Re: Installation of FreeRadius on Solaris 10

2005-06-26 Thread Jim Seymour
[EMAIL PROTECTED] wrote:
> 
> Jim Seymour wrote:
> >   
> > Jas <[EMAIL PROTECTED]> wrote:
> > [snip]
> > > /usr/ccs/bin/ld -G -z defs -h libltdl.so.3 -o
> > > .libs/libltdl.so.3.1.0  ltdl.lo  -ldl -lnsl -lresolv
> > > -lsocket -lposix4 -lpthread -lcrypto -lssl -lc
> > > ld: fatal: library -lcrypto: not found
> > > ld: fatal: library -lssl: not found
> > [snip]
> >   
> > You're missing the libraries libcrypto and libssl.
> 
> But then, why does configure in the OPs log claim they
> are available:
> 
> > > checking for openssl/ssl.h... yes
> > > checking for DH_new in -lcrypto... yes
> > > checking for SSL_new in -lssl... yes
> 
> That's totally puzzling to me. I think there something
> else going on ... :-(

Hmmm... Good catch--I'd missed that.  How does configure determine
their existence, or lack thereof?  (I don't have FreeRADIUS installed
here at home, or I'd look.)

Jim
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Installation of FreeRadius on Solaris 10

2005-06-26 Thread Jim Seymour

Jas <[EMAIL PROTECTED]> wrote:
> 
> Hi All,
>  
> I would really appriciate, if you would kindly help me
> out.
[snip]
> /usr/ccs/bin/ld -G -z defs -h libltdl.so.3 -o
> .libs/libltdl.so.3.1.0  ltdl.lo  -ldl -lnsl -lresolv
> -lsocket -lposix4 -lpthread -lcrypto -lssl -lc
> ld: fatal: library -lcrypto: not found
> ld: fatal: library -lssl: not found
[snip]

You're missing the libraries libcrypto and libssl.  These are from
OpenSSL.  I would suggest you install the proper packages, already
built for you, from sunfreeware.com.

Jim


RE: FreeRADIUS 1.0.3 has been released

2005-06-04 Thread Jim Seymour
Abdul Lateef <[EMAIL PROTECTED]> wrote:
> 
> 
> Thanx for new version of freeradius.
> 
> It will be more easy if you can tell what are new
> features added in the new ver.?

You mean like those that were listed in the announcement email?

Jim


Re: time request

2005-05-31 Thread Jim Seymour

Thiago Felipe de Andrade <[EMAIL PROTECTED]> wrote:

You'll probably get more help if you post your message to the list
in straight text instead of HTML.

Jim


Re: radius + peap + wifi + mac os x

2005-05-31 Thread Jim Seymour
Vittore Zen <[EMAIL PROTECTED]> wrote:
> 
> Hi,
> 
> I'm using freeradius (+mysql) in a wireless infrastructure with a dozen 
> of linksys WAP54G access point (using AES).
> Authentication is PEAP with mschapv2.
> All go right when use Windows clients but no response using Mac Os X 
> clients.
> Any ideas? Someone says me that MacOsX use a tunnel with md5 nor mschapv2.
> Note that is server starts with -X no authentication is required from 
> MacOsX client.

I have a single Mac OS X client at work, an iBook, and it's working
fine with FreeRADIUS 1.0.2 and a NetGear FWAG114 (IIRC).

Jim


Re: Please resend this message to Kim Jones'

2005-05-30 Thread Jim Seymour
"Christopher Bootland" <[EMAIL PROTECTED]> wrote:
>
> 
> Why is Kim Jones at SimplyNet (?) harvesting addresses on this mailing list? 
> I can't think of a valid reason why a third-party needs to know.  Does 
> anybody have any more information?

Most likely what's happening is he, or whomever at his old email
address, is running lame email software that's auto-responding to
traffic from the mailing list.  This is, more often than not, the fault
of Windows-based malware that doesn't know any better than to
auto-respond to "bulk" or "list" precedence messages, or to messages
not addressed directly to the recipient.  The "X-Mailer: " in his auto-responses suggests this is another such example.

The list owner needs to manually remove "[EMAIL PROTECTED]" from the
mailing list.

Jim



Re: Wireless Authentication

2005-05-29 Thread Jim Seymour
Radius <[EMAIL PROTECTED]> wrote:
>
> 
> Does anyone have any links or on-line examples that show how to
> use FreeRadius to do 802.1x authentication?

From the front page, under "News!":

* 05 October, 2004 Setting up wireless authentication: 802.1X
  Port Based Authentication HOWTO. This document provides a good
  introduction to the concepts behind wireless authentication,
  and to configuring and testing FreeRADIUS in wireless systems.

There's a link to the documentation in that paragraph, on that page.

Jim


Re: How to implement challenge/response authentication

2005-05-24 Thread Jim Seymour

Terry lee <[EMAIL PROTECTED]> wrote:

You might have better luck if you turned off the HTML and posted in
straight text.

Jim



Re: RADIUS NETWORK

2005-05-11 Thread Jim Seymour
"Paulo C. Panaligan" <[EMAIL PROTECTED]> wrote:
> 
> WHAT MATERIALS DO I NEED TO SETUP A RADIUS NETWORK ON LINUX?

Paulo, you're not getting any useful answers because you're violating
every rule in the book on how to go about asking for help.  Briefly:
You're asking a group of people, this mailing list, to do all your work
for you, to spoon-feed you, as it were, without demonstrating any
willingness to expend any energy, time or resources of your own into
learning how to do things.

Mailing lists and other forums like this one do not exist to do your
work for you, but to help you get over rough spots and improve the
product/project through bug reports, etc.

I might note that students pestering mailing lists to do their
school-work for them are generally particularly unwelcome.  Ask for
help: Certainly.  Ask us to do your project for you: No.

I believe you'd be well-advised to read this:



Pay particular attention to the section entitled "Before You Ask."

Good luck.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: suggestions for freeradius restart wrapper (other than daemontool s)

2005-05-10 Thread Jim Seymour

Tariq Rashid <[EMAIL PROTECTED]> wrote:
> 
> 
> i know the FAQ mentions the daemontools for ensuring that the freeradiusd
> daemon is available in the event of an unlikely crash.

It also mentions /etc/inittab.

> 
> can anyone recommend another set of tools or scripts for managing the
> freeradius daemon - i don't like the way the daemontools is not consistent
> with the usual unix filesystem hierarchy.

The FreeRADIUS docs and "man inittab."

Jim



RE: Snmp trap

2005-05-05 Thread Jim Seymour

"Yoram Baruchian" <[EMAIL PROTECTED]> wrote:
> 
> Hi
> Does the snmp_trap utility is part of the operating system?
> Can I download it 
> thanks

Do you suppose you could stop sending this garbage:

> From [EMAIL PROTECTED]  Thu May  5 10:30:16 2005
> Message-Id: <[EMAIL PROTECTED]>
> From: <[EMAIL PROTECTED]>
> To: 
> Subject: WARNUNG: Es WURDE EIN VIRUS AN SIE GESENDET !!!
> X-Declude-Sender: [EMAIL PROTECTED] [127.0.0.1]
> X-Declude-Spoolname: D2ddd0de0aee0.GSC
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for 
> spam.
> Reply-To: freeradius-users@lists.freeradius.org
> X-Reply-To: <[EMAIL PROTECTED]>
> Date: Thu,  5 May 2005 16:29:49 +0200
> X-Bogosity: No, tests=bogofilter, spamicity=0.299055, version=0.9.1.2
> 
> 
> A virus was found in one of the attached files.
> This infected email has been deleted. Please note
> that the sender address may have been forged by the virus
> and need not correspond to the actual sender!
> 
> 
> Mail server:mail.schnell-im-netz.de
> Sender:[EMAIL PROTECTED]
> Virus name:[Outlook 'CR' Vulnerability]
> File name:[No attachment]
> Quarantine name:D2ddc14a700f4c46a.SMD
> 
> 
> 
> 
> Subject:"RE: Snmp trap \ "
> 
> This service from schnell-im-netz is free of charge.
> If you have questions about this service, you are welcome
> to call back Mon-Fri 8:00 to 17:00 at 0800 / 94 94 94 5,
> or send an email to [EMAIL PROTECTED].
> 
> 
> 
> YOUR SCHNELL-IM-NETZ TEAM
> ALWAYS UP TO DATE, ALWAYS OUT IN FRONT
> http://schnell-im-netz.de
> 
> 
> 
> D2ddc14a700f4c46a.SMD
> 
> 
> ===
> [Deleted due to dangerous content]
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

to the mailing list?

(While you're at it, I note that the server that's sending that is not
the same one from which the email to which I'm replying originated.
It's not in the same country, the same Internet domain, or the same
block of network addresses.  Furthermore: It HELO's as team-co.il but
is really mail.schnell-im-netz.de, so the HELO is broken by RFC.)

Thank you,
Jim


Re: WPA Auth w/users file

2005-05-04 Thread Jim Seymour

Nobody has any clues on how this might be accomplished?

Jim

[EMAIL PROTECTED] (Jim Seymour) wrote:
> 
> Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> > 
> > Homer Parker wrote:
> > 
> > >   I have the same problem as:
> > >
> > ><http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg15436.html>
> > >
> > >   Running Freeradius 1.0.1. I've made the changes listed in that thread,
> > >but.. I'm using the raddb/users file (only 7 entries), and am not
> > >finding a way to auth against My-Local-User-Name :( Any pointers, thwaps
> > >over the head, or pushes in the right direction appreciated ;)
> > >  
> > >
> > Send your debug log and configuration ?
> 
> I don't know as there's any point to that.  His problem is identical to
> the one discussed in the thread he referenced (started by me), except
> he's trying to authenticate against a "users" file, instead of an
> smbpasswd file.
> 
> In my case, I was able to do this, in order to use the new
> My-Local-User-Name variable:
> 
> /usr/local/etc/raddb/radiusd.conf:
> ...
> passwd etc_smbpasswd {
> filename = ...
> format = 
> "*My-Local-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
> ...
> }
> ...
> 
> Of course: What's normally where "My-Local-User-Name" is, above, is
> simply "User-Name".
> 
> What Homer needs is a way to do the same thing for authenticating
> against the "users" file, if possible.  (Near as I can tell.)
> 
> (I had showed him how to reduce "PCNAME\\username" to "username", into
> My-Local-User-Name.)
> 
> Jim
> -- 
> Note: My mail server employs *very* aggressive anti-spam
> filtering.  If you reply to this email and your email is
> rejected, please accept my apologies and let me know via my
> web form at <http://jimsun.linxnet.com/scform.php>.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 



Re: EAp/TSL authorization problem

2005-05-03 Thread Jim Seymour
Sergey Guriev <[EMAIL PROTECTED]> wrote:
> 
> In the message of 3 May 2005 10:14 Vladimir Vuksan wrote:
> 
> > Thu Apr 28 11:33:53 2005 : Debug: users: Matched entry www at line 228
> >
> >
> > Are you sure that the entry on line 228 has the correct password. I am not
> > quite sure where the [EMAIL PROTECTED] comes from.
> 
> 
>  Yes, I'm sure, because "Matched entry www at line 228" means Username and 
> password matched.

Hmmm... I thought it meant simply that the User-Name was a match.

Jim


Re: WPA Auth w/users file

2005-05-02 Thread Jim Seymour
Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> 
> Homer Parker wrote:
> 
> > I have the same problem as:
> >
> >
> >
> > Running Freeradius 1.0.1. I've made the changes listed in that thread,
> >but.. I'm using the raddb/users file (only 7 entries), and am not
> >finding a way to auth against My-Local-User-Name :( Any pointers, thwaps
> >over the head, or pushes in the right direction appreciated ;)
> >  
> >
> Send your debug log and configuration ?

I don't know as there's any point to that.  His problem is identical to
the one discussed in the thread he referenced (started by me), except
he's trying to authenticate against a "users" file, instead of an
smbpasswd file.

In my case, I was able to do this, in order to use the new
My-Local-User-Name variable:

/usr/local/etc/raddb/radiusd.conf:
...
passwd etc_smbpasswd {
filename = ...
format = 
"*My-Local-User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
...
}
...

Of course: What's normally where "My-Local-User-Name" is, above, is
simply "User-Name".

What Homer needs is a way to do the same thing for authenticating
against the "users" file, if possible.  (Near as I can tell.)

(I had showed him how to reduce "PCNAME\\username" to "username", into
My-Local-User-Name.)

Jim


Re: AW: verify server certificate XP supplicant ?

2005-04-19 Thread Jim Seymour

[Jeopardy-style follow-ups, mis-quoting and excess text corrected...]

"PhonTom" <[EMAIL PROTECTED]> wrote:
>> 
> [mailto:[EMAIL PROTECTED] On behalf of
> [EMAIL PROTECTED]
>> Quoting Riccardo Veraldi <[EMAIL PROTECTED]>:
>> 
>> > 
>> > Hello,
>> > I am using EAP-TLS. Windows XP, Cisco 1200 AP, freeradius.
>> > Everything is working fine unless I enable the "verify server 
>> > certificate" checkbox on XP.
>> > In this case I am not authenticated anymore by the radius server.
>> > I Cannot understand why. I have the CA certificate installed
>> > I cannot understand why it does not work.
>> > any hints ?
>> > thank you very much
>> > 
>> > Rick
>> 
>> I had the same problem,
>> 
>> If I take the software from the wireless card everything works.
>> I think it's only a problem of Windows, not freeradius.
>> 
>> Alain
> 
> Hi!
> 
> That's right! I had the same problems during my tests. But I didn't try to
> solve the problem! Maybe there is a bug in Windows XP??

If it's not a "real" cert, issued by a real CA, traceable back to a
root cert server, it won't verify, yes?

I suppose it would also be possible to run your own cert server and
have the cert validate back to that, as well.

Jim


Re: NT domain names and SQL authentication

2005-04-11 Thread Jim Seymour
"Diego M. Vadell" <[EMAIL PROTECTED]> wrote:
> 
> Hi,
>   I've been fighting my ignorance for a week now. I'm trying to setup
> FreeRadius with a Windows XP SP2 supplicant with mschap2 thru an
> "Orinocco" access point.
> I would like to use the username and password of the NT domain, but the
> only way I can get logged in is making XP ask me for the credentials.
> So to make it work, I add a line in users:
[snip]
> 

Go to this link: 

 

And follow the thread by clicking "Next" under "Thread Links" in the
upper left.  That may get you what you want.

Jim


Re: FreeRADIUS version 1.0.2

2005-04-10 Thread Jim Seymour
"Jamal Taweel" <[EMAIL PROTECTED]> wrote:
> 
> Dear All,
> 
> Can anyone tell me, what are the bugs which are found in the previous
> versions that the new version overcomes them?
[snip]

Download the latest tarball (v1.0.2).  Unpack it.  Look in the "doc"
subdirectory.  You'll see a file named "ChangeLog."  Read it.  Then
you'll know.

Please tell your manglement the foolish disclaimers and warnings added
to all your email are both irritating and utterly worthless.  And
please turn off the HTML.  Thank you.

Jim


Re: Beginner question: Trying to secure a wlan

2005-04-09 Thread Jim Seymour
Tim Boneko <[EMAIL PROTECTED]> wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi,
> i installed freeradius 1.0.2 on Debian 3.1 (sarge) in order to protect
> my wlan (test for a production installation).
> I'm not yet sure how I want to secure the net (encryption or mac auth),

MAC "auth" is worthless, as it is trivial for somebody to spoof a MAC
address.

[snip]
> However, freeradius doesn't keep anybody from connecting. Despite the
> running daemon the network is wide open.
[snip]

A silly question, perhaps, but you *did* configure your wireless AP to
actually *use* the RADIUS server, did you not?

There's mention of, and a link to, the "802.1X Port-Based Authentication
HOWTO" right on FreeRADIUS' home page.

Jim


Re: Integrating with freeradius and postgresql.

2005-04-01 Thread Jim Seymour
"Brian Gao" <[EMAIL PROTECTED]> wrote:
> 
> Where I can get this IIRC?

Um... *cough*  "IIRC" == "If I Recall Correctly"

> 
> Thanks

You're welcome.

Jim



Re: Integrating with freeradius and postgresql.

2005-04-01 Thread Jim Seymour
"Brian Gao" <[EMAIL PROTECTED]> wrote:
> 
> 
> Just wondering if anyone has done "integrating with freeradius and
> postgresql"?

IIRC, the docs talk about doing just that.  Have you examined them?

Jim


Re: CA.all Not Working? Can't Generate New Certs

2005-04-01 Thread Jim Seymour

Zoltan Ori <[EMAIL PROTECTED]> wrote:
> 
> On Friday 01 April 2005 11:58, Jim Seymour wrote:
> > Zoltan Ori <[EMAIL PROTECTED]> wrote:
> > > On Friday 01 April 2005 11:45, Jim Seymour wrote:
> > > > No certificate matches private key
> > >
> > > That may be the problem.
> >
> > Indeed, it may well be.  But what does that *mean*?  What
> > "certificate?"  What "private key?"  I have no idea what it's
> > looking for or why.
> >
> 
> It might be that you are not a privileged user or that old keys and certs are 
> stored on your system or openssl.cnf may be pointing to a different key than 
> the script generates. 
[snip]

It turns-out there's an easier way.  I changed the appropriate
variables in CA.certs and ran that, instead.  It succeeded.

Thanks for the follow-up.

Jim



Re: CA.all Not Working? Can't Generate New Certs

2005-04-01 Thread Jim Seymour

Zoltan Ori <[EMAIL PROTECTED]> wrote:
> 
> On Friday 01 April 2005 11:45, Jim Seymour wrote:
> > No certificate matches private key
> 
> That may be the problem. 

Indeed, it may well be.  But what does that *mean*?  What
"certificate?"  What "private key?"  I have no idea what it's 
looking for or why.

Thanks for the follow-up.

Jim


CA.all Not Working? Can't Generate New Certs

2005-04-01 Thread Jim Seymour
Hi,

I'd like to generate new certs, but whenever I run CA.all I get, after
the last phase:

...
Certificate is to be certified until Apr  1 16:15:07 2006 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
No certificate matches private key
14428:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too 
long:asn1_lib.c:140:
unable to load certificate
14429:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:637:Expecting: TRUSTED CERTIFICATE

This happens both on the box on which I've installed FreeRADIUS and a
web server on which I actually once generated certs by another method
(I no longer recall).

Anybody have any idea what's up with this and what I have to do to get
new certs generated?

Thanks,
Jim


Re: Solaris 8 and Freeradius

2005-04-01 Thread Jim Seymour
freeradius roime <[EMAIL PROTECTED]> wrote:
> 
> Hi everyone. 
> I've installed Freeradius 0.9.* on solaris 8 OS and it's installed
> successfully. But when I tried to run it using debugging mode, I've
> received this text printed at the end of the text printed.
> 
> rlm_eap: Loaded and initialized the type gtc
> rlm_eap: Invalid type name mschapv2 cannot be linked
> radiusd.conf[9]: eap: Module instantiation failed.
[snip]

Not sure what that message means (I'm a FR n00b, myself), but I just
installed 1.0.2 on a Sparc Solaris 8 system and, other than having to
diddle with library paths in LDFLAGS, during configure, it has run w/o
incident.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour

Artur Hecker <[EMAIL PROTECTED]> wrote:
> 
> would you mind writing down a small doc with your experiences?
> 
> i'm sure it would be nice to know for everyone.
[snip]

Actually, I had planned to do just that :).

First I need to find out why my MS-WinXP Pro laptop is prepending
"WindowsName\" to username, rather than, say, the workgroup name.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > Clarification: Giving the server ADMINNB\jseymour works.  Giving it
> > just "jseymour" does not.
> 
>   Because the regex on the line above doesn't match.  So, do:
> 
> DEFAULT User-Name =~ blah
> My-Local-User-Name = "%{1}"
> 
> DEFAULT   
>   My-Local-User-Name = "%{My-Local-User-Name:-%{User-Name}}"
> 

Boy, I sure am missing some of the more obvious ones, aren't I?

Okay, that worked.  Thanks for all the help, Alan.  And all you
others, too!

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
[EMAIL PROTECTED] (Jim Seymour) wrote:
> 
> "Alan DeKok" <[EMAIL PROTECTED]> wrote:
> > 
> > [EMAIL PROTECTED] (Jim Seymour) wrote:
> [snip]
> > 
> > > Now, if possible, is there a way to persuade FreeRADIUS to try
> > > My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> > > User-Name if Stripped-User-Name is not available?
> > 
> >   Sure.  But you'll need another layer of indirection, because
> > rlm_passwd takes an attribute name, not an "if/then/else" condition.
> > 
> > e.g. Key-For-RLM-Passwd = 
> > "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
> > 
> >   Where that goes, though, is a little more complex.  It has to go
> > after "preprocess", and after "realms", but before "passwd".  Find a
> > module which can do that, and you're set...
> 
> I tried putting that directly in the DEFAULT hint, following the
> My-Local-User-Name setting.  It doesn't appear to work.  Or maybe
> that's not a good place to put it?

Clarification: Giving the server ADMINNB\jseymour works.  Giving it
just "jseymour" does not.  Is it possible the Key-For-RLM-Passwd test
is failing?  That My-Local-User-Name is "set," even if empty, by the
regexp?

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
[snip]
> 
> > Now, if possible, is there a way to persuade FreeRADIUS to try
> > My-Local-User-Name, if available, Stripped-User-Name if it's not, and
> > User-Name if Stripped-User-Name is not available?
> 
>   Sure.  But you'll need another layer of indirection, because
> rlm_passwd takes an attribute name, not an "if/then/else" condition.
> 
> e.g. Key-For-RLM-Passwd = 
> "%{My-Local-User-Name:-%{Stripped-User-Name:-%{User-Name}}}"
> 
>   Where that goes, though, is a little more complex.  It has to go
> after "preprocess", and after "realms", but before "passwd".  Find a
> module which can do that, and you're set...

I tried putting that directly in the DEFAULT hint, following the
My-Local-User-Name setting.  It doesn't appear to work.  Or maybe
that's not a good place to put it?

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
Stefan Winter <[EMAIL PROTECTED]> wrote:
> 
[snip]
> 
> Hope you haven't given up yet. In a later message you write:

Nah, I'm not that easy ;).

> 
[snip]
> 
> Which makes me think that both "suffix" and "ntdomain" are active in
> rlm_realms. Try turning off suffix, because suffix operates only on names
> formatted like [EMAIL PROTECTED] In your case I think it tries to find a
> suffix, doesn't, and then uses realm NONE because no realm delimiter is
> found. If you turn suffix off, the delimiter \ is found and the request is
> set to the DEFAULT realm. Hopefully.

I removed Alan's fix, commented-out "suffix" and un-commented
"ntdomain."  No joy.

Thanks for the suggestion, though.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-31 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
[snip]
> 
>   Hmm... the reason the "hints" thing didn't work is that the regex
> function expects '\' to be escaped, too.  This works for me:
> 
> DEFAULT User-Name =~ "(.*)$"
>   My-Local-User-Name = "%{1}"

I should've thought of that!  It's not like I haven't
been working with regexps for about a million years.  That worked!
Thanks :).

Now, if possible, is there a way to persuade FreeRADIUS to try
My-Local-User-Name, if available, Stripped-User-Name if it's not, and
User-Name if Stripped-User-Name is not available?

> 
> > What rather astonishes me is that this either hasn't come up before,
> > tho I have a private email that indicates something like it has, or
> > that nobody's pursued it to the bitter end.  One would almost think
> > that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
> > combination.
> 
>   No, but having the machine name in the User-Name attribute isn't
> common.

It's just plain ol' vanilla MS-WinXP Pro SP1, with updated MS support
for the wireless stuff.  The machine is *not* in a MS-Win2k domain, as
I haven't yet got the servers upgraded to support those.  So the 'doze
PCs are all in plain old MS-Win workgroups for now.  You'd have to ask
Microsoft why 'doze does what it does.  Personally, I've long since
given up trying to understand such things, and now simply try to find
ways to work around Microsoft's brain-dead designs.

Jim



Re: how to authenticate only via username

2005-03-31 Thread Jim Seymour
Stefan Winter <[EMAIL PROTECTED]> wrote:
> 
> Hi!
> 
> > Any suggestion, how to authenticate only by username?
> > (any password should be valid).
> >
> > Any idea?
> 
> Auth-Type := Accept

Btw, a nit-pick: That's not "authentication."  It's "identification,"
at best.  And since it's not authenticated, it's not really even that.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> Or you could make sure your DEFAULT realm is set up.  

Actually, a NULL realm was what I think you meant.

>   Your current 
> configuration should work if you have a DEFAULT realm in your 
> proxy.conf.  If it doesn't work using the default realm, change your 
> etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
> already attempt to use it if its present.  It's not present, though, 
> because no realm is found.  The DEFAULT realm will catch all realm 
> instances that aren't specifically set up.

The NULL realm caught it, but the Stripped-User-Name is not stripped of
the stupid 'doze garbage pre-pended to it :(.  Observe:

  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "ADMINNB\jseymour", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "ADMINNB\jseymour"
rlm_realm: Proxying request from user ADMINNB\jseymour to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.

*sigh*

I hate 'doze.

What rather astonishes me is that this either hasn't come up before,
tho I have a private email that indicates something like it has, or
that nobody's pursued it to the bitter end.  One would almost think
that Unix/Linux + Samba + Wireless + WPA + (Free)RADIUS was an unusual
combination.

Or maybe it is...  (That might explain a *lot*.)

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> Or you could make sure your DEFAULT realm is set up.  Your current 
> configuration should work if you have a DEFAULT realm in your 
> proxy.conf.  If it doesn't work using the default realm, change your 
> etc_smbpasswd line to use the Stripped-User-Name, but I think it should 
> already attempt to use it if its present.  It's not present, though, 
> because no realm is found.  The DEFAULT realm will catch all realm 
> instances that aren't specifically set up.

I did this in proxy.conf:

#
#  This realm is for ALL OTHER requests.
#
realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

I did this in radiusd.conf:

passwd etc_smbpasswd {
filename = /usr/local/samba/private/smbpasswd
format = "*Stripped-User-Name::LM-Password:...

No joy.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > >   a) adding "ADMINNB\jseymour" as a user in the smb passwd file
> > 
> > That's not practical.  "ADMINNB" is that specific laptop's NETBIOS
> > name.
> 
>   testing != deployment
> 
>   First, get it to work.  Then, get it to work in a real deployment.

Valid point :).  Okay, if I pre-pend "ADMINNB\" to my username in
smbpasswd, it works like a champ.

> 
> > >   If you want to use "jseymour" as a key for the smb passwd file,
> > > convince the server to use that string, and not any other.
> > 
> > Is there a way I can do it irrespective of the supposed "domain?"
> 
>   In "hints":
> 
> DEFAULT   User-Name =~ "\\(.*)$"
>   My-Local-User-Name = "%{1}"
> 
>   Then, in smb_passwd, use My-Local-User-Name as the key.  You will
> have to define it in the dictionaries, too.
> 
>   That should work, I think.

Nope.  Failure mode identical.

Jim



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> 
> [EMAIL PROTECTED] (Jim Seymour) wrote:
> > 
> > http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt
> ...
> >   modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0
> 
>   The password isn't being added because the user "ADMINNB\jseymour"
> isn't being found in the smb passwd file.  That's the root cause of
> the problem.

I rather figured that.

> 
>   I suggest:
> 
>   a) adding "ADMINNB\jseymour" as a user in the smb passwd file

That's not practical.  "ADMINNB" is that specific laptop's NETBIOS
name.  I'd have to have duplicated smbpasswd entries for every laptop
each user might choose to use--for every user.  Be far easier to do
what people seem to always do in my situation: Tell the end-users
they'll have to auth to the WLAN separately.

> 
>  or
> 
>   b) setting up realms, and using Stripped-User-Name as the key to
> smb_passwd.
> 
> ...
> >rlm_realm: Looking up realm "ADMINNB" for User-Name = "ADMINNB\jseymour"
> >rlm_realm: No such realm "ADMINNB"
> 
>   And therefore no Stripped-User-Name.

Separate realms for every laptop in the building would likewise be
impractical.

> 
>   If you want to use "jseymour" as a key for the smb passwd file,
> convince the server to use that string, and not any other.

Is there a way I can do it irrespective of the supposed "domain?"

Thanks for the follow-up, Alan.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> I think I see what your problem is...
> 
> You need to reenable the ntdomain realm module that is preconfigured in 
> the server and be sure it's called before your etc_smbpasswd module in 
> your authorize section.  You seem to have removed it, and, because of 
> that, it can't find the correct username in your smbpasswd file.

Nope.  I removed nothing.  I neither disabled nor de-configured
anything.

I'm guessing that maybe what was "missing" was this bit?

authorize {
    ...
    #
    #  If you are using multiple kinds of realms, you probably
    #  want to set "ignore_null = yes" for all of them.
    #  Otherwise, when the first style of realm doesn't match,
    #  the other styles won't be checked.
    #
    suffix
#   ntdomain
    ...
    #
    #  If you are using /etc/smbpasswd, and are also doing
    #  mschap authentication, then un-comment this line, and
    #  configure the 'etc_smbpasswd' module, above.
    etc_smbpasswd
    ...
}

I un-commented "ntdomain".  No change.  The -X output can be seen at:

http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack+ntdomain_realm.txt

I even tried "ignore_null = yes" in the "realm ntdomain" config.  No
difference, either.

(And yes: I'm saving the config file(s) and starting radiusd anew for
each test :).)

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
>rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
>rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>modcall[authenticate]: module "mschap" returns reject for request 6
> 
> Above is where you're failing.  It looks like you had the passwd module 
> called in your authorize block in one of your previous emails and 
> removed it before you ran this debug, 
[snip]

Nope.  The only differences are:

1. Changed 'doze config back to "use login stuff"
2. Un-commented the "ntdomain hack" in mschap

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> Jim Seymour wrote:
> 
>  > So clearly that output indicates a successful username match, and
>  > just as clearly, setting "with_ntdomain_hack = yes" in the mschap
>  > module does not strip the leading "GARBAGE\" stuff.
> 
> You'll have to look quite a bit further down in the debugging output to 
> see that.  Please set "with_ntdomain_hack" in the mschap module to 
> "yes", then post the FULL debugging output.  It's too hard to guess what 
> you've got your server setup to do.

Okay, here you go:

http://jimsun.linxnet.com/misc/radiusd.out-login_creds_w_hack.txt

"ADMINNB" is the laptop's "Windows" name.  The username should be
pretty apparent ;).

Thanks for your help!

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour

Michael Griego <[EMAIL PROTECTED]> wrote:
> 
> You should be
> 
> Jim Seymour wrote:
> > Willem Eradus <[EMAIL PROTECTED]> wrote:
> >>
> >>#
> >>#with_ntdomain_hack = no
> > 
> > 
> > I tried that.  Made no discernible difference.
> 
> Be sure you're using the with_ntdomain_hack in the mschap module 
> configuration, NOT the one in the preprocess module configuration.

Tried one, the other, and both.

Using separate creds in 'doze, I get this in the -X output:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 0

Using WinXP's login info, I see none of that.  Instead I get:

  modcall[authorize]: module "etc_smbpasswd" returns notfound for request 0

Next test: I reconfigured the XP box for separate, manually-entered
creds again, entered a correct username, but invalid password.  Again
I got:

rlm_passwd: Added LM-Password: 'users LM password' to config_items
rlm_passwd: Added NT-Password: 'users NT password' to config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[U  ]' to config_items
rlm_passwd: Adding "Auth-Type = MS-CHAP"
  modcall[authorize]: module "etc_smbpasswd" returns ok for request 0

So clearly that output indicates a successful username match, and
just as clearly, setting "with_ntdomain_hack = yes" in the mschap
module does not strip the leading "GARBAGE\" stuff.

Ghod I just love 'doze :/

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour
Willem Eradus <[EMAIL PROTECTED]> wrote:
> 
> On Wed, 30 Mar 2005 06:50:37 -0500 (EST), Jim Seymour
> <[EMAIL PROTECTED]> wrote:
> > 
[snip]
> > 
> > One thing I notice is the client PC sending WINNAME\username, instead
> > of just username, if I tell it to use the Windows login info.
> > 
> > > [At least I think so; someone please correct me if I'm wrong]
> 
> I get [WI-1\\Willem Eradus/]
> 
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
> # based on only the user portion.  This hack
> # corrects for that incorrect behavior.
> #
> #with_ntdomain_hack = no

I tried that.  Made no discernible difference.

Note, further down, in "preprocess," this:

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#
# This configuration entry SHOULD NOT be used.
# See the "realms" module for a better way to handle
# NT domains.
with_ntdomain_hack = no

I'm not at all clear on "realms" or what I should be doing in that
respect, if anything.

> 
> I believe the above should take care of the "domain" part, and some
> other attribute may hold a hash with the password. Did you try with -X
> enabled to see what attributes are being provided?

I've been running it in the foreground with -X.  That *is* what the
install docs say to do for testing, after all, and I do RTFM.  Well...
usually.  I'm not yet grokking much of what I'm seeing.

I'll keep plugging away.  Hopefully, sooner-or-later, either I'll trip
across the solution or somebody here will mention it.

Thanks for the follow-up.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



Re: FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-30 Thread Jim Seymour

Stefan Winter <[EMAIL PROTECTED]> wrote:
> 
> Hello!
> 
> > I've searched and searched, and tried every hint I could find, and
> > cannot seem to make it work using the "Windows login name and
> > password."  Is it possible?
> 
> Make your users set a password for their login on the XP machine. That is the 
> username/password combination XP will use for authentication when you check 
> the box.

Yes, I knew this.  Users have been using Samba shares on my Unix/Linux
servers for a number of years.

> Then list these users with the appropriate passwords in your radiusd backend 
> (smbpasswd in your case). 

They're *all* already in there.  (See above.)

>   Then it should work.

Not so far.  I'm wondering if I'm missing something in FreeRADIUS'
configuration?

One thing I notice is the client PC sending WINNAME\username, instead
of just username, if I tell it to use the Windows login info.

> [At least I think so; someone please correct me if I'm wrong]

Who am I to say you're wrong?  I've no idea what I'm doing ;).  But
it doesn't appear to be working.

Thanks for the follow-up.

Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.



FreeRADIUS + 802.1x (WPA) + WinXP + smbpasswd

2005-03-29 Thread Jim Seymour
Hi,

Environment:

FreeRADIUS 1.0.2
WinXP Pro (patched)

I'm >almost< there.  I've got FreeRADIUS authenticating the WinXP Pro
client (Intel PRO/Wireless 2915 and NetGear FWAG114, btw) using the
smbpasswd file on the server *if* I configure XP *not* to use my
"Windows login name and password," which gets it to ask for username
and password the first time it sees the WLAN.  I'd prefer to let users
avoid (mucking-up) the additional step.

I've searched and searched, and tried every hint I could find, and
cannot seem to make it work using the "Windows login name and
password."  Is it possible?

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.
