Re: EAP MSK: how is it transported between server and authenticator
> After an EAP authentication which supports key derivation (MSK) how does freeradius transport the MSK to an NAS (authenticator)? I.e., what kind of attribute is used?

EAP-Message would be the obvious candidate.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP MSK: how is it transported between server and authenticator
Richard Chan wrote:
> After an EAP authentication which supports key derivation (MSK) how does freeradius transport the MSK to an NAS (authenticator)? I.e., what kind of attribute is used?

Run an EAP method. Look in the Access-Accept for attributes named key.

> There is an IETF draft on encrypted RADIUS attributes (which specifically mentions EAP MSK): http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt but this seems too recent to be actually used in the field (besides including undefined magic numbers).

It's not relevant.

> Browsing another RADIUS server document (Cisco Secure ACS), there is a RADIUS Key Wrap secret that can be configured. Presumably this is used to send MSKs between server and authenticator,

That's not relevant, either.

> I couldn't find a similar configuration parameter in the freeradius config files, either radiusd.conf (http://wiki.freeradius.org/Radiusd.conf) or the client side (http://wiki.freeradius.org/Clients.conf).

The MSK isn't configured. It's mandated by the EAP method.

Alan DeKok.
Re: Radius reply multivalue VSA question.
> Not sure which file I should add the update reply to?

Authorize section of default or whatever virtual server is doing the authorization.

> I added it in ldap.attrmap.

Unlang doesn't work in module configuration files - only server configuration.

> Also you mentioned a script... is that a shell/perl script?

Yes, you can use exec/perl modules to launch them.

Ivan Kalik
Kalik Informatika ISP
Re: EAP MSK: how is it transported between server and authenticator
On Fri, Oct 10, 2008 at 4:31 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Richard Chan wrote:
>> After an EAP authentication which supports key derivation (MSK) how does freeradius transport the MSK to an NAS (authenticator)? I.e., what kind of attribute is used?
>
> Run an EAP method. Look in the Access-Accept for attributes named key.

Can you provide a reference where such an attribute is defined? A glance through http://freeradius.org/rfc/attributes.html doesn't show any key attributes other than those related to MS-CHAP. Are you referring to the attribute 'EAP-Master-Session-Key' in http://tools.ietf.org/html/draft-aboba-radext-wlan-00#page-6? This attribute seems to do exactly what I was asking about, but this draft is superseded by a later version which no longer provides an attribute to transfer MSKs: http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt

>> There is an IETF draft on encrypted RADIUS attributes (which specifically mentions EAP MSK): http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-14.txt but this seems too recent to be actually used in the field (besides including undefined magic numbers).
>
> It's not relevant.

Disagree - it explicitly suggests a way to transport wrapped MSKs between NAS and EAP Server. How would you do it otherwise?

>> Browsing another RADIUS server document (Cisco Secure ACS), there is a RADIUS Key Wrap secret that can be configured. Presumably this is used to send MSKs between server and authenticator,
>
> That's not relevant, either.

Disagree again - it's relevant insofar as it indicates that Cisco considers there to be a need to do key wrapping between NAS and EAP Server. Unfortunately the document doesn't explicitly mention that the 'RADIUS Key Wrap' shared secret is used to encrypt MSKs, nor does it explain how it is used.

>> I couldn't find a similar configuration parameter in the freeradius config files, either radiusd.conf (http://wiki.freeradius.org/Radiusd.conf) or the client side (http://wiki.freeradius.org/Clients.conf).
>
> The MSK isn't configured. It's mandated by the EAP method.

I was not referring to the MSK (I know that this is an artifact of the EAP method). I was referring to the KEK that is used to encrypt the MSK between FreeRADIUS and the NAS.

> Alan DeKok.
problem installing freeradius
Hi,

I'm trying to fetch radius from git and install it on my ubuntu server. I'm having some issues compiling radius... Here's what I'm doing:

get
  [EMAIL PROTECTED]:~# git clone git://git.freeradius.org/freeradius-server.git radiusd
  Initialized empty Git repository in /root/radiusd/.git/
  remote: Counting objects: 59514, done.
  remote: Compressing objects: 100% (14414/14414), done.
  remote: Total 59514 (delta 46293), reused 57698 (delta 44971)
  Receiving objects: 100% (59514/59514), 11.36 MiB | 2308 KiB/s, done.
  Resolving deltas: 100% (46293/46293), done.

update
  [EMAIL PROTECTED]:~# cd radiusd/
  [EMAIL PROTECTED]:~/radiusd# git pull origin master:master
  Already up-to-date.

configure
  ...
  configure: creating ./config.status
  config.status: creating Makefile
  config.status: creating config.h

make
  make[6]: Leaving directory `/root/radiusd/src/modules/frs_detail'
  Making all in frs_dhcp...
  make[6]: Entering directory `/root/radiusd/src/modules/frs_dhcp'
  /bin/sh /root/radiusd/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/radiusd/src -I/root/radiusd/libltdl -c frs_dhcp.c
  libtool: compile: gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/root/radiusd/src -I/root/radiusd/libltdl -c frs_dhcp.c -fPIC -DPIC -o .libs/frs_dhcp.o
  frs_dhcp.c:183: error: 'RAD_LISTEN_DHCP' undeclared here (not in a function)
  make[6]: *** [frs_dhcp.lo] Error 1
  make[6]: Leaving directory `/root/radiusd/src/modules/frs_dhcp'
  make[5]: *** [common] Error 2
  make[5]: Leaving directory `/root/radiusd/src/modules'
  make[4]: *** [all] Error 2
  make[4]: Leaving directory `/root/radiusd/src/modules'
  make[3]: *** [common] Error 2
  make[3]: Leaving directory `/root/radiusd/src'
  make[2]: *** [all] Error 2
  make[2]: Leaving directory `/root/radiusd/src'
  make[1]: *** [common] Error 2
  make[1]: Leaving directory `/root/radiusd'
  make: *** [all] Error 2

I tried configuring without dhcp (even though it is not enabled by default anyway...):

  ./configure --without-dhcp

but still get the same error. Can somebody advise please?
Please Help!
Hello guys, I'm new to RADIUS; I am using CentOS 5 on my radius server. Where can I find the scripts for generating the various certificates? This is for my Server-(Access Point)-Client connections. Any help would be appreciated.

Thanks,
Niel
Re: EAP MSK: how is it transported between server and authenticator
Phil Mayers wrote:
> See my other email. MSK is not sent to the nas. SSK (derived from MSK) is, and it's sent in the attributes:

Hmm... the MSK *is* sent in the MS-MPPE-*-Key attributes.

Alan DeKok.
Re: Please Help!
Thanks a lot guys :D effort appreciated :)

2008/10/10 [EMAIL PROTECTED]:
> raddb/certs
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 10/10/2008, niel m [EMAIL PROTECTED] wrote:
>> Hello guys, I'm new to RADIUS; I am using CentOS 5 on my radius server. Where can I find the scripts for generating the various certificates? This is for my Server-(Access Point)-Client connections. Any help would be appreciated.
>>
>> Thanks,
>> Niel
Re: EAP MSK: how is it transported between server and authenticator
Alan DeKok wrote:
> Phil Mayers wrote:
>> See my other email. MSK is not sent to the nas. SSK (derived from MSK) is, and it's sent in the attributes:
>
> Hmm... the MSK *is* sent in the MS-MPPE-*-Key attributes.

Yes, sorry - I am getting my terminology mixed up.

The thing I called MSK is in fact the EMSK.
The thing I called SSK is in fact the MSK.
Re: EAP MSK: how is it transported between server and authenticator
> EAP-Message would be the obvious candidate.

I don't think this can be correct: EAP-Message is used between NAS and FreeRadius to encapsulate the EAP protocol between client and server. The NAS couldn't tell that a particular EAP-Message should terminate at itself in order to extract an MSK; it would just de-capsulate and pass the payload to the peer (functioning as an EAP proxy).

Notice the Zorn draft RFC doesn't use EAP-Message; it puts an encrypted MSK in an extended attribute. This kind of makes sense since it would be clear to the NAS that it is the intended termination point.

My question was how it is done today in the field (pre this draft becoming an RFC).
Re: EAP MSK: how is it transported between server and authenticator
Simul-posting - tks! - I think that answers my question on what goes on in real deployments today. I have a couple of quibbles though:

> You don't give the MSK to the NAS, that would defeat the entire point - MSK is private between the radius server and EAP client, and is used to derive further keys.

According to RFC5247 the MSK is potentially transported to the NAS in what it calls Phase 1b 'AAA Key transport'. Quoting:

  Since existing TSK derivation and transport techniques depend solely on the MSK, in existing implementations, this is the only keying material replicated in the AAA key transport phase 1b.

I don't see that this RFC prohibits transport of the MSK outside the EAP server (it mentions another secret, the EMSK - not used by any EAP method at the moment - that it absolutely forbids leaving the EAP server).

> Furthermore you wouldn't want the RADIUS server to have to know every SSK-derivation scheme that crops up between NAS and user.

I thought the reason for allowing full MSK export to the NAS is precisely the separation of duties: the EAP Server only needs to know how to derive the MSK; it is private to the NAS/User what encryption scheme is used and only they need to know how to derive SSKs. With this understanding I can see the point of the Zorn draft - it is used to transport the full MSK between NAS and EAP Server instead of making the EAP Server responsible for deriving TSKs (transient session keys - what you call SSKs) and only communicating the TSKs to the NAS.

Your thoughts on this?

OT - I hypothesize that the reason the EAP-Master-Session-Key attribute was dropped from the latest version of the Aboba radext wlan draft https://datatracker.ietf.org/drafts/draft-aboba-radext-wlan/ is because the Zorn draft provides a more general way to communicate encrypted data within RADIUS.
NAS-Identifier
Hi,

running freeradius successfully in a 1.x version, I'm looking for some freeradius documentation on the NAS-Identifier. I couldn't find anything in the doc or wiki. Can anyone point me to some docs? I now have an additional NAS which sends a different NAS-Identifier, but I currently don't know how to take advantage of it.

Thanks
Re: AW: Dialup admin questions
To fix your warning about mktime(), edit the file function.php3, go to line 95 and the function should look like this:

  function date2time($date) {
      list($day,$time)=explode(' ',$date);
      $day = explode('-',$day);
      $time = explode(':',$time);
      #$timest = mktime($time[0],$time[1],$time[2],$day[1],$day[2],$day[0]);
      $timest = mktime(0,0,0,$day[1],$day[2],$day[0]);
      return $timest;
  }

I had the same problem and that was the fix for me. Good luck..

[EMAIL PROTECTED] wrote:
>> 1. Can I see the statistics or aren't they passed, too?
>
> They will come up once you connect to the accounting.
>
>> 2. Is there an alternative with which I can edit the configuration files etc via webinterface?
>
> You can use things like OpenOffice if it is installed and you connect via KVM or VNC. Normally you connect with ssh (putty) and use joe or such text editors. Chap from daloRadius used to post here some time ago. You can try that and see.
>
>> 3. How can I fix this warning message:
>> Warning: mktime() expects parameter 1 to be long, string given in /usr/share/freeradius-dialupadmin/lib/functions.php3 on line 95
>
> That's something to do with php. That extension is .php3 so it probably wasn't updated for quite some time.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Dialup admin questions
> Does it make sense to use dialup admin for administration if the freeRADIUS server uses the active directory for authentication?

Not a lot. You won't be able to do any user administration (add users, change passwords, ...).

> Because I have the following errors in the interface:
>
> Warning: asort() expects parameter 1 to be array, null given in /usr/share/freeradius-dialupadmin/htdocs/accounting.php3 on line 47
> Warning: mktime() expects parameter 1 to be long, string given in /usr/share/freeradius-dialupadmin/lib/functions.php3 on line 95
> Warning: mktime() expects parameter 1 to be long, string given in /usr/share/freeradius-dialupadmin/lib/functions.php3 on line 95
> DEBUG(SQL,MYSQL DRIVER): Query: SELECT COUNT(radacctid) AS res_1,sum(acctsessiontime) AS res_2,sum(acctoutputoctets) AS res_3 FROM radacct WHERE username LIKE '%' AND acctstoptime >= '2008-10-11 00:00:00' AND acctstoptime <= '2008-10-11 23:59:59' ;
> Database query failed: Table 'radius.radacct' doesn't exist
> DEBUG(SQL,MYSQL DRIVER): Query: SELECT COUNT(radacctid) AS res_1,sum(acctsessiontime) AS res_2,sum(acctoutputoctets) AS res_3 FROM radacct WHERE username LIKE '%' AND acctstoptime >= '2008-10-03 00:00:00' AND acctstoptime <= '2008-10-03 23:59:59' ;
> Database query failed: Table 'radius.radacct' doesn't exist
>
> How should I fix them?

It's looking for the accounting database. Check your sql.conf settings.

Ivan Kalik
Kalik Informatika ISP
Re: EAP MSK: how is it transported between server and authenticator
Let me rephrase my question in another way (hopefully clearer):

NAS acting as EAP pass-thru' device:

  USER --- NAS --- FREERADIUS
   +++EAP+==EAP over RADIUS==

  (EAP over RADIUS uses the EAP-Message attribute.)

After EAP completes we have:

  USER --- NAS --- FREERADIUS
  MSK              MSK

...but the NAS needs the MSK to do whatever layer 2 encryption scheme... so...

  USER --- NAS --- FREERADIUS
  MSK      MSK <== MSK    (HOW??)

Ivan Kalik [EMAIL PROTECTED] suggests EAP-Message; but I think this is only used in not in

Alan DeKok suggests 'Access-Accept for attributes named key'. I couldn't find any such attributes, and furthermore where would you configure the KEK (Key encryption key) to wrap the MSK?

I hope this makes more sense.

Example NAS: the following NAS actually allows you to configure an AES Key Wrap secret: http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42sol.html#wp1236008

This document goes on to say that it works with a "key-wrap compliant RADIUS authentication server". Is FreeRadius such a key-wrap compliant RADIUS authentication server?
Re: EAP MSK: how is it transported between server and authenticator
Richard Chan wrote:
> Let me rephrase my question in another way (hopefully clearer):
>
> NAS acting as EAP pass-thru' device:
>
>   USER --- NAS --- FREERADIUS
>    +++EAP+==EAP over RADIUS==
>
>   (EAP over RADIUS uses the EAP-Message attribute.)
>
> After EAP completes we have:
>
>   USER --- NAS --- FREERADIUS
>   MSK              MSK
>
> ...but the NAS needs the MSK to do whatever layer 2 encryption scheme... so...
>
>   USER --- NAS --- FREERADIUS
>   MSK      MSK <== MSK    (HOW??)

See my other email. MSK is not sent to the nas. SSK (derived from MSK) is, and it's sent in the attributes:

  MS-MPPE-Send-Key
  MS-MPPE-Recv-Key

...even if the EAP method is not MS-CHAP based.
Re: EAP MSK: how is it transported between server and authenticator
Richard Chan wrote:
> Simul-posting - tks! - I think that answers my question on what goes on in real deployments today. I have a couple of quibbles though:
>
>> You don't give the MSK to the NAS, that would defeat the entire point - MSK is private between the radius server and EAP client, and is used to derive further keys.
>
> According to RFC5247 the MSK is potentially transported to the NAS in what it calls Phase 1b 'AAA Key transport'.

Yes sorry, as per my other email I am getting my terminology confused.
Re: EAP MSK: how is it transported between server and authenticator
Richard Chan wrote:
>> EAP-Message would be the obvious candidate.
>
> I don't think this can be correct: EAP-Message is used between NAS and FreeRadius to encapsulate the EAP protocol between client and server. The NAS couldn't tell that a particular EAP-Message should terminate at itself in order to extract an MSK; it would just de-capsulate and pass the payload to the peer (functioning as an EAP proxy).
>
> Notice the Zorn draft RFC doesn't use EAP-Message; it puts an encrypted MSK in an extended attribute. This kind of makes sense since it would be clear to the NAS that it is the intended termination point.
>
> My question was how it is done today in the field (pre this draft becoming an RFC).

There are two sets of keys.

MSK is the master session key. In most (all?) EAP methods, it's derived by both the client and radius server independently, e.g. using Diffie-Hellman or via their mutual shared secret.

SSK is the session key; it's used to actually encrypt the traffic on the wire, and is generated by the client and radius server from the MSK. The SSK is also communicated from the radius server to the NAS.

Every implementation of 802.1x I've seen uses the MS-CHAP key attributes to communicate the SSK to the NAS; even if the EAP method isn't MS-CHAP. See section 3.16 of RFC3580.

You don't give the MSK to the NAS, that would defeat the entire point - MSK is private between the radius server and EAP client, and is used to derive further keys.

From what I can see, that Zorn draft is just an attempt to standardise how you encrypt request/reply attributes. Frankly I can't imagine why they're suggesting sending the MSK over radius - it defeats the entire point. The whole draft seems suspect IMHO.

RadSec is a far more effective way of protecting the contents of a radius packet, with provably better security.
Re: AW: Dialup admin questions
> 1. Can I see the statistics or aren't they passed, too?

They will come up once you connect to the accounting.

> 2. Is there an alternative with which I can edit the configuration files etc via webinterface?

You can use things like OpenOffice if it is installed and you connect via KVM or VNC. Normally you connect with ssh (putty) and use joe or such text editors. Chap from daloRadius used to post here some time ago. You can try that and see.

> 3. How can I fix this warning message:
> Warning: mktime() expects parameter 1 to be long, string given in /usr/share/freeradius-dialupadmin/lib/functions.php3 on line 95

That's something to do with php. That extension is .php3 so it probably wasn't updated for quite some time.

Ivan Kalik
Kalik Informatika ISP
Re: Please Help!
raddb/certs

Ivan Kalik
Kalik Informatika ISP

On 10/10/2008, niel m [EMAIL PROTECTED] wrote:
> Hello guys, I'm new to RADIUS; I am using CentOS 5 on my radius server. Where can I find the scripts for generating the various certificates? This is for my Server-(Access Point)-Client connections. Any help would be appreciated.
>
> Thanks,
> Niel
Regex remove realm from username
Hi..

I searched thru the forums but am not getting the right username after using regex. The request I am getting is: [EMAIL PROTECTED] and I need to strip everything after @ and pass the username as test. I am using ldap for auth. This is the config I have in ldap:

  if (User-Name =~ /^([EMAIL PROTECTED])(@.*)$/) {   // just want to dblchck this is the right regex
      update request {
          Stripped-User-Name := %{1}   # first capture group; %{0} is the whole match
      }
  }
  filter = (uid=%{Stripped-User-Name})
  //filter = (uid=%{Stripped-User-Name:-%{User-Name}})
  //filter = (uid=%{Stripped-User-Name})
  encryption_scheme = crypt

I get the following during the ldap lookup:

  expand: (uid=%{Stripped-User-Name}) -> (uid=)

Here is the radiusd -X log:

  rad_recv: Access-Request packet from host 216.2.193.1 port 55751, id=107, length=65
          User-Name = [EMAIL PROTECTED]
          User-Password = test123
  +- entering group authorize
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
      rlm_realm: Looking up realm google.com for User-Name = [EMAIL PROTECTED]
      rlm_realm: No such realm google.com
  ++[suffix] returns noop
    rlm_eap: No EAP-Message, not doing EAP
  ++[eap] returns noop
  ++[unix] returns notfound
  ++[files] returns noop
  ++- entering group
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for [EMAIL PROTECTED]
          expand: (uid=%{Stripped-User-Name}) -> (uid=)
          expand: dc=xyz,dc=net,o=internet -> dc=xyz,dc=net,o=internet
  rlm_ldap: ldap_get_conn: Checking Id: 0
eap md5 and cisco 1250 ap?
Hi All,

I'm trying to get a MacOS 10.5 client to connect to a cisco 1250 ap running IOS 12.4(10b) authenticating against Freeradius 1.1.7 on Ubuntu (8.04). Yeh md5 is a bad idea, but it should be a simple first step. The only changes I made to the default Freeradius config were to add the client info for the 1250 and one user:

  jon Cleartext-Password := password

Freeradius sends:

  Sending Access-Accept of id 56 to 192.168.32.10 port 1645
          EAP-Message = 0x03020004
          Message-Authenticator = 0x
          User-Name = jon
  Finished request 95

Which the AP sees:

  *Mar 1 17:13:08.871: RADIUS: Received from id 1645/54 192.168.32.34:1812, Access-Accept, len 49
  *Mar 1 17:13:08.871: RADIUS: authenticator 80 F5 FE FA 84 E9 7A EB - C9 D0 0C F2 E5 07 9C 02
  *Mar 1 17:13:08.871: RADIUS: EAP-Message [79] 6
  *Mar 1 17:13:08.871: RADIUS: 03 02 00 04 []
  *Mar 1 17:13:08.871: RADIUS: Message-Authenticato[80] 18
  *Mar 1 17:13:08.871: RADIUS: 61 20 78 47 53 68 E0 80 20 7F 10 04 95 CE 64 9D [a xGSh?? ?d?]
  *Mar 1 17:13:08.871: RADIUS: User-Name [1] 5 jon
  *Mar 1 17:13:08.871: RADIUS(00B0): Received from id 1645/54
  *Mar 1 17:13:08.871: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
  *Mar 1 17:13:09.919: %DOT11-7-AUTH_FAILED: Station 001e.c2b7.f0de Authentication failed

But note the AUTH_FAILED at the. The Mac client then just spins retrying authentication. I must be missing something so stupidly obvious no one else has ever missed it, as I can't seem to find anyone online who's had trouble with simple md5 auth... Help?

Thanks,
-Jon
Re: NAS-Identifier
Stefan Eck (gmail) wrote:
> running freeradius successfully in a 1.x version, I'm looking for some freeradius documentation on the NAS-Identifier. I couldn't find anything in the doc or wiki.

http://freeradius.org/rfc/attributes.html

> Can anyone point me to some docs? I now have an additional NAS which sends a different NAS-Identifier, but I currently don't know how to take advantage of it.

It's just an attribute. What do you want to do with it?

Alan DeKok.
Re: eap md5 and cisco 1250 ap?
Jonathan D. Proulx wrote:
> I'm trying to get a MacOS 10.5 client to connect to a cisco 1250 ap running IOS 12.4(10b) authenticating against Freeradius 1.1.7 on Ubuntu (8.04).

You cannot use EAP-MD5 for wireless authentication. It's impossible.

> Yeh md5 is a bad idea, but it should be a simple first step. The only changes I made to the default Freeradius config were to add the client info for the 1250 and one user:

Or, you could follow the EAP guide for 2.1.x at my web site:

  http://deployingradius.com

It's *very* easy to set up in 2.x. There's even a Mac package in Darwin ports. See the download link on the main web page.

Alan DeKok.
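The two threads above ask the same question from opposite ends: Richard wants to know which attribute carries the MSK to the NAS and where the key-encryption key is configured, and Jon's EAP-MD5 Access-Accept shows what a reply with no key material looks like. The answer Phil and Alan give (MS-MPPE-Send-Key / MS-MPPE-Recv-Key, RFC 3580 section 3.16) is specified in RFC 2548: the wrapping key is the RADIUS shared secret, mixed with the Request-Authenticator of the matching Access-Request and a 2-octet salt, so no separate KEK exists to configure. The following is an added example written for this page, not FreeRADIUS code and not from any poster. It wraps a 64-octet MSK into the two Microsoft VSAs the way the server does, parses an Access-Accept attribute list the way a NAS does, unwraps the keys, and returns None for the keyless EAP-MD5 reply from Jon's thread, which is the concrete reason EAP-MD5 cannot key a wireless link. The shared secret, Request-Authenticator and MSK are constructed values; the EAP-MD5 attribute bytes are re-encoded from the Cisco debug output in that thread.

```python
"""Added example, not FreeRADIUS code: how the EAP MSK rides in an Access-Accept.
RFC 2548 MS-MPPE-Send-Key/Recv-Key (Microsoft vendor 311, sub-types 16/17) wrap
it with MD5 keyed by the RADIUS shared secret, the Request-Authenticator and a
2-octet salt; no separate KEK is configured. Sample values are constructed."""
import hashlib
import os
import struct

VENDOR_SPECIFIC, MS_VENDOR_ID = 26, 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17

def mppe_key_encrypt(secret, request_authenticator, key, salt=None):
    """Wrap `key` into the String field of an MS-MPPE-*-Key (RFC 2548 2.4.2)."""
    if len(request_authenticator) != 16 or len(key) > 255:
        raise ValueError("Request-Authenticator must be 16 octets, key <= 255")
    if salt is None:  # two random octets, high bit of the first set
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    # P = Key-Length octet || key || zero padding to a multiple of 16
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    # b(1) = MD5(S||R||A); b(i) = MD5(S||c(i-1)); c(i) = p(i) XOR b(i)
    mask = hashlib.md5(secret + request_authenticator + salt).digest()
    out = bytearray()
    for i in range(0, len(plaintext), 16):
        block = bytes(p ^ m for p, m in zip(plaintext[i:i + 16], mask))
        out += block
        mask = hashlib.md5(secret + block).digest()
    return salt + bytes(out)

def mppe_key_decrypt(secret, request_authenticator, data):
    """Inverse of mppe_key_encrypt: what the NAS does on receipt."""
    if len(data) < 18 or (len(data) - 2) % 16 or not data[0] & 0x80:
        raise ValueError("malformed MS-MPPE key string")
    salt, ciphertext = data[:2], data[2:]
    mask = hashlib.md5(secret + request_authenticator + salt).digest()
    plaintext = bytearray()
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        plaintext += bytes(c ^ m for c, m in zip(block, mask))
        mask = hashlib.md5(secret + block).digest()
    key_len = plaintext[0]
    if key_len > len(plaintext) - 1:  # a wrong shared secret usually shows up here
        raise ValueError("bad key length after decryption (wrong shared secret?)")
    return bytes(plaintext[1:1 + key_len])

def build_ms_vsa(vendor_type, value):
    """Encode one Vendor-Specific(26) attribute holding a Microsoft sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(inner) + 6, MS_VENDOR_ID) + inner

def msk_to_mppe_attributes(secret, request_authenticator, msk):
    """Server side: first 32 octets of the MSK -> Recv-Key, last 32 -> Send-Key."""
    if len(msk) != 64:
        raise ValueError("EAP MSK is 64 octets")
    return (build_ms_vsa(MS_MPPE_RECV_KEY, mppe_key_encrypt(secret, request_authenticator, msk[:32]))
            + build_ms_vsa(MS_MPPE_SEND_KEY, mppe_key_encrypt(secret, request_authenticator, msk[32:])))

def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        typ, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((typ, blob[pos + 2:pos + length]))
        pos += length
    return attrs

def extract_msk(secret, request_authenticator, blob):
    """NAS side: unwrap both keys; None if the Access-Accept carries no key material."""
    keys = {}
    for typ, value in parse_attributes(blob):
        if typ != VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue
        vendor_type, vendor_len = value[4], value[5]
        if vendor_len < 2 or 4 + vendor_len > len(value):
            raise ValueError("bad vendor sub-attribute length")
        if vendor_type in (MS_MPPE_RECV_KEY, MS_MPPE_SEND_KEY):
            keys[vendor_type] = mppe_key_decrypt(secret, request_authenticator, value[6:4 + vendor_len])
    if MS_MPPE_RECV_KEY not in keys or MS_MPPE_SEND_KEY not in keys:
        return None
    return keys[MS_MPPE_RECV_KEY] + keys[MS_MPPE_SEND_KEY]

# Constructed sample values (not from any real capture).
SECRET, REQUEST_AUTHENTICATOR, MSK = b"testing123", bytes(range(16)), bytes(range(64))
# The keyless EAP-MD5 Access-Accept from the "eap md5" thread, re-encoded:
# EAP-Message(79) 0x03020004, Message-Authenticator(80), User-Name(1) "jon".
EAP_MD5_ACCEPT = (bytes([79, 6]) + bytes.fromhex("03020004")
                  + bytes([80, 18]) + bytes.fromhex("612078475368E080207F100495CE649D")
                  + bytes([1, 5]) + b"jon")

if __name__ == "__main__":
    accept = msk_to_mppe_attributes(SECRET, REQUEST_AUTHENTICATOR, MSK)
    print("MSK round-trips:", extract_msk(SECRET, REQUEST_AUTHENTICATOR, accept) == MSK)
    print("EAP-MD5 accept has keys:", extract_msk(SECRET, REQUEST_AUTHENTICATOR, EAP_MD5_ACCEPT) is not None)
```

Two things worth noticing from running it: the protection of the MSK in transit is only as strong as the RADIUS shared secret and MD5, which is the weakness Phil's RadSec remark addresses, and a NAS that receives an Access-Accept without both MS-MPPE keys has nothing to derive 802.11 keys from, which is exactly what the Cisco AP in Jon's thread logs as AUTH_FAILED.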
Re: eap md5 and cisco 1250 ap?
On Fri, Oct 10, 2008 at 07:23:17PM +0200, Alan DeKok wrote:
: You cannot use EAP-MD5 for wireless authentication. It's impossible.

Well, that makes it very simple!

: Or, you could follow the EAP guide for 2.1.x at my web site:
:
:   http://deployingradius.com
:
: It's *very* easy to set up in 2.x. There's even a Mac package in
: Darwin ports. See the download link on the main web page.

I've been sort of following that (thanks); I didn't realize I was a major rev behind, though that explains why certs wasn't a simple make in the version I have.

So upward (to 2.x) and onward and straight to TTLS.

Thanks,
-jon
Re: eap md5 and cisco 1250 ap?
On Fri, Oct 10, 2008 at 01:41:15PM -0400, Jonathan D. Proulx wrote:
: So upward (to 2.x) and onward and straight to TTLS.

I seem to have actually gone backward here. Local radtest is now failing with the fresh 2.1.1 install. All default except I added a user to users:

  jon Cleartext-Password := password

radiusd -s -X seems to start happily but doesn't seem to source the users file, as best I can tell (not listed among the many "including configuration file" lines):

  rad_recv: Access-Request packet from host 127.0.0.1 port 54793, id=121, length=55
          User-Name = jon
          User-Password = password
          NAS-IP-Address = 192.168.32.34
          NAS-Port = 0
  +- entering group authorize {...}
  ++[preprocess] returns ok
  ++[chap] returns noop
  ++[mschap] returns noop
  [suffix] No '@' in User-Name = jon, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  [eap] No EAP-Message, not doing EAP
  ++[eap] returns noop
  ++[unix] returns updated
  [files] users: Matched entry jon at line 1
  ++[files] returns ok
  ++[expiration] returns noop
  ++[logintime] returns noop
  ++[pap] returns updated
  Found Auth-Type = PAP
  +- entering group PAP {...}
  [pap] login attempt with password password
  [pap] Using CRYPT encryption.
  [pap] Passwords don't match
  ++[pap] returns reject
  Failed to authenticate the user.
  Using Post-Auth-Type Reject
  +- entering group REJECT {...}
  [attr_filter.access_reject]     expand: %{User-Name} -> jon
   attr_filter: Matched entry DEFAULT at line 11
  ++[attr_filter.access_reject] returns updated

-Jon
Re: Cisco VPN Radius with expiry Windows domain password expiration
: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
        attrsfile = /etc//raddb/attrs.access_reject
        key = %{User-Name}
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
        huntgroups = /etc//raddb/huntgroups
        hints = /etc//raddb/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating auth_log
  detail auth_log {
        detailfile = /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating ntdomain
  realm ntdomain {
        format = prefix
        delimiter =
        ignore_default = no
        ignore_null = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
        key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating detail
  detail {
        detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
        attrsfile = /etc//raddb/attrs.accounting_response
        key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating reply_log
  detail reply_log {
        detailfile = /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
        header = %t
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
  }
 }
}
radiusd: Opening IP addresses and Ports
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        type = acct
        ipaddr = *
        port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.6 port 1086, id=7, length=187
        User-Name = voila\\test
        NAS-Port = 1231
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = 204.112.1.1
        Calling-Station-Id = 204.112.1.1
        Tunnel-Client-Endpoint:0 = 204.112.1.1
        MS-CHAP-Challenge = 0x36d49923fd91c9278280554b4eba353f
        MS-CHAP2-Response = 0x572d60ba1df18e11d0a20a3e9919126a0e3814caf0302452f2c32c894d5678b939353e20ea160
        NAS-IP-Address = 10.1.1.6
        NAS-Port-Type = Virtual
+- entering group authorize
++[preprocess] returns ok
        expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.2.1.6/auth-detail-20081010
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.2.1.6/auth-detail-20081010
        expand: %t -> Fri Oct 10 10:41:08 2008
++[auth_log] returns ok
++[chap] returns noop
  rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
    rlm_realm: No '@' in User-Name = voila\test, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = voila\test, looking up realm NULL
    rlm_realm: No such realm NULL
++[ntdomain] returns noop
++[unix] returns notfound
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=voila,dc=com -> dc=voila,dc=com
        expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountName=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.16.130:389, authentication 0
rlm_ldap: bind as cn=project,cn=users,dc=voila,dc=com/pR0j3cT1 to 10.1.16.130:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=voila,dc=com, with filter (sAMAccountName=test)
rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (|(&(objectClass=group)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\3dtest\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom))(&(objectClass=GroupOfNames)(member=CN\3dtest\2cCN\3dUsers\2cDC\3dvoila\2cDC\3dcom)))
rlm_ldap: ldap_get_conn
ldap/krb5 auth and access point Authentication methods ?
Hello,

We are using openldap/kerberos (MIT) and just bought 2 CISCO Aironet 1250. I'd like to use freeradius to authenticate our users. I read that freeradius can use openldap and kerberos, so I suppose I will set these up for auth. Most of my Wi-Fi users will be Windows/Mac OS and I'd like to avoid custom installation on the laptops. The question is: which auth method should I use on the access points?

tx!
Re: Regex remove realm from username
2008/10/10 Eric Martell [EMAIL PROTECTED]:
> Hi..
>
> I searched thru the forums but am not getting the right username after using regex. The request I am getting is: [EMAIL PROTECTED] and I need to strip everything after @ and pass the username as test.

Is there some reason you don't just create a local realm in proxy.conf and use the 'strip' keyword?

  realm google.com {
      type     = radius
      authhost = LOCAL
      accthost = LOCAL
      strip
  }

Thanks,
Alex