Cisco VSA hack

2006-02-02 Thread Peter Hicks
All,

I've set with_cisco_vsa_hack = yes in radiusd.conf on a box running
FreeRADIUS 1.0.4, but when running "freeradius -X", I still see accounting
packets with un-hacked Cisco-AVPair entries during debug:

 rad_recv: Accounting-Request packet from host :1636, id=198, length=292
 ...
 Cisco-AVPair = "ssid=default"
 ...

I expected to see:

 ssid = "default"

or similar.  Is this output merely the accounting request packet as it's
received, before preprocessing and the cisco_vsa_hack taking place?

A quick check of the source code leads me to suspect that the VSA hack won't
cater for pairs such as 'Cisco-AVPair = "ssid=default"', but my C knowledge
is virtually nonexistent and I may well be misunderstanding the code.

Can anyone clarify what's happening, please?  I'd be pleasantly surprised if
I'm wrong and I really can start using the contents of Cisco-AVPairs for
accounting.

Best wishes,


Peter.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Making user logins expire after a certain time

2005-10-11 Thread Peter Hicks
Hi Maq

On Tue, Oct 11, 2005 at 02:29:03PM +0100, Maqbool Hashim wrote:

> Is it possible to tell radius to expire logins after a time period?

One option which we can use with our in-house RADIUS servers is to have an
'expiry' field on the SQL table, with the authorize_check_query checking
that the login hasn't yet expired.


Peter.


Multiple VSA pairs

2005-08-31 Thread Peter Hicks
Hello

I'm using FreeRADIUS with MySQL for accounting and authentication.

From a Cisco 2651XM router, I have multiple Cisco-AVPair attributes sent in
accounting packets:

   rad_recv: Accounting-Request packet from host 192.168.167.14:1646, id=186, length=201
   Acct-Session-Id = "9E13"
   Cisco-AVPair = "isakmp-group-id=cg-ectvpn"
   Framed-IP-Address = 172.16.33.119
   Cisco-AVPair = "isakmp-initator-ip=82.104.97.16"
   User-Name = "pwh"
   Cisco-AVPair = "connect-progress=Auth Open"
   Acct-Authentic = RADIUS
   Acct-Status-Type = Start
   Cisco-NAS-Port = "FastEthernet0/1"
   NAS-Port = 1
   NAS-IP-Address = 192.168.167.14
   Acct-Delay-Time = 0

When trying to refer to these in a SQL INSERT statement for accounting
(where if the AVPair is 'isakmp-initiator-ip', it gets stripped and the
address inserted), the AVPairs overwrite each other.

Is there a workaround for this, or is the behaviour of a Cisco IOS router
'broken' for sending the same attribute twice in the same packet?

Best wishes,


Peter.
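The two problems in this thread and in the earlier "Cisco VSA hack" post are the same one seen from two sides: a Cisco NAS packs several "key=value" strings into repeated Cisco-AVPair attributes, and anything that looks the attribute up by name gets one of them. The preprocess hack creates the new attribute through the dictionary, so a left-hand name the dictionary does not know (such as ssid) is left as-is, which is what Peter suspected. The following Python is an added example, not FreeRADIUS code and not the preprocess module's implementation: it parses radiusd -X attribute lines, splits the AVPairs while keeping every value, and picks accounting columns by key. The sample text is the accounting packet from this post plus one constructed `ssid=default` line taken from the earlier thread; KNOWN_AVPAIR_KEYS is a hypothetical stand-in for the names a dictionary would know. Note that the router's own output spells the key `isakmp-initator-ip`, so any lookup has to use the string actually sent, not the spelling in the prose.

```python
"""Added example (not FreeRADIUS code): parse radiusd -X attribute lines and
split Cisco-AVPair "key=value" strings into separate attributes, keeping
duplicates instead of letting the last one win."""
import re
from collections import defaultdict

# Accounting-Request from the post, plus one constructed line
# ("ssid=default", from the earlier thread) whose key no dictionary knows.
SAMPLE_DEBUG = """\
rad_recv: Accounting-Request packet from host 192.168.167.14:1646, id=186,
length=201
   Acct-Session-Id = "9E13"
   Cisco-AVPair = "isakmp-group-id=cg-ectvpn"
   Framed-IP-Address = 172.16.33.119
   Cisco-AVPair = "isakmp-initator-ip=82.104.97.16"
   User-Name = "pwh"
   Cisco-AVPair = "connect-progress=Auth Open"
   Cisco-AVPair = "ssid=default"
   Acct-Authentic = RADIUS
   Acct-Status-Type = Start
   Cisco-NAS-Port = "FastEthernet0/1"
   NAS-Port = 1
   NAS-IP-Address = 192.168.167.14
   Acct-Delay-Time = 0
"""

# An attribute line is indented and uses " = " with spaces on both sides;
# the wrapped "length=201" header fragment therefore does not match.
ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

# Hypothetical stand-in for the attribute names a dictionary would know.
KNOWN_AVPAIR_KEYS = {"isakmp-group-id", "isakmp-initator-ip", "connect-progress"}


def parse_debug_attrs(text):
    """Return (name, value) pairs in packet order, duplicates preserved."""
    pairs = []
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the debug output's quoting
        pairs.append((name, value))
    return pairs


def split_cisco_avpairs(pairs, known_keys=None):
    """Turn Cisco-AVPair "k=v" into attribute k with value v, collecting every
    value per name in a list. With known_keys given, only keys in that set
    are split (mirroring the dictionary requirement); the rest stay as
    Cisco-AVPair. With known_keys=None every pair is split."""
    out = defaultdict(list)
    for name, value in pairs:
        if name == "Cisco-AVPair":
            key, sep, val = value.partition("=")
            key, val = key.strip(), val.strip()
            if sep and (known_keys is None or key in known_keys):
                out[key].append(val)
                continue
        out[name].append(value)
    return dict(out)


def accounting_values(split):
    """Pick the columns an accounting INSERT would want, by key rather than by
    position, so three Cisco-AVPairs cannot overwrite one another."""
    first = lambda k: split.get(k, [None])[0]
    return {
        "acctsessionid": first("Acct-Session-Id"),
        "username": first("User-Name"),
        "group_id": first("isakmp-group-id"),
        "initiator_ip": first("isakmp-initator-ip"),
    }


if __name__ == "__main__":
    parsed = parse_debug_attrs(SAMPLE_DEBUG)
    by_name = split_cisco_avpairs(parsed, KNOWN_AVPAIR_KEYS)
    for k, v in by_name.items():
        print(k, v)
    print(accounting_values(by_name))
```

Run stand-alone it prints the split attributes and the row dictionary. The point for the SQL accounting query is the last function: refer to the split attribute by its own name once it exists, rather than to Cisco-AVPair, which as a single attribute reference can only ever give back one of the three values.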


Huntgroups

2005-02-25 Thread Peter Hicks
Hello

I have a large number of Cisco routers/switches which authenticate back to
FreeRADIUS 1.0.1 on a Debian box.  At present, anyone with a RADIUS login
may log in to any of the devices.

I've been asked to set up certain users so they are only able to log in to
a subset of the devices - typically, local administrators at a site.
Working with huntgroups appears to be the simplest way to do this; however, I
can't work out how to do it.

Documentation appears a little sparse.  I'm assuming I need to assign each
user in the users file in to a group, and FreeRADIUS will take care of the
authentication.

Does anyone have a working configuration they could post here, and that I
can hack around to suit my environment?

Best wishes,


Peter.

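As an added illustration of the huntgroups approach asked about above (not a configuration posted to the list, and with a hypothetical site name, documentation-range addresses and a placeholder password): the huntgroups file tags every request from a site's devices with Huntgroup-Name, and the users file then admits the local administrator only when that tag is present, rejecting the same user from anywhere else.

```text
# raddb/huntgroups
# Every request whose NAS-IP-Address is one of these devices gets
# Huntgroup-Name = "siteA" added by the preprocess module.
siteA   NAS-IP-Address == 192.0.2.10
siteA   NAS-IP-Address == 192.0.2.11

# raddb/users
# Entries are tried in order and the first whose check items match wins.
# The first entry only matches when the request came through huntgroup
# siteA; the second catches the same user from any other device and
# rejects it. (1.0.x spells the password check item User-Password;
# later releases use Cleartext-Password.)
siteadmin   Huntgroup-Name == "siteA", User-Password == "change-me"
            Service-Type = NAS-Prompt-User,
            Cisco-AVPair = "shell:priv-lvl=15"
siteadmin   Auth-Type := Reject
            Reply-Message = "Not authorised on this device"
```

Two things to check when this does not behave: the preprocess module has to run before files in the authorize section (the default order), because Huntgroup-Name only exists once preprocess has matched the NAS address; and a site with many devices needs one huntgroups line per NAS-IP-Address, since a single entry cannot list several addresses.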


Solaris & PEAP-MSCHAP don't mix in rel 1.0.1

2004-11-07 Thread Peter Hicks
This has been raised but to let everyone know again, PEAP-MSCHAPv2 doesn't
run on Solaris 9.0 running FR 1.0.1. EAP-TLS is fine but the MSCHAP hashing
apparently fails when we try PEAP. That problem has previously been
identified on the mailing list as an issue involving the MD4 source. We
tried recompiling with v0.9.3 MD4 files (as suggested) but had no luck.

As soon as we went to Linux, PEAP-MSCHAPv2 started working.

The symptoms, in case someone else spends a week trying to get it going,
are:

1. The server sends an Access-Challenge, but the client never responds. This
occurs when the client has 'validate server certificate' checked in the
Wireless setup for WinXP.

2. If 'validate server certificate' is not checked in the Wireless setup for
WinXP then the process seems to go right through but fails at the end. The
server responds with [user/], presumably because the client
never responds to the Access-Challenge with the password hash.

There are other causes to these problems, like your certificates are bad (or
you haven't installed the rootCA on the client) but if you have Solaris
don't bother. 

Peter



RE: error authenticating wireless user

2004-10-19 Thread Peter Hicks
What did you do to import the certificate? I know it seems like a dumb
question but I have used the IE import facility yet I am getting the same
TLS_accept error as you reported. I have also tried importing .pem and .der
certificates but it hasn't made a difference.

EAP-TLS works fine so the certificates seem to be loaded properly but I am
willing to try alternative import methods. Is there a reason that TLS would
work but PEAP wouldn't?

Does anyone else have advice, from their experience?

Thanks,

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, 20 October 2004 1:37 AM
To: [EMAIL PROTECTED]
Subject: Re: error authenticating wireless user 

Hi again,

Ok so now I have the supplicants working after manually setting up the 
certificates on the clients.
What is the best way of setting up a certificate server so that this kind of
thing can be done seamlessly?
Manually adding certificates to 100's of laptops does not sound like my cup 
of tea.

Regards
Dave

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 19, 2004 5:02 PM
Subject: Re: error authenticating wireless user


> "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
>> I have it setup to use peap and all the configurations seem correct.
>> I have the shared secret set in the clients.conf for the AP and the same
>> key set on the Radius section along with the IP of the server on the AP.
>
>  Yup.  The debug log shows that everything is configured correctly.
>
>> Notice that for some reason the password is not there ?
>
>  It's using EAP, which doesn't include the password.
>
> ...
>> Sending Access-Challenge of id 134 to 192.168.0.253:1072
>
>  What's happening is that the server is going through the EAP
> conversation, and at some point, the laptop stops responding to it.
> There's not much you can do to the server to solve that problem.
>
>  Alan DEKok.
>
>




Another PEAP-MSCHAP problem

2004-10-17 Thread Peter Hicks
I have configured freeradius from scratch using the 802.1x HOWTO by Lars
Strand but I must have (not) done something. I have been looking over it for
two days and can't find where the problem lies. When I try to authenticate
it goes through TLS OK but when it comes time to check the password it
fails. I have seen some other posts that have MS-CHAP-Challenge and Response
attributes in the Access-Request packet; mine do not. Is this an indication of
the problem?

I am using the users file with no auth-type specified and it works with
radtest. I have had TLS working with Freeradius, and PEAP-MSCHAP working
with Cisco-ACS using the same client (with XP supplicant). I am using a
Cisco Aironet 1220 with 12.2(15).

Some debug info follows...

Thanks,

Peter



Here is the point where it first fails...
===
modcall: entering group Auth-Type for request 5
  rlm_mschap: Told to do MS-CHAPv2 for 180694p with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 5
modcall: group Auth-Type returns reject for request 5
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 5
modcall: group authenticate returns reject for request 5
auth: Failed to validate the user.
Login incorrect: [180694p/] (from client localhost port 0)
===
After this it sends a reject back and forth.

Here is the complete request 5...

rad_recv: Access-Request packet from host 10.1.1.1:21661, id=208, length=229
User-Name = "180694p"
Framed-MTU = 1400
Called-Station-Id = "0007.50d5.a8b3"
Calling-Station-Id = "0009.b71a.bc0f"
Service-Type = Login-User
Message-Authenticator = 0x494b12739d3cda78d9f90a0ab060e2e2
EAP-Message =
0x020700591900170301004ee71b282fe2b35f5f262bda4d952f7bc9d6
12ae8bb63a6e386988020cfe3aa9c8a93566d51a69ac2f5d0c7215693b666b4bf1c1ae816aa7
d727
aa3a4bc68d489064a7d2428e7b9ec0c9a5cbf06dd4
NAS-Port-Type = Wireless-802.11
NAS-Port = 5348
State = 0x92fbee2504f996f3a3a0d9d139ee6ee2
NAS-IP-Address = 10.1.1.1
NAS-Identifier = "B309-AP-1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "180694p", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
users: Matched 180694p at 97
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "180694p", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 7 length 89
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
users: Matched 180694p at 97
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
EAP-Message =
0x020700421a0207003d312b2ce7e14a8632c3672347d13e03c442
b31975c0f2eaa9570a2e45feb59e8a678a761139a3cd4a9b0031383036393470
  PEAP: Setting User-Name to 180694p
  PEAP: Adding old state with 30 94
  PEAP: Sending tunneled request
EAP-Message =
0x020700421a0207003d312b2ce7e14a8632c3672347d13e03c442
b31975c0f2eaa9570a2e45feb59e8a678a761139a3cd4a9b0031383036393470
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "180694p"
State = 0x3094792a04ed7cef16c2ddac7b1981cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[

RE: PEAP with MSCHAPV2 (windows xp remembers the username/password in cache)

2004-10-14 Thread Peter Hicks
No it is not possible, according to MS at least. Their article is at
http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

You could create a login script that resets the registry every time someone
logs in. You could also provide your users with a NAL object or some other
deployed mechanism to do this if they want to change credentials.

An easy way to clear the username on the fly (especially for testing) is to
use a .reg file. Create a file called UserEapInfo.reg and paste in the
following information:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Eapol\UserEapInfo]


Now double click on the file to merge it. This will delete the existing info
and you will be prompted again. I got this solution from www.jsiinc.com
and it works a treat.

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Khurram
Jahangir
Sent: Friday, 15 October 2004 12:14 AM
To: [EMAIL PROTECTED]
Subject: PEAP with MSCHAPV2 (windows xp remembers the username/password in
cache)

Hi All,

I have set up freeradius server 1.0.1 and I am using
windows XP 802.1x client. The authenticator is an HP
2524 switch. 

I have tested the setup with PEAP using MSCHAP V2 and it
worked fine for me. My problem is that I want to use
this mechanism for VLAN selection so that depending on
the username/password, the user gets the VLAN from the
freeradius server. Now the problem here is that
windows xp stores the username and password in the
cache and in case a user wants to get re-authenticated
and assigned to another VLAN, the
username/password should be entered again. I can go
in the registry and delete the file and in that case, when
I reconnect the client, I will be asked to enter the
username/password. I wonder if it is possible to tell
windows not to store the username/password in the
cache. Maybe one of you knows about this. I don't know;
maybe I can set some parameter in the radius
configuration that triggers the windows xp 802.1x
client to enter the username and password every time
the user connects the computer to the network.

Probably someone knows about an open source 802.1x
client which works for windows and linux both. I will
really appreciate any kind of help regarding this. 

Best Regards

Khurram




RE: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-14 Thread Peter Hicks
Sorry for not making the distinction. It's all Novell to me ;-) 

Any ETA? 

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sayantan
Bhowmick
Sent: Monday, 13 September 2004 7:30 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: Fwd: Re: Wireless authentication via LDAP and PEAP

>CHAP. No EAP or MSCHAP yet. 
>
Novell Radius which was bundled with NMAS / Border Manager does have
support for CHAP. Novell is working on a new FreeRadius based Radius
solution that will support all the above mentioned methods. Again
eDirectory on its own does not support CHAP,EAP,MS-CHAP.
Sayantan

>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
>Sent: Friday, 10 September 2004 10:39 PM
>To: [EMAIL PROTECTED] 
>Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP 
>
>"Sayantan Bhowmick" <[EMAIL PROTECTED]> wrote:
>>   Novell is working towards making FreeRADIUS work with eDirectory.
>> This will allow eDirectory users to authenticate via FreeRADIUS.
>
> Does eDirectory do CHAP, MS-CHAP, or EAP?
>
> Alan DeKok.




RE: Fwd: Re: Wireless authentication via LDAP and PEAP

2004-09-12 Thread Peter Hicks
CHAP. No EAP or MSCHAP yet. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, 10 September 2004 10:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Fwd: Re: Wireless authentication via LDAP and PEAP 

"Sayantan Bhowmick" <[EMAIL PROTECTED]> wrote:
>   Novell is working towards making FreeRADIUS work with eDirectory.
> This will allow eDirectory users to authenticate via FreeRADIUS.

  Does eDirectory do CHAP, MS-CHAP, or EAP?

  Alan DeKok.



RE: Wireless authentication via LDAP and PEAP

2004-09-08 Thread Peter Hicks
Jon,

I hope I am not stating the obvious to you but I think that you need
Universal Password turned on (as part of the NDBS package) to be able to use
clear-text passwords with the Novell LDAP server. I can't confirm because my
Novell Eng isn't around, but we went through a similar rigmarole. This link
has some info for configuring LDAP for eDirectory 8.6 (including clear-text
passwords):
http://www.novell.com/documentation/ndsedir86/index.html?page=/documentation/ndsedir86/taoenu/data/a5bwtyl.html

I haven't implemented FreeRADIUS yet so I can't help there, but when you do
get it going I would like to hear about it ;-)

Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 9 September 2004 5:49 AM
To: [EMAIL PROTECTED]
Subject: Re: Wireless authentication via LDAP and PEAP 

"Jon Stahler" <[EMAIL PROTECTED]> wrote:
> Since version 6 of Netware, Novell has an LDAP server running on the
> Netware OS that stays sync'd with eDirectory.

   I'm not familiar with their implementation.  You went back
and forth in terminology between LDAP & eDirectory, and talked about
them like they were identical.  I'm sorry I assumed eDirectory was an
LDAP server.

>   This LDAP server is what I am attempting to authenticate against,
> not the eDirectory itself.

  No, you don't want to do that.  Please READ my messages.

  For the third time, LDAP stores passwords.  It doesn't do
authentication.  FreeRADIUS does authentication.  It doesn't store
passwords.

  If you have clear-text passwords configured in your LDAP database
for a user, then the server WILL WORK.  Please try it.

  Alan DeKok.



EAP-MSCHAPV2 - LDAP authentication

2004-08-14 Thread Peter Hicks
At the moment I use Cisco ACS to authenticate against eDirectory LDAP
servers. I would like to use PEAP (EAP-MSCHAP) if possible due to the
widespread availability of the 802.1x supplicant in Windows. Unfortunately
ACS does not support PEAP->LDAP authentication.
 
Before I start working with another AAA product I would like a better
understanding of whether I can do it and how I can get it working. I found a
reference to CHAP and LDAP in the FreeRADIUS FAQ (#5.11). I get the
impression that if the LDAP module is configured to get a clear-text
password, then the CHAP module can use it to do the hashing and handshaking.
Is this the same for MSCHAP?
 
Another alternative I am exploring is to find an MSCHAP front-end for the
LDAP server.
 
Any thoughts?
 
Peter Hicks

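The question above, and Alan DeKok's point in the earlier thread that LDAP stores passwords while FreeRADIUS does the authenticating, come down to one derivation: MS-CHAPv2 is computed over the NT hash of the password, which is MD4 of the password in UTF-16LE. If the directory returns the clear-text password (or the NT hash itself), the server can derive that and run the exchange; if it returns only a one-way {SHA} or {CRYPT} digest, no module can recover the NT hash from it. The following Python is an added example, not FreeRADIUS, Novell or Cisco ACS code: it implements MD4 from scratch (RFC 1320, with its published test vectors), derives the NT hash, and reports which stored-credential forms would let the server do MS-CHAP. The password "password" and the scheme prefixes are illustrative inputs; the vector check is also the kind of test that would have exposed the broken MD4 build described in the Solaris thread.

```python
"""Added example (not FreeRADIUS code): why MS-CHAP needs the clear-text
password or its NT hash from the directory. MD4 is written out from RFC 1320
so it can be checked against known vectors on any platform."""
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)   # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)               # 64-bit little-endian length
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, word order, shift amounts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[w] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step updates the next one
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


# RFC 1320 test vectors: a build whose MD4 disagrees here cannot do MS-CHAP.
MD4_VECTORS = {
    b"": "31d6cfe0d16ae931b73c59d7e0c089c0",
    b"abc": "a448017aaf21d8525fc10ae87aa6729d",
    b"message digest": "d9130a8164549fe818874806e1c7014b",
}


def md4_self_test() -> bool:
    return all(md4(m).hex() == digest for m, digest in MD4_VECTORS.items())


def nt_hash(password: str) -> bytes:
    """NT-Password as the mschap module needs it: MD4 over UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


# Conventional one-way userPassword schemes; illustrative list, not exhaustive.
ONE_WAY_SCHEMES = ("{SHA}", "{SSHA}", "{CRYPT}", "{MD5}", "{SMD5}")


def mschap_capable(stored_password: str):
    """Given a userPassword value as a directory might return it, report
    whether the server could run MS-CHAP with it and the NT hash it would use.
    A value with a one-way scheme prefix is unusable: nothing can turn a SHA or
    crypt digest back into the NT hash. Anything else is treated as clear-text."""
    if stored_password.upper().startswith(ONE_WAY_SCHEMES):
        return False, None
    return True, nt_hash(stored_password).hex()


if __name__ == "__main__":
    print("md4 self-test:", md4_self_test())
    print("NT hash of 'password':", nt_hash("password").hex())
    for stored in ("password", "{SSHA}b3Jhbmdlc2FuZHBlYXJz"):
        print(stored, "->", mschap_capable(stored))
```

The practical reading for the eDirectory case in the earlier thread is that "Universal Password" or an equivalent clear-text retrieval path is not optional for PEAP-MSCHAPv2: CHAP and MS-CHAP both need the server to hold something it can hash itself, and a directory that only hands back {SSHA} digests leaves the mschap module nothing to compute the response from.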