upgrade path to v1.1.1

2006-03-27 Thread jck-freeradius
I am running a version of FreeRadius 1.0.0.  Is there a patch path
to upgrade to v1.1.1?  Or must I rebuild completely from source?

--johnk 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 1.0.4 and Cisco WLSE

2005-08-19 Thread jck-freeradius
On Thu, Aug 11, 2005 at 07:02:19PM -0400, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > I am trying to speak between my Freeradius server and a Cisco WLSE.
> > I am seeing EAP timeouts while WLSE is trying to authenticate
> > through Freeradius.
> 
>   Short summary: the supplicant is broken.
> 
> > Sending Access-Challenge of id 3 to 192.168.254.10:32815
> > EAP-Message = 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374
> > Message-Authenticator = 0x
> > State = 0x8c90735921dd51b22bc8ef97379845b8
> ...
> > rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125
> > User-Name = wlseacct
> > NAS-IP-Address = 192.168.254.10
> > Called-Station-Id = ABBAABBAABBA
> > Calling-Station-Id = ABBAABBAABBA
> > NAS-Identifier = Cisco Secure II
> > NAS-Port = 29
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-802.11
> > EAP-Message = 0x020300060311
> > Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
> 
>   The client is sending a NACK, and asking for another EAP type.  But
> it's changing the EAP ID in a broken way, which means that the AP
> doesn't add the State attribute from the previous challenge.
> 
>   In the last packet, FreeRADIUS is seeing the middle of a
> conversation, without any way to know what the conversation was about.
> 
>   The supplicant is broken.  Use another one.

I am stuck using WLSE.  Are there plans for an official fix in Freeradius,
to work with whatever is broken in WLSE?  Cisco APs are only good if you have
decent management.

--johnk
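The two intact EAP-Message values from the debug output quoted above, decoded by an added Python example that is not from the thread and not FreeRADIUS code: it parses the EAP header and the EAP-MSCHAPv2 challenge, then flags the two things Alan points at, the id that jumps from 1 in the Request to 3 in the Response, and the State attribute the second Access-Request no longer carries. The Identity response is left out because its hex is truncated in the archive. The `diagnose` helper and its `response_has_state` flag are this example's own names, and the "good" response in the usage section is a constructed value.

```python
import struct

# EAP codes and the EAP method types that matter in this thread (RFC 3748 registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# The two intact EAP-Message values from the radiusd debug output in the post.
CHALLENGE = "0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374"
NAK = "0x020300060311"


def parse_eap(hex_value: str) -> dict:
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "?"), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:          # only Request/Response carry a Type byte
        eap_type = raw[4]
        pkt["type"] = eap_type
        pkt["type_name"] = EAP_TYPES.get(eap_type, "?")
        if eap_type == 3:                           # Nak: the rest lists the types the peer wants
            pkt["nak_desired"] = list(raw[5:])
        elif eap_type == 26 and len(raw) >= 9:      # EAP-MSCHAPv2: opcode, ms-id, ms-length
            opcode, ms_id, ms_len = struct.unpack("!BBH", raw[5:9])
            ms = {"opcode": opcode, "opcode_name": MSCHAPV2_OPCODES.get(opcode, "?"),
                  "id": ms_id, "length": ms_len}
            if opcode == 1 and len(raw) >= 10:      # Challenge: value-size, challenge, server name
                value_size = raw[9]
                ms["challenge"] = raw[10:10 + value_size].hex()
                ms["name"] = raw[10 + value_size:].decode("ascii", errors="replace")
            pkt["mschapv2"] = ms
    return pkt


def diagnose(request_hex: str, response_hex: str, response_has_state: bool) -> list:
    """Compare the EAP Request sent in an Access-Challenge with the EAP Response in
    the next Access-Request; returns (tag, message) findings, empty when all is well."""
    req, resp = parse_eap(request_hex), parse_eap(response_hex)
    findings = []
    if req["code"] != 1 or resp["code"] != 2:
        findings.append(("codes", f"expected Request then Response, got "
                                  f"{req['code_name']} then {resp['code_name']}"))
    if resp["id"] != req["id"]:  # RFC 3748: a Response must carry the id of the Request it answers
        findings.append(("id-mismatch", f"client changed the EAP id: request id {req['id']}, "
                                        f"response id {resp['id']}; the server cannot tie this "
                                        f"to the pending conversation"))
    if not response_has_state:
        findings.append(("missing-state", "State from the Access-Challenge was not echoed back, "
                                          "so the server sees the middle of a conversation"))
    if resp.get("type") == 3:
        wanted = [EAP_TYPES.get(t, str(t)) for t in resp["nak_desired"]]
        findings.append(("nak", f"client refused {req.get('type_name')} and asked for {wanted}"))
    return findings


if __name__ == "__main__":
    for name, value in (("challenge", CHALLENGE), ("nak", NAK)):
        print(name, parse_eap(value))
    for tag, msg in diagnose(CHALLENGE, NAK, response_has_state=False):
        print(f"[{tag}] {msg}")
    # Constructed: the same Nak with the id left at 1 and State echoed; only the Nak remains.
    print(diagnose(CHALLENGE, "0x020100060311", response_has_state=True))
```

Decoded, the challenge is EAP Request id 1, length 34, type 26 (MS-CHAPv2) carrying opcode 1 (Challenge), a 16-byte challenge and the name `wlseacct`; the reply is EAP Response id 3, length 6, type 3 (Nak) asking for type 17 (LEAP). A Nak on its own is ordinary negotiation; the id change plus the missing State is what leaves the server with no conversation to attach the packet to, which is the timeout the WLSE sees.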


freeradius 1.0.4 and Cisco WLSE

2005-08-11 Thread jck-freeradius
I am trying to speak between my Freeradius server and a Cisco WLSE.  I am seeing
EAP timeouts while WLSE is trying to authenticate through Freeradius.

I have setup the AAA details (server,port,username,password,eap protocol) in
the WLSE, and enabled fault tracking, so that polling is able to take place.

The WDS Master router has no problems authenticating, it is the WLSE that
I am having problems getting authenticated.

AP-70#show wlccp wnm status
WNM IP Address : 192.168.254.5 Status : NOT AUTHENTICATED
AP-70#show wlccp wds 
  MAC: 0014.6a77.1604, IP-ADDR: 192.168.254.70 , Priority: 254
  Interface BVI1, State: Administratively StandAlone - ACTIVE
  AP Count: 43  , MN Count: 9   


==
The WLSE is speaking with freeradius:
(output from tcpdump)

17:40:36.415982 IP wlse.southwestern.edu.32815 > radius.southwestern.edu.radius: rad-access-req 132 [id 3] Attr[ User{wlseacct} NAS_ipaddr{wlse.southwestern.edu} Called_station{ABBAABBAABBA} [|radius]
17:40:36.422513 IP radius.southwestern.edu.radius > wlse.southwestern.edu.32815: rad-access-cha 92 [id 3] Attr[ [|radius]
17:40:36.423393 IP wlse.southwestern.edu.32815 > radius.southwestern.edu.radius: rad-access-req 125 [id 3] Attr[ User{wlseacct} NAS_ipaddr{wlse.southwestern.edu} Called_station{ABBAABBAABBA} [|radius]
17:40:42.433507 IP radius.southwestern.edu.radius > wlse.southwestern.edu.32815: rad-access-reject 20 [id 3]
==

== 
...and the output from Freeradius

rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=132
User-Name = wlseacct
NAS-IP-Address = 192.168.254.10
Called-Station-Id = ABBAABBAABBA
Calling-Station-Id = ABBAABBAABBA
NAS-Identifier = Cisco Secure II
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d01776c736561636374
Message-Authenticator = 0x586aa1b877caeafd3956095cf718be31
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 180
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 180
radius_xlat:  'wlseacct'
rlm_sql (sql): sql_set_user escaped user -- 'wlseacct'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'wlseacct' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'wlseacct' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'wlseacct' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'wlseacct' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 0
  modcall[authorize]: module sql returns ok for request 180
modcall: group authorize returns updated for request 180
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 180
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 180
modcall: group authenticate returns handled for request 180
Sending Access-Challenge of id 3 to 192.168.254.10:32815
EAP-Message = 
0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374
Message-Authenticator = 0x
State = 0x8c90735921dd51b22bc8ef97379845b8
Finished request 180
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125
User-Name = wlseacct
NAS-IP-Address = 192.168.254.10
Called-Station-Id = ABBAABBAABBA
Calling-Station-Id = ABBAABBAABBA
NAS-Identifier = Cisco Secure II
NAS-Port = 29
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060311
Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 181
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 181
radius_xlat:  'wlseacct'
rlm_sql (sql): sql_set_user escaped user -- 'wlseacct'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'wlseacct' ORDER BY id'
rlm_sql (sql): Reserving 

XP supplicant and Secure Certificate acceptance

2005-08-01 Thread jck-freeradius
I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
is after authenticating against FreeRadius, XP asks me to OK
the server certificate.

I do not want to manually validate the server certificate.  XP should be able
to validate the certificate by itself, as long as the cert has been issued by
a valid Certificate Authority.  I have tried using certs from DigiCert and
Verisign.

Does anyone else see this same problem?  How can this step be automated so that
my users are not required to make this additional click?

--johnk 


Problems with Simultaneous-Use

2005-08-01 Thread jck-freeradius
= This is a re-post.  I received no help from the previous posting =

Hello,

I am having problems with Simultaneous-Use and checkrad.  I know that
checkrad is not running because:

grep debug /usr/local/sbin/checkrad
#   Config: $debug is the file you want to put debug messages in
#$debug = "";
$debug  = "$logdir/checkrad.log";


and:

--
tail -F /var/log/radius/checkrad.log

Fri Jul 29 12:57:30 2005 checkrad 
Usage: checkrad nas_type nas_ip nas_port login session_id
--
(nothing new is showing up in the checkrad log file, except for when I
run it by hand)


I have both the Perl SNMP modules installed, along with NET-SNMP (and
the correct syntax for NET used in the checkrad script, even though
it should be using the perl modules first).

I am able to manually use snmpwalk /fine/.

Here is how my SQL table looks:

mysql> select * from radgroupcheck;
+----+------------+------------------+----+-------+
| id | GroupName  | Attribute        | op | Value |
+----+------------+------------------+----+-------+
|  1 | pirate     | Simultaneous-Use | := | 2     |
|  2 | pirate-stu | Simultaneous-Use | := | 2     |
|  3 | pirate-stf | Simultaneous-Use | := | 2     |
|  4 | pirate-fac | Simultaneous-Use | := | 2     |
|  5 | pirate-its | Simultaneous-Use | := | 1     |
+----+------------+------------------+----+-------+

Here are the related sections from my radiusd.conf file:

radutmp {
#  Where the file is stored.  It's not a log file,
#  so it doesn't need rotating.
#
filename = ${logdir}/radutmp

#  The field in the packet to key on for the
#  'user' name,  If you have other fields which you want
#  to use to key on to control Simultaneous-Use,
#  then you can use them here.
#
#  Note, however, that the size of the field in the
#  'utmp' data structure is small, around 32
#  characters, so that will limit the possible choices
#  of keys.
#
#  You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}


#  Whether or not we want to treat user the same
#  as USER, or User.  Some systems have problems
#  with case sensitivity, so this should be set to
#  'no' to enable the comparisons of the key attribute
#  to be case insensitive.
#
case_sensitive = yes

#  Accounting information may be lost, so the user MAY
#  have logged off of the NAS, but we haven't noticed.
#  If so, we can verify this information with the NAS,
#
#  If we want to believe the 'utmp' file, then this
#  configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

#   callerid = yes
}

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There is little we can do about it.
radutmp
#   sradutmp

#
#  Log traffic to an SQL database.
#
#  See Accounting queries in sql.conf
sql

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#radutmp

#
#  See Simultaneous Use Checking Querie in sql.conf
sql
}

And here is my sql.conf file:

# Simultaneous Use Checking Queries
###
# simul_count_query  - query for the number of current connections
#                    - If this is not defined, no simultaneous use checking
#                    - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
#                    - Leave blank or commented out to disable verification step
#                    - Note that the returned field order should not be changed.
###

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0
simul_verify_query = SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE 

Problems with Simultaneous-Use

2005-07-29 Thread jck-freeradius

Hello,

I am having problems with Simultaneous-Use and checkrad.  I know that
checkrad is not running because:

grep debug /usr/local/sbin/checkrad
#   Config: $debug is the file you want to put debug messages in
#$debug = "";
$debug  = "$logdir/checkrad.log";


and:

--
tail -F /var/log/radius/checkrad.log

Fri Jul 29 12:57:30 2005 checkrad 
Usage: checkrad nas_type nas_ip nas_port login session_id
--
(nothing new is showing up in the checkrad log file, except for when I
run it by hand)


I have both the Perl SNMP modules installed, along with NET-SNMP (and
the correct syntax for NET used in the checkrad script, even though
it should be using the perl modules first).

I am able to manually use snmpwalk /fine/.

Here is how my SQL table looks:

mysql> select * from radgroupcheck;
+----+------------+------------------+----+-------+
| id | GroupName  | Attribute        | op | Value |
+----+------------+------------------+----+-------+
|  1 | pirate     | Simultaneous-Use | := | 2     |
|  2 | pirate-stu | Simultaneous-Use | := | 2     |
|  3 | pirate-stf | Simultaneous-Use | := | 2     |
|  4 | pirate-fac | Simultaneous-Use | := | 2     |
|  5 | pirate-its | Simultaneous-Use | := | 1     |
+----+------------+------------------+----+-------+

Here are the related sections from my radiusd.conf file:

radutmp {
#  Where the file is stored.  It's not a log file,
#  so it doesn't need rotating.
#
filename = ${logdir}/radutmp

#  The field in the packet to key on for the
#  'user' name,  If you have other fields which you want
#  to use to key on to control Simultaneous-Use,
#  then you can use them here.
#
#  Note, however, that the size of the field in the
#  'utmp' data structure is small, around 32
#  characters, so that will limit the possible choices
#  of keys.
#
#  You may want instead: %{Stripped-User-Name:-%{User-Name}}
username = %{User-Name}


#  Whether or not we want to treat user the same
#  as USER, or User.  Some systems have problems
#  with case sensitivity, so this should be set to
#  'no' to enable the comparisons of the key attribute
#  to be case insensitive.
#
case_sensitive = yes

#  Accounting information may be lost, so the user MAY
#  have logged off of the NAS, but we haven't noticed.
#  If so, we can verify this information with the NAS,
#
#  If we want to believe the 'utmp' file, then this
#  configuration entry can be set to 'no'.
#
check_with_nas = yes

# Set the file permissions, as the contents of this file
# are usually private.
perm = 0600

#   callerid = yes
}

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There is little we can do about it.
radutmp
#   sradutmp

#
#  Log traffic to an SQL database.
#
#  See Accounting queries in sql.conf
sql

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#radutmp

#
#  See Simultaneous Use Checking Querie in sql.conf
sql
}

And here is my sql.conf file:

# Simultaneous Use Checking Queries
###
# simul_count_query  - query for the number of current connections
#                    - If this is not defined, no simultaneous use checking
#                    - will be performed by this module instance
# simul_verify_query - query to return details of current connections for verification
#                    - Leave blank or commented out to disable verification step
#                    - Note that the returned field order should not be changed.
###

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

Here is how my 
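What the session check configured in the two posts above actually decides, as an added Python example that is not from the posts and not rlm_sql's code, run against an in-memory SQLite copy of the tables. The radgroupcheck rows are the ones shown in the post; the usergroup and radacct rows are constructed, and `AcctStopTime` is stored as an integer that is 0 for an open session so the post's simul_count_query and simul_verify_query run unchanged. `check_simultaneous_use` and its `is_alive` callback are this example's own names; the callback stands in for the per-session NAS verification (checkrad) that the server only runs once the raw count has reached the limit, which is exactly the situation where a stale radacct row from a lost Stop record would otherwise lock a user out.

```python
import sqlite3

# Constructed schema and sample rows for this example (radgroupcheck rows copied
# from the post; usergroup and radacct rows invented; AcctStopTime 0 = still open).
SCHEMA = """
CREATE TABLE radgroupcheck (id INTEGER, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, UserName TEXT,
                      NASIPAddress TEXT, NASPortId TEXT, FramedIPAddress TEXT,
                      CallingStationId TEXT, FramedProtocol TEXT, AcctStopTime INTEGER);
"""
SAMPLE_ROWS = """
INSERT INTO radgroupcheck VALUES (1, 'pirate',     'Simultaneous-Use', ':=', '2');
INSERT INTO radgroupcheck VALUES (2, 'pirate-stu', 'Simultaneous-Use', ':=', '2');
INSERT INTO radgroupcheck VALUES (3, 'pirate-stf', 'Simultaneous-Use', ':=', '2');
INSERT INTO radgroupcheck VALUES (4, 'pirate-fac', 'Simultaneous-Use', ':=', '2');
INSERT INTO radgroupcheck VALUES (5, 'pirate-its', 'Simultaneous-Use', ':=', '1');
INSERT INTO usergroup VALUES ('johnk', 'pirate-its');
INSERT INTO usergroup VALUES ('testacct', 'pirate');
INSERT INTO radacct VALUES (1, 'A1', 'johnk',    '192.168.254.70', '1', '10.9.0.5', 'aabb.ccdd.0001', 'PPP', 0);
INSERT INTO radacct VALUES (2, 'A2', 'johnk',    '192.168.254.70', '2', '10.9.0.6', 'aabb.ccdd.0001', 'PPP', 1122220000);
INSERT INTO radacct VALUES (3, 'B1', 'testacct', '192.168.254.70', '3', '10.9.0.7', 'aabb.ccdd.0002', 'PPP', 0);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def simultaneous_use_limit(conn, username):
    """Group check items for the user, joined the way the authorize-phase
    radgroupcheck/usergroup query in the post does it."""
    row = conn.execute(
        "SELECT radgroupcheck.Value FROM radgroupcheck, usergroup "
        "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
        "AND radgroupcheck.Attribute = 'Simultaneous-Use' ORDER BY radgroupcheck.id",
        (username,)).fetchone()
    return int(row[0]) if row else None


def count_open_sessions(conn, username) -> int:
    """The post's simul_count_query with ${acct_table1} = radacct."""
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
                        (username,)).fetchone()[0]


def open_sessions(conn, username) -> list:
    """The post's simul_verify_query; the column order is what the server hands to checkrad."""
    return conn.execute(
        "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, "
        "CallingStationId, FramedProtocol FROM radacct WHERE UserName = ? AND AcctStopTime = 0",
        (username,)).fetchall()


def check_simultaneous_use(conn, username, is_alive=lambda session: True):
    """Return ("accept" | "reject", live_sessions, limit) for a new login attempt.
    `is_alive` is this example's stand-in for the NAS check; the default trusts
    the accounting table, as the server does when no verification is configured."""
    limit = simultaneous_use_limit(conn, username)
    if limit is None:
        return ("accept", 0, None)            # no Simultaneous-Use check item for this user
    count = count_open_sessions(conn, username)
    if count < limit:
        return ("accept", count, limit)       # cheap path: the count alone allows the login
    live = [s for s in open_sessions(conn, username) if is_alive(s)]   # drop stale rows
    return ("reject" if len(live) >= limit else "accept", len(live), limit)


if __name__ == "__main__":
    db = open_db()
    for user in ("johnk", "testacct", "nobody"):
        print(user, check_simultaneous_use(db, user))
    # johnk's one open row is stale according to the NAS: the login goes through.
    print("johnk (NAS says session gone)", check_simultaneous_use(db, "johnk", is_alive=lambda s: False))
```

With these rows johnk (group pirate-its, limit 1) is rejected while his single open session row stands, testacct (group pirate, limit 2) is accepted with one open session, and a user with no group entry gets no check at all. The last call shows why the verification step matters: when the NAS reports the session gone, the stale row no longer counts.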

Re: problems authenticating

2005-07-12 Thread jck-freeradius
On Mon, Jul 11, 2005 at 08:12:09PM -0400, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > >   Try using just MS-CHAP with an NT password in SQL.  Once that works,
> > > PEAP will work.
> > 
> > I am not entirely sure what you mean, so I tried two different
> > combinations.
> 
>   Find a RADIUS client that implements MS-CHAPv.

The native windows XP client uses MS-CHAPv2.  Unless I decide to use 
a smartcard, the built-in client uses EAP type of PEAP and 
authentication of MS-CHAP-V2, /only/.

 
>   See src/tests/mschapv1 for a sample script which can be used with
> radclient to test MSCHAP.

I do not understand how radclient is any different compared to radtest.  If
I use the src/tests/mschapv1 script as input to radclient, do I not need to
put some information in for user Bob into my SQL database?  I am unsure
how I need to change my radiusd.conf or authorization backend, to accommodate
the script.

If it is MS-CHAP-V2 which is failing, how will testing MS-CHAP-V2 with a
MS-CHAP client help?  I should see the same error when testing, that I see
now, correct?

rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module mschap returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv1 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: MS-CHAP-Response is incorrect.
  modcall[authenticate]: module mschap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [bob/no User-Password attribute] (from client localhost port 
0)


> > EAP removed from authorization stanza:
> > http://www.southwestern.edu/~johnk/eap_removed_authorization.txt
> 
>   If you tell the server not to use EAP, and then send it EAP
> requests, it won't work.
> 
>   Alan DeKok.

--johnk 


Re: problems authenticating

2005-07-12 Thread jck-freeradius
On Tue, Jul 12, 2005 at 10:30:22AM -0500, [EMAIL PROTECTED] wrote:

What I find interesting is that if I use NT-Password and/or LM-Password
in the radcheck table, the sql authorization complains:

  modcall[authorize]: module auth_log returns ok for request 18
radius_xlat:  'johnk'
rlm_sql (sql): sql_set_user escaped user -- 'johnk'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'johnk' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'johnk' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'johnk' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'johnk' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): No matching entry in the database for request from user [johnk]
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns notfound for request 18


however, if I use User-Password, I see:

  modcall[authorize]: module auth_log returns ok for request 29
radius_xlat:  'johnk'
rlm_sql (sql): sql_set_user escaped user -- 'johnk'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = 'johnk' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'johnk' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = 'johnk' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'johnk' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok for request 29

Does this not mean that my supplicant is sending a password response
in the form of User-Password, and not in NT/LM form?

--johnk 


Re: problems authenticating

2005-07-11 Thread jck-freeradius
On Mon, Jul 11, 2005 at 05:26:54PM -0400, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > rlm_mschap: Told to do MS-CHAPv2 for johnk with NT-Password
> > rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> 
>   That's pretty definitive.

I thought so as well.  I am 99% sure that the NTLM passwords I am
using are valid.

> 
> > My thoughts are that SQL and MSCHAP should be in the authorization section,
> > and MSCHAP and EAP should be in authentication.
> 
>   eap should be in the authorize section, too.  That's the way the
> server comes configured.

radiusd.conf now reads, in part:

authorize {
        preprocess
        auth_log
        sql
        mschap
        eap
}
authenticate {
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        mschap
        eap
}

 
> > I am storing NTLM passwords in my SQL server.
> ...
> > | 1490 | johnk    | User-Password | == | 0393A990E3426721695109AB020K4E1C:FBFR81520C5BDDENOTREALPASSWORD33 |
> 
>   No, you're not.
> 
>   You're telling the server that the clear-text password is a hex
> string, which it's not.
> 
>   If you want to store the NT-hashed passwords in SQL, use the
> NT-Password attribute, and ensure that the value is 32 bytes of hex
> data.

When using NT-Password, I was noticing that the sql authorization phase
would not return OK.  Switching it to User-Password seemed to fix that
(albeit not correctly).  I have switched radcheck back to using Attributes
of NT-Password.

 
>   But before you do that, I would STRONGLY suggest storing a simple
> clear-text password in SQL, like test.  Verify that it works, and
> THEN start storing NT password.

I have a test account, named testacct.  I have switched his values in radcheck
to Password == monkey

host:/etc/raddb # radtest testacct monkey host:1645 0 testing123
Sending Access-Request of id 77 to 127.0.0.1:1645
User-Name = testacct
User-Password = monkey
NAS-IP-Address = hecate
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=77, length=37
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = 111
host:/etc/raddb # 

 
>   By trying to configure 3 things at the same time, you guarantee that
> you can't possibly figure out which one of the three is failing.

Agreed.

I am including two URLs.  One with debug logs showing user 'johnk'
trying to AAA, using NT-Password.  The other shows testacct (using the
same supplicant as johnk, XP) using Password (cleartext).

NT-Password, logging in as johnk:
http://www.southwestern.edu/~johnk/johnk_NT-Password_debug.txt

Password, logging in as testacct:
http://www.southwestern.edu/~johnk/testacct_Password_debug.txt

Notice that with changing the Attribute in radcheck to Password, and assigning
the Value a cleartext, Access-Accept is generated.

--johnk 


Re: problems authenticating

2005-07-11 Thread jck-freeradius
On Mon, Jul 11, 2005 at 03:40:32PM -0600, Vladimir Vuksan wrote:
> I believe this is incorrect. You may want to split off the two password 
> hashes and put them in separate variables ie. LM-Password and 
> NT-Password. User-Password usually refers to either a crypted or 
> cleartext password.

I think you are correct!  I have tried splitting the password into two
separate parts:

mysql> select * from radcheck where UserName = 'testacct';
+------+----------+-------------+----+----------------------------------+
| id   | UserName | Attribute   | op | Value                            |
+------+----------+-------------+----+----------------------------------+
|  697 | testacct | NT-Password | == | 8503P0UI042LADKP3M13B449051404EE |
| 2513 | testacct | LM-Password | == | BEO04PD4LA909194D58181AFS44KE005 |
+------+----------+-------------+----+----------------------------------+
2 rows in set (0.00 sec)

I receive logs similar to what is received when logging in with a
bad password, as before.  I have even swapped two values with each other
(NT for LM).  MS-CHAP failed.

--johnk 


Re: problems authenticating

2005-07-11 Thread jck-freeradius
On Mon, Jul 11, 2005 at 06:56:44PM -0400, Alan DeKok wrote:
>   Try using just MS-CHAP with an NT password in SQL.  Once that works,
> PEAP will work.
> 
>   Alan DeKok.

I am not entirely sure what you mean, so I tried two different combinations.

johnk has only a NT-Password.  testacct has both NT-Password and LM-Password.

EAP removed from authorization stanza:
http://www.southwestern.edu/~johnk/eap_removed_authorization.txt

authorize {
        preprocess
        auth_log
        sql
        mschap
#       eap
}
authenticate {
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        mschap
        eap
}


EAP removed from authentication stanza:
http://www.southwestern.edu/~johnk/eap_removed_authentication.txt

authorize {
        preprocess
        auth_log
        sql
        mschap
        eap
}
authenticate {
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        mschap
#       eap
}


--johnk 


Re: self user registration

2005-07-10 Thread jck-freeradius
On Sun, Jul 10, 2005 at 08:40:46PM +0100, Jason Clifford wrote:
> How about simply firewalling unauthenticated connections and routing all 
> access requests to a secured website running a registration script. 
> 
> This may not scale to a large deployment without a fair bit of work but 
> for a small to medium sized network it should be fairly easy.

Great idea, Jason!

That is exactly what NetReg does:
http://www.netreg.org

 
> Jason
> -- 
> UKFSN.ORG Finance Free Software while you surf the 'net
> http://www.ukfsn.org/  2Mb ADSL Broadband from just £14.98 / month 

--johnk 


Problems authenticating and assigning DHCP addresses

2005-07-09 Thread jck-freeradius
I am running Freeradius-1.0.4 from source.  Radius is accessed by XP requesting
through a Cisco AP.  I am running PEAP (MS-CHAP-V2) w/ SQL.

My first question is:

How do I tie all of this together with a DHCPd server, so that the
authenticated clients can be assigned an IP address?  I am using
VLAN tunnel attributes so that, when DHCP support /is/ implemented, I 
can assign different IP addresses with different access privileges.

How can I implement a DHCPd server into my configuration?

Second question:

How can I authenticate against a Crypt-Password, in SQL?

I am able to receive an Access-Accept when using a clear
text password (Attribute=Password), through XP.  I receive:

  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [johnk/no User-Password attribute] (from client Aironet1100 
port 318 cli 000e.35b5.eb8f)
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request

when using Crypt-Password.  However, Crypt-Password works fine
when testing with radtest.

Sincerely,
--johnk


Re: self user registration

2005-07-09 Thread jck-freeradius
Michael,

On Sat, Jul 09, 2005 at 08:40:29PM +0100, Michael Fisher wrote:
> So how do I go about creating the self registration system and what I'm 
> thinking is offering walled garden access for email

Take a look into NetReg for doing what you want:

http://www.netreg.org

> Alan DeKok wrote:
> 
> > Michael Fisher [EMAIL PROTECTED] wrote:
> > 
> > > I am currently involved in a wireless project. However we currently 
> > > need a radius server with the ability for users to register themselves, 
> > > also it would be ideal if this solution offered email authentication. Is 
> > > this possible at all?
> > 
> >   They can't send email until they're authenticated.  So they'll have
> > to send email from somewhere else on the net.  You can then put that
> > information into a database, at which time they can login through
> > RADIUS.
> > 
> >   Alan DeKok.

--johnk 


Re: Problems authenticating and assigning DHCP addresses

2005-07-09 Thread jck-freeradius

Zoltan,

On Sat, Jul 09, 2005 at 06:21:37PM -0400, Zoltan A. Ori wrote:
> On Saturday 09 July 2005 16:45, [EMAIL PROTECTED] wrote:
> 
> > My first question is:
> > 
> > How do I tie all of this together with a DHCPd server, so that the
> > authenticated clients can be assigned an IP address.  I am using
> > VLAN tunnel attributes so that, when DHCP support /is/ implemented, I
> > can assign different IP addresses with different access privileges.
> > 
> > How can I implement a DHCPd server into my configuration?
> 
> Since you are using VLANs and want different IP ranges for different access 
> privileges, I would suggest you use Q-Trunks if your network equipment 

We currently do dot-Q trunking of VLANS, and my testing AP has been setup
to support the configuration.  Let me know if you are referring to
something else.

> permits. Build a DHCP scope for each VLAN address range, then assign the 

By scope, yes, we have an ISC DHCPd server setup to give out DHCP IP
addresses, based on VLAN DHCP request.

> gateway and helper address to each virtual interface of the trunks on your 
> router. This has nothing to do with RADIUS and should be covered in your 
> router, switch and access point manuals. 

I was under the impression that if my TCP/IP stack was setup for DHCP,
and I received an Access-Accept packet from FreeRadius, that my supplicant
would go out and request an IP address.  Is this not correct?  It is not
working for me.

In addition, I also am wondering why I can only use Attribute=Password for
successful authentication, and not Attribute=Crypt-Password.  Crypt-Password
works fine when tested through radtest.

 
> Zoltan Ori

--johnk 


Re: Problems authenticating and assigning DHCP addresses

2005-07-09 Thread jck-freeradius
On Sat, Jul 09, 2005 at 07:01:10PM -0400, Zoltan A. Ori wrote:
> On Saturday 09 July 2005 18:36, [EMAIL PROTECTED] wrote:
> 
> > We currently do dot-Q trunking of VLANS, and my testing AP has been setup
> > to support the configuration.  Let me know if you are referring to
> > something else.
> 
> That is what I meant.
> 
> > I was under the impression that if my TCP/IP stack was setup for DHCP,
> > and I received an Access-Accept packet from FreeRadius, that my supplicant
> > would go out and request an IP address.  Is this not correct?  It is not
> > working for me.
> 
> It should work that way. Is the DHCP request getting relayed properly? tcpdump 
> or Ethereal will tell you.
> 
> > In addition, I also am wondering why I can only use Attribute=Password
> > for successful authentication, and not Attribute=Crypt-Password. 
> > Crypt-Password works fine when tested through radtest.
> 
> As far as I know, PEAP doesn't support crypt passwords. Try TTLS. 

My problem with TTLS is that, from what I can tell, Microsoft has no
native support for TTLS.  Only PEAP.

If someone can tell me of another method for doing a TLS tunnel, with no
client certificate needed, and use Crypt passwords, I would be very happy!

 
 Zoltan ori
 
 

--johnk 


Problems with installing to /etc and /var

2005-07-08 Thread jck-freeradius
I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to install
freeradius so that it uses /etc and /var, and not /usr/local/etc and 
/usr/local/var.

If I do:

/usr/local/src/freeradius-1.0.4 # make clean && make distclean

/usr/local/src/freeradius-1.0.4 # ./configure --disable-shared 
--without-rlm_x99_token --prefix=/ --localstatedir=/var --sysconfdir=/etc 
--exec-prefix=/ --bindir=/usr/local --sbin=/usr/local --libexec=/usr/local 
--datadir=/usr/local --libdir=/usr/local --includedir=/usr/local 
--oldincludedir=/usr/local --infodir=/usr/local --mandir=/usr/local && make 

Why do I receive this error message:

/usr/local/src/freeradius-1.0.4 # src/main/radiusd
Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files ...
radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
Permission denied
  (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)


There should be no reference to:

Couldn't open /usr/local/var/log/radius/radius.log

Full logs of configure and make are viewable at:
http://www.southwestern.edu/~johnk/freeradius_build_logs.txt

Additionally, why isn't there a Makefile method for deinstallation?

Thanks,
--johnk 


Problems with installing to /etc and /var

2005-07-08 Thread jck-freeradius
Hello Michael,

On Fri, Jul 08, 2005 at 05:36:26PM -0500, Michael Cooper wrote:
 Hello jck,
 
 I don't know what the proper permissions are, however

My problem is not permissions related.  I am trying to install FreeRADIUS
so that it references /etc/raddb, and writes to /var/log/radius. 

Instead, I receive the following upon startup:

radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging:
Permission denied

Granted, this is a permissions error.  Please note, I am not worried about
the permission error.  Instead, I am worried about radiusd trying
to reference:

/usr/local/var/log/radius/radius.log

when it should be referring to:

/var/log/radius/radius.log

I still require assistance with this matter! 

 
 - Original Message - 
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Sent: Friday, July 08, 2005 4:37 PM
 Subject: Problems with installing to /etc and /var
 
 
 I am running freeradius-1.0.4 from source, on SLES 9.0.  I want to install
 freeradius so that it uses /etc and /var, and not /usr/local/etc and 
 /usr/local/var.
 
 If I do:
 
 /usr/local/src/freeradius-1.0.4 # make clean && make distclean
 
 /usr/local/src/freeradius-1.0.4 # 
 ./configure --disable-shared --without-rlm_x99_token --prefix=/ 
 --localstatedir=/var --sysconfdir=/etc --exec-prefix=/ 
  --bindir=/usr/local --sbin=/usr/local --libexec=/usr/local 
  --datadir=/usr/local --libdir=/usr/local --includedir=/usr/local 
  --oldincludedir=/usr/local --infodir=/usr/local --mandir=/usr/local && 
  make
 
 Why do I receive this error message:
 
 /usr/local/src/freeradius-1.0.4 # src/main/radiusd
 Fri Jul  8 15:49:43 2005 : Info: Starting - reading configuration files 
 ...
 radiusd: Couldn't open /usr/local/var/log/radius/radius.log for logging: 
 Permission denied
  (rlm_exec: Wait=yes but no output defined. Did you mean output=none?)
 It looks like to me you have to chmod 644 /usr/local/var/log/radius/ - 
 this dir then also make sure it is creating the proper log file - 
 radius.log
 Maybe one of these other gurus know better what to tell you.  I ran 
 into that problem as well a week ago I think.
 
 
 There should be no reference to:
 
 Couldn't open /usr/local/var/log/radius/radius.log
 
 Full logs of configure and make are viewable at:
 http://www.southwestern.edu/~johnk/freeradius_build_logs.txt
 
 Additionally, why isn't there a Makefile method for deinstallation?
 
 Thanks,
 --johnk
 
 
 
 
 
 Good luck,
 Michael A Cooper
 BCCISP.net
 http://www.bccisp.net
 281-854-2079
 Technology that counts, voices that matter! 
 
 

Thank you,
--johnk

- End forwarded message -



Re: EAP-TTLS w/ files - cert and username issues

2005-07-07 Thread jck-freeradius
On Thu, Jul 07, 2005 at 01:33:31PM -0400, Alan DeKok wrote:
 [EMAIL PROTECTED] wrote:
  I am experiencing several barriers in getting the FreeRadius 1.0.2
  port to work, in FreeBSD 5.4-RELEASE.  The supplicant is XP SP2,
  requesting through a Cisco 1100 AP NAS.
 
   SP2 has known interoperability problems with RADIUS servers.  See
 Microsoft's web site for a hot fix.

This hotfix is to correct the PEAP Type:Length:Value format.  I am doing
EAP-TTLS, not PEAP.  This raises another question:

My Authentication type is: TTLS

What should my Authentication Protocol be?

I have the choices of MS-CHAP-V2, MD5 or PAP.  I am unsure which one
is the optimal choice.  I am thinking either MS-CHAP-V2 or MD5.  

Depending on which protocol I select, does the default_eap_type line
in eap.conf need to reflect the protocol (I want to do EAP-TTLS)?

 
  When I can get everything working with the built-in XP 802.1x
  authentication client, I would like to enable multiple VLAN support into my
  radius config.  
 
   Sure.  Just send back tunnel attributes.

Thanks.  I will look into this when I have these other situations
handled.

 
  Why am I seeing \\username, instead of just username?
 
   Because that's what the client is sending.

Sure, understood.  

How do I prevent the \\ from happening? 

I noticed the prefixing of my username with \\ as soon as the supplicant
(windows XP) began requesting a Roaming Identity.  I have no idea
what this dialog means, and I would like to know how to prevent
it from coming up (it seems to be related to selecting TTLS as
my Authentication type).

 
  Is there a way to disable the validation of a CA in the built-in
  XP supplicant 802.1x authentication dialog? 
 
   Yes.  Uncheck validate server certificate.
 
   Alan DeKok.

Thank you for your assistance!

 
 

--johnk 

- End forwarded message -

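Added example, not code from FreeRADIUS or from anyone in the thread above: it shows what a prefix-style realm rule does with the `\\username` that the XP supplicant sends, so that the bare name can still match an entry written for `johnk`. The user names, realm names and the users-file rows here are constructed.

```python
"""Split a RADIUS User-Name into its bare user part and optional realm.

Added illustration (not FreeRADIUS code): a Windows XP supplicant may send
"\\user" (empty NT domain) or "DOMAIN\\user"; suffix realms look like
"user@realm". The users file is keyed on the bare name, so the raw
attribute has to be stripped before the lookup, which is what a
prefix-format realm rule does in the server.
"""
from typing import NamedTuple, Optional


class Identity(NamedTuple):
    user: str
    realm: Optional[str]  # None when the name carried no realm
    style: str            # "prefix", "suffix" or "none"


def split_user_name(name: str) -> Identity:
    """Return (user, realm, style) for NT-domain and suffix-style names."""
    if name.startswith("\\"):
        # "\user" or "\\user": an empty NT domain, as XP sends when the
        # roaming-identity dialog is left blank.
        return Identity(name.lstrip("\\"), None, "prefix")
    if "\\" in name:
        # "DOMAIN\user": a real NT domain prefix.
        domain, _, user = name.partition("\\")
        return Identity(user, domain, "prefix")
    if "@" in name:
        # "user@realm": conventional suffix realm, split on the last '@'.
        user, _, realm = name.rpartition("@")
        return Identity(user, realm or None, "suffix")
    return Identity(name, None, "none")


# Constructed stand-in for the relevant rows of a users file:
# bare user name -> Auth-Type that the entry sets.
USERS_FILE = {"johnk": "EAP"}


def lookup_user(raw_user_name: str, users=USERS_FILE) -> Optional[str]:
    """Resolve a raw User-Name to its users-file entry, or None if absent."""
    ident = split_user_name(raw_user_name)
    return users.get(ident.user)
```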