.l.
Sede legale: Via Martiri di Minozzo, 12
Sede operativa: Via Sante Vincenzi , 2 / D
42100 Reggio Emilia
ITALIA
Tel.: +39-0522 - 40 63 67
Fax: +39-0522 - 54 08 16
Cell: +39-320 61 90 072
internet website: http://www.guglielmo.biz
mailto:[EMAIL PROTECTED]




--
-------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RADIUS Auth-Type

2005-12-06 Thread Josh Howlett

Alan DeKok wrote:

"Bohannan, Chad W" <[EMAIL PROTECTED]> wrote:


So is there not a way to have FR proxy requests out to the AD
server? 



  AD doesn't do RADIUS, so FreeRADIUS can't proxy requests to it.

  Terminology matters.

  If you want to authenticate PAP from FreeRADIUS to AD, use the LDAP
module in the "authenticate" section.  it will work.


Alternatively (and a bit easier IMHO), proxy to IAS running on the 
Windows box.


josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius for securing wlan in big installation

2005-11-11 Thread Josh Howlett

Hi Thomas,

What you're asking for is not possible, with any combination of existing 
technologies.


Drop the web portal, and use an 802.1X supplicant. FreeRADIUS does this 
well :-)


best regards, josh.

Thomas Widhalm wrote:

Hi everyone!

I'm searching for a way to secure our wireless Lan with encryption, but
we don't want any sort of authentication. This is, because we have
another way of authenticating our users (a webportal, they have to log
in, before getting access to the wlan)

What we want is an encrypted wlan without our helpdesk installing
software or passing keys to our users. They are using all kinds of OSs.

Can freeradius actually provide us with that or do we have to search for
another solution?

Sorry if the answer is obvious, but we are running out of time and so I
got to ask around a lot.

Thanks and regards,
Thomas Widhalm


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco AP Vlan assignment when proxying EAP-PEAP?

2005-11-09 Thread Josh Howlett

Hi Jezz,


Do you have any cunning solutions to how you might get around the reject
issue?  
I'd imagine it's quite a common scenario, i.e. wanting to let users know that
they are doing something wrong as opposed to just rejecting them. 


Not really. FWIW, I think that a module that caught proxied packets 
(such as Access-Rejects) and converted them into other packet-types 
(such as Access-Accepts) would be very useful.


best regards, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco AP Vlan assignment when proxying EAP-PEAP?

2005-11-08 Thread Josh Howlett

Hi Jezz,

Palmer J.D.F. wrote:

Hi,

Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet
to an IAS server via FreeRADIUS (I can do this bit), then, set the user's
VLAN information within FreeRADIUS in the access-accept packet returned to
the AP?


Yes - write a script that outputs the relevant attributes to stdout, and 
specify it in an "exec" clause in radiusd.conf, making sure you set 
packet_type = access-accept. Invoke the exec clause by placing it in 
post-proxy section. For example (assuming you've got the proxying working):


assign-vlan.sh:

 #!/bin/bash

 VLAN="123"

 # We can also grab the RADIUS User-Name attribute from the environment
 # (rlm_exec exports it as USER_NAME). This might be useful if you wanted
 # to drop users into different VLANs.
 # RADIUS_USER="$USER_NAME"
 # if [ "$RADIUS_USER" = "[EMAIL PROTECTED]" ]; then
 #   VLAN="666"
 # fi

 # IEEE-802 is the dictionary name for value 6; a bare "802" would be
 # taken as the integer 802.
 echo "Tunnel-Medium-Type = IEEE-802"
 echo "Tunnel-Type = VLAN"
 echo "Tunnel-Private-Group-ID = $VLAN"

 exit 0

radiusd.conf:

 exec assign-vlan {
   program = "/path/to/assign-vlan.sh"
   input_pairs = proxy-reply
   output_pairs = proxy-reply
   wait = yes
   packet_type = Access-Accept
 }

 post-proxy {
   ...
   # Runs once the Access-Accept has come back from IAS, so the
   # attributes land in the reply that goes to the AP.
   assign-vlan
   ...
 }


Also, is there a way to return an access-accept with a 'dirty' VLAN ID, even
if the IAS server rejects the user?  The idea being that the user would be
put into a dead end VLAN so they could get info on how to register to use
the service.


No; only a couple of attributes are permitted in Access-Reject packets.

I don't think it would be possible to "catch" Access-Rejects from IAS 
and cunningly turn them into Access-Accepts, either :-/ (well, it would 
be possible, but you'd need to hack FR to do this).


josh.


Many thanks,
Jezz Palmer.


Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

No - your user database needs to store passwords in plaintext or NTLM.

You basically have two options: use a TTLS supplicant instead (such as 
wpa_supplicant or SecureW2), or change your user database.


best regards, josh.

James Taylor wrote:

Am I able to use PEAP to auth to UNIX or PAM instead of mschapv2?  Do I do
this in the EAP.CONF file?  What we are basically trying to do is use
FreeRadius to authenticate against our current user database on our linux
server while still maintaining the PEAP-TLS security with wireless.  Is that
even possible?  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Thursday, October 13, 2005 2:25 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius/PEAP

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:


Hi,



I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/passwd; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 




All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.




Any info or direction would be greatly appreciated.



Thank you



James




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius/PEAP

2005-10-13 Thread Josh Howlett

James,

MSChapv2 needs plaintext or NTLM credentials. You won't be able to do 
what you're trying. It works with users file because you specify the 
plaintext.


josh.

James Taylor wrote:

Hi,

 

I am trying to secure my wireless connections using PEAP-TLS MSChapv2 to 
authenticate users against my Linux /etc/shadow; /etc/passwd; and 
/etc/group files.  I would like to use PAM but UNIX will work too.  I do 
not want to use the USERS file as it stores passwords in clear text and 
that is what we are trying to avoid. 

 

All my tests conclude that this functionality will not work.  I am able 
to Auth just fine using the USERS file with a username and password.


 


Any info or direction would be greatly appreciated.

 


Thank you

 


James




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


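Both "Re: FreeRadius/PEAP" replies above make the same point: MS-CHAPv2 can only be served from the cleartext password or the NT hash, so a crypt(3)-style /etc/shadow entry, which is salted and one-way, is of no use to it. Josh's second option, "change your user database", in practice means storing the NT hash, which FreeRADIUS takes as NT-Password. As an added example, mine and not code from the thread or from FreeRADIUS, this computes that value: MD4 (RFC 1320) over the UTF-16LE encoding of the password, implemented in plain Python so it does not depend on OpenSSL's legacy provider, and emits a users-file line carrying it. The usernames and passwords are constructed.

```python
"""Added example, not code from the thread or from FreeRADIUS: build the
NT-Password value that rlm_mschap can use in place of Cleartext-Password.
The NT hash is MD4 over the UTF-16LE password (no salt), implemented here
straight from RFC 1320 so it does not depend on OpenSSL's legacy provider.
Usernames and passwords below are made up."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320): pad, then three 16-step rounds per 64-byte block."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)            # round 1 selector
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2 majority
    h = lambda x, y, z: x ^ y ^ z                     # round 3 parity
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step updates one word; rotating the tuple afterwards reproduces
        # the ABCD / DABC / CDAB / BCDA ordering written out in the RFC.
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Uppercase hex NT hash, the form rlm_mschap accepts as NT-Password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_entry(username: str, password: str) -> str:
    """One line for the FreeRADIUS 'users' file carrying the NT hash."""
    if any(ch in username for ch in '"\n\r'):
        raise ValueError("username would break the users-file syntax")
    return f'"{username}"\tNT-Password := 0x{nt_hash(password)}'


if __name__ == "__main__":
    # Constructed sample accounts; in practice the plaintext is only available
    # during a one-off migration or from a password-change hook.
    for user, pw in (("james", "password"), ("josh", "correct horse")):
        print(users_entry(user, pw))
```

Two caveats. The NT hash is unsalted, so identical passwords give identical entries and offline guessing is cheap; and for MS-CHAPv2 the hash is password-equivalent, because the server's side of the exchange is computed from the NT hash, not from the password. A users file full of NT-Password lines therefore needs the same file permissions and handling as one full of Cleartext-Password lines. The gain is only that the plaintext is not readable at a glance, which is a fair reason to prefer it but not a reason to relax who can read the file.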


Re: (no subject)

2005-10-11 Thread Josh Howlett

Nope.

josh.

nagaraj wrote:

 Hi, Has any body had any experience implementing CHAP-PASSWORD to
authenticate http clients against a radius server ? I read a document
that says The CHAP-Challenge and CHAP-PASSWORD attributes are not
suitable since the CHAP algorithm is not compatible with HTTP digest.
If that is the case, Please let me know if there is a work around.

Regards,
Nagaraj




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: Wireless Provisioning Service Protocol

2005-10-07 Thread Josh Howlett

Hi Artur,

A much more sane approach, IMHO, is simple authentication-by-proxy  as 
implemented by several roaming consortia.


are we still talking about L2 security? if yes, can you provide some  
references on this? i don't know anything about it.


I mean EAP over RADIUS within a roaming consortium. A good example of 
one, which I'm involved in, is eduroam (www.eduroam.org).


Most of the effort in WPS is expended in provisioning configuration 
stuff (SSID names, etc). But it's reasonably trivial for a roaming 
consortium to agree on these without requiring a protocol like WPS.


Microsoft should put more effort into fixing their terribly broken  
supplicant, and stop trying to invent wheels...


that's where we almost agree :-) MS really could and should improve  
their supplicant a lot, both in terms of correctness and in terms of  
usability. it's still a pain in the ass to use. the supported EAP  
methods are scarce. the API has changed several times since XP and  the 
newest one is difficult to decipher... (greetings to Tom).


however, i do expect from somebody as big as microsoft to do  research, 
to invent stuff and to specify new things. btw, that's what  the 
community was always criticizing MS before. they did hire some of  the 
best scientists (look at their R&D stuff), so why shouldn't they  invent 
new things now?


It would be nice if this stuff ended up in their products, and worked!

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wireless Provisioning Service Protocol

2005-10-06 Thread Josh Howlett

Artur Hecker wrote:

hmmm.

i am not sure if the question is to be impressed.


I admit I was being a bit flippant.

it is simply true  
that some signaling is necessary to allow a user to choose a network  
(e.g. an operator). in usual hotspots you end up with a web page  which 
can present you all the information you need (e.g. prices,  names, 
available services, etc.) - however without any L2 security.


but in 802.1X you have to first authenticate to be able to exchange  any 
signaling. this is indeed insufficient e.g. for WISPs: how do you  know 
that your authentication will work in a particular network?  which 
authentication protocol should you use if it does not? what  will you 
pay by accessing there? which service do you get? etc. etc.  etc. all 
these things become terribly complicated. in fact, i've  written a paper 
on that about two years ago... using something like  TTLS/PEAP provides 
a tunnel which you can use to exchange any data  with the operator's 
control plane, and that prior to IP.


could you be more specific?


I'll try and keep this brief, because it's a bit OT. WPS doesn't seem to 
offer anything particularly novel, besides a proprietary mechanism for 
configuring the Windows supplicant.


A much more sane approach, IMHO, is simple authentication-by-proxy as 
implemented by several roaming consortia.


Microsoft should put more effort into fixing their terribly broken 
supplicant, and stop trying to invent wheels...


josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wireless Provisioning Service Protocol

2005-10-05 Thread Josh Howlett
I read the 132 page spec last night. Personally, I wasn't terribly 
impressed.


josh.

King, Michael wrote:

Has any thought been given on adding the WPS (Wireless Provisioning
Service) Protocol to FreeRADIUS?

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/portal_wireless_provisioning_service_protocol.asp

It sounds really cool in theory.

From:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9ADF7496-0D50-4138-848E-9BC810B83C01&displaylang=en

With WPS technology, new and existing customers can connect to your
Wi-Fi network without manual configuration of the computer or network
connection.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: PID variable

2005-10-05 Thread Josh Howlett

[EMAIL PROTECTED] ~]# cat /var/run/radiusd.pid
10163

josh.

Abdul Lateef wrote:

Hi all,

How can I retrieve the current PID value of FreeRADIUS
in a shell script?

I want to create a shell script to run as a Linux
cron command, because our database is very slow and
radius always crashes when it receives
more than 1000 requests. So my script will check if
radius has crashed and start it automatically using
cron.

Does anyone have good logic to auto-restart radius when
it crashes?




Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


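The question above wants the PID from a script so that cron can restart a crashed radiusd, and Josh's answer is the pidfile. As an added example, mine and not from the thread, here is a cron watchdog around that pidfile that also guards against the two ways a pidfile lies: a missing or garbled file, and a stale PID that now belongs to some unrelated process (after a reboot, say). PIDFILE, RESTART and EXPECTED_NAMES are assumptions for your installation; the binary is called radiusd or freeradius depending on the distribution.

```python
"""Added example (not from the thread): a cron-driven watchdog built on the
radiusd pidfile. It checks that the recorded PID is alive, and on Linux that
it still looks like radiusd, before deciding whether to restart. PIDFILE,
RESTART and EXPECTED_NAMES are assumptions."""
import os
import subprocess

PIDFILE = "/var/run/radiusd.pid"
RESTART = ["/usr/sbin/radiusd"]              # assumed; an init script works too
EXPECTED_NAMES = ("radiusd", "freeradius")    # binary name varies by distribution


def read_pid(pidfile: str):
    """PID from the first line of the pidfile, or None if absent or garbled."""
    try:
        with open(pidfile, encoding="ascii", errors="replace") as fh:
            first = fh.readline().strip()
    except OSError:
        return None
    return int(first) if first.isdigit() else None


def pid_alive(pid: int) -> bool:
    """Signal 0 is never delivered; kill() only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True    # exists, but owned by another user (watchdog not root)
    return True


def process_name(pid: int):
    """Command name from /proc on Linux; None where /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/comm", encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


def radiusd_running(pidfile: str = PIDFILE, names=EXPECTED_NAMES) -> bool:
    """True if the pidfile names a live process that looks like radiusd."""
    pid = read_pid(pidfile)
    if pid is None or not pid_alive(pid):
        return False
    name = process_name(pid)
    # A stale pidfile can point at a reused PID; where /proc tells us the
    # command name, insist that it is one we expect.
    return name is None or names is None or name in names


def restart_if_dead(pidfile: str = PIDFILE, restart=RESTART) -> bool:
    """Cron entry point; returns True when a restart was launched."""
    if radiusd_running(pidfile):
        return False
    try:
        os.remove(pidfile)         # stale pidfile; the new daemon rewrites it
    except OSError:
        pass
    subprocess.run(restart, check=False)
    return True


if __name__ == "__main__":
    if restart_if_dead():
        print("radiusd was not running; restart attempted")
```

Run it from root's crontab once a minute. A liveness check says nothing about why the daemon died, so treat the restart as a stopgap while the slow-database problem behind the crashes is fixed.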


Expose RADIUS packet's identifier

2005-09-28 Thread Josh Howlett

Hi,

Does anyone know if the server can expose a RADIUS packet's identifier, 
for example through mod_exec? Or, is this limited to RADIUS attributes only?


thanks, josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radeapclient + EAP/TLS testing

2005-08-30 Thread Josh Howlett

Ben,

Your easiest option is probably eapol_test from wpa_supplicant.

josh.

Ben Walding wrote:
Has anyone ever tried (or succeeded) in getting the radeapclient to work 
with an EAP-TLS configured FreeRADIUS server?


We have two requirements at hand:
1) Load testing the RADIUS servers (two nodes)
2) Using the client to verify correct operation of the server on a day 
to day basis (eg. for Nagios)


As far as I can tell radeapclient is only for EAP-MD5/EAP-SIM; I wonder 
how much work it would be to allow EAP-TLS communications be tested? 
(for someone unfamiliar with FreeRADIUS internals, but reasonably 
familiar with C/gdb etc)



Any insight is appreciated!


Thanks,

Ben




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


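Josh points at eapol_test, the RADIUS-side test client in the wpa_supplicant tree (built with CONFIG_EAPOL_TEST=y, it is not part of a default build). It does a full EAP exchange against the server and exits 0 on success, which is exactly what Ben's Nagios use needs. As an added example, mine and not from the thread or from wpa_supplicant, this wraps it as a Nagios-style check for EAP-TLS: it writes the network block eapol_test reads with -c, runs one authentication, and maps the result to a plugin exit code. The server address, shared secret, identity and certificate paths are placeholders.

```python
"""Added example, not from the thread or from wpa_supplicant: drive eapol_test
as a Nagios-style check against an EAP-TLS FreeRADIUS server. Server, shared
secret, identity and certificate paths are placeholders."""
import os
import subprocess
import tempfile

OK, WARNING, CRITICAL = 0, 1, 2    # Nagios plugin exit codes


def eapol_tls_config(identity, ca_cert, client_cert, private_key, key_passwd=None) -> str:
    """wpa_supplicant network block for EAP-TLS, as eapol_test -c expects."""
    for value in (identity, ca_cert, client_cert, private_key, key_passwd or ""):
        if '"' in value or "\n" in value:
            raise ValueError("value would break out of the quoted config field")
    lines = [
        "network={",
        "\tkey_mgmt=WPA-EAP",
        "\teap=TLS",
        f'\tidentity="{identity}"',
        f'\tca_cert="{ca_cert}"',            # pin the CA that signed the server cert
        f'\tclient_cert="{client_cert}"',
        f'\tprivate_key="{private_key}"',
    ]
    if key_passwd:
        lines.append(f'\tprivate_key_passwd="{key_passwd}"')
    lines.append("}")
    return "\n".join(lines) + "\n"


def eapol_test_command(conf_path, server, secret, port=1812, timeout=10) -> list:
    """argv for one EAP exchange: -c config, -a server, -p port, -s secret, -t timeout."""
    return ["eapol_test", "-c", conf_path, "-a", server, "-p", str(port),
            "-s", secret, "-t", str(timeout)]


def check_eap_tls(server, secret, conf_text, runner=subprocess.run) -> tuple:
    """Run one authentication and return a Nagios (code, message) pair."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(conf_text)
        path = fh.name
    try:
        os.chmod(path, 0o600)    # the config may carry a key passphrase
        proc = runner(eapol_test_command(path, server, secret),
                      capture_output=True, text=True, timeout=30)
    except FileNotFoundError:
        return CRITICAL, "eapol_test not installed"
    except subprocess.TimeoutExpired:
        return CRITICAL, f"eapol_test timed out talking to {server}"
    finally:
        os.unlink(path)
    if proc.returncode == 0:
        return OK, f"EAP-TLS authentication against {server} succeeded"
    return CRITICAL, f"EAP-TLS authentication against {server} failed (rc={proc.returncode})"


if __name__ == "__main__":
    conf = eapol_tls_config("nagios@example.ac.uk", "/etc/ssl/radius-ca.pem",
                            "/etc/ssl/nagios-client.pem", "/etc/ssl/nagios-client.key")
    code, message = check_eap_tls("127.0.0.1", "testing123", conf)
    print(message)
    raise SystemExit(code)
```

The same wrapper doubles as a crude load generator: run it in parallel from several processes. For EAP-TLS the cost is on the server's TLS handshake, so a few hundred concurrent runs say far more about capacity than the EAP-MD5 traffic radeapclient produces. Give the check its own client certificate, so a stolen monitoring box exposes nothing that opens a real account.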


Re: Multiple Password Prompts

2005-08-05 Thread Josh Howlett

Alan DeKok wrote:

Zyxel is selling a $500 FreeRADIUS box (with some question of possible GPL
violations)


*sigh*

If this is the case I hope you will inform the list.

josh.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

