Re: new to freeradius, securing LAN
ldap.lippogeneral.com wrote:
> But how, if they can manually configure an interface on their PC and completely bypass our DHCP server..

This is typically why you'd like to set up authentication, so that physical access to your switch port is not sufficient to get access to your network.

Please check if your network devices can do 802.1X, then try the authentication you'd like.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: new to freeradius, securing LAN
ldap.lippogeneral.com wrote:
> Hello All,
> I am very new to FreeRADIUS. Some of our users already know our LAN IPs, so they can manually configure an interface on their PC and completely bypass our DHCP server.. Can I solve this by using FreeRADIUS?
> I thought this can be done by checking the MAC address, so although they use a valid IP address, if their MAC address is not recognized by our server then they must be denied and cannot go anywhere or do anything in our LAN..
> I need advice..

Hi,

The problem is not really linked with RADIUS; let's try to propose some directions anyway.

Most recent switches propose to do VLAN assignment based on port or MAC address. Check if your switches can do this.

RADIUS can be used to authenticate a device (in your case, a PC) with information like a MAC address or a certificate. So you can also do some MAC-based authentication, but keep in mind that changing a MAC address is as easy as setting a static LAN IP on a PC, so it's definitely not enough if you wish to avoid what you described above.

Hope this'll help.

> many thanks in advance
Re: newbie - authentication error
[EMAIL PROTECTED] wrote:
> Hi,
> cp /etc/freeradius/sites-available/default /etc/freeradius/sites-enabled/default
> that default file contains the brains of the server!

That's it. Next step is to report the bug to the Debian package maintainer...

Thanks everyone for patience and help.
Re: newbie - authentication error
[EMAIL PROTECTED] wrote:
>> Hi,
>> here it is : freeradius -X
>
> okay. so you didn't edit the config - the package maintainers have edited it in weird ways and broken it. can you please post your radiusd.conf and sites-enabled/default

There is no sites-enabled/default file. The default is only in the sites-available directory.

Please find below the radiusd.conf. I removed the comments, but I can also send the complete file if needed.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/freeradius.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
	type = auth
	ipaddr = *
	port = 0
}
listen {
	ipaddr = *
	port = 0
	type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp = no
$INCLUDE snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	pap {
		auto_header = no
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		radwtmp = ${logdir}/radwtmp
	}
	$INCLUDE eap.conf
	mschap {
	}
	ldap {
		server = "ldap.your.domain"
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 1
		tls {
			start_tls = no
		}
		dictionary_mapping = ${confdir}/ldap.attrmap
		edir_account_policy_check = no
	}
	realm IPASS {
		format = prefix
		delimiter = "/"
	}
	realm suffix {
		format = suffix
		delimiter = "@"
	}
	realm realmpercent {
		format = suffix
		delimiter = "%"
	}
	realm ntdomain {
		format = prefix
		delimiter = "\\"
	}
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
		header = "%t"
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter attr_filter.post-proxy {
		attrsfile = ${confdir}/attrs
	}
	attr_filter attr_filter.pre-proxy {
		attrsfile = ${confdir}/attrs.pre-proxy
	}
	attr_filter attr_filter.access_reject {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.access_reject
	}
	attr_filter attr_filter.accounting_response {
		key = %{User-Name}
		attrsfile = ${confdir}/attrs.accounting_response
	}
	counter daily {
		filename = ${db_dir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always noop {
		rcode = noop
	}
	always handled {
		rcode = handled
	}
	always updated {
		rcode = updated
	}
	always notfound {
		rcode = notfound
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	digest {
	}
	expiration {
		reply-message = "Password Has Expired\r\n"
	}
	logintime {
		reply-message = "You are calling outside your allowed timespan\
Re: newbie - authentication error
Ivan Kalik wrote:
> Where is the output from the debug (radiusd -X)?

here it is :

freeradius -X
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 2008 at 18:46:28
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/freeradius/freeradius.pid"
	user = "freerad"
	group = "freerad"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
radiusd: Loading Realms and Home Servers
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_check = "none"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = yes
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan "
	minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server {
 modules {
 }
}
radiusd: Opening IP addresses and Ports
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
main {
	snmp = no
	smux_password = ""
	snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32780, id=45, length=55
	User-Name = "bob"
	User-Password = "hello"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [bob/hello] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 45 to 127.0.0.1 port 32780
Waking up in 4.9 seconds.
Cleaning up request 0 ID 45 with timestamp +8
Ready to process requests.

thanks for your time and patience.

> Ivan Kalik
> Kalik Informatika ISP
Re: newbie - authentication error
Ivan Kalik wrote:
> Default configuration works - there is no need to change it. You have instructions in FAQ or users file about making simplest user entries. You don't need to set Auth-Type - server does this on its own.

I just removed the Debian packages, removed /var/log/radius and /etc/freeradius, did an apt-get install again, then followed the first step described in http://deployingradius.com/documents/configuration/pap.html, i.e. placed the following text <http://deployingradius.com/scripts/raddb/users/pap.txt> at the *top* of the users file:

bob	Cleartext-Password := "hello"

then started freeradius with the -X option: freeradius -X.

radtest bob hello localhost 0 testing123
Sending Access-Request of id 189 to 127.0.0.1 port 1812
	User-Name = "bob"
	User-Password = "hello"
	NAS-IP-Address = x.x.x.x
	NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=189, length=20

It looks like I chose the wrong FAQ. The line added to /etc/freeradius/users was the only modification I did to the users file.

Anyway, I'll test on another host, to see if it works better.

> Ivan Kalik
> Kalik Informatika ISP
>
> On 28/5/2008, "pkc_mls" <[EMAIL PROTECTED]> writes:
>
>> [EMAIL PROTECTED] wrote:
>>> Hi,
>>>> Hi all,
>>>> I'd like to test my radius conf with a basic setting.
>>> really? looks from the log you posted that you've massively edited the provided config files. why? you've just broken the server.
>>
>> ok, that means I have to remove the package and reinstall it.
>> should I then test with a user already created on the system, or shall I create a new one in the users file?
>> the auth-type cannot be explicitly added to the arguments of radtest, that's why I tried to set up the users file in many different ways.
>>
>>> alan
Re: newbie - authentication error
[EMAIL PROTECTED] wrote:
> Hi,
>> Hi all,
>> I'd like to test my radius conf with a basic setting.
> really? looks from the log you posted that you've massively edited the provided config files. why? you've just broken the server.

ok, that means I have to remove the package and reinstall it.

should I then test with a user already created on the system, or shall I create a new one in the users file?

the auth-type cannot be explicitly added to the arguments of radtest, that's why I tried to set up the users file in many different ways.

> alan
Re: newbie - authentication error
Ivan Kalik wrote:
> Post the output from radiusd -X.

here it is :

FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 2008 at 18:46:28
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = "/var/run/freeradius/freeradius.pid"
	user = "freerad"
	group = "freerad"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "testing123"
	nastype = "other"
 }
radiusd: Loading Realms and Home Servers
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = "auth"
	secret = "testing123"
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = "status-server"
	ping_check = "none"
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = yes
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = "Password Has Expired "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan "
	minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server {
 modules {
 }
}
radiusd: Opening IP addresses and Ports
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
main {
	snmp = no
	smux_password = ""
	snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57784, id=236, length=59
	User-Name = "testuser"
	User-Password = "testpasswd"
	NAS-IP-Address = x.x.x.x
	NAS-Port = 1812
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [testuser/testpasswd] (from client localhost port 1812)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 236 to 127.0.0.1 port 57784
Waking up in 4.9 seconds.

> Ivan Kalik
> Kalik informatika ISP
>
> On 28/5/2008, "pkc_mls" <[EMAIL PROTECTED]> writes:
>
>> Hi all,
>> I'd like to test my radius conf with a basic setting.
>> I'm running freeradius-2.0.4-2 on linux debian.
>>
>> my client.conf contains the following :
>> client localhost {
>>	ipaddr = 127.0.0.1
>>	secret = testing123
>>	nastype=other
>> }
>>
>> I still don't know which kind of parameter I have to set in my /etc/freeradius/users file to allow my radtest to work.
>> all my tests with cleartext-password, user-password, auth-type, and :=, =, == lead to the same error message :
>> rad_recv: Access-Request packet from host 127.0.0.1 port 57756, id=178, length=59
>>	User-Name = "testuser"
>>	User-Password = "testpasswd"
>>	NAS-IP-Address = x.x.x.x
>>	NAS-Port = 1812
>> Wed May 28 11:41:06 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>>
>> next step, how to set up the users file so
newbie - authentication error
Hi all,

I'd like to test my radius conf with a basic setting. I'm running freeradius-2.0.4-2 on linux debian.

my client.conf contains the following :
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
	nastype=other
}

I still don't know which kind of parameter I have to set in my /etc/freeradius/users file to allow my radtest to work.

all my tests with cleartext-password, user-password, auth-type, and :=, =, == lead to the same error message :
rad_recv: Access-Request packet from host 127.0.0.1 port 57756, id=178, length=59
	User-Name = "testuser"
	User-Password = "testpasswd"
	NAS-IP-Address = x.x.x.x
	NAS-Port = 1812
Wed May 28 11:41:06 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

next step, how to set up the users file so my local unix users can also be authenticated via radius ?

thanks
newbie - authentication error
Hi all,

I'd like to test my radius conf with a basic setting. I'm running freeradius-2.0.4-2 on linux debian.

my client.conf contains the following :
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
	nastype=other
}

my users file contains the following :
testuser