PEAP or TTLS and Microsoft Vista.

2008-07-22 Thread Lech Karol Pawłaszek

Hello.

I need your help. For the last few days I've been trying to authenticate and
authorize the Microsoft Vista operating system against FreeRADIUS and a 3com
switch (as NAS) for wired authentication, with no luck.

I'm using FreeRADIUS 2.0.5 built from sources on Debian Etch GNU/Linux
and certs made by the bootstrap command (so those certs should have a bit of
magic from xpextensions, AFAIK). I try to take little steps and change as
little as possible - to be honest I've only added a user to the users file
and a client definition to the clients.conf file.

I've tested my configuration with the eapol_test command (as suggested on
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work with Windows Vista and Windows XP
SP3. Please help!

What I have spotted is that the server sends "Access-Challenge" and then
on OSX a dialog pops up where I can accept the server's certificate, while on
Windows it's over. So I think it's the issue mentioned on this site[2];
however I DO have Validate Server Certificate unchecked.

One more thing. If I don't use Windows' PEAP authorization but install
securew2 and use securew2's auth, I am able to connect. It works for a
minute or so and then the NAS reports lost carrier and the connection is lost.

I wrote about this issue about a year ago[3]; however this was put
on hold. You might want to look at the logfiles from those tests.

[1] - http://deployingradius.com/scripts/eapol_test/
[2] - http://deployingradius.com/documents/configuration/eap-problems.html
[3] - http://lists.freeradius.org/pipermail/freeradius-users/2007-July/msg00096.html

Any hints and tips much appreciated. I'm attaching two logfiles. The
first one, freeradius.log, is the one where I'm trying to authenticate
using system-wide PEAP. The second one, freeradius-securew2.log,
is the one where the switch receives Access-Accept and a few moments later
sends back information that the carrier is lost.

I've compressed both logfiles. I hope that's ok here. If it's not, please
let me know.


Thanks in advance.

--
Lech Karol Pawłaszek 
"You will never see me fall from grace." [KoRn]



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP or TTLS and Microsoft Vista.

2008-07-23 Thread Lech Karol Pawłaszek

Alan DeKok wrote:

Lech Karol Pawłaszek wrote:

I've tested my configuration with eapol_test command (as suggested at
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work with Windows Vista and Windows XP
SP3. Please help!


  Vista and XP3 are broken.  Microsoft does this deliberately.


Is there any way to un-break it? I've tried to add server.cer to Vista;
however this doesn't help. I understand that it's Vista's and XP SP3's
fault; however because of that I might be forced to use Microsoft's
solutions.


Is there anyone who uses FreeRADIUS w/ Vista for _WIRED_ connections?


One more thing. If I don't use Windows' PEAP authorization but install
securew2 and use securew2's auth, I am able to connect. It works for a
minute or so and then the NAS reports lost carrier and the connection is lost.


  Something else is going on there.  The securew2 software   Maybe the
Vista wireless management is getting in the way, and hanging up on a
perfectly valid connection.


I know this is not the place to ask such questions; however is there any
way to check what might be "getting in the way"?


Or is there any other software besides Vista's built-in PEAP and 
securew2 TTLS which can be used w/ 802.1x?


Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

SecureW2 (List) wrote:

http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx


Nice article. However I don't understand a few things. What's "pdb"?
I'm not good at Windows.


To enable logging do the following:

- Netsh wlan set tra yes
- netsh ras set tr * en
- Reproduce your problem
- netsh ras set tr * dis
- Netsh wlan set tra no


Well. I have problems with a _wired_ connection so I've used "netsh lan"
instead of "netsh wlan". I hope it's the right thing.


If you go to the %windir%\tracing\wireless\ directory you will find a load of
.etl files in different directories.


:-) yea. Which one is... hm... important? onex or eaphost?


Use the tracerpt *.* command to change the .etl to readable .txt files.


I'm attaching onex.txt and eaphost.txt. I'm not exactly sure what I
should search for. Any hints?


PS. I don't like plugging like this but we are almost finished with the
latest SecureW2 EAPSuite which supports EAP-TTLS/EAP-PEAPv0/v1 and EAP-GTC
and has been tested quite extensively with Vista SP0/SP1. 


Awesome. I hope it'll work with my Vista's...

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]




Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Stefan Winter wrote:

Hi,

I noticed that the EAP debug speaks about quarantine states and such. 
XP3 and Vista have "Network Access Protection". Is that checkbox checked 
in your supplicant config? If yes, try unchecking it.


I've tried to use netsh nap offline to disable Network Access Protection;
however the problem still occurs. I'm using Windows' built-in supplicant
(for PEAP), which probably doesn't work because of a wrong certificate,
and secureW2 EAP suite 1.0.6, which doesn't have a "Network Access
Protection" checkbox. To be honest the built-in PEAP doesn't have it
either. Or at least I couldn't find it.


I've tried to follow the Microsoft document[1]; however I wasn't able to
locate the "Configuration Manager console". Holy cow.


[1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx

If you can point me where I can uncheck such checkbox...

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

(SOLVED) Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Phil Mayers wrote:

Lech Karol Pawłaszek wrote:

SecureW2 (List) wrote:

http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx


Nice article. However I don't understand a few things. What's "pdb"?
I'm not good at Windows.


Good lord... they've made the EAP logging *worse*. I didn't think that 
was possible.


:-)

[...]

So, all is good. But about 5 seconds later:

[2108] 12:04:03.819 OneXIndicatePacket
[2108] 12:04:03.819 Port(38): Received an Eap packet length=5, 
type=EapRequestId, identifier=11, eapType=0


[4924] 12:04:03.820 Port(38): Restarting authentication due to reason = 
PeerInitiated


similarly in eaphost.txt:

[3432] 12:04:03.831 Received an identity request packet without an 
active session - restart auth


Are you sure the problem is what you think it is?


Ok. You rock. It's 3com's fault. At least I believe so. I've upgraded
the 3com 4500 switch firmware to the newest version on my test switch, and
when "user handshaking" is disabled everything works.


FWIW the previous firmware (which I use in production atm) doesn't have
an option to disable user handshaking. Pity.


And to be clear - ALL OTHER OSes (namely MacOsX 10.4 Tiger, MacOsX 10.5 
Leopard, GNU/Linux <> and MS 
Windows XP <>) work with this feature enabled.


[...]
Can you get a trace from both the windows machine and FreeRadius run 
under "-X" at the *same time*? The "freeradius.log" in your original 
email does not appear to be the same issue - that looks more like there 
are no compatible EAP types at both ends.


Hm. The original "freeradius.log" contains logs from when I tried to
authenticate using Vista's built-in PEAP supplicant, which - I suppose -
says that Vista doesn't like my certificate.


OTOH "freeradius-securew2.log" contains logs from when I tried to use the
secureW2 EAP suite, which showed the server side of this issue. I was able to
connect. It worked for a minute or so. And suddenly... the switch sends a
'handshake packet' which confuses Vista... and the connection is dropped.


Anyway. Thanks everyone for the help. I'll do some more testing and try to
update the firmware in production. I'll let you know if everything is ok.


Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]


Re: PEAP or TTLS and Microsoft Vista.

2008-07-24 Thread Lech Karol Pawłaszek

Stefan Winter wrote:


I've tried to follow Microsoft document[1] however I wasn't able to
locate "Configuration Manager console". Holy cow.


[1] - http://technet.microsoft.com/en-us/library/bb633004(TechNet.10).aspx


If you can point me where I can uncheck such checkbox...


"Protected EAP Properties" Window has three checkboxes near the bottom. 
The relevant one is labelled "Enable Quarantine Checks".


Hm. This doesn't help. At least for Vista's built-in PEAP
authentication. I do have those checkboxes unchecked; however it doesn't
matter whether they are checked or not - the process stops after sending
Access-Challenge.


I'll try to debug this issue more with netsh ;-) later.

OTOH I'll recommend my users to use the secureW2 EAP suite (which works).

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: FreeRadius MAC address authorization (no authentication)

2008-08-08 Thread Lech Karol Pawłaszek

Ramot Lubis wrote:

Thanks Alan, it was my mistake. I have fixed the openssl trouble. Now
PEAP is running. But I still have a problem with authentication.

I put the log here. Please, tell me what my next mistake is.

[...]

Sending Access-Challenge of id 76 to 10.0.0.2 port 1027
   EAP-Message = 0x010d00061900
   Message-Authenticator = 0x
   State = 0x61fcdc3965f1c5fd5ac44742bec48a4e
Finished request 9.


Lucky guess...

http://deployingradius.com/documents/configuration/eap-problems.html

:-) kind regards,
--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: xp sp3 and freeradius 2.0.5

2008-08-08 Thread Lech Karol Pawłaszek

Arran Cudbard-Bell wrote:


I let the client to stay on VLAN1, not moving to other vlan, the same 
behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the 
exclamation icon appears, no ping to the client at all.


What can it be? What am I doing wrong? Is the problem XP SP3, or
is it the 3COM 5500G-EI?


  
Didn't we have exactly the same problem on the list, like a week ago?
You have upgraded to the latest firmware for your 3COM switch, right?


Yup. It's me who had this problem. Actually my switches are from the 4500
family and Oxiel's are 5500; however those families are kind of similar.


Oxiel: use the newest available firmware for your switches (the one from
the 12th of May) - namely 3.03.1.


Then disable the handshake (dis)function:

<5500> system-view
[5500] undo dot1x handshake enable

And - because I've found another bug - you'll have to use the port-based
authentication method instead of the default MAC-based one:


[5500] dot1x port-method portbased

If you will have any further questions - feel free to ask.

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: SOLVED - Re: xp sp3 and freeradius 2.0.5

2008-08-11 Thread Lech Karol Pawłaszek

Oxiel Contreras wrote:

Hello.

Thanks to all for your accurate replies. Lech was right, the problem with the 4500
is the handshake (dis)function; it works like a charm!! So does Cisco gear
too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3,
Vista, Win2KX.


;-) nice.


BUT, 5500 is not working, the characteristics of this switch are:

5500G-EI - 3CR17254-91
os 3.02.04s168
bootrom v 4.0.3

This firmware version is the latest available as of today, and doesn't have the
option to disable handshake, so it doesn't work at all. For any soul out
there trying to make this switch work, help me out to ask 3COM to correct
their software and allow disabling handshake as the 4500's do..

[...]

You might want to check out this page.

http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&order=desc&sku=WEBSW5500SYS

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: Problem with EAP-TLS

2008-10-01 Thread Lech Karol Pawłaszek
Guk Victor wrote:
> Hi all.
> 
> I have a problem with EAP-TLS. Computer with OS Windows Vista, Freeradius
> 1.1.3.
> Immediately after connection, access to the network exists, but access is
> forbidden after several minutes.
> This is what is obtained:

Well. I had a very similar issue. If your NAS is 3com - check out this post.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-July/msg00563.html

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: Freeradius, PEAP, Active Directory and --require-membership-of

2008-10-02 Thread Lech Karol Pawłaszek
Vieri wrote:
> --- On Thu, 10/2/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
>> As with every other freeradius problem - when it doesn't
>> work - debug
>> (radiusd -X).
> 
> That's how I'm running it. Does the list mind if I post the debug lines?

You're supposed to do so!

It's even in the FreeRADIUS FAQ (however IMVHO it should be on the ML
front page).

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

PS: I followed your Reply-To however I don't think that was necessary -
do you really have to set it that way?

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: radius is not listening

2008-10-21 Thread Lech Karol Pawłaszek
Elizabeth Steinke wrote:
> a few more suggestions :) 
> 
> What is in your rules file?
> 
> Can you telnet to localhost port 1812, how about 127.0.0.1 1812 (broken
> hosts file mebbe)

Well. AFAIK FreeRADIUS uses the UDP protocol while telnet uses TCP. I
don't believe Saman will be able to connect.

Anyway.

Saman.

Your FreeRADIUS server listens at:

> Listening on authentication address 192.168.0.10 port 1812
> Listening on accounting address 192.168.0.10 port 1813
> Listening on proxy address 192.168.0.10 port 1814

And you're trying to connect at:

> #radtest John hello localhost 0 testing
> User-Name = "John"
> User-Password = "hello"
> NAS-IP-Address = 192.168.1.2
> NAS-Port = 0

Can you see the difference? Try to connect to 192.168.0.10 using radtest
or change FreeRADIUS' listening ports.

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: How to test whether EAP-PEAP works?

2008-11-27 Thread Lech Karol Pawłaszek
Sebo PL wrote:
> Hi all!
> Is it possible to test whether EAP works from the shell?
> I'm looking for something similar to:

Sure there is:

http://deployingradius.com/scripts/eapol_test/

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Space after exec module - is it a bug?

2008-12-15 Thread Lech Karol Pawłaszek
Hello.

I've encountered a weird problem. Tested on the newest stable (2.1.3)
too. Well, it's not a problem anymore since I found a way to make my
unlangish things work, but:

I wanted to check some things in post-auth. I am passing some arguments
to my script and I want to do something based on the script's output:

switch "%{exec:/script %{User-Name} %{outer.request:Calling-Station-Id}" {
    case 0 {
        update reply {
            Tunnel-Private-Group-Id := "2000"
        }
    }
    case "1" {
        update reply {
            Tunnel-Private-Group-Id := "1999"
        }
    }
    case "2 " {
        update reply {
            Tunnel-Private-Group-Id := "999"
        }
    }
}

As you can see it's not rocket science. The script prints a number 0, 1 or
2 and exits. What's weird is that only the last case example will work.
Is it intentional that there has to be a space in the case expression?

The same applies to this situation:

if ("%{Calling-Station-Id} " == "%{exec:/script2 %{Calling-Station-Id}") {
    $do_anything
}

when script2 only prints the argument. Why is there a need for a space?
It won't work with this expression:

if ("%{Calling-Station-Id}" == "%{exec:/script2 %{Calling-Station-Id}") {
    $never_here
}

Kind regards,

PS script2 looks like this:

#!/usr/bin/python
import sys

if __name__ == "__main__":
print sys.argv[1]

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]


Re: Space after exec module - is it a bug?

2008-12-15 Thread Lech Karol Pawłaszek
Phil Mayers wrote:
> Lech Karol Pawłaszek wrote:
[...]
>> switch "%{exec:/script %{User-Name}
>> %{outer.request:Calling-Station-Id}" {
> 
> You're missing a closing }
> 
> I suspect this is adding a trailing " " to the output
[...]
>> if ("%{Calling-Station-Id} " == "%{exec:/script2
>> %{Calling-Station-Id}") {
>> $do_anything
>> }
> 
> Ditto missing } on the %{exec}

Argh! True. However I still have the same symptoms even if I put in the
missing brace like this:

switch "%{exec:/script %{User-Name} %{outer.request:Calling-Station-Id}}"
[...]

Some logs:

The case when there is no space:
Mon Dec 15 12:51:38 2008 : Auth: Login OK: [test/]
(from client localhost port 0 via TLS tunnel)
Mon Dec 15 12:51:38 2008 : Info: +- entering group post-auth {...}
Mon Dec 15 12:51:38 2008 : Info: Executing /root/test.py %{User-Name}
%{outer.request:Calling-Station-Id}
Mon Dec 15 12:51:38 2008 : Info:expand: %{User-Name} -> test
Mon Dec 15 12:51:38 2008 : Info:expand:
%{outer.request:Calling-Station-Id} -> 02-00-00-00-00-01
Mon Dec 15 12:51:38 2008 : Debug: Exec-Program output: 1
Mon Dec 15 12:51:38 2008 : Debug: Exec-Program-Wait: plaintext: 1
Mon Dec 15 12:51:38 2008 : Debug: Exec-Program: returned: 0
Mon Dec 15 12:51:38 2008 : Info: result 0
Mon Dec 15 12:51:38 2008 : Info:expand: %{exec:/root/test.py
%{User-Name} %{outer.request:Calling-Station-Id}} -> 1
Mon Dec 15 12:51:38 2008 : Info: ++- entering switch
%{exec:/root/test.py %{User-Name} %{outer.request:Calling-Station-Id}} {...}
Mon Dec 15 12:51:38 2008 : Info: +++- switch %{exec:/root/test.py
%{User-Name} %{outer.request:Calling-Station-Id}} returns noop
Mon Dec 15 12:51:38 2008 : Info: ++- group post-auth returns noop
} # server inner-tunnel
Mon Dec 15 12:51:38 2008 : Info: [peap] Got tunneled reply code 2
Tunnel-Private-Group-Id:0 = "2000"

(Tunnel-Private-Group-Id = "2000" is the default. It should be 1999 here
because /root/test.py returned 1)


The case when there is a space:
Mon Dec 15 12:53:04 2008 : Auth: Login OK: [test/]
(from client localhost port 0 via TLS tunnel)
Mon Dec 15 12:53:04 2008 : Info: +- entering group post-auth {...}
Mon Dec 15 12:53:04 2008 : Info: Executing /root/test.py %{User-Name}
%{outer.request:Calling-Station-Id}
Mon Dec 15 12:53:04 2008 : Info:expand: %{User-Name} -> test
Mon Dec 15 12:53:04 2008 : Info:expand:
%{outer.request:Calling-Station-Id} -> 02-00-00-00-00-01
Mon Dec 15 12:53:04 2008 : Debug: Exec-Program output: 2
Mon Dec 15 12:53:04 2008 : Debug: Exec-Program-Wait: plaintext: 2
Mon Dec 15 12:53:04 2008 : Debug: Exec-Program: returned: 0
Mon Dec 15 12:53:04 2008 : Info: result 0
Mon Dec 15 12:53:04 2008 : Info:expand: %{exec:/root/test.py
%{User-Name} %{outer.request:Calling-Station-Id}} -> 2
Mon Dec 15 12:53:04 2008 : Info: ++- entering switch
%{exec:/root/test.py %{User-Name} %{outer.request:Calling-Station-Id}} {...}
Mon Dec 15 12:53:04 2008 : Info: +++- entering case 2  {...}
Mon Dec 15 12:53:04 2008 : Info: [reply] returns noop
Mon Dec 15 12:53:04 2008 : Info: +++- case 2  returns noop
Mon Dec 15 12:53:04 2008 : Info: ++- switch %{exec:/root/test.py
%{User-Name} %{outer.request:Calling-Station-Id}} returns noop
} # server inner-tunnel
Mon Dec 15 12:53:04 2008 : Info: [peap] Got tunneled reply code 2
Tunnel-Private-Group-Id:0 = "999"

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]
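To show why only the case with the trailing space matched in the two messages above, here is an added model of the exec xlat and the unlang switch (example code, not the poster's script or FreeRADIUS code). It assumes, as the two debug logs indicate, that the 2.x exec xlat turns the script's trailing newline into a space instead of stripping it; the scripts and case table are the poster's, rewritten for Python 3.

```python
"""Model of the post-auth switch from the thread: why "case 2 " matched while
the output "1" fell through.  Added example, not FreeRADIUS code.
Assumption (consistent with the logs above): the exec xlat replaces each
CR/LF in the script's stdout with a space, so `print` yields "1 " not "1"."""
import subprocess
import sys

# Two variants of the poster's test.py, passed to the interpreter with -c.
# The first mirrors `print sys.argv[1]` (Python 3 spelling); print adds "\n".
SCRIPT_WITH_PRINT = "import sys; print(sys.argv[1])"
# The second writes the value with no trailing newline at all.
SCRIPT_NO_NEWLINE = "import sys; sys.stdout.write(sys.argv[1])"


def exec_xlat(script_source, *args):
    """Model of %{exec:...}: run the program, capture stdout, newline -> space."""
    proc = subprocess.run([sys.executable, "-c", script_source, *args],
                          capture_output=True, text=True, check=True)
    # Assumed 2.x behaviour: line ends become spaces rather than being trimmed.
    return proc.stdout.replace("\r", " ").replace("\n", " ")


def unlang_switch(value, cases):
    """Model of unlang switch/case: exact string match, None on fall-through."""
    for label, outcome in cases:
        if label == value:
            return outcome
    return None


# The poster's cases: script output -> Tunnel-Private-Group-Id.  "2 " is the
# only label carrying the trailing space, which is why only that branch hit.
VLAN_CASES = [("0", "2000"), ("1", "1999"), ("2 ", "999")]
DEFAULT_VLAN = "2000"  # what the reply already carried before post-auth ran


def vlan_for(script_source, script_output):
    """VLAN chosen when the exec output is compared verbatim, as on the page."""
    chosen = unlang_switch(exec_xlat(script_source, script_output), VLAN_CASES)
    # A silent fall-through keeps the default VLAN in the reply: the user
    # lands in VLAN 2000 regardless of what the script decided.
    return chosen if chosen is not None else DEFAULT_VLAN


def vlan_for_normalised(script_source, script_output):
    """Same decision with the exec output trimmed before the comparison."""
    value = exec_xlat(script_source, script_output).strip()
    trimmed = [(label.strip(), vlan) for label, vlan in VLAN_CASES]
    chosen = unlang_switch(value, trimmed)
    return chosen if chosen is not None else DEFAULT_VLAN


if __name__ == "__main__":
    for src, name in ((SCRIPT_WITH_PRINT, "print"), (SCRIPT_NO_NEWLINE, "write")):
        for out in ("0", "1", "2"):
            print(name, repr(out), "->", repr(exec_xlat(src, out)),
                  "vlan", vlan_for(src, out),
                  "normalised", vlan_for_normalised(src, out))
```

Run it to see that with `print` the value "1" lands in the default VLAN 2000 and "2" hits the "2 " case, exactly as in the two logs.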


Re: vlan in ldap - full version

2008-12-17 Thread Lech Karol Pawłaszek
alois blasbichler wrote:
[...]
> I changed to
> ---
> replayItem   Tunnel-Type               radiusTunnelType
> replayItem   Tunnel-Medium-Type        radiusTunnelMediumType
> replayItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId
> 
> But so it says  that :

It should be "replyItem".

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: vlan in ldap

2008-12-17 Thread Lech Karol Pawłaszek
alois blasbichler wrote:
> Hello list
> 
> I am trying to assign different vlans for my different Radius-users.
> The good  news is that with a user defined in the users file it works fine.

Check ldap.attrmap for these lines:

replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: Force CA validation

2009-11-26 Thread Lech Karol Pawłaszek

Fernando Calvelo Vazquez wrote:
> How can I force CA validation in an EAP-TTLS configuration?
> If in my Windows supplicant software I select CA validation, it
> works. But if I remove it, and I use only the User-Credentials
> Authentication part... it works also.
> I would like to force that the CA certificate Authentication part must
> be mandatory also.

Use EAP-TLS. It requires a client-side certificate.

Kind regards,

--
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

NT/LM password from LDAP (PAP works, MSCHAP doesn't).

2010-01-11 Thread Lech Karol Pawłaszek
Hello.

I've got a working FreeRADIUS installation for 802.1x authentication and
authorization using EAP-TLS with passwords - NT/LM hashes - stored in
LDAP. And it works nicely.

Right now I'm deploying (yes, at this particular moment!) an IPsec/L2TP VPN
which will be utilizing RADIUS via a ppp connection. And for PAP it works
nicely. However MSCHAP doesn't want to work. I'm kinda lost because the EAP
connection uses MSCHAP(v2) as well and that one works flawlessly.

;-) Am I missing something? I believe it should work. Or it cannot?

I've attached FreeRADIUS' logfile. Any pointers/hints much appreciated.

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

Re: NT/LM password from LDAP (PAP works, MSCHAP doesn't).

2010-01-13 Thread Lech Karol Pawłaszek
On 1/13/10 5:06 PM, Alan DeKok wrote:
> Lech Karol Pawłaszek wrote:
>> Right now I'm deploying (yes. at this particular moment!) IPsec/L2TP VPN
>> which will be utilizing RADIUS via ppp connection. And for PAP it works
>> nice. However MSCHAP doesn't want to work. I'm kinda lost because EAP
>> connection uses MSCHAP(v2) as well and this one works flawlessly.
>>
>> ;-) Am I missing something? I believe it should work. Or it cannot?
>>
>> I've attached FreeRADIUS' logfile. Any pointers/hints much appreciated.
> 
>   The Access-Request doesn't contain any MS-CHAP attributes.  The server
> cannot do MS-CHAP.

Thanks! I don't know how I missed that. The problem was with
radiusclient-ng's dictionary.microsoft file.

For reference, there is a nice howto on the poptop page:
http://poptop.sourceforge.net/dox/skwok/poptop_ads_howto_8.htm

Now IPsec/L2TP works with RADIUS (using MS-CHAPv2), which is connected
to LDAP, which stores users' passwords as NT/LM hashes. Great success.

;-) Thanks again Alan for the awesome FreeRADIUS.

Kind regards,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]

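Alan's diagnosis above (no MS-CHAP attributes in the Access-Request, so the server cannot do MS-CHAP) and the `EAP-Message = 0x010d00061900` in the Access-Challenge from the MAC-authorization thread earlier both come down to reading what the packet actually carries. As an added example (not code from the thread or from FreeRADIUS), here is a small RADIUS attribute decoder that lists a packet's attributes, expands Microsoft vendor attributes, decodes the EAP header and reports which password methods the attributes allow. All three packets are constructed with placeholder bytes; attribute numbers are from RFC 2865/2869 and RFC 2548.

```python
"""Decode RADIUS attributes and say which password methods they allow.
Added example for this thread, not FreeRADIUS code; the packets below are
constructed by hand with placeholder bytes, not captured traffic."""
import struct

VENDOR_SPECIFIC, VENDOR_MICROSOFT = 26, 311
STD_ATTRS = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
             24: "State", 79: "EAP-Message", 80: "Message-Authenticator"}
MS_ATTRS = {1: "MS-CHAP-Response", 11: "MS-CHAP-Challenge", 25: "MS-CHAP2-Response"}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}
# What each method needs to be present in the request (RFC 2865 / RFC 2548).
METHOD_NEEDS = [("PAP", {"User-Password"}), ("CHAP", {"CHAP-Password"}),
                ("MS-CHAPv1", {"MS-CHAP-Challenge", "MS-CHAP-Response"}),
                ("MS-CHAPv2", {"MS-CHAP-Challenge", "MS-CHAP2-Response"}),
                ("EAP", {"EAP-Message"})]


def parse_radius(packet):
    """Return (code name, [(attribute name, raw value)]); Microsoft VSAs expanded."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    attrs, off = [], 20                       # 4-byte header + 16-byte Authenticator
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length at offset %d" % off)
        value = packet[off + 2:off + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):   # walk sub-attributes
                vtype, vlen = sub[0], sub[1]
                name = MS_ATTRS.get(vtype) if vendor == VENDOR_MICROSOFT else None
                attrs.append((name or "VSA-%d-%d" % (vendor, vtype), sub[2:vlen]))
                sub = sub[vlen:]
        else:
            attrs.append((STD_ATTRS.get(atype, "Attr-%d" % atype), value))
        off += alen
    return RADIUS_CODES.get(code, code), attrs


def decode_eap(eap):
    """Decode the EAP header carried in EAP-Message (e.g. 0x010d00061900)."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:        # Request/Response carry a Type byte
        info["type"] = EAP_TYPES.get(eap[4], eap[4])
    return info


def auth_methods(attrs):
    """Methods the server can run, judged only by what the NAS actually sent."""
    names = {name for name, _ in attrs}
    return [method for method, needs in METHOD_NEEDS if needs <= names]


# --- constructed sample packets (zero placeholders, not real credentials) ---
def _attr(atype, value):
    return bytes((atype, len(value) + 2)) + value

def _ms_vsa(vtype, value):
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_MICROSOFT)
                 + bytes((vtype, len(value) + 2)) + value)

def _packet(code, ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

# A PAP request like the one pppd sent: User-Password present, so PAP works.
PAP_REQUEST = _packet(1, 1, [_attr(1, b"test"), _attr(2, b"\x00" * 16)])
# What an MS-CHAPv2 request must carry: the Microsoft VSAs (16-byte challenge,
# 50-byte MS-CHAP2-Response), both zeroed placeholders here.
MSCHAP_REQUEST = _packet(1, 2, [_attr(1, b"test"), _ms_vsa(11, b"\x00" * 16),
                                _ms_vsa(25, b"\x00" * 50)])
# The Access-Challenge quoted in the MAC-authorization thread (id 76).
CHALLENGE = _packet(11, 76, [_attr(79, bytes.fromhex("010d00061900")),
                             _attr(80, b"\x00" * 16),
                             _attr(24, bytes.fromhex("61fcdc3965f1c5fd5ac44742bec48a4e"))])

if __name__ == "__main__":
    for pkt in (PAP_REQUEST, MSCHAP_REQUEST, CHALLENGE):
        code, attrs = parse_radius(pkt)
        print(code, [name for name, _ in attrs], auth_methods(attrs))
        for name, value in attrs:
            if name == "EAP-Message":
                print("  EAP:", decode_eap(value))
```

The EAP-Message from the thread decodes as an EAP Request (id 13, length 6) of type 25, PEAP, with no flags: the server's PEAP start that the supplicant never answered.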

Re: Is Centralized SSH Public Key Authentication Possible?

2010-02-18 Thread Lech Karol Pawłaszek
On 2/17/10 9:24 PM, John L. Singleton wrote:
> Hi All,
> 
> I am trying to set up a centralized SSH authentication server that allows 
> authentication via public keys. I can't find anything on the web about whether 
> this is possible with FR. Is it? Basically all I need is for FR to allow 
> authentication off of a respective user's .ssh/authorized_keys file. So far 
> all I can seem to get going is password authentication. Can anyone let me 
> know if this is even doable?
> 

Hello,

I'm using the OpenSSH-LPK patch. This patch allows keeping public keys in an
LDAP tree. But it has nothing to do with RADIUS.

http://code.google.com/p/openssh-lpk/

Hope it helps,

-- 
Lech Karol Pawłaszek 
"You will never see me fall from grace" [KoRn]