Re: Authentication
On 23/9/2013 3:14 pm, Free-Radius wrote:
> I wonder if FreeRADIUS can authenticate a client by IP number, without using login and password, only the IP. If possible, how to do it?

You can authenticate a client based on MAC address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

Of course not by IP number, which can be manipulated.

Regards,
Nick
Re: Authentication
Just also beware that the MAC can be spoofed too, with lots of programs :)

On 23 September 2013 at 13:46 Nikolaos Milas <nmi...@noa.gr> wrote:
> You can authenticate a client based on MAC address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.
>
> Of course not by IP number, which can be manipulated.

Ken Farrington
Director, CCIE #12651
802 Limited
http://www.802.co.uk
Re: Authentication
On Monday, 23 September 2013, 13:53:14, ken.farrington wrote:
> Just also beware that the MAC can be spoofed too, with lots of programs :)

Yes: ip link dev ... set addr ...

> On 23 September 2013 at 13:46 Nikolaos Milas <nmi...@noa.gr> wrote:
>> You can authenticate a client based on MAC address. See http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.
>>
>> Of course not by IP number, which can be manipulated.

--
Kind regards,
Michael Schwartzkopff

--
sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Re: authentication by hostname
Hi,

Could it be you are in an AD environment? Your request looks like what I see in my environment. If so:

Domain-joined Windows machines (for what I have tested) have a computer account in AD. This can be used by the Windows client (never tested with domain-joined Macs or Linux machines) to authenticate as a machine against the network (using PEAP-MSCHAPv2). Technically you don't authenticate by hostname, but you use the computer's AD account.

Another way would be to use EAP-TLS with certificates on your machines.

If you implement the Samba/winbind way as described by deployingradius.com you can authenticate computer accounts. It required me to tweak the LDAP default config for group-based authorization, but in case this is what you are looking for, ping back and I can show you the LDAP filters I use. If you are only into authentication, most likely the public pages will already let you in, but (at least on Debian wheezy) I had to modify modules/mschap as follows:

mschap {
    ...
    with_ntdomain_hack = yes
    ...
    # Debian
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

    # Mine (at least that made it work)
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    ...
}

--
Mathieu
Re: authentication by hostname
Stefan Sticht wrote:
> I want to change a FreeRADIUS server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file.

That's not how RADIUS works.

> How could I do this?

You can't.

> This is the authentication request:
> ...
> EAP-Message = 0x0201001401686f73742f544344452d3030303131

That's EAP authentication. You can't bypass the authentication.

So... *why* do you want to do this? What other alternatives do you have?

Alan DeKok.
Re: Authentication using LDAP for 802.1x
On 19.06.2013 14:11, Marco Streich wrote:
> Hi all
>
> We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the "Connect Network Account Server" functionality provided by OS X.
>
> I have seen this question getting asked a lot but still wasn't able to fill my gap in understanding the whole process.

I will make it short and easy. You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. If it's not in your LDAP, you're screwed.

And the debug log explains it:

> WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.

[snip]

> At this moment, I cannot wrap my mind around what is going on here. I understand that ldap tries to authenticate the user by itself, instead of handing it to the LDAP server. But what is different when I run radtest?
>
> Debug from radtest:
> ...
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group LDAP {...}
> [ldap] login attempt by a4 with password whatever
> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
> [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
> [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] user a4 authenticated successfully
> ++[ldap] returns ok
> ...

This works because you're doing PAP. With radtest the user password is sent in cleartext. So YES, you can authenticate with LDAP because you can BIND to the LDAP with the provided password. You don't have this password with 802.1x/EAP. You work only with challenges, hashes and keys.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: Authentication using LDAP for 802.1x
Hi,

> I will make it short and easy. You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. If it's not in your LDAP, you're screwed.

..EAP-TTLS/PAP ? ;-)

alan
Re: Authentication using LDAP for 802.1x
On 19/06/13 13:11, Marco Streich wrote:
> When I run radtest from my laptop, the authentication is successful:

radtest does not send EAP. Download the wpa_supplicant sources and compile eapol_test to test EAP.

> WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?

This suggests your LDAP server does not contain, or is not returning, password info. So auth would probably have failed...

> [ttls] eaptls_verify returned 11
> [ttls] TLS 1.0 Alert [length 0002], warning close_notify
> TLS Alert read:warning:close notify
> [ttls] WARNING: No data inside of the tunnel.

...except it never gets as far as the inner tunnel because the client drops the EAP session. Most likely the client doesn't trust the server cert.
Re: Authentication using LDAP for 802.1x
On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
> On 19.06.2013 14:11, Marco Streich wrote:
>> We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the "Connect Network Account Server" functionality provided by OS X.
>
> I will make it short and easy. You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. If it's not in your LDAP, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) you can work without a cleartext password, as auth is (generally) based on an LDAP bind.

With EAP-TTLS/PAP, you can also work with just the hash in LDAP, as (same as clear PAP) you get the password from the client to do a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc. you need the cleartext password from LDAP - auth is done by checking this in FreeRADIUS, not by a bind to LDAP.

>> [ldap] login attempt by a4 with password whatever
>> [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
>> [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
>> [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
>> [ldap] waiting for bind result ...
>> [ldap] Bind was successful
>> [ldap] user a4 authenticated successfully
>> ++[ldap] returns ok
>
> This works because you're doing PAP. With radtest the user password is sent in cleartext. So YES, you can authenticate with LDAP because you can BIND to the LDAP with the provided password. You don't have this password with 802.1x/EAP. You work only with challenges, hashes and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native Windows 8 can't), so this should work.

I don't recognise the error you're getting, though - it looks like the client gave up and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to work - the outer is just doing EAP. It's the inner that will need the ldap modules.

Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.

Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.

Cheers

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Re: Authentication using LDAP for 802.1x
Hi,

> Some other comments -
>
> Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x.
>
> Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf
>
> Save yourself some LDAP lookups by removing ldap from the outer.

..and save some more hits to LDAP by wrapping the call to it in the authorization stage to just the EAP Identity packet :-)

alan
Re: Authentication using LDAP for 802.1x
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
>> Save yourself some LDAP lookups by removing ldap from the outer.
>
> ..and save some more hits to LDAP by wrapping the call to it in the authorization stage to just the EAP Identity packet :-)

That's pretty interesting, what's the if() you're doing to achieve that?

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: Authentication using LDAP for 802.1x
On 19/06/13 15:32, Olivier Beytrison wrote:
> On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
>> ..and save some more hits to LDAP by wrapping the call to it in the authorization stage to just the EAP Identity packet :-)
>
> That's pretty interesting, what's the if() you're doing to achieve that?

He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
    eap

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
      noop
    }
    else {
      # rest of config goes here
    }
  }
}

Note however that you can avoid this in master versions of the server with:

server inner-tunnel {
  authorize {
    eap {
      ok = return
    }
  }
}

...as the EAP module was updated to return ok on identity/mschap responses. Yet another reason to upgrade!
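To see what the regex in that unlang actually matches, here is an added example (not from the post or the FreeRADIUS project) that decodes EAP-Message values the way FreeRADIUS prints them and reproduces the "skip LDAP" test. The Identity response is the one quoted in the "authentication by hostname" thread above; the MS-CHAPv2 acknowledgement is a constructed sample.

```python
"""Decode RADIUS EAP-Message attribute values and mirror the unlang test
'(EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)'.

Added example, not FreeRADIUS code. EAP header layout (RFC 3748):
Code(1) Identifier(1) Length(2) [Type(1) Type-Data...].
"""
import re

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 26: "MS-CHAPv2"}
# EAP-MSCHAPv2 opcodes carried in the first byte of the type data.
MSCHAPV2_OPCODE = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# The regex from the post. A 6-byte EAP Response of type 0x1a (26) holds only
# the MS-CHAPv2 opcode: it is the client's Success/Failure acknowledgement,
# which needs no LDAP lookup.
SKIP_LDAP_RE = re.compile(r"^0x02..00061a..$")


def decode_eap_message(hexstr: str) -> dict:
    """Parse one EAP-Message value in FreeRADIUS's 0x... notation."""
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute length {len(raw)}")
    info = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        eap_type = raw[4]
        info["type"] = EAP_TYPE.get(eap_type, eap_type)
        data = raw[5:]
        if eap_type == 1:
            info["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type == 26 and data:
            info["opcode"] = MSCHAPV2_OPCODE.get(data[0], data[0])
    return info


def skip_ldap(hexstr: str) -> bool:
    """True when the unlang in the post would 'noop' (skip LDAP) for this packet."""
    info = decode_eap_message(hexstr)
    return info.get("type") == "Identity" or bool(SKIP_LDAP_RE.match(hexstr))


# Sample values: the Identity response quoted earlier in this archive, and a
# constructed MS-CHAPv2 Success acknowledgement (id 0x0a, opcode 3).
IDENTITY_RESPONSE = "0x0201001401686f73742f544344452d3030303131"
MSCHAPV2_SUCCESS_ACK = "0x020a00061a03"

if __name__ == "__main__":
    for sample in (IDENTITY_RESPONSE, MSCHAPV2_SUCCESS_ACK):
        print(sample, decode_eap_message(sample), "skip_ldap:", skip_ldap(sample))
```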
Re: Authentication using LDAP for 802.1x
Hi,

> He he he... if I recall correctly I came up with something like:

yes, that's the one. quoted as 'most evil unlang ever' if I recall. have used it on many occasions...does the job well

> ...as the EAP module was updated to return ok on identity/mschap responses. Yet another reason to upgrade!

yep...as well as proper pools of LDAP servers in 3.x

alan
Re: Authentication Using Framed-IP-Address
On 7 Mar 2013, at 09:50, Russell Mike <radius@gmail.com> wrote:
> Dear Alan. De. List
>
> Greetings
>
> May I please ask your opinion, if it is possible to accept/reject users based on Framed-IP-Address.

Yes, if the Framed-IP-Address is available in the request. There are, however, no IP-specific operators, so it's more difficult to check whether an IP address is in a certain range.

Also, Alan doesn't need his ego stroking any more, addressing questions to the list works just as well.

-Arran
Re: Authentication Using Framed-IP-Address
Hi Arran,

Thanks for the answer to my question. Nothing wrong with saying thanks, but perhaps you see it from that angle.

Regards / RM

On Thu, Mar 7, 2013 at 3:12 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> Yes, if the Framed-IP-Address is available in the request. There are, however, no IP-specific operators, so it's more difficult to check whether an IP address is in a certain range.
>
> Also, Alan doesn't need his ego stroking any more, addressing questions to the list works just as well.
>
> -Arran
Re: Authentication with Juniper SA
From: Fajar A. Nugraha <l...@fajar.net>
> On Sun, Sep 16, 2012 at 7:00 AM, Mik J <mikyde...@yahoo.fr> wrote:
>> Hello,
>> I don't know why I can't make my authentication work with Juniper Secure Access.
>> I have a user
>>
>> | id | username | attribute          | value      | op |
>> | 9  | t2       | Cleartext-Password | passsecret | == |
>
> Change the op to := ... which you should've seen if you read the included doc/rlm_sql

Thank you for your answer Fajar, it helped, although the authentication is not fully functional. For now I'll read the documentation again.
Re: Authentication with Juniper SA
From: Mik J <mikyde...@yahoo.fr>
> From: Fajar A. Nugraha <l...@fajar.net>
>> On Sun, Sep 16, 2012 at 7:00 AM, Mik J <mikyde...@yahoo.fr> wrote:
>>> I have a user
>>>
>>> | id | username | attribute          | value      | op |
>>> | 9  | t2       | Cleartext-Password | passsecret | == |
>>
>> Change the op to := ... which you should've seen if you read the included doc/rlm_sql
>
> Thank you for your answer Fajar, it helped, although the authentication is not fully functional. For now I'll read the documentation again.

So here's what the documentation says:

==
Attribute == Value: As a check item, it matches if the named attribute is present in the request, AND has the given value.

= In my case, I wanted to compare the password sent by the Juniper device to the entry in the radcheck table. If the login and password match then the check is positive. So the documentation seems to say that it should work with ==, or I don't understand.

:=
Attribute := Value: Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.
Re: Authentication with Juniper SA
On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikyde...@yahoo.fr> wrote:
> So here's what the documentation says:
>
> ==
> Attribute == Value: As a check item, it matches if the named attribute is present in the request, AND has the given value.
>
> = In my case, I wanted to compare the password sent by the Juniper device to the entry in the radcheck table. If the login and password match then the check is positive. So the documentation seems to say that it should work with ==, or I don't understand.

No, that's not how it works. If you want to check for other attributes (e.g. bind a user to a particular Calling-Station-Id), you can use ==. But not for password. More details below.

> :=
> Attribute := Value: Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.

If you've read doc/rlm_sql, like I suggested, you would've seen examples of what entry goes where. This is a start. Once that works, you can read other docs to find out what they mean.

Regarding user-password, it's somewhat special. Old versions of the FR manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest using ==. Don't use those, as they're outdated. A good explanation of how it should be is included in the current version of FR. For example, if you run "man 5 users" on an up-to-date installation, you'd see this snippet:

EXAMPLES
       bob     Cleartext-Password := "hello"

       Requests containing the User-Name attribute, with value "bob", will be authenticated using the "known good" password "hello". There are no reply items, so the reply will be empty.

"known good password" is a configuration item ("control item" is probably a better term). It tells the server "this is what the correct password for the user is". You need to use :=, because you're NOT directly comparing it to User-Password in the incoming request.

The password that the user sends might be in the form of the User-Password attribute (in which case the content will be the same as the Cleartext-Password that you store in the db), or it might come in a different form (e.g. CHAP-Password). Since it might be different, you can't compare it directly (thus, you can't use ==). Instead, you need to tell the server what the correct password is (with := and the attribute Cleartext-Password), and the server will then perform the necessary processing, and then compare it to whatever attribute the client sends.

Does that (simplified) explanation make sense?

--
Fajar
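An added example (not from the thread or from FreeRADIUS itself) showing the point Fajar makes here, and the CHAP-with-cleartext-password failure discussed in the "Authentication problems" thread further down: with PAP the request carries the password itself, so a literal comparison works, but with CHAP the request carries only a hash, which the server can verify only by recomputing it from the known-good cleartext password. The password is the radcheck value from the thread; the CHAP challenge and identifier are constructed sample values.

```python
"""Why 'Cleartext-Password :=' (a control item) works for PAP and CHAP while
'User-Password ==' (a literal check item) works only for PAP.

Added example, not FreeRADIUS code. CHAP per RFC 1994 / RFC 2865 section 5.3:
CHAP-Password = Ident || MD5(Ident || secret || challenge), where the challenge
is the CHAP-Challenge attribute (or the Request Authenticator if absent).
"""
import hashlib
import hmac


def naive_equals_check(known_good: str, request_password_attr: bytes) -> bool:
    """The 'User-Password == value' check item: a literal byte comparison with
    whatever password attribute the client sent."""
    return known_good.encode("utf-8") == request_password_attr


def pap_matches(known_good: str, user_password: bytes) -> bool:
    """PAP (rlm_pap): the request carries the password, so compare directly."""
    return hmac.compare_digest(known_good.encode("utf-8"), user_password)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """What the NAS puts into CHAP-Password (17 bytes: Ident + MD5 digest)."""
    digest = hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()
    return bytes([ident]) + digest


def chap_matches(known_good: str, chap_password: bytes, challenge: bytes) -> bool:
    """CHAP (rlm_chap): the request carries only a hash, so recompute it from
    the known-good cleartext password and compare digests."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(expected, chap_password)


# Sample data: password from the thread's radcheck row; challenge and ident constructed.
KNOWN_GOOD = "passsecret"
CHALLENGE = bytes.fromhex("0123456789abcdef0123456789abcdef")  # CHAP-Challenge, 16 bytes
CHAP_IDENT = 0x2A


def demo() -> dict:
    """Outcome of each comparison for a PAP request and a CHAP request."""
    pap_attr = KNOWN_GOOD.encode("utf-8")                       # User-Password (decrypted)
    chap_attr = chap_response(CHAP_IDENT, KNOWN_GOOD, CHALLENGE)  # CHAP-Password
    return {
        "pap_direct_compare": naive_equals_check(KNOWN_GOOD, pap_attr),    # works
        "chap_direct_compare": naive_equals_check(KNOWN_GOOD, chap_attr),  # never works
        "pap_module": pap_matches(KNOWN_GOOD, pap_attr),
        "chap_module": chap_matches(KNOWN_GOOD, chap_attr, CHALLENGE),
        # the "Authentication problems" case: CHAP packet, wrong known-good password in DB
        "chap_module_wrong_db_password": chap_matches("wrongpass", chap_attr, CHALLENGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```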
Re: Authentication with Juniper SA
----- Original Message -----
From: Fajar A. Nugraha <l...@fajar.net>
To: Mik J <mikyde...@yahoo.fr>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Sunday, 16 September 2012, 10:35
Subject: Re: Authentication with Juniper SA

> The password that the user sends might be in the form of the User-Password attribute (in which case the content will be the same as the Cleartext-Password that you store in the db), or it might come in a different form (e.g. CHAP-Password). Since it might be different, you can't compare it directly (thus, you can't use ==). Instead, you need to tell the server what the correct password is (with := and the attribute Cleartext-Password), and the server will then perform the necessary processing, and then compare it to whatever attribute the client sends.
>
> Does that (simplified) explanation make sense?

Hello Fajar,

This is very clear now. My freeradius version is not so new (2.1.12).

Thank you very much for this explanation.

Have a nice weekend
Re: Authentication with Juniper SA
On Sun, Sep 16, 2012 at 4:20 PM, Mik J <mikyde...@yahoo.fr> wrote:
>> The password that the user sends might be in the form of the User-Password attribute (in which case the content will be the same as the Cleartext-Password that you store in the db), or it might come in a different form (e.g. CHAP-Password). Since it might be different, you can't compare it directly (thus, you can't use ==). Instead, you need to tell the server what the correct password is (with := and the attribute Cleartext-Password), and the server will then perform the necessary processing, and then compare it to whatever attribute the client sends.
>>
>> Does that (simplified) explanation make sense?
>
> Hello Fajar,
>
> This is very clear now. My freeradius version is not so new (2.1.12).

2.1.12 is actually new enough, in that many distros still ship with it, and it also needs "Cleartext-Password :=" instead of "==". There's a known security issue with anything under 2.2.0 though, so if you're using anything older make sure the fix is backported (e.g. if you're using debian/ubuntu make sure you use 2.1.12+dfsg-1.1). Ask your distro support/forum/list for details.

Also, just in case I wasn't clear, you can still use == in newer versions of FR (and you probably need to, for some situations). The exception is only for user password, where you should use "Cleartext-Password :=" instead of "User-Password ==".

--
Fajar
Re: Authentication with Juniper SA
On Sun, Sep 16, 2012 at 7:00 AM, Mik J <mikyde...@yahoo.fr> wrote:
> Hello,
>
> I don't know why I can't make my authentication work with Juniper Secure Access.
>
> I have a user
>
> | id | username | attribute          | value      | op |
> | 9  | t2       | Cleartext-Password | passsecret | == |

Change the op to := ... which you should've seen if you read the included doc/rlm_sql

--
Fajar
Re: Authentication issues with mysql + eap +md5
NorthPole wrote:
> I'm trying to get started with freeradius using mysql for storing the users and md5-eap type authentication, but something is wrong with my configuration and I can't seem to be able to login. radiusd -X produces the following:
>
> http://pastebin.com/jpNtX4Hb

Please read it. The messages are clear:

[pap] WARNING! No known good password found for the user. Authentication may fail because of this.

And look for "sql". It doesn't appear in the debug output. You haven't configured the server to use SQL.

Alan DeKok.
Re: Authentication issues with mysql + eap +md5
you are right! my bad (I need to sleep more :p)

thx for your time :D

On Mon, Apr 23, 2012 at 5:36 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Please read it. The messages are clear:
>
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
>
> And look for "sql". It doesn't appear in the debug output. You haven't configured the server to use SQL.
>
> Alan DeKok.
Re: Authentication problems
O.K. Thanks everybody. It would appear that the shared secret was being passed incorrectly by the NAS. It now behaves as it should. Don't understand why FR1 worked with exactly the same NAS though.
Re: Authentication problems
a very quick look at your output and it seems like you are not calling 'sql' in your virtual servers at all. if you did, there'd be a call checking your SQL info - read and edit the sites-enabled/* files

alan
Re: Authentication problems
Thanks for that. You're quite right. I now feel more stupid than a very stupid person. My only excuse is that I've installed so many times I've lost track. Probably of my marbles. Anyway I've now enabled sql and the new debug info is below.

FreeRADIUS Version 2.1.9, for host i386-redhat-linux-gnu, built on May 24 2010 at 16:22:24
Re: Authentication problems
hi,

your NAS is sending a CHAP request not a PAP request, you have a plain text password for PAP. adjust NAS or your configuration/storage? A database can only be queried for values not as a challenge-response repository,

alan
Re: Authentication problems
Thanks for the reply. Don't quite understand. The log suggests that pap is returning noop and then that the auth type CHAP is found. Then says that chap authentication with a clear text password is failing. Or am I reading this incorrectly?
Re: Authentication problems
pessimist wrote:
Thanks for the reply. Don't quite understand. The log suggests that pap is returning noop and then that the auth type CHAP is found. Then says that chap authentication with a clear text password is failing. Or am I reading this incorrectly?

The debug output is clear. The password you supplied as the known good password doesn't match the CHAP password in the packet. Either you typed the password wrong, or the known good password in the DB is wrong. There are no other choices.

Alan DeKok.
Re: Authentication problems
hi,

Thanks for the reply. Don't quite understand. The log suggests that pap is returning noop and then that the auth type CHAP is found. Then says that chap authentication with a clear text password is failing.

the incoming request contains this:

CHAP-Challenge = 0x6e37280ebb86c255086f2ab80c521e24
CHAP-Password = 0x005223d2d8d662465852923eae583ade21

if it was PAP it wouldn't have these values, it would just have

User-Password = blahblah

so, CHAP module sees these values...and sets the auth-type to CHAP. PAP module is doing a noop because the auth-type has already been set. did you have this construction working in your older FR setup? If so, you will need to check your config to see what else you were doing. if not...i'd say change the ChilliSpot server to send the request as PAP

alan
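The check rlm_chap performs on the two attributes above, as an added example in Python (not code from this thread or from FreeRADIUS): per RFC 1994 and RFC 2865 section 5.3, CHAP-Password is the CHAP Identifier octet followed by MD5(Identifier || cleartext password || challenge), so the server can only verify it by recomputing that digest from the cleartext password. That is why a one-way hash (MD5/SHA/crypt) in the SQL check table can satisfy a PAP request, where the server receives the password itself, but never a CHAP one. The CHAP-Challenge and CHAP-Password values and the password "123" are the ones printed in this thread's debug output, and the check fails exactly as "[chap] Password check failed" reports; the second password and challenge are constructed. The code assumes CHAP-Challenge is present in the packet (when it is absent, RFC 2865 uses the Request Authenticator as the challenge).

```python
import hashlib
import hmac

# Attribute values copied from the radiusd -X output quoted in this thread.
CHAP_CHALLENGE_FROM_LOG = bytes.fromhex("6e37280ebb86c255086f2ab80c521e24")
CHAP_PASSWORD_FROM_LOG = bytes.fromhex("005223d2d8d662465852923eae583ade21")


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """What a NAS puts into the RADIUS CHAP-Password attribute (RFC 2865 5.3):
    one Identifier octet followed by the 16-octet response. The NAS needs the
    cleartext password the user typed but never transmits the password itself."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, cleartext_secret: bytes) -> bool:
    """Server-side check, equivalent to what rlm_chap does with a Cleartext-Password.
    It cannot be done from a one-way hash of the password: the digest covers the
    cleartext bytes, so the server must be able to reproduce it."""
    if len(chap_password) != 17:  # 1 identifier octet + 16 MD5 octets
        return False
    ident = chap_password[0]
    expected = chap_response(ident, cleartext_secret, challenge)
    # Constant-time comparison so a mismatch is not distinguishable by timing.
    return hmac.compare_digest(expected, chap_password[1:])


def replay_failed_check_from_thread() -> bool:
    """Re-run the check the debug output reports as '[chap] Password check failed',
    using the cleartext password "123" that the output says was tried."""
    return verify_chap(CHAP_PASSWORD_FROM_LOG, CHAP_CHALLENGE_FROM_LOG, b"123")


def constructed_roundtrip() -> bool:
    """Constructed example: a NAS-style encoding is accepted with the right
    password and rejected with a wrong one. Challenge bytes are constructed."""
    challenge = bytes(range(16))
    attr = build_chap_password(0x2A, b"s3cret-pw", challenge)
    return verify_chap(attr, challenge, b"s3cret-pw") and not verify_chap(
        attr, challenge, b"wrong-pw"
    )


if __name__ == "__main__":
    print("check from the thread's debug output succeeds:", replay_failed_check_from_thread())
    print("constructed round trip behaves as expected:", constructed_roundtrip())
```

If the SQL table stores only hashed passwords, the practical fix is the one alan gives: have the NAS send PAP, where User-Password is protected by the shared secret and the server can compare against any hash format rlm_pap understands.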
Re: Authentication problems
On Apr 16, 2012, at 11:51 AM, pessimist wrote:
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "ABC" with CHAP password
[chap] Using clear text password "123" for user ABC authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> ABC
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

greetings, your output looks similar to mine. I recently set up a bunch of mac computers using 802.1x with hp/3com switches. try connecting with flat file username and password, bypass sql for now. verify radius works at with md5/leap, else set switch to eap and pass tickets.

-j
Re: Authentication according NAS
Hi,

user admin with password toto could connect to NAS1/2/3/4 of Factory2
user admin with password coco could connect to NAS1/2/3 of Factory1

if you want to keep it this simple, simply use hunt-groups. define each NAS in separate hunt-groups and add a hunt-group check item (eg to users file or to sql check table)

alan
Re: Authentication with multiple AD
On 25/01/2012 11:19, Pavel Klochan wrote:
Hi. I need advice/help with my problem. I'm trying to authenticate with 2 LDAP-servers from freeradius, but without success.

I'm just a newbie, but have you tried proxying requests to two different local servers?

BYtE,
Diego.
Re: Authentication against multiple LDAP sources.
Stuart Lawson wrote:
Looking for a bit of advice, I am starting to think I am chasing the impossible and will have to start to use Realms or proxies to resolve this issue. FreeRADIUS 2.1.7

2.1.12 is out.

However (output below) it attempts to do the authentication against both LDAP sources using the first suffix from the authorisation or carried over from the first Authentication attempt (I don't know which).

Yes... the User-DN is set from the query done during authorize.

The short answer is don't have duplicate user names. The server is intended to work with unique user names. It's possible to configure it with duplicate user names, but it's more complicated.

You'll need to update your configuration. Maybe set the LDAP-User-DN manually during authentication.

Alan DeKok.
Re: Authentication via ntlm_auth with check the user group
Hi

I've added into sites-enabled/inner-tunnel

authorize {
	...
	if (Ldap-Group == "%{AD-Group}") {
		ok
	} else {
		reject
	}
}

It works for peap authentication, but if I use certificate authentication, the module ldap does not work

On 08.12.2011 20:34, Alan DeKok wrote:
Put any group checking into the inner-tunnel server. That's what it's for.
Re: Authentication via ntlm_auth with check the user group
Сергей Усов wrote:
It's work for peap authentification, but if I use certificate authentication, the module ldap do not work

Exactly. When certificate authentication is used, you are NOT doing username/password authentication. That's what certificate authentication is for.

And the ldap module does username/password checks. So.. the two are not really compatible.

Alan DeKok.
Re: Authentication via ntlm_auth with check the user group
Here is an authentication request from the certificate:

rad_recv: Access-Request packet from host 192.168.213.210 port 1390, id=8, length=224
	Message-Authenticator = 0x6d9c4039c9d8b314ca0bb11bf518f5a0
	Service-Type = Framed-User
	User-Name = "r...@pomorsu.ru"
	Framed-MTU = 1488
	Called-Station-Id = "00-17-9A-D1-44-39:localnet1"
	Calling-Station-Id = "00-1F-3C-3D-DF-8C"
	NAS-Identifier = "D-Link Access Point"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020800190175736f77735f61646d40706f6d6f7273752e7275
	NAS-IP-Address = 192.168.213.210
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"

There is a user name. It can not be used to check via LDAP?

Alan DeKok wrote:
Exactly. When certificate authentication is used, you are NOT doing username/password authentication. That's what certificate authentication is for. And the ldap module does username/password checks. So.. the two are not really compatible.
Re: Authentication via ntlm_auth with check the user group
Сергей Усов wrote:
Here is an authentication request from the certificate:
..
There is a user name. It can not be used to check via LDAP?

Check WHAT via LDAP? Passwords? Of course not.

You've been very careful to *not* say what you really want to do, and to *not* say what you've configured, and to *not* say what happens when the server receives EAP-TLS packets, and to *not* say what you expect to happen.

You're asking vague and useless questions. So the answers are vague and useless.

Alan DeKok.
Re: Authentication via ntlm_auth with check the user group
Thanks, Alan, it works. I have another question. Can I check the user's group for authentication via TTLS?

On 07.12.2011 18:32, Alan DeKok wrote:
You didn't do what I said, so I'm not surprised it didn't work.
Re: Authentication via ntlm_auth with check the user group
Сергей Усов wrote:
Thanks, Alan, it works. I have another question. Can I check the user's group for authentication via TTLS?

Put any group checking into the inner-tunnel server. That's what it's for.

Alan DeKok.
Re: Authentication via ntlm_auth with check the user group
On Wed, Dec 7, 2011 at 4:11 PM, Сергей Усов us...@pomorsu.ru wrote:
Hi I try to configure authentication via ntlm_auth to check the user group. All authentication attempts are rejected

What does the debug log say when the authentications are rejected?

--
Fajar
Re: Authentication via ntlm_auth with check the user group
Thanks for your reply

radiusd: Loading Virtual Servers
server { # from file /etc/freeradius/radiusd.conf
modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file /etc/freeradius/modules/mschap
  mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=POMORSU+%{AD-Group}"
  }
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=0, length=210
	Message-Authenticator = 0x76f5e1499b3c78689adf8fb623dc7c4e
	Service-Type = Framed-User
	User-Name = "POMORSU\\rahs"
	Framed-MTU = 1488
	Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
	Calling-Station-Id = "00-1F-3C-3D-DF-8C"
	NAS-Identifier = "D-Link Access Point"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x021201504f4d4f5253555c75736f7773
	NAS-IP-Address = 192.168.213.210
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
+++- entering if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) {...}
	expand: %{7} -> localnet1
[request] returns ok
? if (Called-Station-SSID == "localnet1")
? Evaluating (Called-Station-SSID == "localnet1") -> TRUE
? if (Called-Station-SSID == "localnet1") -> TRUE
- entering if (Called-Station-SSID == "localnet1") {...}
+[request] returns ok
- if (Called-Station-SSID == "localnet1") returns ok
 ... skipping else for request 0: Preceding "if" was taken
+++- if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = "POMORSU\rahs", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.213.210 port 1067
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x
	State = 0x140c0338140d1ab54c20eb7bf1588770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, id=1, length=315
	Message-Authenticator = 0x52b3370475dcad2571d8a4ef20d46246
	Service-Type = Framed-User
	User-Name = "POMORSU\\rahs"
	Framed-MTU = 1488
	State = 0x140c0338140d1ab54c20eb7bf1588770
	Called-Station-Id = "04-11-9A-D1-44-39:localnet1"
	Calling-Station-Id = "00-1F-3C-3D-DF-8C"
	NAS-Identifier = "D-Link Access Point"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	EAP-Message = 0x020100691980005f160301005a015603014ede257a500dcb4913694c60469b783a7bdaa0d482ac13baa056619eb2d75c3718002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
	NAS-IP-Address = 192.168.213.210
	NAS-Port = 1
	NAS-Port-Id = "STA port # 1"
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) -> TRUE
+++? if
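The extract_ssid policy in the debug output above splits Called-Station-Id into the access point's MAC and the SSID (the `%{7}` expansion) so that later rules can branch on the SSID. As an added example, not part of this thread or of FreeRADIUS, here is the same regular expression applied in Python, with the MAC normalised to lowercase dash-separated form and an SSID lookup standing in for the `if (Called-Station-SSID == "localnet1")` branch in the log. The Called-Station-Id values in the test are the ones from the requests quoted in this thread; the SSID-to-VLAN table is constructed. Called-Station-Id is whatever the NAS chooses to send and is not authenticated, so it identifies the AP and SSID the NAS reports, not the client.

```python
import re
from typing import Optional, Tuple

# The pattern the extract_ssid policy applies in the debug output above
# (FreeRADIUS 2.x policy.conf): six hex octets with optional '-' or ':'
# separators, then an optional SSID; %{7} in the log is the seventh group.
CALLED_STATION_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?",
    re.IGNORECASE,
)

# Constructed table standing in for the per-SSID decisions a site would make
# (for example the VLAN to return in Tunnel-Private-Group-Id).
SSID_TO_VLAN = {"localnet1": "10", "guest": "99"}


def parse_called_station_id(value: str) -> Optional[Tuple[str, str]]:
    """Return (mac, ssid), or None when the value is not MAC-shaped.
    mac is lowercase and dash separated; ssid is '' when the NAS sent none."""
    m = CALLED_STATION_RE.match(value)
    if m is None:
        return None
    mac = "-".join(octet.lower() for octet in m.groups()[:6])
    return mac, (m.group(7) or "")


def vlan_for_request(called_station_id: str) -> Optional[str]:
    """Mirror of the `if (Called-Station-SSID == "...")` branch: choose a VLAN
    from the SSID, None when the SSID is missing or unknown so that the caller
    falls through to its default handling instead of guessing."""
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return None
    _mac, ssid = parsed
    return SSID_TO_VLAN.get(ssid)


if __name__ == "__main__":
    for value in ("04-11-9A-D1-44-39:localnet1", "00-26-cb-94-65-60:FPTI", "00179AD14439"):
        print(value, "->", parse_called_station_id(value), "vlan:", vlan_for_request(value))
```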
Re: Authentication via ntlm_auth with check the user group
You need to update the AD-Group in the inner-tunnel virtual server, not in the default one.

Alan DeKok.
Re: Authentication via ntlm_auth with check the user group
I have changed inner_tunnel, but unsuccessfully

server inner-tunnel {
	authorize {
		preprocess
		extract_ssid
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	session {
		radutmp
	}
	post-auth {
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}

On 07.12.2011 15:36, Alan DeKok wrote:
You need to update the AD-Group in the inner-tunnel virtual server, not in the default one.
Re: Authentication via ntlm_auth with check the user group
Сергей Усов wrote:
I have changed inner_tunnel, but unsuccessfully

You didn't do what I said, so I'm not surprised it didn't work.

Alan DeKok.
Re: Authentication with different port and users
Alan Kong wrote:
Hi, I used to have freeradius(old version) installed on Solaris and have 2 separate processes listening on port 1812 and 1645. They authenticate 2 groups of different users. I upgraded and installed freeradius 2.1.11 on CentOS 5.6. According to radiusd.conf, I could get freeradius listen on different ports. Can I config the ports authenticate different groups of users using /etc/passwd?

Yes. Configure two different virtual servers. See raddb/sites-available/README for some basic discussion.

Alan DeKok.
Re: authentication sub in perl
...as said in the original thread when I noted your request was EAP and your server had no EAP support (which you've now fixed)...this is an EAP request...and if you haven't really broken your config then the server will use the inner-tunnel virtual server, so you need to add your call to the perl module into the authenticate section of that virtual-server

alan

--
Message may be brief as it has been sent from my mobile
Re: authentication sub in perl
On 03/10/11 13:48, Alex rsm wrote:
Alan, Thank you for the response. How can I build the FreeRADIUS with EAP support? I checked the configure and Makefile and couldn't figure it out

No need to edit the Makefile. You need to install a package called something like openssl-devel and then attempt to build FreeRADIUS again.

Jonathan
Re: authentication sub in perl
Hi,

Thank you for the response. How can I build the FreeRADIUS with EAP support? I checked the configure and Makefile and couldn't figure it out

did you build it yourself then? if so, then what platform? as that will decide the package name. ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the required RPM or PKG file that must be installed

if you'd piped the output of the ./configure stage through grep eg

./configure --with-whatever-options | grep WARN

you'd see all the warnings about functionality that won't work because of lack of development headers/libraries

alan
RE: authentication sub in perl
I've built FreeRadius2.1.11 from src files on ubuntu 8.04 server:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 8.04.4 LTS
Release:        8.04
Codename:       hardy

# ./configure | grep WARN
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may not work
configure: WARNING: pcap library not found, silently disabling the RADIUS sniffer.
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires: libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires: (ndbm.h or gdbm/ndbm.h or gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: WARNING: silently not building rlm_dbm.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires: libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h krb5.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap_r ldap.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires: openssl-libs openssl-includes openssl-includes openssl-includes openssl-includes openssl-includes.
configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires: libpam.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires: libperl.so libperl.so.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires: Python.h libpython2.5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
configure: WARNING: MySQL headers not found. Use --with-mysql-include-dir=path.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
configure: WARNING: oracle headers not found. Use --with-oracle-include-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

# apt-get install OpenSSL
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package OpenSSL

# apt-get install ssl-devel
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package ssl-devel
Re: authentication sub in perl
Alex rsm wrote:
# apt-get install OpenSSL
...
E: Couldn't find package OpenSSL

Use *google* to find out the names of packages on your OS. Or, search the web pages of the OS vendor. It should be less work (and faster) than posting messages to this list.

This isn't a FreeRADIUS problem.

Alan DeKok.
Re: authentication sub in perl
Yes yes, you've just confirmed what I said. I know you built it without openssl support...I was giving you advice on how to spot it, so that you can verify all is okay after you've installed the required development packages for openssl on your platform, and Google can help you with that.

alan

--
Message may be brief as it has been sent from my mobile
Re: authentication sub in perl
Hi,

As I said only authorize sub is being called when receiving a REQUEST and not authenticate sub. So I need to change Auth-Type to be Perl?

authenticate fails quite simply because this is an EAP request...and your FreeRADIUS had been built without EAP support. if you have EAP support, the server would trigger the EAP mechanism...which sends the packet through to the inner-tunnel virtual server and you would have to have the perl module listed in the authenticate section of that VS

look,

FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Sep 29 2011 at 14:33:46
snip
Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.
snip
[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
snip
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type PEAP
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

...end of game

as you can see, sending the output of radiusd -X is very very useful for those of us that want to help you.

alan
Re: authentication sub in perl
Alex rsm wrote:
I am trying to call an external perl function within authentication sub
- functions are uncommented in modules/perl file
...
func_authenticate = authenticate
func_authorize = authorize
...

The default example works.

- subs are modified in /raddb/example.pl
sub authenticate{
	print "TEST1\n";
}
sub authenticate {
	print "TEST2\n";
	/usr/local/etc/raddb/test.pl;
}
When freeradius receives a REQUEST, only authenticate sub is called and not authenticate sub.

That makes NO sense at all. You have TWO authenticate subroutines, and you expect that Perl will magically call the one you want? Computers don't work that way.

How can I enable authenticate to be called when a REQUEST is arrived?

Ask a question that makes sense.

Alan DeKok.
Re: authentication sub in perl
Hi,

Hi, I am trying to call an external perl function within authentication sub
- functions are uncommented in modules/perl file
...
func_authenticate = authenticate
func_authorize = authorize
...
- subs are modified in /raddb/example.pl
sub authenticate{
	print "TEST1\n";
}
sub authenticate {
	print "TEST2\n";
	/usr/local/etc/raddb/test.pl;
}
When freeradius receives a REQUEST, only authenticate sub is called and not authenticate sub. How can I enable authenticate to be called when a REQUEST is arrived?

huh? authenticate == authenticate

surely you meant to put authorize in one of those statements?

alan
RE: authentication sub in perl
my apology. It was a copy/paste typo:

sub authorize {
	print "TEST1\n";
	# For debugging purposes only
	# log_request_attributes;

	# Here's where your authorization code comes
	# You can call another function from here:
	test_call;
	return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
	print "TEST2\n";
	# For debugging purposes only
	# log_request_attributes;

	if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
		# Reject user and tell him why
		$RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
		return RLM_MODULE_REJECT;
	} else {
		# Accept user and set some attribute
		$RAD_REPLY{'h323-credit-amount'} = 100;
		return RLM_MODULE_OK;
	}
}

On Fri, 30 Sep 2011 17:36:32 +0200, Alan DeKok wrote:
That makes NO sense at all. You have TWO authenticate subroutines, and you expect that Perl will magically call the one you want? Computers don't work that way.
Re: authentication sub in perl
Hi,

debug?

alan
RE: authentication sub in perl
. Sending delayed reject for request 1
Sending Access-Reject of id 1 to 10.0.0.31 port 50048
	EAP-Message = 0x04020004
	Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +22
Waking up in 1.0 seconds.
Cleaning up request 1 ID 1 with timestamp +22
Ready to process requests.

Date: Fri, 30 Sep 2011 20:20:29 +0100
From: a.l.m.bu...@lboro.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: authentication sub in perl

Hi,

debug?

alan
Re: Authentication probation for VLAN
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
* Tunnel-Private-Group-Id:0 = 5*
string != integer
Tunnel-Private-Group-Id is a string.
Eww gross. Ok I thought unlang did the conversions automagically But obviously not

Apparently it does work, the OP seems to have neglected to mention that one chunk of the debug was for the outer layer, the other the inner auth :-/

Cheers

--
Alexander Clouter
.sigmonster says: Misfortunes arrive on wings and leave on foot.
Re: Authentication probation for VLAN
On 26 Aug 2011, at 11:39, Alexander Clouter wrote:
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
* Tunnel-Private-Group-Id:0 = 5*
string != integer
Tunnel-Private-Group-Id is a string.
Eww gross. Ok I thought unlang did the conversions automagically But obviously not
Apparently it does work, the OP seems to have neglected to mention that one chunk of the debug was for the outer layer, the other the inner auth :-/

Indeed. *stabby stabby* *sigh*. I thought it was weird, because I remembered reading the code that did the automagical conversions :)

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: Authentication probation for VLAN
Also said that if I try to use the Tunnel-Private-Group-Id without the :0 at the end, appears in the logs that the attribute was not found, I mention this because in several instances I saw on the internet was used only Tunnel-Private-Group-Id (with :0 at the end)

Weird, try using it in a string expansion (as a work around) e.g.

"%{Tunnel-Private-Group-Id}" == 5

Arran Cudbard-Bell a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
Re: Authentication probation for VLAN
joao...@gmail.com joao...@gmail.com wrote:
This model is funcionaç, however have a problem (very serious), Radius does not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information:
...
rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184
	User-Name = "joao@fpti"
	Calling-Station-Id = "68-a3-c4-85-c5-89"
	Called-Station-Id = "00-26-cb-94-65-60:FPTI"
	NAS-Port = 29
	NAS-IP-Address = 192.168.254.48
	NAS-Identifier = "WLC-PTI"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
* Tunnel-Private-Group-Id:0 = 5*

string != integer

Tunnel-Private-Group-Id is a string. I have to do a similar thing to map a silly attribute coughed up by Cisco's useless WLC:

policy.conf
rewrite.quirk.wlc {
	if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
		switch "%{Airespace-Wlan-Id}" {
			case 1 {
				update request {
					NAS-Port-Id := "eduroam"
				}
			}
			case 5 {
				update request {
					NAS-Port-Id := "UTILICOM"
				}
			}
			case 6 {
				update request {
					NAS-Port-Id := "BTOpenzone"
				}
			}
			case 7 {
				update request {
					NAS-Port-Id := "soas-wpa-psk"
				}
			}
			case {
				update request {
					NAS-Port-Id := "UNKNOWN"
				}
			}
		}
		...
	}
}

You should use (I am almost certain you should not be looking at tagged attributes, so drop the ':0' too): notice the

if (Tunnel-Private-Group-Id == 5) {
	[stuff]
}

Cheers

--
Alexander Clouter
.sigmonster says: Do not apply to broken skin.
Re: Authentication probation for VLAN
On 25 Aug 2011, at 21:43, Alexander Clouter wrote:

> joao...@gmail.com joao...@gmail.com wrote:
>
>> This model is functional, however it has a (very serious) problem: RADIUS does not know from which SSID the client is trying to authenticate, or rather it decides solely on the basis of the client's authentication realm. I need to make RADIUS check the VLAN that is associated with the user's authentication request. Checking in the RADIUS debug output, an Access-Request packet has the following information:
>>
>>     ...
>>     rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184
>>         User-Name = "joao@fpti"
>>         Calling-Station-Id = "68-a3-c4-85-c5-89"
>>         Called-Station-Id = "00-26-cb-94-65-60:FPTI"
>>         NAS-Port = 29
>>         NAS-IP-Address = 192.168.254.48
>>         NAS-Identifier = "WLC-PTI"
>>         Airespace-Wlan-Id = 1
>>         Service-Type = Framed-User
>>         Framed-MTU = 1300
>>         NAS-Port-Type = Wireless-802.11
>>         Tunnel-Type:0 = VLAN
>>         Tunnel-Medium-Type:0 = IEEE-802
>>         Tunnel-Private-Group-Id:0 = "5"
>
> string != integer
>
> Tunnel-Private-Group-Id is a string.

Eww, gross. OK, I thought unlang did the conversions automagically. But obviously not.

-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication probation for VLAN
OK friends, I appreciate the help; I managed to solve it.

Dear Alexander Clouter, the data type really is an integer, but I had already tested that. I appreciate the hint and the attention anyway.

The problem is that I'm using EAP (PEAP and TTLS), and the default server proxies (or something like that) the request internally to the inner-tunnel; when the request arrived at the inner-tunnel, not all attributes of the original request were present in the packet. To solve it, I had to enable the option

    copy_request_to_tunnel = yes

in the file eap.conf. This solved the problem. I appreciate everyone's help.

2011/8/25 Arran Cudbard-Bell a.cudba...@freeradius.org

> On 25 Aug 2011, at 21:43, Alexander Clouter wrote:
>
>> joao...@gmail.com joao...@gmail.com wrote:
>>
>>> This model is functional, however it has a (very serious) problem: RADIUS does not know from which SSID the client is trying to authenticate, or rather it decides solely on the basis of the client's authentication realm. I need to make RADIUS check the VLAN that is associated with the user's authentication request. Checking in the RADIUS debug output, an Access-Request packet has the following information:
>>>
>>>     ...
>>>     rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184
>>>         User-Name = "joao@fpti"
>>>         Calling-Station-Id = "68-a3-c4-85-c5-89"
>>>         Called-Station-Id = "00-26-cb-94-65-60:FPTI"
>>>         NAS-Port = 29
>>>         NAS-IP-Address = 192.168.254.48
>>>         NAS-Identifier = "WLC-PTI"
>>>         Airespace-Wlan-Id = 1
>>>         Service-Type = Framed-User
>>>         Framed-MTU = 1300
>>>         NAS-Port-Type = Wireless-802.11
>>>         Tunnel-Type:0 = VLAN
>>>         Tunnel-Medium-Type:0 = IEEE-802
>>>         Tunnel-Private-Group-Id:0 = "5"
>>
>> string != integer
>>
>> Tunnel-Private-Group-Id is a string.
>
> Eww, gross. OK, I thought unlang did the conversions automagically. But obviously not.
>
> -Arran
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc
The mistake of those who have power is to put up barriers so that nobody can reach them, which only encourages us to look for every way we can find to reach them.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
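A worked configuration for the approach this thread converged on, added here as an example; it is not João's or Alexander's configuration and not FreeRADIUS's shipped inner-tunnel. The outer request is copied into the TLS tunnel so the WLC's Tunnel-* attributes and Called-Station-Id are visible in the inner-tunnel virtual server, the SSID is extracted from Called-Station-Id, and an inner user whose realm does not belong on that SSID/VLAN is rejected before any password check. The realm "fpti", the SSID "FPTI" and the VLAN "5" are taken from the posted debug output; the scratch attribute Tmp-String-0, the module order and the reject policy are assumptions for the example, written in the 2.x syntax used in the thread.

```unlang
# eap.conf (excerpt, added example). Without copy_request_to_tunnel the
# inner request carries only the inner EAP identity and response, so
# Tunnel-Private-Group-Id and Called-Station-Id are "not found" there.
eap {
    ttls {
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

# sites-enabled/inner-tunnel (excerpt, added example)
server inner-tunnel {
    authorize {
        # Split "user@realm" so the Realm attribute is set, and keep the
        # inner request local even if the realm exists in proxy.conf.
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }

        # Cisco WLC encodes the SSID as "<AP-MAC>:<SSID>" in
        # Called-Station-Id; stash the SSID in a scratch attribute (assumed).
        if (Called-Station-Id =~ /^[0-9a-fA-F-]+:(.+)$/) {
            update request {
                Tmp-String-0 := "%{1}"
            }
        }

        # Policy (assumed): a credential of realm "fpti" is only valid on
        # SSID "FPTI", whose default VLAN the WLC reports as "5".
        # Tunnel-Private-Group-Id is a string, so the literal is quoted.
        # Both values are claims made by the NAS and are trusted only as
        # far as the shared secret of that client is.
        if ((Realm == "fpti") && ((Tmp-String-0 != "FPTI") || (Tunnel-Private-Group-Id != "5"))) {
            update reply {
                Reply-Message := "realm not allowed on this SSID"
            }
            reject
        }

        eap {
            ok = return
        }

        # sql only loads the check/reply items (e.g. Cleartext-Password)
        # into the control list; it performs no password comparison.
        sql
        # pap / mschap inspect request and control lists and set Auth-Type;
        # they do nothing if no known-good password was loaded.
        pap
        mschap
    }

    authenticate {
        # EAP-TTLS/PAP ends up here ...
        Auth-Type PAP {
            pap
        }
        # ... and PEAP/EAP-MSCHAPv2 here, via the eap module; both verify
        # against the same Cleartext-Password that sql loaded.
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

The check runs before eap and sql on every inner packet, so a mismatched realm/SSID pair is refused even on the first inner round-trip, and the reject is logged with a Reply-Message rather than failing silently as a missing password would.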
Re: Authentication Problem
Hello,

I am also getting this error:

    Fri Jun 24 17:22:20 2011 : Error: [sql] Failed to check the terminal server for user 'adroa...@domain.com.br'.
    Fri Jun 24 17:22:20 2011 : Auth: Login OK: [adroa...@domain.com.br] (from client server-auth-02 port 7853349 cli 00:0E:E8:EF:FF:FF)

Occasionally it appeared before as well, and now, after a reboot of my hubs (Mikrotik NAS), several clients get this message when requesting a connection. The client receives OK and connects, but then disconnects, and its session stays stuck in the radacct table. When it requests a new connection, the same error occurs. Could these client drops be due to this error message? Simultaneous-Use already uses :=. Any light?

Thank you!
Michell

2011/5/24 Marinko Tarlać mangi...@gmail.com

> Simultaneous-Use op should be := and not =
>
> On 05/24/2011 10:32 AM, Fajar A. Nugraha wrote:
>> On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:
>>> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
>>> +-----+----------+--------------------+-------------+----+
>>> | id  | username | attribute          | value       | op |
>>> +-----+----------+--------------------+-------------+----+
>>> | 384 | bob      | Cleartext-Password | bob         | := |
>>> | 385 | bob      | Simultaneous-Use   | 1           | =  |
>>> | 386 | bob      | Expiration         | 25 Jun 2011 | := |
>>> +-----+----------+--------------------+-------------+----+
>>> 3 rows in set (0.00 sec)
>>
>> That is odd. What happens when you remove the Simultaneous-Use record for bob?
>> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
On Sat, Jun 25, 2011 at 3:28 AM, Michell bill.c...@gmail.com wrote:

> Hello,
>
> I am also getting this error:
>
>     Fri Jun 24 17:22:20 2011 : Error: [sql] Failed to check the terminal server for user 'adroa...@domain.com.br'.
>     Fri Jun 24 17:22:20 2011 : Auth: Login OK: [adroa...@domain.com.br] (from client server-auth-02 port 7853349 cli 00:0E:E8:EF:FF:FF)
>
> Occasionally it appeared before as well, and now, after a reboot of my hubs (Mikrotik NAS), several clients get this message when requesting a connection. The client receives OK and connects, but then disconnects, and its session stays stuck in the radacct table. When it requests a new connection, the same error occurs. Could these client drops be due to this error message? Simultaneous-Use already uses :=. Any light?

A quick look at rlm_sql.c shows it might be a problem with your simul_verify_query in sql/*/dialup.conf. What does it currently say? What happens when you execute it manually?

Running in debug mode (radiusd -X) or activating sql trace should enable you to see the exact query it's executing.

-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication via SQL?
Jason Antman wrote:

> I was wondering if it is possible to have a sql authenticate{} section, and if so, how to define the queries?

No.

> In the wiki, I find "Many people ask if they can authenticate users to their SQL database however the answer is You are asking the wrong question."
>
> So, my question is: When doing PAP (actually EAP-TTLS/PAP, in my case), how do I check a user's cleartext User-Password against one stored in a MySQL database?

You don't. FreeRADIUS selects the password from the database, and then does authentication itself.

Comparing the password manually works *only* for PAP. If you use CHAP, MS-CHAP, etc. it won't work.

Let FreeRADIUS do its job. It's an authentication server. Let MySQL do its job. It's a database.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
Seems there.

    select * from radcheck where username='bob';
    +-----+----------+--------------------+----+-------------+
    | id  | username | attribute          | op | value       |
    +-----+----------+--------------------+----+-------------+
    | 386 | bob      | Expiration         | := | 25 Jun 2011 |
    | 385 | bob      | Simultaneous-Use   | =  | 1           |
    | 384 | bob      | Cleartext-Password | := | bob         |
    +-----+----------+--------------------+----+-------------+

From: Tim Sylvester tim.sylves...@networkradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 10:42:35 AM
Subject: RE: Authentication Problem

> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of john decot
> Sent: Monday, May 23, 2011 9:36 PM
> To: FreeRadius users mailing list
> Subject: Re: Authentication Problem
>
> I have a backup from the working server but it is still not working. Please find the log:
>
> success Log:
>
>     [sql] expand: %{User-Name} -> rajnish
>     [sql] sql_set_user escaped user --> 'rajnish'
>     rlm_sql (sql): Reserving sql socket id: 3
>     [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'rajnish' ORDER BY id
>     [sql] User found in radcheck table

[tim] The user "rajnish" was found in the radcheck table ...

>     [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'rajnish' ORDER BY id
>     [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'rajnish' ORDER BY priority
>     [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '128kbps_Unlimited' ORDER BY id
>     [sql] User found in group 128kbps_Unlimited
>     [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '128kbps_Unlimited' ORDER BY id
>     rlm_sql (sql): Released sql socket id: 3
>     ++[sql] returns ok
>
> Failure Log:
>
>     [sql] expand: %{User-Name} -> bob
>     [sql] sql_set_user escaped user --> 'bob'
>     rlm_sql (sql): Reserving sql socket id: 3
>     [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id

[tim] The user "bob" was not found in the radcheck table ...

>     [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'bob' ORDER BY priority
>     [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '256kbps_Unlimited' ORDER BY id
>     [sql] User found in group 256kbps_Unlimited

[tim] The user "bob" was found in the radgroup table ...

>     [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '256kbps_Unlimited' ORDER BY id
>     rlm_sql (sql): Released sql socket id: 3
>     ++[sql] returns ok
>     rlm_checkval: Could not find item named Calling-Station-Id in request
>     rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
>     ++[station-check] returns notfound
>     rlm_checkval: Could not find item named NAS-Identifier in request
>     rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
>     ++[NAS-check] returns notfound
>     ++[expiration] returns noop
>     rlm_logintime: Checking Login-Time: 'Su-Sa-2400'
>     rlm_logintime: timestr returned unlimited
>     ++[logintime] returns ok
>     [pap] WARNING! No known good password found for the user. Authentication may fail
RE: Authentication Problem
What do you get when you run this query?

    SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id

From: john decot [mailto:johnde...@yahoo.com]
Sent: Monday, May 23, 2011 11:24 PM
To: tim.sylves...@networkradius.com; FreeRadius users mailing list
Subject: Re: Authentication Problem

> Seems there.
>
>     select * from radcheck where username='bob';
>     +-----+----------+--------------------+----+-------------+
>     | id  | username | attribute          | op | value       |
>     +-----+----------+--------------------+----+-------------+
>     | 386 | bob      | Expiration         | := | 25 Jun 2011 |
>     | 385 | bob      | Simultaneous-Use   | =  | 1           |
>     | 384 | bob      | Cleartext-Password | := | bob         |
>     +-----+----------+--------------------+----+-------------+
>
> From: Tim Sylvester tim.sylves...@networkradius.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Sent: Tue, May 24, 2011 10:42:35 AM
> Subject: RE: Authentication Problem
>
>> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of john decot
>> Sent: Monday, May 23, 2011 9:36 PM
>> To: FreeRadius users mailing list
>> Subject: Re: Authentication Problem
>>
>> I have a backup from the working server but it is still not working. Please find the log:
>>
>> success Log:
>>
>>     [sql] expand: %{User-Name} -> rajnish
>>     [sql] sql_set_user escaped user --> 'rajnish'
>>     rlm_sql (sql): Reserving sql socket id: 3
>>     [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'rajnish' ORDER BY id
>>     [sql] User found in radcheck table
>
> [tim] The user "rajnish" was found in the radcheck table ...
>
>>     [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'rajnish' ORDER BY id
>>     [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'rajnish' ORDER BY priority
>>     [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '128kbps_Unlimited' ORDER BY id
>>     [sql] User found in group 128kbps_Unlimited
>>     [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '128kbps_Unlimited' ORDER BY id
>>     rlm_sql (sql): Released sql socket id: 3
>>     ++[sql] returns ok
>>
>> Failure Log:
>>
>>     [sql] expand: %{User-Name} -> bob
>>     [sql] sql_set_user escaped user --> 'bob'
>>     rlm_sql (sql): Reserving sql socket id: 3
>>     [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id
>
> [tim] The user "bob" was not found in the radcheck table ...
>
>>     [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'bob' ORDER BY priority
>>     [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '256kbps_Unlimited' ORDER BY id
>>     [sql] User found in group 256kbps_Unlimited
>
> [tim] The user "bob" was found in the radgroup table ...
>
>>     [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '256kbps_Unlimited' ORDER BY id
>>     rlm_sql (sql): Released sql socket id: 3
>>     ++[sql] returns ok
>>     rlm_checkval: Could not find item named Calling-Station-Id in request
>>     rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
>>     ++[station-check] returns notfound
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Phil Mayers schrieb:

> On 05/23/2011 06:53 PM, Simon L. wrote:
>> Please have a look at my new, attached debug log.
>
> The server you are proxying to sends a reject. Fix that server.

- Why does the home server accept a proxied request from radtest but not from a wpa supplicant? The home server can not talk EAP. As the log shows, the proxy is not doing EAP when it forwards a request. Where is the difference?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
    SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
    +-----+----------+--------------------+-------------+----+
    | id  | username | attribute          | value       | op |
    +-----+----------+--------------------+-------------+----+
    | 384 | bob      | Cleartext-Password | bob         | := |
    | 385 | bob      | Simultaneous-Use   | 1           | =  |
    | 386 | bob      | Expiration         | 25 Jun 2011 | := |
    +-----+----------+--------------------+-------------+----+
    3 rows in set (0.00 sec)

From: Tim Sylvester tim.sylves...@networkradius.com
To: john decot johnde...@yahoo.com; FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 1:08:55 PM
Subject: RE: Authentication Problem

> What do you get when you run this query?
>
>     SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id
>
> From: john decot [mailto:johnde...@yahoo.com]
> Sent: Monday, May 23, 2011 11:24 PM
> To: tim.sylves...@networkradius.com; FreeRadius users mailing list
> Subject: Re: Authentication Problem
>
>> Seems there.
>>
>>     select * from radcheck where username='bob';
>>     +-----+----------+--------------------+----+-------------+
>>     | id  | username | attribute          | op | value       |
>>     +-----+----------+--------------------+----+-------------+
>>     | 386 | bob      | Expiration         | := | 25 Jun 2011 |
>>     | 385 | bob      | Simultaneous-Use   | =  | 1           |
>>     | 384 | bob      | Cleartext-Password | := | bob         |
>>     +-----+----------+--------------------+----+-------------+
>>
>> From: Tim Sylvester tim.sylves...@networkradius.com
>> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>> Sent: Tue, May 24, 2011 10:42:35 AM
>> Subject: RE: Authentication Problem
>>
>>> From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of john decot
>>> Sent: Monday, May 23, 2011 9:36 PM
>>> To: FreeRadius users mailing list
>>> Subject: Re: Authentication Problem
>>>
>>> I have a backup from the working server but it is still not working. Please find the log:
>>>
>>> success Log:
>>>
>>>     [sql] expand: %{User-Name} -> rajnish
>>>     [sql] sql_set_user escaped user --> 'rajnish'
>>>     rlm_sql (sql): Reserving sql socket id: 3
>>>     [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'rajnish' ORDER BY id
>>>     [sql] User found in radcheck table
>>
>> [tim] The user "rajnish" was found in the radcheck table ...
>>
>>>     [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'rajnish' ORDER BY id
>>>     [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'rajnish' ORDER BY priority
>>>     [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '128kbps_Unlimited' ORDER BY id
>>>     [sql] User found in group 128kbps_Unlimited
>>>     [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '128kbps_Unlimited' ORDER BY id
>>>     rlm_sql (sql): Released sql socket id: 3
>>>     ++[sql] returns ok
>>>
>>> Failure Log:
>>>
>>>     [sql] expand: %{User-Name} -> bob
>>>     [sql] sql_set_user escaped user --> 'bob'
>>>     rlm_sql (sql): Reserving sql socket id: 3
>>>     [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id
>>
>> [tim] The user "bob" was not found in the radcheck table ...
>>
>>>     [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'bob' ORDER BY priority
>>>     [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute
Re: Authentication Problem
On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:

>     SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
>     +-----+----------+--------------------+-------------+----+
>     | id  | username | attribute          | value       | op |
>     +-----+----------+--------------------+-------------+----+
>     | 384 | bob      | Cleartext-Password | bob         | := |
>     | 385 | bob      | Simultaneous-Use   | 1           | =  |
>     | 386 | bob      | Expiration         | 25 Jun 2011 | := |
>     +-----+----------+--------------------+-------------+----+
>     3 rows in set (0.00 sec)

That is odd. What happens when you remove the Simultaneous-Use record for bob?

-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
That's it. The problem was in the operator; I changed it to := and it works.

Thank you, Fajar

From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 2:17:51 PM
Subject: Re: Authentication Problem

> On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:
>
>>     SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
>>     +-----+----------+--------------------+-------------+----+
>>     | id  | username | attribute          | value       | op |
>>     +-----+----------+--------------------+-------------+----+
>>     | 384 | bob      | Cleartext-Password | bob         | := |
>>     | 385 | bob      | Simultaneous-Use   | 1           | =  |
>>     | 386 | bob      | Expiration         | 25 Jun 2011 | := |
>>     +-----+----------+--------------------+-------------+----+
>>     3 rows in set (0.00 sec)
>
> That is odd. What happens when you remove the Simultaneous-Use record for bob?
>
> -- Fajar
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
Simultaneous-Use op should be := and not =

On 05/24/2011 10:32 AM, Fajar A. Nugraha wrote:

> On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:
>
>>     SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
>>     +-----+----------+--------------------+-------------+----+
>>     | id  | username | attribute          | value       | op |
>>     +-----+----------+--------------------+-------------+----+
>>     | 384 | bob      | Cleartext-Password | bob         | := |
>>     | 385 | bob      | Simultaneous-Use   | 1           | =  |
>>     | 386 | bob      | Expiration         | 25 Jun 2011 | := |
>>     +-----+----------+--------------------+-------------+----+
>>     3 rows in set (0.00 sec)
>
> That is odd. What happens when you remove the Simultaneous-Use record for bob?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 24/05/11 08:35, Simon L. wrote:

> Phil Mayers schrieb:
>> On 05/23/2011 06:53 PM, Simon L. wrote:
>>> Please have a look at my new, attached debug log.
>>
>> The server you are proxying to sends a reject. Fix that server.
>
> - Why does the home server accept a proxied request from radtest but not from a wpa supplicant?

radtest sends (by default) a PAP request. WPA-Supplicant sends EAP.

> The home server can not talk EAP. As the log shows, the proxy is not

If the home server can't do EAP, how do you expect to proxy EAP to it? What is the home server?

> doing EAP when it forwards a request. Where is the difference?

802.1x requires EAP support at the radius server. If you are proxying the requests to another server, it requires EAP support there, too.

It *may* be possible to terminate the EAP at FreeRADIUS, and send the inner EAP as non-EAP, but this is a hack, and I strongly advise against it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP.

If you want to do that, put the proxy config into sites-enabled/inner-tunnel, and also see eap.conf:

    eap {
        peap {
            proxy_tunneled_request_as_eap = yes
        }
    }

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Phil Mayers schrieb:

> On 24/05/11 08:35, Simon L. wrote:
>> Phil Mayers schrieb:
>>> On 05/23/2011 06:53 PM, Simon L. wrote:
>>>> Please have a look at my new, attached debug log.
>>>
>>> The server you are proxying to sends a reject. Fix that server.
>>
>> - Why does the home server accept a proxied request from radtest but not from a wpa supplicant?
>
> radtest sends (by default) a PAP request. WPA-Supplicant sends EAP.
>
>> The home server can not talk EAP. As the log shows, the proxy is not
>
> If the home server can't do EAP, how do you expect to proxy EAP to it? What is the home server?

That's the point, I don't want to proxy EAP to the other freeradius (home server).

>> doing EAP when it forwards a request. Where is the difference?
>
> 802.1x requires EAP support at the radius server. If you are proxying the requests to another server, it requires EAP support there, too.

I thought proxy_tunneled_request_as_eap = no would proxy without EAP. So I did this:

eap.conf:

    eap {
        ...
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = no
            virtual_server = proxy-inner-tunnel
        }
    }

proxy-inner-tunnel:

    server proxy-inner-tunnel {
        authorize {
            update control {
                Proxy-To-Realm := NULL   # I want to proxy realm NULL
            }
        }
        authenticate {
            eap
        }
        post-proxy {
            eap
        }
    }

> It *may* be possible to terminate the EAP at FreeRADIUS, and send the inner EAP as non-EAP, but this is a hack, and I strongly advise against it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP.

The network between the two freeradius servers is not public or shared, so I think that would be OK. My above solution proxied EAP, but is your hack just an old version of my config?? I read several mails from last year where that problem was solved that way (more or less).

> If you want to do that, put the proxy config into sites-enabled/inner-tunnel,

Do you mean from proxy.conf or proxy-inner-tunnel?

> and also see eap.conf:
>
>     eap {
>         peap {
>             proxy_tunneled_request_as_eap = yes
>         }
>     }

I had set it to no.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Hi,

> proxy-inner-tunnel:
>
>     server proxy-inner-tunnel {
>         authorize {
>             update control {
>                 Proxy-To-Realm := NULL   # I want to proxy realm NULL
>             }
>         }
>         authenticate {
>             eap
>         }
>         post-proxy {
>             eap
>         }
>     }

Don't set it to NULL - that keeps it very much local. Instead set it to FOOBAR and configure proxy.conf so that the FOOBAR realm points to your other server.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
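The corrected shape of the setup discussed in this thread, added here as an example; it is not Simon's, Phil's or Alan's configuration. PEAP is terminated on this server, the inner EAP-MSCHAPv2 is unwrapped into plain MS-CHAP attributes, and the inner request is proxied to a home server that cannot speak EAP. Proxy-To-Realm has to name a realm defined in proxy.conf; NULL (like LOCAL) keeps the request local, which is why the original configuration never proxied. The realm name "legacy", the home server address 192.0.2.10 and the secret are placeholders, and the file names follow the 2.x layout used in the thread. As Phil says, this is a hack, and its security cost is worth stating: the MS-CHAPv2 challenge/response (or, for TTLS/PAP, the User-Password, obfuscated only with the RADIUS shared secret) now crosses the proxy hop outside the TLS tunnel, so that hop belongs on a private network or inside IPsec.

```unlang
# eap.conf (excerpt, added example)
eap {
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        # "no": strip the EAP wrapper and proxy MS-CHAP-Challenge /
        # MS-CHAP2-Response. "yes" (the default) would forward EAP, which
        # a non-EAP home server rejects.
        proxy_tunneled_request_as_eap = no
        virtual_server = "proxy-inner-tunnel"
    }
}

# proxy.conf (excerpt, added example): address and secret are placeholders
home_server legacy-auth {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = "replace-with-a-long-random-secret"
    status_check = status-server
}
home_server_pool legacy-pool {
    type = fail-over
    home_server = legacy-auth
}
realm legacy {
    auth_pool = legacy-pool
    # Hand the inner User-Name to the home server unchanged.
    nostrip
}

# sites-enabled/proxy-inner-tunnel (added example)
server proxy-inner-tunnel {
    authorize {
        # Must be a realm from proxy.conf; NULL or LOCAL means "do not proxy".
        update control {
            Proxy-To-Realm := "legacy"
        }
        eap {
            ok = return
        }
    }
    authenticate {
        # The eap module (via its mschapv2 submodule) converts the inner
        # EAP-MSCHAPv2 response into MS-CHAP attributes and proxies it.
        eap
    }
    post-proxy {
        # Turns the home server's MS-CHAP2-Success (or reject) back into
        # the EAP Success/Failure the supplicant expects inside the tunnel.
        eap
    }
}
```

A quick way to confirm the hop is doing what you expect is to run the proxy with radiusd -X and check that the packet sent to 192.0.2.10 carries MS-CHAP-Challenge and MS-CHAP2-Response rather than EAP-Message; if EAP-Message is still there, proxy_tunneled_request_as_eap is not taking effect for that tunnel type.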
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Hi again, now I got a real problem.

> ... The debug you sent contains no reject. Please send a debug for this case.

I will generate a separate log for the WPA2 scenario soon. I have no problems with WPA/2 and local authentication anymore. But now I try to proxy the requests to another home server. At first I tried with radtest from localhost - the request was proxied and accepted. From a Win7 supplicant the home server says:

    Login incorrect: [test/via Auth-Type = Local] (from client )

and of course an Access-Reject followed. Please have a look at my new, attached debug log.

Thanks a lot!
Simon

FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 12 2011 at 13:56:14 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file 
/usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/attr_rewrite including 
configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = /usr/local localstatedir =
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 05/23/2011 06:53 PM, Simon L. wrote: Please have a look at my new, attached debug log. The server you are proxying to sends a reject. Fix that server. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
On Tue, May 24, 2011 at 9:20 AM, john decot johnde...@yahoo.com wrote:

> Hi,
>
> I have been using freeradius-server-2.1.10. Dialupadmin is used for web-based administration. It was working fine till yesterday. I added an attribute to check Max-All-Session. Then I faced the problem of
>
>     No authenticate method (Auth-Type) found for the request: Rejecting the user

Max-All-Session alone should not cause that

> however the authorized section is working fine. After googling I checked the option default Auth-Type = Local but it was not successful.

Normally you should never have to mess with Auth-Type, unless you're doing some exotic setup (like LDAP bind with fallback to system user)

> This error occurs for newly created users only; old users are authenticating normally. I have reverted my changes by removing the attribute to check Max-All-Session but the error still exists.

... which again, simply confirms that Max-All-Session was not the cause of the problem

> Please advise me.

You have changed something else and made it broken. Reverse that. I use git to record changes in /etc/raddb so I can have a record of what has changed. You might need something similar.

In the mean time, see http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Since you say only some users experience it, compare the log for both the working and non-working user.

-- Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authentication Problem
' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'bob' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '256kbps_Unlimited' ORDER BY id
[sql] User found in group 256kbps_Unlimited
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '256kbps_Unlimited' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[station-check] returns notfound
rlm_checkval: Could not find item named NAS-Identifier in request
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
++[NAS-check] returns notfound
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Su-Sa-2400'
rlm_logintime: timestr returned unlimited
++[logintime] returns ok
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bob
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 246 to 127.0.0.1 port 58102
Waking up in 4.6 seconds.

Rgds,
John
RE: Authentication Problem
From: john decot
Sent: Monday, May 23, 2011 9:36 PM
To: FreeRadius users mailing list
Subject: Re: Authentication Problem

> I have a backup from the working server but it is still not working. Please find the log:
>
> Success log:
>
> [sql] expand: %{User-Name} -> rajnish
> [sql] sql_set_user escaped user --> 'rajnish'
> rlm_sql (sql): Reserving sql socket id: 3
> [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'rajnish' ORDER BY id
> [sql] User found in radcheck table

[tim] The user rajnish was found in the radcheck table.

> [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = BINARY 'rajnish' ORDER BY id
> [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'rajnish' ORDER BY priority
> [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '128kbps_Unlimited' ORDER BY id
> [sql] User found in group 128kbps_Unlimited
> [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '128kbps_Unlimited' ORDER BY id
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns ok
>
> Failure log:
>
> [sql] expand: %{User-Name} -> bob
> [sql] sql_set_user escaped user --> 'bob'
> rlm_sql (sql): Reserving sql socket id: 3
> [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id

[tim] The user bob was not found in the radcheck table.

> [sql] expand: SELECT groupname FROM usergroup WHERE username = BINARY '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = BINARY 'bob' ORDER BY priority
> [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '256kbps_Unlimited' ORDER BY id
> [sql] User found in group 256kbps_Unlimited

[tim] The user bob was found in the radgroup table.

> [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '256kbps_Unlimited' ORDER BY id
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns ok
> rlm_checkval: Could not find item named Calling-Station-Id in request
> rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
> ++[station-check] returns notfound
> rlm_checkval: Could not find item named NAS-Identifier in request
> rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
> ++[NAS-check] returns notfound
> ++[expiration] returns noop
> rlm_logintime: Checking Login-Time: 'Su-Sa-2400'
> rlm_logintime: timestr returned unlimited
> ++[logintime] returns ok
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop

[tim] Make sure that bob is in the radcheck table in the MySQL database. FreeRADIUS did not find the user bob in the radcheck table, and just continued.

Tim
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other basic stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just when we think we have a working config and have a few users start testing, it breaks. The web is littered with people having problems with Windows 7. I'm convinced the W7 Supplicant is really broken. In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails!

Anyway... Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth. Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this...

G

-----Original Message-----
From: Simon L.
Sent: Wednesday, May 18, 2011 10:27 AM
To: FreeRadius users mailing list
Subject: Authentication issues with Win7 and WPA/WPA2 Enterprise

> Dear Users,
>
> I hope you will be patient with me, it's my first time with freeradius.
>
> I have problems authenticating Windows 7 clients with freeradius. Using WPA2-Enterprise results in Access-Rejects after one Request. Using WPA-Enterprise results in about nine different Access-Challenges and one final Access-Accept - that can't be right.
>
> I have set up a testing scenario with the local test user bob. If local authentication works properly I want to proxy all requests without EAP to another freeradius server. I will have questions to that later :) radtest from localhost and remotehost succeeded.
>
> Setting:
> Win7_Client --WLAN-- WAP LinksysWRT54gl --MPLS-Network over PPPoE-- FreeRADIUS_proxy (FreeRADIUS_main)
> Windows 7 | dd-wrt v24 SP2 | Ubuntu Server 10.4.2, freeradius 2.1.10 generic
> 10.73.108.254 | internal: 10.0.73.1, external: 213.x.x.x
>
> I don't get a clue if the problem is Windows, certificates, network or simply misconfigured freeradius.
>
> certificates:
> - I build the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs
> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.
> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap-tls right?
>
> WAP:
> - WPA2 Enterprise with AES: no accept packet possible until now
> - WPA Enterprise with AES results in that 9-times Challenges until accept
>
> freeRADIUS:
> - compiled with installed openSSL dev lib
> - default config as it comes out of the box, except: added user bob with cleartext password in users, added the WAP as client in clients.conf, changed default_eap_type = peap and private_key_password = MYSECRET_FROM_SERVER_CERT in eap.conf
>
> configuration and stuff: please look at the attached debug.log from running radiusd -X
> debug.log contains the output of radiusd -X with Access-Requests over WPA-Enterprise.
>
> I hope you got a hint for me.
> Thanks!
> Simon
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:26, Simon L. wrote:
> Using WPA2-Enterprise results in Access-Rejects after one Request.

That is not normal. WPA2 should be the same as WPA at the radius level.

> Using WPA-Enterprise results in about nine different Access-Challenges and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs followed by a final request/accept. What exactly is your problem?

> I have set up a testing scenario with the local test user bob. If local authentication works properly I want to proxy all requests without EAP to another freeradius server. I will have questions to that later :) radtest from localhost and remotehost succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

> I don't get a clue if the problem is Windows, certificates, network or simply misconfigured freeradius.

You haven't told us what the problem is. WPA-Enterprise is working for you - the radius server is sending an access-accept. What problem are you experiencing?

> certificates:
> - I build the certs with and without that windows extension OID in server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

> - 2048 bit
>
> Windows 7:
> - installed ca.der as root cert in win7 and configured it for the desired WiFi network
> - for my eyes no difference in debug logs if validate server cert or not.

Validate server cert is done on the client. You won't see any difference on the server.

> - unchecked using windows user or domain for auth
> - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for eap-tls right?

PEAP uses TLS. PEAP needs certs too.

> WAP:
> - WPA2 Enterprise with AES: no accept packet possible until now

As above - that's not normal. The debug you sent contains no reject. Please send a debug for this case.

> - WPA Enterprise with AES results in that 9-times Challenges until accept

As above - this is normal. Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to describe what those problems are.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
One point of clarification:

> PEAP uses TLS. PEAP needs certs too.

Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example.

G
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:50, Gary Gatten wrote:
> I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other basic stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness. And just when we think we have a working config and have a few users start testing, it breaks. The web is littered with people having problems with Windows 7. I'm convinced the W7 Supplicant is really broken. In our environment FR doesn't even see the PEAP, just an MSCHAP, and that even fails!

We have no problems with Windows 7. It works just fine. There don't seem to be significant differences between it and Windows XP SP3 from our point of view.

> Anyway... Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff I could actually see what's different in the requests between a working auth and a rejected auth. Right now we're grasping at straws and can't figure out why MS is essentially doing nothing about this...

Can you be more specific about what kind of script you want? I've got a bunch of python tools I use for testing here.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:59, Gary Gatten wrote:
> One point of clarification:
>
>> PEAP uses TLS. PEAP needs certs too.
>
> Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example.

Incorrect. PEAP *requires* a server certificate. The client does not need one.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them. I have FR debugs of a working auth and a rejected auth. I'd like to unhash the MSCHAP stuff to see in clear text what's getting sent back and forth so I can get a better idea of why the request is being rejected.

G
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
I don't recall doing anything with server certs either - but this was LONG ago. Plus, you are FAR more knowledgeable than I in these matters so I defer to you and stand corrected. The next sound you hear is my tail dragging on the ground as I walk away, head down, in shame.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them. I have FR debugs of a working auth and a rejected auth. I'd like to unhash the MSCHAP stuff to see in clear text what's getting sent back and forth so I can get a better idea of why the request is being rejected.

That isn't really how it works. MS-CHAP is a (reasonably) cryptographically secure protocol. You can't go backwards from:

MS-CHAP-Challenge = xxx
MS-CHAP2-Response = yyy

...to anything meaningful. You *can* check that a given response is valid for a given challenge, if you know the password or nt hash.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
That's what I was afraid of... Can you expand on this:

> You *can* check that a given response is valid for a given challenge, if you know the password or nt hash.

TIA

G
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

 a. Terminating the outer EAP-PEAP
 b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographic (hash) mismatches at client and server without careful preservation of the EAP payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10.

Are you / have you been able to:

 1. stop terminating the PEAP on the Aruba
 2. upgrade to FreeRADIUS 2.1.10

?
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:35, Gary Gatten wrote:
> That's what I was afraid of... Can you expand on this:
>
>> You *can* check that a given response is valid for a given challenge, if you know the password or nt hash.

At length, but I would be here all day ;o)

Basically, I've got a python script that performs the MS-CHAP crypto. I'll see if I can stick it somewhere people can make use of it.

But FreeRADIUS does this right. There's no need for an external script (unless you're fiddling with the MS-CHAP module guts, which I was when I wrote it). If FreeRADIUS is telling you the mschap response is wrong, it's wrong. Either:

 1. The client is sending wrong data
 2. The server has wrong data (password/hash)
 3. Something is fiddling with the data in transit

Since we *know* your Aruba kit is doing some fiddling, it
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
I have a 2.1.10 server we are testing with, but I thought the patch you mentioned wasn't in 2.1.10; I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon.
Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
Phil Mayers p.may...@imperial.ac.uk wrote:
> On 18/05/11 17:10, Gary Gatten wrote:
> > I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.
>
> Are you / have you been able to:
> 1. stop terminating the PEAP on the Aruba
> 2. upgrade to FreeRADIUS 2.1.10

I can at least confirm the following from my Aruba setup here:

a) _not_ terminating the outer EAP-PEAP in the Aruba and
b) passing the whole thing to FR 2.1.10

works with any Windows I have so far encountered. (As far as the other things like server certificate chain, etc. are correct.)

So the setup Win7-Aruba-FR _will_ work, if you don't let the Aruba gear fiddle with your EAP.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.
RE: Authentication issues with Win7 and WPA/WPA2 Enterprise
Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and proxying MSCHAP APPEAR to work well. Testing is by no means 100% complete, but so far so good. Scenarios that used to result in a reject are now working as expected.

I had an initial problem 'cause I installed this to /devel/ to test with and I mucked something up and many files and dirs ended up directly under /devel instead of for instance /devel/raddb/. I created raddb and copied certs there and it was more happy.

FWIW: We are NOT using client certs at this time, we are using the PEAP/MSCHAPv2 and use my windows credentials option.

Thanks!

Gary

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

I have a 2.1.10 server we are testing with, but I thought the patch you mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x? We will be testing passing the entire *eap session to FR this afternoon.

----- Original Message -----
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
> I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts: Your Aruba wireless equipment is:

a. Terminating the outer EAP-PEAP
b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and I even suspect I know how - I think it's probably clients typing in their username in mIxEd-CaSe, which will cause cryptographic (hash) mismatches at client and server without careful preservation of the EAP payload. As per Neal Garber's post of 10th May, even FreeRADIUS had problems with this prior to 2.1.10

Are you / have you been able to:

1. stop terminating the PEAP on the Aruba
2. upgrade to FreeRADIUS 2.1.10

?
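Phil's point in the quoted message, that a username typed in mIxEd-CaSe causes hash mismatches between client and server unless the EAP payload is preserved, follows from how MS-CHAPv2 builds its challenge. The 8-byte challenge that feeds the NT-Response is ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName) from RFC 2759 section 8.2, so the exact bytes of the user name are part of the computation. The following Python is an added example, not code from the thread, FreeRADIUS or Aruba; the challenge bytes and user names in it are constructed for illustration.

```python
"""MS-CHAPv2 ChallengeHash (RFC 2759 section 8.2) and why user-name case matters.

Added example for this thread; not from FreeRADIUS, Aruba or any poster.
All challenge values and user names below are constructed.
"""
import hashlib
import os


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash:
        SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
    UserName is the name as the peer supplied it, with any DOMAIN\\ prefix removed.
    The result is the 8-byte challenge that the DES-based NT-Response is computed over,
    so any byte difference in the name (including letter case) changes the response."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 octets each")
    name = user_name.split("\\", 1)[-1]  # strip "DOMAIN\" if present (RFC 2759)
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + name.encode("utf-8")).digest()
    return digest[:8]


def sides_agree(client_name: str, server_name: str) -> bool:
    """Model of one exchange: the client hashes with the name it typed, the server
    with the name it believes is authenticating. Returns True only if both derive
    the same 8-byte challenge, which is a precondition for the NT-Response to verify."""
    peer = os.urandom(16)
    auth = os.urandom(16)
    return challenge_hash(peer, auth, client_name) == challenge_hash(peer, auth, server_name)


if __name__ == "__main__":
    # Constructed illustration: same credentials, different letter case on the two sides.
    print("ggatten vs ggatten:", sides_agree("ggatten", "ggatten"))
    print("GGatten vs ggatten:", sides_agree("GGatten", "ggatten"))
```

The practical consequence, which is what the thread arrives at, is that anything in the path that re-writes or normalises the user name between the client and the server that computes the response (a controller terminating PEAP and re-injecting plain MS-CHAPv2, for instance) can break authentication for users who type their name in a different case from the directory entry, while passing the EAP payload untouched avoids the problem.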
Re: Authentication issues from Apple devices
> Found Auth-Type = CHAP
> +- entering group CHAP {...}
> [chap] login attempt by sandra with CHAP password
> [chap] Using clear text password sandra for user sandra authentication.
> [chap] Password check failed
> ++[chap] returns reject

Nothing very dramatic here - the chap-challenge is wrong, almost certainly meaning the user entered the wrong password. Now, since the user in this case is you testing, I guess it might be something else, but I'm not sure what.

First thing - check and re-check that you're entering the password correctly, and something tedious like autocorrect isn't munging it!

How do clients log into the hotspot - is it via web intercept/redirect and an HTML form? Can you switch to HTTP (rather than HTTPS) and run a packet capture to see if the password coming from the client is good?
Re: Authentication issues from Apple devices
The users connect through a chillispot captive portal, via HTTP. HTTPS causes too many problems with certificates, and the access point is unencrypted anyway, so security is not the issue.

I initially thought that the hotspot clients were simply making mistakes, but I've been testing it all day with the iPhone v blackberry and Windows 7 and I'm fairly certain the password is going in ok. I set the username and password to be sandra : sandra for simplicity, as the autocorrect should leave it alone. I also set up an account as 1234 : 1234 and this also failed only on the iPhone.

For it to only affect Apple products, I had hoped that the debug message was going to show some rubbish in the username to prove that there was some issue with the input, but I can't see the issue when the debug message is confirming that the correct username and password were supplied.
Re: Authentication issues from Apple devices
On 05/14/2011 10:08 AM, stentofon wrote:
> The users connect through a chillispot captive portal, via HTTP. HTTPS causes too many problems with certificates, and the access point is unencrypted anyway, so security is not the issue.
>
> I initially thought that the hotspot clients were simply making mistakes, but I've been testing it all day with the iPhone v blackberry and Windows 7 and I'm fairly certain the password is going in ok. I set the username and password to be sandra : sandra for simplicity, as the autocorrect should leave it alone. I also set up an account as 1234 : 1234 and this also failed only on the iPhone.
>
> For it to only affect Apple products, I had hoped that the debug message was going to show some rubbish in the username to prove that there was some

No; the packet is well-formed. The problem is that, in your failing case, the CHAP-Password is not valid for the given CHAP-Challenge and your plaintext password "sandra". That is, the client (Chilli) is sending invalid auth to FreeRADIUS.

> issue with the input, but I can't see the issue when the debug message is confirming that the correct username and password were supplied.

That's not what the debug message says. I assume you're referring to this line:

  [chap] login attempt by sandra with CHAP password
  [chap] Using clear text password sandra for user sandra authentication.

...which means I'm trying a login for 'sandra'. My (server-side) value for their clear text password is 'sandra'. It doesn't refer to anything the client sent (well, the username I guess).

CHAP is a challenge-response method. The NAS (Chilli) never sends the password to FreeRADIUS. Instead, it sends:

  CHAP-Challenge = 16 random bytes
  CHAP-Password = 1 byte ID + md5(ID + password + challenge)

The radius server then extracts the plaintext password from the SQL database, and the ID and challenge from the packet, computes its own copy of CHAP-Password, and compares it to the packet.

In your failing case, they don't match, so authentication is denied (I've confirmed this by doing the MD5 manually in python - it's definitely invalid. I tried a few trivial variations of the password too, to see if I could figure out what the client was using - no dice).

I think the problem must be at the Chillispot end - it's breaking the CHAP somehow for iOS clients. Since you're not using HTTPS, you could try getting a packet capture of a working and failing login HTTP session, and compare the two in detail - I'd be looking for the POSTed form data, and any HTTP headers that might affect the interpretation e.g. character encodings.

But this isn't really a FreeRADIUS problem I'm afraid.
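The CHAP computation Phil describes above, and the "doing the MD5 manually in python" check he mentions, as an added example that is not code from the thread, from FreeRADIUS or from Chillispot. It implements the NAS side (building CHAP-Password from ID, password and challenge per RFC 1994 and RFC 2865), the server side (recomputing and comparing), and a small diagnostic that tries a list of password variants against a captured CHAP-Password to see which one the client actually hashed. The challenge bytes, ID and candidate list are constructed for illustration.

```python
"""CHAP (RFC 1994) as carried in RADIUS (RFC 2865): NAS-side response, server-side
verification, and a diagnostic for a response that fails to verify.

Added example for this thread; not FreeRADIUS or Chillispot code.
Sample challenge, ID and password variants are constructed.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """What the NAS puts in the CHAP-Password attribute:
    one CHAP Identifier byte followed by MD5(ID || password || challenge), 17 octets total."""
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP Identifier must fit in one octet")
    id_byte = bytes([ident])
    digest = hashlib.md5(id_byte + password.encode("utf-8") + challenge).digest()
    return id_byte + digest


def verify_chap(stored_password: str, chap_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from the clear-text password the server
    holds and compare it to what the NAS sent.

    `challenge` is the CHAP-Challenge attribute; if the NAS omitted that attribute,
    RFC 2865 says the 16-byte Request Authenticator is used instead, and the caller
    must pass that here."""
    if len(chap_password) != 17:
        return False  # malformed: must be 1 ID octet + 16 MD5 octets
    ident = chap_password[0]
    expected = chap_response(ident, stored_password, challenge)
    # constant-time compare so verification timing does not leak digest bytes
    return hmac.compare_digest(expected, chap_password)


def diagnose_variants(chap_password: bytes, challenge: bytes,
                      candidates: Iterable[str]) -> Optional[str]:
    """Given a CHAP-Password that failed to verify, try a few plausible variants of the
    expected password (trailing newline, different case, encoding quirks) and return
    the first one that reproduces the response, or None if none does. This is the
    "trivial variations" check described in the thread, done against a capture."""
    for candidate in candidates:
        if verify_chap(candidate, chap_password, challenge):
            return candidate
    return None


def simulate_login(stored_password: str, typed_password: str) -> bool:
    """One NAS/server exchange with a fresh random 16-byte challenge."""
    challenge = os.urandom(16)
    ident = 0x2A  # constructed Identifier value
    sent = chap_response(ident, typed_password, challenge)
    return verify_chap(stored_password, sent, challenge)


if __name__ == "__main__":
    print("sandra / sandra :", simulate_login("sandra", "sandra"))
    print("sandra / Sandra :", simulate_login("sandra", "Sandra"))
    # Constructed failing case: the client hashed a password with a trailing newline.
    chal = bytes(range(16))
    bad = chap_response(1, "sandra\n", chal)
    print("verify as stored:", verify_chap("sandra", bad, chal))
    print("variant found   :", repr(diagnose_variants(bad, chal, ["sandra ", "Sandra", "sandra\n"])))
```

Because the server never sees the password, only the MD5 over ID, password and challenge, a wrong result here can only mean the NAS hashed different bytes than the server holds: a different password, a different encoding of the same characters, or a different challenge/ID than the ones it put in the packet. That is why the thread points at the captive portal's POST data and headers rather than at FreeRADIUS.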