Re: load balancing radius with F5 devices
On Wednesday, 9 October 2013, 09:41:19, Alex Sharaz wrote:
> Hi,
> Is anyone out there load balancing RADIUS with an F5 load balancer? We're doing it here, but I can't help thinking that the actual load balancing algorithm needs some tweaking. As far as I'm aware (systems section support the F5 boxes):
>
> 1) We're using round robin to spread the load over 2 back end radius servers.
> 2) There is some general sticky persistence so that once a RAS device starts talking to a particular back end server it continues to talk to that server for a predetermined length of time (might be an hour, not sure). This ensures that an EAP dialogue will always talk to the same back end server for the duration of the sticky time. Not sure what happens when you get to the end of the time interval though.
>
> According to the F5 statistics, overall RADIUS traffic seems to be shared evenly over the 2 back end servers. However, our most heavily loaded RAS client is our wireless network. While we have 900 switches doing MAC and 802.1X based auth, we can have 6000+ users on our wireless network all authenticating to RADIUS via 3 RAS clients. Looking at the back end server log files, it does look as if, in general, all wireless RADIUS auths head for the same back end server.
>
> I was wondering if there's a way of having a bit more granularity in terms of how the F5 load balances incoming RADIUS requests.

You would need to use application layer load balancing on the BigIPs. But I don't think that you can configure this on the BigIPs. The RADIUS protocol is stateless, so there are no criteria in the application that a load balancer could use to balance inside the application.

Greetings,

-- 
Kind regards,
Michael Schwartzkopff

sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication
On Monday, 23 September 2013, 13:53:14, ken.farrington wrote:
> Just also beware that the MAC can be spoofed also with lots of programs :)

Yes: ip link dev ... set addr ...

> On 23 September 2013 at 13:46 Nikolaos Milas <nmi...@noa.gr> wrote:
>> On 23/9/2013 3:14 μμ, Free-Radius wrote:
>>> I wonder if FreeRADIUS can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?
>> You can authenticate a client based on MAC Address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios. Of course not by IP number, which can be manipulated.
>> Regards,
>> Nick
>
> Ken Farrington
> Director, 802 Limited
> http://www.802.co.uk

-- 
Kind regards,
Michael Schwartzkopff
Re: differentiate authoriztion/ authentication in separate ldap modules
On Tuesday, 3 September 2013, 07:27:47, Hachmer, Tobias wrote:
> Hello list,
> first of all a bit of background about my environment:
> - CentOS 6.4
> - FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
> - OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)
>
> Here we use Microsoft Active Directory (not in our responsibility) for user authentication. I have set up an OpenLDAP master/slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like:
>
>     LDAP Master ---+--- RADIUS Primary   (local LDAP copy)
>                    +--- RADIUS Secondary (local LDAP copy)
>
> All RADIUS authorization information is stored in the OpenLDAP DIT using RADIUS profiles. The usernames in the OpenLDAP DIT and in Active Directory are the same.
>
> The normal scenario should be:
> - retrieve authorization from the OpenLDAP DIT (module ldap_openldap)
> - authenticate the user (password verification) against Active Directory (module ldap_ad)
>   o if the Active Directory server isn't reachable, check the password against module ldap_openldap
>
> Problem: After the module ldap_openldap has found the DN for the requesting user, freeradius uses the same DN to bind against module ldap_ad. I know this can't work.
>
> Is there a possible solution for this using ldap?
> - Configure module ldap_ad to determine the DN of the user again?
> - Rewrite the DN?
> If not, would this work using ntlm_auth?
>
> Any help appreciated.
> Kind regards,
> Tobias Hachmer

As far as I know it is not possible to use an ldap module to authenticate against AD. See this page for protocol compatibility: http://deployingradius.com/documents/protocols/compatibility.html

See also the setup guide for ntlm. The first lines say: "The clear-text passwords are unavailable through Active Directory, so we have to use Samba, and the ntlm_auth helper program."

http://deployingradius.com/documents/configuration/active_directory.html

Greetings,

-- 
Kind regards,
Michael Schwartzkopff
Re: Configuring the DHCP module to forward request to another Radius server.
On Thursday, 8 August 2013, 09:19:30, Fabrice-externe SEGURA wrote:
> Hi. I'm trying to use Freeradius 2.2.0 to catch DHCP requests on a local network (a specific interface and physical network of my machine), and forward them to another radius server (through another interface), using the radius protocol, to get them authorized and get the IP address to respond with to the DHCP request.

You want to try the DHCP relay agent feature implemented on every better router or layer 3 switch.

Greetings,

-- 
Kind regards,
Michael Schwartzkopff
Re: TLS-Client-Cert-Expiration date format
On Thursday, 25 July 2013, 09:32:46, Franks Andy (IT Systems Engineer) wrote:
> Hi All,
> Just wondering if anyone knew what the expiration date format was that comes back from EAP-TLS transactions? I have a cert here that expires 23/07/2015 and FR gives back 150723132302Z. That's a Z on the end..?

Zulu time. Equals GMT. It's certainly not seconds since epoch or Jan 01 1601, which is seen in certain other operating systems.

YYMMDDhhmmssZ

-- 
Kind regards,
Michael Schwartzkopff
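To show what the reply's format line means in practice, here is an added example (not code from the thread or from FreeRADIUS) that decodes the TLS-Client-Cert-Expiration string in Python. It goes a little beyond the thread: it also accepts the four-digit-year GeneralizedTime form that certificates use for dates from 2050 on, and it applies the RFC 5280 two-digit-year pivot for UTCTime (50 to 99 means 19xx, 00 to 49 means 20xx). The `expiry_status` helper and its 30-day warning threshold are my own additions, not anything FreeRADIUS does.

```python
"""Decode the X.509 validity string that FreeRADIUS reports as
TLS-Client-Cert-Expiration (for example "150723132302Z") into a UTC datetime.

Added example; not code from the mailing-list thread or from FreeRADIUS.
Format rules follow RFC 5280, section 4.1.2.5:
  - UTCTime         YYMMDDhhmmssZ    (two-digit year, used for dates up to 2049)
  - GeneralizedTime YYYYMMDDhhmmssZ  (four-digit year, used from 2050 on)
The trailing "Z" means Zulu time, i.e. UTC, exactly as the reply says.
"""
from datetime import datetime, timedelta, timezone


def parse_cert_time(value: str) -> datetime:
    """Parse a UTCTime or GeneralizedTime string into a tz-aware UTC datetime."""
    s = value.strip()
    if not s.endswith("Z"):
        raise ValueError(f"expected trailing 'Z' (UTC) in {value!r}")
    digits = s[:-1]
    if not digits.isdigit():
        raise ValueError(f"non-digit characters in {value!r}")

    if len(digits) == 12:
        # UTCTime: RFC 5280 says YY >= 50 is 19YY, YY < 50 is 20YY.
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:
        # GeneralizedTime: full four-digit year.
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unexpected length for {value!r}")

    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    # datetime() validates the field ranges (e.g. month 13) and raises ValueError.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def expiry_status(value: str, now: datetime, warn_days: int = 30) -> str:
    """Classify a notAfter string relative to 'now' (a tz-aware datetime).

    The three-way result and the 30-day default are my own policy choice; a
    caller would reject "expired" and alert on "expiring-soon".
    """
    not_after = parse_cert_time(value)
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"


if __name__ == "__main__":
    # The value from the thread: the poster's certificate expiring 23/07/2015.
    print(parse_cert_time("150723132302Z").isoformat())
```

Running it on the thread's value gives 2015-07-23T13:23:02+00:00, which agrees with the 23/07/2015 date the poster read off the certificate.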
Re: SNMP support for Free Radius
On Thursday, 18 July 2013, 07:43:24, manjunath uthappa ponnachana wrote:
> Hi,
> Can I know the reason why SNMP support in Free Radius was broken?

SMUX was an old interface to the ucd-snmp Master Agent. Since ucd-snmp became net-snmp and the modern interface is AgentX, it seems that nobody cared to port the SNMP subagent from FreeRADIUS version 1 to version 2. But it should not be too difficult to write a new AgentX wrapper around the existing SNMP subagent and to pimp the code to work with FreeRADIUS v2 or v3.

> Which is the last version of Free radius having SNMP support?

FRv1. But you do not want to use that.

-- 
Kind regards,
Michael Schwartzkopff
Re: SNMP support for Free Radius
On Thursday, 18 July 2013, 06:30:19, Bruce Nunn wrote:
> To get by the work of those kittens I set up a remote login to run radmin commands and parse the output so it is suitable for mrtg. It has worked well for me.

Ever tried the extend config option of the net-snmp agent? It executes commands, i.e. radmin, and passes the results as SNMP protocol over the net. And mrtg, cacti or all the other monitoring systems do understand SNMP very well.

-- 
Kind regards,
Michael Schwartzkopff
Re: inactive users can authenticate
I had a quick look at the output you sent, and I see this:

    base_filter = *(*sambaAcctFlags=[U ]

Seems like you are missing a closing bracket... but that should have triggered an error, so I looked at the rlm_ldap source, and it seems base_filter is only used for the profile user, whatever that is... (seems to be an entry in the directory that stores extra checks to be made, but I never used that).

I would suggest you try setting the filter to:

    (&(uid=%{mschap:User-Name:-%{User-Name}})(sambaAcctFlags=[U ]))

(or something like that, my LDAP is rusty), and leave base_filter commented.

I hope this helps,
Michael

On Fri, Jun 28, 2013 at 9:14 AM, Mathieu Simon <mathieu@gmail.com> wrote:
> G'day all, and thanks Phil for your hints (Arran, I'd want to leave 3.0 as an option of last resort even though it's considered RC by now) ;-)
>
>> try moving mschap after LDAP in authorise
>
> Tried this one, no change unfortunately.
>
>> Second, I can't remember if mschap checks the acct control flags in authorize or authenticate. If the latter you'll need to move away from using LDAP bind for auth
>
> Hmm, I guess that would require me studying the code :-\
>
> Anyway, I'm not entirely sure if I'm going to stay with this setup of this Debian derivative since it uses its own AD to local OpenLDAP replication and it didn't entirely convince me (too many replications and components talking to each other).
>
> Best regards
> Mathieu
>
> 2013/6/26 Phil Mayers <p.may...@imperial.ac.uk>
>> Couple of things:
>>
>> IIRC the account control flags are checked by the mschap module, which I see is running before the LDAP lookup - try moving mschap after LDAP in authorise
>>
>> Second, I can't remember if mschap checks the acct control flags in authorize or authenticate. If the latter you'll need to move away from using LDAP bind for auth
>>
>> --
>> Sent from my phone, please excuse brevity and typos
>
> --
> Mathieu Simon <mathieu@gmail.com>
Re: Service Provisioning Using AAA (FreeRadius)
On Tuesday, 4 June 2013, 10:45:01, Russell Mike wrote:
> Hi List
> After googling for a few days it is still not so much clear. Therefore, I have decided to implement the three *A*s in three different steps. For now, I only want to use the Authorize function of FR. I do not want authentication or accounting, BUT authorization.

No. How can you authorize somebody without being sure who that user is? Only authentication provides that information. So you need authentication and authorization.

-- 
Kind regards,
Michael Schwartzkopff
RE: Failure authenticate using IPv6
Using global IPv6 addresses worked. Thanks for the help.

Mike

-----Original Message-----
From: freeradius-users-bounces+michael.sherman=exfo@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Friday, May 24, 2013 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Failure authenticate using IPv6

Stefan Winter wrote:
> I don't *know* why this doesn't work, but it does with our global-scope addresses just fine, so I'm guessing it's the address type. Especially since link-local addresses are only valid with an interface scope.

Exactly.

> is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this.

FreeRADIUS calls getaddrinfo, which *should* parse link-local addresses. I guess...

Alan DeKok.
RE: Failure authenticate using IPv6
> what does this do...
>
>     client fe80::215:17ff:fed0:d278 {
>             secret = test
>             shortname = test-net
>             nastype = other
>     }
>
> ... ?
>
> alan

Same :(

    radiusd: Loading Clients
     client 127.0.0.1 {
            require_message_authenticator = no
            secret = testing123
            shortname = localhost
            nastype = other
     }
     client 10.10.0.0/16 {
            require_message_authenticator = no
            secret = bigsecret
            shortname = test-net
     }
     client fe80::215:17ff:fed0:d278 {
            require_message_authenticator = no
            secret = bigsecret
            shortname = test-net
            nastype = other
     }
    ...
    radiusd: Opening IP addresses and Ports
    listen {
            type = auth
            ipv6addr = ::   IPv6 address [::]
            port = 0
    }
    listen {
            type = acct
            ipv6addr = ::   IPv6 address [::]
            port = 0
    }
    listen {
            type = control
     listen {
            socket = /usr/local/var/run/radiusd/radiusd.sock
     }
    }
    listen {
            type = auth
            ipaddr = 127.0.0.1
            port = 18120
    }
    ...
     ... adding new socket proxy address * port 54225
    Listening on authentication address :: port 1812
    Listening on accounting address :: port 1813
    Listening on command file /usr/local/var/run/radiusd/radiusd.sock
    Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Listening on proxy address :: port 1814
    Ready to process requests.
    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
    Ready to process requests.
    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
    Ready to process requests.
    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 48848
    Ready to process requests.
Failure authenticate using IPv6
Hi All,

I'm testing freeradius server version 2.2.0. It worked fine using IPv4. When I switched to IPv6 I got the following error:

    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 41189

Here is the entry from clients.conf:

    client goya {
            ipv6addr = fe80::215:17ff:fed0:d278
            # netmask = 128
            secret = test
            shortname = test-net
    }

Radtest command used, with output:

    radtest -6 test test fe80::21b:78ff:fe40:1de1 0 test
    Sending Access-Request of id 143 to fe80::21b:78ff:fe40:1de1 port 1812
            User-Name = test
            User-Password = test
            NAS-IPv6-Address = ::1
            NAS-Port = 0
            Message-Authenticator = 0x

Tcpdump on server:

    [root@jackass ~]# tcpdump -i eth0 host fe80::21b:78ff:fe40:1de1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    16:40:27.693362 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor adv: tgt is fe80::21b:78ff:fe40:1de1
    16:40:27.693704 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
    16:40:32.692677 fe80::21b:78ff:fe40:1de1 > fe80::215:17ff:fed0:d278: icmp6: neighbor sol: who has fe80::215:17ff:fed0:d278
    16:40:32.694009 fe80::215:17ff:fed0:d278 > fe80::21b:78ff:fe40:1de1: icmp6: neighbor adv: tgt is fe80::215:17ff:fed0:d278
    16:40:32.697159 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86
    16:40:37.702304 fe80::215:17ff:fed0:d278.48743 > fe80::21b:78ff:fe40:1de1.radius: RADIUS, Access Request (1), id: 0x20 length: 86

Ifconfig on server:

    [root@jackass ~]# ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:1B:78:40:1D:E1
              inet addr:10.10.20.208  Bcast:10.10.20.255  Mask:255.255.255.0
              inet6 addr: fe80::21b:78ff:fe40:1de1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:11032790 errors:0 dropped:0 overruns:0 frame:0
              TX packets:282990 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2421527725 (2.2 GiB)  TX bytes:116875391 (111.4 MiB)
              Interrupt:209

Here are the related logs from radiusd -X:

    radiusd: Loading Clients
     client 127.0.0.1 {
            require_message_authenticator = no
            secret = testing123
            shortname = localhost
            nastype = other
     }
     client 10.10.0.0/16 {
            require_message_authenticator = no
            secret = test
            shortname = test-net
     }
     client goya {
            ipv6addr = fe80::215:17ff:fed0:d278   IPv6 address [fe80::215:17ff:fed0:d278]
            require_message_authenticator = no
            secret = test
            shortname = test-net
     }
    ...
    radiusd: Opening IP addresses and Ports
    listen {
            type = auth
            ipv6addr = ::   IPv6 address [::]
            port = 0
    }
    listen {
            type = acct
            ipv6addr = ::   IPv6 address [::]
            port = 0
    }
    listen {
            type = control
     listen {
            socket = /usr/local/var/run/radiusd/radiusd.sock
     }
    }
    listen {
            type = auth
            ipaddr = 127.0.0.1
            port = 18120
    }
    ...
     ... adding new socket proxy address * port 53193
    Listening on authentication address :: port 1812
    Listening on accounting address :: port 1813
    Listening on command file /usr/local/var/run/radiusd/radiusd.sock
    Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Listening on proxy address :: port 1814
    Ready to process requests.
    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
    Ready to process requests.
    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140
    Ready to process requests.
    Ignoring request to authentication address :: port 1812 from unknown client fe80::215:17ff:fed0:d278 port 43140

Thanks in advance,
Mike
Re: Any One-Time password system.
On Tuesday, 14 May 2013, 09:53:30, Sergii Bieliaievskyi wrote:
> :) I am using the FreeBSD distro. People! Help me please. I will take into consideration any suggestion concerning OTP, any open source project, just anything.

I tried motp. Works nice. You can install the OTP generator on your smartphone. See: http://sys4.de/en/blog/2013/03/16/otp-freeradius/

-- 
Kind regards,
Michael Schwartzkopff
Re: Any One-Time password system.
On Tuesday, 14 May 2013, 10:26:17, Sergii Bieliaievskyi wrote:
> I am reading about MOTP and really hope to implement it in my network. Could I count on your help if I have difficulties?

Of course. That is what the mailing list exists for. On the other hand I earn my money with consulting ;-)

Kind regards,
Michael Schwartzkopff
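The two replies above recommend mOTP (Mobile-OTP) without saying how a server checks such a token, so here is an added example in Python of the verifying side. It is not code from the thread, from FreeRADIUS or from the mOTP project; it implements the mOTP scheme as the project publishes it (token = first 6 hex digits of MD5(counter + secret + PIN), counter = Unix time / 10), and the acceptance window of 18 steps either way (3 minutes) and the replay cache are my own design choices, not part of the scheme.

```python
"""Server-side verifier for Mobile-OTP (mOTP) tokens.

Added example; not code from the thread, from FreeRADIUS or from the mOTP
project. The token computation follows the published mOTP scheme: the first 6
hex digits of MD5(counter || secret || PIN), where the counter is the Unix
time in seconds divided by 10, the secret is the 16-hex-character init secret
generated on the phone, and the PIN is the user's 4-digit PIN.
The +/-3-minute window and the replay protection below are my own choices.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

STEP_SECONDS = 10          # mOTP advances the counter every 10 seconds


def motp_counter(epoch_seconds: float) -> int:
    return int(epoch_seconds) // STEP_SECONDS


def motp_token(secret: str, pin: str, epoch_seconds: float) -> str:
    """What the phone app computes; used here only to produce test input."""
    material = f"{motp_counter(epoch_seconds)}{secret}{pin}".encode("ascii")
    return hashlib.md5(material).hexdigest()[:6]


class MotpVerifier:
    """Checks a submitted token against a window of counters around 'now' and
    never accepts a counter at or below the last accepted one for that user,
    which is what stops a captured token from being replayed."""

    def __init__(self, window_steps: int = 18) -> None:
        self.window_steps = window_steps                 # 18 * 10 s = 3 minutes each way
        self._users: Dict[str, Tuple[str, str]] = {}    # user -> (secret, pin)
        self._last_counter: Dict[str, int] = {}         # user -> last accepted counter

    def enroll(self, user: str, secret: str, pin: str) -> None:
        self._users[user] = (secret, pin)

    def verify(self, user: str, token: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        creds = self._users.get(user)
        if creds is None:
            return False                                 # unknown user, no detail leaked
        secret, pin = creds
        token = token.strip().lower()
        if len(token) != 6:
            return False
        centre = motp_counter(now)
        floor = self._last_counter.get(user, -1)
        for offset in range(-self.window_steps, self.window_steps + 1):
            counter = centre + offset
            if counter <= floor:
                continue                                 # already used, or older than a used one
            candidate = hashlib.md5(f"{counter}{secret}{pin}".encode("ascii")).hexdigest()[:6]
            if hmac.compare_digest(candidate, token):    # constant-time comparison
                self._last_counter[user] = counter       # burn this counter for the user
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment data, not a real secret.
    v = MotpVerifier()
    v.enroll("alice", "0123456789abcdef", "1234")
    now = time.time()
    tok = motp_token("0123456789abcdef", "1234", now)
    print("first use:", v.verify("alice", tok, now + 5))    # True
    print("replay:   ", v.verify("alice", tok, now + 20))   # False
```

The replay check is the part worth copying: without it, anyone who sees a token on the wire (PAP carries it in User-Password) can reuse it for the remaining three minutes of the window.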
Re: Config for 802.1x use on network switches
On Wednesday, 8 May 2013, 12:29:44, Nikolaos Milas wrote:
> On 7/5/2013 2:37 μμ, Michael Schwartzkopff wrote:
>> http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>
> Thank you Michael for your valuable feedback, esp. the link above.
>
> By the way, I've been pointed to http://www.packetfence.org for a more integrated system, which also supports 802.1x, and it looks nice and clean. It works with FreeRADIUS too. Any experience with it? Any advice?
>
> Thanks in advance,
> Nick

Depending on your needs it might be a little bit oversized. It seems to integrate everything that someone might ever need. But if you need that functionality you might give it a try. If you only need 802.1x for a handful of switches, plain FreeRADIUS with a *SQL database in the backend is perhaps the right choice for you.

Greetings,

-- 
Michael Schwartzkopff
Re: Config for 802.1x use on network switches
On Tuesday, 7 May 2013, 14:27:35, Nikolaos Milas wrote:
> Hello,
> We would like to enforce authentication for all clients connecting to our network (wired or wireless), so that when a client connects, the client will not be able to use the network unless it successfully authenticates (e.g. via web) with a valid account (LDAP-based).
>
> We have a network based mainly on Cisco 2950/2960 switches.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/sw8021x.html or search for your switch and IOS version.

> We are running a central LDAP Server (openldap) where we hold user accounts, which are used for mail, ftp, web, Shibboleth access.
>
> I guess we can enable 802.1x on switches and require authentication of clients over freeradius. Is there a suggested sample freeradius configuration for such use? Can you please provide one or point me to a URL for it?

Read the rlm_ldap file in the doc directory. Quite old, but still works: http://vuksan.com/linux/dot1x/802-1x-LDAP.html

> Can you share your experience and any pitfalls we should consider?

Pitfalls:
- Devices that do not speak 802.1x, i.e. printers.
- Devices with more than one MAC address, i.e. laptops with virtual machines.
- Devices of users that are not in your LDAP, i.e. consultants, guests.
- Devices behind IP phones (two MAC addresses!).

Perhaps you need to mess around with guest, restricted, and voice VLANs.

> Any experiences on such use? Does this scale well (for about 20-30 switches)? Should we consider a central management solution? (Which?)

LDAP scales well. FreeRADIUS will not have any performance problem. Perhaps you get a lot of work taking care of all the MAC addresses of your non-802.1x devices. A customer of mine has a database with 120.000 MAC addresses ...

-- 
Kind regards,
Michael Schwartzkopff
Re: Cisco av-pair for NX-OS and IOS
On Thursday, 7 February 2013, 23:51:34, Norman Zhang wrote:
> Hi,
> Using freeradius2-2.1.12. I need to set up read-write access for both Cisco NX-OS and IOS devices. I did the following,
>
>     DEFAULT Group == operator-rw, Auth-Type = System
>             Service-Type = NAS-Prompt-User,
>             cisco-avpair := shell:roles*\network-admin vdc-admin priv-lvl=15\
>
> I can log into both NX-OS and IOS devices; however, IOS devices only permit exec mode, not the privileged exec (enable) mode. Not sure if I'm doing something wrong on the syntax. Can someone give me a few pointers?
>
> Norman

Hi,

Please read http://wiki.freeradius.org/vendor/Cisco, especially the section Command Authorization, last paragraph. Your configuration should work, but in a move by Cisco to make TACACS superior to RADIUS they compiled their IOS so that this AV pair does not work. I have a feature request at Cisco to improve the situation. I am really looking forward to when Cisco will implement it.

Greetings,

-- 
Michael Schwartzkopff
Re: Active Directory + LDAP + groups for dynamic VLAN assignment
> host 127.0.0.1 port 48400, id=1, length=250
>         User-Name = mceroni
>         NAS-IP-Address = 127.0.0.1
>         Calling-Station-Id = 02-00-00-00-00-01
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = CONNECT 11Mbps 802.11b
>         EAP-Message = 0x0201007a19800070160301006b0167030150ee101279602ec4eddc8d6cfc926da85eee0e034a2c20ea6abd4fd75e1ea5553a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff01040023
>         State = 0x2a1689d42a17904c9b87561fac99b7b3
>         Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e
>
> But in the final response those attributes are not there.
>
> Sending Access-Accept of id 9 to 127.0.0.1 port 48400
>         MS-MPPE-Recv-Key = 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e
>         MS-MPPE-Send-Key = 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x
>         User-Name = mceroni
>
> Any help would be appreciated.
> Thanks

Hi,

please set use_tunneled_reply = yes in the outer tunnel. Then FR copies the attributes from the inner tunnel to the outer reply.

Greetings,

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: Different BaseDN for User/Group Objects in rlm_ldap
On Wednesday, 9 January 2013, 09:29:48, Rudolph Bott wrote:
> Hi List,
> we are currently using rlm_ldap to check against an LDAP backend, which works fine so far. rlm_ldap is configured to use a BaseDN of ou=poeple,dc=example,dc=org. We have also specified a group membership filter and are trying to enforce group memberships via the combination of the huntgroups file and Ldap-Group settings in the users file. According to the debug output, this seems to work (since freeradius is trying to find the groups specified in the users file). However, our groups are stored underneath ou=groups,dc=example,dc=org - so rlm_ldap is not able to find them with the basedn shown above. We are also not able to change the basedn to something else, since there is a different user tree underneath dc=example,dc=org which should not be taken into account by freeradius.
>
> Is there a possibility to set a different basedn for group lookups OR another feasible solution (e.g. modify the filter...?).
>
> Filter and groupmembership_filter are currently set to:
>
>     filter = (uid=%{Stripped-User-Name:-%{mschap:User-Name}})
>     groupname_attribute = cn
>     groupmembership_filter = (objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})
>
> Debug output states this:
>
>     rlm_ldap: performing search in ou=poeple,dc=example,dc=org, with filter (&(cn=GROUP-NAME-FROM-USERS-FILE)(objectClass=posixGroup)(memberUid=LOGIN-USER))

Change the baseDN in the ldap module configuration of FR to dc=example,dc=org.

-- 
Dr. Michael Schwartzkopff
Re: attribute type error
On 1/7/2013 22:48 PM, Yashaswini Sathyanarayana wrote:
> Hi,
> By default all standard attributes like user-name, user-password are of type 1 and length 1. But kineto attributes are of type 2 and length 2. So is there a way to make the RFC-2865 dictionary that is added in free radius to type 2? Please help.

The format is 2,1 not 2,2. The dictionary file specifically tells us FreeRadius understands the format.

    # Note: format=2,1 indicates to freeRADIUS that vsaType=2bytes, and vsaLen=1byte
    #
    VENDOR Kineto 16445 format=2,1

FreeRadius can handle these long tag VendorSpecific attributes.
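To make the "format=2,1" point concrete, here is an added Python example (not code from the thread or from FreeRADIUS) that splits a RADIUS Vendor-Specific attribute into its vendor sub-attributes using a configurable type-field and length-field size, the same two numbers the dictionary's format=T,L keyword carries. It generalises beyond the thread: it also handles the default 1,1 layout and the length-less T,0 layout, and it shows what goes wrong when 2,1 data is decoded with the 1,1 default. The sample bytes, the Kineto vendor id from the quoted dictionary line, and the vendor id 99999 used for the T,0 case are constructed test input, and the builder exists only to produce that input.

```python
"""Decode RADIUS Vendor-Specific attributes whose vendor sub-attribute header
is not the usual one-byte type / one-byte length.

Added example; not code from the thread or from FreeRADIUS. The FreeRADIUS
dictionary keyword "format=T,L" (T = size of the vendor-type field, L = size
of the vendor-length field) is what the reply refers to; the Kineto dictionary
quoted in the thread declares format=2,1. Wire layout per RFC 2865 section
5.26: type 26, attribute length, 4-byte Vendor-Id, then vendor sub-attributes
whose length field (when present) covers the whole sub-attribute, header
included. All sample bytes below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 26
KINETO_VENDOR_ID = 16445       # from the dictionary line quoted in the thread
DEFAULT_FORMAT = (1, 1)        # what a dictionary without format=... implies


@dataclass
class VendorAttr:
    vendor_id: int
    vendor_type: int
    value: bytes


def build_vsa(vendor_id: int, subattrs: List[Tuple[int, bytes]],
              type_len: int = 1, len_len: int = 1) -> bytes:
    """Encode sub-attributes into one Vendor-Specific attribute (test input only)."""
    body = b""
    for vtype, value in subattrs:
        hdr = vtype.to_bytes(type_len, "big")
        if len_len:
            hdr += (type_len + len_len + len(value)).to_bytes(len_len, "big")
        body += hdr + value
    total = 2 + 4 + len(body)
    if total > 255:
        raise ValueError("attribute too long for a one-byte RADIUS length")
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", vendor_id) + body


def parse_vsa(attr: bytes, formats: Dict[int, Tuple[int, int]]) -> List[VendorAttr]:
    """Split a Vendor-Specific attribute into vendor sub-attributes.

    'formats' maps Vendor-Id -> (type_len, len_len), like the dictionary's
    format=T,L; unknown vendors fall back to 1,1. Malformed input raises
    ValueError rather than being guessed at, which is the safe choice for
    anything that parses packets from the network."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    type_len, len_len = formats.get(vendor_id, DEFAULT_FORMAT)
    data = attr[6:]
    out: List[VendorAttr] = []

    if len_len == 0:
        # No vendor-length field: a single sub-attribute fills the rest.
        if len(data) < type_len:
            raise ValueError("truncated vendor-type")
        vtype = int.from_bytes(data[:type_len], "big")
        out.append(VendorAttr(vendor_id, vtype, data[type_len:]))
        return out

    hdr = type_len + len_len
    pos = 0
    while pos < len(data):
        if len(data) - pos < hdr:
            raise ValueError("truncated sub-attribute header")
        vtype = int.from_bytes(data[pos:pos + type_len], "big")
        vlen = int.from_bytes(data[pos + type_len:pos + hdr], "big")
        if vlen < hdr or pos + vlen > len(data):
            raise ValueError(f"bad vendor-length {vlen} at offset {pos}")
        out.append(VendorAttr(vendor_id, vtype, data[pos + hdr:pos + vlen]))
        pos += vlen
    return out


if __name__ == "__main__":
    sample = build_vsa(KINETO_VENDOR_ID, [(300, b"abc"), (2, b"\x00\x01")], type_len=2, len_len=1)
    for a in parse_vsa(sample, {KINETO_VENDOR_ID: (2, 1)}):
        print(a)
    try:
        parse_vsa(sample, {})          # decoded as 1,1: 0x2c is read as a length of 44
    except ValueError as e:
        print("decoded with the wrong format:", e)
```

The failure in the last lines is exactly why the dictionary has to carry the right format: with the default 1,1 layout the second byte of a two-byte type (0x012c) is taken as the length, and the sub-attribute boundaries are lost.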
Re: Lost user
On Wednesday, 26 December 2012, 15:31:18, Dmitry Korzhevin wrote:
> Hi, Alan
> Currently, I found only one such user. On the NAS I use pptp, ipsec (strongswan), L2TP/ipsec - all services use radius as auth server.

Do these applications send RADIUS accounting information? How did you set it up? Did you follow the accounting packets with tcpdump on the line? Did you try to run your radius server in debug mode?

-- 
Dr. Michael Schwartzkopff
Re: Freeradius stops. Received HUP signal.
substance SUBSTANCE wrote:
> Why does FreeRADIUS receive that HUP signal? Can I disable it, or should I update the FreeRADIUS software?

I had the same problem. This version of Freeradius should not be HUP'ed, it seems. I found this info by searching the archives. The problem is that Ubuntu and Debian do that by default once a day in /etc/logrotate.d/freeradius. You should be fine by replacing "/etc/init.d/freeradius reload" with "/etc/init.d/freeradius restart" in that file. Disclaimer: untested by me. In my case I upgraded to a more recent version. But this is far more hassle.

hth,
Michael
Re: Problem with freeradius + openldap for AP authentication
> Hiya
> I need some help to configure freeradius with openldap. I have an ldap database which stores passwords in SSHA format, so I chose PAP for authentication. I want to use freeradius to authenticate on a Netgear WiFi access point. (http://deployingradius.com/documents/protocols/compatibility.html)
>
> I've set up the AP as a client in freeradius in clients.conf, with a secret and shortname like in the documentation. Next I've put auto_header = yes in pap.conf, and uncommented the line "ldap" to activate the module in sites-enabled/default.
>
> When I start the server in debug mode, authorization works fine but the server has problems at the authentication step and I don't understand why. Here are the debug comments:
>
>     rad_recv: Access-Request packet from host 192.168.0.201 port 32774, id=85, length=169
>             User-Name = cyril
>             NAS-IP-Address = 192.168.0.201
>             NAS-Identifier = hello
>             NAS-Port = 0
>             Called-Station-Id = 4C-60-DE-D2-22-61:easyBridge2
>             Calling-Station-Id = 7C-C5-37-14-16-C9
>             Framed-MTU = 1400
>             NAS-Port-Type = Wireless-802.11
>             Connect-Info = CONNECT 0Mbps 802.11b
>             EAP-Message = 0x020e016e6c61746869657265
>             Message-Authenticator = 0x2bf3ec3446adc97ea15c4c160ee8b0bb
>     Thu Nov 22 15:04:36 2012 :

Since your 802.1X supplicant does not send a User-Password, it seems that you configured some kind of EAP (802.1X) in the network authentication settings of your client (notebook). You also have an EAP-Message attribute in your Access-Request packet. And according to the protocol compatibility matrix you mentioned, SSHA and *EAP will not work.

-- 
Dr. Michael Schwartzkopff
Re: FreeRadius Novice problems
> Hello,
> (...)
> 1. How do I create users that have a specific vlan attached to them (say user2 will always associate Vlan2 when connected), user1 is untagged so it's vlan1, user2 is attached to vlan2 and so on and so on.

Normally you assign the VLAN with the attributes Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2.

> a. As I explained I have one user (untagged) running and working, but I would like to prevent the locking of this user so a lot of connections will be allowed to use the same Username (this is a lab environment not production)

read: simultaneous-use.

> 2. Accounting: how do I enable accounting?

Is enabled by default. Or do you mean accounting to SQL? - read the docu.

> a. How do I view the accounting file for each connected user?

write a parser that parses the accounting file.

> i. And since I have MySQL installed is there a way to view this on a GUI?

Please ask on a MySQL list for a MySQL GUI.

> b. Can I have accounting for non-authenticated users (since this is a Wifi testing lab we need the user to be in open mode and also enable accounting) – how?

No. not authenticated - no information in RADIUS.

> 3. GUI: is there a management GUI for FreeRadius and if so how do I install it?

dialupadmin, daloradius. Please see the documentation of these packages.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: Complex eduroam radius design
> Hello,
>
> We're planning to deploy eduroam centrally for all the university of applied science of west-switzerland (consists of ~27 schools and 25'000 people). On one side, we will have the central radius servers, connected to the central ldap backend which contains all the user accounts. On the other side, we will have local radius servers (about 7 pairs of servers, because the schools are grouped regionally and under a central management).
>
> The idea is the following: the user joins the WLAN (802.1x, eduroam). The WiFi controller (nas) contacts the local radius for authentication, which in turn contacts the central radius to authenticate the user. Upon successful authentication, the central radius returns the Access-Accept along with some custom attributes about the user. The local radius then performs admission control based on those attributes (selecting the correct vlan, subnet, etc.).
>
> So I have two questions:
>
> 1. is this implementation possible?

Yes.

> 2. If it is possible, will the inner-tunnel for eap-peap and eap-ttls end on the local or central radius, taking into account that the authentication is performed by the central radius. (I'll go for the central one)

EAP tunnel will end on the end system. Attributes from inside the tunnel can be copied to the outside RADIUS protocol. These attributes can be seen from the NAS. So they can react as configured.

Greetings,
-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: User authorize with Perl-Script
> Hello,
>
> I'm using FreeRADIUS in Version 2.1.10. I would like to configure my Switch-Ports Mac-Based. When a Computer is wired, a Perl-Script should check the Username and give the VLAN back.

Why so complicated? FreeRADIUS can do this out of the box, provided the NAS (switch) can do this.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: FreeRadius AAA running in fail over mode
> Dear Community of FreeRadius
>
> Greetings, I am not new to open source Linux / Unix systems but new to FreeRadius. Has anyone got FreeRadius AAA running in fail over mode (replication)?

Yes.

> Is it possible to download an .ovf template from somewhere, with FreeRadius already configured, up and running?

Install freeradius. Nearly everything works out of the box.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: freeRadius against Active Directory
> Hi,
>
> I thought the whole meaning of binding a freeRadius to an Active Directory is that from now on I just have to configure Users in the AD. So every device I want to authenticate on asks the FR which then asks the AD. So the AD will answer if the User is valid and which Service-Type he has. On my AD Server I installed the Role NPS, configured a RADIUS-Client and some Network Policies. Maybe I am on the right way, maybe not... :-(
>
> The AD successfully tells the FR if the user is valid, just that Service-Type is missing.
>
> Martin

hi,

as stated in the doc on deployingradius: "In this configuration, we are using Active Directory as an authentication oracle, and not as an LDAP database."

So it seems that you will not get any attributes back from AD. If your NAS expects the Service-Type attribute you would have to add it on the fly from your FreeRADIUS configuration.

Greetings,
-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: Cloud Radius Server
Thank you all for your input. I would be managing the Radius servers hosted by someone like HostGator or Rackspace.

On Thu, Sep 27, 2012 at 4:39 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 09/26/2012 11:42 PM, Michael Geary wrote:
>> Good Evening,
>> We have several separate networks. Our main network runs PPPoE while all of the others run over DHCP. I would like to migrate the DHCP networks to use PPPoE.
>
> I assume these are Ethernet-over-ADSL lines and you want to move away from static DSLAM port config, and to @isp.com dynamic routing?

We are a fixed-terrestrial wireless internet service provider.

>> Currently, our Radius server resides at the head end of our PPPoE network. I would like to remove the chance that if the Internet failed there, that no one on the separate networks would be able to authenticate.
>
> So the other networks have separate internet connectivity?

Yes, they are located throughout Vermont, New Hampshire and Massachusetts.

>> Has anyone had any experience with using a Radius server in the cloud to authenticate users?
>
> Personally, I'd never do it. FreeRADIUS performs well on commodity hardware, so just build more RADIUS servers and put them in various locations e.g. one in each remote location. Presumably you have DHCP servers in those locations now - the same hardware would probably suffice, since the load should be approximately the same.
>
> However, as Fajar says, if you want to cloud it there's nothing magic - RADIUS is just UDP/IP packets, so running it in the cloud should work fine. Couple of things to watch out for:
>
> 1. RADIUS shared-secrets are keyed off source IP and destination IP/port. We occasionally see people who've painted themselves into a corner with NAT, or NASes on dynamic, unknown-prior IPs. Think carefully about how you'll avoid this issue, particularly if your NASes are on private IPs.
>
> This is not usually a problem over an internal network.
>
> 2. Normal radius doesn't encrypt (but does sign) the entire packet. Only selected fields like User-Password (and EAP payloads that are encrypted by the EAP method). Decide if you care about this - the RADIUS packet will contain things like user names, MAC addresses and so on, and they'll be flowing over an untrusted network. It's probably not a worry, but in the EU at least, I'd be concerned about data protection.
>
> In theory you can solve this with RADSEC. In practice, virtually no NAS supports RADSEC, so you are left with IPSec or some other VPN as an option, or just live with it.

Thank you, I was thinking of connecting them to the internal networks via OpenVPN or IPSec.

> Likewise, not usually a problem over an internal network.
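Phil's point 2 above (RADIUS hides only User-Password and signs the packet) is easier to see in code. The following is an added example written for this archive, not code from the thread and not FreeRADIUS code: it builds an Access-Request the way a NAS would, applies the RFC 2865 User-Password hiding, the RFC 2869 Message-Authenticator and the Response Authenticator, and then lists what an on-path observer of that UDP packet still reads in clear. The shared secret, user name, NAS address and station MAC are constructed values.

```python
"""What is and is not protected in a plain RADIUS exchange (RFC 2865/2869).

Added example, not from the thread: builds an Access-Request the way a NAS
would, hides User-Password with the shared-secret MD5 keystream, signs the
request with Message-Authenticator (HMAC-MD5) and the reply with the Response
Authenticator, then lists which attributes an on-path observer can still read.
All values (secret, user, NAS address, MAC) are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31
MESSAGE_AUTHENTICATOR = 80          # RFC 2869


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, then c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only possible with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Type-Length-Value; length counts the 2-byte header (value at most 253 bytes)."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet):
    attrs, i = [], 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2:
            break                     # malformed attribute, stop rather than loop
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, secret, username, password, nas_ip, calling_station, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # Request Authenticator: random per packet
    attrs = (avp(USER_NAME, username)
             + avp(USER_PASSWORD, hide_password(password, secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(CALLING_STATION_ID, calling_station))
    # Message-Authenticator = HMAC-MD5(secret, whole packet with this attribute zeroed)
    with_zero = attrs + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(with_zero)) + authenticator
    mac = hmac.new(secret, header + with_zero, hashlib.md5).digest()
    return header + attrs + avp(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Fails for a modified attribute or for a request sent under a different secret."""
    zeroed, found, i = bytearray(packet), None, 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            found = bytes(packet[i + 2:i + 18])
            zeroed[i + 2:i + 18] = b"\x00" * 16
        i += length
    if found is None:
        return False
    return hmac.compare_digest(found, hmac.new(secret, bytes(zeroed), hashlib.md5).digest())


def build_access_accept(request, secret, reply_attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(reply_attrs))
    resp_auth = hashlib.md5(head + request[4:20] + reply_attrs + secret).digest()
    return head + resp_auth + reply_attrs


def verify_response(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def visible_to_observer(packet):
    """Attributes readable on the wire without the secret. The User-Password
    ciphertext is also visible but useless without the secret."""
    return {t: v for t, v in parse_attributes(packet) if t not in (USER_PASSWORD, MESSAGE_AUTHENTICATOR)}


if __name__ == "__main__":
    secret = b"testing123"           # constructed shared secret
    req = build_access_request(7, secret, b"bob", b"bob", "192.168.25.1", b"02-00-00-00-00-01")
    print("readable in clear on the wire:", visible_to_observer(req))
    print("request signature verifies:", verify_message_authenticator(req, secret))
```

The two verify functions are all the integrity protection a plain RADIUS server has without RADSEC or a VPN: a wrong secret or a modified attribute fails the HMAC and the Response Authenticator, but nothing prevents User-Name and Calling-Station-Id from being read on the way, which is the data-protection exposure Phil describes.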
Cloud Radius Server
Good Evening,

We have several separate networks. Our main network runs PPPoE while all of the others run over DHCP. I would like to migrate the DHCP networks to use PPPoE. Currently, our Radius server resides at the head end of our PPPoE network. I would like to remove the chance that if the Internet failed there, no one on the separate networks would be able to authenticate.

Has anyone had any experience with using a Radius server in the cloud to authenticate users?

Thank you very much,
-- 
Michael Geary
GAW High-Speed Internet
72 Shaker Rd. Enfield, CT 06082
http://www.gaw.com/
Office: 877.543.8429 Direct: 413.203.4911 Cell: 413.218.1446 Fax: 877.816.7068
net...@gaw.com
Re: Reporting from logs
> Hi guys,
>
> We are new to eduroam and we are using FreeRadius for authentication and connection to national proxies. Just wondering what kind of reporting you have managed to get out of the FreeRadius logs; we wanted some user-friendly reports with user numbers, successful and failed attempts, what realms were used and their numbers, even possibly bandwidth consumed per user. Daily, weekly and monthly reports. Would be grateful to find out what everyone is using to achieve this, and if someone has some sample reports that would be great.
>
> Cheers
> Paulo

Hi,

you could use the status server to get the interesting figures: http://wiki.freeradius.org/config/Status

With a simple script/cronjob you can feed these data into a RRD and generate nice graphs.

Greetings,
-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: Radius Config and Router
> Hello;
>
> I have configured the radius and some servers to authenticate through the Radius. I can authenticate well from the servers but the same is not working on the routers. Users have been created on the router as a test before implementation. The log file has credentials that I have not created. Thanks to assist

According to your log you messed up your config. Please restore the users file with the help of the original file. Then add the correct entries copying the samples from the original file.

Greetings,
-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: Accounting pakets on layer 2
> Hello!
>
> Excuse me please, if this is the wrong list for my question! If I have an AccessPoint working on layer 2 like the ALL0278, how are accounting packets generated and sent to the radius-server on port 1813? Which application is responsible for generating those packets?
>
> Thank you!
> Andreas

See section Security Settings - WPA-802.1x or section Security Settings - 802.1x of the ALLNET manual.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
Re: New FreeRADIUS Deployment
> Dear friends,
>
> I searched the list archive, but I couldn't find anything about this. I need to correctly design and deploy a brand new FreeRADIUS server. It will receive about 25.000 simultaneous users, so I'm planning to have, at least, two servers. My questions are:
>
> 1. What would be recommended server hardware (memory, disk, CPU, ...) and software (Linux distribution, kernel version, ...)?

Should be possible with off-the-shelf hardware. Some middle-class server should be enough.

> 2. How could I synchronize both servers' users? I mean, in the beginning, I'd have two separate /etc/shadow files but this is not scalable. I need to share a single file between both servers. Is it possible? How?

more than 10.000? You should use a SQL backend storage. use the replication scheme of the SQL database. Or use DRBD to replicate disk partitions.

> 3. Any recommendations for the backup policy?

Ordinary backup solution of the SQL database.

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
RE: Radius reject the request
Pretty sure when you installed it the users file that is being used is not in your home directory. I am pretty sure that if you were to look in output.txt you would be able to see what users file is being used.

Michael
-- 
Michael J. Hartwick, VE3SLQ hartw...@hartwick.com
Hartwick Communications Consulting
(519) 396-7719 Kincardine, ON, CA
http://www.hartwick.com

-----Original Message-----
From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org [mailto:freeradius-users-bounces+hartwick=hartwick.com@lists.freeradius.org] On Behalf Of Reza Hajjizadeh
Sent: Saturday, July 21, 2012 02:29
To: freeradius-users@lists.freeradius.org
Subject: Radius reject the request

Hello

I'm a newbie in Linux. I installed a new radius server as http://wiki.freeradius.org/Build explains:

    tar zxvf freeradius-server-2.1.12.tar.gz
    ./configure
    make
    su - root
    make install

edit /home/reze/freeradius-server-2.1.12/users, at the top of the file add

    testing Cleartext-Password := 123456

and start radius

    #radius -X > output.txt

on another terminal type

    #radtest resting 123456 127.0.0.1 10 testing123

but it rejects the request. Please help me to solve this problem.

Best Regards
RE: dalo(free)radius authentication problem
Not sure why you are posting about daloradius on a FreeRADIUS list, but a 2 second look says you have the port numbers wrong.

Michael
-- 
Michael J. Hartwick, VE3SLQ hartw...@hartwick.com
Hartwick Communications Consulting
(519) 396-7719 Kincardine, ON, CA
http://www.hartwick.com

-----Original Message-----
From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org [mailto:freeradius-users-bounces+hartwick=hartwick.com@lists.freeradius.org] On Behalf Of Soul -
Sent: Wednesday, July 11, 2012 04:17
To: freeradius-users@lists.freeradius.org
Subject: dalo(free)radius authentication problem

Dear ALL

I was following the guide from the following page with these commands, but when testing, the Radius server is not responding.

For the setup on the newest Ubuntu server:

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install mysql-server
    sudo apt-get install php5-gd php-pear php-db
    sudo apt-get install freeradius freeradius-mysql
    sudo apt-get install phpmyadmin

On the DaloRadius setup:

    wget .. 9-9.tar.gz
    tar -zxvf daloradius-0.9-9.tar.gz
    mv daloradius-0.9-9 daloradius
    sudo cp daloradius/ /var/www -R
    sudo chown www-data:www-data /var/www/daloradius -R
    sudo chmod 644 /var/www/daloradius/library/daloradius.conf.php

Database setup:

    cd /var/www/daloradius/contrib/db/
    mysql -u root -p
    Enter 'mySqlPassword'
    mysql> CREATE DATABASE radius;
    mysql> quit
    mysql -u root -p radius < fr2-mysql-daloradius-and-freeradius.sql

Database connection setup:

    cd /var/www/daloradius/library/
    sudo nano -w daloradius.conf.php
    $configValues['FREERADIUS_VERSION'] = '2';
    $configValues['CONFIG_DB_PASS'] = 'mySqlPassword';
    $configValues['CONFIG_DB_TBL_RADUSERGROUP'] = 'radusergroup';

Installation completed; login page to create users:

    http://your ip address/daloradius
    username: administrator
    password: radius

When I test it, it shows no response from the server. The NAS setting is matched; the log file from the Daloradius shows "Error: Ignoring request to authentication address". Could it be due to a setup error, or? Following the guidance from the web, everything in the setup ran well; running freeradius -X shows:

    ~Listening on authentication interface eth0 *port 1812
    ~Listening on accounting *port 1813
    ~Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    ~Ready to process request.

What could be wrong and which part should I check? Router debugging output:

    R1#
    *Mar 1 00:03:05.639: AAA/BIND(0003): Bind i/f
    *Mar 1 00:03:05.643: AAA/AUTHEN/LOGIN (0003): Pick method list 'default'
    *Mar 1 00:03:05.651: RADIUS/ENCODE(0003): ask Username:
    *Mar 1 00:03:05.651: RADIUS/ENCODE(0003): send packet; GET_USER
    R1#
    *Mar 1 00:03:07.359: RADIUS/ENCODE(0003): ask Password:
    *Mar 1 00:03:07.363: RADIUS/ENCODE(0003): send packet; GET_PASSWORD
    *Mar 1 00:03:08.795: RADIUS/ENCODE(0003):Orig. component type = EXEC
    *Mar 1 00:03:08.799: RADIUS: AAA Unsupported Attr: interface [174] 5
    *Mar 1 00:03:08.799: RADIUS: 74 74 79 [tty]
    *Mar 1 00:03:08.799: RADIUS/ENCODE(0003): dropping service type, radius-server attribute 6 on-for-login-auth is off
    *Mar 1 00:03:08.803: RADIUS(0003): Config NAS IP: 0.0.0.0
    *Mar 1 00:03:08.803: RADIUS/ENCODE(0003): acct_session_id: 1
    *Mar 1 00:03:08.803: RADIUS(0003): sending
    *Mar 1 00:03:08.807: RADIUS/ENCODE: Best Local IP-Address 192.168.44.1 for Radius-Server 192.168.44.129
    *Mar 1 00:03:08.811: RADIUS(0003): Send Access-Request to 192.168.44.129:1645 id 1645/1, len 84
    *Mar 1 00:03:08.811: RADIUS: authenticator 7D F1 9D 12 60 81 DE 8C - FC 0B A4 96 E1 CD 71 E8
    *Mar 1 00:03:08.811: RADIUS: User-Name [1] 6 test
    *Mar 1 00:03:08.815: RADIUS: User-Password [2] 18 *
    *Mar 1 00:03:08.815: RADIUS: NAS-Port [5] 6 98
    *Mar 1 00:03:08.815: RADIUS: NAS-Port-Id [87] 7 tty98
    *Mar 1 00:03:08.815: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
    *Mar 1 00:03:08.819: RADIUS: Calling-Station-Id [31] 15 192.168.44.10
    *Mar 1 00:03:08.819: RADIUS: NAS-IP-Address [4] 6
Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept
Hi

I have set up WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu 10.04.4 with an OpenLDAP backend, and can successfully authenticate using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and using eapol_test). I am now trying to restrict access to specific SSIDs based on the LDAP groups which users belong to. From what I can gather, I need to add appropriate rules to /etc/freeradius/users which match the SSID/group combinations, and reject everything else. The problem I'm having is with the default reject, not the SSID/group matching.

My first attempt was this:

    DEFAULT Ldap-Group == employees
    DEFAULT Auth-Type := Reject

But this immediately rejects the Access-Request in the outer tunnel, because the anonymous user is not in the employees group. I then modified it to this so that it only matches inner tunnel requests:

    DEFAULT Ldap-Group == employees
    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
            Auth-Type := Reject, Reply-Message = User does not belong to any groups which may access this SSID.

The inner tunnel Access-Request is now sent and members of the employees group are accepted, but non-members are not actually rejected. I see the users entry being matched, and the Reply-Message is even set, but the server responds with Access-Accept and eapol_test reports SUCCESS.

    Debug: rlm_ldap::ldap_groupcmp: Group employees not found or user is not a member.
    Info: [files] users: Matched entry DEFAULT at line 209
    Info: ++[files] returns ok
    ...
    Auth: Login OK: [mgorven] (from client test port 0 cli 02-00-00-00-00-01 via TLS tunnel)
    Info: WARNING: Empty section. Using default return values.
    ...
    Info: [peap] Got tunneled reply code 2
        Auth-Type := Reject
        Reply-Message = User does not belong to any groups which may access this SSID.
    ...
    Info: [peap] Got tunneled reply RADIUS code 2
        Auth-Type := Reject
        Reply-Message = User does not belong to any groups which may access this SSID.
    ...
    Info: [peap] Tunneled authentication was successful.
    Info: [peap] SUCCESS
    Info: [peap] Saving tunneled attributes for later
    ...
    Sending Access-Accept of id 11 to 172.16.2.44 port 60746
        Reply-Message = User does not belong to any groups which may access this SSID.
        User-Name = mgorven

eapol_test receives an Access-Accept with the Reply-Message set.

    RADIUS message: code=2 (Access-Accept) identifier=11 length=233
       Attribute 18 (Reply-Message) length=64
          Value: 'User does not belong to any groups which may access this SSID.'
       Attribute 1 (User-Name) length=9
          Value: 'mgorven'
    ...
    SUCCESS

Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and TTLS sections, but this didn't make a difference. How do I actually reject an inner tunnel request?

Michael
-- 
http://michael.gorven.za.net
PGP Key ID 1E016BE8
Re: Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept
On 12/06/2012 14:08 PDT, Alan DeKok wrote:
> Note that everything BUT the Reply-Message belongs on the first line with the DEFAULT. The Reply-Message belongs on the second line.

*sigh*, moving the Auth-Type := Reject to the first line fixed this. I thought that Auth-Type was a reply item and therefore went on the second line. Thank you for your assistance.

Michael
-- 
http://michael.gorven.za.net
PGP Key ID 1E016BE8
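The distinction Alan makes (check items on the first line, reply items on the indented lines) is what decides whether Auth-Type := Reject takes effect. The block below is an added example, not FreeRADIUS's own rlm_files: a small Python model of the users file that parses both forms of Michael's entry, plus the VLAN entry built from the attributes named in the "FreeRadius Novice problems" thread above, and shows which form produces an Access-Reject. It simplifies rlm_files (no Fall-Through, only the :=, == and = operators, DEFAULT or exact User-Name match, and "no entry matched" is reported as Access-Accept where the real server would leave the decision to other modules); the requests, group names and password are constructed.

```python
"""Model of how rlm_files reads a `users` entry: check items vs. reply items.

Added example (not FreeRADIUS code). First line of an entry = name plus check
items; indented continuation lines = reply items. A `:=` in the check list is a
control item (Auth-Type, Cleartext-Password); the same text on a reply line is
just an attribute copied into the reply, which is why the "broken" entry below
accepts. Simplifications: no Fall-Through, only :=, == and =.
"""
import re

# attribute, operator, value ("quoted" or up to the next comma)
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,\s][^,]*)')


def parse_items(text):
    items = []
    for attr, op, value in ITEM_RE.findall(text):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        items.append((attr, op, value))
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":               # indented continuation: reply items
            entries[-1][2].extend(parse_items(raw))
        else:                             # first line: name + check items
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            checks = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0], checks, []))
    return entries


def check_matches(checks, request):
    """Evaluate check items; returns the control attrs dict, or None on mismatch."""
    control = {}
    for attr, op, value in checks:
        if op == ":=":                    # control item: set, never compared
            control[attr] = value
        else:                             # == (and = in a check list) compares
            have = request.get(attr)
            ok = value in have if isinstance(have, list) else have == value
            if not ok:
                return None
    return control


def authorize(users_text, request):
    """First matching entry wins. Returns (code, control, reply)."""
    for name, checks, replies in parse_users(users_text):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        control = check_matches(checks, request)
        if control is None:
            continue
        reply = {attr: value for attr, _, value in replies}
        # Only a *control* Auth-Type drives the decision; an attribute named
        # Auth-Type in the reply list is merely copied into the Access-Accept.
        code = "Access-Reject" if control.get("Auth-Type") == "Reject" else "Access-Accept"
        return code, control, reply
    return "Access-Accept", {}, {}       # no entry matched (simplification)


MSG = '"User does not belong to any groups which may access this SSID."'

# Michael's second attempt: Auth-Type on the reply line, so nothing is rejected.
USERS_BROKEN = f"""DEFAULT Ldap-Group == employees
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        Auth-Type := Reject, Reply-Message = {MSG}
"""

# The fix Alan points at: everything but Reply-Message on the first line.
USERS_FIXED = f"""DEFAULT Ldap-Group == employees
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Auth-Type := Reject
        Reply-Message = {MSG}
"""

# Per-user VLAN assignment with the attributes from the "Novice problems" thread.
USERS_VLAN = """user2   Cleartext-Password := "secret2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 2
"""

# Constructed inner-tunnel requests; Ldap-Group holds the user's group names.
MEMBER = {"User-Name": "alice", "Ldap-Group": ["employees"], "FreeRADIUS-Proxied-To": "127.0.0.1"}
NONMEMBER = {"User-Name": "mgorven", "Ldap-Group": ["guests"], "FreeRADIUS-Proxied-To": "127.0.0.1"}

if __name__ == "__main__":
    for label, users in (("broken", USERS_BROKEN), ("fixed", USERS_FIXED)):
        print(label, "non-member ->", authorize(users, NONMEMBER)[0])
    print("user2 reply ->", authorize(USERS_VLAN, {"User-Name": "user2"})[2])
```

Running it prints Access-Accept for the non-member under the broken file (with the Reply-Message attached, exactly as eapol_test showed) and Access-Reject under the fixed one; user2 gets the three Tunnel-* reply attributes while Cleartext-Password stays in the control list for the password modules.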
Re: How to configure Solaris 10 Radius Authentication client.
On Jun 4, 2012, at 2:06 PM, Alek Barsky wrote:
> I need to configure a bunch of Solaris servers to use RADIUS PAM for Authentication/Authorization.

PAM only does authentication. After all, it stands for Pluggable Authentication Modules.

> I followed the instructions in http://freeradius.org/pam_radius_auth/ and was able to configure the Authentication portion of this task. There is one problem – the only way I can receive a login shell on this box is if the user already exists.

That's because in addition to PAM you still need some kind of directory to hold all the other user information like user id, group id, home directory, gecos field and preferred shell. /etc/nsswitch.conf determines where that information can be retrieved from (files, NIS, LDAP, DNS, etc.). I am not aware of a solution that lets you use RADIUS as a directory service for Solaris.

- Michael
Address already in use but server is not running
I recently had to install debian 6.0 on one of my servers after a hard drive crash, and while I had freeradius running before, I can't seem to get it running now. I ran sudo apt-get install freeradius and hit enter to accept the additional packages, and I also installed dialup admin with the intention of getting to it after getting freeradius running, but now I am running into trouble with starting freeradius. The install completed without errors, but running sudo ./freeradius -X produces the following:

    Failed binding to authentication address * port 1812: Address already in use
    /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

I can post the full contents of the debug dump, but this appears to be the only point at which an error is encountered. I am quite sure that there is not an instance already running, so I don't know what else could be using the port. Any ideas?
Re: Address already in use but server is not running
I could if I knew how. Manually sifting the output of lsof doesn't appear to include anything pertaining to that socket.
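When the lsof output is hard to sift, the same answer is in /proc/net/udp and /proc/net/udp6: the socket bound to port 1812 (0x0714 in the hex the kernel prints) is listed with its owning UID and inode, and that inode shows up as socket:[N] under /proc/<pid>/fd of the process holding it. The following is an added example, not something from the thread, that does this lookup in Python on Linux; the table it is tested against is a constructed /proc/net/udp excerpt, and the live lookup needs permission to read other processes' fd directories (run it as root).

```python
"""Find which process already holds the RADIUS authentication port (Linux).

Added example, not from the thread. Parses the /proc/net/udp{,6} text format
the way `lsof -i UDP:1812` or `ss -lunp` would, then maps the socket inode to
PIDs by reading the socket:[inode] links under /proc/<pid>/fd. SAMPLE_UDP is
a constructed excerpt with one socket on 1812 (0x0714) and one on 53.
"""
import os
import socket
import struct

RADIUS_AUTH_PORT = 1812


def parse_udp_table(text):
    """Rows of /proc/net/udp or udp6 as dicts with ip, port, uid and inode.

    Data columns: sl local_address rem_address st tx:rx tr:when retrnsmt
    uid timeout inode ...  Addresses are hex in host byte order (little-endian
    here), so 0100007F is 127.0.0.1; ports are plain hex (0714 = 1812).
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":       # header or short line
            continue
        addr_hex, port_hex = fields[1].split(":")
        if len(addr_hex) == 8:                           # IPv4
            ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        else:                                            # IPv6: 4 host-order words
            words = [int(addr_hex[i:i + 8], 16) for i in range(0, 32, 8)]
            ip = socket.inet_ntop(socket.AF_INET6, b"".join(struct.pack("<I", w) for w in words))
        rows.append({"ip": ip, "port": int(port_hex, 16),
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return rows


def sockets_on_port(text, port):
    return [r for r in parse_udp_table(text) if r["port"] == port]


def pids_for_inode(inode, proc="/proc"):
    """PIDs whose fd table links to socket:[inode]; needs rights on other users' /proc/<pid>/fd."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        pids.append(int(pid))
                        break
                except OSError:
                    continue
        except OSError:                                  # no permission or gone
            continue
    return pids


def who_holds(port=RADIUS_AUTH_PORT, proc="/proc"):
    """Live check: [(ip, port, uid, inode, [pids])] for every UDP socket bound to port."""
    found = []
    for table in ("net/udp", "net/udp6"):
        try:
            with open(os.path.join(proc, table)) as fh:
                text = fh.read()
        except OSError:
            continue
        for r in sockets_on_port(text, port):
            found.append((r["ip"], r["port"], r["uid"], r["inode"], pids_for_inode(r["inode"], proc)))
    return found


# Constructed excerpt: something listening on 0.0.0.0:1812 as root, and a
# resolver on 127.0.0.1:53 as uid 101.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0714 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 11111 2 0000000000000000 0
"""

if __name__ == "__main__":
    print("sample table, port 1812:", sockets_on_port(SAMPLE_UDP, RADIUS_AUTH_PORT))
    print("this host, port 1812:", who_holds())
```

If who_holds() reports a socket but an empty PID list, the fd walk lacked permission; rerun as root. The inode and UID alone already tell you whether it is a stray radiusd (UID of the freerad user) or something unrelated bound to 1812.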
Re: Address already in use but server is not running
Yep, killing the offending process worked just fine. Thanks for the help!
Re: Can't start server on mac OS X
You were right, the directory didn't exist. It now loads correctly; I just have to get the server configured now.

In case anyone else has this problem: you have to have it writeable to the system user 'everyone' and the user that you are logged into the terminal as.
Server Starts, but rejects test user
I set up the server with gracious help from the community, and now it starts without errors. The problem comes in trying to get the test user to work. The server simply replies with Access-Reject and awaits the next user. Here is the dump from radtest:

    DeepBlue:~ michaelaldridge$ radtest testing password localhost 0 testing123
    Sending Access-Request of id 227 to 127.0.0.1 port 1812
        User-Name = testing
        User-Password = password
        NAS-IP-Address = 192.168.25.1
        NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=227, length=20
    DeepBlue:~ michaelaldridge$ radtest bob bob localhost 0 testing123
    Sending Access-Request of id 241 to 127.0.0.1 port 1812
        User-Name = bob
        User-Password = bob
        NAS-IP-Address = 192.168.25.1
        NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=241, length=20

And here are the contents of the users file:

    bob Cleartext-Password := bob
        Reply-Message = Hello, bob

All help is appreciated.

Also, as a side note, what is the proper way to stop the server gracefully? Normally I just kill the associated PID#...
Re: Server Starts, but rejects test user
As requested:

    DeepBlue:raddb michaelaldridge$ radiusd -X
    FreeRADIUS Version 2.1.9, for host i386-apple-darwin10.8.0, built on Dec 9 2011 at 18:58:07
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /opt/local/etc/raddb/radiusd.conf
    including configuration file /opt/local/etc/raddb/proxy.conf
    including configuration file /opt/local/etc/raddb/clients.conf
    including files in directory /opt/local/etc/raddb/modules/
    including configuration file /opt/local/etc/raddb/modules/acct_unique
    including configuration file /opt/local/etc/raddb/modules/always
    including configuration file /opt/local/etc/raddb/modules/attr_filter
    including configuration file /opt/local/etc/raddb/modules/attr_rewrite
    including configuration file /opt/local/etc/raddb/modules/chap
    including configuration file /opt/local/etc/raddb/modules/checkval
    including configuration file /opt/local/etc/raddb/modules/counter
    including configuration file /opt/local/etc/raddb/modules/cui
    including configuration file /opt/local/etc/raddb/modules/detail
    including configuration file /opt/local/etc/raddb/modules/detail.example.com
    including configuration file /opt/local/etc/raddb/modules/detail.log
    including configuration file /opt/local/etc/raddb/modules/digest
    including configuration file /opt/local/etc/raddb/modules/echo
    including configuration file /opt/local/etc/raddb/modules/etc_group
    including configuration file /opt/local/etc/raddb/modules/exec
    including configuration file /opt/local/etc/raddb/modules/expiration
    including configuration file /opt/local/etc/raddb/modules/expr
    including configuration file /opt/local/etc/raddb/modules/files
    including configuration file /opt/local/etc/raddb/modules/inner-eap
    including configuration file /opt/local/etc/raddb/modules/ippool
    including configuration file /opt/local/etc/raddb/modules/krb5
    including configuration file /opt/local/etc/raddb/modules/ldap
    including configuration file /opt/local/etc/raddb/modules/linelog
    including configuration file /opt/local/etc/raddb/modules/logintime
    including configuration file /opt/local/etc/raddb/modules/mac2ip
    including configuration file /opt/local/etc/raddb/modules/mac2vlan
    including configuration file /opt/local/etc/raddb/modules/mschap
    including configuration file /opt/local/etc/raddb/modules/ntlm_auth
    including configuration file /opt/local/etc/raddb/modules/otp
    including configuration file /opt/local/etc/raddb/modules/pam
    including configuration file /opt/local/etc/raddb/modules/pap
    including configuration file /opt/local/etc/raddb/modules/passwd
    including configuration file /opt/local/etc/raddb/modules/perl
    including configuration file /opt/local/etc/raddb/modules/policy
    including configuration file /opt/local/etc/raddb/modules/preprocess
    including configuration file /opt/local/etc/raddb/modules/radutmp
    including configuration file /opt/local/etc/raddb/modules/realm
    including configuration file /opt/local/etc/raddb/modules/smbpasswd
    including configuration file /opt/local/etc/raddb/modules/smsotp
    including configuration file /opt/local/etc/raddb/modules/sql_log
    including configuration file /opt/local/etc/raddb/modules/sqlcounter_expire_on_login
    including configuration file /opt/local/etc/raddb/modules/sradutmp
    including configuration file /opt/local/etc/raddb/modules/unix
    including configuration file /opt/local/etc/raddb/modules/wimax
    including configuration file /opt/local/etc/raddb/eap.conf
    including configuration file /opt/local/etc/raddb/policy.conf
    including files in directory /opt/local/etc/raddb/sites-enabled/
    including configuration file /opt/local/etc/raddb/sites-enabled/control-socket
    including configuration file /opt/local/etc/raddb/sites-enabled/default
    including configuration file /opt/local/etc/raddb/sites-enabled/inner-tunnel
    including dictionary file /opt/local/etc/raddb/dictionary
    main {
        prefix = /opt/local
        localstatedir = /opt/local/var
        logdir = /opt/local/var/log/radius
        libdir = /opt/local/lib
        radacctdir = /opt/local/var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /opt/local/var/run/radiusd/radiusd.pid
        checkrad = /opt/local/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
        log {
            stripped_names = no
            auth = no
            auth_badpass = no
            auth_goodpass = no
        }
        security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
        }
    }
    radiusd: Loading Realms and Home Servers
    proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
    }
    home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = auth
        secret = testing123
        response_window = 20
        max_outstanding = 65536
        require_message_authenticator = no
        zombie_period = 40
        status_check = status-server
        ping_interval
Re: Server Starts, but rejects test user
I feel stupid now, I was editing the wrong users file... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
VMPS
All, I've got a Freeradius server I'm testing for VMPS. My mac2vlan file needs to be dynamically updated. Right now I have a cron job that does that and then stops/starts Freeradius so the new mac2vlan file is read. Is there a better way to do this? Thanks much, Mike - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius testing.
Does anybody know of a tool to test radius performance? Vasco's radius simulator. It runs in Wine under Linux just fine. Regards, Michael Holstein Cleveland State University - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: LDAP/MSCHAP
I wanted to say thanks to everybody from this list who has given me a hand over the past few weeks. I have successfully configured Freeradius to authenticate 802.1X wireless clients from an AD domain and assign them the appropriate VLAN tag based on AD/LDAP group membership. Many thanks to everybody. -Original Message- From: freeradius-users-bounces+mwhitlow=bumail.bradley@lists.freeradius.org [mailto:freeradius-users-bounces+mwhitlow=bumail.bradley@lists.freeradius.org] On Behalf Of Sven Hartge Sent: Sunday, November 13, 2011 8:39 AM To: freeradius-users@lists.freeradius.org Subject: Re: LDAP/MSCHAP Andreas Rudat ru...@endstelle.de wrote: On 12.11.2011 23:00, Sven Hartge wrote: This also means you have to protect those hashes inside your database like a raw cleartext password, as you can authenticate to any Windows box with the knowledge of the NT/LM-Hash. This has been exploited by several Windows trojan horses, which grabbed the NT-Hash from the Administrator user to log in to other boxes on the network using the same password (or worse: the domain controller). Ah, many thanks for clearing that up, so both are bad no matter which mechanism is used. Yes. Storing the NT-Hash has the advantage of not completely exposing the cleartext password to a possible intruder. Storing the LM-Hash is just dumb, because a) it limits the length of the password to 16 characters and b) the LM-Hash is easily broken in seconds by today's computers. Storing the raw cleartext password is as bad, but it enables one to use other challenge-handshake auths, if needed. I chose to store the raw cleartext password in LDAP, but in a different attribute than the normal userPassword. This way, if my LDAP servers ever get compromised (or I mess up with an ACL, enabling anyone to read the cleartext password), just the WLAN/Dialup-Password of a user is revealed and not the master password for the account, which is used for mail, logging in to computers, etc. Greetings, Sven. -- Sigmentation fault.
Core dumped. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Certificate Validation Process
All, I have one minor issue to ask the group about. Using Freeradius to authenticate 802.1X wireless clients, I noticed that if I try to connect to the wireless network and I purposely put in a bad password I still get the popup to validate the server certificate. On the other radius implementations I am used to, the cert validation does not happen until after the user is authenticated. I imagine I have something configured not quite right but I don't know what. So, in Freeradius is there a way to change it so the validate server certificate prompt comes only after successful authentication? Thanks much, Mike - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP/MSCHAP
All, I am really close to a successful Freeradius implementation for 802.1X wireless using LDAP authentication on the back end. Here is what I have: - RADTEST / clear text Freeradius password from users file / WORKS GREAT - Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / clear text Freeradius password from users file / WORKS GREAT - RADTEST / LDAP credentials / WORKS GREAT - Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / LDAP credentials / NO GO Here is the debug output. I have read others online with these symptoms but nothing I have found yet will help me. [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: mwhitlow [mschap] Told to do MS-CHAPv2 for mwhitlow with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect Thanks much in advance for the help! Mike - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: AD integration
Jake, Thanks for the reply. Much appreciated. I have worked on this more and from what I have learned I need to configure the users file properly. I have a feeling that if I could figure out exactly what I need to put in there I would be in business. I just can't seem to find exactly what I need to do in there to identify AD groups and provide the right IEEE tags to the client. Mike From: freeradius-users-bounces+mwhitlow=bumail.bradley@lists.freeradius.org on behalf of Sallee, Stephen (Jake) Sent: Fri 10/28/2011 3:39 PM To: FreeRadius users mailing list Subject: RE: AD integration We are actually looking into doing the same thing. Although we are probably going to add a custom attribute that we can set to the vlan of our choice, that way we can find the vlan by a simple ldap query without adding complex logic to the server. This to us seems the simplest route. It is worth noting that we do not have this in production yet so I cannot vouch for its real world effectiveness. As for getting the ldap query to work, you have already done the hard part. Once your server is able to auth users via ntlm the difficult part is over. We have set up a special account that has almost no privileges, only access to search AD. We use this account to interact with AD. If I remember correctly deployingradius.com has an excellent walk through on the initial setup, I would try there for initial config instructions. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Whitlow, Michael Sent: Friday, October 28, 2011 3:18 PM To: freeradius-users@lists.freeradius.org Subject: AD integration Hello, I just got Freeradius running on Ubuntu and have successfully configured integration with Active Directory using Samba and NTLM_AUTH.
When I run radtest against Freeradius and put in AD credentials, it is successful. My next goal is to configure Freeradius to assign 802.1X VLANs for a wireless environment. In other words, users who are a member of ADGROUP1 get assigned vlan # 111, and users who are a member of ADGROUP2 get assigned vlan #222. I am unclear which direction to go to accomplish this. Any help would be greatly appreciated. Thanks much Mike Whitlow - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AD integration
Hello, I just got Freeradius running on Ubuntu and have successfully configured integration with Active Directory using Samba and NTLM_AUTH. When I run radtest against Freeradius and put in AD credentials, it is successful. My next goal is to configure Freeradius to assign 802.1X VLANs for a wireless environment. In other words, users who are a member of ADGROUP1 get assigned vlan # 111, and users who are a member of ADGROUP2 get assigned vlan #222. I am unclear which direction to go to accomplish this. Any help would be greatly appreciated. Thanks much Mike Whitlow - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE:
Check your NAS' documentation. The NAS sends that to FreeRADIUS to log. Michael -- Michael J. Hartwick, VE3SLQ hartw...@hartwick.com Hartwick Communications Consulting (519) 396-7719 Kincardine, ON, CA http://www.hartwick.com -- From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org [mailto:freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org] On Behalf Of OzSpots - Carl Sawers Sent: Friday, October 14, 2011 20:18 To: freeradius-users@lists.freeradius.org Subject: Hi All, I have searched high and low for a Radacct Terminate cause description for Freeradius, the terminate cause states Lost-Session, anyone know what it refers to? Regards Carl - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Dynamic Attributes Based on NAS Type !
It may not be pretty, but why not just send all 3 sets of VSAs? If the NAS doesn't recognize an attribute, won't it just ignore it? From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org [mailto:freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org] On Behalf Of Suman Dash Sent: Saturday, October 08, 2011 13:08 To: FreeRadius users mailing list Subject: Re: Dynamic Attributes Based on NAS Type ! To be specific, I am concerned about the QoS VSAs. For example: Mikrotik NAS - Mikrotik-Rate-Limit; Chillispot - Chillispot-Max-UP, Chillispot-Max-Down; Cisco - Cisco-Policy-UP, Cisco-Policy-Down. Now if the user logs in from different NASes the VSA will differ, so it is not possible to have a single entry in radgroupreply or radreply pertaining to one kind of NAS. I guess that this is not an out of the box feature in freeradius; instead I need to use some kind of custom script in the Post-Auth section which will check the NAS type and reply with the correct VSAs. I am looking for a unique identifier from the NAS by which freeradius can understand what type of NAS it is. I tried it and it seems that I have no control over the Access-Request sent by the NAS to freeradius. The only idea which currently comes into my mind is to use the nas.type value in the DB, but in case the NAS type is incorrectly specified the reply attributes will go nuts. So any idea if there are any unique identifiers? Regards Suman On Sat, Oct 8, 2011 at 9:40 PM, Stefan A. a.freerad...@premit.de wrote: Suman, As you did not say anything about the exact attributes you will send to the NAC, here is how we do this: we are also using different NAS and have to reply with different VSAs for setting up the QOS. We use the existence of a specific VSA (specified per NAS type) in the request to select the VSAs to be used in responses.
e.g.: if we find the Starent Networks VSA 'SN-Service-Type' in the request, we reply with 'SN-QOS-Profile' to set up QoS. This is safe, as we won't see any Starent VSAs in Cisco or Chillispot NASes. To make this flexible, we have set up our own VSA to configure users' QOS, which is then translated into the specific reply attributes for the NAS the user is currently using. Regards Stefan From: freeradius-users-bounces+a.freeradius=premit...@lists.freeradius.org [mailto:freeradius-users-bounces+a.freeradius mailto:freeradius-users-bounces%2Ba.freeradius =premit...@lists.freeradius.org] On Behalf Of Suman Dash Sent: Saturday, October 08, 2011 4:40 PM To: FreeRadius users mailing list Subject: Dynamic Attributes Based on NAS Type ! Hi Everyone ... Currently I am planning to integrate freeradius with different NAS like Chillispot, Cisco etc. and enable roaming users so that they can log in from any of the NAS. As the reply items are different with different NAS, I am looking for ideas how to enable a single user to roam and connect from different NAS. In my case I think static reply items are not possible per user or per group, so my question is what trick can be used to achieve the same. I have not tried anything as I have no clue on the same, so some highlights on the approach will be a good starting point for me. Cheers Suman - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Odd issue with auth-type:ldap
Upgrade. This was fixed a long time ago. Thanks .. that worked. It's even referenced in the config. My google foo must have failed me searching the error to have not found that in the changelog. Cheers, Michael Holstein Cleveland State University - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows Pre-Login Auth
On Windows 7 you can configure pre-login authentication (wireless connection properties - Advanced settings) both for computer and user. On XP (with native windows client), I don't think that it is possible to do that. Yes it is .. just check the box for authenticate as computer account in the wireless properties (in XP). IIRC this was introduced when they finally fixed the supplicant in sp2. The credentials come across as COMPUTERNAME$ Regards, Michael Holstein Cleveland State University On Fri, 9 Sep 2011 09:00:32 -0500, Scott Hughes wrote: Hello all, I have been using FreeRadius for several years now and am stuck trying to make our Windows based wireless system authenticate PRIOR to user login. I have searched the FreeRadius and Deploying FreeRadius sites as well as Google, but no luck. Here is a brief overview of my FreeRadius setup: 1) Clients: Windows XP 2) Currently running FreeRadius version 2.0.5 3) Currently authenticating users via TLS/PEAP with computer name/username I'm not sure what else (if anything) you might need. I am also looking at changing the FreeRadius setup to authenticate against our Windows 2008r2 Active Directory servers. We have one main location and two remote sites. Currently we have only one FreeRadius server at the main site. If the VPN connection between the main site and either / both of the remote sites goes down, the remote sites can't authenticate. My thought was to have three FreeRadius servers that would authenticate to the local copy of the AD. Having said all of this, I do not want to get too many things going at one time. I much prefer to tackle one issue at a time. Thanks in advance for any insight you may have on either/both of these issues. Scott - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP Authentication bind as user issue
This way it binds anonymously, and then fails to do an ldapsearch because of insufficient privs. Giving * read to all seems silly, and I would rather not go that route. If anyone has suggestions or comments they would be greatly appreciated. How I did it (assuming you're using AD as the backend) .. is just create a user account to bind with to do the search (to locate the DN). It does not need to be an admin user, unless you have torqued down the permissions inside AD. This allows bind as the defined user (to search for the DN of the Stripped-User-Name) and then rebind as that DN. ldap { server = mydc.foocorp.com identity = CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com password = imnotgoingtotellyou basedn = dc=foocorp,dc=com filter = (&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) .. } Cheers, Michael Holstein Cleveland State University - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Odd issue with auth-type:ldap
Using .. FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34 ^^ .. that is what Debian 5.0.6 (Lenny) had in packages. I have LDAP enabled as an auth-type (for ipsec-tools using libradius, since it sends a cleartext password and I have AD as backend). I also process mschapv2 (for l2tp/ipsec connections). This works correctly *only* if I enable LDAP debugging. {radiusd.conf} ldap_debug = 0x Whereby I get : (for IPSEC) rlm_ldap: user authorized to use remote access ldap_msgfree rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok or (for L2TP/PPP) Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok *HOWEVER* .. if I disable the debug directive, I get : rlm_ldap: ldap_search() failed: Operations error rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Debugging what goes on in the background, the underlying complaint is must bind to perform.. in case #2. The first case (from a pcap trace) does the search as the defined user (in radiusd.conf) and then binds as the found DN, so it's not as if debugging forces a valid return on all queries. Any ideas? Related question .. is there an easier way to pass plaintext (to Radius) credentials into AD (and determine group membership) like auth_ntlm does? .. I know how to call ntlm_auth with plaintext credentials and return a success but can't seem to get freeradius to use that as an auth-type. TIA, Michael Holstein Cleveland State University - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
can policy.conf be used to create an access control list
Hi, I am using freeRadius version 1.1.7. I am trying to create an access control list via radius, to prevent specific PCs/locations from accessing my network. Please see my policy.conf example below. My freeRadius server keeps sending an access-accept when I try to log in from my office as a test, which has the IP address 10.2.222.35. I don't understand why the server is allowing the login. It seems logical to me the way that I have approached an implementation, but I can't find any specific info from the wiki or in internet searches. So I am not sure if I am still misconfigured or if it just doesn't work for some other reason. Thanks, Mike In policy.conf, I have the following, but it doesn't have any effect (I do have '$INCLUDE ${confdir}/policy.conf' in my radiusd.conf file): policy { forbid_login_ip_hosts { %{request:Login-IP-Host} =~ /^10.2./ { reject } } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
question re inner tunnel / virtual server
Hi *, I try to get a better grip on understanding the virtual server for the inner EAP tunnel. Please forgive me if any of the following statements represents a misunderstanding of concepts on my side. Which of the following statements describe the inner tunnel virtual server for EAP wrongly / correctly? EAP: - The eap module can map tunneled requests to a virtual server (inner tunnel). - It knows where to communicate by freeradius reading the virtual servers' configs in sites-enabled. - So the port configured for the inner tunnel virtual server (statement valid only for this inner tunnel VS) is only relevant externally for testing purposes, in order to test the correct freeradius config wrt EAP. - freeradius handles the communication to the inner tunnel with the above mentioned mapping of the eap module. So in productive use there is no need to reference the port for the inner tunnel (except when proxying or using the test for EAP to check for a valid config). - The main goal of the inner tunnel virtual server is to allow completely independent policies for outer / inner tunneled sessions. Hope I did not fall for too many misunderstandings. TIA Micha - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
no authenticate step ...
Hello *, I try to transfer a working configuration from a very old (1.x) freeradius version to a more recent radius version: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:14:10 My problem: after authenticating against ldap, with auth-type = ldap set, no authorize step is done; the next step happening is trying the next entry from the users file. Expected: authenticate with bind as user and password hash of the user against ldap. Here is the snippet from the debug log I assume relevant: Thu Apr 7 12:45:28 2011 : Info: [auth_log] expand: %t - Thu Apr 7 12:45:28 2011 Thu Apr 7 12:45:28 2011 : Info: ++[auth_log] returns ok Thu Apr 7 12:45:28 2011 : Info: ++[mschap] returns noop Thu Apr 7 12:45:28 2011 : Info: [suffix] No '@' in User-Name = pilot1, looking up realm NULL Thu Apr 7 12:45:28 2011 : Info: [suffix] No such realm NULL Thu Apr 7 12:45:28 2011 : Info: ++[suffix] returns noop Thu Apr 7 12:45:28 2011 : Info: [ldap] performing user authorization for pilot1 Thu Apr 7 12:45:28 2011 : Info: [ldap] WARNING: Deprecated conditional expansion :-. See man unlang for details Thu Apr 7 12:45:28 2011 : Info: [ldap] ... expanding second conditional Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: %{User-Name} - pilot1 Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) - (uid=pilot1) Thu Apr 7 12:45:28 2011 : Info: [ldap] expand: l=Berlin,dc=de,o=ABC- l=Berlin,dc=de,o=ABC Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Apr 7 12:45:28 2011 : Debug: [ldap] attempting LDAP reconnection Thu Apr 7 12:45:28 2011 : Debug: [ldap] (re)connect to 10.128.1.1:389, authentication 0 Thu Apr 7 12:45:28 2011 : Debug: [ldap] bind as cn=Manager,o=ABC/xyz to 10.128.1.1:389 Thu Apr 7 12:45:28 2011 : Debug: [ldap] waiting for bind result ...
Thu Apr 7 12:45:28 2011 : Debug: [ldap] Bind was successful Thu Apr 7 12:45:28 2011 : Debug: [ldap] performing search in l=Berlin,dc=de,o=ABC, with filter (uid=pilot1) Thu Apr 7 12:45:28 2011 : Info: [ldap] No default NMAS login sequence Thu Apr 7 12:45:28 2011 : Info: [ldap] looking for check items in directory... Thu Apr 7 12:45:28 2011 : Debug: [ldap] userPassword - Password-With-Header == {MD5}hashvalueD1xtOw==- the sequence after the hashed pw astonishes me, the D1xt0w Thu Apr 7 12:45:28 2011 : Info: [ldap] looking for reply items in directory... Thu Apr 7 12:45:28 2011 : Info: [ldap] Setting Auth-Type = LDAP Thu Apr 7 12:45:28 2011 : Info: [ldap] user pilot1 authorized to use remote access Thu Apr 7 12:45:28 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Apr 7 12:45:28 2011 : Info: ++[ldap] returns ok Thu Apr 7 12:45:28 2011 : Info: [eap] No EAP-Message, not doing EAP Thu Apr 7 12:45:28 2011 : Info: ++[eap] returns noop ... the next line / match in the users file is done next ... in the old config the next step was authenticate. So clearly I made a mistake and have overlooked a necessary config option. Any hints where to look next? The hint to transfer a deprecated expression from the users file to unlang will be followed when I succeed with auth. TIA Micha - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
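The "Password-With-Header == {MD5}...==" value in the log above is the scheme-prefixed LDAP userPassword format: the characters after the header are the base64 encoding of the raw digest, and a 16-byte MD5 digest always encodes to 24 characters ending in "==", which is the trailing sequence the poster wondered about. As an added example that is neither the poster's configuration nor FreeRADIUS's own rlm_pap code, the Python below produces and checks such values for the {clear}, {MD5}, {SMD5}, {SHA} and {SSHA} schemes, rejecting malformed base64 and unknown schemes instead of guessing.

```python
import base64
import hashlib
import hmac
import os

# Digest function per scheme, and whether the scheme is salted. Salted variants
# hash password+salt and append the salt to the digest before base64-encoding,
# so a stored value carries the salt needed to re-check it.
_SCHEMES = {
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
}


def split_header(stored: str):
    """Split '{SCHEME}body' into ('SCHEME', 'body'); the scheme is upper-cased."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("value has no {scheme} header")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def make_password_with_header(scheme: str, password: str, salt: bytes = None) -> str:
    """Encode a cleartext password as '{SCHEME}base64', e.g. '{MD5}...=='."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return "{clear}" + password
    hash_fn, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt
        digest = hash_fn(password.encode("utf-8") + salt).digest() + salt
    else:
        digest = hash_fn(password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def check_password_with_header(stored: str, password: str) -> bool:
    """Return True when `password` matches the stored '{SCHEME}base64' value."""
    scheme, body = split_header(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(body.encode("utf-8"), password.encode("utf-8"))
    if scheme not in _SCHEMES:
        return False  # unknown scheme: no match rather than a guess
    hash_fn, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = hash_fn().digest_size
    if salted:
        # Everything after the digest is the salt; recompute with it.
        digest, salt = raw[:digest_len], raw[digest_len:]
        expected = hash_fn(password.encode("utf-8") + salt).digest()
    else:
        digest, expected = raw, hash_fn(password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: the classic MD5 of "password" in userPassword form.
    print(make_password_with_header("MD5", "password"))
```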
Re: Strip off the domain part from the User-Name
The MSCHAPs include the given name when calculating the hashes. Stripping the domain will therefore not work. The client is using the domain\name in the hash and you're asking the server to use just the name. On 3/23/2011 15:08 PM, Thomas Wunder wrote: Hi, I'm currently trying to configure my Win7 clients to do wired 802.1X authentication using the credentials a user provides at the login screen. Wired 802.1X auth itself works fine but as soon as I have it use the logon credentials (using the Automatically use my Windows logon name and password (and domain if any).) Windows sends User-Names like 'computername\\username'. That's normal so far I think. To get the rlm_ldap related stuff working I simply changed my filter and groupmembership_filter settings in modules/ldap to be [...]uid=%{mschap:User-Name:-%{User-Name}}[...] instead of [...]uid=%{%{Stripped-User-Name}:-%{User-Name}}[...] and that works well. But when it comes to MSCHAP authentication I've got a problem: I get errors like [mschap] ERROR: User-Name (testpc\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2 (...which sounds logical) I've tried to solve that problem by changing with_ntdomain_hack = yes (I know you recommend against that) without any luck: +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel) Somewhere I've read that in such a case one should use the realms concept but I can't seem to get it working. There's an entry like realm ntdomain { format = prefix delimiter = \\ } in modules/realm but what else do I need? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: The decoded content is not same as command in CoA
Perhaps the character value of the string for zero ('0') is 30 in hex (0x30). On 1/12/2011 23:33 PM, Xiaochen wrote: Dear all, I am using Fedora 12 + Freeradius to do some CoA tests. One is : AAA sends Disconnect request to Client. My packet.txt content is as: WiMAX-DM-Action-Code=0 But when I run it in the command terminal, the screen said as below: - WiMAX-DM-Action-Code = 0x30 I don't know why WiMAX-DM-Action-Code content was changed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs
Hi, During a rebuild of our Radius servers from an old freeradius 1.x install to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS: MySQL:

radcheck:
id    UserName    Attribute    op   Value
9791  t...@realm  Password     :=   {clear}somepass

radgroupreply:
id    GroupName    Attribute     op   Value
161   VRF-TEST     Cisco-AVPair  +=   ip:vrf-id=TEST
162   VRF-TEST     Cisco-AVPair  +=   ip:ip-unnumbered=loopback25
2211  QOS-PROFILE  Cisco-AVPair  +=   ip:sub-qos-policy-out=TEST-QOS-PROFILE

radreply:
id      UserName    Attribute          op   Value
124561  t...@realm  Framed-IP-Netmask  =    255.255.255.255
124571  t...@realm  Framed-IP-Address  =    1.1.1.1

usergroup:
UserName    GroupName    priority
t...@realm  VRF-TEST     1
t...@realm  QOS-PROFILE  2

debugging Radius on the Cisco shows (amongst other things): RADIUS: Vendor, Cisco [26] 21 RADIUS: Cisco AVpair [1] 15 ip:vrf-id=TEST RADIUS: Vendor, Cisco [26] 35 RADIUS: Cisco AVpair [1] 29 ip:ip-unnumbered=loopback25 If you set QOS-PROFILE to priority 0 for example, it will then only pick up the QOS-PROFILE usergroup, not both. Setting both usergroups to the same priority yields the same results; only applying the first, never both. To rule out the Cisco I've performed a tcpdump on Radius itself; I can only see freeradius sending one usergroup in the Access-Accept response. This is also a fresh freeradius install via FreeBSD ports; no configuration was carried over from the previous install except for MySQL DB credentials. Thoughts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs
SQL log attached: rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@realm' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 't...@realm' ORDER BY id rlm_sql_mysql: query: SELECT groupname FROM usergroup WHERE username = 't...@realm' ORDER BY priority rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'VRF-TEST' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'VRF-TEST' ORDER BY id rlm_sql (sql): Released sql socket id: 4 If I run the 3rd query manually, it does pick up the VRF-TEST and QOS-PROFILE usergroups; however, looking at the above groupcheck/groupreply query, it is only running it for the first instance. Bug perhaps in rlm_sql_mysql? -Michael On Thu, 16 Dec 2010 11:33:46 +1100, mich...@jarrett.id.au wrote: Hi, During a rebuild of our Radius servers from an old freeradius 1.x install to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS: MySQL:

radcheck:
id    UserName    Attribute    op   Value
9791  t...@realm  Password     :=   {clear}somepass

radgroupreply:
id    GroupName    Attribute     op   Value
161   VRF-TEST     Cisco-AVPair  +=   ip:vrf-id=TEST
162   VRF-TEST     Cisco-AVPair  +=   ip:ip-unnumbered=loopback25
2211  QOS-PROFILE  Cisco-AVPair  +=   ip:sub-qos-policy-out=TEST-QOS-PROFILE

radreply:
id      UserName    Attribute          op   Value
124561  t...@realm  Framed-IP-Netmask  =    255.255.255.255
124571  t...@realm  Framed-IP-Address  =    1.1.1.1

usergroup:
UserName    GroupName    priority
t...@realm  VRF-TEST     1
t...@realm  QOS-PROFILE  2

debugging Radius on the Cisco shows (amongst other things): RADIUS: Vendor, Cisco [26] 21 RADIUS: Cisco AVpair [1] 15 ip:vrf-id=TEST RADIUS: Vendor, Cisco [26] 35 RADIUS: Cisco AVpair [1] 29 ip:ip-unnumbered=loopback25 If you set QOS-PROFILE to priority 0 for example, it will then only pick up the QOS-PROFILE usergroup, not both.
Setting both usergroups to the same priority yields the same results; only applying the first, never both. To rule out the Cisco I've performed a tcpdump on Radius itself; I can only see freeradius sending one usergroup in the Access-Accept response. This is also a fresh freeradius install via FreeBSD ports; no configuration was carried over from the previous install except for MySQL DB credentials. Thoughts? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: LDAP auth success / User reject
Hello *, Problem solved, thanks to Alan's help: - Find out what part of the configuration is setting Auth-Type := Reject - Look in the files configuration, and in the data in LDAP. The reject was the last default statement in the users file. My problem was that the patterns for both entries before it failed. I resolved the reason: it was a bug in the customer's LDAP tree for this site, not noticed by me before. Michael - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No NAS Port seen ?
Hello * - is the error below caused by a fault of the NAS - or a stupid mistake of mine within the setup? rlm_radutmp: No NAS-Port seen. Cannot do anything. rlm_radumtp: WARNING: checkrad will probably not work! - other attributes are sent correctly - device is a lancom 315-agn TIA Micha - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP auth success / User reject
Hello *, Scenario: freeradius auth via LDAP simple bind with user passwd / user name for a hot spot. The used config works with two other setups of the same environment. Problem: simple bind returns ok, then another module rejects the user. Any hints where I should look? Used Freeradius Version: FreeRADIUS Version 1.1.6 Below the debug output: Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0 Thu Nov 18 11:20:52 2010 : Debug: modcall[authorize]: module suffix returns noop for request 0 Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: - authorize Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: performing user authorization for test1 Thu Nov 18 11:20:52 2010 : Debug: radius_xlat: '(uid=test1)' Thu Nov 18 11:20:52 2010 : Debug: radius_xlat: 'l=Stadt,dc=de,o=Organisationr' Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: attempting LDAP reconnection Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: bind as cn=LDAPADMIN,o=Customer/sharedsecret to 127.0.0.1:389 Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: waiting for bind result ... Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Bind was successful Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: performing search in l=Stadt,dc=de,o=Organisation, with filter (uid=test1) Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: looking for check items in directory... Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: looking for reply items in directory...
Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: Setting Auth-Type = ldap Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: user test1 authorized to use remote access Thu Nov 18 11:20:52 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0 Thu Nov 18 11:20:52 2010 : Debug: modcall[authorize]: module ldap returns ok for request 0 Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0 Thu Nov 18 11:20:52 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0 Thu Nov 18 11:20:52 2010 : Debug: modcall[authorize]: module eap returns noop for request 0 Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0 Thu Nov 18 11:20:52 2010 : Debug: users: Matched entry DEFAULT at line 3 Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0 Thu Nov 18 11:20:52 2010 : Debug: modcall[authorize]: module files returns ok for request 0 Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0 Thu Nov 18 11:20:52 2010 : Debug: rlm_pap: Found existing Auth-Type, not changing it. Thu Nov 18 11:20:52 2010 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0 Thu Nov 18 11:20:52 2010 : Debug: modcall[authorize]: module pap returns noop for request 0 Thu Nov 18 11:20:52 2010 : Debug: modcall: leaving group authorize (returns ok) for request 0 Thu Nov 18 11:20:52 2010 : Debug: rad_check_password: Found Auth-Type Reject Thu Nov 18 11:20:52 2010 : Debug: rad_check_password: Auth-Type = Reject, rejecting user Thu Nov 18 11:20:52 2010 : Debug: auth: Failed to validate the user. 
Thu Nov 18 11:20:52 2010 : Auth: Login incorrect: [test1/testpasswd] (from client wlanhsp port 0 cli 00:1e:c2:a3:4d:b line from users DEFAULT Called-Station-Id =~ .*:LIBRARY , Ldap-group == cn=city,cn=Groups,l=Stadt,dc=de,o=Organisation thx for any hints :-) I have anonymized the ldap Attributes Michael - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: LDAP auth success / User reject
Alan,

> Use -X. You've added an additional -x, which makes the output harder to read.

ok, understood, attached below

> > Thu Nov 18 11:20:52 2010 : Debug: rad_check_password: Found Auth-Type Reject
> > Thu Nov 18 11:20:52 2010 : Debug: rad_check_password: Auth-Type = Reject, rejecting user
>
> Well... something is setting that. Go find out what, and fix it.

any hints how to proceed to debug where the Reject for rad_check_passwd is caused?

I checked ldap attributes and verified the correctness of the user passwd for simple bind with ldapsearch.
So i have at last excluded trivial errors like testing with a dn or a wrong user password.
But now i do not see how to trace why the radius request comes back with reject.

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in l=Stadt,dc=de,o=Organisation, with filter (uid=test1)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user test11 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 4
modcall[authorize]: module files returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [test1/testpass] (from client wlanhsp port 0 cli 00:1e:c2:a3:4d:b3)

TIA
Micha
Re: Doubt - Freeradius + Ldap
There's many a slip 'twixt the cup and the lip. I promise you'll want to kick yourself when you find the simple difference after so many messages. Many of us have the grace to go through this necessarily humbling exercise in private.

On 2010-11-05 2:47 PM, Eduardo Moreira wrote:
> sorry, but where do i check the shared secret? in clients.conf? if yes, the secret is ok!
>
> thanks for any help.
No authenticate method (Auth-Type) configuration found
of this.

++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [guest/MM\250f\375 \241Ñ?\247\007\242Ë?i\316] (from client nas01 port 2 cli 00-0C-29-00-71-20)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - guest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 13 to 172.16.20.10 port 42793
Waking up in 4.9 seconds.
Cleaning up request 0 ID 13 with timestamp +7
Ready to process requests.

Many Thanks.
Michael
Re: No authenticate method (Auth-Type) configuration found
WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM radusergroup WHERE username = 'guest' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password guest
rlm_pap: Using clear text password guest
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [guest/guest] (from client 172.16.30.6 port 0)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} - guest
rlm_sql (sql): sql_set_user escaped user -- 'guest'
expand: %{User-Password} - guest
expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') - INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'guest', 'guest', 'Access-Accept', '2010-10-20 15:47:40')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'guest', 'guest', 'Access-Accept', '2010-10-20 15:47:40')
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 105 to 172.16.30.6 port 42677
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 105 with timestamp +20
Ready to process requests.

What else could be wrong here?

Alan DeKok wrote:
> Bereos OHG Michael Spinnenhirn wrote:
> > auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> > auth: Failed to validate the user.
> > Login incorrect: [guest/MM\250f\375 \241Ñ?\247\007\242Ë?i\316] (from client nas01 port 2 cli 00-0C-29-00-71-20)
> > WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> >
> > I already checked the secret. It's the same in chilli config and client.conf on the server.
>
> That message is pretty definitive.
>
> I suggest *deleting* the client. Then send the server packets. Verify that the server complains about unknown client. Then, add the client again. This time re-entering all of the data, rather than copying it from your existing configuration.
>
> Also try radtest (or radclient) from the remote machine. There's no need to depend on Chillispot config when you can use the FreeRADIUS software to do the tests.
>
> Alan DeKok.
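The warning Alan calls definitive follows from how RADIUS hides User-Password (RFC 2865 section 5.2): the NAS XORs the password with an MD5 keystream derived from the shared secret and the Request Authenticator, and the server reverses that with its own copy of the secret. When the two secrets differ the server recovers pseudo-random octets instead of the password, which is what produces the unprintable string in the log. The following is an added example, not code from the thread or from FreeRADIUS; the secret, Request Authenticator and password are constructed values.

```python
import hashlib

# RFC 2865 section 5.2: User-Password is hidden, not encrypted in any modern sense.
# b1 = MD5(secret + RequestAuthenticator), c1 = p1 XOR b1,
# bi = MD5(secret + c(i-1)),               ci = pi XOR bi   for each further 16-octet chunk.


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Hide a cleartext User-Password the way a NAS does before sending it."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to a 16-octet multiple
    hidden = b""
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk                                        # chaining uses the ciphertext chunk
    return hidden


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Undo hide_password as the server does. With a mismatched secret the keystream
    is wrong and the result is pseudo-random bytes, not the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    revealed = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        revealed += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return revealed.rstrip(b"\x00")                        # strip the NUL padding


def is_printable(data: bytes) -> bool:
    """Printable-ASCII check modelled on the one behind the server's warning."""
    return all(0x20 <= c < 0x7F for c in data)


def check_password(secret: bytes, request_auth: bytes, hidden: bytes) -> str:
    """Mirror the server's diagnosis: unprintable output means the secrets differ."""
    if is_printable(reveal_password(secret, request_auth, hidden)):
        return "ok"
    return "unprintable characters in the password: double-check the shared secret"


if __name__ == "__main__":
    # Constructed values: a real NAS picks 16 fresh random octets per request.
    request_auth = bytes(range(16))
    hidden = hide_password(b"radiussecret", request_auth, b"guest")
    print(check_password(b"radiussecret", request_auth, hidden))   # server configured correctly
    print(check_password(b"radiusSecret", request_auth, hidden))   # NAS and server disagree
```

Note that a secret mismatch cannot be told apart from a wrong password by looking at the reject alone; only the unprintable octets give it away, which is why re-entering the client's secret on both sides (as Alan suggests) is the right first step.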
Re: No authenticate method (Auth-Type) configuration found
I can see the difference between the working one on the server and the other one from the remote client. But I executed the same command on both machines.

echo User-Name=guest,Password=guest | radclient 172.16.30.6:1812 auth radiussecret

I have tried it from another debian server, too, with success. So it has to be a problem with the radclient on the openwrt box, doesn't it?

Alan DeKok wrote:
> Bereos OHG Michael Spinnenhirn wrote:
> > The remote radclient gives the following debug output:
> >
> > rad_recv: Access-Request packet from host 172.16.20.10 port 56195, id=36, length
> > User-Name = guest
>
> sigh
>
> You're not including a User-Password in the request. It needs one.
>
> > What else could be wrong here?
>
> Look at the packets the server is receiving from the two clients: they're different.
>
> Alan DeKok.
Re: doubt regarding free-radius
Hi,

I couldn't solve my problem with this package. I think that not all dependencies could be fulfilled because of my core installation. Finally I installed free-radius from blastwave:

wget http://download.blastwave.org/csw/pkgutil_i386.pkg
pkgadd -d pkgutil_i386.pkg
pkgutil --catalog
pkgutil -a freeradius
pkgutil -i freeradius

# if there are problems with generating certs the following worked for me
cd /opt/csw/etc/raddb/certs/
date > ./random
./bootstrap
radiusd -X

Michael

On 29.09.2010 14:33, vijay wrote:
> Hi,
>
> i saw your posting regarding segmentation-fault while running the following command on solaris10-x86.
>
> /usr/local/sbin/radiusd -X
>
> I am also facing the same problem. How did you resolve it? It will be helpful to me.
>
> vijay

--
Michael Bathe
Rechenzentrum -Netzwerkadministration-
Tel.: +49 (0)331/288-1803
Fax: +49 (0)331/288-1730
Email: michael.ba...@gfz-potsdam.de

Helmholtz-Zentrum Potsdam
Deutsches GeoForschungsZentrum - GFZ
Stiftung des Öff. Rechts Land Brandenburg
Telegrafenberg G257, D-14473 Potsdam
Re: Re: radius client / send NAS IP ?
Hello Alan,

sorry, my fault :-)
radclient saves my day, indeed i can send any attribute / value pair i like

thanks for your help
Micha
rlm_exec: Wait=yes but no output defined
Hello *,

radiusd -X in different places announces

rlm_exec: Wait=yes but no output defined. Did you mean output=none?

Will freeradius fall back internally to output=none without inserting this attribute / value in the config? Or should i mandatorily add output=none?

TIA
Micha
radius client / send NAS IP ?
Hello *,

at the time being i have to use an old radius version for different reasons:

freeradius-client-1.1.5-36
freeradius-devel-1.1.6-47
freeradius-1.1.6-47
freeradius-client-devel-1.1.5-36
freeradius-client-libs-1.1.5-36

for real logins at the WLAN Hot Spot the

DEFAULT NAS-IP-Address == 192.168.123.45

or

DEFAULT Called-Station-Id =~ .*:MYSSID

are part of the check (via criteria in users)

is there a radtest client where i can send those attribute / value pairs intentionally?
else in my traces i will always see a refused as test result, since from localhost those parameters will not match

Prio low, would just be nice for testing

TIA
Micha
Re: Re: radius client / send NAS IP ?
Alan,

thx for answering

at least the radclient of the installed version does not allow to add those attributes according to the manpage
if i read your hint right i should download an actual version and compile to get a radclient with enhanced abilities :-)

TIA
Micha

----- Original message -----
Subject: Re: radius client / send NAS IP ?
Date: Sat 25 Sep 2010 15:01:49 CEST
From: Alan DeKok <al...@deployingradius.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Michael Arndt wrote:
> is there a radtest client where i can send those attribute / value pairs intentionally ?

$ man radclient

Alan DeKok.
----- End of original message -----
Re: still not working (newbie for radius)
By the looks of it you have two problems.

The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.

Your broken client sends the identical packet for the new authentication attempt when it must send a brand new packet (different id, socket or port). That's why the server drops subsequent login attempts from ssh - they're duplicate requests which the server has already answered.

In your second attempt your User-Name is 'labrat' and the Juniper-Local-User-Name 'labrat' is being returned in the response, probably convincing SSH you are who you claim to be.

On 2010-09-19 9:35 PM, gahn wrote:
> thanks tim:
>
> yes, it is better but yet working correctly:
>
> g...@giraffe:~:$ ssh b...@192.168.255.138
> b...@192.168.255.138's password:
> Permission denied, please try again.
> b...@192.168.255.138's password:
> Permission denied, please try again.
> b...@192.168.255.138's password:
> Permission denied (publickey,password,keyboard-interactive).
>
> but trying local username labrat is working fine:
>
> g...@giraffe:~:$ ssh lab...@192.168.255.138
> lab...@192.168.255.138's password:
> --- JUNOS 8.5R4.3 built 2008-08-12 23:16:55 UTC
> lab...@lab-r8
>
> what is interesting here is that now i can see Access-Accept in the debugging messages of radiusd -X:
>
> rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
> User-Name = bob
> User-Password = bob
> NAS-Identifier = lab-r8
> NAS-IP-Address = 150.150.0.1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = bob, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry bob at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password bob
> [pap] Using clear text password bob
> [pap] User authenticated successfully
> ++[pap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 3 to 192.168.255.138 port 65003
> Juniper-Local-User-Name = labrat
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
> Sending duplicate reply to client r8 port 65003 - ID: 3
> Sending Access-Accept of id 3 to 192.168.255.138 port 65003
> Waking up in 1.9 seconds.
> Cleaning up request 4 ID 3 with timestamp +91
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.255.138 port 65003, id=3, length=57
> User-Name = bob
> User-Password = bob
> NAS-Identifier = lab-r8
> NAS-IP-Address = 150.150.0.1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = bob, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry bob at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password bob
> [pap] Using clear text password bob
> [pap] User authenticated successfully
> ++[pap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 3 to 192.168.255.138 port 65003
> Juniper-Local-User-Name = labrat
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 5 ID 3 with timestamp +97
> Ready to process requests.
>
> --- On Sun, 9/19/10, Tim Sylvester <tim.sylves...@networkradius.com> wrote:
> > From: Tim Sylvester <tim.sylves...@networkradius.com>
> > Subject: RE: still not working (newbie for radius)
> > To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org>
> > Date: Sunday, September 19, 2010, 5:52 PM
> >
> > > well, i had tried other configuration for users:
> > >
> > > bob Cleartext-Password = bob
> > > Juniper-Local-User-Name = labrat
> > >
> > > labrat is local login user id so that all of radius users will be mapped to that user.
> > > unfortunately, it is also failed though with no warning messages:
> > >
> > > tim
> >
> > You are missing a : - try the following:
> >
> > bob Cleartext-Password := bob
> > Juniper-Local-User-Name = labrat
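Michael's point about duplicates is how RADIUS is specified: RFC 2865 section 3 has the server treat a packet arriving from the same source IP and source UDP port with the same Identifier, within a short window, as a retransmission of a request it has already answered, which is the "Sending duplicate reply" line in the log. The following is an added example, not FreeRADIUS code: a small duplicate cache keyed that way, which additionally compares the Request Authenticator (FreeRADIUS does the same) so that a client reusing an Identifier for a genuinely new request is not fed the stale reply. The addresses and authenticators are constructed from the log above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Request:
    """The fields duplicate detection keys on, plus the Request Authenticator."""
    client_ip: str
    src_port: int
    identifier: int
    authenticator: bytes


class DuplicateCache:
    """Duplicate detection modelled on RFC 2865 section 3 (Identifier).

    A request is 'the same request' if it arrives from the same source IP and source UDP
    port with the same Identifier within a short window. The Request Authenticator is
    compared as well, so a client that reuses an Identifier for a new request gets that
    request processed instead of a replayed reply."""

    def __init__(self, ttl: float = 5.0) -> None:
        self.ttl = ttl
        self._entries: Dict[Tuple[str, int, int], Tuple[bytes, str, float]] = {}

    def handle(self, req: Request, make_reply: Callable[[Request], str],
               now: float) -> Tuple[str, str]:
        """Return (status, reply); status is 'new', 'duplicate' or 'conflict'."""
        self._expire(now)
        key = (req.client_ip, req.src_port, req.identifier)
        cached = self._entries.get(key)
        if cached is not None:
            auth, reply, _ = cached
            if auth == req.authenticator:
                # Byte-identical retransmission: resend the stored reply, do not re-authenticate.
                return "duplicate", reply
            status = "conflict"   # same ID, different authenticator: a new request reusing the ID
        else:
            status = "new"
        reply = make_reply(req)
        self._entries[key] = (req.authenticator, reply, now)
        return status, reply

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, _, seen) in self._entries.items() if now - seen > self.ttl]
        for k in stale:
            del self._entries[k]


def replay_thread_scenario() -> list:
    """Replay what the log above shows: three identical Access-Requests from
    192.168.255.138 port 65003 with id=3. The authenticators are constructed; a real
    client sends 16 fresh random octets per new attempt."""
    cache = DuplicateCache(ttl=5.0)
    accept = lambda r: "Access-Accept"
    same = Request("192.168.255.138", 65003, 3, bytes(16))
    statuses = [cache.handle(same, accept, t)[0] for t in (0.0, 1.0, 2.0)]
    # A correct client retrying too early: same ID, but a fresh Request Authenticator.
    fresh = Request("192.168.255.138", 65003, 3, bytes(range(16)))
    statuses.append(cache.handle(fresh, accept, 3.0)[0])
    # Once the window has passed, the same ID is simply a new request again.
    statuses.append(cache.handle(fresh, accept, 9.5)[0])
    return statuses


if __name__ == "__main__":
    print(replay_thread_scenario())   # ['new', 'duplicate', 'duplicate', 'conflict', 'new']
```

The cache answers the second and third packets from the stored reply without running authentication again, exactly as the server in the log did; only a different Identifier, a different source port, or a fresh Request Authenticator would make the server look at the request anew.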
Re: still not working (newbie for radius)
I'm merely speculating that your SSH client is rejecting the response where the User-Name != Juniper-Local-User-Name for 'bob' but accepts the name 'labrat' and response name 'labrat'.

> well, i don't have user labrat configured in file users on the radius server.

KISS: Set up the server to test the Juniper-Local-User-Name responses. You might consider testing just that side of things 'til you figure out the pattern. This part is not a RADIUS problem.

BTW the Access-Request packet should use either the NAS-Identifier OR the NAS-IP-Address but not both. Something is likely to mysteriously break later. Choose one.

> also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?

The RADIUS server is working properly. Your client is not.

Your RADIUS client sends an identical packet for each different attempt to log in. This is just plain wrong and the server is replying with a copy of the original response. Either the client is broken or SSH is misusing the client.

On 2010-09-19 11:19 PM, gahn wrote:
> thanks.
>
> well, i don't have user labrat configured in file users on the radius server. the labrat is in the local user password database on the juniper box. for the radius support on juniper routers, it must map a remote user (in the database of the radius server) to a specific local user. in my case, i map the radius username bob to the juniper local username labrat. if i understand correctly what you were saying, this attribute of Juniper-Local-User-Name is not working?
>
> also you are right, for some reasons, every login attempt will have two more duplicated messages besides the first one. why is that?
>
> I am really new on this. thanks for the help...
>
> --- On Sun, 9/19/10, Michael Lecuyer <m...@iterpacis.org> wrote:
> > From: Michael Lecuyer <m...@iterpacis.org>
> > Subject: Re: still not working (newbie for radius)
> > To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> > Date: Sunday, September 19, 2010, 7:26 PM
> >
> > By the looks of it you have two problems.
> >
> > The User-Password name 'bob' isn't matched by the response Juniper-Local-User-Name 'labrat'. Perhaps ssh cares.
> >
> > Your broken client sends the identical packet for the new authentication attempt when it must send a brand new packet (different id, socket or port). That's why the server drops subsequent login attempts from ssh - they're duplicate requests which the server has already answered.
> >
> > In your second attempt your User-Name is 'labrat' and the Juniper-Local-User-Name 'labrat' is being returned in the response, probably convincing SSH you are who you claim to be.
Solved: interpret check-Item and change reply-item to set VLAN
Thanks for the reply!

I have solved my attempt to set the VLAN-Group-ID based on the checkItem by inserting this line in the post-auth section of 'sites-available/default':

--
$INCLUDE ${confdir}/setTunnelGroup
--

In the file setTunnelGroup I insert this:

--
if (reply:SectionNetwork == sec11) {
    update reply {
        Tunnel-Private-Group-ID := 111
    }
}
--

In file 'dictionary' I add this line:

--
ATTRIBUTE SectionNetwork 4000 string
--

In file 'ldap.attrmap' I add this line:

--
replyItem SectionNetwork sectionNetwork
--

@ Phil: My problem is that the value of the ldap attribute does not correspond to the vlan name in our cisco switch at this time.

Kind regards
Michael

On 13.09.2010 16:10, Alan DeKok wrote:
> Michael Bathe wrote:
> > is there any how_to or solution to interpret the ldap checkItem and change the replyItem (I think in inner-tunnel)?
> > f.e.: If the checkItem match one of 'sec11', 'Sec11', 'SEC11'... the replyItem should be set to '111'.
>
> $ man unlang
>
> The ldap module doesn't do generic comparison or setting of attributes. Neither does the users file. But the unlang policy language does.
>
> Alan DeKok.
interpret check-Item and change reply-item to set VLAN
Hello list,

is there any how_to or solution to interpret the ldap checkItem and change the replyItem (I think in inner-tunnel)?
f.e.: If the checkItem matches one of 'sec11', 'Sec11', 'SEC11'... the replyItem should be set to '111'.

ldap.attrmap:

checkItem Tunnel-Private-Group-Id sectionNetwork
replyItem Tunnel-Private-Group-Id sectionNetwork

the following in the users file won't work:

DEFAULT Tunnel-Private-Group-Id == sec11
        Tunnel-Private-Group-Id = 111,
        Reply-Message += changed

DEFAULT Auth-Type == EAP
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Reply-Message += Access success for %{User-Name}.,
        Fall-Through = no

I use FreeRADIUS Version 2.1.6, for host i386-pc-solaris2.8, openLDAP, 802.1x with mschapv2. This works fine for me.

radiusd -X output:

...
rlm_ldap: performing search in dc=domain,dc=de, with filter (uid=user)
checking if remote access for user is allowed by uid
looking for check items in directory...
rlm_ldap: sectionNetwork - Tunnel-Private-Group-Id:0 == sec11
rlm_ldap: sambaNTPassword - NT-Password == removed
rlm_ldap: sambaLMPassword - LM-Password == removed
looking for reply items in directory...
rlm_ldap: sectionNetwork - Tunnel-Private-Group-Id:0 = sec11
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
...
++[eap] returns ok
} # server inner-tunnel
Got tunneled reply code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = Access success for user.
Tunnel-Private-Group-Id:0 = sec11
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = user
Got tunneled reply RADIUS code 2
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = Access success for user.
Tunnel-Private-Group-Id:0 = sec11
EAP-Message = 0x03090004
Message-Authenticator = 0x
User-Name = user
Tunneled authentication was successful.
SUCCESS
Saving tunneled attributes for later
++[eap] returns handled
...
Sending Access-Accept of id 131 to 10.0.0.12 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Reply-Message = Access success for user.
Tunnel-Private-Group-Id:0 = sec11
User-Name = user
MS-MPPE-Recv-Key = 0x611ed2d5955bded1d3302045c5930fd4aad610a0b6f5aa1045ba0477f12b7eee
MS-MPPE-Send-Key = 0xc38e1cad9590596e3902a46a40706ad8bde70f05bde110698b631b503c00f51b
EAP-Message = 0x030a0004
Message-Authenticator = 0x
Finished request 10.
...

thanks and best regards
Michael
Re: Construction of Response-Authenticator
No one here is going to do your homework for you. RFC 2865 is pretty clear on how this is calculated. A Message-Authenticator attribute in the response attributes will require more work. Perhaps you can get extra credit for figuring it out.

On 2010-09-12 1:25 PM, Theresa Otte wrote:
> Hello,
>
> I use FreeRADIUS 2.1.8 on Ubuntu 10.4. For my course at university I have to write a program in which I need to re-calculate the response-authenticator (MD5(Code+ID+Length+Request-Auth.+Attributes+Secret)). Does anybody know how FreeRADIUS calculates it? Does it take the binary code of the message fields or another encoding? When I try to re-calculate it, I never get the same Response-Authenticator as in the Access-Accept-Message.
>
> I'm programming with Python and using the libraries of scapy and hashlib.
>
> Perhaps anyone of you can help me. Thank you very much!
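For anyone following Theresa's question, here is the calculation carried out over raw octets in Python. This is an added example, not code from the thread or from FreeRADIUS; the shared secret, Identifier and Request Authenticator are constructed values. It builds an Access-Accept, computes the Response Authenticator exactly as RFC 2865 section 3 specifies, adds the Message-Authenticator that Michael mentions (RFC 2869 section 5.14: HMAC-MD5 keyed with the secret over the packet, with the Request Authenticator in the Authenticator field and the attribute's own value zeroed), and then verifies both fields the way a client should.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute in wire form: Type, Length (value + 2), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    Every term is the raw octet string from the packet; Length is the 2-octet big-endian
    total packet length (20 + attributes), not a textual rendering of the fields."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes,
                   secret: bytes, with_message_authenticator: bool = True) -> bytes:
    """Assemble a complete response packet.

    The Message-Authenticator (RFC 2869 section 5.14) is appended first: HMAC-MD5 keyed
    with the secret over the whole packet, the Authenticator field holding the Request
    Authenticator and the attribute's own value set to 16 zero octets. The Response
    Authenticator is then computed over the finished attribute list."""
    if with_message_authenticator:
        zeroed = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(zeroed))
        mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
        attrs = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, request_auth, attrs, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Check a received response the way a client should.

    Returns (response_auth_ok, message_auth_ok); the second is None when the packet
    carries no Message-Authenticator. Malformed packets return (False, None)."""
    if len(packet) < HEADER_LEN:
        return False, None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, None
    attrs = packet[HEADER_LEN:]
    expected = response_authenticator(code, identifier, request_auth, attrs, secret)
    auth_ok = hmac.compare_digest(packet[4:HEADER_LEN], expected)

    mac_ok = None
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return False, None
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False, None                     # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = attrs[pos + 2:pos + 18]
            zeroed = attrs[:pos + 2] + b"\x00" * 16 + attrs[pos + 18:]
            calc = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
            mac_ok = hmac.compare_digest(received, calc)
        pos += attr_len
    return auth_ok, mac_ok


# Constructed values: the shared secret and the 16-octet Request Authenticator
# carried by the Access-Request this reply answers.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    reply = build_response(ACCESS_ACCEPT, 13, REQUEST_AUTH,
                           encode_attr(ATTR_USER_NAME, b"test1"), SECRET)
    print(reply.hex())
    print(verify_response(reply, REQUEST_AUTH, SECRET))       # (True, True)
    print(verify_response(reply, REQUEST_AUTH, b"wrong"))     # (False, False)
```

Two details are easy to get wrong when working from a scapy dissection: the Length inside the hash is the total packet length including the 20-octet header, and the Authenticator octets fed to MD5 are the Request Authenticator from the Access-Request, not the Authenticator field of the reply being checked.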
Re: Of accounting data and security
TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+ version, and packet sequence number. This is XOR'd over the packet. The pad is in multiples of the MD5 hash length. The header is sent plain text and includes the sequence number, the session ID and version number. Encoding and decoding are symmetrical. It is not considered strong encoding. We're all fortunate RADIUS doesn't use this to encode packets.

Natr Brazell wrote:
> Thanks, I'm looking into IPSEC at the moment. I'm curious how TACACS+ does their encryption?
>
> N
>
> On Fri, Aug 6, 2010 at 4:09 PM, Alan DeKok <al...@deployingradius.com> wrote:
> > Natr Brazell wrote:
> > > Is there a way to secure the communication between the radius server and the NAS especially wrt accounting data?
> >
> > IPSec.
> >
> > Most NASes implement IPv4, and not much else. Security means don't run RADIUS over a network where users have access.
> >
> > Alan DeKok.
Re: Of accounting data and security
We would be stuck with static weak security built in to RADIUS just like TACACS uses. There are options for securely tunneling RADIUS packets that weren't available in the early years. Secure tunneling doesn't require changes to the RADIUS protocol. The EAP-TLS extension alone has made most of RADIUS secure.

For TACACS changing the encoding means re-writing every client and server. Tunneling TCP through SSL takes way too many packets to efficiently perform a large number of each separate authentication, authorization and accounting transaction.

Built in transport security is a bad idea. For TACACS it is the only way since PAP/ASCII authentication and password changes really are sent in plain text.

Please, no more talk of TACACS. It's not a good example of anything.

Natr Brazell wrote:
> Curious why we're fortunate? Could you elaborate some?
>
> On Sun, Aug 8, 2010 at 10:01 PM, Michael Lecuyer <m...@iterpacis.org> wrote:
> > TACACS+ uses an MD5 pad based on the session ID, shared secret, TACACS+ version, and packet sequence number. This is XOR'd over the packet. The pad is in multiples of the MD5 hash length. The header is sent plain text and includes the sequence number, the session ID and version number. Encoding and decoding are symmetrical. It is not considered strong encoding. We're all fortunate RADIUS doesn't use this to encode packets.
> >
> > Natr Brazell wrote:
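The pad Michael describes is specified in RFC 8907 section 4.5 (Body Obfuscation), and the RFC itself calls it obfuscation rather than encryption. The following is an added example, not code from the thread or from any TACACS+ implementation, that derives the pad and applies it; the key, session ID and body are constructed values. It makes the two properties in Michael's description concrete: applying the same operation twice restores the body (encoding and decoding are symmetrical), and every input to the pad except the key is copied from the cleartext header, so the pad is fixed entirely by header fields plus the shared key.

```python
import hashlib
import struct


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Build the TACACS+ body obfuscation pad (RFC 8907 section 4.5).

    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1))
    pad   = MD5_1 || MD5_2 || ... truncated to the body length.

    session_id (4 octets), version (1 octet) and seq_no (1 octet) are taken straight from
    the cleartext header, so the key is the only input a listener does not already see."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()   # each digest chains the previous one
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so calling this again on the
    obfuscated body with the same header fields and key yields the original."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def round_trip_ok(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bool:
    """Encode, then decode with the same parameters, and confirm the body comes back."""
    wire = obfuscate_body(body, session_id, key, version, seq_no)
    return obfuscate_body(wire, session_id, key, version, seq_no) == body


if __name__ == "__main__":
    # Constructed values standing in for a real exchange.
    KEY = b"tac_plus_shared_key"
    SESSION, VERSION, SEQ = 0x1234ABCD, 0xC0, 1     # version 0xC0: major 0xC, minor 0
    body = b"authen START body, constructed"
    print(round_trip_ok(body, SESSION, KEY, VERSION, SEQ))        # True
    # The pad depends only on header fields and the key, never on the body it covers.
    same_header = tacacs_pad(SESSION, KEY, VERSION, SEQ, 32)
    print(same_header == tacacs_pad(SESSION, KEY, VERSION, SEQ, 32))   # True
```

Compare this with the RADIUS User-Password hiding discussed earlier in the list: both are MD5-chained XOR pads under a shared secret, and neither provides integrity protection of its own, which is why the advice in this thread (IPSec, or tunnelling) concerns the transport rather than the protocol's built-in encoding.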
Re: Master key and Pairwise Master Key encryption
I'm not sure it would help you to know how the Master Keys are generated or encoded - it's not simple. It's a process involving the accumulated TLS handshake messages, random number generation, various sorts of key exchanges, cryptographic hashes, and the PRF function described in the TLS RFCs. Not really casual reading.

TTLS and TLS use different TLS PRF (Pseudo-Random Function) labels to generate the key material. The MPPE RFC 3079 describes the generation of the master MPPE keys from the PRF and how the supplicant should use them. Some of us find this casual reading :)

Encoding attribute data is done using a salt encoding described in RFC 2548 with a Microsoft modification described in some MPPE RFC.

The 'code' is scattered throughout the FR rlm source (those dealing with TLS and the many mschap's) and in the separate OpenSSL source dealing with SSL/TLS. However, in FR, it just automagically works.

Khan Ferdous Wahid wrote:
> Hi,
>
> I want to know about the Master key (MK) encapsulation and Pairwise Master key (PMK) generation during EAP-TLS or EAP-TTLS methods. When the supplicant is authenticated, the server generates a MK and sends it in encrypted format to the supplicant. How is this MK (I think it is a random number) encrypted? Which algorithm is used and which parameters are included (input) to disguise the MK? Then how is the PMK generated independently inside server and supplicant? What algorithm and parameters are used to cryptically pass the PMK to the authenticator (Access point)? Please tell me clearly because I am a newbie. Which source codes include these operations, where should I look?
>
> Thank you.
>
> /Khan
Re: speed of detail reader server
On Mon, Jun 21, 2010 at 07:48:19PM +0300, Alexandru Oprisan wrote:
> I'm using freeradius 2.1.6 on gentoo to do decoupled accounting. I have everything set up, the only problem seems to be the speed of the 'detail reader server'. I do quite a lot of accounting packets on the box (no auth); the detail writer has already written 1.9G of details (in about 5 hours) to hourly files, but the detail reader is lagging far behind (still working on the first file). I only see about 1 row inserted per second, but I know the server can do far more. I have set load-factor to 100, doesn't seem to help.

The detail reader is serial in nature, meaning it will read a packet, transmit it, and wait for a response. Upon receipt of an ack it will repeat for the next packet. If you have any sort of latency on your link you can easily get heavily backlogged.

We ended up implementing a proxy in between the detail file reader and the remote end; the proxy (a custom Perl script) transmits across several sockets, which the remote end seems to be able to deal with properly. This has alleviated any backlog. I have grand plans to modify the reader to transmit non-serially, but so far have not had the tuits to apply to the problem.

I'm not sure I would recommend the proxy solution, but if you can manage it, it may be a reasonable stop-gap.

-- Michael Fowler www.shoebox.net
Re: dynamic assignment of VLANs from LDAP via freeradius to WLAN-Clients doesn't work properly
On Thursday, 27 May 2010 18:42:29, Meister, Frank wrote:
> Hello, we have freeradius-2.1.8 running, with openldap-2.3.43 as backend. In LDAP we have three attributes (radiusTunnelMediumType=IEEE-802, radiusTunnelType=VLAN, and radiusTunnelPrivateGroupId=[vlan-id]); freeradius maps the LDAP attributes to RADIUS attributes. We have three VLANs, one for staff, one for students and one for guests on the WLAN.
>
> After assigning the 1st VLAN on our Cisco Aironet 1242 access points to the SSID - clicking Apply, assigning the 2nd VLAN - click Apply, assigning the 3rd VLAN, click Apply - it works fine. (I mean manually assigning VLANs using the web interface.) After a reboot of the access point it doesn't work anymore. After assigning all three VLANs again, one after the other, it works.

Besides the fact that this question doesn't have anything to do with this list, did you try:

copy running-config startup-config

?

Greetings,
-- Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: Looking for an editor for FreeRADIUS documentation
On Tuesday, 18 May 2010 09:16:06, Alan DeKok wrote:
> In the interest of making the project better, we're looking for an editor for the documentation. The existing documentation is an ad hoc collection of files thrown together over a decade of effort, and written by many different people. We'd like to organize the documentation (doc/ directory), and clean it up.
>
> We're looking for an editor with the following skills:
> - willing to do the work
> - can write reasonably clearly
> - basic knowledge of RADIUS
>
> The goal is to *organize* the documentation, not to write more. The existing documentation is basic, and could be improved through simple re-organization. No knowledge of git is required. Familiarity with restructured text would be good. We're looking to move the documentation to that format.
>
> If it matters, this is a *paid* position. We can't afford a lot, but we can afford to pay for work done. The rates will be negotiable based on quantity of work and results.
>
> Please send email to the list if you're interested. We can choose a candidate, and do the edits publicly, so people see visible progress.
>
> Alan DeKok.

Hi,
I'd like to contribute. I can write some chapters. Since I am no native English speaker I'd need a proofreader to check my writing. And I have some experience in article and book writing. Perhaps with the help of all the volunteers we can finish the book. You define the structure and people contribute text.

Greetings,
-- Dr. Michael Schwartzkopff, MultiNET Services GmbH
Re: Encrypted password with FR+LDAP+Wireless Network
The password is encoded for PAP (when a User-Password is present). It's the only authentication method that uses decodable passwords. FR is displaying it in plain text for your convenience.

Inácio Alves wrote:
> Good morning to all.
> I would like to know if it is possible to use FR+LDAP with User-Password encrypted? I'm using FR 2.1.8 + OpenLDAP 2.4.21. I'm trying to configure FR to authenticate users in a wireless network. This is my debug output. When I try a radtest with login/pass from the users file I don't get a warning, but LDAP
Re: VMPS logging
On Monday, 3 May 2010 16:56:23, Alan DeKok wrote:
> Michael Schwartzkopff wrote:
>> Strange. I added a line
>>
>> Access-Accept = Accepted %{User-Name}
>>
>> But I only see entries from the Access-Request part of the linelog module.
>
> You have the reference line as Packet-Type? Change it to reply:Packet-Type
>
> Alan DeKok.

Yes, this works. Thanks.

-- Dr. Michael Schwartzkopff, MultiNET Services GmbH
RE: R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool
How is FreeRADIUS supposed to know when a user disconnects and frees up the IP address from the pool if the NAS doesn't tell it? Anything else is not exactly reliable. If you have a user with a long-duration session that lasts longer than your timeout, the IP could be put back into the pool when it is still in use. The best solution would be to fix the NAS to send the packets or fix the network to make sure they get delivered.

Michael
-- Michael J. Hartwick, VE3SLQ hartw...@hartwick.com
Hartwick Communications Consulting (519) 396-7719 Kincardine, ON, CA http://www.hartwick.com

--
From: freeradius-users-bounces+hartwick=hartwick@lists.freeradius.org On Behalf Of Tabacchiera Stefano
Sent: Tuesday, May 04, 2010 15:39
To: freeradius-users@lists.freeradius.org
Subject: Re: R: Re: R: Re: R: rlm_ippool: No available ip addresses in pool

> Tabacchiera Stefano wrote:
>> Alan, here's the content of gdbm db:
>
> Ah... it's the DBM pools.

I already stated that in the subject of my mail (did you notice the module name?).

> Well.. use rlm_ippool_tool to manage the pool.

Great idea! Too bad that tool only allows clearing *all* the entries in the DBM pool. Or am I just missing something?

> Or, get your NAS to send accounting stop packets. It's *supposed* to send stop packets when a user session is cleared.

As I already said, I know the NAS sometimes doesn't send acct-stop pkts, but it's out of my control.

My questions (still unanswered, let me say) are:
1) Is maximum_timeout useless?
2) Is there a way to keep my dbm pool safe and updated (I mean no expired addresses), even in the case some acct-stop pkts are lost?
3) Should I switch to sql pool, 'cause dbm is actually unreliable?
Re: VMPS logging
On Monday, 3 May 2010 13:29:24, Alan DeKok wrote:
> Michael Schwartzkopff wrote:
>> On Sunday, 2 May 2010 12:22:57, Jens Link wrote:
>> I also got problems logging Access-Accept details through linelog. Is it possible at all?
>
> Yes... what's going wrong?

Strange. I added a line

Access-Accept = Accepted %{User-Name}

But I only see entries from the Access-Request part of the linelog module.

Greetings,
-- Dr. Michael Schwartzkopff, MultiNET Services GmbH
Re: VMPS logging
On Sunday, 2 May 2010 12:22:57, Jens Link wrote:
> Alan DeKok <al...@deployingradius.com> writes:
>> Jens Link wrote:
>>> I have a working VMPS installation, radiusd -X shows me the relevant information (MAC - VLAN assignments) but how do I log this information to a file or syslog?
>>
>> rlm_linelog
>
> Either I'm too tired or too stupid to get it up and running. Is there an example on how to use it?
>
> thanks
> Jens

Hi,
I also got problems logging Access-Accept details through linelog. Is it possible at all?

thanks.
-- Dr. Michael Schwartzkopff, MultiNET Services GmbH
freeradius-1.1.7-sol10-x86-local from sunfreeware on solaris 10 x86
Hello freeRadius-Users,

I've installed freeradius-1.1.7-sol10-x86-local and all dependencies. I don't know what's wrong! When I run /usr/local/sbin/radiusd -X I get the following output:

r...@host# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Segmentation Fault (core dumped)

Can somebody help me, please?

best regards
Michael
Re: NAS-IP vs srcIP
Plenty of reasons - but one you won't have control over even in CoA is that it could be proxied. The NAS-IP-Address is used in the CoA request packet to tell the NAS which client should receive the packet.

Marlon Duksa wrote:
> Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same? If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an IP address other than the src-ip of the NAS that is used in regular FreeRadius accounting/authorization packets. The source IP address of the NAS is normally the native interface address from which the access-req was sent (but it can be configurable). The NAS-IP would be used to address the NAS in CoA requests sent from FreeRadius. We need this behavior to address certain deployment requirements.
>
> For example:
>
> IP prot: srcIP: 1.1.1.1 dstIP: 2.2.2.2
> Radius prot: code: access-request (1) AVPs: NAS-IP-Address: 3.3.3.3
>
> srcIP != NAS-IP-Address
>
> Thanks,
> Marlon
Re: Radpostauth question
It's a one-way hash of the password. What you're seeing is the CHAP password value. Only PAP uses a reversible password.

Sallai Janos wrote:
> Hi,
> Does anyone know how I could save the CHAP password into radpostauth pass in a VISIBLE format, in mysql? Actually I can correctly log both the successful and unsuccessful authentications, but I can see only the PAP auth in a visible format. Is there a chance to configure freeradius to see a visible chap-password when querying in mysql, not the 0xea8c35456432dd70a3bbe3ef701a669a13 encrypted formula?
> thanks,
> John
notifying another server on accounting
Greetings,

We have a bit of an odd setup (apparently). We have a vendor that is providing services based on whether a user has an active and authorized session. In order to support this we forward on accounting data with a detail file writer and reader, using the copy-acct-to-home-server as a template. This is using FreeRadius 2.1.8.

I have always felt lame ascii drawings help, so this is the setup (in essence):

request:  NAS - accounting-server
                  | copy |
                  - vendor
response: NAS - accounting-server - vendor

Unfortunately, we seem to be hitting a wall in terms of packets transmitted to the vendor. It is my understanding that the detail reader is serial in nature, meaning it only sends one packet to the vendor (in this case), and will not send another until it gets a response. The vendor is over a slow link, or the packets are otherwise delayed, so we are getting a backlog of detail entries. The detail file is filling faster than it can be flushed to the vendor.

My question is, how can we fix this?

A few ideas have been batted around. One is to write some code (via rlm_perl or rlm_python) that essentially does what the entire writer/reader combination is doing, only in parallel. Meaning, it handles transmitting and retransmitting to the vendor. In the short term this might be viable, but it's reinventing wheels, and it's hard to justify long-term given most of the people dealing with this are not programmers.

Another was to somehow load-balance the readers. I cannot find a configuration example to support this, but would it be possible, and more importantly useful, to have multiple readers pointing to the same detail file?

Any help or suggestions would be appreciated. Thanks.

-- Michael Fowler www.shoebox.net