Re: users file and User-Password..
Hello Alan.

On Friday 27 May 2005 18:43, Alan DeKok wrote:
> Rok Papez [EMAIL PROTECTED] wrote:
>> I beg to differ... the users file is one of the things in freeradius that are not confusing :).
>
> It appears to be simple, but your question about User-Password shows the limitations/problems of the users file.

Which question? You are probably confusing me with Anthony :). The users file was always the clearest part of FreeRADIUS to me.

>> What is supposed to replace the users file?
>
> rlm_policy, or something similar. Yes, it is a little bit more complicated than the users file, but it's MUCH clearer as to what it's doing, and why.

I won't judge rlm_policy before I get a decent chance to try it out. But "more complicated and much cleaner" won't convince me :). Btw.: good software isn't just fast and very configurable, it's also easy and intuitive to configure and use.

>> For example I use the users file to do: ...
>
> We will NOT remove functionality from the server in future releases. We MAY change how you configure that functionality.

Thanks :-). Of course: there is nothing wrong with more than one way to skin a cat ;-))).

-- 
Best regards,
Rok Papež.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Wireless Authentication
Hello!

On Sunday 29 May 2005 19:02, Radius wrote:
> Does anyone have any links or on-line examples that show how to use FreeRadius to do 802.1x authentication?

I've sent a configuration guide to your private address.

I also have a web page with technical documentation and sample configurations for a secure wireless network using:
- Switch Catalyst 3750
- Access point Cisco AP-1231G
- OpenLDAP
- MySQL
- DHCP
- FreeRADIUS

Unfortunately it is still unavailable to the general public :-/ (and a major update is pending). I can provide you with an access user-name and password but you'll have to send me the following information (to my private address, please):
1. Your name and surname.
2. What organisation are you working for?
3. Which project do you require this information for?
4. What is your role in this project?

-- 
Best regards,
Rok Papez [EMAIL PROTECTED]
ARNES - Academic and Research NEtwork of Slovenia
http://www.arnes.si
Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 00, fax: +386 1 479 88 78
Re: users file and User-Password..
Hello Alan.

On Thursday 26 May 2005 18:25, Alan DeKok wrote:
> Anthony Hinsinger [EMAIL PROTECTED] wrote:
>> Can you explain to me what the problem is if you use the := operator and, for example, CHAP authentication? Because I imagine the CHAP module uses the password found in the config items list ... ??? no ??
>
> If it works, use it. But the users file will be deprecated in later releases, as it's just too confusing.

I beg to differ... the users file is one of the things in freeradius that are not confusing :).

What is supposed to replace the users file?

For example I use the users file to do:
1. realm rejection
2. username rejection
3. accounting with tunneled usernames
4. setting the LDAP organisational unit based on the user's realm
5. blocking other authentication methods and only allowing EAP-TTLS + PAP
6. statically entering usernames (for radius hierarchy testing, service usernames, ...)

-- 
Best regards,
Rok Papež.
Re: getting byte-in and byte-out on freeradius?
Hello Jabriel.

On Wednesday 09 March 2005 11:36, Jabriel Tezser wrote:
> Hi, I have a problem getting bytes-in and bytes-out when processing accounting to the database on freeradius. Does anybody have experience with this?

I use this to log bytes-in/out and packets-in/out + other data to the MySQL database:

CREATE TABLE ACCOUNTING (
  `User-Name`              varchar(100)     NOT NULL default '',
  `Calling-Station-Id`     varchar(100)     NOT NULL default '',
  `Client-IP-Address`      varchar(100)     NOT NULL default '',
  `Called-Station-Id`      varchar(100)     NOT NULL default '',
  `NAS-Port`               int(10) unsigned NOT NULL default '0',
  `Timestamp Start`        datetime         NOT NULL default '0000-00-00 00:00:00',
  `Timestamp Dhcp`         datetime         NOT NULL default '0000-00-00 00:00:00',
  `Timestamp Stop`         datetime         NOT NULL default '0000-00-00 00:00:00',
  `Acct-Unique-Session-Id` varchar(100)     NOT NULL default '',
  `Acct-Session-Time`      int(10) unsigned NOT NULL default '0',
  `Acct-Input-Octets`      int(10) unsigned NOT NULL default '0',
  `Acct-Output-Octets`     int(10) unsigned NOT NULL default '0',
  `Acct-Input-Packets`     int(10) unsigned NOT NULL default '0',
  `Acct-Output-Packets`    int(10) unsigned NOT NULL default '0',
  `Acct-Terminate-Cause`   varchar(100)     NOT NULL default ''
) ENGINE=MyISAM;   -- written as TYPE=MyISAM in MySQL 4; ENGINE= is the syntax accepted by all later versions

Of course you will need to check your NAS and see the actual attribute names. These are for the Cisco AP12xx.
sql.conf:

sql {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "mysql user"
    password = "mysql password"
    radius_db = "radius"

    accounting_start_query = "INSERT into ACCOUNTING SET \
        `User-Name` = '%{User-Name}', \
        `Calling-Station-Id` = '%{Calling-Station-Id}', \
        `Called-Station-Id` = '%{Called-Station-Id}', \
        `NAS-Port` = %{NAS-Port}, \
        `Timestamp Start` = NOW(), \
        `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}'"

    accounting_update_query = "UPDATE ACCOUNTING SET \
        `Acct-Session-Time` = '%{Acct-Session-Time}', \
        `Acct-Input-Octets` = '%{Acct-Input-Octets}', \
        `Acct-Output-Octets` = '%{Acct-Output-Octets}', \
        `Acct-Input-Packets` = '%{Acct-Input-Packets}', \
        `Acct-Output-Packets` = '%{Acct-Output-Packets}' \
        WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}' \
        LIMIT 1"

    accounting_stop_query = "UPDATE ACCOUNTING SET \
        `Timestamp Stop` = NOW(), \
        `Acct-Session-Time` = '%{Acct-Session-Time}', \
        `Acct-Input-Octets` = '%{Acct-Input-Octets}', \
        `Acct-Output-Octets` = '%{Acct-Output-Octets}', \
        `Acct-Input-Packets` = '%{Acct-Input-Packets}', \
        `Acct-Output-Packets` = '%{Acct-Output-Packets}', \
        `Acct-Terminate-Cause` = '%{Acct-Terminate-Cause}' \
        WHERE `Acct-Unique-Session-Id` = '%{Acct-Unique-Session-Id}' \
        LIMIT 1"
}

-- 
Best regards,
Rok Papež.
Re: getting byte-in and byte-out on freeradius?
Hello!

On Wednesday 09 March 2005 12:22, Jabriel Tezser wrote:
> Hello Papez,
> Woooww... thank you very much for your reply.. it's working now.. :)
> One question please, what is the attribute for getting bytes-out? Acct-Output-Octets? or Acct-Output-Packets?

Acct-Output-Octets

In communications the word octet is usually used to describe 8 bits.

-- 
Best regards,
Rok Papež.
Re: TTLS + PAP in LDAP for freeradius
Hello Justin.

On Thursday 24 February 2005 15:36, Justin Guidroz wrote:
> TTLS + PAP has worked for me out of the box with FreeRADIUS. The only change I have made to the EAP settings is to point FreeRADIUS to my server certificates. The server does the rest.

There is more to setting things up than just making something work. What about disabling other authentication methods? Routing of accounting packets? Anonymous username handling? Logging network usage to the database? .. and much more :).

If your attitude is "I just changed something and the software did the rest", you are better off running your freeradius under Cygwin ;))).

-- 
Best regards,
Rok Papež.
Re: TTLS + PAP in LDAP for freeradius
Hello Chan Min Wai.

On Thursday 24 February 2005 07:28, Chan Min Wai wrote:
> Does anyone have good documentation on this part?

I have some documentation (system set-up instructions). Whether it's any good for you, you'll have to judge by yourself.

> I've correctly made my freeradius work with EAP_MD5, although I need to specify the auth-type to EAP, otherwise the auth doesn't really work with EAP. (Might suspect it's a config problem.)
> But after doing the justification, I'm thinking about doing TTLS+PAP.
> Does anyone have any clue? :)))

url: http://www.arnes.si/dostop/wlan

I'm sending you the username and password in a private e-mail (the site unfortunately isn't public yet) + some more documentation in English. Anyone else interested can contact me directly/privately.

-- 
Best regards,
Rok Papez [EMAIL PROTECTED]
ARNES - Academic and Research NEtwork of Slovenia
http://www.arnes.si
Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 00, fax: +386 1 479 88 99
Re: Iffy idea engineering using freeradius :-)
On Wednesday 16 February 2005 18:48, Drew Weaver wrote:
> Thanks Alan, I'll give it a shot. The real trick I had originally was getting the source to compile on FC 3, so I ended up using RPM. So I guess I'm not that good with compilers and linkers and such. Do I need to do anything to the makefile to get it to build in the new module?

If building freeradius is a problem, but you are good with C: install the src.rpm file and make all modifications there in the spec file. No need to reinvent the wheel ;).

rpmbuild -bp freeradius.spec

... will create a BUILD directory you can modify; make modifications and create diffs. Copy the diffs into the original srpm directory and enter them into the .spec file. You can check the spec file to see how to do interim builds manually, without rpmbuild :.

rpmbuild -ba freeradius.spec

... and you'll get a new .rpm

-- 
Best regards,
Rok Papež.
Re: DHCP and FreeRADIUS accounting
Hello David.

On Wednesday 16 February 2005 10:23, David ROUMANET wrote:
> In a wireless network (EAP/TTLS), there is no way to use FreeRADIUS for dynamic IP affectation, so I use dhcpd. Unfortunately, I'm not able to have accounting with IP address == user. I will write a script to scan the dhcpd log and RADIUS accounting log, but before that I would like to be sure nobody has already done this... I don't want to re-invent the wheel ;)

I'm attaching the script.
- The script tails the DHCP log file and updates the client records with the assigned IP numbers. (freeradius is configured to log to a MySQL DB)
- Old unclosed records are checked at the AP via SNMP (we use Cisco AP12xx) to be valid. If not, they are closed.

You might also be interested in the freeradius, mysql and dhcp configurations. They are available at http://www.arnes.si/dostop/wlan. Unfortunately the pages are not open yet to the public :-( and I'll provide you with a username/password via a private e-mail. If anyone else is interested in access please contact me privately.

-- 
Best regards,
Rok Papez [EMAIL PROTECTED]
ARNES - Academic and Research NEtwork of Slovenia
http://www.arnes.si
Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 00, fax: +386 1 479 88 99

[Attachment: bio_monitor.pl (Perl program)]
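The correlation the message describes (tail the dhcpd log, match the lease to the open accounting record by client MAC, store the IP) as an added example. This is not the bio_monitor.pl attached to the original message; it is independent Python that assumes ISC dhcpd syslog lines and stands in for the MySQL rows with plain dicts keyed like the ACCOUNTING columns from the sql.conf thread above (`Calling-Station-Id`, `Timestamp Stop`, `Client-IP-Address`). The log lines and sessions are constructed sample data. The one thing it adds beyond the description is MAC normalisation: a NAS may send Calling-Station-Id as aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco-style aabb.ccdd.eeff, while dhcpd always logs colon form, so both sides are reduced to 12 hex digits before matching.

```python
"""Fill DHCP-assigned IP addresses into open RADIUS accounting records.

Added example; not the bio_monitor.pl script from the original message.
Records are dicts standing in for rows of the MySQL ACCOUNTING table;
log lines and sessions below are constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# ISC dhcpd logs an assignment as e.g.
#   "Feb 16 10:23:41 gw dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (laptop) via eth0"
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lower-case hex digits, whatever separators it used."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def parse_dhcpack(line: str) -> Optional[Tuple[str, str]]:
    """(normalised MAC, IP) for a DHCPACK line, None for any other line."""
    m = DHCPACK_RE.search(line)
    if m is None:
        return None
    return normalize_mac(m.group("mac")), m.group("ip")


def correlate(log_lines: Iterable[str], sessions: List[Dict[str, Optional[str]]]) -> int:
    """Update open sessions in place with the IP from the latest DHCPACK for their MAC.

    A session is open when its 'Timestamp Stop' is None, mirroring the rule of
    only touching unclosed records. Returns the number of records changed.
    """
    open_by_mac: Dict[str, List[Dict[str, Optional[str]]]] = {}
    for s in sessions:
        if s.get("Timestamp Stop") is None:
            open_by_mac.setdefault(normalize_mac(s["Calling-Station-Id"]), []).append(s)

    changed = 0
    for line in log_lines:
        hit = parse_dhcpack(line)
        if hit is None:
            continue
        mac, ip = hit
        for s in open_by_mac.get(mac, []):
            if s.get("Client-IP-Address") != ip:
                s["Client-IP-Address"] = ip
                changed += 1
    return changed


# Constructed sample data: two open sessions in different NAS spellings, one closed one.
SAMPLE_LOG = [
    "Feb 16 10:23:40 gw dhcpd: DHCPREQUEST for 10.1.2.3 from 00:11:22:33:44:55 via eth0",
    "Feb 16 10:23:41 gw dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (laptop) via eth0",
    "Feb 16 10:24:02 gw dhcpd: DHCPACK on 10.1.2.9 to 00:aa:bb:cc:dd:ee via eth0",
]
SAMPLE_SESSIONS: List[Dict[str, Optional[str]]] = [
    {"Calling-Station-Id": "0011.2233.4455", "Timestamp Stop": None, "Client-IP-Address": ""},
    {"Calling-Station-Id": "00-AA-BB-CC-DD-EE", "Timestamp Stop": None, "Client-IP-Address": ""},
    {"Calling-Station-Id": "00:aa:bb:cc:dd:ee", "Timestamp Stop": "2005-02-16 09:00:00",
     "Client-IP-Address": "10.1.2.7"},  # closed: must not be touched
]


def demo() -> Tuple[int, List[Optional[str]]]:
    """Run the correlation over the sample data; returns (changed, IP of each session)."""
    changed = correlate(SAMPLE_LOG, SAMPLE_SESSIONS)
    return changed, [s["Client-IP-Address"] for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    print(demo())
```

In a real deployment `correlate()` would run on each new log line from the tailed file and the dict update would become an `UPDATE ACCOUNTING SET \`Client-IP-Address\` = ... WHERE \`Acct-Unique-Session-Id\` = ...`; matching on the normalised MAC rather than the raw Calling-Station-Id string is what keeps that UPDATE from silently hitting zero rows when the AP and dhcpd disagree on formatting.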
Re: Problems with ttls using SecureW2
This debate is off-topic and I've moved it off-list.

On Tuesday 08 February 2005 14:08, Øystein Gåsdal wrote:
>> Anyway, have you been able to authenticate at a very early stage, so logon scripts can be used with SecureW2? If not, are there other supplicants that support that?
>>
>> I had no need for that, but it is documented in the new http://www.securew2.com/uk/resources/index.htm#AdvancedConfiguration users manual, see "use computer credentials".
>
> I'm sorry, but I could not find anything in that link saying something about that? Could you be more specific?
>
> Thanks again,
> - Øystein

-- 
Best regards,
Rok Papež.
Re: Problems with ttls using SecureW2
Hello Øystein.

On Monday 07 February 2005 12:54, Øystein Gåsdal wrote:
> I see that the example in the link uses PAP instead of EAP?

That is correct. We use EAP-TTLS+PAP.

> When I try to use that, the supplicant does not try to authenticate at all, except when I go to User account and write in the user credentials manually.

Do you have the network connection status icon enabled? For me, it authenticates without problems either way.

> But then SecureW2 tries to authenticate me as [EMAIL PROTECTED]/password, instead of domain\\username as it should be. Either way, I want to use the logon information, not write in the information manually. So the solution is still not working, even with the changes you suggested in eap.conf.

The eap.conf I've sent you is for the PAP configuration.

> But it works, however, if I use EAP with MSCHAP v2, but I guess that's good enough?

I believe EAP-TTLS+EAP+MSCHAPv2 is useful when you want to use the same credentials for logging into the PC and into the network.

> Anyway, have you been able to authenticate at a very early stage, so logon scripts can be used with SecureW2? If not, are there other supplicants that support that?

I had no need for that, but it is documented in the new http://www.securew2.com/uk/resources/index.htm#AdvancedConfiguration users manual, see "use computer credentials".

-- 
Best regards,
Rok Papež.
Re: Problems with ttls using SecureW2
Hello Øystein.

On Friday 04 February 2005 08:37, Øystein Gåsdal wrote:
> I think Alan wrote that the job with getting ttls to work was to set up tls properly... Freeradius works with the built-in 802.1x supplicant, so I guess that tls is in fact set up properly? In eap.conf I have unchecked these lines:
>
> ttls {
>     default_eap_type = md5
>     copy_request_to_tunnel = yes
>     use_tunneled_reply = no
> }
>
> Anyone else having this problem, or at least knows what I'm doing wrong? :)

No, EAP-TTLS is working just fine for me (FreeRADIUS and SecureW2) :). This is my eap.conf:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no

    # Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
    # a User-Name attribute in an Access-Accept, it copies one
    # more byte than it should.
    #
    # We can work around it by configurably adding an extra
    # zero byte.
    cisco_accounting_username_bug = yes

    tls {
        private_key_file = /etc/ssl/key.pem
        certificate_file = /etc/ssl/cert.pem
        CA_file = /etc/ssl/cacert.pem
        dh_file = /etc/ssl/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
    }

    ttls {
        use_tunneled_reply = yes
    }
}

And here are the instructions on how to set up the SecureW2 client (they are in Slovenian, but the screenshots are from an English Windows XP):
http://www.arnes.si/bio/nastavitve/nastavitve_secure_w2_sp2.html

-- 
Best regards,
Rok Papež.
Re: extendedKeyUsage = 1.3.6.1.5.5.7.3.1
Hello Bilal.

On Friday 19 November 2004 09:02, Bilal Shahid wrote:
> I am using FreeRADIUS to authenticate the XSupplicant using EAP-TLS. The certificates are being generated using the script CA.all. For the server certificate, the TLS Web Server OID used is 1.3.6.1.5.5.7.3.1. Now what the FreeRADIUS server is actually sending out to the client (XSupplicant) (as seen from the Access-Challenge packet dump while running the FreeRADIUS server in debug mode) is the following byte sequence:
>
> 0x08 2b 06 01 05 05 07 03 01
>
> as opposed to
>
> 0x01 03 06 01 05 05 07 03 01

Have you checked the certificate for errors? I've been using this EKU without problems with freeradius. AFAIK freeradius is not processing the certificates, but the openssl code is.

In openssl.cnf you need:

[ eku ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

And when you sign a certificate request (I use openssl directly):

openssl ca -extensions eku ...

Check the certificate with:

# openssl x509 -in krkotnik.arnes.si_cert.pem -noout -text
[...]
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
[...]

-- 
Best regards,
Rok Papež.
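The byte sequence in the question is in fact correct, and the following added example (not part of the original thread, and not FreeRADIUS or OpenSSL code) shows why. An OBJECT IDENTIFIER is DER-encoded as tag 0x06, a length byte, then the arcs: the first two arcs are packed into one byte as 40*first + second (1.3 gives 0x2b), and every further arc is written base-128 with the high bit set on all but its last byte. So 1.3.6.1.5.5.7.3.1 becomes `06 08 2b 06 01 05 05 07 03 01`; the `0x08` in the dump is the length, not an arc, and `01 03 06 01 ...` is what a naive one-byte-per-arc encoding would look like, which no X.509 implementation emits. The code encodes and decodes OIDs, builds the EKU extension value (a SEQUENCE of KeyPurposeIds) and parses one back, so the dump from the question can be checked directly; the name table maps the OIDs to the long names `openssl x509 -text` prints.

```python
"""DER OBJECT IDENTIFIER encoding, illustrated on the X.509 Extended Key Usage extension.

Added example for this thread; not code from FreeRADIUS or OpenSSL.
"""
from typing import List

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, RFC 5280
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

# Long names as printed by `openssl x509 -text`.
KEY_PURPOSE_NAMES = {
    SERVER_AUTH: "TLS Web Server Authentication",
    CLIENT_AUTH: "TLS Web Client Authentication",
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = bytearray()
    # First two arcs share one subidentifier: 40*arc0 + arc1 (1.3 -> 43 = 0x2b).
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]          # last byte has the continuation bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))    # big-endian order of 7-bit groups
    if len(body) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid; accepts only short-form lengths."""
    if len(der) < 3 or der[0] != 0x06 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated arc (continuation bit set on last byte)")
    arcs: List[int] = []
    value = 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # continuation bit clear: arc complete
            arcs.append(value)
            value = 0
    first = arcs[0]
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def eku_extension_value(*oids: str) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280 4.2.1.12)."""
    inner = b"".join(encode_oid(o) for o in oids)
    if not inner or len(inner) >= 0x80:
        raise ValueError("need 1..n OIDs fitting a short-form length")
    return bytes([0x30, len(inner)]) + inner


def parse_eku(value: bytes) -> List[str]:
    """Split an ExtKeyUsageSyntax SEQUENCE back into dotted KeyPurposeIds."""
    if len(value) < 2 or value[0] != 0x30 or value[1] >= 0x80 or len(value) != 2 + value[1]:
        raise ValueError("not a short-form DER SEQUENCE")
    oids: List[str] = []
    pos = 2
    while pos < len(value):
        if value[pos] != 0x06 or pos + 1 >= len(value):
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        end = pos + 2 + value[pos + 1]
        oids.append(decode_oid(value[pos:end]))   # raises on a truncated element
        pos = end
    return oids


def describe_eku(value: bytes) -> List[str]:
    """OpenSSL-style names for the purposes in an EKU value, OID text for unknown ones."""
    return [KEY_PURPOSE_NAMES.get(o, o) for o in parse_eku(value)]


if __name__ == "__main__":
    dumped = bytes.fromhex("06082b06010505070301")   # the bytes from the question, tag included
    print(encode_oid(SERVER_AUTH).hex(" "), "->", decode_oid(dumped))
    print(describe_eku(eku_extension_value(SERVER_AUTH)))
```

Running this on the bytes from the question prints `06 08 2b 06 01 05 05 07 03 01 -> 1.3.6.1.5.5.7.3.1`, i.e. the supplicant is being sent exactly the serverAuth EKU the `[ eku ]` section asked for; if XSupplicant still rejects the certificate the problem is elsewhere (chain, CA file, or the supplicant's EKU check), not in the encoding.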
PATCH: regular expression matching of realms.
Hello!

==

Regular expression matching in proxy.conf enables very flexible and intuitive realm proxying. It can reduce the number of realm entries:

realm company2.com {
    regexp = ^.*\.company2\.com$
    type = radius
    authhost = rad.company2.com
    accthost = rad.company2.com
}

==

I'm operating a TLD radius server and delegating certain RADIUS realms to sub-node RADIUS servers. We have built a sort of RADIUS tree structure. For example (radiator config):

<Handler Realm=/^subX\.tld$|^.*\.subX\.tld$/>
    <AuthBy RADIUS>
    [...]
    </AuthBy>
</Handler>

The subX.org.tld are usually freeradius servers that define a subX.tld and a few subsub1.subX.tld, subsub2.subX.tld, subsub3.subX.tld. This can be dangerous, because I delegate all *.subX.tld to the organisation and they delegate DEFAULT to me. So for a non-existent subsub4.subX.tld we create a RADIUS loop :.

I could:
- delegate realms strictly (too much administration on my part and too restrictive for subX operators)
- implement split horizon in the TLD server (I might do this, but I prefer to enhance free software)
- implement regexp realm matching in freeradius (this is this patch)

==

proxy.conf:

# Local realms
realm subsub1.orgX.tld {
}
realm subsub2.orgX.tld {
}
realm subsub3.orgX.tld {
}
realm NULL {
}

# this realm is matched by:
#   *.orgX.tld
#   blackhole.orgX.tld
# blackhole is handled locally (denied)
realm blackhole.orgX.tld {
    regex = ^.*\.orgX\.tld$
}

realm DEFAULT {
    type = radius
    authhost = radius.tld:1812
    accthost = radius.tld:1813
    secret = blah
    nostrip
}

==

users:

DEFAULT Realm == blackhole.orgX.tld, Auth-Type := Reject

==

This patch is based on this regex patch: http://projects.nuschkys.net/patches/

I've cleaned it up a bit and did some testing. It seems to work fine and not add overhead if no regex is used. It also makes realm proxying in freeradius very flexible and intuitive.

Appreciate any review :).
== diff -ur freeradius-1.0.1/raddb/proxy.conf freeradius-1.0.1-rlm_regexp/raddb/proxy.conf --- freeradius-1.0.1/raddb/proxy.conf 2004-02-26 17:16:32.0 +0100 +++ freeradius-1.0.1-rlm_regexp/raddb/proxy.conf2004-11-17 14:47:41.0 +0100 @@ -136,6 +136,22 @@ # secret = testing123 #} +# A realm containing a regular expression, matching anything like +# [EMAIL PROTECTED] as well as [EMAIL PROTECTED]. All +# requests with this realm will be handled locally. +# +# Please note that the regular expressions must be POSIX compatible +# and will be matched case insensitive. +# Additionally, the regexp should be the same on all servers of +# a fail-over and round-robin realm. +# +#realm company2.com { +# regexp = ^.*\.company2\.com$ +# type= radius +# authhost= rad.company2.com +# accthost= rad.company2.com +#} + # A realm entry with an optional fail-over realm. A request from # [EMAIL PROTECTED] will be sent to radius.isp2.com as [EMAIL PROTECTED], # because the 'nostrip' directive is specified for this realm. diff -ur freeradius-1.0.1/src/include/radiusd.h freeradius-1.0.1-rlm_regexp/src/include/radiusd.h --- freeradius-1.0.1/src/include/radiusd.h 2004-09-09 16:31:06.0 +0200 +++ freeradius-1.0.1-rlm_regexp/src/include/radiusd.h 2004-11-17 14:47:41.0 +0100 @@ -35,6 +35,10 @@ #include arpa/inet.h #endif +#ifdef HAVE_REGEX_H +#include regex.h +#endif + #include missing.h #define NO_SUCH_CHILD_PID (child_pid_t) (0) @@ -139,6 +143,10 @@ int acct_active; time_t acct_wakeup; int ldflag; +#ifdef HAVE_REGEX_H + regex_t *regex; +#endif + struct _realm *next; } REALM; 
@@ -328,6 +336,7 @@ void clients_free(RADCLIENT *cl); /* files.c */ +intrealm_find_cmp(const REALM *rlm, const char *realm); REALM *realm_find(const char *, int); REALM *realm_findbyaddr(uint32_t ipno, int port); void realm_free(REALM *cl); diff -ur freeradius-1.0.1/src/main/files.c freeradius-1.0.1-rlm_regexp/src/main/files.c --- freeradius-1.0.1/src/main/files.c 2004-04-06 22:43:49.0 +0200 +++ freeradius-1.0.1-rlm_regexp/src/main/files.c2004-11-17 14:47:41.0 +0100 @@ -33,6 +33,10 @@ # include netinet/in.h #endif +#ifdef HAVE_REGEX_H +# include regex.h +#endif + #include stdlib.h #include string.h #include netdb.h @@ -314,6 +318,12 @@ while(cl) { next = cl-next; +#ifdef HAVE_REGEX_H + if (cl-regex != NULL) { +
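Review bot: the option is spelled `regexp =` in the new proxy.conf comment block (`#   regexp = ^.*\.company2\.com$`) but `regex =` in the blackhole.orgX.tld example in the message, so one of the two will be rejected or silently ignored by the parser; pick one spelling and use it in both the shipped comment and the examples. The same comment says the expression "must be POSIX compatible" and is matched case-insensitively but leaves out two things a deployer needs: whether basic or extended syntax is compiled (the `|` alternation in the Radiator example only works under REG_EXTENDED), and in what order realms are tried once a regexp realm coexists with exact entries and DEFAULT, since the blackhole trick in the message only works if `subsub1.orgX.tld` is matched before `^.*\.orgX\.tld$`.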
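Review bot: `regex_t *regex` is added to REALM only under `#ifdef HAVE_REGEX_H`, but the `realm_find_cmp()` prototype is unconditional and nothing in the visible hunks shows how a `regexp =` line is handled on a build without regex.h; if it is ignored, `^.*\.orgX\.tld$` becomes an ordinary realm name that never matches and those requests fall to DEFAULT, which is exactly the proxy loop the patch sets out to prevent. Make the config parser fail at startup when a regexp realm is configured without regex support, and give `realm_find_cmp()` a one-line comment stating its return convention (0 on match like strcmp, or non-zero?) so callers are not left guessing.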
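Review bot: the realm_free() hunk in files.c is cut off right after `if (cl->regex != NULL) {`; whatever follows has to call `regfree(cl->regex)` before `free(cl->regex)`, because a compiled `regex_t` owns heap memory of its own that `free()` on the pointer alone leaks on every realm_free().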
Re: Cisco accounting problem
Hello Mario.

On Saturday 07 August 2004 11:09, Mario Duve wrote:
> I have here a Wireless Cisco Aironet 1200 Access Point.

You _really_ should also append the output of these commands to your message:

sh ver
sh run | inc aaa

> The problem is, the AP sends only the AcctSessionTime in Accounting Update/Stop Requests. But the AP sends no AcctInputOctets or AcctOutputOctets accounting information.

A quick search with the bug toolkit on www.cisco.com finds this:

CSCee77277 Bug Details
Headline: RADIUS Accounting is incomplete: missing attributes
Product: c1200
Model:
Component: c1200-sw
Duplicate of:
Severity: 3
Status: Resolved
First Found-in Version: 12.2(15)JA
First Fixed-in Version:
Release Notes:
Symptom: RADIUS Accounting information is not complete: the following attributes are missing:
- Acct-Input-Octets
- Acct-Output-Octets
- Acct-Input-Packets
- Acct-Output-Packets
Conditions: Using Cisco IOS 12.2(15)JA. This was working fine before.
Workaround: Use previous software image.

> Can anybody help me ???

Yes :. Somebody probably can :)

-- 
Best regards,
Rok Papež.
Re: Modify User-Name
Hello Sergei.

On Tuesday 27 July 2004 10:25, Sergei Koveshnikov wrote:
> Can I modify User-Name in the users file? Something like this:
>
> DEFAULT User-Name =~ "(testlogin)#(12345)"
>         User-Name = `%{1}`

Have a look at rlm_attr_rewrite: ./man/man5/rlm_attr_rewrite.5

-- 
Best regards,
Rok Papež.
Re: EAP/TTLS w/ PAP (tunnel) works, w/ EAP (tunnel) it doesn't
Hello Kaspar.

Kaspar Landsberg writes:
> The problem was that I didn't really know how to rectify it. But now, I got the EAP frame inside the tunnel to be handled as such (by fine-tuning the users file :).

You should attach your fine-tuned users file ;).

> modcall[authorize]: module "preprocess" returns ok for request 5
> rlm_eap: EAP packet type response id 1 length 28
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 5
> users: Matched DEFAULT at 222

What is in your users file at line 222?

> modcall[authorize]: module "files" returns ok for request 5
> modcall: group authorize returns updated for request 5
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/md5
> rlm_eap: processing type md5
> OK.. EAP found MD5
> rlm_eap_md5: User-Password is required for EAP-MD5 authentication

You obviously didn't set the user password.

> How can I tell freeradius to perform a system password lookup when EAP (in this case EAP/MD5 in the tunnel) is used (if this makes sense at all (if not, why doesn't it?))?

You have to set the user aptest with a User-Password entry in your users file.

> DEFAULT User-Password == test123

Wrong.

> DEFAULT User-Password == System

No :). What you need is:

aptest User-Password == test123

-- 
Best regards,
Rok Papež.
Re: EAP/TTLS w/ PAP (tunnel) works, w/ EAP (tunnel) it doesn't
Hello Kaspar.

Kaspar Landsberg writes:
> I successfully set up a WLAN/radius system with a Cisco AP-1100, Windows XP (securew2) and freeradius v1.0.0-pre3 using EAP/TTLS with PAP inside the tunnel. But trying to use the same system with EAP/MD5 inside the tunnel instead of PAP (as suggested in the eap.conf file) gives me the following error:
>
> --- radiusd -xx ---
> [...]
> TTLS: Got tunneled request
>         EAP-Message = 0x0200000b01617074657374
>         Message-Authenticator = 0x00000000000000000000000000000000
>         FreeRADIUS-Proxied-To = 127.0.0.1
> TTLS: Got tunneled identity of aptest
> TTLS: Setting default EAP type for tunneled EAP session.
> TTLS: Sending tunneled request
>         EAP-Message = 0x0200000b01617074657374
>         Message-Authenticator = 0x00000000000000000000000000000000
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "aptest"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok for request 4
> rlm_eap: EAP packet type response id 0 length 11
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 4
> users: Matched DEFAULT at 222
> users: Matched DEFAULT at 225
> modcall[authorize]: module "files" returns ok for request 4
> modcall: group authorize returns updated for request 4
> rad_check_password: Found Auth-Type EAP
> rad_check_password: Found Auth-Type System
> Warning: Found 2 auth-types on request for user 'aptest'
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
> rlm_unix: Attribute "User-Password" is required for authentication.
> modcall[authenticate]: module "unix" returns invalid for request 4
> modcall: group authenticate returns invalid for request 4
> auth: Failed to validate the user.
> Login incorrect: [aptest] (from client localhost port 0)
> TTLS: Got tunneled reply RADIUS code 3
> TTLS: Got tunneled Access-Reject
> [...]
>
> I suppose that my users file is not correctly set up for EAP/TTLS with EAP/MD5 inside the tunnel:

SecureW2 supports EAP-TTLS-PAP and EAP-TTLS-EAP-(Windows EAPs), in your case EAP-TTLS-EAP-MD5. Please read the logfiles again: they clearly state you are having an EAP inside a tunnel and complain about the double Auth-Type setting (EAP and System).

> (anonymous is the UID used by securew2 for the outer identity.)
>
> --- users ---
> anonymous
>
> DEFAULT Freeradius-Proxied-To == 127.0.0.1
>         Fall-Through = yes
>
> DEFAULT Auth-Type += System
> --- users ---
>
> I'm pretty sure I'm missing something rather basic and simple. But up to now, this something has managed to escape my attention... :)

-- 
Best regards,
Rok Papež.
Re: question EAP-TTLS/MSCHAPv2
Hello Alan, David.

David, you really should ask Alfa & Ariss about their product details, not the FreeRADIUS developers.

Alan DeKok writes:
> [EMAIL PROTECTED] wrote:
>> Does SecureW2 (1.0.9) support only PAP?
>
> AFAIK: Yes.

2.x supports EAP and the Windows EAP module (EAP-TTLS-EAP-xxx).

>> Is it possible to do authentication with EAP-TTLS/MSCHAPv2 or EAP-TTLS/MD5 (not EAP-TTLS/EAP-MSCHAPV2 ...) with SecureW2 as client?
>
> AFAIK: No.

But EAP-TTLS-EAP-MD5, EAP-TTLS-EAP-PEAP, EAP-TTLS-EAP-MSCHAPv2 and EAP-TTLS-EAP-TLS should be supported.

> Do they have a web page describing the features of the product?

http://www.securew2.com/uk/resources/securew2/v2/SecureW2%20Client%202.1%20for%20Windows.pdf

-- 
Best regards,
Rok Papež.
Case insensitive regexps
Hello!

Is it possible to do case-insensitive regular expression matching in the users file? I'd like to replace:

DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]"

with something like:

DEFAULT User-Name =~ m/^anonymous|[EMAIL PROTECTED]/i

Lower-casing all usernames is not an option ;) since case does matter, just not in this case ;))).

-- 
Best regards,
Rok Papež.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello Christophe.

Christophe Saillard writes:
>> And you set Auth-Type = EAP. DON'T DO THAT.

I do that ;). I prefer to manually set EAP when the user tries to identify as [EMAIL PROTECTED]. Users are *NOT* allowed to use any other authentication method :).

> For the moment I have a running freeradius EAP-TTLS/PAP configuration which works fine. Now I'd like to get credentials from an existing LDAP user store instead of the Freeradius users file (I store MD5 hashed passwords to have PAP compatibility).

1. It would be nice to see the relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

> But there are some particular things I need to know:
> - how do I have to store passwords in the LDAP database (because I'd like to use TTLS/PAP): crypt/MD5 hashed, clear text?

That's an LDAP thingy.. Here is an example of an LDAP entry for userPassword:

userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0

All you need is a type prefix in {...} and then a password hash. This is a perl code snippet that creates these hashes:

my $pass = '{crypt}' . crypt($plaintext_password,
    '$1$' . join('', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64,
                                                        rand 64, rand 64, rand 64, rand 64]) . '$');

The hash is the same kind as used in an /etc/shadow file. Check the crypt() man page for details.

=

And this is in my radiusd.conf file:

modules {
    pap {
        encryption_scheme = clear
    }   # this is for the files, passwords are plaintext there :)

    ldap {
        server = "localhost"
        basedn = "ou=users,dc=org,dc=tld"
        filter = "(attribWithUserName=%{User-Name})"
        start_tls = no
    }
    ...

authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

> - what do I have to put in the users file? (I know that auth-type := EAP is wrong)?

Contrary to Alan's advice O;-), I have this:

# User anonymous and [EMAIL PROTECTED] should be allowed
# activate eap for them
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]", Auth-Type := EAP

# Users with a NULL realm should be rejected
DEFAULT Realm == NULL, Auth-Type := Reject
        Fall-Through = No

# 1. Accounting fix for AP
# 2. a static username files_test for testing
# 3. LDAP authentication for local users
DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
        User-Name = `%{User-Name}`,
        Fall-Through = yes

files_test Realm == org.tld, User-Password == secret

DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's username/password to bind to LDAP. This is done with the Ldap-UserDN item.

> - if it's not possible to have TTLS/PAP authentication what else can I do (PEAP/Mschapv2 ...)?

TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and you'll need to have plaintext passwords in LDAP.

> I hope my questions are not too stupid.

Radius configuration is not simple. The documentation is still lacking and you simply have to learn as you go ;). So don't feel like you are asking stupid questions.

-- 
Best regards,
Rok Papež.
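The {crypt}$1$ value in the message is MD5-crypt, the same scheme crypt(3) produces for /etc/shadow. As an added example (not the Perl snippet from the message, and not FreeRADIUS or OpenLDAP code), the Python below implements that scheme directly rather than calling the platform crypt(), which Python's standard library no longer ships in recent versions; it generates a userPassword value with a random 8-character salt from the crypt alphabet the Perl snippet also uses, and verifies a candidate password against a stored value the way the LDAP server does on a simple bind, recomputing with the stored salt and comparing in constant time. The test password and salt are constructed; the real password behind the `$1$dK1Zl.Qp$...` hash in the message is not known and is not guessed.

```python
"""Generate and verify {crypt}$1$ (MD5-crypt) userPassword values for LDAP.

Added example; independent reimplementation of the MD5-crypt scheme used by
crypt(3) with a "$1$" salt, as stored in the message's userPassword example.
"""
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> bytes:
    """crypt's 6-bit little-endian alphabet encoding of `count` characters."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt as in FreeBSD/glibc crypt(3): returns "$1$<salt>$<22 chars>"."""
    pw = password.encode("utf-8")
    salt_b = salt.encode("ascii")[:8]            # crypt(3) uses at most 8 salt characters
    if not salt_b or any(c not in ITOA64 for c in salt_b):
        raise ValueError("salt must be 1-8 characters from [./0-9A-Za-z]")

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                        # mix in alt, 16 bytes per 16 bytes of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                                  # the odd "bit pattern" step of the original
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for r in range(1000):                       # deliberately slow stretching loop
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    encoded = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (MAGIC + salt_b + b"$" + encoded).decode("ascii")


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet, like the Perl snippet's join of rand 64 picks."""
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(length))


def ldap_user_password(password: str) -> str:
    """Value for the LDAP userPassword attribute, e.g. "{crypt}$1$dK1Zl.Qp$...". """
    return "{crypt}" + md5crypt(password, new_salt())


def verify_ldap_user_password(stored: str, candidate: str) -> bool:
    """True if `candidate` reproduces the stored {crypt}$1$ value (constant-time compare)."""
    if not stored.startswith("{crypt}$1$"):
        return False
    try:
        _, _, salt, _ = stored[len("{crypt}"):].split("$", 3)
    except ValueError:
        return False
    recomputed = "{crypt}" + md5crypt(candidate, salt)
    return hmac.compare_digest(recomputed.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    value = ldap_user_password("correct horse")   # constructed test password
    print("userPassword:", value)
    print(verify_ldap_user_password(value, "correct horse"), verify_ldap_user_password(value, "wrong"))
```

Because the server holds only this hash, PAP (cleartext inside the TTLS tunnel) is the inner method that works with it: FreeRADIUS or the LDAP bind recomputes the hash from the password the client sent. CHAP or MS-CHAP cannot be verified against an MD5-crypt hash, which is the reason given above for needing plaintext (or NT-hash) storage if MS-CHAP is wanted.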
Re: FreeRadius using PGP to authenticate users
Hi Alain.

Alain Perry writes:
>> FreeRADIUS can do challenge-response fairly easily, but you will have to write code to decide what to use for a challenge, and how to verify the response.
>
> Is this feasible as a module, or do I have to actually modify the FreeRADIUS code to do it?

A lot of freeRadius functionality is in modules; you'll have to look into ./src/modules/rlm_eap/types and create something like rlm_eap_gpg. This would be a directory for the EAP_GPG submodule.

Also, for development the freeradius-devel m.l. is available. But don't ask questions until you've studied at least one rlm_eap_* (I think md5 is the closest thing to what you want) and know some basic concepts.

AFAIK Freeradius is very easy to code for. The code is well structured and clear.

You'll have more fun ;-] with an EAP client. Your best (fastest) bet is to get it working with Xsupplicant.

-- 
Good luck,
Rok Papez.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi Christophe.

Christophe Saillard wrote:
> For the moment I use Freeradius with EAP-TTLS and it works fine... now I'd
> like to get users credentials from an existing LDAP database. The LDAP
> server sends me a valid MD5 hashed password but I think something failed in
> my users file configuration.

You should run the server in debug mode and check the output. I use this
command:

radiusd -Xxxx 2>&1 | tee logfile

> Does someone have such a working configuration ? If so, can you send a
> copy ?

modules {
    ldap {
        server = localhost
        basedn = ou=employees,dc=org,dc=tld
        filter = (PrincipalName=%{User-Name})
        start_tls = no
    }
    [...]
}

authorize {
    preprocess
    auth_log
    attr_rewrite
    suffix
    group {
        # the files also activates EAP for user anonymous
        files {
            notfound = 1
            ok = return
        }
        ldap
    }
}

authenticate {
    Auth-Type EAP {
        eap
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}

In the users file I have:

# User anonymous and [EMAIL PROTECTED] should be allowed
#
# activate eap for them
#
anonymous  Auth-Type := EAP

# Accounting fix for AP
#
# LDAP authentication for local users
#
DEFAULT    Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
           User-Name = "%{User-Name}",
           Fall-Through = yes

DEFAULT    Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := "PrincipalName=%{User-Name},ou=employees,dc=org,dc=tld", Freeradius-Proxied-To == 127.0.0.1

-- 
Best regards, Rok Papez.
LDAP in authenticate, not authorize -- connect with client user/pass
Hello!

I'm trying to configure LDAP authentication to work with the user supplied
credentials. ACLs don't allow me to browse the LDAP directory so I'd like to
authenticate the user based on a successful connection to the LDAP server with
his user/pass.

I've come up with this configuration but don't know how to insert the user
supplied username and password:

modules {
    [...]
    ldap {
        server = x.x.x.x
        identity = uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld
        password = %{User-Password}
        basedn = ou=users,dc=org1,dc=tld
        filter = (uid=%{Stripped-User-Name})
    }
}

authorize {
    # No LDAP entry here, I don't want it to browse LDAP directory.
    [...]
}

authenticate {
    eap
    Auth-Type LDAP {
        ldap
    }
    Auth-Type PAP {
        pap
    }
}

Tue Mar 23 08:41:31 2004 : Debug: modcall: entering group Auth-Type for request 4
Tue Mar 23 08:41:31 2004 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 4
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: - authenticate
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: login attempt by test1 with password test1
Tue Mar 23 08:41:31 2004 : Debug: radius_xlat: '(uid=test1)'
Tue Mar 23 08:41:31 2004 : Debug: radius_xlat: 'ou=users,dc=org1,dc=tld'
Tue Mar 23 08:41:31 2004 : Debug: ldap_get_conn: Got Id: 0
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: (re)connect to x.x.x.x:y, authentication 0
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: bind as uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld/%{User-Password} to x.x.x.x:y
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: waiting for bind result ...
Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: (re)connection attempt failed
Tue Mar 23 08:41:31 2004 : Debug: ldap_release_conn: Release Id: 0
Tue Mar 23 08:41:31 2004 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 4
Tue Mar 23 08:41:31 2004 : Debug: modcall[authenticate]: module ldap returns fail for request 4
Tue Mar 23 08:41:31 2004 : Debug: modcall: group Auth-Type returns fail for request 4
Tue Mar 23 08:41:31 2004 : Debug: auth: Failed to validate the user.
Tue Mar 23 08:41:31 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/test1] (from client localhost port 0)

As can be seen from the logs, %{User-Password} and %{Stripped-User-Name} are
not substituted in identity and password. If I enter the values (username and
pass) directly into these fields authentication works (naturally).

How is it done correctly, or doesn't rlm_ldap support this kind of LDAP
authentication ?

-- 
Best regards, Rok Papez.
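The debug output above carries the diagnosis in one line: the bind DN and password still contain the literal `%{Stripped-User-Name}` and `%{User-Password}`, so the `identity`/`password` settings were never expanded per request. The Python below is an added example, not code from the post or from FreeRADIUS: it scans constructed lines in the shape of the rlm_ldap debug output above (the `test1`, `x.x.x.x:y` values are the post's placeholders; the `cn=radius` bind line is made up) and reports two things a practitioner wants from such a log: bind attempts whose DN or password still holds an unexpanded `%{...}` xlat, and lines that print a cleartext password, which is why a `-X` log captured with `tee` has to be treated as sensitive. The working per-user bind the author settled on later appears earlier on this page, via the `Ldap-UserDN` item in the users file.

```python
import re

# Constructed sample in the shape of the rlm_ldap debug output quoted above;
# test1 and x.x.x.x:y are the post's placeholders, the cn=radius line is made up.
SAMPLE_LOG = """\
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: login attempt by test1 with password test1
Tue Mar 23 08:41:31 2004 : Debug: radius_xlat: '(uid=test1)'
Tue Mar 23 08:41:31 2004 : Debug: rlm_ldap: bind as uid=%{Stripped-User-Name},ou=users,dc=org1,dc=tld/%{User-Password} to x.x.x.x:y
Tue Mar 23 08:41:31 2004 : Error: rlm_ldap: LDAP login failed: check login, password settings in ldap section of radiusd.conf
Tue Mar 23 08:42:05 2004 : Debug: rlm_ldap: bind as cn=radius,ou=users,dc=org1,dc=tld/s3cret to x.x.x.x:y
"""

# An xlat that survived into the bind means the value was taken literally.
XLAT_RE = re.compile(r"%\{[^}]*\}")
# rlm_ldap prints "bind as <dn>/<password> to <host:port>".
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>[^/]+)/(?P<pw>.*) to (?P<server>\S+)$")
# The authenticate path prints the user's cleartext password as well.
LOGIN_RE = re.compile(r"rlm_ldap: login attempt by (?P<user>\S+) with password (?P<pw>.*)$")


def unexpanded_binds(log_text):
    """(dn, password, server) for each bind whose DN or password still holds a raw %{...} xlat."""
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and (XLAT_RE.search(m["dn"]) or XLAT_RE.search(m["pw"])):
            hits.append((m["dn"], m["pw"], m["server"]))
    return hits


def leaked_secrets(log_text):
    """('user', name) or ('bind-dn', dn) for every cleartext password printed in the log."""
    leaks = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            leaks.append(("user", m["user"]))
            continue
        m = BIND_RE.search(line)
        if m and not XLAT_RE.search(m["pw"]):   # a real password, not a leftover xlat
            leaks.append(("bind-dn", m["dn"]))
    return leaks


if __name__ == "__main__":
    for dn, pw, server in unexpanded_binds(SAMPLE_LOG):
        print(f"unexpanded xlat in bind to {server}: dn={dn!r} password={pw!r}")
    for kind, who in leaked_secrets(SAMPLE_LOG):
        print(f"cleartext password logged for {kind} {who}")
```

On the sample this flags the `uid=%{Stripped-User-Name}` bind as unexpanded and lists both the user `test1` and the constructed `cn=radius` bind DN as having their passwords in the log.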
Re: TTLS + LDAP authentication
Hello David!

David Dunn wrote:
> > You need to set Auth-Type in the users file. Since you don't, the ldap
> > module sets it to LDAP.
> OK I understand, but what Auth-Type should I set in the users file? It
> shouldn't be LDAP (I'll end up where I started). Nor PAP, as the password
> is not available before the EAP-TLS tunnel has been established and
> authentication will fail. Set to EAP, once the password is sent through
> the TLS tunnel FR still expects EAP authentication and it fails.
> Suggestions?

DEFAULT    Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
           Fall-Through = Yes

AFAIK: FR works so that after the EAP-TTLS tunnel is established it proxies
all inner RADIUS requests to 127.0.0.1 where they reenter processing.

-- 
Best regards, Rok Papez.
Re: patch -- Re: denying access to a NULL realm
Hello Chris.

Chris Parker wrote:
> > Rok Papez wrote:
> > > What is the best way to block the NULL realm ? Blocking of any realm
> > > would also be very useful if users from some other realm wouldn't be
> > > allowed to log into this network.
> > I've added a realm option that blocks a certain realm. This way I can
> > deny access for users from certain realms and when used with a NULL
> > realm, users are forced to always specify a @realm with their
> > username :).
> What's wrong with putting this in the 'users' file:
>
> DEFAULT    Realm == NULL, Auth-Type := Reject
>            Fall-Through = No

Now that you mentioned it... :)) not much, except:

1. I couldn't find this solution even after RTFMing extensively in ./doc and
   googling for it (it was easier to code the required functionality :-/)

2. You still need to configure realm NULL as LOCAL and split the
   configuration for this into two separate files.

If we have notrealm and it's actually a no-op, we can also have blocked ;)).

-- 
Best regards, Rok Papez.
Re: EAP-TTLS authentication failed
Hello Tom.

Tom Rixom wrote:
> Just a quick remark without sounding too arrogant... what we are doing is:
> EAP-TTLS-EAP-MSCHAPV2 not EAP-TTLS-MSCHAPV2. The first uses what we call
> Inner EAP, the second is using the normal MSCHAPV2 within TTLS.

What is the benefit of using Inner EAP + CHAP over normal CHAP within TTLS ?

-- 
Best regards, Rok Papez.
patch -- Re: denying access to a NULL realm
Rok Papez wrote: What is the best way to block the NULL realm ? Blocking of any realm would also be very usefull if users from some other realm wouldn't be allowed to log into this network. I've added a realm option that blocks a certain realm. This way I can deny access for users from certain realms and when used with a NULL realm, users are forced to always specify a @realm with their username :). === --- raddb/proxy.conf.orig 2004-03-08 14:08:16.0 +0100 +++ raddb/proxy.conf2004-03-08 14:11:07.0 +0100 @@ -278,6 +278,14 @@ #} # +# All users have to enter [EMAIL PROTECTED] or their access is +# blocked. +# +#realm NULL { +# blocked +#} + +# # This realm is for ALL OTHER requests. # #realm DEFAULT { --- doc/proxy.orig 2004-03-08 14:00:25.0 +0100 +++ doc/proxy 2004-03-08 14:07:02.0 +0100 @@ -67,6 +67,10 @@ user who enters '[EMAIL PROTECTED]' from being proxied if the 'foobar' realm configuration contains 'notrealm'. This function used to be called 'notsuffix', and the old syntax is still supported. + - blocked: +User access from blocked realm is denied. Usable for denying +access from the listed realm. + 2. WHAT HAPPENS --- ./src/include/radiusd.h.orig2004-03-08 13:23:44.0 +0100 +++ ./src/include/radiusd.h 2004-03-08 13:24:25.0 +0100 @@ -121,6 +121,7 @@ int striprealm; int trusted; /* old */ int notrealm; + int blocked; /* realm is blocked and user should be rejected */ int active; /* is it dead? */ time_t wakeup; /* when we should try it again */ int acct_active; --- ./src/main/files.c.orig 2004-03-08 13:33:48.0 +0100 +++ ./src/main/files.c 2004-03-08 13:34:46.0 +0100 @@ -444,6 +444,8 @@ c-notrealm = 1; if (strstr(opts, notsuffix) != NULL) c-notrealm = 1; + if (strstr(opts, blocked) != NULL) + c-blocked = 1; } c-next = NULL; --- ./src/main/mainconfig.c.orig2004-03-08 13:33:54.0 +0100 +++ ./src/main/mainconfig.c 2004-03-08 13:35:41.0 +0100 
@@ -479,6 +479,8 @@ c-notrealm = 1; if ((cf_section_value_find(cs, notsuffix)) != NULL) c-notrealm = 1; + if ((cf_section_value_find(cs, blocked)) != NULL) + c-blocked = 1; if ((t = cf_section_value_find(cs,ldflag)) != NULL) { static const LRAD_NAME_NUMBER ldflags[] = { { fail_over, 0 }, --- ./src/modules/rlm_realm/rlm_realm.c.orig2004-03-08 13:25:00.0 +0100 +++ ./src/modules/rlm_realm/rlm_realm.c 2004-03-08 13:32:46.0 +0100 @@ -212,6 +212,10 @@ * Perhaps accounting proxying was turned off. */ case PW_ACCOUNTING_REQUEST: + if (1 == realm-blocked) { + DEBUG2(rlm_realm: Realm is blocked.); + break; + } if (realm-acct_ipaddr == htonl(INADDR_NONE)) { DEBUG2(rlm_realm: Accounting realm is LOCAL.); return NULL; @@ -227,6 +231,10 @@ * Perhaps authentication proxying was turned off. */ case PW_AUTHENTICATION_REQUEST: + if (1 == realm-blocked) { + DEBUG2(rlm_realm: Realm is blocked.); + break; + } if (realm-ipaddr == htonl(INADDR_NONE)) { DEBUG2(rlm_realm: Authentication realm is LOCAL.); return NULL; @@ -353,6 +361,13 @@ } /* +* If realm is blocked, reject the request. +*/ + if (realm-blocked) { + return RLM_MODULE_REJECT; + } + + /* * Maybe add a Proxy-To-Realm attribute to the request. */ DEBUG2(rlm_realm: Preparing to proxy authentication request to realm \%s\\n, @@ -371,9 +386,9 @@ const char *name = (char *)request-username-strvalue; REALM *realm; - if (!name) - return RLM_MODULE_OK; - + if (!name) { + return RLM_MODULE_OK; + } /* * Check if we've got to proxy the request. @@ -385,6 +400,12 @@ return RLM_MODULE_NOOP; } + /* +* If realm is blocked, reject the request. +*/ + if (realm-blocked) { + return RLM_MODULE_REJECT; + } /* * Maybe add a Proxy
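Review bot: in the two rlm_realm.c hunks at @@ -212 and @@ -227 the blocked check only does `break`, so the realm is still handed back to the calling code and the actual reject relies on the later `if (realm-blocked) { return RLM_MODULE_REJECT; }` hunks; a one-line comment at each `break` saying that the caller rejects would stop a future reader from treating it as a no-op, and the test should use one form throughout (`1 == realm-blocked` here, plain `if (realm-blocked)` in the later hunks). For the `case PW_ACCOUNTING_REQUEST:` path also consider whether accounting from a blocked realm should be acknowledged and discarded rather than rejected, since an accounting packet that is rejected gets no Accounting-Response and the NAS will keep retransmitting it.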
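Review bot: the files.c and mainconfig.c hunks only ever set `c-blocked = 1` and never clear it, yet every request now tests the field; confirm that the REALM allocation zero-fills the struct (the hunks do not show it), or add an explicit `c-blocked = 0;` next to the existing `c-notrealm` handling in both parsers so the two configuration syntaxes behave the same.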
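Review bot: the hunk at @@ -371,9 +386,9 only adds braces around `if (!name) return RLM_MODULE_OK;` and removes a blank line, which has nothing to do with the blocked feature; drop it so the patch stays a single reviewable change.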
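Review bot: the doc/proxy hunk says only that user access from a blocked realm is denied; the rlm_realm.c hunk under `case PW_ACCOUNTING_REQUEST:` means accounting for a blocked realm is refused as well, and the proxy.conf comment gives the NULL-realm use (forcing users to enter user@realm), so state both here and drop the second sentence, which repeats the first.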
denying access to a NULL realm
Hello devel :)

Most of my users will be able to migrate between different realms, thus I
want to force them to use the full [EMAIL PROTECTED] string as User-Name.

I found the notrealm parameter that is documented as this:

  - notrealm: By default if a realm is matched, it will be proxied to the
    server specified. However, if you are using Replication functionality,
    you may want to override this behaviour. This option will prevent a user
    who enters '[EMAIL PROTECTED]' from being proxied if the 'foobar' realm
    configuration contains 'notrealm'. This function used to be called
    'notsuffix', and the old syntax is still supported.

However it is never used in the rlm_realm module. The behaviour is the same
whether you specify it or not: the request is not proxied but it is handled
LOCALly.

What is the best way to block the NULL realm ? Blocking of any realm would
also be very useful if users from some other realm wouldn't be allowed to log
into this network.

-- 
Best regards, Rok Papez.
Re: SSL problem
Hello Tom!

Tom Rixom wrote:
> I installed openssl-0.9.7c on a clean system (no previous openssl
> installed) and set the directories in the configure command but it seems it
> cannot find certain files and or attributes in files. When checking for
> files it for example says that it can find the openssl.h file but cannot
> find the files crypto.h, engine.h and so forth. But if I look the files are
> there...

You need to specify full paths as in:

./configure --prefix=/opt/freeradius \
    --with-openssl-libraries=/opt/openssl-0.9.7c/lib/ \
    --with-openssl-includes=/opt/openssl-0.9.7c/include/

checking for openssl/ssl.h... yes
checking for openssl/err.h... yes
checking for openssl/crypto.h... yes
checking for openssl/rand.h... yes
checking for openssl/engine.h... yes
checking for OpenSSL version >= 0.9.7... yes

Make sure the options to configure are passed exactly as above. They are not
checked!

-- 
Best regards, Rok Papez.