from:"Yizhi Lao"

Why is the post-auth process result returned by jRadius Module over-written by freeradius?

2006-04-04 Thread Yizhi Lao

Hi all,

   I am struggling with this issue right now.  I have
installed a JRadius module on FreeRadius 1.1.0 , and
made FreeRadius to call the Jradius module in
post-auth section. The Jradius handler is supposed to
replace the access-accept packet obtained from prior
authentication with a access-challenge packet.  My
logs show that rlm_jradius has correctly return
FreeRadius an Access-challenge module, with code 11.
However, Freeradius still returns an Access-accept to
the client (which is an radtest program).  Does anyone
know what is the possible reason?  Or maybe someone
can enlighten me as which part of the freeradius code
is actually handling this portion, so I can take a
look?

following is the debug output of freeradius: (the
dashed line and below are of the primary concern)

Thank you very much?

rad_recv: Access-Request packet from host
127.0.0.1:4820, id=197, length=64
User-Name = hellouser123
User-Password = [EMAIL PROTECTED]
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Wed Apr  5 11:51:50 2006 : Debug:   Processing the
authorize section of radiusd.conf
Wed Apr  5 11:51:50 2006 : Debug: modcall: entering
group authorize for request 0
Wed Apr  5 11:51:50 2006 : Debug:  
modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 0
Wed Apr  5 11:51:50 2006 : Error: Invalid operator for
item Suffix: reverting to '=='
Wed Apr  5 11:51:50 2006 : Error: Invalid operator for
item Suffix: reverting to '=='
Wed Apr  5 11:51:50 2006 : Error: Invalid operator for
item Suffix: reverting to '=='
Wed Apr  5 11:51:50 2006 : Debug:  
modsingle[authorize]: returned from preprocess
(rlm_preprocess) for request 0
Wed Apr  5 11:51:50 2006 : Debug:  
modcall[authorize]: module preprocess returns ok for
request 0
Wed Apr  5 11:51:50 2006 : Debug:  
modsingle[authorize]: calling ldap (rlm_ldap) for
request 0
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: -
authorize
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: performing
user authorization for hellouser123
Wed Apr  5 11:51:50 2006 : Debug: radius_xlat: 
'((cn=hellouser123)(objectclass=user))'
Wed Apr  5 11:51:50 2006 : Debug: radius_xlat: 
'cn=Users,dc=hellotechnology,dc=com'
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap:
ldap_get_conn: Checking Id: 0
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap:
ldap_get_conn: Got Id: 0
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: attempting
LDAP reconnection
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap:
(re)connect to 10.26.1.202:389, authentication 0
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: bind as
cn=krazy,cn=Users,dc=hellotechnology,dc=com/welcome123
to 10.26.1.202:389
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: waiting
for bind result ...
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: Bind was
successful
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: performing
search in cn=Users,dc=hellotechnology,dc=com, with
filter ((cn=hellouser123)(objectclass=user))
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: checking
if remote access for hellouser123 is allowed by
msNPAllowDialin
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: looking
for check items in directory
...
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: looking
for reply items in directory...
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: user
hellouser123 authorized to use remote access
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap:
ldap_release_conn: Release Id: 0
Wed Apr  5 11:51:50 2006 : Debug:  
modsingle[authorize]: returned from ldap (rlm_ldap)
for request 0
Wed Apr  5 11:51:50 2006 : Debug:  
modcall[authorize]: module ldap returns ok for
request 0
Wed Apr  5 11:51:50 2006 : Debug: modcall: leaving
group authorize (returns ok) for request 0
Wed Apr  5 11:51:50 2006 : Debug:  
rad_check_password:  Found Auth-Type ldap
Wed Apr  5 11:51:50 2006 : Debug: auth: type LDAP
Wed Apr  5 11:51:50 2006 : Debug:   Processing the
authenticate section of radiusd.conf
Wed Apr  5 11:51:50 2006 : Debug: modcall: entering
group LDAP for request 0
Wed Apr  5 11:51:50 2006 : Debug:  
modsingle[authenticate]: calling ldap (rlm_ldap) for
request 0
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: -
authenticate
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: login
attempt by hellouser123 with password [EMAIL PROTECTED]
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: user DN:
CN=hellouser123,CN=Users,DC=HelloTechnology,DC=com
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap:
(re)connect to 10.26.1.202:389, authentication 1
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: bind as
CN=hellouser123,CN=Users,DC=HelloTechnology,DC=com/[EMAIL PROTECTED]
to 10.26.1.202:389
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: waiting
for bind result ...
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: Bind was
successful
Wed Apr  5 11:51:50 2006 : Debug: rlm_ldap: user
hellouser123 authenticated succesfully
Wed Apr  5 11:51:50 2006 : Debug:  
modsingle[authenticate]: returned from ldap (rlm_ldap)
for request 0
Wed Apr  5 11:51:50 2006 : Debug:  
modcall[authenticate]: module ldap returns ok for
request 0
Wed Apr  5 11:51:50

JRadius module for post-auth

2006-04-03 Thread Yizhi Lao

Hi,

   This is related to my previous mail on setting up
Freeradius for 2 factor authentication with
chanllenge-response.  I looked at what JRadius module
can do and am going to attempt the following approach

1. insert a JRadius module into the post-auth
section, such that the module will process an
Access-Accept packet into an Access-Chanllange
packet

Question: is this allowed by FreeRadius? i.e. would
FreeRadius allow an module in post-auth to change
the packet type(Code)?

2. insert a JRadius module into either the authorize
or authenticate section, such that it will recognize
an access-request packet which answers the chanllenge,
and process it using its own logic

Question: Would freeradius allow a module called in
authorize part to directly accept or reject a
request, without making it go through to the
authenticate section?

Thank you and best regards
Kaden 



--- Alan DeKok [EMAIL PROTECTED] wrote:

 Yizhi Lao [EMAIL PROTECTED] wrote:
  What I am worried about is not the second
 authentication method, but
  to chain two authentication together. is there any
 convenient way to
  do it?
 
   As I said, you have to write you own module to do
 this.
 
   The example module that is included with the
 server shows how to
 chain two authentications together.  Take a look at
 it.
 
   Alan DeKok.
 
 - 
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 


__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Setup Freeradius for Challenge response authentication

2006-04-02 Thread Yizhi Lao

Dear all, I am a new user of freeradius, currently using freeradius 1.1.0 on Redhat Linux. I wish to setup freeradius for a 2 factor authentication, such that: NAS issue an Access-Request to Radius server Radius server authenticate against LDAP once successful -- Radius server then issue an Access-Chanllenge to NAS (second factor, asking for an additional password/token) NAS reply with an Acces-Request Radius server then authenticate the second Access-request and reply to NAS. The above is roughly the authentication flow I wish to achieve. After reading the configuration setup instructions, I still have no clue where to start with the configuration, can some one please enlighten me? Is there a custom built radius module required?Thanks in advance for all the helpregardsKaden 
		New Yahoo! Messenger with Voice. Call regular phones from your PC for low, low rates.- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Setup Freeradius for Challenge response authentication

2006-04-02 Thread Yizhi Lao

Hi Alan, thank you for the response. What I am worried about is not the second authentication method, but to chain two authentication together. is there any convenient way to do it? Say: First access request, authenticated against LDAP, Radisu server reply with an Access challenge, NAS answers chanllenge, the answer is authenticated against LDAP again.Is it possible?Thanks and best regardsKaden  Alan DeKok [EMAIL PROTECTED] wrote: Yizhi Lao <[EMAIL PROTECTED]> wrote:I am a new user of freeradius, currently using freeradius 1.1.0 on Redhat Linux. I wish to setup freeradius for a 2 factor authentication, such that:NAS issue an Access-Request to Radius server   Radius server authenticate
 against LDAP   once successful --   Radius server then issue an Access-Chanllenge  to NAS (second factor, asking for  an additional password/token)   NAS reply with an Acces-Request   Radius server then authenticate the second Access-request and reply to NAS.  This is a very unusual request, since it isn't tied to anauthentication method.  You will have to write a module to do this.  Alan DeKok.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
		New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Why is the post-auth process result returned by jRadius Module over-written by freeradius?

JRadius module for post-auth

Setup Freeradius for Challenge response authentication

Re: Setup Freeradius for Challenge response authentication

4 matches

Site Navigation

Mail list logo

Footer information