Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2010-04-23 Thread Alan DeKok
Johnny R wrote:
 * is the ciphered login/password which comes from CopSpot (or any
   captive portal) deciphered before ipcop sends it to
   freeradius-server? (It's the kind of question which can not be asked
   here but ... you never know)

  I have no idea what that means.

 * the authentication type set in ipcop is just radius (and its
   ip), so I don't understand why the packet contains CHAP?

  shrug Go ask the ipcop people.

 according
 to http://deployingradius.com/documents/configuration/active_directory.html,
 centralizing the authentication in samba will work fine, but I want to
 do it against ldap. I think, what's wrong here is that I added users by
 smbldap-useradd, not simply ldapadd (which won't work actually, it says:
 invalid credentials) ... 
 
 * So how can I force freeradius to use pap

  You can't.  The NAS (ipcop) determines what to put in the
Access-Request, not FreeRADIUS.

  You need to put the clear-text password into the database.  That's the
only thing you can do to FreeRADIUS which will help.

 (to be able to
   authenticate it against ldap) even if the passwd/login is tls
   ciphered (from chilispot). I'm really convinced that that's not
   possible, even senseless, but I have to know why ...

  I have no idea what that means.

 Finally, once again, I really want to thank the list for your
 availability, the freeradius dev. team, because this is a success for
 the open source community.
 Thanks,

  It's what I do...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Users file or mysql database; radpostauth table

2010-04-23 Thread David Seira
Hi all!


I'm trying to implement a freeradius server and I have several questions.
The freeradius version used is 2.1.8.

 First of all, I want to put a freeradius to manage a net with about 400~500
users. I don't know which method to choose for managing users; users file or
mysql database?

I think managing users with a file is faster but the management is worse, and
a mysql database is easier to manage but I think it is slower than the other.

What do you think about it? Which is the best option?


Another question concerns freeradius + mysql. I did a test and saved the
users' passwords with SHA1 in the radcheck table. Then I activated the
radpostauth logging table. The problem is that in this table (when a user is
logged in) the pass is stored in plain text, without encryption. Is it possible
to store the pass encrypted with SHA1 in the radpostauth table?

Thanks for all.

Regards,
David Seira

Re: Using Nas IP Address as client key

2010-04-23 Thread Alan DeKok
Johan Meiring wrote:
 This works very well, but has a few irritating (not showstopping) side
 effects.
 
 1)  Sometimes we have more than one Nas behind the same natted connection.
 This means that they all have to have the same shared secret.
 
 2)  Also it happens that a different Nas ends up behind a previous Nas's
 IP (dynamically assigned broadband IP) and then the shared secret
 is again rejected.

  Yup.  That's a limitation of RADIUS.

 Within a corporate/large telco's network, the Nas's (802.11x switches or
 Dslams) are generally behind fixed IPs,  but for the hotspot world any
 Nas source IP goes.
 
 Is it not maybe a good idea to start considering a different key to
 identify the Nas by?

  Use SSH, or SSL.  Create an SSH or OpenVPN connection between the NAS
and the server.  That avoids most of the problems.

 In clients.conf (or for dynamic clients) a parameter (nas-key) that
 could be Src-IP or Nas-Id.  i.e. you can choose the key that
 identifies a specific Nas/client and therefore the shared secret.
 
 
 Does it sound like a bad idea?

  Yes.  It means that it's even easier to spoof the packets.

 How difficult would such a change in Freeradius be?
 (I've not read the source code yet, just throwing an idea out there).

  It might not be hard... but it won't go into the main release.

 Opinions?

  Lots.

 PS:  I realise that tunneling the radius traffic is a different solution
 to the same problem, but in our case not always easy to implement.  (The
 only extra layer I would love to see is RadSec.)

  In progress.  But that requires upgrading the NASes, too.  That's much
harder than upgrading FreeRADIUS.

  Alan DeKok.


Re: Multiple instance of proxy

2010-04-23 Thread Alan DeKok
brisston...@free.fr wrote:
 I have a question about proxy requests with freeradius: is it possible to run
 multiple instances of the proxy (not the same one, but the same daemon) which use
 different realm configurations.

  Yes.

  Alan DeKok.


Re: Users file or mysql database; radpostauth table

2010-04-23 Thread Alan DeKok
David Seira wrote:
  First of all, I want to put a freeradius to manage a net with about
 400~500 users. I don't know which method to choose for managing users; users
 file or mysql database?

  Whatever makes you happy.

 I think managing users with a file is faster but the management is worse,
 and a mysql database is easier to manage but I think it is slower than the other.
 
 What do you think about it? Which is the best option?

  For 500 users, the speed of MySQL isn't an issue.

 Another question concerns freeradius + mysql. I did a test and saved
 the users' passwords with SHA1 in the radcheck table. Then I activated
 the radpostauth logging table. The problem is that in this table (when a user
 is logged in) the pass is stored in plain text, without encryption. Is it
 possible to store the pass encrypted with SHA1 in the radpostauth table?

  No.

  Alan DeKok.
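Alan's answer is about hashing; a related point worth knowing, added here and not part of the thread or of any FreeRADIUS file, is where the plain-text value comes from. The SQL module's `postauth_query` expands the request's password attribute into the `pass` column of radpostauth. The first query below is the shape I remember from the 2.1.x default `dialup.conf` and is an assumption to be checked against your own file; the second simply stops writing the password, so the table keeps who authenticated, the result and the time, but no credential. Hashing would not help in any case: with CHAP the server never sees the clear-text password at all, and with PAP a hash of a logged password gives nothing that not logging it does not.

```text
# Assumed 2.1.x default shape of the post-auth logging query (verify against
# your sql.conf / dialup.conf): the second VALUES entry writes the password.
postauth_query = "INSERT INTO ${postauth_table} \
                  (username, pass, reply, authdate) \
                  VALUES ( \
                  '%{User-Name}', \
                  '%{%{User-Password}:-%{Chap-Password}}', \
                  '%{reply:Packet-Type}', \
                  '%S')"

# Same query with the password column dropped. radpostauth then records the
# user name, the reply type (Access-Accept / Access-Reject) and the timestamp
# only. If your schema declares "pass" NOT NULL without a default, keep the
# column and insert '' instead of removing it.
postauth_query = "INSERT INTO ${postauth_table} \
                  (username, reply, authdate) \
                  VALUES ( \
                  '%{User-Name}', \
                  '%{reply:Packet-Type}', \
                  '%S')"
```

After the change, run `radiusd -X`, authenticate once, and confirm that the `[sql] expand:` lines for the post-auth query no longer contain `%{User-Password}` and that rows in radpostauth carry an empty or absent `pass` value.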


Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !

2010-04-23 Thread VU VAN HUNG

szymon roczniak wrote:

On Thu, Apr 22, 2010 at 05:38:04PM +0700, VU VAN HUNG wrote:
  

szymon roczniak wrote:


On Thu, Apr 22, 2010 at 04:50:50PM +0700, VU VAN HUNG wrote:
  

I know, but in the output,  I see the following lines:

[sql] expand: %{User-Password} ->
[sql] expand: %{Chap-Password} ->
no information about User-Password and Chap-Password, and the query, 



I hope I'm not completely wrong here but this is probably because you're using
EAP not PAP or CHAP so these attributes are not set.

  
which inserts into radpostauth, is in error. I don't know why.  Do you have 
any suggestions about this problem?



the query results in an error because the username column is missing (or
misspelled) in the table:

  
rlm_sql (sql) in sql_postauth: Database query error - Unknown column 
'username' in 'field list'




  

Thanks szymon for your help.
I edited some column names in the radius database, so users could connect 
to the wireless network successfully. But I still don't know how to configure 
the Radius Server to use PAP and CHAP instead of EAP, because I explored my 
configuration in radiusd.conf and see nothing wrong. Hope someone can 
give me suggestions about this problem.




Re: Users file or mysql database; radpostauth table

2010-04-23 Thread VU VAN HUNG

Alan DeKok wrote:

David Seira wrote:
  

 First of all, I want to put a freeradius to manage a net with about
400~500 users. I don't know which method to choose for managing users; users
file or mysql database?



  Whatever makes you happy.

  

I think managing users with a file is faster but the management is worse,
and a mysql database is easier to manage but I think it is slower than the other.

What do you think about it? Which is the best option?



  For 500 users, the speed of MySQL isn't an issue.

  

Another question concerns freeradius + mysql. I did a test and saved
the users' passwords with SHA1 in the radcheck table. Then I activated
the radpostauth logging table. The problem is that in this table (when a user
is logged in) the pass is stored in plain text, without encryption. Is it
possible to store the pass encrypted with SHA1 in the radpostauth table?



  No.

  Alan DeKok.

  
Hi everyone, I'm a newbie in Radius. I just want to ask: do I have to 
configure the users file if I use mysql to manage the users?

Vu Hung,


Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !

2010-04-23 Thread szymon roczniak
On Fri, Apr 23, 2010 at 03:22:44PM +0700, VU VAN HUNG wrote:
 szymon roczniak wrote:
  On Thu, Apr 22, 2010 at 05:38:04PM +0700, VU VAN HUNG wrote:
  szymon roczniak wrote:
  On Thu, Apr 22, 2010 at 04:50:50PM +0700, VU VAN HUNG wrote:
 I edited some column names in the radius database, so users could connect 
 to the wireless network successfully. But I still don't know how to configure 
 the Radius Server to use PAP and CHAP instead of EAP, because I explored my 

In order to have PAP or CHAP working you need your NAS to send either
User-Password or CHAP-Password attribute. If you look at your log file again
you'll see that both the pap and the chap module return noop, this is because
these attributes are not present in the query. 

 configuration in radiusd.conf and see nothing wrong. Hope someone can 

That's probably because there's nothing wrong with your radius configuration
;)

-- 
Szymon Roczniak


Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !

2010-04-23 Thread VU VAN HUNG

szymon roczniak wrote:

In order to have PAP or CHAP working you need your NAS to send either
User-Password or CHAP-Password attribute. If you look at your log file again
you'll see that both the pap and the chap module return noop, this is because
these attributes are not present in the query. 

  
I put some information into the nas table of the radius database, but the pap and 
chap modules still return noop. How do I make the NAS send the User-Password or 
CHAP-Password attribute?



Re: rlm_sql error, can't expand User-Password and Chap-Password, help me !

2010-04-23 Thread Alan DeKok
VU VAN HUNG wrote:
 How do I make NAS send User-Password or CHAP-Password attribute ?

  Read the NAS documentation.

  Alan DeKok.


Re: Users file or mysql database; radpostauth table

2010-04-23 Thread Alan DeKok
VU VAN HUNG wrote:
 Hi everyone, I'm a newbie in Radius. I just want to ask: do I have to
 configure the users file if I use mysql to manage the users?

  You don't *have* to configure a user in the users file.

  Alan DeKok.


Re: Using Nas IP Address as client key

2010-04-23 Thread Timothy
Depending on your hardware, you might want to try radsecproxy.  It does
currently have a 16 character password limit though.

Johan Meiring wrote:
 Hi all,

 The radius spec currently identifies a Nas (client) by the Nas's IP
 address
 (Packet-Src-IP-Address?).  That is how radius works.

 We have a bunch of hotspots out in the field which could be behind any
 kind
 of internet connection.  Broadband/Dynamic IP, natted, etc.

 Because we have no idea where a specific Nas's traffic might come from
 we've
 implemented dynamic-clients.  Using rlm_raw we use the Nas-Identifier
 to lookup the shared secret in a database, and the client gets
 dynamically created.  (Thanks Alan for the help with this one!!)

 This works very well, but has a few irritating (not showstopping) side
 effects.

 1)  Sometimes we have more than one Nas behind the same natted
 connection.
 This means that they all have to have the same shared secret.

 2)  Also it happens that a different Nas ends up behind a previous Nas's
 IP (dynamically assigned broadband IP) and then the shared secret
 is again rejected.

 Within a corporate/large telco's network, the Nas's (802.11x switches
 or Dslams) are generally behind fixed IPs,  but for the hotspot world
 any Nas source IP goes.

 Is it not maybe a good idea to start considering a different key
 to identify the Nas by?

 In clients.conf (or for dynamic clients) a parameter (nas-key) that
 could be Src-IP or Nas-Id.  i.e. you can choose the key that
 identifies a specific Nas/client and therefore the shared secret.


 Does it sound like a bad idea?

 How difficult would such a change in Freeradius be?
 (I've not read the source code yet, just throwing an idea out there).

 Opinions?


 PS:  I realise that tunneling the radius traffic is a different
 solution to the same problem, but in our case not always easy to
 implement.  (The only extra layer I would love to see is RadSec.)





Using Radiusclient to implement a radius client on Windows platform?

2010-04-23 Thread Joshua Lim
Hi, I'm a newbie, hope someone can help me.  I'm trying to implement a 
radius client on the Windows platform to work with freeradius.  I intend to 
use VC++ or Delphi.  radiusclient is for the linux platform, can I adapt it 
for Windows?


Grateful for any pointers.  :)

Rgds,
Joshua



Re: Multiple instance of proxy

2010-04-23 Thread brisstony21
Selon Alan DeKok al...@deployingradius.com:

 brisston...@free.fr wrote:
  I have a question about proxy request with freeradius : is it possible to
 run
  multiple instance of proxy (not the same but the same daemon) which use
  different realm configuration.

   Yes.

   Alan DeKok.



Thanks but... can you explain to me how I can do it? I tried to put the realm section in
the server section but it doesn't work. Can you help me please?

Thanks in advance


FreeRadius 2.1.8 and MySQL

2010-04-23 Thread John Gammons
All,

I have a 2.1.8 freeradius server running and have recently added MySQL
into the mix.  I am attempting to authenticate a user via EAP-TTLS
with a PAP inner (for simplicity's sake atm).  The user is valid, in
the DB with Cleartext-Password, and auths fine when doing a radtest
(PAP), however, when EAP-TTLS is thrown in the mix it fails with the
following no auth type config'd error.  I also attempted to place an
Auth-Type == PAP into the DB, but that didn't help the EAP auth.  When
I remove MySQL, and revert to the users file, the user auths fine even
with EAP-TTLS and a PAP inner.  I have been scratching my head on this
one trying different settings and DB entries and looking at the logs,
but am failing to see what I am missing.  Any ideas?

Thanks,
John

++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = testing, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = testing
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [testing/password] (from client purewave port 0 cli
00:1d:8f:00:03:4d via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.


Re: Multiple instance of proxy

2010-04-23 Thread John Gammons
This configuration is located in proxy.conf.

To proxy any @MYREALM1 requests to one server, and @MYREALM2 to
another, you would enter something like the following in that file

realm MYREALM1 {
   authhost= radius.company1.com:1600
   accthost= radius.company1.com:1601
   secret  = testing123
   nostrip
}

realm MYREALM2 {
   authhost= radius.company2.com:1812
   accthost= radius.company2.com:1813
   secret  = testing123
   nostrip
}

There are a lot of options, but it is explained in great detail in proxy.conf.

Hope that helps.

John


On Fri, Apr 23, 2010 at 8:38 AM,  brisston...@free.fr wrote:
 Selon Alan DeKok al...@deployingradius.com:

 brisston...@free.fr wrote:
  I have a question about proxy request with freeradius : is it possible to
 run
  multiple instance of proxy (not the same but the same daemon) which use
  different realm configuration.

   Yes.

   Alan DeKok.



 Thanks but... can you explain to me how I can do it? I tried to put the realm section in
 the server section but it doesn't work. Can you help me please?

 Thanks in advance




Re: Multiple instance of proxy

2010-04-23 Thread brisstony21
Selon John Gammons jgamm...@gmail.com:

 This configuration is located in proxy.conf.

 To proxy any @MYREALM1 requests to one server, and @MYREALM2 to
 another, you would enter something like the following in that file

 realm MYREALM1 {
authhost= radius.company1.com:1600
accthost= radius.company1.com:1601
secret  = testing123
nostrip
 }

 realm MYREALM2 {
authhost= radius.company2.com:1812
accthost= radius.company2.com:1813
secret  = testing123
nostrip
 }

 There are a lot of options, but it is explained in great detail in
 proxy.conf.

 Hope that helps.

 John


 On Fri, Apr 23, 2010 at 8:38 AM,  brisston...@free.fr wrote:
  Selon Alan DeKok al...@deployingradius.com:
 
  brisston...@free.fr wrote:
   I have a question about proxy request with freeradius : is it possible
 to
  run
   multiple instance of proxy (not the same but the same daemon) which use
   different realm configuration.
 
    Yes.
 
    Alan DeKok.
 
 
 
  Thanks but... can you explain me how can I do? I try to put realm section
 in
  server section but it doesn't work. Can you help me please?
 
  Thanks in advance
 



Thanks for your reply. I have already understood that, but my real problem is
that I would like to authorize realms per proxy. Example:

I have 3 realms. Each of them is associated with one server declared in the
sites-enabled directory:
- realm1 -> server1
- realm2 -> server2
- realm3 -> server3

and 2 proxies:
- proxy1
- proxy2

I want to authorize the first proxy to manage realm1 and realm2 and the second
proxy to manage all the realms. I can't find anything in proxy.conf.

If you want, I would like to configure it like this:

server proxy1 {

   listen {}
   realm1 { // go to server 1}
   realm2 { // go to server 2}

   authorize {}
   ...
}

server proxy2 {

   listen {}
   realm1 { // go to server 1}
   realm2 { // go to server 2}
   realm3 { // go to server 3}

   authorize {}
   ...
}

Thanks in advance


Block access by Tunnel client IP?

2010-04-23 Thread ST Wong (ITSC)
 Hi all,

I'm using freeradius 2.1.3. Would like to know if it's possible to
block access (maybe in the users file) by checking the following criteria?

Acct-Tunnel-Client-Endpoint:0 = 137.*.*.* 

Would anyone please help?  Thanks.

Regards,
/ST Wong  (st-w...@cuhk.edu.hk)



Re: Multiple instance of proxy

2010-04-23 Thread Alan DeKok
brisston...@free.fr wrote:
 I want to authorize the first proxy to manage realm1 and realm2 and the second
 proxy to manage all the realms. I can't find anything in proxy.conf.

  The realms are global.  If you want to limit them to a particular
server, you will need to check for the realms that are allowed, and
permit them.  All other realms should be blocked.

  Alan DeKok.


Re: FreeRadius 2.1.8 and MySQL

2010-04-23 Thread Alan DeKok
John Gammons wrote:
 All,
 
 I have a 2.1.8 freeradius server running and have recently added MySQL
 into the mix.  I am attempting to authenticate a user via EAP-TTLS
 with a PAP inner (for simplicity's sake atm).  The user is valid, in
 the DB with Cleartext-Password, and auths fine when doing a radtest
 (PAP), however, when EAP-TTLS is thrown in the mix it fails with the
 following no auth type config'd error.

  Edit raddb/sites-available/inner-tunnel.  Add sql there in the same
places you added it in sites-available/default.

  Alan DeKok.
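To make that fix concrete, here is the `authorize` section of `raddb/sites-available/inner-tunnel` with `sql` added, as an added example that is neither from the post nor the project's shipped file. The module order follows John's debug output above (`mschap`, `unix`, `suffix`, `control`, `eap`, `files`, `expiration`, `logintime`, `pap`), which shows the gap: `sql` never runs inside the tunnel, so no `Cleartext-Password` is found there and `pap` has nothing to set `Auth-Type` from.

```text
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        # Added line: the inner tunnel now reads the user's Cleartext-Password
        # from radcheck exactly as sites-available/default already does.
        sql
        expiration
        logintime
        pap
    }

    # authenticate, session, post-auth and post-proxy sections are unchanged.
}
```

With `radiusd -X`, the `server inner-tunnel` block of the output should then show `++[sql] returns ok` followed by `++[pap] returns updated`, and the tunneled reply code becomes an Access-Accept instead of the reject in the log above. If `sql` is also listed in `post-auth` of `default`, decide deliberately whether the inner-tunnel `post-auth` should log as well, since that would write the inner identity to radpostauth.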


Re: Block access by Tunnel client IP?

2010-04-23 Thread Alan DeKok
ST Wong (ITSC) wrote:
  Hi all,
 
 I'm using freeradius 2.1.3. Would like to know if it's possible to
 block access (maybe in the users file) by checking the following criteria?
 
 Acct-Tunnel-Client-Endpoint:0 = 137.*.*.* 
 
 Would anyone please help?  Thanks.

$ man unlang

  It explains how to match attributes, how to do regex matches, and how
to reject users.

  Alan DeKok.
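As an added example that is not part of Alan's reply, here is the unlang form of the check the question asks for, written for a 2.1.x `authorize` section (for instance in `sites-enabled/default`). The attribute name and tag are taken as the question writes them; whether that attribute is actually present in the Access-Request, rather than only in accounting packets, is something to confirm with `radiusd -X` before relying on the rule, because a condition on an absent attribute is simply false and the request passes through untouched.

```text
authorize {
    # ... preamble modules (preprocess, chap, mschap, suffix, ...) unchanged

    # Reject any request whose tunnel client endpoint is in 137.0.0.0/8.
    # "[.]" matches a literal dot and "^" anchors the match to the start of
    # the value, so 1137.x.x.x or 37.x.x.x do not match by accident.
    if (Acct-Tunnel-Client-Endpoint:0 =~ /^137[.]/) {
        reject
    }

    # ... remaining modules (files, sql, expiration, logintime, pap, ...) unchanged
}
```

The same comparison can be written as a `DEFAULT` entry with `=~` in the users file, as the question suggests, but keeping it in unlang makes the rule visible in the virtual server next to the modules it short-circuits, and `radiusd -X` prints the condition's result for each request.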


Re: Using Radiusclient to implement a radius client on Windows platform?

2010-04-23 Thread Alan DeKok
Joshua Lim wrote:
 Hi, I'm a newbie, hope someone can help me.  I'm trying to implement a
 radius client on the Windows platform to work with freeradius.  I intend to
 use VC++ or Delphi.  radiusclient is for the linux platform, can I adapt it
 for Windows?

  You'll have to hack the source code.  It's not really portable right now.

  Alan DeKok.


Re: Using Radiusclient to implement a radius client on Windows platform?

2010-04-23 Thread Joshua Lim

Hi Alan,

Thanks, how about using the pgina radius plugin?
http://userpage.fu-berlin.de/~holger/radiusplugin/RADIUSplugin-0.3src.zip

It has code taken from pam_radius_auth.

Is pam_radius_auth using radiusclient?

Rgds,
Joshua


Alan DeKok wrote:

Joshua Lim wrote:
  

Hi, I'm a newbie, hope someone can help me.  I'm trying to implement a
radius client on the Windows platform to work with freeradius.  I intend to
use VC++ or Delphi.  radiusclient is for the linux platform, can I adapt it
for Windows?



  You'll have to hack the source code.  It's not really portable right now.

  Alan DeKok.


  




Re: Multiple instance of proxy

2010-04-23 Thread brisstony21
Selon Alan DeKok al...@deployingradius.com:

 brisston...@free.fr wrote:
  I want to authorize the first proxy to manage realm1 and realm2 and the
 second
  proxy to manage all the realms. I can't find anything in proxy.conf.

   The realms are global.  If you want to limit them to a particular
 server, you will need to check for the realms that are allowed, and
 permit them.  All other realms should be blocked.

   Alan DeKok.


Thanks.

Can you send me an example please... I don't know how to do that.

Thanks in advance.

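The example requested above, added here and not part of the thread: since the realms in `proxy.conf` are global, each proxy virtual server allow-lists the realms it is permitted to forward, which is exactly the check-then-permit arrangement Alan describes. The realm and proxy names are the ones from the question; the listen addresses and ports are constructed placeholders, and `suffix` is the default `rlm_realm` instance that splits `user@realm` and sets `Realm` and `Proxy-To-Realm`. Each virtual server needs its own socket, so the NAS chooses which proxy handles it by the port it sends to.

```text
server proxy1 {
    listen {
        type   = auth
        ipaddr = *
        port   = 1812          # placeholder port
    }

    authorize {
        # Splits user@realm, adds Realm, and sets Proxy-To-Realm when the realm
        # is defined in proxy.conf.
        suffix

        # Allow-list: only realm1 and realm2 may leave through proxy1. An
        # unknown realm leaves Realm unset, so it is rejected here as well.
        if (!((Realm == "realm1") || (Realm == "realm2"))) {
            reject
        }
    }
}

server proxy2 {
    listen {
        type   = auth
        ipaddr = *
        port   = 11812         # placeholder port, must differ from proxy1
    }

    authorize {
        suffix

        # proxy2 may forward all three realms; anything else is still rejected.
        if (!((Realm == "realm1") || (Realm == "realm2") || (Realm == "realm3"))) {
            reject
        }
    }
}
```

Add a second `listen { type = acct ... }` block to each server if accounting is proxied too, and apply the same condition in `preacct`. Test with `radiusd -X`: a request for `user@realm3` on port 1812 should show the `if` condition evaluating to true and `++[reject]` before any `Proxy-To-Realm` handling, while the same request on port 11812 proceeds to the home server for realm3.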