Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi All,


I have successfully configured FreeRADIUS with MySQL. I can radtest using the
command:

sudo radtest alice password 192.168.2.3 1812 testing123
Sending Access-Request of id 187 to 192.168.2.3 port 1812
User-Name = alice
User-Password = password
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x

rad_recv: Access-Accept packet from host 192.168.2.3 port 1812,
id=187, length=20

Now I am trying Squid with RADIUS authentication.

I followed the steps from:

http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043

But I got these error messages in cache.log:

Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
squid_rad_auth: No response from RADIUS server

In the radiusd -X debug output there are error messages like the ones below:

Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 42003,
id=2, length=63
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 0.9 seconds.
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…}
[pap] login attempt with password “b9?I? +�(�Ч�Y�?”
[pap] Using clear text password “password”
[pap] Passwords don’t match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
Using Post-Auth-Type REJECT

What is that error? How can I solve this?

Thanks

-- 
*M.Iftakhul Anwar*
Meruvian Integrator
High Performance Computing / Cloud Computing (HPC/CC)


Office Phone  : 021-93586577
Mobile Phone : 085215331477
Blog   :  http://blog.mervpolis.com/roller/anwar
FB :  http://www.facebook.com/troya.adromeda
Website : www.meruvian.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius Squid authentication REJECT

2013-04-11 Thread Matthias Nagel
Hello,

did you do what the warning says and double checked the shared secret?

As far as I can see, squid_rad_auth.conf does not use quotation marks to
delimit the shared secret. Hence, perhaps you have trailing white space or
something like that at the end of the line. Delete the secret line in
squid_rad_auth.conf and type it again. I really mean delete it, in order to
get rid of unprintable characters you might not see.

Matthias

--
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: matthias.h.na...@gmail.com
ICQ: 499797758
Skype: nagmat84


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi Matthias,

I don't use quotation marks in my squid_rad_auth.conf. No space in my secret.
This is my squid_rad_auth.conf

server 192.168.2.3
secret testing123



In my radcheck table I am also using Cleartext-Password.

Any other clue?

Thanks




Re: Radius Squid authentication REJECT

2013-04-11 Thread Matthias Nagel
Hello,

On Thursday 11 April 2013, 16:07:08 Iftakhul Anwar wrote:
 Hi Matthias,
 
 I don't use quotation marks in my squid_rad_auth.conf

I know, that is the reason why I asked you to check for non-printable 
characters AFTER your shared secret.

 No space in my secret.

And what is between the last printable character of your secret and the new 
line?

Matthias



Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
I just press Enter after my shared secret.

Any suggestions?



Re: Radius Squid authentication REJECT

2013-04-11 Thread Matthias Nagel
Hello,

perhaps it is an encoding problem between the browser and squid. You should
check what kind of encoding squid expects the browser to use and what encoding
the browser actually uses. But this is not a radius problem, hence I cannot
help you with that problem.

Anyway, somewhere on the link browser - squid - radius the password gets
screwed up. If the problem were between the browser and squid, the user name
would likely be screwed up, too. Hence, I still believe the problem is between
squid and radius. But if a wrong secret isn't the solution, I am out. Sorry.

Regards, Matthias


Re: Radius Squid authentication REJECT

2013-04-11 Thread Adam Bishop
On 11 Apr 2013, at 10:35, Iftakhul Anwar an...@meruvian.org wrote:
 
 I just use enter after my shared secret.
 
 Any suggestions ?

There are three possibilities:

 * The shared secret is wrong in the squid radius file
 * The shared secret is wrong in the freeradius clients file
 * Squid is broken (I think this is unlikely)

As you've not posted a full debug log, all we can do is guess.

My guess is that radtest is using the secret defined in clients.conf:client 
127.0.0.1/8 and squid is using the secret defined in clients.conf:client 
192.168.2.3

Post a full log, and we can probably do more than guess.

Adam Bishop

 gpg: 0x6609D460

Janet, the UK's research and education network.



Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238



Need both Local (MySQL database) and Active directory authentications.

2013-04-11 Thread ffgch2
Hi all,

I have set up FreeRADIUS (v.2.1.10) to do password authentication from a
MySQL database and it works fine, but now I need to make some users able to
authenticate against Active Directory accounts. I've set up winbind to
authenticate Windows accounts and it works, but as a result FreeRADIUS lost
the ability to authenticate against the local database.

So if I comment out the line:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

in the /modules/mschap file, then local database authentication works fine but
Active Directory doesn't. With ntlm_auth uncommented, Active Directory works
but the local database doesn't.

The WiFi access points query the RADIUS server using WPA-Enterprise, so the
passwords are encrypted inside EAP messages and there is no other way to
validate them; they have to go through the mschap module anyway.
Is there a way to tell mschap to use ntlm_auth depending on a field in the
MySQL table, and to use the internal mechanisms if a plain text password is
available in the MySQL table?

Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi Adam,

I'm sorry, my previous attachment was too large.

This attachment is the log of radiusd -X output when I try to log in using
user = alice with password = password.

Thanks



Re: Radwho doesn't show full name

2013-04-11 Thread mkeram
Hello,
Could you please check and confirm whether it works for you in freeradius 2?
Best regards
Marek
On 5 April 2013 0:47 mkeram <mke...@o2.pl> wrote:
Hello,
I have installed Debian Squeeze 6.0 with freeradius 2.1.10 + accel-ppp
(PPPoE). Everything is working fine, but radwho and radwho -s don't
return the full user name fetched from /etc/passwd.
All users have a real Linux account and a proper entry in
/etc/freeradius/users. All details, logins and passwords, are included in the
users file.
In old freeradius 1.1.3 I got this radwho output:
zycha AnetaZych PPP S338 Sun 16:28 127.0.0.1 192.168.1.223
where AnetaZych is the full name fetched from /etc/passwd.
In the new one I have:
zycha zycha PPP S338 Sun 16:28 127.0.0.1 192.168.1.223
Could you please advise where I should change the configuration? I have run
strace on radwho and I didn't find any information about it checking the file
/etc/passwd.
Please advise.
Best regards
Marek

Re: Radius Squid authentication REJECT

2013-04-11 Thread Alan DeKok
Iftakhul Anwar wrote:
 This attachment is the log of radiusd -X output when I try to log in using user
 = alice with password = password

  You need to read it, and the responses to your messages.

  You've been told what's wrong, and how to fix it.  Stop thinking you
understand it, and read the responses.  Stop thinking that you've got it
configured correctly, and go fix it.

  It's not hard.  The only reason it doesn't work is because you're not
following instructions.

  Alan DeKok.


Re: Need both Local (MySQL database) and Active directory authentications.

2013-04-11 Thread Alan DeKok
ffgch2 wrote:
 I have set up Freeradius  (v.2.1.10)

  Upgrade to v2.2.0.

 to do password authentication from
 MySQL database and it works fine but now I need to make some users be
 able to authenticate against Active Directory accounts. I've set up
 winbind to authenticate windows accounts and it works but as a result
 freeradius lost ability to authenticate by local database.

  You need to figure out when users will be checked against SQL, and
when they will be checked against AD.  Right now, you've configured
FreeRADIUS to use both.  Which isn't what you want.

 So if I comment the line:

  Don't randomly change things.  It won't work.

 Is there a way to tell mschap to use ntlm_auth depending on field in
 MySQL table and use the internal mechanisms if plain text passwords
 available in the MySQL table?

  No.  There are better ways.

  See raddb/modules/mschap.  You can control when ntlm_auth is called.

  See man unlang.  You can configure policies.  Read the debug output.

  What you want is this:

authorize {
    ...
    sql
    if (ok) {
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }
    ...
}

  Alan DeKok.


Re: compile with ldap support

2013-04-11 Thread John Dennis

On 04/10/2013 10:24 PM, Alan DeKok wrote:

Chris Taylor wrote:

How do I check that I have them installed? I have the openldap rpm installed.


   This is really a question for your OS vendor.  How about man rpm?
Or google?


If you're working on a Fedora/RHEL/CentOS etc. type system then 
yum-builddep is your friend. I know you're trying to build from source 
and not build an RPM but if you have a srpm or spec file you can use 
yum-builddep to get your build dependencies installed. Or you can look 
at a spec file and find all the BuildRequires and install those.


Think of an rpm spec file as a recipe for building. If you're not sure 
what ingredients you need then consult the recipe.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,

look:

WARNING: Unprintable characters in the password.  Double-check the shared 
secret on the server and the NAS!


there. Incorrect shared secret... as already said several times in this
thread... OR the squid code is broken.

If this were working fine, then because it's PAP you would see the password in
User-Password clear as day. You don't; it's all corrupted, because of an
incorrect shared secret.

Put e.g. radtest onto the squid box and check that you can fire off a dumb RADIUS
query to your FR box from the squid box.

alan
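Why a wrong shared secret shows up as garbage on the server and as a bad reply digest on the client, as an added example that is not code from Squid, FreeRADIUS or anyone in this thread: a minimal RFC 2865 PAP exchange with both sides running in one Python process. The user/password pair, the two secrets and the fixed Request Authenticator are constructed values; a real client draws 16 fresh random bytes per request.

```python
# Added example (not Squid's or FreeRADIUS' code): a minimal RFC 2865 PAP
# exchange with both sides in one process, showing what a mismatched shared
# secret looks like from each end. All values below are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(request_auth) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret the output is random bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attr(attr_type, value):
    # Type-Length-Value; Length counts the two header octets as well.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, username, password, secret, request_auth):
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def verify_reply(packet, request_auth, secret):
    """Client-side check; Squid's helper reports a failure here as 'invalid reply digest'."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    header, digest, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, digest)

def server_handle(packet, server_secret, users):
    """Server side: recover User-Password with *its* secret, compare with the known-good one."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    got = unhide_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    # The condition behind radiusd's "Unprintable characters in the password" warning.
    unprintable = any(c < 0x20 or c > 0x7E for c in got)
    known = users.get(attrs.get(ATTR_USER_NAME))
    ok = known is not None and hmac.compare_digest(got, known)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_reply(code, ident, request_auth, server_secret), unprintable

def run_exchange(client_secret, server_secret):
    """Returns (reply code, server saw unprintable password, client accepts the reply)."""
    users = {b"alice": b"password"}     # constructed, mirroring the thread's test user
    request_auth = bytes(range(16))     # constructed; a real client uses 16 fresh random bytes
    request = build_access_request(4, b"alice", b"password", client_secret, request_auth)
    reply, unprintable = server_handle(request, server_secret, users)
    return reply[0], unprintable, verify_reply(reply, request_auth, client_secret)

if __name__ == "__main__":
    print("matching secrets:  ", run_exchange(b"testing123", b"testing123"))
    print("mismatched secrets:", run_exchange(b"wrong-secret", b"testing123"))
```

With matching secrets the server recovers `password`, answers Access-Accept, and the client's digest check passes. With a client secret that differs from the server's clients.conf entry, the server decodes random bytes (the "Unprintable characters in the password" case), answers Access-Reject, and the client discards that reply because its Response Authenticator does not verify, which is exactly the "invalid reply digest" followed by "No response from RADIUS server" pair seen in cache.log.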


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
I'm sorry, I'm really a newbie.

Actually my shared password is the default, testing123. This is my
configuration in my squid_rad_auth.conf


squid_rad_auth.conf
-
server 192.168.2.3
secret testing123

and this is my configuration on squid.conf

#  TAG: auth_param
#auth_param basic program /etc/squid3/squid_radius_auth -f /etc/squid3/squid_rad_auth.conf
auth_param basic program /etc/squid3/squid_radius_auth -f /usr/local/squid/etc/squid_radius_auth.conf
auth_param basic children 5
auth_param basic realm web-proxy
auth_param basic credentialsttl 5 minutes
auth_param basic casesensitive off
acl radius-auth proxy_auth REQUIRED

#  TAG: http_access
http_access allow radius-auth
http_access allow localhost


Is anything wrong?

I'm suspicious of this in the log:

[pap] login attempt with password “b9?I? +�(�Ч�Y�?”
[pap] Using clear text password “password”
[pap] Passwords don’t match


Is it because of a different authentication method between squid and radius?




On Thu, Apr 11, 2013 at 10:35 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 look:

 WARNING: Unprintable characters in the password.  Double-check the shared
 secret on the server and the NAS!


 there. incorrect shared secret...as already said several times in this
 thread...OR the
 squid code is broken.

 if this is working fine, then because its PAP you will see the password in
 User-Password
 clear as day. you dont, its all corrupted, because incorrect shared secret.

 put eg radtest onto the squid box and check that you can fire off a dumb
 RADIUS
 query to your FR box from the squid box

 alan





Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day

As a (hopefully) answer-able question to those experienced with EAP-TLS
that I've
been twisting my brain:

Usually I've seen examples for EAP-TLS setups that used a server-side
certificate issued from the same CA as the one it should allow EAP-TLS
clients who present their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
  tls {
 [...]
 certificate_file = /etc/freeradius/ssl/cert.p

 #  Trusted Root CA list
 CA_file = /etc/univention/ssl/ucsCA/CAcert.pem
[...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a trusted
external CA) while some devices could login using EAP-TLS but only when they
present a certificate from an internal CA (that usually isn't being trusted
by devices outside of control of IT department).

Best regards
Mathieu


Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,

Actually my shared password is the default, testing123. This is my
configuration in my squid_rad_auth.conf

as previously discussed, you are not sending full output of radiusd -X
and so we are having to guess.  we cannot guess your problems away
at least send us your clients.conf from FreeRADIUS

alan


Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,
Hi, previously I've attached my log as an attachment :)

no, you haven't :-(

all you have attached is the stuff that you felt you wanted to send. without
sending the FULL output of radiusd -X FROM THE START we cannot see where you
have gone wrong.

HOW can we help if you don't give us the information we request?

alan


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi,

I'm sorry,

This is the response log from radiusd -X when I try to log in using user alice,
password: password


Cleaning up request 3 ID 4 with timestamp +116
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
User-Name = alice
User-Password = \335\307-\245#ˎ!7\036f\023\217\3630\257
NAS-Port = 111
NAS-Port-Type = Async
NAS-IP-Address = 192.168.2.3
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = alice, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} - alice
[sql] sql_set_user escaped user -- 'alice'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op   FROM
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY
id - SELECT id, username, attribute, value, op   FROM radcheck
  WHERE username = 'alice'   ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op   FROM
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY
id - SELECT id, username, attribute, value, op   FROM radreply
  WHERE username = 'alice'   ORDER BY id
[sql] expand: SELECT groupname   FROM radusergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY priority - SELECT
groupname   FROM radusergroup   WHERE username = 'alice'
ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password \DD\C7-\A5#\CB?!7?f??\F30\AF
[pap] Using clear text password password
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared
secret on the server and the NAS!
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - alice
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 1.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 55467, id=4,
length=63
Sending duplicate reply to client localprivate port 55467 - ID: 4
Sending Access-Reject of id 4 to 192.168.2.3 port 55467
Waking up in 0.9 seconds.
Cleaning up request 4 ID 4 with timestamp +122
Ready to process requests.


On Thu, Apr 11, 2013 at 11:22 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,
 Hi, previously i've attached my log as attachment :)

 no, you havent :-(

 all you have attached is the stuff that you felt you wanted to send.
 without sending
 the FULL output of radiusd -X FROM THE START we cannot see where you have
 gone wrong.

 HOW can we help if you dont give us the information we request?

 alan





Re: Radius Squid authentication REJECT

2013-04-11 Thread A . L . M . Buxey
Hi,

Hi,
I'm sorry, 
This is response log from radiusd -X when i try long using usr:alice

one more time.

please do not send us what you feel like sending us.

please just simply send us the output of radiusd -X
FROM THE VERY START right up to where it says 'Ready to process requests'

do not send us the authentication attempt or anything else. 

everything else is pointless to send.


alan


Re: Radius Squid authentication REJECT

2013-04-11 Thread Alan DeKok
Iftakhul Anwar wrote:
 This is response log from radiusd -X when i try long using usr:alice
 password: password

  No, it's not.

  You need to follow instructions.  If you ask questions and ignore the
answers, that's rude.

  Either follow instructions, or stop posting the same questions.

  If you don't follow instructions, you will be unsubscribed and banned
from the list.

  Following instructions shouldn't be hard.  Do it, or else.

  Alan DeKok.


freeRadius 2.1.10 PEAP/MSCHAPv2 w/ Active Directory

2013-04-11 Thread trevor_marquis
Hello all,

I'm new to freeRadius and am using freeRadius version 2.1.10 for some lab 
testing.  I've got freeradius extracting users and passwords from an 
Active Directory database.  I'm using PEAP/MSCHAPv2.  All configs have 
been working until about a week or so ago.  All of a sudden, my mschapv2 
challenge/response is not correct.

Not sure where exactly the problem is occurring so I've posted the debug 
output below.  If other config files are necessary, I can post them too.

Thanks for any help.  Trevor



rad_recv: Access-Request packet from host 127.0.0.1 port 50066, id=2, 
length=81
User-Name = TheAdmin
NAS-Port = 0
NAS-IP-Address = 127.0.0.1
EAP-Message = 0x021001747265766f7261646d696e
Message-Authenticator = 0x1f8e3dc1fcbafac6481c9fe22c8449e5
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = TheAdmin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=commslab,dc=local - dc=commslab,dc=local
[files] expand: %{Stripped-User-Name} -
[files] ... expanding second conditional
[files] expand: %{User-Name} - TheAdmin
[files] expand: 
((objectclass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}*)) 
- ((objectclass=user)(sAMAccountName=TheAdmin*))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=commslab,dc=local, with filter 
((objectclass=user)(sAMAccountName=TheAdmin*))
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 
- 
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=commslab,dc=local, with filter 
((cn=Commslab_Domain_Users)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in 
CN=TheAdmin,OU=Users,OU=commslab,DC=commslab,DC=local, with filter 
(objectclass=*)
  [ldap] performing search in 
CN=Commslab_Enterprise_Admins,OU=Groups,OU=commslab,DC=commslab,DC=local, 
with filter (cn=Commslab_Domain_Users)
  [ldap] object not found
  [ldap] performing search in CN=Domain 
Admins,CN=Users,DC=commslab,DC=local, with filter 
(cn=Commslab_Domain_Users)
  [ldap] object not found
rlm_ldap::groupcmp: Group Commslab_Domain_Users not found or user not a 
member
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=commslab,dc=local - dc=commslab,dc=local
[files] expand: 
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
 
- 
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=commslab,dc=local, with filter 
((cn=Commslab_Enterprise_Admins)(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in 
CN=TheAdmin,OU=Users,OU=commslab,DC=commslab,DC=local, with filter 
(objectclass=*)
  [ldap] performing search in 
CN=Commslab_Enterprise_Admins,OU=Groups,OU=commslab,DC=commslab,DC=local, 
with filter (cn=Commslab_Enterprise_Admins)
rlm_ldap::ldap_groupcmp: User found in group Commslab_Enterprise_Admins
  [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication 
may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) - FALSE
++? if (!control:Auth-Type) - FALSE
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate  --- Not sure why were trying TLS
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 50066
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0xc823e63dc822ff81c661e84e3a0d59ca

Re: freeRadius 2.1.10 PEAP/MSCHAPv2 w/ Active Directory

2013-04-11 Thread Alan DeKok
trevor_marq...@selinc.com wrote:
 Hello all,
 
 I'm new to freeRadius and am using freeRadius version 2.1.10

  Upgrade to 2.2.0.  It has a number of issues fixed.

 for some
 lab testing.  I've got freeradius extracting users and passwords from an
 Active Directory database.  I'm using PEAP/MSCHAPv2.  All configs have
 been working until about a week or so ago.  All of a sudden, my mschapv2
 challenge/response is not correct.
 
 Not sure where exactly the problem is occurring so I've posted the debug
 output below.  If other config files are necessary, I can post them too.

  Well... the debug output seems pretty clear.

 Exec-Program output: Access denied (0xc022)
 Exec-Program-Wait: plaintext: Access denied (0xc022)
...
 Login incorrect (mschap: External script says Access denied

  What is unclear about that?

  ntlm_auth is running, and AD is returning that error.  No amount of
poking FreeRADIUS will fix an AD access issue.

  Alan DeKok.


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Alan DeKok
Mathieu Simon wrote:
 Usually I've seen example for EAP-TLS setups that used a server-side
 certificate
 issued from the same CA as the one it should allow EAP-TLS clients who
 present
 their certificate to FR.

  Yes.

 Am I guessing correctly that CA_file can contain a different list of CA(s)
 than the server certificate that is shown to the client?

  Yes.  It contains a list of valid CAs.

 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)

  While that works, it's not recommended.  It means that the client will
trust *any* certificate signed by that CA, for network access.

  It's usually a bad idea.

 while some devices could login using EAP-TLS but only when they present
 a certificate from an internal CA (that usually isn't being trusted by
 devices
 outside of control of IT department).

  That works.  The client will need *both* CAs.

  But why be this complicated?  Just use one CA, which is for both
EAP-TLS and PEAP.  It can issue client certs to some machines, and *not*
issue client certs to others.

  You don't need one CA per EAP method.

  Alan DeKok.


Performing an additional check on the credentials

2013-04-11 Thread Romeo Mihalcea
I successfully managed to deploy a freeradius server and created a python
script which does an additional check on the user (incoming request). I
checked the internet (resources for freeradius are pretty horrible) and
only found a thread which explains some basics about adding a python script
to the process.

Right now I have it inside /etc/freeradius/sites-enabled/default under the
authorize section:

update control {
    Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}' '%{User-Password}'`
}
My test.py file spits Reject or Accept. I also have sql authentication
setup with freeradius and the problem is that, if my script returns Accept
any other authorization request under is ignored; response will still be an
Accept even if sql check rejects the user.

From what I understand I should pass a noop instead of Accept to allow
freeradius to continue and only pass Reject if I need to reject the user
but If I respond with noop the server complains (probably because it
expects a reply for Auth-Type as I coded it).

Someone on serverfault suggested I shouldn't use unlang to call a python
script and I should use rlm_python, but I really have no idea how to even
start calling my script.

Any ideas? Maybe I need to add my code to the authentication section? How?

Re: Performing an additional check on the credentials

2013-04-11 Thread Alan DeKok
Romeo Mihalcea wrote:
 I successfully managed to deploy a freeradius server and created a
 python script which does an additional check on the user (incoming
 request). I checked the internet (resources for freeradius are pretty
 horrible)

  Well... the server comes with a lot of documentation.  Searching
random pages on the internet isn't a good idea.

 and only found a thread which explains some basics about
 adding a python script to the process.

  That isn't well documented because no one has contributed documentation.

 Right now I have it inside /etc/freeradius/sites-enabled/default under
 the authorize section:
 
 update control {
Auth-Type := `/usr/bin/python /etc/test.py '%{User-Name}'
 '%{User-Password}'`
 }

  While that works, I wouldn't recommend doing it.  It's just using
python as an external script.  i.e. there's no python-specific
documentation needed.  You could use `/bin/echo Accept` to get much the
same effect.

 My test.py file spits Reject or Accept. I also have sql authentication

  No... the SQL module does authorization checks.  They really are
different, and the difference is important.  See the wiki for more
discussion on this topic.

 setup with freeradius and the problem is that, if my script returns
 Accept any other authorization request under is ignored; response will
 still be an Accept even if sql check rejects the user.

  Yes, that's what you told it to do.  Which is why the FAQ says to
*not* set Auth-Type.  It's almost always wrong.

 From what I understand I should pass a noop instead of Accept to allow
 freeradius to continue and only pass Reject if I need to reject the user
 but If I respond with noop the server complains (probably because it
 expects a reply for Auth-Type as I coded it).

  No.  noop isn't an authentication type.  You're mixing multiple
topics without a clear understanding of any of them.

 Someone on serverfault suggested I shouldnt use unlang to call a python
 script and I should use rlm_python but I really have no idea how to even
 start calling my script.
 
 Any ideas? Maybe I need to add my code to the Authentication. section? How?

  What you want to do?  Please explain what you have, and what you want.

  Right now you're describing a solution that doesn't work.  You're
not describing a problem.  There's really no point in trying to fix the
solution until the problem is clear.  If we do, we'll be stuck on
miscommunication and misunderstanding.

  Alan DeKok.
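One way to do the extra check along the lines Alan describes, as an added example that is not part of this thread or of FreeRADIUS itself: an rlm_python `authorize` hook that rejects on its own policy and otherwise returns noop, leaving the password comparison to `sql` and `pap` and never touching `control:Auth-Type`. The module name `extra_check`, the deny list and the NAS allowlist are constructed; the `radiusd` stand-in class exists only so the file can be run outside the server, where rlm_python provides the real `radiusd` module.

```python
# Added example, not code from this thread or from FreeRADIUS: an rlm_python
# "authorize" hook that applies one extra policy check and otherwise returns
# noop, so sql and pap still decide whether the password is right. The module
# name extra_check, the deny list and the NAS allowlist are constructed.
try:
    import radiusd  # injected by rlm_python when the server loads this module
except ImportError:
    class radiusd:  # stand-in with rlm_python's constants, for running outside radiusd
        RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_NOOP = 0, 2, 7
        L_AUTH, L_INFO = 2, 3

        @staticmethod
        def radlog(level, msg):
            print("[extra_check]", msg)

# Constructed policy data; in a deployment this would come from a file or database.
DENIED_USERS = {"mallory"}
ALLOWED_NAS = {"192.168.2.3"}


def _to_dict(pairs):
    """rlm_python passes the request as a tuple of (attribute, value) string pairs."""
    attrs = {}
    for name, value in pairs:
        attrs.setdefault(name, value)  # keep the first copy of a repeated attribute
    return attrs


def authorize(pairs):
    """REJECT on our own policy; NOOP to let the rest of authorize (sql, pap) run.

    control:Auth-Type is deliberately never set here: forcing it would skip the
    password comparison that sql and pap perform, which is the problem in the
    thread's update-control approach.
    """
    attrs = _to_dict(pairs)
    user = attrs.get("User-Name", "")
    nas = attrs.get("NAS-IP-Address", "")
    # Never log User-Password: with PAP it is present here in clear text.
    if user in DENIED_USERS:
        radiusd.radlog(radiusd.L_AUTH, "extra_check: %r is on the deny list" % user)
        return radiusd.RLM_MODULE_REJECT
    if nas not in ALLOWED_NAS:
        radiusd.radlog(radiusd.L_AUTH, "extra_check: request from unknown NAS %r" % nas)
        return radiusd.RLM_MODULE_REJECT
    radiusd.radlog(radiusd.L_INFO, "extra_check: %r from %r passed, deferring to sql" % (user, nas))
    return radiusd.RLM_MODULE_NOOP
```

To wire it in on FreeRADIUS 2.x, point `mod_authorize` and `func_authorize` in raddb/modules/python at this module and function, set `python_path` to the directory holding the file, and list `python` before `sql` in the `authorize` section of sites-enabled/default: a reject from it ends the section and the request is refused, while noop lets `sql` look up the user and `pap` compare the password as before.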


Re: Radius Squid authentication REJECT

2013-04-11 Thread Iftakhul Anwar
Hi All

Thanks, I've successfully configured squid using RADIUS authentication.

Actually I needed to install squid from source with the parameter below when
compiling it (http://wiki.squid-cache.org/ConfigExamples/Authenticate/Radius):

--enable-basic-auth-helpers=squid_radius_auth

Previously I used squid3 from apt-get.


Thanks :)




On Fri, Apr 12, 2013 at 12:36 AM, Alan DeKok al...@deployingradius.com wrote:

 Iftakhul Anwar wrote:
  This is response log from radiusd -X when i try long using usr:alice
  password: password

   No, it's not.

   You need to follow instructions.  If you ask questions and ignore the
 answers, that's rude.

   Either follow instructions, or stop posting the same questions.

   If you don't follow instructions, you will be unsubscribed and banned
 from the list.

   Following instructions shouldn't be hard.  Do it, or else.

   Alan DeKok.





Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi

On 11.04.2013 20:08, Alan DeKok wrote:
 snip!
 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)
   While that works, it's not recommended.  It means that the client will
 trust *any* certificate signed by that CA, for network access.

   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the
certificate (and its trust chain) by the trusted CA.

CA_file would only contain the internal CA, so that only those signed by the
one internal CA IT has control over would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
 snip!

   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file)
being signed by a CA that most devices trust - since most of the users are
going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work, it
already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA through
CA_file would allow us to more easily integrate those non-personal but
school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu