Re: Windows Client Authentication before Domain logon
The mail system of Galtex S.A. informs you that your message has been delivered. This message was generated automatically by the mail system of user belskia. Please do not reply to this message.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: not to return the default attributes in reject?
kevin wrote:
> Still not sure how to handle this with rlm_exec. Can anybody give me more details? Maybe another solution: in the users file, START with:
>
>     DEFAULT Auth-Type := Reject
>             Fall-Through = Yes
>
> kevin
>
> Thor Spruyt wrote:
>> kevin wrote:
>>> How can I return a Reject packet without the default attributes? It seems that the default attributes in the users file are returned regardless of Accept or Reject. I don't want to give a hint to a hacker who can try a lot of rejects. Is there a way? Somebody suggested Exec-Program-Wait = reject.sh before, but it didn't work for me.
>>
>> rlm_exec
>>
>> --
>> Groeten, Regards, Salutations,
>> Thor Spruyt
>> M: +32 (0)475 67 22 65
>> E: [EMAIL PROTECTED]
>> W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: Windows Client Authentication before Domain logon
Thanks for the answer Alan, but what do you mean by "it should be made more prominent in eap.conf"? Could you give me detailed instructions on how I can get this OID into my certificates?

Armin

FreeRadius users mailing list freeradius-users@lists.freeradius.org wrote on 25.08.05 17:35:11:
> Ben Walding [EMAIL PROTECTED] wrote:
>> And then I stumbled on this: http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html
>> 1.3.6.1.4.1.311.17.2
>> After I started adding that OID to my machine certs, everything started working wonderfully.
>
> That OID is added by the cert creation script in the "scripts" directory, but it should be made more prominent in eap.conf, too.
>
> Alan DeKok.
Re: salt-encrypted VSAs?
Alan DeKok [EMAIL PROTECTED] writes: =?iso-8859-1?Q?Bj=F8rn_Mork?= [EMAIL PROTECTED] wrote: My problem seems to be that FreeRADIUS will only encrypt string or octet values, while Juniper has defined salt encrypted integer and ipaddr VSAs too. Try setting encrypt=2 for attribute 59. That should work there. Yup. Thanks. I should have seen that 2 was the correct method. For the non-string attributes, it may be possible to patch src/lib/radius.c to decrypt them, too. I wouldn't be surprised if the patch was only a few lines. But either you need C experience to write the patch, or you need to supply the packet data to someone who can write the patch. This seems to do the job: --- freeradius-1.0.4/src/lib/radius.c Sun Dec 19 21:11:54 2004 +++ freeradius-1.0.4-bmork/src/lib/radius.c Fri Aug 26 11:15:03 2005 @@ -488,8 +488,6 @@ case PW_TYPE_INTEGER: case PW_TYPE_IPADDR: - *length_ptr += 4; - if (vsa_length_ptr) *vsa_length_ptr += 4; if (reply-type == PW_TYPE_INTEGER ) { /* If tagged, the tag becomes the MSB of the value */ @@ -510,9 +508,23 @@ */ lvalue = reply-lvalue; } - memcpy(ptr, lvalue, 4); - ptr += 4; - total_length += 4; + + len = 4; + if (reply-flags.encrypt == FLAG_ENCRYPT_TUNNEL_PASSWORD) { + if (!original) { + librad_log(ERROR: No request packet, cannot encrypt Tunnel-Password attribute in the reply.); + return -1; + } + memcpy(reply-strvalue, lvalue, len); /* NOTE: destroys the original text attribute */ + rad_tunnel_pwencode(reply-strvalue, len, secret, original-vector); + memcpy(ptr, reply-strvalue, len); + } else { + memcpy(ptr, lvalue, len); + } + *length_ptr += len; + if (vsa_length_ptr) *vsa_length_ptr += len; + ptr += len; + total_length += len; break; /* Any chance of getting something like this into the 1.0 branch, or should I prepare a nicer patch for CVS HEAD instead? There is also this dictionary update to go with it, but it's pretty useless without the patch: Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
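Review bot: in the first hunk (@@ -488,8 +488,6 @@), dropping `*length_ptr += 4;` and `if (vsa_length_ptr) *vsa_length_ptr += 4;` leaves the PW_TYPE_INTEGER / PW_TYPE_IPADDR case with no length accounting at all unless the second hunk, which re-adds `*length_ptr += len;` after the value has been written, is applied with it; the two hunks are not independently applicable, so they belong in one commit, and the commit message should say that the accounting was moved after the value is emitted because the emitted size is no longer a constant 4.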
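Review bot: in the second hunk (@@ -510,9 +508,23 @@), the encrypted branch copies `len` octets to `ptr` without checking that the packet buffer has room for them. `rad_tunnel_pwencode` rewrites the value in place and updates `len` to the encoded size, which for a 4-octet integer is larger than 4 (2-octet salt, a length octet, and zero padding to the 16-octet block), so the bounds reasoning that held for the fixed 4-octet write no longer applies; suggest checking the grown `len` against the remaining space before `memcpy(ptr, reply-strvalue, len)` and returning -1 if it does not fit. Two smaller points: the log text "cannot encrypt Tunnel-Password attribute" is misleading for an integer or ipaddr VSA (name the attribute actually being encoded), and the copy into `reply-strvalue` clobbers the reply's string storage as the comment admits, so encoding from a local 4-octet buffer would avoid the side effect on `reply`. Also, as the list copy reads, `memcpy(ptr, lvalue, len)` and `memcpy(reply-strvalue, lvalue, len)` pass the integer itself rather than its address and `reply-lvalue` is missing the member operator; if the `&` and `->` were lost in transit the patch should be resent as an attachment, because the copy shown here will not compile.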
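The salt-encrypted encoding the patch applies to a 4-octet integer VSA (FreeRADIUS encrypt=2, the RFC 2868 Tunnel-Password method), as an added illustration that is not part of Bjørn's patch or of the FreeRADIUS source; the secret, request authenticator, salt and attribute value are constructed sample inputs. It shows why the emitted value is 18 octets rather than 4, and round-trips the integer through decode.

```python
import hashlib
import struct

BLOCK = 16  # MD5 digest size; the ciphertext is built in 16-octet blocks


def tunnel_encode(plaintext: bytes, secret: bytes, authenticator: bytes, salt: bytes) -> bytes:
    """Encrypt as in RFC 2868 section 3.5 (what FreeRADIUS calls encrypt=2).

    Output is salt || C1 || ... || Cn, where P = len(plaintext) || plaintext,
    zero-padded to a multiple of 16, b1 = MD5(S + R + A) and bi = MD5(S + C(i-1)).
    """
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit of the first set")
    if len(plaintext) > 255:
        raise ValueError("plaintext longer than the one-octet length field allows")
    p = bytes([len(plaintext)]) + plaintext
    p += b"\x00" * (-len(p) % BLOCK)
    out = bytearray(salt)
    b = hashlib.md5(secret + authenticator + salt).digest()
    for i in range(0, len(p), BLOCK):
        c = bytes(x ^ y for x, y in zip(p[i:i + BLOCK], b))
        out += c
        b = hashlib.md5(secret + c).digest()
    return bytes(out)


def tunnel_decode(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of tunnel_encode; raises ValueError on malformed input."""
    if len(ciphertext) < 2 + BLOCK or (len(ciphertext) - 2) % BLOCK:
        raise ValueError("ciphertext must be a 2-octet salt plus whole 16-octet blocks")
    salt, body = ciphertext[:2], ciphertext[2:]
    b = hashlib.md5(secret + authenticator + salt).digest()
    p = bytearray()
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        p += bytes(x ^ y for x, y in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    n = p[0]
    if n > len(p) - 1:
        raise ValueError("length octet exceeds decrypted data (wrong secret or authenticator?)")
    return bytes(p[1:1 + n])


def encode_integer_vsa(value: int, secret: bytes, authenticator: bytes, salt: bytes) -> bytes:
    """Same order of operations as the patch: network-order integer, then encrypt."""
    return tunnel_encode(struct.pack("!I", value), secret, authenticator, salt)


def decode_integer_vsa(blob: bytes, secret: bytes, authenticator: bytes) -> int:
    raw = tunnel_decode(blob, secret, authenticator)
    if len(raw) != 4:
        raise ValueError("decrypted value is not a 4-octet integer")
    return struct.unpack("!I", raw)[0]


# Constructed sample inputs, not taken from any real exchange.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
SALT = b"\x80\x01"


def demo() -> dict:
    value = 0xC0A80101  # 192.168.1.1 as a 32-bit integer, so it doubles as an ipaddr case
    blob = encode_integer_vsa(value, SECRET, AUTHENTICATOR, SALT)
    return {
        "encoded_len": len(blob),  # 18 octets on the wire, not 4
        "roundtrip": decode_integer_vsa(blob, SECRET, AUTHENTICATOR),
    }
```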
A cluster of freeradius servers
Hi,

I want to deploy the following configuration: I have a proxy RADIUS server (freeradius) which redirects its requests to another freeradius server. I have another freeradius server with the same configuration as this last one. What I want is to configure the proxy RADIUS server to proxy requests to one of these servers. If this fails, then it should ask the other one. Is this possible with freeradius? How do I do it?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
Re: A cluster of freeradius servers
Angel L. Mateo wrote:
> I want to deploy the following configuration: I have a proxy RADIUS server (freeradius) which redirects its requests to another freeradius server. I have another freeradius server with the same configuration as this last one. What I want is to configure the proxy RADIUS server to proxy requests to one of these servers. If this fails, then it should ask the other one. Is this possible with freeradius? How do I do it?

Look at the examples in raddb/proxy.conf.

--
Nicolas Baradakis
Re: freeradius server not responding to radtest
Hello,

do you have localhost with that shared secret in your clients.conf file? Is there a firewall blocking the requests? (nmap -sU -p 1812 localhost)

Regards,
Benedikt

> bratislava:/usr/local/etc/raddb# radtest test test localhost 0 test
Re: freeradius server not responding to radtest
It is in clients.conf with the secret 'test'. Scanning it with -P0 shows that port 1812 is open|filtered, but scanning without -P0 shows the host is down.

Cheers,
Ben

Benedikt Panzer wrote:
> Hello,
>
> do you have localhost with that shared secret in your clients.conf file? Is there a firewall blocking the requests? (nmap -sU -p 1812 localhost)
>
> Regards,
> Benedikt
>
>> bratislava:/usr/local/etc/raddb# radtest test test localhost 0 test
PEAP issues
Hi All,

Thanks for the previous help that everyone offered; I got freeradius up and running. I can authenticate using a test account I created in the users file, using the RADIUS server itself and also using my VPN box. I set this server up originally to authenticate Wi-Fi users using 802.1x and PEAP. This is where it fails, and the result is consistent with two different wireless manufacturers. The debug section is below. I'd like to thank anyone in advance for any suggestions or help that you may offer.

Take Care,
[EMAIL PROTECTED]

Nothing to do. Sleeping until we see a request.
*debug section of freeradius***start**
rad_recv: Access-Request packet from host 172.31.31.31:1517, id=11, length=122
        NAS-IP-Address = 172.31.31.31
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 45
        Framed-MTU = 1400
        User-Name = guest
        Calling-Station-Id = 0011f5161423
        Called-Station-Id = 0001f444a3b4
        NAS-Identifier = HALLWAY4D04
        EAP-Message = 0x0201000a016775657374
        Message-Authenticator = 0x972393b17e8182216a4fd0dd08622f42
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP packet type notification id 1 length 10
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated
  rlm_realm: No '@' in User-Name = guest, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
  users: Matched guest at 85
  users: Matched DEFAULT at 165
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [guest/no User-Password attribute] (from client 4-3w3.hccs.edu port 45 cli 0011f5161423)
Delaying request 12 for 1 seconds
Finished request 12
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 11 to 172.31.31.31:1517
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 12 ID 11 with timestamp 430f42cc
Nothing to do. Sleeping until we see a request.
*debug section of freeradius***end**
RE: PEAP issues
Remove the Auth-Type Local from the guest account. Let freeradius figure out to do EAP on its own.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of allan.borman
Sent: Friday, August 26, 2005 12:32 PM
To: FreeRadius users mailing list
Subject: PEAP issues
Excluding non-NAS from simultaneous-use checks
I'm looking for a way to exclude some sources of RADIUS authentication requests from being subjected to the simultaneous-use checks. Basically we use RADIUS for more than just dialin, and simultaneous-use is not applicable to these services.

I found the following thread on the Cistron mailing list which would solve my problem if I were still running Cistron:
http://lists.cistron.nl/pipermail/cistron-radius/2002-June/003861.html

Setting the RAS type to none appears to have no effect for FreeRADIUS. Is there another way to accomplish this with FreeRADIUS?
16 bit attr decoding..
I am currently working with the CVS (1.1.0) HEAD version of FreeRADIUS. It is using the SQL module with the Lucent 16-bit attributes turned on. To make sure we have the most attributes available, I have merged the Ascend dictionary (more specifically, just the VALUEs), because the CVS dictionary.lucent had none, just attributes.

I have been using Lucent-Modem-Modulation (code 305) and Lucent-Modulation (code 20106) in the SQL statements to discern which one would be coming from our NAS (MAX TNT running TAOS v11), and it looks as though Lucent-Modem-Modulation is currently being sent.

Now, while I was testing this last week I was receiving:

    Lucent-Modem = v90/v34/v92/etc

instead of this week:

    Lucent-Modem-Modulation = 1/2/18/etc

Is there a possible reason it used code 20106 last week and now code 305? Also, is there a reason I'm being given numerical values back instead of what they represent?

Here is the current state of the relevant portion of our dictionary.lucent:

ATTRIBUTE   Lucent-Modem-Modulation   305     integer
...
...
ATTRIBUTE   Lucent-Modulation         20106   integer
..
..
VALUE   Lucent-Modulation         v90       1
VALUE   Lucent-Modulation         v34       2
VALUE   Lucent-Modulation         v17       3
VALUE   Lucent-Modulation         v23       4
VALUE   Lucent-Modulation         v21       5
VALUE   Lucent-Modulation         k56flex   6
VALUE   Lucent-Modulation         v22bis    7
VALUE   Lucent-Modulation         v32       8
VALUE   Lucent-Modulation         bell212   9
VALUE   Lucent-Modulation         bell103   10
VALUE   Lucent-Modulation         v22       11
VALUE   Lucent-Modulation         vFC       12
VALUE   Lucent-Modulation         v33       13
VALUE   Lucent-Modulation         bell208   14
VALUE   Lucent-Modulation         v29       15
VALUE   Lucent-Modulation         v27       16
VALUE   Lucent-Modulation         none      17
VALUE   Lucent-Modulation         v92       18
VALUE   Lucent-Modem-Modulation   v90       1
VALUE   Lucent-Modem-Modulation   v34       2
VALUE   Lucent-Modem-Modulation   v17       3
VALUE   Lucent-Modem-Modulation   v23       4
VALUE   Lucent-Modem-Modulation   v21       5
VALUE   Lucent-Modem-Modulation   k56flex   6
VALUE   Lucent-Modem-Modulation   v22bis    7
VALUE   Lucent-Modem-Modulation   v32       8
VALUE   Lucent-Modem-Modulation   bell212   9
VALUE   Lucent-Modem-Modulation   bell103   10
VALUE   Lucent-Modem-Modulation   v22       11
VALUE   Lucent-Modem-Modulation   vFC       12
VALUE   Lucent-Modem-Modulation   v33       13
VALUE   Lucent-Modem-Modulation   bell208   14
VALUE   Lucent-Modem-Modulation   v29       15
VALUE   Lucent-Modem-Modulation   v27       16
VALUE   Lucent-Modem-Modulation   none      17
VALUE   Lucent-Modem-Modulation   v92       18

Thanks,
Wes
Re: MySQL radacct not updated
Hi Thor,

I'm just posting this to thank you for your help and let you know that it was appreciated, and also to help anyone else with a similar problem to see the solution.

In order to enable the accounting packets between Chilli and RADIUS I removed all of the pin holes in my ADSL modem and instead set up a NAT default server pointing to my Radius/WEB/Jabber/POP/SMTP/SMPP/Apache server. This allows all of the traffic arriving at the ADSL modem to pass through to the server and solved the problem. I'm not sure about the security of this fix so I'm setting up a firewall on the server. This will give me better control over the traffic than the ADSL modem did.

Anyway, once again thanks a million Thor, you pointed me in the right direction and saved me another week with no sleep.

Regards,
Sean Bracken
http://freetextworld.com
http://topup.ie
http://swarmhotspots.com
Re: MySQL radacct not updated
sean wrote:
> In order to enable the accounting packets between Chilli and RADIUS I removed all of the pin holes in my ADSL modem and instead set up a NAT default server pointing to my Radius/WEB/Jabber/POP/SMTP/SMPP/Apache server. This allows all of the traffic arriving at the ADSL modem to pass through to the server and solved the problem. I'm not sure about the security of this fix so I'm setting up a firewall on the server. This will give me better control over the traffic than the ADSL modem did.

Remember for your next projects :) Always check that what you expect also happens (in this case traffic arriving at your server).

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
Re: PEAP issues
allan.borman [EMAIL PROTECTED] wrote:
> This is where it fails, and the result is consistent with two different wireless manufacturers. The debug section is below. I'd like to thank anyone in advance for any suggestions or help that you may offer.
> ...
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: No User-Password or CHAP-Password attribute in the request
> auth: Failed to validate the user.

Don't set Auth-Type := Local.

Alan DeKok.
Re: Excluding non-NAS from simultaneous-use checks
Dan Siemon [EMAIL PROTECTED] wrote:
> I'm looking for a way to exclude some sources of RADIUS authentication requests from being subjected to the simultaneous-use checks.

Don't set Simultaneous-Use.

> Setting the RAS type to none appears to have no effect for FreeRADIUS. Is there another way to accomplish this with FreeRADIUS?

Set it to other. See clients.conf

Alan DeKok.
Re: 16 bit attr decoding..
Wesley Spadola [EMAIL PROTECTED] wrote:
> Now, while I was testing this last week I was receiving:
>     Lucent-Modem = v90/v34/v92/etc
> instead of this week:
>     Lucent-Modem-Modulation = 1/2/18/etc

The NAS sends those attributes, and FreeRADIUS logs them.

> Is there a possible reason it used code 20106 last week and now code 305? Also, is there a reason I'm being given numerical values back instead of what they represent? Here is the current state of the relevant portion of our dictionary.lucent:

What changed in your system the last week?

Alan DeKok.
Re: usage of exec to get LDAP value..
haizam [EMAIL PROTECTED] wrote:
> I've tried to map new attributes in ldap.attrmap but for every match in users file.. it will return both new attributes but the sessiontimeout still returns no value..

Yes. Did you read the rest of my response?

Alan DeKok.
Re: freeradius server not responding to radtest
Ben,

Not sure if this is much help or not, but what does your clients.conf file say? If you don't have your localhost address 127.0.0.1 in clients.conf then the server will not respond. I think it is usually an access reject message but you never know. I also noticed that you have no defined IP address for that box either. Have you tried defining an IP address on the server and then sending your radtest to that IP? If so, what was the output?

James

On Fri, 2005-08-26 at 15:54 +0100, Ben Dowling wrote:
> Hi,
>
> I have managed to get freeradius installed and running but I cannot get radtest to authenticate with the server, or even to connect to it! When I run radtest I receive the following output:
>
> bratislava:/usr/local/etc/raddb# radtest test test localhost 0 test
> Sending Access-Request of id 60 to 127.0.0.1:1812
>         User-Name = test
>         User-Password = test
>         NAS-IP-Address = bratislava.wapsol.de
>         NAS-Port = 0
> Re-sending Access-Request of id 60 to 127.0.0.1:1812
>         User-Name = test
>         User-Password = y\034\026\033\255\2447\014\254[;\270\257Um
>         NAS-IP-Address = bratislava.wapsol.de
>         NAS-Port = 0
>
> And it continues to re-send, eventually producing the message "radclient: no response from server for ID 60". Does anyone know why the radius server does not respond? The output from radiusd is shown below.
>
> Thanks in advance,
> Ben
>
> bratislava:/usr/local/etc/raddb# radiusd -X -A
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = /usr
> main: localstatedir = /var
> main: logdir = /var/log/freeradius
> main: libdir = /usr/local/lib/
> main: radacctdir = /var/log/freeradius/radacct
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = /var/log/freeradius/radius.log
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = /var/run/freeradius/freeradius.pid
> main: user = freerad
> main: group = freerad
> main: usercollide = no
> main: lower_user = no
> main: lower_pass = no
> main: nospace_user = no
> main: nospace_pass = no
> main: checkrad = /usr/sbin/checkrad
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = (null)
> exec: input_pairs = request
> exec: output_pairs = (null)
> exec: packet_type = (null)
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded System
> unix: cache = no
> unix: passwd = (null)
> unix: shadow = /etc/shadow
> unix: group = (null)
> unix: radwtmp = /var/log/freeradius/radwtmp
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = tls
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = yes
> eap: cisco_accounting_username_bug = no
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = (null)
> tls: pem_file_type = yes
> tls: private_key_file = /usr/local/etc/raddb/certs/server-cert.pem
> tls: certificate_file = /usr/local/etc/raddb/certs/server-cert.pem
> tls: CA_file = /usr/local/etc/raddb/certs/root.pem
> tls: private_key_password = (null)
> tls: dh_file = /usr/local/etc/raddb/certs/dh
> tls: random_file = /usr/local/etc/raddb/certs/random
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = (null)
> rlm_eap: Loaded and initialized type tls
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
> preprocess: hints = /usr/local/etc/raddb/hints
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded detail
> detail: detailfile =