Freeradius Authentication

2010-08-12 Thread rrperez

I have configured FreeRADIUS 2.1.7 with an OpenLDAP backend and I'm planning
to establish a different type of authentication.

The plan is to create one password for all the users, and the users are
checked by FreeRADIUS in the OpenLDAP directory.

Is it possible? If so, can anyone help me configure my FreeRADIUS server?

Thanks in advance.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SqlCounter reload after initial authentication

2010-08-12 Thread tadiguy

I'm using FreeRADIUS + ChilliSpot + MySQL for a hotspot. The sqlcounter
noresetcounter instance works fine for prepaid access time; however, the
counter is loaded only once, when the user first authenticates.
This means that even if Max-All-Session changes after the initial logon (as
happens when the user adds more credit), the user's session is still
terminated at the end of the initial countdown.
How can I force the FreeRADIUS sqlcounter to reload and begin counting down
when Max-All-Session is updated after the initial authentication? If this is
not possible, any workaround or hack to accomplish this behaviour will be
greatly appreciated.
Thanks.


Re: Last call for 2.1.10

2010-08-12 Thread Stefan Winter

 Hi,

I've just tried to compile with my usual set of configure flags, and got:

/usr/bin/libtool --mode=link gcc   -o radeapclient radeapclient.lo 
libeap/libfreeradius-eap.la -lnsl -lresolv  -lpthread -lcrypto -lssl 
-lcrypto
libtool: link: gcc -o .libs/radeapclient .libs/radeapclient.o  
libeap/.libs/libfreeradius-eap.so 
/root/freeradius-server-2.1.10-pre/src/lib/.libs/libfreeradius-radius.so 
-lnsl -lresolv -lpthread -lssl -lcrypto  -Wl,-rpath 
-Wl,/usr/local/freeradius/2.1.10-pre/lib

libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory 
`/root/freeradius-server-2.1.10-pre/src/modules/rlm_eap'


in the middle of the build. System is openSUSE 11.1 32-Bit, gcc version 
4.3.2 [gcc-4_3-branch revision 141291] (SUSE Linux)


My configure flags are:

./configure  --sysconfdir=/usr/local/freeradius/config/ 
--prefix=/usr/local/freeradius/2.1.10-pre --with-system-libtool


Changing these to use built-in libtool does not change anything:

 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE 
-g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/root/freeradius-server-2.1.10-pre/src -Ilibeap -c radeapclient.c -o 
radeapclient.o >/dev/null 2>&1
/root/freeradius-server-2.1.10-pre/libtool --mode=link gcc   -o 
radeapclient radeapclient.lo libeap/libfreeradius-eap.la -lnsl -lresolv  
-lpthread -lcrypto -lssl -lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o  
libeap/.libs/libfreeradius-eap.so -lssl -lcrypto -lnsl -lresolv 
-lpthread  -Wl,--rpath -Wl,/usr/local/freeradius/2.1.10-pre/lib

libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory 
`/root/freeradius-server-2.1.10-pre/src/modules/rlm_eap'


Greetings,

Stefan Winter


On 08.08.2010 23:14, Alan DeKok wrote:

   Version 2.1.10 should be released soon.  If there are any pressing
issues people would like to get addressed, now is the time to speak up.

   The proposed change log is available online at:

http://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/ChangeLog

   There are a number of feature improvements in what's supposed to be a
stable release.  These improvements are limited to documentation
updates, and changes to the client programs to make them easier to use.

   The main benefit most people should see is that radclient and radtest
now make it easier to send MS-CHAP requests.  The server now also
listens on 127.0.0.1:18120 for the inner-tunnel virtual server.

   These two changes mean that the inner-tunnel portion of PEAP can be
tested using nothing more than radtest and a default server installation.
  This should help people debug PEAP issues.  i.e. They can avoid the
issue of "but it works with radtest", when their passwords aren't
compatible with MS-CHAP.

   The only major thing missing now is a DHCP pool allocation strategy.
   There's been more interest recently in using FreeRADIUS as a DHCP
server, so patches to help would be most welcome.

   Alan DeKok.



--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Why can't the authhost or accthost item's value in realm NULL be a home_server_pool in proxy.conf?

2010-08-12 Thread freddychu
Hi,

I want to proxy requests whose User-Name has no realm domain to a home
server pool, so I configured the realm NULL, but the RADIUS server proxies
the request to a nonexistent IP address. Why can't the authhost or
accthost item's value in realm NULL be a home_server_pool in
proxy.conf? How do I configure it?

   Can anybody help me?

 

#realm NULL {
#   authhost= radius.company.com:1600
#   accthost= radius.company.com:1601
#   secret  = testing123
#}

 

Freddy Chu

 

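As an added example (not from the thread or the FreeRADIUS project's own files), here is the proxy.conf form that attaches realm NULL to a pool in 2.x. The authhost/accthost keys are the old 1.x-style realm syntax and can only name a single host; a pool is referenced with auth_pool and acct_pool, and each pool member is a home_server block. The server names, the IP address and the shared secret below are assumptions modelled on the post.

```conf
# proxy.conf (FreeRADIUS 2.x).  Added example; names, the IP address and the
# secret are placeholders and must be replaced.

home_server company-auth {
        type    = auth
        ipaddr  = 192.0.2.10            # assumed address for radius.company.com
        port    = 1600                  # non-standard auth port from the post
        secret  = testing123            # placeholder; use a long random secret per home server

        # Fail-over only helps if dead servers are detected.  Status-Server
        # probes are cheaper and safer than marking a server dead on timeouts.
        status_check         = status-server
        check_interval       = 30
        num_answers_to_alive = 3
        response_window      = 20
        zombie_period        = 40
}

home_server company-acct {
        type    = acct
        ipaddr  = 192.0.2.10
        port    = 1601
        secret  = testing123
        status_check = status-server
}

home_server_pool company-auth-pool {
        type        = fail-over
        home_server = company-auth
        # add further home_server lines; fail-over tries them in order
}

home_server_pool company-acct-pool {
        type        = fail-over
        home_server = company-acct
}

# The "suffix" module in authorize assigns realm NULL to a User-Name that has
# no "@domain".  Only the 2.x keys below accept a pool name.
realm NULL {
        auth_pool = company-auth-pool
        acct_pool = company-acct-pool
}
```

Run the server with radiusd -X and send a request with radtest; the debug output names the home server the request is proxied to. Because a NULL realm is a catch-all, every user without a realm is forwarded, so keep the pool members' secrets distinct and confirm that the home server lists this proxy in its clients.conf before relying on the fail-over.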

Re: Last call for 2.1.10

2010-08-12 Thread Johan Meiring

On 2010/08/12 09:36 AM, Stefan Winter wrote:

/root/freeradius-server-2.1.10-pre/src/lib/.libs/libfreeradius-radius.so
-lnsl -lresolv -lpthread -lssl -lcrypto -Wl,-rpath
-Wl,/usr/local/freeradius/2.1.10-pre/lib
libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Fehler 1
gmake[6]: Leaving directory
`/root/freeradius-server-2.1.10-pre/src/modules/rlm_eap'



Hi,

Debian Lenny.

1) Please remember to update debian/changelog to 2.1.10

2) Same compile error:

gcc -o .libs/radeapclient .libs/radeapclient.o 
libeap/.libs/libfreeradius-eap.so -lnsl -lresolv -lpthread -lssl -lcrypto 
-Wl,--rpath -Wl,/usr/lib/freeradius

libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'
collect2: ld returned 1 exit status
make[7]: *** [radeapclient] Error 1
make[7]: Leaving directory 
`/usr/src/freeradius-2.1.10-git/freeradius-server/src/modules/rlm_eap'

make[6]: *** [rlm_eap] Error 2



Cheers,



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: FreeRadius and Redundant LDAP Problems

2010-08-12 Thread Alan Buxey
Hi,
 I apologize for the inconvenience of sending the configuration files.  I 
 thought sending more detail would help :-).  The below steps you provided 
 still didn't work and ended with the same problem.  Again I apologize.

radiusd -X ?


we cannot help without this information


alan


Re: Last call for 2.1.10

2010-08-12 Thread Alan DeKok
Stefan Winter wrote:
 libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'

  This was noted the other day.  I committed a fix, and just pushed it
back to the git repositories.

  Alan DeKok.


Re: Freeradius Authentication

2010-08-12 Thread Alan DeKok
rrperez wrote:
 I have configured a Freeradius2.1.7 with an openLDAP backend and I'm planning
 to established a different type of authentication.
 
 The plan was to create one password for all the users. And the users are
 checked by the Freeradius in the openLDAP directory.
 
 Is it possible? If so, can anyone help me configure my freeradius server.

  Read doc/rlm_ldap.  See raddb/modules/ldap, and look for ldap in
raddb/sites-available/default

  Alan DeKok.


Is Mikrotik-Rate-Limit used to limit users speed

2010-08-12 Thread Spacelee
PPTP+PPP+FreeRadius+MySQL
It seems it doesn't work.

-- 
Spacelee

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Alan DeKok
Theparanoidone Theparanoidone wrote:
 We are working on a patch.

  Good, thanks.

 We're of the opinion that Apple's version rlm_mschap / opendir included 
 with freeradius is missing something.
 
 It appears they were only considering someone entering a failed 
 login/password combo... not a user with a password reset or an expired 
 password.  Here is the line from opendir.c:

  Pretty much, yes.  Expired passwords, or password resets are failed
logins, just like incorrect passwords.

 ==
 if (status != eDSNoErr)
 {
         errno = EACCES;
         radlog(L_ERR, "rlm_mschap: authentication failed %d", status); /* <-- returns -14091 (eDSAuthMethodNotSupported) -14090 */
         return RLM_MODULE_REJECT;
 }
 ==
 
 The comment provided makes it seem like they only expected error -14090...

  So?  It's a comment.  It doesn't affect the way that the code operates.

 -14090: eDSAuthFailed
 0: eDSNoErr
 
 But what about?
 
 -14161: eDSAuthNewPasswordRequired
 -14162: eDSAuthPasswordExpired

  They all fall into the same class: failed authentication.

 
 Possible solutions:
 ---
 Solution 1) Edit the opendir.c module to simply detect error status -14161
 and -14162, and set the status to 0 instead.

  Absolutely not.  Expired passwords are *not* OK.

 Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to
 override the failed login and force the response to Auth-Accept.  Perhaps
 some pseudo conf code that says: if reject-message == -14162 ||
 reject-message == -14161 ... then ok, update auth-type := accept

  No.  That's just as bad.

 (PS... looks like this has been an issue for a while??? We are new to
 FreeRADIUS... but I found your post here:
 http://www.opensubscriber.com/message/freeradius-de...@lists.freeradius.org/5906511.html
 from 3 years ago ... are we the only few interested in port security and a
 password policy?)

  Nonsense.  That is not a good conclusion.

  The real reason is that very few people do password changes via
MS-CHAP.  Most people do it via Active Directory, LDAP, web pages, etc.

  Alan DeKok.


Re: ldap fallback to local password

2010-08-12 Thread Alan DeKok
Aqdas Muneer wrote:
 I would like to configure FreeRADIUS so that it can fail over to a local
 password when the LDAP server cannot be contacted. I was able to create
 an admin account in the users file with a cleartext password, but when I
 enable it, it becomes accessible even when LDAP is up and running. We
 are running version 2.1.7 of FreeRADIUS.

  Read man unlang.  Configure a section to do something if the ldap
module returns fail.

  Alan DeKok.


Re: SqlCounter reload after initial authentication

2010-08-12 Thread Alan DeKok
tadi...@verizon.net wrote:
 I'm using FreeRADIUS + ChilliSpot + MySQL for a hotspot. The sqlcounter
 noresetcounter instance works fine for prepaid access time; however, the
 counter is loaded only once, when the user first authenticates.
 This means that even if Max-All-Session changes after the initial logon (as
 happens when the user adds more credit), the user's session is still
 terminated at the end of the initial countdown.
 How can I force the FreeRADIUS sqlcounter to reload and begin counting down
 when Max-All-Session is updated after the initial authentication? If this is
 not possible, any workaround or hack to accomplish this behaviour will be
 greatly appreciated.

  You can't.  The SQL counter module returns a Session-Timeout attribute
to the NAS, and the *NAS* is the one enforcing the session length.  If
you update the database, the NAS doesn't know this, and still enforces
the session length.

  Read the NAS documentation to see how it can extend existing sessions.
 If the documentation doesn't describe how to do it, it's impossible.

  And it's *not* a FreeRADIUS issue.

  Alan DeKok.


Re: Vendor Specific Attributes

2010-08-12 Thread Alan DeKok
Latha Krishnamurthi wrote:
 Is there a way to add vendor specific attributes to the RADIUS response
 without adding the vendor to the dictionary.

  What's so hard about adding a dictionary entry for the attribute?

  Alan DeKok.


Re: Last call for 2.1.10

2010-08-12 Thread Johan Meiring

On 2010/08/12 10:02 AM, Alan DeKok wrote:

Stefan Winter wrote:

libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake'


   This was noted the other day.  I committed a fix, and just pushed it
back to the git repositories.



I can confirm that it compiles on Debian Lenny now.
Not tested it though.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Last call for 2.1.10

2010-08-12 Thread Stefan Winter

 Hi,


   This was noted the other day.  I committed a fix, and just pushed it
back to the git repositories.


Thanks. Re-pulled, compiled, installed, works with test requests.

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: LDAP Check Item Issue

2010-08-12 Thread Asin Silva
I got this solved.
The attribute to be compared was added to ldap.attrmap as a checkItem.

Kept compare_check_items as no in modules/ldap:
compare_check_items = no

Created a checkval module to do the comparison.

Then the problem was no more. When I have compare_check_items = yes in
modules/ldap it always gave me "Pairs do not match". Nevertheless the
problem is now solved. Thanks for the support.

On Wed, Aug 11, 2010 at 2:12 PM, Alan DeKok al...@deployingradius.com wrote:

 Asin Silva wrote:
  I use freeradius version 2.1.3 and LDAP to authenticate ADSL users. I
  have a requirement to compare the NAS-Port-Id in the user request to the
  one in the LDAP. But when I test it, radius debug output says Pairs do
  not match. Rejecting user.. But the values in the request and LDAP are
  same.

   I'm not sure what's going on.  Try it with the users file.

  Alan DeKok.


Re: ldap fallback to local password

2010-08-12 Thread Aqdas Muneer
So I tried it with a condition and still the devices are accessible with the
local account even if LDAP is running. So basically I can log in to routers
either using my AD account or the local account in the users file. How can I
restrict this behaviour to LDAP failure only? Below is my if statement in the
'default' file and the 'users' file config.

ldap
if (fail) {
        files
}

DEFAULT Huntgroup-Name == network-admin, Ldap-Group == networkadmins
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15",
#       Auth-Type := LDAP

#admin  Huntgroup-Name == network-admin, Cleartext-Password :=

admin   Cleartext-Password :=
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

DEFAULT Auth-Type := Reject
        Reply-Message := "Access Denied. Your attempt has been logged."

On Thu, Aug 12, 2010 at 4:34 AM, Alan DeKok al...@deployingradius.com wrote:

 Aqdas Muneer wrote:
  I would like to configure FreeRADIUS so that it can fail over to a local
  password when the LDAP server cannot be contacted. I was able to create
  an admin account in the users file with a cleartext password, but when I
  enable it, it becomes accessible even when LDAP is up and running. We
  are running version 2.1.7 of FreeRADIUS.

   Read man unlang.  Configure a section to do something if the ldap
 module returns fail.

  Alan DeKok.

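A configuration that does what Alan describes, added here as an example (it is not from the thread or the project). The reason the local account stays usable while LDAP is up is that rlm_files evaluates every entry in raddb/users each time it is called, so the admin entry has to be guarded by something that only exists when the ldap module returned fail. The Huntgroup-Name, Service-Type and cisco-avpair values are those from the post above; the password and the "ldap-down" marker value are placeholders.

```conf
# raddb/sites-available/default, authorize section (FreeRADIUS 2.1.x).
# Added example.  "files" must run AFTER ldap here so that it can see the
# marker attribute set in the fail branch.
authorize {
        preprocess
        suffix

        # A "fail" return normally stops the section.  Giving it a numeric
        # priority lets processing continue so the next statement can test it.
        ldap {
                fail = 1
        }

        if (fail) {
                # LDAP unreachable or bind failed: leave a marker that the
                # users-file entry below can test.  Tmp-String-0 is a stock
                # internal attribute from dictionary.freeradius.internal.
                update request {
                        Tmp-String-0 := "ldap-down"
                }
        }

        files
        expiration
        logintime
        pap
}

# raddb/users (rlm_files).  Entries are tried in order; the first match
# without Fall-Through wins.
#
# 1. Normal case: user is in LDAP and in the admin group.  Ldap-Group calls
#    the ldap module; while LDAP is down the comparison simply does not match.
DEFAULT Huntgroup-Name == "network-admin", Ldap-Group == "networkadmins"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

# 2. Break-glass account: matches ONLY if the marker was set above, i.e. only
#    while LDAP is unreachable, and only from the network-admin huntgroup.
#    Placeholder password; keep this file mode 0640 and rotate the secret.
admin   Huntgroup-Name == "network-admin", Tmp-String-0 == "ldap-down", Cleartext-Password := "replace-with-a-long-random-password"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

# 3. Everyone else, including "admin" while LDAP is up.
DEFAULT Auth-Type := Reject
        Reply-Message = "Access Denied. Your attempt has been logged."
```

Test both states under radiusd -X: with the LDAP server reachable, a request for admin should fall through to the Reject entry; with the LDAP port blocked, the debug output should show the ldap module returning fail and the users file matching the admin entry. Because the break-glass password is a standing credential, log its use (the Post-Auth-Type sections already run) and rotate it after every LDAP outage in which it was used.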

Re: FreeRadius + Cisco VPDN with multiple VRFs not working

2010-08-12 Thread John Dennis

On 08/12/2010 11:01 AM, Jasper Jans wrote:

Freeradius v1.1.3 (default that ships with CentOS 5.5) using MySQL as an
backend.


freeradius 2.1.7 ships with RHEL 5.5 under the package name freeradius2.
--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Theparanoidone Theparanoidone
Greetings Alan~

 
 Possible solutions:
 ---
 Solution 1) Edit the opendir.c module to simply detect error status -14161
 and -14162, and set the status to 0 instead.

  Absolutely not.  Expired passwords are *not* OK.

 Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to
 override the failed login and force the response to Auth-Accept.  Perhaps
 some pseudo conf code that says: if reject-message == -14162 ||
 reject-message == -14161 ... then ok, update auth-type := accept

  No.  That's just as bad.

  The real reason is that very few people do password changes via
 MS-CHAP.  Most people do it via Active Directory, LDAP, web pages, etc.



We are more than happy to perform the password change via LDAP (or Apple's
Open Directory)... however, the client computer is unable to connect to the
network if it receives a failed authentication in the first step of 802.1X
port security.  In other words, the switch does not unlock the port until you
successfully authenticate, and therefore it appears the client login screen
doesn't know how to handle this case and is unable to display a password update
screen or communicate on the network.  Am I missing some configuration to allow
LDAP to take over?

I agree that expired passwords are bad, but in the case where the client
computer is completely blocked out due to a routine password expiration...
perhaps a configuration option to allow expired passwords and password resets
is acceptable, should a sysadmin choose to override this setting simply for
RADIUS.  After all, there is only one password that will allow a user to unlock
their account to update their old password... i.e. the user must present their
old password one more time (which means technically the old password is still
valid/good for one last task: updating the user password).

Understanding the security risks... is there an example of
setting Post-Auth-Type REJECT {...} to override the reject and force the response
to Auth-Accept?  I've tried a number of combinations in the default virtual
terminal (as another post said it is not processed in the inner tunnel), but I
have been unable to get it to work.  Any examples?

Thank you!


  


RE: Is Mikrotik-Rate-Limit used to limit users speed

2010-08-12 Thread Ben Wiechman
We use this every day for wifi hotspots off a Mikrotik. It works without 
issues. 

 

From: Spacelee
Sent: Thursday, August 12, 2010 3:30 AM
To: FreeRadius users mailing list
Subject: Is Mikrotik-Rate-Limit used to limit users speed

 

PPTP+PPP+FreeRadius+MySQL

It seems it doesn't work.

-- 
Spacelee


Re: Vendor Specific Attributes

2010-08-12 Thread Latha Krishnamurthi
 
Thanks for the prompt reply. I can definitely do that, not an issue. I have a
module running in FreeRADIUS.

Assuming my module already handles delivering vendor-specific attributes in the
RADIUS response (these are available to me through some shared memory) and
tomorrow there is a new vendor, then can I do it without releasing new code?
 
Thanks,
Latha.

--- On Thu, 8/12/10, Alan DeKok al...@deployingradius.com wrote:




Latha Krishnamurthi wrote:
 Is there a way to add vendor specific attributes to the RADIUS response
 without adding the vendor to the dictionary.

  What's so hard about adding a dictionary entry for the attribute?

  Alan DeKok.




issues when compiling freeradius 2.1.9 on solaris 10 x86

2010-08-12 Thread maximatt
Hi,

I am trying to compile FreeRADIUS 2.1.9 on Solaris 10, but I have some
problems.

I installed from freeware the following packages: gcc-3.4.6-sol10-x86-local
and libiconv-1.13.1-sol10-x86-local.gz,

and then I tried to just do a simple compilation.

# PATH=/usr/local/bin/:/usr/sfw/bin/:$PATH; export PATH
# CC=gcc ./configure
# gmake
.
.
/Desktop/freeRadius/tmp/freeradius-server-2.1.9/libtool --mode=link gcc
-release 2.1.9 \
 -export-dynamic -o libfreeradius-radius.la -rpath /usr/local/lib dict.lo
filters.lo hash.lo hmac.lo hmacsha1.lo isaac.lo log.lo misc.lo missing.lo
md4.lo md5.lo print.lo radius.lo rbtree.lo sha1.lo snprintf.lo strlcat.lo
strlcpy.lo token.lo udpfromto.lo valuepair.lo fifo.lo packet.lo event.lo
getaddrinfo.lo vqp.lo heap.lo dhcp.lo
gcc -shared -Wl,-h -Wl,libfreeradius-radius-2.1.9.so -o .libs/
libfreeradius-radius-2.1.9.so  .libs/dict.o .libs/filters.o .libs/hash.o
.libs/hmac.o .libs/hmacsha1.o .libs/isaac.o .libs/log.o .libs/misc.o
.libs/missing.o .libs/md4.o .libs/md5.o .libs/print.o .libs/radius.o
.libs/rbtree.o .libs/sha1.o .libs/snprintf.o .libs/strlcat.o .libs/strlcpy.o
.libs/token.o .libs/udpfromto.o .libs/valuepair.o .libs/fifo.o
.libs/packet.o .libs/event.o .libs/getaddrinfo.o .libs/vqp.o .libs/heap.o
.libs/dhcp.o  -lc
(cd .libs  rm -f libfreeradius-radius.so  ln -s
libfreeradius-radius-2.1.9.so libfreeradius-radius.so)
false cru .libs/libfreeradius-radius.a  dict.o filters.o hash.o hmac.o
hmacsha1.o isaac.o log.o misc.o missing.o md4.o md5.o print.o radius.o
rbtree.o sha1.o snprintf.o strlcat.o strlcpy.o token.o udpfromto.o
valuepair.o fifo.o packet.o event.o getaddrinfo.o vqp.o heap.o dhcp.o
gmake[4]: *** [libfreeradius-radius.la] Error 1
gmake[4]: Leaving directory
`/Desktop/freeRadius/tmp/freeradius-server-2.1.9/src/lib'
gmake[3]: *** [lib] Error 2
gmake[3]: Leaving directory
`/Desktop/freeRadius/tmp/freeradius-server-2.1.9/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory
`/Desktop/freeRadius/tmp/freeradius-server-2.1.9/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory
`/Desktop/freeRadius/tmp/freeradius-server-2.1.9'
gmake: *** [all] Error 2


What could have happened?

thanks

-- 
*Salu2 ;)*

Freeradius 2.1.9 stop working

2010-08-12 Thread BELLIERE Eric
OK, fine. We made an RPM from the Git source and the RADIUS server is no longer
crashing, so bug #34 seems to be resolved.

Thanks,

Eric B.

-----Original Message-----
From: freeradius-users-requ...@lists.freeradius.org
Sent: Thursday 5 August 2010 12:00
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 64, Issue 18

Today's Topics:

   1. Re: Fwd: FreeRadius2MySQL (Alan Buxey)
   2. Re: Freeradius 2.1.9 stop working (Alan Buxey)
   3. Re: Freeradius 2.1.9 stop working (Johan Meiring)


--

Message: 1
Date: Thu, 5 Aug 2010 10:02:53 +0100
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: Fwd: FreeRadius2MySQL
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 20100805090253.ga20...@lboro.ac.uk
Content-Type: text/plain; charset=us-ascii

Hi,

 Can you please provide me with the link of document you talk about ,

http://wiki.freeradius.org/SQL_HOWTO

alan


--

Message: 2
Date: Thu, 5 Aug 2010 10:04:38 +0100
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: Freeradius 2.1.9 stop working
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Cc: ROUSSEAU David david.rouss...@mail.mobistar.be
Message-ID: 20100805090438.gb20...@lboro.ac.uk
Content-Type: text/plain; charset=us-ascii

Hi,

 Thanks Alan. But maybe you can update me with the out date of the RPM in
 2.1.10?

2.1.10 isnt out yet. but when it is, then your package maintainers should
ensure a new RPM is available.

alan


--

Message: 3
Date: Thu, 05 Aug 2010 11:19:48 +0200
From: Johan Meiring jmeir...@pcservices.co.za
Subject: Re: Freeradius 2.1.9 stop working
To: freeradius-users@lists.freeradius.org
Message-ID: 4c5a8234.1040...@pcservices.co.za
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 2010/08/05 11:04 AM, Alan Buxey wrote:

 2.1.10 isnt out yet. but when it is, then your package maintainers should
 ensure a new RPM is available.


This page might tell you how to build an RPM from source.
http://wiki.freeradius.org/Red_Hat_FAQ

Use git as the source.



-- 


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




Re: FreeRadius and Redundant LDAP Problems

2010-08-12 Thread Kory Wheatley
Per your suggestions from the last email I checked, and the

Un-comment the unix entry from the authorize section of
raddb/sites-available/default

was un-commented. Below is the output from trying to authenticate a user
that is a member of the DialupFS group and does not have an account in
/etc/passwd.  For some reason it is falling through to PAP and saying "No
authenticate method (Auth-Type) configuration found for the request".

This behavior only started when I tried to implement redundant LDAP servers
and, in the users file, having DEFAULT LDAP groups for each LDAP module.

If I do not use the redundant LDAP servers and just place both LDAP servers
in the LDAP module like this, it works correctly:

server = "server1.somedomain.com, server2.somedomain.com"

Thanks for your help



rad_recv: Access-Request packet from host 127.0.0.1 port 52514, id=166,
length=60
User-Name = testuser1

User-Password = testpassword
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = testuser1, looking up realm NULL

[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound

  [ldap-server1] Entering ldap_groupcmp()
[files] expand: ou=people,o=test http://isu.edu/,o=isp -
ou=people,o=test http://isu.edu/,o=isp
[files] expand: %{Stripped-User-Name} -
[files] ... expanding second conditional
[files] expand: %{User-Name} - testuser1
[files] expand: (uid=%{%{Stripped-User-Name}:-
%{User-Name}}) - (uid=testuser1)

  [ldap-server1] ldap_get_conn: Checking Id: 0
  [ldap-server1] ldap_get_conn: Got Id: 0
  [ldap-server1] attempting LDAP reconnection
  [ldap-server1] (re)connect to
server1.somedomain.com:389http://frank.isos.isu.edu:389/,
authentication 0
  [ldap-server1] bind as uid=raduser, ou=people, o=test http://isu.edu/,
o=isp/testpassword to server1.somedomain.com:389http://frank.isos.isu.edu:389/

  [ldap-server1] waiting for bind result ...
  [ldap-server1] Bind was successful
  [ldap-server1] performing search in ou=people,o=test http://isu.edu/,o=isp,
with filter (uid=testuser1)

  [ldap-server1] ldap_release_conn: Release Id: 0
[files] expand:
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
- (|((objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest http://3disu.edu/
\2co\3disp))((objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest http://3disu.edu/\2co\3disp)))

  [ldap-server1] ldap_get_conn: Checking Id: 0
  [ldap-server1] ldap_get_conn: Got Id: 0
  [ldap-server1] performing search in
cn=DialupFS,ou=Groups,o=testhttp://isu.edu/,o=isp,
with filter
(|((objectClass=GroupOfNames)(member=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest http://3disu.edu/
\2co\3disp))((objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser1\2cou\3dpeople\2co\
3dtest http://3disu.edu/\2co\3disp)))

[ldap-server1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++- entering policy redundant {...}
[ldap-server1] performing user authorization for testuser1

[ldap-server1]  expand: %{Stripped-User-Name} -
[ldap-server1]  ... expanding second conditional
[ldap-server1]  expand: %{User-Name} - testuser1
[ldap-server1]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=testuser1)

[ldap-server1]  expand: ou=people,o=test http://isu.edu/,o=isp -
ou=people,o=test http://isu.edu/,o=isp
  [ldap-server1] ldap_get_conn: Checking Id: 0
  [ldap-server1] ldap_get_conn: Got Id: 0
  [ldap-server1] performing search in ou=people,o=test http://isu.edu/,o=isp,
with filter (uid=testuser1)

[ldap-server1] looking for check items in directory...
[ldap-server1] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap-server1] user testuser1 authorized to use remote access
  [ldap rlm_ldap::ldap_groupcmp: User found in group
cn=DialupFS,ou=Groups,o=test http://isu.edu/,o=isp

 -server1] ldap_release_conn: Release Id: 0
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the
request:Rejecting the user

Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - testuser1

 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed 
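The debug transcript above ends in a reject for a reason that is easy to miss when reading raw output: rlm_ldap found the user but no password attribute came back, PAP therefore had nothing to compare against, and no module set an Auth-Type. The following triage script is an added example (not code from this thread or from FreeRADIUS): it runs over a constructed excerpt modelled on the lines above, pulls out the user, the LDAP search and each module's return code, and maps the server's own warning messages to a root cause. The base DN in the sample is a placeholder, and the finding codes are my own names.

```python
import re

# Constructed sample input: a handful of lines modelled on the FreeRADIUS 2.x
# debug output quoted above. The base DN is a placeholder, not a real directory.
SAMPLE_DEBUG = """\
[ldap-server1] performing user authorization for testuser1
[ldap-server1]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser1)
  [ldap-server1] performing search in ou=people,o=example,o=isp, with filter (uid=testuser1)
[ldap-server1] looking for check items in directory...
[ldap-server1] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap-server1] user testuser1 authorized to use remote access
+++[ldap-server1] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
"""

RE_AUTHZ_USER = re.compile(r"performing user authorization for (\S+)")
RE_SEARCH = re.compile(r"performing search in (.+?), with filter (\(.*\))")
# "+++[module] returns rc": the plus signs show nesting depth, the rest is the rc
RE_RETURNS = re.compile(r"^\s*\+*\[([^\]]+)\] returns (\w+)")

# Fragments of the server's own messages, mapped to short finding codes (my names).
FINDING_MARKERS = {
    "No known good password was found in LDAP": "ldap_no_password",
    "No known good password found for the user": "pap_no_password",
    "No authenticate method (Auth-Type) configuration found": "no_auth_type",
    "Failed to authenticate the user": "auth_failed",
}


def parse_debug(text):
    """Extract user, LDAP search, per-module return codes and finding codes."""
    result = {"user": None, "search_base": None, "filter": None,
              "module_returns": [], "findings": []}
    for line in text.splitlines():
        m = RE_AUTHZ_USER.search(line)
        if m:
            result["user"] = m.group(1)
        m = RE_SEARCH.search(line)
        if m:
            result["search_base"], result["filter"] = m.group(1), m.group(2)
        m = RE_RETURNS.match(line)
        if m:
            result["module_returns"].append((m.group(1), m.group(2)))
        for marker, code in FINDING_MARKERS.items():
            if marker in line and code not in result["findings"]:
                result["findings"].append(code)
    return result


def diagnose(parsed):
    """Turn the finding codes into a verdict and a root-cause explanation."""
    found = set(parsed["findings"])
    if "ldap_no_password" in found and "no_auth_type" in found:
        return ("reject",
                "LDAP found the user but returned no password attribute, and no "
                "authorize module set Auth-Type, so PAP had nothing to verify "
                "against. Either allow the server's bind identity to read the "
                "password attribute (directory ACLs / bind credentials), or "
                "authenticate by binding as the user (Auth-Type LDAP).")
    if "no_auth_type" in found:
        return ("reject", "No Auth-Type was set by any authorize module.")
    if "auth_failed" in found:
        return ("reject", "Authentication failed; check the module that rejected.")
    return ("not_rejected", "No rejection markers found in this excerpt.")


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    verdict, why = diagnose(parsed)
    print(f"user={parsed['user']} base={parsed['search_base']} filter={parsed['filter']}")
    for module, rc in parsed["module_returns"]:
        print(f"  {module:<22} {rc}")
    print(f"verdict: {verdict}\n{why}")
```

Feed it `radiusd -X` output captured to a file and it will point at the first thing to fix rather than leaving you to read the whole trace; the marker table is the only part that needs extending for other failure modes.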

Re: Vendor Specific Attributes

2010-08-12 Thread Alan DeKok
Latha Krishnamurthi wrote:
> 
> Thanks for the prompt reply. I can definitely do that, not an issue. I have a
> module running in freeradius.
> 
> Assuming my module already handles delivering vendor specific attribute
> in the RADIUS response (this is available to me through some shared
> memory) and tomorrow there is a new vendor, then can I do it without
> releasing a new code ?

  Update the dictionaries.  That's what dictionaries are for.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: issues when compiling freeradius 2.1.9 on solaris 10 x86

2010-08-12 Thread Alan DeKok
maximatt wrote:
> false cru .libs/libfreeradius-radius.a  dict.o filters.o hash.o hmac.o

  false is not a valid linker.

  Install the correct tools which let you compile software.

  This is not a FreeRADIUS problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Password Policy - Expired Password - mschap

2010-08-12 Thread Garber, Neal
> Understanding the security risks... is there an example of
> setting Post-Auth-Type REJECT {...}  to override the reject
> force the response to Auth-Accept?

If you want to change all REJECTs to ACCEPT so that authentication always 
succeeds, then you are effectively eliminating the requirement for 802.1x 
authentication for network connectivity.  If it's not required, why not just 
turn off port security on your switches?  If it is required, why would you want 
to do the above?

It seems that what you really want is the ability to change the expired
password via MSCHAP which isn't currently supported in FreeRADIUS (as I said in
a previous post).  If you are going to write a patch, develop one to provide
this functionality.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Vendor Specific Attributes

2010-08-12 Thread Latha Krishnamurthi
 
Thanks Alan. Will do that.
 
-Latha.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius + Cisco VPDN with multiple VRFs not working

2010-08-12 Thread Jasper Jans
John,

Thanks for pointing that out to me. I'll update it to this version tomorrow.
I don't expect a whole lot of difference with regards to this issue though
but it never hurts to run a more recent version of the software.

 - Jasper

On Thu, Aug 12, 2010 at 5:08 PM, John Dennis jden...@redhat.com wrote:

> On 08/12/2010 11:01 AM, Jasper Jans wrote:
>
>> Freeradius v1.1.3 (default that ships with CentOS 5.5) using MySQL as a
>> backend.
>
> freeradius 2.1.7 ships with RHEL 5.5 under the package name freeradius2.
> --
> John Dennis jden...@redhat.com
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Theparanoidone Theparanoidone


> If you want to change all REJECTs to ACCEPT so that
> authentication always succeeds, then you are effectively
> eliminating the requirement for 802.1x authentication for
> network connectivity.  If it's not required, why not just turn
> off port security on your switches?
> If it is required, why would you want to do the above?

This is not what I am asking to do... I would like to add some conditions to
the Post-Auth-Reject to *selectively* change the response to accept.   I am
asking the freeradius user list if anyone can provide me with just a basic
example to simply accept all... and then I'll add the appropriate modifications
from there.  My attempts to modify anything in the Post-Auth-Reject have
failed, and therefore I believe I'm doing something wrong and not interpreting
the docs correctly.  I believe handling this in a config file would be better
than recompiling code.   Are there any examples?


> It seems that what you really want is the ability to change
> the expired password via MSCHAP which isn't currently
> supported in FreeRADIUS (as I said in a previous post).
> If you are going to write a patch, develop one to provide this
> functionality..


We have successfully implemented a test patch.  This test patch moves away from 
implementing mschapv2 in the client connection and specifying PAP.  It changes 
the opendirectory response, and only requires two lines of code to change in 
rlm_opendirectory.c.  I include the updated block of code here:

    odResult = od_check_passwd(name, passwd);
    switch(odResult)
    {
        /*
         * We moved eDSAuthNewPasswordRequired and eDSAuthPasswordExpired
         * to the list of okay authentications.
         *
         * This allows a user to join the network, which should allow
         * the user to complete a password update on the network through
         * the standard client's password update cli/gui prompts.
         *
         * This may be a security risk to others. However, for our business
         * needs, we believe a correct but expired password means the user did
         * authenticate correctly, they simply just need to change their password
         * at the soonest available time.  This requires them to have network access
         * to do so which is why we changed this behavior.
         *
         * We believe this is better than having to micro-manage hundreds of employees
         * password resets.
         */
        case eDSNoErr:
        case eDSAuthNewPasswordRequired:
        case eDSAuthPasswordExpired:
            ret = RLM_MODULE_OK;
            break;

        case eDSAuthUnknownUser:
        case eDSAuthInvalidUserName:
        case eDSAuthAccountDisabled:
        case eDSAuthAccountExpired:
        case eDSAuthAccountInactive:
        case eDSAuthInvalidLogonHours:
        case eDSAuthInvalidComputer:
            ret = RLM_MODULE_USERLOCK;
            break;

        default:
            ret = RLM_MODULE_REJECT;
            break;
    }

The above code is tested, does work and will authenticate a user to the switch.
It piggybacks EAP-TTLS & PAP via opendirectory and is a proof of concept.
We're starting simple to see if we want to make changes to mschapv2.

Long term to make a patch like this useful... perhaps a freeradius configuration
option called allowExpiredPasswordsAndPasswordResets = yes could be implemented
(unless there is an easier way to do this in Post-Auth-Reject.. see my request
above).

Here's the catch:  We are now seeing a problem/bug on the Mac OSX client
computer with this. The client authenticates, and is now successfully presented
with a new password dialogue prompt upon login (great).  However, in-between
the successful initial login screen, and the new password prompt screen, a
tcpdump reveals the Mac OSX Client sends an EAPOL Logoff packet to the switch
which then boots the client off the network again.  Frustrating as there is no
reason to do this especially since the client successfully authenticated and
did receive a full Access-Accept as expected.  Even if we have successfully
patched the server... this may be a deal breaker due to Apple's client
implementation.  We are discussing this with Apple now.  When I get a chance, I
will see if I can get a linux box to authenticate and prompt for a new password
without sending a logoff packet for comparison.


I am still interested in:

1) An example Auth-Post-Reject example (basic code block and where to place it 
as my attempts have failed)

2) If anyone has any additional information about EAPOL Logoff packets being 
transmitted on client password reset prompts, I'd be 

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Alan DeKok
Theparanoidone Theparanoidone wrote:
> We have successfully implemented a test patch.  This test patch moves away
> from implementing mschapv2 in the client connection and specifying PAP.  It
> changes the opendirectory response, and only requires two lines of code to
> change in rlm_opendirectory.c.  I include the updated block of code here:

  You are welcome to maintain this patch locally.  i.e. on your system.
git makes this easy.

  However, it cannot be added to the server.

> Long term to make a patch like this useful... perhaps a freeradius
> configuration option called allowExpiredPasswordsAndPasswordResets = yes
> could be implemented (unless there is an easier way to do this in
> Post-Auth-Reject.. see my request above).

  Check the password by hand, using a shell script.

> I am still interested in:
>
> 1) An example Auth-Post-Reject example (basic code block and where to place
> it as my attempts have failed)

  You can't turn a reject into an accept.

> 2) If anyone has any additional information about EAPOL Logoff packets being
> transmitted on client password reset prompts, I'd be interested in hearing
> about it.

  No one else does password changes that way.

> 3) A long term solution; I don't believe password expirations are that
> uncommon anymore with all the security requirements (HIPAA, PCI, etc etc)
> that depend upon this.

  Password change is not part of RADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Theparanoidone Theparanoidone
Hi Alan~

Thank you for the reply; your response helps save me some time.

>> 3) A long term solution; I don't believe password expirations are that
>> uncommon anymore with all the security requirements (HIPAA, PCI, etc etc)
>> that depend upon this.
>
>  Password change is not part of RADIUS.

I am new to radius, and although it is now clear that expired passwords ==
user is blocked until they can authenticate from some other computer ... I'm
just surprised.

I guess an alternate method is to implement login scripts to check if a user's
password expiration is approaching, and if so... prompt the user to update it
before it expires (via, email, popup, whatever).

Is that what the rest of radius users do / a best practice?

Thanks for all your help... all in all, freeradius is awesome.

Thanks!



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
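The post above asks whether warning users before their password expires is what everyone else does, and the answer in this thread is that sites either avoid expiry or make users reset before it hits. The check such a warning job would run is shown below as an added example, not code from this thread or from FreeRADIUS. It assumes OpenLDAP ppolicy-style attributes (pwdChangedTime as LDAP GeneralizedTime, pwdMaxAge in seconds); the thread's directory is Open Directory, so the attribute names are my assumption, and the entries and the fixed "now" are constructed so the run is reproducible.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three directory entries with the last password change
# recorded as LDAP GeneralizedTime (UTC). Attribute names follow the OpenLDAP
# ppolicy overlay; any directory exposing "last changed" and "max age" works.
PWD_MAX_AGE = 90 * 24 * 3600      # pwdMaxAge of 90 days, in seconds (assumed policy)
WARN_DAYS = 14                    # start nagging two weeks before expiry (assumed)

SAMPLE_ENTRIES = [
    {"uid": "alice", "pwdChangedTime": "20100601120000Z"},
    {"uid": "bob",   "pwdChangedTime": "20100520120000Z"},
    {"uid": "carol", "pwdChangedTime": "20100401120000Z"},
]

# Fixed reference time so the example is deterministic; a real job uses utcnow().
NOW = datetime(2010, 8, 12, 12, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime form YYYYMMDDHHMMSSZ into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_status(changed_time, max_age_seconds, now, warn_days=WARN_DAYS):
    """Return (status, days_left); status is 'ok', 'warn' or 'expired'.

    days_left is negative once the password has already expired, which lets a
    report show how long an account has been locked out of 802.1X by policy.
    """
    expires = parse_generalized_time(changed_time) + timedelta(seconds=max_age_seconds)
    days_left = (expires - now).days
    if expires <= now:
        return "expired", days_left
    if days_left <= warn_days:
        return "warn", days_left
    return "ok", days_left


def expiry_report(entries, max_age_seconds, now, warn_days=WARN_DAYS):
    """Classify every entry; the caller decides how to notify (mail, popup, ...)."""
    return [
        (e["uid"],) + expiry_status(e["pwdChangedTime"], max_age_seconds, now, warn_days)
        for e in entries
    ]


if __name__ == "__main__":
    for uid, status, days in expiry_report(SAMPLE_ENTRIES, PWD_MAX_AGE, NOW):
        print(f"{uid:<8} {status:<8} {days:+d} days")
```

Run daily, the "warn" rows are the users to notify while they can still log in and change the password themselves; the "expired" rows are the ones this thread is about, who will be rejected at the switch until someone resets them out of band.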


Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Alan DeKok
Theparanoidone Theparanoidone wrote:
>> Password change is not part of RADIUS.
>
> I am new to radius, and although it is now clear that expired passwords ==
> user is blocked until they can authenticate from some other computer ... I'm
> just surprised.

  RADIUS is a protocol which controls network access.  If the user's
password has expired, it means that it is no longer valid for network
access.  Any other interpretation results in password expiry losing
all meaning.

> I guess an alternate method is to implement login scripts to check if a
> user's password expiration is approaching, and if so... prompt the user to
> update it before it expires (via, email, popup, whatever).

  Or, have the user call IT, and reset the password.

> Is that what the rest of radius users do / a best practice?

  They don't use password expiry, *or* they require users to reset their
password before it expires.

> Thanks for all your help... all in all, freeradius is awesome.

  Thanks.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html