EAP/TLS security ?

2004-07-29 Thread castor mailing
Hello,

It's not specifically a question about freeradius, but it is for
experts like you in 802.1x ;)

I read this document http://www.cs.umd.edu/~waa/1x.pdf
It said that 802.1x has a flaw: man in the middle attack.
Is it true, or is the document deprecated?

I have another question :
Considering security what is better :
freeradius + EAP/TLS ?
 |--- WPA ?
 |--- 802.1X ?
freeradius + EAP/TTLS?
freeradius + PPTP ?

Excuse my bad English.

Henri. (france)
		

Sql accounting error

2004-07-29 Thread Costas Christonis
Hi to all,
we use freeradius 0.9 running on a linux box.

After a system crash (the one with the mysql database) we have a problem
with the accounting. When we start the radius it connects to the
database but we have no records and in the log file we always have
these errors:


Error: rlm_sql (sql): Couldn't update SQL accounting for START packet - Duplicate entry '2336002'
Error: rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate entry '2336002' for key 1


Can someone help?






Costas A. Christonis
Networking & Communications Centre
Gallos Campus - University of Crete
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Sql accounting error

2004-07-29 Thread Costas Christonis
 Hi to all,
 we use freeradius 0.9 running on a linux box.

 After a system crash (the one with the mysql database) we have a problem
 with the accounting. When we start the radius it connects to the
 database but we have no records and in the log file we always have
 these errors:


 Error: rlm_sql (sql): Couldn't update SQL accounting for
 START packet - Duplicate entry '2336002'
 Error: rlm_sql: Couldn't insert SQL accounting STOP record -
 Duplicate entry '2336002' for key 1


 Can someone help?



I also want to add this error that we see when running in debug mode:

rlm_sql_mysql: MYSQL check_error: 1062 received


 Costas A. Christonis
 Networking & Communications Centre
 Gallos Campus - University of Crete
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/








Costas A. Christonis
Networking  Communications Centre
Gallos Campus - University of Crete
email: [EMAIL PROTECTED]
http://www.ucnet.uoc.gr/




Re: Sql accounting error

2004-07-29 Thread Costas Christonis
this is the output of the debug mode...


rlm_sql_mysql: MYSQL check_error: 1062 received
rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate entry '2336002' for key 1
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns fail
modcall: group accounting returns fail




 Hi to all,
 we use freeradius 0.9 running on a linux box.

 After a system crash (the one with the mysql database) we have a problem
 with the accounting. When we start the radius it connects to the
 database but we have no records and in the log file we always have
 these errors:


 Error: rlm_sql (sql): Couldn't update SQL accounting for
 START packet - Duplicate entry '2336002'
 Error: rlm_sql: Couldn't insert SQL accounting STOP record -
 Duplicate entry '2336002' for key 1


 Can someone help?



 Costas A. Christonis
 Networking & Communications Centre
 Gallos Campus - University of Crete
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/




RE: Cisco Wireless

2004-07-29 Thread Frederic Evrard
http://www.missl.cs.umd.edu/wireless/eaptls/

http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

http://www.freeradius.org/doc/EAPTLS.pdf

Try a Google search; there are many other HOWTOs.



Re: EAP/TLS security ?

2004-07-29 Thread Frederic Evrard
 Hello,

 It's not specially a question about freeradius but for
 for experts like you in 802.1x ;)

 I read this document http://www.cs.umd.edu/~waa/1x.pdf
 It said that 802.1x has a flaw : man in the middle attack
 Does it true or is the document deprecated ?

 I have another question :
 Considering security what is better :
 freeradius + EAP/TLS ?
|--- WPA ?
|--- 802.1X ?
 freeradius + EAP/TTLS ?
 freeradius + PPTP ?--I never study this one.


Hi,

The most secure at the moment is WPA + 802.1x with EAP/TLS, but there is a
disadvantage to using this method because you need a PKI.
And yes, it is weak against man-in-the-middle attacks because there isn't
any protection on control traffic, so it's possible to cause a DoS... but I
think it isn't so easy to do!!
WPA is a transition standard:
In the new standard 802.11i, there's an EAP preauthentication before
association with the access point to resolve this problem, and it uses AES
as the cipher, which is more secure than RC4.
But it's new and it could change again.

Fred.EVRARD













Re: mysql accounting

2004-07-29 Thread Kostas Kalevras
On Wed, 28 Jul 2004, Ken A wrote:



 Edgars wrote:
  i am writing my own program to get them in human-readable form:)
 
  Edgars


 Yep. I made some changes that make it easier for me to start from
 scratch with a language I'm more familiar with (perl) than to modify
 dialupadmin to do what I want, especially since I'm not very good with
 php, and there are many things in dialupadmin I would want to change.

What do you mean by that?


 I added a couple of columns to the radacct table, so my records include
 several Ascend attributes not in the standard table:
 (Ascend-Disconnect-Cause, Ascend-XmitRate, Ascend-DataRate).

 And, I was getting duplicate STOP records in the radacct table, so I
 also put a unique index on (sessionid,username,nasipaddress) and changed
 the INSERT STOP record in sql.conf to a REPLACE INTO instead of
 INSERT INTO and that seems to have resolved the problem.

 Ken A


  Ken A wrote:
 
  Those of you that use mysql with freeradius, can anyone recommend some
  software for linux to process mysql radacct table logs?
  Do you just roll your own scripts to query the logs and make reports?
  Seems simple enough, but what are others doing? is always a good
  question :-)
 
  Thanks,
 
  Ken A
 
 
 
 
 
 
 
 



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Freeradius-Users digest, Vol 1 #3559 - 13 msgs

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Motovilov A.V. wrote:

 Message: 10
 From: Alan DeKok [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Realms & FreeRadius & Callback.
 Date: Wed, 28 Jul 2004 12:54:54 -0400
 Reply-To: [EMAIL PROTECTED]

 Motovilov A.V. [EMAIL PROTECTED] wrote:
  When I try to login with [EMAIL PROTECTED] the following info is in my radius.log:

  Wed Jul 28 10:09:46 2004 : Info: rlm_sql (sql): No matching entry in the database for request from user [user]
  Wed Jul 28 10:09:46 2004 : Auth: Login incorrect: [user/pass] (from client c5300Samara1 port 22 cli 790019)

  When I try to login with user the following info is in my radius.log:

  Wed Jul 28 10:10:53 2004 : Auth: Login OK: [user/pass] (from client c5300Samara1 port 43 cli 790019)

  What am I doing wrong?

   See sql_user_name in sql.conf.  Read the comments above it.

   Alan DeKok.

 If I use
 sql_user_name = %{Stripped-User-Name}
 I get
  Wed Jul 28 10:09:46 2004 : Info: rlm_sql (sql): No matching entry in the database for request from user [user]
  Wed Jul 28 10:09:46 2004 : Auth: Login incorrect: [user/pass] (from client c5300Samara1 port 22 cli 790019)
 If I use
 sql_user_name = %{User-Name}
 I get
  Wed Jul 28 10:09:46 2004 : Info: rlm_sql (sql): No matching entry in the database for request from user [EMAIL PROTECTED]
  Wed Jul 28 10:09:46 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/pass] (from client c5300Samara1 port 22 cli 790019)

  In any case I don't get what I want...
  Could you explain to me how the Realm feature works?
  Thanks in advance!

As Alan said, read the comments in sql.conf.

You should set sql_user_name to:
sql_user_name = %{Stripped-User-Name:-%{User-Name:-DEFAULT}}


 --
 Best regards,
  Motovilovmailto:[EMAIL PROTECTED]




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

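Added example (not FreeRADIUS code and not part of the thread): a small Python model of the `%{Attr:-default}` fallback expansion in the sql_user_name Kostas suggests, run over two constructed requests, one with a realm (so Stripped-User-Name is set) and one without, to show which UserName each of the three settings from the thread would send to the SQL query. The attribute names are FreeRADIUS's; the expansion rules are an assumed model, not the server's own xlat code.

```python
def _matching_brace(s, start):
    """Index of the '}' that closes the '%{' beginning at s[start]."""
    depth = 0
    i = start
    while i < len(s):
        if s.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unterminated %{ in " + s)


def _expand_ref(inner, attrs):
    """inner is the text between %{ and }: 'Attr' or 'Attr:-default'.
    The default may itself contain nested %{...} references."""
    depth = 0
    for j in range(len(inner) - 1):
        if inner.startswith("%{", j):
            depth += 1
        elif inner[j] == "}":
            depth -= 1
        elif depth == 0 and inner.startswith(":-", j):
            name, default = inner[:j], inner[j + 2:]
            value = attrs.get(name, "")
            return value if value != "" else xlat(default, attrs)
    return attrs.get(inner, "")


def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-default} against a request's attributes.
    Assumed model of the FreeRADIUS rules: a missing or empty attribute
    expands to "", and ':-' supplies a fallback in exactly that case."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _matching_brace(template, i)
            out.append(_expand_ref(template[i + 2:close], attrs))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# The three sql_user_name settings discussed in the thread.
CANDIDATES = {
    "stripped_only": "%{Stripped-User-Name}",
    "username_only": "%{User-Name}",
    "with_fallback": "%{Stripped-User-Name:-%{User-Name:-DEFAULT}}",
}

# Constructed requests: when a realm matches, the realm module strips the
# suffix into Stripped-User-Name; without a realm that attribute is absent.
REQUESTS = {
    "user@realm": {"User-Name": "user@example.com",
                   "Stripped-User-Name": "user", "Realm": "example.com"},
    "bare user": {"User-Name": "user"},
}


def sql_user_names():
    """UserName each setting would place into the SQL query, per request.
    An empty string means the query would look up a blank username."""
    return {req: {name: xlat(tmpl, attrs) for name, tmpl in CANDIDATES.items()}
            for req, attrs in REQUESTS.items()}


if __name__ == "__main__":
    for req, expansions in sql_user_names().items():
        for setting, value in expansions.items():
            print("%-11s %-14s -> %r" % (req, setting, value))
```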


Re: Freeradius + Cisco LNS + Accounting data

2004-07-29 Thread Kostas Kalevras
On Wed, 28 Jul 2004, Nikolas Geyer wrote:

 Add this to your Cisco config

 aaa accounting update periodic 5

 And that should send updates every 5 minutes. Also make sure you enable
 gigawords or else any usage over 4GB will reset to 0 and wont count
 properly. We had to make a small modification to FreeRADIUS sql.conf (as we
 use MySQL for all auth and acct) to count and store gigawords which were;

 accounting_update_query = UPDATE radacct SET AcctInputOctets =
 '%{Acct-Input-Octets}', AcctInputGigawords = '%{Acct-Input-Gigawords}',
 AcctOutputOctets = '%{Acct-Output-Octets}', AcctOutputGigawords
 ='%{Acct-Output-Gigawords}', FramedIPAddress = '%{Framed-IP-Address}' WHERE
 AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
 NASIPAddress = '%{NAS-IP-Address}' AND
 AcctStopTime = '0000-00-00 00:00:00'

 accounting_stop_query = UPDATE ${acct_table2} SET AcctStopTime = '%S',
 AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
 '%{Acct-Input-Octets}', AcctInputGigawords = '%{Acct-Input-Gigawords}',
 AcctOutputOctets = '%{Acct-Output-Octets}', AcctOutputGigawords =
 '%{Acct-Output-Gigawords}', AcctTerminateCause = '%{Acct-Terminate-Cause}',
 AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}'
 WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
 AND NASIPAddress = '%{NAS-IP-Address}' AND AcctStopTime =
 0

 And we added the AcctInputGigaWords and AcctOutputGigawords to the radacct
 table.

You could use the expr module to calculate the correct value for
Acct-Input-Octets and Acct-Output-Octets. Probably something like:

%{expr: %{Acct-Input-Octets} + 1024*1024*1024*4*%{Acct-Input-Gigawords:-0}}

Hmm, maybe adding support for KB,MB,GB,TB in rlm_expr would be nice.


 Hope that helps a bit... it works for us, so yeah :)

 Nikolas Geyer.


 - Original Message -
 From: Russell Brenner [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, July 28, 2004 12:04 PM
 Subject: Freeradius + Cisco LNS + Accounting data


  Hi,
 
  After checking out some of the accounting data we've collected for our ADSL
  users we obviously aren't getting usage data until we receive a stop record
  for the customer (ie sometimes up to a week later) when the customer
  disconnects.
 
  This isn't really that useful for data reporting to customers as they
 might
  have exceeded their data usage but it won't display because they haven't
  disconnected...
 
  How can we combat this? I imagine other ISP's are collecting daily usage
  data but... yeah its perplexed me :)
 
  I was considering setting a Session-Limit variable for 24 hours, but I
 don't
  see this as being ideal with a ADSL 'always on' type service...
 
  It'd be nice to have up to the minute (or as close to) stats at the
 very
  least have a daily update...
 
  Russell.
 
 


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Radius Breaking because of max spawn threads, no DB Handles and dropping conflicting packets

2004-07-29 Thread Kostas Kalevras
On Wed, 28 Jul 2004, Jorge Cuevas wrote:

 Hello,

 I have accounting of aprox. 5000 concurrent calls, and I am storing only
 stop accounting packets in Mysql.
 Does anybody have any good recommendations on the tuning of mysql and
 freeradius?

See doc/tuning_guide

Make sure that the queries run on accounting stop processing only need to
examine one or two rows (you can use EXPLAIN SELECT for that). As stated in the
tuning guide:

Add AcctUniqueId in the accounting_stop query. Especially if you have a lot of
access servers or your NAS does not send very random Session-Ids. That way you
will always have one candidate row to search for, instead of all the rows that
have the same AcctSessionId

I presume you are using mysql with innodb. Tune innodb parameters (see the
mysql manual for that). In general mysql should work ok if the queries run do
not map to many candidate rows. That's the most important part.

Set noatime on the partition holding your sql tables (if you haven't done that
already).


 Right now I have divided loads on different accounting ports (2 now,
 thinking of 3),  max_servers of 256 on radiusd.conf on each
 configuration and 200 num_sql_socks   in sql.conf

 The machine is a dual xeon with 2GB Mem
 Running Redhat 8 with kernel 2.4.18-14smp

 Thanks

 --
 Jorge




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Multiple session problem?

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Russell Brenner wrote:

 Hi guys,

 Having an odd problem, I don't have simultaneous use integrated yet but when
 a user already has an active session (not necessarily an active L2TP
 session, but freeradius just doesn't have a stop record for them) and they
 are using a realm I get the following in the freeradius logs:

 Thu Jul 29 12:05:13 2004 : Auth: Multiple logins (max 1) [MPP attempt]:
 [snip@snip] (from client ains-L2TP-LNS-NSW port 872 cli snip)

 The same user can authenticate if they don't use the realm but the minute
 the realm is used I get the above error... any ideas?

 I'm using a Cisco 7200 VXR as a LNS/NAS...

 What NAS type should be set in clients.conf?

Simultaneous-Use detection is not turned off by changing the nas type, but by
not setting the Simultaneous-Use attribute.


 --
 Kind Regards,

 Russell




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: machine authentication w/ w2k ad

2004-07-29 Thread Kostas Kalevras
On Wed, 28 Jul 2004, Willey Kurt D wrote:

 I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
 (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
 help!!

 I want to use user authentication for non-domain machines (students,
 home laptops, etc - done) and machine authentication for those in active
 directory (our computers).

 I modified the ldap attribs to check servicePrincipalName
 (host\computername) but of course the machine doesn't send a password
 for mschap...

What does the machine send anyway? If you can answer that you can probably find
out a way to authorize these calls.


 Is this something I can do with FreeRADIUS or do I need to look at IAS?



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: mysql accounting

2004-07-29 Thread Kostas Kalevras
On Wed, 28 Jul 2004, Edgars wrote:

 i am writing my own program to get them in human-readable form:)

 Edgars

 Ken A wrote:

  Those of you that use mysql with freeradius, can anyone recommend some
  software for linux to process mysql radacct table logs?

dialupadmin has a user statistics and a statistics page. It also has tot_stats
and monthly_tot_stats to aggregate user accounting to per day or per month
tables for easier statistics creation. Try starting from there.

  Do you just roll your own scripts to query the logs and make reports?
  Seems simple enough, but what are others doing? is always a good
  question :-)
 
  Thanks,
 
  Ken A
 
 
 
 
 



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Sql accounting error

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Costas Christonis wrote:

 Hi to all,
 we use freeradius 0.9 running on a linux box.

 After a system crash (the one with the mysql database) we have problem
 with the accounting. When we start the raedius it connects on the
 database but we have no record and in the log file we  have always
 these errors:


 Error: rlm_sql (sql): Couldn't update SQL accounting for START packet - Duplicate entry '2336002'
 Error: rlm_sql: Couldn't insert SQL accounting STOP record - Duplicate entry '2336002' for key 1


 Can someone help?

Run CHECK TABLE







 Costas A. Christonis
 Networking  Communications Centre
 Gallos Campus - University of Crete
 email: [EMAIL PROTECTED]
 http://www.ucnet.uoc.gr/




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: radwtmp 2GB file size limit

2004-07-29 Thread Drew Weaver
Apache also dies when it hits the 2GB limit for a log file, so maybe it is
an unwritten FS limit?

-Drew

-Original Message-
From: Christian Balzer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 29, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: radwtmp 2GB file size limit


Hello,

the subject says it all and pretty much also sums up how I searched
the archive to see if this was previously reported. If it escaped
my search, sorry.

This is Debian Sarge, thus freeradius 0.9.3.

When the radwtmp file reaches 2GB freeradius dies w/o any trace in
the logs, so it took me a few minutes to figure out what was going on.

The OS/kernel/filesystem are NOT the limiting factor. 

I'm not sure what the desired behavior should be, as in to support
larger files or terminate with klaxon sounds and warnings all over the
logs and stderr, but clearly the current state of affairs leaves 
something to be desired. Though there are probably no security 
implications.


Regards,

Christian Balzer
-- 
Christian BalzerNetwork/Systems EngineerNOC
[EMAIL PROTECTED]   Global OnLine Japan/Fusion Network Services
http://www.gol.com/




Re: radwtmp 2GB file size limit

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Christian Balzer wrote:


 Hello,

 the subject says it all and pretty much also sums up how I searched
 the archive to see if this was previously reported. If it escaped
 my search, sorry.

 This is Debian Sarge, thus freeradius 0.9.3.

 When the radwtmp file reaches 2GB freeradius dies w/o any trace in
 the logs, so it took me a few minutes to figure out what was going on.

 The OS/kernel/filesystem are NOT the limiting factor.

 I'm not sure what the desired behavior should be, as in to support
 larger files or terminate with klaxon sounds and warnings all over the
 logs and stderr, but clearly the current state of affairs leaves
 something to be desired. Though there are probably no security
 implications.

Recompile freeradius. In configure pass the option --with-large-files (by
default it's not set).



 Regards,

 Christian Balzer
 --
 Christian BalzerNetwork/Systems EngineerNOC
 [EMAIL PROTECTED] Global OnLine Japan/Fusion Network Services
 http://www.gol.com/




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: radwtmp 2GB file size limit

2004-07-29 Thread Christian Balzer

Kostas wrote:


Recompile freeradius. In configure pass the option --with-large-files (by
default it's not set).

I have both hand-rolled and Debian-packaged freeradius servers, so I could
do that. Though for maintainability reasons I prefer packages whenever
possible. And in the end a silent death is never a good thing, IMHO.

That said, is there anything that will make a freeradius compiled
with that flag incompatible to a normal one? Because if so, that
is where the Debian package maintainer will balk (same reason
why INN is not compiled --with-large-files for Debian).

Regards,

Christian Balzer
-- 
Christian BalzerNetwork/Systems EngineerNOC
[EMAIL PROTECTED]   Global OnLine Japan/Fusion Network Services
http://www.gol.com/




Re: Multiple session problem?

2004-07-29 Thread Russell Brenner
Yes, the Simultaneous-Use attribute isn't set actually. I actually fixed this
by switching the way the sessions are stored from radutmp to sql .. Works
fine now incidentally. Not sure if that's just because the session table is
clear though

Russell.


On Thu, 29 Jul 2004, Russell Brenner wrote:

 Hi guys,

 Having an odd problem, I don't have simultaneous use integrated yet but
when
 a user already has a active session (not neccessairly and active L2TP
 session, but freeradius just doesn't have a stop record for them) and they
 are using a realm I get the following in the freeradius logs:

 Thu Jul 29 12:05:13 2004 : Auth: Multiple logins (max 1) [MPP attempt]:
 [snip@snip] (from client ains-L2TP-LNS-NSW port 872 cli snip)

 The same user can authenticate if they don't use the realm but the minute
 the realm is used I get the above error... any ideas?

 I'm using a Cisco 7200 VXR as a LNS/NAS...

 What NAS type should be set in clients.conf?

Simultaneous-Use detection is not turned off by changing the nas type, but by
not setting the Simultaneous-Use attribute.


 --
 Kind Regards,

 Russell




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Re: Freeradius + Cisco LNS + Accounting data

2004-07-29 Thread Alan DeKok
Kostas Kalevras [EMAIL PROTECTED] wrote:
 You could use the expr module to calculate the correct value for
 Acct-Input-Octets and Acct-Output-Octets. Probably something like:
 
 %{expr: %{Acct-Input-Octets} + 1024*1024*1024*4*%{Acct-Input-Gigawords:-0}}

  rlm_expr handles 32-bit numbers only...

  Alan DeKok.



Re: problem with NAS AND simultaneous restrictions

2004-07-29 Thread Alan DeKok
Karina [EMAIL PROTECTED] wrote:
 Hi, i want to restrict users to just one session, but i have this problem..
 
 When i debug the requests of the NAS to the radius server i find this:
 
 rlm_radutmp: No NAS-Port seen. Cannot do anything.
 rlm_radutmp: WARNING: checkrad will probably not work!

  Your NAS has to send that port information.  If it doesn't, the
server has no way of enforcing simultaneous use.

  I would suggest posting the Access-Request packets here.  They may
contain information which would explain *why* there's no port.

  Alan DeKok.




RE: machine authentication w/ w2k ad

2004-07-29 Thread Willey Kurt D
On Wed, 28 Jul 2004, Willey Kurt D wrote:
 I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
 (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
 help!!

 I want to use user authentication for non-domain machines (students,
 home laptops, etc - done) and machine authentication for those in
active
 directory (our computers).

 I modified the ldap attribs to check servicePrincipalName
 (host\computername) but of course the machine doesn't send a password
 for mschap...

What does the machine send anyway? If you can answer that you can
probably find out a way to authorize these calls.

Kostas KalevrasNetwork Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone:+30 210 7721861

Here is the log of the failed try... The server is trying to use mschap;
do I need to force it to another authentication? I am guessing yes...
what do I use without breaking the user-based auth I have set up and
working?

THANKS!!

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ambrose,dc=sau,dc=edu, with filter (&(servicePrincipalName=host/sauvxy5n.ambrose.sau.edu)(objectcategory=cn=computer,cn=schema,cn=configuration,dc=ambrose,dc=sau,dc=edu))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE



Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Christophe Boyanique wrote:

 Hello,

 I want to secure a wireless network (operated with Cisco Aironet 1200
 aps) via freeradius connected to an OpenLDAP server; with clients
 running Windows 2000, Windows XP and Mac OS-X (>= 10.2).

 I saw that EAP-MD5 is not recommended (and not supported by Windows XP
 since SP1).

 EAP-TLS is not a choice as there is no LDAP interaction from what I've
 read on this mailing-list and other places.

Depends on what you mean by LDAP interaction. You can still use LDAP to
*authorize* the user. EAP-TLS just does certificate authentication so there's
not much LDAP interaction involved (apart from probably verifying the supplied
user certificate through LDAP, though that's not currently supported)


 The best choice seems to be EAP-TTLS as it is supported by freeradius
 and the selected clients. But I have some questions about the protocol
 to use inside the TLS tunnel.

 It seems that EAP-MD5 is not possible as passwords are stored in {CRYPT}
 format in the LDAP.
 I tried the EAP-MD5+LDAP feature and it works indeed with clear
 passwords. I was wondering if it would be possible to patch the eap-md5
 module to crypt the password sent by the supplicant before comparing it
 with the one from the LDAP ?

Please read the CHAP/EAP-MD5 specification. That's not how the protocol works.
You *need* clear text passwords for EAP-MD5 to work.


 I read some things about using PAP inside EAP-TTLS. It seems that
 {CRYPT} passwords work with PAP as I see there is an encryption_scheme
 parameter for PAP.

You can also use the ldap module for authentication instead of the pap module
(authentication through an ldap bind request).


 But will PAP be supported by supplicants running on Windows and Mac OS-X ?

If you are going to use EAP-TTLS you must use the SecureW2 client, since Windows
does not support EAP-TTLS. SecureW2 supports PAP so you should be fine. I have no
idea about Mac OS X, though since it's a Unix flavor maybe Xsupplicant can work on
it (Xsupplicant supports EAP-TTLS).



 Thank you for your help,

 Christophe.




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

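Added example (not part of the thread and not FreeRADIUS code): a Python sketch of why Kostas's point holds. EAP-MD5, like CHAP, sends MD5(Identifier || password || Challenge), which the server can only recompute from the clear-text password, so a {CRYPT} hash in LDAP is useless to it; PAP inside the TTLS tunnel delivers the clear-text password, which the server can check against the stored hash. The {CRYPT} scheme is modelled with a salted SHA-256 stand-in (assumption: only its one-way property matters here), and the sample credential and challenge are constructed.

```python
import hashlib
import os


def crypt_store(password, salt=None):
    """Stand-in for the {CRYPT} entry in LDAP (assumption: a salted one-way
    hash; the real directory uses crypt(3)).  Returns (salt, digest)."""
    salt = os.urandom(8) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).digest()


def pap_verify(clear_password, salt, digest):
    """PAP inside EAP-TTLS: the clear-text password arrives through the
    tunnel, so the server re-hashes it and compares with the stored hash."""
    return hashlib.sha256(salt + clear_password.encode()).digest() == digest


def eap_md5_response(identifier, password, challenge):
    """What the supplicant sends for EAP-MD5 / CHAP (RFC 3748, RFC 1994):
    MD5(Identifier || password || Challenge).  The password never leaves
    the client; only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def eap_md5_verify(identifier, clear_password, challenge, response):
    """The server checks the response by recomputing the same MD5, which is
    only possible when it holds the clear-text password."""
    return eap_md5_response(identifier, clear_password, challenge) == response


def eap_md5_verify_with_hash(identifier, stored_digest, challenge, response):
    """The patch asked about in the thread, modelled: feed the stored {CRYPT}
    hash into the MD5 in place of the password.  It cannot match, because
    the client hashed the password itself, not its hash, and the response
    cannot be un-hashed to recover the password for crypt()."""
    return hashlib.md5(bytes([identifier]) + stored_digest + challenge).digest() == response


def demo():
    """One constructed login checked under each scheme; returns a dict of
    outcomes so the behaviour can be inspected without reading output."""
    password = "correct horse"            # constructed sample credential
    salt, digest = crypt_store(password, salt=b"\x01" * 8)
    challenge = bytes(range(16))           # constructed; real ones are random
    ident = 7
    response = eap_md5_response(ident, password, challenge)
    return {
        "pap_over_ttls_with_crypt": pap_verify(password, salt, digest),
        "pap_rejects_wrong_password": pap_verify("wrong", salt, digest),
        "eap_md5_with_cleartext": eap_md5_verify(ident, password, challenge, response),
        "eap_md5_rejects_wrong_password": eap_md5_verify(ident, "wrong", challenge, response),
        "eap_md5_with_crypt_hash": eap_md5_verify_with_hash(ident, digest, challenge, response),
        "response_is_the_password": response == password.encode(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-32s %s" % (name, outcome))
```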


expiration date format

2004-07-29 Thread Bartosz Jozwiak
Hello,

What format of the date is accepted in expiration date of the account?
Is it only for example: 5 Jun 2004 ? Or is something else allowed?

bartosz



Re: mysql accounting

2004-07-29 Thread Ken A

Kostas Kalevras wrote:
On Wed, 28 Jul 2004, Ken A wrote:

Edgars wrote:
i am writing my own program to get them in human-readable form:)
Edgars

Yep. I made some changes that make it easier for me to start from
scratch with a language I'm more familiar with (perl) than to modify
dialupadmin to do what I want, especially since I'm not very good with
php, and there are many things in dialupadmin I would want to change.

What do you mean by that?

Sorry, that wasn't meant to suggest that there's anything wrong with 
dialupadmin. It's just overkill here. I don't do php, and my application 
is for support people who don't need much of the functionality of 
dialupadmin. I just need to lookup radacct records by UserName or IP, 
and display the accounting records for that user or ip, and be able to 
sort on any column quickly. ~150 lines of perl did it.
Ken A


I added a couple of columns to the radacct table, so my records include
several Ascend attributes not in the standard table:
(Ascend-Disconnect-Cause, Ascend-XmitRate, Ascend-DataRate).
And, I was getting duplicate STOP records in the radacct table, so I
also put a unique index on (sessionid,username,nasipaddress) and changed
the INSERT STOP record in sql.conf to a REPLACE INTO instead of
INSERT INTO and that seems to have resolved the problem.
Ken A

Ken A wrote:

Those of you that use mysql with freeradius, can anyone recommend some
software for linux to process mysql radacct table logs?
Do you just roll your own scripts to query the logs and make reports?
Seems simple enough, but what are others doing? is always a good
question :-)
Thanks,
Ken A




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
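As an added example (not from this list or the FreeRADIUS project), the unique index plus REPLACE INTO idea from Ken A's message, run against SQLite from Python; the radacct columns are a cut-down version of the FreeRADIUS schema and the accounting records are constructed.

```python
import sqlite3

# Cut-down radacct: just enough columns to show the duplicate-STOP problem.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid      TEXT NOT NULL,
    username           TEXT NOT NULL,
    nasipaddress       TEXT NOT NULL,
    acctstarttime      TEXT,
    acctstoptime       TEXT,
    acctsessiontime    INTEGER,
    acctterminatecause TEXT
);
-- The unique index Ken A describes: one row per session per user per NAS.
CREATE UNIQUE INDEX radacct_session
    ON radacct (acctsessionid, username, nasipaddress);
"""

INSERT_STOP = """INSERT INTO radacct
 (acctsessionid, username, nasipaddress, acctstoptime, acctsessiontime, acctterminatecause)
 VALUES (?, ?, ?, ?, ?, ?)"""

# REPLACE INTO (MySQL and SQLite): delete the clashing row, then insert the new one.
REPLACE_STOP = INSERT_STOP.replace("INSERT INTO", "REPLACE INTO", 1)

# Constructed sample: the NAS retransmits the same STOP record twice.
STOPS = [
    ("2336002", "chris", "10.0.0.5", "2004-07-29 10:00:00", 3600, "User-Request"),
    ("2336002", "chris", "10.0.0.5", "2004-07-29 10:00:00", 3600, "User-Request"),
    ("2336003", "alice", "10.0.0.5", "2004-07-29 10:05:00", 120, "Lost-Carrier"),
]


def load_stops(statement: str):
    """Apply the STOP records with the given statement.
    Returns (rows_in_table, list_of_error_messages)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    errors = []
    for rec in STOPS:
        try:
            db.execute(statement, rec)
        except sqlite3.IntegrityError as exc:
            # The SQLite equivalent of MySQL's "Duplicate entry" error.
            errors.append(str(exc))
    rows = db.execute(
        "SELECT acctsessionid, username, acctsessiontime FROM radacct ORDER BY 1"
    ).fetchall()
    db.close()
    return rows, errors


if __name__ == "__main__":
    print("INSERT :", load_stops(INSERT_STOP))
    print("REPLACE:", load_stops(REPLACE_STOP))
```

REPLACE INTO works by deleting the clashing row and inserting afresh, so the row gets a new radacctid and any column the STOP statement does not supply is dropped.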




Re: new postgresql querie

2004-07-29 Thread Kostas Kalevras
On Tue, 27 Jul 2004, Edgars wrote:

 Hi!

 i want to put in a specific PostgreSQL table the NAS-IP-Address when some
 user is trying to connect to it. How to do it? Should i change
 authorize_reply_query or should i write a new one in postgresql.conf file?
 Thanx in advance!

You could use the post auth query.


 Regards,
 Edgars



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: machine authentication w/ w2k ad

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Willey Kurt D wrote:

 On Wed, 28 Jul 2004, Willey Kurt D wrote:
  I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
  (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
  help!!
 
  I want to use user authentication for non-domain machines (students,
  home laptops, etc - done) and machine authentication for those in
 active
  directory (our computers).
 
  I modified the ldap attribs to check servicePrincipalName
  (host\computername) but of course the machine doesn't send a password
  for mschap...

 What does the machine send anyway? If you can answer that you can
 probably find out a way to authorize these calls.

 Kostas Kalevras  Network Operations Center
 [EMAIL PROTECTED]National Technical University of Athens, Greece
 Work Phone:  +30 210 7721861

 Here is the log of the failed try... The server is trying to use mschap;
 do I need to force it to another authentication? I am guessing yes...
 what do I use without breaking the user-based auth I have set up and
 working?

You can either try and find out what password the machine uses and put them in
the machine entries in ldap (or just add them in the users file) or if you have
a way to distinguish the machine sessions from user sessions (and i am talking
about something more secure than just checking the username provided)
you can just set Auth-Type to Accept for those sessions (in the users file).


 THANKS!!

 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=ambrose,dc=sau,dc=edu, with filter
 ((servicePrincipalName=host/sauvxy5n.ambrose.sau.edu)(objectcategory=cn
 =computer,cn=schema,cn=configuration,dc=ambrose,dc=sau,dc=edu))
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote
 access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 6
 modcall: group authorize returns updated for request 6
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 6
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 6
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu
 with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module mschap returns reject for request 6
 modcall: group Auth-Type returns reject for request 6
   rlm_eap: Freeing handler
   modcall[authenticate]: module eap returns reject for request 6
 modcall: group authenticate returns reject for request 6
 auth: Failed to validate the user.
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: radwtmp 2GB file size limit

2004-07-29 Thread Damjan
 Apache also dies when it hits the 2GB limit for a log file, so maybe it is
 an unwritten FS limit?

No, your Apache is not compiled with large files support (LSB). If you
compile your own Apache ./configure it like this (if I remember correctly):

CFLAGS='-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' ./configure ...

If you use a packaged Apache complain to your source of packages.

-- 
damjan | 
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!



Re: PEAP/mschapv2 authentication options?

2004-07-29 Thread Dave Mussulman
On Wed, Jul 28, 2004 at 06:06:02PM -0400, Alan DeKok wrote:
 Dave Mussulman [EMAIL PROTECTED] wrote:
  Thanks for the pointer.  Knock on wood, I think I have things working.
  This project is really amazing, and it's gotten really easy to setup
  EAP.  That's a big credit to its maintainers.
 
   Thanks.  I'm not sure everyone would agree on ease of use, but...

Well, almost a year ago I can recall struggling getting the certificates
made and PEAP not even being an option, so yay for progress.


   You can set up the authorize section with configurable failover
 (doc/configurable_failover), to say:
 
   try users  
   try mysql
   if not found, do something else...
 
   Once the authorize section has determined which authentication
 type to try for a user, it doesn't matter if the password is in
 users, sql, or an NT domain.

Okay, I've done that.  My authorize section looks like:

authorize {

preprocess
group {
files
#sql
mschap
chap
}
eap
}

but either I'm not doing that right, or there's something more
complicated with EAP calling mschap directly, because it's not working
how I would like.  I would like it to check the local files (or sql)
first, and fail back to mschap/AD if the login is not present.

I've attached a snippet of an sdiff of the debug logs of two FreeRADIUS
configurations.  The left side has the ntlm_auth line commented out, and
it's falling back to the files just fine.  (I guess the rlm_mschap
module adds in the CHAP/MS encoding for plaintexted passwords.)  The
code on the right has the ntlm_auth line in use, and the login fails
(since I wasn't using a valid AD login.)  I don't understand enough
about how EAP tunnels to PEAP to MSCHAP, but somewhere pretty deep in
that line I'd like to interject the logic above.

Any help would be appreciated,
Dave

Processing the authorize section of radiusd.conf    Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6    modcall: entering group authorize for request 6
modcall[authorize]: module preprocess returns ok for requ    modcall[authorize]: module preprocess returns ok for requ
modcall: entering group group for request 6    modcall: entering group group for request 6
users: Matched chris at 56    users: Matched chris at 56
modcall[authorize]: module files returns ok for request 6    modcall[authorize]: module files returns ok for request 6
modcall[authorize]: module mschap returns noop for reques    modcall[authorize]: module mschap returns noop for reques
modcall[authorize]: module chap returns noop for request    modcall[authorize]: module chap returns noop for request
modcall: group group returns ok for request 6    modcall: group group returns ok for request 6
rlm_eap: EAP packet type response id 7 length 64    rlm_eap: EAP packet type response id 7 length 64
rlm_eap: No EAP Start, assuming it's an on-going EAP conver    rlm_eap: No EAP Start, assuming it's an on-going EAP conver
modcall[authorize]: module eap returns updated for reques    modcall[authorize]: module eap returns updated for reques
modcall[authorize]: module preprocess returns ok for requ    modcall[authorize]: module preprocess returns ok for requ
modcall: group authorize returns updated for request 6    modcall: group authorize returns updated for request 6
rad_check_password:  Found Auth-Type EAP    rad_check_password:  Found Auth-Type EAP
auth: type EAP    auth: type EAP
Processing the authenticate section of radiusd.conf    Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6    modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list    rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2    rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2    rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf    Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6    modcall: entering group Auth-Type for request 6
rlm_mschap: Told to do MS-CHAPv2 for chris with NT-Password    rlm_mschap: Told to do MS-CHAPv2 for chris with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys  |  radius_xlat: Running registered xlat function of module mscha
modcall[authenticate]: module mschap returns ok for reque  |  mschap2: bb
modcall: group Auth-Type returns ok for request 6  |  radius_xlat: Running registered xlat function of module mscha
MSCHAP Success

Help writing attr_rewrite function

2004-07-29 Thread David
Hi,

I have several radius servers that will be receiving only accounting
data from a remote radius server.  The remote radius server will
not be sending realm information.  I am trying to use attr_rewrite
to add a realm to the username when the accounting data comes from
that specific server.

I have been looking for documentation regarding attr_rewrite and have
not been able to find much.

Can someone point me towards some documentation or provide a sample?

Is it possible to specify a conditional so that the realm is added
only when the accounting data comes from that IP? Or is that even necessary?

Based on the example in radiusd.conf, this is what I came up with.
Is this even close?


attr_rewrite addrealm {
attribute = User-Name
searchin = packet  # may be packet, reply, or config
searchfor = $
replacewith = @xyz.com
#ignore_case = no
new_attribute = no
max_matches = 10
append = yes
}


Thanks,




Opinions on WLAN roaming

2004-07-29 Thread Thor Spruyt
Hi all,

Anybody going crazy with WLAN roaming implementations? I am!

The Wispr standard has not been adopted at all... not surprisingly since
it's too limited.

Does anybody know if there's a better WLAN roaming standard under
development?

Regards,
Thor.




Re: Opinions on WLAN roaming

2004-07-29 Thread Adam Shelley
Thor Spruyt wrote:
Hi all,
Anybody going crazy with WLAN roaming implementations? I am!
do you mean crossing accesspoints without having to reauthenticate?
cisco has a fastreconnect which isn't very well supported.  we ended up 
setting up access points as repeaters which doesn't give very good range 
but it works.

-Adam


Re: Opinions on WLAN roaming

2004-07-29 Thread Thor Spruyt
I actually mean roaming between WISPs, like GSM roaming.
I don't understand why they have called AP handover also roaming, it always
confuses people :)

- Original Message - 
From: Adam Shelley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 10:21 PM
Subject: Re: Opinions on WLAN roaming


 Thor Spruyt wrote:

  Hi all,
 
  Anybody going crazy with WLAN roaming implementations? I am!
 

 do you mean crossing accesspoints without having to reauthenticate?

 cisco has a fastreconnect which isn't very well supported.  we ended up
 setting up access points as repeaters which doesn't give very good range
 but it works.

 -Adam






Re: Securing a wireless network with users database in LDAP (Win and Mac OS-X clients)

2004-07-29 Thread Artur Hecker
hi

But will PAP be supported by supplicants running on Windows and Mac OS-X ?

If you are going to use EAP-TTLS you must use the SecureW2 client, since Windows
does not support EAP-TTLS. SecureW2 supports PAP, so you should be fine. I have no
idea about MacOS X though; since it's a unix flavor, maybe Xsupplicant can work on
it (Xsupplicant supports EAP-TTLS).
apparently, xsupplicant works, but with some modifications. however, 
since Mac OS X (10.3++) there is an integrated client which is more 
convenient and does support TTLS.

http://images.apple.com/macosx/pdf/Security_in_Mac_OS_X.pdf, page 8
ciao
artur


Attribute 26 - VSA's

2004-07-29 Thread Steve Hutchison
I am looking for help on understanding Attribute 26 and how to compile and utilize
this attribute.




Re: Opinions on WLAN roaming

2004-07-29 Thread Artur Hecker
hi
actually, the WISPr BP by the Wi-Fi Alliance is not a standard, it's 
explicitly marked as non-normative of any kind and called best practice 
for WISP roaming.

since Wi-Fi alliance still considers 802.1X as not wide-spread enough, 
they did not include it in their current recommendations but they also 
state that they will do it once (which is not surprising given 802.1X is 
included in WPA and 802.11i).

since i think that WLAN without L2 access control is quite mindless in 
the general case, you should look at the 802.1X for roaming. now, 802.1X 
typically uses (but does not require) radius. additionally, since you 
are asking this at the freeradius list, i would say that WISP roaming 
basically equals radius roaming. now, the development is quite 
straightforward: make it be radius proxying and define additional 
attributes (if needed) for SLA purposes etc. diverse optimizations are 
possible e.g. to avoid O(n^2) number of security associations, to avoid 
any common databases, to minimize the interdomain traffic and sim. to 
keep the high reactivity of the system (propagation of the changes 
applied to a user profile) in this scope, etc etc etc. i think some work 
has been already done on it and a lot is known from the basic radius 
management in a production environment.

ciao
artur
Thor Spruyt wrote:
I actually mean roaming between WISPs, like GSM roaming.
I don't understand why they have called AP handover also roaming, it always
confuses people :)



Re: PEAP/mschapv2 authentication options?

2004-07-29 Thread Alan DeKok
Dave Mussulman [EMAIL PROTECTED] wrote:
 Okay, I've done that.  My authorize section looks like:
 
 authorize {
 
   preprocess
   group {
   files
   #sql
   mschap
   chap
   }
   eap

  The group is pretty much meaningless, because you're not doing
anything with it.

 but either I'm not doing that right, or there's something more
 complicated with EAP calling mschap directly, because it's not working
 how I would like.  I would like it to check the local files (or sql)
 first, and fail back to mschap/AD if the login is not present.

  Outside, or inside of the TLS tunnel?

  Alan DeKok.



Re: Attribute 26 - VSA's

2004-07-29 Thread Alan DeKok
Steve Hutchison [EMAIL PROTECTED] wrote:
 I am looking for help on understanding Attribute 26 and how to compile
 and utilize this attribute.

  http://www.freeradius.org/rfc/attributes.html

  See Vendor-Specific.

  Alan DeKok.
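Added example (not from this list or the FreeRADIUS project) of how a Vendor-Specific attribute 26 value is laid out and decoded per RFC 2865; vendor id 9 with sub-attribute 1 is the Cisco-AVPair entry from dictionary.cisco, and the packet bytes are constructed.

```python
import struct

VENDOR_SPECIFIC = 26

# RFC 2865 section 5.26: Type=26, Length, Vendor-Id (4 octets, high octet
# zero), then one or more vendor sub-attributes laid out as
# Vendor-type, Vendor-length, value.  Vendor-length counts its own two
# header octets, exactly like a top-level RADIUS attribute.

def encode_vsa(vendor_id: int, sub_attrs) -> bytes:
    """Build one attribute-26 TLV from (vendor_type, value_bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in sub_attrs)
    payload = struct.pack("!I", vendor_id) + body
    if len(payload) + 2 > 255:
        raise ValueError("VSA too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(payload) + 2) + payload


def decode_vsa(attr: bytes):
    """Return (vendor_id, [(vendor_type, value), ...]) or raise ValueError."""
    if len(attr) < 7 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr) or length < 7:
        raise ValueError("bad attribute length")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    subs, pos = [], 6
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("bad vendor-length")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def decode_attributes(blob: bytes):
    """Walk a RADIUS attribute list: ('vsa', vendor_id, subs) for type 26,
    ('attr', type, value) for everything else."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2 or blob[pos + 1] < 2:
            raise ValueError("malformed attribute list")
        atype, alen = blob[pos], blob[pos + 1]
        chunk = blob[pos:pos + alen]
        if len(chunk) != alen:
            raise ValueError("truncated attribute")
        if atype == VENDOR_SPECIFIC:
            vid, subs = decode_vsa(chunk)
            out.append(("vsa", vid, subs))
        else:
            out.append(("attr", atype, chunk[2:]))
        pos += alen
    return out


CISCO = 9            # IANA enterprise number used by dictionary.cisco
CISCO_AVPAIR = 1     # Cisco-AVPair vendor sub-attribute

# Constructed sample: User-Name (type 1) followed by a single attribute 26
# carrying two Cisco-AVPair strings packed into one VSA.
SAMPLE = (struct.pack("!BB", 1, 7) + b"chris"
          + encode_vsa(CISCO, [(CISCO_AVPAIR, b"shell:priv-lvl=15"),
                               (CISCO_AVPAIR, b"ip:addr-pool=dialup")]))
```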



Rewriting User-Name attribute without rewrite_attr

2004-07-29 Thread Stephen Chan
   I did some more poking around and finally found some threads on 
using rewrite_attr to rewrite usernames to include a realm.

   Unfortunately, this is not scalable enough for our needs. We will 
have several thousand users, and I hate to imagine what the radiusd.conf 
file will look like if most of the usernames need to be rewritten to a new 
[EMAIL PROTECTED]

   Ideally I'd like to do a Berkeley DB lookup on the User-Name and 
replace it with a new name. I figured out how to get the rlm_perl module 
to work. As a trivial test, I try forcing the User-Name attribute to 
another value with:

$RAD_REPLY{'User-Name'} = 'otheruser';
   Testing it, I try to connect using username thisuser. The 
debugging output from radiusd -x says:
rlm_perl: Added pair User-Name = otheruser

   But when it does the password comparison, it seems to be using the 
password for thisuser, and not the otheruser I forced it to.

   Does setting $RAD_REPLY{'User-Name'} not work? Or is something else 
at work here?

   Steve



where i can get radius config information?

2004-07-29 Thread Yyc
hello,
where i can get some information about how to config freeradius with special 
device?
for example, i will config 2 radius server, one for authentication, the other 
for accounting 

Regard
Yyc







Re: PEAP/mschapv2 authentication options?

2004-07-29 Thread Dave Mussulman
On Thu, Jul 29, 2004 at 07:16:49PM -0400, Alan DeKok wrote:
 Dave Mussulman [EMAIL PROTECTED] wrote:
  Okay, I've done that.  My authorize section looks like:
  
  authorize {
  
  preprocess
  group {
  files
  #sql
  mschap
  chap
  }
  eap
 
   The group is pretty much meaningless, because you're not doing
 anything with it.

Okay, I'll read up on that.


  but either I'm not doing that right, or there's something more
  complicated with EAP calling mschap directly, because it's not working
  how I would like.  I would like it to check the local files (or sql)
  first, and fail back to mschap/AD if the login is not present.
 
   Outside, or inside of the TLS tunnel?

Inside, where the PEAP/MS-CHAPv2 supplied login is being verified.

Dave



Re: where i can get radius config information?

2004-07-29 Thread Thor Spruyt
- Original Message - 
From: Yyc [EMAIL PROTECTED]
To: Post [EMAIL PROTECTED]
Sent: Friday, July 30, 2004 5:14 AM
Subject: where i can get radius config information?


 hello,
 where i can get some information about how to config freeradius with
special device?
 for example, i will config 2 radius server, one for authentication, the
other for accounting

Information can be found on www.freeradius.org and www.google.com
As to your setup: let the 'special device' send authentication packets to a
certain radius and accounting packets to another radius, that's it.
But before you start you might consider identifying your needs and
requirements a bit more in detail, since that's what will drive your
architecture.

Thor.

