custom sql query
Hello,

We have a database that contains usernames and passwords that we want to auth from using a web app we have. I have tried all kinds of configs in the sql.conf file and still get fails. I have turned on sqltrace and here is the error we currently get, it's not much...

    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): SQL query error; rejecting user
    rlm_sql (sql): Released sql socket id: 2

Right now, to retrieve username and password (sql script) we use this sql query:

    select Username, Password from Contact where length(Username) > 0;

How do I slap that into sql.conf to make it work for simply just username/password auth? Any help would be appreciated.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
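An added example, not from the thread and not FreeRADIUS code, showing the result shape rlm_sql expects from authorize_check_query in FreeRADIUS 2.x, run against a constructed SQLite copy of the Contact table named above. It assumes the Password column holds cleartext passwords (hence Cleartext-Password; a hashed column needs the matching attribute, such as Crypt-Password, MD5-Password, SHA1-Password or NT-Password) and uses a bound parameter where sql.conf would carry '%{SQL-User-Name}'.

```python
"""Shape of the result rlm_sql expects from authorize_check_query.

Added example, not from the thread and not FreeRADIUS code. Assumes FreeRADIUS
2.x, where authorize_check_query must return (id, username, attribute, value, op)
rows, and assumes (from the post) that Contact.Password holds cleartext passwords.
"""
import sqlite3

# Constructed stand-in for the poster's Contact table, using the column names
# from the post. Row 2 has an empty Username, the case the poster's WHERE
# clause was filtering out.
SCHEMA = "CREATE TABLE Contact (id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)"
ROWS = [(1, "alice", "correct horse"), (2, "", "orphan"), (3, "bob", "battery staple")]

# The query quoted in the post: two columns and no per-user filter, so rlm_sql
# has nothing it can turn into check items for the user being authenticated.
ORIGINAL_QUERY = "SELECT Username, Password FROM Contact WHERE length(Username) > 0"

# What authorize_check_query must return: exactly these five columns, in this
# order, one row per check item for the requesting user. In sql.conf the '?'
# is written as '%{SQL-User-Name}', which FreeRADIUS expands itself.
CHECK_QUERY = """
SELECT id,
       Username             AS username,
       'Cleartext-Password' AS attribute,
       Password             AS value,
       ':='                 AS op
  FROM Contact
 WHERE Username = ?
 ORDER BY id
"""


def build_db():
    """Create the in-memory Contact table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Contact VALUES (?, ?, ?)", ROWS)
    return conn


def column_count(conn, query, params=()):
    """Number of columns a query returns; rlm_sql reads them positionally."""
    return len(conn.execute(query, params).description)


def check_items(conn, username):
    """Run the check query and return (attribute, op, value) tuples, the form
    rlm_sql adds to the request's check-item list."""
    rows = conn.execute(CHECK_QUERY, (username,)).fetchall()
    return [(attribute, op, value) for (_id, _user, attribute, value, op) in rows]


if __name__ == "__main__":
    db = build_db()
    print("original query columns:", column_count(db, ORIGINAL_QUERY))           # 2
    print("check query columns:   ", column_count(db, CHECK_QUERY, ("alice",)))  # 5
    print("check items for alice: ", check_items(db, "alice"))
    print("check items for nobody:", check_items(db, "nobody"))
```

The same SELECT goes into authorize_check_query in sql.conf (or the per-dialect dialup.conf it includes), with '%{SQL-User-Name}' in place of the bound parameter. The attribute you return also decides which methods can verify it: Cleartext-Password and NT-Password satisfy MSCHAPv2 inside TTLS/PEAP, while crypt or SHA1 hashes only satisfy PAP-style checks, so the choice of password storage and the choice of EAP method have to be made together.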
eap-tls not authenticating
What's happening here? It's like the radius tries to send a request back to the supplicant, but gives up... The supplicant is NAT'ed behind 192.168.0.1, could that be causing an issue? I have tried DMZ'ing the supplicant, still with no success... Any ideas? Thanks for the help.

    rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=4, length=293
            User-Name = "u...@example.com"
            NAS-IP-Address = 10.1.10.125
            Framed-MTU = 1488
            Service-Type = Framed-User
            NAS-Port = 101
            Called-Station-Id = "00:0d:67:0c:e4:b8:ssidradius"
            Calling-Station-Id = "00:1f:41:00:4c:f0"
            NAS-Port-Type = Wireless-802.11
            NAS-Identifier = "belair"
            Connect-Info = "CONNECT 11Mbps 802.11b"
            State = 0x6b173f2c6b153285c2b292790cdb3215
            EAP-Message = 0x0202006a0d00160301005f015b030148ab6bfe07adac217c9be3adfa4c0d81f59f6fc9c85de2f84ff594d9ef567d9b3400390038003500160013000a00330032002f006600050004006300620061001500120009006500640060001400110008000600030100
            Message-Authenticator = 0xbdf917161b202095f4a13c0d9b4419ae
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] Looking up realm "example.com" for User-Name = "u...@example.com"
    [suffix] No such realm "example.com"
    ++[suffix] returns noop
    [eap] EAP packet type response id 2 length 106
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/tls
    [eap] processing type tls
    [tls] Authenticate
    [tls] processing EAP-TLS
    [tls] eaptls_verify returned 7
    [tls] Done initial handshake
    [tls] (other): before/accept initialization
    [tls] TLS_accept: before/accept initialization
    [tls] <<< TLS 1.0 Handshake [length 005f], ClientHello
    [tls] TLS_accept: SSLv3 read client hello A
    [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
    [tls] TLS_accept: SSLv3 write server hello A
    [tls] >>> TLS 1.0 Handshake [length 085e], Certificate
    [tls] TLS_accept: SSLv3 write certificate A
    [tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    [tls] TLS_accept: SSLv3 write key exchange A
    [tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
    [tls] TLS_accept: SSLv3 write certificate request A
    [tls] TLS_accept: SSLv3 flush data
    [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    [tls] eaptls_process returned 13
    ++[eap] returns handled
    Sending Access-Challenge of id 4 to 68.62.165.40 port 50334
            EAP-Message = 0x010304000dc00b51160301002a0226030149a307eb390fe67471d54aaf899661654f00b98af8efed3bd1f7032485d434963900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
            EAP-Message = 0x717e573476a7206cd7bba64403d9b5538f63dcefb634613f8d79b774fa1a249035a94eb5639c26e48424bb3c304985c6b4e1508b01a8077c9e531a6d29d2c80ab96b56b7e709659d620e0f5328d8c5cb4a4b38b3f84ee8f61c0b03411b21a771aa662a40e53e64dcad6e1bb999f5bd6d229d5331e36bad1160ef09be09e28aa134670362e4d1507d9a97ce3d4a04b710e553ffaeec08bb3fff8bfb76e7aa0fb9322ff5cbf08541e61dc38245a3e66a3cfd393d5b49b0eec19086a1305fde730903f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100a7dd61c264ef875880
            EAP-Message = 0xa73082038fa0030201020209
            Message-Authenticator = 0x000
Re: ttls ssl handshake error.
Called them and they said they have numerous people utilizing their units with freeradius and 802.1x... Any other ideas? Posted is my eap.conf:

    # -*- text -*-
    ##
    ## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
    ##
    ##      $Id: eap.conf,v 1.24 2008/02/26 09:32:29 aland Exp $

    #######################################################################
    #
    #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
    #  is smart enough to figure this out on its own.  The most
    #  common side effect of setting 'Auth-Type := EAP' is that the
    #  users then cannot use ANY other authentication method.
    #
    #  EAP types NOT listed here may be supported via the "eap2" module.
    #  See experimental.conf for documentation.
    #
    eap {
            #  Invoke the default supported EAP type when
            #  EAP-Identity response is received.
            #
            #  The incoming EAP messages DO NOT specify which EAP
            #  type they will be using, so it MUST be set here.
            #
            #  For now, only one default EAP type may be used at a time.
            #
            #  If the EAP-Type attribute is set by another module,
            #  then that EAP type takes precedence over the
            #  default type configured here.
            #
            default_eap_type = ttls

            #  A list is maintained to correlate EAP-Response
            #  packets with EAP-Request packets.  After a
            #  configurable length of time, entries in the list
            #  expire, and are deleted.
            #
            timer_expire = 60

            #  There are many EAP types, but the server has support
            #  for only a limited subset.  If the server receives
            #  a request for an EAP type it does not support, then
            #  it normally rejects the request.  By setting this
            #  configuration to "yes", you can tell the server to
            #  instead keep processing the request.  Another module
            #  MUST then be configured to proxy the request to
            #  another RADIUS server which supports that EAP type.
            #
            #  If another module is NOT configured to handle the
            #  request, then the request will still end up being
            #  rejected.
            ignore_unknown_eap_types = no

            # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
            # a User-Name attribute in an Access-Accept, it copies one
            # more byte than it should.
            #
            # We can work around it by configurably adding an extra
            # zero byte.
            cisco_accounting_username_bug = no

            # Supported EAP-types
            #
            #  We do NOT recommend using EAP-MD5 authentication
            #  for wireless connections.  It is insecure, and does
            #  not provide for dynamic WEP keys.
            #
            md5 {
            }

            # Cisco LEAP
            #
            #  We do not recommend using LEAP in new deployments.  See:
            #  http://www.securiteam.com/tools/5TP012ACKE.html
            #
            #  Cisco LEAP uses the MS-CHAP algorithm (but not
            #  the MS-CHAP attributes) to perform it's authentication.
            #
            #  As a result, LEAP *requires* access to the plain-text
            #  User-Password, or the NT-Password attributes.
            #  'System' authentication is impossible with LEAP.
            #
            leap {
            }

            # Generic Token Card.
            #
            #  Currently, this is only permitted inside of EAP-TTLS,
            #  or EAP-PEAP.  The module "challenges" the user with
            #  text, and the response from the user is taken to be
            #  the User-Password.
            #
            #  Proxying the tunneled EAP-GTC session is a bad idea,
            #  the users password will go over the wire in plain-text,
            #  for anyone to see.
            #
            gtc {
                    #  The default challenge, which many clients
                    #  ignore..
                    #challenge = "Password: "

                    #  The plain-text response which comes back
                    #  is put into a User-Password attribute,
                    #  and passed to another module for
                    #  authentication.  This allows the EAP-GTC
                    #  response to be checked against plain-text,
                    #  or crypt'd passwords.
                    #
                    #  If you say "Local" instead of "PAP", then
                    #  the module will look for a User-Password
                    #  configured for the request, and do the
                    #  authentication itself.
                    #
                    auth_type = PAP
            }

            ## EAP-TLS
            #
            #  See raddb/certs/README for additional comments
            #  on certificates.
            #
            #  If OpenSSL was not found at the time the server was
            #  built, the "tls", "ttls", and "peap" sections will
            #  be ignored.
            #
            #  Otherwise, when the server first starts in debugging
            #  mode, test certificates will be created.  See the
            #  "make_cert_command" below for details, and the README
            #  file in raddb/certs
            #
            #  These test certificates SHOULD NOT be used
Re: ttls ssl handshake error.
No, not Windows, it was via a wifi CPE (Ruckus CPE).

On Wed, Jan 21, 2009 at 5:04 PM, wrote:
> >I have created all the certs etc using FR bootstrap and "make client" .. I
> >have made sure my eap.conf info is all correct..
> >Yest here is what I'm receiving in the logs , thanks for any input
> >
> >rlm_eap_ttls: Authenticate
> >  rlm_eap_tls: processing TLS
> >  eaptls_verify returned 7
> >  rlm_eap_tls: Done initial handshake
> >  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
> >  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
> >TLS Alert write:fatal:handshake failure
> >TLS_accept:error in SSLv3 read client certificate B
> >rlm_eap: SSL error error:140890C7:SSL
> >routines:SSL3_GET_CLIENT_CERTIFICATE:peer
> >did not return a certificate
> >rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> >  eaptls_process returned 13
> >  rlm_eap: Freeing handler
> >++[eap] returns reject
> >auth: Failed to validate the user.
>
> That's Windows, right? You have properly installed the client
> certificate into the certificate store but Windows won't send it? When
> you open certificate properties it goes on about "not being able to
> validate certificate"?
>
> Try altering Makefile in raddb/certs and signing client certificate with
> ca instead of server certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
ttls ssl handshake error.
I have created all the certs etc using FR bootstrap and "make client". I have made sure my eap.conf info is all correct. Yest here is what I'm receiving in the logs, thanks for any input.

    rlm_eap_ttls: Authenticate
      rlm_eap_tls: processing TLS
      eaptls_verify returned 7
      rlm_eap_tls: Done initial handshake
      rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
      rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
    TLS Alert write:fatal:handshake failure
    TLS_accept:error in SSLv3 read client certificate B
    rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
    rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
      eaptls_process returned 13
      rlm_eap: Freeing handler
    ++[eap] returns reject
    auth: Failed to validate the user.
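An added triage helper, not from either thread and not FreeRADIUS code, for reading the radiusd -X output posted in "eap-tls not authenticating" and "ttls ssl handshake error" above. It separates the two situations those logs show: the server has sent its CertificateRequest and is still waiting for the client certificate (the conversation continues with an Access-Challenge), versus the supplicant answered with an empty Certificate message and OpenSSL aborted the handshake. The samples are constructed, modelled on the two posts rather than copied from them, and the regexes assume the FreeRADIUS 2.x debug line formats shown in the posts; the source/destination address check is a heuristic prompted by the NAT question in the first thread.

```python
"""Triage helper for FreeRADIUS 'radiusd -X' debug output (EAP-TLS/TTLS).

Added example, not part of the mailing-list threads. It pulls the TLS
handshake messages, the OpenSSL error (if any) and the final rlm_eap result
out of the debug lines and returns a verdict a defender can act on.
"""
import re

# Constructed samples modelled on the debug output in the "eap-tls not
# authenticating" and "ttls ssl handshake error" threads (not verbatim copies).
SAMPLE_WAITING = """\
rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=4, length=293
[tls] <<< TLS 1.0 Handshake [length 005f], ClientHello
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
++[eap] returns handled
Sending Access-Challenge of id 4 to 68.62.165.40 port 50334
"""

SAMPLE_NO_CERT = """\
rlm_eap_ttls: Authenticate
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
++[eap] returns reject
auth: Failed to validate the user.
"""

RE_RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+)")
RE_SEND = re.compile(r"Sending Access-(\w+) of id \d+ to (\S+) port (\d+)")
RE_TLS = re.compile(r"(<<<|>>>) TLS [\d.]+ (Handshake|Alert) \[length ([0-9a-fA-F]+)\], (.+?)\s*$")
RE_SSLERR = re.compile(r"SSL error (error:.*)$")
RE_EAP = re.compile(r"\+\+\[eap\] returns (\w+)")
RE_WAIT = re.compile(r"TLS_accept: Need to read more data: (.+?)\s*$")


def parse_debug(text):
    """Extract the facts we care about from one EAP conversation's debug lines."""
    info = {
        "request_from": None, "reply_to": None, "reply_code": None,
        "tls": [],  # (direction, kind, length_in_bytes, message_name)
        "ssl_error": None, "eap_result": None, "waiting_on": None,
    }
    for line in text.splitlines():
        if m := RE_RECV.search(line):
            info["request_from"] = (m.group(1), int(m.group(2)))
        elif m := RE_SEND.search(line):
            info["reply_code"] = m.group(1)
            info["reply_to"] = (m.group(2), int(m.group(3)))
        elif m := RE_TLS.search(line):
            direction = "client->server" if m.group(1) == "<<<" else "server->client"
            info["tls"].append((direction, m.group(2), int(m.group(3), 16), m.group(4)))
        elif m := RE_SSLERR.search(line):
            info["ssl_error"] = m.group(1)
        elif m := RE_EAP.search(line):
            info["eap_result"] = m.group(1)
        elif m := RE_WAIT.search(line):
            info["waiting_on"] = m.group(1)
    return info


def triage(text):
    """Parse the debug text and attach a verdict plus two derived flags."""
    info = parse_debug(text)
    # A client Certificate message of 7 bytes is the 4-byte handshake header
    # plus a 3-byte zero-length certificate list: the supplicant answered the
    # CertificateRequest with no certificate at all.
    info["empty_client_certificate"] = any(
        d == "client->server" and kind == "Handshake" and name == "Certificate" and length == 7
        for d, kind, length, name in info["tls"])
    # Heuristic: the reply is addressed to a different host than the request
    # came from, worth checking when NAT sits between NAS and server.
    info["address_mismatch"] = (
        info["request_from"] is not None and info["reply_to"] is not None
        and info["request_from"][0] != info["reply_to"][0])
    if info["ssl_error"] and "did not return a certificate" in info["ssl_error"]:
        info["verdict"] = "client_sent_no_certificate"
    elif info["eap_result"] == "reject":
        info["verdict"] = "rejected"
    elif info["waiting_on"] and "client certificate" in info["waiting_on"]:
        info["verdict"] = "waiting_for_client_certificate"
    elif info["eap_result"] == "handled":
        info["verdict"] = "handshake_in_progress"
    else:
        info["verdict"] = "unknown"
    return info


if __name__ == "__main__":
    for label, sample in (("waiting", SAMPLE_WAITING), ("no_cert", SAMPLE_NO_CERT)):
        r = triage(sample)
        print(label, r["verdict"], "address_mismatch=%s" % r["address_mismatch"],
              "empty_client_certificate=%s" % r["empty_client_certificate"])
```

Run it on a debug capture of one conversation (the lines between rad_recv and the Sending line). A "waiting_for_client_certificate" verdict on the last round trip means the server did its part and the supplicant never produced a certificate, so the next place to look is the client side; a "client_sent_no_certificate" verdict with the empty-Certificate flag set means the supplicant explicitly declined, which points at the client certificate's trust chain or its installation rather than at the server's TLS configuration.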
eap-ttls and require a certificate along with username/password
How can I make freeradius require a certificate along with username/password with eap-ttls? I'm using the latest version of FR. We need it to do the two-step auth for our current backend user management. Thanks
Reply Attribute and Stripping a realm
I have a couple questions. I need to force a reply attribute for the slipstream service to all my customers. I'm using flatfile, just a basic setup. What would be the best way to do this?

Also, how do I strip realms? We get users coming to our RADIUS in this format: [EMAIL PROTECTED]. My flatfile only has the username due to the backend system we use. I need to strip the realm.. Thanks