Re: free RADIUS server + return class attribute
I want to configure the freeRADIUS server to return the CLASS attribute in the ACCESS-ACCEPT message. I tried adding the attribute for a user in the users file:

vinay Auth-type:=CHAP,User-Password=vinay,Class=Admin

The attribute is parsed. But when I try to connect with a RADIUS client, the freeRADIUS server crashes. What is the correct method of passing attributes from the RADIUS server to the RADIUS client?

Reading instructions in a file you are editing tends to help. Or man pages (man 5 users). Not a single item on that line is correct (don't use auth-type, don't use user-password, where does the reply item go).

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
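A small checker for the users file layout Ivan points at (man 5 users), written as an added example for this thread rather than anything taken from FreeRADIUS: it parses one entry, separates the check items on the first line from the reply items on the indented continuation lines, and flags the three problems named above (a forced Auth-Type, User-Password used as a check item, and a reply item such as Class placed on the check line). The attribute sets and the wording of the lint messages are my own assumptions, not the server dictionary; the two sample entries are constructed from the line in the question.

```python
"""Parse one FreeRADIUS 'users' entry and flag the layout mistakes discussed above.

Added example, not part of the original thread or of FreeRADIUS itself.
Layout assumed here follows man 5 users: the first line carries the user
name plus comma-separated *check* items; indented continuation lines carry
*reply* items. The attribute sets below are short, hand-picked samples,
not the server dictionary.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

Pair = Tuple[str, str, str]  # (attribute, operator, value)

# One "Attribute op value" pair, optionally followed by a comma.
PAIR_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(:=|==|\+=|!=|=~|!~|=\*|!\*|=|<|>)\s*'
    r'("(?:[^"\\]|\\.)*"|[^,\s]+)\s*(,?)'
)

# Assumed (not exhaustive) attribute classes used by the lint rules.
REPLY_ONLY = {"class", "reply-message", "framed-ip-address", "framed-ip-netmask",
              "tunnel-type", "tunnel-medium-type", "tunnel-private-group-id",
              "session-timeout", "idle-timeout", "filter-id"}
CHECK_ONLY = {"cleartext-password", "auth-type", "nt-password", "lm-password"}


@dataclass
class UsersEntry:
    name: str
    check_items: List[Pair] = field(default_factory=list)
    reply_items: List[Pair] = field(default_factory=list)


def parse_pairs(text: str) -> List[Pair]:
    """Split 'A op v, B op v' into pairs; raise on anything unparseable."""
    pairs, pos = [], 0
    while pos < len(text) and text[pos:].strip():
        m = PAIR_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse {text[pos:]!r}")
        attr, op, value, _comma = m.groups()
        if value.startswith('"'):
            value = value[1:-1]          # drop the surrounding quotes
        pairs.append((attr, op, value))
        pos = m.end()
    return pairs


def parse_entry(text: str) -> UsersEntry:
    """Parse one entry: name + check items, then indented reply-item lines."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or lines[0][0].isspace():
        raise ValueError("entry must start with a user name in column 1")
    head = lines[0].split(None, 1)
    entry = UsersEntry(name=head[0])
    entry.check_items = parse_pairs(head[1]) if len(head) > 1 else []
    for ln in lines[1:]:
        if not ln[0].isspace():
            raise ValueError(f"unexpected start of a second entry: {ln!r}")
        entry.reply_items.extend(parse_pairs(ln))
    return entry


def lint_entry(entry: UsersEntry) -> List[str]:
    """Return the problems a reviewer would raise; an empty list means clean."""
    problems = []
    for attr, _op, _ in entry.check_items:
        a = attr.lower()
        if a == "auth-type":
            problems.append(f"{attr}: don't force Auth-Type; let the server pick it from the request")
        elif a == "user-password":
            problems.append(f"{attr}: that is the request attribute; store the known password as Cleartext-Password")
        elif a in REPLY_ONLY:
            problems.append(f"{attr}: reply item on the check line; move it to an indented line")
    for attr, _op, _ in entry.reply_items:
        if attr.lower() in CHECK_ONLY:
            problems.append(f"{attr}: check item on a reply line; move it to the first line")
    return problems


# Constructed samples: the line as posted, and the same intent laid out per man 5 users.
POSTED_ENTRY = "vinay Auth-type:=CHAP,User-Password=vinay,Class=Admin"
CORRECTED_ENTRY = 'vinay\tCleartext-Password := "vinay"\n\tClass = "Admin"\n'

if __name__ == "__main__":
    for label, text in (("posted", POSTED_ENTRY), ("corrected", CORRECTED_ENTRY)):
        entry = parse_entry(text)
        print(label, "check:", entry.check_items, "reply:", entry.reply_items)
        for problem in lint_entry(entry):
            print("  -", problem)
```

Run it as-is and the posted line yields three findings while the corrected entry yields none; the point is the shape of the entry, not the specific attribute: any attribute meant for the Access-Accept goes on an indented line after the check line.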
Re: Freeradius 2.0 with Activedirectory Integration Failed
I am a little confused with this...

tnt-4 wrote: ntlm_auth in mschap module works only for mschap requests. It will not work for pap requests.

Normally, ntlm_auth is set in the MSCHAP module. Authentication requests from logging into the system, like SSH, use PAP? Is there any way that I can get the server using pam_radius to get authentication from the radius server? And the server, in turn, gets the authentication from ActiveDirectory? I am quite new to this, and might have problems understanding clearly...

Instructions first show you how to set up and test ntlm_auth with pap requests. Simply: don't remove the users file entry setting ntlm_auth auth-type; don't remove ntlm_auth from authenticate; keep the ntlm_auth exec module. Just keep those things and pap requests will work as well. The only thing to change is the operator in the users file: DEFAULT Auth-Type = ntlm_auth (= not :=).

Ivan Kalik
Kalik Informatika ISP
Re: PEAP-EAP-MD5 failure with freeradius-2.1.1
Hi Alan,

Thanks for your reply. Basically I have a wireless adapter which has a utility supporting peap-eapmd5 on Windows XP service pack 2. Is there any way to know whether the supplicant is the problem in the case of peap-eap-md5, as with the utility peap-eap-mschapv2 works?

Yes. By doing what you have been asked. Does plain EAP-MD5 work?

Alan DeKok.

Test your server installation by sending an EAP-MD5 request (wired XP, eapol_test, JRadius Simulator).

Ivan Kalik
Kalik Informatika ISP
Re: again: 802.1x auto login with win login/pass
Hi all,

I have a problem, can't authenticate my user with win login user/pass. I use:
- 802.1x
- newest freeradius, and ubuntu 8.4
- eap-tls
- win xp sp2 client, use automatic win logon and pass

When "Automatically use my Windows login name and password" is unchecked on Windows, I type user/pass and my radius accepts the request, and everything is okay. But when I try it with automatic win login/pass, the radius rejects the request. I set with-ntdomain-hack=yes in preprocess and it cuts the domain part. It seems okay but still rejects. I have good user settings. What is the problem? Password encryption?

No.

the debug log:

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228, length=160
..
	User-Name = DOMAIN\\Joe
..
[suffix] No '@' in User-Name = Joe, looking up realm NULL
..
[eap] Identity does not match User-Name, setting from EAP Identity.
..

You are rewriting the User-Name. Don't do that.

Ivan Kalik
Kalik Informatika ISP

when I use the with-ntdomain-hack=no the result is:

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, length=200
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 50003
	Cisco-NAS-Port = FastEthernet0/3
	NAS-Port-Type = Ethernet
	User-Name = DOMAIN\\Joe
	Called-Station-Id = 00-09-B7-94-CA-83
	Calling-Station-Id = 00-13-D4-E7-B3-FB
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd2b62910daab305146382a3fd0fd1f65
	EAP-Message = 0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d
	Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = DOMAIN\Joe, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [DOMAIN\\Joe/via Auth-Type = EAP] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\Joe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 29
Sending Access-Reject of id 137 to 192.168.1.1 port 1812
	EAP-Message = 0x041d0004
	Message-Authenticator = 0x

rejected too.

GH
Re: again: 802.1x auto login with win login/pass
Hi all,

I have a problem, can't authenticate my user with win login user/pass. I use:
- 802.1x
- newest freeradius, and ubuntu 8.4
- eap-tls
- win xp sp2 client, use automatic win logon and pass

When "Automatically use my Windows login name and password" is unchecked on Windows, I type user/pass and my radius accepts the request, and everything is okay. But when I try it with automatic win login/pass, the radius rejects the request. I set with-ntdomain-hack=yes in preprocess and it cuts the domain part. It seems okay but still rejects. I have good user settings. What is the problem? Password encryption?

log: when windows sends the login and pass automatically:

Auth: Login incorrect: [Joe/via Auth-Type = EAP] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
Auth: Login incorrect: [Joe/via Auth-Type = EAP] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
Auth: Login incorrect: [joe/via Auth-Type = EAP] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)

when I type the l/p:

Auth: Login OK: [Joe/via Auth-Type = EAP] (from client switch port 0 via TLS tunnel)
Auth: Login OK: [Joe/via Auth-Type = EAP] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)

snip

Two quick simple questions, is your windows password the same as the radius server password?

radius server password means the password after the username in the users file? or anything else? users file contains:

Joe Cleartext-Password:= pass

The biggest thing with this that I have seen is Windows, the password may not be the same as what you may type in. If it works in manual mode, I wouldn't think it is anything else but user/pass not working right. The EAP messages you see (Joe/via Auth-Type = EAP) show that the encrypted tunnel is correct, and since manual mode works, password encryption is working as well. I would double check the passwords first,

I checked the uname and pass in the users file, this u/p and the win logon/pass are the same. This u/p is not the same as the client certificate u/p.

my passwords:
for server cert: private_key_password = pass
for client cert: test/test
for winlogin: Joe/joepass
in users file: Joe/joepass

I created the certs like certs/README said, and then set up the tls module. I installed the server cert and the client cert on the windows client, and the client cert asked for the pass and I wrote it in, and that was correct. This was all that I did with the certs. Yes, it works well in manual mode, when I type it... I think something is wrong with the password encryption or windows sends it to the radius in the wrong format... I don't know.

make sure that the cert profiles seem to match for windows auto mode,

sry I don't understand, what do I have to check?

and then if that fails, run radius in debug (radiusd -xxx) and see what is breaking in that debug then run that forward to the list.

~Seann
Re: ldap backend and Realm
[EMAIL PROTECTED] wrote: Here is the debug of radiusd (attached file)

You are playing a dangerous game by reusing an old radiusd.conf.

[ldap] expand: %{control:My-BaseDN} -> ou\3dpeople\2cdc\3ddr4\2cdc\3dcnrs\2cdc\3dfr

basedn expansion went well.

rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to ldapauth.cnrs-gif.fr:389

But identity didn't. It looks like you will have to create 8 ldap instances and switch between them:

switch %{Realm} {
	case domain1 {
		ldap1
	}
	case ...
}

This should go instead of ldap in authorize.

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan, Alan. It works by defining multiple ldap in my config.

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4
tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39
Re: again: 802.1x auto login with win login/pass
when I use the with-ntdomain-hack=no the result is:

Where is that line? You should enable it in the mschap module. It shouldn't have any effect on EAP Identity.

[peap] Had sent TLV failure. User was rejected earlier in this session.

Debug you posted is useless. You have deleted the important bits.

Ivan Kalik
Kalik Informatika ISP
Test Radius Client supporting PEAP-EAP MD5
Hi,

Can anyone suggest a test radius client supporting PEAP with EAP MD5? I have tried JRadius Simulator, RadiusTest and others but could not get the option of PEAP with EAP MD5. In case anyone has come across one, please let me know.

Warm regards
Queenie
attribute filter
Hi folks,

I am using the attribute filter on my radius proxy server to filter attributes (Tunnel-Type, Tunnel-Medium-Type, Trapeze-VLAN-Name=Tunnel-Private-Group-Id) received from the home server for multiple realms (authentication and authorisation attributes are stored in an ldap database). Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 are permitted. So I activated rlm_attr_filter and my attrs file contains this section:

	Service-Type == Login-User,
	Proxy-State =* ANY,
	. . .
	Tunnel-Type == VLAN,
	Tunnel-Medium-Type == IEEE-802,
	Trapeze-VLAN-Name == VLAN1,
	Trapeze-VLAN-Name == VLAN2,
	Tunnel-Private-Group-Id == VLAN1,
	Tunnel-Private-Group-Id == VLAN2,

But it doesn't work unless I set those attributes to =* ANY (Trapeze-VLAN-Name =* ANY, Tunnel-Private-Group-Id =* ANY, ...).

Thanks for help and clues.

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4
tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39
Re: Test Radius Client supporting PEAP-EAP MD5
wpa_supplicant eapol_test.

Ivan Kalik
Kalik Informatika ISP

On 18/11/2008, Queenie de Melo [EMAIL PROTECTED] writes:

Can anyone suggest a test radius client supporting PEAP with EAP MD5? I have tried JRadius Simulator, RadiusTest and others but could not get the option of PEAP with EAP MD5.
Re: attribute filter
Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 are permitted.

Use unlang and -=.

Ivan Kalik
Kalik Informatika ISP
Re: attribute filter
[EMAIL PROTECTED] wrote:

Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 are permitted.

Use unlang and -=.

excuse me Ivan, I don't understand. can you explain more... thanks.

Ivan Kalik
Kalik Informatika ISP

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4
tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39
Re: attribute filter
Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 are permitted.

Use unlang and -=.

excuse me Ivan, I don't understand. can you explain more... thanks.

You say attr_filter is not working (and provide no debug) for you. Use unlang instead. Read man unlang and see what -= is for.

Ivan Kalik
Kalik Informatika ISP
Re: again: 802.1x auto login with win login/pass
when I use the with-ntdomain-hack=no the result is:

Where is that line? You should enable it in the mschap module. It shouldn't have any effect on EAP Identity.

I use it in the preprocess file, now I set it in the mschap module too.

[peap] Had sent TLV failure. User was rejected earlier in this session.

Debug you posted is useless. You have deleted the important bits.

I think peap works well, doesn't it? ( ... [peap] (other): SSL negotiation finished successfully ... [peap] EAPTLS_SUCCESS ... )

mschap module:

mschap {
	with_ntdomain_hack = no
}

eap.conf file:

eap {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
	leap {
	}
	gtc {
		#challenge = Password:
		auth_type = PAP
	}
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = pass
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		fragment_size = 1024
		include_length = yes
		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = inner-tunnel
	}
	peap {
		default_eap_type = mschapv2
		virtual_server = inner-tunnel
	}
	mschapv2 {
	}
}

here is the debug, I hope it is useful:

[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.1.1 port 1812
	EAP-Message = 0x0103040019c0088b160301002a022603014922ab54fa757c7768f8d465c3e5679f3e35b71e1933e5aad7ad7d60b6ea8d290400160301084e0b00084a000847000396308203923082027aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
	EAP-Message = 0x223a727e53300d06092a8648
	Message-Authenticator =
Re: again: 802.1x auto login with win login/pass
Hegedus Gabor wrote:

... and here is the first part of the debug:

main {
	prefix = /usr/local
	localstatedir = /usr/local/var
	logdir = /usr/local/var/log/radius
	libdir = /usr/local/lib
	radacctdir = /usr/local/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /usr/local/var/run/radiusd/radiusd.pid
	checkrad = /usr/local/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = yes
		auth_badpass = yes
		auth_goodpass = yes
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = testing123
	nastype = other
}
client 192.168.1.0/24 {
	require_message_authenticator = no
	secret = cisco
	shortname = switch
}
radiusd: Loading Realms and Home Servers
proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
}
home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = auth
	secret = testing123
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = status-server
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
}
home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
}
realm example.com {
	auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: Instantiating modules
instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = request
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = You are calling outside your allowed timespan
	minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = auto
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = yes
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = /usr/local/var/log/radius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = Password:
	auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = /usr/local/etc/raddb/certs/server.pem
	certificate_file = /usr/local/etc/raddb/certs/server.pem
	CA_file = /usr/local/etc/raddb/certs/ca.pem
	private_key_password = pass
	dh_file = /usr/local/etc/raddb/certs/dh
	random_file = /usr/local/etc/raddb/certs/random
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = DEFAULT
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = md5
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = suffix
	delimiter = @
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
	usersfile = /usr/local/etc/raddb/users
	acctusersfile = /usr/local/etc/raddb/acct_users
	preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
	compat = no
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating
Re: PEAP-EAP-MD5 failure with freeradius-2.1.1
Prasad Parab wrote:

Hi Alan,

Thanks for your reply. Basically I have a wireless adapter which has a utility supporting peap-eapmd5 on Windows XP service pack 2. Is there any way to know whether the supplicant is the problem in the case of peap-eap-md5, as with the utility peap-eap-mschapv2 works? Setup as follows:

Yes, we understand how wireless setups work. Please stop posting the setup diagram in every message. They don't help.

Try another supplicant, such as eapol_test. See my web site for instructions. If eapol_test works and Windows doesn't, I'd say that Windows is broken.

Alan DeKok.
switch/case in radiusd.conf (was: ldap backend and Realm)
switch %{Realm} {
	case domain1 {

I'm admittedly feeling totally stupid, but is this syntax documented anywhere?
Re: switch/case in radiusd.conf (was: ldap backend and Realm)
man unlang

Ken

On Tue, Nov 18, 2008 at 01:51:11PM +0100, Edgar Fuß wrote:

switch %{Realm} {
	case domain1 {

I'm admittedly feeling totally stupid, but is this syntax documented anywhere?
ssh cleartext-password ? INCORRECT
First of all let me say that I am using: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu.

I am trying to configure pam-radius-auth and freeRADIUS to allow users to ssh into a box and radius will appropriately match their permissions etc. I've come across a problem that I am unable to solve (I have a little over two months of experience with linux and even less with RADIUS and PAM). I have managed to get freeRADIUS running and I can do:

'radtest steve testing localhost 10 testing123'

And I receive:

Access-Accept packet from host 127.0.0.1 port 1812, id=114, length=71
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IP-Address = 172.16.3.33
	Framed-IP-Netmask = 255.255.255.0
	Framed-Routing = Broadcast-Listen
	Filter-Id = std.ppp
	Framed-MTU = 1500
	Framed-Compression = Van-Jacobson-TCP-IP

Now my problem occurs when I attempt to switch over to using ssh. I have configured the files:

(The beginning of) /etc/pam.d/sshd
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
auth sufficient /lib/security/pam_radius_auth.so debug
@include common-auth
...

And the matching shared secret for the server and pam_radius_auth.conf. I've noticed something in the logs which I have marked with ''. Any help is greatly appreciated.

Here is the relevant part of the log from radiusd -X

Using 'radtest steve testing localhost 10 testing123'

rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=34, length=57
	User-Name = steve
	User-Password = testing
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 34 to 127.0.0.1 port 58878
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IP-Address = 172.16.3.33
	Framed-IP-Netmask = 255.255.255.0
	Framed-Routing = Broadcast-Listen
	Framed-Filter-Id = std.ppp
	Framed-MTU = 1500
	Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Re: FreeRADIUS + OpenLDAP + MSCHAPv2
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports are more up-to-date than the CentOS Yum repositories apparently). However, upon reading the documentation in modules/ldap, I see this:

# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force Auth-Type = LDAP, and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.

So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354
authenticating to a Windows AD
Folks,

I have freeradius running on a fedora linux box. I want to use it for authentication from an Apache web server using the radius interface. That part is working, and I'm able to authenticate web users only if they have a local account on the freeradius server. I want freeradius to authenticate against a Windows Active Directory. I installed Samba and am running Winbind, and wbinfo/ntlm_auth are both able to authenticate from the command line assuming I give them a valid username and password. What module in freeradius do I use to authenticate through Winbind? Could someone point me in the right direction please.

-Mike
Re: FreeRADIUS + OpenLDAP + MSCHAPv2
See: http://deployingradius.com/documents/protocols/oracles.html

Ken

On Tue, Nov 18, 2008 at 01:29:48PM -0800, Tim Gustafson wrote:

So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?
Re: authenticating to a Windows AD
I should have mentioned it's FreeRadius 2.1.1.

-Mike

On Tue, 18 Nov 2008, Mike Diggins wrote:

What module in freeradius do I use to authenticate through Winbind? Could someone point me in the right direction please.
RE: authenticating to a Windows AD
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO worked for me.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mike Diggins
Sent: Tuesday, November 18, 2008 3:43 PM
To: FreeRadius users mailing list
Subject: Re: authenticating to a Windows AD

I should have mentioned it's FreeRadius 2.1.1.

-Mike
RE: authenticating to a Windows AD
Updated manual: http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP

On 18/11/2008, Danner, Mearl [EMAIL PROTECTED] writes:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO worked for me.
Re: FreeRADIUS + OpenLDAP + MSCHAPv2
Tim Gustafson wrote:

Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports are more up-to-date than the CentOS Yum repositories apparently). However, upon reading the documentation in modules/ldap, I see this: ... So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I missing something again?

A lot of the confusion here is terminology. People talk about pulling a password from a database and doing authentication in RADIUS as "authenticating against LDAP". This is technically *not* correct.

In short, LDAP doesn't do MS-CHAPv2. You can't do MS-CHAPv2 against an LDAP server. You CAN have FreeRADIUS read the clear-text password from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.

Thinking of it in this way is the *correct* way. It also has impacts on attitudes towards network design, requirements, etc. If you think of it as doing MS-CHAPv2 against LDAP, it will be difficult to design a system based on how things really work... because the conceptual model underlying the design is wrong.

Alan DeKok.
Re: ssh cleartext-password ? INCORRECT
> And the matching shared secret for the server and pam_radius_auth.conf ..
>
> Using 'ssh [EMAIL PROTECTED]'
> password: testing
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
>         User-Name = steve
>         User-Password = \010\n\r\177INCORRECT
> ..
> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Obviously, shared secrets don't match.

Ivan Kalik
Kalik Informatika ISP
Re: again: 802.1x auto login with win login/pass
> User-Name = ROUTER\\Hege

Create (local) realm ROUTER { } in proxy.conf.

> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = ROUTER\Hege, looking up realm NULL
> [suffix] No such realm NULL
> ++[suffix] returns noop
> [eap] EAP packet type response id 3 length 6

Uncomment ntdomain in authorize in the inner-tunnel virtual server (it's just below suffix). If that doesn't work, enable with-ntdomain-hack in the mschap module.

Ivan Kalik
Kalik Informatika ISP
RE: authenticating to an Windows AD
Thanks very much for the pointer. That looks like what I want, however, after following those instructions, when I run radiusd -X, I get this error:

/usr/local/etc/raddb/users[50]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type
Errors reading /usr/local/etc/raddb/users
/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.

I added this to the top of the users file:

user    Auth-Type := ntlm_auth

Any idea what is causing that? I think I followed the instructions correctly.

-Mike

On Tue, 18 Nov 2008, [EMAIL PROTECTED] wrote:
> Updated manual: http://deployingradius.com/documents/configuration/active_directory.html
>
> Ivan Kalik
> Kalik Informatika ISP
RE: authenticating to an Windows AD
> Thanks very much for the pointer. That looks like what I want, however, after following those instructions, when I run radiusd -X, I get this error:
>
> /usr/local/etc/raddb/users[50]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /usr/local/etc/raddb/users
> /usr/local/etc/raddb/modules/files[7]: Instantiation failed for module files
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
>
> I added this to the top of the users file:
>
> user    Auth-Type := ntlm_auth
>
> Any idea what is causing that? I think I followed the instructions correctly.

Just add ntlm_auth to the authenticate section of the inner-tunnel virtual server as well. You need to add it to all enabled servers, not just default.

Ivan Kalik
Kalik Informatika ISP