Re: free RADIUS server + return class attribute

2008-11-18 Thread tnt
I want to configure the freeRADIUS server to return the CLASS
attribute in the ACCESS-ACCEPT message.
I tried adding the attribute for a user in the users file:

vinay Auth-type:=CHAP,User-Password=vinay,Class=Admin

The attribute is parsed. But when I try to connect with a RADIUS
client, the freeRADIUS server crashes.

What is the correct method of passing attributes from the RADIUS server to
the RADIUS client?


Reading instructions in a file you are editing tends to help. Or man
pages (man 5 users). Not a single item on that line is correct (don't
use auth-type, don't use user-password, where does reply item go).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
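A users file entry that does what the posted line was aiming for, as an added example (not from the thread). The password and the Class value are the poster's; the layout follows man 5 users: check items on the first line, reply items on indented continuation lines.

```text
# Check items on the first line: Cleartext-Password is the stored secret;
# Auth-Type is left unset so the server picks PAP/CHAP/MS-CHAP from the
# attributes actually present in the Access-Request.
# Reply items on the indented lines (comma after all but the last) are
# returned in the Access-Accept.
vinay   Cleartext-Password := "vinay"
        Class = "Admin",
        Reply-Message = "Hello, %{User-Name}"

# For comparison, the posted line puts everything on one line, so Class is
# read as a check item (compared against the request) rather than sent back:
#   vinay Auth-type:=CHAP,User-Password=vinay,Class=Admin
```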


Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-18 Thread tnt
I am a little confused with this...

tnt-4 wrote:

 ntlm_auth in mschap module works only for mschap requests. It will not
 work for pap requests.


Normally, ntlm_auth is set in the MSCHAP module. Authentication requests
from logging into the system, like SSH, use PAP?

Is there any way that I can get the server using pam_radius to get
authentication from the radius server? And the server, in turn, gets the
authentication from ActiveDirectory?

I am quite new to this, and might have problems understanding clearly...


Instructions first show you how to set up and test ntlm_auth with pap
requests. Simply: don't remove users file entry setting ntlm_auth
auth-type; don't remove ntlm_auth from authenticate; keep ntlm_auth
exec module. Just keep those things and pap requests will work as well.
The only thing to change is operator in users file:

DEFAULT   Auth-Type = ntlm_auth

(= not :=).

Ivan Kalik
Kalik Informatika ISP

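The three pieces Ivan says to keep, written out as an added example in the layout of the FreeRADIUS Active Directory HOWTO rather than anything posted in this thread. /path/to/ntlm_auth and MYDOMAIN are placeholders to adapt.

```text
# modules/ntlm_auth: exec module that checks a plain (PAP) password
exec ntlm_auth {
    wait = yes
    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# modules/mschap: the same helper, fed the MS-CHAP challenge/response
# instead of a password, so the request never has to carry the password
mschap {
    ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-enabled/default: listing the exec module in authenticate creates the
# Auth-Type "ntlm_auth"; the mschap and eap entries stay as shipped
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    ntlm_auth
    eap
}

# users: "=" sets Auth-Type only if nothing set it earlier in authorize.
# The mschap module already sets Auth-Type to MS-CHAP when it sees MS-CHAP
# attributes, so with "=" only PAP requests end up at ntlm_auth. ":=" would
# overwrite that and send MS-CHAP requests to the exec module as well, which
# has no User-Password to pass to ntlm_auth.
DEFAULT Auth-Type = ntlm_auth
```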


Re: PEAP-EAP-MD5 failure with freeradius-2.1.1

2008-11-18 Thread tnt
Hi Alan,

Thanks for your reply.
Basically I have a wireless adapter which has a utility supporting
 peap-eapmd5 on Windows XP service pack 2. Is there any way to know whether
the supplicant is the problem in case of peap-eap-md5, as with the utility
peap-eap-mschapv2 works.


Yes. By doing what you have been asked.

  Does plain EAP-MD5 work?

  Alan DeKok.
 -

Test your server installation by sending EAP-MD5 request (wired XP,
eapol_test, JRadius Simulator).

Ivan Kalik
Kalik Informatika ISP



Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread Hegedus Gabor



Hi all, I have a problem, can't authenticate my user with win login user/pass.

I use:
- 802.1x
- newest freeradius, and ubuntu 8.4
- eap-tls
- win xp sp2 client, use automatic win logon and pass

When "Automatically use my Windows login name and password" is unchecked
on Windows, I type user/pass and my radius accepts the request,
and everything is okay.

But when I try it with automatic win login/pass, the radius rejects the
request.
I set with-ntdomain-hack=yes in preprocess and it cuts the domain part.
It seems okay but still rejects.

I have good user settings.

What is the problem? password encryption?




 No.

the debug log:

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=228,
length=160
 ..
User-Name = DOMAIN\\Joe
 ..
[suffix] No '@' in User-Name = Joe, looking up realm NULL
 ..
[eap] Identity does not match User-Name, setting from EAP Identity.
 ..

 You are rewriting the User-Name. Don't do that.

 Ivan Kalik
 Kalik Informatika ISP

when I use with-ntdomain-hack=no the result is:

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=137, 
length=200
NAS-IP-Address = 192.168.1.1
NAS-Port = 50003
Cisco-NAS-Port = FastEthernet0/3
NAS-Port-Type = Ethernet
User-Name = DOMAIN\\Joe
Called-Station-Id = 00-09-B7-94-CA-83
Calling-Station-Id = 00-13-D4-E7-B3-FB
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd2b62910daab305146382a3fd0fd1f65
EAP-Message =
0x021d00261900170301001b4857496f15b6b51dff76c2cd1e72b58feb956122b8ae08030ba37d
Message-Authenticator = 0x2361c53f5b43fce8fdfa4799b5112dde
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = DOMAIN\Joe, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [DOMAIN\\Joe/via Auth-Type = EAP] (from client switch port
50003 cli 00-13-D4-E7-B3-FB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> DOMAIN\Joe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 29
Sending Access-Reject of id 137 to 192.168.1.1 port 1812
EAP-Message = 0x041d0004
Message-Authenticator = 0x

rejected too.
GH





Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread Hegedus Gabor

 Hi all, I have a problem, can't authenticate my user with win login
user/pass.

I use:
- 802.1x
- newest freeradius, and ubuntu 8.4
- eap-tls
- win xp sp2 client, use automatic win logon and pass

When "Automatically use my Windows login name and password" is unchecked
on Windows, I type user/pass and my radius accepts the request,
and everything is okay.

But when I try it with automatic win login/pass, the radius rejects
the request.
I set with-ntdomain-hack=yes in preprocess and it cuts the domain
part.
It seems okay but still rejects.

I have good user settings.

What is the problem? password encryption?

log:
when windows send automaticly the login and pass:
Auth: Login incorrect: [Joe/via Auth-Type = EAP] (from client switch
port
50003 cli 00-13-D4-E7-B3-FB)
Auth: Login incorrect: [Joe/via Auth-Type = EAP] (from client switch
port
50003 cli 00-13-D4-E7-B3-FB)
Auth: Login incorrect: [joe/via Auth-Type = EAP] (from client switch
port
50003 cli 00-13-D4-E7-B3-FB)
when I type the l/p:
Auth: Login OK: [Joe/via Auth-Type = EAP] (from client switch port 0
via TLS
tunnel)
Auth: Login OK: [Joe/via Auth-Type = EAP] (from client switch port
50003 cli
00-13-D4-E7-B3-FB)


snip

Two quick simple questions, is your windows password the same as the
radius server password?



Does "radius server password" mean the password after the username in the users file?
Or anything else?

users file contains: Joe Cleartext-Password:= pass


The biggest thing with this that I have seen is
Windows, the password may not be the same as what you may type in. If it
works in manual mode, I wouldn't think it is anything else but user/pass
not working right. The EAP messages you see (Joe/via Auth-Type = EAP)
shows that the encrypted tunnel is correct, and since manual mode works,
password encryption is working as well. I would double check the
passwords first,



I checked the username and pass in the users file; this u/p and the win logon/pass
are the same.
This u/p is not the same as the client certificate u/p.
my passwords:
for server cert: private_key_password = pass
for client cert: test/test
for winlogin: Joe/joepass
in users file: Joe/joepass

I created the certs like certs/README said, and then set up the tls module.
I installed the server cert and the client cert on the windows client, and the
client cert asked for the pass and I wrote it in, and that was correct.
This was all I did with the certs.
Yes, it works fine in manual mode, when I type it...
I think something is wrong with the password encryption or windows sends it to
the radius in the wrong format...
I don't know.


make sure that the cert profiles seem to match for
windows auto mode,


Sorry, I don't understand, what do I have to check?


and then if that fails, run radius in debug (radiusd
-xxx)  and see what is breaking in that debug then run that forward to
the list.
~Seann


Re: ldap backend and Realm

2008-11-18 Thread Mustapha Bouikhif

[EMAIL PROTECTED] wrote:

 Here is the debug of radiusd (attached file)

You are playing a dangerous game by reusing an old radiusd.conf.

 [ldap] expand: %{control:My-BaseDN} -> ou\3dpeople\2cdc\3ddr4\2cdc\3dcnrs\2cdc\3dfr

basedn expansion went well.

 rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to ldapauth.cnrs-gif.fr:389

But identity didn't.

It looks like you will have to create 8 ldap instances and switch between
them:

switch %{Realm} {
   case domain1 { ldap1}
   case ...
}

This should go instead of ldap in authorize.

Ivan Kalik
Kalik Informatika ISP

Thanks Ivan & Alan. It works by defining multiple ldap in my config.

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4

tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39 


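Ivan's switch/case suggestion fleshed out, as an added example rather than Mustapha's or Ivan's own config: two of the per-realm ldap instances and the authorize section that selects between them by Realm. Server names, DNs and bind passwords are placeholders; the filter line is the stock module default. The syntax is the unlang switch statement described in man unlang.

```text
# modules/ldap: one instance per realm, each with its own base DN and its
# own bind identity, so a realm's directory is only ever queried with the
# credentials meant for it.
ldap ldap1 {
    server = "ldap.domain1.example"
    identity = "uid=Manager,ou=people,dc=domain1,dc=example"
    password = "BIND-PASSWORD-1"
    basedn = "ou=people,dc=domain1,dc=example"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

ldap ldap2 {
    server = "ldap.domain2.example"
    identity = "uid=Manager,ou=people,dc=domain2,dc=example"
    password = "BIND-PASSWORD-2"
    basedn = "ou=people,dc=domain2,dc=example"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# sites-enabled/default, authorize section: the switch replaces the bare
# "ldap" line. Realm is set by the suffix module, so suffix must run first.
authorize {
    preprocess
    suffix
    switch "%{Realm}" {
        case "domain1" {
            ldap1
        }
        case "domain2" {
            ldap2
        }
        # no known realm: query no directory at all
        case {
            noop
        }
    }
    pap
}
```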


Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread tnt
when I use the with-ntdomain-hack=no the result is :


Where is that line? You should enable it in mschap module. It shouldn't
have any effect on EAP Identity.

[peap]  Had sent TLV failure.  User was rejected earlier in this session.

Debug you posted is useless. You have deleted the important bits.

Ivan Kalik
Kalik Informatika ISP



Test Radius Client supporting PEAP-EAP MD5

2008-11-18 Thread Queenie de Melo
Hi,

Can anyone suggest a test radius client supporting PEAP with EAP MD5?

I have tried JRadius Simulator, RadiusTest and others but could not get the
option of PEAP with EAP MD5.

In case anyone has come across one, please let me know.

Warm regards
Queenie

attribute filter

2008-11-18 Thread Mustapha Bouikhif

Hi folk,

I am using attribute filter on my radius proxy server to filter
attributes (Tunnel-Type, Tunnel-Medium-Type,
Trapeze-VLAN-Name=Tunnel-Private-Group-Id) received from the home server
for multiple realms (authentication and authorisation attributes are
stored in an ldap database).
Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2
are permitted. So I activated rlm_attr_filter and my attrs file contains
this section:


Service-Type == Login-User,
Proxy-State =* ANY,
.
.
.
Tunnel-Type == VLAN,
Tunnel-Medium-Type == IEEE-802,
Trapeze-VLAN-Name == VLAN1,
Trapeze-VLAN-Name == VLAN2,
Tunnel-Private-Group-Id == VLAN1,
Tunnel-Private-Group-Id == VLAN2,

But it doesn't work unless I set those attributes to =* ANY
(Trapeze-VLAN-Name =* ANY, Tunnel-Private-Group-Id =* ANY, ...)


Thanks for help and clues.

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4

tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39 




Re: Test Radius Client supporting PEAP-EAP MD5

2008-11-18 Thread tnt
wpa_supplicant eapol_test.

Ivan Kalik
Kalik Informatika ISP



Re: attribute filter

2008-11-18 Thread tnt
Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 
are permitted.

Use unlang and -=.

Ivan Kalik
Kalik Informatika ISP



Re: attribute filter

2008-11-18 Thread Mustapha Bouikhif

[EMAIL PROTECTED] wrote:
 Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2
 are permitted.

 Use unlang and -=.

Excuse me Ivan, I don't understand. Can you explain more...
Thanks.

 Ivan Kalik
 Kalik Informatika ISP

  



--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4 


tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39



Re: attribute filter

2008-11-18 Thread tnt
 Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 
 are permitted.
 

 Use unlang and -=.
   

excuse me Ivan, I don't understand. can you explain more...
thanks.


You say attr.filter is not working (and provide no debug) for you. Use
unlang instead. Read man unlang and see what is -= for.

Ivan Kalik
Kalik Informatika ISP

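What "unlang and -=" amounts to for the VLAN policy Mustapha describes, as an added example rather than anything posted in the thread. It assumes the realm name and VLAN names from his post and a constructed MGMT-VLAN name; it goes in the proxy's post-proxy section, where the home server's answer is still in the proxy-reply list.

```text
post-proxy {
    if (Realm == "dr4.cnrs.fr") {
        # Allowlist: unless the home server named VLAN1 or VLAN2, strip the
        # whole VLAN assignment so the NAS falls back to its default VLAN
        # instead of honouring whatever the home server sent.
        if (!((proxy-reply:Tunnel-Private-Group-Id == "VLAN1") || (proxy-reply:Tunnel-Private-Group-Id == "VLAN2"))) {
            update proxy-reply {
                Tunnel-Type !* ANY
                Tunnel-Medium-Type !* ANY
                Tunnel-Private-Group-Id !* ANY
                Trapeze-VLAN-Name !* ANY
            }
        }
    }

    # "-=" is the narrower operator: it removes a pair only when attribute
    # name and value both match, so it expresses a denylist ("no home server
    # may hand out the management VLAN"; MGMT-VLAN is a constructed name)
    # while leaving every other assignment untouched.
    update proxy-reply {
        Trapeze-VLAN-Name -= "MGMT-VLAN"
    }
}
```

Run radiusd -X and watch the post-proxy section of a proxied request to confirm the update fires before the Access-Accept is forwarded to the NAS.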


Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread Hegedus Gabor


when I use the with-ntdomain-hack=no the result is :


 Where is that line? You should enable it in mschap module. It shouldn't
 have any effect on EAP Identity.

I use it in preprocess file,
now I set it in mschap module too


[peap]  Had sent TLV failure.  User was rejected earlier in this session.

 Debug you posted is useless. You have deleted the important bits.

I think PEAP works fine, doesn't it?

(
...
[peap] (other): SSL negotiation finished successfully
...
[peap] EAPTLS_SUCCESS
...
)

mschap module:
mschap {
    with_ntdomain_hack = no
}
-
eap.conf file:
eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    leap {
    }
    gtc {
        #challenge = "Password: "
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = pass
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        include_length = yes

        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = inner-tunnel
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = inner-tunnel
    }
    mschapv2 {
    }
}
--
here is the debug, I hope it is useful:

[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
 TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap]  TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap]  TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client 
certificate A

In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.1.1 port 1812

Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread Hegedus Gabor

Hegedus Gabor wrote:
...

and here is the first part of debug:

main {
   prefix = /usr/local
   localstatedir = /usr/local/var
   logdir = /usr/local/var/log/radius
   libdir = /usr/local/lib
   radacctdir = /usr/local/var/log/radius/radacct
   hostname_lookups = no
   max_request_time = 30
   cleanup_delay = 5
   max_requests = 1024
   allow_core_dumps = no
   pidfile = /usr/local/var/run/radiusd/radiusd.pid
   checkrad = /usr/local/sbin/checkrad
   debug_level = 0
   proxy_requests = yes
log {
   stripped_names = no
   auth = yes
   auth_badpass = yes
   auth_goodpass = yes
}
security {
   max_attributes = 200
   reject_delay = 1
   status_server = yes
}
}
client localhost {
   ipaddr = 127.0.0.1
   require_message_authenticator = no
   secret = testing123
   nastype = other
}
client 192.168.1.0/24 {
   require_message_authenticator = no
   secret = cisco
   shortname = switch
}
radiusd:  Loading Realms and Home Servers 
proxy server {
   retry_delay = 5
   retry_count = 3
   default_fallback = no
   dead_time = 120
   wake_all_if_all_dead = no
}
home_server localhost {
   ipaddr = 127.0.0.1
   port = 1812
   type = auth
   secret = testing123
   response_window = 20
   max_outstanding = 65536
   zombie_period = 40
   status_check = status-server
   ping_interval = 30
   check_interval = 30
   num_answers_to_alive = 3
   num_pings_to_alive = 3
   revive_interval = 120
   status_check_timeout = 4
}
home_server_pool my_auth_failover {
   type = fail-over
   home_server = localhost
}
realm example.com {
   auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd:  Instantiating modules 
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
 exec {
   wait = no
   input_pairs = request
   shell_escape = yes
 }
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
 expiration {
   reply-message = Password Has Expired  
 }
Module: Linked to module rlm_logintime
Module: Instantiating logintime
 logintime {
   reply-message = You are calling outside your allowed timespan  
   minimum-timeout = 60
 }
}
radiusd:  Loading Virtual Servers 
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
 pap {
   encryption_scheme = auto
   auto_header = no
 }
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
 mschap {
   use_mppe = yes
   require_encryption = no
   require_strong = no
   with_ntdomain_hack = yes
 }
Module: Linked to module rlm_unix
Module: Instantiating unix
 unix {
   radwtmp = /usr/local/var/log/radius/radwtmp
 }
Module: Linked to module rlm_eap
Module: Instantiating eap
 eap {
   default_eap_type = tls
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no
   max_sessions = 2048
 }
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
  gtc {
   challenge = Password: 
   auth_type = PAP
  }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
  tls {
   rsa_key_exchange = no
   dh_key_exchange = yes
   rsa_key_length = 512
   dh_key_length = 512
   verify_depth = 0
   pem_file_type = yes
   private_key_file = /usr/local/etc/raddb/certs/server.pem
   certificate_file = /usr/local/etc/raddb/certs/server.pem
   CA_file = /usr/local/etc/raddb/certs/ca.pem
   private_key_password = pass
   dh_file = /usr/local/etc/raddb/certs/dh
   random_file = /usr/local/etc/raddb/certs/random
   fragment_size = 1024
   include_length = yes
   check_crl = no
   cipher_list = DEFAULT
   cache {
   enable = no
   lifetime = 24
   max_entries = 255
   }
  }
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
  ttls {
   default_eap_type = md5
   copy_request_to_tunnel = no
   use_tunneled_reply = no
   virtual_server = inner-tunnel
  }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
  peap {
   default_eap_type = mschapv2
   copy_request_to_tunnel = no
   use_tunneled_reply = no
   proxy_tunneled_request_as_eap = yes
   virtual_server = inner-tunnel
  }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
  mschapv2 {
   with_ntdomain_hack = no
  }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
 realm suffix {
   format = suffix
   delimiter = @
   ignore_default = no
   ignore_null = no
 }
Module: Linked to module rlm_files
Module: Instantiating files
 files {
   usersfile = /usr/local/etc/raddb/users
   acctusersfile = /usr/local/etc/raddb/acct_users
   preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
   compat = no
 }
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating 

Re: PEAP-EAP-MD5 failure with freeradius-2.1.1

2008-11-18 Thread Alan DeKok
Prasad Parab wrote:
 Hi Alan,
  
 Thanks for your reply.
 Basically I have a wireless adapter which has a utility supporting
  peap-eapmd5 on Windows XP service pack 2. Is there any way to know
 whether the supplicant is the problem in case of peap-eap-md5, as with
 the utility peap-eap-mschapv2 works. Setup as follows:

  Yes, we understand how wireless setups work.  Please stop posting the
setup diagram in every message.  They don't help.

  Try another supplicant, such as eapol_test.  See my web site for
instructions.  If eapol_test works and Windows doesn't, I'd say that
Windows is broken.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


switch/case in radiusd.conf (was: ldap backend and Realm)

2008-11-18 Thread Edgar Fuß

switch %{Realm} {
   case domain1 {
I'm admittedly feeling totally stupid, but is this syntax documented
anywhere?




Re: switch/case in radiusd.conf (was: ldap backend and Realm)

2008-11-18 Thread Kenneth Marshall
man unlang

Ken



ssh cleartext-password ? INCORRECT

2008-11-18 Thread David Ly

First of all let me say that I am using:
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu.


I am trying to configure pam-radius-auth and freeRADIUS to allow
users to ssh into a box and radius will appropriately match their
permissions and etc.

I've come across a problem that I am unable to solve, (I have a little
over two months of experience with linux and even less with RADIUS
and PAM) I have managed to get freeRADIUS running and I can do;

   'radtest steve testing localhost 10 testing123'

And I receive:

   Access-Accept packet from host 127.0.0.1 port 1812, id=114, length=71
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 172.16.3.33
   Framed-IP-Netmask = 255.255.255.0
   Framed-Routing = Broadcast-Listen
   Filter-Id = std.ppp
   Framed-MTU = 1500
   Framed-Compression = Van-Jacobson-TCP-IP

Now my problem occurs when I attempt to switch over to
using ssh. I have configured the files:

(The beginning of) /etc/pam.d/sshd
   auth   required pam_env.so # [1]
   auth   required pam_env.so envfile=/etc/default/locale
   auth   sufficient /lib/security/pam_radius_auth.so debug
   @include common-auth
   ...

And the matching shared secret for the server and pam_radius_auth.conf.
I've noticed something in the logs which I have marked with ''. Any help
is greatly appreciated.

Here is the relevant part of the log from radiusd -X
using 'radtest steve testing localhost 10 testing123':

rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=34, length=57
   User-Name = steve
   User-Password = testing
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = steve, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 34 to 127.0.0.1 port 58878
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 172.16.3.33
   Framed-IP-Netmask = 255.255.255.0
   Framed-Routing = Broadcast-Listen
   Framed-Filter-Id = std.ppp
   Framed-MTU = 1500
   Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Tim Gustafson
Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports are
more up-to-date than the CentOS Yum repositories apparently).

However, upon reading the documentation in modules/ldap, I see this:

#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force Auth-Type = LDAP, and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.

So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I 
missing something again?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
[EMAIL PROTECTED]
831-459-5354


authenticating to a Windows AD

2008-11-18 Thread Mike Diggins


Folks, I have freeradius running on a fedora linux box. I want to use it 
for authentication from an Apache web server using the radius interface. 
That part is working, and I'm able to authenticate web users only if they 
have a local account on the freeradius server.


I want freeradius to authenticate against a Windows Active Directory. I 
installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able 
to authenticate from the command line assuming I give it a valid username 
and password. What module in freeradius do I use to authenticate through 
Winbind? Could someone point me in the right direction please.


-Mike


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Kenneth Marshall
See:

http://deployingradius.com/documents/protocols/oracles.html

Ken



Re: authenticating to a Windows AD

2008-11-18 Thread Mike Diggins


I should have mentioned it's FreeRadius 2.1.1.

-Mike




RE: authenticating to a Windows AD

2008-11-18 Thread Danner, Mearl
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
worked for me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Mike Diggins
Sent: Tuesday, November 18, 2008 3:43 PM
To: FreeRadius users mailing list
Subject: Re: authenticating to an Windows AD


I should have mentioned it's FreeRadius 2.1.1.

-Mike


On Tue, 18 Nov 2008, Mike Diggins wrote:


Folks, I have freeradius running on a fedora linux box. I want to use it for
authentication from an Apache web server using the radius interface. That
part is working, and I'm able to authenticate web users only if they have a
local account on the freeradius server.

I want freeradius to authenticate against a Windows Active Directory. I
installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able to
authenticate from the command line assuming I give it a valid username and
password. What module in freeradius do I use to authenticate through Winbind?
Could someone point me in the right direction please.

-Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: authenticating to an Windows AD

2008-11-18 Thread tnt
Updated manual:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP


On 18/11/2008, Danner, Mearl [EMAIL PROTECTED] wrote:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
worked for me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Mike Diggins
Sent: Tuesday, November 18, 2008 3:43 PM
To: FreeRadius users mailing list
Subject: Re: authenticating to an Windows AD


I should have mentioned it's FreeRadius 2.1.1.

-Mike


On Tue, 18 Nov 2008, Mike Diggins wrote:


Folks, I have freeradius running on a fedora linux box. I want to use it for
authentication from an Apache web server using the radius interface. That
part is working, and I'm able to authenticate web users only if they have a
local account on the freeradius server.

I want freeradius to authenticate against a Windows Active Directory. I
installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able to
authenticate from the command line assuming I give it a valid username and
password. What module in freeradius do I use to authenticate through Winbind?
Could someone point me in the right direction please.

-Mike



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-18 Thread Alan DeKok
Tim Gustafson wrote:
 Ok, I've upgraded to FreeRADIUS 2.0.5 on a FreeBSD box (the FreeBSD ports is 
 more up-to-date than the CentOS Yum repositories apparently).
 
 However, upon reading the documentation in modules/ldap, I see this:
...
 So, does this mean that you can't do MSCHAPv2 against an LDAP server, or am I 
 missing something again?

  A lot of the confusion here is terminology.  People talk about pulling
a password from a database and doing authentication in RADIUS as
authenticating against LDAP.  This is technically *not* correct.

  In short, LDAP doesn't do MS-CHAPv2.  You can't do MS-CHAPv2 against
an LDAP server.  You CAN have FreeRADIUS read the clear-text password
from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.

  Thinking of it in this way is the *correct* way.  It also has impacts
on attitudes towards network design, requirements, etc.  If you think of
it as doing MS-CHAPv2 against LDAP, it will be difficult to design a
system based on how things really work... because the conceptual model
underlying the design is wrong.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ssh cleartext-password ? INCORRECT

2008-11-18 Thread tnt
And the matching shared secret for the server and pam_radius_auth.conf
..
Using 'ssh [EMAIL PROTECTED]' password: testing

rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
User-Name = steve
User-Password = \010\n\r\177INCORRECT 

..
  WARNING: Unprintable characters in the password.
  Double-check the shared secret on the server and the NAS!

Obviously, shared secrets don't match.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
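The "\010\n\r\177INCORRECT" password and the warning after it are what a RADIUS server sees when it unmasks User-Password with the wrong shared secret. As an added example (my code, not FreeRADIUS's), the Go program below implements the RFC 2865 section 5.2 User-Password hiding and its inverse with a constructed secret and Request Authenticator, and shows that decoding under the wrong secret yields unprintable bytes, which is the check behind the warning.

```go
// Added example, not FreeRADIUS code: RFC 2865 section 5.2 User-Password
// hiding, and why a shared-secret mismatch shows up as unprintable garbage.
package main

import (
	"bytes"
	"crypto/md5"
	"fmt"
)

// encodeUserPassword pads the password with NULs to a multiple of 16 bytes and
// XORs each chunk with MD5(secret || RequestAuthenticator) for the first chunk
// and MD5(secret || previous ciphertext chunk) for every later one.
func encodeUserPassword(password, secret []byte, reqAuth [16]byte) []byte {
	n := (len(password) + 15) / 16 * 16
	if n == 0 {
		n = 16
	}
	padded := make([]byte, n)
	copy(padded, password)
	out := make([]byte, n)
	prev := reqAuth[:]
	for i := 0; i < n; i += 16 {
		mask := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ mask[j]
		}
		prev = out[i : i+16]
	}
	return out
}

// decodeUserPassword is what the server does on receipt. The mask chain is keyed
// by the secret, so with the wrong secret every chunk decodes to random-looking
// bytes rather than the password.
func decodeUserPassword(cipher, secret []byte, reqAuth [16]byte) []byte {
	out := make([]byte, len(cipher))
	prev := reqAuth[:]
	for i := 0; i+16 <= len(cipher); i += 16 {
		mask := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = cipher[i+j] ^ mask[j]
		}
		prev = cipher[i : i+16]
	}
	return bytes.TrimRight(out, "\x00") // strip the NUL padding
}

// hasUnprintable mirrors the sanity check behind the "Unprintable characters in
// the password" warning: a real password is printable ASCII, a mis-decoded one
// almost never is.
func hasUnprintable(pw []byte) bool {
	for _, b := range pw {
		if b < 0x20 || b > 0x7e {
			return true
		}
	}
	return false
}

func main() {
	var reqAuth [16]byte
	copy(reqAuth[:], "constructed-auth") // constructed; a real NAS sends 16 random bytes
	password := []byte("testing")
	wire := encodeUserPassword(password, []byte("nas-secret"), reqAuth)
	good := decodeUserPassword(wire, []byte("nas-secret"), reqAuth)
	bad := decodeUserPassword(wire, []byte("server-secret"), reqAuth)
	fmt.Printf("matching secret: %q unprintable=%v\n", good, hasUnprintable(good))
	fmt.Printf("wrong secret:    %q unprintable=%v\n", bad, hasUnprintable(bad))
}
```

Note that nothing in the packet tells the server which secret was used; the server only finds out by the decoded password looking wrong, which is why FreeRADIUS can only warn rather than report a definite mismatch.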


Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread tnt
User-Name = ROUTER\\Hege

Create (local) realm ROUTER { } in proxy.conf.

++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = ROUTER\Hege, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6

Uncomment ntdomain in authorize in inner-tunnel virtual server (it's
just below suffix).

If it doesn't work, enable with-ntdomain-hack in mschap module.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: authenticating to an Windows AD

2008-11-18 Thread Mike Diggins


Thanks very much for the pointer. That looks like what I want, however, 
after following those instructions, when I run radiusd -X, I get this 
error:


/usr/local/etc/raddb/users[50]: Parse error (check) for entry user: 
Unknown value ntlm_auth for attribute Auth-Type


Errors reading /usr/local/etc/raddb/users

/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module 
files


/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find 
module files.


/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing 
authorize section.


I added this to the top of the users file:

user    Auth-Type := ntlm_auth

Any idea what is causing that? I think I followed the instructions 
correctly.


-Mike


On Tue, 18 Nov 2008, [EMAIL PROTECTED] wrote:


Updated manual:

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP


On 18/11/2008, Danner, Mearl [EMAIL PROTECTED] wrote:


http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
worked for me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Mike Diggins
Sent: Tuesday, November 18, 2008 3:43 PM
To: FreeRadius users mailing list
Subject: Re: authenticating to an Windows AD


I should have mentioned it's FreeRadius 2.1.1.

-Mike


On Tue, 18 Nov 2008, Mike Diggins wrote:



Folks, I have freeradius running on a fedora linux box. I want to use it for
authentication from an Apache web server using the radius interface. That
part is working, and I'm able to authenticate web users only if they have a
local account on the freeradius server.

I want freeradius to authenticate against a Windows Active Directory. I
installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able to
authenticate from the command line assuming I give it a valid username and
password. What module in freeradius do I use to authenticate through Winbind?
Could someone point me in the right direction please.

-Mike




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: authenticating to an Windows AD

2008-11-18 Thread tnt
Thanks very much for the pointer. That looks like what I want, however, 
after following those instructions, when I run radiusd -X, I get this 
error:

/usr/local/etc/raddb/users[50]: Parse error (check) for entry user: 
Unknown value ntlm_auth for attribute Auth-Type

Errors reading /usr/local/etc/raddb/users

/usr/local/etc/raddb/modules/files[7]: Instantiation failed for module 
files

/usr/local/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find 
module files.

/usr/local/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing 
authorize section.

I added this to the top of the users file:

user    Auth-Type := ntlm_auth

Any idea what is causing that? I think I followed the instructions 
correctly.


Just add ntlm_auth to authenticate section of inner-tunnel virtual server
as well. You need to add it to all enabled servers, not just default.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
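Putting the replies in this thread together (the ntlm_auth exec module, the users file entry, ntlm_auth in the authenticate section of every enabled virtual server, and, from the "again: 802.1x" reply, the local realm and ntdomain hack for DOMAIN\user names), here are the fragments as one added illustration. This is my reconstruction of what those replies describe, not text from the linked HOWTOs; "/path/to/ntlm_auth" and EXAMPLEDOMAIN are placeholders.

```text
# raddb/modules/ntlm_auth : the exec module the users file entry points at
exec ntlm_auth {
        wait = yes
        program = "/path/to/ntlm_auth --request-nt-key --domain=EXAMPLEDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/users : at the top of the file. "=" rather than ":=" so that it does
# not override an Auth-Type the mschap module has already set for MS-CHAP
# requests; pap requests then fall through to ntlm_auth.
DEFAULT Auth-Type = ntlm_auth

# raddb/sites-enabled/default AND raddb/sites-enabled/inner-tunnel : ntlm_auth
# must be listed in the authenticate section of every enabled virtual server.
# Leaving it out of inner-tunnel is what produces
#   Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type
# ("..." stands for the rest of the section, left as shipped)
authenticate {
        ...
        ntlm_auth
}

# raddb/modules/mschap : for PEAP/MS-CHAPv2 clients sending ROUTER\Hege-style
# names, per the "again: 802.1x" reply
mschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=EXAMPLEDOMAIN --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# raddb/proxy.conf : a local realm (no home servers) so ROUTER\Hege is accepted
# rather than proxied; also uncomment "ntdomain" in the authorize section of
# inner-tunnel so the realm is split off the User-Name.
realm ROUTER {
}
```

Check the result with `radiusd -X` first: the users file parse error disappears once the inner-tunnel authenticate section lists ntlm_auth, and then a pap test against the default server and a PEAP/MS-CHAPv2 test through inner-tunnel exercise the two different ntlm_auth paths.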