[no subject]

2007-03-15 Thread markcapelle
Actually, I don't think this will help since the wireless controller IP
that freeradius "sees" is *not* in the 192.168.100.* range.  This
controller uses LWAPP, so the IP ranges that the wireless networks use are
totally contained within the wireless infrastructure, which means that the
NAS IP is actually the LAN IP address of the controller.

Again, it appears the only way for me to determine that the client request
is coming from the wrong subnet is via the "cli" value.  If Cisco would
just fix the guest wireless implementation to only look at the internal
database or give you an option to specify this, all would be well.  But...
since they don't, I have to figure out how to break RADIUS for one subnet
and yet allow it to function for the rest.

-Original Message-
From: Sam Schultz [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 15, 2007 12:46 PM
To: freeradius-users@lists.freeradius.org; Capelle, Mark (PCMC-GB)
Subject: Re: Reject authentication attempts based on "cli" value?

An entry like this in your 'users' file should work:

DEFAULT NASIPAddress =~ "192.168.100.*"
Auth-Type := Reject

I'm not sure '*' is the appropriate regular expression character for
freeradius, but you should be able to verify that pretty quickly from the
documentation. Operator information itself can be found on:

http://wiki.freeradius.org/Operators

On Thu, 15 Mar 2007 11:23:23 -0500 [EMAIL PROTECTED] wrote:
>It is a Cisco WLAN 4402.  For reference, here is a log entry from a
>user connecting from the Guest network:
>
>   Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client PCMCWLANCTRLR1 port 0 cli 192.168.100.101)
>
>And here is a log entry from someone connecting via 802.1x on another
>network:
>
>   Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser] (from client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)
>
>As you can see, the only way I have to differentiate these two auth
>attempts is via the "cli" value.  192.168.100.x is the subnet range of
>my Guest network.  I want all auth attempts from 192.168.100.x to be
>rejected.
>
>Hope someone can help me out with this.
>
>Thanks.
>
>>Date: Thu, 15 Mar 2007 10:55:55 -0400
>>From: "King, Michael" <[EMAIL PROTECTED]>
>>Subject: RE:
>>To: "FreeRadius users mailing list"
>>Message-ID: <[EMAIL PROTECTED]>
>>Content-Type: text/plain;charset="iso-8859-1"
>>
>>What manufacturer makes the NAS (the wireless controller?)
>>
>>I would look to the Called-Station field.  Usually (Based on Cisco AP's)
>>this is the MAC of the AP, followed by the SSID they connected to.
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
>>> Sent: Thursday, March 15, 2007 10:48 AM
>>> To: freeradius-users@lists.freeradius.org
>>> Subject:
>>>
>>> I have a situation where I have a wireless controller that services
>>> multiple wireless networks (vlans).  When the controller contacts the
>>> RADIUS server with an authentication request, it does so with the IP
>>> address of the controller as the client address.  The problem is I
>>> have a guest network that has lower security than my other wireless
>>> networks.  The guest network has its own user/password database
>>> stored in the controller, but the way authentication occurs is that it
>>> checks RADIUS for the user first and assumes it will fail, then will
>>> use the internal database.  The issue with this is that if one of my
>>> users jumps on the guest network, they are authenticated which is not
>>> what I want to happen.  Looking at the logs, I noticed that all the
>>> guest network users have the IP address of the client in the "cli"
>>> field.  My guest network is a totally different VLAN and IP subnet.
>>>
>>> Is there a way to key off of the "cli" field and then make it so that
>>> all requests from clients with a specific subnet in this field are not
>>> authenticated?  This would stop my internal users from connecting, but
>>> allow the correct users (those in the internal DB) to still get
>>> connected.
>>>
>>> Thanks.
>>> CONFIDENTIALITY NOTICE:  This e-mail may contain trade secrets or
>>> privileged, undisclosed or otherwise confidential information. If you
>>> have received this e-mail in error, you are hereby notified that any
>>> review, copying or distribution of this message in whole or in part is
>>> strictly prohibited. Please inform the sender immediately and destroy
>>> the original transmittal. Thank you for your cooperation.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>

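The whole thread comes down to telling guest-network logins apart from 802.1x logins using nothing but the `cli` field of the Auth log line, which FreeRADIUS fills from Calling-Station-Id (the debug output further down the page shows `Calling-Station-Id = "0.0.0.0"` becoming `cli 0.0.0.0`). The Python below is an added example, not code from the thread or from FreeRADIUS: it parses the two log lines quoted above plus one constructed line from a neighbouring subnet, decides whether each `cli` value is an IPv4 address inside 192.168.100.0/24 (a MAC address never matches), and contrasts that with Sam's suggested `192.168.100.*` taken literally as a regular expression. The subnet and the first two log lines come from the thread; the third line and the extra test values are constructed.

```python
import ipaddress
import re

# Shape of the FreeRADIUS 1.x "Auth:" log lines quoted in the thread; the cli
# part is optional because some NASes send no Calling-Station-Id at all.
AUTH_LINE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

GUEST_SUBNET = ipaddress.ip_network("192.168.100.0/24")  # from the thread

# Constructed sample input: the two lines quoted in the thread (each rejoined
# onto one line) plus one constructed line from a different subnet.
SAMPLE_LOG = [
    "Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] "
    "(from client PCMCWLANCTRLR1 port 0 cli 192.168.100.101)",
    "Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\\\guestuser] "
    "(from client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)",
    "Thu Mar 15 07:31:02 2007 : Auth: Login OK: [staffuser] "
    "(from client PCMCWLANCTRLR1 port 0 cli 192.168.101.7)",
]


def parse_auth_line(line):
    """Return the fields of one Auth: log line as a dict, or None if it is not one."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify_cli(cli):
    """'ip' for a dotted-quad IPv4 address, 'mac' for a MAC address, else 'other'."""
    if cli is None:
        return "other"
    try:
        ipaddress.IPv4Address(cli)  # rejects 999 octets, phone numbers, MACs
        return "ip"
    except ValueError:
        pass
    return "mac" if MAC_RE.match(cli) else "other"


def cli_in_subnet(cli, subnet=GUEST_SUBNET):
    """True only when cli is a valid IPv4 address inside subnet."""
    if classify_cli(cli) != "ip":
        return False
    return ipaddress.IPv4Address(cli) in subnet


def guest_subnet_logins(lines, subnet=GUEST_SUBNET):
    """Users accepted with a guest-subnet cli: in the thread's setup these are
    the RADIUS logins that should have been rejected."""
    hits = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["result"] == "OK" and cli_in_subnet(rec["cli"], subnet):
            hits.append(rec["user"])
    return hits


# Sam's "192.168.100.*" read as a regular expression: every "." is a wildcard
# and nothing anchors it.  The anchored, escaped form is tighter, but still
# accepts a fourth octet such as 999 that is not an address at all, which is
# why the ipaddress check above is the one to trust.
LOOSE = re.compile(r"192.168.100.*")
STRICT = re.compile(r"^192\.168\.100\.[0-9]{1,3}$")


def loose_matches(value):
    return LOOSE.search(value) is not None


def strict_matches(value):
    return STRICT.match(value) is not None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_auth_line(line)
        print(rec["user"], classify_cli(rec["cli"]), cli_in_subnet(rec["cli"]))
    print("should have been rejected:", guest_subnet_logins(SAMPLE_LOG))
```

Run it directly to see the three sample lines classified; only `guestuser` lands in the reject list, the 802.1x login with a MAC in `cli` never does.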
Reject authentication attempts based on "cli" value?

2007-03-15 Thread markcapelle
It is a Cisco WLAN 4402.  For reference, here is a log entry from a user
connecting from the Guest network:

   Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client PCMCWLANCTRLR1 port 0 cli 192.168.100.101)

And here is a log entry from someone connecting via 802.1x on another
network:

   Thu Mar 15 07:26:36 2007 : Auth: Login OK: [DOMAIN\\guestuser] (from client PCMCWLANCTRLR1 port 1 cli 00-12-F0-19-6E-B3)

As you can see, the only way I have to differentiate these two auth attempts
is via the "cli" value.  192.168.100.x is the subnet range of my Guest
network.  I want all auth attempts from 192.168.100.x to be rejected.

Hope someone can help me out with this.

Thanks.

>Date: Thu, 15 Mar 2007 10:55:55 -0400
>From: "King, Michael" <[EMAIL PROTECTED]>
>Subject: RE:
>To: "FreeRadius users mailing list"
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain;charset="iso-8859-1"
>
>What manufacturer makes the NAS (the wireless controller?)
>
>I would look to the Called-Station field.  Usually (Based on Cisco AP's)
>this is the MAC of the AP, followed by the SSID they connected to.
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
>> Sent: Thursday, March 15, 2007 10:48 AM
>> To: freeradius-users@lists.freeradius.org
>> Subject:
>>
>> I have a situation where I have a wireless controller that services
>> multiple wireless networks (vlans).  When the controller contacts the
>> RADIUS server with an authentication request, it does so with the IP
>> address of the controller as the client address.  The problem is I
>> have a guest network that has lower security than my other wireless
>> networks.  The guest network has its own user/password database
>> stored in the controller, but the way authentication occurs is that it
>> checks RADIUS for the user first and assumes it will fail, then will
>> use the internal database.  The issue with this is that if one of my
>> users jumps on the guest network, they are authenticated which is not
>> what I want to happen.  Looking at the logs, I noticed that all the
>> guest network users have the IP address of the client in the "cli"
>> field.  My guest network is a totally different VLAN and IP subnet.
>>
>> Is there a way to key off of the "cli" field and then make it so that
>> all requests from clients with a specific subnet in this field are not
>> authenticated?  This would stop my internal users from connecting, but
>> allow the correct users (those in the internal DB) to still get
>> connected.
>>
>> Thanks.


[no subject]

2007-03-15 Thread markcapelle
I have a situation where I have a wireless controller that services
multiple wireless networks (vlans).  When the controller contacts the
RADIUS server with an authentication request, it does so with the IP
address of the controller as the client address.  The problem is I have a
guest network that has lower security than my other wireless networks.  The
guest network has its own user/password database stored in the controller,
but the way authentication occurs is that it checks RADIUS for the user
first and assumes it will fail, then will use the internal database.  The
issue with this is that if one of my users jumps on the guest network, they
are authenticated which is not what I want to happen.  Looking at the logs,
I noticed that all the guest network users have the IP address of the
client in the “cli” field.  My guest network is a totally different VLAN
and IP subnet.

Is there a way to key off of the “cli” field and then make it so that all
requests from clients with a specific subnet in this field are not
authenticated?  This would stop my internal users from connecting, but
allow the correct users (those in the internal DB) to still get connected.

Thanks.

Help with proxy scenario

2005-12-15 Thread markcapelle

I have a need to proxy users based on either AD group membership or a substring in the username.  I am currently using LDAP to AD.

AD group membership scenario: If user is in group "x" then proxy to radius server "y".

Substring scenario: If username contains string "x", then strip "x" and proxy to server "y".

I believe both could work.  Which is easiest and what modules are needed?  Also, any examples of either would be greatly appreciated.

Thanks,
 Mark

Proxying based on substring in username

2005-12-14 Thread markcapelle

I am currently knee deep in an Active Directory domain collapse and need to figure out how to get FreeRADIUS to authenticate users as they are moved between domains.  During the AD migration process user accounts are disabled in the source domain (where FreeRADIUS currently points) and enabled in the target domain.  What I need to do is figure out a way to determine if a user has been moved and if they have, proxy the requests to the new domain.

I see two possible ways to do this -

1 - If the user is in AD group "X" proxy the request

2 - If the username has string "m_", then remove the "m_" string and proxy the request

My questions are these:  which is the easiest to implement and how do I implement each?

I have looked at rlm_attr_rewrite a bit and think this may be the module for the second situation.  I have googled and searched the lists, unable to find anything of much help.

Re: Freeradius-Users Digest, Vol 2, Issue 3

2005-06-01 Thread markcapelle
>Hello all! I would like to know if anyone has gotten freeradius to work
>with eDirectory (LDAP)? We are using freeradius 0.93 (ships with sles9)
>and want our wireless users to authenticate to the eDirectory box. I
>changed the radiusd.config file at the ldap entry. Clients file has not
>been touched. It seems that i may need to "extend the schema" on the
>eDirectory box. Then include the supplied radiusxx.schema file in the
>slapd.conf file. Any help will be appreciated.

>Chris

I had this running in my environment for about 2 years.  You don't need any
schema changes (that I can recall) and you don't need to do anything with
slapd.  Just configure freeradius to look at your eDir as an LDAP store.
Search the archive lists, there should be plenty of examples there.

Mark Capelle


RE: Troubleshoot EAP-TTLS : I can't understand why it's not working.

2005-05-13 Thread markcapelle
> NAS-IP-Address = 10.256.256.256

256 has never been a valid octet in an IP address.  Use a real IP address
and I suspect that your results will be much better.

Mark Capelle


802.1x and authenticating machine account

2005-04-12 Thread markcapelle
I have been using 802.1x with PEAP/Windows XP/AD for a while.  We now have
some walkup stations in place that are giving me trouble.  Since the
machine does not have cached credentials of the user logging in, it cannot
get past the login screen to start the EAP auth and activate the port on my
switch.  I enabled the checkbox to use the machine credentials, so now I
see the request come in (host/machine.mydomain.corp.com).  Is there a way I
can auth the machine?  Could I do this via the users file?  Maybe use the
realm file to modify the request to auth the machine against AD properly?

Mark Capelle


Freeradius authentication using Windows via ntlm_auth and winbindd

2005-02-23 Thread markcapelle
Jay,

   Your problem is a typo at the least.  Fix this and see if it works.

/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-User-Name}
--domain=%{nschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

--domain=%{nschap:NT-Domain} should be --domain=%{mschap:NT-Domain}

Mark Capelle


Authentication problems

2005-02-11 Thread markcapelle
Since upgrading to 1.0.1 and making some changes to the config for PEAP, I
am seeing the following issue.  When a user connects via iPass, they are
getting a password failure on the client for the initial authentication,
but then a success upon rekeying the password.  I have a redundant
configuration (two FreeRADIUS servers, each going to two LDAP servers).
The odd thing is when this is happening, on the primary FreeRADIUS server I
see no auth failures and multiple auth OKs.  I am also seeing auths on the
backup RADIUS server.  I never saw auths on both servers before the
upgrade/changes and I never had multiple Auth OK responses. Here is the
entry from the primary server:

Tue Feb  8 13:59:40 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client
RoamServer1 port 187 cli 9204945601)
Tue Feb  8 13:59:51 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client
RoamServer1 port 187 cli 9204945601)
Tue Feb  8 14:00:42 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client
RoamServer1 port 110 cli 9204945601)
Tue Feb  8 14:00:53 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client
RoamServer1 port 110 cli 9204945601)
Tue Feb  8 14:04:10 2005 : Auth: Login OK: [] (from client Cisco3015
port 8884)

And the secondary  server:

Tue Feb  8 13:59:51 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client
RoamServer1 port 187 cli 9204945601)
Tue Feb  8 14:00:53 2005 : Auth: Login OK: [EMAIL PROTECTED] (from client
RoamServer1 port 110 cli 9204945601)

Could this be due to the fact that I had to comment out the following in
the users file?

#DEFAULT    Auth-Type := LDAP
#           Fall-Through = 1

I had to do this to get the PEAP setup to allow the LDAP and users file
authentication to work as well.

I can provide config files and debug output if necessary.

Mark Capelle




Strange script issues

2005-02-01 Thread markcapelle
Hi all,

I am having a strange issue after upgrading my radius servers from
0.9.3 to 1.0.1.  I am running on Redhat and as such have the following
init.d script:

-
#!/bin/sh
#
# radiusd   Start the radius daemon.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
#
# Copyright (C) 2001-2002 The FreeRADIUS Project http://www.freeradius.org

prefix=/usr/local
exec_prefix=${prefix}
sbindir=${exec_prefix}/sbin
localstatedir=${prefix}/var
logdir=/usr/local/var/log/radius2
rundir=${localstatedir}/run/radiusd
sysconfdir=${prefix}/etc

# Second server instance: its own binary, config directory, port and pid file.
RADIUSD=$sbindir/radiusd2
RADDBDIR=/usr/local/etc/raddb2
DESC="FreeRADIUS"

#
#  See 'man radiusd' for details on command-line options.
#
ARGS="-d /usr/local/etc/raddb2 -p 1822 -A -y"

test -f $RADIUSD || exit 0
test -f $RADDBDIR/radiusd.conf || exit 0

case "$1" in
  start)
        echo -n "Starting $DESC:"
        $RADIUSD $ARGS
        echo "radiusd2"
        ;;
  stop)
        [ -z "$2" ] && echo -n "Stopping $DESC: "
        [ -f $rundir/radiusd2.pid ] && kill -TERM `cat $rundir/radiusd2.pid`
        [ -z "$2" ] && echo "radiusd2."
        ;;
  reload|force-reload)
        echo "Reloading $DESC configuration files."
        [ -f $rundir/radiusd2.pid ] && kill -HUP `cat $rundir/radiusd2.pid`
        ;;
  restart)
        sh $0 stop quiet
        sleep 3
        sh $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart}"
        exit 1
esac

exit 0
-

The issue is that this script no longer works as it did in the past.  When
running the script I get the following errors in the log:

Tue Feb  1 13:36:03 2005 : Error: Errors reading dictionary: dict_init:
/usr/local/share/freeradius/dictionary.3gpp[29]: invalid type "ipv6addr"
Tue Feb  1 13:36:03 2005 : Error: Errors reading
/usr/local/var/log/radius2/radiusd.conf: For more information, please read
the tail end of /usr/local/var/log/radius2/radius.log

If I run the radius server from the bash prompt with the following,
everything works as expected:

radiusd -d /usr/local/etc/raddb2 -p 1822 -A -y

What am I missing?

Mark Capelle




RE: LDAP AD 802.1x eap peap mschap v2=help

2005-01-31 Thread markcapelle
Brandon,

   You will never be able to do LDAP auth against AD when using EAP.
In the archives there are many discussions on the topic.  The only way to
do EAP against AD is to use ntlm_auth.

Mark Capelle




Re: Extreme, 802.1x, PEAP, and FreeRADIUS

2005-01-21 Thread markcapelle
Here is the radiusd -Xxxx output from when the Extreme Networks switch
tries to auth the port:

  
Thu Jan 20 04:21:12 2005 : Debug: Listening on authentication *:1812
Thu Jan 20 04:21:12 2005 : Debug: Listening on accounting *:1813
Thu Jan 20 04:21:12 2005 : Debug: Listening on proxy *:1814
Thu Jan 20 04:21:12 2005 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.3:2082, id=176, length=98
User-Name = "[EMAIL PROTECTED]"
EAP-Message = 0x0201001101414d535c6d636170656c6c65
NAS-IP-Address = 10.0.4.3
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x79e9c575d1b7ebe5618c65d8034791e4
Thu Jan 20 04:21:36 2005 : Debug:   Processing the authorize section of
radiusd.conf
Thu Jan 20 04:21:36 2005 : Debug: modcall: entering group authorize for
request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "preprocess"
returns ok for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "chap"
returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "mschap"
returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: Looking up realm "AMS" for
User-Name = "[EMAIL PROTECTED]"
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No such realm "AMS"
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "suffix"
returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling ntdomain
(rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No '\' in User-Name =
"[EMAIL PROTECTED]", looking up realm NULL
Thu Jan 20 04:21:36 2005 : Debug: rlm_realm: No such realm "NULL"
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from
ntdomain (rlm_realm) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "ntdomain"
returns noop for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   rlm_eap: EAP packet type response id 1
length 17
Thu Jan 20 04:21:36 2005 : Debug:   rlm_eap: No EAP Start, assuming it's an
on-going EAP conversation
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "eap"
returns updated for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Thu Jan 20 04:21:36 2005 : Debug: users: Matched DEFAULT at 152
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authorize]: module "files"
returns ok for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall: group authorize returns updated
for request 0
Thu Jan 20 04:21:36 2005 : Debug:   rad_check_password:  Found Auth-Type
EAP
Thu Jan 20 04:21:36 2005 : Debug: auth: type "EAP"
Thu Jan 20 04:21:36 2005 : Debug:   Processing the authenticate section of
radiusd.conf
Thu Jan 20 04:21:36 2005 : Debug: modcall: entering group authenticate for
request 0
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authenticate]: calling eap
(rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Error: rlm_eap: Identity does not match
User-Name, setting from EAP Identity.
Thu Jan 20 04:21:36 2005 : Debug:   rlm_eap: Failed in handler
Thu Jan 20 04:21:36 2005 : Debug:   modsingle[authenticate]: returned from
eap (rlm_eap) for request 0
Thu Jan 20 04:21:36 2005 : Debug:   modcall[authenticate]: module "eap"
returns invalid for request 0
Thu Jan 20 04:21:36 2005 : Debug: modcall: group authenticate returns
invalid for request 0
Thu Jan 20 04:21:36 2005 : Debug: auth: Failed to validate the user.
Thu Jan 20 04:21:36 2005 : Auth: Login incorrect: [EMAIL PROTECTED] (from
client Alpine port 0 cli 0.0.0.0)
Thu Jan 20 04:21:36 2005 : Debug: Delaying request 0 for 1 seconds
Thu Jan 20 04:21:36 2005 : Debug: Finished request 0
Thu Jan 20 04:21:36 2005 : Debug: Going to the next request
Thu Jan 20 04:21:36 200

Extreme, 802.1x, PEAP, and FreeRADIUS

2005-01-20 Thread markcapelle
Hi all,

  I currently have Windows XP SP1, HP switch, 802.1x, PEAP, and Active
Directory working flawlessly.  Now I have run up against a new issue with
my Extreme Networks equipment.  Here is the issue.  When using the HP
switch, I get the User-Name attribute from the switch as "AMS\\mcapelle"
which works perfectly.  When the Extreme gear sends the User-Name attribute
it is in the format "[EMAIL PROTECTED]".  Is there a way that I can fix this
attribute so that the PEAP authentication can take place?

Thanks,
Mark Capelle




Re: 802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
Eureka!

Michael was correct.  I had a typo (ntlm_atuh).  Fixed that and it works!
Thanks to Ron, Michael, and Kurt for all the help, you guys are great!

[EMAIL PROTECTED]


Tried that and I end up with -

Thu Jan 20 00:51:30 2005 : Debug: modcall: entering group Auth-Type for
request 6
Thu Jan 20 00:51:30 2005 : Debug:   modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create LM-Password.
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create NT-Password.
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
mcapelle with NT-Password
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: FAILED: No NT/LM-Password.
Cannot perform authentication.
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: FAILED: MS-CHAP2-Response
is incorrect
Thu Jan 20 00:51:30 2005 : Debug:   modsingle[authenticate]: returned from
mschap (rlm_mschap) for request 6
Thu Jan 20 00:51:30 2005 : Debug:   modcall[authenticate]: module "mschap"
returns reject for request 6

>Actually, what you should be sending in the --username option is:

>--username=%{mschap:User-Name}

>This will automatically strip the domain portion (if it exists) from the
>username before sending it to the DC.

>--Mike

>---
>Michael Griego
>Wireless LAN Project Manager
>The University of Texas at Dallas





RE: 802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
Yes I did =).  That yields:

Thu Jan 20 01:02:02 2005 : Debug:   modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Thu Jan 20 01:02:02 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create LM-Password.
Thu Jan 20 01:02:02 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create NT-Password.
Thu Jan 20 01:02:02 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
mcapelle with NT-Password
Thu Jan 20 01:02:02 2005 : Debug: radius_xlat: Running registered xlat
function of module mschap for string 'Challenge'
Thu Jan 20 01:02:02 2005 : Debug:  mschap2: 79
Thu Jan 20 01:02:02 2005 : Debug: radius_xlat: Running registered xlat
function of module mschap for string 'NT-Response'
Thu Jan 20 01:02:02 2005 : Debug: radius_xlat:  '/usr/bin/ntlm_auth
--request-nt-key --username=None --challenge=d38939043209bf91
--nt-response=ab7c6740f1d7494de6a26d6e42fcff2aa0fa39e24be7dfc6'
Thu Jan 20 01:02:02 2005 : Debug: Exec-Program: /usr/bin/ntlm_auth
--request-nt-key --username=None --challenge=d38939043209bf91
--nt-response=ab7c6740f1d7494de6a26d6e42fcff2aa0fa39e24be7dfc6
Thu Jan 20 01:02:03 2005 : Debug: Exec-Program output: Logon failure
(0xc06d)
Thu Jan 20 01:02:03 2005 : Debug: Exec-Program-Wait: plaintext: Logon
failure (0xc06d)

Which makes me think that for some reason the Stripped-User-Name is not
getting set.


>Did you try just

>--username=%{Stripped-User-Name:-None}

>Ron.



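Two of the threads on this page turn on how rlm_realm produces Stripped-User-Name: the 2005-12 proxying questions (realm decides where a request goes) and this PEAP/AD thread, whose debug output shows `No such realm "AMS"` for the `user@AMS` form and then `--username=None` in the ntlm_auth command. The Python below is an added example, not FreeRADIUS code and not from the thread: it models the suffix and ntdomain splitting, the attributes a realm instance adds only when its realm is configured, and the `%{Stripped-User-Name:-%{User-Name:-None}}`, `%{Stripped-User-Name:-None}` and `%{mschap:User-Name}` expansions quoted in the thread. The realm table is constructed for the example (AMS as LOCAL; `partner.example` and its home server are hypothetical).

```python
# Added model of rlm_realm stripping and the xlat fallbacks from the thread
# (not FreeRADIUS code).

LOCAL = "LOCAL"  # realm authenticated on this server rather than proxied

# Constructed realm table: realm name -> home server, or LOCAL.  "AMS" is the
# AD domain from the thread; "partner.example" and its server are hypothetical.
REALMS = {
    "AMS": LOCAL,
    "partner.example": "radius-y.partner.example",
}


def split_realm(user_name, style):
    """Split a User-Name the way the 'suffix' (user@realm) and 'ntdomain'
    (DOMAIN\\user) instances of rlm_realm do.  Returns (user, realm), or
    (None, None) when the delimiter is absent."""
    if style == "ntdomain":
        if "\\" not in user_name:
            return None, None
        realm, user = user_name.split("\\", 1)
        return user, realm
    if style == "suffix":
        if "@" not in user_name:
            return None, None
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    raise ValueError("unknown realm style: %r" % style)


def realm_module(request, style, realms=REALMS):
    """One rlm_realm instance in authorize.  It adds attributes only when the
    delimiter is present and the realm is configured; otherwise it is a noop,
    which is what the 'No such realm "AMS"' debug lines show.  (The real module
    also looks up a realm literally named NULL when no delimiter is found; that
    is not modelled here.)"""
    user, realm = split_realm(request.get("User-Name", ""), style)
    if realm is None or realm not in realms:
        return {}
    added = {"Stripped-User-Name": user, "Realm": realm}
    if realms[realm] != LOCAL:
        added["Proxy-To-Realm"] = realm  # request is forwarded to the home server
    return added


def authorize(user_name, realms=REALMS):
    """Run suffix then ntdomain, the order seen in the debug output above."""
    request = {"User-Name": user_name}
    for style in ("suffix", "ntdomain"):
        if "Stripped-User-Name" in request:
            break  # an earlier instance already stripped the realm
        request.update(realm_module(request, style, realms))
    return request


def xlat_username(request):
    """%{Stripped-User-Name:-%{User-Name:-None}}: first attribute present,
    otherwise the literal string None."""
    for attr in ("Stripped-User-Name", "User-Name"):
        if request.get(attr):
            return request[attr]
    return "None"


def xlat_stripped_or_none(request):
    """Ron's shorter %{Stripped-User-Name:-None}: with nothing stripped this
    is the literal None, i.e. the --username=None in the debug output."""
    return request.get("Stripped-User-Name") or "None"


def mschap_user_name(request):
    """%{mschap:User-Name} as Mike describes it: User-Name with any NT-domain
    prefix (text up to and including the backslash) removed."""
    name = request.get("User-Name", "")
    return name.split("\\", 1)[1] if "\\" in name else name


def ntlm_auth_argv(request, challenge="00", nt_response="00"):
    """The ntlm_auth command line from the thread with its xlats expanded;
    challenge and nt_response default to the :-00 fallbacks."""
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            "--username=" + xlat_username(request),
            "--challenge=" + challenge,
            "--nt-response=" + nt_response]


if __name__ == "__main__":
    # HP switch form with the AD realm configured: stripped to mcapelle.
    print(ntlm_auth_argv(authorize("AMS\\mcapelle")))
    # Extreme switch form with no realm "AMS" configured (the thread's case):
    # nothing is stripped, so the whole user@realm string reaches ntlm_auth.
    print(ntlm_auth_argv(authorize("mcapelle@AMS", realms={})))
    # Remote realm: Proxy-To-Realm is set and the request would be proxied.
    print(authorize("bob@partner.example"))
```

The second print shows the failure mode from the debug output: with no realm definition matching the suffix, Stripped-User-Name is never created, so the fallback hands ntlm_auth either the unstripped name or the literal `None`, depending on which xlat is used.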

802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
Tried that and I end up with -

Thu Jan 20 00:51:30 2005 : Debug: modcall: entering group Auth-Type for
request 6
Thu Jan 20 00:51:30 2005 : Debug:   modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create LM-Password.
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create NT-Password.
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
mcapelle with NT-Password
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: FAILED: No NT/LM-Password.
Cannot perform authentication.
Thu Jan 20 00:51:30 2005 : Debug:   rlm_mschap: FAILED: MS-CHAP2-Response
is incorrect
Thu Jan 20 00:51:30 2005 : Debug:   modsingle[authenticate]: returned from
mschap (rlm_mschap) for request 6
Thu Jan 20 00:51:30 2005 : Debug:   modcall[authenticate]: module "mschap"
returns reject for request 6

>Actually, what you should be sending in the --username option is:

>--username=%{mschap:User-Name}

>This will automatically strip the domain portion (if it exists) from the
>username before sending it to the DC.

>--Mike

>---
>Michael Griego
>Wireless LAN Project Manager
>The University of Texas at Dallas




802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
That is what I tried originally.  It always ends up with the AMS\\mcapelle
as the User-Name.  It acts like it is not populating the Stripped-User-Name
value.


>This is what I use

>ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key
>--username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=
>%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of
>>[EMAIL PROTECTED]
>>Sent: Thursday, January 20, 2005 11:14 AM
>>To: freeradius-users@lists.freeradius.org
>>Subject: 802.1x, PEAP, and AD

>>I have that as well as the ntdomain lines from the authorize and
>>accounting
>>sections uncommented, still no dice.  Any other ideas?

>>Thanks,
>>Mark Capelle





802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
I have that as well as the ntdomain lines from the authorize and accounting
sections uncommented, still no dice.  Any other ideas?

Thanks,
Mark Capelle




802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
I have the with_ntdomain_hack = yes option set under the MSCHAP section.
Where is the ntdomain option?




802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
Hi all,

I'm having an issue doing PEAP against AD.  I have most of it working,
except for this.  If I use the ntlm_auth line "ntlm_auth =
"/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}" in the MSCHAP section, I get the
following debug output:

Wed Jan 19 23:56:26 2005 : Debug: modcall: entering group Auth-Type for
request 6
Wed Jan 19 23:56:26 2005 : Debug:   modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Wed Jan 19 23:56:26 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create LM-Password.
Wed Jan 19 23:56:26 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create NT-Password.
Wed Jan 19 23:56:26 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
mcapelle with NT-Password
Wed Jan 19 23:56:26 2005 : Debug: radius_xlat: Running registered xlat
function of module mschap for string 'Challenge'
Wed Jan 19 23:56:26 2005 : Debug:  mschap2: 46
Wed Jan 19 23:56:26 2005 : Debug: radius_xlat: Running registered xlat
function of module mschap for string 'NT-Response'
Wed Jan 19 23:56:26 2005 : Debug: radius_xlat:  '/usr/bin/ntlm_auth
--request-nt-key --username=AMS\\mcapelle --challenge=49ef2649993x
--nt-response=acb812c77520cad273a2dbf044b669d9d3e0ed08'
Wed Jan 19 23:56:26 2005 : Debug: Exec-Program: /usr/bin/ntlm_auth
--request-nt-key --username=AMS\\mcapelle --challenge=49ef2649993x
--nt-response=acb812c77520cad273a2dbf044b669d9d3e0ed08
Wed Jan 19 23:56:27 2005 : Debug: Exec-Program output: Logon failure
(0xc06d)
Wed Jan 19 23:56:27 2005 : Debug: Exec-Program-Wait: plaintext: Logon
failure (0xc06d)
Wed Jan 19 23:56:27 2005 : Debug: Exec-Program: returned: 1
Wed Jan 19 23:56:27 2005 : Debug:   rlm_mschap: External script failed.
Wed Jan 19 23:56:27 2005 : Debug:   rlm_mschap: FAILED: MS-CHAP2-Response
is incorrect

But if I replace the %{Stripped-User-Name:-%{User-Name:-None}} with
"mcapelle" the auth works.  Try as I might, I cannot figure out what I need
to put after --username to end up with this format username for the
ntlm_auth request.  Can anyone help?

Thanks,
Mark Capelle


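Added example, not code from the thread and not FreeRADIUS code: a small Python model of the two expansions this thread turns on, the "%{Stripped-User-Name:-%{User-Name:-None}}" fallback chain from the original post and the "%{mschap:User-Name}" xlat Mike suggests in the reply above, plus the ntdomain realm step that is supposed to populate Stripped-User-Name in the first place. Two behaviours are modelled as assumptions and should be checked against the FreeRADIUS version in use: the realm module only sets Stripped-User-Name when the "DOMAIN\" prefix matches a realm it knows about (an unknown prefix leaves the request untouched, which looks exactly like "not populating the Stripped-User-Name value"), and the mschap xlat drops the prefix regardless of realm configuration, as Mike describes. The function names (resolve_username, ntdomain_realm and so on) are mine; the sample request is constructed from the User-Name and challenge values visible in the debug output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added illustration; not FreeRADIUS code. A request is modelled as a flat
# attribute dictionary (constructed sample data).
Request = Dict[str, str]

NT_DOMAIN_RE = re.compile(r"^([^\\]+)\\(.+)$")  # DOMAIN\user


def strip_nt_domain(user_name: str) -> Tuple[Optional[str], str]:
    """Split 'AMS\\mcapelle' into ('AMS', 'mcapelle').

    A name without a backslash comes back unchanged with domain None."""
    m = NT_DOMAIN_RE.match(user_name)
    if m is None:
        return None, user_name
    return m.group(1), m.group(2)


def xlat_fallback(request: Request, names: List[str], default: str) -> str:
    """Emulates the nested %{A:-%{B:-default}} xlat: the first attribute that
    is present and non-empty wins, otherwise the literal default."""
    for name in names:
        value = request.get(name)
        if value:
            return value
    return default


def ntdomain_realm(request: Request, known_realms: List[str]) -> Request:
    """Emulates the 'ntdomain' realm module (format = prefix, delimiter "\\").

    Assumption: Stripped-User-Name and Realm are set only when the prefix is
    a configured realm; an unknown prefix leaves the request untouched."""
    domain, user = strip_nt_domain(request["User-Name"])
    out = dict(request)
    if domain is None or domain not in known_realms:
        return out
    out["Stripped-User-Name"] = user
    out["Realm"] = domain
    return out


def mschap_user_name_xlat(request: Request) -> str:
    """Emulates %{mschap:User-Name} as described in the thread: the domain
    prefix is dropped from User-Name regardless of realm configuration."""
    return strip_nt_domain(request["User-Name"])[1]


def ntlm_auth_argv(username: str, challenge_hex: str,
                   nt_response_hex: str) -> List[str]:
    """Builds the ntlm_auth command line from the page's mschap section as
    an argv list, so the username is one argument and never re-parsed."""
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        f"--username={username}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
    ]


def resolve_username(request: Request, known_realms: List[str],
                     use_mschap_xlat: bool) -> str:
    """Run the realm step, then expand --username one of the two ways."""
    req = ntdomain_realm(request, known_realms)
    if use_mschap_xlat:
        return mschap_user_name_xlat(req)
    return xlat_fallback(req, ["Stripped-User-Name", "User-Name"], "None")


if __name__ == "__main__":
    sample = {"User-Name": "AMS\\mcapelle"}  # constructed from the debug log
    # 1. No realm entry for AMS: the fallback hands ntlm_auth the full name.
    print(resolve_username(sample, [], False))        # AMS\mcapelle
    # 2. AMS listed as a realm: Stripped-User-Name gets populated.
    print(resolve_username(sample, ["AMS"], False))   # mcapelle
    # 3. %{mschap:User-Name}: stripped whatever the realm configuration.
    print(resolve_username(sample, [], True))         # mcapelle
    # 4. Only Stripped-User-Name with a literal default, as in Ron's reply.
    print(xlat_fallback(sample, ["Stripped-User-Name"], "None"))  # None
    print(" ".join(ntlm_auth_argv(resolve_username(sample, ["AMS"], False),
                                  "d38939043209bf91",
                                  "ab7c6740f1d7494de6a26d6e42fcff2aa0fa39e24be7dfc6")))
```

Case 1 reproduces the "--username=AMS\\mcapelle" seen in the first debug log and case 4 the "--username=None" seen in the later one; both are the fallback doing exactly what it is told when nothing has set Stripped-User-Name. Note that with_ntdomain_hack in the mschap section is a different knob: it controls whether the domain prefix is dropped when computing the MS-CHAPv2 challenge hash, not what the --username option expands to.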


Is this possible?

2005-01-11 Thread markcapelle
I have a project to enable 802.1x on our HP ProCurve switches.  The backend
DB will be Active Directory (read disease).  The clients will be Windows
XP.

My project requires:

EAP - This comes from the ProCurve as I can use CHAP or EAP, and CHAP will
not work.
Windows XP workstations - we don't want to have to install certs on each
machine.
Active Directory integration.

I am sure this can be done if I use certificates on the client, but we want
to avoid this.  Is this possible?  If so, can anyone share a working
config?

Thanks,
Mark Capelle




Re: Confirmation of LDAP/CHAP and AD

2005-01-05 Thread markcapelle
Okay. Thanks.

Now my next question is would storing the CHAP passwords in AD using
reversible encryption help (I would guess not, since your other posts seem
to indicate the problem being that AD will not even give the RADIUS server
the password to manipulate).  Also, would using NTLM_AUTH be a possible
solution?  If not, then proxy RADIUS to an IAS server seems to be the only
possible solution.

Thanks,
Mark Capelle

>[EMAIL PROTECTED] wrote:
>> I have FreeRADIUS doing password auth against AD via LDAP.  I have a switch
>> that allows port based security, but uses CHAP passwords.  From my
>> understanding, you can do this if the LDAP database has the passwords
>> stored as clear-text passwords.  You cannot do this with Active Directory
>> since it does not store the passwords in clear-text.
>
>  Exactly.
>
>  Alan DeKok.




Confirmation of LDAP/CHAP and AD

2005-01-04 Thread markcapelle
I have been running FreeRADIUS for over 3 years now and I can say that it
is hands down one of the best pieces of software out there.  I have spent
the last few hours going through the archives, FAQ, etc. and think I know
the answer to this, but would appreciate it if someone can confirm this.

I have FreeRADIUS doing password auth against AD via LDAP.  I have a switch
that allows port based security, but uses CHAP passwords.  From my
understanding, you can do this if the LDAP database has the passwords
stored as clear-text passwords.  You cannot do this with Active Directory
since it does not store the passwords in clear-text.

Am I correct?  Can someone with much more CHAP/LDAP/FreeRADIUS knowledge
than myself confirm this?

Thanks,
Mark Capelle




RE: FreeRADIUS + MAC Auth + AD Auth

2004-10-14 Thread markcapelle

Yes this is possible as I have been running this way for over a year now.

Mark Capelle



Message: 1
Date: Thu, 14 Oct 2004 10:36:50 -0400
From: Thomas Lasswell <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FreeRADIUS + MAC Auth + AD Auth
Reply-To: [EMAIL PROTECTED]

Hey there,

I'm looking to deploy a freeRADIUS server, although I've found
documents saying that MAC Authentication and Active Directory
authentication is possible. I just want to make sure this is actually
true.

802.1X Port-Based Authentication
http://www.gnist.org/~lars/courses/04thales/8021X-HOWTO.html

Setting Up MAC Authentication
http://www.wi-fitechnology.com/Wi-Fi_Reports_and_Papers/Freeradius_Deployment_of_MAC_Address.html


LDAP (Incorporates radius server with AD Authentication)
http://www.siliconvalleyccie.com/linux-adv/ldap.htm

If someone could let me know if these would all work together, I'd be
very grateful.

--
Thomas Lasswell
[EMAIL PROTECTED]


CONFIDENTIALITY NOTICE:  This e-mail may contain trade secrets or
privileged, undisclosed or otherwise confidential information. If you have
received this e-mail in error, you are hereby notified that any review,
copying or distribution of this message in whole or in part is strictly
prohibited. Please inform the sender immediately and destroy the original
transmittal. Thank you for your cooperation.




Re: LDAP Authentication (MS Windows AD)

2004-06-01 Thread markcapelle

Bill,

 Is your actual username "User\\, Asteroid"?  That does not look
correct to me.  I would assume that you are looking for
"CN=User\\,OU=Asteroid"...  If the comma is indeed a part of the username,
you may want to try to remove it as commas have a special meaning in LDAP.
Also, make sure that your freeradius machine can resolve
"win-dc.win-dom.ctc.edu".  Other than that, your LDAP config looks fine.

-Mark

On Mon, 31 May 2004, Bill Shaver wrote:

Dusty,
Thanks. I spent some time working at it from the LDAP angle and it
still fails with the ldapsearch. I will do some more reading/research
to get that working first, then if I have problems getting it work
with FreeRADIUS, I will get back with you all. (If you have some good
recommendations on howto's or other references getting OpenLDAP and MS
AD to talk, I would appreciate the suggestions.)

Thanks for the pointers.
 --Bill

From Dustin Doris on Sat, 29 May 2004 10:40:55 -0400 (EDT)

Hmmm...  Perhaps you should double-check just to make sure.  Do you have
access to a machine with openldap on it?  You could use the ldapsearch
command to attempt a bind to AD.

It would look something like this:

$ ldapsearch -h win-dc.win-dom.ctc.edu -D "CN=User\\, Asteroid,OU=System
Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" -w
whateveryourpasswordis -b "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
"(SamAccountName=jdummy)"

-Dusty

On Fri, 28 May 2004, Bill Shaver wrote:

> Thanks for the reply. Yes, it is a goofy name, but I am told it does
> have read access on AD (it is in the 'domain user' group).
>
> From: Dustin Doris <[EMAIL PROTECTED]> on Fri, 28 May 2004 13:16:20 -0400
> >
> > Is "CN=User\\, Asteroid,OU=System Accounts..." a valid user with read
> > access to AD?
> >
> > > It seems that this should not be so hard; I am sure I am making a stupid
> > > mistake somewhere, but I just don't see it.
> > >
> > > I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
> > > of several Windows 2003 AD for authentication. I am, however, unable to
> > > get the first one to work. I have attached what I think are the relevant
> > > log and configuration sections. The Windows admin is not seeing any
> > > errors in her logs. On the radius side, it seems that radiusd is not able to
> > > negotiate a connection that the ldap server will accept.
> > >
> > > Any recommendations would be appreciated.
> > >  --Bill
> > >
> > >
> > > --- ldap config from radiusd.conf
> > >
> > > ldap {
> > >  server = "win-dc.win-dom.ctc.edu"
> > >  port = 636
> > >  identity = "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> >
> > ** Is "CN=User\\, Asteroid,OU=System Accounts... a valid user with read
> > access to AD?
> >
> > >  password = ""
> > >  start_tls = yes
> > >  basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> > >  filter = "(SamAccountName=%u)"
> > >  dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >  ldap_connections_number = 5
> > >  timeout = 4
> > >  timelimit = 3
> > >  net_timeout = 1
> > >  ldap_debug = 0x0028
> > > }
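Added example, not from the thread and not FreeRADIUS or OpenLDAP code: the two escaping rules that apply to the ldap {} block quoted above. Inside a DN, RFC 4514 requires the comma in "User, Asteroid" to be written as "\," (the doubled backslash in the ldapsearch and radiusd.conf lines is the config-file and shell string escape, which takes one backslash off before the DN reaches the server); dropping the comma from the account name, as Mark suggests, is simply the easier route. Inside a search filter, RFC 4515 applies to whatever is substituted for %u in "(SamAccountName=%u)", a value that comes from the User-Name in the RADIUS request, so the layer doing that substitution has to escape it as shown. The function names are mine; the DN components are taken from the quoted config. One side observation on that config: port 636 is the LDAPS port, where TLS is set up before the first LDAP message, while start_tls = yes negotiates TLS on an initially plain connection (normally port 389); combining the two is one thing to rule out when the bind cannot be negotiated.

```python
# Added illustration of DN (RFC 4514) and filter (RFC 4515) escaping.
# Not FreeRADIUS or OpenLDAP code; DN components come from the quoted ldap {} block.
from typing import List, Tuple

# Characters that must be backslash-escaped anywhere inside a DN value.
DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4).

    Also covers the positional rules: a leading '#' and a leading or
    trailing space are escaped; NUL is written as \\00."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, raw value) pairs into a DN string, escaping each value."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


# RFC 4515: inside a filter these are written as a backslash plus two hex digits.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value before placing it in a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def sam_account_filter(user_name: str) -> str:
    """The quoted filter "(SamAccountName=%u)" with %u escaped, as it must be
    when the value is the User-Name from the RADIUS request."""
    return f"(SamAccountName={escape_filter_value(user_name)})"


if __name__ == "__main__":
    bind_dn = build_dn([
        ("CN", "User, Asteroid"),  # the comma is data, so it becomes \,
        ("OU", "System Accounts"), ("OU", "CIS"), ("OU", "Accounts"),
        ("DC", "WIN-DOM"), ("DC", "ctc"), ("DC", "edu"),
    ])
    print(bind_dn)
    print(sam_account_filter("jdummy"))
    # A User-Name that would rewrite the filter if it were pasted in raw:
    print(sam_account_filter("*)(objectClass=*"))
```

Running the block prints the bind DN with a single backslash before the comma, which is the form the server expects on the wire, followed by the plain and the escaped filters.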


Active Directory/radiusServiceType

2004-05-25 Thread markcapelle

I currently have FreeRADIUS setup to authenticate users against Active
Directory and the local users file.  Now I want to use it as the RADIUS
server for my Extreme network switches.  My hope is to be able to use the
Active Directory accounts to authenticate the users to the switch via
FreeRADIUS.

After doing some research I see that I need to return the radiusServiceType
attribute to the Extreme switch.  My understanding is that this will have
to reside in the LDAP schema/database, correct?  If this is correct, to
extend the AD schema, I need an OID for the radiusServiceType attribute
that needs to be unique.  I have been unable to find what the X.500 OID for
this attribute is.  Anyone know this?

Is there another way to do this that I am missing?  I know I can use the
users file, but that is not ideal as it is another place that passwords
have to be managed and I cannot enforce password policies easily this way.

Any guidance would be greatly appreciated.

Thanks,
Mark Capelle


Multiple Freeradius Servers On The Same Host

2004-01-30 Thread markcapelle

Frank Everitt <[EMAIL PROTECTED]> wrote:
>All...
>This may be a bizarre idea but if it will work I can save the purchase
>of some additional equipment. I'd like to know if it's possible to run
>two different radiusd process on the same server. Each would be set up
>to listen at different port pairs and would do authentication from two
>different password sources, local and ldap. Yes/No... what do you
>think?

This works fine, I have had this exact setup in production for about a
year.

Mark Capelle