RE: Beginner Question: "Hotspot Login Failed"

2010-09-10 Thread Sean Wingert
Yes, Alan, you were right. The SQL entries were causing the message about 
"Please update your configuration so that the "known good." Since DaloRadius 
created those entries, I will investigate it.

Sean

This message is intended only for the individual or entity to which it is 
addressed and may contain information that is privileged, confidential and 
exempt from disclosure under applicable law.  If you are not the intended 
recipient, or the agent responsible for delivering the message to the intended 
recipient, you are hereby notified that any dissemination, distribution or 
copying of this communication is strictly prohibited, and you are requested to 
return the original message to the sender.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Alan Buxey
Hi,

> Thanks again, Alan. Sorry, not selectively. I do not understand how to 
> proceed. What does "your configuration" refer to specifically? (users, 
> radcheck, *.conf, chillispot?) I grepped all the config files for "known" and 
> none appeared to be insightful (to my newbie understanding of radius).

look at the output:

> !!!
> !!!Replacing User-Password in config items with Cleartext-Password. 
> !!!
> !!!
> !!! Please update your configuration so that the "known good"   
> !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. 
> !!!
> !!!


which bit of that message isn't fairly clear? You are using the wrong type of
comparison operator in one of your configs - I would suggest that it's either
the SQL or the users file.

read my previous email where I highlighted which format in the SQL table was
correct; the same would apply to e.g. the users file

alan


RE: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Sean Wingert
Thanks again, Alan. Sorry, not selectively. I do not understand how to proceed. 
What does "your configuration" refer to specifically? (users, radcheck, *.conf, 
chillispot?) I grepped all the config files for "known" and none appeared to be 
insightful (to my newbie understanding of radius).

Also, that message may be a red herring anyway (thoughts?), since I just 
corrected a mistake in the "UAM Allowed" field in Chillispot by including the 
Nas gateway's IP address (I had previously left it blank in ignorance). That 
adjustment allowed me to uncomment the $uamsecret in hotspotlogin.php and 
authenticate with various accounts/methods, such as the 123 (User-Password), 
entries in the users file, and the "PIN" (Daloradius) password (radcheck for 
"Auth-Type"). For example:


working (acct 123) debug:


rad_recv: Access-Request packet from host 192.168.0.72 port 2128, id=0, 
length=190
User-Name = "123"
User-Password = "123"
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = "C4-17-FE-1C-5C-9D"
Called-Station-Id = "00-24-A5-6F-81-0A"
NAS-Identifier = "1"
Acct-Session-Id = "4c8944db"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x30fbed83c2eb77085b524bd043b27f45
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "123", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 123
rlm_sql (sql): sql_set_user escaped user --> '123'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '123'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = '123'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = '123'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "123"
rlm_pap: Using clear text password "123"
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [123/123] (from client Subnet port 0 cli C4-17-FE-1C-5C-9D)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 123
rlm_sql (sql): sql_set_user escaped user --> '123'
expand: %{User-Password} -> 123
expand: INSERT INTO radpostauth   (username, 
pass, reply, authdate)   VALUES (   
'%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
   (username, pass, reply, authdate)   VALUES ( 
  '123',   '123',   
'Access-Accept', '2010-09-09 11:34:59')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
  (username, pass, reply, authdate)   VALUES (  
 '123',   '123',
   'Access-Accept', '2010-09-09 11:34:59')
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.0.72 port 2128
Finished request 47.
Going to the next request
Waking up in 4.9 sec

Re: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Alan Buxey
Hi,

>   rad_check_password:  Found Auth-Type CHAP
> !!!
> !!!Replacing User-Password in config items with Cleartext-Password. 
> !!!
> !!!
> !!! Please update your configuration so that the "known good"   
> !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. 
> !!!
> !!!

you appear to have selectively ignored the advice given in my previous email.

alan


Re: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread YvesDM
On Thu, Sep 9, 2010 at 8:01 PM, Sean Wingert wrote:
> Thanks to Alan and Stephen, I am closer to a solution. I realized the 
> scrambled password was due to hotspotlogin.php (I need to study Chillispot 
> more), so for now I commented out its uamsecret line, which -- although it 
> still fails on the 123 account -- provides different output in debugging mode:
>

You should not uncomment the uamsecret line, but configure it the same
in your hotspotlogin.php and your NAS (read: chillispot)

Kind regards
Yves



RE: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Sean Wingert
Thanks to Alan and Stephen, I am closer to a solution. I realized the scrambled 
password was due to hotspotlogin.php (I need to study Chillispot more), so for 
now I commented out its uamsecret line, which -- although it still fails on the 
123 account -- provides different output in debugging mode:


rad_recv: Access-Request packet from host 192.168.0.72 port 2116, id=0, 
length=209
User-Name = "123"
CHAP-Challenge = 0x176af9b56c5cd047480bbaa4e88b04fd
CHAP-Password = 0x00a6498cb1313e02eb187f93dc05302b50
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.3
Calling-Station-Id = "C4-17-FE-1C-5C-9D"
Called-Station-Id = "00-24-A5-6F-81-0A"
NAS-Identifier = "1"
Acct-Session-Id = "4c892dd4"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x5a8e0072ed810540ab6baf61b668b2bd
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "123", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 123
rlm_sql (sql): sql_set_user escaped user --> '123'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '123'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = '123'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = '123'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type CHAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the "known good"   !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "123" with CHAP password
  rlm_chap: Using clear text password "123" for user 123 authentication.
  rlm_chap: Password check failed
++[chap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_chap: Wrong user password): [123/] (from 
client Subnet port 0 cli C4-17-FE-1C-5C-9D)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 123
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 10 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 10
Sending Access-Reject of id 0 to 192.168.0.72 port 2116
Waking up in 4.9 seconds.
Cleaning up request 10 ID 0 with timestamp +3707
Ready to process requests.




Re: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Stephan Kirsten

On 09.09.2010 17:59, Sean Wingert wrote:

> WARNING: Unprintable characters in the password. Double-check the shared
> secret on the server and the NAS!

Read this message and check the shared secret

Stephan



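Stephan's point is the heart of the first failure: the User-Password attribute is not sent in the clear but hidden with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865, section 5.2), so a server configured with a different secret recovers random bytes. That is exactly the "Unprintable characters in the password" warning and the garbage password in the debug output. The following is an added example written for this page, not FreeRADIUS code: it implements both the NAS-side hiding and the server-side recovery, with constructed secrets and password; the demo() and is_printable() helpers are names chosen here.

```python
"""Why a wrong shared secret shows up as an unprintable User-Password.

Added example for this thread, not FreeRADIUS code. It implements the
User-Password hiding of RFC 2865 section 5.2 on both sides of the exchange
so the "Unprintable characters in the password" warning can be reproduced
offline. Secret, password and authenticator values are constructed.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block           # chaining: next keystream block depends on this ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse, keyed by whatever secret the server has
    configured for this client. A different secret gives a different MD5
    stream and therefore garbage, which is what the warning reports."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    # Trailing NULs are padding (this example assumes passwords do not end in NUL).
    return out.rstrip(b"\x00")


def is_printable(pw: bytes) -> bool:
    """The check behind the warning: is every byte printable ASCII?"""
    return all(0x20 <= b < 0x7F for b in pw)


def demo(secret_nas=b"testing123", secret_server=b"testing123", password=b"4321"):
    """Send one constructed password through a NAS holding `secret_nas` to a
    server holding `secret_server`; return the password the server sees."""
    authenticator = os.urandom(16)   # fresh per request, chosen by the NAS
    hidden = hide_password(password, secret_nas, authenticator)
    return reveal_password(hidden, secret_server, authenticator)


if __name__ == "__main__":
    ok = demo()
    bad = demo(secret_server=b"wrong-secret")
    print("matching secrets :", ok, "printable" if is_printable(ok) else "UNPRINTABLE")
    print("mismatched secret:", bad, "printable" if is_printable(bad) else "UNPRINTABLE")
```

The secret mismatch is the benign failure mode of this construction. The less benign one is that the hiding is keyed only on a static secret, so anyone on the NAS-to-server path who learns that secret can recover every password in transit, which is why RADIUS traffic belongs on a network segment or tunnel you trust.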

Re: Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Alan Buxey
Hi,

> In my testing lab (yes, I'm new to FreeRadius), usernames entered (e.g. with 
> attribute User-Password in sql radcheck table) via my NAS (dd-wrt with 
> Chillispot) refuse to authenticate (error below), whereas attribute=Auth-Type 
> (what DaloRadius calls a "PIN") works fine. I'm using the packaged MySQL 
> (5.0.51a-24+lenny3) with FreeRadius (2.0.4+dfsg-6) and freeradius-dialupadmin 
> (2.0.4+dfsg-6) on Debian Lenny, along with Daloradius 0.9-8 for GUI frontend.

corrupted password - incorrect RADIUS secret is most likely culprit.

also, out of your whole list, only this one is 'correct' syntax

> +----+----------+--------------------+----+----------------------------------+
> | id | username | attribute          | op | value                            |
> +----+----------+--------------------+----+----------------------------------+
> | 12 | eee      | Cleartext-Password | := | eee                              |
> +----+----------+--------------------+----+----------------------------------+


alan
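Alan's two replies (this one and the later one about the wrong comparison operator) both come down to which radcheck rows are well-formed check items. The following lint is an added example written for this page, not code from FreeRADIUS or daloRADIUS; its sample rows are constructed to mirror the table Sean posted, and the hex-only rule for the hashed-password attributes is an assumption of the example. It accepts the Cleartext-Password row and also the MD5-Password row (whose value is a valid 32-hex-digit digest), and flags the rest for the reasons given in the comments, including the Auth-Type := Accept entry that Sean observed works "regardless of password entered":

```python
"""Lint FreeRADIUS radcheck rows for the misconfigurations discussed above.

Added example for this thread, not code from FreeRADIUS or daloRADIUS.
The sample rows are constructed to mirror the table posted in the thread.
"""
import re

# Hashed-password check items and the hex digest length each one expects.
# Assumption of this example: only hex digests are accepted here; other
# encodings FreeRADIUS may normalise are not modelled.
HASH_ATTRS = {
    "MD5-Password": 32,
    "SHA1-Password": 40,
    "NT-Password": 32,
    "LM-Password": 32,
}

# Check items that hold a known-good password the server compares against.
PASSWORD_ATTRS = {"Cleartext-Password", "Crypt-Password"} | set(HASH_ATTRS)


def lint_row(row):
    """Return a list of findings (strings) for one radcheck row.

    `row` is a dict with the radcheck columns attribute, op and value.
    An empty list means the row is a well-formed check item.
    """
    attr, op, value = row["attribute"], row["op"], row["value"]
    findings = []

    if attr == "User-Password":
        # The "Replacing User-Password in config items" warning in the debug
        # output comes from exactly this row: User-Password is what the NAS
        # sends; the known-good password belongs in Cleartext-Password.
        findings.append("User-Password is a request attribute; "
                        "store the known-good password as Cleartext-Password")
    elif attr == "CHAP-Password":
        # CHAP-Password is a per-request response computed by the client from
        # a challenge, so a stored value can never match. rlm_chap verifies
        # against the clear-text password instead.
        findings.append("CHAP-Password cannot be a check item; "
                        "use Cleartext-Password so rlm_chap can verify")
    elif attr in HASH_ATTRS:
        want = HASH_ATTRS[attr]
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, value):
            findings.append(f"{attr} expects a {want}-hex-digit digest, "
                            f"got {value!r}")
    elif attr == "Auth-Type" and value == "Accept":
        # Accepts every Access-Request for this user, whatever the password.
        findings.append("Auth-Type := Accept disables password checking; "
                        "any password logs this user in")

    if attr in PASSWORD_ATTRS and op != ":=":
        findings.append(f"{attr} should use the ':=' operator, not {op!r}")

    return findings


def lint_table(rows):
    """Map each username with problems to its findings; clean users are omitted."""
    report = {}
    for row in rows:
        findings = lint_row(row)
        if findings:
            report.setdefault(row["username"], []).extend(findings)
    return report


# Constructed to mirror the radcheck table posted in the thread.
SAMPLE_ROWS = [
    {"username": "aaa",  "attribute": "MD5-Password",       "op": ":=", "value": "47bce5c74f589f4867dbd57e9ca9f808"},
    {"username": "123",  "attribute": "User-Password",      "op": ":=", "value": "123"},
    {"username": "4321", "attribute": "Auth-Type",          "op": ":=", "value": "Accept"},
    {"username": "bbb",  "attribute": "SHA1-Password",      "op": ":=", "value": "bbb"},
    {"username": "ccc",  "attribute": "CHAP-Password",      "op": ":=", "value": "ccc"},
    {"username": "eee",  "attribute": "Cleartext-Password", "op": ":=", "value": "eee"},
]

if __name__ == "__main__":
    for user, findings in lint_table(SAMPLE_ROWS).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Run against a real deployment by feeding it the result of `SELECT username, attribute, op, value FROM radcheck`; the rows that come back clean are the ones whose password the server can actually verify for PAP and CHAP alike.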


Beginner Question: "Hotspot Login Failed"

2010-09-09 Thread Sean Wingert
Hi All,

In my testing lab (yes, I'm new to FreeRadius), usernames entered (e.g. with 
attribute User-Password in sql radcheck table) via my NAS (dd-wrt with 
Chillispot) refuse to authenticate (error below), whereas attribute=Auth-Type 
(what DaloRadius calls a "PIN") works fine. I'm using the packaged MySQL 
(5.0.51a-24+lenny3) with FreeRadius (2.0.4+dfsg-6) and freeradius-dialupadmin 
(2.0.4+dfsg-6) on Debian Lenny, along with Daloradius 0.9-8 for GUI frontend.

Below is the Daloradius-populated mysql table (again, only 4321 works fine, 
regardless of password entered):

+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
|  9 | aaa      | MD5-Password       | := | 47bce5c74f589f4867dbd57e9ca9f808 |
|  7 | 123      | User-Password      | := | 123                              |
|  8 | 4321     | Auth-Type          | := | Accept                           |
| 10 | bbb      | SHA1-Password      | := | bbb                              |
| 11 | ccc      | CHAP-Password      | := | ccc                              |
| 12 | eee      | Cleartext-Password | := | eee                              |
+----+----------+--------------------+----+----------------------------------+
6 rows in set (0.00 sec)

==
Debug output of working connection
==
rad_recv: Access-Request packet from host 192.168.0.72 port 2112, id=0, 
length=191
User-Name = "4321"
User-Password = "\223=\0322\343\233\361a\365\323\320\333_\245×¼"
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.3
Calling-Station-Id = "C4-17-FE-1C-5C-9D"
Called-Station-Id = "00-24-A5-6F-81-0A"
NAS-Identifier = "1"
Acct-Session-Id = "4c890e89"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x468b4f124525571d6d37d6d1ec69cbdd
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "4321", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> 4321
rlm_sql (sql): sql_set_user escaped user --> '4321'
rlm_sql (sql): Reserving sql socket id: 3
expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = '4321'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = '4321'   ORDER BY id
expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM radusergroup   WHERE username = '4321'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [4321/\223=\0322\343\233\361a\365\323\320\333_\245×¼] (from client 
Subnet port 0 cli C4-17-FE-1C-5C-9D)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} -> 4321
rlm_sql (sql): sql_set_user escaped user --> '4321'
expand: %{User-Password} -> =93=3D=1A2=E3=9B=F1a=F5=D3=D0=DB_=A5=D7=BC
expand: INSERT INTO radpostauth   (username, 
pass, reply, authdate)   VALUES (   
'%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth
   (username, pass, reply, authdate)   VALUES ( 
  '4321',   
'=93=3D=1A2=E3=9B=F1a=F5=D3=D0=DB_=A5=D7=BC',   
'Access-Accept', '2010-09-09 08:36:57')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth 
  (username, pass, reply, authdate)   VALUES (  
 '4321',   
'=93=3D=1A2=E3=9B=F1a=F5=D3=D0=DB_=A5=D7=BC',

Re: Beginner question

2006-06-22 Thread Benjamin Bennett
Khan wrote:
> My first one is to use several root CAs in an EAP-TLS config.
> There is a line for "root CA List", but how can I set 2 root CAs
> or more? I tried to have the line several times and also
> separate the root CA file names by a comma (,). None of these attempts
> seems to work.
> What am I doing wrong? Is it possible to do it, and if so, how?

Put multiple CA certs in that one file.

--ben




Re: Beginner question

2006-06-22 Thread Alan DeKok
Khan <[EMAIL PROTECTED]> wrote:
> My first one is to use several root CAs in an EAP-TLS config.
> There is a line for "root CA List", but how can I set 2 root CAs
> or more? I tried to have the line several times and also
> separate the root CA file names by a comma (,). None of these attempts
> seems to work.
> What am I doing wrong? Is it possible to do it, and if so, how?

  I don't think it's possible.  But you can have one root CA sign
multiple other CAs.  It's called certificate chains, which the server
*does* support.

> The second one is regarding an EAP-TLS connection. My client gets
> authenticated properly using the certificates (CISCO's AP), but I
> noticed that when authenticated, there is no more "traffic" with the
> radius server.

  That's how RADIUS works.

> Is it possible to force FreeRadius or the CISCO AP to verify the
> authenticated client regularly in a similar way DHCP is done?

  See Session-Timeout.

> I don't want to kill the connection, traffic between AP/client
> should still be running.

  That isn't how AP authentication works.

  Alan DeKok.


Beginner question

2006-06-22 Thread Khan

Hi to all,
I just registered to the ML as I'm looking for a specific item
in freeradius without being able to find any help. Even if google
is supposed to be my friend, it was not in that case ;)

My first one is to use several root CAs in an EAP-TLS config.
There is a line for "root CA List", but how can I set 2 root CAs
or more? I tried to have the line several times and also
separate the root CA file names by a comma (,). None of these attempts
seems to work.
What am I doing wrong? Is it possible to do it, and if so, how?


The second one is regarding an EAP-TLS connection. My client gets
authenticated properly using the certificates (CISCO's AP), but I
noticed that when authenticated, there is no more "traffic" with the
radius server.
Is it possible to force FreeRadius or the CISCO AP to verify the
authenticated client regularly in a similar way DHCP is done?
I don't want to kill the connection, traffic between AP/client
should still be running.

Many thanks for the help you may provide.

Regards
Khan


Re: Beginner question: Trying to secure a wlan

2005-04-11 Thread Vladimir Vuksan
Tim Boneko wrote:
>> That still doesn't tell us whether you configured SoftAP to use the
>> RADIUS server? SoftAP is only the AP piece but not the RADIUS server
>> itself. You have to point to the FreeRADIUS instance you are using.
>
> That seems to be the part I am missing. How do I do that? Is it a
> setting for my dhcpd?

No. It is all in the AP.
SoftAP claims it supports WPA. Read the documentation for it and look 
for where they mention WPA-RADIUS or WPA-Enterprise and see how to 
configure it. If they only talk about WPA-Personal or WPA-PSK that is 
not what you want. WPA config should ask you for

1. RADIUS server IP/hostname, i.e. 127.0.0.1
2. Shared secret, i.e. whatever you set; FreeRADIUS defaults to testing123 
for 127.0.0.1
3. Optionally it may ask for RADIUS server port, i.e. 1812

You should be able to get tech support from PCtel since SoftAP is a paid 
product.

Vladimir



Re: Beginner question: Trying to secure a wlan

2005-04-11 Thread Tim Boneko
Vladimir Vuksan wrote:

> That still doesn't tell us whether you configured SoftAP to use the
> RADIUS server? SoftAP is only the AP piece but not the RADIUS server
> itself. You have to point to the FreeRADIUS instance you are using.

That seems to be the part I am missing. How do I do that? Is it a
setting for my dhcpd?

> Go to www.freeradius.org. Press CTRL-F and type 802.1x and Voila!

You're right. Fortunately my new glasses are about to be delivered
tomorrow...

Thanks a lot,

timbo

PS Want to hear some hot news? I'm a radius NEWBIE!



Re: Beginner question: Trying to secure a wlan

2005-04-10 Thread Vladimir Vuksan
Tim Boneko wrote:
>> A silly question, perhaps, but you *did* configure your wireless AP to
>> actually *use* the RADIUS server, did you not?
>
> OW! Damn, I forgot to mention that the AP _is_ the Radius server...
> sorry, my fault. It's a SoftAP.

That still doesn't tell us whether you configured SoftAP to use the 
RADIUS server? SoftAP is only the AP piece but not the RADIUS server 
itself. You have to point to the FreeRADIUS instance you are using.

> Errr... where is it? I can't find it...
> Thanks so far,

Go to www.freeradius.org. Press CTRL-F and type 802.1x and Voila!
http://tldp.org/HOWTO/html_single/8021X-HOWTO/




Re: Beginner question: Trying to secure a wlan

2005-04-10 Thread Tim Boneko
Jim Seymour wrote:

> A silly question, perhaps, but you *did* configure your wireless AP to
> actually *use* the RADIUS server, did you not?

OW! Damn, I forgot to mention that the AP _is_ the Radius server...
sorry, my fault. It's a SoftAP.

> There's mention of, and a link to, the "802.1X Port-Based Authentication
> HOWTO" right on FreeRADIUS' home page.

Errr... where is it? I can't find it...
Thanks so far,

timbo



Re: Beginner question: Trying to secure a wlan

2005-04-09 Thread Jim Seymour
Tim Boneko <[EMAIL PROTECTED]> wrote:
> Hi,
> I installed freeradius 1.0.2 on Debian 3.1 (sarge) in order to protect
> my wlan (test for a production installation).
> I'm not yet sure how I want to secure the net (encryption or mac auth),

MAC "auth" is worthless, as it is trivial for somebody to spoof a MAC
address.

[snip]
> However, freeradius doesn't keep anybody from connecting. Despite the
> running daemon the network is wide open.
[snip]

A silly question, perhaps, but you *did* configure your wireless AP to
actually *use* the RADIUS server, did you not?

There's mention of, and a link to, the "802.1X Port-Based Authentication
HOWTO" right on FreeRADIUS' home page.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at .



Beginner question: Trying to secure a wlan

2005-04-09 Thread Tim Boneko
Hi,
I installed freeradius 1.0.2 on Debian 3.1 (sarge) in order to protect
my wlan (test for a production installation).
I'm not yet sure how I want to secure the net (encryption or mac auth),
but the configuration seems to run fine so far: radtest on the local
host runs successfully.
However, freeradius doesn't keep anybody from connecting. Despite the
running daemon the network is wide open.
Should I mail parts of my config, and if so, which? The output of
freeradius -X is pasted below. I also ran "radtest tim Password kiste 0
Passw2" for testing.
Thanks for replying,

timbo

kiste:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: bind_address = 192.168.25.1 IP address [192.168.25.1]
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detai

Re: Beginner question

2004-07-17 Thread Alan DeKok
"Russell Webb" <[EMAIL PROTECTED]> wrote:
> I'm struggling to find out if it's possible to instigate a password
> change by the user (not via a challenge request) using the RADIUS
> protocol.
> 
> Is this possible and if it is, is it a standard or non-standard feature?

  It's generally not possible.

  Some NASes may support it.  Check your NAS documentation.

  It's not a feature in FreeRADIUS.

  Alan DeKok.



Beginner question

2004-07-16 Thread Russell Webb
Hello,

I'm struggling to find out if it's possible to instigate a password change by the user 
(not via a challenge request) using the RADIUS protocol.

Is this possible and if it is, is it a standard or non-standard feature?

Thanks in advance,
Russell Webb
