Re: redundant-load-balance for AD ntlmauth

2013-04-29 Thread FreeRadius List
Thank you I'll check with the samba people and get a better understanding
of how ntlm_auth works.
On 29 Apr 2013 13:58, "Alan DeKok" wrote:

> FreeRadius List wrote:
> > I use redundant-load-balance for ldap user auth to authenticate users to
> > a pool of active directory servers for one service. That seems to work
> > well.
>
>   Because the LDAP module maintains a long-lived connection to the LDAP
> server.
>
> > I'm trying to think why I don't do that for ntlmauth (used inside mschap
> > inner-tunnel) for another other service.
>
>   It won't work for ntlm_auth.  That re-connects to Samba every time.
>
>   Samba is responsible for maintaining long-lived connections to AD.  If
> ntlm_auth fails, it's because (a) Samba is down, or (b) the AD server is
> down.
>
> > I've knocked that up to test it with mschap modules like (with N being
> > 1,2,3,4,5)
> >
> > mschap mschapadN {
> > with_ntdomain_hack = yes
> > ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key
> > --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
> > --challenge=%{mschap:Challenge:-00}
> > --nt-response=%{mschap:NT-Response:-00}
> > --configfile=/etc/samba/smb-adN.conf"
> > }
> >
> > where /etc/samba/smb-adN.conf is the same as the others except for
> > "password server = adN.domain"
>
>   I'm not sure that will work.  You'll have to check with the Samba people.
>
> > Is this along the lines that others follow?
>
>   No.  I've never seen this before.
>
> > If not, how does ntlmauth handle the AD server being down? Does
> > ntlmauth/winbind handle AD being down so freeradius does not have to?
>
>   Samba handles it.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

redundant-load-balance for AD ntlmauth

2013-04-29 Thread FreeRadius List
Hello

I use redundant-load-balance for ldap user auth to authenticate users to a
pool of active directory servers for one service. That seems to work well.

I'm trying to think why I don't do that for ntlmauth (used inside mschap
inner-tunnel) for another service.

I've knocked that up to test it with mschap modules like (with N being
1,2,3,4,5)

mschap mschapadN {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --configfile=/etc/samba/smb-adN.conf"
}

where /etc/samba/smb-adN.conf is the same as the others except for
"password server = adN.domain"

and then in the inner-tunnel site I have

authenticate {
    Auth-Type MS-CHAP {
        redundant-load-balance {
            mschapad1
            mschapad2
            ..
            mschapadN
        }
    }
}

Is this along the lines that others follow? If not, how does ntlmauth
handle the AD server being down? Does ntlmauth/winbind handle AD being
down so freeradius does not have to?

Thanks,

Neil
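What the per-request helper hands back decides whether redundant-load-balance can ever fail over at all: by default it moves on to the next module when one fails and stops when one rejects. The following is an added example, not code from this thread, from FreeRADIUS or from Samba, that reads the result of one ntlm_auth run and sorts it into accept, reject or fail. It uses the NT_KEY line and the winbindd_privileged message quoted on this page plus one constructed wrong-password line; the accept/reject/fail mapping is the example's own, not rlm_mschap's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# NT_STATUS_LOGON_FAILURE: the status winbind reports for a wrong password.
NT_STATUS_LOGON_FAILURE = 0xC000006D

# "NT_KEY: <hex>" is what ntlm_auth --request-nt-key prints on success.
NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)
NT_STATUS_RE = re.compile(r"\(0x([0-9A-Fa-f]+)\)")

# Sample helper outputs. The first two are the lines quoted on this page
# (the NT_KEY from the MSCHAPv2 thread, the winbind message from the
# Samba3x thread); the third is constructed to stand for a wrong password.
SAMPLE_OK = "NT_KEY: DDE9BB9EA12ED17BE5F358CB53EE6A8F\n"
SAMPLE_WINBIND_PERMS = (
    "winbind client not authorized to use winbindd_pam_auth_crap. Ensure "
    "permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc022)\n"
)
SAMPLE_BAD_PASSWORD = "Logon failure (0xc000006d)\n"   # constructed


@dataclass
class NtlmAuthResult:
    verdict: str              # "accept", "reject" or "fail"
    nt_key: Optional[bytes]   # the 16-byte key on accept, otherwise None
    detail: str


def classify_ntlm_auth(exit_code: int, output: str) -> NtlmAuthResult:
    """Map one ntlm_auth run to the three outcomes that matter for failover.

    Only "fail" lets redundant-load-balance try the next module; "reject"
    ends the request. A wrapper that turns every non-zero exit into a reject
    therefore never fails over, whatever the underlying cause was.
    """
    m = NT_KEY_RE.search(output)
    if exit_code == 0 and m:
        hexkey = m.group(1)
        if len(hexkey) != 32:
            # NT_KEY must be the 16-byte MD4(MD4(password)); MS-CHAPv2 and the
            # MPPE keys cannot be derived from anything else.
            return NtlmAuthResult("fail", None, f"NT_KEY is {len(hexkey)} hex digits, expected 32")
        return NtlmAuthResult("accept", bytes.fromhex(hexkey), "NT_KEY present")
    s = NT_STATUS_RE.search(output)
    if s and int(s.group(1), 16) == NT_STATUS_LOGON_FAILURE:
        return NtlmAuthResult("reject", None, "logon failure: wrong credentials")
    # Everything else (winbind socket permissions, winbind or AD unreachable,
    # helper crashed) is an infrastructure fault, not a decision about the user.
    first_line = output.strip().splitlines()[0] if output.strip() else f"exit {exit_code}, no output"
    return NtlmAuthResult("fail", None, first_line)


def demo() -> dict:
    """Classify the three samples; returns {sample name: verdict}."""
    return {
        "ok": classify_ntlm_auth(0, SAMPLE_OK).verdict,
        "winbind_perms": classify_ntlm_auth(1, SAMPLE_WINBIND_PERMS).verdict,
        "bad_password": classify_ntlm_auth(1, SAMPLE_BAD_PASSWORD).verdict,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the split is the one Alan makes: both a wrong password and a broken winbind come back as a non-zero exit with a text line, so a wrapper that does not look at the line cannot tell "reject this user" from "this Samba is unusable", and only the second is something a second smb.conf pointing at another DC could help with.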

how to conf VLAN assign,mac-auth-bypass, and redirect url?

2011-08-04 Thread freeradius
hi all, can anyone show me how to conf VLAN assign, mac-auth-bypass, and
redirect url? thank you very much

Patch for radiusclient: new program radlistdictionary and fixes to PPTP/CHAP problem

2011-07-04 Thread freeradius developer/user identity
I have posted at
  http://www.cardiothink.com/downloads/ 
a set of patches which, when applied to the latest stable
freeradius-client (version 1.1.6) and to the CVS version,
fixes the problem with PPTP and radiusclient that results
in failure of CHAP authentication with the syslog errors:
   rc_avpair_new: unknown attribute 11
   rc_avpair_new: unknown attribute 25
(The problem, for me, turned out to be blanks at the start of
every line in dictionary.microsoft. The patches, among other things,
skip the blanks.) 

Included in the patches is a new program in the src subdirectory that I
have named radlistdictionary (you can change it if you like). It is a
simple program that uses the installed freeradius-client library to read
dictionaries, and it displays the loading and parsing steps explicitly
so that you can see where errors are occurring. (This program requires that
the library itself be patched to show the parsing.)

Fixing problems with the dictionaries is easy once you can see what is
going on! Please see the above web site for more details, and let me know
of any problems.  
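The failure mode described above, as an added example that is neither the radiusclient code nor the posted patch: a small dictionary reader in Python that, in strict mode, drops any line whose keyword is not in column 0 and so cannot resolve Microsoft attributes 11 and 25, and in patched mode strips the leading blanks first. The dictionary text is constructed here in the freeradius-client column layout (ATTRIBUTE name number type vendor).

```python
from dataclasses import dataclass, field

MICROSOFT_VENDOR_ID = 311   # enterprise number that dictionary.microsoft declares

# Constructed sample in the freeradius-client dictionary format. Every line
# of the Microsoft part starts with a blank, the condition the post describes.
SAMPLE_DICTIONARY = """\
ATTRIBUTE   User-Name           1   string
 # dictionary.microsoft fragment (constructed); note the leading blanks
 VENDOR      Microsoft           311
 ATTRIBUTE   MS-CHAP-Response    1   string  Microsoft
 ATTRIBUTE   MS-CHAP-Challenge   11  string  Microsoft
 ATTRIBUTE   MS-CHAP2-Response   25  string  Microsoft
"""


@dataclass
class Dictionary:
    vendors: dict = field(default_factory=dict)     # vendor name -> vendor id
    attributes: dict = field(default_factory=dict)  # (vendor id, number) -> (name, type)


def parse_dictionary(text: str, skip_leading_blanks: bool) -> Dictionary:
    """Read VENDOR and ATTRIBUTE lines. With skip_leading_blanks=False the
    reader behaves like a strict parser that expects the keyword in column 0:
    an indented line shows it no keyword there and is silently dropped."""
    d = Dictionary()
    for raw in text.splitlines():
        line = raw
        if line[:1].isspace():
            if not skip_leading_blanks:
                continue            # strict reader: nothing it knows at column 0
            line = line.lstrip()    # patched reader: ignore the blanks
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        keyword = fields[0]
        if keyword == "VENDOR" and len(fields) >= 3:
            d.vendors[fields[1]] = int(fields[2])
        elif keyword == "ATTRIBUTE" and len(fields) >= 4:
            name, number, attr_type = fields[1], int(fields[2]), fields[3]
            vendor_id = d.vendors.get(fields[4], 0) if len(fields) >= 5 else 0
            d.attributes[(vendor_id, number)] = (name, attr_type)
        # VALUE lines and unknown keywords are ignored in this example
    return d


def avpair_name(d: Dictionary, number: int, vendor_id: int = 0) -> str:
    """Resolve an attribute number the way an avpair constructor must."""
    entry = d.attributes.get((vendor_id, number))
    if entry is None:
        raise KeyError(f"rc_avpair_new: unknown attribute {number}")
    return entry[0]


def unknown_attributes(d: Dictionary, numbers, vendor_id: int = 0) -> list:
    """Return the numbers that cannot be resolved; [] means the reply loads."""
    missing = []
    for n in numbers:
        try:
            avpair_name(d, n, vendor_id)
        except KeyError:
            missing.append(n)
    return missing


if __name__ == "__main__":
    for skip in (False, True):
        d = parse_dictionary(SAMPLE_DICTIONARY, skip_leading_blanks=skip)
        print(f"skip_leading_blanks={skip}: unknown Microsoft attributes "
              f"{unknown_attributes(d, [11, 25], MICROSOFT_VENDOR_ID)}")
```

Run as a script it prints the two unknown numbers for the strict reader and an empty list for the patched one, which is the whole difference between the syslog errors in the post and a working CHAP exchange.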



Re: MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread freeradius

At 03:43 PM 10/13/2010, Alan DeKok wrote:

> > Wed Oct 13 14:50:57 2010 : Debug: Exec-Program output: NT_KEY:
> > DDE9BB9EA12ED17BE5F358CB53EE6A8F
>
>   Change the version of Samba that you're using.  3.5.5 contains a fix
> which addresses this issue.


Thanks Alan. That server is running samba3x-3.3.8-0.52.el5_5.2, so
that's quite useful!


What's interesting is that I have found a server running 
samba3x-3.3.8-0.52.el5_5 (separate installation, same config files, 
also VPN <> sonicwall) which is not exhibiting this issue. 
Regardless, I'll go see about finding the new samba.


Rick




>   Alan DeKok.


MSCHAP vs MSCHAPv2 for VPN

2010-10-13 Thread freeradius



Using freeradius 2.1.8, I have a sonicwall firewall that 
authenticates VPN users against the freeradius server. The VPN 
clients are the native MSFT VPN client.


When the client is configured for L2TP, MS-CHAP, the client connects. 
When the client is configured for L2TP MSChapv2, the client fails to 
connect with an error "It was not possible to verify the identity of 
the server"


As I understand it, the difference between mschapv1 and v2 is that 
the server sends back an authentication response. Seems like that 
handshake isn't working out? I know I've missed something somewhere. . .



radiusd -xX:
rad_recv: Access-Request packet from host 192.168.104.1 port 3873, 
id=22, length=124

User-Name = "rsteeves"
MS-CHAP-Challenge = 0x68dd158c5082247cfe49fecd9520386a
MS-CHAP2-Response = 
0x010005edd3135eca19372073504d57f8a4b3ab31aff8b876e703bb4141ddc19afff921f6a358cd80b94b

NAS-IP-Address = x.x.x.x
NAS-Port = 0
Wed Oct 13 14:50:57 2010 : Info: server server_vpn {
Wed Oct 13 14:50:57 2010 : Info: +- entering group authorize {...}
Wed Oct 13 14:50:57 2010 : Info: ++[preprocess] returns ok
Wed Oct 13 14:50:57 2010 : Info: [mschap] Found MS-CHAP 
attributes.  Setting 'Auth-Type  = mschap'

Wed Oct 13 14:50:57 2010 : Info: ++[mschap] returns ok
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Wed Oct 13 14:50:57 2010 : Info: [files]expand: 
OU=Enterprise,DC=int,DC=example,DC=com -> 
OU=Enterprise,DC=int,DC=example,DC=com
Wed Oct 13 14:50:57 2010 : Info: [files]expand: 
%{Stripped-User-Name} ->
Wed Oct 13 14:50:57 2010 : Info: [files]... expanding second 
conditional
Wed Oct 13 14:50:57 2010 : Info: [files]expand: %{User-Name} 
-> rsteeves
Wed Oct 13 14:50:57 2010 : Info: [files]expand: 
(&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=rsteeves)(objectClass=person))

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
(&(sAMAccountname=rsteeves)(objectClass=person))
Wed Oct 13 14:50:57 2010 : Error:   [ldap] ldap_search() failed: LDAP 
connection lost.

Wed Oct 13 14:50:57 2010 : Info:   [ldap] Attempting reconnect
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] attempting LDAP reconnection
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] closing existing LDAP connection
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] (re)connect to 
dc.int.example.com:389, authentication 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] bind as 
CN=_UserID,OU=Service Accounts,OU=Special User 
Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I 
to dc.int.example.com:389

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] waiting for bind result ...
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] Bind was successful
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
(&(sAMAccountname=rsteeves)(objectClass=person))

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Oct 13 14:50:57 2010 : Info: [files]expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
(&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRick 
Steeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom

Wed Oct 13 14:50:57 2010 : Debug:   [ldap] object not found
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
CN=Rick 
Steeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with 
filter (objectclass=*)
Wed Oct 13 14:50:57 2010 : Debug:   [ldap] performing search in 
CN=VPN_Users,OU=Security 
Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
We

Certificates

2010-09-15 Thread freeradius




I'm tinkering with my VPN setup using FreeRadius and AD, and getting 
"Not possible to verify the identity of the server". Some googling 
shows that message can be related to certificates.


Some digging through the FreeRadius docs came up with:
  If FreeRADIUS was configured to use OpenSSL, then simply starting
the server in root in debugging mode should also create test
certificates, i.e.:

Does this mean that, presuming I never did create certificates, 
freeradius could function differently in debug mode than when running 
not in debug mode?


Rick



Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp




Re: LDAP VPN Auth yet not in group?

2010-08-24 Thread freeradius

At 04:48 PM 8/24/2010, Rick Steeves wrote:

> I authenticate VPN users where the VPN Server authenticates against
> a LDAP server and FreeRadius 2.1.8 on CentOS. That generally works
> fine. I'm using a user account to authenticate the radius server
> against AD for the queries.
>
> What's odd is though the other user accounts work, I can't authenticate
> with that actual user account (even though it's in the same Security
> group). Multiple other users in the security group VPN_Users work.


I tracked down where this is different.
In huntgroups I have:
VPN_Huntgroup  NAS-IP-Address == x.x.x.x
In users I have:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
Reply-Message := "Authorized Users Only"

For a normal user, I see:
Tue Aug 24 17:02:32 2010 : Info: ++- if (Huntgroup-Name == 
"VPN_Huntgroup") returns ok

Tue Aug 24 17:02:32 2010 : Info: Found Auth-Type = MSCHAP
Tue Aug 24 17:02:32 2010 : Info: +- entering group MS-CHAP {...}

But if the LDAP service account connects with the VPN_Huntgroup set, I see:

Tue Aug 24 16:41:57 2010 : Info: ++- if (Huntgroup-Name == 
"VPN_Huntgroup") returns reject
Tue Aug 24 16:41:57 2010 : Auth: Invalid user: [_sonicwall] (from 
client VPN_SOHO port 0)


If I remove
VPN_Huntgroup  NAS-IP-Address == x.x.x.x
from huntgroups, the normal accounts still work and log the same, but 
the LDAP service account now looks like the normal users account in 
the logs, and defaults to MSCHAP and then everything is ok.


As always, no idea why. Any insights appreciated for why that account 
behaves differently.


Thx.

Rick





LDAP VPN Auth yet not in group?

2010-08-24 Thread freeradius




I authenticate VPN users where the VPN Server authenticates against a 
LDAP server and FreeRadius 2.1.8 on CentOS. That generally works 
fine. I'm using a user account to authenticate the radius server 
against AD for the queries.


What's odd is though the other user accounts work, I can't authenticate 
with that actual user account (even though it's in the same Security 
group). Multiple other users in the security group VPN_Users work.


What seems (to me) to be odd in particular is I see
ue Aug 24 16:41:57 2010 : Info: ++? if (Huntgroup-Name == "VPN_Huntgroup")
Tue Aug 24 16:41:57 2010 : Info: ? Evaluating (Huntgroup-Name == 
"VPN_Huntgroup") -> TRUE
Tue Aug 24 16:41:57 2010 : Info: ++? if (Huntgroup-Name == 
"VPN_Huntgroup") -> TRUE
Tue Aug 24 16:41:57 2010 : Info: ++- entering if (Huntgroup-Name == 
"VPN_Huntgroup") {...}

Tue Aug 24 16:41:57 2010 : Info: +++? if (Ldap-Group == "VPN_Users")
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()


which makes me think it sees the user _sonicwall in the VPN_Users 
group, but then I get:


Tue Aug 24 16:41:57 2010 : Debug: rlm_ldap::ldap_groupcmp: 
ldap_get_values() failed

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Info: ? Evaluating (Ldap-Group == 
"VPN_Users") -> FALSE

Tue Aug 24 16:41:57 2010 : Info: +++? if (Ldap-Group == "VPN_Users") -> FALSE


Any insights appreciated.

Thanks

Rick

Full output below.

rad_recv: Access-Request packet from host 10.4.1.241 port 1196, 
id=26, length=126

User-Name = "_sonicwall"
MS-CHAP-Challenge = 0x780006c8503fee2cdf1d2505fe99f322
MS-CHAP2-Response = 
0x01002f06ff27350f7121396d65349fc61ca9675d0094d1b342dc5f172dc60bd9fd258fb94fc68aac5ff6

NAS-IP-Address = 10.4.1.241
NAS-Port = 0
Tue Aug 24 16:41:57 2010 : Info: server server_vpn {
Tue Aug 24 16:41:57 2010 : Info: +- entering group authorize {...}
Tue Aug 24 16:41:57 2010 : Info: ++[preprocess] returns ok
Tue Aug 24 16:41:57 2010 : Info: [mschap] Found MS-CHAP 
attributes.  Setting 'Auth-Type  = mschap'

Tue Aug 24 16:41:57 2010 : Info: ++[mschap] returns ok
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Tue Aug 24 16:41:57 2010 : Info: [files]expand: 
OU=Enterprise,DC=int,DC=invtitle,DC=com -> 
OU=Enterprise,DC=int,DC=invtitle,DC=com
Tue Aug 24 16:41:57 2010 : Info: [files]expand: 
%{Stripped-User-Name} ->
Tue Aug 24 16:41:57 2010 : Info: [files]... expanding second 
conditional
Tue Aug 24 16:41:57 2010 : Info: [files]expand: %{User-Name} 
-> _sonicwall
Tue Aug 24 16:41:57 2010 : Info: [files]expand: 
(&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=_sonicwall)(objectClass=person))

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter 
(&(sAMAccountname=_sonicwall)(objectClass=person))

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Info: [files]expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=CN\3d_sonicwall\2cOU\3dService 
Accounts\2cOU\3dSpecial User 
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3d_sonicwall\2cOU\3dService 
Accounts\2cOU\3dSpecial User 
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom)))

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] performing search in 
OU=Enterprise,DC=int,DC=invtitle,DC=com, with filter 
(&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3d_sonicwall\2cOU\3dService 
Accounts\2cOU\3dSpecial User 
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3d_sonicwall\2cOU\3dService 
Accounts\2cOU\3dSpecial User 
Accounts\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dinvtitle\2cDC\3dcom

Tue Aug 24 16:41:57 2010 : Debug:   [ldap] object not found
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 24 16:41:57 2010 : Debug:   [ldap] performing search in 
CN=_sonicwall,OU=Service Accounts,OU=Special User 
Accounts,OU=Enterprise,DC=int,DC=invtitle,DC=com, with filt

Re: Freeradius2 and Samba3x

2010-07-14 Thread freeradius

At 01:59 PM 7/14/2010, Phil Mayers wrote:

> Samba being "behind" what, exactly?
>
> I've never had this problem. We authenticate against windows 2008R2
> domain controllers on Samba 3.0.x. I had to do nothing special. It
> "just works".
>
> There was a specific bug in some newer Samba versions where Samba
> seemed to make a change that caused NT_KEY to be wrong. So just run
> an older one. This problem is well described in the list archives
> and eap.conf in recent FreeRadius source distros. The latest Samba
> distributions should not have the problems.



The problem appears to be that samba 3.0.x doesn't work with 2008r2. 
So going to 3.3.x (I'm on 3.3.8, the default coming from RedHat for samba3x).


So to go to 2008r2 you can't just stay on 3.0.x

Rick





RE: Freeradius2 and Samba3x

2010-07-14 Thread freeradius

At 11:47 AM 7/14/2010, you wrote:

> Sending Access-Accept of id 225 to 10.4.1.2 port 2452
> Reply-Message := "Authorized Users Only"
> MS-CHAP2-Success =
> 0x01533d39444636303933394145343137463835384143443632443
> 9374137343844413541313936
>  MS-MPPE-Recv-Key = 0xd81d386eb6bd95dcd85badccd21036b4
>  MS-MPPE-Send-Key = 0x1415b0a4e0f2d9063a9b0d0e92e2869b
>  MS-MPPE-Encryption-Policy = 0x0001
>  MS-MPPE-Encryption-Types = 0x0006
> Wed Jul 14 11:18:38 2010 : Info: Finished request 8.
> Wed Jul 14 11:18:38 2010 : Debug: Going to the next request
> Wed Jul 14 11:18:38 2010 : Debug: Waking up in 4.9 seconds.
> Wed Jul 14 11:18:43 2010 : Info: Cleaning up
> request 8 ID 225 with timestamp +665
> Wed Jul 14 11:18:43 2010 : Info: Ready to process requests.
>
> Any ideas?

> Any ideas about what - the server returned Access-Accept??  Is this
> not what you wanted?  What problem are you trying to solve?


That my VPN session still doesn't establish. I get back that the user 
can't be authenticated.


rick







RE: Freeradius2 and Samba3x

2010-07-14 Thread freeradius

At 11:46 AM 7/14/2010, you wrote:

> Rather than deal with the never-ending tail-chasing between samba
> and Microsoft, I've decided to move toward using FreeRadius as a
> proxy for the Windows radius implementation (formerly IAS, now
> called NPS). I haven't completed the change, so I'm sorry that I
> can't tell you how easy it is... but it surely can't be as
> frustrating as trying to deal with samba always being behind, right?
>
> Steve Lovaas



Why use it as a proxy then? Why not just use NPS?

Rick




-Original Message-
From: 
freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org] 
On Behalf Of freerad...@corwyn.net

Sent: Wednesday, July 14, 2010 9:23 AM
To: FreeRadius users mailing list
Subject: Freeradius2 and Samba3x



We're in the process of upgrading from Windows
2003 to 2008 R2. Our Linux systems are CentOS
5.5. Looks like samba won't auth against  2008 r2.

So we upgraded to samba 3x, but that appears to break freeradius. Hrm.

We're using freeradius to auth VPN users that are
connecting from a sonicwall firewall, using the windows l2tp client.

freeradius2-2.1.8-2.el5

Here's the output from radiusd -xX

rad_recv: Access-Request packet from host
10.4.1.2 port 2452, id=213, length=124
 User-Name = "useraccount"
 MS-CHAP-Challenge = 0xc527897da16351a24f3a92d91b066df1
 MS-CHAP2-Response =
0x0100f3dd5207d539bd0d7e1f7be50178d382a3492c6411f5548251a05606aa028964d34b69c58e61c7d5
 NAS-IP-Address = 10.4.1.2
 NAS-Port = 0
Wed Jul 14 10:51:16 2010 : Info: server server_vpn {
Wed Jul 14 10:51:16 2010 : Info: +- entering group authorize {...}
Wed Jul 14 10:51:16 2010 : Info: ++[preprocess] returns ok
Wed Jul 14 10:51:16 2010 : Info: [mschap] Found
MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
Wed Jul 14 10:51:16 2010 : Info: ++[mschap] returns ok
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Wed Jul 14 10:51:16 2010 : Info:
[files]expand:
OU=Enterprise,DC=int,DC=example,DC=com ->
OU=Enterprise,DC=int,DC=example,DC=com
Wed Jul 14 10:51:16 2010 : Info:
[files]expand: %{Stripped-User-Name} ->
Wed Jul 14 10:51:16 2010 : Info:
[files]... expanding second conditional
Wed Jul 14 10:51:16 2010 : Info:
[files]expand: %{User-Name} -> useraccount
Wed Jul 14 10:51:16 2010 : Info:
[files]expand:
(&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person))
-> (&(sAMAccountname=useraccount)(objectClass=person))
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] attempting LDAP reconnection
Wed Jul 14 10:51:16 2010 : Debug:   [ldap]
(re)connect to int.example.com:389, authentication 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] bind
as CN=_sonicwall,OU=Service Accounts,OU=Special
User
Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I
to int.example.com:389
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] waiting for bind result ...
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] Bind was successful
Wed Jul 14 10:51:16 2010 : Debug:   [ldap]
performing search in
OU=Enterprise,DC=int,DC=example,DC=com, with
filter (&(sAMAccountname=useraccount)(objectClass=person))
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Jul 14 10:51:16 2010 : Info:
[files]expand:
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=CN\3dUser
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap]
performing search in
OU=Enterprise,DC=int,DC=example,DC=com, with
filter
(&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] object not found
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap]
performing search in CN=User
Account,OU=IS,OU=Users,OU=Enter

Re: Freeradius2 and Samba3x

2010-07-14 Thread freeradius

At 11:36 AM 7/14/2010, you wrote:

> HI,
>
> Wed Jul 14 10:51:16 2010 : Info: [mschap]   expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=a3492c6411f5548251a05606aa028964d34b69c58e61c7d5
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program output: winbind
> client not authorized to use winbindd_pam_auth_crap. Ensure
> permissions on /var/lib/samba/winbindd_privileged are set correctly.
> (0xc022)
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program-Wait: plaintext:
> winbind client not authorized to use winbindd_pam_auth_crap. Ensure
> permissions on /var/lib/samba/winbindd_privileged are set correctly.
> (0xc022)
>
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program: returned: 1
>
> ^^ is that not the problem?
>
> -James



It was the 1st time, but then I changed permissions, and I still 
don't get access.


Rick






Freeradius2 and Samba3x

2010-07-14 Thread freeradius



We're in the process of upgrading from Windows 
2003 to 2008 R2. Our Linux systems are CentOS 
5.5. Looks like samba won't auth against  2008 r2.


So we upgraded to samba 3x, but that appears to break freeradius. Hrm.

We're using freeradius to auth VPN users that are 
connecting from a sonicwall firewall, using the windows l2tp client.


freeradius2-2.1.8-2.el5

Here's the output from radiusd -xX

rad_recv: Access-Request packet from host 
10.4.1.2 port 2452, id=213, length=124

User-Name = "useraccount"
MS-CHAP-Challenge = 0xc527897da16351a24f3a92d91b066df1
MS-CHAP2-Response = 
0x0100f3dd5207d539bd0d7e1f7be50178d382a3492c6411f5548251a05606aa028964d34b69c58e61c7d5

NAS-IP-Address = 10.4.1.2
NAS-Port = 0
Wed Jul 14 10:51:16 2010 : Info: server server_vpn {
Wed Jul 14 10:51:16 2010 : Info: +- entering group authorize {...}
Wed Jul 14 10:51:16 2010 : Info: ++[preprocess] returns ok
Wed Jul 14 10:51:16 2010 : Info: [mschap] Found 
MS-CHAP attributes.  Setting 'Auth-Type  = mschap'

Wed Jul 14 10:51:16 2010 : Info: ++[mschap] returns ok
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] Entering ldap_groupcmp()
Wed Jul 14 10:51:16 2010 : Info: 
[files]expand: 
OU=Enterprise,DC=int,DC=example,DC=com -> 
OU=Enterprise,DC=int,DC=example,DC=com
Wed Jul 14 10:51:16 2010 : Info: 
[files]expand: %{Stripped-User-Name} ->
Wed Jul 14 10:51:16 2010 : Info: 
[files]... expanding second conditional
Wed Jul 14 10:51:16 2010 : Info: 
[files]expand: %{User-Name} -> useraccount
Wed Jul 14 10:51:16 2010 : Info: 
[files]expand: 
(&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=useraccount)(objectClass=person))

Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] attempting LDAP reconnection
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] 
(re)connect to int.example.com:389, authentication 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] bind 
as CN=_sonicwall,OU=Service Accounts,OU=Special 
User 
Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I 
to int.example.com:389

Wed Jul 14 10:51:16 2010 : Debug:   [ldap] waiting for bind result ...
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] Bind was successful
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] 
performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with 
filter (&(sAMAccountname=useraccount)(objectClass=person))

Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Jul 14 10:51:16 2010 : Info: 
[files]expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=CN\3dUser 
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser 
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))

Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] 
performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with 
filter 
(&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser 
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser 
Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom

Wed Jul 14 10:51:16 2010 : Debug:   [ldap] object not found
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] 
performing search in CN=User 
Account,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, 
with filter (objectclass=*)
Wed Jul 14 10:51:16 2010 : Debug:   [ldap] 
performing search in CN=VPN_Users,OU=Security 
Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
Wed Jul 14 10:51:16 2010 : Debug: 
rlm_ldap::ldap_groupcmp: User found in group VPN_Users

Wed Jul 14 10:51:16 2010 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Wed Jul 14 10:51:16 2010 : Info: [files] users: 
Matched entry DEFAULT at line 11

Wed Jul 14 10:51:16 2010 : Info: ++[files] returns ok
Wed Jul 14 10:51:16 2010 : Info: [ldap] 
performing user authorization for useraccount
Wed Jul 14 10:51:16 2010 : Info: 
[ldap] expand: %{Stripped-User-Name} ->
Wed Jul 14 10:51:16 2010 : Info: 
[ldap] ... expanding second conditional
Wed Jul 14 10:51:16 2010 :

Re: Your maximum never usage time has been reached

2010-05-30 Thread freeradius
Thanks Alan

>the easyhotsort people have leveraged, from what i can see, chillispot
>and FreeRADIUS for their solution. as such, they are the ones who are
>first in line to fix things. I don't see why the volunteers in FreeRADIUS
>should deal with the random logic and code from a 3rd party solution.

Fair call.  

>> This only occurs for users where the check-name attribute is 
>> "Max-All-MB".  If there is no check for this attribute then the user can 

>are you checking that the attribute EXISTS - in which case it will always
>be the case unless it only exists if another system makes it so (from reading
>accounting) or is it supposed to be a comparison with a value.

If I create a user where the attribute does NOT exist then I can authenticate 
but cannot keep the user to the total data allowance (see below as why this is 
required).
If I create a user where the attribute does exist then after the accounting 
record is created in the radacct table then subsequent attempts to authenticate 
fail.

Maybe it's time to read the source code for the counter module :(

>sorry, dont care for captive portals - I'm all about 802.1X and proper systems
>and don't believe that customers should be limited to small amounts of data
>allowance - it's 2010, 1998 has called and wants its business model back.


Yeah - I'd rather provide an unlimited data allowance too, but in this case it 
is not possible. I've taken on the task (as a volunteer) to provide a hotspot 
for a community group's conference, and the only broadband access we have at the 
venue is via a 3G mobile service (limited to 3GB in a month) :(  Additional 
data is priced at $100/GB !!


David


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Upgrade from 1.3 to 2.0

2010-02-05 Thread Account for FreeRadius mail list


Hello,

We just upgraded one of our FreeRadius servers from 1.3 to 2.0 (part of a 
debian upgrade from Etch to Lenny).


Anyway one of the problems I'm having is updating the "proxy.conf" file.
It states that one should move away from the "realm" entry to the 
"home_server" entry. So I have changed this entry in the proxy.conf file:


realm somedomain.net {
type= radius
authhost= wendy.somedomain.net:1645
accthost= LOCAL
secret  = ItsSecret
nostrip
}

to:

home_server somedomain.net {
   type   = auth
   virtual_server = wendy.somedomain.net
   port   = 1645
   secret = ItsSecret
   response_window= 7
   zombie_period  = 40
   status_check   = status-server
   check_interval = 20
   num_answers_to_alive   = 3
}

I had tried the "ipaddr =" command as well. Anyway the authentication 
request to the wendy.somedomain.net server is not getting through using 
this new "home_server" entry.


What am I doing wrong?

Thanks,

Ken
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radiusd -X with timestamps?

2010-02-02 Thread freeradius



Is there any way to get timestamps to display when running radiusd -X?

I get them when running as a service, but then I don't get the same 
detail in radius.log


Rick




Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap rebind?

2010-01-26 Thread freeradius

At 07:16 PM 1/26/2010, Alan DeKok wrote:

freerad...@corwyn.net wrote:
> In the release notes for 2.1.8 it says:
> Document "chase_referrals" and "rebind" in raddb/modules/ldap
...
> which is no different than 2.1.8.   What's different? Is this
> documentation somewhere? I'm especially interested in rebind. What's it do?

  It re-sends authentication credentials for referrals.

  Active Directory has a habit of referring LDAP clients to a
*different* LDAP server.  The client needs to re-authenticate to that
server before it answers queries.



Interesting. What errors does freeradius throw when this occurs? 
(since I'm still troubleshooting my ldap woes)



Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ldap rebind?

2010-01-26 Thread freeradius




In the release notes for 2.1.8 it says:
Document "chase_referrals" and "rebind" in raddb/modules/ldap

Well 2.1.7 says:
#  The following two configuration items are for Active Directory
#  compatibility.  If you see the helpful "operations error"
#  being returned to the LDAP module, uncomment the next
#  two lines.
#
# chase_referrals = yes
# rebind = yes

which is no different than 2.1.8.   What's different? Is this 
documentation somewhere? I'm especially interested in rebind. What's it do?


Rick




Rick Steeves
http://www.sinister.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP timeouts

2010-01-25 Thread freeradius

At 12:43 AM 1/20/2010, freerad...@corwyn.net wrote:

At 08:33 PM 1/14/2010, freerad...@corwyn.net wrote:
The Windows environment works, with one quirk, if no one has logged 
in for a while (~15-30 min), the next user gets:


It looks like the only difference (besides MSCHAP strings) between 
the first try and the second one is:


 [ldap] attempting LDAP reconnection
  [ldap] (re)connect to int.invtitle.com:389, authentication 0
  [ldap] bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/xxx to int.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful

It takes only moments, but still fails the first time.

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Conditional expression ":-" deprecated?

2010-01-24 Thread freeradius

At 04:26 PM 1/24/2010, Alan Buxey wrote:

> It's the same reason I keep asking about this error:
>
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure
> that the user is configured correctly?
> [ldap] user rsteeves authorized to use remote access

 - LDAP was unable to find a usable password for the user
in LDAP - for the authentication - but as this is the authorization
(authz) stage then not to worry?


I'd think that, but I have it on good advice to worry about Warning messages ;)



Rick 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Conditional expression ":-" deprecated?

2010-01-24 Thread freeradius

At 06:45 AM 1/24/2010, Alan Buxey wrote:

(&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person))


thanks


there have been a few places where these things have been fixed in the default
configurations so remove those errors. Though it's surprising how many
people still run their servers with that error message being flagged...surely
you read it and think 'WARNING? must check that out and fix it' ?


Sure do! And posted the question :-)  This is from a recent 2.17 
install using the associated docs on the freeradius pages. . .


It's the same reason I keep asking about this error:

[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure 
that the user is configured correctly?

[ldap] user rsteeves authorized to use remote access



..and , in fact, the latest version has that default value fixed. go grab the
2.1.8 source code and check raddb/modules/ldap file...


Thx, will do. One question about that file. Example:

#  seconds LDAP server has to process the query (server-side
#  time limit). default: 20
#
#  LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3


Why does it say the default is 20, and yet actually have the default 
value set to 3?


Rick






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Conditional expression ":-" deprecated?

2010-01-23 Thread freeradius

At 12:19 PM 1/23/2010, Alan DeKok wrote:

John Morrissey wrote:
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details


  Use %{%{#User-Name}:-0}



Thanks Alan,

I have the same (or very similar issue):

[files] expand: OU=Enterprise,DC=int,DC=invtitle,DC=com -> 
OU=Enterprise,DC=int,DC=invtitle,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details

[files] ... expanding second conditional
[files] expand: %{User-Name} -> rsteeves

Can you by chance point out how I can change the code so it is not deprecated:

users:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type:=NAS-Prompt-User,
        cisco-avpair:="shell:priv-lvl=15",
        Reply-Message := "Authorized Users Only"
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type:=NAS-Prompt-User,
        cisco-avpair:="shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"
        Reply-Message := "Authorized Users Only"


but I suspect it's this in the LDAP module:
filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))



Thx.

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
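An added example, my own script and not FreeRADIUS code: it rewrites the deprecated `%{Attr:-fallback}` expansions Rick is asking about into the `%{%{Attr}:-fallback}` form that the 2.1.8 default ldap filter uses, so a users file or module config can be migrated in one pass instead of by hand. The SAMPLE lines are constructed from the filter quoted in this thread.

```python
"""Rewrite deprecated FreeRADIUS 2.x conditional expansions.

Added example for this thread; it is not code from the FreeRADIUS project.
FreeRADIUS 2.1.x logs 'Deprecated conditional expansion ":-"' for the old
form  %{Attr:-fallback}  and expects the attribute reference itself to be an
expansion:  %{%{Attr}:-fallback}  (the form of the 2.1.8 default ldap filter).
The functions below rewrite the old form wherever it occurs in a config
fragment (users file, ldap filter, ...) and leave the new form alone.
"""
import sys


def _closing_brace(text, start):
    """Return the index of the '}' that closes the '%{' at text[start]."""
    depth = 0
    i = start
    while i < len(text):
        if text.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %%{ at offset %d" % start)


def _split_conditional(body):
    """Split the inside of a %{...} at its first top-level ':-'.

    Returns (name, fallback), or None when the expansion is not conditional.
    A ':' not followed by '-' (as in %{control:Ldap-UserDn}) is part of the
    attribute name and is left alone.
    """
    depth = 0
    i = 0
    while i < len(body):
        if body.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return None


def modernize(text):
    """Return `text` with every deprecated %{Attr:-x} rewritten as %{%{Attr}:-x}.

    Fallbacks are rewritten recursively, so nested old-form expansions are
    fixed too; expansions already in the new form come back unchanged.
    """
    out = []
    i = 0
    while True:
        j = text.find("%{", i)
        if j < 0:
            out.append(text[i:])
            return "".join(out)
        out.append(text[i:j])
        k = _closing_brace(text, j)
        body = text[j + 2:k]
        parts = _split_conditional(body)
        if parts is None:
            # plain %{Attr}: nothing to change (recurse in case of nesting)
            out.append("%{" + modernize(body) + "}")
        else:
            name, fallback = parts
            name = modernize(name)
            if not name.startswith("%{"):
                name = "%{" + name + "}"  # wrap the bare attribute name
            out.append("%{" + name + ":-" + modernize(fallback) + "}")
        i = k + 1


def modernize_lines(lines):
    """Rewrite a sequence of config lines; returns (new_lines, changed_count).

    A line with an unbalanced %{ is passed through untouched.
    """
    new_lines = []
    changed = 0
    for line in lines:
        try:
            fixed = modernize(line)
        except ValueError:
            fixed = line
        if fixed != line:
            changed += 1
        new_lines.append(fixed)
    return new_lines, changed


# Constructed sample: the ldap filter quoted in this thread, plus two lines
# that must not change (already new form; a ':' that is not a conditional).
SAMPLE = [
    'filter = (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))',
    'filter = (&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person))',
    'groupmembership_filter = (&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))',
]

if __name__ == "__main__":
    # Usage: python modernize_xlat.py < /etc/raddb/modules/ldap  (or run
    # with no input to see the SAMPLE lines rewritten)
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    fixed, n = modernize_lines(src)
    sys.stdout.write("\n".join(fixed) + "\n")
    sys.stderr.write("%d line(s) rewritten\n" % n)
```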


Re: new ntlm_auth?

2010-01-21 Thread freeradius

At 04:49 PM 1/21/2010, Alan Buxey wrote:

you should avoid just lurching your old configs across to new versions.
best to start with a clean slate and then edit/add your logic as required


Perhaps. But having to rebuild everything to go from 2.1.7 to 2.1.8 
is excessive.



Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: new ntlm_auth?

2010-01-21 Thread freeradius


I think that breaks most of the current instructions out there, since 
the module seems to win out over what I have defined in radiusd.conf. 
Heck, it breaks my 2.1.7 ones, and the wiki 


If I just remove the exec from radiusd.conf (and configure the new 
ntlm_auth module) everything should be ok?


Rick



At 02:50 PM 1/21/2010, John Dennis wrote:

On 01/21/2010 02:31 PM, freerad...@corwyn.net wrote:




Did the recent upgrade of freeradius2 add a ntlm_auth module?


Yes, 2.1.8 added ntlm_auth.

Unfortunately doc/ChangeLog omitted this.

--
John Dennis 





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


new ntlm_auth?

2010-01-21 Thread freeradius




Did the recent upgrade of freeradius2 add a ntlm_auth module?

I'm now seeing
Exec-Program output: Exec-Program: FAILED to execute /path/to/ntlm_auth: No such file or directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute /path/to/ntlm_auth: No such file or directory
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [rsteeves] (from client 10.100.0.8 port 1 cli 10.20.31.17)


I went and looked, and there's a ntlm_auth module now where I don't 
think there was one before. . .


I had/have ntlm_auth defined in radiusd.conf
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=int.example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}


Rick



Rick Steeves
http://www.sinister.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: No "known good" in ldap authorizes?

2010-01-20 Thread freeradius

At 02:50 AM 1/20/2010, Alan DeKok wrote:

freerad...@corwyn.net wrote:
> But i see this in the log when running with radiusd -X:
>
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?

  It means that the LDAP search returned nothing.  What happens if you
try the same user again?  Do you get the same thing, or does it now find
a password?



I get the same thing. Note that the first and second time the user is 
permitted to log in.


Rick




  Alan DeKok.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP timeouts

2010-01-19 Thread freeradius

At 08:33 PM 1/14/2010, freerad...@corwyn.net wrote:
The Windows environment works, with one quirk, if no one has logged 
in for a while (~15-30 min), the next user gets:



Here's the full log of one of those events (redacted):  Two interesting points are noted with "***". The reconnect takes only moments when watching it flow by.


rad_recv: Access-Request packet from host 10.4.1.2 port 4734, id=116, length=121
User-Name = "testuser"
MS-CHAP-Challenge = 0xe23b19133fb8d89eeaddcea89d9917ee
MS-CHAP2-Response = 0x01008875de342e3a72b85b591ede3516972e8709a70df8e4f28d3f5d880e9558e580d723bc5d98c4a717
NAS-IP-Address = 10.4.1.2
NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=testuser)(objectClass=person))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=testuser)(objectClass=person))
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=Admin_account,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=testuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dJoe Bob\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJoe Bob\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dJoe Bob\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dJoe Bob\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Joe Bob,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=VPN_Users,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
rlm_ldap::ldap_groupcmp: User found in group VPN_Users
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 11
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=testuser)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=testuser)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...

***
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok

*** also odd.

++? if (Huntgroup-Name == "VPN_Huntgroup")
? Evaluating (Huntgroup-Name == "VPN_Huntgroup") -> TRUE
++? if (Huntgroup-Name == "VPN_Huntgroup") -> TRUE
++- entering if (Huntgroup-Name == "VPN_Huntgroup") {...}
+++? if (Ldap-Group == "VPN_Users")
rlm_ldap: Entering ldap_groupcmp()
expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:L

No "known good" in ldap authorizes?

2010-01-19 Thread freeradius




I've got something odd happening. I'm using freeradius and its ldap 
module to authenticate/authorize users for an L2TP VPN connection. 
Works (mostly) fine, except for some odd timeout issues I'll cover 
elsewhere (see following post re: LDAP timeouts).


Valid users with valid passwords connect, other combinations don't 
(valid user, invalid password; invalid user with invalid password; etc.)


But i see this in the log when running with radiusd -X:

[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure 
that the user is configured correctly?

[ldap] user test_user authorized to use remote access

?

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Major noob question about freeradius

2010-01-18 Thread freeradius

At 02:01 PM 1/18/2010, Eric Swanson wrote:
On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone 
<bryan-bo...@msn.com> wrote:
For me the simplest solution to solve this would be a windows 2003 
server domain controller.  Unfortunately due to some corporate 
restrictions I cannot install a windows server.



If you can't set up a Windows server to do this job, the best way to 
meet this need is to run Samba on a Linux machine.  If you run it in 
domain control mode, it'll act very much like a Windows server for 
the purposes you're talking about.



If there's a corporate restriction on installing a windows server, 
setting up a linux server to behave just like a windows server might 
also be a problem.  And indeed if it's on the same network, you'll 
really need to get things right so that it doesn't screw anything up 
(such as becoming the master browser).


Just be sure first :-)

rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP timeouts

2010-01-14 Thread freeradius



I'm currently using freeradius2-2.1.7-2.el5 on CentOS 5.2 for Cisco 
and L2TP VPN user authentication (via a Sonicwall firewall), using 
LDAP back to an AD environment, with the Windows built-in VPN client.


(for very specific details of that environment see my post of Tue, 
Dec 1, 2009 at 6:31 PM )


The Cisco environment works flawlessly. Every time I attempt to log 
in it works.


The Windows environment works, with one quirk: if no one has logged 
in for a while (~15-30 min), the next user gets:


Thu Jan 14 19:31:51 2010 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
Thu Jan 14 19:31:51 2010 : Info: rlm_ldap: Attempting reconnect
Thu Jan 14 19:31:51 2010 : Auth: Login OK: [user] (from client VPN port 0)

The end user reports that the first attempt to login fails, but the 
second succeeds. Further attempts will succeed until it's been a 
while since anyone logged in.


That's only true for VPN users, logging into a Cisco never causes the 
same issue - works every time.  Both servers refer to the same ldap module.


I only have about 4 VPN users right now, so I'm thinking it's not a 
load problem. In some respects I'm thinking it's the reverse of a 
load problem - that once I have more users on the system there won't 
be a long period of time where no one has logged in, and so the 
problem will go away.


Thoughts?  I'd like for the user to (barring network issues) be able 
to log on the first time, every time.


Thanks

Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Have a client with multiple secrets?

2010-01-12 Thread freeradius




I have a firewall that I connect to over SSH to manage. It has a 
client entry with a secret in clients.conf, it's got a huntgroup 
entry, and the huntgroup has entries in the users file, and 
everything is working fine (I think I've got the order right there).


The firewall also serves as the VPN server, authenticating users 
through radius. But I'd like the VPN users to use a different secret 
and, more importantly, a different huntgroup (since the user group 
for authentication is different between those two groups).  Is that possible?


rick


Rick Steeves
http://www.sinister.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


winbindd_privileged error?

2010-01-08 Thread freeradius




I had everything working fine, and now it's not.  (I use the ldap 
module to auth)


When I look through the logs, I'm getting a winbindd_privileged error.

I've seen that before, where you apply:
chgrp radiusd /var/cache/samba/winbindd_privileged
chmod g+rw /var/cache/samba/winbindd_privileged


but that doesn't seem to be resolving in this case. I believe I did 
run yum update today and it updated samba.


winbind won't start.
Jan  8 17:09:45 ns5 winbindd[2086]:   initialize_winbindd_cache: clearing cache and re-creating with version number 1
Jan  8 17:09:45 ns5 winbindd[2086]: [2010/01/08 17:09:45, 0] lib/util_sock.c:create_pipe_sock(1280)
Jan  8 17:09:45 ns5 winbindd[2086]:   invalid permissions on socket directory /var/cache/samba/winbindd_privileged




Rick Steeves
http://www.sinister.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Bugzilla with freeradius support

2009-12-16 Thread freeradius




I see that bugzilla has added Freeradius support. Went looking for 
any type of guide, and it seems obscured by freeradius using bugzilla 
for bug tracking.


Can someone point me to anything that has pointers for using 
freeradius to support my bugzilla implementation?


Rick


Rick Steeves
http://www.sinister.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Testing radius server

2009-12-10 Thread freeradius

At 12:12 AM 12/11/2009, Alex Bahoor wrote:
>

For someone that claims words are important, you're not listening to 
the people trying to tell you you're using words wrong.


random != dynamic   for example

client != user  would be another example.

The client is not the user. It's the physical device that's 
configured to use RADIUS for authentication. Clients are defined in 
./clients.conf


The user is the one with an ID and a password. Users are defined in 
./users  (who they are, what their password is, where to go look for 
their information)


And to get to your next question, ./huntgroups can be used to define 
the association between the two (which users can log into which clients)


The docs might not be optimal, but they're offset by an amazingly 
supportive and active email list (which I'll trade for docs any day 
really).  That is, if you don't spend all your time claiming the 
application is broken and buggy.



The real question is, presuming you bear with it and get FR to work, 
will you write up and contribute documentation for what you've done 
to help others?


Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Config Examples

2009-12-05 Thread freeradius

At 09:32 PM 12/5/2009, Alex Bahoor wrote:

I hope that help,


It helps show you're not worth bothering with. Thanks.

Bye.

Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Config Examples

2009-12-05 Thread freeradius

At 02:54 PM 12/5/2009, Alex Bahoor wrote:


Ivan,

Imagine DNS uses dynamic port assignment instead of port 53? Guess 
what, no one would be able to use the internet. :-)


Alex


First, I believe you're trying to respond to me.

Second, you're asking questions about which you don't apparently understand.

What if I wanted to run my own implementation of DNS to do something 
bizarre? SSH on a different port than 22 (quite common)? A web server 
on port 88?  Telnet on port 8000. I can do all of those things. And 
apache, bind, tftp, ftp, telnet, sshd (and really almost every 
service that assigns a port) all have the ability to change the default port.


If I'm running my own services, I might want the ability to run them 
on non-standard ports. That's why there are defaults, AND the ability 
to change them.


Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Config Examples

2009-12-05 Thread freeradius

At 12:55 PM 12/5/2009, Alex Bahoor wrote:


Ivan,

I read that. Assigning dynamic ports other than the specific ones could be
to resolve conflict in case the ports are assigned to different processes.
But that does not make sense, there must be other reasons, otherwise, tftp,
ftp, mail, telnet, bootp...etc would have this option too.


They do.

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Which RPM Should I use

2009-12-04 Thread freeradius

At 04:09 PM 12/4/2009, Tim Sylvester wrote:

An alternative would be switching to CentOS which will be easier. You can
move to CentOS and follow the directions on the FreeRADIUS web site on how
to install in a RedHat environment. This would allow you to use the "yum"
utility which automatically downloads the dependencies for you.


RHEL and CentOS are, effectively, the same (except from a 
support/licensing perspective). yum exists in both. There should be 
no reason to install the src RPM.


Rick




Tim

> -Original Message-
> From: freeradius-users-
> bounces+tim.sylvester=networkradius@lists.freeradius.org
> [mailto:freeradius-users-
> bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
> Of Alex Bahoor
> Sent: Friday, December 04, 2009 12:36 PM
> To: 'FreeRadius users mailing list'
> Subject: Which RPM Should I use
>
>
>
> Hi,
>
> I would need LDAP and Mysql. Should I install two RPMSs?
> freeradius-ldap-2.1.7-2.fc12.i686.rpm
> freeradius-mysql-2.1.7-2.fc12.i686.rpm
>
> What does i686 mean? I have a dell laptop IBM clone.
> thx,
>
> Alex
>




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread freeradius

At 11:00 AM 12/4/2009, Alan DeKok wrote:

freerad...@corwyn.net wrote:
>> Update max_requests to # users * 256
>>   That isn't necessary.  It should be no more than "max request/s *
>> max_request_time".
>
> Well the docs say:
> #  max_requests: The maximum number of requests which the server keeps
> #  track of.  This should be 256 multiplied by the number of clients.
> #  e.g. With 4 clients, this number should be 1024.

  No.  "users" are not "clients".  Users are people logging in.  RADIUS
clients are NAS machines.



Ah! cool, thx.

Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread freeradius

At 04:33 AM 12/4/2009, Alan DeKok wrote:

freerad...@corwyn.net wrote:
> Note that the configuring of SAMBA, kerberos, and adding to the domain
> should already be done as part of the default Linux install, see
> h:\is\operating system\Linux\Guide_linux.doc

  This file is... ?


Heh, part of our internal documentation structure. As long as I'm 
copy/pasting this from that, it's likely to stay in there.


> Update max_requests to # users * 256

  That isn't necessary.  It should be no more than "max request/s *
max_request_time".


Well the docs say:
#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.

so I was just doing what this said.


> Add to the end of the acct listen {..}  (to permit groups of clients)
> clients = disambiguate

  I don't understand why this is necessary.  All it does is put the
clients into a sub-section.  There's no additional value or capabilities
in doing this.


I probably picked this up from one of the random docs while trying to 
puzzle things out that weren't clear. Since it helps show how to use 
a subsection, it's useful to me.



> Since we're not using any of these methods for the Ciscos, in
> authenticate{..} disable:   chap, mschap, suffix, ntdomain, unix, pap
>
> Add to the end of the authorize{..} section:
> ntlm_auth

  Or to the end of the "authenticate" section?


d'oh!  good catch (it's right in the appendix at least)


Thanks!

Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-03 Thread freeradius

At 05:27 PM 12/3/2009, Alan Buxey wrote:

note, there are other packages should you need eg SQL support


Not if you're not using SQL support (which I'm not). You'd then also 
need a lot of instructions on setting up SQL :-)



you didn't note if you were SELinux enabled and any issues that
might befall that -


For my own doc purposes that's covered in the Linux guide we use to 
set up systems, but I'll add a note here.



I'm also not sure but does the freeradiusd2
package automatically put the right firewall holes into place too
(if not you'd need to add UDP 1812,1813 and 1814 to the incoming
rule chain)


no it does not. FYI I believe 1813 is actually TCP (empirically 
working through my firewalls that way).  1814 only necessary if 
you're using proxy I think.


Rick



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AD, Groups, and LDAP (was Re: separating Users?)

2009-12-03 Thread freeradius


Having just followed all of those instructions to build out my production systems, I have a few tweaks to fix all those little things that drive one insane when following someone's instructions because they never tested them.



Using FreeRADIUS2

Rick Steeves – 091203
freeradi...@corwyn.net

Setup, configuration, troubleshooting instructions, on CentOS 5.x
Goals:
o   Authenticating telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
o   Authenticating VPN users using MSCHAP on a sonicwall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install
The linux site for the rpm download of freeradius2 is:
http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

[freeradius2]
name=Freeradius2
baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
enabled=1
gpgcheck=0

Install freeradius2:
yum clean all
yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
chkconfig radiusd on

To start the freeRadius service
service radiusd start

To run the service in debug mode (which you should be doing until everything works):

service radiusd stop
radiusd -X

Quirks
If you get an error from the output of radiusd -X along the lines of:

Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)


then the issue is that radiusd doesn't have access to the winbindd_privileged folder. You can fix with:


chgrp radiusd /var/cache/samba/winbindd_privileged
chmod g+rw /var/cache/samba/winbindd_privileged
Configuration
See http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:
wbinfo -a user%password
Try the same login with the ntlm_auth program, 
which is what FreeRADIUS will be using:
ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=user --password=password

/etc/raddb/radiusd.conf  (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..} (to permit groups of clients)
clients = disambiguate

Add to the end of the acct listen {..}  (to permit groups of clients)
clients = disambiguate

Add to the end of the modules{..} section:  (to 
enable ntlm_auth as an authentication method)


exec ntlm_auth {
	wait = yes
	# The cleartext User-Password is handed to ntlm_auth as a command-line
	# argument, so it is visible in the process list while the check runs.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

In log{..}

auth = yes  (to log authentication requests)
/etc/raddb/huntgroups
huntgroups let you restrict which clients are 
associated with which user. You will need to add 
each IP of each device that will be using the 
RADIUS server, and associate it with the correct 
huntgroup. This will let the /etc/raddb/users 
file associate the user with the appropriate device:


/etc/raddb/huntgroups:
Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
…
VPN_Huntgroup   NAS-IP-Address == 10.4.1.2
/etc/raddb/modules/ldap
If this file is missing, you need to install the RPM for freeradius2-ldap.

This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, and they will be very specific to the environment. Of course, update server, identity, password, basedn for your own environment.


You will need a user account in AD to permit the 
bind to LDAP. In this example, that account is in:
CN=_useraccount,OU=Service Accounts,OU=Special 
User Accounts,OU=Enterprise,DC=example,DC=com


In this example, the Security groups are located in (or below):
OU=Enterprise,DC=example,DC=com

ldap {
	server = "example.com"
	identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
	password = secretpassword
	basedn = "OU=Enterprise,DC=example,DC=com"
	# Look the user up by sAMAccountName (the stock filter uses uid)
	filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
	groupmembership_attribute = "memberOf"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		# With start_tls = no the bind (including the service account
		# password) and all searches go to port 389 in the clear.
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
	groupname_attribute = cn
	# This is the stock filter for GroupOfNames/GroupOfUniqueNames groups.
	# AD groups are objectClass=group, so Ldap-Group checks against AD are
	# satisfied through the memberOf attribute named above instead.
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
Conf

Re: FreeRadius with ntlm_auth

2009-12-03 Thread freeradius

At 08:44 AM 12/3/2009, char...@copel.com wrote:

My environment is: FreeBSD 6.2 + Samba 3.0.26a + freeradius 1.1.7

How can I do this configuration for more than one NT group ? Any idea ?



See my post from  "Re: separating users", ~6:30, 12/1/09

I tried your approach (separate ntlm_auth execs). In the end I ended 
up using LDAP


Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging From where?

2009-12-02 Thread freeradius





At 05:29 PM 12/2/2009, t...@kalik.net wrote:

Client is where user is logging into, cli is where user is logging from.
Give more distinctive shortnames to clients.


Hmm. I was using a client group for a subnet.
client Cisco {
	ipaddr = 10.100.0.0
	netmask = 16
	secret = jjj
	virtual_server = server_cisco
	nastype = cisco
}
I have to create individual client entries?





Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FW: Free Radius & Cisco

2009-12-02 Thread freeradius
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "HelpDesk"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=1",
        Reply-Message := "Authorized Users Only"


is what I'm using. Change priv-lvl to 15 for enable

Rick

At 07:03 PM 12/2/2009, Johnston, Ian wrote:


Hi,

Thanks for Free Radius – I’m confident it will be just what we need.

I have set it up on a Dell DL360 G5 running CentOS 2.3 and created simple clients.conf, raddb.conf and users files. Radtest and logins from a couple of clients are working well. However, when I try to move up from the absolute basics, e.g. to give my user who telnets to a Cisco switch an enabled privilege level, it just doesn't work: the user logs on OK but is still at the plain command prompt. I'm sure it's something simple I've missed and I'd be grateful if you could give me any pointers.


I’ve looked through the mailing-list archive, 
and although one question is exactly the same 
Freeradius and Cisco (cisco-avpair = 
"shell:priv-lvl=15" doesn't work) I seem to have 
everything they have suggested in the answers?


Thanks in advance for your help.



Regards,

Ian



Here are some cuts from various files:

Switch Config

aaa authentication login nocusers group radius
aaa authorization exec nocusers group radius
aaa session-id common
radius-server host 10.210.27.4 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
line vty 0 4
   exec-timeout 60 0
   login authentication nocusers

users

dan Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,
        cisco-avpair = "shell:priv-lvl=15"

ipj Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

I also tried:

dan Cleartext-Password := "password", Service-Type = Administrative-user, cisco-avpair = "shell:priv-lvl=15"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = Administrative-user,

and

dan Cleartext-Password := "password"
        Reply-Message = "Hello, %{User-Name}",
        Service-Type = "Administrative-user",  # and Shell-user, and login and a few other things !-(
        cisco-avpair = "shell:priv-lvl=15"

the login failed with the first alternate and logged on as a plain user on the second.

Snips from radiusd -X output

Sending Access-Accept of id 42 to 10.210.27.2 port 1645
        Reply-Message = "Hello, ipj"
        Service-Type = NAS-Prompt-User
        Cisco-AVPair = "shell:priv-lvl=15"

Sending Access-Accept of id 43 to 10.210.27.2 port 1645
        Reply-Message = "Hello, dan"
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"

Output from radtest

[r...@radius1 raddb]# radtest dan password radius1:1645 0 testing123
Sending Access-Request of id 33 to 10.210.27.4 port 1645
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
rad_recv: Access-Request packet from host 10.210.27.4 port 32770, id=33, length=55
        User-Name = "dan"
        User-Password = "password"
        NAS-IP-Address = 10.210.27.4
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry dan at line 11
[files] expand: Hello, %{User-Name} -> Hello, dan
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [dan] (from client radius1 port 0)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 33 to 10.210.27.4 port 32770
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Reply-Message = "Hello, dan"
Finished request 2.
Going to the next request
rad_recv: Access-Accept packet from host 10.210.27.4 port 1645, id=33, le

Logging From where?

2009-12-02 Thread freeradius




Everything is all running well. Currently when a user logs in I get 
this in the log:



Wed Dec  2 17:09:32 2009 : Auth: Login OK: [rsteeves] (from client Cisco port 2 cli 10.20.31.17)


Is it possible to also have freeradius log where I was logging into 
in addition to where I logged in from?


Rick




Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
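
The "Login OK" line quoted in this message already carries both ends of the session: as Ivan's reply earlier on this page notes, "client" is the clients.conf shortname of the NAS the user logged into and "cli" is the Calling-Station-Id the user came from. The following is an added example, not code from this thread or from FreeRADIUS, that parses such lines and counts failed logins per (client, cli) source so that a run of bad passwords from one address stands out. The first sample line is the one quoted above; the remaining lines are constructed, and the "Login incorrect (module: reason)" and "[user/password]" shapes assume the 2.x log layout with auth_badpass enabled.

```python
"""Parse FreeRADIUS 2.x 'Auth:' log lines and count failed logins per source.

Added example for this thread, not code from the thread or from FreeRADIUS.
The layout follows the 'Login OK: [user] (from client NAME port N cli IP)'
line quoted above; the 'Login incorrect (module: reason)' and '[user/password]'
forms are the shapes a 2.x server logs for failures and with auth_badpass on.
"""
import re
from collections import Counter
from datetime import datetime

AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: '
    r'Login (?P<result>OK|incorrect)'
    r'(?: \((?P<reason>[^()]*(?:\([^()]*\)[^()]*)*)\))?: '   # optional "(module: reason (0x..))"
    r'\[(?P<user>[^\]/]*)(?:/[^\]]*)?\] '                   # [user] or [user/password]
    r'\(from client (?P<client>[^\s)]+) port (?P<port>\d+)'   # client = NAS shortname
    r'(?: cli (?P<cli>[^\s)]+))?[^)]*\)\s*$'                  # cli = Calling-Station-Id
)


def parse_auth_line(line):
    """Return a dict for one login record, or None for any other log line."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # strptime tolerates the padded day in 'Dec  2'
    rec['time'] = datetime.strptime(rec.pop('ts'), '%a %b %d %H:%M:%S %Y')
    rec['port'] = int(rec['port'])
    rec['ok'] = rec.pop('result') == 'OK'
    return rec


def parse_auth_log(text):
    return [r for r in map(parse_auth_line, text.splitlines()) if r]


def failed_by_source(records, threshold=3):
    """(client, cli) pairs with at least `threshold` failed logins.

    client is where the user was logging into (the clients.conf shortname),
    cli is where the user was logging in from; cli is None when the NAS sent
    no Calling-Station-Id, so those failures are only attributable to the NAS.
    """
    counts = Counter((r['client'], r['cli']) for r in records if not r['ok'])
    return {src: n for src, n in counts.items() if n >= threshold}


# First line is the one quoted in the question; the rest are constructed.
SAMPLE_LOG = """\
Wed Dec  2 17:09:32 2009 : Auth: Login OK: [rsteeves] (from client Cisco port 2 cli 10.20.31.17)
Wed Dec  2 17:10:01 2009 : Auth: Login incorrect: [notvpnuser] (from client Sonicwall_VPN port 0 cli 10.4.1.2)
Wed Dec  2 17:10:05 2009 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [notvpnuser] (from client Sonicwall_VPN port 0 cli 10.4.1.2)
Wed Dec  2 17:10:09 2009 : Auth: Login incorrect: [admin/Password1] (from client Cisco port 3 cli 203.0.113.9)
Wed Dec  2 17:10:12 2009 : Auth: Login incorrect: [admin/Password2] (from client Cisco port 3 cli 203.0.113.9)
Wed Dec  2 17:10:15 2009 : Auth: Login incorrect: [admin/Password3] (from client Cisco port 3 cli 203.0.113.9)
Wed Dec  2 17:10:20 2009 : Auth: Login OK: [dan] (from client radius1 port 0)
"""

if __name__ == '__main__':
    recs = parse_auth_log(SAMPLE_LOG)
    for r in recs:
        print(r['time'], 'OK ' if r['ok'] else 'BAD', r['user'],
              'into', r['client'], 'from', r['cli'] or '(no cli)')
    print('sources at/over threshold:', failed_by_source(recs))
```

Feeding the real radius.log (with auth = yes in the log section) through parse_auth_log gives the (client, cli) pairs to alert on. With one subnet-wide client entry, every switch logs as the same shortname, which is what the advice about distinctive shortnames is getting at: the cli side identifies the source, but the client side only identifies the target as precisely as clients.conf does.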


Re: separating Users?

2009-12-01 Thread freeradius



Well, thanks to an inordinate amount of help, 
I've got my RADIUS server up and running exactly how I want it to.


As part of my business process, I've got a 
detailed doc on how the server is/was 
constructed. I'd like to contribute that to the 
wiki, but I don't see that I can create an account.


Also, since it drives me nuts when I'm searching 
on line for a fix, and an email thread ends JUST 
before I have the data that I need, or a piece is 
missing, here's that documentation as well


Rick Steeves – 091201
freeradi...@corwyn.net

Setup and configuration instructions, on CentOS 5.x
Goals:
o   Authentication of telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
o   Authentication of VPN users using MSCHAP on a SonicWall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install
The linux site for the rpm download of freeradius2 is:
http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

[freeradius2]
name=Freeradius2
baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
enabled=1
# the yum option is gpgcheck; =0 skips RPM signature verification
gpgcheck=0

Install freeradius2:
yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
chkconfig radiusd on

To start the freeRadius service
service radiusd start

To run the service in debug mode (which you 
should be doing until everything works):

service radiusd stop
radiusd -X
Configuration
http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and 
adding to the domain should already be done as 
part of the default Linux install, see 
h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:
wbinfo -a user%password
Try the same login with the ntlm_auth program, 
which is what FreeRADIUS will be using:
ntlm_auth --request-nt-key --domain=MYDOMAIN 
--username=user --password=password

./raddb/radiusd.conf  (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..}
clients = disambiguate

Add to the end of the acct listen {..}
clients = disambiguate

Add to the end of the modules{..} section:

exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

In log {..}

auth = yes
huntgroups
huntgroups let you restrict which clients are 
associated with which user. You will need to add 
each IP of each device that will be using the 
RADIUS server, and associate it with the correct 
huntgroup. This will let the ./users file 
associate the user with the appropriate device:


/etc/raddb/huntgroups:
Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
…
VPN_Huntgroup   NAS-IP-Address == 10.4.1.2
./raddb/modules/ldap (See appendix D)
If this file is missing, you need to install the RPM for freeradius2-ldap.

This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, and they will be very specific to the environment. Of course, update server, identity, password, basedn for your own environment.


You will need a user account in AD to permit the 
bind to LDAP. In this example, that account is in:
CN=_useraccount,OU=Service Accounts,OU=Special 
User Accounts,OU=Enterprise,DC=example,DC=com


In this example, the Security groups are located in (or below):
OU=Enterprise,DC=example,DC=com

ldap {
	server = "example.com"
	identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
	password = secretpassword
	basedn = "OU=Enterprise,DC=example,DC=com"
	filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
	groupmembership_attribute = "memberOf"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
	groupname_attribute = cn
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
Configuration of different virtual sites
For this you'll have 3 general sites, default 
(used mostly for testing on 127.0.0.1), 
server_cisco (used to AAA the Cisco users), and 
server_vpn (used to AAA the VPN users).

inner-tunnel
Add:
ntlm_auth
to the end of the authenticate{..} section
default
Add:
 ntlm_auth
to the end of the authenticate{..} section
server_cisco (see Appendix B)
We&#
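
The ldap section of the write-up above substitutes request data (User-Name, the user's DN) straight into LDAP search filters, and the debug output elsewhere on this page shows rlm_ldap escaping those values ('=' as \3d, ',' as \2c) before sending them. The following is an added example, not FreeRADIUS code and not part of the write-up, that rebuilds those filters with the same kind of escaping so the effect on a hostile User-Name can be seen without a directory. The escape set is an assumption (RFC 4515's filter metacharacters plus the DN separators the page shows escaped), and ad_group_filter() goes beyond the write-up: it is the filter form that matches AD groups directly, where the stock GroupOfNames/GroupOfUniqueNames filter never matches in AD and the check falls back to memberOf.

```python
"""Build the LDAP filters the ldap module expands for AD lookups, escaping the
values that come from the request.

Added example for the ldap section above; it is not FreeRADIUS code. The escape
set is an assumption: RFC 4515's filter metacharacters plus the DN separators
the debug output on this page shows escaped ('=' as \\3d, ',' as \\2c).
"""

# characters rewritten as \XX inside a filter value (assumed set, see above)
LDAP_SPECIALS = ',+"\\<>;*=()#'


def ldap_filter_escape(value):
    """Escape one request-derived value for use inside an LDAP search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in LDAP_SPECIALS else ch for ch in value)


def user_filter(user_name):
    """The 'filter' item from the ldap section, with the user name escaped."""
    return '(&(sAMAccountname=%s)(objectClass=person))' % ldap_filter_escape(user_name)


def stock_group_filter(user_dn):
    """The stock groupmembership_filter. AD groups are objectClass=group, not
    GroupOfNames/GroupOfUniqueNames, so against AD this never matches and the
    group check falls back to the memberOf attribute."""
    dn = ldap_filter_escape(user_dn)
    return ('(|(&(objectClass=GroupOfNames)(member=%s))'
            '(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))' % (dn, dn))


def ad_group_filter(user_dn):
    """A groupmembership_filter that matches AD groups directly."""
    return '(&(objectClass=group)(member=%s))' % ldap_filter_escape(user_dn)


def group_check_filter(group_cn, user_dn, ad=True):
    """The search an Ldap-Group == "group_cn" check item turns into: the group
    name ANDed with the membership filter (cf. the debug output on this page)."""
    member = ad_group_filter(user_dn) if ad else stock_group_filter(user_dn)
    return '(&(cn=%s)%s)' % (ldap_filter_escape(group_cn), member)


if __name__ == '__main__':
    dn = 'CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com'
    print(user_filter('rsteeves'))
    # a User-Name crafted to widen the search stays a literal once escaped
    print(user_filter('*)(objectClass=*'))
    print(group_check_filter('VPN_Users', dn))
    print(group_check_filter('VPN_Users', dn, ad=False))
```

The point of the second print is the one that matters operationally: without escaping, a User-Name of *)(objectClass=* would turn the sAMAccountName lookup into a match on every person object, and whichever entry came back first would be the DN used for the group check.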

Re: separating Users?

2009-12-01 Thread freeradius

At 01:29 PM 12/1/2009, t...@kalik.net wrote:

> So I think what I need is:
>>if(Huntgroup-Name == "VPN_Huntgroup") {
>>  if(Ldap-Group == "VPN_Users") {

Put just ok in there. It might not like empty brackets.

>>  }
>>  else {
>>   reject
>>  }
>>}
>



That did it! Thanks! I think that gets me up 100%.

(Now to go write up all the docs for my own paper trail, and get them 
in shape to go somewhere in the freeradius doc realm)


Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-12-01 Thread freeradius

At 01:03 PM 12/1/2009, t...@kalik.net wrote:

Use unlang for better control of what happens:

if (Huntgroup-Name == "VPN_Huntgroup") {
	if (Ldap-Group == "VPN_Users") {
		if (!control:Auth-Type) {
			update control {
				Auth-Type = "ntlm_auth"
			}
		}
	}
	else {
		reject
	}
}



If I understand correctly, I don't need to worry about ntlm_auth at 
all in this case (because with MSCHAP I don't have a cleartext 
password, and thus ntlm_auth won't do me any good), so I probably 
don't need to update the Auth-Type?


So I think what I need is:

if(Huntgroup-Name == "VPN_Huntgroup") {
 if(Ldap-Group == "VPN_Users") {
 }
 else {
  reject
 }
}


would that unlang go into the ./users file? or into the authorization {..} section?




Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-12-01 Thread freeradius

At 02:39 AM 12/1/2009, Alan DeKok wrote:

  Because you've forced the "ntlm_auth" module to be run.  That module
ONLY checks clear-text passwords, and there is NO clear-text password in
the request.

  Change the line having
... Auth-Type := ntlm_auth, ...
  to
... Auth-Type = ntlm_auth, ...


DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type = ntlm_auth, Ldap-Group == "VPN_Users"



It runs the LDAP group check, but still lets the user log in even 
when he's not in the VPN_Users group:


rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for ciscorsteeves
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[ldap]  expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=example,DC=com -> 
OU=Enterprise,DC=example,DC=com

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter (&(sAMAccountname=ciscorsteeves)(objectClass=person))

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure 
that the user is configured correctly?

[ldap] user ciscorsteeves authorized to use remote access



  And read "man users" to see what the difference is.


Ahh, man 5 users. cool.

Rick



  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread freeradius

At 09:41 PM 11/30/2009, you wrote:

Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
want authentication to fail if such conditions are not met you need to add
Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
Auth-Type won't be set and authentication will fail.


so if ./users:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "VPN_Users"


it should work?  I think even with the Auth-Type specified as ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me:


radiusd -X gives:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}

If I remark out:
#   Auth-Type MS-CHAP {
#   mschap
#   }
from my server config, that stops it from being found, but then I 
lose the password for ntlm_auth I think:


Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

Is that going to be a limitation of using MSCHAP/MSCHAP2?

Rick



Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: separating Users?

2009-11-30 Thread freeradius

At 06:12 PM 11/30/2009, t...@kalik.net wrote:

> You need to set fall-through so that you still do per user processing.
> This is documented in the raddb/users file and you should also read
> doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (ie. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.


Yup, both of those work, and I'm to the point I understand why!

What I think is my final problem.  I'm now working to authenticate 
VPN users in the same scenario, using the l2tp client in 
windows.   Looks like everything automatically picks up that it's a 
MSCHAP request.


Using a similar logic:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == "VPN_Users"

The only problem is that it appears to ignore my LDAP group, and just 
authenticate ANY user (with a valid User ID/ Password) regardless of 
LDAP group.


rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129
User-Name = "notvpnuser"
MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b
MS-CHAP2-Response = 
0x0100cc49a55de60f33a16e0afd73fb10d7ddeb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4

NAS-IP-Address = 10.4.1.2
NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=int,DC=example,DC=com -> 
OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[files] expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=notvpnuser)(objectClass=person))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User 
Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I 
to int.example.com:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
(&(sAMAccountname=notvpnuser)(objectClass=person))

rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco 
rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco 
rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
(&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco 
rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco 
rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom

rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=cisco 
rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with 
filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security 
Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)

rlm_ldap: object not found
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for notvpnuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[ldap]  expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=int,DC=example,DC=com -> 
OU=Enterprise,DC=int,DC=example,DC=com

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter 
(&(sAMAccountname=notvpnuser)(objectClass=person))

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure 
that the user is configured correctly?

[ldap] user notvpnuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password
[mschap]expand: --username=%{ms

Re: separating Users?

2009-11-30 Thread freeradius

At 03:27 PM 11/30/2009, David Mitchell wrote:

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
"Group1" irrespective of the supplied password.


Sigh. Here I was all excited that I had everything working, and was 
merrily working on my docs and making them into a HOWTO. And you're 
right on target. Correct user ID any password permits access.


So here's my users file once I take that out:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"
DEFAULT Auth-Type = ntlm_auth

And now it doesn't work.
"Authentication failed".

If I switch the order I get:
"Authorization failed"  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
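
The exchange above turns on two check-item details of the users file: "Auth-Type := Accept" means a matching user is let in with any password at all, and "Auth-Type := ntlm_auth" overrides whatever Auth-Type the mschap or pap module already chose (which is why "=" is the right operator when ntlm_auth is only meant as a default). The following is an added example, not part of the thread and not FreeRADIUS code, that parses a users file in the layout used on this page (entry name plus comma-separated check items at column 0, reply items on indented continuation lines) and flags both patterns. SAMPLE_USERS is a constructed file modelled on the entries posted here.

```python
"""Lint a FreeRADIUS 2.x 'users' file for check items that bypass or override
password verification.

Added example for this thread, not code from FreeRADIUS or from the thread.
It parses the users-file layout used on the page: an entry starts at column 0
with a name (or DEFAULT) and comma-separated check items; reply items follow
on indented lines. SAMPLE_USERS is a constructed file modelled on the entries
quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# attribute, operator, value; multi-character operators must be tried first
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|!=|=~|!~|=\*|!\*|>=|<=|[<>=])\s*(.*?)\s*$')


@dataclass
class Entry:
    line: int
    name: str
    check: list = field(default_factory=list)   # (attr, op, value) check items
    reply: list = field(default_factory=list)   # (attr, op, value) reply items


def split_items(text):
    """Split 'a = 1, b == "x,y"' on the commas that are outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_item(item):
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError('cannot parse item: %r' % item)
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def parse_users(text):
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                     # continuation line: reply items
            if current is None:
                raise ValueError('line %d: reply items before any entry' % lineno)
            current.reply.extend(parse_item(i) for i in split_items(raw))
        else:                                   # new entry: name + check items
            parts = raw.split(None, 1)
            current = Entry(lineno, parts[0])
            if len(parts) == 2:
                current.check = [parse_item(i) for i in split_items(parts[1])]
            entries.append(current)
    return entries


def lint_users(text):
    """Return (line, entry name, message) for entries that weaken authentication."""
    findings = []
    for e in parse_users(text):
        for attr, op, value in e.check:
            if attr.lower() != 'auth-type':
                continue
            if value.lower() == 'accept':
                findings.append((e.line, e.name,
                    'Auth-Type %s Accept: matching users get in with ANY password' % op))
            elif op == ':=':
                findings.append((e.line, e.name,
                    'Auth-Type := %s overrides the Auth-Type set by mschap/pap; '
                    'use "=" so it is only a default' % value))
    return findings


SAMPLE_USERS = """\
# constructed sample, modelled on the entries posted in this thread
DEFAULT Auth-Type := Accept, Ldap-Group == "Group1"
        Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == "Infrastructure"
        Service-Type := NAS-Prompt-User, cisco-avpair := "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type = ntlm_auth, Ldap-Group == "VPN_Users"

testuser Cleartext-Password := "testpass"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"
"""

if __name__ == '__main__':
    for line, name, msg in lint_users(SAMPLE_USERS):
        print('line %d (%s): %s' % (line, name, msg))
```

Run it against /etc/raddb/users before trusting a group check: an entry that passes the Ldap-Group test but carries Auth-Type := Accept is exactly the "correct user ID, any password" hole described in the message above, and nothing in radiusd -X output will complain about it.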


Re: Exec and ntlm_auth

2009-11-30 Thread freeradius

At 11:21 AM 11/30/2009, freerad...@corwyn.net wrote:

Add to top of ./raddb/users:

DEFAULT Ldap-Group == "UserGroup",Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

DEFAULT Auth-Type = ntlm_auth



Hmm, it looks like
DEFAULT Ldap-Group == "UserGroup",Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

is not the same as
DEFAULT Ldap-Group == "UserGroup"
        Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"


After some tinkering:
DEFAULT Auth-Type:=Accept,Ldap-Group == "Infrastructure"
        Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

appears to work with the rest of the config, and users in the 
Infrastructure group can log in, and other users cannot!


However, this means that if you're in ./users you authorize 
(regardless of where I think you're going). Is there a way to 
associate the users data only with a particular virtual server config?


Rick




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


separating Users?

2009-11-30 Thread freeradius




There's a piece of RADIUS that I'm not understanding.

If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == "Group1"
        Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

And another entry
DEFAULT Auth-Type:=Accept,Ldap-Group == "Group2"
        Service-Type=NAS-Prompt-User,cisco-avpair="shell:priv-lvl=15"

where I'm trying to authorize users in Group1 for one set of 
switches, and users in Group2 for another set of switches, how does 
freeradius know which is which?


Rick




Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-30 Thread freeradius

At 11:13 PM 11/29/2009, freerad...@corwyn.net wrote:

A resummary:
Goal: Authenticate and Authorize users that telnet into the switches 
in Groups A and/or B based on their inclusion in a specific AD 
security group for A & B .


Environment:
CentOS 5.2  (IP 10.10.0.1)

freeradius2-2.1.7-2.el5
freeradius2-utils-2.1.7-2.el5
freeradius2-libs-2.1.7-2.el5
freeradius2-ldap-2.1.7-2.el5

Cisco switch running IOS 12.4 in subnet A (10.100.0.0/24)
Cisco switch running IOS 12.4 in subnet B (10.101.0.0/24)

windows Active Directory (example.com) with Security Groups A & B

Add to modules{} inradiusd.conf:
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

Copy:
./raddb/sites-available/default to ./raddb/sites-available/server_A 
and link it to ./raddb/sites-enabled/server_A
./raddb/sites-available/default to ./raddb/sites-available/server_B 
and link it to ./raddb/sites-enabled/server_B


and then surround the contents of those files with
server server_A {..}
and
server server_B {..}
respectively

Add to the authenticate{} section of ./server_A and ./server_B :

ntlm_auth

Edit ./modules/ldap to:
ldap {
	server = "example.com"
	identity = "CN=user,OU=Enterprise,DC=example,DC=com"
	password = xxx
	basedn = "OU=Enterprise,DC=example,DC=com"
	filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
	# Only one groupmembership_filter / groupmembership_attribute each (the
	# snippet as posted defined both twice). AD groups are objectClass=group
	# with a 'member' attribute; the user's DN lives in the control list.
	groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
	groupmembership_attribute = "memberOf"
	groupname_attribute = cn
	...
}


Add to top of ./raddb/users:

DEFAULT Ldap-Group == "UserGroup",Service-Type = NAS-Prompt-User,cisco-avpair = "shell:priv-lvl=15"

DEFAULT Auth-Type = ntlm_auth


Add to ./raddb/cilents.conf:
clients disambiguate {
	client localhost {
		#  Allowed values are:
		#   dotted quad (1.2.3.4)
		#   hostname(radius.example.com)
		ipaddr = 127.0.0.1
		secret = testing123	# a secret is required; value assumed to match the other clients
	}
	client Cisco_A {
		ipaddr = 10.101.0.0
		netmask = 24
		secret = testing123
		virtual_server = server_A
	}
	client Cisco_B {
		ipaddr = 10.100.0.0
		netmask = 24
		secret = testing123
		virtual_server = server_B
	}
}


Add to the listen{} section of radiusd.conf:
clients = disambiguate


On the cisco switches A & B:

aaa new-model
aaa group server radius RAD
 server 10.10.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius line
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
radius-server host 10.10.0.1 auth-port 1812 acct-port 1813 timeout 3
radius-server retransmit 2
radius-server key 7 encrypted-secret



that configuration still fails to authorize, even tho the output of 
radiusd -X looks like its working (sanitized)




rad_recv: Access-Request packet from host 10.100.0.8 port 1812, 
id=80, length=79

NAS-IP-Address = 10.100.0.8
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "testuser"
Calling-Station-Id = "10.100.0.5"
User-Password = "password"
server server_cisco {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=example,DC=com -> 
OU=Enterprise,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man 
unlang" for details
[files] expand: 
(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) 
-> (&(sAMAccountname=testuser)(objectClass=person))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to example.com:389, authentication 0
rlm_ldap: bind as 
CN=_radiususer,OU=Enterprise,DC=example,DC=com/wx to example.com:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter (&(sAMAccountname=testuser)(objectClass=person))

rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) 
-> 
(|(&(objectClass=GroupOfNames)(member=CN\3dRick\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dRickOU\3dUsers\2cOU\3dEnterprise\DC\3dexample\2cDC\3dcom)))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with 
filter 
(&(cn=Infrastructure)(|(&(obje

Re: Exec and ntlm_auth

2009-11-29 Thread freeradius

At 06:24 PM 11/25/2009, Ivan Kalik wrote:
Configure AD as ldap server in ldap module (.raddb/modules/ldap). 
Then add to users file:


DEFAULT Ldap-Group == "max_priv_level" or whatever is your group called
 Service-Type = NAS-Prompt-User,
 cisco-avpair = "shell:priv-lvl=15"


closer!  First, if I use the account directly:
testuser   Cleartext-Password := "testpass"
   Service-Type = NAS-Prompt-User,
   cisco-avpair = "shell:priv-lvl=15"

I get auth. (so the cisco at least is right, and the base LDAP must 
be ok, because I get an LDAP success).


But when I switch to :
DEFAULT Ldap-Group == "Infrastructure"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

I get in the logs a failure to find the group:

[ldap] performing user authorization for testuser
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> testuser
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(uid=ciscorsteeves)
[ldap]  expand: OU=Enterprise,DC=int,DC=example,DC=com -> 
OU=Enterprise,DC=int,DC=example,DC=com

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in 
OU=Enterprise,DC=int,DC=example,DC=com, with filter (uid=testuser)

rlm_ldap: object not found

[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
^


My suspicion is something wrong between base_filter and filter. Sigh.





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-29 Thread freeradius



Ah, you need to install freeradius2-ldap then.



Yeah, that would do it.

OK, so since I have two different groups I'm trying to authenticate, 
given previous advice, I'm going to need to copy the ldap module to, 
say, ldap_a and ldap_b, and then in each copied module make a change 
from ldap {..} to ldap ldap_a {..} and ldap ldap_b {..} respectively? 
(and then the appropriate changes in my respective virtual servers?)


rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-29 Thread freeradius

At 06:26 PM 11/29/2009, freerad...@corwyn.net wrote:

at least does not include ./raddb/modules/ldap



Default startup even gives:
 Module: Checking authenticate {...} for more modules to load
/etc/raddb/sites-enabled/default[287]: Failed to find module "eap".
/etc/raddb/sites-enabled/default[234]: Errors parsing authenticate section.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-29 Thread freeradius

At 05:58 PM 11/29/2009, t...@kalik.net wrote:

> Hmm, is there supposed to be a ldap module by default? Because I
> don't have that.

Yes, in 2.x.



Nope. Brand new clean install of the RPM
freeradius2-libs-2.1.7-2.el5
freeradius2-2.1.7-2.el5
freeradius2-utils-2.1.7-2.el5


at least does not include ./raddb/modules/ldap

Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-29 Thread freeradius

At 06:24 PM 11/25/2009, Ivan Kalik wrote:
Configure AD as ldap server in ldap module (.raddb/modules/ldap). 
Then add to users file:



Hmm, is there supposed to be a ldap module by default? Because I 
don't have that.


Rick  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Acct-Unique-Session-Id not unique

2009-11-26 Thread Vega Freeradius


Alan DeKok on Thu, 26 Nov 2009 09:08:37 -0800 Wrote: 

> Odds are because the Client-IP-Address is different. Everything else
> in the packet looks to be the same.

You are right!!! It was my mistake. It said
"Client-IP-Address" but I was reading "Framed-IP-Address" and did not
understand why the hash came out different!

I don't need debug :) Thank
you!!

Marco
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Acct-Unique-Session-Id not unique!

2009-11-26 Thread Vega Freeradius


Hi!
Forgive me for my bad English.
I've some problem with acctuniqueid. I use two freeradius server with 
two node mysql cluster.


My freeradius version is "2.0.5". On both servers there is the same config.
The modules/acct_unique content on both servers is set to default:

acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}



But servers generate two different "uniqueid" from the same data!

this is the START record (issued by first server)

Thu Nov 26 15:00:45 2009
   Acct-Status-Type = Start
   User-Name = "studi...@d.gbnetc.it"
   NAS-Identifier = "r-nl035"
   Acct-Session-Id = "erx atm 1/3.10083:1.83:0148107119"
   NAS-IP-Address = 217.141.253.49
   Framed-IP-Address = 79.34.44.195
   NAS-Port = 318832723
   NAS-Port-Id = "atm 1/3.10083:1.83"
   Acct-Unique-Session-Id = "40f5c1e75a777864"

this is the STOP record (issued by second server)


Thu Nov 26 15:39:00 2009
   Acct-Status-Type = Stop
   User-Name = "studi...@d.gbnetc.it"
   NAS-Identifier = "r-nl035"
   Acct-Session-Id = "erx atm 1/3.10083:1.83:0148107119"
   NAS-IP-Address = 217.141.253.49
   Framed-IP-Address = 79.34.44.195
   NAS-Port = 318832723
   NAS-Port-Id = "atm 1/3.10083:1.83"  
   Acct-Unique-Session-Id = "fb963455e99b780c"


I deleted some data before posting it here. I see that
User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
are the same on both records. But Acct-Unique-Session-Id is different.
How could this be?


Thanks in advance

Marco


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
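The mismatch diagnosed in this thread, worked through as an added example (not code from FreeRADIUS or from either poster): a session id derived from the acct_unique key attributes changes as soon as Client-IP-Address differs between the two servers, while Framed-IP-Address, which is not in the key, has no effect. The hashing construction and the sample records are assumptions modelled on the thread, not rlm_acct_unique's exact byte layout.

```python
import hashlib

# Attributes named in the acct_unique "key" setting quoted in this thread.
KEY_ATTRS = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
             "Client-IP-Address", "NAS-Port")


def acct_unique_id(packet, key_attrs=KEY_ATTRS):
    """Derive a session id from the key attributes of an accounting packet.

    Illustrative reconstruction (an assumption, not rlm_acct_unique's exact
    construction): the key values are concatenated in key order, MD5-hashed,
    and the first 8 bytes rendered as 16 hex digits, the width of the ids
    shown in the thread. Any attribute outside the key cannot influence the
    result, which is why Framed-IP-Address is irrelevant here.
    """
    parts = []
    for attr in key_attrs:
        value = packet.get(attr)
        if value is None:
            # A key attribute that is absent contributes nothing, so two
            # packets that both lack it still hash the same.
            continue
        parts.append(f"{attr}={value}")
    digest = hashlib.md5(",".join(parts).encode("utf-8")).digest()
    return digest[:8].hex()


def differing_key_attrs(a, b, key_attrs=KEY_ATTRS):
    """Return the key attributes whose values differ between two packets.

    This is the check the poster needed: when a Start and a Stop record get
    different ids, exactly these attributes are the cause.
    """
    return [attr for attr in key_attrs if a.get(attr) != b.get(attr)]


# Constructed sample records, shaped like the Start/Stop pair in the thread
# but using documentation addresses. Client-IP-Address is the address the
# server saw the request come from; here the two servers saw different ones.
START = {
    "Acct-Status-Type": "Start",
    "User-Name": "student@example.net",
    "Acct-Session-Id": "erx atm 1/3.10083:1.83:0148107119",
    "NAS-IP-Address": "198.51.100.49",
    "Framed-IP-Address": "203.0.113.195",
    "NAS-Port": "318832723",
    "Client-IP-Address": "198.51.100.49",
}
STOP = dict(START, **{
    "Acct-Status-Type": "Stop",
    "Client-IP-Address": "198.51.100.50",
})
# Same session, but the client's framed address changed: not part of the key.
START_REFRAMED = dict(START, **{"Framed-IP-Address": "203.0.113.7"})

# A key limited to attributes the NAS itself sends (assumed variant, for
# comparison only): the per-server view of the client address drops out.
NAS_ONLY_KEY = tuple(a for a in KEY_ATTRS if a != "Client-IP-Address")

if __name__ == "__main__":
    print("Start id:", acct_unique_id(START))
    print("Stop id: ", acct_unique_id(STOP))
    print("differing key attributes:", differing_key_attrs(START, STOP))
    print("Framed-IP-Address change alters id:",
          acct_unique_id(START) != acct_unique_id(START_REFRAMED))
    print("ids match with NAS-only key:",
          acct_unique_id(START, NAS_ONLY_KEY) == acct_unique_id(STOP, NAS_ONLY_KEY))
```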


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 06:15 PM 11/25/2009, you wrote:
There are dozens of them there. Just save what is quoted in the 
guide (with adjusted text) as a file into raddb/modules directory.


Yeah, and in tinkering with module files I clearly haven't had success.

so you're saying create a (adjusted for my environment) file in ../modules:
rick_ntlm {
ntlm_auth = "/path/to/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} 
--domain=%{mschap:NT-Domain:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

and it should work?  In part I ask because the examples for 
radiusd.conf and mschap.conf are different.


I suspect I also have to put the reference to that new file 
(ntlm_rick in this case) into inner-tunnel as well? And in the 
virtual server config? In both the authorize{} and authenticate {} sections?




Rick



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 06:24 PM 11/25/2009, you wrote:
Configure AD as ldap server in ldap module (.raddb/modules/ldap). 
Then add to users file:


DEFAULT Ldap-Group == "max_priv_level" or whatever is your group called
 Service-Type = NAS-Prompt-User,
 cisco-avpair = "shell:priv-lvl=15"



Excellent. Thank you.

Rick
PS Noticed earlier that if I put a space in front of DEFAULT the 
behaviour changes. quirky.


PPS I noticed in the guide for radiusd.conf it suggests:
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth ntlm_auth 
--request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} 
--password=%{User-Password}"
}

yet I think it should be   (an extra ntlm_auth?)
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key 
--domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 05:57 PM 11/25/2009, Rick Steeves wrote:
I have the cisco configured per that guide already . However, I 
don't want to put user / password info in the users file, because 
that would defeat part of the model of centralized authentication to 
AD.  So I want that to feed authentication back to radius > AD as well.


Perhaps my question is how to integrate

Per User Privilege Level

You can also send the privilege level (enable mode is level 15) for 
individual users as a reply item to automatically put them into that 
level with cisco-avpair = "shell:priv-lvl=15"


You can do this with an entry in your users file similar to the following

youruser   Cleartext-Password := "somepass"
   Service-Type = NAS-Prompt-User,
   cisco-avpair = "shell:priv-lvl=15"


into the AD part, instead of into the users file?  I had planned to 
just use AD security groups 


rick






Rick




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 05:04 PM 11/25/2009, t...@kalik.net wrote:

> At 02:54 PM 11/25/2009, you wrote:
>>Just make it another file in the modules directory (like all the others).
>>Any file placed in that directory is automatically included as a module.
>
> Can you provide an example of that file?

Example for exec ntlm_auth is in the guide.


In the guide there are two separate ntlm_auth lines. The first one 
says it should go in radiusd.conf.  Where does that relate to a module?


It would be helpful to see what the module file would look like.

Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 10:45 AM 11/25/2009, Alan DeKok wrote:

  What part of the instructions is not working for you?


well for me at least, I have authentication working.
radtest account password localhost 0 m3H1hc4Z1OtpNC2ZLX3A
works fine.
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=164, length=20

However, when I try the same thing from the Cisco client, I get
Authorization failed
back from the cisco.  Better, because I originally got back 
Authentication Failed, so I figure I'm one step farther.


If I disable Authorization on the Cisco, or change it back over to my 
old tacacs+ server, I can log in successfully, so my problem 
is  somewhere in the authorization process, which isn't really (to 
me) in that document.


Yet the results from the log show freeradius sending back
Sending Access-Accept of id 121 to 10.100.0.8 port 1812

rad_recv: Access-Request packet from host 10.100.0.8 port 1812, 
id=121, length=79

NAS-IP-Address = 10.100.0.8
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "username"
Calling-Station-Id = "10.20.31.17"
User-Password = "password"
server server_cisco {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "username", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the 
user.  Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=username
[ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
Login OK: [rsteeves] (from client Cisco port 1 cli 10.20.31.17)
+- entering group post-auth {...}
++[exec] returns noop
} # server server_cisco
Sending Access-Accept of id 121 to 10.100.0.8 port 1812

Rick



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Exec and ntlm_auth

2009-11-25 Thread freeradius

At 02:54 PM 11/25/2009, you wrote:

Just make it another file in the modules directory (like all the others).
Any file placed in that directory is automatically included as a module.


Can you provide an example of that file?

Also, on the web page for AD config it has:
ntlm_auth = "/path/to/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} 
--domain=%{mschap:NT-Domain:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


the "-" is bolded in the NT-Domain such that it indicates that it 
should be replaced, but should it be

--domain=%{mschap:NT-Domain:example.com}
or
--domain=%{mschap:NT-Domain:-example.com}


Rick



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ntlm_auth and AD authentication

2009-11-23 Thread freeradius

At 02:33 PM 11/23/2009, Paul Ryszka wrote:

On Mon, 2009-11-23 at 13:35 -0500, freerad...@corwyn.net wrote:
> Am I going to have to do something like create different modules
> (ntlm_auth and ntlm_auth2) radiusd.conf in the module section?

You need to create two separate entries in modules having two mschap
entries .. something like:
mschap mschap_group1 {
...
ntlm_auth = "your first ntlm_auth command"
}
mschap mschap_group2 {
...
ntlm_auth = "your second ntlm_auth command"
}
and then have the respective mschaps used in the respective virtual
servers for each client.


I currently have (working)
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth ntlm_auth 
--request-nt-key --domain=int.invtitle.com 
--username=%{mschap:User-Name} --password=%{User-Password} 
--require-membership-of=int.example.com+VPN_Users"
}

so I'm not sure how that relates to mschap groups? I don't currently 
have a mschap group at all currently in the radiusd.conf file.


Would I just create
exec ntlm_auth_2 {
wait = yes
program = "/usr/bin/ntlm_auth ntlm_auth 
--request-nt-key --domain=int.invtitle.com 
--username=%{mschap:User-Name} --password=%{User-Password} 
--require-membership-of=int.example.com+Cisco_Users"
}

And how do I control which group is used for auth from a specific client?

Rick


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ntlm_auth and AD authentication

2009-11-23 Thread freeradius

At 10:24 AM 11/23/2009, freerad...@corwyn.net wrote:

to confirm, and it looks like it's working.


Hmm. I have two sets of authentication I care about, VPN Users, and 
Cisco switches. I'd like to be able to control access to each of 
those separately (different AD Security Groups, and different shared keys).


I've found instructions for restricting ntlm_auth to a particular 
security group, by adding --require-membership-of={SID|Name} to the 
ntlm_auth command.


But I can't puzzle out how I'd then have one set of authentication 
for one security group, and one set of authentication for a second 
security group. (currently any AD user works).


Am I going to have to do something like create different modules 
(ntlm_auth and ntlm_auth2) radiusd.conf in the module section?


Rick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ntlm_auth and AD authentication

2009-11-23 Thread freeradius



freeradius2-2.1.7-2.el5
freeradius2-utils-2.1.7-2.el5
freeradius2-libs-2.1.7-2.el5
CentOS 5.2

I'm trying to get freeradius to authenticate with an AD server, using 
the instructions at 
http://deployingradius.com/documents/configuration/active_directory.html


The initial confirmation of communication with AD is working. The 
instructions then say to try:
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user 
--password=password


to confirm, and it looks like it's working. However, the instructions 
also indicate you should also see the NT_KEY output, which is needed 
in order for FreeRADIUS to perform MS-CHAP authentication.


However, whether I use
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user 
--password=password

or
ntlm_auth --domain=MYDOMAIN --username=user --password=password

the output/response looks the same:
NT_STATUS_OK: Success (0x0)

which leads me to believe  that the nt-key isn't being provided? What 
is the nt-key supposed to look like? If it's not showing up 
correctly, any ideas why?


thanks

Rick



Rick Steeves
http://www.sinister.net

In reality nothing is more damaging to the adventurous spirit within 
a man than a secure future -  Alexander Supertramp


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread freeradius
Thanks Padam!  That's just what I was hoping to hear :-)

Regards,  Mike.
 
From: freeradius-users-bounces+freeradius=duxtel@lists.freeradius.org
[mailto:freeradius-users-bounces+freeradius=duxtel@lists.freeradius.org]
On Behalf Of Padam J Singh
Sent: Monday, 23 November 2009 8:57 PM
To: FreeRadius users mailing list
Subject: Re: authorize_check_query - authorize_reply_query - synchronous or
asynchronous?
 
Hi Mike,

I use a similar setup (PG Functions for auth/acct) and I never had an issue
with the query ordering.

Padam

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread freeradius
G'day!

> Do you understand how databases work?

Heheh - uh, yes: I understand how a database works!

>   Does the pgsql function do things AFTER it returns?

 Of course not!

>   I have *no idea* how you concluded that when I said the exact opposite.

H, I read your last reply again with hindsight gained from this new
response, and I still can't interpret that comment as a definitive answer to
the question.

>   Could you explain why my previous answer is incomprehensible to you?

I am wondering if this is a genuine question, or if there is some sarcastic
or condescending undertone - but when I look at my last reply to you, I
realise that those comments could be taken that way too!  And since no such
thing were intended, I'll respond anyway (whether you are interested or not!
;-)

Perhaps I am missing some significant detail that is obvious to you...(?)  I
am coming to this discussion with the assumption that the two queries we are
talking about might be executed synchronously by freeradius:  as in both
functions are called at the same time, and the radius reply packet is
constructed from the joint results of both.

Perhaps this is just a plain dumb idea, but that has been my thinking :-}

I've done a bit (NOT a lot!) of C++ coding in the past, and I'm thinking of
synchronous (vs asynchronous) functions that can be called essentially
simultaneously by the core process, and then retrieved a few cycles later
when the results of those functions have become available.

If that were the case for freeradius db queries, then it is conceivable that
the radius reply query could complete before the auth function had finished
doing its job.

In fact the way I see it, and the way I have the database queries working at
the moment, /if/ the radius reply were executed BEFORE the radius auth were
called, the system would probably work just the same and with no noticeable
effect on functionality!

But all that aside, I now understand (although you have not actually *said*
it ;-) that if radius_auth_query makes updates to the database,
radius_reply_query result will ALWAYS reflect up those changes - and that is
all that I need to know!

So thanks indeed! :-)

Much appreciated (truly - no sarcasm intended! :-)

Cheers,  Mike.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-23 Thread freeradius
Hi Alan,

Thanks heaps for your reply! :-)

> > So my basic question is:  Does "authorize_check_query" complete fully
> before
> > starting the call to "authorize_reply_query"?
> 
>   To re-phrase your question:
> 
> Q: What work does the database perform after it's returned an answer
> from a SELECT?
> 
> A: Nothing.

That is true for a select statement, but my authorize_check_query is /not/ a
simple select.

It is this:

authorize_check_query = "select id, username, attribute, value, op
from\
 auth('%{SQL-User-Name}',
'%{NAS-IP-Address}')\
 as (id integer, username varchar, attribute
varchar, value varchar, op varchar)"

the 'auth()' function is a plpgsql function that does a variety of lookups
and other checks, and then depending on the results returned from that
query, it *might* update database records, or it might insert additional
data.

Therefore, it is important to know whether authorize_check_query and
authorize_reply_query execute synchronously or not.

> > If they happen at the same time, then I expect that
> 'authorize_reply_query'
> > may execute before I get a chance to create the relevant records for the
> > 'guest' user...
> >
> > I know I can just go ahead and find out my answer by 'empirical method',
> but
> > I figure that just because it seems to work every time, there is no
> definite
> > guarantee that it will work *every* time unless I can be certain that
> these
> > functions execute in sequence :-}
> 
>   Databases ensure transactional consistency.  This is the job of a
> database.

Yes, very true - so it is conceivably possible that authorize_reply_query is
completed before my authorize_check_query has updated or inserted records.

I'm sure that there is a definitive answer to this question "Does freeradius
wait for the result of auth-check before running auth-reply?" and I am aware
that it may not be the answer that I'd hope to hear ;-)  but I'd still like
to know it, nonetheless :-D

Thanks - I really do appreciate any comments!

Regards,  Mike.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


authorize_check_query - authorize_reply_query - synchronous or asynchronous?

2009-11-22 Thread freeradius
Hi Folks!

I have a working freeRadius with Postgresql database behind it, and looking
at developing some additional functionality for a public access wireless
service requested by one of our customers.

The deal is that they want to allow limited access (by time/download etc) to
first-time visitors for free, and then direct them to a purchase page once
they have used up that limit.

What I'm thinking is to point the authorize_check_query to a pgSQL function
that looks for the MAC address in a special table, and if it doesn't exist,
to create a new user linked to the client MAC (Our Access Points all support
MAC-Auth when the wireless client connects to the network).

I'm expecting that if I can create a new user in the authorize_check_query
and have it return auth-success, then the authorize_reply_query will return
the relevant data from what is created by the former  I hope that makes
some kind of sense! :-}

So my basic question is:  Does "authorize_check_query" complete fully before
starting the call to "authorize_reply_query"?

If they happen at the same time, then I expect that 'authorize_reply_query'
may execute before I get a chance to create the relevant records for the
'guest' user...

I know I can just go ahead and find out my answer by 'empirical method', but
I figure that just because it seems to work every time, there is no definite
guarantee that it will work *every* time unless I can be certain that these
functions execute in sequence :-}

Any comments are gratefully received! :-)

Thanks, regards,  Mike Everest.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Failed default PAP in CentOS

2009-11-20 Thread freeradius

At 01:17 PM 11/20/2009, t...@kalik.net wrote:

http://wiki.freeradius.org/Red_Hat_FAQ#Current_Pre-built_RPM.27s_for_RHEL_5_and_CentOS_5



Just what I needed - thanks!

Rick 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Failed default PAP in CentOS

2009-11-20 Thread freeradius




CentOS 5.2
installing freeradius from the default base repository
freeradius-1.1.3-1.5.el5_4

If  I add, to the top of /etc/raddb/users:
bob Cleartext-Password := "hello"

Then when I attempt to start freeradius I get:
/etc/raddb/users[1]: Parse error (check) for entry bob: Unknown 
attribute "Cleartext-Password"


I haven't made any other changes to freeradius other than the rpm install.

(full debug output)
[r...@ns4 ~]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
/etc/raddb/users[1]: Parse error (check) for entry bob: Unknown 
attribute "Cleartext-Password"

Errors reading /etc/raddb/users
radiusd.conf[1059]: files: Module instantiation failed.
radiusd.conf[1837] Unknown module "files".
radiusd.conf[1773] Failed to parse authorize section.


If I remove that line, freeradius appears ok:


[r...@ns4 

strange behavior in proxy when some backend servers down

2009-07-10 Thread travis+ml-freeradius-users
Hello,

I've just been assigned a task regarding a problem with freeradius.

Bear with me if my understanding of freeradius terminology is a bit
weak, as I have just started familiarizing myself with this software
today.

The situation is that we have a freeradius instance running as a
proxy.

This instance is configured to proxy requests to a pool of four
freeradius servers.

Right now three are down, so we are testing the failover conditions.

IIUC, the desired behavior is that it tries one backend server, and
fails, marks it as a zombie, and then upon receiving another request
from the user logging in, it should try a different backend server.

What we're seeing is that once no response comes back from a server,
it marks the server as a zombie, but it marks the request as completed.

Subsequent authentication requests that come in are looked up in the
response hash, finds that the response has been completed, and ignores
the request.

I could use any help in tracking this down.  If it requires a code
change to fix, I'll be contributing that back to the project.

Does anyone have any suggestions on how to track this down?
-- 
Obama Nation | My emails do not have attachments; it's a digital signature
that your mail program doesn't understand. | 
http://www.subspacefield.org/~travis/ 
If you are a spammer, please email j...@subspacefield.org to get blacklisted.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

ntlm_auth, universal principal name, multi-domain active directory, howto?

2009-06-03 Thread freeradius
New to freeradius & samba - and first post here.

Rather long post so to cut to the heart of the question:

Can freeradius be configured to authenticate users against an AD Forest 
(multi-domain) using universal principal name (UPN) and if so...how?

I'm posting here because our only need for samba is freeradius integration to 
AD - but if I need to go to the Samba community just let me know. 

The ultimate goal is to have the majority of remote access users authenticate 
using their universal principal names (UPN) from AD.  The path of that 
authentication however is not direct.

RA Appliance --> Freeradius (Proxy) --> Freeradius --> AD

There are some instances where we need users to authenticate from a repository 
other than AD, so Freeradius has been configured against both MySQL (primarily 
to hold NAS information & accounting info, but could potentially host users) 
and Openldap.

The MySql & Openldap configs are working just fine.

We don't really care if we use Samba - integration via LDAP would be fine, but 
it appears that there is an issue with sending the password in the clear if 
LDAP is used. If this is inaccurate please let me know.

Everything "appears" configured correctly.  In fact authentication using the 
"exec ntlm_auth" configuration referenced in 
http://deployingradius.com/documents/configuration/active_directory.html works 
if the username and domain are specified.  Once we tried to use the UPN 
(without domain name) it does not.  Going back to the command line for 
ntlm_auth tests resulted in the following.

Using a user account found in DEPT1.COMPANY.NET child domain

ntlm_auth --username=user  WORKS
ntlm_auth --username=user --domain=DEPT1   WORKS
ntlm_auth --username=u...@company.net  DOES NOT WORK

Using a user account found in DEPT2.COMPANY.NET child domain

ntlm_auth --username=user  DOES NOT WORK
ntlm_auth --username=user --domain=DEPT2   WORKS
ntlm_auth --username=u...@company.net  DOES NOT WORK

All of the DOES NOT WORK result in the same error.

NT_STATUS_NO_SUCH_USER: No such user (0xc064)

tcpdumps of the ntlm_auth traffic validate that all requests are being sent to 
one of the domain controllers within DEPT1.COMPANY.NET

The internal freeradius host is in the child domain DEPT1.COMPANY.NET based on 
policy.  If moving the server to COMPANY.NET is required that could be 
considered, however preference is to leave it in DEPT1.COMPANY.NET.

Linux Host
RHEL 5.2
Freeradius 2.1.6
Samba 3.3.4

Active Directory
Multi-Domain Model
Native Mode Win2003
Root Domain - company.net
Child Domain - dept1.company.net
Child Domain - dept2.company.net
..
Child Domain - dept9.company.net

For the sake of testing we are currently only configured for the root, child 
domains dept1 and dept2.  We do not have admin_server entries because all of 
the examples reference port 749 which is not running on any of the domain 
controllers or global catalogs.  

I am including sanitized copies of the krb5.conf and smb.conf because they seem 
pertinent to the question. If any of the freeradius config files, nsswitch or 
some other information is needed just let me know.

Thanks

Adam

krb5.conf
-

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEPT1.COMPANY.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 COMPANY.NET = {
  kdc = gc01.company.net:88
  kdc = gc02.company.net:88
  kdc = gc03.company.net:88
 }

 DEPT1.COMPANY.NET = {
  kdc = dept1-dc01.dept1.company.net:88
  kdc = dept1-dc02.dept1.company.net:88
  kdc = dept1-dc03.dept1.company.net:88
 }

 DEPT2.COMPANY.NET = {
  kdc = dept2-dc01.dept2.company.net:88
  kdc = dept2-dc02.dept2.company.net:88
  kdc = dept3-gc01.dept2.company.net:88
 }

[domain_realm]
 .company.net = COMPANY.NET
 .dept1.company.net = DEPT1.COMPANY.NET
 .dept2.company.net = DEPT2.COMPANY.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

smb.conf
--

[global]

workgroup = DEPT1
netbios name = AAA-Server
realm = DEPT1.COMPANY.NET
security = ADS
template shell = /bin/bash
idmap uid = 500-1000
idmap gid = 500-1000
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
server string = AAA


[homes]
comment = Home Directories
browseable = no
writable = yes
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
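
The UPN case in this post has no answer at the ntlm_auth level alone: user@company.net does not say which child domain holds the account, and the tests above show ntlm_auth only succeeding once it is given the right --domain. What follows is an added example, not code from this post or from Samba or FreeRADIUS. It shows the resolution step a RADIUS front end needs before calling ntlm_auth: a login in DOMAIN\user, UPN or bare form is mapped to (account, NetBIOS domain), the UPN form through a lookup table that is constructed here to stand in for a global-catalog search on userPrincipalName, and ntlm_auth's exit status and NT_STATUS line are then checked. The UPN_DIRECTORY table and the fake_ntlm_auth stand-in are constructed for the example; the real runner passes --password on the command line, which exposes the secret in the process list and is only acceptable for a test from the shell (the mschap module avoids this by passing --challenge and --nt-response).

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed for this example: UPN -> (sAMAccountName, NetBIOS domain).
# The UPN suffix (company.net) does not identify the child domain, so a real
# deployment resolves this with a global-catalog search on userPrincipalName
# rather than by parsing the string.
UPN_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "user@company.net": ("user", "DEPT2"),
    "alice@company.net": ("alice", "DEPT1"),
}

def lookup_upn(upn: str) -> Optional[Tuple[str, str]]:
    return UPN_DIRECTORY.get(upn.lower())

def split_login(name: str, default_domain: str,
                upn_lookup: Callable[[str], Optional[Tuple[str, str]]] = lookup_upn
                ) -> Optional[Tuple[str, str]]:
    """Map DOMAIN\\user, user@suffix or a bare user to (account, NetBIOS domain)."""
    m = re.fullmatch(r"([^\\/@]+)\\([^\\/@]+)", name)
    if m:                                   # DOMAIN\user: the domain is explicit
        return m.group(2), m.group(1).upper()
    if "@" in name:                         # UPN: only the directory knows the domain
        return upn_lookup(name)
    return name, default_domain.upper()     # bare name: the joined domain (DEPT1 here)

def ntlm_auth_argv(account: str, domain: str) -> List[str]:
    # One argv element per value: the user name is never interpolated into a
    # shell command line, so shell metacharacters in it cannot be injected.
    return ["ntlm_auth", "--username=" + account, "--domain=" + domain]

def parse_ntlm_auth(rc: int, stdout: str) -> Tuple[bool, str]:
    """ntlm_auth prints 'NT_STATUS_...: text (0x...)' and exits 0 only on success."""
    first = stdout.strip().split(":", 1)[0] if stdout.strip() else "NO_OUTPUT"
    return (rc == 0 and first == "NT_STATUS_OK"), first

Runner = Callable[[List[str]], Tuple[int, str]]

def run_ntlm_auth(argv: List[str]) -> Tuple[int, str]:
    # Real runner. --password puts the secret in the process list; use it
    # only for a manual test from the shell.
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout

def authenticate(name: str, password: str, default_domain: str = "DEPT1",
                 runner: Runner = run_ntlm_auth) -> Tuple[bool, str]:
    ident = split_login(name, default_domain)
    if ident is None:
        return False, "UNKNOWN_UPN"        # refuse rather than guess a domain
    account, domain = ident
    rc, out = runner(ntlm_auth_argv(account, domain) + ["--password=" + password])
    return parse_ntlm_auth(rc, out)

# Constructed stand-in for ntlm_auth reproducing the outcomes in the post:
# the account exists only in DEPT2, so the default domain reports no such user.
def fake_ntlm_auth(argv: List[str]) -> Tuple[int, str]:
    opts = dict(a.lstrip("-").split("=", 1) for a in argv[1:])
    if (opts["username"], opts["domain"]) == ("user", "DEPT2"):
        return 0, "NT_STATUS_OK: Success (0x0)\n"
    return 1, "NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)\n"

if __name__ == "__main__":
    for login in ("user", r"DEPT2\user", "user@company.net", "bob@company.net"):
        print(login, authenticate(login, "pw", runner=fake_ntlm_auth))
```

Trying every domain of the forest in turn until one answers NT_STATUS_OK is tempting but unwise: where the same account name exists in more than one domain a single wrong password is counted against each of them, and a user in the ninth child domain is tried against eight others first. Resolve the account once, then call ntlm_auth with the domain you resolved.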


Re: what is this ?

2009-01-30 Thread Freeradius Mail List

Freeradius Mail List writes:

Have some error in freeradius log:

Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:55 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0
Fri Jan 30 03:32:57 2009 : Info: rlm_sql (sql): There are no DB 
handles to use! skipped 0, tried to connect 0


Can anybody tell me what this is? What is the reason, and how do I solve it?
Thx.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

Sorry. Fixed.
P.S. max_request_time
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius 2.0 + snmp

2009-01-27 Thread Freeradius Mail List

Hello,
I have trouble with FreeRADIUS and SNMP.
Freeradius log in debug mode:
...
SMUX connect try 1
SMUX SMUX open oid: 1.3.6.1.4.1.11344.1.1.1
SMUX open progname: radiusd
SMUX open password: x
SMUX SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1

At this point the RADIUS server goes down.

Syslog:
snmpd[3904]: refused smux peer: oid SNMPv2-SMI::enterprises.11344.1.1.1, 
descr radiusd


CPU: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
Any ideas ?
Thx.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_Python - PyExc_IOError

2007-10-03 Thread freeradius
Hi All Again

I have not fixed it; with all the playing around with FreeRADIUS
versions, I had not got rlm_python loading when I believed I had fixed it.

Mike :(

Mike O'Connor wrote:
> Hi All
>
> I'm happy to say I have fixed this issue.
>
> I'm not totally happy with the way I did it because it would not be
> portable if python was installed a different location.
>
> If some with a little more knowledge could add this correctly that would
> be great.
>
> #
> # $Id: Makefile.in,v 1.2.10.1 2006/02/10 19:47:17 nbk Exp $
> #
>
> TARGET = @targetname@
> SRCS   = rlm_python.c
> HEADERS= /usr/include/python2.4/pyerrors.h <-
> RLM_LIBS   = @python_ldflags@
> RLM_CFLAGS = @python_cflags@
>
> include ../rules.mak
>
> $(LT_OBJS): $(HEADERS)
>
>
> Mike
>
> Mike O'Connor wrote:
>   
>> Hi All
>>
>> I have look at this problem and I can not see how to fix it
>>
>> How much is it going to cost me to have someone login to a virtual
>> machine I'll setup and fix this issue ASAP ?
>>
>> The fix would need to be done in such away that the standard Debian
>> build scripts would be used and the patch sent back to the project.
>>
>> I'll like the patch for both 1.1.x and for current head.
>>
>> If someone is interested please contact me privately.
>>
>> Thanks
>> Mike
>>
>> Alan DeKok wrote:
>>   
>> 
>>> Mike O'Connor wrote:
>>>   
>>> 
>>>   
>>>> I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of
>>>> the problem.
>>>> The issue seems to be that the rlm_python module is having trouble
>>>> loading dynamic code.
>>>> 
>>>>   
>>>> 
>>>   I suspect it's a shared library problem.  The time.so library depends
>>> on another one that contains PyExc_IOError.  However, that dependency is
>>> NOT recorded in time.so.  That dependency is also NOT built into
>>> FreeRADIUS (or rlm_python), as it has no idea which Python library
>>> depends on which other Python library.
>>>
>>>   I suggest finding out which library contains that symbol, and
>>> then re-building rlm_python to link to that library.
>>>
>>>   Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See 
>>> http://www.freeradius.org/list/users.html
>>>   
>>> 
>>>   
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>   
>> 
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: final rlm_perl question, hopefully...

2007-07-26 Thread FreeRadius-ML
Hi all,

  Please disregard, I've solved the thing ;-) Silly typo in the return.

Z2L

- Original Message -
From: "FreeRadius-ML" <[EMAIL PROTECTED]>
To: "freeradius-users" 
Sent: Thursday, July 26, 2007 6:41:21 PM (GMT+0200) Asia/Jerusalem
Subject: Fwd: final rlm_perl question, hopefully...

Hi All,

  Ok, after reviewing all the information that was received, I've set up my 
FreeRadius
as follows:

1. The authorize and authenticate sections are setup to activate digest and 
perl.
2. My rlm_perl script utilizes the following lines in order to return the 
unencrypted 
   user password back to FreeRadius for digest authentication:

   $RAD_CHECK{'Cleartext-Password'} = "xx";   # Remove this line for 
production
   $RAD_CHECK{'User-Password'}="xx";  # Remove this line for 
production

   I just put these inside my script for checking, later on this information 
will be
retrieved from an external source.

  Now, FreeRadius activates my rlm_perl module, no problem, as I can see the 
various 
reply fields being set up; however, I'm still getting the following error:


rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 632905a2325f672f049800eda7df9ee4
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = z2l
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xbbc93f0)
rlm_perl: RAD_REPLY: Reply-Message = User accepted by z2l WSDL
rlm_perl: RAD_REPLY: z2l-Duration = 60
rlm_perl: RAD_REPLY: z2l-Status = 2
rlm_perl: RAD_REPLY: z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Reply-Message = User accepted by z2l
rlm_perl: Added pair z2l-Duration = 60
rlm_perl: Added pair z2l-Status = 2
rlm_perl: Added pair z2l-Session = 833abb3d-d047-4d0d-a40e-2e147049f96d
rlm_perl: Added pair Cleartext-Password = z2l
rlm_perl: Added pair User-Password = z2l
rlm_perl: Added pair Auth-Type = digest
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xb933260
  modcall[authorize]: module "perl" returns ok for request 5
rlm_realm: Looking up realm "192.168.2.80" for User-Name = "[EMAIL 
PROTECTED]"
rlm_realm: No such realm "192.168.2.80"
  modcall[authorize]: module "suffix" returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for 
authentication.
  modcall[authenticate]: module "digest" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/] (from client 
192.168.2.80 port 5060)
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 3 seconds...

  Now, my configuration is very very simple. In the authorize I have digest and 
perl 
enabled, in authenticate I have only digest enabled. If I read the debug 
correctly, the 
authorization is going ok:

  modcall[authorize]: module "perl" returns ok for request 5
rlm_realm: Looking up realm "192.168.2.80" for User-Name = "[EMAIL 
PROTECTED]"
rlm_realm: No such realm "192.168.2.80"
  modcall[authorize]: module "suffix" returns noop for request 5
  modcall: leaving group authorize (returns ok) for request 5

  However, the authentication section fails: 

rad_check_password:  Found Auth-Type DIGEST
  auth: type "digest"
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 5
  rlm_digest: Configuration item "User-Password" or Digest-HA1 is required for 
authentication.
modcall[authenticate]: module "digest" returns invalid for request 5
  modcall: leaving group authenticate (returns invalid) for request 5
  auth: Failed to validate the user.
  Login incorrect: [EMAIL PROTECTED]/] (from client 
192.168.2.80 port 5060)

  So, I'm either returning something in the wrong way, or I've broken something 
again.
Any pointers on the issue would be highly appreciated.

Regards,
  Z2L

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rml_perl question

2007-07-25 Thread FreeRadius-ML
Thanks, that makes everything much clearer now :-)

Cheers,
  Z2L

- Original Message -
From: "Peter Nixon" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Sent: Wednesday, July 25, 2007 6:17:14 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Wed 25 Jul 2007, FreeRadius-ML wrote:
> Hi Peter,
>
>   Thanks, that was the missing part for me - I think. Just let me verify
> that I got you correctly:
>
>   1. My OpenSER will send a request to FreeRadius including the full
> digest information. 
> 2. Once the request is intercepted by FreeRadius, my 
> rlm_perl will simply need to ask the TCP server for the password of the
> user.

yes.

>   3. Once that password had been retrieved, I'll simply set the
> RAD_REPLY{'Cleartext-Password'} to the password that was retrieved from the
> TCP server.

No. It needs to be RAD_CHECK{'Cleartext-Password'}

>   4. Once the rlm_perl script returns with the OK setting, the rest will
> be handled by the digest module.

Yes. That's what we have been telling you :-)

>   Have I got it right this time? sorry for being a bit of a pain.

With the exception of Cleartext-Password being a CHECK item and not a REPLY 
item, yes, you are correct.


-- 

Peter Nixon
http://peternixon.net/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rml_perl question

2007-07-25 Thread FreeRadius-ML
Hi Peter,

  Thanks, that was the missing part for me - I think. Just let me verify that I 
got you correctly: 

  1. My OpenSER will send a request to FreeRadius including the full digest 
information.
  2. Once the request is intercepted by FreeRadius, my rlm_perl will simply 
need to ask the
 TCP server for the password of the user.
  3. Once that password had been retrieved, I'll simply set the 
RAD_REPLY{'Cleartext-Password'} 
 to the password that was retrieved from the TCP server.
  4. Once the rlm_perl script returns with the OK setting, the rest will be 
handled by the
 digest module.

  Have I got it right this time? sorry for being a bit of a pain.

Z2L

- Original Message -
From: "Peter Nixon" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Sent: Wednesday, July 25, 2007 5:05:02 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

Several people have already told you this, but I am going to have another go 
at it.

You want to do Digest Authentication. That's great. FreeRADIUS knows how to do 
it. All you have to do is supply the Cleartext-Password.

You tell us that you have some proprietary system which holds your passwords 
that you need to access over a TCP socket. Great. Feel free to do so.

Basically you need to:
a) Have the digest module enabled in the _authorize_ AND _authenticate_ 
sections of radiusd.conf
b) Get the password from your backend using perl and return it to FreeRADIUS 
in the _authorize_ section as:
  Cleartext-Password := "yoursupersecretpassword"

This is ALL you should have to do! Do not do anything else! Please. Just 
don't!

Cheers

Peter

On Wed 25 Jul 2007, FreeRadius-ML wrote:
> Ok,
>
>   What I'm trying to do is have FreeRadius perform its AAA functions against
> a PERL based backend, which reads the user information from a proprietary
> system - via a TCP interface.
>
>   The authorization section and the authenticate section both have PERL
> enabled in them.
>
> (I removed the remarks for easier reading) - the first digest is
> commented, but right after perl there is another one.
> -- SNIP 
> authorize {
> preprocess
> auth_log
> #   attr_filter
> #   chap
> #   mschap
> #   digest
> #   IPASS
> #   suffix
> #   ntdomain
> #   eap
> #   files
> digest
> perl
> #   sql
> #   etc_smbpasswd
> #   ldap
> #   daily
> #   checkval
> #   pap
> }
> ---
> You are correct in regards to the authentication section (see below), I
> missed that one: - SNIP 
> authenticate {
> #   Auth-Type PAP {
> #
> #   pap
> #
> #   }
> #   Auth-Type CHAP {
> #
> #   chap
> #
> #   }
> #   Auth-Type MS-CHAP {
> #
> #   mschap
> #
> #   }
> #   digest
> #   pam
> unix
> #   Auth-Type LDAP {
> #
> #   ldap
> #
> #   }
> #   eap
> perl
> }
> ---
>
> I may be going about it all wrong, which I'm not ruling out. If you have
> something specific to point me at, please do.
>
> Regards,
>  Z2L
> - Original Message -
> From: "A L M Buxey" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], "FreeRadius users mailing list"
>  Sent: Wednesday, July 25, 2007
> 2:12:55 PM (GMT+0200) Asia/Jerusalem Subject: Re: rml_perl question
>
> Hi,
>
> you don't have perl enabled in the authorise section of your config...you
> don't have digest enabled in your authorise or authenticate sections
> either.  what are you trying to achieve?


-- 

Peter Nixon
http://peternixon.net/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
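
Peter's advice is all the configuration needs, but it helps to see what rlm_digest does with the password once authorize has supplied it, because that explains both the "User-Password or Digest-HA1 is required" error seen earlier in this thread and why a backend may store HA1 instead of the cleartext. The following is an added example, not code from this thread or from FreeRADIUS: it decodes the Digest-Attributes sub-TLVs exactly as they appear in the rad_recv dump posted later in this thread (type byte, length byte, value; sub-attribute numbers as in the FreeRADIUS digest dictionary) and recomputes the RFC 2617 request-digest. The password "s3cret" is constructed, since the real one is not in the thread; the verify() function's error message mirrors the module's condition but is this example's own.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Sub-attribute numbering of Digest-Attributes as in the FreeRADIUS digest
# dictionary; the rad_recv dump in this thread uses the same TLV layout.
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

# Copied from the rad_recv dump in this thread (request 3).
# Per sub-attribute: type (1 byte), length (1 byte, includes the header), value.
LOGGED_DIGEST_ATTRIBUTES: List[str] = [
    "0x0a05313031",
    "0x010e3139322e3136382e322e3830",
    "0x022a34363966346236616264653232346338613638653136613561373935323739366466303763633861",
    "0x04127369703a3139322e3136382e322e3830",
    "0x030a5245474953544552",
]

def parse_digest_attributes(hexvalues: List[str]) -> Dict[str, str]:
    """Decode the Digest-Attributes AVPs into a name -> value map."""
    out: Dict[str, str] = {}
    for h in hexvalues:
        raw = bytes.fromhex(h[2:] if h.startswith("0x") else h)
        pos = 0
        while pos < len(raw):              # one AVP may carry several sub-TLVs
            if pos + 2 > len(raw):
                raise ValueError("truncated Digest-Attributes TLV")
            t, length = raw[pos], raw[pos + 1]
            if length < 2 or pos + length > len(raw):
                raise ValueError("malformed Digest-Attributes TLV")
            out[SUBTYPES.get(t, f"Unknown-{t}")] = raw[pos + 2:pos + length].decode("ascii")
            pos += length
    return out

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    """What a backend may store instead of the cleartext: MD5(user:realm:password)."""
    return md5hex(f"{user}:{realm}:{password}")

def expected_response(attrs: Dict[str, str], ha1: str) -> str:
    """RFC 2617 request-digest, with and without qop=auth."""
    ha2 = md5hex(f"{attrs['Method']}:{attrs['URI']}")
    qop = attrs.get("QOP")
    if qop:
        return md5hex(f"{ha1}:{attrs['Nonce']}:{attrs['Nonce-Count']}:"
                      f"{attrs['CNonce']}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{attrs['Nonce']}:{ha2}")

def verify(attrs: Dict[str, str], digest_response: str, *,
           cleartext_password: Optional[str] = None,
           ha1: Optional[str] = None) -> bool:
    """Check Digest-Response. Needs either the cleartext password or HA1,
    which is the condition behind rlm_digest returning 'invalid'."""
    if ha1 is None:
        if cleartext_password is None:
            raise ValueError("Cleartext-Password or Digest-HA1 is required")
        ha1 = digest_ha1(attrs["User-Name"], attrs["Realm"], cleartext_password)
    # Constant-time compare: the response is an authenticator, not a public value.
    return hmac.compare_digest(expected_response(attrs, ha1), digest_response.lower())

if __name__ == "__main__":
    attrs = parse_digest_attributes(LOGGED_DIGEST_ATTRIBUTES)
    print(attrs)
    ha1 = digest_ha1("101", "192.168.2.80", "s3cret")      # constructed password
    resp = expected_response(attrs, ha1)
    print("with cleartext:", verify(attrs, resp, cleartext_password="s3cret"))
    print("with HA1 only: ", verify(attrs, resp, ha1=ha1))
    print("wrong password:", verify(attrs, resp, cleartext_password="wrong"))
```

Storing HA1 rather than Cleartext-Password keeps the cleartext out of the backend, but HA1 is still a password-equivalent for that user and realm and must be protected like one; what it buys is that the stored value cannot be replayed against a different realm string.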


Re: rml_perl question

2007-07-25 Thread FreeRadius-ML
Ok,

  What I'm trying to do is have FreeRadius perform its AAA functions against a 
PERL based
backend, which reads the user information from a proprietary system - via a TCP 
interface.

  The authorization section and the authenticate section both have PERL enabled 
in them.

(I removed the remarks for easier reading) - the first digest is commented, but 
right after
perl there is another one.
-- SNIP 
authorize {
preprocess
auth_log
#   attr_filter
#   chap
#   mschap
#   digest
#   IPASS
#   suffix
#   ntdomain
#   eap
#   files
digest
perl
#   sql
#   etc_smbpasswd
#   ldap
#   daily
#   checkval
#   pap
}
---
You are correct in regards to the authentication section (see below), I missed 
that one:
- SNIP 
authenticate {
#   Auth-Type PAP {
#
#   pap
#
#   }
#   Auth-Type CHAP {
#
#   chap
#
#   }
#   Auth-Type MS-CHAP {
#
#   mschap
#
#   }
#   digest
#   pam
unix
#   Auth-Type LDAP {
#
#   ldap
#
#   }
#   eap
perl
}
---

I may be going about it all wrong, which I'm not ruling out. If you have 
something specific
to point me at, please do.

Regards,
 Z2L
- Original Message -
From: "A L M Buxey" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Sent: Wednesday, July 25, 2007 2:12:55 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

Hi,

you don't have perl enabled in the authorise section of your config...you
don't have digest enabled in your authorise or authenticate sections
either.  what are you trying to achieve?

alan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rml_perl question

2007-07-25 Thread FreeRadius-ML
Hi Alan,

  Of course I updated the PERL script. I simply modified the debug function to 
be:

sub log_request_attributes {
   # This shouldn't be done in production environments!
   # This is only meant for debugging!
   for (keys %RAD_REQUEST) {
   &radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");
   }
   for (keys %RAD_CHECK) {
   &radiusd::radlog(1, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
   }
   for (keys %RAD_REPLY) {
   &radiusd::radlog(1, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
   }

}

  I hadn't set Auth-Type in radiusd.conf; according to the references I've received,
the only Auth-Type directive I've added is in the users.conf file. 

  Just for checking, I've removed the directive from the users.conf file, and 
now 
I'm getting the following in the debug:

rad_recv: Access-Request packet from host 192.168.2.80:43824, id=122, length=194
User-Name = "[EMAIL PROTECTED]"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 
0x022a3436613035303339383265646636633663306537373037353165383536346266646632346562
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "897c22eebf92577a23d3d2e91a360d67"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat:  
'/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070720'
rlm_detail: 
/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to 
/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070720
  modcall[authorize]: module "auth_log" returns ok for request 8
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 8
perl_pool: item 0xa587328 asigned new request. Handled so far: 1
found interpetator at address 0xa587328
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 897c22eebf92577a23d3d2e91a360d67
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0xa64592c)
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0xa587328
  modcall[authorize]: module "perl" returns ok for request 8
modcall: leaving group authorize (returns ok) for request 8
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/] (from client 
192.168.2.80 port 5060)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Cleaning up request 7 ID 121 with timestamp 46a03e12

  As a reference, I'm uploading my configuration files to pastebin.com, 
according to the following:

radiusd.conf - http://pastebin.com/f31b5226b
rlm_perl.pl  - http://pastebin.com/f15f198ca
users.conf   - Everything is commented in, which means basically an empty file

  Alan, I'm asking these questions as I want to understand the possibilities and
the various options that exist. I'm fully aware of the configuration of Digest 
and 
how to make digest work with a MySQL backend, that worked without a problem and 
I 
was able to understand how to start playing around with it to make do what I 
want
it to do. 

  My only problem here is that I'm now playing around with rlm_perl, which 
appears to
be a bit more complex in the way it does things. For example, I've looked into 
the 
documentation, I hadn't seen any document explaining the information transfer 
between
the rlm_perl script and the digest mechanism. The documentation describes how 
to work
with rlm_perl, how to write your own script and so on. But that little piece of
information is missing from it. The general information in the documentation is 
much
better than in most OSS projects I know, however, the lack of examples and the 
fact
that most people tend to work with some form of SQL/LDAP backend, makes any 
other 
usage beyond that a bit more complicated for the novice FreeRadius user.

  Alan, just to make something clear, I think FreeRadius is a wonderful tool. 
I've used
it in conjunction with GnuGK to build a multi-million minute H323 routing 
switch back in
2003, which is still working till today (switching over 25 million minutes a 
month). I

Re: rml_perl question

2007-07-24 Thread FreeRadius-ML
Hi Alan,

  Yes, that was the initial idea. However, $RAD_CHECK{User-Password}, at least 
according to 
my log file doesn't exist:

rad_recv: Access-Request packet from host 192.168.2.80:36905, id=35, length=194
User-Name = "[EMAIL PROTECTED]"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 
0x022a34363966346236616264653232346338613638653136613561373935323739366466303763633861
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "08c1ee69ba91e6c3ef604a6173e2dfa2"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat:  
'/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070719'
rlm_detail: 
/usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to 
/usr/local/freeradius/var/log/radius/radacct/192.168.2.80/auth-detail-20070719
  modcall[authorize]: module "auth_log" returns ok for request 3
users: Matched entry DEFAULT at line 51
  modcall[authorize]: module "files" returns ok for request 3
  modcall[authorize]: module "digest" returns ok for request 3
perl_pool: item 0x94fefb0 asigned new request. Handled so far: 1
found interpetator at address 0x94fefb0
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 08c1ee69ba91e6c3ef604a6173e2dfa2
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x95bd5c0)
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: Added pair Auth-Type = perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x94fefb0
  modcall[authorize]: module "perl" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type Perl
auth: type "perl"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
perl_pool: item 0x95fede0 asigned new request. Handled so far: 1
found interpetator at address 0x95fede0
rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: Digest-Response = 08c1ee69ba91e6c3ef604a6173e2dfa2
rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.2.80
rlm_perl: RAD_REQUEST: NAS-Port = 5060
rlm_perl: RAD_REQUEST: Sip-Uri-User = 101
rlm_perl: RAD_REQUEST: Digest-Attributes = ARRAY(0x96bd3f0)
rlm_perl: RAD_CHECK: Auth-Type = perl
rlm_perl: Added pair Auth-Type = perl
perl_pool total/active/spare [32/0/32]
Unreserve perl at address 0x95fede0
  modcall[authenticate]: module "perl" returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Login OK: [EMAIL PROTECTED]/] (from client 
192.168.2.80 port 5060)
Sending Access-Accept of id 35 to 192.168.2.80 port 36905
Finished request 3
Going to the next request


  Apparently, the only thing that RAD_CHECK has inside is Auth-Type.

Regards,
  Z2L

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Sent: Tuesday, July 24, 2007 5:47:36 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

FreeRadius-ML wrote:
>   Now I understand you better, and I agree, that would constitute a much more
> scalable method. In that case, I return to my previous question, do you have a
> working rlm_perl script that does this, as I would like to see how this works.

  If you can write Perl code to get the clear-text password from the TCP
server, then it's trivial.

  1) get the password from the TCP server

  2) $RAD_CHECK{User-Password} = "password"

  The whole *point* of the server design is to make everything as
trivial as possible.  As I've said before, tell the server what the
clear text password is, and the server will figure out the rest.
Re-implementing any authentication protocol that is already in
FreeRADIUS is pointless and a waste of time.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rml_perl question

2007-07-24 Thread FreeRadius-ML
Ok,

  Now I understand you better, and I agree, that would constitute a much more
scalable method. In that case, I return to my previous question, do you have a
working rlm_perl script that does this, as I would like to see how this works.

  You'll have to excuse me, this is still a little new to me.

Regards,
  Z2L

- Original Message -
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Tuesday, July 24, 2007 4:49:23 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Tue, 2007-07-24 at 14:29 +0300, FreeRadius-ML wrote:
> Ok,
> 
>   I think there is a misunderstanding here. Here's my target:
> 
> OpenSER -> FreeRadius -- rlm_perl --> TCP Server
> 
>   Now, if I understand correctly, in order to validate that a SIP register
> coming in from the OpenSER is a valid username/password combo, I'm required
> to calculate the Digest on the TCP Server, and verify it against the digest

No, I understand what you're trying to do. I'm telling you you're doing
it the wrong way. You are welcome to disagree with my opinion, but there
it is.

> that is calculated at the OpenSER, and that is being done using the 
> AVP information that is passed to the FreeRadius server, and the password
> that is stored at the remote TCP Server. 

Why can't you just have the TCP server pass the HA1 value back to the
Radius server on request, and have the Radius server (which already has
a proven, tested, high-performance digest implementation) do it?

In any event - if you are adamant that the entire digest auth needs to
take place inside the TCP server, then you will need to re-implement the
digest authentication algorithm, and that's not a Radius question.

You should re-read the RFC, and possibly look at the source for
rlm_digest, but this isn't really an appropriate forum to learn how the
digest algo works.



Re: rml_perl question

2007-07-24 Thread FreeRadius-ML
Ok,

  I think there is a misunderstanding here. Here's my target:

OpenSER -> FreeRadius -- rlm_perl --> TCP Server

  Now, if I understand correctly, in order to validate that a SIP register
coming in from the OpenSER is a valid username/password combo, I'm required
to calculate the Digest on the TCP Server, and verify it against the digest
that is calculated at the OpenSER, and that is being done using the
AVP information that is passed to the FreeRadius server, and the password
that is stored at the remote TCP Server.

  Tell me if I have something backwards here?

Z2L  

- Original Message -
From: "FreeRadius-ML" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Tuesday, July 24, 2007 2:10:49 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

Ok,

  That makes more sense, do you have an example I can look at? 

  In any case, let me see if I understand the below:

  I see that we perform 3 MD5 sums, each time on a different concatenated
string. The fields that I'm not recognizing are nc-val and entity-body. Can
you please add information about these, as I would like to get more information
on this, as there may be a possibility that I would be required to calculate
this externally.

Regards,
  Z2L
- Original Message -
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Tuesday, July 24, 2007 2:00:33 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Tue, 2007-07-24 at 11:43 +0300, FreeRadius-ML wrote:
> Hi Peter,
> 
>   Well, according to the RFC, the string should be:
> username:realm:password and then into the md5sum.

No, the digest response is:

md5 (
  concat (
md5 ( user:realm:passwd )
nonce:nc-val:cnonce:qop:md5(method:uri[:entity-body])
  )
)

 

>   So, I did the following: echo '[EMAIL PROTECTED]:192.168.2.80:101' | 
> md5sum, which generated
> the following output: ec6cec8f0b5904ba56401b1e305638b5.

*Even* if that were how it worked, you've md5'ed the "\n" that echo will
echo.

In any event, you're going about this totally wrong. FreeRadius has a
digest auth module; you should be extracting the credentials from your
database and letting FreeRadius do the auth algorithm.



Re: rml_perl question

2007-07-24 Thread FreeRadius-ML
Hi Phil,
  
  I would agree, however, it kind of negates the purpose of using rlm_perl,
doesn't it?

Z2L

- Original Message -
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Sent: Tuesday, July 24, 2007 2:07:11 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Tue, 2007-07-24 at 13:54 +0300, FreeRadius-ML wrote:
> Ok,
> 
>   It would appear that I'm a little silly, due to the way FreeRadius logs the
> information on the console. I've been debugging the information that I get,
> and I can see that the Digest-Attributes actually contain the information,
> in accordance with the following:
> 
>   The first Digest Attribute is the User-Name, 
>   The second Digest Attribute is the Realm,
>   The third Digest Attribute is the nonce,
>   The fourth Digest Attribute is the uri,
>   The fifth Digest Attribute is the SIP-METHOD request.
> 
>   I didn't realize this in the beginning, as it was all HEX dumped, so I
> couldn't see that I'm actually looking at the information.
> 
>   Now, my question is this: what is the formula to calculate the digest from
> all of the above information? I've tried backtracking the code, but ended up
> with a slight headache. If anyone has information, that would be highly
> appreciated.

The "formula" is to do this:

authorize {
  preprocess
  digest
  files
}
authenticate {
  Auth-Type DIGEST {
digest
  }
}

HA1="0x`echo -n user:example.com:foobar | md5sum | cut -d ' ' -f 1`"

in users:

foo Digest-HA1 := 0xd07911de2b6cfea295166b56e8cecfa2

or better yet:

foo Cleartext-Password := "foobar"

...and FreeRadius should just work.

> 
> Regards,
>   Z2L
> 
> - Original Message -
> From: "FreeRadius-ML" <[EMAIL PROTECTED]>
> To: "freeradius-users" 
> Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
> 
> Ok,
> 
>   I think I'm getting somewhere on this. After running wireshark and
> capturing the traffic, I actually realized that the
> Authentication/Authorization headers consist of a random hash that is
> identified by the nonce number. Following is an example:
> 
> Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5, 
> uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682", 
> response="1efb1851e1e96ce6855bf406735af4b6"
> 
>   Now, if I understand correctly, the digest will be calculated from the
> combination of the username, uri and nonce. Problem is, it would appear that
> I'm unable to access the nonce field from rlm_perl, unless I'm missing
> something.
> 
> Regards,
>   Z2L
> 
> - Original Message -
> From: "FreeRadius-ML" <[EMAIL PROTECTED]>
> To: "freeradius-users" 
> Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem
> Subject: Re: rml_perl question
> 
> Hi Peter,
> 
>   Well, according to the RFC, the string should be:
> username:realm:password and then into the md5sum.
> 
>   Now, according to my logs, I can see the following:
> 
> Packet-Type = Access-Request
> Thu Jul 19 09:37:23 2007
> User-Name = "[EMAIL PROTECTED]"
> Digest-Attributes = 0x0a05313031
> Digest-Attributes = 0x010e3139322e3136382e322e3830
> Digest-Attributes = 
> 0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733
> Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
> Digest-Attributes = 0x030a5245474953544552
> Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b"
> Service-Type = IAPP-Register
> Sip-Uri-User = "101"
> NAS-Port = 5060
> NAS-IP-Address = 192.168.2.80
> Client-IP-Address = 192.168.2.80
> 
>   Now, the password for that user is 101.
> 
>   So, I did the following: echo '[EMAIL PROTECTED]:192.168.2.80:101' | 
> md5sum, which generated
> the following output: ec6cec8f0b5904ba56401b1e305638b5.
> 
>   Now, examining the log file shows that a few minutes before that, the 
> Access-Request looks
> like this:
> 
> Packet-Type = Access-Request
> Thu Jul 19 09:29:54 2007
> User-Name = "[EMAIL PROTECTED]"
> Digest-Attributes = 0x0a05313031
> Digest-Attributes = 0x010e3139322e3136382e322e3830
> Digest-Attributes = 
> 0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632
> Digest-Attributes = 0x04127369

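To see how the Digest-Attributes dumps and the formula above fit together, here is an added example (not code from this thread or from FreeRADIUS) that decodes the five TLVs from the logged Access-Request and then computes the RFC 2617 response the way rlm_digest would, starting from the HA1 that a Digest-HA1 entry in users stores. It is written in Python rather than as an rlm_perl script so it runs stand-alone; the sub-type numbering, the password "101" and the no-qop branch are assumptions taken from the thread.

```python
import hashlib
import hmac

# Digest-Attributes sub-type codes as rlm_digest decodes them (RFC 4590 numbering,
# assumed here). The page's dumps carry 10 (User-Name), 1 (Realm), 2 (Nonce),
# 4 (URI) and 3 (Method), in that order.
DIGEST_SUBTYPES = {
    1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP", 6: "Algorithm",
    7: "Body-Digest", 8: "CNonce", 9: "Nonce-Count", 10: "User-Name",
}

# The five Digest-Attributes values copied from the Access-Request logged above:
# one sub-type byte, one total-length byte, then the ASCII data.
SAMPLE_DIGEST_ATTRIBUTES = [
    "0x0a05313031",
    "0x010e3139322e3136382e322e3830",
    "0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733",
    "0x04127369703a3139322e3136382e322e3830",
    "0x030a5245474953544552",
]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def parse_digest_attribute(hex_value: str):
    """Decode one Digest-Attributes TLV into (attribute name, text value)."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    # The length byte counts the whole TLV, its two header bytes included.
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError("malformed Digest-Attributes TLV: %s" % hex_value)
    name = DIGEST_SUBTYPES.get(raw[0], "Unknown-%d" % raw[0])
    return name, raw[2:].decode("ascii")


def parse_digest_attributes(hex_values):
    return dict(parse_digest_attribute(v) for v in hex_values)


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = md5(user:realm:password), the value a Digest-HA1 entry in users holds.
    user and realm are the Digest ones ("101", "192.168.2.80"), not the RADIUS
    User-Name shown in the packet dump."""
    return md5_hex("%s:%s:%s" % (user, realm, password))


def digest_response(ha1: str, attrs: dict) -> str:
    """RFC 2617 response; the nonce:nc:cnonce:qop form is the one quoted above."""
    ha2_input = "%s:%s" % (attrs["Method"], attrs["URI"])
    if attrs.get("QOP") == "auth-int":          # the optional entity-body term
        ha2_input += ":" + attrs["Body-Digest"]
    ha2 = md5_hex(ha2_input)
    if attrs.get("QOP"):
        return md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, attrs["Nonce"], attrs["Nonce-Count"],
                                              attrs["CNonce"], attrs["QOP"], ha2))
    # The logged REGISTER carries no qop, so the plain RFC 2069 form applies.
    return md5_hex("%s:%s:%s" % (ha1, attrs["Nonce"], ha2))


def verify_digest(ha1: str, attrs: dict, presented_response: str) -> bool:
    """Constant-time comparison against the Digest-Response the NAS sent."""
    return hmac.compare_digest(digest_response(ha1, attrs), presented_response.lower())
```

Because HA1 is all the server needs, the TCP backend in the thread only has to hand back HA1 (or the cleartext password) and rlm_digest does the rest; the script never has to re-derive the nonce handling itself.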
Re: rml_perl question

2007-07-24 Thread FreeRadius-ML
Ok,

  That makes more sense, do you have an example I can look at? 

  In any case, let me see if I understand the below:

  I see that we perform 3 MD5 sums, each time on a different concatenated
string. The fields that I'm not recognizing are nc-val and entity-body. Can
you please add information about these, as I would like to get more information
on this, as there may be a possibility that I would be required to calculate
this externally.

Regards,
  Z2L
- Original Message -
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Tuesday, July 24, 2007 2:00:33 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Tue, 2007-07-24 at 11:43 +0300, FreeRadius-ML wrote:
> Hi Peter,
> 
>   Well, according to the RFC, the string should be:
> username:realm:password and then into the md5sum.

No, the digest response is:

md5 (
  concat (
md5 ( user:realm:passwd )
nonce:nc-val:cnonce:qop:md5(method:uri[:entity-body])
  )
)

 

>   So, I did the following: echo '[EMAIL PROTECTED]:192.168.2.80:101' | 
> md5sum, which generated
> the following output: ec6cec8f0b5904ba56401b1e305638b5.

*Even* if that were how it worked, you've md5'ed the "\n" that echo will
echo.

In any event, you're going about this totally wrong. FreeRadius has a
digest auth module; you should be extracting the credentials from your
database and letting FreeRadius do the auth algorithm.



Re: rml_perl question

2007-07-24 Thread FreeRadius-ML
Ok,

  It would appear that I'm a little silly, due to the way FreeRadius logs the
information on the console. I've been debugging the information that I get,
and I can see that the Digest-Attributes actually contain the information,
in accordance with the following:

  The first Digest Attribute is the User-Name, 
  The second Digest Attribute is the Realm,
  The third Digest Attribute is the nonce,
  The fourth Digest Attribute is the uri,
  The fifth Digest Attribute is the SIP-METHOD request.

  I didn't realize this in the beginning, as it was all HEX dumped, so I
couldn't see that I'm actually looking at the information.

  Now, my question is this: what is the formula to calculate the digest from
all of the above information? I've tried backtracking the code, but ended up
with a slight headache. If anyone has information, that would be highly
appreciated.

Regards,
  Z2L

- Original Message -
From: "FreeRadius-ML" <[EMAIL PROTECTED]>
To: "freeradius-users" 
Sent: Tuesday, July 24, 2007 1:07:01 PM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

Ok,

  I think I'm getting somewhere on this. After running wireshark and capturing
the traffic, I actually realized that the Authentication/Authorization headers
consist of a random hash that is identified by the nonce number. Following is
an example:

Authorization: Digest username="101", realm="192.168.2.80", algorithm=MD5, 
uri="sip:192.168.2.80", nonce="469f2996b4bb829917c6d5d7c3c50bed9da77682", 
response="1efb1851e1e96ce6855bf406735af4b6"

  Now, if I understand correctly, the digest will be calculated from the
combination of the username, uri and nonce. Problem is, it would appear that
I'm unable to access the nonce field from rlm_perl, unless I'm missing
something.

Regards,
  Z2L

- Original Message -
From: "FreeRadius-ML" <[EMAIL PROTECTED]>
To: "freeradius-users" 
Sent: Tuesday, July 24, 2007 11:43:19 AM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

Hi Peter,

  Well, according to the RFC, the string should be:
username:realm:password and then into the md5sum.

  Now, according to my logs, I can see the following:

Packet-Type = Access-Request
Thu Jul 19 09:37:23 2007
User-Name = "[EMAIL PROTECTED]"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 
0x022a34363966313930646437336461386462323964356231306236373262646532633262623030353733
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "80d23e66bd4d667eb445c89b74ff7a6b"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Client-IP-Address = 192.168.2.80

  Now, the password for that user is 101.

  So, I did the following: echo '[EMAIL PROTECTED]:192.168.2.80:101' | md5sum,
which generated the following output: ec6cec8f0b5904ba56401b1e305638b5.

  Now, examining the log file shows that a few minutes before that, the
Access-Request looks like this:

Packet-Type = Access-Request
Thu Jul 19 09:29:54 2007
User-Name = "[EMAIL PROTECTED]"
Digest-Attributes = 0x0a05313031
Digest-Attributes = 0x010e3139322e3136382e322e3830
Digest-Attributes = 
0x022a34363966313734623339623735663735363137326635613334646135666437393766353563353632
Digest-Attributes = 0x04127369703a3139322e3136382e322e3830
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "a15ff7de436bada1093be663290f8ad8"
Service-Type = IAPP-Register
Sip-Uri-User = "101"
NAS-Port = 5060
NAS-IP-Address = 192.168.2.80
Client-IP-Address = 192.168.2.80

  As you can see, the Digest here is different, so I'm surely missing something
here.

Regards,
  Z2L


- Original Message -
From: "Peter Nixon" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], "FreeRadius users mailing list" 

Sent: Tuesday, July 24, 2007 11:30:25 AM (GMT+0200) Asia/Jerusalem
Subject: Re: rml_perl question

On Tue 24 Jul 2007, FreeRadius-ML wrote:
> Thanks, that helps a bunch.
>
> Another question, may be non related. Anyone has an idea how does OpenSER
> and FreeRadius calculate the Digest response for rlm_digest?
>
> According to the output of my rlm_perl RAD_REQUEST, I'm getting the
> following request from the OpenSER server:
>
> rlm_perl: RAD_REQUEST: Client-IP-Address = 192.168.2.80
> rlm_perl: RAD_REQUEST: Digest-Response = 80d23e66bd4d667eb445c89b74ff7a6b
> rlm_perl: RAD_REQUEST: User-Name = [EMAIL PROTECTED]
> rlm_perl: RAD_REQUEST: Service-Type = IAPP-Register
> rlm_perl: RAD_REQU
