RE: free radius setup

2013-09-10 Thread Swenson, Chris


-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org 
[mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On 
Behalf Of Arran Cudbard-Bell
Sent: Tuesday, September 10, 2013 3:07 PM
To: FreeRadius users mailing list
Subject: Re: free radius setup


On 10 Sep 2013, at 19:15, "Swenson, Chris"  wrote:

> I understand a bit more why people were bringing up plain text passwords now.
>  
> My radius server is being presented with peap ms-chapV2 credentials and I 
> want it to receive authentication from my openldap server.


What happened to that web gateway?
>>> my vague understanding of what I was getting into led to a misstatement.



> It seems that the credentials in this format cannot be digested by openldap 
> and acknowledged.
> The passwords in my openldap are encrypted as SHA
>  
> Do I have this right?
> Is there an alternative?

* Use a different EAP method, OR
* Rehash all your credentials to NT-Password format, OR
* Harvest passwords and store them in Plaintext

> Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other day?

No. It's good but it's not magic. You need the plaintext password for 
comparison, there's no way to transform the MSCHAPv2 responses into the cleartext 
password or into a SHA1 password.
>>> Back to the drawing board for me. I may be back with more questions. Thanks

Arran Cudbard-Bell  FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: free radius setup

2013-09-10 Thread Swenson, Chris
Yes, I already saw that and this is why I am stuck.
I am using Aruba 3000 Wireless controllers running the 6.2.X.X code.
As I understand it when the laptop user selects the secure SSID they should be 
prompted for a username and password.
This username and password will be presented to radius as peap MS-CHAPV2.
Radius then needs to authenticate this against my OpenLDAP where the passwords 
are encrypted as SHA, thus bad end.
I could not find an encryption type in OpenLDAP that would satisfy the chart.

If it did work then I could take the info from radius accounting and pass it to 
our NAC control (Impulse Safe Connect) which will let 
the students onto the network after they pass some computer hygiene checks.

I have a population of 2000 college students who have little idea of what 
security really is.
And of course I am trying to do this on the typical budget provided by a 
non-profit such as my college is.

Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com] 
Sent: Tuesday, September 10, 2013 6:09 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: free radius setup

On 09/10/2013 02:15 PM, Swenson, Chris wrote:
> I understand a bit more why people were bringing up plain text passwords now.
> 
>  
> 
> My radius server is being presented with peap ms-chapV2 credentials 
> and I want it to receive authentication from my openldap server.
> 
> It seems that the credentials in this format cannot be digested by 
> openldap and acknowledged.
> 
> The passwords in my openldap are encrypted as SHA
> 
>  
> 
> Do I have this right?
> 
> Is there an alternative?
> 
> Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the 
> other day?

Before you go any further you need to read and understand the material on this 
page:

http://deployingradius.com/documents/protocols/compatibility.html

--
John
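The point Arran makes above (rehash to NT-Password, store plaintext, or change EAP method) and the compatibility chart John points at are the same constraint seen from two sides: the server can only finish an MS-CHAPv2 exchange if it holds the cleartext or the NT hash, while a {SHA} userPassword can only serve methods that deliver the cleartext (PAP and its tunnelled forms). The Python below is an added illustration written for this archive page, not FreeRADIUS code and not code from anyone in the thread; the compatibility table, the sample userPassword values and the function names are my own assumptions. It classifies an OpenLDAP userPassword value by scheme, reports which methods can succeed against it, and shows the PAP-style verification that does work against a SHA/SSHA digest.

```python
"""Added illustration (not FreeRADIUS code): classify an OpenLDAP
userPassword value by storage scheme and report which RADIUS/EAP methods
a server holding only that value can complete. Table, sample values and
names are constructed for this example."""
import base64
import hashlib
import hmac

# Methods the RADIUS server can finish for each stored form (assumed table,
# following the usual password-compatibility reasoning):
#  - PAP (and its tunnelled forms such as EAP-TTLS/PAP) delivers the
#    cleartext password to the server, so any digest can be recomputed.
#  - CHAP needs the cleartext on the server side.
#  - MS-CHAPv2 (the PEAP inner method the thread is about) needs the NT
#    hash (MD4 over the UTF-16LE password) or the cleartext; a SHA, MD5 or
#    crypt digest cannot be turned into either one.
COMPAT = {
    "CLEARTEXT": {"PAP", "CHAP", "PEAP-MSCHAPv2", "EAP-TTLS/PAP"},
    "NT":        {"PAP", "PEAP-MSCHAPv2", "EAP-TTLS/PAP"},  # e.g. sambaNTPassword
    "SHA":       {"PAP", "EAP-TTLS/PAP"},
    "SSHA":      {"PAP", "EAP-TTLS/PAP"},
    "MD5":       {"PAP", "EAP-TTLS/PAP"},
    "SMD5":      {"PAP", "EAP-TTLS/PAP"},
    "CRYPT":     {"PAP", "EAP-TTLS/PAP"},
}


def parse_userpassword(value):
    """Split an RFC 2307 '{SCHEME}base64' value into (scheme, digest, salt).

    A value with no {SCHEME} prefix is cleartext (OpenLDAP's default).
    {SSHA}/{SMD5} carry the salt appended to the raw digest."""
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value.encode(), b""
    scheme, _, rest = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":               # crypt(3) string, not base64
        return scheme, rest.encode(), b""
    raw = base64.b64decode(rest)
    if scheme == "SSHA":
        return scheme, raw[:20], raw[20:]
    if scheme == "SMD5":
        return scheme, raw[:16], raw[16:]
    return scheme, raw, b""


def methods_for(value):
    """Authentication methods that can succeed against this stored value."""
    scheme, _, _ = parse_userpassword(value)
    return COMPAT.get(scheme, set())


def verify_pap(stored, cleartext):
    """What a PAP-style path can do: recompute the digest from the cleartext
    the client sent and compare it in constant time. CRYPT and NT forms are
    left out here (they need crypt(3) and MD4 respectively)."""
    scheme, digest, salt = parse_userpassword(stored)
    pw = cleartext.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(digest, pw)
    if scheme in ("SHA", "SSHA"):
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme in ("MD5", "SMD5"):
        return hmac.compare_digest(digest, hashlib.md5(pw + salt).digest())
    return False


def make_ssha(password, salt):
    """Build a {SSHA} value the way slappasswd -h {SSHA} does (constructed)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


if __name__ == "__main__":
    # Constructed sample entries; the {SHA} one is SHA-1 of "password".
    samples = [
        "password",
        "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
        make_ssha("hunter2", b"\x01\x02\x03\x04"),
        "{CRYPT}$6$saltsalt$placeholder",   # placeholder crypt string
    ]
    for entry in samples:
        ok = sorted(methods_for(entry))
        print(f"{entry[:28]:<30} PEAP-MSCHAPv2? {'PEAP-MSCHAPv2' in ok}  {ok}")
```

Running it shows the asymmetry directly: the {SHA} and {SSHA} entries verify fine through verify_pap, which is what EAP-TTLS/PAP or PEAP-GTC would exercise, but no MS-CHAPv2 method appears in their method set, because the server never sees a value it could hash to compare with the DES-keyed MS-CHAPv2 response.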


free radius setup

2013-09-10 Thread Swenson, Chris
I understand a bit more why people were bringing up plain text passwords now.

My radius server is being presented with peap ms-chapV2 credentials and I want 
it to receive authentication from my openldap server.
It seems that the credentials in this format cannot be digested by openldap and 
acknowledged.
The passwords in my openldap are encrypted as SHA

Do I have this right?
Is there an alternative?
Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other day?

Thanks for your attention

Re: my Radius goal radius and openldap.

2013-09-09 Thread Swenson, Chris
Yeah, but the goal is that it is passed to the server via a secure web page. 
The end goal here is getting authenticated users the right to connect to the 
secure SSIDs. The Aruba wireless controllers are supposed to do that. If I am 
way over my head I have a consultant on contract. RHIP.

Sent from my Verizon Wireless 4GLTE smartphone

- Reply message -
From: "Arran Cudbard-Bell" 
To: "FreeRadius users mailing list" 
Subject: my Radius goal radius and openldap.
Date: Mon, Sep 9, 2013 7:34 pm




On 10 Sep 2013, at 00:19, "Swenson, Chris"  wrote:

> No, they are encrypted in the ldap database in md5 hash.

Right, but you have the plaintext version from the user?

> I might be too old to do bleeding edge stuff like 3.0 RC1
> I will take a look and a poke at it though.

Fair enough.

Arran Cudbard-Bell 
FreeRADIUS Development Team


my Radius goal radius and openldap.

2013-09-09 Thread Swenson, Chris
I already have a functioning OpenLDAP with SSL (actually a neat little multi-master 
setup).
I would like to get this radius to authenticate against the openldap.

I have dug around Google and found some useful looking pages, but I wonder if 
anybody has any hot tips on this so I don't feel like I am completely 
reinventing the wheel.

Thanks
Chris S.

RE: my Radius goal radius and openldap.

2013-09-09 Thread Swenson, Chris
No, they are encrypted in the ldap database in md5 hash.
I might be too old to do bleeding edge stuff like 3.0 RC1
I will take a look and a poke at it though.
Thanks.


-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org 
[mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On 
Behalf Of Arran Cudbard-Bell
Sent: Monday, September 09, 2013 6:54 PM
To: FreeRadius users mailing list
Subject: Re: my Radius goal radius and openldap.


On 9 Sep 2013, at 23:00, "Swenson, Chris"  wrote:

> I already have a functioning OpenLDAP with SSL (actually a neat little 
> multi-master setup). I would like to get this radius to authenticate against 
> the openldap.

You have plaintext passwords then?

> I have dug around Google and found some useful looking pages, but I wonder if 
> anybody has any hot tips on this so I don't feel like I am completely 
> reinventing the wheel.

Use FreeRADIUS 3.0.0-rc1, the LDAP module is SIGNIFICANTLY better.

For redundancy/resilience you can either just point the module at a round-robin 
FQDN, or set a comma delimited list of servers in the 'server' config item, 
libldap handles the failover.

Arran Cudbard-Bell  FreeRADIUS Development Team



RE: problem with initial setup solved

2013-09-09 Thread Swenson, Chris
I guess I need to recycle my 2002 Shell O'Reilly book.

-Original Message-
From: freeradius-users-bounces+cswenson=curry@lists.freeradius.org 
[mailto:freeradius-users-bounces+cswenson=curry@lists.freeradius.org] On 
Behalf Of Swenson, Chris
Sent: Monday, September 09, 2013 1:27 PM
To: FreeRadius users mailing list
Subject: RE: problem with initial setup

That did it, 
In version 1, radtest must have been installed with radius, not as a 
separate package.

I have now also successfully tested.
I wonder why in the ticket I opened with Red Hat support they did not 
suggest the upgrade.

Thanks to all.
Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com] 
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
> Ok, uninstalled #1 and updated to freeradius2
> 
> radiusd started without a hitch with  testing Cleartext-Password := 
> "password" in users file.
> 
> When I ran  radtest testing password localhost 0 testing123
> 
> Received  -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or

read how to use the yum package manager.


-- 
John


problem with initial setup

2013-09-09 Thread Swenson, Chris
Hi all, I have not used radius in about 15 years and found a need recently. 
I have set up the rpm on a Red Hat 5.6 server and when I run radius -X the 
system starts fine with the expected info.

When I enter the suggested first line in the users file, testing 
Cleartext-Password := "password", and then rerun radius -X, it bombs and 
does not start.
See output below. Without this running I cannot do the radtest.
Thanks for any guidance.

[root@ldap1 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
/etc/raddb/users[91]: Parse error (check) for entry testing: Unknown attribute 
"Cleartext-Password"
Errors reading /etc/raddb/users
radiusd.conf[1059]: files: Module instantiation failed. 
radiusd.conf[1837] Unknown module "files".
radiusd.conf[1773] Failed to parse authorize section. 
[root@ldap1 raddb]#


RE: problem with initial setup

2013-09-09 Thread Swenson, Chris
That did it, 
In version 1, radtest must have been installed with radius, not as a 
separate package.

I have now also successfully tested.
I wonder why in the ticket I opened with Red Hat support they did not 
suggest the upgrade.

Thanks to all.
Chris S.

-Original Message-
From: John Dennis [mailto:jden...@redhat.com] 
Sent: Monday, September 09, 2013 1:11 PM
To: FreeRadius users mailing list
Cc: Swenson, Chris
Subject: Re: problem with initial setup

On 09/09/2013 12:52 PM, Swenson, Chris wrote:
> Thanks for the replies:
> Ok, uninstalled #1 and updated to freeradius2
> 
> radiusd started without a hitch with  testing Cleartext-Password := 
> "password" in users file.
> 
> When I ran  radtest testing password localhost 0 testing123
> 
> Received  -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or

read how to use the yum package manager.


-- 
John


RE: problem with initial setup

2013-09-09 Thread Swenson, Chris
Thanks for the replies:
Ok, uninstalled #1 and updated to freeradius2

radiusd started without a hitch with testing Cleartext-Password := 
"password" in users file.

When I ran  radtest testing password localhost 0 testing123

Received  -bash: /usr/bin/radtest: No such file or directory

For academics' sake here is the radius -X output. (definitely not my granddad's 
radius)

[root@ldap1 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 
at 10:55:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home