Re: MS-CHAP2-Response is incorrect + invalid NT-Password
hello, I'm still stuck and don't know how to make it work. I added in ldap.attrmap:

checkItem Cleartext-Password userPassword
checkItem NT-password userPassword

but I still have:

[ldap] expand: %{User-Name} - bernard
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=bernard)
[ldap] expand: dc=example,dc=com - dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=example,dc=com, with filter (cn=bernard)
[ldap] Added User-Password = test in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword - NT-Password == 0x7465737420
[ldap] userPassword - Cleartext-Password == test
[ldap] looking for reply items in directory...
[ldap] user bernard authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Invalid NT-Password
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject

I don't understand why I still got an invalid NT-Password.

thanks for your help

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Hi, I have a little question. I use Freeradius with MySQL and a dd-wrt Linksys router as NAS. How can I set up a MAC address auth so that the user does not need a login and password?

THX
Axel
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
can I post all the debug output?

thanks
Re: Hi,
Axel Grimm wrote:
> Hi, I have a little question. I use Freeradius with MySQL and a dd-wrt Linksys router as NAS. How can I set up a MAC address auth so that the user does not need a login and password?
>
> THX
> Axel

If you use chillispot on dd-wrt, add these: function select, enable on macauth, add on additional macpasswd password, and then add the MAC address to your radcheck as xx-xx-xx-xx-xx-xx. Reboot your router and test it.
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
sorry for spamming, I just want to understand.

*OpenLDAP knows the clear text password:*

[ldap] userPassword - Cleartext-Password == test
[ldap] userPassword - NT-Password == 0x7465737420
*= supposed to be the hash password*
[ldap] looking for reply items in directory...
[ldap] user bernard authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}

*Is the inner tunnel part of the MSCHAPv2 failing because it doesn't know the way of dealing with the password supplied?*
*Is adding userPassword - NT-Password into ldap.attrmap enough to produce a correct NT hash password?*

[mschap] Invalid NT-Password
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = \nE=691 R=1
    EAP-Message = 0x040a0004
    Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = \nE=691 R=1
    EAP-Message = 0x040a0004
    Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
Hi,

> [ldap] userPassword - Cleartext-Password == test

note the space at the end. your password is 'test ' not just 'test'

is this deliberate? check your LDAP!

alan
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
On 15.03.2010 at 11:35, omega bk wrote:
> sorry for spamming, I just want to understand.
>
> OpenLDAP knows the clear text password:
>
> [ldap] userPassword - Cleartext-Password == test
> [ldap] userPassword - NT-Password == 0x7465737420
> = supposed to be the hash password

I doubt very much that this is a hash:

0x74: t
0x65: e
0x73: s
0x74: t
0x20: space

(all in ASCII)

Have you tried *not* to define a NT-Password and let Freeradius calculate from the Cleartext-Password what it needs?

[...]

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
thank u for your quick reply

I fixed bernard's password in ldap, so:

[ldap] userPassword - Cleartext-Password == test
[ldap] userPassword - NT-Password == 0x74657374

I added the password_radius_attribute = NT-Password but still the same:

[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
> > [ldap] userPassword - Cleartext-Password == test
>
> note the space at the end. your password is 'test ' not just 'test'
>
> is this deliberate? check your LDAP!
>
> alan
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
Hi,

> [mschap] Told to do MS-CHAPv2 for bernard with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect

get rid of the NT-Password LDAP hook if you're not using it.

alan
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
Hi,

you mean by commenting mschap in the authorize and authenticate sections?

thanks

2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
> > [mschap] Told to do MS-CHAPv2 for bernard with NT-Password
> > [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> > [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> get rid of the NT-Password LDAP hook if you're not using it.
>
> alan
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
Forget what I said. I commented the line:

#checkItem NT-password userPassword

in ldap.attrmap and it works!!

THANK U ALAN, you saved me

2010/3/15 omega bk omeg...@gmail.com
> Hi,
>
> you mean by commenting mschap in the authorize and authenticate sections?
>
> thanks
>
> 2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk
> > Hi,
> >
> > > [mschap] Told to do MS-CHAPv2 for bernard with NT-Password
> > > [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> > > [mschap] FAILED: MS-CHAP2-Response is incorrect
> >
> > get rid of the NT-Password LDAP hook if you're not using it.
> >
> > alan
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
another question? how does freeradius deal with simultaneous multiple access?

thanks
ldap auto header MS-CHAPv2
hi,

how can I handle encrypted users' ldap passwords? pap recognizes my ssha1 from base64 encoding (because of auto_header set to yes) but it looks like MS-CHAP does not know how to deal with it...

[ldap] Added User-Password = {SSHA}2FJYOM+C3mqL2g6wOhcLfjMY2XdoQ4bi in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword - Cleartext-Password == {SSHA}2FJYOM+C3mqL2g6wOhcLfjMY2XdoQ4bi
[ldap] looking for reply items in directory...
[ldap] user bernard authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for bernard with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

thank u
Re: MS-CHAP2-Response is incorrect + invalid NT-Password
Hi,

> another question?

why not.

> how does freeradius deal with simultaneous multiple access?

read the mailing list archives? read the documents that come with the product?

doc/Simultaneous-Use

alan
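For readers who follow Alan's pointer to doc/Simultaneous-Use, here is the logic that check reduces to when accounting is kept in SQL. This is an added illustration, not FreeRADIUS code and not from the thread: the sql module counts the user's radacct rows whose acctstoptime is still NULL (its simul_count_query) and the server rejects a new login once that count has reached the Simultaneous-Use limit. The accounting rows are constructed, and nas_says_alive is a hypothetical stand-in for the optional step where the server verifies with the NAS (checkrad) that an open row is not just a session whose Accounting-Stop never arrived.

```python
# Added example, not FreeRADIUS code: the Simultaneous-Use decision over
# accounting rows. RADACCT and nas_says_alive are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class AcctRow:
    username: str
    acctsessionid: str
    nasipaddress: str
    acctstoptime: Optional[str]   # None mirrors "acctstoptime IS NULL": session still open


# Constructed sample accounting rows (not real data).
RADACCT: List[AcctRow] = [
    AcctRow("bernard", "s1", "10.0.0.1", None),                    # open
    AcctRow("bernard", "s2", "10.0.0.1", "2010-03-15 11:00:00"),  # closed, does not count
    AcctRow("bernard", "s3", "10.0.0.2", None),                    # open, possibly stale
    AcctRow("axel",    "s4", "10.0.0.1", None),                    # open
]


def open_sessions(rows: List[AcctRow], username: str) -> List[AcctRow]:
    """Equivalent of: SELECT ... FROM radacct WHERE username = ? AND acctstoptime IS NULL."""
    return [r for r in rows if r.username == username and r.acctstoptime is None]


def simultaneous_use_ok(
    rows: List[AcctRow],
    username: str,
    limit: int,
    nas_says_alive: Optional[Callable[[AcctRow], bool]] = None,
) -> Tuple[bool, int]:
    """Return (allowed, counted_sessions) for a new login attempt.

    nas_says_alive is a hypothetical hook standing in for the optional
    verification against the NAS: rows it reports dead are treated as stale
    and not counted. Without such a step a stale row (stop packet lost) blocks
    the user until deletestalesessions or an operator cleans it up."""
    active = open_sessions(rows, username)
    if nas_says_alive is not None:
        active = [r for r in active if nas_says_alive(r)]
    return len(active) < limit, len(active)


if __name__ == "__main__":
    print(simultaneous_use_ok(RADACCT, "bernard", 2))   # (False, 2): at the limit
    print(simultaneous_use_ok(RADACCT, "bernard", 3))   # (True, 2)
    # Pretend the NAS at 10.0.0.2 no longer knows session s3: it is stale.
    print(simultaneous_use_ok(RADACCT, "bernard", 2, lambda r: r.acctsessionid != "s3"))  # (True, 1)
```

The point to take from the model is that the limit is enforced purely from accounting state; an open row without a matching stop is indistinguishable from a live session unless something checks with the NAS.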
Re: ldap auto header MS-CHAPv2
Hi,

> how can I handle encrypted users' ldap passwords?

depends what you want to do. read the docs and you will see what you can do with what back-end, eg

http://deployingradius.com/documents/protocols/compatibility.html

this shows that LDAP is just a basic store of info... you cannot do eg challenge-response with a basic store. if you want to do that kind of fun and games with mschap then you need to bind the FR server to eg AD and use the ntlm_auth method of getting people authenticated. this is also well documented.

http://deployingradius.com/documents/configuration/active_directory.html

alan
Re: ldap auto header MS-CHAPv2
no, I don't have AD. in other words, I cannot use the windows xp supplicant EAP-MSCHAPv2 as the authentication protocol to authenticate users in an openldap database using ssha1 passwords, is that right?

2010/3/15 Alan Buxey a.l.m.bu...@lboro.ac.uk
> Hi,
>
> > how can I handle encrypted users' ldap passwords?
>
> depends what you want to do. read the docs and you will see what you can do with what back-end, eg
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> this shows that LDAP is just a basic store of info... you cannot do eg challenge-response with a basic store. if you want to do that kind of fun and games with mschap then you need to bind the FR server to eg AD and use the ntlm_auth method of getting people authenticated. this is also well documented.
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> alan
vrf-aware vpdn / l2tp termination / cisco-avpair
Hello all,

I am using FreeRadius 2.1.8 with MySQL to authenticate BBA users. I get L2TP sessions from my ISP (=LAC) arriving in VRF l2tp_vrf which I want to terminate in a different VRF (e.g. inet_vrf). Basic authentication works as long as I do not introduce cisco-avpair attributes. Which ones do I need? I tried lcp:interface-config#1=ip vrf forwarding (inet_vrf) and ip:vrf-id:=inet_vrf in my radgroupreply table - without success. From the debug radius authentication I see "AAA Unsupported Attr: interface" and "parse unknown cisco vsa vrf-id:".

Here are some parts of my Cisco config:

aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update newinfo
aaa accounting exec default action-type start-stop group radius
aaa accounting network default action-type start-stop broadcast group radius
aaa accounting connection default action-type start-stop group radius
aaa session-id common

vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 vpn vrf l2tp_vrf
 source-ip xxx.xxx.xxx.xxx
 local name LNS
 l2tp tunnel password 0 xyz
 ip mtu adjust

interface Virtual-Template1
 mtu 1460
 ip unnumbered Loopback0
 no snmp trap link-status
 peer default ip address pool INET_ADDR_POOL
 no keepalive
 ppp mru match
 ppp authentication pap callin
 ppp ipcp mask 255.255.255.255
end

What am I missing? Thanks in advance!

Cheers,
Alexander

+----+-----------+--------------------+----+------------------------------------------+
| id | GroupName | Attribute          | op | Value                                    |
+----+-----------+--------------------+----+------------------------------------------+
|  1 | dynamic   | Framed-Protocol    | =  | PPP                                      |
|  2 | dynamic   | Framed-MTU         | =  | 1460                                     |
|  3 | dynamic   | Framed-Compression | =  | None                                     |
|  4 | dynamic   | Service-Type       | =  | Framed                                   |
|  5 | dynamic   | Session-Timeout    | =  | 86400                                    |
|  6 | dynamic   | Idle-Timeout       | =  | 3600                                     |
|  7 | dynamic   | cisco-avpair       | =  | ip:ip-unnumbered=lo0                     |
|  8 | dynamic   | cisco-avpair       | =  | ip:vrf-id:=inet_vrf                      |
|  9 | dynamic   | cisco-avpair       | =  | ip:dns-servers=192.92.138.35 193.81.83.2 |
+----+-----------+--------------------+----+------------------------------------------+

rad_recv: Access-Request packet from host xxx.xxx.50.254 port 1645, id=117, length=134
    Framed-Protocol = PPP
    User-Name = dummy
    User-Password = dummypass
    Calling-Station-Id = xxx
    Called-Station-Id = corporate.xyz
    Connect-Info = 864
    NAS-Port-Type = Virtual
    NAS-Port = 106
    NAS-Port-Id = Uniq-Sess-ID106
    Service-Type = Framed-User
    NAS-IP-Address = xxx.xxx.50.254
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = dummy, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[sql] expand: %{User-Name} - dummy
[sql] sql_set_user escaped user -- 'dummy'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dummy' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dummy' ORDER BY id
[sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname FROM usergroup WHERE username = 'dummy' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id - SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id
[sql] User found in group dynamic
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply
Re: ldap auto header MS-CHAPv2
Hi,

> no, I don't have AD. in other words, I cannot use the windows xp supplicant EAP-MSCHAPv2 as the authentication protocol to authenticate users in an openldap database using ssha1 passwords, is that right?

correct:

http://deployingradius.com/documents/protocols/oracles.html

PEAPv0/MS-CHAPv2 requires MSCHAPv2 - that's challenge response. the client never supplies the real password - therefore you cannot compare to a password stored in LDAP.

what you need to use is an EAP method that uses PAP, eg EAP-TTLSv0/PAP

try using a supplicant on the windows machine that gives you this, eg

http://open1x.sourceforge.net/
http://www.securew2.com/

...or grab a Mac OSX machine to do further testing - they have TTLS/PAP support natively.

alan
Re: ldap auto header MS-CHAPv2
On Monday 15 March 2010 13:42:11 Alan Buxey wrote:
> Hi,
>
> > no, I don't have AD. in other words, I cannot use the windows xp supplicant EAP-MSCHAPv2 as the authentication protocol to authenticate users in an openldap database using ssha1 passwords, is that right?
>
> correct:
>
> http://deployingradius.com/documents/protocols/oracles.html
>
> PEAPv0/MS-CHAPv2 requires MSCHAPv2 - that's challenge response. the client never supplies the real password - therefore you cannot compare to a password stored in LDAP.
>
> what you need to use is an EAP method that uses PAP, eg EAP-TTLSv0/PAP

You can use EAP-PEAP as long as you also store samba NT/LM hashes in LDAP (sambaLMPassword and sambaNTPassword). If you have these hashes you may use the Windows XP built-in supplicant.

> try using a supplicant on the windows machine that gives you this, eg
>
> http://open1x.sourceforge.net/
> http://www.securew2.com/
>
> ...or grab a Mac OSX machine to do further testing - they have TTLS/PAP support natively.
>
> alan
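Three points in these two threads turn on the same fact: Nicolas's decode of 0x7465737420 as the ASCII bytes "test " (an NT-Password check item holds a 16-byte MD4 hash, not hex-encoded cleartext), Alan's point that MS-CHAPv2 never carries the cleartext so a {SSHA} userPassword cannot serve it, and the follow-up that a sambaNTPassword-style NT hash does. The code below is an added illustration written for this page; it is not from the thread and not FreeRADIUS code. It carries its own MD4 (hashlib's md4 is often unavailable under OpenSSL 3), computes the value an NT-Password item should contain, checks a debug value for the right shape, and shows the {SSHA} verification that only PAP, holding the cleartext, can perform. The salt and sample passwords are constructed for the example; the thread's real {SSHA} value is not reused.

```python
# Added example: not from the mailing-list thread and not FreeRADIUS code.
# Shows (1) why 0x7465737420 from the debug output is not an NT hash,
# (2) what a real NT-Password check item contains (MD4 over UTF-16LE), and
# (3) why a {SSHA} userPassword can be checked by PAP, which has the cleartext,
# but never by MS-CHAPv2, which only ever sees a challenge response.
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is defined in terms of it."""
    def rol(x, s):
        return ((x << s) | (x >> (32 - s))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rol((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate the working variables
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the password encoded as UTF-16LE, no terminator."""
    return md4(password.encode("utf-16-le"))


def nt_password_attr(password: str) -> str:
    """The form an NT-Password check item carries: 0x followed by 32 hex digits."""
    return "0x" + nt_hash(password).hex()


def looks_like_nt_hash(value: str) -> bool:
    """An NT hash is exactly 16 bytes; 0x7465737420 is 5 bytes, so it cannot be one."""
    body = value[2:]
    return value.startswith("0x") and len(body) == 32 and all(c in "0123456789abcdefABCDEF" for c in body)


def decode_octets(value: str) -> bytes:
    """Turn a 0x... debug value back into raw bytes to see what was really stored."""
    return bytes.fromhex(value[2:])


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt). The salt is passed
    in so the example is reproducible; a directory would pick a random one."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """What PAP can do: re-hash the cleartext from the request with the stored
    salt and compare. On the MS-CHAPv2 path there is no cleartext to pass in."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


if __name__ == "__main__":
    print(decode_octets("0x7465737420"))        # b'test '  (ASCII with a trailing space)
    print(looks_like_nt_hash("0x7465737420"))   # False
    print(nt_password_attr("test"))             # what the check item should have held
    stored = make_ssha("test", salt=b"example-salt")   # constructed, not the thread's value
    print(verify_ssha("test", stored), verify_ssha("test ", stored))   # True False
```

The trailing-space case is the one Alan spotted: with {SSHA} the two strings verify differently, and with NT-Password they would produce two different 16-byte hashes, but a check item that merely hex-encodes the cleartext will never match either way.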
Dynamically assign realm name when using DEFAULT realm
I am using FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu

I am trying to take the username of a format 'realm/username' and have FreeRADIUS take the 'realm' and pass it on in a sql query using %{Realm} and take the 'username' and pass it on with %{SQL-User-Name}. I have found I can do a DEFAULT realm, but the realm is passed on as DEFAULT instead of the name of the realm that was tried. Is there a better way to get the realm the user entered and pass it on in a SQL query?

I have a SQL table with usernames and locations. When a user authenticates I want the username to match the username field only if the realm matches the location field in the database.

Jer
convert mysql from ICRadius to Free
We can't find any info how to do this, but we can't be the first, either. Anybody got howtos or recipes for converting the MySQL db?

Len
accounting on msql
hi,

I just want to manage accounting on mysql, so I copied the schema.sql to /etc/freeradius, did

mysql -u root -p accounting < schema.sql

and I got this:

ERROR 1064 (42000) at line 17: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[radacct] ( [RadAcctId] [numeric](21, 0) IDENTITY (1, 1) NOT NULL , [AcctSessi' at line 1

I compared the schema.sql to the one at http://wiki.freeradius.org/MS-SQL_DDL_script, nothing changed. somebody has a clue?

thanks
How to handle challenge response using PAM auth in FreeRadius
Hello,

I am developing a PAM module for the radius server. The radius server is configured to use PAM auth. It reads /etc/pam.d/radiusd and loads it on receiving an auth request. The PAM module talks to an external Authentication server and sometimes gets back a Challenge Response. How can this be returned back to the radius server from pam_sm_authenticate in my PAM module?

Please note that this is different than what pam_radius_auth.c does. pam_radius_auth.c talks to radius directly via the network, whereas my module directly gets loaded by Radius.

Why should there not be a way to return a Challenge Response from linux PAM back to its loader? Can this possible linux limitation be overcome by radius calling another exported function of the PAM module covering all scenarios including Challenge Response? Where should I look in the freeradius codebase, if I were to add that functionality?

with best regards,

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD
Re: How to handle challenge response using PAM auth in FreeRadius
On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
> Hello,
>
> I am developing a PAM module for the radius server. The radius server is configured to use PAM auth. It reads /etc/pam.d/radiusd and loads it on receiving an auth request. The PAM module talks to an external Authentication server and sometimes gets back a Challenge Response. How can this be returned back to the radius server from pam_sm_authenticate in my PAM module?
>
> Please note that this is different than what pam_radius_auth.c does. pam_radius_auth.c talks to radius directly via the network, whereas my module directly gets loaded by Radius.
>
> Why should there not be a way to return a Challenge Response from linux PAM back to its loader? Can this possible linux limitation be overcome by radius calling another exported function of the PAM module covering all scenarios including Challenge Response? Where should I look in the freeradius codebase, if I were to add that functionality?
>
> with best regards,

Your question is a bit muddled. I'm not sure if you're asking how to forward the challenge through RADIUS back to the client or if you're just asking how to handle a pam conversation within your authentication module. If it's the former, then the answer is you can't do that in general. On the other hand, if all you want to know is how to handle a pam conversation then take a look at rlm_pam.c and see the function PAM_conv and read the man page for pam_conv.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: accounting on msql
Hi,

> I just want to manage accounting on mysql, so I copied the schema.sql to /etc/freeradius, did mysql -u root -p accounting < schema.sql and I got this:
>
> ERROR 1064 (42000) at line 17: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[radacct] ( [RadAcctId] [numeric](21, 0) IDENTITY (1, 1) NOT NULL , [AcctSessi' at line 1

that'd be the Microsoft SQL you've tried using (mssql)

> I compared the schema.sql to the one at http://wiki.freeradius.org/MS-SQL_DDL_script, nothing changed.

I repeat... that'd be mssql you've just tried using, NOT MySQL.

if you want to use MySQL, then please use the MySQL schema, the MySQL commands and please follow the MySQL documentation. not sure where your schema would be lying around on your OS... but you can easily grab it from the source - it's in the raddb/sql/mysql/ directory and has the following line near the top

# Database schema for MySQL rlm_sql module #

..then simply use the dialup.conf etc (basically, configure sql.conf and add/uncomment the relevant lines in the default and inner-tunnel virtual servers)

alan
RE: How to handle challenge response using PAM auth in FreeRadius
Hello,

The scenario is like this:

{remote client} - {radius} --- {PAM} {Extern Authenticator}

Now when the external authenticator sends a challenge to PAM, I do not see an easy way to pass the challenge text back to radius. Please note that pam_sm_authenticate allows either a SUCCESS or FAILURE return but not a Challenge text return.

Thanks,

From: John Dennis [mailto:jden...@redhat.com]
Sent: Mon 3/15/2010 12:56 PM
To: FreeRadius users mailing list
Cc: Rajendra Hegde
Subject: Re: How to handle challenge response using PAM auth in FreeRadius

> On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
> > [...]
>
> Your question is a bit muddled. I'm not sure if you're asking how to forward the challenge through RADIUS back to the client or if you're just asking how to handle a pam conversation within your authentication module. If it's the former, then the answer is you can't do that in general. On the other hand, if all you want to know is how to handle a pam conversation then take a look at rlm_pam.c and see the function PAM_conv and read the man page for pam_conv.
>
> --
> John Dennis jden...@redhat.com
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: How to handle challenge response using PAM auth in FreeRadius
On 03/15/2010 01:12 PM, Rajendra Hegde wrote:
> Hello,
>
> The scenario is like this:
>
> {remote client} - {radius} --- {PAM} {Extern Authenticator}
>
> Now when the external authenticator sends a challenge to PAM, I do not see an easy way to pass the challenge text back to radius. Please note that pam_sm_authenticate allows either a SUCCESS or FAILURE return but not a Challenge text return.

I gave you the answer, it's done with pam_conv, you should read the code in rlm_pam.c.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Mac Auth with MySQL
Hello,

I'll try to make MAC Authentication with a MySQL backend. But I always get rejected. MAC Authentication only works if I add lines like the following into /etc/raddb/users:

90:4C:E5:6C:7E:B6 Auth-Type := Accept

I use OpenBSD 4.6, FreeRadius 2.1.3 and MySQL 5.0.83. What should I do to make it work with MySQL?

mysql> use radius;
Database changed
mysql> select * from radcheck;
+----+-------------------+-----------+----+---------+
| id | username          | attribute | op | value   |
+----+-------------------+-----------+----+---------+
|  2 | 90:4C:E5:6C:7E:B6 | Password  | == | testpwd |
+----+-------------------+-----------+----+---------+
1 row in set (0.00 sec)

mysql> select * from radusergroup;
+-------------------+-----------+----------+
| username          | groupname | priority |
+-------------------+-----------+----------+
| 90:4C:E5:6C:7E:B6 | xs4all    |        1 |
+-------------------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+-----------+----+--------+
| id | groupname | attribute | op | value  |
+----+-----------+-----------+----+--------+
|  3 | xs4all    | Auth-Type | := | Accept |
+----+-----------+-----------+----+--------+
1 row in set (0.00 sec)

radiusd -X -xx

Tue Mar 16 00:38:10 2010 : Debug: }
Tue Mar 16 00:38:10 2010 : Debug: (Loaded rlm_files, checking if it's valid)
Tue Mar 16 00:38:10 2010 : Debug: Module: Linked to module rlm_files
Tue Mar 16 00:38:10 2010 : Debug: Module: Instantiating files
Tue Mar 16 00:38:10 2010 : Debug: files {
Tue Mar 16 00:38:10 2010 : Debug: usersfile = /etc/raddb/users
Tue Mar 16 00:38:10 2010 : Debug: acctusersfile = /etc/raddb/acct_users
Tue Mar 16 00:38:10 2010 : Debug: preproxy_usersfile = /etc/raddb/preproxy_users
Tue Mar 16 00:38:10 2010 : Debug: compat = no
Tue Mar 16 00:38:10 2010 : Debug: }
Tue Mar 16 00:38:10 2010 : Debug: (Loaded rlm_sql, checking if it's valid)
Tue Mar 16 00:38:10 2010 : Debug: Module: Linked to module rlm_sql
Tue Mar 16 00:38:10 2010 : Debug: Module: Instantiating sql
Tue Mar 16 00:38:10 2010 : Debug: sql {
Tue Mar 16 00:38:10 2010 : Debug: driver = rlm_sql_mysql
Tue Mar 16 00:38:10 2010 : Debug: server = localhost
Tue Mar 16 00:38:10 2010 : Debug: port =
Tue Mar 16 00:38:10 2010 : Debug: login = radius
Tue Mar 16 00:38:10 2010 : Debug: password = passwordradius
Tue Mar 16 00:38:10 2010 : Debug: radius_db = radius
Tue Mar 16 00:38:10 2010 : Debug: read_groups = yes
Tue Mar 16 00:38:10 2010 : Debug: sqltrace = no
Tue Mar 16 00:38:10 2010 : Debug: sqltracefile = /var/log/radius/sqltrace.sql
Tue Mar 16 00:38:10 2010 : Debug: readclients = yes
Tue Mar 16 00:38:10 2010 : Debug: deletestalesessions = yes
Tue Mar 16 00:38:10 2010 : Debug: num_sql_socks = 5
Tue Mar 16 00:38:10 2010 : Debug: sql_user_name = %{User-Name}
Tue Mar 16 00:38:10 2010 : Debug: default_user_profile =
Tue Mar 16 00:38:10 2010 : Debug: nas_query = SELECT id, nasname, shortname, type, secret FROM nas
Tue Mar 16 00:38:10 2010 : Debug: authorize_check_query = SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
Tue Mar 16 00:38:10 2010 : Debug: authorize_reply_query = SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
Tue Mar 16 00:38:10 2010 : Debug: authorize_group_check_query = SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
Tue Mar 16 00:38:10 2010 : Debug: authorize_group_reply_query = SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
Tue Mar 16 00:38:10 2010 : Debug: accounting_onoff_query = UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'
Tue Mar 16 00:38:10 2010 : Debug: accounting_update_query = UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'
Tue Mar 16
RE: How to handle challenge response using PAM auth in FreeRadius
pam_conv is good for holding an interactive conversation locally for applications such as login, su etc. When used with a RADIUS server, pam_conv failed to prompt at the remote client. Please note that we are not interested in the local conversation where PAM is located. The remote client I have used is one of the test applications from the radius suite.

Let me ask you further. Note: A and B are machines.

{client @ A} --- {radius at B} -- {PAM @ B}

Now when I tested as said above, a call to pam_conv in the PAM module at machine B did nothing. Are you sure it does prompt with a message at client @ A?

I look forward to your reply.

Thanks,

From: John Dennis [mailto:jden...@redhat.com]
Sent: Mon 3/15/2010 1:51 PM
To: Rajendra Hegde
Cc: FreeRadius users mailing list
Subject: Re: How to handle challenge response using PAM auth in FreeRadius

On 03/15/2010 01:12 PM, Rajendra Hegde wrote:
> Hello,
> The scenario is like this:
> {remote client } - {radius} --- {PAM} {Extern Authenticator}
> Now when the external authenticator sends a challenge to PAM, I do not see an easy way to pass the challenge text back to the radius. Please note that pam_sm_authenticate allows either SUCCESS or FAILURE return but not Challenge text return.

I gave you the answer, it's done with pam_conv, you should read the code in rlm_pam.c.

--
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mac Auth with MySQL
> Hi,
> I'll try to make MAC authentication with a MySQL backend, but I am always rejected. MAC authentication only works if I add lines like the following to /etc/raddb/users:
>
> 90:4C:E5:6C:7E:B6 Auth-Type := Accept
>
> I use OpenBSD 4.6, FreeRadius 2.1.3 and MySQL 5.0.83. What should I do to make it work with MySQL?

very easy. just set the username to the MAC address and set the value of the clear text password to be the MAC address too. i don't know WHY you've set the value to 'testpwd' - when you use MAC authentication, then the password is the MAC. ie

> Database changed
> mysql> select * from radcheck;
> +----+-------------------+-----------+----+---------+
> | id | username          | attribute | op | value   |
> +----+-------------------+-----------+----+---------+
> |  2 | 90:4C:E5:6C:7E:B6 | Password  | == | testpwd |
> +----+-------------------+-----------+----+---------+

nope. use this

id  username           attribute           op  value
10  90:4C:E5:6C:7E:B6  Cleartext-Password  :=  90:4C:E5:6C:7E:B6

> Tue Mar 16 00:40:41 2010 : Debug: WARNING: Are you sure you don't mean Cleartext-Password?

see that hint?

if your kit doesn't transmit the correct details in the RADIUS - ie it doesn't transmit the MAC as the password, then you'll have to set the Accept..but that can also be done in the SQL! eg

id  username           attribute  op  value
11  90:4C:E5:6C:7E:B6  Auth-Type  :=  Accept

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mac Auth with MySQL
On Tue, Mar 16, 2010 at 2:33 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>> I'll try to make MAC authentication with a MySQL backend, but I am always rejected. MAC authentication only works if I add lines like the following to /etc/raddb/users:
>>
>> 90:4C:E5:6C:7E:B6 Auth-Type := Accept
>>
>> I use OpenBSD 4.6, FreeRadius 2.1.3 and MySQL 5.0.83. What should I do to make it work with MySQL?
>
> very easy. just set the username to the MAC address and set the value of the clear text password to be the MAC address too. i don't know WHY you've set the value to 'testpwd' - when you use MAC authentication, then the password is the MAC. ie
>
>> Database changed
>> mysql> select * from radcheck;
>> +----+-------------------+-----------+----+---------+
>> | id | username          | attribute | op | value   |
>> +----+-------------------+-----------+----+---------+
>> |  2 | 90:4C:E5:6C:7E:B6 | Password  | == | testpwd |
>> +----+-------------------+-----------+----+---------+
>
> nope. use this
>
> id  username           attribute           op  value
> 10  90:4C:E5:6C:7E:B6  Cleartext-Password  :=  90:4C:E5:6C:7E:B6
>
>> Tue Mar 16 00:40:41 2010 : Debug: WARNING: Are you sure you don't mean Cleartext-Password?
>
> see that hint?
>
> if your kit doesn't transmit the correct details in the RADIUS - ie it doesn't transmit the MAC as the password, then you'll have to set the Accept..but that can also be done in the SQL! eg
>
> id  username           attribute  op  value
> 11  90:4C:E5:6C:7E:B6  Auth-Type  :=  Accept

it works. Thanks alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
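The thread above comes down to how rlm_sql treats the `op` column of radcheck: a row with `==` is a comparison against what the NAS sent, while `:=` sets a control item that a later module (rlm_pap for `Cleartext-Password`, the core for `Auth-Type`) acts on. The following is an added example, not code from the thread or from FreeRADIUS, that models that distinction in a few lines of Python so the three radcheck variants discussed (the original `Password == testpwd`, the `Cleartext-Password := <MAC>` fix, and the `Auth-Type := Accept` fallback) can be run against a constructed MAC-auth request. The evaluation order and the rows are simplifications and constructed data (assumption), not the server's real code path.

```python
"""Added example (not from the thread or FreeRADIUS): a simplified model of
how radcheck rows are applied to a MAC-authentication Access-Request.
Semantics are an assumption that follows the documented meaning of the
operators: '==' compares against the request, ':=' sets a control item."""

MAC = "90:4C:E5:6C:7E:B6"

# Constructed radcheck rows: (id, username, attribute, op, value).
# The original poster's row (rejects: the NAS sends the MAC, not 'testpwd').
RADCHECK_ORIGINAL = [(2, MAC, "User-Password", "==", "testpwd")]
# Alan's fix: the known-good password is the MAC, compared by rlm_pap.
RADCHECK_FIXED = [(10, MAC, "Cleartext-Password", ":=", MAC)]
# Fallback for kit that does not send the MAC as the password.
RADCHECK_ACCEPT = [(11, MAC, "Auth-Type", ":=", "Accept")]


def authorize(radcheck, request):
    """Model of the authorize stage for rlm_sql.

    Returns the control items for the user, or None when the user is not
    found or one of the '==' check items does not match the request.
    """
    rows = [r for r in radcheck if r[1] == request.get("User-Name")]
    if not rows:
        return None                      # no radcheck rows: user unknown
    control = {}
    for _id, _user, attr, op, value in rows:
        if op == "==":
            # Comparison against the request: mismatch means the entry
            # does not apply, so the module finds nothing for this user.
            if request.get(attr) != value:
                return None
        elif op == ":=":
            control[attr] = value        # control item for later modules
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return control


def authenticate(control, request):
    """Model of the authenticate stage: Auth-Type := Accept short-circuits,
    otherwise rlm_pap compares User-Password with Cleartext-Password."""
    if control is None:
        return "reject"
    if control.get("Auth-Type") == "Accept":
        return "accept"
    if "Cleartext-Password" in control:
        ok = request.get("User-Password") == control["Cleartext-Password"]
        return "accept" if ok else "reject"
    return "reject"                      # no known-good password to check


def radius_decision(radcheck, request):
    return authenticate(authorize(radcheck, request), request)


def mac_request(mac=MAC, password=MAC):
    """Constructed Access-Request as a MAC-auth NAS typically builds it:
    User-Name and User-Password both carry the MAC address."""
    return {"User-Name": mac, "User-Password": password}


if __name__ == "__main__":
    for label, rows in (("original", RADCHECK_ORIGINAL),
                        ("fixed", RADCHECK_FIXED),
                        ("accept", RADCHECK_ACCEPT)):
        print(f"{label:9s} -> {radius_decision(rows, mac_request())}")
```

Two points the model makes visible: `Auth-Type` is a control item, so it belongs in radcheck (or radgroupcheck), and an `Auth-Type := Accept` row accepts any request for that username regardless of the password, which is why the `Cleartext-Password` form is preferable whenever the NAS actually sends the MAC as the password.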
Re: eapol_test retransmits 10 times
Thanks for the note. i restored the values of RADIUS_CLIENT_FIRST_WAIT and RADIUS_CLIENT_MAX_ENTRIES to their original values. But changing RADIUS_CLIENT_MAX_RETRIES from 10 to 0 or any value does not make any difference. It still sends access-request 10 times. I am doing make eapol_test followed by cp eapol_test /usr/local/bin/

I wrote to hos...@lists.shmoo.com, but no response.

thanks for your time.

thanks,
rajitha.

From: Jouni Malinen jkmali...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sat, March 13, 2010 1:47:17 AM
Subject: Re: eapol_test retransmits 10 times

On Thu, Mar 11, 2010 at 12:16 AM, R C rc_w...@yahoo.com wrote:
> My eapol_test retransmits 10 times even though i set the RADIUS_CLIENT_MAX_RETRIES to 0. How can i avoid it retransmitting 10 times? It retransmits 10 times every 150 seconds.

Why did you change RADIUS_CLIENT_FIRST_WAIT and RADIUS_CLIENT_MAX_ENTRIES values in addition to just the maximum retries count?

> #define RADIUS_CLIENT_MAX_ENTRIES 0

This breaks the RADIUS client code since you do not leave any room for storing pending entries.

PS. If you have questions related to eapol_test implementation or details, the hostap mailing list would be a better target for them..

- Jouni

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to handle challenge response using PAM auth in FreeRadius
Perhaps you could explain why you're writing your own PAM module, rather than using the one that comes with FreeRADIUS. Then, explain why PAM conversation questions are for the FreeRADIUS list, and not the PAM list. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html