Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
 the
package. Also I do not understand why Debian and Ubuntu do not have the
current version of the 2.2.x branch. It looks like the package is no longer
maintained. I also do not see a current version in SID (for Debian and Ubuntu,
that is). So I wonder what is going on here?

So for now I'm stuck with compiling FreeRadius by myself for
Debian/Ubuntu. Has someone updated Debian packages somewhere?

Cheers,
Thomas
--
Thomas Glanzmann tho...@glanzmann.de  Landline  +49 9131 6 14 720
Diplom-Informatiker Univ.   Facsimile +49 9131 6 14 721
Rathsbergerstrasse 28
D-91054 Erlangen - Burgberg, Germanyhttp://thomas.glanzmann.de/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello Alan,

 Freeradius does not build from source. Yes. It does. But you are
 compiling some random external flavour.  Download the source from
 freeradius.org and report what happens.

my subject line was misleading. I meant that the Debian package is so
broken that it doesn't even compile from source (apt-get build-dep freeradius;
apt-get source freeradius; cd freeradius-2.1.10+dfsg; debian/rules binary). I
know that Freeradius compiles, I always use the following on Debian to get a
version I can work with:

sudo apt-get install ssh sudo gcc libssl-dev make openssl
./configure --with-openssl --prefix=/local/freeradius-server-2.2.0; make; make install

I put the FreeRadius list on CC because I get technical solutions from
here.

Cheers,
Thomas


Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello Alan,

 Yes.  It does.  But you are compiling some random external flavour.
 Download the source from freeradius.org and report what happens

yes, you're right, and I just noticed that the freeradius git tree
contains a Debian folder which builds packages that not only compile;
now I try to migrate my configuration, but the hints no longer work. My
configuration is pretty simple:

(freeradius) [/etc/freeradius] cat sites-available/smsotp
server default {
    listen {
        ipaddr = *
        type = auth
    }

    authenticate {
        perl
    }

    authorize {
        update control {
            Auth-Type := perl
        }
        preprocess
    }

    preacct {
        preprocess
        acct_unique
    }

    accounting {
    }

    session {
    }
}
(freeradius) [/etc/freeradius] cat hints
DEFAULT User-Name =~ ^v104([^@]+)
    User-Name := %{1}@V104.GMVL.DE

DEFAULT User-Name =~ ^([^@]+)@v104.gmvl.de
    User-Name := %{1}@V104.GMVL.DE
(freeradius) [/etc/freeradius] cat clients.conf
client 10.104.1.0 {
    secret = testing123
    shortname = netscaler
}

client 127.0.0.1 {
    secret = testing123
    shortname = cs-01
}

In freeradius-2.2.0 the v104\Administrator got rewritten to
administra...@v104.gmvl.de, but with the current version it does not work. Any
idea what I'm doing wrong?

(freeradius) [/etc/freeradius] freeradius -X
freeradius: FreeRADIUS Version 3.0.0 (git #adfdfe7), for host 
x86_64-pc-linux-gnu, built on Jul 21 2013 at 17:07:13
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/perl
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/filter
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/smsotp
main {
 security {
allow_core_dumps = no
 }
}
main {
name = radiusd
prefix = /usr
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log/freeradius
run_dir = /var/run/radiusd
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
  coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
  }
  limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
  }
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Loading Clients 
 client 10.104.1.0 {
require_message_authenticator = no
secret = testing123
 

Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

  Can't load '/usr/lib/perl5/auto/Authen/Krb5/Simple/Simple.so' for module 
  Authen::Krb5::Simple: /usr/lib/perl5/auto/Authen/Krb5/Simple/Simple.so: 
  undefined symbol: PL_thr_key at /usr/lib/perl/5.14/DynaLoader.pm line 184.

 * http://www.perlmonks.org/?node_id=1008893

 The error comes from a module compiled against threaded Perl while
 your Perl installation is not threaded (probably because you
 recompiled it).  The solution is to recompile the module against the
 new Perl.

strange. After recompiling the problem is not gone, but if I compile a
different version (freeradius-2.2.0) from scratch it works; I will retry
with the vanilla build.

 What are you talking about?

I'm frustrated that the Debian package is a) broken and b)
outdated. I hope that someone updates it, uploads it to SID and fixes the
above error for the current stable release.

I put the list on CC because I get very valuable input here, like the
hint that the problem is that FreeRadius was compiled against a single
threaded version of perl.so while Authen::Krb5::Simple is compiled
against a multithreaded version of perl.

Cheers,
Thomas


Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)

2013-07-21 Thread Thomas Glanzmann
Hello,

* Thomas Glanzmann tho...@glanzmann.de [2013-07-21 18:24]:
 hints = /etc/freeradius/mods-config/preprocess/hints

I noticed that the wrong hints file was specified, however after
updating, it still does not work, but the output now looks different:

Ready to process requests.
rad_recv: Access-Request packet from host 10.104.1.0 port 64254, id=195, 
length=58
User-Name = 'v104\\Administrator'
User-Password = 'Pa$$w0rd'
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/smsotp
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   update control {
(0) Auth-Type := perl
(0)   } # update control = notfound
(0) preprocess :expand: ^v104\([^@]+) - '^v104\[^@]+))'
(0) preprocess :expand: ^([^@]+)@v104.gmvl.de - 
'^([^@]+)@v104.gmvl.de'
(0)   [preprocess] = ok
(0) Found Auth-Type = perl
(0) # Executing group from file /etc/freeradius/sites-enabled/smsotp
(0)   group authenticate {
(0)  - entering group authenticate {...}
rlm_perl: authenticate: user unknown in database
rlm_perl: Added pair User-Name = v104\\Administrator
rlm_perl: Added pair User-Password = Pa$$w0rd
rlm_perl: Added pair NAS-IP-Address = 10.104.1.0
rlm_perl: Added pair Auth-Type = perl
(0)   [perl] = reject
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform 
requested action.
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 195 from 10.104.252.162 port 1812 to 10.104.1.0 
port 64254
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 195 with timestamp +5
Ready to process requests.

Full output: http://pbot.rmdir.de/IRC6zW11GNEWEFpMx0a13w

Cheers,
Thomas


Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

 You can of course 'make deb' in the top level directory of the current
 Git HEAD (which will very soon be 2.2.1) and make your own debian
 packages.

that is fine with me and works perfectly. I was not aware of that option, but now
that I know it is out there, it is the way to go.

While trying that I also built a 3.0 Git HEAD and there were a few
problems I tripped over:

- HINTS does not work the way it did before. Especially this no
  longer works for me:

DEFAULT User-Name =~ ^v104([^@]+)
 User-Name := %{1}@V104.GMVL.DE

- rlm_perl does not seem to register itself as module correctly
  because I get the following error message as soon as I:

...
authorize {
update control {
Auth-Type := perl
}
}
...

Message is: (0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot 
perform requested action.

Full Log: http://pbot.rmdir.de/IRC6zW11GNEWEFpMx0a13w

- freeradius gives me a segmentation fault as soon as I put 'perl' in
  the authorize section and do one authentication request.

authorize {
perl
}

I really would like to work out all the above issues, is someone willing to
walk me through it? Otherwise I'll try myself, but I always appreciate all the
help I can get. ;-)

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

  DEFAULT User-Name =~ ^v104([^@]+)
  User-Name := %{1}@V104.GMVL.DE

 Can you got some debug output or even just the value of the User-Name?
 It may just be the escaping is less crazy than it used to be.

username is: v104\Administrator but radius puts it internally as
v104\\Administrator.

This is how it looks in 2.2.0:

rad_recv: Access-Request packet from host 10.104.1.0 port 54489, id=59, 
length=58
User-Name = v104\\Administrator
User-Password = Pa$$w0rd
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[control] returns notfound
[preprocess]expand: %{User-Name} - v104\Administrator
[preprocess]   hints: Matched DEFAULT at 1
[preprocess]expand: %{1}@V104.GMVL.DE - administra...@v104.gmvl.de
++[preprocess] returns ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
rlm_perl: Added pair User-Name = administra...@v104.gmvl.de
rlm_perl: Added pair User-Password = Pa$$w0rd
rlm_perl: Added pair NAS-IP-Address = 10.104.1.0
rlm_perl: Added pair Reply-Message = Enter SMS one time password
rlm_perl: Added pair State = 72641523
rlm_perl: Added pair Response-Packet-Type = Access-Challenge
rlm_perl: Added pair Auth-Type = perl

 No. That just means you don't have a reject {} section in Post-Auth,
 it has nothing to do with the perl module.

I see, I'll try that and report back.

 Can you provide a backtrace please? I'll see if I can fix it.

I'll do that.

I found another small bug in the debian packages generated by
debian/rules binary in the 2.2.0 release:

Initscript puts pid file in /var/run/freeradius

But Freeradius wants to put it in /var/run/radius, so it does not start:

Sun Jul 21 19:36:34 2013 : Error: Failed creating PID file 
/var/run/radiusd/radiusd.pid: No such file or directory

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

 Can you provide a backtrace please? I'll see if I can fix it.

Program received signal SIGSEGV, Segmentation fault.
0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
542         (auth_item->da->attr == PW_USER_PASSWORD)) {
(gdb) bt
#0  0x08052f8a in rad_authenticate (request=0x863f138) at src/main/auth.c:542
#1  0x080741d3 in request_running (request=0x863f138, action=1) at 
src/main/process.c:1185
#2  0x08073525 in request_queue_or_run (request=0x863f138, process=0x8074104 
request_running) at src/main/process.c:828
#3  0x08074836 in request_receive (listener=0x8480c00, packet=0x863ef30, 
client=0x81e4828, fun=0x8052a0b rad_authenticate) at src/main/process.c:1377
#4  0x080592ec in auth_socket_recv (listener=0x8480c00) at 
src/main/listen.c:1449
#5  0x08079b09 in event_socket_handler (xel=0x846f640, fd=7, ctx=0x8480c00) at 
src/main/process.c:3483
#6  0xf7d7e0cd in fr_event_loop (el=0x846f640) at src/lib/event.c:414
#7  0x0807ad91 in radius_event_process () at src/main/process.c:4272
#8  0x0806a384 in main (argc=2, argv=0xcc04) at src/main/radiusd.c:475
(gdb) p auth_item
$1 = (VALUE_PAIR *) 0x8482220
(gdb) p auth_item->da
$2 = (const DICT_ATTR *) 0x0

I was able to reproduce that on Ubuntu 12.04 (Precise Pangolin) x64 and Debian
Wheezy 32 Bit. If you need exact instructions on how to reproduce or
access to the system, send me an ssh key or e-mail.

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Alan,

 I believe hints is going the way of the dodo eventually - unlang can
 do the work for you eg

 if (%{User-Name} =~ ^v104([^@]+) ) {
   update request {
   %{User-Name} := %{1}@V104.GMVL.DE
   }
   }

I tried:

server default {
    listen {
        type = auth
        ipaddr = *
    }

    authenticate {
        perl
    }

    authorize {
        update control {
            Auth-Type := perl
        }
        if (%{User-Name} =~ /^v104([^@]+)/ ) {
            update request {
                %{User-Name} := %{1}@V104.GMVL.DE
            }
        }
    }

    accounting {
        detail
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

There was one error I could figure out: the right side of the regular
expression has to be // and not , so I fixed that, but it does not
recognize the right hand side %{1}@V104.GMVL.DE. According to [1] it
should be that, if I understand it correctly.

[1] http://freeradius.org/radiusd/man/unlang.html

 that's more interesting. We run PERL with 3.x here and haven't seen such
 an issue; wonder if your PERL environment is different

I'm running Debian Wheezy. libperl-dev - 5.14.2-21

 it would be sooo much better for you to be running (or ready to run!)
 3.x at this point in time

I work on it. :-)

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

 Oh I have a pretty good idea of what's gone on. Could you git pull and
 rebuild. You'll probably see an abort this time round.

I did a 

git pull
# Wipe the working directory clean
git reset --hard HEAD; git clean -f -x -d
./configure --prefix=/local/freeradius-head; make -j; make install
And yes, I see an ABORT, what is going on?

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 47420, id=99, length=43
User-Name = 'bla'
User-Password = 'fasel'
(0) # Executing section authorize from file 
/local/freeradius-head/etc/raddb/sites-enabled/smsotp
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   update control {
(0) Auth-Type := perl
(0)   } # update control = notfound
(0) Found Auth-Type = perl
(0) # Executing group from file 
/local/freeradius-head/etc/raddb/sites-enabled/smsotp
(0)   group authenticate {
(0)  - entering group authenticate {...}
rlm_perl: Added pair User-Name = bla
rlm_perl: Added pair User-Password = fasel
rlm_perl: Added pair Auth-Type = perl
(0)   [perl] = reject
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) # Executing group from file 
/local/freeradius-head/etc/raddb/sites-enabled/smsotp
(0)   group REJECT {
(0)  - entering group REJECT {...}
(0) attr_filter.access_reject : expand: %{User-Name} - 'bla'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed reject
Sending Access-Reject of id 99 from 0.0.0.0 port 1812 to 127.0.0.1 port 47420
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 33829, id=101, 
length=43
User-Name = 'bla'
User-Password = 'fasel'
(1) # Executing section authorize from file 
/local/freeradius-head/etc/raddb/sites-enabled/smsotp
(1)   group authorize {
(1)  - entering group authorize {...}
(1)   update control {
(1) Auth-Type := perl
(1)   } # update control = notfound
(1) Found Auth-Type = perl
(1) # Executing group from file 
/local/freeradius-head/etc/raddb/sites-enabled/smsotp
(1)   group authenticate {
(1)  - entering group authenticate {...}
rlm_perl: Added pair User-Name = bla
rlm_perl: Added pair User-Password = fasel
rlm_perl: Added pair Auth-Type = perl
(1)   [perl] = reject
(1) Failed to authenticate the user.

Program received signal SIGABRT, Aborted.
0xf7fdf430 in __kernel_vsyscall ()
(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7b92941 in *__GI_raise (sig=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xf7b95d72 in *__GI_abort () at abort.c:92
#3  0xf7d47c83 in ?? () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#4  0xf7d498cc in talloc_get_name () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#5  0xf7d4bbde in _talloc_get_type_abort () from 
/usr/lib/i386-linux-gnu/libtalloc.so.2
#6  0x08052f97 in rad_authenticate (request=0x863eeb8) at src/main/auth.c:541
#7  0x080741f3 in request_running (request=0x863eeb8, action=1) at 
src/main/process.c:1185
#8  0x08073545 in request_queue_or_run (request=0x863eeb8, process=0x8074124 
request_running) at src/main/process.c:828
#9  0x08074856 in request_receive (listener=0x8480a98, packet=0x863edb8, 
client=0x81e4828, fun=0x8052a0b rad_authenticate) at src/main/process.c:1377
#10 0x0805930c in auth_socket_recv (listener=0x8480a98) at 
src/main/listen.c:1449
#11 0x08079b29 in event_socket_handler (xel=0x846f4d8, fd=7, ctx=0x8480a98) at 
src/main/process.c:3483
#12 0xf7d7e0cd in fr_event_loop (el=0x846f4d8) at src/lib/event.c:414
#13 0x0807adb1 in radius_event_process () at src/main/process.c:4272
#14 0x0806a3a4 in main (argc=2, argv=0xcc14) at src/main/radiusd.c:475
(gdb) quit

Cheers,
Thomas


Re: Freeradius 3.0 hints, rlm_perl

2013-07-21 Thread Thomas Glanzmann
Hello Arran,

 Something was caching the pointer to request->password when it
 shouldn't have. Should be fixed now.

I pulled the fix and can no longer reproduce the issue, I tried with 100
authentications in a row. Thank you for fixing it.

Cheers,
Thomas


Re: Any One-Time password system.

2013-05-16 Thread Thomas Glanzmann
Hello Sergii,

 Is it possible to use OTP with ms-chap authorization?

no, it is _not_.

Cheers,
Thomas


Re: Any One-Time password system.

2013-05-14 Thread Thomas Glanzmann
Hello Sergii,
don't use the C daemon, it has too many moving parts. I later wrote a perl
module which is easy to use.

See:

http://thomas.glanzmann.de/smsotpd.2012-10-05.tar.bz2

Follow the instructions in smsotpd.2012-10-05/rlm_perl/README

If you have any further questions, let me know, but this should get you
started quickly. To my knowledge freeradius 3.0 now does everything needed to do
smsotp natively, but I never took the time to try it. The above solution
is running in production for 3000 users.

In the tar ball is also an smsotp test client.

Cheers,
Thomas


Re: Question about interaction Between Vmware View 5.1 and smsotp

2013-03-27 Thread Thomas Glanzmann
Hello Stéphane,
can you please send a screenshot of your View Radius Configuration, your
full configuration and the full debugging output which includes an
authentication request from pap_challenge_request.pl and from View.

Cheers,
Thomas


Re: Question about interaction Between Vmware View 5.1 and smsotp

2013-03-27 Thread Thomas Glanzmann
Hello Stéphane,

 It works. Thank you. Yes, the radiusd process listens on
 multiple ports and I was wrong when I put the value 1812 on VMware
 View.

for the list. The problem was that View was configured to port 1812
which does not do SMSOTP with my configuration, so we reconfigured it to
port 11812 and it worked.

 A little question, this is the normal workflow => Client view asks for
 user/pass AD => ask for OTP => ask again for user/pass AD?

If I remember correctly you should put the username either as:

domain\username

or

usern...@full.realm.de

then it should ask only once. But the last time I configured it with
View was one year ago.

Cheers,
Thomas


Re: Video installation for freeradius with smsotp

2013-01-24 Thread Thomas Glanzmann
Hello Lasse,

* Lasse Odden lasse.od...@gmail.com [2013-01-24 11:48]:
 Long time since we spoke, but you told me you should try to find time
 to do a new video with instructions.  Could you please help me out
 with this installation?

I currently don't have the time, but if you have specific question, ask
me.

Thomas


Re: Video installation for freeradius with smsotp

2012-11-19 Thread Thomas Glanzmann
Hello Lasse,

 I'm struggling with the implementation of the smsotp, and I came over
 this post:
 http://readlist.com/lists/lists.freeradius.org/freeradius-users/11/55876.html

 Do you have an updated video with this perl implementation you could
 send me?

I'll record an e-mail tomorrow, and send it to you. At least I hope that
I find the time.

Cheers,
Thomas


Re: MySQL Segmentation Fault

2012-09-28 Thread Thomas Glanzmann
Hello Bryan,

 [root@radiusdev ~]# rpm -qa | grep mysql
 mysql-5.1.61-4.el6.x86_64
 mysql-devel-5.1.61-4.el6.x86_64
 mysql-libs-5.1.61-4.el6.x86_64
 mysql-server-5.1.61-4.el6.x86_64

they all belong to the same release.

 Do I need all of those or is one causing me the issue still with the
 faults?

What does 'find /usr -name libmysql\*.so' say?

Cheers,
Thomas


Re: smsotpd

2012-09-08 Thread Thomas Glanzmann
Hello Franks,

* Franks Andy (RLZ) IT Systems Engineer andy.fra...@sath.nhs.uk [2012-09-09 01:19]:
 The first thing I'm not clear on is the function of the users file
 that's related to the Berkeley_db script. I'm not sure I understand why
 it's needed. Is this a database of acceptable users that have access to
 the OTP function?

Exactly. That function has two purposes:

- The list of persons that can authenticate via Kerberos for the
  first stage of the authentication, if you exchange it with
  something else

- The number lookup

 Could this be set during an ldap group lookup perhaps, using an
 inbuilt freeradius attribute?

Exactly. You could do a ldap lookup in FreeRadius and pass that as
variable to the module, so that it could use that.

 The module seems to implement its own Kerberos authentication lookup -
 is this correct?

It's not implementing its own but using a perl Kerberos library, but
you're correct that it does its own Kerberos authentication and not in
FreeRadius. The only reason it does so is that I can count how many
logins went wrong and then block authentication requests to the Active
Directory, because in my case the Active Directory would lock the
account, which would make a denial of service attack possible if you know a
username.

 Would an ntlm lookup also be possible by messing with the perl code
 and using the ntlm include instead of authen-krb5?

Yes, that is possible. You can exchange it basically with everything you
want; you can also do the first stage of the authentication in
FreeRadius and use the perl module solely for smsotp.

 Do you have any plans to write something more generic, i.e. without
 the hard coded users file or file paths for other functions?

At the moment I do not have the intention; however, I probably will
release a much more generic version without the password locking that
does the first stage of the authentication in FreeRadius.

 Or is it just a proof of concept?

I actually run it in pre production environment for 1500 users.

 Also do you plan some in-depth documentation?

I also started in the wiki for the C implementation, but for anyone who
understands PAP, PAP access challenge and Radius it is basically self-
explanatory; however, this process took me almost 5 workdays myself. My
FreeRadius knowledge is limited; I used FreeRadius with eap-tls, 802.1q,
802.1x, Cisco ASA, Cisco 3560G, Cisco 2910, VMware View, Linux embedded
devices and Citrix Netscaler.

 This module tied to freeradius could be extremely useful to our
 organisation but I'm not sure if at this point I understand it well
 enough or whether it will be robust in use.

In production I had no problems and approx. 285 authentication requests
already. I also ran an automated self test against it, both for the C
and perl implementation, for 24 hours and saw no problems. However, in
your case I would first try to make it work, then develop an
automated self test, and if you feel comfortable enough to use it, use it.

 I'd like ideally to use freeradius to do an ldap lookup, cross
 reference a group of users with access to OTP, bring back an
 email/phone number attribute through the ldap module and then use this
 in the OTP processing, whilst also doing some mysql / other sql
 storage of users' authentication details using OTP to fault find/audit
 from.

I'll not implement it, but if I would do that, it would take me less
than 4 hours. Basically what you need is to modify the rlm_perl
implementation to only handle the pap access challenge and pass the
information it needs using the already existing interface of rlm_perl
(which is super powerful).

 Is this the kind of thing you might look at in the future or should I
 go and get linotp / rcdevs product?

I'm quite busy for the next 5 days, if you want to wait 5 days, I could
make something generic available and also document it. Of course, if you
don't feel comfortable with it at the moment, go for another solution.

Cheers,
Thomas


Re: freeradius OTP with OATH

2012-09-08 Thread Thomas Glanzmann
Hello Arran,

 What is the server missing as of 2.2.0 that requires the use of rlm_perl?

I'm not aware of the FreeRadius internals but you can simply look at the
FreeRadius Module rlm_smsotp. This is what happens.

- User authenticates with PAP.
- The server's answer will be of Access-Challenge type and
  includes two additional fields:

  - State: random number (FreeRadius has to keep it and
    associate it with the generated otp)

  - Prompt

  At the same time an otp random number is also saved and
  associated with the state and the user and sent to the user,
  for example using an SMS, but it could of course use any other
  otp method, for example with a preshared key.

- The client answers and provides the state and otp in the
  'password' field. The server then has to verify:

  - Is the state corresponding to user name and otp?

  - Is the request still valid (timeout)?

That's basically it.

 On the surface it seems all you're missing is random string generation?

If it can't do that, then yes, for the state and the otp value.

 With 3.0 you can define policies which have 'methods' that map to the
 different sections of the server, so you could write the whole thing
 as a virtual module.

If you walk me through it, I would like to try that.

Cheers,
Thomas
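The two-stage PAP plus Access-Challenge flow described above, and the failed-login counter mentioned in the smsotpd thread as the reason the module checks the first factor itself, modelled as an added Python example (not code from the thread and not the smsotpd module; the class and function names, the challenge lifetime and the failure threshold are assumptions):

```python
"""Added example, not code from the thread or from smsotpd: a minimal model of
the PAP + Access-Challenge one-time-password flow. The names (SmsOtpServer,
PendingChallenge, Reply) and the two constants below are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CHALLENGE_TTL = 120             # assumed: seconds a pending challenge stays valid
MAX_FIRST_FACTOR_FAILURES = 3   # assumed: stop forwarding to the backend after this


@dataclass
class PendingChallenge:
    user: str       # user the State value was issued to
    otp: str        # one-time password sent out of band (e.g. by SMS)
    created: float  # issue time, for the timeout check


@dataclass
class Reply:
    code: str                              # Access-Accept / Access-Reject / Access-Challenge
    attrs: dict = field(default_factory=dict)


class SmsOtpServer:
    """Server side of the exchange: stage 1 checks the password with the backend
    (Kerberos in the thread), stage 2 checks the OTP against the stored State."""

    def __init__(self, first_factor, send_otp, now=time.time):
        self.first_factor = first_factor  # callable(user, password) -> bool
        self.send_otp = send_otp          # callable(user, otp) -> None
        self.now = now                    # injectable clock, for tests
        self.pending = {}                 # State value -> PendingChallenge
        self.failures = {}                # user -> failed first-factor attempts

    def handle(self, user, password, state=None):
        """One Access-Request: no State attribute means stage 1, State present means stage 2."""
        if state is None:
            return self._first_stage(user, password)
        return self._second_stage(user, password, state)

    def _first_stage(self, user, password):
        # Counting failures here is what lets the module stop forwarding bad
        # passwords to the backend, so someone who knows a username cannot
        # trigger the directory's own lockout and deny service to its owner.
        if self.failures.get(user, 0) >= MAX_FIRST_FACTOR_FAILURES:
            return Reply("Access-Reject", {"Reply-Message": "Too many failures"})
        if not self.first_factor(user, password):
            self.failures[user] = self.failures.get(user, 0) + 1
            return Reply("Access-Reject")
        self.failures.pop(user, None)
        state = secrets.token_hex(16)                  # random, unguessable State
        otp = f"{secrets.randbelow(10 ** 8):08d}"      # 8-digit one-time password
        self.pending[state] = PendingChallenge(user, otp, self.now())
        self.send_otp(user, otp)
        return Reply("Access-Challenge",
                     {"State": state, "Reply-Message": "Enter SMS one time password"})

    def _second_stage(self, user, otp, state):
        # The client echoes State and puts the OTP in the User-Password field.
        self._expire()
        entry = self.pending.pop(state, None)        # single use: consumed on any attempt
        if entry is None or entry.user != user:
            return Reply("Access-Reject")            # unknown/expired State or wrong user
        if not hmac.compare_digest(entry.otp.encode(), otp.encode()):
            return Reply("Access-Reject")            # wrong OTP, constant-time compare
        return Reply("Access-Accept")

    def _expire(self):
        # Drop challenges older than CHALLENGE_TTL so a stale State cannot be replayed.
        cutoff = self.now() - CHALLENGE_TTL
        for s in [s for s, e in self.pending.items() if e.created < cutoff]:
            del self.pending[s]


if __name__ == "__main__":
    # Constructed demo: the backend accepts alice/pw only, the "SMS" goes to a list.
    sent = []
    srv = SmsOtpServer(lambda u, p: (u, p) == ("alice", "pw"), lambda u, o: sent.append(o))
    r = srv.handle("alice", "pw")
    print(r.code, r.attrs)
    print(srv.handle("alice", sent[-1], r.attrs["State"]).code)
```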


Re: freeradius OTP with OATH

2012-09-07 Thread Thomas Glanzmann
Hello Henk,

 I've looked closely at your video and accomplishment with smsotp,
 congrats!

thank you. However the video shows something that is outdated. I now
wrote a perl module for rlm_perl which does it much better without all
the moving parts.

 Did you also have a look at OATH TOTP instead of SMS authentication?
 This is an RFC (http://tools.ietf.org/html/rfc6238) as you may know. A
 user installs an app on their phone which implements this RFC (e.g.
 Google Authenticator) and it acts as a soft token.

I did and evaluated it together with RADIUS.

 I've got this running with freeradius and the google authenticator PAM
 module. The downside of PAM is the lack of challenge-access and
 response support (AFAIK).

If you want a challenge response integration, like the user first needs
to authenticate with username and password and then gets a challenge and
needs to answer with a response, that is possible. You could also tweak
it so that you leave the first step out.

Just have a look at the rlm_perl implementation in

http://thomas.glanzmann.de/smsotpd.2012-08-16.tar.bz2

 Do you know of anything that supports OATH and TOTP natively with
 freeradius and can be used with the access-challenge/response system
 (or am I wrong about PAM not supporting that feature)?

I think there was a module, but I don't recall; maybe ask the FreeRadius
list, or grep in the modules directory. I put it on CC.

Cheers,
Thomas


Re: rlm_smsotpd entry from wiki gone

2012-09-04 Thread Thomas Glanzmann
Hello Fajar,

 http://wiki.freeradius.org/modules/Rlm_smsotp

yes, I just clicked on the first one on google and was surprised when it was
gone.

 Probably just upgrade/link-changed effect.

Might be.

Cheers,
Thomas


Re: PAP and A-C

2012-09-03 Thread Thomas Glanzmann
Hello,

> can you not configure RADIUS server to do PAP + Challenge so that it
> asks for username/password followed by one or more Access-Challenge?
> If yes, how would you configure freeradius server to throw
> Access-Challenge to radius client?

yes, you can. The easiest way is to grab:

http://thomas.glanzmann.de/smsotpd.2012-08-16.tar.bz2

and follow the README in rlm_perl. Please also note that the test client
that comes with radius does not support access challenges; maybe I'll
write a patch for it, but not right now. That is why I wrote my own test
client in perl, which is also included. Tell me if you need help; maybe
I'll update the video on my website to include the rlm_perl
implementation, which is my favourite because it doesn't require a
separate daemon and works with most distros out of the box.

Cheers,
Thomas


rlm_smsotpd entry from wiki gone

2012-09-03 Thread Thomas Glanzmann
Hello,
I just noticed that the rlm_smsotpd website I wrote in the wiki is gone.
Was that on purpose or an error that happened when the wiki was updated?

I pulled a version out of google cache so that I still have the few
words I have written there.

Cheers,
Thomas


Re: PAP and A-C

2012-09-03 Thread Thomas Glanzmann
Hello Rod,

> I think the A-C is supported with EAP type authentication? not the PAP.

it is supported with both types. However, in EAP it is used for something
entirely different. With PAP it is used with a challenge. Maybe this
thread brings you up to speed. But please use the rlm_perl
implementation I sent you and _not_ the smsotpd, because the perl
implementation is much easier to set up, more reliable, less complex
and has fewer moving parts.

http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/86365

Cheers,
Thomas


VMware View 5.1 smsotp authentication with multiple realms [WAS: Re: Yeah, it works !!]

2012-08-28 Thread Thomas Glanzmann
Hello Joël,

> jodan@otpradius:~/work/smsotpd$ ./pap_challenge_request.pl
> Enter username: dsp1A00113
> Enter password:
> server response type = Access-Challenge (11)
> Enter otp: 89003
> server response type = Access-Accept (2)

> Yeah, it works !! The step 1 is achieved :o)

that is good to hear.

> One more question, have you setup several realms? It will be my case,
> and if you have some clues it must be a quick win.

Yes, it will work with multiple realms. There is not much that you need
to do other than use HINTS or any other way of rewriting in the
radius server to rewrite the username to username@REALM. The REALM has
to be written UPPERCASE, otherwise it will not work. Once you have
achieved that, it will work if the radius server is able to resolve the
ticket granting server for the REALM using DNS. You can use the
following command to double check:

apt-get install dnsutils
dig _kerberos._udp.ww004.siemens.net srv

# Exchange ww004.siemens.net with your REALM. In the DNS query the realm
# can be lowercase because DNS is case insensitive.

> So the test environment is functional, and I will test it against
> view 5.1 before the end of the week if my other tasks let me quiet
> ;o)

Let me know. VMware View 5.1 has a bug; you need to configure it
with this option unchecked: Enforce 2-factor and Windows username
matching. Otherwise, if your username contains a backslash as in
domain\username, the View Client will not send the access challenge reply.
I opened a bug report with VMware; they have accepted it but decided not
to fix it. If you need help with VMware View let me know.

Cheers,
Thomas


Re: SMSotpd, Something goes wrong :(

2012-08-24 Thread Thomas Glanzmann
Hello Joël,

> I've adjusted some paths and other little things.
> Freeradius is up
> smsotpd is up
> I've populated the berkeley db with my identifier

don't use the smsotpd, use the rlm_perl, which is a completely different
setup. The minimal config you find in the README in the corresponding
directory.

> Use of uninitialized value $type in hash element at
> ./pap_challenge_request.pl line 51.

this happens when you have a way too old Authen::Radius module. On which
distribution are you?

> Additionally I suppose that I will need to change values regarding my
> corporate active directory. Could you point out to me where it's needed?

No, rlm_perl expects the username already written as username@REALM.

> Is it possible to test the first stage krb5 with radtest? huh !! I
> think it could be possible to answer this question by myself .. ;o)

Yes, it is. See the rlm_perl/README file.

Cheers,
Thomas


Re: Challenge/Response and rlm_example, I'm trying too ...

2012-08-23 Thread Thomas Glanzmann
Hello Joël,

> I'm trying to develop my own two-factor-authentication with
> freeradius.

the fastest way to do that is to grab

http://thomas.glanzmann.de/smsotpd.2012-08-16.tar.bz2

and modify the rlm_perl implementation. That is very straight forward.

> But it is not so clear for me to set up smsotp, both c and perl version!
> So, is it possible to receive some advice, configuration files and
> code snippets to help me.

I'll make a video ready which shows how to set up FreeRadius with smsotp
from scratch and send it to you.

For you example I developed this radius module for use with VMware View
(when it was still a private beta) and now using it in production for
1500 users with Citrix Netscaler.

Cheers,
Thomas


Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-07-28 Thread Thomas Glanzmann
Hello everyone,
today I wrote a new version of sms otp in perl utilizing rlm_perl. If I
had realized earlier how powerful rlm_perl is, I would have gone
with that solution in the first place. You can find the code here:

http://thomas.glanzmann.de/smsotpd.2012-07-28.tar.bz2

This code allows you to do active directory authentication followed by sms
one time password authentication using pap access challenge without
using rlm_smsotpd or another daemon. It also has the ability to block
calls to kerberos if a user has mistyped his or her password three
times.

Cheers,
Thomas


Avoid locked Active Directory Account when using PAP/krb5 against active directory

2012-07-27 Thread Thomas Glanzmann
Hello,
I have a Citrix Netscaler which authenticates users against active
directory with PAP. First against Active Directory using krb5 and second
against smsotp using a PAP Access challenge. If someone knows a username,
he can type in the right username with the wrong password multiple times
and thereby lock the account in active directory. Now I'm looking for
solutions to avoid that.

Is there a FreeRadius Module which accounts the login failures of
another FreeRadius Module (krb5) within a given time range and stops
prompting the underlying FreeRadius Module (krb5) if a user has
authenticated itself, for example, 3 times within one hour? If not,
what practical solutions do you have in mind?

Cheers,
Thomas


Re: Uninstall FreeRadius

2012-07-27 Thread Thomas Glanzmann
Hello George,

> How can one uninstall the Freeradius 2.1.1 from Ubuntu 12 LTS

# Run this command to find out the name of the radius server package
dpkg -l | grep -i radius

# Purge (deinstall and remove configuration files) of the package
dpkg -P <name of package>

Cheers,
Thomas


Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-06-08 Thread Thomas Glanzmann
Hello Alan,

[ sorry for the late response, I read that mailing list only every few days ]

> The tar file seems strange.  There's a smsotpd.2012-06-04c directory,
> but most of the files seem to have a smsotpd.2012-06-04 prefix.
> *Without* the directory:

thank you for telling me. There was a slash missing in my git-archive
command. I fixed that:

git archive --format=tar --prefix=smsotpd.2012-06-04/ HEAD | bzip2 -9 > ~/.www/smsotpd.2012-06-04.tar.bz2
#   ~ slash was missing

Cheers,
Thomas


Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-06-04 Thread Thomas Glanzmann
Hello everyone,
here is a c implementation of the smsotpd.

http://thomas.glanzmann.de/smsotpd.2012-06-04.tar.bz2

Cheers,
Thomas


Re: PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-05-22 Thread Thomas Glanzmann
Hello everyone,
find a video which describes the setup of a freeradius server here:

http://thomas.glanzmann.de/smsotp.pdf
http://thomas.glanzmann.de/smsotp.swf

Cheers,
Thomas


Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello,
I'm interested in a radius test client which supports pap
ACCESS-Challenge. Can anyone point me to one, or to a library which
allows me to easily write one, preferably in perl?

Cheers,
Thomas


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello Matthew,

> You should not be getting a challenge with PAP, so there is no need
> for a test client for it.

for Citrix Netscaler and VMware View 5.1, if you want to support
two-factor authentication for example with rlm_smsotp, this is necessary.
However, there is currently no test client for it that I'm aware of. The
Net::Radius::Packet perl library is probably the quickest approach to get
something working; I'll post it here if I get one.

See also:

http://wiki.freeradius.org/Rlm_smsotp
http://thread.gmane.org/gmane.comp.dial-up.freeradius.user/86365

Cheers,
Thomas


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello Matthew,

> Forget that - I've not had enough coffee yet today :) You need to
> respond to the challenge, not send one yourself...

exactly, however the Authen::Radius perl module saved my day:

#!/usr/bin/perl -w

# Thomas Glanzmann 16:06 2012-05-21
# First argument is username, second argument is password
# Authen::Radius requires a legacy dictionary without advanced
# keywords like encrypted or $INCLUDEs

use strict;
use warnings FATAL => 'all';

use Authen::Radius;

my $r = new Authen::Radius(Host => '127.0.0.1', Secret => 'testing123');
Authen::Radius->load_dictionary('/home/sithglan/work/smsotpd/dictionary');

# First round: plain PAP with username and password
$r->add_attributes(
    { Name => 'User-Name',     Value => $ARGV[0] },
    { Name => 'User-Password', Value => $ARGV[1] },
);

$r->send_packet(ACCESS_REQUEST) || die;
my $type = $r->recv_packet();
defined $type or die "no response from server";

print "server response type = $type\n";

# Pick up the State attribute of the Access-Challenge (type 11). Authen::Radius
# keeps the received attributes in its buffer, so State and Reply-Message are
# echoed back in the next request together with the attributes added below
# (see the radiusd -X output further down).
my $state = undef;

for my $attr ($r->get_attributes()) {
    if ($attr->{Name} eq 'State') {
        $state = $attr->{RawValue};
    }
}

print "Enter otp: ";
my $otp = <STDIN>;
chomp($otp);

# Second round: the one time password travels in User-Password
$r->add_attributes(
    { Name => 'User-Name',     Value => $ARGV[0] },
    { Name => 'User-Password', Value => $otp },
);

$r->send_packet(ACCESS_REQUEST) || die;
$type = $r->recv_packet();
defined $type or die "no response from server";

print "server response type = $type\n";

# Execution:

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl 'administra...@directory.gmvl.de' 'password'
server response type = 11
Enter otp: 82701
server response type = 2

# radiusd -X

rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=40, length=71
    User-Name = "administra...@directory.gmvl.de"
    User-Password = "password"
# Executing section authorize from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess]    expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess]    hints: Matched DEFAULT at 4
[preprocess]    expand: %{1}@DIRECTORY.GMVL.DE -> administra...@directory.gmvl.de
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[smsotp] returns ok
Found Auth-Type = smsotp
# Executing group from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group smsotp {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Configuration file does not specify default realm
++[krb5] returns ok
rlm_smsotp: Generate OTP
rlm_smsotp: Uniq id is 5500455282
rlm_smsotp: Sending Access-Challenge.
++[smsotp] returns handled
Sending Access-Challenge of id 40 to 127.0.0.1 port 49189
    Reply-Message = "Enter Mobile PIN:"
    State = 0x35353030343535323832
Finished request 18.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 49189, id=41, length=102
    Reply-Message = "Enter Mobile PIN:"
    State = 0x35353030343535323832
    User-Name = "administra...@directory.gmvl.de"
    User-Password = "82701"
# Executing section authorize from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]    expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess]    expand: %{User-Name} -> administra...@directory.gmvl.de
[preprocess]    hints: Matched DEFAULT at 4
[preprocess]    expand: %{1}@DIRECTORY.GMVL.DE -> administra...@directory.gmvl.de
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
rlm_smsotp: Found reply to access challenge (AUTZ), Adding Auth-Type 'smsotp-reply'
++[smsotp] returns ok
Found Auth-Type = smsotp-reply
# Executing group from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group smsotp-reply {...}
rlm_smsotp: Found reply to access challenge
rlm_smsotp: SocketReply is OK
++[smsotp] returns ok
# Executing section post-auth from file /local/freeradius-server-2.1.9/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 41 to 127.0.0.1 port 49189
Finished request 19.

Cheers,
Thomas


Re: Test Client which supports PAP Access-Challenge

2012-05-21 Thread Thomas Glanzmann
Hello everyone,
find attached the new and improved version for checking pap access
challenge:

(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Reject (3)
(minisqueeze) [~/work/smsotpd] ./pap_challenge_request.pl
Enter username: directory\Administrator
Enter password:
server response type = Access-Challenge (11)
Enter otp: 97350
server response type = Access-Accept (2)

Cheers,
Thomas


pap_challenge_request.pl
Description: Perl program
ATTRIBUTE   User-Name                   1   string
ATTRIBUTE   User-Password               2   string
ATTRIBUTE   CHAP-Password               3   octets
ATTRIBUTE   NAS-IP-Address              4   ipaddr
ATTRIBUTE   NAS-Port                    5   integer
ATTRIBUTE   Service-Type                6   integer
ATTRIBUTE   Framed-Protocol             7   integer
ATTRIBUTE   Framed-IP-Address           8   ipaddr
ATTRIBUTE   Framed-IP-Netmask           9   ipaddr
ATTRIBUTE   Framed-Routing              10  integer
ATTRIBUTE   Filter-Id                   11  string
ATTRIBUTE   Framed-MTU                  12  integer
ATTRIBUTE   Framed-Compression          13  integer
ATTRIBUTE   Login-IP-Host               14  ipaddr
ATTRIBUTE   Login-Service               15  integer
ATTRIBUTE   Login-TCP-Port              16  integer
ATTRIBUTE   Reply-Message               18  string
ATTRIBUTE   Callback-Number             19  string
ATTRIBUTE   Callback-Id                 20  string
ATTRIBUTE   Framed-Route                22  string
ATTRIBUTE   Framed-IPX-Network          23  ipaddr
ATTRIBUTE   State                       24  octets
ATTRIBUTE   Class                       25  octets
ATTRIBUTE   Vendor-Specific             26  octets
ATTRIBUTE   Session-Timeout             27  integer
ATTRIBUTE   Idle-Timeout                28  integer
ATTRIBUTE   Termination-Action          29  integer
ATTRIBUTE   Called-Station-Id           30  string
ATTRIBUTE   Calling-Station-Id          31  string
ATTRIBUTE   NAS-Identifier              32  string
ATTRIBUTE   Proxy-State                 33  octets
ATTRIBUTE   Login-LAT-Service           34  string
ATTRIBUTE   Login-LAT-Node              35  string
ATTRIBUTE   Login-LAT-Group             36  octets
ATTRIBUTE   Framed-AppleTalk-Link       37  integer
ATTRIBUTE   Framed-AppleTalk-Network    38  integer
ATTRIBUTE   Framed-AppleTalk-Zone       39  string
ATTRIBUTE   CHAP-Challenge              60  octets
ATTRIBUTE   NAS-Port-Type               61  integer
ATTRIBUTE   Port-Limit                  62  integer
ATTRIBUTE   Login-LAT-Port              63  string

Re: Prob web wiki.freeradius.org

2012-05-09 Thread Thomas Glanzmann
Hello Alan,

> Torsten Lehmann wrote:
> > http://wiki.freeradius.org/ (or faq)  returns:
> > Forbidden

* Alan DeKok al...@deployingradius.com [2012-05-09 09:44]:
> It works for me.  We upgraded the machine, and had a few problems with
> editing the wiki.  But it should be OK now.

for me it does not, I still have the problem. If you want I can record
the problem for you as flash video. I'm using github to authenticate.

Cheers,
Thomas


Re: Prob web wiki.freeradius.org

2012-05-09 Thread Thomas Glanzmann
Hello everyone,

* Thomas Glanzmann tho...@glanzmann.de [2012-05-09 09:58]:
> for me it does not, I still have the problem. If you want I can record
> the problem for you as flash video. I'm using github to authenticate.

I have a problem editing the page; accessing is fine. But Arran seems to
be fixing that.

Cheers,
Thomas


Re: Hallo - Freeradius frage

2012-04-25 Thread Thomas Glanzmann
Hello Axel,
Your German is good, but I will answer in English.

You can download the daemon from the freeradius mailing list or the
attachment of this e-mail, I configured the following:

users:
DEFAULT Auth-Type := smsotp

sites-enabled/default:
authenticate {
    Auth-Type smsotp {
        ntlm_auth
        smsotp
    }

    Auth-Type smsotp-reply {
        smsotp
    }
}

modules/ntlm_auth:
exec ntlm_auth {
    wait = yes
    program = "/home/sithglan/work/smsotpd/ntlm_auth.pl %{User-Name} %{User-Password}"
}

I compiled freeradius using the following command line on debian:

sudo apt-get install ssh sudo gcc libssl-dev make openssl
./configure --with-openssl --prefix=/local/freeradius-server-2.1.9; make; make install
cd /local/freeradius-server-2.1.9/etc/raddb/certs; make

Cheers,
Thomas


smsotpd.pl
Description: Perl program


ntlm_auth.pl
Description: Perl program

Re: Hallo - Freeradius frage

2012-04-25 Thread Thomas Glanzmann
Hello Axel,

> Thanks a lot for your answer. Yet I see the complete process :-) If I
> just want a normal PAP authent, It's just the same as your
> configuration, but instead of ntlm_auth I let PAP, no?

yes, and use the following users entries:

Administrator Cleartext-Password := "password", Auth-Type := smsotp

Regards,
Thomas


Re: How secure is the radius encryption

2012-04-04 Thread Thomas Glanzmann
Hello Jason,

> The passwords are weakly encrypted using a mechanism that is basically
> an XOR of the password and an MD5 hash of the request authenticator
> and the shared secret.

thanks for the thorough explanation, I'll go with IPSEC or openvpn. I
recall reading in Bruce Schneier's book 'Secrets and Lies' that xor is
only secure if you use the key only once, so it is very easy to break it
if you see enough traffic, probably also with different usernames.

Cheers,
Thomas
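As an added illustration (not code from the thread), here is the RFC 2865 section 5.2 User-Password hiding that the quoted explanation describes, written out so the reader can see what the XOR-with-MD5 construction protects. The shared secret is the one used throughout the thread; the Request Authenticator is a constructed value (real ones must be random), and the last function checks the property the reply relies on when it recommends IPsec or OpenVPN.

```python
# Added example, not from the thread: RFC 2865 section 5.2 User-Password hiding.
import hashlib

SECRET = b"testing123"                     # shared secret used in the thread
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed for this example only


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a PAP User-Password as RFC 2865 section 5.2 prescribes.

    The password is NUL-padded to a multiple of 16 octets. Block i is XORed
    with MD5(secret || previous hidden block); for the first block the
    "previous block" is the 16-octet Request Authenticator of the packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets (RFC 2865)")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = request_authenticator
    for off in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[off:off + 16], key))
        hidden += block
        prev = block   # chaining: the next key depends on this hidden block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: regenerate the same MD5 keystream, XOR it back
    and strip the NUL padding (assumes the password has no trailing NUL)."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden User-Password must be 16..128 octets, a multiple of 16")
    plain = b""
    prev = request_authenticator
    for off in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[off:off + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")


def first_block_keystream_is_static(pw1: bytes, pw2: bytes, secret: bytes,
                                    request_authenticator: bytes) -> bool:
    """The point the reply makes: the first block's keystream is a function of
    the secret and the Request Authenticator only. Returns True when the XOR of
    the two hidden first blocks equals the XOR of the two padded passwords,
    i.e. the keystream cancels out, which is why a repeated authenticator or a
    weak or leaked secret exposes the password and a VPN is the usual fix."""
    h1 = hide_password(pw1, secret, request_authenticator)[:16]
    h2 = hide_password(pw2, secret, request_authenticator)[:16]
    p1 = (pw1 + b"\x00" * 16)[:16]
    p2 = (pw2 + b"\x00" * 16)[:16]
    return bytes(a ^ b for a, b in zip(h1, h2)) == bytes(a ^ b for a, b in zip(p1, p2))
```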


Re: MSSCHAP auth + LDAP authorizaton

2012-04-03 Thread Thomas Glanzmann
Hello Andreas,

> How to tell freeradius, that after successful MSCHAP auth against AD
> it must browse AD via LDAP and check that the username belongs to
> specified group?

I think you need to write a script that makes sure that the user is
part of a specific group. I would do that in perl, because it gets the
job done fast. I copied and pasted such a script not so long ago in
csharp:

using System.Collections.Generic;
using System.DirectoryServices;

namespace de.glanzmann.ActiveDirectoryGroupMembership
{
    public class ActiveDirectoryGroupMembership
    {
        string ad_connection = "LDAP://ad.gmvl.de/DC=directory,DC=gmvl,DC=de";
        string ad_username = "Administrator";
        string ad_password = "password";

        // Strip a DOMAIN\ prefix: keep only the part after the last backslash
        string RemoveADGroup(string name) {
            string[] ary = name.Split(new char[] { '\\' });
            return ary[ary.Length - 1];
        }

        string[] GetRolesForUser(string userName) {
            userName = RemoveADGroup(userName);
            return GetUserRoles(userName);
        }

        string[] GetUserRoles(string userName) {
            DirectoryEntry obEntry = new DirectoryEntry(ad_connection, ad_username, ad_password);
            // Note: userName is concatenated into the LDAP filter unescaped; escape
            // the RFC 4515 special characters ( ) * \ NUL before using untrusted input here.
            DirectorySearcher srch = new DirectorySearcher(obEntry, "(sAMAccountName=" + userName + ")");
            SearchResult res = srch.FindOne();

            Dictionary<string, string> dictionary = new Dictionary<string, string>();

            if (res != null) {
                DirectoryEntry obUser = new DirectoryEntry(res.Path, ad_username, ad_password);

                string rootPath = ad_connection;
                rootPath = rootPath.Substring(0, rootPath.LastIndexOf(@"/") + 1);

                GetMemberships(obUser, dictionary, rootPath);
            }
            string[] ary = new string[dictionary.Count];
            dictionary.Values.CopyTo(ary, 0);
            return ary;
        }

        // Walk memberOf recursively so that nested group memberships are collected too
        void GetMemberships(DirectoryEntry entry, Dictionary<string, string> dictionary, string rootPath) {
            List<DirectoryEntry> childrenToCheck = new List<DirectoryEntry>();
            PropertyValueCollection children = entry.Properties["memberOf"];
            foreach (string childDN in children) {
                if (! dictionary.ContainsKey(childDN)) {
                    DirectoryEntry obGpEntry = new DirectoryEntry(rootPath + childDN, ad_username, ad_password);
                    string groupName = obGpEntry.Properties["sAMAccountName"].Value.ToString();
                    dictionary.Add(childDN, groupName);
                    childrenToCheck.Add(obGpEntry);
                }
            }
            foreach (DirectoryEntry child in childrenToCheck) {
                GetMemberships(child, dictionary, rootPath);
            }
        }

        public bool IsUserInRole(string username, string roleName) {
            string[] ary = GetRolesForUser(username);
            foreach (string s in ary) {
                if (roleName.ToLower() == s.ToLower()) {
                    return true;
                }
            }
            return false;
        }
    }
}

You can copy the logic and put it into perl.

Source: 
http://www.codeproject.com/Articles/36670/Active-Directory-Forms-Authentication-User-IsInRol

Cheers,
Thomas


Re: MSSCHAP auth + LDAP authorizaton

2012-04-03 Thread Thomas Glanzmann
Hello Matthew,

> Why do in perl what you can do in FR directly? That will just
> slow things down.
>
> if (!(Ldap-group == 'cn=group,dc=example,dc=com')) {
>   reject
> }

will this work with nested groups?

Cheers,
Thomas


How secure is the radius encryption

2012-04-03 Thread Thomas Glanzmann
Hello,
I wonder if the radius encryption between radius client and radius server is
secure enough if you choose a decent password like the following:
'O([G6krj\9[9FN#GVn(/|9+8h5vq2!W*J:OrA;2Uvk1G*z~-6'emgQV 2X5iDa('
Or should someone always protect the connection between radius client
and radius server using ipsec or some other VPN software like for example
openvpn? I don't want to do radius over the internet but in a corporate
intranet. However, I also want to be absolutely sure that no one is reading my
pap passwords on the wire between radius client and radius server.

Cheers,
Thomas


Re: Plain text shared secrets problematic?

2012-04-02 Thread Thomas Glanzmann
Hello,

>    (c) use IPSec for connectivity

or if you don't like the complexity that comes with ipsec, use OpenVPN
or any other VPN software.

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-04-01 Thread Thomas Glanzmann
Hello Alan,

> > Authenticator must be wrong
>
> You're wasting your time.

You're right. I found the problem. The proprietary radius client chokes
on the \ in the username, I can't believe it. However, it is working
for me now. Who do I need to approach in order to submit the 'smsotpd'
perl implementation to the freeradius distribution once I have cleaned it up
so that I can release it to the general public?

I would also write documentation for smsotpd in the wiki. I already
checked out the wiki using git; who do I submit my changes to, or is it
possible to get write access for the one page using a git commit
trigger?

Cheers,
Thomas


PAP followed by smsotp authentication [WAS: Re: MSCHAPv2 followed by a smsotp authentication]

2012-04-01 Thread Thomas Glanzmann
Hello Alan,

> If it's small, email it to the list.  Otherwise, use github.

find smsotpd.pl attached. Please consider it for upstream. If you reject
it, please let me know exactly what needs to be changed in order to
accept it to upstream.

>    You can't write to the wiki via git.  You have to use the web interface.

I put the documentation here: http://wiki.freeradius.org/Rlm_smsotp
Please proof-read (spelling, grammar, but most important correctness) and
modify or tell me what is missing.

Alan, I thank you for walking me through this.

Cheers,
Thomas


smsotpd.pl
Description: Perl program

Re: MSCHAPv2 followed by a smsotp authentication

2012-03-31 Thread Thomas Glanzmann
Hello Alan,

> Possibly. If so, the proprietary client doesn't implement RADIUS.

thanks a lot. However, I'm going to hunt that one down, because I think
I'm very close to solving it, and then I'll document it here. As soon as
the product is released to the public I'll also add a wiki entry or
howto guide.

> The State field is not interpreted. It's used simply as an opaque blob
> that ties a challenge to a subsequent request.

I saw that when I opened it in wireshark. I changed the source code of
rlm_smsotp to only include integers, however that did not solve it yet,
but it can't be much else, I'll report back as soon as I figured it out.

Thank you for all the input you gave me.

Cheers,
Thomas


Re: Challenge-Response

2012-03-31 Thread Thomas Glanzmann
Hello Mercier,

> According to the Radius RFC, Chapter 2.1 Challenge-response
> (http://www.ietf.org/rfc/rfc2865.txt), I read that it's possible to
> activate a challenge-response (Access-Request, Access-Challenge,
> Access-Request, Access-Accept) with Radius, is that possible with Free
> Radius, and if it's possible how to make this? I just want to
> analyze the frame with Wireshark, for the contents of the frames.

it is possible, at least soon it will be for sure. What I learned so
far is that it works with pap and only pap. There is a commercial radius
server otp from nordic edge available with a free evaluation license. I
had it running within 10 minutes.

Here are the frames for you to analyze in wireshark:

http://upload.glanzmann.de/radius.pcap

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-31 Thread Thomas Glanzmann
Hello Alan,
my initial thought that the state may only contain numbers, was wrong.
Now I want to verify that the message authenticator sent by freeradius
is correct, can you please walk me through how to do that?

I also added debugging code to freeradius so that it tells me that it
creates the Authenticator after smsotp was called and the reply type is
set to Access-Challenge. But it needs to be something, and the Message
Authenticator is the only thing that I can't currently verify, so I have
the hope that freeradius does calculate it wrong for Access-Challenges,
at least when using the rlm_smsotp module. Please advise.

Shared secret between freeradius and client: testing123

PCAP File: http://thomas.glanzmann.de/tmp/freeradius.pcap

And I'm interested how I can verify that the Message Authenticator in the
Access-Challenge is correct.

Btw. do you know of any 'radtest' client which supports
challenge-response?

Cheers,
Thomas
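The post above asks how to verify the integrity values on an Access-Challenge. As an added example (not code from the thread or from FreeRADIUS), the following builds the challenge from the radiusd -X output earlier in this page (id 40, Reply-Message and State, shared secret testing123) and checks both its Response Authenticator (RFC 2865 section 3) and its Message-Authenticator attribute (RFC 2869 section 5.14); the Request Authenticator is a constructed value, since the one from the capture is not on the page.

```python
# Added example, not from the thread: checking the two integrity values on a
# RADIUS response against the Request Authenticator of the request it answers.
#   Response Authenticator (RFC 2865 s.3):
#       MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
#   Message-Authenticator  (RFC 2869 s.5.14, attribute 80):
#       HMAC-MD5(Secret, Code + ID + Length + RequestAuth + Attributes)
#       with the 16 octets of the Message-Authenticator value set to zero
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, STATE, MESSAGE_AUTHENTICATOR = 18, 24, 80

SECRET = b"testing123"                     # shared secret from the thread
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; random in real traffic


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value must fit one 255-octet TLV")
        out += bytes([typ, len(value) + 2]) + value
    return out


def parse_attributes(body):
    """Decode TLVs; raise on a truncated header or an impossible length."""
    attrs, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        typ, length = body[off], body[off + 1]
        if length < 2 or off + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((typ, body[off + 2:off + length]))
        off += length
    return attrs


def build_response(code, ident, request_authenticator, secret, attrs):
    """Server side: an Access-Accept/Reject/Challenge with a Message-Authenticator
    (appended last) and a correct Response Authenticator in the header."""
    plain = encode_attributes(attrs)
    ma_zero = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", code, ident, 20 + len(plain) + len(ma_zero))
    ma = hmac.new(secret, header + request_authenticator + plain + ma_zero, hashlib.md5).digest()
    body = plain + bytes([MESSAGE_AUTHENTICATOR, 18]) + ma
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_authenticator, secret):
    """Client side: return (response_auth_ok, message_auth_ok).

    message_auth_ok is None when the response carries no Message-Authenticator;
    a client that requires it should treat None as a failure."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        raise ValueError("Length field does not match the packet")
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        raise ValueError("not an Access-Accept/Reject/Challenge")
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    response_ok = hmac.compare_digest(expected, response_auth)

    message_ok, off = None, 0
    for typ, value in parse_attributes(body):
        if typ == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            zeroed = body[:off + 2] + b"\x00" * 16 + body[off + 18:]
            expected_ma = hmac.new(secret, header + request_authenticator + zeroed,
                                   hashlib.md5).digest()
            message_ok = hmac.compare_digest(expected_ma, value)
            break
        off += 2 + len(value)
    return response_ok, message_ok


def challenge_from_thread():
    """The Access-Challenge shown in the radiusd -X output on this page
    (State 0x35353030343535323832 is the ASCII string 5500455282)."""
    return build_response(ACCESS_CHALLENGE, 40, REQUEST_AUTHENTICATOR, SECRET,
                          [(REPLY_MESSAGE, b"Enter Mobile PIN:"), (STATE, b"5500455282")])
```

Note that both values are keyed only by the shared secret, so they authenticate the server, not a particular client; a client that tampers with State (the opaque blob mentioned above) is caught by the server, not by these checks.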


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan,

>    PAP.  And only PAP.  And sometimes not even there.

I now installed a commercial radius server (Nordic Edge) which supports
it and I sniffed a successful exchange. You can find it here:

http://upload.glanzmann.de/radius.pcap

Could you please let me know if it is possible to configure freeradius
that it behaves the same way? If this is not possible I assume to stack
'pap' on top of rlm_example. In that case can you please let me know
what do I need to configure in order to have pap and rlm_example on top?

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan,
here is the nordic edge radius server pcap:
http://upload.glanzmann.de/radius.pcap

here is the freeradius server pcap:

http://upload.glanzmann.de/freeradius.pcap

What I don't get is that when I compare the two 'Access-Challenges' they look very
similar to me. However, my proprietary radius client does not send another
packet after I typed in the otp.

Any idea what freeradius does different here?

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-30 Thread Thomas Glanzmann
Hello Alan,

> Any idea what freeradius does different here?

the only difference I see here is that radius has a hex number in the
state field while the proprietary one has digits. I assume that is why my
proprietary client chokes.

I'll try to configure freeradius to produce digits as well and retry, and
also file a bug report with the proprietary vendor.

Cheers,
Thomas


MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello,
I have a proprietary radius client which I want to authenticate against
freeradius the following way:

- User types in username: directory\Administrator password:secret
- Freeradius authenticates against active directory.

This already works

- From the documentation of the proprietary radius client:

  After authenticating to RADIUS, you may get another prompt if
  the RADIUS server responded with a supported Access Challenge.
  Full generic RADIUS challenge/response is not supported, but a
  limited access challenge for a string token code is supported.

- So now I want freeradius to send 'Access Challenge' and send a
  sms to the user (for that purpose I wrote a perl daemon which
  listens on a unix socket in order to talk to smsotp freeradius
  module)[1]. However nothing comes in.

I configured freeradius the following way:

sites-enabled/default:
authorize {
    smsotp
    mschap
}

authenticate {
    mschap
    Auth-Type smsotp {
        mschap
        smsotp
    }

    Auth-Type smsotp-reply {
        smsotp
    }
}

users:
DEFAULT Auth-Type = smsotp

radius -X output here: http://thomas.glanzmann.de/tmp/radius-x.txt

[1] smsotpd: http://thomas.glanzmann.de/tmp/smsotpd.pl

And now my questions:

- Is it possible to do a mschapv2 authentication followed by an
  Access challenge in order to send out a sms with a one time
  password by configuring freeradius, or do I need to code? Where
  do I find pointers? I read the source code of the smsotp and
  the rlm_example module; I get the basic idea that first the
  otp is generated and then it is checked, however I don't get
  how to configure freeradius to choose the codepath. I also
  don't get if it is possible to stack authentication methods in
  freeradius.

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello Alan,

> Which authentication method? This matters a lot.

I configured it to use MSCHAPv2 (but they also support PAP, CHAP and
MSCHAPv1)

>> After authenticating to RADIUS, you may get another prompt if
>> the RADIUS server responded with a supported Access Challenge.
>> Full generic RADIUS challenge/response is not supported, but a
>> limited access challenge for a string token code is supported.
>
> What does that mean?

I have absolutely no clue, but I'm getting closer. I now managed to
configure freeradius in order that I get the second prompt (see below).

>> - So now I want freeradius to send 'Access Challenge' and send a
>>   sms to the user (for that purpose I wrote a perl daemon which
>>   listens on a unix socket in order to talk to smsotp freeradius
>>   module)[1]. However nothing comes in.
>
> What does that mean?  nothing comes in ???

I meant that my perl daemon is never called by freeradius, but now I
figured out how to receive at least the first stage of the smsotp
configuration (I had to send out a greeting on the socket, otherwise the
smsotpd radius plugin would wait forever).

>> authenticate {
>> 	mschap
>> 	Auth-Type smsotp {
>> 		mschap
>> 		smsotp
>> 	}
>
> I really doubt that will work.

I modified it to look like that:

authorize {
	mschap
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
		smsotp
	}

	Auth-Type smsotp-reply {
		smsotp
	}
}

I now get the first prompt, followed by the second prompt which is
asking for the pin received via sms. However when I type in a code, I
don't see anything in freeradius or my smsotpd.

Output of smsotpd now shows:

(minisqueeze) [~/work/smsotpd] ./smsotpd.pl
generate otp for directory\Administrator
generate otp for directory\Administrator
quit
Received QUIT

Which is the first stage of the challenge response.

http://thomas.glanzmann.de/tmp/radius-x.txt
http://thomas.glanzmann.de/tmp/smsotpd.pl
http://thomas.glanzmann.de/tmp/radius.pcap

I sniffed and I only see two packets (one Access Request and one Access
Challenge). However when I type the sms passcode and press return,
absolutely nothing happens (no packets are sent over the network and I
get a new prompt).

Cheers,
Thomas
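An added example, not code from the thread or from the FreeRADIUS project, of the exchange described above: it builds the Access-Request, the Access-Challenge carrying a State attribute, verifies the Response Authenticator the way a NAS should, and shows the second Access-Request the client must send with State copied back unchanged. The shared secret, user name and State bytes are constructed, and the User-Password attribute that would carry the token code is left out.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24

def encode_attrs(attrs):
    # each attribute is Type(1) Length(1, counts the 2-byte header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def build_request(ident, attrs):
    # an Access-Request carries a fresh 16-byte random Request Authenticator
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body

def build_reply(code, request, secret, attrs):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_reply(reply, request, secret):
    # a client must drop replies whose ID or Response Authenticator do not match its request
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and reply[4:20] == expected

def challenge_round_trip(secret=b"constructed-shared-secret"):
    # constructed exchange: request -> challenge (with State) -> second request echoing State
    req1 = build_request(1, [(USER_NAME, b"directory\\Administrator")])
    state = os.urandom(8)  # opaque octets; the client must echo them without interpreting them
    chal = build_reply(ACCESS_CHALLENGE, req1, secret,
                       [(REPLY_MESSAGE, b"Enter the code sent by SMS:"), (STATE, state)])
    if chal[0] != ACCESS_CHALLENGE or not verify_reply(chal, req1, secret):
        return False
    echoed = dict(decode_attrs(chal[20:]))[STATE]
    req2 = build_request(2, [(USER_NAME, b"directory\\Administrator"), (STATE, echoed)])
    # the server can only tie the second request to the challenge through this unmodified State
    return dict(decode_attrs(req2[20:])).get(STATE) == state
```

If the second Access-Request never leaves the client, as in the capture above, the server has nothing to correlate and the smsotp-reply stage is never reached.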


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello Alan,

>> MSCHAPv2
>
> So when I said it was impossible, what did you think that meant?
>
> a) keep working on it
>
> b) try something else

your e-mail arrived after I did the 'progress'. Can you tell me for
which other authentication (pap, chap, mschapv1) methods it works?

Cheers,
Thomas


Re: MSCHAPv2 followed by a smsotp authentication

2012-03-29 Thread Thomas Glanzmann
Hello Alan,

> your e-mail arrived after I did the 'progress'. Can you tell me for
> which other authentication (pap, chap, mschapv1) methods it works?

I configured it to use pap, and I now have the same behaviour using pap,
mschapv1 and mschapv2. The client sends an 'Access Request', the server
answers with an 'Access Challenge', I get a prompt, but no further
communication when I press OK.

I now try to get a pcap from a working authentication in order to see
what is going on here.

Cheers,
Thomas