RE: Version 3.0.0 has been released

2013-10-08 Thread Garber, Neal
Congratulations!  Thank you again for all of the countless hours you spend on 
improving the best and most flexible RADIUS server.  One question though - is 
there a typo in the V2 upgrade link below?  When I click on it I get a 404 
error..

  Upgrading instructions are available here:

 https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cache for machine authentication

2013-10-04 Thread Garber, Neal
Can someone tell me if it is possible in FR to cache in memory (for a short 
amount of time) Calling-Station-Id from successful machine authentications so 
that subsequent user authentications can test whether the user is connecting 
from an authorized device?  This is a feature that is available with Cisco ACS 
version 5 (using attribute Was-Machine-Authenticated) that I am trying to 
emulate in FR.  If it's possible and anyone can share ideas, I would appreciate 
it.  I thought about using a database, but it seems horribly inefficient 
compared to caching something in memory.  I know I could write a custom module 
or use perl and maintain the cache in a file, but I don't want to reinvent the 
wheel and I'm hoping there's an easier and more efficient way to accomplish 
this..

Thanks for your time..
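As an added illustration of the check asked about in the post above (this is not code from the post or from FreeRADIUS): a short-lived in-memory record of successful machine authentications, keyed by a normalized Calling-Station-Id, that a later user authentication from the same device is tested against. The `host/` account-name convention, the TTL value and the accepted MAC formats are assumptions made for the example.

```python
"""Time-limited record of machine authentications, keyed by Calling-Station-Id.

Emulates the Was-Machine-Authenticated idea: a user may only authenticate from
a device that itself authenticated (as a machine account) within the last TTL.
Assumption: machine accounts present as host/<name>; Calling-Station-Id is a MAC.
"""
import re
import time

# Different NAS vendors send the MAC in different shapes; fold them to one key.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_calling_station_id(value: str) -> str:
    """'00-11-22-33-44-55', '00:11:22:33:44:55', '0011.2233.4455' and
    '001122334455' all become '00:11:22:33:44:55'. Raises on non-MAC values."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC-style Calling-Station-Id: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MachineAuthCache:
    """Remembers which devices completed machine authentication recently."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised in tests
        self._seen = {}             # normalized MAC -> absolute expiry time

    def record_success(self, calling_station_id: str) -> None:
        key = normalize_calling_station_id(calling_station_id)
        self._seen[key] = self.clock() + self.ttl

    def was_machine_authenticated(self, calling_station_id: str) -> bool:
        self._purge_expired()
        return normalize_calling_station_id(calling_station_id) in self._seen

    def _purge_expired(self) -> None:
        now = self.clock()
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]


def is_machine_account(user_name: str) -> bool:
    """Assumed convention: Windows machine auth uses host/<fqdn> as User-Name."""
    return user_name.lower().startswith("host/")


def authorize(cache: MachineAuthCache, user_name: str,
              calling_station_id: str, credentials_ok: bool) -> str:
    """Decide one request. A successful machine auth is recorded; a user auth is
    accepted only if credentials are good AND the device was machine-authenticated
    within the TTL. Returns 'accept' or 'reject'."""
    if not credentials_ok:
        return "reject"
    if is_machine_account(user_name):
        cache.record_success(calling_station_id)
        return "accept"
    if cache.was_machine_authenticated(calling_station_id):
        return "accept"
    return "reject"   # valid user credentials, but from an unauthorized device


if __name__ == "__main__":
    # Constructed walk-through: user first (rejected), machine, then user again.
    cache = MachineAuthCache(ttl_seconds=300)
    print(authorize(cache, "alice", "00-11-22-33-44-55", True))
    print(authorize(cache, "host/pc1.example.test", "00-11-22-33-44-55", True))
    print(authorize(cache, "alice", "0011.2233.4455", True))
```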

RE: ntlm_auth in freeradius

2012-05-16 Thread Garber, Neal
 i cant find the ntlm_auth file in my OS ,
 is it coming with freeradius or we have to 
 install it separately .

It's part of Samba.  A simple google search for ntlm_auth
would have answered that question for you.


RE: DHCP on FreeBSD 8.2

2012-04-21 Thread Garber, Neal
 I am getting the following errors during compilation on my FreeBSD 8.2 OS:  
 /usr/include/net/if_arp.h:47: error: expected specifier-qualifier-list
 before 'u_short'
 /usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
 /usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
 /usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
 before 'u_long'

Try adding the following includes before those that are already in the file
freeradius-server/src/lib/dhcp.c:

#include <sys/socket.h>
#include <sys/types.h>


RE: Freeradius with multiple clients

2012-04-20 Thread Garber, Neal
 yes i said that freeradius with coovachilli works but with 
 the access point i think send another request so it fails.. 

Yes, you did say that.  But, I have no idea what you mean by
"i think send another request so it fails"?  As I said
before, read the FAQ (it will tell you to provide debug
output):

 http://wiki.freeradius.org/FAQ#It+still+doesn%27t+work%21 

If you want help, provide details of what you're trying to
accomplish and debug output from a request that is failing.  
Otherwise, you're just wasting everyone's time.

If I said to you, "my car doesn't work", is that enough 
information for you to tell me what's wrong with it?


RE: Freeradius with multiple clients

2012-04-19 Thread Garber, Neal
 but i have problems to the ap... The didn't login... 

Do you really think this is enough information for someone to help you?  
Did you read the FAQ?

 http://wiki.freeradius.org/FAQ#It+still+doesn%27t+work%21


RE: Blackberry disabled server certificates query

2012-01-20 Thread Garber, Neal
 if you leave the box unchecked disable server certificate validation
 then the blackberry connects fine if you uncheck connection fails 
 failed to connect. 

You wrote, "...if you leave it unchecked... (it)... connects fine if you 
uncheck (it the) connection fails"???

Did you mean to say if you leave it *checked* it connects fine??  If so, 
checking the box is telling your Blackberry NOT to validate the RADIUS server's 
certificate.  If you don't validate the certificate, there's a risk that you 
could be passing your credentials to an untrusted RADIUS server (if someone 
impersonates your wireless network name).  

Best practice, for RADIUS, is to use a cert generated from a private CA that 
you control, or at least trust.  In this case, you would need to configure your 
Blackberry's to validate that the certificate is signed by the CA you expect 
(which means they would need the CA's cert installed - I assume this is 
possible with Blackberry's, but I don't own one and I don't know how difficult 
it is to distribute a cert to the Blackberry's or how many you have).

You need to decide whether to accept the risk or not.



RE: Unlang issue

2011-07-29 Thread Garber, Neal
 Try:

 if ((Client-IP-Address == x) || (Client-IP-Address == y)) {
 }

No joy :-(.  For now, I ended up doing:

if (Called-Station-Id) {
    if (Client-IP-Address == x) {
        update request {
            Huntgroup-Name := 
        }
    }
    elsif (Client-IP-Address == y) {
        update request {
            Huntgroup-Name := 
        }
    }
}

Not as efficient, but it works.  I'll retest the old unlang code after I 
upgrade later this year.



Unlang issue

2011-07-28 Thread Garber, Neal
I'm running FR 2.1.6 (I know - I plan to upgrade later this year).  Is there 
anything wrong syntactically with the following code or is this a bug that was 
fixed since 2.1.6?

if (Client-IP-Address == 172.20.16.28 || Client-IP-Address == 172.20.204.10)) {
    update request {
        Huntgroup-Name := GlobalRoaming
    }
}

#
# If NAS is an autonomous AP, get SSID from Cisco-AVPair
#
if (Huntgroup-Name == EEProdAP || \
    Huntgroup-Name == EETestAP) {
    if (Cisco-AVPair =~ /ssid=(.*)/) {
        update request {
            SSID-Name = %{1}
        }
    }
}

I ask because the first if statement only works if the Client-IP-Address 
matches the first address listed (172.20.16.28).  I would expect that it would 
evaluate to true if Client-IP-Address matches either of the addresses.  Here's 
a snippet of debug output that illustrates the problem - it doesn't appear to 
finish the logical or comparison:

Info: ++? if (Called-Station-Id && (Client-IP-Address == 172.20.16.28 || Client-IP-Address == 172.20.204.10))
Info: ? Evaluating (Called-Station-Id ) -> TRUE
Info:expand: %{Client-IP-Address} -> 172.20.204.10
Info: ++? if (Huntgroup-Name == EEProdAP || Huntgroup-Name == EETestAP)
Info: (Attribute Huntgroup-Name was not found)

When I switch the order of the addresses for the logical or, I see the 
following in debug (it does the comparison and returns TRUE):

Info: ++? if (Called-Station-Id && (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28))
Info: ? Evaluating (Called-Station-Id ) -> TRUE
Info:expand: %{Client-IP-Address} -> 172.20.204.10
Info: ?? Evaluating (Client-IP-Address == 172.20.204.10 ) -> TRUE
Info: ?? Skipping (Client-IP-Address == 172.20.16.28)
Info: ++? if (Called-Station-Id && (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28)) -> TRUE
Info: ++- entering if (Called-Station-Id && (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28)) {...}
Info: +++[request] returns ok
Info: ++- if (Called-Station-Id && (Client-IP-Address == 172.20.204.10 || Client-IP-Address == 172.20.16.28)) returns ok
Info: ++? if (Huntgroup-Name == EEProdAP || Huntgroup-Name == EETestAP)
Info: ? Evaluating (Huntgroup-Name == EEProdAP ) -> FALSE
Info: ? Evaluating (Huntgroup-Name == EETestAP) -> FALSE
Info: ++? if (Huntgroup-Name == EEProdAP || Huntgroup-Name == EETestAP) -> FALSE



RE: Unlang issue

2011-07-28 Thread Garber, Neal
Ok, thanks Alan.  I'll split it into two if stmts as a workaround for now..

BTW, when posting the code and trying to make it look nicer, I mangled it.  The 
original code really looked like this:

if (Called-Station-Id && (Client-IP-Address == 172.20.16.28 || \
    Client-IP-Address == 172.20.204.10)) {
    update request {
        Huntgroup-Name := GlobalRoaming
    }
}

Sorry for the confusion..



RE: Unlang issue

2011-07-28 Thread Garber, Neal
 Try:

 if ((Client-IP-Address == x) || (Client-IP-Address == y)) {
 }

Thanks for the suggestion Phil.  I'll give that a try..



RE: Yet another multiple SSID setup question

2011-07-28 Thread Garber, Neal
 It's failing on the inner tunnel with an error that 
 it has no value specified for the auth type,
 but shouldn't that be set by the eap module?

It didn't say no value, it said unknown value.  The
debug output showed the value of Auth-Type as 
eap_cuesta:

Found Auth-Type = eap_cuesta
  WARNING: Unknown value specified for Auth-Type.  Cannot perform
  requested action.

The problem is that the Auth-Type (eap_cuesta)
doesn't exist in your inner-tunnel-cuesta 
authenticate section.  You are also missing 
mschap_cuesta in the authorize section.

Try this:

inner tunnel:
authorize {
    suffix
    mschap_cuesta
    eap_cuesta {
        ok = return
    }
}
authenticate {
    mschap_cuesta
    eap_cuesta
}



RE: RADIUS Questions

2011-07-26 Thread Garber, Neal
You didn't give much information regarding your
environment, so some of the responses below are
based upon assumptions: that you manage all devices
that are connecting, that they are joined to your
A/D domain and that you are using the Windows
supplicant.  

You haven't said what version of Windows you
are running and what version of FreeRADIUS
you are running!

 Currently with Windows machines I can't just connect to
 the SSID and enter in a username and password. I have 
 to go and manually add the SSID, modify some settings; 

If you are referring to PEAP vs. TLS, that's a Windows XP
issue. XP defaults to TLS and won't connect automatically
if you are using PEAP.  However, you can push wireless
policy to your Windows devices using A/D group policy
and set this up automatically.

 specifically turning off validating server certificate

This is a bad idea as you could be passing your credentials
to someone else's RADIUS server.  It's best to generate a
certificate signed by an internal Certificate Authority
and require a cert signed by that CA in your 802.1x config.
This too can be pushed to Windows devices as part of your
A/D policy assuming they are joined to your domain and
run Windows.

 turning off automatically use my Windows login, and 
 turning on User or computer authentication mode.

Why do you want to use manual authentication as opposed to
automatic?  If the machines that are connecting are joined
to your A/D domain, you may want to consider using machine
authentication. User authentication, in the current release, doesn't support 
MS-CHAP password change. Also, user authentication with the Windows supplicant 
requires the
presence of cached credentials (because you logon locally 
first and then connect to the wireless network) which may
not match current A/D credentials.

 error message was: winbind client not authorized to
 use winbindd_pam_auth_crap. Ensure permissions on 
 /var/cache/samba/winbindd_privileged are set correctly.

Use sudo wbinfo or run it as root if you don't use sudo.
That said, wbinfo isn't used by FreeRADIUS to authenticate
to A/D (ntlm_auth is used for PEAP/MS-CHAPv2).




RE: LDAP SHA1 Password, EAP-PAP and Dynamic VLAN

2011-07-26 Thread Garber, Neal
 Actually i've already a configuration to 
 dynamic assing VLAN ID with MS-CHAPv2 

What reply attribute(s) are you passing
to the switch in this case?

 I've done some tests.. can actually authenticated 
 based on the logs and the switch info, but Dynamic 
 VLAN isn't configured on the switch ports. 

If you are authenticating successfully, then check
what attributes are being returned to the switch and
compare to the scenario above when you said it worked!
Then, fix your config to return the proper attribute
with the proper value.



RE: RADIUS Questions

2011-07-26 Thread Garber, Neal
 I don't think that I'm using the supplicant but I could 
 be wrong. 

The supplicant is the software on the client device that
manages wireless profiles/connections.  If Windows 
controls the wireless connections (Wireless Zero Config service) then you are 
using the Windows supplicant.

 I'm running FreeRadius 2.1.7-7.e15 ( I believe this is the 
 latest) with freeradius2-krb5-2.1.7-7.e15 and freeradius2-utils-2.1.7-7.e15.

2.1.7 is old!  2.1.11 is the latest version of FreeRADIUS..

 I'm pretty sure I'm using PEAP.

This would be obvious in the wireless settings on the
device.  

 I realize that and I'm going to work on using our wild 
 card cert to better secure this. However the question 
 still arises on will our SSL cert validate properly on a 
 Windows system. When I initially set this up I never saw 
 anything regarding and 802.11x config. After updating I seem 
 to remember seeing this config file mentioned.

Windows clients require that certain extensions be present
in the certificate (you can thank Microsoft for that - it's
not a FreeRADIUS issue).  If most of the machines are not joined to your domain 
and are personal devices and you want easy access, you'll want to use a 
certificate signed by a CA
that's in the Windows root CA list.  Just be aware that 
this is not as secure as an internal or self-signed cert. because any 
certificate from the CA you choose would be
accepted (even if it's from someone else's RADIUS server);
but, the alternative is that you would need to distribute 
the CA's cert to each user that wants to connect.  

I can't answer your question regarding whether 
your SSL cert will validate properly on Windows because
you haven't said how it was generated? Is it self-signed?
Is it signed by a CA that's in the root CA list of a
device you were using to test?  Does it include the 
required Windows extensions?  There have been considerable
discussion on the mailing list regarding the creation 
of certs that will work with Windows clients.  Google is
your friend (along with the doc inside the FR files).

 Like I mentioned above not all, actually few machines, are 
 managed via our AD server. I would love to change this but it 
 would require far more administrative changes that I'm unable 
 to make.

Makes sense..

 Like I mentioned our Windows versions vary from XP to 7. 

I thought, but can't verify right now, that starting with
Vista, Windows will connect using PEAP without manual 
wireless configuration (i.e., it doesn't assume TLS 
as a default the way XP does). Perhaps your only issue 
with Vista/7 is that the cert doesn't have the required extensions or isn't 
signed by a CA that's in the root CA 
list of the device?




RE: LEAP Authentication?

2011-06-30 Thread Garber, Neal
 It does. It is a Aironet 350 device and it has 
 internal RADIUS as well, which we are able to 
 authenticate against(using LEAP).

Is this for WLSE authentication to the AP?  If not,
do you have other options other than LEAP? If so,
avoid LEAP as many others have said.



RE: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Garber, Neal
 so, in inner-tunnel post-auth, set outer.reply 
 to be whatever you want.. you can then, in the 
 outer layer, query/check or use that reply.

There's an additional round trip after the failure
which is why Phil said it needs to be saved.  I 
had a patch to save/restore it; but, it needs 
rework and I don't have the time to do it now.. :-(



RE: ntlm_auth authentication results logging messages

2011-05-19 Thread Garber, Neal
 I found a similar user in an old thread who submitted a patch: 
 (http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-reasons-in-rlm-mschap-td2791760.html)
 And it appears that this patch made it into the rlm_mschap.c module code:

I submitted that patch and it was included in FR v1.  Unfortunately,
a change in v2 regressed this functionality. In v2, there's now an additional 
round trip, so the ntlm_auth results need to be saved - they 
are saved, in the current version, for success; but, not for failure.  
I submitted another patch for v2 last year that saves the ntlm_auth 
results for failures as well; but, it required rework (Alan wanted it 
split into two separate patches) and I haven't had a chance to rework 
it yet.  Other, really nice mschap patches have been submitted 
since then (thank you Phil), so the rework, for me, is now a bit more.



RE: Relation between NAS and FreeRADIUS

2011-05-18 Thread Garber, Neal
 I want to ask that NAS provide internet or FreeRADIUS. 

What does that mean?

 I mean i should connect internet connection to NAS or FreeRADIUS.

Try rephrasing your question and provide more background on
what you are trying to accomplish..



RE: MSCHAP / NTLM_AUTH failure on expired AD password; out of sync cached creds / AD password.

2011-05-12 Thread Garber, Neal
 FR is configured to send the auth request to AD (MSCHAP 
 only, Aruba terminates PEAP) using NTLM_AUTH.  

Why do you want Aruba to terminate PEAP?

 If it IS expired, MSCHAP (or NTLM_AUTH) seems to always 
 return a reject.  

See below...

 Also, with new users an account is created with a 
 temp / one time password and their account is set to 
 user must change password at first logon.  This 
 results in a similar failure - the supplicant never pops 
 a box prompting to CHANGE password, it just prompts 
 to reenter because of the failure - which is 
 obviously worthless. 

For now, this is working as designed because FR doesn't support password change 
via MSCHAP.  Recently, there was a thread talking about
supporting retry and Phil Mayers wrote and submitted a patch to
provide retry & password change for MSCHAP (thank you Phil:) ).  But, 
I'm not sure that code will make it into 2.1.11 because I haven't seen 
a lot of people posting "I tested it and it works fine" messages.  Of course, 
Alan would know for sure...

 I THOUGHT MSCHAPv2 can recognize a password expired state 
 and actually allow a user to change it via MSCHAPv2 functions.  

True, but see above.

 We have a similar failure when the laptops cached credentials 
 are out of sync with AD.  

This might be fixed with Phil's patch.  Feel free to test it
and report your findings..

Another option is to use machine authentication (assuming the
machines connecting are all members of your AD domain).  Then,
while the user is logged off, the machine logs on.  The user
logon then goes to the domain since it already has a network
connection.  That would eliminate the bad cached credentials issue
and the expired password issue.



RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
 In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
 automatically use my windows logon name and password and
 instead enter the credentials manually it works.

What version of FR are you running?  If it's < 2.1.10, try it with 2.1.10.



RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
 In the PEAP properties, EAP-MSCHAP v2, if you DISABLE
 automatically use my windows logon name and password and
 instead enter the credentials manually it works.

Look at:

http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

to see if this is your problem (look at the table in the post). If so and 
you're running a version < 2.1.10, upgrade as this problem is fixed in 2.1.10..



RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
 I can/will upgrade, but the symptoms lead me to believe its a windows 
 thing.  What leads you to believe an FR upgrade would fix it?

I sent another response with more info.  The issue I'm thinking of is one we 
talked about quite a while ago (I asked if you could test it).  It's the one 
where the case (i.e., upper vs. lower) of the User-Name differs between the 
inner and outer tunnels.  Take a look at the link I included in my last 
response.  In it, there's a table that showed the results of tests I performed. 
 It was with XP not Win7, but the same *may* apply.  I would look in the debug 
output at the Access-Requests and compare the User-Name attributes for inner 
and outer tunnels to see if they are *exactly* the same (it's case-sensitive as 
it is used to construct the challenge/response.  I thought of this because my 
testing produced different results depending upon whether credentials were 
passed automatically (which is a symptom you described).  Look at the table in:

http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

to see what I mean..



RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
 One additional note: the fixes that went into 2.1.10 extract (verbatim) 
 the client username from the EAP-MSCHAPv2 response, and pass that 
 through to the rlm_mschap module as an extra attribute.

You're right Phil.  It's been too long since I wrote that patch.  

Gary: Forget what I said about comparing User-Name in inner vs outer tunnels.  
You would need to look at the User-Name attribute vs. the username contained in 
the MSCHAP response. If you have a test server, I would test it with 2.1.10 
after you get Aruba not to be the termination point for PEAP..

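The two posts above turn on one detail: the user name that goes into the MS-CHAPv2 challenge hash is case-sensitive, so a server that hashes a differently-cased User-Name will never verify the client's NT-Response. The added example below (not code from the thread or from rlm_mschap) parses the Name field out of a constructed EAP-MSCHAPv2 Response, as the 2.1.10 fix does, and shows that the RFC 2759 ChallengeHash derived from it differs from one derived from a RADIUS User-Name that differs only in case. The packet contents are constructed; no real NT-Response is computed.

```python
"""RFC 2759 ChallengeHash versus the user name: parse an EAP-MSCHAPv2 Response
and compare the 8-byte challenge derived from its Name field with the one a
server would derive from a (differently cased) RADIUS User-Name.
Constructed data only; the NT-Response bytes are placeholders."""
import hashlib
import struct


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: bytes) -> bytes:
    """RFC 2759 section 8.2:
    Challenge = SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[0:8].
    The client's NT-Response is computed over this value, so any byte of the
    name that differs (including case) yields a response the server cannot verify."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name).digest()
    return digest[:8]


def parse_mschapv2_response(packet: bytes) -> dict:
    """EAP-MSCHAPv2 Response layout (RFC 2759 section 4 / EAP-MSCHAPv2 draft):
    OpCode(1)=2, MS-CHAPv2-ID(1), MS-Length(2), Value-Size(1)=49,
    Response(49) = PeerChallenge(16) Reserved(8) NT-Response(24) Flags(1), Name(rest).
    The Name is returned verbatim, which is what the 2.1.10 fix hands to rlm_mschap."""
    if len(packet) < 5 + 49:
        raise ValueError("short MS-CHAPv2 response")
    opcode, ident, ms_length, value_size = struct.unpack("!BBHB", packet[:5])
    if opcode != 2:
        raise ValueError(f"opcode {opcode} is not a Response")
    if value_size != 49:
        raise ValueError(f"Value-Size {value_size} != 49")
    if ms_length != len(packet):
        raise ValueError("MS-Length does not match packet length")
    value = packet[5:54]
    return {
        "id": ident,
        "peer_challenge": value[0:16],
        "nt_response": value[24:48],
        "flags": value[48],
        "name": packet[54:],
    }


def build_mschapv2_response(ident: int, peer_challenge: bytes,
                            nt_response: bytes, name: bytes) -> bytes:
    """Constructs a Response packet for testing (Reserved and Flags set to zero)."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("PeerChallenge is 16 octets, NT-Response is 24")
    value = peer_challenge + bytes(8) + nt_response + b"\x00"
    return struct.pack("!BBHB", 2, ident, 54 + len(name), 49) + value + name


def server_challenge_consistent(authenticator_challenge: bytes, packet: bytes,
                                radius_user_name: str) -> dict:
    """Derive the challenge two ways: from the Name inside the MS-CHAPv2 response
    and from the outer RADIUS User-Name. 'same' is False whenever they diverge,
    which is exactly the reject-on-case-mismatch symptom from the thread."""
    resp = parse_mschapv2_response(packet)
    from_response = challenge_hash(resp["peer_challenge"], authenticator_challenge, resp["name"])
    from_user_name = challenge_hash(resp["peer_challenge"], authenticator_challenge,
                                    radius_user_name.encode())
    return {"from_response": from_response, "from_user_name": from_user_name,
            "same": from_response == from_user_name}


if __name__ == "__main__":
    # Constructed sample values (not a capture).
    auth_chal = bytes(range(16))
    peer_chal = bytes(range(16, 32))
    pkt = build_mschapv2_response(7, peer_chal, bytes(24), b"Gary")
    for outer_name in ("Gary", "gary"):
        result = server_challenge_consistent(auth_chal, pkt, outer_name)
        print(outer_name, result["same"], result["from_response"].hex(), result["from_user_name"].hex())
```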


RE: about FreeRadius+radiusmanager+mikrotik

2011-05-04 Thread Garber, Neal
 some of my user trying to login Mikrotik but they cant first time..

You may find that it will be easier for people to help you if you provide 
specific details about the problems you are having and what you've done in an 
attempt to fix the problems.

You should start by doing Internet searches to see if someone else had the same 
problem(s) and what was done to fix it.  If you can't find anything relevant, 
post the debug output of a failure.




RE: MS-CHAPv2 password change implementation

2011-04-19 Thread Garber, Neal
 I have spent the last few days writing the code to allow rlm_mschap and 
 rlm_eap_mschapv2 to support password changes.

This is huge Phil!  Thanks for taking the time to write this enhancement.  I 
will test it in our environment over the couple weeks and report findings.



RE: unlang question

2011-04-04 Thread Garber, Neal
 i have made my modifications 

Perhaps if you show us the modifications, someone might be able to suggest 
what's wrong.



RE: Limiting user accounts for specific devices

2010-12-02 Thread Garber, Neal
 so it would need to be set per IP address or range only for 
 the limits so that the other users in AD can be used for that

Have you thought about using huntgroups to group your NAS together and then 
authorize based upon Huntgroup-Name?



RE: Grant access for all users before login

2010-12-01 Thread Garber, Neal
 Ok machine authentication works now with computer name from samba. 
 i can assign vlans also. The switch port appears as up, BUT i can't
 ping the machine and i can't login with new users that never before 
 use this machine (no local useraccount). Why i doesn't get network 
 access after successful machine authentication!?

If your authentication is successful and you're sure the port is
being put in the correct VLAN, then you should use standard network
troubleshooting techniques.  Not that it's in scope for this list,
but here are some thought starters:

- Does the device have an IP address?
- If so, is it in the VLAN you expected?
- Are the network mask and default gateway correct?
- Can you ping the switch to which you are connected?
- When you ping the switch, do you get an ARP response?
- Are there ACL's or firewalls that might be blocking traffic to other networks?



RE: Grant access for all users before login

2010-11-30 Thread Garber, Neal
 When a user gets his login prompt, no access 
 to the network is allowed because they first 
 get access when they login and freeradius can
 perform an ldap check with the username.
 But when a new user wants to login or the user uses an different computer,
 the user doesn't exist on this machine - so they can't login - no
 network connection -can't load profile - no local user.

Use machine authentication (if wireless, use automatic connect).



RE: Logging ntlm authentication

2010-11-17 Thread Garber, Neal
 Could you please share the perl scripts and the corresponding
 configuration in radiusd.conf like authorize and post-auth section
 related to these logs?

Unfortunately, I would need to get a release from my company as the code 
belongs to them.  I cannot post it at this time.  You may want to look at the 
linelog module (depending upon what version of FR you are running). If you're 
not familiar with perl, that might be easier for you to implement.



RE: Logging ntlm authentication

2010-11-10 Thread Garber, Neal
 Could you please summarize what you did to log the output from
 ntlm_auth and MS_CHAP-Error?  

Sure.  I should mention that other options are available now that didn't exist 
when I created the solution below...

I have a PERL script that runs during authorize that obtains user/group or 
machine/container permissions for the NAS in question from XML files to 
determine whether the entity is authorized and it creates a Log-Data reply 
attribute containing all non-sensitive request attributes.  This is then 
written to syslog during post-auth by another PERL script.  

Our help desk and others use a .Net application that I wrote to display/filter 
the data from the current or past log files in a grid control.  The log 
contains specifics of the request, authorization and authentication 
results/messages and reply attributes.
 
Does that answer your question?



RE: %RAD_REPLY hash problem

2010-10-29 Thread Garber, Neal
 Yes, I know :) but it would be better if we can solve that

I agree, but I haven't found a better solution (i.e., that's what I do to 
workaround the problem).

RE: Assign VLANS based on AD groups.

2010-10-28 Thread Garber, Neal
 Now that I have authentication working. I would like to assign users to
 VLANS based on AD group membership.
 Any examples would be appreciated.

Did you look here?

http://wiki.freeradius.org/HP (search for Dynamic VLAN assignment)

There are a number of ways to set reply attributes depending upon your setup 
(unlang, PERL script, etc.)



RE: %RAD_REPLY hash problem

2010-10-26 Thread Garber, Neal
 My problem is that rlm_perl duplicate an attribute in %RAD_REPLY hash.

I'm not sure if this will fix it, but try:

use constant RLM_MODULE_UPDATED => 8; # /* OK (pairs modified) */

then change return RLM_MODULE_OK to:

return RLM_MODULE_UPDATED;

If this doesn't fix it, you can always delete the undesired member from the 
hash before you return.



RE: Proxy Issue

2010-10-17 Thread Garber, Neal
DeKok, Alan wrote:
 It's a permanent change.  See latest git for a fix.

Thanks Alan.  I just retested and, uh, don't shoot the messenger, but now it 
dies in event.c:cleanup_delay():

Debug: Waking up in 11.4 seconds.
Error: ASSERT FAILED event.c[536]: (request->child_state == REQUEST_CLEANUP_DELAY) || (request->child_state == REQUEST_DONE)
[1]+  Abort trap: 6   radiusd -X  (wd: ~/freeradius-server)



RE: Proxy Issue

2010-10-17 Thread Garber, Neal
 <shrug>  Assertions are there to catch sanity failures.  In this 
 case, the request was treated as done without being explicitly 
 marked done.

 Do a git pull. :)

Looks much better - thanks again.



RE: Proxy Issue

2010-10-15 Thread Garber, Neal
 Ah... I don't usually do builds & tests without pthreads.

Actually, I am building/testing with pthreads.  However, I was running in debug 
mode (radiusd -X).  The problem does not occur when I don't start radiusd with 
-X.  Some additional debug code in event.c shows the following sequence of 
events:

radiusd.c:main                          spawn_flag = FALSE (due to -X flag)
event.c:radius_event_init               have_children = spawn_flag
event.c:request_pre_handler             request->child_state = REQUEST_RUNNING
event.c:no_response_to_proxied_request  request->child_state = REQUEST_RUNNING
event.c:wait_a_bit                      request->child_state == REQUEST_RUNNING && !have_children
radiusd dies with ASSERT FAILED..

 Hmm... the assert isn't on line 1175 in current git, 

Ugh.. I tested originally with pre-2.1.0, then retested with current git, then 
posted the output from the original test duh.

 Delete the assert, and replace it with a goto that jumps down to the
case REQUEST_DONE statement.

I can do that; but, are you saying this should be a permanent change because 
REQUEST_RUNNING & REQUEST_QUEUED are valid states even if not threading?  If 
not, shouldn't the assignments be changed not to use REQUEST_RUNNING if not 
threading?  Seems like we wouldn't want the server to die just because we're 
debugging and I'd rather not have to maintain a local change (to delete the 
assert) if I don't have to..

Thanks and I'm sorry for the 20 questions, I'm just trying to better 
understand the issue..



Proxy Issue

2010-10-14 Thread Garber, Neal
I'm testing proxying of authentications (it's not something I've done before so 
this could be my problem).  I have a pool with 2 home servers defined in 
proxy.conf.  For now, both servers are unreachable (blocked by a firewall).  
I'm using git head 2.1.x branch and I'm testing using eapol_test.  The failure 
is repeatable, while the server is performing no other work, and occurs after 
the client retries twice (so three Access-Requests are sent to FR) and after 
the 3rd request, it wakes up from sleeping and dies:

Wed Oct 13 14:44:17 2010 : Debug: Waking up in 11.3 seconds.
Wed Oct 13 14:44:28 2010 : Error: ASSERT FAILED event.c[1175]: We do not have 
threads, but the request is marked as queued or running in a child thread == 
NULL
[1]+  Abort trap: 6   radiusd -X  (wd: /usr/local/etc/raddb)

Any ideas?  I can post complete debug output if needed and/or parts of my 
config.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Microsoft SoH Support

2010-10-09 Thread Garber, Neal
 Thanks to a lot of work by Phil Mayers, the server now has support for
 Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.

Wow!  That *must* have been a lot of work!  Thank you Phil.

Does this mean FreeRADIUS can now act as a Health Policy Server?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Problem with MSCHAP

2010-10-08 Thread Garber, Neal
 [peap] Received EAP-TLV response.
 [peap]  Had sent TLV failure.  User was rejected earlier in this session.

You need to look earlier in your debug output to see why it was rejected 
(that's what this error message means)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Last call for 2.1.10

2010-09-22 Thread Garber, Neal
 Last call for 2.1.10

I haven't had a chance to rework the patch for saving replies after a PEAP/TTLS 
reject (been very busy at work).  I'll try to get to it today; but, I assume 
it's too late for 2.1.10 at this point, right?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logging ntlm authentication

2010-09-09 Thread Garber, Neal
 Uh... eapol-test supports TTLS.  See the FreeRADIUS source:
 src/tests/eap-ttls-*.conf

Ugh..  I should have checked the doc.  I should be able to do the TTLS change 
independently (i.e., you can ignore the post to the devel list related to 
this).  Thanks for enlightening me :-)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logging ntlm authentication

2010-09-08 Thread Garber, Neal
 Hmm... OK.  The issue appears to be that the tunneled reply is saved
 for Access-Accept, but not Access-Reject.
 See accept_vps in rlm_eap_peap/*.  Something similar needs to be
 done for reject, and for TTLS.

You are a gentleman and a scholar!  I have made the changes as you suggested 
for PEAP and tested PEAP-MSCHAPv2.  It works!  I am now able to log the output 
from ntlm_auth and MS-CHAP-Error.  I'm also excited about the improved TLS 
logging in 2.1.10.

I will add the code for TTLS now.  Unfortunately, I don't have a way to test 
that as I don't believe eapol_test supports TTLS and we don't use it.  I 
suppose someone else can test it once I upload the patch (which I will do after 
I make the TTLS changes).

Thanks again Alan.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logging ntlm authentication

2010-09-07 Thread Garber, Neal
 but it seems the next packet sent is a Challenge, not reject/accept.
 Therefore the message does not persist until reject/accept time.

Hmm..  It seems I've heard that before:

http://lists.cistron.nl/pipermail/freeradius-users/2009-August/msg00326.html 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logging ntlm authentication

2010-09-07 Thread Garber, Neal
 Fixed in 2.1.9.

Great (I guess I missed that in the change log).  Was the change to eliminate the 
extra round trip?  If so, would you accept a patch to set 
Module-Failure-Message upon failure of ntlm_auth in rlm_mschap (as was 
originally implemented in the fix for bug 398 in v1.1.4)?

Thanks Alan.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logging ntlm authentication

2010-09-07 Thread Garber, Neal
 I'll take a look...

Thanks.

 I'd like to get some feedback on the pre-release of 2.1.10, 
 especially the changes to the proxy code.

I'll download the latest 2.1.10 tomorrow; unfortunately, I won't have a chance 
to test it until next week.  Also, we don't use proxying, at the moment, but I 
will report any issues I find with other areas.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logging ntlm authentication

2010-09-07 Thread Garber, Neal
 IIRC, it was to remember replies better.  When the inner tunnel
 returns accept and the outer sends a challenge... remember the 
 accept for later.

I just cloned and built the latest 2.1.10 to do some testing.  I did a 
PEAP-MSCHAPv2 authentication, with bad credentials, using eapol_test.  What I 
found seems to indicate the problem I was referring to still exists in 2.1.10 
(probably because I wasn't clear enough in describing the issue).  

It seems that after ntlm_auth fails, it sends the EAP failure via an 
Access-Challenge.  Then, after it receives the response in the next 
Access-Request, it sends Access-Reject.  This is how it behaved prior to 2.1.9 
also (this is what I meant by extra round trip in a previous post).  The 
problem is that any information stored in an attribute, after the ntlm_auth 
failure, will not survive the subsequent Access-Challenge, Access-Request.  I 
can post the debug output if you'd like to see it.

When I originally discovered this, I suggested storing the ntlm_auth output in 
the eap handler so it could be saved in Module-Failure-Message when the 
response to the EAP failure is received.  Is there a better approach?  If you 
tell me your preference, I'd be willing to create a patch..

Thanks for your time Alan.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Password Policy - Expired Password - mschap

2010-08-12 Thread Garber, Neal
 Understanding the security risks... is there an example of 
 setting Post-Auth-Type REJECT {...}  to override the reject & 
 force the response to Auth-Accept?  

If you want to change all REJECTs to ACCEPT so that authentication always 
succeeds, then you are effectively eliminating the requirement for 802.1x 
authentication for network connectivity.  If it's not required, why not just 
turn off port security on your switches?  If it is required, why would you want 
to do the above?

It seems that what you really want is the ability to change the expired 
password via MSCHAP which isn't currently supported in FreeRADIUS (as I said in 
a previous post).  If you are going to write a patch, develop one to provide 
this functionality..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Password Policy - Expired Password - mschap

2010-08-11 Thread Garber, Neal
 if you enable the ldap/(opendirectory) option to require user to change
 password on next login the client is unable to connect.  

FreeRADIUS doesn't support password changes via MSCHAP.  Historically, Samba 
didn't even support it until a couple of years ago.  I believe support for this 
functionality was added to Samba 3.0.24 using a new helper protocol called 
ntlm-change-password-1.  

I posted something to the list asking if there was interest quite a while ago.  
Implementing this new helper protocol is not a trivial change to FreeRADIUS.  
Unfortunately, I haven't had enough free time to devote to implementing it yet. 
 If you have the time to create the patch, I'll be one of the testers ;-)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Bug #17 (MS-CHAP user names)

2010-07-27 Thread Garber, Neal
 I've done some minor editing to the patches, and put them into the
 code for 2.1.10.

I just downloaded and installed 2.1.10 on my test server.  So far, everything 
looks good.  Thank you Alan.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius2 and Samba3x

2010-07-14 Thread Garber, Neal
 Sending Access-Accept of id 225 to 10.4.1.2 port 2452
 Reply-Message := "Authorized Users Only"
 MS-CHAP2-Success = 0x01533d394446363039333941453431374638353841434436324439374137343844413541313936
  MS-MPPE-Recv-Key = 0xd81d386eb6bd95dcd85badccd21036b4
  MS-MPPE-Send-Key = 0x1415b0a4e0f2d9063a9b0d0e92e2869b
  MS-MPPE-Encryption-Policy = 0x0001
  MS-MPPE-Encryption-Types = 0x0006
 Wed Jul 14 11:18:38 2010 : Info: Finished request 8.
 Wed Jul 14 11:18:38 2010 : Debug: Going to the next request
 Wed Jul 14 11:18:38 2010 : Debug: Waking up in 4.9 seconds.
 Wed Jul 14 11:18:43 2010 : Info: Cleaning up 
 request 8 ID 225 with timestamp +665
 Wed Jul 14 11:18:43 2010 : Info: Ready to process requests.

 Any ideas?

Any ideas about what - the server returned Access-Accept??  Is this not what 
you wanted?  What problem are you trying to solve?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius2 and Samba3x

2010-07-14 Thread Garber, Neal

Any ideas about what - the server returned Access-Accept??  Is this 
not what you wanted?  What problem are you trying to solve?

That my VPN session still doesn't establish. I get back that the user 
can't be authenticated.

What are you using as the NAS?  Did you check the documentation to see if there 
are attributes it expects to receive on Access-Accept?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FR proxy to ACS and NPS with MS CHAP v2

2010-07-14 Thread Garber, Neal
 will most appreciate your expert opinion. 

Post debug output!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Wanted: Commercial FreeRADIUS Support

2010-06-17 Thread Garber, Neal
Have you looked here: http://networkradius.com/ 

 Even if you aren't able to provide support, I'd be interested in any
 suggestions for where to get support from.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: log request to Freeradius server from unknown client

2010-05-26 Thread Garber, Neal
 Hi, I'm trying to log request to my Freeradius server from unknown client...

Look in the radius.log file - it is also logged there
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

2010-04-28 Thread Garber, Neal

 Why is not working ntlm_auth for ms-chap ?

It would be easier to answer your question if you included the debug output for 
a rejected request as opposed to just the startup messages..
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius With EAP-TTLS-LDAP and EAP-PEAP-AD

2010-04-13 Thread Garber, Neal
 I attached the logs for freeradius -X
 
The logs you attached just show the startup output, not an actual request that 
was rejected.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Log the 802.1x session

2010-04-09 Thread Garber, Neal
From what I've read, supplicants can send an EAPOL-Logoff message to

If the requirement is to determine when the user disconnects, isn't this best 
handled by accounting data?  That is, if the authenticator supports sending 
Accounting-Request packets to RADIUS, then when the user disconnects, it should 
send an Acct-Status-Type=stop request.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Pre-release of Version 2.1.8

2009-12-08 Thread Garber, Neal
 At approximately 08:40 something happens, and a lot of servers are
 flagged as dead or zombie.  

 This could of course have been caused by network problems, but there was
 no such problem at this time. Proxying goes over the same interface as

When it fails, is it always at night?  If so, could it be related to network 
load - perhaps backups that are running?  You could try capturing the output 
from a continuous ping to see if you start getting timeouts or really long 
response times between FR and one of the proxy servers that are having problems 
(obviously you'd want to check before, during and after the problem occurs).  

Said differently, maybe this isn't a FreeRadius problem..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Pre-release of Version 2.1.8

2009-12-08 Thread Garber, Neal
 This limit is around 8K packets in 2.1.x, and will be 64K packets in
 2.2.x.  So if you're getting 500 packets/s for a home server, 16s after
 it goes down, all 8k slots will be used.

I'm not sure if this is feasible and/or easy to implement, but I thought I'd 
ask..  As a suggestion, can there be a separate pool for each home server?  It 
seems like increasing the limit of a shared pool just lengthens the time before 
the same problem can occur.  If each home server had a separate pool, then one 
home server could not affect the others, regardless of the size of the pool.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logins against AD failing in *most* cases. Can see why, but don't *understand* why.

2009-12-07 Thread Garber, Neal
 It never occurred to me that the Cisco controllers could be our issue...
 Though I have just checked with a colleague and he did try restarting
 them after hours yesterday, and it didn't help matters. If you can find
 out what setting you changed that would be ideal, but probably best to
 email me directly as this is getting somewhat off-topic for the list.

Sorry for the delay in responding Dan.  I've been waiting for the engineer who 
worked on the problem to find his notes.  He just E-mailed me today and said 
that it was NOT an issue with the WLC.  Rather, Cisco told him to uncheck the 
CA in the WZC preferred network; save the config; recheck the CA; save the 
config again.  

At the time of the problem, he gave me the impression the issue was with the 
WLC, given that on a prior occasion, rebooting the WLC made the problem 
disappear.  In any case, just to rule out the client rejecting the server's 
cert, another option is to *temporarily* uncheck the validate server 
certificate checkbox and see if you can successfully connect.  If you can, 
that confirms that this is the problem (as Alan already pointed out).

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Logins against AD failing in *most* cases. Can see why, but don't*understand* why.

2009-12-02 Thread Garber, Neal
 I am perfectly willing to accept that you may be right and this may be
 my issue, I just don't understand how it has suddenly become a problem.

Are you using a Cisco Wireless LAN Controller (WLC)?  We had a similar issue 
with our Cisco 2112 WLC (EAP conversation stops on the NAS/supplicant side).  
For what it's worth, our WLC was working fine for a while and then suddenly 
stopped.  A reboot fixed it one time, but then it eventually failed again and a 
reboot didn't fix it.  It was resolved by changing a setting in the WLC (I'll 
get you the details if it's applicable).

Neal

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: showing NAS-IP of 127.0.01 instead of

2009-11-25 Thread Garber, Neal
 The problem is that although the Access-Request packet is shown as coming 
 from the correct host,
 that host's ip address is not showing up as the NAS-IP-Address for that 
 request. Instead, it's showing
 as 127.0.0.1 as seen below:
 I'm wondering what could cause this? Any help is appreciated.

The NAS is sending that attribute within the request - ask the NAS vendor why 
they are sending 127.0.0.1.  I've seen this issue with Lantronix console 
servers (not sure if that's the NAS you are using).  They eventually updated 
their firmware to use the correct address.  As a workaround, I did the 
following in the authorize section of the default server (before preprocess if 
you want huntgroup name lookup to work properly):

if (NAS-IP-Address == 127.0.0.1) {
   update request {
      NAS-IP-Address := "%{Client-IP-Address}"
   }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
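The workaround above relies on a fact worth seeing at the packet level: NAS-IP-Address is just an attribute the NAS writes into the Access-Request, while the source address is what the server observed on the wire. The following is an added example in Python (not FreeRADIUS code): a minimal RFC 2865 parser that pulls NAS-IP-Address out of a constructed Access-Request and falls back to the packet source address when the attribute is unusable. It goes slightly beyond the unlang above by treating any 127.0.0.0/8 value, and a missing attribute, as a reason to fall back; the packet contents and the address 10.1.2.3 are constructed test data.

```python
"""Read NAS-IP-Address out of a RADIUS Access-Request and decide whether to
trust it.  Added example, not FreeRADIUS code.  Wire format per RFC 2865:
Code(1) Identifier(1) Length(2) Authenticator(16) followed by attributes,
each Type(1) Length(1) Value(Length-2).
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME = 1          # RFC 2865 attribute type numbers used below
NAS_IP_ADDRESS = 4

Avp = Tuple[int, bytes]


def encode_avp(atype: int, value: bytes) -> bytes:
    """Type/Length/Value encoding; the length octet covers itself and the type."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user_name: str, nas_ip: str,
                         authenticator: bytes = bytes(16)) -> bytes:
    """Constructed test packet; the Request Authenticator is a placeholder."""
    avps = encode_avp(USER_NAME, user_name.encode("utf-8"))
    avps += encode_avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps))
    return header + authenticator + avps


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Avp]]:
    """Split a RADIUS packet into (code, identifier, authenticator, attributes).

    Every length is checked before it is used, so a malformed packet raises
    instead of reading past the end of the buffer.
    """
    if len(packet) < 20:
        raise ValueError("RADIUS header needs 20 octets")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field out of range")
    avps: List[Avp] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], avps


def claimed_nas_ip(avps: List[Avp]) -> Optional[str]:
    """The NAS-IP-Address the NAS put in the packet, or None if absent."""
    for atype, value in avps:
        if atype == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 octets")
            return str(ipaddress.IPv4Address(value))
    return None


def effective_nas_ip(packet: bytes, src_ip: str) -> Tuple[str, bool]:
    """Return (nas_ip, overridden).

    NAS-IP-Address is whatever the NAS chose to send; src_ip is the UDP
    source address the server actually saw.  A loopback value (127.0.0.0/8)
    or a missing attribute is replaced by src_ip, mirroring the unlang
    workaround but for the whole loopback range.
    """
    code, _, _, avps = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    claimed = claimed_nas_ip(avps)
    if claimed is None or ipaddress.IPv4Address(claimed).is_loopback:
        return src_ip, True
    return claimed, False


if __name__ == "__main__":
    pkt = build_access_request(7, "jdoe", "127.0.0.1")   # constructed: NAS claims loopback
    print(effective_nas_ip(pkt, "10.1.2.3"))              # falls back to the source address
```

The fallback is only as trustworthy as the source address itself, which is why the unlang above is placed in the default server where the client has already been matched against clients.conf by that same address.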

RE: ntlm_auth and AD authentication

2009-11-23 Thread Garber, Neal
 Hmm. I have two sets of authentication I care about, VPN Users, and 
 Cisco switches. I'd like to be able to control access to each of 
 those separately (different AD Security Groups, and different shared 
 keys).

I'm not sure what you mean by different shared keys - can you clarify?  Also, 
perhaps I do not understand your requirement; but, I think you mean 
authorization, not authentication above.  Authentication is validation of a 
user/password combination.  Authorization is checking to determine what type of 
access (if any) a user should have to a device.  

If I haven't misunderstood what you're trying to do, then I would determine the 
type of access the user has in the authorization section.  Personally, I use a 
perl module for authorization because we have many different types of 
devices/groups, including controlling access to several wireless networks.  The 
perl module obtains the user's groups from LDAP (including their default group 
which isn't in the memberOf attribute) and uses a hash that specifies 
user/group/machine/container to nas mappings and optionally allows returning 
custom vsa's.  This may be overkill for you, I'm not sure..

You could define multiple mschap modules (that's where ntlm_auth is defined) 
and use unlang to call the appropriate module.  But, this would quickly become 
unmanageable if you have many different groups you want to test during 
authorization.  If all you will ever have is two groups, then I suppose it 
wouldn't be an issue.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: SSID based authentication

2009-11-17 Thread Garber, Neal
 If I want an enduser to be able to connect to the same SSID on multiple APs 
 then I can not use
 Called-Station-ID since it also includes information about the mac address 
 for a specific AP.
 So how do I do to be able to authenticate by just using the SSID and not the 
 mac address for a specific AP?

Check your AP documentation to see if it can send an attribute containing the 
SSID.  On the Cisco AP's that we use, it is sent in Cisco-AVPair.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Freeradius + OpenLdap + WindowsXP(Wifi)

2009-10-13 Thread Garber, Neal
 Have any idea ? Where can i find the solution ?
 When i trying connect freeradius server with wireless over
 access point i get this error:
snip
 Tue Oct 13 12:00:45 2009 : Debug:   rlm_eap_peap:  Had sent TLV failure.  
 User was rejected earlier in this session.

The error you're looking for is earlier that what you posted.  Look at the 
previous round trip in the debug output to see why it failed..
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Update on MS-CHAP Authentication / Bug 17

2009-10-06 Thread Garber, Neal
Here's some feedback I received (off-list) regarding the patch for bug 17..

I received an E-mail from someone experiencing the userid case sensitivity 
issue with EAP/MS-CHAPv2 in FR.  He applied the patch attached to bug 17 and 
confirmed that it fixed the problem for him.

I too have the patch applied (for about 6 weeks now) to two of our FR servers 
and haven't seen any issues.

Neal
-Original Message-
From: Garber, Neal 
Sent: Friday, October 02, 2009 1:58 AM
To: 'Marco D'Ettorre'
Subject: RE: MS-CHAP Authentication / Bug 17

Thank you for sharing your experience Marco.  At some point, I'd like to post 
your information to the FreeRADIUS list as Alan DeKok wanted to see positive 
feedback from testers before he accepted my patch.  Is that Ok?

Thanks again for your time and I'm pleased that the patch helped resolve your 
problem.

Neal 
-Original Message-
From: Marco D'Ettorre 
Sent: Thursday, October 01, 2009 4:55 PM
To: Garber, Neal
Subject: Re: MS-CHAP Authentication / Bug 17

Hi Neal,
I applied your patch to 2.1.7. Before writing you I was testing v1.1.8; 
then I tried 2.1.7 before applying the patch (with the same issue) and 
finally with your patch.

The issue is solved. Now I can logon the workstation with both upper and 
lower cases, and automatic ms-chap authentication always works.

I have not written to you yet because I'd like to include more details, 
extracts of log files and configurations, but I was too busy with other 
activities. I'll send you some details as soon as possible.

Thank you
Marco

Garber, Neal wrote:

 Hi Marco,

 Did you have a chance to apply the patch and test?  If I can help, let 
 me know..

 Neal 
 
 *From:* 'Marco D'Ettorre'
 *Sent:* Wednesday, September 23, 2009 5:31 PM
 *To:* Garber, Neal
 *Subject:* Re: MS-CHAP Authentication / Bug 17

 Hi Neal,

 I'm having the problem and I'd like to solve it as quick as possible.

 I am a fan of open-source development (my main interest is testing 
 OpenLDAP, and I'm also one of the maintainers of the Italian OpenLDAP ML), 
 and I'll be very happy to help you if I can. I will post you the 
 results of my tests (and a description of the environment).

 Thank you
 M.

 - Neal Garber wrote:
 Absolutely!  You can get it from http://bugs.freeradius.org 
 (then enter 17 for the bug number). 
  Thanks for your interest. 

 Out of curiosity, are you having the problem described in the bug or 
 are you just a kind soul who wants to help me by testing this?

 Neal
 
 *From:* Marco D'Ettorre
 *Sent:* Wednesday, September 23, 2009 12:31 PM
  *To:* Garber, Neal
  *Subject:* MS-CHAP Authentication / Bug 17
 Hi,
 
  is your patch available for download?
 
  Thanks
  M.

 *Ing. Marco D'Ettorre*
 Consultant
 *SysNet s.r.l.*
 *Gruppo Partners Associates*

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS with 2 certs/CAs etc

2009-09-30 Thread Garber, Neal
Hi Alan,

First, I don't profess to be an eap expert and what follows is based upon my 
understanding of how eap and RADIUS work..  I'm also interested to see if 
anyone else has any other thoughts..

 anyway, in summary, your RADIUS server has to answer to the old clients
 and the new clients. What is the best practice way or configuration to
 ensure that your RADIUS server can be both people...old servercert+old_CA 
 and new servertcert+new_CA so that it can deal with both types of clients.

I'm not sure if this is best practice and it certainly doesn't apply to all 
environments, but we control WiFi settings on our laptops using A/D group 
policy.  This way, we can quickly push out changes and/or new certificates.  
Then, if the RADIUS server certificate changes, it requires that the user logon 
via wired network to get policy updates before they can connect to our WiFi 
network.

As far as dual certificates, we do that, but for a different reason.  I use one 
virtual server and some unlang to direct the request at a specific eap instance 
(I have 2 instances).  I use one eap instance for internal WiFi networks (i.e., 
Corporate machines connecting to our internal network) and present an 
internally signed cert.  I have another eap instance for guest users which 
presents a publicly signed cert (to avoid the cumbersome process of 
distributing our internal CA's cert to the guests and teaching them how to 
install it on their system).  I determine which eap instance to call based upon 
the SSID to which they are connecting (which is in a request attribute).  So, 
it is possible to accomplish this with one server.  

However, unless you have a way to distinguish between machines that have 
received the new cert and machines that haven't, I can't think of a way for you 
to accomplish what you want.  If it's WiFi authentication, perhaps you could 
create a new SSID and have machines with the new cert connect to the new SSID 
(not difficult if you're changing which SSID is automatic and what cert. is 
acceptable through an automated method, e.g. A/D group policy).

The problem you have is that it's not FR that is causing the rejection.  
Rather, the client is rejecting the RADIUS server's certificate which causes 
the eap tunnel creation to fail.  You can't force the client to try again in 
this case and even if you could, how would you know that the 2nd try should go 
to a different eap instance (it's a new request and you can't make decisions 
based upon the results of historical requests that I know of).

 I'm thinking 2 virtual serversone with old eap.conf and the other
 with neweap.conf with each virtual server ready to deal with each type of  
 client - but then how to direct the incoming EAP to the right way. 

One or 2 virtual servers could work.  Your last question is the issue - you 
need a way to determine whether the client connecting has the new cert. because 
if you present the wrong one, the SSL connection will fail.  Once the tunnel 
creation fails, the client would need to send a new request in order to try 
again.

 I cant see the normal fall-through group working --because the client has 
 to create the EAP tunnel... or would a normal fallthrough system work...
 we send it to eap1 and if it fails send it to eap2 (which should be okay 
 if client config okay!) ?

I don't think so because the client is causing the tunnel creation to fail 
because the certificate wasn't acceptable.  If this were possible, then someone 
could create an SSID that matches yours and keep trying various certificates 
until it found one you liked.  The purpose of the server certificate validation 
is to reduce the probability that someone can spoof your infrastructure (which 
is why using internal certs is better because someone on the outside, in 
theory, couldn't digitally sign a cert. from your internal CA, but they could 
easily get a cert. from Verisign).

 I can envisage fronting it with a.n.other RADIUS solution which will proxy
 the request through a remote server list UNTIL it doesnt get a REJECT
 back.. but i dont want additional software in the mix

I don't think this will help for the reasons I described above..  

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: FreeRADIUS with 2 certs/CAs etc

2009-09-30 Thread Garber, Neal
 as Alan Dekok said...deploy a new CA in advanced
 and then sign server with that new CA and put cert into place.  

I read Alan's reply and it's logical (as usual ;-) ).  

Perhaps it wasn't stated because it was intuitively obvious, but the only thing 
I would add is that when the new CA cert is deployed to the clients, their 
wireless config should also be changed to accept both the new and old CA.  This 
way, when you eventually switch FR to the cert signed by the new CA, it will be 
accepted.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Redundant SQL

2009-09-21 Thread Garber, Neal
 Source code patched.

Thanks..

 The redundant sections work just fine
 for normal queries to radcheck & radreply.  If you're doing %{...},
 then the redundant sections don't apply.

Ah, now I understand.  I abandoned redundant and used if/elsif instead in my 
dynamic_client virtual server:

   if ("%{sqlaugs: SELECT ...}") {
      update control {
         FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
         FreeRADIUS-Client-Shortname = "%{sqlaugs: SELECT ...}"
         FreeRADIUS-Client-Secret = "%{sqlaugs: SELECT ...}"
         FreeRADIUS-Client-NAS-Type = "%{sqlaugs: SELECT ...}"
      }
   }
   elsif ("%{sqlroch: SELECT ...}") {
      update control {
         FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
         FreeRADIUS-Client-Shortname = "%{sqlroch: SELECT ...}"
         FreeRADIUS-Client-Secret = "%{sqlroch: SELECT ...}"
         FreeRADIUS-Client-NAS-Type = "%{sqlroch: SELECT ...}"
      }
   }

This works great.  Thanks again for your help Alan..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


MS-CHAP Authentication / Bug 17

2009-09-21 Thread Garber, Neal
I've been running 2.1.6 in Production with the patch from Bug 17, for a month, 
and everything has been working fine.  As a reminder, this patch corrects a bug 
in MS-CHAP with the calculation of the MS-CHAPv1 challenge passed to ntlm_auth. 
 It causes inappropriate Logon Failure errors, in certain circumstances having 
to do with the case of the userid and the logon method (see the bug report and 
previous posts for more details if you didn't follow the thread).  Others have 
reported this problem in the past and the workaround has been to create all 
users in a specific case and force the userid to the same case in FR. (I'd 
really like to see this fix incorporated in the code, as other RADIUS servers 
don't have this userid case-sensitivity issue and this gives people an 
opportunity to cast stones at FR.)

Arran: You seemed a bit interested in this patch - have you had the time/desire 
to apply and test it?

If anyone else has some time to apply and test the patch, it is very much 
appreciated.  Thanks in advance for your assistance and feedback..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: MS-CHAP Authentication / Bug 17

2009-09-21 Thread Garber, Neal
Alan, Thank you for taking the time to review the patch and for your feedback.

 has a look at this but it's only of interest for classic MS-CHAP
 activity rather than MSCHAPv2 in PEAP or TTLS - correct? 
 (in this case we wouldnt use this function or be able to test
 this at our site...but logically it all looks sane)

Actually, the problem definitely impacts PEAP/MSCHAPv2 (and I believe 
TTLS/MSCHAPv2 also because it's an error in MS-CHAP, but we don't use TTLS so I 
can't test that). (I haven't thought about it enough to know whether it affects 
v1, but it definitely occurs with v2 as that's where I found it.)

The problem occurs when the client creates the MS-CHAPv2 response and uses a 
userid whose case differs from what FR subsequently uses to create the 
challenge for ntlm_auth.

 a few changes though (?)  - its 'delimiter', not 'delimeter'  ;-)

True, but I just copied that line from what was already in the code.  I'm ok 
with fixing the spelling error as part of this patch though ;-)

 and...some RDEBUG2 starts with a white space and others print tight to
 the line - reason for such differences?

I was trying to mimic some of the existing code (when in Rome ;-) )...  For 
instance, there was already an RDEBUG2 for:

RDEBUG2(  NT Domain delimeter found, should we have enabled 
with_ntdomain_hack?);

I'm not opposed to eliminating the leading spaces if you think it is more 
readable.

BTW, I just fixed one of the attachments (rlm_eap_mschapv2.c patch).  I 
inadvertently had all 3 patches included in that one file - the replacement now 
only contains the changes for rlm_eap_mschapv2.c.  Sorry about the confusion..

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
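The case-sensitivity problem described in this thread is visible directly in the MS-CHAPv2 challenge derivation. The following is an added example in Python, not FreeRADIUS or Samba code: it implements the RFC 2759 ChallengeHash step and builds (without running) the ntlm_auth command line that the server would hand the result to. The ntlm_auth path, the names jdoe/JDoe/CORP and the challenge bytes are constructed assumptions. It shows that the 8-octet challenge passed to ntlm_auth changes with the letter case of the user name but not with a stripped NT domain prefix, so the server has to hash exactly the name the client hashed.

```python
"""MS-CHAPv2 challenge derivation and its sensitivity to the user name.

Added example (not FreeRADIUS or Samba code).  Only the SHA-1 step of
RFC 2759 section 8.2 (ChallengeHash) is implemented; the DES step that
produces the 24-octet NT-Response is left to ntlm_auth, whose command
line is built here but never executed.
"""
import hashlib
from typing import List


def bare_user_name(username: str) -> str:
    """Strip an NT domain prefix ("CORP\\jdoe" -> "jdoe").  Case is left alone."""
    return username.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    UserName is the account name without the domain, exactly as the peer
    used it: "JDoe" and "jdoe" hash to different 8-octet challenges.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must be 16 octets each")
    data = peer_challenge + auth_challenge + bare_user_name(username).encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_argv(username: str, domain: str, challenge: bytes, nt_response: bytes,
                   ntlm_auth_path: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Argument vector for Samba's ntlm_auth (ntlm_auth_path is an assumption).

    The value given to --challenge must be the challenge the client hashed
    its response against; otherwise ntlm_auth reports a logon failure even
    though the password is correct.
    """
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 octets, NT-Response 24 octets")
    return [
        ntlm_auth_path,
        "--request-nt-key",
        "--username=" + bare_user_name(username),
        "--domain=" + domain,
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]


def server_challenge_matches_client(client_username: str, server_username: str,
                                    peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True only if the server will feed ntlm_auth the challenge the client used.

    client_username is the name the supplicant hashed into its response;
    server_username is whatever the server uses afterwards (for example a
    User-Name it has lower-cased, or the canonical name returned by a
    case-insensitive directory lookup).
    """
    client_side = challenge_hash(peer_challenge, auth_challenge, client_username)
    server_side = challenge_hash(peer_challenge, auth_challenge, server_username)
    return client_side == server_side


if __name__ == "__main__":
    # Constructed challenges; in a real exchange the server picks the
    # authenticator challenge and the supplicant picks the peer challenge.
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    for client, server in (("jdoe", "jdoe"), ("CORP\\jdoe", "jdoe"), ("JDoe", "jdoe")):
        same = server_challenge_matches_client(client, server, peer, auth)
        print(f"client={client!r:12} server={server!r:8} same challenge: {same}")
    print(" ".join(ntlm_auth_argv("CORP\\jdoe", "CORP",
                                  challenge_hash(peer, auth, "jdoe"), bytes(24))))
```

The practical consequence is the one the thread reaches: any case-folding of User-Name, or substitution of the directory's canonical spelling, has to happen after the challenge has been derived from the name the client actually sent.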


RE: MS-CHAP Authentication / Bug 17

2009-09-21 Thread Garber, Neal
 hmm, okay - I'll only be able to introduce core systrems 
 with this patch in place after 2nd October - we currently 
 have a change freeze on main systems until then

That's fabulous.  Thanks for your time and willingness to test.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MS-CHAP Authentication / Bug 17

2009-09-21 Thread Garber, Neal
 google search for 'define:delimeter'
 Did you mean: define:delimiter  Top 2 results shown  :-)

You are clearly correct given the root of the word delimiter is delimit 
(not delimet) :-)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Lower case to Upper case in Calling-Station-Id at policy.conf

2009-09-18 Thread Garber, Neal
Did you create an alias in modules/perl that uses this script for authorize?  
Did you add the alias name to the authorize section of your default server?  
What return value are you using in the script (RLM_UPDATED)?

-Original Message-
From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
[mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
 On Behalf Of Hilton Guaraldi
Sent: Friday, September 18, 2009 1:13 PM
To: FreeRadius users mailing list
Subject: Re: Lower case to Upper case in Calling-Station-Id at policy.conf

Ok...

I tried $RAD_REQUEST{'Calling-Station-Id'} =
uc($RAD_REQUEST{'Calling-Station-Id'}).
I guess in the sub authorize of example.pl ..The only file
I saw sub authorize in...
If I am wrong, please help me what is the correct file!

Running radiusd -X nothing happens in MAC address. If it is
00-18-e7-41-ad-c2, it remains the same, not 00-18-E7-41-AD-C2, :-(

Must I include example.pl to radius in order to do
$RAD_REQUEST{'Calling-Station-Id'} =
uc($RAD_REQUEST{'Calling-Station-Id'}) work?

Guaraldi


2009/9/18 Alexander Clouter a...@digriz.org.uk:
> Hi,
>
> Hilton Guaraldi guara...@gmail.com wrote:
>
>> How can I use uc function below in order to change lower case to upper case?
>>
>> Ex. 00-18-e7-41-ad-c2 --->  00-18-E7-41-AD-C2
>>
>> In the policy.conf:
>
> When I last nosied through the source code there is no way.  I normally
> make sure all the policies are case insensitive *in* FreeRADIUS and when
> things get spat out to my SQL server I slip 'lower(...)' around the MAC
> addresses going in that direction.
>
> The only other way is to have a Perl script doing the work for you, but
> as you can use case insensitive regex to replace string matching, I
> would say it is not worth it.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Idleness is the holiday of fools.



RE: Pre-release of 2.1.7

2009-09-08 Thread Garber, Neal
> Does it apply cleanly to the current git head?

I created it about 2 weeks ago against the then current git head.  It changes 
rlm_eap_mschapv2.c, rlm_mschap.c & radius.h.  I don't believe any of these have 
changed in the past 2 weeks, so it should still apply cleanly.

I've been running with it applied for several weeks now without issues.  If you 
have a chance to test it, that would be great Arran.  

Thanks..



RE: Pre-release of 2.1.7

2009-09-08 Thread Garber, Neal
> It won't make 2.1.8.  Please submit a bug report and attach the patch.
> My preference for the patch is to split it into 2-3 pieces.

Bug # 17 created with separate attachments for each file changed.

> Messing with functionality in the MSCHAP module is a bit
> worrisome, as it's pretty core to a lot of systems.

I understand and share your concern.  

Perhaps some people would be willing to apply the patch and test it before it 
is included in a release to get additional confirmation that it doesn't break 
anything.

Thanks for your continued support Alan..



RE: Using multiple certificates

2009-09-07 Thread Garber, Neal
> I have been asked it it possible to run two SSIDs on our wireless,
> lets call them A and B that authorise against a FreeRADIUS server
> running as two virtual servers radiusA and radiusB.

I have two EAP instances for the purpose of serving 2 different certificates; 
so, what you want to do is definitely possible.  I serve both from the same 
virtual server and use unlang to determine which certificate to serve based 
upon SSID.  



RE: Pre-release of 2.1.7

2009-09-03 Thread Garber, Neal
> Build it, install it, and see if there are issues.

On FreeBSD 7.2 with libtool 2.2.6a:

- Built
- Installed
- Tested EAP-PEAP/MSCHAPv2, rlm_perl with no issues so far

No LD_PRELOAD needed for libperl.so with libtool 2.2.6.  

Do you think the MS-CHAP related patch I submitted will make 2.1.8?  Should I 
submit a bug report for it?



RE: rlm_perl / libtool / libltdl problem

2009-08-23 Thread Garber, Neal
Does this mean you are also having this problem with 2.2.6a of libtool/libltdl?
There isn't a permanent solution that I know of yet.  However, there is a 
workaround that you can use for now:

LD_PRELOAD=path_to_libperl.so /usr/local/sbin/radiusd

Where path_to_libperl.so is the full path for that file (e.g., it's 
/usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so on one of my systems).

-Original Message-
From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
[mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
 On Behalf Of Anton Brinyov
Sent: Sunday, August 23, 2009 6:17 PM
To: FreeRadius users mailing list
Subject: Re: rlm_perl / libtool / libltdl problem

Hi,

It means, there isn't solution for this problem now?

Thanks,
Anton


2009/8/18 Garber, Neal neal.gar...@energyeast.com:
>> Did I mention that I hate libtool and libltdl?  They're close to
>> *causing* more problems than they solve.
>
> Yes, on several occasions that I recall :)  I share your sentiments...
>
>> I actually started removing libltdl a while ago.  See
>> src/main/modules.c.  Look for WITHOUT_LIBLTDL.  I'll bet that if you
>> spent a bit of time hacking the source, you could get it to build & run
>> *without* libltdl.  At that point, the stupid "can't load library"
>> issues will go away.
>
> If I get some spare time (what's that :)), I'll see what I can do..



RE: MS 8021.x PEAP failing

2009-08-20 Thread Garber, Neal
> I've been playing around with conf/module files trying to strip the
> DOMAIN out of my login request - but no luck!

Have you tried with_ntdomain_hack = yes in the mschap module config?



RE: MS 8021.x PEAP failing

2009-08-20 Thread Garber, Neal
> Yup, that line is there. Much of the doc online is WAY out of date, so I'm
> wondering if by actually RTFM first I broke something?


Ok.  This may sound crazy and it may not be your problem, but, I thought I'd 
mention it anyway..  Look at the samAccountName attribute in A/D for a user 
that is failing and see if it is all lowercase.  If not and the userid wasn't 
entered with the exact case in A/D, then you may receive Logon failure in some 
circumstances.  Check to see if your debug output shows Logon failure from 
ntlm_auth.  If so, you may be having the same problem I've seen (incorrect 
MS-CHAPv1 challenge created by rlm_mschap because the User-Name attribute 
doesn't exactly match the userid in the MS-CHAPv2 response packet's Name 
field).  I have a patch for this problem that I just finished testing earlier 
today.  I need to clean it up a bit (remove excess debug code) and then I will 
submit it.  If this is affecting you, logging on with cached credentials, 
entering the user/password manually or logging on with the userid in correct 
case is a workaround.

RE: rlm_perl / libtool / libltdl problem

2009-08-18 Thread Garber, Neal
> Did I mention that I hate libtool and libltdl?  They're close to
> *causing* more problems than they solve.

Yes, on several occasions that I recall :)  I share your sentiments...

> I actually started removing libltdl a while ago.  See
> src/main/modules.c.  Look for WITHOUT_LIBLTDL.  I'll bet that if you
> spent a bit of time hacking the source, you could get it to build & run
> *without* libltdl.  At that point, the stupid "can't load library"
> issues will go away.

If I get some spare time (what's that :)), I'll see what I can do..



Unlang Question/Problem

2009-08-18 Thread Garber, Neal
I haven't had much sleep the past few days and just wanted another set of eyes 
on an issue I'm having.  Also, I won't be able to do more testing until 
tomorrow (user/equip. unavailable) and wanted to try to fix it before then.

I'm running FR 2.1.6 with patches to rlm_mschap & rlm_eap_mschapv2 to correct a 
problem with case-sensitive userids.  Anyway, the patch was working great for 
user auth. and failing for machine auth.  I used some unlang to get around the 
issue.  I haven't done a lot with unlang (and yes I read the man page), so I 
may be missing something simple.  I'm doing 802.1x authentication from Windows 
supplicant with PEAP/MS-CHAPv2.  Here's the authenticate section of my 
inner-tunnel server:

  authenticate {
    Auth-Type PAP {
      pap
    }
    Auth-Type CHAP {
      chap
    }
    Auth-Type MS-CHAP {
      if (User-Name =~ /host\/(.*)\.energyeast\.net/i) {
        update request {
          Ntlm-Auth-Username = "%{1}$"
        }
        updated
      }
      else {
        update request {
          Ntlm-Auth-Username = "%{User-Name}"
        }
        updated
      }
      mschap-inner
    }
    Auth-Type LDAP {
      ldap
    }
    eap-internal
    eap-comodo
  }

First, if I didn't include "updated" after the "update request" actions, then 
it would return reject.  Is that normal (I didn't call a module in there)?  
Should the unlang be outside of the Auth-Type MS-CHAP block?  Also, after 
Ntlm-Auth-Username is expanded, there's a "[request] returns reject".  I think 
this is the source of the problem, but I don't understand where the reject is 
coming from.  The mschap module that follows returns OK, but the subsequent 
eap-comodo module returns reject with no explanation in the debug.  Do I need 
something like:

eap-comodo {
    ok = return
}

Here's the relevant debug output:

Tue Aug 18 15:41:15 2009 : Info: Found Auth-Type = eap-comodo
Tue Aug 18 15:41:15 2009 : Info: +- entering group authenticate {...}
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] Request found, released from the 
list
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] EAP/mschapv2
Tue Aug 18 15:41:15 2009 : Info: [eap-comodo] processing type mschapv2
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +- entering group MS-CHAP {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i)
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ? Evaluating (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++? if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) -> TRUE
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] ++- entering if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) {...}
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] expand: %{1}$ -> US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschapv2] +++[request] returns reject
Tue Aug 18 15:41:15 2009 : Info: +++[updated] returns updated
Tue Aug 18 15:41:15 2009 : Info: ++- if (User-Name =~ 
/host\/(.*)\.energyeast\.net/i) returns updated
Tue Aug 18 15:41:15 2009 : Info: ++ ... skipping else for request 124: 
Preceding if was taken
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password 
configured.  Cannot create LM-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No Cleartext-Password 
configured.  Cannot create NT-Password.
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name 
(host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: 
mschap_authenticate: Creating challenge hash with username: 
host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] Told to do MS-CHAPv2 for 
host/US62695C.energyeast.net with NT-Password
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] No trailing :- after variable 
at %{Ntlm-Auth-UserName:-None}}
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] WARNING: Deprecated conditional 
expansion :-.  See man unlang for details
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: 
--username=%{%{Ntlm-Auth-UserName:-None}} -> --username=US62695C$
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]  mschap2: d1
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner]   Using MS-CHAP Response Name 
(host/US62695C.energyeast.net) to construct MS-CHAPv1 challenge
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] rlm_mschap: mschap_xlat: 
Creating challenge hash with username: host/US62695C.energyeast.net
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: 
--challenge=%{mschap:Challenge:-00} -> --challenge=943b358133b5bcac
Tue Aug 18 15:41:15 2009 : Info: [mschap-inner] expand: 
--nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=121180cc778e59746acb8c12aa6bb9ab7ab2099604c750eb

RE: MSChap via ntlm_auth problem

2009-08-17 Thread Garber, Neal
> I tried to use authentication via Active Directory domain.
> FreeRadius 2.1.6 returns error:

Try removing the single double quote (") just before the last right curly brace 
(}) at the bottom of the mschap file.

rlm_perl / libtool / libltdl problem

2009-08-17 Thread Garber, Neal
I've had FR 2.1.6 running on a FreeBSD 7.2 test server for some time now.  When 
I applied the rlm_mschap / rlm_eap_mschap patch I worked on over the weekend 
(which is working great btw - I will upload it shortly), I now get the 
following error on FR startup:

Can't load '/usr/local/lib/perl5/5.8.8/mach/auto/Data/Dumper/Dumper.so' for 
module Data::Dumper: 
/usr/local/lib/perl5/5.8.8/mach/auto/Data/Dumper/Dumper.so: Undefined symbol 
Perl_sv_cmp at /usr/local/lib/perl5/5.8.8/mach/XSLoader.pm line 70.
 at /usr/local/lib/perl5/5.8.8/mach/Data/Dumper.pm line 36

My friend google tells me that others have had this problem in the past (esp. 
on Debian) and the workaround is to use LD_PRELOAD=path_to_libperl.so 
/usr/local/sbin/radiusd
This does, in fact, work; but, isn't very satisfying as a permanent solution.  
I believe that libtool and libltdl were updated during the install of the patch 
and this is the source of the problem.  I'm now running FreeBSD 7.2 with 
libltdl-2.2.6a & libtool-2.2.6a (they were at 2.2.5 before).

Is anyone aware of any compatibility issues with libtool/libltdl 2.2.6a and 
FreeRADIUS?
Anyone have a more permanent solution that avoids the LD_PRELOAD ugliness?

I've tried rebuilding FR from the port with no subsequent patches and received 
the same result (FR wouldn't start without the LD_PRELOAD).  I also tried using 
the portdowngrade port to downgrade libtool & libltdl back to 2.2.5 which 
didn't seem to have this problem.  However, it only displayed 2.2.6a (i.e., I 
couldn't downgrade).  rlm_perl seems to be pointing to the proper libperl.so as 
shown below:

ldd output on rlm_perl.so shows:
/usr/local/lib/freeradius-2.1.6/rlm_perl.so:
        libfreeradius-radius-2.1.6.so => /usr/local/lib/freeradius-2.1.6/libfreeradius-radius-2.1.6.so (0x2816c000)
        libperl.so => /usr/local/lib/perl5/5.8.8/mach/CORE/libperl.so (0x28187000)
        libm.so.4 => /lib/libm.so.4 (0x28294000)
        libcrypt.so.3 => /lib/libcrypt.so.3 (0x282aa000)
        libutil.so.5 => /lib/libutil.so.5 (0x282c2000)

libtool output for rlm_perl:
libtool: install: warning: relinking `rlm_perl.la'
libtool: install: (cd 
/usr/ports/net/freeradius2/work/freeradius-server-2.1.6/src/modules/rlm_perl; 
/bin/sh /usr/local/bin/libtool  --mode=relink cc -release 2.1.6 -module 
-export-dynamic -L/usr/local/lib -pthread -o rlm_perl.la -rpath 
/usr/local/lib/freeradius-2.1.6 rlm_perl.lo rlm_perl.c 
/usr/ports/net/freeradius2/work/freeradius-server-2.1.6/src/lib/libfreeradius-radius.la
 -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE -pthread -Wl,-E -L/usr/local/lib 
/usr/local/lib/perl5/5.8.8/mach/auto/DynaLoader/DynaLoader.a 
-L/usr/local/lib/perl5/5.8.8/mach/CORE -lperl -lm -lcrypt -lutil )

*** Warning: Linking the shared library rlm_perl.la against the
*** static library /usr/local/lib/perl5/5.8.8/mach/auto/DynaLoader/DynaLoader.a 
is not portable!
libtool: relink: cc -shared  .libs/rlm_perl.o   -Wl,-rpath 
-Wl,/usr/local/lib/freeradius-2.1.6 -L/usr/local/lib 
-L/usr/local/lib/freeradius-2.1.6 -lfreeradius-radius -pthread 
/usr/local/lib/perl5/5.8.8/mach/auto/DynaLoader/DynaLoader.a 
-L/usr/local/lib/perl5/5.8.8/mach/CORE -lperl -lm -lcrypt -lutil  -pthread 
-Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE -pthread -Wl,-E -pthread -pthread 
-pthread   -pthread -Wl,-soname -Wl,rlm_perl-2.1.6.so -o .libs/rlm_perl-2.1.6.so
libtool: install: 
/usr/ports/net/freeradius2/work/freeradius-server-2.1.6/install-sh -c -c 
.libs/rlm_perl-2.1.6.soT /usr/local/lib/freeradius-2.1.6/rlm_perl-2.1.6.so
libtool: install: (cd /usr/local/lib/freeradius-2.1.6 && { ln -s -f 
rlm_perl-2.1.6.so rlm_perl.so || { rm -f rlm_perl.so && ln -s rlm_perl-2.1.6.so 
rlm_perl.so; }; })
libtool: install: 
/usr/ports/net/freeradius2/work/freeradius-server-2.1.6/install-sh -c -c 
.libs/rlm_perl.lai /usr/local/lib/freeradius-2.1.6/rlm_perl.la
libtool: install: 
/usr/ports/net/freeradius2/work/freeradius-server-2.1.6/install-sh -c -c 
.libs/rlm_perl.a /usr/local/lib/freeradius-2.1.6/rlm_perl.a
libtool: install: chmod 644 /usr/local/lib/freeradius-2.1.6/rlm_perl.a
libtool: install: ranlib /usr/local/lib/freeradius-2.1.6/rlm_perl.a

Thanks, in advance, for any help you can provide..

RE: MSCHAP Authentication Issue

2009-08-15 Thread Garber, Neal
> I will now proceed to create a patch.

The MS-CHAP2-Response attribute created by rlm_eap_mschapv2 does not include 
the Name field from the MS-CHAP response packet (as I suspected).  I thought 
the cleanest way to pass the Name field was to create another attribute in 
rlm_eap_mschapv2 before it calls rlm_mschap (I chose NTLM-User-Name as it's in 
the dictionary and I couldn't find it used anywhere).

I have coded/compiled the changes (radius.h changed to include 
PW_NTLM_USER_NAME; rlm_eap_mschapv2.c changed to create NTLM-User-Name request 
attribute before calling rlm_mschap.c; rlm_mschap.c changed to use 
NTLM-User-Name to construct MS-CHAPv1 challenge if it exists and it is same as 
User-Name (case-insensitive compare considering with_ntdomain_hack too). If no 
NTLM-User-Name found then use User-Name.  If the attributes are different, then 
log error and reject.  I will try to get back to work this weekend to do 
testing.  My plan is to get this working over the weekend and submit the 
patches by Monday.

Does this sound like a reasonable solution?  If not, feel free to suggest a 
different approach and I will make changes before submitting the patch files.

BTW, if I should be sending these type of messages to the devel list, please 
let me know.



RE: MSCHAP Authentication Issue

2009-08-15 Thread Garber, Neal
>> BTW, if I should be sending these type of messages to the devel list,
>> please let me know.
>
> I would suggest that should be the case :-)

Uh, sorry about that.  I rarely see anything on that list so I thought maybe it 
was no longer in use.  



RE: MSCHAP Authentication Issue

2009-08-15 Thread Garber, Neal
> I rarely see anything on that list

Ugh.  I guess I would have if I looked at the sender more closely..



RE: PEAP / mschapv2 Error Messages

2009-08-14 Thread Garber, Neal
> Depends on the NAS. But yeah, doing this breaks things. The best thing you
> can do is log the error in the post-auth section.

In V1 of FR, the rlm_mschap module used to create a Module-Failure-Message 
request attribute containing the output of ntlm_auth, if ntlm_auth failed 
(rlm_ldap does this too on user not found).  This code was removed in V2.  I've 
tried adding it back in but it doesn't work because in V2 another trip occurs 
after the failure.  So, the Module-Failure-Message attribute no longer exists 
when the reject is issued.

I'd like to capture the ntlm_auth output for logging purposes and need it 
available when the reject is sent.  I've thought about storing it in the eap 
handler so it survives the next trip; but, I'm not sure if this is the best 
alternative.  Does this seem like a reasonable solution or can you think of a 
better approach?  

Just to be clear, I'm not proposing sending this info back to the NAS, just 
capturing it for logging (so that if the user calls our help desk, they can 
determine why the authentication failed by looking in the log).

Thanks for your advice..



MSCHAP Authentication Issue

2009-08-14 Thread Garber, Neal
I realize that this issue has been brought up many times in the past.  However, 
I believe I have new information that I haven't seen reported before..

I'm having a problem with Windows XP supplicant authenticating to FR with 
PEAP/MSCHAPv2 where authentication fails sometimes depending upon various 
factors.  The same device I'm using to test wireless authentication, never has 
an issue authenticating to my old dain-bramaged Cisco ACS servers.  As a 
result, I decided to investigate what might be different about FreeRadius 
(perhaps Samba I thought, but didn't want to make assumptions).

I don't profess to be an MS-CHAP expert, so what I'm about to say may be 
completely off-base.. After performing many tests (see below) and reviewing 
RFC2579 and the code in rlm_mschap.c, I'm hypothesizing that the problem is 
with how rlm_mschap calculates the challenge hash that is passed to ntlm_auth.  
Specifically, rlm_mschap uses the User-Name attribute as part of the 
calculation of the hash.  What I'm finding is that, in some cases, the 
User-Name attribute doesn't match the case of the Name field in the MS-CHAP 
response (i.e., the userid is the same, it just differs in case).  In the tests 
I've performed, when these userids don't match in case, I get a Logon Failure 
from ntlm_auth.  I'd really like this to just work as is commonly said around 
these parts without additional gymnastics (such as changing all userids to 
lowercase).

Does this seem like a plausible explanation for what's happening?  If not, does 
anyone have any other ideas?  I need to resolve this in order to retire two old 
and cranky (and fairly useless because they don't really do authorization) ACS 
servers!  I'm going to try a change to rlm_mschap so it passes the Name field 
from the MS-CHAP response to the challenge_hash function (as opposed to the 
User-Name attribute) to see if that resolves the issue.  I realize that 
ultimately it's Windows fault that it doesn't pass the userid with consistent 
case (i.e., Identity vs. MS-CHAP response); but, I don't want the ACS server to 
be seen as a better, more tolerant solution.  So, it would be great to make FR 
more tolerant of this aberrant behaviour.

Thanks in advance for any advice/help/suggestions you can provide..

Here's what I tested and what I observed that caused me to draw the above 
conclusion:

Background: Windows XP SP3 laptop using std. Windows wireless supplicant 
EAP/PEAP/MS-CHAPv2 -> Cisco 1232AP -> FR 2.1.6 (with rlm_perl patch) running on 
FreeBSD 7.2.  In all the tests below, the same SSID, wireless network 
configuration on the laptop, AP, userid and password were used (the domain and 
user listed below are contrived, but are representative of the case I saw in 
the debug output).

Laptop Logon Method | Wireless Credentials Passed Man/Auto | MS-CHAP Response Packet Name field | User-Name Request Attribute | ntlm_auth Authentication Result
--------------------|--------------------------------------|------------------------------------|-----------------------------|--------------------------------
Domain logon (via Ethernet) with all lowercase userid entered on gina | Manually entered all lowercase userid when supplicant prompted | MYDOMAIN\myuser | MYDOMAIN\myuser | SUCCESS
Domain logon (via Ethernet) with all lowercase userid entered on gina | Supplicant configured to auto. pass Windows credentials | MYDOMAIN\MyuseR | MYDOMAIN\myuser | Logon failure (0xc06d)
Locally cached credentials (on laptop) with all lowercase userid entered on gina | Manually entered all uppercase userid when supplicant prompted | MYUSER | MYUSER | SUCCESS
Locally cached credentials (on laptop) with all lowercase userid entered on gina | Manually entered all lowercase userid when supplicant prompted | myuser | myuser | SUCCESS
Locally cached credentials (on laptop) with all lowercase userid entered on gina | Supplicant configured to auto. pass Windows credentials | MYDOMAIN\MyuseR | MYDOMAIN\MyuseR | SUCCESS



RE: MSCHAP Authentication Issue

2009-08-14 Thread Garber, Neal
> Well... that's a good reason to make sure we do it right.  Any day
> where we can replace another RADIUS server with FreeRADIUS is a good day.

My feelings exactly :)

> I suspect that it will.  The mschap module should also pass the Name
> field when calling ntlm_auth, too.  And maybe print a warning if the
> fields are different.

I constructed a test program by extracting challenge_hash from rlm_mschap.c 
(and all supporting functions).  I then extracted the peer challenge, 
authenticator challenge and NT-Response from the debug output of a failed 
request (User-Name was all lowercase, Name field was mixed case).  I called 
challenge_hash with the all lowercase userid (to ensure it generated the same 
challenge as the failed request) - the challenge was identical.  I then 
generated another challenge with the userid from the Name field in the 
response.  Then, I executed ntlm_auth manually with the original challenge and 
the new challenge.  The original failed (as I expected) and, lo and behold, 
the new challenge (created using the Name field's userid) succeeded!

I will now proceed to create a patch.  I was planning to do a strncasecmp to 
ensure the only difference between the userid part of User-Name and the userid 
part of the Name field is case.  If there are non-case differences, do you 
think a RLM_REJECT is in order or do you think it should just warn and use 
whatever is present (I can't think of a normal case where this would occur, but 
if you think this is better, then I would definitely use the Name field for the 
username parameter too)?  I was thinking of rejecting the request, in this 
case, so this couldn't be used to bypass authorization.

Interestingly, I copied the challenge and response from a successful and failed 
attempt and manually called ntlm_auth varying the case of the --username 
parameter and it didn't affect the results.  In other words, --username=MYUSER 
or --username=myuser or --username=MyuseR all behave the same if the 
--challenge and --nt-response are correct).

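Added example, my own code rather than anything from the thread or from FreeRADIUS: the ChallengeHash() step of RFC 2759 that the test program above reproduced, the case-only name-agreement check the patch describes, and the host/NAME.domain to NAME$ rewrite from the "Unlang Question/Problem" message earlier on this page. The two 16-byte challenges are constructed values, the energyeast.net suffix is taken from that unlang regex and assumed here, and the domain-stripping mirrors what with_ntdomain_hack does before hashing.

```python
import hashlib
import re
from typing import Optional, Tuple

# Constructed sample challenges (16 bytes each); not taken from the thread's debug output.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTH_CHALLENGE = bytes(range(0xA0, 0xB0))

# Assumed domain suffix, copied from the unlang regex earlier in the thread.
MACHINE_NAME_RE = re.compile(r"^host/(.*)\.energyeast\.net$", re.IGNORECASE)


def strip_nt_domain(name: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix, the way with_ntdomain_hack does before hashing."""
    return name.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    The name is hashed byte for byte, so 'myuser' and 'MyuseR' yield different
    8-byte challenges even though the domain controller treats them as one account."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must be 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii")).digest()
    return digest[:8]


def names_agree(user_name: str, response_name: str) -> bool:
    """The consistency check the thread's patch describes: once any NT domain prefix
    is dropped, the RADIUS User-Name and the Name field of the MS-CHAPv2 Response
    may differ in case only (strncasecmp in the C patch)."""
    return strip_nt_domain(user_name).lower() == strip_nt_domain(response_name).lower()


def hash_name(user_name: str, response_name: Optional[str]) -> str:
    """Choose the name fed to challenge_hash(). The Response's Name field is what the
    supplicant actually hashed, so it is used when present; a Name that differs from
    User-Name by more than case is rejected, so the field cannot be used to answer the
    challenge as a different account than the one being authorized."""
    if response_name is None:
        return strip_nt_domain(user_name)
    if not names_agree(user_name, response_name):
        raise ValueError("MS-CHAPv2 Response Name does not match User-Name")
    return strip_nt_domain(response_name)


def ntlm_auth_username(user_name: str) -> str:
    """The rewrite the thread's unlang performs: a machine authentication arrives as
    host/NAME.energyeast.net and ntlm_auth needs the machine account NAME$; any other
    User-Name is passed through unchanged."""
    match = MACHINE_NAME_RE.match(user_name)
    return f"{match.group(1)}$" if match else user_name


def demonstrate() -> Tuple[str, str]:
    """Reproduce the failing row of the thread's table: User-Name 'MYDOMAIN\\myuser'
    while the Response Name is 'MYDOMAIN\\MyuseR'. Returns the challenge derived from
    User-Name and the one derived from the Response Name, both as hex."""
    from_user_name = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                                    strip_nt_domain("MYDOMAIN\\myuser"))
    from_response = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                                   hash_name("MYDOMAIN\\myuser", "MYDOMAIN\\MyuseR"))
    return from_user_name.hex(), from_response.hex()


if __name__ == "__main__":
    a, b = demonstrate()
    print("challenge from User-Name:    ", a)
    print("challenge from Response Name:", b)
    print("machine account for host/US62695C.energyeast.net:",
          ntlm_auth_username("host/US62695C.energyeast.net"))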


RE: mschap auth for multiple realms off different domain ctlrs?

2009-07-30 Thread Garber, Neal
> radiusd.conf[723] Failed to link to module 'rlm_mschap_co1': Shared object
> rlm_mschap_co1.so not found, required by radiusd
> radiusd.conf[1949] Unknown module mschap_co1.
> radiusd.conf[1949] Failed to parse mschap_co1 entry.

Did you create 3 instances of mschap using aliases like below?

mschap {
  .
  .
  .
}
mschap mschap_co1 {
  .
  .
}
mschap mschap_co2 {
  .
  .
}



RE: rlm_perl problems]

2009-07-29 Thread Garber, Neal
> I know how to patch. I was just trying to find out what was the error.

Igor: I hope you weren't offended by my assumption - I wasn't sure, based upon 
your comment, and I was just trying to help.  If I offended you, I apologize.  
By the way, out of curiosity, did the patch work for you on 2.1.7 also?



RE: rlm_perl problems]

2009-07-28 Thread Garber, Neal
> I didn't try it yet and i am not very good in C. Error that I and Neal
> had is something regarding OS or...? I don't see anyone else having this
> problem except me and Neal.

The error is in rlm_perl and appears related to thread data management, not the 
O/S and not perl (I run FreeBSD and you run CentOS; we even have different 
versions of perl).  Boian can explain the change far better than I can; but, my 
interpretation of the change is that the thread specific data key is now 
created upon perl module instantiation and stored with the instance data (so 
there's now a separate key for each perl instance we defined in FreeRadius).  
(Perhaps someone will correct me if I interpreted it incorrectly.)

When you say you're not good in C, if you mean you are unsure how to apply 
the patch, try this:

1. Put the .diff file in the directory with rlm_perl.c (src/modules/rlm_perl is 
the directory).  
2. Then use the patch command to update rlm_perl.c (it creates rlm_perl.c.orig 
as a backup and updates rlm_perl.c): 
patch rlm_perl.c rlm_perl.diff
3. Rebuild/install FreeRadius from source
4. Test
5. Say thank you to Boian (and Ivan as he helped also)..



RE: Captive portal: can I use chap or pap in conjunction with ntlm_auth?

2009-07-28 Thread Garber, Neal
> Do you have any ideas about getting chilispot to work with users who
> are retrieved from AD via winbind and ntlm_auth

I don't know Chilispot, but if it can pass a cleartext password, then you can 
use ntlm_auth in a script to do the authentication.  For other devices that 
send an A/D user and a cleartext password in User-Password, I use ldap in the 
authorization section and then:

Auth-Type ldap {
    perl_ntlm
}

In the authentication section after ms-chap and eap.  In the script you call 
ntlm_auth and parse the response.

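Added example, my own code and not the perl_ntlm script or anything from FreeRADIUS: the "call ntlm_auth and parse the response" step in Python, for a device that delivers a cleartext User-Password. The two sample output lines are constructed in the format ntlm_auth prints for a one-shot --username/--password check, and the injectable runner exists only so the accept/reject decision can be exercised without Samba or winbind present.

```python
import subprocess
from typing import Callable, Sequence, Tuple

# Constructed sample outputs in the shape ntlm_auth prints for a one-shot
# --username/--password check: "NT_STATUS_<NAME>: <message> (<code>)".
SAMPLE_OK = "NT_STATUS_OK: Success (0x0)\n"
SAMPLE_FAIL = "NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)\n"


def split_domain_user(user_name: str, default_domain: str) -> Tuple[str, str]:
    """Split 'DOMAIN\\user' into (domain, user); a bare user gets the default domain."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    return default_domain, user_name


def ntlm_auth_command(user_name: str, password: str, default_domain: str) -> Sequence[str]:
    """Argument vector for ntlm_auth's cleartext check. The password sits in argv for
    the lifetime of the short ntlm_auth run, where other local users can read it;
    rlm_mschap avoids that by passing the MS-CHAP challenge and response instead."""
    domain, user = split_domain_user(user_name, default_domain)
    return ["ntlm_auth", f"--username={user}", f"--password={password}", f"--domain={domain}"]


def parse_ntlm_auth(exit_code: int, stdout: str) -> Tuple[bool, str]:
    """Accept only when ntlm_auth exited 0 AND printed an explicit NT_STATUS_OK; any
    other combination (wrong password, winbind down, empty output) is a reject.
    The status line is returned alongside the decision so the caller can log it,
    which is what the help desk needs when a user asks why a logon failed."""
    lines = stdout.strip().splitlines()
    first = lines[0].strip() if lines else ""
    status = first.split(":", 1)[0].strip()
    accepted = exit_code == 0 and status == "NT_STATUS_OK"
    return accepted, first or f"ntlm_auth exited {exit_code} with no output"


def check_password(user_name: str, password: str, default_domain: str,
                   run: Callable[..., subprocess.CompletedProcess] = subprocess.run
                   ) -> Tuple[bool, str]:
    """Run ntlm_auth (or an injected stand-in) and map the result to accept/reject.
    A missing binary or a hung winbind is a reject with the reason, never an accept."""
    try:
        proc = run(ntlm_auth_command(user_name, password, default_domain),
                   capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, f"ntlm_auth could not be run: {exc}"
    return parse_ntlm_auth(proc.returncode, proc.stdout)


def fake_runner(exit_code: int, stdout: str) -> Callable[..., subprocess.CompletedProcess]:
    """Stand-in for subprocess.run so the decision logic can be exercised offline."""
    def run(cmd: Sequence[str], **kwargs) -> subprocess.CompletedProcess:
        return subprocess.CompletedProcess(list(cmd), exit_code, stdout=stdout, stderr="")
    return run


if __name__ == "__main__":
    print(check_password("MYDOMAIN\\myuser", "secret", "MYDOMAIN", run=fake_runner(0, SAMPLE_OK)))
    print(check_password("MYDOMAIN\\myuser", "wrong", "MYDOMAIN", run=fake_runner(1, SAMPLE_FAIL)))
```

In a real rlm_perl (or rlm_python) authenticate hook the same two steps apply: build the argument vector from the request's User-Name and User-Password, then map exit status plus the NT_STATUS line to RLM_MODULE_OK or RLM_MODULE_REJECT, logging the line on reject.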


RE: rlm_perl problems]

2009-07-27 Thread Garber, Neal
Boian,

SUCCESS!  Thank you , thank you, thank you!  I applied the patch to my test 
2.1.6 system and it eliminated the Seg Fault and all of the strange behaviour.  
My perl scripts now function as they do in Production.  I am extremely grateful 
for the time you spent debugging this issue and creating a patch in such a 
timely manner.

I hope Igor experiences a similar euphoria..

Thanks again..

-Original Message-
From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
[mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
 On Behalf Of Boian Jordanov
Sent: Monday, July 27, 2009 10:09 AM
To: si...@blic.net; FreeRadius users mailing list
Cc: Boian Jordanov
Subject: Re: rlm_perl problems]


On Jul 26, 2009, at 12:59 AM, si...@blic.net si...@blic.net wrote:

> Igor wrote:
>
> I have tried 2.1.7 and got same error. I will try to compile it with
> --enable-developer and see if i can find out anything from gdb
> output.
> I realy don't know why would this happen because exactly the same
> setup worked on
> older releases. All i did was to compile the new version (2.1.6)
> and then copy
> old raddb dir.
>
> I am not sure why i got so many no debugging symbols found but i
> did per
> doc/bugs instructions.
> This is gdb output:

Try attached patch.




RE: Error: rlm_eap: Failed to store handler

2009-07-27 Thread Garber, Neal
> freeradius 2.1.1-6 crashes in a few minutes and
> shows this error Error: rlm_eap: Failed to store handler.

There is documentation that describes what to do if FreeRadius crashes.  Look 
in the file doc/bugs in the distribution and it gives specific instructions for 
using gdb to produce information about the crash.  Also, is 2.1.1-6 really 
the version printed by the radiusd -v command?



RE: rlm_perl problems

2009-07-24 Thread Garber, Neal
I've been debating sending a similar message to the list as well.  I am also 
experiencing the same problem with 2.1.6 (undefined subroutines that *clearly* 
exist in the script) and Seg Faults.  I have reinstalled perl and then 
reinstalled FreeRadius to see if I can work around the issue with no success.  

Even the example.pl that comes with FR 2.1.6 fails.  Currently, I have some of 
my scripts disabled to workaround the problem.

-Original Message-
From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org 
[mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org]
 On Behalf Of Igor Smitran
Sent: Friday, July 24, 2009 8:30 AM
To: freeradius-users@lists.freeradius.org
Subject: rlm_perl problems]

I am using Freeradius 2.1.6.

I have a working setup of freeradius with perl scripts inside authorize
and accounting sections.
Everything works great when i am using only one script.
But. if i add another script to do some other stuff for example in
post-auth section i get errors in log and freeradius dies.

Error i get is:
Error: rlm_perl: perl_embed:: module =
/etc/raddb/config_dialup/perl_script_2.pl , func = post_auth exit
status= Undefined subroutine main::post_auth called.

My perl setup is like this:

perl perl_script_1 {
    module = ${confdir}/config_dialup/perl_script_1.pl
    func_authorize = authorize_check_username
    func_accounting = accounting_check_username
}

perl perl_script_2 {
    module = ${confdir}/config_dialup/perl_script_2.pl
}



If i put everything into one script, like this:


perl perl_script_1 {
    module = ${confdir}/config_dialup/perl_script_1.pl
    func_authorize = authorize_check_username
    func_accounting = accounting_check_username
}

perl perl_script_2 {
    module = ${confdir}/config_dialup/perl_script_1.pl
}

then everything is ok. Did any of you have these problems?

Thank you



