Re: Specific User Trace and multiple radiusd instances
On 15/05/2012 02:34, 全球无线联盟 wrote:
> 2. We tried to run multiple radiusd at same server while the second failed. Can anyone advise how to configure the server to run multiple radiusd simultaneously?

Why do you need to do this? FreeRADIUS has virtual-server functionality, so you can create separate logical instances running in a single daemon.

-James

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MSCHAP Errors
On 11/05/2012 13:35, Phil Mayers wrote:
> On 11/05/12 13:10, sgilmour wrote:
>> --nt-response=46eb0f981a6121ad65e5726b0ee0e2097d610172204c7f24
>> Fri May 11 08:08:13 2012 : Debug: Exec-Program output: Access denied (0xc022)
>> Fri May 11 08:08:13 2012 : Debug: Exec-Program-Wait: plaintext: Access denied (0xc022)
>> Fri May 11 08:08:13 2012 : Debug: Exec-Program: returned: 1
>> Fri May 11 08:08:13 2012 : Info: [mschap] External script failed.
>> Fri May 11 08:08:13 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> The ntlm_auth helper is returning errors. Try the command from the CLI and examine the output. Check the permissions on the winbind socket (google for details) and SELinux contexts, if applicable.

AD can return 0xc022 when, for example, the domain controller that ntlm_auth/winbind is talking to cannot contact the PDC. If you are continuing to have issues, and have completed Phil's suggestions, check the logs on your domain controllers for anomalies.

-James
MS-CHAPv2, allow_retry=yes, but no code to handle the retry?
Hi All,

FR 2.1.x Git, doing PEAP against AD via ntlm_auth.

I thought that with:

allow_retry = yes [in modules/mschap]
and
send_error = yes [in modules/eap]

...FR has the functionality to take the second password attempt, and re-try it against AD, i.e. the scenario outlined in section 9.1.4 of RFC2759: http://tools.ietf.org/html/rfc2759#section-9.1.4

I can't get it to work: configuring as above does indeed make Windows re-prompt for the password if the first attempt is bad, but when this comes back to FR, nothing seems to be done with it.

I've had a look at the code. From the little I can understand of it, the new challenge is generated into 'buffer', and sent back to the client in the MS-CHAP-Error attribute (C=new-challenge). However the challenge in buffer is not then put somewhere safe until the client sends its response against the new challenge [having re-prompted the user for the correct password], and when the response comes in it isn't sent to do_mschap().

Am I mistaken and this functionality hasn't been written yet? ...or have I mis-configured something?

Debug snippet appended.
Thanks,
James

## INITIAL ATTEMPT WITH BAD PASSWORD:

Debug: modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 629
Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 9 length 80
Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going EAP conversation
Debug: modsingle[authorize]: returned from eduroamlocaleap-bris-ca (rlm_eap) for request 629
Debug: +++[eduroamlocaleap-bris-ca] returns updated
Debug: ++- else else returns updated
Debug: Found Auth-Type = eduroamlocaleap-bris-ca
Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: +- entering group eduroamlocaleap-bris-ca {...}
Debug: modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 629
Debug: [eduroamlocaleap-bris-ca] Request found, released from the list
Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2
Debug: [eduroamlocaleap-bris-ca] processing type mschapv2
Debug: [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: [mschapv2] +- entering group MS-CHAP {...}
Debug: [mschapv2] modsingle[authenticate]: calling eduroamlocalmschap (rlm_mschap) for request 629
Debug: [eduroamlocalmschap] Creating challenge hash with username: jh01...@bristol.ac.uk
Debug: [eduroamlocalmschap] Told to do MS-CHAPv2 for jh01...@bristol.ac.uk with NT-Password
Debug: [eduroamlocalmschap] expand: %{Stripped-User-Name} -> jh01761
Debug: [eduroamlocalmschap] expand: --username=%{%{Stripped-User-Name}:-%{eduroamlocalmschap:User-Name}} -> --username=jh01761
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function of module eduroamlocalmschap for string 'Challenge'
Debug: [eduroamlocalmschap] Creating challenge hash with username: jh01...@bristol.ac.uk
Debug: [eduroamlocalmschap] expand: --challenge=%{eduroamlocalmschap:Challenge} -> --challenge=3db717d83ec4e184
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function of module eduroamlocalmschap for string 'NT-Response'
Debug: [eduroamlocalmschap] expand: --nt-response=%{eduroamlocalmschap:NT-Response} -> --nt-response=0b7588b2a33b43f7379d4bded3d69adcfbe5da07911b8485
Debug: [eduroamlocalmschap] External script failed.
Debug: [eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
Debug: modsingle[authenticate]: returned from eduroamlocalmschap (rlm_mschap) for request 629
Debug: ++[eduroamlocalmschap] returns reject
Debug: ++? if (reject)
Debug: RECURSING WITH ... reject)
Debug: LOOKING AT reject)
Debug: Comparison returned 1
Debug: ? Evaluating (reject) -> TRUE
Debug: GOT result 1
Debug: AT EOL -> 1
Debug: AFTER RECURSION ... )
Debug: AT EOL -> 1
Debug: ++? if (reject) -> TRUE
Debug: ++- entering if (reject) {...}
Debug: ::: FROM 1 TO 25 MAX 26
Debug: ::: Examining UOB-Info-Type
Debug: ::: APPENDING UOB-Info-Type FROM 0 TO 25
Debug: ::: TO in 25 out 26
Debug: ::: to[0] = EAP-Message
Debug: ::: to[1] = FreeRADIUS-Proxied-To
Debug: ::: to[2] = User-Name
Debug: ::: to[3] = State
Debug: ::: to[4] = Calling-Station-Id
Debug: ::: to[5] = Called-Station-Id
Debug: ::: to[6] = NAS-Port
Debug: ::: to[7] = Cisco-AVPair
Debug: ::: to[8] = NAS-IP-Address
Debug: ::: to[9] = NAS-Identifier
Debug: ::: to[10] = Airespace-Wlan-Id
Debug: ::: to[11] = Service-Type
Debug: ::: to[12] = Framed-MTU
Debug: ::: to[13] = NAS-Port-Type
Debug: ::: to[14] = Tunnel-Type
Debug: ::: to[15] = Tunnel-Medium-Type
Debug: ::: to[16] = Tunnel-Private-Group-Id
Debug: ::: to[17] = UOB-Stripped-MAC
Debug: ::: to[18] = Stripped-User-Name
Debug: ::: to[19] = Realm
Debug: ::: to[20] = EAP-Type
Debug: ::: to[21] = MS-CHAP-Challenge
Debug: ::: to[22] = MS-CHAP2-Response
Debug: ::: to[23] = NTLM-User-Name
Debug: ::: to[24] = Module-Failure-Message
Debug: ::: to[25] = UOB-Info-Type
Debug: +++[request] returns reject
Debug:
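The retry flow described in this post, as an added example that is not code from FreeRADIUS or from the original poster: a small Python model of the server side of RFC 2759 section 9.1.4. It keeps the fresh challenge it sent in the MS-CHAP-Error in the session, so the client's second response is checked against that challenge rather than the stale one, and it parses and emits the `E=... R=... C=... V=... M=...` string of RFC 2759 section 6 (with the optional leading ident octet that FreeRADIUS puts in front of `E=`, which is why the poster's sscanf starts with `%*c`). The password check itself is a stand-in (HMAC-SHA256 of the challenge under the password), because the real NT-Response needs MD4, DES and either ntlm_auth or the NT hash; the retry limit, the ident numbering and the sample strings are assumptions of this example.

```python
"""Server-side model of an MS-CHAPv2 password retry (RFC 2759 section 9.1.4)."""
import hashlib
import hmac
import os
import re

ERROR_AUTH_FAILURE = 691   # E=691: authentication failed (RFC 2759 section 6)

# "<ident>E=<err> R=<0|1> C=<32 hex> V=<ver> M=<msg>"; the optional leading octet
# is the ident FreeRADIUS prepends. The challenge must be exactly 32 hex digits.
_MSCHAP_ERROR = re.compile(
    r"^.?E=(?P<err>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9A-Fa-f]{32}) V=(?P<ver>\d+)"
    r"(?: M=(?P<msg>.*))?$",
    re.DOTALL,
)


def parse_mschap_error(value: str) -> dict:
    """Decode an MS-CHAP-Error string; reject anything without a full 16-byte challenge."""
    m = _MSCHAP_ERROR.match(value)
    if m is None:
        raise ValueError("malformed MS-CHAP-Error: %r" % value)
    return {
        "error": int(m["err"]),
        "retry": m["retry"] == "1",
        "challenge": bytes.fromhex(m["chal"]),
        "version": int(m["ver"]),
        "message": m["msg"] or "",
    }


def format_mschap_error(ident: int, error: int, retry: bool, challenge: bytes) -> str:
    """Build the failure string in the RFC 2759 E=/R=/C=/V=/M= form, ident first."""
    return "%cE=%d R=%d C=%s V=3 M=FAILED" % (ident, error, int(retry), challenge.hex().upper())


def stand_in_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the supplicant's NT-Response. RFC 2759 section 8.5 uses DES over the
    MD4 NT hash; HMAC-SHA256 is used here only so the example runs without ntlm_auth."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def verifier_for(password: str):
    """Server-side stand-in for ntlm_auth/do_mschap(): it knows the user's secret."""
    def verify(challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(stand_in_response(password, challenge), response)
    return verify


class MschapV2Session:
    """One EAP-MSCHAPv2 conversation on the server."""

    def __init__(self, verify, allow_retry: bool = True, max_retries: int = 2):
        self._verify = verify
        self._retries_left = max_retries if allow_retry else 0   # assumed cap
        self.ident = 1
        self.challenge = os.urandom(16)   # authenticator challenge of the current round
        self.finished = False

    def handle_response(self, nt_response: bytes):
        """Return ("accept", None), ("retry", MS-CHAP-Error) or ("reject", MS-CHAP-Error)."""
        if self.finished:
            raise RuntimeError("conversation already finished")
        if self._verify(self.challenge, nt_response):
            self.finished = True
            return "accept", None
        if self._retries_left > 0:
            self._retries_left -= 1
            # The point raised on the list: the challenge sent in C= must replace the
            # stored one *before* the retry arrives, otherwise the retry is compared
            # against the old challenge and can never pass.
            self.challenge = os.urandom(16)
            self.ident += 1
            return "retry", format_mschap_error(self.ident, ERROR_AUTH_FAILURE, True, self.challenge)
        self.finished = True
        return "reject", format_mschap_error(self.ident, ERROR_AUTH_FAILURE, False, self.challenge)


def run_supplicant(session: MschapV2Session, password_attempts) -> list:
    """Drive a session like a supplicant re-prompting the user: each attempt answers
    the challenge the server last sent. Returns the outcome of every round."""
    outcomes = []
    challenge = session.challenge
    for password in password_attempts:
        outcome, error = session.handle_response(stand_in_response(password, challenge))
        outcomes.append(outcome)
        if outcome != "retry":
            break
        challenge = parse_mschap_error(error)["challenge"]   # pick up C= for the next round
    return outcomes
```

With `allow_retry=False` the first failure is a straight reject, which is what the poster saw even with `allow_retry = yes`: the server generated the new challenge but never stored it, so the second round had nothing to verify against.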
Re: MS-CHAPv2, allow_retry=yes, but no code to handle the retry?
On 11/04/2012 17:24, James J J Hooper wrote: Hi All, FR 2.1.x Git, doing PEAP against AD via ntlm_auth. I thought that with: allow_retry = yes [in modules/mschap] and send_error = yes [in modules/eap] ...FR has the functionality to take the second password attempt, and re-try it against AD i.e. The scenario outlined in section 9.1.4 of RFC2759: http://tools.ietf.org/html/rfc2759#section-9.1.4 I can't get it to work: Configuring as above does indeed make Windows re-prompt for the password if the first attempt is bad, but when this comes back to FR, nothing seems to be done with it. I've had a look at the code. From the little I can understand of it, the new challenge is generated into 'buffer', and sent back to the client in the MS-CHAP-Error attribute (C=new-challenge). However the challenge in buffer is not then put somewhere safe until the client sends it's response against the new challenge [having re-prompted the user for the correct password], and when the response comes in it isn't sent to do_mschap() Am I mistaken and this functionality hasn't been written yet? ...or have I mis-configured something? Ok - More delving into the code (rlm_eap_mschapv2.c) seems to indicate that the bits missing in 2.1.x are possibly there in FR3: + + /* +* Pxarse the new challenge out of the +* MS-CHAP-Error, so that if the client +* issues a re-try, we will know which +* challenge value that they used. +*/ + n = sscanf(response-vp_strvalue, %*cE=%d R=%d C=%32s, err, retry, buf[0]); + if (n == 3) { +DEBUG2( Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s, err, retry, buf); + fr_hex2bin(buf, data-challenge, 16); + } else { + DEBUG2( Could not parse new challenge from MS-CHAP-Error: %d, n); + } So I'll see about getting an FR3 test instance going :) -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
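Review bot: In the sscanf hunk, a return value of 3 is taken as a fully parsed challenge, but `%32s` stops at the first whitespace and accepts any non-space characters, so a `C=` field shorter than 32 characters or containing non-hex characters still reaches `fr_hex2bin(buf, data->challenge, 16)` and converts fewer than 16 bytes, leaving the tail of `data->challenge` unset for the retry round. Suggest checking `strlen(buf) == 32` and that every character is a hex digit before the conversion, routing anything else to the same path as the `n != 3` case, and sizing `buf` for at least 33 bytes so the NUL that `%32s` writes fits. Minor: the comment reads `Pxarse`, should be `Parse`.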
Minor typo in master/raddb/mods-available/mschap
--- mschap-orig 2012-04-08 00:39:44.0 +0100 +++ mschap-new 2012-04-08 00:41:06.0 +0100 @@ -78,3 +78,3 @@ # ntlm_auth_username = username: %{mschap:User-Name} -# ntlm_auth_domain = username: %{mschap:NT-Domain} +# ntlm_auth_domain = nt-domain: %{mschap:NT-Domain} -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
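Review bot: The fix is right: the `username:` key on the `ntlm_auth_domain` line was evidently copied from the `ntlm_auth_username` line above it, and the replacement `nt-domain:` matches what the option name says the line carries. The hunk header `@@ -78,3 +78,3 @@` announces three lines of old and new text, but only the `ntlm_auth_username` context line and the `-`/`+` pair are visible here, so check that the trailing context line survived the mail before applying it.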
Re: Zombie Clarification
On 24/03/2012 13:13, Alan Buxey wrote:
> Hi,
> there was never any more on this thread, so just to add some final info
>
>>> Now, for whatever reason, the Windows box decides to discard some requests. Unfortunately, the error reporting is pretty weak (discarding invalid request). Our Windows guys are digging into this. It seems to be client specific, we suspect something with our recently changed certificate.
>>
>> I don't see how. Normal RADIUS doesn't use certificates.
>>
>> And if your home server *randomly* discards requests, then your priority should be to fix that. No amount of poking FreeRADIUS will make the home server magically work. No amount of poking FreeRADIUS will work around the fact that the home server is broken.
>
> Microsoft decided, in their wisdom, to just discard packets that aren't right. This affects IAS and NPS. If your policy says, for example, NAS-Port-Type = Wireless-802.11 and the packet doesn't have that attribute... or it's not Wireless-802.11... then the packet is just silently dropped. The RADIUS proxies throughout the proxy chain then think the server is dead; status-server kicks in... oh, guess what, they don't support that, so it stays marked dead. The remote proxies might be lucky... as their status-server will be answered by the proxy above them... which, if it's FreeRADIUS or RADIATOR, *will* respond in some way to show they are alive.
>
> IAS and NPS are a mess with proxied RADIUS - especially when there are policies involved.

Further to what Alan says above: IAS/NPS can report "invalid request" if it contains an attribute not in their dictionaries, or an attribute where the value does not match the type in their dictionaries. As the NPS and IAS dictionaries are old, don't match the RFCs, and it seems MS never update the dictionaries, this means NPS and IAS discard a lot of valid packets! If you are proxying to IAS or NPS, filter the attributes very carefully before they hit the MS RADIUS servers.

Regards,
James
Re: How to Restrict All Users from Certain APs
On 25/01/2012 20:35, White III, Joe wrote:
> I'm running Freeradius 1.0.1 using MySQL as the database backend. I need to configure the server so that all users are restricted from using certain access points (i.e. guest network). It appears I need to use a DEFAULT user definition in the users file, but I can't find any examples to work from. Has someone else done this? If so, I'd give anything to see how you did it.

Generally, you can only do this if the requests from those certain APs have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject. Something like... as documented!: https://github.com/alandekok/freeradius-server/blob/master/raddb/users

If you are really still using 1.0.1 (Sept 2004!?), please do upgrade. Apart from the technical/security aspects, the current published documentation will apply ;)

-James
Re: freeradius, problem with chap ?
On 01/12/2011 22:41, Piotr wrote:
> This is debug from l2tp/ipsec connection:
>
> CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
> [chap] login attempt by tom3 with CHAP password
> [chap] Cleartext-Password is required for authentication
> ++[chap] returns invalid
> Failed to authenticate the user.
> Login incorrect (rlm_chap: Clear text password not available):
>
> and here is debug from working connection for sslvpn:
>
> User-Password = bd8d9a
> [MOTP] expand: %{User-Password} -> bd8d9a
> Exec-Program: returned: 0
> ++[MOTP] returns ok
> Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13)

If you want FR to handle the CHAP for you:

> [chap] Cleartext-Password is required for authentication

If FR doesn't know the correct password, you can't expect it to do CHAP. Change things so FR knows the password, or do plain text authn as per your first scenario.

-James
Re: Authorize all/any users for a PEAP, WPA2 enterprise setup
On 27/10/2011 00:51, Toby wrote:
> Hi all,
> I apologize in advance if this question has been answered previously but I have searched extensively and cannot find discussion of this particular topic.
>
> What I am wanting to setup, at least initially, is a WPA2 enterprise (802.11i) wireless access point that will authorize ANY user (accept all credentials/username-password combinations) and thereby provide encrypted wireless access as well as confirmation of the access point's identity, but not restrict which users can connect.

Your body doesn't mention PEAP, but your subject does. If you have to use PEAP, i.e. MS-CHAPv2 inner, it's not possible: http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless+of+password%3F

You could perhaps do it with TTLS/PAP.

-James
Re: radius + ldap + ntlm
On 23/10/2011 16:02, Andreas Rudat wrote:
> Hello,
> I understand it correctly, that I can't use peap + mschapv2 with ldap? I'm really confused atm about what I can really use; every time I think it's fine, I find another insecure thing :/

To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text password, or the NTLM hash of the password. If your LDAP directory has plain text passwords, or NTLM hashes, then you can use it for authentication. You can use LDAP for authorization in any case.

Regards,
James
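The constraint running through the three replies above (CHAP needs the cleartext password; PEAP/MS-CHAPv2 needs the cleartext or the NT hash; "accept any password" is only possible where the server actually sees the password, as with TTLS/PAP), as an added example that is not code from FreeRADIUS or from any of the posts. The CHAP response is computed as RFC 1994 and RFC 2865 define it, in the 17-byte CHAP-Password layout visible in the l2tp debug above (one ident octet plus a 16-byte MD5); the `{SSHA}` check is the OpenLDAP salted-SHA1 form. The stored-form names follow FreeRADIUS's control attributes, and the sample passwords, challenge and salt are constructed for the example.

```python
"""Which inner method can be served from which stored credential form."""
import base64
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 1994 / RFC 2865): ident || MD5(ident || secret || challenge).
    The challenge is CHAP-Challenge, or the Request Authenticator when that attribute is absent."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password: bytes, challenge: bytes, cleartext: str) -> bool:
    """The server can only recompute the response if it holds the cleartext secret."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, chap_password)


def make_ssha(cleartext: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap_ssha(stored: str, cleartext: str) -> bool:
    """PAP works against any one-way verifier because the password itself arrives."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(cleartext.encode("utf-8") + salt).digest(), digest)


# What the server must hold to complete each inner method.
_SUPPORTED = {
    "PAP":       {"Cleartext-Password", "NT-Password", "SSHA-Password", "Crypt-Password"},
    "CHAP":      {"Cleartext-Password"},
    "MS-CHAPv2": {"Cleartext-Password", "NT-Password"},
}


def usable_inner_methods(stored_form: str) -> list:
    """Inner methods a directory storing `stored_form` can serve; [] if none."""
    return sorted(m for m, forms in _SUPPORTED.items() if stored_form in forms)


def accept_any_password_possible(inner_method: str) -> bool:
    """'Permit any user regardless of password' only works when the server sees the
    password (PAP). CHAP and MS-CHAPv2 responses must be recomputed from a known
    secret, so without one there is nothing the server could choose to accept."""
    return inner_method == "PAP"
```

The salted-SHA1 directory from the multiple-SSID question further down the page is the `SSHA-Password` row: fine for TTLS/PAP, unusable for PEAP/MS-CHAPv2 unless the NT hash is stored alongside it.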
Re: SSL error after updating cert
On 21/10/2011 20:44, Eric Geier wrote:
> Hi,
> I'm trying to update my server's cert, but getting errors after applying it:
>
> Fri Oct 21 12:26:45 2011 : Error: TLS Alert read:fatal:certificate expired
> Fri Oct 21 12:26:45 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Fri Oct 21 12:26:45 2011 : Error: rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
> Fri Oct 21 12:26:45 2011 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
>
> Says expired but I'm using the new cert, which is a renewal from a third-party CA and using the same private key. I apply it by inserting the text of the .crt file into the server-cert.pem file in the certs folder. I think that's all I have to do and restart freeradius?

1) Check the date on the client system is correct

2) do:

openssl -in /path/to/your/raddb/server-cert.pem -noout -text

and verify the properties of the cert you have.

-James
Re: SSL error after updating cert
On 21/10/2011 22:31, Eric Geier wrote:
> Thanks for the reply! Yes, the clients are set with correct time/date.
>
> That command didn't work. Did you mean openssl verify command? I ran that and both the old cert (still valid for a few days) and the new cert (already valid) shows correct domain but then says:
>
>> 2) do:
>>
>> openssl -in /path/to/your/raddb/server-cert.pem -noout -text
>>
>> and verify the properties of the cert you have.

I forgot the x509, it should have been:

openssl x509 -in /path/to/your/raddb/server-cert.pem -noout -text

-James
Re: Policy construct for string concatenation
On 15/10/2011 12:14, Ray Scholl wrote:
> Good morning:
>
> So, I took all of your advice - example constructs, suggestion to do a little testing etc. I built a duplicate server and my question still remains. The construct I have -
>
> if ( clients_ldap-Ldap-Group == %{FreeRadius-Client-Shortname}%{'otp'} ) {

How does the above match the below and previous examples you were given!?

They're just strings. If you've done any kind of computer programming, string expansion should be familiar.

(1) take the string ...
(2) Expand everything which looks like %{NAME}
(3) leave everything else alone.

Hello, my name is %{User-Name} -- Hello, my name is bob

Try:

if (clients_ldap:Ldap-Group == %{FreeRadius-Client-Shortname}otp) {

1) Is clients_ldap an ldap instance name, or have you defined a new attribute clients_ldap-Ldap-Group?? I've presumed it's an instance name, thus the colon. If it's an attribute, then replace the colon above with the hyphen you had.

2) otp is a fixed string, %{anything} means a not-fixed string (an expansion), so you don't need the %{}.

3) How about sending us your radiusd -X from your duplicate server, then we can all see what's actually happening?

-James
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
On 14/10/2011 16:13, Martin Ubank wrote:
> Here's the full output from 'radiusd -X':

The bit at the top that tells us what radiusd has read from the config files is missing. It's not executing ntlm_auth by the looks of what you posted, so you need to look at why. The first bit of radiusd -X will tell you which files it's reading. Check it's reading your mschap file (the one you configured, not some other one).

-James
Re: Acct-Terminate-Cause
On 15/10/2011 01:18, OzSpots - Carl Sawers wrote:
> Hi All,
> I have searched high and low for a Radacct Terminate cause description for Freeradius. The terminate cause states "Lost-Session"; anyone know what it refers to?

Please set a subject when posting to a mailing list.

http://freeradius.org/rfc/rfc2866.html#Acct-Terminate-Cause

If you need to know precisely when your NAS sets one or other value for this attribute, you would have to ask the NAS manufacturer.

-James
Re: PEAP/MSCHAPv2 / Freeradius / AD
On 13/10/2011 21:16, Kevin Chan wrote:
> Hi all, hopefully I got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use b...@acme.edu instead of b...@abc.acme.edu as username.

Presumably you are in the US? ... It's a shame that US eduroam seems to forbid subdomains for its own institutions (lots of organisations doing eduroam in Europe use subdomain realms).

> My question is can you modify the realm behind the user's back? (during EAP process). I think this may mess things up...

but you shouldn't need to *modify* the realm? [More info about your specifics please]? The realm on the outer ID will get the auth to your FR (anyth...@uni.edu). The realm [if present] on the inner ID is generally stripped before it goes to ntlm_auth against your AD.

Regards,
James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: PEAP/MSCHAPv2 / Freeradius / AD
On 13/10/2011 21:35, James J J Hooper wrote:
> On 13/10/2011 21:16, Kevin Chan wrote:
>> Hi all, hopefully I got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use b...@acme.edu instead of b...@abc.acme.edu as username.
>
> Presumably you are in the US? ... It's a shame that US eduroam seems to forbid subdomains for its own institutions (lots of organisations doing eduroam in Europe use subdomain realms).

I re-read http://www.eduroamus.org/node/29 ... It says that *you* shouldn't forward subdomains of your own realm to the national proxies, which would be filtered. This indeed makes sense for loop protection.

...and it implies only usernames of the form u...@institution.edu should be accepted, but it doesn't actually state that you can't use subdomains. I suppose it depends on how the routing on the US level eduroam proxies is set up:

if (Realm =~ /^(.+\.)?\.uni\.edu$/) {
}

or

if (Realm =~ /^uni\.edu$/) {
}

-James
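The two routing rules sketched in the reply above, as an added example that is not code from the post or from any eduroam proxy's configuration: a small Python router that applies either the subdomain-accepting or the exact-match rule to an outer identity, and never forwards a subdomain of the home realm upstream, which is the loop-protection point the post makes. As written in the post, the first pattern has an escaped dot immediately after the optional group, so it only matches realms containing two consecutive dots; the version here leaves that dot out and keeps the posted pattern alongside it so the difference can be checked. The home realm `uni.edu` is the post's placeholder; the decision names, the handling of realm-less identities (dropped here) and the test identities are constructed for the example.

```python
"""Realm routing for an eduroam-style IdP: local, upstream, or drop."""
import re

HOME_REALM = "uni.edu"   # placeholder realm from the post

# The subdomain pattern exactly as it appears in the post: the "\." after the
# optional group means "abc.uni.edu" does NOT match but "abc..uni.edu" does.
POSTED_SUBDOMAIN_PATTERN = re.compile(r"^(.+\.)?\.uni\.edu$")


def subdomain_pattern(realm: str):
    """Match the realm itself and any subdomain of it (case-insensitive, as DNS names are)."""
    return re.compile(r"^(?:.+\.)?" + re.escape(realm) + r"$", re.IGNORECASE)


def exact_pattern(realm: str):
    return re.compile(r"^" + re.escape(realm) + r"$", re.IGNORECASE)


def extract_realm(user_name: str):
    """Outer identity -> realm, or None when there is no usable realm."""
    if user_name.count("@") != 1:
        return None          # no realm, or more than one '@': do not guess
    _local, realm = user_name.split("@")
    if not realm or realm != realm.strip() or realm.startswith(".") or realm.endswith("."):
        return None
    return realm


def route(user_name: str, home_realm: str = HOME_REALM, accept_subdomains: bool = True) -> str:
    """Return 'local' (authenticate here), 'upstream' (national proxy) or 'drop'.
    Subdomains of the home realm never go upstream, whether or not we serve them:
    forwarding them would only come back to us via the national proxies."""
    realm = extract_realm(user_name)
    if realm is None:
        return "drop"
    ours = subdomain_pattern(home_realm) if accept_subdomains else exact_pattern(home_realm)
    if ours.match(realm):
        return "local"
    if subdomain_pattern(home_realm).match(realm):
        return "drop"        # our own subdomain that we chose not to serve
    return "upstream"
```

Note that `re.escape` and the anchored `$` are what keep `uni.edu.example.org` out of the local branch; an unanchored or unescaped realm pattern would route other people's users to the home AD.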
git.freeradius.org
Hi Alan et al,

I'm having trouble getting FR by git (was previously working):

$ grep url .git/config
url = git://git.freeradius.org/freeradius-server.git

$ git pull origin v2.1.x:v2.1.x
fatal: The remote end hung up unexpectedly

Is there an issue with git.freeradius.org? (Is anyone else having the same issue?) ... or is it just me?

-James
Re: 2.1.12 potential problem...
On 20/09/2011 11:38, denizaydin wrote:
> I cannot see it's giving this error while starting. Do I have to change installation directory or the library directory in the radiusd.conf?
>
> [10:15:39.9] gmake[11]: Entering directory `/home/network/Downloads/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_postgresql'
> [10:15:39.9] if [ x != x ]; then \
> [10:15:39.9] /home/network/Downloads/freeradius-server-2.1.12/libtool --mode=install /home/network/Downloads/freeradius-server-2.1.12/install-sh -c -c \
> [10:15:39.9] .la /usr/local/lib/.la || exit $?; \
> [10:15:39.9] rm -f /usr/local/lib/-2.1.12.la; \
> [10:15:39.9] ln -s .la /usr/local/lib/-2.1.12.la || exit $?; \
> [10:15:39.9] fi
>
> DETAIL LOG file : http://freeradius.1045715.n5.nabble.com/file/n4822062/installtionlog.txt installtionlog.txt

You have to read the output of ./configure ...

[10:12:29.8] === configuring in ./drivers/rlm_sql_postgresql (/home/network/Downloads/freeradius-server-2.1.12/src/modules/rlm_sql/./drivers/rlm_sql_postgresql)
[10:12:29.8] configure: running /bin/sh ./configure '--prefix=/usr/local' '--enable-ltdl-install' --cache-file=/dev/null --srcdir=.
[10:12:30.0] checking for gcc... gcc
[10:12:30.1] checking for C compiler default output file name... a.out
[10:12:30.2] checking whether the C compiler works... yes
[10:12:30.2] checking whether we are cross compiling... no
[10:12:30.2] checking for suffix of executables...
[10:12:30.3] checking for suffix of object files... o
[10:12:30.3] checking whether we are using the GNU C compiler... yes
[10:12:30.3] checking whether gcc accepts -g... yes
[10:12:30.3] checking for gcc option to accept ISO C89... none needed
[10:12:30.3] checking for libpq-fe.h... no
[10:12:30.8] checking for PQconnectdb in -lpq... no
[10:12:31.2] configure: WARNING: silently not building rlm_sql_postgresql.
[10:12:31.2] configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.

Fix this, and then re-compile it.

-James
Re: 2.1.12 potential problem...
On 17/09/2011 01:56, Alan DeKok wrote:
> James J J Hooper wrote:
>> Above won't work since: https://github.com/alandekok/freeradius-server/commit/1a00da32c13fb979e11748250da469c7ac4474a8
>>
>> -James
>>
>> https://github.com/alandekok/freeradius-server/commit/1a00da
>>
>> In fact this dictionary change breaks other stuff too, e.g. below:
>
> I've pushed a fix already.

Hi Alan,
This doesn't seem to have reached github yet.

-James
Re: Reverting Accept-Reject to Access-Accept
On 16/09/2011 17:24, Phil Mayers wrote:
> On 16/09/11 16:59, denizaydin wrote:
>> Hi,
>> I am using Version 2.1.11 for broadband PPP authentication. I want to put the unauthenticated users to a default service. I have to revert the access-reject message to access-accept because once CISCO ISG gets an access-reject from the AAA server it's terminating the ppp with access-reject.
>
> Don't do that. Instead, don't reject them in the first place. For example:
>
> authorize {
>   ...
>   sql
>   if (notfound) {
>     update control {
>       Auth-Type := Accept
>     }
>   }
> }

Above won't work since: https://github.com/alandekok/freeradius-server/commit/1a00da32c13fb979e11748250da469c7ac4474a8

-James
2.1.12 potential problem...
> Don't do that. Instead, don't reject them in the first place. For example:
>
> authorize {
>   ...
>   sql
>   if (notfound) {
>     update control {
>       Auth-Type := Accept
>     }
>   }
> }

Above won't work since: https://github.com/alandekok/freeradius-server/commit/1a00da32c13fb979e11748250da469c7ac4474a8

-James

https://github.com/alandekok/freeradius-server/commit/1a00da

In fact this dictionary change breaks other stuff too, e.g. below:

[vpieap] Request found, released from the list
[vpieap] EAP/mschapv2
[vpieap] processing type mschapv2
[mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/vpi-inner
[vpieap] Freeing handler
++[vpieap] returns reject
Failed to authenticate the user.

and e.g:

grep -R 'pairmake(Auth-Type, ' freeradius-server/src/*
freeradius-server/src/modules/rlm_chap/rlm_chap.c: pairmake(Auth-Type, CHAP, T_OP_EQ));
freeradius-server/src/modules/rlm_digest/rlm_digest.c: pairmake(Auth-Type, DIGEST, T_OP_EQ));

-James
Re: different acctuniqueids with common keys?
On 06/09/2011 00:36, Rob Turner wrote:
> Default in modules/acct_unique:
>
> acct_unique {
>   key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
> }
>
> The man page for rlm_acct_unique shows:
>
> acct_unique {
>   key = User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port
> }
>
> Anyone know when this was changed?

Apparently, a long time ago: https://github.com/alandekok/freeradius-server/commits/master/raddb/modules/acct_unique

-James
Re: Pre release of 2.1.12
On 29/08/2011 15:13, Alan DeKok wrote:
> I've put some pre releases of 2.1.12 on the web site:
>
> http://git.freeradius.org/pre/
>
> Please let me know if there are any problems. If not, this can become 2.1.12.

All seems good so far.

-James

radmin> show version
FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Aug 30 2011 at 01:08:47

radmin> show uptime
Up since Thu Sep 1 04:02:20 2011

radmin> stats client auth
requests       419006
responses      432061
accepts        56219
rejects        4154
challenges     371688
dup            44
invalid        0
malformed      0
bad_signature  0
dropped        65
unknown_types  0

radmin> stats client acct
requests       93500
responses      93499
dup            0
invalid        0
malformed      0
bad_signature  0
dropped        0
unknown_types  0
Re: OT: Cisco Disconnect-Request packets
On 24/08/2011 11:31, Jonathan Gazeley wrote:
> Hi all,
> Not directly related to FreeRADIUS but I gather people here have some experience with Cisco WiSMs and 802.1x.
>
> I'm trying to use radclient to craft a Disconnect-Request packet to disconnect a user on an 802.1x network. I've checked the RFCs for the Disconnect-Request packets and I believe I am providing all the necessary attributes to disconnect a user, however the WiSM always responds:
>
> rad_recv: Disconnect-NAK packet from host 172.17.107.211 port 3799, id=219, length=26
>   Error-Cause = Missing-Attribute
>
> I am sending packets like these:
>
> Sending Disconnect-Request of id 219 to 172.17.107.211 port 3799
>   User-Name = jg4461
>   Calling-Station-Id = 00:1b:63:08:b4:eb
>   Framed-IP-Address = 172.21.107.197
>   Called-Station-Id = 00:21:55:ac:5b:60:ResNet-Wireless
>   NAS-Port-Id = 29
>   NAS-Port-Type = Async
>   Acct-Session-Id = jg44614ddcd9e6/00:1b:63:08:b4:eb/222935
>   NAS-IP-Address = 172.17.107.211
>   NAS-Port = 29
>   NAS-Identifier = wism11
>
> So, does anyone know which attributes I must send to disconnect a user in this way? Is there an easier way of doing it?

radclient -xs -f /tmp/disconnect.txt 172.17.107.210:3799 disconnect secret
Sending Disconnect-Request of id 7 to 172.17.107.210 port 3799
  User-Name = testu...@bristol.ac.uk
  Calling-Station-Id = 89:c6:65:99:39:52
  Service-Type = Login-User
rad_recv: Disconnect-ACK packet from host 172.17.107.210 port 3799, id=7, length=20
Total approved auths: 1
Total denied auths: 0
Total lost auths: 0

...so it seems you need User-Name, Calling-Station-Id and Service-Type.

-James
Re: freeradius cisco COA
On 21/08/2011 13:10, Arran Cudbard-Bell wrote:
> Wow ok a lot of CoA and DM questions lately.
>
>> anyone have like experience to share ,,,
>
> Well it should be the same as any other CoA implementation, except IIRC its on port 1700 instead of 3779. Cisco wireless or wired?

We're using Cisco WiSMs/WiSM2s [wireless]. You have to enable RFC3576 capability per radius server in the config. They use destination UDP/3799.

The only gotcha we've had so far is that the CoA packet has to come from the same source IP and *port* as the radius server is configured as in the WiSM config. Depending on how you are generating the CoA this may be problematic, but is easily solved with a line in your iptables config:

*nat
-A POSTROUTING -p udp --dport 3799 -d NAS-IP -j SNAT --to-source radius-server-IP:radius-listening-port
COMMIT

-James
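The Disconnect-Request that the WiSM accepted in the radclient run two posts up, plus the source-port requirement from the CoA reply above, as an added example that is not code from FreeRADIUS, radclient or the posts: a Python builder for an RFC 5176 Disconnect-Request (code 40, UDP/3799) carrying only User-Name, Calling-Station-Id and Service-Type, with the Request Authenticator computed as RFC 5176 section 2.3 specifies, and a parser that verifies the Response Authenticator on the Disconnect-ACK/NAK and decodes Error-Cause (402 is Missing-Attribute, the NAK the first poster saw). The sender binds an explicit source port so the packet leaves from the port the NAS knows the RADIUS server by, which is the WiSM check the iptables SNAT rule works around. The shared secret, identifier and the NAS reply builder are constructed for the example; the live send is not exercised by the assertions.

```python
"""RFC 5176 Disconnect-Request / -ACK / -NAK (RFC 3576 dynamic authorisation), UDP 3799."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 1, 6, 31, 101
SERVICE_TYPE_LOGIN_USER = 1
ERROR_CAUSE_MISSING_ATTRIBUTE = 402


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP: type, length (including the 2-octet header), value of 1..253 octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, ident: int, user_name: str, calling_station_id: str) -> bytes:
    """The three attributes the WiSM accepted. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (encode_attr(ATTR_USER_NAME, user_name.encode("utf-8"))
             + encode_attr(ATTR_CALLING_STATION_ID, calling_station_id.encode("ascii"))
             + encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_nas_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a NAS sends back (used here to construct replies offline). Response
    Authenticator = MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def parse_disconnect_reply(packet: bytes, request: bytes, secret: bytes) -> dict:
    """Authenticate the reply against the request it answers, then decode Error-Cause."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or ident != request[1] or length != len(packet):
        raise ValueError("code/identifier/length mismatch")
    expected = hashlib.md5(packet[:4] + request[4:20] + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    error_cause = None
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_ERROR_CAUSE and attr_len == 6:
            error_cause = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return {"code": code, "ack": code == DISCONNECT_ACK, "error_cause": error_cause}


def send_disconnect(packet: bytes, nas_ip: str, secret: bytes, source_port: int = 1812,
                    port: int = 3799, timeout: float = 3.0) -> dict:
    """Send from the port the NAS has the RADIUS server configured on (the WiSM
    checks source IP *and* port), then validate the reply. Not run offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", source_port))
        s.settimeout(timeout)
        s.sendto(packet, (nas_ip, port))
        reply, _ = s.recvfrom(4096)
    return parse_disconnect_reply(reply, packet, secret)
```

Verifying the Response Authenticator is not optional: without it any host on the path could answer with a forged Disconnect-ACK and the tool would report the session as gone.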
Re: Certificate problems? Freeradius 2.1.10 on Debian squeeze
On 05/08/2011 17:00, John Dunning wrote:
> Greetings all,
>
> We've been running freeradius 1.x on Debian Lenny for some time with great success authenticating against Novell eDirectory/LDAP. Our Linux guru has moved on to exciting new opportunities and while the rest of us are decent at linux we're certainly missing his input here :)
>
> We're trying to update the system to Squeeze and move from eDirectory to Active Directory authentication to stay more easily within the debian package scope. I think I largely have the system setup to do EAP-TLS/PEAP/MS-CHAPv2 with Windows 7 supplicant but for some reason I can't seem to get the EAP-TLS tunnel to fire up. I've tried going through http://wiki.freeradius.org/Certificate_Compatibility with the delivered certs (which are evidently supposed to be compatible) but I seem to be missing something. I've got NTLM_AUTH working correctly (once I actually get that far), so I'm hoping that if I can get this cert issue figured out I'll be good to go.
>
> Using a Cisco AIR1220 AP and have tried both Windows 7 and android supplicants and get the same problem (see -X log below).
>
> Thanks in advance!!
> JD

> certificate_file = /etc/freeradius/certs/server.pem

(1) Do:

    openssl x509 -in /etc/freeradius/certs/server.pem -noout -text

Check that the output contains this:

    X509v3 Extended Key Usage: TLS Web Server Authentication

...If it doesn't, see the OIDs comments in the FR wiki page.

(2) Check that Windows 7 is correctly configured to trust your certificates. Refer to 15-19 on: http://www.wireless.bris.ac.uk/eduroam/instructions/go-vista/#wifi [obviously you need to trust your root CA, not mine though]

For testing you can un-tick "Validate server certificate", but you should never do this with real credentials, or with real users.

(3) Android probably isn't a good OS to use for AAA testing, because depending on which version you have there are various bugs with its enterprise wi-fi support.

Regards,
James
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
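The check in step (1) above, done without openssl, as an added example (not FreeRADIUS code and not part of the reply): a small DER walker that pulls the Extended Key Usage extension out of a PEM certificate and reports whether the serverAuth OID (1.3.6.1.5.5.7.3.1, printed by openssl as "TLS Web Server Authentication") is present. The `sample_cert_pem()` helper builds a constructed skeleton whose only realistic part is the extensions block; it is not a real certificate, and the OID constants and tag values are the standard X.509 ones.

```python
"""Verify that a PEM server certificate carries the serverAuth Extended Key Usage.

Added example for the openssl check in the reply above; it is not FreeRADIUS
code. It walks the certificate's DER encoding itself, so it needs only the
standard library. sample_cert_pem() builds a constructed skeleton whose only
realistic part is the extensions block; it is not a real, signed certificate.
"""
import base64
import re

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # "TLS Web Server Authentication" in openssl output
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x04, 0x06, 0x30


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_tlvs(data):
    """Yield (tag, value) for each tag-length-value element in a DER buffer."""
    i = 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated element header")
        tag, length, i = data[i], data[i + 1], i + 2
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags do not occur in X.509 certificates")
        if length & 0x80:                      # long form: next (length & 0x7F) octets hold the length
            n = length & 0x7F
            if n == 0 or n > 4:
                raise ValueError("unsupported length encoding")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated element")
        yield tag, data[i:i + length]
        i += length


def decode_oid(value):
    """Base-128 arcs; the first octet packs the first two arcs as 40*a + b."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def encode_oid(dotted):
    """Inverse of decode_oid; only needed to build the constructed sample."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def find_extension(der, oid):
    """extnValue octets of extension `oid`, or None. An Extension is a SEQUENCE whose
    first element is the OID, optionally a BOOLEAN critical flag, then an OCTET STRING."""
    for tag, value in der_tlvs(der):
        if tag == TAG_SEQUENCE:
            parts = list(der_tlvs(value))
            if parts and parts[0][0] == TAG_OID and decode_oid(parts[0][1]) == oid:
                return parts[-1][1] if parts[-1][0] == TAG_OCTET_STRING else None
        if tag & 0x20:                         # constructed (SEQUENCE, SET, [n] EXPLICIT): descend
            found = find_extension(value, oid)
            if found is not None:
                return found
    return None


def extended_key_usage(der):
    """List of EKU OIDs, or None when the certificate has no EKU extension at all."""
    ext = find_extension(der, OID_EXT_KEY_USAGE)
    if ext is None:
        return None
    tag, seq = next(der_tlvs(ext))
    if tag != TAG_SEQUENCE:
        raise ValueError("EKU extnValue is not a SEQUENCE")
    return [decode_oid(v) for t, v in der_tlvs(seq) if t == TAG_OID]


def check_server_cert(pem_text):
    """(ok, reason): ok only when an EKU extension exists and includes serverAuth."""
    ekus = extended_key_usage(pem_to_der(pem_text))
    if ekus is None:
        return False, "no Extended Key Usage extension"
    if OID_SERVER_AUTH not in ekus:
        return False, "EKU lacks serverAuth; found " + ", ".join(ekus)
    return True, "serverAuth present"


def _tlv(tag, value):
    """Minimal DER encoder (short and long length forms) for the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def sample_cert_pem(eku_oids=None):
    """Constructed skeleton Certificate { tbs { serial, [3] Extensions }, sigAlg, sig }.
    None means no EKU extension at all. Not a real, signed certificate."""
    tbs = _tlv(TAG_INTEGER, b"\x01")
    if eku_oids is not None:
        eku_value = _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_OID, encode_oid(o)) for o in eku_oids))
        extension = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, encode_oid(OID_EXT_KEY_USAGE)) + _tlv(TAG_OCTET_STRING, eku_value))
        tbs += _tlv(0xA3, _tlv(TAG_SEQUENCE, extension))          # [3] EXPLICIT SEQUENCE OF Extension
    sig_alg = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, encode_oid("1.2.840.113549.1.1.11")))
    cert = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, tbs) + sig_alg + _tlv(TAG_BIT_STRING, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

On a real server, `check_server_cert(open("/etc/freeradius/certs/server.pem").read())` gives the same answer as eyeballing the openssl output for the "TLS Web Server Authentication" line; the walker treats any SEQUENCE that starts with the EKU OID as the extension, which is the only place that OID occurs in a certificate.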
Re: Security issues with 1.1.3 flatfile
On 01/08/2011 22:08, d.tom.schm...@l-3com.com wrote:
> Currently running 1.1.3 on CentOS 5.x.

Upgrade

> I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 rw-rw-r--
>
> Record in the file looks like:
>
>     Tom tab Auth-Type := Local, User-Password := "tompass"
>
> This allows everyone to read the file - not good security. If I change the permissions to 660 rw-rw---- then freeRADIUS will not restart.

Who owns the file? Which user does FR run as?

If FR runs as 'radiusd' and the file is owned by root:root, then it's not surprising that FR can't read the file unless it is chmod o+r.

[upgrade and] fix the permissions and it will work.

-James
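The two questions in the reply (who owns the file, which user does FR run as) decide both halves of the problem: a users file holding cleartext `User-Password` entries must not be world-readable, and it must still be readable by the daemon's account. An added example that answers both in one check; it is not FreeRADIUS code and the daemon account name is an assumption passed in by the caller ('radiusd' is only the default used here; Debian's package, for instance, runs as 'freerad').

```python
"""Who can read the FreeRADIUS users file? Owner, mode bits and the daemon account.

Added example, not part of the reply above or of FreeRADIUS. It reports whether
the file is world-readable (cleartext passwords exposed to every local account)
and whether the daemon's own account can read it. The daemon account name is a
parameter; 'radiusd' is only the assumed default.
"""
import grp
import os
import pwd
import stat


def user_ids(user):
    """(uid, set of gids) for a local account, including supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def can_read(st, uid, gids):
    """Owner/group/other read check on a stat result; uid 0 bypasses the mode bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def _name(lookup, num):
    try:
        return lookup(num)
    except KeyError:          # uid/gid with no passwd/group entry (e.g. a container)
        return str(num)


def audit_users_file(path, daemon_user="radiusd"):
    """Mode, owner and the two facts that matter: world-readable? daemon-readable?
    'fix' is the conventional remedy: root-owned, group-readable by the daemon only."""
    st = os.stat(path)
    uid, gids = user_ids(daemon_user)
    world_readable = bool(st.st_mode & stat.S_IROTH)
    daemon_can_read = can_read(st, uid, gids)
    ok = daemon_can_read and not world_readable
    return {
        "mode": "%04o" % stat.S_IMODE(st.st_mode),
        "owner": _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
        "group": _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
        "world_readable": world_readable,
        "daemon_can_read": daemon_can_read,
        "ok": ok,
        "fix": None if ok else "chown root:%s %s && chmod 640 %s" % (daemon_user, path, path),
    }
```

Run it as `audit_users_file("/etc/raddb/users", "radiusd")` (or whatever account the `user =` setting in radiusd.conf names): a 664 root:root file comes back `world_readable: True`, and a 660 root:root file comes back `daemon_can_read: False`, which is exactly the "won't restart" case in the question.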
Re: Yet another multiple SSID setup question
On 12/07/2011 02:50, Nick Kartsioukas wrote:
> I've been looking through the wiki and staring at the config files and I'm...confused. I've successfully gotten our Cisco WLC to authenticate against ActiveDirectory as well as a Sun LDAP server (just one at a time) via FreeRADIUS for a single test SSID, but now I'm trying to figure out how to split that into conditional checks. Before I go chopping up the existing config files and making a horrible mess of things, I wanted to verify a few things with the wisdom of the list.
>
> Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so:
>
>     DEFAULT Auth-Type := student_module, Called-Station-SSID := student
>     DEFAULT Auth-Type := staff_module, Called-Station-SSID := staff
>
> If so how do I set that up, as that would be two different eap.conf setups (wouldn't it)? Am I missing something obvious in the docs?
>
> Thanks for taking the time to help me out!

If they are different SSIDs on the Cisco WLC, you should be able to assign different radius servers for each SSID. Do that, e.g:

    ssid1 - 192.0.2.1:1645
    ssid2 - 192.0.2.1:1812

Then use a different FreeRADIUS virtual server to handle each (i.e. one virtual server listening on port 1645, and one listening on port 1812). This way you can keep the intricacies of each separate.

-James
Re: ntlm_auth authentication results logging messages
On 19/05/2011 21:00, Garber, Neal wrote:
>> I found a similar user in an old thread who submitted a patch: (http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-reasons-in-rlm-mschap-td2791760.html) And it appears that this patch made it into the rlm_mschap.c module code:
>
> I submitted that patch and it was included in FR v1. Unfortunately, a change in v2 regressed this functionality. In v2, there's now an additional round trip, so the ntlm_auth results need to be saved - they are saved, in the current version, for success; but, not for failure. I submitted another patch for v2 last year that saves the ntlm_auth results for failures as well; but, it required rework (Alan wanted it split into two separate patches) and I haven't had a chance to rework it yet. Other, really nice mschap patches have been submitted since then (thank you Phil), so the rework, for me, is now a bit more.

Note that needing the results saved is probably because you want to do something with the information in post-auth.

John, if you just want to log the information you can do something like [in the inner-tunnel file]:

    authenticate {
        Auth-Type MS-CHAP {
            mschap {
                reject = 1
            }
            if (reject) {
                linelog
                reject
            }
        }
        ...
    }

The linelog module (or any other module you want to use e.g. SQL) can log to a file or syslog or something else at this point. The information you want will be in the %{Module-Failure-Message} and %{reply:MS-CHAP-Error} attributes.

We use linelog extensively to syslog to a file and then have a webpage that does the equivalent of tail the file and refresh routinely - very easy for the help desk staff to see what is going on without needing to ssh to anything.

-James
Re: ldap and xlat
On 17/05/2011 22:28, Frank Dornheim wrote:
> Dear FreeRADIUS users,
>
> I try to migrate my radius setup to LDAP. I use mainly the information from Frank Ranner (http://lists.cistron.nl/pipermail/freeradius-users/2007-September/msg00205.html). Today I have a problem to understand the xlat statement in the hint file:
>
>     DEFAULT Hint = `%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`
>
> Can anybody explain that, step by step? (yes I read the rlm_ldap doku file and tried the mailing list search)

Hint = : Set Hint to the value of the right hand side of the =

%{...} : Variable to be expanded

ldap: : process the next bit with the LDAP module.

%{NAS-IP-Address} : The value of the NAS-IP-Address attribute in the request. ...e.g. 192.0.2.99

ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=192.0.2.99 : LDAP URL as per http://www.ietf.org/rfc/rfc2255.txt

-James
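The last step of the walk-through, the LDAP URL itself, taken apart in code, as an added example that is not FreeRADIUS code: it parses the URL from the message into base DN, attribute list, scope and filter, and rebuilds it with the `%{NAS-IP-Address}` value escaped per RFC 4515. The URL, the attribute name and the sample address 192.0.2.99 are from the message; the escaping step is the practitioner's caveat: a request attribute that is a free-form string (a User-Name, unlike the IP-typed NAS-IP-Address) can carry filter metacharacters, and an unescaped one changes the shape of the search filter.

```python
"""Parse the LDAP URL used by the ldap xlat above and rebuild it safely.

Added example, not FreeRADIUS code. The URL, attribute name and sample
NAS-IP-Address 192.0.2.99 come from the message; the escaping follows
RFC 4515 so a value containing * ( ) \ or NUL cannot alter the filter.
"""
from urllib.parse import unquote, urlsplit

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def parse_ldap_url(url):
    """Split ldap://host:port/dn?attrs?scope?filter?exts (RFC 2255 / RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    # urlsplit ends the path at the first '?'; the later '?' characters are field separators
    attrs, scope, filt, exts = (parts.query.split("?") + ["", "", "", ""])[:4]
    if scope not in SCOPES:
        raise ValueError("bad scope %r (expected base, one or sub)" % scope)
    return {
        "host": parts.hostname or "",          # empty host: the ldap module's configured server
        "port": parts.port,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in unquote(attrs).split(",") if a],
        "scope": SCOPES[scope],
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in unquote(exts).split(",") if e],
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter assertion: \\xx per byte."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def huntgroup_url(nas_ip, base_dn="ou=hosts,dc=whatever"):
    """The Hint xlat's URL with %{NAS-IP-Address} expanded and escaped. The filter
    is parenthesised as RFC 4515 writes it; the xlat in the message omits the parentheses."""
    return "ldap:///%s?radiusHuntgroupName?one?(ipHostNumber=%s)" % (base_dn, escape_filter_value(nas_ip))
```

`parse_ldap_url(huntgroup_url("192.0.2.99"))["filter"]` gives `(ipHostNumber=192.0.2.99)`, the search the ldap module runs with scope `one` under `ou=hosts,dc=whatever`, returning only `radiusHuntgroupName`; feed `huntgroup_url` a value such as `192.0.2.99)(objectClass=*` and the parentheses come out as `\29\28`, so the filter still has exactly one assertion.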
Re: acct segfault in git v2.1.x
On 09/05/2011 12:22, Alan DeKok wrote:
> Alexander Clouter wrote:
>> Updating to git's v2.1.x to go on a post-Easter bughunt and found the following accounting packet[1] seems to segfault freeradius:
>> ...
>>     #1 0x403075d8 in fnmatch () from /lib/libc.so.6
>>     #2 0x409da598 in do_detail (instance=0x114e50, request=0x43443240, packet=0x43446dd8, compat=<value optimized out>) at rlm_detail.c:301
>
> Hmm... calling fnmatch() when the packet was *not* read from the detail file is a bad idea. Oops.
>
> On closer inspection, much of the logic in rlm_detail is broken.
>
>> If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier to get on a production box... :)
>
> Nah. I think the Feynman method is fine.
>
> 1) look at problem
> 2) think hard
> 3) write down solution
>
> Give me a bit and I'll push a change to git.

It now seems to create a *directory* with the name that should be the detail *file*...

    custard radius # find ./ -type d
    ./
    ./radacct
    ./radacct/eduroamalien-soh-bsql
    ./radacct/vpi-soh-bsql
    ./radacct/eduroamlocal-soh-bsql
    ./radacct/nomadicvpn-bsql
    ./radacct/uobgear
    ./radacct/eduroamlocal-inner
    ./radacct/eduroamlocal-bsql
    ./radacct/vpi
    ./radacct/eduroamalien-inner
    ./radacct/eduroamlocal
    ./radacct/vpi-inner
    ./radacct/eduroamalien
    ./radacct/nomadicvpn
    custard radius # killall -9 radiusd ; /usr/local/sbin/radiusd
    custard radius # tail -n 0 -f radius*.log
    SNIP
    == radiusd-eduroamlocal.log ==
    Mon May 9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory
    Mon May 9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory

ls -la also shows that radiusd has indeed created a directory with what should have been the file name.

module config:

    custard radius # cat /usr/local/etc/serviceraddb/modules/detail-bsql | grep '[[:print:]]' | grep -v '#'
    detail detail-bsql {
        det
...
ailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
        detailperm = 0600
        header = "%t"
    }

-James
FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen 0
Hi All,

Sorry for the sketchy details

We got an "ASSERT FAILED xlat.c[1048]: outlen 0" with a PEAP user. The bit of the -X I have is as below, and the soh virtual server config is attached.

I have no further details at the moment because the client has gone away (and I've disabled SoH in the EAP module config in case they come back and knock it over again while I'm away). The same set-up has been fine with many other SoH clients previously.

Can anyone point me in the right direction? The only thing that came to mind was the packet getting a bit big with all those attributes?

Thanks,
James

    [updated] returns updated
    +++- if ((Calling-Station-Id) && %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) returns updated
    +++ ... skipping else for request 750: Preceding if was taken
    ++- policy create.uob-stripped-mac returns updated
        SoH-Supported = yes
        SoH-MS-Machine-OS-vendor = Microsoft
        SoH-MS-Machine-OS-version = 6
        SoH-MS-Machine-OS-release = 0
        SoH-MS-Machine-OS-build = 6000
        SoH-MS-Machine-SP-version = 0
        SoH-MS-Machine-SP-release = 0
        SoH-MS-Machine-Processor = x86
        SoH-MS-Machine-Name = AlexanderPC
        SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c
        SoH-MS-Machine-Role = client
        SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0
        SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0
        SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1
        SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1
        SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
        SoH-MS-Windows-Health-Status = auto-updates ok action=install by-policy=1
        SoH-MS-Windows-Health-Status = security-updates error no-wsus-srv
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = abc...@bris.ac.uk
        Calling-Station-Id = 00:1b:77:xx:xx:xx
        Called-Station-Id = 00:3a:98:9d:17:30:eduroam
        NAS-Port = 29
        NAS-IP-Address = 172.17.107.207
        NAS-Identifier = wism7
        Airespace-Wlan-Id = 3
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 448
    ASSERT FAILED xlat.c[1048]: outlen 0

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--

Config bits:

    server eduroamlocal-soh {
        authorize {
            if (SoH-Supported == no) {
                update config {
                    Auth-Type = Accept
                }
            }
            else {
                detail-bsql
                update config {
                    Auth-Type = Accept
                }
            }
        }
    }

    detail detail-bsql {
        detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
        detailperm = 0600
        header = "%t"
    }
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen 0
On 04/05/2011 11:24, Phil Mayers wrote:
> On 04/05/11 10:42, James J J Hooper wrote:
>>     [updated] returns updated
>>     +++- if ((Calling-Station-Id) && %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) returns updated
>>     +++ ... skipping else for request 750: Preceding if was taken
>>     ++- policy create.uob-stripped-mac returns updated
>
> Is that all? It jumps straight from the above to dumping the SoH packet?

Yes

>>         SoH-Supported = yes
>>         SoH-MS-Machine-OS-vendor = Microsoft
>>         SoH-MS-Machine-OS-version = 6
>>         SoH-MS-Machine-OS-release = 0
>>         SoH-MS-Machine-OS-build = 6000
>>         SoH-MS-Machine-SP-version = 0
>>         SoH-MS-Machine-SP-release = 0
>>         SoH-MS-Machine-Processor = x86
>>         SoH-MS-Machine-Name = AlexanderPC
>>         SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c
>>         SoH-MS-Machine-Role = client
>>         SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0
>>         SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0
>>         SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
>
> Ok, something has gone wildly wrong there
>
> Unless they really do have 3 firewall, 7 AV and 8 anti-spyware products installed!

Indeed - We all know how messed up clients can get, so this one is probably due for some TLC (if I can get them to come in).

>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0
>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0
>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1
>>         SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1
>>         SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1
>>         SoH-MS-Windows-Health-Status = auto-updates ok action=install by-policy=1
>>         SoH-MS-Windows-Health-Status = security-updates error no-wsus-srv
>>         FreeRADIUS-Proxied-To = 127.0.0.1
>>         User-Name = abc...@bris.ac.uk
>>         Calling-Station-Id = 00:1b:77:xx:xx:xx
>>         Called-Station-Id = 00:3a:98:9d:17:30:eduroam
>>         NAS-Port = 29
>>         NAS-IP-Address = 172.17.107.207
>>         NAS-Identifier = wism7
>>         Airespace-Wlan-Id = 3
>>         Service-Type = Framed-User
>>         Framed-MTU = 1300
>>         NAS-Port-Type = Wireless-802.11
>>         Tunnel-Type:0 = VLAN
>>         Tunnel-Medium-Type:0 = IEEE-802
>>         Tunnel-Private-Group-Id:0 = 448
>>     ASSERT FAILED xlat.c[1048]: outlen 0
>>
>> Config bits:
>>
>>     server eduroamlocal-soh {
>>         authorize {
>>             if (SoH-Supported == no) {
>>                 update config {
>>                     Auth-Type = Accept
>>                 }
>>             }
>>             else {
>>                 detail-bsql
>
> What's the config for this module?

As below i.e. a plain old detail module

>>                 update config {
>>                     Auth-Type = Accept
>>                 }
>>             }
>>         }
>>     }
>>
>>     detail detail-bsql {
>>         detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
>>         detailperm = 0600
>>         header = "%t"
>>     }

-James
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen 0
On 04/05/2011 11:37, Phil Mayers wrote:
> On 04/05/11 10:42, James J J Hooper wrote:
>> Hi All,
>>
>> Sorry for the sketchy details
>>
>> We got an "ASSERT FAILED xlat.c[1048]: outlen 0" with a PEAP user. The bit of the -X I have is as below, and the soh virtual server config is attached.
>>
>> I have no further details at the moment because the client has gone away (and I've disabled SoH in the EAP module config in case they come back and knock it over again while I'm away). The same set-up has been fine with many other SoH clients previously.
>>
>> Can anyone point me in the right direction? The only thing that came to mind was the packet getting a bit big with all those attributes?
>
> From what I can tell, that's a pretty hard error condition to produce.
>
> xlat.c:1048 is inside xlat_copy, which is the default escaping function when radius_xlat is called with a NULL final argument. The assert means that there was no room left in the output buffer, but the very first check inside the while() loop in radius_xlat is:
>
>     while (*p) {
>         /* Calculate freespace in output */
>         freespace = outlen - (q - out);
>         if (freespace <= 1) break;
>
> A quick look at the code gives me the impression it should be pretty hard to trigger this error condition; I can't see how freespace < 1 ever allows xlat_copy to be called.
>
>>     [updated] returns updated
>>     +++- if ((Calling-Station-Id) && %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) returns updated
>>     +++ ... skipping else for request 750: Preceding if was taken
>>     ++- policy create.uob-stripped-mac returns updated
>
> The above policy: where is that? It's clearly not in your SoH virtual server - is this the inner-tunnel stuff? Can we see the config?
>
> I suspect something in the SoH is triggering this when it dumps the AVPs.

Both inner and outer configs start:

    server eduroamlocal-inner {
        authorize {
            create.uob-stripped-mac
            preprocess

    server eduroamlocal {
        authorize {
            create.uob-stripped-mac
            preprocess

where create.uob-stripped-mac is:

    create.uob-stripped-mac {
        if ((Calling-Station-Id) && %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) {
            update request {
                UOB-Stripped-MAC := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
            }
            updated
        }
        else {
            noop
        }
    }

-James
Re: MS-CHAP-V2 with no retry
On 10/04/2011 07:03, Alan DeKok wrote:
> James J J Hooper wrote:
>> I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)??
>
> Yes, thanks.

Also, args to pairmove2 are wrong way around, as attached.

-James

p4.txt.gz (GNU Zip compressed data)
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:16, James J J Hooper wrote:
> On 10/04/2011 07:03, Alan DeKok wrote:
>> James J J Hooper wrote:
>>> I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)??
>>
>> Yes, thanks.
>
> Also, args to pairmove2 are wrong way around, as attached.

After that last change (p4.txt.gz), I think it's now doing the right thing:

* wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present.
* With allow_retry = no, XP pops up the usual 'enter credentials...' bubble, and box.
* With allow_retry = yes, XP pops a "click to process credentials" bubble, then a "type your password again" box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:39, James J J Hooper wrote:
> On 10/04/2011 12:16, James J J Hooper wrote:
>> On 10/04/2011 07:03, Alan DeKok wrote:
>>> James J J Hooper wrote:
>>>> I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)??
>>>
>>> Yes, thanks.
>>
>> Also, args to pairmove2 are wrong way around, as attached.
>
> After that last change (p4.txt.gz), I think it's now doing the right thing:
>
> * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present.
> * With allow_retry = no, XP pops up the usual 'enter credentials...' bubble, and box.
> * With allow_retry = yes, XP pops a "click to process credentials" bubble, then a "type your password again" box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png

...Although, when you correct the password in the 'allow_retry = yes' popup, I don't think FR has got the bit to handle that yet:

    Found Auth-Type = eduroamalieneap-bris-sha-ca
    # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner
    +- entering group eduroamalieneap-bris-sha-ca {...}
    [eduroamalieneap-bris-sha-ca] Request found, released from the list
    [eduroamalieneap-bris-sha-ca] EAP/mschapv2
    [eduroamalieneap-bris-sha-ca] processing type mschapv2
    rlm_eap_mschapv2: Unexpected response received
    *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
    [eduroamalieneap-bris-sha-ca] Failed in EAP select
    ++[eduroamalieneap-bris-sha-ca] returns invalid
    Failed to authenticate the user.
    Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel)
    } # server eduroamalien-inner
    [peap] Got tunneled reply code 3
        EAP-Message = 0x040c0004
        Message-Authenticator = 0x
    [peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x040c0004
        Message-Authenticator = 0x
    [peap] Tunneled authentication was rejected.
    [peap] FAILURE

-James
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:57, James J J Hooper wrote:
> On 10/04/2011 12:39, James J J Hooper wrote:
>> On 10/04/2011 12:16, James J J Hooper wrote:
>>> On 10/04/2011 07:03, Alan DeKok wrote:
>>>> James J J Hooper wrote:
>>>>> I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)??
>>>>
>>>> Yes, thanks.
>>>
>>> Also, args to pairmove2 are wrong way around, as attached.
>>
>> After that last change (p4.txt.gz), I think it's now doing the right thing:
>>
>> * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present.
>> * With allow_retry = no, XP pops up the usual 'enter credentials...' bubble, and box.
>> * With allow_retry = yes, XP pops a "click to process credentials" bubble, then a "type your password again" box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png
>
> ...Although, when you correct the password in the 'allow_retry = yes' popup, I don't think FR has got the bit to handle that yet:
>
>     Found Auth-Type = eduroamalieneap-bris-sha-ca
>     # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner
>     +- entering group eduroamalieneap-bris-sha-ca {...}
>     [eduroamalieneap-bris-sha-ca] Request found, released from the list
>     [eduroamalieneap-bris-sha-ca] EAP/mschapv2
>     [eduroamalieneap-bris-sha-ca] processing type mschapv2
>     rlm_eap_mschapv2: Unexpected response received
>     *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
>     [eduroamalieneap-bris-sha-ca] Failed in EAP select
>     ++[eduroamalieneap-bris-sha-ca] returns invalid
>     Failed to authenticate the user.
>     Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel)
>     } # server eduroamalien-inner
>     [peap] Got tunneled reply code 3
>         EAP-Message = 0x040c0004
>         Message-Authenticator = 0x
>     [peap] Got tunneled reply RADIUS code 3
>         EAP-Message = 0x040c0004
>         Message-Authenticator = 0x
>     [peap] Tunneled authentication was rejected.
[peap] FAILURE I think it needs two things now: 1) Something like: @@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) * a challenge. */ case PW_EAP_MSCHAPV2_RESPONSE: - if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) { - radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received); + if ((data-code != PW_EAP_MSCHAPV2_CHALLENGE) (data-code != PW_EAP_MSCHAPV2_FAILURE)) { + radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received: %d, data-code); return 0; } ... because the response to our MSCHAPV2_FAILURE seems to be a MSCHAPV2_FAILURE 2) if (inst-retry_msg) { snprintf(buffer + 9, sizeof(buffer), C=); for (i = 0; i 16; i++) { snprintf(buffer + 12 + i*2, sizeof(buffer), %02x, fr_rand() 0xff); } This C=random needs to be saved and eventually make it's way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); has the correct challenge, and can then process the clients retry correctly? (help, I havn't managed to work out the mechanism from the current challenge generation bits yet!) -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
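Review bot: the hunk under point 1 widens the state check so a RESPONSE is accepted after a FAILURE has been sent, but on its own that still makes the retry fail: the client computed its new NT-Response against the C= challenge carried in the failure packet, while data->challenge (copied into the MS-CHAP-Challenge pair by the memcpy quoted under point 2) still holds the original challenge, so do_mschap compares against the wrong value. The random C= value written into buffer when retry_msg is set has to be stored in the handler data at the time the failure is sent, and data->code set to PW_EAP_MSCHAPV2_FAILURE, for this new branch to succeed; the message above says as much. Two smaller points: as quoted, no operator survives between the two `!=` comparisons, and `&&` is the one that gives "reject unless the state is CHALLENGE or FAILURE"; and in the snippet under point 2, `snprintf(buffer + 9, sizeof(buffer), "C=")` and the per-byte `snprintf(buffer + 12 + i*2, sizeof(buffer), ...)` pass the whole buffer size for a pointer already offset into it, so the bound should shrink by that offset.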
Re: MS-CHAP-V2 with no retry
On 08/04/2011 08:54, Alan DeKok wrote:
> Phil Mayers wrote:
>> +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line...
>
> Yup. I've just pushed some changes to the git v2.1.x branch. See:
>
> raddb/modules/mschap
> - allow_retry
> - retry_msg
>
> raddb/eap.conf
> - send_error
>
> The default is no change. See the documentation for how to test the new features.

Hi Alan,

I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)??

http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12

...as per attached diff?

-James

p3.txt.gz (GNU Zip compressed data)
Re: MS-CHAP-V2 with no retry
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:
> I don't know if this should be sent to the developers list instead.
>
> === Background ===
>
> When there is a failure of the client to match the challenge of the server: According to rfc2759 a failure packet in section 6 a failure packet includes a message like:
>
>     E=ee R=r C= V=vv M=msg
>
> where E is the error code, R 1/0 allow/disallow retry, C an ascii version of the challenge, V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to have a failure code should be returned from the client. At that point the server can close the eap connection with a failure.
>
> What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs.
>
> Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out.
>
> == proposed fix
>
> Modify freeradius to follow rfc2759.
>
> This requires patches to two source files:
>
> o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759
> o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet.
>
> Below are the diffs:
>
> == Comments
>
> o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe:
>   1) no more lockouts
>   2) Mac/Iphones users are now presented with a dialog box where they can update their password.
>
> o Code:
>   a) I don't like the 100 character msg variable - there is probably a better way to do this.
>   b) There is probably a function in free radius library to do the sprintf which should be used.
>   c) samba locked accounts should probably have a similar message generated if they are mschapv2.
>
> I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases.

Hi John,

I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test).

Attached are the two 'git diff' that I ended up with.

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--

index c512018..3f3fc46 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST *request) response-vp_octets + 26, nthashhash, do_ntlm_auth) 0) { RDEBUG2(FAILED: MS-CHAP2-Response is incorrect); + + /* JCH - changes to include challenge and message */ +char msg[100]; +strcpy(msg, E=691 R=0 C=); +int i, offset = strlen(msg); +char *ptr = msg[offset]; +for (i=0; i16; i++, ptr+=2) { + sprintf(ptr, %02X, response-vp_octets[i+2]); +} +*ptr = 0; +strcat(msg, V=3 M=May Need to reset cached password); + mschap_add_reply(request, request-reply-vps, *response-vp_octets, -MS-CHAP-Error, E=691 R=1, 9); +MS-CHAP-Error, msg, strlen(msg)); return RLM_MODULE_REJECT; } index bdf4668..051fe71 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c @@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *reply) case
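Review bot: the C= value in the rlm_mschap.c hunk is built from response->vp_octets[i+2], i.e. the 16 Peer-Challenge octets copied out of the client's own MS-CHAP2-Response (the NT-Response the server has just rejected sits at offset 26 of the same attribute), not a fresh authenticator challenge generated by the server as RFC 2759 section 6 intends; with R=0 the peer never uses it, but if this code is reused for a retry the challenge must be random, server-generated and kept for verifying the next response. Smaller points: the fixed `char msg[100]` filled by strcpy/sprintf/strcat fits today (12 + 32 + 40 characters plus NUL) but has no margin if the M= text grows, so one snprintf into sizeof(msg) with a length check is safer, and declaring it after a statement needs C99; and E=691, R=0 and the "May Need to reset cached password" text are hard-coded where a retry flag and message would normally come from module configuration (the author's own comments (a) and (b) above point the same way).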
Re: MS-CHAP-V2 with no retry
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper jjj.hoo...@bristol.ac.uk wrote:
> Attached are the two 'git diff' that I ended up with.

gzipped so they don't get messed up.

-James

p1.txt.gz (Binary data)
p2.txt.gz (Binary data)
Re: MS-CHAP-V2 with no retry
On 07/04/2011 13:33, James J J Hooper wrote:
> --On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:
>> I don't know if this should be sent to the developers list instead.
>>
>> === Background ===
>>
>> When there is a failure of the client to match the challenge of the server: According to rfc2759 a failure packet in section 6 a failure packet includes a message like:
>>
>>     E=ee R=r C= V=vv M=msg
>>
>> where E is the error code, R 1/0 allow/disallow retry, C an ascii version of the challenge, V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to have a failure code should be returned from the client. At that point the server can close the eap connection with a failure.
>>
>> What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs.
>>
>> Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out.
>>
>> == proposed fix
>>
>> Modify freeradius to follow rfc2759.
>>
>> This requires patches to two source files:
>>
>> o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759
>> o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet.
>>
>> Below are the diffs:
>>
>> == Comments
>>
>> o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe:
>>   1) no more lockouts
>>   2) Mac/Iphones users are now presented with a dialog box where they can update their password.
>>
>> o Code:
>>   a) I don't like the 100 character msg variable - there is probably a better way to do this.
>>   b) There is probably a function in free radius library to do the sprintf which should be used.
>>   c) samba locked accounts should probably have a similar message generated if they are mschapv2.
>>
>> I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases.
>
> Hi John,
>
> I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test).
>
> Attached are the two 'git diff' that I ended up with.

Hi John,

It works on Mac OS and iOS, but I haven't been able to get it to work as expected on XP or Win7:

* Win7 does as it did before
* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate' message.

Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly?

Regards,
James
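The failure-packet format from RFC 2759 section 6 that John's background quotes, and the bookkeeping James asks about further up the thread (the C= challenge sent with a retryable failure has to be kept until the peer's retry arrives), as an added example that is not FreeRADIUS code and not any of the patches discussed: it builds and parses the `E= R= C= V= M=` text, splits a 50-octet MS-CHAP2-Response into the same fields the rlm_mschap patch indexes (Peer-Challenge at offset 2, NT-Response at offset 26), and tracks the pending challenge per session so a retry is verified against the right value. The cryptographic check of the NT-Response itself (what do_mschap or ntlm_auth does in FreeRADIUS) is passed in as a callable so the example runs offline; the session identifiers, the sample response bytes and the "one retry" budget are constructed for the example. Error codes 691 (authentication failure) and 648 (password expired) are the RFC 2759 values.

```python
"""MS-CHAPv2 failure text (RFC 2759 section 6) and retry-challenge bookkeeping.

Added example, not FreeRADIUS code. MS-CHAP2-Response layout: ident, flags,
16-octet Peer-Challenge at offset 2, 8 reserved octets, 24-octet NT-Response
at offset 26 (the offsets the rlm_mschap patch in the thread indexes). The
NT-Response verification itself is a pluggable callable.
"""
import os
import re

CHALLENGE_LEN = 16
NT_RESPONSE_LEN = 24
PEER_CHALLENGE_OFF = 2
NT_RESPONSE_OFF = 26
ERROR_AUTHENTICATION_FAILURE = 691   # RFC 2759 error codes
ERROR_PASSWD_EXPIRED = 648

_FAILURE_RE = re.compile(r"^E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$")


def parse_mschap2_response(octets):
    """Fields of the 50-octet MS-CHAP2-Response value."""
    if len(octets) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets, got %d" % len(octets))
    return {
        "ident": octets[0],
        "flags": octets[1],
        "peer_challenge": octets[PEER_CHALLENGE_OFF:PEER_CHALLENGE_OFF + CHALLENGE_LEN],
        "nt_response": octets[NT_RESPONSE_OFF:NT_RESPONSE_OFF + NT_RESPONSE_LEN],
    }


def build_failure(error, allow_retry, challenge, message, version=3):
    """'E=eee R=r C=<32 hex> V=v M=msg'. C= is the new authenticator challenge the
    peer must use if it retries (R=1): a server-generated value, not the peer
    challenge echoed back out of the failed response."""
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be %d octets" % CHALLENGE_LEN)
    return "E=%d R=%d C=%s V=%d M=%s" % (error, int(bool(allow_retry)), challenge.hex().upper(), version, message)


def parse_failure(text):
    """Inverse of build_failure; what a client (or a linelog of %{reply:MS-CHAP-Error}) sees."""
    m = _FAILURE_RE.match(text)
    if not m:
        raise ValueError("malformed MS-CHAPv2 failure text: %r" % text)
    return {"error": int(m.group(1)), "allow_retry": m.group(2) == "1",
            "challenge": bytes.fromhex(m.group(3)), "version": int(m.group(4)),
            "message": m.group(5) or ""}


class RetryTracker:
    """Per session, keeps the C= challenge sent in a retryable failure so the peer's
    next response is checked against it rather than the original challenge."""

    def __init__(self, max_retries=1):
        self.max_retries = max_retries
        self._challenge = {}      # session id -> pending challenge
        self._retries_left = {}   # session id -> retries still allowed

    def fail(self, session, error=ERROR_AUTHENTICATION_FAILURE, message="Authentication failed", allow_retry=True):
        """Record a failed attempt and return the failure text to send. R=1 only while
        the retry budget lasts; after that the peer gets R=0 and the state is dropped."""
        left = self._retries_left.get(session, self.max_retries)
        challenge = os.urandom(CHALLENGE_LEN)
        if allow_retry and left > 0:
            self._challenge[session] = challenge
            self._retries_left[session] = left - 1
            return build_failure(error, True, challenge, message)
        self._challenge.pop(session, None)
        self._retries_left.pop(session, None)
        return build_failure(error, False, challenge, message)

    def pending_challenge(self, session):
        return self._challenge.get(session)

    def verify_retry(self, session, response_octets, verifier):
        """verifier(auth_challenge, peer_challenge, nt_response) -> bool does the
        cryptographic check. A response with no retry pending is the
        'Unexpected response received' case from the debug output above."""
        challenge = self._challenge.pop(session, None)
        if challenge is None:
            raise LookupError("no retry pending for session %r" % (session,))
        fields = parse_mschap2_response(response_octets)
        ok = verifier(challenge, fields["peer_challenge"], fields["nt_response"])
        if ok:
            self._retries_left.pop(session, None)
        return ok
```

The order of operations is the point: `fail()` generates the challenge and stores it before the failure text leaves the server, and `verify_retry()` hands that stored challenge, not the original one, to the verifier together with the Peer-Challenge and NT-Response taken from the retry. With `max_retries=1` a second consecutive failure carries `R=0`, which is what a client that keeps re-sending a stale cached password should receive.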
Re: freeradius+ldap: Invalid DN syntax
On 02/04/2011 18:29, ziko wrote:

Hello. I am using FreeRADIUS 2 with OpenLDAP 2.3.43 on my CentOS 5. My OpenLDAP works great without FreeRADIUS, and FreeRADIUS works without LDAP. But I can't connect LDAP and FreeRADIUS.

My ldapsearch output:

ldapsearch -x
# extended LDIF
#
# LDAPv3
# base dc=my-domain,dc=com (default) with scope subtree
..^^...^^

My /etc/raddb/modules/ldap:

ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = server2.**.ge
        identity = cn=Manager,dc=my-domain,dc=com
        password = **
        basedn = dn=my-domain,dn=com
                 ^^...^^

radiusd -X output:

.
rlm_ldap: performing search in dn=my-domain,dn=com, with filter (uid=gchkhetiani)
rlm_ldap: ldap_search() failed: Invalid DN syntax

There is the "rlm_ldap: ldap_search() failed: Invalid DN syntax" error. How can I fix it?

...configure the basedn correctly!!

wrong:   basedn = dn=my-domain,dn=com
correct: basedn = dc=my-domain,dc=com

-James
Re: Attribute NOT being returned in access-accept ?
On 30/03/2011 22:59, Robert Roll wrote:

FreeRADIUS Version 2.1.10

I'm trying to return a vendor attribute, but I don't seem to be seeing it in the Access-Accept? I am inner tunneling to PEAP, and you can see the attribute is there...

Airespace-Interface-Name = wifi-chem-uconnect

but I'm not seeing it in the packet from eapol and I'm also seeing it in the final Access-Accept sent from FreeRADIUS?

Sending Access-Accept of id 10 to 155.97.142.192 port 52965
        MS-MPPE-Recv-Key = 0x0e6bf137da352024fe32478d9b9c2cdabbba6a94f9e185e16ce5601b8e4a8328
        MS-MPPE-Send-Key = 0x99880b1843e321c484ceeb0ed19f55e2bbfa769f68e8783615beb220b13bb761
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = whatever

From PEAP ---

[peap] Got tunneled reply RADIUS code 2
        Airespace-Interface-Name = wifi-chem-uconnect
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        MS-MPPE-Send-Key = 0x7aa77766e328dcdf3e38555995889912
        MS-MPPE-Recv-Key = 0x6af45f9c8437843caf8d2c2ea1f7d7d2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = tstRad9
[peap] Tunneled authentication was successful.

Set use_tunnelled_reply to yes in eap.conf:

https://github.com/alandekok/freeradius-server/blob/14f534aa405cf0063bb10f4bc36493721e054246/raddb/eap.conf#L471

(also line 570 - once for TTLS, once for PEAP)

-James
Re: signed server certs
On 07/03/2011 21:42, John Dennis wrote:

I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!!

...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server cert, or those that default to prompt the user, are vulnerable to rogue AP/credential stealing attacks etc. This may be acceptable in your environment, but if not, you'll still need to actively configure the client.

I've seen statements on this list in the past asserting that if you have a server cert signed by a public CA (e.g. a CA the client is preconfigured to trust) it is a security vulnerability because clients will blindly trust they are connecting to the server they expect when in fact it could be a rogue server impersonating the server. The above comment seems to fall into the same category.

I have never understood this advice or its rationale. I was hoping someone could explain it because it does not match my understanding of PKI, here's why:

When a client negotiates a SSL/TLS session it's supposed to validate the server cert. In simplicity this is a 2 step process.

1) It validates the server cert to assure it's signed by a CA it trusts (possibly via a cert chain).

2) It then validates the certificate subject to make sure the server it thought it was connecting to appears in the certificate (either as the certificate subject or one of the certificate subject alternate names).

If either 1 or 2 fails it should abort the connection. If it were possible on an SSL/TLS connection to impersonate another server then most of PKI would be a complete failure. So why does this group think PKI doesn't work?

Hi John,

Ok, first your (1) - matching a presented server cert to a pre-trusted CA cert on the client. This works and does exactly that. Consider this:

* The client will validate my cert against the CA I signed it with.
* The client will also validate a cert that badPerson has purchased from e.g. verisign

Why - because an unconfigured EAP client will likely trust *all* root CAs (~like your web browser does by default). So, to mitigate this I can set my EAP client to only trust my CA e.g. verisign.

... but badPerson bought their cert from verisign too!

... so we have to move to the next level - your step (2), the CN. So how do we configure the client to trust the appropriate CN? Just that: *configure it* ...an unconfigured/default config client will likely trust any CN.

It is this step that is very different from the web. In the web world, the client can check the cert CN matches the DNS name that the user typed, and that this matches the reverse DNS of the IP that the cert came from. In the EAP world, there is no DNS, no IP, no way to determine the source of the cert at all.

...which is why there is nothing wrong with the mechanism, as long as you configure it properly. Some EAP clients do not let you specify a CN to match, so using a self-signed cert, and setting the client just to trust that CA mitigates the public CA vector.

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: signed server certs
On 07/03/2011 22:18, Arran Cudbard-Bell wrote:

On Mar 7, 2011, at 4:05 PM, James J J Hooper wrote:

On 07/03/2011 21:42, John Dennis wrote:

[...]

... so we have to move to the next level - your step (2), the CN. So how do we configure the client to trust the appropriate CN? Just that: *configure it* ...an unconfigured/default config client will likely trust any CN.

That's not really true, even Windows requires the user confirm that they trust the CN in the certificate unless the CA has been *explicitly* trusted, and none are by default. The CA would have to fail to verify that the domain used in the CN of the CSR was actually owned by the entity requesting the certificate

Of course, that is true (on Windows and Mac) ... but Android? some Linux? Windows Mobile?

... or the user would have to fail to manually validate the CN presented to them by the supplicant.

Forgive my cynicism, but users click 'yes connect me', for one of two reasons:
1) they don't read the popup, and 'yes' usually means 'make it work'
2) they have no clue what the CN should be, so bristol.com, bristol.wifi.com, uni-wifi.co.uk, eduroam.wireless.bris.ac.uk are all just as good.

(2) isn't the end user's fault ...the admin or the setup wizard should configure the CN validation for the end user.

...or the user gets popup panic and calls IT support.

Which comes full-circle: just configure it right in the first place ;-)

-James
Re: Freeradius2 and OSX clients no TLS
--On 6 March 2011 16:31:54 + Guy g...@britewhite.net wrote:

On 6 Mar 2011, at 13:03, Phil Mayers wrote:

On 03/05/2011 04:46 PM, Guy wrote:

Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working. My iPhone/iPad are able to authenticate and connect via the base station. However my Mac (OSX 10.6 Snow Leopard) laptops are having issues. I do not want to push out client certificates to the laptops. I also do not want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with username/password. This is fine. However, without playing with the network settings (802.1x settings) I'm not able to join the network because I do not have a client cert:

...

I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!!

...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server cert, or those that default to prompt the user, are vulnerable to rogue AP/credential stealing attacks etc. This may be acceptable in your environment, but if not, you'll still need to actively configure the client.

-James
Re: MS-CHAP-V2 with no retry
--On 04 March 2011 10:46 +0100 Alan DeKok al...@deployingradius.com wrote:

Phil Mayers wrote:

The FreeRADIUS EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0

Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it...

Yes please, and will do.

-James
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote:

James J J Hooper wrote:

That could be fixed for 2.1.11, I guess. If someone can test it...

Yes please, and will do.

Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024)

Alan DeKok.

Hi Alan,

Compile error (result of patch .c attached):

Making all in rlm_eap_mschapv2...
gmake[9]: Entering directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2'
/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c
mkdir .libs
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c -fPIC -DPIC -o .libs/rlm_eap_mschapv2.o
rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'
gmake[9]: *** [rlm_eap_mschapv2.lo] Error 1
gmake[9]: Leaving directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2'
gmake[8]: *** [rlm_eap_mschapv2] Error 2

-James
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 12:04:51 + James J J Hooper jjj.hoo...@bristol.ac.uk wrote:

--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote:

James J J Hooper wrote:

That could be fixed for 2.1.11, I guess. If someone can test it...

Yes please, and will do.

Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024)

Alan DeKok.

Hi Alan,

Compile error (result of patch .c attached):

rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'

I've added the missing comma, and it's building now :-)

-James
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok al...@deployingradius.com wrote:

Alan DeKok wrote:

James J J Hooper wrote:

rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'

I've added the missing comma, and it's building now :-)

Then you're using the git master branch, and not 2.1.x.

Nope, my mistake. See the recent message for a better patch.

*** With a bad password it does:

[eduroamlocalmschap]    expand: --nt-response=%{eduroamlocalmschap:NT-Response} -> --nt-response=58a58ef81a7975443ce2f2ea61d6e66b11974cd3fbbf2b2d
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[eduroamlocalmschap] External script failed.
[eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
++[eduroamlocalmschap] returns reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
[eduroamlocaleap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamlocaleap-bris-sha-ca] Failed in EAP select
++[eduroamlocaleap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect (eduroamlocalmschap: External script says Logon failure (0xc06d)): [jh1...@bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eduroamlocaleap-bris-sha-ca] returns handled

*** With a locked out user it does:

server eduroamlocal-inner {
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
Login incorrect (eduroamlocalmschap: External script says Account locked out (0xc234)): [jh176...@bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x
attr_filter: Matched entry DEFAULT at line 1
Sending Access-Challenge of id 7 to 137.222.253.66 port 48817
        EAP-Message = 0x0108002b19001703010020bfba7af9865436c3cbcd179868046228adb578769d6312fd4cb3caaf3626edc0
        Message-Authenticator = 0x
        State = 0x2183e4ed268bfd6e277ccbd19a06e21c

* Also, each time MS-CHAP-Error seems to be prefixed with a character - Is that intended?

-James
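As an added example (not code from this thread or from FreeRADIUS), the following Python builds and parses the MS-CHAP-Error value in the layout John Hayward's message describes (RFC 2759 section 6, in the 07/04/2011 thread above) and that the debug output just above shows: per RFC 2548 section 2.1.6 the attribute's first octet is the MS-CHAP Ident, which is the leading `\t` (0x09, matching the id 9 EAP-Message) and `\007` in those lines. The error code table is from RFC 2759; the 16-octet challenge and the message text in the demo are constructed sample data.

```python
"""Encode/decode MS-CHAP-Error as carried in RADIUS (RFC 2548 section 2.1.6):
one Ident octet, then the RFC 2759 section 6 failure text

    E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>

The short form "E=691 R=1" seen in the debug output above is also accepted.
Added example; not FreeRADIUS code."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 2759 section 6 error codes (decimal, as they appear after "E=")
ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# C= is the new 16-octet challenge as 32 hex digits; C=, V= and M= are optional
# so that the minimal "E=691 R=1" form parses too.
_FAILURE_RE = re.compile(
    r"^E=(\d+) R=([01])(?: C=([0-9A-Fa-f]{32}))?(?: V=(\d+))?(?: M=(.*))?$",
    re.DOTALL,
)


@dataclass
class MsChapError:
    ident: int                  # MS-CHAP Identifier: the leading octet
    code: int                   # E=
    retry: bool                 # R=1: client may re-prompt and try again
    challenge: Optional[bytes]  # C=: fresh challenge the retry must use
    version: Optional[int]      # V=: 3 for MS-CHAPv2
    message: str                # M=: free text

    @property
    def name(self) -> str:
        return ERROR_CODES.get(self.code, "UNKNOWN(%d)" % self.code)


def build_mschap_error(ident: int, code: int, retry: bool,
                       challenge: Optional[bytes] = None,
                       version: int = 3, message: str = "") -> bytes:
    """Return the attribute value: Ident octet followed by the failure text.

    A retry (RFC 2759 section 9.1.4) has to carry the new challenge, so C=
    and V= are emitted whenever a challenge is supplied; without one only
    the short "E=.. R=.." form is produced.
    """
    if not 0 <= ident <= 255:
        raise ValueError("ident must fit in one octet")
    if code not in ERROR_CODES:
        raise ValueError("unknown RFC 2759 error code %d" % code)
    text = "E=%d R=%d" % (code, 1 if retry else 0)
    if challenge is not None:
        if len(challenge) != 16:
            raise ValueError("challenge must be 16 octets")
        text += " C=%s V=%d" % (challenge.hex().upper(), version)
        if message:
            text += " M=%s" % message
    return bytes([ident]) + text.encode("ascii")


def parse_mschap_error(value: bytes) -> MsChapError:
    """Split an MS-CHAP-Error value into its fields; ValueError if malformed."""
    if len(value) < 2:
        raise ValueError("MS-CHAP-Error needs an Ident octet plus text")
    m = _FAILURE_RE.match(value[1:].decode("ascii"))
    if not m:
        raise ValueError("not an RFC 2759 failure message: %r" % value[1:])
    return MsChapError(
        ident=value[0],
        code=int(m.group(1)),
        retry=m.group(2) == "1",
        challenge=bytes.fromhex(m.group(3)) if m.group(3) else None,
        version=int(m.group(4)) if m.group(4) else None,
        message=m.group(5) or "",
    )


if __name__ == "__main__":
    # The two values from the debug output above: "\tE=691 R=1" and "\007E=691 R=1".
    for raw in (b"\tE=691 R=1", b"\x07E=691 R=1"):
        e = parse_mschap_error(raw)
        print("ident=%d %s retry=%s" % (e.ident, e.name, e.retry))
    # A full RFC 2759 retry message with a constructed (not random) challenge.
    chal = bytes(range(16))
    full = build_mschap_error(9, 648, True, chal, message="Password expired")
    print(full)
    print(parse_mschap_error(full).challenge == chal)
```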
Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
--On 04 March 2011 12:34 -0500 John Douglass john.dougl...@oit.gatech.edu wrote:

Group,

Recently, my AD servers were patched by another support group and this caused a (small but noticeable) service outage for our WPA radius services (Radius 2.1.9)

I can think of two things to investigate:

* Recent Samba can do winbind credential caching IIRC - I haven't experimented with this so I'm not sure if it will work for this application.

* Enable Fast Session Resumption: https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/eap#L312 ... We dropped the hits on our DCs by 40% by doing this. N.B. Resumed sessions will not touch your inner-tunnel config, so you have to make sure that you pay attention when (re-)assigning VLANs / other returned attributes based on username.

-James
Re: New User and AD Question
On 27/02/2011 18:08, McNutt, Justin M. wrote:

New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the realms file. I also went to #freeradius on FreeNode, but it seemed there was rarely anyone in the channel. So here I am.

I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain, single forest environment.

I'm running two virtual servers, based on the defaults. I have the campus-main virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users for all domains. I also have the campus-eap and campus-inner-tunnel virtual servers for EAP authentication that are the same as the default and inner-tunnel servers except for the names. (I copied them so I could make changes to the campus-XXX virtual servers and still have the originals for reference.)

The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the host\\computer.domain.name users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members.

Sooo... help? What's the basic idea behind making this work?

Hi Justin,

Could you send us the output of radiusd -X for a computer auth? If it works for users it should just work for machines.

You'll need to make sure you have samba 3.0.23 [IIRC] [which you seem to have] and your ntlm_auth line has to have an appropriately formatted User-Name bit e.g. %{mschap:User-Name} (the mschap module will take host\\computer.domain.name and turn it into computer$ automatically).

-James
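The User-Name rewrite James describes, as an added Python model (not rlm_mschap's own code): a computer account arrives as host/machine.domain.name (the thread also shows the host\\ spelling) and has to reach ntlm_auth as the sAMAccountName machine$. The DOMAIN\user handling and the ntlm_auth argument list are my assumptions about how the module's line is assembled, not something the thread states.

```python
"""Model of what %{mschap:User-Name} hands to ntlm_auth for computer accounts.
Added example; not FreeRADIUS code."""


def mschap_user_name(user_name: str) -> str:
    """Return the --username value for ntlm_auth.

    host/ (or host\\) prefix: drop it, keep the host label up to the first '.',
    and append '$', which is how AD names the computer account.
    Assumption (not stated in the thread): DOMAIN\\user keeps only 'user',
    because ntlm_auth is given the domain separately via --domain.
    """
    if user_name[:5].lower() in ("host/", "host\\"):
        host = user_name[5:].split(".", 1)[0]
        if not host:
            raise ValueError("host/ prefix without a machine name")
        return host + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def ntlm_auth_argv(user_name: str, domain: str, challenge_hex: str,
                   nt_response_hex: str) -> list:
    """Assemble the argument vector the mschap module's ntlm_auth line would exec.

    The flags are ntlm_auth's documented ones (--nt-response= appears in the
    debug output elsewhere on this page); the path is an assumption.
    """
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + mschap_user_name(user_name),
        "--domain=" + domain,
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]


if __name__ == "__main__":
    # Constructed sample names, not real accounts.
    for name in ("host/lab-pc01.campus.example.edu",
                 "host\\lab-pc01.campus.example.edu",
                 "CAMPUS\\jdoe", "jdoe"):
        print("%-36s -> %s" % (name, mschap_user_name(name)))
```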
Re: Framed-IP-Address AVP missing
--On Friday, February 11, 2011 11:36:09 +0530 Rajkumar R rajkuma...@aricent.com wrote:

Hi,

This query is related to Cisco-7206 equipment behavior.

Indeed, so you should be asking Cisco not FreeRADIUS

We have a Cisco 7206 (IOS 12.2(33)) equipment associated with FreeRADIUS server 2.1.10. Upon PPPoE client start, a dynamic IP is assigned from the IP pool to the PPPoE client. However this IP address is not included in the Framed-IP-Address AVP sent in the Access-Request message from the NAS. Request to provide your inputs on this, as this is reported across other forums (unfortunately, no answers available there :))

Read RFC 2865, Section 5.8... [paraphrase] Framed-IP-Address is primarily so RADIUS can tell the NAS which IP to give to the client, not the other way around. Most NASes do not allocate an IP until authentication has succeeded. You may well be able to find the given IP from an accounting packet though. Use a DB to match things up.

Regards,
James
Re: EAP and Accounting
--On Thursday, February 10, 2011 08:25:13 -0500 David Peterson dav...@wirelessconnections.net wrote:

I am working with a NAS that only sends accounting packets with the EAP style username. Other than matching up {am=1}f717cc32fff26ff29ca0baac5833f...@wimax.com with b...@wimax.com manually in the database are there other methods for achieving this?

Configure RADIUS to send the inner User-Name b...@wimax.com back in the outer Access-Accept. Your NAS should then use this User-Name when Accounting (if it doesn't, you need to refer to your NAS manufacturer).

Regards,
James
Re: Unable to authenticate in case of multilingual characters
--On 04 February 2011 22:02 +0530 karnik jain karnik.j...@gmail.com wrote:

Hi Alan,

I have written the multilingual character ∞ directly in the RADIUS server's users file without encoding it into UTF-8.

Do I need to write the Username in the users file of the RADIUS server after converting it into UTF-8 to make the whole thing work? If yes, then how can I write UTF-8 characters into the users file of the RADIUS server? Do I need to write directly the HEX of the encoded characters or some other way into the users file of the RADIUS server, as shown in the attached users file of the RADIUS server?

I have double checked that the UTF-8 encoder of mine is working fine. Multilingual character = ∞ (infinity symbol) is having equivalent form in HEX = 0xe2889e and UTF-8 encoding of 0xe2889e is = 0xf8 0xb8 0xa2 0x9e.

Can any one please look into the above issue and guide me how I can configure the files of the free RADIUS server to use a USER-NAME field other than US-ASCII, like Chinese etc.?

Regards,
Karnik jain

Hi Karnik,

If you put UTF in the users file and UTF in the User-Name in the radius request it will work. For example:

users:

現年快樂    Auth-Type := Accept

...and then testing it:

echo 'User-Name = 現年快樂' | radclient -x 137.222.253.91:16010 auth SECRET
Sending Access-Request of id 161 to 137.222.253.91 port 16010
        User-Name = 現年快樂
rad_recv: Access-Accept packet from host 137.222.253.91 port 16010, id=161, length=20

Regards,
James
Re: Question on Radius logs
--On Tuesday, February 01, 2011 08:41:54 -0800 Brett Littrell blittr...@musd.org wrote:

Hi All,

Real quick and I am sure easy question here. I read through the unlang man page, really helped in getting a clue. One thing I was wondering though, is there a way to output text to the log based on a condition? What I mean is something like if x!=y then printf("x did not equal y"). This would be for debugging and log review. Currently we use Cisco ACS, which with all its limitations the one thing that is great about it is its pass/fail logs. Our techs use them all the time to diagnose problems. If I could inject text strings into the logs when certain issues occur it would make it a lot easier to figure out scripts as well as make common issues easier for techs to troubleshoot. From what I can tell in the unlang man page it did not mention this, perhaps I missed it though.

Hi Brett,

It sounds like the linelog module may do what you need, in conjunction with unlang for the conditionals:

https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog

Regards,
James
Re: freeradius 2.1.10 WARNING: Internal sanity check failed
On 13/01/2011 18:26, joanroldan wrote:

I'm sorry! Try to rewrite the e-mail to a human mode ; )

Hi, I am configuring a freeradius for an institution for eduroam purposes, using Fedora 13 and with freeradius 2.1.10. The only EAP type supported is EAP-TTLS/PAP. I attach the radius -X output:

...

So I have mainly two doubts: First one, why this warning happens and how to solve it. Second one, is it normal that EAP-TTLS does not begin?

Thanks in advance, Joan.

Hi Joan,

1) This happens because you have made big changes to the default config.
2) You have configured FreeRADIUS to proxy the request to somewhere else.

For eduroam, you usually need to configure it so that:
* If the realm is one of your organisation's, the request is not proxied, but handled by FR
* If the realm is blank or rubbish, the request can be immediately rejected.
* If the realm is valid, and not your own organisation's, you should proxy the request to your national RADIUS servers.

I'd suggest going back to the default config. Read each file and get your TTLS/PAP working first, then add the proxying for other realms last.

See also: http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf

Regards,
James
SoH patch (was Re: Microsoft SoH Support)
On 11/10/2010 22:14, James J J Hooper wrote:

On 11/10/2010 12:37, Phil Mayers wrote:

On 09/10/10 15:01, Garber, Neal wrote:

Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.

Wow! That *must* have been a lot of work! Thank you Phil. Does this mean FreeRADIUS can now act as a Health Policy Server?

Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!

Hi Phil, Alan,

http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx - "Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy."

Hi Guys,

I've re-written the patch I originally forwarded to account for the third byte-first bit flag MS stuck in the middle of AU ClientStatusCode. As attached - still not pretty~~

-James

diff --git a/src/main/soh.c b/src/main/soh.c index 9ea5698..e57a714 100644 --- a/src/main/soh.c +++ b/src/main/soh.c
@@ -499,21 +499,23 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne case 3: /* auto updates */ s = auto-updates; - switch (hcstatus) { + /* The first bit of the second octet indicates if the case is by-policy (e.g. Group Policy) or not. + We ignore this bit in the switch, and then deal with it if necessary in each case */ + switch (hcstatus 0xfeff) { case 1: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 2: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 3: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 4: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 5: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 0xc0ff0003: snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn service-down, s); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
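Review bot: masking with 0xfeff in `switch (hcstatus 0xfeff)` (the `&` has been lost in the archive rendering) clears every bit above the low 16 as well as the policy bit, so the unchanged `case 0xc0ff0003:` (warn service-down) at the end of the hunk can no longer match: 0xc0ff0003 masked is 0x0003 and is reported as "ok action=download by-policy=0". Mask only the policy bit, e.g. `switch (hcstatus & ~0x0100)`, and check any other cases below the hunk that compare against values wider than 16 bits. Minor: compute `hcstatus & 0x0100 ? 1 : 0` once into a local before the switch rather than repeating it in all five snprintf calls, and have the comment name the bit numerically (0x0100), since the MSDN text quoted above calls it "the last bit of the third byte" while the comment says "the first bit of the second octet", which only agree for one byte order.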
Re: Problems with the mailing list?????
On 07/11/2010 10:32, mic...@casa.co.cu wrote:

Hello Gentlemen, are there problems on the list, or is everyone on vacation or has everyone just moved? I see no activity on the list. I repeat my previous message, only this time I'm more brief.

The silence was your answer: You would like FreeRADIUS to return an Idle-Timeout of 900 seconds, you configured it to do that, and you showed us it was doing that in the Access-Accept packet. Therefore there is no problem with FreeRADIUS.

If your NAS doesn't respect the Idle-Timeout attribute, that is a problem with your NAS - refer to its documentation to find out:
a) If it supports the Idle-Timeout attribute at all (If so it might have a bug - contact the NAS manufacturer).
or
b) If it supports a different method to do the same thing.

Regards,
James
FR 2.1.11git, Dead home server status server reply - possible minor bug
Hi Alan et al,

{Running FR from GIT up to commit b42665d4475835f38fe71ef749e39cd22587bcfa, Sat Oct 9 17:52}

Doing:

/bin/echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 131, FreeRADIUS-Stats-Server-IP-Address = ., FreeRADIUS-Stats-Server-Port = 1812" | /usr/local/bin/radclient localhost:18120 status secret

when the homeserver is dead I get back:

Received response ID 178, code 2, length = 200
        FreeRADIUS-Stats-Server-IP-Address = .
        FreeRADIUS-Stats-Server-Port = 1812
        FreeRADIUS-Stats-Server-Outstanding-Requests = 0
        FreeRADIUS-Stats-Server-State = Dead
        FreeRADIUS-Stats-Server-Time-Of-Death = Jan 6 1970 18:54:00 UTC
        FreeRADIUS-Total-Proxy-Access-Requests = 1651
        FreeRADIUS-Total-Proxy-Access-Accepts = 122
        FreeRADIUS-Total-Proxy-Access-Rejects = 60
        FreeRADIUS-Total-Proxy-Access-Challenges = 1345
        FreeRADIUS-Total-Proxy-Auth-Responses = 1527
        FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
        FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
        FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
        FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
        FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0

The date (Time-Of-Death) seems a little odd.

I poked around in the code and got as far as the below, which looks possibly wrong, but I don't understand C enough to work out what to do with it from the surrounding code:

/src/main/event.c:

        /*
         *      Enable the zombie period when we notice that the home
         *      server hasn't responded for a while.  We back-date the
         *      zombie period to when we last received a response from
         *      the home server.
         */
        home->state = HOME_STATE_ZOMBIE;
        home->zombie_period_start.tv_sec = home->last_packet;
        home->zombie_period_start.tv_sec = USEC / 2;

{Apologies if I'm totally going in the wrong direction}

Regards,
James
Re: Microsoft SoH Support
--On Monday, October 11, 2010 14:24:07 +0200 Alan DeKok <al...@deployingradius.com> wrote:

> Phil Mayers wrote:
>> I've tested it with WinXP SP3, Vista and Win7. There is one compile fix needed which must have snuck through (attached)
>
> I deleted all references to the REQUEST structure from src/lib/soh.c. The library functions are for clients, not just the server.
>
> The code in git should now be up to date, and should compile.

[I know it's work in progress, just FYI...]

There are two unprotected fprintf in peap.c which appear to block the server if you run it daemonized [i.e. not -X]:

  $ grep -A 5 -B 5 JJJ ./src/modules/rlm_eap/types/rlm_eap_peap/peap.c
        rad_assert(t->soh_virtual_server != NULL);
        fake->server = t->soh_virtual_server;
        RDEBUG("Processing SoH request");
        debug_pair_list(fake->packet->vps);
        //JJJ fprintf(fr_log_fp, "server %s {\n", fake->server);
        rad_authenticate(fake);
        //JJJ fprintf(fr_log_fp, "} # server %s\n", fake->server);
        RDEBUG("Got SoH reply");
        debug_pair_list(fake->reply->vps);

        if (fake->reply->code != PW_AUTHENTICATION_ACK) {
                RDEBUG2("SoH was rejected");

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Re: Microsoft SoH Support
On 11/10/2010 12:37, Phil Mayers wrote:
> On 09/10/10 15:01, Garber, Neal wrote:
>>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
>>
>> Wow! That *must* have been a lot of work! Thank you Phil. Does this mean FreeRADIUS can now act as a Health Policy Server?
>
> Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it.
>
> There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!

Hi Phil, Alan,

http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx

- Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy.

[We do a little of http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx on our clients via our wireless set-up wizard to help them keep up to date with patches]

... Therefore patch attached {confd-by= format only a suggestion}.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--

--- soh.c-orig 2010-10-11 20:54:28.0 +
+++ soh.c-new1 2010-10-11 21:02:49.0 +
@@ -500,19 +500,34 @@ int soh_verify(VALUE_PAIR *sohvp, const s = auto-updates; switch (hcstatus) { case 1: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled confd-by=user, s); break; case 2: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only confd-by=user, s); break; case 3: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download confd-by=user, s); break; case 4: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install confd-by=user, s); break; case 5: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured confd-by=user, s); + break; + case 0x0101: + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled confd-by=policy, s); + break; + case 0x0102: + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only confd-by=policy, s); + break; + case 0x0103: + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download confd-by=policy, s
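Review bot: the new `case 0x0101:` .. `case 0x0103:` arms (and presumably the cut-off 0x0104/0x0105 ones) repeat each existing format string verbatim with only the `confd-by=` suffix changed, so any later wording fix has to be made twice and a new AU state means two more arms. Since the message itself says the policy indication is a single bit of the status code, derive it once, e.g. `const char *by = (hcstatus & 0x0100) ? "policy" : "user";`, then `switch (hcstatus & 0xff)` over the five existing cases and pass `by` as a second `%s` argument; the "warn unconfigured confd-by=policy" combination then needs no separate arm. Also worth a `default:` that records the raw `hcstatus` value rather than leaving `vp->vp_strvalue` unset for codes the spec does not list. As captured here the hunk ends mid-statement inside `case 0x0103:`, so the closing arms and the end of the `switch` cannot be reviewed.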
Re: Microsoft SoH Support
On 11/10/2010 22:14, James J J Hooper wrote:
> On 11/10/2010 12:37, Phil Mayers wrote:
>> On 09/10/10 15:01, Garber, Neal wrote:
>>>> Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP.
>>>
>>> Wow! That *must* have been a lot of work! Thank you Phil. Does this mean FreeRADIUS can now act as a Health Policy Server?
>>
>> Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it.
>>
>> There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language!
>
> Hi Phil, Alan,
>
> http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx
>
> - Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy.
>
> [We do a little of http://technet.microsoft.com/en-us/library/cc708449%28WS.10%29.aspx on our clients via our wireless set-up wizard to help them keep up to date with patches]
>
> ... Therefore patch attached {confd-by= format only a suggestion}.

...I wonder if MS ever end up with:

  case 0x0105:
          snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%s warn unconfigured confd-by=policy", s);

Oh well, it's in the spec...

-James
radsniff build error (Re: Version 2.1.10 has been released)
Hi Alan,

I'm getting a make error. I tried ./configure --without-radsniff but still the same...

Is there a switch to disable building radsniff or do I have to get the PCAP libraries :(

  ./configure
  make
  ...
  .libs/radsniff.o(.text+0xd76): In function `main':
  /usr/local/dnsnode/src/radiusd/freeradius-server-2.1.10/src/main/radsniff.c:489: undefined reference to `pcap_dump_fopen'
  .libs/radsniff.o(.text+0xe8b):/usr/local/dnsnode/src/radiusd/freeradius-server-2.1.10/src/main/radsniff.c:467: undefined reference to `pcap_fopen_offline'
  collect2: ld returned 1 exit status
  gmake[4]: *** [radsniff] Error 1
  gmake[4]: Leaving directory `/usr/local/dnsnode/src/radiusd/freeradius-server-2.1.10/src/main'
  gmake[3]: *** [main] Error 2
  gmake[3]: Leaving directory `/usr/local/dnsnode/src/radiusd/freeradius-server-2.1.10/src'
  gmake[2]: *** [all] Error 2
  gmake[2]: Leaving directory `/usr/local/dnsnode/src/radiusd/freeradius-server-2.1.10/src'
  gmake[1]: *** [src] Error 2
  gmake[1]: Leaving directory `/usr/local/dnsnode/src/radiusd/freeradius-server-2.1.10'
  make: *** [all] Error 2

-James

--On Tuesday, September 28, 2010 15:34:00 +0200 Alan DeKok <al...@deployingradius.com> wrote:

> Thanks to everyone for being patient. Version 2.1.10 has just been released.
>
> http://freeradius.org/
>
> The changelog is quite large for a stable release. We've fixed a number of minor bugs. We've also added features which have been requested for a long time. Most notably:
>
> * Print out large WARNING message if we send an Access-Challenge for EAP, and receive no follow-up messages from the client.
>
>   This means that when EAP has been misconfigured or not deployed correctly, the server will print a message in debug mode saying "go read a specific page on the Wiki". That page contains detailed instructions for how to solve the problem.
>
> * Added support for TLS-Cert-* attributes. For details, see raddb/sites-available/default, post-auth section.
>
>   This means that much more complex certificate checking can be done.
>
> * Updated more documentation to use "Restructured Text" format. Thanks to James Lockie.
>
>   This makes the documentation simpler and easier to read.
>
> There are a number of other minor features which round out the server functionality. This makes it the best release for stability, documentation, and ease of use.
>
> Alan DeKok.

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: radsniff build error (Re: Version 2.1.10 has been released)
--On Tuesday, September 28, 2010 16:19:46 +0100 James J J Hooper <jjj.hoo...@bristol.ac.uk> wrote:

> Hi Alan,
>
> I'm getting a make error. I tried ./configure --without-radsniff but still the same...
>
> Is there a switch to disable building radsniff or do I have to get the PCAP libraries :(

...which in fact I already have (libpcap-0.8.3-12.el4_6.1), hence it's getting past the ./configure ok.

I'll refine the question to, what's the easiest way to disable building radsniff?

Cheers,
James
Re: radsniff build error (Re: Version 2.1.10 has been released)
--On Tuesday, September 28, 2010 17:48:39 +0200 Alan DeKok <al...@deployingradius.com> wrote:

> James J J Hooper wrote:
>> Hi Alan,
>>
>> I'm getting a make error. I tried ./configure --without-radsniff but still the same...
>>
>> Is there a switch to disable building radsniff or do I have to get the PCAP libraries :(
>
> There's no switch to disable radsniff. My guess is that you have an old version of libpcap, which doesn't support that call.
>
> The solution (for now) is to just edit src/main/Makefile. Find the line saying:
>
>   BINARIES+= radsniff
>
> and delete it. Do this *after* the 'configure' step.

Ok - Thanks.

If anyone else is in the same boat (RHEL4), comment this line too (so you can 'make install'):

  $(LIBTOOL) --mode=install $(INSTALL) -m 755 $(INSTALLSTRIP) radsniff$(EXEEXT) $(R)$(bindir)

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
On 15/09/2010 19:43, John Dennis wrote:
> On 09/15/2010 02:21 PM, Alan Buxey wrote:
>> Hi,
>>
>> seems okay
>>
>>> For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?
>>
>> you can use the same server certificate - so that the clients recognise them as the same - important if there is to be any failover have the CN to be eg radius.yourdomain
>
> Depends upon how aggressive the client is about validating the cert. The libraries I'm familiar with will take the CN of the subject do a DNS lookup and see if it matches the ip address on the socket. In which case I wouldn't expect the above to work.

Context folks! - You are authenticating your network connection, there is no DNS at this point... and even if there was the NAS doesn't have an IP, it's an EAPoL transaction.

Alan B is correct - use exactly the same certificate on the two servers.

-James
Re: a lot of memory inuse
--On 14 September 2010 17:01 +1000 "Strong, Mark" <mstr...@tnsi.com> wrote:

> Hi Guys,
>
> I have free radius 2.1.6, and it has quite a chunk of memory inuse at the moment, are there any known issues with this version and memory leaks?
>
> It's running on CentOS 4.7 32 bit, compiled with this version of MySQL 5.0.20a-0.rhel4 (which isn't standard on CentOS 4.7).
>
> I started with this source rpm freeradius-2.1.6-2.fc10.src.rpm
>
> And has handled 430,000 requests since it started approx one month ago.

Hi Mark,

* You haven't told us how much "a lot of memory" is.
* Upgrade to 2.1.10 (release imminent)
* All I can offer is a comparison based on probably totally different configurations:

  FreeRADIUS-Total-Access-Requests = 194758
  FreeRADIUS-Total-Accounting-Requests = 48158
  FreeRADIUS-Stats-Start-Time = Sep 12 2010 11:16:30 UTC
  Total memory usage = 23MB

Regards,
James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: a lot of memory inuse
--On 14 September 2010 08:15 +0100 James J J Hooper <jjj.hoo...@bristol.ac.uk> wrote:

> --On 14 September 2010 17:01 +1000 "Strong, Mark" <mstr...@tnsi.com> wrote:
>
>> Hi Guys,
>>
>> I have free radius 2.1.6, and it has quite a chunk of memory inuse at the moment, are there any known issues with this version and memory leaks?
>>
>> It's running on CentOS 4.7 32 bit, compiled with this version of MySQL 5.0.20a-0.rhel4 (which isn't standard on CentOS 4.7).
>>
>> I started with this source rpm freeradius-2.1.6-2.fc10.src.rpm
>>
>> And has handled 430,000 requests since it started approx one month ago.
>
> Hi Mark,
>
> * You haven't told us how much "a lot of memory" is.
> * Upgrade to 2.1.10 (release imminent)
> * All I can offer is a comparison based on probably totally different configurations:
>
>   FreeRADIUS-Total-Access-Requests = 194758
>   FreeRADIUS-Total-Accounting-Requests = 48158
>   FreeRADIUS-Stats-Start-Time = Sep 12 2010 11:16:30 UTC
>   Total memory usage = 23MB

... and of course: http://github.com/alandekok/freeradius-server/blob/v2.1.x/doc/ChangeLog

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: Logging ntlm authentication
--On Tuesday, September 07, 2010 14:11:42 +0100 Sion <mle...@gmail.com> wrote:

> On Tue, Sep 7, 2010 at 8:45 AM, Alan DeKok <al...@deployingradius.com> wrote:
>> Sion wrote:
>>> On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok <al...@deployingradius.com> wrote:
>>>> Sion wrote:
>>>>> I've also tried outer.reply, but I'm still not seeing it show up in my logs.
>>>>
>>>> sigh And the debug log says... ?
>>
>> Just set use_tunneled_reply = yes
>
> That had already been set, this is my peap config:
>
>   peap {
>           default_eap_type = mschapv2
>           copy_request_to_tunnel = yes
>           use_tunneled_reply = yes
>           proxy_tunneled_request_as_eap = yes
>           virtual_server = "inner-tunnel"
>   }

Hi,

Something like the below should copy the message to the outer tunnel, but it seems the next packet sent is a Challenge, not reject/accept. Therefore the message does not persist until reject/accept time.

  authenticate {
          Auth-Type MS-CHAP {
                  eduroamlocalmschap {
                          reject = 1
                  }
                  if (reject) {
                          update outer.reply {
                                  MS-CHAP-Error := "%{reply:MS-CHAP-Error}"
                          }
                          reject = return
                  }
          }
          ...
  }

-James

--
James J J Hooper
University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
--On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1...@gmail.com> wrote:

> Hello All,
>
> There are quite a few components coming into play here so I'm not exactly sure what's breaking where. Let me start with explaining our setup:
>
> We use cisco 1142 agn lightweight access points connected to a 4402 Wireless Lan Controller. This controller is doing radius authentication off of Freeradius 1.1.8 (with FreeBSD as the Host OS) on our primary ssid. When people authenticate it replies with Tunnel-Private-Group-ID based on their username/group. This puts them in the correct vlan for their department.
>
> This works perfectly fine with our Apple Laptops, iPhones, and iPads. However when I join with my Android phone or my n900 (maemo), I get put in the default vlan for the SSID.
>
> After some digging I found the following:
>
> When joining from the Apple devices, the User-Name comes across as
>
>   Tue Aug 10 17:13:03 2010
>           User-Name = "some...@somehwere.net"
>
> When Joining from my Android, it comes across as:
>
>   Tue Aug 10 11:26:53 2010
>           User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
>
> (A few chars changed to prevent the username from being figured out)
>
> This somehow is authenticating correctly because I get an IP address (in the incorrect vlan) and can surf the net, and if I mistype the password I get an authentication failure. However when it tries to do a match for the username to determine their group/vlan it fails because we don't have any users with that user name.
>
> Has anyone seen this before or have any leads I should follow?

Hi Tom,

Several small devices (phones etc) send a string such as above as the *outer* user-name - if you don't like this you need to re-config the device where possible [1].

More importantly, it seems you might be deciding VLAN based on the outer user-name in the request - this is bad (arbitrarily spoofable). You should use the EAP inner user-name.

* Upgrading to 2.1.x will make the inner/outer sessions much easier to configure and verify.
* Running radiusd -X [& post here] will confirm if this is the problem.

[1] Maemo: After configuring, you need to click the Advanced-settings button, change to the EAP page, select 'Use manual user name' and enter whatever you want in the box.
( http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies )

Regards,
James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Re: Freeradius2 and Samba3x
HI,

> Wed Jul 14 10:51:16 2010 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a3492c6411f5548251a05606aa028964d34b69c58e61c7d5
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc022)
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc022)
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program: returned: 1

^^ is that not the problem?

-James

--On Wednesday, July 14, 2010 11:22:43 -0400 freerad...@corwyn.net wrote:

> We're in the process of upgrading from Windows 2003 to 2008 R2. Our Linux systems are CentOS 5.5. Looks like samba won't auth against 2008 r2. So we upgraded to samba 3x, but that appears to break freeradius. Hrm.
>
> We're using freeradius to auth VPN users that are connecting from a sonicwall firewall, using the windows l2tp client.
>
> freeradius2-2.1.8-2.el5
>
> Here's the output from radiusd -xX
>
> rad_recv: Access-Request packet from host 10.4.1.2 port 2452, id=213, length=124
>         User-Name = "useraccount"
>         MS-CHAP-Challenge = 0xc527897da16351a24f3a92d91b066df1
>         MS-CHAP2-Response = 0x0100f3dd5207d539bd0d7e1f7be50178d382a3492c6411f5548251a05606aa028964d34b69c58e61c7d5
>         NAS-IP-Address = 10.4.1.2
>         NAS-Port = 0
> Wed Jul 14 10:51:16 2010 : Info: server server_vpn {
> Wed Jul 14 10:51:16 2010 : Info: +- entering group authorize {...}
> Wed Jul 14 10:51:16 2010 : Info: ++[preprocess] returns ok
> Wed Jul 14 10:51:16 2010 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> Wed Jul 14 10:51:16 2010 : Info: ++[mschap] returns ok
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] Entering ldap_groupcmp()
> Wed Jul 14 10:51:16 2010 : Info: [files]expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
> Wed Jul 14 10:51:16 2010 : Info: [files]expand: %{Stripped-User-Name} ->
> Wed Jul 14 10:51:16 2010 : Info: [files]... expanding second conditional
> Wed Jul 14 10:51:16 2010 : Info: [files]expand: %{User-Name} -> useraccount
> Wed Jul 14 10:51:16 2010 : Info: [files]expand: (&(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=useraccount)(objectClass=person))
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] attempting LDAP reconnection
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] (re)connect to int.example.com:389, authentication 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] waiting for bind result ...
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] Bind was successful
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=useraccount)(objectClass=person))
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Wed Jul 14 10:51:16 2010 : Info: [files]expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Account\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] object not found
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] performing search in CN=User Account,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
> Wed Jul 14 10:51:16 2010 : Debug: [ldap] performing search in CN=VPN_Users,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with
Re: Wanted: Commercial FreeRADIUS Support
http://www.google.co.uk/search?q=freeradius+commercial+support&btnI=1 ??

On 16/06/2010 23:03, Jackal Admin wrote:
> Even if you aren't able to provide support, I'd be interested in any suggestions for where to get support from.
>
> Jackal Admin wrote:
>> We have a hotspot authentication system built on FreeRADIUS, MySQL, and PHP. It is not too complicated but we don't have the time to work on it ourselves. Looking for an expert or company to provide support, modification, and troubleshooting for this installation. E-mail to ad...@jackalwireless.net
Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8
--On Thursday, June 10, 2010 10:10:05 +0200 Alan DeKok <al...@deployingradius.com> wrote:

> James J J Hooper wrote:
>> OK - GDB log attached. This is from git branch v2.1.x, up to and including 0e9ae1698ba55b16b149 (Cleaned up debug output to be readable - about 7 hours ago), but with c703fd595cb86f51e309 (Install cryptpasswd as radcrypt) reverted as it wouldn't 'make install' with this [see note below].
>
> OK. I fixed both problems. Thanks for tracking it down, it made the fix much simpler.
>
> Do a 'git pull' for the v2.1.x branch, and re-build. It should now be OK.

Hi Alan,

Thanks for the swift fix - It's much happier now.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8
On 10/06/2010 22:20, Alan Buxey wrote:
> Hi,
>
>> OK. I fixed both problems. Thanks for tracking it down, it made the fix much simpler.
>>
>> Do a 'git pull' for the v2.1.x branch, and re-build. It should now be OK.
>
> hmm, this is interesting...James, do you use COA at all? we don't but this code is still in there and we haven't had such a crash. could this be an issue that gets masked by a newer version of GCC (ours are generally CentOS 5.5 boxes...) - we have around 2,200 simultaneous users using 802.1X during the working day currently so show stopping bugs generally get seen

No - we don't use COA on these boxes [yet].

How many of your users are home, and how many visiting (or do you do any other proxying)? - Proxy replies seem to have been the trigger for that code path bug.

We seem to have a steady hundred or so users that get proxied up to the ORPS: http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png

-James
Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8
On 10/06/2010 22:42, James J J Hooper wrote:
> On 10/06/2010 22:20, Alan Buxey wrote:
>> Hi,
>>
>>> OK. I fixed both problems. Thanks for tracking it down, it made the fix much simpler.
>>>
>>> Do a 'git pull' for the v2.1.x branch, and re-build. It should now be OK.
>>
>> hmm, this is interesting...James, do you use COA at all? we don't but this code is still in there and we haven't had such a crash. could this be an issue that gets masked by a newer version of GCC (ours are generally CentOS 5.5 boxes...) - we have around 2,200 simultaneous users using 802.1X during the working day currently so show stopping bugs generally get seen
>
> No - we don't use COA on these boxes [yet].
>
> How many of your users are home, and how many visiting (or do you do any other proxying)? - Proxy replies seem to have been the trigger for that code path bug.
>
> We seem to have a steady hundred or so users that get proxied up to the ORPS: http://www.wireless.bris.ac.uk/gfx/random/eduroamvisitors.png

ORPS = NRPS (brain error)
Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8
On 09/06/2010 17:56, James J J Hooper wrote:
> Hi Alan, All,
>
> Since upgrading to 2.1.9, FR is segfaulting frequently (every 20 minutes with load, every ~8 hours with less load).
>
> Attached -X at startup, and the last 100 lines before segfault.
>
> If someone can explain how to drive GDB (or any other method to track this down), I'm happy to try it.

I found the manual (http://freeradius.org/radiusd/doc/bugs) so am RTFMing... I'll follow up with results if I find anything.

-James
Re: FR 2.1.9 Frequent SegFault, didn't happen with FR 2.1.8
On 09/06/2010 21:17, James J J Hooper wrote:
> On 09/06/2010 17:56, James J J Hooper wrote:
>> Hi Alan, All,
>>
>> Since upgrading to 2.1.9, FR is segfaulting frequently (every 20 minutes with load, every ~8 hours with less load).
>>
>> Attached -X at startup, and the last 100 lines before segfault.
>>
>> If someone can explain how to drive GDB (or any other method to track this down), I'm happy to try it.
>
> I found the manual (http://freeradius.org/radiusd/doc/bugs) so am RTFMing... I'll follow up with results if I find anything.

OK - GDB log attached. This is from git branch v2.1.x, up to and including 0e9ae1698ba55b16b149 (Cleaned up debug output to be readable - about 7 hours ago), but with c703fd595cb86f51e309 (Install cryptpasswd as radcrypt) reverted as it wouldn't 'make install' with this [see note below].

On linux, 2.6.9-89.0.23.ELsmp, CentOS release 4.8.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--

Note re: cryptpasswd:

  /usr/local/dnsnode/src/radiusd/git-20100609/freeradius-server/install-sh -c -m 755 cryptpassword /usr/local/bin/radcrypt
  install: cryptpassword does not exist
  gmake[2]: *** [install] Error 1

Starting program: /usr/local/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread -1208649024 (LWP 2425)]
Detaching after fork from child process 2491.
Detaching after fork from child process 2907.
Detaching after fork from child process 3334.
Detaching after fork from child process 3372.
Detaching after fork from child process 3374.
Detaching after fork from child process 3375.
Detaching after fork from child process 3376.
Detaching after fork from child process 3379.
Detaching after fork from child process 3381.
Detaching after fork from child process 3412.
Detaching after fork from child process 3424.
Detaching after fork from child process 3425.
Detaching after fork from child process 3427.
Detaching after fork from child process 3436.
Detaching after fork from child process 3437. Detaching after fork from child process 3547. Detaching after fork from child process 3628. Detaching after fork from child process 3630. Detaching after fork from child process 3631. Detaching after fork from child process 3633. Detaching after fork from child process 3635. Detaching after fork from child process 3636. Detaching after fork from child process 3638. Detaching after fork from child process 3653. Detaching after fork from child process 3659. Detaching after fork from child process 3661. Detaching after fork from child process 3708. Detaching after fork from child process 3711. Detaching after fork from child process 3713. Detaching after fork from child process 3714. Detaching after fork from child process 3716. Detaching after fork from child process 3718. Detaching after fork from child process 3772. Detaching after fork from child process 3774. Detaching after fork from child process 3775. Detaching after fork from child process 3777. Detaching after fork from child process 3779. Detaching after fork from child process 3781. Detaching after fork from child process 4214. Detaching after fork from child process 5039. Detaching after fork from child process 5041. Detaching after fork from child process 5787. Detaching after fork from child process 6157. Detaching after fork from child process 6159. Detaching after fork from child process 7359. Detaching after fork from child process 7484. Detaching after fork from child process 7839. Detaching after fork from child process 7840. Detaching after fork from child process 7891. Detaching after fork from child process 7904. Detaching after fork from child process 7906. Detaching after fork from child process 7932. Detaching after fork from child process 7934. Detaching after fork from child process 7936. Detaching after fork from child process 7938. Detaching after fork from child process 7990. Detaching after fork from child process 8005. 
Detaching after fork from child process 8016.
Detaching after fork from child process 8018.
Detaching after fork from child process 8027.
Detaching after fork from child process 8028.
Detaching after fork from child process 8030.
Detaching after fork from child process 8062.
Detaching after fork from child process 8154.
Detaching after fork from child process 8502.
Detaching after fork from child process 8504.
Detaching after fork from child process 8926.
Detaching after fork from child process 9864.
Detaching after fork from child process 9883.
Detaching after fork from child process 9884.
Detaching after fork from child process 9886.
Detaching after fork from child process 9890.
Detaching after fork from child process 9956.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208649024 (LWP 2425)]
0x08067c64 in received_proxy_response (packet=0x8430a20) at event.c:3075
3075            } else if ((request->packet->code != request->proxy->code)
* 1 Thread
Re: no access-accept with users file
On 25/05/2010 06:30, Robert Wilkinson wrote:
> I feel defeated. I was able to get an access-accept result. During my attempt to use MySQL it appears that I broke my configuration. I am using freeradius 2.1.8 on ubuntu 10.4 server. Here is my freeradius -X debug output:
>
>   WARNING: Empty section.  Using default return values.
>   No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

Hi Robert,

What do you actually want it to do, auth against MySQL, or auth against the users file, both or something else?

At the moment it seems to be configured to do nothing:

  WARNING: Empty section.  Using default return values.
  No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

... so, it's doing nothing.

I'd go back to the default config, and change one thing at a time, then test that it does what you expect, repeat until it works totally as you wish, or you break it. If the latter, revert the most recent config change.

... and the documentation: http://wiki.freeradius.org/SQL_HOWTO etc

Regards,
James
Re: Free Radius testing....
On 16/05/2010 10:26, John Raja wrote: Hi, I have installed freeradius server in centos. I am trying to test with the below mentioned command and I am getting the error output as given below, please help me out... I have created the username in the users file: bob Cleartext-Password := hello _Command_ # radtest bob bob localhost 1812 testing _Output_ Sending Access-Request of id 147 to 127.0.0.1 port 1812 User-Name = bob User-Password = bob NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Sending Access-Request of id 147 to 127.0.0.1 port 1812 User-Name = bob User-Password = bob NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Sending Access-Request of id 147 to 127.0.0.1 port 1812 User-Name = bob User-Password = bob NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 radclient: no response from server for ID 147 socket 3 Hi John, -- 3. DEBUGGING THE SERVER Run the server in debugging mode, (radiusd -X) and READ the output. We cannot emphasize this point strongly enough. The vast majority of problems can be solved by carefully reading the debugging output, which includes WARNINGs about common issues, and suggestions for how they may be fixed. -- Is the server running, is the shared secret correct, do you firewall traffic on the localhost interface? -James
Re: NAS-IP vs srcIP
--On 01 April 2010 09:39 -0700 Marlon Duksa mdu...@gmail.com wrote: Hi everyone - Can anyone think of a reason why the NAS-IP and the src-IP of the access-req packet should not be the same? If the NAS-IP is configurable in the NAS, then the NAS-IP can be set to an IP address other than the src-ip of the NAS that is used in regular FreeRadius accounting/authorization packets. The source IP address of the NAS is normally the native interface address from which the access-req was sent (but it can be configurable). The NAS-IP would be used to address the NAS in CoA requests sent from the FreeRadius. We need this behavior to address certain deployment requirements. Radius proxying! An incoming radius packet may come via a proxy. Therefore that packet's src.ip = the proxy's IP. The NAS-IP-Address attribute is set to whatever the NAS wants to send. Whether you can address a CoA to the NAS-IP-Address depends on: * whether the NAS chose/was configured to send the IP its CoA listener is bound to in the NAS-IP-Address attribute; * whether you can access that IP/port directly - if your NAS is configured only to talk via a RADIUS proxy, and everything else is firewalled out, direct replies (CoA or otherwise) won't work. -James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
Re: Insert Realm in mysql
--On 27 March 2010 12:07 +0600 Rabidinov M.A. tux...@mail.ru wrote: Hello, Freeradius-users. I use freeradius 2.1.8 with MySQL. Freeradius doesn't insert the realm into the radacct table. [suffix] Looking up realm un for User-Name = tux...@un [suffix] No such realm un ++[suffix] returns noop As seen, there is no data in %{Realm}. Refer to man rlm_realm ... realms have to be defined in proxy.conf for suffix to recognise them: realm un { ... } Alternatively, use a regex in unlang to split the username as you wish. -James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
Re: proxy same realm but different authentication protocol to different server
On 27/01/2010 09:39, piston wrote: I've tried the below at the end of the authorize section:

if (control:Auth-Type := EAP) {
    update control {
        { Proxy-To-Realm == xyz.com }

Your operators and nesting are wrong above...

if (control:Auth-Type == EAP) {
    update control {
        Proxy-To-Realm := xyz.com
    }
}

-James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
RE: Duplicating results for radtest
--On Wednesday, January 27, 2010 05:11:26 PM + Mark Smith mark.sm...@abelalarm.co.uk wrote: Please see attached radiusd -X dump file as requested. Mark Smith Systems Engineer -Original Message- From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk] Sent: 27 January 2010 14:39 To: mark.sm...@abelalarm.co.uk; FreeRadius users mailing list Subject: Re: Duplicating results for radtest radiusd -X then we can see what/where things are happening Hi Mark, Your -X doesn't seem to include an auth request... Could you send one that does? If you watch the -X during the auth request, you should be able to see when and why any attributes are added. -James
Re: EAP Session resumption reply attributes
On 20/01/2010 23:36, Arran Cudbard-Bell wrote: On 1/17/2010 8:37 AM, Alexander Clouter wrote: James J J Hooper jjj.hoo...@bristol.ac.uk wrote: In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth, ensure the inner tunnel sets reply:outer User-Name to request:inner User-Name, and then key my VLAN computation (in outer post-auth) from reply:User-Name. We have been doing authorisation depending on the outer layer since summer. How did you get around the "my policy rejects you now, but I've already sent a tunneled success TLV in the TLS tunnel and you're now ignoring my EAP-Failure messages" issue... or are you just happily ignoring it/encouraging adoption of TTLS-PAP like I was? :) -Arran Our setup never changes its mind :-) Any valid credentials always get a connection. ...only whether that connection is Internet/port limited/captive redirect to web message server changes. This also avoids the 'wireless doesn't accept my password' queries at the helpdesk (which end up with the user messing around and perhaps turning off certificate validation to see if that fixes it etc). Instead facebook.com returns "you're a virus infected monster - use a different PC to read your email. We've sent you instructions" etc. -James
Re: EAP Session resumption reply attributes
--On Thursday, January 21, 2010 10:05:36 AM + Alexander Clouter a...@digriz.org.uk wrote: James J J Hooper jjj.hoo...@bristol.ac.uk wrote: How did you get around the "my policy rejects you now, but I've already sent a tunneled success TLV in the TLS tunnel and you're now ignoring my EAP-Failure messages" issue... or are you just happily ignoring it/encouraging adoption of TTLS-PAP like I was? :) Our setup never changes its mind :-) Any valid credentials always get a connection. ...only whether that connection is Internet/port limited/captive redirect to web message server changes. Arran is probably referring to that with EAP TLS reauth you are actually using the authentication (and possibly authorisation) credentials from a previous session that can even be a few days prior. You might decide to do some user focused authorisation in the post-auth section[1], for example you might reject a user if their user account has been disabled, or if they are in the wrong group or maybe they have been a Bad Bad Boy(tm) :) You might then have them marked 'disabled' in your LDAP tree, however the EAP-TLS reauth bit never gets that far, so you end up accepting them. That's precisely what I meant, although I didn't explain it. If the credentials were initially valid, for the life of the connecting device being able to resume its session, we always send back an Access-Accept (even if their account is now disabled). We then use outer post-auth to put them in a suitable network. (i.e. Naughty users get only a WRD to say so.) -James -- James J J Hooper Network Specialist Information Services University of Bristol +44 (0)117 331 7080 (17080 internal) --
Re: How to set default ENVIRONMENT for programs runned from cron?
On 20/01/2010 21:08, Коньков Евгений wrote: Hi If a program run from cron runs another process like curl or wget or anything else located in PATH, it says: can not find curl etc. NOTICE: when a program is run from cron there is no PATH environment variable. Does anyone know how to pass the environment to programs run from cron? Hi, This being the FreeRADIUS list, your question should probably be vaguely related to FreeRADIUS. http://www.google.com/search?q=crontab+set+path -James
FR2.1.8, EAP-Session-Resumed, src/modules/rlm_eap/libeap/eap_tls.c
Hi Alan, Is the value of EAP-Session-Resumed being set to the wrong value (zero, instead of one)?

In src/modules/rlm_eap/libeap/eap_tls.c:

/*
 * Mark the request as resumed.
 */
vp = pairmake("EAP-Session-Resumed", "0", T_OP_SET);
if (vp) pairadd(&request->packet->vps, vp);

In share/dictionary.freeradius.internal:

ATTRIBUTE  EAP-Session-Resumed  1128  integer
VALUE      EAP-Session-Resumed  no    0
VALUE      EAP-Session-Resumed  yes   1

Apologies if I have misunderstood the code.

-James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
EAP Session resumption reply attributes
Hi All, When a client does session resumption (cache { enable = yes } in eap.conf), the session User-Name (from the previous access-accept) is restored from the cache, e.g.: [ttls] Skipping Phase2 due to session resumption [ttls] Adding cached attributes to the reply: User-Name = ab1234 In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth, ensure the inner tunnel sets reply:outer User-Name to request:inner User-Name, and then key my VLAN computation (in outer post-auth) from reply:User-Name. I can see other possibilities to do this (e.g. cache Tunnel-Private-Group-Id in the TLS session cache), but the above seems ok to me. Can anyone on the list spot any problems, something that I've missed / gotchas with the above? Many thanks, James
Re: EAP Session resumption reply attributes
On 17/01/2010 20:22, Alan Buxey wrote: Hi, One thing to remember, is for *your* users roaming at other universities to remember to remove the reply:User-Name attribute to protect the guilty. :) the best thing to do for this is to create a new virtual server - eg 'eduroam' - which is identical to your normal stuff EXCEPT that it doesn't return VLANs etc. just ensure that this virtual server is only called when a request comes from the national proxies (or perhaps, just not one of your own NAS - eg properly assign your own NAS to their own internal virtual server) - et voila... you cannot accidentally mess up remote connections etc yep - that's what we are already doing for eduroam ;-) -James
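The arrangement James describes in his question (inner tunnel copies the inner User-Name into the outer reply; outer post-auth keys the VLAN on reply:User-Name, which survives session resumption because it is cached with the TLS session) and the separate eduroam virtual server Alan suggests, written out as an added FreeRADIUS 2.x configuration example. This is not configuration from the thread or from the FreeRADIUS project. The username pattern, the VLAN numbers and the virtual-server names other than inner-tunnel are assumptions for illustration; only User-Name and the three Tunnel-* attributes come from the thread.

```unlang
# Added example, not from the thread.  FreeRADIUS 2.x unlang.
# Requires cache { enable = yes } under eap { tls { ... } } in eap.conf,
# as in the original post; the authorize/authenticate sections of each
# server are the stock ones and are omitted here.

# sites-enabled/inner-tunnel: make the inner identity visible on the
# outer reply.  The outer reply is what the TLS session cache stores, so
# this User-Name is restored on resumption even though post-auth here
# does not run again.
server inner-tunnel {
    post-auth {
        update outer.reply {
            User-Name := "%{request:User-Name}"
        }
    }
}

# sites-enabled/default (your own NASes): derive the VLAN from the reply
# User-Name, which is present both after a full inner auth and after a
# resumed session.  "ab[0-9]+" and the VLAN numbers are assumptions.
server default {
    post-auth {
        if (reply:User-Name =~ /^ab[0-9]+$/) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "100"
            }
        }
        else {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "200"
            }
        }
    }
}

# sites-enabled/eduroam: used only for requests arriving from the
# national proxies.  Same authentication, but never hand a local VLAN
# assignment or the inner identity to a remote site.
server eduroam {
    post-auth {
        update reply {
            Tunnel-Type !* ANY
            Tunnel-Medium-Type !* ANY
            Tunnel-Private-Group-Id !* ANY
            User-Name !* ANY
        }
    }
}
```

The split into two virtual servers is what makes the User-Name trick safe: the eduroam server is selected by the listener or client definition for the proxies, so a local policy change in "default" cannot leak a VLAN to a remote institution by accident. Check with radiusd -X that a resumed session shows the cached User-Name in the reply before the outer post-auth section runs; if it does not, the VLAN condition above will silently fall through to the default branch.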
Re: Does FreeRadius support different replies for same user via check-attributes?
--On Friday, January 08, 2010 03:35:00 PM +0100 Tobbe Millan ejp2...@tninet.se wrote: Hi! I would like a specific request item to set which attribute to reply. For example... IF; A request comes with User-Name: XXX, Password: YYY and Attribute A = Go1 The Access-Accept should include Attribute Go=Service1 BUT IF; A request comes with User-Name: XXX, Password: YYY and Attribute A = Go2 The Access-Accept should include Attribute Go=Service2 Is this possible? It is. http://freeradius.org/radiusd/man/unlang.html -James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
Re: winbindd_privileged error?
--On 08 January 2010 17:14 -0500 freerad...@corwyn.net wrote: I had everything working fine, and now it's not. (I use the ldap module to auth) When I look through the logs, I'm getting a winbindd_privileged error. I've seen that before, where you apply: chgrp radiusd /var/cache/samba/winbindd_privileged chmod g+rw /var/cache/samba/winbindd_privileged but that doesn't seem to be resolving in this case. I believe I did run yum update today and it updated samba. winbind won't start. Jan 8 17:09:45 ns5 winbindd[2086]: initialize_winbindd_cache: clearing cache and re-creating with version number 1 Jan 8 17:09:45 ns5 winbindd[2086]: [2010/01/08 17:09:45, 0] lib/util_sock.c:create_pipe_sock(1280) Jan 8 17:09:45 ns5 winbindd[2086]: invalid permissions on socket directory /var/cache/samba/winbindd_privileged So... what does the equivalent of: sudo ls -la /var/cache/samba/winbindd_privileged say on your system?? Perhaps you have lost the execute bit on your directory permissions? -James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
Re: winbindd_privileged error?
--On 08 January 2010 22:24 + James J J Hooper jjj.hoo...@bristol.ac.uk wrote: --On 08 January 2010 17:14 -0500 freerad...@corwyn.net wrote: I had everything working fine, and now it's not. (I use the ldap module to auth) When I look through the logs, I'm getting a winbindd_privileged error. I've seen that before, where you apply: chgrp radiusd /var/cache/samba/winbindd_privileged chmod g+rw /var/cache/samba/winbindd_privileged but that doesn't seem to be resolving in this case. I believe I did run yum update today and it updated samba. winbind won't start. Jan 8 17:09:45 ns5 winbindd[2086]: initialize_winbindd_cache: clearing cache and re-creating with version number 1 Jan 8 17:09:45 ns5 winbindd[2086]: [2010/01/08 17:09:45, 0] lib/util_sock.c:create_pipe_sock(1280) Jan 8 17:09:45 ns5 winbindd[2086]: invalid permissions on socket directory /var/cache/samba/winbindd_privileged So... what does the equivalent of: sudo ls -la /var/cache/samba/winbindd_privileged say on your system?? Perhaps you have lost the execute bit on your directory permissions? Further to previous... Samba: ./source/lib/util_sock.c ./source/nsswitch/winbindd_util.c ... it looks like your directory must be chmod 750; anything other than 750 gives you that error message. -James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
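A check a practitioner can run before restarting winbind, added here as an example rather than anything from the thread or from Samba: it tests the same three things the "invalid permissions on socket directory" message is about. The exact-0750 requirement is from James's reading of the Samba source above; the owner check (the directory must belong to the user winbindd runs as, root on a normal install) and the group check (a group the RADIUS daemon is in, "radiusd" in the original poster's chgrp) are the two other reasons the chgrp/chmod recipe fails. The path, the "radiusd" group and the default "root" owner are assumptions; the script uses GNU stat, so it is Linux-specific.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba.

# winbind_priv_check DIR GROUP [OWNER]
#   Prints one line per problem and returns 1 if there is any; prints
#   "ok" and returns 0 when DIR is a directory with mode exactly 0750,
#   owned by OWNER (default root) and group GROUP.
winbind_priv_check() {
    dir=$1
    want_group=$2
    want_owner=${3:-root}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")

    # Samba rejects anything that is not exactly 0750: 0755 exposes the
    # privileged socket to every local user, 0700 locks the RADIUS
    # daemon out, and "chmod g+rw" on a 0755 directory still leaves it
    # at 0775.
    if [ "$mode" != "750" ]; then
        echo "mode is $mode, expected 750 (chmod 750 $dir)"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group (chgrp $want_group $dir)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $dir"
    return "$rc"
}

# Usage on a RADIUS server (path varies by distribution; "radiusd" is the
# group the original poster used):
#   winbind_priv_check /var/cache/samba/winbindd_privileged radiusd
if [ $# -gt 0 ]; then
    winbind_priv_check "$@"
fi
```

Run it as root so the ownership is reported by name, and follow it with id radiusd to confirm the daemon's supplementary groups actually include the group the directory carries: a correct 0750 directory is still useless if the chgrp pointed at a group radiusd is not in. A package update that recreates the directory (as the yum update in the thread appears to have done) resets both mode and group, which is why the recipe has to be reapplied after upgrades.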
Re: mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?
On 07/01/2010 18:57, Difan Zhao wrote: Greetings! I did read the "mschap" module file and I did see that in order to use a cleartext password, I need to set "MS-CHAP-Use-NTLM-Auth := No", however I don't know where to set it. I tried to set it in the "hints" file like the following. I added it to the beginning of the file and the rest is just default.

enseo_stb MS-CHAP-Use-NTLM-Auth := No

The "enseo_stb" is the username. I do see that it matched the line in the preprocess in the debug, however the authentication still failed. I don't have this user account set in Windows AD. I do have it set in my users file.

Enseo_stb Cleartext-Password := password

Any advice?? Thank you!!

In the config file for your EAP inner-tunnel:

server inner-tunnel-server {
    authorize {
        ...
        update control {
            MS-CHAP-Use-NTLM-Auth := 0
        }
        mschap
        ...
    }
}

... you could use unlang to wrap it in an if statement if you wanted to be selective about when to apply it.

-James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net --
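The selective form James alludes to, as an added example that is not from the thread or from the FreeRADIUS project: only inner-tunnel requests whose User-Name matches a local pattern are switched away from ntlm_auth, so the set-top-box accounts are checked against the Cleartext-Password in the users file while every other PEAP/MS-CHAPv2 login still goes to Active Directory. The "enseo_" prefix is an assumption taken from the poster's username.

```unlang
# Added example, not from the thread.  sites-enabled/inner-tunnel,
# FreeRADIUS 2.x.  Only the relevant part of authorize is shown; the
# other modules are the stock ones.
server inner-tunnel {
    authorize {
        # Local device accounts exist only in the users file (with a
        # Cleartext-Password) and not in AD.  Tell rlm_mschap not to call
        # ntlm_auth for them; it will compute the MS-CHAPv2 response
        # from the known password instead.  Everything else still goes
        # to AD through ntlm_auth.
        if (User-Name =~ /^enseo_/) {
            update control {
                MS-CHAP-Use-NTLM-Auth := 0
            }
        }
        mschap
        files
    }
}
```

The matching users file entry is the one-line form the poster already has, and its key must match the inner User-Name as it arrives, so keep the case consistent between the users file and what the supplicant sends. Verify with radiusd -X: for a matching user the inner-tunnel debug should show rlm_mschap using the Cleartext-Password, with no Exec-Program line for ntlm_auth, while a non-matching user still produces the ntlm_auth call.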
Re: Authentication against Active Directory page
On 22 Sep 2006, at 20:26, Alan DeKok wrote: http://deployingradius.com/documents/configuration/active_directory.html It describes a minimal set of steps to take to get authentication working against Active Directory. It works in my limited tests, but if anyone runs into problems, please email me, and I'll update the page. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog Does FreeRADIUS taint check (i.e. escape certain characters)? If not, does the plain text password auth bit of the page have security considerations? Regards, James
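The distinction James's question turns on, shown as an added example that is neither FreeRADIUS code nor anything from the thread: whether a user-supplied password reaches an external helper as one argv element, or is spliced into a command line that a shell re-parses. Whether FreeRADIUS itself ever passes the string through a shell is exactly what the question asks and is not answered here; the script lets you see the two behaviours side by side so you can compare against radiusd -X output for your own configuration. show_args stands in for the real helper (ntlm_auth), so nothing is authenticated and the only thing executed is printing.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeRADIUS code.

# Stand-in for the helper: print exactly the arguments it received, one
# per line in brackets, so argument boundaries are visible.
show_args() {
    printf '[%s]\n' "$@"
}

# Unsafe: the command line is built as a string and handed to a shell
# (eval here; "sh -c" in a wrapper script is the same thing).  Whatever
# the password contains is parsed as shell syntax, so a ';' ends the
# command and starts another one.
unsafe_invoke() {
    user=$1
    password=$2
    eval "show_args --username=$user --password=$password"
}

# Safe: each value is passed as one argument and nothing re-parses the
# line.  This is how a direct exec() of the helper behaves; no escaping
# of the password is needed because there is no shell to escape for.
safe_invoke() {
    show_args "--username=$1" "--password=$2"
}

# How many arguments did the helper see?  With a two-flag invocation the
# answer must always be 2, whatever the password looks like.
arg_count() {
    "$@" | wc -l | tr -d ' '
}

# Stand-alone demo: ./script.sh bob 'x; show_args injected'
if [ $# -eq 2 ]; then
    echo "unsafe:"
    unsafe_invoke "$1" "$2"
    echo "safe:"
    safe_invoke "$1" "$2"
fi
```

Two caveats that argv hygiene does not cover. First, on a default Linux install every local user can read other processes' command lines through ps or /proc, so a helper that takes --password on its command line discloses the password for as long as it runs, even when no shell is involved; the MS-CHAP path earlier on this page hands ntlm_auth a challenge and --nt-response instead of the cleartext, which avoids that. Second, a password containing a quote character makes the unsafe form fail with a parse error rather than run something, so "it rejects odd passwords" is not evidence that the invocation is safe.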
Re: Authentication against Active Directory page
On 23 Sep 2006, at 12:56, Jonathan De Graeve wrote: Does somebody know when machine authentication is supported in samba and if there is a patch for the 3.0.14 (debian stable) version? I think it was 3.0.20b... (search the release notes for 'machine account' if you want to be sure). Don't know about a patch, but the source comes with instructions for building a debian package. Regards, James -- James J J Hooper Information Services University of Bristol --
Re: Freeradius 1.1.3 not forking child processes
On 8 Sep 2006, at 22:02, Alan DeKok wrote: Jonathan De Graeve [EMAIL PROTECTED] wrote: Hello, I just installed 1.1.3 on my system and it doesn't fork the 5 freeradius processes. (start_servers = 5) You're running Linux 2.6. It doesn't show multiple threads as separate processes. Alan DeKok. ps -efL | grep radius ... will show your 5 threads, if it only shows one, then one you only have! Regards, James -- James J J Hooper Information Services University of Bristol --
Re: download of 1.1.2.tar.gz broken
--On Thursday, August 24, 2006 10:23:14 -0500 Elizabeth Murray [EMAIL PROTECTED] wrote: I've been trying to download your latest and greatest. The link is not working. Error message is 550 /pub/radius/freeradius-1.1.2.tar.gz: No such file or directory The same is true for the PGP Signature Going here: ftp://ftp.freeradius.org/pub/radius/ 1.1.3 is there 1.1.2 seems to be in ftp://ftp.freeradius.org/pub/radius/old/ a new release ! ... Just appears the webpage hasn't been tweaked quite yet. Regards, James -- James J J Hooper, Information Services University of Bristol --