Authentication by validating RADIUS attribute value
Hi all,

I am using FreeRADIUS 1.1.1 and Fedora Directory Server 7.2 as the LDAP backend to store all the user information. I configured RADIUS to contact the LDAP server to authenticate the user request.

I have to implement the following requirement. For each user in the LDAP server I will set some value for a RADIUS attribute, say for example Filter-ID = 100. If an authentication request comes to the RADIUS server it will contact the LDAP server, and if the user is present in the LDAP server, RADIUS will authenticate the user.

What I want is to authenticate the user by validating the value of the RADIUS attribute in the LDAP server. For example, if the Filter-ID is 100 for user 'jack' I have to authenticate. If 'jack' has Filter-ID as 123 I should not authenticate.

Do I have to call a script before authenticating a user? If so, how can I call it, and in which file do I have to define the entries? What are the various methods by which I can achieve the above?

Anyone pls help me to get rid of the problem. Thanks in advance. Pls give me the complete details.

Regards,
Hariharan.R

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Questions about debug output
I have a few questions about the debug output from an ultimately successful EAP-TTLS-CHAP authentication. Consider this snippet:

...
rad_recv: Access-Request packet from host 192.168.1.228:1045, id=210, length=166
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.228
        Connect-Info = "CONNECT 802.11"
        Called-Station-Id = "000b6b8c03f9"
        Calling-Station-Id = "00146c6f2e75"
        NAS-Identifier = "00-14-6c-6f-2e-75"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 15
        NAS-Port-Id = "15"
        Framed-MTU = 1400
        State = 0x656cef9c49bb7e305b809bc113ece6c4
        EAP-Message = 0x020700061500
        Message-Authenticator = 0xfd14176dee74fed4980d51bbf880b8a6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 173
...

1. First, what does this mean: 'module "chap" returns noop for request 3'? My client uses CHAP, so why doesn't "chap," here, return ok? What does "noop" mean?

2. I read in a comment in the out-of-the-box eap.conf file that it is customary to specify "anonymous" for the "name of the user 'outside' of the tunnel" with ttls { use_tunneled_reply = yes }. Is the User-Name field in the above Access-Request this outside user name?

3. Is the User-Name in the Access-Request the same as what I've seen called the "outer identity?"

4. Is just using "anonymous" okay? Should I include a realm, e.g., [EMAIL PROTECTED]? Is there something I lose by not specifying a realm in User-Name (everything seems to work okay so far)?

5. What does "No EAP Start" mean?

6. Why does modcall[authorize] say "Matched entry DEFAULT at line 173" here and in the subsequent challenge response (not shown), whereas later in the challenge response it says "Matched entry plong at line 76" ("plong" is the name part of the inner identity, if I'm using the terminology correctly)?

Paul
Re: Radius + 802.1X
Emerson <[EMAIL PROTECTED]> wrote:
> My freeradius work ok, and i put dhcp to work together, but not work,
> anyone can answer this for me ?

Ask on a DHCP list.

Alan DeKok.
Radius + 802.1X
Hi,

I posted 2 messages, "Radius + Dhcp" and "Radius with ip pool", and from the answers I learned that radius doesn't have anything to do with dhcp, and that ip pool works with PPP connections. But I need to deliver IPs to my clients; they use wifi hardware with 802.1X. How do I deliver IPs to them?

My freeradius works ok, and I put dhcp to work together with it, but it doesn't work. Can anyone answer this for me? Does anyone have any experience with it?

Thanks.

Emerson
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 14:18 -0400, Alan DeKok wrote: > Guy Fraser <[EMAIL PROTECTED]> wrote: > > The attributes are not named like they were in Cistron dictionaries. > > They all start with "X-". > > There's still a bug: > > Reply-Message = `%{Reply-Message:-x%{User-Password}x}` > > returns "xbob" for the standard test of user "bob/bob". > > Patch is given below. > > Index: src/main/xlat.c > === > RCS file: /source/radiusd/src/main/xlat.c,v > retrieving revision 1.72.2.7.2.1 > diff -u -r1.72.2.7.2.1 xlat.c > --- src/main/xlat.c 8 Dec 2005 12:47:56 - 1.72.2.7.2.1 > +++ src/main/xlat.c 7 Jul 2006 18:24:08 - > @@ -533,7 +533,7 @@ >* useless if we found what we need >*/ > if (found) { > - while((*p != '\0') && (openbraces > 0)) { > + while((*p != '\0') && (openbraces > *open)) { > /* >* Handle escapes outside of the loop. >*/ > Thank you, I'll give it a shot. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql variable substitution clarification
Guy Fraser <[EMAIL PROTECTED]> wrote: > The attributes are not named like they were in Cistron dictionaries. > They all start with "X-". There's still a bug: Reply-Message = `%{Reply-Message:-x%{User-Password}x}` returns "xbob" for the standard test of user "bob/bob". Patch is given below. Index: src/main/xlat.c === RCS file: /source/radiusd/src/main/xlat.c,v retrieving revision 1.72.2.7.2.1 diff -u -r1.72.2.7.2.1 xlat.c --- src/main/xlat.c 8 Dec 2005 12:47:56 - 1.72.2.7.2.1 +++ src/main/xlat.c 7 Jul 2006 18:24:08 - @@ -533,7 +533,7 @@ * useless if we found what we need */ if (found) { - while((*p != '\0') && (openbraces > 0)) { + while((*p != '\0') && (openbraces > *open)) { /* * Handle escapes outside of the loop. */ Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
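Review bot: the bound change in the `if (found)` skip loop is the right fix, but its correctness rests on `*open` holding the brace depth at entry to this call, which the hunk does not show. With `openbraces > 0` the loop that discards the "useless" remainder after a found attribute keeps consuming until every enclosing brace is closed, so when it runs for the nested `%{User-Password}` inside the default of `%{Reply-Message:-x%{User-Password}x}` it eats the outer expansion's trailing `x}`, which matches the reported "xbob"; `openbraces > *open` stops at the level where this expansion began. Please confirm the caller passes the entry depth for recursive expansions, and add the bob/bob case from the mail as a regression test expecting "xbobx".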
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 11:19 -0600, Guy Fraser wrote:
> On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
> > I have run into an issue where we now have different types of
> > NAS servers. I would like to use %{Connect-Info} if available
> > or a string formatted from two attributes like :
> >
> > D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
> >
> > This is how I tried to do it :
> >
> > ConnectInfo_stop = \
> > '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
> >
> > This is what I get when %{Connect-Info} is not available :
> >
> > "D_X"
> >
> > I haven't seen any examples where two attributes are combined
> > to make one attribute.
> >
> > Thanks
>
> I figured it out when running debug for some other reason, sorry
> for the stupid question.
>
> Reason :
>
> X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
> X-Ascend-Connect-Progress = LAN-Session-Up
> X-Ascend-Data-Rate = 26400
> X-Ascend-PreSession-Time = 32
> X-Ascend-Pre-Input-Octets = 364
> X-Ascend-Pre-Output-Octets = 253
> X-Ascend-Pre-Input-Packets = 15
> X-Ascend-Pre-Output-Packets = 13
> X-Ascend-First-Dest = 209.115.142.9
> X-Ascend-Xmit-Rate = 26400
> X-Ascend-Modem-PortNo = 21
> X-Ascend-Modem-SlotNo = 16
> X-Ascend-Modem-ShelfNo = 1
>
> The attributes are not named like they were in Cistron dictionaries.
> They all start with "X-".
>
> Thanks anyway.

Foiled again :^(

I changed it to :

ConnectInfo_stop = \
'%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}'

Now I get stuff like :

"D26400"

Help would still be appreciated.
Re: rlm_sql variable substitution clarification
On Fri, 2006-07-07 at 11:02 -0600, Guy Fraser wrote:
> I have run into an issue where we now have different types of
> NAS servers. I would like to use %{Connect-Info} if available
> or a string formatted from two attributes like :
>
> D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}
>
> This is how I tried to do it :
>
> ConnectInfo_stop = \
> '%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'
>
> This is what I get when %{Connect-Info} is not available :
>
> "D_X"
>
> I haven't seen any examples where two attributes are combined
> to make one attribute.
>
> Thanks

I figured it out when running debug for some other reason, sorry for the stupid question.

Reason :

X-Ascend-Disconnect-Cause = PPP-Rcv-Terminate-Req
X-Ascend-Connect-Progress = LAN-Session-Up
X-Ascend-Data-Rate = 26400
X-Ascend-PreSession-Time = 32
X-Ascend-Pre-Input-Octets = 364
X-Ascend-Pre-Output-Octets = 253
X-Ascend-Pre-Input-Packets = 15
X-Ascend-Pre-Output-Packets = 13
X-Ascend-First-Dest = 209.115.142.9
X-Ascend-Xmit-Rate = 26400
X-Ascend-Modem-PortNo = 21
X-Ascend-Modem-SlotNo = 16
X-Ascend-Modem-ShelfNo = 1

The attributes are not named like they were in Cistron dictionaries. They all start with "X-".

Thanks anyway.
rlm_sql variable substitution clarification
I have run into an issue where we now have different types of NAS servers. I would like to use %{Connect-Info} if available or a string formatted from two attributes like :

D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}

This is how I tried to do it :

ConnectInfo_stop = \
'%{Connect-Info:-D%{Ascend-Data-Rate}_X%{Ascend-Xmit-Rate}}'

This is what I get when %{Connect-Info} is not available :

"D_X"

I haven't seen any examples where two attributes are combined to make one attribute.

Thanks
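The nested-default behaviour Guy runs into ("D26400" from his ConnectInfo_stop template) and the "xbob" case Alan's xlat.c patch addresses, modelled in Python as an added example that is neither FreeRADIUS code nor anything posted in this thread. `expand()` is a simplified re-implementation of `%{Attr}` / `%{Attr:-default}` expansion with a brace counter like `openbraces`; the `fixed` flag switches between the old `> 0` bound and the patched `> *open` bound, and the sample attribute dicts are constructed from the values quoted in the thread.

```python
# Added example, not FreeRADIUS code and not posted by anyone in this thread.
# A small model of FreeRADIUS 1.x xlat expansion for %{Attr} and
# %{Attr:-default} with nesting. Only the brace accounting of xlat.c is
# modelled; module calls such as %{sql:...} are not handled.


def expand(template: str, attrs: dict, fixed: bool = True) -> str:
    """Expand an xlat string against a dict of request attributes.

    fixed=True  : skip loop stops at the depth the expansion started in
                  (the patched "openbraces > *open" bound).
    fixed=False : skip loop runs until depth 0 (the old "openbraces > 0"),
                  which swallows text after a nested expansion in a default.
    """
    s = template
    i = 0       # cursor, like *p in xlat.c
    depth = 0   # open "%{" count, like openbraces in xlat.c

    def decode_attribute(entry_depth: int) -> str:
        # Called with the cursor just past "%{". entry_depth plays the
        # role of *open in the patch: the depth before this "%{" opened.
        nonlocal i, depth
        depth += 1
        start = i
        while i < len(s) and s[i] not in ":}":
            i += 1
        name = s[start:i]
        value = attrs.get(name)
        if value is not None:
            # Found: the rest up to our closing brace (a ":-default",
            # possibly nested) is useless, so skip it.
            stop = entry_depth if fixed else 0
            while i < len(s) and depth > stop:
                if s.startswith("%{", i):
                    depth += 1
                    i += 2
                elif s[i] == "}":
                    depth -= 1
                    i += 1
                else:
                    i += 1
            return value
        if s.startswith(":-", i):
            # Not found and a default is given: expand it in place.
            # scan() consumes our closing brace.
            i += 2
            return scan(until_close=True)
        # Not found, no default: consume "}" and expand to "".
        if i < len(s) and s[i] == "}":
            i += 1
            depth -= 1
        return ""

    def scan(until_close: bool) -> str:
        # Copy literal text, expanding each "%{...}" as it is met. With
        # until_close we are inside a default and stop at its "}".
        nonlocal i, depth
        out = []
        while i < len(s):
            if s.startswith("%{", i):
                i += 2
                out.append(decode_attribute(depth))
            elif s[i] == "}" and until_close:
                i += 1
                depth -= 1
                break
            else:
                out.append(s[i])
                i += 1
        return "".join(out)

    return scan(until_close=False)


# Constructed sample attributes, using the values quoted in the thread.
STOP_NO_CONNECT_INFO = {
    "User-Name": "bob",
    "X-Ascend-Data-Rate": "26400",
    "X-Ascend-Xmit-Rate": "26400",
}
STOP_WITH_CONNECT_INFO = dict(STOP_NO_CONNECT_INFO, **{"Connect-Info": "CONNECT 802.11"})

# Guy's rlm_sql ConnectInfo_stop template (with the X- prefixed names).
CONNECT_INFO_XLAT = "%{Connect-Info:-D%{X-Ascend-Data-Rate}_X%{X-Ascend-Xmit-Rate}}"
# Alan's test case for the patch.
REPLY_MESSAGE_XLAT = "%{Reply-Message:-x%{User-Password}x}"


def demo() -> dict:
    """Return the expansions discussed in the thread, old and patched."""
    bob = {"User-Password": "bob"}
    return {
        "old_reply": expand(REPLY_MESSAGE_XLAT, bob, fixed=False),                   # "xbob"
        "new_reply": expand(REPLY_MESSAGE_XLAT, bob),                                # "xbobx"
        "old_connect": expand(CONNECT_INFO_XLAT, STOP_NO_CONNECT_INFO, fixed=False), # "D26400"
        "new_connect": expand(CONNECT_INFO_XLAT, STOP_NO_CONNECT_INFO),              # "D26400_X26400"
        "with_connect": expand(CONNECT_INFO_XLAT, STOP_WITH_CONNECT_INFO),           # "CONNECT 802.11"
    }
```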
Re: 802.1x authentication
"Jin Fan" <[EMAIL PROTECTED]> wrote: > To further describe my challenge, here is debugging output from > freeradius. One line says, "rlm_eap: Failed in EAP select". The *important* message is: > rlm_eap: EAP-NAK asked for EAP-Type/peap > rlm_eap: No such EAP type peap The client is asking for PEAP, and you didn't configure the server to do peap. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Session Log
fvt3 <[EMAIL PROTECTED]> wrote:
> Is there a session log in freeradius? I want to find
> out who logged on and how much time they have until
> there session is timeout. Is there such a thing?

$ man radwho

Alan DeKok.
Re: Framed-IP-Address accounted in Hex
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> these are hex values, not octal, and it seems to be an intermittent
> thing.

Dang. Those bugs are hard to track down.

> Are dictionaries loaded each time a child is started? or just once
> and then kept in memory?

The server doesn't start any children. The dictionaries are loaded once, and cached as long as it's running.

Alan DeKok.
Re: Standalone FreeRadius EAP-SIM Configuration Recipe?
"Duncan Glendinning" <[EMAIL PROTECTED]> wrote: > I'm attempting to configure FreeRadius to use EAP-SIM, in a standalone > fashion (i.e., the GSM tuples are stored locally). Does a 'recipe' exist to > appropriately FreeRadius to do so? Not really, sorry. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Radius ip pool
FWIW, I had a problem in this area, too. Bottom line: DHCP follows authentication.

I'm a newbie and just got FreeRADIUS to authenticate my wifi phone for the first time last night. Yay! Prior to that, I noticed that my phone wasn't getting an IP address through DHCP and thought that that might be one reason why my authentication requests were being rejected somehow (remember, I don't know what I'm doing). I knew that authentication was happening at the data-link layer, but I thought the lack of an IP address might be hindering further progress.

Anyway, once I got the FreeRADIUS server to authenticate my phone (needed 'Auth-Type = Local, User-Password := "123"', not 'Auth-Type := Local, User-Password == "123"'; still not sure about those operators, though), the phone got its network addresses from DHCP! IOW, authentication must succeed before the phone initiates DHCP. Looking back, of course this makes sense--through FreeRADIUS, the phone is granted access to the IP network, on which the DHCP server resides. Duh.

Details:

After burning my fingers (and a colleague's) attempting to build FreeRADIUS on Linux, I used the Win32 version from http://www.freeradius.net/. Works great.

WAP TKIP
EAP-TTLS PAP/CHAP
Used NAS on Netgear WG302
WiFi SIP VoIP phone

Paul

Stefan Winter wrote:
> Hi,
>
> (please respond to the list, not me privately. Others may have the same question)
>
> > yes, my clients using 802.1X.
> > I make a DHCP Server together with freeradius, but he don't deliver ip's.
> > I want to know if the radius have any configuration for this, to work with a DHCP server.
>
> In fact, others _did_ have the same question. Reading the list archives would have helped.
>
> .1X authentication and DHCP have *nothing* to do with each other. If you have a DHCP server and it doesn't talk to your authenticated clients, that's a completely FreeRADIUS unrelated problem.
>
> Stefan
Re: EAP-TTLS/PAP -> LDAP for WPA2
Hi,

> I'm very impressed. I installed this and all of my complaints and
> concerns are answered! Now, i'm assuming and hoping the linux wpa
> supplicant also supports this...

Sure thing :-) It's Free Open Source Software after all :-)

> > Uh. You should consider that you will have _no_ link-layer encryption
> > when using captive portals. And connections can be hijacked. And with a
> > shared key, you have no accountability. And the shared key will flow over
> > the net unencrypted, so anyone can pick it up and abuse your network.
> > OTOH, what's so secret about a user name? User names are the _public_
> > parts of credentials, it's the passwords that are critical.
> > If you really don't want usernames to be important at all, use EAP-TLS.
> > The client certificate will identify you, no matter what garbage you put
> > into the user name.
> > Captive portals are a step back with regards to security.
>
> Well, i was going to use wpa2 with a preshared key which would provide
> the link-layer encryption (as i understand it) but then require a
> username and password as another step in case the key got leaked. You're
> right about the accountability, but are you sure about the shared key
> going over the net unencrypted? This doesn't sound right...

You would need to have the user enter his username and password on the captive portal server. From there on up to the RADIUS server, it would be clear text (unless you do some black magic with a PAP to EAP-TTLS gateway, which is possible, but no fun). The wireless link would be encrypted though, so it wouldn't be as bad as *just* the captive portal.

> Since we're talking about our ldap directory, which we use for pretty
> much *everything*, having a list of usernames gives an attacker a
> starting point for trying brute force attacking. This could also be used
> as a starting point for identity theft or spamming.

That's pretty much arguable. If you indeed use that username for "everything" the probability that it is spied as the user enters it somewhere, leaves it on a scrap paper, tells it his "best friend" while having a beer etc. is *far* higher than someone sniffing IP traffic between your supplicant and your RADIUS server. Unless the RADIUS server is at the other end of the world.

> EAP-TLS probably is the most secure way to do things though it does
> require installing certs. I'll definitely be giving it consideration

That's for the hardcore paranoid people, right. But if you are happy with SecureW2 and EAP-TTLS: that's perfectly fine.

> Thanks again for all your help - i'm feeling pretty happy with my setup
> now,

Great!

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Re: EAP-TTLS/PAP -> LDAP for WPA2
Stefan Winter wrote:
>> I'm searching through my dell wireless wlan card utility and i'm pretty sure
>> i can't hide it. Are dell breaking any rfcs or other standards that i can
>> take them up on?
>
> No. It's optional. If Dell doesn't do it, bad luck. But you can always
> install a supplicant that does it, for example at www.securew2.com (very nice
> supplicant, IMO).

I'm very impressed. I installed this and all of my complaints and concerns are answered! Now, i'm assuming and hoping the linux wpa supplicant also supports this...

> Uh. You should consider that you will have _no_ link-layer encryption when
> using captive portals. And connections can be hijacked. And with a shared
> key, you have no accountability. And the shared key will flow over the net
> unencrypted, so anyone can pick it up and abuse your network.
> OTOH, what's so secret about a user name? User names are the _public_ parts
> of credentials, it's the passwords that are critical.
> If you really don't want usernames to be important at all, use EAP-TLS. The
> client certificate will identify you, no matter what garbage you put into the
> user name.
> Captive portals are a step back with regards to security.

Well, i was going to use wpa2 with a preshared key which would provide the link-layer encryption (as i understand it) but then require a username and password as another step in case the key got leaked. You're right about the accountability, but are you sure about the shared key going over the net unencrypted? This doesn't sound right...

Since we're talking about our ldap directory, which we use for pretty much *everything*, having a list of usernames gives an attacker a starting point for trying brute force attacking. This could also be used as a starting point for identity theft or spamming.

EAP-TLS probably is the most secure way to do things though it does require installing certs. I'll definitely be giving it consideration

Thanks again for all your help - i'm feeling pretty happy with my setup now,

John
Error: rlm_sql_mysql: MYSQL Error
Hi all,

I am using freeradius 1.1.0. The backend is mysql 5.0.22 which is located on a different server on the same network. My configuration is as follows:

I am doing some stress testing to benchmark my infrastructure. I use SIPp for the same. The SIPp sends the calls to a cisco gateway, the cisco gateway sends the authentication request to the freeradius server. The radius server queries the mysql database and once the authentication is successful and the call is completed, the accounting request is also passed to the radius server by cisco, which in turn is sent to the mysql database.

Now I kept the SIPp at a rate of 45 calls per second, but after say 10 to 15 minutes the radius server dies. This is the message I could see in the log:

rlm_sql (sql): There are no DB handles to use! skipped 0, tried to connect 0
Error: rlm_sql_mysql: MYSQL Error: Cannot get result
Fri Jul 7 14:18:46 2006 : Error: rlm_sql_mysql: MYSQL Error:
Fri Jul 7 14:18:46 2006 : Error: rlm_sql_mysql: MYSQL Error: No Fields
Fri Jul 7 14:18:46 2006 : Error: rlm_sql_mysql: MYSQL error:
Fri Jul 7 14:18:46 2006 : Info: rlm_sql_mysql: Starting connect to MySQL server for #4
Fri Jul 7 14:18:46 2006 : Error: rlm_sql (sql): failed after re-connect.

I tried googling the archive but could not get a proper solution.

One more thing; I had configured rlm_mysql using the following command: ./configure --without-thread. Could this be a cause of some problem? I did this as the radius was not finding the mysql libraries.

Can someone please help on this. Thanks in advance.

w/regards,
Jayesh Nambiar
RE: 802.1x authentication
Hi, all:

To further describe my challenge, here is debugging output from freeradius. One line says, "rlm_eap: Failed in EAP select". I must have set up eap wrong. Could anyone help me out here? Btw, in the following example, user "TRPZEDU\\jfan" tries to authenticate through 802.1x. Thanks.

Jin

rad_recv: Access-Request packet from host 192.168.3.26:2, id=89, length=157
        NAS-Port-Id = "1/1"
        Calling-Station-Id = "00-0B-BE-D4-50-46"
        Called-Station-Id = "00-0B-0E-13-74-C0:hotspot"
        Service-Type = Framed-User
        User-Name = "TRPZEDU\\jfan"
        State = 0xdcfe3f22dc8680c7b0e05b3d498b6090
        EAP-Message = 0x020200060319
        NAS-Identifier = "Trapeze"
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 192.168.3.26
        Message-Authenticator = 0xc846da111c9f48b4a5570fff318767a2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "TRPZEDU\jfan", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
    users: Matched entry TRPZEDU\jfan at line 228
  modcall[authorize]: module "files" returns ok for request 6
radius_xlat:  'TRPZEDU\\jfan'
rlm_sql (sql): sql_set_user escaped user --> 'TRPZEDU\\jfan'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'TRPZEDU=5C=5C=5C=5Cjfan' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): User TRPZEDU\\jfan not found in radcheck
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'TRPZEDU=5C=5C=5C=5Cjfan' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'TRPZEDU=5C=5C=5C=5Cjfan' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): User TRPZEDU\\jfan not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns notfound for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: No such EAP type peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 89 to 192.168.3.26:2
        EAP-Message = 0x04020004
        Message-Authenticator = 0x
        Trapeze-VLAN-Name = "vlan10"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 88 with timestamp 44ae6d5d
Cleaning up request 6 ID 89 with timestamp 44ae6d5d
Nothing to do.  Sleeping until we see a request.

From: [EMAIL PROTECTED] on behalf of Jin Fan
Sent: Thu 7/6/2006 5:22 PM
To: FreeRadius users mailing list
Subject: 802.1x authentication

Hi, All:

I need some pointers on how to set up 802.1x (PEAP/MSCHAP v.2) authentication in freeradius. Generating certificates? Modifying configurations?

Jin
Re: EAP-TTLS/PAP -> LDAP for WPA2
> "Most supplicants". So there's a chance that a supplicant might not do
> so?

Yes. It's implementation-specific. The Win XP built-in supplicant for example does not do it.

> Is the Identity in the EAP-Message in the first packet always the
> same as the User-name i see in all packets?

Yes, that's what the RFC demands.

> I'm searching through my dell wireless wlan card utility and i'm pretty sure
> i can't hide it. Are dell breaking any rfcs or other standards that i can
> take them up on?

No. It's optional. If Dell doesn't do it, bad luck. But you can always install a supplicant that does it, for example at www.securew2.com (very nice supplicant, IMO).

> This is quite worrying for me as it seems to make the setup quite
> insecure instead of making it more secure as i had originally hoped.
> Perhaps a shared key and a captive portal would provide better security.
> I understand the weakness, but i dont see that it would be weaker than a
> shared key alone and has the advantage of not allowing the username to
> be read by any arbitrary person.

Uh. You should consider that you will have _no_ link-layer encryption when using captive portals. And connections can be hijacked. And with a shared key, you have no accountability. And the shared key will flow over the net unencrypted, so anyone can pick it up and abuse your network.

OTOH, what's so secret about a user name? User names are the _public_ parts of credentials, it's the passwords that are critical.

If you really don't want usernames to be important at all, use EAP-TLS. The client certificate will identify you, no matter what garbage you put into the user name.

Captive portals are a step back with regards to security.

Greetings,

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu         Fax: +352 422473
RE: FW: mpd+freeradius+AD
Thank you so much Nikos!

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
Sent: Friday, June 30, 2006 4:57 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Friday 30 June 2006 11:57, Егоров Сергей wrote:
> Ok, this is my users file
>
> test    Auth-Type := MS-CHAP
>         Framed-IP-Address = 192.168.10.65
> DEFAULT Auth-Type := MS-CHAP
>
> And this is freeradius log, then I connect to mpd via test account:
>
> Login OK: [test/] (from client localhost port 0 cli 192.168.12.126)
> Sending Access-Accept of id 121 to 127.0.0.1 port 49791
>         Framed-IP-Address = 192.168.10.65
>         MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
>         MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
>         MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
>         MS-MPPE-Encryption-Policy = 0x0002
>         MS-MPPE-Encryption-Types = 0x0004
> rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
>         NAS-Identifier = "testradius.ion.ru"
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = "192.168.12.126"
>         User-Name = "test"
>         Framed-IP-Address = 192.168.10.12
>         Acct-Status-Type = Start
>         Acct-Session-Id = "1652038-pptp0"
>         Acct-Multi-Session-Id = "1652038-pptp0"
>         Acct-Link-Count = 1
>         Acct-Authentic = RADIUS
> Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
>
> In this log freeradius said that account test OK, and his address
> 192.168.10.65. But mpd replace it this his own. How could I improve it?

use radius-ip
read more here /usr/local/share/doc/mpd/mpd22.html

> -----Original Message-----
> From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 29, 2006 7:05 PM
> To: Undisclosed.Recipients :
> Cc: Егоров Сергей
> Subject: Re: FW: mpd+freeradius+AD
>
> On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
> > >This is Framed-IP-Address in radius dialect.
> >
> > Thanks for explaining freeradius basic concepts. I understood, that to
> > assign IP to user I should use users freeradius file. But I couldn't
> > configure it correctly. Now I have only one line in this file
> >
> > DEFAULT Auth-Type := MS-CHAP
> >
> > I've add another string (for user test), but it doesn't correct
> >
> > test Auth-Type := MS-CHAP,
>
> Try without the comma
>
> run the server in debug mode(radiusd -X)
> and use radclient
>
> >Framed-IP-Address = 192.168.10.65,
>
> I think you can put this in AD. Don't know...
>
> > That should I fix?
> >
> > -----Original Message-----
> > From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 26, 2006 5:09 PM
> > To: freeradius-users@lists.freeradius.org
> > Cc: Егоров Сергей
> > Subject: Re: mpd+freeradius+AD
> >
> > On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> > > Thanks for reply.
> > >
> > > >You can use one of the three firewalls avaliable in the base
> > > >system(ipfw, ipf and pf), however mpd comes with a small dictionary
> > > >that uses ipfw(8) and you can easily define some filter bound to an
> > > >interface (bound to a username) via a radius reply attribute, let
> > > >filter be a pipe(for bandwidth control) or a packet filtering
> > > >expression.
> > >
> > > That's fine for filtering vpn users access to local net. But how could
> > > I assign specific IP for specific user in AD?
> > >
> > > >Your questions don't clearly tell where your problem is.
> > > >Active Directory? mpd? or FreeRADIUS? You should define
> > > >them better in order to get help from the list.
> > >
> > > My goal is to replace VPN server, based on win2003, with FreeBSD one.
> > > WIN 2003 can do 1 and 2 in my questions, so I have to realize how to
> > > setup this in mpd + freeradius. I already authenticate users from AD
> > > group:
> > >
> > > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > > --challenge=%{mschap:Challenge:-00}
> > > --nt-response=%{mschap:NT-Response:-00}
> > > --require-membership-of=EXAMPLE+VPN_Allowed".
> > >
> > > But I have several vpn groups and need to setup timeouts on each one.
> >
> > setup timeout? This looks like Session-Timeout in radius dialect.
> >
> > > Also
> > > I need to I assign specific IP for specific user in AD.
> >
> > This is Framed-IP-Address in radius dialect.
> >
> > > Looks like
> > > FreeRadius should respond for this.
> >
> > Yes, you have to have basic understanding of what radius is. All of these
> > are very basic setup. I don't know how FreeRADIUS interacts with AD and
> > what info it should get from AD. So, try searching (or asking) for active
> > directory and FreeRADIUS. Keep t
Session Log
Is there a session log in freeradius? I want to find out who logged on and how much time they have until their session times out. Is there such a thing?
Re: Radius ip pool
Hi,

(please respond to the list, not me privately. Others may have the same question)

> yes, my clients using 802.1X.
> I make a DHCP Server together with freeradius, but he don't deliver ip's.
> I want to know if the radius have any configuration for this, to work
> with a DHCP server.

In fact, others _did_ have the same question. Reading the list archives would have helped.

.1X authentication and DHCP have *nothing* to do with each other. If you have a DHCP server and it doesn't talk to your authenticated clients, that's a problem completely unrelated to FreeRADIUS.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu   Fax: +352 422473
Standalone FreeRadius EAP-SIM Configuration Recipe?
Hello,

I'm attempting to configure FreeRadius to use EAP-SIM, in a standalone fashion (i.e., the GSM tuples are stored locally). Does a 'recipe' exist to appropriately configure FreeRadius to do so? It appears that the documentation is not complete, and I haven't found reference to such a configuration in the last 6 months of archives. I want to be able to use a USB SIM card reader along with EAP-SIM to authenticate a wireless supplicant.

Thanks for your help,
Duncan
Re: EAP-TTLS/PAP -> LDAP for WPA2
Stefan Winter wrote:
>
> The thing about anonymous outer identity is that it doesn't matter what you
> put in there. If your real name is "iamcool" and your password
> is "evencooler" you can happily send "foobar" as Identity. Authentication
> will only depend on what's inside the tunneled PAP request. Most supplicants
> allow to specify the outer identity to your liking.
> That said, there is one exception: if you are using roaming, the realm part
> of the username must be the correct one, otherwise the request can't be
> routed to the correct server.
>

"Most supplicants". So there's a chance that a supplicant might not do so? Is the Identity in the EAP-Message in the first packet always the same as the User-Name I see in all packets?

I'm searching through my Dell wireless WLAN card utility and I'm pretty sure I can't hide it. Are Dell breaking any RFCs or other standards that I can take them up on?

This is quite worrying for me as it seems to make the setup quite insecure instead of making it more secure as I had originally hoped. Perhaps a shared key and a captive portal would provide better security. I understand the weakness, but I don't see that it would be weaker than a shared key alone, and it has the advantage of not allowing the username to be read by any arbitrary person.

Thanks for the further explanation of the RADIUS protocol - I think I will take your advice about the configuration files and leave well enough alone :)

John
Re: Framed-IP-Address accounted in Hex
On 6 Jul 2006, at 22:20, Alan DeKok wrote:

> Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> > What would cause FreeRADIUS to output in this manner, we have surmised
> > that if it sees a non-ASCII byte in the field it would convert the whole
> > field into a hex representation to stop trying to write binary to the db.
>
> No, it should print out non-ASCII bytes as octal in that case. It will
> create octal attributes if it can't find the attribute in the dictionaries.

These are hex values, not octal, and it seems to be an intermittent thing. Example session ID: 0x464631304646464635383230333045322d3434363938363135

The dictionaries are installed in /usr/share/freeradius where they have been since initial install on this system. The dictionary includes the RFC dictionaries at the start, which includes the Acct-Session-Id attribute.

Are dictionaries loaded each time a child is started? Or just once and then kept in memory?

Graeme
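Added example, not from the thread: decoding the 0x-prefixed Acct-Session-Id quoted above back into bytes and checking whether any of them fall outside printable ASCII. The \ooo escape rendering is assumed to model the octal output Alan describes, not copied from FreeRADIUS's source.

```python
# The value exactly as quoted in the thread.
SESSION_ID_HEX = "0x464631304646464635383230333045322d3434363938363135"

def decode_hex_attribute(value):
    """Turn a '0x...' attribute value back into the raw bytes it encodes."""
    if not value.startswith("0x") or len(value) % 2:
        raise ValueError("not an even-length 0x hex string: %r" % value)
    return bytes.fromhex(value[2:])

def non_printable_bytes(raw):
    """Return (offset, byte) pairs that are outside printable ASCII."""
    return [(i, b) for i, b in enumerate(raw) if not 0x20 <= b < 0x7f]

def octal_escape(raw):
    """Render bytes as a \\ooo-escaping printer would (assumed form, see above)."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "\\%03o" % b for b in raw)

def analyse(value):
    """Decode a hex-encoded value and report how it would print and why."""
    raw = decode_hex_attribute(value)
    return {
        "decoded": octal_escape(raw),
        "non_printable": non_printable_bytes(raw),
    }
```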
Re: Username in MySQL with regexp
> DEFAULT, just like in the "users" file.
>
> Alan DeKok.

What do I have to set for further reply-item settings in the User-Name column? I have more than one Username which should be checked against a regexp and then should reply individual items.

Sorry but I don't understand your answer :-(

Christian Meutes
systems engineer
--
claranet gmbh
internet service provider
tel +49 (0) 69 - 40 80 18 - 300
email: [EMAIL PROTECTED]
http://www.claranet.de/