Re: Post Auth Configurations

2013-07-18 Thread Matt Zagrabelny
On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok al...@deployingradius.com wrote:
 Navodit Bhardwaj wrote:
 For each Access-Request received and authenticated successfully I want
 to do the following:

  1. Verify if the Access-Request contains a parameter, i.e. the IMEI of the mobile
  2. If not, send Access-Reject. Else,
  3. compare the IMEI to the value in the database and assign a 32-bit hex number in the
 Access-Accept

   You should be able to just write this in unlang.  Write down which
 attributes you have, and what values you're looking for.  Then, write
 the logic.

Navodit,

I just asked a similar question and this is the logic I added to my
default site, right after 'preprocess':

if (CVPN3000-Tunnel-Group-Name == 'Bookstore') {
    if (SQL-Group == 'RADIUS:bookstore') {
        noop
    }
    else {
        reject
    }
}

What the above logic says is:

If the user is requesting to be in the Bookstore VPN group then if
they are part of the RADIUS:bookstore group, continue (noop), else
reject them.

You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore',
and remove the second 'if' statement.

 Basically, I am doing a second authentication after initial
 authentication (PAP, CHAP) is successful.

   Don't do that.  Do it *before* PAP or CHAP.  In the authorize section.

Alan,

I've got a similar question that dovetails into this discussion.
Suppose I wanted to reject certain users and wanted the Reply-Message
to be customized per user authenticating, but I want to ensure that I
am not leaking the customized message. Is there a way to test the
user/pw combo first and *then* perform unlang logic?

Thanks,

-mz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


multiple entries per radius_check table

2013-07-01 Thread Matt Zagrabelny
Greetings,

I am using a Pg datastore to hold authentication data and using the Pg
module for FR to hook into it.

I am using a basic view for the radius_check table:

# SELECT * from radius_check_users where username = 'mzagrabe';
 id | username |   attribute    | op |    value
----+----------+----------------+----+-------------
  1 | mzagrabe | Crypt-Password | := | $1$somehash

I'd also like to have the option of denying users with something like:

atlas-# SELECT * from radius_sanction where username = 'mzagrabe';
 id | username | attribute | op | value
----+----------+-----------+----+--------
  1 | mzagrabe | Auth-Type | := | Reject
(1 row)

I'd like to create a UNION of these two views so that both records
would be returned when FR queried for 'mzagrabe'. Is it enough to
ensure that the Reject record appears before the Crypt-Password
record in the resulting UNION for FR to reject the request?

Any other advice or hints?

Thanks!

-mz


Re: multiple entries per radius_check table

2013-07-01 Thread Matt Zagrabelny
On Mon, Jul 1, 2013 at 3:30 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:

 On 1 Jul 2013, at 17:59, Matt Zagrabelny mzagr...@d.umn.edu wrote:

 Greetings,

 I am using a Pg datastore to hold authentication data and using the Pg
 module for FR to hook into it.

 I am using a basic view for the radius_check table:

 # SELECT * from radius_check_users where username = 'mzagrabe';
  id | username |   attribute    | op |    value
 ----+----------+----------------+----+-------------
   1 | mzagrabe | Crypt-Password | := | $1$somehash

 I'd also like to have the option of denying users with something like:

 atlas-# SELECT * from radius_sanction where username = 'mzagrabe';
  id | username | attribute | op | value
 ----+----------+-----------+----+--------
   1 | mzagrabe | Auth-Type | := | Reject
 (1 row)

 I'd like to create a UNION of these two views so that both records
 would be returned when FR queried for 'mzagrabe'. Is it enough to
 ensure that the Reject record appears before the Crypt-Password
 record in the resulting UNION for FR to reject the request?

 It can appear before or after, it doesn't matter.

 https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_pap/rlm_pap.c#L330

Great!

Thanks, Arran!

Sincerely,

-mz


something like huntgroups?

2013-07-01 Thread Matt Zagrabelny
Greetings!

Our Cisco VPN concentrator is sending some RADIUS attributes in the
request packet and if certain values appear, then I'd like to only
allow a subset of users to login.

I've looked at:

http://wiki.freeradius.org/SQL-Huntgroup-HOWTO/dbeef165862fe9ba7ef6f7d011889d1f7212cf9b

the SQL Huntgroup howto and it seemed close, but the scenario that I
am looking at is slightly different and I am getting mixed up. I am
hoping for some help.

Here is my scenario:

We have a generic VPN profile that we'd like to allow *all* users to
login to - this works well.

When users login to the secret profile, then the following VPN
attribute is included in the request:

Vendor-3076-Attr-146 = 0x554d44

The attribute and value are known and constant, thus I can make
decisions on them.

Users who are in the secret group should be able to login to *both*
the generic profile (which does not have the Vendor-3076-Attr-146 =
0x554d44 pair) and the secret profile, which does have the pair.

If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.

Thanks for any advice or design input!

Cheers,

-mz
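One way to wire this up, written here as an added example rather than code from the list or the FreeRADIUS project: it is the same membership test Matt posts in the "Post Auth Configurations" reply at the top of the page, but placed in post-auth, so the group lookup and any per-user Reply-Message happen only after the password has been verified, which is the ordering he asks about there. It assumes FreeRADIUS 2.x unlang, the raw attribute name and value from this message, and a placeholder group name 'RADIUS:secret'.

```unlang
# Added example (not from the list thread or the FreeRADIUS project).
# post-auth runs only after the authenticate section has verified the
# password, so a request with a wrong password never reaches the group
# test below.
post-auth {
    # Raw attribute name and value as seen in the request above; with the
    # Cisco vendor dictionary loaded the attribute appears under its
    # dictionary name instead. 'RADIUS:secret' is a placeholder group.
    if (Vendor-3076-Attr-146 == 0x554d44 && !(SQL-Group == 'RADIUS:secret')) {
        update reply {
            # Per-user text is acceptable here: the caller has already
            # proved the password, so the message cannot be used to probe
            # which user names exist.
            Reply-Message := "%{User-Name} is not permitted to use the secret profile"
        }
        reject
    }

    # Password failures arrive here instead, before any group logic ran.
    # Keep the text generic so the reject does not say whether the user
    # name exists or which group it belongs to.
    Post-Auth-Type REJECT {
        update reply {
            Reply-Message := "Authentication failed"
        }
        attr_filter.access_reject
    }
}
```

Requests for the generic profile carry no Vendor-3076-Attr-146, so the condition is false for them and every authenticated user is accepted.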


Re: inactive users can authenticate

2013-06-26 Thread Matt Zagrabelny
On Wed, Jun 26, 2013 at 9:27 AM, Alan DeKok al...@deployingradius.com wrote:
 Mihajlo Joksimovic wrote:
 I have an up-to-date Debian derivative with samba4.
 The base_filter rule in the modules/ldap file is not accepted. There I
 gave sambaacctflags but nothing happens. Still all users get accepted.
 In base_filter I can write what I want, it always like skips this point.
 So everyone can login, also the disabled accounts.

   If only there was a way to debug this.  That was documented in the
 man page.  Or the web pages.  Or daily on this list.

That's funny. :)

Because Alan makes us smile, I'll add:

radiusd -X

-mz


Re: Authenticate SSH users against Freeradius

2013-05-20 Thread Matt Zagrabelny
On Mon, May 20, 2013 at 12:58 PM, Roberto Carna
robertocarn...@gmail.com wrote:
 Dear, I have:

 (A) One Freeradius server on Debian 6: freeradius installation and
 client.conf configuration
 (B) Another Debian 6 box with sshd: libpam-radius-auth installation
 (C) Several Windows and Linux ssh clients

 In (A) freeradius server, can I define the ssh users in client.conf file
 only ???

clients.conf is for the FR clients - not the users.

computer1 running FR
computer2 running sshd

computer2 is the client and belongs in the clients.conf file.

 In (B) debian sshd box server, do I have to install a radius client in
 addition to libpam-radius-auth package ??? And do I have to define any ssh
 user here ??

FR is doing whatever you want it to do in the PAM stack. We only have
it perform the authentication, but you could also have it perform
authorization, IIRC.

You will (also) need to set up local users or a central user
repository (LDAP, SQL, etc.) Check libnss-* packages for anything
other than /etc/passwd:

% apt-cache search libnss
libnss-gw-name - nss module that names the current gateway’s IP address
libnss-cache - NSS module for using nsscache-generated files
libnss-db - NSS module for using Berkeley Databases as a naming service
libnss-extrausers - nss module to have an additional passwd, shadow and group file
libnss-ldap - NSS module for using LDAP as a naming service
libnss-lwres - NSS module for using bind9's lwres as a naming service
libnss-myhostname - nss module providing fallback resolution for the current hostname
libnss-mysql-bg - NSS module for using MySQL as a naming service
libnss-pgsql2 - NSS module for using PostgreSQL as a naming service
libpam-ccreds - Pam module to cache authentication credentials
libpam-ldap - Pluggable Authentication Module for LDAP
libnss3 - Network Security Service libraries
libnss3-1d - Network Security Service libraries - transitional package
libnss3-dbg - Debugging symbols for the Network Security Service libraries
libnss3-dev - Development files for the Network Security Service libraries
libnss3-tools - Network Security Service tools
libnss-mdns - NSS module for Multicast DNS name resolution
libnss-ldapd - NSS module for using LDAP as a naming service
nslcd - Daemon for NSS and PAM lookups using LDAP
nss-passwords - read passwords from a Mozilla keyring
nss-updatedb - Cache name service directories in DB format
nsscache - asynchronously synchronise local NSS databases with remote directory services
libpathfinder-dev - Development files for pathfinder
libpathfinder-nss-1 - Pathfinder integration Library for LibNSS
libnss-rainbow2 - nss library for rainbow
libnss-winbind - Samba nameservice integration plugins
winbind - Samba nameservice integration server
libnss-sss - Nss library for the System Security Services Daemon
libnss-sshsock2 - NSS module using an ssh socket connection


 Please, I need a good howto because I'm lost.

You will need to read a lot to get up to speed.

-mz


Re: Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Matt Zagrabelny
On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com wrote:
 Dear, I'm new at FreeRADIUS as an AAA server in a Linux box and I need to
 authenticate Allied switches and Debian/CentOS boxes.

 What package/module do I have to install in addition to freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
 what authentication procedure do I have to use in order to let universal AAA
 ???

I don't understand this question.

-mz


Re: design question

2013-03-06 Thread Matt Zagrabelny
On Tue, Mar 5, 2013 at 9:17 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:

 On 5 Mar 2013, at 18:03, Matt Zagrabelny mzagr...@d.umn.edu wrote:

 On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:


 You know SQL supports groups right? and that a group matching can be
 conditional on attributes in the request? and that you can add additional
 config items to client definitions to mark them as special devices?

 Hi Arran,

 Thanks for the reply. I've grepped the wiki and mailing list archives
 and could not answer the following:

 What do I change in the nas table (in the database) to mark the
 network boxes as special devices? I see the schema as:

 CREATE TABLE nas (
     id SERIAL PRIMARY KEY,
     nasname VARCHAR(128) NOT NULL,
     shortname VARCHAR(32) NOT NULL,
     type VARCHAR(30) NOT NULL DEFAULT 'other',
     ports int4,
     secret VARCHAR(60) NOT NULL,
     server VARCHAR(64),
     community VARCHAR(50),
     description VARCHAR(200)
 );

 Is it the server field? If so, could you also briefly explain how to
 apply that to group matching? (I have added users to groups using the
 usergroup table, but haven't touched the radgroupcheck/reply yet.)

 So long as you're using static devices in clients.conf you can use the xlat 
 expansion %{client:config item}.

I am using static devices, but I am using a nas table in a PG
database. Does that affect the xlat expansion? I already had a
'shortname' (but not a group field) in the table schema and tried:
authorize {
    update request {
        Client-Group := "%{client:shortname}"
    }
    sql
}

Here is a snippet of the 'freeradius -X' output:

++[files] returns noop
    expand: %{client:shortname} -> 
++[request] returns noop
[sql]   expand: %{Stripped-User-Name} -> 
[sql] ... expanding second conditional

You can see that the expand didn't work as expected.

Data in the table looks like:

atlas=> SELECT * from radius_nas limit 1;
 id | nasname | shortname | type |   secret    | server
----+---------+-----------+------+-------------+--------
 72 | ups     | ups       |      | sUperS3cret |
(1 row)

And also the configuration in dialup.conf:

nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

Any ideas?

Thanks,

-mz


Re: design question

2013-03-05 Thread Matt Zagrabelny
On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:


 You know SQL supports groups right? and that a group matching can be
 conditional on attributes in the request? and that you can add additional
 config items to client definitions to mark them as special devices?

Hi Arran,

Thanks for the reply. I've grepped the wiki and mailing list archives
and could not answer the following:

What do I change in the nas table (in the database) to mark the
network boxes as special devices? I see the schema as:

CREATE TABLE nas (
    id SERIAL PRIMARY KEY,
    nasname VARCHAR(128) NOT NULL,
    shortname VARCHAR(32) NOT NULL,
    type VARCHAR(30) NOT NULL DEFAULT 'other',
    ports int4,
    secret VARCHAR(60) NOT NULL,
    server VARCHAR(64),
    community VARCHAR(50),
    description VARCHAR(200)
);

Is it the server field? If so, could you also briefly explain how to
apply that to group matching? (I have added users to groups using the
usergroup table, but haven't touched the radgroupcheck/reply yet.)

Thanks for any help!

-mz


design question

2013-03-04 Thread Matt Zagrabelny
Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS
server listening on a different port (i.e. 1814) and use the same Pg DB
as a backend, but use a restricted view as the users table, then
configure devices (certain network gear) that wish to only allow users
in the restricted view to use that secondary RADIUS server and
corresponding port.

I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.

My questions are these:

Has anyone here setup a second instance of FR running on the same
system as their primary instance, but with different configs? Do you
have any suggestions for layout or keeping configs/logs straight?

Or said another way, how much confusion will there be in
/etc/freeradius (default Debian config dir) due to the second
instance? Is it worth it, just to have a single system have all of
your RADIUS servers or should I just stand up another virtual server
and use that instead?

Thanks for any help or hints!

-matt zagrabelny


Re: design question

2013-03-04 Thread Matt Zagrabelny
On Mon, Mar 4, 2013 at 3:27 PM, Olivier Beytrison oliv...@heliosnet.org wrote:
 On 04.03.2013 22:17, Olivier Beytrison wrote:

 On 04.03.2013 21:56, Matt Zagrabelny wrote:

 Greetings,

 I am configuring a general purpose RADIUS server that any number of
 clients can connect to for authn - it uses a PostgreSQL DB as the
 backend datastore. I would also like to setup a secondary RADIUS
 server listening on a different port (i.e. 1814) and use the same Pg DB
 as a backend, but use a restricted view as the users table, then
 configure devices (certain network gear) that wish to only allow users
 in the restricted view to use that secondary RADIUS server and
 corresponding port.


 You can use the same listen ports, but group clients (which means NAS) in
 two groups, and assign a specific virtual server for each group, with
 different policy, database lookup and such.


 Just to add, I think you should define a virtual server with a default
 virtual_server in the listen {} section, then for your specific NAS that
 needs special policy/authn, simply specify a different virtual_server in the
 client {} section

 I also wanted to add that you'll find all the information you need here
 http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail client
 sent the mail instead of pasting the link) :)

Hi Olivier,

Thanks for the replies. I'll start digesting that wiki page soon*.

I'm not sure if Debian patched the 2.1.10 line to take care of any
grievous bugs, but if we start hitting them, we may need to upgrade.
FWIW, we were/are running 1.1.0 on Solaris, so we'll be excited to
have the new bugs to deal with. :)

Cheers,

-mz


Re: pam.d ssh radius

2013-02-12 Thread Matt Zagrabelny
On Tue, Feb 12, 2013 at 3:50 PM, T W gqma...@yahoo.com wrote:

 All,

 I got this working at the end of last year, but now I'm having trouble.
 I'm setting up SSH access using RADIUS auth on a Ubuntu 12.10 system.  I'm
 using the latest version of libpam-radius-auth (1.3.17-0ubuntu4) and have
 followed the readme along with many other explanations and cannot get it
 working. I'm getting the same error even when I try on different VMs
 running different versions of Ubuntu.  The error "PAM (sshd) illegal module
 type: auth" makes it sound like it does not support the auth method. Anyone
 else run into this?

Haven't run into what you've described, but we do use the RADIUS
client PAM module as you've noted. Our /etc/pam.d/sshd looks like:

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

auth       sufficient   pam_radius_auth.so

# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic noupdate
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password


Hope that helps.

-mz


Re: Debian (Squeeze) FreeRadius package missing config files

2012-11-21 Thread Matt Zagrabelny
On Wed, Nov 21, 2012 at 9:18 AM, David Gethings dgethi...@juniper.net wrote:
 Hi All,

 It appears that the Debian package for freeradius 2.1.10 does not install
 the configuration files. At least that is what is happening on my system. As
 I try to resolve this is it possible to get a copy of the config files from
 some other location?

David,

Would you run:

apt-cache policy freeradius

?

The config files do get placed in /etc/freeradius, so there was an
error somewhere along the line during your install.

% dpkg-deb -c freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb | grep etc
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/
drwxr-xr-x root/root 0 2012-09-11 12:07 ./etc/freeradius/
-rw-r--r-- root/root 27201 2012-09-11 12:07 ./etc/freeradius/radiusd.conf
-rw-r--r-- root/root   877 2012-09-11 12:07 ./etc/freeradius/dictionary


Re: buffer overflow on mschap reject

2012-06-13 Thread Matt Richards
On 06/12/12 15:20, Alan DeKok wrote:
 Matt Richards wrote:
 Hello,

 I have got radius setup to authenticate wireless clients using MS-CHAP
 and everything works correctly if the entered user / pass is correct.

 If the password is wrong, however, I get a buffer overflow error and
 radiusd dies.
 
   You probably set the retry_msg to a very long string.

I did have a retry_msg which was left as the default value of

retry_msg = "Re-enter (or reset) the password"

After I commented out this line the problem went away.

Thanks for your help. I'm guessing this shouldn't crash with the example
config? Maybe the mschap stuff bloats the reply too much?

 
 *** buffer overflow detected ***: radiusd terminated
 === Backtrace: =
 
   Reading doc/bugs would help here.
 
 I can replicate this issue with radtest.
 
   Do you have a minimal config which could help?
 
 Does anybody know why this might be happening? If you require any
 additional info please let me know. One thing I was thinking about
 trying is going back a few versions of ntlm_auth and trying again. It's
 interesting how I don't seem to be able to find any information relating
 to this on the Internet.
 
   The error path here is very small.  i.e. ~15 lines of code.
 
   Running the server under valgrind would help, too.  But first build
 it with debugging symbols.
 
   Alan DeKok.
 


Re: buffer overflow on mschap reject

2012-06-13 Thread Matt Richards
On 06/13/12 13:04, alan buxey wrote:
 Hi,
 
 I did have a retry_msg which was left as the default value of

 retry_msg = "Re-enter (or reset) the password"

 After I commented out this line the problem went away.

 Thanks for your help. I'm guessing this shouldn't crash with the example
 config? Maybe the mschap stuff bloats the reply too much?
 
 doesn't crash here - what code release are you using?


# ntlm_auth -V
Version 3.5.15

# radiusd -X | head -1
FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29


 
 alan
 


buffer overflow on mschap reject

2012-06-12 Thread Matt Richards
Hello,

I have got radius setup to authenticate wireless clients using MS-CHAP
and everything works correctly if the entered user / pass is correct.

If the password is wrong, however, I get a buffer overflow error and
radiusd dies.

I get the following on the console when this happens ...

 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/mschapv2
 [eap] processing type mschapv2
 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] Creating challenge hash with username: rer
 [mschap] Told to do MS-CHAPv2 for rer with NT-Password
 [mschap]  expand: --username=%{mschap:User-Name:-None} -> --username=rer
 [mschap] No NT-Domain was found in the User-Name.
 [mschap]  expand: %{mschap:NT-Domain} -> 
 [mschap]  ... expanding second conditional
 [mschap]  expand: --domain=%{%{mschap:NT-Domain}:-WC1} -> --domain=WC1
 [mschap]  mschap2: 5f
 [mschap] Creating challenge hash with username: rer
 [mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a20a6c5d363dd4b6
 [mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=5182a275d21751ab7007e8de241d8d516215a95d3384ccf9
 Exec-Program output: Logon failure (0xc06d) 
 Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
 Exec-Program: returned: 1
 [mschap] External script failed.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 *** buffer overflow detected ***: radiusd terminated
 === Backtrace: =
 /lib/libc.so.6(__fortify_fail+0x37)[0x7fea6d97c427]
 /lib/libc.so.6(+0xe8150)[0x7fea6d97a150]
 /lib/libc.so.6(+0xe76eb)[0x7fea6d9796eb]
 /lib/libc.so.6(__snprintf_chk+0x7b)[0x7fea6d9795bb]
 /usr/lib64/freeradius/rlm_mschap-2.1.11.so(+0x31bb)[0x7fea6c24a1bb]
 radiusd(modcall+0xb4b)[0x41c4bb]
 radiusd(indexed_modcall+0xd3)[0x418b53]
 /usr/lib64/freeradius/rlm_eap_mschapv2-2.1.11.so(+0x166a)[0x7fea696d366a]
 /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
 /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
 /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
 radiusd(modcall+0xb4b)[0x41c4bb]
 radiusd(indexed_modcall+0xd3)[0x418b53]
 radiusd(rad_authenticate+0x985)[0x40a075]
 /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(eappeap_process+0x976)[0x7fea698d8f26]
 /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(+0x1825)[0x7fea698d7825]
 /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
 /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
 /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
 radiusd(modcall+0xb4b)[0x41c4bb]
 radiusd(indexed_modcall+0xd3)[0x418b53]
 radiusd(rad_authenticate+0x985)[0x40a075]
 radiusd(radius_handle_request+0x52)[0x424d42]
 radiusd(thread_pool_addrequest+0x9)[0x425039]
 radiusd[0x4269e6]
 /usr/lib/libfreeradius-radius-2.1.11.so(fr_event_loop+0x33b)[0x7fea6e04860b]
 radiusd(main+0x55a)[0x41cd2a]
 /lib/libc.so.6(__libc_start_main+0xe6)[0x7fea6d8b0ba6]
 radiusd[0x408fe9]


The version of freeradius i'm running is ...

FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29

I can replicate this issue with radtest.

Does anybody know why this might be happening? If you require any
additional info please let me know. One thing I was thinking about
trying is going back a few versions of ntlm_auth and trying again. It's
interesting how I don't seem to be able to find any information relating
to this on the Internet.

Thanks,

Matt.





cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matt Arguin
Hi All,
  having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to
auth to my OpenLDAP server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.

I am trying to configure EAP-TLS and think I am pretty close.  I am
currently wondering if possibly I have an incorrect mapping in the
ldap.attrs file (it is completely default right now). Running
'radiusd -X' I do see some errors such as:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed

but later down the path of the session it looks like things are going
OK, seeing a bunch of EAP challenges and it expanding the username
and stuff being put into the inner-tunnel.  However, in the end:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?

My LDAP attribute for password is userPassword and I have tried
changing the values in ldap.attrs to match this but that did not
help.  Here is the full output of the run of radiusd in debug mode.
Any insight is appreciated:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=181, length=132
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
EAP-Message = 0x0202000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  expand: %{User-Name} - anonymous
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=anonymous)
[ldap]  expand: dc=currensee,dc=com - dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5
to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=182, length=228
User-Name = anonymous
Framed-MTU = 1400
Called-Station-Id = 64a0.e729.b890
Calling-Station-Id = 1c65.9d32.fb68
Service-Type = Login-User
Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
EAP-Message =
0x0203005c19001603010051014d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd92600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 799
NAS-Port-Id = 799
State = 0x12d3382012d02152159f345e3e0c333a
NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = anonymous, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, 

Re: cisco WAP/FreeRadius/OpenLDAP

2011-10-27 Thread Matt Arguin

 Date: Thu, 27 Oct 2011 21:00:00 +0200
 From: Alan DeKok al...@deployingradius.com
 Subject: Re: Failed to load module jradius

 Travis Dimmig wrote:
 I don't seem to be able to get freeRadius to load the 'jradius' module.
 My steps are as follows:
...
 'radiusd -X' gives:

 /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module
 jradius.

  It should give more than that.  Look at the *previous* lines to see
 the real cause of the problem.

  Alan DeKok.


 Date: Thu, 27 Oct 2011 18:59:33 +
 From: Travis Dimmig tdim...@impulse.com
 Subject: RE: Failed to load module jradius

 Figured it out.  The jradius.conf needs to be in 
 /usr/local/etc/raddb/modules.  I swear it used to be one directory up...  
 Anyway, I don't know if it's the freeRadius team or the JRadius team that 
 maintains this plugin, but the config file is not automatically copied into 
 the modules directory even when freeRadius is compiled with jradius support.


 Travis

 From: freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org 
 [mailto:freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org] On 
 Behalf Of Travis Dimmig
 Sent: Thursday, October 27, 2011 2:29 PM
 To: FreeRadius users mailing list
 Subject: Failed to load module jradius

 I don't seem to be able to get freeRadius to load the jradius module.  My 
 steps are as follows:

 wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
 tar -xzvf freeradius-server-2.1.12.tar.gz
 cd freeradius-server-2.1.12
 echo rlm_jradius >> src/modules/stable
 ./configure && make && make install
 cp src/modules/rlm_jradius/jradius.conf /usr/local/etc/raddb

 I configure jradius.conf to point to my JRadius server, and add jradius to 
 the accounting section of sites-enabled.
 radiusd -X gives:
 /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module 
 jradius.
 /usr/local/etc/raddb/sites-enabled/default[378]: Errors parsing accounting 
 section.

 I have verified that the jradius libraries have been compiled and installed 
 /usr/local/lib.

 I've managed to compile freeRadius with the jradius module before just 
 fine. Not sure what the problem is now.  Any help would be greatly 
 appreciated.

 Travis Dimmig
 Software Development Specialist
 Impulse Point
 www.impulse.com

 Date: Thu, 27 Oct 2011 21:01:21 +0200
 From: Alan DeKok al...@deployingradius.com
 Subject: Re: cisco WAP/FreeRadius/OpenLDAP

 Matt Arguin wrote:
   having trouble setting up my RADIUS(FreeRADIUS Version 2.1.7) to
 auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.

 i am trying to configure EAP-TLS

  Then you don't need LDAP.  EAP-TLS does authentication based on client
 certificates.  It doesn't use passwords.

  Why are you using EAP-TLS & LDAP?  What do you expect it to do?

  Alan DeKok.



TTLS OSX Airport Connection Dropping

2011-07-11 Thread Matt Hopkins
I have a setup with four Linksys E4200 wireless routers all sharing the same 
SSID. All are configured to authenticate against the same freeradius server via 
WPA2 Enterprise. I have freeradius (2.1.7) set up to authenticate against 
Active Directory using ntlm_auth via TTLS and mschap. Android and iOS connect 
correctly with this setup. Windows connects correctly as well, but is using 
PEAP instead of TTLS. The problem occurs with OSX (running latest build - 
10.6.8). 

When connecting via Airport, it connects, then the text "Authenticated via 
TTLS" briefly appears, then it switches back to saying "Authenticating...".
During this time the wireless will remain connected for 2-3 hours, until it 
disconnects. After that, Airport prompts for the wireless username / password 
again (even though these are supposed to be automatically remembered).
Turning Airport off / on always resolves the issue and gives another 2-3 hours 
of connectivity.
The error occurs on the four MacBook Pros tested.


Thanks so much for any help! If someone could point me in some direction, that 
would be great.


The log containing the conversation between an OSX machine and freeradius is 
available at:
http://nofouls.com/images/radlog.txt


RE: Using an external CA certificate

2011-03-03 Thread Matt Langthorpe
Thanks Alex, 
that was spot on and fixed the issue, much appreciated.


-Original Message-
From: 
freeradius-users-bounces+matt.langthorpe=pmb.ox.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+matt.langthorpe=pmb.ox.ac...@lists.freeradius.org]
 On Behalf Of Alexander Clouter
Sent: 01 March 2011 13:30
To: freeradius-users@lists.freeradius.org
Subject: Re: Using an external CA certificate

Matt Langthorpe matt.langtho...@pmb.ox.ac.uk wrote:

 Having a bit of trouble following the official freeradius wiki when it 
 comes to certificates.  Basically I have my own certificate which I 
 want to use.  I have a ***.crt file which was sent by my issuer, and a 
 private.pem file which was created when I made my CSR request using 
 openssl.


alex@chipmunk:~$ unzip 10133697.zip
Archive:  10133697.zip
 extracting: 10133697.ca-bundle
 extracting: 10133697.crt

alex@chipmunk:~$ cat 10133697.crt 10133697.ca-bundle > server.pem


The infernal folks at Comodo seem to have changed their process recently so 
that you get the bundle; the old style approach was:

$ cat 10133697.crt TERENASSLCA.crt UTNAddTrustServer_CA.crt \
AddTrustExternalCARoot.crt > server.pem


Now in your 'eap.conf' file use the following and you should be set:

private_key_password = secret
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
 

FYI, if you have to do a similar thing with Apache, you want:

SSLEngine   on
SSLCertificateFile  /etc/apache2/certs/example/10133697.crt
SSLCertificateKeyFile   /etc/apache2/certs/example/privkey.pem
SSLCertificateChainFile /etc/apache2/certs/example/10133697.ca-bundle


 I have uploaded the two files into my raddb/certs folder, but am 
 unsure as to where to point to them in my eap.conf? I notice none of 
 the cert files listed in eap.conf have a *.crt extension which is a 
 bit confusing.

This is UNIX, file extensions are generally meaningless and should be ignored.

Cheers

--
Alexander Clouter
.sigmonster says: I think the world is run by C students.
-- Al McGuire

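The steps Alexander describes (concatenate the issued certificate and the CA bundle into server.pem, then point eap.conf at it) are worth checking before restarting radiusd: a certificate paired with the wrong private key, or a bundle that does not actually chain the certificate to a root, only shows up as an opaque TLS failure on the supplicant. The script below is an added example and is not part of the list post or of the FreeRADIUS distribution; it assumes `openssl` on the PATH, and the file names (server.crt, ca-bundle.crt, server.key, server.pem) are placeholders for whatever your issuer sent.

```shell
#!/bin/sh
# Added example (not from the list thread): assemble the server.pem that
# eap.conf's certificate_file points at, and sanity-check the pieces first.
# File names are placeholders; substitute the names your CA issued.
set -eu

# key_matches_cert CERT KEY
# Succeeds only if the public key inside CERT is the one derived from KEY,
# which catches pairing a renewed certificate with a stale key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT BUNDLE
# Succeeds only if CERT chains up to a trust anchor contained in BUNDLE.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_server_pem CERT BUNDLE OUT
# Writes OUT in the order a TLS server must send: the leaf first, then the
# issuing intermediates. Prints how many certificate blocks were written.
build_server_pem() {
    cat "$1" "$2" > "$3"
    chmod 0640 "$3"
    grep -c 'BEGIN CERTIFICATE' "$3"
}

# Usage: ./build-server-pem.sh server.crt ca-bundle.crt server.key server.pem
if [ "$#" -eq 4 ]; then
    key_matches_cert "$1" "$3" || { echo "private key does not match $1" >&2; exit 1; }
    chain_verifies "$1" "$2"   || { echo "$1 does not verify against $2" >&2; exit 1; }
    n=$(build_server_pem "$1" "$2" "$4")
    echo "wrote $4 with $n certificate(s)"
fi
```

If the bundle holds only intermediates and not the root, `openssl verify` needs the root too (a `-CAfile` that also contains it, or the system store via `-CApath`); a failure at that step is also the hint that supplicants will be handed an incomplete chain.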


PAP problem?

2011-03-03 Thread Matt Langthorpe
Hi list, 

I'm pretty sure this issue is straightforward but I've searched the list and 
can't come up with an answer.

I'm using freeradius 2.19 on CentOS 5.5   

I'm trying to auth users from a NAC box (Bradford Campus Manager) against an AD 
domain using freeradius.  

All works fine when I point an AP at freeradius, but things fail when using 
our NAC to forward requests to FreeRadius.  I suspect the problem is that the 
NAC is trying to use PAP, but I'm not sure how to really resolve the problem. 

Here are my logs:

Ready to process requests.
rad_recv: Access-Request packet from host 129.67.147.204 port 32960, id=174, 
length=78
User-Name = SAMBA_TEST
User-Password = password
NAS-Identifier = pmbcm01.pmb.ox.ac.uk
NAS-IP-Address = 129.67.147.204
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - 
/var/log/radius/radacct/129.67.147.204/auth-detail-20110303
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/129.67.147.204/auth-detail-20110303
[auth_log]  expand: %t - Thu Mar  3 11:45:17 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SAMBA_TEST, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for SAMBA_TEST
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[ldap]  expand: ((sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) - ((sAMAccountName=SAMBA_TEST))
[ldap]  expand: cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK - cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 129.67.147.225:389, authentication 0
rlm_ldap: bind as cn=samba,cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK/password to 
129.67.147.225:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK, with filter ((sAMAccountName=SAMBA_TEST))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user SAMBA_TEST authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - SAMBA_TEST
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 174 to 129.67.147.204 port 32960
Waking up in 4.9 seconds.
Cleaning up request 0 ID 174 with timestamp +

Cheers,
Matt

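Both debug transcripts posted so far (this PAP run and the EAP-TLS run in the cisco WAP post) are long, and the lines that decide the outcome are easy to miss: which module returned notfound, whether any module set Auth-Type at all (none here, hence "No authenticate method"), or whether two modules both claimed the request, and what reply finally went out. The script below is an added example, not from the list or from FreeRADIUS; it filters a `radiusd -X` capture read from stdin, matching the 2.x debug format shown in the posts, and carries abridged, constructed copies of both transcripts as built-in samples.

```shell
#!/bin/sh
# Added example (not from the list posts): pull the decision-relevant lines
# out of a `radiusd -X` run. Feed the debug output on stdin, e.g.
#   radiusd -X 2>&1 | tee debug.log; radius_debug_summary < debug.log
set -eu

# module_returns: one "module rc" pair per "++[module] returns rc" line, in
# execution order. reject/fail/notfound are where to start reading.
module_returns() {
    sed -n 's/^++\[\([^]]*\)\] returns \([a-z]*\).*/\1 \2/p'
}

# auth_types: every Auth-Type the authorize section set. Two lines for one
# request means two modules both claimed it (the "Found 2 auth-types"
# warning); none means no module could, and the request is rejected with
# "No authenticate method (Auth-Type) configuration found".
auth_types() {
    sed -n 's/^Found Auth-Type = \(.*\)$/\1/p'
}

# problems: the lines that usually explain a reject, plus the reply sent.
problems() {
    grep -E 'No known good password|No authenticate method|returns (reject|fail|notfound)|^Sending Access-(Accept|Reject|Challenge)' || true
}

# verdict: Accept, Reject or Challenge from the last reply sent, or no-reply.
verdict() {
    v=$(sed -n 's/^Sending Access-\([A-Za-z]*\) .*/\1/p' | tail -n 1)
    echo "${v:-no-reply}"
}

# radius_debug_summary: all of the above over one captured run (stdin).
radius_debug_summary() {
    log=$(cat)
    echo "== module return codes"; printf '%s\n' "$log" | module_returns
    echo "== Auth-Type set to";     printf '%s\n' "$log" | auth_types
    echo "== problems";             printf '%s\n' "$log" | problems
    echo "== verdict: $(printf '%s\n' "$log" | verdict)"
}

# Constructed sample: abridged copy of the PAP-against-AD run posted above.
sample_pap() {
cat <<'EOF'
rad_recv: Access-Request packet from host 129.67.147.204 port 32960, id=174, length=78
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldap] returns ok
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Using Post-Auth-Type Reject
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 174 to 129.67.147.204 port 32960
EOF
}

# Constructed sample: abridged copy of the EAP-TLS run from the cisco WAP post.
sample_eap() {
cat <<'EOF'
rad_recv: Access-Request packet from host 192.168.10.31 port 1645, id=181, length=132
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
++[eap] returns updated
rlm_ldap: object not found
[ldap] search failed
++[ldap] returns notfound
[pap] WARNING! No known good password found for the user.
++[pap] returns noop
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
EOF
}

# With no stdin redirected, show the summary of the PAP sample.
if [ -t 0 ]; then
    sample_pap | radius_debug_summary
fi
```

On the PAP sample the summary shows ldap returning ok without a password, pap returning noop, no Auth-Type at all and a Reject; on the EAP sample it shows ldap returning notfound for the outer "anonymous" identity, Auth-Type set twice, and a Challenge, which is the normal first step of an EAP conversation rather than an error.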


Using an external CA certificate

2011-03-01 Thread Matt Langthorpe
Hi List,
Having a bit of trouble following the official freeradius wiki when it comes to 
certificates.  Basically I have my own certificate which I want to use.  I have 
a ***.crt file which was sent by my issuer, and a private.pem file which was 
created when I made my CSR request using openssl.

I have uploaded the two files into my raddb/certs folder, but am unsure as to 
where to point to them in my eap.conf? I notice none of the cert files listed 
in eap.conf have a *.crt extension which is a bit confusing.  

Thanks in advance,
Matt





Re: Rejecting EAP-TLS based on cert Subject field [RESOLVED]

2011-01-28 Thread Matt Garretson
On 1/28/2011 3:48 AM, Alan DeKok wrote:
   Put the unlang in the authenticate section, after eap:
   Auth-Type eap {
   eap
   if (...) {
   ...
   }
   }


Thank you!!  That did the trick.  The entirety of my authenticate
section is now:

 authenticate {
 Auth-Type Kerberos {
 krb5
 }
 Auth-Type eap {
 eap
 if ( %{TLS-Client-Cert-Subject} =~ /\/OU=Evil\// ) {
 reject
 }
 }
 }

And it works perfectly.  Thank you!

As for Windows XP dealing with the rejection


   You're sending a *radius* reject.  It doesn't include an EAP-Message
 with an *EAP* reject.  So you need to create a fake one:
   update reply {
   EAP-Message := 0x   
   }
   That can work sometimes...


Ah, thanks for the tip.  I added this in the Post-Auth-Type REJECT
section:

 if ( %{control:Auth-Type} == EAP ) {
   update reply {
 EAP-Message := 0x04010004
   }
 }

The code seems to work as expected, but Windows XP still doesn't seem to
handle it sensibly.  But I can live with that.

Thank you, Alan!

-Matt


Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
For years, we've been doing simple EAP-TLS with various versions of
FreeRADIUS.  Now, a new requirement has come down to me such that radius
will have to reject certain valid client certs based on a string in the
Subject field of the client cert.

I've met this need (using 2.1.11 from git) with a simple bit of unlang
in post-auth{}:

 if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) {
   reject
 }

It works, but there are two non-ideal things about the way it works:

 1) Windows XP doesn't seem to notice the rejection and keeps retrying
for a minute or two, ultimately failing to show any failure/error
message to the user.

 2) The rejection is not logged in radiusd.log; rather, three Auth:
Login OK lines are logged (the repetition is due to XP's retries)

Is there any way I can address these two issues?  I did try putting the
above unlang into eap.conf's tls{} section (where check_cert_issuer and
check_cert_cn would be), in hopes that the rejection would occur during
the auth rather than after it, but the code doesn't seem to have any
effect there.

Thanks in advance for any clues...
-Matt


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 1:14 PM, Alan Buxey wrote:
 you are authenticating...and then rejecting in the post-auth
 stage.   you really need to break the process in the authentication
 stage.



Thanks.  That's actually my goal.  But unlang isn't allowed in
authenticate{}, and my attempts to sneak it into the authentication
phase via the tls{} section in eap.conf didn't seem to work.

Any other ways to do it?

I'd thought of using rlm_perl, but couldn't see that the cert fields are
passed to the module.

Thanks,
-Matt


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 1:24 PM, Matt Garretson wrote:
 Thanks.  That's actually my goal.  But unlang isn't allowed in
 authenticate{}, and my attempts to sneak it into the authentication
 phase via the tls{} section in eap.conf didn't seem to work.
 Any other ways to do it?


Replying to myself here I got a bit closer to my goal by putting 
this in the verify{} subsection of tls{} :

  tmpdir = /tmp/radiusd
  client = "/usr/local/bin/checkcert %{TLS-Client-Cert-Filename}"

Where /usr/local/bin/checkcert contains:

  #!/bin/sh
  # Fail (non-zero exit) when the client certificate's Subject carries OU=Evil;
  # rlm_eap_tls treats a non-zero exit from the verify client as a failed cert.
  if /usr/bin/openssl x509 -in "$1" -noout -text | \
   /bin/grep -q " Subject:.* OU=Evil, " ; then
  RC=1
  else
  RC=0
  fi
  exit $RC

The XP client still tries three times (duh), but at least radius.log reflects 
a failure:

  Error: TLS_accept: error in SSLv3 read client certificate B
  Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
  Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

Still, it would be nice if I could use unlang (or something) to match against
%{TLS-Client-Cert-Subject} during the authenticate stage somehow.  Is there
a way that I'm missing?

Thanks,
-Matt
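Both variants in this thread (the unlang match on %{TLS-Client-Cert-Subject} in the resolved post, and the checkcert script run from verify{}) match the subject as free text, so the pattern also fires on a substring of some other field. The script below is an added example, not the poster's script and not part of FreeRADIUS; it keeps the verify{} contract (non-zero exit fails the certificate) but reads the subject in RFC2253 form and compares whole OU values, fails closed when the file does not parse as a certificate, and takes the blocked list from a colon-separated BLOCKED_OUS variable (a placeholder name). The certificate path is the one FreeRADIUS passes as %{TLS-Client-Cert-Filename}.

```shell
#!/bin/sh
# Added example (not the list poster's script): stricter checkcert for
# eap.conf's tls { verify { client = "... %{TLS-Client-Cert-Filename}" } }.
# Exit status 0 = certificate acceptable, anything else = reject.
# BLOCKED_OUS is a placeholder: colon-separated list of OU values to refuse.
set -eu

BLOCKED_OUS="${BLOCKED_OUS:-Evil}"

# cert_ous CERTFILE: print one OU value per line from the RFC2253 subject.
# Components are comma-separated; commas inside a value arrive escaped as
# "\," so they are protected before splitting and restored afterwards.
cert_ous() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/\\,/@ESCCOMMA@/g' \
        | tr ',' '\n' \
        | sed -n -e 's/@ESCCOMMA@/,/g' -e 's/^OU=//p'
}

# cert_allowed CERTFILE: exit 0 unless an OU of the cert is in BLOCKED_OUS.
# An unreadable or non-certificate file is refused (fail closed) rather
# than passed because no OU could be read from it.
cert_allowed() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    cert_ous "$1" | while IFS= read -r ou; do
        case ":$BLOCKED_OUS:" in
            *":$ou:"*) exit 1 ;;   # exits the pipeline subshell: reject
        esac
    done
}

# FreeRADIUS invokes this as: checkcert <path to the presented client cert>
if [ "$#" -eq 1 ]; then
    cert_allowed "$1"
fi
```

Because the comparison is on a whole OU value, OU=Evilcorp and a CN that happens to contain the text "OU=Evil" both pass, while a certificate that carries OU=Evil alongside other OUs is still refused; the fail-closed check on unparseable input is what keeps a broken temp file from turning into an accept.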


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 3:41 PM, Matt Garretson wrote:
 The XP client still tries three times (duh), but at least radius.log reflects 
 a failure:
 
   Error: TLS_accept: error in SSLv3 read client certificate B
   Error: rlm_eap: SSL error error:140890B2:SSL 
 routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
   Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
   Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]


*sigh*  I left out the first (and most useful) logging line in the above:

  Auth: rlm_eap_tls: Certificate CN (eviluser) fails external verification!

So, again, it's better than what I'd had before, but not as elegant as I 
was hoping.


Re: Rejecting EAP-TLS based on cert Subject field

2011-01-27 Thread Matt Garretson
On 1/27/2011 3:03 PM, Phil Mayers wrote:
 I've met this need (using 2.1.11 from git) with a simple bit of unlang
 in post-auth{}:
   if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) {
 reject
   }
 
 Just put this in the authorize section? If it's early in the EAP 
 conversation, TLS-Client-* won't be set so won't match, meaning this 
 will succeed as soon as you get that far.


I'm not sure I follow you here.  Are you saying that there is a place in
the authorize section where TLS-Client-* _would_ be accessible to
unlang?  I've tried it in a few places (before eap, after eap, at the
top of the section, at the bottom of the section) and it seemed to have
no effect.  But it's entirely possible that I missed something during
these tests.


 Correct. Unlang is only processed in authorize-like steps, not arbitrary 
 bits of the config.

I can understand that.  But given that the eap module has access to some
client cert fields during authentication (e.g. check_cert_issuer and
check_cert_cn), it would be nice to be able to access these and other
client cert fields with unlang (or something similar) at that stage.
But, admittedly, I'm way over my head here  :-)   so I'll make do with
one of the methods described earlier in this thread.

Thanks,
-Matt


Check line and radgroupcheck evaluation question

2010-06-16 Thread Matt Hite
Hello,

Are check lines in the users file short-circuit AND evaluated from
left to right? Extrapolating this presumption out to radgroupcheck
when using a MySQL database, are the check items evaluated simply in
order of column id value (ie. the order they are returned from the
SELECT)?

authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"

Just trying to wrap my head around how one might do something useful
with radgroupcheck. I guess you are supposed to be able to match some
condition on the row whose group matches with the lowest column ID and
then subsequent rows that also have the same matching group (with
higher column ID's) can be used to set attributes or look for further
requisite conditions?

I am actually wanting to reject connections when groups of users come
in on the wrong huntgroup. I've seen significant discussion and
confusion in the mailing list archives in regards to this. Most of the
time I see people say use radcheck to reject. I did spot a gem from
Ivan Kalik, though, which led me down this path.

However, the issue remains:
I do not want the user to be rejected per se. I only want the user to be
rejected if her own huntgroup as stored in radgroupcheck is different from
the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal
is to prevent a user from logging in to a hotspot router that does not belong to
the huntgroup the user belongs to.

Hm, and what do you think:

 Huntgroup-Name != Test, Auth-Type := Reject

that does? As a joke, put them in radgroupcheck and see if it does
*exactly* what you have described.

Thanks for your help,

-M


Re: Check line and radgroupcheck evaluation question

2010-06-16 Thread Matt Hite
As usual, thanks Alan. I appreciate the help.

-M

On Wed, Jun 16, 2010 at 7:55 AM, Alan DeKok al...@deployingradius.com wrote:
 Matt Hite wrote:
 Are check lines in the users file short-circuit AND evaluated from
 left to right?

  Yes.

 Extrapolating this presumption out to radgroupcheck
 when using a MySQL database, are the check items evaluated simply in
 order of column id value (ie. the order they are returned from the
 SELECT)?

  Yes.

  Alan DeKok.


Re: peap/eap/mschapv2 + MySQL

2010-06-01 Thread Matt Madrid

 I'd love to use inner-tunnel if I could get it to work.

 so.. what's the error then - radiusd -X - it should be quite obvious


Alan: I believe I posted the errors I have been getting. I have posted
the debug output in previous posts in this thread. If there is more
information that you think I should be giving please let me know.

-- 
mattsig



Re: peap/eap/mschapv2 + MySQL

2010-05-31 Thread Matt Madrid
 Ok, well like I said, mysql wasn't being queried by the inner-tunnel
 server. Still not clear on why that was happening, but I worked around
 it by commenting out inner-tunnel as the virtual server to use for
 peap. So the default server is being used and working.

 er, it wasn't working when you proxy to inner-tunnel
 because SQL *WASNT* configured in your inner-tunnel section...

 go have a look at your inner-tunnel config again and tell me where
 'sql' appears in your authenticate section?

 now see how you have it configured in your 'default'

hmm.. well as far as I can tell, 'sql' isn't supposed to be in the
authenticate section. In my default config it is in the authorize
section just as it is in inner-tunnel. When I did try to add it to
authenticate, I get an error on startup:

inner-tunnel[223]: SQL modules aren't allowed in 'authenticate'
sections -- they have no such method.
inner-tunnel[223]: Failed to parse sql entry.


 if you use inner-tunnel then you have far more efficient
 config and server CPU usage etc.


I'd love to use inner-tunnel if I could get it to work.


peap/eap/mschapv2 + MySQL

2010-05-28 Thread Matt Madrid
Hello list,

First of all: freeradius-2.1.8, Mysql 5.1.41 on Ubuntu 10.04 / Airport
Extreme v7.5

I'm having trouble authenticating users with EAP/mschapv2 against a
mysql database. Users authenticate fine if they are in the users file.
Here's the main problem it seems from the debug output:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oogabooga with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Now I've read a million posts on the web, including this list where
people have reported the same problem. In most cases the problem was
that the inner-tunnel server wasn't configured for sql. I definitely
have sql on in the inner-tunnel file (which I will post in a sec). The
mysql server IS being queried on the initial request, but not in
inner-tunnel. Can someone please shed some light on this for me
please.

Here is my inner-tunnel file and debug output (long).

Thanks, Matt

/etc/freeradius/sites-enabled/inner-tunnel :

server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        sql
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
} # inner-tunnel server block


debug output:

rad_recv: Access-Request packet from host 10.20.20.254 port 65023,
id=181, length=153
User-Name = oogabooga
NAS-IP-Address = 10.20.20.254
NAS-Port = 0
Called-Station-Id = F8-1E-DF-FC-8C-82:xyz
Calling-Station-Id = 00-17-F2-45-F7-CF
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x028d000e016f6f6761626f6f6761
Message-Authenticator = 0x9388a95b4d72cd941931671109245b66
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = oogabooga, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 141 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{Stripped-User-Name} -
[sql]   ... expanding second conditional
[sql]   expand: %{User-Name} - oogabooga
[sql]   expand: %{%{User-Name}:-DEFAULT} - oogabooga
[sql]   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} - oogabooga
[sql] sql_set_user escaped user -- 'oogabooga'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'oogabooga'   ORDER
BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radcheck   WHERE username = 'oogabooga'
ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op
FROM radreply   WHERE username = '%{SQL-User-Name}'
ORDER BY id - SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'oogabooga'   ORDER
BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op
FROM radreply   WHERE username = 'oogabooga'
ORDER BY id
[sql]   expand: SELECT groupname   FROM radusergroup
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -
SELECT groupname   FROM radusergroup   WHERE username
= 'oogabooga'   ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname   FROM radusergroup
   WHERE username = 'oogabooga'   ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found

Re: peap/eap/mschapv2 + MySQL

2010-05-28 Thread Matt Madrid
 Now I've read a million posts on the web, including this list where
 people have reported the same problem. In most cases the problem was
 that the inner-tunnel server wasn't configured for sql. I definitely
 have sql on in the inner-tunnel file (which I will post in a sec). The
 mysql server IS being queried on the initial request, but not in
 inner-tunnel. Can someone please shed some light on this for me
 please.

Ok, well like I said, mysql wasn't being queried by the inner-tunnel
server. Still not clear on why that was happening, but I worked around
it by commenting out inner-tunnel as the virtual server to use for
peap. So the default server is being used and working.



Log IP address (Calling-Station-Id?) of failed authentication attempts

2010-05-09 Thread Matt Hite
Hello.

I would like to log the client IP of failed & successful
authentications to my RADIUS-enabled switches. Right now
failed/success show up like this:

radiusd[13877]: Login incorrect: [xyzzy] (from client SW-2745-C1.sv4 port 0)
radiusd[13877]: Login OK: [plugh] (from client SW-2745-C1.sv4 port 0)

It looks like I can possibly enable auth_badpass and auth_goodpass in
radiusd.conf and then set:

msg_goodpass = %{Calling-Station-Id}
msg_badpass = %{Calling-Station-Id}

Is this going about it the right way?

Also, I really don't want the failed passwords to get logged. (I don't
want to see my colleagues' plain-text passwords.) If I do use the
aforementioned technique, am I also going to see passwords? I'm
guessing yes.

Thanks for your help and insight.

-M


Re: Log IP address (Calling-Station-Id?) of failed authentication attempts

2010-05-09 Thread Matt Hite
Was a bit confused with this one. You can't actually use msg_goodpass
and/or msg_badpass unless auth_goodpass and/or auth_badpass is set to
yes. Doing this DOES force logging of passwords. (Comments in
radiusd.conf seem to confirm.)

Did a bit more digging (i.e. checked out the source code and looked at it).
It appears the functionality to log client IP (Calling-Station-Id) is
already there -- you only need auth = yes in radiusd.conf enabled.
Enabling auth_badpass = yes and/or auth_goodpass = yes and
msg_goodpass/msg_badpass to include %{Calling-Station-Id} is not
necessary.

Specifically, there is a function in auth.c called auth_name() that is
called during radlog_request(). This function will expand
Calling-Station-Id for inclusion in the log message.

It appears the actual NAS equipment I am using (Force10) just doesn't
send a Calling-Station-Id; hence FreeRADIUS doesn't log it. Works fine
with Cisco kit though.

Mystery solved!

-M

On Sun, May 9, 2010 at 1:19 AM, Alan DeKok al...@deployingradius.com wrote:
 Matt Hite wrote:
 It looks like I can possibly enable auth_badpass and auth_goodpass in
 radiusd.conf and then set:

 msg_goodpass = %{Calling-Station-Id}
 msg_badpass = %{Calling-Station-Id}

  Yes.

 Is this going about it the right way?

  Yes.

 Also, I really don't want the failed passwords to get logged. (I don't
 want to see my colleagues plain-text passwords.) If I do use the
 aforementioned technique, am I also going to see passwords? I'm
 guessing yes.

  No.  See auth_badpass and auth_goodpass configuration items.  If
 they're set to no, passwords are not logged.

  Alan DeKok.
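Matt's conclusion above is that the "Login OK" / "Login incorrect" lines already carry the client name and, when the NAS sends it, the Calling-Station-Id, and that auth_badpass / auth_goodpass put the password into the same line. The following Python is an added example, not code from the thread or from FreeRADIUS: it parses constructed lines in that shape, counts failures per client and flags any line that carries a logged password. The `[user/password]` form and the trailing ` cli <id>` part are assumptions about the exact layout.

```python
import re
from collections import Counter

# Pattern for the lines FreeRADIUS writes when "auth = yes" is set, in the
# shape quoted in the thread.  The "[user/password]" form (auth_badpass /
# auth_goodpass = yes) and the trailing " cli <Calling-Station-Id>" part are
# assumptions about the exact layout.
AUTH_LINE = re.compile(
    r"Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]*)(?:/(?P<password>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\)"
)

# Constructed sample log, modelled on the two lines quoted in the thread.
SAMPLE_LOG = [
    "radiusd[13877]: Login incorrect: [xyzzy] (from client SW-2745-C1.sv4 port 0)",
    "radiusd[13877]: Login OK: [plugh] (from client SW-2745-C1.sv4 port 0)",
    "radiusd[13877]: Login incorrect: [xyzzy] (from client SW-2745-C1.sv4 port 0 cli 001e650eb532)",
    # Shape of a line written with auth_badpass = yes: the password is in the log.
    "radiusd[13877]: Login incorrect: [bob/hunter2] (from client SW-2745-C1.sv4 port 0 cli 001e650eb532)",
    "radiusd[13877]: Ready to process requests.",
]


def parse_auth_line(line):
    """Return the fields of one Login OK/incorrect line, or None for other lines."""
    m = AUTH_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # A "/" inside the brackets means the password was written to the log.
    rec["password_logged"] = rec["password"] is not None
    return rec


def summarise(lines):
    """Count failed logins per (client, Calling-Station-Id) and list the users
    whose password appeared in the log."""
    failures = Counter()
    leaked_users = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        if rec["password_logged"]:
            leaked_users.append(rec["user"])
        if rec["result"] == "incorrect":
            # "-" marks a NAS that did not send Calling-Station-Id at all
            failures[(rec["client"], rec["cli"] or "-")] += 1
    return failures, leaked_users


if __name__ == "__main__":
    failures, leaked = summarise(SAMPLE_LOG)
    for (client, cli), n in failures.most_common():
        print(f"{n} failed login(s) from client {client}, cli {cli}")
    if leaked:
        print("passwords logged for:", ", ".join(leaked),
              "- check auth_badpass / auth_goodpass in radiusd.conf")
```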


Re: Log the 802.1x session

2010-04-09 Thread Matt Hite
On Fri, Apr 9, 2010 at 8:46 AM, Rosario Lumia ery...@gmail.com wrote:

 Sorry for my (very) bad English. Only for clearness: I'd want to know if
 there is a way to log the end of a 802.1x session. I mean: a client turns off
 his wireless card and (I think) the AP can (??) send a message to freeradius
 because the association between client and AP is lost.
 My question was: is it possible?
 Your answer was very clear.

Answer: probably not.

From what I've read, supplicants can send an EAPOL-Logoff message to
an authenticator (i.e. an AP/switch). The authenticator could then
disable the port. I can't think of any good reason the authenticator
would send this message to RADIUS. I've also read that Windows clients
will send an EAPOL-Start message when a user logs off instead of an
EAPOL-Logoff. Neither of these is really a good method for determining
whether an association between a client and an AP is lost.

-M


Re: Log the 802.1x session

2010-04-09 Thread Matt Hite
On Fri, Apr 9, 2010 at 12:11 PM, Garber, Neal
neal.gar...@energyeast.com wrote:
 From what I've read, supplicants can send an EAPOL-Logoff message to

 If the requirement is to determine when the user disconnects, isn't this best 
 handled by accounting data?  That is, if the authenticator supports sending 
 Accounting-Request packets to RADIUS, then when the user disconnects, it 
 should send an Acct-Status-Type=stop request.

Absolutely. While I've not played with 802.1X + accounting personally,
it looks like there is decent support in Cisco kit:

http://www-europe.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_ieee802_pba.html#wp1280467

-M



Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum

On 01/04/2010, at 1:44 PM, Matt Harlum wrote:

 
 On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
 
 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know. I am using the Daloradius web interface for adding data to 
 the database, so I just loaded the default daloradius sql which was intended 
 (according to the daloradius readme) for 2.X Freeradius... and added accounts 
 in the web interface...
 
 Here's an example from my radcheck table in the SQL Database:
  id | UserName    | Attribute     | op | Value       |
 ----+-------------+---------------+----+-------------+
   1 | exampleuser | User-Password | == | password123 |
 
 This is how yours should be set up, otherwise you will get the validating 
 issue in Windows.
 

I was wrong, it should be:
Here's an example from my radcheck table in the SQL Database:
 id | UserName    | Attribute          | op | Value       |
----+-------------+--------------------+----+-------------+
  1 | exampleuser | Cleartext-Password | := | password123 |

My configuration was wrong, it'd seem. I hadn't noticed, as I'm primarily using 
EAP-TLS with EAP-TTLS as a fallback; I didn't test it when I upgraded to 2.x.

Regards,
Matt Harlum

 
 
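Since the correction above is to replace a `User-Password ==` row with a `Cleartext-Password :=` row, the following Python is an added audit, not code from the thread, from FreeRADIUS or from daloradius: it finds rows still written the old way in a radcheck table and rewrites them. It works on an in-memory sqlite3 copy of the table holding constructed rows modelled on the thread; the column types and the hashed-password row are assumptions.

```python
import sqlite3

# radcheck layout as shown in the thread (id, UserName, Attribute, op, Value);
# the column types are an assumption.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    UserName  TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    Value     TEXT NOT NULL
)
"""

# Constructed rows: the legacy row from the thread, a correct row, and a
# hashed-password row (constructed value) that the migration must leave alone.
SAMPLE_ROWS = [
    (1, "exampleuser", "User-Password", "==", "password123"),
    (2, "otheruser", "Cleartext-Password", ":=", "s3cret"),
    (3, "hasheduser", "MD5-Password", ":=", "482c811da5d5b4bc6d497ffa98491e38"),
]


def open_db(rows=SAMPLE_ROWS):
    """Build an in-memory copy of radcheck holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_legacy_rows(conn):
    """Return (id, UserName) of rows still written the 1.x way, i.e. the
    password stored under User-Password, which the thread reports 2.x ignoring."""
    cur = conn.execute(
        "SELECT id, UserName FROM radcheck WHERE Attribute = 'User-Password' ORDER BY id"
    )
    return cur.fetchall()


def migrate_legacy_rows(conn):
    """Rewrite legacy rows to Cleartext-Password := and return how many changed."""
    cur = conn.execute(
        "UPDATE radcheck SET Attribute = 'Cleartext-Password', op = ':=' "
        "WHERE Attribute = 'User-Password'"
    )
    conn.commit()
    return cur.rowcount


def check_items(conn, username):
    """Return the (Attribute, op, Value) check items stored for one user."""
    cur = conn.execute(
        "SELECT Attribute, op, Value FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = open_db()
    print("legacy rows:", find_legacy_rows(db))
    print("rows migrated:", migrate_legacy_rows(db))
    print("exampleuser now:", check_items(db, "exampleuser"))
```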

Re: Freeradius + PEAP.. stuck on validating identity..

2010-04-01 Thread Matt Harlum
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:

 Thank you for the answer.. You are right about that SQL, it is some mess in
 daloradius, but I tried to disable SQL and use the /etc/freeradius/users
 file instead, but I am stuck on "Attempting to authenticate" now.. the log
 says this:

Are you trying to use EAP-TTLS?

 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
 length=137
 Cleaning up request 39 ID 0 with timestamp +589
User-Name = pokus
NAS-IP-Address = 192.168.3.1
Called-Station-Id = 00259c523046
Calling-Station-Id = 001e650eb532
NAS-Identifier = 00259c523046
NAS-Port = 9
Framed-MTU = 1400
State = 0x53b1704550ba694fbe3359243d2a2638
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b00061900
Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
 +- entering group authorize
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
rlm_realm: No '@' in User-Name = pokus, looking up realm NULL
rlm_realm: No such realm NULL
 ++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 6
  rlm_eap: Continuing tunnel setup.
 ++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 +- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
 rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
 ++[eap] returns handled
 Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
EAP-Message = 0x010c00061900
Message-Authenticator = 0x
State = 0x53b1704557bd694fbe3359243d2a2638
 Finished request 40.
 Going to the next request
 Waking up in 4.9 seconds.
 Cleaning up request 40 ID 0 with timestamp +589
 Ready to process requests.

Hard for me to tell what's going wrong here; radiusd -X should give more 
diagnostic information that would help.

Also, what was the exact section of your users file like? With obfuscated login 
credentials, of course.
  
 That Access-Challenge should authenticate my client if I am not wrong,
 but it still shows me validating identity and the attempting to
 authenticate...
 


Re: problem with PEAP/MSCHAPv2

2010-03-31 Thread Matt Harlum
Hi,

What OS is the client machine running?

It would seem like an issue with the client to me.



Regards,
Matt Harlum

On 31/03/2010, at 8:31 PM, Christian Pinedo Zamalloa wrote:

 wrong version number



Re: Freeradius + PEAP.. stuck on validating identity..

2010-03-31 Thread Matt Harlum

On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:

 On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
 What should be there?
 Because I don't know. I am using the Daloradius web interface for adding data to 
 the database, so I just loaded the default daloradius sql which was intended 
 (according to the daloradius readme) for 2.X Freeradius... and added accounts 
 in the web interface...

Here's an example from my radcheck table in the SQL Database:
 id | UserName    | Attribute     | op | Value       |
----+-------------+---------------+----+-------------+
  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the validating 
issue in Windows.


 
 To me it seems that name/password was accepted so I have no clue where
 the problem is..
 
  The password was NOT accepted.  It was *ignored*.
 
 And what is that Access-Accept at the end of the log?... also radtest gives 
 me Access-Accept only on correct login and password, so I think that it's not 
 that SQL...
 

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum



Freeradius says it is listening on port 1812, but isn't

2010-03-24 Thread Matt Harlum
Hi,

I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac

Since March last year I've had 2.1.6 installed, however it's been switched off 
for the last few months.
Recently I powered it back on, ran system updates etc. and got to the 
point I am at now.

When I launch FreeRadius it says it is listening on *:1812 for auth, however my 
AP is unable to connect, and trying telnet on port 1812 results in Connection 
Refused.

I've tried reverting the configuration to default but it hasn't worked. Running 
radiusd -x does not throw any errors:



Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.


Anyone have any ideas as to why this would be happening all of a sudden? 
Perhaps the system updates broke it?

Regards,
Matt Harlum




Re: Freeradius says it is listening on port 1812, but isn't

2010-03-24 Thread Matt Harlum
On 24/03/2010, at 8:21 PM, Fajar A. Nugraha wrote:

 On Wed, Mar 24, 2010 at 3:51 PM, Matt Harlum m...@cactuar.net wrote:
 Hi,
 
 I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac
 
 Since march last year I've had 2.1.6 installed however it's been switched 
 off for the last few months.
 Recently I powered it back on and have run system updates etc and got to the 
 point I am now
 
 When I launch FreeRadius it says it is listening on *:1812 for auth however 
 my AP is unable to connect,
 
 unable to connect is the result. Many things can cause it, from
 incorrect radius IP/secret settings on AP to firewalls blocking
 packets.

Checked both, which are correct; no firewalls enabled.

 
 and trying telnet on port 1812 results in Connection Refused
 
 you can't test UDP with telnet. Try the included radtest and radclient
 

Ahh ok, I'll give those a try

 
 I've tried reverting the configuration to default but it hasn't worked. 
 running radiusd -x does not throw any errors
 
 does it print incoming packets and process them?
 does tcpdump (or whatever packet capture tool you have) show incoming 
 packets?
 

It doesn't show anything when connection attempts are made. I'll let you know 
how I go with netcat and the radtest tools.
Thanks

 -- 
 Fajar


Re: Freeradius says it is listening on port 1812, but isn't

2010-03-24 Thread Matt Harlum
Hi,

I believe the problem is now resolved

The only things I changed were that my hosts file was wrong (the IP for the 
server's FQDN was incorrect), but I'm not sure this is what it was.
I also turned off IP forwarding with sysctl -w net.inet.ip.forwarding=0,
even though natd and the firewall have been disabled. Must be a weird OSX thing.

Sorry for wasting your time guys and thanks for the help

Regards,
Matt Harlum



Re: Multiple radius servers with the same CA

2010-03-24 Thread Matt Harlum
Hi,

Is it possible that make server generated a new CA etc.?

I'd recommend making a copy of the current CA cert on each machine and doing a 
diff.

Regards,
Matt Harlum

On 24/03/2010, at 9:21 PM, sphaero wrote:

 
 Hi All,
 
 I've been searching the archives for a while on some guidance into setting
 up multiple radius servers using the same CA for use with EAP/TTLS.
 
 I've generated a CA which is distributed to all the clients (i.e. SecureW2).
 I've got 2 radius servers for redundancy. All NAS devices have two radius
 servers configured.
 
 I'm using the scripts from freeradius 2.0 to generate the certificates
 according to the instructions in the README. I've set up the ca.cnf and
 server.cnf (not using eap/tls so I skip clients.cf).
 
 On the primary radius server I generated the certificates by issuing:
 make
 
 Now on the second radius server I just copy the following files:
 /certs/ca.pem
 /certs/ca.key
 /certs/ca.der
 /certs/*.cnf
 /certs/Makefile
 /certs/README
 /certs/xpextensions
 
 and issue: 
 make server
 make dh
 
 This seems to have worked. But is this really correct? 
 I'm renewing one radius server and did this procedure again but now I'm
 receiving "chain could not be validated" errors in SecureW2. The Radius log
 seems fine however EAP communication is not finished which corresponds with
 the client stopping communication since it can't validate the certificate.
 I'm really getting lost in the SSL jungle? I would really like to understand
 how this is done right, since it is about security.
 
 Rg,
 
 Arnaud


Re: Multiple radius servers with the same CA

2010-03-24 Thread Matt Harlum
Hi,

John covered pretty much everything I was going to say

I'd recommend choosing a machine to generate your keys and certs on and 
sticking with that, otherwise you'll end up with SSL certs with clashing serial 
numbers.
Plus it'll allow you to revoke certificates later if need be.


Regards,
Matt Harlum

On 24/03/2010, at 11:30 PM, John Dennis wrote:

 It would help to read the Makefile and understand it. Your goal is to produce 
 multiple certificates, each with a unique subject (e.g. the host name of the 
 radius server) and have it signed by the ca. There is no need to do this 
 process on each machine, the creation of certs can be done on any machine.
 
 Find the part of the Makefile which says this:
 
 Create a new server certificate, signed by the above CA.
 
 If you make the target server.pem target (e.g. make server) it will cause the 
 Makefile to execute a series of commands to produce the certificate starting 
 with a CSR (Certificate Signing Request). Note, the server.csr target depends 
 on server.cnf so make sure you edit this for each server whose certificate 
 you want to generate (see the req(1) man page to understand how the 
 certificate subject, e.g. DN, may be specified).
 
 But also note in the Makefile that server.crt is dependent on ca.key and 
 ca.pem, which themselves are dependent on ca.cnf. If when you copy the files 
 the ca.cnf file ends up with a newer timestamp than ca.key or ca.pem then a 
 new ca will be created, you don't want that. You can either fix the 
 timestamps using touch or just make all the certs on one machine so you don't 
 have to worry about the ca being recreated.
 
 
 After you've created your certificates on the one machine (don't forget to 
 rename the server.{crt,p12,pem} files) dump them out using
 
 openssl x509 -in XXX.pem -inform PEM -text
 
 and verify each has the certificate subject you expected.
 
 Then verify each cert with:
 
 openssl verify -CAfile ca.pem XXX.pem
 
 If that succeeds you'll know each is successfully signed by the same ca and 
 you can distribute that ca to your clients. Then copy your server certs to 
 your RADIUS hosts; don't forget to edit the config so certificate names match 
 how you named your certs (it will no longer be server.{crt,p12,pem}).
 -- 
 John Dennis jden...@redhat.com
 


Re: Freeradius says it is listening on port 1812, but isn't

2010-03-24 Thread Matt Harlum
After my previous email I've successfully re-installed my custom config and am 
able to auth my clients again

Regards,
Matt Harlum

On 25/03/2010, at 12:11 AM, Gary Gatten wrote:

 If you really want to know the issue, undo the changes one by one until it breaks 
 again.
 
 - Original Message -
 From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Wed Mar 24 04:56:19 2010
 Subject: Re: Freeradius says it is listening on port 1812, but isn't
 
 Hi,
 
 I believe the problem is now resolved
 
 The only things I changed was that my hosts file was wrong, the IP for the 
 servers FQDN was incorrect but I'm not sure this is what it was
 I also turned off ip forwarding with sysctl -w net.inet.ip.forwarding=0
 Even though natd, and the firewall have been disabled. must be a weird OSX 
 thing
 
 Sorry for wasting your time guys and thanks for the help
 
 Regards,
 Matt Harlum
 


Re: Memory Leak on version 2.1.3

2010-03-24 Thread Matt Harlum
Hi,

Even though you're running it in production I'd recommend updating every now 
and again.
IMHO it's worth it; RADIUS is used for authentication, after all. I tend to keep 
a copy of my last build in case I need to revert anyway.


Regards,
Matt Harlum

On 25/03/2010, at 10:35 AM, Zhang, Ge (Gina) wrote:

 The server is in production and we won't upgrade for a while. 
 
 Where to find the changelog?
 
 Thanks for your help!
 
 Regards,
 Gina 
 
 -Original Message-
 From: 
 freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org 
 [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org]
  On Behalf Of Gary Gatten
 Sent: Wednesday, March 24, 2010 6:31 PM
 To: 'freeradius-users@lists.freeradius.org'
 Subject: Re: Memory Leak on version 2.1.3
 
 there are at least 3 newer versions.  Have you tried the latest and/or read 
 the changelog?
 
 - Original Message -
 From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
 freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Wed Mar 24 18:24:54 2010
 Subject: Memory Leak on version 2.1.3
 
 Hi,
 
 I am using the 2.1.3 freeradius server and found a memory leak.
 I use ttls+mschapv2 for authentication. After each authentication, the memory 
 usage increases.
 Is there a patch fix for this?
 
 Thanks,
 Gina Zhang
 
 


Re: Users Groups

2010-03-11 Thread Matt Hite
Can you clarify this statement:

but my user still got the privilege to connect to all the routers in
the network

Do you send a specific RADIUS attribute, like a VSA? Or are you making
this statement based upon receiving an Access-Accept?

-M

On Thu, Mar 11, 2010 at 5:16 AM, Siryx XL djsi...@hotmail.com wrote:
 Yes... I did it.

 When I run freeradius in debug mode (radiusd -X) I see that the nasipaddress
 makes a match with radhuntgroup, but nothing happens after that, just the
 default process of authentication.



Re: Users Groups

2010-03-10 Thread Matt Hite
Did you perform step #3 in the How-To?

radiusd.conf:

update request {
    Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}"
}

On Wed, Mar 10, 2010 at 12:53 PM, Siryx XL djsi...@hotmail.com wrote:
 I tried the huntgroups but it didn't work.

 I use this guide http://wiki.freeradius.org/SQL_Huntgroup_HOWTO because I'm
 using MySQL to store all my users, huntgroups, etc.

 I created the huntgroup table, associated the nasipaddress to a group, created
 the radgroupcheck, and associated my user with the group; but my user still
 has the privilege to connect to all the routers in the network.

 Is something missing? Thanks for the help.

 
 Date: Sat, 6 Mar 2010 07:20:27 +1300
 Subject: Re: Users Groups
 From: plambrecht...@gmail.com
 To: freeradius-users@lists.freeradius.org

 On Sat, Mar 6, 2010 at 5:42 AM, John Dennis jden...@redhat.com wrote:

 On 03/05/2010 11:31 AM, Siryx XL wrote:

 Hi everyone.

 I'm using FreeRADIUS Version 2.1.1; I use it to control access to a
 network of routers.

 I want to permit certain users to get access to some routers and deny
 access to other routers, like grouping the users per router. I read some
 documentation, but I can't make it work.

 Have you tried using huntgroups?

 Me, I always use huntgroups + ldap, as that way the groups are managed in your
 LDAP directory.

 http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html



 


Re: vlan and freeradius

2010-03-03 Thread Matt Hite
On Wed, Mar 3, 2010 at 10:44 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 but how to set the fail VLAN and guest VLAN to Y ???

 Setting the Fail and Guest VLAN by radius doesn't make any sense.

 The Fail vlan is what to use when the radius server is unavailable.

 The Guest vlan is what to do when the client doesn't do 802.1x i.e. no
 radius.

 So you can't set these over radius.

Look in the Cisco documentation for information on:

dot1x auth-fail vlan vlan-id

and

dot1x guest-vlan vlan-id

-M


Is it possible to make groups of called-station-id 's?

2010-02-09 Thread Matt Ashfield
Hi All

 

We are using FR 2.1.5 for authenticating wireless users against our LDAP
database. Recently, our student wireless vlan is getting too large, and we
wish to subdivide it.  

 

Currently we place users in the appropriate vlan based on the user type
returned via the groupmembership_attribute as defined in modules/ldap. So if
that attribute =student, we put them in student vlan. Our users file entry
looks like:

 

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Called-Station-Id =~ ".*Wireless", Huntgroup-Name == WSS1, unbldap-Ldap-Group == student
   User-Name = `%{User-Name}`,
   Tunnel-Private-Group-Id = "student",
   Tunnel-Type = VLAN,
   Fall-Through = no

 

To reduce the number of broadcast domains going out a wireless access point,
we are thinking of placing all students in Building X into a student_vlanX.
To do this, we need to identify all the APs in the building. For each AP in
that building we'd have something like this in our users file (where
00-01-02-AA-BB-CC is the mac-address of an access point in building X):

 

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Called-Station-Id =~ "00-01-02-AA-BB-CC.*Wireless", Huntgroup-Name == WSS1, unbldap-Ldap-Group == student
   User-Name = `%{User-Name}`,
   Tunnel-Private-Group-Id = "student_vlanX",
   Tunnel-Type = VLAN,
   Fall-Through = no

 

I'm quite certain this would work, however I was hoping there'd be some way
similar to the huntgroups file (which I realize is for NASes, which our APs
are not acting as) that could group all our Access Point devices into a
group so we wouldn't have to have a statement in the users file like the one
above for every single wireless access point in our network.

 

Any advice is appreciated.

 

Thanks

 

Matt
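
An added example (not from the post and not FreeRADIUS code) of the AP grouping the message asks for, done outside the users file: normalise the Called-Station-Id the AP sends, look the AP's MAC up in a building map and derive the per-building student vlan. The AP MACs, SSID and building names are constructed placeholders, and the `MAC:SSID` layout of Called-Station-Id is assumed.

```python
import re

# Constructed AP inventory: AP MAC (normalised, no separators) -> building.
# The MACs and building names are placeholders, not from the post.
AP_BUILDINGS = {
    "000102aabbcc": "X",
    "000102aabbcd": "X",
    "000102ddeeff": "Y",
}

# Wireless NASes typically send Called-Station-Id as "<AP MAC>:<SSID>".
# Vendors differ on the MAC layout, so accept 00-01-02-AA-BB-CC,
# 00:01:02:aa:bb:cc and 0001.02aa.bbcc before the optional ":SSID" suffix.
CALLED_STATION_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
    r"(?::(?P<ssid>.*))?$"
)


def parse_called_station_id(value):
    """Return (mac, ssid) with the MAC normalised to 12 lowercase hex digits.

    ssid is None when the NAS sent no SSID suffix.  The whole result is None
    when the value is not a MAC-based Called-Station-Id (for example a phone
    number from a dial-in NAS), so callers never match such values by accident.
    """
    m = CALLED_STATION_RE.match(value.strip())
    if not m:
        return None
    mac = re.sub(r"[-:.]", "", m.group("mac")).lower()
    return mac, m.group("ssid")


def student_vlan(called_station_id, ldap_group, ssid="Wireless",
                 ap_buildings=AP_BUILDINGS, default_vlan="student"):
    """The users-file entries from the post as one function.

    Returns the Tunnel-Private-Group-Id to send, or None when the entries
    would not match (other LDAP group, other SSID, unparsable station id).
    Students on an AP of a known building get student_vlan<building>;
    students on an AP that is not in the inventory fall back to the shared
    student vlan, so an unlisted AP degrades the subdivision rather than
    breaking authentication.
    """
    if ldap_group != "student":
        return None
    parsed = parse_called_station_id(called_station_id)
    if parsed is None:
        return None
    mac, got_ssid = parsed
    # The post's regex ".*Wireless" matches any SSID containing "Wireless".
    if got_ssid is None or ssid not in got_ssid:
        return None
    building = ap_buildings.get(mac)
    if building is None:
        return default_vlan
    return f"student_vlan{building}"
```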

 


Device specific Access-Accept attributes and granular user group control

2010-02-04 Thread Matt Hite
Hello --

I am running freeradius2-2.1.7 with MySQL as the backend datastore.

I've got a deployment up and running supporting the admin login to
about 200 switches from a single vendor. I'm looking to expand my
deployment and thus some new requirements have surfaced.

Requirements:

- Different brands of gear should get different VSAs and/or general
attributes returned in Access-Accept messages. For example, if I log
in from a Cisco device, I should get a different RADIUS attribute sent
back than when logging in from a F5 or a NetScreen.

- Some users can log into certain groups of devices, others should not
be able to

I'm fairly certain requirement #2 will require the use of
huntgroups. Does anyone have any idea how to accomplish requirement
#1?

Thanks for your help in pointing me in the right direction.


Accounting SQL Entries

2009-11-30 Thread Matt Martin
Hello list.

I have been testing FreeRADIUS for a project we are looking at running
to authenticate users for Giganews.

I have got the authentication part working well, and the
authentication attempts get logged correctly into MySQL.

Now, I am trying to log the session details, such as data to and from
the host. I've tried various configs, FAQs and similar with little
luck.

I am slightly stumped as to where to look now. Can anyone offer any
help or advice?

Thank you.

M

--
freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu,
built on Sep  7 2008 at 23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.


showing NAS-IP of 127.0.01 instead of

2009-11-25 Thread Matt Ashfield
Hi,

 

I'm running FreeRADIUS Version 2.1.5. We are trying to do system
authentication for some users. We do this by creating huntgroups based on
NAS-IP-Address, and then telling that huntgroup to use System for
authentication.

 

The problem is that although the Access-Request packet is shown as coming
from the correct host, that host's ip address is not showing up as the
NAS-IP-Address for that request. Instead, it's showing as 127.0.0.1 as seen
below:

 

rad_recv: Access-Request packet from host 192.168.27.7 port 53201, id=130, length=51
        User-Name = "xm7z1"
        User-Password = "abc.123"
        NAS-IP-Address = 127.0.0.1

 

I'm wondering what could cause this? Any help is appreciated.

 

Thanks

 

Matt

 


RE: showing NAS-IP of 127.0.01 instead of

2009-11-25 Thread Matt Ashfield
I just figured that out via a sniff. Thanks for the note. I'll go after the
requesting software now.

 

From: Garber, Neal [mailto:neal.gar...@energyeast.com] 
Sent: November 25, 2009 2:27 PM
To: 'm...@unb.ca'; 'FreeRadius users mailing list'
Subject: RE: showing NAS-IP of 127.0.01 instead of 

 

 The problem is that although the Access-Request packet is shown as coming
from the correct host, 

 that host's ip address is not showing up as the NAS-IP-Address for that
request. Instead, it's showing 
 as 127.0.0.1 as seen below:

 I'm wondering what could cause this? Any help is appreciated.

 

The NAS is sending that attribute within the request - ask the NAS vendor
why they are sending 127.0.0.1.  I've seen this issue with Lantronix console
servers (not sure if that's the NAS you are using).  They eventually updated
their firmware to use the correct address.  As a workaround, I did the
following in the authorize section of the default server (before preprocess
if you want huntgroup name lookup to work properly):

 

if (NAS-IP-Address == 127.0.0.1) {
   update request {
      NAS-IP-Address := "%{Client-IP-Address}"
   }
}
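
An added example (not from either post and not FreeRADIUS code) that makes the same decision the unlang above makes, but as a standalone parser you can run over captured packets: it decodes the Access-Request attributes, compares NAS-IP-Address with the packet's source address, rewrites the loopback case as the workaround does and flags any other mismatch, since huntgroups keyed on NAS-IP-Address otherwise trust a value the sender chose. The packet builder, user name and addresses are constructed for the test; the authenticator is zeroed and User-Password is omitted.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1        # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20           # code, id, length, 16-byte authenticator


def parse_radius(packet):
    """Decode the RFC 2865 header and attribute list.

    Returns (code, {attr_type: [raw_value, ...]}).  Length fields are
    checked against the buffer so a short or oversized attribute raises
    ValueError instead of reading past the packet.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def effective_nas_ip(packet, source_ip):
    """Decide which address to use as NAS-IP-Address for huntgroup lookup.

    Returns (address_as_str, status):
      "ok"        attribute present and equal to the source address
      "rewritten" attribute is 127.0.0.1: the workaround from the post,
                  replace it with the source address (Client-IP-Address)
      "mismatch"  attribute names some other host; use the source address
                  and log it, because the attribute is chosen by the sender
      "missing"   attribute absent; use the source address
    """
    code, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    source = ipaddress.IPv4Address(source_ip)
    values = attrs.get(ATTR_NAS_IP_ADDRESS, [])
    if not values:
        return str(source), "missing"
    if len(values[0]) != 4:
        raise ValueError("NAS-IP-Address must be exactly 4 bytes")
    claimed = ipaddress.IPv4Address(values[0])
    if claimed.is_loopback:
        return str(source), "rewritten"
    if claimed != source:
        return str(source), "mismatch"
    return str(claimed), "ok"


def build_access_request(username, nas_ip, ident=130):
    """Constructed test packet: header with a zeroed authenticator, then
    User-Name and NAS-IP-Address.  No User-Password, so it is not what a
    real NAS sends, only enough input for the parser above."""
    name = username.encode()
    body = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    body += bytes([ATTR_NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    # Reproduces the symptom in the post: a packet from 192.168.27.7 that
    # carries NAS-IP-Address = 127.0.0.1.
    pkt = build_access_request("xm7z1", "127.0.0.1")
    print(effective_nas_ip(pkt, "192.168.27.7"))   # ('192.168.27.7', 'rewritten')
```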


Re: Pre-release of 2.1.7

2009-09-03 Thread Matt Garretson
Builds okay on Fedora 7 and Fedora 10:

./configure --with-system-libtool --prefix=/opt/radius --localstatedir=/var

make tests also passes on both, FWIW.  But I won't be able 
to actually install it for a week or two.

Alan, thanks for all of your hard work on FreeRADIUS!

-Matt


Re: Reloading CRL for EAP-TLS

2009-03-13 Thread Matt Causey

 Are you planing improve CRL support in version 2.0 in some near future?


What do you mean by better support?  Are you asking for a way to
update CRLs without a bounce of freeradius?

--
Matt


Re: FreeRADIUS EAP-TLS and SSL certificate chains

2009-02-15 Thread Matt Causey
Remember when you put your Root CA file (and perhaps the CRL for that
CA) into your certificate directory, and ran 'c_rehash <cert
directory>'?

Well - it's just like that.  You might have had RootCA.pem with the
Verisign CA certificate.  Personally - I like to have a separate file
for each intermediate CA certificate in the chain.

When you think you are done - you can test the validity of your new
certificate like this:

openssl verify -crl_check -CApath <certificate path> /path/to/certificate-file/server.pem.cert

Hope this helps.  Give it a go and let us know if you have any problems.

--
Matt

On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan d.mey...@lancaster.ac.uk wrote:
 I'm sure I must just be being thick with our FreeRADIUS config, but I've
 completely failed to find anything online or in the docs explaining
 *what* I'm doing wrong, so I'm posting here.

 We've had a FreeRADIUS server set up for some time now, with an SSL
 certificate directly signed by one of Verisign's root CAs, for the
 purposes of doing EAP-TLS domain auth. This worked fine on both
 FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
 month, and it would appear no one issues root signed certs any more,
 they're all cert chains. Obviously with things like apache this is fine,
 as you install the chain bundle file at the same time as your actual
 cert, and the chain gets passed to the client, who follows it to a root
 CA they do already trust. I'm having trouble working out how to do this
 with FreeRADIUS however. All the info I can find suggests that if I edit
 my certificate file so that it contains multiple certs, from least
 trusted at the top (my server cert) down the chain and file to the one
 which has been signed by a root CA the user's machine will already
 trust, then machines will follow the chain as expected and accept the
 certificate. However if I do this, and have a chain file of the same
 format as I use successfully on the web server (i.e. multiple BEGIN and
 END blocks with a single cert between each pair), then my client
 machines still fail to pick up the chain, and thus can't validate the
 certificate.

 Am I missing something blindingly obvious with regards to how to do
 certificate chains in FreeRADIUS? If so, please tell me what.

 Thanks

 --
 Dan Meyers
 Network Specialist, Lancaster University
 E-Mail: d.mey...@lancaster.ac.uk






Re: Certificate Provisioning for EAP-TLS Networks

2009-01-31 Thread Matt Causey
  How do you get the certificates on the device in the first place?

Well - that's the problem.  I would like there to be a USB-cable
method of putting the key material on the device.   Then we could
build some nifty client script to automate the provisioning.  But
these devices in particular don't have that.

As it is - we need to set up some ad-hoc or other non-routed WLAN with
PSK or WEP security, put the device(s) on there and at that point the
devices can pull the certs down via http or tftp.

So, here's how it goes in our test environment.  We have the
'production' WLAN which must remain WPA2/EAP-TLS.  For compliance
there is no flexibility of the security of that WLAN.  *sigh*  OK no
worries it makes it a cool problem to solve.  :-)

So I've just got a laptop temporarily setup with a little ad-hoc
network for provisioning the phones via tftp.  These will be in a
dozen remote locations so I need to build a solution enabling rapid
provisioning of the devices with minimal local technical oversight.

--
Matt


Certificate Provisioning for EAP-TLS Networks

2009-01-29 Thread Matt Causey
I am running FreeRadius at my company on a WLAN - using SSL key
material issued by our internal certificate authority.  All is well.

However a pretty big limitation of this security architecture is of
course getting the SSL key material onto the devices.  In our case -
the devices are SIP phones with no wired ethernet connection.  I know
there are other sites with similar issues.

I would like to hear some ideas on what folks are doing to manage SSL
key material on devices.  This would include initial key provisioning
and re-keying when certs expire.  Presently ours expire every 90 days.

Thoughts?

--
Matt


Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-16 Thread Matt Bernstein

On Nov 14 Tim Gustafson wrote:


I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.


The easiest way to install the latest FreeRADIUS on CentOS I know of is to 
visit http://koji.fedoraproject.org/koji/packageinfo?packageID=298, find 
the latest source RPM and rebuild it. It's a small amount of work, but 
will stop people saying "upgrade" a lot.


I'm trying to figure out how to configure FreeRADIUS to authenticate 
against an OpenLDAP server using MSCHAPv2.  I Googled a lot of different 
phrases, and came up with some things that were mildly helpful.  Right 
now, I have FreeRADIUS authenticating against the LDAP server without 
using MSCHAPv2, but I'm not understanding how to now activate the 
MSCHAPv2 part.


I have it working. You need to check your ldap.attrmap (or whatever you've 
set dictionary_mapping to) points at the right LDAP field. I use the 
samba schema, so:


checkItem   NT-Password sambaNtPassword

Then your debug log should include entries like:

rlm_ldap: sambaNtPassword - NT-Password == 0x
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?


..but this is OK, since with mschap before ldap in your authorize{} 
block, FreeRADIUS will handle the challenge-response stuff correctly for 
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP 
with sufficient privilege to read the NT hash!


HTH

Matt


Re: [awful patch] Multiple levels of TLS nesting is invalid.

2008-10-17 Thread Matt Bernstein

On Oct 15 Alan DeKok wrote:


Matt Bernstein wrote:

So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of
TLS nesting. I'm trying to use virtual servers so that a single radiusd
can terminate TTLS/PEAP for multiple subrealms, _and_ use the
inner-tunnel trick, keeping the configs completely independent for each
subrealm.


 If you have one server certificate for TTLS, you don't need this extra
layer of nesting.


We will have multiple server certificates; our departments are rather 
independent here.



This allows me to hook up different departments with different
AAA infrastructures into one radius set-up for our eduroam service.

My default server has a pair of listen{} blocks, and little else:

authorize {
suffix


update control {
Virtual-Server = %{Realm}
}


What does this achieve? Does it avoid the first layer of proxying? My 
set-up is working without it, AFAICT:


server default {
+- entering group authorize {...}
[suffix] Looking up realm dcs.qmul.ac.uk for User-Name = [EMAIL PROTECTED]
[suffix] Found realm dcs.qmul.ac.uk
[suffix] Adding Realm = dcs.qmul.ac.uk
[suffix] Proxying request from user username to realm dcs.qmul.ac.uk
[suffix] Preparing to proxy authentication request to realm dcs.qmul.ac.uk
++[suffix] returns updated
} # server default

Sending proxied request internally to virtual server.

server dcs {
+- entering group authorize {...}
[dcs-eap] EAP packet type response id 3 length 149

..etc..


..and dcs has its own EAP config, which references a virtual_server
dcs-inner for the PEAP/TTLS innards, which has _its_ own EAP config.


 That's... complicated.


A famous aphorism of Butler Lampson goes: "All problems in computer science 
can be solved by another level of indirection..." Kevlin Henney's corollary 
to this is, "...except for the problem of too many layers of indirection."

(from http://en.wikipedia.org/wiki/Abstraction_layer)

Maybe the inner eap config can be the same for the inner virtual 
servers, but the server{} blocks will necessarily be different.


I'm trying to normalise it, rather than complicate it.


My problem is that eap.c (line 219), as called by dcs-inner, notices
the request has a grandparent, and assumes it's multiple layers of TLS
nesting. Interestingly, the comment omits the magic word TLS. I think
perhaps that the virtual servers appear to count as layers. Anyway, this
braindead patch makes it work for me:


 Which pretty much removes the limits on nested queries.  I understand


I agree; I put the great-grandparent check in there to catch runaway 
loops. I never said my fix was right.



why you're doing this, but I'm not sure what the side effects are.


Sure. If you're not, I haven't a prayer. ;) My guess is that the eap.c 
code predates the virtual servers, so when eap.c was written its 
assumption that the nesting must be TLS could well have been true, but 
today newer code-paths exist which weird hairy people expect to work..


I have run into another bug: if I instantiate rlm_ldap in my servers 
dcs-inner and maths-inner, it seems to use the base DN for 
maths-inner (instantiated second) for queries from dcs-inner.


Am I just being too weird and hairy? Or should I use a separate radiusd 
and raddb for each subrealm, as is the case with my production FreeRADIUS 
1.1 set-up?


Cheers

Matt


Re: [awful patch] Multiple levels of TLS nesting is invalid.

2008-10-17 Thread Matt Bernstein

At 14:19 +0200 Alan DeKok wrote:


Matt Bernstein wrote:

We will have multiple server certificates; our departments are rather
independent here.


 Ugh.  There's not really any good reason for this.  If the
departmental certs are signed by a university CA, then you can still get
away with one server instance.


I'm not claiming there's no technical solution. On the other hand, our 
departments don't trust each other more in a political way.


We don't really have a university PKI. For eduroam, it's arguable that you 
want your server cert as local to your user base as possible. Our Maths 
users have no reason to trust a server certificate issued by my 
department.



update control {
Virtual-Server = %{Realm}
}


What does this achieve?


 What I said in my previous message:

 If you have one server certificate for TTLS, you don't need this extra
layer of nesting.  The TTLS  PEAP modules will look for a *dynamic*
definition of the virtual server for the inner-tunnel.


OK, thanks: sorry I didn't understand that before.


Does it avoid the first layer of proxying?


 It does what I said it does.


OK, so without a single CA it doesn't help us.


My set-up is working without it, AFAICT:


 Yes, I did read your message.  I did see the point where you said your
configuration worked.  Maybe I was trying to describe how you could
achieve your goal *without* source code patches.


OK. I think the only way to avoid carrying my filthy patch is to run 
multiple non-virtual servers.



Maybe the inner eap config can be the same for the inner virtual
servers, but the server{} blocks will necessarily be different.


 Well, yes.  That's the point of virtual servers.


I have run into another bug: if I instantiate rlm_ldap in my servers
dcs-inner and maths-inner, it seems to use the base DN for
maths-inner (instantiated second) for queries from dcs-inner.


 As always, debug mode.


Sorry--I'll start a new reply on this point.


Am I just being too weird and hairy? Or should I use a separate radiusd
and raddb for each subrealm, as is the case with my production
FreeRADIUS 1.1 set-up?


 It's a little complicated.  Unnecessarily so, IMHO.


I'm trying to allow different departments to use eduroam with whatever AAA 
backends they want without the bother of having to run a RADIUS server. My 
institution might be unusual in that there are multiple backends--even 
within our computing service--but the reasons behind this are not 
necessarily technical.


I hope this makes where I'm coming from a little clearer.

Matt


Re: [awful patch] Multiple levels of TLS nesting is invalid.

2008-10-17 Thread Matt Bernstein

At 14:19 +0200 Alan DeKok wrote:


I have run into another bug: if I instantiate rlm_ldap in my servers
dcs-inner and maths-inner, it seems to use the base DN for
maths-inner (instantiated second) for queries from dcs-inner.


 As always, debug mode.


By this point we've correctly walked from default -> dcs -> dcs-inner.
But.. as dcs-inner invokes rlm_ldap, it's using the wrong ldap instance:

server dcs-inner {
+- entering group authorize {...}
[dcs-inner-preprocess]   hints: Matched DEFAULT at 1
++[dcs-inner-preprocess] returns ok
++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
expand: %{User-Name} - mb
? Evaluating (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) - 
TRUE
++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) - TRUE
++- entering if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) 
{...}
expand: %{1} - mb
+++[request] returns ok
++- if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns 
ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[dcs-inner-eap] No EAP-Message, not doing EAP
++[dcs-inner-eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[dcs-inner-files] expand: dc=maths,dc=qmul,dc=ac,dc=uk - 
dc=maths,dc=qmul,dc=ac,dc=uk
[dcs-inner-files] expand: (uid=%{Stripped-User-Name}) - (uid=mb)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.maths.qmul.ac.uk:389, authentication 0
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: starting TLS
rlm_ldap: bind as cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk/ to 
ldapserver.maths.qmul.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=maths,dc=qmul,dc=ac,dc=uk, with filter 
(uid=mb)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

My radius.conf includes:

modules {
$INCLUDE ${confdir}/modules/
$INCLUDE ${confdir}/dcs/modules.conf
$INCLUDE ${confdir}/maths/modules.conf
}

instantiate {
}

$INCLUDE ${confdir}/dcs/server
$INCLUDE ${confdir}/maths/server

NB x/modules.conf includes x/inner/modules.conf and x/server includes 
x/inner/server for x in {dcs, maths}. The server files, modulo these 
includes, only contain server{} blocks.


If I transpose the $INCLUDE ${confdir}/x/server lines, then it uses the 
dcs LDAP instance, AFAICT:


server dcs-inner {
+- entering group authorize {...}
[dcs-inner-preprocess]   hints: Matched DEFAULT at 1
++[dcs-inner-preprocess] returns ok
++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
expand: %{User-Name} - mb
? Evaluating (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) - 
TRUE
++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) - TRUE
++- entering if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) 
{...}
expand: %{1} - mb
+++[request] returns ok
++- if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns 
ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[dcs-inner-eap] No EAP-Message, not doing EAP
++[dcs-inner-eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[dcs-inner-files] expand: dc=dcs,dc=qmul,dc=ac,dc=uk - 
dc=dcs,dc=qmul,dc=ac,dc=uk
[dcs-inner-files] expand: %{Stripped-User-Name} - mb
[dcs-inner-files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - 
(uid=mb)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mortar.dcs.qmul.ac.uk:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/raddb/dcs/certs/DCS_CA_cert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as 
cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk/xx to 
mortar.dcs.qmul.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dcs,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
rlm_ldap: ldap_release_conn: Release Id: 0

${confdir}/dcs/inner/server references ${confdir}/dcs/inner/ldap.common 
which contains

identity = "cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk"
basedn = "dc=dcs,dc=qmul,dc=ac,dc=uk"

etc. whereas ${confdir}/maths/inner/server references 
${confdir}/maths/inner/ldap.common which contains

identity = "cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk"
basedn = "dc=maths,dc=qmul,dc=ac,dc=uk"

and so on.

I'm guessing that such parameters aren't scoped locally enough.

HTH

Matt


[awful patch] Multiple levels of TLS nesting is invalid.

2008-10-14 Thread Matt Bernstein
So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of 
TLS nesting. I'm trying to use virtual servers so that a single radiusd 
can terminate TTLS/PEAP for multiple subrealms, _and_ use the inner-tunnel 
trick, keeping the configs completely independent for each subrealm. This 
allows me to hook up different departments with different AAA 
infrastructures into one radius set-up for our eduroam service.


My default server has a pair of listen{} blocks, and little else:

authorize {
suffix
}

authenticate {
}

So, rlm_realm finds my virtual servers in proxy.conf, eg:

realm dcs.qmul.ac.uk {
nostrip
virtual_server = dcs
}

..and dcs has its own EAP config, which references a virtual_server 
dcs-inner for the PEAP/TTLS innards, which has _its_ own EAP config.


My problem is that eap.c (line 219), as called by dcs-inner, notices the 
request has a grandparent, and assumes it's multiple layers of TLS 
nesting. Interestingly, the comment omits the magic word TLS. I think 
perhaps that the virtual servers appear to count as layers. Anyway, this 
braindead patch makes it work for me:


--- freeradius-server-2.1.1/src/modules/rlm_eap/eap.c.orig  2008-09-25 
09:41:26.0 +0100
+++ freeradius-server-2.1.1/src/modules/rlm_eap/eap.c   2008-10-14 
15:19:53.800553926 +0100
@@ -216,10 +216,13 @@
/*
 *  Multiple levels of nesting are invalid.
 */
-   if (handler-request-parent  handler-request-parent-parent) {
-   RDEBUG2(Multiple levels of TLS nesting is invalid.);
+   if (handler-request-parent  handler-request-parent-parent  
handler-request-parent-parent-parent ) {
+   RDEBUG2(Multiple levels of TLS nesting is really invalid.);
return EAP_INVALID;
}
+   if (handler-request-parent  handler-request-parent-parent) {
+   RDEBUG2(Multiple levels of nesting is thought invalid, continuing 
anyway.);
+   }

/*
 *  Figure out what to do.
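
Review bot: the replacement condition at the top of the hunk only moves the cut-off from two parent requests to three and turns the two-parent case into an RDEBUG2, so a request that really is nested TLS-in-TLS (what the original check rejected) now passes exactly like the virtual-server hop this configuration relies on; the precise fix is to test why the parent exists (an internal proxy to a virtual server versus an inner EAP tunnel) rather than how many ancestors there are, because the depth-three bound still lets a runaway loop recurse one level further than before, which is what the follow-up about removing the limits on nested queries points at. The two RDEBUG2 strings ("is really invalid", "is thought invalid, continuing anyway") should also name which case fired so the -X output stays readable.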

..and my radiusd -X output now looks like this:

Found Auth-Type = dcs-inner-eap
+- entering group authenticate {...}
[dcs-inner-eap] Request found, released from the list
[dcs-inner-eap] Multiple levels of nesting is thought invalid, continuing 
anyway.

[dcs-inner-eap] EAP/mschapv2
[dcs-inner-eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[dcs-inner-eap] returns handled

So.. I hope this is useful. Do drop me a mail on- or off-list on
mb/[EMAIL PROTECTED], if you want any further information or if 
I'm not being clear enough.


Matt


RE: groupmembership and vlan assignment

2008-08-05 Thread Matt Ashfield
Would it make more sense then to use a Perl program instead for the
authorization and then have that program:
- verify credentials against ldap.
- do the regexp matching on the entitlement field?

Thanks,

Matt 
[EMAIL PROTECTED]


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 01, 2008 8:27 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
 Hmmm...well I was hoping for another way to assign vlans based on ldap
 attributes, but I don't figure on rewriting rlm_ldap.

  You don't have to rewrite the whole module.  Just change 100 lines in
one function.

  Alan DeKok.



re: groupmembership and vlan assignment

2008-07-31 Thread Matt Ashfield

Is there a way to do regexp checking on the group_membership field instead?
Thanks

Matt Ashfield
[EMAIL PROTECTED]


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
 DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
 unbldap-Ldap-Group =~ ".*staff1", Autz-Type := Ldap1, Auth-Type := Ldap1

  The LDAP Group checking does *equality* checking, not regular
expression checking.  Sorry.

  Alan DeKok.



RE: groupmembership and vlan assignment

2008-07-30 Thread Matt Ashfield
That's what I was afraid of. Any suggestions to getting around this?

Thanks

Matt Ashfield
[EMAIL PROTECTED]


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
 DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
 unbldap-Ldap-Group =~ ".*staff1", Autz-Type := Ldap1, Auth-Type := Ldap1

  The LDAP Group checking does *equality* checking, not regular
expression checking.  Sorry.

  Alan DeKok.



RE: groupmembership and vlan assignment

2008-07-30 Thread Matt Ashfield
Hmmm...well I was hoping for another way to assign vlans based on ldap
attributes, but I don't figure on rewriting rlm_ldap.

Thanks

Matt 
[EMAIL PROTECTED]


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2008 3:49 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
 That's what I was afraid of. Any suggestions to getting around this?

  Edit the source code to rlm_ldap to implement regex checks.

  Alan DeKok.



RE: groupmembership and vlan assignment

2008-07-28 Thread Matt Ashfield
Nobody replied to my original post, and I got to thinking, would I be able
to use wildcards in my users file to achieve this when looking for which
Ldap-Group the user has been placed in?

 

i.e.

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
unbldap-Ldap-Group =~ ".*staff1", Autz-Type := Ldap1, Auth-Type := Ldap1

 

Where unbldap-Ldap-Group gets set via 

groupmembership_attribute = eduPersonPrimaryAffiliation

and eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=staff1 in LDAP

 

 

Thanks

 

Matt Ashfield

[EMAIL PROTECTED]

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Matt Ashfield
Sent: Wednesday, July 23, 2008 10:29 AM
To: 'FreeRadius users mailing list'
Subject: groupmembership and vlan assignment

 

Hello

 

We have been using the groupmembership attribute in radius.conf to assign
users to the appropriate vlans. Up until now we've done it based on the type
of LDAP user they are (i.e. staff, student, faculty, etc.):

groupmembership_attribute = eduPersonPrimaryAffiliation (where
eduPersonPrimaryAffiliation = staff, student, faculty, etc.)

 

Unfortunately, our student vlans have grown significantly large and we want
to take measures to make them smaller. We have looked into using LDAP
entitlement fields. There are however a few issues here:

-  The eduPersonEntitlement attribute is not unique. A user record
can have multiple instances of this attribute for each different entitlement
they have.

-  The eduPersonEntitlement attribute has a value that is not simply
the name of a vlan. It is typically something like:

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this
case student1.

I'm unsure how to get around these two issues. Any suggestions are welcome.

 

Thanks

 

Matt 

[EMAIL PROTECTED]

 


groupmembership and vlan assignment

2008-07-23 Thread Matt Ashfield
Hello

We have been using the groupmembership attribute in radius.conf to assign
users to the appropriate vlans. Up until now we've done it based on the type
of LDAP user they are (ie, staff, student, faculty, etc..):

groupmembership_attribute = eduPersonPrimaryAffiliation, (where
eduPersonPrimaryAffiliation=staff, student, faculty, etc..)

Unfortunately, our student vlans have grown significantly large and we want
to take measures to make them smaller. We have looked into using LDAP
entitlement fields. There are however a few issues here:

-  The eduPersonEntitlement attribute is not unique. A user record
can have multiple instances of this attribute for each different entitlement
they have.

-  The eduPersonEntitlement attribute has a value that is not simply
the name of a vlan. It is typically something like:

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this
case student1.

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks

Matt

[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
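The question above and the follow-up about a wildcard match on the Ldap-Group both come down to one parse: getting a VLAN name out of a multi-valued eduPersonEntitlement attribute. As an added example that is not from either post, here is a POSIX shell function that does that parse offline and refuses to guess when no value matches or when two values name different VLANs; the URN prefix is the one quoted in the thread, while the conflict policy and the allowed VLAN name characters are assumptions.

```shell
# Added example, not from the thread: pick the wireless VLAN out of a user's
# eduPersonEntitlement values.  The attribute is multi-valued, so the function
# reads one value per line on stdin, keeps only values in the form quoted in
# the thread (urn:mace:uni.ca:wireless?vlan=NAME), and does not guess when
# there is no such value or when the values disagree.  The URN prefix comes
# from the thread; the failure policy and the [A-Za-z0-9_-] name alphabet are
# assumptions made here.

# vlan_from_entitlements < values
#   prints NAME and returns 0 when exactly one wireless VLAN is named
#   returns 1 when no wireless entitlement is present
#   returns 2 when the entitlements name more than one VLAN
vlan_from_entitlements() {
    # Anchored BRE: nothing may precede the URN or follow the VLAN name, so a
    # value with trailing data ("...vlan=staff1;extra") or a different service
    # under the same authority ("urn:mace:uni.ca:library?...") does not match.
    # sort -u collapses the same VLAN listed twice into one candidate.
    vlans=$(sed -n 's/^urn:mace:uni\.ca:wireless?vlan=\([A-Za-z0-9_-]\{1,\}\)$/\1/p' | sort -u)
    [ -n "$vlans" ] || return 1
    # Word-split the unique names; more than one means a conflicting record.
    set -- $vlans
    [ "$#" -eq 1 ] || return 2
    printf '%s\n' "$1"
}
```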

Re: Keeping a set amount of detail logs

2008-07-17 Thread Matt Alexander
On Thu, Jul 17, 2008 at 7:49 AM, Alan DeKok [EMAIL PROTECTED]
wrote:

 [EMAIL PROTECTED] wrote:
  I've enabled detail auth_log and detail reply_log (it'd be great
  if there was a way to tie auths and replies together from the
  different log files somehow) and FreeRadius is creating new logs each
  day.  I'm assuming that I'll need to take care of removing old logs on
  my own?  Otherwise I'll be filling my disk up pretty quickly.

  Yes.  See logrotate, or any one of many log rotation tools.


Right, I'm familiar with logrotate.  The problem is that FreeRadius is
rotating the logs already and I don't know of a way to get logrotate to just
keep track of a set number of logfiles that it doesn't rotate itself.  ie.,
keep 10 logfiles only
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: POP3

2008-07-09 Thread Matt Garretson
Alan DeKok wrote:
 Slava wrote:
 Could anyone tell me if there exists a solution to integrate FR with a
 POP3 server
   Look for patches to let cucipop do RADIUS authentication.  If there
 are none, maybe cucipop does PAM authentication.  You could then use the
 PAM RADIUS module.


FWIW, Qpopper also can use PAM, although I haven't tried it myself:

 http://www.eudora.com/products/unsupported/qpopper/faq.html#PAM


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: xp sp3 and freeradius 2.0.5

2008-07-08 Thread Matt Ashfield
I'm seeing the same problems with Vista devices:

Sending Access-Accept of id 12 to 131.202.9.32 port 2048
User-Name = u3t98
Tunnel-Private-Group-Id:0 = Academic
Tunnel-Type:0 = VLAN
MS-MPPE-Recv-Key =
0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a
MS-MPPE-Send-Key =
0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c
EAP-Message = 0x03180004
Message-Authenticator = 0x

Even though I have MPPE disabled in FR:

mschap {
#
#  As of 0.9, the mschap module does NOT support
#  reading from /etc/smbpasswd.
#
#  If you are using /etc/smbpasswd, see the 'passwd'
#  module for an example of how to use /etc/smbpasswd

# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no
 use_mppe = no

Thoughts?


Matt Ashfield
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of SecureW2 (List)
Sent: Monday, July 07, 2008 10:58 AM
To: 'FreeRadius users mailing list'
Subject: RE: xp sp3 and freeradius 2.0.5

Dear Oxiel,

Are you using wired or wireless 802.1x?

I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when
the MPPE keys are being sent by the RADIUS server (which are not used in
(most) wired 802.1X setups): 

Sending Access-Accept of id 8 to 192.168.100.245 port 5001
User-Name = host/caja02.cosmart.bo
MS-MPPE-Recv-Key =
0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
MS-MPPE-Send-Key =
0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
EAP-Message = 0x03090004
Message-Authenticator = 0x

If you are using wired try disabling the MPPE keys in Freeradius.

Regards,

Tom

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf Of Ivan Kalik
 Sent: Monday, 7 July 2008 15:32
 To: freeradius-users@lists.freeradius.org
 Subject: Re: xp sp3 and freeradius 2.0.5
 
 Has anybody achieved to authenticate xp sp3 with default 802.1x client to
 freeradius ?
 
 You!
 
 Sending Access-Accept of id 8 to 192.168.100.245 port 5001
 User-Name = host/caja02.cosmart.bo
 MS-MPPE-Recv-Key =
 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
 MS-MPPE-Send-Key =
 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
 EAP-Message = 0x03090004
 Message-Authenticator = 0x
 
 Ivan Kalik
 Kalik Informatika ISP
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Goodbye SNMP, hello statistics.

2008-06-23 Thread Matt Causey
Exciting stuff!

On Fri, Jun 20, 2008 at 2:48 PM, Alan DeKok [EMAIL PROTECTED]
wrote:

  I've committed some code (~1K LoC) to CVS head that will go into 2.0.6.
  In short, there's no point in using SNMP any more.  The good news is
 that the Status-Server packet is overloaded to get all sorts of
 statistics that weren't available in SNMP.  For more information, see:

share/dictionary.freeradius

  Some comments:

 - the statistics can ONLY be queried from localhost.  This will not be
 changed.

 - You can ask for ALL auth statistics (across all listen sockets)

 - Or, specify a socket IP/port, and it will return the stats for that
 socket.

 - You can do this for auth/acct sockets independently

 - you can query statistics for one client, and optionally specify
  the server IP/port (if the listen section has its own clients)

 - you can ask for total auth/acct packets that are proxied to home servers

 - you can ask for total auth/acct packets that are sent to individual
 home servers.

 - you can tell when a home server was marked dead / alive, and how many
 requests have been sent, but not responded to.

 - you can ask for stats on the internal queues in the server (e.g. if
 it's busy, there will be many packets waiting, and all of the child
 threads will be doing work)

  The end result is that it's simpler to implement than SNMP, has fewer
 issues, and returns more data than the SNMP statistics would return.

  Enjoy.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius/eDirectory/802.1X authentication issue

2008-06-12 Thread Matt Causey

I know it is possible to use EAP-TLS, and then use some attribute from the
certificate and query LDAP about it.  If that's the case in your
configuration, you should be able to see that from the config files in your
$raddb directory.  You can post the config if you have questions.

Matt

On Wed, Jun 11, 2008 at 6:44 PM, Newall, Bryce [EMAIL PROTECTED] wrote:


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Alan DeKok
  Sent: Wednesday, June 11, 2008 10:30 AM
  To: FreeRadius users mailing list
  Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
 
We need to have FreeRADIUS speak LDAP
   with Novell eDirectory, and be able to authenticate wireless clients
   using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
 
Er... EAP-TLS means that it won't normally do user lookups in LDAP.

 See why I say I don't know a whole lot about how all this works?? :)  So
 it sounds like I don't even need LDAP, but it's helpful for at least
 testing the RADIUS configuration with a program like NTRadPing to make
 sure it's working correctly before jumping into the EAP-TLS setup.

 And you should upgrade to 2.0.5.  It makes 1.1.0 look as bad as IAS.

 SLES 10 SP2 still ships with FreeRADIUS 1.1.0.  Go figure.  Any
 suggestions as to where to find some good HOWTO docs?  I went through
 the FreeRADIUS Wiki, but it wasn't very complete.

 Thanks!

 Bryce Newall
 Systems Administrator
 Poway Unified School District
 (858) 679-2576
 [EMAIL PROTECTED]



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FR and PEAP question

2008-06-11 Thread Matt Ashfield
-Password 
attribute in the request
Wed Jun 11 09:42:02 2008 : Debug: auth: Failed to validate the user.
Wed Jun 11 09:42:02 2008 : Auth: Login incorrect: [mda] (from client hh932 port 
2 cli 00-11-25-81-1D-DA)
Wed Jun 11 09:42:02 2008 : Debug: Delaying reject of request 1 for 1 seconds
Wed Jun 11 09:42:02 2008 : Debug: Going to the next request
Wed Jun 11 09:42:02 2008 : Debug: Waking up in 0.9 seconds.
Wed Jun 11 09:42:03 2008 : Debug: Sending delayed reject for request 1
Sending Access-Reject of id 3 to 11.2.19.3 port 2048
Wed Jun 11 09:42:03 2008 : Debug: Waking up in 4.9 seconds.
Wed Jun 11 09:42:08 2008 : Debug: Cleaning up request 1 ID 3 with timestamp +355
Wed Jun 11 09:42:08 2008 : Debug: Ready to process requests.


Matt 
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:21 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

eapol_test from wpa_supplicant
JRadius Simulator

Ivan Kalik
Kalik Informatika ISP


On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:

I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
howto? Clearly I'm down the wrong path here.

Matt 
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
can't test for it with pap requests (radtest).

Ivan Kalik
Kalik Informatika ISP


On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:

I thought it would get referenced because in my users file I have:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
unbldap-Ldap-Group == staff, Autz-Type := Ldap1
   User-Name=`%{User-Name}`,
   Tunnel-Private-Group-Id=staff,
   Tunnel-Type=VLAN,
   Fall-Through = no

And in huntgroups I have this. Although I am unsure if this is correct.
UNBFWSS NAS-IP-Address == 127.0.0.1


Matt
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Ivan Kalik
Sent: Tuesday, June 10, 2008 10:36 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

The password that is being supplied by radtest is in plain-text, should I
be
supplying it in ntPassword-encrypted format?

No.


It looks to me like I have something wrong with my authenticate section.

My authorize section looks like:
authorize {
preprocess
chap
mschap
suffix
eap
Autz-Type Ldap1 {
redundant-load-balance{
unbldap
unbldap2
}
mschap
}
}


Not really. You just haven't called that Autz-Type anywhere.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: FR and PEAP question

2008-06-10 Thread Matt Ashfield
Hi,

I’m now trying your suggestions for getting FR and PEAP working together.
Below is the result of a radtest that I did.

The password that is being supplied by radtest is in plain-text, should I be
supplying it in ntPassword-encrypted format?

It looks to me like I have something wrong with my authenticate section.

My authorize section looks like:
authorize {
preprocess
chap
mschap
suffix
eap
Autz-Type Ldap1 {
redundant-load-balance{
unbldap
unbldap2
}
mschap
}
}


The radtest result is below:
rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97,
length=55
User-Name = mda
User-Password = abc123
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No '@' in User-Name =
mda, looking up realm NULL
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No such realm NULL
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop
Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user
Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.
Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client
localhost port 0)
Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun 10 10:07:34 2008 : Debug: Going to the next request
Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 97 to 127.0.0.1 port 32769
Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp
+17
Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.


Any assistance is appreciated.

Thanks
Matt 
[EMAIL PROTECTED]


-Original Message-
From: Thibault Le Meur [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 26, 2008 11:00 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: FR and PEAP question

Matt Ashfield wrote:

 Hi,

 We’re looking into using PEAP with MSChapV2, instead of PAP (don’t 
 want to use the SecureW2 client anymore) so are investigating ways to 
 store the password in LDAP.

 According to 
 http://deployingradius.com/documents/protocols/compatibility.html ,the 
 options are storing the password in Clear-Text or in an NT Hash 
 (ntlm_auth).

 In talking with our LDAP people, I was told the following:

 SunOne does not support nt-hash passwords. Supported formats are 
 CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.

 Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, 
 NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and 
 SSHA512.


This means that your userPassword attribute must contain your password 
in the previously mentioned hash forms. This userPassword attribute is 
used internally by your LDAP directory in order to authenticate your 
access (bind) to the LDAP server.

 It sounds to me like if we want to do PEAP/MSChapV2 we’d have to store 
 the password in cleartext? I would just like to verify this via this list.


Not necessarily. You may _not_ want to use ldap binding as the 
authentication process

RE: FR and PEAP question

2008-06-10 Thread Matt Ashfield
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
howto? Clearly I'm down the wrong path here.

Matt 
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
can't test for it with pap requests (radtest).

Ivan Kalik
Kalik Informatika ISP


On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:

I thought it would get referenced because in my users file I have:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
unbldap-Ldap-Group == staff, Autz-Type := Ldap1
   User-Name=`%{User-Name}`,
   Tunnel-Private-Group-Id=staff,
   Tunnel-Type=VLAN,
   Fall-Through = no

And in huntgroups I have this. Although I am unsure if this is correct.
UNBFWSS NAS-IP-Address == 127.0.0.1


Matt
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Ivan Kalik
Sent: Tuesday, June 10, 2008 10:36 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

The password that is being supplied by radtest is in plain-text, should I
be
supplying it in ntPassword-encrypted format?

No.


It looks to me like I have something wrong with my authenticate section.

My authorize section looks like:
authorize {
preprocess
chap
mschap
suffix
eap
Autz-Type Ldap1 {
redundant-load-balance{
unbldap
unbldap2
}
mschap
}
}


Not really. You just haven't called that Autz-Type anywhere.

Ivan Kalik
Kalik Informatika ISP



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS with different CA per user?

2008-06-07 Thread Matt Causey
In our company, we do have certificates signed by multiple Certificate
Authorities...but there is a hierarchy.  So, some users come in from Domain
A (root CA) some come in from Domain B (intermediate CA).  So then it's
easy... just maintain the CA_path containing the root and any necessary
intermediate CAs.

On Sat, Jun 7, 2008 at 11:48 AM, SecureW2 (List) [EMAIL PROTECTED] wrote:

 Frank,

 It is not really a configuration issue, but more an Identity Management
 issue.

 It is not common to have a CA per user, but a CA per domain. And per domain
 you have users.

 So:

 User X from domain A has CA 1.
 User Y from domain B has CA 2.

 If this is what you are trying to achieve you can simply setup a
 configuration per domain/realm of these users.

 Regards,

 Tom

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:freeradius-users-bounces+list=[EMAIL PROTECTED]]
  On Behalf Of Frank Sweetser
  Sent: Friday, 6 June 2008 20:07
  To: freeradius-users@lists.freeradius.org
  Subject: EAP-TLS with different CA per user?
 
 
  I have a configuration which I need, but haven't been able to figure out
  how
  to make freeradius do it.
 
  I have two users, A and B, both authenticating over wireless using EAP-
  TLS.
  User A has a certificate which has been signed by CA X, and B has one
  signed
  by CA Y.
 
  What I need is to tell freeradius that certificates presented by user A
  should
  only be checked against CA X, and similarly B only by Y.  Putting both X
  and Y
  in the same CA list won't work in this case due to what appears to be a
  limitation in OpenSSL.
 
  I've been over all the existing docs I can find, and I haven't been able
  any
  way to do this.  Anyone have any suggestion what I might try?
 
  --
  Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
  WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
  GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP TLS Authentication failing!!!! Unknown CA

2008-06-07 Thread Matt Causey
I'm happy to be wrong about this, but in my experience, this parameter:

-CApath ca.pem

Needs to be an actual path, not a PEM CA file, where you have performed
these steps:

download certificate authority cert in PEM format
run c_rehash . (openssl script)

On Thu, May 15, 2008 at 10:37 AM, Avinash Patil [EMAIL PROTECTED]
wrote:

 Hi All,

 I am trying to authenticate one embedded WLAN device using
 freeRadius server 2.0.4

 I have radiusd.conf, client.conf files as per my configuration.
 I have created certificates using bootstrap script. Values in
 ca.cnf, client.cnf and server.cnf have been modified accordingly.

 I have copied ca.pem, client.pem to device filesystem. Private key has been
 extracted from client.pem.

 Since last week I am trying to authenticate freeradius server but I am
 getting error like Unknown CA.
 Please see attached radius logs.

 When I verify client certificate using openssl verify -CApath ca.pem
 client.pem
 I see following error:

 Error 20 at depth 0 lookup : unable to get local issuer certificate.

 Device is already tested with Windows 2003 server's TLS(of course with
 different set of certificates :) ) and it is working fine.
 What will be possible reason behind this and where am I going wrong?

 Appreciate your help.

 Thanks and Regards,

 Avinash.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
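The two threads above (the CA-hierarchy answer that keeps root and intermediates in a CA_path, and the `-CApath ca.pem` mix-up) both hinge on how OpenSSL finds a CA during a directory lookup: it opens `DIR/<subject-hash>.0`, `.1`, and so on, which is the layout `c_rehash` produces. As an added example that is not code from either post, here is a POSIX shell function that builds such a directory by hand and a check that a client certificate verifies against it; it assumes the `openssl` CLI is on PATH and generates a throwaway root CA and client certificate as test data.

```shell
# Added example, not from the thread: build the hashed directory that
# "openssl verify -CApath DIR" (and an EAP-TLS CA_path pointing at a
# directory) searches, the way the c_rehash script does, then verify a
# client certificate against it.  Assumes the openssl CLI is on PATH.
# Every certificate used here is generated below as throwaway test data;
# nothing is taken from the original posts.

# build_capath DEST_DIR CA1.pem [CA2.pem ...]
# Installs each CA certificate in DEST_DIR under the name <hash>.<n>, where
# <hash> is the subject-name hash OpenSSL looks up while building a chain.
# Prints the number of CAs installed.
build_capath() {
    dst="$1"; shift
    mkdir -p "$dst" || return 1
    count=0
    for pem in "$@"; do
        [ -f "$pem" ] || { echo "not a file: $pem" >&2; return 1; }
        hash=$(openssl x509 -noout -hash -in "$pem") || return 1
        # Distinct CAs can share a subject hash; OpenSSL tries .0, .1, ... in
        # turn, so the next free suffix is used rather than overwriting.
        n=0
        while [ -e "$dst/$hash.$n" ]; do n=$((n + 1)); done
        cp "$pem" "$dst/$hash.$n" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# verify_with_capath CAPATH CERT
# Succeeds only if CERT chains to a CA found under the directory CAPATH.
# Passing a PEM file instead of a directory (the mistake in the thread)
# fails, because OpenSSL opens CAPATH/<hash>.0, never CAPATH itself.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# make_test_pki DIR
# Constructed test data: a self-signed root CA (root.pem, root.key) and a
# client certificate it issues (client.pem).  The subject names are made up.
make_test_pki() {
    d="$1"
    mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=client01.example.test" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/client.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/client.pem" >/dev/null 2>&1 || return 1
}
```

An intermediate CA is installed the same way: add its PEM to the `build_capath` argument list and OpenSSL finds it by hash when walking from the client certificate up to the root.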

deployingradius.com down?

2008-05-07 Thread Matt Ashfield
I can't seem to get to deployingradius.com website. Anyone know if this is
down?

Matt

[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

FR failing

2008-05-01 Thread Matt Ashfield
We have two FR servers (running 1.1.15) on Red Hat machines.

We are using it to authenticate wireless users against an LDAP directory.
Occasionally, one of the FR servers (it happens to each, just not at the
same time), stops working. The service remains up, but it's like the
conversation between radius and ldap doesn't work for some reason, and
radius stops trying altogether afterwards. The log shows:

Thu May  1 14:33:02 2008 : Error: rlm_eap: Either EAP-request timed out OR
EAP-response to an unknown EAP-request
Thu May  1 14:33:02 2008 : Auth: Login incorrect: [rsmall] (from client
unbsj111 port 32401 cli 00-1E-C2-C0-8E-36)
Thu May  1 14:33:15 2008 : Error: rlm_eap: Either EAP-request timed out OR
EAP-response to an unknown EAP-request
Thu May  1 14:33:15 2008 : Auth: Login incorrect: [anonymous] (from client
hh2380 port 45380 cli 00-12-F0-D3-3C-03)
Thu May  1 14:34:02 2008 : Error: Discarding duplicate request from client
hh2380:20001 - ID: 200 due to unfinished request 1428

Any help is greatly appreciated.

Thanks

Matt A

[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Can't compile on Centos 5.1 x86_64

2008-03-05 Thread Matt Garretson
Sergio Belkin wrote:
 I can't compile freeradius-2.0.2 on Centos 5.1 x86_64. It outputs:
 /usr/lib/libltdl.so: could not read symbols: File in wrong format
 collect2: ld returned 1 exit status

You might try using your system's own libtool.  Try these 
configure options:

--with-system-libtool  --disable-ltdl-install

It might not help, but it's probably worth a shot.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Administering with MySQL DB

2008-01-18 Thread Matt Pinkston
The nas table definition can be found at the bottom of this page
http://wiki.freeradius.org/MySQL_DDL_script

make sure to set:

 readclients = yes (probably at the bottom of sql.conf)

 the column names in the nas table are pretty self-explanatory after you
have that set up. Just be sure to re-start radius after you make changes to
that table since it's read at startup.



On Jan 18, 2008 1:18 PM, Andy Smith [EMAIL PROTECTED] wrote:

  Hi,

   thanks, I've looked at this and it's a good guide to initial install but
  doesn't seem to provide any detailed info on how to administer the data in
  the tables. I.e. there is a sample of some data from a test system but this
  doesn't even mention the NAS table; how are other people administering
  their systems?

 thanks! Andy.


  FreeRadius Wiki is a good starting point. SQL Howto






-- 
Dread Pirate Roberts: Truly, you have a dizzying intellect.
Vizzini: WAIT TILL I GET GOING! Where was I?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Version 2.0.0 has been released

2008-01-10 Thread Matt Garretson
Alan T DeKok wrote:
 January 10, 2007 - Version 2.0.0 has been released.


Congratulations, and thanks for all your hard work on FreeRADIUS!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Stopping LDAP searches during each part of EAP session?

2008-01-09 Thread Matt Alexander
I have a freeradius server configured to do both EAP-TLS and LDAP auth.  It
works great so far.  If I have a cert. configured, then I'm authenticated
with the cert.  If I don't have a cert then I get prompted for my un/pw on
my NAS's Captive Portal page, which then passes my username/password on to
the Radius server which then checks my LDAP server if my un/pw are correct.

When I look through the debug logs, however, I see that the rlm_ldap module
is doing an LDAP search for my username during each stage of the EAP
session.  Is there a way to configure freeradius so that it won't try LDAP
auth in the middle of an EAP session?

Here's my radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 8192
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 0
status_server = yes
}
proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp= no
thread pool {
start_servers = 10
max_servers = 128
min_spare_servers = 3
max_spare_servers = 20
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
shadow = /etc/shadow
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
}
ldap {
server = ldap.mycompany.com
basedn = ou=people,dc=mycompany,dc=com
filter = (&(accountInstance=wireless)(uid=%{Stripped-User-Name:-%{User-Name}}))
start_tls = yes
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 25
timeout = 10
timelimit = 10
net_timeout = 1
access_attr_used_for_allow = yes
}
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = %
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = yes
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = no
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always 

Re: Server instability

2007-09-24 Thread Matt Ashfield
What kind of error messages are you getting in your log when it blows up?

Quoting Phil Mayers [EMAIL PROTECTED]:

 On Mon, 2007-09-24 at 15:39 -0400, Nathan Hay wrote:
  I am a newbie, running 3 (for redundancy) FreeRadius servers (1.1.7)
  on SUSE 10 SP1 (32-bit) to authenticate our wireless clients (PEAP
  MSCHAPv2) to our eDirectory via LDAP.  We average 800-900 simultaneous
  wireless clients (need to support a potential 4K in the future).

  The setup works well and authenticates users very quickly, but every
  couple days, the radiusd process will either blow up and start
  consuming 99% of the CPU or die altogether.  More often it blows up.
  We had stability problems initially, even when the process was
  running, so I took everything out of the config that we didn't need
  and that seemed to help.
 
 First question; are you HUPing the daemon? If so, don't - it won't work
 well.
 
 Second question; if this happens reliably can you recompile from
 scratch:
 
 ./configure --enable-developer
 make
 make install
 
 ...and when it happens do this:
 
 gdb /usr/local/sbin/radiusd
 set pagination off
 set logging file /root/radiusd-wireless.txt
 set logging on
 attach $PID
 thread apply all bt full
 
 ...that'll give some details as to what the server is doing when it
 pegs the CPU. Other options are strace or (if your Linux system has it)
 SystemTap. The aim being to determine what it's doing when it goes wrong.
 
  
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: randomly crashing

2007-09-21 Thread Matt Ashfield
Saw this happen again last night. Last log entries I have are:
Thu Sep 20 19:06:24 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Sep 20 19:06:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Auth: Login OK: [n2i7w] (from client localhost port 16689 cli 00-16-6F-07-3F-71)
Thu Sep 20 19:06:37 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Thu Sep 20 19:06:49 2007 : Error: Discarding duplicate request from client hh2380:20006 - ID: 133 due to unfinished request 922

After the error it crashed. Not sure why I'm seeing this. Any thoughts are
welcome!?

thanks

Matt 
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Ashfield
Sent: Tuesday, September 18, 2007 9:49 AM
To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Subject: RE: randomly crashing


version of FR? modules or backend auth system used?
Using FR 1.1.5 and using mod_auth_ldap for auth


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: randomly crashing

2007-09-18 Thread Matt Ashfield

version of FR? modules or backend auth system used?
Using FR 1.1.5 and using mod_auth_ldap for auth


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


randomly crashing

2007-09-17 Thread Matt Ashfield
Hi,


We're running FR to authenticate users on our wireless network. It appears
that radius is randomly stopping/crashing. I have checked logs, but have
been unable to locate the problem and am wondering if someone could point me
in a good location to look for reasons for the failure.

I've checked the radius.log file for the past 2 failures, and all I see are:

For the 2nd to last failure:

Mon Sep 17 00:30:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:31:30 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 00:31:30 2007 : Auth: Login incorrect: [s3n14] (from client hh2380 port 18045 cli 00-1B-63-C1-7E-00)
Mon Sep 17 00:34:49 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Mon Sep 17 00:34:58 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Sep 17 00:34:58 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:36:03 2007 : Error: Discarding duplicate request from client hh2380:20008 - ID: 173 due to unfinished request 36

And for the latest failure:

Mon Sep 17 12:40:25 2007 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [s8r1z] (from client localhost port 30831 cli 00-1A-73-82-59-7C)
Mon Sep 17 12:40:25 2007 : Auth: Login incorrect: [s8r1z] (from client hh2380 port 30831 cli 00-1A-73-82-59-7C)
Mon Sep 17 12:40:33 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 12:40:33 2007 : Auth: Login incorrect: [c264c] (from client hh2380 port 30784 cli 00-11-24-C6-90-7E)

In my /var/log/messages file there's nothing related to the failures.

We use the following to start FR:

/usr/local/sbin/radiusd -y

Any advice is appreciated.

Matt
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: randomly crashing

2007-09-17 Thread Matt Garretson
Hi...

Matt Ashfield wrote:
 We're running FR to authenticate users on our wireless network. It appears
 that radius is randomly stopping/crashing. I have checked logs, but have
 been unable to locate the problem and am wondering if someone could point me


For what it's worth (probably not much!)...  a month ago, I was 
having random segfaults with a new installation of 1.1.7 on 
Fedora 7 x86_64.  In most cases, the crash seemed to correspond 
with this log entry you've mentioned:

 Mon Sep 17 00:31:30 2007 : Error: rlm_eap: Either EAP-request timed out OR
 EAP-response to an unknown EAP-request

My segfault would typically occur right after the above log 
entry.  Analyzing with gdb usually gave a serpentine backtrace 
into threading libraries and SSL-related functions -- well beyond 
my ability to debug.  

I was about to give up, when an openssl package update was issued 
by Fedora (0.9.8b-14.fc7, around August 14).  The changelog wasn't 
very descriptive, but ever since updating the openssl RPMs,
freeradius hasn't segfaulted at all.

Was it an SSL bugfix that fixed it?  Beats me.  Maybe it was
simply the running of ldconfig after the update.  Maybe it was
something else entirely.  But the point is, it might pay to make 
sure your libraries are in order.  :)  (Previously I'd also had 
seeming 64-bit library issues with Kerberos which were causing 
Freeradius crashes.)

-Matt

PS: I do still see the Either EAP-request timed out OR EAP-response
to an unknown EAP-request rlm_eap error maybe 5-10 times a day, 
but the Freeradius daemon no longer crashes from them.  And the client 
auth succeeds on the retry ~30 seconds later.  Never saw this 
behavior with Freeradius 1.1.2, but I wouldn't be surprised if it
was happening back then, and that 1.1.7 simply has more verbose
logging of such occurrences now.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: building RPM from source

2007-08-15 Thread Matt Garretson
Fred Zinsli wrote:
 I am attempting to build an RPM from source on my FC5 box.


Try to get a more recent source RPM from a repository, and
then tweak the spec file to fit your needs.  The Fedora builds will
support MySQL by default.  It'd be easier than trying to write
your own spec file from scratch.  The current version in Fedora 7
is 1.1.6, and 1.1.7 is available in the development repo.  (I am 
running 1.1.7 built from the devel source RPM.)

-Matt
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: building RPM from source

2007-08-15 Thread Matt Garretson
Fred Zinsli wrote:
 I have got a copy of 1.1.7 source but my issue is that I don't know how 
 to enable mysql in the spec file.


The spec file that comes in the Fedora source RPM I suggested shows you 
exactly how to do it.  In fact, it's done for you.  :)


 Also, do I have to have mysql installed on the build machine to enable 
 mysql support?

Yes, both the mysql and mysql-devel packages would be required.  You don't 
need mysql-server installed, unless of course you want to run the MySQL 
server on that machine.  (The spec file also requires some other packages,
which you can easily snip out if you don't actually need to build/use the
stuff which depends on them.)


 But /usr/include/mysql doesn't exist on the machine.

I'm guessing none of the MySQL packages are installed.  Try:
yum install mysql mysql-devel.


-Matt
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segfault with -X and rlm_krb5 under Fedora 7 x86_64

2007-07-20 Thread Matt Garretson
Alan DeKok wrote:
   That would seem to be the case, yes.  But it's very weird.  Doubly so
 since there's no code in rlm_krb5 that depends on debug_flag = 2.
 
   So... the culprit is likely elsewhere.  Exactly where it is located is
 difficult to say.



Thanks, Alan.   Just a quick update... upon looking deeper, it looks 
like it might be an autoconf/libtool issue with x86_64 under Fedora 7.
If I come up with any potentially useful info, I'll post it here.  
Sorry for the noise.

-Matt
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Segfault with -X and rlm_krb5 under Fedora 7 x86_64

2007-07-19 Thread Matt Garretson
This may be a Fedora/Kerberos issue rather than a Freeradius issue, but...

Has anyone experienced radiusd -X segfaulting when using rlm_krb5? 
This is under Fedora 7 (x86_64), with freeradius 1.1.6 and 2.0.0-pre1
built from source tarballs.  (I am trying to migrate to this environment 
from a working freeradius-1.1.0 / Fedora Core 2 / i686 installation.)

The segfault is actually occurring in the Kerberos libraries, which
means that Freeradius might not be the issue, however the segfault
occurs only when radiusd is given -X or -sfxx options.  I.e.
radiusd -sfx and radiusd work as expected, and do not segfault.
(One thing off the top of my head:  Does this point to something 
possibly happening when debug_flag is = 2 ?)

The killer request: radtest testuser testpass localhost 1 testing123

Below are my users and radiusd.conf files.  Full gdb output from a
segfault case follows.

So, this isn't a bug report... i'm just hoping for tips on how to 
proceed... thanks in advance for any clues.

-Matt


### begin complete users file ###
DEFAULT Auth-Type:=Kerberos
### end complete users file ###

### begin partial radiusd.conf ###
# stuff that was changed from the default 1.1.6 radiusd.conf :
prefix = /opt/radius
localstatedir = /var
user = radiusd
group = radiusd
log_auth = yes
proxy_requests = no
modules {
    krb5 {
        keytab = radius-krb5.keytab
        service_principal = radius
    }
}
authenticate {
    Auth-Type Kerberos {
        krb5
    }
}
### end partial radiusd.conf ###

### begin gdb output ###
[EMAIL PROTECTED] raddb]# gdb radiusd
GNU gdb Red Hat Linux (6.6-15.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu...
Using host libthread_db library /lib64/libthread_db.so.1.
(gdb) run -X
Starting program: /usr/local/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912517212928 (LWP 25560)]
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/radius/etc/raddb/clients.conf
Config:   including file: /opt/radius/etc/raddb/snmp.conf
Config:   including file: /opt/radius/etc/raddb/eap.conf
Config:   including file: /opt/radius/etc/raddb/sql.conf
 main: prefix = /opt/radius
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /opt/radius/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /opt/radius/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
 krb5: keytab = radius-krb5.keytab
 krb5: service_principal = radius
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /opt/radius/etc/raddb/huntgroups
 preprocess: hints = /opt/radius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack

RE: MSCHAPv2 with 1.1.4

2007-06-21 Thread Matt Cobb
Tried that already. 

cobb Cleartext-Password := secret

It just spits out an error that says I didn't use User-Password and
fails:

Thread 1 handling request 0, (1 handled so far)
NAS-Identifier = localhost
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 127.0.0.1
User-Name = [EMAIL PROTECTED]
MS-CHAP2-Response = 0x01013410fa7660ac21dc93c5313bcab77f15e601cdc04a6c368aedb66db426dff79111702aa7dbf9d3bb
MS-CHAP-Challenge = 0xc171ce27fd0fc0189daf86b649fe8588
Service-Type = 47
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
  modcall[authorize]: module mschap returns ok for request 0
modcall: entering group  for request 0
rlm_realm: Looking up realm guests for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm guests
rlm_realm: Adding Stripped-User-Name = cobb
rlm_realm: Proxying request from user cobb to realm guests
rlm_realm: Adding Realm = guests
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module ntdomain returns noop for request 0
modcall: leaving group  (returns noop) for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry cobb at line 2
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED] (from client localhost port 0 cli 127.0.0.1)
  Found Post-Auth-Type
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 0
DBUS Method Call to com.lockdownnetworks.RadiusEvents:/ on com.lockdownnetworks.RadiusEvents
Early exit of processing return values.
Finished with dbus method.
  modcall[post-auth]: module dbus returns reject for request 0
modcall: leaving group REJECT (returns reject) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 127.0.0.1:32776, id=181, length=161
Sending Access-Reject of id 181 to 127.0.0.1 port 32776
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 467ae04a
Nothing to do.  Sleeping until we see a request.



-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
dius.org] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 21, 2007 11:30 AM
To: FreeRadius users mailing list
Subject: Re: MSCHAPv2 with 1.1.4


users file:

cobb User-Password==secret

(also tried Cleartext-Password with same results)


Wrong operator (==) for Cleartext-Password. Use :=

cobb   Cleartext-Password := secret

Ivan Kalik
Kalik Informatika ISP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: MSCHAPv2 with 1.1.4

2007-06-21 Thread Matt Cobb
Hello,

 thats why. you cant use a plain password.

alan

[Cobb] What should I use?  I have tried User-Password==,
Cleartext-Password:=, Cleartext-Password==,
NT-Password==0x0123456789abcdef...,
NT-Password==0123456789abcdef..

All complain that the NT Response is invalid and all but User-Password
complain that the User-Password is not supplied.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

