Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote:
> On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> > As you can see, the device wasn't listed in the file, the authentication
> > went fine, saying that the tunnel that I should get has ID 40, but that
> > wasn't overwritten by the authorized_macs check...
> 
> DEFAULT Auth-Type := Reject

I misread (and replied before I'd seen the other thread from your
duplicate message...) - to set the vlan for any users that *don't*
match other entries, then add this at the bottom:

DEFAULT
	Tunnel-Type:0 := VLAN,
	Tunnel-Medium-Type:0 := IEEE-802,
	Tunnel-Private-Group-Id:0 := "999"

To Reject, you can do it in authorize. To set the VLAN, as Alan
said, post-auth is the better place.

Use ":=" to force the values to be set. "=" will not change the
values if already set by the inner tunnel, etc.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> As you can see, the device wasn't listed in the file, the authentication
> went fine, saying that the tunnel that I should get has ID 40, but that
> wasn't overwritten by the authorized_macs check...

Add

DEFAULT Auth-Type := Reject

to the bottom of your authorized_macs file.

You might as well move the mac address check up above eap in
the authorize section. There's no point going through all the eap
processing if you're just going to reject afterwards based on
something that could easily have been done first.

Cheers

Matthew



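A complete version of the authorized_macs arrangement discussed in these two replies, added here as an example; it is not part of the original thread or of the FreeRADIUS distribution. It assumes a `files` module instance named `authorized_macs` keyed on `Calling-Station-Id` (as in the stock configuration the thread refers to) and that the NAS sends MAC addresses in the `00-11-22-33-44-55` form; the sample MAC and the VLAN numbers are constructed.

```unlang
# ---- raddb/authorized_macs (users-file syntax; constructed example) ----
# Entries are tried in order and the first match wins. A known device gets
# its own VLAN; the DEFAULT entry at the bottom catches everything else.
# ":=" forces the reply values, so they replace any Tunnel-* attributes the
# inner tunnel may already have put in the reply.
00-11-22-33-44-55
	Tunnel-Type:0 := VLAN,
	Tunnel-Medium-Type:0 := IEEE-802,
	Tunnel-Private-Group-Id:0 := "40"

# Guest-VLAN variant: unknown devices land on the restricted VLAN 999
# (constructed placeholder value).
DEFAULT
	Tunnel-Type:0 := VLAN,
	Tunnel-Medium-Type:0 := IEEE-802,
	Tunnel-Private-Group-Id:0 := "999"

# Reject variant: use this DEFAULT entry instead of the one above when
# unknown devices must not get on the network at all.
#DEFAULT Auth-Type := Reject

# ---- raddb/sites-enabled/default (only the lines that change) ----
authorize {
	preprocess

	# Reject variant: run the MAC check here, above eap, so an unknown
	# device is refused before any EAP processing happens. With the
	# guest-VLAN DEFAULT this call is unnecessary and can be left out.
	authorized_macs

	eap
	# (rest of the stock authorize section unchanged)
}

post-auth {
	# VLAN variant: runs after authentication has succeeded, so a VLAN
	# set here is what the Access-Accept carries, whatever the inner
	# tunnel returned.
	authorized_macs
	# (rest of the stock post-auth section unchanged)
}
```

Read `radiusd -X` output once to confirm the exact `Calling-Station-Id` format your NAS uses; the users file matches the key string literally, so `0011.2233.4455` and `00-11-22-33-44-55` are different entries.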


Re: Cache for machine authentication

2013-10-04 Thread Matthew Newton
On Fri, Oct 04, 2013 at 09:54:29AM -0400, Garber, Neal wrote:
> Can someone tell me if it is possible in FR to cache in memory
> (for a short amount of time) Calling-Station-Id from successful

rlm_cache?

http://wiki.freeradius.org/modules/Rlm_cache

Matthew




Re: radwho not working

2013-10-04 Thread Matthew Newton
Hi Clint,

On Thu, Oct 03, 2013 at 09:53:57PM +, Clint Petty wrote:
...
> [detail]  expand: %t -> Thu Oct  3 21:45:27 2013
> ++[detail] returns ok
> ++[unix] returns ok
> [radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
> [radutmp] expand: %{User-Name} -> test
> ++[radutmp] returns ok
> ++[exec] returns noop

From that, have you tried the following?

  radwho -F /var/log/radius/radutmp

See also radwho(1).

Matthew





Re: ubuntu postgresql unknown client

2013-09-19 Thread Matthew Newton
On Thu, Sep 19, 2013 at 12:00:47PM -0500, rich carroll wrote:
> I am having problems getting freeradius with ubuntu and postgres to work. I
> have set up this setup on freebsd several time successfully. I believe that
> it is not checking the database at all. Below is my radtest command and my
> debug command.

...
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
> Ignoring request to authentication address * port 1812 from unknown client
> 127.0.0.1 port 52834
^^

Make sure there is an entry for 127.0.0.1 in your clients.conf.

Matthew




Re: Freeradius authenticate against Active directory

2013-09-13 Thread Matthew Newton
On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
> expand: --username=%{mschap:User-Name:-None} -> --username=t...@abc.ac.uk
...
> Exec-Program output: Logon failure (0xc4f) 

> How can I fix the problem of authentication users that type
> in there local realm @abc.ac.uk with their username as well as proxing eduroam
> users?
> Basically, how do I authenticate local user or stripe local
> realm before pass to active directory for authentication?

Use unlang to strip the realm off, something like this before the call to eap:

	if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {
		update request {
			Stripped-User-Name := "%{1}"
		}
		if ("%{3}") {
			update request {
				Realm := "%{3}"
			}
		}
		else {
			# this will reject requests that have no realm
			reject
		}
	}

Then in your mschap module config use Stripped-User-Name instead of User-Name,
e.g.

	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Matthew




Re: [ANN] Version 3.0.0-rc1

2013-09-09 Thread Matthew Newton
On Mon, Sep 09, 2013 at 03:18:06PM +0100, Arran Cudbard-Bell wrote:
> This negates problems caused by installing over the top of a
> previous installation, which IMHO is always an extremely bad
> idea with any unpackaged software.

...or even packaged software.

FWIW, I put all freeradius config in /srv/radius, and then
/etc/default/freeradius sets the daemon option '-d /srv/radius'.
Even with Debian's pretty good system of not overwriting config
files, I want to a) guarantee that my config never gets touched,
and b) not have to be asked about changed config files at package
upgrade time. Moving my config to a different location solves that
entirely.

It also means that I have a reference raddb in the standard
location, so I can refer to it. My config is mostly stripped of
comments for brevity (and my sanity). The reference config has
them all in.

I can't personally see why anyone would 'make install' on top of a
working config on a server and trust the install to not touch any
local changes. Even if I'm 99.99% sure it won't, I'd be too
worried to do it when there's an easy alternative. But I guess
some are just more adventurous than me! :)

Cheers,

Matthew





Re: range of mac addresses

2013-08-29 Thread Matthew Newton
On Thu, Aug 29, 2013 at 05:13:54PM -0500, Dan Letkeman wrote:
> #Range of mac addresses:
> 
> 94ebcd** Cleartext-Password := "94ebcd**"

If you're using PAP (which I guess is most likely if it's MAC
auth), you should be able to do something like

DEFAULT   User-Name =~ "^94ebcd", User-Password =~ "^94ebcd", Auth-Type := Accept

Or, depending on the number of prefixes, forget the users file and
just write it in unlang; maybe something like:

	if ( User-Name =~ /^94ebcd..$/ ) {
		update control {
			Cleartext-Password := "%{User-Name}"
		}
	}

Be very careful with that one for obvious reasons...

If you're doing CHAP (or something that needs the full cleartext
password) then you're probably limited anyway, as the only way
you're going to get the right cleartext password from a username
in a range when you don't list them all is to refer to said
username.

Matthew


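A tightened form of the "derive the password from the username" unlang above, added here as an example and not part of the original reply. It assumes the NAS performs MAC authentication with `Service-Type = Call-Check` and sends the address in `User-Name` as twelve lowercase hex digits without separators (check this against your own debug output; both are assumptions), and it uses the OUI prefix from the post.

```unlang
# raddb/sites-enabled/default, authorize section (constructed example).
authorize {
	preprocess

	# Hand out a "known good" password only when the request really is
	# MAC authentication (Call-Check) and the username is a complete MAC
	# in the permitted prefix range. Without the Service-Type test the
	# same rule would also create a password for an ordinary PAP login
	# whose username merely happens to start with 94ebcd.
	if ((Service-Type == Call-Check) && (User-Name =~ /^94ebcd[0-9a-f]{6}$/)) {
		update control {
			# For MAC auth the password is the address itself, so this
			# grants nothing beyond what the switch port already allows;
			# keep it behind Call-Check and limit the clients.conf entries
			# that are permitted to send it.
			Cleartext-Password := "%{User-Name}"
		}
	}

	# Everything else is looked up individually, as before.
	files
	pap
	# (rest of the stock authorize section unchanged)
}
```

The `pap` module in authorize then sets `Auth-Type = PAP` because a `User-Password` and a control `Cleartext-Password` are both present; requests that miss the `if` fall through to the normal user lookup and are rejected by `pap` if no password is known for them.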


Re: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread Matthew Newton
On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
> Or you could abandon the prejudice against upgrading because "it's
> supported" (support you're not taking advantage of, I might add,
> since you're asking here) and upgrade to 2.2.0 which, IIRC, has
> those patches in.

I don't think it's in 2.2.0 - it is in 2.x HEAD, though, so should
be in 2.2.1.

Agreed on the support contract thing. If something is apparently
"unsupported" when it's broken, just run the "supported" version
on a test system, reproduce the problem, and go from there. If you
know the problem is to do with the newer features, forget the paid
support and ask here like you just did.

If the support is worth anything, of course, then I'm sure they'll
be delighted to build later packages for you that include the
patch. :-)

Cheers,

Matthew




Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote:
> See the sites-available/check-eap-tls file in v3, and the
> mods-available/eap file, option "virtual_server" in the "tls"
> section.
> 
> I backported the patch I wrote to do this to v2 (which is what we
> are running); I'm not sure if it made it into the released 2.x
> code (I doubt it). It's an easy patch if anyone wants to do it
> themselves.

I just checked - it's in v2 HEAD. See tls section of eap.conf.

Matthew




Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:13:12PM +, Brian Julin wrote:
> Arran wrote: 
> > and wow did they get rid of the 802.1X profile configuration GUI interface 
> > in
> > OSX 10.8? That sucks.
> 
> If you think that sucks, wait till you see the horrible things you have to do
> to generate a .mobileconfig without access to an OSX server license.

http://support.apple.com/kb/DL1466

?

But this is getting a bit off-topic.

m.




Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
> > Apparently not; you can apparently run EAP-TLS inside PEAP,
> > which is a new one on me.

Has been running fine here for months. Only real benefit - SoH with
EAP-TLS.

> > For PEAP/MSCHAP, under 2.x the link someone posted to my
> > horrible hack works. Or under 3.x, "eap { ok = return }" in
> > the inner-tunnel also works.
> 
> OK. Just wondering if you could really get it down to a single
> lookup, IIRC you needed the 'known good' NT-Password data for a
> couple of rounds of MSCHAPv2?

Using PEAP/EAP-TLS, we put the LDAP lookup in the TLS virtual
server, where we can lookup the certificate data in LDAP. It hits
once, after the cert has verified, and allows other things to deny
the auth. LDAP is in the example file.

See the sites-available/check-eap-tls file in v3, and the
mods-available/eap file, option "virtual_server" in the "tls"
section.

I backported the patch I wrote to do this to v2 (which is what we
are running); I'm not sure if it made it into the released 2.x
code (I doubt it). It's an easy patch if anyone wants to do it
themselves.

Matthew




Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
> 
> On 28 Aug 2013, at 15:01, Phil Mayers  wrote:
> 
> > On 28/08/13 14:49, Arran Cudbard-Bell wrote:
> > 
> >> Does anyone have a configuration which gets it down to a single LDAP query 
> >> for PEAP?
> > 
> > What inner?
> 
> MSHCAPv2 - I thought PEAPv0 was only MSCHAPv2?

and TLS.

m.




Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 12:20:12AM +0200, Martin Kraus wrote:
> I'm stuck with 2.1.10 on ubuntu:-(

Without trying to come across as if I'm a stuck record... this is
easy to solve.

https://lists.freeradius.org/pipermail/freeradius-users/2013-August/067939.html

Cheers,

Matthew




Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Matthew Newton
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
> Matthew Newton  wrote:
> >On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> >> well looking at man wpa_supplicant I can see
> >> 
> >> EAP-PEAP/TLS
> >
> >I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
> >it's talking about.
> >
> Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. 
> Nice to see ms honouring their own specs ;o) Or maybe they updated it since I 
> last read it.

We've been doing it for ~18 months now. Works fine (when the
fragment sizes have been set up correctly) so we get domain
managed certs and soh. Just a shame you can't do user auth as
well at the same time.

m.




Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-21 Thread Matthew Newton
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
> well looking at man wpa_supplicant I can see
> 
> EAP-PEAP/TLS

I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.


> also from my google searches it might be possible that windows supports
> PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get

Yes

> There is a concern in our organization with security of PEAP/MSCHAPV2 over 
> Eduroam
> because we don't really trust supplicants in windows, macs and various phones
> to do the right thing (windows phone doesn't check the radius certificate for
> example).

If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.

Some devices you'll be stuck with PEAP/MSCHAPv2 though (or
TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't
do EAP-TLS.

You do realise that EAP-TLS is certificate based, not
user/password? So you need a full certificate management system to
go with it as well to issue certs to your users. You can't get
user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still
certificate (machine auth) only.

My advice would be to stick with PEAP/EAP-MSCHAPv2 and use
deployment tools to get the devices configured correctly.

Matthew




Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-21 Thread Matthew Newton
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
> I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
> TLS tunnel is established:

On the assumption that your certificates are OK...

Have you updated the fragment_size so that the outer is larger
than the inner?

I did a write-up on getting this to work (see
http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha
IIRC.

Matthew




Re: rlm_python

2013-08-21 Thread Matthew Newton
On Wed, Aug 21, 2013 at 09:19:35AM +, stefan.pae...@diamond.ac.uk wrote:
> > Well... as Alan says, upgrade. Particularly if "you know".
> 
> There is no 'out of the box' version for upgrade on Ubuntu 12 at
> this point short of having to compile it ourselves, that is

Building your own packages on Debian/Ubuntu is trivial. There's
really no excuse not to run the latest code.

See:

  http://wiki.freeradius.org/building/Build#Building-Debian-packages

Building from git is just about as easy (I think easier - you save
the step of downloading a tarball); I wrote it up a while back:

  http://notes.asd.me.uk/2012/01/27/compiling_freeradius_from_git_on_debian/

Note these both give you packages - so you can easily uninstall
etc as required, or roll back to the distribution ones.

Matthew




Re: Multiple policy files

2013-08-09 Thread Matthew Newton
On Fri, Aug 09, 2013 at 11:05:47AM +0100, Jonathan Gazeley wrote:
> On 09/08/13 10:52, Arran Cudbard-Bell wrote:
> >Whilst making up features is a fun pastime it's not very productive.
> >
> >There is one global policy section at the top level.  Virtual servers do not 
> >have different policy name spaces.
> 
> Thanks for this. So you're saying that there can only be one policy
> {} section in the whole server, and if I wish to load two sets of
> policies I will have to merge the two files?

You should be able to do

policy {
	$INCLUDE /path/to/policy/dir
}

in radiusd.conf, then just put policies in that directory (without
the policy { } wrapper of course).

That's how it is now done by default in version 3.

Matthew




Re: Freeradius -username for authentication is not picking from users file.

2013-08-05 Thread Matthew Newton
On Mon, Aug 05, 2013 at 12:50:20PM +0530, rajeev sr wrote:
> I am trying to run the radtest on local machine which is CentOS 6.0. But am
> getting the following error while sending the Access Request message from
> client which is another machine.
> 
> The user name is defined in users file under /usr/local/etc/raddb. But
> still am getting the error. I had provided the snapshot received on radiusd
> –Xx in the end.  Can you please help me in figuring out the issue?
> 

In addition to having an incorrect shared secret as already
pointed out, it looks like you've commented out "files" from the
authorize section of /usr/local/etc/raddb/sites-enabled/default.


> Fri Aug  2 16:45:25 2013 : Debug:  client 10.100.111.0/24 {
> Fri Aug  2 16:45:25 2013 : Debug: require_message_authenticator = no
> Fri Aug  2 16:45:25 2013 : Debug: secret = "ABC123"
> Fri Aug  2 16:45:25 2013 : Debug: shortname = "BTS111"
> Fri Aug  2 16:45:25 2013 : Debug:  }
> Fri Aug  2 16:45:25 2013 : Debug:  client 10.100.111.2/24 {
> Fri Aug  2 16:45:25 2013 : Debug: ipaddr = 10.100.111.2
> Fri Aug  2 16:45:25 2013 : Debug: require_message_authenticator = no
> Fri Aug  2 16:45:25 2013 : Debug: secret = "ABC123"
> Fri Aug  2 16:45:25 2013 : Debug: shortname = "BTS111"
> Fri Aug  2 16:45:25 2013 : Debug: nastype = "other"
> Fri Aug  2 16:45:25 2013 : Debug:  }

You've also got two netblocks that clash there. I'm not sure it
will hurt, but you probably want to remove one of them, or fix
the netmask.

Matthew



Re: OCSP http requests

2013-07-31 Thread Matthew Newton
On Wed, Jul 31, 2013 at 09:46:20AM +, Beltramini Francesco wrote:
> As explained in the eap.conf file, the freeradius' HTTP requests
> sent to the responder does not contain the "Host:" information
> and therefore the traffic manager can't handle it properly
> (unless we use for it a separate vIP, making the host field
> unnecessary).
> 
> Is there any plan in the next releases to include this
> information in the HTTP requests ?

The OCSP request is made by the openssl library, so that needs
fixing rather than FreeRADIUS. The API does not provide a way to
pass the Host: header data through.

You could do it by hacking the openssl library I guess.

Matthew




Re: Authorization failed in cisco switch

2013-07-22 Thread Matthew Newton
On Mon, Jul 22, 2013 at 04:44:29PM +0200, Marco Aresu wrote:
> here the debug after authentication:
> 
> Found Auth-Type = PAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group PAP {...}
> [pap] login attempt with password "secret"
> [pap] Using CRYPT password
> "$6$GW4SlOPp$TZhPalub.qyMY8Z9zU03FMz3A.hSv0b6ycuZT5bYeyG89HPb2Gm/FINd2pdtU79NkgYhE5TUgp5e5/w6iNA40/"
> [pap] User authenticated successfully
> ++[pap] returns ok
> # Executing section post-auth from file /etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 70 to 172.31.61.224 port 1812
...

The RADIUS server sent an Access-Accept. That means that if you
still can't get in, it's the switch that has the problem.

Matthew





Re: Post Auth Configurations

2013-07-19 Thread Matthew Newton
On Thu, Jul 18, 2013 at 11:34:56AM -0500, Matt Zagrabelny wrote:
> I've got a similar question that dovetails into this discussion.
> Suppose I wanted to reject certain users and wanted the Reply-Message
> to be customized per user authenticating, but I want to ensure that I
> am not leaking the customized message. Is there a way to test the
> user/pw combo first and *then* perform unlang logic?

That's what the post-auth section is for.

Matthew




Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 12:48:48PM -0300, Gustavo Vieira Oliveira wrote:
> The problem is that we have to do it manually  (the Controller
> doesn't support it) in the AP, so when it reboots for some reason it
> cannot authenticate cause the RADIUS doesn't receive the SSID. So,
> we need an alternative for that.
> 
> Any suggestion?!

This came up the other day; I don't think there was a resolution.

It's not a FreeRADIUS issue - you're probably best off talking to
Cisco TAC.

Matthew




Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:24:54AM +0100, Matthew Newton wrote:
> On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
> > Lovaas,Steven wrote:
> > > I had a mismatch between the type of the home_server localhost (auth), 
> > > and the attribute used in one of the realms pointing to the pool that 
> > > references that home server (pool, instead of auth_pool). Changing the 
> > > type of the localhost home_server allowed FR to complete loading.
> >   It's likely just adding a printed error message in the home server
> > code.  But knowing exactly where to add it would be useful.
> 
> It's easy to trigger - take a standard 2.x config and apply the
> following patch to the config:

To add to that, the same config error on v3 does give an error
message, but although it's technically true (a home server being
defined by its name *and* type), it's not entirely helpful:

raddb/proxy.conf[593]: Unknown home_server "localhost".

Don't know if there are any ways to improve that message - I guess
there are a number of reasons that the home_server might not be
found. The line number should point to the problem section,
though.

Matthew




Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote:
> Lovaas,Steven wrote:
> > Thanks, Adam... this got me looking at the right thing.
> > 
> > I had a mismatch between the type of the home_server localhost (auth), and 
> > the attribute used in one of the realms pointing to the pool that 
> > references that home server (pool, instead of auth_pool). Changing the type 
> > of the localhost home_server allowed FR to complete loading.
> 
>   If you have a simple config that can reproduce it, I'd like to fix the
> problem.
> 
>   It's likely just adding a printed error message in the home server
> code.  But knowing exactly where to add it would be useful.

I've sent a pull request.

It's easy to trigger - take a standard 2.x config and apply the
following patch to the config:

diff --git a/raddb/proxy.conf b/raddb/proxy.conf
index 413fc14..6ceb5cb 100644
--- a/raddb/proxy.conf
+++ b/raddb/proxy.conf
@@ -613,6 +613,7 @@ realm example.com {
#  and "acct_pool".
 
auth_pool = my_auth_failover
+   acct_pool = my_auth_failover
 #  acct_pool = acct
 
#
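Review bot: the added `acct_pool = my_auth_failover` deliberately points the accounting pool of `realm example.com` at the pool already used as `auth_pool`, which is the type mismatch this thread is about; it is a reproducer for the silent load failure, not a change to keep, and the `#  acct_pool = acct` comment just below it shows the intended form. Also note that the context lines `#  and "acct_pool".` and `auth_pool = my_auth_failover` have lost their leading indentation as pasted, so `patch` will need `-l` (ignore whitespace) or some fuzz to apply this against a stock raddb/proxy.conf.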

There is a distinct lack of errors printed out in realms.c when
it returns. I'm guessing there may be better error messages or
locations to print them, but the pull request will give the right
starting pointers :-)

Matthew




Re: freeradius using linux user passwd

2013-07-10 Thread Matthew Newton
Hi,

On Tue, Jul 09, 2013 at 10:58:15AM -0700, Julian Macassey wrote:
> On 2013-07-09 at 10:18, Matthew Newton (m...@leicester.ac.uk) wrote:
> > Try adding the following to the *top* of your users file:
> > 
> > evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0
> 
> When I use the users file, it works. In fact, every possible auth
> protocol works:
...
>   I will persevere. I have seen that in the 1.* release
> there was an "Auth-Type System", which was for system username
> password. 

Auth-Type System is obsolete and likely won't do what you want.

What you want can be done, but you need to fixup some things.

First to note (as said before) and importantly, your client is
configured to use PEAP/MS-CHAPv2. That *won't* work with
/etc/passwd, full stop. There is no way to get that to work, so
there's no point looking any more.

If you change your client to use EAP-TTLS/PAP, then you should be
able to get it to work. This is because the client will then send
the cleartext password (inside the TTLS encrypted tunnel) which
can be used to check against the /etc/shadow hash.

In your modules directory, configure 'passwd' to read the
/etc/passwd or /etc/shadow file appropriately.
Make sure that freeradius has permission to read shadow, which is
normally restricted.

In your sites-enabled/inner-tunnel file, add 'etc_passwd' (or
whatever the name of the passwd module is in modules/passwd) into
the authorize section near the top (definitely above 'pap').

In your eap.conf you can edit default_eap_type to be 'ttls' to
save a bit of negotiation time when connecting, and then in the
ttls{} section set default_eap_type to pap.

Then watch the debug output and make sure that the client is doing
EAP-TTLS/PAP. If not, fix the client as otherwise there's no
chance of getting it to work. Macs and Linux should be OK.

You might have problems if the system is using the newer $n$
type passwords. It will be possible to get working, but might
be harder to check if the password is OK. Try the above and send
full debug output if it's still failing.

Cheers

Matthew


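The steps above pulled together into one configuration, added here as an example; it is not from the original post or the FreeRADIUS distribution. It assumes the 2.x layout the post describes (`modules/passwd`, `sites-enabled/inner-tunnel`), an instance name of `etc_passwd`, and the standard nine-field `/etc/shadow` format; the `format` string below is the assumption to verify first in `radiusd -X` output.

```unlang
# ---- raddb/modules/passwd (constructed example) ----
# /etc/shadow lines look like:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# "*" marks the field used as the lookup key. An unmarked field becomes
# a control item, so the hash is made available as Crypt-Password for the
# pap module to verify the tunnelled cleartext password against. The
# trailing empty fields keep the field count equal to the file's nine.
passwd etc_passwd {
	filename = /etc/shadow
	format = "*User-Name:Crypt-Password:::::::"
	delimiter = ":"
	hashsize = 100
	ignorenislike = no
	allowmultiplekeys = no
}

# ---- raddb/sites-enabled/inner-tunnel (authorize section) ----
# Only the inner tunnel ever sees the cleartext password, so the lookup
# belongs here, not in the outer "default" server.
authorize {
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}

	# Look the user up before pap runs; pap needs the Crypt-Password
	# control item already in place to set Auth-Type = PAP.
	etc_passwd

	eap
	files
	expiration
	logintime
	pap
}
```

The server must be able to read `/etc/shadow` (which is normally root-only, so the daemon's user needs read access, typically via the group that owns the file), and the client must really be doing EAP-TTLS with PAP inside; a PEAP/MS-CHAPv2 client never sends the cleartext password, so no module ordering can make it verify against a crypt hash.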


Re: freeradius using linux user passwd

2013-07-09 Thread Matthew Newton
Julian,

On Mon, Jul 08, 2013 at 03:10:31PM -0700, Julian Macassey wrote:
>   I'm just trying to do a bog standard username and
> password for OS X and Linux users on laptops - Plus the
> ubiquitous smartphones of course. I have no Microsoft gear on the
> LAN.

Try adding the following to the *top* of your users file:

evergreen Cleartext-Password := "pa55word", MS-CHAP-Use-NTLM-Auth := 0

Then restart FR and try logging in again with the password 'pa55word'.

> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7 

...

your client is set to do PEAP/EAP-MSCHAPv2 - which is what most
things (including Windows) will do by default. It can't auth
against /etc/passwd, but it can if it knows the cleartext password
as shown above.

> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file 
> /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
> [mschap] Creating challenge hash with username: evergreen
> [mschap] Told to do MS-CHAPv2 for evergreen with NT-Password
> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

This is the EAP-MSCHAPv2 bit (inside the PEAP inner tunnel)
telling you it's got no cleartext password or NTLM hash, so it
can't authenticate the user.

Given a cleartext password as above, you should be good to go.

Matthew




Re: freeradius using linux user passwd

2013-07-08 Thread Matthew Newton
On Mon, Jul 08, 2013 at 01:49:47PM -0700, Julian Macassey wrote:
>   I have a Netgear WiFi router set up for WPA2 Enterprise.
> It is pointed at a freeradius server. I am trying to use the
> username and password of that server to authenticate. It fails
> consistently with:
> 
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user
> Failed to authenticate the user.

It looks like you've removed 'eap' from your default server
configuration. As WPA uses eap, you won't get far without it.

However, if you want to authenticate using the system
(/etc/passwd or shadow) database, then the only EAP type that's
going to work is EAP-TTLS/PAP. Windows older than Win8 don't
support that without a 3rd party supplicant, which is a barrier
for many people wanting to use it, so most don't.

In short the most likely things you want to do after adding eap
back in again are to use either a database with cleartext
passwords in it or use mschap (NTLM hash) passwords.

Matthew


> rad_recv: Access-Request packet from host 10.1.1.211 port 35032, id=73, 
> length=162
>   User-Name = "evergreen"
>   NAS-IP-Address = 192.168.1.1
>   NAS-Port = 0
>   Called-Station-Id = "28-C6-8E-A4-2B-6A:plum-radius"
>   Calling-Station-Id = "00-1F-5B-C1-AB-24"
>   Framed-MTU = 1400
>   NAS-Port-Type = Wireless-802.11
>   Connect-Info = "CONNECT 0Mbps 802.11b"
>   EAP-Message = 0x02b1000e0165766572677265656e
>   Message-Authenticator = 0x6f0e884ab22ca3b623c88cb2a8bab823
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "evergreen", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication 
> may fail because of this.
> ++[pap] returns noop
> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
> the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]   expand: %{User-Name} -> evergreen
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 73 to 10.1.1.211 port 35032
> Waking up in 4.9 seconds.




Re: Problem with CISCO WIRELESS CONTROLLER and RADIUS Authentication

2013-07-04 Thread Matthew Newton
Hi,

This isn't a FreeRADIUS issue, and shouldn't really be on this
list.

However -

On Thu, Jul 04, 2013 at 09:12:40AM -0300, Gustavo Vieira Oliveira wrote:
> We have a Cisco Wireless Controller 5508 with Aironet 1041 APs.

We have the same, authenticating against FreeRADIUS.

> To make the AP authenticate with RADIUS we need to set the following
> command manually in the AP:
> 
> - radius-server vsa send

That is odd, and I would guess that you have something not set up
correctly on the controller (I assume your APs are all lightweight
and correctly joined to the controller).

It all works fine here with no manual configuration of the APs at
all - they get all their config from the controller, as they
should do. The APs don't do any RADIUS themselves - it's all
handled from the controller. So I can't understand why they would
need to know anything about RADIUS attributes.

> The thing is, the APs can only authenticate if this command is
> issued in the AP by cli and we need that the Wireless Controller can
> pass this configuration to the APs, which it doesn't support. So,
> anyone know why is it necessary and if there is another alternative
> or workaround to make it work without it?

I would check that your WLANs are correctly configured with the
RADIUS servers in the controller. You shouldn't need to configure
the APs like this.

You're better off asking on another mailing list, though.

Matthew





Re: Mac-auth. authorized_macs file sintax

2013-06-21 Thread Matthew Newton
On Fri, Jun 21, 2013 at 02:56:57PM +0200, Roberto Ortega Ramiro wrote:
> I'm trying to connect one host using EAP-TLS, and I was using a wrong user
> and password to connect the host with its MAC.
> I have understood that this is not possible. Right?

You can do EAP-TLS *and* validate the MAC address. You just can't
authenticate based on the MAC address only if you're doing EAP.

Matthew




Re: Mac-auth. authorized_macs file sintax

2013-06-21 Thread Matthew Newton
On Fri, Jun 21, 2013 at 01:23:28PM +0200, Roberto Ortega Ramiro wrote:
> Hello, I have configured freeradius to accept one host connection based on
> the host's MAC address

On the assumption this is an instantiation of 'files', then the
format for the file would be

98-0c-82-b5-00-f2    Auth-Type := Accept

> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 802.11g"
> EAP-Message = 0x02010010016c756e612e20626f726a61

However, you can't do MAC address authentication with a plain
'Access-Accept' when you're doing EAP, so this isn't going to
work anyway. The client won't see the Accept (this goes to the
NAS) and will disconnect without an EAP Success.

You probably want EAP-TLS if you want host (rather than user)
based authentication on wireless.

Matthew




Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Matthew Newton
On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
> On 19.06.2013 14:11, Marco Streich wrote:
> > We have deployed FreeRADIUS on OS X before, but our
> > configuration was rather ugly. What we would do is
> > authenticate users locally, having the machine attached to our
> > OpenDirectory server directly using the Connect Network
> > Account Server functionality provided by OS X.

> I will make it short and easy.
> 
> You can't do LDAP authentication with 802.1x. EAP needs the password of
> the user in cleartext. if it's not in your ldap, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) you can work without a
cleartext password, as auth is (generally) based on an LDAP bind.

With EAP-TTLS/PAP, you can also work with just the hash in ldap,
as (same as clear PAP) you get the password from the client to do
a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc you need the cleartext
password from ldap - auth is done by checking this in FreeRADIUS,
not by a bind to ldap.


> > [ldap] login attempt by "a4" with password "whatever"
> > [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> >   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> >   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
> > ldap.hopro.edu:389
> >   [ldap] waiting for bind result ...
> >   [ldap] Bind was successful
> > [ldap] user a4 authenticated successfully
> > ++[ldap] returns ok

> This works because you're doing PAP. with radtest the user password is
> sent in cleartext. so YES you can authenticate with ldap because you can
> BIND to the ldap with the provided password.
> 
> you don't have this password with 802.1x/EAP. you work only with
> challenges, hash and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native
Windows < 8 can't), so this should work. I don't recognise the
error you're getting, though - it looks like the client gave up
and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to
work - the outer is just doing EAP. It's the inner that will need
the ldap modules.


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


Cheers

Matthew




Re: Mysql xlat help

2013-06-14 Thread Matthew Newton
On Sat, Jun 15, 2013 at 12:42:49AM +0530, Go WiFi wrote:
> Also, I refused to give the full code as it's part of my confidential company
> files; if I give the full code then someone might get the details about the
> table structure.

Sorry, 'Go', but nobody here cares about your confidential files.

If you ask for help on a public *free* mailing list, then it's
common courtesy to provide the information that people need to
help you. There are experts here that know more than you do about
FreeRADIUS (which is why you're asking here, right?) and therefore
you should provide the requested information.

If you can't or won't, then please find some commercial paid
support for your problems and stop wasting people's time having to
read e-mails that they can't help with.

Matthew




Re: buffered-sql, radsqlrelay and fault resilience

2013-06-10 Thread Matthew Newton
On Mon, Jun 10, 2013 at 05:14:16PM +0200, Yann Belin wrote:
> I am trying to build a multi-server setup, where each server uses a
> local user database (replicated from a central management server) and
> buffers its accounting data before pushing it back to the management
> server. I have tried two different methods, but none fully satisfied
> me so far.

In case it's useful:

Our "front-end" RADIUS servers[0] write a 'detail' log file to disc.

We then have a detail reader (see "copy-acct-to-home-server"
virtual server) that reads this file and relays it to the
management RADIUS server for centralised logging.

If the management server goes down, the files on disc just grow
until it comes back again and then the logs are relayed over.

It works well, and means that there are no dependencies on the
management server for service to be operational.

HTH,

Matthew


[0] recent 2.x from git



Re: user from particular NAS-IP-Address

2013-05-26 Thread Matthew Newton
Pete,

On Sat, May 25, 2013 at 02:31:12PM -0600, Pete Ashdown wrote:
> I'm trying to restrict a guest user from a single NAS-IP-Address via "users"
> and I can't get it to work.
> 
> Doesn't work:
> 
> test  NAS-IP-Address == "127.0.0.1"
>   Auth-Type := Accept

Try:

 test   NAS-IP-Address == "127.0.0.1", Auth-Type := Accept

The first line is matched against the incoming request packet,
and sets things in the control list. The subsequent lines are
entries for the reply packet. Auth-Type is a control item. This is
documented in the users file - read it carefully and look at the
examples, such as "deny access for a group of users".

But for restricting users, I doubt you want "Accept"! :)

> Also, how would I do this for a group of NAS IP addresses?  Is it possible to
> assign them to a group in "clients.conf" that can be later checked against in
> "users"?  Where is the documentation of what can be tested against in the
> "users" file?

Add entries in the huntgroups file:

blockednaslist  NAS-IP-Address == 127.0.0.1
blockednaslist  NAS-IP-Address == 127.0.1.1

then use something like this in users:

testuser  Huntgroup-Name == "blockednaslist", Auth-Type := Reject

Don't forget that NAS-IP-Address can be spoofed if you permit NASes
not under your own control.

Matthew




Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
On Tue, May 21, 2013 at 03:21:33PM +0800, Robert wrote:
> Thank you! The configuration in the link works. The key is setting
> fragment_size correctly.

Yes, that was the gotcha.

> But I am confused about the two methods :
> Is EAP PEAP/TLS = EAP PEAP/EAP-TLS ?
> Or they are two different methods?

Same thing, but usually referred to as PEAP/EAP-TLS (or sometimes,
probably incorrectly, EAP-PEAP/EAP-TLS).

Matthew




Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
On Tue, May 21, 2013 at 08:03:48AM +0100, Franks Andy (RLZ) IT Systems Engineer 
wrote:
> Just confirming that I've tested this in the past and it works, but I
> believe the poster of the article is dubious about a production
> environment.

Not at all - we are running it in production.

The warning at the bottom is to make you think about what you're
doing first, rather than to blindly copy my examples and then open
yourself up to security issues that you haven't thought through.
The examples are stripped down to their utter bare minimum - which
is unlikely to be what you want in production.

> When I tried it on wifi it took a second or so more to
> authenticate for some reason, so we eventually went with eap-tls
> instead because of this and because it was simpler.  I did also
> get quite a few "The EAP message did not complete" but that
> could be coincidental.

It's been running fine here with a lot of laptops for over a year
now. We usually see the "EAP did not complete" errors from bad
wireless signals or misconfigured EAP timers.

As the article says - the only real benefit is to get SoH data
from the device. If you don't want/need that, you're fine with
plain EAP-TLS (and with less round trips, it will auth faster,
too).

Cheers

Matthew




Re: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread Matthew Newton
Hi,

On Fri, May 10, 2013 at 09:49:14AM +, stefan.pae...@diamond.ac.uk wrote:
> As you can see, the expand: bit shows an empty value. Then I
> changed my cui_hash_key to "01234567890abcdef01234567890abcdef"
> and it did the same. However, when I set cui_hash_key to a hex
> string that was not 32 characters in length ("abcdef" as an
> example), or a non-hex string of any length, it works ok. So I'm
> guessing here that if the cui_hash_key  happens to be a string
> that is a potentially valid MD5 hash, the md5 operator in the
> CUI generation statement does nothing or barfs.

Bug. src/main/xlat.c:1077 has:

    if (isdigit(l[1])) break;

which stops looking for a module_name (e.g. "md5") if the first
character after the ':' is a digit.

Fixed in 3.0 (see 4fd62ce9 22 August 2012).

Matthew




Re: Proxy Treatment of PAP/Chap Auth Types

2013-05-03 Thread Matthew Newton
On Fri, May 03, 2013 at 09:19:40PM +0800, Prashant Abhang wrote:
> I faced the same issue. I am using sql for storing user
> passwords. To solve the issue I changed the password type from
> 'Cleartext-Password' to User-Password and it worked for me.
> 
> But as you said, there is no difference and User-Password is
> deprecated. So what would be the reason for the above issue?

radiusd -X?

If you're using a password with a header (e.g. "{SHA1}...") then
you should use Password-With-Header instead of Cleartext-Password.
Otherwise it should work. See rlm_pap(5).

Without full debug logs, it's impossible to tell much more.

Matthew


> ____
>  From: Matthew Newton 
> To: FreeRadius users mailing list  
> Sent: Friday, 3 May 2013 6:21 PM
> Subject: Re: Proxy Treatment of PAP/Chap Auth Types
>  
> 
> On Fri, May 03, 2013 at 04:46:27AM +0200, James T Mugauri wrote:
> > attributes so: radtest -t  iS_u2h4gna a2uwv localhost 1812
> ...
> > [chap] login attempt by "iS_u2h4gna" with CHAP password
> > [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication.
> > [chap] Password check failed
> ...
> > +- entering group PAP {...}
> > [pap] login attempt with password "a2uwv"
> > [pap] Using clear text password "uz3f9"
> > [pap] Passwords don't match
> 
> Have you tried testing it with the right password?
> 
> Otherwise, you should post the *full* output of radiusd -X for the
> startup and test request going through both servers so we can see
> what's happening. A small section doesn't help much.
> 
> You should use Cleartext-Password in place of User-Password in the
> config. There is no difference, and User-Password is deprecated
> and going away in 3.0.
> 
> Matthew




Re: Proxy Treatment of PAP/Chap Auth Types

2013-05-03 Thread Matthew Newton
On Fri, May 03, 2013 at 04:46:27AM +0200, James T Mugauri wrote:
> attributes so: radtest -t  iS_u2h4gna a2uwv localhost 1812
...
> [chap] login attempt by "iS_u2h4gna" with CHAP password
> [chap] Using clear text password "uz3f9" for user iS_u2h4gna authentication.
> [chap] Password check failed
...
> +- entering group PAP {...}
> [pap] login attempt with password "a2uwv"
> [pap] Using clear text password "uz3f9"
> [pap] Passwords don't match

Have you tried testing it with the right password?

Otherwise, you should post the *full* output of radiusd -X for the
startup and test request going through both servers so we can see
what's happening. A small section doesn't help much.

You should use Cleartext-Password in place of User-Password in the
config. There is no difference, and User-Password is deprecated
and going away in 3.0.

Matthew





Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Matthew Newton
Hi Danny,

On Tue, Apr 23, 2013 at 11:13:46PM +0800, Danny Kurniawan wrote:
> What do you mean? Sorry, I think you might have misunderstood my previous 2
> messages. I meant to ask what is the correct syntax for update reply.
> 
> Is it exactly like what you said in the previous email, or else:
> update reply {
> Session-Timeout : = 7200
> }

It should be:

post-auth {

  update reply {
Session-Timeout := 7200
  }

}

(e.g. no space between ":" and "=")

HTH,

Matthew




Re: get some invalid value in User-Name attribute

2013-04-23 Thread Matthew Newton
On Tue, Apr 23, 2013 at 12:58:11PM +0430, Mehdi Ravanbakhsh wrote:
> I get something like
> 'aolnet/aol.dsl.newuser.10A50001000300010001US92C1..prod' in the
> User-Name attribute.
> 
> I think it should be the connect-info attribute!

Check your NAS. That is what is sending the data to FreeRADIUS so,
if it is a problem, that is where to fix it. It's nothing to do
with FreeRADIUS.

Matthew





Re: captive portal auth with freeradius

2013-04-19 Thread Matthew Newton
On Fri, Apr 19, 2013 at 10:42:04PM +0530, Chitrang Srivastava wrote:
> Ok I will try that out, ntlm_auth module is already configured and works
> for radtest and wifi.

In the mschap/eap modules using mschap keys.

> So ntlm_auth with captive portal, is that the way to go, as told by you?
> Do we have to do it like that for all other captive portal servers?

There are two ways of calling ntlm_auth. First with MSCHAP keys,
the other with username and password.

The mschap module takes the mschap keys from RADIUS and passes
them to ntlm_auth for checking against AD. e.g. EAP-TTLS/MSCHAPv2,
or just plain mschap.

The eap module extracts the mschap keys from the EAP
(EAP-MSCHAP-V2) data and passes them internally to the mschap
module which passes them to ntlm_auth for auth. e.g.
PEAP/EAP-MSCHAPv2

These are what you've been doing so far, from what I can tell.

We've not seen radiusd -X output for an auth success for wifi or
radtest, so nobody can really be sure.

The second method is to pass ntlm_auth a username and password,
and ask it to authenticate for you. This has *nothing* to do with
the mschap or eap modules, which deal with keys and NT hashes.

It's essentially another auth method for PAP. The PAP module
can't do it for you, as it knows nothing about the ntlm_auth
utility, so you have to call it yourself, using something like the
config I gave you just now.

Matthew




> On Fri, Apr 19, 2013 at 9:56 PM, Matthew Newton wrote:
> 
> > On Fri, Apr 19, 2013 at 08:59:57PM +0530, Chitrang Srivastava wrote:
> > > I am using Microsoft 2003 Active Directory Server , the way wifi
> > (MSCHAPv2)
> > > works is with ntlm_auth , which does the authentication.
> >
> > OK, finally the information that's needed.
> >
> > > The way it works with wifi or radtest is , Auth-Type is set to EAP (it
> > > refers to eap.conf ) , it goes to mschap modules(set up TLS channel and
> > > then under that) , from there its told to use external program ntlm_auth
> > ,
> > > which does the authentication and tells radius if its OK or not.
> > >
> > > What i was trying , is to get similar way working with captive portal as
> > > well.
> >
> > There's an example in raddb/modules/ntlm_auth. Configure that
> > file, and then do something like this:
> >
> > authorize {
> > ...
> >if (!EAP-Message && User-Password) {
> >  update control {
> >Auth-Type = PAP
> >  }
> >}
> > }
> >
> > authenticate {
> >   Auth-Type PAP {
> > # pap <-- comment out
> > ntlm_auth
> >   }
> > }
> >
> > Then it should take your User-Name and User-Password, check them
> > using the ntlm_auth utility rather than the pap module (the
> > ntlm_auth "module" is just an instantiation of exec).
> >
> > Matthew




Re: captive portal auth with freeradius

2013-04-19 Thread Matthew Newton
On Fri, Apr 19, 2013 at 08:59:57PM +0530, Chitrang Srivastava wrote:
> I am using Microsoft 2003 Active Directory Server , the way wifi (MSCHAPv2)
> works is with ntlm_auth , which does the authentication.

OK, finally the information that's needed.

> The way it works with wifi or radtest is, Auth-Type is set to EAP (it
> refers to eap.conf), it goes to the mschap modules (sets up a TLS channel and
> then under that), from there it's told to use the external program ntlm_auth,
> which does the authentication and tells radius if it's OK or not.
> 
> What I was trying is to get a similar way working with captive portal as
> well.

There's an example in raddb/modules/ntlm_auth. Configure that
file, and then do something like this:

authorize {
  ...
  if (!EAP-Message && User-Password) {
    update control {
      Auth-Type = PAP
    }
  }
}

authenticate {
  Auth-Type PAP {
# pap <-- comment out
ntlm_auth
  }
}

Then it should take your User-Name and User-Password, check them
using the ntlm_auth utility rather than the pap module (the
ntlm_auth "module" is just an instantiation of exec).

Matthew





Re: captive portal auth with freeradius

2013-04-19 Thread Matthew Newton
On Fri, Apr 19, 2013 at 06:15:09PM +0530, Chitrang Srivastava wrote:
> Tried what Matthew suggested in the authorize section and it worked. The whole
> issue is the captive portal is sending a non-EAP message with User-Password
> set; in this case we have to set the auth type as ldap.

It's obvious from your debug output that

 - your LDAP module isn't setting Auth-Type for some reason
 - your LDAP server isn't returning any sort of password (plain or
   crypted)

and therefore you probably need to try and do that horrible hack
of binding to the LDAP server to auth. Really, Alan is right -
LDAP is not an authentication server, even though lots of people
seem to think it is.

Hence the suggestion to "fix" your problem by setting Auth-Type,
iff it has not already been set, when not doing EAP and
User-Password is supplied.

The best solution is to fix up your LDAP server to return the
crypted password back to FreeRADIUS. Like already pointed out, if
it's AD, this isn't likely to happen.

Matthew




Re: captive portal auth with freeradius

2013-04-18 Thread Matthew Newton
On Thu, Apr 18, 2013 at 09:37:06PM +0530, Chitrang Srivastava wrote:
> radtest is working
> wifi authentication is also working (configured the access point to use
> TTLS-MSCHAPv2)

ok.

> open wifi with captive portal (lighttpd) is *not* working

right.

> What I found is the captive portal server is sending a non-EAP message and,
> as suggested in the wiki, I am not setting the auth type anywhere (the EAP
> message will determine it automatically)

Captive portal is doing PAP. I guess you want to try and auth this
by binding to the ldap server. I've not done this recently, but I
think the following might work.

For some reason, even though

>  Module: Instantiating module "ldap_secondary" from file 
> /etc/raddb/radiusd.conf
>   ldap ldap_secondary {
...
> set_auth_type = yes
...
>   }

is set, it's not setting auth_type. That's clear from

> ERROR: No authenticate method (Auth-Type) found for the request: Rejecting 
> the user

Try this at the bottom of the authorize {} section:


authorize {

...

  # not EAP, is PAP, and no other Auth-Type set, so assume ldap
  if (!EAP-Message && User-Password) {
update control {
  Auth-Type = ldap_secondary
}
  }
}

and then in the authenticate section:

authenticate {
  Auth-Type ldap_secondary {
ldap_secondary
  }
}

and see what you get. Again, post output of radiusd -X if there
are still problems (new output, not the same as last time :) ).

I don't know enough about the ldap module to know why it's not
setting Auth-Type (and too ill at present to go digging to find
out).

Cheers,

Matthew




Re: Sending a disconnect message when replying with an access reject.

2013-04-18 Thread Matthew Newton
On Thu, Apr 18, 2013 at 05:52:16PM +1200, Peter Lambrechtsen wrote:
> When I set up the post-auth policy to send an update disconnect it works fine
> if the response is an access accept. But if I update the control to access
> reject the disconnect module gives me a noop.

As a guess:

The Post-Auth-Type REJECT section in the inner-tunnel is never
called. This is fixed in v2.x.x HEAD and master.

Post-Auth-Type REJECT in the outer tunnel is fine.

This might be your problem.

> Or perhaps I am just doing something wrong.

You didn't send output from radiusd -X.

Matthew



Re: Profile-Name attribute

2013-04-17 Thread Matthew Newton
On Wed, Apr 17, 2013 at 05:04:11PM -0400, John Center wrote:
> it correctly, it looks like one could have a "profiles" file with
> individual named profiles defined containing NAS-specific text that
> would be sent back to the NAS as is upon successful authentication.
> Is anything like this still supported?  Can the "User-Profile"

There are many ways of sending attributes back based on incoming
attributes (such as which NAS the request came from). One way
would be to just use an instantiation of the files module that
keys off the NAS-IP-Address:

files nasprofile {
  key = "%{NAS-IP-Address}"
  usersfile = ${confdir}/nas-profile
  ...
}

in the "nas-profile" file:

10.0.0.1
  Reply-Message := "Welcome to NAS 1"

10.0.0.2
  Reply-Message := "Welcome to NAS 2"

then call "nasprofile" in your sites-enabled/default authorize
section.

...or use one of the other multitude of methods just discussed in
the Idle-Timeout thread :-)

Matthew



Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread Matthew Newton
On Wed, Apr 17, 2013 at 03:58:12PM -0500, John Giordano wrote:
> Yeehaw! 
> 
> And *Matthew* (sorry about getting your name wrong in the last email):

np

> The new REGEXP is working as such:

Great.

Don't forget to strip the debugging if() out of
sites-enabled/default

Matthew


> Login OK: [xx] (from client Seattle port 0)
> # Executing section post-auth from file 
> /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 134 to 192.168.0.15 port 65460
> Idle-Timeout = 7
> Tellabs-UAP-CLI := "A8"
> Callback-Id := "Admin"
> Reply-Message += "superuser"
> Reply-Message += "Administrator"
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 1 ID 134 with timestamp +14
> Ready to process requests.
> 
> So I am thankful I can avoid putting a whole bunch of entries in 
> huntgroups... either manually or through a Perl script.  :)
> 
> Cheers!
> 
> -jg



Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread Matthew Newton
Hi,

On Wed, Apr 17, 2013 at 08:38:36PM +0100, Matthew Newton wrote:
> On Wed, Apr 17, 2013 at 12:32:32PM -0500, John Giordano wrote:
> > So in huntgroups I have:
> > 
> > ### RADIUS HUNTGROUP TEST - jg ###
> > 
> > MSP7345   NAS-IP-Address =~ /^10\.99\.3\./
> > SNJ7000   NAS-IP-Address =~ /^10\.3\.99\./
> > LAB7000   NAS-IP-Address =~ /^192\.168\.0./
> 
> Testing it here, I'm not convinced that =~ is working in the
> huntgroups file, which slightly surprises me.

OK, this is rather inconsistent behaviour compared to unlang, but
after digging in the code, the syntax you want is this:

MSP7345   NAS-IP-Address =~ ^10\.99\.3\.
SNJ7000   NAS-IP-Address =~ ^10\.3\.99\.
LAB7000   NAS-IP-Address =~ ^192\.168\.0.

i.e. don't put the usual /'s around the regex.

Matthew



Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread Matthew Newton
Hi,

On Wed, Apr 17, 2013 at 12:32:32PM -0500, John Giordano wrote:
> So in huntgroups I have:
> 
> ### RADIUS HUNTGROUP TEST - jg ###
> 
> MSP7345   NAS-IP-Address =~ /^10\.99\.3\./
> SNJ7000   NAS-IP-Address =~ /^10\.3\.99\./
> LAB7000   NAS-IP-Address =~ /^192\.168\.0./

Testing it here, I'm not convinced that =~ is working in the
huntgroups file, which slightly surprises me.

To test, what happens if you temporarily add this instead

LAB7000 NAS-IP-Address == 192.168.0.15

?

If you put the following after the 'preprocess' line in
sites-enabled/default, you should get the Huntgroup-Name expand
and display in the debug output... is it being set?

if ("%{Huntgroup-Name}") {
}

> +- entering group authorize {...}
> [preprocess]expand: %{NAS-IP-Address} -> 192.168.0.15
> [preprocess]expand: %{NAS-IP-Address} -> 192.168.0.15 <--- 
> Does this mean that the huntgroups file is being checked? Perhaps a regex 
> thing?
> [preprocess]expand: %{NAS-IP-Address} -> 192.168.0.15
> ++[preprocess] returns ok

huntgroups is definitely being read (it's read by preprocess), but
the lines might not be being matched.

Matthew



Re: Trimming character of variables within configuration files

2013-04-17 Thread Matthew Newton
Hi,

On Wed, Apr 17, 2013 at 02:25:36PM +0100, P. Manton wrote:
> OK, so I see there is a preprocess module that says you can manipulate
> attributes:

preprocess is irrelevant here.

> #  The preprocess module takes care of sanitizing some bizarre
> #  attributes in the request, and turning them into attributes
> #  which are more standard.

Yes - it's not something that you can change. It solves a fixed
set of problems.

>  so I added the following:
> 
>if (User-Password =~ /^(.+)([0-9]{6})$/) {
>  update request {
>User-Password = "%{1}"

Use :=

= will not overwrite an existing attribute, so it will not change
the attribute.

Then look at the debug output to check that it actually did what
you asked (e.g. the regex is right, etc).

Matthew




Re: captive portal auth with freeradius

2013-04-17 Thread Matthew Newton
On Wed, Apr 17, 2013 at 05:21:32PM +0530, Chitrang Srivastava wrote:
> I am facing an issue that the captive portal server is sending an auth request
> which is not an EAP message and hence the freeradius server is rejecting it;
> it goes to the users file and finds the last line Auth-Type: Reject
> 
> Can anyone point out how to fix this? I guess if the captive portal sends an EAP
> message, it will be looked into eap.conf and then a valid authenticate
> section can be chosen?

I'm not sure you really understand what's happening here.

It's unlikely a captive portal will do EAP, although it's
technically possible. It's more likely PAP, so you just need to
supply a Cleartext-Password for each user. This can be from the
users file, or a myriad of other different sources such as LDAP or
SQL.

Have you tried following the "initial tests" on the first page of
the documentation: http://freeradius.org/doc/ ? Having added the
entry to the users file, then try logging in with that
username/password.

To help further, we're going to need more information. Primarily,
*complete* debugging output, generated by running in debug mode
with "radiusd -X"

Matthew




Re: Trimming character of variables within configuration files

2013-04-17 Thread Matthew Newton
On Wed, Apr 17, 2013 at 11:45:33AM +0100, P. Manton wrote:
> Is there a way I could trim a variable (such as a password variable) within
> a configuration file. I saw a few examples manipulating variables using
> unlang here: http://freeradius.org/radiusd/man/unlang.html#lbAB but could
> not find anything about trimming variables.

regex:

if ("%{User-Password}" =~ /^(.*)123456$/) {
  update request {
User-Password := "%{1}"
  }
}

Matthew


> 
> For example I have the following /etc/freeradius/ntlm_auth
> 
> #
> #  For testing ntlm_auth authentication with PAP.
> #
> #  If you have problems with authentication failing, even when the
> #  password is good, it may be a bug in Samba:
> #
> #   https://bugzilla.samba.org/show_bug.cgi?id=6563
> #
> exec ntlm_auth {
> wait = yes
> program = "/usr/bin/ntlm_auth --request-nt-key --domain=TEST.DOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }
> 
> The password variable input initially has an authentication code appended
> to the password and hence needs to be trimmed of the password variable so
> it authenticates with AD correctly.
> 
> So e.g. the input password is: 'testing123456' - but needs to be trimmed to
> 'testing'



Re: rlm_passwd help

2013-04-17 Thread Matthew Newton
Hi,

Good you got it working. Just as a couple of points:

On Wed, Apr 17, 2013 at 02:16:25PM +1000, David Brodrick wrote:
> I got there. I added authtype = PAP to the passwd module

There's no such option, so this is irrelevant.

> configuration and then DEFAULT Auth-Type = PAP to users.

You /shouldn't/ need to do this - FR will generally work this out
by itself - just make sure 'passwd' is above 'pap' in authorize.
Setting this might cause you problems in the future. 

Cheers,

Matthew



Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-16 Thread Matthew Newton
On Tue, Apr 16, 2013 at 10:39:18PM +0100, a.l.m.bu...@lboro.ac.uk wrote:
> >client 10.3.99.0/24 {
> >secret  = XX
> >shortname   = SNJ 7000 Switches
> >}
> 
> I'd use "%{client:shortname}" eg
> 
> if ("%{client:shortname}" == "MSP 7345's") {
>   update reply {
>   Idle-Timeout = 1800
>   }
> }
> 
> 
> yes. you can do that sort of thing. :-)

Actually, taking that one step further... make up a new value in
the clients.conf file:

client 10.3.99.0/24 {
  secret = XXX
  shortname = My switches
  myidlevalue = 600
}
...

then just do this in authorize:

update reply {
  Idle-Timeout := "%{client:myidlevalue}"
}

(may want an if{} around it if myidlevalue isn't defined for all
clients)

:)

Matthew



Re: OCSP parsing in client certificate

2013-04-16 Thread Matthew Newton
On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
> Beltramini Francesco wrote:
> > but when I try to remove this feature and use the OCSP
> > property extracted from the client certificate, the radiusd -X
> > output is:
> > 
> > [tls] --> Starting OCSP Request
> > [ocsp] --> Responder URL = http://(null):(null)(null)
> 
>   From the v2.2.0 change log:
> 
>   * Skip OCSP if there's no host / port / url, with soft_fail

Hmm - I'm not sure if the override_cert_url = no code works
correctly - I seem to remember I had problems with it, but I just
set it to yes and forced the server anyway, as it seemed better
than trusting the client-provided cert (our setup is private CA,
so I know what the OCSP server is). I think I saw the same - that
it wouldn't extract the URL from the cert, and just came back with
(null)s. As usual, I just blamed OpenSSL and moved on.

If I get a chance, I'll try and check it again.

soft_fail will allow the auth to succeed in the event that there
is no response (rather than a negative response) from the OCSP
server - otherwise it "fails safe" and rejects the request. It's
in case the OCSP server happens to be down for some reason.

>   Upgrade.

Always the right thing anyway :-)

Cheers,

Matthew



Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-16 Thread Matthew Newton
Hi,

On Tue, Apr 16, 2013 at 02:05:45PM -0500, John Giordano wrote:
> So I man’ed unlang and then did some more reading on huntgroups
> and the users file.  If at all possible I think we would opt for
> a combo of the huntgroups/users file approach.  I am still not
> clear as to how we would do this though….
> 
> Could you please speak to the interrelationship between the
> clients file and the huntgroups file?

The clients file lists clients (NASes) that can talk to the
server.

The huntgroups file (read by the preprocess module, not the files
module as in the comments at the top of the file) is used to match
incoming request attributes to set the Huntgroup-Name attribute,
which can be further used to set other attributes in the reply
(for example, in the users file, or by using unlang).

The users file (read by the files module) can match on request
attributes to set reply attributes. The standard lookup is for
User-Name; this can be changed, or a DEFAULT entry can be used to
match anything else.

> My first question is that every huntgroups file example I have seen on the 
> Net uses a per NAS definition:
> 
> raleigh  NAS-IP-Address == 192.168.1.101
> raleigh  NAS-IP-Address == 192.168.1.102
> raleigh  NAS-IP-Address == 192.168.1.103
> premium  NAS-IP-Address == 192.168.1.101, NAS-Port-Id == 0-4
>   Group = premium,
>   Group = staff
> 
> I would rather not have to define 254 different entries in our
> huntgroups file (254 hosts in a Class C obviously).  Can I use a
> netmask somehow in the huntgroups file?

It's a check list, so you should be able to use any standard check
operator - so try regex, for example:

huntgroups:

foo   NAS-IP-Address =~ /^10\.2\.3\./
bar   NAS-IP-Address =~ /^10\.4\.9\./


users: (add these at the *top* of the file)

DEFAULT   Huntgroup-Name == foo
  Idle-Timeout := 600
  Fall-Through := yes

DEFAULT   Huntgroup-Name == bar
  Idle-Timeout := 1200
  Fall-Through := yes

> In pseudo parlance this is what I am trying to accomplish in huntgroups:
> 
> MSP 7345’s NAS-IP-Address == 10.99.3.0/24
> IDLE-TIMEOUT = 1800
> 
> SNJ 7000 NAS-IP-Address ==  10.3.99.0/24
> IDLE-TIMEOUT = 60

Note that Client-IP-Address is sometimes better than
NAS-IP-Address (it can't be spoofed, which may be the case if you
process proxied requests from RADIUS servers out of your own
control), but Client-IP-Address can *not* be used in the
huntgroups file, as that only looks at the incoming request
attributes, and Client-IP-Address is not one of them. If this is a
concern there are ways of getting around it. One is to use unlang
instead of the huntgroups file, as Alan suggested.

Note the above splits the config over two locations. If you want
to keep it all in one place, use unlang like Alan said. If it
doesn't look tidy, put it in the policy.conf file and then call
the policy name instead.

Matthew


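To make the netmask question concrete, here is an added Python example (not from the thread or from FreeRADIUS) that models the huntgroups check list above as first-match-wins and then goes one step further: it shows which prefix lengths an anchored regex on NAS-IP-Address can express, generates that regex (without the surrounding slashes unlang would use) and falls back to a real network-membership test for the rest. The huntgroup names, networks and Idle-Timeout values are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed huntgroups check list, in file order, mirroring the thread's
#   foo   NAS-IP-Address =~ ^10\.2\.3\.
# entries (no surrounding slashes, as the follow-up post found).
# The preprocess module stops at the first matching line, so order matters.
HUNTGROUPS: List[Tuple[str, str]] = [
    ("foo", r"^10\.2\.3\."),
    ("bar", r"^10\.4\.9\."),
]

# Constructed reply values, standing in for the two DEFAULT entries in users.
IDLE_TIMEOUT_BY_GROUP = {"foo": 600, "bar": 1200}


def huntgroup_for(nas_ip: str, table: List[Tuple[str, str]] = HUNTGROUPS) -> Optional[str]:
    """Huntgroup-Name whose regex first matches the NAS-IP-Address, or None."""
    for name, pattern in table:
        if re.search(pattern, nas_ip):
            return name
    return None


def idle_timeout_for(nas_ip: str) -> Optional[int]:
    """Idle-Timeout a request from this NAS would get, or None if no group matched."""
    group = huntgroup_for(nas_ip)
    return None if group is None else IDLE_TIMEOUT_BY_GROUP.get(group)


def expressible_as_prefix_regex(cidr: str) -> bool:
    r"""True when the network is a single host or an octet-aligned /8, /16 or /24.

    Only those have a fixed textual prefix; a /25 does not, and the tempting
    ^10\.99\.3\. would silently admit the other half of the /24 as well.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and (net.prefixlen == 32 or net.prefixlen in (8, 16, 24))


def cidr_to_huntgroup_regex(cidr: str) -> str:
    """Anchored regex for a huntgroups line that matches exactly this network."""
    if not expressible_as_prefix_regex(cidr):
        raise ValueError(f"{cidr}: not octet-aligned; use nas_in_network() instead")
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 32:
        return "^" + re.escape(str(net.network_address)) + "$"
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "^" + r"\.".join(kept) + r"\."


def nas_in_network(nas_ip: str, cidr: str) -> bool:
    """Exact membership test for the prefixes a regex cannot express."""
    return ipaddress.ip_address(nas_ip) in ipaddress.ip_network(cidr, strict=True)


if __name__ == "__main__":
    for ip in ("10.2.3.77", "10.2.30.1", "10.4.9.200"):
        print(ip, huntgroup_for(ip), idle_timeout_for(ip))
    print(cidr_to_huntgroup_regex("10.2.3.0/24"), expressible_as_prefix_regex("10.99.3.128/25"))
```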

Re: MAC Address Auth

2013-04-08 Thread Matthew Newton
On Mon, Apr 08, 2013 at 04:18:54AM -0700, Mulindwa wrote:
> I want user eric@ut3 with this Mac Address to log in, and if
> the MAC address is different he will not be granted access.

Move the Mac-Addr attribute from the reply list to the check list,
and make it a check operator (==) not assignment (=):

eric@ut3  Cleartext-Password := "eric", Simultaneous-Use := 1, Mac-Addr == 02-1B-9E-D3-0B-F0
  Service-Type = Framed-User,
  Qos-Policy-Policing = broadband_128_policing,
  Qos-Policy-Metering = broadband_128_metering,
  Framed-Protocol = PPP,
  Ip_Address_Pool_Name = pool_128,
  Framed-Address = 255.255.255.254,
  Framed-Netmask = 255.255.255.255,
  Fall-Through = 0

Matthew



Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Matthew Newton
On Wed, Mar 27, 2013 at 07:06:09PM +0100, Jaap Winius wrote:
> >That's interesting, but without a copy of the debug output from
> >radiusd -X, nobody will know where to start.
> 
> I included what I thought was the most relevant output from
> 'freeradius -X', because the entire exchanges were about 12 times
> longer. But, if you think it would make a difference, I'll be sure
> to include all of it next time.

Lots of people do that, and mean well. Most of them are
subsequently asked to post the rest of the debug output. It often
contains things that you don't realise are important.

In your case, I wonder if either the order of module instantiation
has meant that files is being loaded before kerberos, or something
in a dictionary has changed. It's hard to tell without other
information. I wouldn't expect this to break between 2.1.10 and
2.1.12.

> 
> >You could also put the following in your inner-tunnel, rather than
> >the line in your users file, which is probably the tidier way:
> >
> >update control {
> >  Auth-Type := krb5
> >}
> 
> That's it -- it works!!

Cool.

> I no longer have "DEFAULT Auth-Type = krb5"

Possibly using

DEFAULT Auth-Type := krb5

may have fixed it, too. Auth-Type might have been being set by
something else beforehand, and needed the := to force it.

But unlang is probably tidier than files here.

Matthew



Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Matthew Newton
On Wed, Mar 27, 2013 at 04:09:09AM +0100, Jaap Winius wrote:
> Quoting Phil Mayers :
> 
> >... you should be using 2.2.0 or 2.2.1 when it's released, as the
> >2.1.10/11/12 releases have a known security issue.
> 
> I'll be sure to install 2.2.x as soon as a Debian package becomes
> available for it, but for now I'm going to stick with 2.1.x.

For what it's worth, rolling your own FreeRADIUS packages for
Debian is trivial.

http://wiki.freeradius.org/building/Build#Building-Debian-packages


> After upgrading to 2.1.12, what kills my setup is that Freeradius
> will no longer start up if I leave 'DEFAULT Auth-Type = krb5'
> enabled in the users file.

That's interesting, but without a copy of the debug output from
radiusd -X, nobody will know where to start.


You could also put the following in your inner-tunnel, rather than
the line in your users file, which is probably the tidier way:

update control {
  Auth-Type := krb5
}

but both should work. We need full debug output.


> But if I disable it, I get exactly the same failure output as I
> do from 2.1.10 when I disable that line in the users file.

Understandable; that's not the issue here.

Cheers,

Matthew



Re: Server switch

2013-03-26 Thread Matthew Newton
On Tue, Mar 26, 2013 at 02:52:48PM +0100, Emmanuel BILLOT wrote:
> Thanks it seems to be ok. Proxy should resend the request to the virtual
> server so it should work.
> But now i have
> 
> authorize {
>  if (Called-Station-Id =~ /^.*:([-a-zA-Z]+)$/) {
> update control {

use instead:

update request {

>   Tmp-String-0 := "%{1}"
> }
>   }

It was an *untested example*.

But now I've actually had to go and test it, this works here:

authorize {
  if (Called-Station-Id =~ /^.*:([a-zA-Z-]+)$/) {
    update request {
      Tmp-String-0 := "%{1}"
    }
  }
  switch "%{Tmp-String-0}" {
    case 'TEST' {
      update control {
        Proxy-To-Realm := "testproxy"
      }
    }
    case 'WIFI' {
      update control {
        Proxy-To-Realm := "wifiproxy"
      }
    }
  }
}

Matthew



Re: Server switch

2013-03-26 Thread Matthew Newton
On Tue, Mar 26, 2013 at 02:24:21PM +0100, Emmanuel BILLOT wrote:
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++? if (Called-Station-Id =~ /^.*:(.*)$/)
> ? Evaluating (Called-Station-Id =~ /^.*:(.*)$/) -> TRUE
> ++? if (Called-Station-Id =~ /^.*:(.*)$/) -> TRUE
> ++- entering if (Called-Station-Id =~ /^.*:(.*)$/) {...}
> +++[control] returns notfound

  if (Calling-Station-Id =~ /^.*:([a-zA-Z-]+)$/) {
    update control {
      Tmp-String-0 := "%{1}"
    }
  }

Put "quotes" around the %{1}.

I said it wasn't tested :)

Matthew



Re: Server switch

2013-03-26 Thread Matthew Newton
On Tue, Mar 26, 2013 at 02:20:40PM +0100, Emmanuel BILLOT wrote:
> How about a hyphenated SSID? e.g. WIFI-TEST
> I failed in writing a regex for it...

  if (Calling-Station-Id =~ /^.*:([a-zA-Z-]+)$/) {

Matthew



Re: Server switch

2013-03-26 Thread Matthew Newton
On Tue, Mar 26, 2013 at 10:53:36AM +0100, Emmanuel BILLOT wrote:
> Considering request show lines like
> Called-Station-Id = "C0-8A-DE-3D-B4-09:TEST"
> or
> Called-Station-Id = "C0-8A-DE-3D-B4-09:WIFI"
> 
> where TEST and WIFI are the SSID concerned.
> 
> How can we route request to different ports of the server (so
> instances) by using this ?
> I mean when SSID is TEST, request is redirected to local instance on
> port 1820, and when SSID is WIFI, request is redirected to local
> instance on port 1821 ?

Set up proxy.conf with entries for the right ports, then you
should be able to do something like (example, untested):

authorize {

  if (Calling-Station-Id =~ /^.*:([a-zA-Z]+)$/) {
    update control {
      Tmp-String-0 := %{1}
    }
  }

  switch "%{Tmp-String-0}" {
    case 'TEST' {
      update control {
        Proxy-To-Realm := testproxy
      }
    }
    case 'WIFI' {
      update control {
        Proxy-To-Realm := wifiproxy
      }
    }
    ...
  }

}

This should work between different servers; I'm not sure if you'll
hit the "only one internal proxy" limit on one server.

Matthew



Re: Instantiating modules

2013-03-14 Thread Matthew Newton
On Thu, Mar 14, 2013 at 03:04:08PM +, Jonathan Gazeley wrote:
> On 14/03/13 14:26, Matthew Newton wrote:
> >Just put it in the global instantiate section, as above, then use
> >it in the virtual server.
> 
> The point of my exercise is to make my FreeRADIUS config fully
> modular in preparation for my suite of RADIUS servers being managed
> by a config management tool, and therefore edits to a global file
> are not helpful.
> 
> I suppose I could set up an includes.d/ arrangement so snippets of
> file can be dropped into place in the global config, but really I
> would rather solve the problem "properly" by loading only the needed
> modules in virtual servers.
> 
> Any suggestions?

A "virtual server" is essentially a collection of config blocks
for authorize/authenticate/accounting, etc, that call modules in
the main server. You can configure the server to send particular
packets (using listen statements, or options in clients.conf, or,
e.g. EAP virtual server settings) through a particular "virtual
server" - i.e. a particular config.

That's it - it's a configuration. The modules are global to the
server, so what you did first was right.

For config management, if you really don't want it instantiated on
some servers, I guess you could $INCLUDE a file instead of the
instantiate{} block, and move this to a separate file dependent on
the server. We do this sort of thing with cfengine, often using a
symlink with the hostname in it, and the $INCLUDE is to the
symlink. Then have one file per server with the required config.

Cheers,

Matthew



Re: Instantiating modules

2013-03-14 Thread Matthew Newton
On Thu, Mar 14, 2013 at 02:14:57PM +, Jonathan Gazeley wrote:
> instantiate {
>   uobsql-rnwc
> }
> 
> This worked.

OK.

> Forgive me if I've missed something obvious. How do I load custom
> modules within virtual servers?

Just put it in the global instantiate section, as above, then use
it in the virtual server.

Matthew



Re: post-auth not being entered in inner-tunnel

2013-03-14 Thread Matthew Newton
On Thu, Mar 14, 2013 at 10:10:28AM +, Phil Mayers wrote:
> On 03/14/2013 09:36 AM, Alex Sharaz wrote:
> >so is that done as in post-auth in the inner-tunnel now works?
> 
> Should be. Please "git pull" and recompile and confirm.

It should fully work now. Previously, inner-tunnel post-auth
reject was skipped, so inner post-auth was only called for
success.

Some confirmation would be useful - I haven't got time to check
right now.

Cheers,

Matthew



Re: post-auth not being entered in inner-tunnel

2013-03-13 Thread Matthew Newton
On Wed, Mar 13, 2013 at 12:58:15PM -0400, Arran Cudbard-Bell wrote:
> > 00cadac7
> 
> Defines the function rad_virtual_server, but doesn't call it
> from anywhere. Where should that be called? Was there another
> commit?

Grr, fatfinger paste bug :)

> I'd suggest that either a00c4432 needs backing out, or 00cadac7
> and need backporting as well.

should have read:

I'd suggest that either a00c4432 needs backing out, or 00cadac7
and c625bf173 need backporting as well.

There are three commits in series that all go together.

Cheers!

Matthew




Re: post-auth not being entered in inner-tunnel

2013-03-13 Thread Matthew Newton
Hi,

On Wed, Mar 13, 2013 at 04:09:55PM +, Alex Sharaz wrote:
> On 13 Mar 2013, at 13:05, Olivier Beytrison  wrote:
> 
> > On 13.03.2013 12:46, Alex Sharaz wrote:
> >> coming in the inner-tunnel deals with them. About a week ago
> >> I downloaded the latest 2.2 code from git.freeradius, built
> >> that and upgraded one of my FR2.2 servers. Since then  I
> >> can't see an invocation of post-auth within the inner-tunnel.
> >> I can see it for the "default" site but not the inner-tunnel.
> >> Everything else seems to work but not that. Same hardware
> >> platform, same config files just different  FR code.
> > 
> > Sounds weird. But again hard to tell without a radius -X output. Just
> > send it here on the list, a complete request output, and maybe the
> > relevant virtual-server configuration snippet

I hacked around on master in September (see commits 5f03313da,
00cadac7 and c625bf173) to fix up auth.c so that inner-tunnel
post-auth worked properly.

It looks like Arran may have backported 5f03313da to 2.2 in commit
a00c4432, which means that rad_postauth is called from event.c,
rather than from auth.c

Unfortunately, this also means that the inner-tunnel code needs
fixing, as it then won't call post-auth at all.

I'd suggest that either a00c4432 needs backing out, or 00cadac7
and need backporting as well.

Cheers,

Matthew



Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Matthew Newton
On Thu, Feb 21, 2013 at 05:58:14PM +0800, Danny Kurniawan wrote:
> Thanks a lot. So could you please let me know how I can disable the output
> (which conf file and what needs to be added). Also, by saying echo, do I
> need to put something into a config file or just run the echo command while I'm
> in radiusd -X debug mode?

You can't - FreeRADIUS dumps the entire incoming packet out in
clear text when in debug mode. If you don't want to debug things,
don't run it in debug mode.

With PAP the password is sent in (effectively) clear text. If you
don't want to ever see the password then you need to use something
different that can handle auth without plaintext passwords.

Cheers

Matthew



Re: simulate Point Access

2013-02-20 Thread Matthew Newton
On Wed, Feb 20, 2013 at 10:46:59PM +0100, tabibel sami wrote:
> Hello, i try to make a virtual infrastructure for testing wireless eap
> authentication via freeradius, so i created three virtual machines for
> supplicant, authenticator (point access), radius server
> i installed wpa_supplicant on first machine, freeradius on server, but i
> have no idea on how can i simulate a point access with a linux virtual
> machine. please help me !

If you are just interested in testing EAP, then you only need one
machine. Your test setup is never going to be able to test the
behaviour of different APs out there anyway, so to do that you'd
want to just do it for real.

Build wpa_supplicant, and make sure you build the eapol_test
program. It's not enabled in the wpa_supplicant defconfig file by
default.

Then build or install freeradius.

eapol_test takes the same config files as wpa_supplicant, but
rather than talking EAP (as a supplicant) over wireless, it just
sends the EAP directly in RADIUS packets.

FreeRADIUS by default listens on localhost with secret testing123,
and comes with a selection of conf files for eapol_test, so you
can point it at localhost for testing your EAP.

Of course, you can run eapol_test on a different machine than
FreeRADIUS if you want to - just make sure you set up a client for
the test machine in the FR config.

Matthew




Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Matthew Newton
On Fri, Feb 08, 2013 at 10:10:05AM -0500, Alan DeKok wrote:
> Alex Sharaz wrote:
> > Anyone else seen serve crashes on a reload?
> 
>   Unfortunately I've seen this before.  I haven't seen enough
> information to track it down and fix it, though.

One workaround is to just do a restart instead of a reload. It's
not likely to make much of a difference.

Matthew




Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Matthew Newton
On Tue, Feb 05, 2013 at 05:18:13PM +, Kelly Roestel wrote:
> If you look at the detailed format, these string attributes are 
> enclosed.  But there seems to be no option in linelog module.

linelog {
  ...
  format = "\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""
  ...
}


Matthew



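The format string above wraps each attribute in double quotes but nothing escapes a quote that is already inside an attribute value, and User-Name and Calling-Station-Id arrive from the NAS. The added example below (not from the post or from rlm_linelog) uses a simplified %{Attribute} expander as a stand-in for the server's xlat to show what a downstream CDR importer sees in that case, next to a CSV writer that doubles embedded quotes so the line still parses; the request attributes are constructed.

```python
import csv
import io
import re

# The linelog format from the post above: three attributes, each wrapped in
# double quotes, separated by commas.
LINELOG_FORMAT = '"%{Client-IP-Address}","%{Calling-Station-Id}","%{User-Name}"'
FIELDS = ("Client-IP-Address", "Calling-Station-Id", "User-Name")

XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand_linelog(fmt, attrs):
    """Simplified stand-in for the server's %{Attribute} expansion (assumed
    behaviour, not the real xlat code): each reference is replaced by the
    attribute's value verbatim, with no escaping of quotes or commas."""
    return XLAT_RE.sub(lambda m: attrs.get(m.group(1), ""), fmt)


def write_csv_line(attrs):
    """Hardened alternative: emit the same three fields through a real CSV
    writer, which doubles any embedded quote so the line stays parseable."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(
        [attrs.get(k, "") for k in FIELDS])
    return buf.getvalue().rstrip("\n")


def parse_cdr_line(line):
    """Read one emitted line back as CSV, as a CDR importer would."""
    return next(csv.reader(io.StringIO(line)))


def round_trips(line, attrs):
    """True if parsing the line yields exactly the three attribute values,
    i.e. the quoting survived whatever the attributes contained."""
    return parse_cdr_line(line) == [attrs.get(k, "") for k in FIELDS]


# Constructed sample requests.  The second carries a User-Name (which the
# supplicant chooses) containing a quote and a comma.
NORMAL = {"Client-IP-Address": "10.0.0.1",
          "Calling-Station-Id": "e02a.8255.86ba",
          "User-Name": "bob"}
UNTRUSTED = {"Client-IP-Address": "10.0.0.1",
             "Calling-Station-Id": "e02a.8255.86ba",
             "User-Name": 'bob",Acct-Delay-Time=0,"'}

if __name__ == "__main__":
    for attrs in (NORMAL, UNTRUSTED):
        raw = expand_linelog(LINELOG_FORMAT, attrs)
        safe = write_csv_line(attrs)
        print("linelog:", raw, "-> round-trips:", round_trips(raw, attrs))
        print("csv    :", safe, "-> round-trips:", round_trips(safe, attrs))
```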

Re: mac address format

2013-01-28 Thread Matthew Newton
On Mon, Jan 28, 2013 at 02:17:04PM +0100, François Dagorn wrote:
> 062f68c7dcc2 Auth-type := Accept, User-Password == "062f68c7dcc2"
> .
> 
> but now the stations controlled by the new Cisco appears as follows
> 
> 06:2f:68:c7:dc:c2

Security tab -> AAA -> RADIUS -> Authentication
  MAC Delimiter can be set to "No delimiter"

> So my first idea was to duplicate entries in the authorized file included
> within my conf, unfortunately it does not run.
> 
> So, is there a simple way to force radiusd to accept different mac address 
> format ?

You can use unlang like the following to 'fix up' the mac
addresses:

if ("%{request:Called-Station-Id}" =~ /^([0-9a-fA-F]{2}):?([0-9a-fA-F]{2})[:.]?([0-9a-fA-F]{2}):?([0-9a-fA-F]{2})[:.]?([0-9a-fA-F]{2}):?([0-9a-fA-F]{2})$/) {
  update request {
    Called-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
  }
}


However - if you're trying to do wireless WPA and EAP with mac based auth, it's
not likely to go well...

> Sorry if this is a FAQ, of course I've not changed anything within my conf
> since 2009 !

You should upgrade. There have been security bugs fixed in 2.2.0.

Matthew



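To check which MAC layouts the unlang regex in the reply above actually accepts before relying on it, here is the same pattern translated to Python with the users-file lookup stood in by a dict; this is an added example, not code from the post or from FreeRADIUS. The authorized entries are constructed, and the lower-casing is an addition beyond the unlang snippet, which keeps whatever case the NAS sent.

```python
import re

# The unlang regex from the reply above, translated to Python: six hex pairs,
# an optional ':' between pairs, and an optional ':' or '.' at the two places
# where the Cisco dotted layout (aabb.ccdd.eeff) puts its dots.  The
# hyphenated form (aa-bb-cc-dd-ee-ff) is not covered, as the test shows.
MAC_RE = re.compile(
    r"^([0-9a-fA-F]{2}):?([0-9a-fA-F]{2})[:.]?([0-9a-fA-F]{2}):?"
    r"([0-9a-fA-F]{2})[:.]?([0-9a-fA-F]{2}):?([0-9a-fA-F]{2})$"
)


def normalise_mac(station_id):
    """Return the bare 12-hex-digit form used as the users-file key, or None
    when the value is not a MAC in one of the layouts the regex accepts.
    Lower-casing is an addition: the unlang snippet keeps the case as sent,
    so mixed-case input from another NAS would miss a lower-case entry."""
    m = MAC_RE.match(station_id)
    if m is None:
        return None
    return "".join(m.groups()).lower()


# Constructed stand-in for an "authorized MACs" users file: key is the
# normalised MAC, value is the reply the entry would return.
AUTHORIZED_MACS = {
    "062f68c7dcc2": {"Tunnel-Private-Group-Id": "40"},
    "00c51180d29c": {"Tunnel-Private-Group-Id": "10"},
}


def authorize(station_id):
    """Mimic the users-file lookup after the 'fix up': ('accept', reply)
    for a known device, ('reject', reason) for anything else."""
    mac = normalise_mac(station_id)
    if mac is None:
        return ("reject", "not a MAC address in an accepted layout")
    entry = AUTHORIZED_MACS.get(mac)
    if entry is None:
        return ("reject", "unknown device %s" % mac)
    return ("accept", entry)


if __name__ == "__main__":
    for sid in ("06:2f:68:c7:dc:c2", "062f.68c7.dcc2", "062F68C7DCC2",
                "06-2f-68-c7-dc-c2", "00c5.1180.d29c", "00:11:22:33:44:55"):
        print("%-20s -> %s" % (sid, authorize(sid)))
```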

Re: upgrading freeradius

2013-01-27 Thread Matthew Newton
On Sun, Jan 27, 2013 at 08:51:28PM +, a.l.m.bu...@lboro.ac.uk wrote:
> > I have a working server running on version 2.1.10

> if you got your 2.1.10 from distribution...then you have to wait
> for your distro to catch up

Actually, with Debian and Ubuntu, building new local packages of
the latest version is trivially easy, and the way I would
recommend upgrading.

http://wiki.freeradius.org/building/Build#Building-Debian-packages

But of course if you roll your own packages you've got to watch
for security issues when they crop up, and rebuild yourself. With
distro supported packages they tend to patch up the security
issues, though you might be left with older non-security related
bugs unpatched.

Like Alan wrote: if it says 2.1.10, you have no easy way of
guaranteeing all latest security patches have been applied.

Popping up on this list and saying you're using an old version is
also likely to get you a lot of 'go away and upgrade' responses,
rather than answers to your question...

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Log format

2013-01-22 Thread Matthew Newton
Hi,

On Tue, Jan 22, 2013 at 10:54:16AM +0100, Emmanuel BILLOT wrote:
> Is there any way to have the log format (radius.log) with a date for
> each line or section ?

Don't quite understand your question, but you can write pretty
much anything with linelog - "\n" will include a newline in the
output, too.

Matthew




Re: computer authentication

2012-12-07 Thread Matthew Newton
On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> Sorry, I was not clear with my setup information.  We do not have a domain,
> these are stand alone windows 7 devices.  We also have some tablets and
> some linux boxes.  Concern right now is the Windows 7 devices.  I didn't
> know that you cannot do machine authentication without a domain

You can, but you'll need to handle the certificates on the hosts
manually. That's usually such a pain that the only real solution
is to use AD. If you've got a small number of devices, or can
write some other automated method of deploying certs, then it can
be possible to handle.

What you /can't/ do is both User auth (mschap - username +
password) *and* Computer auth (certificates - EAP-TLS) in the same
connection, as the default Windows supplicant, like most, doesn't
support client certificates with PEAP (and user auth - mschap -
needs to be inside PEAP).

> User authentication in my environment is just not an option because all of
> the devices need to have a connection to the network at all times even if
> nobody is logged in.  Should I be using PEAP/EAP-TLS instead?

There are no good reasons for doing PEAP/EAP-TLS unless you want
to use SoH. PEAP adds overhead to the auth, with no added benefit.

> If so do you know of any good setup documentation for that?

I wrote up how to do PEAP/EAP-TLS a while back - you can find it
here: http://q.asd.me.uk/pet

That said - your connection is trying to do PEAP, so you've
configured your client for either 'certificates' or mschap inside
PEAP. I forget the exact options in the interface, but you need to
choose 'certificates' rather than 'PEAP', then select the client
certificate that you want to auth with - which will be one that is
signed by the same CA that the CA_file option in your FreeRADIUS
eap.conf file points to. Make sure it's set to 'Computer' auth,
not 'User' or 'User + Computer'.

In theory, you'll then find that it Just Works. But the Windows
config interface takes a bit of head scratching to get around
until you understand what it's doing under the hood.

Cheers

Matthew




Re: 802.1x Issue

2012-11-30 Thread Matthew Newton
On Fri, Nov 30, 2012 at 09:18:13PM +, Brekler Custodio wrote:
> It's better to make a new DB with new passwords on EAP and use a
> .bat + xml profile to configure windows notebooks.

Rather than .bat + xml to do it, there are more user-friendly
front-ends available. The main eduroam one (but not limited to
eduroam of course) is su1x (http://sourceforge.net/projects/su1x/).

I found that had too many features for my liking, and it does
confuse some of our users (we still use it at the moment). I put
together an MSI installer instead (warning - not well tested)
https://github.com/mcnewton/edusetup which is intended to be
simpler to use - it follows what they usually expect for an
"install".

It depends on your user base, but giving a .bat file to our users
just wouldn't work (they seem to find it hard enough to follow
instructions on how to run a .exe)...

Of course, if they are managed Windows devices (especially as part
of a windows domain), then EAP-TLS can also be another good
option.

Matthew





Re: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Matthew Newton
> -Ursprungligt meddelande-
> On my debian boxes FR cannot run without preload.

On Wed, Nov 28, 2012 at 03:57:34PM +, Alexander Silveröhrt wrote:
> Same here doesn't even start without LD_PRELOAD.

What versions of Debian and FreeRADIUS are these reports referring
to?

Are you using FR compiled yourself, or own-built packages (from
git?), or the standard Debian packages from their repo?

Matthew




Re: files Authentication problem

2012-11-26 Thread Matthew Newton
On Mon, Nov 26, 2012 at 12:13:06PM +0100, alexdhel...@free.fr wrote:
> Thanks, it's working now.

That's good.

> I will try with PAP as soon as I have more time.

There's nothing to try - your debug log shows that PAP is already
being called (it's in by default), so all you need to do is remove
the auth-type := local from your config. It will work exactly as
it does now.

Setting Auth-Type like this has been deprecated for *years*, and
is only likely to cause you problems some time in the future.
There are very few situations where it should be set manually.

Matthew






Re: files Authentication problem

2012-11-26 Thread Matthew Newton
Hi

On Mon, Nov 26, 2012 at 08:17:21AM +0100, alexdhel...@free.fr wrote:
> Thanks for your answer.

I've just re-read what you're doing - you're looking up the
lowercase password in the users file instead of the username (e.g.
you're ignoring the username), but then your password check
is between User-Password and Cleartext-Password, as usual.

Try something like this in your sites-enabled/default, after
preprocess:

  update request {
User-Password := "%{tolower:%{User-Password}}"
  }

> But, at the moment, we must keep this Auth-Type, to be compatible
> with an old version of freeradius, we couldn't update at the
> moment.

No, you still don't need it. The PAP module will do it for you -
read the debug output.

Matthew

(waiting for 3.x so that Auth-Type := Local will actually break
things at last).






Re: problem with test aaa-server in ciscoasa

2012-11-24 Thread Matthew Newton
On Sat, Nov 24, 2012 at 02:00:45PM +0800, studyfordo wrote:
> ++[files] returns noop

Assuming you added the line to the correct file, it wasn't found
by the server.

>  
> I have add user such as following format
> cat users | sed -n '/^[^#]/p'
>  tsb     Cleartext-Password := "123456"
  ^

Looks like you've got a space at the beginning - that will stop it
working. Remove it and try again.

Matthew


> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "CSLIP"
> Framed-Protocol = SLIP,
> Framed-Compression = Van-Jacobson-TCP-IP
> DEFAULT Hint == "SLIP"
> Framed-Protocol = SLIP
> 
> So I still have a problem with the user format in the users file? pls give me some advice.
> thanks
>  
>  




Re: problem with test aaa-server in ciscoasa

2012-11-23 Thread Matthew Newton
On Fri, Nov 23, 2012 at 06:47:44PM +0800, studyfordo wrote:
> I have installed freeradius-server-2.2.0, and make test such as ./ratest 
> test test 127.0.0.1 0 testing123.
>  the result is ok.
> so i add user tsb to users file as following format.
> tsb  Auth-Type := Local, User-Password == "12345678"

That's very out of date, and wrong. Where did you read that you
should do it that way? It should probably be:

tsb     Cleartext-Password := "12345678"

It needs to be at the top of the users file.

> and  add asa ip to clients.
> 
>  client X.X.X.X {
>         secret    = testvpn
>         shortname = asa5520
>  }
>  
> complete this  I do testing in asa5520 like this
> test asa-server authencation  RadiusVPN host X.X.X.X username tsb password 
> 12345678
> hint  Authentication Rejected: AAA failure 
> I debug it. the following is details.
...

This is the FreeRADIUS list. You are likely to get more help if
you send the debug output from FreeRADIUS (radiusd -X).

Matthew




Re: Git master branch & Debian build

2012-11-22 Thread Matthew Newton
On Thu, Nov 22, 2012 at 09:32:57AM +0100, Olivier Beytrison wrote:
> Same thing on a clean system, with debian package or normal compilation.
> Is there a way to actually see the commands used during the building
> process, as it is with "standard" building system ?

Edit scripts/boiler.mk (and other .mk files in that dir), remove @
characters at the beginning of the lines.

Matthew




Re: Git master branch & Debian build

2012-11-21 Thread Matthew Newton
On Wed, Nov 21, 2012 at 11:13:40AM -0500, Alan DeKok wrote:
>   I've pushed a few other minor fixes.  "make -j 8" now should work out
> of the box.

Build & install all now seems to work great.

>   Thanks for everyone's patience.  I think the new build system is worth
> it.  Faster, simpler to understand, incremental builds, full
> dependencies, etc.

(As usual after a tedious configure) 5.4 second build here. I'm
still amazed at that :)

The debian package now builds, too (much slower, it's serial
make), but it's getting a library path wrong somewhere:

# /usr/sbin/freeradius 
/usr/sbin/freeradius: error while loading shared libraries:
build/lib/relink/.libs/rlm_acctlog.so: cannot open shared object
file: No such file or directory

No time to look right now - maybe tomorrow.

Matthew




Re: files Authentication problem

2012-11-21 Thread Matthew Newton
On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhel...@free.fr wrote:
> "00c51180d29c"  Auth-Type := Local, Cleartext-Password := "00c51180d29c"
> Alcatel-Lucent-Auth-Group = 4

As the debug log says, remove "Auth-Type := Local" from the above.

Matthew




Re: FreeRADIUS + Mysql + xl2tpd and pptpd

2012-11-15 Thread Matthew Newton
Can't help much, as I didn't set up our system, but have you tried
"require authentication = no" in xl2tpd.conf? You've got auth in
IPsec (one assumes), and also in PPP (CHAP; we use MSCHAPv2 for
Windows compatibility), so my understanding is you don't need it
in L2TP as well, which goes inside IPsec.

Just make sure you have an iptables rule to block direct access to
L2TP, and force it through IPsec.

But really, this isn't a FreeRADIUS question...

Matthew


On Thu, Nov 15, 2012 at 09:33:28PM +0200, Dmitry Korzhevin wrote:
> Here, is links to logs on pastebin service:
> 
> freeradius_debug_log (freeradius -X): http://dpaste.com/831692/
> xl2tpd_debug_log (xl2tpd -D): http://dpaste.com/831693/
> /etc/xl2tpd/xl2tpd.conf http://dpaste.com/831695/
> /etc/ppp/options.xl2tpd http://dpaste.com/831696/
> 
> Guys, i just need "another eyes" to look at config files.. Strange,
> that ipsec auth with same freeradius server works without any
> problems, while xl2tpd - doesn't
> 
> 15.11.2012 12:52, Dmitry Korzhevin пишет:
> >Hello,
> >
> >Can anyone please share working configs for freeradius + xl2tpd or
> >pptpd? Radius server is already configured, and works with mysql backend
> >+ strongSwan ipsec (direct connection). But, i try several pptpd /
> >xl2tpd configurations, and suddenly they don't work..
> >
> >I even try configuration from wiki:
> >http://wiki.freeradius.org/config/PopTop
> >
> >And it is not working.
> >
> >I use Debian 6.0.6 x86_64, freeradius 2.1.10+dfsg-2+squeeze1, xl2tpd
> >1.2.7+dfsg-1, pptpd 1.3.4-3
> >
> >
> >
> >Best Regards,
> >Dmitry
> >
> >---
> >Dmitry KORZHEVIN
> >System Administrator
> >STIDIA S.A. - Luxembourg
> >
> >e: dmitry.korzhe...@stidia.com
> >m: +38 093 874 5453
> >w: http://www.stidia.com
> >
> >
> >



Re: help:freeradius + ldap + cisco ap can not work

2012-11-09 Thread Matthew Newton
On Fri, Nov 09, 2012 at 04:59:44PM +0800, Manifold Yu wrote:
> pap against LDAP works fine, but others do not work (e.g. mschap).


> [ldap] looking for check items in directory...
>   [ldap] userPassword -> Cleartext-Password ==
> "{MD5}85Q3W/VY9rt11BfdBNzdfQ=="

Your password, from LDAP, is not clear text. You need clear text
passwords or NTLM (NT-Password) for mschap to work.

http://deployingradius.com/documents/protocols/compatibility.html

Matthew




Re: Cannot Authenticate Local User

2012-11-07 Thread Matthew Newton
On Wed, Nov 07, 2012 at 04:16:23PM +0200, Manjith Gajadhar wrote:
> I am new to using FreeRadius  and I need help trying to authenticate a
> local user account using FreeRadius. I have installed FreeRadius
> 2.1.12 on Centos 6.3   I have created a local user with the
> following details:

Created a 'local user' how? Added an entry to the users file? (In
which case, did you add it to the top?)

> ---
> [root@localhost raddb]# radiusd -X
> FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on
> Jun 22 2012 at 11:10:43
...

> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server 
> inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.

You've missed the rest of the log off that contains the actual
authentication attempt, so we can't see what's broken.

Try again with

rtest   Cleartext-Password := "rtest"

at the top of the users file.

Matthew




Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-06 Thread Matthew Newton
On Tue, Nov 06, 2012 at 10:59:45PM -, dvmp wrote:
> [mschap]expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
> Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled

OK, mschap seems to succeed.

> } # server inner-tunnel
> [peap] Got tunneled reply code 11
...
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
> EAP-Message =
> 0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91
> ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68
> a1ccd3f6714ea7a663b7c98ff3904cf9
> Message-Authenticator = 0x
> State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
> Finished request 386.
> Going to the next request
> Waking up in 4.9 seconds.

Client is sent the access challenge for the user's device with the
mschap success.

> rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,
> length=167
> User-Name = "DOMAIN\\userADaccount"
> Framed-MTU = 1400
> Called-Station-Id = "003a.994b.fd40"
> Calling-Station-Id = "e02a.8255.86ba"
> Service-Type = Login-User
> Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
> EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536

User's device sends back an EAP Identity

> [eap] EAP packet type response id 2 length 25
> [eap] No EAP Start, assuming it's an on-going EAP conversation

Which is why this isn't picked up as part of the previous PEAP
conversation, so the client isn't sent an Access-Accept

...

> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
...
> ++[eap] returns handled
> Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
> EAP-Message =
> 0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972
> 9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52
> 72a032112af4c2f1af939b470d00b30b
> Message-Authenticator = 0x
> State = 0xf9273f5cff2e268144e0f611590a6390
> Finished request 393.
> Going to the next request
> Waking up in 2.4 seconds.

...
repeat of last time.


The client has given up (that much is certain), so check EAP logs
on the client. If it's Windows, you probably don't stand much of a
chance of getting much useful (easy to read) logs. Check things
like certificates expiring (but it doesn't sound like this).

But first I'd restart winbind and see if it all works again. Then
check your domain join (net ads testjoin or similar). I've seen
similar before when everything individually worked OK, but the
clients didn't like something that was sent back. [0] I think
something has broken with the domain join, or winbind - it isn't
at all obvious, but the client doesn't like it. You could also try
re-joining the server to the domain.

Oh, and you want to upgrade FreeRADIUS to 2.2.0; there's a
security vulnerability in anything older.

Cheers

Matthew



[0] 
http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/




Re: rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS

2012-10-31 Thread Matthew Newton
On Wed, Oct 31, 2012 at 03:55:29PM -0500, Darren Shea wrote:
> rlm_eap: Loaded and initialized type tls
>  ttls: default_eap_type = "ttls"
>  ttls: copy_request_to_tunnel = yes
>  ttls: use_tunneled_reply = yes
> rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS
> rlm_eap: Failed to initialize type ttls
...

>  Module: Linked to sub-module rlm_eap_ttls
>  Module: Instantiating eap-ttls
>ttls {
> default_eap_type = "ttls"

Try setting that to something other than "ttls". For instance,
"mschapv2", to match your PEAP section.

Cheers,

Matthew




Re: LDAP attribute mapping

2012-10-30 Thread Matthew Newton
On Tue, Oct 30, 2012 at 07:02:02PM +, Phil Mayers wrote:
> +1
> 
> Personally I'd rather the latter format everywhere, even unlang:
> 
> update {
>   request:foo = 1
> }

Agreed - having that option would make things much tidier when
several things in different lists are being updated at once.

update {
  config:Auth-Type = Reject
  reply:Reply-Message = "Go away"
}

On the other hand, the current form is nicer when updating a few
attributes all in one list, so maybe both...? :)

or...

update [] {
  ...
}

update reply {
  config:Auth-Type = Reject
  Reply-Message = "Go away"
}

Matthew




Re: User authorize with Perl-Script

2012-10-30 Thread Matthew Newton
On Tue, Oct 30, 2012 at 02:40:35PM +0100, Oliver Werner wrote:
> I would configure my Switch-Ports Mac-Based. When a Computer
> wired a Perl-Script should check the Username and gives VLAN
> back.

You can probably do this without a perl script, however -

> exec {
> wait = yes
> program = "/usr/bin/perl /usr/local/test.pl %{User-Name}"
> input_pairs = request
> output = reply

  output = config

Currently you're trying to send the cleartext password back to the
NAS...

Matthew




Re: Regarding pam_radius_auth to be integrated with busybox

2012-10-29 Thread Matthew Newton
On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
> "pam_radius_auth: packet from RADIUS server 192.168.100.19 fails
> verification: The shared secret is probably incorrect."

> >   WARNING: Unprintable characters in the password.  Double-check the
> > shared secret on the server and the NAS!

> > Can you please suggest what might be the issue is? I am getting password

Please read the debug output. It's telling you the answer.

Matthew




Re: No Realm in table radacct

2012-10-20 Thread Matthew Newton
On Sat, Oct 20, 2012 at 11:17:21PM +0700, Fajar A. Nugraha wrote:
> Short version, your NAS (172.16.18.82) sends inconsistent user name.
> It sends "mar...@kl-dfki.de" for access-request, but "markus" for
> accounting. Fix the NAS. Period.

I don't know about different NASes, but ours send the User-Name in
the Accounting-Request that was returned to the NAS in the
Access-Accept, not the User-Name that they used in the
Access-Request. Therefore the result from FreeRADIUS does directly
affect what is sent for Accounting.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom



Re: Identifying Virtual-Server from Inner-Tunnel

2012-10-04 Thread Matthew Newton
On Thu, Oct 04, 2012 at 01:07:57PM -0600, Jordan Dohms wrote:
> - Depending on the virtual server the request was received through,
> call a different mschap module from the inner-tunnel or reject the
> request. (not working)

You've gone to the hassle of duplicating RADIUS server configs in
your clients and sending requests to different ports, so you could
do your check based on Packet-Dst-Port.

> If there's a better/cleaner/simpler way to do this, I'm all ears.

If there is something in the packet that can indicate which
network is being connected to, you likely don't need to use two
ports as you can just do it all in one server (testing based on
that attribute). For example, with wireless networks, you can
usually get the SSID in the request somehow.

> virtual-server?  Do I need to set a separate variable in the
> outer-server and read it below?

I guess that's another way of doing it. Personally unless
functionality was a lot different (which it doesn't sound like it
is), I'd probably do it all in one outer server and test based on
request attribute or Packet-Dst-Port, but if it works then it's
OK.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom



Re: getting rejected, please give me some light.

2012-10-04 Thread Matthew Newton
On Thu, Oct 04, 2012 at 07:59:09PM +0200, Eliezer Croitoru wrote:
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "bob", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry bob at line 204
> ++[files] returns ok
> WARNING: Please update your configuration, and remove 'Auth-Type =
> Local' ### What does that mean? What does it refer to? I
> don't have the word 'Local' at all in my files other than the defaults
> WARNING: Use the PAP or CHAP modules instead.
> User-Password in the request is correct.

This error is slightly misleading. If you remove the pap module in
2.x, the server will internally authenticate in a similar way by
setting Auth-Type to 'Local', iff it is not already set.

It's an indication that you removed pap, as it will only occur if
no Auth-Type has been set, and there is a User-Password in the
request.

This will break in 3.0. You need to add pap back in again and not
rely on Local auth.


> [files] users: Matched entry DEFAULT at line 172
> ++[files] returns ok
> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user # It's the same basics as before, so why is the
> software saying that? What is the difference between the logins (a
> lot) that makes it not work with the users file?

You added 'bob' at the bottom of the 'users' file. Move it to the
top. (And add pap back in).

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

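To see why the position of the 'bob' entry matters, here is an added example (not FreeRADIUS code; the file fragments are constructed in the style of the stock `users` file) that models the matching rules in Python. Entries are tried top to bottom; the first entry whose name (or DEFAULT) and `==` check items match is used, its `:=` check items go into the control list, and processing stops there unless the reply items include `Fall-Through = Yes`. The pap module is reduced to the one rule that matters here: a Cleartext-Password in control plus a User-Password in the request gives Auth-Type PAP, and without it the request ends up with no Auth-Type and is rejected, as in the log above. The request attributes and the DEFAULT entry are invented for the demonstration.

```python
"""Toy model of FreeRADIUS 'users' file matching (added example, not FreeRADIUS code).

Entries are tried in file order. The first entry whose name (or DEFAULT) and
'==' check items match wins; ':=' check items set control attributes; matching
stops unless the reply items contain Fall-Through = Yes. rlm_pap is modelled as
one rule: Cleartext-Password in control + User-Password in request -> Auth-Type PAP.
"""
import re
from typing import Dict, List, Tuple

Pair = Tuple[str, str, str]                      # (attribute, operator, value)
_PAIR = re.compile(r'^([\w-]+)\s*(:=|==|=)\s*(".*"|\S+)$')


def _split_pairs(text: str) -> List[str]:
    """Split 'a = 1, b = "x, y"' on commas that are outside double quotes."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]


def _pair(text: str) -> Pair:
    m = _PAIR.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse pair: {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text: str) -> List[Tuple[str, List[Pair], List[Pair]]]:
    """Return [(name, check_items, reply_items)] in file order."""
    entries: List[Tuple[str, List[Pair], List[Pair]]] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                          # indented line: reply items
            if not entries:
                raise ValueError("reply item before the first entry")
            entries[-1][2].extend(_pair(p) for p in _split_pairs(line))
        else:                                         # 'name<whitespace>check items'
            head = line.split(None, 1)
            checks = [_pair(p) for p in _split_pairs(head[1])] if len(head) > 1 else []
            entries.append((head[0], checks, []))
    return entries


def authorize(entries, request: Dict[str, str]):
    """Return (names of matched entries, control items, reply items)."""
    matched, control, reply = [], {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(op == "==" and request.get(a) != v for a, op, v in checks):
            continue
        matched.append(name)
        control.update({a: v for a, op, v in checks if op == ":="})
        fall_through = False
        for a, op, v in replies:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply[a] = v
        if not fall_through:
            break                                     # first match wins
    if ("Auth-Type" not in control and "Cleartext-Password" in control
            and "User-Password" in request):
        control["Auth-Type"] = "PAP"                  # what rlm_pap does in authorize
    return matched, control, reply


# Constructed fragments written in the stock file's style.
DEFAULT_PPP = ('DEFAULT\tFramed-Protocol == PPP\n'
               '\tFramed-Protocol = PPP,\n'
               '\tFramed-Compression = Van-Jacobson-TCP-IP\n')
BOB = ('bob\tCleartext-Password := "hello"\n'
       '\tReply-Message = "Hello, %{User-Name}"\n')
BOB_FALL = BOB.rstrip("\n") + ',\n\tFall-Through = Yes\n'
REQUEST = {"User-Name": "bob", "User-Password": "hello", "Framed-Protocol": "PPP"}

if __name__ == "__main__":
    for label, text in (("bob last", DEFAULT_PPP + BOB), ("bob first", BOB + DEFAULT_PPP),
                        ("bob first, Fall-Through", BOB_FALL + DEFAULT_PPP)):
        matched, control, reply = authorize(parse_users(text), REQUEST)
        print(f"{label}: matched {matched}, Auth-Type {control.get('Auth-Type', 'none, reject')}, "
              f"reply {sorted(reply)}")
```

With bob below the DEFAULT entry, DEFAULT matches first and stops, so bob's Cleartext-Password is never seen, nothing sets Auth-Type and the request is rejected. Moving bob to the top fixes that, at the cost of skipping the DEFAULT reply items; adding `Fall-Through = Yes` to bob's entry gets both.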


Re: Indeterministic EAP error

2012-10-04 Thread Matthew Newton
On Thu, Oct 04, 2012 at 05:45:30PM +0200, Matthias Nagel wrote:
> WARNING: !! EAP session for state 0xABCDEFGHIJKLMNOP did not finish!
...
> Does anybody have an idea what the reason might be?

We see it a lot less since we tweaked the EAP timers on our Cisco
Wireless Controller. You don't say what APs or system you're
using, but for example if it's the Cisco WLCs see
https://supportforums.cisco.com/docs/DOC-12110

The issue would go /something/ like (I forget the precise details):

  User clicks connect

  (*) Types in username and password slowly

  EAP Identity Request would time out (20s or so)

  EAP session would get closed - client & controller would give up -
  error above

  User clicks login

  EAP session starts again

  either a) EAP completes and client connects

  or b) client realises that their EAP session got broken, and
  prompts the user for their password again - go back to '*'.

Then... after a couple of times, the controller might figure
that the client has done some bad authentications, and ban them
for a minute or so.

We tweaked the timers to make the Identity Request time + max
retries longer, and disabled the automatic banning of clients from
invalid authentications. Generally now the only time we see that
error is if we restart FreeRADIUS (in which case, EAP sessions in
transit get broken, so it's the sort of thing I expect).

You still sometimes see it if a client is on the edge of a radio
cell, and moves out of range whilst connecting, for example, but
it's nothing like as often as it used to be.

In short, it's a client/NAS issue, as already stated.

Hope that helps,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom


