SV: Controlling with Auth-Type a client must use
Hello Alan,

Thanks for the answer. But I already did that !!! I configured my passwd module with kmdov3, works fine. I added the kmdov3 at the top of the authorize section of sites-enabled/default:

    preprocess
    #
    # If you want to have a log of authentication requests,
    # un-comment the following line, and the 'detail auth_log'
    # section, above.
    # auth_log
    kmdov3
    ...
    ..
    unix
    ...
    ..
    pap

But still the unix authorization is used and the client is rejected because of the invalid shell. Is it not possible to force a single client to use only one type of authorization, e.g. kmdov3? Do I need to add something to the authentication section?

Here is the full debug log of the client call; you can see that kmdov3 returns OK but the unix one fails with the invalid shell:

    rad_recv: Access-Request packet from host 131.165.80.37 port 9183, id=169, length=61
            User-Name = jmd
            User-Password = password
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 8158
            NAS-Port-Type = Virtual
    Fri Jul 23 07:57:40 2010 : Info: +- entering group authorize {...}
    Fri Jul 23 07:57:40 2010 : Info: ++[preprocess] returns ok
    Fri Jul 23 07:57:40 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' to config_items
    Fri Jul 23 07:57:40 2010 : Info: ++[kmdov3] returns ok
    Fri Jul 23 07:57:40 2010 : Info: [radius_group] Added Radius1-Group: 'wcs-superadmin' to request_items
    Fri Jul 23 07:57:40 2010 : Info: ++[radius_group] returns ok
    Fri Jul 23 07:57:40 2010 : Info: ++[chap] returns noop
    Fri Jul 23 07:57:40 2010 : Info: ++[mschap] returns noop
    Fri Jul 23 07:57:40 2010 : Info: [suffix] No '@' in User-Name = jmd, looking up realm NULL
    Fri Jul 23 07:57:40 2010 : Info: [suffix] No such realm NULL
    Fri Jul 23 07:57:40 2010 : Info: ++[suffix] returns noop
    Fri Jul 23 07:57:40 2010 : Info: [eap] No EAP-Message, not doing EAP
    Fri Jul 23 07:57:40 2010 : Info: ++[eap] returns noop
    Fri Jul 23 07:57:40 2010 : Auth: [unix] [jmd]: invalid shell [/bin/bash1]
    Fri Jul 23 07:57:40 2010 : Info: ++[unix] returns reject
    Fri Jul 23 07:57:40 2010 : Info: Using Post-Auth-Type Reject
    Fri Jul 23 07:57:40 2010 : Info: +- entering group REJECT {...}
    Fri Jul 23 07:57:40 2010 : Info: [attr_filter.access_reject] expand: %{User-Name} -> jmd
    Fri Jul 23 07:57:40 2010 : Debug: attr_filter: Matched entry DEFAULT at line 11
    Fri Jul 23 07:57:40 2010 : Info: ++[attr_filter.access_reject] returns updated
    Fri Jul 23 07:57:40 2010 : Info: Delaying reject of request 1 for 1 seconds
    Fri Jul 23 07:57:40 2010 : Debug: Going to the next request
    Fri Jul 23 07:57:40 2010 : Debug: Waking up in 0.9 seconds.
    Fri Jul 23 07:57:41 2010 : Info: Sending delayed reject for request 1
    Sending Access-Reject of id 169 to 131.165.80.37 port 9183
    Fri Jul 23 07:57:41 2010 : Debug: Waking up in 4.9 seconds.
    Fri Jul 23 07:57:46 2010 : Info: Cleaning up request 1 ID 169 with timestamp +89
    Fri Jul 23 07:57:46 2010 : Info: Ready to process requests.

Best regards
Jan Madsen

-Original Message-
From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Alan DeKok
Sent: 22 July 2010 14:20
To: FreeRadius users mailing list
Subject: Re: Controlling with Auth-Type a client must use

> Madsen.Jan JMD wrote:
>> I'm using the module passwd working fine, and I have enabled unix authentication in my default section.
>
> Don't. Use pap. It can do crypt authentication.
>
>> Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
>> Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject
>
> Which is what the Unix module does.
>
>> But what I want to do is to set the client ONLY to use kmdov3 as my authentication and not the Unix one. Is this possible?
>
> No. You want crypt authentication, without checking /etc/passwd. Use the pap module.
>
> When you say "only to use kmdov3 as my authentication", it means you have confused authorization and authentication. They are *very* different.
>
>> I have been trying to use the Auth-Type attribute, but can't figure out how to tell that I want to use the kmdov3 authentication type.
>
> Don't. Don't set Auth-Type.
>
> In the default configuration, all you need to do is:
>
> 1) configure the kmdov3 module in raddb/modules
> 2) list kmdov3 in the authorize section *before* the pap module
> 3) authentication *will* work
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP don't decrypt
I need help with the pap module. I set modules/pap auto_header = yes, but if I start a test connect pap says:

    [pap] No clear-text password in the request. Not performing PAP.

The password is MD5.

Lionne Stangier

Radius -X: It looks like the pap module can't load.

            set_auth_type = yes
     }
    rlm_ldap: Registering ldap_groupcmp for Ldap-Group
    rlm_ldap: Registering ldap_xlat with xlat_name ldap
    rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
    rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
    rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
    rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
    rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
    rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
    rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
    rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
    rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
    rlm_ldap: LDAP userPassword mapped to RADIUS MD5-Password
    rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
    rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
    rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
    rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
    rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
    rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
    rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
    rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
    rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
    rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
    rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
    rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
    rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
    rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
    rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
    rlm_ldap: LDAP radiusClass mapped to RADIUS Class
    rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
    rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
    rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
    rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
    rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
    rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
    rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
    rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
    rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
    rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
    rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
    rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
    rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
    rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
    rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
    conns: 0x825fe58
    Module: Checking authorize {...} for more modules to load
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: Instantiating radutmp
     radutmp {
            filename = /usr/local/var/log/radius/radutmp
            username = %{User-Name}
            case_sensitive = yes
            check_with_nas = yes
            perm = 384
            callerid = yes
     }
     } # modules
    } # server
    server {
     modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Checking authorize {...} for more modules to load
    Module: Checking preacct {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating preprocess
     preprocess {
            huntgroups = /usr/local/etc/raddb/huntgroups
            hints = /usr/local/etc/raddb/hints
            with_ascend_hack = no
            ascend_channels_per_line = 23
            with_ntdomain_hack = no
            with_specialix_jetstream_hack = no
            with_cisco_vsa_hack = no
            with_alvarion_vsa_hack = no
     }
    Module: Linked to module rlm_acct_unique
    Module: Instantiating acct_unique
     acct_unique {
            key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
     }
    Module: Linked to module rlm_realm
    Module: Instantiating suffix
     realm suffix {
            format = suffix
            delimiter = @
            ignore_default = no
            ignore_null = no
     }
    Module: Linked to module rlm_files
    Module: Instantiating files
     files {
            usersfile = /usr/local/etc/raddb/users
            acctusersfile = /usr/local/etc/raddb/acct_users
            preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
            compat = no
     }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating detail
     detail {
            detailfile =
Fwd: return a special value in reply when simultaneous use
Hello again,

I continue working on this, but I can't find the solution. Can I check the result of simul_count_query?

Thank you again
Ana Gallardo Gómez
Re: PAP don't decrypt
Lionne Stangier wrote:
> I need help with the pap module. I set modules/pap auto_header = yes, but if I start a test connect pap says:
>
>     [pap] No clear-text password in the request. Not performing PAP.
>
> The password is MD5.

You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server an EAP request. Don't do that.

And if the passwords are stored as MD5, go read:

http://deployingradius.com/documents/protocols/compatibility.html

Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed passwords. So don't even try.

Alan DeKok.
AW: PAP don't decrypt
> You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server an EAP request. Don't do that.

It was only a try ;)

> And if the passwords are stored as MD5, go read:
>
> http://deployingradius.com/documents/protocols/compatibility.html

I know this site; because of that I tested pap.

> Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed passwords. So don't even try.

I know that they don't work. Clear text passwords in the LDAP are a no go. Can't pap encrypt the passwords and then eap or peap will start?
Re: Mac-auth checking in sites-enabled/default
On 07/22/2010 11:50 PM, Tom Leach wrote:
> I'm currently using Freeradius v2.1.9 and I'm trying to write a condition in the authorize section to use a different module depending on whether Mac-auth or some other auth is being called. In reading the wiki (http://wiki.freeradius.org/Mac-Auth) it appears that I want to check (Chap-Password == hash(User-Name)) but I'm having a problem getting the unlang syntax correct. So far, I've tried:
>
>     if (Chap-Password == hash(User-Name)){
>
> which fails with:
>
>     Consecutive conditions at (User-Name))
>     /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

AFAIK hash() or function calls in general aren't a feature of unlang. Maybe the wiki page is listing pseudo-code?

You want something like:

    if (User-Name =~ /..:..:..:..:..:../) {
    }

...or whatever format the mac address is in I guess.

If you can be more specific about what the two incoming requests you want to distinguish look like, I can be more specific in a suggestion ;o)
Re: AW: PAP don't decrypt
On 07/23/2010 09:18 AM, Lionne Stangier wrote:
>> You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server an EAP request. Don't do that.
>
> It was only a try ;)

Sadly, many people take a hatchet to the configs then seem surprised when things don't work! Best to make small changes one at a time and test them, and put your configs into version control so you can roll them back.

>> And if the passwords are stored as MD5, go read:
>>
>> http://deployingradius.com/documents/protocols/compatibility.html
>
> I know this site; because of that I tested pap.
>
>> Some EAP methods (e.g. PEAP) will *not* work with MD5 hashed passwords. So don't even try.
>
> I know that they don't work. Clear text passwords in the LDAP are a no go. Can't pap encrypt the passwords and then eap or peap will start?

"Won't work" really means it. PEAP/MS-CHAP requires access to the plaintext password or NT/LM hashes, or access to a domain controller with such via use of the ntlm_auth helper and Samba. It is cryptographically impossible for it to be otherwise I'm afraid.
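The point Phil makes here, and the one behind Alan's "use pap, not unix" advice in the Auth-Type thread above, is about what the server needs to hold, not about configuration. PAP delivers the cleartext to the server, so any one-way hash stored in the backend (MD5, SSHA, crypt) can be recomputed and compared. CHAP, and MS-CHAP inside PEAP, deliver only a challenge response, so the server must be able to compute that same response from its own copy of the password; an MD5 digest of the password cannot be fed into the CHAP MD5 or into the NT-hash-based MS-CHAP computation. The Python below is an added example, not FreeRADIUS code and not anything from the thread: it imitates what rlm_pap does with auto_header = yes (recognising {MD5} and {SSHA} headers) and what rlm_chap does, over a constructed user store. All user names, passwords and salts are made up; crypt is left out only because Python's crypt module is deprecated.

```python
import base64
import hashlib
import re
from typing import Optional, Tuple

# Constructed user store: what an authorize-stage module (ldap, passwd, files)
# hands to the authenticate stage as the "known good" password.  The
# {MD5}/{SSHA} headers are the LDAP-style prefixes rlm_pap recognises with
# auto_header = yes.  All users, passwords and salts here are made up.
def md5_headered(pw: str) -> str:
    return "{MD5}" + base64.b64encode(hashlib.md5(pw.encode()).digest()).decode()

def ssha_headered(pw: str, salt: bytes) -> str:
    digest = hashlib.sha1(pw.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

USERS = {
    "jmd":   {"Cleartext-Password": "password"},
    "alice": {"User-Password": md5_headered("s3cret")},   # MD5 only, as in the thread
    "bob":   {"User-Password": ssha_headered("hunter2", b"\x01\x02\x03\x04")},
}

def known_good(items: dict) -> Tuple[str, Optional[bytes]]:
    """Imitate rlm_pap's auto_header: classify the stored password.
    Returns (kind, value) with kind in {"cleartext", "md5", "ssha", "none"}."""
    if "Cleartext-Password" in items:
        return "cleartext", items["Cleartext-Password"].encode()
    m = re.match(r"^\{(\w+)\}(.+)$", items.get("User-Password", ""))
    if not m:
        return "none", None
    kind = m.group(1).lower()
    if kind in ("md5", "ssha"):
        return kind, base64.b64decode(m.group(2))
    return "none", None

def pap_ok(user: str, password: str) -> bool:
    """PAP: the server holds the cleartext the NAS sent, so any one-way hash
    on file can be recomputed and compared."""
    kind, value = known_good(USERS.get(user, {}))
    pw = password.encode()
    if kind == "cleartext":
        return value == pw
    if kind == "md5":
        return hashlib.md5(pw).digest() == value
    if kind == "ssha":
        digest, salt = value[:20], value[20:]
        return hashlib.sha1(pw + salt).digest() == digest
    return False  # "No known good password found": reject

def chap_ok(user: str, chap_id: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """CHAP (RFC 1994): response = MD5(id || secret || challenge).  The secret
    has to be the cleartext password.  With only an MD5/SSHA digest on file
    there is nothing to put into that MD5, so the answer is None ("cannot do
    CHAP"), not a plain False.  MS-CHAP/PEAP has the same shape, with the NT
    hash in place of the cleartext."""
    kind, value = known_good(USERS.get(user, {}))
    if kind != "cleartext":
        return None
    expected = hashlib.md5(bytes([chap_id]) + value + challenge).digest()
    return expected == response

def make_chap_response(secret: str, chap_id: int, challenge: bytes) -> bytes:
    """What the NAS/supplicant side computes; used here to build test input."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()
```

Run against the constructed store, pap_ok succeeds for all three users, while chap_ok only ever returns a verdict for jmd, whose password is stored in cleartext; for alice it returns None, which is exactly the situation the compatibility page describes.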
Re: Mac-auth checking in sites-enabled/default
On Jul 23, 2010, at 1:31 AM, Phil Mayers wrote:
> On 07/22/2010 11:50 PM, Tom Leach wrote:
>> I'm currently using Freeradius v2.1.9 and I'm trying to write a condition in the authorize section to use a different module depending on whether Mac-auth or some other auth is being called. In reading the wiki (http://wiki.freeradius.org/Mac-Auth) it appears that I want to check (Chap-Password == hash(User-Name)) but I'm having a problem getting the unlang syntax correct. So far, I've tried:
>>
>>     if (Chap-Password == hash(User-Name)){
>>
>> which fails with:
>>
>>     Consecutive conditions at (User-Name))
>>     /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
>
> AFAIK hash() or function calls in general aren't a feature of unlang. Maybe the wiki page is listing pseudo-code?

The wiki is listing pseudo code. The examples below the pseudo code are in unlang...

-Arran
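What the wiki's pseudo-code "Chap-Password == hash(User-Name)" stands for is the check a server would do if it wanted to tell MAC authentication apart from a real user login: the username looks like a MAC address, and the password the NAS sent is that same string, either as a PAP User-Password or as a CHAP response computed with the MAC as the secret. The Python below is an added example, not FreeRADIUS code and not the wiki's unlang; it shows that check end to end, accepting the usual NAS spellings of a MAC. The attribute dictionary it takes as input is a stand-in for a decoded Access-Request (User-Password assumed already de-obfuscated); the CHAP-Password layout (one ident octet followed by the 16-byte MD5) and the fall-back to the Request Authenticator when there is no CHAP-Challenge follow RFC 2865.

```python
import hashlib
import re
from typing import Dict, Optional

# Accept the common NAS spellings of a MAC address: aa:bb:cc:dd:ee:ff,
# AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff (Cisco) and aabbccddeeff.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12})$",
    re.IGNORECASE,
)

def normalise_mac(name: str) -> Optional[str]:
    """Return the MAC as 12 lower-case hex digits, or None if it is not one."""
    if not _MAC_RE.match(name):
        return None
    return re.sub(r"[^0-9a-f]", "", name.lower())

def chap_response(secret: bytes, chap_id: int, challenge: bytes) -> bytes:
    # RFC 1994 / RFC 2865 section 5.3: MD5(id || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def is_mac_auth(request: Dict[str, bytes]) -> bool:
    """True when the Access-Request is MAC authentication: User-Name is a MAC
    address and the password *is* that username.  Keys are RADIUS attribute
    names, values raw octets (constructed stand-in for a decoded packet)."""
    name = request.get("User-Name", b"").decode("ascii", "replace")
    if normalise_mac(name) is None:
        return False
    # PAP-style mac-auth: User-Password equals User-Name.
    if "User-Password" in request:
        return request["User-Password"] == name.encode()
    # CHAP-style: CHAP-Password is ident || 16-byte digest; the challenge is
    # CHAP-Challenge if present, otherwise the Request Authenticator.
    chap = request.get("CHAP-Password")
    if chap is None or len(chap) != 17:
        return False
    challenge = request.get("CHAP-Challenge") or request.get("Request-Authenticator", b"")
    return chap_response(name.encode(), chap[0], challenge) == chap[1:]
```

A request that merely carries a MAC-shaped username with some other password is not treated as MAC auth, which is the case the regex-only check in unlang cannot distinguish; in a deployment that difference decides whether the request goes to the MAC whitelist or to a real credential check.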
LDAP search problem
I have FreeRADIUS 2.1.1 set up on a SUSE server 10.1. We are wanting to do an LDAP connection to a Novell eDirectory server for our users. From the debug output the LDAP session bound correctly; the search part failed.

I would like to know: did the radius server send out the login name as uid=53986067, as indicated below?

    rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (uid=53986067)

When I do a

    ldapsearch -h 10.219.176.30 -b ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067

I get no results. If I use -x cn=53986067 the user is found.

I used radtest to do the testing.

Debug file
---

    FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Nov 19 2008 at 16:17:41
    Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/raddb/radiusd.conf
    including configuration file /etc/raddb/proxy.conf
    including configuration file /etc/raddb/clients.conf
    including files in directory /etc/raddb/modules/
    including configuration file /etc/raddb/modules/pam
    including configuration file /etc/raddb/modules/pap
    including configuration file /etc/raddb/modules/chap
    including configuration file /etc/raddb/modules/echo
    including configuration file /etc/raddb/modules/exec
    including configuration file /etc/raddb/modules/expr
    including configuration file /etc/raddb/modules/ldap
    including configuration file /etc/raddb/modules/krb5
    including configuration file /etc/raddb/modules/unix
    including configuration file /etc/raddb/modules/inner-eap
    including configuration file /etc/raddb/modules/radutmp
    including configuration file /etc/raddb/modules/counter
    including configuration file /etc/raddb/modules/acct_unique
    including configuration file /etc/raddb/modules/files
    including configuration file /etc/raddb/modules/realm
    including configuration file /etc/raddb/modules/wimax
    including configuration file /etc/raddb/modules/mac2vlan
    including configuration file /etc/raddb/modules/linelog
    including configuration file /etc/raddb/modules/detail.example.com
    including configuration file /etc/raddb/modules/checkval
    including configuration file /etc/raddb/modules/logintime
    including configuration file /etc/raddb/modules/sql_log
    including configuration file /etc/raddb/modules/sradutmp
    including configuration file /etc/raddb/modules/always
    including configuration file /etc/raddb/modules/attr_rewrite
    including configuration file /etc/raddb/modules/detail
    including configuration file /etc/raddb/modules/digest
    including configuration file /etc/raddb/modules/ippool
    including configuration file /etc/raddb/modules/mac2ip
    including configuration file /etc/raddb/modules/mschap
    including configuration file /etc/raddb/modules/smbpasswd
    including configuration file /etc/raddb/modules/passwd
    including configuration file /etc/raddb/modules/policy
    including configuration file /etc/raddb/modules/etc_group
    including configuration file /etc/raddb/modules/preprocess
    including configuration file /etc/raddb/modules/attr_filter
    including configuration file /etc/raddb/modules/detail.log
    including configuration file /etc/raddb/modules/expiration
    including configuration file /etc/raddb/eap.conf
    including configuration file /etc/raddb/sql.conf
    including configuration file /etc/raddb/sql/mysql/dialup.conf
    including configuration file /etc/raddb/sql/mysql/counter.conf
    including configuration file /etc/raddb/policy.conf
    including files in directory /etc/raddb/sites-enabled/
    including configuration file /etc/raddb/sites-enabled/default
    including configuration file /etc/raddb/sites-enabled/inner-tunnel
    group = radiusd
    user = radiusd
    including dictionary file /etc/raddb/dictionary
    main {
            prefix = /usr
            localstatedir = /var
            logdir = /var/log/radius
            libdir = /usr/lib/freeradius
            radacctdir = /var/log/radius/radacct
            hostname_lookups = no
            max_request_time = 30
            cleanup_delay = 5
            max_requests = 1024
            allow_core_dumps = no
            pidfile = /var/run/radiusd/radiusd.pid
            checkrad = /usr/sbin/checkrad
            debug_level = 0
            proxy_requests = yes
     log {
            stripped_names = yes
            auth = yes
            auth_badpass = no
            auth_goodpass = no
     }
     security {
            max_attributes = 200
            reject_delay = 1
            status_server = yes
     }
    }
    authorise a user.
     client localhost {
            ipaddr = 127.0.0.1
            require_message_authenticator = no
            secret = testing123
            shortname = localhost
            nastype = other
     }
     client 10.219.139.253/24 {
            require_message_authenticator = no
            secret = freeradius
            shortname = DoHICTFrere
            nastype = other
     }
     client 10.219.220.2/23 {
            require_message_authenticator = no
            secret = qwerty123456
            shortname = DoHICTFrere
            nastype = other
     }
    radiusd:
No-AUTH method
Hi, dear FreeRADIUS users,

After correcting my default file in /etc/freeradius/sites-available, I've got the following errors after testing authentication. It seems to be a missing authentication method in my configuration. We're using a CISCO 4400 controller, and the 'Web RADIUS authentication' parameter is set to 'PAP' on my controller.

    Cleaning up request 1 ID 14 with timestamp +376
    Waking up in 1.0 seconds.
    Cleaning up request 2 ID 15 with timestamp +377
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 40925, id=168, length=57
            User-Name = irech
            User-Password = tmcqtv0
            NAS-IP-Address = 192.168.55.150
            NAS-Port = 10
    +- entering group authorize
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
        rlm_realm: No '@' in User-Name = irech, looking up realm NULL
        rlm_realm: No such realm NULL
    ++[suffix] returns noop
      rlm_eap: No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [irech/tmcqtv0] (from client localhost port 10)
      Found Post-Auth-Type Reject
    +- entering group REJECT
            expand: %{User-Name} -> irech
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 3 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 3
    Sending Access-Reject of id 168 to 127.0.0.1 port 40925
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 168 with timestamp +548
    Ready to process requests.

    auth: No authenticate method (Auth-Type) configuration found for the request

Could you help me to go on?

Best Regards
--
Isabelle RECH LE RECIS
Enssib
Département informatique
17-21 Bd du 11 Novembre 1918
69623 Villeurbanne Cedex
Tel : 04 72 44 43 34
http://www.enssib.fr/
AW: AW: PAP don't decrypt
> Sadly, many people take a hatchet to the configs then seem surprised when things don't work! Best to make small changes one at a time and test them, and put your configs into version control so you can roll them back.

I test freeradius. I can roll back every time ;)

> "Won't work" really means it. PEAP/MS-CHAP requires access to the plaintext password or NT/LM hashes, or access to a domain controller with such via use of the ntlm_auth helper and Samba. It is cryptographically impossible for it to be otherwise I'm afraid.

Hmm, I will test samba ;)

Thank you
AW: LDAP search problem
> When I do a ldapsearch -h 10.219.176.30 -b ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067 I get no results. If I use -x cn=53986067 the user is found.

Open the ldap module config and set:

    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

Lionne Stangier
Re: No-AUTH method
Isabelle RECH wrote:
> It seems to be a missing authentication method in my configuration. We're using a CISCO 4400 controller, and the 'Web RADIUS authentication' parameter is set to 'PAP' on my controller.

Did you configure a known good password for the user?

> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

No.

How do you expect the server to authenticate the user when it doesn't know who the user is, and it doesn't know which password is correct?

Alan DeKok.
Re: AW: PAP don't decrypt
Lionne Stangier wrote:
>> You have edited the default configuration files and broken them. You deleted eap from the authorize section, and then sent the server an EAP request. Don't do that.
>
> It was only a try ;)

The FAQ, man radiusd page, and other documentation all say to *not* butcher the default configuration. So... why did you do it?

> I know that they don't work. Clear text passwords in the LDAP are a no go. Can't pap encrypt the passwords and then eap or peap will start?

You're saying you read the page and understand it, but you're still asking how to do the impossible. This means you didn't understand the web page.

And using Samba won't help. Samba is used to do MS-CHAP authentication to Active Directory. If you're not running Active Directory, there is *no* need to use Samba.

You are operating under the misconception that there is some magic configuration which will get PEAP working with MD5 passwords. No such configuration exists. It's impossible. Stop trying.

Your messages on this list show that you do not believe the experts here, or the documentation that we wrote. If this is really the case, there is no reason for you to ask questions here. You have already decided we don't know what we're talking about, and you have no intention of following our advice.

Alan DeKok.
Re: SV: Controlling with Auth-Type a client must use
Madsen.Jan JMD wrote:
> But still the unix authorization is used and the client is rejected because of the invalid shell.

Because you listed unix in the authorization section. If you don't want to use the Unix module, delete it from the authorization section.

Alan DeKok.
Re: LDAP search problem
Wayne Van der Merwe wrote:
> I have FreeRADIUS 2.1.1 set up on a SUSE server 10.1. We are wanting to do an LDAP connection to a Novell eDirectory server for our users. From the debug output the LDAP session bound correctly; the search part failed.
>
> I would like to know: did the radius server send out the login name as uid=53986067, as indicated below?
>
>     rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (uid=53986067)

Because:

1) the Access-Request contains 53986067 as the User-Name
2) the ldap module is configured to use uid=%{User-Name}

This is all shown in the debug output.

> When I do a ldapsearch -h 10.219.176.30 -b ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067 I get no results. If I use -x cn=53986067 the user is found.

So... edit the ldap module configuration to use cn=%{User-Name} instead of uid.

There's a reason the configuration files are text: they can be edited.

Alan DeKok.
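One thing to keep in mind when the search filter is built from User-Name, as both Alan's `cn=%{User-Name}` and Lionne's `(cn=%{Stripped-User-Name:-%{User-Name}})` are: the username comes straight from the NAS, so `*`, `(`, `)` and `\` in it would otherwise change the meaning of the filter. FreeRADIUS's ldap module escapes the expanded value itself when it builds the filter; anything that rebuilds the same filter by hand (a script that checks the directory, a custom exec module) has to do the same. The Python below is an added example, not FreeRADIUS code: it expands the filter the way the xlat above does, including the realm-stripping fallback, with RFC 4515 escaping applied. The helper names are this example's own.

```python
from typing import Optional

def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes, so the value can
    neither close the filter early nor add clauses of its own."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def strip_realm(user_name: str, delimiter: str = "@") -> Optional[str]:
    """Imitate rlm_realm 'suffix': the part before the last delimiter, or
    None when there is no realm (so the :- default in the xlat applies)."""
    if delimiter not in user_name:
        return None
    return user_name.rsplit(delimiter, 1)[0]

def search_filter(user_name: str, stripped_user_name: Optional[str] = None,
                  attr: str = "cn") -> str:
    """Expand the equivalent of
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    with the substituted value escaped."""
    ident = stripped_user_name if stripped_user_name else user_name
    return "(%s=%s)" % (attr, ldap_filter_escape(ident))

def unsafe_search_filter(user_name: str, attr: str = "cn") -> str:
    """The naive expansion, kept only to show what escaping prevents."""
    return "(%s=%s)" % (attr, user_name)
```

With the username from the thread the two expansions agree; with a username such as `*` or `x)(cn=*` only the escaped one still asks the directory for exactly that string rather than for every entry under the base DN.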
Re: Setting up pam_radius_auth
Mike J wrote:
> Now obviously it says there's a problem with the secret, but I believe I've set up the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong?

Either the password is incorrect, or the MD5 calculations on the PAM or server side are broken. If this is a PPC system, the PAM module might not have been built correctly.

You could also try installing radclient on the same system as the PAM module. If radclient works and PAM doesn't, then the PAM module wasn't built correctly. See the pam_radius_auth.c file for how to build it.

Alan DeKok.
Re: return a special value in reply when simultaneous use
Hello again,

I'm working with Freeradius 2.1.8. I'm using session (sql) to control simultaneous use. I would like to return a special value if a user tries to access with credentials in use. I have it working by adding a new attribute to the request list with the result of the simul_count_query, and checking this value later in the post-auth section.

    session {
            if (Realm == "xxx.es") {
                    update request {
                            Num-Open-Session := "%{sql:SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL}"
                    }
                    sql
            }
    }

    post-auth {
            sql
            if (fail) {
                    update reply {
                            Codigo-Reject := "Imposible-Contactar-Backend"
                    }
                    reject
            }

            Post-Auth-Type REJECT {
                    if (request:Num-Open-Session) {
                            update reply {
                                    Codigo-Reject = "Sesion-Abierta"
                            }
                    }
                    else {
                            update reply {
                                    Codigo-Reject = "Credenciales-Erroneas"
                            }
                    }
            }
    }

I think this is not the best way to do it, but...

Thank you very much
Ana Gallardo Gómez
Re: Freeradius-Users Digest, Vol 63, Issue 86
> Wayne Van der Merwe wrote:
>> I have FreeRADIUS 2.1.1 set up on a SUSE server 10.1. We are wanting to do an LDAP connection to a Novell eDirectory server for our users. From the debug output the LDAP session bound correctly; the search part failed.
>>
>> I would like to know: did the radius server send out the login name as uid=53986067, as indicated below?
>>
>>     rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (uid=53986067)
>
> Because:
>
> 1) the Access-Request contains 53986067 as the User-Name
> 2) the ldap module is configured to use uid=%{User-Name}
>
> This is all shown in the debug output.
>
>> When I do a ldapsearch -h 10.219.176.30 -b ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC -x uid=53986067 I get no results. If I use -x cn=53986067 the user is found.
>
> So... edit the ldap module configuration to use cn=%{User-Name} instead of uid.
>
> There's a reason the configuration files are text: they can be edited.
>
> Alan DeKok.

--

Noted. After the change I have this problem in the debug output:

    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (cn=53986067)
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user 53986067 authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0

The "[ldap] No default NMAS login sequence": how do I sort this out?

And "WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?" is to do with a clear text password that radius needs to read from the LDAP server, as per other posts. How or where do I sort this out? Is this also related to the NMAS login sequence?
LDAP
Please don't reply to a digest message. It confuses message threading.

Wayne Van der Merwe wrote:
>     rlm_ldap: performing search in ou=USERS,ou=ELS-FRERE,ou=AMATOLA,ou=HLT,o=EC, with filter (cn=53986067)
>     [ldap] No default NMAS login sequence

You need to set eDir-Auth-Option. Read doc/RADIUS-LDAP-eDirectory

> The "[ldap] No default NMAS login sequence": how do I sort this out?

It's documented.

> And "WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?" is to do with a clear text password that radius needs to read from the LDAP server, as per other posts. How or where do I sort this out?

It means that the server doesn't know how to authenticate the user.

> Is this also related to the NMAS login sequence?

No idea.

Alan DeKok.
How to set properly failover ?
Hi guys,

I'm really trying but it's not easy to find something in the documentation. I have 2 modules ntlm_auth_vpn1/2 and I'd like to do failover. I tried this but I was not successful:

In the modules I have 2 files, ntlm_auth_vpn1 and ntlm_auth_vpn2.

In the sites-available/default I have:

    # Allow EAP authentication.
    eap
    ntlm_auth
    ntlm_auth_vpn {
            group {
                    ntlm_auth_vpn1 {
                            reject = 1
                            ok = return
                    }
                    ntlm_auth_vpn2 {
                            reject = 1
                            ok = return
                    }
            }
    }

In my users file is:

    DEFAULT Auth-Type := ntlm_auth_vpn, Fall-Through = Yes

What should be the correct syntax?

Freeradius is a great tool, however every step forward is like a childbirth : ) What I'm really missing is what should be placed where. I'd really enjoy the new book. I hope it will be released soon : )

Thanks
Pet
Re: How to set properly failover ?
This is how I do it, but it's not the only way and may not fit your needs:

In radiusd.conf, instantiate a redundant module:

    instantiate {
            ...
            redundant ha_auth_name {
                    ntlm_auth_vpn1
                    ntlm_auth_vpn2
            }
            ...
    }

In the default sites config, section authorize:

    authorize {
            ...
            ha_auth_name
            ...
    }

Quite simple and works great here for some other modules (SQL).

Hope it helps.

Original message
Date: Fri, 23 Jul 2010 18:45:30 +0200
From: freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.org (on behalf of Jevos, Peter peter.je...@oriflame.com)
Subject: How to set properly failover ?
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

> Hi guys,
>
> I'm really trying but it's not easy to find something in the documentation. I have 2 modules ntlm_auth_vpn1/2 and I'd like to do failover. I tried this but I was not successful:
>
> In the modules I have 2 files, ntlm_auth_vpn1 and ntlm_auth_vpn2.
>
> In the sites-available/default I have:
>
>     # Allow EAP authentication.
>     eap
>     ntlm_auth
>     ntlm_auth_vpn {
>             group {
>                     ntlm_auth_vpn1 {
>                             reject = 1
>                             ok = return
>                     }
>                     ntlm_auth_vpn2 {
>                             reject = 1
>                             ok = return
>                     }
>             }
>     }
>
> In my users file is:
>
>     DEFAULT Auth-Type := ntlm_auth_vpn, Fall-Through = Yes
>
> What should be the correct syntax?
>
> Freeradius is a great tool, however every step forward is like a childbirth : ) What I'm really missing is what should be placed where. I'd really enjoy the new book. I hope it will be released soon : )
>
> Thanks
> Pet
Certificate validation time
Hi, I'm using freeradius 2.1.1 and I created my certificates with the makefile and the config files. Is it possible to raise the time the certificate is valid? If I change the entries default_days and default_crl_days in the ca.cnf to a higher value, nothing happens after I recreate the certificates; every time the certificate is only 30 days valid. Sorry for my bad English.
RE: How to set properly failover ?
Hi alex, thank you for your mail, it helped a lot :) Now it's working, no idea why and how, but working :) Here is my config:

Users:

    DEFAULT Auth-Type := vpn_auth_name, Huntgroup-Name == vpn
            Fall-Through = Yes

Radiusd.conf:

    instantiate {
        redundant vpn_auth_name {
            group {
                ntlm_auth_vpn1 {
                    reject = 1
                    ok = return
                }
                ntlm_auth_vpn2 {
                    reject = 1
                    ok = return
                }
            }
        }
    }

And the sites-available/default:

    authenticate {
        vpn_auth_name
    }

Thanks, have a nice day
p
Re: Certificate validation time
_Stefan_H wrote: I'm using freeradius 2.1.1 and I created my certificates with the makefile and the config files. Is it possible to raise the time the certificate is valid? If I change the entries default_days and default_crl_days in the ca.cnf to a higher value, nothing happens after I recreate the certificates; every time the certificate is only 30 days valid.

It's a bug in OpenSSL. It ignores those fields in the ca.cnf file. Later versions of FreeRADIUS have a fix. See the Makefile in 2.1.9.

Alan DeKok.
Another LDAP/RADIUS integration problem.
OK, I had LDAP 'working', but radiusd -X was showing the old 'WARNING: No known good password was found in LDAP' errors. Ignoring much of the 'wisdom' on other sites to just ignore the error, I'm trying to squash all errors from the -X output.

It was failing because the bind failed (due to a bad 'identity' line in the ldap module config), thus it didn't find a userPassword from LDAP, causing PAP to be skipped; but since I had the 'ldap' module in the authenticate section of the sites file, it attempted to bind to the ldap directory with the username/password supplied from the NAS, which worked, thus Access-Accept was given.

To correct the bind problem, I added an ACL to the directory to allow 'uid=admin,o=radtree' to access the userPassword attribute, then configured the ldap module to use 'uid=admin,o=radtree' as the identity and 'secret' as the password. Now the bind succeeds, and the -X output says that it's mapping userPassword -> Crypt-Password == {crypt}4gOgBZqZgtwIw (if I bind to the directory and search as uid=admin,o=radtree for the testuser account, the userPassword returned (after base64 decoding) is {crypt}4gOgBZqZgtwIw. If I run 'testpassword' with a salt of '4g' through the crypt(3) subroutine, I get '4gOgBZqZgtwIw', so the directory contains the correct password). I have

    checkItem Crypt-Password userPassword

in the dictionary for this ldap module.

Anyway, I'm still seeing one of the 'No known good password' errors, and PAP is failing because the passwords don't match, and I'm not sure where the problem lies (obviously, the passwords don't match, but _why_). It looks like I'm getting the correct encrypted password back from the directory, and PAP is reporting a login attempt with the correct password.

The ldap module config (comments stripped out):

    ldap ldap-server1 {
        server = ldap://server1.coas.oregonstate.edu;
        port = 389
        start_tls = yes
        identity = uid=admin,o=radtree
        password = secret
        basedn = ou=People,o=mydomain
        filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = yes
            cacertdir = /etc/pki/tls/certs/
            require_cert = demand
        }
        dictionary_mapping = ${confdir}/ldap.pap.attrmap
        edir_account_policy_check = no
        # note, I've also removed the following two lines.
        password_attribute = userPassword
        auto_header = yes
    }

The ldap module dictionary (ldap.pap.attrmap, a copy of ldap.attrmap with the addition of the following line):

    checkItem Crypt-Password userPassword

radiusd -X output:

    FreeRADIUS Version 2.1.9, for host x86_64-unknown-linux-gnu, built on Jun 10 2010 at 15:26:46
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
    Starting - reading configuration files ...
Re: Another LDAP/RADIUS integration problem.
Tom Leach wrote: To correct the bind problem, I added an ACL to the directory to allow 'uid=admin,o=radtree' to access the userPassword attribute, then configured the ldap module to use 'uid=admin,o=radtree' as the identity and 'secret' as the password. Now the bind succeeds, and the -X output says that it's mapping userPassword -> Crypt-Password == {crypt}4gOgBZqZgtwIw

The Crypt-Password attribute is supposed to be the crypt'd version of the password *without* the {crypt} header. Change the mapping from userPassword -> Crypt-Password to userPassword -> User-Password, and it will work. The PAP module will look for the {crypt} header, and create a Crypt-Password with the appropriate value.

Alan DeKok.
RE: How to set properly failover ?
On Friday 23 July 2010 at 20:09 +0200, Jevos, Peter wrote: Hi alex, thank you for your mail, it helped a lot :) Now it's working, no idea why and how, but working :) Here is my config:

Users:

    DEFAULT Auth-Type := vpn_auth_name, Huntgroup-Name == vpn
            Fall-Through = Yes

Setting Auth-Type is discouraged. Furthermore, setting Auth-Type to a module name sounds like an error to me (but maybe I am mistaken). I think you can remove Auth-Type.

Radiusd.conf:

    instantiate {
        redundant vpn_auth_name {
            group {
                ntlm_auth_vpn1 {
                    reject = 1
                    ok = return
                }
                ntlm_auth_vpn2 {
                    reject = 1
                    ok = return
                }
            }
        }
    }

Why are you using group inside redundant... I'm not sure this is useful. Using ntlm_auth_vpn1 and ntlm_auth_vpn2 should be enough. Look here for more info and an example of how redundant modules are set: http://wiki.freeradius.org/Fail-over

And the sites-available/default:

    authenticate {
        vpn_auth_name
    }
Re: Another LDAP/RADIUS integration problem.
On 07/23/2010 02:59 PM, Alan DeKok wrote: The Crypt-Password attribute is supposed to be the crypt'd version of the password *without* the {crypt} header. Change the mapping from userPassword -> Crypt-Password to userPassword -> User-Password, and it will work. The PAP module will look for the {crypt} header, and create a Crypt-Password with the appropriate value.

Hmm ... Just from looking at the rlm_ldap code (not actual testing) I thought that if auto_header was set to True in the ldap config, then rlm_ldap, after looking up the configured password attribute, would perform the steps you describe above (strip the hash prefix and add a new attribute with the correct attribute type for the hash type). Am I confused?

--
John Dennis jden...@redhat.com
Re: Another LDAP/RADIUS integration problem.
John Dennis wrote: Just from looking at the rlm_ldap code (not actual testing) I thought that if auto_header was set to True in the ldap config, then rlm_ldap, after looking up the configured password attribute, would perform the steps you describe above (strip the hash prefix and add a new attribute with the correct attribute type for the hash type). Am I confused?

The auto-header should be off by default. I think it was off in the debug log posted earlier. And it shouldn't be used. The PAP module does all that, and more.

Alan DeKok.
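As an added illustration of the point made in both the Crypt-Password reply and the auto_header exchange above (example code, not FreeRADIUS's own and not from anyone in this thread): a simplified model of the header handling the PAP module performs on a known-good password, with constructed values. The {crypt} value is the one quoted in the thread; the {SSHA} salt and password are made up.

```python
import base64
import hashlib
import hmac

# Simplified model (an assumption, not rlm_pap's actual code) of how the
# scheme header on a stored password selects the FreeRADIUS attribute.
HEADER_TO_ATTR = {
    "{crypt}": "Crypt-Password",
    "{md5}": "MD5-Password",
    "{sha}": "SHA-Password",
    "{ssha}": "SSHA-Password",
    "{clear}": "Cleartext-Password",
}


def split_header(stored: str):
    """Return (attribute, bare value) for a stored password.

    This is what the thread relies on: the header is recognised and
    stripped only when the directory value is mapped to User-Password.
    Mapping it straight to Crypt-Password leaves "{crypt}" glued to the
    hash, so the crypt(3) comparison can never match.
    """
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 0:
            attr = HEADER_TO_ATTR.get(stored[:end + 1].lower())
            if attr:
                return attr, stored[end + 1:]
    # No recognised header: treated as a cleartext known-good password.
    return "Cleartext-Password", stored


def make_ssha(password: str, salt: bytes) -> str:
    """Build an LDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(bare_value: str, password: str) -> bool:
    """Verify a header-stripped SSHA-Password value against a user password."""
    raw = base64.b64decode(bare_value)
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    expected = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)
```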