Re: How to allow group login on some devices?
Martin Whinnery wrote:
> Now, I'd like to set up our switches to use radius to allow our technicians to log in. And they are all members of an LDAP group. Let's call it cn=techies,ou=groups,dc=example,dc=org. I only want this to be the case for some client devices, namely our switches. Can anyone point me towards the documentation I should have read?

The LDAP-Group attribute will check LDAP group membership.

http://wiki.freeradius.org/Rlm_ldap

You can put switches (or NASes) into groups via the Huntgroup. See raddb/huntgroups.

Then... combine them. In the users file (all on one line):

    DEFAULT LDAP-Group == techies, Huntgroup-Name != some-switches, Auth-Type := Reject

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Documentation question
On 2010/07/21 10:37 PM, Alan DeKok wrote:
> The only reference book available now is the O'Reilly book. I don't recommend it, as I don't think it will help you. What *specifically* are you looking for? The Wiki, documentation, and my http://deployingradius.com/ site contain a lot of information about how the server works, config files, examples, etc.

I find the best documentation to also be the doc/ folder as well as the example config files.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
AW: AW: AW: AW: Freeradius XP Client without certificate
> This is well known. It is in the FAQ, and in the comments in raddb/eap.conf. In short, you did *not* get a certificate that Windows will accept. Read the documentation for details. Look for Windows.

I know these problems, but the certificate supports the extensions. It's a cert that should be known in the Windows trusted root certs. That means theoretically Windows has the cert, and so does our server. But I think I included the cert wrongly at the RADIUS server.
RE: How to display Auth-type in the log
>> Is it possible to display the type of authentication (Auth-type) that the clients used during the authentication?

> In 2.1.9, see msg_goodpass in radiusd.conf. You can put anything you want in there.

Hi Alan

Thank you for your answer. This feature is really useful, thanks. However, how should the string for the Auth-Type look? I tried:

    msg_goodpass = , NAS: %{Calling-Station-Id}, Auth-Type: %{Auth-Type}

but it doesn't work. Probably there should be another string than Auth-Type inside the brackets.

Thanks
pet
Re: How to display Auth-type in the log
Jevos, Peter wrote:
> Thank you for your answer. This feature is really useful, thanks. However, how should the string for the Auth-Type look? I tried:
>
>     msg_goodpass = , NAS: %{Calling-Station-Id}, Auth-Type: %{Auth-Type}
>
> but it doesn't work

It's in the control list:

    ... %{control:Auth-Type} ...

Alan DeKok.
How to separate users to different server...
Environment: PPTP+PPP+FREERADIUS+MYSQL+LINUX

I want to separate users. For example, there are 10 users: user1, user2 ... user10.
I want user1, user2 ... user5 to be able to log in only to server1.
I want user6 ... user10 to be able to log in only to server2.
If user1 logs in to server2, could I send a login failure?

How to finish this task...

Thanks...

--
Spacelee
SV: How to separate users to different server...
What I would do.

Use the etc_group module. Create some groups for your users:

    Group1
    Group2

Add the respective users to the correct groups.

In the users file I will create a line for each login server (client to the radius server). Something like this:

    Client-IP-Address == [login server1], Radius-Group == "[name of group]"

Take a look at the module etc_group to see how you create a group. Then remember to add the group etc_group name to the authentication section of your radius site, probably the sites-enabled/default.

Best regards
Jan Madsen

From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf of Spacelee
Sent: 22 July 2010 12:34
To: FreeRadius users mailing list
Subject: How to separate users to different server...
Controlling with Auth-Type a client must use
Hello Radius People

I'm running freeradius 2.1.8, working great. I'm using the radius servers for many different clients, especially Cisco nodes, and some Unix servers.

I'm using the module passwd, working fine, and I have enabled unix authentication in my default section.

Now when a specific client tries to send username/password to my system, the passwd module is accepting the password fine, but the unix section is rejecting the password, ending in an Access-Reject back to the client.

Some debug here:

    Thu Jul 22 13:22:21 2010 : Info: [kmdov3] Added crypt-Password: 'TLw0SiK4QfQxg' to config_items
    Thu Jul 22 13:22:21 2010 : Info: ++[kmdov3] returns ok
    ...
    Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
    Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject

I do know that the unix module rejects because of an invalid shell, and changing it to a valid shell fixes this problem.

But what I want to do is to set the client to ONLY use kmdov3 as my authentication and not the Unix one. Is this possible?

I have been trying to use the Auth-Type attribute, but can't figure out how to tell that I want to use the kmdov3 authentication type.

Best regards
Jan Madsen
Re: Controlling with Auth-Type a client must use
Madsen.Jan JMD wrote:
> I'm using the module passwd working fine, and I have enabled unix authentication in my default section.

Don't. Use pap. It can do crypt authentication.

>     Thu Jul 22 13:22:21 2010 : Auth: [unix] [jmd]: invalid shell [/usr/bin/bash]
>     Thu Jul 22 13:22:21 2010 : Info: ++[unix] returns reject

Which is what the Unix module does.

> But what I want to do is to set the client ONLY to use kmdov3 as my authentication and not the Unix one. Is this possible?

No. You want crypt authentication, without checking /etc/passwd. Use the pap module.

When you say "only to use kmdov3 as my authentication", it means you have confused authorization and authentication. They are *very* different.

> I have been trying to use the Auth-Type attribute, but can't figure out how to tell that I want to use the kmdov3 authentication type.

Don't. Don't set Auth-Type. In the default configuration, all you need to do is:

1) configure the kmdov3 module in raddb/modules
2) list kmdov3 in the authorize section *before* the pap module
3) authentication *will* work

Alan DeKok.
How to apply logical OR in the auth. module
Hi

I have in the modules/ntlm_auth_vpn command:

    exec ntlm_auth_vpn {
        wait = yes
        program = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain1
    }

Is it possible to add another command (with a different domain) and to add OR in order to choose which one will pass? Something like this:

    exec ntlm_auth_vpn {
        wait = yes
        program = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain1
        OR
        program = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain2
    }

It means that Auth-Type ntlm_auth_vpn is right if one of these commands passes.

Thanks
pet
Re: How to apply logical OR in the auth. module
Jevos, Peter wrote:
> I have in the modules/ntlm_auth_vpn command:
> ..
> Is it possible to add another command (with a different domain) and to add OR in order to choose which one will pass? Something like this:
>
>     exec ntlm_auth_vpn {
>         program = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain1
>         OR
>         program = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain2
>     }
>
> It means that Auth-Type ntlm_auth_vpn is right if one of these commands passes.

You can write a shell script to do that. There's no need to do anything in the server.

    #!/bin/sh
    /usr/bin/ntlm_auth ...
    if [ $? = 0 ]; then
        ...

Alan DeKok.
RE: How to apply logical OR in the auth. module
> > I have in the modules/ntlm_auth_vpn command:
> > ..
> > Is it possible to add another command (with a different domain) and to add OR in order to choose which one will pass?
>
> You can write a shell script to do that. There's no need to do anything in the server.
>
>     #!/bin/sh
>     /usr/bin/ntlm_auth ...
>     if [ $? = 0 ]; then
>         ...
>
> Alan DeKok.

Thank you Alan

Yes, I was thinking about it, but I don't know how I can pass the arguments to that script (like mschap:User-Name and so on). When and who will call this script?

thanks
Re: How to apply logical OR in the auth. module
Hi,

> I have in the modules/ntlm_auth_vpn command:

there is another way, too. Simply make a second copy of that module, eg have ntlm_auth_vpn1 and ntlm_auth_vpn2 (each configured with what you want/need) and then read:

http://wiki.freeradius.org/Fail-over

you can then have this sort of thing in your config:

    group {
        ntlm_auth_vpn1 {
            reject = 1
            ok = return
        }
        ntlm_auth_vpn2 {
            reject = 1
            ok = return
        }
    }

alan
Re: How to apply logical OR in the auth. module
Jevos, Peter wrote:
> Yes, I was thinking about it, but I don't know how I can pass the arguments to that script (like mschap:User-Name and so on). When and who will call this script?

You can call the script instead of calling ntlm_auth.

Passing arguments to the script is really a Unix shell scripting question. See man sh, or http://unixhelp.ed.ac.uk/scrpt/scrpt2.1.2.html

Alan DeKok.
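A wrapper script implementing the OR that Alan describes, added here as an example and not code from the thread or from the FreeRADIUS project: the exec module runs it once with the request attributes as arguments, and it calls ntlm_auth once per --require-membership-of value, exiting 0 at the first success. The script name, the argument order, the module config in the comment and the NTLM_AUTH override are assumptions.

```shell
#!/bin/sh
# ntlm_auth_any.sh (hypothetical name): wrapper for FreeRADIUS' exec module that
# accepts the user if ntlm_auth succeeds for ANY of the listed
# --require-membership-of values, i.e. the "logical OR" asked for above.
#
# Suggested module config (assumption, not the thread's original):
#   exec ntlm_auth_vpn {
#       wait = yes
#       program = /usr/local/bin/ntlm_auth_any.sh %{mschap:NT-Domain} %{mschap:User-Name} %{User-Password} domain1 domain2
#   }
# With wait = yes, rlm_exec maps exit code 0 to ok and exit code 1 to reject.

# The path can be overridden so the OR logic can be exercised without Samba installed.
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

# ntlm_auth_any NT_DOMAIN USERNAME PASSWORD MEMBERSHIP...
# Exit status 0 on the first membership value that ntlm_auth accepts,
# 1 if every value is rejected (or if no value was given).
ntlm_auth_any() {
    [ $# -ge 4 ] || return 1
    nt_domain="$1"; username="$2"; password="$3"
    shift 3
    for membership in "$@"; do
        if "$NTLM_AUTH" --request-nt-key \
                --domain="$nt_domain" \
                --username="$username" \
                --password="$password" \
                --require-membership-of="$membership" >/dev/null 2>&1; then
            return 0    # first success wins: accept
        fi
    done
    return 1            # every value failed: reject
}

# Act as a command only when executed directly, not when sourced.
case "$0" in
    *ntlm_auth_any.sh) ntlm_auth_any "$@"; exit $? ;;
esac
```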
RE: How to apply logical OR in the auth. module
> > I have in the modules/ntlm_auth_vpn command:
>
> there is another way, too. Simply make a second copy of that module, eg have ntlm_auth_vpn1 and ntlm_auth_vpn2 (each configured with what you want/need) and then read:
>
> http://wiki.freeradius.org/Fail-over
>
> you can then have this sort of thing in your config:
>
>     group {
>         ntlm_auth_vpn1 {
>             reject = 1
>             ok = return
>         }
>         ntlm_auth_vpn2 {
>             reject = 1
>             ok = return
>         }
>     }

Hi Alan, thank you for your answer.

Yes, it's a good idea, I can create another module ntlm_auth_vpn2. But how should I combine this group section with my command:

    DEFAULT Auth-Type := ntlm_auth_vpn
            Fall-Through = Yes

thanks
Setting up pam_radius_auth
Hi,

I'm trying to get the pam radius module to work. I've built a test radius server (FreeRADIUS Version 2.1.9) and I've set up a linux box with the pam radius module (1.3.17).

The server seems to be set up properly to authenticate users:

    # radtest testing password 127.0.0.1 0 testing123
    Sending Access-Request of id 87 to 127.0.0.1 port 1812
            User-Name = testing
            User-Password = password
            NAS-IP-Address = 127.0.1.1
            NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=87, length=20

I have the following config on the server to correspond to my pam radius client:

clients.conf:

    client testclient1 {
        ipaddr = CLIENTIP
        secret = testing123
        require_message_authenticator = no
        shortname = testc1
        nastype = other     # localhost isn't usually a NAS...
    }

And on the client (using pam_radius_auth) I have the following in /etc/raddb/server:

    # server[:port]    shared_secret    timeout (s)
    SERVERIP           testing123       4

Now, when I try to authenticate my pam radius client, I get this in the client logs:

    Jul 22 10:22:45 (none) pamtest: pam_radius_auth: Got user name testing
    Jul 22 10:22:54 (none) pamtest: pam_radius_auth: Sending RADIUS request code 1
    Jul 22 10:22:54 (none) pamtest: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 267885588.
    Jul 22 10:22:55 (none) pamtest: pam_radius_auth: packet from RADIUS server SERVERIP fails verification: The shared secret is probably incorrect.
    Jul 22 10:22:55 (none) pamtest: pam_radius_auth: All RADIUS servers failed to respond.
    Jul 22 10:22:55 (none) pamtest: pam_radius_auth: authentication failed

And I get this on the radius server (running in debug mode, i.e. radiusd -X):

    rad_recv: Access-Request packet from host CLIENTIP port 18580, id=32, length=72
            User-Name = testing
            User-Password = \237TqI\3335Q\231\025O\020bw\021;\362
            NAS-Identifier = other
            NAS-Port = 17555
            NAS-Port-Type = Virtual
            Service-Type = Authenticate-Only
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = testing, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry testing at line 1
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password ?TqI�5Q??O?bw?;
    [pap] Using clear text password password
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} - testing
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0
    Sending Access-Reject of id 32 to CLIENTIP port 18580
    Waking up in 4.9 seconds.
    Cleaning up request 0 ID 32 with timestamp +24
    Ready to process requests.

Now obviously it says there's a problem with the secret, but I believe I've set up the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong?

Thanks.
No known good password was found in LDAP
Hi,

I have a setup with a laptop, access-point, wireless-controller, freeradius 2.1.8 (ubuntu 10.04) and SLES 10 eDirectory.

When I put the username and password in the users file everything works fine (802.1x, PEAP).

When I try to move authentication to the eDirectory with ldap, I get the "No known good password" warning, but then the user is authorized ([ldap] user aruba authorized to use remote access):

    [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=aruba)
    [ldap] expand: o=org - o=org
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to xxx.yyy.110.136:389, authentication 0
    [ldap] bind as cn=admin,o=org/admin to xxx.yyy.110.136:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in o=org, with filter (uid=aruba)
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user aruba authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0

The password stored in eDirectory is valid. My understanding of eDirectory is that it will never let you see the actual password of a user; it will hash it first. Is this behavior of freeradius normal?

Later in the process the user is rejected because no Auth-Type was found; is this related?

Jean
Re: No known good password was found in LDAP
On 07/22/2010 08:26 PM, newtownz wrote:
> The password stored in eDirectory is valid. My understanding of eDirectory is that it will never let you see the actual password of a user; it will hash it first. Is this behavior of freeradius normal?

There is eDirectory support in the rlm_ldap module which (I believe) does a special query to get the universal password; see the docs for rlm_ldap.

But you (or rather the FreeRadius bind DN) *will* need permissions to read the plaintext password or you're stuck. You need that password or the NT/LM hash to do PEAP/MS-CHAP.

> Later in the process the user is rejected because no Auth-Type was found; is this related?

Yes.
Mac-auth checking in sites-enabled/default
I'm currently using Freeradius v2.1.9 and I'm trying to write a condition in the authorize section to use a different module depending on whether Mac-auth or some other auth is being called.

In reading the wiki (http://wiki.freeradius.org/Mac-Auth) it appears that I want to check (Chap-Password == hash(User-Name)) but I'm having a problem getting the unlang syntax correct. So far, I've tried:

    if (Chap-Password == hash(User-Name)){

which fails with:

    Consecutive conditions at (User-Name))
    /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

and:

    if (Chap-Password == hash %{request:User-Name}) {

which fails with:

    Consecutive conditions at %{request:User-Name})
    /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

So, it appears that I'm having a fundamental failure to understand the conditional statements in unlang. So, is the wiki old/out-of-date, just pseudo code, or is the hash function something that I need to write?

My NAS doesn't send a Service-Type, and the Calling-Station-Id is in a different format that I can munge to get into the same format as User-Name, but I thought the hash option would be the quickest.

Thanks!
Tom Leach