Re: EAP logging
On 28 Aug 2013, at 23:39, Andrej andrej.gro...@gmail.com wrote:

> I would like f_ticks to write out a single line into syslog that contains the inner and outer identity of an authentication request, the station ID and MAC address. In case of a successful authentication or rejection I'd like to have the inner identity and a status on a line,

We do this by using lots of custom linelog instances. In linelog.conf (just a few examples):

    linelog acceptlog {
        filename = /var/log/radius/auth-%D.log
        format = "%S (%l) id %I ACCEPT %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type %{control:Auth-Type}/%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}-}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{UCam-AP-Name}:--}' essid '%{%{UCam-Essid-Name}:--}' = %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
    }

    linelog inner-acceptlog {
        filename = /var/log/radius/auth-%D.log
        format = "%S (%l) id %I INNER-TUNNEL ACCEPT %{User-Name} (station %{%{outer.request:Calling-Station-Id}:--}) outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type}/%{control:Auth-Type} realm %{%{Realm}:--} nas %{%{outer.request:NAS-IP-Address}:-%{%{outer.request:NAS-IPv6-Address}:--}}/%{%{outer.request:NAS-Port}:--} (operator %{%{outer.request:Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{outer.request:UCam-AP-Name}:--}' essid '%{%{outer.request:UCam-Essid-Name}:--}' = %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
    }

    linelog proxy-replylog {
        filename = /var/log/radius/auth-%D.log
        format = "%S (%l) id %I PROXY REPLY %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type /%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}-}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) proxy %{%{proxy-reply:Packet-Src-IP-Address}:-%{%{proxy-reply:Packet-Src-IPv6-Address}:--}} proxy-reply-type %{proxy-reply:Packet-Type} proxy-reply-msg '%{proxy-reply:Reply-Message}' = %{%{proxy-reply:User-Name}:--}"
    }

We call them as follows:

    [default]
    post-proxy {
        ...
        proxy-replylog
        ...
    }
    post-auth {
        ...
        acceptlog
        ...
    }

    [inner-tunnel]
    post-auth {
        ...
        inner-acceptlog
        ...
    }

There are some references to %{UCam-AP-Name} and things in there -- we set these with things like:

    if ("%{Aruba-Location-Id}") {
        update request {
            UCam-AP-Name := "%{Aruba-Location-Id}"
            UCam-Essid-Name := "%{Aruba-Essid-Name}"
        }
    }

... they let us not refer to the direct Aruba attributes and would allow us to more easily add another wireless system (we used to have Cisco but migrated away) - if we had to move again, we don't have lots of Cisco-specific bits all over the place. Note that the attributes are defined in 'dictionary'.

The above stuff will give lines like:

    2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rc...@cam.ac.uk (station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 (erri...@lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' = rcf34 reply-msg '[cam.ac.uk] Successful authentication ACCEPT'

[example from inner-acceptlog.]

Hope this helps,

- Bob

--
Bob Franklin rc...@cam.ac.uk +44 1223 748479
Network Division, University of Cambridge Computing Service

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-Peap-MSchapv2 proxy from innertunnel
I'm trying to do a proxy from the inner-tunnel over to another radius server. The primary reason for this is that we need to strip off the realm before passing to the proxy.

I'm getting an EAP error response from the other server about it not liking the id number:

    Supplicant sent unmatched EAP response packet identifier

(This is an EAP-PEAP-MSCHAPv2 scenario.) The eap.conf file is configured with:

    proxy_tunneled_request_as_eap = yes

I've included a TCP dump of the main freeradius server below.

    WC        -- Wireless controller
    FR-2.10   -- Freeradius server
    ISE-proxy -- The server FR-2.10 is sending proxy requests to

It does appear that FR-2.10 is beginning a conversation with ISE-proxy and id: 0xde. It seems that ISE-proxy responds ok, but then the next message from FR-2.10 to ISE-proxy has id: 0xa8, but I'm thinking that ISE-proxy is expecting 0xdf?

I'll admit I'm still pretty confused about much of the EAP stuff, but maybe I'm missing something simple in the config? Any ideas would be greatly appreciated.

Thanks,
Robert

    07:03:51.286831 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x82 length: 227
    07:03:51.287639 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x82 length: 64
    07:03:51.289921 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x83 length: 354
    07:03:51.300931 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x83 length: 1090
    07:03:51.304143 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x84 length: 238
    07:03:51.304640 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x84 length: 1086
    07:03:51.307583 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x85 length: 238
    07:03:51.314568 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x85 length: 1086
    07:03:51.317658 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x86 length: 238
    07:03:51.324409 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x86 length: 923
    07:03:51.335322 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x87 length: 440
    07:03:51.337658 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x87 length: 123
    07:03:51.339867 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x88 length: 238
    07:03:51.344424 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x88 length: 101
    07:03:51.346564 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x89 length: 328
    --- Begin proxy ?
    07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
    07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132
    07:03:51.372108 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x89 length: 101
    07:03:51.374137 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x8a length: 312
    07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
    07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49
    07:03:52.387589 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x8a length: 101
    --End proxy
RE: EAP-Peap-MSchapv2 proxy from innertunnel
I guess I assumed the id: in the TCP dump below was the EAP Response Identifier, maybe not? Is there a different EAP response identifier?

I actually have been running with debug radius -X. Obviously a lot longer output than just the TCP dump. That is why I first tried just the TCP dump. I guess I was also hoping somebody might have just had a thought about a common configuration issue...

I just went back to run another test and the proxy server now seems to be down. This server is run by our network group and I don't know when it might be back. As soon as it comes back, I will run and capture the debug and see if I can see the EAP-Message AVPs. I will also post the debug.

Thanks,
Robert

    07:03:51.354527 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xde length: 246
    07:03:51.371848 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xde length: 132
    07:03:51.384449 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xa8 length: 306
    07:03:51.386386 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0xa8 length: 49

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Martin Kraus [lists...@wujiman.net]
Sent: Thursday, August 29, 2013 8:11 AM
To: FreeRadius users mailing list
Subject: Re: EAP-Peap-MSchapv2 proxy from innertunnel

On Thu, Aug 29, 2013 at 01:35:25PM +0000, Robert Roll wrote:
> I'm getting an EAP error response from the other server about it not liking the id number
>
>     Supplicant sent unmatched EAP response packet identifier

EAP Response identifier sent by the client has to match EAP Request identifier sent by the server which would be ISE. can you see the EAP-Message AVPs sent and received by freeradius? identifier is the second byte.

mk
RE: EAP-Peap-MSchapv2 proxy from innertunnel
Ok, below is the TCP dump. I have attached the Freeradius debug output beginning near the start of the proxy.

    WC        -- the wireless controller (155.99.193.24)
    FR-2.10   -- Freeradius 2.10 (155.97.182.175)
    ISE-proxy -- ISE proxy server (155.97.185.76)

Again, any help would be much appreciated.

Thanks,
Robert

    09:31:25.451223 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x72 length: 229
    09:31:25.452467 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x72 length: 64
    09:31:25.454469 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x73 length: 355
    09:31:25.461847 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x73 length: 1090
    09:31:25.465436 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x74 length: 239
    09:31:25.465779 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x74 length: 1086
    09:31:25.469322 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x75 length: 239
    09:31:25.469644 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x75 length: 1086
    09:31:25.472928 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x76 length: 239
    09:31:25.473199 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x76 length: 923
    09:31:25.482815 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x77 length: 441
    09:31:25.485315 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x77 length: 123
    09:31:25.488059 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x78 length: 239
    09:31:25.488362 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x78 length: 101
    09:31:25.490724 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x79 length: 329
    --Begin Proxy
    09:31:25.491570 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0xd8 length: 242
    09:31:25.497310 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Challenge (11), id: 0xd8 length: 128
    09:31:25.497504 IP FR-2.10.radius > WC.32769: RADIUS, Access Challenge (11), id: 0x79 length: 101
    09:31:25.499645 IP WC.32769 > FR-2.10.radius: RADIUS, Access Request (1), id: 0x7a length: 313
    09:31:25.500528 IP FR-2.10.1814 > ISE-proxy.radius: RADIUS, Access Request (1), id: 0x47 length: 300
    09:31:25.502871 IP ISE-proxy.radius > FR-2.10.1814: RADIUS, Access Reject (3), id: 0x47 length: 49
    09:31:26.504148 IP FR-2.10.radius > WC.32769: RADIUS, Access Reject (3), id: 0x7a length: 101

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, August 29, 2013 7:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-Peap-MSchapv2 proxy from innertunnel

On 29/08/13 14:35, Robert Roll wrote:
> I'm trying to do a proxy from the inner-tunnel over to another radius server. The primary reason for this is that we need to strip off the realm before passing to the proxy.
>
> I'm getting an EAP error response from the other server about it not liking the id number
>
>     Supplicant sent unmatched EAP response packet identifier
>
> (This is an EAP-PEAP-MSCHAPv2 scenario.) The eap.conf file is configured with:
>
>     proxy_tunneled_request_as_eap = yes
>
> I've included a TCP dump of the main freeradius server below

But not a debug gathered with radiusd -X which is the only thing anyone ever wants to see.
RE: EAP-Peap-MSchapv2 proxy from innertunnel
Ok, I've tried this with 2.2 and still get the same behavior. If I actually look at the proxy-inner-tunnel I see the following for post-proxy:

    post-proxy {
        #
        #  This is necessary for LEAP, or if you set:
        #
        #  proxy_tunneled_request_as_eap = no
        #
        eap
    }

I see that eap needs be invoked if using proxy_tunneled_request_as_eap = no. Does it actually need to NOT be there for proxy_tunneled_request_as_eap = no?

I should say I'm actually NOT using the proxy-inner-tunnel server, but rather the default inner-tunnel with:

    #  If you want the inner tunnel request to be proxied, delete
    #  the next few lines.
    #
    #  update control {
    #      Proxy-To-Realm := LOCAL
    #  }

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Thursday, August 29, 2013 9:38 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-Peap-MSchapv2 proxy from innertunnel

On 29/08/13 15:56, Robert Roll wrote:
> I guess I assumed the id: in the TCP dump below was the EAP Response Identifier, maybe not? Is there a different EAP response identifier?

Yes, in the EAP-Message attribute (EAP packet)

> I actually have been running with debug radius -X. Obviously a lot longer output than just the TCP dump. That is why I first tried just the TCP dump. I guess I was also hoping somebody might have just had a thought about a common configuration issue...

TBH proxying EAP inner is not common at all; there have been bugs in that area in the past.

Re-reading I notice that you're running 2.10 - upgrade. I'm pretty certain that version has inner-eap proxy bugs. Go to 2.2.0.
AW: AW: AW: Override EAP invalid result in authentication section
Hi!

I need to send devices with expired or revoked certificates to a remediation vlan, but my reject vlan is for guest access. Both checks happen at the end of the EAP process where the switch expects a reject or accept packet. I need now to change the reject for the expired to an accept. Setting the vlan for the switch is no problem, I do that already, I just need an accept. ;-)

I hope it's clear what I want/need. ;-)

Robert

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, 4 June 2013 11:37
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: AW: Override EAP invalid result in authentication section

On 04/06/13 08:55, PENZ Robert wrote:
> Hi Phil!
> do you need something additional from me?

I'm not really sure what the question is. You've setup FreeRADIUS to reject certain certificates, using the verify callout config option. If you don't want to reject those certs, change the callout to permit them, and instead return the sandbox VLAN.
AW: Override EAP invalid result in authentication section
Hi!

> That doesn't work. You MUST return an EAP-Message attribute in the reply. Just sending an Access-Accept means that the NAS will *ignore* it, and close the connection.

I've removed the Auth-Type := Accept lines and keep the ok line. So it looks this way:

    # EAP didn't work
    if (EAP-Type == NAK) {
        update control {
            MACAU-Reason := "unsupported EAP typ -- Client misconfiguration"
        }
    } else {
        update control {
            MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
        }
    }
    ok

which leads to this:

    Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == NAK)
    Tue May 28 09:49:44 2013 : Info: ? Evaluating (EAP-Type == NAK) -> FALSE
    Tue May 28 09:49:44 2013 : Info: +++? if (EAP-Type == NAK) -> FALSE
    Tue May 28 09:49:44 2013 : Info: +++- entering else else {...}
    Tue May 28 09:49:44 2013 : Info: [control] returns invalid
    Tue May 28 09:49:44 2013 : Info: +++- else else returns invalid
    Tue May 28 09:49:44 2013 : Info: ++- else else returns invalid
    Tue May 28 09:49:44 2013 : Info: Failed to authenticate the user.
    Tue May 28 09:49:44 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host//<via Auth-Type = EAP>] (from client xxx port 1015 cli )
    Tue May 28 09:49:44 2013 : Info: Using Post-Auth-Type Reject
    Tue May 28 09:49:44 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default

> And this kind of thing is generally not recommended, because the server isn't really designed to fail authentication, and then force a success. You should instead do as little as possible in the authenticate section. Just change the return code to ok. Then do any policy setting (VLAN, etc.) in post-auth.

But I can't change a Reject to Accept in Post-Auth .. at least that's what I read. Can you show me what I should do? I don't need to change VLANs .. just need an accept, the VLAN is already correct (set in authorize already as it's the same as for MAC authentication)

Robert
Override EAP invalid result in authentication section
Hi!

I want to configure Freeradius (freeradius-2.1.12-4.el6_3) to authenticate failed EAP-TLS requests (from authorized MACs) to a remediation VLAN and not reject them to the guest VLAN. My config looks like this:

    authorize {
        # we don't know the MAC, reject it to the guest net
        if (!ok) {
            update control {
                MACAU-Reason := "MAC address not in DB"
            }
            reject
        }
        # if not 802.1x it's only MAC auth
        if (!EAP-Message) {
            # mac has already been checked, accept (it gets into the remediation VLAN)
            update control {
                Auth-Type := Accept
                MACAU-Reason := "only MAC, no 802.1x"
            }
        } else {
            # we're in the 802.1x path, continued in the authenticate section
            eap
        }
    }

    authenticate {
        Auth-Type EAP {
            eap {
                handled = 1
                invalid = 1
            }
            if (ok) {
                # update VLAN to production client network
                # this part works perfectly
            } else {
                # EAP didn't work
                if (EAP-Type == NAK) {
                    update control {
                        MACAU-Reason := "unsupported EAP typ -- Client misconfiguration"
                        Auth-Type := Accept
                    }
                } else {
                    update control {
                        MACAU-Reason := "certificate invalid (e.g. revoked/expired)"
                        Auth-Type := Accept
                    }
                }
                ok    <-- does not work
            }
        }
    }

I just need an accept here, the VLAN which will be returned is already the remediation VLAN (as it is the same as if the client uses only MAC authentication). Currently the client gets rejected if e.g. the certificate is expired as the client has not been in the network for some time. MACAU-Reason is logged to the DB in post-auth.

This is the log:

    Mon May 27 15:17:55 2013 : Info: [tls] eaptls_process returned 4
    Mon May 27 15:17:55 2013 : Info: [eap] Handler failed in EAP/tls
    Mon May 27 15:17:55 2013 : Info: [eap] Failed in EAP select
    Mon May 27 15:17:55 2013 : Info: ++[eap] returns invalid
    Mon May 27 15:17:55 2013 : Info: ++? if (ok)
    Mon May 27 15:17:55 2013 : Info: ? Evaluating (ok) -> FALSE
    Mon May 27 15:17:55 2013 : Info: ++? if (ok) -> FALSE
    Mon May 27 15:17:55 2013 : Info: ++- entering else else {...}
    Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == NAK)
    Mon May 27 15:17:55 2013 : Info: ? Evaluating (EAP-Type == NAK) -> FALSE
    Mon May 27 15:17:55 2013 : Info: +++? if (EAP-Type == NAK) -> FALSE
    Mon May 27 15:17:55 2013 : Info: +++- entering else else {...}
    Mon May 27 15:17:55 2013 : Info: [control] returns invalid
    Mon May 27 15:17:55 2013 : Info: +++- else else returns invalid
    Mon May 27 15:17:55 2013 : Info: ++- else else returns invalid
    Mon May 27 15:17:55 2013 : Info: Failed to authenticate the user.
    Mon May 27 15:17:55 2013 : Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [host/x/<via Auth-Type = Accept>] (from client port cli xxx)
    Mon May 27 15:17:55 2013 : Info: Using Post-Auth-Type Reject

I hope someone can help me. Thx!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 74 3355
E-Mail: robert.p...@tirol.gv.at
RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Thank you! The configuration in the link works. The key is setting fragment_size correctly.

But I am confused about the two methods: Is EAP PEAP/TLS = EAP PEAP/EAP-TLS? Or are they two different methods?

-----Original Message-----
From: freeradius-users-bounces+robert_chen=favite@lists.freeradius.org [mailto:freeradius-users-bounces+robert_chen=favite@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Monday, May 20, 2013 5:51 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 09:02, Robert wrote:
> Hi
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods :

See here: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/
Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?
Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods:

- EAP PEAP/TLS
- EAP PEAP/EAP-TLS ?

The client I use is wpa_supplicant v0.6.9.

Regards,
Robert
AW: AW: AW: EAP-TLS Failed in handler question
Hi!

Phil, thx again for your help - according to Extreme the bug has been fixed in summitX-15.2.2.7-patch1-2:

    PD4-3163943281  802.1x re-authentication fails when EAP ID reaches 255.

This version fixes also a bug we reported which is related to 802.1x:

    PD4-3271740739  While using Dot1x and MAC-based netlogin on the same port, the MAC reauthentication timer should stop after the client is authenticated with dot1x credentials.

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert
Sent: Tuesday, 11 December 2012 16:30
To: FreeRadius users mailing list
Subject: AW: AW: AW: EAP-TLS Failed in handler question

Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
AW: AW: AW: EAP-TLS Failed in handler question
Hi!

Phil, Really BIG THANKS for your help! I'll talk to Extreme Networks.

Robert
RE: AW: AW: EAP-TLS Failed in handler question
@PhilMayers: Did you get the Mail with the full logfile? do you need more?

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at

From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert [robert.p...@tirol.gv.at]
Sent: Wednesday, December 05, 2012 8:32 AM
To: FreeRadius users mailing list
Subject: AW: AW: AW: EAP-TLS Failed in handler question

>> There is no other packet between this two and only 5 seconds, server has not been restarted.
>
> Weird. But we need the *full* debug please!

some special option or the full log file? The second I send you in a private mail.

Robert
AW: AW: EAP-TLS Failed in handler question
Hi!

I was still not able to get a trace on the client site, but I believe these debug log entries should help. This time I got the start packet and it is within some seconds that I get the 2nd packet to the radius server and the State variable seems to be the same.

    Ready to process requests.
    rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=11, length=152
            User-Name = "host/x.local"
            EAP-Message = 0x02ff002101686f73742f4456542d303039363832322e7469726f6c2e6c6f63616c
            NAS-IP-Address = 10.xx.xx.5
            Service-Type = Login-User
            Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
            NAS-Port-Id = "1:29"
            NAS-Port = 1029
            NAS-Port-Type = Ethernet
            Message-Authenticator = 0xd080844ef3e47a9bc21e8c848b5a8548
    ..
    [eap] EAP packet type response id 255 length 33
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    ++- else else returns updated
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group EAP {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Requiring client certificate
    [tls] Initiate
    [tls] Start returned 1
    ..
    Sending Access-Challenge of id 11 to 10.xx.xx.5 port 54217
            EAP-Message = 0x01060d20
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0x642534cc642539e20b4be1e3ae0328c0
    Finished request 62603.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 10.xx.xx.5 port 54217, id=12, length=242
            User-Name = "host/x.tirol.local"
            EAP-Message = 0x02ff00690d800000005f160301005a010000560301 50bd9377fb696c9f5eaedc568220f9aa35ab65930cf2232f4131c054b0562954000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
            NAS-IP-Address = 10.xx.xx.5
            Service-Type = Login-User
            Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
            NAS-Port-Id = "1:29"
            NAS-Port = 1029
            NAS-Port-Type = Ethernet
            State = 0x642534cc642539e20b4be1e3ae0328c0
            Message-Authenticator = 0xeada93f9da1ca47a6f0325e8ad0414a9
    ...
    [eap] EAP packet type response id 255 length 105
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    +++[eap] returns updated
    ++- else else returns updated
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group EAP {...}
    rlm_eap: No EAP session matching the State variable.
    [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
    [eap] Failed in handler
    ++[eap] returns invalid

There is no other packet between this two and only 5 seconds, server has not been restarted.

Robert

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert
Sent: Tuesday, 27 November 2012 17:38
To: FreeRadius users mailing list
Subject: AW: AW: EAP-TLS Failed in handler question

>> With first packet I meant first packet the radius server saw in some time ... the switch forces a reauthentification every 2h
>
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet would not have a State attribute, absent software bugs.

ok

> It *could* be that the client just got stuck and is responding (very) late. But I'm quite surprised the NAS didn't timeout the EAP auth before that.
>
>> We're running Extreme Networks Switches with following timers set:
>>
>>     configure netlogin dot1x timers quiet-period 30
>>     configure netlogin dot1x timers reauth-period 7200
>
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I haven't seen this issue. We've never widely deployed it, however, so it's possible there's an XOS bug where a small percentage of re-auths erroneously re-use the State. You'd need to get a packet capture to be sure.

ok ... will try to get one .. is not easy ...

>> but reject means the switch sets the port to the guest vlan, and therefor the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear. Suggestion: fire up wireshark, and take a careful look at a normal EAP authentication. You'll see that the first packet is an EAP-Identity without a State attribute, which the server responds to with an Access-Challenge containing the default eap type start payload, and a State attribute.
>
> Are you *absolutely sure* that these packets are really the first RADIUS packet in the auth/re-auth?

will check again and get back to you

> If you're sure, your problem seems to be that the correct first packet isn't being sent; the switch is just jumping straight in with the EAP payload *and* a State attribute
AW: AW: AW: EAP-TLS Failed in handler question
>> There is no other packet between this two and only 5 seconds, server has not been restarted.
>
> Weird. But we need the *full* debug please!

some special option or the full log file? The second I send you in a private mail.

Robert
AW: AW: EAP-TLS Failed in handler question
>> With first packet I meant first packet the radius server saw in some time ... the switch forces a reauthentification every 2h
>
> A re-auth is a fresh EAP session. So even on a re-auth, the first packet would not have a State attribute, absent software bugs.

ok

> It *could* be that the client just got stuck and is responding (very) late. But I'm quite surprised the NAS didn't timeout the EAP auth before that.
>
>> We're running Extreme Networks Switches with following timers set:
>>
>>     configure netlogin dot1x timers quiet-period 30
>>     configure netlogin dot1x timers reauth-period 7200
>
> We run SummitX edge, and when I've tested dot1x netlogin in the past, I haven't seen this issue. We've never widely deployed it, however, so it's possible there's an XOS bug where a small percentage of re-auths erroneously re-use the State. You'd need to get a packet capture to be sure.

ok ... will try to get one .. is not easy ...

>> but reject means the switch sets the port to the guest vlan, and therefor the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?
>
> You're not understanding, or I'm not making myself clear. Suggestion: fire up wireshark, and take a careful look at a normal EAP authentication. You'll see that the first packet is an EAP-Identity without a State attribute, which the server responds to with an Access-Challenge containing the default eap type start payload, and a State attribute.
>
> Are you *absolutely sure* that these packets are really the first RADIUS packet in the auth/re-auth?

will check again and get back to you

> If you're sure, your problem seems to be that the correct first packet isn't being sent; the switch is just jumping straight in with the EAP payload *and* a State attribute. I am curious to know where it's getting that State attribute.
>
> The server source code assumes that a State attribute will be valid. There's no setting to just accept it.
>
> Interestingly, I see the RADIUS RFC does actually allow clients to send a previous State if you send an Access-Accept with:
>
>     Termination-Action = RADIUS-request
>
> You're not doing that, are you?

no, I'm not

> No. As above, re-auths start new EAP sessions. You would only reject any EAP sessions that were in the *middle* of performing an auth, as the state would be lost across restarts. But this is a very narrow window.

so I would be best to set iptables to drop requests for 1min, then restart the radius and remove the iptables rules? or can I set freeradius in a mode where it does not accept new sessions? and after 2 minutes I restart it? So that the switch is forced onto the other switch. or what is the best practice to never have false rejects?
AW: EAP-TLS Failed in handler question
Hi!

first thx for your response.

>> My first question is, how can I decode an EAP-Message from the debug log to check if the request is itself ok.
>
> Wireshark, or read the EAP RFC and decode it manually (see below)

ok, I'll believe i got lucky and got a tcpdump trace on a client yesterday ... need to check it and if it is the same problem I'll provide more info.

>> Here is first packet from
>
> No, this is *not* the first packet, because it has a State attribute, which is only present in 2nd and subsequent packets of the EAP exchange.

With first packet I meant first packet the radius server saw in some time ... the switch forces a re-authentication every 2h

> The reason you're getting the error message is that the State attribute is unknown, so FR can't proceed with the EAP session and has no choice but to drop it.
>
> Check you haven't reduced the timer_expire value in eap.conf to a too-low value.

        # A list is maintained to correlate EAP-Response
        # packets with EAP-Request packets.  After a
        # configurable length of time, entries in the list
        # expire, and are deleted.
        #
        timer_expire = 120

default was 60 .. I doubled it some weeks ago, as I saw No EAP session matching the State variable entries in the log.

> How many FR servers do you have serving this NAS? Is it possible the NAS is sending packets in a round-robin fashion (which is bad) which is why you're seeing a packet for which you don't have State?

In this case it is only one .. we're running in pre-production with the IT department clients (about 100 clients) to make sure it is stable before rollout. But in production it will be more than one ... good point, we need to check that too, before going into production.

> I guess it's possible something is mangling the State attribute from the previous packet (which is *actually* the first packet). Otherwise, the client or NAS is doing something odd.
>
> It *could* be that the client just got stuck and is responding (very) late.
> But I'm quite surprised the NAS didn't timeout the EAP auth before that.

We're running Extreme Networks Switches with following timers set:

configure netlogin dot1x timers quiet-period 30
configure netlogin dot1x timers reauth-period 7200

following other timers are set to the default values:

  server-timeout      Configure RADIUS server timeout for 802.1X
  supp-resp-timeout   Configure supplicant response timeout

>> rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
>>         User-Name = host/x.tirol.local
>>         EAP-Message = 0x02ff00690d80005f160301005a01
>
> Ok so this says:
>
> 02 - eap response
> ff - eap ID 255 - bit odd..
> 0069 - length in hex
> 0d - eap type 13 (EAP-TLS)
> 80 - eap TLS flags = length included
> 005f - tls length
> 160301 - TLS packet 0x16==22==handshake record, version 3,1 (TLS 1.0)
> 005a - record length
> 01 - handshake=client hello

cool !!

> etc. etc.
>
> So, it's the start of an EAP-TLS exchange, but as above, it's *not* the first packet. If you start a tcpdump on the server, you'll see how this works:
>
> C: Access-Request, no state, EAP-Identity=abc
> S: Access-Challenge, state=, EAP-TLS blah
> C: Access-Request, state=, EAP-TLS blah

ok

> i.e. the NAS has to reflect the State back to FreeRADIUS on each packet. Something is interfering with that, or erasing the State at your end (a timer or restart).
>
>> rlm_eap: No EAP session matching the State variable
>
> See?

But I didn't see a reason for it ;-)

>> Invalid means I return a reject ... should I return something else?
>
> No.

but reject means the switch sets the port to the guest vlan, and therefore the PC loses the connections ... is there a way to request a new full eap/tls handshake from the client?

>> Is this a client problem or a misconfiguration on my part?
>
> It's probably a client or NAS problem, unless you've set timer_expire too low.
>
> However: I guess this could also happen right after the server is restarted. Could that be it - is a cron job restarting it maybe?

no the server is running for 10 days but if I would restart the server I would reject all clients to the guest vlan on re-authentication after that ... that can't be the designed way.

Robert
EAP-TLS Failed in handler question
Hi!

I've 802.1x (EAP-TLS) on a wired network activated, and it works 99% of the time ... just some authentications fail, but some minutes later the same client authenticates without a problem. As it happens only once every few days and always with a new client I cannot put a sniffer between the PC and switch, as I don't know which client is the next. But I enabled the debug logging on the freeradius server. The Clients are Windows 7 PCs and I'm running freeradius2-2.1.12-3.el5 on RHEL5.

My first question is, how can I decode an EAP-Message from the debug log to check if the request is itself ok. Here is the first packet from this client in some time, and it already generates the error. But the same client worked before and after it for days without a problem:

rad_recv: Access-Request packet from host 10.xxx.xxx.4 port 44519, id=151, length=244
        User-Name = host/x.tirol.local
        EAP-Message = 0x02ff00690d80005f160301005a0156030150a6115ee4ca2d9456a7fa7edad2fb1c7b221fc747eb78eb4d789ff077c48ef818002f00350005000ac013c014c009c00a00320038001300040115ff0100010a0006000400170018000b00020100
        NAS-IP-Address = 10.xxx.xxx.4
        Service-Type = Login-User
        Calling-Station-Id = xx-xx-xx-xx-xx-xx
        NAS-Port-Id = 2:3
        NAS-Port = 2003
        NAS-Port-Type = Ethernet
        State = 0x8df2b5f98df2b8eb6e43e372671f4335
        Message-Authenticator = 0x6822006f5e7cf03d00a08b04869d19d8

and the relevant other log lines:

++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 255 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group EAP {...}
  rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid

Invalid means I return a reject ... should I return something else? Is this a client problem or a misconfiguration on my part?

Thx for your help!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
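A small decoder for the EAP-Message hex shown in this thread, following the same field-by-field walk as the reply above (EAP header, EAP-TLS flags, TLS record and handshake headers), as an added example that is not code from the thread or from FreeRADIUS. The packets it decodes are constructed here, since a debug line is often truncated; the 4-octet TLS Message Length follows RFC 5216, and a Legacy Nak (type 3) is decoded as well.

```python
"""Decode an EAP-Message value as printed in FreeRADIUS debug output."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
TLS_HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
                 13: "certificate_request", 14: "server_hello_done",
                 16: "client_key_exchange", 20: "finished"}


def decode_eap_message(hexstr):
    """Return a dict describing one EAP packet given its hex string (0x prefix optional)."""
    hexstr = hexstr.strip()
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    # RFC 3748 header: Code(1) Identifier(1) Length(2)
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length != len(data):
        # a debug line that was cut short, or only part of a fragmented message
        info["warning"] = "EAP length %d but %d bytes present" % (length, len(data))
    if code not in (1, 2) or len(data) < 5:
        return info                      # Success/Failure carry no Type field
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = data[5:]
    if eap_type == 1:
        info["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 3:
        # Legacy Nak: one byte per EAP type the peer would accept instead
        info["nak_desired"] = [EAP_TYPES.get(b, b) for b in body]
    elif eap_type == 13 and body:
        info.update(decode_eap_tls(body))
    return info


def decode_eap_tls(body):
    """Parse EAP-TLS flags, the optional TLS Message Length and the first TLS record header."""
    flags = body[0]
    out = {"tls_flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20)}}
    pos = 1
    if flags & 0x80 and len(body) >= 5:
        # RFC 5216: with the L bit set, a 4-octet TLS Message Length follows the flags
        out["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
        pos = 5
    rec = body[pos:]
    if len(rec) < 5:
        return out                       # EAP-TLS Start or ACK: no TLS data yet
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", rec[:5])
    out["tls_record"] = {"content": TLS_CONTENT.get(ctype, ctype),
                         "version": "%d.%d" % (vmaj, vmin), "length": rlen}
    if ctype == 22 and len(rec) >= 9:
        out["handshake"] = {"type": TLS_HANDSHAKE.get(rec[5], rec[5]),
                            "length": int.from_bytes(rec[6:9], "big")}
    return out


def build_sample_client_hello_response(eap_id=0xFF):
    """Construct a minimal EAP-TLS Response carrying a TLS 1.0 ClientHello (sample, not captured traffic)."""
    hello = (b"\x03\x01" + b"\x11" * 32      # client_version, random (fixed filler)
             + b"\x00"                       # empty session id
             + b"\x00\x02\x00\x2f"           # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")                  # compression methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    eap_tls = b"\x0d\x80" + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, eap_id, 4 + len(eap_tls)) + eap_tls


SAMPLE_CLIENT_HELLO = "0x" + build_sample_client_hello_response().hex()
# Constructed Legacy Nak (Response, id 5) asking for PEAP instead of the offered type
SAMPLE_NAK = "0x" + bytes([2, 5, 0, 6, 3, 25]).hex()

if __name__ == "__main__":
    # the third sample is deliberately cut short, like a truncated debug line
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_NAK, SAMPLE_CLIENT_HELLO[:30]):
        print(decode_eap_message(sample))
```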
AW: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
Hi!

We've found the problem and fixed it together with the Microsoft support and here is the link to the Hotfix, if other FreeRadius users have the same problem:

http://support.microsoft.com/kb/2481614

Robert

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of PENZ Robert
Sent: Tuesday, 7 August 2012 13:22
To: FreeRadius users mailing list
Subject: AW: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP

>>> The problem now is that in 1/3 of the clients boots (done over 40 times with a tap device running as sniffer) the Windows Client sends a response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP. After this the freeradius Server sends a reject ([eap] NAK asked for unsupported type PEAP).
>>
>> Either configure PEAP, or fix the client to stop asking for PEAP.
>
> trying ... ;-)
>
>>> In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it's Windows 7 ... there must be thousands of installs with Windows 7 and 802.1x EAP/TLS.
>>
>> It's definitely a client problem.
>
> Yeah, we'll open a case. It seems to be a problem if the configuration is done via GPOs, but not sure.
>
>> My suggestion is to do a re-install on the client. Other Windows 7 machines don't behave this way.
>
> does not help. We can reproduce the problem on multiple machines.
Problem with Nortel hardware
Dear list,

We have a rather strange problem with Nortel hardware and freeradius. We run freeradius-2.1.12-3 on Red Hat 6 in our organization.

Our setup is as follows: We have two types of wireless hardware, Nortel and Aerohive. We have two radius servers: Windows Radius which is connected to AD and Freeradius server which proxies to the Windows Radius. Our freeradius setup works perfectly with Aerohive hardware but unfortunately it doesn't work with Nortel.

In our freeradius setup we strip @domain.name from the username (in realm section), and we pass the request to the Windows Radius. This seems to work with Aerohive hardware, but when trying to do the same with Nortel hardware, Windows Radius indicates that we are sending a usern...@domain.name (and it fails there), in other words the username does not get stripped.

I wonder why this is happening only to a Nortel hardware and it works perfectly with Aerohive?

Many thanks,
Robert
Problem with crypt passwords matching
I am running Freeradius 2.1.12 on a Centos box. I am able to authenticate from the server command line, and from a Cisco ASR1k BRAS via the command line. However, when I attempt to authenticate customers from the DSL network, I get a reject, even though the crypt'd passwords match! Here is a sample from a trace:

rad_recv: Access-Request packet from host 204.111.5.9 port 1645, id=235, length=89
        Framed-Protocol = PPP
        User-Name = k143rott
        User-Password = k*
        NAS-Port-Type = Virtual
        NAS-Port = 0
        NAS-Port-Id = 0/0/0/304
        Service-Type = Framed-User
        NAS-IP-Address = 204.111.5.9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = k143rott, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = k143rott
[suffix] Adding Realm = NULL
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 169
[files] users: Matched entry DEFAULT at line 172
[files] users: Matched entry DEFAULT at line 186
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password krt444
[pap] Using CRYPT password *3u.3LS/VKTOVc
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [k143rott/k*] (from client va-edbg-bras-1 port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> k143rott
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 30 for 1 seconds
Going to the next request
Sending delayed reject for request 21
Sending Access-Reject of id 227 to 204.111.5.9 port 1645

The crypt'd password (*3u.3LS/VKTOVc) is exactly what is in the /etc/shadow file. So I am confident the shared secret is correct. What am I doing wrong?

--
Haskins Family Farm
Middletown, VA
web: http://www.haskinsfamilyfarm.com
FB: http://www.facebook.com/pages/Middletown-VA/Haskins-Family-Farm/114984971161
Re: Problem with crypt passwords matching
What do you mean by editing the passwd module?

As for the users lines, here is what is in that file (first line is 169 and the last one is 186):

DEFAULT Auth-Type == System
        Fall-Through == 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address == 255.255.255.254,
        Framed-Netmask == 255.255.255.255,
        Framed-MTU == 1500,
        Service-Type == Framed-User,
        Framed-Routing == None,
        Fall-Through == Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
#       by the terminal server in which case there may not be a P suffix.
#       The terminal server sends Framed-Protocol = PPP for auto PPP.
#
DEFAULT Framed-Protocol == PPP

On Wed, Aug 15, 2012 at 4:52 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> ++[unix] returns updated
>
> okay...so I assume you have edited the passwd module to read the shadow file?
>
>> [files] users: Matched entry DEFAULT at line 169
>> [files] users: Matched entry DEFAULT at line 172
>> [files] users: Matched entry DEFAULT at line 186
>
> what do these lines have/say?
>
> alan

--
Haskins Family Farm
Middletown, VA
web: http://www.haskinsfamilyfarm.com
FB: http://www.facebook.com/pages/Middletown-VA/Haskins-Family-Farm/114984971161
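A quick offline check of the Crypt-Password value that rlm_pap reports in the debug output above, as an added example that is not code from the thread or from FreeRADIUS. It classifies the string by crypt(3) format before trying a match, because crypt(3) salts use only [A-Za-z0-9./] and a leading '*' or '!' is the marker shadow(5) uses for a locked or disabled account, which can never match any password. The sample values and the debug excerpt are constructed; the optional comparison uses Python's crypt module where that is still available.

```python
"""Sanity-check a Crypt-Password value the way rlm_pap will see it."""
import re

# crypt(3) salts and DES output use only this alphabet
SALT_CHARS = "[A-Za-z0-9./]"
DES_RE = re.compile("^" + SALT_CHARS + "{13}$")
MODULAR_RE = re.compile(r"^\$(1|5|6|2a|2b|2y|y)\$")
ALGO_BY_ID = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
              "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
DEBUG_RE = re.compile(r"\[pap\] Using CRYPT password (\S+)")


def classify_crypt_string(value):
    """Return (status, detail); status is one of empty, locked, ok, invalid."""
    if value == "":
        return "empty", "no hash at all, crypt() can never match"
    if value[0] in "*!":
        # shadow(5) convention: '*' or '!' in front of the hash field locks the account
        return "locked", "leading %r is a lock/disable marker, not a salt; every check fails" % value[0]
    m = MODULAR_RE.match(value)
    if m:
        return "ok", ALGO_BY_ID[m.group(1)]
    if DES_RE.match(value):
        return "ok", "traditional DES crypt (2-char salt + 11 chars)"
    return "invalid", "not a recognised crypt(3) format"


def check_password(cleartext, crypted):
    """True/False for a real comparison; None when the hash can never match or crypt(3) is unavailable."""
    status, _ = classify_crypt_string(crypted)
    if status != "ok":
        return None
    try:
        import crypt  # deprecated in Python 3.11 and removed in 3.13
    except ImportError:
        return None
    return crypt.crypt(cleartext, crypted) == crypted


def crypt_values_from_debug(text):
    """Pull the Crypt-Password values rlm_pap reports out of radiusd -X output."""
    return DEBUG_RE.findall(text)


# Constructed excerpt in the shape of the debug output quoted in the thread
SAMPLE_DEBUG = """\
[pap] login attempt with password secret
[pap] Using CRYPT password *Ab3u.3LS/VKTO
[pap] Passwords don't match
++[pap] returns reject
"""

if __name__ == "__main__":
    for value in crypt_values_from_debug(SAMPLE_DEBUG):
        print(value, classify_crypt_string(value), check_password("secret", value))
```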
AW: Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
>> The problem now is that in 1/3 of the clients boots (done over 40 times with a tap device running as sniffer) the Windows Client sends a response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP. After this the freeradius Server sends a reject ([eap] NAK asked for unsupported type PEAP).
>
> Either configure PEAP, or fix the client to stop asking for PEAP.

trying ... ;-)

>> In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it's Windows 7 ... there must be thousands of installs with Windows 7 and 802.1x EAP/TLS.
>
> It's definitely a client problem.

Yeah, we'll open a case. It seems to be a problem if the configuration is done via GPOs, but not sure.

> My suggestion is to do a re-install on the client. Other Windows 7 machines don't behave this way.

does not help. We can reproduce the problem on multiple machines.
Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
Hi!

I've a problem with 802.1x and EAP-TLS where I'm not quite sure who is responsible for this problem and how to work around it. I hope someone can help me - I couldn't find anything with Google and I just can't believe I'm the first guy with this problem.

The setup is the following:

- Windows 7 SP1 Client with 802.1x and EAP-TLS configured
- Extreme Networks 450e Switches -- LAN based 802.1x
- Freeradius 2.1.12-3.el5 on RHEL5, only TLS as EAP type configured/allowed

The problem now is that in 1/3 of the clients boots (done over 40 times with a tap device running as sniffer) the Windows Client sends a response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP. After this the freeradius Server sends a reject ([eap] NAK asked for unsupported type PEAP). With the next identity request the Client does a clean EAP-TLS handshake, but the switch already put the client into the reject network.

Here is the communication flow in these cases (Wireshark): Line 5 / Packet 54 is the problem

No.  Time       Source  Destination  Protocol  Length  Info
9    27.371093  switch  client       EAP       60      Request, Identity [RFC3748]
51   43.669530  switch  client       EAP       60      Request, Identity [RFC3748]
52   43.693510  client  switch       EAP       60      Response, Identity [RFC3748]
53   43.699498  switch  client       EAP       60      Request, EAP-TLS [RFC5216] [Aboba]
54   43.700496  client  switch       EAP       60      Response, Legacy Nak (Response only) [RFC3748]
84   44.639980  switch  client       EAP       60      Request, Identity [RFC3748]
85   44.646980  client  switch       EAP       60      Response, Identity [RFC3748]
86   44.652974  switch  client       EAP       60      Request, EAP-TLS [RFC5216] [Aboba]
87   44.758887  client  switch       TLSv1     123     Client Hello
88   44.765875  switch  client       TLSv1     1042    Server Hello, Certificate, Certificate Request, Server Hello Done
89   44.766875  client  switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
90   44.772880  switch  client       TLSv1     1042    Server Hello, Certificate, Certificate Request, Server Hello Done
91   44.772892  client  switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
92   44.778868  switch  client       TLSv1     1042    Server Hello, Certificate, Certificate Request, Server Hello Done
93   44.779865  client  switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
94   44.784859  switch  client       TLSv1     177     Server Hello, Certificate, Certificate Request, Server Hello Done
95   44.787862  client  switch       TLSv1     1510    Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
96   44.793854  switch  client       EAP       60      Request, EAP-TLS [RFC5216] [Aboba]
97   44.793861  client  switch       TLSv1     530     Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
98   44.807887  switch  client       TLSv1     87      Change Cipher Spec, Encrypted Handshake Message
102  44.818881  client  switch       EAP       60      Response, EAP-TLS [RFC5216] [Aboba]
103  44.855827  switch  client       EAP       60      Success

It seems to be a timing issue anyway:

- Windows 7 is configured to EAP-TLS with GPOs
- I've uninstalled anti-virus, behavior detection software

In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it's Windows 7 ... there must be thousands of installs with Windows 7 and 802.1x EAP/TLS.

Would it help if freeradius ignores the EAP-NAK packets?

Any help appreciated!

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
Invalid Authenticator... i.e. munged nt-key from Winbindd ...
Yes, I know this is really a Samba problem. I'm asking on this list because I really feel that a number of the users of ntlm_auth, winbindd are Radius admins.

This is in regards to the munged nt-key bug in Winbindd. Most of the suggestions have been to simply upgrade Samba. From my reading, this all seems to go back to Samba 3.2.X'ish ? Well we are(were) running Samba 3.5.6. I figured that was relatively safe? Actually, I had noticed that the bug did still seem to exist, but would only occur after running Winbindd for a while. I found other admins on the net reporting the same thing. We all seemed to adopt the same solution. Simply re-start Winbindd when the problem arose. This scheme worked very well for over a year. Then around 16:40 last Friday afternoon, something in our environment changed and this bug seemed to get tweaked all of the time. The radius servers just seemed to start to melt down. Actually, after a few hours 4 of 10 of our backend servers seemed to find a somewhat stable situation.

In any case, I tried installing an older version of Samba 3.0.31 as there was some reference that nobody had seemed to see this problem with that version. However, that version did not do authentication at all against our win2008R2 directories. I found a bug report about that, and it basically said, yes we know, we don't intend to fix it in 3.0.31 as that is an old version, upgrade. So, in any case, I did upgrade to the latest Samba 3.5.16 and things seem to be working now.

After all said above, my real question is, has anybody seen anything somewhat definitive on this bug that would indicate the source of the problem has really been found and fixed ? Or, does it just seem that other changes to Winbindd have just seemed to make this bug go away (or hide better) ?

The reason I ask, is that we use Freeradius here and we are a large R1 University with associated medical center. Our radius architecture is beginning to support not only the Campus, but the medical center as well. The plan is to really bring ALL of the medical center Wireless that requires authentication into our Freeradius architecture. Believe it or not, there are becoming more and more medical devices that are starting to have some wireless capabilities now. From what I can tell, most of the use is to simply gather data about the device and ship it off to some master data gathering tool for analysis at a later time. However, I'm not sure, but some EKG devices in the future might start using this to actually ship the EKG results in real time to a doctor that is actually remotely located. This and other potential real time uses start to scare me a bit ??? I know that these devices should have some other backup capabilities for transmitting the data, but..

Thanks,
Robert

Robert Roll
Computer Professional
University of Utah
(801) 581-7655
RE: Invalid Authenticator... i.e. munged nt-key from Winbindd ...
Yes, I do believe this is the bug in question. I did find this yesterday and noticed that while the problem may not happen 100% of the time, there are reports of it still happening. Even as late as version 3.5.10.. I am planning on adding my incident to the list...

Thanks Much,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Monday, July 30, 2012 10:11 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Invalid Authenticator... i.e. munged nt-key from Winbindd ...

On 30/07/12 16:14, Robert Roll wrote:
> This is in regards to the munged nt-key bug in Winbindd. Most of

Are you referring to this bug:

https://bugzilla.samba.org/show_bug.cgi?id=6563

It looks to me like that bug has fallen into the weeds after being thought fixed. My advice would be to post on the Samba mailing list, and see if you can get someone interested.

> to go back to Samba 3.2.X'ish ? Well we are(were) running Samba 3.5.6. I figured that was relatively safe? Actually, I had noticed that the bug did still seem to exist, but would only occur after running Winbindd for a while. I found other admins on the net reporting the same thing. We all seemed to adopt the same solution. Simply re-start Winbindd when the problem arose. This scheme worked very well for over a year. Then around 16:40 last Friday afternoon, something in our environment changed and this bug seemed to get tweaked all of the time. The radius servers just seemed to start to melt down. Actually, after a few hours 4 of 10 of our backend servers seemed to find a somewhat stable situation.

For what it's worth, we're running Samba 3.5.4 (RHEL5 package samba3x-3.5.4-0.70.el5) on Win2k8R2 DCs, and have no problems.

Have you spoken to your AD admins? It seems likely some event (AD controller rebooting for patches?) triggered it.

If you can figure out how to reproduce it, you can gather detailed debugging and hopefully solve the problem. Hell, if you can figure out how to reproduce it, *I* will crack out GDB and take a look.

> After all said above, my real question is, has anybody seen anything somewhat definitive on this bug that would indicate the source of the problem has really been found and fixed ? Or, does it just seem that other changes to Winbindd have just seemed to make this bug go away (or hide better) ?

I know it's not what you want to hear, but this really *is* a Samba problem. Active Directory is, fundamentally, a closed system. You can only access it with the interfaces Microsoft makes available. Those interfaces are poorly documented, and have undesirable failure characteristics in the very best case.

> However, I'm not sure, but some EKG devices in the future might start using this to actually ship the EKG results in real time to a doctor that is actually remotely located. This and other potential real time uses start to scare me a bit ??? I know that these devices should have some other backup capabilities for transmitting the data, but..

I'm sympathetic to your concerns but honestly, if you have a requirement for that level of reliability, my advice would be to abandon Active Directory for those credentials. It is relatively simple to store some credentials in a local users file or SQL database, and disable ntlm_auth for those users e.g.

med-device-123 Cleartext-Password := foo, MS-CHAP-Use-NTLM-Auth := 0

...or equivalent in SQL.

As well as being a lot more reliable, this approach has some other advantages - you don't necessarily want to use a real username for these kinds of embedded systems, and provisioning an AD account for them runs the risk of that account being given privileges it shouldn't have.

If your local policy permits, and you can justify it, you could even do this with all users (use a password change policy DLL to capture all passwords to a database, optionally NT-hashed). But I doubt that's tenable.

Alternatives include using EAP-TLS with client certs (horrible PKI mess) or EAP-TTLS/PAP and use a simpler method than ntlm_auth to check the PAP.

In theory, EAP-TEAP (formerly EAP-FASTv2) with tickets on the client would solve this, but I see no realistic possibility of that appearing in client devices any time soon :o(

Cheers,
Phil
rlm_python configTuple question
Hi!

The python functions should return (return, replyTuple, configTuple). return is one of the following constants:

#RLM_MODULE_REJECT = 0    # /* immediately reject the request */
#RLM_MODULE_FAIL = 1      # /* module failed, don't reply */
#RLM_MODULE_OK = 2        # /* the module is OK, continue */
#RLM_MODULE_HANDLED = 3   # /* the module handled the request, so stop. */
#RLM_MODULE_INVALID = 4   # /* the module considers the request invalid. */
#RLM_MODULE_USERLOCK = 5  # /* reject the request (user is locked out) */
#RLM_MODULE_NOTFOUND = 6  # /* user not found */
#RLM_MODULE_NOOP = 7      # /* module succeeded without doing anything */
#RLM_MODULE_UPDATED = 8   # /* OK (pairs modified) */
#RLM_MODULE_NUMCODES = 9  # /* How many return codes there are */

replyTuple are the attributes which are sent to the requesting NAS, but I couldn't find out what configTuple is exactly. I currently only pass an () and it works. Is it the same as update control and setting variables in the normal config files?

What I would like to do is to provide a variable which can be used in the config file after calling the python module to compare it against %{TLS-Client-Cert-Subject} as I don't see a possibility to get this variable in the python module to do the compare there.

Thx for your help.

Kind regards
Robert Penz

--
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.p...@tirol.gv.at
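A stand-alone sketch of the function shape rlm_python expects, as an added example that is not code from the thread or from FreeRADIUS. It assumes that the request arrives as a tuple of (attribute, value) pairs and that the third element of the returned tuple, the configTuple, is applied to the control list, so an unlang policy could later compare the value it carries with %{TLS-Client-Cert-Subject}; the attribute name Tmp-String-0, the device table and the subject strings are constructed placeholders, and the return-code constants are defined locally because the real module supplies them through its own radiusd module.

```python
"""Shape of an rlm_python authorize() function, runnable outside the server."""

# Same numeric codes as listed in the question; under rlm_python they come
# from the injected "radiusd" module, here they are defined for stand-alone use.
RLM_MODULE_REJECT = 0
RLM_MODULE_FAIL = 1
RLM_MODULE_OK = 2
RLM_MODULE_HANDLED = 3
RLM_MODULE_INVALID = 4
RLM_MODULE_USERLOCK = 5
RLM_MODULE_NOTFOUND = 6
RLM_MODULE_NOOP = 7
RLM_MODULE_UPDATED = 8

# Constructed lookup table standing in for the real inventory or SQL source:
# which certificate subject each 802.1x identity is expected to present.
EXPECTED_SUBJECT = {
    "host/pc01.example.invalid": "/C=AT/O=Example/CN=pc01.example.invalid",
    "host/printer07.example.invalid": "/C=AT/O=Example/CN=printer07.example.invalid",
}

# Assumed internal attribute used to hand the value back to unlang, e.g.
#   if ("%{control:Tmp-String-0}" == "%{TLS-Client-Cert-Subject}") { ... }
CONTROL_ATTR = "Tmp-String-0"


def _attr(pairs, name):
    """Return the first value for attribute `name` in a request tuple, or None."""
    for key, value in pairs:
        if key == name:
            return value
    return None


def authorize(p):
    """Return (return_code, replyTuple, configTuple) for the request tuple p.

    replyTuple goes to the NAS; configTuple is assumed to land in the control
    list, which is where the expected subject is placed for the later compare.
    """
    user = _attr(p, "User-Name")
    if user is None:
        return RLM_MODULE_NOOP, (), ()
    subject = EXPECTED_SUBJECT.get(user)
    if subject is None:
        return RLM_MODULE_NOTFOUND, (("Reply-Message", "unknown device"),), ()
    return RLM_MODULE_UPDATED, (), ((CONTROL_ATTR, subject),)


if __name__ == "__main__":
    request = (("User-Name", "host/pc01.example.invalid"),
               ("Calling-Station-Id", "00-11-22-33-44-55"))
    print(authorize(request))
```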
set and use internal comment variable
Hi!

I've a setup where it is possible to deny a request at various places for different reasons. I use sql_log in post-auth to log the replies. It would now be nice to add a comment variable which I fill at the various stations, that can deny a request, so I know why a request was denied. How should I try to solve this? Or is there an even better way without a comment variable to do something like this?

Thx for your help.

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi!

We've currently a MAC authentication running with dynamic VLANs via SQL for wired clients. We return the wished VLAN for the client by using the SQL function authorize_reply_query. We now want to add 802.1x EAP-TLS as supported authentication method. I got the setup so far that I'm able to authenticate a client which supports it via 802.1x and the others as fallback with MAC. With MAC auth everything works but with 802.1x I'm not able to return the VLAN the switch should use. How can I tell freeradius to make a sql lookup for the reply values?

And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?

The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog? Thx for your help!

I'm using freeradius2-2.1.7-7.el5 on rhel5 with following config

authorize {
        eap {
                ok = return
        }
        redundant {
                sql
                do_not_respond   # send nothing to the switch if sql fails, another server will take over
        }
        if (ok) {
                update control {
                        Auth-Type := Accept
                }
                # 'handled' does not work here
                ok = return
        }
}

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
AW: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs
Hi!

Thx for the fast response! But how do I execute the SQL authorize_reply_query query after I did an EAP authentication? I don't do that currently in post-auth. I just have the sql module activated in authorize.

Or would it be anyway a better idea to have more than one issuer and I return the VLAN data based on that? E.g. one issuer for the PC net and one for the printer net? Can I use the issuer in a SQL query? As I've different switch types which need different responses. I use a SQL lookup with the NAS IP with a switch type table to get the correct response.

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Matthew Newton
Sent: Thursday, 22 March 2012 15:48
To: FreeRadius users mailing list
Subject: Re: 802.1x/EAP-TLS and MAC authentication via SQL with dynamic VLANs

Hi,

On Thu, Mar 22, 2012 at 03:24:41PM +0100, PENZ Robert wrote:
> And how can I use the CN of the certificate in the SQL query? I believe I need one query for MAC and one for EAP-TLS, as for one I search for the MAC address and in the other the CN ... correct?

Common Name of the cert is in TLS-Client-Cert-Common-Name, but only available in post-auth. However, that should be OK to update the reply to set a VLAN.

> I'm using freeradius2-2.1.7-7.el5 on rhel5 with following config

You'll need to upgrade to 2.1.12. This is too old and doesn't have the above attribute.

> The last question is more general. How do I get the mac address for a client that is authenticating with EAP-TLS, would like to add this to the sqllog? Thx for your help!

Calling-Station-Id, as usual.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
RE: canceling/redirecting realm in pre-proxy ?
Good thought, but it doesn't seem to do the trick, but thanks..

> Why don't you just avoid starting the proxy in the first place...

I want to actually proxy to a remote server, but they might send it back for further authentication.. I need to detect and handle that, otherwise there would be a loop...

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell [a.cudba...@freeradius.org]
Sent: Thursday, October 06, 2011 12:58 PM
To: FreeRadius users mailing list
Subject: Re: canceling/redirecting realm in pre-proxy ?

On 6 Oct 2011, at 20:19, Robert Roll wrote:

> There seems to be some comments about being able to cancel a proxy in the pre-proxy section..
>
> #  When the server decides to proxy a request to a home server,
> #  the proxied request is first passed through the pre-proxy
> #  stage.  This stage can re-write the request, or decide to
> #  cancel the proxy.
>
> What I really want to do is test some variables (unlang) and based on the outcome, I want to actually handle the request locally rather than proxy. Maybe this is obvious, but I am not seeing it ?

update control {
        Proxy-To-Realm := 'local'
}

Maybe... I'm not sure if it'll work. Why don't you just avoid starting the proxy in the first place...

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
RE: canceling/redirecting realm in pre-proxy ?
Below is my pre-proxy paragraph.. Below that is some output.. It just continues to loop.. It looks like the test is working.. I don't know if it is meaningful or not, but..

    +++[control] returns noop

Does this mean it did NOT set the value local in Proxy-To-Realm ?

Thanks,
Robert

    pre-proxy {
        if( %{Packet-Src-IP-Address} == '160.36.188.8' ) {
            update control {
                Proxy-To-Realm := 'local'
            }
        }
    }

    # Executing section pre-proxy from file /opt/Radius/freeradius/Configs/BackEnd/etc/raddb/proxy.conf
    +- entering group pre-proxy {...}
    ++? if (%{Packet-Src-IP-Address} == '160.36.188.8' )
        expand: %{Packet-Src-IP-Address} -> 160.36.188.8
    ? Evaluating (%{Packet-Src-IP-Address} == '160.36.188.8' ) -> TRUE
    ++? if (%{Packet-Src-IP-Address} == '160.36.188.8' ) -> TRUE
    ++- entering if (%{Packet-Src-IP-Address} == '160.36.188.8' ) {...}
    +++[control] returns noop
    ++- if (%{Packet-Src-IP-Address} == '160.36.188.8' ) returns noop

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Fajar A. Nugraha [l...@fajar.net]
Sent: Friday, October 07, 2011 8:41 AM
To: FreeRadius users mailing list
Subject: Re: canceling/redirecting realm in pre-proxy ?

On Fri, Oct 7, 2011 at 8:28 PM, Robert Roll robert.r...@utah.edu wrote:
> Good thought, but it doesn't seem to do the trick, but thanks..

Really? Where did you put it, in authorize? It should work in pre-proxy

>> Why don't you just avoid starting the proxy in the first place...
>
> I want to actually proxy to a remote server, but they might send it back for further authentication.. I need to detect and handle that, otherwise there would be a loop...

for complex scenarios it might be easier to use rlm_perl, or even rlm_exec.

--
Fajar
canceling/redirecting realm in pre-proxy ?
There seems to be some comments about being able to cancel a proxy in the pre-proxy section..

    # When the server decides to proxy a request to a home server,
    # the proxied request is first passed through the pre-proxy
    # stage. This stage can re-write the request, or decide to
    # cancel the proxy.

What I really want to do is test some variables (unlang) and based on the outcome, I want to actually handle the request locally rather than proxy. Maybe this is obvious, but I am not seeing it ?

Thanks,
Robert
Returning Multiple Reply Items problem ?
I seem to have encountered a problem with returning multiple reply-item attributes ? They seem to be found, but only some are returned... see the debug snippets below... It seems if they have the same name, only one of them gets returned ? However, for the Cisco-AVPair attributes, it is very common to need to define many of them ? Is there a way to get them all returned ? Currently running 2.1.10 ..

Thanks,
Robert

i.e.

    # Seem to be found in Directory ##3
    [ldapADutVLANs] looking for reply items in directory...
    [ldapADutVLANs] extracted attribute Airespace-Interface-Name from generic item Airespace-Interface-Name=wifi-hist-uconnect
    [ldapADutVLANs] extracted attribute Airespace-Interface-Name from generic item Airespace-Interface-Name=wifi-noc-uconnect
    [ldapADutVLANs] extracted attribute Cisco-AVPair from generic item cisco-avpair=tunnel-private-group-ID(#81)=noc
    [ldapADutVLANs] extracted attribute Cisco-AVPair from generic item cisco-avpair=tunnel-medium-type(#65)=802 media(6)
    [ldapADutVLANs] extracted attribute Cisco-AVPair from generic item cisco-avpair=tunnel-type(#64)=VLAN(13)

    ## However when they need to be returned, only one of each gets returned ? ##
    [peap] Using saved attributes from the original Access-Accept
        Airespace-Interface-Name = wifi-hist-uconnect
        Cisco-AVPair = tunnel-private-group-ID(#81)=noc
    Sending Access-Accept of id 11 to 155.97.142.192 port 53533
        Airespace-Interface-Name = wifi-hist-uconnect
        Cisco-AVPair = tunnel-private-group-ID(#81)=noc
RE: Returning Multiple Reply Items problem ?
Ok, I seem to have found some information on the net .. Is it as simple as changing the '=' to '+=' when creating the ldap entry ? i.e.

from:

    cisco-avpair=tunnel-private-group-ID(#81)=noc

to:

    cisco-avpair+=tunnel-private-group-ID(#81)=noc

Currently, I use a GENERIC attribute for replyItem, so even though the documentation seems to indicate an operator might be defined in ldap.attrmap for the particular replyitem, I don't think I want to do this ?

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Robert Roll [robert.r...@utah.edu]
Sent: Wednesday, June 22, 2011 7:38 AM
To: freeradius-users@lists.freeradius.org
Subject: Returning Multiple Reply Items problem ?
RE: Error: User-Name is not the same as MS-CHAP name
If the User-Name is being rewritten it is not intentional. Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

    freeradius:/etc # diff -qr raddb raddefault
    Files raddb/clients.conf and raddefault/clients.conf differ
    Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
    Files raddb/modules/ldap and raddefault/modules/ldap differ
    Files raddb/modules/mschap and raddefault/modules/mschap differ
    Files raddb/sites-available/inner-tunnel and raddefault/sites-available/inner-tunnel differ
    Files raddb/sites-enabled/inner-tunnel and raddefault/sites-enabled/inner-tunnel differ
    -
    freeradius:/etc # diff raddb/clients.conf raddefault/clients.conf
    206,209d205
    client 10.0.0.0/8 {
        secret = testing123
        shortname = net1
    }
    freeradius:/etc # diff raddb/modules/attr_rewrite raddefault/modules/attr_rewrite
    32,65d31
    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
    }
    attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = (\.test\.local)
        searchin = packet
        new_attribute = no
        replacewith =
    }
    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = ^(host/.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
    }
    attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = ^(.*[\\/]+)
        replacewith =
        max_matches = 1
    }
    --
    freeradius:/etc # diff raddb/modules/ldap raddefault/modules/ldap
    33,36c33,36
    server = 10.220.7.7
    identity = cn=tics,o=test
    password = ldappass
    basedn = o=test
    ---
    server = ldap.your.domain
    #identity = cn=admin,o=My Org,c=UA
    #password = mypass
    basedn = o=My Org,c=UA
    77,79c77,78
    #start_tls = no
    start_tls = yes
    port=636
    ---
    start_tls = no
    118c117
    password_attribute = nspmPassword
    ---
    124c123
    edir_account_policy_check = yes
    ---
    edir_account_policy_check = no
    --
    freeradius:/etc # diff raddb/modules/mschap raddefault/modules/mschap
    37c37
    with_ntdomain_hack = yes
    ---
    65,66c65
    #ntlm_auth = /path/to/nitlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
    ---
    #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
    freeradius:/etc # diff raddb/sites-available/inner-tunnel raddefault/sites-available/inner-tunnel
    48,52d47
    if (User-Name !~ /^host\//) {
        update control {
            MS-CHAP-Use-NTLM-Auth := no
        }
    }
    97,101c92
    copy.user-name
    remove-domain-name
    add-dollar-sign
    strip-realm-name
    ntdomain
    ---
    # ntdomain
    151c142
    ldap
    ---
    # ldap
    239,241c230,232
    Auth-Type LDAP {
        ldap
    }
    ---
    # Auth-Type LDAP {
    #   ldap
    # }
    299c290
    ldap
    ---
    # ldap
    311d301
    ldap

Robert Mc Cready wrote:
> I do not rewrite the User-name attribute I rewrite only the Stripped-User-Name attribute with these:

No. Go READ the debug log you posted. The inner-tunnel virtual server gets:

    Sending tunneled request
        EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202
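Review bot: in the ldap hunk `77,79c77,78`, `start_tls = yes` is set together with `port=636`. StartTLS is an extended operation negotiated on a plaintext LDAP session, normally on port 389, while 636 is the LDAPS port on which the server expects a TLS handshake before any LDAP message, so this pairing usually fails at bind time rather than at config parse time; pick one mode (StartTLS on 389, or LDAPS on 636 without `start_tls`) and confirm the bind succeeds in the `radiusd -X` output.

Review bot: in the mschap hunk `65,66c65`, the active `ntlm_auth` line uses `--username=%{mschap:User-Name:-None}` with `--domain=%{%{mschap:NT-Domain}:-NW2}`, so whatever precedes the backslash in User-Name is passed to ntlm_auth as the domain, and `NW2` is substituted when there is no prefix; the poster says that prefix (CAD08862) is a computer name rather than a domain, so the exact ntlm_auth command line printed in the debug output is the place to confirm which account and domain the DC is actually being asked about.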
RE: Error: User-Name is not the same as MS-CHAP name
The host names are not domain names, they are computer account names, and we have hundreds of them. We only use the MS Domain to authenticate the computer accounts, not the users.

-Original Message-
From: freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org [mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius .org] On Behalf Of Alan DeKok
Sent: 10 May 2011 10:49
To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name

Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional.

Well... it's obviously something you've changed, because it doesn't happen in the default configuration.

> Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.

You're stripping the domain. Why? It's just not necessary. The way you're doing it is wrong, and is breaking the server.

Instead, set up CAD08862 as a LOCAL realm. See proxy.conf.

Alan DeKok.

__ Information from ESET NOD32 Antivirus, virus signature database version 6110 (20110510) __
The message was checked by ESET NOD32 Antivirus. http://www.eset.com
RE: Error: User-Name is not the same as MS-CHAP name
    seconds.
    Packet 9
    rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212
        User-Name = CAD08862\\ldapuser
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = 58-16-26-AA-F7-B1:WIRELESS
        Calling-Station-Id = 00-16-EA-C5-78-9C
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 0Mbps 802.11g
        EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ...
        State = 0xa5fe4130adea583a08d7b8b3e893ab3f
        Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = CAD08862\ldapuser, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] EAP packet type response id 20 length 38
    [eap] Continuing tunnel setup.
    ++[eap] returns ok
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/peap
    [eap] processing type peap
    [peap] processing EAP-TLS
    [peap] eaptls_verify returned 7
    [peap] Done initial handshake
    [peap] eaptls_process returned 7
    [peap] EAPTLS_OK
    [peap] Session established. Decoding tunneled attributes.
    [peap] Peap state send tlv failure
    [peap] Received EAP-TLV response.
    [peap] The users session was previously rejected: returning reject (again.)
    [peap] *** This means you need to read the PREVIOUS messages in the debug output
    [peap] *** to find out the reason why the user was rejected.
    [peap] *** Look for reject or fail. Those earlier messages will tell you.
    [peap] *** what went wrong, and how to fix the problem.
    [eap] Handler failed in EAP/peap
    [eap] Failed in EAP select
    ++[eap] returns invalid
    Failed to authenticate the user.
    Using Post-Auth-Type Reject
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 238 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 238
    Sending Access-Reject of id 180 to 10.220.30.5 port 29002
        EAP-Message = 0x04140004
        Message-Authenticator = 0x
    Waking up in 3.8 seconds.
    Cleaning up request 229 ID 171 with timestamp +857
    Cleaning up request 230 ID 172 with timestamp +857
    Cleaning up request 231 ID 173 with timestamp +857
    Cleaning up request 232 ID 174 with timestamp +857
    Cleaning up request 233 ID 175 with timestamp +857
    Cleaning up request 234 ID 176 with timestamp +857
    Cleaning up request 235 ID 177 with timestamp +857
    Cleaning up request 236 ID 178 with timestamp +857
    Cleaning up request 237 ID 179 with timestamp +857
    Waking up in 1.0 seconds.

---

On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional. Now, I reinstalled from scratch, save the default configuration, join the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel and ran diff. I can see in the debug output of the server that User-Name = CAD08862\\ldapuser but I don't know what I am doing wrong.
>
> http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

I presume there's a debug at this URL, but I have no reachability to it from where I am (tried from a couple of different source networks):

    17 Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54) 90.786 ms 90.770 ms 90.740 ms
    18 Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10) 90.800 ms 90.918 ms 91.056 ms
    19 tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165) 91.241 ms 90.598 ms 90.634 ms
    20 tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198) 79.405 ms 79.282 ms 79.230 ms
    21 * * *
    22 * * *
    23 * * *
RE: Error: User-Name is not the same as MS-CHAP name
I do not rewrite the User-Name attribute, I rewrite only the Stripped-User-Name attribute with these:

    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
    }
    attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = (\.nw2\.test\.local)
        searchin = packet
        new_attribute = no
        replacewith =
    }
    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = ^(host/.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
    }
    attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = ^(.*[\\/]+)
        replacewith =
        max_matches = 1
    }

This is where I use Stripped-User-Name:

    freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/attr_rewrite:attribute = Stripped-User-Name
    modules/ldap: filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})

The User-Name attribute is untouched.

    [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before the host name (CAD08862) is not a domain name, it's a computer account name. I tried with_ntdomain_hack, no luck.

    freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
    modules/preprocess: with_ntdomain_hack = no
    modules/mschap: with_ntdomain_hack = yes

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

> On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
>> The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one problem with Windows XP clients, I get a [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2. Users log on locally, the host name is not a domain name. Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computer name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10. Any idea how to fix this ?
>
> You CANNOT rewrite the User-Name attribute, or you will have this problem.
>
> If you want to manipulate the username, you must do so in a separate attribute, like so:
>
>     if (User-Name =~ /^(.+)\\(.+)/) {
>         update request {
>             Stripped-User-Name := %{2}
>         }
>     }
>
> An easier alternative is to not mangle the username at all, and instead update any string expansions to use:
>
>     %{mschap:User-Name}
>
> ...including your LDAP filters. This will just work
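An added example, not from this thread and not FreeRADIUS's own configuration, that puts Phil's advice into one inner-tunnel authorize section for FreeRADIUS 2.1.x: User-Name is left untouched so the EAP-MSCHAPv2 name check keeps passing, Stripped-User-Name carries the local form that the LDAP filter uses, and ntlm_auth is used only for host/ machine accounts. The host/PCNAME.nw2.test.local naming is taken from the poster's regexes; the "PCNAME$" form of the directory account is an assumption.

```unlang
# Added example (not from the thread): authorize section of sites-available/inner-tunnel.
# User-Name is never modified here. The mschap module compares the name inside
# the MS-CHAPv2 response with User-Name, so any rewrite of User-Name breaks it.
authorize {
    # Machine account: "host/PCNAME.nw2.test.local" -> Stripped-User-Name "PCNAME$"
    # (assumed directory naming). Only the part before the first dot is kept.
    if (User-Name =~ /^host\/([^.]+)/) {
        update request {
            Stripped-User-Name := "%{1}$"
        }
    }
    # Windows XP sends "CAD08862\ldapuser". The prefix is a computer name,
    # not a domain, so only the part after the backslash identifies the user.
    elsif (User-Name =~ /^[^\\]+\\(.+)$/) {
        update request {
            Stripped-User-Name := "%{1}"
        }
    }

    # Everything that is not a machine account is a directory user: check its
    # MS-CHAPv2 response against the password from LDAP, not via ntlm_auth.
    if (User-Name !~ /^host\//) {
        update control {
            MS-CHAP-Use-NTLM-Auth := no
        }
    }

    mschap
    eap {
        ok = return
    }
    # modules/ldap keeps the filter from the thread; it picks up Stripped-User-Name:
    #   filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    ldap
}
```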
Error: User-Name is not the same as MS-CHAP name
The MS-CHAP-Use-NTLM-Auth := no did the job but I still have one problem with Windows XP clients, I get a

    [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2.

Users log on locally, the host name is not a domain name. Windows 7 clients work fine because they send only the username. I do some rewrites so I can get the username for the LDAP authentication and the computer name for computer account authentication (I'm not familiar with unlang yet). We use FR 2.1.10. Any idea how to fix this ?

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

> On 05/05/11 15:17, Robert Mc Cready wrote:
>> We use Novell eDirectory and DSFW (Directory Services for Windows) which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain. The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together?
>
> Yes. Something like this:
>
>     authorize {
>         ...
>         if (User-Name !~ /^host\//) {
>             update control {
>                 MS-CHAP-Use-NTLM-Auth := no
>             }
>         }
>         ...
>     }
Problem with LDAP and ntlm_auth
We use Novell eDirectory and DSFW (Directory Services for Windows) which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain. The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together? We use PEAP.

Working user authentication with LDAP debug (ntlm_auth not configured): http://www.cspi.qc.ca/sinfrmc/ldap_only.htm
Working Windows computer account authentication: http://www.cspi.qc.ca/sinfrmc/mschap_only.htm
User account getting rejected debug (with ntlm_auth configured): http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm

Thanks,
Robert.
RE: Problem with LDAP and ntlm_auth
It's working now. Thanks for the help.

-Original Message-
From: freeradius-users-bounces+robert-mccready=cspi.qc...@lists.freeradius.org [mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius .org] On Behalf Of Phil Mayers
Sent: 5 May 2011 11:03
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with LDAP and ntlm_auth

On 05/05/11 15:17, Robert Mc Cready wrote:
> We use Novell eDirectory and DSFW (Directory Services for Windows) which is kind of a Windows domain inside an OU in eDirectory. I want to authenticate users using LDAP and Windows computer accounts using ntlm_auth. There are only computer accounts in the Windows domain. The computer authentication is working fine but the user authentication with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth the user authentication works. Is there a way to have both of them working together?

Yes. Something like this:

    authorize {
        ...
        if (User-Name !~ /^host\//) {
            update control {
                MS-CHAP-Use-NTLM-Auth := no
            }
        }
        ...
    }
Attribute NOT being returned in access-accept ?
Freeradius Version 2.1.10

I'm trying to return a vendor attribute, but I don't seem to be seeing it in the access-accept ? I am inner tunneling to Peap, and you can see the attribute is there...

    Airespace-Interface-Name = wifi-chem-uconnect

but I'm not seeing it in the packet from eapol and I'm also not seeing it in the final Access-Accept sent from freeradius ?

    Sending Access-Accept of id 10 to 155.97.142.192 port 52965
        MS-MPPE-Recv-Key = 0x0e6bf137da352024fe32478d9b9c2cdabbba6a94f9e185e16ce5601b8e4a8328
        MS-MPPE-Send-Key = 0x99880b1843e321c484ceeb0ed19f55e2bbfa769f68e8783615beb220b13bb761
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x
        User-Name = whatever

From Peap ---

    [peap] Got tunneled reply RADIUS code 2
        Airespace-Interface-Name = wifi-chem-uconnect
        MS-MPPE-Encryption-Policy = 0x0001
        MS-MPPE-Encryption-Types = 0x0006
        MS-MPPE-Send-Key = 0x7aa77766e328dcdf3e38555995889912
        MS-MPPE-Recv-Key = 0x6af45f9c8437843caf8d2c2ea1f7d7d2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x
        User-Name = tstRad9
    [peap] Tunneled authentication was successful.

Thanks,
Robert
RE: Attribute NOT being returned in access-accept ?
That seemed to do the trick...

Thanks Much,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of James J J Hooper [jjj.hoo...@bristol.ac.uk]
Sent: Wednesday, March 30, 2011 4:11 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Attribute NOT being returned in access-accept ?

On 30/03/2011 22:59, Robert Roll wrote:
> Freeradius Version 2.1.10
>
> I'm trying to return a vendor attribute, but I don't seem to be seeing it in the access-accept ? I am inner tunneling to Peap, and you can see the attribute is there...
>
>     Airespace-Interface-Name = wifi-chem-uconnect
>
> but I'm not seeing it in the packet from eapol and I'm also not seeing it in the final Access-Accept sent from freeradius ?
>
>     Sending Access-Accept of id 10 to 155.97.142.192 port 52965
>         MS-MPPE-Recv-Key = 0x0e6bf137da352024fe32478d9b9c2cdabbba6a94f9e185e16ce5601b8e4a8328
>         MS-MPPE-Send-Key = 0x99880b1843e321c484ceeb0ed19f55e2bbfa769f68e8783615beb220b13bb761
>         EAP-Message = 0x030a0004
>         Message-Authenticator = 0x
>         User-Name = whatever
>
> From Peap ---
>
>     [peap] Got tunneled reply RADIUS code 2
>         Airespace-Interface-Name = wifi-chem-uconnect
>         MS-MPPE-Encryption-Policy = 0x0001
>         MS-MPPE-Encryption-Types = 0x0006
>         MS-MPPE-Send-Key = 0x7aa77766e328dcdf3e38555995889912
>         MS-MPPE-Recv-Key = 0x6af45f9c8437843caf8d2c2ea1f7d7d2
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x
>         User-Name = tstRad9
>     [peap] Tunneled authentication was successful.

Set use_tunnelled_reply to yes in eap.conf:

https://github.com/alandekok/freeradius-server/blob/14f534aa405cf0063bb10f4bc36493721e054246/raddb/eap.conf#L471

(also line 570 - once for TTLS, once for PEAP)

-James
testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
I'd like to test and see which particular client was responsible for a request. I found two attributes Client-Shortname and FreeRADIUS-Client-Shortname, but when I try and use this in unlang they do not seem to have values ? Any suggestions...

Thanks,
Robert
RE: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
Still does not seem to be working.. Still looks like it's expanding to nothing ?

    ++? if (%{client: shortname} == WCSmgmt )
        expand: %{client: shortname} ->
    ? Evaluating (%{client: shortname} == WCSmgmt ) -> FALSE
    ++? if (%{client: shortname} == WCSmgmt ) -> FALSE
    }

Yet in clients.conf:

    client 155.97.142.192 {
        secret = doesntmatter
        shortname = WCSmgmt
    }

The request does seem to be coming from the correct client ?

    rad_recv: Access-Request packet from host 155.97.142.192 port 55567, id=0, length=124

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Alan DeKok [al...@deployingradius.com]
Sent: Tuesday, March 29, 2011 12:00 PM
To: FreeRadius users mailing list
Subject: Re: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname

Robert Roll wrote:
> I'd like to test and see which particular client was responsible for a request. I found two attributes Client-Shortname and FreeRADIUS-Client-Shortname, but when I try and use this in unlang they do not seem to have values ? Any suggestions...

Use Packet-Src-IP-Address

Or, %{client: shortname}, if it's configured in clients.conf.

Alan DeKok.
RE: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
Using Packet-Src-IP-Address does appear to work.. However, I would really like to have a set of clients behave the same way. I would really like to do something like:

    client 1.2.3.4 {
        secret XX
        shortname mgmtStation
        Identical-client 1.2.3.5, 1.2.3.6, 1.2.3.7
    }

Then later on simply test on shortname mgmtStation ? If there is nothing like Identical-client... I did notice while debugging that doing something like:

    client 1.2.3.4 {
        secret XX
        shortname stMgt
    }
    client 1.2.3.5 {
        secret XX
        shortname stMgt
    }

Assigning two different IP number clients the same shortname ? I noticed that when I looked at some logs, the shortname was used in the log text for BOTH clients.. This could be exploited for what I want, if only the testing client based on shortname worked ?

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Robert Roll [robert.r...@utah.edu]
Sent: Tuesday, March 29, 2011 12:16 PM
To: FreeRadius users mailing list
Subject: RE: testing which client initiated request ? Client-shortname ... FreeRADIUS-Client-Shortname
RE: Strip off the domain part from the User-Name
Thank You! This is very good information... I did NOT realize that user@undefinedRealm would NOT preserve Realm. That does make a huge difference... I did read your other post, and am really NOT averse to making use of unlang. I did start to read a little about policy.conf and like the idea of sort of subroutines defined there...

Thanks Much,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Saturday, March 26, 2011 4:59 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Strip off the domain part from the User-Name

> On 03/25/2011 09:45 PM, Robert Roll wrote:
> > Note that in the above the Realm is quite useful, but there is NO need to actually do proxy, so really no REAL need to get into the proxy.conf?
>
> This is a good reason to use unlang rather than realm. realm is designed for proxying, always gets its list of realms from proxy.conf and sets the control:Proxy-To-Realm attribute.
>
> You also may not realise that user@undefined realm will set:
>
>     Stripped-User-Name = user
>     Realm = DEFAULT
>
> i.e. the Realm value does *not* preserve the text after the @.
>
> Your original problem (crazy loop) occurred because the DEFAULT realm you defined in proxy.conf was pointing somewhere else - probably back at the very same radius server, resulting in an infinite loop.
>
> HTH
RE: Strip off the domain part from the User-Name
We're currently running 2.1.10.. I seemed to notice that the Out of the Box Config does not seem to actually create a Stripped-Username and Realm. I did find that when I created a real realm in the proxy.conf file, then a Stripped-Username and Realm were available. So, I thought that if I really wanted ALL usernames stripped into their component parts, I would just change the example.com realm in the proxy.conf file to be DEFAULT? This then seemed to send the request into some sort of endless loop?

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Nolan King [nk...@mnwd.com]
Sent: Friday, March 25, 2011 10:35 AM
To: freeradius list
Subject: Re: Strip off the domain part from the User-Name

> freeradius 2.1.8: My environment uses ntlm_auth and ldap modules.
>
> in mschap module, i have a line like:
>
>     ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-re$
>
> also, in ldap:
>
>     filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
>
> no edits to default or inner-tunnel (other than to uncomment the ntlm_auth and mschap lines). I use this method to auth users connecting to wireless APs with xp, ios, linux, and win7 machines. I want users to be forced to enter their password to connect, so the clients are configured not to use the domain\username, just username and pw. Set up this way, a client sending username in domain\username form will be rejected. I am not sure this is right, but it allows me to use mschap auth with several different types of clients, and control access with an ldap group without worrying about the domain\user nonsense. Of course, i only have a single domain which simplifies things.
>
> Nolan
>
> On 3/25/2011 at 7:41 AM, in message 201103251541.07053.thomas.wun...@swt-bamberg.de, Thomas Wunder thomas.wun...@swt-bamberg.de wrote:
> > On Friday 25 March 2011 11:15:58 you wrote:
> > > Use %{mschap:User-Name} everywhere; this will give the bare username
> >
> > That sounds consequent but what exactly do you mean by everywhere? I use the policy.conf (as you can see by the debug output from my previous posting) to define some policies that are later on used within the 'authorize {...}' groups of sites-available/default and sites-available/inner-tunnel. I don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group information from my LDAP-server. The only place where I consciously reference any User-Name attribute is the modules/ldap and there I already do as you suggest (see attachment). Where else do I need to explicitly specify '%{mschap:User-Name}' to have rlm_mschap accept user names that incorporate a NT-domain name (i.e. to have rlm_mschap ignore the domain component of the user name)? My modules/mschap config file is pretty lucid at present:
> >
> >     mschap {
> >         use_mppe = yes
> >         require_encryption = yes
> >         require_strong = yes
> >         with_ntdomain_hack = no
> >     }
> >
> > And what about the realms approach? Can I save the trouble?
> >
> > > (and also correctly translate host/name.domain.com, if you later do machine auth)
> >
> > Thanks!
RE: Strip off the domain part from the User-Name
> Uh.. if you don't read the documentation and don't understand what you're doing, it probably won't do what you want.

Sometimes true, sometimes not :)

> Rather than randomly making changes, perhaps you could explain what you're trying to do, and why.

Right now, I'm just experimenting and trying to learn how things work... In any case, to give you an idea of one of the things I was thinking about... One idea is that we have a number of departments that want to be put into a particular VLAN when they login. When a user normally logs in, they simply use their username. This simply puts them in the general user VLAN. However, if they login with username@department, and they are authorized, we will return the particular radius attribute to put them into their specific department VLAN. A normal authorize might look like:

    ldapAuthUser
    if (Realm) {
        ldapAuthVLAN
    }

If one is smart about naming the Group in ldap the same as the Realm, then one can quite easily construct a search filter in the ldap module to look at the appropriate group in ldap. That group would actually have the particular radiusReplyItem to return the correct VLAN... Note that in the above the Realm is quite useful, but there is NO need to actually do proxy, so really no REAL need to get into the proxy.conf?

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Alan DeKok [al...@deployingradius.com]
Sent: Friday, March 25, 2011 1:09 PM
To: FreeRadius users mailing list
Subject: Re: Strip off the domain part from the User-Name

> Robert Roll wrote:
> > We're currently running 2.1.10.. I seemed to notice that the Out of the Box Config does not seem to actually create a Stripped-Username and Realm.
>
> It creates those attributes if you define a realm. If you don't define a realm, it doesn't know how to create a Realm attribute.
>
> > I did find that when I created a real realm in the proxy.conf file, then a Stripped-Username and Realm were available.
>
> Yes...
>
> > So, I thought that if I really wanted ALL usernames stripped into their component parts, I would just change the example.com realm in the proxy.conf file to be DEFAULT? This then seemed to send the request into some sort of endless loop?
>
> Uh.. if you don't read the documentation and don't understand what you're doing, it probably won't do what you want.
>
> Rather than randomly making changes, perhaps you could explain what you're trying to do, and why.
>
> Alan DeKok.
RE: Strip off the domain part from the User-Name
> If you just want to split username@realm into username and realm, you should be able to use this in authorize section
>
>     if ("%{request:User-Name}" =~ /^(.*)@(.*)$/) {
>         update request {
>             Stripped-User-Name := "%{1}"
>             Realm := "%{2}"
>         }
>     }

Yes, thanks, and we may end up doing exactly that. However, I just point out that freeradius OBVIOUSLY already has the capability to do exactly this, so why re-invent the wheel?

> As a side note, even if you only use freeradius locally (without any external server to proxy to), using proxy can be useful if you have multiple realms with different configurations. Using proxy you can split the request into different virtual servers based on their realm.
>
> -- Fajar

Yes, I do agree... As I said earlier, some of what I am doing is just to try and experiment and see what is possible. I'm actually quite impressed with Freeradius and right now, we are still a ways from what I would consider any kind of final configuration...

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Fajar A. Nugraha [l...@fajar.net]
Sent: Friday, March 25, 2011 4:00 PM
To: FreeRadius users mailing list
Subject: Re: Strip off the domain part from the User-Name

> On Sat, Mar 26, 2011 at 4:45 AM, Robert Roll robert.r...@utah.edu wrote:
> > A normal authorize might look like:
> >
> >     ldapAuthUser
> >     if (Realm) {
> >         ldapAuthVLAN
> >     }
> >
> > If one is smart about naming the Group in ldap the same as the Realm, then one can quite easily construct a search filter in the ldap module to look at the appropriate group in ldap. That group would actually have the particular radiusReplyItem to return the correct VLAN... Note that in the above the Realm is quite useful, but there is NO need to actually do proxy, so really no REAL need to get into the proxy.conf?
>
> If you just want to split username@realm into username and realm, you should be able to use this in authorize section
>
>     if ("%{request:User-Name}" =~ /^(.*)@(.*)$/) {
>         update request {
>             Stripped-User-Name := "%{1}"
>             Realm := "%{2}"
>         }
>     }
>
> As a side note, even if you only use freeradius locally (without any external server to proxy to), using proxy can be useful if you have multiple realms with different configurations. Using proxy you can split the request into different virtual servers based on their realm.
>
> -- Fajar
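The difference Phil points out (rlm_realm mapping an unknown suffix to Realm = DEFAULT) and Fajar's regex split behave differently on the same User-Name, and the difference matters when, as in Robert's plan, the Realm text is later used to select an LDAP group. The following is an added example, not FreeRADIUS or rlm_realm code: realm_module_split() models rlm_realm's suffix handling as the thread describes it, regex_split() does what the unlang above does but with a stricter pattern that rejects names containing more than one "@" (an assumption of mine; the thread's regex would split at the last "@"). The KNOWN_REALMS set is constructed to stand in for proxy.conf.

```python
"""Model of the two username-splitting strategies discussed in the thread.
Added example; not FreeRADIUS code.  Assumptions: KNOWN_REALMS stands in
for the realms defined in proxy.conf, and the returned dicts use the
attribute names the server would add to the request."""
import re

# Constructed: the realms proxy.conf would define (example.com is the
# default config's sample realm; chem is Robert's department realm).
KNOWN_REALMS = {"example.com", "chem"}


def realm_module_split(user_name, known_realms=KNOWN_REALMS, have_default=True):
    """What rlm_realm (format = suffix) adds to the request.

    A known suffix sets Realm to that text.  An unknown suffix falls back
    to the DEFAULT realm when one exists, so Realm becomes the literal
    string "DEFAULT" and the text after the "@" is lost (Phil's point).
    Without a DEFAULT realm the module is a noop.  (rlm_realm also looks
    for a realm literally named NULL when there is no suffix; that case
    is modelled as a plain noop here.)"""
    if "@" not in user_name:
        return {}
    user, _, realm = user_name.rpartition("@")   # suffix = text after the last "@"
    if realm in known_realms:
        return {"Stripped-User-Name": user, "Realm": realm}
    if have_default:
        return {"Stripped-User-Name": user, "Realm": "DEFAULT"}
    return {}


# Stricter than the unlang in the thread: exactly one "@", both sides non-empty.
REALM_RE = re.compile(r"^([^@]+)@([^@]+)$")


def regex_split(user_name):
    """What the unlang regex approach adds: the realm text is preserved
    verbatim, so it can be compared against a department name later."""
    m = REALM_RE.match(user_name)
    if not m:
        return {}
    return {"Stripped-User-Name": m.group(1), "Realm": m.group(2)}


def department_vlan_realm(user_name):
    """Robert's use case: the realm is only meaningful if it survives as
    text, which is why the regex route is the one that works for it."""
    return regex_split(user_name).get("Realm")


if __name__ == "__main__":
    for name in ("bob", "bob@example.com", "bob@undefined", "a@b@c"):
        print("%-18s realm module: %-45s regex: %s"
              % (name, realm_module_split(name), regex_split(name)))
```

Run it and the "bob@undefined" row shows the two approaches diverge exactly where the thread says they do: the realm module reports DEFAULT, the regex keeps "undefined".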
RE: Load Balancing EAP with freeradius...
Thanks, The following seems to work pretty well for us.

    authorize {
        update control {
            #Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
            Load-Balance-Key := "%{Calling-Station-ID}"
        }
        # ... remainder of the section
    }

I had taken a snapshot of unique client-mac addresses we encountered over about a 3 month period. That came to 28,874. Doing a test with balancing off of the client-mac addresses, the hash seems to create nearly equal buckets. My test was with 4 backend servers behind a load balancer...

Again thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Alexander Clouter [a...@digriz.org.uk]
Sent: Thursday, March 24, 2011 4:15 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Load Balancing EAP with freeradius...

> Robert Roll robert.r...@utah.edu wrote:
> > I'd like to try load balancing EAP/PEAP/MSCHAPV2 using freeradius. I looked at the proxy.conf and it seems that there are two options, because you have to ensure the same end client talks to the same radius server. There seems to be client-balance that uses IP source addresses and there is Load-Balance-Key something like
> >
> >     update control {
> >         Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
> >     }
> >
> > Currently, we have a Radiator server that uses client mac-addresses for this purpose. If I do want to use the Load-Balance-Key, I'm honestly not sure where to put the update of the Load-Balance-Key.. Does it go in the proxy.conf?
>
> Straight into your 'authorize' section, as close to the top as you like/can.
>
> The following is roughly what we use, we only do it for 'Realm == DEFAULT' as that is for our 'eduroam'ing userbase:
>
>     authorize {
>         preprocess
>         suffix
>
>         [unlang/policy that is used for *all* packets]
>
>         eap {
>             ok = return
>         }
>
>         # done after eap so we can record what guests are using
>         if (Realm == "DEFAULT") {
>             update control {
>                 Load-Balance-Key := "%{NAS-IPv6-Address} %{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-Id}"
>             }
>
>             # break out of 'authorize' early to spare CPU cycles
>             handled
>         }
>
>         [unlang/policy that is used for all *non-proxied* packets]
>     }
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: People who push both buttons should get their wish.
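What Load-Balance-Key buys you is that every round trip of one EAP conversation hashes to the same home server, which is the requirement Robert states at the start of the thread; keying on Calling-Station-Id alone (his final config) also makes the choice independent of which NAS port or controller the client roams through. The block below is an added example, not FreeRADIUS code: it normalises the MAC spellings different NASes send, builds the key the way the thread's config does, and checks that a four-server pool gets near-equal buckets. The SHA-256-modulo-pool bucket function is my assumption standing in for whatever hash the proxy code uses internally; the HOME_SERVERS pool and the MAC list are constructed.

```python
"""Keyed (sticky) load balancing for EAP, modelled on FreeRADIUS's
Load-Balance-Key.  Added example; not FreeRADIUS code.  Assumption: the
bucket function (SHA-256 of the key, modulo the pool size) stands in for
the server's internal hash; the property demonstrated holds for any
stable hash."""
import hashlib
import re
from collections import Counter

HOME_SERVERS = ["radius1", "radius2", "radius3", "radius4"]   # constructed pool


def normalise_mac(calling_station_id):
    """Canonicalise 00-1A-2B-3C-4D-5E / 00:1a:2b:3c:4d:5e / 001a.2b3c.4d5e
    to one spelling, so the same client never hashes two ways because two
    NAS vendors format Calling-Station-Id differently."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_balance_key(request):
    """Key from Calling-Station-Id, as in the thread's final config.
    A request with no MAC falls back to NAS address + port so it still
    lands deterministically instead of failing."""
    mac = request.get("Calling-Station-Id")
    if mac:
        return normalise_mac(mac)
    return "%s %s" % (request.get("NAS-IP-Address", ""), request.get("NAS-Port", ""))


def pick_home_server(key, servers=HOME_SERVERS):
    """Stable hash -> bucket.  Same key, same server, on every node."""
    digest = hashlib.sha256(key.encode()).digest()
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def servers_for_conversation(requests, servers=HOME_SERVERS):
    """The set of home servers a list of related requests would reach.
    For a correctly keyed EAP conversation this set has exactly one
    element; a second element means the TLS state would be split."""
    return {pick_home_server(load_balance_key(r), servers) for r in requests}


def bucket_counts(keys, servers=HOME_SERVERS):
    """Distribution check of the kind Robert ran on his 28,874 MACs."""
    return Counter(pick_home_server(k, servers) for k in keys)


if __name__ == "__main__":
    # Constructed: one client seen as three EAP round trips, with the NAS
    # spelling the MAC differently and changing port between them.
    conversation = [
        {"Calling-Station-Id": "00-1A-2B-3C-4D-5E", "NAS-Port": "1"},
        {"Calling-Station-Id": "00:1a:2b:3c:4d:5e", "NAS-Port": "1"},
        {"Calling-Station-Id": "001a.2b3c.4d5e", "NAS-Port": "2"},
    ]
    print("conversation reaches:", servers_for_conversation(conversation))
    macs = ["02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
            for i in range(4000)]
    print("bucket sizes for 4000 constructed MACs:", bucket_counts(macs))
```

The fallback key deserves a second look in production: a NAS that omits Calling-Station-Id will pin all of its clients to one server, which is the client-balance behaviour Phil mentions rather than per-client balancing.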
RE: Group checking in ldap authorization
Thanks for helping me to understand this. I think the way this really works has more utility than what I was thinking. I can actually accomplish what I want using two ldap instance authorizations. One for the User look up, then one for the Group VLAN setting. There were going to be two ldap queries in any case...

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Wednesday, March 23, 2011 3:14 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Group checking in ldap authorization

> On 03/22/2011 06:15 PM, Robert Roll wrote:
> > This does seem to work differently than I thought..
>
> Yeah, like I say: it's a virtual attribute that does the group search when you compare it.
>
> > My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time... i.e.
> >
> >     ntlm_auth ... --require-membership-of={SID|Name}
>
> Nope, different.
>
> > What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group... There are other ways of accomplishing this
>
> I think you may want the LDAP profiles stuff? Or, use an xlat:
>
>     update reply {
>         Tunnel-Private-Group-Id = "%{ldap:ldap query url here}"
>     }
Load Balancing EAP with freeradius...
I'd like to try load balancing EAP/PEAP/MSCHAPV2 using freeradius. I looked at the proxy.conf and it seems that there are two options, because you have to ensure the same end client talks to the same radius server. There seems to be client-balance that uses IP source addresses and there is Load-Balance-Key something like

    update control {
        Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
    }

Currently, we have a Radiator server that uses client mac-addresses for this purpose. If I do want to use the Load-Balance-Key, I'm honestly not sure where to put the update of the Load-Balance-Key.. Does it go in the proxy.conf?

Thanks,
Robert
RE: Load Balancing EAP with freeradius...
Thanks, I put the update Load-Balance-Key right at the top of the authorize section in the ../sites-enabled/default... that seems to be working pretty well... I'll look more at the client-port-balance...

thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Wednesday, March 23, 2011 3:47 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Load Balancing EAP with freeradius...

> On 03/23/2011 08:56 PM, Robert Roll wrote:
> > I'd like to try load balancing EAP/PEAP/MSCHAPV2 using freeradius. I looked at the proxy.conf and it seems that there are two options, because you have to ensure the same end client talks to the same radius server. There seems to be client-balance that uses IP source addresses and
>
> We use client-port-balance. IIRC this is the recommended method for UK eduroam sites.
>
> > there is Load-Balance-Key something like
> >
> >     update control {
> >         Load-Balance-Key := "%{NAS-IP-Address} %{NAS-Port} %{User-Name} %{Calling-Station-ID}"
> >     }
>
> Huh. Neat. I hadn't seen that.
>
> > Currently, we have a Radiator server that uses client mac-addresses for this purpose. If I do want to use the Load-Balance-Key, I'm honestly not sure where to put the update of the Load-Balance-Key.. Does it go in the proxy.conf?
>
> That's an unlang statement, so it goes in a radius virtual server. Since you want to use it for proxying you will have to do it in the authorize section (or maybe pre-proxy) e.g. /etc/raddb/sites-enabled/default:
>
>     authorize {
>         update control {
>             Load-Balance-Key = "%{Calling-Station-Id}"
>         }
>     }
Group checking in ldap authorization
I have an ldap module that I want to force to do group checking. Reading the documentation, it seems that there should be an attribute (I'm assuming control?) that should force that check? i.e. instance-name-Ldap-Group .. I notice that the ldap module seems to have group checking disabled by default. I thought that uncommenting the group config below should enable it?

    #
    # Group membership checking. Disabled by default.
    #
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    groupmembership_attribute = radiusGroupName

Below is what I have in my authorization section.

    update control {
        ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"
    }
    ldapADut {
        notfound = reject
    }

Looking at the debug, it seems that there is no attempt to actually do any group checking? What am I doing wrong?

Thanks,
Robert
RE: Group checking in ldap authorization
The below is out of the .../share/doc/freeradius/rlm_ldap. Note that it shows the Ldap_Group variable being set in the users file, but I'm assuming it should not really matter where it gets set?

    DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com"

Also, the part about the specific instance Ldap-Group is:

    Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form instance_name-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like ...

Note, I do not want to test for Ldap_Group, I want to be able to actually set it so it is used within the ldap module?

Thanks,
Robert

From .../share/doc/freeradius/rlm_ldap

    GROUP SUPPORT:

    The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module has been instantiated it can be used to do group membership checks through other modules. For example in the users file:

    DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
            Reply-Message = "Sorry, you are not allowed to have dialup access"

    DNs are also accepted as Ldap-Group values, i.e.:

    DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
            Reply-Message = "Sorry, you are not allowed to have dialup access"

    Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form instance_name-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like:

    ldap myname {
        [...]
    }

    we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the ldap module is instantiated *before* the files module so that it will have time to register the corresponding attribute. One solution would be to add the ldap module in the instantiate{} block in radiusd.conf

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Tuesday, March 22, 2011 8:46 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Group checking in ldap authorization

> On 22/03/11 14:24, Robert Roll wrote:
> > Below is what I have in my authorization section.
> >
> >     update control {
> >         ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"
> >     }
> >     ldapADut {
> >         notfound = reject
> >     }
>
> Where did you get this from? It's totally wrong.
>
> Try:
>
>     if (Ldap-Group == "chemVLAN") {
>     }
>
> Ldap-Group (or modname-Ldap-Group) is a virtual attribute, that will perform the group membership check when you run a comparison.
RE: Group checking in ldap authorization
This does seem to work differently than I thought.. My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time... i.e.

    ntlm_auth ... --require-membership-of={SID|Name}

What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group... There are other ways of accomplishing this

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Robert Roll [robert.r...@utah.edu]
Sent: Tuesday, March 22, 2011 11:21 AM
To: FreeRadius users mailing list
Subject: RE: Group checking in ldap authorization

> The below is out of the .../share/doc/freeradius/rlm_ldap. Note that it shows the Ldap_Group variable being set in the users file, but I'm assuming it should not really matter where it gets set?
>
>     DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com"
>
> Also, the part about the specific instance Ldap-Group is:
>
>     Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form instance_name-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like ...
>
> Note, I do not want to test for Ldap_Group, I want to be able to actually set it so it is used within the ldap module?
>
> Thanks,
> Robert
>
> From .../share/doc/freeradius/rlm_ldap
>
>     GROUP SUPPORT:
>
>     The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module has been instantiated it can be used to do group membership checks through other modules. For example in the users file:
>
>     DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
>             Reply-Message = "Sorry, you are not allowed to have dialup access"
>
>     DNs are also accepted as Ldap-Group values, i.e.:
>
>     DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
>             Reply-Message = "Sorry, you are not allowed to have dialup access"
>
>     Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form instance_name-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like:
>
>     ldap myname {
>         [...]
>     }
>
>     we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the ldap module is instantiated *before* the files module so that it will have time to register the corresponding attribute. One solution would be to add the ldap module in the instantiate{} block in radiusd.conf
>
> From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Phil Mayers [p.may...@imperial.ac.uk]
> Sent: Tuesday, March 22, 2011 8:46 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Group checking in ldap authorization
>
> > On 22/03/11 14:24, Robert Roll wrote:
> > > Below is what I have in my authorization section.
> > >
> > >     update control {
> > >         ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"
> > >     }
> > >     ldapADut {
> > >         notfound = reject
> > >     }
> >
> > Where did you get this from? It's totally wrong.
> >
> > Try:
> >
> >     if (Ldap-Group == "chemVLAN") {
> >     }
> >
> > Ldap-Group (or modname-Ldap-Group) is a virtual attribute, that will perform the group membership check when you run a comparison.
Behaviour of multiple sequenced authorization modules ?
I would like to have multiple authorization modules invoked and then reject if ANY do NOT authorize? For instance..

    authorize {
        ldap1
        ldap2
    }

It appears if just one returns OK, then the subsequent authentication works. BTW.. The subsequent authentication is actually a PEAP/MSCHAPV2... Therefore, the ldap modules are ONLY used for authorization... Is there somewhere that discusses the various options on how to control the behaviour when multiple authorization modules are involved?

Thanks,
Robert

Robert Roll
Computer Professional
University of Utah
robert.r...@utah.edu
RE: Behaviour of multiple sequenced authorization modules ?
I'm a little new to freeradius.. Hmm.. I guess I made the assumption that a user notfound would actually imply no authorization? That doesn't seem to be the case? So, I did the following...

    authorize {
        ldap1 {
            notfound = reject
        }
        ldap2 {
            notfound = reject
        }
    }

is this the correct way to do this?

Thanks,
Robert

From: freeradius-users-bounces+robert.roll=utah@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah@lists.freeradius.org] On Behalf Of Robert Roll [robert.r...@utah.edu]
Sent: Monday, March 21, 2011 4:23 PM
To: FreeRadius users mailing list
Subject: Behaviour of multiple sequenced authorization modules ?

> I would like to have multiple authorization modules invoked and then reject if ANY do NOT authorize? For instance..
>
>     authorize {
>         ldap1
>         ldap2
>     }
>
> It appears if just one returns OK, then the subsequent authentication works. BTW.. The subsequent authentication is actually a PEAP/MSCHAPV2... Therefore, the ldap modules are ONLY used for authorization... Is there somewhere that discusses the various options on how to control the behaviour when multiple authorization modules are involved?
>
> Thanks,
> Robert
>
> Robert Roll
> Computer Professional
> University of Utah
> robert.r...@utah.edu
RE: Corrupted Secret with squid_radius_auth
I managed to fix this, my mistake was downloading the Radius_Auth V1.10 helper separately. When I compiled the Radius_Auth included in the squid package, it worked perfectly.

A related question, is there a way to put two radius servers in the config file or do I need to call the radius_auth helper twice pointing to two different config files?

TIA
Rob

-----Original Message-----
From: freeradius-users-bounces+robert=saq.co...@lists.freeradius.org [mailto:freeradius-users-bounces+robert=saq.co...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 17 February 2011 14:39
To: FreeRadius users mailing list
Subject: Re: Corrupted Secret with squid_radius_auth

> Robert Dunkley wrote:
> > I was wondering if anyone knew of a fix for the corrupted secret issue with squid_radius_auth under 64bit OS?
>
> Ask the squid people to fix their software.
>
> Alan DeKok.

The SAQ Group
Registered Office: 18 Chapel Street, Petersfield, Hampshire GU32 3DZ
SAQ is the trading name of SEMTEC Limited. Registered in England Wales Company Number: 06481952
http://www.saqnet.co.uk AS29219
SAQ Group Delivers high quality, honestly priced communication and I.T. services to UK Business. Broadband : Domains : Email : Hosting : CoLo : Servers : Racks : Transit : Backups : Managed Networks : Remote Support.
ISPA Member
RE: Corrupted Secret with squid_radius_auth
Sorry, I thought I was emailing the squid lists.

Rob

-----Original Message-----
From: freeradius-users-bounces+robert=saq.co...@lists.freeradius.org [mailto:freeradius-users-bounces+robert=saq.co...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 18 February 2011 11:43
To: FreeRadius users mailing list
Subject: Re: Corrupted Secret with squid_radius_auth

> Robert Dunkley wrote:
> > A related question, is there a way to put two radius servers in the config file or do I need to call the radius_auth helper twice pointing to two different config files?
>
> Ask the squid people how to use their software.
>
> Alan DeKok.
Corrupted Secret with squid_radius_auth
I was wondering if anyone knew of a fix for the corrupted secret issue with squid_radius_auth under 64bit OS? I have the exact same issue as the user in the link below but am using Radiator (Works fine with other Radius clients):

http://freeradius.1045715.n5.nabble.com/Issues-with-squid-radius-auth-td2788947.html

TIA
Rob
RE: Corrupted Secret with squid_radius_auth
Hi Alan,

Thanks for the reply. I think it might be possible to achieve the same thing with this: http://freeradius.org/pam_radius_auth/ Never used PAM though so it's a bit of a learning curve. Do you know of people successfully running radius auth for squid on a 64bit OS?

Thanks again,
Rob

-----Original Message-----
From: freeradius-users-bounces+robert=saq.co...@lists.freeradius.org [mailto:freeradius-users-bounces+robert=saq.co...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 17 February 2011 14:39
To: FreeRadius users mailing list
Subject: Re: Corrupted Secret with squid_radius_auth

> Robert Dunkley wrote:
> > I was wondering if anyone knew of a fix for the corrupted secret issue with squid_radius_auth under 64bit OS?
>
> Ask the squid people to fix their software.
>
> Alan DeKok.
Machine Authentication and Active Directory group lookups
Hello all,

I have FreeRadius v 2.1.10 installed and configured to authenticate users against Active Directory using PEAP/MSChapV2 and perform Group membership lookups via the ldap module so that I can configure radius reply attributes to provide VLAN assignment and Dynamic ACLs. All is working extremely well, but one item that I would also like to get working is the Machine Authentication. Machine Authentication is working with the exception of the ldap group lookup. From what I can tell, when the machine authenticates, the ntlm_auth knows that the request is a Machine Authentication and appends the $ to the end of the username for the sAMAccountName:

# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[inner-eap] Request found, released from the list
[inner-eap] EAP/mschapv2
[inner-eap] processing type mschapv2
[mschapv2] # Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/lab..com
[mschap] Told to do MS-CHAPv2 for host/lab..XXX with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=lab$
[mschap] mschap2: 78
[mschap] Creating challenge hash with username: host/lab..XXX
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a9c34f78fae78fd0
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=961d047adaedc84346d00fcd2a0a67139ff4a95c9e13ae61
Exec-Program output: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program-Wait: plaintext: NT_KEY: 65891DD9BE6290D3EEB54D8EB6612EFF
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success

Since I am using:

filter = ((sAMAccountName=%{mschap:User-Name}))

in the ldap module, FreeRadius is trying to do a group lookup on: lab$ which is not found in any Active Directory groups:

# Executing section post-auth from file /usr//etc/raddb/sites-enabled/default
+- entering group post-auth {...}
[ldap] Entering ldap_groupcmp()
[files] expand: ou=,dc=,dc=XXX -> ou=,dc=,dc=XXX
[files] expand: ((sAMAccountName=%{mschap:User-Name})) -> ((sAMAccountName=lab$))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=,dc=,dc=XXX, with filter ((sAMAccountName=lab$))
[ldap] object not found

Is it possible to remove the $ from the sAMAccountName in the LDAP module without breaking the User Authentication?

Thanks
Robert Graham

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
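An added example, not part of Robert's post or of FreeRADIUS itself: a Python model of the identity rewrite the debug output above shows (host/lab... expanding to lab$), of the RFC 4515-escaped LDAP filter built from it, and a small parser for the expand: lines. The DOMAIN\user branch of mschap_user_name() is my reading of rlm_mschap and an assumption; SAMPLE_DEBUG is constructed from the lines quoted above.

```python
"""Model of the name rewrite behind the post's LDAP group lookup.

Added example, not code from the post or from FreeRADIUS. Assumptions:
  * mschap_user_name() models the %{mschap:User-Name} expansion. The
    host/<name>.<domain> -> <name>$ rule is what the post's log shows;
    the DOMAIN\\user -> user rule is my reading of rlm_mschap.
  * ldap_filter_escape() implements RFC 4515 assertion-value escaping.
"""
import re


def mschap_user_name(user_name: str) -> str:
    """Return the account name the mschap module hands to ntlm_auth.

    A machine authenticates as host/<name>.<domain>. The matching AD
    computer object's sAMAccountName is <name>$, so the short host name
    with a trailing '$' is returned (the post's log: --username=lab$).
    Users arrive as DOMAIN\\user or as a bare name (assumption).
    """
    if user_name.startswith("host/"):
        host = user_name[len("host/"):]
        short = host.split(".", 1)[0]
        return short + "$"
    _, sep, after = user_name.rpartition("\\")
    return after if sep else user_name


def ldap_filter_escape(value: str) -> str:
    """Escape '*', '(', ')', '\\' and NUL as \\XX (RFC 4515).

    The identity comes from the supplicant, so it must not be able to
    change the structure of the filter it is interpolated into. '$' is
    not special in a filter and passes through unchanged.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(user_name: str, attr: str = "sAMAccountName") -> str:
    """Build the search filter the post's ldap module configuration expands to."""
    return "(%s=%s)" % (attr, ldap_filter_escape(mschap_user_name(user_name)))


def is_machine_account(sam_account_name: str) -> bool:
    """AD computer accounts carry a trailing '$' in sAMAccountName."""
    return sam_account_name.endswith("$")


# 'expand: <template> -> <result>' as printed by radiusd -X
EXPAND_RE = re.compile(r"expand: (?P<tmpl>.*?) -> (?P<result>.*)$")

# Constructed sample, taken from the lines quoted in the post above.
SAMPLE_DEBUG = """\
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=lab$
[files] expand: ((sAMAccountName=%{mschap:User-Name})) -> ((sAMAccountName=lab$))
[ldap] object not found
"""


def expansions(debug_text: str):
    """Return (template, result) pairs for every expand: line in debug output."""
    pairs = []
    for line in debug_text.splitlines():
        m = EXPAND_RE.search(line)
        if m:
            pairs.append((m.group("tmpl"), m.group("result")))
    return pairs


if __name__ == "__main__":
    for ident in ("host/lab.example.com", "EXAMPLE\\jdoe", "jdoe"):
        print(ident, "->", group_filter(ident))
    for tmpl, result in expansions(SAMPLE_DEBUG):
        print("template:", tmpl, "| result:", result)
```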
Re: FW: Problem with PEAP MS-ChapV2 against AD
Alan,

Thanks for the tips. I followed everything, PAP worked fine, but I still had problems with EAP even with using the certificates from the Radius distro. The part that didn't make a lot of sense to me was it would go thru all the process, and MSCHAP showed success:

[mschap] Creating challenge hash with username: test1
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=101d5affa80deb2a
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2ff233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa
Exec-Program output: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D
Exec-Program-Wait: plaintext: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success

But after that was [peap] Got tunneled reply code 11.

Some searches on google indicated that I might be facing a Samba bug. After updating to the latest release 3.5.6 and adding winbind:forcesamlogon to the smb.conf file it started working. Now I am off to adding LDAP for group membership and configure for dynamic vlans and acls.

-Robert

--
View this message in context: http://freeradius.1045715.n5.nabble.com/FW-Problem-with-PEAP-MS-ChapV2-against-AD-tp3340563p3342137.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: FW: Problem with PEAP MS-ChapV2 against AD
Alan,

Thanks for the quick response. The reason I generated my own certs was that if we can get 802.1x to work, when we move to production we will want to have the certificate signed by our Windows CA. So I wanted this to be part of the test plan.

I looked at that webpage at least three times today. I think I am so glued to the issue that the xpextensions are missing or wrong, but when I view the certificate issued by our CA, it does have the attributes there with an OID of 1.3.6.1.5.5.7.3.1 for Server Certificate Requirements.

http://freeradius.1045715.n5.nabble.com/file/n3340698/cert.jpg

Are you referring to the Debugging it yourself section? I am in the process of installing screen and going through those steps.

Thanks
-Robert

--
View this message in context: http://freeradius.1045715.n5.nabble.com/FW-Problem-with-PEAP-MS-ChapV2-against-AD-tp3340563p3340698.html
Re: ldap - edirectory authentication
Thanks for everyone's help on this. We got it to work, now using eap-peap. We truly believe it was using mschapv2 before, but cannot prove that to ourselves. Every time something changes we learn much more than we knew before, so I guess that's a good thing.

thanks again.

robert

Robert Koskey, Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080 Cell: 403-988-4640

Alexander Clouter a...@digriz.org.uk 12/11/2010 4:35 AM

Peter Lambrechtsen plambrecht...@gmail.com wrote:

On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten ggat...@waddell.com wrote:

Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readmes.

Yes it's a configure switch when you compile FR. I would assume that since it's a version distributed with SLES (I would assume OpenSUSE would be the same), but can check in the srpm to make sure it's in there. But I would be surprised if it wasn't.

The main things to be sure is your Universal Password policy assigned to your users allows Admins (or a specific user) to retrieve the User's password, and that the service account you use to bind to eDirectory in FR is one of those accounts. And that you are binding over LDAPS (SSL) on port 636 typically. Which may require you to import in the LDAP Server's CA Cert into the certificate keystore in the LDAP SSL Config.

Am I missing something obvious but in the original post was:

rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password

We are ourselves condemned to hell too and are forced to use Novell but all this UP malarkey works for us just fine. The OP obviously has already enabled universal password according to the debugging message, a five second look at the source code also confirms this:

https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_ldap/rlm_ldap.c#L1592

Of course I have no idea why the Cleartext-Password attribute is disappearing after passing through authorize/ldap before it gets to pap/chap/mschap but I cannot see the OP's config. The problem seems not to be a flag at compile time, it's a configuration problem.

Cheers

--
Alexander Clouter
.sigmonster says: No purchase necessary.
RE: ldap - edirectory authentication
I actually just edited the files without copying. But thanks. We are trying to hold onto Novell as long as we can.

robert

Robert Koskey, Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080 Cell: 403-988-4640

Gary Gatten ggat...@waddell.com 12/9/2010 3:46 PM

Good to see Novell fans still exist! No time to dig into this, but I’ve seen on the list several times that copying configs from one version of FR to another is not always supported / recommended. Probably doesn’t help much, but maybe point you in the right direction. Can you reinstall the original working version and conf of FR?

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Robert Koskey
Sent: Thursday, December 09, 2010 4:41 PM
To: freeradius-users@lists.freeradius.org
Subject: ldap - edirectory authentication
Re: ldap - edirectory authentication
We really aren't too sure about that. We just installed it from the media that OpenSuse 11.3 came with. We have noticed the bit about the --with-edir but even when we downloaded and compiled the FR 2.1.10 (latest) we didn't see how we could install with that option. If you know, please shed some light.

thanks,

Robert Koskey, Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080 Cell: 403-988-4640

Peter Lambrechtsen plambrecht...@gmail.com 12/9/2010 3:48 PM

You may need to comment out the logintime and pap sections, since this isn't a pap authentication. It seems like the password is being correctly extracted out of eDirectory using Universal Password, but are you sure that's properly configured in the build version of FreeRadius?

On Fri, Dec 10, 2010 at 11:40 AM, Robert Koskey rkos...@rockyview.ab.ca wrote:
RE: ldap - edirectory authentication
Not too sure. We've looked thru all the conf's. Where would I look?

robert

Robert Koskey, Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080 Cell: 403-988-4640

Gary Gatten ggat...@waddell.com 12/10/2010 7:37 AM

It’s a configure flag no?

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org On Behalf Of Robert Koskey
Sent: Friday, December 10, 2010 8:30 AM
To: FreeRadius users mailing list
Subject: Re: ldap - edirectory authentication
Re: ldap - edirectory authentication
thanks, I'll try that.

robert

Robert Koskey, Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080 Cell: 403-988-4640

Gary Gatten ggat...@waddell.com 12/10/2010 7:59 AM

Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readmes.

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Sent: Fri Dec 10 08:54:18 2010
Subject: RE: ldap - edirectory authentication
ldap - edirectory authentication
Can anyone help?

We are trying to do an ldap authentication from Novell's eDirectory to an Aruba controller for wireless access. These are the errors we are getting. It used to work perfectly but the original radius server blew up. We installed a new one with the same configuration and it doesn't work. The problem areas are bolded. The problem seems to occur after the ldap authentication. I don't think we are entirely clear about the order in which the whole process happens. Any help or suggestions would be greatly appreciated.

The set up is: OpenSuse 11.0 FreeRadius 2.0.5
We have tried: OpenSuse 11.3 FreeRadius 2.1.9 (same result)

rad_recv: Access-Request packet from host 10.215.10.100 port 34806, id=218, length=199
User-Name = jordanhkaltenbruner
NAS-IP-Address = 10.200.8.30
NAS-Port = 2
NAS-Identifier = 10.215.10.99
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 78CA39B5D3E5
Called-Station-Id = 000B8661AC58
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572
Aruba-Essid-Name = SCHS-Student
Aruba-Location-Id = SpringbankW2-9
Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = jordanhkaltenbruner, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jordanhkaltenbruner
WARNING: Deprecated conditional expansion :-. See man unlang for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=jordanhkaltenbruner)
expand: ou=springhigh_lab,o=springhigh -> ou=springhigh_lab,o=springhigh
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.215.0.3:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=admin,o=springhigh/ to 10.215.0.3:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=springhigh_lab,o=springhigh, with filter (uid=jordanhkaltenbruner)
rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jordanhkaltenbruner authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: No clear-text password in the request. Not performing PAP.
++[pap] returns noop
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> jordanhkaltenbruner
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 218 to 10.215.10.100 port 34806
Finished request 0.

Robert Koskey, Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080 Cell: 403-988-4640
Oracle OID and FreeRadius
Okay, so we've got the whole ancient version thing sorted out, and we now have things working - sort of.

To recap: We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID. We now have the following situation - and fair warning this is something of an edge-case as far as FreeRadius goes, as the problem appears to be more OID.

We can: Use the oracleadmin user to bind to OID and have everything work. This is sub-optimal for more reasons than I care to count, and probably more than I can imagine.

We can: Set up an ACL/ACI in OID to allow the purpose-created bind-user to access the userpassword of a specific user. Radius authentication then works for that user. Needless to say, it is impractical to do this for every single user.

We cannot: Set up an OID ACL/ACI to allow the purpose-created bind-user to access the userpassword of every user. This is where we want to get to.

An alternate path would be to convince FreeRadius to obtain the user-supplied password via EAP-GTC *before* connecting to OID to authenticate the user, if that is possible. (None of the doco I have read to date suggests that it is.)

Does anyone have any suggestions? Oracle are being questioned on this as well, but are not being particularly helpful yet.

-Rob.
Unix Systems Administrator
Bunnings Group Limited
126 Pilbara Street, Welshpool WA 6106
Locked Bag 20, Welshpool WA 6986
Phone : (08) 9365-1507 Fax : (08) 9358-6054
E-mail : rmast...@bunnings.com.au
Website : www.bunnings.com.au
RE: Oracle OID and FreeRadius
I had forgotten about that - thanks, I'll try giving that a go.

-Rob

-----Original Message-----
From: freeradius-users-bounces+rmasters=bunnings.com...@lists.freeradius.org On Behalf Of Fajar A. Nugraha
Sent: Wednesday, 8 December 2010 11:20 AM
To: FreeRadius users mailing list
Subject: Re: Oracle OID and FreeRadius

On Wed, Dec 8, 2010 at 9:50 AM, Robert Masters rmast...@bunnings.com.au wrote:

An alternate path would be to convince FreeRadius to obtain the user-supplied password via EAP-GTC *before* connecting to OID to authenticate the user, if that is possible. (None of the doco I have read to date suggests that it is.)

That is possible. Have you read the reply I sent to your previous mail?

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66872.html

Note that if you go that route it's not enough to simply configure FreeRadius to use EAP-GTC. You must configure all clients to do EAP-GTC as well.

Does anyone have any suggestions?

It works for Lotus Domino's LDAP. It should work as well for any LDAP server that allows bind as a user.

--
Fajar
RE: eap-gtc error in authentication
I would just like to take this opportunity to thank RedHat for their wonderfully consistent naming of packages. I just did not *think*, being so used to RedHat version numbers being way out of sync with reality, thanks to their backport policy.

(Departs to *fix* things - with prejudice.)

Thanks for pointing out my stupidity to me.

-----Original Message-----
From: freeradius-users-bounces+rmasters=bunnings.com...@lists.freeradius.org [mailto:freeradius-users-bounces+rmasters=bunnings.com...@lists.freeradius.org] On Behalf Of John Dennis
Sent: Wednesday, 24 November 2010 8:38 PM
To: FreeRadius users mailing list
Cc: Alexander Clouter
Subject: Re: eap-gtc error in authentication

On 11/24/2010 03:51 AM, Alexander Clouter wrote:
> Hi,
>
> Robert Masters <rmast...@bunnings.com.au> wrote:
>> We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID. We've had a number of hiccoughs along the way, and solved most of them - mainly thanks to the archives of this list.
>>
>> We are now getting the following error:
>>
>>     rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication.
>
> Bad UNIX sysadmin *BAD*
>
> My git log tells me you are running a version of FreeRADIUS from *before* Aug 15 2006. Maybe I am the first to tell you, but it is 2010, and nearly 2011 :)

The 2.x version of FreeRADIUS on RHEL 5 is available under the package name freeradius2. This is documented in the RHEL release notes and the Red Hat FreeRADIUS FAQ http://wiki.freeradius.org/Red_Hat_FAQ

-- 
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Logging reply-detail only produces single line of output
I want to log all replies from Radius to my NAS so I edited my sites-enabled file and uncommented 'reply_log'. I then went to modules/detail and added:

    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }

Now if I go to my log directory I do see reply-detail-%Y%m%d files created, however the content is not what I expected. Rather than outputting all the attributes of the reply, all I see is:

    Thu Nov 25 02:11:29 2010
        Packet-Type = Access-Accept
    Thu Nov 25 08:29:22 2010
        Packet-Type = Access-Accept

How can I change the behavior to log all reply attributes?

Thanks,
Rob White
Re: Logging reply-detail only produces single line of output
OK so I used TCPDUMP and it seems that the log is not incorrect... Radius is only sending the access-accept and nothing else. It should be sending other attributes but it is not. However, the attributes are included in my main dictionary file (dictionary.wisp and dictionary.chillispot) - that should be it, shouldn't it?

Rob White
IT Manager, Core Infrastructure Systems Development
Global Gossip
14 Wentworth Ave
Surry Hills, NSW 2010
Australia
office: +61 2 9263 0400
mobile: +61 410 700 733
email: rwh...@globalgossip.net
http://www.globalgossipgroup.com

On 25 November 2010 11:41, Robert White <rwh...@globalgossip.net> wrote:
> I want to log all replies from Radius to my NAS so I edited my sites-enabled file and uncommented 'reply_log'. I then went to modules/detail and added:
>
>     detail reply_log {
>         detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
>         detailperm = 0600
>     }
>
> Now if I go to my log directory I do see reply-detail-%Y%m%d files created, however the content is not what I expected. Rather than outputting all the attributes of the reply, all I see is:
>
>     Thu Nov 25 02:11:29 2010
>         Packet-Type = Access-Accept
>     Thu Nov 25 08:29:22 2010
>         Packet-Type = Access-Accept
>
> How can I change the behavior to log all reply attributes?
>
> Thanks,
> Rob White
eap-gtc error in authentication
We've been working on using Freeradius on RHEL5.4 to link a Motorola RFS6000 with Oracle OID. We've had a number of hiccoughs along the way, and solved most of them - mainly thanks to the archives of this list.

We are now getting the following error:

    rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication.

We are running:

    radiusd: FreeRADIUS Version 1.1.3, for host i386-redhat-linux-gnu, built on Dec 4 2009 at 13:48:28

Which we are kind of stuck on if we want to maintain consistency with RHN.

The full conversation log is long (882 lines), and with the config files this is getting long enough, but I'll post it if it will help (and apologise to the digest readers). Some pertinent bits from it, though (these all refer to a conversation that starts with request 0):

    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 8
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/gtc
      rlm_eap: processing type gtc
    rlm_eap_gtc: ERROR: Clear-test User-Password is required for authentication.
      rlm_eap: Handler failed in EAP/gtc
      rlm_eap: Failed in EAP select
    modcall[authenticate]: module eap returns invalid for request 8
    modcall: leaving group authenticate (returns invalid) for request 8
    auth: Failed to validate the user.
      PEAP: Got tunneled reply RADIUS code 3
        EAP-Message = 0x04090004
        Message-Authenticator = 0x
      PEAP: Processing from tunneled session code 0x977b0b0 3
        EAP-Message = 0x04090004
        Message-Authenticator = 0x
      PEAP: Tunneled authentication was rejected.
      rlm_eap_peap: FAILURE
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 9
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/peap
      rlm_eap: processing type peap
      rlm_eap_peap: Authenticate
      rlm_eap_tls: processing TLS
    eaptls_verify returned 7
      rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
      rlm_eap_peap: EAPTLS_OK
      rlm_eap_peap: Session established. Decoding tunneled attributes.
      rlm_eap_peap: Received EAP-TLV response.
      rlm_eap_peap: Tunneled data is valid.
      rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
      rlm_eap: Handler failed in EAP/peap
      rlm_eap: Failed in EAP select
    modcall[authenticate]: module eap returns invalid for request 9

Here is our radiusd.conf:

    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = /usr/sbin
    logdir = ${localstatedir}/log/radius
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd
    log_file = ${logdir}/radius.log
    libdir = /usr/lib
    pidfile = ${run_dir}/radiusd.pid
    user = radiusd
    group = radiusd
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    bind_address = *
    port = 0
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = no
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf
    $INCLUDE ${confdir}/clients.conf
    snmp = no
    $INCLUDE ${confdir}/snmp.conf
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        pap {
            encryption_scheme = clear
        }
        chap {
            authtype = CHAP
        }
        pam {
            pam_auth = radiusd
        }
        unix {
            shadow = /etc/shadow
            radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
        }
        ldap {
            server = stingaree.bbs.bunnings.com.au
            port = 3061
            identity = cn=bglpdtven,cn=users,dc=bbs,dc=bunnings,dc=com,dc=au
            password = XXX
            basedn = dc=bbs,dc=bunnings,dc=com,dc=au
            filter = (uid=%u)
            base_filter = (objectclass=radiusprofile)
            start_tls = no
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = OrclPassword
            groupname_attribute = cn
            groupmembership_filter = (|((objectClass=group)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
            groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
        }
        realm IPASS {
dictionary vendor options
Hi!

I'm running

    # rpm -qa | grep radius
    freeradius2-mysql-2.1.7-7.el5
    freeradius2-2.1.7-7.el5
    freeradius2-python-2.1.7-7.el5
    freeradius2-utils-2.1.7-7.el5

and I copied the following into /etc/raddb/dictionary:

    VENDOR          Extreme                         1916

    ATTRIBUTE       Extreme-CLI-Authorization       201     integer Extreme
    ATTRIBUTE       Extreme-Shell-Command           202     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Vlan           203     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Url            204     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Url-Desc       205     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Only           206     integer Extreme
    ATTRIBUTE       Extreme-User-Location           208     string  Extreme
    ATTRIBUTE       Extreme-Netlogin-Vlan-Tag       209     integer Extreme
    ATTRIBUTE       Extreme-Netlogin-Extended-Vlan  211     string  Extreme
    ATTRIBUTE       Extreme-Security-Profile        212     string  Extreme

    VALUE   Extreme-CLI-Authorization       Disabled        0
    VALUE   Extreme-CLI-Authorization       Enabled         1
    VALUE   Extreme-Netlogin-Only           Disabled        0
    VALUE   Extreme-Netlogin-Only           Enabled         1

which seems ok to me, but freeradius thinks otherwise, as I get

    including dictionary file /etc/raddb/dictionary
    Errors reading dictionary: dict_init: /etc/raddb/dictionary[37]: unknown option Extreme

Does anyone know the problem with my config?

thx!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
RE: dictionary vendor options
Hi!

Ah, did not know about the default extreme config. I just went along the official Howto from Extreme Networks and it stated that I need to put the lines into the dictionary... Thx for the info ;-)

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 20 September 2010 11:40
To: FreeRadius users mailing list
Subject: Re: dictionary vendor options

PENZ Robert wrote:
> # rpm -qa | grep radius
> freeradius2-mysql-2.1.7-7.el5
...
> and I copied following into the /etc/raddb/dictionary

  Why? What's wrong with the dictionary.extreme file that is included with the server?

  After 10 years of doing FreeRADIUS, I *still* don't understand why many people feel the need to destroy the default configuration as soon as they install the server.

> including dictionary file /etc/raddb/dictionary
> Errors reading dictionary: dict_init: /etc/raddb/dictionary[37]: unknown option Extreme

  It's a bug in 2.1.7. If you used the *default* dictionaries, the VSAs would work, and there wouldn't be a problem.

> Does anyone know the problem with my config? thx!

  Stop destroying the default configuration. If you did *less* work, you would have *better* results.

  Alan DeKok.
convert MAC addresses to lower case
Hi!

I'm running

    # rpm -qa | grep radius
    freeradius2-mysql-2.1.7-7.el5
    freeradius2-2.1.7-7.el5
    freeradius2-python-2.1.7-7.el5
    freeradius2-utils-2.1.7-7.el5

and I've different switch types. Some send the MAC address lower case, the others upper case. For switches which send it lower case it works (as the MACs are stored lower case in the db). How can I convert them all in the clear text password attribute to lower case? The attr_rewrite module looks good, but the only way I see is to have 6 rewrite rules each replacing one letter, and that seems inefficient.

The matching in the SQL database works case insensitive and returns a row, but the pap check logs the following:

    rlm_sql (sql): Released sql socket id: 1
    +++[sql] returns ok
    ++- policy redundant returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password 0025B3A013AA
    [pap] Using clear text password 0025b3a013aa
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.

I tried to remove pap but then I get the following:

    +++[sql] returns ok
    ++- policy redundant returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    WARNING: Please update your configuration, and remove 'Auth-Type = Local'
    WARNING: Use the PAP or CHAP modules instead.
    User-Password in the request does NOT match known good password.
    Failed to authenticate the user.

Hope someone can help me.

Thx!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
RE: convert MAC addresses to lower case
Hi!

But that's not the problem. The MAC address matches in the SQL statement, but I also need to return the MAC address to the radius. In this reply the MAC address is lower case. And now the radius checks that against the upper case version it gets from the switch. I cannot return the MAC always upper case as it would not work with the switches which send the MAC lower case.

I hope this makes sense.

Kind regards
Robert Penz

-----Original Message-----
From: freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org [mailto:freeradius-users-bounces+robert.penz=tirol.gv...@lists.freeradius.org] On Behalf Of ironr...@yahoo.com
Sent: Monday, 20 September 2010 15:26
To: FreeRadius users mailing list
Subject: Re: convert mac adresses to lower case

I believe there is a lower() function you can use in the sql statement.

Sent from Verizon Wireless

-----Original Message-----
From: PENZ Robert <robert.p...@tirol.gv.at>
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 20 Sep 2010 14:11:14
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: convert mac adresses to lower case

Hi!

I'm running

    # rpm -qa | grep radius
    freeradius2-mysql-2.1.7-7.el5
    freeradius2-2.1.7-7.el5
    freeradius2-python-2.1.7-7.el5
    freeradius2-utils-2.1.7-7.el5

and I've different switch types. Some send the MAC address lower case, the others upper case. For switches which send it lower case it works (as the MACs are stored lower case in the db). How can I convert them all in the clear text password attribute to lower case? The attr_rewrite module looks good, but the only way I see is to have 6 rewrite rules each replacing one letter, and that seems inefficient.

The matching in the SQL database works case insensitive and returns a row, but the pap check logs the following:

    rlm_sql (sql): Released sql socket id: 1
    +++[sql] returns ok
    ++- policy redundant returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password 0025B3A013AA
    [pap] Using clear text password 0025b3a013aa
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.

I tried to remove pap but then I get the following:

    +++[sql] returns ok
    ++- policy redundant returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    WARNING: Please update your configuration, and remove 'Auth-Type = Local'
    WARNING: Use the PAP or CHAP modules instead.
    User-Password in the request does NOT match known good password.
    Failed to authenticate the user.

Hope someone can help me.

Thx!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
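The comparison that fails in the [pap] debug lines above is a byte-for-byte check of the value the switch sent against the lowercase value stored in the database, so the fix is to bring both sides to one canonical form before comparing. The Python below is an added example, not code from this thread or from FreeRADIUS: it normalises a MAC address to twelve lowercase hex digits and goes a step beyond the thread by also stripping the separators (colons, dashes, dots) that other switch vendors insert. The two values from the debug output are real; the other samples are constructed. Anything that does not normalise to a valid MAC is rejected rather than "fixed", so a malformed value can never match a stored one.

```python
# Added example (not from the thread, not FreeRADIUS code): canonicalise a
# MAC address before comparing it with the lowercase value stored in the DB.
import re

# A canonical MAC is exactly 12 lowercase hex digits.
HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts 0025B3A013AA, 00:25:b3:a0:13:aa, 00-25-B3-A0-13-AA and
    0025.b3a0.13aa. Wrong length or non-hex characters yield None.
    """
    if raw is None:
        return None
    stripped = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not HEX12.match(stripped):
        return None
    return stripped


def macs_match(sent, stored):
    """Compare the MAC the NAS sent with the one stored in the database."""
    sent_n = normalize_mac(sent)
    stored_n = normalize_mac(stored)
    return sent_n is not None and sent_n == stored_n


# Constructed sample input: the pair from the [pap] debug lines, plus the
# forms other switches commonly send, one different address and one junk value.
SAMPLES = [
    ("0025B3A013AA", "0025b3a013aa"),      # upper-case switch: raw compare fails
    ("00:25:b3:a0:13:aa", "0025b3a013aa"),
    ("00-25-B3-A0-13-AA", "0025b3a013aa"),
    ("0025.b3a0.13aa", "0025b3a013aa"),
    ("0025B3A013AB", "0025b3a013aa"),      # a different address
    ("not-a-mac", "0025b3a013aa"),         # garbage must not match
]


def check_samples():
    """(sent, raw string match, match after normalisation) for each sample."""
    return [(sent, sent == stored, macs_match(sent, stored))
            for sent, stored in SAMPLES]


if __name__ == "__main__":
    for sent, raw_ok, norm_ok in check_samples():
        print(f"{sent:20} raw match: {raw_ok!s:5}  normalised match: {norm_ok}")
```

Normalising on the server side also removes the need to keep one stored spelling per switch vendor: the database keeps a single canonical form and every request is reduced to that form before the lookup and before the password check.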
timeout if mysql backend not reachable
Hi!

I've more than one radius server configured on my switches. If one server times out the switch takes the second server. On each radius server a freeradius and a mysql db is running. I'm now searching for a way that the freeradius does not return anything (= timeout for the switch) if it cannot reach its mysql db (on the same machine). Currently I get a reject reply for the authentication request. How can I configure that?

Thx!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
Samba Bug #6563
Our AD team recently upgraded their servers from Windows 2003 to 2008 and broke the Samba 3.0.34 installation we had been using for ntlm_auth. We couldn't get this version of Samba to join the upgraded servers, so we were forced to look into patching Samba 3.5.4 (latest) to fix the issue where ntlm_auth returns an invalid NT_KEY. I believe this issue has been open for about 2 years and hasn't moved much in the Samba bug list:

https://bugzilla.samba.org/show_bug.cgi?id=6563

A committer named Volker Lendecke suggested that the source was SamLogonEx... by using SamLogon instead, you can get around the issue. This seems to stem from the SamLogonEx function using session keys versus credentials... but I'd like to ask a windows/samba expert for a better opinion.

I've attached a patch to the bug report above which adds the --force-samlogon option to winbind. If winbind is started without this flag, it operates normally and we get an invalid NT_KEY returned. If it's started with the flag, the issue is resolved. We've been running this in production and haven't run into any issues with a few thousand 802.1x users.

I hope this helps a few people who have been stuck in Samba purgatory.

Rob Colantuoni
Re: Can freeradius support multiple client CA certificates?
On 21 Jun 2010, at 19:53, John Dennis wrote:
> A (FreeRADIUS) virtual server does not have a different IP address nor would it have different subject names nor subject alt names. I'm not getting the feeling you understand how PKI works, it might be worthwhile to read up on it.

When testing a new server certificate with a different chain to a new root CA, I set up a separate eap module with different certificates. The two EAP modules were selected using the realm in the username -- someth...@cam.ac.uk gave the normal certificates and someth...@test.cam.ac.uk gave the new ones but used the same backend SQL lookup to find account information.

- Bob
dynamic VLANs for many switches
Hi!

We've a quite big network and I want to assign VLANs dynamically based on the MAC address; as backend I want to use a SQL database. My problem now is that the VLAN IDs on different access switch stacks (we use Layer 2 switches) are different for the same network area, e.g. on switch1 VLAN 123 is used for printers and on switch2 VLAN 124 is used for printers. The reason for this is that the Layer 3 switch (which we use as the distribution switch of the building) needs to be part of all VLANs, and we can't use one VLAN for a building as the subnet would get too big. Another requirement is that a device can roam between different access switches (= floors and buildings), so the VLAN the switch port should get set to needs to be different, based on which switch is making the request.

This problem is easily solvable if I can use VLAN names in Tunnel-Private-Group-ID tags, as I would always set the name to e.g. printervlan. But RFC 3580 says:

    Note that the VLANID is 12-bits, taking a value between 1 and 4094, inclusive. Since the Tunnel-Private-Group-ID is of type String as defined in [RFC2868], for use with IEEE 802.1X, the VLANID integer value is encoded as a string.

So what is the recommended solution if I can use only the numerical IDs?

Thx for your help!

Kind regards
Robert Penz

Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at
RE: dynamic VLANs for many switches
Hi!

> This is not a FreeRADIUS question, it is a NAS question and whether your NAS supports VLAN *names* rather than just numbers.

I'm looking for a way to work with switches that do not support VLAN names, and therefore I believe it is a FreeRADIUS question. E.g. it would be possible for me to create a table with the VLAN IDs and the NAS IPs, so that FreeRADIUS could match them and send the correct VLAN ID, but I don't know how to use the NAS IP for such a lookup. Or maybe there is a better way to do it.

> For the record, Cisco switches do support the use of names (if you have put it in your VLAN database), and their thick and thin AP's do too. YMMV with other venduhs though.
>
> To be honest, the time it took you to send this email, you could have actually tested it on your equipment...*sigh*.

I don't know the vendor of the switches so far, as it is a running public tendering procedure (hope that's the correct English term for it) where I was not able to require it as a MUST feature, but I need to make the planning for migration and implementation of dynamic VLANs now. ;-(

Robert
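The table Robert describes, VLAN IDs keyed by NAS IP, is enough to solve the problem without VLAN names: the device lookup returns a role, and a second table translates (switch, role) into the VLAN number that particular switch uses. The Python below is an added example, not from this thread and not FreeRADIUS code; it carries the schema and the join through with sqlite3 so it runs stand-alone. The table and column names, the role names and the sample MAC and NAS addresses are all constructed. In a FreeRADIUS SQL module the same query would be parameterised with the request's Calling-Station-Id and NAS-IP-Address; the reply builder encodes the VLAN number as a string, as the RFC 3580 passage quoted above requires.

```python
# Added example (not from the thread, not FreeRADIUS code): resolve the VLAN
# *number* a given switch uses for a device's role, keyed on the NAS IP of the
# request. Schema, names and sample data are constructed for illustration.
import sqlite3

SCHEMA = """
CREATE TABLE device_role (
    mac  TEXT PRIMARY KEY,          -- 12 lowercase hex digits
    role TEXT NOT NULL              -- e.g. 'printer'
);
CREATE TABLE nas_vlan (
    nas_ip  TEXT    NOT NULL,       -- the switch (stack) that sent the request
    role    TEXT    NOT NULL,
    vlan_id INTEGER NOT NULL CHECK (vlan_id BETWEEN 1 AND 4094),
    PRIMARY KEY (nas_ip, role)
);
"""

# Constructed sample: the same role has a different VLAN ID on each stack,
# exactly the situation the question describes.
DEVICES = [("0025b3a013aa", "printer"), ("001122334455", "workstation")]
NAS_VLANS = [
    ("10.0.1.1", "printer", 123), ("10.0.1.1", "workstation", 100),
    ("10.0.2.1", "printer", 124), ("10.0.2.1", "workstation", 101),
]

# The MAC is lower-cased in SQL (as suggested in the earlier thread) and the
# switch is matched on its NAS IP; an unknown switch or device yields no row.
LOOKUP = """
SELECT v.vlan_id
  FROM device_role d
  JOIN nas_vlan    v ON v.role = d.role
 WHERE d.mac = lower(?) AND v.nas_ip = ?
"""


def open_db():
    """Create an in-memory database populated with the constructed sample."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO device_role VALUES (?, ?)", DEVICES)
    db.executemany("INSERT INTO nas_vlan VALUES (?, ?, ?)", NAS_VLANS)
    return db


def vlan_for(db, calling_station_id, nas_ip):
    """VLAN ID for this MAC on this switch, or None if either is unknown."""
    mac = calling_station_id.replace(":", "").replace("-", "").replace(".", "")
    row = db.execute(LOOKUP, (mac, nas_ip)).fetchone()
    return row[0] if row else None


def reply_attributes(db, calling_station_id, nas_ip):
    """RFC 3580 reply attributes for the request, or None to reject it.

    A switch missing from nas_vlan gets no answer rather than a guessed VLAN:
    placing a device on the wrong VLAN is worse than a failed authentication.
    """
    vlan = vlan_for(db, calling_station_id, nas_ip)
    if vlan is None:
        return None
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        # the 12-bit VLANID travels as a string, per RFC 3580
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    db = open_db()
    for nas in ("10.0.1.1", "10.0.2.1", "10.0.9.9"):
        print(nas, reply_attributes(db, "00:25:B3:A0:13:AA", nas))
```

Keeping the switch-to-VLAN mapping in its own table means a roaming device needs only one row in device_role; adding a new switch stack is one row per role in nas_vlan, and a switch that has not been entered yet cannot be handed a VLAN that belongs to a different building.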
badusers issues
I get this message from the bad users page:

    Database query failed: Unknown column 'incidentdate' in 'where clause'

Is this something that is critical or concerning?
freeradius-dialupadmin
Freeradius-dialupadmin Check Server page only shows:

    (test user dummy)

Does this indicate that it isn't working correctly?
github wiki
Hello Alan,

I want to thank you for your services. Not just for myself but for everyone that you assisted over the years it seems. You are a tireless soldier.

I have visited github made some notes on the Wiki there. I am dedicated to streamlining the process of installing FR. The present system of passing information and knowledge can be daunting to new users. I nearly gave up myself due the sheer amount of old and misleading sources that exist. By writing guides and docs I intend to learn more about FR and hopefully the community will benefit by having a greater number of users that will in turn help others along.

I would like to thank the two Alans for your fine work. Please contact me if there are any additional matters that you think might be useful in increasing the knowledge base.

Kind Regards,
Robert Wilkinson

ps I still have a few issues with sql but I am certainly going in the right direction now. I have now spent 5 days and I have been worn out.
sql wont pass radtest
Hello.

After lots of reading and time testing I have been unable to get sql to authenticate with using radtest. Am I having issues with the DB setup? I am having no problems with the users file. But there seems to be nothing to pursue with the SQL issues. I am almost moved to tears.. and tearing my hair out.

I am using:
Ubuntu 10.4 (Linode account)
Freeradius 2.1.8
MySql5

I want to setup a wireless hotspot. I have spent 4 days trying to get my mind around this. I have uncommented the SQL lines where needed. Is it my database or the options I have made? I have spent lots of time on the wiki and mailing list, to the point that confusion now reigns. There needs to be a way for simple setups to be made easy.

Here is my freeradius -X

    FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/cui
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/sql.conf
    including configuration file /etc/freeradius/sql/mysql/dialup.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/default
    including configuration file /etc/freeradius/sites-enabled/inner-tunnel
    main {
        user = freerad
        group = freerad
        allow_core_dumps = no
    }
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/freeradius/freeradius.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = no
        log {
            stripped_names = no
Re: sql wont pass radtest
On Wed, 2010-05-26 at 19:58 +0100, Alan Buxey wrote:
> hi,
>
> your output doesnt show SQL being loaded up as the daemon starts... its very obvious when it does use SQL as there'll be a lot of SQL stuff shown in the startup eg sockets connecting to the SQL etc.

Just realised that the server needs to be restarted after each change in configuration. Important to know that.

> check that you have the INCLUDE sql.conf in the radiusd.conf and check that you have uncommented the sql lines in the virtual servers that you want to use (ie 'default' for plain stuff and 'inner-tunnel' for EAP stuff)

I have uncommented all the SQL lines to no avail. No module is loaded. Is it important to have a NAS installed at this stage?

Here is my radiusd -X output:

    FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/cui
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/sql.conf
    including configuration file /etc/freeradius/sql/mysql/counter.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/default
    including configuration file /etc/freeradius/sites-enabled/inner-tunnel
    main {
        user = freerad
        group = freerad
        allow_core_dumps = no
    }
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/freeradius/freeradius.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = no
        log {
            stripped_names
Re: no access-accept with users file
I am aiming to get daloradius working with freeradius. I want to get freeradius in a state of usefulness. To be honest I may have forgotten the 'normal' state it was in when it worked using the users file. I am having an issue with the sites-enabled file.. a matter of global permissions. I don't know what was responsible for that. Such is life. Thank you for your support.

On 05/25/2010 02:51 AM, James J J Hooper wrote:

> On 25/05/2010 06:30, Robert Wilkinson wrote:
> > I feel defeated. I was able to get an access-accept result. During my attempt to use MySQL it appears that I broke my configuration. I am using freeradius 2.1.8 on ubuntu 10.4 server. Here is my freeradius -X debug output:
> >
> > WARNING: Empty section. Using default return values.
> > No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> Hi Robert,
> What do you actually want it to do, auth against MySQL, or auth against the users file, both or something else? At the moment it seems to be configured to do nothing:
>
> WARNING: Empty section. Using default return values.
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> ... so, it's doing nothing. I'd go back to the default config, and change one thing at a time, then test that it does what you expect, repeat until it works totally as you wish, or you break it. If the latter, revert the most recent config change.
>
> ... and the documentation: http://wiki.freeradius.org/SQL_HOWTO etc
>
> Regards,
> James
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Chief Geek
Open Technology Group Bermuda
Please visit www.otgb.net.
no access-accept with users file
	to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = "You are calling outside your allowed timespan"
	minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server {
 modules {
 } # modules
} # server
radiusd: Opening IP addresses and Ports
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 41227, id=30, length=55
	User-Name = "bob"
	User-Password = "hello"
	NAS-IP-Address = 74.207.237.249
	NAS-Port = 0
WARNING: Empty section. Using default return values.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 30 to 127.0.0.1 port 41227
Waking up in 4.9 seconds.
Cleaning up request 0 ID 30 with timestamp +14
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 54343, id=126, length=55
	User-Name = "bob"
	User-Password = "hello"
	NAS-IP-Address = 74.207.237.249
	NAS-Port = 0
WARNING: Empty section. Using default return values.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 126 to 127.0.0.1 port 54343
Waking up in 4.9 seconds.
Cleaning up request 1 ID 126 with timestamp +1574
Ready to process requests.

I have spent 2 days on this with little reward. Please help.

Thank you.
Robert Wilkinson

--
Chief Geek
Open Technology Group Bermuda
Please visit www.otgb.net.
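The debug output above shows the actual cause: the only virtual server loaded is empty (`server { modules { } }`), so no `authorize` section runs, nothing sets `Auth-Type`, and the server falls through to "No authenticate method (Auth-Type) configuration found". The following is an added example, not taken from this thread or from the FreeRADIUS distribution: the smallest `sites-enabled/default` that makes the `bob`/`hello` test above succeed on 2.1.x against the users file, with the single line to uncomment for MySQL. The users entry, the `testing123` secret (the stock `clients.conf` localhost entry) and the module instance names (`suffix`, `attr_filter.access_reject`) are assumptions about a stock 2.1.8 install.

```unlang
# /etc/freeradius/sites-enabled/default -- minimal users-file + PAP server.
# Added example; the stock file carries more modules and comments.

authorize {
	preprocess
	chap
	mschap
	suffix          # split user@realm (instance defined in modules/realm)
	files           # reads /etc/freeradius/users; assumed test entry:
	                #   bob  Cleartext-Password := "hello"
#	sql             # uncomment to read the password from radcheck instead.
	                # Needs "$INCLUDE sql.conf" in radiusd.conf; a correct
	                # -X run then prints "Module: Instantiating sql".
	expiration
	logintime
	pap             # sets Auth-Type := PAP only if a known-good password was
	                # found above. With neither files nor sql providing one,
	                # you get exactly "No authenticate method (Auth-Type)
	                # configuration found for the request".
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}

preacct {
	preprocess
	acct_unique
	suffix
	files
}

accounting {
	detail
	unix
	radutmp
#	sql             # uncomment together with the authorize entry
}

session {
	radutmp
}

post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}

# Check, after restarting the daemon (config is only read at startup):
#   radtest bob hello 127.0.0.1 0 testing123
# A working -X run prints "Found Auth-Type = PAP" and sends Access-Accept.
```

Change one thing at a time, as James suggests: get the users-file path above to return Access-Accept first, then swap `files` for `sql` and confirm in `-X` that the sql module is instantiated and its SELECT against radcheck is logged before trusting daloRADIUS with it.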
Max Query Length Exceeded and Field Truncated
Hello all,

Our network had some change somewhere and now all MySQL insert queries are failing with the last field being truncated, and the character count is always 4097 from the CDRs being sent by our NAS (Acme Packet SBC). Having looked at the source we see:

src/modules/rlm_sql/conf.h
src/modules/rlm_sql/rlm_sql.c

/* SQL defines */
#define MAX_QUERY_LEN 4096
#define SQL_LOCK_LEN MAX_QUERY_LEN

I'm not sure here, can we just increase to 8192 etc. or is this being stupid? Can I edit the above and recompile?

Unfortunately we are running FreeRADIUS 1.1.7 and yes, everyone must be screaming upgrade! Linux klio 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008 i686 GNU/Linux. MySQL 5.0.51a-3ubuntu5.4-log.

I've looked at the above files in 2.1.8 and the values are the same. Does this mean an upgrade will not fix this? The RADIUS RFC says a maximum length of 4096, is this what we are breaking or something else? Please advise as to the best solution.

FreeRADIUS log:

Wed Mar 17 16:10:50 2010 : Error: rlm_sql_mysql: MySQL error 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sip:0827355...@hugetipjhb01' at line 1'

MySQL log (shortened for brevity's sake):

INSERT into accounting (AcctStatusType, AcctTerminateCause, CalledStationId, NASIdentifier, h323setuptime, h323connecttime, h323disconnecttime, h323disconnectcause) values ('0', '0', '0', '0', '0', '0', '0', 'sip:0738063...@h

From the FreeRADIUS SQL trace (shortened for brevity's sake):

INSERT into accounting (AcctStatusType, AcctTerminateCause, CalledStationId, NASIdentifier, h323setuptime, h323connecttime, h323disconnecttime, h323disconnectcause, CallingRTCPMaxLatency_FS1, CallingRTPPacketsLost_FS1, CallingRTPAvgJitter_FS1, CallingRTPMaxJitter_FS1, SessionIngressRealm, SessionEgressRealm, SessionProtocolType) values ('196.31.63.118', '15830', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', 'sip:0823246912@;
Re: Max Query Length Exceeded and Field Truncated
On 18 March 2010 19:07, Alan DeKok al...@deployingradius.com wrote:

> Robert Gabriel wrote:
> > Hello all, Our network had some change somewhere and now all MySQL insert queries are failing with the last field being truncated and the character count is always 4097 from the CDRs
>
> What does that mean? What's a character count?
>
> > being sent by our NAS (Acme Packet SBC). Having looked at the source we see:
> >
> > src/modules/rlm_sql/conf.h
> > src/modules/rlm_sql/rlm_sql.c
> >
> > /* SQL defines */
> > #define MAX_QUERY_LEN 4096
> > #define SQL_LOCK_LEN MAX_QUERY_LEN
> >
> > I'm not sure here, can we just increase to 8192 etc. or is this being stupid? Can I edit the above and recompile?
>
> Yes. But I fail to see why the SQL queries are huge. There's really no reason for this.
>
> > MySQL log (shortened for brevity's sake):
> > INSERT into accounting (AcctStatusType, AcctTerminateCause, CalledStationId, NASIdentifier, h323setuptime, h323connecttime, h323disconnecttime, h323disconnectcause) values ('0', '0', '0', '0', '0', '0', '0', 'sip:0738063...@h
>
> Think a bit: that line looks truncated, but there is NO WAY it's 4K in size. Something else is going on. Find out what, and fix it.
>
> Alan DeKok.

Alan, I don't appreciate your harsh response. One comes to these lists for help, not scorn and ridicule. Character count meaning the below and as stated above (IT WAS SHORTENED FOR BREVITY'S SAKE) so I didn't take up the whole post with log lines, and surely now we can see it is 4KB in size (so it's 4096 bytes less the semicolon, my mistake). Am I thinking a bit?
$ wc -c INSERT into accounting (AcctStatusType, AcctTerminateCause, CalledStationId, NASIdentifier, h323setuptime, h323connecttime, h323disconnecttime, h323disconnectcause, SessionGenericId, FlowID_FS1_F, FlowType_FS1_F, SessionIngressCallId, SessionEgressCallId, FlowInRealm_FS1_F, FlowInSrcAddr_FS1_F, FlowInSrcPort_FS1_F, FlowInDstAddr_FS1_F, FlowInDstPort_FS1_F, FlowOutRealm_FS1_F, FlowOutSrcAddr_FS1_F, FlowOutSrcPort_FS1_F, FlowOutDstAddr_FS1_F, FlowOutDstPort_FS1_F, CallingOctets_FS1, CallingPackets_FS1, CallingRTCPPacketsLost_FS1, CallingRTCPAvgJitter_FS1, CallingRTCPAvgLatency_FS1, CallingRTCPMaxJitter_FS1, CallingRTCPMaxLatency_FS1, CallingRTPPacketsLost_FS1, CallingRTPAvgJitter_FS1, CallingRTPMaxJitter_FS1, SessionIngressRealm, SessionEgressRealm, SessionProtocolType, CalledOctets_FS1, CalledPackets_FS1, CalledRTCPPacketsLost_FS1, CalledRTCPAvgJitter_FS1, CalledRTCPAvgLatency_FS1, CalledRTCPMaxJitter_FS1, CalledRTCPMaxLatency_FS1, CalledRTPPacketsLost_FS1, CalledRTPAvgJitter_FS1, CalledRTPMaxJitter_FS1, SessionChargingVector, SessionChargingFunction_Address, FirmwareVersion, LocalTimeZone, PostDialDelay, CDRSequenceNumber, SessionDisposition, DisconnectInitiator, DisconnectCause, Intermediate_Time, PrimaryRoutingNumber, OriginatingTrunkGroup, TerminatingTrunkGroup, OriginatingTrunkContext, TerminatingTrunkContext, PAssertedID, SIPDiversion, SIPStatus, IngressLocalAddr, IngressRemoteAddr, EgressLocalAddr, EgressRemoteAddr, FlowID_FS1_R, FlowType_FS1_R, FlowInRealm_FS1_R, FlowInSrcAddr_FS1_R, FlowInSrcPort_FS1_R, FlowInDstAddr_FS1_R, FlowInDstPort_FS1_R, FlowOutRealm_FS1_R, FlowOutSrcAddr_FS1_R, FlowOutSrcPort_FS1_R, FlowOutDstAddr_FS1_R, FlowOutDstPort_FS1_R, FlowID_FS2_F, FlowType_FS2_F, FlowInRealm_FS2_F, FlowInSrcAddr_FS2_F, FlowInSrcPort_FS2_F, FlowInDstAddr_FS2_F, FlowInDstPort_FS2_F, FlowOutRealm_FS2_F, FlowOutSrcAddr_FS2_F, FlowOutSrcPort_FS2_F, FlowOutDstAddr_FS2_F, FlowOutDstPort_FS2_F, CallingOctets_FS2, CallingPackets_FS2, 
CallingRTCPPacketsLost_FS2, CallingRTCPAvgJitter_FS2, CallingRTCPAvgLatency_FS2, CallingRTCPMaxJitter_FS2, CallingRTCPMaxLatency_FS2, CallingRTPPacketsLost_FS2, CallingRTPAvgJitter_FS2, CallingRTPMaxJitter_FS2, FlowID_FS2_R, FlowType_FS2_R, FlowInRealm_FS2_R, FlowInSrcAddr_FS2_R, FlowInSrcPort_FS2_R, FlowInDstAddr_FS2_R, FlowInDstPort_FS2_R, FlowOutRealm_FS2_R, FlowOutSrcAddr_FS2_R, FlowOutSrcPort_FS2_R, FlowOutDstAddr_FS2_R, FlowOutDstPort_FS2_R, CalledOctets_FS2, CalledPackets_FS2, CalledRTCPPacketsLost_FS2, CalledRTCPAvgJitter_FS2, CalledRTCPAvgLatency_FS2, CalledRTCPMaxJitter_FS2, CalledRTCPMaxLatency_FS2, CalledRTPPacketsLost_FS2, CalledRTPAvgJitter_FS2, CalledRTPMaxJitter_FS2, EgressFinalRoutingNumber ) values ('Stop', 'User-Request', 'sip:27823246...@196.30.132.98:5060', 'acmepacket', '14:47:22.831 GMT+2 MAR 12 2010', '14:47:36.670 GMT+2 MAR 12 2010', '14:50:10.179 GMT+2 MAR 12 2010', '1', '', 'localhost:652024', 'G729', '310075-3477386742-88...@nextone-msw.mydomain.com', '310075-3477386742-88...@nextone-msw.mydomain.com', 'oscar_telecom', '196.31.63.118', '15826', '172.28.18.226', '12450', 'QUESCFARM', '10.0.64.10', '18334', '10.0.32.8', '11252', '624088', '7956', '72', '215', '1784', '263', '2045', '41', '0', '45', 'oscar_telecom', 'QUESCFARM', 'SIP', '623574', '7945', '52', '3', '873', '4', '2047', '60
Re: Accessing a second AV Pair
Ah ha! Thanks for that. I've managed to access my second AVPair by using []. Now, because it's a Quintum, much like a Cisco, the value is

Quintum-AVPair = h323-incoming-conf-id=34623031 35363261 3031

rather than the preferred

Quintum-AVPair = 34623031 35363261 3031

I have the vsa hack enabled and it works on a value such as

Quintum-h323-setup-time = h323-setup-time=03:39:54.875 UTC Mon Nov 16 2009

but not on the Quintum-AVPairs. Is there a way to run the AVPairs through whatever method it is that applies the vsa hack?

Thanks,
Rob

2009/11/18 Alan DeKok al...@deployingradius.com

> Robert White wrote:
> > No problem! Anyone else have any thoughts?
>
> $ man unlang
>
> See the section on VARIABLES
>
> Alan DeKok.

--
Rob White
Assistant IT Manager, Core Infrastructure System Development
Global Gossip Group
Address: 14 Wentworth Avenue, Sydney NSW 2010
Telephone: +61 292 630 460
Fax: +61 292 630 404
Mobile: +61 410 700 733
Email: rwh...@globalgossip.net
Skype: robwhite83
Re: Accessing a second AV Pair
No problem! Anyone else have any thoughts?

Thanks,
Rob

2009/11/17 Andrew Paternoster and...@gpk.net.au

> Oops, sorry, I thought you were sending AVPairs, not receiving. Sorry.
>
> Andrew Paternoster
> Senior System Engineer
> http://www.gpk.net.au
> 2/94 Abbott Road, Hallam, VIC 3083
> Phone: 1300 854 223  Fax: 1300 854 228
> Did you know that you can now log faults by just sending an email to supp...@gpk.net.au
>
> From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org On Behalf Of Robert White
> Sent: Tuesday, 17 November 2009 6:33 PM
> To: FreeRadius users mailing list
> Subject: Re: Accessing a second AV Pair
>
> > My full SQL statement is:
> >
> > accounting_stop_query = "EXEC ${stopacnt_sp} @username = '%{SQL-User-Name}', @av_pair = '%{h323-incoming-conf-id}', @gw_session_id_out = '%{Quintum-h323-conf-id}', @call_origin = '%{Quintum-h323-call-origin}', @dialstring_from = '%{Calling-Station-Id}', @dialstring_to = '%{Called-Station-Id}', @disconnect_code_hex = '%{Quintum-h323-disconnect-cause}', @session_time = '%{Acct-Session-Time}', @gw_ip = '%{NAS-IP-Address}', @gw_name = ''"
> >
> > 2009/11/17 Andrew Paternoster and...@gpk.net.au
> >
> > > What operator are you using? I have multi AVPairs and I have := on the first one and += on the others working for me.
> > >
> > > Andrew Paternoster
> > > Senior System Engineer
> > > http://www.gpk.net.au
> > > 2/94 Abbott Road, Hallam, VIC 3083
> > > Phone: 1300 854 223  Fax: 1300 854 228
> > > Did you know that you can now log faults by just sending an email to supp...@gpk.net.au
> > >
> > > From: freeradius-users-bounces+andrew=gpk.net...@lists.freeradius.org On Behalf Of Robert White
> > > Sent: Tuesday, 17 November 2009 1:05 PM
> > > To: FreeRadius users mailing list
> > > Subject: Accessing a second AV Pair
> > >
> > > > Hi,
> > > > I have a Radius message which has two AV Pairs and I want to insert them both into a database. However, I'm unable to access the second AVPair.
Accessing a second AV Pair
Hi,

I have a Radius message which has two AV Pairs and I want to insert them both into a database. However, I'm unable to access the second AVPair.

Here is the Radius packet:

rad_recv: Accounting-Request packet from host 10.152.0.7 port 20001, id=87, length=662
	NAS-IP-Address = 10.152.0.7
	Quintum-NAS-Port = "0 7/7/24"
	NAS-Port-Type = Async
	User-Name = ""
	Called-Station-Id = "990006"
	Calling-Station-Id = "1002"
	Acct-Status-Type = Stop
	Acct-Delay-Time = 0
	Acct-Input-Octets = 0
	Acct-Output-Octets = 0
	Acct-Session-Id = "00AA0039"
	Acct-Session-Time = 75
	Acct-Input-Packets = 0
	Acct-Output-Packets = 0
	Service-Type = Login-User
	Quintum-AVPair = "h323-ivr-out=ACCESSCODE:990006"
	Quintum-h323-conf-id = "h323-conf-id=34623032 38616662 32630030 3700"
	Quintum-AVPair = "h323-incoming-conf-id=34623032 38616662 32630030 3700"
	Quintum-h323-gw-id = "h323-gw-id=au-syd-test1"
	Quintum-h323-call-origin = "h323-call-origin=answer"
	Quintum-h323-call-type = "h323-call-type=Telephony"
	Quintum-h323-setup-time = "h323-setup-time=01:37:31.685 UTC Tue Nov 17 2009"
	Quintum-h323-connect-time = "h323-connect-time=01:37:31.885 UTC Tue Nov 17 2009"
	Quintum-h323-disconnect-time = "h323-disconnect-time=01:38:46.495 UTC Tue Nov 17 2009"
	Quintum-h323-disconnect-cause = "h323-disconnect-cause=10"
	Quintum-h323-voice-quality = "h323-voice-quality=0"
	Quintum-Trunkid-In = "0 7/7/24"
	Quintum-Trunkid-Out = "10.0.20.36"

When using the standard dictionary.quintum, %{Quintum-AVPair} = h323-ivr-out=ACCESSCODE:990006. I couldn't read the second AVPair. I did some Googling and read:

"if it [the preprocess module] finds Cisco-AVPair attribute like Cisco-AVPair = gw-rxd-cdn=ton:0,npi:1,#: and there's dictionary attribute gw-rxd-cdn, then it adds new attribute gw-rxd-cdn with value ton:0,npi:1,#:. So if you have Cisco-AVPair attributes which you would like to insert into SQL, you need to create them in cisco dictionary."
As Quintum and Cisco are very similar I tried the same thing and edited the dictionary.quintum file, adding in the following lines:

ATTRIBUTE	h323-ivr-out		3000	string
ATTRIBUTE	h323-incoming-conf-id	3001	string

I noted that there is already a very similar attribute for h323-incoming-conf-id - it just has the word 'Quintum' prepended to it. However, after the dictionary edit, Radius failed to load. I got the following error:

Errors reading dictionary: dict_init: /usr/local/share/freeradius/dictionary.quintum[53]: dict_init: /usr/local/share/freeradius/dictionary.quintum[53]:

Am I on the right track here? Any help appreciated.

Thanks,
Rob
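Alan's pointer to the VARIABLES section of `man unlang` is the `%{Attribute[n]}` index syntax, which is what let Rob reach the second Quintum-AVPair. What the thread never shows is how to get rid of the `h323-incoming-conf-id=` prefix without depending on the preprocess vsa hack or on editing the vendor dictionary. The following is an added example for FreeRADIUS 2.x, not code from this thread or from the FreeRADIUS distribution: it selects the AVPair by index, strips the prefix with a regex capture, and stores the bare value in a local internal attribute that the existing stored-procedure query then reads. The attribute name `Local-Incoming-Conf-Id` and its number are assumptions (raddb/dictionary is the file the server provides for local additions and suggests the 3000-4000 range for attributes that never go on the wire); everything else is the poster's own query with one substitution.

```unlang
# /etc/raddb/dictionary -- local, internal-only attribute (name and number
# chosen for this example; put it here, not inside dictionary.quintum's
# vendor block, where the number would be a vendor attribute id).
ATTRIBUTE	Local-Incoming-Conf-Id	3001	string

# sites-enabled/default, accounting side.  %{Attr[n]} is the n-th value
# (0-based), %{Attr[#]} the count, %{Attr[*]} every value.  A missing index
# expands to "", so the regex simply fails when the NAS sent only one pair.
preacct {
	preprocess
	acct_unique
	suffix

	# Second Quintum-AVPair is "h323-incoming-conf-id=<id>"; keep only <id>.
	if ("%{Quintum-AVPair[1]}" =~ /^h323-incoming-conf-id=(.*)$/) {
		update request {
			Local-Incoming-Conf-Id := "%{1}"
		}
	}
	# Some gateways order the pairs differently; accept it as the first one too.
	elsif ("%{Quintum-AVPair[0]}" =~ /^h323-incoming-conf-id=(.*)$/) {
		update request {
			Local-Incoming-Conf-Id := "%{1}"
		}
	}
	files
}

accounting {
	detail
	sql
}

# sql.conf (2.x: sql/<driver>/dialup.conf).  rlm_sql applies its own escaping
# to every %{...} it expands inside a query, so a NAS cannot break out of the
# quoted parameter with a quote character in the AVPair value.
accounting_stop_query = "EXEC ${stopacnt_sp} \
	@username = '%{SQL-User-Name}', \
	@av_pair = '%{Local-Incoming-Conf-Id}', \
	@gw_session_id_out = '%{Quintum-h323-conf-id}', \
	@call_origin = '%{Quintum-h323-call-origin}', \
	@dialstring_from = '%{Calling-Station-Id}', \
	@dialstring_to = '%{Called-Station-Id}', \
	@disconnect_code_hex = '%{Quintum-h323-disconnect-cause}', \
	@session_time = '%{Acct-Session-Time}', \
	@gw_ip = '%{NAS-IP-Address}', \
	@gw_name = ''"
```

Run `radiusd -X` and replay the packet above: the debug shows the regex match, the `update request` adding `Local-Incoming-Conf-Id`, and the expanded query with only the hex id in `@av_pair`. Doing the split in unlang keeps the behaviour explicit and visible in the debug output, whereas the vsa hack only creates a new attribute when the name before `=` already exists as a string attribute in a loaded dictionary.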