pam_radius_auth token user
This question appears in various forums time and time again, though I've yet to discover a solution for it under Linux. It *must* be a common issue. The need exists to map users who are successfully authenticated via pam_radius_auth and who do not have a local account to a default 'token user'. FreeBSD's radius/pam module has a simple and obvious 'template_user' directive that suits this precise purpose well. Linux pam_radius_auth lacks this feature. Deploying centralized authentication only to require that all other user info be manually configured on each and every device anyway doesn't make any sense. Nor should it involve a full-blown and often unwieldy NIS (or similar) infrastructure to function. Surely I'm overlooking something. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regarding VLAN
Hi, I tried sending tunneling attributes from the RADIUS server, and it shows sending those tunneling attributes, but the access point doesn't seem to understand it anyway. I had configured both the access point and the switch for this. What can be the problem?
Re: group definitions in users file
"ho" <[EMAIL PROTECTED]> wrote:
> Is it possible to group the User entries and then give them the special
> profile with the AVPairs?

Yes. You can use Unix groups for this, or create your own groups. See "man rlm_passwd" for an example of creating groups.

Alan DeKok.
Help, Chap problem
Hello:

I have this problem; I get this message in the log:

"Tue Apr 11 14:43:18 2006 : Auth: Login incorrect (rlm_chap: Clear text password not available): [adexus/] (from client 3com port 268443649 cli 0010-a484-6e7a)"

I set the users file as follows:

adexus  Auth-Type := CHAP, User-Password == "adexus"

I configured the Windows 2000 802.1x client as follows: EAP type: MD5 challenge.

Any idea?

Saludos
Francisco Lagos
group definitions in users file
Hi folks,

My environment: I do AAA with FreeRADIUS as a RADIUS proxy in combination with MS IAS (only for the passwords ;-) ) for a Cisco ASA 5540 box, which is similar to a Cisco PIX firewall. In the future we will have many, many entries for users with the same Cisco-AVPairs:

USER1   Proxy-To-Realm := IAS
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq domain",
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq domain",
        Cisco-AVPair += "ip:inacl# = permit tcp any host A.B.C.D eq 264",
        Cisco-AVPair += "ip:inacl# = permit tcp any host A.B.C.D eq 443",
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq isakmp",
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq 2746",
        Cisco-AVPair += "ip:inacl# = permit esp any host A.B.C.D",
        Cisco-AVPair += "ip:inacl# = deny tcp any any",
        Cisco-AVPair += "ip:inacl# = deny udp any any",
        Fall-Through = 0

Is it possible to group the User entries and then give them the special profile with the AVPairs? If not, what could be another good workaround for this problem?

thanks
marco
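One way to do what Alan DeKok suggests in his reply above (Unix groups plus a shared profile), as an added example that is not part of the original thread: Marco's reply attributes moved out of the per-user entry into a DEFAULT entry keyed on a Unix group. It assumes a group named vpn-dns in /etc/group on the RADIUS host (the unix module, which Steve's log further down shows loaded by default, provides the Group check item), writes the ACL entries with a sequence number after inacl# in the form Cisco documents, and keeps A.B.C.D as a placeholder.

```conf
# raddb/users -- added example, not from the thread.
# Assumes the local Unix group "vpn-dns" lists the VPN users and that the
# unix module is loaded (it provides the "Group" check item).

# The per-user line keeps only what differs per user.  "Fall-Through = Yes"
# tells rlm_files to keep searching, so the DEFAULT entry below also applies.
USER1   Proxy-To-Realm := IAS
        Fall-Through = Yes

USER2   Proxy-To-Realm := IAS
        Fall-Through = Yes

# Shared profile for every member of the group.  "+=" appends each AVPair
# instead of replacing the previous one.  A.B.C.D is a placeholder as in
# the original entry.
DEFAULT Group == "vpn-dns"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#1=permit udp any host A.B.C.D eq domain",
        Cisco-AVPair += "ip:inacl#2=permit tcp any host A.B.C.D eq 264",
        Cisco-AVPair += "ip:inacl#3=permit tcp any host A.B.C.D eq 443",
        Cisco-AVPair += "ip:inacl#4=permit udp any host A.B.C.D eq isakmp",
        Cisco-AVPair += "ip:inacl#5=permit udp any host A.B.C.D eq 2746",
        Cisco-AVPair += "ip:inacl#6=permit esp any host A.B.C.D",
        Cisco-AVPair += "ip:inacl#7=deny tcp any any",
        Cisco-AVPair += "ip:inacl#8=deny udp any any",
        Fall-Through = No
```

rlm_files walks the file top to bottom: USER1 matches first, its Fall-Through = Yes keeps the search going, and the DEFAULT entry adds the group's attributes. The Group check resolves the RADIUS user name through getpwnam and getgrnam on the RADIUS host, so a user with no local account, or one who is not a member of vpn-dns, gets only the per-user line; check with `id USER1` on the server before testing with radtest.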
Re: sql database in freeradius-1.1.1 ???
Hi,

> src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
>
> are lost in version 1.1.1, which I've downloaded 2 days ago?
>
> I've tried a find, but didn't have a match.

doc/examples/mysql.sql ?

Granted, not many people look in the doc directory generally ;-)

alan
Re: sql database in freeradius-1.1.1 ???
Thank you for answering so quickly, I found the file. Sorry for posting with HTML.

marco

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Tuesday, April 11, 2006 9:29 PM
Subject: Re: sql database in freeradius-1.1.1 ???

> "ho" <[EMAIL PROTECTED]> wrote:
> > src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
> > are lost in version 1.1.1, which I've downloaded 2 days ago?
>
> doc/examples/
>
> Alan DeKok.
Re: sql database in freeradius-1.1.1 ???
"ho" <[EMAIL PROTECTED]> wrote:
> src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
>
> are lost in version 1.1.1, which I've downloaded 2 days ago?

doc/examples/

Alan DeKok.
sql database in freeradius-1.1.1 ???
Hi,

Am I right that the database schemas under e.g. src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql are lost in version 1.1.1, which I downloaded 2 days ago? I've tried a find, but didn't have a match. Can I use the same schema I downloaded with version 1.0.4?

Best regards
marco
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
On Tue 11 Apr 2006 20:20, Alan DeKok wrote:
> Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> > Perhaps it's fine if the copyright owners distribute the binaries
> > themselves, I don't know.
>
> Copyright owners can do whatever they want with their copyrighted
> material, including changing the copyright, or distributing the
> material in ways that are denied to others.
>
> > Aside the legal problem, I believe it's a great idea: we could provide
> > an apt repository with the latest version of FreeRADIUS for Debian
> > stable, testing and unstable.
>
> Ok. Let's get it set up.
>
> If we go down that route, though, I'd like to make RPM's available,
> Solaris PKG's, etc. That involves some additional resources which
> might not be readily available.

I already make RPMs available on a sporadic basis for SUSE. I had a red carpet repo set up also, but haven't maintained it recently...

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Alan DeKok <[EMAIL PROTECTED]> wrote:
> Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> > Perhaps it's fine if the copyright owners distribute the binaries
> > themselves, I don't know.
>
> Copyright owners can do whatever they want with their copyrighted
> material, including changing the copyright, or distributing the
> material in ways that are denied to others.
>
> > Aside the legal problem, I believe it's a great idea: we could provide
> > an apt repository with the latest version of FreeRADIUS for Debian
> > stable, testing and unstable.
>
> Ok. Let's get it set up.
>
> If we go down that route, though, I'd like to make RPM's available,
> Solaris PKG's, etc. That involves some additional resources which
> might not be readily available.

I've had my eye on this package, it may help: http://www.autobuild.org/

I think even if we do this, I'd like to see the FreeRadius license change to allow linking against OpenSSL, the OpenSSL license to change to allow linking against GPL, and the GPL license to change to allow linking against whatever.

- Tyler
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> Perhaps it's fine if the copyright owners distribute the binaries
> themselves, I don't know.

Copyright owners can do whatever they want with their copyrighted material, including changing the copyright, or distributing the material in ways that are denied to others.

> Aside the legal problem, I believe it's a great idea: we could provide
> an apt repository with the latest version of FreeRADIUS for Debian
> stable, testing and unstable.

Ok. Let's get it set up.

If we go down that route, though, I'd like to make RPM's available, Solaris PKG's, etc. That involves some additional resources which might not be readily available.

Alan DeKok.
Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)
Alan DeKok wrote:
> How about an additional idea: I don't think it's a problem for
> copyright owners to distribute binaries, so if we set up a mini apt
> system (say apt.freeradius.org), we could put problematic debian
> packages there.

Perhaps it's fine if the copyright owners distribute the binaries themselves, I don't know.

Aside the legal problem, I believe it's a great idea: we could provide an apt repository with the latest version of FreeRADIUS for Debian stable, testing and unstable.

Indeed I think more people are installing Debian stable (Sarge) on a production server, but they get an old version of FreeRADIUS (unless they compile it manually). Such a repository would help the Debian users to easily upgrade FreeRADIUS on their servers with the apt-get utility.

--
Nicolas Baradakis
How to implement radius with mysql
Hello. I am a new user of FreeRADIUS; the version that I use is 1.0.4-1. Does anybody know where I can find help to enable MySQL with RADIUS?

Thanks,
Alex.
Re: Acct-Type and MySQL
Luca Corti wrote:
> Now I'd like to specify "Acct-Type := DIALUP" in MySQL for a particular
> group of users so that accounting for that group uses sql_dialup.
>
> Is this doable? Do I need to specify Acct-Type as a reply or check item?

You need to specify Acct-Type during "preacct". It's doable if you can write an acct_users file to set the Acct-Type.

If you need to do it with MySQL, I've seen a patch on the bugzilla.
http://bugs.freeradius.org/show_bug.cgi?id=264

--
Nicolas Baradakis
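The preacct wiring Nicolas describes, as an added example that is not from the original thread and is not the bugzilla patch he mentions. Because the files module resolves acct_users at preacct time with no SQL lookup, the entry below keys on the NAS address rather than on a MySQL user group; the address 192.0.2.10 is an assumption, and the DIALUP name and the sql_dialup instance are taken from Luca's question.

```conf
# raddb/acct_users -- read by the "files" module in the preacct section.
# Added example, not from the thread.  Acct-Type is a check item, so it is
# written into the request's config items while the packet is processed,
# and the accounting section below selects the sub-section that matches.
# 192.0.2.10 is a placeholder for the dial-up access server.
DEFAULT NAS-IP-Address == 192.0.2.10, Acct-Type := DIALUP

# raddb/radiusd.conf (excerpts)
preacct {
        preprocess
        acct_unique
        suffix
        files           # reads acct_users; must run before "accounting"
}

accounting {
        # A packet that arrives with Acct-Type = DIALUP runs only this
        # sub-section; the module list outside it is skipped for that packet.
        Acct-Type DIALUP {
                sql_dialup
        }
        # Every packet without an Acct-Type runs the normal list.
        detail
        sql
}
```

The sub-section replaces, rather than extends, the top-level list for the packets it matches, which is what routes one NAS to sql_dialup while everything else keeps using sql. Confirm it with radiusd -X: a Start from 192.0.2.10 should show sql_dialup, and only sql_dialup, being called in the accounting section.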
Re: How do I set up simple AD integration?
"Burton, Steven" <[EMAIL PROTECTED]> wrote:
> This stanza is enclosed within the mschap section. Still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The first
> request didn't match anything useful and was rejected by System. I
> tried again but ticked the box 'CHAP' on NTRadPing and got the
> output:

You can't do CHAP to MS AD. It's impossible.

Alan DeKok.
RE: How do I set up simple AD integration?
You would still need with_ntdomain_hack = yes. But that isn't your actual problem. It never called ntlm_auth.

> -Original Message-
> From: Burton, Steven
> Sent: Tuesday, April 11, 2006 11:15 AM
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
>
> This stanza is enclosed within the mschap section. Still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The first request
> didn't match anything useful and was rejected by System. I tried again but
> ticked the box 'CHAP' on NTRadPing and got the output:
Re: How do I set up simple AD integration?
Steve,

> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
>
> This stanza is enclosed within the mschap section. Still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The first request
> didn't match anything useful and was rejected by System. I tried again but
> ticked the box 'CHAP' on NTRadPing and got the output:
>
> rad_check_password: Found Auth-Type CHAP
> auth: type "CHAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group CHAP for request 0
> rlm_chap: login attempt by "burst01" with CHAP password
> rlm_chap: Could not find clear text password for user burst01
> modcall[authenticate]: module "chap" returns invalid for request 0
> modcall: leaving group CHAP (returns invalid) for request 0

You can't do this. If you want to do ntlm_auth, you need to use an authentication protocol that provides FreeRADIUS with either the user's (1) cleartext credentials or (2) the user's NT credentials. CHAP won't work - it's impossible. However PAP will work, as will MS-CHAP. CHAP is different from MS-CHAP.

best regards,
josh.
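The PAP route josh points at, as an added example that is not from this thread: a plain password from NTRadPing is handed to ntlm_auth through the exec module, which is the step Steve said he wanted working before MS-CHAPv2 and PEAP. It uses the exec module's wait/program settings that Steve's own log shows the server reading, and assumes the domain is EXAMPLE, that ntlm_auth is /usr/local/bin/ntlm_auth as in his log, and that winbindd is running on a joined host (his wbinfo -a test).

```conf
# Added example, not from the thread.  Assumptions: domain EXAMPLE,
# ntlm_auth at /usr/local/bin/ntlm_auth, winbindd running on a joined host.

# radiusd.conf, inside the modules { } section.  rlm_exec expands the
# program string per request and runs it; with wait = yes an exit status of
# 0 becomes Access-Accept and anything else Access-Reject.
# %{mschap:User-Name} strips a DOMAIN\ prefix from the login name;
# %{User-Password} is the cleartext PAP password from the request, which
# only exists for PAP (this is why CHAP cannot be checked this way).
exec ntlm_auth {
        wait = yes
        program = "/usr/local/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# radiusd.conf, authenticate { } section: add a sub-section for the new
# Auth-Type beside the ones the default file already has.
authenticate {
        Auth-Type ntlm_auth {
                ntlm_auth
        }
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}

# raddb/users: send every request through ntlm_auth for this test.
# ":=" overwrites an Auth-Type the mschap module has already set, so remove
# this line again before moving on to MS-CHAP or PEAP.
DEFAULT Auth-Type := ntlm_auth
```

With this in place, radiusd -X shows the exec module being called for a PAP request from NTRadPing, which is the call King notes was missing. Two cautions: the password travels on ntlm_auth's command line, so it is visible in the process list on the RADIUS host for the duration of the call, and PAP carries the password to the server with only the RADIUS shared secret protecting it, so keep this for the lab test and move to MS-CHAP (the mschap module's ntlm_auth line quoted above, with --challenge and --nt-response) once the lookup works.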
RE: How do I set up simple AD integration?
> -Original Message-
> From: King, Michael
> Sent: 11 April 2006 15:40
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
>
> What you're looking for is the following lines: (I have two ntlm_auth
> lines, the original that is commented out, and the one that I use. They
> are long, so they will break across lines, but they are not that way in
> my config file)
>
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"

This stanza is enclosed within the mschap section. Still, nothing ventured, I changed the line and unfolded it and ran radiusd -X. The first request didn't match anything useful and was rejected by System. I tried again but ticked the box 'CHAP' on NTRadPing and got the output:
RE: How do I set up simple AD integration?
> Is there a how-to or tutorial for this simple case? I have
> searched this list and google generally. I have read the
> articles referred to on the FreeRadius home page and several
> others and I still can't see how the configuration works. Any
> and all help gratefully received.
>
> Steve.

As for the simple how-to, there are a few, but none that I would consider easy to follow.

What you're looking for is the following lines: (I have two ntlm_auth lines, the original that is commented out, and the one that I use. They are long, so they will break across lines, but they are not that way in my config file)

        # Windows sends us a username in the form of
        # DOMAIN\user, but sends the challenge response
        # based on only the user portion. This hack
        # corrects for that incorrect behavior.
        #
        with_ntdomain_hack = yes

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller. This configuration
        # directive tells the module to call the ntlm_auth
        # program, which will do the authentication, and return
        # the NT-Key. Note that you MUST have "winbindd" and
        # "nmbd" running on the local machine for ntlm_auth
        # to work. See the ntlm_auth program documentation
        # for details.
        #
        # Be VERY careful when editing the following line!
        #
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
Re: How do I set up simple AD integration?
Burton, Steven wrote:
> However, although I can see tantalizing references to 'ntlm_auth' and
> 'ntdomain' and the like in various files I cannot see how to trigger an AD
> lookup from a RADIUS request. So far all I have achieved is:

You are doing well. Too many people try to jump directly to the end.

I *think* AD = LDAP is the piece you are missing. See where that gets you. I don't use either, so beyond pointing you in that direction, I can't help much.

You also probably don't need the sql.conf file as I didn't see mention of an SQL server anywhere. There is probably an ldap.conf file or an ldap section of the radiusd.conf that you should look at.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
How do I set up simple AD integration?
Hi,

I am trying to set up FreeRADIUS 1.1.1 on FreeBSD 6.0 REL with user integration with Active Directory for a Windows 2003 domain currently in Win2000 mixed mode. My final objective is to authenticate user connections through a wireless AP.

I have set up Samba 3 and successfully joined the Windows domain. I have tried:

# wbinfo -u
# wbinfo -g
# wbinfo -a username%password
# ntlm_auth --request-nt-key --domain= --username=

and all ran/authenticated successfully.

I have built and installed FreeRADIUS 1.1.1 from the FreeBSD port and copied:

acct_users
clients.conf
dictionary
eap.conf
hints
huntgroups
preproxy_users
proxy.conf
radiusd.conf
realms
snmp.conf
sql.conf
users

from the *.sample files provided and added my PC as a client (for NTRadPing) and an 802.11g AP with matching shared secrets and type 'other'.

I have uncommented the example user 'steve' in users and I can get an 'Access-Accept' using NTRadPing with Steve's credentials, so I know that local users are working.

If I point NTRadPing at our Funk SBR server with my Windows username and password I can get an 'Access-Accept', so, initially, I would like to emulate this operation before I get involved with MSCHAPv2, PEAP etc.

However, although I can see tantalizing references to 'ntlm_auth' and 'ntdomain' and the like in various files I cannot see how to trigger an AD lookup from a RADIUS request. So far all I have achieved is:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/
Re: problem with oracle scheme - table radacct
On Mon 10 Apr 2006 23:21, Mathieu Legare wrote:
> Using freeradius 1.1.0 on RHEL 4.0 update 3 with Oracle 9 database
> backend for accounting, we discovered the following problem while trying
> to add our wireless stuff to our RADIUS system. We've been using the
> current setup for PPP login with a Cisco access server without any
> problem.
>
> So the NAS is a Nortel WLAN Security Switch 2380 (more or less a Trapeze
> device if I am not mistaken). The WLAN switch sends a "start
> accounting" packet; unfortunately the content of the %{NAS-Port-Id}
> variable that the WLAN switch sends seems to be in the following format:
> "2049/1", which is NOT a NUMERIC(12) (or integer if using the MySQL
> driver). This causes an ORA-01722 error. We've changed the NasPortId
> field type to VARCHAR2(15) to fix the problem.
>
> I really don't know if changing the type of the NasPortId field to
> varchar2 can introduce other problems; so far we haven't noticed any.

Although I have not seen this type of value previously, the RFC does define NAS-Port-Id as a string, so I will update all of the sample schemas to take this into account.

Regards
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Acct-Type and MySQL
Hello,

I'm using MySQL as an authentication and accounting backend. I'd like to move the accounting for users in a particular group to a different table in the database.

sql.conf:

    sql sql_generic {
        ...
    }

    sql sql_dialup {
        ...
    }

radiusd.conf:

    accounting {
        ...
        Acct-Type DIALUP {
            sql_dialup
        }
        sql_generic
    }

Now I'd like to specify "Acct-Type := DIALUP" in MySQL for a particular group of users so that accounting for that group uses sql_dialup. Is this doable? Do I need to specify Acct-Type as a reply or check item?

thanks
--
Luca Corti
PGP Key ID 1F38C091
BOFH excuse of the moment: The kernel license has expired
Cisco AP 1240AG - PEAP/MSCHAPv2 with ntlm_auth
Hi,

My situation: I've Windows 2003 Server domain controllers. I use FreeRADIUS, which authenticates the clients in the domain with ntlm_auth. Only users who are in the group "wireless" have access to the wireless:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=DOMAIN\\WIRELESS"

My question is now: how can I realize that I've 2 SSIDs, one ssid=administrators and the other ssid=users? I omit the "--require-membership-of=DOMAIN\\WIRELESS" on the ntlm authentication and make two groups in the Active Directory:

    -- wireless_admin - ssid1=adminis
    -- wireless_users - ssid2=users

When the user is a member of admins he gets the VLAN and the SSID for Administrators, and when the user is a member of users he gets the VLAN and the SSID for Users.

Is it possible to configure it in "/etc/raddb/users" like the following, but without user1, instead of this a group...

    user1   Auth-Type := EAP
            Cisco-AVPair := "ssid=admins",
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN

    user2   Auth-Type := EAP
            Cisco-AVPair := "ssid=users",
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN

Does someone have experience with associating ntlm and group differentiation... and how can I do that the admins can also log in via shell, and the users only authentication, no shell or something like that?

thx
Konne
Re: Can Juniper router or firewall configured on Free radius
Venu Gopal <[EMAIL PROTECTED]> writes:
> Currently I'm doing testing on Netscreen boxes N25/50
> series; it works for authentication. If you could help
> me in defining the privilege level commands on the radius
> server like cisco for netscreen boxes, it would be
> a great help.

Take a look at share/dictionary.netscreen

I haven't used these boxes myself, but the VSAs look pretty self-explanatory.

Bjørn
Digest & Messenger
Dear Alan,

I changed the version of freeradius to 1.1.1 and we kept the last radiusd.conf file from the 1.0.5 version unchanged. Below you can see the excerpt of the radiusd.conf file:

    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
    }

    instantiate {
        exec
        expr
    }

    authorize {
    #   preprocess
    #   auth_log
    #   attr_filter
    #   chap
    #   mschap
        digest
    #   eap
        sql
    }

    authenticate {
    #   Auth-Type PAP {
    #       pap
    #   }
    #   Auth-Type CHAP {
    #       chap
    #   }
    #   Auth-Type MS-CHAP {
    #       mschap
    #   }
        digest
    #   unix
    #   eap
    }

===

When I test the server with some open source SIP phones, everything is OK, but when I want to test the following user with MSN Messenger, a reject packet was received:

    user = server2_user1
    password = test
    URI = [EMAIL PROTECTED]
    Method = REGISTER
    Algorithm = "MD5"

Here is the debug of freeradius for this packet:

    rad_recv: Access-Request packet from host 10.10.1.3:2309, id=242, length=200
        NAS-Identifier = "testrealm"
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x0a0f736572766572325f7573657231
        Digest-Attributes = 0x02226530663765326631373633376638323638316463323461396262363264643637
        Digest-Attributes = 0x06054d4435
        User-Name = "server2_user1"
        Digest-Attributes = 0x04187369703a746573747265616c6d2e696369692e636f6d
        Digest-Response = "5f0fc8449eb607379d80ad34a83fe512"
        Digest-Attributes = 0x0114746573747265616c6d2e696369692e636f6d
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    rlm_digest: Adding Auth-Type = DIGEST
    modcall[authorize]: module "digest" returns ok for request 0
    radius_xlat: 'server2_user1'
    rlm_sql (sql): sql_set_user escaped user --> 'server2_user1'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'server2_user1' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 4
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'server2_user1' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'server2_user1' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): Released sql socket id: 4
    modcall[authorize]: module "sql" returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type DIGEST
    auth: type "digest"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 0
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-Method = "REGISTER"
        Digest-User-Name = "server2_user1"
        Digest-Nonce = "e0f7e2f17637f82681dc24a9bb62dd67"
        Digest-Algorithm = "MD5"
        Digest-URI = "sip:testrealm.icii.com"
        Digest-Realm = "testrealm.icii.com"
    A1 = server2_user1:testrealm.icii.com:test
    A2 = REGISTER:sip:testrealm.icii.com
    KD = 590b483ad6e6df65edb1826f5404e3a5:e0f7e2f17637f82681dc24a9bb62dd67:684a8ca612e13a06c419dc89351ac183
    rlm_digest: FAILED authentication
    modcall[authenticate]: module "digest" returns reject for request 0
    modcall: leaving group authenticate (returns reject) for request 0
    auth: Failed to validate the user.

===

Now let's look at a correct authentication that was sent by an open source SIP phone:

    rad_recv: Access-Request packet from host 10.10.1.3:2773, id=22, length=200
        NAS-Identifier = "testrealm"
        Digest-Attributes = 0x030a5245474953544552
        Digest-Attributes = 0x0a0f736572766572325f7573657231
        Digest-Attributes = 0x02226562376234336638333032613234656261343338313533366338346334393335
        Digest-Attributes = 0x06054d4435
        User-Name = "server2_user1"
        Digest-Attributes = 0x04187369703a746573747265616c6d2e696369692e636f6d
        Digest-Response = "d1b993f54dc5e242c4b67389188db5dd"
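The debug output above shows the two things rlm_digest does before it can compare anything: it unpacks each Digest-Attributes value (a one-byte sub-type, a one-byte length that counts its own two header bytes, then the text) into Digest-Method, Digest-Nonce and so on, and it then recomputes the RFC 2617 response as MD5(MD5(A1):nonce:MD5(A2)) from the clear-text password. The script below is an added illustration, not code from the post or from FreeRADIUS; it decodes the Digest-Attributes of the rejected MSN packet and recomputes the response with password "test". Sub-types 1, 2, 3, 4, 6 and 10 are confirmed by the log; 5, 8 and 9 (Qop, CNonce, Nonce-Count) are assumed from the draft-sterman sub-attribute dictionary so the qop=auth variant can also be checked. Because the trace prints KD but not the final hash, the test vector for the computation itself is the worked example from RFC 2617 section 3.5.

```python
"""Decode RADIUS Digest-Attributes sub-TLVs and recompute the HTTP Digest
response the way rlm_digest does (RFC 2069 form without qop, RFC 2617 form
with qop=auth)."""
import hashlib
import hmac

# Sub-attribute numbers carried inside Digest-Attributes.
# 1, 2, 3, 4, 6 and 10 are confirmed by the debug output above;
# 5, 8 and 9 are an assumption taken from the draft-sterman dictionary.
SUBATTR_NAMES = {
    1: "Digest-Realm",
    2: "Digest-Nonce",
    3: "Digest-Method",
    4: "Digest-URI",
    5: "Digest-Qop",
    6: "Digest-Algorithm",
    8: "Digest-CNonce",
    9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}


def parse_digest_attributes(hex_values):
    """Each value is one TLV: type (1 byte), length (1 byte, including the
    2 header bytes), then the attribute text. Returns a name -> value dict."""
    attrs = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.startswith("0x") else hv)
        # A length that disagrees with the actual size is a malformed packet.
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError(f"malformed Digest-Attributes TLV: {hv}")
        name = SUBATTR_NAMES.get(raw[0], f"Digest-Unknown-{raw[0]}")
        attrs[name] = raw[2:].decode("ascii")
    return attrs


def _h(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    Without qop the response is MD5(HA1:nonce:HA2), which is exactly the
    KD string the trace prints; with qop=auth nc, cnonce and qop join in."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    if qop is None:
        return _h(f"{ha1}:{nonce}:{ha2}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_request(digest_attrs_hex, digest_response_hex, password):
    """Decode the request and compare the recomputed response with the
    Digest-Response the client sent. Returns (decoded attrs, matched)."""
    attrs = parse_digest_attributes(digest_attrs_hex)
    expected = digest_response(
        attrs["Digest-User-Name"], attrs["Digest-Realm"], password,
        attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"],
        qop=attrs.get("Digest-Qop"), nc=attrs.get("Digest-Nonce-Count"),
        cnonce=attrs.get("Digest-CNonce"))
    # Constant-time compare, as one would for any authenticator.
    return attrs, hmac.compare_digest(expected, digest_response_hex.lower())


# The rejected MSN Messenger packet, copied from the debug output above.
MSN_DIGEST_ATTRIBUTES = [
    "0x030a5245474953544552",
    "0x0a0f736572766572325f7573657231",
    "0x02226530663765326631373633376638323638316463323461396262363264643637",
    "0x06054d4435",
    "0x04187369703a746573747265616c6d2e696369692e636f6d",
    "0x0114746573747265616c6d2e696369692e636f6d",
]
MSN_DIGEST_RESPONSE = "5f0fc8449eb607379d80ad34a83fe512"

if __name__ == "__main__":
    attrs, ok = check_request(MSN_DIGEST_ATTRIBUTES, MSN_DIGEST_RESPONSE, "test")
    for name, value in attrs.items():
        print(f'{name} = "{value}"')
    print("authenticated" if ok else "FAILED authentication")
```

Running it reproduces the "Converting Digest-Attributes to something sane" block and ends with FAILED authentication for the MSN packet, the same verdict as the trace. A matching response from an RFC 2617 client requires the same qop, nc and cnonce the client used, so a request that carries a Digest-Qop sub-attribute must be recomputed in the qop form or it will never verify.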
Modifying username before its handed off to other modules?
Hello,

I need to modify the username attribute dynamically before it's handed off to other modules. Is it possible to use the "rlm_attr_rewrite" module in a simple perl script? I want to change user numbers to usernames. Any ideas about that one?

Thanks,
David Lais
[EMAIL PROTECTED]
filter to authenticate posixAccount users
Hi,

I was a little confused about the radiusd.conf settings for LDAP authentication. These are a few doubts I have...

1) Is there any specific filter entry to authenticate posixAccount users? The default is filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"; will this work for posixAccount / shadowAccount users?

2) Do I need to comment the password_attribute = "userPassword" entry for a successful bind to the LDAP server?

3) Why does the entry base_filter = "(objectclass=radiusprofile)" get set when radiusd runs even though I comment it in the radiusd.conf file? Is the base filter entry required for LDAP authentication? If yes, is the above default entry correct?

I've tried rlm_ldap authentication but failed till now; I get the error message during authentication:

    rlm_ldap: Bind failed with invalid credentials

However, bind is successful during authorization but fails during authentication... any ideas?