Re: Simple Peap + PAP authentication

2013-03-09 Thread Arran Cudbard-Bell

On 9 Mar 2013, at 20:11, Matthew Ceroni  wrote:

> Trying to setup 802.1x authentication on my home router (running OpenWRT). 
> 
> http://pastebin.com/fWtNZ8FD
> 
> Above is the output of radiusd -X
> 
> I am trying to connect via my Android phone. Shouldn't the request coming 
> from the device include the ClearText password it is looking for? I am simply 
> listing the user in the users file. No LDAP, AD, SQL database.


So you're trying to do 802.1X which uses EAP as the transport protocol for 
authentication data, but you deleted the call to the EAP module which IIRC is 
in the default config, and just arbitrarily started listing modules you hoped 
might work.

That's special, you're a special person.

-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Simple Peap + PAP authentication

2013-03-09 Thread Matthew Ceroni
Trying to setup 802.1x authentication on my home router (running OpenWRT).

http://pastebin.com/fWtNZ8FD

Above is the output of radiusd -X

I am trying to connect via my Android phone. Shouldn't the request coming
from the device include the ClearText password it is looking for? I am
simply listing the user in the users file. No LDAP, AD, SQL database.

Thanks

Re: Chap/Pap Authentication

2013-01-18 Thread Alan Buxey
Forget the user-password. You are not using it, you are trying to kludge it. 
Just use the variable you have, or the facsimile you are making.

This is freeradius, there are at least a dozen ways of doing what you want, 
Alan has given you a fine method

alan


Re: Chap/Pap Authentication

2013-01-18 Thread Alan DeKok
Joseph Showalter wrote:
> Can I use a user-defined variable in the select statement that the EXEC perl 
> script returns:

  Only if it's returned in the Perl script.

> I would like to use the User-Password below:
> 
> [evdoesn] expand: %{User-Name} -> 6064191...@evdo.myawi.net
> Exec-Program output: User-Password := 268435460102579521, CHAP-Password :="" 
> , CHAP-Challenge :="" , Auth-Type := PAP 
> Exec-Program-Wait: value-pairs: User-Password := 268435460102579521, 
> CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP 
> Exec-Program: returned: 0
> ++[evdoesn] returns ok

  So... you're going to ignore my advice, and still run the script, and
still mangle the CHAP / User-Passwords, and still not have a *simple*
SQL query as I suggested.

  I have no idea why I'm wasting my time trying to help you.

  Alan DeKok.


Re: Chap/Pap Authentication

2013-01-18 Thread Joseph Showalter

On Jan 18, 2013, at 3:34 PM, Alan DeKok  wrote:

> authorize {
>   ...
> 
>   if (! "%{sql:SELECT ... }") {
> reject
>   }

Can I use a user-defined variable in the select statement that the EXEC perl 
script returns:

I would like to use the User-Password below:

[evdoesn]   expand: %{User-Name} -> 6064191...@evdo.myawi.net
Exec-Program output: User-Password := 268435460102579521, CHAP-Password :="" , 
CHAP-Challenge :="" , Auth-Type := PAP 
Exec-Program-Wait: value-pairs: User-Password := 268435460102579521, 
CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP 
Exec-Program: returned: 0
++[evdoesn] returns ok

Here is the relevant entry from the "default" file:

evdoesn (exec script/perl)

if (! "%{sql:SELECT username FROM 'radcheck' WHERE username=%{User-Name} AND value=%{User-Password} }") {
    reject
}

update control {
    Auth-Type := Accept
}


But it can't expand the %User-Password...

rlm_sql_postgresql: query: SELECT username FROM 'radcheck' WHERE 
username=6064191...@evdo.myawi.net AND value= 
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: Error syntax error at or near "'radcheck'"
rlm_sql_postgresql: Postgresql Fatal Error: [42601: SYNTAX ERROR] Occurred!!

It's not expanding the User-Password variable which was set up in EXEC.

>   update control {
>   Auth-Type := Accept
>   }
>   ...
> }
> 
>  It's that easy.

--
respectfully, Joseph / IT
[M] +1(606)477-7551 / t...@ekn.com
East Kentucky Network, LLC. 
dba Appalachian Wireless 
==



Re: Chap/Pap Authentication

2013-01-18 Thread Alan DeKok
Joseph Showalter wrote:
> Instead of using Chap which we are getting above, we want to use the 
> "3GPP2-Attr-61 = 0x010600010209a029275c41" value which we can convert 
> to the device serial number.

  OK.

> In our DB we store the device serial number. The devices' CHAP info most of 
> the time might be tampered with or wrong.

  That's a little surprising, but OK.

> So we wanted our EXEC script to replace the chap user/pass with the new PAP 
> user/password.

  No.  You don't want that.  I said you don't want that.  Don't do that.
 It's wrong.

> Should we be setting Cleartext-Password and the User-Password?

  No.  You should be setting Auth-Type := Accept, just like I said in my
last message.

>>  If you're going to force authentication success, why not just set
>> "Auth-Type := Accept"?  That avoids all of the mangling of passwords
>> (chap and pap)
> 
> We still want radius to run through the normal SQL process to verify that the 
> above serial number is valid.

  So... do an SQL query to see if the serial number is valid.  There's
no need to run a script.  There's no need to play games with CHAP.
There's no need to play games with PAP.

  Write an SQL statement that returns a string if the serial number is
in the database.  If the number isn't in the database, it returns
nothing.  Then, use the SQL statement in the "authorize" section:

authorize {
...

if (! "%{sql:SELECT ... }") {
  reject
}

update control {
Auth-Type := Accept
}
...
}

  It's that easy.

  Alan DeKok.
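To make the advice above concrete, here is an added example in Python (not code from the thread or from FreeRADIUS) that emulates what `%{sql:...}` does: expand the attribute references with rlm_sql-style escaping, run the query, and return the first column of the first row or nothing. It runs the serial-number check against a constructed in-memory sqlite `radcheck` table, and also shows why the query from Joseph's earlier message could not work: `%{User-Password}` expands to nothing, so the statement ends in `value=`. The `Device-Serial` request attribute, the username and the safe-character list are assumptions of the example.

```python
import re
import sqlite3

# Characters rlm_sql's xlat passes through unchanged, modelled on its default
# "safe-characters" setting (an assumption of this example; check your sql.conf).
SAFE_CHARS = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")

def sql_escape(value: str) -> str:
    """Everything outside the safe set becomes =HH, so a quote or semicolon that
    arrives in a request attribute cannot close the string literal it lands in."""
    return "".join(c if c in SAFE_CHARS else "=%02X" % ord(c) for c in value)

XLAT_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")

def expand(template: str, request: dict) -> str:
    """Expand %{Attribute} references with SQL escaping. An attribute the request
    does not carry expands to "", which is what happened to %{User-Password} in
    the thread: the query ended in "value=" and the database refused it."""
    return XLAT_RE.sub(lambda m: sql_escape(str(request.get(m.group(1), ""))), template)

def sql_xlat(conn: sqlite3.Connection, template: str, request: dict) -> str:
    """Emulate %{sql:...}: first column of the first row, or "" when no row matched."""
    row = conn.execute(expand(template, request)).fetchone()
    return "" if row is None else str(row[0])

def authorize(conn: sqlite3.Connection, template: str, request: dict) -> str:
    """The unlang from the reply above, in Python:
         if (! "%{sql:SELECT ...}") { reject }
         update control { Auth-Type := Accept }
    A query the database rejects expands to nothing as well, so the check fails closed."""
    try:
        found = sql_xlat(conn, template, request)
    except sqlite3.Error:
        found = ""
    return "accept" if found else "reject"

def query_status(conn: sqlite3.Connection, template: str, request: dict) -> str:
    """Whether the expanded query is something the database will run at all."""
    try:
        conn.execute(expand(template, request))
        return "ok"
    except sqlite3.Error:
        return "syntax-error"

def make_db() -> sqlite3.Connection:
    """Constructed radcheck table: one stored device serial per username. The
    attribute name "Device-Serial" and the username are made up for this example;
    the serial value is the one that appears in the thread's Exec-Program output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
                 ("device1@evdo.example", "Device-Serial", ":=", "268435460102579521"))
    return conn

# The check in the shape suggested above: a string (the username) comes back only
# when the serial the request carries is the one stored for that user. Device-Serial
# is assumed to be a request attribute filled in earlier in authorize from 3GPP2-Attr-61.
SERIAL_CHECK = ("SELECT username FROM radcheck WHERE username='%{User-Name}' "
                "AND attribute='Device-Serial' AND value='%{Device-Serial}'")

# The query from the earlier message: table name in single quotes, values unquoted,
# and %{User-Password} referenced although nothing in the request carries it.
ORIGINAL_QUERY = ("SELECT username FROM 'radcheck' WHERE username=%{User-Name} "
                  "AND value=%{User-Password}")

if __name__ == "__main__":
    db = make_db()
    good = {"User-Name": "device1@evdo.example", "Device-Serial": "268435460102579521"}
    print("stored serial:   ", authorize(db, SERIAL_CHECK, good))
    print("unknown serial:  ", authorize(db, SERIAL_CHECK, {**good, "Device-Serial": "1"}))
    print("no serial at all:", authorize(db, SERIAL_CHECK, {"User-Name": good["User-Name"]}))
    print("original query:  ", query_status(db, ORIGINAL_QUERY, good))
```

The point of quoting the expansions (`'%{Device-Serial}'`) rather than leaving them bare is visible in the third case: a request with no serial at all expands to `value=''`, matches no row and is rejected, instead of producing a statement the database cannot parse.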


Re: Chap/Pap Authentication

2013-01-18 Thread Joseph Showalter
Thanks so much for taking a look...

See comments below:

On Jan 18, 2013, at 3:04 PM, Alan DeKok wrote:

> Joseph  wrote:
>> What we would like to do is this:
>> 
>> Take this request:
>> 
>>  User-Name = "6064191...@evdo.myawi.net"
>>  CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
>>  NAS-IP-Address = 10.130.2.1
>>  CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
>>  3GPP2-Attr-60 = 0x0001
>>  3GPP2-Attr-61 = 0x010600010209a029275c41
> 
>  That looks like a series of TLVs to me.  i.e. not a password.  There
> seems to be a 32-bit integer, followed by a 64-bit integer.
> 
>> And instead of using chap to authenticate the user, we take the 
>> 3GPP2-Attr-61, convert it to the password we want, set it into the 
>> cleartext-password, and have the sql module query the DB for that new 
>> password.
> 
>  I'm not sure what that means.  "convert it to the password we want"?

Instead of using Chap which we are getting above, we want to use the 
"3GPP2-Attr-61 = 0x010600010209a029275c41" value which we can convert 
to the device serial number.

In our DB we store the device serial number. The devices' CHAP info most of the 
time might be tampered with or wrong.

So we wanted our EXEC script to replace the chap user/pass with the new PAP 
user/password.

> 
>> Here is the perl code that we run prior to the pap module:
>> 
>> 
>> $retattr .= "Cleartext-Password := $meid";
>> $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
>> $retattr .= ", Auth-Type := PAP ";
> 
>  Well, that won't work.
> 
>  The Cleartext-Password is the *known good* password.  The PAP module
> needs a User-Password, too.  The User-Password is the password as
> entered by the user.
> 

Should we be setting Cleartext-Password and the User-Password?

>  If you're going to force authentication success, why not just set
> "Auth-Type := Accept"?  That avoids all of the mangling of passwords
> (chap and pap)

We still want radius to run through the normal SQL process to verify that the 
above serial number is valid.


> 
>  Alan DeKok.

--regards, Joseph


Re: Chap/Pap Authentication

2013-01-18 Thread Alan DeKok
Joseph Showalter wrote:
> What we would like to do is this:
> 
> Take this request:
> 
>   User-Name = "6064191...@evdo.myawi.net"
>   CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
>   NAS-IP-Address = 10.130.2.1
>   CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
>   3GPP2-Attr-60 = 0x0001
>   3GPP2-Attr-61 = 0x010600010209a029275c41

  That looks like a series of TLVs to me.  i.e. not a password.  There
seems to be a 32-bit integer, followed by a 64-bit integer.

> And instead of using chap to authenticate the user, we take the 
> 3GPP2-Attr-61, convert it to the password we want, set it into the 
> cleartext-password, and have the sql module query the DB for that new 
> password.

  I'm not sure what that means.  "convert it to the password we want"?

> Here is the perl code that we run prior to the pap module:
> 
> 
>  $retattr .= "Cleartext-Password := $meid";
>  $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
>  $retattr .= ", Auth-Type := PAP ";

  Well, that won't work.

  The Cleartext-Password is the *known good* password.  The PAP module
needs a User-Password, too.  The User-Password is the password as
entered by the user.

  If you're going to force authentication success, why not just set
"Auth-Type := Accept"?  That avoids all of the mangling of passwords
(chap and pap)

  Alan DeKok.
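The reason the CHAP attributes in the request cannot be "replaced with the new PAP user/password" lies in how CHAP works, and the following Python, added here as an example rather than taken from the thread or from FreeRADIUS, shows it: verification recomputes MD5(Identifier || password || challenge) from the stored cleartext password and compares it with the 16-byte response, so the server needs a `Cleartext-Password`, and the request never carries anything a PAP check could use. It splits the 17-byte `CHAP-Password` captured in the original post to show its identifier byte, then verifies a constructed request (the sample password, challenge and Request Authenticator are made up) for the success, wrong-password and missing-`CHAP-Challenge` cases.

```python
from __future__ import annotations
import hashlib
import hmac

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def split_chap_password(attr: bytes) -> tuple[int, bytes]:
    """RFC 2865 section 5.3: CHAP-Password is a 1-byte CHAP Identifier followed
    by the 16-byte response; nothing in it is the password itself."""
    if len(attr) != 17:
        raise ValueError(f"CHAP-Password must be 17 bytes, got {len(attr)}")
    return attr[0], attr[1:]

def chap_challenge(request: dict, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.40: when the NAS sends no CHAP-Challenge attribute,
    the Request Authenticator of the Access-Request is the challenge."""
    return request.get("CHAP-Challenge", request_authenticator)

def verify_chap(request: dict, request_authenticator: bytes, cleartext_password: str) -> bool:
    """What a CHAP check needs: the request's CHAP-Password and challenge plus the
    stored cleartext (Cleartext-Password). Only the response travels, so there is
    no way to turn the request into a PAP User-Password."""
    ident, response = split_chap_password(request["CHAP-Password"])
    challenge = chap_challenge(request, request_authenticator)
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)

def build_chap_request(ident: int, password: str, challenge: bytes, user: str,
                       include_challenge: bool = True) -> dict:
    """Client side, used here only to construct sample requests for the demonstration."""
    request = {"User-Name": user,
               "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}
    if include_challenge:
        request["CHAP-Challenge"] = challenge
    return request

# Values captured in the original post: 17 bytes of CHAP-Password (identifier 0x59
# plus a 16-byte response) and a 16-byte CHAP-Challenge. The password behind them
# is unknown, which is exactly the point.
PAGE_CHAP_PASSWORD = bytes.fromhex("59db2896a9629a7a1296e8e3dc7751da58")
PAGE_CHAP_CHALLENGE = bytes.fromhex("022074534be2e8405c867f676b46b432")

# Constructed sample: password, challenge and authenticator are made up for this example.
SAMPLE_PASSWORD = "constructed-secret"
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_AUTHENTICATOR = bytes(16)
SAMPLE_REQUEST = build_chap_request(0x2A, SAMPLE_PASSWORD, SAMPLE_CHALLENGE, "demo@evdo.example")

def demo() -> dict:
    """Outcomes a server would see for the constructed requests."""
    no_challenge = build_chap_request(0x2A, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR,
                                      "demo@evdo.example", include_challenge=False)
    return {
        "page_identifier": split_chap_password(PAGE_CHAP_PASSWORD)[0],
        "correct_password": verify_chap(SAMPLE_REQUEST, SAMPLE_AUTHENTICATOR, SAMPLE_PASSWORD),
        "wrong_password": verify_chap(SAMPLE_REQUEST, SAMPLE_AUTHENTICATOR, "wrong"),
        "wrong_challenge": verify_chap({**SAMPLE_REQUEST, "CHAP-Challenge": bytes(16)},
                                       SAMPLE_AUTHENTICATOR, SAMPLE_PASSWORD),
        # no CHAP-Challenge attribute: the Request Authenticator serves as the challenge
        "authenticator_as_challenge": verify_chap(no_challenge, SAMPLE_AUTHENTICATOR, SAMPLE_PASSWORD),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result!r}")
```

Because the check needs the cleartext password on the server side, CHAP cannot be verified against an NT hash or a crypt()-style hash the way MS-CHAP or PAP can; that is the storage constraint behind the advice to drop the CHAP games and validate the serial number directly.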


Chap/Pap Authentication

2013-01-18 Thread Joseph Showalter
What we would like to do is this:

Take this request:

User-Name = "6064191...@evdo.myawi.net"
CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
NAS-IP-Address = 10.130.2.1
CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
3GPP2-Attr-60 = 0x0001
3GPP2-Attr-61 = 0x010600010209a029275c41
Message-Authenticator = 0x01f9054690c3a469fa1bf824dfba3bbe
Proxy-State = 0x3136

And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, 
convert it to the password we want, set it into the cleartext-password, and 
have the sql module query the DB for that new password.

Here is the perl code that we run prior to the pap module:


 $retattr .= "Cleartext-Password := $meid";
 $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
 $retattr .= ", Auth-Type := PAP ";

We return the retattr to freeradius.

Here is the output:


 Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{NAS-IP-Address} -> 10.130.2.1
[preprocess]expand: %{NAS-IP-Address} -> 10.130.2.1
++[preprocess] returns ok
[evdoesn]   expand: %{User-Name} -> 6064191...@evdo.myawi.net
Exec-Program output: Cleartext-Password := 268435460102579521, CHAP-Password 
:="" , CHAP-Challenge :="" , Auth-Type := PAP 
Exec-Program-Wait: value-pairs: Cleartext-Password := 268435460102579521, 
CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP 
Exec-Program: returned: 0
++[evdoesn] returns ok
[auth_log]  expand: 
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118
[auth_log]  expand: %t -> Fri Jan 18 11:06:43 2013
++[auth_log] returns ok
[sql]   expand: %{User-Name} -> 6064191...@evdo.myawi.net
[sql] sql_set_user escaped user --> '6064191...@evdo.myawi.net'
rlm_sql (sql): Reserving sql socket id: 50
[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM 
radcheck   WHERE Username = '%{SQL-User-Name}' ORDER BY id 
-> SELECT id, UserName, Attribute, Value, OpFROM radcheck   
WHERE Username = '6064191...@evdo.myawi.net'ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
FROM radcheck   WHERE Username = '6064191...@evdo.myawi.net'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM 
radreply   WHERE Username = '%{SQL-User-Name}' ORDER BY id 
-> SELECT id, UserName, Attribute, Value, OpFROM radreply   
WHERE Username = '6064191...@evdo.myawi.net'ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op
FROM radreply   WHERE Username = '6064191...@evdo.myawi.net'
ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql]   expand: SELECT GroupName FROM usergroup WHERE 
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE 
UserName='6064191...@evdo.myawi.net'
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE 
UserName='6064191...@evdo.myawi.net'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql]   expand: SELECT radgroupcheck.id, radgroupcheck.GroupName,   
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op   FROM 
radgroupcheck, usergroup   WHERE usergroup.Username = 
'%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName
 ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id, 
radgroupcheck.GroupName,  radgroupcheck.Attribute, 
radgroupcheck.Value,radgroupcheck.Op   FROM radgroupcheck, usergroup
   WHERE usergroup.Username = '6064191...@evdo.myawi.net' AND 
usergroup.GroupName = radgroupcheck.GroupNameORDER BY 
radgroupcheck.id
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName,
radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op   
FROM radgroupcheck, usergroup   WHERE usergroup.Username = 
'6064191...@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName   
 ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] User found in group evdo
[sql]   expand: SELECT radgroupreply.id, radgroupreply.G

Re: openLDAP authorization with PAP authentication

2012-03-31 Thread Alan Buxey
Take the default supplied config. Add ldap to the authorize section in default 
and inner-tunnel, and to the authenticate section of both. Add your AP into 
clients.conf. Now edit the ldap module to your requirements.

That should work pretty much as is.

Rinse, repeat. I.e. now edit other things to optimise, looking at the debug 
output AFTER EACH CHANGE to see what's needed and what's not. Set PEAP as the 
default type in EAP.conf rather than md5 etc.

alan

--
This smartphone has free worldwide WiFi access using eduroam. Now. that IS 
smart.


Re: openLDAP authorization with PAP authentication

2012-03-31 Thread Matthew Newton
On Fri, Mar 30, 2012 at 03:52:50PM -0700, Jay Ludlow wrote:
> Found Auth-Type = EAP
> 
>   WARNING: Unknown value specified for Auth-Type.  Cannot perform requested 
> action.

You've got "eap" in the authorize section of your outer (default)
virtual server, but you've removed it from the authenticate
section.

Hint: put your whole config in version control (e.g. git) and then
it makes it easy to go back to a working config when you break it.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
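This reply and Arran's in the PEAP thread diagnose the same mistake: a module left in `authorize` sets an `Auth-Type` that nothing in `authenticate` services, and the request dies with "Unknown value specified for Auth-Type". The following Python is an added example (not part of the thread or of FreeRADIUS) that reads a virtual server file, pairs the authentication modules listed in `authorize` with the `Auth-Type` sub-sections and bare modules in `authenticate`, and reports the ones left without a handler. The module-to-Auth-Type table and the trimmed sample configuration are constructed for the example.

```python
from __future__ import annotations
import re

# Authentication modules seen in these threads and the Auth-Type each sets when it
# recognises a request. Standard FreeRADIUS 2.x behaviour, listed here as an assumption
# of this example; extend the table for other modules you load.
AUTH_MODULE_TYPES = {"eap": "EAP", "pap": "PAP", "chap": "CHAP", "mschap": "MS-CHAP"}

def strip_comments(text: str) -> str:
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def extract_section(text: str, name: str) -> str | None:
    """Body of the first `name { ... }` block, found by counting braces."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]*\{", text, re.MULTILINE)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced braces in section {name!r}")

def auth_types_set_in_authorize(body: str) -> set[str]:
    """Auth-Types the modules listed in authorize can set."""
    types = set()
    for line in body.splitlines():
        word = line.strip().rstrip("{").strip()      # accept both `eap` and `eap {`
        if word in AUTH_MODULE_TYPES:
            types.add(AUTH_MODULE_TYPES[word])
    return types

def auth_types_handled_in_authenticate(body: str) -> set[str]:
    """Auth-Types authenticate can service: explicit `Auth-Type X {` sub-sections,
    plus bare modules, which service the Auth-Type of their own name."""
    handled = set()
    for line in body.splitlines():
        s = line.strip()
        m = re.match(r"Auth-Type\s+([\w-]+)\s*\{", s)
        if m:
            handled.add(m.group(1).upper())
        elif s in AUTH_MODULE_TYPES:
            handled.add(AUTH_MODULE_TYPES[s])
    return handled

def missing_auth_types(config: str) -> set[str]:
    """Auth-Types authorize can set but authenticate cannot service. Each one is a
    request that stops with 'WARNING: Unknown value specified for Auth-Type'."""
    text = strip_comments(config)
    authz = extract_section(text, "authorize") or ""
    authn = extract_section(text, "authenticate") or ""
    return auth_types_set_in_authorize(authz) - auth_types_handled_in_authenticate(authn)

# Constructed, trimmed virtual server modelled on the situation in this thread:
# eap is still listed in authorize but has been removed from authenticate.
BROKEN_DEFAULT = """
server default {
    authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        files
        ldap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        ldap
        # eap used to be here
    }
}
"""
FIXED_DEFAULT = BROKEN_DEFAULT.replace("        # eap used to be here", "        eap")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_DEFAULT), ("fixed", FIXED_DEFAULT)):
        print(label, "->", sorted(missing_auth_types(cfg)) or "every Auth-Type has a handler")
```

Run it over both `sites-enabled/default` and `sites-enabled/inner-tunnel`; the inner server needs the same pairing, which is why Alan Buxey's reply above says to add the module to both sections of both files.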


Re: openLDAP authorization with PAP authentication

2012-03-31 Thread Alan DeKok
Jay Ludlow wrote:
> I have a working RADIUS server for localhost lookup, but when I try and
> authenticate with my HP Procurve 420 Wireless Access Point using these
> wireless connection methods with Ubuntu 10.04LTS:
...
> I get the following result:

> Found Auth-Type = EAP
>   WARNING: Unknown value specified for Auth-Type.  Cannot perform
> requested action.

  You edited the default configuration files, and broke the server.

  Don't do that.

  Alan DeKok.


openLDAP authorization with PAP authentication

2012-03-30 Thread Jay Ludlow

I have a working RADIUS server for localhost lookup, but when I try and 
authenticate with my HP Procurve 420 Wireless Access Point using these wireless 
connection methods with Ubuntu 10.04LTS:

Wireless Security: WPA & WPA2 Enterprise
Authentication: Tunneled TLS | Protected EAP (PEAP)
Anonymous Identity: (Blank)
CA Certificate: (None)
Inner Authentication: PAP, MSCHAP, MSCHAPv2, CHAP | MSCHAPv2, MD5, GTC
Username: guest
Password: userpasswd

I get the following result:

FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Feb 22 2012 at 14:59:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap.rpmnew
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mschap.bak
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap.rpmnew
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ldap.rpmnew.original
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default.original
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
ho

Re: openLDAP authorization with PAP authentication

2012-01-20 Thread Alan DeKok
Jay Ludlow wrote:
> I am very new to radius, and I am having a problem configuring radius to
> authenticate by checking my already running openldap server for
> authorization and then using PAP for authentication.

  I suggest formatting your post in paragraphs to clearly delineate
ideas.  Right now, it's just a wall of pale blue text.  That makes it
hard for people to read your message, and therefore hard for people to
help you.

  In short, you are logging in with a username that appears in
/etc/passwd.  FreeRADIUS is using the password taken from there, instead
of the password from LDAP.

  Edit raddb/sites-available/default, and remove the "unix" entry from
the "authorize" section.  After that, it will start using the password
from LDAP.

  Alan DeKok.


Re: PAP authentication to Active Directory

2011-07-13 Thread Phil Mayers

On 07/13/2011 06:04 PM, Axford M.F. wrote:
> Hi
>
> I'm currently setting up a radius server to authenticate EAP based requests 
> against Active Directory.
>
> Using Alan Dekok's guide I've got this authenticating mschap based EAP requests 
> successfully.
>
> I also want to authenticate ttls/pap requests and I've found two ways to do 
> this that seem to work.
>
> Method 1 is based on what's in 
> http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html
>
> Method 2 is to use LDAP for pap authentications.
>
> All things being equal my preference is to use Method 1 as it keeps all 
> authentications the same, however the:
>
>     if (!control:Auth-Type) {
>         update control {
>             Auth-Type = ntlm_auth_pap
>         }
>     }
>
> in the inner-tunnel/authorize section seems a bit like a hack. Is there a 
> better way to do this?


We do this:

server inner-tunnel {
  authorize {
...
mschap
eap
pap
  }
  authenticate {
Auth-Type PAP {
  ntlm_auth_pap
}
...
  }
}

...which is, in its own way, a hack (run the "pap" module to set the 
Auth-Type, run a different module to service it). Your solution isn't so 
bad; the "pap" module itself basically only does this internally:


if (!control:Auth-Type && User-Password) {
  update control {
Auth-Type := PAP
  }
}



> Is either method particularly better than the other?


There might be circumstances in which LDAP is better; but knowing how 
the protocols work and the failure modes of the two modules in 
FreeRADIUS, I doubt it.


It also means you don't need a username to bind to LDAP for you; which 
is just another bit of config to get wrong, out of date, expired 
password, or compromised...


If you don't need LDAP for other reasons (e.g. groups) then don't bother 
with it.



PAP authentication to Active Directory

2011-07-13 Thread Axford M.F.
Hi

I'm currently setting up a radius server to authenticate EAP based requests 
against Active Directory.

Using Alan Dekok's guide I've got this authenticating mschap based EAP requests 
successfully.

I also want to authenticate ttls/pap requests and I've found two ways to do 
this that seem to work.

Method 1 is based on what's in 
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html

Method 2 is to use LDAP for pap authentications.

All things being equal my preference is to use Method 1 as it keeps all 
authentications the same, however the:

    if (!control:Auth-Type) {
        update control {
            Auth-Type = ntlm_auth_pap
        }
    }

in the inner-tunnel/authorize section seems a bit like a hack. Is there a 
better way to do this?

Is either method particularly better than the other ?

Regards

Mike Axford

-- 
Mike Axford
Enterprise Systems
iSolutions
University of Southampton
Southampton
SO17 1BJ

Email:  m.f.axf...@soton.ac.uk
Phone:  023 8059 5337
 


OT: JRadius client <-> Freeradius 2.1.10 PAP authentication

2011-03-29 Thread Harry Hoffman
Hi All,

If anyone is using JRadius client (especially via JASIG CAS) to authenticate
to a freeradius server using PAP could you contact me offlist?

Cheers,
Harry 



Re: PAP Authentication

2010-06-21 Thread Nicolas Goutte


On 21.06.2010 at 17:24, simone.trevi...@telsey.it wrote:

> Dear all,
> I have an ADSL modem (running a PPPoE client) connected to a Cisco PPPoE
> Server.
>
> The Cisco PPPoE Server forwards PPPoE requests from the CPE to FreeRADIUS
> 2.1.0.
> I would like to provide the CPE an IP address based on the pair:
> Username/password.
> Authentication used: PAP
>
> I see the WARNING message reported by FreeRADIUS, but my attempt to fix
> it fails.
> Can you help me?
> Thank you very much.
>
> ~~
>
> 1) I have added to radiusd.conf the module:
>     # PAP module to authenticate users based on their stored password
>     #
>     #  Supports multiple encryption schemes
>     #  clear: Clear text
>     #  crypt: Unix crypt
>     #  md5: MD5 encryption
>     #  sha1: SHA1 encryption.
>     #  DEFAULT: crypt
>     pap {
>         encryption_scheme = clear
>     }
> 2) I have modified the module pap:
>     pap {
>         auto_header = yes
>     }
> 3) In users I have added:
>     mr642wg Auth-Type := PAP, User-Password == "mr642wg"


Try using Cleartext-Password := "mr642wg" instead

[...]

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






PAP Authentication

2010-06-21 Thread simone . trevisan
Dear all,
I have an ADSL modem (running a PPPoE client) connected to a Cisco PPPoE 
Server.

The Cisco PPPoE Server forwards PPPoE requests from the CPE to FreeRADIUS 
2.1.0.
I would like to provide the CPE an IP address based on the pair: 
Username/password.
Authentication used: PAP

I see the WARNING message reported by FreeRADIUS, but my attempt to fix 
it fails.
Can you help me?
Thank you very much.

~~

1) I have added to radiusd.conf the module:
    # PAP module to authenticate users based on their stored password
    #
    #  Supports multiple encryption schemes
    #  clear: Clear text
    #  crypt: Unix crypt
    #  md5: MD5 encryption
    #  sha1: SHA1 encryption.
    #  DEFAULT: crypt
    pap {
        encryption_scheme = clear
    }
2) I have modified the module pap:
    pap {
        auto_header = yes
    }
3) In users I have added:
    mr642wg Auth-Type := PAP, User-Password == "mr642wg"
        Service-Type = Framed-User,
        User-Name = "mr642wg",
        User-Password = "mr642wg",
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.90.161,
        Framed-IP-Netmask = 255.255.255.248,
4) In clients.conf I have added:
    client 10.31.0.0/24 {
    #   # secret and password are mapped through the "secrets" file.
        secret      = testing123
        shortname   = liv1
    #   # the following three fields are optional, but may be used by
    #   # checkrad.pl for simultaneous usage checks
    #   nastype     = livingston
    #   login       = !root
    #   password    = someadminpas
    }

This is the output from freeradius -X

freeradius -X
FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Nov 14 2008 
at 11:57:03
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file 

Re: pap authentication for freeradius

2010-03-22 Thread EasyHorpak.com




Alan DeKok wrote:

> jittinan suwanrueangsri wrote:
>
>> It's seem that  rlm_pap module select password which reside in
>> /etc/shadow file before /usr/local/etc/users file.
>>
>> How can I change freeradius configure to select password from users file
>> first?
>
>   Edit raddb/sites-available/default.  Look for "unix", and delete that
> line.
>
>> What is different between := and == operator? I have already readed man
>> page but it does not make me clear.
>
>   There really isn't much more to say, unfortunately.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

read

Operators
    The operator used to assign the value of the attribute
    may be one of the following, with the given meaning.

    =   Add the attribute to the list, if and only if an
        attribute of the same name is already present in that list.

    :=  Add the attribute to the list.  If any
        attribute of the same name is already present in that list, its value
        is replaced with the value of the current attribute.

    +=  Add the attribute to the tail of the list, even if
        attributes of the same name are already present in the list.


-- 
http://www.EasyHorpak.com
http://www.EasyZoneCorp.net
http://www.thai-school.net




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: pap authentication for freeradius

2010-03-22 Thread Alan DeKok
jittinan suwanrueangsri wrote:
> It's seem that  rlm_pap module select password which reside in
> /etc/shadow file before /usr/local/etc/users file.
>  
> How can I change freeradius configure to select password from users file
> first?

  Edit raddb/sites-available/default.  Look for "unix", and delete that
line.

> What is different between := and == operator? I have already readed man
> page but it does not make me clear.

  There really isn't much more to say, unfortunately.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


pap authentication for freeradius

2010-03-22 Thread jittinan suwanrueangsri
Dear All

I have added a user in /usr/local/etc/users and /etc/shadow, but the passwords in
both places are different.

First, I try to authenticate by the PAP protocol; then I can log in correctly by
supplying the shell account password, but I cannot log in by supplying the password
which resides in the users file.
Second, I have created another account which exists only in the users file but not in
/etc/shadow; then I can log in correctly.

It seems that the rlm_pap module selects the password which resides in the /etc/shadow
file before the /usr/local/etc/users file.

How can I change the freeradius configuration to select the password from the users file
first?

What is the difference between the := and == operators? I have already read the man page
but it does not make it clear.

Thank You
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PAP Authentication Not Working ??

2009-12-01 Thread James Hankins
Regarding the version, by design if running Centos, which purposely
has a long cycle between releases based on upstream for stability. I'm
not against upgrading this though.  :)

So I did in fact read the users file or I wouldn't have made it this
far, but I'm not seeing anything that points me to this.

Upon further analysis, I can make this work, it seems from the Users
file.

But if I have the user in mysql it will only respond with an
Access-Accept if the password type on NTRadPing is set to Chap.

On Dec 1, 2009, at 6:01 PM, t...@kalik.net wrote:

>> I've got a 1.1-3 FreeRadius server and trying to figure out what to do
>> to enable PAP authentication.  CHAP is working when I use Radius Ping
>> but if I change the Password to
>> User-Password which if I understand it is supposed to enable PAP.
>> When I do this, I get a Access-Reject.  Is there something else I need
>> to do to enable PAP or force it?
>
> Why are you using such an ancient server version? Upgrade. Or read
> instructions in users file. They should be relevant for your server
> version.
>
> Ivan Kalik
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP Authentication Not Working ??

2009-12-01 Thread tnt
> I've got a 1.1-3 FreeRadius server and trying to figure out what to do
> to enable PAP authentication.  CHAP is working when I use Radius Ping
> but if I change the Password to
>
> User-Password which if I understand it is supposed to enable PAP.
> When I do this, I get a Access-Reject.  Is there something else I need
> to do to enable PAP or force it?

Why are you using such an ancient server version? Upgrade. Or read
instructions in users file. They should be relevant for your server
version.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PAP Authentication Not Working ??

2009-12-01 Thread James Hankins

Greetings,

I've got a 1.1-3 FreeRadius server and am trying to figure out what to do
to enable PAP authentication.  CHAP is working when I use Radius Ping,
but if I change the Password to User-Password, which if I understand it
is supposed to enable PAP, I get an Access-Reject.  Is there something
else I need to do to enable PAP or force it?


Thanks!

Jim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP authentication and multiple LDAP userpassword attributes

2009-02-09 Thread Alan DeKok
Christophe Saillard wrote:
> I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
> 
> I use FR for EAP-TTLS/PAP authentication with LDAP.
> 
> FR 1.1.7 successfully authenticates users with multiple LDAPuserpassword
> attributes which are stored with crypt and/or MD5 hash, the passwords
> are not the same (even it's better if the are) :

  No.  In 1.1.7, the server is doing LDAP "bind as user" for
authentication.  It is *completely* ignoring the crypt/MD5 passwords.

...
> rlm_ldap: Added password {MD5}x in check items
> rlm_ldap: Added password {crypt}x in check items
...
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP_OSIRIS for request 29
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
> rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
> rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+
> to ldaps://ldapuds.u-strasbg.fr
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mylogin authenticated succesfully

  See?  LDAP "bind as user".

> Now with FR 2.1.3, it looks like only the first password attribute is
> used :

  In 2.1.3, the "bind as user" functionality isn't used if the LDAP
server returns a "known good" password.

...
> [ldap] Added User-Password = {crypt}x in check items
> [ldap] Added User-Password = {MD5}x in check items
...
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group authenticate {...}
> [pap] login attempt with password "mycleartextpassword"
> [pap] Using CRYPT encryption.
> [pap] Passwords don't match

  The solution is simple:

  (1) fix it so that the passwords are NOT returned from LDAP

or

  (2) force "Auth-Type := LDAP" inside of the TTLS tunnel.  This might
break other things, but it will make the server work the same way as in
1.1.7.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PAP authentication and multiple LDAP userpassword attributes

2009-02-06 Thread Christophe Saillard

Hi,

I'm working on upgrading from FR 1.1.7 to FR 2.1.3.

I use FR for EAP-TTLS/PAP authentication with LDAP.

FR 1.1.7 successfully authenticates users with multiple LDAP userPassword
attributes which are stored with crypt and/or MD5 hash; the passwords
are not the same (even if it's better if they are):


###
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat:  '(&(uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat:  'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter 
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)

rlm_ldap: Added password {MD5}x in check items
rlm_ldap: Added password {crypt}x in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "LDAP_OSIRIS" returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
  rad_check_password:  Found Auth-Type LDAP_OSIRIS
auth: type "LDAP_OSIRIS"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ 
to ldaps://ldapuds.u-strasbg.fr

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
###

Now with FR 2.1.3, it looks like only the first password attribute is used :

###
[...]
[ldap]  expand: 
(&(uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) -> 
(&(uid=mylogin)(udsradiusProfileWifi=*))
[ldap]  expand: ou=people,o=annuaire -> ou=people,o=annuaire 

rlm_ldap: ldap_get_conn: Checking Id: 0 

rlm_ldap: ldap_get_conn: Got Id: 0 

rlm_ldap: performing search in ou=people,o=annuaire, with filter 
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}x in check items 

[ldap] Added User-Password = {MD5}x in check items 

[ldap] looking for check items in directory... 


[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password "mycleartextpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
###

Is there a way to tell FR to try the other attributes?

My configuration is quite simple, here's my 
sites-enabled/proxy-inner-tunnel :


server proxy-inner-tunnel {

   authorize {
   eap
   ldap
   pap
   }

   authenticate {
   eap
   pap
   }

   post-proxy {
   eap
   }
}

And the pap module:

pap {
auto_header = yes
}

Any clue ?

Thanks

--
---
Christophe Saillard
Université de Strasbourg
Direction Informatique
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP Authentication User-Password not working properly

2008-05-09 Thread Yago Fdez. Hansen

Thank you Ivan Kalik:

Great work in the mailing list for you and also Alan DeKok. I'll try the
recommendations. There is much documentation in the Freeradius Wiki and in
many other articles and forums. But one has to learn wrong things from
wrong articles, and it's sometimes difficult to guess the right information.
Bye all.



- Original Message - 
From: "Ivan Kalik" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Friday, May 09, 2008 10:59 PM
Subject: Re: PAP Authentication User-Password not working properly



> >
> > mysql> select  * from radcheck
> >     -> ;
> > +----+-------------+----------------+----+---------------+
> > | id | username    | attribute      | op | value         |
> > +----+-------------+----------------+----+---------------+
> > |  1 | Chapsqluser | User-Password  | == | chapsecret    |
> > |  2 | Chapsqluser | Auth-Type      | := | Local         |
> > |  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
> > |  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
> > +----+-------------+----------------+----+---------------+
> > 4 rows in set (0.00 sec)
> >
>
> Don't force Auth-Type. Remove Auth-Type Crypt-Local from the database
> entry. Let pap module sort it out. And entry for Chapsqluser is also
> wrong. Remove Auth-Type, replace password attribute with
> Cleartext-Password and op with :=. Server documentation clearly states:
>
> - don't use Auth-Type
>
> - use Cleartext-Password (not User-Password) for clear text passwords.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP Authentication User-Password not working properly

2008-05-09 Thread Scott Lambert
On Fri, May 09, 2008 at 08:17:25PM +0100, Yago Fdez. Hansen wrote:
> Dana 9/5/2008, "Yago Fdez. Hansen" <[EMAIL PROTECTED]> piše:
> >Hi everybody:
> >
> >I am installing a lab test server with Freeradius 2.0.4 with all
> >the authentication installed: CHAP, PAP, EAP and authorization over
> >MySQL, users, system, and LDAP.
> >
> >I installed it in the few last days and I have everything working
> >now, but as I was testing it, I could notice a bug. I created
> >users in every DB and file all of them with own password and user
> >entries. When I was testing with radtest ALL worked fine, but I
> >noticed that ONLY with PAP authentication and MySQL user it doesn't
> >matter if I put a clear password in radtest larger than the original
> >one I get an Access-Accept message.
> >
> >Example:
> >
> >radtest papsqluser papsecret localhost 0 testing123
> >Access-Accept
> >
> >radtest papsqluser papsecret43343 localhost 0 testing123
> >Access-Accept
> >
> mysql> select  * from radcheck
>     -> ;
> +----+-------------+----------------+----+---------------+
> | id | username    | attribute      | op | value         |
> +----+-------------+----------------+----+---------------+
> |  1 | Chapsqluser | User-Password  | == | chapsecret    |
> |  2 | Chapsqluser | Auth-Type      | := | Local         |
> |  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
> |  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
> +----+-------------+----------------+----+---------------+
> 4 rows in set (0.00 sec)

The DES crypt algorithm only deals with the first 8 characters of the
password.  

No bug, working as designed.

-- 
Scott LambertKC5MLE   Unix SysAdmin
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP Authentication User-Password not working properly

2008-05-09 Thread Ivan Kalik
>
>mysql> select  * from radcheck
>    -> ;
>+----+-------------+----------------+----+---------------+
>| id | username    | attribute      | op | value         |
>+----+-------------+----------------+----+---------------+
>|  1 | Chapsqluser | User-Password  | == | chapsecret    |
>|  2 | Chapsqluser | Auth-Type      | := | Local         |
>|  3 | Papsqluser  | Crypt-Password | == | /gTPHauHkNjWE |
>|  4 | Papsqluser  | Auth-Type      | := | Crypt-Local   |
>+----+-------------+----------------+----+---------------+
>4 rows in set (0.00 sec)
>

Don't force Auth-Type. Remove Auth-Type Crypt-Local from the database
entry. Let pap module sort it out. And entry for Chapsqluser is also
wrong. Remove Auth-Type, replace password attribute with
Cleartext-Password and op with :=. Server documentation clearly states:

- don't use Auth-Type

- use Cleartext-Password (not User-Password) for clear text passwords.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP Authentication User-Password not working properly

2008-05-09 Thread Yago Fdez. Hansen
 sql socket id: 4
   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY 
id -> SELECT id, username, attribute, value, op   FROM radcheck 
WHERE username = 'papsqluser'   ORDER BY id

rlm_sql (sql): User found in radcheck table
   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY 
id -> SELECT id, username, attribute, value, op   FROM radreply 
WHERE username = 'papsqluser'   ORDER BY id
   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT 
groupname   FROM radusergroup   WHERE username = 
'papsqluser'   ORDER BY priority

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for papsqluser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> 
(uid=papsqluser)

   expand: dc=midominio,dc=loc -> dc=midominio,dc=loc
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.midominio.loc:389, authentication 0
rlm_ldap: bind as cn=admin,dc=midominio,dc=loc/misecreto to 
ldap1.midominio.loc:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=midominio,dc=loc, with filter 
(uid=papsqluser)

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: searcch failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
 rad_check_password:  Found Auth-Type Crypt-Local
auth: type Crypt
Login OK: [papsqluser/papsecret] (from client localhost port 0)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 144 to 127.0.0.1 port 60121
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 144 with timestamp +4
Ready to process requests.

---
Second auth:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=144, 
length=20

[EMAIL PROTECTED]:~#
[EMAIL PROTECTED]:~# radtest papsqluser papsecret1233323 localhost 0 testing123
Sending Access-Request of id 167 to 127.0.0.1 port 1812
   User-Name = "papsqluser"
   User-Password = "papsecret1233323"
   NAS-IP-Address = 192.168.1.100
   NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=167, 
length=20


rad_recv: Access-Request packet from host 127.0.0.1 port 53931, id=167, 
length=62

   User-Name = "papsqluser"
   User-Password = "papsecret1233323"
   NAS-IP-Address = 192.168.1.100
   NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
   rlm_realm: No '@' in User-Name = "papsqluser", looking up realm NULL
   rlm_realm: No such realm "NULL"
++[suffix] returns noop
 rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
   expand: %{User-Name} -> papsqluser
rlm_sql (sql): sql_set_user escaped user --> 'papsqluser'
rlm_sql (sql): Reserving sql socket id: 4
   expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY 
id -> SELECT id, username, attribute, value, op   FROM radcheck 
WHERE username = 'papsqluser'   ORDER BY id

rlm_sql (sql): User found in radcheck table
   expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY 
id -> SELECT id, username, attribute, value, op   FROM radreply 
WHERE username = 'papsqluser'   ORDER BY id
   expand: SELECT groupname   FROM radusergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT 
groupname   FROM radusergroup   WHERE username = 
'papsqluser'   ORDER BY priority

rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for papsqluser
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> 
(uid=papsqluser)


Re: PAP Authentication User-Password not working properly

2008-05-09 Thread Ivan Kalik
radiusd -X

Ivan Kalik
Kalik Informatika ISP


Dana 9/5/2008, "Yago Fdez. Hansen" <[EMAIL PROTECTED]> piše:

>Hi everybody:
>
>I am installing a lab test server with Freeradius 2.0.4 with all the
>authentication installed: CHAP, PAP, EAP and authorization over MySQL,
>users, system, and LDAP.
>
>I installed it in the few last days and I have everything working now, but
>as I was testing it, I could notice a bug. I created users in every DB and
>file all of them with own password and user entries. When I was testing with
>radtest ALL worked fine, but I noticed that ONLY with PAP authentication and
>MySQL user it doesn't matter if I put a clear password in radtest larger
>than the original one I get an Access-Accept message.
>
>Example:
>
>radtest papsqluser papsecret localhost 0 testing123
>Access-Accept
>
>radtest papsqluser papsecret43343 localhost 0 testing123
>Access-Accept
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PAP Authentication User-Password not working properly

2008-05-09 Thread Yago Fdez. Hansen

Hi everybody:

I am installing a lab test server with Freeradius 2.0.4 with all the
authentication installed: CHAP, PAP, EAP and authorization over MySQL,
users, system, and LDAP.


I installed it in the last few days and I have everything working now, but
as I was testing it, I noticed a bug. I created users in every DB and
file, all of them with their own password and user entries. When I was testing with
radtest ALL worked fine, but I noticed that ONLY with PAP authentication and a
MySQL user it doesn't matter if I put a clear password in radtest larger
than the original one; I get an Access-Accept message.


Example:

radtest papsqluser papsecret localhost 0 testing123
Access-Accept

radtest papsqluser papsecret43343 localhost 0 testing123
Access-Accept

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TTLS-PAP authentication with LDAP bind

2007-01-28 Thread Alan DeKok
Richard Hesse wrote:

> If I force the Mac or Windows supplicants to use TTLS-PAP, the request is 
> never
> passed to radiusd.

  The NAS is broken.

> I don't know what's going on but my AP (Aruba 200) seems to be detecting that
> something isn't right with its AAA server

  Disable the Aruba AAA server.  If you're using FreeRADIUS, you DO NOT
need the Aruba AAA server.

> and not passing the request on. If I change the supplicants to use their
> default settings, the requests are sent to FreeRadius, but the requests fail.
> Again, the Aruba seems to think that something is wrong and presents its
> certificate instead of my server's.

  Disable the Aruba AAA server.

> Yes, I've run the server in debug mode (there are no requests coming in).

  Then the NAS is broken.

  It's not rocket science:  If FreeRADIUS isn't getting any requests,
then there is NOTHING YOU CAN DO to FreeRADIUS to fix the problem.

  The NAS is broken.  Disable its AAA server.  I can't emphasize that
enough.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


TTLS-PAP authentication with LDAP bind

2007-01-27 Thread Richard Hesse
First off, I'd like to say thanks in advance to anyone who can help me here. 
I've spent the past few days searching the list archives and other sites for 
information on how to accomplish this. The overwhelming message from these 
searches was that "it should just work" and that "the server will figure out 
what to do." Sadly, that's not the case here.

My goals here are straightforward:
-Authorize the user in LDAP if a corresponding entry exists (just checking 
against uid, nothing fancy).
-Support TTLS-PAP and PEAP-GTC. The default Macintosh configuration supports 
PEAP-GTC with no config. SecureW2 will be used for TTLS-PAP on Windows clients.
-Authenticate the user's clear-text password via a simple LDAP bind encrypted 
via TLS. No userPassword attribute checking here. A simple bind is all.

Using version 1.14.

Here's my eap.conf with comments stripped out:
eap {
default_eap_type = ttls
timer_expire = 10
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
gtc {
challenge = "Password: "
auth_type = PAP
}
tls {
private_key_password = foo
private_key_file = ${raddbdir}/certs/key.pem
certificate_file = ${raddbdir}/certs/cert.pem
CA_file = ${raddbdir}/certs/sf_issuing.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
ttls {
default_eap_type = gtc
}
 peap {
default_eap_type = gtc
}
}

Relevant sections of radius.conf are:
ldap {
server = "myserverentry"
basedn = "myDN"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = yes
tls_cacertfile  = /opt/fedora-ds/alias/intCA.pem
tls_require_cert= "demand"
access_attr = "uid"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}

authorize {
preprocess
suffix
ntdomain
eap
files
ldap
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type LDAP {
ldap
}
eap
}

If I force the Mac or Windows supplicants to use TTLS-PAP, the request is never 
passed to radiusd. I don't know what's going on but my AP (Aruba 200) seems to 
be detecting that something isn't right with its AAA server and not passing the 
request on. If I change the supplicants to use their default settings, the 
requests are sent to FreeRadius, but the requests fail. Again, the Aruba seems 
to think that something is wrong and presents its certificate instead of my 
server's. At one point, I had the clients seeing the server's certificate but I 
can't seem to get back in that state. So I don't think my AP is broken, I'm 
pretty sure it's my FreeRadius config that's broken. The users file is 
unchanged and the proper entries are in clients.

Yes, I've run the server in debug mode (there are no requests coming in).

Thanks,
-richard





 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in sending PAP Authentication with radclient

2006-01-17 Thread Alan DeKok
Hamzeh Motahari <[EMAIL PROTECTED]> wrote:
>  What should we do if we want send password using MD5  method?

  RADIUS doesn't support sending MD5 passwords in a packet.

> If "radclient" doesn't support this, can you suggest an open source
> radius client which can do this?

  No RADIUS client can do this.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem in sending PAP Authentication with radclient

2006-01-17 Thread Hamzeh Motahari
Hello,

We have set the PAP scheme to MD5 in "radius.conf". Now we can't authenticate users using "radclient". When the configuration changes from 'MD5' to 'Clear text', everything is good.

What should we do if we want to send the password using the MD5 method? If "radclient" doesn't support this, can you suggest an open source radius client which can do this?

Thanks.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP - Userbase with EAP-TTLS/PAP authentication

2004-09-10 Thread Kostas Kalevras
On Fri, 10 Sep 2004, Emil Kokor wrote:

> Hi!
>
> My userbase is LDAP.
> The LDIF looks like:
>
> dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
> userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
>
> UserPassword is "emil" == "{SSHA}d3BdffZAUAVqkMRWYI0eYQ3gE8UpWO51"
> (only for testing purposes)
>
> I'm using FreeRADIUS 1.0.0 with OpenSSL 0.9.7d (now without problems after I used
> --disable-shared option).
>
> For authentication I should use (I think so) EAP-TTLS/PAP because of LDAP-Userbase and
> crypted passwords.
>
>
> In users-File there is only one default entry to deny access for a group of users.
>
> Are the settings so far ok?
> Because it doesn't work.
>
>
> radiusd.conf:
>
> authenticate {
>  Auth-Type PAP {
>  pap
>  }
>
> #   Auth-Type CHAP {
> #   chap
> #   }
> #   Auth-Type MS-CHAP {
> #   mschap
> #   }
> #   Auth-Type LDAP {
> #   ldap
> #   }
>  eap

Please configure authentication through the ldap module, not the pap module. That
should make things work.
And as suggested in the FAQ and the documentation, run the server in debug mode
(radiusd -X).

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP - Userbase with EAP-TTLS/PAP authentication

2004-09-10 Thread Emil Kokor
Hi!
My userbase is LDAP.
The LDIF looks like:
dn: uid=ekokor, ou=People, dc=wss-stuttgart,dc=de
userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE=
loginShell: /bin/bash
uidNumber: 5966
gidNumber: 831
objectClass: posixAccount
objectClass: account
objectClass: top
objectClass: shadowAccount
objectClass: radiusprofile
uid: ekokor
gecos: S27064
shadowLastChange: 12405
cn: Emil Kokor
homeDirectory: /home/schueler/K3fti1/ekokor
radiusGroupName: allowed
UserPassword is "emil" == "{SSHA}d3BdffZAUAVqkMRWYI0eYQ3gE8UpWO51"
(only for testing purposes)
I'm using FreeRADIUS 1.0.0 with OpenSSL 0.9.7d (now without problems after I used 
--disable-shared option).

For authentication I should use (I think so) EAP-TTLS/PAP because of LDAP-Userbase and 
crypted passwords.

In users-File there is only one default entry to deny access for a group of users.
Are the settings so far ok?
Because it doesn't work.
radiusd.conf:


pap {
   encryption_scheme = crypt
}
..
..
ldap {
server = "localhost"
identity = "cn=Manager,dc=wss-stuttgart,dc=de"
password = wlan
basedn = "ou=People,dc=wss-stuttgart,dc=de"
filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
base_filter = "(objectclass=radiusprofile)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_attribute = userPassword
groupname_attribute = radiusGroupName
groupmembership_filter = 
"(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusProfile))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
  }
..
..
files {
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users

#  If you want to use the old Cistron 'users' file
#  with FreeRADIUS, you should change the next line
#  to 'compat = cistron'.  You can the copy your 'users'
#  file from Cistron.
compat = no
  }
..
..
authorize {
preprocess
auth_log
# attr_filter
# chap
# mschap
suffix
eap
files
ldap
  }
..
..
authenticate {
Auth-Type PAP {
pap
}
#   Auth-Type CHAP {
#   chap
#   }
#   Auth-Type MS-CHAP {
#   mschap
#   }
#   Auth-Type LDAP {
#   ldap
#   }
eap
}
eap.conf:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
 tls {
.
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}
users:
only
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
Reply-Message = "Sie sind nicht berechtigt!"




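An added illustration, not FreeRADIUS code and not anything the posters wrote, of two points on this page: Alan DeKok's explanation in the "PAP authentication and multiple LDAP userpassword attributes" thread that pap in 2.1.3 decides on the first password check item it is handed (so a second, different userPassword is never consulted unless LDAP stops returning passwords and the bind-as-user path is used), and the {SSHA} userPassword in Emil Kokor's LDIF above, which a pap module pinned to crypt cannot verify. The {SCHEME} parsing follows what `auto_header = yes` does; the sample check items are constructed with {SSHA} and {MD5} values in place of the page's crypt + MD5 pair (crypt is not in the Python standard library), and all function names are my own.

```python
"""Added example (not FreeRADIUS code): a model of a PAP check over {SCHEME}
password check items, showing why only the first stored password decides."""
import base64
import hashlib
import os
from typing import List, Optional, Tuple

CheckItem = Tuple[str, str]  # (attribute, value) as rlm_ldap / rlm_sql add them

# Verbatim from Emil Kokor's LDIF on this page; "::" marks a base64-encoded value.
EMIL_LDIF_LINE = "userPassword:: e1NTSEF9ZDNCZGZmWkFVQVZxa01SV1lJMGVZUTNnRThVcFdPNTE="


def ldif_userpassword(line: str) -> str:
    """Decode a 'userPassword::' LDIF line into the stored value, header included."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip() != "userPassword":
        raise ValueError("expected a base64 'userPassword::' line")
    return base64.b64decode(value.strip()).decode()


def split_header(value: str) -> Tuple[str, str]:
    """Roughly what pap's auto_header = yes does: peel a leading {SCHEME} off."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.lower(), payload
    return "clear", value


def ssha_parts(payload: str) -> Tuple[bytes, bytes]:
    """{SSHA} is base64(sha1(password + salt) + salt): 20 digest bytes, then salt."""
    raw = base64.b64decode(payload)
    return raw[:20], raw[20:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value (hypothetical helper, only used to construct samples)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_md5(password: str, as_hex: bool = False) -> str:
    """Build a {MD5} value; FreeRADIUS accepts the digest as hex or base64."""
    h = hashlib.md5(password.encode())
    return "{MD5}" + (h.hexdigest() if as_hex else base64.b64encode(h.digest()).decode())


def check_one(stored: str, password: str) -> bool:
    """Compare one stored value against the cleartext carried in the PAP request."""
    scheme, payload = split_header(stored)
    if scheme in ("clear", "cleartext"):
        return payload == password
    if scheme == "md5":
        try:
            raw = bytes.fromhex(payload) if len(payload) == 32 else base64.b64decode(payload)
        except ValueError:
            return False
        return raw == hashlib.md5(password.encode()).digest()
    if scheme == "ssha":
        digest, salt = ssha_parts(payload)
        return hashlib.sha1(password.encode() + salt).digest() == digest
    # {crypt} and the SHA-2 schemes are left out here. Refusing is also the right
    # production behaviour for a scheme the module was not configured for: a pap
    # pinned to crypt (Emil's encryption_scheme = crypt) cannot verify an SSHA value.
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


def first_password_only(items: List[CheckItem], password: str) -> Optional[bool]:
    """The 2.1.3 behaviour Alan describes: the first password check item decides.
    None means no known-good password was found, so pap stays noop and the
    LDAP bind-as-user path has to do the authentication."""
    for attr, value in items:
        if attr == "User-Password":
            return check_one(value, password)
    return None


def any_password(items: List[CheckItem], password: str) -> bool:
    """What Christophe expected from 1.1.7: accept if any stored password matches."""
    return any(check_one(v, password) for a, v in items if a == "User-Password")


def strip_known_good(items: List[CheckItem]) -> List[CheckItem]:
    """Alan's option (1): hand no passwords to pap at all, forcing bind-as-user."""
    return [(a, v) for a, v in items if a != "User-Password"]


if __name__ == "__main__":
    # Constructed stand-in for two userPassword values holding different passwords
    # (SSHA + MD5 here instead of the page's crypt + MD5; crypt is not in stdlib).
    items = [("User-Password", make_ssha("old-password")),
             ("User-Password", make_md5("mycleartextpassword"))]
    print("first only:", first_password_only(items, "mycleartextpassword"))  # False
    print("any match: ", any_password(items, "mycleartextpassword"))         # True
    print("bind path: ", first_password_only(strip_known_good(items), "x"))  # None
    scheme, payload = split_header(ldif_userpassword(EMIL_LDIF_LINE))
    digest, salt = ssha_parts(payload)
    print(f"Emil's stored value is {{{scheme}}}: {len(digest)}-byte digest, {len(salt)}-byte salt")
```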