Re: WiMAX TLV value correct in debug but not correct in packet capture
The last attempt was on a dedicated piece of hardware, not a VM. I also switched the OS to 64bit. As for the network card, since I get this in the VM system (v2 rpm and V3 compiled), and on the dedicated hardware (Fedora 19 rpm), and I am performing the capture on the radius server itself (before it hits the card) this shouldn't be the problem (or if it is I'm going to buy a lottery ticket). The config on the latest system is all in file, made it as basic as I could.

Radclient is a good suggestion, I will try it and see what happens, perhaps it will yield something interesting, perhaps a strange interaction that the client itself is causing.

Thanks,
James

On 08/01/2013 12:02 AM, Alan DeKok wrote:
> James Leavitt wrote:
> > I just rebuilt a new server on a newer os (and 64 bit vs 32), and I am still seeing the same issue.
>
> Weird...
>
> > I must have something messed up somewhere. Only thing is order of the whole structure is different from my prod, but that shouldn't matter.
>
> It's hard to mess up basic RADIUS packet encoding. The whole point of the server design is that you *can't* mess it up. You deal with Attribute = value, not with hex bytes in a packet.
>
> > Here's my eap.conf just in case there is something worth looking at, most significant changes that I've done here is copy_request_to_tunnel = yes and use_tunneled_reply = yes:
>
> Nothing there is relevant.
>
> What happens when you put the sample entry into the users file, and run radclient with a fixed name / password? If the encoding is still broken, then the problem is definitely not EAP.
>
> I fail to see how the encoding can be broken... especially on v2 and v3, which have completely different packet encoders.
>
> Are you sure that nothing else in the network is breaking the packets? i.e. is your network card OK? What happens when you try to run it on different physical hardware? I've seen issues like this before when a network card was broken. Change the card (or entire machine), and the problem goes away.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WiMAX TLV value correct in debug but not correct in packet capture
HI Alan,

Still no dice. I've disabled the database and used the file as suggested (which is something that I had yet to try, but as you recommended I've done so). I have tried with and without the Session-Timeout and Acct-Interim-Interval without any effect.

Here's the hex output (from the attached pcap):

1c 11 00 01 04 45 b7 02 04 cf b7 03 06 cf b7 01 00
1c 11 00 01 04 45 b7 02 04 d2 b7 03 06 d0 b7 00 00

And the debug snip (this is from a time I removed the other two *working* values):

[ttls] Got tunneled reply code 2
        WiMAX-Packet-Data-Flow-Id := 14
        WiMAX-Service-Data-Flow-Id := 14
        WiMAX-Service-Profile-Id := 14
        WiMAX-Packet-Data-Flow-Id += 17
        WiMAX-Service-Data-Flow-Id += 17
        WiMAX-Service-Profile-Id += 17

Attached is a pcap of the transaction indicating the TLVs are not consistent with the DB or the file. It has been consistent with radsniff, although I use tcpdump / wireshark when comparing with the working systems.

One thing to note is that I am using TTLS and copying the values to the outer tunnel, are you performing the same in your test? I wonder if it's a library somewhere on the OS that's making it go awry. I keep thinking I've set something that would make this happen, but I cannot get over the fact that other values are working fine.

Thanks,
James

On 07/31/2013 10:06 AM, Alan DeKok wrote:
> James Leavitt wrote:
> > After some compiling and configuring, I've managed to get version 3.0.0 up and running, and I seem to be having a similar issue:
>
> I don't see that on my systems. radsniff, radclient, and pcap all show that the WiMAX attributes are correct.
>
> Data:
> 1a 17 00 00 60 b5 1c 11 00 01 04 00 0e 02 04 00 0e 03 06 00 00 00 0e
> 1a 17 00 00 60 b5 1c 11 00 01 04 00 11 02 04 00 11 03 06 00 00 00 11
>
> Please post a hex dump of the packets. i.e. put this into the users file:
>
> bob Cleartext-Password := bob
>     WiMAX-Packet-Data-Flow-Id := 14,
>     WiMAX-Service-Data-Flow-Id := 14,
>     WiMAX-Service-Profile-Id := 14,
>     WiMAX-Packet-Data-Flow-Id += 17,
>     WiMAX-Service-Data-Flow-Id += 17,
>     WiMAX-Service-Profile-Id += 17
>
> And run radclient - args to do the test. You will get a hex dump like I posted above. It should be identical.
>
> My guess is that you have FreeRADIUS using one WiMAX dictionary, and radsniff, etc. using another. Some vendors made their own, incompatible, version of the WiMAX dictionaries. Which is a stupid idea, but that's what vendors do.
>
> Alan DeKok.

--
James Leavitt
Network Systems Architect
Xplornet Communications Inc.
300 Lockhart Mill Road
Woodstock, NB E7M 5C3
Phone: (506) 324-8659
Fax: (506) 328-1582
Cell: (506) 324-4960
Helpdesk: (888) 439-6511
Email: james.leav...@corp.xplornet.com
Xplornet - Broadband Everywhere.
GPG / SSH Public Keys in V-Card Notes

Attachment: 1370_tlv_issue.pcap (application/vnd.tcpdump.pcap)
Re: WiMAX TLV value correct in debug but not correct in packet capture
Sorry Alan, I left that part out since it is coming through ok, here's the whole thing (you can see the 00 00 60 b5 after the 1a 17):

1a 17 00 00 60 b5 1c 11 00 01 04 45 b7 02 04 cf b7 03 06 cf b7 01 00
1a 17 00 00 60 b5 1c 11 00 01 04 45 b7 02 04 d2 b7 03 06 d0 b7 00 00

Interesting theory though, I did *try* a change in the dictionaries in a vain attempt to solve this issue (tried the included wimax and wichorus), but I rolled them back. I also compiled 3.0.0 and installed in a new location, and never touched those dictionaries at all, same bizarre problem. If the binaries are broken, then I now have two sets of broken binaries (granted they are on the same platform so perhaps it's a library problem?). Perhaps I should install a whole new system / os and test on it to see if a similar problem exists. What I will try now is another TLV and see how it behaves.

Thanks,
James

On 07/31/2013 01:19 PM, Alan DeKok wrote:
> See the hex output. The 00 00 60 b5 is the WiMAX forum vendor ID. Your debug output has 00 01 04 45 in the same place.
>
> So either the dictionaries are broken, or the binaries are broken. Either way, this problem doesn't appear in a stock install with the stock dictionaries.
>
> So what changes have you made, and why?
>
> On 2013-07-31, at 10:57 AM, James Leavitt james.leav...@corp.xplornet.com wrote:
> > HI Alan,
> >
> > Still no dice. I've disabled the database and used the file as suggested (which is something that I had yet to try, but as you recommended I've done so). I have tried with and without the Session-Timeout and Acct-Interim-Interval without any effect.
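A decoder for the VSA bytes quoted in this thread, as an added example (not FreeRADIUS code): it walks the RADIUS Vendor-Specific attribute (type 26), checks the WiMAX Forum vendor id 00 00 60 b5, then the vendor type 1c, vendor length and continuation octet, and decodes the Packet-Flow-Descriptor sub-TLVs with the widths the hex itself shows (2-byte shorts for sub-types 1 and 2, a 4-byte integer for sub-type 3). Run over Alan's stock dump it yields 14/14/14 and 17/17/17; run over the dump James posted it yields the stray values a capture shows. Sub-attribute names follow FreeRADIUS's dictionary.wimax; the mismatch helper and the constants are this example's own.

```python
"""Decode WiMAX Packet-Flow-Descriptor VSAs from a RADIUS hex dump.

Added example, not FreeRADIUS code. Wire layout (RFC 2865 Vendor-Specific
attribute carrying a WiMAX Forum vendor attribute with a continuation octet):

  1a len | 00 00 60 b5 | vtype vlen cont | sub-TLVs: type len value ...
"""
import struct

VENDOR_SPECIFIC = 0x1a          # RADIUS attribute 26
WIMAX_VENDOR_ID = 0x000060b5    # WiMAX Forum, PEN 24757
PACKET_FLOW_DESCRIPTOR = 0x1c   # WiMAX-Packet-Flow-Descriptor, vendor type 28

# Sub-attribute number -> (dictionary.wimax name, width in bytes on the wire)
PFD_SUBATTRS = {
    1: ("WiMAX-Packet-Data-Flow-Id", 2),   # short
    2: ("WiMAX-Service-Data-Flow-Id", 2),  # short
    3: ("WiMAX-Service-Profile-Id", 4),    # integer
}


def parse_hex_dump(text):
    """Turn a space-separated hex dump ('1a 17 00 ...') into bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_pfd_tlvs(body):
    """Decode the sub-TLVs inside one WiMAX-Packet-Flow-Descriptor."""
    pairs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated sub-TLV header at offset %d" % pos)
        sub_type, sub_len = body[pos], body[pos + 1]
        if sub_len < 2 or pos + sub_len > len(body):
            raise ValueError("bad sub-TLV length %d at offset %d" % (sub_len, pos))
        value = body[pos + 2:pos + sub_len]
        name, width = PFD_SUBATTRS.get(sub_type, ("WiMAX-PFD-Sub-%d" % sub_type, None))
        if width is not None and len(value) != width:
            raise ValueError("%s carries %d bytes, dictionary says %d" % (name, len(value), width))
        # Integers are big-endian on the wire; unknown sub-types are kept as hex.
        pairs.append((name, int.from_bytes(value, "big") if width else value.hex()))
        pos += sub_len
    return pairs


def decode_wimax_vsas(data):
    """Decode every Vendor-Specific attribute in `data` into (name, value) pairs.

    Every length is checked against the enclosing one, so a dump that does not
    add up raises instead of yielding plausible-looking garbage."""
    pairs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_type != VENDOR_SPECIFIC:
            raise ValueError("attribute %d at offset %d is not Vendor-Specific" % (attr_type, pos))
        if attr_len < 9 or pos + attr_len > len(data):
            raise ValueError("bad VSA length %d at offset %d" % (attr_len, pos))
        vendor_id = struct.unpack("!I", data[pos + 2:pos + 6])[0]
        if vendor_id != WIMAX_VENDOR_ID:
            raise ValueError("vendor id 0x%08x is not the WiMAX Forum" % vendor_id)
        vtype, vlen, cont = data[pos + 6], data[pos + 7], data[pos + 8]
        if vlen != attr_len - 6:
            raise ValueError("vendor length %d does not fit VSA length %d" % (vlen, attr_len))
        if cont & 0x80:
            raise ValueError("continuation bit set; fragmented WiMAX attributes not handled here")
        body = data[pos + 9:pos + attr_len]
        if vtype == PACKET_FLOW_DESCRIPTOR:
            pairs.extend(decode_pfd_tlvs(body))
        else:
            pairs.append(("WiMAX-Attr-%d" % vtype, body.hex()))
        pos += attr_len
    return pairs


def mismatches(expected, decoded):
    """Compare what the server's debug output claims with what the wire carries.

    Both are ordered (name, value) lists; returns the positions that differ."""
    diffs = [(i, want, got) for i, (want, got) in enumerate(zip(expected, decoded)) if want != got]
    if len(expected) != len(decoded):
        diffs.append((len(diffs), "count %d" % len(expected), "count %d" % len(decoded)))
    return diffs


# The dump Alan posted from a stock install (values 14 and 17), and the one
# James posted from the misbehaving server, both copied from the thread.
STOCK_DUMP = ("1a 17 00 00 60 b5 1c 11 00 01 04 00 0e 02 04 00 0e 03 06 00 00 00 0e "
              "1a 17 00 00 60 b5 1c 11 00 01 04 00 11 02 04 00 11 03 06 00 00 00 11")
BROKEN_DUMP = ("1a 17 00 00 60 b5 1c 11 00 01 04 45 b7 02 04 cf b7 03 06 cf b7 01 00 "
               "1a 17 00 00 60 b5 1c 11 00 01 04 45 b7 02 04 d2 b7 03 06 d0 b7 00 00")

# What the debug output says the reply should contain.
EXPECTED = [("WiMAX-Packet-Data-Flow-Id", 14), ("WiMAX-Service-Data-Flow-Id", 14),
            ("WiMAX-Service-Profile-Id", 14), ("WiMAX-Packet-Data-Flow-Id", 17),
            ("WiMAX-Service-Data-Flow-Id", 17), ("WiMAX-Service-Profile-Id", 17)]

if __name__ == "__main__":
    for label, dump in (("stock", STOCK_DUMP), ("broken", BROKEN_DUMP)):
        decoded = decode_wimax_vsas(parse_hex_dump(dump))
        print(label, decoded)
        for pos, want, got in mismatches(EXPECTED, decoded):
            print("  mismatch at %d: debug says %r, wire has %r" % (pos, want, got))
```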
Re: WiMAX TLV value correct in debug but not correct in packet capture
Understood Alan,

As I admitted I should have followed your example and copied the whole VSA, not just the TLV section, again mea culpa. I did however include the PCAP as you had requested, which has the works.

James

On 07/31/2013 02:34 PM, Alan DeKok wrote:
> If you're asking for help, it's a good idea to be honest about it. Editing the hex output and *not* saying so is rude.
>
> The reason I asked for the hex output is because I wanted the hex output. I didn't want a butchered version of the hex output.
>
> On 2013-07-31, at 1:19 PM, James Leavitt james.leav...@corp.xplornet.com wrote:
> > Sorry Alan, I left that part out since it is coming through ok, here's the whole thing (you can see the 00 00 60 b5 after the 1a 17):
Re: WiMAX TLV value correct in debug but not correct in packet capture
Strange indeed. I just rebuilt a new server on a newer os (and 64 bit vs 32), and I am still seeing the same issue. I must have something messed up somewhere. Only thing is order of the whole structure is different from my prod, but that shouldn't matter.

Here's my eap.conf just in case there is something worth looking at, most significant changes that I've done here is copy_request_to_tunnel = yes and use_tunneled_reply = yes:

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##  $Id$

###
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the eap2 module.
#  See experimental.conf for documentation.
#
eap {
    #  Invoke the default supported EAP type when
    #  EAP-Identity response is received.
    #
    #  The incoming EAP messages DO NOT specify which EAP
    #  type they will be using, so it MUST be set here.
    #
    #  For now, only one default EAP type may be used at a time.
    #
    #  If the EAP-Type attribute is set by another module,
    #  then that EAP type takes precedence over the
    #  default type configured here.
    #
    default_eap_type = md5

    #  A list is maintained to correlate EAP-Response
    #  packets with EAP-Request packets.  After a
    #  configurable length of time, entries in the list
    #  expire, and are deleted.
    #
    timer_expire = 60

    #  There are many EAP types, but the server has support
    #  for only a limited subset.  If the server receives
    #  a request for an EAP type it does not support, then
    #  it normally rejects the request.  By setting this
    #  configuration to yes, you can tell the server to
    #  instead keep processing the request.  Another module
    #  MUST then be configured to proxy the request to
    #  another RADIUS server which supports that EAP type.
    #
    #  If another module is NOT configured to handle the
    #  request, then the request will still end up being
    #  rejected.
    ignore_unknown_eap_types = no

    #  Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
    #  a User-Name attribute in an Access-Accept, it copies one
    #  more byte than it should.
    #
    #  We can work around it by configurably adding an extra
    #  zero byte.
    cisco_accounting_username_bug = no

    #
    #  Help prevent DoS attacks by limiting the number of
    #  sessions that the server is tracking.  Most systems
    #  can handle ~30 EAP sessions/s, so the default limit
    #  of 4096 should be OK.
    max_sessions = 4096

    #  Supported EAP-types

    #
    #  We do NOT recommend using EAP-MD5 authentication
    #  for wireless connections.  It is insecure, and does
    #  not provide for dynamic WEP keys.
    #
    md5 {
    }

    #  Cisco LEAP
    #
    #  We do not recommend using LEAP in new deployments.  See:
    #  http://www.securiteam.com/tools/5TP012ACKE.html
    #
    #  Cisco LEAP uses the MS-CHAP algorithm (but not
    #  the MS-CHAP attributes) to perform its authentication.
    #
    #  As a result, LEAP *requires* access to the plain-text
    #  User-Password, or the NT-Password attributes.
    #  'System' authentication is impossible with LEAP.
    #
    leap {
    }

    #  Generic Token Card.
    #
    #  Currently, this is only permitted inside of EAP-TTLS,
    #  or EAP-PEAP.  The module challenges the user with
    #  text, and the response from the user is taken to be
    #  the User-Password.
    #
    #  Proxying the tunneled EAP-GTC session is a bad idea,
    #  the users password will go over the wire in plain-text,
    #  for anyone to see.
    #
    gtc {
        #  The default challenge, which many clients
        #  ignore..
        #challenge = Password:

        #  The plain-text response which comes back
        #  is put into a User-Password attribute,
        #  and passed to another module for
        #  authentication.  This allows the EAP-GTC
        #  response to be checked against plain-text,
        #  or crypt'd passwords.
        #
        #  If you say Local instead of PAP, then
        #  the module will look for a User-Password
        #  configured for the request, and do the
        #  authentication itself.
        #
        auth_type = PAP
    }

    ## EAP-TLS
    #
    #  See raddb/certs/README for
Re: WiMAX TLV value correct in debug but not correct in packet capture
I've just tried other TLVs and the same problem, meanwhile everything that is not a TLV works.

Thanks,
James

On 07/31/2013 05:10 PM, James Leavitt wrote:
> Strange indeed. I just rebuilt a new server on a newer os (and 64 bit vs 32), and I am still seeing the same issue. I must have something messed up somewhere. Only thing is order of the whole structure is different from my prod, but that shouldn't matter.
>
> Here's my eap.conf just in case there is something worth looking at, most significant changes that I've done here is copy_request_to_tunnel = yes and use_tunneled_reply = yes:
>
> # -*- text -*-
> ##
> ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
> ##
> ##  $Id$
> ...
Re: WiMAX TLV value correct in debug but not correct in packet capture
Thank you Gentlemen,

I am working with Alvarion CPEs but a WiChorus ASN, which I have setup on a commercial AAA without issues. I also have Freeradius working with WiChorus on another instance also but not for receiving these particular TLVs.

I initially performed a tcpdump and this was where I was seeing the different values (which match radsniff btw) than what was programmed. I then compared the capture to our working solution (a commercial radius platform) and confirmed that the values radsniff / tcpdump were what I was expecting, which in turn do not match the output from Freeradius. I feel the problem is when the values are copied to the outer tunnel, but just these TLVs get corrupted.

I'll take a look at 3.0.0 and see if I can work with that and post back my findings.

Thanks again,
James

On 07/30/2013 11:13 AM, David Peterson wrote:
> Don't forget if the hardware is Alvarion or Runcom you cannot use the standard dictionaries. Alvarion (now Telrad) is proprietary but similar to the standard dictionary and Runcom only uses their own.
>
> David
>
> -----Original Message-----
> From: freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Tuesday, July 30, 2013 8:02 AM
> To: FreeRadius users mailing list
> Subject: Re: WiMAX TLV value correct in debug but not correct in packet capture
>
> James Leavitt wrote:
> > I've probably missed something or buggered an option, but I've searched and searched and cannot find an answer to this. This is for a WiMAX deployment and am using the built in dictionaries. The issue is with the WiMAX-Packet-Flow-Descriptor tlv.
> > ...
> > Everything looks good but on a pcap / radsniff I get this:
>
> Put the raw pcap file somewhere. Maybe the issue is the server, maybe it's radsniff.
>
> You could also try the git branch release_branch_3.0.0. It has a re-written WiMAX encoder / decoder, which now works everywhere.
>
> Alan DeKok.
Re: WiMAX TLV value correct in debug but not correct in packet capture
Ok,

After some compiling and configuring, I've managed to get version 3.0.0 up and running, and I seem to be having a similar issue:

Radsniff on the wire (verified that it is the same in tcpdump and wireshark):

Access-Accept Id 204 10.199.10.14:1812 -> 10.199.20.240:6217 +3.541
        Session-Timeout = 86400
        Acct-Interim-Interval = 60
        WiMAX-Packet-Data-Flow-Id = 18359
        WiMAX-Service-Data-Flow-Id = 3513
        WiMAX-Service-Profile-Id = 263782400
        WiMAX-Packet-Data-Flow-Id = 18359
        WiMAX-Service-Data-Flow-Id = 18359
        WiMAX-Service-Profile-Id = 0
        Microsoft-Attr-17 = 0x86c4d95414f6aecd8f16cc5ef0aa1ff8b5354e553cb724bc9f103636741cdef35a57f89db1afca3711c57d5d900a06b2578b
        Microsoft-Attr-16 = 0x8812b94254b5c21e2be59bd62927f045f5536b1844f79f45ca7d9442db106f538f8b960b61bb483f61bad39442975af58612
        EAP-Message = 0x03070004
        Message-Authenticator = 0xd4654370830d4a11371d217714ee7b4f
        User-Name = 1b2d2f35483d3bef7d8827ea61f8e...@undisclosed.com

Debug on the radius server process shows things as they are in the DB:

Sending Access-Accept of id 204 to 10.199.20.240 port 6217
        Session-Timeout := 86400
        Acct-Interim-Interval := 60
        WiMAX-Packet-Data-Flow-Id := 14
        WiMAX-Service-Data-Flow-Id := 14
        WiMAX-Service-Profile-Id := 14
        WiMAX-Packet-Data-Flow-Id += 17
        WiMAX-Service-Data-Flow-Id += 17
        WiMAX-Service-Profile-Id += 17
        MS-MPPE-Recv-Key = 0xc5232594526fb99097311c861a49671710a2d6db7c0068788ef0122c9b551ae1
        MS-MPPE-Send-Key = 0xed6c9de58fabf8519b09d2900849d611142ece093a7a6973869761872d9c9bc6
        EAP-Message = 0x03070004
        Message-Authenticator = 0x
        User-Name = 1b2d2f35483d3bef7d8827ea61f8e...@undisclosed.com

I am trying to get a tcp capture but the system is now not letting me re-auth (I was working on fixing the CSID in the accounting and must have changed something it doesn't like) so not sure what's up, but I don't believe v3 is the solution. I will get a tcpdump if it's worth while.
Thanks,
James

On 07/30/2013 12:01 PM, James Leavitt wrote:
> Thank you Gentlemen,
>
> I am working with Alvarion CPEs but a WiChorus ASN, which I have setup on a commercial AAA without issues. I also have Freeradius working with WiChorus on another instance also but not for receiving these particular TLVs.
WiMAX TLV value correct in debug but not correct in packet capture
Version info:
radiusd: FreeRADIUS Version 2.2.0, for host i686-redhat-linux-gnu, built on Oct 9 2012 at 17:47:30
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.

Hello Everyone,

I've probably missed something or buggered an option, but I've searched and searched and cannot find an answer to this. This is for a WiMAX deployment and am using the built in dictionaries. The issue is with the WiMAX-Packet-Flow-Descriptor tlv.

Below is what's configured in my DB:

 id  | groupname | attribute                  | op | value
-----+-----------+----------------------------+----+-------
 100 | Business  | Session-Timeout            | := | 86400
 101 | Business  | Acct-Interim-Interval      | := | 60
 110 | Business  | WiMAX-Packet-Data-Flow-Id  | := | 14
 111 | Business  | WiMAX-Service-Data-Flow-Id | := | 14
 112 | Business  | WiMAX-Service-Profile-Id   | := | 14
 120 | Business  | WiMAX-Packet-Data-Flow-Id  | += | 17
 121 | Business  | WiMAX-Service-Data-Flow-Id | += | 17
 122 | Business  | WiMAX-Service-Profile-Id   | += | 17

From a debug I get this (relevant section):

Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
        Session-Timeout := 86400
        Acct-Interim-Interval := 60
        WiMAX-Packet-Data-Flow-Id := 14
        WiMAX-Service-Data-Flow-Id := 14
        WiMAX-Service-Profile-Id := 14
        WiMAX-Packet-Data-Flow-Id += 17
        WiMAX-Service-Data-Flow-Id += 17
        WiMAX-Service-Profile-Id += 17
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
[wimax] MIP-RK = 0x00b0ce41e978a30ec9b196bdea7bd74def743761ddc81add6cb19ca577056e59ea814c5b54891482a045773e861657260658939502a9babd7c0a59a92a99cf87
[wimax] MIP-SPI = 42f4fa35
[wimax] WARNING: WiMAX-MN-NAI was not found in the request or in the reply.
[wimax] WARNING: We cannot calculate MN-HA keys.
[wimax] WARNING: WiMAX-IP-Technology not found in reply.
[wimax] WARNING: Not calculating MN-HA keys
++[wimax] returns updated
Sending Access-Accept of id 2 to 10.199.20.240 port 6219
        Session-Timeout := 86400
        Acct-Interim-Interval := 60
        WiMAX-Packet-Data-Flow-Id := 14
        WiMAX-Service-Data-Flow-Id := 14
        WiMAX-Service-Profile-Id := 14
        WiMAX-Packet-Data-Flow-Id += 17
        WiMAX-Service-Data-Flow-Id += 17
        WiMAX-Service-Profile-Id += 17
        MS-MPPE-Recv-Key = 0x6b033615247e78ea0e225bea745bba8c33634e0bf28ea0388174965a980b1642
        MS-MPPE-Send-Key = 0x1a21679697b923cc88f4b4ba4fa37ded7f00c035811cd6ff18b4fb4e64956077
        EAP-Message = 0x03070004
        Message-Authenticator = 0x
        User-Name = 1320cd7377dcb1aa6bacbbad1a23a...@undisclosed.com
Finished request 14.

Everything looks good but on a pcap / radsniff I get this:

Access-Accept Id 2 10.199.10.14:1812 -> 10.199.20.240:6219 +31.411
        Session-Timeout = 86400
        Acct-Interim-Interval = 60
        WiMAX-Packet-Data-Flow-Id = 17079          <--
        WiMAX-Service-Data-Flow-Id = 13496         <--
        WiMAX-Service-Profile-Id = 918034516       <--
        WiMAX-Packet-Data-Flow-Id = 17079          <--
        WiMAX-Service-Data-Flow-Id = 17079         <--
        WiMAX-Service-Profile-Id = 884473856       <--
        Microsoft-Attr-17 = 0x812038c3de66aec29f91928f3e5346f5911aa110d4c33dfd5556b1aebeb7c637b53c2420b3cd73763eb7c06f5386e6cef612
        MS-MPPE-Send-Key = 0x1be2107278
        EAP-Message = 0x03070004
        Message-Authenticator = 0x70f2a2f9037b10be87a6ad954a205159
        User-Name = 1320cd7377dcb1aa6bacbbad1a23a...@undisclosed.com

As can be seen, Session-Timeout and Acct-Interim-Interval all match up, but the others don't, and even change from time to time without anything other than a restart of radiusd. I see the definition in the wimax dictionary is short.

Anyhow, if there's a bug / solution / setting that I've blatantly missed, please let me know. I am attaching more debug below.

Thanks,
James

Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.199.20.240 port 6216, id=0, length=274
        User-Name = 1320cd7377dcb1aa6bacbbad1a23a...@undisclosed.com
        Chargeable-User-Identity = null
        NAS-IP-Address = 10.199.20.240
        NAS-Port = 5
        NAS-Port-Type = Wireless-802.16
        Framed-MTU = 1400
        NAS-Identifier = test
        Calling-Station-Id = \000\202g\023p
        Service-Type = Framed-User
        WiMAX-GMT-Timezone-offset = 0
        WiMAX-BS-Id = 0x83010102
Re: Proxy Treatment of PAP/Chap Auth Types
Thanks for your usual indulgence and assistance, Alan and all. Much appreciated.

I did the hopelessly illogical thing of testing it from an actual NAS associated with the proxy. The home server, which had been returning those rejects thus far, now accepted the user without fuss. Must be something specific to the configuration of radtest on proxy server, from which I had been testing.

Having cleared that hurdle, I have a slight difficulty in accounting, if you have a minute, wise ones. Can the proxy server log all accounting requests to the sql module before (or after?) it passes them on to the home server? Is there a switch I can test for (in the same way as notfound) in the accounting module that can prompt the proxy sql module to run even if the home server has marked the request handled?

Many Thanks,
JamesTM
Proxy Treatment of PAP/Chap Auth Types
Hi,

Hope someone can give me a pointer on this matter. We have 2 RADIUS installations, thus:

1. FreeRADIUS/mysql Version 2.1.1, in whose radcheck, Password attribute is 'User-Password'
2. FreeRADIUS/mysql Version 2.1.10, in whose radcheck, Password attribute is 'Cleartext-Password'

On both freeradius servers sql and perl modules are enabled in authorize and accounting groups, and both servers accept PAP and CHAP auth if queried directly.

Server 2 is configured to proxy requests for unknown users for certain prefixes/suffixes to server 1, if perl and sql return no user:

authorize {
        preprocess
        chap
        mschap
        digest
        eap {
                ok = return
        }
        files
        expiration
        logintime
        sql
        perl
        if (notfound) {
                suffix
                hotspotUser
        }
        pap
}

Challenge is, on Server 2, testing with radtest (passing the attributes so: radtest -t type iS_u2h4gna a2uwv localhost 1812 secret), local users are authed fine, but non-local users always return with a reject.

Debug output of server 1, if I use CHAP to attempt auth with radtest on server 2, is always:

++[pap] returns noop
Found Auth-Type = CHAP
!!!                                                                         !!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!                                                                         !!!
!!! Please update your configuration so that the known good                 !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!                                                                         !!!
+- entering group CHAP {...}
[chap] login attempt by iS_u2h4gna with CHAP password
[chap] Using clear text password uz3f9 for user iS_u2h4gna authentication.
[chap] Password check failed
++[chap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

If I use PAP with radtest on server 2, server 1 returns:

++[pap] returns updated
Found Auth-Type = PAP
!!!                                                                         !!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!                                                                         !!!
!!! Please update your configuration so that the known good                 !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!                                                                         !!!
+- entering group PAP {...}
[pap] login attempt with password a2uwv
[pap] Using clear text password uz3f9
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

I have tried changing the known good clear text password on server 1 as recommended in the warning to no effect. (Is this because User-Password and Cleartext-Password must necessarily be unequal and co-related?) If so, how can I convert 1 to the other?

Hopefully,
JamesTM
Re: Eduroam FreeRadius not working so well
On 11 December 2012 03:14, Mike Diggins mike.digg...@mcmaster.ca wrote:

> ok, both the default and inner-tunnel, I assume?

default only - you don't want to proxy the inner bit - if the inner realm doesn't match blank or yours, you need to reject.

> I added the section to authorize, but the DEBUG output indicates the regular expression is rejecting a valid user. Is there someone that could confirm the RE?
>
> if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) { ...

add the case-insensitive flag i.e. end the line with

	$/i) {

instead of your current:

	$/) {

Kind regards,
James
--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
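The realm check above, as an added example that is not part of the thread or of FreeRADIUS itself: it runs the same expression with and without the case-insensitive flag James recommends, and then applies the routing rule from his reply (outer server proxies foreign realms, inner server rejects anything that is not blank or the local realm). The local realm value is a placeholder.

```python
import re

# The condition from the thread, written as a Python raw string; unlang needs the
# doubled backslash ("\\.") for the literal dot, Python needs only one.
REALM_RE = r"^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$"

# Placeholder for the institution's own realm; not a value from the thread.
LOCAL_REALM = "example.ac.uk"


def split_user_name(user_name, case_insensitive=True):
    """Return (user, realm) or None. The flag is the /i James recommends adding:
    without it a lowercase realm such as mcmaster.ca never matches [-A-Z0-9]+."""
    flags = re.IGNORECASE if case_insensitive else 0
    m = re.match(REALM_RE, user_name, flags)
    if m is None:
        return None
    return m.group(1), m.group(2)


def route_request(user_name, virtual_server, local_realm=LOCAL_REALM):
    """Decide what a virtual server should do with an identity.

    'default' (outer):  no realm or own realm -> 'local', foreign realm -> 'proxy',
                        anything that does not parse -> 'reject'.
    'inner-tunnel':     only no realm or own realm -> 'local'; everything else ->
                        'reject', because the inner identity must never be proxied.
    """
    if "@" not in user_name:
        return "local"
    parsed = split_user_name(user_name)
    if parsed is None:
        return "reject"
    _user, realm = parsed
    if realm.lower() == local_realm.lower():
        return "local"
    return "proxy" if virtual_server == "default" else "reject"


if __name__ == "__main__":
    for name in ("mike@mcmaster.ca", "alice@example.ac.uk", "bob", "bad@@host"):
        print(name, "default:", route_request(name, "default"),
              "inner-tunnel:", route_request(name, "inner-tunnel"))
```

The second function is the decision the two virtual servers make; in unlang the same split is what the `suffix` / realm modules do for you, the example only makes the rule explicit.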
Re: Freeradius like WPA2-PSK
On 28 November 2012 19:54, Brian Julin bju...@clarku.edu wrote:

> WPA2-Enterprise with PEAP authentication is automatically recognized by most new clients these days. The clients will prompt for a username and a password. If you generate an ntcrypt (by shelling out of FR to a utility to do so) for an inbound username/password on the RADIUS side from a known cleartext password on the fly, you can arrange things such that that password is accepted for any username.

Hi Brian,

Slightly tangential to the original question. But if you want to implement as per this suggestion, why do you need the external ntcrypt script. All that functionality is built in, just do this:

server INNER-eap {
	authorize {
		...
		update control {
			Cleartext-Password := 'thePassword'
			MS-CHAP-Use-NTLM-Auth := 0
		}
		...
	}
	...
}

Kind regards,
James
--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
Configuration check
I ran into an issue where proxy.conf was globally readable for some reason, freeradius wouldn't start because of this and this wasn't picked up by radiusd -C. Can this check be added?
Re: Configuration check
* globally writable I mean

On Tue, Nov 27, 2012 at 8:55 AM, James Devine fxmul...@gmail.com wrote:

> I ran into an issue where proxy.conf was globally readable for some reason, freeradius wouldn't start because of this and this wasn't picked up by radiusd -C. Can this check be added?
Re: Configuration check
radiusd -XC seems to produce what I was looking for, thanks.

On Tue, Nov 27, 2012 at 9:10 AM, Alan DeKok al...@deployingradius.com wrote:

> James Devine wrote:
> > * globally writable I mean
>
> It already checks that.
>
> $ chmod a+w raddb/proxy.con
> $ radiusd -XC
> ...
> Configuration file ./raddb//proxy.conf is globally writable. Refusing to start due to insecure configuration.
> Errors reading or parsing ./raddb//debug.conf
>
> If you don't see this, it's because you're running a very old version without that check, or raddb/proxy.conf isn't actually globally writable.
>
> Alan DeKok.
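The permission check Alan shows, reproduced as an added example (my code, not FreeRADIUS's): it walks a raddb tree and flags what radiusd -XC refuses (globally writable files), and, as this example's own extra policy, flags secret-bearing files such as clients.conf or proxy.conf that are world-readable, which is the condition the original post first described. The demo tree it builds is constructed in a temp directory.

```python
import stat
import tempfile
from pathlib import Path

# Files in a raddb tree that carry shared secrets. The world-readable check is this
# example's own policy; radiusd -XC itself only refuses globally writable files.
SECRET_FILES = {"clients.conf", "proxy.conf"}


def check_raddb_permissions(raddb):
    """Walk a raddb tree and return (path, problem) tuples, sorted by path."""
    findings = []
    for path in sorted(Path(raddb).rglob("*")):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if mode & stat.S_IWOTH:
            findings.append((str(path), "globally writable"))
        if path.name in SECRET_FILES and mode & stat.S_IROTH:
            findings.append((str(path), "globally readable secret file"))
    return findings


def make_demo_raddb():
    """Build a constructed raddb tree in a temp dir with one mis-permissioned file.
    Returns a dict of relative name -> absolute path (plus 'root')."""
    root = Path(tempfile.mkdtemp(prefix="raddb-demo-"))
    (root / "sites-enabled").mkdir()
    layout = {
        "proxy.conf": 0o666,              # the case from the thread: chmod a+w
        "clients.conf": 0o640,            # what a secret-bearing file should look like
        "sites-enabled/default": 0o644,   # world-readable but holds no secret
    }
    paths = {"root": str(root)}
    for rel, mode in layout.items():
        p = root / rel
        p.write_text("# constructed placeholder, not a real config\n")
        p.chmod(mode)
        paths[rel] = str(p)
    return paths


if __name__ == "__main__":
    demo = make_demo_raddb()
    for path, problem in check_raddb_permissions(demo["root"]):
        print(f"{problem}: {path}")
```

Run it against a real raddb directory (`check_raddb_permissions("/etc/raddb")`) from a deployment script so the condition is caught before a restart fails.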
Aliased IPs
I have a freeradius server which has multiple IPs aliased on the same interface. This works if I specify each IP explicitly in its own listen { } section but if I try to listen on * all responses are sent from the same IP regardless of which IP the request was received on.
Re: Aliased IPs
On Fri, Nov 9, 2012 at 12:47 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

> James Devine fxmul...@gmail.com wrote:
> > I have a freeradius server which has multiple IPs aliased on the same interface. This works if I specify each IP explicitly in its own listen { } section but if I try to listen on * all responses are sent from the same IP regardless of which IP the request was received on.
>
> Yes. Don't do this. List each ip
>
> Or, look at udpfromto as an argument to ./configure
> --
> Sent from my phone. Please excuse brevity and typos.

the --with-udpfromto configure option worked, thanks
RE: SSH to Cisco Devices
You definitely can. The Cisco configuration would look like this:

!
version 15.0
!
aaa new-model
aaa group server radius FreeRadius
 server 192.168.0.1 auth-port 1812 acct-port 1813
 ip radius source-interface Vlan10
aaa authentication login default group FreeRadius local
aaa authorization exec default group FreeRadius local
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key *

In clients.conf you have a section that looks like this:

DEFAULT Group == netadmins, Auth-type := System
	Service-Type = Administrative-User,
	Fall-Through = No

Then whomever is in your netadmins group on the FreeRadius system will be allowed administrative access to the devices.

-----Original Message-----
From: freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org [mailto:freeradius-users-bounces+jsmith=windmobile...@lists.freeradius.org] On Behalf Of Michael Schwartzkopff
Sent: August-09-12 12:25 AM
To: freeradius-users@lists.freeradius.org
Subject: SSH to Cisco Devices

Hi,

I know it is possible to use FreeRADIUS to authenticate SSH access to Cisco devices with username/password scheme. Cisco's IOS in version 15 also offers the private/public key authentication scheme. Is it possible to authenticate the key scheme in FreeRADIUS? Or does anybody know if that is possible in Cisco's ACS?

Thanks for any hint.

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
Fax: (089) 620 304 13
v2.1.x/src/modules/rlm_mschap/rlm_mschap.c
Hi Alan,

@dcc5543c03 recently committed to github was:

} -snprintf(buffer + 12 + 32, sizeof(buffer) - 45, +snprintf(buffer + 45, sizeof(buffer) - 45, V=3 M=%s, inst-retry_msg); }

I may have miscounted, but shouldn't that be:

snprintf(buffer + 44, sizeof(buffer) - 44, ^^^ ^^^ ?

Kind regards,
James
--
James J J Hooper
Senior Network Specialist, University of Bristol
http://wireless.bristol.ac.uk
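Review bot: the arithmetic in the hunk is inconsistent. The removed line's offset is 12 + 32 = 44, yet the added line moves the offset to buffer + 45 while leaving the remaining length at sizeof(buffer) - 45, so either both numbers should be 44 (the reading in the mail) or the 45 is deliberate and the old 12 + 32 was off by one; an offset of 45 with a length budget of 45 only adds up if exactly 45 bytes precede it. Settle it against the code that fills the buffer before this call, and express both values from one named constant so they cannot drift apart again.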
Re: Specific User Trace and multiple radiusd instant
On 15/05/2012 02:34, 全球无线联盟 wrote:

> 2. We tried to run multiple radiusd at same server while the second failed. Can anyone advise how to configure the server to run multiple radiusd simultaneously?

Why do you need to do this? FreeRADIUS has virtual-server functionality, so you can create separate logical instances running a single daemon.

-James
Re: MSCHAP Errors
On 11/05/2012 13:35, Phil Mayers wrote:

> On 11/05/12 13:10, sgilmour wrote:
> > --nt-response=46eb0f981a6121ad65e5726b0ee0e2097d610172204c7f24
> > Fri May 11 08:08:13 2012 : Debug: Exec-Program output: Access denied (0xc022)
> > Fri May 11 08:08:13 2012 : Debug: Exec-Program-Wait: plaintext: Access denied (0xc022)
> > Fri May 11 08:08:13 2012 : Debug: Exec-Program: returned: 1
> > Fri May 11 08:08:13 2012 : Info: [mschap] External script failed.
> > Fri May 11 08:08:13 2012 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
>
> The ntlm_auth helper is returning errors. Try the command from the CLI and examine the output. Check the permissions on the winbind socket (google for details) and SELinux contexts, if applicable.

AD can return 0xc022 when for example the domain controller ntlm_auth/winbind is talking to can not contact the PDC. If you are continuing to have issues, and have completed Phil's suggestions, check the logs on your domain controllers for anomalies.

-James
MS-CHAPv2, allow_retry=yes, but no code to handle the retry?
Hi All,

FR 2.1.x Git, doing PEAP against AD via ntlm_auth. I thought that with:

	allow_retry = yes [in modules/mschap]
and
	send_error = yes [in modules/eap]

...FR has the functionality to take the second password attempt, and re-try it against AD i.e. The scenario outlined in section 9.1.4 of RFC2759: http://tools.ietf.org/html/rfc2759#section-9.1.4

I can't get it to work: Configuring as above does indeed make Windows re-prompt for the password if the first attempt is bad, but when this comes back to FR, nothing seems to be done with it.

I've had a look at the code. From the little I can understand of it, the new challenge is generated into 'buffer', and sent back to the client in the MS-CHAP-Error attribute (C=new-challenge). However the challenge in buffer is not then put somewhere safe until the client sends its response against the new challenge [having re-prompted the user for the correct password], and when the response comes in it isn't sent to do_mschap()

Am I mistaken and this functionality hasn't been written yet? ...or have I mis-configured something?

Debug snippet appended.

Thanks,
James

## INITIAL ATTEMPT WITH BAD PASSWORD:
Debug: modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 629
Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 9 length 80
Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going EAP conversation
Debug: modsingle[authorize]: returned from eduroamlocaleap-bris-ca (rlm_eap) for request 629
Debug: +++[eduroamlocaleap-bris-ca] returns updated
Debug: ++- else else returns updated
Debug: Found Auth-Type = eduroamlocaleap-bris-ca
Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: +- entering group eduroamlocaleap-bris-ca {...}
Debug: modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 629
Debug: [eduroamlocaleap-bris-ca] Request found, released from the list
Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2
Debug: [eduroamlocaleap-bris-ca] processing type mschapv2
Debug: [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner
Debug: [mschapv2] +- entering group MS-CHAP {...}
Debug: [mschapv2] modsingle[authenticate]: calling eduroamlocalmschap (rlm_mschap) for request 629
Debug: [eduroamlocalmschap] Creating challenge hash with username: jh01...@bristol.ac.uk
Debug: [eduroamlocalmschap] Told to do MS-CHAPv2 for jh01...@bristol.ac.uk with NT-Password
Debug: [eduroamlocalmschap] expand: %{Stripped-User-Name} -> jh01761
Debug: [eduroamlocalmschap] expand: --username=%{%{Stripped-User-Name}:-%{eduroamlocalmschap:User-Name}} -> --username=jh01761
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function of module eduroamlocalmschap for string 'Challenge'
Debug: [eduroamlocalmschap] Creating challenge hash with username: jh01...@bristol.ac.uk
Debug: [eduroamlocalmschap] expand: --challenge=%{eduroamlocalmschap:Challenge} -> --challenge=3db717d83ec4e184
Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function of module eduroamlocalmschap for string 'NT-Response'
Debug: [eduroamlocalmschap] expand: --nt-response=%{eduroamlocalmschap:NT-Response} -> --nt-response=0b7588b2a33b43f7379d4bded3d69adcfbe5da07911b8485
Debug: [eduroamlocalmschap] External script failed.
Debug: [eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
Debug: modsingle[authenticate]: returned from eduroamlocalmschap (rlm_mschap) for request 629
Debug: ++[eduroamlocalmschap] returns reject
Debug: ++? if (reject)
Debug: RECURSING WITH ... reject)
Debug: LOOKING AT reject)
Debug: Comparison returned 1
Debug: ? Evaluating (reject) -> TRUE
Debug: GOT result 1
Debug: AT EOL -> 1
Debug: AFTER RECURSION ... )
Debug: AT EOL -> 1
Debug: ++? if (reject) -> TRUE
Debug: ++- entering if (reject) {...}
Debug: ::: FROM 1 TO 25 MAX 26
Debug: ::: Examining UOB-Info-Type
Debug: ::: APPENDING UOB-Info-Type FROM 0 TO 25
Debug: ::: TO in 25 out 26
Debug: ::: to[0] = EAP-Message
Debug: ::: to[1] = FreeRADIUS-Proxied-To
Debug: ::: to[2] = User-Name
Debug: ::: to[3] = State
Debug: ::: to[4] = Calling-Station-Id
Debug: ::: to[5] = Called-Station-Id
Debug: ::: to[6] = NAS-Port
Debug: ::: to[7] = Cisco-AVPair
Debug: ::: to[8] = NAS-IP-Address
Debug: ::: to[9] = NAS-Identifier
Debug: ::: to[10] = Airespace-Wlan-Id
Debug: ::: to[11] = Service-Type
Debug: ::: to[12] = Framed-MTU
Debug: ::: to[13] = NAS-Port-Type
Debug: ::: to[14] = Tunnel-Type
Debug: ::: to[15] = Tunnel-Medium-Type
Debug: ::: to[16] = Tunnel-Private-Group-Id
Debug: ::: to[17] = UOB-Stripped-MAC
Debug: ::: to[18] = Stripped-User-Name
Debug: ::: to[19] = Realm
Debug: ::: to[20] = EAP-Type
Debug: ::: to[21] = MS-CHAP-Challenge
Debug: ::: to[22] = MS-CHAP2-Response
Debug: ::: to[23] = NTLM-User-Name
Debug: ::: to[24] = Module-Failure-Message
Debug: ::: to[25] = UOB-Info-Type
Debug: +++[request] returns reject
Debug
Re: MS-CHAPv2, allow_retry=yes, but no code to handle the retry?
On 11/04/2012 17:24, James J J Hooper wrote:

> Hi All, FR 2.1.x Git, doing PEAP against AD via ntlm_auth. I thought that with: allow_retry = yes [in modules/mschap] and send_error = yes [in modules/eap] ...FR has the functionality to take the second password attempt, and re-try it against AD i.e. The scenario outlined in section 9.1.4 of RFC2759: http://tools.ietf.org/html/rfc2759#section-9.1.4
>
> I can't get it to work: Configuring as above does indeed make Windows re-prompt for the password if the first attempt is bad, but when this comes back to FR, nothing seems to be done with it. I've had a look at the code. From the little I can understand of it, the new challenge is generated into 'buffer', and sent back to the client in the MS-CHAP-Error attribute (C=new-challenge). However the challenge in buffer is not then put somewhere safe until the client sends its response against the new challenge [having re-prompted the user for the correct password], and when the response comes in it isn't sent to do_mschap()
>
> Am I mistaken and this functionality hasn't been written yet? ...or have I mis-configured something?

Ok - More delving into the code (rlm_eap_mschapv2.c) seems to indicate that the bits missing in 2.1.x are possibly there in FR3:

+ + /* +* Pxarse the new challenge out of the +* MS-CHAP-Error, so that if the client +* issues a re-try, we will know which +* challenge value that they used. +*/ + n = sscanf(response-vp_strvalue, %*cE=%d R=%d C=%32s, err, retry, buf[0]); + if (n == 3) { +DEBUG2( Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s, err, retry, buf); + fr_hex2bin(buf, data-challenge, 16); + } else { + DEBUG2( Could not parse new challenge from MS-CHAP-Error: %d, n); + }

So I'll see about getting an FR3 test instance going :)

-James
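Review bot: three points in the added block. The comment misspells "Parse" as "Pxarse". The %32s conversion stores up to 32 characters plus a terminating NUL, so buf must be at least 33 bytes long or the sscanf overruns it. And sscanf accepts any 32 non-space characters for the C= field while the result of the fr_hex2bin call is discarded, so a malformed C= value would leave the stored challenge partly unset yet still be accepted for the retry; check that the field is exactly 32 hex digits before storing the challenge, and log and bail out otherwise.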
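The MS-CHAP-Error round trip this thread is about, as an added example that is my own code, not FreeRADIUS's: it builds the attribute value (Ident octet followed by the RFC 2759 section 6 failure text, as carried in the RFC 2548 attribute), parses it back strictly (the counterpart of the sscanf James quotes from FR3, but rejecting anything that is not 32 hex digits), and keeps the freshly issued challenge per session so a retry can be verified against the challenge the client actually used, which is the missing piece the original post describes. Session ids and messages are constructed.

```python
import os
import re

# MS-CHAP-Error (RFC 2548 s.2.1.5 carrying the RFC 2759 s.6 failure text):
#   Ident octet, then "E=<error> R=<retry> C=<32 hex chars> V=<version> M=<message>"
# 691 is ERROR_AUTHENTICATION_FAILURE, the code used for a bad password.
ERROR_AUTH_FAILURE = 691

_ERROR_RE = re.compile(
    rb"^.E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$", re.DOTALL)


def build_mschap_error(ident, retry_allowed, new_challenge, message,
                       error=ERROR_AUTH_FAILURE):
    """Encode the attribute value the server sends with the failure."""
    if len(new_challenge) != 16:
        raise ValueError("MS-CHAPv2 authenticator challenge must be 16 bytes")
    text = "E=%d R=%d C=%s V=3 M=%s" % (
        error, 1 if retry_allowed else 0, new_challenge.hex().upper(), message)
    return bytes([ident & 0xFF]) + text.encode("ascii")


def parse_mschap_error(value):
    """Strict counterpart of the sscanf in the quoted FR3 code: returns
    (ident, error, retry, challenge_bytes, version, message), or None when the
    C= field is not exactly 32 hex characters or the layout is otherwise off."""
    m = _ERROR_RE.match(value)
    if m is None:
        return None
    err, retry, chal, ver, msg = m.groups()
    return (value[0], int(err), int(retry), bytes.fromhex(chal.decode("ascii")),
            int(ver), (msg or b"").decode("utf-8", "replace"))


class RetryChallenges:
    """Per-session store for the challenge issued in MS-CHAP-Error. This is the
    piece the original post found missing in 2.1.x: the client's retry must be
    verified against this challenge, not the one from the first attempt."""

    def __init__(self):
        self._pending = {}

    def issue(self, session_id, ident, message="Bad password"):
        """Generate a fresh challenge, remember it, return the attribute value."""
        challenge = os.urandom(16)
        self._pending[session_id] = challenge
        return build_mschap_error(ident, True, challenge, message)

    def take(self, session_id):
        """Hand the stored challenge to the verifier; one use only, so a stale
        or replayed retry finds nothing to check against."""
        return self._pending.pop(session_id, None)


if __name__ == "__main__":
    store = RetryChallenges()
    attr = store.issue("constructed-session-1", ident=9)
    print(attr)
    print(parse_mschap_error(attr))
    print(store.take("constructed-session-1").hex())
```

`take` removes the entry so each issued challenge is consumed exactly once; a second retry without a new MS-CHAP-Error gets None and should be rejected.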
Minor typo in master/raddb/mods-available/mschap
--- mschap-orig 2012-04-08 00:39:44.0 +0100 +++ mschap-new 2012-04-08 00:41:06.0 +0100 @@ -78,3 +78,3 @@ # ntlm_auth_username = username: %{mschap:User-Name} -# ntlm_auth_domain = username: %{mschap:NT-Domain} +# ntlm_auth_domain = nt-domain: %{mschap:NT-Domain}

-James
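Review bot: the change is right: the old comment labelled the NT-Domain expansion with the same "username:" prefix as the line above it, so anyone uncommenting both example lines would have handed ntlm_auth two username fields and no domain; "nt-domain:" is consistent with the %{mschap:NT-Domain} expansion on the same line. The hunk header claims three lines on each side but only two are visible per side, so confirm the trailing context line survived when applying the patch.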
Re: Zombie Clarification
On 24/03/2012 13:13, Alan Buxey wrote:

> Hi,
>
> there was never any more on this thread, so just to add some final info
>
> > > Now, for whatever reason, the Windows box decides to discard some requests. Unfortunately, the error reporting is pretty weak (discarding invalid request). Our Windows guys are digging into this. It seems to be client specific, we suspect something with our recently changed certificate.
> >
> > I don't see how. Normal RADIUS doesn't use certificates. And if your home server *randomly* discards requests, then your priority should be to fix that. No amount of poking FreeRADIUS will make the home server magically work. No amount of poking FreeRADIUS will work around the fact that the home server is broken.
>
> Microsoft decided, in their wisdom, to just discard packets that aren't right. This affects IAS and NPS. If your policy says, for example, NAS-Port-Type = Wireless-802.11 and the packet doesn't have that attribute... or it's not Wireless-802.11... then the packet is just silently dropped. The RADIUS proxies throughout the proxy chain then think the server is dead, status-server kicks in, oh, guess what, they don't support that, so it stays marked dead. The remote proxies might be lucky... as their status-server will be answered by the proxy above them... which, if it's FreeRADIUS or RADIATOR *will* respond in some way to show they are alive.
>
> IAS and NPS are a mess with proxied RADIUS - especially when there are policies involved.

Further to what Alan says above IAS/NPS can report invalid request if it contains an attribute not in their dictionaries, or an attribute where the value does not match the type in their dictionaries. As NPS and IAS dictionaries are old, don't match the RFCs, and it seems MS never update the dictionaries, this means NPS and IAS discard a lot of valid packets! If you are proxying to IAS or NPS, filter the attributes very carefully before they hit the MS radius servers.

Regards,
James
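The pre-proxy filtering James recommends, as an added example that is my own code and not FreeRADIUS's attr_filter module: a constructed dictionary of what the downstream (IAS/NPS-style) server is known to accept, with types and enumerated values, and a filter that drops anything not in it or whose value does not fit its declared type, reporting why. The dictionary deliberately omits vendor attributes and the Wireless-802.16 port type to stand in for an incomplete downstream dictionary; the sample request is constructed.

```python
import ipaddress

# Constructed proxy dictionary: attribute -> (type, allowed enum names or None).
# It deliberately omits vendor attributes and the Wireless-802.16 port type so the
# example shows how an incomplete downstream dictionary shapes the filter.
PROXY_DICT = {
    "User-Name":             ("string",  None),
    "NAS-IP-Address":        ("ipaddr",  None),
    "NAS-Port":              ("integer", None),
    "NAS-Port-Type":         ("integer", {"Wireless-802.11", "Ethernet", "Virtual"}),
    "Calling-Station-Id":    ("string",  None),
    "EAP-Message":           ("octets",  None),
    "Message-Authenticator": ("octets",  None),
    "State":                 ("octets",  None),
    "Proxy-State":           ("octets",  None),
}


def value_matches_type(vtype, enum, value):
    """Type check for one attribute value against the proxy dictionary entry."""
    if vtype == "integer":
        if enum is not None:
            return value in enum            # enumerated values travel as names
        return isinstance(value, int) and 0 <= value <= 0xFFFFFFFF
    if vtype == "ipaddr":
        if not isinstance(value, str):
            return False
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if vtype == "octets":
        return isinstance(value, (bytes, bytearray))
    return isinstance(value, str)


def filter_for_proxy(pairs, dictionary=PROXY_DICT):
    """Return (kept, dropped): kept is the list of (attr, value) pairs that are
    safe to forward, dropped is (attr, value, reason) for everything else, so the
    drop decisions can be logged instead of silently losing the packet downstream."""
    kept, dropped = [], []
    for attr, value in pairs:
        entry = dictionary.get(attr)
        if entry is None:
            dropped.append((attr, value, "not in proxy dictionary"))
            continue
        vtype, enum = entry
        if not value_matches_type(vtype, enum, value):
            dropped.append((attr, value, "value not valid for type"))
            continue
        kept.append((attr, value))
    return kept, dropped


# Constructed request, mixing attributes a NAS in this thread's setups would send.
SAMPLE_REQUEST = [
    ("User-Name", "alice@example.org"),
    ("NAS-IP-Address", "10.0.0.1"),
    ("NAS-Port", 7),
    ("NAS-Port-Type", "Wireless-802.16"),
    ("Airespace-Wlan-Id", 4),
    ("Calling-Station-Id", "00-11-22-33-44-55"),
    ("Proxy-State", b"\x01\x02"),
]

if __name__ == "__main__":
    kept, dropped = filter_for_proxy(SAMPLE_REQUEST)
    for attr, value, reason in dropped:
        print(f"dropped {attr} = {value!r}: {reason}")
    print("forwarding:", kept)
```

The logged reasons are the point: with a silent downstream server, the filter is the only place a mismatch is visible.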
FreeRadius questions
attr_filter.access_reject
  attr_filter attr_filter.access_reject {
	attrsfile = /etc/raddb/attrs.access_reject
	key = %{User-Name}
  }
 }
}
modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = /etc/raddb/huntgroups
	hints = /etc/raddb/hints
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
	key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
	detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
	header = %t
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
	attrsfile = /etc/raddb/attrs.accounting_response
	key = %{User-Name}
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
radiusd: Opening IP addresses and Ports
listen {
	type = auth
	ipaddr = 10.0.8.9
	port = 0
}
listen {
	type = acct
	ipaddr = *
	port = 0
}
Listening on authentication address 10.0.8.9 port 1812
Listening on accounting address * port 1813
Listening on proxy address 10.0.8.9 port 1814
Ready to process requests.

In the second terminal window we ran:

	radtest bob hello localhost 0 testing123

And got these results:

Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
Sending Access-Request of id 186 to 127.0.0.1 port 1812
	User-Name = bob
	User-Password = hello
	NAS-IP-Address = 127.0.0.2
	NAS-Port = 0
radclient: no response from server for ID 186 socket 3

Searched for solutions to this error message, but have not been able to find any that work. Could you please tell us what we did wrong.

James M. DeLuca
Network Administrator
Kiski Area School District
200 Poplar St
Vandergrift, PA 15690
Office: 724-845-6188
Cell: 724-640-4681
RE: FreeRadius questions
Firewall is turned off on the server at this time.

From: freeradius-users-bounces+jdeluca=wiu.k12.pa...@lists.freeradius.org [mailto:freeradius-users-bounces+jdeluca=wiu.k12.pa...@lists.freeradius.org] On Behalf Of hashim zayed
Sent: Tuesday, February 28, 2012 2:16 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius questions

Please make sure that port 1812/1813 are enabled on your server firewall.

Hashim Mohammed Zayed
Moeen IT

On 2012 2 28 17:10, James DeLuca jdel...@wiu.k12.pa.us wrote:

Hope you can help us out. First time dealing with RADIUS servers. Following your instructions. Seem to have missed something along the way.

We are running FreeRadius (Version 2.1.1) on a SLES version 11 server. The server has a static IP address. We have tried both of the following settings in our client.conf file (/etc/raddb/clients.conf). Neither have produced good results.

client localhost {
	ipadddr = 127.0.0.1
	require_message_authenticator = no
	secret = x
	nastype = other
}

client localhost {
	ipadddr = 10.0.xxx.xxx
	require_message_authenticator = no
	secret = x
	nastype = other
}

We entered a user in our user (/etc/raddb/users) file

	bob Cleartext-Password := hello

Started two terminal sessions. In the first session we ran

	/usr/sbin/radiusd -X

And received these results

FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu, built on Feb 23 2009 at 21:34:25
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/radius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
RE: FreeRadius questions
Changed the radtest to

	radtest bob hello 10.0.8.9 0 testing123

Now in the terminal window where we ran radiusd -X we get the following error:

	Ignoring request to authentication address 10.0.8.9 port 1812 from unknown client 10.0.8.9 port 56524

The terminal session where we ran the radtest bob hello 10.0.8.9 0 testing123 still has the no response message.

From: freeradius-users-bounces+jdeluca=wiu.k12.pa...@lists.freeradius.org [freeradius-users-bounces+jdeluca=wiu.k12.pa...@lists.freeradius.org] on behalf of Alan Buxey [a.l.m.bu...@lboro.ac.uk]
Sent: Tuesday, February 28, 2012 2:50 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius questions

hi,

you have configured your server to listen for authentications on IP 10.0.8.9 ..but then you try sending a request to 127.0.0.1 (localhost) of course it isn't going to work. either configure the server to listen on all interfaces (*) as a default install would, or use 10.0.8.9 as the destination address with radtest

alan
Re: How to Restrict All Users from Certain APs
On 25/01/2012 20:35, White III, Joe wrote:

> I'm running Freeradius 1.0.1 using MySQL as the database backend. I need to configure the server so that all users are restricted from using certain access points (i.e. guest network). It appears I need to use a DEFAULT user definition in the users file, but I can't find any examples to work from. Has someone else done this? If so, I'd give anything to see how you did it.

Generally, you can only do this if the requests from those certain APs have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject. Something like as documented!: https://github.com/alandekok/freeradius-server/blob/master/raddb/users

If you are really still using 1.0.1 (Sept 2004!?), please do upgrade. Apart from the technical/security aspects, the current published documentation will apply ;)

-James
LDAP Group assign to vlan after AD user authentication
Hi,

I've successfully set up a radius server to support 802.1x authentication using peap mschapv2 and samba to authenticate users against AD. To do this I followed configuration on the freeradius.org website and the AD integration howto on deployingradius.com, thank you very much for writing these!

I now need to assign the vlan due to membership of some group in AD and I understand that an ldap lookup is needed. Where in the configuration do I check this group and map it to a vlan? Can I do it as a default entry in the users file or is it needed somewhere else?

Thank you very much,
James
Re: freeradius, problem with chap ?
On 01/12/2011 22:41, Piotr wrote:

> This is debug from l2tp/ipsec connection:
>
> CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504
> [chap] login attempt by tom3 with CHAP password
> [chap] Cleartext-Password is required for authentication
> ++[chap] returns invalid
> Failed to authenticate the user.
> Login incorrect (rlm_chap: Clear text password not available):
>
> and here is debug from working connection for sslvpn:
>
> User-Password = bd8d9a
> [MOTP] expand: %{User-Password} -> bd8d9a
> Exec-Program: returned: 0
> ++[MOTP] returns ok
> Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13)

If you want FR to handle the CHAP for you:

	[chap] Cleartext-Password is required for authentication

If FR doesn't know the correct password, you can't expect it to do CHAP. Change things so FR knows the password, or do plain text authn as per your first scenario.

-James
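Why rlm_chap needs Cleartext-Password, and why PAP does not, as an added example (my code, not FreeRADIUS's) that also illustrates the Cleartext-Password warning in the "Proxy Treatment of PAP/Chap Auth Types" thread above: CHAP-Password is the ident octet plus MD5(ident || password || challenge), so the server can only verify it by recomputing the hash from the clear-text password; with PAP the server receives the clear-text password and may therefore keep only a hash. The challenge, passwords and the SHA-256 storage scheme are constructed for the example.

```python
import hashlib
import hmac


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP: MD5(ident || password || challenge), 16 bytes."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode("utf-8") + challenge).digest()


def encode_chap_password(ident, password, challenge):
    """What the NAS puts in CHAP-Password: the ident octet followed by the response
    (17 bytes in total, as in the 0x01... value in the debug output above)."""
    return bytes([ident & 0xFF]) + chap_response(ident, password, challenge)


def verify_chap(chap_password, challenge, known_cleartext):
    """Server side. Only works with the clear-text password: the server must redo the
    MD5 over the same inputs, which is why rlm_chap insists on Cleartext-Password.
    In RADIUS the challenge is CHAP-Challenge or, if absent, the Request Authenticator."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, known_cleartext, challenge), response)


def hash_for_storage(password):
    """PAP contrast: the stored credential may be a hash, since the server sees the
    clear-text User-Password. SHA-256 is a constructed choice for this example."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_pap(user_password, stored_hash):
    """Server side for PAP: hash what the client sent and compare to the stored hash."""
    return hmac.compare_digest(hash_for_storage(user_password), stored_hash)


if __name__ == "__main__":
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    attr = encode_chap_password(1, "correct horse", challenge)
    print("CHAP-Password =", "0x" + attr.hex())
    print("CHAP with clear-text known:", verify_chap(attr, challenge, "correct horse"))
    print("PAP against stored hash:", verify_pap("correct horse", hash_for_storage("correct horse")))
```

The asymmetry is the whole story of both threads: a database column that holds only a hash (or the wrong attribute name) can serve PAP but never CHAP or MS-CHAP.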
Re: Freeradius-Users Digest, Vol 78, Issue 111
On 10/26/2011 12:11 AM, freeradius-users-requ...@lists.freeradius.org wrote:

> You just add the attributes, and the server will take care of encapsulating them in TLVs.

Is there anything I must pay attention to with regard to either (or both of):

1. The order in which I define the attributes, especially when I am defining 2 QoS-Descriptors (for downlink and uplink e.g.) and 2 or more Packet-Flow-Descriptors (for controlling different types of traffic)
2. The operator I should use. When should I use '+=', or is ':=' alright in every instance?

Regards,
JamesTM
Re: Freeradius rlm_sql: Failed to create the pair: Invalid TLV specification (WiMAX MS)
Apologies for my incorrectly headed last response:

On 10/26/2011 12:11 AM, freeradius-users-requ...@lists.freeradius.org wrote:

> You just add the attributes, and the server will take care of encapsulating them in TLVs.

Is there anything I must pay attention to with regard to either (or both of):

1. The order in which I define the attributes, especially when I am defining 2 QoS-Descriptors (for downlink and uplink e.g.) and 2 or more Packet-Flow-Descriptors (for controlling different types of traffic)
2. The operator I should use. When should I use '+=', or is ':=' alright in every instance?

Regards,
JamesTM
Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user
Hi,

I have managed to auth a Greenpacket WiMAX MS via an eap ttls tunnel. Thanks to Alan's direction earlier, I can also send the service flow definitions correctly. I have now found that subsequent db writes (and logging) associated with accounting and postauth functions are the encrypted values (available in the tunnel?). Is there a way to ensure that the plaintext values are used with all subsequent logging actions?

Regards,
JamesTM

Irrationally held truths may be more harmful than reasoned errors. - Thomas H. Huxley
Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user
On 10/26/2011 02:49 PM, freeradius-users-requ...@lists.freeradius.org wrote:
> On Access-Accept, store the unencrypted User-Name in the DB, along with a Class attribute. When you receive an accounting packet, look up the Class attribute to find the unencrypted User-Name.

Thanks. I notice when running in debug mode, I have:

[ttls] Got tunneled request
        User-Name = testairs...@iconnect.zm
        User-Password = airspan
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = testairs...@iconnect.zm
        User-Password = airspan
        FreeRADIUS-Proxied-To = 127.0.0.1
        Calling-Station-Id = 00-1f-fb-20-7b-0e
        Service-Type = Framed-User
        NAS-Port-Type = Wireless-802.16
        WiMAX-Release = 1.0
...
...
...
[sql] expand: %{User-Name} - testairs...@iconnect.zm
[sql] sql_set_user escaped user -- 'testairs...@iconnect.zm'

The user is then correctly authenticated and receives the relevant parameters. What attribute contains the unencrypted username, and at which stage of the inner-tunnel session can I retrieve it?

> That's pretty much the only way with WiMAX.
>
> Alan DeKok
Re: Authorize all/any users for a PEAP, WPA2 enterprise setup
On 27/10/2011 00:51, Toby wrote:
> Hi all, I apologize in advance if this question has been answered previously but I have searched extensively and cannot find discussion of this particular topic. What I am wanting to setup, at least initially, is a WPA2 enterprise (802.11i) wireless access point that will authorize ANY user (accept all credentials/username-password combinations) and thereby provide encrypted wireless access as well as confirmation of the access point's identity, but not restrict which users can connect.

Your body doesn't mention PEAP, but your subject does. If you have to use PEAP i.e. MS-CHAPv2 inner, it's not possible:
http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless+of+password%3F

You could perhaps do it with TTLS/PAP.

-James
Freeradius rlm_sql: Failed to create the pair: Invalid TLV specification (WiMAX MS)
Hi,

I am running 2.1.12 in an attempt to auth Wimax users. However I am having difficulty defining TLVs for WiMAX-QoS-Descriptor and associated WiMAX-Packet-Flow-Descriptor.

I used a post on the matter in the freeradius mailing list which suggested something to the effect of:

INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES
('WiMAX_Test3', 'WiMAX-QoS-Id', ':=', '101'),
('WiMAX_Test3', 'WiMAX-Service-Class-Name', ':=', 'DATA'),
('WiMAX_Test3', 'WiMAX-Schedule-Type', ':=', 'Best-Effort'),
('WiMAX_Test3', 'WiMAX-Traffic-Priority', ':=', '1'),
('WiMAX_Test3', 'WiMAX-Maximum-Sustained-Traffic-Rate', ':=', '512000'),
('WiMAX_Test3', 'WiMAX-Reduced-Resources-Code', ':=', '1'),
('WiMAX_Test3', 'WiMAX-Packet-Data-Flow-Id', ':=', '21'),
('WiMAX_Test3', 'WiMAX-Service-Data-Flow-Id', ':=', '21'),
('WiMAX_Test3', 'WiMAX-Direction', ':=', '1'),
('WiMAX_Test3', 'WiMAX-Activation-Trigger', ':=', '15'),
('WiMAX_Test3', 'WiMAX-Transport-Type', ':=', 'IPv4-CS'),
('WiMAX_Test3', 'WiMAX-Uplink-QOS-Id', ':=', '101'),
('WiMAX_Test3', 'WiMAX-Uplink-Classifier', ':=', 'permit in any src any dst any priority 1'),
...etc

This did not work, as the greenpacket SM keeps on trying to connect as if it is not authenticated, despite the following attributes being returned in the Access-Accept packet:

Sending Access-Accept of id 84 to 10.11.12.13 port 1812
        Framed-IP-Address := XXX.XX.12.12
        Framed-IP-Netmask := 255.255.255.224
        WiMAX-DNS-Server := XXX.XX.12.65
        Framed-Route := XXX.XX.12.30
        WiMAX-QoS-Id := 101
        WiMAX-Service-Class-Name := DATA
        WiMAX-Schedule-Type := Best-Effort
        WiMAX-Traffic-Priority := 1
        WiMAX-Maximum-Sustained-Traffic-Rate := 512000
        WiMAX-Reduced-Resources-Code := 1
        WiMAX-Packet-Data-Flow-Id := 22
        WiMAX-Service-Data-Flow-Id := 22
        WiMAX-Direction := Downlink
        WiMAX-Activation-Trigger := 15
        WiMAX-Transport-Type := IPv4-CS
        WiMAX-Uplink-QOS-Id := 101
        WiMAX-Uplink-Classifier := permit in any src any dst any priority 1
        WiMAX-QoS-Id += 102
        WiMAX-Service-Class-Name += DATA
        WiMAX-Schedule-Type += Best-Effort
        WiMAX-Traffic-Priority += 1
        WiMAX-Maximum-Sustained-Traffic-Rate += 40
        WiMAX-Reduced-Resources-Code += 1
        WiMAX-Downlink-QOS-Id := 102
        WiMAX-Downlink-Classifier := permit in any src any dst any priority 1
        MS-MPPE-Recv-Key = 0xdd5af25dadbfeba854cc0c6a5694abe0636104f1551530a9537855ecb6629d7e
        MS-MPPE-Send-Key = 0x93064994b3908d600cdab33f17742a4de175db703101a8cd5019b0384a885d98
        EAP-Message = 0x03040004
        Message-Authenticator = 0x
        User-Name = {am=1}00E6D4F0ED7C281D867BE1534026CDA8IC3513
Finished request 4.

I thought I would add an attribute pair to be explicit that I am defining TLVs, by inserting the following rows in the database (at the appropriate rows by id):

('WiMAX_Test3', 'WiMAX-QoS-Descriptor', '=', '...'),
('WiMAX_Test3', 'WiMAX-Packet-Flow-Descriptor', '=', '...'),
...etc

but I then get the error specified in the subject above.

Can anyone shed light on how to correctly populate radgroupreply to ensure proper definition of WiMAX TLVs? Or perhaps I am doing something else wrong?

Hopefully,
JamesTM

--
Irrationally held truths may be more harmful than reasoned errors. - Thomas H. Huxley
Re: radius + ldap + ntlm
On 23/10/2011 16:02, Andreas Rudat wrote:
> Hello, I understand it correctly, that I can't use peap + mschapv2 with ldap? I'm really confused atm, what I can really use; every time I think it's fine, I find another insecure thing :/

To use PEAP/MS-CHAPv2, LDAP has to provide FR with either a plain text password, or the NTLM hash of the password. If your LDAP directly has plain text passwords, or NTLM hashes, then you can use it for authentication.

You can use LDAP for authorization in any case.

Regards,
James
Re: SSL error after updating cert
On 21/10/2011 20:44, Eric Geier wrote:
> Hi, I’m trying to update my server’s cert, but getting errors after applying it:
>
> Fri Oct 21 12:26:45 2011 : Error: TLS Alert read:fatal:certificate expired
> Fri Oct 21 12:26:45 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Fri Oct 21 12:26:45 2011 : Error: rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
> Fri Oct 21 12:26:45 2011 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
>
> Says expired but I’m using the new cert, which is a renewal from a third-party CA and using the same private key. I apply it by inserting the text of the .crt file into the server-cert.pem file in the certs folder. I think that’s all I have to do and restart freeradius?

1) Check the date on the client system is correct

2) do:

openssl -in /path/to/your/raddb/server-cert.pem -noout -text

and verify the properties of the cert you have.

-James
Re: SSL error after updating cert
On 21/10/2011 22:31, Eric Geier wrote:
> Thanks for the reply! Yes, the clients are set with correct time/date. That command didn't work. Did you mean openssl verify command? I ran that and both the old cert (still valid for a few days) and the new cert (already valid) shows correct domain but then says:
>
>> 2) do:
>>
>> openssl -in /path/to/your/raddb/server-cert.pem -noout -text
>>
>> and verify the properties of the cert you have.

I forgot the x509, it should have been:

openssl x509 -in /path/to/your/raddb/server-cert.pem -noout -text

-James
Re: Policy construct for string concatenation
On 15/10/2011 12:14, Ray Scholl wrote:
> Good morning: So, I took all of your advice - example constructs, suggestion to do a little testing etc. I built a duplicate server and my question still remains. The construct I have -
>
> if ( clients_ldap-Ldap-Group == %{FreeRadius-Client-Shortname}%{'otp'} ) {
>
> How does the above match the below and previous examples you were given!?

They're just strings. If you've done any kind of computer programming, string expansion should be familiar.

(1) take the string ...
(2) Expand everything which looks like %{NAME}
(3) leave everything else alone.

Hello, my name is %{User-Name} -- Hello, my name is bob

Try:

if (clients_ldap:Ldap-Group == %{FreeRadius-Client-Shortname}otp) {

1) Is clients_ldap an ldap instance name, or have you defined a new attribute clients_ldap-Ldap-Group ?? I've presumed it's an instance name thus the colon. If it's an attribute, then replace the colon above with the hyphen you had.

2) otp is a fixed string, %{anything} means a not-fixed string (an expansion), so you don't need the %{}.

3) How about sending us your radiusd -X from your duplicate server, then we can all see what's actually happening?

-James
Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
On 14/10/2011 16:13, Martin Ubank wrote:
> Here’s the full output from ‘radiusd –X’:

The bit at the top that tells us what radiusd has read from the config files is missing. It's not executing ntlm_auth by the looks of what you posted, so you need to look at why. The first bit of radiusd -X will tell you which files it's reading. Check it's reading your mschap file (the one you configured, not some other one).

-James
Re: Acct-Terminate-Cause
On 15/10/2011 01:18, OzSpots - Carl Sawers wrote:
> Hi All, I have searched high and low for a Radacct Terminate cause description for Freeradius, the terminate cause states “Lost-Session”, anyone know what it refers to?

Please set a subject when posting to a mailing list.

http://freeradius.org/rfc/rfc2866.html#Acct-Terminate-Cause

If you need to know precisely when your NAS sets one or other value for this attribute, you would have to ask the NAS manufacturer.

-James
Re: PEAP/MSCHAPv2 / Freeradius / AD
On 13/10/2011 21:16, Kevin Chan wrote:
> Hi all, hopefully I got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use b...@acme.edu instead of b...@abc.acme.edu as username.

Presumably you are in the US? ... It's a shame that US eduroam seems to forbid subdomains for its own institutions (lots of organisations doing eduroam in Europe use subdomain realms).

> My question is can you modify the realm behind the user's back? (during EAP process).

I think this may mess things up... but you shouldn't need to *modify* the realm? [More info about your specifics please]? The realm on the outer ID will get the auth to your FR (anyth...@uni.edu). The realm [if present] on the inner ID is generally stripped before it goes to ntlm_auth against your AD).

Regards,
James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: PEAP/MSCHAPv2 / Freeradius / AD
On 13/10/2011 21:35, James J J Hooper wrote:
> On 13/10/2011 21:16, Kevin Chan wrote:
>> Hi all, hopefully I got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use b...@acme.edu instead of b...@abc.acme.edu as username.
>
> Presumably you are in the US? ... It's a shame that US eduroam seems to forbid subdomains for its own institutions (lots of organisations doing eduroam in Europe use subdomain realms).

I re-read http://www.eduroamus.org/node/29 ... It says that *you* shouldn't forward subdomains of your own realm to the national proxies, which would be filtered. This indeed makes sense for loop protection.

...and it implies only usernames of the form u...@institution.edu should be accepted, but it doesn't actually state that you can't use subdomains. I suppose it depends on how the routing on the US level eduroam proxies is set-up:

if (Realm =~ /^(.+\.)?\.uni\.edu$/) {
}

or

if (Realm =~ /^uni\.edu$/) {
}

-James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Locked account
How do I get freeradius to deny access based on the ldap attribute nsAccountLock = true?
Re: Rewriting wimax calling-station-id with perl
Hi, All

Thanks a bunch for this. I have tested both the ubuntu and CentOS/RedHat variants successfully on separate machines, integrated with postgresql. (The mysql was a typo incited by a previous install of freeradius-mysql). Ironically, I also managed to build deb packages from the 2.1.12 git source separately which included wimax, mysql and postgresql modules.

Thanks, in particular, to Fajar for taking the time to update the ppa.

Cheers,
JamesTM

Irrationally held truths may be more harmful than reasoned errors. - Thomas H. Huxley

On 10/07/2011 10:13 AM, freeradius-users-requ...@lists.freeradius.org wrote:
> Of course there are. In RHEL5 the package is called freeradius2 and is prebuilt with wimax and mysql. The current version is 2.1.7, but if you wait a little while for the 5.8 update the latest 2.1.12 will be available.
>
> --
> John Dennis jden...@redhat.com

On 10/07/2011 10:13 AM, freeradius-users-requ...@lists.freeradius.org wrote:
> I've updated the package on https://launchpad.net/~freeradius/+archive/stable (the update is Natty-only for now), which adds freeradius-experimental package. It has rlm_wimax, rlm_sql_sqlite, rlm_caching, and more. If you're still having problem compiling yourself and don't mind using unsupported ppa, you can use that.
>
> --
> Fajar
git.freeradius.org
Hi Alan et al,

I'm having trouble getting FR by git (was previously working):

$ grep url .git/config
        url = git://git.freeradius.org/freeradius-server.git
$ git pull origin v2.1.x:v2.1.x
fatal: The remote end hung up unexpectedly

Is there an issue with git.freeradius.org? (Is anyone else having the same issue?) ... or is it just me?

-James
Re: Rewriting wimax calling-station-id with perl
Hi,

Apologies for the late response. Our mail system went down at a terrible time!

> From: Johan Meiring jmeir...@pcservices.co.za
> Subject: Re: Rewriting wimax calling-station-id with perl
>
> Which version of debian do you need packages for?

I am trying to install it on ubuntu 11.04 server. If there are rpm packages suitable for CentOS 5.x prebuilt with wimax and mysql, I would take that!

With respect to Alan's observation:

> But why worry about a deb package? Just install it from source. That works.
>
> Alan DeKok.

Installing from source also dies when I make with the same libtool error on my ubuntu server 11.04 install. I know I have to add 'rlm_wimax' to src/modules/stable to have it compile, but the Make fails with or without this entry. Adding the suggestive -DIE_LIBTOOL_DIE to CFLAGS makes no difference.

Regards
JamesTM
Re: Rewriting wimax calling-station-id with perl
Hi,

As you are undoubtedly aware, the ubuntu/debian package of freeradius comes without the wimax module (despite having the wimax module) installed. My own attempts to compile/install/build deb package for ubuntu always die with the infamous undefined reference to `lt_preloaded_symbols' that apparently has even Alan opting to forsake libtool.

Because many people would still like to implement mac authentication on a wimax network, I was wondering whether the c subroutine that does this in the module:

/*
 *	Fix Calling-Station-Id.  Damn you, WiMAX!
 */
vp = pairfind(request->packet->vps, PW_CALLING_STATION_ID);
if (vp && (vp->length == 6)) {
	int i;
	uint8_t buffer[6];

	memcpy(buffer, vp->vp_octets, 6);

	/*
	 *	RFC 3580 Section 3.20 says this is the preferred
	 *	format.  Everyone *SANE* is using this format,
	 *	so we fix it here.
	 */
	for (i = 0; i < 6; i++) {
		fr_bin2hex(&buffer[i], &vp->vp_strvalue[i * 3], 1);
		vp->vp_strvalue[(i * 3) + 2] = '-';
	}

	vp->vp_strvalue[(5*3)+2] = '\0';
	vp->length = (5*3)+2;

	DEBUG2("rlm_wimax: Fixing WiMAX binary Calling-Station-Id to %s", vp->vp_strvalue);
}

can be easily translated to perl to rewrite the calling-station-id (only when it does not meet the standard), as that module works fine and is correctly compiled? If so, would anyone here be able to mash up a few lines of perl code to this end? Please? I, unfortunately, am not familiar enough with c to translate the logic behind the code above flawlessly.

Hopefully,
JamesTM

Irrationally held truths may be more harmful than reasoned errors. - Thomas H. Huxley

On 10/05/2011 02:10 PM, freeradius-users-requ...@lists.freeradius.org wrote:
> Message: 1
> Date: Wed, 05 Oct 2011 12:09:39 +0200
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: FreeRadius with Eduroam - Accounting
>
> Arran Cudbard-Bell wrote:
>> It's a bad way of doing it. At least with replicate every accounting packet has a chance... Using Acct-Delay-Time you'll end up dumping anywhere between 1-15 seconds accounting data for all realms if one realm is unreachable.
>
> shrug
>
> if (Packet-Transmit-Counter > 5) {
>     ok
> }
> else {
>     ... proxy ...
> }
>
> If the home server doesn't get it after 5 tries, throw it away. In 2.1.10 & later, IIRC.
>
> Alan DeKok.
>
> --
> Message: 2
> Date: Wed, 5 Oct 2011 03:49:16 -0700 (PDT)
> From: tonimanel antoniofernan...@fabergames.com
> Subject: Re: MySQL and FreeRADIUS environment
>
> My FreeRADIU version is 2.1.10 on Debian. Suggest me update? Or is a valid verstion to work and implement freeradius replication with radrelay?
>
> Thanks,
>
> --
> Message: 3
> Date: Wed, 05 Oct 2011 11:50:12 +0100
> From: Phil Mayers p.may...@imperial.ac.uk
> Subject: Re: FreeRadius with Eduroam - Accounting
>
> On 05/10/11 09:56, Arran Cudbard-Bell wrote:
>> On 5 Oct 2011, at 10:40, Phil Mayers wrote:
>>> On 10/05/2011 09:26 AM, Alan DeKok wrote:
>>>> Phil Mayers wrote:
> I guess that's ok, in that it stops an
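The Calling-Station-Id rewrite that the rlm_wimax snippet above performs, written here as a stand-alone C function so the logic can be read and tested outside the server; this is an added example, not code from the original post or from FreeRADIUS. The function name `fix_wimax_csid`, its return convention and the sample MAC address are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Length of "xx-xx-xx-xx-xx-xx", i.e. (5*3)+2 as the module computes it. */
#define CSID_RFC3580_LEN 17

/*
 * Rewrite a WiMAX Calling-Station-Id into the RFC 3580 section 3.20
 * form "xx-xx-xx-xx-xx-xx", mirroring what rlm_wimax does: a value that
 * is exactly six bytes long is treated as a raw MAC address and expanded;
 * anything else is passed through untouched.  Hex digits are lowercase,
 * as fr_bin2hex emits them (compare "00-1f-fb-20-7b-0e" in the debug
 * output quoted elsewhere in this thread).
 *
 * Caveat carried over from the module: the only test is the length, so a
 * genuinely six-character string id would be rewritten too.
 *
 * Returns 1 if the value was rewritten, 0 if it was copied unchanged,
 * -1 if the output buffer is too small.
 */
int fix_wimax_csid(const uint8_t *in, size_t in_len, char *out, size_t out_len)
{
    static const char hextab[] = "0123456789abcdef";

    if (in_len == 6) {
        size_t i;

        if (out_len < CSID_RFC3580_LEN + 1) return -1;

        for (i = 0; i < 6; i++) {
            out[i * 3]     = hextab[in[i] >> 4];
            out[i * 3 + 1] = hextab[in[i] & 0x0f];
            out[i * 3 + 2] = '-';   /* the last '-' is replaced by NUL below */
        }
        out[CSID_RFC3580_LEN] = '\0';
        return 1;
    }

    /* Not a raw MAC: leave it exactly as the NAS sent it. */
    if (out_len < in_len + 1) return -1;
    memcpy(out, in, in_len);
    out[in_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: the raw 6-byte form a WiMAX gateway sends. */
    static const uint8_t raw_mac[6] = { 0x00, 0x1f, 0xfb, 0x20, 0x7b, 0x0e };
    /* Constructed sample: a NAS that already uses the RFC 3580 form. */
    static const char already_ok[] = "00-1f-fb-20-7b-0e";
    char buf[64];

    if (fix_wimax_csid(raw_mac, sizeof raw_mac, buf, sizeof buf) == 1)
        printf("rlm_wimax: Fixing WiMAX binary Calling-Station-Id to %s\n", buf);

    fix_wimax_csid((const uint8_t *)already_ok, strlen(already_ok), buf, sizeof buf);
    printf("unchanged: %s\n", buf);
    return 0;
}
```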
Re: 2.1.12 potential problem...
On 20/09/2011 11:38, denizaydin wrote:
> I can not see its giving this error while starting. Do I have to change installation directory or the library directory in the radiusd.conf?
>
> [10:15:39.9] gmake[11]: Entering directory `/home/network/Downloads/freeradius-server-2.1.12/src/modules/rlm_sql/drivers/rlm_sql_postgresql'
> [10:15:39.9] if [ x != x ]; then \
> [10:15:39.9]     /home/network/Downloads/freeradius-server-2.1.12/libtool --mode=install /home/network/Downloads/freeradius-server-2.1.12/install-sh -c -c \
> [10:15:39.9]     .la /usr/local/lib/.la || exit $?; \
> [10:15:39.9]     rm -f /usr/local/lib/-2.1.12.la; \
> [10:15:39.9]     ln -s .la /usr/local/lib/-2.1.12.la || exit $?; \
> [10:15:39.9] fi
>
> DETAIL LOG file : http://freeradius.1045715.n5.nabble.com/file/n4822062/installtionlog.txt installtionlog.txt

You have to read the output of ./configure ...

[10:12:29.8] === configuring in ./drivers/rlm_sql_postgresql (/home/network/Downloads/freeradius-server-2.1.12/src/modules/rlm_sql/./drivers/rlm_sql_postgresql)
[10:12:29.8] configure: running /bin/sh ./configure '--prefix=/usr/local' '--enable-ltdl-install' --cache-file=/dev/null --srcdir=.
[10:12:30.0] checking for gcc... gcc
[10:12:30.1] checking for C compiler default output file name... a.out
[10:12:30.2] checking whether the C compiler works... yes
[10:12:30.2] checking whether we are cross compiling... no
[10:12:30.2] checking for suffix of executables...
[10:12:30.3] checking for suffix of object files... o
[10:12:30.3] checking whether we are using the GNU C compiler... yes
[10:12:30.3] checking whether gcc accepts -g... yes
[10:12:30.3] checking for gcc option to accept ISO C89... none needed
[10:12:30.3] checking for libpq-fe.h... no
[10:12:30.8] checking for PQconnectdb in -lpq... no
[10:12:31.2] configure: WARNING: silently not building rlm_sql_postgresql.
[10:12:31.2] configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.

Fix this, and then re-compile it.

-James
Re: 2.1.12 potential problem...
On 17/09/2011 01:56, Alan DeKok wrote:
> James J J Hooper wrote:
>> Above won't work since: https://github.com/alandekok/freeradius-server/commit/1a00da32c13fb979e11748250da469c7ac4474a8
>>
>> -James
>>
>> https://github.com/alandekok/freeradius-server/commit/1a00da
>>
>> In fact this dictionary change breaks other stuff too, e.g. below:
>
> I've pushed a fix already.

Hi Alan,

This doesn't seem to have reached github yet.

-James
Re: Reverting Accept-Reject to Access-Accept
On 16/09/2011 17:24, Phil Mayers wrote:
> On 16/09/11 16:59, denizaydin wrote:
>> Hi, I am using Version 2.1.11 for broadband PPP authentication. I want to put the unauthenticated users to a default service. I have to revert the access-reject message to access-accept because once CISCO ISG get a access-reject from the AAA server it's terminating the ppp with access-reject.
>
> Don't do that. Instead, don't reject the in the first place. For example:
>
> authorize {
>   ...
>   sql
>   if (notfound) {
>     update control {
>       Auth-Type := Accept
>     }
>   }
> }

Above won't work since:
https://github.com/alandekok/freeradius-server/commit/1a00da32c13fb979e11748250da469c7ac4474a8

-James
2.1.12 potential problem...
> Don't do that. Instead, don't reject the in the first place. For example:
>
> authorize {
>   ...
>   sql
>   if (notfound) {
>     update control {
>       Auth-Type := Accept
>     }
>   }
> }

Above won't work since:
https://github.com/alandekok/freeradius-server/commit/1a00da32c13fb979e11748250da469c7ac4474a8

-James

https://github.com/alandekok/freeradius-server/commit/1a00da

In fact this dictionary change breaks other stuff too, e.g. below:

[vpieap] Request found, released from the list
[vpieap] EAP/mschapv2
[vpieap] processing type mschapv2
[mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/vpi-inner
[vpieap] Freeing handler
++[vpieap] returns reject
Failed to authenticate the user.

and e.g:

grep -R 'pairmake("Auth-Type", ' freeradius-server/src/*
freeradius-server/src/modules/rlm_chap/rlm_chap.c:	pairmake("Auth-Type", "CHAP", T_OP_EQ));
freeradius-server/src/modules/rlm_digest/rlm_digest.c:	pairmake("Auth-Type", "DIGEST", T_OP_EQ));

-James
Re: different acctuniqueids with common keys?
On 06/09/2011 00:36, Rob Turner wrote:
> Default in modules/acct_unique:
>
> acct_unique {
>     key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
> }
>
> The man page for rlm_acct_unique shows:
>
> acct_unique {
>     key = User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Port
> }
>
> Anyone know when this was changed?

Apparently, a long time ago:
https://github.com/alandekok/freeradius-server/commits/master/raddb/modules/acct_unique

-James
Re: Pre release of 2.1.12
On 29/08/2011 15:13, Alan DeKok wrote:
> I've put some pre releases of 2.1.12 on the web site:
>
> http://git.freeradius.org/pre/
>
> Please let me know if there are any problems. If not, this can become 2.1.12.

All seems good so far.

-James

radmin> show version
FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Aug 30 2011 at 01:08:47
radmin> show uptime
Up since Thu Sep 1 04:02:20 2011
radmin> stats client auth
requests        419006
responses       432061
accepts         56219
rejects         4154
challenges      371688
dup             44
invalid         0
malformed       0
bad_signature   0
dropped         65
unknown_types   0
radmin> stats client acct
requests        93500
responses       93499
dup             0
invalid         0
malformed       0
bad_signature   0
dropped         0
unknown_types   0
Re: OT: Cisco Disconnect-Request packets
On 24/08/2011 11:31, Jonathan Gazeley wrote:
> Hi all, Not directly related to FreeRADIUS but I gather people here have some experience with Cisco WiSMs and 802.1x. I'm trying to use radclient to craft a Disconnect-Request packet to disconnect a user on an 802.1x network. I've checked the RFCs for the Disconnect-Request packets and I believe I am providing all the necessary attributes to disconnect a user, however the WiSM always responds:
>
> rad_recv: Disconnect-NAK packet from host 172.17.107.211 port 3799, id=219, length=26
>         Error-Cause = Missing-Attribute
>
> I am sending packets like these:
>
> Sending Disconnect-Request of id 219 to 172.17.107.211 port 3799
>         User-Name = jg4461
>         Calling-Station-Id = 00:1b:63:08:b4:eb
>         Framed-IP-Address = 172.21.107.197
>         Called-Station-Id = 00:21:55:ac:5b:60:ResNet-Wireless
>         NAS-Port-Id = 29
>         NAS-Port-Type = Async
>         Acct-Session-Id = jg44614ddcd9e6/00:1b:63:08:b4:eb/222935
>         NAS-IP-Address = 172.17.107.211
>         NAS-Port = 29
>         NAS-Identifier = wism11
>
> So, does anyone know which attributes I must send to disconnect a user in this way? Is there an easier way of doing it?

radclient -xs -f /tmp/disconnect.txt 172.17.107.210:3799 disconnect secret
Sending Disconnect-Request of id 7 to 172.17.107.210 port 3799
        User-Name = testu...@bristol.ac.uk
        Calling-Station-Id = 89:c6:65:99:39:52
        Service-Type = Login-User
rad_recv: Disconnect-ACK packet from host 172.17.107.210 port 3799, id=7, length=20
        Total approved auths:  1
        Total denied auths:  0
        Total lost auths:  0

...so it seems you need User-Name, Calling-Station-Id and Service-Type.

-James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: freeradius cisco COA
On 21/08/2011 13:10, Arran Cudbard-Bell wrote:
> Wow ok a lot of CoA and DM questions lately.
>
>> anyone have like experience to share ,,,
>
> Well it should be the same as any other CoA implementation, except IIRC its on port 1700 instead of 3779.
>
> Cisco wireless or wired?

We're using Cisco WiSMs/WiSM2s [wireless]. You have to enable RFC3576 capability per radius server in the config. They use destination UDP/3799.

The only gotcha we've had so far, is that the CoA packet has to come from the same source IP and *port* as the radius server is configured as in the WiSM config. Depending on how you are generating the CoA this may be problematic, but is easily solved with a line in your iptables config:

*nat
-A POSTROUTING -p udp --dport 3799 -d NAS-IP -j SNAT --to-source radius-server-IP:radius-listening-port
COMMIT

-James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
Re: Certificate problems? Freeradius 2.1.10 on Debian squeeze
On 05/08/2011 17:00, John Dunning wrote:
> Greetings all, We've been running freeradius 1.x on Debian Lenny for some time with great success authenticating against Novell eDirectory/LDAP. Our Linux guru has moved on to exciting new opportunities and while the rest of us are decent at linux we're certainly missing his input here :) We're trying to update the system to Squeeze and move from eDirectory to Active Directory authentication to stay more easily within the debian package scope. I think I largely have the system setup to do EAP-TLS/PEAP/MS-CHAPv2 with Windows 7 supplicant but for some reason I can't seem to get the EAP-TLS tunnel to fire up. I've tried going through http://wiki.freeradius.org/Certificate_Compatibility with the delivered certs (which are evidently supposed to be compatible) but I seem to be missing something. I've got NTLM_AUTH working correctly (once I actually get that far), so I'm hoping that if I can get this cert issue figured out I'll be good to go. Using a Cisco AIR1220 AP and have tried both Windows 7 and android supplicants and get the same problem (see -X log below). Thanks in advance!! JD
>
> certificate_file = /etc/freeradius/certs/server.pem

(1) Do:

openssl x509 -in /etc/freeradius/certs/server.pem -noout -text

Check that the output contains this:

X509v3 Extended Key Usage:
    TLS Web Server Authentication

...If it doesn't, see the OIDs comments in the FR wiki page.

(2) Check that Windows 7 is correctly configured to trust your certificates. Refer to 15-19 on:
http://www.wireless.bris.ac.uk/eduroam/instructions/go-vista/#wifi
[obviously you need to trust your root CA, not mine though]

For testing you can un-tick Validate server certificate, but you should never do this with real credentials, or with real users.

(3) Android probably isn't a good OS to use for AAA testing, because depending on which version you have there are various bugs with its enterprise wi-fi support.

Regards,
James
Re: Security issues with 1.1.3 flatfile
On 01/08/2011 22:08, d.tom.schm...@l-3com.com wrote:
> Currently running 1.1.3 on CentOS 5.x.

Upgrade

> I am currently using the flat file option and it works just fine as long as the permissions on the file are: 664 RW-RW-R—
>
> Record in the file looks like:
>
> Tom tab Auth-Type := Local, User-Password := “tompass”
>
> This allows everyone to read the file – not good security. If I change the permissions to 660 RW-RW then freeRADIUS will not restart.

Who owns the file? Which user does FR run as?

If FR runs as 'radiusd' and the file is owned by root:root, then it's not surprising that FR can't read the file unless it is chmod o+r.

[upgrade and] fix the permissions and it will work.

-James
Re: Yet another multiple SSID setup question
On 12/07/2011 02:50, Nick Kartsioukas wrote:
> I've been looking through the wiki and staring at the config files and I'm...confused. I've successfully gotten our Cisco WLC to authenticate against ActiveDirectory as well as a Sun LDAP server (just one at a time) via FreeRADIUS for a single test SSID, but now I'm trying to figure out how to split that into conditional checks. Before I go chopping up the existing config files and making a horrible mess of things, I wanted to verify a few things with the wisdom of the list.
>
> Okay...let's say I have an SSID for students and an SSID for staff. Students authenticate against LDAP, which stores passwords as salted SHA1 hashes. Staff authenticate against Windows ActiveDirectory. I've found where the WLC sends the SSID to FreeRADIUS, so I can get at that. My question is, how do I set up the EAP-TTLS/PAP session for the Student SSID and the separate PEAP/MSCHAPv2 session for the Staff SSID? Are these configured as different virtual servers? Or just different modules that I call from the users file like so:
>
> DEFAULT Auth-Type := student_module, Called-Station-SSID := student
> DEFAULT Auth-Type := staff_module, Called-Station-SSID := staff
>
> If so how do I set that up, as that would be two different eap.conf setups (wouldn't it)? Am I missing something obvious in the docs? Thanks for taking the time to help me out!

If they are different SSIDs on the Cisco WLC, you should be able to assign different radius servers for each SSID. Do that, e.g:

ssid1 - 192.0.2.1:1645
ssid2 - 192.0.2.1:1812

Then use a different FreeRADIUS virtual server to handle each (i.e. one virtual server listening on port 1812, and one listening on port 1812). This way you can keep the intricacies of each separate.

-James
Re: ntlm_auth authentication results logging messages
On 19/05/2011 21:00, Garber, Neal wrote: I found a similar user in an old thread who submitted a patch: (http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-reasons-in-rlm-mschap-td2791760.html) And it appears that this patch made it into the rlm_mschap.c module code: I submitted that patch and it was included in FR v1. Unfortunately, a change in v2 regressed this functionality. In v2, there's now an additional round trip, so the ntlm_auth results need to be saved - they are saved, in the current version, for success; but, not for failure. I submitted another patch for v2 last year that saves the ntlm_auth results for failures as well; but, it required rework (Alan wanted it split into two separate patches) and I haven't had a chance to rework it yet. Other, really nice mschap patches have been submitted since then (thank you Phil), so the rework, for me, is now a bit more. Note that needing the results saved is probably because you want to do something with the information in post-auth. John, if you just want to log the information you can do something like [in the inner-tunnel file]:

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 1
        }
        if (reject) {
            linelog
            reject
        }
    }
    ...
}

The linelog module (or any other module you want to use e.g. SQL) can log to a file or syslog or something else at this point. The information you want will be in the %{Module-Failure-Message} and %{reply:MS-CHAP-Error} attributes. We use linelog extensively to syslog to a file and then have a webpage that does the equivalent of tail the file and refresh routinely - very easy for the help desk staff to see what is going on without needing to ssh to anything. -James
Re: ldap and xlat
On 17/05/2011 22:28, Frank Dornheim wrote: Dear FreeRADIUS users, I try to migrate my radius setup to LDAP. I use mainly the information from Frank Ranner (http://lists.cistron.nl/pipermail/freeradius-users/2007-September/msg00205.html). Today I have a problem to understand the xlat statement in the hint file: DEFAULT Hint = `%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}` Can anybody explain that, step by step? (yes I read the rlm_ldap doku file and tried the mailing list search)

Hint = : Set Hint to the value of the right hand side of the =
%{...} : Variable to be expanded
ldap: : process the next bit with the LDAP module.
%{NAS-IP-Address} : The value of the NAS-IP-Address attribute in the request. ...e.g. 192.0.2.99
ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one?ipHostNumber=192.0.2.99 : LDAP URL as per http://www.ietf.org/rfc/rfc2255.txt

-James
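The two steps in James's walkthrough (expand the request attribute, then treat the result as an RFC 2255 URL) as an added, stand-alone example; this is not rlm_ldap's code. The in-memory directory, its entries and the request values are constructed test data, and the escaping step is included because the expanded NAS-IP-Address (or a User-Name in other hints) becomes part of an LDAP filter.

```python
"""Added example (not FreeRADIUS code): the two steps behind the ldap xlat
in the hint above, re-implemented stand-alone so the expansion can be
traced. The in-memory directory and its entries are constructed test data."""
import re
from urllib.parse import unquote

# RFC 2255: ldap://host:port/dn?attributes?scope?filter?extensions
_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<host>[^/]*)/(?P<rest>.*)$")
_ATTR_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def ldap_filter_escape(value):
    """RFC 4515 escaping of a value interpolated into a filter, so a crafted
    NAS-IP-Address or User-Name cannot change the query (rlm_ldap escapes
    xlat'd request values for the same reason)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_request_refs(template, request):
    """Replace %{Attr} with the request's value of Attr (empty if absent)."""
    return _ATTR_REF.sub(
        lambda m: ldap_filter_escape(str(request.get(m.group(1), ""))), template)


def parse_ldap_url(url):
    """Split an RFC 2255 URL into base DN, attribute list, scope and filter."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    parts = m.group("rest").split("?")
    parts += [""] * (4 - len(parts))
    dn, attrs, scope, filt = parts[:4]
    scope = scope or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    filt = unquote(filt) or "(objectClass=*)"
    if not filt.startswith("("):          # the hint omits the parentheses
        filt = "(%s)" % filt
    return {"host": m.group("host"), "base": unquote(dn),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": filt}


class TinyDirectory:
    """Constructed stand-in for the LDAP server: a list of (dn, attrs) and a
    search() that understands a single equality filter and the three scopes."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, base, scope, filt):
        m = re.match(r"^\(([A-Za-z0-9-]+)=([^)]*)\)$", filt)
        if not m:
            raise ValueError("only (attr=value) filters supported")
        attr, value = m.groups()
        base = base.lower()
        for dn, attrs in self.entries:
            dn = dn.lower()
            if scope == "base":
                in_scope = dn == base
            elif scope == "one":
                rest = dn[:-len(base) - 1] if dn.endswith("," + base) else None
                in_scope = rest is not None and "," not in rest
            else:
                in_scope = dn == base or dn.endswith("," + base)
            if in_scope and value in attrs.get(attr, []):
                yield attrs


def resolve_ldap_xlat(xlat, request, directory):
    """Resolve %{ldap:<url>} the way the hint is evaluated: strip the module
    wrapper, expand %{Attr} references, parse the URL, run the search and
    return the first value of the first requested attribute ("" if none)."""
    prefix = "%{ldap:"
    if not (xlat.startswith(prefix) and xlat.endswith("}")):
        raise ValueError("not an ldap xlat")
    q = parse_ldap_url(expand_request_refs(xlat[len(prefix):-1], request))
    for entry in directory.search(q["base"], q["scope"], q["filter"]):
        for attr in q["attrs"]:
            if entry.get(attr):
                return entry[attr][0]
    return ""


HINT = ("%{ldap:ldap:///ou=hosts,dc=whatever?radiusHuntgroupName?one"
        "?ipHostNumber=%{NAS-IP-Address}}")
HOSTS = TinyDirectory([   # constructed entries
    ("cn=nas1,ou=hosts,dc=whatever",
     {"ipHostNumber": ["192.0.2.99"], "radiusHuntgroupName": ["edge-nas"]}),
    ("cn=nas2,ou=hosts,dc=whatever",
     {"ipHostNumber": ["192.0.2.100"], "radiusHuntgroupName": ["core-nas"]}),
    ("cn=deep,ou=lab,ou=hosts,dc=whatever",     # one level too deep for ?one
     {"ipHostNumber": ["192.0.2.101"], "radiusHuntgroupName": ["lab"]}),
])
```

Two things worth seeing in practice: the `?one?` scope only matches direct children of ou=hosts, so a NAS filed one OU deeper silently yields no huntgroup, and an unescaped value such as `192.0.2.99)(cn=*` would otherwise rewrite the filter.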
ldap
How do I deny access based on the ldap attribute nsAccountLock = true?
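The question above gets no answer on this page; the check a practitioner would add is shown here as an added example that is not from the thread. It assumes a 2.x server with the ldap module already configured against the same directory, a base DN of dc=example,dc=com, and that the directory returns the literal string "true" for nsAccountLock on a locked entry.

```text
# sites-enabled/<server>, authorize section, after the ldap module call
authorize {
    ...
    ldap
    # nsAccountLock is only present (and "true") on a locked entry; the ldap
    # xlat returns "" when the attribute or the entry is missing, so only a
    # real lock trips the condition. rlm_ldap escapes the expanded User-Name
    # before it goes into the filter.
    if ("%{ldap:ldap:///dc=example,dc=com?nsAccountLock?sub?(uid=%{User-Name})}" =~ /^true$/i) {
        update reply {
            Reply-Message := "Account is locked"
        }
        reject
    }
}
```

The alternative is to fold `(!(nsAccountLock=true))` into the ldap module's own `filter`, so a locked user is simply not found; the explicit check above costs one extra search but produces a log line that says why the user was rejected.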
Re: acct segfault in git v2.1.x
On 09/05/2011 12:22, Alan DeKok wrote: Alexander Clouter wrote: Updating to git's v2.1.x to go on a post-Easter bughunt and found the following accounting packet[1] seems to segfault freeradius: ... #1 0x403075d8 in fnmatch () from /lib/libc.so.6 #2 0x409da598 in do_detail (instance=0x114e50, request=0x43443240, packet=0x43446dd8, compat=value optimized out) at rlm_detail.c:301 Hmm... calling fnmatch() when the packet was *not* read from the detail file is a bad idea. Oops. On closer inspection, much of the logic in rlm_detail is broken. If you need the FreeRADIUS -X malarkey, then do ask, it is just trickier to get on a production box... :) Nah. I think the Feynman method is fine. 1) look at problem 2) think hard 3) write down solution Give me a bit and I'll push a change to git. It now seems to create a *directory* with the name that should be the detail *file*... custard radius # find ./ -type d ./ ./radacct ./radacct/eduroamalien-soh-bsql ./radacct/vpi-soh-bsql ./radacct/eduroamlocal-soh-bsql ./radacct/nomadicvpn-bsql ./radacct/uobgear ./radacct/eduroamlocal-inner ./radacct/eduroamlocal-bsql ./radacct/vpi ./radacct/eduroamalien-inner ./radacct/eduroamlocal ./radacct/vpi-inner ./radacct/eduroamalien ./radacct/nomadicvpn custard radius # killall -9 radiusd ; /usr/local/sbin/radiusd custard radius # tail -n 0 -f radius*.log SNIP == radiusd-eduroamlocal.log == Mon May 9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory Mon May 9 17:50:25 2011 : Error: [detail-bsql] rlm_detail: Couldn't open file /var/log/radius/radacct/eduroamlocal-bsql/detail-bsql.log: Is a directory ls -la also shows that radiusd has indeed created a directory with what should have been the file name.
module config: custard radius # cat /usr/local/etc/serviceraddb/modules/detail-bsql | grep '[[:print:]]' | grep -v '#'

detail detail-bsql {
    detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
    detailperm = 0600
    header = %t
}

-James
FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen 0
Hi All, Sorry for the sketchy details We got an ASSERT FAILED xlat.c[1048]: outlen 0 with a PEAP user. The bit of the -X I have is as below, and the soh virtual server config is attached. I have no further details at the moment because the client has gone away (and I've disabled SoH in the EAP module config in case they come back and knock it over again while I'm away). The same set-up has been fine with many other SoH clients previously. Can anyone point me in the right direction? The only thing that came to mind was the packet getting a bit big with all those attributes? Thanks, James [updated] returns updated +++- if ((Calling-Station-Id) %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 750: Preceding if was taken ++- policy create.uob-stripped-mac returns updated SoH-Supported = yes SoH-MS-Machine-OS-vendor = Microsoft SoH-MS-Machine-OS-version = 6 SoH-MS-Machine-OS-release = 0 SoH-MS-Machine-OS-build = 6000 SoH-MS-Machine-SP-version = 0 SoH-MS-Machine-SP-release = 0 SoH-MS-Machine-Processor = x86 SoH-MS-Machine-Name = AlexanderPC SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c SoH-MS-Machine-Role = client SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1
SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = auto-updates ok action=install by-policy=1 SoH-MS-Windows-Health-Status = security-updates error no-wsus-srv FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = abc...@bris.ac.uk Calling-Station-Id = 00:1b:77:xx:xx:xx Called-Station-Id = 00:3a:98:9d:17:30:eduroam NAS-Port = 29 NAS-IP-Address = 172.17.107.207 NAS-Identifier = wism7 Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = 448 ASSERT FAILED xlat.c[1048]: outlen 0 -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- Config bits: server eduroamlocal-soh { authorize { if (SoH-Supported == no) { update config { Auth-Type = Accept } } else { detail-bsql update config { Auth-Type = Accept } detail detail-bsql { detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log detailperm = 0600 header = %t }
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen 0
On 04/05/2011 11:24, Phil Mayers wrote: On 04/05/11 10:42, James J J Hooper wrote: [updated] returns updated +++- if ((Calling-Station-Id) %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 750: Preceding if was taken ++- policy create.uob-stripped-mac returns updated Is that all? It jumps straight from the above to dumping the SoH packet? Yes SoH-Supported = yes SoH-MS-Machine-OS-vendor = Microsoft SoH-MS-Machine-OS-version = 6 SoH-MS-Machine-OS-release = 0 SoH-MS-Machine-OS-build = 6000 SoH-MS-Machine-SP-version = 0 SoH-MS-Machine-SP-release = 0 SoH-MS-Machine-Processor = x86 SoH-MS-Machine-Name = AlexanderPC SoH-MS-Correlation-Id = 0x81aa82cd69f946f2bae142fd0fbfcc3e01cc09847027078c SoH-MS-Machine-Role = client SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = firewall ok snoozed=0 microsoft=1 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 Ok, something has gone wildly wrong there Unless they really do have 3 firewall, 7 AV and 8 anti-spyware products installed! Indeed - We all know how messed up clients can get, so this one is probably due for some TLC (if I can get them to come in). 
up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=0 enabled=1 SoH-MS-Windows-Health-Status = antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=0 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=1 up2date=0 enabled=0 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=0 enabled=1 SoH-MS-Windows-Health-Status = antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1 SoH-MS-Windows-Health-Status = auto-updates ok action=install by-policy=1 SoH-MS-Windows-Health-Status = security-updates error no-wsus-srv FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = abc...@bris.ac.uk Calling-Station-Id = 00:1b:77:xx:xx:xx Called-Station-Id = 00:3a:98:9d:17:30:eduroam NAS-Port = 29 NAS-IP-Address = 172.17.107.207 NAS-Identifier = wism7 Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = 448 ASSERT FAILED xlat.c[1048]: outlen 0 Config bits: server eduroamlocal-soh { authorize { if (SoH-Supported == no) { update config { Auth-Type = Accept } } else { detail-bsql What's the config for this module? 
As below i.e. a plain old detail module update config { Auth-Type = Accept }

detail detail-bsql {
    detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}-bsql/detail-bsql.log
    detailperm = 0600
    header = %t
}

-James
Re: FR 2.1.x git + SoH: ASSERT FAILED xlat.c[1048]: outlen 0
On 04/05/2011 11:37, Phil Mayers wrote: On 04/05/11 10:42, James J J Hooper wrote: Hi All, Sorry for the sketchy details We got an ASSERT FAILED xlat.c[1048]: outlen 0 with a PEAP user. The bit of the -X I have is as below, and the soh virtual server config is attached. I have no further details at the moment because the client has gone away (and I've disabled SoH in the EAP module config in case they come back and knock it over again while I'm away). The same set-up has been fine with many other SoH clients previously. Can anyone point me in the right direction? The only think that came to mind was the packet getting a bit big with all those attributes? From what I can tell, that's a pretty hard error condition to produce. xlat.c:1048 is inside xlat_copy, which is the default escaping function when radius_xlat is called with a NULL final argument. The assert means that there was no room left in the output buffer, but the very first check inside the while() loop in radius_xlat is: while (*p) { /* Calculate freespace in output */ freespace = outlen - (q - out); if (freespace = 1) break; A quick look at the code gives me the impression it should be pretty hard to trigger this error condition; I can't see how freespace 1 ever allows xlat_copy to be called. [updated] returns updated +++- if ((Calling-Station-Id) %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) returns updated +++ ... skipping else for request 750: Preceding if was taken ++- policy create.uob-stripped-mac returns updated The above policy: where is that? It's clearly not in your SoH virtual server - is this the inner-tunnel stuff? Can we see the config? I suspect something in the SoH is triggering this when it dumps the AVPs. 
Both inner and outer configs start:
--
server eduroamlocal-inner {
    authorize {
        create.uob-stripped-mac
        preprocess
--
server eduroamlocal {
    authorize {
        create.uob-stripped-mac
        preprocess
--
where create.uob-stripped-mac is:
--
create.uob-stripped-mac {
    if((Calling-Station-Id) %{Calling-Station-Id} =~ /^%{config:policy.mac-addr}$/i) {
        update request {
            UOB-Stripped-MAC := %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
        }
        updated
    }
    else {
        noop
    }
}
--
-James
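The normalisation that create.uob-stripped-mac performs (match the station id against the policy.mac-addr pattern, rebuild it as lowercase colon-separated pairs, noop otherwise), as an added stand-alone example that is not the site's unlang. It also accepts the dotted and bare spellings some NAS vendors send and strips the ":ssid" suffix a Cisco WLC appends to Called-Station-Id; the sample station ids are constructed.

```python
"""Added example (not from the thread): the normalisation the
create.uob-stripped-mac policy performs, as a stand-alone function that
also copes with the other spellings a NAS may use. Sample station ids
below are constructed."""
import re

_HEX2 = "[0-9A-Fa-f]{2}"
# aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, optionally followed by ':ssid'
# (a Cisco WLC appends the SSID to Called-Station-Id)
_SEP_FORM = re.compile(
    r"^(%s)[:-](%s)[:-](%s)[:-](%s)[:-](%s)[:-](%s)(?::.*)?$" % ((_HEX2,) * 6))
_DOT_FORM = re.compile(r"^([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})\.([0-9A-Fa-f]{4})$")
_BARE_FORM = re.compile(r"^([0-9A-Fa-f]{12})$")


def normalise_mac(station_id):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None when the value
    is not a MAC (the policy's 'noop' branch, e.g. an IP or empty string)."""
    if not station_id:
        return None
    m = _SEP_FORM.match(station_id)
    if m:
        return ":".join(g.lower() for g in m.groups())
    m = _DOT_FORM.match(station_id) or _BARE_FORM.match(station_id)
    if m:
        raw = "".join(m.groups()).lower()
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    return None


def stripped_mac_attrs(request):
    """Mimic 'update request { UOB-Stripped-MAC := ... }': return the
    attribute to add, or an empty dict when the policy would noop."""
    mac = normalise_mac(request.get("Calling-Station-Id", ""))
    return {"UOB-Stripped-MAC": mac} if mac else {}
```

Normalising once in authorize means later policies, SQL lookups and log lines compare one canonical form instead of whatever case and separator the NAS happened to use.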
Re: MS-CHAP-V2 with no retry
On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. -James [attachment: p4.txt.gz]
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pops up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a click to process credentials bubble, then a type your password again box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk --
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:39, James J J Hooper wrote: On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pops up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a click to process credentials bubble, then a type your password again box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png ...Although, when you correct the password in the 'allow_retry = yes' popup, I don't think FR has got the bit to handle that yet: Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +- entering group eduroamalieneap-bris-sha-ca {...} [eduroamalieneap-bris-sha-ca] Request found, released from the list [eduroamalieneap-bris-sha-ca] EAP/mschapv2 [eduroamalieneap-bris-sha-ca] processing type mschapv2 rlm_eap_mschapv2: Unexpected response received *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2 [eduroamalieneap-bris-sha-ca] Failed in EAP select ++[eduroamalieneap-bris-sha-ca] returns invalid Failed to authenticate the user. Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel) } # server eduroamalien-inner [peap] Got tunneled reply code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Tunneled authentication was rejected. [peap] FAILURE -James
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:57, James J J Hooper wrote: On 10/04/2011 12:39, James J J Hooper wrote: On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pops up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a click to process credentials bubble, then a type your password again box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png ...Although, when you correct the password in the 'allow_retry = yes' popup, I don't think FR has got the bit to handle that yet: Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +- entering group eduroamalieneap-bris-sha-ca {...} [eduroamalieneap-bris-sha-ca] Request found, released from the list [eduroamalieneap-bris-sha-ca] EAP/mschapv2 [eduroamalieneap-bris-sha-ca] processing type mschapv2 rlm_eap_mschapv2: Unexpected response received *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2 [eduroamalieneap-bris-sha-ca] Failed in EAP select ++[eduroamalieneap-bris-sha-ca] returns invalid Failed to authenticate the user. Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel) } # server eduroamalien-inner [peap] Got tunneled reply code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Tunneled authentication was rejected.
[peap] FAILURE I think it needs two things now: 1) Something like: @@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) * a challenge. */ case PW_EAP_MSCHAPV2_RESPONSE: - if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) { - radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received); + if ((data-code != PW_EAP_MSCHAPV2_CHALLENGE) (data-code != PW_EAP_MSCHAPV2_FAILURE)) { + radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received: %d, data-code); return 0; } ... because the response to our MSCHAPV2_FAILURE seems to be a MSCHAPV2_FAILURE 2) if (inst-retry_msg) { snprintf(buffer + 9, sizeof(buffer), C=); for (i = 0; i 16; i++) { snprintf(buffer + 12 + i*2, sizeof(buffer), %02x, fr_rand() 0xff); } This C=random needs to be saved and eventually make its way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); has the correct challenge, and can then process the client's retry correctly? (help, I haven't managed to work out the mechanism from the current challenge generation bits yet!) -James
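Review bot: the new condition in the PW_EAP_MSCHAPV2_RESPONSE case, `if ((data->code != PW_EAP_MSCHAPV2_CHALLENGE) && (data->code != PW_EAP_MSCHAPV2_FAILURE))`, lets a Response be processed after any Failure, but that is only valid when the Failure the server sent carried R=1; after an R=0 failure the peer's next Response should still be refused as unexpected, otherwise a client can keep resubmitting Responses and each one is verified against the unchanged data->challenge, which is exactly the gap point 2 describes. Gate the new branch on the module's allow_retry setting and on the fresh C= challenge having been stored in the handler state, and count retries so the failure/response loop is bounded rather than open-ended.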
Re: MS-CHAP-V2 with no retry
On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the we didn't do much windows testing line... Yup. I've just pushed some changes to the git v2.1.x branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.conf - send_error The default is no change. See the documentation for how to test the new features. Hi Alan, I may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12 ...as per attached diff? -James [attachment: p3.txt.gz]
Re: MS-CHAP-V2 with no retry
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to match the challenge of the server: According to rfc2759 section 6, a failure packet includes a message like: E=ee R=r C= V=vv M=msg where E is the error code, R 1/0 allow/disallow retry C an ascii version of the challenge V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to have a failure code should be returned from the client. At that point the server can close the eap connection with a failure. What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs. Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out. == proposed fix Modify freeradius to follow rfc2759.
This requires patches to two source files: o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759 o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet. Below are the diffs: == Comments o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe: 1) no more lockouts 2) Mac/Iphones users are now presented with a dialog box where they can update their password. o Code: a) I don't like the 100 character msg variable - there is probably a better way to do this. b) There is probably a function in free radius library to do the sprintf which should be used. c) samba locked accounts should probably have a similar message generated if they are mschapv2. I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases. Hi John, I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test). Attached are the two 'git diff' that I ended up with. -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net -- index c512018..3f3fc46 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c 
@@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST *request) response-vp_octets + 26, nthashhash, do_ntlm_auth) 0) { RDEBUG2(FAILED: MS-CHAP2-Response is incorrect); + + /* JCH - changes to include challenge and message */ +char msg[100]; +strcpy(msg, E=691 R=0 C=); +int i, offset = strlen(msg); +char *ptr = msg[offset]; +for (i=0; i16; i++, ptr+=2) { + sprintf(ptr, %02X, response-vp_octets[i+2]); +} +*ptr = 0; +strcat(msg, V=3 M=May Need to reset cached password); + mschap_add_reply(request, request-reply-vps, *response-vp_octets, -MS-CHAP-Error, E=691 R=1, 9); +MS-CHAP-Error, msg, strlen(msg)); return RLM_MODULE_REJECT; } index bdf4668..051fe71 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c @@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *reply) case
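Review bot: in the rlm_mschap.c hunk the message assembly is unsafe and non-portable: `char msg[100]` is filled with strcpy, a sprintf loop and strcat with no length checks, so any change to the M= text or to the error code silently overflows a stack buffer (the fixed pieces currently total 84 bytes plus the terminator, which is why it happens to work), and the `char msg[100];` declaration after a statement will not compile on C89-only compilers. Build the string with one snprintf(msg, sizeof(msg), "E=691 R=0 C=%s V=3 M=%s", ...) from a separately hex-encoded challenge and move the declarations to the top of the block; that also covers the author's own points (a) and (b). Separately, C= is filled from response->vp_octets[i+2], i.e. the peer challenge copied out of the client's own MS-CHAP2-Response, whereas RFC 2759 section 6 defines C= as the new server challenge for the next attempt; with R=0 the field is never acted on, but if retry is later enabled the server must generate a fresh challenge here and remember it for verifying the retried Response.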
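The RFC 2759 section 6 failure string from John's background note, together with the server-side state James's point (2) asks for (the C= challenge kept so a retried Response can be checked against it), as an added stand-alone example; this is not the FreeRADIUS code in the patches above. Error codes are the ones RFC 2759 defines; the retry counter, the class and its method names are this example's own.

```python
"""Added example (not the FreeRADIUS code under discussion): build and parse
the RFC 2759 section 6 failure string, and keep the server-side state the
retry path needs, i.e. the challenge quoted in C= is stored so the peer's
retried Response can be checked against it. Error codes are from RFC 2759."""
import os
import re

E_RESTRICTED_HOURS, E_ACCT_DISABLED, E_PASSWD_EXPIRED = 646, 647, 648
E_NO_DIALIN, E_AUTH_FAILURE, E_CHANGING_PASSWORD = 649, 691, 709
CHALLENGE_LEN = 16

# "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>"; the server in the thread
# sent only "E=691 R=1", so everything after E= is treated as optional here
_FAIL_RE = re.compile(
    r"^E=(\d+)(?: R=([01]))?(?: C=([0-9A-Fa-f]{32}))?(?: V=(\d+))?(?: M=(.*))?$", re.S)


def build_failure(error, allow_retry, challenge, message=""):
    """Format the MS-CHAP-Error text. 'challenge' is the 16-byte server
    challenge the peer must use if it retries."""
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be %d bytes" % CHALLENGE_LEN)
    text = "E=%d R=%d C=%s V=3" % (error, 1 if allow_retry else 0, challenge.hex().upper())
    return text + (" M=" + message if message else "")


def parse_failure(text):
    """Parse a failure string (as a supplicant does) into its fields."""
    m = _FAIL_RE.match(text)
    if not m:
        raise ValueError("malformed failure message: %r" % text)
    code, retry, chal, ver, msg = m.groups()
    return {"error": int(code), "retry": retry == "1",
            "challenge": bytes.fromhex(chal) if chal else None,
            "version": int(ver) if ver else None, "message": msg}


class MsChapV2FailureState:
    """Per-session bookkeeping for the retry flow. fail() returns the failure
    text and remembers the fresh challenge only while a retry is on offer, so
    a Response arriving after an R=0 failure is refused instead of being
    checked against a stale challenge."""
    def __init__(self, allow_retry, max_retries=3):
        self.allow_retry = allow_retry
        self.retries_left = max_retries
        self.challenge = None

    def fail(self, error=E_AUTH_FAILURE, message=""):
        retry = self.allow_retry and self.retries_left > 0
        challenge = os.urandom(CHALLENGE_LEN)
        self.challenge = challenge if retry else None
        if retry:
            self.retries_left -= 1
        return build_failure(error, retry, challenge, message)

    def challenge_for_retry(self):
        """The challenge a retried Response must be verified against, or None
        when no retry was offered (the Response is then 'unexpected')."""
        return self.challenge
```

The point of the bounded counter is the lockout scenario John describes: a server that offers unlimited retries to a client with a cached stale password keeps feeding the directory failed binds, so R=1 should be sent only a small, fixed number of times per session.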
Re: MS-CHAP-V2 with no retry
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper jjj.hoo...@bristol.ac.uk wrote: Attached are the two 'git diff' that I ended up with. gzipped so they don't get messed up. -James [attachments: p1.txt.gz, p2.txt.gz]
Re: MS-CHAP-V2 with no retry
On 07/04/2011 13:33, James J J Hooper wrote: --On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to match the challenge of the server: According to rfc2759 section 6, a failure packet includes a message like: E=ee R=r C= V=vv M=msg where E is the error code, R 1/0 allow/disallow retry C an ascii version of the challenge V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to have a failure code should be returned from the client. At that point the server can close the eap connection with a failure. What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs. Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out. == proposed fix Modify freeradius to follow rfc2759.
This requires patches to two source files: o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759 o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet. Below are the diffs: == Comments o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe: 1) no more lockouts 2) Mac/Iphones users are now presented with a dialog box where they can update their password. o Code: a) I don't like the 100 character msg variable - there is probably a better way to do this. b) There is probably a function in free radius library to do the sprintf which should be used. c) samba locked accounts should probably have a similar message generated if they are mschapv2. I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases. Hi John, I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test). Attached are the two 'git diff' that I ended up with. Hi John, It works on Mac OS and iOS, but I haven't been able to get it to work as expected on XP or Win7: * Win7 does as it did before * XP: The [builtin] supplicant gets stuck at the 'trying to authenticate' message. Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly? Regards, James
Re: freeradius+ldap: Invalid DN syntax
On 02/04/2011 18:29, ziko wrote: Hello. I am using Freeradius 2 with openldap 2.3.43 on my CentOS 5. My OpenLDAP works great without freeradius, and freeradius works without ldap. But I can't connect ldap and freeradius. my ldapsearch output: ldapsearch -x # extended LDIF # # LDAPv3 # base dc=my-domain,dc=com (default) with scope subtree ..^^...^^ my /etc/raddb/modules/ldap: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = server2.**.ge identity = cn=Manager,dc=my-domain,dc=com password = ** basedn = dn=my-domain,dn=com ^^...^^ radiusd -X output: . rlm_ldap: performing search in dn=my-domain,dn=com, with filter (uid=gchkhetiani) rlm_ldap: ldap_search() failed: Invalid DN syntax There is rlm_ldap: ldap_search() failed: Invalid DN syntax error. How can I fix it? ...configure the basedn correctly!! wrong: basedn = dn=my-domain,dn=com correct: basedn = dc=my-domain,dc=com -James
Re: Attribute NOT being returned in access-accept ?
On 30/03/2011 22:59, Robert Roll wrote:
Freeradius Version 2.1.10
I'm trying to return a vendor attribute, but I don't seem to be seeing it in the access-accept ? I am inner tunneling to Peap, and you can see the attribute is there... Airespace-Interface-Name = wifi-chem-uconnect but I'm not seeing it in the packet from eapol and I'm also seeing it in the final Access-Accept sent from freeradius ?

Sending Access-Accept of id 10 to 155.97.142.192 port 52965
 MS-MPPE-Recv-Key = 0x0e6bf137da352024fe32478d9b9c2cdabbba6a94f9e185e16ce5601b8e4a8328
 MS-MPPE-Send-Key = 0x99880b1843e321c484ceeb0ed19f55e2bbfa769f68e8783615beb220b13bb761
 EAP-Message = 0x030a0004
 Message-Authenticator = 0x
 User-Name = whatever

From Peap ---
[peap] Got tunneled reply RADIUS code 2
 Airespace-Interface-Name = wifi-chem-uconnect
 MS-MPPE-Encryption-Policy = 0x0001
 MS-MPPE-Encryption-Types = 0x0006
 MS-MPPE-Send-Key = 0x7aa77766e328dcdf3e38555995889912
 MS-MPPE-Recv-Key = 0x6af45f9c8437843caf8d2c2ea1f7d7d2
 EAP-Message = 0x03090004
 Message-Authenticator = 0x
 User-Name = tstRad9
[peap] Tunneled authentication was successful.

Set use_tunnelled_reply to yes in eap.conf:
https://github.com/alandekok/freeradius-server/blob/14f534aa405cf0063bb10f4bc36493721e054246/raddb/eap.conf#L471
(also line 570 - once for TTLS, once for PEAP)
-James
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: signed server certs
On 07/03/2011 21:42, John Dennis wrote:
I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!!

...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server cert, or those that default to prompt the user, are vulnerable to rogue AP/credential stealing attacks etc. This may be acceptable in your environment, but if not, you'll still need to actively configure the client.

I've seen statements on this list in the past asserting that if you have a server cert signed by a public CA (e.g. a CA the client is preconfigured to trust) it is a security vulnerability because clients will blindly trust they are connecting to the server they expect when in fact it could be a rogue server impersonating the server. The above comment seems to fall into the same category. I have never understood this advice or its rationale. I was hoping someone could explain it because it does not match my understanding of PKI, here's why:

When a client negotiates a SSL/TLS session it's supposed to validate the server cert. In simplicity this is a 2 step process.
1) It validates the server cert to assure it's signed by a CA it trusts (possibly via a cert chain).
2) It then validates the certificate subject to make sure the server it thought it was connecting to appears in the certificate (either as the certificate subject or one of the certificate subject alternate names).
If either 1 or 2 fails it should abort the connection. If it were possible on an SSL/TLS connection to impersonate another server then most of PKI would be a complete failure. So why does this group think PKI doesn't work?

Hi John,
Ok, first your (1) - matching a presented server cert to a pre-trusted CA cert on the client. This works and does exactly that.
Consider this:
* The client will validate my cert against the CA I signed it with.
* The client will also validate a cert that badPerson has purchased from e.g. verisign
Why - because an unconfigured EAP client will likely trust *all* root CAs (~like your web browser does by default).

So, to mitigate this I can set my EAP client to only trust my CA e.g. verisign. ... but badPerson bought their cert from verisign too! ... so we have to move to the next level - your step (2), the CN.

So how do we configure the client to trust the appropriate CN? Just that: *configure it*. ...an unconfigured/default config client will likely trust any CN. It is this step that is very different from the web. In the web world, the client can check the cert CN matches the DNS name that the user typed, and that this matches the reverse DNS of the IP that the cert came from. In the EAP world, there is no DNS, no IP, no way to determine the source of the cert at all.

...which is why there is nothing wrong with the mechanism, as long as you configure it properly. Some EAP clients do not let you specify a CN to match, so using a self-signed cert, and setting the client just to trust that CA mitigates the public CA vector.
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
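The two checks argued over in this thread (CA trust, then server name) can be modelled as a supplicant policy and run against a legitimate and a rogue certificate. This is an added example written for this page, not code from FreeRADIUS or from any supplicant; the CA names, certificate records and policies are constructed, and no real X.509 parsing is done.

```python
"""Model of the two checks an EAP supplicant makes on the RADIUS server
certificate: (1) was it issued by a CA the client trusts, and (2) does the
name in it match the server the client expects.  Constructed example; the
certificate records and CA names are made up, not real X.509 data."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for the root store a default client ships with.
PUBLIC_ROOT_CAS = {"PublicCA-1", "PublicCA-2", "PublicCA-3"}


@dataclass(frozen=True)
class ServerCert:
    issuer: str                      # CA that signed the certificate
    subject_cn: str                  # Common Name presented to the client
    sans: Tuple[str, ...] = ()       # subjectAltName DNS entries, if any


@dataclass
class SupplicantPolicy:
    # None = trust every CA in the public root store (the unconfigured default)
    trusted_cas: Optional[Set[str]] = None
    # None = no server-name check configured (accept any CN/SAN)
    expected_names: Optional[Set[str]] = None

    def evaluate(self, cert: ServerCert) -> Tuple[bool, str]:
        """Return (accepted, reason) for a presented server certificate."""
        cas = PUBLIC_ROOT_CAS if self.trusted_cas is None else self.trusted_cas
        if cert.issuer not in cas:
            return False, f"issuer {cert.issuer} is not a trusted CA"
        if self.expected_names is not None:
            names = {cert.subject_cn, *cert.sans}
            if not names & self.expected_names:
                return False, f"name {cert.subject_cn} is not the expected server"
        return True, "accepted"


# Constructed certificates.  The rogue cert is issued by the same public CA
# as the legitimate one, which is exactly the case the post describes.
LEGIT_PUBLIC = ServerCert("PublicCA-1", "radius.example.org")
LEGIT_PRIVATE = ServerCert("ExampleUniCA", "radius.example.org")
ROGUE_PUBLIC = ServerCert("PublicCA-1", "radius.rogue-ap.example")

POLICIES = {
    "unconfigured": SupplicantPolicy(),
    "ca_only": SupplicantPolicy(trusted_cas={"PublicCA-1"}),
    "ca_and_name": SupplicantPolicy(trusted_cas={"PublicCA-1"},
                                    expected_names={"radius.example.org"}),
    "private_ca": SupplicantPolicy(trusted_cas={"ExampleUniCA"}),
}


def accepts(policy_name: str, cert: ServerCert) -> bool:
    """Does the named policy accept this certificate?"""
    return POLICIES[policy_name].evaluate(cert)[0]


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:13} legit={accepts(name, LEGIT_PUBLIC)!s:5} "
              f"rogue={accepts(name, ROGUE_PUBLIC)}")
```

Only the "ca_and_name" and "private_ca" policies reject the rogue certificate: pinning the CA alone does not help when the attacker can buy from the same public CA, and that is the whole of the argument above.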
Re: signed server certs
On 07/03/2011 22:18, Arran Cudbard-Bell wrote:
On Mar 7, 2011, at 4:05 PM, James J J Hooper wrote:
On 07/03/2011 21:42, John Dennis wrote:
I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!!

...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server cert, or those that default to prompt the user, are vulnerable to rogue AP/credential stealing attacks etc. This may be acceptable in your environment, but if not, you'll still need to actively configure the client.

I've seen statements on this list in the past asserting that if you have a server cert signed by a public CA (e.g. a CA the client is preconfigured to trust) it is a security vulnerability because clients will blindly trust they are connecting to the server they expect when in fact it could be a rogue server impersonating the server. The above comment seems to fall into the same category. I have never understood this advice or its rationale. I was hoping someone could explain it because it does not match my understanding of PKI, here's why:

When a client negotiates a SSL/TLS session it's supposed to validate the server cert. In simplicity this is a 2 step process.
1) It validates the server cert to assure it's signed by a CA it trusts (possibly via a cert chain).
2) It then validates the certificate subject to make sure the server it thought it was connecting to appears in the certificate (either as the certificate subject or one of the certificate subject alternate names).
If either 1 or 2 fails it should abort the connection. If it were possible on an SSL/TLS connection to impersonate another server then most of PKI would be a complete failure. So why does this group think PKI doesn't work?

Hi John,
Ok, first your (1) - matching a presented server cert to a pre-trusted CA cert on the client. This works and does exactly that.
Consider this:
* The client will validate my cert against the CA I signed it with.
* The client will also validate a cert that badPerson has purchased from e.g. verisign
Why - because an unconfigured EAP client will likely trust *all* root CAs (~like your web browser does by default).

So, to mitigate this I can set my EAP client to only trust my CA e.g. verisign. ... but badPerson bought their cert from verisign too! ... so we have to move to the next level - your step (2), the CN.

So how do we configure the client to trust the appropriate CN? Just that: *configure it*. ...an unconfigured/default config client will likely trust any CN.

That's not really true, even windows requires the user confirm that they trust the CN in the certificate unless the CA has been *explicitly* trusted, and none are by default. The CA would have to fail to verify that the domain used in the CN of the CSR was actually owned by the entity requesting the certificate

Of course, that is true (on windows and mac) ... but Android? some linux? Windows Mobile?

... or the user would have to fail to manually validate the CN presented to them by the supplicant.

I forgive my cynicism, but users click 'yes connect me', for one of two reasons:
1) they don't read the popup, and 'yes' usually means 'make it work'
2) they have no clue what the CN should be, so bristol.com, bristol.wifi.com, uni-wifi.co.uk, eduroam.wireless.bris.ac.uk are all just as good.
(2) isn't the end user's fault ...the admin or the setup wizard should configure the CN validation for the end user. ...or the user gets popup panic and call IT support. Which comes full-circle: just configure it right in the first place ;-)
-James
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius2 and OSX clients no TLS
--On 6 March 2011 16:31:54 + Guy g...@britewhite.net wrote: On 6 Mar 2011, at 13:03, Phil Mayers wrote: On 03/05/2011 04:46 PM, Guy wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and I have it basically working. my iPhone/iPad are able to authenticate and connect via the base station. However my Mac (OSX 10.6 Snow leopard) Laptops are having issues. I do not want to push out Client certificates to the laptops. I also do not want people to have to perform any customisations on the clients. When the laptop attempts to join the network I get a nice login window, with username/password. This is fine. However without playing with the network settings (802.1x settings). I'm not able to join the network because I do not have a client Cert: ... I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!! ...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server cert, or those that default to prompt the user, are vulnerable to rogue AP/credential stealing attacks etc. This may be acceptable in your environment, but if not, you'll still need to actively configure the client. -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On 04 March 2011 10:46 +0100 Alan DeKok al...@deployingradius.com wrote: Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote:
James J J Hooper wrote:
That could be fixed for 2.1.11, I guess. If someone can test it...
Yes please, and will do.
Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024)
Alan DeKok.

Hi Alan,
Compile error ( result of patch .c attached):

Making all in rlm_eap_mschapv2...
gmake[9]: Entering directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2'
/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c
mkdir .libs
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c -fPIC -DPIC -o .libs/rlm_eap_mschapv2.o
rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'
gmake[9]: *** [rlm_eap_mschapv2.lo] Error 1
gmake[9]: Leaving directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2'
gmake[8]: *** [rlm_eap_mschapv2] Error 2

-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
rlm_eap_mschapv2.c--new1.gz
Description: Binary data
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 12:04:51 + James J J Hooper jjj.hoo...@bristol.ac.uk wrote: --On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. Hi Alan, Compile error ( result of patch .c attached): rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok al...@deployingradius.com wrote:
Alan DeKok wrote:
James J J Hooper wrote:
rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'
I've added the missing comma, and it's building now :-)
Then you're using the git master branch, and not 2.1.x.
Nope, my mistake. See the recent message for a better patch.

*** With a bad password it does:
[eduroamlocalmschap] expand: --nt-response=%{eduroamlocalmschap:NT-Response} - --nt-response=58a58ef81a7975443ce2f2ea61d6e66b11974cd3fbbf2b2d
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[eduroamlocalmschap] External script failed.
[eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect
++[eduroamlocalmschap] returns reject
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
[eduroamlocaleap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamlocaleap-bris-sha-ca] Failed in EAP select
++[eduroamlocaleap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect (eduroamlocalmschap: External script says Logon failure (0xc06d)): [jh1...@bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
[peap] Got tunneled reply code 3
 MS-CHAP-Error = \tE=691 R=1
 EAP-Message = 0x04090004
 Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
 MS-CHAP-Error = \tE=691 R=1
 EAP-Message = 0x04090004
 Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eduroamlocaleap-bris-sha-ca] returns handled

*** With a locked out user it does:
server eduroamlocal-inner {
Exec-Program output: Account locked out (0xc234)
Exec-Program-Wait: plaintext: Account locked out (0xc234)
Exec-Program: returned: 1
rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found.
Login incorrect (eduroamlocalmschap: External script says Account locked out (0xc234)): [jh176...@bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel)
} # server eduroamlocal-inner
 MS-CHAP-Error = \007E=691 R=1
 EAP-Message = 0x04070004
 Message-Authenticator = 0x
 MS-CHAP-Error = \007E=691 R=1
 EAP-Message = 0x04070004
 Message-Authenticator = 0x
attr_filter: Matched entry DEFAULT at line 1
Sending Access-Challenge of id 7 to 137.222.253.66 port 48817
 EAP-Message = 0x0108002b19001703010020bfba7af9865436c3cbcd179868046228adb578769d6312fd4cb3caaf3626edc0
 Message-Authenticator = 0x
 State = 0x2183e4ed268bfd6e277ccbd19a06e21c

* Also, each time MS-CHAP-Error seems to be prefixed with a character - Is that intended?
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
--On 04 March 2011 12:34 -0500 John Douglass john.dougl...@oit.gatech.edu wrote:
Group,
Recently, my AD servers were patched by another support group and this caused a (small but noticeable) service outage for our WPA radius services (Radius 2.1.9)

I can think of two things to investigate:
* Recent Samba can do winbind credential caching IIRC - I haven't experimented with this so I'm not sure if it will work for this application.
* Enable Fast Session Resumption: https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/eap#L312 ... We dropped the hits on our DCs by 40% by doing this.
N.B Resumed sessions will not touch your inner-tunnel config, so you have to make sure that you pay attention when (re-)assigning VLANs / other returned attributes based on username.
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: New User and AD Question
On 27/02/2011 18:08, McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the realms file. I also went to #freeradius on FreeNode, but it seemed there was rarely anyone in the channel. So here I am.

I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain, single forest environment.

I'm running two virtual servers, based on the defaults. I have the campus-main virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users for all domains. I also have the campus-eap and campus-inner-tunnel virtual servers for EAP authentication that are the same as the default and inner-tunnel servers except for the names. (I copied them so I could make changes to the campus-XXX virtual servers and still have the originals for reference.)

The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the host\\computer.domain.name users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members.

Sooo... help? What's the basic idea behind making this work?

Hi Justin,
Could you send us the output of radiusd -X for a computer auth? If it works for users it should just work for machines.
You'll need to make sure you have samba 3.0.23 [IIRC] [which you seem to have] and your ntlm_auth line has to have an appropriately formatted User-Name bit e.g. %{mschap:User-Name} (the mschap module will take host\\computer.domain.name and turn it in to computer$ automatically).
-James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Framed-IP-Address AVP missing
--On Friday, February 11, 2011 11:36:09 +0530 Rajkumar R rajkuma...@aricent.com wrote:
Hi,
This query is related to Cisco-7206 equipment behavior.

Indeed, so you should be asking Cisco not FreeRADIUS

We have a Cisco 7206(IOS12.2(33)) equipment associated with freeRadius server2.1.10. Upon PPPOE client start, dynamic IP is assigned from the IP-Pool to the PPPOE client. However this IP address, is not included in the Frame-IP-Address AVP sent in the Access-Request message from the NAS. Request to provide your inputs on this, as this is reported across other forums(unfortunately, no answers available there :))

Read RFC 2865. Section 5.8... [paraphrase] Framed-IP-Address is primarily so RADIUS can tell the NAS which IP to give to the client, not the other way around. Most NASs do not allocate an IP until authentication has succeeded. You may well be able to find the given IP from an accounting packet though. Use a DB to match things up.
Regards, James
--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP and Accounting
--On Thursday, February 10, 2011 08:25:13 -0500 David Peterson dav...@wirelessconnections.net wrote: I am working with a NAS that only sends accounting packets with the EAP style username. Other than matching up =7Bam=3D1=7df717cc32fff26ff29ca0baac5833f...@wimax.com with b...@wimax.com manually in the database are there other methods for achieving this? Configure RADIUS to send the inner User-Name b...@wimax.com back in the outer Access-Accept. Your NAS should then use this User-Name when Accounting (if it doesn't, you need to refer to your NAS manufacturer). Regards, James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Unable to authenticate in case of multilingual characters
--On 04 February 2011 22:02 +0530 karnik jain karnik.j...@gmail.com wrote:
Hi Alan,
I have written multilingual character ∞ directly in RADIUS server's users file without encoding it into UTF-8.

Do I need to write Username in user file of RADIUS server after converting it into UTF-8 to make the whole thing work? If Yes then How can I write UTF-8 characters into users file of RADIUS server. Do I need to write directly the HEX of encoded characters or some other way into the users file of RADIUS server as shown in attached users file of RADIUS server?

I have double checked that the UTF-8 Encoder of mine is working fine. Multilingual character = ∞ (infinity symbol) is having equivalent form in HEX = 0xe2889e and UTF-8 encoding of 0xe2889e is = 0xf8 0xb8 0xa2 0x9e.

Can any one please look into to above issue and guide me How can I configure the files of free RADIUS server to use USER-NAME field other than US-ASCII like Chinese etc.?

Regards,
Karnik jain

Hi Karnik,
If you put UTF in the users file and UTF in the User-Name in the radius request it will work. For example:

users:
現年快樂	Auth-Type := Accept

...and then testing it:
echo 'User-Name = 現年快樂' | radclient -x 137.222.253.91:16010 auth SECRET
Sending Access-Request of id 161 to 137.222.253.91 port 16010
 User-Name = 現年快樂
rad_recv: Access-Accept packet from host 137.222.253.91 port 16010, id=161, length=20

Regards, James
--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
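What the radclient test above relies on is that RFC 2865 carries User-Name as raw octets, so a UTF-8 name needs no hex or escaping at all. The following is an added example written for this page, not FreeRADIUS or radclient code: it builds an Access-Request with a UTF-8 User-Name and a User-Password hidden as RFC 2865 section 5.2 describes, then parses the packet back. The user name, shared secret, identifier and authenticator are constructed test values.

```python
"""Encode and decode a RADIUS Access-Request whose User-Name is UTF-8 (RFC 2865
wire format).  Constructed example: the user name, secret and authenticator
are made-up test values, not data from the list post."""
import hashlib
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it; strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int, authenticator: Optional[bytes] = None) -> bytes:
    """Header (Code, Identifier, Length, Authenticator) followed by attributes.
    User-Name goes on the wire as UTF-8 bytes; nothing escapes or hex-encodes it."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = encode_avp(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += encode_avp(ATTR_USER_PASSWORD,
                        hide_password(password.encode("utf-8"), secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Validate the header and walk the attribute list, rejecting truncated AVPs."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length runs past packet")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def user_name_of(data: bytes) -> str:
    """Decode the User-Name attribute back to text (UTF-8, as RFC 2865 recommends)."""
    for attr_type, value in parse_packet(data)[3]:
        if attr_type == ATTR_USER_NAME:
            return value.decode("utf-8")
    raise KeyError("no User-Name attribute")


if __name__ == "__main__":
    pkt = build_access_request("現年快樂", "pw", b"SECRET", 161)
    print(len(pkt), user_name_of(pkt), pkt.hex())
```

The four CJK characters occupy 12 bytes, so the User-Name AVP is 14 bytes long and the whole packet 52; the parser checks every attribute length against the packet Length field, which is the check a server must make before trusting anything an AVP says about itself.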
Re: Question on Radius logs
--On Tuesday, February 01, 2011 08:41:54 -0800 Brett Littrell blittr...@musd.org wrote: Hi All, Real quick and I am sure easy question here. I read through the unlang man page, really helped in getting a clue. One thing I was wondering though, is there a way to output text to the log based on a condition? What I mean is something like if x!=y then printf( x did not equal y). This would be for debugging and log review. Currently we use Cisco ACS, which with all it's limitations the one thing that is great about it is it's pass/fail logs. Our techs use them all the time to diagnose problems. If I could inject text strings into the logs when certain issues occur it would make it a lot easier to figure out scripts as well as make common issues easier for techs to troubleshoot. From what I can tell in the unlang man page it did not mention this, perhaps I missed it though. Hi Brett, It sounds like the linelog module may do what you need, in conjunction with unlang for the conditionals: https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog Regards, James -- James J J Hooper Network Specialist Information Services University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius 2.1.10 WARNING: Internal sanity check failed
On 13/01/2011 18:26, joanroldan wrote:
I'm sorry! Try to rewrite the e-mail to a human mode ; )
Hi, I am configuring a freeradius for a institution for eduroam purposes, using Fedora 13 and with freeradius 2.1.10. The only EAP type supported is EAP-TTLS/PAP. I attach the radius -X output: ...
So I have mainly two doubts: First, one why this warning happens and how to solve it. Second one, is it normal that EAP-TTLS does not begin?
Thanks in advance, Joan.

Hi Joan,
1) This happens because you have made big changes to the default config.
2) You have configured FreeRADIUS to proxy the request to somewhere else.

For eduroam, you usually need to configure it so that:
* If the realm is one of your organisation's, the request is not proxied, but handled by FR
* If the realm is blank or rubbish, the request can be immediately rejected.
* If the realm is valid, and not your own organisations, you should proxy the request to your national RADIUS servers.

I'd suggest going back to the default config. Read each file and get your TTLS/PAP working first, then add the proxying for other realms last.
See also: http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf
Regards, James
--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
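The three-way realm decision described in the reply (handle locally, reject outright, or proxy upstream) is easy to get wrong when the "rubbish" case is left to the proxy. Here is an added example of that decision as a small function, written for this page and not taken from FreeRADIUS or its realm configuration; the local realm names are constructed, and the "plausible realm" test (DNS-label syntax, at least two labels) is an assumption you would tune to your own policy.

```python
"""Realm-routing decision for an eduroam-style RADIUS server: local realms are
handled here, empty or malformed realms are rejected at once, and anything
else is proxied upstream.  Constructed example; the realm names are made up
and the syntax rules are an assumption (DNS-label rules, at least two labels)."""
import re
from typing import Set, Tuple

# One DNS label: 1-63 lowercase alphanumerics or hyphens, no edge hyphen.
DNS_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def realm_of(user_name: str) -> str:
    """Text after the last '@'; empty string when there is no '@' at all."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else ""


def realm_is_plausible(realm: str) -> bool:
    """Cheap syntactic check before spending a proxy round-trip on a request."""
    if not realm or len(realm) > 253:
        return False
    labels = realm.split(".")
    return len(labels) >= 2 and all(DNS_LABEL.match(label) for label in labels)


def route_request(user_name: str, local_realms: Set[str]) -> Tuple[str, str]:
    """Return ("local" | "reject" | "proxy", detail) for an outer User-Name."""
    realm = realm_of(user_name).lower()
    if not realm:
        return "reject", "no realm in User-Name"
    if realm in local_realms:
        return "local", realm
    if not realm_is_plausible(realm):
        return "reject", f"malformed realm {realm!r}"
    return "proxy", realm


LOCAL_REALMS = {"example.ac.uk", "students.example.ac.uk"}  # constructed

if __name__ == "__main__":
    for name in ("alice@example.ac.uk", "bob", "carol@", "dave@other.example",
                 "eve@bad realm", "frank@EXAMPLE.AC.UK"):
        print(f"{name:25} -> {route_request(name, LOCAL_REALMS)}")
```

Rejecting the blank and malformed cases locally keeps them off the national proxies and out of the upstream logs, which is the ordering the reply recommends; the realm comparison is case-insensitive because the outer identity is typed by users.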
SoH patch (was Re: Microsoft SoH Support)
On 11/10/2010 22:14, James J J Hooper wrote: On 11/10/2010 12:37, Phil Mayers wrote: On 09/10/10 15:01, Garber, Neal wrote: Thanks to a lot of work by Phil Mayers, the server now has support for Microsoft SoH in PEAP, normal RADIUS (MS VPN gateway), and in DHCP. Wow! That *must* have been a lot of work! Thank you Phil. Does this mean FreeRADIUS can now act as a Health Policy Server? Yes, though it's not 100%. Specifically the code can challenge clients for an SoH, and the client will submit it and FreeRadius decode it. There is not (yet) support for FreeRadius generating and emitting an SoHR, because I don't have a working example of such, and decoding the MS-SOH spec is REALLY REALLY hard without at least some working data to compare to the awful spec language! Hi Phil, Alan, http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx - Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are controlled by policy. Hi Guys, I've re-written the patch I originally forwarded to account for the third byte-first bit flag MS stuck in the middle of AU ClientStatusCode. As attached - still not pretty~~ -James diff --git a/src/main/soh.c b/src/main/soh.c index 9ea5698..e57a714 100644 --- a/src/main/soh.c +++ b/src/main/soh.c 
@@ -499,21 +499,23 @@ int soh_verify(REQUEST *request, VALUE_PAIR *sohvp, const uint8_t *data, unsigne case 3: /* auto updates */ s = auto-updates; - switch (hcstatus) { + /* The first bit of the second octet indicates if the case is by-policy (e.g. Group Policy) or not. + We ignore this bit in the switch, and then deal with it if necessary in each case */ + switch (hcstatus 0xfeff) { case 1: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn disabled by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 2: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=check-only by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 3: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=download by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 4: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s ok action=install by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 5: - snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured, s); + snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn unconfigured by-policy=%i, s, hcstatus 0x0100 ? 1 : 0); break; case 0xc0ff0003: snprintf(vp-vp_strvalue, sizeof(vp-vp_strvalue), %s warn service-down, s); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
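Review bot: the mask in `switch (hcstatus 0xfeff)` (the `&` appears to have been lost in mailing) also clears the upper 16 bits of hcstatus, so the later `case 0xc0ff0003:` (warn service-down) can never match again: `0xc0ff0003 & 0xfeff` is `0x0003`, which now falls into `case 3:` and reports "ok action=download". Mask only the by-policy bit, e.g. `switch (hcstatus & ~0x0100)`, and consider hoisting the repeated `hcstatus 0x0100 ? 1 : 0` into a local `by_policy` before the switch so each snprintf does not recompute it. The new comment says "first bit of the second octet" while the MS text quoted earlier in the thread says "last bit of the third byte"; since the code tests 0x0100 (bit 8), stating the bit number in the comment would remove the ambiguity.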
Re: Need help Configuring Radius and Ldap
Oh dear. A lot of the online info is out-of-date or plain wrong. If you've made a lot of changes, and you're not sure exactly what you've changed and why, my advice would be to start again from scratch. Restore the default configs, and use the following system:
1. Check the config into version control
2. Make ONE and ONLY ONE change
3. Test it
4. Goto step 1
One of the new DVCSes like git/bzr/hg are ideal for this.

The *first* change you want to make is adding a user to the users file
username	Cleartext-Password := password
Check that what you want to do works with that user. Then you can move onto LDAP.
Keeping a dump of the debug output at each step can be handy too - then you can compare them.
Hope this helps.

Phil,
Thank you very much the advice worked like a charm, and now I have everything up and running again...
- james
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help Configuring Radius and Ldap
...there was no userPassword (or it wasn't readable)

I think I have a problem with Ldap reading the password correctly. If i have read correctly, it needs a clear text password

Secondly, the debug output you posted returns an Access-Accept because, although the LDAP module was unable to see a userPassword attribute on the LDAP entry, a later module sets the Auth-Type to ntlm_auth and your server then obeys that.

I shall comment this line out, and try it out today

This is all a non-standard config, so *someone* has configured the server - was it you?

I have been working on configuring the server for a little bit now. I tried following several different online manuals before I consulted the group.

The remote device also told me that the authentication was invalid. I

Well, FreeRadius sent an Access-Accept. What is the remote device? If you hadn't trimmed the debugging output I might be able to suggest more.

The radius server would tell me Access-Accept, but then my remote device would not let me login. The current remote device is a hp pro-curve 5412.

was able to successfully authenticate on this device by using the local users file(on the radius server).

So compare the reply in that case with the reply in this case, and configure the radius server to send the same attributes.

Will try this today, thank you very much for the informative advice.
- james
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help Configuring Radius and Ldap
The above log doesn't look like authentication; rather it's authorization. If you want your LDAP module instance to authenticate, too, call it from the 'authenticate' section? I do include ldap in my authenticate section of sites-enabled/default, do i need to include any other lines in this area? - james - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Need help Configuring Radius and Ldap
My apologies beforehand if this is an easy fix, but I have been working on configuring a radius server on and off now for a few weeks. As a note, I have Radius 2.1.10 installed and I am trying to authenticate using LDAP as the user database. I have little to no experience in both Radius and LDAP, but I have been reading up and looking for documents that explain the process well. The majority of documents that I did find were on an older version of radius, or were not pertinent to my situation.

The following is a copy of my screen when I try authenticating a remote device to the radius server; please let me know if this helps (or if you would like more information on my config).

Thanks in advance,

- James

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 58
++[files] returns ok
[ldap] performing user authorization for jwn6657
[ldap] expand: (samaccountname=%{User-Name}) - (samaccountname=jwn6657)
[ldap] expand: cn=Users,dc=ds,dc=saintjoe,dc=edu - cn=Users,dc=ds,dc=saintjoe,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group ntlm_auth {...}
[2010/12/03 10:14:58.799575, 1] param/loadparm.c:6494(map_parameter)
Unknown parameter encountered: idmap domains
[2010/12/03 10:14:58.799645, 0] param/loadparm.c:7588(lp_do_parameter)
Ignoring unknown parameter idmap domains
[2010/12/03 10:14:58.799870, 1] param/loadparm.c:6494(map_parameter)
Unknown parameter encountered: master browser
[2010/12/03 10:14:58.799883, 0] param/loadparm.c:7588(lp_do_parameter)
Ignoring unknown parameter master browser
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 186 with timestamp +452
Ready to process requests.
Re: Need help Configuring Radius and Ldap
On Dec 3, 2010, at 10:52 AM, Phil Mayers wrote:

> You haven't said what your problem is

Sorry! My server tells me that LDAP did not find a correct matchup, but then returns true.

[ldap] performing search in cn=Users,dc=ds,dc=saintjoe,dc=edu, with filter (samaccountname=jwn6657)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user jwn6657 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

It also then continues to search through other forms of authentication, and then it seems to return false to the remote device if any of these are false. The remote device also told me that the authentication was invalid. I was able to successfully authenticate on this device by using the local users file (on the radius server).

> The radius server is authenticating the user successfully:
>
> Sending Access-Accept of id 186 to 131.93.254.2 port 4844
> Finished request 3.
> Going to the next request
>
> ...so what's the problem?
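Two pieces of advice in this thread lend themselves to a small tool: Phil's suggestion to keep a dump of the debug output at each step so runs can be compared, and his point that the server's decision here came from the module that set Auth-Type, so the LDAP warning about a missing password is not what decided the outcome, while the reply the working users-file run sends is what should be compared with the LDAP run. The Python script below is an added example for this thread, not code from the list or from the FreeRADIUS project. It parses the kind of `radiusd -X` output James posted (FreeRADIUS 2.x format: `+- entering group`, `++[module] returns rc`, `Found Auth-Type`, and reply attributes printed indented under the `Sending ...` line), summarises which group actually authenticated the user and what the reply carried, and lists the attributes one reply has that the other lacks. Both embedded dumps are constructed and abridged; the second, users-file run and its `Service-Type = Administrative-User` attribute are an assumption for illustration, not something taken from the thread.

```python
"""Summarise and compare FreeRADIUS 2.x 'radiusd -X' debug dumps.

Added example for this thread; not FreeRADIUS project code. Assumes one
request per dump and the 2.x line formats named in the regexes below.
"""
import re
from typing import Dict, List

# Constructed sample, abridged from the LDAP run posted in the thread.
LDAP_RUN = """\
+- entering group authorize {...}
++[preprocess] returns ok
[files] users: Matched entry DEFAULT at line 58
++[files] returns ok
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
++[ldap] returns ok
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group ntlm_auth {...}
++[ntlm_auth] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 186 to 131.93.254.2 port 4844
Finished request 3.
"""

# Constructed sample of a users-file run. The Service-Type reply attribute
# is an assumption for illustration, not something taken from the thread.
USERS_RUN = """\
+- entering group authorize {...}
++[preprocess] returns ok
[files] users: Matched entry jwn6657 at line 1
++[files] returns ok
Found Auth-Type = PAP
+- entering group PAP {...}
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 187 to 131.93.254.2 port 4844
\tService-Type = Administrative-User
Finished request 4.
"""

GROUP = re.compile(r"^\+- entering group (\S+)")
MODULE = re.compile(r"^\+\+\[([^\]]+)\] returns (\w+)")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)")
REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")   # indented 'Name = value' lines


def parse_debug(text: str) -> Dict:
    """Extract the decision trail of one request from a debug dump."""
    summary: Dict = {"groups": [], "modules": [], "warnings": [],
                     "auth_type": None, "reply": None, "reply_attrs": {}}
    group = None
    in_reply = False   # True while reading attribute lines after 'Sending ...'
    for line in text.splitlines():
        if in_reply:
            m = ATTR.match(line)
            if m:
                summary["reply_attrs"][m.group(1)] = m.group(2)
                continue
            in_reply = False   # first non-attribute line ends the reply listing
        if (m := GROUP.match(line)):
            group = m.group(1)
            summary["groups"].append(group)
        elif (m := MODULE.match(line)):
            summary["modules"].append((group, m.group(1), m.group(2)))
        elif (m := AUTH_TYPE.match(line)):
            summary["auth_type"] = m.group(1)
        elif (m := REPLY.match(line)):
            summary["reply"] = (m.group(1), int(m.group(2)), m.group(3))
            in_reply = True
        elif "WARNING" in line:
            summary["warnings"].append(line.strip())
    return summary


def explain(summary: Dict) -> List[str]:
    """Turn a parsed dump into the observations a reviewer would make."""
    notes = []
    auth = summary["auth_type"]
    if auth:
        ran = [mod for grp, mod, _ in summary["modules"] if grp == auth]
        notes.append(f"Auth-Type {auth} was found, so group '{auth}' "
                     f"({', '.join(ran) or 'no modules logged'}) decided authentication, "
                     "not the authorize-time modules that warned about a missing password.")
    if summary["reply"]:
        code, pkt_id, dst = summary["reply"]
        attrs = summary["reply_attrs"]
        notes.append(f"Sent {code} (id {pkt_id}) to {dst} with reply attributes: "
                     f"{sorted(attrs) or 'none'}")
        if code == "Access-Accept" and not attrs:
            notes.append("The Accept carried no attributes; a NAS that expects specific "
                         "reply attributes before granting a login may still refuse it.")
    return notes


def compare_replies(working: Dict, broken: Dict) -> Dict:
    """What the working run's reply has that the broken run's reply lacks."""
    w, b = working["reply_attrs"], broken["reply_attrs"]
    return {
        "codes": (working["reply"][0] if working["reply"] else None,
                  broken["reply"][0] if broken["reply"] else None),
        "missing": {k: v for k, v in w.items() if k not in b},
        "different": {k: (v, b[k]) for k, v in w.items() if k in b and b[k] != v},
    }


if __name__ == "__main__":
    ldap, users = parse_debug(LDAP_RUN), parse_debug(USERS_RUN)
    for note in explain(ldap):
        print("-", note)
    print("users-file reply vs LDAP reply:", compare_replies(users, ldap))
```

In practice you would save `radiusd -X` output from each run to a file (one per change, per Phil's one-change-at-a-time loop), feed both files to `parse_debug`, and act on the `missing` and `different` dictionaries by adding the corresponding reply items to the LDAP path so the NAS receives the same attributes it gets from the users-file entry.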
RE:
You need to be more specific with your questions. The config files have examples on your question as well.

From: freeradius-users-bounces+midnightsteel=msn@lists.freeradius.org [mailto:freeradius-users-bounces+midnightsteel=msn@lists.freeradius.org] On Behalf Of Zoet Omar Zepeda
Sent: Monday, November 22, 2010 11:07 PM
To: freeradius-users@lists.freeradius.org
Subject: How to register a user in freeradius?