openLDAP authorization with PAP authentication

2012-03-30 Thread Jay Ludlow
I have a working RADIUS server for localhost lookup, but when I try and authenticate with my HP Procurve 420 Wireless Access Point using these wireless connection methods with Ubuntu 10.04LTS: Wireless Security: WPA & WPA2 Enterprise Authentication: Tunneled TLS | Protected EAP (PEAP) Anony

Re: Fwd: ldap-radius integration

2012-03-30 Thread John Dennis
On 03/30/2012 05:46 PM, Stefan Winter wrote: Please don't write private mail to me with FreeRADIUS questions. Forwarding to freeradius-users. Original Message Subject: ldap-radius integration Date: Fri, 30 Mar 2012 12:35:53 -0700 From: exu...@gmail.com To: stefan

Re: Fwd: ldap-radius integration

2012-03-30 Thread Stefan Winter
> could you give me some reference material or the steps involved in integrating radius and ldap? I am stuck with the error [ldap] bind as cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] L

Fwd: ldap-radius integration

2012-03-30 Thread Stefan Winter
Please don't write private mail to me with FreeRADIUS questions. Forwarding to freeradius-users. Original Message Subject: ldap-radius integration Date: Fri, 30 Mar 2012 12:35:53 -0700 From: exu...@gmail.com To: stefan.win...@restena.lu could you give me some re

Re: point to a new radius server for about 500 clients

2012-03-30 Thread Asif Iqbal
On Fri, Mar 30, 2012 at 1:46 PM, Alan Buxey wrote: > Hi, > >> I have about 500 radius clients that are authenticating against 2 >> radius servers 192.168.1.10 and 192.168.2.10. >> >> We have a need to use new radius servers that are on different network >> 10.0.1.10 and 10.0.2.10. >> >> How do I f

Re: point to a new radius server for about 500 clients

2012-03-30 Thread Alan Buxey
Hi, > I have about 500 radius clients that are authenticating against 2 > radius servers 192.168.1.10 and 192.168.2.10. > > We have a need to use new radius servers that are on different network > 10.0.1.10 and 10.0.2.10. > > How do I force the radius clients to authenticate against the new > ra

point to a new radius server for about 500 clients

2012-03-30 Thread Asif Iqbal
I have about 500 radius clients that are authenticating against 2 radius servers 192.168.1.10 and 192.168.2.10. We have a need to use new radius servers that are on different network 10.0.1.10 and 10.0.2.10. How do I force the radius clients to authenticate against the new radius servers short fr

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan, > Any idea what freeradius does different here? The only difference I see here is that radius has a hex number in the state field while the proprietary one has digits. I assume that is why my proprietary client chokes. I'll try to configure freeradius to produce digits as well and retry a

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan, here is the nordic edge radius server pcap: http://upload.glanzmann.de/radius.pcap here is the freeradius server pcap: http://upload.glanzmann.de/freeradius.pcap What I don't get is, when I compare the two 'Access-Challenges' they look very similar to me. However my proprietary radiu

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan, > PAP. And only PAP. And sometimes not even there. I now installed a commercial radius server (Nordic Edge) which supports it and I sniffed a successful exchange. You can find it here: http://upload.glanzmann.de/radius.pcap Could you please let me know if it is possible to confi

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 7:37 PM, mimir wrote: > Hi Fajar, > > I also think that option. But, I can not configure it. > > I set up realms same in proxy.conf. But, how can we point it to > sites-available/copy-acct-to-home-server ? Basically you need to configure sites-available/default to write to

Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB
Fajar A. Nugraha-2 wrote > > On Fri, Mar 30, 2012 at 6:12 PM, IVB wrote: > >> Agent-Circuit-Id = 0x000403fc0001 > > let's start with that one. > >>  ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ), > > Does that work? > No. And this is the problem. Fajar A. Nugra

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
I forgot to add. preacct also worked :) Thanks.

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi Fajar, I also think that option. But, I can not configure it. I set up realms same in proxy.conf. But, how can we point it to sites-available/copy-acct-to-home-server ? How can we configure it? I can only see explanation of config file comments. Thanks,

Re: AW: understanding

2012-03-30 Thread Alan Buxey
Hi, > I apologize for bothering you. I thought that somewhere might be a how-to to > solve this. yes, there are plenty of HOW-TOs - they all say to check the RADIUS server cert and configure the client properly - you are asking why. why? alan

Re: AW: AW: understanding

2012-03-30 Thread Phil Mayers
On 30/03/12 12:51, Heinrich, Sebastian wrote: I apologize for bothering you. I thought that somewhere might be a how-to to solve this. Unfortunately there's nothing to "solve". This is just how PEAP/MSCHAP works; there is a server cert, and for it to be secure, you must validate it. There

Re: Windows 7 prompting several times

2012-03-30 Thread Alan Buxey
Hi, > thanks for the brief reply. > I also think that the problem is that the NAS is asking the supplicant for > the password several times, before finally receiving the user's entry and > sending to radius. > I would like to solve the problem but since nobody yet find an answer. I > don't know wh

Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 6:12 PM, IVB wrote: > Agent-Circuit-Id = 0x000403fc0001 let's start with that one. >  ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ), Does that work? Shouldn't it be something like ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, '==' ),

Re: understanding

2012-03-30 Thread Alan Buxey
Hi, > We don't want to install certificates on the clients, but the problem in that case, just get your RADIUS server signed by a CA that is already on the clients... something like Thawte, Verisign etc. ie spend some money. if you don't want to spend some money, use your own self-signed CA (clos

AW: AW: understanding

2012-03-30 Thread Heinrich, Sebastian
I apologize for bothering you. I thought that somewhere might be a how-to to solve this. Thank you for help. I wish you a nice weekend. Best Regards from Germany Sebastian Heinrich Techn. DV Aluminium Oxid Stade GmbH Johann-Rathje-Köser-Straße 21683 Stade email s.heinr...@aos-stade.de web

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 5:40 PM, mimir wrote: > Hello, > > I added same definition to acct_users > > DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm += > TEST2,Replicate-To-Realm += TEST3 > > and it worked :) The earlier error is probably my fault then. It might need to go on preacct se

Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB
Debug mode does not help me at all. When I try to connect without Agent-* attributes in DB, I see in debug output 'User found in radcheck table' after performing "check" SQL. And finally I login successfully. When I try to connect with Agent-* attributes in DB, I don't see message 'User found in radcheck

Re: AW: AW: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 5:23 PM, Phil Mayers wrote: > However: I'm sure everyone will agree with me when I say: > > YOU SHOULD CONFIGURE YOUR CLIENTS TO CHECK THE CERTIFICATE. Exactly :) -- Fajar

Re: Windows 7 prompting several times

2012-03-30 Thread Phil Mayers
On 30/03/12 11:58, Morris, Andi wrote: Hi Ricardo, Sorry it was a brief answer but I'm also unsure of where to turn next with this, especially as you are seeing the same issue with different network hardware. Well, you guys need to debug your network hardware (and Ricardo needs to use a thread

Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB
Fajar A. Nugraha-2 wrote > > On Fri, Mar 30, 2012 at 4:29 PM, IVB wrote: >> I need help. >> >> Software: FreeRADIUS v2.1.11, MySQL v5.1.61. >> Hardware: RB SE100 under SEOS-6.4.1.4-Release >> >> BRAS sends Opt-82 related attributes in following format: >> > > What format? > Agent-Remote

RE: Windows 7 prompting several times

2012-03-30 Thread Morris, Andi
Hi Ricardo, Sorry it was a brief answer but I'm also unsure of where to turn next with this, especially as you are seeing the same issue with different network hardware. Cheers, Andi

Re: Windows 7 prompting several times

2012-03-30 Thread Ricardo89
Hi Andy, thanks for the brief reply. I also think that the problem is that the NAS is asking the supplicant for the password several times, before finally receiving the user's entry and sending to radius. I would like to solve the problem but since nobody has yet found an answer, I don't know what to do

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hello, I added same definition to acct_users DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm += TEST2,Replicate-To-Realm += TEST3 and it worked :) I can send 3 servers same accounting messages. I wonder another thing. Is it possible to get log/error or sth else if one of the replicated

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi, Sorry, I wrote wrong in my previous post, I am trying to apply Replicate-To-Realm to send accounting messages to 20 servers from my radius server. I added as below in /sites-available/default accounting { update control { Replicate-To-Realm := TEST1 Replicate

Re: AW: AW: understanding

2012-03-30 Thread Phil Mayers
On 30/03/12 10:54, Heinrich, Sebastian wrote: Now I am totally confused. Fajar says that it is not so easy to crack the passwords and Phil says the opposite. I am not a hacker. Can anybody say that this would be easy to do or not: I didn't say it was easy. I said it was *possible*. And you're

RE: Windows 7 prompting several times

2012-03-30 Thread Morris, Andi
This ties in with what I was saying, that the NAS (switch/access point) is asking the supplicant for the password several times, before finally receiving the user's entry and sending it onto the radius to be accepted or denied, whichever the case may be. I still think the problem is supplicant/

Re: understanding

2012-03-30 Thread Phil Mayers
On 30/03/12 10:38, Fajar A. Nugraha wrote: How easy is it to crack such a password? An authentication wouldn't have happened but the attacker would have had the encrypted usernames and passwords. They won't. Not immediately. But MSCHAP is a complex (and old) algorithm, and it is possible

AW: AW: understanding

2012-03-30 Thread Heinrich, Sebastian
Now I am totally confused. Fajar says that it is not so easy to crack the passwords and Phil says the opposite. I am not a hacker. Can anybody say that this would be easy to do or not: "A CA certificate must be used at each client to authenticate the server to each client before the client subm

Re: Windows 7 prompting several times

2012-03-30 Thread Ricardo89
Hi Alan DeKok, thanks for your reply. I think you don't understand what my problem is. My main problem is to understand why, when the user is asked to enter his credentials more than one time, nothing reaches my freeradius server; the only communication remains between the Access Point and

Re: FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:29 PM, IVB wrote: > I need help. > > Software: FreeRADIUS v2.1.11, MySQL v5.1.61. > Hardware: RB SE100 under SEOS-6.4.1.4-Release > > BRAS sends Opt-82 related attributes in following format: > What format? > > Attributes Agent-* described in radius dictionary as 'octet

Re: AW: understanding

2012-03-30 Thread Phil Mayers
On 30/03/12 10:18, Heinrich, Sebastian wrote: We don't want to install certificates on the clients, but the problem that is given in wikipedia is that anybody can install an access point with the same ssid and a client that would connect with it would give him his MSCHAP encrypted username and pa

Re: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:18 PM, Heinrich, Sebastian wrote: > We don't want to install certificates on the clients, but the problem > that is given in wikipedia is that anybody can install an access point > with the same ssid and a client that would connect with it would give > him his MSCHAP encr

FreeRADIUS + MySQL + DHCP Opt82

2012-03-30 Thread IVB
I need help. Software: FreeRADIUS v2.1.11, MySQL v5.1.61. Hardware: RB SE100 under SEOS-6.4.1.4-Release BRAS sends Opt-82 related attributes in following format: Attributes Agent-* described in radius dictionary as 'octets'. Attributes ADSL-Agent-* described in radius dictionary as 'string'. I

AW: understanding

2012-03-30 Thread Heinrich, Sebastian
We don't want to install certificates on the clients, but the problem that is given in wikipedia is that anybody can install an access point with the same ssid and a client that would connect with it would give him his MSCHAP encrypted username and password. How easy is it to crack such a password?

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 4:01 PM, mimir wrote: > Hi, > > I installed latest version of freeradius and verified replicate module is > existing. > > I can run replication via editing proxy.conf and acct_user. ( but I can > replicate to only one server for now) > I need to copy accountings to 20 serve

Re: Proxy + copy accounting to passive home server

2012-03-30 Thread mimir
Hi, I installed latest version of freeradius and verified replicate module is existing. I can run replication via editing proxy.conf and acct_user. ( but I can replicate to only one server for now) I need to copy accountings to 20 servers. DEFAULT Proxy-To-Realm := TEST1 ( how can I add others

Re: Windows 7 prompting several times

2012-03-30 Thread Alan DeKok
Ricardo89 wrote: > Yes Alan, I see each request hitting my LDAP server at least three > times. So... run the server in debug mode to see WHY it's hitting the LDAP server three times. Then, look at the debug log, and change the LDAP queries so that it only hits the LDAP server once.

Re: Windows 7 prompting several times

2012-03-30 Thread Ricardo89
Hi Alan, thanks for your reply. Yes Alan, I see each request hitting my LDAP server at least three times. When that problem of the user needing to enter their credentials more than one time occurs, as I said in the previous post nothing gets to the Ldap server, in the best cases only at the third t

Re: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 2:46 PM, Heinrich, Sebastian wrote: > Creating new certificates is only a security improvement when checking them? No > Is there any security improvement in creating new certificates and not > checking them? Yes. See what I wrote earlier. I gave you my answers. If yo

Re: AW: understanding

2012-03-30 Thread Alan DeKok
Heinrich, Sebastian wrote: > But a TLS tunnel can be established with the standard certificates given in > the certs subdirectory. Creating new certificates is only a security > improvement when checking them? Yes. > Is there any security improvement in creating new certificates and not >

AW: understanding

2012-03-30 Thread Heinrich, Sebastian
>> Actually the existing certificates in the certs subdirectory could be >> deleted but the authentication would work? >> >>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, >>> then >> you don't need certificates. >> >> But it would work with the standard certificates

Re: understanding

2012-03-30 Thread Fajar A. Nugraha
On Fri, Mar 30, 2012 at 2:21 PM, Heinrich, Sebastian wrote: >>> Actually the existing certificates in the certs subdirectory could be > deleted but the authentication would work? > >> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then > you don't need certificates. > > But it

AW: understanding

2012-03-30 Thread Heinrich, Sebastian
> From wikipedia, "PEAP is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel." > TLS always needs a certificate. >> There is nothing checked if you don't check the checkbox 'check certificate'. > I

Re: Windows 7 prompting several times

2012-03-30 Thread Alan DeKok
Jens Weibler wrote: > The problem is: debian is still using the version 2.1.10 - even in > sid... Is there a way to get this backported in the old version? No. You can build your own packages. That's why there's a "debian" directory in the source. Alan DeKok.