How to use CRL by PEAP authentication

2005-12-16 Thread Kouji Amemiya
Hello,

I'm using FreeRADIUS-1.0.5 on Windows XP, with a Windows XP client,
and I'm attempting PEAP authentication.

I was using a certificate issued by OpenSSL, and I revoked this certificate.
(Its information was therefore written to the CRL.)

Then I attempted PEAP authentication with this revoked certificate,
but the authentication result was Access-Accept.

Is something wrong with my setup?
Please give me advice.

My eap.conf is shown below.

  eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }
    gtc {
      #challenge = "Password: "
      auth_type = PAP
    }

    tls {
      private_key_password =
      private_key_file = ${raddbdir}/newcerts/serverkey.pem

      certificate_file = ${raddbdir}/newcerts/servercert.pem

      CA_file = ${raddbdir}/newcerts/cacert.pem

      dh_file = ${raddbdir}/certs/dh
      random_file = ${raddbdir}/certs/random

      # fragment_size = 1024
      # include_length = yes

      CA_path = ${raddbdir}/newcerts/
      check_crl = yes
      check_cert_cn = %{User-Name}
    }

    peap {
      default_eap_type = mschapv2
      copy_request_to_tunnel = yes
      use_tunneled_reply = no
    }

    mschapv2 {
    }
  }

-- 
Kouji Amemiya [EMAIL PROTECTED]


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: After the manual's config, chap wont work with LDAP

2005-12-16 Thread Phil Mayers

Matt Juszczak wrote:

Hi all,

We've got our freeradius servers working with LDAP fine, except for 
CHAP.  Originally, the logs were saying Invalid user \\user, but we 
fixed that by enabling an option in radiusd.conf.


Now, when we dial up without encrypted password enabled, the connection 
comes through successfully.  However, when we enable the encrypted 
password option and try again, we get:


Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty 
password supplied): [username/] (from client 123.123.123.123 port 3088 
cli 2125550404)


Its saying the password is empty, but we are indeed using a password.

Does anyone have any ideas?  We've followed the instructions in the FAQ 
(CHAP above LDAP in the authorize section, no := Auth-Type, etc.). 
it just doesn't seem to want to recognize that a password is being entered.


For the record, no query hits the LDAP server during a CHAP 
authentication.. so its obviously something with the config of 
freeradius.


You've posted no debugging output or config, so it's difficult to tell, but:

To do CHAP, you must have:

 1. The PLAINTEXT password in the LDAP server
 2. The Radius server permitted to read that attribute
 3. The ldap module configured to put whatever that attribute is 
(usually userPassword) into the radius User-Password, using the 
password_attribute option of the ldap module

 4. chap above pap in the authorize (which you've got)
 5. chap anywhere in authenticate



Thanks for any help!

-Matt




Re: Freeradius and LDAP : to be continued

2005-12-16 Thread Christophe Gravier

Phil Mayers wrote:


Christophe Gravier wrote:



My passwords are not stored in LDAP in clear text but hashed using the SHA 
algorithm, so this won't work ;-(




Ok, let's take a breath. First things first:

If your passwords are in SHA (which they are) your Radius server will 
ONLY be able to answer PAP requests.


The very first log you sent in this thread indicates you have 
ChilliSpot set to use CHAP:



rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. 
Cannot use CHAP-Password.

 modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

'''Cannot use CHAP-Password''' - indicates the request (from 
ChilliSpot) came in with CHAP credentials.


First, fix that. See here:

http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html



Next, since you have SHA passwords and can only answer PAP, you have 
two choices:


 1. Extract the SHA password and add it to the config items, then 
configure the Radius servers PAP module to check it:


modules {
  pap {
encryption_scheme = sha1
  }
  ldap {
# settings go here
  }
}

authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type PAP {
pap
  }
}

HOWEVER - this may not work. The SHA that your LDAP server uses may 
be slightly different (salting, keying) than the SHA FreeRadius uses.


Much more likely to trip you up though, is when ldap matches in 
authorize, it will set Auth-Type = LDAP, so you either need to disable 
that or otherwise make it work and there are about 6 different ways 
of doing that. The most obvious would be to replace the above with:


modules { as before }
authorize { as before }
authenticate {
  Auth-Type LDAP {
pap
  }
}



I want to make the "set Auth-Type = LDAP" working by making this Auth-Type 
use the pap configuration. (correct me if I'm wrong).


I followed what you advised:
- configure chilli uamsecret and uampassword
- put pap configuration in the modules section
- check ldap configuration in modules
- put ldap in authorize
- put Auth-Type LDAP {  pap  } in authenticate.

Now things got through pap indeed, but I'm told:
rlm_pap: No password (or empty password) to check against for for user 
gravier.christophe


I think I totally misunderstand your sentence: Extract the SHA password 
and add it to the config items. I thought it means to add the mapping 
checkItem User-Password userPassword in ldap.attrmap (where 
userPassword is my attribute for SHA password). As it didn't work I used 
the password_attribute conf entry in ldap configuration (module 
section), but as I expected it has the same consequence.


Could you please, be more precise about the extraction of SHA password ? 
Is there an additional conf entry for pap in module section ?


Here is the complete trace:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: checking if remote access for gravier.christophe is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = gravier.christophe, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 158
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by gravier.christophe with password [here the 
trace prints my password in plain text, normal?]
rlm_pap: No password (or empty password) to check against for for user 
gravier.christophe

 modcall[authenticate]: module pap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0


But it might not work. Alternatively and probably simpler (but less 
formally correct) is the 2nd method:


 2. Configure the LDAP module to find the user, set Auth-Type==LDAP 
then authenticate the user via simple bind:


authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type LDAP {
ldap
  }
}

...and assuming the ldap 
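
Phil Mayers' two points in the messages above (CHAP can only be answered from a cleartext password on the server, and a SHA-hashed userPassword can serve PAP but may not match if the directory salts it) reduce to a few lines of arithmetic. The following is an added example, not code from the thread or from FreeRADIUS; the function names, the RFC 2307 `{SHA}`/`{SSHA}` storage forms, and the sample passwords and challenge are assumptions made for illustration. The CHAP part also shows that the protocol itself treats the password as opaque bytes, `%` included, which matters for the users-file thread further down this page.

```python
import base64
import hashlib
import hmac

# CHAP (RFC 1994, carried in RADIUS per RFC 2865 section 5.3).
# The NAS sends CHAP-Password = Ident || MD5(Ident || password || challenge).
# Checking it means recomputing that MD5, which needs the cleartext password:
# this is why rlm_ldap must be able to read a cleartext userPassword
# (password_attribute) before it can answer a CHAP request.


def chap_response(ident, password, challenge):
    """NAS/supplicant side: the 17-octet CHAP-Password value."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password, challenge, cleartext):
    """Server side. The password is opaque bytes here, '%' included."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


# PAP against a hashed directory password. Assumed RFC 2307 userPassword
# forms: "{SHA}" + b64(sha1(pw)) and the salted "{SSHA}" + b64(sha1(pw||salt)||salt).
# An unsalted sha1 comparison cannot check the salted form; that is the
# "slightly different (salting, keying)" case Phil warns about.


def ldap_sha(password):
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def ldap_ssha(password, salt):
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def pap_verify(stored, cleartext):
    """Server side for PAP: hash what the user sent, compare with the directory value."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(cleartext).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cleartext + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), cleartext)  # cleartext stored


def methods_supported(stored):
    """Which RADIUS methods a stored credential can answer: only cleartext serves CHAP."""
    hashed = stored.startswith("{")
    return {"PAP": True, "CHAP": not hashed}
```

The asymmetry is the whole story of both threads: `pap_verify` works with whatever one-way form the directory holds because the cleartext arrives in the request, while `chap_verify` has nothing to hash the stored digest against, so a `{SHA}` userPassword leaves the server with PAP only.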

Re: FreeRadius cannot Authenticate to Windows AD

2005-12-16 Thread Phil Mayers

Michael Calizo wrote:

Hi,

Same thing has happened, I still cannot authenticate to Windows AD. Same 
error is displayed when I debug radiusd


I put quotes around the password..

radtest user 'mypass' 192.168.1.1:1812 1812 testing123

or

radtest user 'mypass' 192.168.1.1:1812 1812 testing123



What do you think is the problem?
rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 
192.168.1.1:389

rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap 
section of radiusd.conf


...that's pretty clear. The identity/password combo you have is 
wrong. Or AD thinks it's wrong.


Re: How to use CRL by PEAP authentication

2005-12-16 Thread wbh
On 12/16/05, Kouji Amemiya [EMAIL PROTECTED] wrote:
 I was using the certificate published by OpenSSL, I revoked this certificate.
 (Herewith, this certificate's information was written on CRL.)

 And I attempted PEAP authentication by this revoked certificate,
 but authentication result was Access-Accept.

For PEAP you don't use a certificate on the client (better:
supplicant) side, so it is not checked. What you seem to have revoked
is the certificate the server presents to the supplicant, which has no
part in deciding to authorize/authenticate the user.

Why the supplicant doesn't refuse the supposedly revoked server
certificate would be interesting (you could look into your setup to see
whether the supplicant did check for the latest CRL of the certificate's
issuer), but is unrelated to your original question.

Regards,
Klaus Hörcher



no inet from clients mysql tables topics

2005-12-16 Thread mfred
Hi again,

Thanks to all who helped me until now with my freeradius project.  I've made
much progress but have two issues which I can't figure out.

1)
My client gets authenticated if I use the users file (test entry from
Christoph Gravier's howto)

Sending Accounting-Response of id 2 to 192.168.0.8:32780

but it doesn't get authenticated if I use sql entries

radius output:

rad_recv: Access-Request packet from host 192.168.0.8:32782,
id=0, length=199
User-Name = sqltest2
User-Password = sqltest2
NAS-IP-Address = 192.168.0.8
Service-Type = Login-User
Framed-IP-Address = 192.168.182.3
Calling-Station-Id = 00-E0-98-35-00-28
Called-Station-Id = 00-02-B3-4C-95-89
NAS-Identifier = nas01
Acct-Session-Id = 43a2af62
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator =
0x79af42dc40dbe6235bcf8585938c6a02
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module preprocess returns ok for request
13
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 13
radius_xlat:  'sqltest2'
rlm_sql (sql): sql_set_user escaped user -- 'sqltest2'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM
radcheck WHERE
Username = 'sqltest2' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
radius_xlat:  'SELECT

radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username =
'sqltest2' AND
usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM
radreply WHERE
Username = 'sqltest2' ORDER BY id'
radius_xlat:  'SELECT

radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username =
'sqltest2' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY
radgroupreply.id'
rlm_sql (sql): Released sql socket id: 1
  modcall[authorize]: module sql returns ok for request 13
modcall: group authorize returns ok for request 13
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
  modcall[authenticate]: module unix returns notfound for
request 13
modcall: group authenticate returns notfound for request 13
auth: Failed to validate the user.
Login incorrect: [sqltest2/sqltest2] (from client 192er-testnetz
port 0 cli
00-E0-98-35-00-28)

my sql table (only radcheck entries, all others are empty):

mysql> select * from radcheck;
+----+----------+---------------+----+----------+
| id | UserName | Attribute     | op | Value    |
+----+----------+---------------+----+----------+
|  1 | mfred    | User-Password | := | test     |
|  7 | sqltest  | Password      | := | sqltest  |
|  8 | sqltest2 | User-Password | := | sqltest2 |
|  9 | sqltest3 | User-Password | == | sqltest3 |
| 10 | argl     | User-Password | == | argl     |
+----+----------+---------------+----+----------+

I tried different Attribute/op entries as I don't know exactly which are
good. The different howtos out there are not clear about this. Maybe
it's version dependent?

---

2)

My next problem is that even if I get connected with my local user I don't
have Internet access from the clients.
I can only ping 192.168.182.1 but nothing more.
From the server

If you would be so kind again and help me in these topics I would be
very happy and my weekend is maybe saved this time :)

br,
mfred




Re: allowed characters in User-Password?

2005-12-16 Thread Nils-Henner Krueger
Alan DeKok wrote:
I miss something obvious, but although I printed out variables.txt
and read it several times I still don't get the point.
 
   '%' is a special character.
 
From variables.txt I understand that variables are referred to
by %{name}.
 
   Or, % followed by one character.
 
Do I get it right, I put 34fgT\%45 instead of 34fgT%45
in the users file? 
 
   Yes.
 
Which other special chars need to be treated this way?
 
   None.

I'm still struggling on this subject.

Now that I have a test system available I made several tests with
various radius and dialin client parameters with the following
result: As long as a % is in the password, CHAP never works,
regardless of escaping with \% or not, while PAP always works.

Am I lost with CHAP and % in password or can I do anything else
with this problem?


nils-henner


Re: bug in rlm_ldap?

2005-12-16 Thread Dusty Doris
I changed the users file as you recommended, the ldap.attrmap contains the 
additional line:


checkItem   User-Category   primaryGroupID


Unfortunately also in this case only the Reject entry matches, although the 
primaryGroupID seems to be passed to User-Category:

radiusd -AX
.
rlm_ldap: looking for check items in directory...
ldap_get_values

ldap_get_values
rlm_ldap: Adding LDAP attribute primaryGroupID as RADIUS attribute 
User-Category == 515

ldap_get_values



Did you get the second email I sent?  I don't believe you can use that 
check item from ldap in the users file.  Try the ldap-group options I sent 
over in the last email.  That should work for you.






Re: After the manual's config, chap wont work with LDAP

2005-12-16 Thread Matt Juszczak




To do CHAP, you must have:

 1. The PLAINTEXT password in the LDAP server
 2. The Radius server permitted to read that attribute
 3. The ldap module configured to put whatever that attribute is 
(usually userPassword) into the radius User-Password, using the 
password_attribute option of the ldap module

 4. chap above pap in the authorize (which you've got)
 5. chap anywhere in authenticate



Hiya,

We have all of those set.  The password is stored plain text in 
userPassword.  The radius server has read access to that attribute.  The 
ldap module is configured in radiusd.conf for that attribute.  Chap is 
above pap, and chap is also in authenticate {}.


The password is still showing up as blank when they dial up, before it 
even hits the LDAP server.  Is there debugging output I could send you 
that might help with this?


Regards,

Matt


Re: bug in rlm_ldap?

2005-12-16 Thread Norbert Wegener

Dusty Doris wrote:



Did you get the second email I sent.  I don't believe you can use that 
check item from ldap in the users file.  Try the ldap-group options I 
sent over in the last email.  That should work for you.


Thank you, I got it and already tried that attribute. The behaviour is a 
bit better, but does not really lead to the desired result, as the 
client gets an:

Incoming RADIUS packet did not have correct Message-Authenticator - dropped

With a users file:
###
DEFAULT Ldap-Group == 515, Auth-Type := Accept
   Framed-Type = Framed,
   Tunnel-Type:1 = VLAN,
   Tunnel-Medium-Type:1 = IEEE-802,
   Tunnel-Private-Group-ID:1 = 100

DEFAULT Auth-Type := Reject

an ldap module:
ldap ldap1 {
   server = globalcatalogue
   port = 3268 #global catalogue server
   identity = [EMAIL PROTECTED]
   password = mypass
   basedn = dc=MYDOM,dc=NET
   filter = 
(&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

   ldap_debug= 0x
   timeout = 40
   timelimit = 30
   net_timeout = 10
   tls {
   start_tls = no
   }
   dictionary_mapping = ${raddbdir}/ldap.attrmap
   groupmembership_attribute = primaryGroupID
   }
a files section of:
files files1 {
   usersfile = ${confdir}/users
   acctusersfile = ${confdir}/acct_users
   preproxy_usersfile = ${confdir}/preproxy_users
   compat = no
   }


and an authorize section:
authorize {
   preprocess
   eap
   ldap1 {
   notfound = reject
   }
   files1 {
   notfound = reject
   }
}

radiusd -AX gives me:



rlm_ldap::ldap_groupcmp: User found in group 515
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 1
 modcall[authorize]: module files1 returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
 rad_check_password:  Found Auth-Type Accept
 rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 149.246.133.44 port 32770
   Tunnel-Type:1 = VLAN
   Tunnel-Medium-Type:1 = IEEE-802
   Tunnel-Private-Group-Id:1 = 100
Finished request 0


Seems ok, but unfortunately on the other side, the result is not that 
good. Alan proposed eapol_test recently for testing of such 
connections (thank you, very useful) and this tool shows me:

...
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=0 length=38
  Attribute 64 (?Unknown?) length=6
  Attribute 65 (?Unknown?) length=6
  Attribute 81 (?Unknown?) length=6
STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending 
request, round trip time 0.15 sec

No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - 
dropping packet

EAPOL: startWhen -- 0
EAPOL test timed out
MPPE keys OK: 0  mismatch: 1
FAILURE

Any idea?




rlm_sqlcounter causing a segmentation fault

2005-12-16 Thread Serge Lhermitte

Hi,

I am not too sure about how this should be handled, but hopefully
someone can give me a hint

As soon as I try to use the rlm_sqlcounter module and start the radiusd,
it gives me a segmentation fault message.

The last line before it crashes, radiusd -xx is giving me is the
following
Sqlcounter: safe-characters = @abc. /

I am using a recent CVS.

Cheers.
S.




Re: bug in rlm_ldap?

2005-12-16 Thread Dusty Doris


Thank you, I got it and already tried that attribute. The behaviour is a bit 
better, but does not really lead to the desired result, as the client gets 
an:

Incoming RADIUS packet did not have correct Message-Authenticator - dropped



Well, at least you've got the ldap part working.  The 
message-authenticator shouldn't have anything to do with ldap.  It has to 
do with the packet between the radius server and the nas.


Seems ok, but unfortunately on the other side, the result is not that good. 
Alan proposed eapol_test recently for testing of such connections(thank you, 
very usefull) and this tool shows me:

...
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=0 length=38
 Attribute 64 (?Unknown?) length=6
 Attribute 65 (?Unknown?) length=6
 Attribute 81 (?Unknown?) length=6
STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, 
round trip time 0.15 sec

No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - 
dropping packet

EAPOL: startWhen -- 0
EAPOL test timed out
MPPE keys OK: 0  mismatch: 1
FAILURE



I can't help on this part.  I'd start a new thread with that error, so the 
subject line might draw some attention from someone that can.




Re: IPv6 Support

2005-12-16 Thread Paulo Alexandre Caceres Ferreira
Hi, it's me again.

Now I'm trying to implement the IPv6 Freeradius, but I'm having some 
doubts.

When I'm configuring FreeRADIUS, is it the same configuration that is used for 
IPv4, except in the clients file, where I must use IPv6 addresses?

My doubt is:

How and where do I configure the IPv6 attributes referred to in RFC 3162 so that 
RADIUS distributes them to authenticated users?

Please, if possible, send me a configuration example.

Regards,
Paulo Ferreira

 
 
   I haven't tried FreeRADIUS with IPv6 yet, but I have doubts about how
   FreeRADIUS functions with IPv6.
 
Why?
 
 Because I haven't arranged a machine to test it yet :)
 
 
   Are the communications between the NAS and FreeRADIUS, in IPv6-only
  networks,
   made only with IPv6 packets (Access-Request packets, etc.)?
 
Uh... you're asking if non-IPv6 packets are sent in an IPv6-only
  network.
 
That makes *no* sense.
 
 No, I wanted IPv6 only, but I wasn't sure whether FreeRADIUS was
 communicating with the NAS in IPv6-only packets, or encapsulating the
 IPv6 attributes (RFC 3162) in IPv4 packets.
 
 
   Or are the IPv6 attributes (NAS-IPv6-Address, etc.) encapsulated in
   IPv4 packets?
 
Read the RFCs.  The data in a RADIUS packet is completely
  independent of the IPv4 or IPv6 transport.
 
 I had already read RFC 3162, and I thought that was the idea, but I asked 
 the list these questions to be sure.
 
 Good, that means that it works with packets in both network protocols,
 depending on NAS support.
 
 
Alan DeKok.
 
 
 Thanks for the help, and I will try that when I will have opportunity.
 
 Regards,
 Paulo Ferreira
 

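
Dusty's point in the bug-in-rlm_ldap thread (the Message-Authenticator belongs to the packet between the RADIUS server and the NAS, not to LDAP) and Paulo's question above (where the RFC 3162 IPv6 attributes go) both come down to how the reply packet is encoded, so here is one added example that covers both. It is not code from the threads or from FreeRADIUS. It builds an Access-Accept carrying the Tunnel-* VLAN attributes from Norbert's users file plus NAS-IPv6-Address and Framed-IPv6-Prefix, computes the RFC 3579 Message-Authenticator and the RFC 2865 Response Authenticator, and then checks the packet the way a NAS or eapol_test would. The shared secret, Request Authenticator, addresses, VLAN and function names are constructed sample values and assumptions, not anything from the page.

```python
import hashlib
import hmac
import ipaddress
import struct

# Packet code and attribute types (RFC 2865, RFC 2868, RFC 3162, RFC 3579)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
NAS_IPV6_ADDRESS, FRAMED_IPV6_PREFIX = 95, 97
VLAN, IEEE_802 = 13, 6  # Tunnel-Type / Tunnel-Medium-Type values for 802.1X VLAN assignment


def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value of 1..253 octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type, tag, value):
    """RFC 2868 tagged integer: 1-octet tag, then a 3-octet big-endian value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, value):
    return avp(attr_type, bytes([tag]) + value)


def nas_ipv6_address(addr):
    """RFC 3162 section 2.1: the NAS's 16-octet IPv6 address."""
    return avp(NAS_IPV6_ADDRESS, ipaddress.IPv6Address(addr).packed)


def framed_ipv6_prefix(prefix):
    """RFC 3162 section 2.3: Reserved (0), Prefix-Length, then the prefix octets."""
    net = ipaddress.IPv6Network(prefix)
    return avp(FRAMED_IPV6_PREFIX, bytes([0, net.prefixlen]) + net.network_address.packed)


def parse_avps(body):
    """Return [(type, offset_in_body, value)], rejecting malformed lengths."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((body[i], i, body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out


def build_response(code, ident, request_auth, attrs, secret, with_message_authenticator=True):
    """Build an Access-Accept/Reject/Challenge.

    RFC 3579 section 3.2: the response's Message-Authenticator is HMAC-MD5
    (key = shared secret) over the packet with the *Request* Authenticator in
    the header and the Message-Authenticator value zeroed. It is filled in
    before the RFC 2865 Response Authenticator, MD5(header || RequestAuth ||
    attributes || secret), is computed.
    """
    body = b"".join(attrs)
    if with_message_authenticator:
        body += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_message_authenticator:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """NAS/supplicant side. Returns (response_authenticator_ok, message_authenticator_ok).

    A missing Message-Authenticator yields False: for an EAP session RFC 3579
    requires it on every packet, which is what eapol_test enforces when it
    prints 'No Message-Authenticator attribute found' and drops the Accept.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    ra_ok = hmac.compare_digest(hashlib.md5(header + request_auth + body + secret).digest(), response_auth)
    mas = [(off, val) for typ, off, val in parse_avps(body) if typ == MESSAGE_AUTHENTICATOR]
    if not mas or len(mas[0][1]) != 16:
        return ra_ok, False
    off, val = mas[0]
    zeroed = body[:off + 2] + bytes(16) + body[off + 18:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return ra_ok, hmac.compare_digest(expected, val)


# Constructed sample values (not from the page): secret, Request Authenticator,
# the VLAN 100 reply from Norbert's users file, and two RFC 3162 attributes.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
REPLY_ATTRS = [
    tagged_integer(TUNNEL_TYPE, 1, VLAN),
    tagged_integer(TUNNEL_MEDIUM_TYPE, 1, IEEE_802),
    tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, b"100"),
    nas_ipv6_address("2001:db8::1"),
    framed_ipv6_prefix("2001:db8:1234::/64"),
]


def demo():
    """Compare a proper Accept with one sent without a Message-Authenticator."""
    good = build_response(ACCESS_ACCEPT, 0, REQUEST_AUTH, REPLY_ATTRS, SECRET)
    bare = build_response(ACCESS_ACCEPT, 0, REQUEST_AUTH, REPLY_ATTRS, SECRET,
                          with_message_authenticator=False)
    return verify_response(good, REQUEST_AUTH, SECRET), verify_response(bare, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())
```

The `bare` packet passes the Response Authenticator check and fails only the Message-Authenticator check, which is the shape of the failure in the eapol_test output above: `Auth-Type := Accept` produced the Access-Accept without the EAP module having run, so the attribute was never added, and the supplicant side discarded an otherwise valid reply.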


No Reply Proxy for Accounting Requests

2005-12-16 Thread David Bickle
Does anyone know how to configure a proxy for the forwarding of no reply
accounting requests? In particular I am interested in accounting start/stop
packets.

Thanks,




RE: FreeRadius cannot Authenticate to Windows AD

2005-12-16 Thread Alhagie Puye
Michael,

Try querying Active Directory with the ldapsearch utility. Here is an
example.

ldapsearch -LLL -h 1.2.3.4 -x -b 'dc=domain,dc=com'
'(samaccountname=backops)' -D backops  -w passofbackops


This will confirm whether the credentials are correct.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Phil Mayers
 Sent: December 16, 2005 1:55 AM
 To: FreeRadius users mailing list
 Subject: Re: FreeRadius cannot Authenticate to Windows AD
 
 Michael Calizo wrote:
  Hi,
  
  Same thing has happened, I still cannot authenticate to 
  Windows AD. 
  Same error is displayed when I debug radiusd
  
  I put quotes around the password..
  
  radtest user 'mypass' 192.168.1.1:1812 1812 testing123
  or
  radtest user 'mypass' 192.168.1.1:1812 1812 testing123
  
  
  What do you think is the problem?
 rlm_ldap: bind as 
 cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to
 192.168.1.1:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: LDAP login failed: check identity, password 
 settings in ldap section of radiusd.conf
 
 ...that's pretty clear. The identity/password combo you 
 have is wrong. Or AD thinks it's wrong.
 





Re: no inet from clients mysql tables topics

2005-12-16 Thread mfred
OK,

I got point 1 solved, but point 2 still exists.

For the files:
I also removed files from the authorize section. There is now only
{preprocess, sql}.

If you can help with point 2 (clients cannot connect to the Internet),
I wouldn't mind ;)

cu
mfred


On Friday, 16.12.2005, 13:42 +0100, mfred wrote:
 Hi again,
 
 Thanks to all who helped me until now with my freeradius project.  I've made
 much progress but have two issues which I can't figure out.
 
 1)
 My client gets authenticated if I use the users file (test entry from
 Christoph Gravier's howto)
 
 but it doesn't get authenticated if I use sql entries

 2)
 
 My next problem is that even if I get connected with my local user I don't
 have Internet access from the clients.
 I can only ping 192.168.182.1 but nothing more.
 From the server
 
 If you would be so kind again and help me in these topics I would be
 very happy and my weekend is maybe saved this time :)
 
 br,
 mfred




Re: No matching entry in the database for request from user

2005-12-16 Thread Alan DeKok
Bill Schoolfield [EMAIL PROTECTED] wrote:
 I just tested the exact same setup but this time accessing this radius 
 server directly (instead of thru a proxy) and it works fine. So the 
 proxy is changing something. Thoughts?

  Run it in debug mode, and compare the input packets & SQL queries.

  Alan DeKok.


Re: No Reply Proxy for Accounting Requests

2005-12-16 Thread Dusty Doris

On Fri, 16 Dec 2005, David Bickle wrote:


Does anyone know how to configure a proxy for the forwarding of no reply
accounting requests? In particular I am interested in accounting start/stop
packets.

Thanks,


What does forwarding of no reply accounting requests mean?



RADIUS packet did not have correct Message-Authenticator

2005-12-16 Thread Norbert Wegener
I do an EAP/TLS authentication and after that an AD search. This works 
so far.
But when setting the groupmembership in the ldap1 section, there are 
problems.
I do not see the usual EAP messages flying around, but nevertheless 
radius sends an Access-Accept:


rlm_ldap::ldap_groupcmp: User found in group 515
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 25
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 149.246.133.44 port 32770
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = 802
    Tunnel-Private-Group-Id:0 = Core1
Finished request 0

On the client side, where I have eapol_test, I get an error:

STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending 
request, round trip time 0.24 sec

No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - 
dropping packet

This is from my radiusd.conf:

When it is there, radius  sends an Access-Accept.
ldap ldap1 {
    server = globalcatalogue
    port = 3268   # global catalogue server
    identity = [EMAIL PROTECTED]
    password = mypass
    basedn = dc=MYDOM,dc=NET
    filter = (&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    ldap_debug = 0x
    timeout = 40
    timelimit = 30
    net_timeout = 10
    tls {
        start_tls = no
    }
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    groupmembership_attribute = primaryGroupID
}

authorize {
    preprocess
    eap
    ldap1 {
        notfound = reject
    }
    files
}
The complete output of radius -AX is lengthy and therefore not included. 
It can be found at:

http://www.wegener-net.de/fr/bad-group , where the error occurs,
http://www.wegener-net.de/fr/ok-nogroup , where the authentication works 
as expected.
As mentioned above,  the only difference in the configuration is the use 
of groupmembership.


Any hints are really appreciated.
Thanks
Norbert Wegener



Re: No matching entry in the database for request from user

2005-12-16 Thread Bill Schoolfield
I did. Turns out it had nothing to do with the proxy. I had 
inadvertently placed a reply attribute as a check attribute in the db. 
That of course caused the lookup to fail. My apologies for the false alarm.


Bill

Alan DeKok wrote:

Bill Schoolfield [EMAIL PROTECTED] wrote:

I just tested the exact same setup but this time accessing this radius 
server directly (instead of thru a proxy) and it works fine. So the 
proxy is changing something. Thoughts?



  Run it in debug mode, and compare the input packets & SQL queries.

  Alan DeKok.
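Bill's diagnosis above (a reply attribute stored as a check item) is worth seeing mechanically, because the SQL module treats every radcheck row as a condition the incoming Access-Request has to satisfy. The following is an added example, my own code and not rlm_sql; it builds an in-memory SQLite stand-in for the stock radcheck/radreply tables with constructed rows and a constructed request, implements the subset of check-item operators from the users(5) man page, and shows the same user failing when Tunnel-Private-Group-Id sits in radcheck and matching once it is moved to radreply. The username, password and attribute values are assumptions.

```python
import sqlite3

# Stock FreeRADIUS table layout (radcheck/radreply), trimmed to the columns used
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Attributes the SQL module hands to the authentication stage rather than
# comparing against the request itself.
PASSWORD_ITEMS = {"User-Password", "Cleartext-Password", "Crypt-Password", "Auth-Type"}


def open_db(check_rows, reply_rows):
    """In-memory stand-in for the radius database, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radcheck(username, attribute, op, value) VALUES (?,?,?,?)", check_rows)
    db.executemany("INSERT INTO radreply(username, attribute, op, value) VALUES (?,?,?,?)", reply_rows)
    return db


def check_item_passes(request, attribute, op, value):
    """Subset of the users-file/radcheck operators (see users(5))."""
    if op in (":=", "=", "+="):          # assignment into the check list never fails
        return True
    present = attribute in request
    if op == "==":
        return present and request[attribute] == value
    if op == "!=":
        return present and request[attribute] != value
    if op == "=*":
        return present
    if op == "!*":
        return not present
    raise ValueError(f"unsupported operator {op!r}")


def authorize(db, request):
    """Mimic rlm_sql authorize: every radcheck row for the user must pass before
    radreply rows are added. Returns (matched, reply_attrs, failed_items)."""
    user = request["User-Name"]
    rows = db.execute("SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
                      (user,)).fetchall()
    if not rows:
        return False, {}, ["no radcheck entry"]
    failed = [f"{a} {op} {v}" for a, op, v in rows
              if a not in PASSWORD_ITEMS and not check_item_passes(request, a, op, v)]
    if failed:
        # this is the "No matching entry in the database" case from the thread subject
        return False, {}, failed
    reply = dict(db.execute("SELECT attribute, value FROM radreply WHERE username = ? ORDER BY id",
                            (user,)).fetchall())
    return True, reply, []


# Constructed Access-Request as seen by authorize: it carries no tunnel attributes
REQUEST = {"User-Name": "bill", "NAS-IP-Address": "10.0.0.1", "NAS-Port": "3088"}


def misplaced_reply_item():
    """Tunnel-Private-Group-Id stored in radcheck with '==' becomes a check item
    the request can never satisfy, so the user gets no match."""
    db = open_db([("bill", "User-Password", "==", "s3cret"),
                  ("bill", "Tunnel-Private-Group-Id", "==", "100")], [])
    return authorize(db, REQUEST)


def corrected():
    """Same data with the tunnel attribute moved to radreply."""
    db = open_db([("bill", "User-Password", "==", "s3cret")],
                 [("bill", "Tunnel-Private-Group-Id", "=", "100")])
    return authorize(db, REQUEST)


if __name__ == "__main__":
    print(misplaced_reply_item())
    print(corrected())
```

Running it shows the failed check item by name, which is the quickest way to spot a misplaced row: anything in radcheck that is not a password or Auth-Type and uses `==` must actually be present in the Access-Request.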


Re: No Reply Proxy for Accounting Requests

2005-12-16 Thread David Bickle
In some versions of RADIUS it is possible using the proxy feature to forward
accounting requests to a home radius server or some other 3rd party server
without having to wait for a response packet. Typically this is accomplished
by configuring an attribute (ie. IgnoreAccountingResponse) in the proxy
section where the forwarding server is instructed to not wait for a reply. I
have examined the proxy.conf file and there appears to be no equivalent
functionality in FreeRadius. Is this true? Is there a work around?


On 12/16/05 9:54 AM, Dusty Doris [EMAIL PROTECTED] wrote:

 On Fri, 16 Dec 2005, David Bickle wrote:
 
 Does anyone know how to configure a proxy for the forwarding of no reply
 accounting requests? In particular I am interested in accounting start/stop
 packets.
 
 Thanks,
 
 What does forwarding of no reply accounting requests mean?
 




Re: RADIUS packet did not have correct Message-Authenticator

2005-12-16 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 I do not see the usual eap messages flying around, but nevertheless 
 radius sends an Access-Accept:
...
 modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type Accept

  Who sets that?  The server doesn't do that by default.

  Some part of your configuration sets Auth-Type := Accept.  As a
result, the EAP module is not run during the authenticate stage, and
no EAP-Message (or Message-Authenticator) gets sent back in the
Access-Accept.

  I suggest walking through the debug log, looking at each module
that's mentioned.  Run the LDAP queries by hand, to see if they return
Auth-Type = Accept.  Look at the users file entries.

  My guess is that the entry at line 25 of the users file has the Accept.

  Alan DeKok.
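Alan's explanation above, and the eapol_test log in Norbert's original post, are easy to reproduce on the wire. The following is an added example, my own code and not part of FreeRADIUS or eapol_test: it builds two Access-Accepts for the same constructed Access-Request, one carrying an EAP-Message plus the Message-Authenticator the EAP module would add, and one bare Access-Accept of the kind sent when Auth-Type := Accept bypasses EAP. verify_reply applies the checks an EAP peer applies, the RFC 2865 Response Authenticator first and then the RFC 2869/RFC 3579 HMAC-MD5 Message-Authenticator, and returns the same "No Message-Authenticator attribute found" verdict for the bare reply. The shared secret, packet identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed values: a real client picks a fresh random Request Authenticator
# per Access-Request, and the shared secret comes from clients.conf.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))


def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    """Parse RADIUS TLVs; raise on a truncated or zero-length attribute."""
    attrs, i = [], 0
    while i < len(blob):
        t, length = struct.unpack("!BB", blob[i:i + 2])
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attributes)
    with the Message-Authenticator value itself replaced by 16 zero bytes.
    For a reply, the authenticator field used is the Request Authenticator."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
              for t, v in attrs]
    body = encode_attrs(zeroed)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + request_auth + body, hashlib.md5).digest()


def build_reply(code, ident, request_auth, attrs, secret, sign):
    """Build an Access-Accept/Reject/Challenge. sign=False reproduces the reply
    sent when Auth-Type := Accept short-circuits the EAP module."""
    attrs = list(attrs)
    if sign:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865 3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(packet, request_auth, secret):
    """Client-side validation in the order an EAP peer applies it.
    Returns (accepted, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "bad length"
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False, "bad Response Authenticator"
    attrs = decode_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        # RFC 3579 3.2: a reply to a request carrying EAP-Message MUST include one
        return False, "No Message-Authenticator attribute found"
    expected_mac = message_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected_mac, macs[0]):
        return False, "incorrect Message-Authenticator"
    return True, "ok"


def demo():
    """Signed reply (EAP module ran) versus the bare reply from the thread."""
    eap_success = b"\x03\x05\x00\x04"            # EAP-Success, id 5, length 4
    signed = build_reply(ACCESS_ACCEPT, 0, REQUEST_AUTH,
                         [(ATTR_EAP_MESSAGE, eap_success)], SECRET, sign=True)
    bare = build_reply(ACCESS_ACCEPT, 0, REQUEST_AUTH,
                       [(ATTR_USER_NAME, b"host/pc1")], SECRET, sign=False)
    return verify_reply(signed, REQUEST_AUTH, SECRET), verify_reply(bare, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Note that the bare reply still has a valid Response Authenticator, so a plain NAS would accept it; only an EAP-aware peer insists on the Message-Authenticator, which is exactly why the server log looked fine while eapol_test dropped the packet.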


Re: RADIUS packet did not have correct Message-Authenticator

2005-12-16 Thread Norbert Wegener

Alan DeKok wrote:

 Norbert Wegener [EMAIL PROTECTED] wrote:
 
  I do not see the usual eap messages flying around, but nevertheless 
  radius sends an Access-Accept:
 ...
  modcall: leaving group authorize (returns updated) for request 0
    rad_check_password:  Found Auth-Type Accept
 
  Who sets that?  The server doesn't do that by default.
 
  Some part of your configuration sets Auth-Type := Accept.  As a
 result, the EAP module is not run during the authenticate stage, and
 no EAP-Message (or Message-Authenticator) gets sent back in the
 Access-Accept.
 
  I suggest walking through the debug log, looking at each module
 that's mentioned.  Run the LDAP queries by hand, to see if they return
 Auth-Type = Accept.  Look at the users file entries.
 
  My guess is that the entry at line 25 of the users file has the Accept.
 
  Alan DeKok.


Thank you Alan,
although I have not yet found the culprit, it is calming to know the 
reason behind it.  I have read this and that documentation about FreeRADIUS 
in the past, but this one, I think, never crossed my path.  Is 
there a document where this behaviour is described?

Norbert Wegener



Re: RADIUS packet did not have correct Message-Authenticator

2005-12-16 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
 although I have not yet found the culprit, it is calming to know the 
 reason behind it.  I have read this and that documentation about FreeRADIUS 
 in the past, but this one, I think, never crossed my path.  Is 
 there a document where this behaviour is described?

  What behavior?  That Auth-Type = Accept by-passes the EAP response?

  Alan DeKok.


Re: RADIUS packet did not have correct Message-Authenticator

2005-12-16 Thread Dusty Doris
although I have not yet found the culprit, it is calming to know the reason 
behind it.  I have read this and that documentation about FreeRADIUS in the 
past, but this one, I think, never crossed my path.  Is there a document 
where this behaviour is described?


I believe it's your users file, from your previous messages on LDAP.  I had 
given you an example of using Ldap-Group to make sure you hit that 
check item you want.  That worked, but now your Access-Accept is 
cancelling the EAP.  Sorry if I confused you, but I was just focusing on 
the LDAP part; I didn't even realize there was something else going on 
inside this.


Perhaps you should change it from:

DEFAULT Ldap-Group == 515, Auth-Type := Accept
   Framed-Type = Framed,
   Tunnel-Type:1 = VLAN,
   Tunnel-Medium-Type:1 = IEEE-802,
   Tunnel-Private-Group-ID:1 = 100

DEFAULT Auth-Type := Reject

To:
DEFAULT Ldap-Group == 515
   Framed-Type = Framed,
   Tunnel-Type:1 = VLAN,
   Tunnel-Medium-Type:1 = IEEE-802,
   Tunnel-Private-Group-ID:1 = 100


DEFAULT Auth-Type := Reject


?? I have never used EAP, but I believe if you take out the Auth-Type := 
Accept, the server should pick up on the fact that it needs to do EAP and 
will continue with that part.  Someone else will be able to give more 
insight on that part.


Re: IPv6 Support

2005-12-16 Thread Paulo Alexandre Caceres Ferreira
Hi, Alan

In a previous email, I asked you if FreeRADIUS supports IPv6 
authentication and you responded to me that the CVS version does.

 
  How and where do I configure the IPv6 attributes referred to in RFC 3162 for
  RADIUS to distribute them to authenticated users?
 
   You use the IPv6 attributes from the dictionary, just like you use
 IPv4 attributes from the dictionary.

Where can I get some documentation about this configuration?

   Version 1.0.5 does not listen on IPv6 addresses, so you can't use
 IPv6 clients, either.

If I can't use IPv6 clients, how can I execute an IPv6 authentication?

Does the CVS version listen on IPv6 addresses?

 
   Alan DeKok.

Thanks in advance,
Paulo Ferreira



Re: IPv6 Support

2005-12-16 Thread Alan DeKok
Paulo Alexandre Caceres Ferreira [EMAIL PROTECTED] wrote:
 In a previous email, I asked you if FreeRADIUS supports IPv6 
 authentication and you responded to me that the CVS version does.

  Yes... so?

You use the IPv6 attributes from the dictionary, just like you use
  IPv4 attributes from the dictionary.
 
 Where can I get some documentation about this configuration?

  Read your NAS documentation on what IPv6 attributes it takes.

Version 1.0.5 does not listen on IPv6 addresses, so you can't use
  IPv6 clients, either.
 
 If I can't use IPv6 clients, how can I execute an IPv6 authentication?

  Is it really that hard to figure out?

 Does the CVS version listen on IPv6 addresses?

  Uh...  why are you asking this again?  Do you think the answer has changed?

  Alan DeKok.


PAM client password change

2005-12-16 Thread John Kelly
I see that

http://www.freeradius.org/pam_radius_auth/README

says

  This is the PAM to RADIUS authentication module.  It allows any
Linux or Solaris machine to become a RADIUS client for authentication
and password change requests.

  ^

OK!  But then http://www.freeradius.org/pam_radius_auth/USAGE

says

 The module takes a number of configuration options.
 Password changing is not implemented, as the RADIUS protocol does not

   ^

So README says yes, and USAGE says no.

I want to take all my users out of /etc/passwd and put them in a RADIUS
server (running on the same host).  And it would be nice if they could
change their own passwords.  But after reading the documents above, I
don't know what to believe.

Is this possible with pam_radius?




rlm_sqlcounter and something else than Session-Timeout

2005-12-16 Thread Damjan
Currently rlm_sqlcounter sums all the session time used by a user, via a
MySQL query (summing all the AcctSessionTime) and returns a corresponding
Session-Timeout reply to the NAS.

Now, in my application, I limit users by bytes transferred, so I need to
sum AcctInputOctets and AcctOutputOctets, compare that sum to a check
attribute (let's call it Max-All-Transfer) and return a corresponding
ChilliSpot-Max-Total-Octets.

I believe this is not configurable in rlm_sqlcounter?
I could try to make a patch if someone is willing to help me and guide
me a bit.


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
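The octet-based counter Damjan describes is the same shape as rlm_sqlcounter's time counter: one aggregate query over radacct restricted to the current reset period, a comparison against a per-user check item, and a reply attribute carrying what is left. The following is an added example, my own code and not rlm_sqlcounter or a patch to it; it models that logic against an in-memory SQLite table with constructed accounting rows, using the attribute names from the post (Max-All-Transfer as the check item, ChilliSpot-Max-Total-Octets as the reply). The radacct columns, the reset semantics (daily/monthly/never, computed in UTC) and the timestamps are assumptions.

```python
import calendar
import sqlite3
import time

# Constructed radacct subset; the real table has many more columns.
SCHEMA = """
CREATE TABLE radacct (
    username TEXT, acctstarttime INTEGER,
    acctinputoctets INTEGER, acctoutputoctets INTEGER
);
"""

# The counter query. rlm_sqlcounter substitutes %u (user) and %b (period start)
# into its query string; here they are bound parameters instead.
USED_OCTETS_QUERY = """
SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0)
  FROM radacct
 WHERE username = ? AND acctstarttime >= ?
"""


def period_start(now, reset):
    """Unix time at which the current counting period began (UTC)."""
    t = time.gmtime(now)
    if reset == "never":
        return 0
    if reset == "daily":
        return calendar.timegm((t.tm_year, t.tm_mon, t.tm_mday, 0, 0, 0))
    if reset == "monthly":
        return calendar.timegm((t.tm_year, t.tm_mon, 1, 0, 0, 0))
    raise ValueError(f"unknown reset {reset!r}")


def octet_counter(db, username, check_items, now, reset="monthly",
                  check_name="Max-All-Transfer",
                  reply_name="ChilliSpot-Max-Total-Octets"):
    """Byte-based counterpart of rlm_sqlcounter's Session-Timeout logic.
    Returns (rcode, reply_attrs): 'noop' when the user has no limit,
    'reject' when it is exhausted, 'ok' with the remaining allowance."""
    limit = check_items.get(check_name)
    if limit is None:
        return "noop", {}
    used = db.execute(USED_OCTETS_QUERY,
                      (username, period_start(now, reset))).fetchone()[0]
    if used >= limit:
        return "reject", {"Reply-Message": "Your traffic allowance is used up"}
    return "ok", {reply_name: limit - used}


NOW = 1134700000   # constructed: 2005-12-16 02:26:40 UTC, the date of this thread
DAY = 86400


def demo():
    """Three constructed cases: within the monthly limit, exhausted when the
    counter never resets, and a user with no limit configured."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", [
        ("damjan", NOW - 3 * DAY, 40_000_000, 10_000_000),    # this month
        ("damjan", NOW - 40 * DAY, 900_000_000, 50_000_000),  # last month
        ("other", NOW - 3600, 1_000_000, 1_000_000),
    ])
    checks = {"Max-All-Transfer": 100_000_000}
    return (octet_counter(db, "damjan", checks, NOW, reset="monthly"),
            octet_counter(db, "damjan", checks, NOW, reset="never"),
            octet_counter(db, "other", {}, NOW))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two things the real module has to care about that this sketch makes visible: the reset boundary must be computed on the server's notion of time consistently with how acctstarttime is stored, and the query must return 0 rather than NULL for a user with no sessions yet, otherwise the comparison rejects a fresh account.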