Is it possible to make groups of called-station-id 's?
Hi All

We are using FR 2.1.5 for authenticating wireless users against our LDAP database. Recently, our student wireless vlan is getting too large, and we wish to subdivide it. Currently we place users in the appropriate vlan based on the user type returned via the groupmembership_attribute as defined in modules/ldap. So if that attribute = student, we put them in the student vlan. Our users file entry looks like:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Called-Station-Id =~ .*Wireless, Huntgroup-Name == WSS1, unbldap-Ldap-Group == student
        User-Name=`%{User-Name}`,
        Tunnel-Private-Group-Id=student,
        Tunnel-Type=VLAN,
        Fall-Through = no

To reduce the number of broadcast domains going out a wireless access point, we are thinking of placing all students in Building X into a student_vlanX. To do this, we need to identify all the APs in the building. For each AP in that building we'd have something like this in our users file (where 00-01-02-AA-BB-CC is the mac-address of an access point in building X):

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Called-Station-Id =~ 00-01-02-AA-BB-CC.*Wireless, Huntgroup-Name == WSS1, unbldap-Ldap-Group == student
        User-Name=`%{User-Name}`,
        Tunnel-Private-Group-Id=student_vlanX,
        Tunnel-Type=VLAN,
        Fall-Through = no

I'm quite certain this would work; however, I was hoping there'd be some way, similar to the huntgroups file (which I realize is for NASes, which our APs are not acting as), that could group all our access point devices into a group so we wouldn't have to have a statement in the users file like the one above for every single wireless access point in our network.

Any advice is appreciated.

Thanks
Matt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
showing NAS-IP of 127.0.01 instead of
Hi,

I'm running FreeRADIUS Version 2.1.5. We are trying to do system authentication for some users. We do this by creating huntgroups based on NAS-IP-Address, and then telling that huntgroup to use System for authentication. The problem is that although the Access-Request packet is shown as coming from the correct host, that host's IP address is not showing up as the NAS-IP-Address for that request. Instead, it's showing as 127.0.0.1 as seen below:

rad_recv: Access-Request packet from host 192.168.27.7 port 53201, id=130, length=51
        User-Name = xm7z1
        User-Password = abc.123
        NAS-IP-Address = 127.0.0.1

I'm wondering what could cause this? Any help is appreciated.

Thanks
Matt
RE: showing NAS-IP of 127.0.01 instead of
I just figured that out via a sniff. Thanks for the note. I'll go after the requesting software now.

From: Garber, Neal [mailto:neal.gar...@energyeast.com]
Sent: November 25, 2009 2:27 PM
To: 'm...@unb.ca'; 'FreeRadius users mailing list'
Subject: RE: showing NAS-IP of 127.0.01 instead of

> The problem is that although the Access-Request packet is shown as coming from the correct host, that host's IP address is not showing up as the NAS-IP-Address for that request. Instead, it's showing as 127.0.0.1 as seen below:
>
> I'm wondering what could cause this? Any help is appreciated.

The NAS is sending that attribute within the request - ask the NAS vendor why they are sending 127.0.0.1. I've seen this issue with Lantronix console servers (not sure if that's the NAS you are using). They eventually updated their firmware to use the correct address.

As a workaround, I did the following in the authorize section of the default server (before preprocess if you want huntgroup name lookup to work properly):

if (NAS-IP-Address == 127.0.0.1) {
        update request {
                NAS-IP-Address := %{Client-IP-Address}
        }
}
RE: groupmembership and vlan assignment
Would it make more sense then to use a Perl program instead for the authorization and then have that program:
- verify credentials against ldap.
- do the regexp matching on the entitlement field?

Thanks,
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2008 8:27 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> Hmmm... well I was hoping for another way to assign vlans based on ldap attributes, but I don't figure on rewriting rlm_ldap.

You don't have to rewrite the whole module. Just change 100 lines in one function.

Alan DeKok.
re: groupmembership and vlan assignment
Is there a way to do regexp checking on the group_membership field instead?

Thanks
Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group =~ .*staff1, Autz-Type := Ldap1, Auth-Type := Ldap1

The LDAP Group checking does *equality* checking, not regular expression checking. Sorry.

Alan DeKok.
RE: groupmembership and vlan assignment
That's what I was afraid of. Any suggestions to getting around this?

Thanks
Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group =~ .*staff1, Autz-Type := Ldap1, Auth-Type := Ldap1

The LDAP Group checking does *equality* checking, not regular expression checking. Sorry.

Alan DeKok.
RE: groupmembership and vlan assignment
Hmmm... well I was hoping for another way to assign vlans based on ldap attributes, but I don't figure on rewriting rlm_ldap.

Thanks
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2008 3:49 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> That's what I was afraid of. Any suggestions to getting around this?

Edit the source code to rlm_ldap to implement regex checks.

Alan DeKok.
RE: groupmembership and vlan assignment
Nobody replied to my original post, and I got to thinking, would I be able to use wildcards in my users file to achieve this when looking for which Ldap-Group the user has been placed in? i.e.

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group =~ .*staff1, Autz-Type := Ldap1, Auth-Type := Ldap1

where unbldap-Ldap-Group gets set via

groupmembership_attribute = eduPersonPrimaryAffiliation

and

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=staff1

in LDAP.

Thanks
Matt Ashfield
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Ashfield
Sent: Wednesday, July 23, 2008 10:29 AM
To: 'FreeRadius users mailing list'
Subject: groupmembership and vlan assignment

Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (ie, staff, student, faculty, etc..):

groupmembership_attribute = eduPersonPrimaryAffiliation

(where eduPersonPrimaryAffiliation = staff, student, faculty, etc..)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have.
- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this case student1.

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks
Matt
[EMAIL PROTECTED]
groupmembership and vlan assignment
Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (ie, staff, student, faculty, etc..):

groupmembership_attribute = eduPersonPrimaryAffiliation

(where eduPersonPrimaryAffiliation = staff, student, faculty, etc..)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have.
- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:

eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this case student1.

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks
Matt
[EMAIL PROTECTED]
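As an added example (not code from the thread or from FreeRADIUS), here is how the vlan decision raised in this post and in the "groups of called-station-id's" thread above could be made outside rlm_ldap, for instance from an rlm_perl or rlm_python style policy: it pulls the vlan name out of the multi-valued eduPersonEntitlement URN, refuses to guess when a user carries two wireless entitlements, and splits students by building using a Called-Station-Id to building table instead of one users entry per AP. The AP table, the LDAP entry and the request attributes are constructed sample data; the urn:mace:uni.ca:wireless prefix and the affiliation names come from the thread.

```python
import re
from urllib.parse import parse_qs

# Prefix of the entitlement URN from the thread; only values under it carry
# a vlan name.  Everything after "?" is an ordinary query string.
ENTITLEMENT_PREFIX = "urn:mace:uni.ca:wireless"

# Affiliations the thread uses directly as vlan names; anything else falls
# through (no Tunnel-Private-Group-Id) rather than becoming a vlan name.
KNOWN_AFFILIATIONS = {"staff", "student", "faculty"}

# Constructed sample table: AP MAC -> building.  In the other thread the AP
# MAC is the leading part of Called-Station-Id ("<mac>:<ssid>").
AP_BUILDINGS = {
    "00-01-02-AA-BB-CC": "X",
    "00-15-E8-E0-E6-00": "Y",
}

# Leading MAC in the common NAS spellings (dash, colon or no separator).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:[-:]?[0-9A-Fa-f]{2}){5})")
VLAN_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def ap_mac(called_station_id):
    """Return the AP MAC from Called-Station-Id as 'AA-BB-CC-DD-EE-FF', or None."""
    m = MAC_RE.match(called_station_id.strip())
    if not m:
        return None
    digits = re.sub(r"[-:]", "", m.group(1)).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlans_from_entitlements(values):
    """Collect vlan names from a multi-valued eduPersonEntitlement.

    Values under other URNs are ignored, and a vlan name is only accepted
    if it is a plain identifier, so an odd LDAP value cannot turn into an
    unexpected Tunnel-Private-Group-Id.
    """
    vlans = set()
    for value in values:
        if not value.startswith(ENTITLEMENT_PREFIX + "?"):
            continue
        query = value.split("?", 1)[1]
        for name in parse_qs(query).get("vlan", []):
            if VLAN_NAME_RE.fullmatch(name):
                vlans.add(name)
    return vlans


def choose_vlan(request, ldap_entry, ap_buildings=AP_BUILDINGS):
    """Decide Tunnel-Private-Group-Id for one request, or None to fall through.

    request    : dict of RADIUS request attributes (e.g. Called-Station-Id)
    ldap_entry : dict attribute -> list of values, as LDAP returns them
    Order: an explicit wireless entitlement wins; students are then split by
    the building their AP is in; otherwise the affiliation is the vlan.
    """
    entitled = vlans_from_entitlements(ldap_entry.get("eduPersonEntitlement", []))
    if len(entitled) == 1:
        return next(iter(entitled))
    if len(entitled) > 1:
        return None  # ambiguous: do not guess between two wireless vlans

    affiliations = ldap_entry.get("eduPersonPrimaryAffiliation", [])
    affiliation = affiliations[0] if affiliations else None
    if affiliation not in KNOWN_AFFILIATIONS:
        return None

    if affiliation == "student":
        mac = ap_mac(request.get("Called-Station-Id", ""))
        building = ap_buildings.get(mac) if mac else None
        if building:
            return "student_vlan" + building
    return affiliation
```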
RE: xp sp3 and freeradius 2.0.5
I'm seeing the same problems with Vista devices:

Sending Access-Accept of id 12 to 131.202.9.32 port 2048
        User-Name = u3t98
        Tunnel-Private-Group-Id:0 = Academic
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a
        MS-MPPE-Send-Key = 0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c
        EAP-Message = 0x03180004
        Message-Authenticator = 0x

Even though I have MPPE disabled in FR:

mschap {
        #
        # As of 0.9, the mschap module does NOT support
        # reading from /etc/smbpasswd.
        #
        # If you are using /etc/smbpasswd, see the 'passwd'
        # module for an example of how to use /etc/smbpasswd

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        #use_mppe = no
        use_mppe = no

Thoughts?

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SecureW2 (List)
Sent: Monday, July 07, 2008 10:58 AM
To: 'FreeRadius users mailing list'
Subject: RE: xp sp3 and freeradius 2.0.5

Dear Oxiel,

Are you using wired or wireless 802.1x? I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when the MPPE keys are being sent by the RADIUS server (which are not used in (most) wired 802.1X setups):

Sending Access-Accept of id 8 to 192.168.100.245 port 5001
        User-Name = host/caja02.cosmart.bo
        MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
        MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
        EAP-Message = 0x03090004
        Message-Authenticator = 0x

If you are using wired try disabling the MPPE keys in Freeradius.

Regards,
Tom

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Monday, July 7, 2008 15:32
To: freeradius-users@lists.freeradius.org
Subject: Re: xp sp3 and freeradius 2.0.5

> Has anybody achieved to authenticate xp sp3 with default 802.1x client to freeradius ?

You!

> Sending Access-Accept of id 8 to 192.168.100.245 port 5001
>         User-Name = host/caja02.cosmart.bo
>         MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
>         MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x

Ivan Kalik
Kalik Informatika ISP
RE: FR and PEAP question
-Password attribute in the request
Wed Jun 11 09:42:02 2008 : Debug: auth: Failed to validate the user.
Wed Jun 11 09:42:02 2008 : Auth: Login incorrect: [mda] (from client hh932 port 2 cli 00-11-25-81-1D-DA)
Wed Jun 11 09:42:02 2008 : Debug: Delaying reject of request 1 for 1 seconds
Wed Jun 11 09:42:02 2008 : Debug: Going to the next request
Wed Jun 11 09:42:02 2008 : Debug: Waking up in 0.9 seconds.
Wed Jun 11 09:42:03 2008 : Debug: Sending delayed reject for request 1
Sending Access-Reject of id 3 to 11.2.19.3 port 2048
Wed Jun 11 09:42:03 2008 : Debug: Waking up in 4.9 seconds.
Wed Jun 11 09:42:08 2008 : Debug: Cleaning up request 1 ID 3 with timestamp +355
Wed Jun 11 09:42:08 2008 : Debug: Ready to process requests.

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:21 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

eapol_test from wpa_supplicant
JRadius Simulator

Ivan Kalik
Kalik Informatika ISP

On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:

> I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.
>
> Matt
> [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest).

Ivan Kalik
Kalik Informatika ISP

On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:

> I thought it would get referenced because in my users file I have:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1
>         User-Name=`%{User-Name}`,
>         Tunnel-Private-Group-Id=staff,
>         Tunnel-Type=VLAN,
>         Fall-Through = no
>
> And in huntgroups I have this. Although I am unsure if this is correct.
>
> UNBFWSS NAS-IP-Address == 127.0.0.1
>
> Matt
> [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 10:36 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

> The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?

No.

> It looks to me like I have something wrong with my authenticate section. My authorize section looks like:
>
> authorize {
>         preprocess
>         chap
>         mschap
>         suffix
>         eap
>         Autz-Type Ldap1 {
>                 redundant-load-balance {
>                         unbldap
>                         unbldap2
>                 }
>                 mschap
>         }
> }

Not really. You just haven't called that Autz-Type anywhere.

Ivan Kalik
Kalik Informatika ISP
RE: FR and PEAP question
Hi,

I'm now trying your suggestions for getting FR and PEAP working together. Below is the result of a radtest that I did. The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?

It looks to me like I have something wrong with my authenticate section. My authorize section looks like:

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        Autz-Type Ldap1 {
                redundant-load-balance {
                        unbldap
                        unbldap2
                }
                mschap
        }
}

The radtest result is below:

rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97, length=55
        User-Name = mda
        User-Password = abc123
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No '@' in User-Name = mda, looking up realm NULL
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No such realm NULL
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop
Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.
Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client localhost port 0)
Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun 10 10:07:34 2008 : Debug: Going to the next request
Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 97 to 127.0.0.1 port 32769
Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp +17
Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.

Any assistance is appreciated.

Thanks
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: Monday, May 26, 2008 11:00 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: FR and PEAP question

Matt Ashfield wrote:
> Hi,
>
> We're looking into using PEAP with MSChapV2, instead of PAP (don't want to use the SecureW2 client anymore) so are investigating ways to store the password in LDAP. According to http://deployingradius.com/documents/protocols/compatibility.html, the options are storing the password in Clear-Text or in an NT Hash (ntlm_auth).
>
> In talking with our LDAP people, I was told the following:
>
> SunOne does not support nt-hash passwords. Supported formats are CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5, NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and SSHA512.

This means that your userPassword attribute must contain your password in the previously mentioned hash forms. This userPassword attribute is used internally by your LDAP directory in order to authenticate your access (bind) to the LDAP server.

> It sounds to me like if we want to do PEAP/MSChapV2 we'd have to store the password in cleartext? I would just like to verify this via this list.

Not necessarily. You may _not_ want to use ldap binding as the authentication process
RE: FR and PEAP question
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest).

Ivan Kalik
Kalik Informatika ISP

On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:

> I thought it would get referenced because in my users file I have:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1
>         User-Name=`%{User-Name}`,
>         Tunnel-Private-Group-Id=staff,
>         Tunnel-Type=VLAN,
>         Fall-Through = no
>
> And in huntgroups I have this. Although I am unsure if this is correct.
>
> UNBFWSS NAS-IP-Address == 127.0.0.1
>
> Matt
> [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 10:36 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

> The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?

No.

> It looks to me like I have something wrong with my authenticate section. My authorize section looks like:
>
> authorize {
>         preprocess
>         chap
>         mschap
>         suffix
>         eap
>         Autz-Type Ldap1 {
>                 redundant-load-balance {
>                         unbldap
>                         unbldap2
>                 }
>                 mschap
>         }
> }

Not really. You just haven't called that Autz-Type anywhere.

Ivan Kalik
Kalik Informatika ISP
deployingradius.com down?
I can't seem to get to the deployingradius.com website. Anyone know if this is down?

Matt
[EMAIL PROTECTED]
FR failing
We have two FR servers (running 1.1.15) on Red Hat machines. We are using it to authenticate wireless users against an LDAP directory. Occasionally, one of the FR servers (it happens to each, just not at the same time) stops working. The service remains up, but it's like the conversation between radius and ldap doesn't work for some reason, and radius stops trying altogether afterwards. The log shows:

Thu May 1 14:33:02 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May 1 14:33:02 2008 : Auth: Login incorrect: [rsmall] (from client unbsj111 port 32401 cli 00-1E-C2-C0-8E-36)
Thu May 1 14:33:15 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May 1 14:33:15 2008 : Auth: Login incorrect: [anonymous] (from client hh2380 port 45380 cli 00-12-F0-D3-3C-03)
Thu May 1 14:34:02 2008 : Error: Discarding duplicate request from client hh2380:20001 - ID: 200 due to unfinished request 1428

Any help is greatly appreciated.

Thanks
Matt A
[EMAIL PROTECTED]
Re: Server instability
What kind of error messages are you getting in your log when it blows up?

Quoting Phil Mayers [EMAIL PROTECTED]:

On Mon, 2007-09-24 at 15:39 -0400, Nathan Hay wrote:
> I am a newbie, running 3 (for redundancy) FreeRadius servers (1.1.7) on SUSE 10 SP1 (32-bit) to authenticate our wireless clients (PEAP MSCHAPv2) to our eDirectory via LDAP. We average 800-900 simultaneous wireless clients (need to support a potential 4K in the future). The setup works well and authenticates users very quickly, but every couple days, the radiusd process will either blow up and start consuming 99% of the CPU or die altogether. More often it blows up. We had stability problems initially, even when the process was running, so I took everything out of the config that we didn't need and that seemed to help.

First question; are you HUPing the daemon? If so, don't - it won't work well.

Second question; if this happens reliably can you recompile from scratch:

./configure --enable-developer
make
make install

...and when it happens do this:

gdb /usr/local/sbin/radiusd
set pagination off
set logging file /root/radiusd-wireless.txt
set logging on
attach $PID
thread apply all bt full

...that'll give some details as to what the server is doing when it pegs the CPU. Other options are strace or (if your Linux system has it) SystemTap. The aim being to determine what it's doing when it goes wrong.
RE: randomly crashing
Saw this happen again last night. Last log entries I have are:

Thu Sep 20 19:06:24 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Sep 20 19:06:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Auth: Login OK: [n2i7w] (from client localhost port 16689 cli 00-16-6F-07-3F-71)
Thu Sep 20 19:06:37 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Thu Sep 20 19:06:49 2007 : Error: Discarding duplicate request from client hh2380:20006 - ID: 133 due to unfinished request 922

After the error it crashed. Not sure why I'm seeing this. Any thoughts are welcome!?

thanks
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Ashfield
Sent: Tuesday, September 18, 2007 9:49 AM
To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Subject: RE: randomly crashing

> version of FR? modules or backend auth system used?

Using FR 1.1.5 and using mod_auth_ldap for auth
RE: randomly crashing
> version of FR? modules or backend auth system used?

Using FR 1.1.5 and using mod_auth_ldap for auth
randomly crashing
Hi,

We're running FR to authenticate users on our wireless network. It appears that radius is randomly stopping/crashing. I have checked logs, but have been unable to locate the problem and am wondering if someone could point me to a good location to look for reasons for the failure. I've checked the radius.log file for the past 2 failures, and all I see are:

For the 2nd to last failure:

Mon Sep 17 00:30:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:31:30 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 00:31:30 2007 : Auth: Login incorrect: [s3n14] (from client hh2380 port 18045 cli 00-1B-63-C1-7E-00)
Mon Sep 17 00:34:49 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Mon Sep 17 00:34:58 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Sep 17 00:34:58 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:36:03 2007 : Error: Discarding duplicate request from client hh2380:20008 - ID: 173 due to unfinished request 36

And for the latest failure:

Mon Sep 17 12:40:25 2007 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [s8r1z] (from client localhost port 30831 cli 00-1A-73-82-59-7C)
Mon Sep 17 12:40:25 2007 : Auth: Login incorrect: [s8r1z] (from client hh2380 port 30831 cli 00-1A-73-82-59-7C)
Mon Sep 17 12:40:33 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 12:40:33 2007 : Auth: Login incorrect: [c264c] (from client hh2380 port 30784 cli 00-11-24-C6-90-7E)

In my /var/log/messages file there's nothing related to the failures.

We use the following to start FR:

/usr/local/sbin/radiusd -y

Any advice is appreciated.

Matt
[EMAIL PROTECTED]
peap in users file?
Hi

I'm trying to do PEAP authentication against a user listed in my users file instead of an AD or LDAP. I'm just doing this initially for some proof of concept stuff. I'm wondering how I need to set up the user in the users file? Currently my entry looks like:

testuser User-Password == abc.123, Tunnel-Private-Group-Id=staff

But when I run in debug mode I'm getting the following, which indicates to me perhaps I'm not setting the password correctly:

modcall: entering group MS-CHAP for request 7
Thu May 24 15:56:47 2007 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 7
Thu May 24 15:56:47 2007 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password.
Thu May 24 15:56:47 2007 : Debug: rlm_mschap: No User-Password configured. Cannot create NT-Password.
Thu May 24 15:56:47 2007 : Debug: rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
Thu May 24 15:56:47 2007 : Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
Thu May 24 15:56:47 2007 : Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Thu May 24 15:56:47 2007 : Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 7
Thu May 24 15:56:47 2007 : Debug: modcall[authenticate]: module mschap returns reject for request 7
Thu May 24 15:56:47 2007 : Debug: modcall: leaving group MS-CHAP (returns reject) for request 7
Thu May 24 15:56:47 2007 : Debug: rlm_eap: Freeing handler
Thu May 24 15:56:47 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 7
Thu May 24 15:56:47 2007 : Debug: modcall[authenticate]: module eap returns reject for request 7
Thu May 24 15:56:47 2007 : Debug: modcall: leaving group authenticate (returns reject) for request 7
Thu May 24 15:56:47 2007 : Debug: auth: Failed to validate the user.

Any advice is appreciated.

Matt
[EMAIL PROTECTED]
Assign Vlan based on Inner Identity (was: Force Inner=Outer identity)
Hi All

I doubt my original post was doable; it probably doesn't make sense to ask FR to be able to force Inner=Outer identity. In that case, would it be possible to perform authorization based on the Inner identity instead of the Outer identity?

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Ashfield
Sent: May 2, 2007 11:29 AM
To: 'FreeRadius users mailing list'
Subject: Force Inner=Outer identity

Hi All

Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our monitoring software, it displays the user's outer identity. Problem is, a user can specify any userID as its outer identity and as long as it's a valid outer identity, that's what shows up in our monitoring software. Makes user tracking quite difficult. Is there any way to force a user's outer identity to equal their inner identity?

Thanks
Matt Ashfield
[EMAIL PROTECTED]
Force Inner=Outer identity
Hi All

Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our monitoring software, it displays the user's outer identity. Problem is, a user can specify any userID as its outer identity and as long as it's a valid outer identity, that's what shows up in our monitoring software. Makes user tracking quite difficult. Is there any way to force a user's outer identity to equal their inner identity?

Thanks
Matt Ashfield
[EMAIL PROTECTED]
problem with Dell connection manager?
HI All

We are running our wireless using FR to authenticate against LDAP. A user can login on a laptop, no problem, but when he then goes to a Dell laptop which uses a Dell Connection Manager program, it fails. The odd thing is that in both cases there is an Access-Accept packet going out, except for the Dell, it does not assign a vlan (which is probably why it's failing). Since it's the same userID logging in, I'm not sure why the vlan is not being passed. The only thing I can see is that the username field in the Access-Request is preceded by \\ in the case of the Dell, and not so in the case of the working laptop.

Here's the Access-Request from the one that works:

rad_recv: Access-Request packet from host 172.17.0.1:20001, id=166, length=144
NAS-Port-Id = 2049/1
Calling-Station-Id = 00-15-E9-D9-94-85
Called-Station-Id = 00-15-E8-E0-E6-00:[EMAIL PROTECTED]
Service-Type = Framed-User
EAP-Message = 0x02010008016d6461
User-Name = mda
NAS-Port = 4596
NAS-Port-Type = Wireless-802.11
NAS-Identifier = nortel
NAS-IP-Address = 172.17.0.1

And here is the Access-Request from the one that does not work (notice the username field):

rad_recv: Access-Request packet from host 172.17.0.1:20001, id=161, length=146
NAS-Port-Id = 2049/1
Calling-Station-Id = 00-13-02-77-97-CB
Called-Station-Id = 00-15-E8-E0-E6-00:[EMAIL PROTECTED]
Service-Type = Framed-User
EAP-Message = 0x02010009015c6d6461
User-Name = \\mda
NAS-Port = 4593
NAS-Port-Type = Wireless-802.11
NAS-Identifier = nortel
NAS-IP-Address = 172.17.0.1

In both cases there is an access-accept, but vlan is only returned in the case of the first one. Any ideas on a workaround? Thanks for any advice.

Cheers

Matt Ashfield
[EMAIL PROTECTED]
RE: NAS not accepting the Access-Accept?
Ok thanks! I am definitely seeing the NAS request Administrative-User in the Access-Request packet. I guess I wasn't returning it! Thanks for your help.

Matt

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: April 24, 2007 3:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: NAS not accepting the Access-Accept?

Matt Ashfield wrote:
HI, I have a network switch that I'm trying to configure to allow Console port authentication via RADIUS. In the documentation of the switch it says: To provide each user with appropriate levels of access to the switch, set the following username attributes on your RADIUS server:
- R/W access -- Set the Service-Type field value to Administrative
- Read-Only -- set the Service-Type field value to NAS-Prompt
So, in my users file, I have defined a user:
testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
Which matches if there's a request for administrative user.

You also have to acknowledge that request in the response, otherwise the NAS will not let the administrator in:

testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
	Service-Type := Administrative-User

However, when I run a packet capture, I see that no Radius attributes are being passed back to the NAS device. Shouldn't I be seeing the Administrative-User attribute?

If you don't tell the server to send it back, no.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: restricting users access to clients?
HI,

I realize this was a thread from over a month ago, but thought I'd ask anyway. I have my original post, followed by your reply, followed by my new question.

First off, my original post:

We're using FreeRadius to authenticate our wireless users (whose credentials are stored in LDAP). But we'd also like to use it to authenticate a select few users who need access to our networking gear. Our networking gear is setup to do this, but I'm not sure how to set this up in FreeRadius. I would assume that you'd specify in the clients.conf section which users are allowed access to that device, but in looking at the documentation for clients.conf, that doesn't seem to be the case.

And your reply:

You would want to use the special username DEFAULT. (Check the man page for users(5).) What I did (although this might be slightly hackish.) is I took a look at the attributes in the request that was being sent by the supplicant. I looked for attributes that were different between the wireless users and the network equipment users. For example, you might want to do something like:

admin1 NAS-Port-Type == Virtual, Auth-Type = LDAP
admin2 NAS-Port-Type == Virtual, Auth-Type = LDAP
# This matches everyone else
DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
# This will match all wireless users
DEFAULT NAS-Port-Type == Wireless-802.11, Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able to login via LDAP. You may need to configure some kind of Fall-Through if you want users to authenticate using some other mechanism in addition to LDAP. So this is not without its limitations, but this should give you some ideas to start from.
-- John Guthrie [EMAIL PROTECTED]

My question here is, would doing what you mentioned above eliminate the possibility of users other than admin1 or admin2 authenticating to the network via that switch? What we're trying to do is rather odd I guess. On one hand, we want to use the switch as an 802.1x device for regular use. So it has to be able to authenticate at the switch port level via 802.1x. We currently have huntgroups for that and it works. We'd ALSO like to be able to use Radius to authenticate our comms staff when they telnet/login to switches mgmt interfaces. So while I think your suggestion above would work for that part, it would at the same time deny all my 802.1x users because of the Reject statement? I'm a bit confused, so any help is appreciated.

Cheers

Matt
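The two requirements in this thread (management logins for a few named people, 802.1x for everyone else) and the Service-Type point from the "NAS not accepting the Access-Accept?" thread above fit in one users file, shown here as an added example that is not from either thread. Entries are tried top to bottom and the first match without Fall-Through = Yes ends the search, so a Reject entry keyed on NAS-Port-Type == Virtual only ever sees management logins: an 802.1x request carries NAS-Port-Type = Ethernet (wired) or Wireless-802.11 and skips straight past it. The switch address, huntgroup name and VLAN id are assumed values.

```text
# raddb/users (FreeRADIUS 2.x). First matching entry wins unless it sets
# Fall-Through = Yes, so order matters.

# 1. Management logins (telnet/ssh to the switch CLI) arrive with
#    NAS-Port-Type = Virtual. Only the named admins match, and the reply
#    acknowledges the Administrative-User level the switch asked for.
#    (NAS-IP-Address == 172.16.8.30 could be added to pin this to one switch.)
admin1  NAS-Port-Type == Virtual
        Service-Type := Administrative-User
admin2  NAS-Port-Type == Virtual
        Service-Type := Administrative-User

# 2. Anybody else who reaches a CLI is refused. This entry only matches
#    NAS-Port-Type == Virtual, so 802.1x requests never reach it.
DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
        Reply-Message = "Management access is restricted"

# 3. 802.1x port authentication keeps using the existing huntgroup rules;
#    its requests have NAS-Port-Type = Ethernet or Wireless-802.11.
DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 176,
        Fall-Through = No
```

The admin entries carry no Auth-Type: the password check comes from whatever the authorize and authenticate sections already do for every user (on this page, the ldap module), so admins authenticate exactly as wireless users do and only the authorization differs.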
suggestions for multiple vlans in hundreds of switches
Hi,

We'd like to use FR to assign users on our wired network to one of 30 different vlans on campus, based on an LDAP field. Currently, we are doing this with huntgroups. Namely, we create a huntgroup for the NAS (in our case, a network switch), and then in the users file, we put the following:

DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
	User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=176, Tunnel-Type=VLAN, Fall-Through = no
DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
	User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=177, Tunnel-Type=VLAN, Fall-Through = no

And so on...for other groups of user like faculty, admin, etc.. This seems to work. The issue is scale. I would conceivably have to have a huntgroup definition in the huntgroups file for each NAS. And if I wanted 30 vlans, I'd have to have 30 definitions like the ones above in my users file for EACH one of my NASes. I'm sure there's a simpler way of doing things that I'm missing. Any advice is appreciated.

Thanks

Matt
[EMAIL PROTECTED]
RE: suggestions for multiple vlans in hundreds of switches
I was afraid someone would say that! Haha

Matt

-Original Message-
From: Donny Jekels [mailto:[EMAIL PROTECTED]
Sent: April 19, 2007 10:57 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: suggestions for multiple vlans in hundreds of switches

you could extend your ldap schema and add a field for the vlan a user should belong to. then all you would need is to query that field and propagate the variable.

Tunnel-Private-Group-Id=`%{private-vlan}`

On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
Hi, We'd like to use FR to assign users on our wired network to one of 30 different vlans on campus, based on an LDAP field. Currently, we are doing this with huntgroups. Namely, we create a huntgroup for the NAS (in our case, a network switch), and then in the users file, we put the following:
DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
	User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=176, Tunnel-Type=VLAN, Fall-Through = no
DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
	User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=177, Tunnel-Type=VLAN, Fall-Through = no
And so on...for other groups of user like faculty, admin, etc.. This seems to work. The issue is scale. I would conceivably have to have a huntgroup definition in the huntgroups file for each NAS. And if I wanted 30 vlans, I'd have to have 30 definitions like the ones above in my users file for EACH one of my NASes. I'm sure there's a simpler way of doing things that I'm missing. Any advice is appreciated.
Thanks
Matt
[EMAIL PROTECTED]
RE: suggestions for multiple vlans in hundreds of switches
Yeah, there's that too. We need to create these vlans within the edge switches as well. Once created, you shouldn't have to touch them again. Or you don't create them at the edge, and instead just create them in the core, however that kind of kills the advantage of extending your vlans to the edge.

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-Original Message-
From: robinson santos [mailto:[EMAIL PROTECTED]
Sent: April 19, 2007 12:31 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: suggestions for multiple vlans in hundreds of switches

Matt, how about the configuration that you have to have in the switch? Can you help me?

Robinson
[EMAIL PROTECTED]

On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
Hi, We'd like to use FR to assign users on our wired network to one of 30 different vlans on campus, based on an LDAP field. Currently, we are doing this with huntgroups. Namely, we create a huntgroup for the NAS (in our case, a network switch), and then in the users file, we put the following:
DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
	User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=176, Tunnel-Type=VLAN, Fall-Through = no
DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
	User-Name=`%{User-Name}`, Tunnel-Private-Group-Id=177, Tunnel-Type=VLAN, Fall-Through = no
And so on...for other groups of user like faculty, admin, etc.. This seems to work. The issue is scale. I would conceivably have to have a huntgroup definition in the huntgroups file for each NAS. And if I wanted 30 vlans, I'd have to have 30 definitions like the ones above in my users file for EACH one of my NASes. I'm sure there's a simpler way of doing things that I'm missing. Any advice is appreciated.
Thanks
Matt
[EMAIL PROTECTED]
assigning vlan based on NAS and LDAP field?
HI all,

We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a vlan based on that. Pretty simple and it works. However, there are two issues with this:

1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NASes are different than ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same vlan ids and the same vlan eligibility rules (ie staff get vlan x and student get vlan y) in order for this to work. I guess I'm hoping there is a way to assign different vlans based on the NAS ip address in addition to the student/staff distinction.

2. This follows into our future wired side implementation of 802.1x. In this case, we don't want our staff/student wired users to be assigned to the same vlans as they would be if they were on wireless. Rather we'd prefer to break them up based on their NAS or something like that.

Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.

Thanks

Matt
[EMAIL PROTECTED]
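Both questions in this post, and the scaling worry in the "multiple vlans in hundreds of switches" thread above, come down to the same property of the huntgroups file: a huntgroup name may appear on as many lines as there are NASes, so one name can stand for every switch or AP at a site, and the users file then needs one entry per (site, group) rather than per (NAS, group). NAS-Port-Type separates wired 802.1x from wireless at the same site. This is an added example, not configuration from the thread; the addresses, huntgroup names and VLAN ids are constructed.

```text
# raddb/huntgroups: the same name on several lines, one per NAS.
# Any check item is allowed here; NAS-IP-Address is the usual one.
# (10.x.x.x addresses are constructed placeholders.)
campusA   NAS-IP-Address == 10.1.0.11
campusA   NAS-IP-Address == 10.1.0.12
campusA   NAS-IP-Address == 10.1.0.13
campusB   NAS-IP-Address == 10.2.0.11
campusB   NAS-IP-Address == 10.2.0.12

# raddb/users: one entry per (site, access type, LDAP group).
# Wireless staff at campus A
DEFAULT Huntgroup-Name == campusA, NAS-Port-Type == Wireless-802.11, Ldap-Group == staff
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 176,
        Fall-Through = No
# Wired 802.1x staff at campus A get a different VLAN
DEFAULT Huntgroup-Name == campusA, NAS-Port-Type == Ethernet, Ldap-Group == staff
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 276,
        Fall-Through = No
# Students at campus A, any access type
DEFAULT Huntgroup-Name == campusA, Ldap-Group == student
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 177,
        Fall-Through = No
# The sister campus has its own VLAN numbering
DEFAULT Huntgroup-Name == campusB, Ldap-Group == staff
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 376,
        Fall-Through = No
DEFAULT Huntgroup-Name == campusB, Ldap-Group == student
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 377,
        Fall-Through = No
```

Huntgroup-Name is set by the preprocess module (its `huntgroups = ${confdir}/huntgroups` setting in 2.x), so `preprocess` has to run in authorize before `files`. With this layout the users file grows with the number of sites times groups, and adding a switch is a one-line change to huntgroups only.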
timeouts through a firewall?
Hi All

We are seeing the following error:

Error: rlm_ldap: ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.

Our radius server talks to our LDAP server through a firewall. I'm wondering if this has to do with the session lifetime setting on the firewall? If there are no authentications taking place (we're in testing mode, and it was at least 2-3 hours between client authentications), then I guess this connection/session could be timed out by the firewall? I just want to know if that makes sense before approaching the firewall guys and asking to increase the timeout.

Thanks

Matt
[EMAIL PROTECTED]
restricting users access to clients?
Hi,

We're using FreeRadius to authenticate our wireless users (whose credentials are stored in LDAP). But we'd also like to use it to authenticate a select few users who need access to our networking gear. Our networking gear is setup to do this, but I'm not sure how to set this up in FreeRadius. I would assume that you'd specify in the clients.conf section which users are allowed access to that device, but in looking at the documentation for clients.conf, that doesn't seem to be the case. Any links/advice is appreciated.

Thanks

Matt
[EMAIL PROTECTED]
RE: restricting users access to clients?
Ok, the users file it is! Thanks! I guess I was hoping for a link to an example of some sort. Because the user who would be given access is not explicitly defined in the users file (the user is defined in LDAP), I'm not sure how to setup a rule for that person.

Thanks again,

Cheers

Matt
[EMAIL PROTECTED]

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: March 14, 2007 3:50 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: restricting users access to clients?

Matt Ashfield wrote:
We're using FreeRadius to authenticate our wireless users (whose credentials are stored in LDAP). But we'd also like to use it to authenticate a select few users who need access to our networking gear. Our networking gear is setup to do this, but I'm not sure how to set this up in FreeRadius.

Write rules in the users file.

I would assume that you'd specify in the clients.conf section which users are allowed access to that device, but in looking at the documentation for clients.conf, that doesn't seem to be the case.

No. The clients.conf file just defines clients. It doesn't do anything more than that. There's no reason code couldn't be written to permit that, though...

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
EAP and System users?
Hi,

We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users. We can get it to do one or the other, but not both. Is it possible to do both? If so, how?

Thanks

Matt
[EMAIL PROTECTED]
RE: EAP and System users?
I guess what I meant was that we'd want to authenticate the user in one of two ways: (1) as a System User. So the client's credentials would be compared against the system users, OR, if no such user exists (2) verify the client against credentials stored in LDAP. Both of these scenarios work individually. Meaning I can configure FR to authenticate System users. I can also configure FR to authenticate against LDAP. But we cannot seem to combine them and offer both options.

Matt
[EMAIL PROTECTED]

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: March 9, 2007 11:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP and System users?

Matt Ashfield wrote:
We've been working on having a setup that can authenticate users against LDAP via EAP (Chap) as well as System users.

http://deployingradius.com/documents/protocols/compatibility.html

LDAP doesn't do CHAP, so I'm not sure what you mean. The only EAP methods that are compatible with /etc/password are EAP-GTC, or TTLS with tunneled PAP.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: guest access?
I've uncommented the unix line in authenticate and left the /etc/shadow, /etc/group, /etc/password files commented out of the unix module definition part:

unix {
	cache = no
	cache_reload = 600
	#passwd = /etc/passwd
	#shadow = /etc/shadow
	#group = /etc/group
	radwtmp = ${logdir}/radwtmp
}

but am still getting the following in my log:

Auth: rlm_unix: [baduser]: invalid password
Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 0
Debug: modcall[authenticate]: module unix returns reject for request 0

I am 100% positive I'm putting the password in correctly. The user baduser has a shell of /sbin/nologin. Would that account for any of this?

Thanks

Matt
[EMAIL PROTECTED]

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: March 2, 2007 4:47 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: guest access?

Matt Ashfield wrote:
Now I know Alan does not recommend DEFAULT Auth-Type, but for here, I think it might be necessary. So in my users file, I added the following:
DEFAULT Auth-Type := System
	Fall-Through = Yes

Don't use :=, use =.

Thinking that would allow my users who have accounts on the server to login. However, that is not working because in the logs in debug mode I see:
Debug: modcall: group authorize returns ok for request 0
Debug: rad_check_password: Found Auth-Type System
Debug: auth: type System
Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Debug: auth: Failed to validate the user.

You deleted the unix entry from the authenticate section.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
guest access?
Hi,

I'm using EAP-TTLS-PAP against LDAP, however I want to provide guest access to users without adding these users to the LDAP directory. I know I could add them as local users to the /etc/raddb/users file, but that would involve a SIGHUP, and I'd prefer to avoid that if I could. Instead, what I'd like to do is create a user account on the radius server itself (with nologin, and an expiry, no rights, etc..). This could be done on-the-fly and therefore require no such SIGHUP.

Now I know Alan does not recommend DEFAULT Auth-Type, but for here, I think it might be necessary. So in my users file, I added the following:

DEFAULT Auth-Type := System
	Fall-Through = Yes

Thinking that would allow my users who have accounts on the server to login. However, that is not working because in the logs in debug mode I see:

Debug: modcall: group authorize returns ok for request 0
Debug: rad_check_password: Found Auth-Type System
Debug: auth: type System
Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Debug: auth: Failed to validate the user.

I'm sure it's something small I'm missing, but can't find it. That or this is not possible and I'm missing the reason why for that too! Any advice is appreciated.

Thanks

Matt
[EMAIL PROTECTED]
group question
Hi,

I'm trying to set up a restricted users group to deny access to users so I don't have to create an entry for each one in the users file. Based on the WIKI FAQ, I found:

The following entry denies access to a group of users. The same restrictions as above on location in the raddb/users file also apply:

DEFAULT Group == disabled, Auth-Type := Reject
	Reply-Message = Your account has been disabled

But where do I specify that group disabled? Is that a group on my linux system or is that group defined within Radius, and if so, where?

Thanks

Matt
[EMAIL PROTECTED]
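The FAQ entry in the two-line users layout, plus its LDAP counterpart, added here as an example and not taken from the thread. Group is a check item that FreeRADIUS compares against the local /etc/group of the RADIUS host (the comparison is registered by the unix module), so "disabled" in the FAQ entry is a Unix group on that machine. For accounts that exist only in the directory, the Ldap-Group check item does the same job against the group membership attribute configured in the ldap module, as the other threads on this page use it; the group names are the FAQ's, the layout and the second entry are assumed.

```text
# raddb/users. Put these above any DEFAULT entry that would otherwise
# accept the user: the first matching entry wins.

# "disabled" here is a group in /etc/group on the RADIUS server itself.
DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled"

# Same idea for users held only in LDAP: "disabled" is then a value of the
# group membership attribute the ldap module is configured with.
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled"
```

Ldap-Group is only populated once the ldap module has run for the request, so the ldap module must be listed in authorize before files for the second entry to see it.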
pap/peap confusion
I'm poring through the alphabet soup of all of this and have a few questions that keep popping up.

During a pap conversation, the radius server ends up with the username/password passed to it from the client. It then encrypts the password to match the encryption of the stored password in ldap (or other directory) and tries a bind. Correct?

During a PEAP conversation, the radius server also would end-up with a username/password received from the client (either via clear-text or via the mschap conversation). Why can it not then encrypt the password just like PAP did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?

Thanks for any info.

Matt
[EMAIL PROTECTED]
RE: EAP-PEAP/MS-ChapV2 password storing options
Thanks for the link! BTW, I have nothing against SecureW2, but if we don't have to install an extra piece of software on 10,000 computers on campus, I'd like to avoid it!

Matt

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: February 13, 2007 2:57 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP-PEAP/MS-ChapV2 password storing options

Matt Ashfield wrote:
We're trying to implement username/password authentication and so far are using EAP-PAP (with secureW2 client) because our passwords are stored in LDAP in a 1-way encrypted hash.

What's EAP-PAP?

We're hoping to get away from this secureW2 implementation and would like to use Windows built-in authentication, which seems to be EAP-PEAP with MS-ChapV2 authentication.

What's wrong with SecureW2?

In order to get EAP-PEAP/MS-ChapV2 to work with FreeRadius, what are my options for storing the password in LDAP? Does it have to be clear-text?

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
EAP-PEAP/MS-ChapV2 password storing options
Hi All,

I'm sure this is a simple question, and I thought I'd pose it here in hopes of a quick response. We're trying to implement username/password authentication and so far are using EAP-PAP (with secureW2 client) because our passwords are stored in LDAP in a 1-way encrypted hash. We're hoping to get away from this secureW2 implementation and would like to use Windows built-in authentication, which seems to be EAP-PEAP with MS-ChapV2 authentication. As such, we're meeting with the LDAP folks to negotiate how to store passwords in LDAP...soo...my question is: In order to get EAP-PEAP/MS-ChapV2 to work with FreeRadius, what are my options for storing the password in LDAP? Does it have to be clear-text?

Thanks

Matt
[EMAIL PROTECTED]
a bit off-topic policy question
Hi All

We're in the process of setting up our wireless system to use radius authentication against our usernames/passwords which are stored in LDAP. We have come across an issue in testing the radius server. We are using Freeradius. The way we have this setup is quite standard (I hope). The user associates to the AccessPoint (AP) and is prompted for authentication credentials for access to the network. The AP sends the client's username/password credentials to the Radius server. This connection is secured. The Radius server then attempts to bind to the ldap server (again, a secured connection) using the client's credentials.

The issue we have is when running the Radius server in debug mode with full log-level, we see the client's username and password in clear-text as it attempts to bind to the LDAP server. Certainly we could change the debug mode level to not see this, but the fact that the ability to see that is available is troubling. I'm sure many others on this list use FreeRadius and I'm wondering what sort of policies you have in place to address this security risk. Anyone with high-level access to the box could certainly login, make a change to the debug level and capture sensitive login information.

Any advice/feedback is appreciated.

Thanks

Matt
[EMAIL PROTECTED]
authenticating question
Hi all,

This is probably a bit newbie-ish, but I thought I'd try anyway. We are trying to authenticate users based on the username/password given AND the vlan they are authenticating from. Is this possible? A quick overview of our scenario is as follows:

- Wireless service offering an SSID/VLAN for students and SSID/VLAN for staff.
- Users connect to an SSID and are in the vlan associated for it. They are redirected to a portal where they must authenticate using radius-to-ldap authentication.

We have this working. However, the question came up..what if a student connects to the Staff SSID/VLAN. His username/password would still authenticate correctly and he'd be given access at this point. But if we could get Radius to check an LDAP field which says which vlan he has access to, and allow or deny access to the network if the user is not currently in that vlan, then I guess that would be the ideal solution.

Any suggestions are welcome.

Thanks

Matt
[EMAIL PROTECTED]
RE: authenticating question
Ok, Well that might be what I'm looking for. How do you get Radius to check for username,password and vlan/ssid? Can you do a quick cut/paste job of what I need to place in my conf files? Also what AP's are you using that allow you to get them to send the ssid/vlan to Radius? Just curious

Thanks!

Matt
[EMAIL PROTECTED]

-Original Message-
From: Garber, Neal [mailto:[EMAIL PROTECTED]
Sent: October 25, 2006 11:57 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: RE: authenticating question

We are trying to authenticate users based on the username/password given AND the vlan they are authenticating from. Is this possible?

Yes, if you can pass the information to freeradius. We currently do this by having our APs pass the SSID to which the user is connecting. It sounds like you aren't authenticating from the AP though, so you would need to do it differently. If you are authenticating from the portal and you have control over what it passes, then you can pass an attribute with the SSID or VLAN info. and then validate it during the authorize stage of freeradius processing.
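One way to write the check Neal describes in the users file, added as an example that is not from the thread. It is for the case where the AP itself is the NAS and appends the SSID to Called-Station-Id as "AP-MAC:SSID" (the form the Called-Station-Id values in the Dell thread on this page take), and it assumes the affiliation-to-Ldap-Group mapping used in the other threads here. Entries are tried in order: a staff member on the staff SSID matches the first entry, gets the VLAN and stops; anyone else who reached that SSID falls to the Reject entry. The VLAN ids are constructed.

```text
# raddb/users (FreeRADIUS 2.x). Assumes Called-Station-Id = "<AP MAC>:<SSID>".

# Staff SSID: only members of the LDAP group "staff" are accepted.
DEFAULT Called-Station-Id =~ ":staff$", Ldap-Group == staff
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 176,
        Fall-Through = No

# Everyone else who authenticated on the staff SSID is refused, even
# though their password is valid.
DEFAULT Called-Station-Id =~ ":staff$", Auth-Type := Reject
        Reply-Message = "This SSID is for staff; use the student network"

# The student SSID mirrors the two entries above.
DEFAULT Called-Station-Id =~ ":student$", Ldap-Group == student
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 177,
        Fall-Through = No
DEFAULT Called-Station-Id =~ ":student$", Auth-Type := Reject
        Reply-Message = "This SSID is for students; use the staff network"
```

When the portal is the NAS instead, the same pair of entries works against whatever attribute the portal is configured to send (Neal's suggestion), with that attribute replacing Called-Station-Id in the check items. Either way the ldap module has to run before files in authorize so that Ldap-Group can be evaluated.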
RE: assigning vlan based on LDAP attribute
I'm a bit confused on this one. I want my users vlan'd based on their affiliation (ie, staff, student) In my radiusd.conf file, under ldap, I've put:

groupmembership_attribute = eduPersonPrimaryAffiliation

Do I need to do more in my radiusd.conf file than that? I assume this means assign them to a group based on the value stored in the LDAP field eduPersonPrimaryAffiliation

I then added to my users file:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
	User-Name=`%{User-Name}`, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=2, Tunnel-Type=VLAN, Fall-Through = no

But this doesn't seem to work. My staff users do not get assigned to vlan 2. Do I need to make a huntgroup for myAP? If there's a link to an overview or something, it would be much appreciated. Any help is appreciated.

Thanks

Matt
[EMAIL PROTECTED]

-Original Message-
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: July 28, 2006 5:37 PM
To: FreeRadius users mailing list; Thibault Le Meur
Cc: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: assigning vlan based on LDAP attribute

One way to do that is to use LDAP groups. If your users are in dedicated LDAP groups, then a rule like the following in your users file will do the trick:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
	User-Name=`%{User-Name}`, radiusTunnelMediumType: IEEE-802 radiusTunnelType: VLAN radiusTunnelPrivateGroupId: 2 Fall-Through = no

Sorry... my mistake, use the following rule instead:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == Engineering
	User-Name=`%{User-Name}`, Tunnel-Medium-Type=IEEE-802 Tunnel-Private-Group-Id=2 Tunnel-Type=VLAN Fall-Through = no

Thibault
RE: RE : assigning vlan based on LDAP attribute
My ldap section from radiusd.conf looks like:

ldap {
	server = ldapserver.net.org
	identity = uid=name,dc=net,dc=org
	password = password
	basedn = ou=stuff,dc=net,dc=org
	filter = (uid=%{Stripped-User-Name:-%{User-Name}})
	start_tls = no
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	password_attribute = userPassword
	groupmembership_attribute = eduPersonPrimaryAffiliation
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

My users file contains the following at the end:

DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
	User-Name=`%{User-Name}`, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=2, Tunnel-Type=VLAN, Fall-Through = no

My huntgroups file has:

myAP	NAS-IP-Address == x.x.x.141

In my Debug I noticed that although I have them commented out of radiusd.conf, I still see:

Debug: ldap: groupname_attribute = cn
Debug: ldap: groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

You asked:
* is your AP accepting Tunnel-Private-Group-Id=2 (I've got AP which uses other format).
How do I check that?

Thanks

Matt

-Original Message-
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: September 27, 2006 1:36 PM
To: [EMAIL PROTECTED]
Cc: 'FreeRadius users mailing list'
Subject: RE : assigning vlan based on LDAP attribute

I'm a bit confused on this one. I want my users vlan'd based on their affiliation (ie, staff, student) In my radiusd.conf file, under ldap, I've put: groupmembership_attribute = eduPersonPrimaryAffiliation

That's a good start, but sending the whole ldap configuration section would help.

Do I need to do more in my radiusd.conf file than that?

I think you should check that you do not have groupname_attribute and groupmembership_filter set.

I assume this means assign them to a group based on the value stored in the LDAP field eduPersonPrimaryAffiliation I then added to my users file:
DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
	User-Name=`%{User-Name}`, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=2, Tunnel-Type=VLAN, Fall-Through = no

There are several things to check here:
* is the NAS-IP-ADDRESS of the AccessPoint defined in the huntgroup myAP in your huntgroups file ?
* is your AP accepting Tunnel-Private-Group-Id=2 (I've got AP which uses other format).
The best way to check this is to stop your radius server and run it manually with radiusd -X. Then send the debug log to the list (take care passwords are written cleartext).

But this doesn't seem to work. My staff users do not get assigned to vlan 2. Do I need to make a huntgroup for myAP?

Of course... Unless you remove the Huntgroup-Name == myAP, check item

HTH,
Thibault
assigning vlan based on LDAP attribute
Hi All,

I'm trying to add a user to a vlan based on an ldap attribute. I've checked out:

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

and saw the following would have to be added to the user's ldap record:

    radiusTunnelMediumType: IEEE-802
    radiusTunnelType: VLAN
    radiusTunnelPrivateGroupId: 2

If I don't want to actually insert that into the LDAP database, is it possible for Radius to figure out which vlan to assign to based on some other already existing LDAP attribute? For example, if I want to assign users whose userDepartment attribute equals ITS into vlan 3 and those whose userDepartment attribute equals HR into vlan 4?

If so, could you give me a link to how to do that, or explain briefly?

Thanks for your time,

Matt
[EMAIL PROTECTED]
RE: 802.1x with mschap-radius-ldap with ssha-1 passwords
Hi,

I'm going to ask a follow-up question here so I'll be better equipped to answer the same question from others when I explain that we cannot do 802.1x-PEAP with ssha-1 passwords stored in ldap.

From what I understand, the reason this won't work is because ssha-1 passwords are 1-way encrypted and therefore cannot be decrypted by the radius server for comparison of user credentials. Correct?

I guess the obvious question is why can't the Radius server simply perform a bind attempt to the LDAP server during authentication, as opposed to trying to compare the password received by the authenticator to the ssha-1 password stored in ldap?

Thanks

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 17, 2006 7:51 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords

Matt Ashfield [EMAIL PROTECTED] wrote:
> I was afraid you'd say that. What would you suggest as a workaround for
> this problem? Could I do EAP-TTLS using the securew2 client instead?

Yes.

> Or am I better off creating a 2nd password attribute on the LDAP
> directory that is maybe encoded as an NT-Password attribute or something
> like that.

That works once everyone changes their password.

Alan DeKok.
RE: EAP-TTLS-PAP-LDAP
I think I'm having similar problems. Trying to do EAP-TTLS against LDAP with passwords stored in ssha-1 I get the following in my debug:

    rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user mda authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 4
    modcall: group authorize returns ok for request 4
    rad_check_password: Found Auth-Type ldap
    auth: type LDAP
    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    auth: Failed to validate the user.

The above seems to indicate to me that I was authorized, but not authenticated? Although in my radiusd.conf, I do have the following which I assumed was correct:

    pap {
        encryption_scheme = sha1
    }

Cheers

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: July 15, 2006 8:09 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TTLS-PAP-LDAP

Rohaizam Abu Bakar wrote:
> Thanks Phil.. what a stupid move to paste all that passwd.. I've changed
> it as soon as i get ur mail... thanks again... cannot find any article
> related to repeating LDAP query for EAP... pls help..

You don't need to worry about the EAP. The EAP is working fine. It's the PAP request that lives inside the EAP that's failing.

> I think the problem coz by RADIUS cannot figure out to set Auth-Type and
> then it require plain passwd.. When I change password to plain. with the
> same setting.. it's working...

It's definitely not that. Auth-Type is being set to Local, probably by the default entries in the users file, and the server is therefore trying to compare the passwords in the PAP requests with the ones from LDAP, which is correct.

But as I said, your LDAP directory contains password of the form {crypt}somebytes. This is breaking it.

You have three choices:

1. Upgrade the server to a version which can correctly deal with the {type} prefixes.

2. Re-format the passwords, either in the LDAP directory or with an external script, so that the {type} is stripped and the value set in the Crypt-Password attribute. For example, in radiusd.conf:

    modules {
        ldap {
            server = ...
            basedn = ...
            # do NOT copy the password attribute here, do it
            # in ldap.attrmap instead - see below for why
            # password_attribute
            # other config items
        }
        exec strip_password_header {
            wait = yes
            program = /usr/local/bin/strip_password_header.sh
            input_pairs = config
            output_pairs = config
        }
    }

    authorize {
        preprocess
        eap
        files
        Autz-Type ttls-inner-bit {
            ldap
            strip_password_header
        }
    }

    authenticate {
        eap
    }

...and in users:

    # Match the PAP inside bit of EAP-TTLS and set the Autz-Type so
    # that we only run the ldap query and crypt password rewrite then
    # Also set Auth-Type to Local so the radius server will check the
    # passwords
    DEFAULT Client-IP-Address == 127.0.0.1, Autz-Type := ttls-inner-bit, Auth-Type := Local

...and in ldap.attrmap:

    checkItem    Crypt-Password    userPassword

...and in /usr/local/bin/strip_password_header.sh:

    #!/bin/sh
    # rlm_exec hands the Crypt-Password check item over as $CRYPT_PASSWORD;
    # drop the {crypt} scheme prefix and hand the bare hash back as a check item
    stripped_pw=`echo "$CRYPT_PASSWORD" | sed -e 's/^{crypt}//g'`
    echo "Crypt-Password := \"$stripped_pw\""

Basically, what this does is:

* do EAP
* when the inner PAP request happens
* fetch the {crypt}foobar from LDAP
* rewrite it to foobar with a script
* let the radius server compare the passwords

3. Stop copying the password over at all, and authenticate the PAP bit with an LDAP simple bind to the directory. See the archives for many posts about LDAP simple bind PAP
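The thread turns on what the server can do with the userPassword value it copies out of LDAP: a cleartext password delivered by PAP inside EAP-TTLS can be checked against a {SSHA} or {SHA} digest, but MS-CHAPv2 inside PEAP needs the NT hash of the password, which no SHA-1 digest yields. The following is an added example, not code from the thread or from FreeRADIUS; it parses the {scheme} prefix the older server choked on, verifies a PAP-style candidate the way a prefix-aware server does, and decodes the {SSHA} value quoted in the debug output above (THREAD_SSHA, copied from the thread; the sample salt and passwords are constructed).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hash value quoted from the thread's rlm_ldap debug line ("Added password ... in check items").
THREAD_SSHA = "{SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA=="
SHA1_LEN = 20


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split an RFC 2307 style userPassword into (SCHEME, payload).

    A value with no {scheme} prefix is cleartext; that is the only stored form
    that can also serve MS-CHAPv2, which needs the NT hash of the password.
    """
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value


def split_ssha(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a {SSHA} value: base64(sha1(pw || salt) || salt)."""
    scheme, payload = parse_userpassword(value)
    if scheme != "SSHA":
        raise ValueError(f"not an SSHA value: {scheme}")
    raw = base64.b64decode(payload)
    if len(raw) < SHA1_LEN:
        raise ValueError("SSHA payload shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password the way OpenLDAP stores {SSHA} (used here to build sample data)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate (as PAP inside EAP-TTLS delivers it) against userPassword."""
    scheme, payload = parse_userpassword(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(payload), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        digest, salt = split_ssha(stored)
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    # {crypt} needs crypt(3); an unknown scheme must fail closed rather than match.
    raise ValueError(f"unsupported userPassword scheme: {scheme}")


def usable_for_mschapv2(stored: str) -> bool:
    """MS-CHAPv2 (PEAP) needs the NT hash, so only cleartext storage can serve it."""
    return parse_userpassword(stored)[0] == "CLEARTEXT"


if __name__ == "__main__":
    digest, salt = split_ssha(THREAD_SSHA)
    print(f"thread hash: {len(digest)}-byte digest, {len(salt)}-byte salt")
    sample = make_ssha("correct horse", bytes(range(8)))  # constructed sample entry
    print(verify_pap(sample, "correct horse"), verify_pap(sample, "wrong"))
    print(usable_for_mschapv2(sample), usable_for_mschapv2("plainpw"))
```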
RE: RE : EAP-TTLS-PAP-LDAP
Nope, it's in my authorize section which is:

    authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        ldap
    }

My authenticate section (notice LDAP is commented out):

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
    #   Auth-Type LDAP {
    #       ldap
    #   }
        eap
    }

The first line in my users file for my Access Point is:

    DEFAULT Auth-Type = ldap
        Fall-Through = 1

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-----Original Message-----
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: July 18, 2006 1:00 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: RE : EAP-TTLS-PAP-LDAP

> rad_check_password: Found Auth-Type ldap
> auth: type LDAP
> ERROR: Unknown value specified for Auth-Type. Cannot

Is the ldap module defined in your authenticate section ?

Regards,
Thibault
802.1x with mschap-radius-ldap with ssha-1 passwords
Hi All

I'm trying to do 802.1x authentication using freeradius against an LDAP directory which stores the userPassword in an ssha-1 hash. My question is, is this possible? If so, how do I configure mschap for ssha-1 passwords?

Thanks for your time/advice,

Cheers

Matt
RE: 802.1x with mschap-radius-ldap with ssha-1 passwords
I was afraid you'd say that. What would you suggest as a workaround for this problem? Could I do EAP-TTLS using the securew2 client instead? Or am I better off creating a 2nd password attribute on the LDAP directory that is maybe encoded as an NT-Password attribute or something like that.

Thanks

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 17, 2006 4:00 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: 802.1x with mschap-radius-ldap with ssha-1 passwords

Matt Ashfield [EMAIL PROTECTED] wrote:
> I'm trying to do 802.1x authentication using freeradius against an LDAP
> directory which stores the userPassword in an ssha-1 hash. My question
> is, is this possible? If so, how do I configure mschap for ssha-1
> passwords?

You don't. It's impossible.

Alan DeKok.
certificate requirements for EAP-PEAP using Radius-to-LDAP
Hi All

I'm trying to do EAP-PEAP (with MSCHAPv2) radius authentication against an LDAP database with my passwords stored in clear text on the directory. I'm thinking my issues right now are with certificates. Can someone give me a quick explanation of what certificate requirements I need to have on my radius server for doing the NAS-radius conversation as well as the ldap authorization. Also, what certificates do I need for/from the LDAP server?

Thanks

Matt
[EMAIL PROTECTED]
RE: an infamous LDAP-FreeRadius question
Well, I think my TLS session is getting created. From what I can tell, it's the password part of it that's hurting me. I've attached output of my radius server debugging and my eap.conf file as well in hopes that someone could tell me what I'm doing wrong. Any helpful comments are appreciated.

Thanks

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Zoltan Ori [mailto:[EMAIL PROTECTED]
Sent: July 11, 2006 12:33 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: Re: an infamous LDAP-FreeRadius question

On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> When I try to connect via 802.1x from a wireless client my Radius server
> debugging looks like below. Obviously the TLS session is not being setup
> correctly. I'm wondering about the private_key_password attribute. I just
> set it to whatever but that needs to correspond to a user on the LDAP
> server doesn't it? I'm not sure that's been set up.

You might try not using an ldaps connection if your LDAP server allows it. Comment out all the TLS in the ldap section. This TLS/SSL connection to your LDAP server is a separate issue from 802.1x. That's just between the RADIUS server and LDAP. Once you've got everything else going, go back and work with the ldaps.

The main thing is to change only one thing at a time. Then you'll know exactly what broke it and what didn't.

I believe you had LDAP working before, didn't you?
Zoltan Ori

rad_recv: Access-Request packet from host x.x.x.201:6001, id=9, length=117
        User-Name = mda
        NAS-IP-Address = x.x.x.201
        Called-Station-Id = 00-02-2d-47-01-c4
        Calling-Station-Id = 00-0e-35-36-48-f2
        NAS-Identifier = AP3WJD
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02020008016d6461
        Message-Authenticator = 0xed8b747d2337a8e91d9d695c7a538032
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = mda, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched DEFAULT at 153
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=people,dc=xxx,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.xxx.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/20060206_ldap2_xxx_ca.crt
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as uid=authentication,dc=xxx,dc=ca/ to ldap2.xxx.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=xxx,dc=ca, with filter (uid=mda)
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 9 to x.x.x.201:6001
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x12781dbe4ad8a8b6a39a6b1a10a66ff3
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host x.x.x.201:6001, id=10, length=207
        User-Name = mda
        NAS-IP-Address = x.x.x.201
        Called-Station-Id = 00-02-2d-47-01-c4
        Calling-Station-Id = 00-0e-35-36-48-f2
        NAS-Identifier = AP3WJD
        State = 0x12781dbe4ad8a8b6a39a6b1a10a66ff3
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02030050198000461603010041013d030144b4f47a9fe11441f57ca9dd26d559c7c46019c948498eda8473ea16c02bb7f41600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x0da3857c6f17213069273929fbadb4a1
RE: an infamous LDAP-FreeRadius question
I have LDAP configured and can do a cleartext radius authentication using username/passwords (using radtest). What I'd like to do is take the next step and do 802.1x authentication for my windows clients and I suppose that's where I was hoping to find some clean-cut instructions on this as I've seen quite a few threads concerning this but as mentioned in my initial email, they can be tough to follow.

Thanks

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 10, 2006 4:51 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: an infamous LDAP-FreeRadius question

Matt Ashfield [EMAIL PROTECTED] wrote:
> What I didn't see (and I apologize if it's there) is if anyone has a HowTo
> or something similar on how to configure Freeradius for authentication
> against LDAP (not active directory) which has usernames and password
> stored on it in cleartext. Presumably I'd be using PEAP for this.

The O'Reilly LDAP book has a good chapter on this.

Other than that, just configure LDAP. It should read the passwords automatically (see ldap.attrmap). If you can get CHAP to work against LDAP, PEAP should follow immediately.

Alan DeKok.
RE: an infamous LDAP-FreeRadius question
Actually, I only have the ldap -to- radius authentication when doing a radtest. There's no eap involved at that point. I think my issue of adding the EAP/802.1x stuff is where I'm hitting the snag.

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]

-----Original Message-----
From: Zoltan Ori [mailto:[EMAIL PROTECTED]
Sent: July 11, 2006 12:33 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: Re: an infamous LDAP-FreeRadius question

On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> When I try to connect via 802.1x from a wireless client my Radius server
> debugging looks like below. Obviously the TLS session is not being setup
> correctly. I'm wondering about the private_key_password attribute. I just
> set it to whatever but that needs to correspond to a user on the LDAP
> server doesn't it? I'm not sure that's been set up.

You might try not using an ldaps connection if your LDAP server allows it. Comment out all the TLS in the ldap section. This TLS/SSL connection to your LDAP server is a separate issue from 802.1x. That's just between the RADIUS server and LDAP. Once you've got everything else going, go back and work with the ldaps.

The main thing is to change only one thing at a time. Then you'll know exactly what broke it and what didn't.

I believe you had LDAP working before, didn't you?

Zoltan Ori
an infamous LDAP-FreeRadius question
Hi All,

I know this has been discussed at length on this list, but it's kinda confusing reading through the archive and making sense of all the threaded discussions. What I didn't see (and I apologize if it's there) is if anyone has a HowTo or something similar on how to configure Freeradius for authentication against LDAP (not active directory) which has usernames and password stored on it in cleartext. Presumably I'd be using PEAP for this.

If anyone has this or can give a hand offline from this mailing list, that would be much appreciated.

Thanks

Matt
[EMAIL PROTECTED]