Re: Authentication

2013-09-23 Thread Nikolaos Milas

On 23/9/2013 3:14 PM, Free-Radius wrote:



I wonder if FreeRADIUS can authenticate a client by IP number, 
without using a login and password, only the IP. If possible, how can I do it?


You can authenticate a client based on MAC Address. See 
http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.


Of course not by IP number which can be manipulated.

Regards,
Nick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentication

2013-09-23 Thread ken.farrington
Just also beware that the MAC can be spoofed as well, with lots of programs :)


 On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:

 On 23/9/2013 3:14 PM, Free-Radius wrote:

 
  I wonder if FreeRADIUS can authenticate a client by IP number,
  without using a login and password, only the IP. If possible, how can I do it?

 You can authenticate a client based on MAC Address. See
 http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.

 Of course not by IP number which can be manipulated.

 Regards,
 Nick
Ken Farrington
Director
CCIE #12651

802 Limited
International House, 221 Bow Road, London, E3 2SJ, United Kingdom
Direct: +44 (0)7500 802802
ken.farring...@802.co.uk
http://www.802.co.uk


Disclaimer
This e-mail may contain information that is confidential, privileged or
otherwise protected from disclosure. If you are not an intended recipient of
this e-mail, do not duplicate or redistribute it by any means. Please delete it
and any attachments and notify the sender that you have received it in error.
Any views or opinions presented are solely those of the author and do not
necessarily represent those of 802 Limited or any subsidiary company of 802
Limited. This email may relate to or be sent from other members of the 802
Group. All rights reserved. 802 Limited. Registered in the UK. Company Number.
7962864.

Re: Authentication

2013-09-23 Thread Michael Schwartzkopff
On Monday, 23 September 2013, 13:53:14, ken.farrington wrote:
 Just also beware that the MAC can be spoofed as well, with lots of programs :)

Yes: ip link set dev ... address ...

  On 23 September 2013 at 13:46 Nikolaos Milas nmi...@noa.gr wrote:
  
  On 23/9/2013 3:14 PM, Free-Radius wrote:
   I wonder if FreeRADIUS can authenticate a client by IP number,
   without using a login and password, only the IP. If possible, how can I do it?
  
  You can authenticate a client based on MAC Address. See
  http://wiki.freeradius.org/guide/Mac-Auth for various scenarios.
  
  Of course not by IP number which can be manipulated.
  
  Regards,
  Nick
-- 
Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: authentication by hostname

2013-07-23 Thread Mathieu Simon
Hi

Could it be you are in an AD environment? Your request looks like what I
see in my environment.
If so: domain-joined Windows machines (for what I have tested) have a
computer account in AD.
This can be used by the Windows client (never tested with domain-joined Macs or
Linux machines) to authenticate as a machine against the network (using
PEAP-MSCHAPv2).
Technically you don't authenticate by hostnames but you use the computer's
AD account.

Another way would be to use EAP-TLS with certificates on your machines.

If you implement the Samba/winbind way as described by
deployingradius.com you can authenticate computer accounts. It required me
to tweak the LDAP default config for group-based authorization, but in case
this is what you are looking for, ping back and I can show you the LDAP
filters I use.

If you are only into authentication, most likely the public pages will
already let you in, but (at least on Debian wheezy) I had to modify
modules/mschap as follows:

mschap {
    ...
    with_ntdomain_hack = yes
    ...
    # Debian
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    # Mine (at least that made it work)
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    ...
}

-- Mathieu

Re: authentication by hostname

2013-07-22 Thread Alan DeKok
Stefan Sticht wrote:
 I want to change a FreeRadius server to authenticate a few hosts by their 
 hostnames. 
 The hostnames would be stored in a config file.

  That's not how RADIUS works.

 How could I do this?

  You can't.

 This is the authentication request:
...
EAP-Message = 0x0201001401686f73742f544344452d3030303131

  That's EAP authentication.  You can't bypass the authentication.

  So... *why* do you want to do this?  What other alternatives do you have?

  Alan DeKok.


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 14:11, Marco Streich wrote:
 Hi all
 
 We have deployed FreeRADIUS on OS X before, but our configuration was rather 
 ugly. What we would do is authenticate users locally, having the machine 
 attached to our OpenDirectory server directly using the Connect Network 
 Account Server functionality provided by OS X.
 
 I have seen this question getting asked a lot but still wasn't able to fill 
 my gap in understanding the whole process. 

I will make it short and easy.

You can't do LDAP authentication with 802.1x. EAP needs the password of
the user in cleartext. If it's not in your LDAP, you're screwed.

And the debug log explains it :
 WARNING: No known good password was found in LDAP.  Are you sure that the 
 user is configured correctly?
 [pap] WARNING! No known good password found for the user.  Authentication 
 may fail because of this.

[snip]

 At this moment, I cannot wrap my mind around what is going on here.
 
 I understand that ldap tries to authenticate the user by itself, instead of 
 handing it to the LDAP server. But what is different when I run radtest?
 
 Debug from radtest:
 ...
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group LDAP {...}
 [ldap] login attempt by a4 with password whatever
 [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
   [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
   [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
 ldap.hopro.edu:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
 [ldap] user a4 authenticated successfully
 ++[ldap] returns ok
 ...

This works because you're doing PAP. With radtest the user password is
sent in cleartext. So YES you can authenticate with LDAP because you can
BIND to the LDAP with the provided password.

You don't have this password with 802.1x/EAP. You work only with
challenges, hashes and keys.

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 I will make it short and easy.
 
 You can't do LDAP authentication with 802.1x. EAP needs the password of
 the user in cleartext. if it's not in your ldap, you're screwed.

..EAP-TTLS/PAP ?  ;-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 13:11, Marco Streich wrote:


When I run radtest from my laptop, the authentication is successful:


radtest does not send eap. Download the wpa_supplicant sources and 
compile eapol_test to test EAP.



WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?


This suggests your LDAP server does not contain, or is not returning, 
password info. So auth would probably have failed...




[ttls] eaptls_verify returned 11
[ttls]  TLS 1.0 Alert [length 0002], warning close_notify
TLS Alert read:warning:close notify
[ttls] WARNING: No data inside of the tunnel.


...except it never gets as far as the inner tunnel because the client 
drops the EAP session. Most likely the client doesn't trust the server cert.



Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Matthew Newton
On Wed, Jun 19, 2013 at 02:49:21PM +0200, Olivier Beytrison wrote:
 On 19.06.2013 14:11, Marco Streich wrote:
  We have deployed FreeRADIUS on OS X before, but our
  configuration was rather ugly. What we would do is
  authenticate users locally, having the machine attached to our
  OpenDirectory server directly using the Connect Network
  Account Server functionality provided by OS X.

 I will make it short and easy.
 
 You can't do LDAP authentication with 802.1x. EAP needs the password of
 the user in cleartext. if it's not in your ldap, you're screwed.

Not entirely true.

With PAP (which is what radtest is doing) then you can work
without a cleartext password as auth is (generally) based on a
ldap bind.

With EAP-TTLS/PAP, you can also work with just the hash in ldap,
as (same as clear PAP) you get the password from the client to do
a bind with.

With EAP-TTLS/MSCHAP or PEAP/EAP-MSCHAP etc you need the cleartext
password from ldap - auth is done by checking this in FreeRADIUS,
not by a bind to ldap.


  [ldap] login attempt by a4 with password whatever
  [ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
[ldap] (re)connect to ldap.hopro.edu:389, authentication 1
[ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to 
  ldap.hopro.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
  [ldap] user a4 authenticated successfully
  ++[ldap] returns ok

 This works because you're doing PAP. with radtest the user password is
 sent in cleartext. so YES you can authenticate with ldap because you can
 BIND to the ldap with the provided password.
 
 you don't have this password with 802.1x/EAP. you work only with
 challenges, hash and keys.

Apple OS X can do EAP-TTLS/PAP as far as I am aware (native
Windows < 8 can't), so this should work. I don't recognise the
error you're getting, though - it looks like the client gave up
and sent an empty packet.

Note you don't need ldap configured in the outer for 802.1X to
work - the outer is just doing EAP. It's the inner that will need
the ldap modules.


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 Some other comments -
 
 Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
 2.2.x.
 
 Save yourself some round trip packets by setting default_eap_type
 = ttls in eap.conf
 
 Save yourself some LDAP lookups by removing ldap from the outer.

..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)

alan


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
 Some other comments -

 Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
 2.2.x.

 Save yourself some round trip packets by setting default_eap_type
 = ttls in eap.conf

 Save yourself some LDAP lookups by removing ldap from the outer.
 
 ..and save some more hits to LDAP by wrapping the call to it in the
 authorization stage to just the EAP Identity packet :-)

That's pretty interesting, what's the if() you're doing to achieve that?


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers

On 19/06/13 15:32, Olivier Beytrison wrote:

On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Some other comments -

Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.

Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf

Save yourself some LDAP lookups by removing ldap from the outer.


..and save some more hits to LDAP by wrapping the call to it in the
authorization stage to just the EAP Identity packet :-)


That's pretty interesting, what's the if() you're doing to achieve that?


He he he... if I recall correctly I came up with something like:

server inner-tunnel {
  authorize {
    eap

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
      noop
    }
    else {
      # rest of config goes here
    }
  }
}

Note however that you can avoid this in master versions of the server 
with:


server inner-tunnel {
  authorize {
    eap {
      ok = return
    }
  }
}

...as the EAP module was updated to return ok on identity/mschap 
responses. Yet another reason to upgrade!

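To see what the `EAP-Type == 1` test and the /^0x02..00061a..$/ regex above actually select, here is an added Python example (not FreeRADIUS code and not from any poster) that decodes an EAP-Message exactly as radiusd -X prints it. It uses the EAP-Message from the "authentication by hostname" thread on this page, 0x0201001401686f73742f544344452d3030303131, and builds constructed MSCHAPv2 messages for the other cases; the function names are mine.

```python
"""Decode the EAP-Message radiusd -X prints and classify it the way the
'most evil unlang ever' does.  Added example; not FreeRADIUS code.

EAP header (RFC 3748): Code(1) Identifier(1) Length(2, network order).  A
Request (code 1) or Response (code 2) then carries Type(1) and type data.
EAP-MSCHAPv2 (Type 26 = 0x1a) puts an OpCode first in the type data; the
Success-Response (OpCode 3) and Failure-Response (OpCode 4) the peer sends
back are exactly 6 bytes, which is what /^0x02..00061a..$/ matches.
"""
import re
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODES = {1: "challenge", 2: "response", 3: "success", 4: "failure"}

# The regex from the unlang in the thread, applied to the 0x... form radiusd prints.
SKIP_RE = re.compile(r"^0x02..00061a..$")


def build_eap(code: int, ident: int, eap_type: int, data: bytes) -> str:
    """Encode an EAP Request/Response as the 0x-prefixed hex string FreeRADIUS shows."""
    body = bytes([eap_type]) + data
    return "0x" + (struct.pack("!BBH", code, ident, 4 + len(body)) + body).hex()


def parse_eap(hexstr: str) -> dict:
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    pkt = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        pkt["type"], pkt["data"] = raw[4], raw[5:]
    return pkt


def classify(hexstr: str) -> str:
    """'identity:<name>', 'mschapv2-<opcode name>', or 'other'."""
    pkt = parse_eap(hexstr)
    if pkt["code"] != EAP_RESPONSE:
        return "other"
    if pkt["type"] == EAP_TYPE_IDENTITY:
        return "identity:" + pkt["data"].decode("utf-8", "replace")
    if pkt["type"] == EAP_TYPE_MSCHAPV2 and pkt["data"]:
        return "mschapv2-" + MSCHAPV2_OPCODES.get(pkt["data"][0], "unknown")
    return "other"


def skip_authorize(hexstr: str) -> bool:
    """True where the inner-tunnel authorize section can stop early: an EAP
    Identity response (the unlang 'EAP-Type == 1' test) or an MSCHAPv2
    Success/Failure-Response (the regex).  Neither needs an LDAP/SQL lookup."""
    kind = classify(hexstr)
    return kind.startswith("identity:") or kind in ("mschapv2-success", "mschapv2-failure")


def matches_unlang_regex(hexstr: str) -> bool:
    return SKIP_RE.match(hexstr) is not None


if __name__ == "__main__":
    # From the 'authentication by hostname' thread: a machine-account identity.
    host_ident = "0x0201001401686f73742f544344452d3030303131"
    print(classify(host_ident), skip_authorize(host_ident))
    # Constructed: an MSCHAPv2 Success-Response with EAP id 5.
    print(classify(build_eap(EAP_RESPONSE, 5, EAP_TYPE_MSCHAPV2, b"\x03")))
```

The Identity response decodes to host/TCDE-00011, a Windows machine account, which is why that thread's answer says it is EAP rather than a hostname lookup. Only the 6-byte Success-Response and Failure-Response match the regex; a real MSCHAPv2 Response carries a 49-byte value and never does. The unlang looks only at EAP-Message[0]: a long EAP packet is split across several EAP-Message attributes, but the 6-byte responses always fit in the first one.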


Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi,

 He he he... if I recall correctly I came up with something like:

yes, that's the one. Quoted as 'most evil unlang ever' if I recall.
Have used it on many occasions... does the job well

 ...as the EAP module was updated to return ok on identity/mschap
 responses. Yet another reason to upgrade!

yep...as well as proper pools of LDAP servers in 3.x

alan


Re: Authentication Using Framed-IP-Address

2013-03-07 Thread Arran Cudbard-Bell

On 7 Mar 2013, at 09:50, Russell Mike radius@gmail.com wrote:

 Dear Alan. De.  List Greetings
 
 May I please ask your opinion, if it is possible to accept & reject users based 
 on Framed-IP-Address.

Yes, if the Framed-IP-Address is available in the request. There are, however, no 
IP-specific operators, so it's more difficult to check whether an IP address is 
in a certain range.

Also, Alan doesn't need his ego stroking any more, addressing questions to the 
list works just as well.

-Arran
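Arran's point that 2.x has no IP-specific operators means a range check has to go through the regex operator. The Python below is an added example, not FreeRADIUS code: it turns an IPv4 prefix into a regex that unlang's POSIX extended regex engine accepts (plain groups and [0-9] classes, no \d and no (?:...)), emits the if () condition, and cross-checks the regex against Python's ipaddress module at the range boundaries. The prefixes and the function names are constructed for the example.

```python
"""Checking whether Framed-IP-Address falls inside a CIDR range with only the
string/regex operators FreeRADIUS 2.x unlang offers.  Added example; not
FreeRADIUS code.

A CIDR block is a contiguous range per octet, so enumerate the values of the
partial octet and fix or wildcard the others.  The output is POSIX-ERE
compatible because unlang 2.x compiles regexes with regcomp().
"""
import ipaddress
import re


def _octet_pattern(lo: int, hi: int) -> str:
    if lo == hi:
        return str(lo)
    if (lo, hi) == (0, 255):
        # Framed-IP-Address is an ipaddr attribute, so an octet above 255 cannot occur.
        return "[0-9]{1,3}"
    return "(" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"


def cidr_to_regex(cidr: str) -> str:
    """Exact regex for the dotted-quad addresses inside an IPv4 prefix."""
    net = ipaddress.IPv4Network(cidr, strict=True)   # rejects host bits set
    lo, hi = net.network_address.packed, net.broadcast_address.packed
    return "^" + r"\.".join(_octet_pattern(a, b) for a, b in zip(lo, hi)) + "$"


def unlang_condition(attribute: str, cidr: str) -> str:
    """The 2.x-style unlang condition for 'attribute is inside cidr'."""
    return f"if ({attribute} =~ /{cidr_to_regex(cidr)}/)"


def in_cidr(ip: str, cidr: str) -> bool:
    return re.match(cidr_to_regex(cidr), ip) is not None


def agrees_at_boundaries(cidr: str) -> bool:
    """Cross-check the regex against ipaddress at the four edge addresses
    (one below the network, network, broadcast, one above)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    first, last = int(net.network_address), int(net.broadcast_address)
    for n in (first - 1, first, last, last + 1):
        if not 0 <= n <= 0xFFFFFFFF:
            continue
        addr = ipaddress.IPv4Address(n)
        if in_cidr(str(addr), cidr) != (addr in net):
            return False
    return True


if __name__ == "__main__":
    print(unlang_condition("Framed-IP-Address", "10.1.0.0/17"))
    print(in_cidr("10.1.127.255", "10.1.0.0/17"), in_cidr("10.1.128.0", "10.1.0.0/17"))
```

Enumerating the partial octet keeps the pattern exact at the cost of a long alternation for wide ranges: a /17 yields 128 alternatives. FreeRADIUS 3.x can compare an ipaddr attribute against a prefix natively, so this is only for the 2.x case discussed here.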


Re: Authentication Using Framed-IP-Address

2013-03-07 Thread Russell Mike
Hi Arran,

Thanks for the answer to my question. Nothing wrong with saying thanks, but
perhaps you see it from that angle.

Regards / RM --

On Thu, Mar 7, 2013 at 3:12 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:


 On 7 Mar 2013, at 09:50, Russell Mike radius@gmail.com wrote:

  Dear Alan. De.  List Greetings
 
  May I please ask your opinion, if it is possible to accept & reject users
  based on Framed-IP-Address.

 Yes, if the Framed-IP-Address is available in the request. There are,
 however, no IP-specific operators, so it's more difficult to check whether
 an IP address is in a certain range.

 Also, Alan doesn't need his ego stroking any more, addressing questions to
 the list works just as well.

 -Arran


Re: Authentication with Juniper SA

2012-09-16 Thread Mik J


From: Fajar A. Nugraha l...@fajar.net

 On Sun, Sep 16, 2012 at 7:00 AM, Mik J mikyde...@yahoo.fr wrote:
 Hello,

 I don't know why I can't make my authentication working with Juniper secure 
 access

 I have a user
 +----+----------+--------------------+------------+----+
 | id | username | attribute          | value      | op |
 +----+----------+--------------------+------------+----+
 |  9 | t2       | Cleartext-Password | passsecret | == |
 +----+----------+--------------------+------------+----+

Change the op to :=

... which you should've seen if you read the included doc/rlm_sql


Thank you for your answer Fajar, it helped although the authentication is not 
fully functional.
For now I'll read again the documentation.



Re: Authentication with Juniper SA

2012-09-16 Thread Mik J
 From: Mik J mikyde...@yahoo.fr
 From: Fajar A. Nugraha l...@fajar.net
 
  On Sun, Sep 16, 2012 at 7:00 AM, Mik J mikyde...@yahoo.fr wrote:
  Hello,
 
  I don't know why I can't make my authentication working with 
 Juniper secure access
 
  I have a user
  +----+----------+--------------------+------------+----+
  | id | username | attribute          | value      | op |
  +----+----------+--------------------+------------+----+
  |  9 | t2       | Cleartext-Password | passsecret | == |
  +----+----------+--------------------+------------+----+
 
 Change the op to :=
 
 ... which you should've seen if you read the included doc/rlm_sql
 
 
 Thank you for your answer Fajar, it helped although the authentication is not 
 fully functional.
 For now I'll read again the documentation.

So here's what the documentation says:

 ==   Attribute == Value: As a check item, it matches if the named attribute 
is present in the request, AND has the given value.
= In my case, I wanted to compare the password sent by the Juniper device to 
the entry in the radcheck table. If the login and password matches then the 
check is positive. So the documentation seems to say that it should work with 
== or I don't understand.

:= Attribute := Value: Always matches as a check item, and replaces in 
the configuration items any attribute of the same name.  If no     
attribute of that name appears in the request, then this attribute is added.


Re: Authentication with Juniper SA

2012-09-16 Thread Fajar A. Nugraha
On Sun, Sep 16, 2012 at 3:09 PM, Mik J mikyde...@yahoo.fr wrote:

 So here's what the documentation says:

  ==   Attribute == Value: As a check item, it matches if the named 
 attribute is present in the request, AND has the given value.
 = In my case, I wanted to compare the password sent by the Juniper device 
 to the entry in the radcheck table. If the login and password matches then 
 the check is positive. So the documentation seems to say that it should work 
 with == or I don't understand.

No, that's not how it works.

If you want to check for other attributes (e.g. bind a user to a
particular Calling-Station-Id), you can use ==. But not for
password. More details below.


 := Attribute := Value: Always matches as a check item, and replaces in 
 the configuration items any attribute of the same name.  If no 
 attribute of that name appears in the request, then this attribute is added.

If you've read doc/rlm_sql, like I suggested, you would've seen
examples of what entry goes where. This is a start. Once that works,
you can read other docs to find out what they mean.

Regarding user-password, it's somewhat special. Old version of FR
manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest
using ==. Don't use those, as they're outdated. A good explanation
on how it should be is included in the current version of FR. For
example, if you run man 5 users on up-to-date installation, you'd
see this snippet:


EXAMPLES

bob Cleartext-Password := hello

Requests containing the User-Name attribute, with value bob, will be
authenticated using the known good password hello.  There are no
reply items, so the reply will be empty.


known good password' is a configuration item (control item is
probably a better term). It tells the server this is what the correct
password for the user is.  You need to use :=, because you're NOT
directly comparing it to User-Password in incoming request.

The password that user sends might be in the form of User-Password
attribute (in which case the content will be the same as
cleartext-password that you store in the db), or they might come in
different form (e.g. Chap-Password). Since it might be different, you
can't compare it directly (thus, you can't use ==). Instead, you
need to tell the server what the correct password is (with := and
the attribute Cleartext-Password), and the server will then perform
the necessary processing, and then compare it to whatever attribute
the client sends.

Does that (simplified) explanation make sense?

-- 
Fajar
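The == versus := distinction Fajar describes, together with the "No known good password" warning that shows up in the mysql+EAP-MD5 and LDAP/802.1x threads on this page, in working code: an added Python model (not FreeRADIUS code, not from any poster) of how check items are applied and how pap and chap then use the known-good value. It also applies == to Calling-Station-Id, the case Fajar gives where == is right, normalising the MAC formats different NASes send (the concern of the MAC-auth thread at the top of the page). The user t2 / passsecret is the thread's own radcheck row; the MAC address and CHAP challenge are constructed, and the function names are mine.

```python
"""Model of FreeRADIUS check-item handling.  Added example; not FreeRADIUS code.

  attr == value   a check: the attribute must be present in the *request* with
                  that value, otherwise the entry does not match.  Right for
                  binding a user to a Calling-Station-Id; useless for passwords,
                  because no request ever carries 'Cleartext-Password'.
  attr := value   a control ("known good") item: always matches and tells the
                  pap/chap modules what the correct password is.  The module
                  then applies whatever transform the client used.
"""
import hashlib
import hmac
import re


def normalise_mac(value: str) -> str:
    """Canonicalise the Calling-Station-Id formats NASes send
    (00-11-22-33-44-55, 0011.2233.4455, 001122334455) to 00:11:22:33:44:55,
    so a '==' check does not fail on formatting alone."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        return value.lower()                 # not a MAC address; compare as given
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RADIUS CHAP-Password (RFC 2865 5.3): ident || MD5(ident || password || challenge).
    The challenge is the CHAP-Challenge attribute (or the Request Authenticator)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def apply_check_items(request: dict, rows):
    """rows: (attribute, op, value) tuples as stored in radcheck / the users file.
    Returns (matched, control).  A real server falls through to the next entry
    on a mismatch; this model just reports it."""
    control = {}
    for attr, op, value in rows:
        if op == ":=":
            control[attr] = value                        # known-good item
        elif op == "==":
            got = request.get(attr)
            if got is None:                              # absent from request: no match
                return False, control
            if attr == "Calling-Station-Id":
                got, value = normalise_mac(got), normalise_mac(value)
            if got != value:
                return False, control
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return True, control


def authenticate(request: dict, control: dict) -> tuple:
    """What pap/chap do with the known-good password once authorize has run."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        # The warning radiusd -X prints in the threads above comes from this case.
        return "reject", "No known good password found for the user"
    if "User-Password" in request:                                    # PAP
        ok = hmac.compare_digest(request["User-Password"].encode(), known_good.encode())
        return ("accept" if ok else "reject"), "pap"
    if "CHAP-Password" in request:                                    # CHAP
        sent = request["CHAP-Password"]
        expected = chap_password(sent[0], known_good.encode(), request["CHAP-Challenge"])
        ok = hmac.compare_digest(sent, expected)
        return ("accept" if ok else "reject"), "chap"
    return "reject", "no password attribute in request"


def process(request: dict, rows) -> tuple:
    matched, control = apply_check_items(request, rows)
    if not matched:
        return "reject", "check items did not match"
    return authenticate(request, control)


if __name__ == "__main__":
    req = {"User-Name": "t2", "User-Password": "passsecret",
           "Calling-Station-Id": "00-11-22-33-44-55"}      # MAC constructed
    print(process(req, [("Cleartext-Password", "==", "passsecret")]))   # the thread's radcheck row
    print(process(req, [("Cleartext-Password", ":=", "passsecret"),
                        ("Calling-Station-Id", "==", "00:11:22:33:44:55")]))
```

With the thread's original row (op ==) the entry never matches because the request has no Cleartext-Password attribute; with := the same cleartext serves PAP by direct comparison and CHAP by recomputing the MD5 response, which is why the server must hold the known-good value rather than compare attributes.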


Re: Authentication with Juniper SA

2012-09-16 Thread Mik J
- Original Message -
 From: Fajar A. Nugraha l...@fajar.net
 To: Mik J mikyde...@yahoo.fr; FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org
 Cc: 
 Sent: Sunday, 16 September 2012 10:35
 Subject: Re: Authentication with Juniper SA
 
 On Sun, Sep 16, 2012 at 3:09 PM, Mik J mikyde...@yahoo.fr wrote:
 
  So here's what the documentation says:
 
   ==   Attribute == Value: As a check item, it matches if the 
 named attribute is present in the request, AND has the given value.
  = In my case, I wanted to compare the password sent by the 
 Juniper device to the entry in the radcheck table. If the login and password 
 matches then the check is positive. So the documentation seems to say that it 
 should work with == or I don't understand.
 
 No, that's not how it works.
 
 If you want to check for other attributes (e.g. bind a user to a
 particular Calling-Station-Id), you can use ==. But not for
 password. More details below.
 
 
  :=     Attribute := Value: Always matches as a check item, and 
 replaces in the configuration items any attribute of the same name.  If no    
   
    attribute of that name appears in the request, then this attribute is 
 added.
 
 If you've read doc/rlm_sql, like I suggested, you would've seen
 examples of what entry goes where. This is a start. Once that works,
 you can read other docs to find out what they mean.
 
 Regarding user-password, it's somewhat special. Old version of FR
 manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest
 using ==. Don't use those, as they're outdated. A good 
 explanation
 on how it should be is included in the current version of FR. For
 example, if you run man 5 users on up-to-date installation, 
 you'd
 see this snippet:
 
 
 EXAMPLES
 
 bob     Cleartext-Password := hello
 
 Requests containing the User-Name attribute, with value bob, will be
 authenticated using the known good password hello.  
 There are no
 reply items, so the reply will be empty.
 
 
 known good password' is a configuration item (control item 
 is
 probably a better term). It tells the server this is what the correct
 password for the user is.  You need to use :=, because 
 you're NOT
 directly comparing it to User-Password in incoming request.
 
 The password that user sends might be in the form of User-Password
 attribute (in which case the content will be the same as
 cleartext-password that you store in the db), or they might come in
 different form (e.g. Chap-Password). Since it might be different, you
 can't compare it directly (thus, you can't use ==). Instead, 
 you
 need to tell the server what the correct password is (with := and
 the attribute Cleartext-Password), and the server will then perform
 the necessary processing, and then compare it to whatever attribute
 the client sends.
 
 Does that (simplified) explanation make sense?


Hello Fajar,
This is very clear now. My freeradius version is not so new (2.1.12)
Thank you very much for this explanation.
Have a nice week end



Re: Authentication with Juniper SA

2012-09-16 Thread Fajar A. Nugraha
On Sun, Sep 16, 2012 at 4:20 PM, Mik J mikyde...@yahoo.fr wrote:
 The password that user sends might be in the form of User-Password
 attribute (in which case the content will be the same as
 cleartext-password that you store in the db), or they might come in
 different form (e.g. Chap-Password). Since it might be different, you
 can't compare it directly (thus, you can't use ==). Instead,
 you
 need to tell the server what the correct password is (with := and
 the attribute Cleartext-Password), and the server will then perform
 the necessary processing, and then compare it to whatever attribute
 the client sends.

 Does that (simplified) explanation make sense?


 Hello Fajar,
 This is very clear now. My freeradius version is not so new (2.1.12)

2.1.12 is actually new enough, in that many distros still ship with
it, and it also needs Cleartext-Password := instead of ==.

There's a known security issue with anything under 2.2.0 though, so if
you're using anything older make sure the fix is backported (e.g. if
you're using debian/ubuntu make sure you use 2.1.12+dfsg-1.1). Ask
your distro support/forum/list for details.

Also, just in case I wasn't clear, you can still use == in newer
versions of FR (and you probably need to, for some situations). The
exception is only for user password, where you should use
Cleartext-Password := instead of User-Password ==.

-- 
Fajar


Re: Authentication with Juniper SA

2012-09-15 Thread Fajar A. Nugraha
On Sun, Sep 16, 2012 at 7:00 AM, Mik J mikyde...@yahoo.fr wrote:
 Hello,

 I don't know why I can't make my authentication working with Juniper secure
 access

 I have a user
 +----+----------+--------------------+------------+----+
 | id | username | attribute          | value      | op |
 +----+----------+--------------------+------------+----+
 |  9 | t2       | Cleartext-Password | passsecret | == |
 +----+----------+--------------------+------------+----+

Change the op to :=

... which you should've seen if you read the included doc/rlm_sql

-- 
Fajar


Re: Authentication issues with mysql + eap +md5

2012-04-23 Thread Alan DeKok
NorthPole wrote:
 I'm trying to get started with FreeRADIUS, using MySQL for storing the
 users and EAP-MD5 type authentication,
 but something is wrong with my configuration and I can't seem to be able to 
 log in
 
 radiusd -X  produces the following: http://pastebin.com/jpNtX4Hb

  Please read it.  The messages are clear:

[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.

  And look for sql.  It doesn't appear in the debug output.

  You haven't configured the server to use SQL.

  Alan DeKok.


Re: Authentication issues with mysql + eap +md5

2012-04-23 Thread NorthPole
you are right!
my bad (I need to sleep more :p)
thx for your time :D

On Mon, Apr 23, 2012 at 5:36 PM, Alan DeKok al...@deployingradius.com wrote:
 NorthPole wrote:
  I'm trying to get started with FreeRADIUS, using MySQL for storing the
  users and EAP-MD5 type authentication,
  but something is wrong with my configuration and I can't seem to be able to 
  log in

 radiusd -X  produces the following: http://pastebin.com/jpNtX4Hb

  Please read it.  The messages are clear:

 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.

  And look for sql.  It doesn't appear in the debug output.

  You haven't configured the server to use SQL.

  Alan DeKok.


Re: Authentication problems

2012-04-19 Thread pessimist
O.K. Thanks everybody.  It would appear that the shared secret was being
passed incorrectly by NAS.  It now behaves as it should.  Don't understand
why FR1 worked with exactly the same NAS though.

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Authentication-problems-tp5644080p5651391.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Authentication problems

2012-04-16 Thread Alan Buxey
A very quick look at your output and it seems like you are not calling 'sql' in 
your virtual servers at all.

if you did, there'd be a call checking your SQL info - read and edit the 
sites-enabled/* files

alan


Re: Authentication problems

2012-04-16 Thread pessimist
Thanks for that. You're quite right.  I now feel more stupid than a very
stupid person. My only excuse is that I've installed so many times I've lost
track.  Probably of my marbles.  

Anyway I've now enabled sql and the new debug info is below.

FreeRADIUS Version 2.1.9, for host i386-redhat-linux-gnu, built on May 24
2010 at 16:22:24
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/postgresql/dialup.conf
including configuration file /etc/raddb/sqlippool.conf
including configuration file /etc/raddb/sql/postgresql/ippool.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536

Re: Authentication problems

2012-04-16 Thread Alan Buxey
hi,

your NAS is sending a CHAP request, not a PAP request; you have a plain text
password for PAP.  Adjust the NAS or your configuration/storage?  A database can only be
queried for values, not as a challenge-response repository.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication problems

2012-04-16 Thread pessimist
Thanks for the reply.  Don't quite understand.  The log suggests that pap is
returning noop and then that the auth type CHAP is found.  Then says that
chap authentication with a clear text password is failing.

Or am I reading this incorrectly?



Re: Authentication problems

2012-04-16 Thread Alan DeKok
pessimist wrote:
 Thanks for the reply.  Don't quite understand.  The log suggests that pap is
 returning noop and then that the auth type CHAP is found.  Then says that
 chap authentication with a clear text password is failing.
 
 Or am I reading this incorrectly?

  The debug output is clear.

  The password you supplied as the known good password doesn't match
the CHAP password in the packet.

  Either you typed the password wrong, or the known good password in
the DB is wrong.

  There are no other choices.

  Alan DeKok.


Re: Authentication problems

2012-04-16 Thread Alan Buxey
hi,

 Thanks for the reply.  Don't quite understand.  The log suggests that pap is
 returning noop and then that the auth type CHAP is found.  Then says that
 chap authentication with a clear text password is failing.
 

the incoming request contains this:

   CHAP-Challenge = 0x6e37280ebb86c255086f2ab80c521e24
   CHAP-Password = 0x005223d2d8d662465852923eae583ade21


if it was PAP it wouldn't have these values, it would just have User-Password = 
blahblah

so, CHAP module sees these values...and sets the auth-type to CHAP.   PAP module
is doing a noop because the auth-type has already been set.   

did you have this construction working in your older FR setup?  If so, you will 
need to check
your config to see what else you were doing. if not...i'd say change the 
ChilliSpot server to send
the request as PAP

alan

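The CHAP check discussed above, as an added example that is not part of this thread or of FreeRADIUS itself: a Python port of the RFC 1994 computation the chap module performs, showing why the server needs the cleartext password and not a hash. The CHAP-Challenge and CHAP-Password values are the ones quoted from the debug output in this thread; the password "s3cret" and the random challenge in the round-trip case are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
# In RADIUS (RFC 2865 section 5.3) the CHAP-Password attribute carries the
# one-octet CHAP Identifier followed by the 16-octet Response; the challenge
# travels in CHAP-Challenge (or, if that attribute is absent, in the
# Request Authenticator).


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The MD5 value both sides compute over the cleartext password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def client_chap_password(password: bytes, challenge: bytes, ident: int = 0) -> bytes:
    """What a NAS puts in CHAP-Password after the user typed `password`."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify_chap(chap_password: bytes, challenge: bytes, known_good: bytes) -> bool:
    """Server-side check. `known_good` must be the cleartext password: the MD5
    input is the password itself, so a stored hash (MD5, SHA, crypt) of the
    password can never satisfy this check. That is the point made in the thread."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 ident octet + 16 response octets")
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, known_good, challenge)
    # Constant-time comparison, as for any authenticator check.
    return hmac.compare_digest(expected, response)


# Values copied from the debug output quoted in this thread.
PAGE_CHALLENGE = bytes.fromhex("6e37280ebb86c255086f2ab80c521e24")
PAGE_CHAP_PASSWORD = bytes.fromhex("005223d2d8d662465852923eae583ade21")


def page_case_matches_123() -> bool:
    """Reproduces the failing check from the log: known-good password '123'."""
    return server_verify_chap(PAGE_CHAP_PASSWORD, PAGE_CHALLENGE, b"123")


def round_trip(password: bytes, challenge: Optional[bytes] = None) -> bool:
    """Constructed case: NAS and server share the cleartext, so it verifies."""
    challenge = challenge or os.urandom(16)
    return server_verify_chap(client_chap_password(password, challenge), challenge, password)


if __name__ == "__main__":
    print("page values verify with '123':", page_case_matches_123())  # False, as in the log
    print("constructed round trip:", round_trip(b"s3cret"))          # True
    attempt = client_chap_password(b"s3cret", PAGE_CHALLENGE)
    print("wrong known-good password:", server_verify_chap(attempt, PAGE_CHALLENGE, b"S3cret"))
```

Running it against the quoted packet with "123" reproduces the reject from the log; the only way for that packet to verify is for the known-good password in the database to be the exact cleartext the user typed, which is why the advice in the thread is either to store cleartext for CHAP or to have the NAS send PAP.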


Re: Authentication problems

2012-04-16 Thread Jeff Donovan

On Apr 16, 2012, at 11:51 AM, pessimist wrote:

 Found Auth-Type = CHAP
 +- entering group CHAP {...}
 [chap] login attempt by ABC with CHAP password
 [chap] Using clear text password 123 for user ABC authentication.
 [chap] Password check failed
 ++[chap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject]   expand: %{User-Name} - ABC
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds

greetings,

your output looks similar to mine. I recently set up a bunch of Mac computers 
using 802.1x with HP/3Com switches. 
try connecting with flat file username and password, bypass sql for now. verify 
radius works with md5/leap, else set switch to eap and pass tickets.
-j


Re: Authentication according NAS

2012-02-06 Thread Alan Buxey
Hi,

 user admin with password toto could connect to NAS1/2/3/4 of Factory2
 user admin with password coco could connect to NAS1/2/3 of Factory1

if you want to keep it this simple, simply use hunt-groups. define
each NAS in separate hunt-groups and add a hunt-group check item (eg
to users file or to sql check table)

alan


Re: Authentication with multiple AD

2012-01-25 Thread NdK
On 25/01/2012 11:19, Pavel Klochan wrote:
 Hi. I need advise/help with my problem.
 I'm trying to authenticate with 2 LDAP-servers from freeradius, but
 without success.
I'm just a newbie, but have you tried proxying requests to two different
local servers?

BYtE,
 Diego.


Re: Authentication against multiple LDAP sources.

2012-01-06 Thread Alan DeKok
Stuart Lawson wrote:
 Looking for a bit of advice, I am starting to think I am chasing the
 impossible and will have to start to use Realms or proxies to resolve
 this issue.
 
 FreeRADIUS 2.1.7

  2.1.12 is out.

 However (output below) it attempts to do the authentication against
 both LDAP sources using the first suffix from the authorisation or
 carried over from the first Authentication attempt (I don't know
 which).

  Yes... the User-DN is set from the query done during authorize.

  The short answer is don't have duplicate user names.

  The server is intended to work with unique user names.  It's possible
to configure it with duplicate user names, but it's more complicated.

  You'll need to update your configuration.  Maybe set the LDAP-User-DN
manually during authentication.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Сергей Усов

Hi

I've added to sites-enabled/inner-tunnel

authorize {
...

if (Ldap-Group == "%{AD-Group}") {
ok
}
else {
reject
}
}

It works for PEAP authentication, but if I use certificate 
authentication, the ldap module does not work



08.12.2011 20:34, Alan DeKok wrote:

Сергей Усов wrote:
   

Thanks, Alan, it works.

I have another question. Can I check the user's group for authentication
via TTLS?
 

   Put any group checking into the inner-tunnel server.  That's what
it's for.

   Alan DeKok.
   







Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Alan DeKok
Сергей Усов wrote:
 It works for PEAP authentication, but if I use certificate
 authentication, the ldap module does not work

  Exactly.  When certificate authentication is used, you are NOT doing
username/password authentication.  That's what certificate
authentication is for.  And the ldap module does username/password checks.

  So.. the two are not really compatible.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Сергей Усов

Here is an authentication request from the certificate:

rad_recv: Access-Request packet from host 192.168.213.210 port 1390, 
id=8, length=224

Message-Authenticator = 0x6d9c4039c9d8b314ca0bb11bf518f5a0
Service-Type = Framed-User
User-Name = r...@pomorsu.ru
Framed-MTU = 1488
Called-Station-Id = 00-17-9A-D1-44-39:localnet1
Calling-Station-Id = 00-1F-3C-3D-DF-8C
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x020800190175736f77735f61646d40706f6d6f7273752e7275
NAS-IP-Address = 192.168.213.210
NAS-Port = 1
NAS-Port-Id = STA port # 1


There is a user name. Can it not be used to check via LDAP?


Сергей Усов wrote:
   

It works for PEAP authentication, but if I use certificate
authentication, the ldap module does not work
 

   Exactly.  When certificate authentication is used, you are NOT doing
username/password authentication.  That's what certificate
authentication is for.  And the ldap module does username/password checks.

   So.. the two are not really compatible.

   Alan DeKok.
   







Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Alan DeKok
Сергей Усов wrote:
 Here is an authentication request from the certificate:
..
 There is a user name. It can not be used to check via LDAP?

  Check WHAT via LDAP?

  Passwords?  Of course not.

  You've been very careful to *not* say what you really want to do, and
to *not* say what you've configured, and to *not* say what happens when
the server receives EAP-TLS packets, and to *not* say what you expect to
happen.

  You're asking vague and useless questions.  So the answers are vague
and useless.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-08 Thread Сергей Усов

Thanks, Alan, it works.

I have another question. Can I check the user's group for authentication 
via TTLS?


07.12.2011 18:32, Alan DeKok wrote:

Сергей Усов wrote:
   

I have changed inner_tunnel, but unsuccessfully
 

   You didn't do what I said, so I'm not surprised it didn't work.

   Alan DeKok.
   







Re: Authentication via ntlm_auth with check the user group

2011-12-08 Thread Alan DeKok
Сергей Усов wrote:
 Thanks, Alan, it works.
 
 I have another question. Can I check the user's group for authentication
 via TTLS?

  Put any group checking into the inner-tunnel server.  That's what
it's for.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Fajar A. Nugraha
On Wed, Dec 7, 2011 at 4:11 PM, Сергей Усов us...@pomorsu.ru wrote:
 Hi

 I try to configure authentication via ntlm_auth to check the user group. All
 authentication attempts are rejected

What does the debug log say when the authentications are rejected?

-- 
Fajar



Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Сергей Усов

Thanks for your reply




radiusd:  Loading Virtual Servers 
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module mschap from file 
/etc/freeradius/modules/mschap

  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00} 
--require-membership-of=POMORSU+%{AD-Group}

  }



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=0, length=210

Message-Authenticator = 0x76f5e1499b3c78689adf8fb623dc7c4e
Service-Type = Framed-User
User-Name = POMORSU\\rahs
Framed-MTU = 1488
Called-Station-Id = 04-11-9A-D1-44-39:localnet1
Calling-Station-Id = 00-1F-3C-3D-DF-8C
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 0x021201504f4d4f5253555c75736f7773
NAS-IP-Address = 192.168.213.210
NAS-Port = 1
NAS-Port-Id = STA port # 1
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- TRUE
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- TRUE
+++- entering if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
{...}

expand: %{7} - localnet1
[request] returns ok
? if (Called-Station-SSID == localnet1)
? Evaluating (Called-Station-SSID == localnet1) - TRUE
? if (Called-Station-SSID == localnet1) - TRUE
- entering if (Called-Station-SSID == localnet1) {...}
+[request] returns ok
- if (Called-Station-SSID == localnet1) returns ok
 ... skipping else for request 0: Preceding if was taken
+++- if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
returns ok

+++ ... skipping else for request 0: Preceding if was taken
++- policy extract_ssid returns ok
[suffix] No '@' in User-Name = POMORSU\rahs, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.213.210 port 1067
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x140c0338140d1ab54c20eb7bf1588770
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.213.210 port 1067, 
id=1, length=315

Message-Authenticator = 0x52b3370475dcad2571d8a4ef20d46246
Service-Type = Framed-User
User-Name = POMORSU\\rahs
Framed-MTU = 1488
State = 0x140c0338140d1ab54c20eb7bf1588770
Called-Station-Id = 04-11-9A-D1-44-39:localnet1
Calling-Station-Id = 00-1F-3C-3D-DF-8C
NAS-Identifier = D-Link Access Point
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 54Mbps 802.11g
EAP-Message = 
0x020100691980005f160301005a015603014ede257a500dcb4913694c60469b783a7bdaa0d482ac13baa056619eb2d75c3718002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100

NAS-IP-Address = 192.168.213.210
NAS-Port = 1
NAS-Port-Id = STA port # 1
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy extract_ssid {...}
+++? if (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)
? Evaluating (Called-Station-Id =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- TRUE
+++? if 
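The extract_ssid policy that the debug output above shows running on every request, as an added example that is not part of this thread or of FreeRADIUS itself: a Python port of the Called-Station-Id regex the log prints, so the behaviour of `%{7}` (the SSID) and the `Called-Station-SSID == "localnet1"` decision can be checked offline. The Called-Station-Id strings below are the one from the log plus constructed variants; `ssid_allows_auth` and its allowed-set argument are hypothetical helpers, not FreeRADIUS configuration.

```python
import re
from typing import FrozenSet, Optional, Tuple

# The pattern below is the one the debug output shows the extract_ssid policy
# evaluating against Called-Station-Id. Note what it does NOT do: it is not
# anchored at the end, and the SSID group only accepts [-a-z0-9_.].
CALLED_STATION_ID_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?",
    re.IGNORECASE,
)


def split_called_station_id(value: str) -> Optional[Tuple[str, str]]:
    """Return (normalised AP MAC, SSID) or None when the value does not parse.

    The SSID is %{7} in the debug output. It is empty when the NAS sent only
    a MAC, and it is silently truncated at the first character outside
    [-a-z0-9_.], so an SSID containing a space never compares equal to its
    full name. Called-Station-Id is supplied by the NAS, so it is only as
    trustworthy as the NAS and the shared secret protecting the request."""
    m = CALLED_STATION_ID_RE.match(value)
    if not m:
        return None
    mac = ":".join(octet.lower() for octet in m.groups()[:6])
    ssid = m.group(7) or ""
    return mac, ssid


def ssid_allows_auth(value: str, allowed: FrozenSet[str]) -> bool:
    """Mirror of the `if (Called-Station-SSID == "localnet1")` branch in the
    log, generalised to a set of permitted SSIDs (hypothetical helper)."""
    parsed = split_called_station_id(value)
    return parsed is not None and parsed[1] in allowed


if __name__ == "__main__":
    # Value from the log, plus constructed edge cases.
    for sample in ("04-11-9A-D1-44-39:localnet1",
                   "00-17-9A-D1-44-39",
                   "aabbccddeeff:Guest WiFi",
                   "not-a-mac"):
        print(repr(sample), "->", split_called_station_id(sample))
    print(ssid_allows_auth("04-11-9A-D1-44-39:localnet1", frozenset({"localnet1"})))
```

The truncation case matters when the policy is used as an access decision: an SSID such as "Guest WiFi" yields `%{7}` = "Guest", so a comparison against the full SSID name never matches and the request silently takes the other branch. Tighten the character class or anchor the pattern with `$` if your SSIDs contain other characters.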

Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Alan DeKok
  You need to update the AD-Group in the inner-tunnel virtual server,
not in the default one.

  Alan DeKok.



Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Сергей Усов

I have changed inner_tunnel, but unsuccessfully

server inner-tunnel {
authorize {
preprocess
extract_ssid
mschap
suffix
update control {
   Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
expiration
logintime
pap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
eap
}
}

07.12.2011 15:36, Alan DeKok wrote:

   You need to update the AD-Group in the inner-tunnel virtual server,
not in the default one.

   Alan DeKok.

   







Re: Authentication via ntlm_auth with check the user group

2011-12-07 Thread Alan DeKok
Сергей Усов wrote:
 I have changed inner_tunnel, but unsuccessfully

  You didn't do what I said, so I'm not surprised it didn't work.

  Alan DeKok.


Re: Authentication with different port and users

2011-10-07 Thread Alan DeKok
Alan Kong wrote:
 Hi,
 I used to have freeradius(old version) installed on Solaris and have 2
 separate processes listening on port 1812 and 1645. They authenticate 2
 groups of different users.
 I upgraded and installed freeradius 2.1.11 on CentOS 5.6. According to
 radiusd.conf, I could get freeradius listen on different ports. Can I
 config the ports authenticate different groups of users using
 /etc/passwd?

  Yes.  Configure two different virtual servers.

  See raddb/sites-available/README for some basic discussion.

  Alan DeKok.


Re: authentication sub in perl

2011-10-04 Thread Alan Buxey

...as said in the original thread when I noted your request was EAP and your 
server had no EAP support (which you've now fixed)...this is an EAP 
request...and if you haven't really broken your config then the server will use 
the inner-tunnel virtual server, so you need to add your call to the perl 
module into the authenticate section of that virtual-server

alan
--
Message may be brief as it has been sent from my mobile



Re: authentication sub in perl

2011-10-03 Thread Jonathan Gazeley

On 03/10/11 13:48, Alex rsm wrote:

Alan,

Thank you for the response.
How can I build the FreeRADIUS with EAP support? I checked the configure
and Makefile and couldn't figure it out


No need to edit the Makefile. You need to install a package called 
something like openssl-devel and then attempt to build FreeRADIUS again.


Jonathan


Re: authentication sub in perl

2011-10-03 Thread Alan Buxey
Hi,

Thank you for the response.
How can I build the FreeRADIUS with EAP support? I checked the configure
and Makefile and couldn't figure it out

did you build it yourself then? if so, then what platform? as that will decide
the package name.

ssl-devel, ssl-devl, openssl-devel, openssl-dev are the usual names of the 
required
RPM or PKG file that must be installed if you'd piped the output of the 
./configure
stage through grep eg

./configure --with-whatever-options | grep WARN

you'd see all the warnings about functionality that wont work because of lack
of development headers/libraries

alan


RE: authentication sub in perl

2011-10-03 Thread Alex rsm


I've built FreeRadius2.1.11 from src files on ubuntu 8.04 server:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 8.04.4 LTS
Release:8.04
Codename:   hardy



# ./configure | grep WARN
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl may 
not work
configure: WARNING: pcap library not found, silently disabling the RADIUS 
sniffer.
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: FAILURE: rlm_dbm requires:  (ndbm.h or gdbm/ndbm.h or 
gdbm-ndbm.h) (libndbm or libgdbm or libgdbm_compat).
configure: WARNING: silently not building rlm_dbm.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h krb5.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r ldap.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires:  openssl-libs openssl-includes 
openssl-includes openssl-includes openssl-includes openssl-includes.
configure: WARNING: silently not building rlm_pam.
configure: WARNING: FAILURE: rlm_pam requires:  libpam.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  libperl.so libperl.so.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires:  Python.h libpython2.5.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use --with-mysql-lib-dir=path.
configure: WARNING: MySQL headers not found. Use 
--with-mysql-include-dir=path.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r mysql.h.
configure: WARNING: silently not building rlm_sql_postgresql.
configure: WARNING: FAILURE: rlm_sql_postgresql requires:  libpq-fe.h libpq.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-include-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.


# apt-get install OpenSSL
Reading package lists... Done
Building dependency tree   
Reading state information... Done
E: Couldn't find package OpenSSL

# apt-get install ssl-devel
Reading package lists... Done
Building dependency tree   
Reading state information... Done
E: Couldn't find package ssl-devel
.


Re: authentication sub in perl

2011-10-03 Thread Alan DeKok
Alex rsm wrote:
 # apt-get install OpenSSL
...
 E: Couldn't find package OpenSSL

  Use *google* to find out the names of packages on your OS.  Or, search
the web pages of the OS vendor.

  It should be less work (and faster) than posting messages to this list.

  This isn't a FreeRADIUS problem.

  Alan DeKok.


Re: authentication sub in perl

2011-10-03 Thread Alan Buxey
Yes yes, you've just confirmed what I said. I know you built it without openssl 
support...I was giving you advice on how to spot it, so that you can verify all 
is okay after you've installed the required development packages for openssl on 
your platform, and Google can help you with that.

alan
--
Message may be brief as it has been sent from my mobile



Re: authentication sub in perl

2011-10-02 Thread Alan Buxey
Hi,

As I said only authorize sub is being called when receiving a REQUEST
and not authenticate sub.
So I need to change Auth-Type to be Perl?

authenticate fails quite simply because this is an EAP request...and your 
FreeRADIUS
had been built without EAP support. if you have EAP support, the server would
trigger the EAP mechanism...which sends the packet through to the inner-tunnel
virtual server and you would have to have the perl module listed in the
authenticate section of that VS


look,

FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Sep
29 2011 at 14:33:46

snip

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
Ignoring EAP-Type/peap because we do not have OpenSSL support.

snip

[eap] EAP packet type response id 1 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation

snip

[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type PEAP
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

...end of game


as you can see, sending the output of radiusd -X is very very useful
for those of us that want to help you.


alan


Re: authentication sub in perl

2011-09-30 Thread Alan DeKok
Alex rsm wrote:
 I am trying to call an external perl function within authentication sub
 
 - functions are uncommented in modules/perl file
...
func_authenticate = authenticate
func_authorize = authorize
...

  The default example works.

 - subs are modified in /raddb/example.pl
 sub authenticate{
print TEST1\n;
 }
 
 sub authenticate {
print TEST2\n;
/usr/local/etc/raddb/test.pl;
 }
 
 When freeradius receives a REQUEST, only authenticate sub is called
 and not authenticate sub.

  That makes NO sense at all.

  You have TWO authenticate subroutines, and you expect that Perl will
magically call the one you want?

  Computers don't work that way.

 How can I enable authenticate to be called when a REQUEST is arrived?

  Ask a question that makes sense.

  Alan DeKok.


Re: authentication sub in perl

2011-09-30 Thread Alan Buxey
Hi,

Hi,
 
I am trying to call an external perl function within authentication sub
 
- functions are uncommented in modules/perl file
   ...
   func_authenticate = authenticate
   func_authorize = authorize
   ...
 
- subs are modified in /raddb/example.pl
sub authenticate{
   print TEST1\n;
}
 
sub authenticate {
   print TEST2\n;
   /usr/local/etc/raddb/test.pl;
}
 
When freeradius receives a REQUEST, only authenticate sub is called and
not authenticate sub.
How can I enable authenticate to be called when a REQUEST is arrived?

huh? authenticate == authenticate

surely you meant to put authorize in one of those statements?

alan


RE: authentication sub in perl

2011-09-30 Thread Alex rsm

my apology. It was a copy/paste typo:

sub authorize {
   print "TEST1\n";
   # For debugging purposes only
#  log_request_attributes;

   # Here's where your authorization code comes
   # You can call another function from here:
   test_call;

   return RLM_MODULE_OK;
}

# Function to handle authenticate
sub authenticate {
   print "TEST2\n";
   # For debugging purposes only
#  log_request_attributes;

   if ($RAD_REQUEST{'User-Name'} =~ /^baduser/i) {
  # Reject user and tell him why
  $RAD_REPLY{'Reply-Message'} = "Denied access by rlm_perl function";
  return RLM_MODULE_REJECT;
   } else {
  # Accept user and set some attribute
  $RAD_REPLY{'h323-credit-amount'} = "100";
  return RLM_MODULE_OK;
   }
}




 Date: Fri, 30 Sep 2011 17:36:32 +0200
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: authentication sub in perl
 
 Alex rsm wrote:
  I am trying to call an external perl function within authentication sub
  
  - functions are uncommented in modules/perl file
 ...
 func_authenticate = authenticate
 func_authorize = authorize
 ...
 
   The default example works.
 
  - subs are modified in /raddb/example.pl
  sub authenticate{
 print TEST1\n;
  }
  
  sub authenticate {
 print TEST2\n;
 /usr/local/etc/raddb/test.pl;
  }
  
  When freeradius receives a REQUEST, only authenticate sub is called
  and not authenticate sub.
 
   That makes NO sense at all.
 
   You have TWO authenticate subroutines, and you expect that Perl will
 magically call the one you want?
 
   Computers don't work that way.
 
  How can I enable authenticate to be called when a REQUEST is arrived?
 
   Ask a question that makes sense.
 
   Alan DeKok.


Re: authentication sub in perl

2011-09-30 Thread Alan Buxey
Hi,

debug?

alan


RE: authentication sub in perl

2011-09-30 Thread Alex rsm
.
Sending delayed reject for request 1
Sending Access-Reject of id 1 to 10.0.0.31 port 50048
EAP-Message = 0x04020004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +22
Waking up in 1.0 seconds.
Cleaning up request 1 ID 1 with timestamp +22
Ready to process requests.





 Date: Fri, 30 Sep 2011 20:20:29 +0100
 From: a.l.m.bu...@lboro.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: authentication sub in perl
 
 Hi,
 
 debug?
 
 alan


Re: Authentication probation for VLAN

2011-08-26 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 * Tunnel-Private-Group-Id:0 = 5*
 
 string != integer
 
 Tunnel-Private-Group-Id is a string.
 
 Eww gross. Ok I thought unlang did the conversions automagically 
 But obviously not
 
Apparently it does work; the OP seems to have neglected to mention that one 
chunk of the debug was for the outer layer, the other for the inner auth :-/

Cheers

-- 
Alexander Clouter
.sigmonster says: Misfortunes arrive on wings and leave on foot.



Re: Authentication probation for VLAN

2011-08-26 Thread Arran Cudbard-Bell

On 26 Aug 2011, at 11:39, Alexander Clouter wrote:

 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 * Tunnel-Private-Group-Id:0 = 5*
 
 string != integer
 
 Tunnel-Private-Group-Id is a string.
 
 Eww gross. Ok I thought unlang did the conversions automagically 
 But obviously not
 
 Apparently it does work; the OP seems to have neglected to mention that one 
 chunk of the debug was for the outer layer, the other for the inner auth :-/

Indeed. *stabby stabby* *sigh*.

I thought it was weird, because I remembered reading the code that did the 
automagical conversions :)

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Authentication probation for VLAN

2011-08-25 Thread Arran Cudbard-Bell
 
 
 Also said that if I try to use the Tunnel-Private-Group-Id without the :0 
 at the end, appears in the logs that the attribute was not found, I mention 
 this because in several instances I saw on the internet was used only 
 Tunnel-Private -Group-Id (with :0 at the end)
 
 

Weird, try using it in a string expansion (as a workaround)
e.g. %{Tunnel-Private-Group-Id} == 5



Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Authentication probation for VLAN

2011-08-25 Thread Alexander Clouter
joao...@gmail.com joao...@gmail.com wrote:
 
 This model is functional, however there is a problem (very serious): Radius does
 not know from which SSID the client is trying to authenticate, or whether it
 decides solely on the basis of the Realm authentication of the client. I need
 to make Radius check the VLAN that is associated with the request for
 user authentication. Checking through the radius debug, an Access-Request
 packet has the following information:
 
 ...
 rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204,
 length=184
 User-Name = joao@fpti
 Calling-Station-Id = 68-a3-c4-85-c5-89
 Called-Station-Id = 00-26-cb-94-65-60:FPTI
 NAS-Port = 29
 NAS-IP-Address = 192.168.254.48
 NAS-Identifier = WLC-PTI
 Airespace-Wlan-Id = 1
 Service-Type = Framed-User
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 * Tunnel-Private-Group-Id:0 = 5*

string != integer

Tunnel-Private-Group-Id is a string.

I have to do a similar thing to map a silly attribute coughed up by 
Cisco's useless WLC:
From policy.conf:
rewrite.quirk.wlc {
    if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
        switch "%{Airespace-Wlan-Id}" {
            case 1 {
                update request {
                    NAS-Port-Id := "eduroam"
                }
            }
            case 5 {
                update request {
                    NAS-Port-Id := "UTILICOM"
                }
            }
            case 6 {
                update request {
                    NAS-Port-Id := "BTOpenzone"
                }
            }
            case 7 {
                update request {
                    NAS-Port-Id := "soas-wpa-psk"
                }
            }
            case {
                update request {
                    NAS-Port-Id := "UNKNOWN"
                }
            }
        }
    }

    ...
}


You should use (I am almost certain you should not be looking at tagged 
attributes, so drop the ':0' too):
(notice the "")
if (Tunnel-Private-Group-Id == "5") {
    [stuff]
}


Cheers

-- 
Alexander Clouter
.sigmonster says: Do not apply to broken skin.

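As an added example (not code from the thread or from FreeRADIUS), the tag byte Alexander refers to and the string-vs-integer point, shown by parsing the attribute section of an Access-Request in Python. The packet bytes are constructed here to carry the same tunnel values as the debug output above; the attribute names follow the FreeRADIUS dictionary, everything else (function names, the `Name:tag` keying) is this example's own.

```python
import struct

# RADIUS attribute type codes (RFC 2865, RFC 2868).
USER_NAME = 1
NAS_IP_ADDRESS = 4
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# RFC 2868 tunnel attributes carry a one-octet tag in front of the value.
TAGGED_INTEGER_ATTRS = {TUNNEL_TYPE: "Tunnel-Type",
                        TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type"}
TUNNEL_VALUE_NAMES = {TUNNEL_TYPE: {13: "VLAN"}, TUNNEL_MEDIUM_TYPE: {6: "IEEE-802"}}


def iter_attributes(data):
    """Yield (type, value) for each Type/Length/Value in an attribute section.

    Length counts the two header octets, so a length below 2 or one that runs
    past the buffer is malformed and is rejected rather than silently skipped.
    """
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad length %d at offset %d" % (alen, pos))
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def decode_tagged(atype, value):
    """Return (tag, decoded value) for an RFC 2868 tunnel attribute.

    The first octet is a tag only if it is 0x00..0x1F.  Tunnel-Type and
    Tunnel-Medium-Type then hold a 3-octet integer; Tunnel-Private-Group-Id
    holds an opaque string, and a first octet above 0x1F belongs to that
    string (the attribute is untagged and reported here as tag 0).
    """
    if atype in TAGGED_INTEGER_ATTRS:
        if len(value) != 4 or value[0] > 0x1F:
            raise ValueError("malformed tagged integer attribute %d" % atype)
        return value[0], struct.unpack("!I", b"\x00" + value[1:])[0]
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        if value and value[0] <= 0x1F:
            return value[0], value[1:].decode("utf-8", errors="replace")
        return 0, value.decode("utf-8", errors="replace")
    raise ValueError("attribute %d is not a tunnel attribute" % atype)


def parse_request_attributes(data):
    """Map the attributes this example knows to FreeRADIUS-style names.

    Tunnel attributes are keyed "Name:tag" (the ":0" in the debug output) and
    Tunnel-Private-Group-Id stays a str: the VLAN id "5" is text on the wire,
    not the integer 5, which is why the unlang comparison needs quotes.
    """
    out = {}
    for atype, value in iter_attributes(data):
        if atype == USER_NAME:
            out["User-Name"] = value.decode("utf-8", errors="replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            out["NAS-IP-Address"] = ".".join(str(b) for b in value)
        elif atype in TAGGED_INTEGER_ATTRS:
            tag, num = decode_tagged(atype, value)
            name = TAGGED_INTEGER_ATTRS[atype]
            out["%s:%d" % (name, tag)] = TUNNEL_VALUE_NAMES[atype].get(num, num)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, group = decode_tagged(atype, value)
            out["Tunnel-Private-Group-Id:%d" % tag] = group
    return out


def vlan_matches(parsed, wanted):
    """The unlang check from the thread, done as a string comparison."""
    return parsed.get("Tunnel-Private-Group-Id:0") == wanted


def attr(atype, value):
    """Encode one TLV; used only to build the constructed sample below."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: the attribute section of an Access-Request with the same
# tunnel values as the debug output quoted in the thread (all with tag 0).
SAMPLE_ATTRS = (
    attr(USER_NAME, b"joao@fpti")
    + attr(NAS_IP_ADDRESS, bytes([192, 168, 254, 48]))
    + attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))        # VLAN
    + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))  # IEEE-802
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"5")               # the string "5"
)

if __name__ == "__main__":
    parsed = parse_request_attributes(SAMPLE_ATTRS)
    for name, value in parsed.items():
        print("%s = %r" % (name, value))
    print("VLAN 5 matched as a string:", vlan_matches(parsed, "5"))
```

The parser rejects truncated or over-long attributes instead of skipping them, which is the behaviour you want in anything that sits in front of an authentication decision; a malformed packet should fail closed.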


Re: Authentication probation for VLAN

2011-08-25 Thread Arran Cudbard-Bell

On 25 Aug 2011, at 21:43, Alexander Clouter wrote:

 joao...@gmail.com joao...@gmail.com wrote:
 
 This model is functional, however there is a problem (very serious): Radius does
 not know from which SSID the client is trying to authenticate, or whether it
 decides solely on the basis of the Realm authentication of the client. I need
 to make Radius check the VLAN that is associated with the request for
 user authentication. Checking through the radius debug, an Access-Request
 packet has the following information:
 
 ...
 rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204,
 length=184
 User-Name = joao@fpti
 Calling-Station-Id = 68-a3-c4-85-c5-89
 Called-Station-Id = 00-26-cb-94-65-60:FPTI
 NAS-Port = 29
 NAS-IP-Address = 192.168.254.48
 NAS-Identifier = WLC-PTI
 Airespace-Wlan-Id = 1
 Service-Type = Framed-User
 Framed-MTU = 1300
 NAS-Port-Type = Wireless-802.11
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 * Tunnel-Private-Group-Id:0 = 5*
 
 string != integer
 
 Tunnel-Private-Group-Id is a string.

Eww gross. Ok I thought unlang did the conversions automagically But 
obviously not

-Arran





Re: Authentication probation for VLAN

2011-08-25 Thread joao...@gmail.com
OK friends,

I appreciate the help, I managed to solve it.

Dear Alexander Clouter, the data type really is an integer, but I had
already tested that. Still, I appreciate the hint and attention.

The problem is that I'm using EAP (PEAP and TTLS) and the server, by default,
routes (proxies, or something like it) the request via the internal inner-tunnel,
and when the request arrived at the inner-tunnel not all attributes of the
original request were present in the packet.
To solve it, I had to enable the option copy_request_to_tunnel = yes in the
file eap.conf. This solved the problem.

I appreciate everyone's help.

2011/8/25 Arran Cudbard-Bell a.cudba...@freeradius.org


 On 25 Aug 2011, at 21:43, Alexander Clouter wrote:

  joao...@gmail.com joao...@gmail.com wrote:
 
  This model is functional, however there is a problem (very serious): Radius
  does not know from which SSID the client is trying to authenticate, or
  whether it decides solely on the basis of the Realm authentication of the
  client. I need to make Radius check the VLAN that is associated with the
  request for user authentication. Checking through the radius debug, an
  Access-Request packet has the following information:
 
  ...
  rad_recv: Access-Request packet from host 192.168.254.48 port 32769,
 id=204,
  length=184
  User-Name = joao@fpti
  Calling-Station-Id = 68-a3-c4-85-c5-89
  Called-Station-Id = 00-26-cb-94-65-60:FPTI
  NAS-Port = 29
  NAS-IP-Address = 192.168.254.48
  NAS-Identifier = WLC-PTI
  Airespace-Wlan-Id = 1
  Service-Type = Framed-User
  Framed-MTU = 1300
  NAS-Port-Type = Wireless-802.11
  Tunnel-Type:0 = VLAN
  Tunnel-Medium-Type:0 = IEEE-802
  * Tunnel-Private-Group-Id:0 = 5*
 
  string != integer
 
  Tunnel-Private-Group-Id is a string.

 Eww gross. Ok I thought unlang did the conversions automagically But
 obviously not

 -Arran







-- 
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

The mistake of those who hold power is to put up barriers so that no one can reach them,
which only encourages us to seek every way we can find to reach them.

Re: Authentication Problem

2011-06-24 Thread Michell
Hello,

I am also getting this error:

Fri Jun 24 17:22:20 2011 : Error: [sql] Failed to check the terminal server
for user 'adroa...@domain.com.br'.
Fri Jun 24 17:22:20 2011 : Auth: Login OK: [adroa...@domain.com.br] (from
client server-auth-02 port 7853349 cli 00:0E:E8:EF:FF:FF)

This occasionally appeared before, but now, after a reboot of my hubs (Mikrotik
NAS), several clients receive this message when requesting a connection.
The client gets OK and connects, but then disconnects, and its session gets
stuck in the radacct table. When it requests a new connection, the same error appears.

Could these client drops be due to this error message?
Simultaneous-Use is already :=.

Some light?

Thank you!

Michell

2011/5/24 Marinko Tarlać mangi...@gmail.com

 Simultaneous-Use op should be := and not =



 On 05/24/2011 10:32 AM, Fajar A. Nugraha wrote:

 On Tue, May 24, 2011 at 3:20 PM, john decotjohnde...@yahoo.com  wrote:

 SELECT id, username, attribute, value, op  FROM radcheck
  WHERE username = BINARY 'bob'  ORDER BY id;

 +-----+----------+--------------------+-------------+----+
 | id  | username | attribute          | value       | op |
 +-----+----------+--------------------+-------------+----+
 | 384 | bob      | Cleartext-Password | bob         | := |
 | 385 | bob      | Simultaneous-Use   | 1           | =  |
 | 386 | bob      | Expiration         | 25 Jun 2011 | := |
 +-----+----------+--------------------+-------------+----+
 3 rows in set (0.00 sec)

 That is odd. What happens when you remove Simultaneous-Use record for
 bob?




Re: Authentication Problem

2011-06-24 Thread Fajar A. Nugraha
On Sat, Jun 25, 2011 at 3:28 AM, Michell bill.c...@gmail.com wrote:
 Hello,

 I am also getting this error:

 Fri Jun 24 17:22:20 2011 : Error: [sql] Failed to check the terminal server
 for user 'adroa...@domain.com.br'.
 Fri Jun 24 17:22:20 2011 : Auth: Login OK: [adroa...@domain.com.br] (from
 client server-auth-02 port 7853349 cli 00:0E:E8:EF:FF:FF)

 Occasionally appeared well before and now after a reboot of my hubs (NAS
 Mikrotik) several clients receive this message when requesting connection.
 The client receives Ok connects but then disconnects, getting stuck in its
 section table radacct. When he asks the same mistake new connection.

 This drop in customers may be due to this error message?
 Simultaneous-use already: =.

 Some light?

A quick look at rlm_sql.c shows it might be a problem with your
simul_verify_query on sql/*/dialup.conf.

What does it currently say? What happens when you execute it manually?
Running in debug mode (radiusd -X) or activating sql trace should
let you see the exact query it's executing.

-- 
Fajar


Re: Authentication via SQL?

2011-06-12 Thread Alan DeKok
Jason Antman wrote:
 I was wondering if it is possible to have a sql authenticate{} section,
 and if so, how to define the queries?

  No.

 In the wiki, I find Many people ask if they can authenticate users to
 their SQL database however the answer is You are asking the wrong
 question. 
 
 So, my question is:
 When doing PAP (actually EAP-TTLS/PAP, in my case), how do I check a
 user's cleartext User-Password against one stored in a MySQL database?

  You don't.  FreeRADIUS selects the password from the database, and
then does authentication itself.  Comparing the password manually works
*only* for PAP.  If you use CHAP, MS-CHAP, etc. it won't work.

  Let FreeRADIUS do its job.  It's an authentication server.  Let MySQL
do its job.  It's a database.

  Alan DeKok.


Re: Authentication Problem

2011-05-24 Thread john decot
Seems there.


select * from radcheck where username='bob';
+-----+----------+--------------------+----+-------------+
| id  | username | attribute          | op | value       |
+-----+----------+--------------------+----+-------------+
| 386 | bob      | Expiration         | := | 25 Jun 2011 |
| 385 | bob      | Simultaneous-Use   | =  | 1           |
| 384 | bob      | Cleartext-Password | := | bob         |
+-----+----------+--------------------+----+-------------+







From: Tim Sylvester tim.sylves...@networkradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 10:42:35 AM
Subject: RE: Authentication Problem


 
 
From:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org
[mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org]
] On Behalf Of john decot
Sent: Monday, May 23, 2011 9:36 PM
To: FreeRadius users mailing list
Subject: Re: Authentication Problem
 
I have backup from working server but still not working 
 
Please find the log:
 
success Log:
 
[sql]expand: %{User-Name} - rajnish
[sql] sql_set_user escaped user -- 'rajnish'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op  FROM 
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radcheck 
 WHERE username = BINARY 'rajnish'  ORDER BY id
[sql] User found in radcheck table
 
tim The user “rajnish” was found in the radcheck table …
 
[sql] expand: SELECT id, username, attribute, value, op  FROM 
radreply  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radreply 
 WHERE username = BINARY 'rajnish'  ORDER BY id
[sql] expand: SELECT groupname  FROM usergroup  WHERE 
username = BINARY '%{SQL-User-Name}'  ORDER BY priority - SELECT 
groupname  FROM usergroup  WHERE username = BINARY 'rajnish'
 
 ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, op  
 
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = '128kbps_Unlimited'   ORDER 
BY 
id
[sql] User found in group 128kbps_Unlimited
[sql] expand: SELECT id, groupname, attribute,   value, op  
 
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = '128kbps_Unlimited'   ORDER 
BY 
id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
 
Failure Log:
 
[sql] expand: %{User-Name} - bob
[sql] sql_set_user escaped user -- 'bob'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op  FROM 
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radcheck 
 WHERE username = BINARY 'bob'  ORDER BY id
 
tim The user “bob” was not found in the radcheck table …
 
[sql] expand: SELECT groupname  FROM usergroup  WHERE 
username = BINARY '%{SQL-User-Name}'  ORDER BY priority - SELECT 
groupname  FROM usergroup  WHERE username = BINARY 'bob'
 
 ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, op  
 
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = '256kbps_Unlimited'   ORDER 
BY 
id
[sql] User found in group 256kbps_Unlimited
 
tim The user “bob” was found in the radgroup table …
 
[sql] expand: SELECT id, groupname, attribute,   value, op  
 
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = '256kbps_Unlimited'   ORDER 
BY 
id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[station-check] returns notfound
rlm_checkval: Could not find item named NAS-Identifier in request
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
++[NAS-check] returns notfound
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Su-Sa-2400'
rlm_logintime: timestr returned unlimited
++[logintime] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may 
fail

RE: Authentication Problem

2011-05-24 Thread Tim Sylvester
What do you get when you run this query?

 

SELECT id, username, attribute, value, op  FROM radcheck  WHERE 
username = BINARY 'bob'  ORDER BY id

 

From: john decot [mailto:johnde...@yahoo.com] 
Sent: Monday, May 23, 2011 11:24 PM
To: tim.sylves...@networkradius.com; FreeRadius users mailing list
Subject: Re: Authentication Problem

 

Seems there.

 

 

select * from radcheck where username='bob';

+-+--+++-+

| id  | username | attribute  | op | value   |

+-+--+++-+

| 386 | bob| Expiration | := | 25 Jun 2011 |

| 385 | bob| Simultaneous-Use   | =  | 1   |

| 384 | bob| Cleartext-Password | := | bob   |

 

 

 

 


From: Tim Sylvester tim.sylves...@networkradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 10:42:35 AM
Subject: RE: Authentication Problem




 

 

From: 
freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org 
[mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org]
 On Behalf Of john decot
Sent: Monday, May 23, 2011 9:36 PM
To: FreeRadius users mailing list
Subject: Re: Authentication Problem

 

I have backup from working server but still not working 

 

Please find the log:

 

success Log:

 

[sql]expand: %{User-Name} - rajnish

[sql] sql_set_user escaped user -- 'rajnish'

rlm_sql (sql): Reserving sql socket id: 3

[sql] expand: SELECT id, username, attribute, value, op  FROM 
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radcheck  
WHERE username = BINARY 'rajnish'  ORDER BY id

[sql] User found in radcheck table

 

tim The user “rajnish” was found in the radcheck table …

 

[sql] expand: SELECT id, username, attribute, value, op  FROM 
radreply  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radreply  
WHERE username = BINARY 'rajnish'  ORDER BY id

[sql] expand: SELECT groupname  FROM usergroup  WHERE 
username = BINARY '%{SQL-User-Name}'  ORDER BY priority - SELECT 
groupname  FROM usergroup  WHERE username = BINARY 'rajnish'
  ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,   Value, op  
 FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = '128kbps_Unlimited'   ORDER 
BY id

[sql] User found in group 128kbps_Unlimited

[sql] expand: SELECT id, groupname, attribute,   value, op  
 FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = '128kbps_Unlimited'   ORDER 
BY id

rlm_sql (sql): Released sql socket id: 3

++[sql] returns ok

 

Failure Log:

 

[sql] expand: %{User-Name} - bob

[sql] sql_set_user escaped user -- 'bob'

rlm_sql (sql): Reserving sql socket id: 3

[sql] expand: SELECT id, username, attribute, value, op  FROM 
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radcheck  
WHERE username = BINARY 'bob'  ORDER BY id

 

tim The user “bob” was not found in the radcheck table …

 

[sql] expand: SELECT groupname  FROM usergroup  WHERE 
username = BINARY '%{SQL-User-Name}'  ORDER BY priority - SELECT 
groupname  FROM usergroup  WHERE username = BINARY 'bob'
  ORDER BY priority

[sql] expand: SELECT id, groupname, attribute,   Value, op  
 FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = '256kbps_Unlimited'   ORDER 
BY id

[sql] User found in group 256kbps_Unlimited

 

tim The user “bob” was found in the radgroup table …

 

[sql] expand: SELECT id, groupname, attribute,   value, op  
 FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = '256kbps_Unlimited'   ORDER 
BY id

rlm_sql (sql): Released sql socket id: 3

++[sql] returns ok

rlm_checkval: Could not find item named Calling-Station-Id in request

rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs

++[station-check] returns notfound

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-24 Thread Simon L.
Phil Mayers schrieb:
 On 05/23/2011 06:53 PM, Simon L. wrote:

 Please have a look at my new, attached debug log.

 The server you are proxying to sends a reject. Fix that server.


Why does the home server accept a proxied request from radtest but not from
a WPA supplicant?
The home server cannot talk EAP. As the log shows, the proxy is not
doing EAP when it forwards a request. Where is the difference?



Re: Authentication Problem

2011-05-24 Thread john decot
SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
+-----+----------+--------------------+-------------+----+
| id  | username | attribute          | value       | op |
+-----+----------+--------------------+-------------+----+
| 384 | bob      | Cleartext-Password | bob         | := |
| 385 | bob      | Simultaneous-Use   | 1           | =  |
| 386 | bob      | Expiration         | 25 Jun 2011 | := |
+-----+----------+--------------------+-------------+----+
3 rows in set (0.00 sec)







From: Tim Sylvester tim.sylves...@networkradius.com
To: john decot johnde...@yahoo.com; FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 1:08:55 PM
Subject: RE: Authentication Problem


What do you get when you run this query?
 
SELECT id, username, attribute, value, op  FROM radcheck  WHERE 
username = BINARY 'bob'  ORDER BY id
 
From:john decot [mailto:johnde...@yahoo.com] 
Sent: Monday, May 23, 2011 11:24 PM
To: tim.sylves...@networkradius.com; FreeRadius users mailing list
Subject: Re: Authentication Problem
 
Seems there.
 
 
select * from radcheck where username='bob';
+-+--+++-+
| id  | username | attribute  | op | value   |
+-+--+++-+
| 386 | bob| Expiration | := | 25 Jun 2011 |
| 385 | bob| Simultaneous-Use   | =  | 1   |
| 384 | bob| Cleartext-Password | := | bob   |
 
 
 
 



From:Tim Sylvester tim.sylves...@networkradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 10:42:35 AM
Subject: RE: Authentication Problem



 
 
From:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org
[mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org]
] On Behalf Of john decot
Sent: Monday, May 23, 2011 9:36 PM
To: FreeRadius users mailing list
Subject: Re: Authentication Problem
 
I have backup from working server but still not working 
 
Please find the log:
 
success Log:
 
[sql]expand: %{User-Name} - rajnish
[sql] sql_set_user escaped user -- 'rajnish'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op  FROM 
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radcheck 
 WHERE username = BINARY 'rajnish'  ORDER BY id
[sql] User found in radcheck table
 
tim The user “rajnish” was found in the radcheck table …
 
[sql] expand: SELECT id, username, attribute, value, op  FROM 
radreply  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radreply 
 WHERE username = BINARY 'rajnish'  ORDER BY id
[sql] expand: SELECT groupname  FROM usergroup  WHERE 
username = BINARY '%{SQL-User-Name}'  ORDER BY priority - SELECT 
groupname  FROM usergroup  WHERE username = BINARY 'rajnish'
 
 ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, op  
 
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute,   Value, op   FROM 
radgroupcheck   WHERE groupname = '128kbps_Unlimited'   ORDER 
BY 
id
[sql] User found in group 128kbps_Unlimited
[sql] expand: SELECT id, groupname, attribute,   value, op  
 
FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute,   value, op   FROM 
radgroupreply   WHERE groupname = '128kbps_Unlimited'   ORDER 
BY 
id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
 
Failure Log:
 
[sql] expand: %{User-Name} - bob
[sql] sql_set_user escaped user -- 'bob'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op  FROM 
radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY 
id - SELECT id, username, attribute, value, op  FROM radcheck 
 WHERE username = BINARY 'bob'  ORDER BY id
 
tim The user “bob” was not found in the radcheck table …
 
[sql] expand: SELECT groupname  FROM usergroup  WHERE 
username = BINARY '%{SQL-User-Name}'  ORDER BY priority - SELECT 
groupname  FROM usergroup  WHERE username = BINARY 'bob'
 
 ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, op  
 
FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER 
BY 
id - SELECT id, groupname, attribute

Re: Authentication Problem

2011-05-24 Thread Fajar A. Nugraha
On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:
 SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
 +-----+----------+--------------------+-------------+----+
 | id  | username | attribute          | value       | op |
 +-----+----------+--------------------+-------------+----+
 | 384 | bob      | Cleartext-Password | bob         | := |
 | 385 | bob      | Simultaneous-Use   | 1           | =  |
 | 386 | bob      | Expiration         | 25 Jun 2011 | := |
 +-----+----------+--------------------+-------------+----+
 3 rows in set (0.00 sec)

That is odd. What happens when you remove Simultaneous-Use record for bob?

-- 
Fajar



Re: Authentication Problem

2011-05-24 Thread john decot
That's it. The problem was in the operator; I changed it to := and it works.

Thank you Fajar 



From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 2:17:51 PM
Subject: Re: Authentication Problem

On Tue, May 24, 2011 at 3:20 PM, john decot johnde...@yahoo.com wrote:
 SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;
 +-----+----------+--------------------+-------------+----+
 | id  | username | attribute          | value       | op |
 +-----+----------+--------------------+-------------+----+
 | 384 | bob      | Cleartext-Password | bob         | := |
 | 385 | bob      | Simultaneous-Use   | 1           | =  |
 | 386 | bob      | Expiration         | 25 Jun 2011 | := |
 +-----+----------+--------------------+-------------+----+
 3 rows in set (0.00 sec)

That is odd. What happens when you remove Simultaneous-Use record for bob?

-- 
Fajar


Re: Authentication Problem

2011-05-24 Thread Marinko Tarlać

Simultaneous-Use op should be := and not =


On 05/24/2011 10:32 AM, Fajar A. Nugraha wrote:

On Tue, May 24, 2011 at 3:20 PM, john decotjohnde...@yahoo.com  wrote:

SELECT id, username, attribute, value, op FROM radcheck WHERE username = BINARY 'bob' ORDER BY id;

+-----+----------+--------------------+-------------+----+
| id  | username | attribute          | value       | op |
+-----+----------+--------------------+-------------+----+
| 384 | bob      | Cleartext-Password | bob         | := |
| 385 | bob      | Simultaneous-Use   | 1           | =  |
| 386 | bob      | Expiration         | 25 Jun 2011 | := |
+-----+----------+--------------------+-------------+----+
3 rows in set (0.00 sec)

That is odd. What happens when you remove Simultaneous-Use record for bob?



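An added example, not from the thread or from FreeRADIUS: the operator problem Marinko points out, found and fixed with two SQL statements over a radcheck table. It runs against an in-memory sqlite3 copy of the three bob rows quoted above (constructed sample data), so the same statements can be run through the MySQL client on a live server; which attributes to audit is an assumption of this example, and the function names are its own.

```python
import sqlite3

# Check items that are only meaningful as a hard assignment (':=') in radcheck.
# Assumption for this example: extend the tuple to fit your own deployment.
ASSIGNMENT_ONLY_ATTRS = ("Simultaneous-Use", "Cleartext-Password")


def load_sample_radcheck():
    """Build an in-memory radcheck table holding the rows quoted in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck ("
        " id INTEGER PRIMARY KEY, username TEXT NOT NULL,"
        " attribute TEXT NOT NULL, op CHAR(2) NOT NULL, value TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO radcheck (id, username, attribute, op, value) VALUES (?,?,?,?,?)",
        [
            (384, "bob", "Cleartext-Password", ":=", "bob"),
            (385, "bob", "Simultaneous-Use", "=", "1"),  # the offending operator
            (386, "bob", "Expiration", ":=", "25 Jun 2011"),
        ],
    )
    return conn


def find_bad_operators(conn, attrs=ASSIGNMENT_ONLY_ATTRS):
    """Return (id, username, attribute, op) for audited attributes not using ':='.

    Only the placeholder list is interpolated into the SQL text; the attribute
    names themselves travel as bound parameters.
    """
    marks = ",".join("?" * len(attrs))
    cur = conn.execute(
        "SELECT id, username, attribute, op FROM radcheck"
        " WHERE attribute IN (%s) AND op <> ':=' ORDER BY id" % marks,
        attrs,
    )
    return cur.fetchall()


def fix_bad_operators(conn, attrs=ASSIGNMENT_ONLY_ATTRS):
    """Rewrite the offending rows to ':=' and return how many rows changed."""
    marks = ",".join("?" * len(attrs))
    cur = conn.execute(
        "UPDATE radcheck SET op = ':=' WHERE attribute IN (%s) AND op <> ':='" % marks,
        attrs,
    )
    conn.commit()
    return cur.rowcount


def user_check_items(conn, username):
    """The per-user lookup FreeRADIUS runs (authorize_check_query, by id)."""
    cur = conn.execute(
        "SELECT id, username, attribute, value, op FROM radcheck"
        " WHERE username = ? ORDER BY id",
        (username,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = load_sample_radcheck()
    print("rows with a bad operator:", find_bad_operators(db))
    print("rows fixed:", fix_bad_operators(db))
    print("bob's check items now:", user_check_items(db, "bob"))
```

Run the SELECT first and review what it returns before running the UPDATE; on a production database the same audit is worth keeping as a periodic check, since a single mis-set operator silently turns a user's whole radcheck entry into a non-match, as the failure log in this thread shows.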


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-24 Thread Phil Mayers

On 24/05/11 08:35, Simon L. wrote:

Phil Mayers schrieb:

On 05/23/2011 06:53 PM, Simon L. wrote:


Please have a look at my new, attached debug log.


The server you are proxying to sends a reject. Fix that server.



Why accepts the home server a proxied request from radtest but not from
a wpa supplicant.


radtest sends (by default) a PAP request.

WPA-Supplicant sends EAP.


The home server can not talk eap. as the log shows the proxy is not


If the home server can't do EAP, how do you expect to proxy EAP to it?

What is the home server?


doing eap when it forwards a request. where is the difference?


802.1x requires EAP support at the radius server. If you are proxying 
the requests to another server, it requires EAP support there, too.


It *may* be possible to terminate the EAP at FreeRADIUS, and send the 
inner EAP as non-EAP, but this is a hack, and I strongly advise against 
it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP.


If you want to do that, put the proxy config into 
sites-enabled/inner-tunnel, and also see eap.conf:


 eap {
   peap {
proxy_tunneled_request_as_eap = yes
   }
 }


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-24 Thread Simon L.
Phil Mayers schrieb:
 On 24/05/11 08:35, Simon L. wrote:
 Phil Mayers schrieb:
 On 05/23/2011 06:53 PM, Simon L. wrote:

 Please have a look at my new, attached debug log.

 The server you are proxying to sends a reject. Fix that server.


 Why accepts the home server a proxied request from radtest but not from
 a wpa supplicant.

 radtest sends (by default) a PAP request.

 WPA-Supplicant sends EAP.

 The home server can not talk eap. as the log shows the proxy is not

 If the home server can't do EAP, how do you expect to proxy EAP to it?

 What is the home server?
That's the point, I don't want to proxy EAP to the other FreeRADIUS (home
server).


 doing eap when it forwards a request. where is the difference?

 802.1x requires EAP support at the radius server. If you are proxying
 the requests to another server, it requires EAP support there, too.
I thought proxy_tunneled_request_as_eap = no would proxy without EAP,
so I did this:
eap.conf:
eap {
...
   peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = proxy-inner-tunnel
   }
 }

proxy-inner-tunnel:
server proxy-inner-tunnel {
 authorize {
  update control {
  Proxy-To-Realm := NULL #I want to proxy realm NULL
  }
 }
 authenticate {
 eap
 }
 post-proxy {
 eap
 }
}


 It *may* be possible to terminate the EAP at FreeRADIUS, and send the
 inner EAP as non-EAP, but this is hack, and I strongly advise against
 it. This will only work for EAP-TTLS/PAP and EAP-PEAP/MSCHAP
The network between the two FreeRADIUS servers is not public or shared, so I
think that would be OK. My above solution proxied EAP, but is your hack
just an old version of my config? I read several mails from last year
where that problem was solved that way (more or less).

 If you want to do that, put the proxy config into
 sites-enabled/inner-tunnel, 
Do you mean from proxy.conf or proxy-inner-tunnel?
 and also see eap.conf:

  eap {
peap {
 proxy_tunneled_request_as_eap = yes
}
  }
i had set it to no.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-24 Thread Alan Buxey
Hi,

 proxy-inner-tunnel:
 server proxy-inner-tunnel {
     authorize {
         update control {
             Proxy-To-Realm := NULL  # I want to proxy realm NULL
         }
     }
     authenticate {
         eap
     }
     post-proxy {
         eap
     }
 }

Don't set it to NULL - that keeps it very much local. Instead set it to FOOBAR
and configure proxy.conf so that the FOOBAR realm points to your other server.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
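Alan's fix above, written out as an added configuration example. This is not Simon's posted config and it is not shipped by the FreeRADIUS project; it follows the 2.x file layout that Simon's debug output shows (proxy.conf, eap.conf, sites-enabled/inner-tunnel). The home-server address 192.0.2.10, the shared secret and the realm name FOOBAR are assumptions. It also keeps Phil's caveat visible in the one setting that makes the scheme work at all.

```conf
# --- proxy.conf (added example; names, address and secret are assumptions) ---

home_server main-radius {
    type   = auth
    ipaddr = 192.0.2.10                       # assumed address of the home server
    port   = 1812
    secret = replace-with-a-long-random-secret  # must match this proxy's entry
                                              # in the home server's clients.conf
    # Detect a dead home server instead of waiting for request timeouts
    status_check = status-server
}

home_server_pool main-pool {
    type        = fail-over
    home_server = main-radius
}

# A realm that no User-Name suffix will ever match; it is selected only by the
# explicit Proxy-To-Realm update below. (The NULL realm is the local one.)
realm FOOBAR {
    auth_pool = main-pool
    nostrip                                   # forward the inner User-Name unchanged
}

# --- eap.conf ------------------------------------------------------------------

eap {
    default_eap_type = peap
    # tls { ... } with the server certificate stays as before
    peap {
        default_eap_type       = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply     = yes
        # "no" strips the EAP wrapper and forwards the inner MS-CHAPv2 as plain
        # RADIUS attributes. Between this host and the home server the
        # challenge/response pair is then outside TLS, and RADIUS does not
        # encrypt MS-CHAP attributes at all (only User-Password is obfuscated
        # with the shared secret), so anyone who can capture that link gets the
        # pair. This is the hack Phil warns about: only on a trusted, private link.
        proxy_tunneled_request_as_eap = no
        virtual_server = inner-tunnel
    }
}

# --- sites-enabled/inner-tunnel --------------------------------------------------

server inner-tunnel {
    authorize {
        # Not NULL (that keeps it local): force the named realm, which proxy.conf
        # maps to the home server above.
        update control {
            Proxy-To-Realm := "FOOBAR"
        }
        # Nothing else is needed here; the home server's answer decides the
        # inner result.
    }
    # authenticate / post-proxy sections as shipped
}
```

Check the realm on its own first: radtest against the proxy with a PAP user the home server knows proves the pool, the realm and the secret, but nothing more, because radtest never sends EAP (as Phil points out). The PEAP path has to be exercised by a real supplicant or an EAP-capable client such as eapol_test, and the home server must have an NT-Password or Cleartext-Password for the user so that its mschap module can answer the forwarded MS-CHAPv2 response.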


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-23 Thread Simon L.
Hi again,

Now I've got a real problem.

 ...

 The debug you sent contains no reject. Please send a debug for this case.

 I will generate a separate log for the WPA2 scenario soon.

I have no problems with WPA/2 and local authentication anymore. But now
I try to proxy the requests to another home server.

At first I tried with radtest from localhost - the request was proxied and
accepted.

From a Win7 supplicant the home server says:
Login incorrect: [test/via Auth-Type = Local] (from client )
and of course an Access-Reject followed.

Please have a look at my new, attached debug log.


Thanks a lot!
Simon
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on May 12 2011 at 
13:56:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file 
/usr/local/etc/raddb/sites-enabled/proxy-inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = 

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-23 Thread Phil Mayers

On 05/23/2011 06:53 PM, Simon L. wrote:

 Please have a look at my new, attached debug log.

The server you are proxying to sends a reject. Fix that server.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication Problem

2011-05-23 Thread Fajar A. Nugraha
On Tue, May 24, 2011 at 9:20 AM, john decot johnde...@yahoo.com wrote:
 Hi,
 I have been using freeradius-server-2.1.10. Dialupadmin is used for web-based
 administration. It was working fine till yesterday. I changed/added an
 attribute to check Max-All-Session. Then I faced the problem of
  No authenticate method (Auth-Type) found for the request: Rejecting the
  user

Max-All-Session alone should not cause that.


 However, the authorize section is working fine. After googling I checked
 with the option default Auth-Type = Local but it was not successful.

Normally you should never have to mess with Auth-Type, unless you're
doing some exotic setup (like LDAP bind with fallback to system user).

 This error occurs for newly created users only; old users are authenticating
 normally.

 I have reverted my changes, removing the attribute to check
 Max-All-Session, but the error still exists.

... which again simply confirms that Max-All-Session was not the
cause of the problem.


 Please advise me.

You have changed something else and made it broken. Reverse that.
I use git to record changes in /etc/raddb so I can have a record of
what has changed. You might need something similar.

In the meantime, see
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
Since you say only some users experience it, compare the log for both
the working and non-working user.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication Problem

2011-05-23 Thread john decot






From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 8:15:42 AM
Subject: Re: Authentication Problem

On Tue, May 24, 2011 at 9:20 AM, john decot johnde...@yahoo.com wrote:
 Hi,
 I have been using freeradius-server-2.1.10. Dialupadmin is used for web-based
 administration. It was working fine till yesterday. I changed/added an
 attribute to check Max-All-Session. Then I faced the problem of
  No authenticate method (Auth-Type) found for the request: Rejecting the
  user

Max-All-Session alone should not cause that.


 However, the authorize section is working fine. After googling I checked
 with the option default Auth-Type = Local but it was not successful.

Normally you should never have to mess with Auth-Type, unless you're
doing some exotic setup (like LDAP bind with fallback to system user).

 This error occurs for newly created users only; old users are authenticating
 normally.

 I have reverted my changes, removing the attribute to check
 Max-All-Session, but the error still exists.

... which again simply confirms that Max-All-Session was not the
cause of the problem.


 Please advise me.

You have changed something else and made it broken. Reverse that.
I use git to record changes in /etc/raddb so I can have a record of
what has changed. You might need something similar.

In the meantime, see
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
Since you say only some users experience it, compare the log for both
the working and non-working user.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentication Problem

2011-05-23 Thread john decot
'  ORDER BY id
[sql] expand: SELECT groupname  FROM usergroup  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY priority -> SELECT groupname  FROM usergroup  WHERE username = BINARY 'bob'  ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '256kbps_Unlimited'   ORDER BY id
[sql] User found in group 256kbps_Unlimited
[sql] expand: SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '256kbps_Unlimited'   ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
rlm_checkval: Could not find item named Calling-Station-Id in request
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[station-check] returns notfound
rlm_checkval: Could not find item named NAS-Identifier in request
rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
++[NAS-check] returns notfound
++[expiration] returns noop
rlm_logintime: Checking Login-Time: 'Su-Sa-2400'
rlm_logintime: timestr returned unlimited
++[logintime] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[noresetcounter] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bob
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 246 to 127.0.0.1 port 58102
Waking up in 4.6 seconds.


Rgds,
John




From: Fajar A. Nugraha l...@fajar.net
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tue, May 24, 2011 8:15:42 AM
Subject: Re: Authentication Problem

On Tue, May 24, 2011 at 9:20 AM, john decot johnde...@yahoo.com wrote:
 Hi,
 I have been using freeradius-server-2.1.10. Dialupadmin is used for web-based
 administration. It was working fine till yesterday. I changed/added an
 attribute to check Max-All-Session. Then I faced the problem of
  No authenticate method (Auth-Type) found for the request: Rejecting the
  user

Max-All-Session alone should not cause that.


 However, the authorize section is working fine. After googling I checked
 with the option default Auth-Type = Local but it was not successful.

Normally you should never have to mess with Auth-Type, unless you're
doing some exotic setup (like LDAP bind with fallback to system user).

 This error occurs for newly created users only; old users are authenticating
 normally.

 I have reverted my changes, removing the attribute to check
 Max-All-Session, but the error still exists.

... which again simply confirms that Max-All-Session was not the
cause of the problem.


 Please advise me.

You have changed something else and made it broken. Reverse that.
I use git to record changes in /etc/raddb so I can have a record of
what has changed. You might need something similar.

In the meantime, see
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21
Since you say only some users experience it, compare the log for both
the working and non-working user.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Authentication Problem

2011-05-23 Thread Tim Sylvester
 

 

From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org
[mailto:freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freeradius.org] On Behalf Of john decot
Sent: Monday, May 23, 2011 9:36 PM
To: FreeRadius users mailing list
Subject: Re: Authentication Problem

 I have a backup from the working server but it is still not working.

 Please find the log:

 Success log:

 [sql] expand: %{User-Name} -> rajnish
 [sql] sql_set_user escaped user --> 'rajnish'
 rlm_sql (sql): Reserving sql socket id: 3
 [sql] expand: SELECT id, username, attribute, value, op  FROM radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY id -> SELECT id, username, attribute, value, op  FROM radcheck  WHERE username = BINARY 'rajnish'  ORDER BY id
 [sql] User found in radcheck table

[tim] The user rajnish was found in the radcheck table.

 [sql] expand: SELECT id, username, attribute, value, op  FROM radreply  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY id -> SELECT id, username, attribute, value, op  FROM radreply  WHERE username = BINARY 'rajnish'  ORDER BY id
 [sql] expand: SELECT groupname  FROM usergroup  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY priority -> SELECT groupname  FROM usergroup  WHERE username = BINARY 'rajnish'  ORDER BY priority
 [sql] expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '128kbps_Unlimited'   ORDER BY id
 [sql] User found in group 128kbps_Unlimited
 [sql] expand: SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '128kbps_Unlimited'   ORDER BY id
 rlm_sql (sql): Released sql socket id: 3
 ++[sql] returns ok

 Failure log:

 [sql] expand: %{User-Name} -> bob
 [sql] sql_set_user escaped user --> 'bob'
 rlm_sql (sql): Reserving sql socket id: 3
 [sql] expand: SELECT id, username, attribute, value, op  FROM radcheck  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY id -> SELECT id, username, attribute, value, op  FROM radcheck  WHERE username = BINARY 'bob'  ORDER BY id

[tim] The user bob was not found in the radcheck table.

 [sql] expand: SELECT groupname  FROM usergroup  WHERE username = BINARY '%{SQL-User-Name}'  ORDER BY priority -> SELECT groupname  FROM usergroup  WHERE username = BINARY 'bob'  ORDER BY priority
 [sql] expand: SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   Value, op   FROM radgroupcheck   WHERE groupname = '256kbps_Unlimited'   ORDER BY id
 [sql] User found in group 256kbps_Unlimited

[tim] The user bob was found in the radgroup table.

 [sql] expand: SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, attribute,   value, op   FROM radgroupreply   WHERE groupname = '256kbps_Unlimited'   ORDER BY id
 rlm_sql (sql): Released sql socket id: 3
 ++[sql] returns ok
 rlm_checkval: Could not find item named Calling-Station-Id in request
 rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
 ++[station-check] returns notfound
 rlm_checkval: Could not find item named NAS-Identifier in request
 rlm_checkval: Could not find attribute named NAS-Identifier in check pairs
 ++[NAS-check] returns notfound
 ++[expiration] returns noop
 rlm_logintime: Checking Login-Time: 'Su-Sa-2400'
 rlm_logintime: timestr returned unlimited
 ++[logintime] returns ok
 [pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
 ++[pap] returns noop

[tim] Make sure that bob is in the radcheck table in the MySQL database.
FreeRADIUS did not find the user bob in the radcheck table, and just
continued.

Tim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
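Tim's diagnosis, turned into an added SQL check. This is not from the thread and not part of FreeRADIUS or dialupadmin; the table and column names are those of the stock FreeRADIUS 2.x MySQL schema that the posted queries use (radcheck, usergroup), the user bob and the group 256kbps_Unlimited are the ones in the debug output, and the password value in the last statement is a placeholder. The second query generalises Tim's one-user comparison to the whole database.

```sql
-- Added diagnostic (not from the thread). Stock FreeRADIUS 2.x MySQL schema.

-- 1. What the server saw for bob: is there any "known good" password in radcheck?
--    An empty result here is exactly what precedes
--    "[pap] WARNING! No known good password found for the user" and then
--    "No authenticate method (Auth-Type) found for the request".
SELECT id, username, attribute, op, value
FROM   radcheck
WHERE  username = 'bob';

-- 2. Every user that dialupadmin put into a group but gave no password check
--    item of their own. The attribute list is the set of password types rlm_pap
--    and rlm_mschap can verify; a row with only e.g. Simultaneous-Use does not
--    count. These accounts will fail the way bob does.
SELECT ug.username, ug.groupname
FROM   usergroup ug
LEFT JOIN radcheck rc
       ON  rc.username  = ug.username
       AND rc.attribute IN ('Cleartext-Password', 'Crypt-Password', 'MD5-Password',
                            'SMD5-Password', 'SHA-Password', 'SSHA-Password',
                            'NT-Password', 'LM-Password')
WHERE  rc.id IS NULL
ORDER  BY ug.username;

-- 3. Fix for one account. ':=' is the operator the schema documentation uses
--    for check items. Prefer a hashed form where the authentication protocol
--    allows it: PAP can verify any of the hashes above, while MS-CHAP needs
--    NT-Password or Cleartext-Password.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('bob', 'NT-Password', ':=', 'PLACEHOLDER_32_HEX_NT_HASH');
```

Run query 1 before and after the insert: the second run should return one row, and a fresh radtest for bob should then show "[sql] User found in radcheck table" followed by the pap module setting Auth-Type instead of the reject.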

RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I can't comment on your problem right now, but be aware there seem to be MANY 
issues with Windows 7.  Our config works PERFECT with XP, Apple IOS, and other 
basic stuff.  When we started testing Windows 7 (WPA2 Enterprise) we ran into 
all kinds of weirdness.  And just when we think we have a working config and 
have a few users start testing it breaks.

The web is littered with people having problems with Windows 7.  I'm convinced 
the W7 Supplicant is really broken.  In our environment FR doesn't even see the 
PEAP, just an MSCHAP, and that even fails!

Anyway...  Maybe if someone knows of a tool to dehash/decrypt the MSCHAP stuff 
I could actually see what's different in the requests between a working auth 
and a rejected auth.  Right now we're grasping at straws and can't figure out 
why MS is essentially doing nothing about this...

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Simon L.
Sent: Wednesday, May 18, 2011 10:27 AM
To: FreeRadius users mailing list
Subject: Authentication issues with Win7 and WPA/WPA2 Enterprise

Dear Users,

I hope you will be patient with me, it's my first time with FreeRADIUS.

I have problems authenticating Windows 7 clients with FreeRADIUS.

Using WPA2-Enterprise results in Access-Rejects after one request.
Using WPA-Enterprise results in about nine different Access-Challenges
and one final Access-Accept - that can't be right.

I have set up a testing scenario with the local test user bob. If local
authentication works properly I want to proxy all requests without EAP
to another FreeRADIUS server. I will have questions about that later :)

radtest from localhost and remote host succeeded.

Setting:

Win7_Client --WLAN-- WAP Linksys WRT54GL --MPLS network over PPPoE-- FreeRADIUS_proxy (FreeRADIUS_main)
  Windows 7            dd-wrt v24 SP2                                  Ubuntu Server 10.4.2, freeradius 2.1.10 generic
                       10.73.108.254                                   internal: 10.0.73.1, external: 213.x.x.x

I don't have a clue whether the problem is Windows, certificates, the network or
simply a misconfigured FreeRADIUS.

certificates:
- I built the certs with and without that Windows extension OID in
server.cnf with make from ../raddb/certs
- 2048 bit

Windows 7:
- installed ca.der as root cert in Win7 and configured it for the
desired WiFi network
- to my eyes no difference in the debug logs whether validating the server cert or not.
- unchecked using Windows user or domain for auth
- EAP comes with PEAP/MSCHAPv2 as default - but the certs are for EAP-TLS,
right?

WAP:
- WPA2 Enterprise with AES: no accept packet possible until now
- WPA Enterprise with AES results in those 9 challenges until accept

FreeRADIUS:
- compiled with the OpenSSL dev lib installed
- default config as it comes out of the box, except: added user bob with
cleartext password in users, added the WAP as client in clients.conf,
changed default_eap_type = peap and private_key_password =
MYSECRET_FROM_SERVER_CERT in eap.conf

For configuration and the rest please look at the attached debug.log from running
radiusd -X.
debug.log contains the output of radiusd -X with Access-Requests over
WPA-Enterprise.

I hope you have a hint for me.
Thanks!


Simon











This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited.  If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 16:26, Simon L. wrote:

 Using WPA2-Enterprise results in Access-Rejects after one request.

That is not normal. WPA2 should be the same as WPA at the radius level.

 Using WPA-Enterprise results in about nine different Access-Challenges
 and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs
followed by a final request/accept.

What exactly is your problem?

 I have set up a testing scenario with the local test user bob. If local
 authentication works properly I want to proxy all requests without EAP
 to another FreeRADIUS server. I will have questions about that later :)

 radtest from localhost and remote host succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

 I don't have a clue whether the problem is Windows, certificates, the network
 or simply a misconfigured FreeRADIUS.

You haven't told us what the problem is. WPA-Enterprise is working for
you - the radius server is sending an access-accept. What problem are
you experiencing?

 certificates:
 - I built the certs with and without that Windows extension OID in
 server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

 - 2048 bit

 Windows 7:
 - installed ca.der as root cert in Win7 and configured it for the
 desired WiFi network
 - to my eyes no difference in the debug logs whether validating the server cert or not.

Validate server cert is done on the client. You won't see any
difference on the server.

 - unchecked using Windows user or domain for auth
 - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for EAP-TLS,
 right?

PEAP uses TLS. PEAP needs certs too.

 WAP:
 - WPA2 Enterprise with AES: no accept packet possible until now

As above - that's not normal.

The debug you sent contains no reject. Please send a debug for this case.

 - WPA Enterprise with AES results in those 9 challenges until accept

As above - this is normal.

Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to
describe what those problems are.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
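Phil's "You MUST include the OID", spelled out as an added example of which OID that is and where the raddb/certs build applies it. This is the shape of the xpextensions file that ships with FreeRADIUS 2.x as I know it, written out here rather than quoted from Simon's tree; the file names (ca.key, ca.pem, server.csr, server.crt, server.cnf) are the defaults of that build, and the openssl invocation is my reconstruction of what the Makefile's server.crt target does, not a copy of it.

```conf
# raddb/certs/xpextensions: OpenSSL extension sections that the Makefile selects
# with "-extensions <section> -extfile xpextensions" when it signs a CSR.

[ xpclient_ext ]
# id-kp-clientAuth, for EAP-TLS client certificates
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
# id-kp-serverAuth. This is "that Windows extension OID": a Windows supplicant
# with "Validate server certificate" enabled rejects a PEAP/TTLS server
# certificate that lacks it, and FreeRADIUS only sees a TLS alert, never a
# credential. A server cert built "without" it is useless for Windows clients.
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

# Signing step with the section applied (reconstruction of the Makefile's
# server.crt target; run from raddb/certs):
#   openssl ca -batch -config ./server.cnf -keyfile ca.key -cert ca.pem \
#       -in server.csr -out server.crt -extensions xpserver_ext -extfile xpextensions
```

To check an existing certificate rather than rebuild it: `openssl x509 -in server.pem -noout -text | grep -A1 'Extended Key Usage'` must show "TLS Web Server Authentication". If the CA itself was regenerated during the with/without experiments, the ca.der installed on the Windows 7 client no longer matches and has to be reinstalled as well; the supplicant then fails in the same silent way as a missing EKU.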


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
One point of clarification:

 PEAP uses TLS. PEAP needs certs too.

Not *all* peap uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a 
common example.

G



-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:52 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:26, Simon L. wrote:

 Using WPA2-Enterprise results in Access-Rejects after one request.

That is not normal. WPA2 should be the same as WPA at the radius level.


 Using WPA-Enterprise results in about nine different Access-Challenges
 and one final Access-Accept - that can't be right.

That is normal. EAP exchanges are usually 9/10 request/challenge pairs 
followed by a final request/accept.


What exactly is your problem?


 I have set up a testing scenario with the local test user bob. If local
 authentication works properly I want to proxy all requests without EAP
 to another FreeRADIUS server. I will have questions about that later :)

 radtest from localhost and remote host succeeded.

Sorry - radtest does not do EAP. radtest is not a valid test.

 I don't have a clue whether the problem is Windows, certificates, the network
 or simply a misconfigured FreeRADIUS.

You haven't told us what the problem is. WPA-Enterprise is working for 
you - the radius server is sending an access-accept. What problem are 
you experiencing?


 certificates:
 - I built the certs with and without that Windows extension OID in
 server.cnf with make from ../raddb/certs

Why? You MUST include the OID.

 - 2048 bit

 Windows 7:
 - installed ca.der as root cert in Win7 and configured it for the
 desired WiFi network
 - to my eyes no difference in the debug logs whether validating the server cert or not.

Validate server cert is done on the client. You won't see any 
difference on the server.

 - unchecked using Windows user or domain for auth
 - EAP comes with PEAP/MSCHAPv2 as default - but the certs are for EAP-TLS,
 right?

PEAP uses TLS. PEAP needs certs too.


 WAP:
 - WPA2 Enterprise with AES: no accept packet possible until now

As above - that's not normal.

The debug you sent contains no reject. Please send a debug for this case.

 - WPA Enterprise with AES results in those 9 challenges until accept

As above - this is normal.

Access-Accept means everything is working.

If you are still having problems after the Access-Accept, you need to 
describe what those problems are.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 16:50, Gary Gatten wrote:

 I can't comment on your problem right now, but be aware there seem to
 be MANY issues with Windows 7.  Our config works PERFECT with XP,
 Apple IOS, and other basic stuff.  When we started testing Windows
 7 (WPA2 Enterprise) we ran into all kinds of weirdness.  And just
 when we think we have a working config and have a few users start
 testing it breaks.

 The web is littered with people having problems with Windows 7.  I'm
 convinced the W7 Supplicant is really broken.  In our environment FR
 doesn't even see the PEAP, just an MSCHAP, and that even fails!

We have no problems with Windows 7. It works just fine. There don't seem 
to be significant differences between it and Windows XP SP3 from our 
point of view.

 Anyway...  Maybe if someone knows of a tool to dehash/decrypt the
 MSCHAP stuff I could actually see what's different in the requests
 between a working auth and a rejected auth.  Right now we're grasping
 at straws and can't figure out why MS is essentially doing nothing
 about this...

Can you be more specific about what kind of script you want? I've got 
a bunch of python tools I use for testing here.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 16:59, Gary Gatten wrote:

 One point of clarification:

  PEAP uses TLS. PEAP needs certs too.

 Not *all* peap uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a
 common example.

Incorrect. PEAP *requires* a server certificate. The client does not 
need one.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I would LOVE if W7 just worked!  People here are blaming FR and I'm trying to 
convince them it has nothing to do with it, but since the MSCHAP challenges / 
responses are hashed I can't PROVE it to them.

I have FR debugs of a working auth and a rejected auth.  I'd like to unhash 
the MSCHAP stuff to see in clear text what's getting sent back and forth so I 
can get a better idea of why the request is being rejected.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:01 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:50, Gary Gatten wrote:
 I can't comment on your problem right now, but be aware there seem to
 be MANY issues with Windows 7.  Our config works PERFECT with XP,
 Apple IOS, and other basic stuff.  When we started testing Windows
 7 (WPA2 Enterprise) we ran into all kinds of weirdness.  And just
 when we think we have a working config and have a few users start
 testing it breaks.

 The web is littered with people having problems with Windows 7.  I'm
 convinced the W7 Supplicant is really broken.  In our environment FR
 doesn't even see the PEAP, just an MSCHAP, and that even fails!

We have no problems with Windows 7. It works just fine. There don't seem 
to be significant differences between it and Windows XP SP3 from our 
point of view.


 Anyway...  Maybe if someone knows of a tool to dehash/decrypt the
 MSCHAP stuff I could actually see what's different in the requests
 between a working auth and a rejected auth.  Right now we're grasping
 at straws and can't figure out why MS is essentially doing nothing
 about this...

Can you be more specific about what kind of script you want? I've got 
a bunch of python tools I use for testing here.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I don't recall doing anything with server certs either - but this was LONG ago. 
 Plus, you are FAR more knowledgeable than I in these matters so I defer to you 
and stand corrected.

The next sound you hear is my tail dragging on the ground as I walk away, head 
down, in shame

-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:10 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 16:59, Gary Gatten wrote:
 One point of clarification:

 PEAP uses TLS. PEAP needs certs too.

 Not *all* peap uses TLS and hence needs certs.  The MS PEAP/MSCHAPv2 is a 
 common example.

Incorrect. PEAP *requires* a server certificate. The client does not 
need one.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 17:10, Gary Gatten wrote:

I would LOVE if W7 just worked!  People here are blaming FR and I'm
trying to convince them it has nothing to do with it, but since the
MSCHAP challenges / responses are hashed I can't PROVE it to them.

I have FR debugs of a working auth and a rejected auth.  I'd like to
unhash the MSCHAP stuff to see in clear text what's getting sent
back and forth so I can get a better idea of why the request is being
rejected.



That isn't really how it works. MS-CHAP is a (reasonably) 
cryptographically secure protocol. You can't go backwards from:


MS-CHAP-Challenge = xxx
MS-CHAP2-Response = yyy

...to anything meaningful.

You *can* check that a given response is valid for a given challenge, if 
you know the password or nt hash.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
That's what I was afraid of...

Can you expand on this:

You *can* check that a given response is valid for a given challenge, if 
you know the password or nt hash.

TIA

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
 I would LOVE if W7 just worked!  People here are blaming FR and I'm
 trying to convince them it has nothing to do with it, but since the
 MSCHAP challenges / responses are hashed I can't PROVE it to them.

 I have FR debugs of a working auth and a rejected auth.  I'd like to
 unhash the MSCHAP stuff to see in clear text what's getting sent
 back and forth so I can get a better idea of why the request is being
 rejected.


That isn't really how it works. MS-CHAP is a (reasonably) 
cryptographically secure protocol. You can't go backwards from:

MS-CHAP-Challenge = xxx
MS-CHAP2-Response = yyy

...to anything meaningful.

You *can* check that a given response is valid for a given challenge, if 
you know the password or nt hash.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 17:10, Gary Gatten wrote:

I would LOVE if W7 just worked!  People here are blaming FR and I'm
trying to convince them it has nothing to do with it, but since the
MSCHAP challenges / responses are hashed I can't PROVE it to them.


As per previous posts:

Your Aruba wireless equipment is:

 a. Terminating the outer EAP-PEAP
 b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and 
I even suspect I know how - I think it's probably clients typing in 
their username in mIxEd-CaSe, which will cause cryptographic (hash) 
mismatches at client and server without careful preservation of the EAP 
payload.


As per Neal Garber's post of 10th May, even FreeRADIUS had problems with 
this prior to 2.1.10


Are you / have you been able to:

 1. stop terminating the PEAP on the Aruba
 2. upgrade to FreeRADIUS 2.1.10

?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers

On 18/05/11 17:35, Gary Gatten wrote:

That's what I was afraid of...

Can you expand on this:

You *can* check that a given response is valid for a given challenge, if
you know the password or nt hash.


At length, but I would be here all day ;o)

Basically, I've got a python script that performs the MS-CHAP crypto. 
I'll see if I can stick it somewhere people can make use of it.


But FreeRADIUS does this right. There's no need for an external script 
(unless you're fiddling with the MS-CHAP module guts, which I was when I 
wrote it).


If FreeRADIUS is telling you the mschap response is wrong, it's wrong. 
Either:


 1. The client is sending wrong data
 2. The server has wrong data (password/hash)
 3. Something is fiddling with the data in transit

Since we *know* your Aruba kit is doing some fiddling, it
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
I have a 2.1.10 server we are testing with, but I thought the patch you 
mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?

We will be testing passing the entire *eap session to FR this afternoon.

- Original Message -
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
 I would LOVE if W7 just worked!  People here are blaming FR and I'm
 trying to convince them it has nothing to do with it, but since the
 MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

  a. Terminating the outer EAP-PEAP
  b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and 
I even suspect I know how - I think it's probably clients typing in 
their username in mIxEd-CaSe, which will cause cryptographic (hash) 
mismatches at client and server without careful preservation of the EAP 
payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with 
this prior to 2.1.10

Are you / have you been able to:

  1. stop terminating the PEAP on the Aruba
  2. upgrade to FreeRADIUS 2.1.10

?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Sven Hartge
Phil Mayers p.may...@imperial.ac.uk wrote:
 On 18/05/11 17:10, Gary Gatten wrote:

 I would LOVE if W7 just worked!  People here are blaming FR and I'm
 trying to convince them it has nothing to do with it, but since the
 MSCHAP challenges / responses are hashed I can't PROVE it to them.

 Are you / have you been able to:

  1. stop terminating the PEAP on the Aruba
  2. upgrade to FreeRADIUS 2.1.10

I can at least confirm the following from my Aruba setup here:

 a) _not_ terminating the outer EAP-PEAP in the Aruba and
 b) passing the whole thing to FR 2.1.10 works with any Windows I have 
so far encountered.
(as far as the other things like server certificate chain, etc. are
 correct.)

So the setup Win7-Aruba-FR _will_ work, if you don't let the Aruba
gear fiddle with your EAP.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Gary Gatten
Initial test results passing PEAP et al to FR (vs. Aruba terminating PEAP) and 
proxying MSCHAP APPEAR to work well.  Testing is by no means 100% complete, 
but so far so good.  Scenarios that used to result in a reject are now working 
as expected.  I had an initial problem 'cause I installed this to /devel/ to 
test with and I mucked something up and many files and dirs ended up directly 
under /devel instead of for instance /devel/raddb/.  I created raddb and 
copied certs there and it was more happy.

FWIW: We are NOT using client certs at this time, we are using the 
PEAP/MSCHAPv2 and use my windows credentials option.

Thanks!

Gary


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

I have a 2.1.10 server we are testing with, but I thought the patch you 
mentioned wasn't in 2.1.10, I think Alan said he'd put it in 3.x?

We will be testing passing the entire *eap session to FR this afternoon.

- Original Message -
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

On 18/05/11 17:10, Gary Gatten wrote:
 I would LOVE if W7 just worked!  People here are blaming FR and I'm
 trying to convince them it has nothing to do with it, but since the
 MSCHAP challenges / responses are hashed I can't PROVE it to them.

As per previous posts:

Your Aruba wireless equipment is:

  a. Terminating the outer EAP-PEAP
  b. Translating the inner EAP-MSCHAPv2 to plain MS-CHAPv2

I strongly suspect this will be causing the problems you are having, and 
I even suspect I know how - I think it's probably clients typing in 
their username in mIxEd-CaSe, which will cause cryptographic (hash) 
mismatches at client and server without careful preservation of the EAP 
payload.

As per Neal Garber's post of 10th May, even FreeRADIUS had problems with 
this prior to 2.1.10

Are you / have you been able to:

  1. stop terminating the PEAP on the Aruba
  2. upgrade to FreeRADIUS 2.1.10

?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues from Apple devices

2011-05-14 Thread Phil Mayers



Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by sandra with CHAP password
[chap] Using clear text password sandra for user sandra authentication.
[chap] Password check failed
++[chap] returns reject


Nothing very dramatic here - the chap-challenge is wrong, almost 
certainly meaning the user entered the wrong password.


Now, since the user in this case is you testing, I guess it might be 
something else, but I'm not sure what. First thing - check and re-check 
that you're entering the password correctly, and something tedious like 
autocorrect isn't munging it!


How do clients log into the hotspot - is it via web intercept/redirect 
and an HTML form? Can you switch to HTTP (rather than HTTPS) and run a 
packet capture to see if the password coming from the client is good?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues from Apple devices

2011-05-14 Thread stentofon
The users connect through a chillispot captive portal, via HTTP.  HTTPS
causes too many problems with certificates, and the access point is
unencrypted anyway, so security is not the issue.

I initially thought that the hotspot clients were simply making mistakes, but
i've been testing it all day with the iphone v blackberry and Windows 7 and
i'm fairly certain the password is going in ok.  I set the username and
password to be sandra : sandra for simplicity, as the autocorrect should
leave it alone.  I also set up an account as 1234 : 1234 and this also
failed only on the iphone.

For it to only affect Apple products, i had hoped that the debug message was
going to show some rubbish in the username to prove that there was some
issue with the input, but i can't see the issue when the debug message is
confirming that the correct username and password were supplied.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentication issues from Apple devices

2011-05-14 Thread Phil Mayers

On 05/14/2011 10:08 AM, stentofon wrote:

The users connect through a chillispot captive portal, via HTTP.  HTTPS
causes too many problems with certificates, and the access point is
unencrypted anyway, so security is not the issue.

I initially thought that the hotspot clients were simply making mistakes, but
i've been testing it all day with the iphone v blackberry and Windows 7 and
i'm fairly certain the password is going in ok.  I set the username and
password to be sandra : sandra for simplicity, as the autocorrect should
leave it alone.  I also set up an account as 1234 : 1234 and this also
failed only on the iphone.

For it to only affect Apple products, i had hoped that the debug message was
going to show some rubbish in the username to prove that there was some


No; the packet is well-formed.

The problem is that, in your failing case, the CHAP-Password is not 
valid for the given CHAP-Challenge and your plaintext password sandra.


That is, the client (Chilli) is sending invalid auth to FreeRADIUS.


issue with the input, but i can't see the issue when the debug message is
confirming that the correct username and password were supplied.


That's not what the debug message says. I assume you're referring to 
this line:


[chap] login attempt by sandra with CHAP password
[chap] Using clear text password sandra for user sandra authentication.

...which means I'm trying a login for 'sandra'. My (server-side) value 
for their clear text password is 'sandra'. It doesn't refer to anything 
the client sent (well, the username I guess).


CHAP is a challenge-response method. The NAS (Chilli) never sends the 
password to FreeRADIUS. Instead, it sends:


CHAP-Challenge = 16 random bytes
CHAP-Password = 1 byte ID + md5(ID + password + challenge)

The radius server then extracts the plaintext password from the SQL 
database, and the ID and challenge from the packet, computes its own copy 
of CHAP-Password, and compares it to the packet.


In your failing case, they don't match, so authentication is denied 
(I've confirmed this by doing the MD5 manually in python - it's 
definitely invalid. I tried a few trivial variations of the password 
too, to see if I could figure out what the client was using - no dice)


I think the problem must be at the Chillispot end - it's breaking the 
CHAP somehow for iOS clients.


Since you're not using HTTPS, you could try getting a packet capture of 
a working and failing login HTTP session, and compare the two in detail 
- I'd be looking for the POSTed form data, and any HTTP headers that 
might affect the interpretation e.g. character encodings.


But this isn't really a FreeRADIUS problem I'm afraid.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
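The CHAP check Phil describes, written out as an added example (not FreeRADIUS code and not the poster's script): the NAS-side construction of CHAP-Password and the server-side recomputation rlm_chap performs. Function names, the 0x hex-string form and the sample values are assumptions; the fallback to the Request Authenticator when no CHAP-Challenge attribute is present is what RFC 2865 section 5.3 specifies.

```python
import hashlib
import hmac
import os

# Added example, not code from the FreeRADIUS project or the list posters.
# Reproduces the check described in the thread (RFC 1994 / RFC 2865 s5.3):
#   CHAP-Password = ID || MD5(ID || password || challenge)
# The challenge is the CHAP-Challenge attribute or, when that attribute is
# absent, the 16-byte Request Authenticator of the Access-Request.


def chap_hash(ident: int, password: bytes, challenge: bytes) -> bytes:
    """MD5 over the one-byte ID, the cleartext password and the challenge."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ID must fit in one byte")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side (what Chilli does): 1-byte ID followed by the 16-byte hash."""
    return bytes([ident]) + chap_hash(ident, password, challenge)


def verify_chap_password(chap_password: bytes, challenge: bytes,
                         stored_password: bytes) -> bool:
    """Server side (what rlm_chap does): recompute from the stored
    cleartext password and compare with what the NAS sent."""
    if len(chap_password) != 17:
        return False  # malformed attribute: reject rather than guess
    ident = chap_password[0]
    expected = chap_hash(ident, stored_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def parse_hex_attr(value: str) -> bytes:
    """Turn an octet string as printed in debug output (0x0a1b...) into bytes."""
    value = value.strip()
    if value.startswith(("0x", "0X")):
        value = value[2:]
    return bytes.fromhex(value)


def check_debug_pair(chap_password_hex: str, chap_challenge_hex: str,
                     stored_password: bytes) -> bool:
    """Check a CHAP-Password / CHAP-Challenge pair copied out of a debug log
    against the password the server holds for that user."""
    return verify_chap_password(parse_hex_attr(chap_password_hex),
                                parse_hex_attr(chap_challenge_hex),
                                stored_password)


if __name__ == "__main__":
    # Constructed sample values; a real debug would carry the real octets.
    challenge = os.urandom(16)
    good = build_chap_password(0x2A, b"sandra", challenge)
    print("well-behaved client:", verify_chap_password(good, challenge, b"sandra"))
    # A client that hashes a munged password (e.g. auto-capitalised) fails.
    bad = build_chap_password(0x2A, b"Sandra", challenge)
    print("munged client:", verify_chap_password(bad, challenge, b"sandra"))
```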

