Re: Allowing both PAP and CHAP with a mixture of clear text and encrypted passwords
>> Is it possible to make radius tell the dial equipment to send the
>> password in clear text if it can't authenticate a CHAP password?
> No.
> In many cases, the NAS can't even control it. The client uses
> CHAP, and there's no way for the NAS to tell it to use PAP.

We had a case of a service that proxied to our RADIUS and tried to do CHAP. Our network engineers fixed this by putting the following into the DEFAULT profile for that client:

    Ascend-Send-Auth = Send-Auth-PAP

I cannot speak to what this attribute does or if any special settings were configured on the router. I leave that to someone with a more vested interest in this scenario to figure out.

_Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bug with Access-Reject and reject_delay
Alan (and all),

I believe that I have found a bug related to Access-Reject and the reject_delay and max_session_time configuration settings. I am running FR 1.0.0.

When I run radiusd -X, all behaves as expected. The Access-Reject is sent after the delay time indicated by the reject_delay setting. However, when I run radiusd as a daemon without any parameters, the Access-Reject is delayed by reject_delay + max_session_time when reject_delay > 0. If I set reject_delay to 0 and run as a daemon, there is no delay.

I would like to continue using the default reject_delay value of '1'. However, I have had to dramatically shorten the max_session_time to allow Access-Reject messages to be sent in a reasonable time. My first question is: will shortening max_session_time to 1 second have any negative repercussions? My second question is: can the underlying problem be fixed in the next release?

My environment is FR 1.0.0 using MySQL. I am using NTRadPing to test and tcpdump to monitor the response times from the RADIUS server.

Thanks,
_Mike
Re: reject_delay anomaly
George,

See also my post and Alan's response from the archives:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg08868.html

Regards,
Mike

-----Original Message-----
From: "George C. Kaplan" <[EMAIL PROTECTED]>
Subject: Re: reject_delay anomaly
Date: Mon, 20 Dec 2004 09:30:37 -0800

In message <[EMAIL PROTECTED]>, Scott writes:
> George,
>
> I was recently monitoring some testing of my own radius server the other day.
>
> I'm using the CVS release (not a daily snapshot) from 2004-12-15 on RedHat
> 7.2. While briefly testing my setup, I noticed there was a reject delay for
> failed authentications. I didn't time anything, but your comment about two
> seconds plus the config parameter sounds accurate. However, I have not
> experienced any excessive delays like the 31 second ballpark you mention.

The 31-second delay wasn't obvious, because most RADIUS clients will retry after a couple of seconds. A packet trace will reveal that no reply is sent to the first request, but the reject reply is sent immediately after the retry. Using 'radclient' with a really long timeout revealed the 31-second delay.

> If you're not making any progress with this, I'd suggest investigating the
> source code, to see where this is handled. I would then, either enable extra
> debugging (if logging is already present for this section), or add some debug
> messages of your own (including the current time+millisecond timestamp).

I've sidestepped the immediate problem by turning off the reject_delay, but I'll try to dig through the source if I can find time. (I'm wary of debugging modes, as I've already seen that -X hides the problem).

--
George C. Kaplan                        [EMAIL PROTECTED]
Communication & Network Services        510-643-0496
University of California at Berkeley
RE: Access-Reject not sent unless run with -X
> I am encountering some strange behaviour of freeradius
> 1.01. May be a bug.
>
> A) If i launch the freeradius daemon with the radiusd
> command i notice that Access-Reject packets are not
> sent back. Access-Accept are sent.
>
> B) If now I launch freeradius using the interactive
> "radiusd -X" command, for exactly the same context as
> A) I now receive back my Access-Reject packets.

This is a bug. See my previous post here:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg08868.html

Where I state "max_session_time", I should have said "max_request_time".

Either change your RADIUS client to have a 31+ second timeout or dramatically reduce the setting for "max_request_time". I use 6 seconds. Alternatively, have your RADIUS client resend the authentication request fairly soon after the first. A second authentication request gets an immediate Access-Reject response. No 31 second delay.

Cheers,
Mike
RE: HuntGroups & MySql
I believe the reason these SQL Group discussions die is that it is hard to explain what is really happening. I will attempt to do so but cannot devote much time to followups if this is not clear. Also my understanding is based on FR 1.0.0 as we haven't moved up to 1.0.2 yet.

FreeRADIUS' use of groups in the sql module is not the same as using Unix groups in the users file. You cannot create separate check conditions in separate SQL groups and then send only the reply elements from that same group.

Look at the SQL queries in sql.conf - specifically, the authorize_group_check_query and authorize_group_reply_query settings. These queries return check and reply attributes for a user based on the settings in usergroup. IT DOES NOT RETURN THE GROUP NAMES THEMSELVES. As far as FreeRADIUS is concerned this is one large group of check and reply attributes.

I have implemented two possible solutions and I'm sure there are plenty of others.

One solution is to use Autz-Type and implement a different sql.conf definition for each Autz-Type. The downside is that many more SQL connections are opened when FR starts up.

Another solution is to redefine the SQL queries in sql.conf. I have implemented this approach by adding a HuntGroup column to the table definitions. I then add the appropriate clients to the huntgroup file and have the SQL queries use the HuntGroup name as part of the query to find the appropriate check and reply attributes to return to FreeRADIUS.
An example of our setup is as follows:

    +-----------+-----------+----+--------+-----------+
    | GroupName | Attribute | op | Value  | HuntGroup |
    +-----------+-----------+----+--------+-----------+
    | DEFAULT   | Auth-Type | =  | Local  | wlusers   |
    | DEFAULT   | Auth-Type | =  | Reject | dial800   |
    | tollfree  | Auth-Type | := | Local  | dial800   |
    +-----------+-----------+----+--------+-----------+

    +-----------+--------------------+----+---------------------+-----------+
    | GroupName | Attribute          | op | Value               | HuntGroup |
    +-----------+--------------------+----+---------------------+-----------+
    | DEFAULT   | Service-Type       | =  | Framed-User         | wlusers   |
    | DEFAULT   | Framed-Protocol    | =  | PPP                 | wlusers   |
    | DEFAULT   | Framed-IP-Address  | =  | 255.255.255.254     | wlusers   |
    | DEFAULT   | Framed-IP-Netmask  | =  | 255.255.255.255     | wlusers   |
    | DEFAULT   | Framed-Compression | =  | Van-Jacobson-TCP-IP | wlusers   |
    | tollfree  | Service-Type       | =  | Framed-User         | dial800   |
    | tollfree  | Framed-Protocol    | =  | PPP                 | dial800   |
    | tollfree  | Framed-IP-Address  | =  | 255.255.255.254     | dial800   |
    | tollfree  | Framed-IP-Netmask  | =  | 255.255.255.255     | dial800   |
    | tollfree  | Framed-Compression | =  | Van-Jacobson-TCP-IP | dial800   |
    +-----------+--------------------+----+---------------------+-----------+

A similar approach could be implemented using IP addresses, hints or realms.

Cheers,
_Mike (not a FreeRADIUS developer)
RE: HuntGroups & MySql
> This looks like my radgroupcheck -- is that what you are using?
>> +-----------+-----------+----+-------+-----------+
>> | GroupName | Attribute | op | Value | HuntGroup |
>> +-----------+-----------+----+-------+-----------+

Yes, this is the standard MySQL table layout but with the addition of the HuntGroup column.

> This looks like my radgroupreply -- is that what you are using?
>> +-----------+-----------+----+-------+-----------+
>> | GroupName | Attribute | op | Value | HuntGroup |
>> +-----------+-----------+----+-------+-----------+

Ditto.

> Can you post the changes you made to the sql.conf queries?

    authorize_group_check_query = "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName, ${groupcheck_table}.Attribute,${groupcheck_table}.Value, ${groupcheck_table}.op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = trim('%{SQL-User-Name}') AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName AND (${groupcheck_table}.HuntGroup = '%{request:Huntgroup-Name}' OR ${groupcheck_table}.HuntGroup IS NULL) ORDER BY ${groupcheck_table}.id"

    authorize_group_reply_query = "SELECT ${groupreply_table}.id,${groupreply_table}.GroupName, ${groupreply_table}.Attribute,${groupreply_table}.Value, ${groupreply_table}.op FROM ${groupreply_table},${usergroup_table} WHERE ${usergroup_table}.Username = trim('%{SQL-User-Name}') AND ${usergroup_table}.GroupName = ${groupreply_table}.GroupName AND (${groupreply_table}.HuntGroup = '%{request:Huntgroup-Name}' OR ${groupreply_table}.HuntGroup IS NULL) ORDER BY ${groupreply_table}.id"
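The two HuntGroup-filtered queries above, run against the sample radgroupcheck/radgroupreply rows from the earlier post, as an added example that is not FreeRADIUS or the poster's code. It uses sqlite3 in place of MySQL, bound parameters in place of the %{...} expansions FreeRADIUS performs, and assumed table names (usergroup, radgroupcheck, radgroupreply) and group memberships; the '=' / ':=' merge rules are the users-file operator semantics.

```python
import sqlite3

# Constructed sample data, copied from the radgroupcheck/radgroupreply tables
# in the earlier post (reply rows trimmed to two per group). Memberships in
# usergroup are assumed: everyone is in DEFAULT, bob is also in tollfree.
USERGROUP = [("alice", "DEFAULT"), ("bob", "DEFAULT"), ("bob", "tollfree")]
GROUPCHECK = [("DEFAULT", "Auth-Type", "=", "Local", "wlusers"),
              ("DEFAULT", "Auth-Type", "=", "Reject", "dial800"),
              ("tollfree", "Auth-Type", ":=", "Local", "dial800")]
GROUPREPLY = [("DEFAULT", "Service-Type", "=", "Framed-User", "wlusers"),
              ("DEFAULT", "Framed-Protocol", "=", "PPP", "wlusers"),
              ("tollfree", "Service-Type", "=", "Framed-User", "dial800"),
              ("tollfree", "Framed-Protocol", "=", "PPP", "dial800")]

def open_db():
    """In-memory copy of the three tables; HuntGroup is the added column."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
            Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);
        CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT,
            Attribute TEXT, op TEXT, Value TEXT, HuntGroup TEXT);""")
    conn.executemany("INSERT INTO usergroup VALUES (?,?)", USERGROUP)
    for table, rows in (("radgroupcheck", GROUPCHECK), ("radgroupreply", GROUPREPLY)):
        conn.executemany(f"INSERT INTO {table} (GroupName,Attribute,op,Value,HuntGroup)"
                         " VALUES (?,?,?,?,?)", rows)
    return conn

def group_rows(conn, table, user, huntgroup, by_huntgroup=True):
    """The authorize_group_*_query from the post. FreeRADIUS expands
    %{SQL-User-Name} and %{request:Huntgroup-Name} into the SQL text; bound
    parameters stand in for that here. by_huntgroup=False drops the added
    HuntGroup predicate, i.e. the stock query: every group the user is in
    contributes rows, the "one large group" behaviour described earlier."""
    where = "u.UserName = trim(?) AND u.GroupName = g.GroupName"
    args = [user]
    if by_huntgroup:
        where += " AND (g.HuntGroup = ? OR g.HuntGroup IS NULL)"
        args.append(huntgroup)
    sql = (f"SELECT g.GroupName, g.Attribute, g.op, g.Value FROM {table} g, "
           f"usergroup u WHERE {where} ORDER BY g.id")
    return conn.execute(sql, args).fetchall()

def merge(rows):
    """Collapse the rows into one attribute list using the users-file operator
    rules: '=' adds the attribute only if it is not already present, ':='
    always overwrites. Row order (ORDER BY id) therefore matters."""
    out = {}
    for _group, attr, op, value in rows:
        if op == ":=" or attr not in out:
            out[attr] = value
    return out

def effective_check(user, huntgroup, by_huntgroup=True):
    return merge(group_rows(open_db(), "radgroupcheck", user, huntgroup, by_huntgroup))

def effective_reply(user, huntgroup, by_huntgroup=True):
    return merge(group_rows(open_db(), "radgroupreply", user, huntgroup, by_huntgroup))
```

With the filter, alice on dial800 gets Auth-Type Reject while bob's tollfree ':=' row overrides it to Local; without the filter the wlusers Local row is merged first and the dial800 Reject row never takes effect.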
Re: Authenticate/Attributes based on NAS-IP-Address
Nick,

Extend the MySQL schema and change the SQL queries in sql.conf to do what you want. You could extend by HuntGroup, NAS-IP, Client-IP, whatever. See my previous post to this list archived here:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.html

Cheers,
_Mike

-----Original Message-----
Message: 6
Date: Tue, 07 Jun 2005 19:20:28 -0700
From: N White <[EMAIL PROTECTED]>
Subject: Re: Authenticate/Attributes based on NAS-IP-Address
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Actually I already have two running FreeRADIUS servers with SQL. That isn't the hard part. The problem with your instructions is that I'm not using ippool to assign dynamic IPs, our NASes are doing that (Portmaster 2/3). I don't have a problem setting up static IPs either, as we have several Dial-Up users who need those also.

The problem lies in that I want to use the RADIUS server for PPPoE authentication also. But I want to allow users who log in through PPPoE to also be able to log in regularly (Dial-Up), when their PPPoE isn't logged in. BUT, when they log in through PPPoE, I want them to be assigned a static IP; when they login via Portmasters/Dial-Up, then they don't get the static IP, they get a regular dynamic one.

Basically if a user logs in through NAS1, they are assigned X attributes with dynamic IP; if they log in through NAS2, they are assigned Y attributes with a static IP. And all this needs to be done in MySQL, that way my own PHP frontend (which I intend to release GPL) can work with it. Also I think MySQL scales better.

-Nick

--
| Nick White           |
| Network Consultant   |
| http://www.edge9.net |
| [EMAIL PROTECTED]    |
Re: Authenticate/Attributes based on NAS-IP-Address
> That link doesn't give me anything. Page Not Found. I've done a lot of
> searching through the archives though and haven't really found anything
> like this.

Did you add the "tml" back into the URL?

>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg16842.h
>> tml

_Mike
MD5 password encryption problem
Hello all,

I have searched the mailing list archives and have failed to find a solution to my particular problem. I am trying to switch the entries in our users file from Unix crypt to MD5 encryption. My entry in the users file looks like this:

    mikelampson Auth-Type := PAP, Crypt-Password == "cc03e747a6afbbcbf8be7668acfebee5"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            Framed-Compression = Van-Jacobson-TCP-IP

The above Crypt-Password is for the string "test123" and was generated by using the md5_hex function from the Digest::MD5 Perl library.

The top portion of the authenticate section of radiusd.conf is as follows:

    Auth-Type PAP {
            pap
    }

And the pap section looks like this:

    # PAP module to authenticate users based on their stored password
    #
    # Supports multiple encryption schemes
    # clear: Clear text
    # crypt: Unix crypt
    # md5: MD5 encryption
    # sha1: SHA1 encryption.
    # DEFAULT: crypt
    pap {
            #encryption_scheme = crypt
            encryption_scheme = md5
    }

And finally the relevant lines when running radiusd -X are as follows:

    rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3091, id=26, length=51
            User-Name = "mikelampson"
            User-Password = "test123"
    modcall: entering group authorize for request 1
      modcall[authorize]: module "preprocess" returns ok for request 1
      modcall[authorize]: module "chap" returns noop for request 1
        rlm_realm: No '@' in User-Name = "mikelampson", looking up realm NULL
        rlm_realm: No such realm "NULL"
      modcall[authorize]: module "suffix" returns noop for request 1
        users: Matched mikelampson at 129
      modcall[authorize]: module "files" returns ok for request 1
    modcall: group authorize returns ok for request 1
    rad_check_password: Found Auth-Type PAP
    auth: type Crypt
    auth: Failed to validate the user.

I am using NTRadPing to generate the request. Any suggestions appreciated.

Thanks,
Mike
MD5 encoded password will not validate
Hello all,

I tried to ask this question on Friday and didn't receive an answer, so let me try to explain it better.

I am presently running FreeRADIUS using Unix crypt passwords. This works fine. However I need to add support for better (i.e. longer) passwords and would like to use MD5 encoded passwords. This is not working using NTRadPing. I am getting a "failed to validate the user" error:

>> modcall: group authorize returns ok for request 0
>> rad_check_password: Found Auth-Type PAP
>> auth: type Crypt
>> auth: Failed to validate the user.

As best as I can tell, I am correctly MD5 encoding the password string "test123". Does anyone have any ideas?

Below is the block from my users file:

    mikelampson Auth-Type := PAP, Crypt-Password == "cc03e747a6afbbcbf8be7668acfebee5"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            Framed-Compression = Van-Jacobson-TCP-IP

The top portion of the authenticate section of radiusd.conf is as follows:

    Auth-Type PAP {
            pap
    }

And the pap section looks like this:

    # PAP module to authenticate users based on their stored password
    #
    # Supports multiple encryption schemes
    # clear: Clear text
    # crypt: Unix crypt
    # md5: MD5 encryption
    # sha1: SHA1 encryption.
    # DEFAULT: crypt
    pap {
            #encryption_scheme = crypt
            encryption_scheme = md5
    }

The original post to the list is archived at http://lists.freeradius.org/pipermail/freeradius-users/2004-February/028315.html

I would appreciate any ideas anyone has on the use of MD5 encoded passwords.

Thanks,
Mike
RE: MD5 encoded password will not validate
Fellow FreeRADIUS Enthusiasts:

I have solved the riddle of my problem. The details are:

- Auth-Type := PAP does not work in user record. I added a DEFAULT record specifying Auth-Type := PAP.
- Attribute "Crypt-Password" cannot be used with rlm_pap module.
- Specifying "User-Password" with "==" operand does not work with rlm_pap; use ":=".

So to solve my problem, my users file now looks like this:

    DEFAULT Auth-Type := PAP
            Fall-Through = Yes

    mikelampson User-Password := 7288edd0fc3ffcbe93a0cf06e3568e28521687bc
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            Framed-Compression = Van-Jacobson-TCP-IP

P.S. I've successfully tested this with both MD5 and SHA1 encoding.

Cheers,
Mike

-----Original Message-----
From: Mike Lampson
Sent: Monday, February 16, 2004 2:47 PM
To: [EMAIL PROTECTED]
Subject: MD5 encoded password will not validate

Archived at: http://lists.freeradius.org/pipermail/freeradius-users/2004-February/028423.html
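A Python model of the comparison the pap module makes for each encryption_scheme, using the MD5 and SHA1 hex digests of "test123" that appear in this thread; this is an added example, not rlm_pap's own code, and the scheme names (clear, md5, sha1, from the pap section comment) and the case-insensitive hex comparison are assumptions.

```python
import hashlib
import hmac

# Constructed stored values, taken from the thread: the md5_hex and SHA1 hex
# digests of "test123" from the users-file entries, plus the clear-text form.
STORED = {"clear": "test123",
          "md5": "cc03e747a6afbbcbf8be7668acfebee5",
          "sha1": "7288edd0fc3ffcbe93a0cf06e3568e28521687bc"}

def encode(scheme, password):
    """Apply the configured encryption_scheme to a submitted User-Password.
    Only the hashlib-backed schemes from the pap section comment are modelled
    (clear, md5, sha1); Unix crypt is left out."""
    if scheme == "clear":
        return password
    if scheme in ("md5", "sha1"):
        return hashlib.new(scheme, password.encode("utf-8")).hexdigest()
    raise ValueError(f"unsupported encryption_scheme: {scheme}")

def pap_check(scheme, stored, submitted):
    """True when the submitted password matches the stored value under the
    configured scheme. Hex digests are compared case-insensitively; clear text
    is not. compare_digest keeps the comparison time independent of where the
    two strings first differ."""
    candidate = encode(scheme, submitted)
    if scheme != "clear":
        candidate, stored = candidate.lower(), stored.lower()
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))

def scheme_mismatch(configured, stored_scheme, submitted):
    """Reproduce the thread's failure mode: a stored digest produced with one
    scheme checked under another (here the server's 'type Crypt' path against
    an md5 value) can never match, however correct the digest is."""
    return not pap_check(configured, STORED[stored_scheme], submitted)
```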
Re: "lower_pass = after" problems
On 3/27/04 12:26 AM, [EMAIL PROTECTED] (Alan DeKok) wrote:

>> Do you want to remove only the "after" option (the real hack) or the
>> entire command?
>
> Both. The "after" thing runs the packet through the server twice,
> which is problematic. The "lower_pass" thing can be done in a module.

I would urge you *not* to do this. We SHA1 encrypt our lowercased, MySQL-stored passwords. We then lowercase the incoming password from the authentication request before the PAP module SHA1-encodes it for comparison. I would rather not process the incoming authentication request through an additional module prior to performing the authentication.

Regards,
_Mike
Curious behavior with huntgroups and NAS-IP-Address
Hello all,

I am seeing some curious behavior with Huntgroups and how it relates to the NAS-IP-Address attribute. This behavior is noticeable in a certain RADIUS test utility I have used. This tool sends a NAS-IP-Address attribute inside of an Authentication request.

What I see is that FreeRADIUS verifies that my true (public) IP address is in clients.conf. It then proceeds to look up my Huntgroup based on the NAS-IP-Address inside the RADIUS packet instead of the true IP address.

I first noticed this because my test utility picked up my client IP and put it into the request. This IP is NAT'ed by our firewall and shows up at the FreeRADIUS server with a public address that is correctly verified in the clients.conf file. However FreeRADIUS then looks for a Huntgroup match using the private IP address.

Is this behavior by design or is it a bug?

Thanks,
Mike
Re: Curious behavior with huntgroups and NAS-IP-Address
> If you want it to have huntgroups based on the source IP of the
> RADIUS packet, edit the huntgroups file, and change "NAS-IP-Address"
> to "Client-IP-Address".

Thanks. I missed that attribute when looking through the various examples.

Cheers,
_Mike
Question on client name and accounting
Hi all,

Quick question: I see in variables.txt that there is a 1-character variable for the client name. I wish to store the client name in the accounting record. The 1-character variable, %C, works as I would expect. However, since these variable names will be removed in a future version, I would like to use the proper variable name. Can anyone tell me what name I should use?

Thanks,
Mike Lampson
Re: Forum for freeRADIUS
Apologies if this is a duplicate e-mail. I read this mailing list in digest mode which means there is some delay between people's posting and arrival in my Inbox.

I have had good luck searching the FreeRADIUS mailing list at the following URL:

http://www.mail-archive.com/[EMAIL PROTECTED]/

The old version of the list, when it was hosted at cistron.nl, can be searched from here:

http://www.mail-archive.com/[EMAIL PROTECTED]/

Cheers,
Mike

----- Original Message -----
Message: 14
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Forum for freeRADIUS
Date: Wed, 09 Jun 2004 11:34:28 -0400
Reply-To: [EMAIL PROTECTED]

<[EMAIL PROTECTED]> wrote:
> There are a number of questions answered on previous mailing list but they
> lack good search engine & web interface.

So we should add a good search engine, not another forum.

> Lots of newbies like me keep on asking same questions again and again
> which are already answered.

I use google to search the list archives. It usually works.

Alan DeKok.