Re: Strip off the domain part from the User-Name

2011-04-04 Thread Thomas Wunder
Hi,
On Friday 01 April 2011 18:32:21 Phil Mayers wrote:
> On 01/04/11 13:43, Thomas Wunder wrote:
>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>> [mschap] Found NT-Password
>> [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name
>> (tom1) from EAP-MSCHAPv2
>
> What client are you using?

My client is an HP ProCurve 2910al edge switch and I'm trying to connect to it
via the 802.1X (wired) supplicant which is natively included in Win7
Professional. (As I said in my very first post, the whole process of 802.1X
authentication/authorization works well unless I check the "Automatically use
my Windows logon name and password (and domain if any)." option, which I
actually have to.)

> It's sending:
>
> EAP-Identity username=winmac\tom
>
> ...then a 2nd packet:
>
> EAP-MSCHAP username=tom

What I found particularly strange is the line of output where it says "PEAP:
Setting User-Name to winmac\tom1". Is this done by the server-side PEAP
implementation or is this related to the client (Windows?) side behavior?

I don't like my solution of just commenting things out in the code and 
therefore I'd really prefer something more adequate...

regards
 Tom
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Strip off the domain part from the User-Name

2011-04-04 Thread Phil Mayers

On 04/04/2011 07:57 AM, Thomas Wunder wrote:
> Hi,
> On Friday 01 April 2011 18:32:21 Phil Mayers wrote:
>> On 01/04/11 13:43, Thomas Wunder wrote:
>>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>>> [mschap] Found NT-Password
>>> [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name
>>> (tom1) from EAP-MSCHAPv2
>>
>> What client are you using?
>
> My client is an HP ProCurve 2910al edge switch and I'm trying to
> connect to it via the 802.1X (wired) supplicant which is natively
> included in Win7 Professional. (As I said in my very first post, the
> whole process of 802.1X authentication/authorization works well
> unless I check the "Automatically use my Windows logon name and
> password (and domain if any)." option, which I actually have to.)

So it's the Windows 7 native supplicant?

Then frankly I don't understand how you can be having these problems.
Loads and loads of people use 802.1X under Windows (including Win7) to a
FreeRADIUS server without problems.

The code which is causing you issues is common to both the ntlm_auth
helper-mode and internal mschap implementations, so everyone is hitting
that code path. FWIW I think the code does the right thing:
EAP-Identity replies should be the same as the inner MSCHAP username,
and attempts to change the username should be rejected.

The only thing I can suggest is starting again from scratch with a clean
install, and making one change at a time.

Sorry I can't be more help.

>> It's sending:
>>
>> EAP-Identity username=winmac\tom
>>
>> ...then a 2nd packet:
>>
>> EAP-MSCHAP username=tom
>
> What I found particularly strange is the line of output where it says
> "PEAP: Setting User-Name to winmac\tom1". Is this done by the server
> side PEAP implementation or is this related to the client (Windows?)
> side behavior?

It's complicated, but basically after the PEAP tunnel has been
established, FreeRADIUS asks the client for the username and sets it
from the reply, so it's the server doing it, from client data.

The packet flow inside the PEAP (SSL) tunnel is as follows:

server: EAP-Identity request
client: EAP-Identity response username=winmac\tom
server: EAP-MSCHAP challenge
client: EAP-MSCHAP response=xxx username=tom

...See the problem? The client is changing the username. This could be
abused for malicious purposes if allowed, so it's denied.

But it doesn't happen to anyone else.

It's possible the "Use my login credentials" option is broken under
Win7. AFAIK most people don't use it.

Is the machine in question (WINMAC) a domain member?
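The inner-tunnel check Phil describes, as an added example that is not FreeRADIUS code: it models comparing the EAP-Identity sent inside the PEAP tunnel with the name carried in the EAP-MSCHAPv2 response, tolerating only a leading NT-domain prefix, and only when the operator explicitly allows that. The InnerExchange type, the allow_domain_prefix flag and the reason strings are assumptions for illustration.

```python
# Added example (not FreeRADIUS code): models the "User-Name is not the same as
# MS-CHAP Name" check performed inside the PEAP tunnel. A client that sends one
# identity in the EAP-Identity response and another in the EAP-MSCHAPv2
# response would otherwise authenticate as one user and be authorized and
# accounted as another, which is why the mismatch is rejected.
from dataclasses import dataclass


@dataclass
class InnerExchange:
    eap_identity: str   # EAP-Identity response inside the tunnel, e.g. "winmac\\tom1"
    mschap_name: str    # name field of the EAP-MSCHAPv2 response, e.g. "tom1"


def strip_nt_domain(name: str) -> tuple[str, str]:
    """Split "DOMAIN\\user" into (domain, user); no backslash means no domain."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else ("", name)


def check_inner_username(x: InnerExchange, allow_domain_prefix: bool) -> tuple[bool, str]:
    """Return (accept, reason) for the two names seen inside the tunnel.

    allow_domain_prefix (an assumed policy knob) lets "DOMAIN\\user" in the
    outer identity match a bare "user" in the MS-CHAP response, which is what
    the Windows "use my logon name and password (and domain)" option produces.
    Any other difference is a username change and is refused."""
    if x.eap_identity == x.mschap_name:
        return True, "identity and MS-CHAP name match"
    outer_domain, outer_user = strip_nt_domain(x.eap_identity)
    if allow_domain_prefix and outer_domain and outer_user == x.mschap_name:
        return True, f"MS-CHAP name matches identity after stripping domain {outer_domain!r}"
    return False, (f"User-Name ({x.eap_identity}) is not the same as "
                   f"MS-CHAP Name ({x.mschap_name})")


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's debug output.
    for flag in (False, True):
        print(flag, check_inner_username(InnerExchange("winmac\\tom1", "tom1"), flag))
    print(check_inner_username(InnerExchange("winmac\\tom1", "bob"), True))
```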


unlang question

2011-04-04 Thread Omer Faruk SEN
I want to insert the Quintum-h323-remote-address value into the radacct table at
sql/db/dialup.conf. I have made my modifications but I see entries
like

 h323-remote-address=3D10.241.1.202 which is

 h323-remote-address=10.241.1.202 but I only want 10.241.1.202 (the IP address).

My entry in the details file:

Quintum-h323-remote-address = h323-remote-address=10.100.250.150

I want

10.100.250.150

PS: I know there is a hack for quintum but for some reason I am forced
not to use it. I have looked at unlang but unable to find a solution
for that.

Regards.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


bug

2011-04-04 Thread Rtz Poknat
hello,

I deleted an entry in the database, yet it returns, and the session time is 59000
seconds. I checked the OpenVPN server but no user is connected and it is
continuously updating the last update in the SQL table. Also, even if I turn off the
NAS, the entry still updates by itself (a ghost??).

Can anyone point out what other factors might be causing this update? What files?

Please help, thanks.

RE: unlang question

2011-04-04 Thread Garber, Neal
> I have made my modifications

Perhaps if you show us the modifications, someone might be able to suggest 
what's wrong.



Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Stefan Winter
Hi,

PEAP can work with or without client certs. Both run through the tls
instance; that is no error. The problem is much rather here:

> Sending Access-Challenge of id 219 to ... port 32769
> Waking up in 2.0 seconds.
> Cleaning up request 0 ID 219 with timestamp +3
> WARNING: !!
> WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!
> Ready to process requests.

The client probably doesn't like the server certificate, and stops
talking to the server.

When you cloned your RADIUS server, did you give the clone a different
certificate afterwards? FreeRADIUS will generate a sample one on first
start. If your client only trusts the old one, it won't talk to the new
one...

Greetings,

Stefan Winter


> eap.conf:
>
> eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>
>         md5 {
>         }
>
>         tls {
>                 certdir = /etc/hostcertkey
>                 cadir = /etc/cacert
>                 dh_file = ${certdir}/dh
>                 private_key_file = ${certdir}/roaming.key
>                 certificate_file = ${certdir}/roaming.pem
>                 CA_file = ${cadir}/chain.txt
>                 dh_file = ${certdir}/dh
>                 random_file = /dev/urandom
>                 fragment_size = 1024
>                 include_length = yes
>                 check_crl = no
>                 cipher_list = DEFAULT
>         }
>
>         ttls {
>                 default_eap_type = mschapv2
>                 copy_request_to_tunnel = yes
>                 #use_tunneled_reply = yes
>                 virtual_server = eduroam-inner-tunnel
>         }
>
>         peap {
>                 default_eap_type = mschapv2
>                 copy_request_to_tunnel = yes
>                 #use_tunneled_reply = yes
>                 #proxy_tunneled_request_as_eap = yes
>                 virtual_server = eduroam-inner-tunnel
>         }
>
>         mschapv2 {
>         }
> }



-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Jürgen Stader

Hi,

thanks for your reply.

On 04.04.2011 16:27, Stefan Winter wrote:
> Hi,
>
> PEAP can work with or without client certs. Both run through the tls
> instance; that is no error. The problem is much rather here:
>
>> Sending Access-Challenge of id 219 to ... port 32769
>> Waking up in 2.0 seconds.
>> Cleaning up request 0 ID 219 with timestamp +3
>> WARNING: !!
>> WARNING: !! EAP session for state 0x3abc7e1c3abf6764 did not finish!
>> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
>> WARNING: !!
>> Ready to process requests.
>
> The client probably doesn't like the server certificate, and stops
> talking to the server.
>
> When you cloned your RADIUS server, did you give the clone a different
> certificate afterwards? FreeRADIUS will generate a sample one on first
> start. If your client only trusts the old one, it won't talk to the new
> one...

The original RADIUS has a trusted certificate, signed by our CA. The
clone also has a trusted certificate with its DN registered in DNS.
I edited the corresponding section in eap.conf and placed the filename
of the new certificate and key file there.

> private_key_file = ${certdir}/roaming.key
> certificate_file = ${certdir}/roaming.pem

The certificates were generated with the same attributes (except the DN).


Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Alan DeKok
Jürgen Stader wrote:
>> When you cloned your RADIUS server, did you give the clone a different
>> certificate afterwards?

  Since you didn't answer that question directly, it looks like a yes.

> The original RADIUS has a trusted certificate, signed by our CA. The
> clone also has a trusted certificate with its DN registered in DNS.
> I edited the corresponding section in eap.conf and placed the filename
> of the new certificate and key file there.
>
> private_key_file = ${certdir}/roaming.key
> certificate_file = ${certdir}/roaming.pem
>
> The certificates were generated with the same attributes (except the DN).

  Which avoids answering the question.

  The solution to the problem is simple.  The answer is in front of you.

  Alan DeKok.


Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Jürgen Stader

On 04.04.2011 18:02, Alan DeKok wrote:
> Jürgen Stader wrote:
>>> When you cloned your RADIUS server, did you give the clone a different
>>> certificate afterwards?
>
>    Since you didn't answer that question directly, it looks like a yes.

You're right, but you can read this out of the lines. The two machines
have different certificates, signed by the same CA.

>> The original RADIUS has a trusted certificate, signed by our CA. The
>> clone also has a trusted certificate with its DN registered in DNS.
>> I edited the corresponding section in eap.conf and placed the filename
>> of the new certificate and key file there.
>>
>> private_key_file = ${certdir}/roaming.key
>> certificate_file = ${certdir}/roaming.pem
>>
>> The certificates were generated with the same attributes (except the DN).
>
>    Which avoids answering the question.
>
>    The solution to the problem is simple.  The answer is in front of you.
>
>    Alan DeKok.

Looks like I'm blind... please give me a hint ;-)


Re: bug

2011-04-04 Thread Alan Buxey
hi,

turn on sqltrace and turn on tcpdump - you will find what is causing it

alan


Re: How to make a NAS(Cisco) send MSCHAP request

2011-04-04 Thread Alan Buxey
hi,

> To all Cisco guys out there how can I make a NAS(Cisco 2960 switch) to
> send MSCHAP requests to FR server instead of PAP requests.

what makes you even think it can? are you talking about the cisco switch
device itself for local admin access etc or are you talking about end clients
using 802.1X on that switch?

alan


Custom sql post-auth help

2011-04-04 Thread Trey Briggs
Hi,

I'm trying to get similar logging in mysql to what you see with:

log {
  ...
  auth = yes
  auth_badpass = yes
  auth_goodpass = yes
}

Login OK: [user/pass] (from client client port 0)

I've found how to log accepts and rejects using the sql module in the
post-auth section, but I'm unsure how to insert the client info (name or IP
is fine).

Here's what I've tried:

sql/mysql/dialup.conf:

postauth_query = "INSERT INTO ${postauth_table} \
  (username, pass, nas_id, reply, authdate, nas_ip) \
  VALUES ( \
  '%{User-Name}', \
  '%{%{User-Password}:-%{Chap-Password}}', \
  '%{NAS-Identifier}', \
  '%{reply:Packet-Type}', \
  '%S', \
  '%{NAS-IP-Address}')"

It doesn't appear that NAS-IP-Address has any data at this point in
the chain; the debug output shows this as the query run:

rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth   (username, pass, nas_id, reply,
authdate, nas_ip) VALUES ( 'X', '', 'Y', 'Access-Accept',
'2011-04-04 13:56:33', '')

Is there another variable I can use to get the client name/ip inserted into
the db? Is this even possible in post-auth?

Thanks in advance,

-- 
Trey Briggs

Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Stefan Winter
Hi,

>>   The solution to the problem is simple.  The answer is in front of
>> you.
>>
>>   Alan DeKok.
> Looks like I'm blind... please give me a hint ;-)

Dude... supplicants are typically configured to trust only the exact one
certificate that is in the RADIUS Server (CN=... is in the supplicant
conf). If you change the Subject in the cert... the supplicant won't
like it any more.

Stefan

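Stefan's explanation above (and his first reply about the cloned server's certificate), as an added example that is not FreeRADIUS or any supplicant's code: it models the two checks a PEAP supplicant applies to the server certificate, CA trust and the pinned server name, showing why the clone's certificate is refused even though the same CA signed it, and what changes once the new name is allowed. The certificate records, names and the policy structure are constructed assumptions.

```python
# Added example (not FreeRADIUS or supplicant code): models supplicant-side
# server certificate validation during PEAP. When this check fails the client
# simply stops the EAP conversation; the RADIUS server sees nothing but the
# "EAP session for state ... did not finish" warning quoted in the thread.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    subject_cn: str   # CN of the RADIUS server certificate (the "DN" in the thread)
    issuer_cn: str    # CN of the CA that signed it


@dataclass
class SupplicantPolicy:
    trusted_ca_cns: set                               # accepted CAs
    server_names: set = field(default_factory=set)    # pinned CNs; empty = any name


def validate_server_cert(cert: ServerCert, policy: SupplicantPolicy) -> tuple[bool, str]:
    """Return (accept, reason): chain trust first, then the pinned server name."""
    if cert.issuer_cn not in policy.trusted_ca_cns:
        return False, f"issuer {cert.issuer_cn!r} is not a trusted CA"
    if policy.server_names and cert.subject_cn not in policy.server_names:
        return False, (f"server name {cert.subject_cn!r} is not in the pinned list "
                       f"{sorted(policy.server_names)}")
    return True, "certificate accepted"


# Constructed data: the original server and its clone, both signed by the same
# CA but with different subject DNs, as described in the thread.
ORIGINAL = ServerCert(subject_cn="radius.example.org", issuer_cn="Example CA")
CLONE = ServerCert(subject_cn="radius2.example.org", issuer_cn="Example CA")


def scenario() -> dict:
    """Outcome for each server before and after the supplicant learns the new name."""
    pinned_to_original = SupplicantPolicy({"Example CA"}, {"radius.example.org"})
    updated = SupplicantPolicy({"Example CA"},
                               {"radius.example.org", "radius2.example.org"})
    return {
        "original": validate_server_cert(ORIGINAL, pinned_to_original)[0],
        "clone_before_fix": validate_server_cert(CLONE, pinned_to_original)[0],
        "clone_after_fix": validate_server_cert(CLONE, updated)[0],
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```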