FR + AD host/ machine/ workstation authentication

2007-07-06 Thread Jacob Jarick
I'm after some documentation on setting up host authentication on
freeradius (or an example config).

This URL here looks like what I need:
http://support.novell.com/docs/Tids/Solutions/10100693.html but their
instructions are pretty lousy: "For machine-based authentication or
user-based authentication, modify the RADIUSD.CONF file by adding the
following lines:" doesn't say where or what section to add said lines
to, and we all know how touchy the radiusd.conf file is.

My files are configured according to this howto:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
and user authentication is working fine.

I need host/ machine authentication for laptops that will connect
wirelessly to a domain (- need machine auth) before logon.

Thanks in advance.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread Jacob Jarick
I trigger a machine logon attempt by booting the laptop or logging out
of an active session (both seem to work).

As near as I can tell the XP machine floods the RADIUS server with
authentication attempts. All seem to fail but the last one, but it has
no effect: the machine does not connect to the network.

Here is the output of radiusd -X -f
--
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
 exec: wait = no
 exec: program = /usr/bin/ntlm_auth ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files 

Re: Plug-in Question

2007-07-06 Thread Tomas Hoger
Hi Alan!

On 7/5/07, Alan DeKok [EMAIL PROTECTED] wrote:
 George Beitis wrote:
  ...  I will use a policy engine to do that
  and i want to overwrite the final decision if the user is not authorized
  based on my policy.
 
  Is postauth the right place to do this?

   Yes.

   But you can't turn a reject into an accept.  You can only turn an
 accept into a reject.

Isn't authorize a better place for that?  Even the name suggests
authorization should be done there... ;)

Just wondering whether there's a good reason for not doing it in
authorize and postponing it until post-auth.  Besides using the more
common order of authentication and authorization steps.

th.


Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread A . L . M . Buxey
Hi,

 This url here looks like what I need
 http://support.novell.com/docs/Tids/Solutions/10100693.html but their
 instructions are pretty lousy For machine-based authentication or
 user based authentication, modify the RADIUSD.CONF file by adding the
 following lines: doesnt say where or what section to add said lines
 to and we all know how touchy the radiusd.conf file is.

those parts can go pretty much anywhere in the main config file - e.g.
stick them at the end of the file.

from what I can see of the log the NTLM is working fine - the NTKEY
reply matched and it's all okay, which leaves me to assume that a
config on the client isn't correct - is the machine configured to validate
the RADIUS server and does it have the correct 'tick' for the certificate
and host name for the server to validate?

alan


Re: Plug-in Question

2007-07-06 Thread Tomas Hoger
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
 you actually made a very good point :)  I didn't realize there was an
 authorize part in the work flow of freeradius.  That would be before
 postauth, are there any other steps after authorize and before post auth?

For (non-proxied) authentication requests, steps should be:

authorize
authenticate
post-auth

See relevant sections of radiusd.conf or radiusd debug output.

th.


Re: Plug-in Question

2007-07-06 Thread George Beitis
for proxied ones would the last 2 remain the same?

regards
George



Cisco VRF + Radius

2007-07-06 Thread Francesco Cristofori
Hi all,
Does anybody have experience setting up FR to support IP VRF for Cisco equipment?
Can you point me to some clear and simple configuration guide for doing that?

TIA,
Francesco.



Re: Plug-in Question

2007-07-06 Thread Tomas Hoger
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
 for proxied ones would the last 2 remain the same?

No.

authorize
pre-proxy
post-proxy
post-auth

th.


Re: Installing FR 1.1.6

2007-07-06 Thread Steve Bertrand
Lisa Casey wrote:
 Hi,
 
 I have a FreeBSD 5.3 machine that I want to install Freeradius on. The
 Freeradius that was in the ports on this machine was FR 1.0.1 and that was
 kind of old so I updated the ports collection and now the FR port that I
 have is Freeradius 1.1.6
 
 When I typed make, I got this error:
 
 On FreeBSD before 6.2 ports system unfortunately can not set default X11BASE
 by itself so please help it a bit by setting X11BASE=${LOCALBASE} in
 make.conf.
 On the other hand, if you do wish to use non-default X11BASE, please set
 variable USE_NONDEFAULT_X11BASE.
 *** Error code 1

IMHO, you would be best off upgrading to FreeBSD 6.2, then upgrading
your ports to RELENG_6_2 as well.

However, either way, even if not beneficial in this case, it is always a
good thing to read /usr/ports/UPDATING prior to upgrading ports.

Also, take a look at the portupgrade port.

Steve


Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread Alan DeKok
Jacob Jarick wrote:
 This url here looks like what I need
 http://support.novell.com/docs/Tids/Solutions/10100693.html but their
 instructions are pretty lousy For machine-based authentication or
 user based authentication, modify the RADIUSD.CONF file by adding the
 following lines: doesnt say where or what section to add said lines
 to

  If it's not clear, you don't understand how the configuration files work.

 and we all know how touchy the radiusd.conf file is.

  Ah, yes.  There's nothing quite like asking for help and insulting the
project in the same message.

  Alan DeKok.


Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread Jacob Jarick
Config on the client follows exactly what the howto recommends, with the
one change of checking "Authenticate as computer when computer
information is available". Which, as you can see, does attempt to auth.

The cert options are set as in this picture:
http://wiki.freeradius.org/Image:117F01D2C7856F9F.png

I just reread this section here on the howto: "Certificate validation
is strongly recommended for wireless configurations, and optional for
wired deployments.

Select « Validate server certificate » and check ONLY the CA for your
FreeRADIUS server (the one you installed above). Also select « Connect
to these servers » and enter the Common Name of the server
certificate.

If you are configuring a wired ethernet interface, you can leave
certificate verification off in your supplicants: just deselect «
Validate server certificate ».

Either way, select « EAP-MSCHAP v2 » as authentication method. Click
the « Configure » button next."

So I will enable cert validation retry and post back.

Cheers for the info /tip :)



Re: Plug-in Question

2007-07-06 Thread Alan DeKok
Tomas Hoger wrote:
 Isn't authorize better place for that?  Even name suggests
 authorization should be done there... ;)

  No.  authorize is run before authentication for historical reasons.

  Policies should really be applied *after* a user authenticates, which
means post-auth.

 Just wondering whether there's a good reason for not doing it in
 authorize and postpone it until post-auth.  Besides using more common
 order of authentication and authorization steps.

  The common order is authentication, then authorization.  FreeRADIUS
mixes up the names for historical reasons.

  Alan DeKok.



Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread Jacob Jarick
Quick question: should machine authentication work if I follow the
howto on a base system, or will I need to add attr_rewrites as
suggested in the Novell howto?



Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
...
 those parts can go pretty much anywhere in the main config file - eg
 stick them at the end of the file. 

  Nope.

  Alan DeKok.


Re: Cisco VRF + Radius

2007-07-06 Thread Gerald Krause
Francesco Cristofori schrieb:
 Hi all,
 anybody has experience in setting up FR to support IP VRF for cisco 
 equipments?
 Can you point me to some clear and simple configuration guide for doing that?

Putting a User into a certain VRF is quite simple:

vrfuser User-Password == "topsecret"
        Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding VRFNAME",
        Framed-IP-Address = x.x.x.x,
        ...

--
Gerald   (ax/tc)


Update reply packets from proxy servers

2007-07-06 Thread Luis Galan
Hi!


I have radius1 configured as a proxy RADIUS to radius2. Users like
[EMAIL PROTECTED] are proxied to radius2, which authenticates these
usernames.

Question 1:

Radius2 returns me the following reply packet if auth is successful:

        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Reply-Message = "Auth successful"

I need to strip Framed-IP-Address and Framed-IP-Netmask, then my radius1 
should assign an ip address from a pool.

How can I do that?



Question 2:

How can I send a different NAS-IP-Address to radius2? Now my NAS has an
IP address ip1, and I want to change the IP address of the NAS when the
request packet goes (is proxied) to radius2.

Is it possible?


Thanks.

Luis


Re: Plug-in Question

2007-07-06 Thread Stefan Winter
   The common order is authentication, then authorization.  FreeRADIUS
 mixes up the names for historical reasons.

It's a long shot, but: wouldn't it make sense to clear the wording for 2.0? I 
know, it would break all existing configs out there, but manually working 
through the config is needed anyways...
I know that this wording startled me quite a bit when I was new here...

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread A . L . M . Buxey
Hi,

 quick question,
 should machine authentication work if I follow the howto on a base
 system or will I need to add attr_rewrite's as suggested in the novell
 howto.

you will need to do the attr_rewrites or the host name won't be munged
properly

alan


Re: Cisco VRF + Radius

2007-07-06 Thread tnt
The only thing you need to set on FreeRADIUS is the Cisco hack so it
deals with av-pairs correctly. Then add av-pairs to the user or group
configuration and they will work.

If you are looking for a Cisco guide how to set up VRF with Radius:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a7a.html#wp1056866

The only things you need to modify from the Cisco configuration example
are the names of the attributes (not service-type but Service-Type etc.)
and the operator for (multiple) av-pairs (not = but +=).

Ivan Kalik
Kalik Informatika ISP




Re: FR + AD host/ machine/ workstation authentication

2007-07-06 Thread A . L . M . Buxey
Hi,

  those parts can go pretty much anywhere in the main config file - eg
  stick them at the end of the file. 
 
   Nope.

sorry, yes - they must go into the config file BEFORE they are
instantiated in a section, i.e. if you are calling them from authorize,
then put them into the config before that section.

alan


Re: Plug-in Question

2007-07-06 Thread Alan DeKok
Stefan Winter wrote:
 It's a long shot, but: wouldn't it make sense to clear the wording for 2.0? I 
 know, it would break all existing configs out there, but manually working 
 through the config is needed anyways...
 I know that this wording startled me quite a bit when I was new here...

  It's worth doing.

  The problem is we can't call the post-authentication step authorize,
because that will confuse everyone upgrading from 1.x.

  I think the default configuration should be pre-auth, auth, and
post-auth.  We can still accept authorize as a synonym for
pre-auth in the short term.

  Alan DeKok.


Re: Plug-in Question

2007-07-06 Thread Arran Cudbard-Bell
Alan DeKok wrote:
 Tomas Hoger wrote:
   
 Isn't authorize better place for that?  Even name suggests
 authorization should be done there... ;)
 

   No.  authorize is run before authentication for historical reasons.

   Policies should really be applied *after* a user authenticates, which
 means post-auth.
   
But that's not how modules are currently configured to work.
So policies have to be applied in *authorize* if SQL or LDAP is used for
authorisation.

Authorisation has to be done before authentication when proxying, as
the server will only proxy at the end of the authorise section.

Btw, the server appears to be leaking scary amounts of memory; I'm going to
try and track it down to something in the config...

After 50,000 PAP authentications (running in parallel sets of 15) it had
leaked about 20 MB, and was still increasing.
I set the threads to die after 100 authentications, but that didn't seem to
make any difference.

Will try with standard config/32bit build and get back to you.

Haven't found any new bugs recently ... well only ones created by my own 
stupidity ;)

I'd be interested to see how return codes are when they work properly.

Keep up the good work :)

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900



Leaks

2007-07-06 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Btw Server appears to be leaking scary amounts of memory, i'm going to 
 try and track it down to something in the config...

  That's not good.

 After 50,000 pap authentications (running in parallel sets of 15) it had 
 leaked about 20mb , and was still increasing 
 I set the threads to die after 100 authentications, but didn't seem to 
 make any difference.
 
 Will try with standard config/32bit build and get back to you.

  Valgrind on a 32-bit Intel system?

  Alan DeKok.


Re: Plug-in Question

2007-07-06 Thread Tomas Hoger
Hi Alan!

On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
  Isn't authorize better place for that?  Even name suggests
  authorization should be done there... ;)

   No.  authorize is run before authentication for historical reasons.

Yes I do understand authorize is run before authenticate and I do
understand why modules are called in authorize even if they don't do
anything related to authorization.

And as Arran pointed out, there are situations when applying policies
there is feasible and is done in practice.


   Policies should really be applied *after* a user authenticates, which
 means post-auth.

Yes, authenticate, then authorize is the order most commonly used.  But I
think it may still be acceptable to apply policies before
authenticating the user, e.g. if authentication is more expensive
(either in terms of time or CPU usage).  A few examples:

- authentication is done by a remote RADIUS - no need to proxy the request
if we know / can tell in advance that the request will be rejected anyway

- applying the policy takes less time than looking up the user in an external
DB (SQL, LDAP) - however, proper ordering of modules in authorize must
be taken into account


Thanks for your feedback!

th.


Re: Plug-in Question

2007-07-06 Thread Alan DeKok
Tomas Hoger wrote:
 Yes, authenticate, authorize is the order most commonly used.  But I
 think it may still be acceptable to apply policies before
 authenticating user, e.g. if authentication if more expensive
 (either in terms of time or CPU usage).  Few examples:

  Yes.  I've had that discussion before (off-list) with people who are
surprised that FreeRADIUS permits policies to be run before users are
authenticated.

  e.g. Users on NAS X aren't supposed to do EAP.  So if they try, reject
them immediately.  This also mitigates certain kinds of DoS attacks.

  Alan DeKok.


Proxying without nostrip

2007-07-06 Thread amarquez001
Hi everyone:

I want to proxy requests with the i2t realm to i2t.server.com.

The problem is that if I use the nostrip directive in the proxy.conf of the
proxy server, all works fine.
But I need to store logins on i2t.server.com without the realm name,
so I use this configuration in the proxy.conf of the proxy server:

realm i2t {
        type     = radius
        authhost = 192.168.2.2:1812
        accthost = 192.168.2.2:1813
        secret   = testing123
        strip
}

The result of the execution on i2t.server.com is:

[EMAIL PROTECTED]:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
 .
 .
 .
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1:1814, id=0, length=150
User-Name = user1
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
Called-Station-Id = 00-0C-29-81-54-F3:
Calling-Station-Id = 00-0C-29-EC-7D-9D
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x0209000e01757365723140693274
Message-Authenticator = 0xae40c811e106af74fc216d522466a797
Proxy-State = 0x3335
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = user1, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 9 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched entry user1 at line 1
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.2.1 port 1814
Proxy-State = 0x3335
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 468e1d50
Nothing to do.  Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.2.1:1814, id=0,
length=159
Acct-Session-Id = 468D84AB-000D
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = user1
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
Called-Station-Id = 00-0C-29-81-54-F3:
Calling-Station-Id = 00-0C-29-EC-7D-9D
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
Acct-Session-Time = 301
Event-Timestamp = Jul  6 2007 12:48:16 CEST
Acct-Terminate-Cause = Idle-Timeout
Proxy-State = 0x3336
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
  modcall[preacct]: module preprocess returns noop for request 1
rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address =
192.168.2.1,NAS-IP-Address = 192.168.1.1,Acct-Session-Id =
468D84AB-000D,User-Name = user1'
rlm_acct_unique: Acct-Unique-Session-ID = e9f7ae8a84e4857d.
  modcall[preacct]: module acct_unique returns ok for request 1
rlm_realm: No '@' in User-Name = user1, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 1
  modcall[preacct]: module files returns noop for request 1
modcall: leaving group preacct (returns ok) for request 1
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 1
radius_xlat:  '/var/log/freeradius/radacct/192.168.2.1/detail-20070706'
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.2.1/detail-20070706
  modcall[accounting]: module detail returns ok for request 1
  modcall[accounting]: module unix returns ok for request 1
radius_xlat:  '/var/log/freeradius/radutmp'
radius_xlat:  'user1'
  modcall[accounting]: module radutmp returns ok for request 1
modcall: leaving group accounting (returns ok) for request 1

Re: Proxying without nostrip

2007-07-06 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 The problem is that if I use nostrip directive in the proxy.conf of the
 proxy server, all works fine.
 But I need to store logins in the i2t.server.com without the realm name,
 so I use this configuration from the proxy.conf in the proxy server:

  You can't strip usernames when doing EAP.  It makes EAP stop working.

  Alan DeKok.
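The mismatch Alan describes is visible in the debug output quoted in the question. What follows is an added example, not code from the original post or from FreeRADIUS: it decodes the EAP-Message attribute printed there (0x0209000e01757365723140693274) with a minimal RFC 3748 parser, recovers the EAP Identity the supplicant placed inside it, and compares that identity with the User-Name the home server sees after the proxy's "strip" has removed the realm. The outer User-Name before stripping is assumed to be the same string as the EAP Identity, user1@i2t.

```python
import struct

# EAP header code and type values from RFC 3748.
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# The EAP-Message value exactly as FreeRADIUS printed it in the debug
# output above (0x prefix included, as in the log).
EAP_MESSAGE_HEX = "0x0209000e01757365723140693274"


def parse_eap_message(hex_value):
    """Parse one EAP packet: 1-byte code, 1-byte id, 2-byte length,
    then (for Request/Response) a 1-byte type and the type data.
    The length field is checked against the bytes actually present
    instead of being trusted."""
    if hex_value.startswith(("0x", "0X")):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(
            f"EAP length field says {length} bytes, {len(raw)} present")
    if length == 4:  # Success/Failure packets carry no type byte
        return {"code": code, "id": ident, "type": None, "data": b""}
    return {"code": code, "id": ident, "type": raw[4], "data": raw[5:]}


def eap_identity(hex_value):
    """Identity string from an EAP Identity Response, or None if the
    packet is some other EAP code/type."""
    pkt = parse_eap_message(hex_value)
    if pkt["code"] != EAP_CODE_RESPONSE or pkt["type"] != EAP_TYPE_IDENTITY:
        return None
    return pkt["data"].decode("utf-8", errors="replace")


def strip_realm(user_name, delimiter="@"):
    """What the realm's 'strip' option does to the outer User-Name
    before proxying: drop everything from the last delimiter on."""
    user, sep, _realm = user_name.rpartition(delimiter)
    return user if sep else user_name


def identity_matches_user_name(hex_value, user_name):
    """The consistency check behind the log line 'Identity does not
    match User-Name': the identity inside the EAP-Message must equal
    the User-Name attribute of the same request."""
    return eap_identity(hex_value) == user_name


if __name__ == "__main__":
    outer = "user1@i2t"  # assumed outer User-Name as sent by the NAS
    print("EAP Identity   :", eap_identity(EAP_MESSAGE_HEX))
    print("nostrip matches:", identity_matches_user_name(EAP_MESSAGE_HEX, outer))
    print("strip matches  :", identity_matches_user_name(EAP_MESSAGE_HEX,
                                                         strip_realm(outer)))
```

The decoded packet is a Response (code 2), id 9, length 14, type Identity, carrying "user1@i2t", which is what the log summarised as "EAP packet type response id 9 length 14". Against the unstripped User-Name the check passes; against the stripped "user1" it fails, because the realm lives inside the EAP payload that the proxy forwards unchanged. The parser also rejects a packet whose length field disagrees with the bytes present rather than slicing on a value it has not verified.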


So long and thanks for the help

2007-07-06 Thread Ethan Dicks
Hi, All,

I've changed jobs this week, and am no longer working with freeRADIUS,
but wanted to thank the folks here for the help I've received and for
all the work that's gone into freeRADIUS.  If I ever run into a need
for an AAA server, I'll be back, but probably not before 2.0.0 is
obsolete and questions about it elicit a response of "why would you
use that old thing?!?"

Thanks again!

-ethan


Re: SIGHUP working?

2007-07-06 Thread inverse
On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Roy Walker wrote:
   I've spent a fair amount of time looking into proper HUP handling. It
 turns out *no one* does it well.  Almost all daemons simply restart.

   Alan DeKok.

talking again about it..
as you already know,  my problem is CRL reloading.
Is it too bad if I modify the rlm_eap_tls code to reload the CRL/CA
cert when needed? (i.e. when there's an EAP TLS auth going on)?
I'm willing to give it at least a try with ver 1.1.6 which I'm currently using

-- 
In a sea of glass shards, I hear you screaming
--icchan


Add $ to end of machine account uid

2007-07-06 Thread Cody Jarrett
I need machines to be able to authenticate so that when a user who has 
never logged onto a computer can, by the machine have an active network 
connection and pulling the credentials from the samba-ldap domain. I 
have a realm setup to strip the domain/ part of the username which works 
fine, but I need to figure out how to add a $ at the end of anything 
that tries to connect as uid=host/computername. I'm sure I can figure 
out how to strip the host prefix, but can't quite figure out how to add 
the $ to the end. Thanks.

-- 
Cody Jarrett
IT Freedom
[EMAIL PROTECTED] 
Office: 512.419.0070
Fax: 512.419.0080



Re: Add $ to end of machine account uid

2007-07-06 Thread A . L . M . Buxey
Hi,
 I need machines to be able to authenticate so that when a user who has 
 never logged onto a computer can, by the machine have an active network 
 connection and pulling the credentials from the samba-ldap domain. I 
 have a realm setup to strip the domain/ part of the username which works 
 fine, but I need to figure out how to add a $ at the end of anything 
 that tries to connect as uid=host/computername. I'm sure I can figure 
 out how to strip the host prefix, but can't quite figure out how to add 
 the $ to the end. Thanks.

use the link on the novell site as per the discussions earlier today.

alan


Re: SIGHUP working?

2007-07-06 Thread Alan DeKok
inverse wrote:
 talking again about it..
 as you already know,  my problem is CRL reloading.
 Is it too bad if I modify the rlm_eap_tls code to reload the CRL/CA
 cert when needed? (i.e. when there's an EAP TLS auth going on)?
 I'm willing to give it at least a try with ver 1.1.6 which I'm currently using

  If you need it, yes.  The main problem with reloading CRL's like that
is it can take a relatively long time.  So an authentication session
might time out.

  But it should work.

  Alan DeKok.


Configuration for EAP-SIM

2007-07-06 Thread Garvin Haslett
Can anyone direct me to an example eap.conf entry to use EAP-SIM?  I
have looked but I don't see an example.

Cheers,

Garvin.



RE: Freeradius-Users Digest, Vol 27, Issue 24

2007-07-06 Thread Hugh Messenger

Peter Nixon [EMAIL PROTECTED] said:
 And different pool names in each instance

Yup, although obviously the Pool-Name is set up independently of the
sqlippool instances.  I have some unlang at the start of 'authorize' section
that sets the Pool-Name based on a mix of NAS IP and Calling-Station-Id.

I also have some NAS's in the main 'dialup' Huntgroup that do their own pool
assignments (so I don't set a Pool-Name).  So I've wrapped the group stuff
inside a test ...

Post-Auth-Type alaweb {
    if (%{control:Pool-Name}) {
        group {
            ...
        }
    }
}

(I tried wrapping it round the whole of the Post-Auth-Type block, but FR
doesn't like that)

Anyway, that part now works famously, thank you.

My one remaining question is, what should the 'accounting' section look
like?  As far as I can tell, the accounting queries always return OK (except
if there was some kind of database problem) regardless of whether a table
row was affected or not.  Which is to be expected I suppose, as 'notfound'
isn't normally relevant in an accounting query.

But I obviously need to apply the right instance, so I get the right
pool-key for the allocate/clear queries.  So I guess I'll have to wrap some
unlang around it like ...

if (%{control:Pool-Name}) {
    if ("%{control:Huntgroup-Name}" == "dialup") {
        sqlippool_dialup
    }
    elsif ("%{control:Huntgroup-Name}" == "wireless") {
        sqlippool_wireless
    }
}

Just out of interest, what would the recommended 'accounting' config look
like for the Wiki example?

  Thankyou for being so patient!
 
 You are welcome. Everyone is/was helped by someone when they start out :-)

I'm definitely at that "a little knowledge is a dangerous thing" stage with
FR.  :)

I do fully intend to try and pay forward some of the help I've been getting
by building a Wireless and Dialup with MySQL Cookbook for the wiki, once
I've gotten this all sorted out!

 Peter Nixon
 http://www.peternixon.net/
 PGP Key: http://www.peternixon.net/public.asc


   -- hugh





Re: Add $ to end of machine account uid

2007-07-06 Thread Cody Jarrett
I've about got it, but now I am getting an eap error about the username 
isn't correct.


I added this about preprocess:
attr_rewrite add-dollar-sign {
    attribute = User-Name
    searchfor = ^host/(.*)
    searchin = packet
    new_attribute = no
    replacewith = %{1}$
}

I've added add-dollar-sign to authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
   NAS-IP-Address = 10.1.22.11
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 12
   Framed-MTU = 1400
   User-Name = host/itf-toshiba-asd
   Calling-Station-Id = 000e35ff2a82
   Called-Station-Id = 00186ecfa600
   NAS-Identifier = ap01.intranet.domain.com
   EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
   Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'

 modcall[authorize]: module add-dollar-sign returns ok for request 2
 modcall[authorize]: module preprocess returns ok for request 2
 modcall[authorize]: module chap returns noop for request 2
 modcall[authorize]: module mschap returns noop for request 2
   rlm_realm: No '\' in User-Name = itf-toshiba-asd$, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module DOMAIN returns noop for request 2
 rlm_eap: EAP packet type response id 1 length 25
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(uid=itf-toshiba-asd$)

rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '((objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
((cn=wireless)((objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))

rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module files returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
radius_xlat:  '(uid=itf-toshiba-asd$)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(uid=itf-toshiba-asd$)

rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value 
[W  ]  op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 
78389E5DE0CCA3A288568FADB746063D  op=21

rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
 rlm_eap: Failed in handler
 modcall[authenticate]: module eap returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds




Re: Freeradius-Users Digest, Vol 27, Issue 24

2007-07-06 Thread Peter Nixon
On Fri 06 Jul 2007, Hugh Messenger wrote:
 Peter Nixon [EMAIL PROTECTED] said:
  And different pool names in each instance

 Yup, although obviously the Pool-Name is set up independently of the
 sqlippool instances.  I have some unlang at the start of 'authorize'
 section that sets the Pool-Name based on a mix of NAS IP and
 Calling-Station-Id.

 I also have some NAS's in the main 'dialup' Huntgroup that do their own
 pool assignments (so I don't set a Pool-Name).  So I've wrapped the group
 stuff inside a test ...

 Post-Auth-Type alaweb {
     if (%{control:Pool-Name}) {
         group {
             ...
         }
     }
 }

 (I tried wrapping it round the whole of the Post-Auth-Type block, but FR
 doesn't like that)

 Anyway, that part now works famously, thank you.

 My one remaining question is, what should the 'accounting' section look
 like?  As far as I can tell, the accounting queries always return OK
 (except if there was some kind of database problem) regardless of whether
 a table row was affected or not.  Which is to be expected I suppose, as
 'notfound' isn't normally relevant in an accounting query.

Yep, that's exactly what they are supposed to do.

 But I obviously need to apply the right instance, so I get the right
 pool-key for the allocate/clear queries.  So I guess I'll have to wrap
 some unlang around it like ...

 if (%{control:Pool-Name}) {
     if ("%{control:Huntgroup-Name}" == "dialup") {
         sqlippool_dialup
     }
     elsif ("%{control:Huntgroup-Name}" == "wireless") {
         sqlippool_wireless
     }
 }

Nope. Accounting does not know which Pool-Name was used, or even IF a pool 
was used or not.

 Just out of interest, what would the recommended 'accounting' config look
 like for the Wiki example?

Just list them both.

Either your pools overlap (probably not a good idea) and the same IP will be 
updated in both modules, or they don't overlap (the normal, recommended way), 
or they overlap but you have virtualised everything based on some other 
attribute like Called-Station-Id. (You will of course need to be running 
VRF or NAT in between your NASes with overlapping IP ranges) and in this case 
you will have modified the sql to make this work. (This is how I am 
deployed, but I doubt many people outside of other GSM or MPLS operators 
have this setup)

   Thankyou for being so patient!
 
  You are welcome. Everyone is/was helped by someone when they start out
  :-)

 I'm definitely at that "a little knowledge is a dangerous thing" stage
 with FR.  :)

 I do fully intend to try and pay forward some of the help I've been
 getting by building a Wireless and Dialup with MySQL Cookbook for the
 wiki, once I've gotten this all sorted out!

great :-)

Even just fixing existing pages that you feel are unclear is helpful as you 
are a newcomer and have found by trial and error which bits are difficult 
to understand. That was years ago for many of the wiki authors :-)

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Add $ to end of machine account uid

2007-07-06 Thread A . L . M . Buxey
Hi,

 I've about got it, but now I am getting an eap error about the username 
 isn't correct.
 
 I added this about preprocess:
 attr_rewrite add-dollar-sign {
     attribute = User-Name
     searchfor = ^host/(.*)
     searchin = packet
     new_attribute = no
     replacewith = %{1}$
 }

you cannot play with User-Name - that is returned in the EAP
conversation and if it has changed then the auth won't work.
copy the value to e.g. Stripped-User-Name and then use that variable
to do the auth with (as per that example page)

alan


Re: Shared secret is incorrect - but it is identical!

2007-07-06 Thread ken
Alan DeKok wrote:

   (1) The shared secret is wrong
   (2) The code is buggy
 
   There are no alternatives.
 
   This is often due to broken MD5 libraries, or 32/64-bit issues.  But
 FreeRADIUS hasn't had those kind of bugs for *years*.


Yep, you were right, there must be some corruption or crap on 
the Fedora system I was using as a test client.  I installed 
1.1.6 on a Suse box I have, copied exactly the same raddb onto 
it, and radtest worked first time.




Re: Add $ to end of machine account uid

2007-07-06 Thread Cody Jarrett
Ok, did that, and the connection gets farther now. I don't quite 
understand how to get the other modules to use the stripped-user-name now.


rlm_attr_rewrite: Added attribute Stripped-User-Name with value 
'host/itf-toshiba-asd'

 modcall[authorize]: module copy.user-name returns ok for request 6
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'

 modcall[authorize]: module add-dollar-sign returns ok for request 6
 modcall[authorize]: module chap returns noop for request 6
 modcall[authorize]: module preprocess returns ok for request 6
 modcall[authorize]: module mschap returns noop for request 6
   rlm_realm: No '\' in User-Name = host/itf-toshiba-asd, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module DOMAIN returns noop for request 6
 rlm_eap: EAP packet type response id 7 length 102
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
_
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: EAP type mschapv2
 rlm_eap_peap: Tunneled data is valid.
 PEAP: Got tunneled EAP-Message
   EAP-Message = 
a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364

 PEAP: Setting User-Name to host/itf-toshiba-asd

attr_rewrite copy.user-name {
    attribute = Stripped-User-Name
    new_attribute = yes
    searchfor = ""
    searchin = packet
    replacewith = %{User-Name}
}
attr_rewrite add-dollar-sign {
    attribute = Stripped-User-Name
    searchfor = ^host/(.*)
    searchin = packet
    new_attribute = no
    replacewith = %{1}$
}


authorize {
   copy.user-name
   add-dollar-sign
   chap
   preprocess
   mschap
   DOMAIN
   eap
   files
   ldap
}



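The check that fails in the first debug log of this thread ("Identity does not match User-Name") and the rewrite-on-a-copy fix Alan Buxey suggested (the same point Alan DeKok makes above about stripping usernames under EAP), as an added Python example that is not from the thread or from FreeRADIUS. It assumes a constructed EAP-Response/Identity packet built inline, and models attr_rewrite and rlm_eap's identity comparison in plain Python so the two authorize configurations can be compared side by side:

```python
import re
from typing import Dict, Optional

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity(eap_message: bytes) -> Optional[str]:
    """Decode an EAP-Response/Identity: Code(1) Id(1) Length(2) Type(1) Data.

    Returns the identity string, or None if the packet is not a well-formed
    Identity response. This is the value rlm_eap compares with User-Name.
    """
    if len(eap_message) < 5:
        return None
    code, length = eap_message[0], int.from_bytes(eap_message[2:4], "big")
    if code != EAP_CODE_RESPONSE or length != len(eap_message):
        return None  # truncated or padded packet: do not trust it
    if eap_message[4] != EAP_TYPE_IDENTITY:
        return None
    return eap_message[5:].decode("utf-8", errors="replace")


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Constructed test input: the EAP-Response/Identity a supplicant sends."""
    data = identity.encode("utf-8")
    header = bytes([EAP_CODE_RESPONSE, identifier]) + (5 + len(data)).to_bytes(2, "big")
    return header + bytes([EAP_TYPE_IDENTITY]) + data


# Same regex as the add-dollar-sign attr_rewrite instance in the thread.
HOST_PREFIX = re.compile(r"^host/(.*)$")


def machine_account_uid(name: str) -> str:
    """host/<computer> -> <computer>$ (Samba machine-account uid); others unchanged."""
    m = HOST_PREFIX.match(name)
    return f"{m.group(1)}$" if m else name


def authorize(request: Dict[str, object], rewrite_user_name: bool) -> Dict[str, object]:
    """Model the two authorize configurations from the thread.

    rewrite_user_name=True : attribute = User-Name (the first, failing config)
    rewrite_user_name=False: copy to Stripped-User-Name and rewrite the copy
    Returns the uid the LDAP lookup would use and whether rlm_eap's
    "Identity does not match User-Name" check would pass.
    """
    req = dict(request)
    user_name = str(req["User-Name"])
    if rewrite_user_name:
        req["User-Name"] = machine_account_uid(user_name)
        lookup = req["User-Name"]
    else:
        req["Stripped-User-Name"] = machine_account_uid(user_name)
        lookup = req["Stripped-User-Name"]
    identity = eap_identity(bytes(req["EAP-Message"]))
    return {
        "ldap_uid": lookup,
        "eap_identity": identity,
        "eap_ok": identity is not None and identity == req["User-Name"],
    }


# Constructed sample request, mirroring the attributes in the debug log above.
SAMPLE_REQUEST = {
    "User-Name": "host/itf-toshiba-asd",
    "EAP-Message": build_identity_response(1, "host/itf-toshiba-asd"),
}

if __name__ == "__main__":
    for mode in (True, False):
        print("rewrite User-Name:" if mode else "rewrite the copy:", authorize(SAMPLE_REQUEST, mode))
```

Both configurations hand the same `itf-toshiba-asd$` uid to the LDAP lookup; only the copy-based one leaves User-Name equal to the EAP Identity, which is why the second debug log gets past the identity check.
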
Adding an attribute to an incoming Access-Request

2007-07-06 Thread Roy Walker
I have played with this a bit and can't seem to get it working...

I need to add the NAS-Port = 0 attribute to an incoming request if it
is not set.  This is currently breaking my sqlippool config and the
upstream partner making the requests is not giving me a NAS-Port
attribute.

It looks like this should be done in the preprocess section, however the
hints looks like it only works with a username and huntgroups doesn't
really do what I need...

Anyone got an idea?

Thanks,

Roy 


Converting clients to clients.conf

2007-07-06 Thread Lisa Casey
Hi,

Is there any easy way to convert a freeradius clients file to a clients.conf 
file? I have several dozen entries in my  clients file and if I have to 
convert this by hand it's going to be a lot of typing...

Lisa Casey



Re: Converting clients to clients.conf

2007-07-06 Thread Richard Siddall

Lisa Casey wrote:

Hi,

Is there any easy way to convert a freeradius clients file to a clients.conf 
file? I have several dozen entries in my  clients file and if I have to 
convert this by hand it's going to be a lot of typing...


Lisa Casey


Attached are a couple of ugly Perl scripts I used when we migrated from 
Cistron to FreeRADIUS a couple of years ago.  I don't know if they'll 
work with FreeRADIUS client files.


Regards,

Richard Siddall
#!/usr/bin/perl -w
# clients.migrate - migrate a Cistron-style realms file (realm  server  options)
# into FreeRADIUS-style realm blocks (proxy.conf)

sub write_realm {
    my ($realm, $type, $options) = @_;   # $options is accepted but not used
    print "realm ${realm} {\n\ttype\t= radius\n\tauthhost\t= $type\n\taccthost\t= $type\n}\n\n";
}

# read the realms file from the files named on the command line (or stdin)
while (<ARGV>) {
    if (/^\s*([\w\.]+)\s+(\w+)\s+(\w+)\s*$/) {
        write_realm($1, $2, $3);
    }
}
#!/usr/bin/perl -w
# clients.migrate - migrate Cistron-style clients file to FreeRADIUS-style 
# clients.conf

sub write_client {
    my ($client, $secret) = @_;
    print "client ${client} {\n\tsecret = $secret\n\tshortname = $client\n}\n\n";
}

# read the clients file from the files named on the command line (or stdin)
while (<ARGV>) {
    # dotted-quad address followed by the shared secret
    if (/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(\w+)\s*$/) {
        write_client($1, $2);
    # bare hostname followed by the shared secret
    } elsif (/^\s*(\w+)\s+(\w+)\s*$/) {
        write_client($1, $2);
    }
}

RE: Adding an attribute to an incoming Access-Request

2007-07-06 Thread Roy Walker
Added this to the hints file:

DEFAULT Suffix == "", Strip-User-Name = No
	Hint = "GPRS",
	NAS-Port = 0

Worked.


Re: Configuration for EAP-SIM

2007-07-06 Thread tnt
locate src/tests/eapsim

Ivan Kalik
Kalik Informatika ISP




