Any PAM authentication module with libradius(3)?

2010-07-20 Thread ABULIUS, MUGUR (MUGUR)
Hello,
Does anybody know why the pam_radius_auth authentication module doesn't use
libradius(3) for greater flexibility? Is there any equivalent PAM authentication
module available that relies on libradius(3)?
Best Regards
Mugur

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Acct-Interim-Interval not working

2010-07-20 Thread Bishal

Hello all,

 I am using freeradius 2.1.6 on FreeBSD 7.2 and the rp-pppoe server
3.10 on Gentoo Linux. During a live session it is not updating
Acct-Input/Output-Octets. Earlier, with the mpd pppoe server on FreeBSD, it was
working fine: accounting input and output octets were updated every
5 minutes as configured in the mpd server, but now I have migrated my pppoe
server to rp-pppoe and it's not updating the accounting values. I have set in
the radgroupreply table:

| 34 | Unlimited Premium | Acct-Interim-Interval | := | 300            |
| 35 | Unlimited Premium | Acct-Status-Type      | := | Interim-Update |

I want to create an mrtg graph of users online but due to this problem I am
not able to. Any help?



AW: AW: AW: AW: AW: AW: Freeradius + LDAP password trouble

2010-07-20 Thread Lionne Stangier
It works.

I wrote into ldap.attrmap:
checkItem Cleartext-Password userPassword

In sites-available/default, I commented out everything except ldap and eap.

And I activated LDAP in the sites-available/inner-tunnel authorize section.

Thank you for help.




Freeradius XP Client without certificate

2010-07-20 Thread Lionne Stangier
I need some help again.

Is it possible to use Freeradius without certificate on the XP client?

If I connect to the WLAN with my Iphone, I don’t need the certificate.

Lionne Stangier





Re: Freeradius XP Client without certificate

2010-07-20 Thread Alan DeKok
Lionne Stangier wrote:
 I need some help again.
 
 Is it possible to use Freeradius without certificate on the XP client?

  XP requires at least a root certificate for 802.1X authentication.

 If I connect to the WLAN with my Iphone, I don’t need the certificate.

  It's either doing WEP, or it's ignoring the server certificate.

  Alan DeKok.


Ignoring client certificates

2010-07-20 Thread Vijay Badola
Hi, is there any option/configuration so that we can ignore the certificates
sent by the user?

I am using EAP-TTLS with MSCHAPv2 and want to authenticate the user by
password only, not by the certificate sent by the user.

Please help.

Regards,

Vijay Badola

We have a responsibility to the environment.
Before printing this e-mail or any other document, let's ask ourselves
whether we need a hard copy.

 


AW: Freeradius XP Client without certificate

2010-07-20 Thread Lionne Stangier
 Is it possible to use Freeradius without certificate on the XP client?

  XP requires at least a root certificate for 802.1X authentication.

Hmm .. That’s impractical. If some guests come and want to log in we need to
install the certificates first.

 If I connect to the WLAN with my Iphone, I don’t need the certificate.

  It's either doing WEP, or it's ignoring the server certificate.

No. It doesn’t use WEP and it doesn’t ignore the certificate. The certificate
is on the phone. You only connect to the WLAN and the background settings
are filled in automatically.

Lionne Stangier




Re: DHCP reply with opt82

2010-07-20 Thread Alex

Thanks Alan,

but git pull said that the local sources are up to date.

I've even downloaded them again to another server (no previous versions of
freeradius on it) following http://git.freeradius.org/

$ git clone git://git.freeradius.org/freeradius-server.git
$ cd freeradius-server
$ git fetch origin v2.1.x:v2.1.x
$ git checkout v2.1.x

dhcp.c has these changes:
http://github.com/alandekok/freeradius-server/commit/7d44b0a545a50012aaa60ba996cc976d15745d08

dictionary.dhcp is from 2.1.10
but result is the same (tcpdump):
   Agent-Information Option 82, length 6:
 Unknown SubOption 0, length 4:
   0x:  01e3 0420
   Agent-Information Option 82, length 8:
 Unknown SubOption 0, length 6:
   0x:  001f cab0 ef00

What am I doing wrong?

- Original Message - 
From: Alan DeKok al...@deployingradius.com

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, July 20, 2010 01:54
Subject: Re: DHCP reply with opt82



Alex wrote:

FreeRADIUS Version 2.1.10 (from git sources).
I'm using dhcp feature of freeradius to assign static ips to computers
dynamically.


$ git pull
$ (cd src/lib;make) && (cd src/main;make)


but both this two values (0x000401e30420 and 0x00060000) are
assigned to DHCP-Relay-Agent-Information.
tcpdump shows both as opt82 suboption 0:
5206000401e30420
520800060000

Need help in setting this options correctly.


 Double-check that you're using the dictionary.dhcp file that comes
with 2.1.10.  *Don't* use the file that comes with 2.1.9.

 Alan DeKok.




Radius clients using libradius library with EAP-TTLS/MS-CHAPv2

2010-07-20 Thread ABULIUS, MUGUR (MUGUR)
Hello,
The FreeRADIUS server supports EAP-TTLS with MS-CHAPv2. But is there any way to
build client applications with the libradius library using EAP-TTLS with MS-CHAPv2?

Thanks
Mugur


Re: AW: Freeradius XP Client without certificate

2010-07-20 Thread Alan DeKok
Lionne Stangier wrote:
 Is it possible to use Freeradius without certificate on the XP client?
 
  XP requires at least a root certificate for 802.1X authentication.
 
 Hmm .. That’s impractical. If some guests come and want to login we need to 
 install the certificates first.

  That's how EAP works.  If you don't like it, go back 10 years, and
change the standards.

 If I connect to the WLAN with my Iphone, I don’t need the certificate.
 
  It's either doing WEP, or it's ignoring the server certificate.
 
 No. It doesn’t use WEP and it doesn’t ignoring the certificate. The 
 certificate is on the phone. You only connect to the WLAN and the background 
 settings filled automatic.

  That disagrees with what you said earlier:

1) it doesn't need certs
2) the cert is on the phone

  Be consistent.

  It's impossible to help you if your story changes from message to message.

  And you can't change the way some things work.  EAP-TLS methods
require certificates.  Don't blame me, or FreeRADIUS for that.  All
other products on the market have the same restrictions.

  Alan DeKok.


Re: DHCP reply with opt82

2010-07-20 Thread Alan DeKok
Alex wrote:
 Thanks Alan,
 
 but git pull said that local sources are up to date.

  Or... git pull origin v2.1.x:v2.1.x

 dhcp.c has this changes:
 http://github.com/alandekok/freeradius-server/commit/7d44b0a545a50012aaa60ba996cc976d15745d08

  Yes, that should be it.

 dictionary.dhcp is from 2.1.10

  Are you *sure*?  The version in the source is from 2.1.10.  What about
the installed version?  (/usr/local/share/freeradius/...) Go *check*.

 but result is the same (tcpdump):
Agent-Information Option 82, length 6:
  Unknown SubOption 0, length 4:
0x:  01e3 0420
Agent-Information Option 82, length 8:
  Unknown SubOption 0, length 6:
0x:  001f cab0 ef00
 
 What am I doing wrong?

  Probably not using the right dictionary, or the right version of the
server.

  When I perform the test that's in the git commit message, I get the
correct sub-option format.  Please try that.  If you don't get the
correct suboptions, then you need to use the right dictionary and/or the
right source code.

  Alan DeKok.


Re: Radius clients using libradius library with EAP-TTLS/MS-CHAPv2

2010-07-20 Thread Alan DeKok
ABULIUS, MUGUR (MUGUR) wrote:
 Hello,
 FreeRADIUS server supports EAP-TTLS with MS-CHAPv2. But there is any way
 to build client applications with libradius library using EAP-TTLS with
 MS-CHAPv2?

  See wpa_supplicant, and the eapol_test program.

  The FreeRADIUS library does *not* support client applications which
use EAP-TTLS.

  Alan DeKok.


Re: Ignoring client certificates

2010-07-20 Thread Alan DeKok
Vijay Badola wrote:
 Hi, Is there any option/configuration so that we can ignore the
 certificates sent by user?

  Source code modifications.  See the OpenSSL API.

  As always, patches are welcome.

  Alan DeKok.


AW: AW: Freeradius XP Client without certificate

2010-07-20 Thread Lionne Stangier
 That disagrees with what you said earlier:

 1) it doesn't need certs
 2) the cert is on the phone

I mean you must not manually install the certificate.

 And you can't change the way some things work.  EAP-TLS methods
 require certificates.  Don't blame me, or FreeRADIUS for that.  All
 other products on the market have the same restrictions.

I don’t blame you or Freeradius, because that’s not a Freeradius problem.
Pity that an Iphone can load the certificate automatically and an XP laptop cannot!




Re: DHCP reply with opt82

2010-07-20 Thread Alex Jaliashvili

Sources, server version and dictionary were OK.

The problem was in using the old attributes:
DHCP-Agent-Circuit-Id := "%{request:DHCP-Agent-Circuit-Id}"
DHCP-Agent-Remote-Id := "%{request:DHCP-Agent-Remote-Id}"

Changed them to:
DHCP-Relay-Circuit-Id := "%{request:DHCP-Relay-Circuit-Id}"
DHCP-Relay-Remote-Id := "%{request:DHCP-Relay-Remote-Id}"
and now it works without any problem.

Debug still shows the old attribute DHCP-Agent-Circuit-Id and doesn't show the remote
id at all:

Received DHCP-Discover of id 4a76b25e from 1.1.1.1:67 to 0.0.0.0:67
   DHCP-Opcode = Client-Message
   DHCP-Hardware-Type = Ethernet
   DHCP-Hardware-Address-Length = 6
   DHCP-Hop-Count = 1
   DHCP-Transaction-Id = 1249292894
   DHCP-Number-of-Seconds = 0
   DHCP-Flags = 0
   DHCP-Client-IP-Address = 0.0.0.0
   DHCP-Your-IP-Address = 0.0.0.0
   DHCP-Server-IP-Address = 0.0.0.0
   DHCP-Gateway-IP-Address = 1.1.1.1
   DHCP-Client-Hardware-Address = 00:11:22:33:44:55
   DHCP-Message-Type = DHCP-Discover
   DHCP-Client-Identifier = 00:11:22:33:44:55
   DHCP-Hostname = test
   DHCP-Parameter-Request-List = DHCP-Subnet-Mask
   DHCP-Parameter-Request-List = DHCP-Broadcast-Address
   DHCP-Parameter-Request-List = DHCP-Time-Offset
   DHCP-Parameter-Request-List = DHCP-Classless-Static-Route
   DHCP-Parameter-Request-List = DHCP-Router-Address
   DHCP-Parameter-Request-List = DHCP-Domain-Name
   DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
   DHCP-Parameter-Request-List = DHCP-Hostname
   DHCP-Agent-Circuit-Id = 0x000401e30420



- Original Message - 
From: Alan DeKok al...@deployingradius.com

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, July 20, 2010 16:01
Subject: Re: DHCP reply with opt82



Alex wrote:

Thanks Alan,

but git pull said that local sources are up to date.


 Or... git pull origin v2.1.x:v2.1.x


dhcp.c has this changes:
http://github.com/alandekok/freeradius-server/commit/7d44b0a545a50012aaa60ba996cc976d15745d08


 Yes, that should be it.


dictionary.dhcp is from 2.1.10


 Are you *sure*?  The version in the source is from 2.1.10.  What about
the installed version?  (/usr/local/share/freeradius/...) Go *check*.


but result is the same (tcpdump):
   Agent-Information Option 82, length 6:
 Unknown SubOption 0, length 4:
   0x:  01e3 0420
   Agent-Information Option 82, length 8:
 Unknown SubOption 0, length 6:
   0x:  001f cab0 ef00

What am I doing wrong?


 Probably not using the right dictionary, or the right version of the
server.

 When I perform the test that's in the git commit message, I get the
correct sub-option format.  Please try that.  If you don't get the
correct suboptions, then you need to use the right dictionary and/or the
right source code.

 Alan DeKok.




Re: DHCP reply with opt82

2010-07-20 Thread Alan DeKok
Alex Jaliashvili wrote:
 The problem was in using old attributes:
 DHCP-Agent-Circuit-Id := %{request:DHCP-Agent-Circuit-Id}
 DHCP-Agent-Remote-Id := %{request:DHCP-Agent-Remote-Id}

  Uh... no.  The dictionary.dhcp that is included with 2.1.10 has the
*same* definition for those attributes.

ATTRIBUTE   DHCP-Agent-Circuit-Id   1   octets
ATTRIBUTE   DHCP-Agent-Remote-Id2   octets

ATTRIBUTE   DHCP-Relay-Circuit-Id   1   octets
ATTRIBUTE   DHCP-Relay-Remote-Id2   octets

  They are in the DHCP-Relay-Agent-Information TLV.

  If you have ANYTHING ELSE for these attributes, then you are not using
the correct dictionary.

 Changed them to:
 DHCP-Relay-Circuit-Id := %{request:DHCP-Relay-Circuit-Id}
 DHCP-Relay-Remote-Id := %{request:DHCP-Relay-Remote-Id}
 and now it works without any problem.

  Which indicates that you're not using the correct dictionary.dhcp file.

 Debug still shows old attibute DHCP-Agent-Circuit-Id and doesn't show
 remote id at all:

  If the debug log shows DHCP-Agent-Circuit-Id, it's because you are
using the OLD dictionary.dhcp file.  Go fix that.

  The OLD file had DHCP-Agent-* listed LAST, which over-rode any
previous definitions.

  The only issue left in the version you have is that it looks like the
*first* attribute inside of option 82 is printed in debug mode, and the
others aren't printed.  But a tcpdump shows that all of them are in
the packet.

  I'll put a fix for the debug output for 2.1.10.

  Alan DeKok.


Re: Any PAM authentication module with libradius(3)?

2010-07-20 Thread Alan DeKok
ABULIUS, MUGUR (MUGUR) wrote:
 Hello,
 Somebody knows why pam_radius_auth authentication module doesn’t use
 libradius(3) for grater flexibility?

  Because it was written before the RADIUS libraries.

  And what greater flexibility do you want?

 There is any equivalent PAM
 authentication module available that relays on libradius(3)?

  No.

  Alan DeKok.

RE: Any PAM authentication module with libradius(3)?

2010-07-20 Thread ABULIUS, MUGUR (MUGUR)
  And what greater flexibility do you want?

Something like

client hostname|ip-address|ip-network {
    attribute = value
}

that is specified as in clients.conf.
Best Regards
Mugur


Re: Any PAM authentication module with libradius(3)?

2010-07-20 Thread Alan DeKok
ABULIUS, MUGUR (MUGUR) wrote:
  And what greater flexibility do you want?
 
 Something like 
 client hostname|ip-address|ip-network {
attribute = value
  }
 that is specified like for clients.conf

  Uh... the PAM library is a client.  So having a client definition
doesn't make sense.  And nothing in the clients.conf file lets you set
*radius* attributes.

  Perhaps you could explain what you want to *do* with the changes.
Simply saying allow more complex config files isn't useful.

  Alan DeKok.


proxy everyone

2010-07-20 Thread marco perugini

Hi list!
I'm setting up my FreeRADIUS architecture with a single proxy and
multiple servers;

Here's my scenario:
freeradius server # 1 - my own server [realm local.net]
freeradius server # 2 - external server [realm ext.net]
freeradius proxy - I know everything about the users I proxy towards my
server [# 1] but I don't know anything about the users I proxy towards the
external server [# 2]. I would proxy every_usern...@ext.net just to log
requests.


So this is my question for you: can I use rlm_realm to proxy an entire
realm without knowing the usernames, just to trace auth/acct requests? Or
am I completely crazy?


i hope you'll understand my question. ;)

thanks,
duffy


Re: Redirection to the NAS of an external CoA request

2010-07-20 Thread newtownz

Here are a few lines from my cfg files:

In radiusd.conf:

proxy_requests  = yes
$INCLUDE proxy.conf


In proxy.conf:

# (this is where I want to forward)
home_server aruba {
    type = coa
    ipaddr = xx.yy.110.148
    port = 1812
    src_ipaddr = xx.yy.110.128
    coa {
        # Initial retransmit interval: 1..5
        irt = 2

        # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
        mrt = 16

        # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
        mrc = 5

        # Maximum Retransmit Duration: 5..60
        mrd = 30
    }
    secret = testing123
}

home_server_pool to_aruba {
    home_server = aruba
}

###Not really sure about the validity of the last 3 lines...

And now I'm puzzled as to how to set the Home-server-pool
as stated in recv-coa section of coa:

recv-coa {
    #  CoA & Disconnect packets can be proxied in the same
    #  way as authentication or accounting packets.
    #  Just set Proxy-To-Realm, or Home-Server-Pool, and the
    #  packets will be proxied.

I tried to find the way that it is done for authentication packet
and did not succeed.

Also I just want to know if my understanding about the whole
process of proxying the CoA is right:

The default server config file is of no use here, in the coa
I have to state somehow that I want the request to be forwarded
to the controller and in the proxy.conf file I have to create
this controller-server so that freeradius won't complain about
an unknown IP address.

Jean



Alan DeKok-2 wrote:
 
 newtownz wrote:
 I'm trying to figure out how to send a CoA from freeRadius
 to the NAS.  The set-up I have involves two servers and an 
 Aruba controller.  
 
   i.e. proxying CoA packets through FreeRADIUS to the NAS.
 
   While this should work, it's not a deeply tested scenario.
 
  In this test set-up the client authenticates locally on the
 freeRadius server.  The server listen on port 3799 for a CoA request
 that is generated from another computer, the freeRadius accepts
 the request and sends a ACK to the generator but it does not
 send anything to the NAS, 
 
   Did you configure the server to proxy the CoA request?  Look for
 proxy in raddb/sites-available/coa in 2.1.9.
 
 I tried to supply in the request a
 NAS-IP-Address attribute and also tried with Packet-Dst-IP-Address
 with no success. Also tried different things in CoA and Originate-CoA
 with the same results.
 
   Well.. the coa documents exactly what you need to do.  Trying random
 *undocumented* things won't make it work.
 
 The goal I'm trying to reach is to supply the user-name in the
 CoA request that will force the client to silently reconnect and
 in the meantime I will have changed the Access-List accessible to
 the client.
 
   Use a Disconnect-Request packet to make the client disconnect.
 
 1: Is it possible to send a CoA request to the freeRadius server
 and then have it relay the request to the Aruba controller?
 
   Yes.  This is called proxying
 
 2: If it is possible what do I have to put in the configs file
 and where?
 
   This is documented.
 
   Alan DeKok.
 
 




Re: proxy everyone

2010-07-20 Thread Alan DeKok
marco perugini wrote:
 so this is my question for you: can i use rlm_realm to proxy an entire
 realm without knowing the usernames just to trace auth/acct requests? 

  Yes.  That's what realms are for.  People have been doing this with
RADIUS since 1995 or so.

  Alan DeKok.


Re: Redirection to the NAS of an external CoA request

2010-07-20 Thread Alan DeKok
newtownz wrote:
 And now I'm puzzled as to how to set the Home-server-pool
 as stated in recv-coa section of coa:

  recv-coa {
...
update control {
Home-Server-Pool := to_aruba
}
...
  }

 I tried to find the way that it is done for authentication packet
 and did not succeed.

  raddb/proxy.conf documents proxying for Access-Request &
Accounting-Request packets.

 Also I just want to know if my understanding about the whole
 process of proxying the CoA is right:
 
 The default server config file is of no use here, in the coa
 I have to state somehow that I want the request to be forwarded
 to the controller and in the proxy.conf file I have to create
 this controller-server so that freeradius won't complain about
 an unknown IP address.

  Yes.  You have to define WHERE it will be proxied.  Since RADIUS uses
shared secrets, you have to define the shared secret, too.

  Alan DeKok.


Re: Acct-Interim-Interval not working

2010-07-20 Thread Alan DeKok
Bishal wrote:
  I am using freeradius 2.1.6 on FreeBSD 7.2 and using rp-pppoe server
 3.10 on gentoo linux. During live session it is not updating
 acct-input/ouput-octets.

  Is the NAS sending packets with those fields?  What does debug mode say?

 Earlier with mpd pppoe server on freebsd it was
 working fine accounting input and output octets were updating every
 5mins as configured in mpd server but now I have migrated my pppoe
 server to rp-pppoe and it's not updating account values.

  Well... this really sounds like an issue with rp-pppoe.

  Alan DeKok.


AD groups in user file for dynamic Vlans

2010-07-20 Thread Saleh Abuzid
Hello FreeRADIUS users,

I'm trying to get FreeRADIUS to send a VLAN ID to some group in AD (Win 2003),
but it seems that RADIUS cannot pull out the info about the groups even though
the RADIUS server is joined to AD. RADIUS ignores the group and goes back to the
default or preferred VLAN. I'm running the latest version of FreeRADIUS; here is my
config:

DEFAULT  Ldap-Group == X, NAS-IP-Address == xxx.xxx.xxx.xxx
         Service-Type = Login-User,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 210,
         Fall-Through = no

When I remove the Ldap-Group, RADIUS can send a request for VLAN 210.

Just for info, I'm able to pull out info via wbinfo -g. I wonder if we have
to do something in /etc/freeradius/modules/mschap in the last lines:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AD --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

Any suggestions?

Best regards

Saleh Abuzid

Gunnerus gate 1
Høgskolen i Sør-Trøndlag (HiST)
SPO-IKT
Department Engineer

tel: 73559672
E-mail: saleh.abu...@hist.no


freeradius and ADSL-Agent-Circuit-Id

2010-07-20 Thread Mike

Greetings,

   I would like to be able to incorporate processing of
ADSL-Agent-Circuit-Id into my freeradius / mysql environment. I have a
stock debian / freeradius2 server with a local mysql database, and my
BRAS is correctly getting this attribute to me and I see it under
freeradius -X. I would like to implement a policy of 'ignore
username/password' and instead authenticate based on the presence of
this attribute and the database entry corresponding to it. I do not want
to simply overwrite User-Name with the attribute; I really want to only
perform this step if the attribute is actually present, and otherwise proceed
normally for chap/pap. So I guess the question is, how can I
conditionally authenticate based on the presence of this attribute (and a
corresponding db entry saying Auth-Type = Accept or Reject)?
Previous posters suggesting overwriting User-Name open up a hole where,
if anyone just makes their username the same as a valid circuit ID,
they'd be allowed in, and really I want to enforce it based on the presence
of the actual attribute itself.


Mike-




RE: freeradius and ADSL-Agent-Circuit-Id

2010-07-20 Thread Tim Sylvester
Add this into the authorize section:


authorize {
    # If the BRAS supplied a circuit ID, use it as both username and password
    if (ADSL-Agent-Circuit-Id) {
        update request {
            User-Name     := "%{ADSL-Agent-Circuit-Id}"
            User-Password := "%{ADSL-Agent-Circuit-Id}"
        }
    }
}

Make sure to add the User-Name (ADSL-Agent-Circuit-Id) to radcheck and
set the password to the value of ADSL-Agent-Circuit-Id.

+--------+-----------+--------------------+----+-----------+
| id     | username  | attribute          | op | value     |
+--------+-----------+--------------------+----+-----------+
| 226529 | adslagent | Cleartext-Password | := | adslagent |
+--------+-----------+--------------------+----+-----------+
1 row in set (0.00 sec)

Tim

 -Original Message-
 From: freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
 Of Mike
 Sent: Tuesday, July 20, 2010 12:37 PM
 To: FreeRadius users mailing list
 Subject: freeradius and ADSL-Agent-Circuit-Id

 Greetings,

 I would like to be able to incorporate processing of
 ADSL-Agent-Circuit-Id into my freeradius / mysql environment. I have a
 stock debian / freeradius2 server with a local mysql database, and my
 bras is correctly getting this attribute to me and I see it under
 freeradius -X. I would like to implement a policy of 'ignore
 username/password' and instead authenticate based on the presence of
 this attribute and the database entry corresponding to it. I do not
 want
 to simply overwrite User-Name with the attribute, I really want to only
 peform this step if the attribute is actualy present otherwise proceed
 normally for chap/pap. So I guess the question is, how can I
 conditionally authenticate based on presence of this attribute (and a
 corresponding db entry saying Auth-type = Accept or Reject)?
 Previous posters suggesting overwriting User-Name open up a hole where
 if anyone just makes their username the same as a valid circuit ID,
 they'd be allowed and really I want to enforce it based on the presence
 of the acutal attribute itself.

 Mike-






Re: freeradius and ADSL-Agent-Circuit-Id

2010-07-20 Thread Mike

Tim Sylvester wrote:

Add this into the authorize section:


authorize {
    # If the BRAS supplied a circuit ID, use it as both username and password
    if (ADSL-Agent-Circuit-Id) {
        update request {
            User-Name     := "%{ADSL-Agent-Circuit-Id}"
            User-Password := "%{ADSL-Agent-Circuit-Id}"
        }
    }
}

Make sure to add the User-Name (ADSL-Agent-Circuit-Id) to radcheck and
set the password to the value of ADSL-Agent-Circuit-Id.

+--------+-----------+--------------------+----+-----------+
| id     | username  | attribute          | op | value     |
+--------+-----------+--------------------+----+-----------+
| 226529 | adslagent | Cleartext-Password | := | adslagent |
+--------+-----------+--------------------+----+-----------+
  
This opens up a security hole I wish to avoid - if someone knows what my
circuit IDs look like, and that database is used in any context where a
user can send an id/password to authenticate that does NOT have
ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user
IDs for the bad guys to use. I am happy having a non-default sql
database schema but I think I really need the sql lookup to be
based on ADSL-Agent-Circuit-Id and not User-Name.


Mike-



RE: freeradius and ADSL-Agent-Circuit-Id

2010-07-20 Thread Tim Sylvester
 This opens up a security hole I wish to avoid - if someone knows what
 my circuit IDs look like, and that database is used in any context where
 a user can send an id/password to authenticate that does NOT have
 ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user
 IDs for the bad guys to use. I am happy having a non-default sql
 database schema but I think I really need the sql lookup to be
 based on ADSL-Agent-Circuit-Id and not User-Name.

OK. Read the docs on modifying the SQL schema and the SQL queries.

Tim




Re: AW: AW: Freeradius XP Client without certificate

2010-07-20 Thread Phil Mayers

On 07/20/2010 01:12 PM, Lionne Stangier wrote:

That disagrees with what you said earlier:



1) it doesn't need certs
2) the cert is on the phone


I mean you must not manually install the certificate.


And you can't change the way some things work.  EAP-TLS methods
require certificates.  Don't blame me, or FreeRADIUS for that.  All
other products on the market have the same restrictions.


I don’t blame you or Freeradius, becuase that’s not a Freeradius problem.
Pity, that an Iphone can load the certificate automatic and XP Laptop not


It's a damn shame. The XP supplicant has held back 802.1X by a decade.

HOWEVER - you can fix this by getting a wireless cert from a commercial
provider which is in XP's CA store by default (e.g. VeriSign). You then
need to write tedious instructions telling users which 20 boxes to tick in
Windows to make sure it does the right thing, but at least you don't
have to visit the machine or download anything to it...



RE: freeradius and ADSL-Agent-Circuit-Id

2010-07-20 Thread Tim Sylvester
 This opens up a security hole I wish to avoid - if someone knows what
 my circuit IDs look like, and that database is used in any context where
 a user can send an id/password to authenticate that does NOT have
 ADSL-Agent-Circuit-Id in it, then I've created a bunch of known user
 IDs for the bad guys to use. I am happy having a non-default sql
 database schema but I think I really need the sql lookup to be
 based on ADSL-Agent-Circuit-Id and not User-Name.

OK. You could try a few other things:

Change the radcheck entry to:

  +--------+-----------+-----------------------+----+-----------+
  | id     | username  | attribute             | op | value     |
  +--------+-----------+-----------------------+----+-----------+
  | 226529 | adslagent | ADSL-Agent-Circuit-Id | := | adslagent |
  +--------+-----------+-----------------------+----+-----------+
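A policy that keeps the two identities apart, added here as an example (it is not Tim's or Mike's configuration and not from the FreeRADIUS distribution): the SQL lookup is keyed on the BRAS-supplied attribute itself and User-Name is never rewritten, so a plain PAP/CHAP login that merely guesses a circuit ID still has to pass the normal password check. It assumes FreeRADIUS 2.x unlang, the stock sql, chap and pap module instances, and a constructed table circuit_auth(circuit_id, auth) whose auth column holds either 'Accept' or 'Reject'.

```unlang
# raddb/sites-available/default, authorize section (added example).
# Assumes FreeRADIUS 2.x and a constructed table circuit_auth(circuit_id, auth).
authorize {
    preprocess

    if (ADSL-Agent-Circuit-Id) {
        # The attribute is inserted by the BRAS, not typed by the subscriber,
        # so key the lookup on it directly instead of copying it into User-Name.
        # rlm_sql escapes the nested expansion before it reaches the query.
        if ("%{sql:SELECT auth FROM circuit_auth WHERE circuit_id = '%{ADSL-Agent-Circuit-Id}'}" == "Accept") {
            update control {
                Auth-Type := Accept
            }
        }
        else {
            # Unknown circuit, or one explicitly marked Reject: refuse here so
            # the password path below is never consulted for this request.
            update control {
                Auth-Type := Reject
            }
        }
    }
    else {
        # No circuit ID at all: ordinary subscriber, ordinary radcheck lookup.
        chap
        sql
        pap
    }
}
```

Because the radcheck table is only consulted in the else branch, a circuit ID never becomes a usable username/password pair, which is the hole Mike describes above.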

