RE: Best way to capture RADIUS passwords

2012-11-09 Thread Sallee, Stephen (Jake)
> Am I going about this the wrong way?

Yes, yes you are.

#1) You will REALLY want to check your local laws, you may have just committed 
from a class B misdemeanor to a class C felony. Here is a link for states in 
the US:
http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws

#2) It is almost always simpler to get the user to reset their password

#3) A tcp dump will not give you all the info you need to crack a PW depending 
on the encryption method in use.

To summarize:

Don't crack user's passwords without the backing of a bunch of high paid 
lawyers and metric ton of signed notarized paperwork saying that the parties 
involved have given you specific permission to do so.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Chris Taylor
Sent: Friday, November 9, 2012 1:37 PM
To: freeradius-users@lists.freeradius.org
Subject: Best way to capture RADIUS passwords

I am migrating from one RADIUS setup that checks against a flat file with 
usernames and passwords inside it, over to a RADIUS server with an LDAP 
backend. I have used JTR to crack most of the passwords but I still have some 
left over that JTR can't crack.

I was thinking of trying to run a packet capture to get the remaining usernames 
and passwords. What would be the best way to do this? Run RADIUS in debug mode 
Radius -X? Or try to use tcpdump and pick it up that way or is it even possible 
to do? I have been trolling the internet for a few days and have not come up 
with a good way to do it.

I set up tcpdump to dump to a file (tcpdump -i eth0 -n -s0 port radius -w 
rad-capture.lpc), but when I check it out with Wireshark I am unable to see 
the password (just the username). Am I going about this the wrong way?

Thanks,

Chris


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: freeradius LDAP error

2012-05-03 Thread Sallee, Stephen (Jake)
... did you set a default auth type?  A lot of old how-to docs have you do this 
as a test to see if FR is working ... but it is easy to forget to undo when 
you're done.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of dhanushka ranasinghe
Sent: Thursday, May 03, 2012 10:57 AM
To: FreeRadius users mailing list
Subject: freeradius LDAP error

hi guys

I'm getting this error when RADIUS is authenticating with LDAP. Is there any way 
to sort the issue?

# Executing group from file /etc/freeradius/sites-enabled/default
Thu May  3 11:50:26 2012 : Info: +- entering group PAP {...}
Thu May  3 11:50:26 2012 : Info: [pap] ERROR: You set 'Auth-Type = PAP' for a request that does not contain a User-Password attribute!
Thu May  3 11:50:26 2012 : Info: ++[pap] returns invalid
Thu May  3 11:50:26 2012 : Info: Failed to authenticate the user.

Thank You
Dhanushka


RE: Authentification

2012-03-05 Thread Sallee, Stephen (Jake)
Can you paste the output of radiusd -X?  Please don't use -XX, we don't need 
timestamps.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] on behalf 
of Javier Ruiz Escalante [fruiz...@hotmail.com]
Sent: Monday, March 05, 2012 9:03 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: Authentification

Thank you very much, but the password is "testsecret". I don't know why it 
shows this strange password; I don't know if it is related to port 443, as 
in the server console it is working perfectly with the password "testsecret".

Thanks!!

Regards



Javier Ruiz Escalante
Teléfono: 00 34 512 700 524

Skype: fruiz002



> Date: Mon, 5 Mar 2012 06:46:01 -0800
> From: whope...@vocollect.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Authentification
>
> Hi,
> NOTE the section here:
>
> > User-Name = "mysqltest"
> > User-Password = "O%:snv\nB\334Ξ\300H\035\235e"
>
> And here
>
> > Mon Mar 5 12:36:33 2012 : Info: [pap] login attempt with password "O%:snv
> > B��?�H??e"
> > Mon Mar 5 12:36:33 2012 : Info: [pap] Using clear text password
> > "testsecret"
> > Mon Mar 5 12:36:33 2012 : Info: [pap] Passwords don't match
>
> The password that the client is sending and the one listed in the DB are
> different. You will need to fix the client password or update the DB.
>
> --Ward
>
>


RE: Double-check the shared secret on the server and the NAS!

2012-03-05 Thread Sallee, Stephen (Jake)
> I have no idea which files to check even though the message is clear.

Did you set up this server or did someone else?  The NAS is a client to the 
FreeRADIUS server; normally these are set up in clients.conf.

Also, keep in mind that your password will be sent over the network as text and 
processed as text, so using special characters that evaluate to keystrokes 
(like ^ + M) is likely to cause you trouble. Hence the unprintable warning.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] on behalf 
of Javier Ruiz Escalante [fruiz...@hotmail.com]
Sent: Monday, March 05, 2012 8:53 AM
To: freeradius-users@lists.freeradius.org
Subject: Double-check the shared secret on the server and the NAS!


Sorry,

I have no idea which files to check even though the message is clear.

Thanks in advance.

Best regards


Javier Ruiz Escalante
Teléfono: 00 34 512 700 524

Skype: fruiz002



> Date: Mon, 5 Mar 2012 14:34:21 +
> From: p.may...@imperial.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Authentification
>
> On 05/03/12 13:55, Javier Ruiz Escalante wrote:
> > Good afternoon,
> >
> > I'm new in Radius and I have no clue what happens, can anybody help me?
> > from the server in the command line works fine, from the wireless client
> > get this one.
> >
>
> > Mon Mar 5 12:36:33 2012 : Debug: WARNING: Unprintable characters in the
> > password. Double-check the shared secret on the server and the NAS!
>
> This message should be clear, no?


RE: LDAP Binding

2012-02-10 Thread Sallee, Stephen (Jake)
If you are looking to assign users network permissions, may I suggest you look 
into the open source enterprise NAC called PacketFence; we are using it with 
great success.

No use reinventing the wheel, especially when you can get a really tricked out 
wheel for free : )

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] on behalf 
of Alan DeKok [al...@deployingradius.com]
Sent: Friday, February 10, 2012 3:37 PM
To: FreeRadius users mailing list
Subject: Re: LDAP Binding

NdK wrote:
> Can't create "users" in AD. Just machine accounts.

  That's a local policy which can be changed.

  AD is perfectly capable of creating read-only administrator accounts.
 It's what everyone else does.

> Maybe it's possible
> to use the (or "a dedicated") *machine* account credentials?

  No.

> Reading FR docs it seems it's something to avoid whenever possible.
> Since there's an internal ldap module, I thought it could be possible to
> use it.

  Yes.

> I need to determine if/what to return in 'access-accept' when an user
> authenticates to a switch.

  See the switch documentation for what to return in an Access-Accept.
Every switch vendor has their own idea of what is "normal".

> - students (determined by *domain* membership) receive a VLAN membership
> - administrators (determined by *domain* and *group* membership) receive
> *no* VLAN memberships (so they can access all the VLANS configured for
> that switch port, as said on the wiki for HPs)
> - "regular" users receive VLAN membership for a different VLAN than
> students (preventing 'em to tamper with administration VLAN)

  That should all be straightforward.  Write a shell script which
implements those rules.  Test it.  Port the same rules to the internal
FreeRADIUS LDAP module && unlang.

  Alan DeKok.


Changing MTU value for EAP Session error

2012-01-10 Thread Sallee, Stephen (Jake)
I have read on the list and the FR wiki that decreasing the MTU value for the 
tunnel can help alleviate the pesky "EAP session did not finish" problem.  I 
would like to try this as I am getting the same issue on iOS and Android based 
phones using the default certs FR ships with.

However I cannot find where to specify the MTU value. I assume it is in the 
inner-tunnel virtual server, but my google-fu is weak today and I cannot find any 
instructions.  I see several messages on the list saying that it should be done 
but none actually explaining HOW.

Someone please point me in the correct direction.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221



RE: Distributing Certificates

2012-01-06 Thread Sallee, Stephen (Jake)
It may be a misunderstanding on my part but I believe any encrypted protocol 
would need a cert of some sort.  PEAP is an encrypted tunnel, thus you will need 
a cert.  FR will generate its own certs for testing but for production you 
should generate your own.  We are making the move to 802.1x in the next few 
months and will be using a self-signed cert on the FR server and deploying it 
to the users' machines via a third party tool from a company called cloud path.

Suffice it to say that windows Vista and beyond MUST have the server cert 
installed or be configured to ignore server certs before you can use any 
encrypted protocol (such as, PEAP).  It WILL NOT work out-of-the-box!  XP would 
show you a dialogue box with a warning but that functionality is gone in Vista 
and 7.

Mac OS and Linux will still allow you to download the cert and install it on 
first use; Windows will not.

Your problem is going to be distributing the server cert to the clients, NOT 
distributing client certs (unless you are using EAP/TLS or the like). As 
mentioned before, AD makes this easy via GPO / login scripts.  However, if your 
clients are not part of your domain then you have very few choices.

1) Roll your own program to install the cert for them
2) Buy a solution to install the cert (like cloud path)
3) issue instructions to the clients and have them install the certs manually
4) go around and install all the certs your self

There are pros and cons for each.  BTW, for security reasons you should use a 
self-signed cert; that being the case you can make the cert valid for 99 years, 
then revoke it when you have time to redistribute them ; )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of McSparin, Joe
Sent: Friday, January 06, 2012 3:07 PM
To: FreeRadius users mailing list
Subject: RE: Distributing Certificates

I don't have any particular desire to use certificates; thus far, in testing mode, 
I have been using PEAP and just ignoring the warning that tells me there is a 
certificate on the server that doesn't match.  I assumed in deployment I would 
have to install certificates so the users wouldn't be confused when they saw 
that message.  I thought that FreeRADIUS had to have certificates set up even 
if they were just example ones.  radiusd -X runs bootstrap, which creates 
example certificates automatically.  This led me to believe that certificates 
were somehow integral to 802.1x.  Is that not the case?  If so, how can you take 
certificates completely out of the equation?


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: 
freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
 On Behalf Of David Mitton
Sent: Friday, January 06, 2012 12:44 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Distributing Certificates

You can do such things as suggested... but you haven't articulated what your 
goal is and what you will be using the certificates for?
802.1X doesn't "require" certificates... but you may want to use them depending 
on what you are trying to do.

Dave.


Quoting "Danner, Mearl" :

> If you are using AD and have a CA set up you can create   
> autoenrollment gpo's for domain attached machines. You can issue   
> either user or computer certs. Can also configure the Windows   
> wireless supplicant via gpo.
>
> Mearl
>
> From:   
> freeradius-users-bounces+jmdanner=samford@lists.freeradius.org   
> [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]   
> On Behalf Of McSparin, Joe
> Sent: Friday, January 06, 2012 10:18 AM
> To: FreeRadius users mailing list
> Subject: Distributing Certificates
>
> Now that I have my Radius server configured I need to begin   
> implementation I have 600 computers that will be using it.  The   
> question I am wondering is do I have to go around and install a   
> certificate on every one of the computers and then maintain that   
> every year changing out the certificate on 600 computers or is there  
>  some way that the server passes out certificates when the machine   
> logs on.  Or do I have an incorrect understanding of how to   
> implement 802.1x security.
> Joseph R. McSparin
> Network Administrator
> Hill Country Memorial Hospital
> 830 990 6638 phone
> 830 990 6623 fax
> jmcspa...@hillcountrymemorial.org
>

RE: Connection Lost, tls resumption error

2011-11-30 Thread Sallee, Stephen (Jake)
To save others the trouble I will ask the obvious:

1) what does the RADIUS debug log say, please post it here IN FULL, do not clip 
out the portion you think you need.

2) have you checked the config on the client and the AP?  

3) What part of this problem do you think is a RADIUS issue, and why?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Andreas Rudat
Sent: Wednesday, November 30, 2011 8:25 AM
To: FreeRadius users mailing list
Subject: Connection Lost, tls resumption error

Hi,

in my environment I have three APs running, all with the same ESSID. After a 
while the connection seems lost and a reconnection starts to another AP, and 
then I get the resumption error, but I have no idea why I lost the connection. 
No errors in the radius debug, and good reception is given.
The resumption error can only be avoided by restarting the wireless device.

Thanks



RE: LDAP/MSCHAP

2011-11-10 Thread Sallee, Stephen (Jake)
Please forgive the interjection, but does anyone know of a helper module like 
ntlm_auth that would work with LDAP? It seems like such a tool would make 
questions like this a non-issue.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Sven Hartge
Sent: Thursday, November 10, 2011 5:24 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP/MSCHAP

Whitlow, Michael  wrote:

> I am really close to a successful Freeradius implementation for 802.1X 
> wireless using LDAP authentication on the back end.

Nope, you are not very close.

You _cannot_ use any LDAP authentication (via binding with a DN to the LDAP 
server) with any CHAP authentication. This will never work. 

You cannot use LDAP as an authentication oracle here, you have to use it more 
like a database.

See http://deployingradius.com/documents/protocols/oracles.html, quote:

"An authentication oracle is a system where the RADIUS server does not perform 
the authentication itself, but instead passes the users authentication 
credentials to another system. "

This does NOT work with MSCHAP, since the RADIUS server _does not have_ the 
complete authentication credentials in this case; it is missing the password. 
The only thing it has is the hashed version, the so called "challenge".

> Here is what I have:

> -  RADTEST / clear text Freeradius password from "users" file /
> WORKS GREAT

Works because of the cleartext password.

> -  Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / clear text
> Freeradius password from "users" file / WORKS GREAT

Works because of the cleartext password.

> -  RADTEST / LDAP credentials / WORKS GREAT

Works, because this uses PAP, which does _not_ need a cleartext password on the 
RADIUS server, because radtest supplies a cleartext password itself in the 
RADIUS packet (inside attribute User-Password) and the server's ldap module 
can then use this information to bind to the LDAP server using the username and 
the supplied password from radtest.

CHAP does _not_ work like this.

> -  Windows XP 802.1X PEAP/MS-CHAPv2 wireless client / LDAP
> credentials / NO GO

Does not work, because you don't have any cleartext password in the RADIUS 
server, because your LDAP setup does not provide one.

And before you ask: no, just reading userPassword from the LDAP server will not 
help, because in 99.9% of cases this is an encrypted password, mostly hashed using SHA1.

> Here is the debug output. I have read others online with these 
> symptoms but nothing I have found yet will help me.

This is untrue. This comes up every fscking time any one tries to use LDAP and 
MSCHAP. It is a common error.

> [mschapv2] +- entering group MS-CHAP {...}

> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.

> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.

You will need to do the following:

a) set up a special user inside your LDAP tree for freeradius. This special user 
needs to have the correct permissions to read an attribute with the cleartext 
password of any user.

b) configure this special user in {confdir}/modules/ldap; search for "identity"

c) change password_attribute to the cleartext-password attribute you are using 
if it is not userPassword. (I strongly recommend using a different password 
attribute for your users, but the default is OK too, if you don't mind having 
the main password for a user being in cleartext inside your LDAP tree.)

This way FreeRADIUS logs into the LDAP server using its own credentials, 
searches for the username, reads the cleartext password and _THEN_ the
mschapv2 module is able to work.

This is the _only_ way to get MSCHAPv2 to work with LDAP.
And this has been discussed in this list every time anyone tried to tie LDAP 
and FreeRADIUS.

Grüße,
Sven.

--
Sigmentation fault. Core dumped.

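The "oracle versus database" distinction Sven draws, as an added example that is not code from the thread or from FreeRADIUS. Two stand-ins keep it runnable on a stock Python: the real NT-Password is MD4 over the UTF-16LE password (SHA-256 here), and the real MS-CHAPv2 response is DES-based (HMAC-SHA256 keyed with the NT hash here); the directory entries, attribute name ntPassword and passwords are constructed.

```python
import base64
import hashlib
import hmac


def ssha(password: str, salt: bytes) -> str:
    """A salted-SHA1 userPassword value of the kind most LDAP servers store."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def nt_hash(password: str) -> bytes:
    """Stand-in for NT-Password (really MD4 over UTF-16LE; SHA-256 here)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed directory. alice has only the usual hashed userPassword; bob also
# has an attribute (hypothetical name) holding his NT hash, which is what the
# a)-c) steps in the thread make readable to FreeRADIUS.
DIRECTORY = {
    "alice": {"userPassword": ssha("correct horse", b"\x01\x02\x03\x04")},
    "bob": {"userPassword": ssha("battery staple", b"\x05\x06\x07\x08"),
            "ntPassword": nt_hash("battery staple").hex()},
}


def ldap_bind(user: str, password: str) -> bool:
    """LDAP as an authentication oracle: the server hands over the cleartext
    User-Password from a PAP request and the directory does the comparison."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    blob = base64.b64decode(entry["userPassword"][len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def client_response(password: str, challenge: bytes) -> bytes:
    """What the supplicant puts in MS-CHAP2-Response: a function of the NT hash
    and the challenge (stand-in construction). The password never crosses the wire."""
    return hmac.new(nt_hash(password), challenge, hashlib.sha256).digest()


def verify_mschap(user: str, challenge: bytes, response: bytes) -> bool:
    """LDAP as a database: the server reads the NT hash itself and recomputes the
    response. With only a hashed userPassword it cannot, which is the
    'No Cleartext-Password configured' failure in the debug output."""
    entry = DIRECTORY.get(user)
    if entry is None or "ntPassword" not in entry:
        return False
    key = bytes.fromhex(entry["ntPassword"])
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def authenticate(user: str, request: dict, challenge: bytes) -> bool:
    """Dispatch the way the thread describes: PAP carries User-Password and can
    use the bind; MS-CHAPv2 carries only a response and needs the hash."""
    if "User-Password" in request:
        return ldap_bind(user, request["User-Password"])
    if "MS-CHAP2-Response" in request:
        return verify_mschap(user, challenge, request["MS-CHAP2-Response"])
    return False
```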


RE: AD integration

2011-10-28 Thread Sallee, Stephen (Jake)
We are actually looking into doing the same thing.

Although we are probably going to add a custom attribute that we can set to the 
vlan of our choice, that way we can find the vlan by a simple ldap query 
without adding complex logic to the server.  This to us seems the simplest 
route.  It is worth noting that we do not have this in production yet so I 
cannot vouch for its real world effectiveness.

As for getting the ldap query to work, you have already done the hard part.  
Once your server is able to auth users via ntlm the difficult part is over.  We 
have set up a special account that has almost no privileges, only access to 
search AD.  We use this account to interact with AD.

If I remember correctly, deployingradius.com has an excellent walk through on the 
initial setup; I would try there for initial config instructions.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Whitlow, Michael
Sent: Friday, October 28, 2011 3:18 PM
To: freeradius-users@lists.freeradius.org
Subject: AD integration

Hello,

I just got FreeRADIUS running on Ubuntu and have successfully configured 
integration with Active Directory using Samba and ntlm_auth.

When I run "radtest" against Freeradius and put in AD credentials, it is 
successful.

My next goal is to configure Freeradius to assign 802.1X VLANs for a wireless 
environment.

In other words, users who are a member of ADGROUP1 get assigned vlan # 111, and 
users who are a member of ADGROUP2 get assigned vlan #222.

I am unclear which direction to go to accomplish this.

Any help would be greatly appreciated.

Thanks much

Mike Whitlow
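The group-to-VLAN decision this thread is after, as an added example that is not code from the thread or from FreeRADIUS: Python stands in for the rlm_ldap lookup plus unlang, the directory entries and the custom attribute name umhbVlan are constructed, and the reply attributes are the standard RFC 3580 Tunnel-* set a switch or controller expects for dynamic VLAN assignment.

```python
# Constructed stand-in for what an LDAP query against AD returns: the user's
# memberOf DNs and, following the custom-attribute idea above, an optional
# attribute (hypothetical name umhbVlan) that carries the VLAN directly.
DIRECTORY = {
    "alice": {"memberOf": ["CN=ADGROUP1,OU=Groups,DC=example,DC=org"]},
    "bob": {"memberOf": ["CN=ADGROUP2,OU=Groups,DC=example,DC=org"]},
    "carol": {"memberOf": ["CN=ADGROUP1,OU=Groups,DC=example,DC=org",
                           "CN=ADGROUP2,OU=Groups,DC=example,DC=org"],
              "umhbVlan": ["333"]},
    "dave": {"memberOf": ["CN=Domain Users,OU=Groups,DC=example,DC=org"]},
    "erin": {"memberOf": ["CN=ADGROUP1,OU=Groups,DC=example,DC=org",
                          "CN=ADGROUP2,OU=Groups,DC=example,DC=org"]},
}

# The mapping from the question: ADGROUP1 -> VLAN 111, ADGROUP2 -> VLAN 222.
GROUP_VLANS = {"ADGROUP1": "111", "ADGROUP2": "222"}


def group_cn(dn: str) -> str:
    """Pull the CN out of a group DN such as CN=ADGROUP1,OU=Groups,DC=..."""
    return dn.split(",")[0].split("=", 1)[1]


def vlan_for(user: str):
    """Return the VLAN id for the user, or None when no policy applies.
    The custom attribute wins; otherwise exactly one mapped group must match,
    so a user in both groups without the attribute fails closed."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    if entry.get("umhbVlan"):
        return entry["umhbVlan"][0]
    hits = [GROUP_VLANS[cn] for cn in map(group_cn, entry.get("memberOf", []))
            if cn in GROUP_VLANS]
    if len(hits) != 1:
        return None
    return hits[0]


def reply_attributes(user: str):
    """The Access-Accept attributes for dynamic VLAN assignment (RFC 3580).
    None means the caller should apply its reject / default-VLAN policy."""
    vlan = vlan_for(user)
    if vlan is None:
        return None
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }
```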


RE: PEAP with Machine auth

2011-10-26 Thread Sallee, Stephen (Jake)
Ok, I have been watching your discourse from afar and I have to say this:

> This kind of Q&A thing helps no one here! ...

Two things.  Number one, he IS answering your questions.  He is just not GIVING 
you the answer.  Number two, the gentleman in question is quite possibly the 
preeminent FreeRADIUS expert in the world.  When he tells you something about 
FreeRADIUS, you should listen.

Sorry, I am not trying to be too blunt.   But when an expert speaks, you should 
listen.  This is true in any area.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Sergio NNX
Sent: Wednesday, October 26, 2011 8:47 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: PEAP with Machine auth

This kind of Q&A thing helps no one here! Many people are reporting the same 
issue on different platforms! I don't think the problem is either with the 
client or the certificates since I conducted some testing using the same client 
and the same certificates but an old FR version (1.1.7) and the tests pass. 
It's easier to blame something else but we could spend that time contributing 
to the solution and so helping others!


> Date: Wed, 26 Oct 2011 15:36:19 +0200
> From: al...@deployingradius.com
> To: 
> freeradius-users@lists.freeradius.org
> Subject: Re: PEAP with Machine auth
>
> Phil Mayers wrote:
> > Seriously - it's important to understand that the CLIENT stops
> > responding. FreeRADIUS can't do anything more in this case - the client
> > has stopped sending EAPOL packets, so the client must think that
> > something is wrong.
>
> That's the main issue people have with RADIUS. The client is in
> charge of pretty much everything, and few people understand that.
>
> Q: Why does the client stop talking to the server?
> A: Because it doesn't like the response from the server
>
> Q: OK... *what* part of the response doesn't it like?
> A: Go ask the client
>
> Q: But I can't! What do I do?
> A: well... we don't know, either. Go ask Microsoft.
>
> > You will have to debug the client. This is very very painful on Windows;
> > it's hard to even find the EAPOL debugging options, let alone interpret
> > the results.
>
> Yes. Everyone reading this list should understand CLIENT issues cause
> you to debug the CLIENT.
>
> If the server returns the wrong thing... you can fix the server. Fort
> pretty much everything else, blame the client.
>
> Alan DeKok.


RE: same pool_key

2011-09-23 Thread Sallee, Stephen (Jake)
I am sorry, but if you expect people to continue to assist you it is imperative 
that you communicate with us correctly.  Please run the server in debug mode, 
capture the output and post the  output here along with a comprehensible 
description of the issue.  I must assume that the reason you have failed to do 
so is because some language barrier exists, however this is not an 
insurmountable issue.  We will work with broken English (heck someone here 
might actually speak your native language), but the server debug almost always 
shows you exactly what is wrong.  The FreeRADIUS team has worked very hard to 
put in excellent debugging statements for this very reason, and this is 
precisely why we pretty much demand debug output.

So, to recap:

1)  run the server in debug mode = radiusd -X

2)  Post the full debug log containing the issue to the list

3)  INCLUDE AN UNDERSTANDABLE DESCRIPTION OF THE PROBLEM

PS:  You're also running a REALLY old version of FR ... your problem could be 
solved with a simple upgrade.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of sekchel lee
Sent: Friday, September 23, 2011 4:41 AM
To: freeradius-users
Subject: same pool_key

freeradius 1.7

nas1 - localhost

nas2 - 222.x21.xxx.2

sqlippool

nas1-user-1  pool_key 1
nas1-user-2  pool_key 2
..
..
nas2-user-1 pool_key 7
nas2-user-2 pool_key 9
..
..

sometimes and randomly

nas1-user-5 login is assigned ==> pool_key 9
(the same pool_key as a nas2 user)

nas2-user-6 login is assigned ==> pool_key 2
(the same pool_key as a nas1 user)




RE: Freeradius Performance

2011-09-19 Thread Sallee, Stephen (Jake)
There is a tool to test the maximum RADIUS requests per second your setup can 
handle.

As for the max number of clients / NAS, that will be determined by the hardware 
of the NAS.

As for what type of NAS ... do you really expect us to do your shopping for you?

By bandwidth, I assume you mean RADIUS bandwidth.  That will depend on the type 
of authentication and NAS used. But for 300 clients almost any user class 
broadband connection will suffice (in my opinion, others may know better)

Please, if there is a language barrier here that is stopping you from posting 
sensible questions and supporting information, at least seek out an online 
translator so we may rake through broken English.  Very few of us have time to 
attempt to decode your messages.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of sekchel lee
Sent: Monday, September 19, 2011 9:55 AM
To: freeradius-users
Subject: Freeradius Performance

Freeradius Performance
My computer
Intel(R) Pentium(R) Dual  CPU  E2220  @ 2.40GHz
RAM 2GB
CentOS 5.5

NAS Client pptp and openvpn

each NAS  user 100 ~ 300

How many NAS Client ?

The ? NAS

How much bandwidth?


RE: Need a little regex help

2011-09-19 Thread Sallee, Stephen (Jake)
I found a nifty little tool a while back that has really helped me with 
difficult regexes. It's called RegexDesigner and runs fine on 64-bit Win 7.  
There is a simple GUI that shows you the regex and helps you build it, then 
you can give it some input and it will show you the outcome ... handy little 
tool.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Commonn Systems
Sent: Friday, September 16, 2011 8:51 PM
To: FreeRadius users mailing list
Subject: Re: Need a little regex help

I guess all the regex gurus will laugh at my request. I figured it out; for 
others, it looks like this works: .*:SSID_ABC !


On 9/16/2011 6:22 PM, Commonn Systems wrote:
> Hello list!
>
> After reading the list pretty much everyday for a month now, going 
> through the docs, manuals and a lot of googling (which always brought 
> me back to the list anyway), I have finally decided which way to go to 
> filter access to two SSIDs, for 2 groups.
> I am using FR 2.1.11 on Debian squeeze, against an AD domain with LDAP 
> membership lookup. I have 5 AP registered with FR, they each have 2 
> SSIDs that show in the request as MACADDRESS:SSID_ABC.
> Based on Phil Mayers on this post, 
> http://freeradius.1045715.n5.nabble.com/How-do-I-have-one-Freeradius-server-hosting-multiple-ldap-instances-and-associate-each-SSID-with-pare-td2847210.html#a2850433 
> I would like to match the last 8 characters of the Called-Station-Id, 
> "SSID_ABC"
>
> authorize {
>   if (Called-Station-Id =~ /SOMEREGEX:SSID_ABC/) {
>     update request {
>       Tmp-String-0 = "Staff"
>     }
>   }
>   elsif (Called-Station-Id =~ /SOMEREGEX:SSID_DEF/) {
>     update request {
>       Tmp-String-0 = "Students"
>     }
>   }
> }
>
> Everything is working great, this is the last piece of the puzzle to 
> finalize the project.
> I understand, this does not have anything to do with the wonderful 
> software that freeradius is, but from what I have read, lots of people 
> on this list are very skilled with regex. Thank you so much for all 
> the work and help you put in here.
>
>
> Tossi
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>

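An added example, written in Python rather than unlang and not part of the thread, showing why the posted `.*:SSID_ABC` pattern should be anchored: unlang's `=~` is an unanchored regex search, so that pattern also matches a longer SSID such as SSID_ABCD, and a station on a different SSID could end up tagged "Staff". The MAC addresses and the extra SSID names are constructed; `classify_split` is a hypothetical regex-free alternative that splits on the last colon instead.

```python
import re

# Group tag assigned per SSID, as in the unlang block in the thread.
GROUPS = {"SSID_ABC": "Staff", "SSID_DEF": "Students"}

# Constructed Called-Station-Id values in the MACADDRESS:SSID form
# described in the thread (MACs and the last two SSIDs are made up).
SAMPLE_REQUESTS = [
    "00-11-22-33-44-55:SSID_ABC",
    "00-11-22-33-44-55:SSID_DEF",
    "66-77-88-99-AA-BB:SSID_ABCD",       # not SSID_ABC, but starts with it
    "66-77-88-99-AA-BB:SSID_ABC_GUEST",  # same problem
]


def classify_regex(called_station_id, anchored):
    """Return the Tmp-String-0 value the unlang block would set, or None.

    anchored=False mirrors the posted pattern ".*:SSID_ABC"; like unlang's
    =~, re.search accepts a match anywhere, so a longer SSID that merely
    begins with SSID_ABC also matches.  anchored=True appends "$" so the
    SSID has to be the whole tail of the string.
    """
    for ssid, group in GROUPS.items():
        if anchored:
            pattern = rf":{re.escape(ssid)}$"
        else:
            pattern = rf".*:{re.escape(ssid)}"
        if re.search(pattern, called_station_id):
            return group
    return None


def classify_split(called_station_id):
    """Hypothetical regex-free variant: take everything after the last
    colon as the SSID and require an exact match.  Splitting on the last
    colon also copes with MACs written as aa:bb:cc:dd:ee:ff."""
    _mac, sep, ssid = called_station_id.rpartition(":")
    if not sep:
        return None  # no MACADDRESS:SSID structure at all
    return GROUPS.get(ssid)


if __name__ == "__main__":
    for csid in SAMPLE_REQUESTS:
        print(f"{csid:36} loose={classify_regex(csid, False)!s:9} "
              f"anchored={classify_regex(csid, True)!s:9} "
              f"split={classify_split(csid)}")
```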


Replacing Cisco ACS with Free RADIUS

2011-09-13 Thread Sallee, Stephen (Jake)
Our Cisco ACS was accidentally made useless by some numbskull (me) by raising 
the functionality level of our AD domain, apparently ACS 4.2 is not compatible 
with newer MS AD servers ... and once you raise the functionality level ... you 
can't go back ... go me  >:o

So! I am trying to replicate the Downloadable IP ACL function that we love so 
much in ACS, into Free RADIUS.  It seems that this is done through the Cisco AV 
Pair radius attribute.  If anyone has experience in this please drop me a line 
using my included contact info, if we move into production with it I will post 
back to the list for posterity what we did to get it to work.

Any help is always appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


Best Practices - maximum NAS entries in clients.conf

2011-09-12 Thread Sallee, Stephen (Jake)
@ everyone

We have about 100 NAS entries in our clients.conf file, it makes the file a 
bear to deal with but the server seems to handle it fine.  We will be expanding 
our infrastructure soon and the number of NAS entries will increase 
significantly.  At what point should we think about putting them into a 
database for FR to use?

Also, I have seen some chatter on the list about dynamic NASs.  Am I correct in 
assuming that if we are using a DB instead of the clients.conf file we can add 
or remove clients simply by making changes to the correct table, all without 
having to restart FR?

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



RE: Packet Fence web interface and freeradius users

2011-08-25 Thread Sallee, Stephen (Jake)
I just finished a deployment that did exactly that!  This may be a subject more 
suited for their mailing list (which I am on as well).

Message me on that list and I bet we can get you working. I only say this 
because from what you say FreeRADIUS is sending the correct radius attributes 
back, if that is the case then FR is doing its job perfectly and the problem 
likely lies with your NAS.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Marlon Bastida
Sent: Thursday, August 25, 2011 9:16 PM
To: freeradius-users@lists.freeradius.org
Subject: Packet Fence web interface and freeradius users

Hi,

I have 3 radius users working on freeradius. I will give one sample:

On /etc/raddb/users

test    Cleartext-Password := "test"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "2"

When I enter this user's credentials on an XP client with 802.1X auth, they get
the proper VLAN assigned. For example I have VLAN-ID = 2 - registration, 3 -
isolation, 5 - guests, 10 - normal.

So with the statement Tunnel-Private-Group-ID = VLAN-ID, I can't
successfully put a user on the proper VLAN; in this case the user above is put on
the registration VLAN.

If anyone has knowledge of the Packet Fence solution I would like some help to
integrate these users with the web interface of Packet Fence 2.1.0, so I can get a
user on the Violation Tab (isolation VLAN) or Node Tab (guests VLAN).


Tks in advance,
Marlon

RE: Cant Start Radius Server MAC OSX (snow leopard)

2011-08-14 Thread Sallee, Stephen (Jake)
Hmmm ... are you sure you are root?  I am not a MAC guy, but I do know that 
MACs are based off Linux (technically FreeBSD with some Steve Jobs magic on 
top, but who REALLY makes that distinction any more : ).  That being the case 
root SHOULD have access to everything, so if as root you are being denied 
access to a file then either the file has become locked somehow (but Linux is 
not supposed to care about that) or you are not REALLY root.  Your user may be 
root but it could be missing some privileges that another system user has.  I 
have been using Fedora, Ubuntu, CentOS, etc for several years and have NEVER 
had a file deny root access.  Root is the holy smack down you lay on a file 
when you want to fiddle with it no-matter-what, file permissions be d@mn3d!

Then again, as I said, I am not a MAC guy so Apple could have done something 
special.  Perhaps another MAC user here can say...

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Elizabeth Fife
Sent: Sunday, August 14, 2011 7:02 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Cant Start Radius Server MAC OSX (snow leopard)

Hi Jake
I am the root user

Server Radius Logs Say

Sun Aug 14 16:59:56 2011 : Info: rlm_sql (sql): Driver rlm_sql_sqlite (module 
rlm_sql_sqlite) loaded and linked
Sun Aug 14 16:59:56 2011 : Info: rlm_sql (sql): Attempting to connect to 
radius@localhost:/radius
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #0
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #1
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #2
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #3
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: Opening sqlite database 
/private/etc/raddb/sqlite_radius_client_database for #4
Sun Aug 14 16:59:56 2011 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Sun Aug 14 16:59:56 2011 : Error: /private/etc/raddb/users[215]: Parse error 
(check) for entry Service-Type: Invalid octet string "NAS-Prompt-User" for 
attribute name ""
Sun Aug 14 16:59:56 2011 : Error: Errors reading /private/etc/raddb/users
Sun Aug 14 16:59:56 2011 : Error: /private/etc/raddb/modules/files[7]: 
Instantiation failed for module "files"
Sun Aug 14 16:59:56 2011 : Error: 
/private/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module 
"files".
Sun Aug 14 16:59:56 2011 : Error: 
/private/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize 
section.
Sun Aug 14 16:59:56 2011 : Error: Errors initializing modules


radiusd -X says

server10:~ admin$ radiusd -X
FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11 2011 
at 17:19:07
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /private/etc/raddb/radiusd.conf
Unable to open file "/private/etc/raddb/radiusd.conf": Permission denied
Errors reading /private/etc/raddb/radiusd.conf

Does that help?




> To: 
> freeradius-users@lists.freeradius.org
> Subject: RE: Cant Start Radius Server MAC OSX (snow leopard)
> Date: Sun, 14 Aug 2011 22:56:13 +
>
> As what user are you attempting to start FreeRADIUS? Most times FR is run as 
> a daemon, so any user that tries to run FR should have permissions to look at 
> FR's files, most time this is root or some other super user. What does 
> radiusd -X say?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> -Original Message-
> From: 
> freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
>  
> [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org]
>  On Behalf Of DavidS
> Sent: Sunday, August 14, 2011 5:22 PM
> To: 
> freeradiu

RE: Cant Start Radius Server MAC OSX (snow leopard)

2011-08-14 Thread Sallee, Stephen (Jake)
As what user are you attempting to start FreeRADIUS?  Most times FR is run as a 
daemon, so any user that tries to run FR should have permissions to look at 
FR's files, most time this is root or some other super user.  What does radiusd 
-X say?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of DavidS
Sent: Sunday, August 14, 2011 5:22 PM
To: freeradius-users@lists.freeradius.org
Subject: Cant Start Radius Server MAC OSX (snow leopard)

Hi
I tried to run the Radius Server on Mac OSX Server Snow Leopard.

Tried to START Radius

It won't start

I had made a few changes (detailed below). I went to DEBUG with the following
output:

server10:~ admin$ radiusd -X
FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11
2011 at 17:19:07
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the GNU General 
Public License v2. 
Starting - reading configuration files ...
including configuration file /private/etc/raddb/radiusd.conf
Unable to open file "/private/etc/raddb/radiusd.conf": Permission denied
Errors reading /private/etc/raddb/radiusd.conf
server10:~ admin$

I had not edited this file

Can anyone help ?

Thanks

CHANGES I MADE PRIOR TO GETTING THIS ERROR

First time I used the Radius Server

Using Server Admin selected the Radius service - it appeared as expected 
identified and I entered a local time capsule (That appeared as a base
station)

The Radius Server was running

I stopped the Radius Server

AND using textwrangler edited /etc/raddb/clients.conf 

I entered the following text below the preceding "#" and above the text "client 
localhost {"
client   {
 ipaddr = 192.168.0.100
 netmask = 32
 secret = 
 require_message_authenticator = no
 shortname = slr877
 nastype = cisco
 }

I saved the file and closed the file


Using textwrangler I edited  /etc/raddb/users

At the end of the file entered

user1  Cleartext-Password := “password”
       Service-Type = NAS-Prompt-User,
       cisco-avpair = “webvpn:user-vpn-group=SLRgroup1”

Saved the file and closed the file

Tried to restart the Radius Server and got the above error

Please help
Thanks

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Cant-Start-Radius-Server-MAC-OSX-snow-leopard-tp4699245p4699245.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


RE: Validate server certificate problem

2011-08-09 Thread Sallee, Stephen (Jake)
> Windows clients are on the domain, so the user cert and the CA are added by 
> default when you join the machine to the domain
That is true so long as you are using a self-signed cert assigned by your 
enterprise CA.  We had this same issue and we had to manually import the cert 
to get it to work.  Our computers are on a Windows AD Domain.  Hope that helps.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Petar Marinkovic
Sent: Tuesday, August 09, 2011 12:17 PM
To: FreeRadius users mailing list
Subject: Re: Validate server certificate problem

Windows clients are on the domain, so the user cert and the CA are added by 
default when you join the machine to the domain
On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) <jake.sal...@umhb.edu> wrote:
I believe you need to install the server cert and any intermediate certs on the 
client before the validate server cert option will work.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org]
On Behalf Of Petar Marinkovic
Sent: Tuesday, August 09, 2011 11:16 AM
To: freeradius-users@lists.freeradius.org
Subject: Validate server certificate problem

I've set up the latest version of FreeRadius from source on Ubuntu, and I cannot
get EAP-TLS and PEAP to work when the option "Validate server certificate" is
on. We're using a Windows CA to be able to auth users on the domain. I saw this
old article
http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html
on how to generate a server certificate, but that fails for me in both ways:
1st fails because of a missing template on the Windows CA - how do I create the
template to match what freeradius needs?
2nd fails with the following error: CA certificate and CA private key do not
match
2634:error:0B080074:x509 certificate routines:X509_check_private_key:key values 
mismatch:x509_cmp.c:406:
That's strange, because the CA cert and CA private key are in the same file (as
noted in the text) and I didn't mistake the password (since I followed the
message blindly, with the same password).

When I untick "Validate server certificate" in the Windows clients (XP, Windows
7) I'm able to connect with both EAP-TLS and PEAP.

Any help is appreciated, thanks in advance.


RE: Security issues with 1.1.3 flatfile

2011-08-01 Thread Sallee, Stephen (Jake)
> Because that is what is installed when you do 'yum -y install freeradius' on 
> the CentOS 5.x PBX-in-a-Flash (PiaF) platform.

That is a fair statement, however I will say that installing FR from source is
the easiest source installation I have ever done. And as for staying up to
date, a two-line script can pull the latest source and build the new version,
and if you're really crazy a third line can restart the service with your new
binary.

Sorry, didn't mean to hijack your thread.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of d.tom.schm...@l-3com.com
Sent: Monday, August 01, 2011 4:45 PM
To: FreeRadius users mailing list
Subject: RE: Security issues with 1.1.3 flatfile

Because that is what is installed when you do 'yum -y install freeradius' on 
the CentOS 5.x PBX-in-a-Flash (PiaF) platform.
Otherwise, you have to explain to everyone how to manually install 2.1.7.
Does the problem not exist in 2.1.7?

Also, that was the How-To for MySQL that I was able to find.
Do you have a newer link to a How-To?

What is the latest release of freeRADIUS that I should try to use and is it 
already configured to run MySQL?

Thanks,

Tom Schmitt
Senior IT Staff - R&D
L-3 Communication Systems West
640 North 2200 West
P.O. Box 16850
Salt Lake City, UT  84116
Phone (801) 594-3030
Cell  (801) 231-7230

From: freeradius-users-bounces+d.tom.schmitt=l-3com@lists.freeradius.org 
[mailto:freeradius-users-bounces+d.tom.schmitt=l-3com....@lists.freeradius.org] 
On Behalf Of Sallee, Stephen (Jake)
Sent: Monday, August 01, 2011 3:16 PM
To: FreeRadius users mailing list
Subject: RE: Security issues with 1.1.3 flatfile


> So my questions are:

There REALLY needs to be a good reason that you are running any 1.X version, or
else your question should be, "Why haven't I upgraded to the latest and most
secure FreeRADIUS release?"

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of d.tom.schm...@l-3com.com
Sent: Monday, August 01, 2011 4:09 PM
To: freeradius-users@lists.freeradius.org
Subject: Security issues with 1.1.3 flatfile


Currently running 1.1.3 on CentOS 5.x.

I am currently using the flat file option and it works just fine as long as the
permissions on the file are:

  664   rw-rw-r--

Record in the file looks like:

Tom  Auth-Type := Local, User-Password := "tompass"

This allows everyone to read the file - not good security.

If I change the permissions to 660 (rw-rw----) then freeRADIUS will not restart.

I started setting up freeRADIUS to use a MySQL DB for access but I must have
something set up incorrectly.

I tried to follow the How-To but still must be missing something in the setup.

I have inserted a record into DB=radius and TABLE=radcheck where:

  Id = selected by MySQL as the next index number
  UserName = tom
  Attribute = 'Cleartext-Password'
  Op = ':='
  Value = tompass   (the password)

So my questions are:

1.   Is there a way to just secure the flatfile permissions?

2.   Is there a complete How-To for using MySQL with freeRADIUS?


Thanks,

Tom Schmitt
Senior IT Staff - R&D
L-3 Communication Systems West
Phone (801) 594-3030
||
   \ ~  ~ /
   | @  @ |
--oOo---(_)---oOo--
Have A Nice Day !

RE: Proxying based on a regex

2011-07-25 Thread Sallee, Stephen (Jake)
> Not quite ...

I see, that makes sense. Thanks for taking the time to explain.


Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] on behalf 
of Arran Cudbard-Bell [a.cudba...@freeradius.org]
Sent: Monday, July 25, 2011 4:02 PM
To: FreeRadius users mailing list
Subject: Re: Proxying based on a regex

On 25 Jul 2011, at 22:49, Sallee, Stephen (Jake) wrote:

>> Impressive, you've both made up entirely fictitious syntaxes for doing 
>> proxying... Um anyway.
>
> Glad you like it : )
>
> I am still new to FR so forgive me if I am mistaken but that little bit of 
> unlang would go into the sites-enabled-default config correct?

Yep, correct.

> If so isn't it doing the same thing as the suffix module?

Not quite, this proxies a whole bunch of suffixes to a single realm if the 
format matches. Suffix will proxy to different realms based on the realm in the 
request.

-Arran


>
> Either way you need to setup the proxy config ...
>
> Ours may be working because we are only checking the domain the user uses and 
> then steering them to the correct inner-tunnel, my apologies if the advice 
> was incorrect.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> -Original Message-
> From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
> [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] 
> On Behalf Of Arran Cudbard-Bell
> Sent: Monday, July 25, 2011 3:33 PM
> To: FreeRadius users mailing list
> Subject: Re: Proxying based on a regex
>
> Impressive, you've both made up entirely fictitious syntaxes for doing 
> proxying... Um anyway.
>
>
> if(User-Name =~ /REGEX/){
>   update control {
>   Proxy-To-Realm := 'my_proxy_realm'
>   }
> }
>
> Then configure the realm in proxy.conf. Subcapture groups can provide you 
> with parts of the User-Name string and can be accessed using the %{0}, %{1}, 
> %{2}... etc variables
>
> You don't need to do anything if you're just doing local authentication
>
>
> -Arran
>
> On 25 Jul 2011, at 22:20, Sallee, Stephen (Jake) wrote:
>
>> We did this through our realms see code:
>>
>> In your proxy.conf
>>
>> realm "~.*umhb\\.edu$" {
>>     ### some code here ###
>>     ### usually the virtual server you want to proxy them to ###
>> }
>>
>> If I am understanding your question right that should do it, but others may 
>> have a better way .. or I could be on crack ...
>>
>>
>> -Original Message-
>> From:
>> freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
>> [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius
>> .org] On Behalf Of Charles Plater
>> Sent: Monday, July 25, 2011 3:05 PM
>> To: freeradius-users@lists.freeradius.org
>> Subject: Proxying based on a regex
>>
>> I'm trying to configure our FreeRadius (2.1.9) server to proxy based on the 
>> format of the ID. I have a working regex that determines the domain to which 
>> the request should be sent, but I'm having a hard time figuring out the 
>> syntax of the proxy statement. Here's what I've tried:
>>
>> if (User-Name !~ ) {
>>  proxy: domain.name
>> else {
>>  proxy: LOCAL
>>  }
>> }
>>
>> FWIW, I can successfully authenticate to the "domain.name" realm by using
>> use...@domain.name.
>>
>> Can anyone offer any suggestions? Thanks in advance.
>> --
>> Charles Plater
>> Lead Application Technical Analyst
>> Internet Services
>> +1-313-577-4620
>> ab3...@wayne.edu
>>
>>
>>
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter
>
>
>

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


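An added Python illustration (not Arran's unlang or the project's own code) of the distinction drawn in the thread above: suffix handling looks up the realm that follows the "@" in a table and proxies to whatever that realm says, while a regex rule sends a whole family of User-Name formats to one realm and exposes capture groups the way %{1}, %{2} do in unlang. The realm table is constructed, the umhb.edu pattern is the thread's rule tightened to real subdomains, and the two-letters-plus-six-digits ID format is hypothetical because the original poster's regex is not in the thread.

```python
import re

# Constructed stand-in for the realms configured in proxy.conf:
# realm name -> home server, or None when the realm is handled locally.
REALMS = {
    "domain.name": "home-server-a",
    "umhb.edu": None,
}

# Regex rules in the spirit of the unlang block above: the first pattern
# that matches decides Proxy-To-Realm, and its capture groups play the role
# of %{1}, %{2}.  The first pattern is the thread's umhb.edu rule restricted
# to real subdomains (the posted ".*umhb\.edu$" would also accept
# user@notumhb.edu); the second is a hypothetical ID format (two letters,
# six digits) because the poster's own regex is not in the thread.
REGEX_RULES = [
    (re.compile(r"^[^@]+@(?:[\w-]+\.)*umhb\.edu$", re.IGNORECASE), "umhb.edu"),
    (re.compile(r"^([A-Za-z]{2})(\d{6})$"), "domain.name"),
]


def route_by_suffix(user_name):
    """Suffix-style handling: the text after the last '@' must be a realm
    that is configured verbatim, otherwise nothing is proxied."""
    _local, sep, realm = user_name.rpartition("@")
    if not sep:
        return None
    realm = realm.lower()
    return realm if realm in REALMS else None


def route_by_regex(user_name):
    """Regex-style handling: returns (realm, capture groups) or None."""
    for pattern, realm in REGEX_RULES:
        m = pattern.match(user_name)
        if m:
            return realm, m.groups()
    return None


if __name__ == "__main__":
    # Constructed sample User-Name values.
    for name in ["alice@domain.name", "bob@cs.umhb.edu", "ab123456",
                 "eve@notumhb.edu"]:
        print(f"{name:20} suffix={route_by_suffix(name)!s:12} "
              f"regex={route_by_regex(name)}")
```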


RE: Proxying based on a regex

2011-07-25 Thread Sallee, Stephen (Jake)
We did this through our realms see code:

In your proxy.conf

realm "~.*umhb\\.edu$" {
 some code here###
###usually the virtual server you want to proxy them to###
}

If I am understanding your question right that should do it, but others may 
have a better way .. or I could be on crack ...


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Charles Plater
Sent: Monday, July 25, 2011 3:05 PM
To: freeradius-users@lists.freeradius.org
Subject: Proxying based on a regex

I'm trying to configure our FreeRadius (2.1.9) server to proxy based on the 
format of the ID. I have a working regex that determines the domain to which 
the request should be sent, but I'm having a hard time figuring out the syntax 
of the proxy statement. Here's what I've tried:

if (User-Name !~ ) {
proxy: domain.name
else {
proxy: LOCAL
}
}

FWIW, I can successfully authenticate do the "domain.name" realm by using 
use...@domain.name.

Can anyone offer any suggestions? Thanks in advance.
-- 
Charles Plater
Lead Application Technical Analyst
Internet Services
+1-313-577-4620
ab3...@wayne.edu




RE: Error with AD/freeradius config

2011-07-15 Thread Sallee, Stephen (Jake)
If I may interject... if Gary's hint does not pan out I would suggest also 
checking that the ntlm_auth binary is accessible to the FR daemon, I had an 
issue on my box that the file permissions were correct but one of the 
directories in the path was denying me access. So not only does the file need 
the correct permissions but every directory in the path does too.  That one was 
a bugger to pin down the first time I came against it : )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Edge
Sent: Friday, July 15, 2011 10:42 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Error with AD/freeradius config 

Hi

Arran, I did read the debug messages, I just didn't understand what they were 
telling me, I couldn't understand why it had failed to execute as the file was 
there, I was root and I even tried using an admin account - just in case..
Gary has given me a clue so off I go hunting..

Thanks Guys and have a good weekend

-Original Message-
From: freeradius-users-bounces+edgedemon=hotmail@lists.freeradius.org
[mailto:freeradius-users-bounces+edgedemon=hotmail@lists.freeradius.org]
On Behalf Of freeradius-users-requ...@lists.freeradius.org
Sent: 15 July 2011 16:17
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 75, Issue 58


Today's Topics:

   1. Re: Error with AD/freeradius config  (Arran Cudbard-Bell)
   2. Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and,
      more broadly, setting Stripped-User-Name) (Alexander Clouter)
   3. RE: Error with AD/freeradius config  (Gary Gatten)


--

Message: 1
Date: Fri, 15 Jul 2011 16:31:34 +0200
From: Arran Cudbard-Bell 
Subject: Re: Error with AD/freeradius config
To: FreeRadius users mailing list

Message-ID: <7df14eea-3164-48bd-996b-8edc42c59...@freeradius.org>
Content-Type: text/plain; charset=us-ascii


On Jul 15, 2011, at 4:26 PM, Edge wrote:

> Exec-Program output: Exec-Program: FAILED to execute
> /usr/local/etc/raddb/modules/ntlm_auth: Permission denied
> Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
> /usr/local/etc/raddb/modules/ntlm_auth: Permission denied

Helps to actually read the debug output you're posting ;)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



--

Message: 2
Date: Fri, 15 Jul 2011 15:49:34 +0100
From: Alexander Clouter 
Subject: Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and,
    more broadly, setting Stripped-User-Name)
To: freeradius-users@lists.freeradius.org
Message-ID: 

Phil Mayers  wrote:
>
>>Unfortunately, when you set nostrip in the config, it doesn't add a 
>>Stripped-User-Name attribute to the request, but when you unset it, 
>>rlm_realms adds a Stripped-User-Name attribute and also updates the 
>>User-Name attribute to the same value.
>
> I am 90% sure that's not what rlm_realm does. We use unlang to process 
> realms now, but I am certain we used it with nostrip and it left the 
> original User-Name intact and populated Stripped-User-Name.
>
You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and making its 
way out into outer.reply.  When you use 'User-Name' in post-auth{} you will get 
reply:User-Name rather than request:User-Name if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.

Cheers

--
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.



--

Message: 3
Date: Fri, 15 Jul 2011 10:16:48 -0500
From: Gary Gatten 
Subject: RE: Error with AD/freeradius config 
To: "'FreeRadius users mailing list'"
Message-ID: <30615_1310743009_4E2059E1_30615_115_1_D9B37353831173459FDAA836D3B43499C52186...@wadpmbxv0.waddell.com>
Content-Type: text/plain; charset="us-ascii"

Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to e

RE: Mac-Auth

2011-07-07 Thread Sallee, Stephen (Jake)
If I may butt in here…

IF you are interested in a FOSS captive portal there is a rather good FOSS NAC 
called packetfence that can do exactly what Mr. Gatten is saying.  It uses 
FreeRADIUS for its 802.1x authentication and has all kinds of neat features.  
If you're interested, drop me a line and I can give you more info, or go to 
their website www.packetfence.org.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Thursday, July 07, 2011 5:09 PM
To: 'FreeRadius users mailing list'
Subject: RE: Mac-Auth

MAC-Auth has its place, but I agree with some others this isn’t the best fit.  
MAC spoofing = easy.  User gets new NIC or computer = often.

“You” don’t need to do anything on the client.  How about you set a default 
VLAN with restrictions, a captive portal of sorts.  They don’t need to “login”, 
but every DNS request lands them on a page that says: You’re not authenticated; 
you need to follow the directions in this link.  Have a how-to with pretty 
pictures and stuff, I’m sure there are many already on the web. ACL on the 
default “GUEST” VLAN restricts their IP access as you see fit.

Bottom line, users can enable / configure 802.1x supplicant themselves with a 
little guidance.  In the long run you’ll be WAY better off with 802.1x.  IMHO.

G


From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Paulo Maia
Sent: Thursday, July 07, 2011 4:10 PM
To: FreeRadius users mailing list
Subject: Re: Mac-Auth

I don't want to enable 802.1x auth in the clients because I have over 3000 
computers and I don't have AD to set a GPO in all clients. But I do have all 
the mac-addresses. I don't know if I'm going the wrong way here.

Thanks ,
On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <phc.m...@gmail.com> wrote:
Ok guys, thanks.
One other question though: I have configured radius settings in the switch 
(c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting 
to the radius server OK. But it keeps asking for user/pass auth. Is there a way 
to authenticate the mac-address without enabling 802.1x in the client 
computer?

On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
Hi,
>Hi Guys,
>Here is the thing, I'm trying to use Mac-Auth. I managed to get it working
>using authorized-macs files, although I need to use a mysql table which
>I already have with the ssid and mac-address fields, and I need to add an
>operator to expire macs, because I work at a college campus and students'
>mac-addresses need to expire according to their course period. Any ideas?
>Thanks in advance.
Put the MAC address in the radcheck table and set an Expiration. Should work a treat.

00-11-22-33-44-55 Expiration := "10 Jul 2011"


alan

RE: NTLM Auth and mysql

2011-06-17 Thread Sallee, Stephen (Jake)
I should also note that all the questions you asked are not in any way related 
to FreeRADIUS.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of motaibi
Sent: Friday, June 17, 2011 10:08 AM
To: freeradius-users@lists.freeradius.org
Subject: NTLM Auth and mysql

Dear Guys,

I have this setup:

Serv1: Linux Server CentOS 5.6 {
- Chillispot
- FreeRADIUS
- Apache
- Mysql
}

Serv2: Windows Server 2003 {
- Active Directory
}

Now I will explain how I set this up and what my problem is.

I integrated chillispot & mysql with FreeRADIUS.

When the client enters his username and password it comes to FreeRADIUS, which 
does Authentication via NTLM-AUTH against Active Directory to verify the user, 
then does Authorization via mysql.

# If the user is found in Active Directory only and does not exist in mysql, 
he will log in without any policy like Limited Download and login-time, etc.

# If the user is found in Active Directory and mysql, he will log in with the 
policy.

How can I take the users in Active Directory and create them in the mysql DB 
through some script, PHP or otherwise? Let's say that after some time there 
are many users created in Active Directory, so they will not be found in 
mysql. How do I do that automatically, not manually?

I attached two examples of my debugging mode in FreeRADIUS:

http://freeradius.1045715.n5.nabble.com/file/n4499034/test.pdf test.pdf 
http://freeradius.1045715.n5.nabble.com/file/n4499034/user1.pdf user1.pdf 

I hope someone can solve my problem.

Thanks
Best Regards,
Metab

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/NTLM-Auth-and-mysql-tp4499034p4499034.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


RE: NTLM Auth and mysql

2011-06-17 Thread Sallee, Stephen (Jake)
Are you new to this list?  If so please remember that this list is maintained 
by volunteers, if you want professional support at your fingertips go pay for 
it.  Also, the debugs you posted are incomplete.  Please post the FULL debug 
output and wait patiently.  Please do not mangle your debugs, sanitize them, 
but post them in full.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of motaibi
Sent: Friday, June 17, 2011 3:50 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: NTLM Auth and mysql

This is my second post 
and no reply 
UP UP



RE: Freeradius Secret

2011-05-27 Thread Sallee, Stephen (Jake)
It should be logged in the syslog or if you run in debug mode it WILL be 
plainly logged in the output.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Nathan McDavit-Van Fleet
Sent: Friday, May 27, 2011 1:22 PM
To: FreeRadius users mailing list
Subject: Freeradius Secret

Can somebody tell me the expected issues when the secret for a Client is 
misconfigured? We had an issue with some NASs not able to connect to the 
Freeradius, and it appears as if the only thing we changed was the 
corresponding secrets. Are NASs with mismatched secrets dropped silently or 
logged?

Nathan Van Fleet


RE: Correct RegEX format for virtual server in proxy.conf

2011-05-17 Thread Sallee, Stephen (Jake)
Alan you are correct, the example in the proxy.conf file is correct, in the 
latest version.  Regrettably in the version I have installed there is a typo in 
the proxy.conf file and the all-so-important "." is omitted.  This is what I 
get for not staying current, thanks for the sharp eye!  

PS: Anybody know how to get current FR RPMs for CentOS?

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Tuesday, May 17, 2011 9:48 AM
To: FreeRadius users mailing list
Subject: Re: Correct RegEX format for virtual server in proxy.conf

Sallee, Stephen (Jake) wrote:
> I am trying to follow the excellent instructions in the proxy.conf 
> file for setting up a virtual server using realms, however I keep 
> getting an error when I try to start radiusd -X telling me that the 
> regex is invalid... here is my realm declaration, what am I doing wrong?
...
> realm ~*\.cru$ {
> 
> /etc/raddb/proxy.conf[676]: Invalid regex in realm "~*\.cru$"

  You're missing an initial ".", the "*" operator matches *something*.

realm "~.*\\.cru$" {

  i.e. ~   .   *

  not  ~  *

  Again, the example in proxy.conf is correct. :)

  Alan DeKok.

Correct RegEX format for virtual server in proxy.conf

2011-05-17 Thread Sallee, Stephen (Jake)
I am trying to follow the excellent instructions in the proxy.conf file for 
setting up a virtual server using realms, however I keep getting an error when 
I try to start radiusd -X telling me that the regex is invalid... here is my 
realm declaration, what am I doing wrong?

realm "~*\\.cru$" {
}
realm "~*\\.cru\\.umhb\\.edu$" {
}
realm "~*\\.umhb$" {
}
realm "~*\\.umhb\\.edu$" {
}


I know the realms are blank at this time so they do effectively nothing, but 
one step at a time : )

And here is the error from startup:

realm LOCAL {
}
realm ~*\.cru$ {
/etc/raddb/proxy.conf[676]: Invalid regex in realm "~*\.cru$"
} # realm ~*\.cru$

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

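The check Alan describes, as an added example that is not FreeRADIUS code: it reads the realm blocks out of a proxy.conf fragment the way the config parser would (a doubled backslash inside a double-quoted value collapses to one, a leading ~ marks a regex realm), reports the realms radiusd would reject with "Invalid regex", and shows which realm a User-Name's suffix lands in. Python's re stands in for the system POSIX regex library, and matching the part after the last @ case-insensitively is this script's assumption about rlm_realm's suffix handling.

```python
"""Validate the regex realms in a proxy.conf before restarting radiusd.

Added example, not FreeRADIUS code. Two things the FreeRADIUS config parser
does are mimicked: inside a double-quoted value a doubled backslash becomes a
single one, and a value starting with "~" is a regex realm. Python's re
stands in for the system POSIX regex library FreeRADIUS compiles with, and
matching on the realm part of User-Name (after the last "@", case-
insensitively) is this script's assumption about rlm_realm's suffix format."""
import re

# Constructed proxy.conf fragment: the broken realm from the thread next to
# its corrected form, plus a literal realm and a second regex realm.
SAMPLE_PROXY_CONF = r'''
realm LOCAL {
}
realm "~*\\.cru$" {
}
realm "~.*\\.cru$" {
}
realm "~.*umhb\\.edu$" {
}
'''

REALM_RE = re.compile(r'^\s*realm\s+(\S+)\s*\{', re.MULTILINE)


def unquote_config_string(raw):
    """Strip surrounding double quotes and collapse doubled backslashes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\")


def compile_realms(proxy_conf):
    """Return [(realm_name, compiled_regex_or_None, error_or_None), ...] in
    file order. Literal realms get (name, None, None); a regex realm that
    fails to compile keeps the error text so it can be reported."""
    realms = []
    for m in REALM_RE.finditer(proxy_conf):
        name = unquote_config_string(m.group(1))
        if not name.startswith("~"):
            realms.append((name, None, None))
            continue
        try:
            realms.append((name, re.compile(name[1:], re.IGNORECASE), None))
        except re.error as exc:
            realms.append((name, None, str(exc)))
    return realms


def invalid_realms(realms):
    """Names of the realm blocks radiusd would refuse at startup."""
    return [name for name, _, err in realms if err]


def find_realm(user_name, realms):
    """First realm whose literal name or regex matches the realm part of
    user_name; None when there is no '@' or nothing matches."""
    if "@" not in user_name:
        return None
    realm_part = user_name.rsplit("@", 1)[1]
    for name, regex, err in realms:
        if err:
            continue  # radiusd would not have started; skip it here
        if regex is None:
            if name.lower() == realm_part.lower():
                return name
        elif regex.search(realm_part):
            return name
    return None


if __name__ == "__main__":
    realms = compile_realms(SAMPLE_PROXY_CONF)
    for name, _, err in realms:
        print("%-20s %s" % (name, "invalid regex: " + err if err else "ok"))
    for user in ("bob@students.cru", "alice@umhb.edu", "carol@example.org"):
        print(user, "->", find_realm(user, realms))
```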

RE: Compiling from source

2011-05-13 Thread Sallee, Stephen (Jake)
Actually FR is one of the easiest compiles on linux I have ever seen!  The 
trick is to make sure you have all the necessary DEV packages installed.  I 
haven't compiled from source in a bit but I know in other programs you have to 
have the correct DEV package architecture, i.e. even though you may be running 
a 64 bit OS the build may REQUIRE the 32 bit dev package.

I do not remember if FreeRADIUS does this or not but it has been a pain for me 
in the past when building other software, so if your build is failing on a req 
that you KNOW you have installed check to see if the dev package is installed 
and if it is the correct architecture.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Tim McNabb
Sent: Friday, May 13, 2011 1:43 PM
To: FreeRadius users mailing list
Subject: RE: Compiling from source

Thanks for the input Gary. I gave it a dry run a couple days ago; installing 
radiusd and rc.radiusd to /etc/rc.d/init.d will cause it to run at startup but 
I want to have more simplistic control over the service if possible. Obviously 
installing to sbin will give you control regardless of directory location, 
however the service command doesn't give you access, at least not that I've 
found (e.g. root# service radiusd OPTION). If someone has found a workaround 
for this, that would be fantastic. I know about enough Linux to be dangerous, 
though definitely having fun working on this and learning new things. ;-)

-Tim

From: freeradius-users-bounces+tim=velociter@lists.freeradius.org 
[mailto:freeradius-users-bounces+tim=velociter@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Friday, May 13, 2011 11:15 AM
To: 'FreeRadius users mailing list'
Subject: RE: Compiling from source

I just compiled / installed 2.1.10 on RHEL yesterday, zero problems.  I don't 
know about Chkconfig - I'm just testing it so launched it manually.

G



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Tim McNabb
Sent: Friday, May 13, 2011 1:03 PM
To: freeradius-users@lists.freeradius.org
Subject: Compiling from source

Has anyone been successful in installing FreeRADIUS 2.1.10 from src on CentOS 
or RHEL? I'd prefer not to use the package manager for installation as I'm 
attempting to install a custom module and the directory tree from the repo 
install doesn't match the source module setup. I know this is normal for using 
Yum, just wondering if anyone has been successful installing from src on CentOS 
and what worked and what didn't. Chkconfig doesn't seem to be working on a src 
install either and I want radiusd to run as a service.

Thanks in advance,

Timothy McNabb
Network Administrator
Velociter Wireless, Inc
(209)838-1221

RE: Radius Integration with Active Directory

2011-03-24 Thread Sallee, Stephen (Jake)
While MS ISA is fine for very small deployments it cannot scale very well in my 
experience, whereas FR scales extremely well.

While MS ISA will start to really putter out at about 50-100 NASs (depending on 
your hardware)  FR will happily hum along with THOUSANDS of NASs.

Jake Sallee
Network Engineer
University of Mary Hardin-Baylor
Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Raheel Itrat
Sent: Friday, March 25, 2011 1:08 AM
To: freeradius-users@lists.freeradius.org
Subject: Radius Integration with Active Directory

Hi all,

I have installed a freeradius machine on ubuntu server, now my boss wants me to 
integrate it with the Active directory so that the users can be authenticated 
through it. I was wondering, design wise, does it make sense to have a free 
radius server in between if we can run radius on the windows machine itself? 
What are the security best practices in this case?

Cheers


RE: New User and AD Question

2011-03-02 Thread Sallee, Stephen (Jake)
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
> 
> ATTRIBUTE My-NT-Domain 3003 string
> 
> ...and set this in your regexps:
> 
> if (User-Name =~ /host[/].+[.]domain.com/) {
>update request {
>  My-NT-Domain = "DOMAIN.COM"
>}
> }
> elsif (...) {
> }
> 
> ...then in your ntlm_auth helper, do:
> 
>   ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."
> 

That is brilliant!   We are going to deploy a second domain this summer, I was 
wondering exactly how I would make our FR server work with both.  I am 
definitely going to give this a try!

Jake Sallee
Network Engineer
University of Mary Hardin-Baylor
Fone: 254-295-4658
Phax: 254-295-4221



RE: Clarification / Confirmation needed re: Free Radius against Active Directory

2011-03-01 Thread Sallee, Stephen (Jake)
Just a word of warning, manually setting Auth-Type = ANYTHING is usually a bad 
idea.  FR is really good about figuring out what to do all on its own; if you 
force an auth type it will very likely break something else. 

Jake Sallee
Network Engineer
University of Mary Hardin-Baylor
Fone: 254-295-4658
Phax: 254-295-4221



> -Original Message-
> From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Moe,
> John
> Sent: Tuesday, March 01, 2011 3:26 PM
> To: FreeRadius users mailing list
> Subject: RE: Clarification / Confirmation needed re: FreeRadius against
> ActiveDirectory
> 
> > -Original Message-
> > From: freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org
> > [mailto:freeradius-users-
> > bounces+jmoe=hatch.com...@lists.freeradius.org] On Behalf Of Alan
> > DeKok
> > Sent: Tuesday, 1 March 2011 5:51 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Clarification / Confirmation needed re: FreeRadius
> > against ActiveDirectory
> >
> > Moe, John wrote:
> > > Now, I've read a lot of configuration pages (for Ubuntu, Samba,
> > Winbind,
> > > and FreeRadius, to name a few) in the last few days, and my head's
> > > spinning a bit, and I'd like to make sure I'm doing this right, and
> > I've
> > > managed to grasp a few things...
> >
> >   The definitive guide is here:
> >
> > http://deployingradius.com/documents/configuration/active_directory.html
> >
> >   It's simple, clear, and contains just enough information to allow
> > you to get it to work.
> >
> >   Alan DeKok.
> 
> Yeah, the information in that one is, as you said, simple and "just enough".
> However, it doesn't address either of the two questions I asked.
> 
> 1) Is setting "Auth-Type = ntlm_auth" the correct way for doing what I want,
> or have I mis-configured something so that FreeRadius could work out that it
> needs to use ntlm_auth on its own?
> 2) How do I match a rule against AD Group membership?  This one was
> answered in a previous reply, and I think I can work out the implementation
> details from there, I just need to do some work and testing.
> 
> If anyone knows the answer to the first question, I'd appreciate it.
> 
> John H. Moe
> Network Support - Hatch IT
> HATCH
> Tel: +61 (7) 3166 
> Direct: +61 (7) 3166 7684
> Fax: +61 (7) 3368 3754
> Mobile: +61 438 772 425
> 61 Petrie Terrace, Brisbane, Queensland Australia 4011
> 


RE: New User and AD Question

2011-02-27 Thread Sallee, Stephen (Jake)
Two comments about posting logs ... 

#1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps 
we don't need) and don't redact anything that's not privileged info; you can 
very easily remove the portion of the log that holds the answer to your 
questions.

#2 Your output of radiusd -X WILL CONTAIN your SSL cert passwords in CLEAR 
TEXT!  So make sure you remember to scrub them of any info you don't want 
becoming public.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of McNutt, Justin M.
Sent: Sunday, February 27, 2011 2:05 PM
To: FreeRadius users mailing list
Subject: RE: New User and AD Question

> McNutt, Justin M. wrote:
> > New member to the list, here.  I have a question about AD
> computer-based
> > authentication.  Basically, how is it accomplished?
> 
> http://deployingradius.com/documents/configuration/active_directory.html
> 
>   It's pretty much the same as normal user authentication.  PEAP goes 
> in, authentication goes out, never a miscommunication. :)

If I recall, we used this walkthrough to get user authentication to work (which 
it does), but it still doesn't work for host authentication.  This is keeping 
in mind that users' creds come across as "NT-LIKE-DOMAIN\\USERID" but hosts 
appear as "host\\computer.ad.domain.name" AND that "NT-LIKE-DOMAIN" and 
"ad.domain.name" do not look at all alike.

I'll re-read the link, though, just to be sure.

>   So... what goes wrong?

For users, it's a number of things.  Bad passwords.  Attempts to use EAP-TLS or 
EAP-MD5 (which we don't support).  Misspelled or missing domain names.  That 
sort of thing.

For the hosts, it Just Doesn't Work.  I have yet to determine why.  (More 
research.)

>   Post the debug log from a failed session.

Will do.  (Pulling just the relevant bits out will be difficult, given the 
verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so 
it shouldn't take long.)

--J
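A scrubbing pass of the kind Jake's point #2 calls for, as an added example that is not FreeRADIUS code: it redacts the value of every `name = value` item whose name ends in password or secret (so the TLS private_key_password, client secrets and User-Password all go) while leaving everything a helper on the list actually needs. It assumes the one-item-per-line format of 2.x radiusd -X output; the transcript below is constructed, not captured.

```python
"""Scrub a radiusd -X transcript before posting it to the list.

Added example, not FreeRADIUS code. It assumes the 2.x debug format of one
`name = value` item per line, for the config dump and the request/reply
attribute lists alike. The sample transcript below is constructed."""
import re

# Attributes that carry password-derived material under another name.
EXTRA_SENSITIVE = {"ms-chap-response", "ms-chap2-response"}
# indent, item name (attribute tags like Tunnel-Password:1 allowed), " = ", value
ITEM_RE = re.compile(r"^(\s*)([A-Za-z0-9_.:-]+)(\s*=\s*)(.+)$")

# Constructed sample: a client block, the EAP TLS section and one request.
SAMPLE_DEBUG = """\
 client localhost {
\tipaddr = 127.0.0.1
\tsecret = "testing123"
 }
 module eap {
\ttls {
\t\tprivate_key_password = "whatever"
\t\tprivate_key_file = "${certdir}/server.pem"
\t}
 }
rad_recv: Access-Request packet from host 192.0.2.10 port 1645, id=7, length=58
\tUser-Name = "bob"
\tUser-Password = "hunter2"
\tNAS-IP-Address = 192.0.2.10
"""


def is_sensitive(name):
    """True for secret, *_password, User-Password, Tunnel-Password:N, ..."""
    base = name.lower().split(":")[0]  # drop an attribute tag suffix
    return (base.endswith("password") or base.endswith("secret")
            or base in EXTRA_SENSITIVE)


def scrub_line(line):
    """Return (line, redacted) with the value replaced when the name is sensitive."""
    m = ITEM_RE.match(line)
    if not m or not is_sensitive(m.group(2)):
        return line, False
    indent, name, sep, _value = m.groups()
    return "%s%s%s<redacted>" % (indent, name, sep), True


def scrub_debug(text):
    """Scrub a whole transcript; returns (scrubbed_text, number_of_redactions)."""
    out, hits = [], 0
    for line in text.splitlines():
        new, hit = scrub_line(line)
        out.append(new)
        hits += hit
    return "\n".join(out), hits


if __name__ == "__main__":
    scrubbed, hits = scrub_debug(SAMPLE_DEBUG)
    print(scrubbed)
    print("redacted %d value(s)" % hits)
```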


RE: Parallel running RADIUS servers

2011-02-17 Thread Sallee, Stephen (Jake)
I'm not sure how that would work ... the AAA process is a conversation that 
both sides participate in, your production server would churn along happily but 
how would your test server talk back to the client to keep the process going?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Brian Candler
Sent: Thursday, February 17, 2011 8:38 AM
To: freeradius-users@lists.freeradius.org
Subject: Parallel running RADIUS servers

I wonder if anyone has implemented anything like the following, and if so, if 
they can share their experiences of how they did it.

When rolling out a new RADIUS config, I would like to be able to run both the 
current and new configs side by side, processing the same packets in real time 
in both servers, and highlight if and where the responses differ. 
This would give a very high confidence level that the new config didn't break 
things in unexpected ways.

(I already have an off-line test suite, which uses radclient to send a number 
of test cases to the development RADIUS server, but there is a lot of legacy 
traffic and I can never be sure that the suite completely captures all 
possible cases)

I can think of a few ways of implementing this:

* Using bpf (like radsniff) to capture the live requests and responses.
  Forward a copy of the request to a second process, which would somehow
  be jailed to a loopback interface, and then compare the responses.

* Have some sort of forking proxy, which takes one input packet and sends
  it to two places, A and B. It would take either the A or B response and
  return it to the client. It could even vote on them (e.g. Access-Accept
  takes precedence over Access-Reject)

Some of the existing logic I work with makes use of the source IP address of 
the packet (i.e.  Client-IP-Address), so a simple proxy which resends the 
packet would be a problem.  I suppose I could put Client-IP-Address into a real 
AV.

Anybody doing anything like this today, or know of any projects which do this?

Thanks,

Brian.
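The comparison half of Brian's forking-proxy idea, together with the check a NAS makes on every reply that the "Freeradius Secret" thread above asks about, as an added example that is not FreeRADIUS or radsniff code. Only one server's reply ever goes back to the client, which is Jake's point; the second reply is parsed, its Response Authenticator checked against the shared secret, and its attributes diffed against the first. The attribute names, request authenticator, secrets and both sample replies are constructed, and forwarding the request to the two servers is left out.

```python
"""Compare two RADIUS servers' replies to one request, after checking each
reply's Response Authenticator against the shared secret (RFC 2865 s.3).

Added example, not FreeRADIUS or radsniff code. The attribute names, the
request authenticator, the secrets and both sample replies are constructed;
forwarding the request to the two servers is left out."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}
# Just the RFC 2865 attributes the sample replies use.
ATTR_NAMES = {6: "Service-Type", 18: "Reply-Message", 25: "Class",
              27: "Session-Timeout"}


def parse(packet):
    """Split a RADIUS datagram into code, identifier, authenticator and a
    list of (type, value) attributes, refusing truncated or oversized ones."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("attribute header runs past the packet")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "auth": packet[4:20], "attrs": attrs}


def _response_auth(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Encode a reply the way a server would; used to construct the samples."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    auth = _response_auth(code, ident, body, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(response, request_auth, secret):
    """The check a NAS makes on every reply. With a mismatched secret on
    either side the digest differs and the reply is silently discarded,
    which from the outside looks like a server that never answers."""
    p = parse(response)
    expected = _response_auth(p["code"], p["id"], response[20:],
                              request_auth, secret)
    return hmac.compare_digest(expected, p["auth"])


def diff_responses(resp_a, resp_b):
    """Describe how reply B differs from reply A: packet code first, then
    every attribute value that appears in only one of the two replies."""
    a, b = parse(resp_a), parse(resp_b)
    out = []
    if a["code"] != b["code"]:
        out.append("code: %s vs %s" % (CODE_NAMES.get(a["code"], a["code"]),
                                      CODE_NAMES.get(b["code"], b["code"])))
    for t, v in sorted(set(a["attrs"]) | set(b["attrs"])):
        in_a, in_b = (t, v) in a["attrs"], (t, v) in b["attrs"]
        if in_a != in_b:
            out.append("%s=0x%s: %s" % (ATTR_NAMES.get(t, "Attr-%d" % t),
                                       v.hex(), "only A" if in_a else "only B"))
    return out


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"testing123"  # constructed values
    prod = build_response(ACCESS_ACCEPT, 7, [(6, b"\x00\x00\x00\x02"),
                                             (27, b"\x00\x00\x0e\x10")],
                          req_auth, secret)
    test = build_response(ACCESS_ACCEPT, 7, [(6, b"\x00\x00\x00\x02"),
                                             (27, b"\x00\x00\x1c\x20")],
                          req_auth, secret)
    print("prod reply authentic:", verify_response(prod, req_auth, secret))
    print("same reply, wrong secret:", verify_response(prod, req_auth, b"wrong"))
    for line in diff_responses(prod, test):  # only prod's reply goes to the NAS
        print("differs:", line)
```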


RE: wiki question

2011-02-16 Thread Sallee, Stephen (Jake)
If you are using ver 1.3.0 then the article is for you ... and you should 
REALLY think about upgrading, otherwise use Alan's instructions @ 
http://deployingradius.com/


Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Raymond Norton
Sent: Wednesday, February 16, 2011 12:04 PM
To: FreeRadius users mailing list
Subject: wiki question

I am working through the following wiki:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Set_up_the_Linux_server

I'm good till I get to this area:
Configuration of radiusd.conf

Open this file and proceed to the section:

# Microsoft CHAP authentication

Make sure that the following lines are uncommented and that the value is the 
same as indicated here.

authtype = MS-CHAP

with_ntdomain_hack = yes, etc..

I don't have any of this info in radiusd.conf, so do I add all of it, or is 
this info contained elsewhere?

Raymond


RE: Freeradius + LDAP for WPA-Enterprise

2011-02-11 Thread Sallee, Stephen (Jake)
> As for accomplishing your goal, unfortunately others will have to help you 
> with that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you 
> can authenticate EAP requests against LDAP directly because of the "no clear 
> text password" issue.

I think he is right ... I know that we had to use the ntlm_auth exec module ... 
is there a reason you are doing EAP instead of PEAP?

PEAP/MSCHAPv2 or PEAP/TTLS work great with Linux hosts ... even Macs (which are 
nothing more than bastardized Linux boxes). Windows hosts require a bit of 
configuring on the client to make it work, but then they work too.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Friday, February 11, 2011 11:37 AM
To: 'FreeRadius users mailing list'
Subject: RE: Freeradius + LDAP for WPA-Enterprise

I'm barely a novice with FR, so take this with a grain of salt:

You forced ALL Authentication requests to use LDAP.  EAP / LDAP don't play well 
together.  Remove the "Auth Type LDAP" - for now.

You almost "never" want to set the Auth-Type directly; FR figures it out from 
the request.  For testing and troubleshooting it's OK, and if you really know 
what the consequences are it's OK, but generally speaking don't set the auth 
type.

As for accomplishing your goal, unfortunately others will have to help you with 
that - I don't know FR/LDAP/EAP well enough.  But, I don't THINK you can 
authenticate EAP requests against LDAP directly because of the "no clear text 
password" issue.

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Max Schröder
Sent: Friday, February 11, 2011 11:06 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius + LDAP for WPA-Enterprise

Hello to all,

I would like to use Freeradius to authenticate my wireless network using 
OpenWRT and Freeradius + LDAP. What I've done:

First I authenticated users in WLAN using EAP-TTLS and files in Freeradius. 
WORKED! Then I configured the ldap module, added "ldap" in the authorize 
section and "Auth-Type LDAP { ldap }" in the authenticate section. The test 
via radtest succeeded.

But now the authentication using OpenWRT (EAP-TTLS), like the first try with 
files but now with ldap, did not work. I did notice the following comment:

#  Note that this means "check plain-text password against
#  the ldap database", which means that EAP won't work,
#  as it does not supply a plain-text password.
Auth-Type LDAP { ldap }

but I don't know what to change so that it works like my first try, with the 
difference that the users are in LDAP instead of a file.

I hope to get some hints.

Best regards.
MS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






  "This email is intended to be reviewed by only the intended 
recipient  and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that  any 
review, use, dissemination, disclosure or copying of this email  and its 
attachments, if any, is strictly prohibited.  If you have  received this email 
in error, please immediately notify the sender by  return email and delete this 
email from your system."



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Unknown CA error in FR Debug

2011-01-24 Thread Sallee, Stephen (Jake)
I have imported the ca.der into BOTH the trusted root CA store and the 
Third-Party Root CA store; still I get the unknown CA error.

I must be doing something wrong. As per Alan's advice I did visit 
deployingradius.com, and there it mentions that the "validate server certificate" 
check box must be selected in the 802.1x supplicant config; however I cannot seem 
to find where to configure that option BEFORE the first successful connection.  I 
know exactly how to do it once the profile is established, but before the 
client has successfully connected for the first time I cannot find where one 
would set this option.

Any help would be appreciated.

Also, I have used the bootstrap script to generate the certs, but I wanted to 
check that the certs it is generating are what I need.  I mentioned that I 
changed the parameters; just to be clear, the only options I changed are the 
name of the entity (changed it to the name of our university for the CA and 
the name of the server for the server cert) and the expiry time (set it to a 
date way into the future).  That's it.

I have also experimented with using different keys in the eap.conf file (using 
server.crt instead of server.pem, etc.) but each time the results are the same. 
Please see a copy of my eap.conf below:

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##  $Id$

###
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the "eap2" module.
#  See experimental.conf for documentation.
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = peap

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to "yes", you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

#
#  Help prevent DoS attacks by limiting the number of
#  sessions that the server is tracking.  Most systems
#  can handle ~30 EAP sessions/s, so the default limit
#  of 4096 should be OK.
max_sessions = 4096

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform its authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Passwo

Unknown CA error in FR Debug

2011-01-24 Thread Sallee, Stephen (Jake)
@all:
Firstly, thank all of you who assisted me in trying to get a public cert 
working; regrettably, since Microsoft apparently lost all intelligence in 
dealing with 802.1x wireless authentication, it looks as though I will be using 
a private cert.

That being said, I have generated the new private cert using the bootstrap 
script (I did, of course, change the parameters to suit my needs) and I now 
have my shiny new private cert...however, after I import the new cert into my 
clients I am still getting the unknown CA error in my FR debug.  The client is 
obstinately silent, which makes me want to smash it with a hammer, but that is 
beside the point.

What cert should I import into the client, and in what cert store location 
should I put it?  The clients are Windows based BTW (usually Win 7).  THANKS for 
all your help.



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-21 Thread Sallee, Stephen (Jake)
>http://www.lawn.gatech.edu/help/gtwpa

HOLY CRAP! I looked at your documentation (very well done BTW) but NONE of my 
Win 7 stations have ever shown me the accept certificate prompt! NONE!  
Please, please tell me how you got it to do that!  I have been searching for 
exactly that.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of John Douglass
Sent: Friday, January 21, 2011 8:45 AM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

I have built some WPA configuration guides as well as some troubleshooting 
documentation on our build out at:

http://www.lawn.gatech.edu/help/gtwpa

There is pretty much always some form of cert acceptance for most OS.

- John Douglass, Systems Engineer

Sent from my iPad

On Jan 21, 2011, at 9:33 AM, Phil Mayers  wrote:

> On 21/01/11 14:10, Sallee, Stephen (Jake) wrote:
>> Has anyone gotten windows clients to work WITHOUT having to do any 
>> manual config on the clients?
>> 
> 
> Windows XP with PEAP/MS-CHAPv2 always requires some manual config; 
> specifically you need to select PEAP, de-select "automatically use my windows 
> logon name" and (if using a cert from a non-installed CA) install the CA cert.
> 
> Windows 7 (and I think Vista) default to PEAP/MS-CHAPv2 so you can just click 
> on the SSID and type your username/password, then "accept" the CA cert.
> 
> Sadly this wasn't backported into windows XP SP3 IIRC.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-21 Thread Sallee, Stephen (Jake)
Has anyone gotten Windows clients to work WITHOUT having to do any manual 
config on the clients?

Is it even possible?

Also, I have my shiny new publicly signed cert from Comodo but my clients are 
still rejecting the connection ... I think the error is here:

[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.

But I don't know why I would be getting a read error; the certs that I 
installed have the same permissions as the test certs...

Here is the full debug, any help is appreciated:

FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 
2010 at 09:20:29
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/UMHB
including configuration file /usr/local/etc/raddb/sites-available/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/Cru
including configuration file /usr/local/etc/raddb/sites-available/default
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
al

RE: Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-20 Thread Sallee, Stephen (Jake)
>We sign our RADIUS cert with a public CA for the same reason as you.

>You will need to make sure that the Certificate Authority that you have sign 
>your CSR adds the extensions.
>The extensions that need to be added are in the file xpextensions in the certs 
>directory of your FreeRadius installation.

>Here they are.

THANKS!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Johnson, Neil M
Sent: Thursday, January 20, 2011 1:09 PM
To: FreeRadius users mailing list
Subject: RE: Generating a Microsoft compatible CSR for FreeRADIUS

We sign our RADIUS cert with a public CA for the same reason as you.

You will need to make sure that the Certificate Authority that you have sign 
your CSR adds the extensions.
The extensions that need to be added are in the file xpextensions in the certs 
directory of your FreeRadius installation.

Here they are.

#
#  File containing the OID's required for Windows.
#
#  http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-john...@uiowa.edu

From: freeradius-users-bounces+neil-johnson=uiowa@lists.freeradius.org 
[mailto:freeradius-users-bounces+neil-johnson=uiowa@lists.freeradius.org] 
On Behalf Of Sallee, Stephen (Jake)
Sent: Thursday, January 20, 2011 12:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Generating a Microsoft compatible CSR for FreeRADIUS

I need help generating a Microsoft compatible CSR for my FR server that I can 
get signed by a public CA.

The documentation mentions special OID's that need to be present for MS 
machines to accept the cert, but I can't find WHAT those OID's are so I can 
make sure I include them in the CSR.

I know the docs also say that it is not best practice to use a publicly signed 
cert because ANYONE can auth against the server; however, since I am in a 
position where almost all of the computers will NOT be managed by our staff 
(they are student workstations), a public cert seems perfect.

If anyone has another route that will allow me to auth windows clients without 
having to manually install certs and/or manually configuring the wireless 
adapters I would be very grateful to hear your suggestions.

THANKS!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
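As an added example (not from this thread or from the FreeRADIUS project), the POSIX shell script below builds a CSR with the xpserver_ext section quoted above, self-signs it in place of the public CA, and then checks whether the issued certificate actually carries the serverAuth EKU that Windows clients require; the scratch directory, the CN radius.example.edu and the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example (not from the list post or FreeRADIUS): build a CSR carrying
# the xpserver_ext section from xpextensions, self-sign it in place of the
# public CA, and check that the issued certificate really has the serverAuth
# EKU (1.3.6.1.5.5.7.3.1). Requires the openssl CLI.
set -eu

WORK="${TMPDIR:-/tmp}/xpeku-demo.$$"   # constructed scratch directory
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config. [xpserver_ext] is copied from xpextensions;
# the [req] sections and the CN are assumptions for this demo.
cat > "$WORK/xp.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = radius.example.edu

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# make_cert OUT MODE: write a self-signed certificate to OUT.
# MODE "xp" applies the xpserver_ext section at signing time, which is what
# the CA has to do for Windows; MODE "plain" signs the CSR without any
# extensions, which is what a CA that ignores the request produces.
make_cert() {
  out=$1; mode=$2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/req.csr" -config "$WORK/xp.cnf" >/dev/null 2>&1
  if [ "$mode" = xp ]; then
    openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" \
      -days 365 -extfile "$WORK/xp.cnf" -extensions xpserver_ext \
      -out "$out" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" \
      -days 365 -out "$out" >/dev/null 2>&1
  fi
}

# has_server_auth_eku CERT: succeed (exit 0) only if the certificate's
# Extended Key Usage lists TLS Web Server Authentication. Run this against
# the cert the public CA returns before loading it into eap.conf.
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# Demo: one cert signed with the extension, one without.
make_cert "$WORK/with-eku.pem" xp
make_cert "$WORK/no-eku.pem" plain
for c in with-eku no-eku; do
  if has_server_auth_eku "$WORK/$c.pem"; then
    echo "$c.pem: serverAuth EKU present"
  else
    echo "$c.pem: serverAuth EKU missing, Windows supplicants will not accept it"
  fi
done
```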

RE: Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-20 Thread Sallee, Stephen (Jake)
> To clarify, they can pretend to be a valid server, because *anyone* signed by 
> Verisign is a valid server.

> To go one step further, they can have verisign sign a CA, and then use that 
> CA to create *any* certificate they want, including one which pretends to be 
> your server.  Most users won't bother reading the entire certificate chain.
> They'll just see "mit.edu" (or whatever) and click "OK".

Ahh , I see what you mean.  Thank you for the clarification.  The masses of 
undereducated and/or apathetic users out there are the biggest challenges 
facing IT pros.

Thanks again.


Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, January 20, 2011 1:48 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) wrote:
> Hmmm. I hadn't thought of that attack vector, kind of like a 
> man-in-the-middle attack, but isn't that what the private key is for, to 
> prevent just that?

  To clarify, they can pretend to be a valid server, because *anyone* signed by 
Verisign is a valid server.

  To go one step further, they can have verisign sign a CA, and then use that 
CA to create *any* certificate they want, including one which pretends to be 
your server.  Most users won't bother reading the entire certificate chain.  
They'll just see "mit.edu" (or whatever) and click "OK".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-20 Thread Sallee, Stephen (Jake)
>> I know the docs also say that it is not best practices to use a 
>> publicly signed cert because ANYONE can auth against the server, 
>> however since I am in a position where almost all of the computers 
>> will NOT be managed by our staff (they are student workstations)  a public 
>> cert seems perfect.

> It's not a good idea because anyone can pretend to be the server, too.

Hmmm. I hadn't thought of that attack vector, kind of like a man-in-the-middle 
attack, but isn't that what the private key is for, to prevent just that?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Thursday, January 20, 2011 1:13 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) wrote:
> The documentation mentions special OID’s that need to be present for 
> MS machines to accept the cert, but I can’t find WHAT those OID’s are 
> so I can make sure I include them in the CSR.

  See the files in raddb/certs, or read eap.conf.  It's all there.

> I know the docs also say that it is not best practices to use a 
> publicly signed cert because ANYONE can auth against the server, 
> however since I am in a position where almost all of the computers 
> will NOT be managed by our staff (they are student workstations)  a public 
> cert seems perfect.

  It's not a good idea because anyone can pretend to be the server, too.

> If anyone has another route that will allow me to auth windows clients 
> without having to manually install certs and/or manually configuring 
> the wireless adapters I would be very grateful to hear your suggestions.

  Not much.  Blame Microsoft for not making it easy.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-20 Thread Sallee, Stephen (Jake)
I need help generating a Microsoft compatible CSR for my FR server that I can 
get signed by a public CA.

The documentation mentions special OID's that need to be present for MS 
machines to accept the cert, but I can't find WHAT those OID's are so I can 
make sure I include them in the CSR.

I know the docs also say that it is not best practice to use a publicly signed 
cert because ANYONE can auth against the server; however, since I am in a 
position where almost all of the computers will NOT be managed by our staff 
(they are student workstations), a public cert seems perfect.

If anyone has another route that will allow me to auth windows clients without 
having to manually install certs and/or manually configuring the wireless 
adapters I would be very grateful to hear your suggestions.

THANKS!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Issue with local authentication of MS-ChapV2

2011-01-19 Thread Sallee, Stephen (Jake)
Glad to hear you solved it. Care to share so we can all benefit?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Hanavan, John (John)
Sent: Wednesday, January 19, 2011 6:18 PM
To: 'FreeRadius users mailing list'
Subject: RE: Issue with local authentication of MS-ChapV2

Hi All,

We solved the issue in house.

Regards,
John

-Original Message-
From: freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org 
[mailto:freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org] On 
Behalf Of Hanavan, John (John)
Sent: Wednesday, January 19, 2011 3:56 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Issue with local authentication of MS-ChapV2

I am trying to get PEAP/MS-ChapV2 working on my Radius Server.  The version I 
am using is FreeRadius 2.1.8.  I already have EAP-TLS working between a 
FreeRadius Server and an XP supplicant, so I am pretty sure that my 
certificates are configured correctly on the FreeRadius Server as well as the 
XP supplicant that I am trying to configure PEAP/MS-ChapV2 on.  I have attached 
the FreeRadius debug log from one of my attempted connections.  It appears that 
the EAP-TLS tunnel comes up but the MS-ChapV2 authentication fails.  I did see 
this warning:

Warning:  Found 2 auth-types on request for user 'jsmith1'

But I am uncertain what it means and how to correct it.  As stated earlier, I 
am trying to use local authentication for the MS-ChapV2 and this seems to be 
the point of failure.  I have a packet capture between the Radius Server and 
the authenticator showing Radius Access Challenges and Requests but no Access 
Accepts.  Not sure what I have mis-configured, so any suggestions would be 
greatly appreciated.

Regards,
John

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FreeRADIUS - no service!

2010-12-15 Thread Sallee, Stephen (Jake)
To be fair, the fact that he is able to get along running such an ancient 
release of FreeRADIUS is a testament to the quality of the software...however, 
it is dangerous to run antiquated versions of well-known software; the security 
implications are horrendous.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Alan Buxey
Sent: Wednesday, December 15, 2010 11:37 AM
To: achursi...@gmail.com; freeradius-users@lists.freeradius.org
Subject: Re: FreeRADIUS - no service!

1.1.0 ? And this is your ONLY problem?


At least upgrade to 1.1.8 - but if you want my help you'll need to be running 
the current release 2.1.x train


Alan

- Reply message -
From: "Александр Чурсин" 
Date: Wed, Dec 15, 2010 14:29
Subject: FreeRADIUS - no service!
To: "freeradius-users@lists.freeradius.org" 

Ok, thanks for the explanation.
The RADIUS version is 1.1.0

In the accounting section of the radiusd.conf we have:

accounting {
#	detail
#	acct_unique

	#
	# Vladikavkaz   OSE

	Acct-Type OSE {
		acct_unique
		group {
			sqlacct {
				fail = 1
#				ok = return
			}
			OSE {
				fail = 1
				ok = return
			}
		}
#		sql_log
	}

	#

and so on analogous to these constructions with  as a delimiter ...


So, no "sql" mentioned... I'm sorry, but it's unclear to me where to
put the wrapper.

Alexander
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FAQ and Wiki down?

2010-10-29 Thread Sallee, Stephen (Jake)
I feel your pain, we have the same thing happen from time to time.
Check with your ISP; when it happens to us it is usually their DNS
server caching an old entry or a bad statement in one of their routers.
Good luck!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of David Jea
Sent: Friday, October 29, 2010 9:51 AM
To: Mark Holmes
Cc: FreeRadius users mailing list
Subject: Re: FAQ and Wiki down?

 

Thanks all. It is my end's problem.
My home computer & network work fine,
but my company's network somehow cannot find wiki.freeradius.org.
Still puzzled to me, but out of scope of this mailing list.

Thanks,
David





On Fri, Oct 29, 2010 at 7:43 AM, Mark Holmes wrote:

Works for me also


-Original Message-
From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org] On Behalf Of Marinko Tarlac
Sent: 29 October 2010 15:40
To: dcjea...@gmail.com; FreeRadius users mailing list
Subject: Re: FAQ and Wiki down?

Works fine for me...

On 10/29/2010 4:33 PM, David Jea wrote:
> Hi,
>
> For the past two days, I can't reach these 2 tabs: FAQ and Wiki. All
> the others are good.
>
> http://wiki.freeradius.org/index.php/FAQ
> http://wiki.freeradius.org/
>
> I thought it was my issue, but my internet is good, no proxy, tried
> with IE and Firefox, it does seem to me that wiki site is down.
> Thought I should report it.
>
> Thanks,
> David
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Problems getting a linux server to join an AD domain

2010-10-28 Thread Sallee, Stephen (Jake)
I have to ask ... but what is your server's name?  The error is saying
that the name is incompatible with AD. Do you have any special
characters, any spaces, or any other weirdness in your server's name?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Rowley, Mathew
Sent: Thursday, October 28, 2010 1:33 PM
To: freeradius-users@lists.freeradius.org
Subject: Problems getting a linux server to join an AD domain

In an attempt to integrate Radius with AD, following the tutorial
(http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO)
I have set up an AD server in our lab, and am having trouble adding my
linux box to the domain. Can anyone see what I'm doing wrong? The error I
keep getting is:

$ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
[sudo] password for wuntee:
Enter Administrator's password:
[2010/10/28 12:23:36.656829,  0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
  Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME

Unable to join domain SECLAB.


Kerberos seems to work fine:

$ kinit mrowle000
Password for mrowle...@seclab.security.lab.net:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mrowle...@seclab.security.lab.net

Valid starting     Expires            Service principal
10/28/10 12:27:29  10/28/10 22:27:23  krbtgt/seclab.security.lab@seclab.security.lab.net
	renew until 10/29/10 12:27:29


CONFIGS:

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 kdc = SYSLOG:INFO:AUTH
 admin_server = FILE:/var/log/kadmind.log
 admin_server = SYSLOG:INFO:AUTH

[libdefaults]
 default_realm = SECLAB.SECURITY.LAB.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[realms]
 SECLAB.SECURITY.LAB.NET = {
  kdc = seclab.security.lab.net:88
  default_domain = seclab.security.lab.net
 }

[domain_realm]
 .seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
 seclab.security.lab.net = SECLAB.SECURITY.LAB.NET


Samba.conf
[global]
   workgroup = SECLAB.SECURITY.LAB.NET
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no
   password server = seclab.security.lab.net //your AD-server
   realm = SECLAB.SECURITY.LAB.NET //your real
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

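Before chasing the Kerberos side of a failed join, two things in the posted smb.conf are worth checking mechanically: Samba only treats lines that begin with "#" or ";" as comments, so "password server = seclab.security.lab.net //your AD-server" and "realm = ... //your real" carry the trailing text as part of the value, and with "security = ads" the "workgroup" parameter is the short NetBIOS domain name (the name given to "net join -w", SECLAB here), not the DNS realm. The linter below is an added example written for this archive, not Samba code; its sample config is adapted from the [global] section above, and its checks are general rules for ADS member setups, not a diagnosis of this specific NT_STATUS_INVALID_COMPUTER_NAME.

```python
"""Sanity checks for an smb.conf meant for a 'security = ads' domain join.
Added example for this archive, not Samba code."""
import re

# Constructed from the posted [global] section; the "//..." tails are kept
# on purpose because Samba does not strip them.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SECLAB.SECURITY.LAB.NET
   security = ads
   encrypt passwords = true
   password server = seclab.security.lab.net //your AD-server
   realm = SECLAB.SECURITY.LAB.NET //your real
   winbind use default domain = no
[homes]
   comment = Home Directories
"""

_SECTION = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: {section: {parameter: raw value}}.
    Only lines that start with '#' or ';' are comments, as in Samba, so
    everything after '=' (including a '//...' tail) is part of the value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][key.strip().lower()] = value.strip()
    return conf


def lint_ads_global(conf: dict) -> list:
    """Findings that commonly break 'net ads join' or winbind afterwards."""
    g = conf.get("global", {})
    findings = []
    for key, value in sorted(g.items()):
        if "//" in value or " #" in value or " ;" in value:
            findings.append(f"{key}: trailing text is not a comment; Samba will use the value {value!r}")
    workgroup = g.get("workgroup", "")
    if "." in workgroup or not 1 <= len(workgroup) <= 15:
        findings.append(f"workgroup: {workgroup!r} is not a NetBIOS domain name (1-15 chars, no dots); "
                        "use the short domain name, the realm goes in 'realm'")
    if g.get("security", "").lower() == "ads":
        realm = g.get("realm", "")
        if not realm:
            findings.append("realm: must be set when security = ads")
        elif realm.split()[0] != realm.split()[0].upper():
            findings.append(f"realm: {realm!r} should be the upper-case Kerberos realm")
    return findings


if __name__ == "__main__":
    for finding in lint_ads_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Against the sample it reports three findings (the two "//" values and the dotted workgroup); a [global] with "workgroup = SECLAB", "security = ads" and "realm = SECLAB.SECURITY.LAB.NET" comes back clean.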


RE: Authenticating agains AD issues

2010-10-28 Thread Sallee, Stephen (Jake)
Did you enable the "WITH NT DOMAIN HACK" in your MSCHAP module?

 

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Johnson, Neil M
Sent: Thursday, October 28, 2010 9:48 AM
To: freeradius-users@lists.freeradius.org
Subject: Authenticating agains AD issues

I've been following the recipe on the "Deploying RADIUS" web site, but I have been unable to get an iPhone or laptop to authenticate to wireless.

It appears from the log that ntlm_auth is behaving correctly but the challenge continues.

I'm running 2.1.9 on Fedora 12 using the demonstration certificates.

Here is the last part of the log file:

Thanks in advance.

-Neil


[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
[mschap]  expand: %{Stripped-User-Name} -> 
[mschap]  ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]  expand: %{User-Name:-None} -> IOWA\nmjoo
[mschap]  expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
[mschap]  mschap2: 5e
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=13fe382b60e3bba9
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=24bf15cdc812e5f7fb9723f21143bb775b24a1914870caf0
Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338
Message-Authenticator = 0x
State = 0x9b59f55f9a53ef43871eb82ef0802a05
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00331a0309002e533d36463744463330464436383432423542423738463736454339423230454534453639434431463338
Message-Authenticator = 0x
State = 0x9b59f55f9a53ef43871eb82ef0802a05
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 112 to 128.255.11.74 port 32768
EAP-Message = 0x010a005b19001703010050f59dec82774ce4b8dc5bb542e29881b2cb321a7136c39e4f1a498708fa2515da475f29ec726bd310dd96ab7ae6de4a85f079285567b375a7fa02d137f9d0d2adcf75dc887c91c50a41e041c13b370882
Message-Authenticator = 0x
State = 0xa489d972ac83c05d8d6d2302f3fa3977
Finished request 17.
Going to the next request
Waking up in 3.2 seconds.
Cleaning up request 0 ID 95 with timestamp +9
Cleaning up request 1 ID 96 with timestamp +9
Cleaning up request 2 ID 97 with timestamp +9
Cleaning up request 3 ID 98 with timestamp +9
Cleaning up request 4 ID 99 with timestamp +9
Cleaning up request 5 ID 100 with timestamp +9
Cleaning up request 6 ID 101 with timestamp +9
Cleaning up request 7 ID 102 with timestamp +9
Cleaning up request 8 ID 103 with timestamp +9
Waking up in 1.0 seconds.
Cleaning up request 9 ID 104 with timestamp +10
Cleaning up request 10 ID 105 with timestamp +10
Cleaning up request 11 ID 106 with timestamp +10
Cleaning up request 12 ID 107 with timestamp +10
Cleaning up request 13 ID 108 with timestamp +10
Cleaning up request 14 ID 109 with timestamp +10
Cleaning up request 15 ID 110 with timestamp +10
Cleaning up request 16 ID 111 with timestamp +10
Cleaning up request 17 ID 112 with timestamp +10
Ready to process requests.

 

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu


RE: LDAP authentication failed

2010-10-22 Thread Sallee, Stephen (Jake)
2 things:

1) Near the bottom of the debug output there is a line that says you
are passing the username as domain\user, and it asks if you have enabled
the "with NT domain hack" option. Check your mschap module config to
see if this is enabled; it is commented out by default. You can check
the complete debug output that includes the server initializing and you
can see it there IF it is enabled.

2) I gave up on PEAP/MSCHAPv2 on Linux; EAP-TTLS works great for me with
no other config tweaks after I got the Windows clients working! If
there is not a super important requirement to use the same authorization
on both platforms you could do the same, just an idea.



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of snowman5840
Sent: Friday, October 22, 2010 11:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP authentication failed


OK, I found my problem. I had forgotten to add my domain to
proxy.conf; after I did this the LDAP search works fine.

But now I have one more problem, with authentication. I want to use
PEAP with MSCHAP to support both Windows and Linux systems. But
authentication fails. I don't know what I have to configure or where
the problem is. I would be very happy about some hints.

I'm sorry about the very long debug output

rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=86,
length=149
NAS-IP-Address = 192.168.0.2
NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = "FIRMA1\\usera"
Called-Station-Id = "00-15-F9-D8-7C-C6"
Calling-Station-Id = "00-1A-4B-63-69-0B"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e554175bfc9edc831547521be2ad
EAP-Message = 0x020300061900
Message-Authenticator = 0xfb650903c7207e001d0385d8a036
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/192.168.0.2/auth-detail-20101022
[auth_log]  expand: %t -> Fri Oct 22 18:32:40 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] Looking up realm "FIRMA1" for User-Name = "FIRMA1\usera"
[ntdomain] Found realm "FIRMA1"
[ntdomain] Adding Stripped-User-Name = "usera"
[ntdomain] Adding Realm = "FIRMA1"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 86 to 192.168.0.2 port 1812
EAP-Message =
0x0104003619000f0b409c6f7dd2e83b8a1ad34c1b43c61b5cfa499e7822f081073040ea
4c9280acd2686fd194f216030100040e00
Message-Authenticator = 0x
State = 0x1558e554165cfc9edc831547521be2ad
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.2 port 1812, id=87,
length=465
NAS-IP-Address = 192.168.0.2
NAS-Port = 50006
NAS-Port-Type = Ethernet
User-Name = "FIRMA1\\usera"
Called-Station-Id = "00-15-F9-D8-7C-C6"
Calling-Station-Id = "00-1A-4B-63-69-0B"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1558e554165cfc9edc831547521be2ad
EAP-Message =
0x0204014019800136160301010611020100626313e9c274f169e9ed94821e91
d59e61578ab381c0e35788422b88b6e12b77d9551a970514289baaaf9c2ec3edb8ae126c
1c5b5f29d7883997fee2eee9f55a635005cb534cf7c708f0a0ec98dbda376e88b67de461
6926d9aa586737b2536998fad9c4648c8ce1e3b704415c4031063fc103bf0ddd1159d8b8
ef2c5c41332aca99428569333c19f8d539b1a01f232cdf9023030176aef9c9bcea758844
7853febc8b340da21d9b5af78d2d8b5b3acc0779e9f8d970f93471273749a0653a7e6611
ee11bfcabb019b34e3f54f5e1b693d89fe471eab29d8027641dfed05bfeeeca249fd3561
371c
EAP-Message =
0xa736d666ebba66d8c0a368d306e0af12f71b43504cad85a61403010001011603010020
4c903a9993c942b403d46902c7564ea7f66787ca59a02e46fc08946a84aa509d
Message-Authenticator = 0x67bf63ab1ed1abebb8161ae463114461
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/192.16

RE: {Spam?} Re: Freeradius 1.2.3 and Windows 7

2010-10-20 Thread Sallee, Stephen (Jake)
It may be just me, but when they told you to upgrade they probably meant
to the latest 2.X release.

Is there a specific reason that you need to stay on a 1.X release?   I
only ask because you may be needlessly complicating your life by using
ancient software.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Krzysztof Srokowski
Sent: Wednesday, October 20, 2010 9:16 AM
To: 'FreeRadius users mailing list'
Subject: RE: {Spam?} Re: Freeradius 1.2.3 and Windows 7

OK, I made an upgrade, but when I test it without certificate
verification Windows 7 is not asking me for user and password, but sends
"host/name_of_the_host". I unchecked, in the connection properties, the
option to use the same login and password as I log in to the machine with.

-Original Message-
From: freeradius-users-bounces+k.srokowski=gdansk.gda...@lists.freeradius.org [mailto:freeradius-users-bounces+k.srokowski=gdansk.gda...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, October 20, 2010 9:03 AM
To: FreeRadius users mailing list
Subject: {Spam?} Re: Freeradius 1.2.3 and Windows 7

Krzysztof Srokowski wrote:
> I`m sorry, I`m using pfSense release 1.2.3, with freeradius package
1.1.2_1 (latest)

  Uh... upgrade.  1.1.2 is *very* old.  It's very likely that it won't
work with recent versions of Windows.  Fixes to work around Windows
"issues" went into later versions of the server, and aren't in 1.1.2.

> Below I describe my configuration;
> 
> 1. pfSense with freeradius 1.1.2_1
> 2. Access Point Linksys WRT54G
> 3. Clients Windows XP SP3 and Windows 7
> 
> My goal was to create WiFi access with WPA2 (AES) + EAP-PEAP(MSCHAPv2).
> For tests I generated a server certificate from my own CA. Both
> certificates, the CA certificate and the server certificate, were
> transferred to the freeradius server and configured in the eap.conf file
> in the tls section. I also made the other configurations to use the PEAP
> protocol and MSCHAPv2.
>
> The second step was the clients. My root CA certificate was installed
> into the certificate repo in the system. I checked all required options
> in the connection properties (use WPA2 with AES, PEAP, verify server
> certificate also with the root CA certificate which was imported before).
> When I try to connect from the XP client everything is fine, the client
> is authorized and the connection works without problem. But from the
> Windows 7 client it's not. Same configuration, same settings, and I get
> this error in radius.log:
> 
> " Tue Oct 19 13:01:06 2010 : Error: TLS Alert read:fatal:unknown CA
> Tue Oct 19 13:01:06 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Tue Oct 19 13:01:06 2010 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
> Tue Oct 19 13:01:06 2010 : Auth: Login incorrect: [host/um4910142413/] (from client WRT54G port 35 cli 000e2e950bbd) "

Those error messages are pretty definitive.

  In any case, I wouldn't bother trying to track down the problem.
Install 2.1.10, and then follow the EAP / Windows instructions on my web
site: http://deployingradius.com

  Alan DeKok.


RE: MS-CHAP failing?

2010-10-12 Thread Sallee, Stephen (Jake)
Just checking, but you did see the problem in the following line of config,
right?

> exec ntlm_auth {
>   wait = yes
>   program = ***"/PATH/TO/NTLM_AUTH*** --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
> }

I understand if you left it out on purpose, but this code WILL NOT work
in production ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Mark Holmes
Sent: Tuesday, October 12, 2010 8:47 AM
To: FreeRadius users mailing list
Subject: MS-CHAP failing?

OK, getting somewhere, but still won't let me connect.  I can't see in
the debug output why it fails.

I'm trying to authenticate against AD, using PEAP-MSCHAPv2

I have checked ntlm_auth is working by

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser
--password=password

and I get (NT_STATUS_OK)

my /modules/ntlm_auth looks like this:-

exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}"
}


and modules/mschap looks like this

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-NUFFIELDCOLLEGE}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response$
}


In the debug output I can see this - should authentication realm = LOCAL
as below?

[suffix] Looking up realm "mydomain.ox.ac.uk" for User-Name =
"testu...@mydomain.ox.ac.uk"
[suffix] Found realm "mydomain.ox.ac.uk"
[suffix] Adding Stripped-User-Name = "testuser"
[suffix] Adding Realm = "mydomain.ox.ac.uk"
[suffix] Authentication realm is LOCAL.


When I paste the debug into the checker it highlights this:-

[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.

But not sure I need to worry about that as I'm not doing PAP

Can't see anything else in there indicating a problem, but when I try to
connect a device (my iPhone) it just returns a 'cannot connect to'
message

What am I missing?  No doubt something obvious


Debug output


FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/expr
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb

RE: EAP-MSCHAP-V2 - [mschap] FAILED: No NT/LM-Password. Cannot performauthentication.

2010-10-04 Thread Sallee, Stephen (Jake)
Your request is correctly being redirected to your inner tunnel; did you
enable MSCHAP in the inner tunnel? Also, there seems to be an issue
with how your realms are set up (if they are at all).

Try setting up your realms and logging in using the username@domain
convention, and make sure your mschap module is enabled in your inner-tunnel
server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of bmano
Sent: Monday, October 04, 2010 11:57 PM
To: freeradius-users@lists.freeradius.org
Subject: EAP-MSCHAP-V2 - [mschap] FAILED: No NT/LM-Password. Cannot
performauthentication.


Hello,

I am trying to implement EAP-TTLS and MSCHAP(v2).
I have tried all the forums for solutions.

I am getting the following error.

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect


below is the Radius information:

FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan  5 2010 at 02:49:11
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
allow_core_dumps = yes
}
including dictionary file /etc/freeradius/dictionary

RE: sending accounting for two home servers

2010-09-24 Thread Sallee, Stephen (Jake)
SORRY! I misread your message!

Accounting packets may be different, I was thinking authentication.  My 
apologies.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Evgeniy Kozhuhovskiy
Sent: Friday, September 24, 2010 9:19 AM
To: FreeRadius users mailing list
Subject: sending accounting for two home servers

Is it possible to send accounting packets to two home servers?

In fact, one server is real auth+acct server, and another server is a web 
filter that applies rules according information at start packets.


-- 
Best regards, Evgeniy Kozhuhovskiy
Head of the Service Platforms Group
IT Department, CITS MGTS, RUE Beltelecom
+375-29-3998175
+375-29-7561625
+375-17-3060026



RE: sending accounting for two home servers

2010-09-24 Thread Sallee, Stephen (Jake)
I don't think that is possible, most of the time you would want to either tie 
the RADIUS server into your web filter or the web filter into your RADIUS, not 
send to both independently.  The security risks in doing such a thing are just 
too much.

Just My $.02

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Evgeniy Kozhuhovskiy
Sent: Friday, September 24, 2010 9:19 AM
To: FreeRadius users mailing list
Subject: sending accounting for two home servers

Is it possible to send accounting packets to two home servers?

In fact, one server is real auth+acct server, and another server is a web 
filter that applies rules according information at start packets.


-- 
Best regards, Evgeniy Kozhuhovskiy
Head of the Service Platforms Group
IT Department, CITS MGTS, RUE Beltelecom
+375-29-3998175
+375-29-7561625
+375-17-3060026



RE: 2.1.10 upgrade question

2010-09-22 Thread Sallee, Stephen (Jake)
>  Recompile && install.  It will *not* break anything in your existing
configuration.

Awesome! Now if only Cisco and MS took the same approach to their
software my life would be SO much simpler!  Thanks for the info.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, September 22, 2010 9:29 AM
To: FreeRadius users mailing list
Subject: Re: 2.1.10 upgrade question

Sallee, Stephen (Jake) wrote:
> My current FreeRADIUS server I have is compiled from source, when
> 2.1.10 comes out can I simply recompile and go or do I need to rip out
> the old version first?

  Recompile && install.  It will *not* break anything in your existing
configuration.

  Alan DeKok.


2.1.10 upgrade question

2010-09-22 Thread Sallee, Stephen (Jake)
With the (hopefully) impending release of 2.1.10 I thought to ask:

 

My current FreeRADIUS server I have is compiled from source, when 2.1.10
comes out can I simply recompile and go or do I need to rip out the old
version first?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


RE: which samba version / patch for Active Directory 2008

2010-09-20 Thread Sallee, Stephen (Jake)
Have you tried disjoining and rejoining  the domain after the upgrade?
It sounds crazy but I have seen similar problems fixed this way.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Neil Prockter
Sent: Monday, September 20, 2010 11:29 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: which samba version / patch for Active Directory 2008

Hello,

Well things have taken a turn for the worse.  At the weekend we upgraded
the last AD Domain controller to 2008r2 (still in AD2003 mode) and the
radius servers instantly stopped working with "named pipe disconnected"
and now "ntlm --username" and "wbinfo -a" no longer work.

I have a samba 3.4 install which 'works' from the "ntlm --username" and
"wbinfo -a" point of view but which, I strongly suspect, returns
incorrect NT_KEYs. (the reason I suspect this is that the previous
servers always returned the same value and that value matches the output
of the python script attached to
https://bugzilla.samba.org/show_bug.cgi?id=6563)

I've spent the best part of the day banging my head on the wall, so I
thought I'd ask here.

Would the KEY changing every few minutes be expected? (under
samba3.0/ad2003 it remained the same)  By key I mean the output of
"/usr/local/samba/bin/ntlm_auth --request-nt-key --username=bob
--challenge=deadshortbeef --nt-response=deadlongerbeef"

If no one has seen things like this I'll move over to the samba lists,
getting the feeling this issue belongs there.

Thanks all,

Neil

Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.lse.ac.uk/collections/planningAndCorporatePolicy/legalandComplianceTeam/legal/disclaimer.htm


RE: Ignoring EAP-Type/tls because we do not have OpenSSL support.

2010-09-10 Thread Sallee, Stephen (Jake)
I switched to CentOS for my FR server because my Ubuntu install was
being too picky. I was able to get it to work, but I had to compile
OpenSSL from source, then the libs are in different places, etc. It was
a headache. CentOS was much easier for me; if you're not forced to use
Debian you may consider it.

Just my $.02.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of John Dennis
Sent: Friday, September 10, 2010 1:57 PM
To: FreeRadius users mailing list
Cc: Douglas Caro
Subject: Re: Ignoring EAP-Type/tls because we do not have OpenSSL
support.

On 09/10/2010 02:49 PM, Douglas Caro wrote:
> Hi,
>
> In #freeradius -X, I have those messages:
>
> Ignoring EAP-Type/tls because we do not have OpenSSL support.
> Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> Ignoring EAP-Type/peap because we do not have OpenSSL support.
>
> I've researched on the subject, but I didn't find anything.
>
> Linux Debian Lenny
> Freeradius 2.0.4

It means it wasn't built with OpenSSL support. That used to be the case
due to licensing issues, but the new deb packages include it. Try to use
a new package. I'm not a deb guy so I can't tell you where to find the
newer deb packages, but it's been discussed on this list previously;
search the archives.

-- 
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


RE: windows7 machine authentication

2010-08-24 Thread Sallee, Stephen (Jake)
> I don't use certificates, neither on the server nor on the client side.
> I read on the internet that Windows 7 should also work without
> certificates - is that true?

Strictly speaking this is actually true. However! You need to understand
what is happening:

1) Win7 will not connect to a wireless network that is secured with a
certificate enabled protocol without some prior configuration, period.
This means that if you set up an AP using 802.1x with FreeRADIUS
(or any server) as your AAA server, your Windows 7 (and Vista AFAIK) WILL
NOT authenticate successfully unless you specifically configure the
client to do so.  Gone are the days of click-through protected WiFi
setups in Windows.
I have purchased a cert from Thawte hoping that my clients will
trust it and allow the connection without manually touching each machine,
but alas, no.

2) Once correctly configured (depending on the auth protocol you are
using) the client will accept the server's cert (the reason the auth is
failing now) and send back its own cert for the server to inspect (if
needed by the protocol).

So, you ARE using certs. Did you install them? No.  Is that a problem?
Yes.  When working with certs you should ALWAYS know them inside and
out; they are your digital identity, and they do incur some legal
implications.

If you need assistance configuring the windows clients to accept the
cert the server is sending, meet me on the IRC channel.  That is really
not a discussion for the list. ; )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of alois blasbichler
Sent: Tuesday, August 24, 2010 9:20 AM
To: freeradius-users@lists.freeradius.org
Subject: windows7 machine authentication

Hello list

We have used FreeRADIUS with OpenLDAP and machine authentication
(Samba PCs) for years with success.
Windows XP and Vista clients work fine.
Now I wanted to authenticate a Windows 7 laptop and I get the following
errors:

[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop


and then

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
 TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4


I don't use certificates, neither on the server nor on the client side.
I read on the internet that also Windows 7 should work without
certificates - is that true?


What can be the problem?
Do you need more debug output?

Thank you and bye

luis





RE: Encountering error when using "radius -X"

2010-08-18 Thread Sallee, Stephen (Jake)
>1)Before running "radius -X" what all steps should be completed?

... www.deployingradius.com, follow the how to ... and really and I mean
REALLY read the documentation in the conf files ... all of them.  Print
them out in color ... all of them.  Spread them out all over your work
surface, make piles, arrange them in the order they will be processed
in, etc.  This is not a joke, it really helped me make sense of the
program.


>2)what should be the subdirectory structure for freeradius and where it
should be formed in the directory structure?

... assuming you didn't change anything in the compilation command, then
on CentOS it was in /usr/local/etc/raddb when I installed from source;
however, this is related to your third question.



>3)which sub directory should I give the "radius -X" command.
... this is really a general Linux question; if you can't find the radius
command try "locate radius" in your favorite shell, and if you haven't
rebuilt your locate DB since you installed then "man locate" will be
your best friend.

 

Alan, I hope it is ok to plug your site, I found it an invaluable tool : )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of kartik dadwal
Sent: Wednesday, August 18, 2010 3:39 PM
To: FreeRadius users mailing list
Subject: Re: Encountering error when using "radius -X"

 

Hi,

I have Ubuntu 9.10. Can you please tell me:
1) Before running "radius -X" what all steps should be completed?
2) What should be the subdirectory structure for freeradius and where it
should be formed in the directory structure?
3) Which sub directory should I give the "radius -X" command?

I guess these steps might help me nail down why I am getting this error:
radiusd: error while loading shared libraries: libfreeradius-radius-2.1.0.so: cannot open shared object file: No such file or directory
when I run "radius -X" under "/home/kartik/Downloads/freeradius-2.1.0+dfsg/".

Thank you.

On Wed, Aug 18, 2010 at 7:05 AM, Fabien COMBERNOUS wrote:

kartik dadwal wrote:

Hi,

@Fabien:
I first used the Synaptic package manager to install FreeRADIUS, as the
Synaptic package manager takes care of the dependencies. After installing
FreeRADIUS through the Synaptic package manager I could not find any of the
FreeRADIUS subdirectories.
So, I removed FreeRADIUS completely again using Synaptic.

Then I decided to download the .tar.gz file from the link that I had sent
earlier and ran:
./configure
make
make install
I just got one error for some particular package; I googled the error
and installed the "libltdl-dev" package from
http://packages.ubuntu.com/karmic/libltdl-dev
After that everything went smoothly and I did not face any error. I am sure
all dependencies were found.

Can you also tell me why I don't have "raddb" in /etc/?  It makes me
believe as if something is wrong (which might or might not be
true!!)

The /etc/raddb is the default setting. In my Debian box, radius files
are in the directory /etc/freeradius/

In general you can get the list of the files from a deb package with the
command line :
$> dpkg -L 
Here we have :
$> dpkg -L freeradius | grep etc
/etc
/etc/pam.d
/etc/pam.d/radiusd
/etc/init.d
/etc/init.d/freeradius
/etc/freeradius
/etc/freeradius/preproxy_users
/etc/freeradius/policy.conf
/etc/freeradius/sites-enabled
/etc/freeradius/clients.conf
/etc/freeradius/sqlippool.conf
/etc/freeradius/templates.conf
/etc/freeradius/attrs.accounting_response
/etc/freeradius/attrs
/etc/freeradius/certs
/etc/freeradius/hints
/etc/freeradius/experimental.conf
/etc/freeradius/users
/etc/freeradius/huntgroups
...



-- 
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com 
*Tel: +33 (0) 467 992 986*
Kezia Group




-- 
Best Regards
Kartik


RE: Suffix authentication

2010-08-10 Thread Sallee, Stephen (Jake)
I have found a working solution for my environment and wanted to share
it with the list in case it may help someone else.

In my proxy.conf file I added the following
--
realm domainName1 {
}

realm domainName2 {
}
--

That fixed my realm problem, not sure why...

We use Microsoft AD and ntlm_auth for authenticating our users through
MSCHAPv2 tunneled through a PEAP session.  I have 2 domains, one is a
child of the other; the FreeRADIUS server is joined to the parent domain
so it can authenticate users from both domains, but passing the correct
domain for the user request was a bugger! In the end what I got to work
was modifying the ntlm_auth statement at the bottom of the mschap module
to be the following:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--domain=%{outer.request:Realm}  --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

*** --domain=%{outer.request:Realm} was the key, now the realm of the
request is passed to the ntlm_auth script perfectly and the user is
authenticated like we all love them to be : )

This does seem to break the domain\username style of logging in though
... but due to time constraints this will have to do for now.

Thanks to everyone who helped out, especially Alan. Thank you.


Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 10, 2010 3:42 PM
To: FreeRadius users mailing list
Subject: Re: Suffix authentication

Sallee, Stephen (Jake) wrote:
> Quickly, my problem is users cannot log in using usern...@domain but 
> can login fine with domain\username.

 So... what is different in the debug log between the two requests?

> One person mentioned the realms module, but when I look at it the
> default conf looks fine.  The delimiter is correctly set to '@'.  I
> tried adding my domains to the realm module by copying the default
> suffix config and using my domain info but that causes FR to fail its
> sanity check.

  Because you made some random change without understanding how the
server works, or reading the documentation.

> I am using MSCHAPv2 with PEAP authentication and when the user fails
> the logon with usern...@domain the ntlm_auth program reports a bad
> password even though the same user will have no problem with
> domain\username.
>
> Also, the FR wiki says the realms file is deprecated ... so what am I
> supposed to do?

  Read proxy.conf.  It defines the realm names.  The "realms" module
just searches the User-Name in various ways (suffix, prefix, ntdomain),
and then sees if there is a matching realm.

> What would be really great would be a script I could use to determine
> the domain of the user BEFORE they reach ntlm_auth so I can
> prepopulate the command with the correct domain and just forget this
> suffix stuff : )  I think the best place for this would be in the mschap
> module but what is the language?  Would it be unlang or regular bash
> scripting?

  The default config documents how to define realms.

  Alan DeKok.

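The realm handling discussed in this thread, as an added example that is not FreeRADIUS code and not either poster's own: a small Python emulation of how the realm module splits User-Name in suffix (user@domain) and ntdomain (DOMAIN\user) form, strips the realm only when that realm is defined, and how the ntlm_auth line from the post is then filled in from Stripped-User-Name and Realm. The realm names umhb.edu and cru are taken from the earlier post in this thread. The assumption that only the suffix instance runs in authorize matches the stock 2.x default virtual server, where ntdomain is commented out, and is consistent with the domain\username breakage reported above: that form yields no Realm, so --domain expands to nothing.

```python
# Added example: emulates rlm_realm's suffix/ntdomain splitting and the
# ntlm_auth argument line from the post. Not FreeRADIUS code.

# Constructed stand-in for the realm blocks defined in proxy.conf. The
# realm module matches names case-insensitively; the spelling returned
# below is the one the user typed.
REALMS = {"umhb.edu", "cru"}


def split_user_name(user_name, realms, formats=("suffix",)):
    """Return (Stripped-User-Name, Realm) for one User-Name.

    formats: which realm instances run in authorize, in order. The stock
    2.x default site enables only "suffix"; "ntdomain" is commented out.
    A realm is stripped only when it is defined; an undefined one is left
    in place, which is the '[suffix] No such realm' noop in the debug log.
    """
    known = {r.lower() for r in realms}
    for fmt in formats:
        if fmt == "suffix" and "@" in user_name:
            user, _, realm = user_name.rpartition("@")  # last '@' wins
        elif fmt == "ntdomain" and "\\" in user_name:
            realm, _, user = user_name.partition("\\")  # first '\' wins
        else:
            continue
        if realm.lower() in known:
            return user, realm
        return user_name, None  # delimiter present but realm unknown
    return user_name, None      # no delimiter for any enabled format


def ntlm_auth_argv(user_name, realms, formats=("suffix",),
                   challenge_hex="00", nt_response_hex="00"):
    """Build the argument vector the post's mschap ntlm_auth line expands to:

      --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
      --domain=%{outer.request:Realm}

    An absent Realm expands to the empty string, as it does in unlang. The
    challenge and NT-Response default to the "-00" fallbacks of the config
    line; a real request supplies the MS-CHAP attribute values. Building a
    list rather than a shell string keeps metacharacters in a user name
    from altering the command.
    """
    stripped, realm = split_user_name(user_name, realms, formats)
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + stripped,
        "--domain=" + (realm or ""),
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]


if __name__ == "__main__":
    for name in ("alice@umhb.edu", "bob@cru", "cru\\bob", "eve@elsewhere.example"):
        print(name, "->", split_user_name(name, REALMS),
              ntlm_auth_argv(name, REALMS)[2:4])
```

Passing formats=("suffix", "ntdomain") shows what enabling the ntdomain instance as well would do: DOMAIN\user is then split like user@DOMAIN, and --domain is populated for both spellings.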


Suffix authentication

2010-08-10 Thread Sallee, Stephen (Jake)
I hope someone can help me.

I have written in about this problem before so please forgive me, but it
is still plaguing me : )

Quickly, my problem is users cannot log in using usern...@domain but can
log in fine with domain\username.

One person mentioned the realms module, but when I look at it the
default conf looks fine.  The delimiter is correctly set to '@'.  I
tried adding my domains to the realm module by copying the default
suffix config  and using my domain info but that causes FR to fail its
sanity check.

I am using MSCHAPv2 with PEAP authentication and when the user fails the
logon with usern...@domain the ntlm_auth program reports a bad password
even though the same user will have no problem with domain\username.

Also, the FR wiki says the realms file is deprecated ... so what am I
supposed to do?

What would be really great would be a script I could use to determine
the domain of the user BEFORE they reach ntlm_auth so I can prepopulate
the command with the correct domain and just forget this suffix stuff : )
I think the best place for this would be in the mschap module but
what is the language?  Would it be unlang or regular bash scripting?

Thanks for any assistance!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






RE: suffix configuration

2010-08-05 Thread Sallee, Stephen (Jake)
> Look at modules/realm
> This is how you "split" off domain\user or u...@domain.

I did look at that file before I posted, but I don't know what I could
change in it that would help me.  It looks like the only thing that is
set in that file is the delimiter.

The suffix delimiter is correct, but I still cannot get authenticated
with the usern...@domain convention.

I tried adding the following to my realms file but it does nothing

--
realm umhb.edu {
format = suffix
delimiter = "@"
}

realm cru {
format = suffix
delimiter = "@"
}
--

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Johan Meiring
Sent: Thursday, August 05, 2010 2:03 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: suffix configuration

On 2010/08/05 08:37 PM, Sallee, Stephen (Jake) wrote:
>> realms
>
> ... thank you.  Whilst I do appreciate brevity, a single monosyllabic
> response seems as though it may be a bit too brief : )
>
> Can you elaborate?  I am not asking for anyone to solve my problem for
> me but rather to be pointed in the correct direction.
>

Was hoping you had read all the files in /etc/radiusd (or
/etc/freeradius) already.

Look at modules/realm
This is how you "split" off domain\user or u...@domain.

-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




RE: suffix configuration

2010-08-05 Thread Sallee, Stephen (Jake)
> realms

... thank you.  Whilst I do appreciate brevity, a single monosyllabic
response seems as though it may be a bit too brief : )

Can you elaborate?  I am not asking for anyone to solve my problem for
me but rather to be pointed in the correct direction.

Thanks!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Johan Meiring
Sent: Thursday, August 05, 2010 1:29 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: suffix configuration

On 2010/08/05 08:17 PM, Sallee, Stephen (Jake) wrote:
> Does anyone have any input on this?  It is kind of a problem for me 
> and I could really use some help : )
>

realms

-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




RE: suffix configuration

2010-08-05 Thread Sallee, Stephen (Jake)
Does anyone have any input on this?  It is kind of a problem for me and
I could really use some help : )

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: Tuesday, August 03, 2010 3:11 PM
To: freeradius-users@lists.freeradius.org
Subject: suffix configuration

One last problem and I think I am ready for production, wohoo!

When my users try to log in with the convention usern...@domain the login
fails because I do not think I have FreeRADIUS correctly configured to
parse out the domain; however, if they log in with the convention
domain\username it works fine.

Where do I configure the behavior of suffix to act the same as prefix?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221







RADIUS Certificate question

2010-08-05 Thread Sallee, Stephen (Jake)
I am about to generate a CSR for my FreeRADIUS Server.  The vast
majority of my clients are Vista and Win 7 with a few Macs; with this in
mind would I be better off going with a 1024 bit cert or would a 2048
bit cert be better?

I know both are quite secure, but for platform interoperability and
future proofing, does anyone have any thoughts on which one is better?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






suffix configuration

2010-08-03 Thread Sallee, Stephen (Jake)
One last problem and I think I am ready for production, wohoo!

When my users try to log in with the convention usern...@domain the login
fails because I do not think I have FreeRADIUS correctly configured to
parse out the domain; however, if they log in with the convention
domain\username it works fine.

Where do I configure the behavior of suffix to act the same as prefix?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
AMAZING!  Alan and John, you guys are on my Christmas card list now!  I
had my default EAP type set to mschap and was never getting prompted to
accept the server cert. John, you mentioned the mschap vs TLS and it hit
me: set eap to TLS and VOILA, the client is prompted to accept the cert
EXACTLY as we intended.  Thanks a bundle!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221





RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
>  The various EAP methods *should* have tied usernames (i.e. domains)
> to a field in the certificate.  e.g. a cert with CN "rad...@example.com"
> should be sent logins for "u...@example.com", but NEVER sent logins
> for "u...@example.net"

How does this work out with child domains?  For example: I have two
domains 1) umhb.edu and 2) Cru.umhb.edu.  "Cru" is a child of
"umhb.edu"; if I get a single cert for FreeRADIUS.umhb.edu will it be ok
for authenticating users on both umhb.edu AND Cru.umhb.edu?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:13 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really 
>> recommended.
> 
> Why?
> 
> P.S. just to clarify, it's not "using a known root CA for RADIUS 
> authentication", rather it's using a server cert signed by a known 
> root CA.

  Sure.

  It's because *anyone* can set up an AP, and a RADIUS server that your
PC will accept.  If the AP has the same SSID as (say) your work, it will
happily send your work username && login via EAP to the rogue AP.

  The various EAP methods *should* have tied usernames (i.e. domains) to
a field in the certificate.  e.g. a cert with CN "rad...@example.com"
should be sent logins for "u...@example.com", but NEVER sent logins for
"u...@example.net"

  You should ONLY send your login credentials when you *know* who it is
on the other end of the EAP conversation.

  Alan DeKok.



RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
Alan:

Thank you for your response, I think I finally know what is going on.  I
need to get a real cert from my FreeRADIUS Server, any suggestions about
which vendor, i.e. Verisign vs Thawte vs ?

I was under the impression that the clients were sending a cert to the
server and the server was rejecting it, instead it seems that the
clients are rejecting the server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:47 AM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
> 
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 
> alert unknown ca
> 
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

  No amount of upgrading FreeRADIUS will make it work.

  This message comes because (a) the supplicant has a client certificate
issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling
FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the
> client cert.

  PEAP doesn't work like that.  If you issued client certs, then
FreeRADIUS *MUST* be configured to know about the CA.

>  I have about 2 thousand clients that are not owned by my university,
> I cannot install the server cert on all of them, the logistics are too
> much.  PLEASE HELP!

  We're trying.  We're asking you to listen to our responses.

  PEAP (or any TLS based EAP method) *cannot* do what you ask.  It's
impossible, and it was designed to be impossible by the people who
created the cryptography algorithms.

  If you want to have it work, then (a) configure FreeRADIUS to know
about the CA that issued the client cert, or (b) put the FreeRADIUS
cert/CA on a web site, for the clients to download themselves.

  I understand what you want, but please understand that there are
limitations to the protocols *independent* of FreeRADIUS.

  Alan DeKok.

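An added example, not FreeRADIUS code and not the posters' own, that reproduces the trust decision behind the unknown_ca alert with plain openssl (assumed to be installed): it builds two CAs, issues a 2048-bit server certificate from one, and shows that the certificate verifies only against the CA that issued it. That is the check a supplicant performs on the RADIUS server's certificate, and the check the Windows clients in this thread are failing because the signing CA is not in their trust store. The 2048-bit size is the larger of the two asked about earlier in this thread; 1024-bit RSA has since fallen below the minimum public CAs will sign. The CA and host names and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): a certificate issued by one CA
# verifies against that CA and fails against another, which is the
# decision behind the "unknown CA" TLS alert seen in the thread.
# All names are constructed; "openssl" is assumed to be on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate (2048-bit RSA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# issue_server_cert CA CN: server key + CSR, signed by CA. The CSR is
# what the thread's "RADIUS Certificate question" is about; the key size
# chosen here is what ends up in the certificate (see key_bits).
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against CA CERT: exit 0 when CERT chains to CA (a supplicant with
# CA in its trust store accepts the server), non-zero otherwise (the
# supplicant aborts the handshake with a fatal unknown_ca alert).
verify_against() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# key_bits CERT: RSA public key size recorded in the certificate.
key_bits() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_ca campus-ca
make_ca unrelated-ca
issue_server_cert campus-ca radius.example.org

verify_against campus-ca radius.example.org && echo "campus-ca: server cert trusted"
verify_against unrelated-ca radius.example.org || echo "unrelated-ca: unknown CA, handshake would fail"
echo "server key size: $(key_bits radius.example.org) bit"
```

The second verify is the situation Alan describes as case (b): nothing the server does can make a client trust a CA it has never been given, which is why the fix belongs on the client (distribute the CA) rather than in radiusd.conf.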


RE: windows users having trouble authenticating

2010-08-02 Thread Sallee, Stephen (Jake)
I am still getting this error in my debug output:

rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca

I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

PLEASE someone tell me how to make FreeRADIUS automatically accept the
client cert.  I have about 2 thousand clients that are not owned by my
university, I cannot install the server cert on all of them, the
logistics are too much.  PLEASE HELP!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: Monday, August 02, 2010 7:07 PM
To: FreeRadius users mailing list
Subject: RE: windows users having trouble authenticating

Thanks for the info, I have the client set up the way you suggest; in Win
7 almost everything you said was the default.  However I still get the
unknown CA problem.  Does anyone know how I can tell the FreeRADIUS
server to accept the client cert automatically?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, August 02, 2010 5:59 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

hi,

Weird output due to special characters: \t, \r, \n all did similar
things in the output (latest version has a fix for this).

Issue with Windows is to do with certs etc.  You need to configure the
supplicant to use PEAP, not to use the Windows login; if you haven't
sorted out certs, then you need to not check any RADIUS server or tick
anything... and not have the 'do not prompt for new certs' etc. unticked.
Best to put the CA that the RADIUS server was signed with onto the host
(in the trusted CA local root store).

alan




RE: windows users having trouble authenticating

2010-08-02 Thread Sallee, Stephen (Jake)
Thanks for the info, I have the client set up the way you suggest; in Win
7 almost everything you said was the default.  However I still get the
unknown CA problem.  Does anyone know how I can tell the FreeRADIUS
server to accept the client cert automatically?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, August 02, 2010 5:59 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

hi,

Weird output due to special characters: \t, \r, \n all did similar
things in the output (latest version has a fix for this).

Issue with Windows is to do with certs etc.  You need to configure the
supplicant to use PEAP, not to use the Windows login; if you haven't
sorted out certs, then you need to not check any RADIUS server or tick
anything... and not have the 'do not prompt for new certs' etc. unticked.
Best to put the CA that the RADIUS server was signed with onto the host
(in the trusted CA local root store).

alan



RE: windows users having trouble authenticating

2010-08-02 Thread Sallee, Stephen (Jake)
Alan:

>  The supplicant is sending a certificate that the server doesn't recognize.
I have turned off everything I can find on the windows box about
verifying certs and the like but still no joy.  Is there a way to tell
the FreeRADIUS box to accept the cert?

>  What "strange things" show up in the log?  Is it a secret?
No, no secrets just the following weirdness:
-
rad_recv: Access-Request packet from host 10.11.30.5 port 32853, id=253, length=164
User-Name = "umhb\\test1"
NAS-IP-Address = 10.11.30.5
NAS-Port = 641
Called-Station-Id = "00-0F-7D-09-73-20:Temp"
Calling-Station-Id = "00-17-C4-F0-75-C8"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/36Mbps 802.11g"
EAP-Message = 0x020f01756d68625c7465737431
Message-Authenticator = 0x149047682e6d36b8bc634cfa08e39088
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 00-17-C4-F0-75-C8
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-09-73-20:Temp
rlm_perl: Added pair Message-Authenticator = 0x149047682e6d36b8bc634cfa08e39088
rlm_perl: Added pair User-Name = umhb\\test1
rlm_perl: Added pair EAP-Message = 0x020f01756d68625c7465737431
rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/36Mbps 802.11g
rlm_perl: Added pair NAS-IP-Address = 10.11.30.5
rlm_perl: Added pair NAS-Port = 641
rlm_perl: Added pair Framed-MTU = 1400
++[perl] returns ok
[suffix] No '@' in User-Name = "umhb\   est11", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [umhb\\\test1] (from client Sanderford port 641 cli 00-17-C4-F0-75-C8)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> umhb\   est11
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 56 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 56
Sending Access-Reject of id 253 to 10.11.30.5 port 32853
Waking up in 4.9 seconds.
Cleaning up request 56 ID 253 with timestamp +14627
-


The user (me) types in umhb\test1, but for some reason the server sees
umhb\\test1 which gets expanded into umhb\   est11.  There is even a
umhb\\\test1 in there! I know this has got to be a MS thing as it works
perfectly with Linux ... probably Mac too as they are Linux based.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



  

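To make sense of the doubled backslashes in that debug output, an added example that is not FreeRADIUS code and not from the thread's posters: a Python triage routine that parses a radiusd -X excerpt into the request attributes, the per-module return codes and the reject line, decodes quoted attribute values exactly once (the debug printer writes a literal backslash as two), and decodes the EAP Identity from the EAP-Message to show that the client sent a single backslash. The log lines are a constructed excerpt of those quoted above; the EAP-Message is rebuilt as a well-formed 15-byte Response/Identity for the identity umhb\test1, since the value as quoted in the post is not a complete EAP header. Unescaping the printed value a second time is what turns the "\t" of "\test1" into a tab, which is the kind of mangled "umhb\ est1" output Alan Buxey attributes to a since-fixed display bug.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the thread. The
# EAP-Message is rebuilt as a well-formed Response/Identity (code 2, id 0,
# length 15, type 1) carrying the identity umhb\test1; the other lines are
# copied from the post.
DEBUG_OUTPUT = r"""rad_recv: Access-Request packet from host 10.11.30.5 port 32853, id=253, length=164
User-Name = "umhb\\test1"
NAS-IP-Address = 10.11.30.5
NAS-Port = 641
Calling-Station-Id = "00-17-C4-F0-75-C8"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000f01756d68625c7465737431
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No such realm "NULL"
++[suffix] returns noop
++[eap] returns updated
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [umhb\\\test1] (from client Sanderford port 641 cli 00-17-C4-F0-75-C8)
Sending Access-Reject of id 253 to 10.11.30.5 port 32853
"""

REQ_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR_RE = re.compile(r"^([A-Za-z0-9.-]+) = (.+)$")
RET_RE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)$")
REJECT_RE = re.compile(
    r"^Login incorrect: \[(.*)\] \(from client (\S+) port (\d+) cli (\S+)\)$")

# Escape sequences the debug printer uses inside quoted string values.
_ESCAPES = {"\\": "\\", '"': '"', "t": "\t", "n": "\n", "r": "\r"}


def unescape_once(s):
    """Undo one level of backslash escaping: a doubled backslash becomes
    one, backslash followed by t becomes a TAB, and so on."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in _ESCAPES:
            out.append(_ESCAPES[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_value(raw):
    """Quoted strings are unescaped exactly once; integers, addresses and
    0x... octet strings are returned as printed."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape_once(raw[1:-1])
    return raw


def parse_eap_message(hexstr):
    """Decode an EAP packet: code, id, length, type and, for Identity
    responses, the identity bytes the supplicant actually sent."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 5:
        raise ValueError("EAP message too short")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    eap_type = raw[4]
    identity = raw[5:].decode("utf-8") if eap_type == 1 else None
    return {"code": code, "id": ident, "length": length,
            "type": eap_type, "identity": identity}


def triage(text):
    """Summarise one request from radiusd -X output: the packet header,
    decoded request attributes, module return codes and the reject line."""
    report = {"packet": None, "attrs": {}, "returns": [], "reject": None}
    in_request = False
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            report["packet"] = {"type": m.group(1), "host": m.group(2),
                                "port": int(m.group(3)), "id": int(m.group(4))}
            in_request = True
            continue
        if line.startswith("+- entering group"):
            in_request = False   # attribute dump ends where unlang starts
            continue
        if in_request:
            m = ATTR_RE.match(line)
            if m:
                report["attrs"][m.group(1)] = decode_value(m.group(2))
            continue
        m = RET_RE.match(line)
        if m:
            report["returns"].append((m.group(1), m.group(2)))
            continue
        m = REJECT_RE.match(line)
        if m:
            report["reject"] = {"user": m.group(1), "client": m.group(2),
                                "port": int(m.group(3)), "cli": m.group(4)}
    report["failed_modules"] = [mod for mod, rc in report["returns"]
                                if rc in ("invalid", "reject", "fail")]
    return report


if __name__ == "__main__":
    r = triage(DEBUG_OUTPUT)
    print("request:", r["packet"], "failed in:", r["failed_modules"])
    print("User-Name as sent:", repr(r["attrs"]["User-Name"]))
    print("EAP identity:", repr(parse_eap_message(r["attrs"]["EAP-Message"])["identity"]))
    print("decoded twice:", repr(unescape_once(r["attrs"]["User-Name"])))
```

When forwarding these reject summaries to a SIEM, keep the once-decoded value and re-escape it for whatever format the pipeline uses; passing the printed string through a second unescape is exactly how a control character such as the tab ends up in a log field.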


windows users having trouble authenticating

2010-08-02 Thread Sallee, Stephen (Jake)
I have a working FreeRADIUS server that will authenticate Linux clients
happily, however my Windows clients are unable to authenticate.  Here is
a snippet:

--
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [te...@umhb] (from client Sanderford port 129 cli
00-17-C4-F0-75-C8)
Using Post-Auth-Type Reject
--

As you can see the problem seems to lie in the TLS section, but I have
followed all the HOWTOs I can find on installing and configuring the
server cert, but to no avail.  How do I tell the FreeRADIUS box to
trust its own certificate?  The cert was generated and signed on the
FreeRADIUS box.

Also as a side note, the linux users are able to authenticate by typing
in domain\username, but doing this on a windows box shows very strange
things in the radius log, and fails to authenticate.  Is there a way to
make both operating systems behave the same?  Otherwise my windows
clients must use the usern...@domain convention, once I get that working
:)



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






RE: Samba Bug #6563

2010-08-02 Thread Sallee, Stephen (Jake)
We will be moving to Server 2008 R2 very soon, thanks for the heads up.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Colantuoni, Robert
Sent: Monday, August 02, 2010 12:16 PM
To: freeradius-users@lists.freeradius.org
Subject: Samba Bug #6563


Our AD team recently upgraded their servers from Windows 2003 to 2008
and broke the Samba 3.0.34 installation we had been using for ntlm_auth.
We couldn't get this version of Samba to join the upgraded servers, so
we were forced to look into patching Samba 3.5.4 (latest) to fix the
issue where ntlm_auth returns an invalid NT_KEY. I believe this issue
has been open for about 2 years and hasn't moved much in the Samba bug
list:
https://bugzilla.samba.org/show_bug.cgi?id=6563

A committer named Volker Lendecke suggested that the source was
SamLogonEx... by using SamLogon instead, you can get around the issue.
This seems to stem from the SamLogonEx function using session keys
versus credentials... but I'd like to ask a windows/samba expert for a
better opinion.

I've attached a patch to the bug report above which adds the
--force-samlogon option to winbind. If winbind is started without this
flag, it operates "normally" and we get an invalid NT_KEY returned. If
it's started with the flag, the issue is resolved. 

We've been running this in production and haven't run into any issues
with a few thousand 802.1x users. I hope this helps a few people who
have been stuck in Samba purgatory.

Rob Colantuoni



LDAP authentication problem

2010-07-29 Thread Sallee, Stephen (Jake)
I have correctly configured the LDAP module (I think...)  but when I try
to authenticate a user I get an error saying the user cannot be found.
I have attached the debug output.  I have tried turning the "follow
referrals" and "rebind" vars on and off but I get the same outcome. At
first, I was getting a timeout error but I increased the timeouts and
fixed that.

I know the user is correct.  Here is the LDAP string for the user:

LDAP://CN=dspam,OU=InformationTechnology,OU=UsersByDepartment,OU=Administrative,DC=umhb,DC=edu

Any ideas?


Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.11.30.5 port 32838, id=5, length=51
User-Name = "dspam"
User-Password = "11"
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dspam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for dspam
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> dspam
[ldap]  expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=dspam)
[ldap]  expand: DC=umhb, DC=edu -> DC=umhb, DC=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to omega.umhb.edu:389, authentication 0
rlm_ldap: bind as / to omega.umhb.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=umhb, DC=edu, with filter (CN=dspam)
rlm_ldap: rebind to URL ldap://cru.umhb.edu/DC=cru,DC=umhb,DC=edu
rlm_ldap: rebind to URL 
ldap://ForestDnsZones.umhb.edu/DC=ForestDnsZones,DC=umhb,DC=edu
rlm_ldap: rebind to URL 
ldap://DomainDnsZones.umhb.edu/DC=DomainDnsZones,DC=umhb,DC=edu
rlm_ldap: rebind to URL ldap://umhb.edu/CN=Configuration,DC=umhb,DC=edu
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> dspam
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 5 to 10.11.30.5 port 32838
Waking up in 4.9 seconds.
Cleaning up request 0 ID 5 with timestamp +14
Ready to process requests.

rad_recv: Access-Request packet from host 10.11.30.5 port 32838, id=109, 
length=51
User-Name = "dspam"
User-Password = "11"
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dspam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for dspam
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> dspam
[ldap]  expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=dspam)
[ldap]  expand: DC=umhb, DC=edu -> DC=umhb, DC=edu
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to omega.umhb.edu:389, authentication 0
rlm_ldap: bind as / to omega.umhb.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=umhb, DC=edu, with filter (CN=dspam)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> dspam
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next reques

RE: pap or chap authentication with MS AD Backend

2010-07-29 Thread Sallee, Stephen (Jake)
Never mind, God I feel dumb.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: Thursday, July 29, 2010 9:53 AM
To: freeradius-users@lists.freeradius.org
Subject: pap or chap authentication with MS AD Backend

Could someone please point me to a good how-to that will explain how to
get either pap or chap running using Microsoft AD as a backend?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






pap or chap authentication with MS AD Backend

2010-07-29 Thread Sallee, Stephen (Jake)
Could someone please point me to a good how-to that will explain how to
get either pap or chap running using Microsoft AD as a backend?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






send radius response without request

2010-07-28 Thread Sallee, Stephen (Jake)
Is it possible to have FreeRADIUS send a radius response without first
receiving a request, provided I can feed it the same information the
request would have?

OR

Is it possible for FreeRADIUS to see the request come from one host and
have the response go to another?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






incorrect auth-type

2010-07-27 Thread Sallee, Stephen (Jake)

I am new to FreeRADIUS so please be patient with me.  I am scouring the
docs as I write this but so far I have been stumped.  Below I have
included the debug output of my server when I send it an authentication
request.

You will see that the user is found and authenticated by the
"ntlm_auth_Cru" module, however the user is still rejected because the
server says no auth-type was configured for the request.  Any help is
appreciated.

I have the following lines in my users file:
-
DEFAULT Auth-Type := ntlm_auth
Fall-Through = Yes
-

I also have the following in my radius.conf:
--
redundant ntlm_auth {
    group {
        ntlm_auth_Cru {
            reject = 1
            ok = return
        }
        ntlm_auth_UMHB {
            reject = 1
            ok = return
        }
    }
}
--


Here is the debug output:
--
rad_recv: Access-Request packet from host 10.2.1.75 port 46841, id=239,
length=51
User-Name = "image"
User-Password = "image"
NAS-IP-Address = 10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- entering group ntlm_auth {...}
Tue Jul 27 13:01:03 2010 : Info: +++- entering group  {...}
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru]expand:
--username=%{mschap:User-Name} -> --username=image
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru]expand:
--password=%{User-Password} -> --password=image
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program output: NT_STATUS_OK:
Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program-Wait: plaintext:
NT_STATUS_OK: Success (0x0)
Tue Jul 27 13:01:03 2010 : Debug: Exec-Program: returned: 0
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: +++- group  returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
Tue Jul 27 13:01:03 2010 : Info: ++[expiration] returns noop
Tue Jul 27 13:01:03 2010 : Info: ++[logintime] returns noop
GOT CLONE -1208792368 0x9f8ff70
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence SWITCH:
10.2.1.75
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence MAC:
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: PacketFence USER: image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Name = image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair User-Password =
image
Tue Jul 27 13:01:03 2010 : Debug: rlm_perl: Added pair NAS-IP-Address =
10.2.1.75
Tue Jul 27 13:01:03 2010 : Info: ++[perl] returns ok
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Jul 27 13:01:03 2010 : Info: Failed to authenticate the user.
Tue Jul 27 13:01:03 2010 : Info: Using Post-Auth-Type Reject
Tue Jul 27 13:01:03 2010 : Info: +- entering group REJECT {...}
Tue Jul 27 13:01:03 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} -> image
Tue Jul 27 13:01:03 2010 : Debug:  attr_filter: Matched entry DEFAULT at
line 11
Tue Jul 27 13:01:03 2010 : Info: ++[attr_filter.access_reject] returns
updated
Tue Jul 27 13:01:03 2010 : Info: Delaying reject of request 0 for 1
seconds
Tue Jul 27 13:01:03 2010 : Debug: Going to the next request
Tue Jul 27 13:01:03 2010 : Debug: Waking up in 0.8 seconds.
Tue Jul 27 13:01:04 2010 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 239 to 10.2.1.75 port 46841
Tue Jul 27 13:01:04 2010 : Debug: Waking up in 4.9 seconds.
Tue Jul 27 13:01:09 2010 : Info: Cleaning up request 0 ID 239 with
timestamp +26
Tue Jul 27 13:01:09 2010 : Debug: Ready to process requests.
--


PS: I know it is not best practice to specify the default auth-type but
this is a single purpose server and I know what types of requests are
going to come to it, anything other than what I want should be
discarded.



Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221
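As an added diagnostic (not code from the posts or from FreeRADIUS itself), the following Python parses the radiusd -X traces of the kind quoted in the "LDAP authentication problem" and "incorrect auth-type" posts above, summarising module return codes, how rlm_ldap bound and searched, and whether an Auth-Type was ever set. The sample trace, the host ldap.example.test and the exact rlm_ldap "bind as" wording are assumptions.

```python
import re

# Constructed sample (not from the posts) mixing the timestamped and bare line shapes seen above
SAMPLE = """\
Tue Jul 27 13:01:03 2010 : Info: +- entering group authorize {...}
Tue Jul 27 13:01:03 2010 : Info: ++[preprocess] returns ok
Tue Jul 27 13:01:03 2010 : Info: [ntlm_auth_Cru] returns ok
Tue Jul 27 13:01:03 2010 : Info: +++- group  returns ok
Tue Jul 27 13:01:03 2010 : Info: ++- group ntlm_auth returns ok
rlm_ldap: bind as / to ldap.example.test:389
rlm_ldap: performing search in DC=example, DC=test, with filter (CN=dspam)
++[ldap] returns notfound
Tue Jul 27 13:01:03 2010 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""
# radiusd -X prefixes some lines with "Tue Jul 27 13:01:03 2010 : Info: "; strip it first
PREFIX = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : (?:Info|Debug|Error): ")
MODULE = re.compile(r"^\+*\[([\w.]+)\] returns (\w+)$")       # ++[ldap] returns notfound
GROUP = re.compile(r"^\+*- group\s*(\w*)\s+returns (\w+)$")  # ++- group ntlm_auth returns ok
# Assumed rlm_ldap 2.x wording "bind as <dn>/<password> to <host>:<port>"; empty <dn> = anonymous
BIND = re.compile(r"^rlm_ldap: bind as (.*?)/.* to (\S+)$")
SEARCH = re.compile(r"^rlm_ldap: performing search in (.+?), with filter (.+)$")
NO_AUTH = "No authenticate method (Auth-Type) configuration found"

def parse_debug(text):
    """Summarise one radiusd -X request trace: module return codes, LDAP bind and search."""
    s = {"modules": [], "groups": [], "bind_dn": None, "ldap_server": None,
         "search": None, "no_auth_type": False}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())  # the timestamp prefix is optional per line
        if (m := MODULE.match(line)):
            s["modules"].append((m.group(1), m.group(2)))
        elif (m := GROUP.match(line)):
            s["groups"].append((m.group(1), m.group(2)))
        elif (m := BIND.match(line)):
            s["bind_dn"], s["ldap_server"] = m.group(1), m.group(2)
        elif (m := SEARCH.match(line)):
            s["search"] = (m.group(1), m.group(2))
        elif NO_AUTH in line:
            s["no_auth_type"] = True
    return s

def diagnose(s):
    """Findings for the two failure modes shown in the posts above."""
    findings = []
    if s["bind_dn"] == "":  # "bind as / to" means no DN and no password were configured
        findings.append("anonymous bind to %s: AD refuses anonymous searches by default, set identity/password" % s["ldap_server"])
    if s["no_auth_type"] and "files" not in {n for n, _ in s["modules"]}:  # users file never consulted
        findings.append("no Auth-Type set and [files] never ran in authorize, so a users-file DEFAULT Auth-Type never applied")
    return findings
```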






Integration Question

2010-07-26 Thread Sallee, Stephen (Jake)
Does anyone have any experience integrating FreeRADIUS with a FOSS
package called PacketFence?  If you do, and are willing, please drop me
a line.  Jake.Sallee(at)umhb(dot)edu.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






Documentation question

2010-07-21 Thread Sallee, Stephen (Jake)
HELLO ALL!

I am new to FreeRADIUS and I am looking for a good place to get some
documentation.  I know about the wiki and the .org site, but what I am
looking for is somewhere I can get all of that info in a printable
format.  I am also interested if anyone knows of some good reference
books.  Thank you in advance.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



