Re: Wpa Supplicant on Win XP with SP 2

2008-11-14 Thread Alan DeKok
Queenie de Melo wrote:
 When I use Windows as my supplicant, I do not get all the options
 supported by my AP.

  The AP does not support *any* EAP types.  EAP types are supported
*only* by the supplicant.

 But in case I right-click on the wireless connection in the Network
 Connections, go to Properties, Wireless Network tab, and uncheck the
 option "Use Windows to configure my wireless network settings", then my
 D-Link utility pops up which gives me all the options, e.g. PEAP with MD5
 (Windows gives me only the PEAP with MSCHAPv2 option).

 Is there anyone who has faced the same and resolved it? Does Windows
 need a patch etc.?

  The native Windows supplicant supports only a few EAP types.  If you
want more, see SecureW2.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: hostapd + freeradius + windows users problem

2008-11-14 Thread Alan DeKok
Jouni Malinen wrote:
 The following RFC 3580 Chapter 2.1 text is one reason for hostapd behavior:

  Hmm... OK.

 As far as I can tell, that is describing multiple re-authentications
 for a single RADIUS session. Should the Supplicant decide to change
 its identity (e.g., switch between user and machine credentials)
 without stopping the session (disassociate/EAPOL-Logoff), I don't see
 how the Authenticator (NAS) should handle this case.

  That's really a problem with RADIUS.  There is no definition of what
defines a session.

 It sounds like
 you are asking to arbitrarily pick the first identity (or create a new
 session, which would not comply with this RFC 3850 text) while hostapd
 is arbitrarily picking the last used identity within the same session.

  Look at it from the point of view of the RADIUS server, or the
administrator running it.  A session starts, with a particular
User-Name, an Acct-Session-Id, and a bunch of other attributes
identifying the session.  Then at some later point, the same
Acct-Session-Id is used with a *different* set of attributes
identifying the session.

  This is confusing.

  The administrator *cannot* rely on Acct-Session-Id to uniquely
identify sessions, and then ignore other attributes such as User-Name.
There are just too many broken NASes that send the same Acct-Session-Id
for completely independent sessions.

  So... the administrator has to rely on a *collection* of attributes as
identifying the session.  That collection traditionally includes
User-Name.  This means that changing User-Name in the middle of a
session will wreak havoc with people's accounting setups.

  The NAS, of course, is stuck in the middle here.  If the supplicant
suddenly changes its EAP identity on re-authentication, it's not
unreasonable for the NAS to simply copy that into the User-Name attribute.

  But this means that the supplicant is broken (IMHO).  If the
supplicant can't keep the same identity during a session, that seems
very strange to me.

  Alan DeKok.


Re: hostapd + freeradius + windows users problem

2008-11-14 Thread alois blasbichler
User goa connects and when he turns machine off, new user  
host/filteria(his machine name) appears.
Maybe the problems is inside hostapd(which I can't find), but I  
don't understand why host/filteria is updated with goa info.


Hello

That is the same as what I have seen (with Vista and Windows XP SP3) on
my WiFi installation (Cisco wireless LAN controller with FreeRADIUS
and a Samba domain with users and machines in OpenLDAP).


On startup Windows by default makes a host (machine) authentication,
then it makes a user (domain) authentication, and on logout again a
host (machine) authentication.


If I understand it right, it's like your problem, and for me this is a
setting of the client (supplicant) = Windows. This is the same
problem described 2 days before on this list; look:

http://lists.freeradius.org/pipermail/freeradius-users/2008-November/msg00263.html


by
luis




Re: Re: rlm_counter: Failed to open file /etc/raddb/db.daily:, Permission denied

2008-11-14 Thread Romain Mercier




Hi,

I got the same issue and I solved it by modifying the file:
/usr/local/etc/raddb/radiusd.conf

I replaced the line:
db_dir = $(raddbdir)

with:
db_dir = ${raddbdir}

I use FreeRADIUS 2.0.5 on FreeBSD 6.3.


[EMAIL PROTECTED] wrote:

  
Message: 2
Date: Thu, 13 Nov 2008 18:21:17 -0500
From: Ted Lum [EMAIL PROTECTED]
Subject: Re: rlm_counter: Failed to open file /etc/raddb/db.daily: Permission denied
To: Alan DeKok [EMAIL PROTECTED]
Cc: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

The default user and group have not been modified.
The server DOES NOT run as root. It always starts as root, but changes
itself.

...from radiusd.conf
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'radius'.

They are:

user = radiusd
group = radiusd

In fact, the db.daily file was created by the application and this is
the sole reason for the file's ownership being what it is.

In addition I have moved the location to /tmp where everyone has
permission and it still fails.

This is a ps after "service start radiusd":
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   6909     1  0 Nov12 ?        00:00:00 /usr/sbin/radiusd

This is a ps after "/usr/sbin/radiusd -X":
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   6998  6933  5 15:48 pts/0    00:00:00 /usr/sbin/radiusd -X

This is a ps after "strace /usr/sbin/radiusd":
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   7004     1  0 15:50 ?        00:00:00 /usr/sbin/radiusd

In all cases it's running as radiusd.

So, any more ideas on how to fix this?

-Ted-

Alan DeKok wrote:

Ted Lum wrote:

  Any idea how to fix this?

  Don't edit the default configuration files to break them.

  The default configuration files have the server running as root.
You've changed that to a user who does NOT have permission to read the
configuration files.

  Wed Nov 12 21:29:16 2008 : Error: rlm_counter: Failed to open file
/etc/raddb/db.daily: Permission denied

...

  /etc/raddb
-rw-------  1 radiusd radiusd 12312 Nov 12 21:29 db.daily

  The server isn't running as user "radiusd/radiusd".  Fix that.

  This works:
# /usr/sbin/radiusd -X

  Because you're running it as root.

  This works:
# strace /usr/sbin/radiusd

  Because you're running it as root.

  This does not work:
# service radiusd start
Starting RADIUS server:[FAILED]

  Because it changes UID's, and does not run as root.

  Alan DeKok.

  

  
  

  



-- 
Romain Mercier
Université d'Angers - Direction des Systèmes d'Information
Service Systèmes et Réseaux
Tel/Fax : 02-41-22-67-62/51
@ : [EMAIL PROTECTED]
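
The question the thread above leaves open is whether the user radiusd can actually reach db.daily once the server has dropped privileges: open() is refused not only by the file's own mode bits but by any directory on the path that the user cannot search. The script below is an added diagnostic, not FreeRADIUS code; it repeats the mode-bit part of the access(2) decision per path component for a given uid and group set, and demo() builds a constructed tree in a temporary directory rather than touching /etc/raddb.

```python
"""Per-component permission check: why can't uid X open this path?
Added diagnostic for this thread, not part of FreeRADIUS.  It mirrors the
mode-bit part of the kernel's access check (owner, group, other) and stops at
the first component that refuses the given uid."""
import os
import pwd
import tempfile


def _effective_bits(st, uid, gids):
    """rwx bits (as an int 0-7) that apply to uid/gids for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def explain_access(path, uid, gids, want=os.R_OK | os.W_OK):
    """Return (ok, reason).  Every directory on the way needs the search (x)
    bit; the final component needs 'want' (R_OK/W_OK bit values match the
    rwx bits on POSIX).  uid 0 bypasses mode bits, as the kernel does."""
    if uid == 0:
        return True, "uid 0 bypasses mode bits"
    parts = os.path.abspath(path).split(os.sep)[1:]
    current = os.sep
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return False, f"{current}: does not exist"
        bits = _effective_bits(st, uid, gids)
        mode = f"mode {oct(st.st_mode & 0o777)}, owner uid {st.st_uid}, gid {st.st_gid}"
        if i < len(parts) - 1:
            if not bits & os.X_OK:
                return False, f"{current}: directory not searchable for uid {uid} ({mode})"
        elif bits & want != want:
            return False, f"{current}: wanted {want:o}, got {bits:o} for uid {uid} ({mode})"
    return True, f"{current}: reachable and accessible for uid {uid}"


def explain_for_user(path, username, want=os.R_OK | os.W_OK):
    """Same check for a named account, e.g. the 'user = radiusd' of radiusd.conf."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return explain_access(path, pw.pw_uid, gids, want)


def demo():
    """Constructed tree shaped like /etc/raddb/db.daily: raddb is 0700 and the
    file 0600, both owned by whoever runs this.  Returns the verdict for the
    owner and for a different uid (the shape of the thread's failure)."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o711)
    raddb = os.path.join(top, "raddb")
    os.mkdir(raddb)
    os.chmod(raddb, 0o700)
    db = os.path.join(raddb, "db.daily")
    open(db, "wb").close()
    os.chmod(db, 0o600)
    st = os.stat(db)
    return (explain_access(db, st.st_uid, {st.st_gid}),
            explain_access(db, st.st_uid + 1, set()))


if __name__ == "__main__":
    import sys
    # usage: script.py /etc/raddb/db.daily radiusd   (or no arguments for demo())
    print(explain_for_user(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo())
```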

Re: hostapd + freeradius + windows users problem

2008-11-14 Thread Phil Mayers

Alan DeKok wrote:

Jouni Malinen wrote:

The following RFC 3580 Chapter 2.1 text is one reason for hostapd behavior:


  Hmm... OK.


As far as I can tell, that is describing multiple re-authentications
for a single RADIUS session. Should the Supplicant decide to change
its identity (e.g., switch between user and machine credentials)
without stopping the session (disassociate/EAPOL-Logoff), I don't see
how the Authenticator (NAS) should handle this case.


  That's really a problem with RADIUS.  There is no definition of what
defines a session.


It sounds like
you are asking to arbitrarily pick the first identity (or create a new
session, which would not comply with this RFC 3850 text) while hostapd
is arbitrarily picking the last used identity within the same session.


  Look at it from the point of view of the RADIUS server, or the
administrator running it.  A session starts, with a particular
User-Name, an Acct-Session-Id, and a bunch of other attributes
identifying the session.  Then at some later point, the same
Acct-Session-Id is used with a *different* set of attributes
identifying the session.

  This is confusing.


For what it's worth - the cisco lightweight wireless platform does the 
same thing (changes the username) and as you say, it's confusing. IMHO 
it's annoying and wrong. It renders the accounting much, much less 
useful for the legal purposes one might use it for i.e. identifying mis-use.


I think it's a mistake to conflate the wireless association with an 
802.1x session. It also seems clear to me that the passage referenced in 
RFC 3580, when it says "status of the session", really ought to include 
the username - if that's not part of the status, I don't know what is.



Service-Type based on Unix group of the user

2008-11-14 Thread Artur Rodrigues
 Hi,

I am running FreeRADIUS Version 1.1.7 for host i386-redhat-linux-gnu and I
have finally managed to get it to work. I use Allied Telesyn routers and
used SSH to authenticate to it. To get a more flexible method I decided to
go to RADIUS authentication, using the passwd of the server on which
FreeRADIUS is installed to authenticate the people who need to access the
router. Each person who accesses it has a Unix account on the server.

My users file is:

DEFAULT Auth-Type = System
        Service-Type = 7,
        Login-Service = Telnet

The main problem now is that not everyone who has an account on the server
should be able to access the router. So I wanted to change the Service-Type
parameter according to the group of each user. Is that possible?

Thank you for your support and sorry for the bad English.

EAP and server certificate

2008-11-14 Thread Damjan
Just to be sure, all EAP types require the RADIUS server to have a
certificate, right?

And this certificate, i.e. its parent, needs to be installed in the
supplicants, right?


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] 
 -- not my mail address, it's a Jabber ID --^ :)

Re: hostapd + freeradius + windows users problem

2008-11-14 Thread Alan DeKok
Jouni Malinen wrote:
 The exact behavior here depends on the definition of session. From
 hostapd viewpoint, IEEE 802.11 association is the session and there is
 nothing that would prevent the Supplicant from changing its identity
 string (User-Name in RADIUS) during the re-association if an EAPOL
 reauthentication occurs (either from client/Supplicant request as is
 the case here or based on Authenticator timer). Sure, that definition
 of session could be modified to arbitrarily start a new session
 should the Supplicant decide to use a different identity in
 re-authentication within the same association, but I would like to see
 a specific requirement for this in an RFC before changing hostapd
 behavior.

  Hostapd should not change.  The supplicants that change Identity in
the middle of a session need to be fixed.

  Alan DeKok.


Re: hostapd + freeradius + windows users problem

2008-11-14 Thread Jouni Malinen
On Fri, Nov 14, 2008 at 1:41 AM,  [EMAIL PROTECTED] wrote:
 b. The authorizations are changed as a result of a successful
  re-authentication.  In this case, the Service Unavailable (15)
  termination cause is used.  For accounting purposes, the portion
  of the session after the authorization change is treated as a
  separate session.

 It would be quite reasonable to interpret change of user credentials as
 change of authorization.

It may look like that in some cases, but I do not think that this
would be a generic solution. NAS does not simply have enough
information to figure out when authorization changes (whatever that
exactly means). One example of a changing public (i.e., visible to
NAS) user identity is in EAP-SIM and EAP-AKA which support identity
privacy and fast re-authentication using a temporary identity that is
sent in EAP-Response/Identity. If IEEE 802.1X Authenticator triggers
reauthentication during the same 802.11 association, the User-Name
attribute will change even though the real credentials (SIM/USIM)
remain the same. NAS has no way of knowing this; only AS and
Supplicant know how to map the temporary identity to the permanent
identity for the same credential.

- Jouni
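
Alan's point above is that an administrator has to key sessions on a collection of attributes, and that a User-Name change inside one Acct-Session-Id then either shows up as an identity change or, when User-Name is part of the key, breaks the session into fragments. The script below is an added example, not FreeRADIUS code, that runs both views over a constructed detail-file excerpt; a flagged change is something to look at rather than proof of misuse, since, as Jouni notes, EAP-SIM/AKA pseudonyms change legitimately.

```python
"""Find accounting sessions whose User-Name changed between Start and Stop,
and show what keying sessions on User-Name does to them.  Added example for
this thread, not FreeRADIUS code; the detail-file records are constructed."""
from collections import defaultdict

# Constructed detail-file excerpt: one 802.11 association on which the Windows
# supplicant authenticated as the machine account and later re-authenticated
# as the user, plus an unrelated session on another NAS that happens to reuse
# the same Acct-Session-Id (the "broken NAS" case Alan mentions).
DETAIL_LOG = """\
Fri Nov 14 08:00:01 2008
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tUser-Name = "host/filteria"
\tNAS-IP-Address = 192.0.2.10
\tCalling-Station-Id = "00-11-22-33-44-55"

Fri Nov 14 08:05:01 2008
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "0000001A"
\tUser-Name = "goa"
\tNAS-IP-Address = 192.0.2.10
\tCalling-Station-Id = "00-11-22-33-44-55"

Fri Nov 14 08:45:13 2008
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tUser-Name = "goa"
\tNAS-IP-Address = 192.0.2.10
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Terminate-Cause = User-Request

Fri Nov 14 08:10:00 2008
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.11
\tCalling-Station-Id = "66-77-88-99-AA-BB"

Fri Nov 14 08:30:00 2008
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.11
\tCalling-Station-Id = "66-77-88-99-AA-BB"
"""


def parse_detail(text):
    """Split a detail file into dicts, one per record: a timestamp line opens a
    record, indented 'Attribute = value' lines fill it."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {"_time": line.strip()}
            records.append(current)
        else:
            attr, _, value = line.strip().partition(" = ")
            current[attr] = value.strip('"')
    return records


# Acct-Session-Id alone is not safe (NASes reuse it), so key on a collection.
SESSION_KEY = ("NAS-IP-Address", "Calling-Station-Id", "Acct-Session-Id")


def group_sessions(records, key_attrs):
    sessions = defaultdict(list)
    for rec in records:
        sessions[tuple(rec.get(a) for a in key_attrs)].append(rec)
    return dict(sessions)


def identity_changes(records):
    """Sessions (keyed without User-Name) whose User-Name changed mid-session,
    mapped to the sequence of names seen.  A hit needs a human look: Windows
    machine-to-user switches and EAP-SIM/AKA pseudonyms both produce it."""
    hits = {}
    for key, recs in group_sessions(records, SESSION_KEY).items():
        names = []
        for rec in recs:
            name = rec.get("User-Name")
            if name and (not names or names[-1] != name):
                names.append(name)
        if len(names) > 1:
            hits[key] = names
    return hits


def unpaired(records):
    """What accounting that keys on User-Name as well sees: the renamed
    session falls apart into fragments that lack a Start or a Stop."""
    broken = {}
    for key, recs in group_sessions(records, SESSION_KEY + ("User-Name",)).items():
        kinds = {rec.get("Acct-Status-Type") for rec in recs}
        if not {"Start", "Stop"} <= kinds:
            broken[key] = sorted(kinds)
    return broken


if __name__ == "__main__":
    recs = parse_detail(DETAIL_LOG)
    for key, names in identity_changes(recs).items():
        print("identity changed within session", key, " -> ".join(names))
    for key, kinds in unpaired(recs).items():
        print("fragment when keyed on User-Name too:", key, kinds)
```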


[main_pool] Could not find Pool-Name attribute

2008-11-14 Thread robbe

Hello

I'm trying to use the ippool for WLAN users. But without success.
I now get this error: "[main_pool] Could not find Pool-Name attribute".
And I have no idea why.

The logfile can be read at:
http://pastebin.com/m50a78a30

Thanks for any help.

robbe



Re: Service-Type based on Unix group of the user

2008-11-14 Thread tnt
Then move reply attributes to a different DEFAULT entry:

DEFAULT   Auth-Type = System
          Fall-Through = yes

DEFAULT   Group = whatever
          Service-Type = whatever

Ivan Kalik
Kalik Informatika ISP


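
tnt's two-entry layout relies on the files module trying entries in order and on Fall-Through = yes letting the second DEFAULT entry add reply items only for group members. The script below is an added example, not part of FreeRADIUS, that models those rules over a constructed users file and group table; it goes one step beyond the answer by ending with an explicit Auth-Type := Reject entry so that accounts outside the group are refused rather than merely left without a Service-Type (Service-Type 7 in Artur's file is NAS-Prompt-User).

```python
"""Model of the files module rules tnt's answer relies on: entries are tried
in order, the first whose check items all match is applied, and matching
stops there unless that entry's reply items include Fall-Through = yes.
Added example for this thread, not FreeRADIUS code; the users file and the
group table are constructed."""
import re

# Constructed users file.  Entry 1 sets Auth-Type for everyone and falls
# through; entry 2 adds the router reply items only for members of the
# routeradmins group; entry 3 (beyond tnt's answer) rejects everyone else.
USERS_FILE = """\
DEFAULT   Auth-Type = System
          Fall-Through = yes

DEFAULT   Group == "routeradmins"
          Service-Type = NAS-Prompt-User,
          Login-Service = Telnet

DEFAULT   Auth-Type := Reject
          Reply-Message = "Not authorised for router access"
"""

# Constructed stand-in for the /etc/group lookups the Group check does.
UNIX_GROUPS = {"routeradmins": {"alice"}, "users": {"alice", "bob"}}

_ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)\s*')


def _parse_items(text):
    """'Attr op value, Attr op value' -> [(attr, op, value)]; no commas inside quotes."""
    items = []
    for part in text.split(","):
        m = _ITEM.fullmatch(part)
        if m:
            items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items


def parse_users(text):
    """[(name, check_items, reply_items)] in file order.  A line starting in
    column 0 is 'name check, check...'; indented lines carry reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            entries.append((name, _parse_items(rest), []))
        else:
            entries[-1][2].extend(_parse_items(line))
    return entries


def evaluate(entries, user, groups=UNIX_GROUPS):
    """Return (control, reply) for user.  '==' check items compare against the
    request (Group via group membership); '=' sets a control item only if it
    is still unset and ':=' always sets it."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", user):
            continue
        pending, matched = {}, True
        for attr, op, value in checks:
            if op == "==":
                if attr == "Group":
                    matched = user in groups.get(value, set())
                elif attr == "User-Name":
                    matched = value == user
                else:
                    matched = False        # attribute not modelled: no match
                if not matched:
                    break
            elif op == ":=" or attr not in control:
                pending[attr] = value
        if not matched:
            continue
        control.update(pending)
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for who in ("alice", "bob"):
        print(who, evaluate(entries, who))
```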


Freeradius and old ACC/Ericsson Tigris

2008-11-14 Thread Ian Harper
I am upgrading an old machine to a newer version of FreeRadius and I am
having a few problems.

On the old system the user file was similar to:

 user1  Password=whatever
 user2  Password=kdkdkd
 etc

I have tried to copy this idea over to the new version along with the old
dictionaries but it's not working; it reports everything is ok but when we
dial in to authenticate using radiusd -X we get messages reporting

No authenticate method (Auth-Type) config found for the request, what should
I set it to?

Also if I try a radtest using the same username/password, it reports unknown
attribute User-Password.

Can anyone help me with this?

Thanks

Ian

Re: [main_pool] Could not find Pool-Name attribute

2008-11-14 Thread tnt
You have not enabled the module which is supposed to provide Pool-Name
from the configuration in inner-tunnel. But forget that. AP is going to
use DHCP to assign IP address and will ignore Framed-IP-Address.

Ivan Kalik
Kalik Informatika ISP



Re: Referencing a redundant-load-balance set within users file

2008-11-14 Thread tnt
Change use_tunneled_reply to yes in peap section of eap.conf.

Ivan Kalik
Kalik Informatika ISP

On 14/11/2008, Tod A. Sandman [EMAIL PROTECTED] wrote:

 Ivan Kalik wrote:
 Why don't you map that in ldap.attrmap?

Thanks so much.  I removed all LDAP settings from users, and I have
TTLS-PAP working fine with redundant LDAP for authorization and
Kerberos for authentication.

Now I can't get the only other mode we need: PEAP/MSChapv2.  LDAP
authorization is working fine, and the ntlm_auth authentication works
fine, but required attributes are not being sent back in the
Access-Accept packet.

Unlike when I connect via TTLS-PAP, the Access-Accept does not include
some required attributes.  The debug output shows them getting set
properly within sites-enabled/inner-tunnel and getting updated with
update outer.reply, but they get dropped before the Access-Accept
packet.

I haven't touched sites-enabled/default.

I enabled ldap in sites-enabled/inner-tunnel, and afterwards I do
an update outer.reply, i.e.:

redundant-load-balance redundant_ldap {
        ldap1
        ldap2
        ldap3
}

update outer.reply {
        Cisco-AVPair := "%{reply:Connect-Info}"
        Class := "OU=%{reply:Connect-Info}"
}

and the debug output shows this working.

But the Access-Accept does not include these attributes as it does
when I use TTLS-PAP.

I tried moving the update outer.reply to the post-auth section, but
this did not help.

My config is quite close to the default.  The only PEAP related change
I made was to update modules/mschap with the correct ntlm_auth line.

Thanks for any ideas.



Tod Sandman
Sr. Systems Administrator
Middleware Development & Integration
Rice University





Re: Freeradius and old ACC/Ericsson Tigris

2008-11-14 Thread tnt
I am upgrading an old machine to a newer version of FreeRadius and I am
having a few problems.

On the old system the user file was similar to:

 user1  Password=whatever
 user2  Password=kdkdkd
 etc

I have tried to copy this idea over to the new version along with the old
dictionaries but it's not working,

Don't do that.  Don't butcher the new installation. Instead, copy the
entries from the old users file and adapt them to the new format:

user1   Cleartext-Password := "whatever"

You don't need to set Auth-Type in new version - server does that by
itself.

Ivan Kalik
Kalik Informatika ISP



FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
Hello,

I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

I'm trying to figure out how to configure FreeRADIUS to authenticate against an 
OpenLDAP server using MSCHAPv2.  I Googled a lot of different phrases, and came 
up with some things that were mildly helpful.  Right now, I have FreeRADIUS 
authenticating against the LDAP server without using MSCHAPv2, but I'm not 
understanding how to now activate the MSCHAPv2 part.

Can anyone point me towards some information about activating MSCHAPv2 in this 
kind of setup?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

I'm trying to figure out how to configure FreeRADIUS to authenticate against 
an OpenLDAP server using MSCHAPv2.  I Googled a lot of different phrases, and 
came up with some things that were mildly helpful.  Right now, I have 
FreeRADIUS authenticating against the LDAP server without using MSCHAPv2, but 
I'm not understanding how to now activate the MSCHAPv2 part.

Can anyone point me towards some information about activating MSCHAPv2 in this 
kind of setup?


There is nothing to do. It's already active in default configuration.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
 There is nothing to do. It's already active
 in default configuration.

Really?  Because the default config seems to want to use ntlm_auth to 
authenticate mschapv2 users, which is a samba helper designed to authenticate a 
user against a samba server, not an OpenLDAP server.

I'm thinking what I need is a replacement for ntlm_auth that goes against an 
OpenLDAP server rather than using the samba libraries, no?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354




Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
 There is nothing to do. It's already active
 in default configuration.

Really?  Because the default config seems to want to use ntlm_auth to 
authenticate mschapv2 users, which is a samba helper designed to authenticate 
a user against a samba server, not an OpenLDAP server.


ntlm_auth line is commented out by default.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
 ntlm_auth line is commented out by default.

Ok, I see that.

From what I understand, MSCHAPv2 needs access to the unencrypted user 
password, and OpenLDAP doesn't offer that.  I'm guessing I'll have to add an 
unencrypted password field to the LDAP server to make this work, but that's 
not been made clear in any documentation.

And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP 
server as opposed to text files or PAM?

I'm attaching my radiusd.conf to this e-mail, any comments would be greatly 
appreciated.  I stripped out all the comments and removed the modules I wasn't 
using (like SQL stuff and unix/PAM/etc).

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354





RE: hostapd + freeradius + windows users problem

2008-11-14 Thread Dajul Goa
 Hostapd should not change.  The supplicants that change Identity in
 the middle of a session need to be fixed.

I've tried with Ubuntu machine and it's doing things as expected so I can
keep tracking users login time and bandwidth(although sometimes there are no
User-Request inside Termination Cause, but that's not important to me).

It's known there are many Windows machines all over there, I don't know how
people aren't having this issue with supplicant.

As I can see, there is not much to do with hostapd/freeradius config to solve
this (I think EAP-AKA and EAP-SIM aren't designed for my network setup).

Thanks for all comments.



2.0.5 - complex multi-ldap server, multi-branch authentication/authorization needed

2008-11-14 Thread Paul, Craig Allen
We seek to take advantage of FreeRadius 2.0.5's ability to run multiple
virtual servers.
All our other servers are working except one, which has a complex
authentication.
 
As a stand-alone configuration this looks as follows:

## MODULES CONFIGURATION  ##

modules {
    ldap dirnet {
        server = "directory.sub.main.com"
        port = 389
        identity = "cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
        password = xx
        basedn = "ou=network,dc=main,dc=com"
        filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        .
        .
        .
        groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))"
        .
        .
    }

    ldap dirnode {
        server = "directory.main.com"
        port = 389
        identity = "cn=wireless-agent,ou=agents,ou=Academic Computing,ou=units,dc=main,dc=com"
        password = yyy
        basedn = "dc=main,dc=com"
        filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"

        groupmembership_filter = "(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))"
        groupmembership_attribute = eduPersonEntitlement
        groupname_attribute = eduPersonEntitlement
        access_attr = uid
        .
        .
        .
    }
}

server {
    authenticate {
        ## Use LDAP Authentication
        Auth-Type DIRNODE {
            dirnode
        }
        Auth-Type DIRNET {
            dirnet
        }
    }

    authorize {
        ## Use LDAP Authorization via files config in 'users'
        files
    }
}

And the users file looks like

DEFAULT dirnet-Ldap-Group == "cn=AuthorizedGuestVendorMAINAnywhereUsers,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type := DIRNET
        Class = "%{dirnet:ldap:///ou=authaccounts,ou=network,dc=main,dc=com?eduPersonEntitlement?sub?uid=%{User-Name}}",
        Fall-Through = no

DEFAULT dirnet-Ldap-Group == "cn=VPNPHONES,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type := DIRNET
        Class = "urn:mace:main.com:RINGS:group:main_anywhere:vpnphone",
        Fall-Through = no

DEFAULT User-Profile := "uid=%{Stripped-User-Name:-%{User-Name}},ou=authaccounts,dc=main,dc=com", Auth-Type := DIRNODE
        Class = "%{dirnode:ldap:///ou=authaccounts,dc=main,dc=com?eduPersonEntitlement?sub?uid=%{User-Name}}",
        Fall-Through = no

DEFAULT Auth-Type := REJECT
        Reply-Message = "User Login Rejected"
 
--
 
I've gotten as far as:

modules {
    ## LDAP Server configuration
    ldap {
    }
    ## LDAP User-to-Group mapping
    files {
        usersfile = ${confdir}/guest_vendor_mainanywhere_users
        acctusersfile = /dev/null
        preproxy_usersfile = /dev/null
        compat = no
    }
}
authenticate {
    ## Use LDAP Authentication  (entry in modules/ldap)
    Auth-Type LDAP {
        dirnode
    }
    Auth-Type LDAP {
        dirnet
    }
}

authorize {
    ## Use LDAP Authorization via files config in 'users' (entry in modules/ldap)
    dirnode
    dirnet
}

and the ldap file entries as

ldap dirnet {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = "directory.sub.main.com"
    port = 389
    identity = "cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
    password = xx
    basedn = "ou=network,dc=main,dc=com"
    filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    .
    .
    .
    groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))"
    .
    .
}

ldap dirnode {
    server = "directory.main.com"
    port = 389
    identity = "cn=wireless-agent,ou=agents,ou=Academic Computing,ou=units,dc=main,dc=com"
    password = yyy
    basedn = "dc=main,dc=com"
    filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"

    groupmembership_filter = "(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))"
    groupmembership_attribute = eduPersonEntitlement
    groupname_attribute = eduPersonEntitlement
    access_attr = uid
    .
    .
    .
}
 
with the users file intact
 
Any suggestions as to how to configure, especially the authorize
section to allow trying both dirnode and dirnet would be welcome.
(As it is now, dirnode auth works, but dirnet 

Re: Service-Type based on Unix group of the user

2008-11-14 Thread Artur Rodrigues
Thank you. I'll try it out.


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
 ntlm_auth line is commented out by default.

Ok, I see that.

From what I understand, MSCHAPv2 needs access to the unencrypted user 
password, and OpenLDAP doesn't offer that.  I'm guessing I'll have to add an 
unencrypted password field to the LDAP server to make this work, but that's 
not been made clear in any documentation.


Yes, it needs clear text or NT hashed password. You can store plain text
in userPassword.

http://deployingradius.com/documents/protocols/compatibility.html

And, how do you tell the FreeRADIUS eap/peap/MSCHAPv2 client to use the LDAP 
server as opposed to text files or PAM?


By listing ldap in authorize.

I'm attaching my radiusd.conf to this e-mail, any comments would be greatly 
appreciated.  I stripped out all the comments and removed the modules I wasn't 
using (like SQL stuff and unix/PAM/etc).

And so much more (peap is misconfigured, as is ldap, mschap auth type is
gone, there is nothing to get the password from ...). That will not work.

Get the server working with the default configuration. Remove one thing
at a time, testing that the server can start and authenticate users
(and reject when needed). You have also removed all the logging and
accounting so you will have no idea what the server is doing.

And use the current version. This is something old.

Ivan Kalik
Kalik Informatika ISP

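
tnt's point above is that MS-CHAPv2 can only be verified from the cleartext password or its NT hash, so a salted one-way LDAP userPassword ({SSHA} and the like) cannot serve it. Storing the NT hash rather than the cleartext is the narrower of the two options, although an NT hash is itself password-equivalent for MS-CHAPv2 and the attribute needs the same access controls as a cleartext password would. The script below is an added example, not code from the thread or from FreeRADIUS, that derives the hash (MD4 over the UTF-16LE password) and emits the LDIF that sets it; the DN, the sambaNTPassword attribute and its ldap.attrmap mapping to NT-Password are assumptions to check against your own schema.

```python
"""NT hash (MD4 over UTF-16LE) for an LDAP entry that must serve MS-CHAPv2.
Added example for this thread; not FreeRADIUS or Samba code.  MD4 is
implemented here because hashlib often lacks it on OpenSSL builds that
disable legacy digests."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _F(x, y, z):
    return (x & y) | (~x & z)


def _G(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _H(x, y, z):
    return x ^ y ^ z


# (function, additive constant, per-step shifts, message-word order), RFC 1320
_ROUNDS = (
    (_F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (_G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (_H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4; returns the 16-byte digest."""
    bit_len = len(data) * 8
    # pad to 56 mod 64 after the 0x80 byte, then the little-endian bit length
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = list(state)
        for func, const, shifts, order in _ROUNDS:
            for i, k in enumerate(order):
                j = (-i) % 4                       # the ABCD, DABC, CDAB, BCDA rotation
                v[j] = _rotl((v[j] + func(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + x[k] + const) & _MASK, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as rlm_mschap expects in NT-Password: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ldif_set_nt_hash(dn: str, password: str) -> str:
    """LDIF 'modify' that writes sambaNTPassword (upper-case hex) on the entry.
    Assumes (not verified here) that the entry carries the Samba objectClass
    and that ldap.attrmap maps sambaNTPassword to NT-Password; dn is a
    constructed value."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: sambaNTPassword\n"
            f"sambaNTPassword: {nt_hash(password).hex().upper()}\n")


if __name__ == "__main__":
    import getpass
    import sys
    # usage: script.py "uid=alice,ou=people,dc=example,dc=com"  (password prompted)
    print(ldif_set_nt_hash(sys.argv[1], getpass.getpass("password: ")))
```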


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Tim Gustafson
 And so much more (peap is misconfigured, as is ldap,
 mschap auth type is gone, there is nothing to get
 the password from ...). That will not work.

I have fixed that; the copy that I sent you was indeed broken.  I can now 
authenticate using standard (non-MSCHAP) authentication against the LDAP 
server.  I haven't been able to get the radeapclient program working yet - it 
keeps crashing with an error that apparently was fixed in 1.1.5, but I don't 
have that version.

 And use current version. This is something old.

radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on May 
10 2007 at 12:30:17

This is what was provided when I did a yum install freeradius on a new CentOS 
5.2 box.  Because of the nature of the network here, I'm strongly discouraged 
from using anything other than Yum and the base CentOS repositories to install 
packages, since there are a dozen or so people here that all have to be able 
to administer these machines over the long-term.  I'll try to e-mail the 
package maintainers for CentOS, but I'm not holding my breath.

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354



Re: rlm_counter: Failed to open file /etc/raddb/db.daily:, Permission denied

2008-11-14 Thread Ted Lum
Wow, had to look at that for a while before I spotted the difference. 
Mine, however, already uses {}, so that's not it either. Thanks though.


-Ted-

Romain Mercier wrote:

Hi,

I got the same issue and I solved it by modifying the file
/usr/local/etc/raddb/radiusd.conf

I replaced the line:
db_dir = $(raddbdir)

with:
db_dir = ${raddbdir}

I use FreeRADIUS 2.0.5 on FreeBSD 6.3


[EMAIL PROTECTED] wrote:

Message: 2
Date: Thu, 13 Nov 2008 18:21:17 -0500
From: Ted Lum [EMAIL PROTECTED]
Subject: Re: rlm_counter: Failed to open file /etc/raddb/db.daily:
Permission denied
To: Alan DeKok [EMAIL PROTECTED]
Cc: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

The default user and group have not been modified.
The server DOES NOT run as root. It always starts as root, but changes 
itself.


...from radiusd.conf
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'radius'.

 They are:

user = radiusd
group = radiusd

In fact, the db.daily file was created by the application and this is 
the sole reason for the file's ownership being what it is.


In addition I have moved the location to /tmp where everyone has 
permission and it still fails.


This is a ps after service start radiusd:
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   6909     1  0 Nov12 ?        00:00:00 /usr/sbin/radiusd

This is a ps after /usr/sbin/radiusd -X:
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   6998  6933  5 15:48 pts/0    00:00:00 /usr/sbin/radiusd -X

This is a ps after strace /usr/sbin/radiusd:
UID        PID  PPID  C STIME TTY          TIME CMD
radiusd   7004     1  0 15:50 ?        00:00:00 /usr/sbin/radiusd

In all cases its running as radiusd.

So, any more ideas on how to fix this?

-Ted-

Alan DeKok wrote:

Ted Lum wrote:

Any idea how to fix this?

  Don't edit the default configuration files to break them.

  The default configuration files have the server running as root.
You've changed that to a user who does NOT have permission to read the
configuration files.

Wed Nov 12 21:29:16 2008 : Error: rlm_counter: Failed to open file
/etc/raddb/db.daily: Permission denied

...

/etc/raddb
-rw-------  1 radiusd radiusd 12312 Nov 12 21:29 db.daily

  The server isn't running as user radiusd/radiusd.  Fix that.

This works:
# /usr/sbin/radiusd -X

  Because you're running it as root.

This works:
# strace /usr/sbin/radiusd

  Because you're running it as root.

This does not work:
# service radiusd start
Starting RADIUS server:   [FAILED]

  Because it changes UID's, and does not run as root.

  Alan DeKok.

--





Romain Mercier

Université d'Angers - Direction des Systèmes d'Information
Service Systèmes et Réseaux
Tel/Fax : 02-41-22-67-62/51
@ : [EMAIL PROTECTED]


--
This message has been scanned for viruses and
dangerous content by *MailScanner* http://www.mailscanner.info/, and is
believed to be clean.








Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread Alan DeKok
Tim Gustafson wrote:
 I have fixed that; the copy that I sent you was indeed broken.  I can now 
 authenticate using standard (non-MSCHAP) authentication against the LDAP 
 server.  I haven't been able to get the radeapclient program working yet - it 
 keeps crashing with an error that apparently was fixed in 1.1.5, but I don't 
 have that version.

  Run eapol_test from wpa_supplicant instead of radeapclient.  It's better.

  See my web site for instructions on doing this.

 And use current version. This is something old.
 
 radiusd: FreeRADIUS Version 1.1.3, for host i686-redhat-linux-gnu, built on 
 May 10 2007 at 12:30:17
 
 This is what was provided when I did a yum install freeradius on a new 
 CentOS 5.2 box.  Because of the nature of the network here, I'm strongly 
 discouraged from using anything other than Yum and the base CentOS 
 repositories to install packages, since there are a dozen or so people here 
 that all have  to be able to administer these machines over the long-term.  
 I'll try to e-mail the package maintainers for CentOS, but I'm not holding my 
 breath.

  If you're not paying someone for CentOS support, install FreeRADIUS
2.1.1.  That's really the only version *we* can support.

  Alan DeKok.
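The reply above points at eapol_test as the tool for driving an EAP exchange against the server. The script below is an added example, not code from the post, from Alan's site or from the FreeRADIUS project: it generates a wpa_supplicant network block for PEAP with an MSCHAPv2 inner method and runs one authentication with eapol_test. The server address, shared secret, user name and password are assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not code from the list post or from the FreeRADIUS project:
# exercise a FreeRADIUS server with PEAP and an MSCHAPv2 inner method using
# eapol_test, the RADIUS/EAP client built from the wpa_supplicant tree
# (set CONFIG_EAPOL_TEST=y in .config, then "make eapol_test").
# Server, secret, user and password are assumptions; override via environment.

RADIUS_SERVER="${RADIUS_SERVER:-127.0.0.1}"   # assumed: server under test
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"  # assumed: this client's secret in clients.conf
TEST_USER="${TEST_USER:-bob}"                  # assumed: an LDAP user
TEST_PASS="${TEST_PASS:-hello}"                # assumed: that user's password

# peap_conf USER PASS: print a wpa_supplicant network block for PEAP with
# MSCHAPv2 inside the TLS tunnel. The outer identity is anonymous so the
# real user name only travels inside the tunnel. No ca_cert is set here so
# a lab server with a self-signed certificate can be tested; a deployed
# supplicant must set ca_cert, otherwise it will run its MSCHAPv2 exchange
# with any server that presents a certificate.
peap_conf() {
    cat <<EOF
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$1"
    anonymous_identity="anonymous"
    password="$2"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
EOF
}

# run_peap_test: write the config to a temporary file, run one
# authentication against the server and return eapol_test's exit status
# (zero only when the EAP exchange finished with Access-Accept and the
# client received the MPPE keys). -t bounds the wait for a silent server.
run_peap_test() {
    conf=$(mktemp) || return 1
    peap_conf "$TEST_USER" "$TEST_PASS" > "$conf"
    eapol_test -c "$conf" -a "$RADIUS_SERVER" -p 1812 -s "$RADIUS_SECRET" -t 5
    rc=$?
    rm -f "$conf"
    return $rc
}

# Only talk to the network when invoked as "sh this.sh run"; otherwise just
# define the functions so the config generator can be inspected or tested.
if [ "${1:-}" = "run" ]; then
    if run_peap_test; then
        echo "PEAP/MSCHAPv2 for $TEST_USER: SUCCESS"
    else
        echo "PEAP/MSCHAPv2 for $TEST_USER: FAILURE (watch radiusd -X on the server)"
    fi
fi
```

Run it with `sh peap-test.sh run` while `radiusd -X` is running on the server, so the server-side debug output of the same exchange is visible. One caveat that applies directly to an LDAP backend: MSCHAPv2 is a challenge/response over the NT hash, so rlm_mschap needs the user's cleartext or NT-hashed password available to the server; an LDAP directory that only permits a bind can authenticate PAP inside a tunnel but not MSCHAPv2.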


Re: rlm_counter: Failed to open file /etc/raddb/db.daily:, Permission denied

2008-11-14 Thread Ted Lum
SOLVED: Found the problem. It's the dreaded SELinux. It's tripping over 
one of the policies.


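The thread ends with the cause being an SELinux policy, after several rounds of checking UIDs and file ownership. The script below is an added example, not code from the thread or from FreeRADIUS: it is the check that turns "Permission denied under the right UID" into a specific AVC record, so the fix can target the denied label instead of loosening enforcement. The audit record it parses is constructed for illustration; the PID, path and security contexts in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeRADIUS.
# When a daemon runs under the intended UID (ps shows radiusd), the file is
# owned by that user, yet open() still fails with EACCES, the next suspect
# is a mandatory access control denial. This script pulls the AVC records
# for the process out of the audit log so the fix targets the actual
# denial instead of "setenforce 0".

# avc_denials: read audit records on stdin, print one line per AVC denial:
#   <comm> <permission(s)> <object name> <target context>
avc_denials() {
    sed -n 's/^.*avc: *denied *{ \([^}]*\) } for .*comm="\([^"]*\)" .*name="\([^"]*\)" .*tcontext=\([^ ]*\) .*$/\2 \1 \3 \4/p'
}

# selinux_blocking COMM NAME: succeed when the audit text on stdin contains
# a denial for process COMM on object NAME.
selinux_blocking() {
    avc_denials | grep -q "^$1 [a-z_ ]* $2 "
}

# Constructed audit record (assumption: not captured from the poster's host).
# It shows the shape such a denial takes if /etc/raddb/db.daily carries a
# label that radiusd_t is not allowed to write; etc_t here is an assumption.
SAMPLE_AUDIT='type=AVC msg=audit(1226526556.301:4521): avc:  denied  { write } for  pid=6909 comm="radiusd" name="db.daily" dev=sda2 ino=393451 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# live_check: the same test against the running host. "ausearch -m avc -c"
# narrows the log to AVC records for one command; matchpathcon prints the
# label the loaded policy expects for the path, so a mismatch with ls -Z
# means restorecon is the fix rather than a new policy module.
live_check() {
    getenforce
    ausearch -m avc -c radiusd -ts today 2>/dev/null | avc_denials
    ls -Z /etc/raddb/db.daily
    matchpathcon /etc/raddb/db.daily
}

if [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_denials
elif [ "${1:-}" = "live" ]; then
    live_check
fi
```

`sh selinux-check.sh sample` runs the parser over the constructed record; `sh selinux-check.sh live` queries the host. If the tcontext in the denial differs from what matchpathcon reports, `restorecon -v /etc/raddb/db.daily` relabels it; if the expected label itself is one the daemon may not write, the counter file belongs in a directory the distribution's policy marks writable for radiusd (which type that is depends on the policy shipped). If no AVC appears at all, the rule may be dontaudit; `semodule -DB` makes those denials visible until `semodule -B`. audit2allow will happily generate a module from the record, but a rule such as allowing radiusd_t to write etc_t files covers every etc_t file, most of /etc, not just db.daily, so the label fix is the one to prefer.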


PEAP-EAP-MD5 failure with freeradius-2.1.1

2008-11-14 Thread Prasad Parab
Dear All,

Kindly help with the following setup:

SETUP:

  wifi client (Windows XP Service Pack 2)  ---  AP  ---  freeradius-2.1.1 on Red Hat Fedora 9
  auth type: PEAP-EAP-MD5
  WPA-Enterprise (external RADIUS server)
  user: client
  password: test123

I am trying to use WPA-Enterprise with PEAP/EAP-MD5 as the authentication type and
freeradius-2.1.1 as the external RADIUS server.
It fails to authenticate.
Attached are the log files and wireshark captures from freeradius-2.1.1.

Regards
Prasad
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=90, 
length=182
User-Name = client
NAS-IP-Address = 192.168.0.199
NAS-Identifier = test.5gwireless.com
NAS-Port = 0
Called-Station-Id = 00-0B-6B-87-01-BD:test
Calling-Station-Id = 00-1C-F0-9B-64-E5
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x020300061900
State = 0x49595b094b5a4202775fa048860f1f11
Message-Authenticator = 0x536599f560d86a4c509be7a69f47084e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = client, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.0.199 port 1376
EAP-Message = ...
EAP-Message = 
0xcae6ec2286040c046c79931d291755387e002808e0d95d2c0276f20623955173768285a1e80665364ff7971f05d91421dbcac745d421f74d28730001020080c919d0d6645d3629a3339f2d830832bbd4d18f0f6932285a063c7732540f1d037a53528fa61ea6c751eac9e64141a8c884c4221494a1619edb4ef83e08ef7b5500d970762ea5821e5a12e46ecb12aab281bebba9af5c94d4458e78928fcfef5629f6fc381ce9804832e54463a92fb03f425ce27eed791932585d670bbc1339db01000b33870443ed640a21bc007ff5481a947ea18bafcd5af55b3f00f0a03ec504e2cf093e8d506f1d1916c1d82c7b26db60eaab7ed89cc760559eaf144d
EAP-Message = 
0xaa038d4d59aaac90489b936a6fe2cdb931214fa2fb22d5fd999d8fd41c3438918c17d5d4a415a7cf91de037c318d1183f3aa98e2bfbe642cefdfc8ce6c3163862323baf4f9eb9e9ad175d106d4ced3679a46a2bf67572ba12b6631cf3aadf43b34121fa915fee0ccf9f5aa322e70600c47eefbe0070a08ac77ff117f548d38fe62401c32263aa9a30f9e2d30a39af60e79355c4a3989bd659676f2de96174cfd7ea3e40d48d3ba5d76dfc89f95ec3013e068cab6abe6b55a43639c385b8933d5a967b94116030100040e00
Message-Authenticator = 0x
State = 0x49595b094a5d4202775fa048860f1f11
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.199 port 1376, id=91, 
length=376
User-Name = client
NAS-IP-Address = 192.168.0.199
NAS-Identifier = test.5gwireless.com
NAS-Port = 0
Called-Station-Id = 00-0B-6B-87-01-BD:test
Calling-Station-Id = 00-1C-F0-9B-64-E5
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 
0x020400c8198000be160301008610820080921071c4c63cc4670634284452c1843e64dc3503e4ff15ab50d3402443f221d512966eeb9c8321a6b2f2dbda5960513a8deff8b54a3e38daac6ed006819df33f60a272ed93cbeca74ffd0ff7d22e22fb61ea177d938ad361b83fa9be6c6f332469d83657361268ef9c6b9e34a85ce3772395a5f127c1e08383c210aa7867f5ef140301000101160301002895b81e66dbea1f5ae2271fa4ed91741693c7d1fc4bc0b1449f2f68cba0fc095c56725f85057164f1
State = 0x49595b094a5d4202775fa048860f1f11
Message-Authenticator = 0xde20d26aea8d5ecf5fe8fd8e38f5414d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = client, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 4 length 200
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap