Re: Password Encryption
rrperez wrote:
> Thanks for the response David. Now, I have solved the problem locally by putting an attribute in the ldap.attrmap, but then another problem appears through the wireless network: MSCHAPv2 fails. ... Is there a way for me to solve the mschapv2 error?

Store the passwords in a form which is compatible with MS-CHAP.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Virtual Servers Localhost
Etienne Philip Pretorius wrote:
> I need to make localhost select the correct virtual server based on a custom attribute that is passed to Freeradius.

Virtual servers don't work that way.

> I have three virtual servers, and I use scripts to inject radius accounting packets into the radius server and I would like to ideally select the correct virtual server based on this custom attribute.

Or, you could have the server listen on multiple ports, and update the scripts to select the correct port.

Alan DeKok.
Re: Of accounting data and security
On 2010/08/09 11:14 PM, Alan DeKok wrote:
> The accounting data is sent in the clear on a LAN. This shouldn't be a problem. If you're sending accounting data across the Internet, use IPSec. Don't even pretend to use anything else. RADIUS (and TACACS+) security is simply not as good as IPSec.

Hi,

I've also got a need to implement security in the near future. I've not started yet, but my problem is that the embedded devices that I use do not have enough flash to install the encryption needed for IPsec.

My thinking was to use radsecproxy-freeradius (my NAS, coova, supports radsec).

Any comments on IPsec vs radsec?

Thanks,

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Of accounting data and security
Hi,

> My thinking was to use radsecproxy-freeradius (my nas, coova, supports radsec). Any comments on ipsec vs radsec?

RADIUS with TLS over TCP (what some define as 'RADSec') is good. Can't wait until all mainstream RADIUS servers support it natively. Until then, RADSecproxy will do what you want.

alan
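The point Alan DeKok makes above (plain RADIUS accounting is readable by anyone on the path, and the shared secret only gives an MD5 integrity check) is easy to see on the wire. The following is an added example, not code from the thread or from FreeRADIUS: it builds an RFC 2866 Accounting-Request with a constructed shared secret and sample attributes, then decodes it the way a passive observer on the LAN would, without the secret. Only the Request-Authenticator check needs the secret, and it detects tampering rather than hiding anything; that is the gap IPsec or RADIUS/TLS (RadSec) closes.

```python
"""Why plain RADIUS accounting needs IPsec or TLS on untrusted paths (added example)."""
import hashlib
import hmac
import struct

SECRET = b"testing123"          # constructed shared secret, not a real one
ACCOUNTING_REQUEST = 4

ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
              42: "Acct-Input-Octets", 43: "Acct-Output-Octets", 44: "Acct-Session-Id"}
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _avp(code, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_accounting_request(identifier, secret, attrs):
    """RFC 2866: Request-Authenticator = MD5(header || 16 zero bytes || attrs || secret)."""
    body = b"".join(_avp(c, v) for c, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def sample_packet():
    """Constructed Accounting-Stop for a demo user; the numbers are made up."""
    return build_accounting_request(7, SECRET, [
        (1, b"jhon.doe"),
        (4, bytes([192, 0, 2, 10])),
        (40, struct.pack("!I", 2)),          # Acct-Status-Type = Stop
        (42, struct.pack("!I", 7453)),
        (43, struct.pack("!I", 5195)),
        (44, b"29D015A2275DA802"),
    ])


def passive_decode(packet):
    """What an on-path observer sees: every attribute, no secret required."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    out, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        val = packet[pos + 2:pos + l]
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t == 4:
            out[name] = ".".join(str(b) for b in val)
        elif t == 40:
            out[name] = STATUS_NAMES.get(struct.unpack("!I", val)[0], val.hex())
        elif t in (42, 43):
            out[name] = struct.unpack("!I", val)[0]
        else:
            out[name] = val.decode("latin-1")
        pos += l
    return out


def authenticator_ok(packet, secret):
    """The only protection RFC 2866 offers: origin/integrity via the shared secret."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, auth)
```

Running `passive_decode(sample_packet())` yields the username, session id and byte counts in the clear. Flipping any byte of the packet makes `authenticator_ok` fail, but that is all the secret buys you; confidentiality has to come from the transport.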
Re: Password Encryption
Thanks for the response Alan,

I just need to store the user passwords on my LDAP server in the form of clear-text or NT hash. I read some documentation that Microsoft clients only authenticate with MS-CHAP/v2. What if I use EAP-GTC for my wireless authentication, is that possible?

--
View this message in context: http://old.nabble.com/Password-Encryption-tp29393526p29395757.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Of accounting data and security
Thanks Alan,

At the moment we have restricted the accounting data to a layer 2 VPLS segment; however, I'll investigate the use of IPsec as well, to let those that worry about these things sleep better at night.

n

On Tue, Aug 10, 2010 at 3:53 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> RADIUS with TLS over TCP (what some define as 'RADSec') is good. Can't wait until all mainstream RADIUS servers support it natively. Until then, RADSecproxy will do what you want.
Re: Rlm_Perl question
Thank you.

Basically what I have done is this. I am wanting to use FreeRADIUS as the RADIUS server for a few of my hotspots. They use two different NAS devices. Now the problem I faced is that both NASes use different VSAs for limiting users' bandwidth. So my Perl script will check the NAS-Identifier and cross-reference it with a table in the DB and collect the appropriate NAS device. Then I have an attribute in the radcheck table called databank; I take the value of that attribute and put it together with the attribute that my NAS will understand.

This all seems to be OK. The only thing I need to do now is, when the accounting-stop packet arrives, I need to be able to take sum(acctinputoctets+acctoutputoctets) and subtract that from the total of Databank. This way, no matter if a user is coming from a hotspot with device A to a hotspot with device B, the amount of data that he can move will be constant.

I can write the script, but I am not sure where to do it. How can you write a script to act on an accounting-stop packet?

Thanks

On Mon, Aug 9, 2010 at 9:44 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > I see now that it was my fault (obviously it was going to be). I am using sql, and not the users file as the guide (http://wiki.freeradius.org/Rlm_perl) suggests. I added the Auth-Type attribute into the table and I now cannot login with the user baduser.
> >
> > So radcheck used to look like this
> >
> > +------+----------+-----------+----+---------+
> > | id   | username | attribute | op | value   |
> > +------+----------+-----------+----+---------+
> > | 8813 | baduser  | password  | == | baduser |
> > +------+----------+-----------+----+---------+
> >
> > it now looks like this.
> >
> > +------+----------+-----------+----+---------+
> > | id   | username | attribute | op | value   |
> > +------+----------+-----------+----+---------+
> > | 8813 | baduser  | password  | == | baduser |
> > | 8814 | baduser  | Auth-Type | =  | Perl    |
> > +------+----------+-----------+----+---------+
>
> using a recent version of FR? if so, change that first line to be
>
> | 8813 | baduser | cleartext-password | := | baduser |
>
> (as per the docs!)
>
> your initial question: 'what is /^baduser/i ?'
>
> - its a quick function that checks the User-Name attribute and sees if it matches (and begins with) the word 'baduser' (and is case insensitive). its a quick demo to show the things that you can do. if you were to do this in production, you'd probably have an array of 'bad users' and do a loop function in which you check User-Name against all members of that array (and return a found or not found code back to the routine that fired off the check, eg
>
> if (baduser() ){ }
>
> etc.
>
> alan
RE: Freeradius accounting issues
Subject: Re: Freeradius accounting issues
From: a.cudba...@googlemail.com
Date: Fri, 6 Aug 2010 15:19:24 -0700
To: freeradius-users@lists.freeradius.org

On Aug 6, 2010, at 3:12 PM, Marinko Tarlac wrote:
> Or you can simply make small changes in SQL queries for accounting and you won't need to use unlang...

What do you have exactly in mind? I guess if you really just want to:

> update these entries after a certain time has passed

I have been thinking about that option these days too.

Then that's easy enough with a simple update query; however, it's generally a bad idea to just close out sessions because they've run on too long. Unless of course you don't care about the accuracy of your accounting database.

-Arran

Arran Cudbard-Bell wrote:
> Actually, option 4. If your NAS supports interim updates, you can add an additional field to the accounting database, and update the timestamp in this field every time an interim update packet is received. Then run a cron job to check for timestamps which are older than the interim update period and close those entries. You can do the updates with unlang and SQL xlat.
>
> -Arran

On Aug 6, 2010, at 2:53 PM, Siryx XL wrote:
> Hi everyone.
>
> I got freeradius to AAA the access to Cisco routers. If for some reason you disconnect because the router powers off, an accounting finish packet is not sent to my radius, so in the DB it looks like the user is still logged in. An example:
>
> mysql> select radacctid,username,acctstarttime,acctstoptime from radacct where username = 'jhon.doe' and acctstarttime > '2010-08-05 07:45:30';
> +-----------+----------+---------------------+--------------+
> | radacctid | username | acctstarttime       | acctstoptime |
> +-----------+----------+---------------------+--------------+
> |     93760 | jhon.doe | 2010-08-05 07:45:31 | NULL         |
> |     93761 | jhon.doe | 2010-08-05 07:45:50 | NULL         |
> |     93762 | jhon.doe | 2010-08-05 07:52:23 | NULL         |
>
> What can I do to update these entries after a certain time has passed, or do something else to fix those entries?
>
> Thanks in advance.
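Arran's "option 4" above (stamp a column on every Interim-Update, then have a cron job close rows whose stamp is older than the interim interval) is the approach that keeps the accounting table honest when a NAS dies without sending a Stop. The following is an added example, not code from the thread or from FreeRADIUS; it models both halves against an in-memory SQLite copy of the relevant `radacct` columns. The interim interval, the grace factor and the `Stale-Reaped` terminate cause are assumptions chosen here (the last one is deliberately not a standard Acct-Terminate-Cause value, so reports can tell reaped rows from genuine Stops).

```python
"""Close radacct rows whose NAS stopped sending interim updates (added example)."""
import sqlite3
from datetime import datetime, timedelta

INTERIM_SECS = 300     # assumed Acct-Interim-Interval configured on the NAS
GRACE = 2              # close a session after this many missed updates

SCHEMA = """
CREATE TABLE radacct (
  radacctid INTEGER PRIMARY KEY,
  username TEXT, acctsessionid TEXT, nasipaddress TEXT,
  acctstarttime TEXT, acctupdatetime TEXT, acctstoptime TEXT,
  acctinputoctets INTEGER DEFAULT 0, acctoutputoctets INTEGER DEFAULT 0,
  acctterminatecause TEXT)
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def start_session(db, username, sessionid, nasip, now):
    """Equivalent of accounting_start_query: the update stamp starts equal to the start time."""
    ts = now.isoformat(" ")
    db.execute("INSERT INTO radacct (username, acctsessionid, nasipaddress, acctstarttime, acctupdatetime)"
               " VALUES (?, ?, ?, ?, ?)", (username, sessionid, nasip, ts, ts))


def on_interim_update(db, sessionid, nasip, now, in_octets, out_octets):
    """Equivalent of accounting_update_query: refresh counters and the update stamp."""
    db.execute("UPDATE radacct SET acctupdatetime = ?, acctinputoctets = ?, acctoutputoctets = ?"
               " WHERE acctsessionid = ? AND nasipaddress = ? AND acctstoptime IS NULL",
               (now.isoformat(" "), in_octets, out_octets, sessionid, nasip))


def reap_stale_sessions(db, now, interim=INTERIM_SECS, grace=GRACE):
    """The cron job: close open rows not updated within grace * interim seconds. Returns rows closed."""
    cutoff = (now - timedelta(seconds=interim * grace)).isoformat(" ")
    cur = db.execute("UPDATE radacct SET acctstoptime = ?, acctterminatecause = 'Stale-Reaped'"
                     " WHERE acctstoptime IS NULL AND acctupdatetime < ?",
                     (now.isoformat(" "), cutoff))
    db.commit()
    return cur.rowcount


def open_sessions(db):
    return [r[0] for r in db.execute(
        "SELECT acctsessionid FROM radacct WHERE acctstoptime IS NULL ORDER BY acctsessionid")]


def demo():
    """Constructed scenario: two sessions start, only s2 keeps sending interim updates."""
    db = make_db()
    t0 = datetime(2010, 8, 5, 7, 45, 31)
    start_session(db, "jhon.doe", "s1", "192.0.2.1", t0)
    start_session(db, "jhon.doe", "s2", "192.0.2.1", t0)
    on_interim_update(db, "s2", "192.0.2.1", t0 + timedelta(minutes=15), 7453, 5195)
    closed = reap_stale_sessions(db, t0 + timedelta(minutes=20))
    return closed, open_sessions(db)
```

With a 300 s interval and a grace of 2, the reaper at t0+20 min closes s1 (last stamped at t0) and leaves s2 (stamped at t0+15 min) open. Keep the grace above 1: a single missed update is normal packet loss, and closing on it would produce the inaccurate accounting Arran warns about.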
ldap authentication using free radius
Hello,

We recently had an event during which our RADIUS server lost connectivity to our Active Directory server. All the network gear could contact RADIUS, so none fell back to the backup authentication method (local), but because AD was down we couldn't get into our devices.

Is there a way to use some locally stored password in FreeRADIUS if the LDAP server can't be reached?

Thanks,
Aqdas
Re: ldap authentication using free radius
On 10.08.2010 at 16:54, Aqdas Muneer wrote:
> Is there a way to use some locally stored password in FreeRADIUS if the LDAP server can't be reached?

You can for example use the users file.

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Re: ldap authentication using free radius
So this is what I have in my users file. How can I make it so that the admin account is only used if AD is inaccessible?

admin   Huntgroup-Name == "network-admin", Cleartext-Password := "x"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == "network-admin", Ldap-Group == "networkadmins"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15",
        Auth-Type := LDAP

On Tue, Aug 10, 2010 at 10:59 AM, Nicolas Goutte nicolas.gou...@extragroup.de wrote:
> You can for example use the users file.
Import to MySQL from Flat Files
Hi Guys

I was wondering if there was any easy way to import the accounting packets recorded in the flat files located at /var/log/freeradius/radacct into a MySQL database...

My entries in the flat files look like this (entry stripped):

Wed Jul  7 22:37:39 2010
	NAS-IP-Address = x.x.x.x
	NAS-Identifier = rbggs2
	Called-Station-Id = xx
	Framed-Protocol = GPRS-PDP-Context
	Service-Type = Framed-User
	NAS-Port-Type = Virtual
	NAS-Port = xx
	Calling-Station-Id = xx
	Acct-Status-Type = Stop
	Framed-IP-Address = 10.0.1.46
	Acct-Session-Id = 29D015A2275DA802
	User-Name = xx
	Acct-Input-Octets = 7453
	Acct-Output-Octets = 5195
	Acct-Input-Packets = 108
	Acct-Output-Packets = 53
	Acct-Terminate-Cause = User-Request
	Acct-Authentic = RADIUS
	Acct-Delay-Time = 0
	3GPP-PDP-Type = 0
	3GPP-SGSN-Address = x.x.x.x
	3GPP-GGSN-Address = x.x.x.x
	Acct-Unique-Session-Id = 684b91e88bf31a83
	Timestamp = 1278535059
	Request-Authenticator = Verified

Thanks,
Gabriel
RE: MAC based authentication
Chun (Andrew) Xu wrote:
> You will need EAP-MD5 to do authentication with Juniper EX switch as authenticator. Enable eap in your authorize and authenticate section. The default settings in eap.conf should work without any tweaks.

Great. That worked smoothly. Thank you!
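MAC-RADIUS on the EX, as described above, has the switch act as an EAP-MD5 supplicant on the client's behalf, using the MAC address as both user name and password. The following is an added example, not code from the thread, FreeRADIUS or Juniper: it computes and verifies the EAP-MD5 Response exactly as RFC 3748 section 5.4 (and CHAP, RFC 1994) define it, then shows why this is an allow-list and not an authentication. The challenge bytes and the MAC are constructed. Anyone who captures one exchange can confirm the MAC offline, and EAP-MD5 derives no keying material, so it cannot protect the link; treat a MAC-RADIUS VLAN as guest-grade.

```python
"""EAP-MD5 as used by MAC-RADIUS, and why it only ever proves knowledge of the MAC (added example)."""
import hashlib
import hmac

# Constructed values; a real challenge is random and fresh per request.
CHALLENGE = bytes.fromhex("4ab3cccda64e92e76dfa2a97172cebca")
IDENTIFIER = 0x11


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_eap_md5(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """What the RADIUS server does with the stored password (here, the MAC)."""
    return hmac.compare_digest(eap_md5_response(identifier, password, challenge), response)


def mac_candidates(macs):
    """MAC-RADIUS uses the MAC as the password; enumerate the spellings NAS vendors emit."""
    for mac in macs:
        plain = mac.replace(":", "").replace("-", "")
        yield plain.lower().encode()
        yield plain.upper().encode()
        yield mac.lower().encode()
        yield mac.upper().encode()


def crack_from_capture(identifier: int, challenge: bytes, response: bytes, candidates):
    """Offline guessing against one sniffed exchange: no secret or key protects it."""
    for pw in candidates:
        if eap_md5_response(identifier, pw, challenge) == response:
            return pw
    return None
```

The last function is the practical caveat: the "password" space for MAC-RADIUS is the MAC addresses visible on the segment, so a captured EAP exchange (or simply a captured frame) is enough to impersonate a device. Use it to place unmanaged devices into a restricted VLAN, and use EAP-TLS or PEAP for anything that needs real authentication.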
Re: MAC based authentication
> rad_recv: Access-Request packet from host 10.10.10.254 port 58798, id=45, length=118
>         User-Name = aa7f9c90
>         NAS-Port = 119
>         EAP-Message = 0x021101616130303030376639633930
>         Message-Authenticator = 0x4ab3cccda64e92e76dfa2a97172cebca
>         Acct-Session-Id = 8O2.1x81eb00c2
>         NAS-Identifier = EX4200-VC
>         NAS-Port-Type = Virtual
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[files] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 45 to 10.10.10.254 port 58798
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 45 with timestamp +62
> Ready to process requests.
>
> and on the switch it remains on:
>
> ge-1/0/4.0
>   Role: Authenticator
>   Administrative state: Auto
>   Supplicant mode: Multiple
>   Number of retries: 3
>   Quiet period: 60 seconds
>   Transmit period: 30 seconds
>   Mac Radius: Disabled
>   Mac Radius Strict: Enabled
>   Reauthentication: Enabled
>   Reauthentication interval: 3600 seconds
>   Supplicant timeout: 30 seconds
>   Server timeout: 30 seconds
>   Maximum EAPOL requests: 2
>   Guest VLAN member:
>   Number of connected supplicants: 1
>     Supplicant: aa7f9c90, AA:00:00:7F:9C:90
>       Operational state: Authenticating
>       Authentication method: Radius
>       Authenticated VLAN: configured/default
>       Reauthentication due in 0 seconds
>
> Any clues?

You've enabled 802.1x, not MAC-based VLANs. You'll need to configure 802.1x at the servers or configure MAC-based auth at the switch.
RE: Import to MySQL from Flat Files
One option is to configure FR to be a detail file reader, which will import the files and can write them to the database. Start by looking at the decoupled-accounting file in the sites-available directory. It shows how to set up a detail file reader.

Tim

On Behalf Of Gabriel Marais
Sent: Tuesday, August 10, 2010 8:13 AM
To: freeradius-users@lists.freeradius.org
Subject: Import to MySQL from Flat Files

> I was wondering if there was any easy way to import the accounting packets recorded in the flat files located at /var/log/freeradius/radacct into a MySQL database...
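Tim's suggestion (let FreeRADIUS replay the detail files through the `detail` listener into the SQL module) is the right one for a live server, because it reuses the same queries and the same `Acct-Unique-Session-Id` handling. For a one-off backfill, or to see what the detail format actually contains, the following is an added example, not code from the thread or from FreeRADIUS: it parses the detail format Gabriel shows above (a timestamp line, indented `Attribute = Value` lines, a blank line between records) and loads the records into an SQLite stand-in for the `radacct` table with parameterized queries. The sample file is constructed; the second record's user name is deliberately hostile, because detail files hold NAS-supplied strings verbatim and a hand-rolled `mysql -e "INSERT ..."` loop would be an injection point.

```python
"""Parse FreeRADIUS 'detail' accounting files and load them with parameterized SQL (added example)."""
import re
import sqlite3

# Constructed sample in the detail format: timestamp line, tab-indented attributes, blank separator.
SAMPLE_DETAIL = """Wed Jul  7 22:37:39 2010
\tNAS-IP-Address = 192.0.2.1
\tNAS-Identifier = "rbggs2"
\tAcct-Status-Type = Stop
\tFramed-IP-Address = 10.0.1.46
\tAcct-Session-Id = "29D015A2275DA802"
\tUser-Name = "alice"
\tAcct-Input-Octets = 7453
\tAcct-Output-Octets = 5195
\tAcct-Terminate-Cause = User-Request
\tAcct-Unique-Session-Id = "684b91e88bf31a83"
\tTimestamp = 1278535059

Wed Jul  7 22:40:01 2010
\tNAS-IP-Address = 192.0.2.1
\tAcct-Status-Type = Start
\tAcct-Session-Id = "29D015A2275DA803"
\tUser-Name = "bob'); DROP TABLE radacct; --"
\tTimestamp = 1278535201

"""

ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")


def parse_detail(text):
    """Return one dict per record; the record's own timestamp line is kept under '_timestamp'."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():                     # blank line ends a record
            if current:
                records.append(current)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]              # strings are quoted in detail files
            current[m.group(1)] = value
        else:                                    # unindented line starts a new record
            current = {"_timestamp": line.strip()}
    if current:
        records.append(current)
    return records


def load_records(db, records):
    """Insert with bound parameters; Acct-Unique-Session-Id makes a re-run idempotent."""
    db.execute("CREATE TABLE IF NOT EXISTS radacct ("
               " acctsessionid TEXT, username TEXT, nasipaddress TEXT, acctstatustype TEXT,"
               " acctinputoctets INTEGER, acctoutputoctets INTEGER, acctuniqueid TEXT UNIQUE)")
    inserted = 0
    for r in records:
        cur = db.execute(
            "INSERT OR IGNORE INTO radacct VALUES (?, ?, ?, ?, ?, ?, ?)",
            (r.get("Acct-Session-Id"), r.get("User-Name"), r.get("NAS-IP-Address"),
             r.get("Acct-Status-Type"), int(r.get("Acct-Input-Octets", 0)),
             int(r.get("Acct-Output-Octets", 0)), r.get("Acct-Unique-Session-Id")))
        inserted += cur.rowcount
    db.commit()
    return inserted


def load_sample():
    """Parse the constructed file into an in-memory DB; returns (records, inserted, usernames)."""
    db = sqlite3.connect(":memory:")
    records = parse_detail(SAMPLE_DETAIL)
    inserted = load_records(db, records)
    names = [r[0] for r in db.execute("SELECT username FROM radacct ORDER BY rowid")]
    return len(records), inserted, names
```

Point the same `parse_detail` at the real files under /var/log/freeradius/radacct and swap the SQLite connection for a MySQL one that also binds parameters; the hostile user name lands in the table as data and the table survives. Records without an `Acct-Unique-Session-Id` are not deduplicated here, which is one more reason to prefer the detail reader on a production box.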
Accounting info
Hi all,

Does FreeRADIUS support receiving Interim-Update with the accounting info? Meaning updating the radacct table with user usage / session time at regular intervals?

Regards
RE: RE: MAC based authentication
Phil Mayers wrote:
> You've enabled 802.1x, not MAC-based VLANs. You'll need to configure 802.1x at the servers or configure MAC-based auth at the switch.

I thought I had. Indeed authentication is working now; however, the switch doesn't assign clients to the VLAN the RADIUS server instructs it to. May be off-topic, but would you mind giving me a hint?

The EX monitor output gives me:

Aug 10 17:57:42.740610 Processing authentication response complete
Aug 10 17:57:42.740657 authentication client
Aug 10 17:57:42.740723 Sending message to authentication client
Aug 10 17:57:42.742750 Received message from authentication client
Aug 10 17:57:42.742815 reply: 1aba028 rply_hdr: 1abc000 bytes_remnant :0 len:2757 reply_len:2757
Aug 10 17:57:42.742845 hdr_bytes_read 0
Aug 10 17:57:42.742865 len read : 28 reply_len: 2735
Aug 10 17:57:42.742917 bytes_remnant 2707 tot_bytes_read 28
Aug 10 17:57:42.742954 bytes_read 2707
Aug 10 17:57:42.742974 Creating background job to process reply from authentication client
Aug 10 17:57:42.743103 Entering background job to process message from authentication client
Aug 10 17:57:42.743132 process_auth_reply len:2735
Aug 10 17:57:42.743157 Received VLAN ID/name 110 from authentication server
Aug 10 17:57:42.743199 Invoking state machine for authentication response for mac address AA:00:00:7F:9C:90
Aug 10 17:57:42.743223 on intf ge-1/0/4.0
...

and

r...@ex4200-vc> show dot1x interface
802.1X Information:
Interface     Role           State          MAC address        User
ge-1/0/4.0    Authenticator  Authenticated  AA:00:00:7F:9C:90  aa7f9c90

However:

r...@ex4200-vc> show vlans PRIV0
Name      Tag   Interfaces
PRIV0     110   None

r...@ex4200-vc> show vlans default
Name      Tag   Interfaces
default         ge-1/0/4.0*, ge-1/0/5.0*

That's odd, since I think I did everything appropriate. A snippet from the configuration:

interfaces {
    ...
    ge-1/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ...
}
protocols {
    ...
    dot1x {
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
        }
        authenticator {
            authentication-profile-name auth;
            interface {
                ge-1/0/4.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
                ge-1/0/5.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    }
    ...
}
access {
    radius-server {
        10.10.10.10 {
            ...
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 10.10.10.10;
        }
    }
}
vlans {
    ...
    PRIV0 {
        vlan-id 110;
    }
}
Suffix authentication
I hope someone can help me. I have written in about this problem before, so please forgive me, but it is still plaguing me : )

Quickly, my problem is users cannot log in using usern...@domain but can log in fine with domain\username. One person mentioned the realms module, but when I look at it the default conf looks fine. The delimiter is correctly set to '@'. I tried adding my domains to the realm module by copying the default suffix config and using my domain info, but that causes FR to fail its sanity check.

I am using MSCHAPv2 with PEAP authentication, and when the user fails the logon with usern...@domain the ntlm_auth program reports a bad password, even though the same user will have no problem with domain\username. Also, the FR wiki says the realms file is deprecated ... so what am I supposed to do?

What would be really great would be a script I could use to determine the domain of the user BEFORE they reach ntlm_auth, so I can prepopulate the command with the correct domain and just forget this suffix stuff : ) I think the best place for this would be in the mschap module, but what is the language? Would it be unlang or regular bash scripting?

Thanks for any assistance!

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
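The split Jake asks for (work out the NT domain before ntlm_auth runs, whatever form the user typed) is what the `--domain` and `--username` arguments of Samba's ntlm_auth need. The following is an added example, not code from the thread, FreeRADIUS or Samba: it normalises `DOMAIN\user`, `user@realm` and bare `user` into a (domain, user) pair and builds the ntlm_auth argument vector from it. The realm-to-domain table, the default domain and the names are assumptions; a DNS-style realm such as `corp.example.edu` is usually not the same string as the NetBIOS domain `CORP`, and passing the wrong one is a common reason for a "bad password" that works with the backslash form. The arguments are built as a list so the user-supplied name never reaches a shell; rlm_mschap likewise execs ntlm_auth directly, and its `%{mschap:NT-Domain}` and `%{mschap:User-Name}` expansions do the same split in unlang.

```python
"""Normalise a RADIUS User-Name into the domain/user pair ntlm_auth wants (added example)."""
import subprocess

# Assumed mapping from the realm users type after '@' to the NetBIOS domain ntlm_auth expects.
REALM_MAP = {"corp.example.edu": "CORP"}


def split_identity(name, default_domain=None, realm_map=REALM_MAP):
    """Return (DOMAIN or None, user) for 'DOMAIN\\user', 'user@realm' or a bare 'user'."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, realm = name.rpartition("@")         # rpartition: only the last '@' is the realm
        domain = realm_map.get(realm.lower(), realm)
    else:
        domain, user = default_domain, name
    return (domain.upper() if domain else None), user


def ntlm_auth_args(name, default_domain, challenge_hex, nt_response_hex, binary="ntlm_auth"):
    """argv for Samba's ntlm_auth; list form, so no shell ever parses the user name."""
    domain, user = split_identity(name, default_domain)
    args = [binary, "--request-nt-key"]
    if domain:
        args.append(f"--domain={domain}")
    args += [f"--username={user}", f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]
    return args


def run_ntlm_auth(name, default_domain, challenge_hex, nt_response_hex):
    """Invoke ntlm_auth without a shell; exit status 0 means the MS-CHAPv2 response verified."""
    proc = subprocess.run(ntlm_auth_args(name, default_domain, challenge_hex, nt_response_hex),
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout.strip()
```

The challenge and NT-response hex strings come from the MS-CHAPv2 exchange (`%{mschap:Challenge}` and `%{mschap:NT-Response}` in the FreeRADIUS configuration); the example only assembles the command line around them.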
curious network problem
        Message-Authenticator = 0x
        User-Name = john
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user john
++[eap] returns ok
+- entering group post-auth {...}
[reply_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/reply-detail-20100810
[reply_log] /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/reply-detail-20100810
[reply_log] expand: %t -> Tue Aug 10 17:19:34 2010
++[reply_log] returns ok
[sql] expand: %{User-Name} -> anonymous
[sql] sql_set_user escaped user --> 'anonymous'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'anonymous', '', 'Access-Accept', '2010-08-10 17:19:34')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'anonymous', '', 'Access-Accept', '2010-08-10 17:19:34')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 7 to 127.0.0.1 port 40609
        MS-MPPE-Recv-Key = 0x1e4491c233d0270c4f3bc4829f088dfbc8dcd8ba6541683752b76e424ffea8de
        MS-MPPE-Send-Key = 0x64317ca56d6213c2e04813b157c9e923ed8d33b7dd0f6a8fd51aacb8c5bd790c
        EAP-Message = 0x03070004
        Message-Authenticator = 0x
        User-Name = anonymous
Finished request 35.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 28 ID 0 with timestamp +4232
Cleaning up request 29 ID 1 with timestamp +4232
Cleaning up request 30 ID 2 with timestamp +4232
Cleaning up request 31 ID 3 with timestamp +4232
Cleaning up request 32 ID 4 with timestamp +4232
Cleaning up request 33 ID 5 with timestamp +4232
Cleaning up request 34 ID 6 with timestamp +4232
Cleaning up request 35 ID 7 with timestamp +4232
Ready to process requests.
RE: Accounting info
> Does freeradius support receiving Interim-Update with the accounting info? meaning updating the radacct table with user usage / session time at regular intervals?

Yes. You need to make sure that your NAS is configured to send the updates.

Tim
RE: RE: MAC based authentication
I really think the VLAN assignment problem is related to your EX4200 VC. FreeRADIUS has done its job. You probably have to contact JTAC. BTW, which version of JUNOS are you running on the EX4200 VC? The latest version JTAC recommended is 10.0S6.1. Hope this will help.

-----Original Message-----
From: ralfhe...@freenet.de
Sent: August 10, 2010 1:11 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: RE: MAC based authentication

> Indeed authentication is working now, however the switch doesn't assign clients to the VLAN the RADIUS server instructs it to.
RE: RE: MAC based authentication
I forgot to mention one thing. I am using the VLAN name instead of the VLAN ID to do dynamic VLAN assignment. It works for me. You could try the following.

aa7f9c90    Auth-Type := EAP, Cleartext-Password == "aa7f9c90"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "PRIV0"

-----Original Message-----
From: ralfhe...@freenet.de
Sent: August 10, 2010 1:11 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: RE: MAC based authentication

> Indeed authentication is working now, however the switch doesn't assign clients to the VLAN the RADIUS server instructs it to.
Re: Accounting info
Currently I use 2.1.4. Is this functionality supported in the 2.1.4 release?

Regards

On Tue, Aug 10, 2010 at 6:54 PM, Tim Sylvester tim.sylves...@networkradius.com wrote:
> Yes. You need to make sure that your NAS is configured to send the updates.
Re: Rlm_Perl question
Ok, I believe that I may have done this. In the dialup.conf file I edited accounting_stop_query to update my attribute. It is the only place where I saw anything happening on accounting-stop. Hope that is correct.

On Tue, Aug 10, 2010 at 3:20 PM, Tyller D tyll...@gmail.com wrote:
> I can write the script, but I am not sure where to do it. How can you write a script to act on an accounting-stop packet?
EAP-TLS and default user?!
Hi,

I want to secure my WPA network with PEAP-MSCHAPv2 and EAP-TLS. The first one already works (including LDAP server) but the second one fails. This is the output of freeradius -X:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.200.151 port 2049, id=0, length=111
        NAS-IP-Address = 192.168.200.151
        Called-Station-Id = 0016b6a3ee04
        Calling-Station-Id = 001de0121c0d
        NAS-Identifier = 0016b6a3ee04
        NAS-Port = 3
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020501
        Message-Authenticator = 0x31e54d9d928ba685321f40fd2d46667a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: Proxy reply, or no User-Name. Ignoring.
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 5
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: UserIdentity Unknown
rlm_eap: Identity Unknown, authentication failed
rlm_eap: Failed in handler
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [no User-Name attribute/via Auth-Type = EAP] (from client ap port 3 cli 001de0121c0d)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 192.168.200.151 port 2049
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +106
Ready to process requests.

As client I use Windows XP SP2. I searched a lot in the net and all I found was that the supplicant should be broken because it should send a username along.

Well, I can not imagine this because then this would be mentioned in ANY of these tutorials. Maybe I also need to add a special default entry to the users file? I played around but still I did not get it working.

Can anybody give me a hint where to start?

Regards,
Luke
Re: EAP-TLS and default user?!
Lukas Haase wrote:
> I searched a lot in the net and all I found was that the supplicant should be broken because it should send a username along.

Yes. The supplicant is broken. *Or* you somehow managed to get it to do 802.1X with an empty user name.

> Well, I can not imagine this because then this would be mentioned in ANY of these tutorials. Maybe I also need to add a special default entry to the users file?

No. The supplicant is broken.

> I played around but still I did not get it working. Can anybody give me a hint where to start?

Fix the supplicant.

Alan DeKok.
Re: Suffix authentication
Sallee, Stephen (Jake) wrote:
> Quickly, my problem is users cannot log in using usern...@domain but can login fine with domain\username.

So... what is different in the debug log between the two requests?

> One person mentioned the realms module, but when I look at it the default conf looks fine. The delimiter is correctly set to '@'. I tried adding my domains to the realm module by copying the default suffix config and using my domain info but that causes FR to fail its sanity check.

Because you made some random change without understanding how the server works, or reading the documentation.

> I am using MSCHAPv2 with PEAP authentication and when the user fails the logon with usern...@domain the ntlm_auth program reports a bad password even though the same user will have no problem with domain\username. Also, the FR wiki says the realms file is deprecated ... so what am I supposed to do?

Read proxy.conf. It defines the realm names. The realms module just searches the User-Name in various ways (suffix, prefix, ntdomain), and then sees if there is a matching realm.

> What would be really great would be a script I could use to determine the domain of the user BEFORE they reach ntlm_auth so I can prepopulate the command with the correct domain and just forget this suffix stuff : ) I think the best place for this would be in the mschap module but what is the language? Would it be unlang or regular bash scripting?

The default config documents how to define realms.

Alan DeKok.
PPTP auth vs samba-ldap, 691
Greetings,

Trying to get FreeRADIUS 2.1.8 to authenticate VPN users for PfSense's PPTP server. I am having an issue similar to the one in this old list post: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40632.html. When I try to log into the VPN from a Windows client, I get the error message "Error 691: Access was denied because the user name and/or password was invalid on the domain.", but radius logs show Access-Accept.

My major difference is that I am using a LDAP backend which contains NT passwords (it is also the LDAP backend for my samba server). Tried fiddling with mppe and encryption settings in the mschap module, but always get the same results.

freeradius -X debug below, as always any reply would be great.

rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166
        NAS-Identifier = pfsense.local
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 192.168.1.153
        User-Name = cjohnson
        MS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
        MS-CHAP2-Response = 0x0100991b81f3bbq3859d8qa75ae826662d869584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
server vpn {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = cjohnson, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[vpn]   expand: dc=corp,dc=example,dc=com -> dc=corp,dc=example,dc=com
[vpn]   expand: %{Stripped-User-Name} ->
[vpn]   ... expanding second conditional
[vpn]   expand: %{User-Name} -> cjohnson
[vpn]   expand: (&(objectClass=posixAccount)(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(objectClass=posixAccount)(uid=cjohnson))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.99:389, authentication 0
[ldap] bind as cn=admin,dc=corp,dc=example,dc=com/s3cr3t to 192.168.1.99:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=corp,dc=example,dc=com, with filter (&(objectClass=posixAccount)(uid=cjohnson))
[ldap] ldap_release_conn: Release Id: 0
[vpn] WARNING: Deprecated conditional expansion :-. See man unlang for details
[vpn]   ... expanding second conditional
[vpn]   expand: %{User-Name} -> cjohnson
[vpn]   expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=cjohnson))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=example,dc=com, with filter (&(cn=VPN)(&(objectClass=posixGroup)(memberUid=cjohnson)))
rlm_ldap::ldap_groupcmp: User found in group VPN
[ldap] ldap_release_conn: Release Id: 0
[vpn] users: Matched entry DEFAULT at line 5
++[vpn] returns ok
[ldap] performing user authorization for cjohnson
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> cjohnson
[ldap]  expand: (&(objectClass=posixAccount)(uid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(objectClass=posixAccount)(uid=cjohnson))
[ldap]  expand: dc=corp,dc=example,dc=com -> dc=corp,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=corp,dc=example,dc=com, with filter (&(objectClass=posixAccount)(uid=cjohnson))
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0x4039323544423042363155514544454138343541433236383039324641284532
[ldap] sambaLmPassword -> LM-Password == 0x31453142303834334239323343314141443342354235313430333545
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user cjohnson authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
        expand: Great Success! -> Great Success!
Login OK: [cjohnson] (from client 192.168.1.55 port 0 cli 192.168.1.153) Great Success!
+- entering group post-auth {...}
++[exec] returns noop
} # server vpn
Sending Access-Accept of id 116 to 192.168.1.55 port 43210
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 116 with timestamp +23
Ready to process requests.

--CJ
Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
Hello All,

There are quite a few components coming into play here so I'm not exactly sure what's breaking where. Let me start with explaining our setup:

We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller. This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department.

This works perfectly fine with our Apple Laptops, iPhones, and iPads. However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID.

After some digging I found the following: When joining from the Apple devices, the User-Name comes across as

Tue Aug 10 17:13:03 2010
        User-Name = some...@somehwere.net

When joining from my Android, it comes across as:

Tue Aug 10 11:26:53 2010
        User-Name = 1fT6ESzC4Dbj9oIpiJjjfg==

(A few chars changed to prevent the username from being figured out)

This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.

Has anyone seen this before or have any leads I should follow?

Thanks!

-=Tom Donnelly
Re: Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
> When joining from my Android, it comes across as:
>
> Tue Aug 10 11:26:53 2010
>         User-Name = 1fT6ESzC4Dbj9oIpiJjjfg==
>
> (A few chars changed to prevent the username from being figured out)
>
> This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
>
> Has anyone seen this before or have any leads I should follow?

Do a promiscuous packet capture and verify the Outer Identity the Android phone is sending in the EAP-Identity-Response. If it matches the User-Name above then you've found your problem.

-Arran
Re: EAP-TLS and default user?!
Hi,

On 10.08.2010 22:20, Alan DeKok wrote:
> Lukas Haase wrote:
>> I searched a lot in the net and all I found was that the supplicant should be broken because it should send a username along.
>
> Yes. The supplicant is broken.

Thank you. Seems so. Windows is broken! ARGH! (Works with a different XP machine)

Regards,
Luke
[OT?] Systemwide authentication on Windows
Hi,

I think I have a simple question: Today I upgraded from WPA-PSK to WPA Enterprise and use PEAP-MSCHAPv2 for users (using logins) now, and I want to use EAP-TLS for machines.

How can I configure a WinXP machine such that login is *not* associated to a user but to the machine? As such, the WLAN connection should be established before logon (e.g. for roaming profiles). It just works with WPA-PSK..

I tried to add the client certificate for EAP-TLS to the computer certificate store. But the certificate is only found if it is in the user's store :-(

This can't be true?! There must be a way to connect the whole machine using a certificate (not just the current user), mustn't it?

Regards,
Luke
Re: Using postauth_users and Access-Reject
I have figured out where my mistake was. I needed to have the users file being used in the authorize section, but I shouldn't have had Auth-Type := Accept at the end of each line for the Groups, otherwise if the Auth-Type is set to Accept the authenticate section is never run through.

So now this is how I have my configuration:

In my sites-enabled/default:

authorize {
        # Update the Huntgroup-Name based on the Src IP Address LDAP object.
        update request {
                Huntgroup-Name := %{ldap:ldap:///ou=Elements,ou=Applications,o=Identities?l?sub?cn=%{Packet-Src-IP-Address}}
        }
        ldap
        files
}

authenticate {
        ldap
}

Then in my users file I have:

---
DEFAULT Huntgroup-Name == GRP1, Ldap-Group == cn=Generic,ou=Radius,ou=Applications,o=Identities
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15

DEFAULT Auth-Type := Reject
---

This way the auth-type is set to Reject if it doesn't match with any group. Then it runs through the authenticate section and checks the password for the user.

Works a treat!! If you want me to write a Wiki article for this I am more than happy to do so.

On Tue, Aug 10, 2010 at 10:18 AM, Peter Lambrechtsen plambrecht...@gmail.com wrote:
> On Mon, Aug 9, 2010 at 6:31 PM, Alan DeKok al...@deployingradius.com wrote:
>> Peter Lambrechtsen wrote:
>>> Using FreeRadius 2.1.7 and trying to get the postauth_users to return an access reject however it always seems to return either a noop or ok.
>>> ..
>>> And this is what is in my postauth_users file:
>>>
>>> DEFAULT Auth-Type := REJECT
>>>         Post-Auth-Type = Reject,
>>
>> Hmm... you are trying to change the *authentication* type to reject after the *authenticate* section has been executed. This won't work.
>
> Right, so this is my business use case and I think I have figured out the best way, but would love your input.
>
> 1) We have a centralised LDAP directory which holds all employees. We have an IDM solution which provisions employees into the LDAP directory based on their role as driven out of the HR system. This is a very robust and automated system which the team I look after maintains.
>
> 2) There are a lot of Network Elements (NASes) such as Routers, Telco DSLAMs and a raft of other devices used for both customers and employees to login. These need to be grouped into nas group types, so that we can AA customers and employees to permit them to login to those groups of devices. I am using Huntgroups to group the NASes together. This is driven out of LDAP. In my authorize section I have the following:
>
> authorize {
>         update request {
>                 Huntgroup-Name := %{ldap:ldap:///ou=Elements,ou=Applications,o=Identities?l?sub?cn=%{Packet-Src-IP-Address}}
>         }
>         ldap
> }
>
> This way I create Group objects as the IP address of the source NAS in the LDAP directory with a location or L attribute set to the Huntgroup-Name I want set. This works very effectively to set the Huntgroup name. I also have ldap so that the incoming account is also looked up to see if it exists.
>
> 3) We want to drive access to the elements using a user being a member of a certain LDAP group.
>
> 4) We want to make sure the username and password is correct for the user entered. So in the authenticate we have:
>
> authenticate {
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> 5) The NASes have a number of different profiles (admin, r/w, r/o etc) and each NAS group has a different group of VSAs they want back. So in the postauth_users file I have the following:
>
> DEFAULT Huntgroup-Name == NAS1, Ldap-Group == cn=admin,ou=Profiles,ou=Riverstone,ou=Applications,o=Identities, Auth-Type := Accept
>         Service-Type = Login-User,
>         Riverstone-User-Level = 15
>
> DEFAULT Huntgroup-Name == NAS1, Ldap-Group == cn=guest,ou=Profiles,ou=Riverstone,ou=Applications,o=Identities, Auth-Type := Accept
>         Service-Type = Login-User,
>         Riverstone-User-Level = 1
>
> DEFAULT Huntgroup-Name == NAS2, Ldap-Group == cn=admin,ou=Profiles,ou=Cisco,ou=Applications,o=Identities, Auth-Type := Accept
>         Service-Type = Login-User,
>         Cisco-AVPair = shell:priv-lvl=15
>
> And so on..
>
> The issue I had was if none of the Huntgroups matched to the user being a member of group x, I needed to return an access-reject. The only way I could achieve this was to add onto the end of the postauth_users file:
>
> DEFAULT Auth-Type := Reject
>         Reply-Message = Reject
>
> And in my post-auth section have:
>
> post-auth {
>         files
>         if (%{reply:Reply-Message} == Reject) {
>                 reject
>         }
> }
>
>>> Ideally I would assume if the Auth-Type := Reject then the return should be RLM_MODULE_REJECT.
>>
>> No. Setting Auth-Type := Reject is useful ONLY in the authorize section, *before* the authentication section has been run. It doesn't reject the user immediately. Instead, it tells the server to run the reject authentication method.
>
> So
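A small model of the authorize/authenticate flow this thread turns on, added here as an example (it is not the poster's configuration or FreeRADIUS code): the poster's first users-file variant (Auth-Type := Accept on the group line) is placed beside the final one, with a constructed two-user directory standing in for LDAP, so you can see why the first one accepts a wrong password and the second does not.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    """One DEFAULT line of the users file: check items, an optional
    'Auth-Type :=' control assignment, and the reply items."""
    checks: dict
    reply: dict = field(default_factory=dict)
    auth_type: Optional[str] = None


def authorize(entries, request, in_group):
    """rlm_files semantics (simplified): the first entry whose check items all
    match wins; there is no Fall-Through here. Ldap-Group is compared through
    the directory, the way rlm_ldap's groupcmp does it."""
    for entry in entries:
        matched = True
        for attr, want in entry.checks.items():
            if attr == "Ldap-Group":
                matched = in_group(request["User-Name"], want)
            else:
                matched = request.get(attr) == want
            if not matched:
                break
        if matched:
            return entry.auth_type, dict(entry.reply)
    return None, {}


def handle_access_request(entries, request, in_group, bind):
    """authorize -> Auth-Type decision -> authenticate, as Alan describes it."""
    auth_type, reply = authorize(entries, request, in_group)
    if auth_type == "Reject":
        return "Access-Reject", {}
    if auth_type == "Accept":
        # Forced Accept: the authenticate section never runs, so the password
        # is never checked. This is the trap the poster fell into.
        return "Access-Accept", reply
    # Otherwise Auth-Type LDAP (set by the ldap module when the user exists):
    # the authenticate section binds to the directory with the password.
    if bind(request["User-Name"], request["User-Password"]):
        return "Access-Accept", reply
    return "Access-Reject", {}


# --- constructed stand-in for the LDAP directory ----------------------------
GROUP_GENERIC = "cn=Generic,ou=Radius,ou=Applications,o=Identities"
DIRECTORY = {
    "alice": {"password": "correct horse", "groups": {GROUP_GENERIC}},
    "bob": {"password": "hunter2", "groups": set()},
}


def in_group(user, group):
    return group in DIRECTORY.get(user, {}).get("groups", set())


def bind(user, password):
    return DIRECTORY.get(user, {}).get("password") == password


CISCO_ADMIN = {"Service-Type": "Login-User", "Cisco-AVPair": "shell:priv-lvl=15"}

# Poster's first attempt: Auth-Type := Accept tacked onto the group line.
BROKEN = [
    Entry({"Huntgroup-Name": "GRP1", "Ldap-Group": GROUP_GENERIC}, CISCO_ADMIN, auth_type="Accept"),
    Entry({}, auth_type="Reject"),
]
# Final working config: the group line only supplies reply items and the
# catch-all DEFAULT at the end rejects everyone who matched nothing above.
FIXED = [
    Entry({"Huntgroup-Name": "GRP1", "Ldap-Group": GROUP_GENERIC}, CISCO_ADMIN),
    Entry({}, auth_type="Reject"),
]


def req(user, password, huntgroup="GRP1"):
    """Constructed Access-Request after the Huntgroup-Name update."""
    return {"User-Name": user, "User-Password": password, "Huntgroup-Name": huntgroup}


if __name__ == "__main__":
    for label, entries in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "alice/wrong password ->", handle_access_request(entries, req("alice", "nope"), in_group, bind)[0])
        print(label, "alice/right password ->", handle_access_request(entries, req("alice", "correct horse"), in_group, bind)[0])
        print(label, "bob (not in group)   ->", handle_access_request(entries, req("bob", "hunter2"), in_group, bind)[0])
```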
Re: Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
Thomas Donnelly wrote:
> When joining from my Android, it comes across as:
>
> Tue Aug 10 11:26:53 2010
>         User-Name = 1fT6ESzC4Dbj9oIpiJjjfg==

Arg. Base-64 encoded?

> (A few chars changed to prevent the username from being figured out)
>
> This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.

As *always*, run the server in debugging mode to see why.

> Has anyone seen this before or have any leads I should follow?

I haven't seen it before. The follow-up should be to go after the Android developers, and tell them this is a stupid idea.

Alan DeKok.
Re: PPTP auth vs samba-ldap, 691
Cory Johnson wrote:
> When I try to log into the VPN from a Windows client, I get the error message "Error 691: Access was denied because the user name and/or password was invalid on the domain.", but radius logs show Access-Accept.

You misconfigured the server, and broke it.

> My major difference is that I am using a LDAP backend which contains NT passwords (it is also the LDAP backend for my samba server).

It's not using the NT Passwords. See the debug log.

> Tried fiddling with mppe and encryption settings in the mschap module, but always get the same results.

The issue isn't the mschap module. It's elsewhere.

> freeradius -X debug below, as always any reply would be great.
>
> rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166
>         NAS-Identifier = pfsense.local
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = 192.168.1.153
>         User-Name = cjohnson
>         MS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
>         MS-CHAP2-Response = 0x0100991b81f3bbq3859d8qa75ae826662d869584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
...
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user

You have configured the server to *force* Auth-Type. Don't do that.

The Auth-Type := Accept forces the server to *not* do MS-CHAP authentication. The client sees that the required MS-CHAP data is missing from the response, and concludes that the server is broken, or lying to it.

Alan DeKok.
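The misconfiguration Alan points at can be spotted mechanically in a freeradius -X transcript. The checker below is an added example, not code from the thread or from FreeRADIUS: it splits the debug output into per-request records and flags any request that carried MS-CHAP attributes but was accepted through Auth-Type = Accept, i.e. without the mschap module ever running. The sample log is constructed: the first request is cut down from the transcript in this thread, the second is a made-up healthy run for contrast.

```python
import re
from dataclasses import dataclass, field

# Request attributes that show the NAS is running an MS-CHAP exchange. A client
# that sent these expects MS-CHAP2-Success (or MS-CHAP-Error) in the reply, and
# only the mschap module produces those.
MSCHAP_ATTRS = {"MS-CHAP-Response", "MS-CHAP2-Response"}

RAD_RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ATTR_LINE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9-]*) = ")  # attribute dump lines are indented
FOUND_AUTH = re.compile(r"Found Auth-Type = (\S+)")
SENDING = re.compile(r"Sending (Access-\w+) of id (\d+) to")


@dataclass
class Request:
    client: str
    rad_id: str
    attrs: set = field(default_factory=set)
    auth_type: str = None
    result: str = None


def parse_debug(text):
    """Split a freeradius -X transcript into one record per Access-Request."""
    requests, cur = [], None
    for line in text.splitlines():
        m = RAD_RECV.search(line)
        if m:
            cur = Request(client=m.group(1), rad_id=m.group(2))
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_LINE.match(line)
        if m:
            cur.attrs.add(m.group(1))
            continue
        m = FOUND_AUTH.search(line)
        if m:
            cur.auth_type = m.group(1)
            continue
        m = SENDING.search(line)
        if m and m.group(2) == cur.rad_id:
            cur.result = m.group(1)
    return requests


def forced_accept_findings(text):
    """One finding per request that carried MS-CHAP data but was accepted via a
    forced Auth-Type = Accept, so mschap never ran."""
    findings = []
    for req in parse_debug(text):
        if req.attrs & MSCHAP_ATTRS and req.auth_type == "Accept":
            findings.append({
                "id": req.rad_id,
                "client": req.client,
                "reason": "Auth-Type forced to Accept; mschap never ran, so the "
                          "Access-Accept carries no MS-CHAP2-Success and the "
                          "client treats the login as failed",
            })
    return findings


# Constructed sample log (see lead-in). Tabs mimic the indentation of -X output.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=116, length=166
\tNAS-Identifier = "pfsense.local"
\tUser-Name = "cjohnson"
\tMS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
\tMS-CHAP2-Response = 0x0100991b81f3bbq3859d8qa75ae826662d869584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
+- entering group authorize {...}
++[vpn] returns ok
++[ldap] returns ok
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Sending Access-Accept of id 116 to 192.168.1.55 port 43210
rad_recv: Access-Request packet from host 192.168.1.55 port 43210, id=117, length=166
\tUser-Name = "cjohnson"
\tMS-CHAP-Challenge = 0xbc4e68fb2822b769cef9f48f6420925f
\tMS-CHAP2-Response = 0x0100991b81f3bbq3859d8qa75ae826662d869584dde386742b71bc7c72fca79a678ebf1fee00b74a36e2
+- entering group authorize {...}
++[mschap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
++[mschap] returns ok
Sending Access-Accept of id 117 to 192.168.1.55 port 43210
"""

if __name__ == "__main__":
    for f in forced_accept_findings(SAMPLE_LOG):
        print(f"request {f['id']} from {f['client']}: {f['reason']}")
```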
Re: curious network problem
Antony King wrote:
> The 'live' server is a centos5.5 box. I've tried with the standard freeradius2 package (version 2.1.7) and a version compiled from SRPMS in case there was a problem with ttls in that version. The configuration was copied over from the test server, with new keys generated but otherwise unchanged.

Were the certs re-generated? They depend on the keys.

> Locally, it authenticates correctly, using the first of the two commands above. If I try and authenticate from a remote system (eg, a NAS or my test server), it refuses to do the ttls negotiation.

This is the kind of problem where I would suggest don't even try to debug it. Instead, follow the EAP howto on my web site (http://deployingradius.com). It will be faster and less work to re-create a working system, than to debug a broken one.

Alan DeKok.
Re: Using postauth_users and Access-Reject
Peter Lambrechtsen wrote:
> I have figured out where my mistake was. I needed to have the users file being used in the authorize section, but I shouldn't have had Auth-Type := Accept at the end of each line for the Groups, otherwise if the Auth-Type is set to Accept the authenticate section is never run through.

That's pretty much what I was trying to explain earlier. When you posted another config snippet that *didn't* follow my advice, I lost interest in the thread.

I have *no* idea why so many people insist on forcing Auth-Type. It causes problems in 99.9% of the situations, including this one.

Alan DeKok.
Re: LDAP group check on inner-tunnel.
Jason Fenner wrote:
> However, when I test PEAP using eapol_test authentication also works fine, but the ldap group checking occurs only on the outer-tunnel username. In this case, the outer tunnel is created using the username anonymous. This user doesn't exist in AD, so a failure is the response. In inner-tunnel post-auth I have this snippet:
>
> update outer.reply {
>         User-Name = %{request:User-Name}
> }

And go read the LDAP configuration. Is it looking for %{User-Name}, or %{reply:User-Name}?

> My understanding was that this should copy the real username from the inner tunnel to the outer tunnel.

To the *reply* list. That's what you said. You've read enough of the documentation to explicitly reference the request list above, so you know it's different from the reply or outer.reply list. Now go apply that knowledge further.

> This should then allow ldap groupcheck to test the correct username.

No.

> I never see a ldap check on the inner tunnel at all.

Because you didn't configure ldap in the raddb/sites-available/inner-tunnel virtual server. This is documented.

> I see this strange output in debug in relation to the snippet above:
> ..
> I would think that outer.reply should return ok or something other than noop.

No. It returns noop for some esoteric reasons. But that's a distraction, and not the source of the real problem.

Alan DeKok.
Re: [OT?] Systemwide authentication on Windows
Lukas Haase wrote:
> I think I have a simple question: Today I upgraded from WPA-PSK to WPA Enterprise and use PEAP-MSCHAPv2 for users (using logins) now and I want to use EAP-TLS for machines.
> ..
> I tried to add the client certificate for EAP-TLS to the computer certificate store. But the certificate is only found if it is in the user's store :-(

This is really a Windows question.

> This can't be true?! There must be a way to connect the whole machine using a certificate (not just the current user), mustn't it?

There is a way. Windows usually auto-provisions machine certificates via Active Directory. See the Windows documentation for more details.

Alan DeKok.
Re: Using postauth_users and Access-Reject
On Wed, Aug 11, 2010 at 12:40 PM, Alan DeKok al...@deployingradius.com wrote:
> Peter Lambrechtsen wrote:
>> I have figured out where my mistake was. I needed to have the users file being used in the authorize section, but I shouldn't have had Auth-Type := Accept at the end of each line for the Groups, otherwise if the Auth-Type is set to Accept the authenticate section is never run through.
>
> That's pretty much what I was trying to explain earlier. When you posted another config snippet that *didn't* follow my advice, I lost interest in the thread.

Fair enough, you do get a lot of silly setup questions which you answer most of the time ;)

> I have *no* idea why so many people insist on forcing Auth-Type. It causes problems in 99.9% of the situations, including this one.

Understood, I had just taken examples off the internet about how to setup LDAP Auth, which were very misleading by having the Auth-Type being set, which caused all of my issues in the first place.

My offer still stands to write up a wiki entry for this, as it seems to be quite a common question and use case that could be answered with a wiki entry.
Re: [OT?] Systemwide authentication on Windows
Hi,

Thank you for your reply!

On 11.08.2010 02:46, Alan DeKok wrote:
> Lukas Haase wrote:
>> [...]
>
> This is really a Windows question.

Yes, I was not sure, that is why I set [OT?]...

>> This can't be true?! There must be a way to connect the whole machine using a certificate (not just the current user), mustn't it?
>
> There is a way. Windows usually auto-provisions machine certificates via Active Directory.

I am not sure if this is really required for EAP-TLS. After searching for all possible keywords I think I have found the correct term: Machine authentication. Unfortunately there is really very little information on this issue. I found some posts on this list but none did help. Here is one:

http://lists.cistron.nl/pipermail/freeradius-users/2006-May/msg00810.html

I think it has just something to do with the certificates: I need to set special stuff for a machine certificate. Here is what I did:

* Set extendedKeyUsage = 1.3.6.1.5.5.7.3.2
* Set CN to computername (also tried computername.fqdn)
* Set E-Mail address to computername (also tried computername.fqdn)
* Signed with root cert
* Imported this (including the CA root cert) with mmc into the certificate store for local computer
* Double clicking the certificate seems that everything is correct

But when I want to connect I just get something like "Could not login onto the network because no certificate found" (Es wurde kein Zertifikat gefunden, um Sie am Netzwerk anzumelden).

What else could be missing?

Regards,
Luke
RE: Suffix authentication
I have found a working solution for my environment and wanted to share it with the list in case it may help someone else.

In my proxy.conf file I added the following:

--
realm domainName1 {
}

realm domainName2 {
}
--

That fixed my realm problem, not sure why...

We use Microsoft AD and ntlm_auth for authenticating our users through MSCHAPv2 tunneled through a peap session. I have 2 domains, one is a child of the other. The FreeRADIUS server is joined to the parent domain so it can authenticate users from both domains, but passing the correct domain for the user request was a bugger!

In the end what I got to work was modifying the ntlm_auth statement at the bottom of the mschap module to be the following:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

*** --domain=%{outer.request:Realm} was the key, now the realm of the request is passed to the ntlm_auth script perfectly and the user is authenticated like we all love them to be : )

This does seem to break the domain\username style of logging in though ... but due to time constraints this will have to do for now.

Thanks to everyone who helped out, especially Alan. Thank you.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 10, 2010 3:42 PM
To: FreeRadius users mailing list
Subject: Re: Suffix authentication

Sallee, Stephen (Jake) wrote:
> Quickly, my problem is users cannot log in using usern...@domain but can login fine with domain\username.

So... what is different in the debug log between the two requests?

> One person mentioned the realms module, but when I look at it the default conf looks fine. The delimiter is correctly set to '@'. I tried adding my domains to the realm module by copying the default suffix config and using my domain info but that causes FR to fail its sanity check.

Because you made some random change without understanding how the server works, or reading the documentation.

> I am using MSCHAPv2 with PEAP authentication and when the user fails the logon with usern...@domain the ntlm_auth program reports a bad password even though the same user will have no problem with domain\username. Also, the FR wiki says the realms file is deprecated ... so what am I supposed to do?

Read proxy.conf. It defines the realm names. The realms module just searches the User-Name in various ways (suffix, prefix, ntdomain), and then sees if there is a matching realm.

> What would be really great would be a script I could use to determine the domain of the user BEFORE they reach ntlm_auth so I can prepopulate the command with the correct domain and just forget this suffix stuff : ) I think the best place for this would be in the mschap module but what is the language? Would it be unlang or regular bash scripting?

The default config documents how to define realms.

Alan DeKok.
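The realm handling behind the fix above, as an added example (not FreeRADIUS code and not the poster's configuration): it mirrors what the realm module does for the suffix (user@realm) and ntdomain (DOMAIN\user) formats, looking the realm up case-insensitively against the realms defined in proxy.conf, and then builds the argument list the poster's ntlm_auth line expands to, with --domain taken from the matched Realm. It goes one step past the thread by also handling the DOMAIN\user form that the poster's setup breaks. The realm names are the thread's placeholders and the fallback domain PARENTDOMAIN is an assumption of this demo.

```python
from dataclasses import dataclass
from typing import Optional

# Stand-ins for the two "realm ... { }" blocks added to proxy.conf. The lookup
# is case-insensitive, as the server's realm lookup is, and yields the
# configured spelling, which is what ends up in the Realm attribute.
CONFIGURED_REALMS = {name.lower(): name for name in ("domainName1", "domainName2")}


@dataclass(frozen=True)
class RealmResult:
    user_name: str                      # User-Name exactly as received
    stripped_user_name: Optional[str]   # Stripped-User-Name, None when no realm matched
    realm: Optional[str]                # Realm (configured spelling), None when no realm matched
    fmt: Optional[str]                  # "suffix", "ntdomain" or None


def split_realm(user_name: str, realms=CONFIGURED_REALMS) -> RealmResult:
    """Emulate the realm module: suffix format (user@realm, split at the last
    '@') first, then ntdomain format (REALM\\user). An unknown realm leaves the
    request untouched, which is the "No such realm" noop in the debug output,
    so the caller falls back to the bare User-Name."""
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        if user and realm.lower() in realms:
            return RealmResult(user_name, user, realms[realm.lower()], "suffix")
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        if user and realm.lower() in realms:
            return RealmResult(user_name, user, realms[realm.lower()], "ntdomain")
    return RealmResult(user_name, None, None, None)


def ntlm_auth_argv(result: RealmResult, challenge_hex: str, nt_response_hex: str,
                   default_domain: str = "PARENTDOMAIN") -> list:
    """Build the argv the poster's mschap 'ntlm_auth = ...' line expands to:

      %{%{Stripped-User-Name}:-%{User-Name:-None}}  -> stripped name, else User-Name, else None
      %{outer.request:Realm}                        -> the Realm matched above
      %{mschap:Challenge:-00}, %{mschap:NT-Response:-00} -> MS-CHAP data, 00 when absent

    default_domain is this demo's addition (an assumption): requests with no
    matched realm still get a --domain instead of the empty value the poster's
    line would pass through."""
    username = result.stripped_user_name or result.user_name or "None"
    domain = result.realm or default_domain
    return [
        "/usr/bin/ntlm_auth", "--request-nt-key",
        f"--username={username}",
        f"--domain={domain}",
        f"--challenge={challenge_hex or '00'}",
        f"--nt-response={nt_response_hex or '00'}",
    ]


if __name__ == "__main__":
    # Constructed logins: the three forms discussed in the thread.
    for login in ("jake@domainName1", "DOMAINNAME2\\jake", "jake@other.example"):
        res = split_realm(login)
        print(login, "->", res.fmt, res.stripped_user_name, res.realm)
        print("   ", " ".join(ntlm_auth_argv(res, "bc4e68fb", "0100")))
```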
Re: Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
--On 10 August 2010 17:24 -0500 Thomas Donnelly tad1...@gmail.com wrote:
> Hello All,
>
> There are quite a few components coming into play here so I'm not exactly sure what's breaking where. Let me start with explaining our setup:
>
> We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller. This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department.
>
> This works perfectly fine with our Apple Laptops, iPhones, and iPads. However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID.
>
> After some digging I found the following: When joining from the Apple devices, the User-Name comes across as
>
> Tue Aug 10 17:13:03 2010
>         User-Name = some...@somehwere.net
>
> When joining from my Android, it comes across as:
>
> Tue Aug 10 11:26:53 2010
>         User-Name = 1fT6ESzC4Dbj9oIpiJjjfg==
>
> (A few chars changed to prevent the username from being figured out)
>
> This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
>
> Has anyone seen this before or have any leads I should follow?

Hi Tom,

Several small devices (phones etc) send a string such as above as the *outer* user-name - if you don't like this you need to re-config the device where possible [1].

More importantly, it seems you might be deciding VLAN based on the outer user-name in the request - this is bad (arbitrarily spoofable). You should use the EAP inner user-name.

* Upgrading to 2.1.x will make the inner/outer sessions much easier to configure and verify.
* Running radiusd -X [post here] will confirm if this is the problem.

[1] Maemo: After configuring, you need to click the Advanced-settings button, change to the EAP page, select 'Use manual user name' and enter whatever you want in the box. (http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies)

Regards,
James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--