Re: Response-Packet-Type == Access-Challenge
On 7 Aug 2013, at 09:35, Olivier Beytrison wrote:

> On 07.08.2013 08:51, Dominique Frise wrote:
>> Did a fresh install from
>> http://github.com/FreeRADIUS/freeradius-server/tree/v2.x.x
>>
>> ./radiusd -v
>> radiusd: FreeRADIUS Version 2.2.1 (git #12be9f6), for host
>> x86_64-unknown-linux-gnu, built on Aug 6 2013 at 21:51:33
>> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License.
>> For more information about these matters, see the file named COPYRIGHT.
>>
>> But still no luck :-(
>> -
>> rad_recv: Access-Challenge packet from host X.X.X.X port 1812, id=101, length=49
>>     Reply-Message = "Enter OTP:"
>>     State = 0x38373131
>>     Prompt = No-Echo
>>     Proxy-State = 0x313039
>> # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
>> +- entering group post-proxy {...}
>> [eap] No pre-existing handler found
>> ++[eap] returns noop
>> ++? if (Response-Packet-Type == Access-Challenge)
>> ? Evaluating (Response-Packet-Type == Access-Challenge) -> FALSE
>> --
>
> I made myself a test with the latest git HEAD (3.0) and indeed, this
> also doesn't work. I'll have a look at it and see why it doesn't call
> the paircmp callback.

Because pair comparisons don't work in evaluated conditions currently.

Arran Cudbard-Bell
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Response-Packet-Type == Access-Challenge
On 07.08.2013 08:51, Dominique Frise wrote:
> Did a fresh install from
> http://github.com/FreeRADIUS/freeradius-server/tree/v2.x.x
>
> ./radiusd -v
> radiusd: FreeRADIUS Version 2.2.1 (git #12be9f6), for host
> x86_64-unknown-linux-gnu, built on Aug 6 2013 at 21:51:33
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
>
> But still no luck :-(
> -
> rad_recv: Access-Challenge packet from host X.X.X.X port 1812, id=101, length=49
>     Reply-Message = "Enter OTP:"
>     State = 0x38373131
>     Prompt = No-Echo
>     Proxy-State = 0x313039
> # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-proxy {...}
> [eap] No pre-existing handler found
> ++[eap] returns noop
> ++? if (Response-Packet-Type == Access-Challenge)
> ? Evaluating (Response-Packet-Type == Access-Challenge) -> FALSE
> --

I made myself a test with the latest git HEAD (3.0) and indeed, this
also doesn't work. I'll have a look at it and see why it doesn't call
the paircmp callback.

Olivier

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: Response-Packet-Type == Access-Challenge
On 7 Aug 2013, at 07:51, Dominique Frise wrote:

> On 08/06/2013 05:29 PM, Alan DeKok wrote:
>> Dominique Frise wrote:
>>> Is there any other flag/function that would indicate that an
>>> Access-Challenge packet was received from the NAS?
>>
>> A NAS will NEVER send an Access-Challenge to the server.
>>
>> A proxy will receive an Access-Challenge from a home server. As was
>> said, you need the latest code from the GIT to use that feature.
>>
>> Alan DeKok.
>
> Did a fresh install from
> http://github.com/FreeRADIUS/freeradius-server/tree/v2.x.x
>
> ./radiusd -v
> radiusd: FreeRADIUS Version 2.2.1 (git #12be9f6), for host
> x86_64-unknown-linux-gnu, built on Aug 6 2013 at 21:51:33
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
>
> But still no luck :-(
> -
> rad_recv: Access-Challenge packet from host X.X.X.X port 1812, id=101, length=49
>     Reply-Message = "Enter OTP:"
>     State = 0x38373131
>     Prompt = No-Echo
>     Proxy-State = 0x313039
> # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group post-proxy {...}
> [eap] No pre-existing handler found
> ++[eap] returns noop
> ++? if (Response-Packet-Type == Access-Challenge)
> ? Evaluating (Response-Packet-Type == Access-Challenge) -> FALSE
> --

Hmm ok. I thought this was fixed at the same time we allowed modification
of Response-Packet-Type. I'll have a look at it.

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Response-Packet-Type == Access-Challenge
On 08/06/2013 05:29 PM, Alan DeKok wrote:
> Dominique Frise wrote:
>> Is there any other flag/function that would indicate that an
>> Access-Challenge packet was received from the NAS?
>
> A NAS will NEVER send an Access-Challenge to the server.
>
> A proxy will receive an Access-Challenge from a home server. As was
> said, you need the latest code from the GIT to use that feature.
>
> Alan DeKok.

Did a fresh install from
http://github.com/FreeRADIUS/freeradius-server/tree/v2.x.x

./radiusd -v
radiusd: FreeRADIUS Version 2.2.1 (git #12be9f6), for host
x86_64-unknown-linux-gnu, built on Aug 6 2013 at 21:51:33
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

But still no luck :-(
-
rad_recv: Access-Challenge packet from host X.X.X.X port 1812, id=101, length=49
    Reply-Message = "Enter OTP:"
    State = 0x38373131
    Prompt = No-Echo
    Proxy-State = 0x313039
# Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
++? if (Response-Packet-Type == Access-Challenge)
? Evaluating (Response-Packet-Type == Access-Challenge) -> FALSE
--

Any other idea?

Dominique
Re: Response-Packet-Type == Access-Challenge
On 08/06/2013 05:29 PM, Alan DeKok wrote:
> Dominique Frise wrote:
>> Is there any other flag/function that would indicate that an
>> Access-Challenge packet was received from the NAS?
>
> A NAS will NEVER send an Access-Challenge to the server.
>
> A proxy will receive an Access-Challenge from a home server. As was
> said, you need the latest code from the GIT to use that feature.
>
> Alan DeKok.

Yeah, sorry about this mistake. I actually meant the home server. ;-)
I will then compile fresh code.

Thanks for your help,
Dominique
Re: Response-Packet-Type == Access-Challenge
On 6 Aug 2013, at 16:38, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> Is there any other flag/function that would indicate that an
>> Access-Challenge packet was received from the NAS?
>
> don't know.. I have the following on a 2.2.0 box in the authenticate section:
>
> if (handled && (Response-Packet-Type == Access-Challenge)) {
>     attr_filter.access_challenge.post-auth
>     handled  # override the "updated" code from attr_filter
> }

Right, but you're not attempting to change this in Post-Proxy which is a
different code path, and was not allowed for philosophical reasons before
2.2.x.

-Arran

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Response-Packet-Type == Access-Challenge
Hi,

> Is there any other flag/function that would indicate that an
> Access-Challenge packet was received from the NAS?

don't know.. I have the following on a 2.2.0 box in the authenticate section:

if (handled && (Response-Packet-Type == Access-Challenge)) {
    attr_filter.access_challenge.post-auth
    handled  # override the "updated" code from attr_filter
}

note the (Response-Packet-Type == Access-Challenge) bit. what does your
debug show you?

alan
Re: Response-Packet-Type == Access-Challenge
Dominique Frise wrote:
> Is there any other flag/function that would indicate that an
> Access-Challenge packet was received from the NAS?

A NAS will NEVER send an Access-Challenge to the server.

A proxy will receive an Access-Challenge from a home server. As was
said, you need the latest code from the GIT to use that feature.

Alan DeKok.
Re: Response-Packet-Type == Access-Challenge
On 08/06/2013 03:36 PM, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64.
>> Should this version support it or not?
>
> no, it won't support it. you need the latest code from the GIT to use
> that feature.
>
> alan

Is there any other flag/function that would indicate that an
Access-Challenge packet was received from the NAS?

Dominique
Re: Response-Packet-Type == Access-Challenge
Hi,

> I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64.
> Should this version support it or not?

no, it won't support it. you need the latest code from the GIT to use
that feature.

alan
Re: Response-Packet-Type == Access-Challenge
On 6 Aug 2013, at 13:20, Dominique Frise wrote:

> On 08/06/2013 01:55 PM, Arran Cudbard-Bell wrote:
>>
>> On 6 Aug 2013, at 12:35, Dominique Frise wrote:
>>
>>> Hi,
>>>
>>> I have no luck with testing the Response-Packet-Type in the post-proxy
>>> section, after "rad_recv: Access-Challenge packet..."
>>>
>>> Something like :
>>>
>>> post-proxy {
>>>     ...
>>>     if (Response-Packet-Type == Access-Challenge) {
>>>         ...
>>>     }
>>>     ...
>>> }
>>>
>>> What am I doing wrong?
>>
>> Nothing. That's not officially supported. You may find it works in 2.x.x
>> HEAD though :)
>>
>> Arran Cudbard-Bell
>> FreeRADIUS Development Team
>
> Thanks Arran,
>
> I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64. Should
> this version support it or not?

No.

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Response-Packet-Type == Access-Challenge
On 08/06/2013 01:55 PM, Arran Cudbard-Bell wrote:
> On 6 Aug 2013, at 12:35, Dominique Frise wrote:
>
>> Hi,
>>
>> I have no luck with testing the Response-Packet-Type in the post-proxy
>> section, after "rad_recv: Access-Challenge packet..."
>>
>> Something like :
>>
>> post-proxy {
>>     ...
>>     if (Response-Packet-Type == Access-Challenge) {
>>         ...
>>     }
>>     ...
>> }
>>
>> What am I doing wrong?
>
> Nothing. That's not officially supported. You may find it works in 2.x.x
> HEAD though :)
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team

Thanks Arran,

I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64. Should
this version support it or not?

Dominique
Re: Response-Packet-Type == Access-Challenge
On 6 Aug 2013, at 12:35, Dominique Frise wrote:

> Hi,
>
> I have no luck with testing the Response-Packet-Type in the post-proxy
> section, after "rad_recv: Access-Challenge packet..."
>
> Something like :
>
> post-proxy {
>     ...
>     if (Response-Packet-Type == Access-Challenge) {
>         ...
>     }
>     ...
> }
>
> What am I doing wrong?

Nothing. That's not officially supported. You may find it works in 2.x.x
HEAD though :)

Arran Cudbard-Bell
FreeRADIUS Development Team
Response-Packet-Type == Access-Challenge
Hi,

I have no luck with testing the Response-Packet-Type in the post-proxy
section, after "rad_recv: Access-Challenge packet..."

Something like :

post-proxy {
    ...
    if (Response-Packet-Type == Access-Challenge) {
        ...
    }
    ...
}

What am I doing wrong?

Dominique
Re: Access-challenge timeout on IOS
On 4 Jul 2013, at 22:32, David Mitton wrote:

> Oh for sure...
> I used Cisco 1200s @ RSA and the Windows EAP interfaces
>
> I was always fighting with the system timing out the authentication before a
> user would type in a token code. This frequently takes a minute or more,
> because people have to get their token, often they wait for the code to
> change, so they have a minute to read it, then type it in...
>
> On Windows 7, we had more problems, so I decided to explore some not well
> understood options of the EAP interface. There was an option that was
> supposed to take 60 seconds (so their Tech support told me). I tried it.
>
> It failed so quickly my head was spinning. I got out Wireshark and traced
> the protocol. When this option was selected, the MS EAP/RADIUS client sent
> a Session-Timeout value of 6! That AP killed the session faster than you
> could type a character. Removing the option, the value Windows sends is 60.
>
> If you google hard you will find that some versions of Cisco APs have a
> command line option to ignore the attribute and allow you to specify your
> own value.
> Mine honored the command, but did not have it in the Management GUI.
>
> I believe the "new" Windows EAPhost API now allows the EAP developer to set
> this value. But there are other 1 minute timers hardwired into the Windows
> EAP interface that I had to work around.

Lower levels will time out authentication way before you hit the one minute
mark. 15 seconds is the default on most NAS, and then you'll have to tune
FreeRADIUS so it doesn't clear out its EAP session cache.

Just don't use this stuff for 802.1X. Web portals fine, email fine, just not
anything to do with EAP, it won't work well.

Most devices have support for client certificates, use those instead, they're
just as easy to revoke as tokens, and you'll piss the end user off a hell of
a lot less.

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Access-challenge timeout on IOS
Oh for sure...
I used Cisco 1200s @ RSA and the Windows EAP interfaces

I was always fighting with the system timing out the authentication before a
user would type in a token code. This frequently takes a minute or more,
because people have to get their token, often they wait for the code to
change, so they have a minute to read it, then type it in...

On Windows 7, we had more problems, so I decided to explore some not well
understood options of the EAP interface. There was an option that was
supposed to take 60 seconds (so their Tech support told me). I tried it.

It failed so quickly my head was spinning. I got out Wireshark and traced
the protocol. When this option was selected, the MS EAP/RADIUS client sent
a Session-Timeout value of 6! That AP killed the session faster than you
could type a character. Removing the option, the value Windows sends is 60.

If you google hard you will find that some versions of Cisco APs have a
command line option to ignore the attribute and allow you to specify your
own value.
Mine honored the command, but did not have it in the Management GUI.

I believe the "new" Windows EAPhost API now allows the EAP developer to set
this value. But there are other 1 minute timers hardwired into the Windows
EAP interface that I had to work around.

Dave.

Quoting Phil Mayers :

> On 04/07/13 14:34, David Mitton wrote:
>> Quoting Phil Mayers :
>>
>>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>>> Hi,
>>>>
>>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco
>>>> docs but neither of these seem to be what I'm after.
>>>
>>> Neither are relevant; they're for established sessions, not timeouts in
>>> *establishing* one.
>>
>> Actually, that is incorrect. Session-Timeout _is_ used to control the
>> authentication timeout, when in the initial AccReq. I'd quote the RFC,
>> but I'm not at home. The *-Timeouts in the Acc-Accept control the session.
>
> Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869. However - does any
> equipment actually *honour* this?
>
> Also, I note the wording is very loose indeed - no MUST.
RE: Access-challenge timeout on IOS
I'll give it a go. Thanks for the information guys.

The cisco attribute list says

    Session-Timeout : Sets the maximum number of seconds of service to be
    provided to the user before the session terminates. This attribute
    value becomes the per-user "absolute timeout."

Not that helpful, and why I discarded it as an option which might be useful.
Let's see..

Thanks
andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: 04 July 2013 15:28
To: freeradius-users@lists.freeradius.org
Subject: Re: Access-challenge timeout on IOS

On 04/07/13 14:34, David Mitton wrote:
> Quoting Phil Mayers :
>
>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>> Hi,
>>>
>>> Session-timeout and Idle-timeout are attributes mentioned by the
>>> cisco docs but neither of these seem to be what I'm after.
>>
>> Neither are relevant; they're for established sessions, not timeouts
>> in *establishing* one.
>
> Actually, that is incorrect. Session-Timeout _is_ used to control the
> authentication timeout, when in the initial AccReq. I'd quote the
> RFC, but I'm not at home. The *-Timeouts in the Acc-Accept control the
> session.

Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869. However - does any
equipment actually *honour* this?

Also, I note the wording is very loose indeed - no MUST.
Re: Access-challenge timeout on IOS
On 04/07/13 14:34, David Mitton wrote:
> Quoting Phil Mayers :
>
>> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>>> Hi,
>>>
>>> Session-timeout and Idle-timeout are attributes mentioned by the cisco
>>> docs but neither of these seem to be what I'm after.
>>
>> Neither are relevant; they're for established sessions, not timeouts in
>> *establishing* one.
>
> Actually, that is incorrect. Session-Timeout _is_ used to control the
> authentication timeout, when in the initial AccReq. I'd quote the RFC,
> but I'm not at home. The *-Timeouts in the Acc-Accept control the session.

Hmm, so it does; 5.27 of 2865 and 2.3.2 of 2869. However - does any
equipment actually *honour* this?

Also, I note the wording is very loose indeed - no MUST.
Re: Access-challenge timeout on IOS
Quoting Phil Mayers :

> On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
>> Hi,
>>
>> Session-timeout and Idle-timeout are attributes mentioned by the cisco
>> docs but neither of these seem to be what I'm after.
>
> Neither are relevant; they're for established sessions, not timeouts in
> *establishing* one.

Actually, that is incorrect. Session-Timeout _is_ used to control the
authentication timeout, when in the initial AccReq. I'd quote the RFC,
but I'm not at home. The *-Timeouts in the Acc-Accept control the session.

Some models/versions of Cisco APs cause me no end of grief getting timeouts
long enough for users to enter their RSA token values. They use it to abort
the session, when they should just retry.

Dave.
Re: Access-challenge timeout on IOS
Hi,

> waits a long time until timing out waiting for user input. I'd like to
> also discover how other NAS's behave using this and have found the timeout
> on a particular cisco 1131 access point to be quite short.

most NAS devices have configurable options for their RADIUS/EAP timers.
note that you will need to adjust RADIUS server too - as the server also
has its own timeout/clear-up timers

> Session-timeout and Idle-timeout are attributes mentioned by the cisco
> docs but neither of these seem to be what I'm after.

they control the end clients, not the RADIUS clients (the NAS)

alan
Re: Access-challenge timeout on IOS
On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>   I'm experimenting with a system involving an access-challenge to a NAS.
> It works fine with FR so far on, say, the cisco ipsec vpn client, which
> waits a long time until timing out waiting for user input. I'd like to
> also discover how other NAS's behave using this and have found the timeout
> on a particular cisco 1131 access point to be quite short.
> Does anyone know if there's a radius attribute I can send that will

Not as far as I know.

> extend this timeout, or an internal setting that will change the default
> on the ap?

Maybe. This usually depends on link-layer timers, e.g. EAPOL timeouts,
IPSec/IKE timeouts, etc. rather than anything radius-related.

> Session-timeout and Idle-timeout are attributes mentioned by the cisco
> docs but neither of these seem to be what I'm after.

Neither are relevant; they're for established sessions, not timeouts in
*establishing* one.
Access-challenge timeout on IOS
Hi,
  I'm experimenting with a system involving an access-challenge to a NAS. It
works fine with FR so far on, say, the cisco ipsec vpn client, which waits a
long time until timing out waiting for user input. I'd like to also discover
how other NAS's behave using this and have found the timeout on a particular
cisco 1131 access point to be quite short.
Does anyone know if there's a radius attribute I can send that will extend
this timeout, or an internal setting that will change the default on the ap?
Session-timeout and Idle-timeout are attributes mentioned by the cisco docs
but neither of these seem to be what I'm after.

Thanks
Andy
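Added example, not code from any post in these threads or from FreeRADIUS itself: a small Python encoder/validator for the Access-Challenge shown in Dominique's debug output above (id 101, 49 bytes, Reply-Message/State/Prompt/Proxy-State), optionally carrying the Session-Timeout attribute the timeout thread discusses (RFC 2865 section 5.27). It also does the check a proxy should do before acting on a home-server reply: verify the Response Authenticator. REQUEST_AUTH and SECRET are constructed placeholders and every function name is an assumption.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes used here (RFC 2865 section 3).
ACCESS_ACCEPT = 2
ACCESS_CHALLENGE = 11

# Attribute types seen on this page (RFC 2865 section 5, RFC 2869 section 5).
REPLY_MESSAGE = 18
STATE = 24
SESSION_TIMEOUT = 27
PROXY_STATE = 33
PROMPT = 76
PROMPT_NO_ECHO = 0  # RFC 2869 section 5.10: 0 = No-Echo, 1 = Echo

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

# Constructed test values (not from the thread): the 16-byte Request Authenticator
# the proxy sent in its Access-Request, and a placeholder shared secret.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs; ints become 4-byte big-endian."""
    out = bytearray()
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Walk the TLV list, rejecting a Length below 2 or one that runs past the packet."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


def build_reply(code, ident, request_auth, secret, attrs):
    """Assemble a reply packet with a valid Response Authenticator."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def otp_challenge(ident, request_auth, secret, session_timeout=None):
    """The Access-Challenge from Dominique's debug output; session_timeout adds
    Session-Timeout, which RFC 2865 section 5.27 allows in a challenge."""
    attrs = [
        (REPLY_MESSAGE, "Enter OTP:"),
        (STATE, bytes.fromhex("38373131")),
        (PROMPT, PROMPT_NO_ECHO),
        (PROXY_STATE, bytes.fromhex("313039")),
    ]
    if session_timeout is not None:
        attrs.append((SESSION_TIMEOUT, session_timeout))
    return build_reply(ACCESS_CHALLENGE, ident, request_auth, secret, attrs)


def parse_reply(packet, request_auth, secret):
    """Verify Length and Response Authenticator before trusting the reply's code."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    body = packet[HEADER.size:]
    expected = response_authenticator(code, ident, body, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return code, ident, decode_attrs(body)


def is_access_challenge(packet, request_auth, secret):
    """The post-proxy test the first thread wanted, on the wire format: True only
    for a reply that verifies and carries code 11; unverifiable replies are dropped."""
    try:
        code, _ident, _attrs = parse_reply(packet, request_auth, secret)
    except ValueError:
        return False
    return code == ACCESS_CHALLENGE


def session_timeout_of(attrs):
    """Session-Timeout in seconds from a decoded attribute list, or None."""
    for atype, value in attrs:
        if atype == SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None
```

Building the challenge without Session-Timeout reproduces the 49-byte length in the debug output; adding it makes the packet 55 bytes.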
Re: EAP post auth reject and access-challenge
On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote:
> I'm also doing some stuff in the authorization section which can reject
> a user based on some ldap information. I thought I could perhaps just
> update the default tunnel post-auth reject section to not do a linelog
> if auth-type has been set to EAP but it doesn't work when clients are
> rejected in this ldap section; the EAP auth-type is set but it never
> authenticates as the reject is triggered first, and so a linelog would
> never be recorded in the inner tunnel post auth reject section. I hope
> that's not too confusing, it's hard to explain.

Sorry, I didn't understand that last part.

There are a bunch of different ways of solving the "logging twice" if
that's the problem you're trying to solve. The easiest is to just not care
- we have a similar logging system and log both the inner and outer
rejects. Our log "inspection" script shows both, and we just look at the
relevant one.

Note that EAP sessions can fail in ways that never trigger the inner
tunnel, but do set Module-Failure-Message, so you can't just "not log
outer" and hope to catch all relevant debugging. You can also have inner
accepts with outer rejects (e.g. if the client fails mutual auth) so again,
logging just one will miss info.

Without knowing what you're trying to accomplish and what your criteria
are, I couldn't comment further - logging is a very individual thing that
people have different ideas about. But my advice would be to solve this by
post-processing the data, not by having extensive logic in your FR config.
RE: EAP post auth reject and access-challenge
Hi,
  I have a setup that just does admin logins for NAS equipment, some of it
presents via PAP and some of it peap/mschapv2. When the user is rejected I
do a linelog or sql insert, capturing a failure reason from each module.
Basically an EAP reject of a user creates two entries to the logging. I do
failure logging within the inner-tunnel VS as well as the default because I
wanted it to capture a failure reason to the line log based on the
module-failure-reason string, which is lost after the eap session rejects
and can't be seen in the default. As you commented in an email from last
week, updating the outer.control variable to try and pass
module-failure-reason doesn't work due to the access-challenge presenting a
new session.
I'm also doing some stuff in the authorization section which can reject a
user based on some ldap information. I thought I could perhaps just update
the default tunnel post-auth reject section to not do a linelog if auth-type
has been set to EAP but it doesn't work when clients are rejected in this
ldap section; the EAP auth-type is set but it never authenticates as the
reject is triggered first, and so a linelog would never be recorded in the
inner tunnel post auth reject section. I hope that's not too confusing, it's
hard to explain.

Thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: 10 June 2013 16:02
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP post auth reject and access-challenge

On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>
>   Just wondered if someone could explain the reason why, on rejection
> of EAP authentication, an access challenge request is sent out to the
> NAS, and whether it's something we can control or not?

I assume you're referring to the fact that the inner tunnel reject is sent
as an outer access-challenge?

The packet flow is this:

    C: Access-Request    EAP / TLS-setup
    S: Access-Challenge  EAP / TLS-setup
    ...
    C: Access-Request    EAP / TLS / inner access-request
    S: Access-Challenge  EAP / TLS / inner access-reject
    C: Access-Request    EAP / TLS [ack]
    S: Access-Reject     EAP / reject

Basically, the protocols send the inner reject as a TLS frame, so that the
client can't be tricked by a fake reject. The client then ACKs it, and the
server then sends the RADIUS-level reject.

So no, you can't turn it off - it's part of the protocol specifications.

Why is this a problem for you?
Re: EAP post auth reject and access-challenge
On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>   Just wondered if someone could explain the reason why, on rejection of
> EAP authentication, an access challenge request is sent out to the NAS,
> and whether it's something we can control or not?

I assume you're referring to the fact that the inner tunnel reject is sent
as an outer access-challenge?

The packet flow is this:

    C: Access-Request    EAP / TLS-setup
    S: Access-Challenge  EAP / TLS-setup
    ...
    C: Access-Request    EAP / TLS / inner access-request
    S: Access-Challenge  EAP / TLS / inner access-reject
    C: Access-Request    EAP / TLS [ack]
    S: Access-Reject     EAP / reject

Basically, the protocols send the inner reject as a TLS frame, so that the
client can't be tricked by a fake reject. The client then ACKs it, and the
server then sends the RADIUS-level reject.

So no, you can't turn it off - it's part of the protocol specifications.

Why is this a problem for you?
EAP post auth reject and access-challenge
Hi,
  Just wondered if someone could explain the reason why, on rejection of
EAP authentication, an access challenge request is sent out to the NAS, and
whether it's something we can control or not?

Thanks
Andy
Re: Need to change response type to Access-Challenge from rlm_perl
To answer my own question, I found that using the return code RLM_MODULE_OK
triggers the server to respond back with Access-Accept. If I used
RLM_MODULE_HANDLED instead, the response packet type was set to what I
expected it to be. This makes sense since I expect the client to exchange
several messages with me before I finally trigger the Access-Accept message.

On Mon, Feb 18, 2013 at 9:00 AM, Walter Goulet wrote:
> Hi,
>
> Looking through archives for this exact question, I see a post from 2008
> (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html)
> where this exact question was previously asked.
>
> Here is my server version info:
> radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu,
> built on Feb 17 2013 at 03:34:41
>
> Here's my code:
>
>     # Construct HTTP request
>     my $authresult = &authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
>     &radiusd::radlog(L_DBG, "Result after authamis call -> $authresult");
>
>     if ($authresult eq "true") {
>         $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
>         $RAD_REPLY{'Reply-Message'} = "authentication successful";
>         for (keys %RAD_REPLY) {
>             &radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
>         }
>         for (keys %RAD_CHECK) {
>             &radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
>         }
>         for (keys %RAD_CONFIG) {
>             &radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
>         }
>         return RLM_MODULE_OK;
>     }
>     else {
>         $RAD_REPLY{'Reply-Message'} = "authentication failure";
>         return RLM_MODULE_REJECT;
>     }
>
> Here is the relevant debug output:
>
> Found Auth-Type = perl
> # Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
> +- entering group perl {...}
> rlm_perl: RAD_REQUEST: User-Name = test
> rlm_perl: RAD_REQUEST: User-Password = 42594190
> rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
> rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
> rlm_perl: Result after authamis call -> true
> rlm_perl: RAD_REPLY: Reply-Message = authentication successful
> rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
> rlm_perl: RAD_CHECK: Auth-Type = perl
> rlm_perl: RAD_CONFIG: Auth-Type = perl
> rlm_perl: Added pair User-Name = test
> rlm_perl: Added pair User-Password = 42594190
> rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
> rlm_perl: Added pair Reply-Message = authentication successful
> rlm_perl: Added pair Response-Packet-Type = Access-Challenge
> rlm_perl: Added pair Auth-Type = perl
> ++[perl] returns ok
> # Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 81 to 192.168.65.1 port 53504
>     Reply-Message = "authentication successful"
> Finished request 0.
> Going to the next request
>
> Clearly the Access-Challenge setting is not being honored by the server.
> Is there another attribute that must be set to configure the response type?
>
> Thanks,
> Walter
Need to change response type to Access-Challenge from rlm_perl
Hi,

Looking through archives for this exact question, I see a post from 2008 (http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg47423.html) where this exact question was previously asked.

Here is my server version info:

    radiusd: FreeRADIUS Version 2.2.0, for host x86_64-unknown-linux-gnu, built on Feb 17 2013 at 03:34:41

Here's my code:

    # Construct HTTP request
    my $authresult = &authamis($RAD_REQUEST{'User-Name'}, $RAD_REQUEST{'User-Password'});
    &radiusd::radlog(L_DBG, "Result after authamis call -> $authresult");

    if ($authresult eq "true") {
        $RAD_CHECK{'Response-Packet-Type'} = "Access-Challenge";
        $RAD_REPLY{'Reply-Message'} = "authentication successful";
        for (keys %RAD_REPLY) {
            &radiusd::radlog(L_DBG, "RAD_REPLY: $_ = $RAD_REPLY{$_}");
        }
        for (keys %RAD_CHECK) {
            &radiusd::radlog(L_DBG, "RAD_CHECK: $_ = $RAD_CHECK{$_}");
        }
        for (keys %RAD_CONFIG) {
            &radiusd::radlog(L_DBG, "RAD_CONFIG: $_ = $RAD_CONFIG{$_}");
        }
        return RLM_MODULE_OK;
    }
    else {
        $RAD_REPLY{'Reply-Message'} = "authentication failure";
        return RLM_MODULE_REJECT;
    }

Here is the relevant debug output:

    Found Auth-Type = perl
    # Executing group from file /opt/app/freeradius/etc/raddb/sites-enabled/default
    +- entering group perl {...}
    rlm_perl: RAD_REQUEST: User-Name = test
    rlm_perl: RAD_REQUEST: User-Password = 42594190
    rlm_perl: RAD_REQUEST: NAS-IP-Address = 192.168.65.1
    rlm_perl: AMIS request: http://amis.jdt.com:8080/auth/authenticate/test/42594190
    rlm_perl: Result after authamis call -> true
    rlm_perl: RAD_REPLY: Reply-Message = authentication successful
    rlm_perl: RAD_CHECK: Response-Packet-Type = Access-Challenge
    rlm_perl: RAD_CHECK: Auth-Type = perl
    rlm_perl: RAD_CONFIG: Auth-Type = perl
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair User-Password = 42594190
    rlm_perl: Added pair NAS-IP-Address = 192.168.65.1
    rlm_perl: Added pair Reply-Message = authentication successful
    rlm_perl: Added pair Response-Packet-Type = Access-Challenge
    rlm_perl: Added pair Auth-Type = perl
    ++[perl] returns ok
    # Executing section post-auth from file /opt/app/freeradius/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 81 to 192.168.65.1 port 53504
        Reply-Message = "authentication successful"
    Finished request 0.
    Going to the next request

Clearly the Access-Challenge setting is not being honored by the server. Is there another attribute that must be set to configure the response type?

Thanks,
Walter
Logging Access-Challenge in detail log
Hi,

We're using 2.1.12. We require a full log of everything that gets sent between a controller and freeradius. We've configured detail.log, inner-tunnel and default to log authentications and replies which work for us, but is there any way to also log Access-Challenge? I've read some very old posts that haven't helped.

Thanks,
John.

--
John Carter
Identity Networks
jcar...@identitynetworks.com
Re: Generate Access-Challenge from radius server
Arpit Jain wrote:
> I need an access-challenge from radius server.

I don't care.

> What attributes should I send through radclient to generate
> access-challenge from radius server.

You already asked that. I already told you the answer.

> Is there any specific configuration on radius server to generate the
> access-challenge packet.

You already asked that. I already told you the answer.

If you don't understand my answer, ask a different question. If you don't like my answer, too bad. You can't do miracles with RADIUS simply by insisting you REALLY WANT something. Reality doesn't work that way.

Alan DeKok.
Re: Generate Access-Challenge from radius server
I need an access-challenge from radius server. What attributes should I send through radclient to generate access-challenge from radius server. Is there any specific configuration on radius server to generate the access-challenge packet.
Re: Generate Access-Challenge from radius server
Arpit Jain wrote:
> I want to generate Access-Challenge from radius server on Access-Request
> packet while using CHAP.

That's not how CHAP works.

> But server is not generating challenge packet for any of the
> Access-request, I am using radclient.

Because CHAP doesn't send Access-Challenge.

> Please tell the configurations to be done on the radius server as well
> as attributes to be sent in Access-Request through radclient, so that
> radius server can send Access-Challenge packet while replying
> Access-Request packet.

There is none. What you want to do is not part of standard RADIUS.

Alan DeKok.
Generate Access-Challenge from radius server
Hi,

I want to generate Access-Challenge from radius server on Access-Request packet while using CHAP. But server is not generating challenge packet for any of the Access-request, I am using radclient.

Please tell the configurations to be done on the radius server as well as attributes to be sent in Access-Request through radclient, so that radius server can send Access-Challenge packet while replying Access-Request packet.

I am executing the following command from radclient:

    radclient -x server-ip-address auth secretkey
    User-Name = "testuser"
    CHAP-Password = "testing"
    ctrl+d

Thanks,
Arpit
Re: Re: Re: EXEC Access-challenge
Ignore my stupidity. I figured it out... I'll make a wiki and make my script public.

Best regards
Thomas Raabo
Senior Network Engineer, CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: Re: Re: EXEC Access-challenge
Oops. The output was copy-pasted wrong.

Best regards
Thomas Raabo
Senior Network Engineer, CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: Re: Re: Re: EXEC Access-challenge
Thomas Raabo - Zitcom A/S wrote:
> The only thing missing to getting this working is getting the state number to
> the script.
...
> [ZOTP] expand: %{reply:State} ->

Are you sure it's in the reply?

Alan DeKok.
Re: Re: Re: EXEC Access-challenge
Thanks Phil... I'm close now. The only thing missing to getting this working is getting the state number to the script. On the second run after the challenge I don't get the state number passed..

    ++[logintime] returns noop
    [pap] Normalizing SHA-Password from hex encoding
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] returns noop
    [ZOTP] expand: %{User-Name} -> test2
    [ZOTP] expand: %{User-Password} -> test2
    [ZOTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2
    [ZOTP] expand: %{reply:Pin} -> 0201
    [ZOTP] expand: %{reply:Offset} -> 1
    [ZOTP] expand: %{reply:State} ->
    Exec-Program output: Reply-Message += "Enter OTP", State += "12160",
    Exec-Program-Wait: value-pairs: Reply-Message += "Enter OTP", State += "12160",
    Exec-Program: returned: 9
    ++[ZOTP] returns updated
    ++? if (updated)
    ? Evaluating (updated) -> TRUE
    ++? if (updated) -> TRUE
    ++- entering if (updated) {...}
    +++[control] returns updated
    +++[handled] returns handled
    ++- if (updated) returns handled
    Sending Access-Challenge of id 73 to 172.31.2.20 port 40108
        Reply-Message += "Enter OTP"
        State += 0x3132313630

Should I not be able to get it out with reply:State in the exec?

Best regards
Thomas Raabo
Senior Network Engineer, CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: Re: Re: EXEC Access-challenge
On 11/10/12 11:53, Thomas Raabo - Zitcom A/S wrote:
> How do you change the order of it, Phil?

You type things in the right order. As per my original email, do this:

    authorize {
        ...
        YOUR_EXEC_MODULE
        if (updated) {
            ...
        }
        ...
    }
Re: Re: EXEC Access-challenge
How do you change the order of it, Phil?

Best regards
Thomas Raabo
Senior Network Engineer, CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: Re: EXEC Access-challenge
On 11/10/12 10:57, Thomas Raabo - Zitcom A/S wrote:
> That seems like a way to go.
>
> But you're right... It's very hard to find documentation on this topic.

Sure. The assumption is that Access-Challenge methods are generated by auth method code in "rlm". It's a testament to how flexible the server is that you can *do* it in unlang/perl/etc. - but it's not well documented.

> Changed it and now
>
> it seems that the update check is checked way before the script.
>
> ++[sql] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Normalizing SHA-Password from hex encoding
> [pap] WARNING: Auth-Type already set. Not setting to PAP
> ++[pap] returns noop

I think this is in the wrong order. You've checked for "updated" before you've run the "exec" command.
Re: EXEC Access-challenge
That seems like a way to go.

But you're right... It's very hard to find documentation on this topic.

Changed it and now it seems that the update check is checked way before the script.

    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Normalizing SHA-Password from hex encoding
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] returns noop
    ++? if (updated)
    ? Evaluating (updated) -> FALSE
    ++? if (updated) -> FALSE
    Found Auth-Type = otp
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group otp {...}
    [pap] login attempt with password "test2"
    [pap] Using SHA1 encryption.
    [pap] User authenticated successfully
    ++[pap] returns ok
    [OTP] expand: %{User-Name} -> test2
    [OTP] expand: %{User-Password} -> test2
    [OTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2
    [OTP] expand: %{reply:Pin} -> 0201
    [OTP] expand: %{reply:Offset} -> 1
    Exec-Program output: Reply-Message += "Enter SMS", State += "12536",
    Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS", State += "12536",
    Exec-Program: returned: 9
    ++[OTP] returns updated
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> test2
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 145 to 172.31.2.20 port 56003
        Reply-Message += "Enter SMS"
        State += 0x3132353336
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 145 with timestamp +1
    Ready to process requests.

Best regards
Thomas Raabo
Senior Network Engineer, CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: EXEC Access-challenge
On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
> I'm trying to create a PHP OTP script with challenge response.
>
> echo "Reply-Message += \"Enter SMS\",\n";
>
> echo "State += \"$random\",\n";
>
> echo "Response-Packet-Type = \"Access-Challenge\",\n";

I think that needs to be a control item, not a reply item, and you can't set reply & control items from an "exec" script at the same time. Therefore, I'm not sure you can do that with an exec script alone.

See:

http://lists.freeradius.org/pipermail/freeradius-users/2012-September/062606.html

(ignore the non-technical bits, the poster was being... combative)

...and maybe:

http://lists.freeradius.org/pipermail/freeradius-users/2012-July/061953.html

I think something like the following might be what you need:

    authorize {
        ...
        myexec
        if (updated) {
            update control {
                Response-Packet-Type := Access-Challenge
            }
            handled
        }
        ...
    }

...and make your "exec" script return "updated" (9)

The server isn't really rigged for scripts/unlang sending Access-Challenge, so this is not a well-explored area. If someone who is using this could write a wiki article detailing the considerations, that would be great. It seems to be a common requirement. I'm guessing the Google "2-step" auth and imitators have rekindled interest in OTP?
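As an added illustration of the exec-script side of the approach above (example code written for this page, not from the thread or from FreeRADIUS), here is the script in Python: on the first run it prints the reply pairs and exits 9 ("updated") so the unlang `if (updated)` block can set Response-Packet-Type and return handled; on the second run it reads the State the NAS echoed back in the Access-Request and exits 0 (ok) or 1 (reject). The argument order, the `%{request:State}` expansion and the JSON state-store path are assumptions.

```python
#!/usr/bin/env python3
"""OTP challenge helper for rlm_exec (added example, not from the thread).

Assumed exec configuration (constructed for this example):
    program = "/etc/raddb/otp.py %{User-Name} %{User-Password} %{request:State}"
    output_pairs = reply
The first-factor password is left to pap/sql, as in the thread's config;
this script only issues and verifies the second factor.
"""
import json
import os
import secrets
import sys
import time

STATE_STORE = "/tmp/otp_state.json"  # assumed path; shared between the two runs
OTP_TTL = 120                          # seconds a challenge stays valid

# rlm_exec exit codes (FreeRADIUS 2.x): 0 ok, 1 reject, 9 updated
EXIT_OK, EXIT_REJECT, EXIT_UPDATED = 0, 1, 9


def load_store(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_store(path, store):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(store, fh)
    os.replace(tmp, path)  # atomic replace so a crash never leaves a half-written file


def handle(user, password, state, store, now=None):
    """Return (exit_code, output_line) for one rlm_exec invocation.

    `store` maps State -> {"user", "otp", "issued"}; the caller persists it.
    """
    now = time.time() if now is None else now
    if not state:
        # Round 1: issue a challenge. The OTP would be delivered out of band
        # (SMS etc.); here it is only recorded so round 2 can verify it.
        new_state = secrets.token_hex(8)
        otp = "%06d" % secrets.randbelow(1000000)
        store[new_state] = {"user": user, "otp": otp, "issued": now}
        line = 'Reply-Message += "Enter OTP", State += "%s"' % new_state
        return EXIT_UPDATED, line

    # Round 2: State came back in the Access-Request. Pop it so a challenge
    # can be answered exactly once (no replay of a captured OTP).
    entry = store.pop(state, None)
    if entry is None or entry["user"] != user:
        return EXIT_REJECT, 'Reply-Message += "Unknown or reused challenge"'
    if now - entry["issued"] > OTP_TTL:
        return EXIT_REJECT, 'Reply-Message += "Challenge expired"'
    if not secrets.compare_digest(password.encode(), entry["otp"].encode()):
        return EXIT_REJECT, 'Reply-Message += "Bad OTP"'
    return EXIT_OK, ""


def main(argv):
    if len(argv) < 3:
        return EXIT_REJECT
    user, password = argv[1], argv[2]
    state = argv[3] if len(argv) > 3 else ""
    store = load_store(STATE_STORE)
    code, line = handle(user, password, state, store)
    save_store(STATE_STORE, store)
    if line:
        print(line)  # rlm_exec parses this into reply pairs
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```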
EXEC Access-challenge
I'm trying to create a PHP OTP script with challenge response.

    echo "Reply-Message += \"Enter SMS\",\n";
    echo "State += \"$random\",\n";
    echo "Response-Packet-Type = \"Access-Challenge\",\n";
    exit(4);

Reply and State get sent to the client. But I can't seem to get challenge response to work. Has anyone done this type of stuff before and is it even possible?

    Found Auth-Type = otp
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group otp {...}
    [OTP] expand: %{User-Name} -> test2
    [OTP] expand: %{User-Password} -> test2
    [OTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2
    [OTP] expand: %{reply:Pin} -> 0201
    [OTP] expand: %{reply:Offset} -> 1
    Exec-Program output: Reply-Message += "Enter SMS", State += "21427", Response-Packet-Type = "Access-Challenge",
    Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS", State += "21427", Response-Packet-Type = "Access-Challenge",
    Exec-Program: returned: 4
    ++[OTP] returns handled
    There was no response configured: rejecting request 15
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> test2
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 15 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 15
    Sending Access-Reject of id 66 to 172.31.2.20 port 42617
        Reply-Message += "Enter SMS"
        State += 0x3231343237

My sites-enabled:

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        unix
        files
        sql
        expiration
        logintime
        pap
        update control {
            Auth-Type := otp
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        Auth-Type otp {
            OTP
            pap
        }
        unix
        eap
    }

My exec module:

    exec OTP {
        wait = yes
        program = "/etc/raddb/otp.php %{User-Name} %{User-Password} %{reply:Secret} %{reply:Pin} %{reply:Offset}"
        input_pairs = request
        output_pairs = reply
    }

Best regards
Thomas Raabo
Senior Network Engineer, CCIE #33466
t...@zitcom.dk | Direct: +45 69 10 60 18 | Tel.: +45 70 23 55 66
Re: Test Client which supports PAP Access-Challenge
Hello everyone,

find attached the new and improved version for checking pap access challenge:

    (minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
    Enter username: directory\Administrator
    Enter password:
    server response type = Access-Reject (3)

    (minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
    Enter username: directory\Administrator
    Enter password:
    server response type = Access-Challenge (11)
    Enter otp: 97350
    server response type = Access-Accept (2)

Cheers,
        Thomas

Attachment: pap_challenge_request.pl (Perl program)

    ATTRIBUTE   User-Name                1   string
    ATTRIBUTE   User-Password            2   string
    ATTRIBUTE   CHAP-Password            3   octets
    ATTRIBUTE   NAS-IP-Address           4   ipaddr
    ATTRIBUTE   NAS-Port                 5   integer
    ATTRIBUTE   Service-Type             6   integer
    ATTRIBUTE   Framed-Protocol          7   integer
    ATTRIBUTE   Framed-IP-Address        8   ipaddr
    ATTRIBUTE   Framed-IP-Netmask        9   ipaddr
    ATTRIBUTE   Framed-Routing           10  integer
    ATTRIBUTE   Filter-Id                11  string
    ATTRIBUTE   Framed-MTU               12  integer
    ATTRIBUTE   Framed-Compression       13  integer
    ATTRIBUTE   Login-IP-Host            14  ipaddr
    ATTRIBUTE   Login-Service            15  integer
    ATTRIBUTE   Login-TCP-Port           16  integer
    ATTRIBUTE   Reply-Message            18  string
    ATTRIBUTE   Callback-Number          19  string
    ATTRIBUTE   Callback-Id              20  string
    ATTRIBUTE   Framed-Route             22  string
    ATTRIBUTE   Framed-IPX-Network       23  ipaddr
    ATTRIBUTE   State                    24  octets
    ATTRIBUTE   Class                    25  octets
    ATTRIBUTE   Vendor-Specific          26  octets
    ATTRIBUTE   Session-Timeout          27  integer
    ATTRIBUTE   Idle-Timeout             28  integer
    ATTRIBUTE   Termination-Action       29  integer
    ATTRIBUTE   Called-Station-Id        30  string
    ATTRIBUTE   Calling-Station-Id       31  string
    ATTRIBUTE   NAS-Identifier           32  string
    ATTRIBUTE   Proxy-State              33  octets
    ATTRIBUTE   Login-LAT-Service        34  string
    ATTRIBUTE   Login-LAT-Node           35  string
    ATTRIBUTE   Login-LAT-Group          36  octets
    ATTRIBUTE   Framed-AppleTalk-Link    37  integer
    ATTRIBUTE   Framed-AppleTalk-Network 38  integer
    ATTRIBUTE   Framed-AppleTalk-Zone    39  string
    ATTRIBUTE   CHAP-Challenge           60  octets
    ATTRIBUTE   NAS-Port-Type            61  integer
    ATTRIBUTE   Port-Limit               62  integer
    ATTRIBUTE   Login-LAT-Port           63  string
Re: Test Client which supports PAP Access-Challenge
Hello Matthew,

> Forget that - I've not had enough coffee yet today :) You need to
> respond to the challenge, not send one yourself...

exactly, however the Authen::Radius perl module saved my day:

    #!/usr/bin/perl -w
    # Thomas Glanzmann 16:06 2012-05-21
    # First Argument is username, second argument is password
    # Authen::Radius requires a legacy dictionary without advanced
    # keywords like encrypted or $INCLUDEs

    use strict;
    use warnings FATAL => 'all';
    use Authen::Radius;

    my $r = new Authen::Radius(Host => '127.0.0.1', Secret => 'testing123');
    Authen::Radius->load_dictionary('/home/sithglan/work/smsotpd/dictionary');

    # Round 1: plain PAP Access-Request
    $r->add_attributes (
        { Name => 'User-Name', Value => $ARGV[0] },
        { Name => 'User-Password', Value => $ARGV[1] },
    );
    $r->send_packet(ACCESS_REQUEST) || die;
    my $type = $r->recv_packet();
    print "server response type = $type\n";

    # Pick the State out of the Access-Challenge
    my $state = undef;
    for $a ($r->get_attributes()) {
        if ($a->{Name} eq 'State') {
            $state = $a->{RawValue};
        }
    }

    print "Enter otp: ";
    my $otp = <STDIN>;    # the <STDIN> was eaten by the archive's HTML rendering
    chomp($otp);

    # Round 2: the OTP goes in User-Password. The attributes received in
    # round 1 (Reply-Message, State) are still held in $r and are sent
    # along with the new pairs, which is how State reaches the server
    # (see the second rad_recv below).
    $r->add_attributes (
        { Name => 'User-Name', Value => $ARGV[0] },
        { Name => 'User-Password', Value => $otp },
    );
    $r->send_packet(ACCESS_REQUEST) || die;
    $type = $r->recv_packet();
    print "server response type = $type\n";

# Execution:

    (minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl 'administra...@directory.gmvl.de' 'password'
    server response type = 11
    Enter otp: 82701
    server response type = 2

# radiusd -X

    rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=40, length=71
        User-Name = "administra...@directory.gmvl.de"
        User-Password = "password"
    # Executing section authorize from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    [preprocess] expand: %{User-Name} -> administra...@directory.gmvl.de
    [preprocess] expand: %{User-Name} -> administra...@directory.gmvl.de
    [preprocess] hints: Matched DEFAULT at 4
    [preprocess] expand: %{1}@DIRECTORY.GMVL.DE -> administra...@directory.gmvl.de
    ++[preprocess] returns ok
    [files] users: Matched entry DEFAULT at line 1
    ++[files] returns ok
    ++[smsotp] returns ok
    Found Auth-Type = smsotp
    # Executing group from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
    +- entering group smsotp {...}
    rlm_krb5: verify_krb_v5_tgt: host key not found : Configuration file does not specify default realm
    ++[krb5] returns ok
    rlm_smsotp: Generate OTP
    rlm_smsotp: Uniq id is 5500455282
    rlm_smsotp: Sending Access-Challenge.
    ++[smsotp] returns handled
    Sending Access-Challenge of id 40 to 127.0.0.1 port 49189
        Reply-Message = "Enter Mobile PIN:"
        State = 0x35353030343535323832
    Finished request 18.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=41, length=102
        Reply-Message = "Enter Mobile PIN:"
        State = 0x35353030343535323832
        User-Name = "administra...@directory.gmvl.de"
        User-Password = "82701"
    # Executing section authorize from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    [preprocess] expand: %{User-Name} -> administra...@directory.gmvl.de
    [preprocess] expand: %{User-Name} -> administra...@directory.gmvl.de
    [preprocess] hints: Matched DEFAULT at 4
    [preprocess] expand: %{1}@DIRECTORY.GMVL.DE -> administra...@directory.gmvl.de
    ++[preprocess] returns ok
    [files] users: Matched entry DEFAULT at line 1
    ++[files] returns ok
    rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type 'smsotp-reply'
    ++[smsotp] returns ok
    Found Auth-Type = smsotp-reply
    # Executing group from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
    +- entering group smsotp-reply {...}
    rlm_smsotp: Found reply to access challenge
    rlm_smsotp: SocketReply is OK
    ++[smsotp] returns ok
    # Executing section post-auth from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 41 to 127.0.0.1 port 49189
    Finished request 19.

Cheers,
        Thomas
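The same two-round PAP exchange, as an added example in Python rather than the Perl client above (not code from the thread or from FreeRADIUS): it builds the Access-Request with the RFC 2865 password hiding, verifies the Response Authenticator on the reply, carries the State from the Access-Challenge into the second Access-Request, and runs both rounds offline against a small stand-in for the server. The shared secret, user name and OTP are constructed values.

```python
"""RFC 2865 PAP client pieces for a two-round Access-Challenge exchange.
Added example (not the thread's Perl client); secret, user and OTP values
are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; what the server does to check a PAP password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(ident, secret, user, password, state=None):
    """Client: return (packet, request_authenticator); State is echoed when given."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, auth))]
    if state is not None:
        attrs.append((STATE, state))  # RFC 2865: State goes back unmodified
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def build_response(code, ident, secret, request_auth, attrs):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_response(packet, secret, request_auth):
    """Client: verify the Response Authenticator, then return (code, attrs)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad length")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code, decode_attrs(body)

def toy_server(packet, secret, expected_otp, challenges):
    """Stand-in for rlm_smsotp: no State -> Challenge; State -> Accept/Reject.
    The first-factor password is not checked here (krb5 did that in the thread)."""
    ident, req_auth = packet[1], packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    state = attrs.get(STATE)
    if state is None:
        state = os.urandom(5)
        challenges[state] = attrs[USER_NAME]  # remember who was challenged
        return build_response(ACCESS_CHALLENGE, ident, secret, req_auth,
                              [(REPLY_MESSAGE, b"Enter Mobile PIN:"), (STATE, state)])
    ok = challenges.pop(state, None) == attrs[USER_NAME] and password == expected_otp
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, secret, req_auth, [])

def run_exchange(secret, user, password, otp, server_otp):
    """Client side of the exchange against toy_server; returns the reply codes seen."""
    challenges, codes = {}, []
    pkt, auth = build_access_request(40, secret, user, password)
    code, attrs = parse_response(toy_server(pkt, secret, server_otp, challenges), secret, auth)
    codes.append(code)
    if code == ACCESS_CHALLENGE:
        state = dict(attrs)[STATE]  # carry State into the second Access-Request
        pkt, auth = build_access_request(41, secret, user, otp, state)
        code, _ = parse_response(toy_server(pkt, secret, server_otp, challenges), secret, auth)
        codes.append(code)
    return codes
```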
Re: Test Client which supports PAP Access-Challenge
On Mon, May 21, 2012 at 02:23:12PM +0100, Matthew Newton wrote:
> Looks like radclient has support:

Forget that - I've not had enough coffee yet today :) You need to respond to the challenge, not send one yourself...

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253
Re: Test Client which supports PAP Access-Challenge
Hi Thomas,

On Mon, May 21, 2012 at 02:41:26PM +0200, Thomas Glanzmann wrote:
> > You should not be getting a challenge with PAP, so there is no need
> > for a test client for it.
>
> for Citrix Netscaler and VMware View 5.1 if you want to support
> two-factor authentication for example with rlm_smsotp this is necessary.

Hmm interesting - thanks. New one to me.

> However there is currently no test client for it that I'm aware of. The
> Net::Radius::Packet perl library is probably the quickest approach to get
> something working, I'll post it here, if I got one.

Looks like radclient has support:

    radclient.c:1007
        } else if (strcmp(argv[2], "challenge") == 0) {
            if (server_port == 0) server_port = getport("radius");
            if (server_port == 0) server_port = PW_AUTH_UDP_PORT;
            packet_code = PW_ACCESS_CHALLENGE;

So use 'challenge' instead of acct, auth, status, etc.

Cheers,

Matthew
Re: Test Client which supports PAP Access-Challenge
Hello Matthew,

> You should not be getting a challenge with PAP, so there is no need
> for a test client for it.

for Citrix Netscaler and VMware View 5.1 if you want to support two-factor authentication for example with rlm_smsotp this is necessary. However there is currently no test client for it that I'm aware of. The Net::Radius::Packet perl library is probably the quickest approach to get something working, I'll post it here, if I got one.

See also:

http://wiki.freeradius.org/Rlm_smsotp
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/86365

Cheers,
        Thomas
Re: Test Client which supports PAP Access-Challenge
On Mon, May 21, 2012 at 02:17:30PM +0200, Thomas Glanzmann wrote:
> I'm interested in a radius test client which supports pap
> ACCESS-Challenge. Can anyone point me to one or to a library which

You should not be getting a challenge with PAP, so there is no need for a test client for it.

Matthew

-- 
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
Test Client which supports PAP Access-Challenge
Hello,

I'm interested in a radius test client which supports pap ACCESS-Challenge. Can anyone point me to one or to a library which allows me to easily write one, preferably in perl?

Cheers,
        Thomas
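As an added example (not code from this thread, from radclient, from Net::Radius or from the FreeRADIUS project), a Python sketch of the packet handling such a test client needs: PAP User-Password hiding, verification of the Response Authenticator on the Access-Challenge, and echoing the State attribute in the follow-up Access-Request, which is the round trip the smsotp debug output earlier on this page shows. The shared secret, user name, OTP and the in-process `build_reply` that stands in for the server are constructed, so it runs offline.

```python
"""PAP Access-Request / Access-Challenge round trip, RFC 2865 framing (added example)."""
import hashlib
import hmac
import os
import struct

# Packet codes and the attribute types this client needs (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet Authenticator follows

def encode_attr(attr_type, value):
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def decode_attrs(data):
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs

def pap_encrypt(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decrypt(ciphertext, secret, request_auth):
    """Inverse of pap_encrypt (what the server does); trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(pid, secret, username, password, state=None, request_auth=None):
    """Client side. Returns (packet, request_auth); keep request_auth to check the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(USER_NAME, username.encode())
    attrs += encode_attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
    if state is not None:
        attrs += encode_attr(STATE, state)  # State is opaque to the client: echo it unmodified
    return HEADER.pack(ACCESS_REQUEST, pid, 20 + len(attrs)) + request_auth + attrs, request_auth

def build_reply(code, pid, secret, request_auth, attr_list):
    """Server-side stand-in: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b"".join(encode_attr(t, v) for t, v in attr_list)
    header = HEADER.pack(code, pid, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_reply(pkt, secret, request_auth, expected_id):
    """Validate a reply against the request it answers before trusting anything in it."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, pid, length = HEADER.unpack_from(pkt)
    if length < 20 or length > len(pkt):
        raise ValueError("Length field inconsistent with the datagram")
    pkt = pkt[:length]  # octets beyond Length are padding and must be ignored
    if pid != expected_id:
        raise ValueError("Identifier does not match the outstanding request")
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or altered reply")
    return code, decode_attrs(pkt[20:])

def reply_messages(attrs):
    """Reply-Message values; a client shows these as the prompt ('Enter OTP:' in the thread)."""
    return [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]

def respond_to_challenge(challenge_attrs, pid, secret, username, answer):
    """Second leg: the user's answer becomes User-Password and the challenge's State is echoed."""
    states = [v for t, v in challenge_attrs if t == STATE]
    if len(states) != 1:
        raise ValueError("Access-Challenge must carry exactly one State attribute")
    return build_access_request(pid, secret, username, answer, state=states[0])

def demo():
    """Whole exchange in-process with constructed values; build_reply plays the server."""
    secret = b"testing123"  # constructed shared secret
    pkt, ra = build_access_request(101, secret, "user", "1234")
    challenge = build_reply(ACCESS_CHALLENGE, 101, secret, ra,
                            [(REPLY_MESSAGE, b"Enter OTP:"), (STATE, bytes.fromhex("38373131"))])
    code, attrs = parse_reply(challenge, secret, ra, 101)
    followup, _ = respond_to_challenge(attrs, 102, secret, "user", "82701")
    return code, reply_messages(attrs), decode_attrs(followup[20:])
```

Against a real server, the second Access-Request should carry a fresh Identifier and Request Authenticator, as `respond_to_challenge` does; reusing the first request's values makes the reply check above meaningless.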
Re: RFC compliance for Access Challenge
sanal kumar kariazhath wrote:
> As per RFC, it looks like the Access Challenge must not contain any
> attributes other than Reply-Message, State, Vendor-Specific,
> Session-Timeout and Idle-Timeout.

  Alan Buxey already had a good response. Mine is: Who cares? What problem does it create?

  A fanatical dedication to RFC compliance is wrong. For the simple reason that the RFCs are often wrong. I know because I wrote RFC 5080, which talks about what's wrong with other RFCs.

  Alan DeKok.
Re: RFC compliance for Access Challenge
Cool! Thanks a lot for the quick response and info... :-)

Thanks,
-Sanal

On Mon, Dec 12, 2011 at 6:36 PM, Alan Buxey wrote:
> Hi,
>
> > Would like to know why Free Radius is putting the user configuration data
> > in Access Challenge ?
>
> as per attrs.access_challenge
>
> # This configuration file is used to remove almost all of the
> # attributes From an Access-Challenge message. The RFC's say
> # that an Access-Challenge packet can contain only a few
> # attributes. We enforce that here.
> #
> DEFAULT
>         EAP-Message =* ANY,
>         State =* ANY,
>         Message-Authenticator =* ANY,
>         Reply-Message =* ANY,
>         Proxy-State =* ANY,
>         Session-Timeout =* ANY,
>         Idle-Timeout =* ANY
>
> this would suggest strongly that you aren't actually USING this filter to
> follow the RFCs that you are so strongly advocating in your post - this
> filter file is defined in modules/attrs
>
> attr_filter attr_filter.access_challenge {
>         key = %{User-Name}
>         attrsfile = ${confdir}/attrs.access_challenge
> }
>
> now read the sites-enabled/default as provided with the server, scroll
> down to the 'eap' authentication and then you'll see the next 12 lines have
> the bit that will enable this filter. it's commented out by default because
> it's an RFC that not many people care about (having seen junk from IAS/NPS and
> ACS, FreeRADIUS is already *quite* RFC compliant without this extra bit of
> OCD ;-)
>
> alan
Re: RFC compliance for Access Challenge
Hi,

> Would like to know why Free Radius is putting the user configuration data
> in Access Challenge ?

as per attrs.access_challenge

# This configuration file is used to remove almost all of the
# attributes From an Access-Challenge message. The RFC's say
# that an Access-Challenge packet can contain only a few
# attributes. We enforce that here.
#
DEFAULT
        EAP-Message =* ANY,
        State =* ANY,
        Message-Authenticator =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        Session-Timeout =* ANY,
        Idle-Timeout =* ANY

this would suggest strongly that you aren't actually USING this filter to follow the RFCs that you are so strongly advocating in your post - this filter file is defined in modules/attrs

attr_filter attr_filter.access_challenge {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.access_challenge
}

now read the sites-enabled/default as provided with the server, scroll down to the 'eap' authentication and then you'll see the next 12 lines have the bit that will enable this filter. it's commented out by default because it's an RFC that not many people care about (having seen junk from IAS/NPS and ACS, FreeRADIUS is already *quite* RFC compliant without this extra bit of OCD ;-)

alan
RFC compliance for Access Challenge
Hi,

As per RFC, it looks like the Access Challenge must not contain any attributes other than Reply-Message, State, Vendor-Specific, Session-Timeout and Idle-Timeout. But if I put the configuration options as below for the EAP user 'USER5', then the access challenge from Free Radius server contains those attributes.

USER5   Cleartext-Password := "xyz"
        Service-Type = Framed-User,
        Framed-IP-Address = 255.255.255.255,
        Framed-MTU = 576,
        Tunnel-Medium-Type = "6",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = 400,

Please find the debug logs below:

Version:
radiusd: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Jun 8 2011 at 15:45:1

Debug logs (Have changed the IP address)
--
Ready to process requests.
rad_recv: Access-Request packet from host AA.BB.CC.DD port 1812, id=38, length=94
        NAS-IP-Address = DD.EE.AA.DD
        NAS-Port-Type = Ethernet
        NAS-Port = 43
        Calling-Station-Id = "00-00-01-00-04-00"
        User-Name = "USER5"
        EAP-Message = 0x0239000a015553455235
        Message-Authenticator = 0x8db99a77b408552561675e84e7840868
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "USER5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 57 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry USER5 at line 215
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 38 to DD.EE.AA.DD port 65163
        Service-Type = Framed-User
        Framed-IP-Address = 255.255.255.255
        Framed-MTU = 576
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = "400"
        EAP-Message = 0x013a00160410f646c8b9a0a056801f6d89a3d919ccc5
        Message-Authenticator = 0x
        State = 0xda41235ada7b273294cf6090be1d930c
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
------

Would like to know why Free Radius is putting the user configuration data in Access Challenge ?

Appreciate the early response on the same,

Thanks,
-Sanal
Re: Access-Challenge with FreeRadius
hughdavid wrote:
> I thought that we can configure FreeRadius to implement the methods, that
> generate Access-Challenge messages for PAP protocol, and we can define some
> logic scenarios for these challenge exchanges
>
> Apparently it is not possible with FreeRadius

  Yes, it is. But you need to write the code to make it do that. There is no pre-packaged configuration saying "implement Access-Challenge here"

  All Access-Challenge scenarios are tied to pre-existing authentication methods. e.g. EAP, SecurID, etc.

  If you're technical enough to implement your own Access-Challenge method, you're technical enough to *implement* your own Access-Challenge method.

  If you can't figure out how to implement Access-Challenge in the server (hint: there are examples), then you don't need to implement it.

  Alan DeKok.
SecurID, Re: Access-Challenge with FreeRadius
David Mitton wrote:
> e.g. some RADIUS servers will send A-C in PAP if they are authenticating
> SecurID. (not recommended but it's out there)

  2.1.12 includes an experimental rlm_securid. We expect to have an approved && production-ready version for the next release.

  Alan DeKok.
Re: Access-Challenge with FreeRadius
David,

Thanks for your reply, it was very clear

I thought that we can configure FreeRadius to implement the methods, that generate Access-Challenge messages for PAP protocol, and we can define some logic scenarios for these challenge exchanges

Apparently it is not possible with FreeRadius

Zhuoming
Re: Access-Challenge with FreeRadius
The thread link posted has already got several answers in it... and ends quite clearly. Why are you trying to drag this up again? Some coursework?

alan
Re: Access-Challenge with FreeRadius
And if you read that thread... you find that the short answer is you don't.

There is no configuration option to generate messages. The authentication method implementation logic knows what interactions it supports and generates the appropriate messages. Some auth methods will never use an Access-Challenge, some always will (EAP). Some vary depending on the auth. e.g. some RADIUS servers will send A-C in PAP if they are authenticating SecurID. (not recommended but it's out there)

Bottom line; you are framing the problem incorrectly and asking the wrong question.

Dave.

Quoting hughdavid :

> Hello,
>
> I am a new user of FreeRadius (on windows)
> I have the same question as this post: How to configure freeRADIUS server so
> it replies with a PAP "access-challenge" message on "access-request" from a
> client?
>
> http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-td4296727.html
>
> Any help is greatly appreciated! Thanks in advance
>
> Best Regards,
>
> Zhuoming (zhuoming.hu...@gmail.com)
Re: Access-Challenge with FreeRadius
Well, I am working with a Linux server and don't have access to the debug mode. If I get anything I will tell you.

On Wed, Nov 9, 2011 at 3:03 PM, hughdavid wrote:
> Hello,
>
> I am a new user of FreeRadius (on windows)
> I have the same question as this post: How to configure freeRADIUS server so
> it replies with a PAP "access-challenge" message on "access-request" from a
> client?
>
> http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-td4296727.html
>
> Any help is greatly appreciated! Thanks in advance
>
> Best Regards,
>
> Zhuoming (zhuoming.hu...@gmail.com)

-- 
"One does not GO to Church. One IS Church <http://www.youtube.com/watch?v=ifnJtkAnBq4>."
Access-Challenge with FreeRadius
Hello,

I am a new user of FreeRadius (on windows)
I have the same question as this post: How to configure freeRADIUS server so it replies with a PAP "access-challenge" message on "access-request" from a client?

http://freeradius.1045715.n5.nabble.com/Help-me-with-Access-Challenge-configuration-td4296727.html

Any help is greatly appreciated! Thanks in advance

Best Regards,

Zhuoming (zhuoming.hu...@gmail.com)
RE: Radius Access-Challenge and Apache
Hi,

I have done this... But I still don't have any luck (please see my last message.)

Could the problem be related to the version of radius auth for apache in the Debian repos perhaps?

Daniel

> -----Original Message-----
> From: freeradius-users-bounces+daniel.abels=leica-microsystems@lists.freeradius.org
> [mailto:freeradius-users-bounces+daniel.abels=leica-microsystems@lists.freeradius.org] On
> Behalf Of Alan DeKok
> Sent: Monday, 29 August 2011 8:25 PM
> To: FreeRadius users mailing list
> Subject: Re: Radius Access-Challenge and Apache
>
> Daniel Abels wrote:
> > On the command line, this also works using radtest, see below:
>
>   So... run the server in debugging mode, and see what happens when you
> send it a packet from Apache. That information is useful.
>
>   There's a *reason* we suggest using debugging mode.
>
>   Alan DeKok.
RE: Radius Access-Challenge and Apache
Hi Alan,

Thank you for your response. I've been having a lot of trouble reaching the mailing list, my responses are not getting through. Hopefully this one will!

Below is the output from the debug mode:

rad_recv: Access-Request packet from host 127.0.0.1 port 1026, id=60, length=83
        User-Name = "dra"
        User-Password = "*"
        Service-Type = Authenticate-Only
        NAS-Identifier = "debian-test-dra.vsl.com.au"
        NAS-IP-Address = 127.0.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dra", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 54
++[files] returns ok
rlm_perl: Authorize Function Called
rlm_perl: Authorization for >127.0.0.1< was granted...
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group Perl {...}
rlm_perl: Log Request Attributes Called
rlm_perl:Request: >User-Name< = >dra<
rlm_perl:Request: >User-Password< = >*<
rlm_perl:Request: >NAS-Identifier< = >debian-test-dra.vsl.com.au<
rlm_perl:Request: >Service-Type< = >Authenticate-Only<
rlm_perl:Request: >NAS-IP-Address< = >127.0.0.1<
rlm_perl: Authenticate Function Called
rlm_perl: User: >dra< Authenticated, now sending access-challenge
rlm_perl: Log Reply Attributes Called
rlm_perl:Reply: >Reply-Message< = >Please Enter Code<
rlm_perl:Reply: >State< = >challenge<
rlm_perl: Added pair User-Name = dra
rlm_perl: Added pair User-Password = *
rlm_perl: Added pair NAS-Identifier = debian-test-dra.vsl.com.au
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair Reply-Message = Please Enter Code
rlm_perl: Added pair State = challenge
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns handled
Sending Access-Challenge of id 60 to 127.0.0.1 port 1026
        Reply-Message = "Please Enter Code"
        State = 0x6368616c6c656e6765
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 60 with timestamp +148
Ready to process requests.

The output to the browser at this point looks like this: (Firefox 6.0, but I have tried IE 8.0 too)
http://imageshack.us/photo/my-images/856/authenticationrequired2.png/

I turned up the logging level for Apache too, the following is a complete successful login:

[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=8115747392e228c2f612d8fce9b384074e5c2035f36809adchallenge for user=dra :
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(902): Sending packet on 127.0.0.1:1812
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(): RADIUS server requested challenge for user dra
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1232): RADIUS authentication for user=dra password=* failed\n
[Tue Aug 30 09:25:04 2011] [debug] mod_auth_radius-2.0.c(1239): Sending failure message to user=dra\n
[Tue Aug 30 09:25:04 2011] [error] [client 10.10.240.240] user dra: authentication failure for "/test/": Password Mismatch
[Tue Aug 30 09:25:04 2011] [debug] mod_deflate.c(615): [client 10.10.240.240] Zlib: Compressed 482 to 324 : URL /test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1185): Radius Auth for: debian-test-dra.vsl.com.au requests /test/ : file=/var/www/test/
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(762): Found Radius Cookie, now check if it's valid...
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1191): Found cookie=f94377b91a7b4e30ac0a3910ea54ec194e5c2048f36809adchallenge for user=dra :
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(1195): with RADIUS challenge state set.\n
[Tue Aug 30 09:25:18 2011] [debug] mod_auth_radius-2.0.c(
Re: Radius Access-Challenge and Apache
Daniel Abels wrote:
> On the command line, this also works using radtest, see below:

  So... run the server in debugging mode, and see what happens when you send it a packet from Apache. That information is useful.

  There's a *reason* we suggest using debugging mode.

  Alan DeKok.
Radius Access-Challenge and Apache
Hi all,

I have developed a rlm_perl script for FreeRadius to provide an Access-Challenge response upon an initial successful login (i.e. enter username & password, receive access-challenge, then enter a code.)

I'm having some trouble getting an access-challenge "reply message" to display on a web browser. I'm not sure if I have something configured incorrectly, or if my expectations of what the apache module (mod-auth-radius) should be doing are wrong.

According to the documentation from the mod_auth_radius README, when the module receives an "Access-Challenge" response:

"...you'll see your username displayed, along with the RADIUS Reply-Message at the top of the authentication window."

But I see no such reply-message in the browser. It just displays the same Authentication Realm message ("Radius Authentication Test") for each prompt (tested in Firefox.) I was expecting the reply-message (which is "Please Enter Code") to be displayed instead, is that possible? Upon examining the source code for the module, there appears to be code to handle this. Using Wireshark, it also appears that this message is not returned to the browser.

Anyway, if the user enters the correct code at this point, they can reach the web page successfully, so the authentication side of things is not a problem.

The server is Debian (squeeze) with freeradius (2.1.10+dfsg-2), apache (2.2.16-6+squeeze1) and libapache2-mod-auth-radius (1.5.8-1)

The important portion of my apache configuration is below:

# Radius Server Authentication
AddRadiusAuth localhost:1812 testing123 5
AddRadiusCookieValid 5

# Test Radius Authentication
        Options Indexes FollowSymLinks MultiViews
        AuthType Basic
        AuthName "Radius Authentication Test"
        AuthBasicAuthoritative Off
        AuthBasicProvider radius
        AuthRadiusAuthoritative On
        AuthRadiusActive On
        Require valid-user

I have performed other tests using a Cisco VPN concentrator and Cisco's VPN client on Windows 7, this works great - the "Access-Challenge" response works (It returns the message "Please Enter Code".)

On the command line, this also works using radtest, see below:

# radtest user testing localhost 10 testing123
Sending Access-Request of id 150 to 127.0.0.1 port 1812
        User-Name = "user"
        User-Password = "testing"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 10
rad_recv: Access-Challenge packet from host 127.0.0.1 port 1812, id=150, length=50
        Reply-Message = "Please Enter Code"
        State = 0x6368616c6c656e6765

Any assistance on this matter would be greatly appreciated!

Regards,
Daniel Abels
Re: Question about Access-Challenge
Yes, it works this way. But the requirements are for a two phase authentication.

Sent from my iPhone

On Jul 8, 2011, at 2:11 AM, "Fajar A. Nugraha" wrote:

> On Fri, Jul 8, 2011 at 10:14 AM, Jamshid Abedi wrote:
>> Hello,
>>
>> I've got Mobile OTP to work with FreeRadius, I'd like to take this one step
>> further and turn this into a two phase process. The objective is to first
>> take the pin, authenticate that and then communicate to the NAS with a
>> challenge to receive the OTP from the user. I think this can be done via an
>> access-challenge reply to the NAS. My question is how do I get FreeNAS to
>> send an Access-Challenge once it has verified the PIN is correct? If anyone
>> can kindly give me some hints or point me in the right direction.
>
> IMHO the simplest way would be just concatenate them together. e.g. if:
> - your pin is 4 digits
> - your OTP is 12 digits
> - you use PAP
>
> then you can ask your users to put the 4 digit pin followed by 12
> digit OTP, so the password will be 16 digits. And since you use PAP,
> you get User-Password attribute in the request which can easily be
> split using unlang/regex into two components, which you can then
> verify.
>
> --
> Fajar
Re: Question about Access-Challenge
On Fri, Jul 8, 2011 at 10:14 AM, Jamshid Abedi wrote:
> Hello,
>
> I've got Mobile OTP to work with FreeRadius, I'd like to take this one step
> further and turn this into a two phase process. The objective is to first
> take the pin, authenticate that and then communicate to the NAS with a
> challenge to receive the OTP from the user. I think this can be done via an
> access-challenge reply to the NAS. My question is how do I get FreeNAS to
> send an Access-Challenge once it has verified the PIN is correct? If anyone
> can kindly give me some hints or point me in the right direction.

IMHO the simplest way would be just concatenate them together. e.g. if:
- your pin is 4 digits
- your OTP is 12 digits
- you use PAP

then you can ask your users to put the 4 digit pin followed by 12 digit OTP, so the password will be 16 digits. And since you use PAP, you get User-Password attribute in the request which can easily be split using unlang/regex into two components, which you can then verify.

-- 
Fajar
Question about Access-Challenge
Hello,

I've got Mobile OTP to work with FreeRadius, I'd like to take this one step further and turn this into a two phase process. The objective is to first take the pin, authenticate that and then communicate to the NAS with a challenge to receive the OTP from the user. I think this can be done via an access-challenge reply to the NAS. My question is how do I get FreeNAS to send an Access-Challenge once it has verified the PIN is correct? If anyone can kindly give me some hints or point me in the right direction.

Thank you,
JJ Abdi
Re: Help me with Access-Challenge configuration
To Stefan Winter-4,

Thanks a lot, now I understand how to configure my configuration. It's what I need to hear!

Have a nice day!
Re: Help me with Access-Challenge configuration
Hi,

> My simple question:
> How to configure freeRADIUS server so it replies with an "access-challenge" message
> on "access-request" from a client?

Alan's problem with this "simple" question of yours is that it's not just simple, but simplistic. RADIUS can convey *many different* authentication protocols which are all using an Access-Challenge to send challenge data back. The content of the Access-Challenge, and the configuration needed for that specific Access-Challenge, is significantly different. The fact that you ask the question like you did is a strong indication that you don't know about this fact. Please ask a question like

How to configure freeRADIUS server so it replies with a CHAP "access-challenge" message on "access-request" from a client?

How to configure freeRADIUS server so it replies with a MS-CHAP "access-challenge" message on "access-request" from a client?

How to configure freeRADIUS server so it replies with a MS-CHAPv2 "access-challenge" message on "access-request" from a client?

How to configure freeRADIUS server so it replies with a EAP-TLS "access-challenge" message on "access-request" from a client?

How to configure freeRADIUS server so it replies with a EAP-TTLS "access-challenge" message on "access-request" from a client?

How to configure freeRADIUS server so it replies with a PEAP "access-challenge" message on "access-request" from a client?

See? You need to be more specific in your question before anyone here can give you an answer. Or better yet, read up on RADIUS, and/or EAP methods, and *then* ask a well-informed question.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: Help me with Access-Challenge configuration
GreenUA wrote:
> 1. "If you're debugging a RADIUS client you wrote, then this isn't a
> FreeRADIUS question."
> It's a freeRADIUS question because I need to configure the freeRADIUS server

  If you know so much more than we do, why are you asking questions on this list?

> 2. "> What methods? How can I configure it?
>
> If you don't know, you don't need Access-Challenges."
>
> If I don't know how to configure it, I don't need it? In such way why are you
> replying to mails from this forum?

  Yes. You *don't* configure it. If the authentication method requires Access-Challenge, then the Access-Challenge is automatically generated.

  If Access-Challenge is not automatically generated, then you don't need it.

> Again sorry if my question is not correct, and don't worry I'm not writing a
> RADIUS client.

  Well, you said you were.

> My simple question:
> How to configure freeRADIUS server so it replies with an "access-challenge" message
> on "access-request" from a client?

  My answer (again) is "you don't". If you keep asking the question, then it's clear you don't understand the answer.

  Alan DeKok.
Re: Help me with Access-Challenge configuration
To Alan DeKok-2

Sorry for my maybe inconsistent question. I try to explain:

1. "If you're debugging a RADIUS client you wrote, then this isn't a FreeRADIUS question."
It's a freeRADIUS question because I need to configure the freeRADIUS server

2. "> What methods? How can I configure it?
If you don't know, you don't need Access-Challenges."
If I don't know how to configure it, I don't need it? In such way why are you replying to mails from this forum? I want to configure, and I don't know how, that's why I posted my question here.

FROM RFC:
"If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It MAY include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute."
But there is nothing about: what conditions, "server wishes", etc.

3. "As a hint: people who don't understand the RADIUS protocol shouldn't write RADIUS clients."
Again sorry if my question is not correct, and don't worry I'm not writing a RADIUS client.

My simple question:
How to configure freeRADIUS server so it replies with an "access-challenge" message on "access-request" from a client?
Re: Help me with Access-Challenge configuration
GreenUA wrote:
> What methods? How can I configure it?

  If you don't know, you don't need Access-Challenges.

> I need to see how my client processes challenge response. And I can't generate
> that message.

  If you're debugging a RADIUS client you wrote, then this isn't a FreeRADIUS question.

  As a hint: people who don't understand the RADIUS protocol shouldn't write RADIUS clients.

  Alan DeKok.
Re: Help me with Access-Challenge configuration
"Specific authentication methods allow for Access-Challenges. If you're not using one of those methods, you won't get Access-Challenges."

What methods? How can I configure it? Maybe my post was not clear enough.

"You're trying to solve one problem, but not saying what it is. You've somehow convinced yourself that Access-Challenges are the solution to that problem. So you're asking questions about that instead. What, exactly, is the problem, and why do you think Access-Challenges are the solution?"

I'm not trying to configure correct authorization via RADIUS server, it's not my main goal. I just want to configure and send back an "Access-challenge" message to the client side. I need to see how my client processes challenge response. And I can't generate that message.
Re: Help me with Access-Challenge configuration
GreenUA wrote:
> In my configuration RADIUS checks login and password, so it returns
> "Access-accept" or "Access-reject".

That's what a RADIUS server does. Specific authentication methods allow for Access-Challenges. If you're not using one of those methods, you won't get Access-Challenges.

You're trying to solve one problem, but not saying what it is. You've somehow convinced yourself that Access-Challenges are the solution to that problem. So you're asking questions about that instead.

What, exactly, is the problem, and why do you think Access-Challenges are the solution?

Alan DeKok.
Re: Help me with Access-Challenge configuration
OK guys ) Ha ha, I know about "windows must die..." but I can't do anything about that. Give me examples for Linux... what files I need to configure, maybe I should use another "Auth-Type" or something else...

Thanks to Alexander Clouter for the FAQ links, but this is debugging, and it will be useful if a configuration exists and you don't know why it doesn't work.

My question was how to "say" to the RADIUS server to send an "Access-Challenge" for a client "Access-Request". In my configuration RADIUS checks login and password, so it returns "Access-accept" or "Access-reject".
Re: Help me with Access-Challenge configuration
Arran Cudbard-Bell wrote:
>
> On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
>
>> GreenUA wrote:
>>>
>>> I reviewed RFC and FAQ, but i can't fined sane info about
>>> configuration of freeRADIUS server (on Windows) to send
>>> access-challenge message on access-request.
>>>
>> ...because running FreeRADIUS is not a sane thing to do.
>
> Shouldn't that be running Windows is not a sane thing to do? :P
>
Bah, and it would have looked so awesome if I didn't screw it up.

*ahem*

...because running FreeRADIUS on Windows is not a sane thing to do.

Cheers

--
Alexander Clouter
.sigmonster says: Some restrictions may apply.
Re: Help me with Access-Challenge configuration
On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:

> GreenUA wrote:
>>
>> I reviewed RFC and FAQ, but i can't fined sane info about
>> configuration of freeRADIUS server (on Windows) to send
>> access-challenge message on access-request.
>>
> ...because running FreeRADIUS is not a sane thing to do.

Shouldn't that be running Windows is not a sane thing to do? :P
Re: Help me with Access-Challenge configuration
GreenUA wrote:
>
> I reviewed RFC and FAQ, but i can't fined sane info about
> configuration of freeRADIUS server (on Windows) to send
> access-challenge message on access-request.
>
...because running FreeRADIUS is not a sane thing to do.

> My configuration is (users.conf):
>
> [snipped AWOL radiusd.conf file]
>
> Guys pls help me with the answer or if it's possible give me some link
> or manual in which i can fined the answer.
>
The best links on FreeRADIUS can be found at:

http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Cheers

--
Alexander Clouter
.sigmonster says: Check your local listings.
Help me with Access-Challenge configuration
I reviewed the RFC and FAQ, but I can't find sane info about configuring the FreeRADIUS server (on Windows) to send an Access-Challenge message on an Access-Request.

My configuration is (users.conf):

test	Auth-Type := Local, User-Password == "test"
	Service-Type = Login-User,
	Login-IP-Host = 192.99.98.119,
	Login-Service = Telnet,
	CS_Priv_Level = 2,
	Reply-Message = "Hello, %u. Wellcome from RADIUS. You are Administrator"

For such a configuration the RADIUS server (receiving an Access-Request) checks login + password and, if they are correct, sends the "Reply-Message" with the right "CS_Priv_Level" to the client (Access-Accept). But I need to validate one more parameter from the client and send him an Access-Challenge, and I don't know how to configure my RADIUS server to send an "Access-Challenge".

Guys, please help me with the answer or, if it's possible, give me some link or manual in which I can find the answer.
Re: access challenge on empty password
http://freeradius.1045715.n5.nabble.com/file/n4275090/radius.log radius.log

Fajar A. Nugraha-2 wrote:
>
> if you have a problem, post the output of
> debug mode (radiusd -X)
>
I am sorry. I try to get the rhythm. Log is attached.
Re: access challenge on empty password
On Fri, Apr 1, 2011 at 3:43 PM, izotov wrote:
>
> Alan DeKok-2 wrote:
>>
>> Have you tried running the server in debugging mode as suggested in
>> the FAQ, README, INSTALL, "man" page, and daily on this list?
>>
>
> Yes, I always do so. But this time it did not help me to find the answer.

I think what Alan means is: if you have a problem, post the output of debug mode (radiusd -X) so others can help you troubleshoot the issue by reading and interpreting what's in the output.

Simply saying "I always do so" but not providing the log is like saying "I have a problem, I don't know how to solve it, and I don't want to give any details about it either. Can you help me?"

--
Fajar
Re: access challenge on empty password
Alan DeKok-2 wrote:
>
> Have you tried running the server in debugging mode as suggested in
> the FAQ, README, INSTALL, "man" page, and daily on this list?
>
Yes, I always do so. But this time it did not help me to find the answer.
Re: access challenge on empty password
izotov wrote:
> I did not configure so (it must be a default). Where is that configuration
> entry?

Have you tried running the server in debugging mode as suggested in the FAQ, README, INSTALL, "man" page, and daily on this list?

Alan DeKok.
Re: access challenge on empty password
I did not configure so (it must be a default). Where is that configuration entry?
Re: access challenge on empty password
izotov wrote:
> Hi,
> I use pam_radius with openssh on a FreeBSD box. When I authenticate, and for
> the first time I simply enter an empty password then the second time I am
> prompted for the password characters are echoed on the terminal.
> As I can see my freeradius server responses an access challenge to request
> with an existing user and empty password combo.
> Is this a normal behaviour? How can I configure the system not to do so?

Why have you configured the server to respond with an Access-Challenge?

Alan DeKok.
access challenge on empty password
Hi,

I use pam_radius with openssh on a FreeBSD box. When I authenticate, and the first time I simply enter an empty password, then the second time I am prompted for the password the characters are echoed on the terminal.

As I can see, my freeradius server responds with an Access-Challenge to a request with an existing user and empty password combo.

Is this a normal behaviour? How can I configure the system not to do so?

Thanks!
Re: how to test authentication process using Access-Challenge response
Thanks Alan and Peter for your fast answers.

After doing some tests with the suggested tools I found no "ready to use" simulator for testing 2-step authentication with challenge response messages. I tried the JRadius simulator, which also seems not to have this feature.

I will try to code myself something with the suggested libraries and tools.

Thanks, Greg
Re: how to test authentication process using Access-Challenge response
Gregor Bruhin wrote:
> Is there a way to test the whole authentication process, including
> access-challenge packets without using a real radius client device?

Use "radclient". You will likely need to hack the source.

Alan DeKok.
Re: how to test authentication process using Access-Challenge response
You can use TinyRadius with JMeter to bulk load queries. There are a number of different radius client tools you can use.

On Sat, Feb 5, 2011 at 1:30 PM, Gregor Bruhin wrote:
> Hi,
>
> I'm currently playing around with freeradius to implement a two-way
> authentication using smsotp.
>
> Is there a way to test the whole authentication process, including
> access-challenge packets without using a real radius client device?
>
> Many thanks and best regards, Greg
how to test authentication process using Access-Challenge response
Hi,

I'm currently playing around with freeradius to implement a two-way authentication using smsotp.

Is there a way to test the whole authentication process, including access-challenge packets, without using a real radius client device?

Many thanks and best regards, Greg
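Two threads above ask related questions: GreenUA wants to know what makes a server answer an Access-Request with an Access-Challenge (the RFC text he quotes leaves the "conditions" open), and Greg wants to exercise a two-step OTP flow without a real NAS. The following is an added example written for this page, not FreeRADIUS code and not anything posted on the list. It simulates both sides of the exchange in Python with only the standard library: a toy server that checks the password, then issues an Access-Challenge carrying Reply-Message and a State attribute, and accepts only a second request that echoes that State with the correct OTP; and a toy client that drives both steps and verifies each Response Authenticator. Packet layout, attribute numbers and the password hiding follow RFC 2865; the shared secret, the user table, the OTP value and the State format are constructed for the example.

```python
"""Two-step RADIUS Access-Challenge exchange, simulated end to end (RFC 2865)."""
import hashlib
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865 s3, s5).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SECRET = b"constructed-shared-secret"          # constructed for this example
USERS = {"alice": (b"pw-alice", b"123456")}   # constructed: user -> (password, expected OTP)


def encode(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    """Parse header and attributes; returns (code, id, authenticator, attrs)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = encode(code, ident, req_auth, attrs)
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + SECRET).digest()


def pap_hide(value, req_auth):
    """RFC 2865 s5.2 User-Password hiding; XOR, so it also unhides. One block is enough here."""
    key = hashlib.md5(SECRET + req_auth).digest()
    return bytes(a ^ b for a, b in zip(value.ljust(16, b"\0"), key))


class ChallengeServer:
    """Request without State: check the password and challenge for an OTP.
    Request with State: check the OTP against the pending challenge."""

    def __init__(self):
        self.pending = {}   # State value issued -> user who must still supply an OTP

    def handle(self, pkt):
        code, ident, req_auth, attrs = decode(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode()
        typed = pap_hide(a.get(USER_PASSWORD, b""), req_auth).rstrip(b"\0")
        if STATE in a:
            # Step 2: only a State we issued is honoured; the password field now carries the OTP.
            expected = self.pending.pop(a[STATE], None)
            ok = expected == user and USERS[user][1] == typed
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        # Step 1: a correct password earns a challenge, not yet an accept.
        if user not in USERS or USERS[user][0] != typed:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        state = os.urandom(8)
        self.pending[state] = user
        return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                           [(REPLY_MESSAGE, b"Enter OTP:"), (STATE, state)])

    def _reply(self, code, ident, req_auth, attrs):
        return encode(code, ident, response_authenticator(code, ident, req_auth, attrs), attrs)


def client_login(server, user, password, otp):
    """Toy client: send credentials, then answer a challenge with the OTP.
    Returns (final reply code, prompt text shown to the user or None)."""
    def send(ident, attrs):
        req_auth = os.urandom(16)
        attrs = [(t, pap_hide(v, req_auth) if t == USER_PASSWORD else v) for t, v in attrs]
        code, rid, auth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
        # Drop any reply whose Response Authenticator was not computed over our request and secret.
        if rid != ident or auth != response_authenticator(code, rid, req_auth, rattrs):
            raise ValueError("Response Authenticator mismatch")
        return code, dict(rattrs)

    code, reply = send(1, [(USER_NAME, user.encode()), (USER_PASSWORD, password)])
    if code != ACCESS_CHALLENGE:
        return code, None
    prompt = reply[REPLY_MESSAGE].decode()
    # RFC 2865 s4.4: echo State unchanged and send the user's answer as User-Password.
    code, _ = send(2, [(USER_NAME, user.encode()), (USER_PASSWORD, otp), (STATE, reply[STATE])])
    return code, prompt


if __name__ == "__main__":
    srv = ChallengeServer()
    print(client_login(srv, "alice", b"pw-alice", b"123456"))   # (2, 'Enter OTP:')
    print(client_login(srv, "alice", b"pw-alice", b"000000"))   # (3, 'Enter OTP:')
```

The two points a real deployment gets from this toy: the server only ever moves from challenge to accept for a State value it issued itself and consumes on first use, and the client treats an unverifiable Response Authenticator as no reply at all. Both are the checks that a homegrown client or simulator tends to skip.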
Re: Sending an attribute with the Access-Accept instead of Access-Challenge
On 01/12/2011 06:50 PM, Vivek Umasuthan wrote:
> Thanks for the reply.
>
>> use_tunneled_reply = yes
>> ...in the "peap {}" section of "eap.conf"
>
> I did this after you mentioned it. Just some more clarification...
>
>> You need to add the attribute in the "inner-tunnel" virtual server,
>
> Do you mean I edit the 'inner-tunnel' file in /etc/freeradius/sites-available and add the attribute there? In there should it be added under "update outer.reply {}" section under "post-auth{}"?

No. That's what "use_tunneled_reply" does. You just need to return the attributes to the inner request.

> When I tried that, the server complains as shown below upon start
> /etc/freeradius/sites-enabled/inner-tunnel[340]: ERROR: Unknown vendor name in attribute name "Session-Timout"

Read what it says carefully... You've typo-ed "Timeout" as "Timout"

> /etc/freeradius/sites-enabled/inner-tunnel[262]: Errors parsing post-auth section.
Re: Sending an attribute with the Access-Accept instead of Access-Challenge
> /etc/freeradius/sites-enabled/inner-tunnel[340]: ERROR: Unknown vendor
> name in attribute name "Session-Timout"
> /etc/freeradius/sites-enabled/inner-tunnel[262]: Errors parsing
> post-auth section.

Sorry, there was a spelling mistake in the attribute, as can be seen above. It works fine now. Let me try it out and see if it's doing what I need.

Thanks for the help.

Vivek
Re: Sending an attribute with the Access-Accept instead of Access-Challenge
Thanks for the reply.

> use_tunneled_reply = yes
> ...in the "peap {}" section of "eap.conf"

I did this after you mentioned it. Just some more clarification...

> You need to add the attribute in the "inner-tunnel" virtual server,

Do you mean I edit the 'inner-tunnel' file in /etc/freeradius/sites-available and add the attribute there? In there should it be added under the "update outer.reply {}" section under "post-auth{}"?

When I tried that, the server complains as shown below upon start:

/etc/freeradius/sites-enabled/inner-tunnel[340]: ERROR: Unknown vendor name in attribute name "Session-Timout"
/etc/freeradius/sites-enabled/inner-tunnel[262]: Errors parsing post-auth section.

Vivek Umasuthan
Re: Sending an attribute with the Access-Accept instead of Access-Challenge
On 12/01/11 16:33, Vivek Umasuthan wrote:
> Hi All,
> I am testing 802.1x support on our platform and I'm having trouble
> figuring out how to include some attributes with Access-Accept. I read
> the 'users' file man page but could not get the answer.

You need to add the attribute in the "inner-tunnel" virtual server, and ensure you've set:

use_tunneled_reply = yes

...in the "peap {}" section of "eap.conf"
Sending an attribute with the Access-Accept instead of Access-Challenge
Hi All,

I am testing 802.1x support on our platform and I'm having trouble figuring out how to include some attributes with Access-Accept. I read the 'users' file man page but could not get the answer.

So my user is as shown below in the users file:

qatester	Cleartext-Password := "qatester"
	Session-Timeout = 20,
	Termination-Action = 1

Now the authorization works fine, but the Session-Timeout attribute is included in the Access-Challenge message, as I understand. I want to send it with the Access-Accept message. I have copied the debug information below.

## Debug Info Starts ##

rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=66, length=106
	Calling-Station-Id = "00-1A-6B-66-DD-7E"
	NAS-Port = 1
	User-Name = "qatester"
	NAS-IP-Address = 192.168.0.159
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x0202000d017161746573746572
	Message-Authenticator = 0x29d87ac1ec4ca82352df5fe82cc5849e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 66 to 192.168.0.159 port 4999
	Session-Timeout = 20
	Termination-Action = RADIUS-Request
	EAP-Message = 0x0103001604109e9fffb0d5e6393e5ef410df900b8d2f
	Message-Authenticator = 0x
	State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=67, length=117
	Calling-Station-Id = "00-1A-6B-66-DD-7E"
	NAS-Port = 1
	User-Name = "qatester"
	NAS-IP-Address = 192.168.0.159
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976
	EAP-Message = 0x020300060319
	Message-Authenticator = 0x7a4fba042bc71fbee8de9b56077c2ca8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 67 to 192.168.0.159 port 4999
	Session-Timeout = 20
	Termination-Action = RADIUS-Request
	EAP-Message = 0x010400061920
	Message-Authenticator = 0x
	State = 0x68cd38bb69c921d51b0b4c1f6b1aa976
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999, id=68, length=233
	Calling-Station-Id = "00-1A-6B-66-DD-7E"
	NAS-Port = 1
	User-Name = "qatester"
	NAS-IP-Address = 192.168.0.159
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x68cd38bb69c921d51b0b4c1f6b1aa976
	EAP-Message = 0x0204007a19800070160301006b016703014d2dbcb9a99cbfaf828b78feb5deaaf1ee341152fe91df965d169a89dee7048e18002f00350005000ac013c014c009c00a00320038001300040126ff0100010d000b087161746573746572000a0006000400170018000b00020100
	Message-Authenticator = 0xa246d84f9ddb81f240afcf2e322c88c9
# Executing section authorize from fil
Access-Challenge and...
Saman Kwok wrote:
> Hi ,
> I am happing problem that I couldn't resolve alone.
> If anyone in the list could help me will be appreciated.
>
> I have access point EnGenius 2610 and I run freeradius under RHEL5.
> RHEL5 have two ethernet card, eth0 : 192.168.1.4 to Internet, eth1 to
> Wifi Client with IP 192.168.0.1 (Client is Windows XP).
>
> Client authenticated with MS-Chapv2. I had installed ca_cert.der in XP.
>
> when I run radiusd -X everytime seem fine.
...
> Sending Access-Challenge of id 4 to 192.168.0.3 port 1024
> Reply-Message = "Hello, GRACELIA-4E4DD9\\gracelia"
> EAP-Message = 0x010e00061920
> Message-Authenticator = 0x
> State = 0x1b2c209a1b2239d39cc5bd6f4ac49d46
> Finished request 18.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 18 ID 4 with timestamp +307
> Ready to process requests.
>
> But it keep looping Access-Challege and Access-Request without
> Access-Reject or authenticated. I believe the certificate already have OID.

Fix the certificates so that the client likes them. Nothing else will solve the problem.

Alan DeKok.
Re: no response to Access-Challenge
Vieri wrote:
> Sending Access-Challenge of id 46 to 10.215.146.130 port 2048
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x
> State = 0x2bd535b12bd72c983ec1de5e3f93e675
> Finished request 18.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 18 ID 46 with timestamp +771
> Ready to process requests.

Read the FAQ and raddb/eap.conf. Look for "Access-Challenge"

Alan DeKok.
no response to Access-Challenge
Hi,

Sorry for the rookie question, but I'd like to know what I can make of the following:

I have just one wireless device, an access point and a freeradius server. When the supplicant tries to connect I can see the following messages in FR over and over:

rad_recv: Access-Request packet from...
...
Sending Access-Challenge of id 46 to 10.215.146.130 port 2048
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x
	State = 0x2bd535b12bd72c983ec1de5e3f93e675
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 18 ID 46 with timestamp +771
Ready to process requests.

There are quite a few Access-Request/Access-Challenge pairs (it goes on for about a minute or two) until the supplicant finally succeeds in connecting, with TLS handshakes and so on (WPA2+AES+EAP-TLS).

What can be causing this delay? It's as if the "conversation were out of sync" or as if one side weren't "listening". Could it be the AP, the client supplicant, the wlan driver? If I were to use a packet sniffer like wireshark, what "filter" could I apply and what should I look for?

Ideas are welcome.

Thanks

Vieri
Re: Filter Access-Challenge Attributes
Thanks

On Fri, Oct 30, 2009 at 6:42 AM, Alan DeKok wrote:
> Ben Wiechman wrote:
> > Is the following stub for filtering Access-Challenge attributes from
> > sites-available/default for future use?
>
> There are some typos that are fix in the git "stable" branch.
>
> Alan DeKok.