RE: free radius setup
-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Tuesday, September 10, 2013 3:07 PM
To: FreeRadius users mailing list
Subject: Re: free radius setup

On 10 Sep 2013, at 19:15, "Swenson, Chris" wrote:

> I understand a bit more why people were bringing up plain text passwords now.
>
> My radius server is being presented with peap ms-chapV2 credentials and I
> want it to receive authentication from my openldap server.

What happened to that web gateway?

>>> my vague understanding of what I was getting into led to a misstatement.

> It seems that the credentials in this format cannot be digested by openldap
> and acknowledged.
> The passwords in my openldap are encrypted as SHA
>
> Do I have this right?
> Is there an alternative?

* Use a different EAP method, OR
* Rehash all your credentials to NT-Password format, OR
* Harvest passwords and store them in Plaintext

> Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other day?

No. It's good but it's not magic. You need the plaintext password for comparison, there's no way to transform the MSCHAPv2 responses into the cleartext password or to a SHA1 password.

>>> Back to the drawing board for me. I may be back with more questions. Thanks

Arran Cudbard-Bell
FreeRADIUS Development Team

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: free radius setup
Yes, I already saw that and this is why I am stuck. I am using Aruba 3000 Wireless controllers running the 6.2.X.X code. As I understand it, when the laptop user selects the secure SSID they should be prompted for a username and password. This username and password will be presented to radius as peap MS-CHAPV2. Radius then needs to authenticate this against my Openldap where the passwords are encrypted as SHA, thus bad end. I could not find an encryption type in open ldap that would satisfy the chart. If it did work then I could take the info from radius accounting and pass it to our NAC control (Impulse Safe Connect) which will let the students onto the network after they pass some computer hygiene checks. I have a population of 2000 college students who have little idea of what security really is. And of course I am trying to do this on the typical budget provided by a non-profit such as my college is.

Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: Tuesday, September 10, 2013 6:09 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: free radius setup

On 09/10/2013 02:15 PM, Swenson, Chris wrote:
> I understand a bit more why people were bringing up plain text passwords now.
>
> My radius server is being presented with peap ms-chapV2 credentials
> and I want it to receive authentication from my openldap server.
>
> It seems that the credentials in this format cannot be digested by
> openldap and acknowledged.
>
> The passwords in my openldap are encrypted as SHA
>
> Do I have this right?
>
> Is there an alternative?
>
> Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the
> other day?

Before you go any further you need to read and understand the material on this page:

http://deployingradius.com/documents/protocols/compatibility.html

--
John
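The point made in the two replies above (Arran's three options, and the compatibility chart John links) can be shown concretely. The following is an added example, not code from the thread and not FreeRADIUS code: it builds the NT hash that MS-CHAPv2 verification needs (MD4 over the UTF-16LE password, which is what the `NT-Password` attribute holds), builds and checks an OpenLDAP `{SSHA}` / `{SHA}` `userPassword` value, and then models what a server can do with each stored form depending on whether the request arrives as PAP (cleartext available, as inside an EAP-TTLS tunnel) or as PEAP/MS-CHAPv2 (no cleartext, only a challenge response keyed from the NT hash). The function names, the three sample users and their hashes are constructed for the demo; MD4 is implemented locally because `hashlib` often lacks it on OpenSSL 3 builds.

```python
"""Added example (not from the thread, not FreeRADIUS code): why a
SHA-hashed OpenLDAP userPassword cannot back PEAP/MS-CHAPv2.

MS-CHAPv2 never carries the password; the peer answers a challenge with
DES operations keyed from its NT hash, MD4(UTF-16LE(password)) (RFC 2759).
The server must therefore already hold that NT hash, or the cleartext to
derive it.  A {SSHA}/{SHA} value can only be checked when the cleartext
arrives, which is what PAP (plain, or inside an EAP-TTLS tunnel) delivers.
The sample users, salts and hashes below are constructed for the demo."""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many
    OpenSSL 3 builds, so the demo carries its own."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (mixing function, round constant, X[k] order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NT-Password as rlm_mschap needs it: MD4 over the UTF-16LE cleartext."""
    return md4(password.encode("utf-16-le"))


def ldap_sha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt), 4-byte salt
    as slappasswd uses.  An empty salt gives the unsalted {SHA} form."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return ("{SSHA}" if salt else "{SHA}") + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_sha(stored: str, password: str) -> bool:
    """Check a cleartext password against a {SHA}/{SSHA} userPassword.
    Note the input: the cleartext.  Nothing else can be checked against it."""
    scheme, _, b64 = stored.partition("}")
    if scheme not in ("{SHA", "{SSHA"):
        raise ValueError("unsupported userPassword scheme: " + stored)
    raw = base64.b64decode(b64)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def nt_hash_for_mschap(stored: dict) -> Optional[bytes]:
    """What the server needs to check an MS-CHAPv2 NT-Response: the NT hash.
    It can use NT-Password as stored or derive it from Cleartext-Password;
    a {SSHA}/{SHA} userPassword yields nothing usable."""
    if "NT-Password" in stored:
        return bytes.fromhex(stored["NT-Password"])
    if "Cleartext-Password" in stored:
        return nt_password_hash(stored["Cleartext-Password"])
    return None   # PEAP/MS-CHAPv2 must be rejected: no NT hash available


def pap_check(stored: dict, password: str) -> bool:
    """What the server can do once the cleartext arrives (PAP, or PAP inside
    EAP-TTLS): every one of the three stored forms can be verified."""
    if "Cleartext-Password" in stored:
        return hmac.compare_digest(stored["Cleartext-Password"].encode(), password.encode())
    if "NT-Password" in stored:
        return hmac.compare_digest(bytes.fromhex(stored["NT-Password"]), nt_password_hash(password))
    if "userPassword" in stored:
        return verify_ldap_sha(stored["userPassword"], password)
    return False


if __name__ == "__main__":
    # Constructed directory entries, one per storage format, plus what each
    # student actually types at the SSID prompt.
    typed = {"alice": "correct horse", "bob": "battery staple", "carol": "staple battery"}
    users = {
        "alice": {"userPassword": ldap_sha_hash(typed["alice"], b"s4lt")},  # as OpenLDAP holds it now
        "bob": {"NT-Password": nt_password_hash(typed["bob"]).hex()},        # rehashed for MS-CHAPv2
        "carol": {"Cleartext-Password": typed["carol"]},                     # harvested cleartext
    }
    for name, stored in users.items():
        print(name, "PEAP/MS-CHAPv2:", "ok" if nt_hash_for_mschap(stored) else "NO NT HASH",
              "| PAP or EAP-TTLS/PAP:", "ok" if pap_check(stored, typed[name]) else "fail")
```

Running it prints one line per user: only `alice`, whose entry is the `{SSHA}` form the thread describes, fails the MS-CHAPv2 column while passing the PAP column, which is the whole reason the three options are "different EAP method, rehash to NT-Password, or keep cleartext". Rehashing needs the cleartext at some point (typically at password change), so it cannot be done from the existing SHA values alone.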
free radius setup
I understand a bit more why people were bringing up plain text passwords now.

My radius server is being presented with peap ms-chapV2 credentials and I want it to receive authentication from my openldap server.

It seems that the credentials in this format cannot be digested by openldap and acknowledged.

The passwords in my openldap are encrypted as SHA

Do I have this right?

Is there an alternative?

Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other day?

Thanks for your attention
Re: my Radius goal radius and openldap.
Yeah, but the goal is that it is passed to the server via a secure web page. The end goal here is getting authenticated users the right to connect to the secure SSIDs. The Aruba wireless controllers are supposed to do that. If I am way over my head I have a consultant on contract. RHIP.

Sent from my Verizon Wireless 4GLTE smartphone

- Reply message -
From: "Arran Cudbard-Bell"
To: "FreeRadius users mailing list"
Subject: my Radius goal radius and openldap.
Date: Mon, Sep 9, 2013 7:34 pm

On 10 Sep 2013, at 00:19, "Swenson, Chris" wrote:

> No, they are encrypted in the ldap database in md5 hash.

Right, but you have the plaintext version from the user?

> I might be too old to do bleeding edge stuff like 3.0 RC1
> I will take a look and a poke at it though.

Fair enough.

Arran Cudbard-Bell
FreeRADIUS Development Team
my Radius goal radius and openldap.
I already have functioning openldap with SSL. (actually a neat little multi master setup.) I would like to get this radius to authenticate against the openldap.

I have dug around Google and found some useful looking pages, but I wonder if anybody has any hot tips on this so I don't feel like I am completely reinventing the wheel.

Thanks
Chris s.
RE: my Radius goal radius and openldap.
No, they are encrypted in the ldap database in md5 hash.
I might be too old to do bleeding edge stuff like 3.0 RC1
I will take a look and a poke at it though.
Thanks.

-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, September 09, 2013 6:54 PM
To: FreeRadius users mailing list
Subject: Re: my Radius goal radius and openldap.

On 9 Sep 2013, at 23:00, "Swenson, Chris" wrote:

> I already have functioning openldap with SSL. (actually a neat little
> multi master setup.) I would like to get this radius to authenticate against
> the openldap.

You have plaintext passwords then?

> I have dug around Google and found some useful looking pages, but I wonder if
> anybody has any hot tips on this so I don't feel like I am completely
> reinventing the wheel.

Use FreeRADIUS 3.0.0-rc1, the LDAP module is SIGNIFICANTLY better.

For redundancy/resilience you can either just point the module at a round-robin FQDN, or set a comma delimited list of servers in the 'server' config item, libldap handles the failover.

Arran Cudbard-Bell
FreeRADIUS Development Team
RE: problem with initial setup solved
I guess I need to recycle my 2002 Shell O'Reilly book.

-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org [mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On Behalf Of Swenson, Chris
Sent: Monday, September 09, 2013 1:27 PM
To: FreeRadius users mailing list
Subject: RE: problem with initial setup

That did it. In version 1 the radtest must have been installed with the radius, not as a separate package. I have now also successfully tested.

I wonder why in the ticket I opened with Red Hat support they did not suggest the upgrade.

Thanks to all.

Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
> Ok, uninstalled #1 and updated to freeradius2
>
> radiusd started without a hitch with testing Cleartext-Password :=
> "password" in users file.
>
> When I ran radtest testing password localhost 0 testing123
>
> Received -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or read how to use the yum package manager.

--
John
problem with initial setup
Hi all,

I have not used radius in about 15 years and found a need recently. I have set up the rpm on a Red Hat 5.6 server and when I run radiusd -X the system starts fine with the expected info. When I enter the suggested first line in the users file

testing Cleartext-Password := "password"

and then rerun radiusd -X it bombs and does not start. See output below. Without this running I cannot do the radtest.

Thanks for any guidance.

[root@ldap1 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
/etc/raddb/users[91]: Parse error (check) for entry testing: Unknown attribute "Cleartext-Password"
Errors reading /etc/raddb/users
radiusd.conf[1059]: files: Module instantiation failed.
radiusd.conf[1837] Unknown module "files".
radiusd.conf[1773] Failed to parse authorize section.
[root@ldap1 raddb]#
RE: problem with initial setup
That did it. In version 1 the radtest must have been installed with the radius, not as a separate package. I have now also successfully tested.

I wonder why in the ticket I opened with Red Hat support they did not suggest the upgrade.

Thanks to all.

Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
> Ok, uninstalled #1 and updated to freeradius2
>
> radiusd started without a hitch with testing Cleartext-Password :=
> "password" in users file.
>
> When I ran radtest testing password localhost 0 testing123
>
> Received -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or read how to use the yum package manager.

--
John
RE: problem with initial setup
Thanks for the replies:

Ok, uninstalled #1 and updated to freeradius2

radiusd started without a hitch with testing Cleartext-Password := "password" in users file.

When I ran radtest testing password localhost 0 testing123

Received -bash: /usr/bin/radtest: No such file or directory

For academics' sake here is the radiusd -X output. (definitely not my granddad's radius)

[root@ldap1 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 at 10:55:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: Loading Realms and Home