Re: freeradius = MS IAS passthrough
So, I made sure all of our settings were configured correctly in proxy.conf and in clients.conf. The way we tested was that I had the IAS server set the reply message to "yes", like John mentioned. This helped a great deal.

What's happening is that when I use radclient to auth DIRECTLY to the IAS server, I get an Access-Accept response. However, when I use the proxy, they are receiving an encrypted password, or an incorrectly encrypted password that cannot be decrypted by their IAS. I am using the Password attribute with radclient rather than User-Password, so I believe when I was using radclient it was sending an unencrypted password. When I run radiusd -X, I am able to see his password, so I'm assuming it's being relayed in plain text. Is this correct, or does debug mode decrypt the password for my viewing pleasure?

I guess the root of my question is: does IAS send plain-text passwords? Also, is there a way I can send the password to IAS via an encryption method that it can understand without making a global change? This can't be done in proxy.conf, so would the answer then be user-specific?

On the IAS end, the reason why they can't auth is their problem: their proxy is stripping the realm info from the username and just sending us user@, i.e. no realm info. But how do I set the FR proxy to relay the login info via an encryption method that can be understood by IAS? They accept the following auth methods: MS-CHAP, MS-CHAP V2, CHAP, and PAP.

Thanks for your help again, guys (gals)!

-Ian Savoy

John Horne wrote:
> On Wed, 2007-05-16 at 17:12 -0400, Ian Savoy wrote:
> > Is there anything else?
>
> Hi,
>
> Not sure if it's still relevant, but with our IAS servers the sysadmin made sure it set the reply message to yes.
>
> If you test from freeradius to the IAS server using the 'radtest' command, and run freeradius as 'radiusd -X', you should then see something like this from radiusd:
>
> rad_recv: Access-Accept packet from host 10.1.2.3:1812, id=0, length=74
>         Proxy-State = 0x323235
>         Framed-Protocol = PPP
>         Reply-Message = Yes
>         Service-Type = Framed-User
>
> John.

--
Ian Savoy
Webforce Systems, Inc
Operations Support/UNIX Engineer
CompTIA A+ Certified Professional
Tech. Support: 614-899-9257 x22
Website: http://www.ewebforce.net

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius = MS IAS passthrough
Ian Savoy wrote:
> What's happening is that when I use radclient to auth DIRECTLY to the IAS server, I get an Access-Accept response. However, when I use the proxy, they are receiving an encrypted password, or an incorrectly encrypted password that cannot be decrypted by their IAS.

Then the shared secret is wrong.

> I am using the Password attribute with radclient rather than User-Password,

They are the same attribute.

> so I believe when I was using radclient it was sending an unencrypted password. When I run radiusd -X, I am able to see his password, so I'm assuming it's being relayed in plain text. Is this correct, or does debug mode decrypt the password for my viewing pleasure?

It decrypts the password so you can see it.

> I guess the root of my question is: does IAS send plain-text passwords?

I'm not sure what you mean by that. The RADIUS protocol specifies that passwords are encrypted when sent over the wire, but the shared secret allows each RADIUS server to turn that encrypted password into a plain-text one.

So if IAS is sending something to FreeRADIUS, IAS has the password in clear text. It's encrypted on the Ethernet. FreeRADIUS decrypts it to clear text.

> Also, is there a way I can send the password to IAS via an encryption method that it can understand without making a global change? This can't be done in proxy.conf, so would the answer then be user-specific?

The question makes no sense. There is one way for clear-text passwords to be sent over the wire. If it's not working, the shared secret is wrong.

> On the IAS end, the reason why they can't auth is their problem: their proxy is stripping the realm info from the username and just sending us user@, i.e. no realm info. But how do I set the FR proxy to relay the login info via an encryption method that can be understood by IAS?

Huh? Who's sending what to whom? You've just said multiple servers are proxying to each other.

> They accept the following auth methods: MS-CHAP, MS-CHAP V2, CHAP, and PAP.

RADIUS servers don't change authentication protocols. If the client sends X, a proxy will forward X to the home server.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
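The mechanism Alan describes (RFC 2865 section 5.2 User-Password hiding, keyed by the shared secret, with a proxy decoding under one secret and re-encoding under another) is worth seeing in code, because it shows why a wrong secret never produces an error on the wire, only a password that decodes to garbage and is rejected. The block below is an added illustration, not FreeRADIUS, radclient or IAS code; the password, secrets and fixed Request Authenticator in it are constructed for the demo, and a real packet would use a random 16-octet authenticator.

```python
"""RFC 2865 section 5.2 User-Password hiding, as used by PAP over RADIUS.

Added illustration, not FreeRADIUS or IAS code.  The password, shared
secrets and Request Authenticator used below are constructed for the demo.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a clear-text password the way a NAS or proxy does before sending.

    The password is NUL-padded to a multiple of 16 octets.  Each 16-octet
    chunk is XORed with MD5(secret || previous ciphertext chunk); for the
    first chunk the 16-octet Request Authenticator stands in for the previous
    chunk.  This is obfuscation keyed by the shared secret, not authenticated
    encryption: any secret "decrypts" it to *something*.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += chunk
        prev = chunk  # chaining: the next key block depends on this ciphertext chunk
    return bytes(hidden)


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the clear text, as radiusd -X does when it prints the password.

    There is no integrity check: a wrong secret does not raise, it yields
    garbage, which the home server compares against the user's real password
    and rejects.  That is the "incorrectly encrypted password" symptom.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        clear += _xor16(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    # Strip the NUL padding (RADIUS cannot carry a password with trailing NULs anyway).
    return bytes(clear).rstrip(b"\x00")


def proxy_relay(hidden: bytes, nas_secret: bytes, nas_authenticator: bytes,
                home_secret: bytes, new_authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a RADIUS proxy does with a PAP request it forwards.

    Decode with the secret shared with the NAS (or upstream proxy), then
    re-hide the clear text under the secret shared with the home server and a
    fresh Request Authenticator.  No authentication-protocol conversion takes
    place: PAP in, PAP out.  If the secret in proxy.conf does not match the
    home server's client entry for the proxy, the home server decodes garbage.
    """
    if new_authenticator is None:
        new_authenticator = secrets.token_bytes(16)
    clear = decode_user_password(hidden, nas_secret, nas_authenticator)
    return encode_user_password(clear, home_secret, new_authenticator), new_authenticator


def demo() -> Dict[str, object]:
    """Round trip, the wrong-secret failure mode, and proxy re-encoding (constructed values)."""
    password = b"hunter2"
    nas_secret, home_secret = b"testing123", b"home-secret"
    ra = bytes(range(16))  # fixed for reproducibility only; real packets use a random authenticator
    hidden = encode_user_password(password, nas_secret, ra)
    relayed, ra2 = proxy_relay(hidden, nas_secret, ra, home_secret)
    return {
        "on_the_wire": hidden.hex(),
        "correct_secret": decode_user_password(hidden, nas_secret, ra),
        "wrong_secret": decode_user_password(hidden, b"wrong-secret", ra),
        "home_server_sees": decode_user_password(relayed, home_secret, ra2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two practical consequences follow from the code. First, `radiusd -X` can only print the clear text because the server holds the secret; the packet capture on the wire shows the hidden form. Second, a mismatch between the secret in proxy.conf and the one the home server has for the proxy's address is invisible to both sides except as an Access-Reject, which is exactly why Alan keeps pointing at the shared secret rather than at an "encryption method".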
freeradius = MS IAS passthrough
Does anyone have any specific tweaks to get MS IAS and freeradius talking? We're trying to share resources with another ISP in the area: their IAS server needs to be able to auth against our freeradius server, and vice versa with our freeradius to their IAS. A link to a tutorial would be so nice :)

I've looked in the dictionaries, but I'm afraid I don't know enough about IAS to really make any sense out of it... other than the fact that it just doesn't work. So, hints, tips, tricks, and/or tutorials would be oh so lovely :)

Thanks in advance
-Ian Savoy
Re: freeradius = MS IAS passthrough
By the way, we are dealing with freeradius 1.1.3.

Ian Savoy wrote:
> Does anyone have any specific tweaks to get MS IAS and freeradius talking? [...]
Re: freeradius = MS IAS passthrough
Realms

Jory Privett
WCCS

----- Original Message -----
From: Ian Savoy
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, May 16, 2007 3:29 PM
Subject: Re: freeradius = MS IAS passthrough

> By the way, we are dealing with freeradius 1.1.3.
> [...]
Re: freeradius = MS IAS passthrough
Ya, we have realms set up; however, we're failing to auth against each other.

Jory Privett wrote:
> Realms
> [...]
Re: freeradius = MS IAS passthrough
Check the config and make sure that each unit has the other set up as a client and that they handle the realms correctly. Also make sure that you have a Remote Access Policy properly configured on the IAS machine.

Jory Privett
WCCS

----- Original Message -----
From: Ian Savoy
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, May 16, 2007 3:37 PM
Subject: Re: freeradius = MS IAS passthrough

> Ya, we have realms set up; however, we're failing to auth against each other.
> [...]
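What Jory's checklist looks like in the FreeRADIUS 1.1.x configuration the thread is about, as an added example (not the poster's config, and not a FreeRADIUS default file): each side lists the other as a client with the same secret, requests for the partner's realm are proxied, and our own realm and realm-less names stay local so they never bounce between the two proxies. The addresses 192.0.2.20 (partner IAS), the realm names and the secret are assumed placeholders.

```text
# clients.conf (FreeRADIUS side): the partner's IAS box must be a client,
# since it sends us requests for users in our realm.  Secret is a placeholder.
client 192.0.2.20 {
	secret      = ChangeMe-Long-Random-Secret
	shortname   = partner-ias
	nastype     = other
}

# proxy.conf (FreeRADIUS 1.x realm syntax): requests for the partner's realm
# go to their IAS.  This secret must equal the one they entered for OUR
# address when they added us as a RADIUS client in IAS; if it differs, their
# side decodes the User-Password to garbage and answers Access-Reject.
realm partner.example {
	type      = radius
	authhost  = 192.0.2.20:1812
	accthost  = 192.0.2.20:1813
	secret    = ChangeMe-Long-Random-Secret
	nostrip
}

# Our own realm is authenticated locally, never proxied.
realm isp.example {
	type      = radius
	authhost  = LOCAL
	accthost  = LOCAL
}

# Names with no realm at all stay local too, rather than being forwarded
# to a partner who will forward them straight back.
realm NULL {
	type      = radius
	authhost  = LOCAL
	accthost  = LOCAL
}
```

`nostrip` keeps `user@partner.example` intact in User-Name when forwarding, which is usually what an IAS remote access policy expects to match on; drop it only if the partner wants the bare username. To check the proxy path end to end, run `radiusd -X` on the FreeRADIUS box and send a `radtest user@partner.example password localhost 0 <our-nas-secret>` from the same host: the debug output shows the request being proxied to 192.0.2.20 and the reply that comes back, and a reject with a correct test account points at the shared secret first.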
Re: freeradius = MS IAS passthrough
Is there anything else?

Jory Privett wrote:
> Check the config and make sure that each unit has the other set up as a client and that they handle the realms correctly. Also make sure that you have a Remote Access Policy properly configured on the IAS machine.
> [...]
Re: freeradius = MS IAS passthrough
Never say "it just doesn't work". Show us. Run radiusd -X and show us what is happening when you try, and tell us what you think should be happening.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: freeradius = MS IAS passthrough
On Wed 16 May 2007, Ian Savoy wrote:
> Ya, we have realms set up; however, we're failing to auth against each other.

Then you either have the wrong shared secret between your 2 servers, or you are testing the wrong user/password. What you are trying to do is trivial and covered by the documentation in FreeRADIUS's config files.

Also, for security reasons (and others), please upgrade to FreeRADIUS 1.1.6.

Regards
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: freeradius = MS IAS passthrough
On Wed, 2007-05-16 at 17:12 -0400, Ian Savoy wrote:
> Is there anything else?

Hi,

Not sure if it's still relevant, but with our IAS servers the sysadmin made sure it set the reply message to yes.

If you test from freeradius to the IAS server using the 'radtest' command, and run freeradius as 'radiusd -X', you should then see something like this from radiusd:

rad_recv: Access-Accept packet from host 10.1.2.3:1812, id=0, length=74
        Proxy-State = 0x323235
        Framed-Protocol = PPP
        Reply-Message = Yes
        Service-Type = Framed-User

John.

--
---
John Horne, University of Plymouth, UK    Tel: +44 (0)1752 233914
                                          Fax: +44 (0)1752 233839