RE: Freeradius-Users Digest, Vol 5, Issue 91 [faked-from][heur] [sls]
-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 05-09-28 19:06:04
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 5, Issue 91 [faked-from][heur] [sls]

Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]

You can reach the person managing the list at [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

1. Re: AccountingReq message authenticator (Michael Lecuyer)
2. Re: Questions about upgrading Freeradius (Linda Pagillo)
3. Re: Expose RADIUS packet's identifier (Alan DeKok)
4. Re: Questions about upgrading Freeradius (Alan DeKok)
5. Re: Chap,LDAP and Passwords :) (Alan DeKok)
6. Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend? (Alan DeKok)
7. Re: EAP-TLS reject if CN not in MySQL (Alan DeKok)
8. Re: Questions about upgrading Freeradius (Dusty Doris)
9. Re: Questions about upgrading Freeradius (Linda Pagillo)

----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Sep 2005 10:48:42 -0400
From: Michael Lecuyer [EMAIL PROTECTED]
Subject: Re: AccountingReq message authenticator
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=windows-1252; format=flowed

There is no way to generate a message authenticator in an Accounting-Request packet the usual way it's generated for an Access-Request. The accounting packet is signed by the client, therefore there cannot be two signatures created for the entire packet. By the very nature of creating a signature, the second signature will alter the packet's contents, invalidating the first signature.
The Message-Authenticator can be only one of two things. Either it's calculated as a hash of the attributes, or it's a random number (like the Access-Request authenticator). From your information I suspect it's the former. You might try using the traditional MA calculation for the MA on just the attributes, with an empty (zeroed) MA present, and back-patch the MA. If this works, please let me know. Or, if someone has accounting packets generated with proper MAs, please send them to me and I'll try some standard hashes.

The MA is traditionally created as an MD5-HMAC of the shared secret and the entire packet's contents with an empty (16 byte) Message-Authenticator. For an accounting packet MA, use just the attribute block instead of the entire packet: try just the attributes with the empty MA.

Ashwin Gobind wrote:

Hi. Is there any way to generate a message authenticator for an accounting request packet? At the moment I am using JRadius. I need to send an accounting request message to another RADIUS server. However, after I add the message authenticator and send it to the other server, the other server complains about "Invalid message authenticator" (Shared secret is incorrect). Here is some code:

    import java.net.DatagramSocket;
    import java.security.MessageDigest;

    // Proxy request to the wap gateway
    DatagramSocket socket = new DatagramSocket();
    socket.setSoTimeout(5000);

    // Generate authenticator
    MessageDigest md5 = MessageDigest.getInstance("MD5");
    md5.reset();
    md5.update((byte) req.getCode());
    md5.update((byte) req.getIdentifier());
    int length = req.getBytes().length;
    byte[] authenticator = req.getAuthenticator();
    byte[] attributeBytes = req.getAttributeBytes(req.getAttributes(), 0);
    for (int z = 0; z < authenticator.length; z++)
        RadiusLog.debug("Autenticator[" + z + "] Before = " + authenticator[z]);
    RadiusLog.debug("Autenticator Length: " + authenticator.length);
    RadiusLog.debug("Attributes Length: " + attributeBytes.length);
    RadiusLog.debug(Paket Length:
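To make the two-signature interplay discussed above concrete, here is an added Python example (written for this page; not from the thread and not JRadius code). It builds an Accounting-Request that carries a Message-Authenticator and then checks both fields the way a receiving server would. The Request Authenticator follows RFC 2866 (MD5 over code, identifier, length, sixteen zero octets, the attributes and the shared secret); the Message-Authenticator follows RFC 3579 (HMAC-MD5 keyed with the shared secret over the packet with the attribute's own value zeroed). The ordering it uses, Message-Authenticator computed first with the Authenticator field zeroed and the Request Authenticator computed last over the finished packet, is an assumption stated in the code comments; a receiver that uses a different convention computes a different HMAC and reports exactly this kind of "invalid message authenticator" error. The user name, status value and shared secret are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4      # RFC 2866 packet code
USER_NAME = 1               # RFC 2865 attribute type
ACCT_STATUS_TYPE = 40       # RFC 2866 attribute type
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute type
HEADER_LEN = 20             # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(ident: int, secret: bytes, attrs: bytes) -> bytes:
    """Return a complete Accounting-Request carrying a Message-Authenticator.

    Assumed ordering (not taken from the thread): the Message-Authenticator is computed
    first, over the packet with both the Authenticator field and the attribute's own
    value set to zero; the RFC 2866 Request Authenticator is then computed over the
    packet that already contains the finished Message-Authenticator.
    """
    attrs = attrs + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, patched below
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    ma = hmac.new(secret, header + bytes(16) + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + ma  # the placeholder is the last attribute, so its value is the tail
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + request attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def _find_message_authenticator(packet: bytes):
    """Return the offset of the Message-Authenticator value, or None if absent or malformed."""
    i = HEADER_LEN
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            return None  # malformed attribute: refuse rather than guess
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return i + 2
        i += attr_len
    return None


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check the RFC 2866 Request Authenticator of an Accounting-Request."""
    header, auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check the Message-Authenticator under the same ordering assumption as the builder."""
    off = _find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:4] + bytes(16) + packet[HEADER_LEN:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)


# Constructed sample data; the secret is a placeholder, not a deployment value.
SAMPLE_SECRET = b"testing123"
SAMPLE_ATTRS = (encode_attr(USER_NAME, b"gunther")
                + encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)))  # 1 = Start


def demo() -> dict:
    """Build one packet and report (request-authenticator ok, message-authenticator ok)
    for the genuine packet, a packet with one flipped bit, and the wrong shared secret."""
    pkt = build_accounting_request(7, SAMPLE_SECRET, SAMPLE_ATTRS)
    tampered = bytearray(pkt)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one bit inside the User-Name value
    tampered = bytes(tampered)
    return {
        "genuine": (verify_request_authenticator(pkt, SAMPLE_SECRET),
                    verify_message_authenticator(pkt, SAMPLE_SECRET)),
        "tampered": (verify_request_authenticator(tampered, SAMPLE_SECRET),
                     verify_message_authenticator(tampered, SAMPLE_SECRET)),
        "wrong_secret": (verify_request_authenticator(pkt, b"other"),
                         verify_message_authenticator(pkt, b"other")),
    }


if __name__ == "__main__":
    for case, (auth_ok, ma_ok) in demo().items():
        print(f"{case:13s} request-authenticator={auth_ok} message-authenticator={ma_ok}")
```

Both checks use `hmac.compare_digest` so that a receiver does not leak, through timing, how many leading bytes of a forged value were right. The verifier zeroes the Authenticator field and the attribute value before recomputing, which is why the sender had to use the same zeroing when it signed.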
expr in SQL not working
I am running Fedora FC4 with FR 1.0.4 (yum updated) with MySQL 4.1.12. I am trying to use, in the rad_reply table for Session-Timeout, the following value:

    `%{expr: %{sql:SELECT IF(NOW() = user_stoptime, (TIME_TO_SEC(TIMEDIFF(user_stoptime, IF(NOW() = user_starttime, now(), DATE_SUB(user_stoptime, INTERVAL 1 SECOND), 1) FROM phs_user WHERE user_username='%{User-Name}'}}`

This doesn't work, as the Session-Timeout value is not assigned. The SQL statement alone works fine and returns the correct value. I then tried to get a simple expression up and running in rad_reply:

    Attr             Op   Value
    Session-Timeout  =    `%{expr:3600 - 300}`

No success. In debug mode I can see that the expr module is loaded:

    Module: Loaded expr
    Module: Instantiated expr (expr)

I then compiled and installed 1.0.5 ... with the same result. Then I created a user in the ./raddb/users file and assigned the Session-Timeout with the above SQL statement, and it works fine. What is wrong with getting the Session-Timeout from the rad_reply table? When I assign a fixed value, e.g. 3500, in the SQL row, it works fine. Anything with MySQL collation maybe? I changed it to different languages ... no success. This is the debug output when I use the users file; when using SQL, I do not get this.
Debug: rlm_sql (sql): - sql_xlat
Debug: radius_xlat: 'gunther'
Debug: rlm_sql (sql): sql_set_user escaped user -- 'gunther'
Debug: radius_xlat: 'SELECT IF(NOW() = user_stoptime, TIME_TO_SEC(TIMEDIFF(user_stoptime, IF(NOW() = user_starttime, now(), DATE_SUB(user_stoptime, INTERVAL 1 SECOND, 1) FROM phs_user WHERE user_username='gunther4''
Debug: radius_xlat: '/var/log/radius/sqltrace.sql'
Debug: rlm_sql (sql): Reserving sql socket id: 2
Debug: rlm_sql_mysql: query: SELECT IF(NOW() = user_stoptime, TIME_TO_SEC(TIMEDIFF(user_stoptime, IF(NOW() = user_starttime, now(), DATE_SUB(user_stoptime, INTERVAL 1 SECOND, 1) FROM phs_user WHERE user_username='gunther4'
Debug: rlm_sql (sql): - sql_xlat finished
Debug: rlm_sql (sql): Released sql socket id: 2
Debug: radius_xlat: ' 1'
Debug: radius_xlat: '1'

When I use the sql table, sql_xlat is not in the debug output.

Gunther

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
working rlm_perl example
Hi there, does anyone have a working example of rlm_perl authenticating a user? I have tried the example.pl and it still gives me an Access-Reject message.

TIA
Re: working rlm_perl example
[EMAIL PROTECTED] wrote:

I have tried the example.pl and it still gives me an Access-Reject message.

Please provide your rlm_perl configuration and the debug output of radiusd -X.

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com www.salesguide.be www.telenethotspot.be
FreeRADIUS - FreeBSD - Segmentation fault
Hi Alan and others, are there any new findings in the context of the problem with FreeRADIUS (rlm_sql_mysql?) 1.0.4 under FreeBSD? I have just tested it with FreeBSD 5.4-Release and FreeRADIUS out of the ports, and the problem still exists:

---
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Segmentation fault (core dumped)
---

Thomas Krause (Webmatic) [EMAIL PROTECTED] wrote:

I tried both, version 1.0.4 (from ports) and 1.0.5 - and both crashed. Also I tried with mysql 4.0.26, with the same result.

It looks like the bug exists *only* on FreeBSD. For the life of me, I can't figure out why.

Alan DeKok.

Christian Meutes
systems engineer
--
claranet gmbh
internet service provider
tel +49 (0) 69 - 40 80 18 - 300
email: [EMAIL PROTECTED]
http://www.claranet.de/
RE: installing problem on Debian
In the compile you have to manually specify which library to use. Run configure with this:

    --with-rlm-perl-lib-dir=/usr/lib/libperl.so

J.

--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alexei Chetroi
Sent: Sunday, 2 October 2005 13:21
To: FreeRadius users mailing list
Subject: Re: installing problem on Debian

On Sun, Oct 02, 2005 at 04:10:17AM +0200, Ciolo_-^DusT^-_WebMaster wrote:

Date: Sun, 2 Oct 2005 04:10:17 +0200
From: Ciolo_-^DusT^-_WebMaster [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Subject: installing problem on Debian

    *** Warning: Linking the shared library rlm_perl.la against the
    *** static library /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a is not portable!
    rm -fr .libs/rlm_perl.la .libs/rlm_perl.* .libs/rlm_perl-1.0.0-pre0.*
    gcc -shared rlm_perl.lo -L/usr/local/lib /usr/lib/perl/5.8/auto/DynaLoader/DynaLoader.a -L/usr/lib/perl/5.8/CORE -lperl -ldl -lm -lpthread -lc -lcrypt -lnsl -lresolv -lpthread -Wl,-E -Wl,-soname -Wl,rlm_perl-1.0.0-pre0.so -o .libs/rlm_perl-1.0.0-pre0.so
    /usr/bin/ld: cannot find -lperl
    collect2: ld returned 1 exit status
    make[6]: *** [rlm_perl.la] Error 1
    make[6]: Leaving directory

Do you have the libperl-dev package installed?

Best wishes
--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
CHAP and LDAP
Hi there, new questions are ready. :)

I have in radiusd.conf:

    authorize {
        chap
        preprocess
        suffix
        mschap
        ldap
    }
    ...
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
    ...

I am making a VPN server with PPPD with the radius module as NAS. Passwords are stored in the LDAP database in clear text format. When I use PAP in the connection settings, it works pretty fine (connection is established), but with CHAP:

What does "login attempt" mean?

    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: checking if remote access for dmitry is allowed by dialupAccess
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: Password header not found in password qazxsw for user dmitry
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for check items in directory...
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for reply items in directory...
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: user dmitry authorized to use remote access
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
    Mon Oct 3 02:16:05 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modcall[authorize]: module ldap returns ok for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modcall: group authorize returns ok for request 3
    Mon Oct 3 02:16:05 2005 : Debug: rad_check_password: Found Auth-Type CHAP
    Mon Oct 3 02:16:05 2005 : Debug: auth: type CHAP
    Mon Oct 3 02:16:05 2005 : Debug: Processing the authenticate section of radiusd.conf
    Mon Oct 3 02:16:05 2005 : Debug: modcall: entering group Auth-Type for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 3
    Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: login attempt by dmitry with CHAP password
    Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: Could not find clear text password for user dmitry
    Mon Oct 3 02:16:05 2005 : Debug: modsingle[authenticate]: returned from chap (rlm_chap) for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modcall[authenticate]: module chap returns invalid for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modcall: group Auth-Type returns invalid for request 3
    Mon Oct 3 02:16:05 2005 : Debug: auth: Failed to validate the user.
Re: CHAP and LDAP
Are you sure that you have passwords in LDAP in cleartext format?

    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: checking if remote access for dmitry is allowed by dialupAccess
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: Password header not found in password qazxsw for user dmitry
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for check items in directory...
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: looking for reply items in directory...
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: user dmitry authorized to use remote access
    Mon Oct 3 02:16:05 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
    Mon Oct 3 02:16:05 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modcall[authorize]: module ldap returns ok for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modcall: group authorize returns ok for request 3

So the user dmitry is found in the LDAP, and authorize succeeds.

    Mon Oct 3 02:16:05 2005 : Debug: rad_check_password: Found Auth-Type CHAP
    Mon Oct 3 02:16:05 2005 : Debug: auth: type CHAP
    Mon Oct 3 02:16:05 2005 : Debug: Processing the authenticate section of radiusd.conf
    Mon Oct 3 02:16:05 2005 : Debug: modcall: entering group Auth-Type for request 3
    Mon Oct 3 02:16:05 2005 : Debug: modsingle[authenticate]: calling chap (rlm_chap) for request 3
    Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: login attempt by dmitry with CHAP password
    Mon Oct 3 02:16:05 2005 : Debug: rlm_chap: Could not find clear text password for user dmitry

Here radius complains that it can't find a cleartext password for the user dmitry. Check your LDAP configs again to see that passwords are in cleartext. If you're using OpenLDAP, you have to set the password-hash to {CLEARTEXT}, and that actually doesn't work in current stable versions of OpenLDAP. If you don't have any value set, then I think it uses SHA by default, but I'm not sure on that one.

If you're using some other type of LDAP server, read the appropriate docs and check over your config files once again. Because PAP authentication does work, that also leads me to believe that the problem is not with freeradius, but with the passwords in LDAP.
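The reply's point, that CHAP can only be checked when the server holds the clear-text password while PAP still works against a hashed userPassword, can be shown in code. The following is an added Python example written for this page (not from the thread, and not rlm_chap or rlm_ldap code): it computes an RFC 1994 CHAP response, verifies it against a stored value, verifies a PAP password against an OpenLDAP-style {SSHA} value, and reports which of the two methods each storage form supports. The user password, salt and challenge are constructed sample values; the `{CLEARTEXT}` header and the "no header means clear text" rule are modelling assumptions, not a description of rlm_ldap's configuration.

```python
import base64
import hashlib
import hmac


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode("utf-8") + challenge).digest()


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style salted SHA-1 userPassword value: {SSHA}base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def cleartext_of(stored: str):
    """Return the clear-text password if the stored value carries one, else None.
    Assumption for this example: a {CLEARTEXT} header or no header at all means clear text."""
    if stored.startswith("{CLEARTEXT}"):
        return stored[len("{CLEARTEXT}"):]
    if not stored.startswith("{"):
        return stored
    return None


def verify_pap(password: str, stored: str) -> bool:
    """PAP delivers the password itself, so any scheme the server can recompute will do."""
    clear = cleartext_of(stored)
    if clear is not None:
        return hmac.compare_digest(clear.encode("utf-8"), password.encode("utf-8"))
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return False  # unknown scheme: cannot verify


def verify_chap(chap_id: int, challenge: bytes, response: bytes, stored: str) -> bool:
    """CHAP only delivers MD5(id, password, challenge); the server must redo that MD5 with
    the real password, which a one-way hash of the password cannot supply."""
    clear = cleartext_of(stored)
    if clear is None:
        return False  # the situation behind "Could not find clear text password"
    return hmac.compare_digest(chap_response(chap_id, clear, challenge), response)


def supported_methods(stored: str) -> dict:
    """Which of PAP and CHAP a given userPassword value can be checked against."""
    has_clear = cleartext_of(stored) is not None
    return {"PAP": has_clear or stored.startswith("{SSHA}"), "CHAP": has_clear}


def demo(password: str = "correct-horse") -> dict:
    """Run one CHAP exchange and one PAP check against two storage forms of the same
    password; returns {store_name: (pap_ok, chap_ok)}."""
    challenge = bytes(range(16))  # constructed; a real NAS sends random bytes
    chap_id = 1
    response = chap_response(chap_id, password, challenge)  # what the client would send
    stores = {
        "cleartext": "{CLEARTEXT}" + password,
        "ssha": ssha(password, b"saltsalt"),  # constructed salt
    }
    return {name: (verify_pap(password, s), verify_chap(chap_id, challenge, response, s))
            for name, s in stores.items()}


if __name__ == "__main__":
    for name, (pap_ok, chap_ok) in demo().items():
        print(f"{name:10s} PAP={pap_ok} CHAP={chap_ok} supports={supported_methods(name)}")
```

The asymmetry is the whole story of the thread: with `{SSHA}` the PAP check succeeds and the CHAP check fails, exactly the pattern the original poster saw. Storing clear text to make CHAP work is a real trade-off, since the directory then holds password-equivalent data for every user.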
Re: Segmentation Fault - 1.0.5
The dynamic linker can find the ldap lib, since it's within the directory /usr/local/lib:

    133:-lldap.2 = /usr/local/lib/libldap.so.2
    134:-lldap_r.2 = /usr/local/lib/libldap_r.so.2

So the last option will be ./configure --disable-shared

--haizam

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, September 30, 2005 23:01
Subject: Re: Segmentation Fault - 1.0.5

Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:

cleaning up old files... recompile... and still segmentation fault... but worse than before.. since the daemon cannot even come up.. seems problem with rlm_ldap...

That's bug #98. Either link statically, or put the libraries rlm_ldap needs in a place where the dynamic linker can find them.

Alan DeKok.
Re: working rlm_perl example
I did the following configuration and it is working well for me. Try it, and let me know whether it is working or not.

users file:
---
DEFAULT Auth-Type := perl
---

radiusd.conf - modules area:

    perl {
        module = /usr/local/etc/example.pl
        func_accounting = accounting
        func_authenticate = authenticate
        func_authorize = authorize
        func_preacct = preacct
        func_checksimul = checksimul
        func_xlat = xlat
    }

    authorize {
        preprocess
        chap
        suffix
        perl
        file
    }

    authenticate {
        Auth-Type Perl {
            perl
        }
    }

Yours,
Abdul Lateef
Computer Programmer
HATIF COM
Mob: +974 - 5405022
Tel: +974 - 4883068
ICQ: 276994704
YM!: abdul_zu
Fax: +974 - 4883063
Doha Qatar
http://www.hatif.com
rlm_sql (sql): Unsupported Acct-Status-Type = 15
I am using FreeRadius 1.0.5. I have configured accounting with SQL. When I run radiusd -X and watch what happens when I try to pass a record to FreeRadius, I see the following:

    rlm_sql (sql): Unsupported Acct-Status-Type = 15
    modcall[accounting]: module sql returns noop for request 1

vi /usr/local/etc/raddb/dictionary

    $INCLUDE /usr/local/share/freeradius/dictionary
    $INCLUDE /usr/local/etc/ser/dictionary.ser

vi /usr/local/share/freeradius/dictionary

    <snip>
    VALUE Acct-Status-Type Failed 15
    </snip>

vi /usr/local/etc/ser/dictionary.ser

    <snip>
    VALUE Acct-Status-Type Failed 15 # RFC2866, acc
    </snip>

I've tried removing $INCLUDE /usr/local/etc/ser/dictionary.ser from /usr/local/etc/raddb/dictionary, but the problem persists. I'm sure there's a configuration step I've missed. Could anyone suggest some other things to check?

Thanks
Cameron
Re: MSCHAPv2, MySQL, Freeradius
Dan Russell [EMAIL PROTECTED] wrote:

If I used a third party tool like mkntpwd to create NT hashes, could I put premade hashes in the database and use them to authenticate ... Is there any specific config change I would need to make to enable this?

No. It should work in the default config.

How does freeradius identify that the password has already been NT hashed?

Because you put it into the NT-Password attribute, instead of the User-Password attribute.

What stops it from encrypting whatever it finds in the radcheck table for the password?

I have no idea what question you're asking. So far as I can tell, the answer is it doesn't work that way.

Alan DeKok.
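As an added illustration of what "put it into the NT-Password attribute" involves (example code written for this page; not FreeRADIUS, rlm_mschap or mkntpwd code): the NT hash is MD4 over the UTF-16LE encoding of the password, and that value is what MS-CHAPv2 verification needs server-side in place of a clear-text User-Password. A small pure-Python MD4 is included because hashlib's md4 is unavailable on many current OpenSSL builds. The radcheck column names used here (username, attribute, op, value) follow the standard FreeRADIUS SQL schema as I know it, and the sample user and password are constructed.

```python
import struct

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often disabled on modern OpenSSL)."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _MASK

    # (function, additive constant, per-step shifts, message-word order) for the three rounds
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += bytes((56 - len(msg) % 64) % 64)   # pad with zeros to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)   # little-endian bit length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = rotl((a + fn(b, c, d) + X[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c   # rotate the working variables for the next step
        h = [(x + y) & _MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash as stored in NT-Password: MD4 over the UTF-16LE password, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def radcheck_row(username: str, password: str) -> dict:
    """The radcheck row that lets MS-CHAPv2 authenticate without a clear-text password.
    Column names are the standard schema's; the values are what the row would contain."""
    return {"username": username, "attribute": "NT-Password", "op": ":=", "value": nt_hash(password)}


def radcheck_insert(username: str, password: str):
    """Parameterised INSERT for the row above; the values travel as bind parameters so the
    user name can never alter the statement. Returns (sql, params) for a DB-API cursor."""
    row = radcheck_row(username, password)
    sql = "INSERT INTO radcheck (username, attribute, op, value) VALUES (%s, %s, %s, %s)"
    return sql, (row["username"], row["attribute"], row["op"], row["value"])


if __name__ == "__main__":
    # Constructed sample user; "password" is used only because its NT hash is a well-known test vector.
    print(radcheck_row("dan", "password"))
```

One design point worth keeping in view: the NT hash is unsalted and, for MS-CHAPv2, is itself sufficient to authenticate as the user, so a radcheck table of NT-Password rows deserves the same access controls as one holding clear-text User-Password rows.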