Re: Users credentials?

2013-06-26 Thread yzy-oui-fi

On Wednesday 26 June 2013 at 00:59 +0100, Arran Cudbard-Bell wrote:

 this credentials with a php app in the background?

Yes, you could. You will just need to create a PHP condition that creates
the user in your database (radcheck table at least), which will be
treated as soon as the HTML form is sent (when the user clicks the button)
and just before your PHP code sends the redirection to the hotspot auth
page.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Authenticate without password or wrong password

2013-06-26 Thread Omer Faruk SEN
Hi,

I want certain users to authenticate even if they don't provide a
password or the password they enter is not right.

Can you guide me on this, please? I think I must put a user into a group,
and if the user is in that group I am to authenticate them even if they
don't provide a password or the password they provide is not true.

Regards.

Re: Authenticate without password or wrong password

2013-06-26 Thread Arran Cudbard-Bell

On 26 Jun 2013, at 12:16, Omer Faruk SEN omerf...@gmail.com wrote:

 Hi ,
 
 I want some certain users to authenticate even if they don't provide a 
 password or the password they enter is not right.
 
 
 
 Can you guide me on this please? I think I must put a user in to a group and 
 if the user is in that group I am to authenticate them even if they don't 
 provide password or the password they provide is not true.

What type of authentication?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Authenticate without password or wrong password

2013-06-26 Thread Omer Faruk SEN
User Authentication for UserPassword


On Wed, Jun 26, 2013 at 2:44 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:


 On 26 Jun 2013, at 12:16, Omer Faruk SEN omerf...@gmail.com wrote:

  Hi ,
 
  I want some certain users to authenticate even if they don't provide a
 password or the password they enter is not right.
 
 
 
  Can you guide me on this please? I think I must put a user in to a group
 and if the user is in that group I am to authenticate them even if they
 don't provide password or the password they provide is not true.

 What type of authentication?

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team


inactive users can authenticate

2013-06-26 Thread Mihajlo Joksimovic
Hi there,

I have an up-to-date Debian derivative with samba4.
The base_filter rule in the modules/ldap file is not accepted. There I
gave sambaacctflags but nothing happens. Still all users get accepted.
In Base_filter I can write what I want, it always, like, skips this point.
So everyone can log in, also the disabled accounts.

Kind regards
Mihajlo

-- 
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer

Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33







Re: Authenticate without password or wrong password

2013-06-26 Thread yzy-oui-fi
Does your protocol support MAC auth?

On Wednesday 26 June 2013 at 14:16 +0300, Omer Faruk SEN wrote:
 Hi ,
 
 I want some certain users to authenticate even if they don't provide a
 password or the password they enter is not right.
 
 
 
 
 Can you guide me on this please? I think I must put a user in to a
 group and if the user is in that group I am to authenticate them even
 if they don't provide password or the password they provide is not
 true.
 
 Regards.
 
 

Re: Authenticate without password or wrong password

2013-06-26 Thread Phil Mayers

On 26/06/13 12:54, Omer Faruk SEN wrote:

User Authentication for UserPassword


That's not a type of authentication.

For example, are you using EAP for 802.1x/Wi-Fi, and if so, which EAP 
outer and inner methods?



Re: inactive users can authenticate

2013-06-26 Thread Alan DeKok
Mihajlo Joksimovic wrote:
 i have an uptodate Debian derivate with samba4.
 The base_filter rule in the modules/ldap file is not accepted. There i
 gave sambaacctflags but nothing happens. still all users get accepted.
 in Base_filter I can write what I want, it always like skips this point.
 So everyone can login, also the disabled accounts.

  If only there was a way to debug this.  That was documented in the
man page.  Or the web pages.  Or daily on this list.

  Alan DeKok.


Re: inactive users can authenticate

2013-06-26 Thread Matt Zagrabelny
On Wed, Jun 26, 2013 at 9:27 AM, Alan DeKok al...@deployingradius.com wrote:
 Mihajlo Joksimovic wrote:
 i have an uptodate Debian derivate with samba4.
 The base_filter rule in the modules/ldap file is not accepted. There i
 gave sambaacctflags but nothing happens. still all users get accepted.
 in Base_filter I can write what I want, it always like skips this point.
 So everyone can login, also the disabled accounts.

   If only there was a way to debug this.  That was documented in the
 man page.  Or the web pages.  Or daily on this list.

That's funny. :)

Because Alan makes us smile, I'll add:

radiusd -X

-mz


Re: inactive users can authenticate

2013-06-26 Thread Arran Cudbard-Bell

On 26 Jun 2013, at 16:49, Mathieu Simon mathieu@gmail.com wrote:

 G'day all
 
 I've been working with Mihailo on this matter although he's been more into it
 I try to provide the data you ask for:
 
 Prelude:
 A Samba-disabled user has the following sambaAcctFlags in the LDAP Directory 
 during an ldapsearch i.e.:
 The user kw978 used for this is a disabled user and thus ldapsearch lists: 
 sambaAcctFlags: [UD ]
 A not-disabled user would  have: sambaAcctFlags: [U  ]
 
 The radtest command used was:
 radtest -x kw978 TestRadius1234$ localhost 10 testing123
 
 Now what follows is the output of 'freeradius -X' with the authentication 
 test.
 Using '-t mschap' doesn't change anything so I guess testing with PAP is 
 (yet?) ok.
 
 I hope that helps shed some light - as you can see base_filter is read
 while starting the daemon,
 but no matter what is set in base_filter, even invalid stuff, it's simply
 going to get ignored.
 
 The server does LDAP group matching with if-else unlang statements - removing
 them didn't change the behaviour so I don't think they're the cause.

Weird. Well if no one on the list can spot an obvious issue it's probably worth 
upgrading to 3.0.0 and using the module there. It's much better.

Else, have you tried the same query with something like ldapsearch?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Users credentials?

2013-06-26 Thread pedro moreno
Hi, I'm starting to check freeradius functions, I will return with more
questions, thanks!!!


On Tue, Jun 25, 2013 at 11:22 PM, yzy-oui-fi yzy-oui...@hotmail.fr wrote:

 On Wednesday 26 June 2013 at 00:59 +0100, Arran Cudbard-Bell wrote:

  this credentials with a php app in the background?

 Yes you could. you will just need to create a php condition that create
 the user into your database(radcheck table at least), that will be treaten
 as soon the html form is sent(when user click on the button) and just
 before your php code to send the redirection to the hotspot auth page.


Re: inactive users can authenticate

2013-06-26 Thread Phil Mayers
Couple of things:

IIRC the account control flags are checked by the mschap module, which I see 
is running before the LDAP lookup - try moving mschap after LDAP in authorise

Second, I can't remember if mschap checks the acct control flags in authorize 
or authenticate. If the latter you'll need to move away from using LDAP bind 
for auth
-- 
Sent from my phone with, please excuse brevity and typos

Re: eap sim authorization problem

2013-06-26 Thread raptor raptor
Hi, thanks for your reply.
I also tried using the patch in

http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh

but unfortunately, when I have already connected successfully with one
device and I try another device, the result is that the other device is
rejected by the server.

Any idea?

Thanks for your time and your answer.

Best regards




On Fri, Jun 21, 2013 at 6:31 PM, Iliya Peregoudov iperegu...@cboss.ru wrote:

 On 20.06.2013 17:56, raptor raptor wrote:

 my users format

 1510019760806391@wlan.mnc001.mcc510.3gppnetwork.org EAP-Type := SIM
 EAP-Sim-Rand1 = 0x 326258E6F77C40f3866DB25DEA60AE4D,
 EAP-Sim-SRES1 = 0x DD287535,
 EAP-Sim-KC1 = 0x 7F743521EBabb000,
 EAP-Sim-Rand2 = 0x FD9989BD90AD4a03962E6C08C000C14B,
 EAP-Sim-SRES2 = 0x BFf89ad2,
 EAP-Sim-KC2 = 0x 1C7098005Fea8c00,
 EAP-Sim-Rand3 = 0x 26CC8DB02C9848c7BBCC2790E3F0913B,
 EAP-Sim-SRES3 = 0x 17172cc6,
 EAP-Sim-KC3 = 0x BF34bf34D4ca4c00,


 Syntax error here. There should be no comma at the end of stanza. Due to
 comma next non-blank line is also considered to be part of this stanza. So
 next stanza (1510080325656501) will not be parsed correctly.


  rad_recv: Access-Request packet from host 192.168.2.1 port 2048, id=2, length=215
  User-Name = 1510080325656501@wlan.mnc008.mcc510.3gppnetwork.org
  NAS-IP-Address = 192.168.2.1
  Called-Station-Id = 48f8b315461a
  Calling-Station-Id = 001adc019b98
  NAS-Identifier = 48f8b315461a
  NAS-Port = 2
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  EAP-Message = 0x0238013135313030383033323536353635303140776c616e2e6d6e633030382e6d63633531302e336770706e6574776f726b2e6f7267
  Message-Authenticator = 0x1e6d83334fd94f359c5fda46d916ce7e


 [skipped]

  ++[files] returns noop


 rlm_files was unable to find stanza for 1510080325656501 due to before
 mentioned syntax error.


  [eap] processing type sim
 can not initiate sim, no RAND1 attribute


 EAP-Sim-Rand1 attribute is not found in reply list. I don't know why.
 rlm_sim_files earlier said that it successfully found auth vectors.
 Definitely rlm_sim_files not working as expected.

 Try to fix syntax error in users file.


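The trailing-comma mistake pointed out in the quoted reply above can be caught before the server loads the file. The check below is an added example, not code from the thread or from FreeRADIUS; the user names and hex values are constructed, and it assumes that every indented line is a reply item of the entry above it.

```python
# Constructed sample in the layout of the users file quoted above
# (names and vectors are made up, not the poster's).
SAMPLE_USERS = """\
# constructed example
user-a@example.org  EAP-Type := SIM
\tEAP-Sim-Rand1 = 0x00112233445566778899aabbccddeeff,
\tEAP-Sim-SRES1 = 0x01020304,
\tEAP-Sim-KC1 = 0x0102030405060708,

user-b@example.org  EAP-Type := SIM
\tEAP-Sim-Rand1 = 0xffeeddccbbaa99887766554433221100,
\tEAP-Sim-SRES1 = 0x0a0b0c0d,
\tEAP-Sim-KC1 = 0x1112131415161718
"""


def split_stanzas(text):
    """Return [(name, first_line_no, [(line_no, reply_item), ...]), ...]."""
    stanzas = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no items
        if raw[0] in " \t":
            # Indented line: a reply item of the entry above it.
            if stanzas:
                stanzas[-1][2].append((no, line.strip()))
        else:
            # Column-0 line: a new entry, name first, then check items.
            stanzas.append((line.split()[0], no, []))
    return stanzas


def find_trailing_commas(text):
    """Flag entries whose last reply item still ends with a comma."""
    stanzas = split_stanzas(text)
    findings = []
    for i, (name, _, replies) in enumerate(stanzas):
        if replies and replies[-1][1].endswith(","):
            nxt = stanzas[i + 1][0] if i + 1 < len(stanzas) else None
            findings.append({"stanza": name, "line": replies[-1][0],
                             "next_stanza": nxt})
    return findings


if __name__ == "__main__":
    for f in find_trailing_commas(SAMPLE_USERS):
        print(f"line {f['line']}: entry '{f['stanza']}' ends with ','; "
              f"next entry '{f['next_stanza']}' will not be parsed correctly")
```
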
Re: eap sim authorization problem

2013-06-26 Thread raptor raptor
Hi Iliya,
thanks for your answer.

I tried to fix the syntax error in the users file
and I also tried using the patch in

http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120914/13b2c044/attachment.ksh


but unfortunately,
the result is the same: my first device can connect to the internet and the second
device can't connect if my first device is already connected.

Thanks for your time and your answer.

Best regards



freeradius outer identity

2013-06-26 Thread val john
Hi guys,

I have a FreeRADIUS server that authenticates with LDAP, and the setup was working
fine,

but when the client specifies the outer identity (some dummy user name), the
RADIUS server takes that dummy user name as the actual username; because of
that, LDAP authentication fails.

(Authentication proceeds fine if the client does not specify any
outer identity.)

Can you guys please advise how to fix this issue?

Thank You
John