Re: Simple Peap + PAP authentication
On 9 Mar 2013, at 20:11, Matthew Ceroni wrote:
> Trying to setup 802.1x authentication on my home router (running OpenWRT).
>
> http://pastebin.com/fWtNZ8FD
>
> Above is the output of radiusd -X
>
> I am trying to connect via my Android phone. Shouldn't the request coming
> from the device include the ClearText password it is looking for? I am simply
> listing the user in the users file. No LDAP, AD, SQL database.

So you're trying to do 802.1X which uses EAP as the transport protocol for authentication data, but you deleted the call to the EAP module which IIRC is in the default config, and just arbitrarily started listing modules you hoped might work.

That's special, you're a special person.

-Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Simple Peap + PAP authentication
Trying to setup 802.1x authentication on my home router (running OpenWRT).

http://pastebin.com/fWtNZ8FD

Above is the output of radiusd -X

I am trying to connect via my Android phone. Shouldn't the request coming from the device include the ClearText password it is looking for? I am simply listing the user in the users file. No LDAP, AD, SQL database.

Thanks
Re: Chap/Pap Authentication
Forget the user-password. You are not using it, you are trying to kludge it. Just use the variable you have, or the facsimile you are making. This is freeradius, there are at least a dozen ways of doing what you want. Alan has given you a fine method.

alan
Re: Chap/Pap Authentication
Joseph Showalter wrote:
> Can I use a userdefined variable in the select statement that the EXEC perl
> script returns:

Only if it's returned in the Perl script.

> I would like to use the User-Password below:
>
> [evdoesn] expand: %{User-Name} -> 6064191...@evdo.myawi.net
> Exec-Program output: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
> Exec-Program-Wait: value-pairs: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
> Exec-Program: returned: 0
> ++[evdoesn] returns ok

So... you're going to ignore my advice, and still run the script, and still mangle the CHAP / User-Passwords, and still not have a *simple* SQL query as I suggested. I have no idea why I'm wasting my time trying to help you.

Alan DeKok.
Re: Chap/Pap Authentication
On Jan 18, 2013, at 3:34 PM, Alan DeKok wrote:
> authorize {
>   ...
>
>   if (! "%{sql:SELECT ... }") {
>     reject
>   }

Can I use a userdefined variable in the select statement that the EXEC perl script returns:

I would like to use the User-Password below:

[evdoesn] expand: %{User-Name} -> 6064191...@evdo.myawi.net
Exec-Program output: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program-Wait: value-pairs: User-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program: returned: 0
++[evdoesn] returns ok

Here is the relevant entry from the "default" file:

evdoesn (exec script/perl)
if (! "%{sql:SELECT username FROM 'radcheck' WHERE username=%{User-Name} AND value=%{User-Password} }") {
  reject
}
update control {
  Auth-Type := Accept
}

But it can't expand the %User-Password...

rlm_sql_postgresql: query: SELECT username FROM 'radcheck' WHERE username=6064191...@evdo.myawi.net AND value=
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: Error syntax error at or near "'radcheck'"
rlm_sql_postgresql: Postgresql Fatal Error: [42601: SYNTAX ERROR] Occurred!!

It's not expanding the User-Password variable which was setup in EXEC.

>
>   update control {
>     Auth-Type := Accept
>   }
>   ...
> }
>
> It's that easy.

--
respectfully,
Joseph / IT
[M] +1(606)477-7551 / t...@ekn.com
East Kentucky Network, LLC. dba Appalachian Wireless
Re: Chap/Pap Authentication
Joseph Showalter wrote:
> Instead of using Chap which we are getting above, we want to use the
> "3GPP2-Attr-61 = 0x010600010209a029275c41" value which we can convert
> to the device serial number.

OK.

> In our DB we store the device serial number. The devices chap info most of
> the time might be tampered with or wrong.

That's a little surprising, but OK.

> So we wanted our EXEC script to replace the chap user/pass with the new PAP
> user/password.

No. You don't want that. I said you don't want that. Don't do that. It's wrong.

> Should we be setting Cleartext-Password and the User-Password?

No. You should be setting Auth-Type := Accept, just like I said in my last message.

>> If you're going to force authentication success, why not just set
>> "Auth-Type := Accept"? That avoids all of the mangling of passwords
>> (chap and pap)
>
> We still want radius to run through the normal SQL process to verify that the
> above serial number is valid.

So... do an SQL query to see if the serial number is valid. There's no need to run a script. There's no need to play games with CHAP. There's no need to play games with PAP.

Write an SQL statement that returns a string if the serial number is in the database. If the number isn't in the database, it returns nothing. Then, use the SQL statement in the "authorize" section:

authorize {
  ...

  if (! "%{sql:SELECT ... }") {
    reject
  }

  update control {
    Auth-Type := Accept
  }
  ...
}

It's that easy.

Alan DeKok.
Re: Chap/Pap Authentication
Thanks so much for taking a look... See comments below:

On Jan 18, 2013, at 3:04 PM, Alan DeKok wrote:
> Joseph wrote:
>> What we would like to do is this:
>>
>> Take this request:
>>
>> User-Name = "6064191...@evdo.myawi.net"
>> CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
>> NAS-IP-Address = 10.130.2.1
>> CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
>> 3GPP2-Attr-60 = 0x0001
>> 3GPP2-Attr-61 = 0x010600010209a029275c41
>
> That looks like a series of TLVs to me. i.e. not a password. There
> seems to be a 32-bit integer, followed by a 64-bit integer.
>
>> And instead of using chap to authenticate the user, we take the
>> 3GPP2-Attr-61, convert it to the password we want, set it into the
>> cleartext-password, and have the sql module query the DB for that new
>> password.
>
> I'm not sure what that means. "convert it to the password we want"?

Instead of using Chap which we are getting above, we want to use the "3GPP2-Attr-61 = 0x010600010209a029275c41" value which we can convert to the device serial number.

In our DB we store the device serial number. The devices chap info most of the time might be tampered with or wrong.

So we wanted our EXEC script to replace the chap user/pass with the new PAP user/password.

>
>> Here is the perl code that we run prior to the pap module:
>>
>> $retattr .= "Cleartext-Password := $meid";
>> $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
>> $retattr .= ", Auth-Type := PAP ";
>
> Well, that won't work.
>
> The Cleartext-Password is the *known good* password. The PAP module
> needs a User-Password, too. The User-Password is the password as
> entered by the user.

Should we be setting Cleartext-Password and the User-Password?

> If you're going to force authentication success, why not just set
> "Auth-Type := Accept"? That avoids all of the mangling of passwords
> (chap and pap)

We still want radius to run through the normal SQL process to verify that the above serial number is valid.

>
> Alan DeKok.

--
regards,
Joseph
Re: Chap/Pap Authentication
Joseph Showalter wrote:
> What we would like to do is this:
>
> Take this request:
>
> User-Name = "6064191...@evdo.myawi.net"
> CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
> NAS-IP-Address = 10.130.2.1
> CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
> 3GPP2-Attr-60 = 0x0001
> 3GPP2-Attr-61 = 0x010600010209a029275c41

That looks like a series of TLVs to me. i.e. not a password. There seems to be a 32-bit integer, followed by a 64-bit integer.

> And instead of using chap to authenticate the user, we take the
> 3GPP2-Attr-61, convert it to the password we want, set it into the
> cleartext-password, and have the sql module query the DB for that new
> password.

I'm not sure what that means. "convert it to the password we want"?

> Here is the perl code that we run prior to the pap module:
>
> $retattr .= "Cleartext-Password := $meid";
> $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
> $retattr .= ", Auth-Type := PAP ";

Well, that won't work.

The Cleartext-Password is the *known good* password. The PAP module needs a User-Password, too. The User-Password is the password as entered by the user.

If you're going to force authentication success, why not just set "Auth-Type := Accept"? That avoids all of the mangling of passwords (chap and pap)

Alan DeKok.
Chap/Pap Authentication
What we would like to do is this:

Take this request:

User-Name = "6064191...@evdo.myawi.net"
CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
NAS-IP-Address = 10.130.2.1
CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
3GPP2-Attr-60 = 0x0001
3GPP2-Attr-61 = 0x010600010209a029275c41
Message-Authenticator = 0x01f9054690c3a469fa1bf824dfba3bbe
Proxy-State = 0x3136

And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.

Here is the perl code that we run prior to the pap module:

$retattr .= "Cleartext-Password := $meid";
$retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
$retattr .= ", Auth-Type := PAP ";

We return the retattr to freeradius. Here is the output:

Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{NAS-IP-Address} -> 10.130.2.1
[preprocess]expand: %{NAS-IP-Address} -> 10.130.2.1
++[preprocess] returns ok
[evdoesn] expand: %{User-Name} -> 6064191...@evdo.myawi.net
Exec-Program output: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program-Wait: value-pairs: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP
Exec-Program: returned: 0
++[evdoesn] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] expand: %t -> Fri Jan 18 11:06:43 2013
++[auth_log] returns ok
[sql] expand: %{User-Name} -> 6064191...@evdo.myawi.net
[sql] sql_set_user escaped user --> '6064191...@evdo.myawi.net'
rlm_sql (sql): Reserving sql socket id: 50
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, OpFROM radcheck WHERE Username = '6064191...@evdo.myawi.net'ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191...@evdo.myawi.net' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, OpFROM radreply WHERE Username = '6064191...@evdo.myawi.net'ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191...@evdo.myawi.net' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='6064191...@evdo.myawi.net'
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='6064191...@evdo.myawi.net'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql] expand: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191...@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupNameORDER BY radgroupcheck.id
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191...@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] User found in group evdo
[sql] expand: SELECT radgroupreply.id, radgroupreply.G
Re: openLDAP authorization with PAP authentication
Take the default supplied config.

Add ldap to the authorize section in default and inner-tunnel, and to the authenticate section of both. Add your AP into clients.conf. Now edit the ldap module to your requirements.

That should work pretty much as is.

Rinse, repeat. I.e. now edit other things to optimise, looking at the debug output AFTER EACH CHANGE to see what's needed and what's not. Set PEAP as default type in EAP.conf rather than md5 etc.

alan

--
This smartphone has free worldwide WiFi access using eduroam. Now, that IS smart.
Re: openLDAP authorization with PAP authentication
On Fri, Mar 30, 2012 at 03:52:50PM -0700, Jay Ludlow wrote:
> Found Auth-Type = EAP
>
> WARNING: Unknown value specified for Auth-Type. Cannot perform requested
> action.

You've got "eap" in the authorize section of your outer (default) virtual server, but you've removed it from the authenticate section.

Hint: put your whole config in version control (e.g. git) and then it makes it easy to go back to a working config when you break it.

Cheers,

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
Re: openLDAP authorization with PAP authentication
Jay Ludlow wrote:
> I have a working RADIUS server for localhost lookup, but when I try and
> authenticate with my HP Procurve 420 Wireless Access Point using these
> wireless connection methods with Ubuntu 10.04LTS:
...
> I get the following result:
> Found Auth-Type = EAP
> WARNING: Unknown value specified for Auth-Type. Cannot perform
> requested action.

You edited the default configuration files, and broke the server. Don't do that.

Alan DeKok.
openLDAP authorization with PAP authentication
I have a working RADIUS server for localhost lookup, but when I try and authenticate with my HP Procurve 420 Wireless Access Point using these wireless connection methods with Ubuntu 10.04LTS:

Wireless Security: WPA & WPA2 Enterprise
Authentication: Tunneled TLS | Protected EAP (PEAP)
Anonymous Identity: (Blank)
CA Certificate: (None)
Inner Authentication: PAP, MSCHAP, MSCHAPv2, CHAP | MSCHAPv2, MD5, GTC
Username: guest
Password: userpasswd

I get the following result:

FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Feb 22 2012 at 14:59:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap.rpmnew
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap.bak
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap.rpmnew
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ldap.rpmnew.original
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default.original
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
	ho
Re: openLDAP authorization with PAP authentication
Jay Ludlow wrote:
> I am very new to radius, and I am having a problem configuring radius to
> authenticate by checking my already running openldap server for
> authorization and then using PAP for authentication.

I suggest formatting your post in paragraphs to clearly delineate ideas. Right now, it's just a wall of pale blue text. That makes it hard for people to read your message, and therefore hard for people to help you.

In short, you are logging in with a username that appears in /etc/passwd. FreeRADIUS is using the password taken from there, instead of the password from LDAP.

Edit raddb/sites-available/default, and remove the "unix" entry from the "authorize" section. After that, it will start using the password from LDAP.

Alan DeKok.
Re: PAP authentication to Active Directory
On 07/13/2011 06:04 PM, Axford M.F. wrote:
> Hi
>
> I'm currently setting up a radius server to authenticate EAP based requests against Active Directory. Using Alan Dekok's guide I've got this authenticating mschap based EAP requests successfully. I also want to authenticate ttls/pap requests and I've found two ways to do this that seem to work.
>
> Method 1 is based on what's in http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html
>
> Method 2 is to use LDAP for pap authentications.
>
> All things being equal my preference is to use Method 1 as it keeps all authentications the same, however the:
>
> if (!control:Auth-Type) {
>   update control {
>     Auth-Type = ntlm_auth_pap
>   }
> }
>
> In the inner-tunnel/authorize section seems a bit like a hack. Is there a better way to do this ?

We do this:

server inner-tunnel {
  authorize {
    ...
    mschap
    eap
    pap
  }
  authenticate {
    Auth-Type PAP {
      ntlm_auth_pap
    }
    ...
  }
}

...which is, in its own way, a hack (run the "pap" module to set the Auth-Type, run a different module to service it).

Your solution isn't so bad; the "pap" module itself basically only does this internally:

if (!control:Auth-Type && User-Password) {
  update control {
    Auth-Type := PAP
  }
}

> Is either method particularly better than the other ?

There might be circumstances in which LDAP is better; but knowing how the protocols work and the failure modes of the two modules in FreeRADIUS, I doubt it.

It also means you don't need a username to bind to LDAP for you; which is just another bit of config to get wrong, out of date, expired password, or compromised...

If you don't need LDAP for other reasons (e.g. groups) then don't bother with it.
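The two password mechanisms the threads above keep circling (Alan's point in "Chap/Pap Authentication" that Cleartext-Password is the known-good password while PAP still needs a User-Password from the supplicant, and the pap module's authorize behaviour as described in this reply) modelled in Python as an added example; this is not FreeRADIUS code, and the password, CHAP Ident and user name are constructed for the demo (the challenge value is the one quoted in the thread).

```python
import hashlib
import hmac

# Constructed sample credentials (the thread's real CHAP-Password cannot be
# reproduced without the device's actual secret, so a known password is used).
KNOWN_PASSWORD = "268435460102579521"
CHALLENGE = bytes.fromhex("022074534be2e8405c867f676b46b432")
CHAP_IDENT = 0x59


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_password_attr(ident: int, secret: str, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password value: 1-byte CHAP Ident followed by the 16-byte response."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def rlm_chap(request: dict, control: dict) -> str:
    """Check CHAP-Password against control:Cleartext-Password. The server must hold
    the clear-text password to recompute the MD5; a hashed-only store cannot do it."""
    chap = request.get("CHAP-Password")
    if chap is None or len(chap) != 17:
        return "noop"
    known = control.get("Cleartext-Password")
    if known is None:
        return "fail"
    # The challenge is CHAP-Challenge when present, else the Request Authenticator.
    challenge = request.get("CHAP-Challenge") or request.get("Request-Authenticator", b"")
    ident, response = chap[0], chap[1:]
    expected = chap_response(ident, known, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "reject"


def pap_authorize(request: dict, control: dict) -> None:
    """authorize-section behaviour of the pap module as Phil describes it:
    set Auth-Type := PAP only if none is set yet AND the request carries User-Password."""
    if "Auth-Type" not in control and "User-Password" in request:
        control["Auth-Type"] = "PAP"


def pap_authenticate(request: dict, control: dict) -> str:
    """Compare the user-entered User-Password with the known-good Cleartext-Password."""
    entered = request.get("User-Password")
    if entered is None:
        return "reject"  # Auth-Type forced to PAP but nothing to compare: cannot succeed
    known = control.get("Cleartext-Password")
    if known is None:
        return "fail"
    return "ok" if hmac.compare_digest(entered.encode(), known.encode()) else "reject"


def run_request(request: dict, control: dict) -> str:
    """Simplified authorize -> authenticate flow for CHAP, PAP and Auth-Type := Accept."""
    control = dict(control)
    if "CHAP-Password" in request and "Auth-Type" not in control:
        control["Auth-Type"] = "CHAP"  # what rlm_chap does in authorize
    pap_authorize(request, control)
    auth_type = control.get("Auth-Type")
    if auth_type == "Accept":
        return "ok"  # Alan's suggestion: skip the password checks entirely
    if auth_type == "CHAP":
        return rlm_chap(request, control)
    if auth_type == "PAP":
        return pap_authenticate(request, control)
    return "reject"  # the real server logs "No Auth-Type found"


def scenarios() -> dict:
    """Outcomes of the approaches discussed in the threads, keyed by name."""
    chap_req = {
        "User-Name": "device@example.net",  # constructed
        "CHAP-Password": chap_password_attr(CHAP_IDENT, KNOWN_PASSWORD, CHALLENGE),
        "CHAP-Challenge": CHALLENGE,
    }
    script_req = {"User-Name": "device@example.net"}  # CHAP attributes blanked by the script
    return {
        # genuine CHAP with the clear-text password on file
        "chap_ok": run_request(chap_req, {"Cleartext-Password": KNOWN_PASSWORD}),
        # wrong password on file
        "chap_wrong": run_request(chap_req, {"Cleartext-Password": "other"}),
        # only a hashed password stored: CHAP cannot be verified
        "chap_no_cleartext": run_request(chap_req, {}),
        # the Perl script's approach: Auth-Type := PAP + Cleartext-Password, no User-Password
        "script_pap": run_request(script_req, {"Auth-Type": "PAP", "Cleartext-Password": KNOWN_PASSWORD}),
        # proper PAP: the supplicant actually sends User-Password
        "pap_ok": run_request({"User-Password": KNOWN_PASSWORD}, {"Cleartext-Password": KNOWN_PASSWORD}),
        # Auth-Type := Accept after an SQL lookup of the serial number
        "accept": run_request(script_req, {"Auth-Type": "Accept"}),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} -> {result}")
```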
PAP authentication to Active Directory
Hi

I'm currently setting up a radius server to authenticate EAP based requests against Active Directory. Using Alan Dekok's guide I've got this authenticating mschap based EAP requests successfully. I also want to authenticate ttls/pap requests and I've found two ways to do this that seem to work.

Method 1 is based on what's in http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html

Method 2 is to use LDAP for pap authentications.

All things being equal my preference is to use Method 1 as it keeps all authentications the same, however the:

if (!control:Auth-Type) {
  update control {
    Auth-Type = ntlm_auth_pap
  }
}

In the inner-tunnel/authorize section seems a bit like a hack. Is there a better way to do this ?

Is either method particularly better than the other ?

Regards
Mike Axford

--
Mike Axford
Enterprise Systems
iSolutions
University of Southampton
Southampton SO17 1BJ
Email: m.f.axf...@soton.ac.uk
Phone: 023 8059 5337
OT: JRadius client <-> Freeradius 2.1.10 PAP authentication
Hi All,

If anyone is using JRadius client (especially via JASIG CAS) to authenticate to a freeradius server using PAP could you contact me offlist?

Cheers,
Harry
Re: PAP Authentication
On 21.06.2010 at 17:24, simone.trevi...@telsey.it wrote:
> Dear all,
> I have an ADSL modem (running PPPoE Client) connected to a Cisco PPPoE Server. The Cisco PPPoE Server forwards PPPoE requests from CPE to the Freeradius 2.1.0.
> I would like to provide to CPE an IP address based on the pair: Username/password.
> Authentication used: PAP
> I see the WARNING message reported by Freeradius, but my attempt to fix them fails.
> Can you help me
> Thank you very much.
> ~~
> 1) I have added to radiusd.conf the module:
>
> # PAP module to authenticate users based on their stored password
> #
> # Supports multiple encryption schemes
> # clear: Clear text
> # crypt: Unix crypt
> # md5: MD5 encryption
> # sha1: SHA1 encryption.
> # DEFAULT: crypt
> pap {
>   encryption_scheme = clear
> }
>
> 2) I have modified the module pap:
>
> pap {
>   auto_header = yes
> }
>
> 3) In users I have added:
>
> mr642wg Auth-Type := PAP, User-Password == "mr642wg"

Try using Cleartext-Password := "mr642wg" instead

[...]

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing Director: Lars Busch
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
PAP Authentication
Dear all,

I have an ADSL modem (running PPPoE Client) connected to a Cisco PPPoE Server. The Cisco PPPoE Server forwards PPPoE requests from CPE to the Freeradius 2.1.0.

I would like to provide to CPE an IP address based on the pair: Username/password.

Authentication used: PAP

I see the WARNING message reported by Freeradius, but my attempt to fix them fails.

Can you help me

Thank you very much.

~~

1) I have added to radiusd.conf the module:

# PAP module to authenticate users based on their stored password
#
# Supports multiple encryption schemes
# clear: Clear text
# crypt: Unix crypt
# md5: MD5 encryption
# sha1: SHA1 encryption.
# DEFAULT: crypt
pap {
	encryption_scheme = clear
}

2) I have modified the module pap:

pap {
	auto_header = yes
}

3) In users I have added:

mr642wg	Auth-Type := PAP, User-Password == "mr642wg"
	Service-Type = Framed-User,
	User-Name = "mr642wg",
	User-Password = "mr642wg",
	Framed-Protocol = PPP,
	Framed-IP-Address = 192.168.90.161,
	Framed-IP-Netmask = 255.255.255.248,

4) In clients.conf I have added:

client 10.31.0.0/24 {
	#
	# secret and password are mapped through the "secrets" file.
	secret = testing123
	shortname = liv1
	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous usage checks
	#
	# nastype = livingston
	# login = !root
	# password= someadminpas
}

This is the output from freeradius -X

freeradius -X
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Nov 14 2008 at 11:57:03
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file
Re: pap authentication for freeradius
Alan DeKok wrote:
> jittinan suwanrueangsri wrote:
>> It seems that rlm_pap module select password which reside in /etc/shadow file before /usr/local/etc/users file.
>>
>> How can I change freeradius configure to select password from users file first?
>
> Edit raddb/sites-available/default. Look for "unix", and delete that line.
>
>> What is different between := and == operator? I have already read man page but it does not make me clear.
>
> There really isn't much more to say, unfortunately.
>
> Alan DeKok.

read Operators

The operator used to assign the value of the attribute may be one of the following, with the given meaning.

=  Add the attribute to the list, if and only if an attribute of the same name is already present in that list.

:= Add the attribute to the list. If any attribute of the same name is already present in that list, its value is replaced with the value of the current attribute.

+= Add the attribute to the tail of the list, even if attributes of the same name are already present in the list.
Re: pap authentication for freeradius
jittinan suwanrueangsri wrote:
> It seems that the rlm_pap module selects the password which resides in
> /etc/shadow before the one in /usr/local/etc/users.
>
> How can I change the freeradius configuration to select the password from the users file
> first?

Edit raddb/sites-available/default. Look for "unix", and delete that line.

> What is the difference between the := and == operators? I have already read the man
> page but it does not make it clear to me.

There really isn't much more to say, unfortunately.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
pap authentication for freeradius
Dear All, I have added a user in /usr/local/etc/users and /etc/shadow, but the passwords in the two places are different. First, I tried to authenticate with the PAP protocol: I can log in correctly by supplying the shell account password, but cannot log in by supplying the password which resides in the users file. Second, I created another account which exists only in the users file and not in /etc/shadow; then I can log in correctly. It seems that the rlm_pap module selects the password which resides in /etc/shadow before the one in /usr/local/etc/users. How can I change the freeradius configuration to select the password from the users file first? What is the difference between the := and == operators? I have already read the man page but it does not make it clear to me. Thank You - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP Authentication Not Working ??
Regarding the version: it is by design, since this is running CentOS, which purposely has a long cycle between releases based on upstream, for stability. I'm not against upgrading this though. :) So I did in fact read the users file, or I wouldn't have made it this far, but I'm not seeing anything that points me to this. Upon further analysis, I can make this work, it seems, from the users file. But if I have the user in MySQL it will only respond with an Access-Accept if the password type on NTRadPing is set to Chap.

On Dec 1, 2009, at 6:01 PM, t...@kalik.net wrote:
> > I've got a 1.1-3 FreeRadius server and am trying to figure out what to do to enable PAP authentication. CHAP is working when I use Radius Ping, but then I change the Password to User-Password, which, if I understand it, is supposed to enable PAP. When I do this, I get an Access-Reject. Is there something else I need to do to enable PAP or force it?
>
> Why are you using such an ancient server version? Upgrade. Or read instructions in users file. They should be relevant for your server version.
>
> Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP Authentication Not Working ??
> I've got a 1.1-3 FreeRadius server and am trying to figure out what to do
> to enable PAP authentication. CHAP is working when I use Radius Ping,
> but then I change the Password to User-Password, which, if I understand it,
> is supposed to enable PAP. When I do this, I get an Access-Reject. Is there
> something else I need to do to enable PAP or force it?

Why are you using such an ancient server version? Upgrade. Or read instructions in users file. They should be relevant for your server version.

Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP Authentication Not Working ??
Greetings, I've got a 1.1-3 FreeRadius server and am trying to figure out what to do to enable PAP authentication. CHAP is working when I use Radius Ping, but then I change the Password to User-Password, which, if I understand it, is supposed to enable PAP. When I do this, I get an Access-Reject. Is there something else I need to do to enable PAP or force it? Thanks! Jim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP authentication and multiple LDAP userpassword attributes
Christophe Saillard wrote:
> I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
>
> I use FR for EAP-TTLS/PAP authentication with LDAP.
>
> FR 1.1.7 successfully authenticates users with multiple LDAP userPassword
> attributes which are stored with crypt and/or MD5 hash, the passwords
> are not the same (even it's better if the are) :

No. In 1.1.7, the server is doing LDAP "bind as user" for authentication. It is *completely* ignoring the crypt/MD5 passwords.

...
> rlm_ldap: Added password {MD5}x in check items
> rlm_ldap: Added password {crypt}x in check items
...
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP_OSIRIS for request 29
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
> rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
> rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ to ldaps://ldapuds.u-strasbg.fr
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mylogin authenticated succesfully

See? LDAP "bind as user".

> Now with FR 2.1.3, it looks like only the first password attribute is
> used :

In 2.1.3, the "bind as user" functionality isn't used if the LDAP server returns a "known good" password.

...
> [ldap] Added User-Password = {crypt}x in check items
> [ldap] Added User-Password = {MD5}x in check items
...
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group authenticate {...}
> [pap] login attempt with password "mycleartextpassword"
> [pap] Using CRYPT encryption.
> [pap] Passwords don't match

The solution is simple: (1) fix it so that the passwords are NOT returned from LDAP or (2) force "Auth-Type := LDAP" inside of the TTLS tunnel. This might break other things, but it will make the server work the same way as in 1.1.7.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP authentication and multiple LDAP userpassword attributes
Hi, I'm working on upgrading from FR 1.1.7 to FR 2.1.3. I use FR for EAP-TTLS/PAP authentication with LDAP. FR 1.1.7 successfully authenticates users with multiple LDAP userPassword attributes which are stored with crypt and/or MD5 hash; the passwords are not the same (though it's better if they are):

###
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat: '(&(uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat: 'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter (&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile)
rlm_ldap: Added password {MD5}x in check items
rlm_ldap: Added password {crypt}x in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "LDAP_OSIRIS" returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
rad_check_password: Found Auth-Type LDAP_OSIRIS
auth: type "LDAP_OSIRIS"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ to ldaps://ldapuds.u-strasbg.fr
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
###

Now with FR 2.1.3, it looks like only the first password attribute is used:

###
[...]
[ldap] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) -> (&(uid=mylogin)(udsradiusProfileWifi=*))
[ldap] expand: ou=people,o=annuaire -> ou=people,o=annuaire
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter (&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}x in check items
[ldap] Added User-Password = {MD5}x in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password "mycleartextpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
###

Is there a way to tell FR to try with the other attributes? My configuration is quite simple; here's my sites-enabled/proxy-inner-tunnel:

server proxy-inner-tunnel {
    authorize {
        eap
        ldap
        pap
    }
    authenticate {
        eap
        pap
    }
    post-proxy {
        eap
    }
}

And the pap module:

pap {
    auto_header = yes
}

Any clue? Thanks

--
Christophe Saillard
Université de Strasbourg
Direction Informatique
Tel: 03 90 24 03 17
Fax: 03 90 24 03 12
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP Authentication User-Password not working properly
Thank you Ivan Kalik: great work in the mailing list for you and also Alan DeKok. I'll try the recommendations. There is much documentation in the FreeRADIUS Wiki and in many other articles and forums, but one has to learn wrong things from wrong articles and it's sometimes difficult to guess the right information. Bye all.

- Original Message -
From: "Ivan Kalik" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Friday, May 09, 2008 10:59 PM
Subject: Re: PAP Authentication User-Password not working properly

> > mysql> select * from radcheck;
> > +----+-------------+----------------+----+---------------+
> > | id | username    | attribute      | op | value         |
> > +----+-------------+----------------+----+---------------+
> > |  1 | Chapsqluser | User-Password  | == | chapsecret    |
> > |  2 | Chapsqluser | Auth-Type      | := | Local         |
> > |  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
> > |  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
> > +----+-------------+----------------+----+---------------+
> > 4 rows in set (0.00 sec)
>
> Don't force Auth-Type. Remove Auth-Type Crypt-Local from the database entry. Let pap module sort it out. And entry for Chapsqluser is also wrong. Remove Auth-Type, replace password attribute with Cleartext-Password and op with :=.
>
> Server documentation clearly states:
> - don't use Auth-Type
> - use Cleartext-Password (not User-Password) for clear text passwords.
>
> Ivan Kalik
> Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP Authentication User-Password not working properly
On Fri, May 09, 2008 at 08:17:25PM +0100, Yago Fdez. Hansen wrote:
> On 9/5/2008, "Yago Fdez. Hansen" <[EMAIL PROTECTED]> wrote:
> > Hi everybody:
> >
> > I am installing a lab test server with Freeradius 2.0.4 with all
> > the authentication installed: CHAP, PAP, EAP and authorization over
> > MySQL, users, system, and LDAP.
> >
> > I installed it in the last few days and I have everything working
> > now, but as I was testing it, I noticed a bug. I created
> > users in every DB and file, all of them with their own password and user
> > entries. When I was testing with radtest ALL worked fine, but I
> > noticed that ONLY with PAP authentication and a MySQL user it doesn't
> > matter if I put a cleartext password in radtest longer than the original
> > one: I get an Access-Accept message.
> >
> > Example:
> >
> > radtest papsqluser papsecret localhost 0 testing123
> > Access-Accept
> >
> > radtest papsqluser papsecret43343 localhost 0 testing123
> > Access-Accept
>
> mysql> select * from radcheck;
> +----+-------------+----------------+----+---------------+
> | id | username    | attribute      | op | value         |
> +----+-------------+----------------+----+---------------+
> |  1 | Chapsqluser | User-Password  | == | chapsecret    |
> |  2 | Chapsqluser | Auth-Type      | := | Local         |
> |  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
> |  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
> +----+-------------+----------------+----+---------------+
> 4 rows in set (0.00 sec)

The DES crypt algorithm only deals with the first 8 characters of the password. No bug, working as designed.

--
Scott Lambert  KC5MLE  Unix SysAdmin
[EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP Authentication User-Password not working properly
> mysql> select * from radcheck;
> +----+-------------+----------------+----+---------------+
> | id | username    | attribute      | op | value         |
> +----+-------------+----------------+----+---------------+
> |  1 | Chapsqluser | User-Password  | == | chapsecret    |
> |  2 | Chapsqluser | Auth-Type      | := | Local         |
> |  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
> |  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
> +----+-------------+----------------+----+---------------+
> 4 rows in set (0.00 sec)

Don't force Auth-Type. Remove Auth-Type Crypt-Local from the database entry. Let pap module sort it out. And entry for Chapsqluser is also wrong. Remove Auth-Type, replace password attribute with Cleartext-Password and op with :=.

Server documentation clearly states:
- don't use Auth-Type
- use Cleartext-Password (not User-Password) for clear text passwords.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
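The following added example (not FreeRADIUS code) turns the advice in this thread into a check that can be run over a radcheck export: it flags forced Auth-Type rows, User-Password used as the stored password, password attributes with an operator other than `:=`, and traditional DES crypt hashes, for which only the first 8 characters of the password are checked (the point made earlier in this thread), and it produces the corrected rows. SAMPLE_ROWS reproduces the table posted above; the finding texts and the corrected rows are this example's own rendering of the advice.

```python
"""Audit of FreeRADIUS radcheck rows against the advice given in this thread.

Added example, not FreeRADIUS code. SAMPLE_ROWS reproduces the table posted
in the thread; the finding texts are this example's own.
"""

import re
from typing import Dict, List

Row = Dict[str, str]

# Traditional DES crypt(3): 2 salt + 11 hash characters from ./0-9A-Za-z,
# no "$id$" prefix. Only the first 8 characters of the password are used.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# "known good" password attributes the pap module understands
PASSWORD_ATTRS = {"Cleartext-Password", "Crypt-Password", "MD5-Password",
                  "SHA-Password", "SSHA-Password", "NT-Password", "LM-Password"}

SAMPLE_ROWS: List[Row] = [
    {"username": "Chapsqluser", "attribute": "User-Password",  "op": "==", "value": "chapsecret"},
    {"username": "Chapsqluser", "attribute": "Auth-Type",      "op": ":=", "value": "Local"},
    {"username": "Papsqluser",  "attribute": "Crypt-Password", "op": "==", "value": "/gTPHauHkNjWE"},
    {"username": "Papsqluser",  "attribute": "Auth-Type",      "op": ":=", "value": "Crypt-Local"},
]


def audit_row(row: Row) -> List[str]:
    """Findings for one radcheck row; an empty list means nothing to report."""
    attr, op, value = row["attribute"], row["op"], row["value"]
    findings: List[str] = []
    if attr == "Auth-Type":
        findings.append(f"forces Auth-Type := {value}; remove it and let the pap module decide")
    if attr == "User-Password":
        findings.append("User-Password is what the client sends; store the known-good "
                        "value as Cleartext-Password instead")
    if (attr == "User-Password" or attr in PASSWORD_ATTRS) and op != ":=":
        findings.append(f"op {op!r} on a password attribute; known-good passwords use ':='")
    if attr == "Crypt-Password" and DES_CRYPT.match(value):
        findings.append("traditional DES crypt hash: only the first 8 characters of the "
                        "password are checked, so longer inputs with the same prefix match")
    return findings


def audit(rows: List[Row]) -> Dict[str, List[str]]:
    """Findings per username, in table order."""
    report: Dict[str, List[str]] = {}
    for row in rows:
        report.setdefault(row["username"], []).extend(audit_row(row))
    return report


def corrected_rows(rows: List[Row]) -> List[Row]:
    """The same table with the advice applied: Auth-Type rows dropped,
    User-Password renamed to Cleartext-Password, password ops set to ':='."""
    out: List[Row] = []
    for row in rows:
        if row["attribute"] == "Auth-Type":
            continue
        fixed = dict(row)
        if fixed["attribute"] == "User-Password":
            fixed["attribute"] = "Cleartext-Password"
        if fixed["attribute"] in PASSWORD_ATTRS:
            fixed["op"] = ":="
        out.append(fixed)
    return out


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ROWS).items():
        for finding in findings:
            print(f"{user}: {finding}")
    for row in corrected_rows(SAMPLE_ROWS):
        print(row["username"], row["attribute"], row["op"], row["value"])
```

After the correction the only remaining finding is the DES hash itself: moving that user to a stronger Crypt-Password format is a separate step the thread does not cover.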
Re: PAP Authentication User-Password not working properly
sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'papsqluser' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'papsqluser' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'papsqluser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for papsqluser
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=papsqluser)
expand: dc=midominio,dc=loc -> dc=midominio,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.midominio.loc:389, authentication 0
rlm_ldap: bind as cn=admin,dc=midominio,dc=loc/misecreto to ldap1.midominio.loc:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=midominio,dc=loc, with filter (uid=papsqluser)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: searcch failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type Crypt-Local
auth: type Crypt
Login OK: [papsqluser/papsecret] (from client localhost port 0)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 144 to 127.0.0.1 port 60121
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 144 with timestamp +4
Ready to process requests.

--- Second auth:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=144, length=20
[EMAIL PROTECTED]:~#
[EMAIL PROTECTED]:~# radtest papsqluser papsecret1233323 localhost 0 testing123
Sending Access-Request of id 167 to 127.0.0.1 port 1812
        User-Name = "papsqluser"
        User-Password = "papsecret1233323"
        NAS-IP-Address = 192.168.1.100
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=167, length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 53931, id=167, length=62
        User-Name = "papsqluser"
        User-Password = "papsecret1233323"
        NAS-IP-Address = 192.168.1.100
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "papsqluser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> papsqluser
rlm_sql (sql): sql_set_user escaped user --> 'papsqluser'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'papsqluser' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'papsqluser' ORDER BY id
expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'papsqluser' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for papsqluser
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=papsqluser)
Re: PAP Authentication User-Password not working properly
radiusd -X

Ivan Kalik
Kalik Informatika ISP

On 9/5/2008, "Yago Fdez. Hansen" <[EMAIL PROTECTED]> wrote:
> Hi everybody:
>
> I am installing a lab test server with Freeradius 2.0.4 with all the
> authentication installed: CHAP, PAP, EAP and authorization over MySQL,
> users, system, and LDAP.
>
> I installed it in the last few days and I have everything working now, but
> as I was testing it, I noticed a bug. I created users in every DB and
> file, all of them with their own password and user entries. When I was testing with
> radtest ALL worked fine, but I noticed that ONLY with PAP authentication and
> a MySQL user it doesn't matter if I put a cleartext password in radtest longer
> than the original one: I get an Access-Accept message.
>
> Example:
>
> radtest papsqluser papsecret localhost 0 testing123
> Access-Accept
>
> radtest papsqluser papsecret43343 localhost 0 testing123
> Access-Accept
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP Authentication User-Password not working properly
Hi everybody: I am installing a lab test server with Freeradius 2.0.4 with all the authentication installed: CHAP, PAP, EAP and authorization over MySQL, users, system, and LDAP. I installed it in the last few days and I have everything working now, but as I was testing it, I noticed a bug. I created users in every DB and file, all of them with their own password and user entries. When I was testing with radtest ALL worked fine, but I noticed that ONLY with PAP authentication and a MySQL user it doesn't matter if I put a cleartext password in radtest longer than the original one: I get an Access-Accept message.

Example:

radtest papsqluser papsecret localhost 0 testing123
Access-Accept

radtest papsqluser papsecret43343 localhost 0 testing123
Access-Accept
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TTLS-PAP authentication with LDAP bind
Richard Hesse wrote: > If I force the Mac or Windows supplicants to use TTLS-PAP, the request is > never > passed to radiusd. The NAS is broken. > I don't know what's going on but my AP (Aruba 200) seems to be detecting that > something isn't right with its AAA server Disable the Aruba AAA server. If you're using FreeRADIUS, you DO NOT need the Aruba AAA server. > and not passing the request on. If I change the supplicants to use their > default > settings, the requests are sent to FreeRadius, but the requests fail. Again, > the Aruba seems to think that something is wrong and presents its > certificate instead of my server's. Disable the Aruba AAA server. > Yes, I've run the server in debug mode (there are no requests coming in). Then the NAS is broken. It's not rocket science: If FreeRADIUS isn't getting any requests, then there is NOTHING YOU CAN DO to FreeRADIUS to fix the problem. The NAS is broken. Disable its AAA server. I can't emphasize that enough. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
TTLS-PAP authentication with LDAP bind
First off, I'd like to say thanks in advance to anyone who can help me here. I've spent the past few days searching the list archives and other sites for information on how to accomplish this. The overwhelming message from these searches was that "it should just work" and that "the server will figure out what to do." Sadly, that's not the case here.

My goals here are straightforward:
- Authorize the user in LDAP if a corresponding entry exists (just checking against uid, nothing fancy).
- Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients.
- Authenticate the user's clear-text password via a simple LDAP bind encrypted via TLS. No userPassword attribute checking here. A simple bind is all.

Using version 1.14. Here's my eap.conf with comments stripped out:

eap {
    default_eap_type = ttls
    timer_expire = 10
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    gtc {
        challenge = "Password: "
        auth_type = PAP
    }
    tls {
        private_key_password = foo
        private_key_file = ${raddbdir}/certs/key.pem
        certificate_file = ${raddbdir}/certs/cert.pem
        CA_file = ${raddbdir}/certs/sf_issuing.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = gtc
    }
    peap {
        default_eap_type = gtc
    }
}

Relevant sections of radius.conf are:

ldap {
    server = "myserverentry"
    basedn = "myDN"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = yes
    tls_cacertfile = /opt/fedora-ds/alias/intCA.pem
    tls_require_cert = "demand"
    access_attr = "uid"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

authorize {
    preprocess
    suffix
    ntdomain
    eap
    files
    ldap
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to be detecting that something isn't right with its AAA server and not passing the request on. If I change the supplicants to use their default settings, the requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems to think that something is wrong and presents its certificate instead of my server's. At one point, I had the clients seeing the server's certificate but I can't seem to get back in that state. So I don't think my AP is broken, I'm pretty sure it's my FreeRadius config that's broken. The users file is unchanged and the proper entries are in clients. Yes, I've run the server in debug mode (there are no requests coming in).

Thanks,
-richard
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem in sending PAP Authentication with radclient
Hamzeh Motahari <[EMAIL PROTECTED]> wrote: > What should we do if we want send password using MD5 method? RADIUS doesn't support sending MD5 passwords in a packet. > If "radclient" doesn't support this, can you suggest an open source > radius client which can do this? No RADIUS client can do this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem in sending PAP Authentication with radclient
Hello, We have set the PAP scheme to MD5 in "radius.conf". Now we can't authenticate users using "radclient". When the configuration changes from 'MD5' to 'Clear text', everything is good. What should we do if we want to send the password using the MD5 method? If "radclient" doesn't support this, can you suggest an open source radius client which can do this? Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
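As an added example (not radclient or FreeRADIUS code) of why the client cannot be told to "send MD5": this Python code encodes and decodes the User-Password attribute the way RFC 2865 section 5.2 specifies for PAP. The password is not hashed; it is XORed with an MD5 keystream derived from the shared secret, and the server reverses that to obtain the cleartext, which it then compares with whatever form (cleartext, crypt, MD5, ...) it has stored. The shared secret testing123 matches the radtest invocations earlier on this page; the Request Authenticator and the passwords are constructed sample values.

```python
"""How a PAP password travels in a RADIUS Access-Request (RFC 2865, 5.2).

Added example, not radclient or FreeRADIUS code. The shared secret,
Request Authenticator and passwords are constructed sample values.
"""

import hashlib

BLOCK = 16  # MD5 digest size; User-Password is sent in 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a cleartext PAP password into the User-Password attribute value.

    The password is zero-padded to a multiple of 16 bytes; block i is XORed
    with MD5(secret + c[i-1]), where c[-1] is the 16-byte Request Authenticator.
    This is reversible by anyone holding the shared secret: it is not a hash.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP passwords are 1 to 128 bytes")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out += cipher
        prev = cipher  # chaining: the next key depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with User-Password: undo the XOR chain and strip
    the zero padding. With a wrong shared secret the result is garbage."""
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], key))
        prev = hidden[i:i + BLOCK]
    return bytes(out).rstrip(b"\x00")


SECRET = b"testing123"            # the shared secret used by radtest on this page
AUTHENTICATOR = bytes(range(16))  # constructed; a real one is random per request


def demo() -> bytes:
    """Round-trip the 16-byte password from the radtest example on this page."""
    hidden = hide_password(b"papsecret1233323", SECRET, AUTHENTICATOR)
    return reveal_password(hidden, SECRET, AUTHENTICATOR)


if __name__ == "__main__":
    print(hide_password(b"papsecret", SECRET, AUTHENTICATOR).hex())
    print(demo())
```

Two practical consequences follow from the code: the server always ends up with the cleartext, so a "MD5" setting on the server only describes how the stored password is compared, and anyone holding the shared secret can recover every PAP password on the wire, which is why PAP is normally run inside a TLS tunnel (EAP-TTLS) or at least over a network where the RADIUS traffic is protected.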
Re: LDAP - Userbase with EAP-TTLS/PAP authentication
On Fri, 10 Sep 2004, Emil Kokor wrote:
> Hi!
>
> My userbase is LDAP.
> The LDIF looks like:
>
> dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
> userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
>
> UserPassword is "emil" == "{SSHA}d3BdffZAUAVqkMRWYI0eYQ3gE8UpWO51"
> (only for testing purposes)
>
> I'm using FreeRADIUS 1.0.0 with OpenSSL 0.9.7d (now without problems after I used
> the --disable-shared option).
>
> For authentication I should use (I think so) EAP-TTLS/PAP because of the LDAP userbase
> and crypted passwords.
>
> In the users file there is only one default entry to deny access for a group of users.
>
> Are the settings so far ok?
> Because it doesn't work.
>
> radiusd.conf:
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     # Auth-Type CHAP {
>     #     chap
>     # }
>     # Auth-Type MS-CHAP {
>     #     mschap
>     # }
>     # Auth-Type LDAP {
>     #     ldap
>     # }
>     eap

Please configure authentication through the ldap module, not the pap module. That should make things work. And as suggested in the FAQ and the documentation, run the server in debug mode (radiusd -X).

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP - Userbase with EAP-TTLS/PAP authentication
Hi!

My userbase is LDAP. The LDIF looks like:

dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
loginShell: /bin/bash
uidNumber: 5966
gidNumber: 831
objectClass: posixAccount
objectClass: account
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
uid: ekokor
gecos: S27064
shadowLastChange: 12405
cn: Emil Kokor
homeDirectory: /home/schueler/K3fti1/ekokor
radiusGroupName: allowed

UserPassword is "emil" == "{SSHA}d3BdffZAUAVqkMRWYI0eYQ3gE8UpWO51" (only for testing purposes).

I'm using FreeRADIUS 1.0.0 with OpenSSL 0.9.7d (now without problems after I used the --disable-shared option).

For authentication I should use (I think so) EAP-TTLS/PAP because of the LDAP userbase and crypted passwords.

In the users file there is only one default entry to deny access for a group of users.

Are the settings so far ok? Because it doesn't work.

radiusd.conf:

pap {
    encryption_scheme = crypt
}
..
..
ldap {
    server = "localhost"
    identity = "cn=Manager,dc=wss-stuttgart,dc=de"
    password = wlan
    basedn = "ou=People,dc=wss-stuttgart,dc=de"
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
    base_filter = "(objectclass=radiusprofile)"
    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no
    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    #access_attr = "dialupAccess"
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = userPassword
    groupname_attribute = radiusGroupName
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
    groupmembership_attribute = radiusGroupName
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # do_xlat = yes
    # access_attr_used_for_allow = yes
}
..
..
files {
    usersfile = ${confdir}/users
    #acctusersfile = ${confdir}/acct_users
    # If you want to use the old Cistron 'users' file
    # with FreeRADIUS, you should change the next line
    # to 'compat = cistron'. You can then copy your 'users'
    # file from Cistron.
    compat = no
}
..
..
authorize {
    preprocess
    auth_log
    # attr_filter
    # chap
    # mschap
    suffix
    eap
    files
    ldap
}
..
..
authenticate {
    Auth-Type PAP {
        pap
    }
    # Auth-Type CHAP {
    #     chap
    # }
    # Auth-Type MS-CHAP {
    #     mschap
    # }
    # Auth-Type LDAP {
    #     ldap
    # }
    eap
}

eap.conf:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    tls {
        .
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}

users: only

DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
    Reply-Message = "Sie sind nicht berechtigt!"
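An added example (not rlm_pap or rlm_ldap code) that serves both this post and the earlier thread about multiple LDAP userPassword values: it decodes a base64 LDIF value such as the "userPassword::" line above, verifies a cleartext password against "{SCHEME}base64" values in the format that pap's auto_header = yes recognises, for the hashlib schemes {MD5}, {SHA} and {SSHA} ({crypt} values are reported as non-matching), and contrasts checking only the first stored value, as FreeRADIUS 2.1.3 did in the other thread, with checking all of them. All passwords and salts here are constructed samples; the only page value used is the LDIF string, and only its "{SSHA}" prefix is asserted.

```python
"""Checking one cleartext password against several LDAP userPassword values.

Added example, not rlm_pap or rlm_ldap code. Passwords and salts used here
are constructed samples; the base64 LDIF value comes from the post above.
"""

import base64
import binascii
import hashlib
import hmac
import os
from typing import List, Optional


def decode_ldif_base64(value: str) -> str:
    """Decode the value of an LDIF 'attr:: base64' line to text."""
    return base64.b64decode(value, validate=True).decode()


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(SHA-1(password + salt) + salt); the salt is normally 4 random bytes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_md5(password: bytes) -> str:
    """{MD5}: base64 of the raw, unsalted MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def verify_one(password: bytes, stored: str) -> bool:
    """True if the password matches one '{SCHEME}base64' value.

    Unknown schemes (e.g. {crypt}, not implemented here) and malformed
    values are treated as non-matching rather than raising.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, data = stored[1:].partition("}")
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    scheme = scheme.upper()
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(password).digest())
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(password).digest())
    if scheme == "SSHA":
        if len(raw) <= 20:          # 20-byte digest must be followed by a salt
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(password + salt).digest())
    return False


def verify_first_only(password: bytes, candidates: List[str]) -> bool:
    """Mirror of 'only the first password attribute is used'."""
    return bool(candidates) and verify_one(password, candidates[0])


def verify_any(password: bytes, candidates: List[str]) -> bool:
    """Accept if any of the stored values matches the password."""
    return any(verify_one(password, c) for c in candidates)


if __name__ == "__main__":
    print(decode_ldif_base64("e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE="))
    stored = [make_md5(b"other-pass"), make_ssha(b"wifi-pass")]
    print(verify_first_only(b"wifi-pass", stored), verify_any(b"wifi-pass", stored))
```

Whichever of the two policies a server follows, the cleartext password has to be available at verification time; that is why this post and the other thread both end up with PAP inside a TLS tunnel, and why Kostas's answer (let the ldap module bind with the password instead) sidesteps the stored-hash question entirely.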