Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
? Cheers, Thomas -- Thomas Glanzmann tho...@glanzmann.de Landline +49 9131 6 14 720 Diplom-Informatiker Univ. Facsimile +49 9131 6 14 721 Rathsbergerstrasse 28 D-91054 Erlangen - Burgberg, Germanyhttp://thomas.glanzmann.de/ - List info/subscribe/unsubscribe? See http

Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello Alan, Freeradius does not build from source. Yes. It does. But you are compiling some random external flavour. Download the source from freeradius.org and report what happens. my subject line was misleading. I meant that the Debian package is so broken that it doesn't even compile from

Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello Alan, Yes. It does. But you are compiling some random external flavour. Download the source from freeradius.org and report what happens yes, you're right and I just noticed that the freeradius git tree contains a Debian folder which build packages which not only compile, now I try to

Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello Arran, Can't load '/usr/lib/perl5/auto/Authen/Krb5/Simple/Simple.so' for module Authen::Krb5::Simple: /usr/lib/perl5/auto/Authen/Krb5/Simple/Simple.so: undefined symbol: PL_thr_key at /usr/lib/perl/5.14/DynaLoader.pm line 184. * http://www.perlmonks.org/?node_id=1008893 The

Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello, * Thomas Glanzmann tho...@glanzmann.de [2013-07-21 18:24]: hints = /etc/freeradius/mods-config/preprocess/hints I noticed that the wrong hints file was specified, however after updating, it still does not work, but the output now looks different: Ready to process requests

Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran, You can of course 'make deb' in the top level directory of the current Git HEAD (which will very soon be 2.2.1) and make your own debian packages. that is fine with me and works perfect. I was not aware of that option, but now I know that it is out there, it is the way to go.

Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran, DEFAULT User-Name =~ ^v104([^@]+) User-Name := %{1}@V104.GMVL.DE Can you got some debug output or even just the value of the User-Name? It may just be the escaping is less crazy than it used to be. username is: v104\Administrator but radius puts it internally as

Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran, Can you provide a backtrace please? I'll see if I can fix it. Program received signal SIGSEGV, Segmentation fault. 0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542 542 (auth_item->da->attr == PW_USER_PASSWORD)) { (gdb) bt

Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Alan, I believe hints is going the way of the dodo eventually - unlang can do the work for you eg if (%{User-Name} =~ ^v104([^@]+) ) { update request { %{User-Name} := %{1}@V104.GMVL.DE } } I tried: server default { listen {

Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran, Oh I have a pretty good idea of what's gone on. Could you git pull and rebuild. You'll probably see an abort this time round. I did a git pull # Wipe the working directory clean git reset --hard HEAD; git clean -f -x -d ./configure --prefix=/local/freeradius-head; make -j; make

Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran, Something was caching the pointer to request->password when it shouldn't have. Should be fixed now. I pulled the fix and can no longer reproduce the issue, I tried with 100 authentications in a row. Thank you for fixing it. Cheers, Thomas - List info/subscribe/unsubscribe?

Re: Any One-Time password system.

2013-05-16 Thread Thomas Glanzmann
Hello Sergii, Is it possible to use OTP with ms-chap authorization? no, it is _not_. Cheers, Thomas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Any One-Time password system.

2013-05-14 Thread Thomas Glanzmann
Hello Sergii, don't use the C daemon it has too many moving parts. I later wrote a perl module which is easy to use. See: http://thomas.glanzmann.de/smsotpd.2012-10-05.tar.bz2 Follow the instructions in smsotpd.2012-10-05/rlm_perl/README If you have any further questions, let me know, but this

Re: Question about interaction Between Vmware View 5.1 and smsotp

2013-03-27 Thread Thomas Glanzmann
Hello Stéphane, can you please send a screenshot of your View Radius Configuration, your full configuration and the full debugging output which includes an authentication request from pap_challenge_request.pl and from View. Cheers, Thomas - List info/subscribe/unsubscribe? See

Re: Question about interaction Between Vmware View 5.1 and smsotp

2013-03-27 Thread Thomas Glanzmann
Hello Stéphane, It works. Thank you. Yes, the radiusd process listen on some multiples ports and I was wrong when I put the value 1812 on VMware View. for the list. The problem was that View was configured to port 1812 which does not do SMSOTP with my configuration, so we reconfigured it to

Re: Video installation for freeradius with smsotp

2013-01-24 Thread Thomas Glanzmann
Hello Lasse, * Lasse Odden lasse.od...@gmail.com [2013-01-24 11:48]: Long time since we spoke, but you told me you should try to find time to do a new video with instructions. Could you please help me out with this installation? I currently don't have the time, but if you have specific

Re: Video installation for freeradius with smsotp

2012-11-19 Thread Thomas Glanzmann
Hello Lasse, I'm struggling with the implementation of the smsotp, and I came over this post: http://readlist.com/lists/lists.freeradius.org/freeradius-users/11/55876.html Do you have an updated video with this perl implementation you could send me? I'll record an e-mail tomorrow, and send

Re: MySQL Segmentation Fault

2012-09-28 Thread Thomas Glanzmann
Hello Bryan, [root@radiusdev ~]# rpm -qa | grep mysql mysql-5.1.61-4.el6.x86_64 mysql-devel-5.1.61-4.el6.x86_64 mysql-libs-5.1.61-4.el6.x86_64 mysql-server-5.1.61-4.el6.x86_64 they all belong to same release. Do I need all of those or is one causing me the issue still with the faults?

Re: smsotpd

2012-09-08 Thread Thomas Glanzmann
Hello Franks, * Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk [2012-09-09 01:19]: The first thing I'm not clear on is the function of the users file that's related to the Berkeley_db script. I'm not sure I understand why it's needed. Is this a database of acceptable users that

Re: freeradius OTP with OATH

2012-09-08 Thread Thomas Glanzmann
Hello Arran, What is the server missing as of 2.2.0 that requires the use of rlm_perl? I'm not aware of the FreeRadius internals but you can simply look at the FreeRadius Module rlm_smsotp. This is what happens. - User authenticates with PAP - The server answer will be of

Re: freeradius OTP with OATH

2012-09-07 Thread Thomas Glanzmann
Hello Henk, I've looked closely at your video and accomplishment with smsotp, congrats! thank you. However the video shows something that is outdated. I now wrote a perl module for rlm_perl which does it much better without all the moving parts. Did you also had a look at OATH TOTP instead

Re: rlm_smsotpd entry from wiki gone

2012-09-04 Thread Thomas Glanzmann
Hello Fajar, http://wiki.freeradius.org/modules/Rlm_smsotp yes, I just clicked on the first on google and was surprised when it was gone. Probably just upgrade/link-changed effect. Might be. Cheers, Thomas

Re: PAP and A-C

2012-09-03 Thread Thomas Glanzmann
Hello, can you not configure RADIUS server to do PAP + Challenge so that it asks for username/password followed by one or more Access-Challenge? If yes, how would you configure freeradius server to throw Access-Challenge to radius client? yes, you can. The easiest way is to grab:

rlm_smsotpd entry from wiki gone

2012-09-03 Thread Thomas Glanzmann
Hello, I just noticed that the rlm_smsotpd website I wrote in the wiki is gone. Was that on purpose or an error that happened when the wiki was updated? I pulled a version out of google cache so that I still have the few words I have written there. Cheers, Thomas - List

Re: PAP and A-C

2012-09-03 Thread Thomas Glanzmann
Hello Rod, I think the A-C is supported with EAP type authentication? not the PAP. it is supported with both types. However in EAP it is used for something entirely different. With PAP it is used with a challenge. Maybe this thread brings you up to speed. But please use the rlm_perl

VMware View 5.1 smsotp authentication with multiple realms [WAS: Re: Yeah, it works !!]

2012-08-28 Thread Thomas Glanzmann
Hello Joël, jodan@otpradius:~/work/smsotpd$ ./pap_challenge_request.pl Enter username: dsp1A00113 Enter password: server response type = Access-Challenge (11) Enter otp: 89003 server response type = Access-Accept (2) Yeah, it works  !! The step 1 is achieved :o) that is good to hear.

Re: SMSotpd, Something goes wrong :(

2012-08-24 Thread Thomas Glanzmann
Hello Joël, I've adjusted some paths and other little things. Freeradius is up smsotpd is up I've populated the berkeley db with my identifiant don't use the smsotpd, use the rlm_perl which is a completely different setup. The minimal config you find in the README in the

Re: Challenge/Response and rlm_example, I'm trying too ...

2012-08-23 Thread Thomas Glanzmann
Hello Joël, I'm trying to develop my own two-factor-authentication with freeradius. the fastest way to do that is to grab http://thomas.glanzmann.de/smsotpd.2012-08-16.tar.bz2 and modify the rlm_perl implementation. That is very straight forward. But it is not so clear for me to set up

Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-07-28 Thread Thomas Glanzmann
Hello everyone, today I wrote a new version of sms otp in perl utilizing rlm_perl. If I would have realized earlier how powerful rlm_perl is I would have gone with that solution in the first place. You can find the code here: http://thomas.glanzmann.de/smsotpd.2012-07-28.tar.bz2 This code allows

Avoid locked Active Directory Account when using PAP/krb5 against active directory

2012-07-27 Thread Thomas Glanzmann
Hello, I have Citrix Netscaler which authenticates user against active directory with PAP. First against Active Directory using krb5 and second against smsotp using a PAP Access challenge. If someone knows a username he can type in multiple times the right username with the wrong password and can

Re: Uninstall FreeRadius

2012-07-27 Thread Thomas Glanzmann
Hello George, How can one uninstall the Freeradius 2.1.1 from Ubuntu 12 LTS # Run this command to find out the name of the radius server package dpkg -l | grep -i radius # Purge (deinstall and remove configuration files) of the package dpkg -P name of packet Cheers, Thomas - List

Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-06-08 Thread Thomas Glanzmann
Hello Alan, [ sorry for the late response, I read that mailinglist only every few days ] The tar file seems strange. There's a smsotpd.2012-06-04c directory, but most of the files seem to have a smsotpd.2012-06-04 prefix. *Without* the directory: thank you for telling me. There was a slash

Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-06-04 Thread Thomas Glanzmann
Hello everyone, here is a c implementation of the smsotpd. http://thomas.glanzmann.de/smsotpd.2012-06-04.tar.bz2 Cheers, Thomas

Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-05-22 Thread Thomas Glanzmann
Hello everyone, find a video which describes the setup of a freeradius server here: http://thomas.glanzmann.de/smsotp.pdf http://thomas.glanzmann.de/smsotp.swf Cheers, Thomas

Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello, I'm interested in a radius test client which supports pap ACCESS-Challenge. Can anyone point me to one or to a library which allows me to easily write one, preferably in perl? Cheers, Thomas

Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello Matthew, You should not be getting a challenge with PAP, so there is no need for a test client for it. for Citrix Netscaler and VMware View 5.1 if you want to support two-factor authentication for example with rlm_smsotp this is necessary. However there is currently no test client for it

Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello Matthew, Forget that - I've not had enough coffee yet today :) You need to respond to the challenge, not send one yourself... exactly, however the Authen::Radius perl module saved my day: #!/usr/bin/perl -w # Thomas Glanzmann 16:06 2012-05-21 # First Argument is username, second

Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello everyone, find attached the new and improved version for checking pap access challenge: (minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl Enter username: directory\Administrator Enter password: server response type = Access-Reject (3) (minisqueeze) [~/work/smsotpd]

Re: Prob web wiki.freeradius.org

2012-05-09 Thread Thomas Glanzmann
Hello Alan, Torsten Lehmann wrote: http://wiki.freeradius.org/ (or faq) returns: Forbidden * Alan DeKok al...@deployingradius.com [2012-05-09 09:44]: It works for me. We upgraded the machine, and had a few problems with editing the wiki. But it should be OK now. for me it does not, I

Re: Prob web wiki.freeradius.org

2012-05-09 Thread Thomas Glanzmann
Hello everyone, * Thomas Glanzmann tho...@glanzmann.de [2012-05-09 09:58]: for me it does not, I still have the problem. If you want I can record the problem for you as flash video. I'm using github to authenticate. I have problem editing the page, accessing is fine. But Arran seems to fix

Re: Hello - Freeradius question

2012-04-25 Thread Thomas Glanzmann
Hello Axel, your German is good, but I will answer in English. You can download the daemon from the freeradius mailing list or the attachment of this e-mail, I configured the following: users: DEFAULT Auth-Type := smsotp sites-enabled/default: authenticate { Auth-Type smsotp {

Re: Hello - Freeradius question

2012-04-25 Thread Thomas Glanzmann
Hello Axel, Thanks a lot for your answer. Yet I see the complete process :-) If I just want a normal PAP authent, It's just the same as your configuration, but instead of ntlm_auth I let PAP, no? yes, and use the following users entries: Administrator Cleartext-Password := password,

Re: How secure is the radius encryption

2012-04-04 Thread Thomas Glanzmann
Hello Jason, The passwords are weakly encrypted using a mechanism that is basically an XOR of the password and an MD5 hash of the request authenticator and the shared secret. thanks for the thorough explanation, I'll go with IPSEC or openvpn. I recall reading in Bruce Schneier's book 'Secret

Re: MSSCHAP auth + LDAP authorizaton

2012-04-03 Thread Thomas Glanzmann
Hello Andreas, How to tell freeradius, that after successful MSCHAP auth against AD it must browse AD via LDAP and check that the username belongs to specified group? I think, you need to write a script that makes sure that the user is part of a specific group. I would do that in perl, because

Re: MSSCHAP auth + LDAP authorizaton

2012-04-03 Thread Thomas Glanzmann
Hello Matthew, Why do in perl what you can do in FR directly? That will just slow things down. if (!(Ldap-group == 'cn=group,dc=example,dc=com')) { reject } will this work with nested groups? Cheers, Thomas - List info/subscribe/unsubscribe? See

How secure is the radius encryption

2012-04-03 Thread Thomas Glanzmann
Hello, I wonder if the radius encryption between radius client and radius is secure enough if you choose a decent password like the following: 'O([G6krj\9[9FN#GVn(/|9+8h5vq2!W*J:OrA;2Uvk1G*z~-6'emgQV 2X5iDa(' Or if someone should always protect the connection between radius client to radius server

Re: Plain text shared secrets problematic?

2012-04-02 Thread Thomas Glanzmann
Hello, (c) use IPSec for connectivity or if you don't like the complexity that comes with ipsec, use OpenVPN or any other VPN software. Cheers, Thomas

Re: MSCHAPv2 followed by a smsotp authentication

2012-04-01 Thread Thomas Glanzmann
Hello Alan, Authenticator must be wrong You're wasting your time. You're right. I found the problem. The proprietary radius client chokes on the \ in the username, I can't believe it. However it is working for me now. Who do I need to approach in order to submit the 'smsotpd' perl

PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-04-01 Thread Thomas Glanzmann
Hello Alan, If it's small, email it to the list. Otherwise, use github. find smsotpd.pl attached. Please consider it for upstream. If you reject it, please let me know exactly what needs to be changed in order to accept it to upstream. You can't write to the wiki via git. You have to use

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-31 Thread Thomas Glanzmann
Hello Alan, Possibly. If so, the proprietary client doesn't implement RADIUS. thanks a lot. However, I'm going to hunt that one down, because I think I'm very close to solve it and then I'll document it here. As soon as the product is released to the public I'll also add a wiki entry or howto

Re: Challenge-Response

2012-03-31 Thread Thomas Glanzmann
Hello Mercier, According to the Radius RFC, Chapter 2.1 Challenge-response (http://www.ietf.org/rfc/rfc2865.txt), I read that it's possible to activate a challenge-response (Access-Request, Access-Challenge, Access-Request, Access-Accept) with Radius, is that possible with Free Radius, and if

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-31 Thread Thomas Glanzmann
Hello Alan, my initial thought that the state may only contain numbers, was wrong. Now I want to verify that the message authenticator sent by freeradius is correct, can you please walk me through how to do that? I also added debugging code to freeradius so that it tells me that it creates the

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan, PAP. And only PAP. And sometimes not even there. I now installed a commercial radius server (Nordic Edge) which supports it and I sniffed a successful exchange. You can find it here: http://upload.glanzmann.de/radius.pcap Could you please let me know if it is possible to

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan, here is the nordic edge radius server pcap: http://upload.glanzmann.de/radius.pcap here is the freeradius server pcap: http://upload.glanzmann.de/freeradius.pcap What I don't get is, when I compare the two 'Access-Challenges' they look very similar to me. However my proprietary

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan, Any idea what freeradius does different here? the only difference I see here is that radius has a hex number in the state field while the proprietary has digits. I assume that is why my proprietary client chokes. I'll try to configure freeradius to produce digits as well and retry

MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello, I have a proprietary radius client which I want to authenticate against freeradius the following way: - User types is username: directory\Administrator password:secret - Freeradius authenticates against active directory. This already works - From the documentation

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello Alan, Which authentication method? This matters a lot. I configured it to use MSCHAPv2 (but they also support PAP, CHAP and MSCHAPv1) After authenticating to RADIUS, you may get another prompt if the RADIUS server responded with a supported Access Challenge.

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello Alan, MSCHAPv2 So when I said it was impossible, what did you think that meant? a) keep working on it b) try something else your e-mail arrived after I did the 'progress'. Can you tell me for which other authentication (pap, chap, mschapv1) methods it works? Cheers, Thomas

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello Alan, your e-mail arrived after I did the 'progress'. Can you tell me for which other authentication (pap, chap, mschapv1) methods it works? I configured it to use pap, and I have now the same behaviour using pap, mschapv1 and mschapv2. The client sends a 'Access Request' the server