FR + AD host/ machine/ workstation authentication
I'm after some documentation on setting up host authentication on freeradius (or an example config). This URL here looks like what I need:

http://support.novell.com/docs/Tids/Solutions/10100693.html

but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to, and we all know how touchy the radiusd.conf file is.

My files are configured according to this howto:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

and user authentication is working fine. I need host/machine authentication for laptops that will connect wirelessly to a domain (need machine auth) before logon.

Thanks in advance.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR + AD host/ machine/ workstation authentication
I trigger a machine logon attempt by booting the laptop or logging out of an active session (both seem to work). Near as I can tell the XP machine floods the radius server with authentication attempts. All seem to fail but the last one, but it has no effect: the machine does not connect to the network. Here is the output of radiusd -X -f --

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
 exec: wait = no
 exec: program = /usr/bin/ntlm_auth ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files
Re: Plug-in Question
Hi Alan!

On 7/5/07, Alan DeKok [EMAIL PROTECTED] wrote:
> George Beitis wrote:
> > ... I will use a policy engine to do that and I want to overwrite the final decision if the user is not authorized based on my policy. Is postauth the right place to do this?
>
> Yes. But you can't turn a reject into an accept. You can only turn an accept into a reject.

Isn't authorize a better place for that? Even the name suggests authorization should be done there... ;)

Just wondering whether there's a good reason for not doing it in authorize and postponing it until post-auth, besides using the more common order of authentication and authorization steps.

th.
Re: FR + AD host/ machine/ workstation authentication
Hi,

> This url here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to and we all know how touchy the radiusd.conf file is.

Those parts can go pretty much anywhere in the main config file - e.g. stick them at the end of the file.

From what I can see of the log the NTLM is working fine - the NTKEY reply matched and it's all okay. Which leaves me to assume that a config on the client isn't correct - is the machine configured to validate the RADIUS server, and does it have the correct 'tick' for the certificate and host name for the server to validate?

alan
Re: Plug-in Question
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
> you actually made a very good point :) I didn't realize there was an authorize part in the work flow of freeradius. That would be before postauth, are there any other steps after authorize and before post auth?

For (non-proxied) authentication requests, steps should be:

  authorize
  authenticate
  post-auth

See relevant sections of radiusd.conf or radiusd debug output.

th.
Re: Plug-in Question
For proxied ones, would the last 2 remain the same?

regards
George

Tomas Hoger wrote:
> On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
> > you actually made a very good point :) I didn't realize there was an authorize part in the work flow of freeradius. That would be before postauth, are there any other steps after authorize and before post auth?
>
> For (non-proxied) authentication requests, steps should be:
>
>   authorize
>   authenticate
>   post-auth
>
> See relevant sections of radiusd.conf or radiusd debug output.
>
> th.
Cisco VRF + Radius
Hi all,

does anybody have experience in setting up FR to support IP VRF for Cisco equipment? Can you point me to some clear and simple configuration guide for doing that?

TIA,
Francesco.
Re: Plug-in Question
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
> for proxied ones would the last 2 remain the same?

No.

  authorize
  pre-proxy
  post-proxy
  post-auth

th.
Re: Installing FR 1.1.6
Lisa Casey wrote:
> Hi,
>
> I have a FreeBSD 5.3 machine that I want to install Freeradius on. The Freeradius that was in the ports on this machine was FR 1.0.1 and that was kind of old, so I updated the ports collection and now the FR port that I have is Freeradius 1.1.6. When I typed make, I got this error:
>
>   On FreeBSD before 6.2 ports system unfortunately can not set default X11BASE by itself so please help it a bit by setting X11BASE=${LOCALBASE} in make.conf. On the other hand, if you do wish to use non-default X11BASE, please set variable USE_NONDEFAULT_X11BASE.
>   *** Error code 1

IMHO, you would be best off upgrading to FreeBSD 6.2, then upgrading your ports to RELENG_6_2 as well. However, either way, even if not beneficial in this case, it is always a good thing to read /usr/ports/UPDATING prior to upgrading ports. Also, take a look at the portupgrade port.

Steve
Re: FR + AD host/ machine/ workstation authentication
Jacob Jarick wrote:
> This url here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to

If it's not clear, you don't understand how the configuration files work.

> and we all know how touchy the radiusd.conf file is.

Ah, yes. There's nothing quite like asking for help and insulting the project in the same message.

Alan DeKok.
Re: FR + AD host/ machine/ workstation authentication
Config on client follows exactly what the howto recommends, with the 1 change of checking "authenticate as computer when computer information is available". Which as you can see does attempt to auth.

The cert options are set as in this picture: http://wiki.freeradius.org/Image:117F01D2C7856F9F.png

I just reread this section here on the howto:

"Certificate validation is strongly recommended for wireless configurations, and optional for wired deployments. Select « Validate server certificate » and check ONLY the CA for your FreeRADIUS server (the one you installed above). Also select « Connect to these servers » and enter the Common Name of the server certificate. If you are configuring a wired ethernet interface, you can leave certificate verification off in your supplicants: just deselect « Validate server certificate ». Either way, select « EAP-MSCHAP v2 » as authentication method. Click the « Configure » button next."

So I will enable cert validation, retry and post back. Cheers for the info/tip :)

On 7/6/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > This url here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to and we all know how touchy the radiusd.conf file is.
>
> Those parts can go pretty much anywhere in the main config file - e.g. stick them at the end of the file.
>
> From what I can see of the log the NTLM is working fine - the NTKEY reply matched and it's all okay. Which leaves me to assume that a config on the client isn't correct - is the machine configured to validate the RADIUS server, and does it have the correct 'tick' for the certificate and host name for the server to validate?
>
> alan
Re: Plug-in Question
Tomas Hoger wrote:
> Isn't authorize a better place for that? Even the name suggests authorization should be done there... ;)

No. authorize is run before authentication for historical reasons. Policies should really be applied *after* a user authenticates, which means post-auth.

> Just wondering whether there's a good reason for not doing it in authorize and postponing it until post-auth, besides using the more common order of authentication and authorization steps.

The common order is authentication, then authorization. FreeRADIUS mixes up the names for historical reasons.

Alan DeKok.
Re: FR + AD host/ machine/ workstation authentication
Quick question: should machine authentication work if I follow the howto on a base system, or will I need to add attr_rewrites as suggested in the Novell howto?

On 7/6/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Config on client follows exactly what the howto recommends, with the 1 change of checking "authenticate as computer when computer information is available". Which as you can see does attempt to auth.
>
> The cert options are set as in this picture: http://wiki.freeradius.org/Image:117F01D2C7856F9F.png
>
> I just reread this section here on the howto:
>
> "Certificate validation is strongly recommended for wireless configurations, and optional for wired deployments. Select « Validate server certificate » and check ONLY the CA for your FreeRADIUS server (the one you installed above). Also select « Connect to these servers » and enter the Common Name of the server certificate. If you are configuring a wired ethernet interface, you can leave certificate verification off in your supplicants: just deselect « Validate server certificate ». Either way, select « EAP-MSCHAP v2 » as authentication method. Click the « Configure » button next."
>
> So I will enable cert validation, retry and post back. Cheers for the info/tip :)
>
> On 7/6/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > > This url here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to and we all know how touchy the radiusd.conf file is.
> >
> > Those parts can go pretty much anywhere in the main config file - e.g. stick them at the end of the file.
> >
> > From what I can see of the log the NTLM is working fine - the NTKEY reply matched and it's all okay. Which leaves me to assume that a config on the client isn't correct - is the machine configured to validate the RADIUS server, and does it have the correct 'tick' for the certificate and host name for the server to validate?
> >
> > alan
Re: FR + AD host/ machine/ workstation authentication
[EMAIL PROTECTED] wrote:
> ... those parts can go pretty much anywhere in the main config file - eg stick them at the end of the file.

Nope.

Alan DeKok.
Re: Cisco VRF + Radius
Francesco Cristofori wrote:
> Hi all, anybody has experience in setting up FR to support IP VRF for cisco equipments? Can you point me to some clear and simple configuration guide for doing that?

Putting a user into a certain VRF is quite simple:

vrfuser User-Password == topsecret
        Cisco-AVPair += lcp:interface-config#1=ip vrf forwarding \
                        VRFNAME,
        Framed-IP-Address = x.x.x.x,
        ...

--
Gerald (ax/tc)
Update reply packets from proxy servers
Hi!

I have radius1 configured as proxy radius to radius2. Users like [EMAIL PROTECTED] are proxied to radius2, which authenticates these usernames.

Question 1: Radius2 returns me the following reply packet if auth is successful:

        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Reply-Message = Auth successful

I need to strip Framed-IP-Address and Framed-IP-Netmask, then my radius1 should assign an IP address from a pool. How can I do that?

Question 2: How can I send a different NAS-IP-Address to radius2? Now my NAS has an IP address ip1, and I want to change the IP address of the NAS when the request packet goes (is proxied) to radius2. Is it possible?

Thanks.
Luis
Re: Plug-in Question
> The common order is authentication, then authorization. FreeRADIUS mixes up the names for historical reasons.

It's a long shot, but: wouldn't it make sense to clear up the wording for 2.0? I know it would break all existing configs out there, but manually working through the config is needed anyway... I know that this wording startled me quite a bit when I was new here...

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung  Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu        Fax: +352 422473
Re: FR + AD host/ machine/ workstation authentication
Hi,

> quick question, should machine authentication work if I follow the howto on a base system or will I need to add attr_rewrite's as suggested in the novell howto.

You will need to do the attr_rewrites or the host name won't be munged properly.

alan
Re: Cisco VRF + Radius
The only thing you need to set on Freeradius is the Cisco hack so it deals with av-pairs correctly. Then add av-pairs to the user or group configuration and they will work.

If you are looking for a Cisco guide on how to set up VRF with Radius:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a7a.html#wp1056866

The only things you need to modify from the Cisco configuration example are the names of the attributes (not service-type but Service-Type etc.) and the operator for (multiple) av-pairs (not = but +=).

Ivan Kalik
Kalik Informatika ISP

On 6/7/2007, Francesco Cristofori [EMAIL PROTECTED] wrote:
> Hi all, anybody has experience in setting up FR to support IP VRF for cisco equipments? Can you point me to some clear and simple configuration guide for doing that?
>
> TIA,
> Francesco.
Re: FR + AD host/ machine/ workstation authentication
Hi,

> > those parts can go pretty much anywhere in the main config file - eg stick them at the end of the file.
>
> Nope.

Sorry, yes - they must go into the config file BEFORE they are instantiated, before a module. I.e. if you are calling them from authorize, then put them into the config before that section.

alan
Re: Plug-in Question
Stefan Winter wrote:
> It's a long shot, but: wouldn't it make sense to clear up the wording for 2.0? I know it would break all existing configs out there, but manually working through the config is needed anyway... I know that this wording startled me quite a bit when I was new here...

It's worth doing. The problem is we can't call the post-authentication step "authorize", because that will confuse everyone upgrading from 1.x.

I think the default configuration should be pre-auth, auth, and post-auth. We can still accept "authorize" as a synonym for "pre-auth" in the short term.

Alan DeKok.
Re: Plug-in Question
Alan DeKok wrote:
> Tomas Hoger wrote:
> > Isn't authorize a better place for that? Even the name suggests authorization should be done there... ;)
>
> No. authorize is run before authentication for historical reasons. Policies should really be applied *after* a user authenticates, which means post-auth.

But that's not how modules are currently configured to work. So policies have to be applied in *authorize* if SQL or LDAP is used for authorisation.

Authorisation has to be done before authentication when proxying, as the server will only proxy at the end of the authorise section.

Btw, the server appears to be leaking scary amounts of memory; I'm going to try and track it down to something in the config... After 50,000 PAP authentications (running in parallel sets of 15) it had leaked about 20mb, and was still increasing. I set the threads to die after 100 authentications, but that didn't seem to make any difference. Will try with standard config/32bit build and get back to you.

Haven't found any new bugs recently... well, only ones created by my own stupidity ;) Be interested to see how return codes are when they work properly.

Keep up the good work :)

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Leaks
Arran Cudbard-Bell wrote:
> Btw Server appears to be leaking scary amounts of memory, i'm going to try and track it down to something in the config...

That's not good.

> After 50,000 pap authentications (running in parallel sets of 15) it had leaked about 20mb , and was still increasing I set the threads to die after 100 authentications, but didn't seem to make any difference. Will try with standard config/32bit build and get back to you.

Valgrind on a 32-bit Intel system?

Alan DeKok.
Re: Plug-in Question
Hi Alan!

On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > Isn't authorize a better place for that? Even the name suggests authorization should be done there... ;)
>
> No. authorize is run before authentication for historical reasons.

Yes, I do understand authorize is run before authenticate, and I do understand why modules are called in authorize even if they don't do anything related to authorization. And as Arran pointed out, there are situations when applying policies there is feasible and is done in practice.

> Policies should really be applied *after* a user authenticates, which means post-auth.

Yes, authenticate, authorize is the order most commonly used. But I think it may still be acceptable to apply policies before authenticating the user, e.g. if authentication is more expensive (either in terms of time or CPU usage). A few examples:

- authentication is done by a remote radius - no need to proxy the request if we know / can tell in advance that the request will be rejected anyway
- application of the policy takes less time than lookup of the user in an external DB (SQL, LDAP) - however, proper ordering of modules in authorize must be taken into account

Thanks for your feedback!

th.
Re: Plug-in Question
Tomas Hoger wrote:
> Yes, authenticate, authorize is the order most commonly used. But I think it may still be acceptable to apply policies before authenticating the user, e.g. if authentication is more expensive (either in terms of time or CPU usage). A few examples:

Yes. I've had that discussion before (off-list) with people who are surprised that FreeRADIUS permits policies to be run before users are authenticated.

e.g. Users on NAS X aren't supposed to do EAP. So if they try, reject them immediately. This also mitigates certain kinds of DoS attacks.

Alan DeKok.
Proxying without nostrip
Hi everyone:

I want to proxy requests with the i2t realm to i2t.server.com. The problem is that if I use the nostrip directive in the proxy.conf of the proxy server, all works fine. But I need to store logins in i2t.server.com without the realm name, so I use this configuration in the proxy.conf of the proxy server:

realm i2t {
        type = radius
        authhost = 192.168.2.2:1812
        accthost = 192.168.2.2:1813
        secret = testing123
        strip
}

The result of the execution on i2t.server.com is:

[EMAIL PROTECTED]:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
.
.
.
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1:1814, id=0, length=150
        User-Name = user1
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        Called-Station-Id = 00-0C-29-81-54-F3:
        Calling-Station-Id = 00-0C-29-EC-7D-9D
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11
        EAP-Message = 0x0209000e01757365723140693274
        Message-Authenticator = 0xae40c811e106af74fc216d522466a797
        Proxy-State = 0x3335
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = user1, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 9 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched entry user1 at line 1
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 192.168.2.1 port 1814
        Proxy-State = 0x3335
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 468e1d50
Nothing to do. Sleeping until we see a request.
rad_recv: Accounting-Request packet from host 192.168.2.1:1814, id=0, length=159
        Acct-Session-Id = 468D84AB-000D
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        User-Name = user1
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        Called-Station-Id = 00-0C-29-81-54-F3:
        Calling-Station-Id = 00-0C-29-EC-7D-9D
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11
        Acct-Session-Time = 301
        Event-Timestamp = Jul 6 2007 12:48:16 CEST
        Acct-Terminate-Cause = Idle-Timeout
        Proxy-State = 0x3336
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 1
  modcall[preacct]: module preprocess returns noop for request 1
  rlm_acct_unique: Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.2.1,NAS-IP-Address = 192.168.1.1,Acct-Session-Id = 468D84AB-000D,User-Name = user1'
  rlm_acct_unique: Acct-Unique-Session-ID = e9f7ae8a84e4857d.
  modcall[preacct]: module acct_unique returns ok for request 1
    rlm_realm: No '@' in User-Name = user1, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 1
  modcall[preacct]: module files returns noop for request 1
modcall: leaving group preacct (returns ok) for request 1
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 1
radius_xlat: '/var/log/freeradius/radacct/192.168.2.1/detail-20070706'
  rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.1/detail-20070706
  modcall[accounting]: module detail returns ok for request 1
  modcall[accounting]: module unix returns ok for request 1
radius_xlat: '/var/log/freeradius/radutmp'
radius_xlat: 'user1'
  modcall[accounting]: module radutmp returns ok for request 1
modcall: leaving group accounting (returns ok) for request 1
Re: Proxying without nostrip
[EMAIL PROTECTED] wrote:
> The problem is that if I use nostrip directive in the proxy.conf of the proxy server, all works fine. But I need to store logins in the i2t.server.com without the realm name, so I use this configuration from the proxy.conf in the proxy server:

You can't strip usernames when doing EAP. It makes EAP stop working.

Alan DeKok.
So long and thanks for the help
Hi, All,

I've changed jobs this week, and am no longer working with freeRADIUS, but wanted to thank the folks here for the help I've received and for all the work that's gone into freeRADIUS. If I ever run into a need for an AAA server, I'll be back, but probably not before 2.0.0 is obsolete and questions about it elicit a response of "why would you use that old thing?!?"

Thanks again!

-ethan
Re: SIGHUP working?
On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Roy Walker wrote:
>
> I've spent a fair amount of time looking into proper HUP handling. It turns out *no one* does it well. Almost all daemons simply restart.
>
> Alan DeKok.

Talking again about it... as you already know, my problem is CRL reloading. Is it too bad if I modify the rlm_eap_tls code to reload the CRL/CA cert when needed (i.e. when there's an EAP-TLS auth going on)? I'm willing to give it at least a try with ver 1.1.6, which I'm currently using.

--
In a sea of glass shards, I hear you screaming
--icchan
Add $ to end of machine account uid
I need machines to be able to authenticate so that a user who has never logged onto a computer can, by the machine having an active network connection and pulling the credentials from the samba-ldap domain. I have a realm set up to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quite figure out how to add the $ to the end.

Thanks.

--
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080
Re: Add $ to end of machine account uid
Hi,

> I need machines to be able to authenticate so that when a user who has never logged onto a computer can, by the machine have an active network connection and pulling the credentials from the samba-ldap domain. I have a realm setup to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quite figure out how to add the $ to the end.
>
> Thanks.

Use the link on the Novell site as per the discussions earlier today.

alan
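As an added illustration (Python written for this digest, not the list's own code and not the Novell TID's attr_rewrite configuration) of the rewrite the two messages above and the earlier "you will need to do the attr_rewrites" reply are after: it turns the supplicant's host/computername identity into the COMPUTERNAME$ account name that AD and Samba store for computer accounts, and strips a DOMAIN\ prefix or @realm suffix from ordinary user logons. The sample identities are constructed, not taken from the posts.

```python
import re

# Constructed sample identities of the kinds this thread deals with: a
# Windows supplicant doing machine authentication presents
# "host/<computer name>[.<dns domain>]", while user logons arrive as
# DOMAIN\user or user@realm.  None of these come from the list posts.
SAMPLE_USERNAMES = [
    "host/laptop01.example.local",
    "host/LAPTOP02",
    "EXAMPLE\\jdoe",
    "jdoe@example.local",
    "LAPTOP03$",
]

# "host/" followed by the short computer name: stop at the first "." so a
# DNS suffix is dropped, and at "@" / "\" so a realm is never swallowed
# into the account name.
_HOST_RE = re.compile(r"^host/([^./@\\]+)", re.IGNORECASE)


def machine_account_name(user_name):
    """Map a machine identity to the AD/Samba computer account name.

    Active Directory and Samba store computer accounts as COMPUTERNAME$,
    which is what ntlm_auth or an LDAP uid lookup has to be given.
    Returns None when the identity is not a machine account.
    """
    match = _HOST_RE.match(user_name)
    if match:
        return match.group(1).upper() + "$"
    # Some supplicants already send the bare account name with its "$".
    if user_name.endswith("$") and not re.search(r"[/@\\]", user_name):
        return user_name.upper()
    return None


def strip_realm(user_name):
    """Split DOMAIN\\user or user@realm into (user, realm).

    Mirrors what the realm module does with 'strip': the realm part is
    removed from the name used for the backend lookup.  Returns
    (user_name, None) when there is nothing to strip.
    """
    if "\\" in user_name:
        realm, _, name = user_name.partition("\\")
        return name, realm.upper()
    if "@" in user_name:
        name, _, realm = user_name.rpartition("@")
        return name, realm.lower()
    return user_name, None


def lookup_identity(user_name):
    """Decide how an incoming User-Name should be looked up.

    Returns (lookup_name, realm, is_machine).  Only a lookup name is
    derived; the packet's User-Name itself is left untouched because, as
    Alan DeKok notes in the "Proxying without nostrip" reply above,
    rewriting the outer identity of an EAP conversation breaks EAP.
    """
    machine = machine_account_name(user_name)
    if machine is not None:
        return machine, None, True
    name, realm = strip_realm(user_name)
    return name, realm, False


def classify_all(user_names=SAMPLE_USERNAMES):
    """Run the rewrite over a batch of identities; returns a dict."""
    return {name: lookup_identity(name) for name in user_names}


if __name__ == "__main__":
    for original, (lookup, realm, is_machine) in classify_all().items():
        kind = "machine" if is_machine else "user"
        print(f"{original:32} -> {lookup:12} realm={realm!s:14} ({kind})")
```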
Re: SIGHUP working?
inverse wrote:
> Talking again about it... as you already know, my problem is CRL reloading. Is it too bad if I modify the rlm_eap_tls code to reload the CRL/CA cert when needed (i.e. when there's an EAP TLS auth going on)? I'm willing to give it at least a try with ver 1.1.6, which I'm currently using.

If you need it, yes. The main problem with reloading CRLs like that is it can take a relatively long time, so an authentication session might time out. But it should work.

Alan DeKok.
Configuration for EAP-SIM
Can anyone direct me to an example eap.conf entry to use EAP-SIM? I have looked but I don't see an example.

Cheers,
Garvin.
RE: Freeradius-Users Digest, Vol 27, Issue 24
Peter Nixon [EMAIL PROTECTED] said:
> And different pool names in each instance

Yup, although obviously the Pool-Name is set up independently of the sqlippool instances. I have some unlang at the start of the 'authorize' section that sets the Pool-Name based on a mix of NAS IP and Calling-Station-Id. I also have some NASes in the main 'dialup' Huntgroup that do their own pool assignments (so I don't set a Pool-Name). So I've wrapped the group stuff inside a test ...

    Post-Auth-Type alaweb {
        if (%{control:Pool-Name}) {
            group {
                ...
            }
        }
    }

(I tried wrapping it round the whole of the Post-Auth-Type block, but FR doesn't like that.) Anyway, that part now works famously, thank you.

My one remaining question is, what should the 'accounting' section look like? As far as I can tell, the accounting queries always return OK (except if there was some kind of database problem) regardless of whether a table row was affected or not. Which is to be expected I suppose, as 'notfound' isn't normally relevant in an accounting query. But I obviously need to apply the right instance, so I get the right pool-key for the allocate/clear queries. So I guess I'll have to wrap some unlang around it like ...

    if (%{control:Pool-Name}) {
        if ("%{control:Huntgroup-Name}" == "dialup") {
            sqlippool_dialup
        }
        elsif ("%{control:Huntgroup-Name}" == "wireless") {
            sqlippool_wireless
        }
    }

Just out of interest, what would the recommended 'accounting' config look like for the Wiki example?

> > Thank you for being so patient!
> You are welcome. Everyone is/was helped by someone when they start out :-)

I'm definitely at that "a little knowledge is a dangerous thing" stage with FR. :) I do fully intend to try and pay forward some of the help I've been getting by building a "Wireless and Dialup with MySQL" Cookbook for the wiki, once I've gotten this all sorted out!

> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

-- hugh
Re: Add $ to end of machine account uid
I've about got it, but now I am getting an eap error about the username isn't correct. I added this above preprocess:

    attr_rewrite add-dollar-sign {
        attribute = User-Name
        searchfor = "^host/(.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
    }

I've added add-dollar-sign to the authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
    NAS-IP-Address = 10.1.22.11
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 12
    Framed-MTU = 1400
    User-Name = "host/itf-toshiba-asd"
    Calling-Station-Id = "000e35ff2a82"
    Called-Station-Id = "00186ecfa600"
    NAS-Identifier = "ap01.intranet.domain.com"
    EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
    Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  radius_xlat: '^host/(.*)'
  radius_xlat: 'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
  modcall[authorize]: module add-dollar-sign returns ok for request 2
  modcall[authorize]: module preprocess returns ok for request 2
  modcall[authorize]: module chap returns noop for request 2
  modcall[authorize]: module mschap returns noop for request 2
    rlm_realm: No '\' in User-Name = "itf-toshiba-asd$", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module DOMAIN returns noop for request 2
  rlm_eap: EAP packet type response id 1 length 25
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
  radius_xlat: 'dc=domain,dc=com'
  radius_xlat: '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: ldap_release_conn: Release Id: 0
  radius_xlat: '(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (&(cn=wireless)(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module files returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
  radius_xlat: '(uid=itf-toshiba-asd$)'
  radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [W ] op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 78389E5DE0CCA3A288568FADB746063D op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module eap returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds

[EMAIL PROTECTED] wrote:
> Hi,
>
> > I need machines to be able to authenticate so that a user who has never logged onto a computer can, because the machine already has an active network connection, pull their credentials from the samba-ldap domain. I have a realm set up to strip the domain/ part of the username, which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quite figure out how to add the $ to the end. Thanks.
>
> Use the link on the novell site as per the discussions earlier today.
>
> alan
Re: Freeradius-Users Digest, Vol 27, Issue 24
On Fri 06 Jul 2007, Hugh Messenger wrote:
> Peter Nixon [EMAIL PROTECTED] said:
> > And different pool names in each instance
>
> Yup, although obviously the Pool-Name is set up independently of the sqlippool instances. I have some unlang at the start of the 'authorize' section that sets the Pool-Name based on a mix of NAS IP and Calling-Station-Id. I also have some NASes in the main 'dialup' Huntgroup that do their own pool assignments (so I don't set a Pool-Name). So I've wrapped the group stuff inside a test ...
>
>     Post-Auth-Type alaweb {
>         if (%{control:Pool-Name}) {
>             group {
>                 ...
>             }
>         }
>     }
>
> (I tried wrapping it round the whole of the Post-Auth-Type block, but FR doesn't like that.) Anyway, that part now works famously, thank you.
>
> My one remaining question is, what should the 'accounting' section look like? As far as I can tell, the accounting queries always return OK (except if there was some kind of database problem) regardless of whether a table row was affected or not. Which is to be expected I suppose, as 'notfound' isn't normally relevant in an accounting query.

Yep. That's exactly what they are supposed to do.

> But I obviously need to apply the right instance, so I get the right pool-key for the allocate/clear queries. So I guess I'll have to wrap some unlang around it like ...
>
>     if (%{control:Pool-Name}) {
>         if ("%{control:Huntgroup-Name}" == "dialup") {
>             sqlippool_dialup
>         }
>         elsif ("%{control:Huntgroup-Name}" == "wireless") {
>             sqlippool_wireless
>         }
>     }

Nope. Accounting does not know which Pool-Name was used, or even IF a pool was used or not.

> Just out of interest, what would the recommended 'accounting' config look like for the Wiki example?

Just list them both. Either your pools overlap (probably not a good idea) and the same IP will be updated in both modules, or they don't overlap (the normal, recommended way), or they overlap but you have virtualised everything based on some other attribute like Called-Station-Id (you will of course need to be running VRF or NAT in between your NASes with overlapping IP ranges), and in this case you will have modified the sql to make this work. (This is how I am deployed, but I doubt many people outside of other GSM or MPLS operators have this setup.)

> > > Thank you for being so patient!
> > You are welcome. Everyone is/was helped by someone when they start out :-)
>
> I'm definitely at that "a little knowledge is a dangerous thing" stage with FR. :) I do fully intend to try and pay forward some of the help I've been getting by building a "Wireless and Dialup with MySQL" Cookbook for the wiki, once I've gotten this all sorted out!

Great :-) Even just fixing existing pages that you feel are unclear is helpful, as you are a newcomer and have found by trial and error which bits are difficult to understand. That was years ago for many of the wiki authors :-)

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Add $ to end of machine account uid
Hi,

> I've about got it, but now I am getting an eap error about the username isn't correct. I added this above preprocess:
>
>     attr_rewrite add-dollar-sign {
>         attribute = User-Name
>         searchfor = "^host/(.*)"
>         searchin = packet
>         new_attribute = no
>         replacewith = "%{1}$"
>     }

You cannot play with User-Name - that is returned in the EAP conversation, and if it has changed then the auth won't work. Copy the value to e.g. Stripped-User-Name and then use that variable to do the auth with (as per that example page).

alan
Re: Shared secret is incorrect - but it is identical!
Alan DeKok wrote:
> (1) The shared secret is wrong
> (2) The code is buggy
>
> There are no alternatives. This is often due to broken MD5 libraries, or 32/64-bit issues. But FreeRADIUS hasn't had those kind of bugs for *years*.

Yep, you were right, there must be some corruption or crap on the Fedora system I was using as a test client. I installed 1.1.6 on a Suse box I have, copied exactly the same raddb onto it, and radtest worked first time.
Re: Add $ to end of machine account uid
Ok, did that, and the connection gets farther now. I don't quite understand how to get the other modules to use the Stripped-User-Name now.

rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'host/itf-toshiba-asd'
  modcall[authorize]: module copy.user-name returns ok for request 6
  radius_xlat: '^host/(.*)'
  radius_xlat: 'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
  modcall[authorize]: module add-dollar-sign returns ok for request 6
  modcall[authorize]: module chap returns noop for request 6
  modcall[authorize]: module preprocess returns ok for request 6
  modcall[authorize]: module mschap returns noop for request 6
    rlm_realm: No '\' in User-Name = "host/itf-toshiba-asd", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module DOMAIN returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 102
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
  radius_xlat: 'dc=domain,dc=com'
  radius_xlat: '(uid=itf-toshiba-asd$)'
[...]
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
    EAP-Message = a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364
  PEAP: Setting User-Name to host/itf-toshiba-asd

    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = ""
        searchin = packet
        replacewith = "%{User-Name}"
    }

    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = "^host/(.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
    }

    authorize {
        copy.user-name
        add-dollar-sign
        chap
        preprocess
        mschap
        DOMAIN
        eap
        files
        ldap
    }

[EMAIL PROTECTED] wrote:
> Hi,
>
> > I've about got it, but now I am getting an eap error about the username isn't correct. I added this above preprocess:
> >
> >     attr_rewrite add-dollar-sign {
> >         attribute = User-Name
> >         searchfor = "^host/(.*)"
> >         searchin = packet
> >         new_attribute = no
> >         replacewith = "%{1}$"
> >     }
>
> You cannot play with User-Name - that is returned in the EAP conversation, and if it has changed then the auth won't work. Copy the value to e.g. Stripped-User-Name and then use that variable to do the auth with (as per that example page).
>
> alan
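To make the difference between the two attr_rewrite layouts concrete, here is an added Python model (not code from this thread and not part of FreeRADIUS) of the authorize chain discussed above: the first attempt, which rewrote User-Name in place and tripped the "Identity does not match User-Name" failure, next to the corrected one that copies User-Name to Stripped-User-Name and rewrites only the copy. The attribute dictionary, the identity comparison and the `%{Stripped-User-Name:-%{User-Name}}` ldap filter template are simplifying assumptions; the sample request values are constructed from the debug output quoted in the thread.

```python
import re

# Constructed request attributes modelled on the debug output quoted in this
# thread (sample values, not a capture from a live server).
SAMPLE_REQUEST = {
    "User-Name": "host/itf-toshiba-asd",
    # The identity the supplicant put inside EAP-Message; rlm_eap compares
    # it against User-Name on every round of the conversation.
    "EAP-Identity": "host/itf-toshiba-asd",
    "NAS-Port-Type": "Wireless-802.11",
}

HOST_PREFIX = re.compile(r"^host/(.*)$")


def copy_user_name(attrs):
    """copy.user-name: create Stripped-User-Name from User-Name and leave
    User-Name itself untouched (the advice given in this thread)."""
    out = dict(attrs)
    out["Stripped-User-Name"] = attrs["User-Name"]
    return out


def add_dollar_sign(attrs, attribute):
    """add-dollar-sign: turn host/NAME into NAME$ in `attribute`, the form a
    Samba/LDAP machine account uid takes. Returns a new dict."""
    out = dict(attrs)
    m = HOST_PREFIX.match(out.get(attribute, ""))
    if m:
        out[attribute] = m.group(1) + "$"
    return out


def eap_identity_consistent(attrs):
    """Simplified model (assumption) of the rlm_eap check: the outer
    User-Name must still equal the identity carried inside EAP-Message,
    otherwise the EAP handler fails the request."""
    return attrs["User-Name"] == attrs["EAP-Identity"]


def broken_chain(attrs):
    """The first attempt from the thread: rewrite User-Name in place.
    Returns (eap_check_passed, rewritten_attrs)."""
    rewritten = add_dollar_sign(attrs, "User-Name")
    return eap_identity_consistent(rewritten), rewritten


def working_chain(attrs):
    """The corrected authorize order: copy.user-name, then add-dollar-sign on
    Stripped-User-Name. User-Name survives, so the EAP identity check passes."""
    rewritten = add_dollar_sign(copy_user_name(attrs), "Stripped-User-Name")
    return eap_identity_consistent(rewritten), rewritten


def ldap_filter_escape(value):
    """RFC 4515 escaping, so a supplicant-chosen identity cannot change the
    structure of the LDAP filter. '$' is not special and passes unchanged."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def ldap_filter(attrs):
    """Filter the ldap module would build from an assumed template of
    (uid=%{Stripped-User-Name:-%{User-Name}}); the thread's debug output
    shows the resulting (uid=itf-toshiba-asd$)."""
    name = attrs.get("Stripped-User-Name") or attrs["User-Name"]
    return "(uid=%s)" % ldap_filter_escape(name)


if __name__ == "__main__":
    ok, attrs = broken_chain(SAMPLE_REQUEST)
    print("rewrite User-Name in place -> EAP identity consistent:", ok)
    ok, attrs = working_chain(SAMPLE_REQUEST)
    print("copy then rewrite Stripped-User-Name -> consistent:", ok)
    print("LDAP filter:", ldap_filter(attrs))
```

Running the file prints False for the in-place rewrite, True for the copy-then-rewrite order and the filter `(uid=itf-toshiba-asd$)`. The escaping helper is the part worth carrying into a real deployment: the identity comes from the supplicant, so any place it is interpolated into a filter should treat it as untrusted input.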
Adding an attribute to an incoming Access-Request
I have played with this a bit and can't seem to get it working... I need to add the NAS-Port = 0 attribute to an incoming request if it is not set. This is currently breaking my sqlippool config, and the upstream partner making the requests is not giving me a NAS-Port attribute. It looks like this should be done in the preprocess section; however, the hints look like they only work with a username, and huntgroups doesn't really do what I need...

Anyone got an idea?

Thanks,
Roy
Converting clients to clients.conf
Hi,

Is there any easy way to convert a freeradius clients file to a clients.conf file? I have several dozen entries in my clients file, and if I have to convert this by hand it's going to be a lot of typing...

Lisa Casey
Re: Converting clients to clients.conf
Lisa Casey wrote:
> Hi,
>
> Is there any easy way to convert a freeradius clients file to a clients.conf file? I have several dozen entries in my clients file, and if I have to convert this by hand it's going to be a lot of typing...
>
> Lisa Casey

Attached are a couple of ugly Perl scripts I used when we migrated from Cistron to FreeRADIUS a couple of years ago. I don't know if they'll work with FreeRADIUS client files.

Regards,

Richard Siddall

    #!/usr/bin/perl -w
    # migrate a Cistron-style realms file (realm, server, options) to
    # FreeRADIUS-style realm blocks as used in proxy.conf
    sub write_realm {
        my ($realm, $type, $options) = @_;   # $options is read but not used
        print "realm $realm {\n\ttype\t= radius\n\tauthhost\t= $type\n\taccthost\t= $type\n}\n\n";
    }
    while (<ARGV>) {
        if (/^\s*([\w\.]+)\s+(\w+)\s+(\w+)\s*$/) {
            write_realm($1, $2, $3);
        }
    }

    #!/usr/bin/perl -w
    # clients.migrate - migrate Cistron-style clients file to FreeRADIUS-style clients.conf
    sub write_client {
        my ($client, $secret) = @_;
        print "client $client {\n\tsecret = $secret\n\tshortname = $client\n}\n\n";
    }
    while (<ARGV>) {
        # dotted-quad IP address followed by the shared secret
        if (/^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(\w+)\s*$/) {
            write_client($1, $2);
        }
        # bare hostname followed by the shared secret; a secret containing
        # anything other than word characters does not match either pattern
        elsif (/^\s*(\w+)\s+(\w+)\s*$/) {
            write_client($1, $2);
        }
    }
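As an added example (not Richard's scripts and not part of FreeRADIUS), the same conversion in Python for the file actually asked about: the old FreeRADIUS 1.x two-column `clients` file (host or IP, then shared secret), with shortname and nastype merged in from the deprecated `naslist` file where an entry exists. The column layouts of both files and the quoting rule for secrets are assumptions; the sample input is constructed and the secrets in it are made up.

```python
import re

# Constructed sample input in the assumed two-column `clients` layout
# (host or IP, then shared secret); these secrets are made up.
SAMPLE_CLIENTS = """\
# Client Name          Key
#------------------    ----------
localhost              testing123
10.1.22.11             ap01secret
proxyradius.isp.com    Their-Key!
"""

# Constructed sample `naslist` in the assumed (host, shortname, nastype)
# layout; radiusd -X reports this file as deprecated, but it carries the
# shortname/nastype that the `clients` file lacks.
SAMPLE_NASLIST = """\
# NAS Name             Short Name   Type
localhost              local        other
10.1.22.11             ap01         cisco
"""

COMMENT = re.compile(r"#.*$")


def _records(text):
    """Yield (lineno, fields) for each non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = COMMENT.sub("", raw).strip()
        if line:
            yield lineno, line.split()


def parse_clients(text):
    """Parse `clients`: exactly two columns, host then secret.
    Returns ({host: secret}, warnings); malformed and duplicate lines are
    reported rather than silently dropped."""
    clients, warnings = {}, []
    for lineno, fields in _records(text):
        if len(fields) != 2:
            warnings.append("clients line %d: expected 2 fields, got %d"
                            % (lineno, len(fields)))
            continue
        host, secret = fields
        if host in clients:
            warnings.append("clients line %d: duplicate entry for %s (keeping first)"
                            % (lineno, host))
            continue
        clients[host] = secret
    return clients, warnings


def parse_naslist(text):
    """Parse `naslist`: host, shortname, nastype (nastype defaults to other)."""
    nas = {}
    for _lineno, fields in _records(text):
        if len(fields) >= 3:
            nas[fields[0]] = (fields[1], fields[2])
        elif len(fields) == 2:
            nas[fields[0]] = (fields[1], "other")
    return nas


def _quote(value):
    """Leave plain words bare; double-quote anything else, escaping backslash
    and double quote (assumed to be what the config parser accepts)."""
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_blocks(clients_text, naslist_text=""):
    """Merge both files into a list of dicts, one per client block.
    Hosts missing from naslist get shortname = host and nastype = other."""
    clients, warnings = parse_clients(clients_text)
    nas = parse_naslist(naslist_text)
    blocks = []
    for host, secret in clients.items():
        shortname, nastype = nas.get(host, (host, "other"))
        blocks.append({"host": host, "secret": secret,
                       "shortname": shortname, "nastype": nastype})
    return blocks, warnings


def render(blocks):
    """Render clients.conf text in the 1.x `client <host> { ... }` form."""
    out = []
    for b in blocks:
        out.append("client %s {\n\tsecret\t\t= %s\n\tshortname\t= %s\n\tnastype\t\t= %s\n}\n"
                   % (b["host"], _quote(b["secret"]), _quote(b["shortname"]), b["nastype"]))
    return "\n".join(out)


if __name__ == "__main__":
    blocks, warnings = build_blocks(SAMPLE_CLIENTS, SAMPLE_NASLIST)
    for w in warnings:
        print("warning:", w)
    print(render(blocks))
```

To use it on real files, read `clients` and `naslist` into strings and pass them to build_blocks; review the printed warnings before trusting the output, since a line the old parser would have ignored is exactly the kind of stale or mistyped entry a migration is a good moment to clean up.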
RE: Adding an attribute to an incoming Access-Request
Added this to the hints file:

    DEFAULT    Suffix == "", Strip-User-Name = No
               Hint = "GPRS", NAS-Port = 0

Worked.

From: [EMAIL PROTECTED] On Behalf Of Roy Walker
Sent: Friday, July 06, 2007 3:15 PM
To: FreeRadius users mailing list
Subject: Adding an attribute to an incoming Access-Request

> I have played with this a bit and can't seem to get it working... I need to add the NAS-Port = 0 attribute to an incoming request if it is not set. This is currently breaking my sqlippool config, and the upstream partner making the requests is not giving me a NAS-Port attribute. It looks like this should be done in the preprocess section; however, the hints look like they only work with a username, and huntgroups doesn't really do what I need...
>
> Anyone got an idea?
>
> Thanks,
> Roy
Re: Configuration for EAP-SIM
locate src/tests/eapsim

Ivan Kalik
Kalik Informatika ISP

On 6/7/2007, Garvin Haslett [EMAIL PROTECTED] wrote:
> Can anyone direct me to an example eap.conf entry to use EAP-SIM? I have looked but I don't see an example.
>
> Cheers,
> Garvin.