SV: Controlling with Auth-Type a client must use
Hello Alan
Thanks for the answer.
But I allready did that !!!
I configured my passwd module with kmdov3 works fine.
I added the kmdov3 in the top pf the authorize section of sites-enabled/default
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
# auth_log
kmdov3
...
..
Unix
...
..
Pap
But still the unix authorization is used and the client is rejected because of
the invalid shell.
Is it not possible to force a single client to use only one type of
authorization etc. Kmdov3 ?
Do I need to add something to the authentication section?
Here is the full debug log of the client call and you can see that kmdov3
returns OK but the unix on fails with the invalid shell
rad_recv: Access-Request packet from host 131.165.80.37 port 9183, id=169,
length=61
User-Name = jmd
User-Password = password
NAS-IP-Address = 127.0.0.1
NAS-Port = 8158
NAS-Port-Type = Virtual
Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...}
Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok
Fri Jul 23 07:57:40 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg'
to config_items
Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok
Fri Jul 23 07:57:40 2010 : Info: [radius_group] Added Radius1-Group:
'wcs-superadmin' to request_items
Fri Jul 23 07:57:40 2010 : Info: ++[radius_group] returns ok
Fri Jul 23 07:57:40 2010 : Info: ++[chap] returns noop
Fri Jul 23 07:57:40 2010 : Info: ++[mschap] returns noop
Fri Jul 23 07:57:40 2010 : Info: [suffix] No '@' in User-Name = jmd, looking
up realm NULL
Fri Jul 23 07:57:40 2010 : Info: [suffix] No such realm NULL
Fri Jul 23 07:57:40 2010 : Info: ++[suffix] returns noop
Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP
Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop
Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1]
Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject
Fri Jul 23 07:57:40 2010 : Info: Using Post-Auth-Type Reject
Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...}
Fri Jul 23 07:57:40 2010 : Info: [attr_filter.access_reject]expand:
%{User-Name} - jmd
Fri Jul 23 07:57:40 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated
Fri Jul 23 07:57:40 2010 : Info: Delaying reject of request 1 for 1 seconds
Fri Jul 23 07:57:40 2010 : Debug: Going to the next request
Fri Jul 23 07:57:40 2010 : Debug: Waking up in 0.9 seconds.
Fri Jul 23 07:57:41 2010 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 169 to 131.165.80.37 port 9183
Fri Jul 23 07:57:41 2010 : Debug: Waking up in 4.9 seconds.
Fri Jul 23 07:57:46 2010 : Info: Cleaning up request 1 ID 169 with timestamp +89
Fri Jul 23 07:57:46 2010 : Info: Ready to process requests.
Best regards
Jan Madsen
-Oprindelig meddelelse-
Fra: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org
[mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] På vegne af
Alan DeKok
Sendt: 22. juli 2010 14:20
Til: FreeRadius users mailing list
Emne: Re: Controlling with Auth-Type a client must use
Madsen.Jan JMD wrote:
I’m using the module passwd working fine, and I have enabled unix
authentication in my default section.
Don't. Use pap. It can do crypt authentication.
Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject
Which is what the Unix module does.
But what I want to do is to set the client ONLY to use kmdov3 as my
authentication and not the Unix one. Is this possible?
No. You want crypt authentication, without checking /etc/passwd.
Use the pap module.
When you say only to use kmdov3 as my authentication, it means you
have confused authorization and authentication. They are *very* different.
I have been trying to use the Auth-Type attribute, but can’t figure out
how to tell that I want to use the kmdov3 authentication type.
Don't. Don't set Auth-Type. In the default configuration, all you
need to do is:
1) configure the kmdov3 module in raddb/modules
2) list kmdov3 in the authorize section *before* the pap module
3) authentication *will* work
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP dont decrypt
I need help with the pap module.
I set modules/pap auto_header = yes, but if I start a test connect pap say:
[pap] No clear-text password in the request. Not performing PAP.
The password is MD5.
Lionne Stangier
Radius -X
Its looks like the pap module can't load.
-
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP userPassword mapped to RADIUS MD5-Password
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x825fe58
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = /usr/local/var/log/radius/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = /usr/local/etc/raddb/users
acctusersfile = /usr/local/etc/raddb/acct_users
preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
compat = no
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
Fwd: return a special value in reply when simultaneous use
Hello again, I continue working on this, but I can't find the solution. Can I check the result of simul_count_query? Thank you again Ana Gallardo Gómez - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP dont decrypt
Lionne Stangier wrote: I need help with the pap module. I set modules/pap auto_header = yes, but if I start a test connect pap say: [pap] No clear-text password in the request. Not performing PAP. The password is MD5. You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server and EAP request. Don't do that. And if the passwords are stored as MD5, go read: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PAP dont decrypt
Lionne Stangier wrote: I need help with the pap module. I set modules/pap auto_header = yes, but if I start a test connect pap say: [pap] No clear-text password in the request. Not performing PAP. The password is MD5. You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server and EAP request. Don't do that. And if the passwords are stored as MD5, go read: http://deployingradius.com/documents/protocols/compatibility.html Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed passwords. So don't even try. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: PAP dont decrypt
You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server and EAP request. Don't do that. It was only a try ;) And if the passwords are stored as MD5, go read: http://deployingradius.com/documents/protocols/compatibility.html I know this side because of that I tested pap. Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed passwords. So don't even try. I know that they don’t work. Clear Text passwords in the ldap are a no go. Cant pap encrypt the passwords and than eap or peap will start? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mac-auth checking in sites-enabled/default
On 07/22/2010 11:50 PM, Tom Leach wrote:
I'm currently using Freeradius v2.1.9 and I'm trying to write a
condition in the authorize section to use a different module depending
on whether Mac-auth or someother auth is being called.
In reading the wiki (http://wiki.freeradius.org/Mac-Auth) it appears
that I want to check (Chap-Password == hash(User-Name)) but I'm having a
problem getting the unlang syntax correct.
So far, I've tried:
if (Chap-Password == hash(User-Name)){
which fails with:
Consecutive conditions at (User-Name))
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
AFAIK hash() or function calls in generall aren't a feature of unlang.
Maybe the wiki page is listing pseudo-code?
You want something like:
if (User-Name =~ /..:..:..:..:..:../) {
}
...or whatever format the mac address is in I guess. If you can be more
specific about what the two incoming requests you want to distinguish
look like, I can be more specific in a suggestion ;o)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AW: PAP dont decrypt
On 07/23/2010 09:18 AM, Lionne Stangier wrote: You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server and EAP request. Don't do that. It was only a try ;) Sadly, many people take a hatchet to the configs then seem surprised when things don't work! Best to make small changes one at a time and test them, and put your configs into version control so you can roll them back. And if the passwords are stored as MD5, go read: http://deployingradius.com/documents/protocols/compatibility.html I know this side because of that I tested pap. Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed passwords. So don't even try. I know that they don’t work. Clear Text passwords in the ldap are a no go. Cant pap encrypt the passwords and than eap or peap will start? Won't work really means it. PEAP/MS-CHAP requires access to the plaintext password or NT/LM hashes, or access to a domain controller with such via use of the ntlm_auth helper and Samba. It is cryptographically impossible for it to be otherwise I'm afraid. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mac-auth checking in sites-enabled/default
On Jul 23, 2010, at 1:31 AM, Phil Mayers wrote:
On 07/22/2010 11:50 PM, Tom Leach wrote:
I'm currently using Freeradius v2.1.9 and I'm trying to write a
condition in the authorize section to use a different module depending
on whether Mac-auth or someother auth is being called.
In reading the wiki (http://wiki.freeradius.org/Mac-Auth) it appears
that I want to check (Chap-Password == hash(User-Name)) but I'm having a
problem getting the unlang syntax correct.
So far, I've tried:
if (Chap-Password == hash(User-Name)){
which fails with:
Consecutive conditions at (User-Name))
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
AFAIK hash() or function calls in generall aren't a feature of unlang. Maybe
the wiki page is listing pseudo-code?
The wiki is listing pseudo code. The examples below the pseudo code are in
unlang...
-Arran
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP search problem
I have FreeRADIUS 2.1.1 setup on SUS server 10.1
We are wanting to do a LDAP connection to Novell edirectory server for our
users.
From the debug out put the LDAP session binded corectly
The searched part failed.
I would like to know did the radius server send out the loging name as
uid=53986067? as indicated below.
rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC,
with filter (uid=53986067)
When i do a ldapsearch -h 10.219.176.30 -b
ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067
I get no results.
If i use -x cn=53986067 the user is found.
I used radtest to do the testing
Debug File
---
FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Nov 19 2008
at 16:17:41
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib/freeradius
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}autharise a user.
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
}
client 10.219.139.253/24 {
require_message_authenticator = no
secret = freeradius
shortname = DoHICTFrere
nastype = other
}
client 10.219.220.2/23 {
require_message_authenticator = no
secret = qwerty123456
shortname = DoHICTFrere
nastype = other
}
radiusd:
No-AUTH method
Hi, Dear Feeradius USER
After correcting my default file in /etc/freeradius/sites-available,
I've got the following errors after testing authentication:
It's seems to be a missing authentification method in my configuration.
We're using a CISCO4400 controler, and the 'Web RADIUS authentication'
parameter
is set to 'PAP' on my Controller./
Cleaning up request 1 ID 14 with timestamp +376
Waking up in 1.0 seconds.
Cleaning up request 2 ID 15 with timestamp +377
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 40925, id=168,
length=57
User-Name = irech
User-Password = tmcqtv0
NAS-IP-Address = 192.168.55.150
NAS-Port = 10
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = irech, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [irech/tmcqtv0] (from client localhost port 10)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - irech
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 168 to 127.0.0.1 port 40925
Waking up in 4.9 seconds.
Cleaning up request 3 ID 168 with timestamp +548
Ready to process requests.
auth: No authenticate method (Auth-Type) configuration found for the re/q
Could you help me to go on ?
Best Regards
--
__
Isabelle RECH LE RECIS
Enssib
Département informatique
17-21 Bd du 11 Novembre 1918
69623 Villeurbanne Cedex
Tel : 04 72 44 43 34
http://www.enssib.fr/
__
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: AW: PAP dont decrypt
Sadly, many people take a hatchet to the configs then seem surprised when things don't work! Best to make small changes one at a time and test them, and put your configs into version control so you can roll them back. I test freeradius. I can roll back every time ;) Won't work really means it. PEAP/MS-CHAP requires access to the plaintext password or NT/LM hashes, or access to a domain controller with such via use of the ntlm_auth helper and Samba. It is cryptographically impossible for it to be otherwise I'm afraid. Hmm I will test samba ;) Thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: LDAP search problem
When i do a ldapsearch -h 10.219.176.30 -b
ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067
I get no results.
If i use -x cn=53986067 the user is found.
Open the ldap modul config set:
Filter = (cn=%{Stripped-User-Name:-%{User-Name}})
Lionne Stangier
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: No-AUTH method
Isabelle RECH wrote: It's seems to be a missing authentification method in my configuration. We're using a CISCO4400 controler, and the 'Web RADIUS authentication' parameter is set to 'PAP' on my Controller./ Did you configure a known good password for the user? rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. No. How do you expect the server to authenticate the user when it doesn't know who the user is, and it doesn't know which password is correct? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AW: PAP dont decrypt
Lionne Stangier wrote: You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server and EAP request. Don't do that. It was only a try ;) The FAQ, man radiusd page, and other documentation all say to *not* butcher the default configuration. So... why did you do it? I know that they don’t work. Clear Text passwords in the ldap are a no go. Cant pap encrypt the passwords and than eap or peap will start? You're saying you read the page and understand it, but you're still asking how to do the impossible. This means you didn't understand the web page. And using Samba won't help. Samba is used to do MS-CHAP authentication to Active Directory. If you're not running Active Directory, there is *no* need to use Samba. You are are operating under the misconception that there is some magic configuration which will get PEAP working with MD5 passwords. No such configuration exists. It's impossible. Stop trying. Your messages on this list show that you do not believe the experts here, or the documentation that we wrote. If this is really the case, there is no reason for you to ask questions here. You have already decided we don't know what we're talking about, and you have no intention of following our advice. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SV: Controlling with Auth-Type a client must use
Madsen.Jan JMD wrote: But still the unix authorization is used and the client is rejected because of the invalid shell. Because you listed unix in the authorization section. If you don't want to use the Unix module, delete it from the authorization section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP search problem
Wayne Van der Merwe wrote:
I have FreeRADIUS 2.1.1 setup on SUS server 10.1
We are wanting to do a LDAP connection to Novell edirectory server for
our users.
From the debug out put the LDAP session binded corectly
The searched part failed.
I would like to know did the radius server send out the loging name as
uid=53986067? as indicated below.
rlm_ldap: performing search in
ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (uid=53986067)
Because:
1) the Access-Request contains 53986067 as the User-Name
2) the ldap module is configured to use uid=%{User-Name}
This is all shown in the debug output.
When i do a ldapsearch -h 10.219.176.30 -b
ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067
I get no results.
If i use -x cn=53986067 the user is found.
So... edit the ldap module configuration to use cn=%{User-Name}
instead of uid. There's a reason the configuration files are text:
they can be edited.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up pam_radius_auth
Mike J wrote: Now obviously is says there's a problem with the secret, but I believe I've setup the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong? Either the password is incorrect, or the MD5 calculations on the PAM or server side are broken. If this is a PPC system, the PAM module might not have been built correctly. You could also try install radclient on the same system as the PAM module. If radclient works and PAM doesn't, then the PAM module wasn't built correctly. See the pam_radius_auth.c file for how to build it. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: return a special value in reply when simultaneous use
Hello again,
I'm working with Freeradius 2.1.8
I'm using session (sql) to control simultaneous use.
I would like to return a special value if an user try to access with
credentials in use.
I have it working adding a new attribute to request list whit the result of
the simul_count_query, and checking this value later in post_auth section.
session {
if (%{Realm} == xxx.es) {
update request {
Num-Open-Session := %{sql:SELECT COUNT(*) FROM
radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}
}
sql
}
}
post-auth {
sql
if (fail) {
update reply {
Codigo-Reject := Imposible-Contactar-Backend
}
reject
}
Post-Auth-Type REJECT {
if (%{request:Num-Open-Session}){
update reply {
Codigo-Reject = Sesion-Abierta
}
}
else{
update reply {
Codigo-Reject = Credenciales-Erroneas
}
}
I think that this not is the better way to do, but...
Thank you very much
Ana Gallardo Gómez
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 63, Issue 86
Wayne Van der Merwe wrote:
I have FreeRADIUS 2.1.1 setup on SUS server 10.1
We are wanting to do a LDAP connection to Novell edirectory server for
our users.
From the debug out put the LDAP session binded corectly
The searched part failed.
I would like to know did the radius server send out the loging name as
uid=53986067? as indicated below.
rlm_ldap: performing search in
ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (uid=53986067)
Because:
1) the Access-Request contains 53986067 as the User-Name
2) the ldap module is configured to use uid=%{User-Name}
This is all shown in the debug output.
When i do a ldapsearch -h 10.219.176.30 -b
ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067
I get no results.
If i use -x cn=53986067 the user is found.
So... edit the ldap module configuration to use cn=%{User-Name}
instead of uid. There's a reason the configuration files are text:
they can be edited.
Alan DeKok.
--
Noted
After the change i have this problem in the debug output
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC,
with filter (cn=53986067)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user 53986067 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
The [ldap] No default NMAS login sequence how do i sort this out?
and
WARNING: No known good password was found in LDAP. Are you sure that the
user is configured correctly?
is to do with a clear text password that radius needs to read from the LDAP
server as per other posts. how or where do i sort this out.
Is this also related to the NMAS login sequence?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP
Please don't reply to a digest message. It confuses message threading. Wayne Van der Merwe wrote: rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (cn=53986067) [ldap] No default NMAS login sequence You need to set eDir-Auth-Option. Read doc/RADIUS-LDAP-eDirectory The [ldap] No default NMAS login sequence how do i sort this out? It's documented. and WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly? is to do with a clear text password that radius needs to read from the LDAP server as per other posts. how or where do i sort this out. It means that the server doesn't know how to authenticate the user. Is this also related to the NMAS login sequence? No idea. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How to set properly failover ?
Hi guys
I'm really trying but it's not easy to find somehitng in the
documenatiion.
I have 2 modules ntlm_auth_vpn1/2 and I like to do failover.
I tried this but I was not sucesfull:
In the modules I have 2 files, ntlm_auth_vpn1 and ntlm_auth_vpn2
In the sites-available/default I have:
# Allow EAP authentication.
eap
ntlm_auth
ntlm_auth_vpn {
group {
ntlm_auth_vpn1 {
reject =
1
ok =
return
}
ntlm_auth_vpn2 {
reject =
1
ok =
return
}
}
}
In my users file is:
DEFAULT Auth-Type := ntlm_auth_vpn,
Fall-Through = Yes
What should be the correct syntax ?
Freeradius is great tool , however every step forward is like a
childbirth : )
What I'm really missing is what should be placed where.
I'd really enjoy the new book . I hope it will be released soon : )
Thanks
Pet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to set properly failover ?
This how I do, but it's not the only way and may not feet your needs:
In radiusd.conf, instantiate a redundant module:
instantiate {
...
redundant ha_auth_name {
ntlm_auth_vpn1
ntlm_auth_vpn2
}
...
}
In default sites config, section authorize
authorize {
...
ha_auth_name
...
}
Quite simple and works great here for some other moduls (SQL)
Hope it helps.
Message original
Date: Fri, 23 Jul 2010 18:45:30 +0200
From:
freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.org (on
behalf of Jevos, Peter peter.je...@oriflame.com)
Subject: How to set properly failover ?
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Hi guys
I'm really trying but it's not easy to find
somehitng in the documenatiion.
I have 2 modules ntlm_auth_vpn1/2 and I like to do
failover.
I tried this but I was not sucesfull:
In the modules I have 2 files, ntlm_auth_vpn1 and
ntlm_auth_vpn2
In the sites-available/default I have:
# Allow EAP authentication.
eap
ntlm_auth
ntlm_auth_vpn {
group {
ntlm_auth_vpn1 {
reject = 1
ok = return
}
ntlm_auth_vpn2 {
reject = 1
ok = return
}
}
}
In my users file is:
DEFAULT Auth-Type := ntlm_auth_vpn,
Fall-Through = Yes
What should be the correct syntax ?
Freeradius is great tool , however every step
forward is like a childbirth : )
What I'm really missing is what should be placed
where.
I'd really enjoy the new book . I hope it will be
released soon : )
Thanks
Pet
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Certificate validation time
Hi, I'm using freeradius 2.1.1 and i created my certificates with the makefile and the config-files. Is it possible to rise the time the cerficate is valid, because if i change the entrys default_days and default_crl_days in the ca.cnf to an higher value, nothing happens after I recreat the certificates, everytime the certificate is only 30 days valid. Sorry for bad english -- View this message in context: http://old.nabble.com/Certificate-validation-time-tp29249676p29249676.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to set properly failover ?
Hi alex, thank you for your mail, helped a lot : )
Now it's working, no idea why and how but working : )
Here is my config:
Users:
DEFAULT Auth-Type := vpn_auth_name,Huntgroup-Name == vpn
Fall-Through = Yes
Radiusd.conf:
instantiate {
redundant vpn_auth_name {
group {
ntlm_auth_vpn1 {
reject = 1
ok = return
}
ntlm_auth_vpn2 {
reject = 1
ok = return
}
}
And the sites-available/default:
Authenticate {
vpn_auth_name
}
Thanks , have a nice day
p
-Original Message-
From:
freeradius-users-bounces+peter.jevos=oriflame@lists.freeradius.org
[mailto:freeradius-users-bounces+peter.jevos=oriflame@lists.freeradi
us.org] On Behalf Of alexandre.chapel...@mana.pf
Sent: Friday, July 23, 2010 7:44 PM
To: FreeRadius users mailing list
Subject: Re: How to set properly failover ?
This how I do, but it's not the only way and may not feet your needs:
In radiusd.conf, instantiate a redundant module:
instantiate {
...
redundant ha_auth_name {
ntlm_auth_vpn1
ntlm_auth_vpn2
}
...
}
In default sites config, section authorize
authorize {
...
ha_auth_name
...
}
Quite simple and works great here for some other moduls (SQL)
Hope it helps.
Message original
Date: Fri, 23 Jul 2010 18:45:30 +0200
From:
freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.or
g (on behalf of Jevos, Peter peter.je...@oriflame.com)
Subject: How to set properly failover ?
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Hi guys
I'm really trying but it's not easy to find
somehitng in the documenatiion.
I have 2 modules ntlm_auth_vpn1/2 and I like to do
failover.
I tried this but I was not sucesfull:
In the modules I have 2 files, ntlm_auth_vpn1 and
ntlm_auth_vpn2
In the sites-available/default I have:
# Allow EAP authentication.
eap
ntlm_auth
ntlm_auth_vpn {
group {
ntlm_auth_vpn1 {
reject = 1
ok = return
}
ntlm_auth_vpn2 {
reject = 1
ok = return
}
}
}
In my users file is:
DEFAULT Auth-Type := ntlm_auth_vpn,
Fall-Through = Yes
What should be the correct syntax ?
Freeradius is great tool , however every step
forward is like a childbirth : )
What I'm really missing is what should be placed
where.
I'd really enjoy the new book . I hope it will be
released soon : )
Thanks
Pet
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate validation time
_Stefan_H wrote: I'm using freeradius 2.1.1 and i created my certificates with the makefile and the config-files. Is it possible to rise the time the cerficate is valid, because if i change the entrys default_days and default_crl_days in the ca.cnf to an higher value, nothing happens after I recreat the certificates, everytime the certificate is only 30 days valid. It's a bug on OpenSSL. It ignores those fields in the ca.cnf file. Later versions of FreeRADIUS have a fix. See the Makefile in 2.1.9. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Another LDAP/RADIUS integration problem.
OK, I had LDAP 'working' but radiusd -X was showing the old 'WARNING: No
known good password was found in LDAP' errors. Ignoring much of the
'wisdom' on other sites to just ignore the error, I'm trying to squash
all errors from the -X output. It was failing because the bind failed
(due to a bad 'identity' line in the ldap module config), thus it didn't
find a userPassword from LDAP, causing PAP to be skipped but since I had
the 'ldap' module in the authenticate section of the sites file, it
attempted to bind with the username/password supplied from the NAS to
the ldap directory which worked, thus Accept-Accept was given.
To correct the bind problem, I added an ACL to the directory to allow
'uid=admin,o=radtree' to access the userPassword attribute, then
configured the ldap module to use 'uid=admin,o=radtree' as the identity
and 'secret' as the password. Now the bind succeeds, the -X output says
that it's mapping userPassword - Crypt-Password ==
{crypt}4gOgBZqZgtwIw (if I bind to the directory and search as
uid=admin,o=radtree for the testuser account, the userPassword returned
(after base64 decoding) is {crypt}4gOgBZqZgtwIw. If I run
'testpassword' with a salt of '4g' through the crypt(3) subroutine, I
get '4gOgBZqZgtwIw', so the directory contains the correct password), I
have checkItem Crypt-Password userPassword in the dictionary for this
ldap module.
Anyway, I'm still seeing one of the 'No known good password' errors
and PAP is failing because the passwords don't match, and I'm not sure
where the problem lies (obviously, the passwords don't match, but
_why_). It looks like I'm getting the correct encrypted password back
from the directory, and PAP is reporting a login attempt with the
correct password
The ldap module config (comments stripped out):
ldap ldap-server1 {
server = ldap://server1.coas.oregonstate.edu;
port = 389
start_tls = yes
identity = uid=admin,o=radtree
password = secret
basedn = ou=People,o=mydomain
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = yes
cacertdir = /etc/pki/tls/certs/
require_cert= demand
}
dictionary_mapping = ${confdir}/ldap.pap.attrmap
edir_account_policy_check = no
# note, I've also removed the following two lines.
password_attribute = userPassword
auto_header = yes
}
The ldap module dictionary (ldap.pap.attrmap, a copy of ldap.attrmap
with the addition of the following line):
checkItem Crypt-Password userPassword
radius -X output:
FreeRADIUS Version 2.1.9, for host x86_64-unknown-linux-gnu, built on
Jun 10 2010 at 15:26:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/ldap-hudson-radius
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/unix
including
Re: Another LDAP/RADIUS integration problem.
Tom Leach wrote:
To correct the bind problem, I added an ACL to the directory to allow
'uid=admin,o=radtree' to access the userPassword attribute, then
configured the ldap module to use 'uid=admin,o=radtree' as the identity
and 'secret' as the password. Now the bind succeeds, the -X output says
that it's mapping userPassword - Crypt-Password ==
{crypt}4gOgBZqZgtwIw
The Crypt-Password attribute is supposed to be the crypt'd version
of the password *without* the {crypt} header. Change the mapping from
userPassword - Crypt-Password to userPassword - User-Password, and
it will work.
The PAP module will look for the {crypt} header, and create a
Crypt-Password with the appropriate value.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to set properly failover ?
Le vendredi 23 juillet 2010 à 20:09 +0200, Jevos, Peter a écrit :
Hi alex, thank you for your mail, helped a lot : )
Now it's working, no idea why and how but working : )
Here is my config:
Users:
DEFAULT Auth-Type := vpn_auth_name,Huntgroup-Name == vpn
Fall-Through = Yes
Setting Auth-Type is discouraged. further more setting
Auth-Type to a module name sounds like an error to me (but maybe am i
mistaking)
I think you can remove Auth-Type
Radiusd.conf:
instantiate {
redundant vpn_auth_name {
group {
ntlm_auth_vpn1 {
reject = 1
ok = return
}
ntlm_auth_vpn2 {
reject = 1
ok = return
}
}
Why are you using group inside redundant... I'm not sure this is
usefull.
Using ntlm_auth_vpn1 and ntlm_auth_vpn2 should be enough. Look here for
more infos and example of how redundant modules are set:
http://wiki.freeradius.org/Fail-over
And the sites-available/default:
Authenticate {
vpn_auth_name
}
Thanks , have a nice day
p
-Original Message-
From:
freeradius-users-bounces+peter.jevos=oriflame@lists.freeradius.org
[mailto:freeradius-users-bounces+peter.jevos=oriflame@lists.freeradi
us.org] On Behalf Of alexandre.chapel...@mana.pf
Sent: Friday, July 23, 2010 7:44 PM
To: FreeRadius users mailing list
Subject: Re: How to set properly failover ?
This how I do, but it's not the only way and may not feet your needs:
In radiusd.conf, instantiate a redundant module:
instantiate {
...
redundant ha_auth_name {
ntlm_auth_vpn1
ntlm_auth_vpn2
}
...
}
In default sites config, section authorize
authorize {
...
ha_auth_name
...
}
Quite simple and works great here for some other moduls (SQL)
Hope it helps.
Message original
Date: Fri, 23 Jul 2010 18:45:30 +0200
From:
freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.or
g (on behalf of Jevos, Peter peter.je...@oriflame.com)
Subject: How to set properly failover ?
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Hi guys
I'm really trying but it's not easy to find
somehitng in the documenatiion.
I have 2 modules ntlm_auth_vpn1/2 and I like to do
failover.
I tried this but I was not sucesfull:
In the modules I have 2 files, ntlm_auth_vpn1 and
ntlm_auth_vpn2
In the sites-available/default I have:
# Allow EAP authentication.
eap
ntlm_auth
ntlm_auth_vpn {
group {
ntlm_auth_vpn1 {
reject = 1
ok = return
}
ntlm_auth_vpn2 {
reject = 1
ok = return
}
}
}
In my users file is:
DEFAULT Auth-Type := ntlm_auth_vpn,
Fall-Through = Yes
What should be the correct syntax ?
Freeradius is great tool , however every step
forward is like a childbirth : )
What I'm really missing is what should be placed
where.
I'd really enjoy the new book . I hope it will be
released soon : )
Thanks
Pet
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Another LDAP/RADIUS integration problem.
On 07/23/2010 02:59 PM, Alan DeKok wrote:
Tom Leach wrote:
To correct the bind problem, I added an ACL to the directory to allow
'uid=admin,o=radtree' to access the userPassword attribute, then
configured the ldap module to use 'uid=admin,o=radtree' as the identity
and 'secret' as the password. Now the bind succeeds, the -X output says
that it's mapping userPassword - Crypt-Password ==
{crypt}4gOgBZqZgtwIw
The Crypt-Password attribute is supposed to be the crypt'd version
of the password *without* the {crypt} header. Change the mapping from
userPassword - Crypt-Password to userPassword - User-Password, and
it will work.
The PAP module will look for the {crypt} header, and create a
Crypt-Password with the appropriate value.
Hmm ...
Just from looking at the rlm_ldap code (not actual testing) I thought if
auto_header was set to True in the ldap config then rlm_ldap after
looking up the configured password attribute would perform the steps you
describe above. (strip the hash prefix and add a new attribute with the
correct attribute type for the hash type)
Am I confused?
--
John Dennis jden...@redhat.com
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Another LDAP/RADIUS integration problem.
John Dennis wrote: Just from looking at the rlm_ldap code (not actual testing) I thought if auto_header was set to True in the ldap config then rlm_ldap after looking up the configured password attribute would perform the steps you describe above. (strip the hash prefix and add a new attribute with the correct attribute type for the hash type) Am I confused? The auto-header should be off by default. I think it was off in the debug log posted earlier. And it shouldn't be used. The PAP module does all that, and more. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
