Hi,
I am using FreeRADIUS Version 0.7.1 on a Linux Redhat 7.0 version.
I am authenticating a particular user by EAP and want to send 
Session-timeout and Termination-Action attributes to that user in 
Access-Accept packet. But these two attributes are being included 
in Access-challenge packet sent to NAS. But Termination-Action is 
unacceptable to the NAS in an Access-challenge packet. 
        How to send Termination-Action only in Access-Accept and
not in Access-challenge?
        In general, how to control the set of attributes to be included
in Access-challenge and Access-Accept separately?

Please reply soon.


-----Original Message-----
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]
Sent:   Monday, March 03, 2003 6:57 PM
To:     [EMAIL PROTECTED]
Subject:        Freeradius-Users digest, Vol 1 #1593 - 15 msgs


Today's Topics:

   1. Re: EAP-TLS auth failure (Dmitri Belimov)
   2. Re: EAP-TLS auth failure (Artur Hecker)
   3. FreeRADIUS & MD5 authentication ([EMAIL PROTECTED])
   4. Re: FreeRADIUS & MD5 authentication (Artur Hecker)
   5. realms & wildcards (Josh Howlett)
   6. RADIUS has to remember previous challenge value in EAP-MD5/Challenge ? (mimi)
   7. Re: FreeRADIUS & MD5 authentication ([EMAIL PROTECTED])
   8. Re: FreeRADIUS & MD5 authentication (Artur Hecker)
   9. Re: User freezing!!! (Eric)
  10. Re: User freezing!!! (Evren Yurtesen)
  11. Re: EAP-TLS auth failure (Dmitri Belimov)
  12. Is it known bug in freeradius? (checkrad) (Dyachek Andrey)
  13. PAP, CHAP and MSCHAP with DB2 (Christian Gabriel  Charette)
  14. Re: PAP, CHAP and MSCHAP with DB2 (3APA3A)
  15. Re: EAP-TLS auth failure (Artur Hecker)

--__--__--

Message: 1
Date: Mon, 3 Mar 2003 16:42:22 +0900
From: Dmitri Belimov <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS auth failure
Reply-To: [EMAIL PROTECTED]

Hi Artur

> you need exactly the following:
> 
> > cert-clt.p12
> > cert-srv.pem
> > root.pem
 
For client authorization I use xsupplicant - http://www.open1x.org/
xsupplicant config file

MegaWiFi:id = radiotest
MegaWiFi:cert = radiotest.der
MegaWiFi:key = radiotest.pem
MegaWiFi:root = root.pem
MegaWiFi:auth = EAP
MegaWiFi:type = wireless

from root.pem I remove private key 

> and no private key should be in root.pem (though it doesn't matter
> now)
> 
> 
> > Radiusd.conf
> > 
> > CA_file = ${confdir}/eap-test/root.pem

private key from root.pem is remove

but authentication also failure

at system console typing error message:

30630:error:0906D06C:lib(9):func(109):reason(108):pem_lib.c:632:Expectig: DH PARAMETERS

It is normal??

Dmitri.


--__--__--

Message: 2
Date: Mon, 03 Mar 2003 09:38:54 +0100
From: Artur Hecker <[EMAIL PROTECTED]>
Organization: ENST Paris
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS auth failure
Reply-To: [EMAIL PROTECTED]

hi


> For client authorization I use xsupplicant - http://www.open1x.org/
> xsupplicant config file
>
> MegaWiFi:id = radiotest
> MegaWiFi:cert = radiotest.der
> MegaWiFi:key = radiotest.pem
> MegaWiFi:root = root.pem
> MegaWiFi:auth = EAP
> MegaWiFi:type = wireless
>
> from root.pem I remove private key

i'm not familiar with xsupplicant, sorry. i hope you added the client
certificate WITH private key somewhere. what's this key field? shouldn't
it be the key of the private key of the client certificate?


> private key from root.pem is remove

as i said to you: it should be removed but it doesn't matter here. it
was not supposed to correct the problem.


> at system console typing error message:
>
> 30630:error:0906D06C:lib(9):func(109):reason(108):pem_lib.c:632:Expectig: DH PARAMETERS
>
> It is normal??

i don't know, that looks like xsupplicant for me.


ciao
artur


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker



--__--__--

Message: 3
Date: Mon,  3 Mar 2003 09:37:35 +0100
Subject: FreeRADIUS & MD5 authentication
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

Hello friends,

I'd like to know which are the right files I must configure in my FreeRADIUS server to allow a client to authenticate with MD5 algorithm.

Thanks very much,
emi



--__--__--

Message: 4
Date: Mon, 03 Mar 2003 09:48:10 +0100
From: Artur Hecker <[EMAIL PROTECTED]>
Organization: ENST Paris
To: [EMAIL PROTECTED]
Subject: Re: FreeRADIUS & MD5 authentication
Reply-To: [EMAIL PROTECTED]

do you mean for password hiding in pap or do you mean with EAP-MD5?
there is a howto for eap-md5 in the doc directory of freeradius (at
least online).


[EMAIL PROTECTED] wrote:
 > Hello friends,
 >
 > I'd like to know which are the right files I must configure in my
 > FreeRADIUS server to allow a client to authenticate with MD5
 > algorithm.
 >
 > Thanks very much, emi
 >
 >
 >
 >
 > - List info/subscribe/unsubscribe? See
 > http://www.freeradius.org/list/users.html


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker



--__--__--

Message: 5
Subject: realms & wildcards
From: Josh Howlett <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Organization: University of Bristol
Date: 03 Mar 2003 08:50:11 +0000
Reply-To: [EMAIL PROTECTED]

Is it possible to select a realm using wildcards?

ie.

realm foo* {
        ...
        }

realm *bar {
        ...
        }

Thanks, josh.

-- 
-----------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]
------------------------------------------------------------
---



--__--__--

Message: 6
From: "mimi" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Subject: RADIUS has to remember previous challenge value in EAP-MD5/Challenge ?
Date: Mon, 3 Mar 2003 17:51:46 +0900
Reply-To: [EMAIL PROTECTED]

Previous message didn't post in human readable.
I want to know how to erase message which I posted. Is that impossible ?

In freeradius-0.2, the state attribute :
    info = challenge + time
    state = info + hmac(info, key)

If we use multi-radius servers and NAS uses round-robin ?
NAS get the challenge from one server and send the response to another.

To verify it,server can use the secret instead. This will be easy..

In EAP-MD5/Challenge, for verify user password, server has to know the
challenge value which it sent.
In this case, one server knows the challenge value because it sent the
challenge-request.
But the others don't know how to verify user password because they don't
know the challenge value.
In the state attribute, challenge is not a challenge value to encrypt the
password.

NAS never send the challenge value which server sent.
To verify the password, another server will send the challenge-request to
NAS,
and NAS will send response to the other server.
And again and again.... :(
How do you think about this ?
Does freeradius can extract the previous challenge value from the
challenge-response packet ?

How about the state attribute including the challenge value which
NAS(exactly, not NAS but user terminal) use to encrypt password ?
This will be crash with other algorithm(TLS etc.) ?

Like this..
    info = IDEA(challenge + time, secret)
    state = info + hmac(info, secret)
or
    info = challenge + time + hmac(challenge + time, secret)
    state = IDEA (info, secret)

The server can get challenge value and verify the user password.
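
The State layout discussed in the message above (info = challenge + time, state = info + hmac(info, key)), carried through so that a second server sharing the key can recover the EAP-MD5 challenge and check the response; this is an added example, not part of the original post and not FreeRADIUS code. Assumptions: HMAC-SHA256 as the MAC, a 30-second validity window, and all function names are hypothetical; the IDEA encryption step proposed in the post is left out, so the State is authenticated but not encrypted.

```python
import hashlib
import hmac
import os
import struct
import time

MAC_LEN = 32        # HMAC-SHA256 output (assumption; the post names no hash)
CHALLENGE_LEN = 16  # challenge size chosen for this sketch
MAX_AGE = 30        # seconds a State value stays valid (assumption)

def make_state(challenge, key, now=None):
    """info = challenge + time; state = info + hmac(info, key)."""
    now = int(time.time()) if now is None else now
    info = challenge + struct.pack("!I", now)
    return info + hmac.new(key, info, hashlib.sha256).digest()

def open_state(state, key, now=None):
    """Return the challenge if the State is authentic and fresh, else None."""
    if len(state) != CHALLENGE_LEN + 4 + MAC_LEN:
        return None
    info, mac = state[:-MAC_LEN], state[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, info, hashlib.sha256).digest()):
        return None
    issued = struct.unpack("!I", info[CHALLENGE_LEN:])[0]
    now = int(time.time()) if now is None else now
    if not 0 <= now - issued <= MAX_AGE:
        return None
    return info[:CHALLENGE_LEN]

def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5 uses the CHAP computation: MD5(identifier + secret + challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

def verify_on_any_server(state, key, eap_id, password, response, now=None):
    """What the second server does: recover the challenge from State, then check."""
    challenge = open_state(state, key, now)
    if challenge is None:
        return False
    return hmac.compare_digest(response, eap_md5_response(eap_id, password, challenge))

def demo():
    key = b"constructed-cluster-key"   # shared by all servers (constructed value)
    password = b"constructed-password"
    challenge = os.urandom(CHALLENGE_LEN)
    state = make_state(challenge, key, now=1000)      # server A issues the challenge
    resp = eap_md5_response(7, password, challenge)   # supplicant answers
    tampered = bytes([state[0] ^ 1]) + state[1:]
    return {
        "server_b_accepts": verify_on_any_server(state, key, 7, password, resp, now=1005),
        "tampered_rejected": not verify_on_any_server(tampered, key, 7, password, resp, now=1005),
        "stale_rejected": not verify_on_any_server(state, key, 7, password, resp, now=2000),
    }
```

Because no server keeps per-session memory, the same State and response pair verifies again on any server until MAX_AGE expires, so the window has to stay short.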




--__--__--

Message: 7
Date: Mon,  3 Mar 2003 10:01:29 +0100
Subject: Re: FreeRADIUS & MD5 authentication
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

I mean EAP-MD5. Do you exactly know where in doc directory I can find the informations I need?

thank you


do you mean for password hiding in pap or do you mean with EAP-MD5?
there is a howto for eap-md5 in the doc directory of freeradius (at
least online)[EMAIL PROTECTED] wrote:
 > Hello friends,
 >
 > I'd like to know which are the right files I must configure in my
 > FreeRADIUS server to allow a client to authenticate with MD5
 > algorithm.
 >
 > Thanks very much, emi
 >
 >
 >
 >
 > - List info/subscribe/unsubscribe? See
 > http://www.freeradius.org/list/users.html


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker



--__--__--

Message: 8
Date: Mon, 03 Mar 2003 10:34:43 +0100
From: Artur Hecker <[EMAIL PROTECTED]>
Organization: ENST Paris
To: [EMAIL PROTECTED]
Subject: Re: FreeRADIUS & MD5 authentication
Reply-To: [EMAIL PROTECTED]

http://www.freeradius.org/doc/EAP-MD5.html



[EMAIL PROTECTED] wrote:
> I mean EAP-MD5. Do you exactly know where in doc directory I can find the informations I need?
>
> thank you
>
>
> do you mean for password hiding in pap or do you mean with EAP-MD5?
> there is a howto for eap-md5 in the doc directory of freeradius (at
> least online).
>
>
> [EMAIL PROTECTED] wrote:
>  > Hello friends,
>  >
>  > I'd like to know which are the right files I must configure in my
>  > FreeRADIUS server to allow a client to authenticate with MD5
>  > algorithm.
>  >
>  > Thanks very much, emi
>  >
>  >
>  >
>  >
>  > - List info/subscribe/unsubscribe? See
>  > http://www.freeradius.org/list/users.html
>
>


-- 
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker



--__--__--

Message: 9
From: Eric <[EMAIL PROTECTED]>
Organization: Winline
To: [EMAIL PROTECTED]
Subject: Re: User freezing!!!
Date: Mon, 3 Mar 2003 15:48:57 +0500
Reply-To: [EMAIL PROTECTED]

I use chinese nas hardware by Huawei (QuidwayA8010 refiner).
Maybe somebody knows with what type of nas (in radius) it compatible?
Now I'm use "other" type. But I have staled session with it.
Thanks.


On Saturday 01 March 2003 18:17, Kostas Kalevras wrote:
> On Thu, 27 Feb 2003, Eric wrote:
> > Hi, all
> >
> > I use freeradius with MySQL & I have problem with user freezing.
> > I'm turn off any accounting & logging except MySQL (such as radutmp,
> > radwtmp). My radius server works pretty well except one thing:
> > When my users is disconnects unexpectedly (telephone line rupture & etc.)
> > in the database his still online (AcctStopTime is still 0000-00-00
> > 00:00:00) & as effect his can't reconnect (radius tells him such login
> > already exists). To solve it I'm every day check radacct table for
> > redundancy
> > AcctStopTime=0000-00-00 00:00:00 & delete all this records. I do this
> > manually every day. My users thinks that somebody steals his password.
> >
> > Question: How can I check for existence of incorrect entries & delete it
> > automatically or at all debar from appearance of it?
>
> The fact that you get stale sessions in your database means that your NAS
> does not work that well. It should always send accounting-stops. Also you
> should setup the nas type in clients.conf so that freeradius can first ask
> the nas about if the user is logged in before rejecting him. If you do this
> then if the NAS reports back that the user is not logged in and we have a
> stale entry in the database then we zap that entry.
>
> > Thanks in advance.
> >
> > Regards, Eric.
> >
> >
> >



--__--__--

Message: 10
Date: Mon, 3 Mar 2003 11:06:21 +0200 (WET)
From: Evren Yurtesen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: User freezing!!!
Reply-To: [EMAIL PROTECTED]

AFAIK the 'other' type doesn't make any checks on the NAS if a user logged
on or not. Radius then relies on the accounting packets received from the
NAS. If you know little perl then you can perhaps make an addition to
radcheck script. 

Evren

On Mon, 3 Mar 2003, Eric wrote:

> I use chinese nas hardware by Huawei (QuidwayA8010 refiner).
> Maybe somebody knows with what type of nas (in radius) it compatible?
> Now I'm use "other" type. But I have staled session with it.
> Thanks.
> 
> 
> On Saturday 01 March 2003 18:17, Kostas Kalevras wrote:
> > On Thu, 27 Feb 2003, Eric wrote:
> > > Hi, all
> > >
> > > I use freeradius with MySQL & I have problem with user freezing.
> > > I'm turn off any accounting & logging except MySQL (such as radutmp,
> > > radwtmp). My radius server works pretty well except one thing:
> > > When my users is disconnects unexpectedly (telephone line rupture & etc.)
> > > in the database his still online (AcctStopTime is still 0000-00-00
> > > 00:00:00) & as effect his can't reconnect (radius tells him such login
> > > already exists). To solve it I'm every day check radacct table for
> > > redundancy
> > > AcctStopTime=0000-00-00 00:00:00 & delete all this records. I do this
> > > manually every day. My users thinks that somebody steals his password.
> > >
> > > Question: How can I check for existence of incorrect entries & delete it
> > > automatically or at all debar from appearance of it?
> >
> > The fact that you get stale sessions in your database means that your NAS
> > does not work that well. It should always send accounting-stops. Also you
> > should setup the nas type in clients.conf so that freeradius can first ask
> > the nas about if the user is logged in before rejecting him. If you do this
> > then if the NAS reports back that the user is not logged in and we have a
> > stale entry in the database then we zap that entry.
> >
> > > Thanks in advance.
> > >
> > > Regards, Eric.
> > >
> > >
> > >



--__--__--

Message: 11
Date: Mon, 3 Mar 2003 20:43:23 +0900
From: Dmitri Belimov <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS auth failure
Reply-To: [EMAIL PROTECTED]

Hi Artur

> i'm not familiar with xsupplicant, sorry. i hope you added the client 
> certificate WITH private key somewhere. what's this key field?
> shouldn't it be the key of the private key of the client certificate?

May I post to you my certs in your private mail??

> > at system console typing error message:
> > 
> > 30630:error:0906D06C:lib(9):func(109):reason(108):pem_lib.c:632:Exp
> > ectig: DH PARAMETERS
> > 
> > It is normal??
> 
> i don't know, that looks like xsupplicant for me.

This message is send freeradiusd when EAP-TLS authentication is begin.

Dmitri.


--__--__--

Message: 12
From: "Dyachek Andrey" <[EMAIL PROTECTED]>
To: "FreeRadius mailing list" <[EMAIL PROTECTED]>
Subject: Is it known bug in freeradius? (checkrad)
Date: Mon, 3 Mar 2003 18:39:04 +0600
Reply-To: [EMAIL PROTECTED]

Hi,
I have freeradius-0.8.1 and Mandrake9 and portslave.
I use Simultaneous-Use :=1.
When second attempt of login is determined, freeradius runs checkrad.
* When I manually run it - script works correctly. *
In spite of exit code of checkrad,  freeradius send stop-package to 1st
session,
and permit access to second session of the same user. So it's possible to
have 2 connected users.
So now I have to use "nastype=other" instead of "nastype=portslave" in
clients.conf.
What's wrong in freeradius?

Andrey




--__--__--

Message: 13
Date: Mon, 03 Mar 2003 09:40:47 -0300
From: "Christian Gabriel  Charette" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: PAP, CHAP and MSCHAP with DB2
Reply-To: [EMAIL PROTECTED]

Hello all,

 I am new in this mailing list, so my question might be stupid, please don't be bothered.
 I need to configure Freeradius to accept PAP, CHAP and MSCHAP methods. The user passwords are stored cleartext in a DB2.
 Is possible this configuration? Could you give an example, thanks!

Thank you very much for your help,
Christian




--__--__--

Message: 14
Date: Mon, 3 Mar 2003 15:47:29 +0300
From: 3APA3A <[EMAIL PROTECTED]>
Organization: http://www.security.nnov.ru
To: [EMAIL PROTECTED],
   "Christian Gabriel  Charette" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: PAP, CHAP and MSCHAP with DB2
Reply-To: [EMAIL PROTECTED]

Dear Christian Gabriel  Charette,

Yes, it's possible. Please read documentation.

--Monday, March 3, 2003, 3:40:47 PM, you wrote to 
