RE: wpa2 freeradius peap rlm_perl

2011-12-09 Thread Ray Eads

Hi.  I have discovered that my goal is possible.  However, I had to change the 
way I was thinking about the authentication.  Essentially, the rlm_perl script 
does not perform the password comparison--it only retrieves the password and 
makes it available to the mschap module. 

Summary:  Yes, you can authenticate Windows clients with WPA2 PEAP using a perl 
script.



--
Ray Eads




-Original Message-
From: freeradius-users-bounces+reads=sno-isle@lists.freeradius.org 
[mailto:freeradius-users-bounces+reads=sno-isle@lists.freeradius.org] On 
Behalf Of Ray Eads
Sent: Monday, December 05, 2011 14:30
To: 'freeradius-users@lists.freeradius.org'
Subject: wpa2 freeradius peap rlm_perl


Hi.  I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6.  I'd like to use 
freeradius to accomplish a specific authentication goal, and haven't met with 
success yet.  I'm assuming this is either because the configuration is 
difficult, or I'm trying to solve the problem the wrong way, or I don't 
understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise 
authentication to wireless devices of various makes and models.  I'd like the 
user to submit for traditional username/password authentication to the radius 
server (without a client side certificate).  I'm able to produce a yes/no 
answer with an rlm_perl script that functions as expected with a normal radius 
query.  My problem is that I haven't been able to connect that rlm script 
properly when freeradius is contacted as part of an EAP message.  

From what I can tell, my choice of Windows compatible EAP types is fairly 
limited.  I've used PEAP in the past, but only with the intended AD repository 
of passwords.  With this application, I'd like to use the rlm_perl script 
instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong 
way? I'm imagining a PEAP - rlm_perl configuration.  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
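The approach Ray describes above, as an added example that is not his script: an rlm_perl `authorize()` for the PEAP inner tunnel on FreeRADIUS 2.1.x that looks the password up and hands it to mschap instead of comparing it. The credential table, `lookup_password()` and `bare_username()` are constructed/hypothetical; the return-code values are those of the example.pl shipped with rlm_perl 2.1.x.

```perl
#!/usr/bin/perl
# Added example: rlm_perl authorize() for the PEAP/MSCHAPv2 inner tunnel.
# It does NOT check the password itself. It only places the user's known
# password in the check list so the mschap module can verify the
# MS-CHAPv2 response and derive the MPPE keys.
use strict;
use warnings;

# Return codes as defined in the rlm_perl example.pl shipped with 2.1.x
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_HANDLED  => 3,
    RLM_MODULE_INVALID  => 4,
    RLM_MODULE_USERLOCK => 5,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Hashes that rlm_perl populates for each request
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Constructed sample credential store standing in for the real lookup
# (database, flat file, ...). Clear-text is required: MS-CHAPv2 can only
# be verified against the plaintext password or its NT hash.
my %USERS = (
    'alice' => 'correct horse battery staple',
    'bob'   => 'hunter2',
);

# lookup_password($username) -> clear-text password or undef (hypothetical)
sub lookup_password {
    my ($user) = @_;
    return $USERS{$user};
}

# Windows supplicants often send the inner identity as "DOMAIN\user";
# strip the domain prefix before the lookup (hypothetical helper)
sub bare_username {
    my ($name) = @_;
    $name =~ s/^.*\\//;
    return $name;
}

sub authorize {
    my $user = bare_username($RAD_REQUEST{'User-Name'} // '');
    my $pw   = lookup_password($user);

    if (!defined $pw) {
        # Unknown user: log it and let the server reject the request
        radiusd::radlog(1, "perl: no password for '$user'")
            if defined &radiusd::radlog;
        return RLM_MODULE_NOTFOUND;
    }

    # Hand the reference password to mschap through the check list. With
    # MS-CHAP attributes in the inner request, mschap's own authorize
    # sets Auth-Type := MS-CHAP and its authenticate reads this item.
    $RAD_CHECK{'Cleartext-Password'} = $pw;
    return RLM_MODULE_UPDATED;
}
```

In sites-available/inner-tunnel, list the perl module in the authorize section ahead of mschap. The store behind the lookup must hold clear-text (or NT-hash) passwords; a salted or crypted hash cannot be used for MS-CHAPv2.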


wpa2 freeradius peap rlm_perl

2011-12-05 Thread Ray Eads

Hi.  I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6.  I'd like to use 
freeradius to accomplish a specific authentication goal, and haven't met with 
success yet.  I'm assuming this is either because the configuration is 
difficult, or I'm trying to solve the problem the wrong way, or I don't 
understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise 
authentication to wireless devices of various makes and models.  I'd like the 
user to submit for traditional username/password authentication to the radius 
server (without a client side certificate).  I'm able to produce a yes/no 
answer with an rlm_perl script that functions as expected with a normal radius 
query.  My problem is that I haven't been able to connect that rlm script 
properly when freeradius is contacted as part of an EAP message.  

From what I can tell, my choice of Windows compatible EAP types is fairly 
limited.  I've used PEAP in the past, but only with the intended AD repository 
of passwords.  With this application, I'd like to use the rlm_perl script 
instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong 
way? I'm imagining a PEAP - rlm_perl configuration.  


--
Ray Eads (re...@sno-isle.org)
Network Engineer II





RE: Policy construct for string concatenation

2011-10-15 Thread Ray Scholl
Good morning:

So, I took all of your advice - example constructs, suggestion to do a little 
testing etc. I built a duplicate server and my question still remains.

The construct I have -

  if ( clients_ldap-Ldap-Group == 
%{FreeRadius-Client-Shortname}%{'otp'}  ) {
 .
 }

My intention is to see if the active directory security group 'xyzotp' from the 
attribute on the left matched the content of the short name variable 'xyz' 
after adding/concatenating 'otp'.  When I tested, as suggested, any time the 
token was in the group it evaluated true NO MATTER what the group name really 
was.

If this isn't clear enough I will be very concise in my configuration and goals 
- just looking for a solution to wrap this up once and for all.

Thanks,

Ray


-Original Message-
From: freeradius-users-bounces+ray.scholl=security7@lists.freeradius.org 
[mailto:freeradius-users-bounces+ray.scholl=security7@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: Thursday, October 13, 2011 9:54 PM
To: FreeRadius users mailing list
Subject: Re: Policy construct for string concatenation

Ray Scholl wrote:
 You refer to them as variables – so I am assuming it cannot be a 
 constant?  I must declare a variable and assign ‘otp’?

  They're just strings.  If you've done any kind of computer programming, 
string expansion should be familiar.

  (1) take the string ...
  (2) Expand everything which looks like %{NAME}
  (3) leave everything else alone.

  Hello, my name is %{User-Name}

--

  Hello, my name is bob

  Again like most computer programming, it would have been faster for you to 
*try* a few things for yourself.  That way you learn by experience, rather than 
waiting for someone to get around to answering the posts on the list.

  Alan DeKok.



Policy construct for string concatenation

2011-10-13 Thread Ray Scholl
Good afternoon:

I was hoping to see if anyone could provide the best syntax to concatenate two 
strings being used in a comparison (policy.conf).

Synopsis:

We intend to compare an LDAP group name to a Freeradius shortname, but we want 
the shortname to be shortname ++ otp.

The existing syntax (which we believe will work) is :
if ( clients_ldap-Ldap-Group == FreeRadius-Client-Shortname)

New syntax :
if ( clients_ldap-Ldap-Group ==)

The Manpage for unlang references double quotes around variable, but one is a 
constant.  Should I declare a variable and then quote them -
FreeRadius-Client-Shortname vOTP

Thanks in advance,

Ray



RE: Policy construct for string concatenation

2011-10-13 Thread Ray Scholl
Thank you -

You refer to them as variables - so I am assuming it cannot be a constant?  I 
must declare a variable and assign 'otp'?

sOTP := 'otp'
if ( %{FreeRadius-Client-Shortname}%{sOTP} == %{clients_ldap-Ldap-Group} )  
 {

Am I correct?   Again, thanks in advance.

Ray



From: freeradius-users-bounces+ray.scholl=security7@lists.freeradius.org 
[mailto:freeradius-users-bounces+ray.scholl=security7@lists.freeradius.org] 
On Behalf Of Arran Cudbard-Bell
Sent: Thursday, October 13, 2011 1:29 PM
To: FreeRadius users mailing list
Subject: Re: Policy construct for string concatenation


On 13 Oct 2011, at 19:15, Ray Scholl wrote:


Good afternoon:

I was hoping to see if anyone could provide the best syntax to concatenate two 
strings being used in a comparison (policy.conf).


if("%{My-Var1}%{My-Var2}" == "%{My-Var3}"){

}

Left operand can be attribute ref or string, right operand must be a string. 
FreeRADIUS takes care of the type conversions...

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



[no subject]

2008-07-06 Thread Ray Stell
unsubscribe


oracle server-freeradius-ssl-ldap

2008-06-26 Thread Ray Stell
Oracle advanced security product supports external radius authentication.
I would like to use this external auth for oracle clients connecting
to an oracle db server.  The radius server would need to talk to an
external ldap over ssl.  I've installed freeradius on the db server,
but have no idea how to configure this.  Can you please get me going.

I am a complete novice.  I'm sorry to ask such an uninformed question.

Thanks.


Re: compiling free radius 1.1.7 on NetBSD

2007-08-28 Thread Ray Phillips

Thanks for your reply Alan.


  I've attempted to compile free radius 1.1.7 on a machine running

 NetBSD/amd64  without success...


  FreeRADIUS is in pkgsrc.


Yes, it is there.  I suppose I'm obstinate, but I'd like the original 
sources to be compilable without having to patch them.



If the version there isn't 1.1.7,


The 2007Q2 pkgsrc, which I think is the most recent, contains FreeRADIUS 1.1.6.


the patches will let you build it on NetBSD.


If you understand them.  :)  It looks to me as though none of the 
patches in /usr/pkgsrc/net/freeradius/patches apply to files in 
./src/modules/rlm_krb5.



  At first configure couldn't find krb5.h and make failed:

  I've fixed that in CVS head.  If it can't find krb5.h, it doesn't
build the module.


Thanks.


  so I ran configure again, explicitly telling it the path to krb5.h (with

 a freshly untar'ed source tree):


  All that does is refresh the source.  It does NOT delete any files
left over from a previous configure run.


Sorry, I meant I deleted the directory where I'd just run 
./configure, executed 'tar jxf freeradius-1.1.7.tar.bz2' and started 
again in the new freeradius-1.1.7 directory.



  % sh -c './configure CPPFLAGS=-I/usr/include/krb5 > configure.log 2>&1'

  Use CFLAGS, not CPPFLAGS.


OK.


  Could you suggest a solution to this please?

  Edit src/modules/rlm_krb5/Makefile by hand.  It's tiny.


I did actually try that but didn't mention it because I thought it 
might have been a silly approach...  I noticed 
./src/modules/rlm_krb5/Makefile contains the line


include ../rules.mak

and ./src/modules/rules.mak contains the line

$(RLM_DIR)../../../Make.inc

and ./Make.inc contains the line:

CFLAGS  = $(INCLUDE) -I/usr/include/krb5 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG


(I don't know which directory RLM_DIR is but guess that path points 
to freeradius-1.1.7/Makefile.inc ?) so I thought 
./src/modules/rlm_krb/Makefile would implicitly know to use 
-I/usr/include/krb5.  Anyway, I'll try again now...


% ls
freeradius-1.1.7.tar.bz2
% tar jxf *
% cd freeradius-1.1.7
% /usr/bin/time sh -c './configure CFLAGS=-I/usr/include/krb5 > 
configure.log 2>&1'

       33.24 real        15.51 user        16.47 sys
% vi src/modules/rlm_krb5/Makefile

change the RLM_FLAGS line to

RLM_CFLAGS = -I/usr/include/et -I/usr/include/krb5

(what's normally in /usr/include/et by the way?  I've not heard of 
that directory.)


% /usr/bin/time sh -c 'gmake > gmake.log 2>&1'
       23.74 real        14.38 user        11.71 sys
% sed -n '920,$p' gmake.log
Making all in rlm_krb5...
gmake[6]: Entering directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5'
/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/libtool 
--mode=compile gcc  -I/usr/include/krb5 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/include 
-I/usr/include/et -I/usr/include/krb5 -c rlm_krb5.c

mkdir .libs
 gcc -I/usr/include/krb5 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
-Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/include 
-I/usr/include/et -I/usr/include/krb5 -c rlm_krb5.c  -fPIC -DPIC -o 
.libs/rlm_krb5.o

rlm_krb5.c: In function 'verify_krb5_tgt':
rlm_krb5.c:96: warning: implicit declaration of function 'krb5_princ_component'
rlm_krb5.c:96: error: 'c' undeclared (first use in this function)
rlm_krb5.c:96: error: (Each undeclared identifier is reported only once
rlm_krb5.c:96: error: for each function it appears in.)
rlm_krb5.c:96: error: invalid type argument of '-'
rlm_krb5.c:105: warning: passing argument 2 of 
'krb5_kt_read_service_key' discards qualifiers from pointer target 
type

rlm_krb5.c: In function 'krb5_auth':
rlm_krb5.c:217: warning: initialization makes pointer from integer 
without a cast

rlm_krb5.c:219: warning: excess elements in struct initializer
rlm_krb5.c:219: warning: (near initialization for 'tgtname')
rlm_krb5.c:257: warning: pointer targets in assignment differ in signedness
rlm_krb5.c:258: warning: pointer targets in assignment differ in signedness
rlm_krb5.c:292: error: request for member 'length' in something not a 
structure or union
rlm_krb5.c:293: error: request for member 'data' in something not a 
structure or union
rlm_krb5.c:296: error: request for member 'length' in something not a 
structure or union
rlm_krb5.c:297: error: request for member 'data' in something not a 
structure or union

gmake[6]: *** [rlm_krb5.lo] Error 1
gmake[6]: Leaving directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5'

gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules'

gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules'

gmake[3]: *** [common] Error 2

compiling free radius 1.1.7 on NetBSD

2007-08-27 Thread Ray Phillips
I've attempted to compile free radius 1.1.7 on a machine running 
NetBSD/amd64  without success...


% uname -v
NetBSD 4.99.20 (GENERIC.MP) #0: Thu Jul  5 13:21:09 EST 2007 
[EMAIL PROTECTED]:/usr/obj/sys/arch/amd64/compile/GENERIC.MP

%

At first configure couldn't find krb5.h and make failed:

% ls -l
total 4064
-rw-------  1 ray  wheel  2063278 Aug 26 01:39 freeradius-1.1.7.tar.bz2
% tar jxf *
% cd *7
% sh -c './configure > configure.log 2>&1'
% sh -c 'gmake > gmake.log 2>&1'
% sed -n '651,670p' configure.log
=== configuring in src/modules/rlm_krb5 
(/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5)
configure: running /bin/ksh ./configure '--prefix=/usr/local' 
'--enable-ltdl-install' --cache-file=/dev/null --srcdir=.

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for krb5.h... no
checking for krb5_encrypt_data in -lk5crypto... no
checking for DH_new in -lcrypto... yes
checking for set_com_err_hook in -lcom_err... yes
checking for krb5_init_context in -lkrb5... yes
configure: creating ./config.status
config.status: creating Makefile
=== configuring in src/modules/rlm_ldap 
(/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_ldap)

% wc -l gmake.log
 985 gmake.log
% sed -n '920,931p' gmake.log
Making all in rlm_krb5...
gmake[6]: Entering directory 
`/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5'
/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/libtool 
--mode=compile gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS 
-Wall -D_GNU_SOURCE -DNDEBUG 
-I/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/include 
-I/usr/include/et -c rlm_krb5.c

mkdir .libs
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall 
-D_GNU_SOURCE -DNDEBUG 
-I/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/include 
-I/usr/include/et -c rlm_krb5.c  -fPIC -DPIC -o .libs/rlm_krb5.o

rlm_krb5.c:39:18: error: krb5.h: No such file or directory
rlm_krb5.c:40:21: error: com_err.h: No such file or directory
rlm_krb5.c:45: error: expected specifier-qualifier-list before 'krb5_context'
rlm_krb5.c:57: error: expected ')' before 'context'
rlm_krb5.c: In function 'krb5_instantiate':
rlm_krb5.c:174: error: 'krb5_context' undeclared (first use in this function)
rlm_krb5.c:174: error: (Each undeclared identifier is reported only once
%

krb5.h was present though:

% ls -l /usr/include/krb5
total 436
-r--r--r--  1 root  wheel    792 Jul  5 10:39 asn1_err.h
-r--r--r--  1 root  wheel   1934 Jul  5 10:39 base64.h
-r--r--r--  1 root  wheel   2571 Jul  5 10:39 com_err.h
-r--r--r--  1 root  wheel   2397 Jul  5 10:39 com_right.h
-r--r--r--  1 root  wheel   2875 Jul  5 10:39 getarg.h
-r--r--r--  1 root  wheel    464 Jul  5 10:39 hdb-private.h
-r--r--r--  1 root  wheel   3236 Jul  5 10:39 hdb-protos.h
-r--r--r--  1 root  wheel   3634 Jul  5 10:39 hdb.h
-r--r--r--  1 root  wheel   5593 Jul  5 10:39 hdb_asn1.h
-r--r--r--  1 root  wheel    835 Jul  5 10:39 hdb_err.h
-r--r--r--  1 root  wheel   1156 Jul  5 10:39 heim_err.h
-r--r--r--  1 root  wheel    724 Jul  5 10:39 k524_err.h
-r--r--r--  1 root  wheel   6819 Jul  5 10:39 kafs.h
-r--r--r--  1 root  wheel   1830 Jul  5 10:39 krb5-private.h
-r--r--r--  1 root  wheel  61078 Jul  5 10:39 krb5-protos.h
-r--r--r--  1 root  wheel  21060 Jul  5 10:39 krb5.h
-r--r--r--  1 root  wheel  35798 Jul  5 10:39 krb5_asn1.h
-r--r--r--  1 root  wheel   6644 Jul  5 10:39 krb5_err.h
-r--r--r--  1 root  wheel   2049 Jul  5 10:39 parse_bytes.h
-r--r--r--  1 root  wheel   2074 Jul  5 10:39 parse_time.h
-r--r--r--  1 root  wheel   2525 Jul  5 10:39 parse_units.h
-r--r--r--  1 root  wheel   4388 Jul  5 10:39 resolve.h
-r--r--r--  1 root  wheel   7457 Jul  5 10:39 roken-common.h
-r--r--r--  1 root  wheel   5050 Jul  5 10:39 roken.h
-r--r--r--  1 root  wheel   2134 Jul  5 10:39 rtbl.h
-r--r--r--  1 root  wheel   2302 Jul  5 10:39 sl.h
-r--r--r--  1 root  wheel   2324 Jul  5 10:39 ss.h
%

so I ran configure again, explicitly telling it the path to krb5.h 
(with a freshly untar'ed source tree):


% sh -c './configure CPPFLAGS=-I/usr/include/krb5 > configure.log 2>&1'
% sed -n '649,668p' configure.log
=== configuring in src/modules/rlm_krb5 
(/usr/home/ray/installers/freeradius/1.1.7/freeradius-1.1.7/src/modules/rlm_krb5)
configure: running /bin/ksh ./configure '--prefix=/usr/local' 
'CPPFLAGS=-I/usr/include/krb5' '--enable-ltdl-install' 
--cache-file=/dev/null --srcdir=.

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking

Re: Help with Cisco 1200 AP and FreeRadius

2004-12-05 Thread Ray
Same here...


Ray

- Original Message - 
From: Carl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, December 04, 2004 4:33 AM
Subject: Re: Help with Cisco 1200 AP and FreeRadius


There are no packets being passed to the Radius Server

Thor Spruyt wrote:
 Carl wrote:

 I'm using a Cisco 1200 AP and freeradius 1.0.1 for
 authentication.  I have Radius set up fine, but I
 can't get the AP to forward the packets on to the
 server.  Does anyone have any ideas?


 Use packet sniffers (like tcpdump or ethereal)







Trying to authenticate ALL users using MSCHAP/MPPE

2004-07-23 Thread Ray Van Dolson
We have a scenario in which we would like to have all our users authenticated
automatically regardless of what password they provide.

Per the faq, this is accomplished by doing:

DEFAULT Auth-Type := Accept

in the users file.

However, this does not appear to work when using MSCHAP as the Auth-Type (also
requiring MPPE encryption).  I assume this is because the response keys are
not properly generated.

I can append some attributes that are required here like the 
MS-MPPE-Encryption-Policy, but it doesn't do me much good unless valid Success,
Send and Recv-Keys are generated which only seems to occur when the Auth-Type
matches MS-CHAP.

I tried doing something like:

DEFAULT Auth-Type := MS-CHAP, Password =~ .*

But no go there either... maybe wildcards don't work with Passwords? :(

Anyways, any suggestions for allowing all users to get a valid MSCHAP/MPPE
login regardless of password?

Thanks.



Re: Trying to authenticate ALL users using MSCHAP/MPPE

2004-07-23 Thread Ray Van Dolson
Well, one is being provided by the user, I just don't want to check if it's
valid or not.  But keys could still be generated against it it would seem.

Maybe not easily though. :(

Turning out to be more difficult than I thought it would be. :-)

Thanks for the reply...

On Fri, Jul 23, 2004 at 05:05:40PM -0400, Alan DeKok wrote:
 Ray Van Dolson [EMAIL PROTECTED] wrote:
  Anyways, any suggestions for allowing all users to get a valid MSCHAP/MPPE
  login regardless of password?
   It's impossible. You need a password to generate the correct MSCHAP data.

   Alan DeKok.

