Re: new to freeradius, securing LAN

2009-05-29 Thread pkc_mls

ldap.lippogeneral.com wrote:


But how, if they can manually configure an interface on their PC and 
completely bypass our DHCP server..


This is typically why you'd like to set up authentication, so that 
physical access to a switch port is not sufficient to get access to 
your network.


Please check whether your network devices can do 802.1X, then try the 
authentication you'd like.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: new to freeradius, securing LAN

2009-05-29 Thread pkc_mls

ldap.lippogeneral.com wrote:

Hello All,

I am very new to FreeRADIUS. Some users already know our LAN IPs, so 
they can manually configure an interface on their PC and completely 
bypass our DHCP server. Can I solve this by using FreeRADIUS?
 
I thought this could be done by checking the MAC address: even if they 
use a valid IP address, if their MAC address is not recognized by our 
server then they must be denied, so they cannot go anywhere or do 
anything in our LAN.


I need advice.

Hi,

The problem is not really related to RADIUS, but let's try to propose 
some directions anyway.
Most recent switches can do VLAN assignment based on port or MAC 
address. Check whether your switches can do this.


RADIUS can be used to authenticate a device (in your case, a PC) with 
information like a MAC address or a certificate.


So you can also do some MAC-based authentication, but keep in mind that 
changing a MAC address is as easy as setting a static LAN IP on a PC, so 
it's definitely not enough if you wish to prevent what you described above.


Hope this helps.

many thanks in advance






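Sketching the MAC-based direction the reply above describes, as an added example that is not from the thread: a FreeRADIUS 2.x users file for MAC authentication bypass (MAB), where the switch sends the client MAC in Calling-Station-Id and the server answers with the RFC 3580 VLAN attributes. The MAC addresses, the VLAN numbers and the Calling-Station-Id format (lower-case, hyphen separated) are assumptions; switches send the MAC in several forms, so check the exact string in radiusd -X first (FreeRADIUS 2.x ships a rewrite_calling_station_id policy in policy.conf that normalises it).

```text
# /etc/freeradius/users  (FreeRADIUS 2.x syntax), MAC-based authorisation only.
# Assumed: the switch does MAB and sends the client MAC in Calling-Station-Id as
# "xx-xx-xx-xx-xx-xx". The MACs and VLAN IDs below are made up for the example.
#
# Known device: skip password checking (Auth-Type := Accept) and put it in VLAN 10.
DEFAULT	Calling-Station-Id == "00-11-22-33-44-55", Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"

DEFAULT	Calling-Station-Id == "00-11-22-33-44-66", Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"

# Anything else: reject. A matched entry stops processing unless Fall-Through = Yes,
# so the known devices above never reach this line.
# Only use this catch-all in a virtual server (or users file) dedicated to MAB; in a
# server that also handles 802.1X/EAP it would reject every EAP client as well.
DEFAULT	Auth-Type := Reject
	Reply-Message = "unknown MAC address"
```

As the reply says, this is inventory control rather than authentication: a user who learns an allowed MAC can clone it with one ifconfig/ip link command and inherit its VLAN. Use MAB only for devices that cannot run a supplicant (printers, phones), keep those in their own restricted VLAN, and put everything else on 802.1X, ideally EAP-TLS with per-device certificates, which is the "certificate" option the reply mentions.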


Re: newbie - authentication error

2008-05-28 Thread pkc_mls

[EMAIL PROTECTED] wrote:

Hi,
  
cp /etc/freeradius/sites-available/default /etc/freeradius/sites-enabled/default


that default file contains the brains of the server!
  

That's it.
Next step is to report the bug to the Debian package maintainer...
Thanks everyone for your patience and help.

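Putting the resolution of this thread together as an added example (not from the posts): the minimal sites-enabled/default that FreeRADIUS 2.0 needs for a PAP test against the users file, plus the users entry from the deployingradius.com how-to quoted later in the thread. Without a site file the server has no authorize section at all, which is what the empty "server { modules { } }" in the debug output and the "No authenticate method (Auth-Type) configuration found" rejection mean: nothing ever set Auth-Type. The section names and module calls are FreeRADIUS's own; trimming the shipped file down to three modules is mine, and the accounting sections are left out.

```text
# /etc/freeradius/sites-enabled/default  (FreeRADIUS 2.0.x: bare sections, no
# "server { }" wrapper; this is the unnamed default virtual server that
# radiusd.conf pulls in with $INCLUDE sites-enabled/).
authorize {
	preprocess
	files        # reads ${confdir}/users; "bob Cleartext-Password := ..." becomes a control item
	pap          # with a User-Password and a known-good password present, sets Auth-Type := PAP
}

authenticate {
	Auth-Type PAP {
		pap      # compares the request's User-Password with Cleartext-Password
	}
}

# /etc/freeradius/users, at the top (the entry from the deployingradius.com how-to):
bob	Cleartext-Password := "hello"

# Test from the same host with the shipped localhost client secret:
#   freeradius -X
#   radtest bob hello localhost 0 testing123
```

Upstream ships sites-enabled/default as a symlink to ../sites-available/default; the copy in the fix above works the same. After this, radtest should get an Access-Accept instead of the Access-Reject seen in the thread, and radiusd -X lists the modules under the virtual server rather than an empty modules { }. Before the server hears anything other than localhost, change the shipped secret "testing123" (it is visible in the debug output above) and give every real NAS its own client entry and secret in clients.conf.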


Re: newbie - authentication error

2008-05-28 Thread pkc_mls

[EMAIL PROTECTED] wrote:

Hi,
  

here it is :
freeradius -X



okay. so you didn't edit the config - the package maintainers
have edited it in weird ways and broken it.

can you please post your radiusd.conf and sites-enabled/default
  
There is no sites-enabled/default file. The default is only in the 
sites-available directory.


Please find the radiusd.conf below.
I removed the comments, but I can also send the complete file if needed.

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

db_dir = $(raddbdir)

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/freeradius.pid

user = freerad
group = freerad

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
   type = auth
   ipaddr = *
   port = 0
}

listen {
   ipaddr = *
   port = 0
   type = acct
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions= yes
extended_expressions= yes

log {
   destination = files
   file = ${logdir}/radius.log
   syslog_facility = daemon
   stripped_names = no
   auth = no
   auth_badpass = no
   auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
   max_attributes = 200
   reject_delay = 1
   status_server = yes
}

proxy_requests  = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

snmp= no
$INCLUDE snmp.conf

thread pool {
   start_servers = 5
   max_servers = 32
   min_spare_servers = 3
   max_spare_servers = 10
   max_requests_per_server = 0
}

modules {
   pap {
   auto_header = no
   }

   chap {
   authtype = CHAP
   }

   pam {
   pam_auth = radiusd
   }

   unix {
   radwtmp = ${logdir}/radwtmp
   }

$INCLUDE eap.conf

   mschap {
   }

   ldap {
   server = "ldap.your.domain"
   basedn = "o=My Org,c=UA"
   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
   start_tls = no
   }
   dictionary_mapping = ${confdir}/ldap.attrmap
   edir_account_policy_check = no
   }
   realm IPASS {
   format = prefix
   delimiter = "/"
   }

   realm suffix {
   format = suffix
   delimiter = "@"
   }

   realm realmpercent {
   format = suffix
   delimiter = "%"
   }

   realm ntdomain {
   format = prefix
   delimiter = "\\"
   }   


   checkval {
   item-name = Calling-Station-Id
   check-name = Calling-Station-Id
   data-type = string
   }

   preprocess {
   huntgroups = ${confdir}/huntgroups
   hints = ${confdir}/hints

   with_ascend_hack = no
   ascend_channels_per_line = 23

   with_ntdomain_hack = no

   with_specialix_jetstream_hack = no

   with_cisco_vsa_hack = no
   }

   files {
   usersfile = ${confdir}/users
   acctusersfile = ${confdir}/acct_users
   preproxy_usersfile = ${confdir}/preproxy_users
   compat = no
   }

   detail {
   detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
   detailperm = 0600
   header = "%t"
   }

   acct_unique {
   key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"

   }

   radutmp {
   filename = ${logdir}/radutmp
   username = %{User-Name}
   case_sensitive = yes
   check_with_nas = yes   
   perm = 0600

   callerid = "yes"
   }

   radutmp sradutmp {
   filename = ${logdir}/sradutmp
   perm = 0644
   callerid = "no"
   }

   attr_filter attr_filter.post-proxy {
   attrsfile = ${confdir}/attrs
   }

   attr_filter attr_filter.pre-proxy {
   attrsfile = ${confdir}/attrs.pre-proxy
   }

   attr_filter attr_filter.access_reject {
   key = %{User-Name}
   attrsfile = ${confdir}/attrs.access_reject
   }

   attr_filter attr_filter.accounting_response {
   key = %{User-Name}
   attrsfile = ${confdir}/attrs.accounting_response
   }

   counter daily {
   filename = ${db_dir}/db.daily
   key = User-Name
   count-attribute = Acct-Session-Time
   reset = daily
   counter-name = Daily-Session-Time
   check-name = Max-Daily-Session
   reply-name = Session-Timeout
   allowed-servicetype = Framed-User
   cache-size = 5000
   }

   always fail {
   rcode = fail
   }
   always reject {
   rcode = reject
   }
   always noop {
   rcode = noop
   }
   always handled {
   rcode = handled
   }
   always updated {
   rcode = updated
   }
   always notfound {
   rcode = notfound
   }
   always ok {
   rcode = ok
   simulcount = 0
   mpp = no
   }

   expr {
   }

   digest {
   }

   expiration {
   reply-message = "Password Has Expired\r\n"
   }

   logintime {
   reply-message = "You are calling outside your allowed timespan\

Re: newbie - authentication error

2008-05-28 Thread pkc_mls

Ivan Kalik wrote:

Where is the output from the debug (radiusd -X)?

  

Here it is:
freeradius -X
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 2008 at 18:46:28

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd:  Loading Realms and Home Servers 
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
 exec {
wait = yes
input_pairs = "request"
shell_escape = yes
 }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
 expiration {
reply-message = "Password Has Expired  "
 }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
 logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
 }
}
radiusd:  Loading Virtual Servers 
server {
modules {
}
}
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32780, id=45, length=55
   User-Name = "bob"
   User-Password = "hello"
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [bob/hello] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 45 to 127.0.0.1 port 32780
Waking up in 4.9 seconds.
Cleaning up request 0 ID 45 with timestamp +8
Ready to process requests.

thanks for your time and patience.

Ivan Kalik
Kalik Informatika ISP

  




Re: newbie - authentication error

2008-05-28 Thread pkc_mls

Ivan Kalik wrote:

Default configuration works - there is no need to change it. You have
instructions in the FAQ or users file about making the simplest user entries.
You don't need to set Auth-Type - the server does this on its own.

  
I just removed the Debian packages, removed /var/log/radius and 
/etc/freeradius,
did an apt-get install again, then followed the first step described in 
http://deployingradius.com/documents/configuration/pap.html, i.e. 
placed the following text 
<http://deployingradius.com/scripts/raddb/users/pap.txt> at the *top* of 
the users file:

bob Cleartext-Password := "hello"

then started freeradius with the -X option: freeradius -X.

radtest bob hello localhost 0 testing123
Sending Access-Request of id 189 to 127.0.0.1 port 1812
   User-Name = "bob"
   User-Password = "hello"
   NAS-IP-Address = x.x.x.x
   NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=189, length=20


It looks like I chose the wrong FAQ.

The line added to /etc/freeradius/users was the only modification I 
made to the users file.

Anyway, I'll test on another host to see if it works better.

Ivan Kalik
Kalik Informatika ISP




Re: newbie - authentication error

2008-05-28 Thread pkc_mls

[EMAIL PROTECTED] wrote:

Hi,
  

Hi all,

I'd like to test my radius conf with a basic setting.



really? looks from the log you posted that you've massively edited
the provided config files. why?  you've just broken the server.
  

ok, that means I have to remove the package and reinstall it.
should I then test with a user already created on the system, or shall I 
create a new one in the users file?

the auth-type cannot be explicitly added to the arguments of radtest, 
that's why I tried to set up the users file in many different ways.

alan
-
  





Re: newbie - authentication error

2008-05-28 Thread pkc_mls

Ivan Kalik wrote:

Post the output from radiusd -X.

  

Here it is:
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on May 11 2008 at 18:46:28

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}

radiusd:  Loading Realms and Home Servers 
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
 exec {
wait = yes
input_pairs = "request"
shell_escape = yes
 }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
 expiration {
reply-message = "Password Has Expired  "
 }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
 logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
 }
}
radiusd:  Loading Virtual Servers 
server {
modules {
}
}
radiusd:  Opening IP addresses and Ports 
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57784, id=236, length=59
   User-Name = "testuser"
   User-Password = "testpasswd"
   NAS-IP-Address = x.x.x.x
   NAS-Port = 1812
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [testuser/testpasswd] (from client localhost port 1812)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 236 to 127.0.0.1 port 57784
Waking up in 4.9 seconds.


Ivan Kalik
Kalik informatika ISP


newbie - authentication error

2008-05-28 Thread pkc_mls

Hi all,

I'd like to test my radius conf with a basic setting.
I'm running freeradius-2.0.4-2 on Debian Linux.

my client.conf contains the following :
client localhost {
  ipaddr = 127.0.0.1
  secret = testing123
  nastype=other
}

I still don't know which kind of parameter I have to set in my 
/etc/freeradius/users file to allow my radtest to work.

All my tests with Cleartext-Password, User-Password, Auth-Type, and :=, =, 
==, lead to the same error message:
rad_recv: Access-Request packet from host 127.0.0.1 port 57756, id=178, length=59
   User-Name = "testuser"
   User-Password = "testpasswd"
   NAS-IP-Address = x.x.x.x
   NAS-Port = 1812
Wed May 28 11:41:06 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user


Next step: how do I set up the users file so my local Unix users can also 
be authenticated via RADIUS?


thanks




newbie - authentication error

2008-05-28 Thread pkc_mls

Hi all,

I'd like to test my radius conf with a basic setting.
I'm running freeradius-2.0.4-2 on Debian Linux.

my client.conf contains the following :
client localhost {
  ipaddr = 127.0.0.1
  secret = testing123
  nastype=other
}

my users file contains the following :
testuser


