Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Don
On Fri, Sep 27, 2013 at 6:34 AM, Alan DeKok al...@deployingradius.com wrote:

 Don wrote:
  I tried one of these inside the gtc sub-section of eap.conf, but it doesn't
  seem to work:
  auth_type = ntlm_auth

   Setting that *should* be one step of a working configuration.


Ok, thank you for confirming that the above is one step towards a working
configuration.



  or
  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
  --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}

   Set where?  You have been *very* vague about what you're doing.  Is it
 a secret?


Nothing secret; as I said, I tried both configurations (one at a time) inside
the gtc sub-section of eap.conf.



  Though I haven't tried replacing User-Password with Cleartext-Password.

   Don't do that.  Trying random things is *always* a bad idea.


Thank you for confirming again. I won't change it in this case.



  Do I have to place this under gtc sub-section inside inner-eap?

   No.  You have to configure the ntlm_auth module, and the ntlm_auth
 sub-section of the authenticate section.  All of that is documented in
 the deployingradius.com page.

  See my comment earlier. Did I place the configuration at the right
  sub-section?

   I have no idea.  You've been careful to say as little as possible, in
 a manner which is as confusing as possible.


I tried both of the configurations mentioned earlier inside the gtc
sub-section of eap.conf.


  Yes, I saw the ntlm_auth configuration under modules/mschap and
  modules/ntlm_auth. As stated in my first email, I am able to configure
  freeRadius to authenticate against our Active Directory using
  EAP-MSCHAPv2 (ntlm_auth) and I am looking to see if using EAP-GTC will
  work as well.

   It WILL work.  Just set auth_type = ntlm_auth in the gtc
 configuration.  As I said.


I did that, but that didn't work. Perhaps I didn't configure the ntlm_auth
module, though modules/ntlm_auth was created when I configured
EAP-MSCHAPv2 with ntlm_auth.



  As I mentioned earlier, I tried both auth_type = ntlm_auth and the ntlm_auth
  = /usr/bin/ntlm_auth ... command execution, but neither works.

   So... rather than following instructions, you're trying random things.

   How about running it in debugging mode, as suggested in the FAQ, man
 page, web pages, and daily on this list?

   The reason we recommend it is that IT WORKS.  If you're trying random
 nonsense, you're wasting your time, and ours.


So far I have tried adding two configurations inside gtc sub-section of
eap.conf. Nothing else was touched. I did run in debug mode (with -XX) and
I will capture the error later.



  The reason I am asking about multiple challenges is that I am
  currently evaluating another vendor's solution for multi-factor
  authentication through EAP-PEAP/TLS with EAP-GTC, and that solution prompts
  for 2 additional inputs during authentication. Here is the
  link: https://www.duosecurity.com/docs/netmotion. I thought if they can
  do it, freeRadius can do it as well.

   The issue is the EAP-GTC specification, and the clients.  Last I
 recall, it didn't support multiple challenge-responses.

   If it does, then it's possible to upgrade FreeRADIUS to do it.  As
 always,


My understanding of RADIUS is that the client sends an Access-Request and waits
for one of Access-Reject, Access-Accept, or Access-Challenge. If it gets an
Access-Challenge, and later gets another Access-Challenge, it will keep
responding until it gets an Access-Accept or Access-Reject. The client that I am
using is NetMotion Mobility XE.

Thank you once again for your response. Apologies if I am wasting your
time; that is not my intention.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
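Added example, not from this thread or from the FreeRADIUS project: the Access-Request / Access-Challenge loop described in the message above, with a constructed client and a constructed server that asks for a second input after the password. Packets are plain Python dicts rather than wire bytes; the credential store, the "Token:" prompt and the MAX_ROUNDS client limit are invented for the example. What it adds to the description is the part RFC 2865 makes mandatory: the State attribute the server puts in each Access-Challenge has to be copied back unchanged by the client, and here the server makes each State single-use so that a replayed request is rejected.

```python
"""Added example (not from the post or FreeRADIUS): the RADIUS
request/challenge loop, with both the client and server sides as Python."""
import secrets

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
MAX_ROUNDS = 5  # constructed limit: the client gives up after this many replies


def _reject():
    return {"code": ACCESS_REJECT, "attrs": {}}


class ChallengeServer:
    """Constructed server: checks the password, then challenges for a second
    input before accepting.  The State attribute is opaque to the client and
    must come back unmodified; each State is valid for exactly one request."""

    def __init__(self, credentials):
        # constructed credential store: user -> (password, second input)
        self.credentials = credentials
        self.sessions = {}  # State bytes -> user the State was issued to

    def handle(self, request):
        if request["code"] != ACCESS_REQUEST:
            return _reject()
        attrs = request["attrs"]
        user = attrs.get("User-Name")
        # RFC 2865 section 2.1: the answer to a challenge travels in User-Password
        answer = attrs.get("User-Password")
        state = attrs.get("State")
        if user not in self.credentials:
            return _reject()
        password, second = self.credentials[user]
        if state is None:
            # First round: a request without State starts a new dialogue.
            if answer != password:
                return _reject()
            new_state = secrets.token_bytes(16)
            self.sessions[new_state] = user
            return {"code": ACCESS_CHALLENGE,
                    "attrs": {"State": new_state, "Reply-Message": "Token:"}}
        # Later rounds: State must be one we issued to this user, and it is
        # consumed here so a replayed request cannot reuse it.
        if self.sessions.pop(state, None) != user:
            return _reject()
        if answer != second:
            return _reject()
        return {"code": ACCESS_ACCEPT, "attrs": {}}


def radius_client(server, user, answers, echo_state=True):
    """The client behaviour from the post: send an Access-Request, answer each
    Access-Challenge (echoing its State), stop on Access-Accept or Access-Reject.
    Returns (final code, or None if the client gave up, transcript of codes)."""
    answers = iter(answers)
    request = {"code": ACCESS_REQUEST,
               "attrs": {"User-Name": user, "User-Password": next(answers)}}
    transcript = []
    for _ in range(MAX_ROUNDS):
        reply = server.handle(request)
        transcript.append((request["code"], reply["code"]))
        if reply["code"] != ACCESS_CHALLENGE:
            return reply["code"], transcript
        try:
            answer = next(answers)
        except StopIteration:
            return None, transcript  # a prompt the client cannot answer
        request = {"code": ACCESS_REQUEST,
                   "attrs": {"User-Name": user, "User-Password": answer}}
        if echo_state:
            request["attrs"]["State"] = reply["attrs"]["State"]
    return None, transcript


if __name__ == "__main__":
    srv = ChallengeServer({"don": ("pw", "123456")})  # constructed credentials
    print(radius_client(srv, "don", ["pw", "123456"]))
```

Calling radius_client with echo_state=False shows what happens when a client drops State: the server cannot tie the second request to the dialogue, treats it as a fresh login, checks the second answer as a password and rejects it.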

Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-27 Thread Don
Alan,

I finally made EAP-GTC with ntlm_auth work. Basically, my initial
configuration inside the gtc sub-section of raddb/eap.conf was correct, and
modifying raddb/modules/ntlm_auth from %{mschap:User-Name} to
%{User-Name} was also correct. I can also use
%{%{mschap:User-Name}:-%{User-Name}}; that is also working fine and won't
break mschap testing through radtest.

The problem lay somewhere else, in this case in the file
raddb/users, where the following line had been added when I configured
freeRadius with EAP-MSCHAPv2 and tested it with radtest:
DEFAULT  Auth-Type := ntlm_auth

Once I removed that line from raddb/users, EAP-GTC with ntlm_auth works.
So, the gtc sub-section inside raddb/eap.conf is as follows:

gtc {
    challenge = "Password: "
    auth_type = ntlm_auth
}

and raddb/modules/ntlm_auth content:

exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{mschap:User-Name}:-%{User-Name}} --password=%{User-Password}"
}

Again, thank you for all the support.


Regards,
Dono

On Fri, Sep 27, 2013 at 9:50 AM, Alan DeKok al...@deployingradius.com wrote:

 Don wrote:
  Nothing secret; as I said, I tried both configurations (one at a time)
  inside the gtc sub-section of eap.conf.

   That's a problem.  NOTHING in the documentation or examples says to do
 that.  LOTS of documentation and examples give the CORRECT way to use
 ntlm_auth.

  I did that, but that didn't work.

   See the FAQ for "it doesn't work".

  Perhaps I didn't configure the
  ntlm_auth module though there is modules/ntlm_auth created when I
  configured EAP-MSCHAPv2 with ntlm_auth.

   Perhaps you could try following the examples on deployingradius.com,
 or the examples distributed with the server.

  My understanding of RADIUS is that the client sends an Access-Request and
  waits for one of Access-Reject, Access-Accept, or Access-Challenge. If it
  gets an Access-Challenge, and later gets another Access-Challenge, it
  will keep responding until it gets an Access-Accept or Access-Reject. The
  client that I am using is NetMotion Mobility XE.

   Which is all useless and irrelevant.  I asked about the EAP-GTC spec,
 not RADIUS.

  Thank you once again for your response. Apologies if I am wasting your
  time; that is not my intention.

   If you ask questions on this list, you need to follow the instructions
 we give.  Doing anything else is rude.

   You've been very careful to say as little as possible about what
 you're doing.  You've also been careful to NOT follow the documentation
 or examples.

   That explains why you're having issues making it work.

   Alan DeKok.

EAP-PEAP GTC vs MSCHAPv2

2013-09-26 Thread Don
All,

I have successfully configured freeRadius using EAP-PEAP with:
1. GTC to authenticate user against local password
2. MSCHAPv2 to authenticate user against Active Directory via ntlm_auth
following instructions on this link:
http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

I also understand from reading this link that EAP-GTC can be used
(compatible) with ntlm_auth:
http://deployingradius.com/documents/protocols/compatibility.html

That said, if EAP-GTC can be used along with ntlm_auth, how do I configure
it to make that work? I tried to execute ntlm_auth passing
--password=%{User-Password}, but that didn't work, as User-Password is
empty. It says in eap.conf that GTC challenges the user with text and the
response from the user is taken to be the User-Password. Perhaps I am
executing ntlm_auth too early, before the GTC Password challenge is sent out
and the response is received.

My questions are:
1. How can I configure freeRadius so GTC will work with ntlm_auth?
2. Is it possible to send a subsequent GTC challenge in addition to the default
Password challenge? If possible, how do I configure the subsequent GTC
challenge?


Thank you.

Re: EAP-PEAP GTC vs MSCHAPv2

2013-09-26 Thread Don
Alan,

Thank you for your reply and please find my inline response below.


On Thu, Sep 26, 2013 at 7:54 PM, Alan DeKok al...@deployingradius.com wrote:

 Don wrote:
  That said, if EAP-GTC can be used along with ntlm_auth how do I
  configure it to make that work?

   Read the gtc sub-section of eap.conf.  It tells you how to make
 EAP-GTC use a particular authentication method.


I tried one of these inside the gtc sub-section of eap.conf, but it doesn't seem
to work:
auth_type = ntlm_auth
or
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{User-Name} --password=%{User-Password}

Though I haven't tried replacing User-Password with Cleartext-Password.
Do I have to place this under gtc sub-section inside inner-eap?


  I tried to execute ntlm_auth passing
  --password=%{User-Password}, but that didn't work, as User-Password is
  empty.

   You tried *where*?  That matters.


See my comment earlier. Did I place the configuration at the right
sub-section?



  It says in eap.conf that GTC challenges the user with text and
  the response from the user is taken to be the User-Password. Perhaps I
  am executing ntlm_auth too early, before the GTC Password challenge is sent
  out and the response is received.
 
  My questions are:
  1. How can I configure freeRadius so GTC will work with ntlm_auth?

   a) configure ntlm_auth as per the deployingradius.com docs, and the
 examples in the config files


Yes, I saw the ntlm_auth configuration under modules/mschap and
modules/ntlm_auth. As stated in my first email, I am able to configure
freeRadius to authenticate against our Active Directory using EAP-MSCHAPv2
(ntlm_auth) and I am looking to see if using EAP-GTC will work as well.


   b) tell EAP-GTC to use ntlm_auth as per the examples in the gtc
 configuration.


As I mentioned earlier, I tried both auth_type = ntlm_auth and the ntlm_auth =
/usr/bin/ntlm_auth ... command execution, but neither works.


  2. Is it possible to send a subsequent GTC challenge in addition to the
  default Password challenge? If possible, how do I configure the
  subsequent GTC challenge?

   No.  EAP-GTC is only challenge-response.  It doesn't do multiple
 challenges.


The reason I am asking about multiple challenges is that I am
currently evaluating another vendor's solution for multi-factor
authentication through EAP-PEAP/TLS with EAP-GTC, and that solution prompts
for 2 additional inputs during authentication. Here is the link:
https://www.duosecurity.com/docs/netmotion. I thought if they can do it,
freeRadius can do it as well.

  Alan DeKok.



Regards,
Dono

ascend data filters not being returned

2008-02-02 Thread Don James
Hi,

When I run radtest, I get the following response:

Sending Access-Request of id 64 to 192.168.1.41 port 1645
User-Name = [EMAIL PROTECTED]
User-Password = donjames
NAS-IP-Address = 255.255.255.255
NAS-Port = 5
rad_recv: Access-Accept packet from host 192.168.1.41:1645, id=64, length=20

As you can see, the data from the ascend data filters is not being returned.  
I suspect that I have somehow turned on encryption.  How do I set plain 
text communication?

Sincerely,

Don James
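Added example, not code from this thread, from radtest or from FreeRADIUS: a minimal RFC 2865 encoder and checker in Python. It builds an Access-Request carrying the four attributes shown in the radtest output above, hides User-Password the way every RADIUS client must (the MD5-based hiding of RFC 2865 section 5.2 is part of the protocol, not an option that can be switched to plain text), splits the attribute area of a reply into (type, value) pairs, and verifies the reply's Response Authenticator against the shared secret. The shared secret and the username in the test are constructed; the NAS-IP-Address and NAS-Port values mirror the output above. A reply of length 20 is a bare header with no attributes, which is what an empty list from parse_attributes shows.

```python
"""Added example (not from the post, radtest or FreeRADIUS): Access-Request
encoding, RFC 2865 User-Password hiding, and Response Authenticator checks."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with an MD5
    keystream chained off the shared secret and the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the 2-byte header as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_port,
                         authenticator=None):
    """Client side of the radtest exchange: the Request Authenticator is random
    and is what makes the hidden password differ from request to request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD,
                         hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_attributes(payload):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def make_access_accept(request, secret, attrs=b""):
    """Constructed server side.  RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_reply(reply, request, secret):
    """Client check that the reply answers this request (same identifier) and
    was produced by a server holding the shared secret."""
    if len(reply) < HEADER_LEN or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    if reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Since a 20-byte Access-Accept has no attribute area at all, the reply items are being dropped or never added on the server side; the transport is not the place to look.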


Re: Database Population problem with mysql

2007-08-21 Thread Don Krause
I know I'm a newb here, and I'm not a Mysql expert, but it looks to  
me like '-00-00 00:00:00 is clearly outside the allowed range,  
if that range is published as '1000-01-01 00:00:00' - '-12-31  
23:59:59'

On Aug 21, 2007, at 8:59 AM, ram wrote:



 On 8/21/07, Josh Howlett [EMAIL PROTECTED] wrote: Not sure why  
 this is failing; FWIW, according to the MySQL docs:

 The DATETIME type is used when you need values that contain both date
 and time information. MySQL retrieves and displays DATETIME values in
 '-MM-DD HH:MM:SS' format. The supported range is '1000-01-01
 00:00:00' to '-12-31 23:59:59'. 


 Hi

 That's what I am wondering and posted in the group:
 why am I failing to populate the data, which is compatible?

 ram


--
Don




Re: Database Population problem with mysql

2007-08-21 Thread Don Krause
That's what I get for thinking...

I just tried that, ie: create table test (dt datetime NOT NULL  
default '-00-00 00:00:00');

on mysql 3, 4 and 5. No problems. At least not with 'C' or 'en_US'
locales set.

Sorry for wasting the bandwidth...

On Aug 21, 2007, at 10:26 AM, [EMAIL PROTECTED] wrote:

 Hi,
 I know I'm a newb here, and I'm not a Mysql expert, but it looks to
 me like '-00-00 00:00:00 is clearly outside the allowed range,
 if that range is published as '1000-01-01 00:00:00' - '-12-31
 23:59:59'

 just what i was thinking - but it's worked until now ..hang on...

 nope. even 2.0 CVS has all 0's  (though as you say...maybe it
 shouldn't)
 though 2.0 now doesn't CapiTaliZe the variables.

 what version of mysql are you running? 3.x or 4.x might be very fussy?

 alan


--
Don







Use of hints to preselect EAP type

2007-05-31 Thread Don Peoples
If the RADIUS User-Name were prefixed with a string to indicate its preferred 
EAP type for authentication, could the hints file be used to force first that 
EAP authentication be used, and then that the indicated EAP type be used? This 
would be desirable to minimize response time. If so, how would this be 
configured? Thanks.



Multiple server certificates in EAP-TLS or EAP-TTLS

2007-05-29 Thread Don Peoples
Multiple RADIUS clients can be defined in the clients.conf file. Is there a way 
to define the location of a server certificate for each client? I'm envisioning 
a single freeRadius server supporting multiple client authenticators. I want 
each authenticator to be able to send a unique certificate to identify itself 
to its supplicants. It appears that the certificate_file parameter in the 
eap.conf file would only support a single certificate.




Re: Dialup admin help

2007-01-15 Thread Don Schultz
I am using php4, works fine. I am using debian so all I had to do was
'apt-get install freeradius-dialupadmin'

-- 
Don Schultz
http://www.airdial.net

 Does it work with PHP4 or should I install 3?


 On 1/8/07 1:07 PM, Greg Hartung [EMAIL PROTECTED] wrote:

 Any ideas where to begin?  Is this an apache, php or mysql problem?


 On 1/5/07 9:14 PM, Don Schultz [EMAIL PROTECTED] wrote:

 I'm still not completely done with my setup of dialupadmin but when I
 first set things up I found that groups only display on the group page
 if there are users in them.

 Second, a white screen suggests a problem. sql_debug does output to the
 browser window, provided php and all that are working correctly.

 --
 Don Schultz

 Airdial Technologies
 http://www.airdial.net


 Greg Hartung wrote:
 I have had FreeRadius and Mysql authenticating users for months
 but now I am trying to get dialup admin working for the first time.  The
 main page loads fine.  Find User does load a search page but won't return
 any users and Show Groups loads a header with no groups.  The rest of the
 menu items are either a blank white or blank green screen.

I am using Mysql and I have configured user,pwd, dbname, etc. in
 admin.conf and I have run the 4 create table scripts.

Does it log anywhere?
How do I tell if it's hitting the db?
Or what should I try next?

 Thanks!
 Greg



Re: Dialup admin help

2007-01-05 Thread Don Schultz
I'm still not completely done with my setup of dialupadmin but when I 
first set things up I found that groups only display on the group page 
if there are users in them.


Second, a white screen suggests a problem. sql_debug does output to the 
browser window, provided php and all that are working correctly.


--
Don Schultz

Airdial Technologies
http://www.airdial.net


Greg Hartung wrote:

   I have had FreeRadius and Mysql authenticating users for months
but now I am trying to get dialup admin working for the first time.  The
main page loads fine.  Find User does load a search page but won't return
any users and Show Groups loads a header with no groups.  The rest of the
menu items are either a blank white or blank green screen.

   I am using Mysql and I have configured user,pwd, dbname, etc. in
admin.conf and I have run the 4 create table scripts.

   Does it log anywhere?
   How do I tell if it's hitting the db?
   Or what should I try next?

Thanks!
Greg



dictionary: adding MONTHLY-TIME-LIMIT

2005-12-06 Thread don
Hi,

I am trying to add MONTHLY-TIME-LIMIT to the freeradius dictionary.  I
will be using this parameter in the radreply table of the freeradius database.

Exactly how do I add this to the freeradius dictionary?

Sincerely,


Don James 

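Added example, not from this thread or from the FreeRADIUS project: a small Python loader for the ATTRIBUTE and VALUE lines of the dictionary file format (the format `man dictionary` describes), run over a constructed fragment that defines Monthly-Time-Limit the way a local entry in raddb/dictionary would. The attribute numbers 3001 and 3002 and the list of data types are placeholders for the example, not assignments from any real dictionary. The loader rejects the mistakes a dictionary edit most easily introduces (duplicate names or numbers, an unknown data type, a VALUE line for an attribute that is not an integer), and resolve() shows how a name=value pair such as a radreply row maps back to the attribute number.

```python
"""Added example (not FreeRADIUS code): loader for ATTRIBUTE/VALUE lines in
the FreeRADIUS dictionary format.  The sample text is constructed; 3001 and
3002 are placeholder numbers chosen for the example."""
import re

SAMPLE_DICTIONARY = """\
# constructed local definitions, as they would appear in raddb/dictionary
ATTRIBUTE   Monthly-Time-Limit   3001   integer
ATTRIBUTE   Local-Note           3002   string
VALUE       Monthly-Time-Limit   Unlimited   0
"""

# Subset of the data types the format allows (assumed list for the example).
DATA_TYPES = {"string", "integer", "ipaddr", "date", "octets", "ipv6addr"}
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


class Dictionary:
    def __init__(self):
        self.attributes = {}  # name -> (number, data type)
        self.by_number = {}   # number -> name
        self.values = {}      # attribute name -> {value name: integer}

    def load(self, text):
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split("#", 1)[0].strip()  # '#' starts a comment
            if not line:
                continue
            fields = line.split()
            if fields[0] == "ATTRIBUTE" and len(fields) == 4:
                self._add_attribute(fields[1], fields[2], fields[3], lineno)
            elif fields[0] == "VALUE" and len(fields) == 4:
                self._add_value(fields[1], fields[2], fields[3], lineno)
            else:
                raise ValueError(f"line {lineno}: unsupported or malformed: {raw!r}")
        return self

    def _add_attribute(self, name, number, dtype, lineno):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"line {lineno}: bad attribute name {name!r}")
        if dtype not in DATA_TYPES:
            raise ValueError(f"line {lineno}: unknown data type {dtype!r}")
        if not number.isdigit():
            raise ValueError(f"line {lineno}: attribute number must be decimal")
        num = int(number)
        if name in self.attributes or num in self.by_number:
            raise ValueError(f"line {lineno}: duplicate attribute {name}/{num}")
        self.attributes[name] = (num, dtype)
        self.by_number[num] = name

    def _add_value(self, attr, vname, number, lineno):
        # VALUE names are only meaningful for integer attributes already defined
        if self.attributes.get(attr, (None, None))[1] != "integer":
            raise ValueError(f"line {lineno}: VALUE needs an existing integer attribute")
        self.values.setdefault(attr, {})[vname] = int(number)

    def resolve(self, name, value):
        """Map a 'name = value' reply item (for example a radreply row) to
        (attribute number, integer or string value), honouring VALUE names."""
        num, dtype = self.attributes[name]
        if dtype == "integer":
            named = self.values.get(name, {})
            return num, named[value] if value in named else int(value)
        return num, value


if __name__ == "__main__":
    d = Dictionary().load(SAMPLE_DICTIONARY)
    print(d.attributes, d.resolve("Monthly-Time-Limit", "Unlimited"))
```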



Re: dictionary: adding MONTHLY-TIME-LIMIT

2005-12-06 Thread don james
Oh, yeah, right.  It may as well be written in Greek.  Thanks for nothing.

On Tue, 6 Dec 2005 18:04:06 -0500, [EMAIL PROTECTED] wrote:

don james [EMAIL PROTECTED] wrote:
 Exactly how do I add this to the freeradius dictionary?

$ man dictionary

  Alan DeKok.


Re: dictionary: adding MONTHLY-TIME-LIMIT

2005-12-06 Thread don james
Hi Alan,

Thanks for your help.  I've read all of the docs that I could find.  I
subscribe to the O'Reilly online books and haven't been able to find much
there.

I am willing to read all of the docs extant.  

Sincerely,

Don James

On Tue, 6 Dec 2005 18:43:50 -0500, [EMAIL PROTECTED] wrote:

don james [EMAIL PROTECTED] wrote:
 Oh, yeah, right.  It may as well be written in Greek.  Thanks for nothing.

  If you want a perfect answer, see:

http://www.freeradius.org/business/

  I'm sure if you pay someone they'll tell you what you need to do.

  If you're not willing to spend the time to read the docs, and you're
not willing to pay anyone, good luck solving the problem.

  I wish you the best.

  Alan DeKok.



freeradius with Gentoo Linux

2005-04-12 Thread don
Hi,

Is anyone using freeradius with Gentoo Linux?

Also, is anyone using freeradius-dialupadmin and mysql?

Sincerely,

Don James
Henderson, Texas USA


 




RADIUS/DIAMETER equivalents for Cable/DSL/802.1x

2005-02-11 Thread Don Richards-Boeff
I have a basic understanding of the application of RADIUS/DIAMETER
technologies to Dialup users. However, where I start to fall short is
how this technology, or its equivalent, applies to Cable/DSL/802.1x
users.

How does an ISP perform the same AAA activities for a
Cable/DSL/wireless user as it would for someone who inherently has to
connect/disconnect frequently, and can be redirected accordingly?

For example, as a dialup user, if you are seriously delinquent paying
a bill, your access can be suspended and you are redirected to a page
requiring payment before access is restored. What technology forces
this behavior for a PPPOE/IPoE user? In the case of Cable, I have
heard reports of bandwidth throttling for delinquent users. I presume
if bandwidth can be throttled, that technology could be applied to
redirect a customer who was delinquent paying their bill.

My thought was that all access could be restricted by using a proxy
server, which then intercepts all HTTP requests and can force a user
to the desired area. However, this does not seem practical if it is
not implemented at inception. If a user has a persistent connection,
do you have to wait for an IP Address lease to expire/refresh to
redirect? What about the implications of interrupting a critical
activity due to a redirection flag (say an E911 call over VOIP, or an
ecommerce transaction in general)?  Essentially, I'm trying to figure
out if RADIUS is the vehicle by which a consistent redirection
experience can be rolled out to all users regardless of access type,
and whether the ISP has a high level of control over that experience. 
Is RADIUS along with other technologies the way to go to control
broadband access (i.e. pushing sync-disable files for cable modems,
PPPoE account suspension for DSL???).

And lastly, can a small ISP roll this level of user authentication out
to all users (DUN/Broadband/Wireless), or is it cost prohibitive?

Sorry for all the questions... Just trying to understand how to speak
the right language here.

-DRB



MySQL and FreeRadius

2005-01-17 Thread don
Hello list,

I am running freeradius and mysql on Gentoo Linux.

I have installed mysql, but can't seem to find the file, db_mysql.sql, so
that I can create the radius database using the command:

mysql -uroot -prootpass radius < db_mysql.sql

Does anyone out there have a clue where db_mysql.sql is hiding?

Thanks,

Don James
Henderson, Texas USA

