SV: SV: SV: Controlling with Auth-Type a client must use

2010-07-26 Thread Madsen.Jan JMD
Hmm okay.

I got 2 clients, client1 and client2
I want client1 to use my passwd module (kmdov3) to do authorization 
And I want client2 to use the unix module for authorization.

In my users file I have configured the one client I want to ONLY use my passwd module.
Users:
# Client1
DEFAULT Client-IP-Address == 1.1.1.1 

# Client2
DEFAULT NAS-IP-Address == 127.0.0.1, Auth-Type = System

But how do I tell that client1 is going to use my passwd-configured authorization? This was where I thought I could use the Auth-Type attribute, in a similar way to the one I used with client2.

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 26 July 2010 09:01
To: FreeRadius users mailing list
Subject: Re: SV: SV: Controlling with Auth-Type a client must use

Madsen.Jan JMD wrote:
> Yeah okay Alan, I have tried that already, and it's working. But the 
> challenge is that I got some clients that should use the Unix 
> authentication (unix server login), and some that don't (application logins and 
> Cisco node access). So that's why I want to decide which authorization module 
> I want to use for a specific client.
> 
> So is this possible or am I on a wish trip ?

  Yes.  Figure out which client is supposed to get what service, and
configure that.

> A work around I have been thinking on, is to make additional sites (more 
> radius server) and do it that way around, but it requires other ports, or 
> other IP addresses etc.
> But what is your suggestion?

  Write down what you want.  Then, implement it in the server.

  So far, it looks like you haven't done the first step.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__
KMD A/S, Lautrupparken 40-42, DK-2750 Ballerup, CVR no. 26911745

KMD is a member of IT-Branchen and Dansk Erhverv and is registered with Datatilsynet (the Danish Data Protection Agency) as an IT service company. KMD is certified under ISO 9001:2000, with Dansk Standard as the certifying body, and is also a Microsoft Gold Certified Partner and a Certified SAP Hosting Center.

www.kmd.dk   www.kundenet.kmd.dk   www.organisator.dk   www.kmdinternational.com

If you received this e-mail by mistake, please notify me and delete it. Thank you.


SV: SV: Controlling with Auth-Type a client must use

2010-07-25 Thread Madsen.Jan JMD
Yeah okay Alan, I have tried that already, and it's working. But the challenge 
is that I got some clients that should use the Unix authentication (unix server 
login), and some that don't (application logins and Cisco node access). So that's 
why I want to decide which authorization module I want to use for a specific 
client.

So is this possible or am I on a wish trip ?

A work around I have been thinking on, is to make additional sites (more radius 
server) and do it that way around, but it requires other ports, or other IP 
addresses etc.
But what is your suggestion?

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 23 July 2010 11:26
To: FreeRadius users mailing list
Subject: Re: SV: Controlling with Auth-Type a client must use

Madsen.Jan JMD wrote:
> But still the unix authorization is used and the client is rejected because 
> of the invalid shell.

  Because you listed "unix" in the "authorization" section.  If you
don't want to use the Unix module, delete it from the "authorization"
section.

  Alan DeKok.


SV: Controlling with Auth-Type a client must use

2010-07-22 Thread Madsen.Jan JMD
Hello Alan 

Thanks for the answer.
But I already did that!!!

I configured my passwd module with kmdov3; it works fine.
I added kmdov3 at the top of the authorize section of sites-enabled/default:
preprocess

#
#  If you want to have a log of authentication requests,
#  un-comment the following line, and the 'detail auth_log'
#  section, above.
#   auth_log

kmdov3
...
..
unix
...
..
pap


But still the unix authorization is used and the client is rejected because of 
the invalid shell.
Is it not possible to force a single client to use only one type of 
authorization, e.g. kmdov3?
Do I need to add something to the authentication section?

Here is the full debug log of the client call; you can see that kmdov3 
returns OK but the unix one fails with the invalid shell:

rad_recv: Access-Request packet from host 131.165.80.37 port 9183, id=169, 
length=61
User-Name = "jmd"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 8158
NAS-Port-Type = Virtual
Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...}
Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok
Fri Jul 23 07:57:40 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' 
to config_items 
Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok
Fri Jul 23 07:57:40 2010 : Info: [radius_group] Added Radius1-Group: 
'wcs-superadmin' to request_items 
Fri Jul 23 07:57:40 2010 : Info: ++[radius_group] returns ok
Fri Jul 23 07:57:40 2010 : Info: ++[chap] returns noop
Fri Jul 23 07:57:40 2010 : Info: ++[mschap] returns noop
Fri Jul 23 07:57:40 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking 
up realm NULL
Fri Jul 23 07:57:40 2010 : Info: [suffix] No such realm "NULL"
Fri Jul 23 07:57:40 2010 : Info: ++[suffix] returns noop
Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP
Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop
Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1]
Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject
Fri Jul 23 07:57:40 2010 : Info: Using Post-Auth-Type Reject
Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...}
Fri Jul 23 07:57:40 2010 : Info: [attr_filter.access_reject]expand: 
%{User-Name} -> jmd
Fri Jul 23 07:57:40 2010 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated
Fri Jul 23 07:57:40 2010 : Info: Delaying reject of request 1 for 1 seconds
Fri Jul 23 07:57:40 2010 : Debug: Going to the next request
Fri Jul 23 07:57:40 2010 : Debug: Waking up in 0.9 seconds.
Fri Jul 23 07:57:41 2010 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 169 to 131.165.80.37 port 9183
Fri Jul 23 07:57:41 2010 : Debug: Waking up in 4.9 seconds.
Fri Jul 23 07:57:46 2010 : Info: Cleaning up request 1 ID 169 with timestamp +89
Fri Jul 23 07:57:46 2010 : Info: Ready to process requests.

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 22 July 2010 14:20
To: FreeRadius users mailing list
Subject: Re: Controlling with Auth-Type a client must use

Madsen.Jan JMD wrote:
> I’m using the module passwd working fine, and I have enabled unix
> authentication in my default section.

  Don't.  Use "pap".  It can do crypt authentication.

> Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
> Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject

  Which is what the Unix module does.

> But what I want to do is to set the client ONLY to use kmdov3 as my
> authentication and not the Unix one. Is this possible?

  No.  You want "crypt" authentication, without checking /etc/passwd.
Use the "pap" module.

  When you say "only to use kmdov3 as my authentication", it means you
have confused authorization and authentication.  They are *very* different.

> I have been trying to use the Auth-Type attribute, but can’t figure out
> how to tell that I want to use the kmdov3 authentication type.

  Don't.  Don't set Auth-Type.  In the default configuration, all you
need to do is:

1) configure the kmdov3 module in raddb/modules
2) list "kmdov3" in the "authorize" section *before* the "pap" module
3) authentication *will* work

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
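The per-client module selection asked for in the 2010-07-26 message above, written the way Alan's reply suggests (no forced Auth-Type; the passwd instance listed in authorize ahead of pap). This is an added example, not configuration posted in the thread; the module names kmdov3 and radius_group, the sites-enabled/default layout and the two client addresses (client2 at 127.0.0.1, client1 at 1.1.1.1) are taken from the thread, and the unlang if/else around the lookup modules is the addition.

```unlang
# sites-enabled/default, authorize section only (FreeRADIUS 2.x unlang).
# Added example, not the configuration from the thread. It assumes the
# kmdov3 and radius_group passwd instances from the thread and two RADIUS
# clients with the addresses Jan used (client2 at 127.0.0.1, client1 at 1.1.1.1).
authorize {
    preprocess

    # Select on Client-IP-Address (the packet's source address, already checked
    # against clients.conf) rather than NAS-IP-Address, which is whatever the
    # sender wrote into the request and is therefore not a reliable selector.
    if (Client-IP-Address == 127.0.0.1) {
        # client2: the Unix server. Only its requests pass through the unix
        # module, so an account with an invalid login shell is rejected here
        # and nowhere else.
        unix
    }
    else {
        # client1 and every other client: the site's own passwd-format file.
        # It adds Crypt-Password to the control list; /etc/passwd is never read.
        kmdov3
    }

    # Group lookup and per-group reply attributes from the users file, as in
    # the "Getting groups to work" thread.
    radius_group
    files
    expiration
    logintime

    # pap stays last: it sees the Crypt-Password that either branch added and
    # sets Auth-Type = PAP itself, so the users file never has to force one.
    pap
}
```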

Controlling with Auth-Type a client must use

2010-07-22 Thread Madsen.Jan JMD
Hello Radius People

I'm running freeradius 2.1.8, working great.

I'm using the radius servers for many different clients, especially Cisco nodes, 
and some Unix servers.
I'm using the module passwd, working fine, and I have enabled unix 
authentication in my default section.

Now when a specific client tries to send username and password to my system, the 
passwd module accepts the password fine, but the unix section rejects 
the password, ending in an Access-Reject back to the client.

Some debug here

Thu Jul 22 13:22:21 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' 
to config_items
Thu Jul 22 13:22:21 2010 : Info: ++[kmdov3] returns ok
...
..
.
Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject

I do know that the unix module rejects because of an invalid shell, and changing 
it to a valid shell fixes this problem.
But what I want to do is to set the client to ONLY use kmdov3 as my 
authentication and not the Unix one. Is this possible?
I have been trying to use the Auth-Type attribute, but can't figure out how to 
tell it that I want to use the kmdov3 authentication type.

Best regards
Jan Madsen

SV: How to separate users to different server...

2010-07-22 Thread Madsen.Jan JMD
What I would do.

Use the etc_group module

Create some groups for your users
Group1
Group2

Add the respective users to the correct groups

In the users file I will create a line for each login server (client to the 
radius server).
Something like this:
Client-IP-Address == [login server1], Radius-Group == "[name of group]"


Take a look at the module etc_group to see how you create a group.
Then remember to add the group etc_group name to the authentication section of 
your radius site probably the sites-enabled/default

Best regards
Jan Madsen

From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Spacelee
Sent: 22 July 2010 12:34
To: FreeRadius users mailing list
Subject: How to separate users to different server...

Environment: PPTP+PPP+FREERADIUS+MYSQL+LINUX
I want to separate users, for example, there are 10 users
user1, user2 ... user10
I want user1, user2 ... user5 can only login server1
I want user6.user10 can only login server2
if user1 login server2, could I sent a login failure? How to finish this task...

Thanks...

--
Spacelee

SV: Same user-name/password question

2010-07-21 Thread Madsen.Jan JMD
Use something unique from each client together with the User-Name to match 
each specific client.

Like:
User-Name = "John", SOMETHING = "ClientA"

That SOMETHING could be Client-IP-Address or NAS-IP-Address if that is 
configurable on the Client side :)

Best regards
Jan Madsen

From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Fabricio Viana
Sent: 21 July 2010 21:02
To: freeradius-users@lists.freeradius.org
Subject: Same user-name/password question

I am with the following question:

I have two requests as follows:

First:
User-Name = "john"
User-Password = "john"
NAS-IP-Address = 200.xxx.xxx.10
NAS-Port = 0

Second:
User-Name = "john"
User-Password = "john"
NAS-IP-Address = 202.xxx.xxx.200
NAS-Port = 0

There are two requests for the same username and password but from different 
NAS. For each, the answer must be different.

In this case are the same user-name, how do I differentiate the answers?

I'm using freeradius + mysql 2.

Thank you!
Fabricio


SV: SV: Getting groups to work, from a group file

2010-07-15 Thread Madsen.Jan JMD
Yes Alan,
Thanks a lot for the help, it was useful as always :D

Changing the Radius1-Group attribute from a config item to a request item did 
what I wanted to accomplish :D

So for other people, my group file now looks like this.
passwd radius_group {
filename = /etc/freeradius/radius-groups
format = "~Radius1-Group:::*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}

The ~Radius1-Group makes it possible to use the variable in the users file for 
checking value :)

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 15 July 2010 14:28
To: FreeRadius users mailing list
Subject: Re: SV: Getting groups to work, from a group file

Madsen.Jan JMD wrote:
> I did change the variable to the following
> Etc_group module file
...
> Added the following to dictionary file
...
> Changed the users file
> DEFAULT NAS-IP-Address == 172.31.254.4, Radius1-Group == 
> "wcs-superadmin" 
> Cisco-AVPair += 'Wireless-WCS:role0=SuperUsers'
> 
> DEFAULT NAS-IP-Address == 172.31.254.4, Radius1-Group == 
> "wcs-monitors" 
> Cisco-AVPair += 'Wireless-WCS:task0=Users and Groups'

  That should all be OK.

  You might have to add the "Radius1-Group" attribute to the request
list, rather than the configuration list.

  Alan DeKok.


SV: Getting groups to work, from a group file

2010-07-15 Thread Madsen.Jan JMD
Thanks for answer Alan

I did change the variable to the following
Etc_group module file
passwd radius_group {
filename = /etc/freeradius/radius-groups
format = "Radius1-Group:::*,User-Name"
hashsize = 50
ignorenislike = yes
allowmultiplekeys = yes
delimiter = ":"
}

Added the following to dictionary file
ATTRIBUTE   Radius1-Group   3003    string

Changed the users file
DEFAULT NAS-IP-Address == 172.31.254.4, Radius1-Group == 
"wcs-superadmin" 
Cisco-AVPair += 'Wireless-WCS:role0=SuperUsers'

DEFAULT NAS-IP-Address == 172.31.254.4, Radius1-Group == "wcs-monitors" 
Cisco-AVPair += 'Wireless-WCS:task0=Users and Groups'

And still the debug looks the same: Radius1-Group is getting set to the correct 
"group-name", but the +files returns noop
[kmdov3] Added crypt-Password: 'crypt-password' to config_items 
Thu Jul 15 10:47:45 2010 : Info: ++[kmdov3] returns ok
Thu Jul 15 10:47:45 2010 : Info: [radius_group] Added Radius1-Group: 
'wcs-monitors' to config_items 
Thu Jul 15 10:47:45 2010 : Info: ++[radius_group] returns ok
Thu Jul 15 10:47:45 2010 : Info: ++[chap] returns noop
Thu Jul 15 10:47:45 2010 : Info: ++[mschap] returns noop
Thu Jul 15 10:47:45 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking 
up realm NULL
Thu Jul 15 10:47:45 2010 : Info: [suffix] No such realm "NULL"
Thu Jul 15 10:47:45 2010 : Info: ++[suffix] returns noop
Thu Jul 15 10:47:45 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Jul 15 10:47:45 2010 : Info: ++[eap] returns noop
Thu Jul 15 10:47:45 2010 : Info: ++[files] returns noop
Thu Jul 15 10:47:45 2010 : Info: ++[expiration] returns noop
Thu Jul 15 10:47:45 2010 : Info: ++[logintime] returns noop
Thu Jul 15 10:47:45 2010 : Info: ++[pap] returns updated
Thu Jul 15 10:47:45 2010 : Info: Found Auth-Type = PAP
Thu Jul 15 10:47:45 2010 : Info: +- entering group PAP {...}
Thu Jul 15 10:47:45 2010 : Info: [pap] login attempt with password "password"
Thu Jul 15 10:47:45 2010 : Info: [pap] Using CRYPT encryption.
Thu Jul 15 10:47:45 2010 : Info: [pap] User authenticated successfully
Thu Jul 15 10:47:45 2010 : Info: ++[pap] returns ok
Thu Jul 15 10:47:45 2010 : Info: +- entering group post-auth {...}
Thu Jul 15 10:47:45 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 216 to 127.0.0.1 port 33716

Does it look like I'm missing something somewhere?

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 15 July 2010 10:30
To: FreeRadius users mailing list
Subject: Re: Getting groups to work, from a group file

Madsen.Jan JMD wrote:
> I want to check a group file for which group a user is a member of, and
> after that send specific commands back to the radius client, on behalf
> of which group the client is a member of.
> 
> I can't get freeradius to do the correct check on my Group variable in
> my users file, and I can't figure out what I'm missing or what I'm doing
> wrong.

  The "Group" and "Group-Name" attributes have pre-defined meanings.
Don't use them.


> I have done the following
...
> format = "Group:::*,User-Name"

  No.  See raddb/modules/etc_group for a *working* example of a group
configuration.  See "man rlm_passwd" for more documentation on the same
subject.

  Alan DeKok.

SV: FR proxy to ACS and NPS with MS CHAP v2

2010-07-15 Thread Madsen.Jan JMD
I think you need to stop the radius process and then start it with radiusd -X.
This will run freeradius in the window you start it in, in debug mode.

On Linux it will look something like this:
/usr/sbin/freeradius -X (Default Debian install directory)

Or in a manually compiled one:
/opt/freeradius-1.1.8/sbin/radiusd -X (My install location)

And the output that comes from that is what Phil wants :)

Best regards
Jan Madsen



-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of SagiBarOr
Sent: 15 July 2010 09:46
To: freeradius-users@lists.freeradius.org
Subject: Re: FR proxy to ACS and NPS with MS CHAP v2


Thank you for the clarification Phil. I am not sure what "radius -x" means. I
posted the two output files I have. Are these the ones? If not, please
elaborate.

Note that these are the output files for the two FR servers, for which
everything is just fine. What does not work is when the second server is not
FR but NPS or ACS. I hope this data will suffice to identify the issue or
at least give good leads.

Phil Mayers wrote:
> 
> On 07/14/2010 11:17 PM, SagiBarOr wrote:
>>
>> Files posted.
> 
> No.
> 
> Post the output of "radiusd -X" to the list.
> 
> We don't need anything else; just that.
http://old.nabble.com/file/p29170161/cn-check_splitauth.log
cn-check_splitauth.log 
http://old.nabble.com/file/p29170161/ldap_mschapv2.log ldap_mschapv2.log 



Getting groups to work, from a group file

2010-07-15 Thread Madsen.Jan JMD
Hello FreeRadius users

I'm trying to get some group stuff working in freeradius.

I want to check a group file for which group a user is a member of, and
after that send specific commands back to the radius client, on behalf
of which group the client is a member of.

I can't get freeradius to do the correct check on my Group variable in
my users file, and I can't figure out what I'm missing or what I'm doing
wrong.

I have done the following

Added my group file to the passwd module

passwd groups {
filename = /etc/freeradius/radius-groups
format = "Group:::*,User-Name"
hashsize = 0
delimiter = :
ignorenislike = yes
allowmultiplekeys = yes
}

My group file looks like this

wcs-superadmin:x:1:admin
wcs-monitors:x:2:jmd

I have done the following in my users file to send the specific data
back to the radius client where my check relies on what the Group
variable contains.

DEFAULT NAS-IP-Address == 172.31.254.4, Group == "wcs-superadmin"
Cisco-AVPair += 'Wireless-WCS:role0=SuperUsers',
Cisco-AVPair += 'Wireless-WCS:task0=Users and Groups',
Cisco-AVPair += 'Wireless-WCS:task1=Audit Trails'

DEFAULT NAS-IP-Address == 172.31.254.4, Group == "wcs-monitors"
Cisco-AVPair += 'Wireless-WCS:task0=Users and Groups',
Cisco-AVPair += 'Wireless-WCS:task1=Audit Trails'

When I run a debug I get the following information

rad_recv: Access-Request packet from host 127.0.0.1 port 33646, id=62, length=55
User-Name = "jmd"
User-Password = "password"
NAS-IP-Address = 172.31.254.4
NAS-Port = 0
Thu Jul 15 09:09:10 2010 : Info: +- entering group authorize {...}
Thu Jul 15 09:09:10 2010 : Info: ++[preprocess] returns ok
Thu Jul 15 09:09:10 2010 : Info: [kmdov3] Added crypt-Password: 'crpyt-password' to config_items 
Thu Jul 15 09:09:10 2010 : Info: ++[kmdov3] returns ok
Thu Jul 15 09:09:10 2010 : Info: [groups] Added Group: 'wcs-monitors' to config_items 
Thu Jul 15 09:09:10 2010 : Info: ++[groups] returns ok
Thu Jul 15 09:09:10 2010 : Info: ++[chap] returns noop
Thu Jul 15 09:09:10 2010 : Info: ++[mschap] returns noop
Thu Jul 15 09:09:10 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking up realm NULL
Thu Jul 15 09:09:10 2010 : Info: [suffix] No such realm "NULL"
Thu Jul 15 09:09:10 2010 : Info: ++[suffix] returns noop
Thu Jul 15 09:09:10 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Jul 15 09:09:10 2010 : Info: ++[eap] returns noop
Thu Jul 15 09:09:10 2010 : Info: ++[files] returns noop
Thu Jul 15 09:09:10 2010 : Info: ++[expiration] returns noop
Thu Jul 15 09:09:10 2010 : Info: ++[logintime] returns noop
Thu Jul 15 09:09:10 2010 : Info: ++[pap] returns updated
Thu Jul 15 09:09:10 2010 : Info: Found Auth-Type = PAP
Thu Jul 15 09:09:10 2010 : Info: +- entering group PAP {...}
Thu Jul 15 09:09:10 2010 : Info: [pap] login attempt with password "password"
Thu Jul 15 09:09:10 2010 : Info: [pap] Using CRYPT encryption.
Thu Jul 15 09:09:10 2010 : Info: [pap] User authenticated successfully
Thu Jul 15 09:09:10 2010 : Info: ++[pap] returns ok
Thu Jul 15 09:09:10 2010 : Info: +- entering group post-auth {...}
Thu Jul 15 09:09:10 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 62 to 127.0.0.1 port 33646
Thu Jul 15 09:09:10 2010 : Info: Finished request 1.

As you can see the Group: variable is set to 'wcs-monitors', which is the
group jmd is a member of. But it never sends the correct data back from
the users file. How to do that?

Best regards

Jan Madsen



SV: SV: SV: Simple Configuration of using passwd-like file, howtoneeded

2010-07-11 Thread Madsen.Jan JMD
Okay, thanks a lot Alan.
That was my missing link. I really could not find anything about this in any 
docs, man pages or web pages. Your help is really appreciated :D

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 9 July 2010 12:03
To: FreeRadius users mailing list
Subject: Re: SV: SV: Simple Configuration of using passwd-like file, howto needed

Madsen.Jan JMD wrote:
> I did like this now
> More /etc/freeradius/modules/passwd
> passwd kmdov3 {

  OK.

> And still I just get a rejected login

  You need to list "kmdov3" in the "authorize" section.  The debug log
shows that the module is not being used... therefore the passwords are
not being found.

  Alan DeKok.


SV: SV: Simple Configuration of using passwd-like file, howto needed

2010-07-09 Thread Madsen.Jan JMD
Okay Alan

I did like this now
More /etc/freeradius/modules/passwd
passwd kmdov3 {
filename = /etc/tac-plus/passwd
format = "*User-Name:Password:"
hashsize = 0
delimiter = :
authtype = pap
}

This looks very much like the smbpasswd file
passwd smbpasswd {
filename = /etc/smbpasswd
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}

And still I just get a rejected login
rad_recv: Access-Request packet from host 127.0.0.1 port 41186, id=97, length=55
User-Name = "jmd"
User-Password = "password"
NAS-IP-Address = 172.31.254.4
NAS-Port = 0
Fri Jul  9 10:27:18 2010 : Info: +- entering group authorize {...}
Fri Jul  9 10:27:18 2010 : Info: ++[preprocess] returns ok
Fri Jul  9 10:27:18 2010 : Info: ++[chap] returns noop
Fri Jul  9 10:27:18 2010 : Info: ++[mschap] returns noop
Fri Jul  9 10:27:18 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking 
up realm NULL
Fri Jul  9 10:27:18 2010 : Info: [suffix] No such realm "NULL"
Fri Jul  9 10:27:18 2010 : Info: ++[suffix] returns noop
Fri Jul  9 10:27:18 2010 : Info: [eap] No EAP-Message, not doing EAP
Fri Jul  9 10:27:18 2010 : Info: ++[eap] returns noop
Fri Jul  9 10:27:18 2010 : Info: ++[unix] returns updated
Fri Jul  9 10:27:18 2010 : Info: [files] users: Matched entry DEFAULT at line 49
Fri Jul  9 10:27:18 2010 : Info: ++[files] returns ok
Fri Jul  9 10:27:18 2010 : Info: ++[expiration] returns noop
Fri Jul  9 10:27:18 2010 : Info: ++[logintime] returns noop
Fri Jul  9 10:27:18 2010 : Info: ++[pap] returns updated
Fri Jul  9 10:27:18 2010 : Info: Found Auth-Type = PAP
Fri Jul  9 10:27:18 2010 : Info: +- entering group PAP {...}
Fri Jul  9 10:27:18 2010 : Info: [pap] login attempt with password 
"q1001wqwe123"
Fri Jul  9 10:27:18 2010 : Info: [pap] Using CRYPT encryption.
Fri Jul  9 10:27:18 2010 : Info: [pap] Passwords don't match
Fri Jul  9 10:27:18 2010 : Info: ++[pap] returns reject
Fri Jul  9 10:27:18 2010 : Info: Failed to authenticate the user.
Fri Jul  9 10:27:18 2010 : Info: Using Post-Auth-Type Reject
Fri Jul  9 10:27:18 2010 : Info: +- entering group REJECT {...}
Fri Jul  9 10:27:18 2010 : Info: [attr_filter.access_reject]expand: %{User-Name} -> jmd
Fri Jul  9 10:27:18 2010 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Fri Jul  9 10:27:18 2010 : Info: ++[attr_filter.access_reject] returns updated
Fri Jul  9 10:27:18 2010 : Info: Delaying reject of request 1 for 1 seconds
Fri Jul  9 10:27:18 2010 : Debug: Going to the next request
Fri Jul  9 10:27:18 2010 : Debug: Waking up in 0.9 seconds.
Fri Jul  9 10:27:19 2010 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 97 to 127.0.0.1 port 41186
Fri Jul  9 10:27:19 2010 : Debug: Waking up in 4.9 seconds.
Fri Jul  9 10:27:24 2010 : Info: Cleaning up request 1 ID 97 with timestamp +23
Fri Jul  9 10:27:24 2010 : Info: Ready to process requests.

Best regards
Jan Madsen

-Original message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of 
Alan DeKok
Sent: 9 July 2010 10:16
To: FreeRadius users mailing list
Subject: Re: SV: Simple Configuration of using passwd-like file, howto needed

Madsen.Jan JMD wrote:
> So I need to change the passwd file name ?
> Now using : /etc/freeradius/modules/passwd
> 
> or do I need to do something like this in the passwd file
> 
> Passwd-name {

  Something like that.  See the "smbpasswd" file for an example of what
you need to do.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
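For reference, here is a passwd module instance that maps the hash field of the copied passwd file to Crypt-Password and is then listed in the authorize section, which is what the replies in this thread ask for. This is an added example, not configuration from the thread; the instance name "tacplus" is assumed, the file path follows the poster's setup, and the hashsize/ignorenislike/allowmultiplekeys values mirror the stock raddb/modules/passwd example for /etc/passwd.

```conf
# /etc/freeradius/modules/tacplus   (added example; instance name "tacplus" is assumed)
passwd tacplus {
    # passwd-style file copied from the other host:
    #   name:hash:uid:gid:gecos:home:shell
    filename = /etc/tac-plus/passwd

    # One attribute name per field, in file order; "*" marks the lookup key.
    # The second field is a crypt(3) hash, so it has to become Crypt-Password
    # (a "known good" password that rlm_pap can check), not User-Password.
    # Fields after the trailing ":" are ignored, as in the stock /etc/passwd example.
    format = "*User-Name:Crypt-Password:"

    delimiter = :
    hashsize = 100
    ignorenislike = no
    allowmultiplekeys = no
}

# /etc/freeradius/sites-enabled/default   (only the relevant lines of the
# authorize section; the module must run before "pap" so that pap finds the hash)
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    # Drop "unix" from this virtual server if it should not also consult the
    # system /etc/passwd: it adds its own Crypt-Password first (see
    # "++[unix] returns updated" in the debug output) and pap may compare that one.
    tacplus
    files
    expiration
    logintime
    pap
}
```

With this in place, pap sets Auth-Type = PAP itself when an Access-Request carries User-Password, so the users file entry for that NAS needs no Auth-Type line.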


SV: Simple Configuration of using passwd-like file, howto needed

2010-07-09 Thread Madsen.Jan JMD
So I need to change the passwd file name ?
Now using : /etc/freeradius/modules/passwd

or do I need to do something like this in the passwd file

Passwd-name {
filename = /etc/tac-plus/passwd
format = "*User-Name:Password"
hashsize = 0
delimiter = :
authtype = pap
}

Best regards
Jan Madsen


-Original message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of 
Alan DeKok
Sent: 9 July 2010 09:32
To: FreeRadius users mailing list
Subject: Re: Simple Configuration of using passwd-like file, howto needed

Madsen.Jan JMD wrote:
> My specific configuration to get this working looks like this
>  
> Passwd module file
> 
> filename = /etc/tac-plus/passwd

  Hmm... there's more to it than that.  What did you name the module?


> The debug output looks like this when I try to do an authentication using
> radtest command

  Shows no "passwd" module listed in the "authorize" section.

  You need to do that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simple Configuration of using passwd-like file, howto needed

2010-07-08 Thread Madsen.Jan JMD
Hello All freeradius users

I have been trying to get my freeradius to do authentication against a 
passwd-like file using the passwd module.

I'm running FreeRadius 2.1.8 on a Debian 4.0 Server used lenny-backports for 
the installation.


My specific configuration to get this working looks like this

Passwd module file
filename = /etc/tac-plus/passwd
format = *User-Name:User-Password
hashsize = 0
delimiter = :
authtype = pap

the password file looks like this /etc/tac-plus/passwd
jmd:TLw0SiK4QfQxg:159:20::/home/jmd:/bin/bash

users file
DEFAULT NAS-IP-Address == 172.31.254.4
Cisco-AVPair += 'Wireless-WCS:role0=SuperUsers',
Cisco-AVPair += 'Wireless-WCS:task0=Users and Groups',
Cisco-AVPair += 'Wireless-WCS:task1=Audit Trails',


There is no problem in starting the freeradius server

The debug output looks like this when I try to do an authentication using the 
radtest command
rad_recv: Access-Request packet from host 127.0.0.1 port 40466, id=179, length=55
User-Name = "jmd"
User-Password = "password"
NAS-IP-Address = 172.31.254.4
NAS-Port = 0
Thu Jul  8 15:02:10 2010 : Info: +- entering group authorize {...}
Thu Jul  8 15:02:10 2010 : Info: ++[preprocess] returns ok
Thu Jul  8 15:02:10 2010 : Info: ++[chap] returns noop
Thu Jul  8 15:02:10 2010 : Info: ++[mschap] returns noop
Thu Jul  8 15:02:10 2010 : Info: [suffix] No '@' in User-Name = "jmd", looking up realm NULL
Thu Jul  8 15:02:10 2010 : Info: [suffix] No such realm "NULL"
Thu Jul  8 15:02:10 2010 : Info: ++[suffix] returns noop
Thu Jul  8 15:02:10 2010 : Info: [eap] No EAP-Message, not doing EAP
Thu Jul  8 15:02:10 2010 : Info: ++[eap] returns noop
Thu Jul  8 15:02:10 2010 : Info: [files] users: Matched entry DEFAULT at line 49
Thu Jul  8 15:02:10 2010 : Info: ++[files] returns ok
Thu Jul  8 15:02:10 2010 : Info: ++[expiration] returns noop
Thu Jul  8 15:02:10 2010 : Info: ++[logintime] returns noop
Thu Jul  8 15:02:10 2010 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Jul  8 15:02:10 2010 : Info: ++[pap] returns noop
Thu Jul  8 15:02:10 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Thu Jul  8 15:02:10 2010 : Info: Failed to authenticate the user.
Thu Jul  8 15:02:10 2010 : Info: Using Post-Auth-Type Reject
Thu Jul  8 15:02:10 2010 : Info: +- entering group REJECT {...}
Thu Jul  8 15:02:10 2010 : Info: [attr_filter.access_reject]expand: %{User-Name} -> jmd
Thu Jul  8 15:02:10 2010 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Jul  8 15:02:10 2010 : Info: ++[attr_filter.access_reject] returns updated
Thu Jul  8 15:02:10 2010 : Info: Delaying reject of request 19 for 1 seconds
Thu Jul  8 15:02:10 2010 : Debug: Going to the next request
Thu Jul  8 15:02:10 2010 : Debug: Waking up in 0.9 seconds.
Thu Jul  8 15:02:11 2010 : Info: Sending delayed reject for request 19
Sending Access-Reject of id 179 to 127.0.0.1 port 40466
Thu Jul  8 15:02:11 2010 : Debug: Waking up in 4.9 seconds.


Radtest command:
radtest jmd password localhost 0 secret

I have no clue what I'm doing wrong!
Please help me.
Best regards
Jan Madsen
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Using another passwd file

2009-10-12 Thread Madsen.Jan JMD
Hello Freeradius users
 
I have a challenge about using a passwd file in freeradius.
 
I'm running Debian 4.0 Kernel 2.6.18-5-486
I have installed FreeRADIUS Version 1.1.3, for host i486-pc-linux-gnu
 
I have activated the following in radiusd.conf file
   passwd = /etc/passwd
   shadow = /etc/shadow
 
This works great :)
But all my users are registered on a HP-UX server that is running in an
untrusted environment, meaning that username and password are stored in
the /etc/passwd file.
 
I'm copying the passwd from the HP-UX server to my Debian 4.0 server.
So now I'm changing the radiusd.conf file to the following
   passwd = /etc/freeradius/passwd
   #shadow = /etc/shadow
Now I'm NOT able to authenticate on my radius server.
The passwd file from HP-UX looks like this
 
pse:VE74Bof8KAnxo:131:20::/home/pse:/sbin/sh

I even tried to work with the passwd module but without much luck.

Can anyone help me here or give me a tip about how to make it work.

Best regards
Jan Madsen

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html