Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?
Ahh. yes. Ignore my reply. I neglected to read the history and assumed that you wanted to restrict which network devices certain groups of users should be able to access AFTER they are connected.

-Peter

On Tue 16 Jan 2007 12:00, Jan Mulders wrote:

Hoping to be more helpful here, I know how to implement this functionality in freeradius, but only when using a mysql database backend (which is a good idea for most setups using more than about 20 users). I am assuming you want to control user logins to multiple NASes and this is what you meant by user 'x' can only login to IP addr 'y' and/or 'z'. If you need to just filter traffic based on real network devices, for example where Y and Z are IP addresses on your network, you can safely ignore my first radgroupcheck entry below that restricts NAS choice.

If you get a standard mysql setup working, all you need to do is add the user's password to radcheck (for table names username,attribute,op,value you should have bobengineer,User-Password,==,nortel), and add the user to a group in radgroup (username,group = bobengineer,engineers). Then you can set group-specific policies by putting entries in radgroupcheck and radgroupreply, such as:

radgroupcheck: [groupname,attribute,op,value]
  engineers,NAS-IP-Address,==,11.22.33.44
    (all engineers connecting must do so from NAS with IP address 11.22.33.44)
  engineers,Pool-Name,==,engineers_pool
    (all engineers connecting will be assigned an IP from the 'engineers' IP pool, which means you can firewall them off using IPTables (or the Shorewall frontend to iptables, which I recommend using) or something similar)

Basically this provides you with both tools you will need - the ability to restrict where users can log into, and the ability to restrict what IP address users receive.

You'll need to set up rlm_ippool to automatically assign IPs, and you'll want to make sure your NAS devices send accounting packets (accounting start/stop are important - also if accounting stops aren't sent, you'll run out of IP addresses).

Hope this is a little more helpful than the usually flippant replies on the mailing list, I was in the same boat before too :-)

thanks, Jan

On 16/01/07, Peter Nixon [EMAIL PROTECTED] wrote:

Yep. It's called a firewall...

-Peter

On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:

I am using PAM for auth-type in my users file. Is there a simple way to say that user 'x' can only login to IP addr 'y' and/or 'z'? I have groups of engrs, admins, and operators and need to discriminate who can access which device.

Scott

-Original Message-
From: Ellis, Scott 1 (N-Comptel Inc.)
Sent: Tuesday, January 02, 2007 11:40 AM
To: 'FreeRadius users mailing list'
Cc: Ellis, Scott 1 (N-Comptel Inc.)
Subject: RE: How to restrict users /PAM to specific NAS devices??

I have looked it over, but I am still not clear. I was thinking that I could use huntgroups to map devices to specific groups, but then I am not clear on how to restrict users ('users' file) to those groups. I know this has probably been done most everywhere in one form or another. Any examples that show the actual entries in the approp. files?

Thanks, Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] us .org] On Behalf Of Alan DeKok
Sent: Tuesday, January 02, 2007 9:43 AM
To: FreeRadius users mailing list
Subject: Re: How to restrict users /PAM to specific NAS devices??

Ellis, Scott 1 (N-Comptel Inc.) wrote:

I am using PAM for Auth-Type. I want to be able to either 1) restrict the devices the user has access to (admins, operators, etc) by username and/or 2) preferably carve into groups my network gear/NAS devices and then assign users to groups.

See man rlm_passwd. Its documentation describes how to create groups like this.

Alan DeKok.
-- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
-- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
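The following is an added example, not code from the thread, from Jan or from FreeRADIUS. It models how the sql module applies the rows Jan describes: the radcheck item for the user, then each group's radgroupcheck items, with radgroupreply items handed out only for groups whose check items match. Assumptions: the classic table names (radcheck, usergroup, radgroupcheck, radgroupreply; they differ between FreeRADIUS versions), only the '==' operator on check items with exact string compares, and that a group whose check items do not match the request contributes no reply items rather than rejecting the request outright (the behaviour the sql module's configuration comments describe; confirm it for your version before relying on it for NAS restriction).

```python
"""Model of how the sql module applies per-user and per-group check items.

Added example, not FreeRADIUS or Jan's code. Table names, operators and the
'non-matching group is skipped' rule are assumptions stated in the lead-in.
The rows are the ones Jan describes for the 'engineers' group.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, username TEXT, groupname TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""


def build_db():
    """In-memory database holding the policy from the post."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
               ("bobengineer", "User-Password", "==", "nortel"))
    db.execute("INSERT INTO usergroup (username, groupname) VALUES (?, ?)",
               ("bobengineer", "engineers"))
    db.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
               ("engineers", "NAS-IP-Address", "==", "11.22.33.44"))
    db.execute("INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
               ("engineers", "Pool-Name", ":=", "engineers_pool"))
    return db


def checks_match(check_rows, request):
    """All check items must match; a '==' item against an attribute the
    request does not carry fails."""
    for attribute, op, value in check_rows:
        if op != "==":
            raise ValueError("operator %r not modelled" % op)
        if request.get(attribute) != value:
            return False
    return True


def authorize(db, request):
    """Return (user_ok, matched_groups, reply_items) for a request dict.

    user_ok is False when the user is unknown or a radcheck item fails
    (wrong User-Password on a PAP request). Reply items are collected
    only from groups whose radgroupcheck rows all match the request.
    """
    user = request["User-Name"]
    user_checks = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (user,)).fetchall()
    if not user_checks or not checks_match(user_checks, request):
        return False, [], {}
    groups = db.execute(
        "SELECT groupname FROM usergroup WHERE username = ? ORDER BY id", (user,)).fetchall()
    matched, reply = [], {}
    for (group,) in groups:
        group_checks = db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id",
            (group,)).fetchall()
        if not checks_match(group_checks, request):
            continue                      # this NAS is not allowed for the group
        matched.append(group)
        for attribute, op, value in db.execute(
                "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id",
                (group,)):
            reply[attribute] = value      # ':=' and '=' both modelled as a plain set
    return True, matched, reply


if __name__ == "__main__":
    db = build_db()
    for nas in ("11.22.33.44", "10.0.0.1"):
        print(nas, authorize(db, {"User-Name": "bobengineer",
                                   "User-Password": "nortel",
                                   "NAS-IP-Address": nas}))
```

Run it and bobengineer from 11.22.33.44 gets Pool-Name, while from any other NAS the group is skipped and he gets no pool; under the assumed semantics the sql module alone does not reject that second request, so whatever consumes Pool-Name (or a later policy) has to.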
Re: Bypassing freeradius accounting?
On Wed 17 Jan 2007 00:12, Tas Dionisakos wrote:

I have successfully set up freeradius, mysql, chillispot. I'm just wondering if there is a way to allow free sites for my users, without radius accounting? I'm guessing that IP tables rules will do the job, as in allow a subnet range to bypass accounting. Has anyone successfully done this before, maybe some IP tables rules?

Hi Tas

I guess you should ask this on the chillispot list

Cheers
-- Peter Nixon http://www.peternixon.net/
Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]
On Wed 17 Jan 2007 04:57, Long wrote:

Probably a file or directory has the wrong permissions. When you run in debug with -X the server runs as root. When you run for real it changes to user radiusd or whatever you set up. Try

strace -e open,stat -f radiusd

and look for EPERM lines. Are all the log files in /var/log/radius writable by the user you are running radiusd as?

-- Peter Nixon http://www.peternixon.net/
Re: Building from CVS
Hi,

I wanted to try the Pre2.0 release in the CVS to see if the TLS locking code fixed the problem I had with the SSL errors in PEAP. I downloaded the snapshot from ftp.freeradius.org: freeradius-server-snapshot-20070116.tar.bz2

I'm building on Debian, so I wanted to package it (especially since it's not really released code yet). I unzipped it, and ran

fakeroot dpkg-buildpackage -b -uc

It failed with:

checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor /lib/cpp fails sanity check
See `config.log' for more details.
make: *** [stamp-build] Error 1
netdev:/tmp/freeradius-server-snapshot-20070116#

Config.log is as follows

do you have GCC plus all its other dependencies installed? looks like configure can't find your compiler, link libraries or headers!

alan
Re: building 1.4 (CentOS 4.4) MYSQL 99% home
Hi,

Thanks to help from many folks here, tonight I got one property up and running on our new server. THANK YOU!

Now, another question. When I start radius with radiusd or /usr/local/sbin/radiusd, I get a brief message "reading configuration file..."; then, doing ps aux | grep radiusd returns nothing but my grep. If I start radius with radiusd -X all runs smoothly. Clearly, I need to be able to start it in normal mode and be able to verify its process; what am I doing wrong here? Version 1.4.

read /var/log/radiusd/radiusd.log or wherever the log files go. possibly file permissions - do you run as radiusd user? can the files be read by radiusd?

alan
Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]
Hi,

Long wrote:

BTW - I have it configured in radiusd.conf to run under nobody:nobody.

Andrew

Hey Andrew, I'm sure you've checked it, but was there anything interesting in radius.log? /var/log/messages? and is the /var/log/radius directory writable by the 'nobody' user?

alan
Re: Building from CVS
King, Michael wrote:

I unzipped it, and ran fakeroot dpkg-buildpackage -b -uc. It failed with:

checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor /lib/cpp fails sanity check
See `config.log' for more details.
make: *** [stamp-build] Error 1

apt-get install g++

-- Nicolas Baradakis
EAP-TLS certificate question
Hi all,

I've installed freeradius-1.1.3, use it with AP Aironet 1100 doing EAP-TLS and it works very well. I'm still confused about certificates: can all client certificates created under 1 root CA be authenticated against a freeradius that is started with a different server certificate? Is it possible to set things up like this:

              root ca
             /   |   \
            /    |    \
      server1  server2  server3
        |        |        |
     client1  client2  client3

I don't want client1 to be authenticated against server2 or server3.

thanks
Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]
Are all the log files in /var/log/radius writable by the user you are running radiusd as?

Configured to run as nobody:nobody. chmod -R nobody:nobody /usr/local/var/log/radiusd allows me to run it as nobody now, but if I do radiusd radlog the radlog still only contains the first line "Starting - reading configuration files..." - although it does run and I can ps the process. Should I change permissions on all the other (/usr/local/etc/raddb..., /usr/local/share/freeradius...) files? I would very much appreciate a dir-by-dir listing of someone else's permissions, including the relevant libraries. Is there anything wrong with my radiusd radlog (as root), considering I am including the while the process drops to background anyway? And does the user need to have a real shell, as nobody is nologin?

-Andrew
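Added example for the permissions question running through this thread (not code from any of the posters). It lists what a given uid/gid could not write under a directory tree, which is the check the server fails after it drops from root to nobody/radiusd and which -X hides because debug mode stays root. It applies the classic mode-bit rules only; ACLs, SELinux and read-only mounts are outside the model, and the sample tree is constructed in a temporary directory.

```python
"""List what a non-root radiusd could not write under a directory tree.

Added example (not from the thread). Mode-bit rules only: ACLs, SELinux
and read-only mounts are not considered. The sample tree is constructed.
"""
import os
import stat
import tempfile


def can_write(st, uid, gid, groups=()):
    """Mode-bit write check for one stat result; root writes everything."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def unwritable(root, uid, gid, groups=()):
    """Sorted paths under root (directories included) that uid/gid cannot write.

    A directory the server cannot write matters as much as a log file: new
    detail files get created inside it."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if not can_write(st, uid, gid, groups):
                bad.append(path)
    return sorted(bad)


def make_sample_tree():
    """Constructed layout: a 0700 directory holding a 0600 log and a 0666 detail file."""
    root = tempfile.mkdtemp(prefix="radlog-")
    os.chmod(root, 0o700)
    private = os.path.join(root, "radius.log")
    shared = os.path.join(root, "detail")
    for path, mode in ((private, 0o600), (shared, 0o666)):
        open(path, "w").close()
        os.chmod(path, mode)
    return {"root": root, "private": private, "shared": shared,
            "owner_uid": os.getuid(), "owner_gid": os.getgid()}


if __name__ == "__main__":
    tree = make_sample_tree()
    # uid/gid 65534 for 'nobody' is an assumption; pass the ids your radiusd runs as
    for path in unwritable(tree["root"], 65534, 65534):
        print("not writable by uid 65534:", path)
```

Point it at the real log, detail and ippool directories with the uid and gid from the `user`/`group` settings in radiusd.conf; anything it prints is what the running server will fail on, whether or not -X works.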
A couple of questions PoPToP+FreeRadius+IAS
My configuration is:

[poptop pptpd pppd][freeradius]-[Microsoft IAS][ADS]

pptpd is 1.3.3, pppd is 2.4.4, freeradius is 1.1.3. Clients come in from the internet, authenticate via MS IAS, but accounting is done by freeradius. All seems good. Clients go OK. Auth and accounting seem OK too. But I have a couple of questions.

1. Accounting of Calling-Station-Id returns only the first 4 characters of the user's IP address. I noticed that if some user enters using his remote IP like 77.122.215.143 the record of his Calling-Station-Id would be

Calling-Station-Id = 1.77

which are the first 4 symbols of the IP address in reverse order. What's goin' wrong? I suppose that Calling-Station-Id should be the whole IP address.

2. Radius does not understand some attributes from the client.

a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30: 0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for user21

But I know that these are

VALUE Service-Type Dialback-Framed-User 4
ATTRIBUTE MS-CHAP2-Response 25 octets

as they are written in the dictionary file. For the first case users can not login. Radius refuses them by wrong service type. In the second case users login OK but I want to know why there is an error anyway. What is wrong here?

Thanks for replies,
--- Oleg.
setting user profile depending on realms?
Hi list!

We have an internal LAN with several VLANs, each corresponding to the unix group of the users. This VLAN information is stored in OpenLDAP (via radiusprofiledn), and that works :-)

But we want to give our users the possibility to get into a special VLAN, in particular one which is called Internetcafe (in which they can use special services). I thought of doing this by adding a realm to the username, so the users can either use username or [EMAIL PROTECTED] and get the appropriate VLAN. To do this I added the following line in /etc/raddb/users:

DEFAULT User-Name =~ "@ic$", User-Profile := "cn=InternetCafe,ou=VLAN,o=Testnet"

But this works only if I do not have a radiusprofiledn attribute in the user's entry in OpenLDAP, otherwise it works. Is there a way to override the userprofile given back by freeradius if the user adds a @ic (or whatever realm)? Or is there even a better way to achieve this goal and I am thinking in a completely wrong direction?

Thanks in advance for any hints!

Regards
Markus

-- Markus Krause email: [EMAIL PROTECTED] Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS by order of the Computing Center of the Max-Planck-Institute of Biochemistry Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98
Re: EAP-TLS certificate question
kemas wrote:

Hi all, I've installed freeradius-1.1.3, use it with AP Aironet 1100 doing EAP-TLS and it works very well. I'm still confused about certificates: can all client certificates created under 1 root CA be authenticated against a freeradius that is started with a different server certificate?

I haven't tried it, but it's possible, yes.

Alan DeKok.
RE : A couple of questions PoPToP+FreeRadius+IAS
2. Radius does not understand some attributes from the client.

a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30: 0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for user21

But I know that these are VALUE Service-Type Dialback-Framed-User 4 and ATTRIBUTE MS-CHAP2-Response 25 octets as they are written in the dictionary file.

There must be a mistake in your /etc/radiusclient/dictionary file. Check that you use a 'INCLUDE /etc/radiusclient/dictionary.microsoft' line and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'. Check also the permissions on the dictionary files.

HTH,
Thibault
Re: A couple of questions PoPToP+FreeRadius+IAS
Marxy wrote:

1. Accounting of Calling-Station-Id returns only first 4 characters of user's IP address.

If that's what the RADIUS client is sending, then the only solution is to fix the client so it sends the correct information.

2. Radius does not understand some attributes from client.
a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30: 0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for user21

The client doesn't understand the response of the server. Again, the only solution is to fix the client.

Alan DeKok.
Re: How to send tome clients to the same detail file
On Tue, 07-11-2006 at 18:29 -0500, Alan DeKok wrote:

Angel L. Mateo [EMAIL PROTECTED] wrote:

But now I want to send all the logs for requests from a group of clients (defined as a huntgroup) to the same files, and the requests for all other clients as now (classified with the IP address of the client). Is there any way to redefine these files for a set of clients?

Yes. Define an attribute, and set it per-client. Then use that attribute in the expansion of the detailfile.

Hello,

After a lot of time, I have taken up this issue again. I want a group of radius clients (defined in the same huntgroup) to log their requests (detail and auth-detail files) in the same file. So I have redefined my log files as:

detail {
    detailfile = ${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d
    detailperm = 0600
}

detail auth_log {
    detailfile = ${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/auth-detail-%Y%m%d
    detailperm = 0600
}

So if I have a client defined in a huntgroup, it logs to the huntgroup's log files and if not, it logs to a directory identified by its client IP address.

My problem is that this is working fine for the auth-detail file, but the detail file is still logging individually, without using the Huntgroup-Name variable.

Any idea?

-- Angel L. Mateo Martínez, Sección de Telemática, Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA), http://www.um.es/atica, Tfo: 968367590, Fax: 968398337
Re: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request
Haas Florian wrote:

The tricky part is that XP's supplicant, which supplies the username as DOMAIN\\Username while a user is logged on, supplies a username in the form of host/computername.my.domain otherwise -- this corresponds to the servicePrincipalName attribute on the machine's object in MSAD. This is of course a format that ntlm_auth can't deal with.

Why not? There's a reason that the ntlm_auth configuration is editable in the mschap module. Just edit it to do whatever you want.

If all else fails, replace ntlm_auth with a Perl script that looks at the environment variables, and determines the proper arguments to use.

Alan DeKok.
Re: RE : A couple of questions PoPToP+FreeRadius+IAS
It seems there are no mistakes in the dictionary file. It is the standard one from the RH distribution. BTW, freeradius uses $INCLUDE, not INCLUDE as you advised. With INCLUDE you will see something like

Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: dict_init: /etc/raddb/dictionary[14] invalid keyword INCLUDE

Thibault LE MEUR wrote:

There must be a mistake in your /etc/radiusclient/dictionary file. Check that you use a 'INCLUDE /etc/radiusclient/dictionary.microsoft' line and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'. Check also the permissions on the dictionary files.
Re: A couple of questions PoPToP+FreeRadius+IAS
Alan DeKok-4 wrote:

Marxy wrote:

1. Accounting of Calling-Station-Id returns only first 4 characters of user's IP address.

If that's what the RADIUS client is sending, then the only solution is to fix the client so it sends the correct information.

My radius client is the standard radiusclient software. But it seems there are no settings for that in its /etc/radiusclient/radiusclient.conf

Alan DeKok-4 wrote:

2. Radius does not understand some attributes from client.
a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30:

The client doesn't understand the response of the server. Again, the only solution is to fix the client.

Yes. You are quite right. I added the missing attributes to the radiusclient dictionary file.

ATTRIBUTE MS-CHAP2-Response 25 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer

And this problem has gone.

Alan DeKok-4 wrote:

0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for user21

The line that describes service-type 4 was already in the radiusclient dictionary file

VALUE Service-Type Callback-Framed-User 4

But it does not help.
One question about Access-Request packet
Hi, I have one question: Why when I try auth. by laptop-wifi over linksys it sends this request:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
    User-Name = "rka"
    NAS-IP-Address = 192.168.1.245
    Called-Station-Id = "001217694588"
    Calling-Station-Id = "0014a41e7112"
    NAS-Identifier = "001217694588"
    NAS-Port = 61
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000801726b61
    Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464

Request without User-Password - and that is a problem with auth. When I try auth. over lan my PC sends this request:

rad_recv: Access-Request packet from host 10.44.3.15:62963, id=66, length=55
    User-Name = "rka"
    User-Password = "qazwsxedc"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 0

And the auth. is correct. Where is the problem? Maybe with Linksys? This is WPA54G.

Thanks a lot for help
BR,
-- Rafal Kaminski http://blstream.com email: [EMAIL PROTECTED] jid: [EMAIL PROTECTED]
RE : RE : A couple of questions PoPToP+FreeRadius+IAS
It seems there are no mistakes in the dictionary file. It is the standard one from the RH distribution. BTW, freeradius uses $INCLUDE, not INCLUDE as you advised. With INCLUDE you will see something like

Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: dict_init: /etc/raddb/dictionary[14] invalid keyword INCLUDE

I'm talking about the radiusclient library's dictionaries, not the Freeradius ones: the ones that can be found on your PopTop server, not the Freeradius server. Look at the path I wrote: it's not /etc/raddb/dictionary, but /etc/radiusclient/dictionary. The issue here is that the radiusclient package doesn't come with the necessary dictionaries. So check on your PopTop server that the /etc/radiusclient/dictionary contains an 'INCLUDE' and not '$INCLUDE' for the dictionary.microsoft file.

HTH,
Thibault
RE : A couple of questions PoPToP+FreeRadius+IAS
-Original Message-
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On Behalf Of Marxy
Sent: Wednesday 17 January 2007 14:39
To: freeradius-users@lists.freeradius.org
Subject: Re: A couple of questions PoPToP+FreeRadius+IAS

Alan DeKok-4 wrote:

Marxy wrote:

1. Accounting of Calling-Station-Id returns only first 4 characters of user's IP address.

If that's what the RADIUS client is sending, then the only solution is to fix the client so it sends the correct information.

My radius client is the standard radiusclient software. But it seems there are no settings for that in its /etc/radiusclient/radiusclient.conf

Alan DeKok-4 wrote:

2. Radius does not understand some attributes from client.
a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown attribute 25 of length 30:

The client doesn't understand the response of the server. Again, the only solution is to fix the client.

Yes. You are quite right. I added the missing attributes to the radiusclient dictionary file.

ATTRIBUTE MS-CHAP2-Response 25 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer

It might not be enough. Could you check this post and give it a try?
http://lists.freeradius.org/pipermail/freeradius-users/2007-January/059299.html

Thibault
Re: One question about Access-Request packet
Rafał Kamiński wrote:

Why when I try auth. by laptop-wifi over linksys it sends this request: ... Request without User-Password - and that is a problem with auth.

The authentication method is called EAP. It's the way wireless is supposed to work. See eap.conf.

Alan DeKok.
RE : One question about Access-Request packet
Hi, I have one question: Why when I try auth. by laptop-wifi over linksys it sends this request:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0, length=119
    User-Name = "rka"
    NAS-IP-Address = 192.168.1.245
    Called-Station-Id = "001217694588"
    Calling-Station-Id = "0014a41e7112"
    NAS-Identifier = "001217694588"
    NAS-Port = 61
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000801726b61
    Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464

Request without User-Password - and that is a problem with auth.

This is normal because it is an EAP authentication request: so this is not a problem for authentication as long as you have enabled and configured EAP in the freeradius configuration (see eap.conf).

Thibault
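Added example for the two replies above; it is not code from the thread or from FreeRADIUS. It decodes the EAP-Message Rafal posted (which turns out to be an EAP Identity Response carrying "rka", the reason the packet has no User-Password), re-encodes the whole posted Access-Request to confirm the length of 119, and shows how the Message-Authenticator that accompanies any EAP-Message is computed and verified (RFC 3579: HMAC-MD5 keyed with the shared secret over the packet with that attribute's value zeroed). The shared secret and Request Authenticator are constructed, since the real ones are not on the page.

```python
"""Decode the posted EAP-Message and compute/verify Message-Authenticator.

Added example, not code from the thread or from FreeRADIUS. Attribute
values are the ones posted; the shared secret and Request Authenticator
are constructed.
"""
import hashlib
import hmac
import socket
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MS-CHAPv2"}


def decode_eap(data):
    """Parse one EAP packet (RFC 3748): Code, Identifier, Length, Type, data."""
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d but %d bytes present" % (length, len(data)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type byte
        out["type"] = EAP_TYPES.get(data[4], data[4])
        out["data"] = data[5:]
    return out


# RADIUS attribute numbers used below (RFC 2865 / RFC 2869)
A = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Framed-MTU": 12,
     "Called-Station-Id": 30, "Calling-Station-Id": 31, "NAS-Identifier": 32,
     "NAS-Port-Type": 61, "EAP-Message": 79, "Message-Authenticator": 80}
WIRELESS_80211 = 19


def avp(name, value):
    """Type(1) Length(1) Value; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", A[name], len(value) + 2) + value


def u32(n):
    return struct.pack("!I", n)


def access_request(ident, authenticator, attrs, secret):
    """Access-Request with Message-Authenticator (RFC 3579 3.2): HMAC-MD5 keyed
    with the shared secret over the whole packet, computed with the
    Message-Authenticator value zeroed, then written into that slot."""
    body = b"".join(avp(n, v) for n, v in attrs) + avp("Message-Authenticator", bytes(16))
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac               # the zeroed slot is the last 16 bytes


def verify_message_authenticator(packet, secret):
    """Recompute over a copy with the slot zeroed; False if absent or wrong."""
    pos = 20
    while pos + 2 <= len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("bad attribute length at offset %d" % pos)
        if t == A["Message-Authenticator"] and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += l
    return False   # RFC 3579: an EAP-Message request without it must be rejected


# The attributes of the posted wireless request, in the order printed.
POSTED_ATTRS = [
    ("User-Name", b"rka"),
    ("NAS-IP-Address", socket.inet_aton("192.168.1.245")),
    ("Called-Station-Id", b"001217694588"),
    ("Calling-Station-Id", b"0014a41e7112"),
    ("NAS-Identifier", b"001217694588"),
    ("NAS-Port", u32(61)),
    ("Framed-MTU", u32(1400)),
    ("NAS-Port-Type", u32(WIRELESS_80211)),
    ("EAP-Message", bytes.fromhex("0201000801726b61")),
]


def rebuild_posted_request(secret=b"constructed-secret", authenticator=bytes(range(16))):
    """Re-encode the posted request; the length comes out at 119, as in the debug output."""
    return access_request(0, authenticator, POSTED_ATTRS, secret)


if __name__ == "__main__":
    print(decode_eap(bytes.fromhex("0201000801726b61")))
    pkt = rebuild_posted_request()
    print(len(pkt), verify_message_authenticator(pkt, b"constructed-secret"))
```

The decoded EAP-Message is Code 2 (Response), Identifier 1, Type 1 (Identity), identity "rka": the password never appears in the RADIUS packet because the EAP method negotiated afterwards carries the credentials, and the Message-Authenticator is what keeps the NAS from forging or altering that exchange with a wrong shared secret.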
Re: RE : A couple of questions PoPToP+FreeRadius+IAS
Thibault LE MEUR wrote:

The client doesn't understand the response of the server. Again, the only solution is to fix the client.

Yes. You are quite right. I added the missing attributes to the radiusclient dictionary file.

ATTRIBUTE MS-CHAP2-Response 25 string
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer

It might not be enough.

It is enough 'cause I had added all the microsoft vendor's attributes earlier. Thanks. I have other unsolved problems.
3ComSwitch Login
Hi All,

Sorry team, but I still have a problem authenticating a valid Administrator user on a 3Com switch. My question is, has anyone implemented this feature? I really don't know where to start the solution in freeradius.
freeradius working with quintum cms
Hi all,

Can someone share his experience with me in getting freeradius to work with quintum CMS?

goksie
Re: 3ComSwitch Login
Hi Alexandre,

I think you need RADIUS to return the Service-Type attribute as Administrative for it to work.

-Vineet

Alexandre Soares wrote:

Hi All, Sorry team, but I still have a problem authenticating a valid Administrator user on a 3Com switch. My question is, has anyone implemented this feature? I really don't know where to start the solution in freeradius.
AW: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request
Hello.

Why not? There's a reason that the ntlm_auth configuration is editable in the mschap module. Just edit it to do whatever you want. If all else fails, replace ntlm_auth with a Perl script that looks at the environment variables, and determines the proper arguments to use.

Ahem. From my original message you may have read that your suggestion describes precisely what I am trying to implement, and that modifying the parameters passed to ntlm_auth is exactly my intention. I also understand that I could use a wrapper script or possibly do all sorts of things with %{exec:} and/or %{expr:}. I could also do some simple text mangling with the User-Name attribute as passed by the XP supplicant.

However, the most elegant way of working around the servicePrincipalName that XP seems to provide when no user is logged on[1] would be to query MSAD for the corresponding sAMAccountName, and use that for NTLM authentication. I could write some Perl or Python or shell script that retrieves that information from MSAD, invoke that script via %{exec:}, and put its output in the ntlm_auth command arguments (or invoke it instead of ntlm_auth, for that matter). However, it seems sort of ridiculous to run an additional LDAP query for just that purpose, considering all the relevant information should already be available to FreeRADIUS at that point.

So, to clarify my original question. What I want is this:

1. Put the value of an LDAP attribute (sAMAccountName) into a variable when the user is authorized in LDAP.
2. Access that variable when the user is being authenticated via MS-CHAPv2, and put it into the --username argument of ntlm_auth.

I do understand that this would require registering said variable in dictionary and ldap.attrmap. I also understand that I need to set up a proper filter in the configuration of the ldap module, for correct authorization of the user that's being identified by its servicePrincipalName in this case. I have done all that.

What else would I need, if what I'm trying to do is at all possible?

Cheers,
Florian

[1] Yes, a rant about the XP supplicant providing wrong data in this case is in order, however that's not going to persuade my customer to switch to Ubuntu. :-)
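Added example, not Florian's code: the "simple text mangling" route he mentions, as the wrapper that would sit in the mschap module's ntlm_auth line. It turns the three User-Name shapes the XP supplicant sends (DOMAIN\\user, user@realm, host/computername.dns.domain) into the --username and --domain arguments of ntlm_auth. Two assumptions are built in: that a computer object's sAMAccountName is the host name in upper case followed by "$" (the Active Directory convention, which is why the LDAP lookup can be skipped) and that the first label of the DNS domain is the NetBIOS domain name; both are worth confirming against your directory. The domain names in the code are constructed.

```python
"""Map the User-Name forms an XP supplicant sends to ntlm_auth arguments.

Added example, not Florian's code. Assumptions: machine accounts are named
HOSTNAME$ and the first DNS label is the NetBIOS domain. Domain names here
are constructed.
"""
import re

DEFAULT_DOMAIN = "EXAMPLE"   # assumed NetBIOS domain for names that carry none


def ntlm_identity(user_name, default_domain=DEFAULT_DOMAIN):
    """Return (domain, username) for ntlm_auth from a RADIUS User-Name.

    Handles DOMAIN\\user, user@realm and host/computer.fqdn (machine auth).
    """
    m = re.fullmatch(r"host/([^./]+)(?:\.(.+))?", user_name)
    if m:
        host, dns_domain = m.group(1), m.group(2)
        domain = dns_domain.split(".")[0].upper() if dns_domain else default_domain
        return domain.upper(), host.upper() + "$"      # machine account name, by convention
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain.upper(), user
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return realm.split(".")[0].upper(), user
    return default_domain.upper(), user_name


def ntlm_auth_argv(user_name, challenge_hex, nt_response_hex):
    """Argument vector the mschap module would hand to ntlm_auth; the option
    names are the ones the stock mschap configuration uses."""
    domain, user = ntlm_identity(user_name)
    return ["ntlm_auth", "--request-nt-key",
            "--username=" + user, "--domain=" + domain,
            "--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]


if __name__ == "__main__":
    for name in ("host/pc17.my.domain", "MYDOM\\alice", "bob@my.domain", "carol"):
        print(name, "->", ntlm_auth_argv(name, "00", "00")[2:4])
```

If the host-name convention does not hold for your domain (renamed computers, pre-Windows-2000 names), the LDAP lookup Florian describes is the robust alternative; this wrapper is only correct where sAMAccountName really is HOSTNAME$.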
SPLAT question
Hello,

This pertains to Freeradius 1.1.0. I am having trouble setting up freeradius and Checkpoint's SecurePlatform Pro (SPLAT) firewall (which is a stripped down Linux) so that administrators logging into the firewalls will be authenticated by the freeradius server. According to the SPLAT Pro user guide I should be able to set up a group on the firewall and I should not have to define all the individual users on the firewall. Once the user enters the username and password that info will be passed to the freeradius server along with the group (which is already defined on the firewall). When I start the freeradius server with the -AX switches I really don't see it reading the following that I set up in the radiusd.conf file:

passwd etc_group {
    filename = /etc/freeradius/group
    format = "=Group-Name:::*,User-Name"
    hashsize = 50
    ignorenislike = yes
    allowmultiplekeys = yes
    delimiter = ":"
}

I'm not sure if this is how you tell it to look in the group file and not sure why I do not see this in the messages when I start freeradius??? Is anybody else doing this and if so can you provide some guidance? Thanks so much.

Regards,
Patrick Enright
Information Security Architecture Team
[EMAIL PROTECTED]
Re: SPLAT question
Enright Patrick - penrig wrote:

I'm not sure if this is how you tell it to look in the group file and not sure why I do not see this in the messages when I start freeradius...???

G'day Patrick,

You've defined the etc_group module but you also need to instantiate it. Add etc_group to the authorize { } section further down in radiusd.conf.

-- James Wakefield, Unix Administrator, Information Technology Services Division, Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
Re: EAP-TLS certificate question
On Wed, 2007-01-17 at 13:36 +0100, Alan DeKok wrote:
> kemas wrote:
>> Hi all, I've installed freeradius-1.1.3 and use it with an AP Aironet 1100 doing EAP-TLS, and it works very well. I am still confused about certificates: can all client certificates created under one root CA be authenticated against a FreeRADIUS that was started with a different server certificate?
>
> I haven't tried it, but it's possible, yes.

Is there any howto or link about it? Maybe someone would share the light.

thanks

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
monitoring freeradius with nagios
All,

When trying to use the radauth tool from Nagios to monitor FreeRADIUS, I get the following in the FreeRADIUS log:

    Error: WARNING: Malformed RADIUS packet from host ... too long (length 18432 maximum 4096)

radtest seems to be OK. Has anyone else experienced this or knows what is wrong?
Does the Users file still support auth-type :=PAM in ver 1.1.4?
Re: monitoring freeradius with nagios
Mike wrote:
> All,
> When trying to use the radauth tool from nagios to monitor freeradius, I get the following in the freeradius log:
>
> Error: WARNING: Malformed RADIUS packet from host ... too long (length 18432 maximum 4096)
>
> radtest seems to be ok. has anyone else experienced this or knows what is wrong?

G'day Mike,

Fire up Wireshark or tcpdump and have a look at what's actually in the packets.

--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au
RE: help
Hi Alan,

Now everything works but the Active Directory authentication. Please see the following output from `radiusd -X` when a wireless client uses the administrator logon on the chillispot web logon page:

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
            User-Name = administrator
            CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
            CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
            NAS-IP-Address = 0.0.0.0
            Service-Type = Login-User
            Framed-IP-Address = 192.168.182.5
            Calling-Station-Id = 00-16-6F-79-91-F4
            Called-Station-Id = 00-05-5D-9E-0F-94
            NAS-Identifier = nas01
            Acct-Session-Id = 45aec9a9
            NAS-Port-Type = Wireless-802.11
            NAS-Port = 0
            Message-Authenticator = 0x97668bae73249b0dd4755ab03d364f34
            WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module preprocess returns ok for request 0
      rlm_chap: Setting 'Auth-Type := CHAP'
      modcall[authorize]: module chap returns ok for request 0
      modcall[authorize]: module mschap returns noop for request 0
        rlm_realm: No '@' in User-Name = administrator, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 0
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 0
        users: Matched DEFAULT at 153
      modcall[authorize]: module files returns ok for request 0
    modcall: group authorize returns ok for request 0
      rad_check_password: Found Auth-Type CHAP
    auth: type CHAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
      rlm_chap: login attempt by administrator with CHAP password
      rlm_chap: Could not find clear text password for user administrator
      modcall[authenticate]: module chap returns invalid for request 0
    modcall: group Auth-Type returns invalid for request 0
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
    Sending Access-Reject of id 0 to 127.0.0.1:32772
    --- Walking the entire request list ---
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 0 with timestamp 45aecedc
    Nothing to do.  Sleeping until we see a request.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Wan
Sent: Friday, 5 January 2007 11:26 AM
To: FreeRadius users mailing list
Subject: RE: help

Hi Alan,

Many thanks for your help. Now the Kerberos service and the Samba service are running. I have followed your instructions on your web page, but I still experience a similar issue; please see the following:

    [EMAIL PROTECTED] ~]# net join -U Administrator
    Administrator's password:
    [2007/01/05 10:10:15, 0] libads/kerberos.c:ads_kinit_password(146)
      kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find KDC for requested realm
    [2007/01/05 10:10:15, 0] utils/net_ads.c:ads_startup(186)
      ads_connect: Cannot find KDC for requested realm
    Joined domain MBUS.
    [EMAIL PROTECTED] ~]# wbinfo -a administrator%password
    plaintext password authentication failed
    Could not authenticate user administrator%password with plaintext password
    could not obtain winbind separator!
    could not obtain winbind domain name!
    challenge/response password authentication failed
    Could not authenticate user administrator with challenge/response

Would you please give me some hints so I could try it again? All I need is to allow the FreeRADIUS server and Chillispot to hand over the authentication (for wireless clients) to the Win2k3 Active Directory. To be able to achieve that, I have to make sure the above two steps are working (at the moment they are not working).

Many thanks again in advance.

Regards
John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 14 December 2006 12:20 PM
To: FreeRadius users mailing list
Subject: Re: help

John Wan wrote:
> Would you please give me some hints how to start the Kerberos server and how to solve the issue of ads_connect: Invalid credentials.

Unfortunately, I'm not a Kerberos or Samba expert. I know just enough to follow the script. If it doesn't work, I suggest asking on the Samba / Kerberos lists, i.e. the people who wrote the software are the ones most likely to be able to help you.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: Building from CVS
> -----Original Message-----
> apt-get install g++

Thank you. Apparently, this would be my first Debian box that didn't have g++ out of the box. (I've built more than 10 following the same cookbook that our office wrote.) I guess gcc and gpp weren't enough. It built... Well, it's building as I type.
Re: monitoring freeradius with nagios
On Wed, 17 Jan 2007, Mike wrote:
|- All,
|- When trying to use the radauth tool from nagios to monitor
|- freeradius, I get the following in the freeradius log:
|-
|- Error: WARNING: Malformed RADIUS packet from host ... too long (length
|- 18432 maximum 4096)
|-
|- radtest seems to be ok. has anyone else experienced this or knows
|- what is wrong?

I know that with some monitoring tool I used a while ago (WhatsUp Gold, I think) I had to add the IP of the WhatsUp server as a NAS to the allowed list, with the shared secret, to monitor an old Livingston RADIUS server. I have not tried it with my FreeRADIUS box yet, but I think I might, just to see. The FR is not in production as of yet, so I'm not worried about it.
Re: rlm_eap: SSL error
On 17/01/2007, at 4:47 PM, Alan DeKok wrote:
> James Lever wrote:
>> Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
>
> That just means there's no client certificate.

Interesting, given I'm only allowing EAP-TLS access to my wireless LAN (or attempting to).

Below is the log output when run in full debugging (excerpt):

--
      rad_check_password:  Found Auth-Type EAP
    auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/tls
      rlm_eap: processing type tls
      rlm_eap_tls: Authenticate
      rlm_eap_tls: processing TLS
    eaptls_verify returned 7
      rlm_eap_tls: Done initial handshake
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0be8], Certificate
    chain-depth=1,
    error=0
    --> User-Name = clientCN
    --> BUF-Name = :30 2007 : Info: Ready to process requests.
    --> subject = /C=AU/issuerDN
    --> issuer  = /C=AU/issuerDN
    --> verify return:1
    radius_xlat: 'clientCN'
        rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed value (clientCN)
    chain-depth=0,
    error=0
    --> User-Name = clientCN
    --> BUF-Name = clientCN
    --> subject = /C=AU/clientDN
    --> issuer  = /C=AU/issuerDN
    --> verify return:1
        TLS_accept: SSLv3 read client certificate A
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
        TLS_accept: SSLv3 read client key exchange A
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify
        TLS_accept: SSLv3 read certificate verify A
    rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
    rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
        TLS_accept: SSLv3 read finished A
    rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
        TLS_accept: SSLv3 write change cipher spec A
    rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
        TLS_accept: SSLv3 write finished A
        TLS_accept: SSLv3 flush data
        (other): SSL negotiation finished successfully
    rlm_eap: SSL error error::lib(0):func(0):reason(0)
    SSL Connection Established
      eaptls_process returned 13
      modcall[authenticate]: module eap returns handled for request 6
    modcall: leaving group authenticate (returns handled) for request 6
--

When I try to do the same with a certificate from another CA it fails as expected.

So why does the EAP-TLS login work even though it complains that no certificate was received? Is the certificate actually validated, and hence there really was no error, or is FreeRADIUS or OpenSSL authorising where it should not?

cheers,
James
Re: SPLAT question
Enright Patrick - penrig wrote:
> When I start the freeradius server with the -AX switches I really don't see it reading the following that I set up in the radiusd.conf file:
>
>     passwd etc_group {
>         filename = /etc/freeradius/group
>         format = =Group-Name:::*,User-Name

You can't use the Group-Name attribute. That's reserved for Unix groups. You have to define your own attribute. See man rlm_passwd for examples.

> I'm not sure if this is how you tell it to look in the group file

See man rlm_passwd. It gives examples.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
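To make the rlm_passwd format string in this thread concrete, here is an added example (not FreeRADIUS code, and not from anyone on the list) that emulates what the module does with an /etc/group-style file. The format rules are my reading of the rlm_passwd man page: each delimiter-separated field names an attribute, an empty name skips that column, `*` marks the lookup key and `*,` a key column that is itself a comma-separated list, `=` sends the value to the check (config) items instead of the reply, and `~` sends it to the request. Following Alan's point, the group column is mapped to a private attribute called My-Group instead of Group-Name; that name, the group file contents and the user names are constructed for the example, and My-Group would have to be added to the local dictionary as the man page describes.

```python
"""Emulate an rlm_passwd 'format' lookup over a colon-delimited group file.

Added example, not FreeRADIUS code.  Format rules (my reading of the
rlm_passwd man page): '*' key column, '*,' comma-separated key column,
'=' value goes to check items, '~' value goes to request items, empty
name skips the column.  Attribute name My-Group and file contents are
constructed for this example.
"""
from typing import Dict, List, Tuple

# Constructed /etc/group-style content: name:password:gid:member,member,...
SAMPLE_GROUP_FILE = """\
fwadmins:x:1001:patrick,alice
fwoperators:x:1002:bob,patrick
engineers:x:1003:
+:::
"""

# Group-Name is reserved for Unix groups (rlm_unix), so a private attribute is used.
FORMAT = "=My-Group:::*,User-Name"

Field = Tuple[str, bool, bool, str]  # (attribute, is_key, key_is_list, destination)


def parse_format(fmt: str, delimiter: str = ":") -> List[Field]:
    """Split a format string into one rule per column."""
    fields: List[Field] = []
    for raw in fmt.split(delimiter):
        is_key = raw.startswith("*")
        if is_key:
            raw = raw[1:]
        key_is_list = is_key and raw.startswith(",")
        if key_is_list:
            raw = raw[1:]
        dest = "reply"
        if raw[:1] == "=":
            dest, raw = "check", raw[1:]
        elif raw[:1] == "~":
            dest, raw = "request", raw[1:]
        fields.append((raw, is_key, key_is_list, dest))
    return fields


def lookup(text: str, fmt: str, key: str, delimiter: str = ":",
           ignorenislike: bool = True,
           allowmultiplekeys: bool = True) -> List[Dict[str, Dict[str, str]]]:
    """For every line whose key column contains `key`, return the attributes
    the module would add, grouped by destination list."""
    fields = parse_format(fmt, delimiter)
    key_index = next(i for i, f in enumerate(fields) if f[1])
    results: List[Dict[str, Dict[str, str]]] = []
    for line in text.splitlines():
        # ignorenislike = yes drops NIS '+'/'-' entries such as "+:::"
        if not line or (ignorenislike and line[0] in "+-"):
            continue
        cols = line.split(delimiter)
        if len(cols) != len(fields):
            continue  # column count does not match the format: skip the line
        keycol = cols[key_index]
        candidates = keycol.split(",") if fields[key_index][2] else [keycol]
        if key not in candidates:
            continue
        added: Dict[str, Dict[str, str]] = {"check": {}, "reply": {}, "request": {}}
        for (attr, is_key, _, dest), value in zip(fields, cols):
            if attr and not is_key:  # key column is already in the request
                added[dest][attr] = value
        results.append(added)
        if not allowmultiplekeys:
            break  # allowmultiplekeys = no: first matching line wins
    return results


def groups_for(user: str, allowmultiplekeys: bool = True) -> List[str]:
    """My-Group check items the etc_group module would attach for `user`."""
    return [r["check"]["My-Group"]
            for r in lookup(SAMPLE_GROUP_FILE, FORMAT, user,
                            allowmultiplekeys=allowmultiplekeys)]


if __name__ == "__main__":
    for u in ("patrick", "alice", "nobody"):
        print(u, groups_for(u))
```

Two things the emulation makes visible: a user who appears in several groups gets several My-Group check items only when allowmultiplekeys = yes, and a module defined like this still adds nothing until it is also listed in the authorize { } section, which is the point James made above.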
Re: monitoring freeradius with nagios
Mike wrote:
> All,
> When trying to use the radauth tool from nagios to monitor freeradius, I get the following in the freeradius log:
>
> Error: WARNING: Malformed RADIUS packet from host ... too long (length 18432 maximum 4096)
>
> radtest seems to be ok. has anyone else experienced this or knows what is wrong?

I haven't seen it. I note that 18432 is hex 0x7200. I suspect that the NAGIOS people missed a 'htons()' somewhere, and the field should be 0x0072.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
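The byte-order suspicion can be checked in code. The following is an added example (not FreeRADIUS or Nagios code) that builds a small Access-Request, once with the Length field in network order and once written the way a plain C short assignment leaves it on a little-endian host, and runs the header checks a RADIUS server applies before trusting a datagram. 18432 decimal is 0x4800; the same two bytes read in the other order are 0x0048 = 72, which is the size of the constructed probe below. The attributes, Request Authenticator and NAS address are constructed; the 20-byte minimum and 4096-byte maximum are the RFC 2865 limits that the FreeRADIUS warning quotes.

```python
"""RADIUS header sanity checks, and the 'too long' warning a missing htons() produces.

Added example, not FreeRADIUS or Nagios code.  Packet contents are constructed.
"""
import struct
from typing import List, Optional, Tuple

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator (network order)
MIN_LEN, MAX_LEN = 20, 4096        # RFC 2865 limits
ACCESS_REQUEST = 1


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """TLV-encode attributes: Type, Length (including the 2-byte header), Value."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def build_access_request(identifier: int, authenticator: bytes,
                         attrs: List[Tuple[int, bytes]],
                         forget_htons: bool = False) -> bytes:
    """Build an Access-Request.  forget_htons=True writes Length little-endian,
    which is what storing it through a plain C 'short' does on x86."""
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    order = "<" if forget_htons else "!"
    return struct.pack(order + "BBH", ACCESS_REQUEST, identifier, length) + authenticator + body


def check_header(datagram: bytes) -> Tuple[bool, str, Optional[int]]:
    """Header checks a server applies before parsing attributes.
    Returns (ok, reason, claimed_length)."""
    if len(datagram) < MIN_LEN:
        return False, f"too short (received {len(datagram)} bytes, minimum {MIN_LEN})", None
    _code, _ident, length, _auth = HEADER.unpack_from(datagram)
    if length < MIN_LEN:
        return False, f"too short (length {length} minimum {MIN_LEN})", length
    if length > MAX_LEN:
        return False, f"too long (length {length} maximum {MAX_LEN})", length
    if length > len(datagram):
        return False, f"truncated (length {length} received {len(datagram)})", length
    return True, "ok", length  # bytes beyond `length` are padding and must be ignored


def byte_swapped(length: int) -> int:
    """The Length a receiver sees when the sender skipped htons()."""
    return ((length & 0xFF) << 8) | ((length >> 8) & 0xFF)


# Constructed probe, roughly what a monitoring check would send.
PROBE_ATTRS = [
    (1, b"nagios"),                  # User-Name
    (2, bytes(16)),                  # User-Password (16 bytes; obfuscated in a real packet)
    (4, bytes([192, 0, 2, 10])),     # NAS-IP-Address (documentation range)
    (5, (0).to_bytes(4, "big")),     # NAS-Port
    (32, b"check_radius"),           # NAS-Identifier
]
AUTHENTICATOR = bytes(range(16))     # constructed Request Authenticator
GOOD = build_access_request(7, AUTHENTICATOR, PROBE_ATTRS)
BAD = build_access_request(7, AUTHENTICATOR, PROBE_ATTRS, forget_htons=True)

if __name__ == "__main__":
    print(len(GOOD), check_header(GOOD))
    print(len(BAD), check_header(BAD))
    print("swapped back:", byte_swapped(check_header(BAD)[2]))
```

The same check_header() logic is also why the "truncated" case matters on the server side: a Length larger than the datagram actually received must be rejected before any attribute parsing reads past the buffer.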
Re: help
John Wan wrote:
> Hi Alan,
> Now everything works but the Active Directory authentication. Please see the following output from $ Radiusd -X when a wireless client uses administrator logon into the chillispot web logon page:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
>         User-Name = administrator
>         CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
>         CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2

See my web page. You CANNOT do CHAP authentication to AD.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
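The "Could not find clear text password" line in John's debug output and Alan's answer come down to what the CHAP algorithm needs. The following is an added example (not FreeRADIUS or rlm_chap code) that implements both sides of RADIUS CHAP per RFC 1994 and RFC 2865 section 5.3: the NAS sends CHAP-Password = CHAP-Id || MD5(CHAP-Id || password || challenge), and the server can only verify it by recomputing that MD5 from the cleartext password. A backend that holds only a password hash, which is all an Active Directory lookup can offer, has nothing to recompute, so the server must reject. The example also handles the case where the NAS sends no CHAP-Challenge attribute, in which the Request Authenticator is the challenge. User names, passwords, challenges and the placeholder NT-hash bytes are constructed.

```python
"""Both sides of RADIUS CHAP, and why a hash-only credential store cannot verify it.

Added example, not FreeRADIUS or rlm_chap code.  Follows RFC 1994 and
RFC 2865 section 5.3.  All credentials and challenges are constructed.
"""
import hashlib
import hmac
from typing import Dict, Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: the 17-byte CHAP-Password attribute value."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def build_request(user: str, password: bytes, request_authenticator: bytes,
                  chap_id: int = 0,
                  chap_challenge: Optional[bytes] = None) -> Dict[str, bytes]:
    """Attributes a NAS puts in an Access-Request for a CHAP login.  When
    chap_challenge is None the NAS used the Request Authenticator as the
    challenge and sends no CHAP-Challenge attribute (RFC 2865 5.3)."""
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    attrs = {"User-Name": user.encode(),
             "CHAP-Password": chap_response(chap_id, password, challenge)}
    if chap_challenge is not None:
        attrs["CHAP-Challenge"] = chap_challenge
    return attrs


def authenticate_chap(attrs: Dict[str, bytes], request_authenticator: bytes,
                      store: Dict[str, Dict[str, bytes]]) -> str:
    """Server side.  `store` holds, per user, whatever the backend can give:
    a Cleartext-Password (local users file) or only an NT-Password (what an
    AD-backed lookup can offer)."""
    record = store.get(attrs["User-Name"].decode())
    if record is None:
        return "Reject: unknown user"
    cleartext = record.get("Cleartext-Password")
    if cleartext is None:
        # MD5(id || password || challenge) cannot be derived from a hash of
        # the password, so there is nothing to compare the response against.
        return "Reject: no clear text password for user, CHAP cannot be checked"
    chap_password = attrs.get("CHAP-Password", b"")
    if len(chap_password) != 17:
        return "Reject: malformed CHAP-Password"
    # No CHAP-Challenge attribute: the Request Authenticator is the challenge.
    challenge = attrs.get("CHAP-Challenge", request_authenticator)
    expected = chap_response(chap_password[0], cleartext, challenge)
    if hmac.compare_digest(expected, chap_password):
        return "Accept"
    return "Reject: wrong password"


# Constructed backend contents.  The NT-Password bytes are a placeholder, not a real hash.
STORE: Dict[str, Dict[str, bytes]] = {
    "localuser": {"Cleartext-Password": b"correct horse"},
    "administrator": {"NT-Password": bytes(16)},
}
REQ_AUTH = bytes(range(16, 32))   # constructed Request Authenticator
CHALLENGE = bytes(range(32, 48))  # constructed CHAP-Challenge

if __name__ == "__main__":
    ok = build_request("localuser", b"correct horse", REQ_AUTH, 3, CHALLENGE)
    ad = build_request("administrator", b"whatever", REQ_AUTH, 0, CHALLENGE)
    print(authenticate_chap(ok, REQ_AUTH, STORE))
    print(authenticate_chap(ad, REQ_AUTH, STORE))
```

The contrast with MS-CHAP is the design point: MS-CHAPv1 and v2 compute their responses from the NT hash (MD4 of the UTF-16LE password), so a backend that only ever exposes that hash can verify them, which is why integrations with AD go through MS-CHAP rather than CHAP.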