Re: SQL IP Pool maximum timeout.
On Tue 10 Jul 2007, Dave wrote:

> Hugh Messenger wrote:
>
>> On Behalf Of Dave said:
>>
>>> Yes accounting is working well from the NAS
>>
>> Are you sure the NAS is sending 'interim update' accounting packets, not just start/stop?
>
> My NAS is currently NOT sending interim updates, but there is an option to use that, just wasn't sure what it did, or how it would apply to me, but it makes sense that it extends the lease time. Do all NASes send interim updates? On the DSL side of my operation I don't see any interim updates until the user logs off (or lost carrier) (this is a proxied operation to me). I don't have control of that NAS, only my wireless NAS.

Then we have found the problem. Basically you need to set the expiry time greater than the time between interim accounting updates. If you don't get interim accounting updates, set the expiry time to larger than your maximum possible session length.

Cheers
-- 
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with NULL realm..
But, can Freeradius 2.x.x read a realm table instead of the proxy.conf file? I guess FreeRadius 2.xx will make things easier?
Re: Problem with NULL realm..
>> The other and slightly easier alternative is to set ignore_null = yes on your realm module so that users without a realm won't match the module, and then use:
>>
>>   select foo from bar where Username='%{Stripped-User-Name:-%{User-Name}}' and realm='${Realm:-pop.co.za}'
>
> Being lazy - I'm starting here. (Also - less impact on existing users)

It's probably the most sensible thing to do.

> Changed 'ignore_null' to yes.. Smiled - and tried to dial-in
>
>   rad_recv: Access-Request packet from host 160.124.0.97:1645, id=81, length=106
>           NAS-IP-Address = 160.124.0.97
>           NAS-Port = 70
>           Cisco-NAS-Port = Async70
>           NAS-Port-Type = Async
>           User-Name = mje
>           Called-Station-Id = 0800
>           User-Password = verysecret
>           Service-Type = Framed-User
>           Framed-Protocol = PPP
>   Processing the authorize section of radiusd.conf
>   modcall: entering group authorize for request 7
>     modcall[authorize]: module preprocess returns ok for request 7
>     modcall[authorize]: module chap returns noop for request 7
>     modcall[authorize]: module mschap returns noop for request 7
>   rlm_realm: No '@' in User-Name = mje, skipping NULL due to config.
>
> *** Line above suggests the 'ignore_null' worked ***
>
>     modcall[authorize]: module suffix returns noop for request 7
>   rlm_eap: No EAP-Message, not doing EAP
>     modcall[authorize]: module eap returns noop for request 7
>   radius_xlat: 'mje'
>   rlm_sql (sql): sql_set_user escaped user -- 'mje'
>   radius_xlat: 'SELECT userid as id,UserName,'Password' as Attribute,password as Value,'==' as op FROM useracct WHERE Username='' AND realm='pop.co.za' AND .
>
> Something stole my username ???

Well, something in your SQL query is wrong. The default queries use %{SQL-User-Name}, which is set to %{Stripped-User-Name:-%{User-Name}} and works with and without a realm match. If you've changed that, e.g. to make the queries use %{Stripped-User-Name} directly, then it'll fail because of course now the realm module isn't matching, so no Stripped-User-Name is being set.

> I'm not too sure of the logic here. I've left the NULL realm in proxy.conf uncommented - so it's 'live'.

Yes - but you've told the realm module to ignore_null, so it'll never match and a user will never be in that realm.

> It seems that the 'NULL' realm matched... then skipped (?) - so I got a null username and a null realm (all the other info got through!)

You got a null *STRIPPED* user name. Use the conditional expansion as above and per the default configs.

> Looks like the SQL logic works though... I just hate complicating the SQL queries even more than I already have! I guess FreeRadius 2.xx will make things easier?

Well no - if you break the SQL queries then 2.x will fail too ;o)
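The exchange above turns on how %{Stripped-User-Name:-%{User-Name}} differs from a bare %{Stripped-User-Name} once the realm module no longer matches. The following is an added example, not code from the thread or from FreeRADIUS: a small re-implementation of the conditional expansion (enough of it to handle nested defaults), run against two constructed requests, one where rlm_realm stripped a suffix and one where ignore_null made it skip a realm-less user. The simple quote-doubling escape stands in for rlm_sql's own escaping and is an assumption made for the example.

```python
"""Added example (not from the original thread or from FreeRADIUS): model the
%{Attr:-default} expansion used in the SQL queries above and show why a query
written with %{Stripped-User-Name} alone produces Username='' as soon as the
realm module stops setting that attribute."""


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Name} and %{Name:-default} references, recursively.

    Braces are matched by scanning so a default may itself contain a nested
    %{...} expansion, e.g. %{Stripped-User-Name:-%{User-Name}}.
    """
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            depth = 0
            j = i + 1
            # find the '}' that closes this '%{'
            while j < len(template):
                if template[j] == "{":
                    depth += 1
                elif template[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j >= len(template):
                raise ValueError("unterminated %{ in template")
            body = template[i + 2:j]
            name, sep, default = body.partition(":-")
            value = attrs.get(name)
            if value is None or value == "":
                # attribute absent: expand the default if one was given, else ""
                value = xlat(default, attrs) if sep else ""
            out.append(value)
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def sql_escape(value: str) -> str:
    """Simplified escaping (an assumption for this example, not rlm_sql's
    algorithm): stop a quote or backslash from breaking out of the literal."""
    return value.replace("\\", "\\\\").replace("'", "''")


# Query as the poster had it (no fallback) and the default-style fixed form.
QUERY_BROKEN = (
    "SELECT userid AS id, UserName, 'Password' AS Attribute, password AS Value, "
    "'==' AS op FROM useracct WHERE Username='%{Stripped-User-Name}' AND realm='pop.co.za'"
)
QUERY_FIXED = QUERY_BROKEN.replace(
    "%{Stripped-User-Name}", "%{Stripped-User-Name:-%{User-Name}}"
)

# Constructed requests: realm matched and stripped, versus ignore_null skipped it.
REQUEST_WITH_REALM = {"User-Name": "mje@pop.co.za", "Stripped-User-Name": "mje", "Realm": "pop.co.za"}
REQUEST_NO_REALM = {"User-Name": "mje"}


def build_query(template: str, request: dict) -> str:
    """Escape every attribute value, then expand the query template."""
    safe = {k: sql_escape(v) for k, v in request.items()}
    return xlat(template, safe)


def username_in_query(sql: str) -> str:
    """Pull the Username literal back out of a generated query, for checking."""
    marker = "Username='"
    start = sql.index(marker) + len(marker)
    end = sql.index("'", start)
    return sql[start:end]


if __name__ == "__main__":
    for label, q in (("broken", QUERY_BROKEN), ("fixed", QUERY_FIXED)):
        print(label, "no realm:  ", build_query(q, REQUEST_NO_REALM))
        print(label, "with realm:", build_query(q, REQUEST_WITH_REALM))
```

Running it prints the broken query with an empty Username for the realm-less request and a filled-in one for both requests with the fixed template, which is the behaviour the debug output above shows.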
Re: setup question : mschap + perl authentication
On Mon, 2007-07-09 at 22:44 +0100, Arran Cudbard-Bell wrote:
> Alan DeKok wrote:
>> Johan wrote:
>>> I'm wondering if it's possible to authenticate a user who is using mschap authentication with perl.
>>
>> Sure. Just re-write all of the MS-CHAP authentication protocol in rlm_mschap in Perl. But why the heck would you want to do that?
>
> You know I've been thinking of doing that in PHP (PHP based supplicant for weblogin via RADIUS), I'm sure it's possible... and it would be of some benefit, just the RFC makes my head hurt... one of the few times I've regretted not studying computer science. *sigh* something to do with hashing the NT hash using different SHA functions.

I suggested this to a BlueSocket rep after my 802.1x talk at NetworkShop 2006 (I think...) to get over the problems of PAP on eduroam - but my suggestion went further and was to do it in JavaScript on the browser, have the server simply act as a relay. I imagine that'd be even trickier. I got about an hour into coding it and lost the will to live...
Re: setup question : mschap + perl authentication
Phil Mayers wrote:
> On Mon, 2007-07-09 at 22:44 +0100, Arran Cudbard-Bell wrote:
>> Alan DeKok wrote:
>>> Johan wrote:
>>>> I'm wondering if it's possible to authenticate a user who is using mschap authentication with perl.
>>>
>>> Sure. Just re-write all of the MS-CHAP authentication protocol in rlm_mschap in Perl. But why the heck would you want to do that?
>>
>> You know I've been thinking of doing that in PHP (PHP based supplicant for weblogin via RADIUS), I'm sure it's possible... and it would be of some benefit, just the RFC makes my head hurt... one of the few times I've regretted not studying computer science. *sigh* something to do with hashing the NT hash using different SHA functions.
>
> I suggested this to a BlueSocket rep after my 802.1x talk at NetworkShop 2006 (I think...) to get over the problems of PAP on eduroam - but my suggestion went further and was to do it in JavaScript on the browser, have the server simply act as a relay. I imagine that'd be even trickier. I got about an hour into coding it and lost the will to live...

Trying to code an MSCHAP client in JS, that's just insane?! But kudos for trying. It appears that there is actually a wrapper class in the PECL repository to do PAP, CHAP-MD5, MSCHAPv1 and MSCHAPv2. You'd need the Radius extension installed, though that too can be downloaded from PECL.

What exactly was the issue with doing PAP over eduroam? Was it people being afraid of passing weakly encrypted passphrases around the interweb, or home sites just not bothering to implement PAP on their RADIUS servers?
Re: setup question : mschap + perl authentication
Hi,

> What exactly was the issue with doing PAP over eduroam? Was it people being afraid of passing weakly encrypted passphrases around the interweb, or home sites just not bothering to implement PAP on their RADIUS servers?

No, the issue is a different one: you will have to enter your credentials on the visited site, and it will either

a) be able to see them (using outright PAP)
b) send you a beautiful/ugly PHP/JS piece of code to encrypt stuff - but then the user would need to trust that piece of code from an institution he doesn't know

Both of these give the visited institution a chance to get hold of your credentials. With EAP and TLS tunnels, this is conceptually not possible and is thus stronger. eduroam security standards don't allow that your password is visible anywhere but at home (if at all).

Note that the interweb thingy is not that critical, it can be overcome: the visited institution's RADIUS server gets PAP credentials, initiates its own EAP-TTLS-PAP session to home, puts the user's credentials in it, authenticates the user and relays the outcome as a PAP reply. This solves the en-route problem, but cannot overcome the problem that the visited institution still *has* your password.

Note also that your problems _can_ be solved quite cleanly, but without RADIUS. Put your captive portal behind an AAI infrastructure such as Shibboleth. Workflow is:

- user gets captive portal page
- is asked "Where are you from"
- enters realm or selects from a text box
- firewall for his IP address is opened _only_ for his home AAI place
- gets redirected to his own AAI place (can verify TLS cert, connection is encrypted)
- authenticates at home, gets cookie / session ID so that the captive portal gets informed that he's properly authenticated
- firewall opens for all traffic

That way, the user only reveals his credentials to home, not the visited institution. There is a nice paper and prototype implementation of this for Shibboleth, I can look up the source if you're interested.

Why don't we do that then?

The wireless link is still unencrypted with this approach. Again a violation of our security minimums. And this problem is a lot harder to solve than authentication above. We would probably need to go to the IEEE asking for a WPA2-Noauth-JustEncrypt profile, where the AP just hands out an EAPoL-Key to the client, performing no prior authentication. This would just encrypt the link, and authentication could take place with the above thing. *Then*, web-redirect is again a viable alternative. But going to the IEEE is not exactly a walk in the park.

Greetings,

Stefan

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu           Fax:  +352 422473
Re: ldap auth based on user acc and dialupaccess attr
> I'm currently trying to setup FR to authenticate a user / machine regardless of password.. In the end I hope to have the ldap check if dialup access is allowed, if it is then check if user / pass is correct via ntlm.

This makes no sense. If you are going to authenticate users regardless of the password (based on that dialup flag), what is the point in checking passwords with ntlm_auth (or LDAP)?

Ivan Kalik
Kalik Informatika ISP
Re : PEAP certificates, signing requirements and examples
I have read and used make_cert_command = ${certdir}/bootstrap; it's an excellent tool but it only creates clientAuth and serverAuth and does not add PEAP, which of course one can add by himself. Even though FreeRADIUS will authenticate, some supplicants will require users to save the cert the first time. Windows supplicants use the OIDs xpclient_ext and xpserver_ext, and on Mac supplicants? It usually pops up the message "the server certificate is not trusted because there are no explicit trust settings" - this seems to require the setting of the EAP OID.

The question is: what is the difference between web server and RADIUS server certificates with respect to SSL and wireless in the context of EAP, PEAP? Does it matter if the CN is the SSID of the wireless network for RADIUS server auth and the server domain name for web server auth?

[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1

[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

==
Benjamin K. Eshun

----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 9 July 2007, 18:12:28
Subject: Re: PEAP certificates, signing requirements and examples

Eshun Benjamin wrote:
> Hi All, I came across this information and thought it would be nice to drop it here. Even though it is an SSL issue it has to do with PEAP. Just to discuss; any comments.

This is documented in eap.conf, among other places. It's on the Wiki, in the script files that create the test certificates for the server, etc.

In 2.0, a brand-new install of the server will automatically create test certificates with the right OIDs for Windows.

Alan DeKok.
RE: Freeradius-Users Digest, Vol 27, Issue 44
I've changed the client declaration thus so that the CIDR matches the subnet mask for a Class B IP address:

client 169.254.188.217/16 {
	secret    = testing123
	shortname = belkin-at-garvin
}

But it still doesn't work. Is this what was meant or is it the 169.254.0.0 network number that is at fault?

Garvin.

------------------------------

Message: 5
Date: Mon, 09 Jul 2007 19:25:01 +0100
From: [EMAIL PROTECTED]
Subject: Re: Any successes with Belkin Wireless Access Point.
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

Your AP IP address is from the Automatic Private IP Addressing range. Routing is not going to work there. Make a proper /30 network between the AP and the PC.

Ivan Kalik
Kalik Informatika ISP

On 9/7/2007, Garvin Haslett [EMAIL PROTECTED] writes:
> I have a tiny test network consisting of a Belkin Wireless Access Point (FCC: K7SF5D7132A) connected by an ethernet cable to a Windows machine with an Intel network card. I'm running FreeRADIUS.net-1.1.5-r0.0.3 and configure the client thus:
>
> client 169.254.188.217 {
> 	secret    = testing123
> 	shortname = belkin-at-garvin
> }
>
> When I connect to the AP I can see packets getting through to the network card using ethereal but nothing appears in the radius.log. When I disconnect from the AP the device's MAC still appears in the AP's list and it is reported as being Authenticated! Can anyone tell me what I have missed in the configuration?
>
> Garvin.
eap/peap oid on certs
Hi Alan,

You are doing a good job and kudos to your team. Just want some clarification on this issue.

make_cert_command = ${certdir}/bootstrap is an excellent tool but it only creates clientAuth and serverAuth and does not add PEAP, which of course one can add by himself. Even though FreeRADIUS will authenticate, some supplicants will require users to save the cert the first time. Windows supplicants use the OIDs xpclient_ext and xpserver_ext, and on Mac supplicants? It usually pops up the message "the server certificate is not trusted because there are no explicit trust settings". What explicit trust settings is it looking for - does it require the setting of the EAP OID?

The question is: what is the difference between web server and RADIUS server certificates with respect to SSL and wireless in the context of EAP, PEAP? Does it matter if the CN is the SSID of the wireless network for RADIUS server auth and the server domain name for web server auth?

[ PEAP ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.1

[ clientAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ serverAuth ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

==
Benjamin K. Eshun
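Both of Benjamin's posts (this one and the earlier "Re : PEAP certificates" one) revolve around which extendedKeyUsage OIDs a RADIUS server certificate carries. The block below is an added example, not code from the thread or from FreeRADIUS: a minimal DER encoder/decoder for the extendedKeyUsage extension value (a SEQUENCE OF OBJECT IDENTIFIER), used to check a certificate's EKU for serverAuth (1.3.6.1.5.5.7.3.1), the OID the xpserver_ext section sets. The DER bytes are constructed by hand for the example rather than taken from a real certificate, and the decoder handles only the short-form and one-byte long-form lengths such an extension value uses.

```python
"""Added example (not from the original posts): encode and decode the DER
extendedKeyUsage value discussed in the thread and test it for the serverAuth
OID a Windows PEAP supplicant expects in a RADIUS server certificate."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, what xpserver_ext sets
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, what xpclient_ext sets


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    Only short-form and one-byte long-form lengths are handled here."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        if (length & 0x7F) != 1:
            raise ValueError("length form not supported in this example")
        length = data[pos]
        pos += 1
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = []
    acc = 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                # the first subidentifier packs the first two arcs as 40*X + Y
                arcs.extend([acc // 40, acc % 40] if acc < 80 else [2, acc - 80])
            else:
                arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid, returned as a complete OID TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)   # continuation bit on all but last
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(*oids: str) -> bytes:
    """Build the extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner


def decode_eku(der: bytes) -> list:
    """Return the list of dotted OIDs inside an extendedKeyUsage value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(value))
    return oids


def usable_for_eap_server(der: bytes) -> bool:
    """True when the EKU permits TLS server use, the property a Windows PEAP
    supplicant checks on the RADIUS server certificate."""
    return SERVER_AUTH in decode_eku(der)


# Constructed sample: the [ PEAP ] section above, as it appears on the wire.
PEAP_EKU = bytes.fromhex("3014" "0608" "2b06010505070301" "0608" "2b06010505070302")

if __name__ == "__main__":
    print(decode_eku(PEAP_EKU), usable_for_eap_server(PEAP_EKU))
```

The same check on a real certificate is what a supplicant performs before it even gets to the trust question; a certificate whose EKU lists only clientAuth fails it regardless of which CA signed it.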
RE: Freeradius-Users Digest, Vol 27, Issue 44
XP won't route to an APIPA address. Make a /30 network in a different private IP range. Or you can switch on Internet Connection Sharing on XP; the NIC will be fixed to 192.168.0.1 and it will behave like a mini-router (DHCP etc.). Just fix the IP address on the AP (so you have a single address in clients.conf) and leave the rest on automatic.

Ivan Kalik
Kalik Informatika ISP

On 10/7/2007, Garvin Haslett [EMAIL PROTECTED] writes:
> I've changed the client declaration thus so that the CIDR matches the subnet mask for a Class B IP address:
>
> client 169.254.188.217/16 {
> 	secret    = testing123
> 	shortname = belkin-at-garvin
> }
>
> But it still doesn't work. Is this what was meant or is it the 169.254.0.0 network number that is at fault?
>
> Garvin.
>
> ------------------------------
>
> Message: 5
> Date: Mon, 09 Jul 2007 19:25:01 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: Any successes with Belkin Wireless Access Point.
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-2
>
> Your AP IP address is from the Automatic Private IP Addressing range. Routing is not going to work there. Make a proper /30 network between the AP and the PC.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 9/7/2007, Garvin Haslett [EMAIL PROTECTED] writes:
>> I have a tiny test network consisting of a Belkin Wireless Access Point (FCC: K7SF5D7132A) connected by an ethernet cable to a Windows machine with an Intel network card. I'm running FreeRADIUS.net-1.1.5-r0.0.3 and configure the client thus:
>>
>> client 169.254.188.217 {
>> 	secret    = testing123
>> 	shortname = belkin-at-garvin
>> }
>>
>> When I connect to the AP I can see packets getting through to the network card using ethereal but nothing appears in the radius.log. When I disconnect from the AP the device's MAC still appears in the AP's list and it is reported as being Authenticated! Can anyone tell me what I have missed in the configuration?
>>
>> Garvin.
accounting exec when Acct-Status-Type == Stop
hello all,

I have added the following lines in the acct_users file:

DEFAULT Acct-Status-Type == Start
	Exec-Program-Wait = "/usr/local/start.sh"

DEFAULT Acct-Status-Type == Stop
	Exec-Program-Wait = "/usr/local/stop.sh"

started radius in debug mode and I haven't seen Exec-Program-Wait executing those scripts.

It works fine, however, I want to execute a different script depending on the user group. I read from a DB for passing my radius attributes. I pass the attribute Exec-Program-Wait and each username executes its own script well. However, how can I tell freeradius to do the same when a username does an Acct-Status-Type == Stop, using my DB instead of the acct_users file?

Thanks!
Re: setup question : mschap + perl authentication
> credentials in it. Authenticates user and relays the outcome as PAP reply. This solves the en-route problem, but cannot overcome the problem that still the visited inst *has* your password.

Ah yes, I can see that being a problem, damn this means we can't offer any JRS authenticated services other than wireless and wired network access. We were planning on a few kiosks dotted around campus... though in theory if those kiosks supported EAP based login, the tunnel would be between the kiosk and the user's home RADIUS server... Would this be acceptable, or would the fact that we could still theoretically capture the user's credentials from the login screen be an issue?

> Note also that your problems _can_ be solved quite cleanly,

Shibboleth is in no way clean! It's a necessary evil... actually the idea is good, just the WAYF page is so horribly kludgy. I think the idea of a pre-login form on the authenticated service would be a good idea. You enter your username string [EMAIL PROTECTED], this sets an identification cookie containing that string and redirects you to your home gateway (using a central list of domain-gateway mappings). You then provide your password at your home gateway, which then directs you back to the page where you were originally sent from. No nasty WAYF pages. Unfortunately this would mean you could be identified, and I know that's a big feature of Shibboleth... that service providers don't know who's using their service, just that they've been authorised to do so. *sigh* there must be a solution, just no one's figured it out yet.

> but without RADIUS. Put your captive portal behind a AAI infrastructure such as Shibboleth. Workflow is...

We're implementing Shibboleth already, due to go live summer 2008...

> That way, the user only reveals his credentials to home, not the visited inst. There is a nice paper and prototype impl of this for Shibboleth, I can look up the source if you're interested.

I've read more Shibboleth technical documentation than I would care to already, but thanks for the offer.

> Why don't we do that then?
>
> The wireless link is still unencrypted with this approach. Again a violation of our security minimums. And this problem is a lot harder to solve than authentication above. We would probably need to go to the IEEE asking for a WPA2-Noauth-JustEncrypt profile, where the AP just hands out an EAPoL-Key to the client, performing no prior authentication. This would just encrypt the link, and authentication could take place with the above thing. *Then*, web-redirect is again a viable alternative. But going to the IEEE is not exactly a walk in the park.

No, quite. So this would be a kind of walled garden approach using Shibboleth for authentication?

> Greetings,
>
> Stefan

Regards,
Arran
-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: setup question : mschap + perl authentication
Hi,

> Ah yes, I can see that being a problem, damn this means we can't offer any JRS authenticated services other than wireless and wired network access. We were planning on a few kiosks dotted around campus... though in theory if those kiosks supported EAP based login, the tunnel would be between the kiosk and the user's home RADIUS server... Would this be acceptable, or would the fact that we could still theoretically capture the user's credentials from the login screen be an issue?
>
>> Note also that your problems _can_ be solved quite cleanly,
>
> Shibboleth is in no way clean! It's a necessary evil... actually the idea is good, just the WAYF page is so horribly kludgy. I think the idea of a pre-login form on the authenticated service would be a good idea.

install pGina on the kiosk systems, for example... and let those kiosk systems talk directly back to your ORPS RADIUS server. The request will then be proxied through to the home site if they are a visitor (i.e. don't enter your realm).

alan
Re: setup question : mschap + perl authentication
Hi,

> Ah yes, I can see that being a problem, damn this means we can't offer any JRS authenticated services other than wireless and wired network access. We were planning on a few kiosks dotted around campus... though in theory if those kiosks supported EAP based login, the tunnel would be between the kiosk and the user's home RADIUS server... Would this be acceptable, or would the fact that we could still theoretically capture the user's credentials from the login screen be an issue?

Well, Alan mentioned pGina, and that would sort of fulfill the security requirements. It's still somewhat borderline, because you are supposed to enter something on an untrusted computer (mind keyboard sniffers et al). eduroam was meant as a WLAN infrastructure for *your own* laptop. An exact border on where to stop calling things eduroam remains to be drawn. Application-layer authentication is usually something to be taken care of by an application-level AAI infrastructure.

>> Note also that your problems _can_ be solved quite cleanly,
>
> Shibboleth is in no way clean! It's a necessary evil... actually the idea is good, just the WAYF page is so horribly kludgy. I think the idea of a pre-login form on the authenticated service would be a good idea. You enter your username string [EMAIL PROTECTED], this sets an identification cookie containing that string and redirects you to your home gateway (using a central list of domain-gateway mappings). You then provide your password at your home gateway, which then directs you back to the page where you were originally sent from. No nasty WAYF pages.

Not working heavily on AAI stuff other than eduroam, I can take it easy here and just say: *shrug* however you implement it, I don't particularly care.

>> RADIUS. Put your captive portal behind a AAI infrastructure such as Shibboleth. Workflow is...
>
> We're implementing Shibboleth already, due to go live summer 2008...
>
>> That way, the user only reveals his credentials to home, not the visited inst. There is a nice paper and prototype impl of this for Shibboleth, I can look up the source if you're interested.
>
> I've read more Shibboleth technical documentation than I would care to already, but thanks for the offer.

That one actually made me laugh :-) I guess Shibboleth even beats the legendary 12-pound UNIX manuals.

> No, quite. So this would be a kind of walled garden approach using Shibboleth for authentication?

It's not a walled garden: eduroam's sister project eduGAIN (educational GEANT Authentication Infrastructure) provides tools to cross technology borders, i.e. if you have a non-Shibboleth Identity Provider for your credentials and a Shibboleth service, eduGAIN will translate the requests from one language to another and make them interoperate. So, in short, ANY AAI infrastructure will do (as long as an eduGAIN adapter [bridging element] exists). So, it's not like you are tied to Shibboleth. We have a cross-federation service already between PAPI and Shibboleth, A-Select soon to come...

But I guess we're drifting off-topic here... sorry.

Stefan

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.: +352 424409-1
http://www.restena.lu           Fax:  +352 422473
AD + Static IP Address
Hello,

Our users connect from our internal LAN to the internet through a PPTP connection (so we can control when they login and how much they use the net).

LAN -> PPTP -> Internet

I'm using Active Directory for authentication (rlm_ldap for PAP and ntlm_auth for MSCHAP) and authorization with groups and everything. Everything works like a charm!

The problem is that I've set up a few with internal static IP addresses (192.168.12.X range) and a few with our valid IP address range (85.15.X.X range). I'm assigning these IP addresses in Active Directory through the msRadiusFramedIPAddress attribute. Users with a static IP address of 85.X are getting their static IP addresses, but not users in the 192.X range (they get 255.255.255.255).

After digging for a while I noticed I could assign IP addresses up to 127.255.255.255 and get the IP assigned. Right after 128.0.0.0 the static IP will not get assigned to the user. Apparently the 4-byte integer in Active Directory for msRadiusFramedIPAddress is being treated as a signed integer, so anything more than 127.255.255.255 is treated as a negative value and an invalid value.

Is there a setting to treat this 4-byte value as an unsigned integer? A setting? Or is this a bug?

Thank you in advance, and thank you for this great software :)

Cheers,
parham
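The boundary parham observed (127.255.255.255 works, 128.0.0.0 does not) is exactly where the top bit of a 32-bit value flips. The following is an added example, not code from the post or from FreeRADIUS: it encodes an IPv4 address the way a 4-byte signed integer attribute stores it, then decodes it two ways, a naive decoder that rejects negative values (modelled on the symptom in the post; how the real consumer behaves is an assumption here) and one that reinterprets the same 32 bits as unsigned. The "255.255.255.255" returned by the naive path mirrors what the poster saw and is part of the model, not a claim about any particular server's code.

```python
"""Added example (not from the original post): the signed/unsigned 32-bit
arithmetic behind msRadiusFramedIPAddress values above 127.255.255.255."""

import ipaddress
import struct


def ip_to_ad_value(ip: str) -> int:
    """Encode an IPv4 address as a 32-bit *signed* integer, the way a 4-byte
    integer attribute holds it. Addresses with the first octet >= 128 have the
    top bit set and therefore come out negative."""
    unsigned = int(ipaddress.IPv4Address(ip))
    # reinterpret the same four big-endian bytes as a signed value
    return struct.unpack(">i", struct.pack(">I", unsigned))[0]


def naive_decode(value: int) -> str:
    """Decoder that treats anything outside 0..2**31-1 as invalid. This models
    the behaviour the poster describes; the 'no address' result is the
    255.255.255.255 they observed."""
    if value < 0 or value > 0x7FFFFFFF:
        return "255.255.255.255"
    return str(ipaddress.IPv4Address(value))


def correct_decode(value: int) -> str:
    """Reinterpret the signed 32-bit value as unsigned before converting, so
    the full 0.0.0.0 .. 255.255.255.255 range round-trips."""
    unsigned = value & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(unsigned))


def compare(ip: str) -> dict:
    """Show both decoders side by side for one address."""
    stored = ip_to_ad_value(ip)
    return {"ip": ip, "stored": stored,
            "naive": naive_decode(stored), "correct": correct_decode(stored)}


if __name__ == "__main__":
    # constructed sample addresses from the two ranges in the post
    for ip in ("85.15.1.2", "127.255.255.255", "128.0.0.0", "192.168.12.5"):
        print(compare(ip))
```

The stored integer for 192.168.12.5 is negative, which is why a decoder that only accepts non-negative values drops it while the 85.15.x.x users are unaffected; masking with 0xFFFFFFFF before conversion is the whole fix on the consuming side.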
Logging failed authentications....
Hi,

I would like to be able to log failed authentications but I don't find it anywhere. And ideally I would like to put it into a MySQL table. Can anyone advise on this please?

Thanks
AJ
Re: Re : PEAP certificates, signing requirements and examples
Eshun Benjamin wrote:
> I have read and used the make_cert_command = ${certdir}/bootstrap; it's an excellent tool but it only creates clientAuth and serverAuth and does not add PEAP

Huh? What do you mean by that?

> ... it usually pops up the message "the server certificate is not trusted because there are no explicit trust settings" - this seems to require the setting of the EAP OID.

No. If you get that message, then the OID is in the certificate, and PEAP is working. The message simply says that the certificate isn't signed by a root CA your system knows about.

> The question is what is the difference between web server and RADIUS server certificates with respect to SSL and wireless in the context of EAP, PEAP.

Ask Microsoft.

> [ PEAP ]
> ...

There's no need to post the OIDs in every message. We've seen them before.

Alan DeKok.
Re: Any successes with Belkin Wireless Access Point?
I've now configured the clients as such:

client 172.16.0.0/16 {
	secret    = testing123
	shortname = belkin-at-garvin
}

The IP address of the network card on my Windows machine is 172.16.1.1, while the corresponding value for the access point is 172.16.1.2. The subnet mask in both cases is 255.255.0.0. However, still no sign of traffic destined for the RADIUS server.

Garvin.

------------------------------

Message: 2
Date: Tue, 10 Jul 2007 11:24:01 +0100
From: [EMAIL PROTECTED]
Subject: RE: Freeradius-Users Digest, Vol 27, Issue 44
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

XP won't route to an APIPA address. Make a /30 network in a different private IP range. Or you can switch on Internet Connection Sharing on XP; the NIC will be fixed to 192.168.0.1 and it will behave like a mini-router (DHCP etc.). Just fix the IP address on the AP (so you have a single address in clients.conf) and leave the rest on automatic.

Ivan Kalik
Kalik Informatika ISP

On 10/7/2007, Garvin Haslett [EMAIL PROTECTED] writes:
> I've changed the client declaration thus so that the CIDR matches the subnet mask for a Class B IP address:
>
> client 169.254.188.217/16 {
> 	secret    = testing123
> 	shortname = belkin-at-garvin
> }
>
> But it still doesn't work. Is this what was meant or is it the 169.254.0.0 network number that is at fault?
>
> Garvin.
>
> ------------------------------
>
> Message: 5
> Date: Mon, 09 Jul 2007 19:25:01 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: Any successes with Belkin Wireless Access Point.
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-2
>
> Your AP IP address is from the Automatic Private IP Addressing range. Routing is not going to work there. Make a proper /30 network between the AP and the PC.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 9/7/2007, Garvin Haslett [EMAIL PROTECTED] writes:
>> I have a tiny test network consisting of a Belkin Wireless Access Point (FCC: K7SF5D7132A) connected by an ethernet cable to a Windows machine with an Intel network card. I'm running FreeRADIUS.net-1.1.5-r0.0.3 and configure the client thus:
>>
>> client 169.254.188.217 {
>> 	secret    = testing123
>> 	shortname = belkin-at-garvin
>> }
>>
>> When I connect to the AP I can see packets getting through to the network card using ethereal but nothing appears in the radius.log. When I disconnect from the AP the device's MAC still appears in the AP's list and it is reported as being Authenticated! Can anyone tell me what I have missed in the configuration?
>>
>> Garvin.
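This thread went through three clients.conf entries and two addressing problems (an APIPA 169.254.x.x address the PC will not route to, and the question of whether the NAS address falls inside the declared client network). The block below is an added example, not code from the thread or from FreeRADIUS: it models client lookup as a longest-prefix match over the declared networks (an assumption about how the server chooses among overlapping entries) and adds the two checks a practitioner would run on a NAS address before chasing RADIUS configuration: is it link-local, and does any client entry cover it. The client table is constructed from the three declarations posted in the thread.

```python
"""Added example (not from the original thread or from FreeRADIUS): match an
incoming NAS address against clients.conf-style entries and flag the two
conditions discussed above, a link-local (APIPA) NAS address and an address
no client entry covers."""

import ipaddress

# Constructed from the three client {} blocks posted in the thread.
CLIENTS = {
    "169.254.188.217/32": {"secret": "testing123", "shortname": "belkin-at-garvin"},
    "169.254.188.217/16": {"secret": "testing123", "shortname": "belkin-at-garvin"},
    "172.16.0.0/16":      {"secret": "testing123", "shortname": "belkin-at-garvin"},
}


def parse_clients(table: dict) -> list:
    """Normalise each 'address[/prefix]' key into an ip_network. strict=False
    lets a host address with a /16, as in the thread, become its containing
    network (169.254.0.0/16) instead of raising."""
    return [(ipaddress.ip_network(key, strict=False), entry) for key, entry in table.items()]


def find_client(nas_ip: str, clients: list):
    """Longest-prefix match: the most specific network containing nas_ip wins.
    Returns (network, entry), or None when no entry covers the address, which
    is the case where a RADIUS server drops the packet without replying."""
    addr = ipaddress.ip_address(nas_ip)
    candidates = [(net, entry) for net, entry in clients if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)


def check_nas(nas_ip: str, clients: list) -> list:
    """Return human-readable findings for a NAS address, most serious first."""
    findings = []
    addr = ipaddress.ip_address(nas_ip)
    if addr.is_link_local:
        # 169.254.0.0/16: auto-configured, the host will not route to it
        findings.append("link-local (APIPA) address: host will not route to it")
    match = find_client(nas_ip, clients)
    if match is None:
        findings.append("no clients.conf entry covers this address")
    else:
        findings.append("matched client %s (%s)" % (match[0], match[1]["shortname"]))
    return findings


if __name__ == "__main__":
    table = parse_clients(CLIENTS)
    for ip in ("169.254.188.217", "172.16.1.2", "10.0.0.1"):
        print(ip, check_nas(ip, table))
```

Note that the final 172.16.0.0/16 entry does cover 172.16.1.2, so once the addressing was fixed the remaining silence points away from clients.conf and toward whether the AP is sending RADIUS at all, which is what the packet capture in the thread is for.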
use_tunneled_reply
Hello all,

can anybody explain to me the meaning of the attribute use_tunneled_reply in the peap configuration? What is the difference in the behaviour of PEAP if I set this option to yes or no?

Thanks in advance.
Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
Hi, Thanks for taking the time to respond. I understand better; see the answers inline below.

... http://lists.cistron.nl/pipermail/freeradius-users/2006-August/056121.html FreeNAC is announced: The 'plan' is for the project to move forward to eventually become THE OpenSource Enterprise tool for dynamic VLAN assignment and LAN/WLAN authentication.

Uh... right. FreeRADIUS hasn't been doing that already for nearly a decade? FreeRADIUS is *crushing* Cisco and Microsoft in the AAA space. It's doing LAN/WLAN authentication daily for hundreds of millions of users. There is *nothing* in the WLAN authentication space (open source or otherwise) that competes with FreeRADIUS. I *regularly* hear about sites with 10+ million users switching to FreeRADIUS.

I was thinking in a very different way. The idea was not to create any tensions or competition with other OpenSource products. My focus was to offer LAN Access Control, what many people call NAC. To me there was no solution for that, from a systems management point of view. So I created the DB and GUI around OpenVMPS, added switch/router scanning, integration with other network tools and a GUI. We did not try to replace OpenVMPS or FreeRadius, but to make them easier to use in one specific environment: LAN control. When I said "become THE OpenSource Enterprise tool for dynamic VLAN..", it was a call to ask people to help and work, not a declaration against other tools like Freeradius. I like the idea of setting a goal.

And FreeNAC is going to become THE project for LAN/WLAN authentication... by tying in FreeRADIUS as a subsidiary project? Honestly, what reaction did you expect?

It wasn't a provocation, really. I did not think FreeRadius sees itself as a NAC server.

It's one thing to say "we've written a web GUI that administers VMPS and RADIUS". It's another thing *entirely* to say that a project funded by a large company is going to tie in FreeRADIUS, and become THE market leader in the space.
Hang on, I meant to use FreeRadius for the 802.1x; my focus was to add whatever additional DB modules, interfaces, or GUIs were necessary. A pity we didn't discuss this a long time ago..

... FreeNAC, like some other projects, appears largely to be a way to generate consulting revenue. That isn't a bad thing, as people have to make money. But don't pretend that it's an open project because your boss tells you to (1) work on it, and to (2) accept patches from other people.

Actually no, it was first and foremost a GPL project with the aim of publishing the work done so far. I really consider it to be an open project; it was, and still is, my first priority to create an OpenSource GPL project that could live with or without its initial sponsor, Swisscom Innovations. No boss told me to work on it; it's been my idea from day 1. The idea of the consulting is to try and get some funding to ensure the long term survival. I did not think of GPL and funding as mutually exclusive, but you do?

- Good luck getting patches added if they conflict with the corporate agenda.

The community are free to change FreeNAC themselves, and submit patches, ... which may or may not be accepted. Is there anyone *other* than a Swisscom employee who has CVS commit access to FreeNAC?

You can have SVN access if you want. Any developer can have it if he takes the time. All I ask is that, like in most projects, there is a phase where people get to know each other, communicate, and ensure patches do not create major stability problems.

For similar examples, see ISC, and the third-party patches to Bind and dhcpd. There are patches floating around for features used by many sites. Those patches are tested, widely used, in wide demand, and aren't included in the main distribution. The reasons they're not included aren't nefarious... just reality.

Is the ISC GPL?

In contrast, FreeRADIUS adds features that people need. If a patch works, and enough people say they're using it, the patch goes in.
(Modulo some editorial re-writes). This is the way it's worked for almost a decade, and this is the way it will *always* work.

Good. Perhaps you could explain your CVS commit policy, or what we should do differently?

... if we don't do it fast enough. That is what OpenSource is about. The core team is not closed to Swisscom Innovation people either. I'll welcome anyone with the motivation, skills and time. This is, I repeat, a GPL - OpenSource project.

... started by a company, with the core team being solely company employees. There are many open source, GPL projects that work that way. But they make it clear they're corporate projects with community input. They don't pretend they're community projects. The ones that try to co-opt community projects encounter hostility from that community.

My intention *is* to create a community with a consulting spinoff, not the other way
Recommended AP for test purposes.
Further to a previous post, I believe I'm using an AP that does not act as a NAS. In particular there are no aspects of the security page that ask for RADIUS configuration. I'm using a Belkin Wireless G Universal Range Extender/Access Point (FCC: K7SF5D7132A). Can anyone confirm my suspicions? If so, can anyone recommend a reliable AP suitable for doing some testing on. Thanks in anticipation of replies, Garvin.
RE: Recommended AP for test purposes.
I use a Linksys WRT54G. Works great. Mearl

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Garvin Haslett Sent: Tuesday, July 10, 2007 10:39 AM To: freeradius-users@lists.freeradius.org Subject: Recommended AP for test purposes.

Further to a previous post, I believe I'm using an AP that does not act as a NAS. In particular there are no aspects of the security page that ask for RADIUS configuration. I'm using a Belkin Wireless G Universal Range Extender/Access Point (FCC: K7SF5D7132A). Can anyone confirm my suspicions? If so, can anyone recommend a reliable AP suitable for doing some testing on. Thanks in anticipation of replies, Garvin.
Re: Logging failed authentications....
Ackbar Joolia wrote: I would like to be able to log failed authentications but I don't find it anywhere. And ideally I would like to put it into a MySQL table. Can anyone advise on this please?

Please read section 6.3 of the FAQ: http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ#How_do_I_log_failed_login_attempts_in_a_SQL_database.3F -- Nicolas Baradakis
Re: use_tunneled_reply
Hi,

Hello all, can anybody explain to me the meaning of the attribute use_tunneled_reply in the PEAP configuration? What is the difference in the behaviour of PEAP if I set this option to yes or no?

Attributes you send back won't get passed if you don't use it. alan
Re: Recommended AP for test purposes.
Hi,

If so, can anyone recommend a reliable AP suitable for doing some testing on.

A basic SOHO wifi AP? Linksys WRT54GS or WRT54GL. alan
RE: Recommended AP for test purposes.
I've used a DD-WRT (with ChilliSpot) based Buffalo WHR-HP-G54 with captive portal and it worked like a charm. parham

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Danner, Mearl Sent: Tuesday, July 10, 2007 7:12 PM To: FreeRadius users mailing list Subject: RE: Recommended AP for test purposes.

I use a Linksys WRT54G. Works great. Mearl

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] rg] On Behalf Of Garvin Haslett Sent: Tuesday, July 10, 2007 10:39 AM To: freeradius-users@lists.freeradius.org Subject: Recommended AP for test purposes.

Further to a previous post, I believe I'm using an AP that does not act as a NAS. In particular there are no aspects of the security page that ask for RADIUS configuration. I'm using a Belkin Wireless G Universal Range Extender/Access Point (FCC: K7SF5D7132A). Can anyone confirm my suspicions? If so, can anyone recommend a reliable AP suitable for doing some testing on. Thanks in anticipation of replies, Garvin.
Re : Re : PEAP certificates, signing requirements and examples
I have read and used the make_cert_command = ${certdir}/bootstrap; it's an excellent tool but it only creates clientAuth and serverAuth and does not add PEAP

Huh? What do you mean by that?

You have clarified.

There's no need to post the OIDs in every message. We've seen them before.

... it usually pops up a message that the server certificate is not trusted because there are no explicit trust settings - this seems to require the setting of the EAP OID.

No. If you get that message, then the OID is in the certificate, and PEAP is working. The message simply says that the certificate isn't signed by a root CA your system knows about.

I get this message even with a certificate signed by a root CA. And also by an intermediate CA. Thanks Alan, I have to ask Apple. == Benjamin K. Eshun

- Original message From: Alan DeKok [EMAIL PROTECTED] To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Tuesday, 10 July 2007, 14:55:34 Subject: Re: Re : PEAP certificates, signing requirements and examples

Eshun Benjamin wrote: I have read and used the make_cert_command = ${certdir}/bootstrap; it's an excellent tool but it only creates clientAuth and serverAuth and does not add PEAP

Huh? What do you mean by that?

... it usually pops up a message that the server certificate is not trusted because there are no explicit trust settings - this seems to require the setting of the EAP OID.

No. If you get that message, then the OID is in the certificate, and PEAP is working. The message simply says that the certificate isn't signed by a root CA your system knows about.

The question is what is the difference between web server and radius server certificates with respect to SSL and wireless in the context of EAP, PEAP.

Ask Microsoft.

[ PEAP ] ...

There's no need to post the OIDs in every message. We've seen them before. Alan DeKok.
R: R: Cisco VRF + Radius
You don't need to set up VRF templates if everyone is going to use the default radius server and default authentication and authorization groups. It's optional.

Thanks Ivan, now it's clear I don't need templates...

What does "debug radius" and "debug ppp negotiation" on Cisco say about why the Framed-IP-Address was rejected? If it fails on IPCP then your route is the problem. Since it all goes well without it ...

Yes, the problem was on the NAS side. Now it seems to understand and correctly assign the IP address to the CPE. Ivan Kalik Kalik Informatika ISP Thanks, Francesco Cristofori.
Re : use_tunneled_reply
It is explained in the config file.

# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}

# the PEAP module also has these configuration
# items, which are the same as for TTLS.

== Benjamin K. Eshun

- Original message From: Manuel Sanchez Cuenca [EMAIL PROTECTED] To: freeradius-users@lists.freeradius.org Sent: Tuesday, 10 July 2007, 17:07:43 Subject: use_tunneled_reply

Hello all, can anybody explain to me the meaning of the attribute use_tunneled_reply in the PEAP configuration? What is the difference in the behaviour of PEAP if I set this option to yes or no? Thanks in advance.
Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
VMPS is only one part of the problem. Do you want to add a Database, Client Security tools/interfaces, policy engine, interfaces to AntiVirus servers, scanners, Patch servers, and so on to FreeRadius?

Yes. By implementing EAP-TNC.

I thought Freeradius concentrates on the authentication protocols, not the network integration aspects?

Perhaps you could explain, if FreeRadius supported EAP-TNC, why I as a medium/large organisation would possibly want to use FreeNAC? Bearing in mind that (correct me if I'm wrong) FreeNAC consists of:

* a database schema
* a web editor for said database
* a gui editor for said database (bleh)
* a freeradius config to authenticate off that database
* a patched version of openvmps to query off that database
* yet another re-implementation of netdisco (www.netdisco.org) talking to the same database
* some helper utilities for pulling info from SMS/Wsus

We (for example) already have a network/vlan/switch/host/router database, SQL schema and SQL servers, web interface to same, device management/discover/polling and helper utilities hooked up to wsus. I'm not saying what FreeNAC is doing is wrong, but it does not help to represent it as something it's not. I would have understood this a lot more: "FreeNAC is a standard database schema, GUI and set of management tools for running access-controlled LAN networks. It uses FreeRadius and OpenVMPS, running against MySQL, to perform its job."

If you're interested, perhaps I can make some constructive suggestions about ways FreeNAC could offer actual added value to medium/large orgs. All this is, of course, my personal opinion (and I've got to tell you, you've zero chance of selling to us because we don't work that way, but anyway... ;o):

* a GPLed, ActiveX / Java / other browser-based endpoint posture assessment client, for use in fallback non-802.1x (walled-garden) mode.
* contribute working EAP-TNC to FreeRadius
* contribute working PEAPv2 and whatever-the-vista-posture-protocol is called
* liaise with the FreeRadius SQL developers to come up with the most appropriate SQL schema; ideally (from your PoV) the FreeNAC SQL schema could become the default for new FreeRadius installs.

Hope that perspective is useful.
Re: Recommended AP for test purposes.
Parham Beheshti wrote: I've used a DD-WRT (with ChilliSpot) based Buffalo WHR-HP-G54 with captive portal and it worked like a charm. parham

However DD-WRT running with *proper* 802.1x authentication doesn't support RADIUS Accounting, so you'll only ever be able to capture post-auth records.
Re: Freeradius 2.0 - vmps feature, accuracies on FreeNAC
[EMAIL PROTECTED] wrote: My focus was to offer LAN Access Control, what many people call NAC.

Switches already do 802.1x for LAN access control. They use RADIUS.

To me there was no solution for that, from a systems management point of view.

Packet Fence is widely known and widely used. Netreg is older, but perhaps not as actively developed. There were existing solutions in this space before FreeNAC was started.

It wasn't a provocation, really. I did not think FreeRadius sees itself as a NAC server.

Again, you are not understanding. The announcement didn't say "the NAC solution". It said "the WLAN authentication solution". The reality is that FreeRADIUS is already the WLAN authentication solution. And, of course, when I point that out, you try to pretend my attitude is because your project is doing NAC.

The idea of the consulting is to try and get some funding to ensure the long term survival. I did not think of GPL and funding as mutually exclusive, but you do?

I said "FreeNAC, like some other projects, appears largely to be a way to generate consulting revenue. That isn't a bad thing, as people have to make money." If you have to ask whether or not I think GPL and funding are mutually exclusive: a) you didn't read my post b) you read it, but you didn't understand it c) you're being a jackass

You can have SVN access if you want.

Great! Do I get part of the funding from selling the enterprise version? Do I have to participate in supporting the enterprise version? Do I even *know* who's buying the enterprise version? Given corporate agendas, the reality is that there will be two core teams. One composed of Swisscom people who deal with the enterprise customers, and another, which includes the community. This is not anything nefarious on the part of Swisscom, but it's the only way to make these kinds of dual corporate/community projects work.
The only way to have *one* core team is to set up a legal FreeNAC entity separate from Swisscom, and have membership determined by FreeNAC, not by Swisscom. i.e. That's how everyone else on the planet runs these kinds of projects. Your disclaimer that it's a community effort is a little disingenuous.

Is the ISC GPL?

Does Google have a search engine?

Good. Perhaps you could explain your CVS commit policy, or what we should do differently?

That was the CVS commit policy.

My intention *is* to create a community with a consulting spinoff, not the other way around.

That's not the way the project is structured right now. Look at Packet Fence for a NAC solution that's widely deployed, and which makes a clear distinction between the community and corporate areas.

As regards WLAN, I only mentioned that as an aim, because it turns out that if you're doing LAN access control on a wired LAN, it's useful if it can do wireless too.

Yes. So it makes sense for you to claim that by integrating FreeRADIUS, you would become the leader in WLAN authentication. It's like me saying I'm the King of Linux because I burned a CD the other day with Linux on it.

Well it's a pity I didn't know that; that really was not the aim, but I guess the damage is done now.

If your aim was collaboration, it would be clear in everything you say and do that your aim was collaboration. Instead, the words you use are synonyms for "subsume" and "take over".

VMPS is only one part of the problem. Do you want to add a Database, Client Security tools/interfaces, policy engine, interfaces to AntiVirus servers, scanners, Patch servers, and so on to FreeRadius? I thought Freeradius concentrates on the authentication protocols, not the network integration aspects?

I see. Apache is an implementation of the HTTP protocol, and doesn't include any kind of integration with databases, policies, client tools, management interfaces, policy engines, etc. Right? Isn't that how protocol implementations are done?
Your view of FreeRADIUS as a simple implementation of the RADIUS protocol is either ridiculously naive, or very self-serving. If you had cared to look (and it's obvious that you haven't looked, or that you're pretending you haven't looked), FreeRADIUS has had database integration since the start, almost a decade ago. It has had client tools, and a management interface (dialup-admin) for almost a decade. It has had a policy engine for almost a decade. So far as network integration, FreeRADIUS is whatever the community needs it to be. If you read the web site, you'll see that it's grown to include a BSD licensed client implementation. It's grown to include VMPS. This allows it to do cross-protocol integration of information, and use its policy engine to store that information in a database, and to display it in the administration interface that comes with the server. If the core value of FreeNAC is (as you said) at the policy level, then the release of a VMPS server with a powerful policy language and database
[no subject]
I have installed FreeRADIUS with Mera Softswitch, but RADIUS has one problem of authentication: by the call between 4001 (calling Device) and 7090 (called Device)!! By debug (radiusd -X) I can see:

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Delaying request 0 for 1 seconds

Any help? And best regards!
RE: accounting exec when Acct-Status-Type == Stop
Santiago Balaguer García said:

DEFAULT Acct-Status-Type == Start
	Exec-Program-Wait = /usr/local/start.sh
DEFULT Acct-Status-Type == Stop
	Exec-Program-Wait = /usr/lcal/stop.sh

Not sure what other problems you might have, but you probably should have 'local' not 'lcal' in that script path for the Stop. -- hugh
Re: accounting exec when Acct-Status-Type == Stop
Hugh Messenger wrote: Santiago Balaguer García said:

DEFAULT Acct-Status-Type == Start
	Exec-Program-Wait = /usr/local/start.sh
DEFULT Acct-Status-Type == Stop
	Exec-Program-Wait = /usr/lcal/stop.sh

Not sure what other problems you might have, but you probably should have 'local' not 'lcal' in that script path for the Stop.

And DEFAULT instead of DEFULT. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com
RE: accounting exec when Acct-Status-Type == Stop
Dennis Skinner quoth: Hugh Messenger wrote: Santiago Balaguer García said:

DEFAULT Acct-Status-Type == Start
	Exec-Program-Wait = /usr/local/start.sh
DEFULT Acct-Status-Type == Stop
	Exec-Program-Wait = /usr/lcal/stop.sh

Not sure what other problems you might have, but you probably should have 'local' not 'lcal' in that script path for the Stop.

And DEFAULT instead of DEFULT.

LOL! It has been osberevd taht spleling misateks otfen go unontcied beacuse the huamn biarn is vrey good at auotmaitcally comnpesatnig for lteter tranpsosiitons and mising leters, to the exetnt that it can eevn read a praagrpah writetn lkie this witohut mcuh trobule. We tned to see waht we expcet to see, rather than what is writetn.

Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com -- hugh
Re: ldap auth based on user acc and dialupaccess attr
On Tue, 2007-07-10 at 10:34 +0100, [EMAIL PROTECTED] wrote: I'm currently trying to set up FR to authenticate a user / machine regardless of password .. In the end I hope to have the LDAP check if dialup access is allowed; if it is, then check if user / pass is correct via NTLM.

This makes no sense. If you are going to authenticate users regardless of the password (based on that dialup flag), what is the point in checking passwords with ntlmauth (or LDAP)?

I think the point of this is you can use the flag to disable access to the account without changing the password: if dialup access is off, don't auth; if it is on, check the password; if the password is right, auth.

Dialup access should be TRUE or FALSE though. Ivan Kalik Kalik Informatika ISP
Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
Hi,

If you're interested, perhaps I can make some constructive suggestions about ways FreeNAC could offer actual added value to medium/large orgs. All this is, of course, my personal opinion (and I've got to tell you, you've zero chance of selling to us because we don't work that way, but anyway... ;o):

I would go along with these things. Obviously there IS a market for FreeNAC, as we continually have questions about the PHP web front end admin tool which people seem to use. ..but then add the extras in too:

* integrated billing system
* improved ability to print access tickets
* add in support for trapeze/cisco/aruba specific extensions and location awareness
* SNMP trap support for various edge events (eg physical client disconnect, so close accounting session)

alan
Re: AD + Static IP Address
Check the attribute format. InetAddr shouldn't be doing that. Ivan Kalik Kalik Informatika ISP

On 10/7/2007, Parham Beheshti [EMAIL PROTECTED] writes: Hello, Our users connect from our internal LAN to the internet through a PPTP connection (so we can control when they login and how much they use the net). LAN - PPTP - Internet. I'm using Active Directory for authentication (rlm_ldap for PAP and ntlm_auth for mschap) and authorization with groups and everything. Everything works like a charm! The problem is that I've set up a few with internal static IP addresses (192.168.12.X range) and a few with our valid IP address range (85.15.X.X range). I'm assigning these IP addresses in Active Directory through the msRadiusFramedIPAddress attribute. Users with a static IP address of 85.X are getting their static IP addresses, but not users in the 192.X range (they get 255.255.255.255). After digging for a while I noticed I could assign IP addresses up to 127.255.255.255 and get the IP assigned. Right after 128.0.0.0 the static IP will not get assigned to the user. Apparently the 4 byte integer in Active Directory for msRadiusFramedIPAddress is being treated as a signed integer, so anything more than 127.255.255.255 is treated as a negative value and an invalid value. Is there a setting to treat this 4 byte as an unsigned integer? A setting? Or is this a bug? Thank you in advance, And thank you for this great software :) Cheers, parham
Re: Recommended AP for test purposes.
I had a look at that device on the Belkin site. It supports only pre-shared keys but not RADIUS infrastructure. It's really a repeater rather than an AP. Try Linksys WRT54G. Ivan Kalik Kalik Informatika ISP

On 10/7/2007, Garvin Haslett [EMAIL PROTECTED] writes: Further to a previous post, I believe I'm using an AP that does not act as a NAS. In particular there are no aspects of the security page that ask for RADIUS configuration. I'm using a Belkin Wireless G Universal Range Extender/Access Point (FCC: K7SF5D7132A). Can anyone confirm my suspicions? If so, can anyone recommend a reliable AP suitable for doing some testing on. Thanks in anticipation of replies, Garvin.
Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
Ok, as my email address doesn't show, I'm also working with Sean (yes, for the blue giant). I'll first answer some points raised by alan:
- VMPS in FreeRadius was a surprise and is positive.
- sure, you can get part of the funding (see later).

On 10/07/07, Phil Mayers [EMAIL PROTECTED] wrote: VMPS is only one part of the problem. Do you want to add a Database, Client Security tools/interfaces, policy engine, interfaces to AntiVirus servers, scanners, Patch servers, and so on to FreeRadius?

Yes. By implementing EAP-TNC.

I thought Freeradius concentrates on the authentication protocols, not the network integration aspects?

Perhaps you could explain, if FreeRadius supported EAP-TNC, why I as a medium/large organisation would possibly want to use FreeNAC? Bearing in mind that (correct me if I'm wrong) FreeNAC consists of:

* a database schema
* a web editor for said database
* a gui editor for said database (bleh)
* a freeradius config to authenticate off that database
* a patched version of openvmps to query off that database
* yet another re-implementation of netdisco (www.netdisco.org) talking to the same database
* some helper utilities for pulling info from SMS/Wsus

More or less ok.

We (for example) already have a network/vlan/switch/host/router database, SQL schema and SQL servers, web interface to same, device management/discover/polling and helper utilities hooked up to wsus.

Ok, so that's very similar. We also wanted that, didn't find any tools that met our requirements, implemented ours and went out with it.

I'm not saying what FreeNAC is doing is wrong, but it does not help to represent it as something it's not. I would have understood this a lot more: "FreeNAC is a standard database schema, GUI and set of management tools for running access-controlled LAN networks. It uses FreeRadius and OpenVMPS, running against MySQL, to perform its job."
Well, the website now shows "FreeNAC is an OpenSource solution for LAN access control and dynamic Vlan management". The first sentence is basically the same when replacing "a standard database schema, GUI and set of management tools" by "solution" - which is simpler. I guess we should highlight the "based on" aspect by putting it on the main page (cf packetfence). Would you find that OK?

If you're interested, perhaps I can make some constructive suggestions about ways FreeNAC could offer actual added value to medium/large orgs. All this is, of course, my personal opinion (and I've got to tell you, you've zero chance of selling to us because we don't work that way, but anyway... ;o):

Thanks a lot.

* a GPLed, ActiveX / Java / other browser-based endpoint posture assessment client, for use in fallback non-802.1x (walled-garden) mode.

Right. But I guess it should come after a 802.1x and a VPN client ... and those still don't exist.

* contribute working EAP-TNC to FreeRadius

That's something already written by the [EMAIL PROTECTED] projects. Code is available here http://tnc.inform.fh-hannover.de/wiki/index.php/Download Is there any plan to integrate that in the official release?

* contribute working PEAPv2 and whatever-the-vista-posture-protocol is called

To clarify quickly: the Vista posture protocol has been Microsoft-standardized as IF-TNCCS-SOH (statement of health) - https://www.trustedcomputinggroup.org/specs/TNC/IF-TNCCS-SOH_v1.0_r8.pdf

mixofunconfirmedbits Concerning those three points, in no particular order:
- We would really be happy to see the mentioned items implemented (in freeradius for TNC).
- We have funding - but not unlimited nor for an undefined time period - Some of it could be assigned to implement those protocols.
- Alan, before jumping the gun on that f word, it would be no strings attached (bounty-like, resulting code solely licensed under GPL in freeradius, copyright retained by the author, ...).
- Coordination with other related opensource projects, especially [EMAIL PROTECTED] /mixofunconfirmedbits

* liaise with the FreeRadius SQL developers to come up with the most appropriate SQL schema; ideally (from your PoV) the FreeNAC SQL schema could become the default for new FreeRadius installs.

If I understood FreeRadius SQL correctly, the way chosen is a very minimalistic one, with very little formal definition. Therefore, it is also very flexible ... and apart from supporting possible additional fields/functions due to the SOH extension, I have the impression that the DB format could (should) be left to the GUI/extra tools part? BTW, I've also worked previously on IDS and I tried many tools (nmap, nessus, snmp) and meta-tools (netdisco, ...) to map a network and put that into some DB. So far, I did not find anything convincing; that's why we always end up with some custom database. I'll be happy to compare what we have (freenac db) with your db schema.

Hope that perspective is useful.

Well, technically, for full NAC, we also miss the post-connect aspects (cf packetfence) - but that's another story.
Re: AD + Static IP Address
[EMAIL PROTECTED] wrote:
> > Check the attribute format. InetAddr shouldn't be doing that.

It's Microsoft.

> ...
> I'm assigning these ip addresses in Active Directory through msRadiusFramedIPAddress attribute. Users with static ip address of 85.X are getting their static ip addresses, but not users in 192.X range. (they get 255.255.255.255)
> After digging for a while I noticed I could assign ip addresses up to 127.255.255.255 and get the ip assigned. Right after 128.0.0.0 the static ip will not get assigned to the user.
> Apparently the 4 byte integer in the active directory for msRadiusFramedIPAddress is being treated as a signed integer, so anything more than 127.255.255.255 is treated as a negative value and an invalid value.

i.e. When FreeRADIUS queries the Microsoft software for the IP address, it doesn't get 1.2.3.4. It sometimes gets 123456789, and it sometimes gets -345567890.

Unix systems can deal with IP addresses. They can treat large hex or decimal numbers as IP addresses. But they draw the line at negative numbers.

> Is there a setting to treat this 4 byte as an unsigned integer? A setting? Or this is a bug?
> Thank you in advance,

It's a bug in the Microsoft software.

> And thank you for this great software :)

Thanks.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re:
Debug is quite clear about the problem.

Ivan Kalik
Kalik Informatika ISP

On 10/7/2007, E. abdelghani [EMAIL PROTECTED] writes:
> i have installed Freeradius with Mera Softswitch. but Radius have one problem of authentification: by the call between 4001 (calling Device) and 7090 (called Device) !!
> by debug : radiusd -X i can see :
> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> auth: Failed to validate the user.
> WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
> Delaying request 0 for 1 seconds
> any help ? and best regards !
Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
Thomas Dagonnier wrote:
> ... well, the website now shows "FreeNAC is an OpenSource solution for LAN access control and dynamic Vlan management")

shrug. RADIUS has been doing VLAN management for years. Maybe that's news, I don't know.

> I guess we should highlight the "based on" aspect by putting it on the main page (cf packetfence). Would you find that OK ?

It would be politer than burying it elsewhere.

> right. but I guess it should come after a 802.1x and a VPN client ... and those still don't exist

wpa_supplicant, xsupplicant, and SecureW2 are well-known GPL'd 802.1x clients. I've been in contact with those developers for years. There's already work on an open source 802.1x client with additional (i.e. NAC) features. Search the net.

> That's something already written by the [EMAIL PROTECTED] projects. Code is available here http://tnc.inform.fh-hannover.de/wiki/index.php/Download

I was in contact with them when they first wrote the code, quite a while ago.

> Is there any plan to integrate that in the official release ?

Last I checked (quite a while ago), the code wasn't GPL'd. It looks like it's changed since then. After a quick look, perhaps. The formatting should really follow the FreeRADIUS standard, it has C++ style comments, and some things likely need to be cleaned up. There's also the issue of which license libtnc falls under. On top of that, they haven't requested that it be added to FreeRADIUS.

> - Alan, before jumping the gun on that f word,

Perhaps you haven't been following my messages, or the history of FreeRADIUS. A number of features in FreeRADIUS have been funded by various companies. I don't object to funding, and I've never objected to funding. I have *no* clue why that message is so difficult to get across.

I *do* object to corporate products claiming to be community based. The sheer mass of Swisscom branding on the FreeNAC site makes it look like something other than a community project.

> it would be no strings attached (bounty-like, resulting code solely licensed under GPL in freeradius, copyright retained by the author, ...).

Bounty? No thanks. If you want to pay for a feature, then standard business practice is to use a contract. I don't have much nice to say about bounties.

> - Coordination with other related opensource project, especially [EMAIL PROTECTED]

Which we've been doing for... years now. We've been very successful at it. Thanks for the offer of help, but we think we can manage.

Maybe you're not clear on the positioning of FreeRADIUS versus FreeNAC.

FreeRADIUS is almost a decade old. FreeNAC isn't.
FreeRADIUS is used by most major ISP's. FreeNAC isn't.
FreeRADIUS has a commanding market share in the LAN, WLAN, ISP, roaming, etc. authentication space. FreeNAC has minimal market share of the NAC market.
FreeRADIUS has existing relationships with all major networking companies. FreeNAC doesn't.
FreeRADIUS has a large active community with thousands of people on its mailing list. FreeNAC doesn't.
FreeRADIUS has a proven track record of being independent of any corporate agenda. FreeNAC doesn't.
FreeRADIUS has an existing level of trust and acceptance in the community. FreeNAC doesn't.
FreeRADIUS has existing relationships with *everyone* in the AAA space, and many people in the NAC space. FreeNAC doesn't.
FreeRADIUS is writing industry standards in its space. FreeNAC isn't.

FreeRADIUS has done this *without* having open source and enterprise versions. FreeRADIUS has done this by first creating a community, and then a revenue stream.

It sounds harsh when put that way. But the truth can be harsh. Remember, this isn't just a happy love festival of open source. There are multiple competing implementations of many open source solutions. Some succeed, some don't. On top of that, FreeRADIUS is winning in the AAA space against *Cisco* and *Microsoft*. FreeNAC just isn't on anyone's radar.

So, good luck being successful.

But don't expect us to be happy when your announcement makes it clear that you plan on building on our success, and treating FreeRADIUS as a subservient portion of FreeNAC.

You wouldn't email Linus Torvalds and say that a FreeNAC product offering will become THE open source choice for Operating Systems. But you said pretty much the same thing here. And then wondered why it wasn't greeted with loud exclaims of joy.

> > I'm still boggling a little at that one.
>
> A lot, I hope it'll start getting the two highly respectable but sometime emotive leaders in a more constructive mood (yes, I'll be flamed for that, I know, I know)

I have a habit of pointing out inconsistencies and flaws in people's arguments. I have a habit of bringing up inconvenient facts that people don't want to talk about. This is construed as negative by many people.

> PS : of course, I also have plans for total world domination - but I'll first start to become sean's boss. Then, I can move to
Re: ldap auth based on user acc and dialupaccess attr
On 7/11/07, Alan Walters [EMAIL PROTECTED] wrote:
> On Tue, 2007-07-10 at 10:34 +0100, [EMAIL PROTECTED] wrote:
> > I'm currently trying to setup FR to authenticate a user / machine regardless of password .. In the end I hope to have the ldap check if dialup access is allowed, if it is then check if user / pass is correct via ntlm.
> >
> > This makes no sense. If you are going to authenticate users regardless of the password (based on that dialup flag), what is the point in checking passwords with ntlmauth (or Ldap)?
>
> i think the point of this is you can use the flag to disable access to the account without changing password

yes that's what I am after, this way users can still log into the domain on a wired connection but wireless access will be controlled by the dialupAccess attribute.

if dialup access is off don't auth
if it is on check password
if password is right auth

> > dialup access should be TRUE or FALSE though
> >
> > Ivan Kalik
> > Kalik Informatika ISP
RE: AD + Static IP Address
Actually connecting to AD with Apache LDAP Studio, I see a negative number. Searched MS Site for a bit, couldn't find anything ... I'll probably just use the users file then...

Thanks for your help
Parham

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of Alan DeKok
Sent: Wednesday, July 11, 2007 12:40 AM
To: FreeRadius users mailing list
Subject: Re: AD + Static IP Address
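The symptom in this thread (and in Alan's reply quoted above) is that Active Directory stores msRADIUSFramedIPAddress as a signed 32-bit integer, so any address at or above 128.0.0.0 is returned as a negative number and FreeRADIUS cannot turn it into Framed-IP-Address. The following Python is an added illustration, not list code and not part of FreeRADIUS or rlm_ldap: it reinterprets the signed value as the unsigned 32-bit address it really is, does the reverse mapping for the value you would write into AD, and wraps both in a small lookup over a directory entry modelled as a plain dict (an assumption standing in for whatever the LDAP client returns). The sample entries and account names are constructed for the example.

```python
import ipaddress
import struct
from typing import Optional

# Range of a signed 32-bit integer, which is how Active Directory stores
# msRADIUSFramedIPAddress (the thread observed that addresses above
# 127.255.255.255 come back negative).
INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def ad_int_to_ipv4(value: int) -> ipaddress.IPv4Address:
    """Reinterpret the signed 32-bit value AD hands back as an IPv4 address.

    A negative value is just the two's-complement view of an address whose
    first octet is >= 128, so masking to 32 bits recovers the unsigned form.
    """
    if not INT32_MIN <= value <= INT32_MAX:
        raise ValueError(f"{value} is not a signed 32-bit integer")
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def ipv4_to_ad_int(address: str) -> int:
    """Inverse mapping: the signed value to store in AD for an address."""
    unsigned = int(ipaddress.IPv4Address(address))
    # Pack as unsigned 32-bit, unpack as signed 32-bit: same bits, AD's view.
    return struct.unpack("!i", struct.pack("!I", unsigned))[0]


def framed_ip_from_entry(entry: dict) -> Optional[str]:
    """Derive Framed-IP-Address from a directory entry.

    The entry is a plain dict here (an assumption for the example, not the
    real rlm_ldap data structure).  LDAP delivers integers as strings, often
    as bytes, and usually inside a list of values; all three are handled.
    """
    values = entry.get("msRADIUSFramedIPAddress")
    if not values:
        return None
    raw = values[0] if isinstance(values, list) else values
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    try:
        return str(ad_int_to_ipv4(int(raw)))
    except ValueError:
        # Malformed or out-of-range value: return no address rather than
        # a bogus one, so the NAS or IP pool decides instead.
        return None


if __name__ == "__main__":
    # Constructed sample entries, modelled on the two cases in the thread:
    # an 85.x address (positive in AD) and a 192.168.x one (negative in AD).
    SAMPLE_ENTRIES = [
        {"sAMAccountName": "alice", "msRADIUSFramedIPAddress": ["1426129411"]},    # 85.1.2.3
        {"sAMAccountName": "bob", "msRADIUSFramedIPAddress": [b"-1062731510"]},    # 192.168.1.10
        {"sAMAccountName": "carol"},                                                # no static IP
    ]
    for e in SAMPLE_ENTRIES:
        print(e["sAMAccountName"], framed_ip_from_entry(e))
    # The boundary the thread describes: 127.255.255.255 is the last
    # positive value, 128.0.0.0 is the first negative one.
    for addr in ("127.255.255.255", "128.0.0.0"):
        print(addr, "->", ipv4_to_ad_int(addr))
```

The mask-and-reinterpret step is the whole fix: the bits AD stores are correct, only the sign interpretation is wrong, so no range of addresses is actually lost. If FreeRADIUS is fed the signed value directly it has to treat the negative number as invalid, which is exactly the 255.255.255.255 result reported in the thread.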
Re: Freeradius 2.0 - vmps feature, inaccuracies on FreeNAC
Ok, we know and agree that freenac isn't in the same league as freeradius. The form of the announcement was a mistake we're now trying to correct. I'm really sorry it hurt you and would like you to formally accept my apologies for this bad communication. Would you agree to close that part of the discussion ?

On 11/07/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > right. but I guess it should come after a 802.1x and a VPN client ... and those still don't exist
>
> wpa_supplicant, xsupplicant, and SecureW2 are well-known GPL'd 802.1x clients. I've been in contact with those developers for years. There's already work on an open source 802.1x client with additional (i.e. NAC) features. Search the net.

sorry, this was a late email and I forgot important details like "had in mind with additional (NAC) features" and the "for windows" is implied by the vast majority of windows-based computers. so indeed, the most likely candidates are SecureW2 and open1x/opensea xsupplicant, but none of them are there yet. of course, "a GPLed, ActiveX / Java / other browser-based endpoint posture assessment client, for use in fallback non-802.1x (walled-garden) mode." could also work after 802.1x

> > That's something already written by the [EMAIL PROTECTED] projects. Code is available here http://tnc.inform.fh-hannover.de/wiki/index.php/Download
>
> I was in contact with them when they first wrote the code, quite a while ago.
>
> > Is there any plan to integrate that in the official release ?
>
> Last I checked (quite a while ago), the code wasn't GPL'd. It looks like it's changed since then. After a quick look, perhaps. The formatting should really follow the FreeRADIUS standard, it has C++ style comments, and some things likely need to be cleaned up. There's also the issue of which license libtnc falls under. On top of that, they haven't requested that it be added to FreeRADIUS.

so there's no plan, but a properly formatted, cleaned version would find its place ?
(btw, libtnc is also GPL)

> > it would be no strings attached (bounty-like, resulting code solely licensed under GPL in freeradius, copyright retained by the author, ...).
>
> Bounty? No thanks. If you want to pay for a feature, then standard business practice is to use a contract. I don't have much nice to say about bounties.

again, wrongly written sentence : "bounty-like" was to refer to the "no strings" that the result would end up as part of FreeRadius - nothing else. Of course, it would be made using a contract (and I also don't really like bounties, for the record).

Would you be open to implement Microsoft's IF-TNCCS-SOH in that context ?

dago