Re: Access-challenge timeout on IOS
On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
> I'm experimenting with a system involving an access-challenge to a NAS. It works fine with FR so far on, say, the cisco ipsec vpn client, which waits a long time until timing out waiting for user input. I'd like to also discover how other NAS's behave using this and have found the timeout on a particular cisco 1131 access point to be quite short. Does anyone know if there's a radius attribute I can send that will

Not as far as I know.

> extend this timeout, or an internal setting that will change the default on the ap?

Maybe. This usually depends on link-layer timers, e.g. EAPOL timeouts, IPSec/IKE timeouts, etc. rather than anything radius-related.

> Session-timeout and Idle-timeout are attributes mentioned by the cisco docs but neither of these seem to be what I'm after.

Neither are relevant; they're for established sessions, not timeouts in *establishing* one.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Access-challenge timeout on IOS
Hi,

> waits a long time until timing out waiting for user input. I'd like to also discover how other NAS's behave using this and have found the timeout on a particular cisco 1131 access point to be quite short.

most NAS devices have configurable options for their RADIUS/EAP timers. note that you will need to adjust RADIUS server too - as the server also has its own timeout/clear-up timers

> Session-timeout and Idle-timeout are attributes mentioned by the cisco docs but neither of these seem to be what I'm after.

they control the end clients, not the RADIUS clients (the NAS)

alan
Re: Access-challenge timeout on IOS
Quoting Phil Mayers p.may...@imperial.ac.uk:
> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>> Hi,
>> Session-timeout and Idle-timeout are attributes mentioned by the cisco docs but neither of these seem to be what I'm after.
>
> Neither are relevant; they're for established sessions, not timeouts in *establishing* one.

Actually, that is incorrect. Session-Timeout _is_ used to control the authentication timeout, when in the initial AccReq. I'd quote the RFC, but I'm not at home. The *-Timeouts in the Acc-Accept control the session.

Some models/versions of Cisco APs cause me no end of grief getting timeouts long enough for users to enter their RSA token values. They use it to abort the session, when they should just retry.

Dave.
Re: Access-challenge timeout on IOS
On 04/07/13 14:34, David Mitton wrote:
> Quoting Phil Mayers p.may...@imperial.ac.uk:
>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>> Hi,
>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco docs but neither of these seem to be what I'm after.
>>
>> Neither are relevant; they're for established sessions, not timeouts in *establishing* one.
>
> Actually, that is incorrect. Session-Timeout _is_ used to control the authentication timeout, when in the initial AccReq. I'd quote the RFC, but I'm not at home. The *-Timeouts in the Acc-Accept control the session.

Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.

However - does any equipment actually *honour* this? Also, I note the wording is very loose indeed - no MUST.
RE: Access-challenge timeout on IOS
I'll give it a go. Thanks for the information guys.

The cisco attribute list says:

Session-Timeout: Sets the maximum number of seconds of service to be provided to the user before the session terminates. This attribute value becomes the per-user absolute timeout.

Not that helpful, and why I discarded it as an option which might be useful. Let's see..

Thanks
andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 04 July 2013 15:28
To: freeradius-users@lists.freeradius.org
Subject: Re: Access-challenge timeout on IOS

On 04/07/13 14:34, David Mitton wrote:
> Quoting Phil Mayers p.may...@imperial.ac.uk:
>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>> Hi,
>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco docs but neither of these seem to be what I'm after.
>>
>> Neither are relevant; they're for established sessions, not timeouts in *establishing* one.
>
> Actually, that is incorrect. Session-Timeout _is_ used to control the authentication timeout, when in the initial AccReq. I'd quote the RFC, but I'm not at home. The *-Timeouts in the Acc-Accept control the session.

Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.

However - does any equipment actually *honour* this? Also, I note the wording is very loose indeed - no MUST.
Re: Access-challenge timeout on IOS
Oh for sure... I used Cisco 1200s @ RSA and the Windows EAP interfaces. I was always fighting with the system timing out the authentication before a user would type in a token code. This frequently takes a minute or more, because people have to get their token, often they wait for the code to change, so they have a minute to read it, then type it in...

On Windows 7, we had more problems, so I decided to explore some not well understood options of the EAP interface. There was an option that was supposed to take 60 seconds (so their Tech support told me). I tried it. It failed so quickly my head was spinning. I got out Wireshark and traced the protocol. When this option was selected, the MS EAP/RADIUS client sent a Session-Timeout value of 6! That AP killed the session faster than you could type a character. Removing the option, the value Windows sends is 60.

If you google hard you will find that some versions of Cisco APs have a command line option to ignore the attribute and allow you to specify your own value. Mine honored the command, but did not have it in the Management GUI.

I believe the new Windows EAPhost API now allows the EAP developer to set this value. But there are other 1 minute timers hardwired into the Windows EAP interface that I had to work around.

Dave.

Quoting Phil Mayers p.may...@imperial.ac.uk:
> On 04/07/13 14:34, David Mitton wrote:
>> Quoting Phil Mayers p.may...@imperial.ac.uk:
>>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>>> Hi,
>>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco docs but neither of these seem to be what I'm after.
>>>
>>> Neither are relevant; they're for established sessions, not timeouts in *establishing* one.
>>
>> Actually, that is incorrect. Session-Timeout _is_ used to control the authentication timeout, when in the initial AccReq. I'd quote the RFC, but I'm not at home. The *-Timeouts in the Acc-Accept control the session.
>
> Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869.
>
> However - does any equipment actually *honour* this? Also, I note the wording is very loose indeed - no MUST.
Re: Access-challenge timeout on IOS
On 4 Jul 2013, at 22:32, David Mitton da...@mitton.com wrote:
> Oh for sure... I used Cisco 1200s @ RSA and the Windows EAP interfaces. I was always fighting with the system timing out the authentication before a user would type in a token code. This frequently takes a minute or more, because people have to get their token, often they wait for the code to change, so they have a minute to read it, then type it in...
>
> On Windows 7, we had more problems, so I decided to explore some not well understood options of the EAP interface. There was an option that was supposed to take 60 seconds (so their Tech support told me). I tried it. It failed so quickly my head was spinning. I got out Wireshark and traced the protocol. When this option was selected, the MS EAP/RADIUS client sent a Session-Timeout value of 6! That AP killed the session faster than you could type a character. Removing the option, the value Windows sends is 60.
>
> If you google hard you will find that some versions of Cisco APs have a command line option to ignore the attribute and allow you to specify your own value. Mine honored the command, but did not have it in the Management GUI.
>
> I believe the new Windows EAPhost API now allows the EAP developer to set this value. But there are other 1 minute timers hardwired into the Windows EAP interface that I had to work around.

Lower levels will time out authentication way before you hit the one minute mark. 15 seconds is the default on most NAS, and then you'll have to tune FreeRADIUS so it doesn't clear out its EAP session cache.

Just don't use this stuff for 802.1X. Web portals fine, email fine, just not anything to do with EAP, it won't work well.

Most devices have support for client certificates, use those instead, they're just as easy to revoke as tokens, and you'll piss the end user off a hell of a lot less.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Access-Challenge with FreeRadius
well i am working with a linux as server and don't have access to the debug mode. if i get anything I will tell you

On Wed, Nov 9, 2011 at 3:03 PM, hughdavid hughdavid1...@yahoo.fr wrote:
> Hello,
> I am a new user of FreeRadius (on windows)
> I have the same question as this post: How to configure freeRADIUS server so it replies with a PAP access-challenge message on access-request from a client?
> http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-td4296727.html
> Any help is greatly appreciated! Thanks in advance
> Best Regards,
> Zhuoming (zhuoming.hu...@gmail.com)

--
You don't GO to Church. You ARE Church http://www.youtube.com/watch?v=ifnJtkAnBq4
Re: Access-Challenge with FreeRadius
The thread link posted has already got several answers in it... and ends quite clearly. Why are you trying to drag this up again? Some coursework?

alan
Re: Access-Challenge with FreeRadius
hughdavid wrote:
> I thought that we can configure FreeRadius to implement the methods, that generate Access-Challenge messages for PAP protocol, and we can define some logic scenarios for these challenge exchanges
> Apparently it is not possible with FreeRadius

Yes, it is. But you need to write the code to make it do that. There is no pre-packaged configuration saying "implement Access-Challenge here".

All Access-Challenge scenarios are tied to pre-existing authentication methods. e.g. EAP, SecurID, etc.

If you're technical enough to implement your own Access-Challenge method, you're technical enough to *implement* your own Access-Challenge method. If you can't figure out how to implement Access-Challenge in the server (hint: there are examples), then you don't need to implement it.

Alan DeKok.
Re: access challenge on empty password
I did not configure so (it must be a default). Where is that configuration entry?
Re: access challenge on empty password
izotov wrote:
> I did not configure so (it must be a default). Where is that configuration entry?

Have you tried running the server in debugging mode as suggested in the FAQ, README, INSTALL, man page, and daily on this list?

Alan DeKok.
Re: access challenge on empty password
Alan DeKok-2 wrote:
> Have you tried running the server in debugging mode as suggested in the FAQ, README, INSTALL, man page, and daily on this list?

Yes, I always do so. But this time it did not help me to find the answer.
Re: access challenge on empty password
On Fri, Apr 1, 2011 at 3:43 PM, izotov karoly.arnhof...@gmail.com wrote:
> Alan DeKok-2 wrote:
>> Have you tried running the server in debugging mode as suggested in the FAQ, README, INSTALL, man page, and daily on this list?
>
> Yes, I always do so. But this time it did not help me to find the answer.

I think what Alan means, if you have a problem, post the output of debug mode (radiusd -X) so others can help you troubleshoot the issue by reading and interpreting what's in the output.

Simply saying "I always do so" but not providing the log is like saying "I have a problem, I don't know how to solve it, and I don't want to give any details about it either. Can you help me?"

--
Fajar
Re: access challenge on empty password
radius.log: http://freeradius.1045715.n5.nabble.com/file/n4275090/radius.log

Fajar A. Nugraha-2 wrote:
> if you have a problem, post the output of debug mode (radiusd -X)

I am sorry. I try to get the rhythm. Log is attached.
Re: access challenge on empty password
izotov wrote:
> Hi,
> I use pam_radius with openssh on a FreeBSD box. When I authenticate, and for the first time I simply enter an empty password, then the second time I am prompted for the password, characters are echoed on the terminal. As I can see my freeradius server responds with an access challenge to a request with an existing user and empty password combo. Is this a normal behaviour? How can I configure the system not to do so?

Why have you configured the server to respond with an Access-Challenge?

Alan DeKok.
Re: Access Challenge in freeRadius server
Thank you very much Ivan for your detailed response. I will check it and respond to you.

Regards,
Dhandapani

Ivan Kalik wrote:
>> Not sure how ssh/telnet will handle.
>
> That depends on your pam radius module. I believe freeradius hosted module can handle it. Don't know for others.
>
>> But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.
>
> Why? Server already knows its RSA key. This has nothing to do with user authentication.
>
>> Also, does NAS need any installation to support Access-Challenge like CHAP?
>
> It needs pam module that supports it. BTW chap doesn't have Access-Challenge in the authentication process. Nor mschap.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
> I am trying to authorize the ssh and telnet login users of my Redhat Linux machine using freeRadius server. I am able to test Access-Accept and Access-Reject with right and wrong credentials respectively by configuring the file '/etc/pam.d/sshd' with entry pam_radius_auth.so. But I do not know how to achieve and test the Access-Challenge concept.

Do you need to? ssh and telnet supplicants tend not to use protocols with challenge-response exchange.

> I mean what type of input will result in Access Challenge (I know it happens when we provide partial login information but not sure how to achieve with login in real time)?

Send an eap request (eapol_test).

Ivan Kalik
Kalik Informatika ISP
Re: Access Challenge in freeRadius server
Thanks Ivan for the clarification. I am just setting up the tool eapol_test to test it. Thanks.

But I am also investigating whether it is possible to achieve Access Challenge with ssh/telnet without using any other tools. Could you please help if you have done it before? And also may I know why it is not advised to support Access Challenge for ssh or telnet.

Regards,
Dhandapani

Ivan Kalik wrote:
>> I am trying to authorize the ssh and telnet login users of my Redhat Linux machine using freeRadius server. I am able to test Access-Accept and Access-Reject with right and wrong credentials respectively by configuring the file '/etc/pam.d/sshd' with entry pam_radius_auth.so. But I do not know how to achieve and test the Access-Challenge concept.
>
> Do you need to? ssh and telnet supplicants tend not to use protocols with challenge-response exchange.
>
>> I mean what type of input will result in Access Challenge (I know it happens when we provide partial login information but not sure how to achieve with login in real time)?
>
> Send an eap request (eapol_test).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
> And also may I know why it is not advised to support Access Challenge for ssh or telnet.

Nothing to do with what's advisable but with what's available. Will pam module on ssh/telnet server be able to handle a challenge and know what to do with it?

Ivan Kalik
Kalik Informatika ISP
Re: Access Challenge in freeRadius server
Thanks Ivan. Not sure how ssh/telnet will handle. But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.

Regards,
Dhandapani

Ivan Kalik wrote:
>> And also may I know why it is not advised to support Access Challenge for ssh or telnet.
>
> Nothing to do with what's advisable but with what's available. Will pam module on ssh/telnet server be able to handle a challenge and know what to do with it?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
Thanks Ivan. Not sure how ssh/telnet will handle. But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that. Also, does NAS need any installation to support Access-Challenge like CHAP?

Regards,
Dhandapani

Ivan Kalik wrote:
>> And also may I know why it is not advised to support Access Challenge for ssh or telnet.
>
> Nothing to do with what's advisable but with what's available. Will pam module on ssh/telnet server be able to handle a challenge and know what to do with it?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
> Not sure how ssh/telnet will handle.

That depends on your pam radius module. I believe freeradius hosted module can handle it. Don't know for others.

> But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.

Why? Server already knows its RSA key. This has nothing to do with user authentication.

> Also, does NAS need any installation to support Access-Challenge like CHAP?

It needs pam module that supports it. BTW chap doesn't have Access-Challenge in the authentication process. Nor mschap.

Ivan Kalik
Kalik Informatika ISP
RE: Access-Challenge authentication via both LDAP and SecurID
Thanks Alan for the quick responses. We will look for other solutions in the meantime.

Thanks,
Amy
Re: Access-Challenge authentication via both LDAP and SecurID
Amy Hawke wrote:
> Both the LDAP authentication and proxying to RSA are working properly. To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP.

That won't work. Can you say what you're trying to do? What NAS equipment are you using?

> Can the Access-Accept be changed to an Access-Challenge?

Not right now.

Alan DeKok.
RE: Access-Challenge authentication via both LDAP and SecurID
> Both the LDAP authentication and proxying to RSA are working properly. To get the two working together ..

you need a two factor authentication manager. Freeradius isn't one. I don't know of any open source ones.

Ivan Kalik
Kalik Informatika ISP
RE: Access-Challenge authentication via both LDAP and SecurID
> Can you say what you're trying to do? What NAS equipment are you using?

We would like to get two factor authentication working using the username/password from our current LDAP directories and then username/RSA token code. The RSA product is unable to connect to our current directories, so if possible we would like to perform the first step using FreeRADIUS and then proxy the second part of the request through to the RSA Authentication manager. It is for a VPN setup utilising CISCO ASA5550.

Thanks,
Amy
Re: Access-Challenge authentication via both LDAP and SecurID
Amy Hawke wrote:
> We would like to get two factor authentication working using the username/password from our current LDAP directories and then username/RSA token code.

That will likely *not* work. The NAS has to support this behavior, and usually doesn't.

> The RSA product is unable to connect to our current directories, so if possible we would like to perform the first step using FreeRADIUS and then proxy the second part of the request through to the RSA Authentication manager.

We're currently working to get FreeRADIUS integrated with the RSA token libraries. There are licensing restrictions, so the resulting code will likely not be part of the official release. But it should be available.

Alan DeKok.
RE: Access-Challenge authentication via both LDAP and SecurID
Both the LDAP authentication and proxying to RSA are working properly. To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP.

    if (NAS-IP-Address == 10.0.0.1) {
        update control {
            Response-Packet-Type := Access-Challenge
        }
        updated
    }

After the authentication is performed further attributes have been added.

    if (NAS-IP-Address == 10.0.0.1) {
        update reply {
            Packet-Type := Access-Challenge
            State := 1
            Reply-Message := "Token Code"
        }
        ok
    }

This gives the following reply.

    Packet-Type = Access-Accept
    Packet-Type = Access-Challenge
    State = 0x31
    Reply-Message = "Token Code"

The following is the debug output:

    ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    users: Matched entry DEFAULT at line 193
    ++[files] returns ok
    ++? if (NAS-IP-Address == 10.0.0.1)
    ? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++? if (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++- entering if (NAS-IP-Address == 10.0.0.1)
    +++[control] returns ok
    +++[updated] returns updated
    ++- if (NAS-IP-Address == 10.0.0.1) returns updated
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for bob
    WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bob)
    expand: ou=people,... -> ou=people,...
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=people,..., with filter (uid=bob)
    rlm_ldap: Added the eDirectory password password00 in check items as Cleartext-Password
    rlm_ldap: No default NMAS login sequence
    rlm_ldap: looking for check items in directory...
    rlm_ldap: LDAP attribute eduPersonPrincipalName as RADIUS attribute Principal-Name == bob
    rlm_ldap: LDAP attribute ...
    rlm_ldap: LDAP attribute ...
    rlm_ldap: LDAP attribute ...
    rlm_ldap: LDAP attribute ...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user bob authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (NAS-IP-Address == 10.0.0.1)
    ? Evaluating (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++? if (NAS-IP-Address == 10.0.0.1) -> TRUE
    ++- entering if (NAS-IP-Address == 10.0.0.1)
    +++[reply] returns ok
    +++[ok] returns ok
    ++- if (NAS-IP-Address == 10.0.0.1) returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop

Can the Access-Accept be changed to an Access-Challenge?

Thanks
RE: Access-Challenge with Avaya
Nobody can help me?

-
Romain Mercier
-
Network and security technician
Université d'Angers - CRI
Systems and Networks Department
40 rue de Rennes
49035 Angers Cedex - France

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ius.org] On behalf of Romain Mercier
Sent: Tuesday 13 March 2007 12:10
To: 'FreeRadius users mailing list'
Subject: Access-Challenge with Avaya

Hello !

I am having troubles with Avaya P334T switch. I am trying to authenticate users directly connected to ports of the switch. I have configured the switch well I think because the access-request is sent to the radius but then the radius sends an access-challenge to the switch and nothing is done after. There is no answer from the switch and the user cannot access the network but it is not rejected by the radius.

I think the problem comes from the switch because authentication on a wireless access-point connected on this switch works fine.

Did anybody encounter the same problem? Any idea?

Thanks for your help

-
Romain Mercier
-
Network and security technician
Université d'Angers - CRI
Systems and Networks Department
40 rue de Rennes
49035 Angers Cedex - France
RE: Access-challenge attributes
Many thanks Alan.

D/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Tuesday 22 November 2005 20:23
To: FreeRadius users mailing list
Subject: Re: Access-challenge attributes

MINODIER David RD-RESA-LAN [EMAIL PROTECTED] wrote:
> Is it normal that the attributes contained in the access-accept packet are also contained in the Access-Challenge packets sent by Freeradius ?

Yes, it can be considered a bug.

> Is there a way to force Freeradius to return the attributes associated to the user in the access-accept packet only ?

Not really. This should be fixed in the next major revision of the server.

Alan DeKok.
Re: Access-challenge attributes
MINODIER David RD-RESA-LAN [EMAIL PROTECTED] wrote:
> Is it normal that the attributes contained in the access-accept packet are also contained in the Access-Challenge packets sent by Freeradius ?

Yes, it can be considered a bug.

> Is there a way to force Freeradius to return the attributes associated to the user in the access-accept packet only ?

Not really. This should be fixed in the next major revision of the server.

Alan DeKok.
Re: access-challenge
Thanks Alan. Would you please answer another question in-line below.

Alan DeKok wrote:
> Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
>> 1. Will FreeRadius challenge with access-challenge if auth-type is PAP?
>
> No. Read the RFC's for how PAP works.
>
>> 2. How does FreeRadius understand whether an incoming Radius access-request packet contains PAP authentication information, CHAP authentication information, MS-CHAP authentication information or other authentication information?
>
> It looks in the packets.

I think if the access-request packet contains a user-password attribute, FreeRadius authenticates with PAP. If the access-request packet contains a chap-password attribute, FreeRadius authenticates with CHAP. Am I correct? How are MS-CHAP and other authentication methods identified from the access-request by FreeRadius?

> Alan DeKok.

--
Thanks
Regards
Srinivasa Rao Chigurupati
Re: access-challenge
Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
> I think if the access-request packet contains a user-password attribute, FreeRadius authenticates with PAP. If the access-request packet contains a chap-password attribute, FreeRadius authenticates with CHAP. Am I correct? How are MS-CHAP and other authentication methods identified from the access-request by FreeRadius?

That information is in the packet.

Alan DeKok.
Re: access-challenge
Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
> 1. Will FreeRadius challenge with access-challenge if auth-type is PAP?

No. Read the RFC's for how PAP works.

> 2. How does FreeRadius understand whether an incoming Radius access-request packet contains PAP authentication information, CHAP authentication information, MS-CHAP authentication information or other authentication information?

It looks in the packets.

Alan DeKok.
Re: Access-Challenge
Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
> What are the different authentication methods requiring Access-Challenge supported by freeRadius? Can anyone give at least one real time example where Access-Challenge is seen?

Look on google for Access-Challenge.

Alan DeKok.
Re: Access-Challenge
Hi Alan,

Thanks for the reply. Thanks to all members of this group for great support to other members.

What are the different authentication methods requiring Access-Challenge supported by freeRadius? Can anyone give at least one real-time example where Access-Challenge is seen?

Alan DeKok wrote:
> Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
>> When will the Radius Server challenge with an Access-Challenge packet during authentication? Does it depend on any configuration?
>
> It depends on the authentication method used. Some require Access-Challenge, so FreeRADIUS implements it. Some don't require Access-Challenge, so FreeRADIUS doesn't implement it.
>
> Alan DeKok.

--
Thanks Regards
Srinivasa Rao Chigurupati
Re: Access-Challenge
Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
> When will the Radius Server challenge with an Access-Challenge packet during authentication? Does it depend on any configuration?

It depends on the authentication method used. Some require Access-Challenge, so FreeRADIUS implements it. Some don't require Access-Challenge, so FreeRADIUS doesn't implement it.

Alan DeKok.
RE: access-challenge question
Ok, I will look elsewhere for client info. But what about my server question? In freeradius, how do I set the RADIUS packet code to 11, so that when a client contacts the server an access-challenge will be issued? Can you help me with the correct syntax? I assume it is done in the users file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, November 03, 2004 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: access-challenge question

Matt [EMAIL PROTECTED] wrote:
> First, I am new to the RADIUS protocol, and appreciate your help. I'm working with a python web-interface and a remote server running freeradius-current. Using the web-interface, I'm trying to get the client to print very verbose information about the transaction with the server (as verbose as possible).

I suggest asking the authors of the python code how to get debugging information from the client. This has nothing to do with FreeRADIUS.

> I believe I need to print more detail about the client side.

So... fix the client, or ask the people who wrote the client to fix it.

> Any advice on getting more verbose/complete output from the client side is much appreciated.

Ask the people who wrote the client. Don't ask here, I doubt anyone here can help you.

Alan DeKok.
Re: access-challenge question
Matt [EMAIL PROTECTED] wrote:
> Ok, I will look elsewhere for client info. But what about my server question? In freeradius, how do I set the RADIUS packet code to 11?

If you're trying to send a challenge for the same reasons as your last message, the answer is you're wasting your time. Access-Challenge doesn't work that way.

If you want to challenge the client as part of an authentication protocol, the answer is that the protocol is already supported in FreeRADIUS, and you don't have to do anything additional to make the server send challenges.

If you're trying to write your own authentication protocol using Access-Challenge, then I suggest discussing that, first. Once the protocol is designed correctly, then you can configure the server to use it.

Alan DeKok.
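Two points in this thread become much clearer with a packet in hand: Alan's "it looks in the packets" answer to how FreeRADIUS tells PAP from CHAP from MS-CHAP, and his point above that code 11 is simply the Access-Challenge packet code the server emits as part of a challenge-based method, not a value one sets in the users file. The following is an added example, not code from the thread or from FreeRADIUS itself. It builds a few constructed RADIUS packets, parses the header and attribute list, and names the authentication method from the attributes present (User-Password for PAP, CHAP-Password for CHAP, the Microsoft vendor-specific MS-CHAP-Challenge plus MS-CHAP-Response or MS-CHAP2-Response for MS-CHAP, EAP-Message for EAP). It goes a little beyond the posts by covering the MS-CHAP and EAP cases the asker wondered about. Packet codes and attribute numbers are the standard ones from RFC 2865, RFC 2869 and RFC 2548; the user names, shared authenticator and State value are made up for the example, and the password and response fields are zero-filled placeholders rather than real encodings.

```python
import struct

# RADIUS packet codes (RFC 2865, section 3). Code 11 is Access-Challenge.
PACKET_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Attribute types (RFC 2865, RFC 2869) and Microsoft VSA sub-types (RFC 2548).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, REPLY_MESSAGE = 1, 2, 3, 18
STATE, VENDOR_SPECIFIC, CHAP_CHALLENGE, EAP_MESSAGE = 24, 26, 60, 79
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25


def build_packet(code, ident, authenticator, attrs):
    """Encode a RADIUS packet. attrs holds (type, value) tuples or, for
    vendor-specific attributes, (26, vendor_id, vendor_type, value)."""
    body = b""
    for attr in attrs:
        if attr[0] == VENDOR_SPECIFIC:
            _, vendor_id, vtype, value = attr
            payload = struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value
            body += struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload
        else:
            atype, value = attr
            body += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Decode header and attributes, rejecting malformed length fields.
    Returns (code, ident, authenticator, attrs) in the build_packet shape."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or vlen > len(value) - 4:
                raise ValueError("bad vendor sub-attribute length")
            attrs.append((VENDOR_SPECIFIC, vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, authenticator, attrs


def classify_auth(attrs):
    """Name the method an Access-Request carries, judged from its attributes alone."""
    plain = {a[0] for a in attrs if a[0] != VENDOR_SPECIFIC}
    ms = {a[2] for a in attrs if a[0] == VENDOR_SPECIFIC and a[1] == VENDOR_MICROSOFT}
    if EAP_MESSAGE in plain:
        return "EAP"
    if MS_CHAP_CHALLENGE in ms and MS_CHAP2_RESPONSE in ms:
        return "MS-CHAPv2"
    if MS_CHAP_CHALLENGE in ms and MS_CHAP_RESPONSE in ms:
        return "MS-CHAPv1"
    if CHAP_PASSWORD in plain:
        return "CHAP"
    if USER_PASSWORD in plain:
        return "PAP"
    return "unknown"


def describe(data):
    """One-line summary: packet type, identifier and (for requests) the method."""
    code, ident, _, attrs = parse_packet(data)
    name = PACKET_CODES.get(code, f"code {code}")
    if code == 1:
        return f"{name} id={ident} auth={classify_auth(attrs)}"
    return f"{name} id={ident}"


# Constructed sample packets (not captured traffic); secrets are zero-filled.
AUTHENTICATOR = bytes(range(16))
PAP_REQUEST = build_packet(1, 7, AUTHENTICATOR,
                           [(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16))])
CHAP_REQUEST = build_packet(1, 8, AUTHENTICATOR,
                            [(USER_NAME, b"bob"), (CHAP_PASSWORD, b"\x01" + bytes(16)),
                             (CHAP_CHALLENGE, bytes(16))])
MSCHAP2_REQUEST = build_packet(1, 9, AUTHENTICATOR,
                               [(USER_NAME, b"carol"),
                                (VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, bytes(16)),
                                (VENDOR_SPECIFIC, VENDOR_MICROSOFT, MS_CHAP2_RESPONSE, bytes(50))])
# What a challenge-based method makes the server send back: code 11 plus State.
CHALLENGE_REPLY = build_packet(11, 9, AUTHENTICATOR,
                               [(STATE, b"session-1"), (REPLY_MESSAGE, b"Enter token")])

if __name__ == "__main__":
    for pkt in (PAP_REQUEST, CHAP_REQUEST, MSCHAP2_REQUEST, CHALLENGE_REPLY):
        print(describe(pkt))
```

The server never decides "PAP" from configuration; the presence of User-Password versus CHAP-Password versus the Microsoft VSAs is the whole signal, which is why the asker's guess was right for PAP and CHAP. The Access-Challenge is likewise produced by the method's own state machine once a request for a challenge-based method arrives, carrying a State attribute the NAS must echo in the next Access-Request.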
Re: access-challenge question
Matt [EMAIL PROTECTED] wrote:
> First, I am new to the RADIUS protocol, and appreciate your help. I'm working with a python web-interface and a remote server running freeradius-current. Using the web-interface, I'm trying to get the client to print very verbose information about the transaction with the server (as verbose as possible).

I suggest asking the authors of the python code how to get debugging information from the client. This has nothing to do with FreeRADIUS.

> I believe I need to print more detail about the client side.

So... fix the client, or ask the people who wrote the client to fix it.

> Any advice on getting more verbose/complete output from the client side is much appreciated.

Ask the people who wrote the client. Don't ask here, I doubt anyone here can help you.

Alan DeKok.