Re: pam_radius_auth issue

2006-07-21 Thread Mircea Harapu

 Mircea Harapu wrote:
  I'm trying to make an ssh authentication with pam_radius_auth + freeradius + ldap
  The problem is that radius is sending the password to ldap in clear and not
  crypted with CRYPT as configured in ldap module .

 Huh?  pam_radius_auth sends the password to FreeRADIUS in the clear,
  because that's what it does.  FreeRADIUS sends this to LDAP because
  LDAP doesn't understand anything else.
 
  sending passwords in clear in a network is not secure . pam_radius_auth does
  have md5 crypting capabilities . that's why you need to set radius key .

 PAP sends the following radius request:

 User-Name = Someuser
 User-Password = somepassword

 HOWEVER, the User-Password field in a radius packet is defined by RFC to
 be encrypted with the radius shared secret.

The pam_radius_auth is sending User-Password without being encrypted .
I have set the same shared secret in /etc/raddb/server and clients.conf


 At the radius server, the password field is decrypted and processed in
 plaintext inside the radius server.

 This is at least as secure as sending a plaintext password over the wire.

 
And there is NO configuration in the LDAP module to send the
  password in crypted form.  I think you're mistaking the configuration
  that *reads* the password from LDAP for something else.
 
  auto_header = yes
  that means that it checks for encryption types .

 I think Alan, as the main FreeRadius developer, is probably aware of
 that feature. He is aware that it does NOT do what you claim.

 auto_header is responsible for detecting the {type} header when the
 userPassword attribute is *read from* the LDAP server. The {type} field
 is stripped, and used to put the following value into the correct radius
 config attribute e.g.

   * {clear} - User-Password
   * {crypt} - Crypt-Password
   * {ssha} - SSHA-Password

 ...and so on.

 *Then* the radius server processes a PAP request like so:


   1. request comes in
  User-Name = foo
  User-Password = encrypted_with_radius_secret(bar)
   2. authorize section is run
   2a. ldap module is run - userPassword: {crypt}baAP5K9PT1lcc
   2b. auto_header puts Crypt-Password = baAP5K9PT1lcc into config items
   3. authenticate is run - Auth-Type = Local
   3b. The radius server sees that Crypt-Password is set and does:
   if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc')
 auth_ok;

 I hope that is clear.

 Your original mail stated:

  I'm trying to make an ssh authentication with pam_radius_auth + freeradius + ldap
  The problem is that radius is sending the password to ldap in clear and not
  crypted with CRYPT as configured in ldap module .

 As Alan tried to explain to you, pam_auth_radius is doing nothing wrong.
 What is undoubtedly happening is that you have the radius server
 configured incorrectly.

 I suspect you want it to do this:

   1. request comes in
   2. fetch password from ldap
   3. compare crypted password from LDAP with password supplied

 I suspect what it's actually doing is:

   1. request comes in
   2. ldap searched for user - found
   3. password is checked by doing LDAP simple bind

 If you want the first, configure the radius server to do that. Hint: see
 the set_auth_type = no option on recent versions of the server, or
 have the users file read:

 DEFAULT Auth-Type := Local

 Or, be more clear about what the problem is. "It doesn't work how I
 think it should" does not help, especially when you are wrong in your
 assumptions.
 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

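As an added illustration of the mechanism in the quoted explanation above (this is not code from the thread, from pam_radius_auth or from FreeRADIUS): the RFC 2865 section 5.2 hiding that a PAP client applies to User-Password, the server-side reversal of it, and an auto_header-style dispatch on the {scheme} prefix of an LDAP userPassword value. The shared secret, passwords, salt and Request Authenticator are constructed for the example; {crypt} is left out because it needs the platform crypt(3) rather than hashlib. One caveat to put beside the "at least as secure as plaintext" remark above: this hiding is keyed MD5 obfuscation, so its strength is exactly the strength of the shared secret, and a captured Access-Request lets an attacker test candidate secrets offline.

```python
"""Added example: RFC 2865 section 5.2 User-Password hiding (as pam_radius_auth
and FreeRADIUS apply it) plus an auto_header-style dispatch on the {scheme}
prefix of an LDAP userPassword value.  Not code from the thread, pam_radius_auth
or FreeRADIUS; secret, passwords, salt and authenticator are constructed."""
import base64
import hashlib
import hmac
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side.  NUL-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block), seeded with the 16-octet Request Authenticator.
    This is keyed obfuscation, not authenticated encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for off in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], key))
        hidden += block
        prev = block  # chaining runs on the *hidden* block, not the plaintext
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side.  A wrong shared secret does not fail here: it yields garbage,
    which is why FreeRADIUS warns about unprintable characters in the password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = bytearray(), authenticator
    for off in range(0, len(hidden), 16):
        block = hidden[off:off + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")  # assumes the real password has no trailing NUL


def split_scheme(stored: str):
    """Emulate rlm_ldap auto_header: peel a leading {scheme} off userPassword."""
    if stored.startswith("{") and "}" in stored:
        scheme, value = stored[1:].split("}", 1)
        return scheme.lower(), value
    return "clear", stored


def store_password(scheme: str, password: bytes, salt: bytes = b"") -> str:
    """Build an LDAP userPassword value in {clear}, {SHA} or {SSHA} form."""
    scheme = scheme.lower()
    if scheme == "clear":
        return "{clear}" + password.decode()
    if scheme == "sha":
        return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()
    if scheme == "ssha":
        digest = hashlib.sha1(password + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme {scheme!r}")


def check_password(stored: str, candidate: bytes) -> bool:
    """Compare a revealed (plaintext) PAP password against the stored value.
    Hashes only ever go one way, so this needs the plaintext candidate."""
    scheme, value = split_scheme(stored)
    if scheme == "clear":
        return hmac.compare_digest(value.encode(), candidate)
    if scheme == "sha":
        return hmac.compare_digest(base64.b64decode(value), hashlib.sha1(candidate).digest())
    if scheme == "ssha":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())
    raise ValueError(f"unsupported scheme {scheme!r}")


def pap_authenticate(hidden: bytes, secret: bytes, authenticator: bytes, stored: str) -> bool:
    """The server path: reveal the wire value, then check it against the directory."""
    return check_password(stored, reveal_user_password(hidden, secret, authenticator))


if __name__ == "__main__":
    secret = b"testing123"        # constructed shared secret
    ra = os.urandom(16)           # Request Authenticator, chosen by the client
    wire = hide_user_password(b"bar", secret, ra)
    print("on the wire :", wire.hex())
    print("revealed    :", reveal_user_password(wire, secret, ra))
    print("wrong secret:", reveal_user_password(wire, b"wrong", ra))
    stored = store_password("ssha", b"bar", salt=b"salt")
    print(stored, "->", pap_authenticate(wire, secret, ra, stored))
```

To settle the on-the-wire question the thread keeps returning to, compare `wire.hex()` with what `tcpdump -nn -X udp port 1812` shows for the User-Password attribute (type 2): the 16-octet blocks on the wire are the hidden form, while `radiusd -X` prints the revealed one.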


[Fwd: IP Pool management]

2006-07-21 Thread darshak
 Original Message 
Subject: IP Pool management
From:[EMAIL PROTECTED]
Date:Fri, July 21, 2006 10:16 am
To:  freeradius-users@lists.freeradius.org
--

Hi,
I am new to radius.
I want to understand functionality of IP Pool management and 802.1x,means
EAP,EAP-MD5,LEAP .

How can I customize the same using free radius ?


Thanks to all
Darshak





Re: Using mschap authentication without EAP

2006-07-21 Thread Giuseppina Venezia
On 7/20/06, Thibault Le Meur [EMAIL PROTECTED] wrote:
 Well isn't it a problem of rights? Is the anonymous user able to search the
 openldap directory for users entries?

Yes, the anonymous user is able to search.

 What is the result of a simple ldapsearch with the same ldap filter.

ldapsearch -x -b dc=,dc=it (uid=misterc)
# extended LDIF
#
# LDAPv3
# base dc=,dc=it with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, .it
dn: cn=Vito Cu,ou=utenti,dc=,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

 Have you got ACLs in your openldap directory configuration files?

All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug: Processing the authorize section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module eap returns noop for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat: 'ou=utenti,dc=,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389, authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authorize]: module ldap returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rad_check_password: Found Auth-Type LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type LDAP
Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute Password is required for authentication. Cannot use CHAP-Password.
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module pap returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: returned from ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall[authenticate]: module ldap returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.

Best regards.
Giusy Venezia

Re: configuring FreeRadius pools

2006-07-21 Thread Peter Nixon
Well, the problem is you still haven't exactly explained what you are trying 
to do with radius. Are you assigning the IP addresses from pools on radius or 
pools on the patton?

Assuming that radius is assigning the pools, you simply need to create 2 of 
them. (Read the radiusd.conf, the comments explain it.) Then configure radius 
to return an address from the first pool by default, and the second pool when 
the patton sends whatever information it sends to say that the user is authed 
or valid or whatever. You need to figure that out as I don't have any 
experience with patton.

RADIUS is not magic. It can only respond when asked a question, and it can 
only give an answer based on what it is asked. You therefore need to make 
sure that patton is asking 2 different questions, and configure your 2 
different replies based on what question it is asking... radiusd -X  (debug 
mode) is your friend in this instance..

Hope that Helps

-Peter

On Fri 21 Jul 2006 10:16, Elie Hani wrote:
 Thanks Alan, but this was not my problem. My problem is in configuring the
 IP pools, I need a way to configure the 2 pools of IPs which are one Fake
 and the other Real. I don't have a problem in redirection, it's in how to
 configure the 2 pools of IPs.

 Thanks
 Elie

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Alan DeKok
 Sent: Thursday, July 20, 2006 5:16 PM
 To: FreeRadius users mailing list
 Subject: Re: configuring FreeRadius pools

 Elie Hani [EMAIL PROTECTED] wrote:
  I want to configure 2 pools, the first one is a fake IP pool, where the dial
  up user on the patton gets an IP from this pool, and then he will enter the
  necessary information, once all the information entered is true, he
  will reconnect with his new username, then he will get an IP from the other
  pool which contains real IPs.

   This is called a captive portal.  Please use one of those, which
 solves most of these problems for you, including IP allocation.

   Alan DeKok.


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re[2]: FreeRadius+mysql+crypted passwords

2006-07-21 Thread Marek Soha - intrak.sk
Hi.

Thanks for a reply.
Have you any idea to configure it with crypted passwords stored in the
database and with cisco accesspoint clients authentication?
Now im using EAP/PEAP in cisco ap to authorize windows xp client (PEAP
required).

Thanks for any idea.


Alan, on 21 July 2006 you wrote:
 Marek Soha - intrak.sk [EMAIL PROTECTED] wrote:
 I have configured FreeRadius+EAP/PEAP+mysql in working state...But now, i
 want to have encrypted passwords stored in mysql database (in that
 table where plaintext passwords are stored now).
 Can you give me an advice how to do that?

   If you store the passwords in encrypted form, then PEAP will stop
 working.

   Alan DeKok.

Best regards

Wishing you a nice day

 ,_,Marek Soha
(O,O)   Student FEI, Odbor Informatika, TU Kosice
(   )   [EMAIL PROTECTED] [EMAIL PROTECTED] 146-284-791





RE: configuring FreeRadius pools

2006-07-21 Thread Elie Hani
Well I'm trying to configure 2 pools of IPs, where these pools should be
created? can it be done on the radius and this radius will take care of
giving the IPs to the users? or should I configure a dhcp and relay it to
the radius?

I tried to configure on the radius, in the config file, in the ippools
section, 2 pools of IPs, but it didn't work.

Thanks
Elie  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Peter Nixon
Sent: Friday, July 21, 2006 10:44 AM
To: FreeRadius users mailing list
Subject: Re: configuring FreeRadius pools

Well, the problem is you still haven't exactly explained what you are trying
to do with radius. Are you assigning the IP addresses from pools on radius or 
pools on the patton?

Assuming that radius is assigning the pools, you simply need to create 2 of 
them. (Read the radiusd.conf, the comments explain it.) Then configure radius 
to return an address from the first pool by default, and the second pool when 
the patton sends whatever information it sends to say that the user is authed 
or valid or whatever. You need to figure that out as I don't have any 
experience with patton.

RADIUS is not magic. It can only respond when asked a question, and it can 
only give an answer based on what it is asked. You therefore need to make 
sure that patton is asking 2 different questions, and configure your 2 
different replies based on what question it is asking... radiusd -X  (debug 
mode) is your friend in this instance..

Hope that Helps

-Peter

On Fri 21 Jul 2006 10:16, Elie Hani wrote:
 Thanks Alan, but this was not my problem. My problem is in configuring the
 IP pools, I need a way to configure the 2 pools of IPs which are one Fake
 and the other Real. I don't have a problem in redirection, it's in how to
 configure the 2 pools of IPs.

 Thanks
 Elie

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
On
 Behalf Of Alan DeKok
 Sent: Thursday, July 20, 2006 5:16 PM
 To: FreeRadius users mailing list
 Subject: Re: configuring FreeRadius pools

 Elie Hani [EMAIL PROTECTED] wrote:
  I want to configure 2 pools, the first one is a fake IP pool, where the dial
  up user on the patton gets an IP from this pool, and then he will enter the
  necessary information, once all the information entered is true, he
  will reconnect with his new username, then he will get an IP from the other
  pool which contains real IPs.

   This is called a captive portal.  Please use one of those, which
 solves most of these problems for you, including IP allocation.

   Alan DeKok.


-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Using mschap authentication without EAP

2006-07-21 Thread Thibault Le Meur

Well, after some changes in OpenLDAP config, this is the result:


So your first issue was openldap related...



Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as
cn=Manager,dc=,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful


Bind as manager is ok...


Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in
ou=utenti,dc=,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for
misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password
{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as
Auth-Type, value LDAP  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as
User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=  op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use
remote access


Great, rlm_ldap has retrieved everything needed.


Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns
ok) for request 0


Now it's time to run the authenticate module


Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type
LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type LDAP
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of
radiusd.conf


Ldap module will be used (that is to say a bind with the user's 
credential will be attempted, provided that the request contains the 
necessary data).



Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap
(rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute Password is required
for authentication. Cannot use CHAP-Password.


Well, it seems that your radius client is trying CHAP and not PAP. You 
wrote in a previous mail that the request was:

rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
  User-Name = misterc
  CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
  CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
  NAS-IP-Address = 0.0.0.0
  Service-Type = Login-User
  Framed-IP-Address = 192.168.182.2
  Calling-Station-Id = XX-XX-XX-XX-XX-XX
  Called-Station-Id = AA-AA-AA-AA-DD-AA
  NAS-Identifier = nas01
  Acct-Session-Id = 44bfd15d
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 0
  Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
  WISPr-Logoff-URL = http://192.168.182.1:3990/logoff


That means that your client is trying MS-CHAP, and MS-CHAP can't be 
used with something else than NT-Hash passwords or cleartext passwords 
in the authorize backend (in your case LDAP).


Thibault



Re: Using mschap authentication without EAP

2006-07-21 Thread Phil Mayers

Thibault Le Meur wrote:

rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
  User-Name = misterc
  CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
  CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986




That means that your client is trying MS-CHAP, and MS-CHAP can't be used 
with something else than NT-Hash passwords or cleartext passwords in the 
authorize backend (in your case LDAP).


No, it does NOT.

It means his client is trying CHAP. Not MS-CHAP


Re: users file for NULL realm, LDAP for another

2006-07-21 Thread Phil Mayers

John Keimel wrote:
I have two Freeradius servers, one of which authenticates MAC addresses 
for wireless, the other [EMAIL PROTECTED] for some other network 
access.


I'd like to combine the two of them into one server. If the username 
comes through without a realm (a MAC address) I'd like it to check the 
users file. If it comes through with a realm, just check LDAP. If the 
MAC address fails, it should never ever check LDAP. That just beats up 
the LDAP server and the LDAP admin yells (with good reason!).


Use Autz-Type and 2nd files module, like so

modules {
  files {
usersfile = ${confdir}/users
  }
  files files2 {
usersfile = ${confdir}/users2
  }
  ldap {
...
  }
}

authorize {
  preprocess
  files
  Autz-Type MAC {
files2
  }
  Autz-Type USER {
ldap
  }
}

in ${confdir}/users:

DEFAULT User-Name =~ [EMAIL PROTECTED], Autz-Type := USER

DEFAULT Autz-Type := MAC

in ${confdir}/users2:

00-11-22-33-44-55 Whatever-Attributes == somevalue
Reply-Attribute-1 = foo,
Reply-Attribute-2 = bar

Should I be looking to do this just in the radiusd.conf? Or should I be 
attempting to mangle some kind of proxy arrangement? Would anyone care 
to share any sample configs for such a thing? It looks to me like there 
may be several ways to do this and I'd like to spend the time building 
up the best method. Proxy? Autz-type?


Autz-Type

Proxy is really intended for if you're going to send the request on 
somewhere else. It *can* strip the username, but there are easier ways 
to do it.


You could also configure a huntgroup based on various attributes e.g.

${confdir}/huntgroups:

ethernet NAS-Port-Type == Ethernet

vpn NAS-Port-Type == Async, NAS-IP-Address == my.vpn.server.ip

${confdir}/users:

DEFAULT Huntgroup-Name == ethernet, Autz-Type := MAC

DEFAULT Huntgroup-Name == vpn, Autz-Type := USER

...and so on


Re: pam_radius_auth issue

2006-07-21 Thread Phil Mayers

Mircea Harapu wrote:

PAP sends the following radius request:

User-Name = Someuser
User-Password = somepassword

HOWEVER, the User-Password field in a radius packet is defined by RFC to
be encrypted with the radius shared secret.


The pam_radius_auth is sending User-Password without being encrypted .
I have set the same shared secret in /etc/raddb/server and clients.conf


I believe you are incorrect. Have you looked at the actual packets on 
the wire with a sniffer?


Remember, when FreeRadius displays the packet, it has already decrypted 
it so of course you will see it in the clear in the FR debug output and 
logs.


RE : Using mschap authentication without EAP

2006-07-21 Thread Thibault Le Meur
 
 Thibault Le Meur wrote:
  rad_recv: Access-Request packet from host 127.0.0.1:32801, 
 id=0, length=217
User-Name = misterc
CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
 
  
  That means that your client is trying MS-CHAP, and MS-CHAP can't be used
  with something else than NT-Hash passwords or cleartext passwords in the
  authorize backend (in your case LDAP).
 
 No, it does NOT.
 
 It means his client is trying CHAP. Not MS-CHAP

You're right... sorry I was too fast in my reply... ;-) but the conclusion
was about the same : use a cleartext password (except for the Nt-hash
alternative ;-) ).

Thibault


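For the plain-CHAP case that Phil and Thibault settle on above, an added example (not code from the thread or from FreeRADIUS) of the RFC 1994 / RFC 2865 section 5.3 check a server performs on CHAP-Password, and of the refusal that has to follow when the directory only holds a {SHA}-style hash. The identifier, password and challenge are constructed; the {SHA} value reused in the demo is the one printed in the debug output above and serves only to exercise the refusal path.

```python
"""Added example: the RFC 1994 / RFC 2865 section 5.3 CHAP-Password check a RADIUS
server performs, and the refusal that follows when the directory holds only a
{SHA}-style hash.  Not code from the thread or FreeRADIUS; identifier, password
and challenge are constructed."""
import hashlib
import hmac
import os


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP-Password = ident || MD5(ident || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is one octet")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side: recompute from the stored cleartext and compare in constant time.
    Without a CHAP-Challenge attribute RFC 2865 uses the Request Authenticator as
    the challenge; the caller passes whichever applies."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password is 1 identifier octet + 16 MD5 octets")
    ident, got = chap_password[0], chap_password[1:]
    want = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return hmac.compare_digest(got, want)


def verify_chap_against_store(chap_password: bytes, challenge: bytes, stored: str) -> bool:
    """What rlm_pap/rlm_ldap face: only a cleartext value can back a CHAP check.
    A {SHA}/{SSHA}/{crypt} value cannot be turned back into the password the MD5
    above needs, so the server must refuse rather than guess."""
    if stored.startswith("{clear}"):
        return verify_chap(chap_password, challenge, stored[len("{clear}"):].encode())
    if stored.startswith("{"):
        raise ValueError("CHAP needs a cleartext password; cannot use "
                         + stored.split("}", 1)[0] + "}")
    return verify_chap(chap_password, challenge, stored.encode())


if __name__ == "__main__":
    challenge = os.urandom(16)                     # constructed CHAP-Challenge
    resp = chap_response(0x00, b"bar", challenge)  # constructed password "bar"
    print("CHAP-Password =", resp.hex())
    print("{clear}bar    ->", verify_chap_against_store(resp, challenge, "{clear}bar"))
    try:  # {SHA} value from the debug output above, used only to trigger the refusal
        verify_chap_against_store(resp, challenge, "{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs=")
    except ValueError as err:
        print("refused       ->", err)
```

The same one-way argument is why the NT-hash alternative Thibault mentions works only for MS-CHAP, whose response is computed over the NT hash rather than the cleartext: each challenge-response scheme fixes exactly which stored form the server can use.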


PEAP short question

2006-07-21 Thread wekz
Hi all, I've been watching the logs and my question is why localhost takes part in the process. 

Unsubscribe

2006-07-21 Thread Paul-Hus Diane
Unsubscribe




Dropping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread Nataniel Klug

   Hello all,

   I am with a very big problem. I have a system that uses a PPPoE server 
to authenticate my clients into a FreeRadius server. The server is 
running ok but when something not expected happens in my clients (like an 
energy blackout or something like that) the user remains connected into 
my radius server. Is there any way I could make a test to see if the user 
is not online and then drop it?


Att,

Nataniel Klug


Access-Accept with invalid signature

2006-07-21 Thread Norbert Wegener
I want to use mysql with freeradius and a default entry in the users file.
Testing with radtest I get an Access-Accept which is ok.
But there is an additional information, which irritates me and I have no
idea, what it means. 
In case of an incorrect shared secret - as far as I know - no
Access-Accept would have been sent.

suse:/home/norbert # radtest nw123 xx localhost 0 1812 maxen
Sending Access-Request of id 32 to 127.0.0.1 port 1812
User-Name = nw123
User-Password = xx
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=32, length=20
rad_decode: Received Access-Accept packet from client 127.0.0.1 port
1812 with invalid signature (err=2)!  (Shared secret is incorrect.)


The output of radiusd -AX does not show anything strange to me and can
be found at: http://www.wegener-net.de/fr/typescript

So, is the last message important or can it be ignored?
Thanks
Norbert Wegener

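The "invalid signature (err=2)" line above comes from the RFC 2865 section 3 Response Authenticator check on the client side. As an added example (not radtest's or FreeRADIUS's own code), here is that check end to end with constructed packets and a constructed secret; it does not diagnose this particular run, only shows what the message is testing and why an Access-Accept can still be printed when the check fails.

```python
"""Added example: the RFC 2865 section 3 Response Authenticator check that yields
"invalid signature ... (Shared secret is incorrect.)" on the client.  Not code
from radtest or FreeRADIUS; packets and secret are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def build_access_request(ident: int, attrs: bytes = b""):
    """Client side: header + random 16-octet Request Authenticator + attributes.
    Returns (packet, request_authenticator); the client must remember the RA."""
    ra = os.urandom(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute with *our* secret and the RA we sent, compare in
    constant time.  The body parses fine either way, which is why a client can
    print "Access-Accept" and flag the signature in the same breath."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    got, attrs = packet[4:20], packet[20:length]
    want = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)


def classify(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Client-side triage: trust the code only after the authenticator checks out."""
    if not verify_response(packet, request_auth, secret):
        return "invalid signature (shared secret mismatch, or a forged/corrupted reply)"
    return CODE_NAMES.get(packet[0], "other")


if __name__ == "__main__":
    secret = b"s3cret"                              # constructed shared secret
    req, ra = build_access_request(32)              # id=32 as in the radtest run above
    accept = build_response(ACCESS_ACCEPT, 32, ra, secret)
    print(len(accept), "octets:", classify(accept, ra, secret))
    print("checked with a different secret:", classify(accept, ra, b"wrong"))
```

The practical point for an operator: a reply that fails this check should be treated as if it never arrived, whatever code it carries, because the only things that distinguish a genuine Access-Accept from one forged by anyone who can spoof UDP from the server's address are this authenticator and, where present, Message-Authenticator.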


Re: Active Directory (Win2003) rlm_ldap

2006-07-21 Thread Charlie B
Thanks for the reply,

I have checked the shared secret, and earlier in the debug you can see that it binds successfully. After which it attempts to authenticate the user with the credentials provided and fails; the only thing I can see is that it is changing the password provided into garbage and sending this to Active Directory, which is turning around and saying incorrect password. In all the examples I can find the password sent is in clear text, so then why in my example is it encrypted? How do I undo this?

On 7/20/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Charlie B [EMAIL PROTECTED] wrote:
  Question: What is causing the password to be encrypted?

   It is not the password entered.  Read the debug output:

  WARNING: Unprintable characters in the password. ?

   Double-check the shared secret on the server and the NAS!

   Alan DeKok.

Re: PEAP short question

2006-07-21 Thread Stefan Winter
Hi,

 I've been watching the logs and my question is why localhost takes part in
 the process.

Inner workings of FreeRADIUS. The inner authentication (within the EAP TLS 
tunnel) counts as a new request, coming from localhost.

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Research Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




unsubscribe

2006-07-21 Thread Sudhananda




unsubscribe

Re: RE : Using mschap authentication without EAP

2006-07-21 Thread Giuseppina Venezia
All right. Now authentication works fine.
Many thanks to all who have given me this useful advice.
Have a nice day.
Thanks again,
Giusy Venezia

unsubscribe

2006-07-21 Thread alfonso




Re: Dropping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread K. Hoercher

There is no such thing as user remains connected into my radius
server. It's the client's (here PPPoE Server?) responsibility to act
accordingly. In particular it should eventually update the accounting
if a client/user is MIA. That might be near to the problem you are
referring to.

Best regards
K .Hoercher


Where to find info about DEFAULT value

2006-07-21 Thread rabbtux rabbtux

All,

I see reference to setting DEFAULT in mysql database tables.

I need to set the default value of Acct-Interim-Interval = 60s for all
users.  Can I just put this in my radreply table:
user attribute  op   value
---
DEFAULT, Acct-Interim-Interval, :=, 60

Will this make sure that any user that doesn't have this attribute set
elswhere, will get 60?

Thanks


Re: Dropping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread Nataniel Klug

Hoercher,

I could not understand what you mean with this MIA. I will look for more 
info into my PPPoE-Server.


Att,

Nataniel Klug

K. Hoercher escreveu:

There is no such thing as user remains connected into my radius
server. It's the client's (here PPPoE Server?) responsibility to act
accordingly. In particular it should eventually update the accounting
if a client/user is MIA. That might be near to the problem you are
referring to.

Best regards
K .Hoercher






Re: Password Problem

2006-07-21 Thread DieselPower

Sorry for being such a noob, but what type of auth should I use? 

I'm going to go read the man to find out how to tell it to use crypted
passwords... unless anyone feels like giving me a pointer:) The howto I used
must have been a bad one.

Thanks
-- 
View this message in context: 
http://www.nabble.com/Password--Problem-tf1975280.html#a5438460
Sent from the FreeRadius - User forum at Nabble.com.



Re: Dropping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread K. Hoercher

On 7/21/06, Nataniel Klug [EMAIL PROTECTED] wrote:


I could not understand what you mean with this MIA. I will look for more
info into my PPPoE-Server.

Hi,

ok, sorry about that bit of levity. I meant missing in action in
respect of your not connected users. As I said, freeradius doesn't
keep some state of connected users, if they really aren't serviced
anymore due to whatever circumstances, it doesn't know so unless told
by something (looks like the mentioned PPPoE server here).

As you didn't provide much detail I'm left to guessing around. So I
talked about the accounting function of freeradius as something which
might be seen as coming near to having a state by recording
information it *gets*.

So, if you cannot find suitable information in the documentation,
please consider asking more specifically and provide as much
information about your problem as possible.

best regards
K. Hoercher


Re: Dropping clients from radius (they are connected into radius but they are not connected in their houses)

2006-07-21 Thread Nataniel Klug

Hoercher,

Thank you so much for your time. I really think that it is a problem 
over my pppoe-server but it is something I can't change (it's embedded into 
a system box). The configuration options for radius authentication are very limited.


To solve the problem I made a script on my linux box that gets info 
using net-snmp about the pppoe-users connected to the remote server. 
With this info I use radwho to tell me which users are in the radius 
database as online, so with these two pieces of information I can make a script to 
differentiate the files and tell me which user is still logged in (in 
freeradius) that is not online anymore on the pppoe-server. So I use 
radzap to drop the connection and allow the same login to get online 
again (I use simultaneous use = 1).


This is not the best option, but it is working for now... ;)

Att,

Nataniel Klug .'.



Re: Why doesn't := Always match?

2006-07-21 Thread Phil Mayers

Paul Long wrote:
> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the
> users file says, "Attribute := Value ... Always matches as a check
> item..." So does that mean, no matter what the value is, it will always


Well, the wording might be a bit confusing.

FreeRadius works the following way:

 1. All attribute-value pairs that come in are the request pairs
 2. Internal server attribute per-request are the config pairs
 3. Attribute-value pairs to go back to the client are the reply pairs

someuser User-Password := somevalue

...actually sets (unconditionally) the User-Password AVP in the config 
items. This password is *COMPARED* to the password supplied by the 
client in the request items. It's not a simple equality - a CHAP 
request will require a challenge/response calculation with the config 
password + request challenge and then an equality test of the chap response.



> match the attribute? I don't see that happening. As an experiment, I
> have a supplicant in a WiFi phone with user name of plong and password
> of 123. With the following entry in the users file:
>
>    plong    Auth-Type = Local, User-Password := 126
>
> ...I assumed it would match even though the value is different; however,


Though I realise the terminology might be initially confusing, how did 
you imagine a user with a password of 123 would be matched/accepted by 
a password of 126?



> it does not match, and the access request is rejected:
>
>  rlm_chap: login attempt by plong with CHAP password
>  rlm_chap: Using clear text password 126 for user plong authentication.
>  rlm_chap: Pasword check failed
>
> To get it to match, I have to have the correct value:
>
>    plong    Auth-Type = Local, User-Password := 123
>
> which results in this debug output:
>
>  rlm_chap: login attempt by plong with CHAP password
>  rlm_chap: Using clear text password 123 for user plong authentication.
>  rlm_chap: chap user plong authenticated succesfully


Yes...



> In fact, := behaves exactly like == in this case. What's the deal? Why
> doesn't := always match? Am I misunderstanding what it means to match?


As per man(5) users:

Attribute := Value
 Always matches as a check item, and replaces in the 
configuration items any attribute of the same name.  If no attribute of 
that name appears in the request, then this attribute is added. As a 
reply item, it has an identical meaning, but for the reply items, 
instead of the request items.


Basically, := is a force set operator. In a check item, it sets a 
check/config pair. In a reply item, it sets/forces a reply pair.


See doc/aaa.txt
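The CHAP check Phil describes, as an added example (not FreeRADIUS's rlm_chap code, and with a constructed challenge and ident): the server recomputes the response from the clear-text config password and compares it, so `User-Password := 126` is rejected while `:= 123` is accepted.

```python
import hashlib
import hmac

# Added example, not FreeRADIUS code: the challenge/response check that
# rlm_chap performs when a users-file entry supplies User-Password := ...
# as a config item. Values below are constructed for illustration.

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 s5.3: MD5(CHAP-Ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """What the supplicant puts in CHAP-Password: 1 ident byte + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def rlm_chap_check(config_password: str, chap_password: bytes, challenge: bytes) -> bool:
    """Recompute the response from the clear-text config password and compare.

    This only works with a clear-text password on the server side, which is
    why a hashed (Crypt-Password etc.) entry cannot authenticate CHAP.
    """
    if len(chap_password) != 17:  # malformed attribute: reject, do not crash
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, config_password, challenge)
    return hmac.compare_digest(expected, response)


# Constructed request: the phone (user plong, real password 123) answers a
# 16-byte challenge that the NAS sent as CHAP-Challenge (when that attribute
# is absent, the Request Authenticator serves as the challenge).
CHALLENGE = bytes(range(16))
CHAP_IDENT = 7
REQUEST_CHAP_PASSWORD = build_chap_password(CHAP_IDENT, "123", CHALLENGE)


def check_users_entry(config_password: str) -> bool:
    """Outcome for `plong    Auth-Type = Local, User-Password := <config_password>`."""
    return rlm_chap_check(config_password, REQUEST_CHAP_PASSWORD, CHALLENGE)


if __name__ == "__main__":
    for pw in ("126", "123"):
        verdict = "accept" if check_users_entry(pw) else "reject"
        print(f"User-Password := {pw} -> {verdict}")
```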


Re: Why doesn't := Always match?

2006-07-21 Thread Paul Long

Comments inline...

Phil Mayers wrote:

> Paul Long wrote:
>> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for
>> the users file says, "Attribute := Value ... Always matches as a
>> check item..." So does that mean, no matter what the value is, it
>> will always
>
> Well, the wording might be a bit confusing.
>
> FreeRadius works the following way:
>
>  1. All attribute-value pairs that come in are the request pairs
>  2. Internal server attribute per-request are the config pairs
>  3. Attribute-value pairs to go back to the client are the reply pairs
>
> someuser User-Password := somevalue
>
> ...actually sets (unconditionally) the User-Password AVP in the
> config items. This password is *COMPARED* to the password supplied
> by the client in the request items.

Okay, so then what is meant in the man page by "Always matches a check
item"? Should it have said, "Always checks a check item"? :-) As is, it
sounds like it always returns true.

> It's not a simple equality - a CHAP request will require a
> challenge/response calculation with the config password + request
> challenge and then an equality test of the chap response.
>
>> match the attribute? I don't see that happening. As an experiment, I
>> have a supplicant in a WiFi phone with user name of plong and
>> password of 123. With the following entry in the users file:
>>
>>    plong    Auth-Type = Local, User-Password := 126
>>
>> ...I assumed it would match even though the value is different; however,
>
> Though I realise the terminology might be initially confusing, how did
> you imagine a user with a password of 123 would be matched/accepted
> by a password of 126?

I didn't expect it to match/accept. I was just playing around with
values trying to better understand the operators. I have everything
working the way I want--I was just going for extra credit. :-)

>> it does not match, and the access request is rejected:
>>
>>  rlm_chap: login attempt by plong with CHAP password
>>  rlm_chap: Using clear text password 126 for user plong authentication.
>>  rlm_chap: Pasword check failed
>>
>> To get it to match, I have to have the correct value:
>>
>>    plong    Auth-Type = Local, User-Password := 123
>>
>> which results in this debug output:
>>
>>  rlm_chap: login attempt by plong with CHAP password
>>  rlm_chap: Using clear text password 123 for user plong authentication.
>>  rlm_chap: chap user plong authenticated succesfully
>
> Yes...
>
>> In fact, := behaves exactly like == in this case. What's the deal?
>> Why doesn't := always match? Am I misunderstanding what it means to
>> match?
>
> As per man(5) users:
>
> Attribute := Value
>  Always matches as a check item, and replaces in the
> configuration items any attribute of the same name. If no attribute
> of that name appears in the request, then this attribute is added. As
> a reply item, it has an identical meaning, but for the reply items,
> instead of the request items.
>
> Basically, := is a force set operator. In a check item, it sets a
> check/config pair.

So "Always matches a check item" just means that a check will be
performed and says nothing about the outcome of that check?

> In a reply item, it sets/forces a reply pair.
>
> See doc/aaa.txt


Re: pam_radius_auth issue

2006-07-21 Thread Alan DeKok
Mircea Harapu [EMAIL PROTECTED] wrote:
> The pam_radius_auth is sending User-Password without being encrypted.

  If you know more about RADIUS than the people on this list, I'm
curious why you're asking questions about it.

  Alan DeKok.


Re: Re[2]: FreeRadius+mysql+crypted passwords

2006-07-21 Thread Alan DeKok
Marek Soha - intrak.sk [EMAIL PROTECTED] wrote:
> Have you any idea to configure it with crypted passwords stored in the
> database and with cisco accesspoint clients authentication?
> Now I'm using EAP/PEAP in cisco ap to authorize windows xp client (PEAP
> required).

  Please go back and read my reply.  I already answered this.

  Asking the same question again is counter-productive.

  Alan DeKok.


Re: configuring FreeRadius pools

2006-07-21 Thread Alan DeKok
Elie Hani [EMAIL PROTECTED] wrote:
> Well I'm trying to configure 2 pools of IPs, where these pools should be
> created?

  In the server configuration?  Using the ippool module?

> can it be done on the radius and this radius will take care of
> giving the IPs to the users? or should I configure a dhcp and relay it to
> the radius?

  There are no DHCP to RADIUS gateways.

> I tried to configure on the radius, in the config file, in the ippools
> section, 2 pools of IPs, but it didn't work.

  That's a pretty pointless comment.

  See the FAQ.

  Alan DeKok.


Re: Access-Accept with invalid signature

2006-07-21 Thread Alan DeKok
Norbert Wegener [EMAIL PROTECTED] wrote:
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=32, length=20
> rad_decode: Received Access-Accept packet from client 127.0.0.1 port
> 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)

  That message would appear to be definitive.

> The output of radiusd -AX does not show anything strange to me and can
> be found at: http://www.wegener-net.de/fr/typescript

  For one, the password printed out in debugging mode is NOT what was
sent from the client.  And the only reason you got an Access-Accept is
that password checking was bypassed completely (Auth-Type Accept).

> So, is the last message important or can it be ignored?

  It's important.  Never ignore it.

  Alan DeKok.


Re: Active Directory (Win2003) rlm_ldap

2006-07-21 Thread Alan DeKok
Charlie B [EMAIL PROTECTED] wrote:
> I have checked the shared secret, and earlier in the debug you can see that
> it binds successfully.

  To LDAP?  That doesn't matter.  The shared secret isn't used there.

> After which it attempts to authenticate the user with
> the credentials provided and fails, the only thing I can see is that it is
> changing the password provided into garbage

  Because, as the message says, the shared secret is wrong.

> In all the examples I can find the password sent is in clear
> text, so then why in my example is it encrypted?

  Because the shared secret is wrong.

> How do I undo this?

  Use the correct shared secret.

  I fail to understand why you're arguing when you could just go fix
the shared secret, and prove to yourself that fixing it solves the
problem.

  Alan DeKok.
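Both the "invalid signature" thread and the Active Directory thread above come down to the shared secret, so here is an added Python example (not FreeRADIUS code; secret, authenticator and password are constructed) of the two RFC 2865 operations involved: the User-Password hiding that decodes to garbage when the server's secret differs from the client's, and the Response Authenticator check that produces the "invalid signature (err=2)" message.

```python
import hashlib
import hmac
import struct

# Added example, not FreeRADIUS code: the two places in RFC 2865 where the
# shared secret is used, and what a wrong secret does to each. All values
# (secret, authenticator, password) are constructed for illustration.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + prev block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of s5.2. With the wrong secret this yields bytes that are
    not the user's password: the 'garbage' seen in debug output."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + struct.pack(">H", length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def reply_is_valid(code, ident, attrs, request_auth, response_auth, secret) -> bool:
    """The client-side check that fails with 'invalid signature (err=2)'."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, response_auth)


# Constructed values: a client and server that agree, and a secret that does not.
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET, CLIENT_SECRET, WRONG_SECRET = b"testing123", b"testing123", b"Testing123"
ACCESS_ACCEPT, IDENT = 2, 32  # the id=32, length=20 Access-Accept in the log carries no attributes
```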