Re: How can i authenticate my users against Active Directory?
On Wed, Jun 29, 2005, Schuster Christian wrote:
> I googled a lot and found different hints how to implement this. (ntlm,
> pam-module), but no configuration example.

ntlm_auth works well and has been discussed several times on this list (look at the archives). You can look at my config files: http://ramiel.via.ecp.fr/~endy/config-radius.tar.bz2 (authorization using an external script + MSCHAPv2 ntlm_auth authentication + SQL accounting)

> Are there any manuals/helps or can someone describe me how to implement
> this?

I looked for such a manual for a while a few months ago, but I found nothing comprehensive :( I plan on writing something when I have more time.

--
Alexandre Coninx

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MAC+EAP authentication
On Mon, Jun 13, 2005, Jefri bin Dahari wrote:
> Hi,
>
> I plan to implement simultaneous MAC+EAP authentication for my wireless
> users. From my observation, Freeradius can only do either MAC or EAP but
> not MAC and EAP authentication. Can somebody give me some hints on how to
> do that?

I check the MAC address during the authorization using an external Perl script, and it works well.

--
Alexandre Coninx
Re: RADIUS Authentication
On Thu, Jun 09, 2005, "Ferreira, André" wrote:
> If RADIUS receives an ACCESS-REQUEST packet, but RADIUS does not
> authenticate against its own database but an external server, does it
> also send an ACCESS-REQUEST to the external server?

If your "external server" is a RADIUS server, yes it does. This is called RADIUS proxying: the server acts as a client for another RADIUS server.

> And does the external server send an ACCESS-ACCEPT with REPLY_MESSAGE
> information if authentication is successful?

What your external server does and returns is up to its configuration.

--
Alexandre Coninx
Re: Copyright and GPL infringement in tinyPEAP
On Sun, Jun 05, 2005, Alan DeKok wrote:
> Your web site http:/www.tinypeap.com is distributing binaries built
> at least in part from code that is derived from the FreeRADIUS server
> project (http://www.freeradius.org). I refer you to the following
> URL's:
>
> http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=5649

Is there any news about this probable GPL infringement? I would be glad to be informed of any news from the people from tinypeap.com.

--
Endy
Re: windows 2000 supplicants and FreeRADIUS
On Tue, May 24, 2005, jay macias wrote:
> i've successfully set up windows xp supplicants; however, i'm stumped on
> getting win2k to work. thank you in advance!!!

Unfortunately, there is no integrated WPA supplicant in Windows 2000. You will have to use an external supplicant. Until now, I haven't found any free software doing that. There is a (proprietary) W2K WPA software available there: http://www.wirelesssecuritycorp.com/wsc/public/WPAAssistant.do . The basic version that does WPA-PSK is available at no cost (I didn't test it), but you must pay for the version with WPA-RADIUS support.

--
Alexandre Coninx
Re: Attribute "User-Password" is required for authentication.
On Thu, Apr 14, 2005, Bob Mancker wrote:
> I am currently working on a vpn server, and I use pptpd with freeradius and
> trying to get pam authentication working. I want to setup freeradius
> with pam authentication because I want to limit simultaneous logins
> per user to 1. The two odd things I notice are this in
> /var/log/messages:
> Apr 15 11:12:30 server pppd[11599]: rc_avpair_new: unknown attribute 11
> Apr 15 11:12:30 server pppd[11599]: rc_avpair_new: unknown attribute 25

I've already faced this problem; it's not linked with freeradius, but with the libradius (radius client), whose dictionaries don't implement Microsoft's VSA by default. You must add a dictionary.microsoft file in your libradius dir (usually /etc/radiusclient) and add the "INCLUDE /etc/radiusclient/dictionary.microsoft" in your /etc/radiusclient/dictionary file.

You can't copy directly freeradius' dictionary.microsoft file to /etc/radiusclient: the formats are similar but not exactly the same. I spent a little time figuring out the differences between the two formats and adapting FR's dictionary.microsoft to be used by libradius; you can get my adapted file at http://ramiel/~endy/dictionary.microsoft

The format may depend on libradius' version, so I don't guarantee anything. It's really a pain that there is no standard format (yet?) for dictionary files.

--
Alexandre Coninx
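The two attribute numbers pppd complains about are Microsoft VSAs 11 (MS-CHAP-Challenge) and 25 (MS-CHAP2-Response), which is why a plain libradius dictionary cannot decode them. The adapted file linked above is not reproduced here; instead, as an added example (not the poster's script nor anything shipped by FreeRADIUS or radiusclient), here is a small Python converter that parses a dictionary written in FreeRADIUS syntax, resolves a (vendor, number) pair such as (311, 11) to a name, and writes the attributes out in the radiusclient layout. The target layout (vendor name as a trailing column, no BEGIN-VENDOR block, no flags column, and no "octets" type) is my reading of libradius dictionaries and is an assumption; as the poster says, it varies by version, so compare the output with the /etc/radiusclient/dictionary your libradius ships before using it. The sample dictionary is constructed; its attribute numbers follow RFC 2548.

```python
"""Convert a FreeRADIUS-syntax dictionary into the radiusclient layout.

Added example (not the adapted file from the post). The target layout is an
ASSUMPTION about libradius; check it against your own installed dictionary."""

# Assumed: radiusclient knows only these types; FreeRADIUS's "octets"
# (opaque binary) has to be declared as "string" there.
TYPE_MAP = {"octets": "string", "string": "string", "integer": "integer",
            "ipaddr": "ipaddr", "date": "date"}

# Constructed excerpt in FreeRADIUS syntax, mixing the 1.x trailing-vendor
# column with the later BEGIN-VENDOR block form and an "encrypt=2" flag.
FREERADIUS_SAMPLE = """\
VENDOR\t\tMicrosoft\t311

ATTRIBUTE\tMS-CHAP-Response\t1\toctets\tMicrosoft
ATTRIBUTE\tMS-CHAP-Error\t\t2\tstring\tMicrosoft

BEGIN-VENDOR\tMicrosoft
ATTRIBUTE\tMS-CHAP-Challenge\t11\toctets
ATTRIBUTE\tMS-BAP-Usage\t\t13\tinteger
ATTRIBUTE\tMS-MPPE-Send-Key\t16\toctets\tencrypt=2
ATTRIBUTE\tMS-CHAP2-Response\t25\toctets
ATTRIBUTE\tMS-CHAP2-Success\t26\toctets
END-VENDOR\tMicrosoft

VALUE\t\tMS-BAP-Usage\t\tNot-Allowed\t0
VALUE\t\tMS-BAP-Usage\t\tAllowed\t\t1
"""


def parse_freeradius(text):
    """Parse VENDOR / ATTRIBUTE / VALUE lines in FreeRADIUS syntax.

    A trailing ATTRIBUTE column without "=" is a vendor name (1.x form);
    one containing "=" (e.g. encrypt=2) is a flag and is dropped."""
    vendors, attrs, values = {}, [], []
    block_vendor = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kw = fields[0].upper()
        if kw == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif kw == "BEGIN-VENDOR":
            block_vendor = fields[1]
        elif kw == "END-VENDOR":
            block_vendor = None
        elif kw == "ATTRIBUTE":
            name, number, ftype = fields[1], int(fields[2]), fields[3]
            vendor = block_vendor
            if len(fields) > 4 and "=" not in fields[4]:
                vendor = fields[4]
            attrs.append((name, number, ftype, vendor))
        elif kw == "VALUE":
            values.append((fields[1], fields[2], int(fields[3])))
        elif kw in ("$INCLUDE", "INCLUDE"):
            continue  # nested files are not followed in this example
        else:
            raise ValueError("line %d: unsupported keyword %r" % (lineno, fields[0]))
    return {"vendors": vendors, "attributes": attrs, "values": values}


def attribute_name(dictionary, vendor_id, number):
    """Map (vendor id, attribute number), the numbers pppd prints in
    'unknown attribute N', to the attribute name; None if not declared."""
    ids = {vid: name for name, vid in dictionary["vendors"].items()}
    vendor = ids.get(vendor_id)
    if vendor_id and vendor is None:
        return None
    for name, num, _ftype, vend in dictionary["attributes"]:
        if num == number and vend == vendor:
            return name
    return None


def emit_radiusclient(dictionary):
    """Render the parsed dictionary in the assumed radiusclient layout."""
    lines = ["# generated from FreeRADIUS syntax; check types against your libradius"]
    for name, vid in dictionary["vendors"].items():
        lines.append("VENDOR\t%s\t%d" % (name, vid))
    for name, number, ftype, vendor in dictionary["attributes"]:
        if ftype not in TYPE_MAP:
            raise ValueError("%s: no radiusclient equivalent for type %s" % (name, ftype))
        if vendor is not None and vendor not in dictionary["vendors"]:
            raise ValueError("%s: undeclared vendor %s" % (name, vendor))
        cols = ["ATTRIBUTE", name, str(number), TYPE_MAP[ftype]]
        if vendor is not None:
            cols.append(vendor)
        lines.append("\t".join(cols))
    for attr, vname, value in dictionary["values"]:
        lines.append("VALUE\t%s\t%s\t%d" % (attr, vname, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(emit_radiusclient(parse_freeradius(FREERADIUS_SAMPLE)), end="")
```

Run it against the real FreeRADIUS dictionary.microsoft and diff the output with the file your libradius accepts; any line the converter refuses (an unknown type, an undeclared vendor) is exactly a spot where the two formats diverge and needs a manual decision.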
Re: Authentication problem with ntlm_auth
On Wed, Apr 13, 2005, Sylvain Clerc wrote:
> rlm_mschap: Told to do MS-CHAPv2 for radius with NT-Password
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=radius'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=radius
> password:

Your ntlm_auth command line is incorrect: you only supply the username, so ntlm_auth runs in interactive mode and asks you the password. You should supply the Challenge and NT-Response attributes from the EAP-MSCHAPv2 packet too. Try to modify the mschap section of your radiusd.conf by setting something like:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

--
Alexandre Coninx
Re: Freeradius & Active Directory?
On Thu, Apr 07, 2005, Sylvain Clerc wrote:
> Hello all,
>
> My Freeradius server works quite well with system accounts but I must link an
> Active Directory database to my server.
> So, in view of that, I would like some information:
>
> 1- I must work in eap-ttls mode (with md5 in the "tunneled encryption"), is
> it compatible with Active Directory?

If I remember correctly, Windows domain controllers can't understand anything but NT-encrypted passwords and cleartext passwords. Sorry.

> 3- Has someone already had to configure freeradius like this?
>
> 4- If this configuration is impossible, what type of configuration for
> freeradius can I use?

I authenticate the users against a Windows (AD) domain with PEAP + MSCHAPv2 + ntlm_auth. It works well.

--
Alexandre Coninx
Re: PEAP authentication + Windows DOMAIN
On Wed, Apr 06, 2005, Israel Fabio Alves wrote:
> Hi,
>
> I try to authenticate user Windows XP + PEAP + MSCHAPV2. The
> authentication using user + password + domain.
>
> Always occurs the same error: rlm_eap: Identity does not match User-Name,
> setting from EAP Identity.

It means that the user name in the EAP message is different from the value of the User-Name RADIUS attribute. That's strange. Maybe your NAS is broken or misconfigured and does weird things.

--
Alexandre Coninx
Re: Freeradius 1.0.0 PEAP SP2
On Tue, Mar 29, 2005, Mametz Laurent wrote:
> Hello,
>
> I want to make an authentication with PEAP TLS.
> I think that my tls tunnel works fine, but I can't authenticate any user
> from my windows XP SP2. I have an AP netgear WG302, and my freeradius
> runs on Mandrake 10.1.
> I read the FAQ and the news but I am still in the dark...
> My conf.
> users
> ---
> toto	User-Password == "toto"

That is useless if you just want to authenticate by validating the client SSL certificate.

> eap.conf
>
> eap {
>	peap {
>		default_eap_type = mschapv2
>	}
> }
>
>	mschapv2 {
>	}

Your freeradius is configured to do PEAP MSCHAPv2 by default, and not PEAP TLS. I suppose it's just a default behavior and it won't interfere if the supplicant explicitly requests PEAP TLS, but maybe you should disable the MSCHAP stuff and set default_eap_type = tls in the PEAP section. It would make your config file cleaner, if nothing else.

> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> eaptls_verify returned 3
> eaptls_process returned 3
>	TLS_accept:error in SSLv3 read client certificate A
> rlm_eap_peap: EAPTLS_SUCCESS
> modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 27 to 134.214.202.181:1035

I don't know OpenSSL and its obscure error messages well, but it seems to have a problem with your client certificate. If I were you, I would check that the right certificate and authentication method are selected in the client's configuration.

--
Alexandre Coninx
Re: authentication by mac adress, username and password
On Sat, Mar 19, 2005, Chris Knipe wrote:
> One thing that I cannot for the love of life find... What is the script
> supposed to return to FR, and how?

First, the exec module looks at the script's exit code and returns ok if it is 0 or failed otherwise. That is the only thing I use. (BTW, it would be nice to have specific exit codes make the module return other codes like noop.)

But initially, I planned to return value pairs to FR, and had the same problem as you. I quickly looked at the code, and if I remember well, FR simply expects the script to return value pairs by writing them to the standard output, separated by carriage returns or commas. But I am a poor C coder and didn't test that, so I have no certitude.

--
Alexandre Coninx
Re: authentication by mac adress, username and password
On Fri, Mar 18, 2005, Chris Knipe wrote:
> Why not just use Calling-Station-Id as a check item???

In fact, the logins and MAC addresses are in a PostgreSQL database, along with much other data about our users. I certainly could have used the postgresql module (and I will probably try later), but I used an external script partly out of laziness, and partly because when a user fails authorization, I want to do and log different things depending on the cause of the failure (unknown MAC, MAC owned by another user, disabled account, ...).

> --
> Chris.

--
Endy
"You need a good reason to cry, but none to smile."
Re: authentication by mac adress, username and password
On Thu, Mar 17, 2005, Markus Krause wrote:
> hi all,
>
> i want to authenticate users at a cisco router by checking the mac-address, the
> username and the password. (how) can this be done using freeradius?

Hello,

I manage to do that by first checking the MAC during the authorization process with an external script (using the exec module), and then authenticating the user with user/password with whatever method you want to use (in my case PEAP-MSCHAPv2 + ntlm_auth, but any other should work).

My radiusd.conf looks like this:

modules {
	...
	exec mac_check {
		wait = yes
		program = "/path/to/your/script.pl %{User-Name} %{Calling-Station-Id}"
		input_pairs = request
		output_pairs = reply
		packet_type = Access-Request
		...
	}
}

authorize {
	preprocess
	auth_log
	mac_check
	mschap
	eap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}

The script is a simple Perl script that connects to our members database, checks if the MAC is registered and belongs to the member trying to connect, and refuses (exit 1;) or accepts (exit 0;) authorization based on that.

There is probably a cleaner way to do that, but it works well.

--
Endy
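The poster's Perl script is not on the page, so here is an added example of what the program behind that mac_check module can look like, written in Python rather than Perl and using the return conventions described in the Mar 19 reply above (exit 0 means ok, anything else means fail; value pairs, if any, go to stdout). The members database is replaced by a constructed in-memory table; the "Attribute = value" one-pair-per-line output form is an assumption, and so is the Reply-Message text. Two points a practitioner should keep in mind: Calling-Station-Id arrives in whatever spelling the NAS vendor chose (00-11-22-33-44-55, 0011.2233.4455, 001122334455, upper or lower case), so the MAC must be canonicalized before it is compared with the database, or legitimate users are rejected; and a MAC address is trivially spoofed, so this check enforces registration and account state, while the actual authentication is still the PEAP-MSCHAPv2 exchange that follows. Because the module runs with wait = yes, the script executes synchronously inside every Access-Request, so keep the lookup fast.

```python
#!/usr/bin/env python3
"""Hypothetical rlm_exec authorization script for the mac_check module
(added example; the poster's own script is in Perl and not reproduced).

radiusd runs it as:  mac_check.py <User-Name> <Calling-Station-Id>
Exit status 0 makes the exec module return ok, anything else fail."""
import re
import sys

# Constructed sample data standing in for the PostgreSQL members table:
# login -> (registered MAC, account enabled).
MEMBERS = {
    "alice": ("00:11:22:33:44:55", True),
    "bob":   ("66:77:88:99:aa:bb", True),
    "carol": ("cc:dd:ee:ff:00:11", False),
}


def normalize_mac(raw):
    """Canonicalize Calling-Station-Id to aa:bb:cc:dd:ee:ff, accepting the
    dash, dot, bare and colon spellings different NAS vendors send.
    Returns None when the value does not contain exactly 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check(username, calling_station_id, members=MEMBERS):
    """Return (ok, reason) for one request.

    The reason separates the failure causes the poster wants to log
    (unknown MAC, MAC owned by someone else, disabled account); it is for
    the server log only and must never be echoed to the client."""
    # Strip DOMAIN\user or user@realm decoration before the lookup.
    user = username.split("\\")[-1].split("@")[0].lower()
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False, "malformed Calling-Station-Id %r" % calling_station_id
    owner = next((u for u, (m, _enabled) in members.items() if m == mac), None)
    if owner is None:
        return False, "unknown MAC %s" % mac
    if owner != user:
        return False, "MAC %s owned by %s, not %s" % (mac, owner, user)
    if not members[user][1]:
        return False, "account %s is disabled" % user
    return True, "ok"


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: mac_check.py <User-Name> <Calling-Station-Id>\n")
        return 2
    ok, reason = check(argv[1], argv[2])
    # stderr ends up in radiusd's log; keep the cause there, not in the reply.
    sys.stderr.write("mac_check: user=%s csid=%s: %s\n" % (argv[1], argv[2], reason))
    if not ok:
        return 1
    # With output_pairs = reply, pairs printed on stdout are added to the
    # reply; the "Attribute = value" one-per-line form is assumed here.
    sys.stdout.write('Reply-Message = "MAC check passed"\n')
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, point the program line of the exec module above at this file and replace the MEMBERS table with the database query; the exit codes and the stdout convention stay the same.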
Re: Help with PEAP
On Mon, Mar 14, 2005, Israel Fabio Alves wrote:
> rlm_realm: Looking up realm "TESTE" for User-Name = "[EMAIL PROTECTED]"
> rlm_realm: Found realm "TESTE"
> rlm_realm: Adding Stripped-User-Name = "israel"
> rlm_realm: Proxying request from user israel to realm TESTE
> rlm_realm: Adding Realm = "TESTE"
> rlm_realm: Preparing to proxy authentication request to realm "TESTE"
> modcall: group pre-proxy returns ok for request 0
> Sending Access-Request of id 0 to 127.0.0.1:1812

That's weird. It seems that freeradius proxies the request to itself when it finds the realm. I don't know how and against what you want to authenticate, but that is probably not the desired behavior.

I use PEAP + MSCHAPv2 with login/password authentication against the NT domain controllers. I don't know if that is exactly what you want to do or not, but the relevant configuration files are available at http://ramiel.via.ecp.fr/~endy/config-radius.tar.gz if you want to have a look.

hth,

--
Endy
Re: FreeRadius eap-peap problem
On Thu, Feb 24, 2005, Patrice PAPOT wrote:
> Hi All,
> I use freeradius 1.0.2 in Eap-peap.
> My hardware configuration is: PDA --> AP Cisco ---> Freeradius
> No error in the log but I have a popup on the PDA saying the
> certificate of the server has been issued by an unrecognized
> authority.

If you use the dummy certificates provided with FreeRadius, that's normal. You should turn off server certificate validation or install the dummy root CA certificate on your PDA during the tests, and use true certificates later. If you have already done that, it's strange but it is probably a problem with your PDA, not with FreeRADIUS. What OS and software does it run?

--
Endy
Re: Active directory + users files
On Tue, Feb 22, 2005, Alexandre Durand wrote:
> Hi,
>
> I want to connect Active Directory users with freeradius and PEAP. I use
> samba with winbind to do this. In fact I use the ntlm_auth command.
>
> But now I don't know how to configure the users file to connect Active
> Directory users.

You don't have to configure anything in the users file to make AD authentication work. You can even disable the "files" module. What you should enable and/or configure is eap, tls, peap and mschap.

--
Endy
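Putting the pieces from this and the earlier replies together (the ntlm_auth command line from the Apr 13 reply, the eap/tls/peap/mschap modules named here, and the authorize/authenticate sections from the Mar 17 reply), the following is a minimal FreeRADIUS 1.x configuration for PEAP + MSCHAPv2 against an AD domain through winbind. It is an added example, not the poster's tarball: EXAMPLE stands for your NetBIOS domain name, the certificate file names are those of the demo certificates shipped with 1.x, and the key password is a placeholder. Two checks worth doing before blaming the configuration: the user radiusd runs as must be able to read Samba's winbindd_privileged directory, otherwise --request-nt-key fails even though the same ntlm_auth command works from a root shell; and the demo certificates are for testing only, so replace them before production and keep server certificate validation enabled on the supplicants, since a rogue access point presenting any certificate can otherwise collect the MSCHAPv2 exchange.

```text
# radiusd.conf, modules section (added example, FreeRADIUS 1.x syntax)
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	# Challenge and NT-Response come from the EAP-MSCHAPv2 packet; the
	# ":-" fallbacks keep the command line well-formed when a field is
	# absent. EXAMPLE is a placeholder for the NetBIOS domain name.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# eap.conf
eap {
	default_eap_type = peap
	tls {
		# demo certificates shipped with 1.x; replace before production
		private_key_password = whatever
		private_key_file = ${raddbdir}/certs/cert-srv.pem
		certificate_file = ${raddbdir}/certs/cert-srv.pem
		CA_file = ${raddbdir}/certs/demoCA/cacert.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
	}
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

# radiusd.conf, no "files" module needed for AD users
authorize {
	preprocess
	mschap
	eap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

Test the winbind side first with "ntlm_auth --request-nt-key --username=someuser --domain=EXAMPLE" as the radiusd user, not as root; if that prompts for a password and answers NT_STATUS_OK, the RADIUS side can be debugged with radiusd -X knowing the domain lookup itself works.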