Re: EAP-TTLS (PAP) not working with NT domain - debian freeradius 1.1.7

2008-03-25 Thread Alan DeKok
James McOrmond wrote:
 As per previous emails, since i'm using samba/ldap i'm able to pull the
 nt/lmpassword fields directly out of the ldap.  Should this method
 negate the use of the ntlm_auth method?

  Yes.

  See ldap.attrmap.  The LDAP module uses this to map LDAP attributes to
RADIUS attributes.  Once FreeRADIUS has an NT hash, it can authenticate
users.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


new dictionary problem....

2008-03-25 Thread Cristian Novac

Hi all,
I know there already was this problem posted on the list, but I still 
have problems adding a new dictionary file to freeradius;
Could anyone please state the steps I have to follow to manually attach 
a new dictionary to my installed freeradius.


Thank you !


Re: new dictionary problem....

2008-03-25 Thread Alan DeKok
Cristian Novac wrote:
 Hi all,
 I know there already was this problem posted on the list, but I still
 have problems adding a new dictionary file to freeradius;

  Can you explain what the problems are?

 Could anyone please state the steps I have to follow to manually attach
 a new dictionary to my installed freeradius.

  See raddb/dictionary.  There are examples in it.

  Do you have *specific* questions?

  Alan DeKok.


Re: auth-type local trouble in 2.0.1

2008-03-25 Thread Oleg Kozheltsev

Alan DeKok wrote:

Oleg Kozheltsev wrote:

And for accounting, Exec-Program doesn't work anymore... So I created an exec
acc_call { program =  } module too (with the auth_call module).
Now I'm on freeradius 2.0.1 :)


  If you list exec in the post-auth section, then Exec-Program and
Exec-Program-Wait will work again for authentication requests.

  But generally, you should use the unlang feature to run programs.
It's much more flexible than using Exec-Program.  See man unlang.

Thanks for clear answer. Will try this


RE: freeradius web administration

2008-03-25 Thread parfait kouassi nda

Hi,

I've followed the instructions on the link to configure dialup admin. I have a 
problem with the php3 scripts. When I test the configuration on localhost the 
home page appears, and at the top right the .php3 scripts appear.
I'm using Red Hat 9 with PHP 4.
Please can you help me find a solution.

 To: freeradius-users@lists.freeradius.org
 Subject: RE: freeradius web administration
 Date: Fri, 7 Mar 2008 11:53:24 +0100
 From: [EMAIL PROTECTED]
 
 http://wiki.freeradius.org/Dialup_admin
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 7/3/2008, parfait kouassi nda [EMAIL PROTECTED] writes:
 
 
 
 I'm using my freeradius server as a proxy, and I want to administer it from a 
 web page with dialupadmin. Which files must I configure?
 
 
 
 
 


Re: FreeRad 2.0.2, l2tp CHAP problem

2008-03-25 Thread Ivan Kalik
Is the password in the database encrypted? If it is:

http://deployingradius.com/documents/protocols/compatibility.html

If it isn't - post the radiusd -X debug.

Ivan Kalik
Kalik Informatika ISP


On 25/3/2008, srdjan mish [EMAIL PROTECTED] writes:

Hi, I have a problem while authorizing with a CHAP password.

The problem is this:
I have an Allied Telesis NAS; it sends User-Name, CHAP-Password and NAS IP, 
and radius does everything ok,
but when it comes to the part where it compares the password it says: Wrong 
password...

I was debugging with -X -xx, and FR resolves the password OK. It gets the password 
from the MySQL database...

Why I am asking for help:

When I use radiusTest software from a Windows machine, sending the same data as the NAS 
sends, authorization goes OK...

Please help, how can I set it up to work for me?




FreeRad 2.0.2, l2tp CHAP problem

2008-03-25 Thread srdjan mish
Hi, I have a problem while authorizing with a CHAP password.

The problem is this:
I have an Allied Telesis NAS; it sends User-Name, CHAP-Password and NAS IP, and radius 
does everything ok,
but when it comes to the part where it compares the password it says: Wrong 
password...

I was debugging with -X -xx, and FR resolves the password OK. It gets the password from 
the MySQL database...

Why I am asking for help:

When I use radiusTest software from a Windows machine, sending the same data as the NAS 
sends, authorization goes OK...

Please help, how can I set it up to work for me?

Re: new dictionary problem....

2008-03-25 Thread Cristian Novac

Alan DeKok wrote:

Cristian Novac wrote:
  

Hi all,
I know there already was this problem posted on the list, but I still
have problems adding a new dictionary file to freeradius;



  Can you explain what the problems are?

  

Could anyone please state the steps I have to follow to manually attach
a new dictionary to my installed freeradius.



  See raddb/dictionary.  There are examples in it.

  Do you have *specific* questions?
  


I simply added a file named dictionary.xx in the share/freeradius dir 
which contains some attribute declarations; for example:

ATTRIBUTE   SFid   11   octets

I mentioned this file (dictionary.xx) in the dictionary file: $INCLUDE 
dictionary.xx
I also added some code to freeradius 2.0 for a specific issue I have 
to solve; here in my code, I call the da=dict_attrbyname(myattr) function.
It works well for attributes defined in other dictionaries than mine, but 
for SFid (my attribute), the da->attr field has the value 
1622474763 (da->attr=1622474763) instead of 11 after the call of the 
dict_attrbyname(..) function.
That's why I thought my dictionary wasn't well installed (because this 
function, used in the same place, works ok for any other attribute from 
another dictionary, if passed as parameter).


Thank you again for your attention and I hope you may help.

  Alan DeKok.
  




Re: new dictionary problem....

2008-03-25 Thread A . L . M . Buxey
Hi,
 Hi all,
 I know there already was this problem posted on the list, but I still have 
 problems adding a new dictionary file to freeradius;
 Could anyone please state the steps I have to follow to manually attach a 
 new dictionary to my installed freeradius.

stick it into the dictionary directory along with
all the other dictionaries and ensure that it is mentioned
in the main dictionary file.

alan


Re: new dictionary problem....

2008-03-25 Thread Cristian Novac

It's me again. I solved the problem.
I apologize for bothering you.
Thank you for your advice.

Cristian Novac wrote:

Alan DeKok wrote:

Cristian Novac wrote:
 

Hi all,
I know there already was this problem posted on the list, but I still
have problems adding a new dictionary file to freeradius;



  Can you explain what the problems are?

 

Could anyone please state the steps I have to follow to manually attach
a new dictionary to my installed freeradius.



  See raddb/dictionary.  There are examples in it.

  Do you have *specific* questions?
  


I simply added a file named dictionary.xx in the share/freeradius dir 
which contains some attribute declarations; for example:

ATTRIBUTE   SFid   11   octets

I mentioned this file (dictionary.xx) in the dictionary file: $INCLUDE 
dictionary.xx
I also added some code to freeradius 2.0 for a specific issue I have 
to solve; here in my code, I call the da=dict_attrbyname(myattr) function.
It works well for attributes defined in other dictionaries than 
mine, but for SFid (my attribute), the da->attr field has the value 
1622474763 (da->attr=1622474763) instead of 11 after the call of the 
dict_attrbyname(..) function.
That's why I thought my dictionary wasn't well installed (because this 
function, used in the same place, works ok for any other attribute 
from another dictionary, if passed as parameter).


Thank you again for your attention and I hope you may help.

  Alan DeKok.
  




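The dictionary thread above ends with "solved" but never says what was wrong. The following added example (mine, not FreeRADIUS code) parses the same two-file layout, a base dictionary that $INCLUDEs dictionary.xx containing `ATTRIBUTE SFid 11 octets`, resolves names the way dict_attrbyname() does (case-insensitively, returning nothing for an unknown name), and flags an attribute number that a base attribute already uses; the base dictionary content is a constructed, cut-down sample.

```python
"""Parse FreeRADIUS-style dictionary files and resolve attributes by name.

Added example, not code from the FreeRADIUS project. It models what
raddb/dictionary does with $INCLUDE and ATTRIBUTE lines so a new
dictionary.xx can be checked before the server loads it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DictAttr:
    name: str
    attr: int
    type: str
    vendor: int = 0  # 0 = standard attribute, otherwise the VENDOR number


class Dictionary:
    def __init__(self) -> None:
        self.by_name: Dict[str, DictAttr] = {}
        self.by_number: Dict[Tuple[int, int], DictAttr] = {}
        self.vendors: Dict[str, int] = {}
        self.warnings: List[str] = []

    def load(self, files: Dict[str, str], name: str) -> None:
        """Parse dictionary `name` from an in-memory file map, following $INCLUDE."""
        if name not in files:
            raise FileNotFoundError(f"dictionary {name!r} not found")
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.split("#", 1)[0].strip()  # '#' starts a comment
            if not line:
                continue
            parts = line.split()
            kw = parts[0].upper()
            where = f"{name}:{lineno}"
            if kw == "$INCLUDE" and len(parts) == 2:
                self.load(files, parts[1])
            elif kw == "VENDOR" and len(parts) >= 3:
                self.vendors[parts[1].lower()] = int(parts[2], 0)
            elif kw == "ATTRIBUTE" and len(parts) in (4, 5):
                vendor = 0
                if len(parts) == 5:  # optional fifth field names the vendor
                    if parts[4].lower() not in self.vendors:
                        raise ValueError(f"{where}: unknown vendor {parts[4]!r}")
                    vendor = self.vendors[parts[4].lower()]
                da = DictAttr(parts[1], int(parts[2], 0), parts[3].lower(), vendor)
                self._add(da, where)
            else:
                raise ValueError(f"{where}: cannot parse {raw!r}")

    def _add(self, da: DictAttr, where: str) -> None:
        key = (da.vendor, da.attr)
        prev = self.by_number.get(key)
        if prev is not None and prev.name.lower() != da.name.lower():
            self.warnings.append(
                f"{where}: {da.name} reuses attribute number {da.attr} "
                f"already assigned to {prev.name}")
        self.by_name[da.name.lower()] = da  # names match case-insensitively
        self.by_number[key] = da

    def attrbyname(self, name: str) -> Optional[DictAttr]:
        """Like dict_attrbyname(): None (NULL in C) for an unknown name, so the
        caller must check the result before reading da.attr."""
        return self.by_name.get(name.lower())


# Constructed sample: a cut-down base dictionary plus the poster's dictionary.xx.
SAMPLE_FILES = {
    "dictionary": (
        "# base dictionary (only a few RFC 2865 attributes shown)\n"
        "ATTRIBUTE\tUser-Name\t1\tstring\n"
        "ATTRIBUTE\tUser-Password\t2\tstring\n"
        "ATTRIBUTE\tFilter-Id\t11\tstring\n"
        "$INCLUDE dictionary.xx\n"
    ),
    "dictionary.xx": "ATTRIBUTE\tSFid\t11\toctets\n",
}


def load_sample() -> Dictionary:
    d = Dictionary()
    d.load(SAMPLE_FILES, "dictionary")
    return d


if __name__ == "__main__":
    d = load_sample()
    print(d.attrbyname("SFid"))  # DictAttr(name='SFid', attr=11, type='octets', vendor=0)
    for w in d.warnings:
        print("warning:", w)
```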


Sorry Anthony Cope is out of the office until 31/03/2008

2008-03-25 Thread Anthony Cope

I will be out of the office starting Tue 25/03/2008 and will not return
until Mon 31/03/2008.

I will respond to your message when I return.



ldap+radius authentication problem

2008-03-25 Thread amir shrestha
Dear all,

I have configured freeradius with an LDAP backend as given in
http://freeradius.org/radiusd/doc/ldap_howto.txt.

The user gets authorized but the authentication fails. 

The detail output is here:

Ready to process requests.

rad_recv: Access-Request packet from host a.b.c.d:3272, id=0, length=47

User-Name = abc

User-Password = 12345

  Processing the authorize section of radiusd.conf

modcall: entering group authorize for request 0

  modcall[authorize]: module preprocess returns ok for request 0

  modcall[authorize]: module chap returns noop for request 0

  modcall[authorize]: module mschap returns noop for request 0

rlm_ldap: - authorize

rlm_ldap: performing user authorization for abc

radius_xlat:  '(uid=abc)'

radius_xlat:  'ou=users,ou=radius,dc=whitehouse,dc=edu'

rlm_ldap: ldap_get_conn: Checking Id: 0

rlm_ldap: ldap_get_conn: Got Id: 0

rlm_ldap: attempting LDAP reconnection

rlm_ldap: (re)connect to x.x.x.x:389, authentication 0

rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

rlm_ldap: bind as cn=Manager,dc=whitehouse,dc=edu/password to x.x.x.x:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind was successful

rlm_ldap: performing search in ou=users,ou=radius,dc=whitehouse,dc=edu, with
filter (uid=abc)

rlm_ldap: Added password 12345  in check items

rlm_ldap: looking for check items in directory...

rlm_ldap: looking for reply items in directory...

rlm_ldap: Setting Auth-Type = ldap

rlm_ldap: user abc authorized to use remote access

rlm_ldap: ldap_release_conn: Release Id: 0

  modcall[authorize]: module ldap returns ok for request 0

modcall: leaving group authorize (returns ok) for request 0

  rad_check_password:  Found Auth-Type ldap

auth: type LDAP

  Processing the authenticate section of radiusd.conf

modcall: entering group LDAP for request 0

rlm_ldap: - authenticate

rlm_ldap: login attempt by abc with password 12345

rlm_ldap: user DN: uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu

rlm_ldap: (re)connect to x.x.x.x:389, authentication 1

rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

rlm_ldap: bind as uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu/12345 to
x.x.x.x:389

rlm_ldap: waiting for bind result ...

rlm_ldap: Bind failed with invalid credentials

  modcall[authenticate]: module ldap returns reject for request 0

modcall: leaving group LDAP (returns reject) for request 0

auth: Failed to validate the user.

Delaying request 0 for 1 seconds

 

Can anyone help me??

 


Re: NTLM in MSCHAP

2008-03-25 Thread David Hláčik
Hi, I've got back to the problem:
as I mentioned, I have plain-text stored passwords (attribute UserPassword) in
ldap, and I want to change it to crypt or md5. Mschap needs NT-Password;
what is the best way to solve it? I do not want to store the NT-Password value
in LDAP, or is there no other choice? What about ntlm_auth - will it
create the NT hash from crypt and send it to mschap?

Thanks in advance!

David

2008/3/5 Alan DeKok [EMAIL PROTECTED]:

 David Hláčik wrote:
  Hi, I have a working configuration of PPTPD (Windows VPN) through Radius
  to LDAP stored users. The thing is that it accepts only plain text
  stored passwords in ldap because of the very well known NT-Password for
 MSCHAPv2
 ...
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss
  --challenge=09c34801a6bafab3
  --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
 
  Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)

  That's an error from winbindd.  Does ntlm_auth work from the command
 line?

 http://deployingradius.com/documents/configuration/active_directory.html

  If not, don't bother trying FreeRADIUS until ntlm_auth works from the
 command-line.

  Alan DeKok.


Re: NTLM in MSCHAP

2008-03-25 Thread Ivan Kalik
http://deployingradius.com/documents/protocols/compatibility.html

Have a look at the mschap row and you will see what can and what can't
work.

Ivan Kalik
Kalik Informatika ISP


On 25/3/2008, David Hláčik [EMAIL PROTECTED] writes:

Hi, I've got back to the problem:
as I mentioned, I have plain-text stored passwords (attribute UserPassword) in
ldap, and I want to change it to crypt or md5. Mschap needs NT-Password;
what is the best way to solve it? I do not want to store the NT-Password value
in LDAP, or is there no other choice? What about ntlm_auth - will it
create the NT hash from crypt and send it to mschap?

Thanks in advance!

David

2008/3/5 Alan DeKok [EMAIL PROTECTED]:

 David Hláčik wrote:
  Hi, I have a working configuration of PPTPD (Windows VPN) through Radius
  to LDAP stored users. The thing is that it accepts only plain text
  stored passwords in ldap because of the very well known NT-Password for
 MSCHAPv2
 ...
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss
  --challenge=09c34801a6bafab3
  --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
 
  Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)

  That's an error from winbindd.  Does ntlm_auth work from the command
 line?

 http://deployingradius.com/documents/configuration/active_directory.html

  If not, don't bother trying FreeRADIUS until ntlm_auth works from the
 command-line.

  Alan DeKok.





802.1x maschine auth with SSL?

2008-03-25 Thread [EMAIL PROTECTED]
Heya,

I'm a bit stuck. My XP box should auth with an SSL cert - works ok so
far. But how to assign the VLAN?
When doing this with a user, I put my user + pass into the users file -
works. But for an SSL cert?
I want my XP box authenticated by SSL cert and after that, my user
should log on to his VLAN.
So that I have a protected VLAN for my boxes (to avoid giving
access to my auth server to
foreign notebooks) and after that, if one of my users logs in, he
will be transferred to
his VLAN...

Hope you understand...

Thanks a lot!


Re: NTLM in MSCHAP

2008-03-25 Thread Alan DeKok
David Hláčik wrote:
 as I mentioned, I have plain-text stored passwords (attribute UserPassword)
 in ldap, and I want to change it to crypt or md5.

  Don't.

 Mschap need
 NT-Password , which is the best way to solve it?

  Store passwords in clear-text.  Anything else is a bad idea.

 I do not want to store
 NT-Password value in LDAP, or there is no other choice? What about that
 ntlm_auth - it will create from crypt nt and send it to mschap?

  No.

  Alan DeKok.


Re: ldap+radius authentication problem

2008-03-25 Thread Alan DeKok
amir shrestha wrote:
 I have configured freeradius with an LDAP backend as given in
 http://freeradius.org/radiusd/doc/ldap_howto.txt.
 
 The user gets authorized but the authentication fails.
...
 rlm_ldap: bind as uid=abc,ou=users,ou=radius,dc=whitehouse,dc=edu/12345
 to x.x.x.x:389
 rlm_ldap: waiting for bind result ... 
 rlm_ldap: Bind failed with invalid credentials

  There isn't much more to say.  The supplied password is wrong.

  Alan DeKok.


Re: 802.1x maschine auth with SSL?

2008-03-25 Thread Donny Jekels
if I understand you correctly you wanna do this:

enable EAP on your Cisco switch, where all ports are in shutdown mode.
a user on your XP box has a User Cert which is passed through EAP to your
Freeradius box;
the freeradius authenticates the user with his certificate DN etc.
then instructs the switch to no shut the port and assign that port to a
predefined VLAN you allocated for that user or other guest users in your
database.
i.e. if [ cn=bla,ou=bla,dc=id10t,dc=net == match }; then $vlan = 100; fi

let me know if you wanna do this as described above.
and how did you get it to work with username and password?


On Tue, Mar 25, 2008 at 7:23 AM, [EMAIL PROTECTED] 
[EMAIL PROTECTED] wrote:

 Heya,

 I'm a bit stuck. My XP box should auth with an SSL cert - works ok so
 far. But how to assign the VLAN?
 When doing this with a user, I put my user + pass into the users file -
 works. But for an SSL cert?
 I want my XP box authenticated by SSL cert and after that, my user
 should log on to his VLAN.
 So that I have a protected VLAN for my boxes (to avoid giving
 access to my auth server to
 foreign notebooks) and after that, if one of my users logs in, he
 will be transferred to
 his VLAN...

 Hope you understand...

 Thanks a lot!


Re: Freeradius-Users Digest, Vol 35, Issue 80

2008-03-25 Thread srdjan mish

No, it is ClearText-Password...

As I said, when I test with the same attributes, but with the RadiusTest software, it 
works... I think it is something about the NAS Type or something like 
that...


I can post -X, but it only says Wrong password, nothing more...

radiusd -X:

FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Mar 10 2008 
at 14:15:45


Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE.

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including configuration file /etc/raddb/snmp.conf

including configuration file /etc/raddb/eap.conf

including configuration file /etc/raddb/sql.conf

including configuration file /etc/raddb/sql/mysql/dialup.conf

including configuration file /etc/raddb/sql/mysql/dialup1.conf

including configuration file /etc/raddb/sql/mysql/dialup2.conf

including configuration file /etc/raddb/sql/mysql/counter.conf

including configuration file /etc/raddb/policy.conf

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/default

including dictionary file /etc/raddb/dictionary

main {

prefix = /usr

localstatedir = /var

logdir = /var/log/radius

libdir = /usr/lib/freeradius

radacctdir = /var/log/radius/radacct

hostname_lookups = no

max_request_time = 30

cleanup_delay = 5

max_requests = 35000

allow_core_dumps = yes

pidfile = /var/run/radiusd/radiusd.pid

checkrad = /usr/sbin/checkrad

debug_level = 0

proxy_requests = no

security {

max_attributes = 200

reject_delay = 0

status_server = yes

}

}

client Router {

ipaddr = 192.168.1.1

netmask = 16

require_message_authenticator = no

secret = secrettest

shortname = LocalRouter

nastype = other

}

radiusd:  Loading Realms and Home Servers 

proxy server {

retry_delay = 5

retry_count = 3

default_fallback = no

dead_time = 120

wake_all_if_all_dead = no

}

home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

}

radiusd:  Instantiating modules 

instantiate {

Module: Linked to module rlm_logintime

Module: Instantiating logintime

logintime {

reply-message = You are calling outside your allowed timespan 

minimum-timeout = 60

}

}

radiusd:  Loading Virtual Servers 

server {

modules {

Module: Checking authenticate {...} for more modules to load

Module: Linked to module rlm_chap

Module: Instantiating chap

Module: Linked to module rlm_mschap

Module: Instantiating mschap

mschap {

use_mppe = yes

require_encryption = no

require_strong = no

with_ntdomain_hack = no

}

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_preprocess

Module: Instantiating preprocess

preprocess {

huntgroups = /etc/raddb/huntgroups

hints = /etc/raddb/hints

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

Module: Linked to module rlm_sql

Module: Instantiating sql_instance1

sql sql_instance1 {

driver = rlm_sql_mysql

server = localhost

port = 

login = radius

password = lozinka

radius_db = radius

read_groups = yes

sqltrace = no

sqltracefile = /var/log/radius/sqltrace.sql

readclients = no

deletestalesessions = yes

num_sql_socks = 10

sql_user_name = %{User-Name}

default_user_profile = 

nas_query = SELECT id,nasname,shortname,type,secret FROM nas

authorize_check_query = SELECT id, username, attribute, value, op FROM 
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id


authorize_reply_query = SELECT id, username, attribute, value, op FROM 
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id


authorize_group_check_query = SELECT id, groupname, attribute, value, op 
FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id


authorize_group_reply_query = SELECT id, groupname, attribute, value, op 
FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id


accounting_onoff_query = UPDATE radacct SET acctstoptime = '%S', 
acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), 
acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = 
%{%{Acct-Delay-Time}:-0} WHERE acctsessiontime = 0 AND acctstoptime = NULL 
AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime = '%S'


accounting_update_query = UPDATE radacct SET framedipaddress = 
'%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', 
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | 
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets = 
'%{%{Acct-Output-Gigawords}:-0}' << 32 | 

Error when testing FreeRadius

2008-03-25 Thread Moses Ndala




Dear all,

I have installed FreeRadius on Windows XP Professional but I keep getting this 
error when testing:
radclient:dict_init:couldn't open dictionary 
freeradisu/etct/raddb/dictionary:No such file or directory.

Is there anyone who has an idea about this error?
Thanks in advance.

Kind regards

Moise Ndala



Re: Error when testing FreeRadius

2008-03-25 Thread Alan DeKok
Moses Ndala wrote:
 I have installed FreeRadius in Windows XP Professional

  How?  There is no official Windows binary available.

  Maybe you're thinking of freeradius.net?  That's based on
FreeRADIUS, but not part of the official distribution.

  Alan DeKok.


Re: Freeradius-Users Digest, Vol 35, Issue 80

2008-03-25 Thread Alan DeKok
srdjan mish wrote:
 No, it is ClearText-Password...
 
 As I said, when I test with the same attributes, but with the RadiusTest software,
 it works... I think it is something about the NAS Type or something like
 that...
 
 I can post -X, but it only says Wrong password, nothing more...

  Then the password is wrong, OR the MD5 functions on your system aren't
working correctly.

  There really isn't much else that can go wrong.

  Alan DeKok.
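Alan's answer above narrows a failing CHAP check to the password or the MD5 function. The following added example (mine, not FreeRADIUS code) reproduces the server-side check from RFC 2865 section 5.3 so a stored Cleartext-Password can be tested offline against a CHAP-Password from a NAS or from a test tool; the Request Authenticator, CHAP-Challenge and password values are constructed, and the one real difference between the two senders that the check has to handle, whether a CHAP-Challenge attribute is present, is exercised.

```python
"""Verify a RADIUS CHAP-Password against a stored clear-text password.

Added example, not FreeRADIUS code. RFC 2865 section 5.3: CHAP-Password is one
CHAP Ident octet followed by MD5(Ident + password + challenge). The challenge
is the CHAP-Challenge attribute when the NAS includes one; otherwise it is the
16-octet Request Authenticator of the Access-Request. The server can only do
this if it holds the clear-text password (Cleartext-Password in FreeRADIUS).
"""
import hashlib
import hmac
from typing import Dict, Optional


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """The 17-octet CHAP-Password value a NAS builds for `password`."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is a single octet")
    digest = hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, cleartext: str, request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check: recompute the digest with the stored clear-text password.

    Returns False for a malformed attribute instead of raising, since a NAS can
    send anything; a wrong Request Authenticator length is a caller bug.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(chap_password) != 17:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)  # constant-time compare


# Constructed sample values (not from any real exchange).
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
SAMPLE_PASSWORD = "secret"


def sample_exchange() -> Dict[str, bool]:
    """Four cases a server sees: a NAS that sends no CHAP-Challenge (challenge =
    Request Authenticator), a test tool that does send one, a wrong clear-text
    password, and a verifier that wrongly ignores the CHAP-Challenge."""
    nas = chap_response(1, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR)
    tool = chap_response(7, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    return {
        "nas_ok": chap_verify(nas, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR),
        "tool_ok": chap_verify(tool, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR, SAMPLE_CHALLENGE),
        "wrong_password": chap_verify(nas, "Secret", SAMPLE_AUTHENTICATOR),
        "challenge_ignored": chap_verify(tool, SAMPLE_PASSWORD, SAMPLE_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for case, ok in sample_exchange().items():
        print(f"{case}: {'Access-Accept' if ok else 'Access-Reject'}")
```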


Re: 802.1x maschine auth with SSL?

2008-03-25 Thread A . L . M . Buxey
hi,

you wouldn't be able to have the port in shutdown mode - or EAP
would never be undertaken.

you need to configure the cisco switch so that it does 802.1x
authentication (see cisco docs on how to configure the
switch for 802.1x and for RADIUS) then you simply
configure FreeRADIUS to send back the VLAN attribute
- the switch can be configured so that no EAP or unsuccessful
EAP gets a different VLAN

alan


Re: 802.1x maschine auth with SSL?

2008-03-25 Thread [EMAIL PROTECTED]
Hi,

thanks for the replies!

I'm very sorry, there is a little misunderstanding :(
The switch works ok so far, so nothing needs to be done there.
My client is an XP box with a logon client which can do machine auth and
prompt the user for his name and pass...
So I use SSL to auth the machine (it has a general cert like
clientofmycompany). Before that I just used user+pw for the box,
which worked, and I had user+pw in my users file... to provide the VLAN id,
you know?
Now I read that when using SSL, I don't need the user+pw stuff in my users
file - but how to assign the VLAN then?
And after all that stuff, if the user logs on, a new 802.1x request is
sent out, which uses SSL + user + pw (TTLS) to put him in his home
VLAN.

Better now? Sorry for the misunderstanding :(

Thanks a lot!


Re: 802.1x maschine auth with SSL?

2008-03-25 Thread Donny Jekels
alan,

thanks, was trying to follow mr hot pants' grammar.

On Tue, Mar 25, 2008 at 10:18 AM, [EMAIL PROTECTED] wrote:

 hi,

 you wouldn't be able to have the port in shutdown mode - or EAP
 would never be undertaken.

 you need to configure the cisco switch so that it does 802.1x
 authentication (see cisco docs on how to configure the
 switch for 802.1x and for RADIUS) then you simply
 configure FreeRADIUS to send back the VLAN attribute
 - the switch can be configured so that no EAP or unsuccessful
 EAP gets a different VLAN

 alan


Re: 802.1x maschine auth with SSL?

2008-03-25 Thread A . L . M . Buxey
Hi,

 I'm very sorry, there is a little misunderstanding :(
 The switch works ok so far, so nothing needs to be done there.
 My client is an XP box with a logon client which can do machine auth and
 prompt the user for his name and pass...
 So I use SSL to auth the machine (it has a general cert like
 clientofmycompany). Before that I just used user+pw for the box,
 which worked, and I had user+pw in my users file... to provide the VLAN id,
 you know?
 Now I read that when using SSL, I don't need the user+pw stuff in my users
 file - but how to assign the VLAN then?
 And after all that stuff, if the user logs on, a new 802.1x request is
 sent out, which uses SSL + user + pw (TTLS) to put him in his home
 VLAN.

ok, so the auth is now via the TLS module - so you will need to 
use any of the other methods to send back VLAN attributes - 
users, sql, perl, python etc - any of them will do - you just
need to think on what basis you will be assigning the VLAN... eg
UserName? IP? NAS?

alan


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-25 Thread Eric Martell
Hi Ivan,
Sorry to get back to you only now, as I did not have ldap access :(

After adding radiusAuthType on ONE uid it is working fine now. 
But now the issue is, I have some cases where the MAC address is stored 
multiple times in LDAP. Thus the ldap query is failing.
Please check the log below. Can you please suggest any workaround? I will 
really appreciate it.

Thanks and Regards.

Test Case 1 :: 1 UID
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} -> 
expand: %{User-Name} -> 0014F846C199
expand: ((did=%{%{Stripped-User-Name}:-%{User-Name}})) -> 
((did=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter 
((did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 39 to 216.2.193.1 port 38625
Finished request 3.






Test Case 2 :: Multiple UIDs

rad_recv: Access-Request packet from host 216.2.193.1 port 37788, id=38, 
length=34
User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} -> 
expand: %{User-Name} -> 0014F846C199
expand: ((uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> 
((uid=0014F846C199))
expand: ou=roles,o=entitlement -> ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=roles,o=entitlement, with filter 
((uid=0014F846C199))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication 
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [0014F846C199/no User-Password 
attribute] (from client samir port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> 0014F846C199
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds



- Original Message 
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, March 20, 2008 1:01:11 PM
Subject: Re: MACAddress silent authentication in LDAP using freeradius2.0.2

Bit confusing..do you want me to create entries in
ldap as, 


No:

uid = 001122334455
radiusAuthType = Accept

Forget about the device entries. radius authenticates users. Have a look
at the filter configured in ldap section of radiusd.conf

If yes, what additional changes I have to do in
freeradius and how I can return devicename along the
freeradius reply?

And what would you do with that? Groups? Then create group entries for
them and use memberof in the (mac) user entry.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





  


Re: EAP-TTLS (PAP) not working with NT domain - debian freeradius 1.1.7

2008-03-25 Thread James McOrmond



Alan DeKok wrote:

James McOrmond wrote:
  

As per previous emails, since i'm using samba/ldap i'm able to pull the
nt/lmpassword fields directly out of the ldap.  Should this method
negate the use of the ntlm_auth method?



  Yes.

  See ldap.attrmap.  The LDAP module uses this to map LDAP attributes to
RADIUS attributes.  Once FreeRADIUS has an NT hash, it can authenticate
users.
  
Ok, so should I comment out the mschap section where the ntlm_auth 
command/method is defined?


What about the other auth types? MS-CHAP/PEAP/EAP-MSCHAPv2, EAP-GTC: 
will they work with the NT password pulled from LDAP?


--
James A. McOrmond ([EMAIL PROTECTED])
Network Administrator
Xandros Corporation, Ottawa, Canada.
Morpheus: ...after a century of war I remember that which matters most:
*We are still HERE!*

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Auth-Test accounts in users file

2008-03-25 Thread James McOrmond


Is it possible/appropriate to have some test accounts in the users 
file, along with an Auth-Type set to which auth type this account can be 
used for?


We're testing a client that we're building (based on wpa_supplicant on 
linux), so would like to confirm the different auth methods are actually 
connecting as configured.


I was thinking something like:

test-pap   Auth-Type = PAP, User-Password := pap-test
test-chap Auth-Type = CHAP, User-Password := chap-test

I guess the question is how to do all the options that are inside EAP..


--
James A. McOrmond
Network Administrator
Xandros Corporation, Ottawa, Canada.
Morpheus: ...after a century of war I remember that which matters most:
*We are still HERE!*


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
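A way to see what each of those users-file test accounts would actually exercise on the wire, as an added example that is not from the original post or from the FreeRADIUS project: a small Python model of both sides of a PAP and a CHAP Access-Request as RFC 2865 specifies them. The shared secret, user names and passwords are constructed for the example, and pap_hide, pap_unhide, chap_response, parse_packet and server_check are the example's own names. It shows why the server needs a cleartext ("known good") password for either method, which is what the rlm_pap warning quoted earlier in this digest is about.

```python
"""RADIUS PAP and CHAP Access-Requests, client and server side (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60


def pap_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password to a multiple of 16 octets and XOR each
    16-octet block with MD5(secret + previous cipher block), chained from the
    Request Authenticator.  This is reversible: the server recovers the
    cleartext, and so can anyone who captures the packet and knows the secret."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_unhide(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_hide; strips the NUL padding (passwords may not end in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s5.3 / RFC 1994: MD5(id || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise code/id/length, the 16-octet authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes):
    """Return (code, ident, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def pap_access_request(secret, user, password, ident=1, authenticator=None):
    """Client side of a PAP request (what radtest sends by default)."""
    authenticator = authenticator or os.urandom(16)
    return build_access_request(ident, authenticator, [
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, pap_hide(secret, authenticator, password))])


def chap_access_request(user, password, chap_id=7, challenge=None, ident=2, authenticator=None):
    """Client side of a CHAP request; the password itself never leaves the client."""
    authenticator = authenticator or os.urandom(16)
    challenge = challenge or os.urandom(16)
    return build_access_request(ident, authenticator, [
        (ATTR_USER_NAME, user),
        (ATTR_CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
        (ATTR_CHAP_CHALLENGE, challenge)])


def server_check(packet, secret, known_good):
    """Server side: returns (method, accepted).  Both methods need the cleartext
    'known good' password on the server; rlm_pap warns when it has none."""
    _code, _ident, authenticator, attrs = parse_packet(packet)
    a = dict(attrs)  # assumes each attribute appears once
    if ATTR_USER_PASSWORD in a:
        got = pap_unhide(secret, authenticator, a[ATTR_USER_PASSWORD])
        return "PAP", hmac.compare_digest(got, known_good)
    if ATTR_CHAP_PASSWORD in a:
        cp = a[ATTR_CHAP_PASSWORD]
        # RFC 2865: without a CHAP-Challenge attribute the Request Authenticator is the challenge
        challenge = a.get(ATTR_CHAP_CHALLENGE, authenticator)
        return "CHAP", hmac.compare_digest(cp[1:], chap_response(cp[0], known_good, challenge))
    return None, False
```

The two request builders are the part a test harness would point at a real server; server_check is there to make the contrast concrete: PAP hands the server the cleartext (hidden only by the shared secret), CHAP hands it a challenge response that can only be verified against a cleartext, so neither can be checked from an NT hash alone.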


dhcp+radius

2008-03-25 Thread Kevin Zhang
Hi,

 

How do I configure the RADIUS server to work with the DHCP server, so the client
will authenticate with RADIUS first before DHCP assigns it an IP?

 

Kevin SZ

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

framed ip address

2008-03-25 Thread David Hláčik
Hi, in my working solution, I have PPTP (VPN) configured with RADIUS using
LDAP.
Each user has a Framed-IP-Address value which assigns him an exact IP
address.

Currently I am rebuilding the LDAP structure into groups. And I want the users
which are members of group foo to have dynamically assigned IP
addresses from the pool 10.123.40.0/255.255.255.0. How can I achieve this? Which
RADIUS attributes should I use?

Thanks a lot!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem

2008-03-25 Thread Sven 'Darkman' Michels
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi there,

we use FreeRADIUS (1.1.0 from SLES10) to provide 802.1X on all wired
switches in the company. As backend we have Novell eDir where all users
are stored. We also use per-user VLANs, which are stored in the eDir.
This setup is working so far. Now we want to secure the authentication
by SSL certificates (to protect the client from a foreign server getting
their credentials, and the eDir from foreign clients, to avoid
brute-force attacks). Our idea was:
use a general certificate to identify every supplicant/client and
use this cert to protect the tunnel where user/pass is provided.
We have configured a guest VLAN (2) on the Cisco switch where all
unauthenticated or unknown supplicants/clients get into. The next
VLAN (4) is for supplicants/clients which have the right cert installed,
and last but not least the user's own VLAN (300).
From VLAN 2 you're not allowed to do anything besides staging the
client (for new installations). At VLAN 4 you may connect to a few
servers (to get your box ready for production when no user is set up) and
300 is a fully working VLAN.
For now this works a bit. It seems that you cannot use just a cert
to get into VLAN 4 (you need a user + user defined in the users file, at
least for the Cisco client, which *needs* a user when using a cert..).
Besides that, I noticed that when using a wrong SSL cert and user+pw
(to get VLAN 300) FreeRADIUS *first* checks the eDirectory, and THEN
the EAP/TTLS stuff. Shouldn't this be exactly the other way around?

Our config looks like:
radiusd.conf:
modules {
    eap {
        default_eap_type = ttls
        ignore_unknown_eap_types = no
        tls {
            private_key_file = key
            certificate_file = cert
            CA_file = ca.crt
        }
        ttls {
            private_key_file = key
            certificate_file = cert
            CA_file = ca.cert
            default_eap_type = md5
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
        }
    }
    ldap {
        server = edir.company.lan
        port = 636
        identity = cn=freeradius,o=admin
        password = xxx
        basedn = o=company
        tls_mode = yes
        ...
        edir_account_policy_check = yes
    }
    files {
        # defaultstuff
    }
}
authorize {
    preprocess
    eap
    ldap
}
authenticate {
    eap
    Auth-Type LDAP {
        ldap
    }
}
post-auth {
    ldap
    Post-Auth-Type REJECT {
        ldap
    }
}

users:
DEFAULT Auth-Type = LDAP
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Fall-Through = Yes
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

So why doesn't it check the tunnel (SSL) first and stop if the client
has no valid cert?

I think I just overlooked something... but I'm a bit puzzled now...

Regards and thanks,
Sven Michels
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6X6yQoCguWUBzBwRArY8AJ4/BiDsM4rnxoHfmYUkMNLKjOhGbgCcCtnM
dzeTmRQRC7qB8QlhiVlOG6w=
=vAqe
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem

2008-03-25 Thread A . L . M . Buxey
Hi,

 Besides that, I noticed that when using a wrong SSL cert and user+pw
 (to get VLAN 300) FreeRADIUS *first* checks the eDirectory, and THEN
 the EAP/TTLS stuff. Shouldn't this be exactly the other way around?

err, no, because you have told it to behave like this.  change
the order of the modules in the authorize and authenticate
sections of your config if you want it any other way!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius, Cisco SSC, eDirectory, EAP/(T)TLS Problem

2008-03-25 Thread Sven 'Darkman' Michels
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

[EMAIL PROTECTED] wrote:
 Besides that, I noticed that when using a wrong SSL cert and user+pw
 (to get VLAN 300) FreeRADIUS *first* checks the eDirectory, and THEN
 the EAP/TTLS stuff. Shouldn't this be exactly the other way around?
 
 err, no, because you have told it to behave like this.  change
 the order of the modules in the authorize and authenticate
 sections of your config if you want it any other way!

erm? so, the sections are used from down to top? *scratches head*

Regards,
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6YYnQoCguWUBzBwRAuovAKCRUH7RZPg+0MSooVilGLZ+dfGj7QCfe2Y+
iu/uSPlXZN//NppDESm5jkw=
=gTzR
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: framed ip address

2008-03-25 Thread Ivan Kalik
Pool-Name. Have a look at ippool section of radiusd.conf.

Ivan Kalik
Kalik Informatika ISP


On 25/3/2008, David Hláčik [EMAIL PROTECTED] wrote:

Hi, in my working solution, I have PPTP (VPN) configured with RADIUS using
LDAP.
Each user has a Framed-IP-Address value which assigns him an exact IP
address.

Currently I am rebuilding the LDAP structure into groups. And I want the users
which are members of group foo to have dynamically assigned IP
addresses from the pool 10.123.40.0/255.255.255.0. How can I achieve this? Which
RADIUS attributes should I use?

Thanks a lot!



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MACAddress silent authentication in LDAP using freeradius2.0.2

2008-03-25 Thread Ivan Kalik
After adding radiusAuthType on ONE uid it is working fine now.
But now the issue is, I have some cases where the MAC address is stored 
multiple times in LDAP. Thus the LDAP query is failing.
Please check the log below. Can you please suggest any workaround? Will 
really appreciate it.

Only the obvious one: don't put multiple mac uids in the directory. uid
needs to be unique. BTW, where do multiple entries come from?

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
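The "object not found or got ambiguous search result" line in the log above means rlm_ldap's (uid=...) filter matched more than one entry. As an added example, not from the original thread or from FreeRADIUS, here is a Python check that scans an LDIF export of the directory for uid collisions so they can be cleaned up before the RADIUS server trips over them. The LDIF text, DNs and MAC addresses are constructed for the example; parse_ldif, normalize_mac and find_duplicate_uids are its own names.

```python
"""Find LDAP entries whose uid collides, the 'ambiguous search result' case.

Constructed LDIF export standing in for an ou=roles,o=entitlement subtree;
every entry, DN and MAC below is made up for the example."""
import base64
import re

SAMPLE_LDIF = """\
dn: uid=0014F846C199,ou=roles,o=entitlement
objectClass: radiusprofile
uid: 0014F846C199
radiusAuthType: Accept

dn: uid=0014f846c199,ou=roles,o=entitlement
objectClass: radiusprofile
uid: 0014f846c199
radiusAuthType: Accept

dn: uid=001122334455,ou=roles,o=entitlement
objectClass: radiusprofile
uid: 001122334455

dn: uid=00:11:22:33:44:55,ou=roles,o=entitlement
objectClass: radiusprofile
uid: 00:11:22:33:44:55

dn: uid=jdoe,ou=roles,o=entitlement
objectClass: radiusprofile
uid: jdoe
cn:: Sm9obiBEb2U=
"""

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and splits entries on blank lines.  Returns a list of dicts that
    map a lower-cased attribute name to its list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _sep, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def normalize_mac(value):
    """Canonical 12-hex-digit lower-case form, or None if the value is not a MAC."""
    s = re.sub(r"[:\-.\s]", "", value).lower()
    return s if MAC_RE.match(s) else None


def find_duplicate_uids(ldif_text):
    """Map each uid (MACs canonicalised, other uids case-folded) to the DNs
    carrying it, keeping only the uids that occur in more than one entry."""
    seen = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for uid in entry.get("uid", []):
            key = normalize_mac(uid) or uid.lower()
            seen.setdefault(key, []).append(dn)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for uid, dns in sorted(find_duplicate_uids(SAMPLE_LDIF).items()):
        print(f"{uid}: {len(dns)} entries")
        for dn in dns:
            print("   ", dn)
```

LDAP's uid attribute matches case-insensitively, so 0014F846C199 and 0014f846c199 are exactly the collision the (uid=...) filter returns two results for; the colon-separated variant would not match that filter, but it is the same device entered twice, which the MAC canonicalisation surfaces as well. Feed it the output of ldapsearch -LLL (or slapcat) for the subtree the ldap module searches.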


Re: dhcp+radius

2008-03-25 Thread Ivan Kalik
There is nothing to configure. It works that way.

Ivan Kalik
Kalik Informatika ISP

On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] wrote:

Hi,

 

How do I configure Radius server to work with DHCP server, so the client
will authenticate with Radius first

before DHCP will assign it an IP?

 

Kevin SZ




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: dhcp+radius

2008-03-25 Thread Kevin Zhang
Hi Ivan,

Thanks for your reply. But how does DHCP know NOT to give the IP to the client
when the authentication fails on RADIUS?

Kevin SZ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 4:51 PM
To: FreeRadius users mailing list
Subject: Re: dhcp+radius

There is nothing to configure. It works that way.

Ivan Kalik
Kalik Informatika ISP

On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] wrote:

Hi,

 

How do I configure Radius server to work with DHCP server, so the client
will authenticate with Radius first

before DHCP will assign it an IP?

 

Kevin SZ




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: dhcp+radius

2008-03-25 Thread Ivan Kalik
Because it will never be asked for one. PPP negotiation will not reach
that stage.

Ivan Kalik
Kalik Informatika ISP


On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] wrote:

Hi Ivan,

Thanks for your reply. But how does DHCP know NOT to give the IP to the client
when the authentication fails on RADIUS?

Kevin SZ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 4:51 PM
To: FreeRadius users mailing list
Subject: Re: dhcp+radius

There is nothing to configure. It works that way.

Ivan Kalik
Kalik Informatika ISP

On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] wrote:

Hi,

 

How do I configure Radius server to work with DHCP server, so the client
will authenticate with Radius first

before DHCP will assign it an IP?

 

Kevin SZ




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dhcp+radius

2008-03-25 Thread Sven 'Darkman' Michels
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

Kevin Zhang wrote:
 Hi Ivan,
 
 Thanks for your reply. But how does DHCP know NOT to give the IP to the client
 when the authentication fails on RADIUS?

When you configure your switch, you can tell it what to do when auth
fails. You can shut down the port or put it into another VLAN, one without
DHCP for example.

HTH,
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6ZUZQoCguWUBzBwRAvIRAKCt8fL1/Z9V89UwnbD864cCO3/8dwCfUaCe
xDu+BoIAxx7nqKdHqQQ2/JM=
=8B6r
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: dhcp+radius

2008-03-25 Thread Kevin Zhang
Hi Ivan,

Thanks again for the reply. Actually my scenario is like this:
I have a box that needs to be installed via PXE. The box will send out its MAC
address to get the IP of the TFTP server and the location of pxelinux.0.
Without RADIUS, the box will talk to the DHCP server directly for all
the information it needs. I want to implement the authentication
using RADIUS so that the net boot will continue only after the 
authentication succeeds. I just want to know where RADIUS fits into 
this model, step by step.

Kevin SZ


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 5:03 PM
To: FreeRadius users mailing list
Subject: RE: dhcp+radius

Because it will never be asked for one. PPP negotiation will not reach
that stage.

Ivan Kalik
Kalik Informatika ISP


On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] wrote:

Hi Ivan,

Thanks for your reply. But how does DHCP know NOT to give the IP to the client
when the authentication fails on RADIUS?

Kevin SZ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, March 25, 2008 4:51 PM
To: FreeRadius users mailing list
Subject: Re: dhcp+radius

There is nothing to configure. It works that way.

Ivan Kalik
Kalik Informatika ISP

On 25/3/2008, Kevin Zhang [EMAIL PROTECTED] wrote:

Hi,

 

How do I configure Radius server to work with DHCP server, so the client
will authenticate with Radius first

before DHCP will assign it an IP?

 

Kevin SZ




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: dhcp+radius

2008-03-25 Thread Sven 'Darkman' Michels
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

if you don't mind i answer ;)

Kevin Zhang wrote:
 Hi Ivan,
 
 Thanks again for the reply. Actually my scenario is like this:
 I have a box that needs to be installed via PXE. The box will send out its MAC
 address to get the IP of the TFTP server and the location of pxelinux.0.
 Without RADIUS, the box will talk to the DHCP server directly for all
 the information it needs. I want to implement the authentication
 using RADIUS so that the net boot will continue only after the 
 authentication succeeds. I just want to know where RADIUS fits into 
 this model, step by step.

IMHO nope. PXE boot occurs at the beginning when nothing is running on
the box. So all you have at this time is your PXE loader, no
supplicant. You need a kind of isolated LAN where you can install
via PXE (and maybe nothing else), and after your client is installed
(make sure that you have a supplicant/RADIUS client installed on it) you
can use your RADIUS to get into another VLAN.

Regards,
Sven
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6ZvZQoCguWUBzBwRArleAJ9YjR6nVzfBqhJwgJb/UcyzheYyEQCcCgAw
4mQaELzSUj+0USKALuhdmTw=
=aZN2
-END PGP SIGNATURE-
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html