RE: [EAP/TLS] Authentication through a certificate

2013-02-08 Thread vazoumana fofana

I began setting up the configuration, but I've got two problems:

A client with a good certificate can be authenticated even if it is not in the 
users file.
I assume it's due to my code. Here is the authenticate section of default:

Auth-Type eap {
    eap
    # look at the client certificate subject (DN in /C=.../O=.../OU=... form)
    if ( %{TLS-Client-Cert-Subject} =~ /\/\// ) {
        if ( %{TLS-Client-Cert-Subject} =~ /\/xxx\// ) {
            ok
        }
        else {
            fail
        }
    }
}
It's as if, when the condition is checked, the users file is bypassed.

Maybe I must move these lines under authorize?
Can anyone confirm this?

Cheers
 

 Date: Mon, 4 Feb 2013 10:32:22 -0500
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: [EAP/TLS] Authentication through a certificate
 
 vazoumana fofana wrote:
  I've got a question about EAP/TLS and authentication for a client
  through a certificate.
  I succeeded in setting it up. But I notice that freeradius matches the client
  login with the certificate CNAME.
  Is it possible to change this in order to match the email instead of the CNAME?
 
   Yes.
 
   Read the eap.conf file, and the raddb/sites-available/default.  This
 is documented.
 
   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: [EAP/TLS] Authentication through a certificate

2013-02-08 Thread vazoumana fofana


Here is the output:

 Evaluating (%{TLS-Client-Cert-Subject} =~//) - TRUE
++? if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) - TRUE
++- entering if (%{TLS-Client-Cert-Subject} =~ /\/O=\// ) {...}
+++? if (%{TLS-Client-Cert-Subject} =~ /\/OU=\// )
expand: %{TLS-Client-Cert-Subject} - /
? Evaluating (%{TLS-Client-Cert-Subject} =~ /\/xxx\//) - TRUE
+++? if (%{TLS-Client-Cert-Subject} =~ /\/x\// ) - TRUE
+++- entering if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) {...}
[noop] returns noop
+++- if (%{TLS-Client-Cert-Subject} =~ /\/xxx\// ) returns noop
+++ ... skipping else for request 21: Preceding if was taken
++- if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) returns noop
Login OK: [xx] (from client xxx


I understand that eap returns ok, so the user is authenticated.
That's not what I want to do.
I want the client to be authenticated by:
- being in the users file
- having the right certificate
From: a.l.m.bu...@lboro.ac.uk
To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
Subject: Re: [EAP/TLS] Authentication through a certificate
Date: Fri, 8 Feb 2013 16:20:20 +

As already said, post output of radiusd -X

(that will clearly show the logic taken)

alan

[EAP/TLS] Authentication through a certificate

2013-02-04 Thread vazoumana fofana

Dear everybody,

I've got a question about EAP/TLS and authentication for a client through a 
certificate.
I succeeded in setting it up. But I notice that freeradius matches the client login 
with the certificate CNAME.
Is it possible to change this in order to match the email instead of the CNAME?

Best regards.

RE: 802.1x Issue

2012-11-30 Thread vazoumana fofana

Yes we can. It depends on your system version. On Windows 7, PAP is 
possible. On my Windows XP it's not possible. Afterwards you can install some 
drivers or software managers for wireless cards which implement other protocols.

From: brekle...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: 802.1x Issue
Date: Fri, 30 Nov 2012 16:23:46 +

Is there any way a Microsoft notebook can authenticate using MD5 or PAP? By default 
it is only EAP (PEAP) or card/certificate. I need to know if there is anything you 
guys know that makes Windows work on PAP or MD5... I'm searching on the internet 
right now to see if I can find something; anyway, I leave the question open here to 
anyone who knows.

matching entry in users file

2012-11-27 Thread vazoumana fofana

Dear all,

I've got a question about authentication: I want to set, in the users file, a user 
who can be authenticated in two ways:
EAP-TLS (certificate) and EAP-TTLS, PAP (login/password).
For the same unique login, can I do this? Or does freeradius just check the first 
entry which matches?

Cheers.

RE: matching entry in users file

2012-11-27 Thread vazoumana fofana



 Date: Tue, 27 Nov 2012 11:48:58 -0500
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: matching entry in users file
 
 vazoumana fofana wrote:
  I've got a question about authentication: I want to set, in the users file, a
  user who can be authenticated in two ways:
  EAP-TLS (certificate) and EAP-TTLS, PAP (login/password).
 
   EAP-TLS doesn't really use the users file.
I meant to say that if a user is not in the users file, it can't be authenticated with 
any protocol (EAP-TLS and others).
 
  For the same unique login, can I do this? Or does freeradius just check
  the first entry which matches?
 
   FreeRADIUS authenticates the user with the information it has.
 
   If the user has a valid certificate, he's authenticated.
 
   If the user has a valid password, he's authenticated.
I tried to do this:

napoleon SMD5-Password := yyy

napoleon NT-Password := xx

When I try to authenticate with NT-Password, it fails. But when I delete the SMD5 
entry, it works.
In both cases, freeradius has the right information.

   This is the same as a user trying PAP, CHAP, or MS-CHAP.  They all
 work.  They can all be used by the same user.
 
   Alan DeKok.
 

RE: trouble with encrypted password

2012-11-26 Thread vazoumana fofana


Dear all,

I solved the trouble with MD5 encryption. Indeed, to encrypt passwords with MD5, I 
use external functions (thanks to Dirk van der Walt) written in Perl in order 
to use radcrypt.

Cheers.
 
From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: trouble with encrypted password
Date: Fri, 16 Nov 2012 12:54:09 +

Hello everybody,

I've got trouble with encrypted passwords. I want to manage users with passwords 
which are longer than 8 characters.

When I use radcrypt (based on crypt), it doesn't work. That's normal, due to the 
limitation of crypt. I must cut the password to 8 characters to make it work.

When I use radcrypt with MD5 encryption, it doesn't work: indeed the encrypted 
string generated by MD5 radcrypt is more than 16 characters.

How can I use encrypted passwords without limiting the password to 8 characters?

Cheers


trouble with encrypted password

2012-11-16 Thread vazoumana fofana

Hello everybody,

I've got trouble with encrypted passwords. I want to manage users with passwords 
which are longer than 8 characters.

When I use radcrypt (based on crypt), it doesn't work. That's normal, due to the 
limitation of crypt. I must cut the password to 8 characters to make it work.

When I use radcrypt with MD5 encryption, it doesn't work: indeed the encrypted 
string generated by MD5 radcrypt is more than 16 characters.

How can I use encrypted passwords without limiting the password to 8 characters?

Cheers

RE: linelog and accounting informations

2012-08-02 Thread vazoumana fofana


Dear all,

I've almost resolved the trouble.
Indeed, I activated accounting on my NAS to make accounting run.

But I feel my NAS or something else is buggy.

When a connection is successful, I can see packets on ports 1812 and 1813. But 
after 20 seconds, I see an accounting log which announces

Acct-Status-Type = Stop
Acct-Input-Octets = 18014
Acct-Output-Octets = 58987
Acct-Input-Packets = 190
Acct-Output-Packets = 98
Acct-Terminate-Cause = Lost-Service
Acct-Session-Time = 16

In fact, I didn't lose connectivity because the client is still there and running 
without trouble.

So I want to understand something.
For accounting packets, is it the radius server which requests the accounting fields 
from the NAS controller? When a client is disconnected for any reason, how does 
it warn the NAS controller? Is it the NAS controller's role to warn the radius server 
when it loses a client?

Best regards.
From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: linelog and accounting informations
Date: Mon, 30 Jul 2012 09:25:43 +

Thanks for your answer.

I had already added linelog under the accounting section.

I'm going to check if my NAS sends accounting packets by tcpdumping port 1813 on 
my server.

From: a.cudba...@freeradius.org
Subject: Re: linelog and accounting informations
Date: Fri, 27 Jul 2012 15:51:55 +0100
To: freeradius-users@lists.freeradius.org

On 27 Jul 2012, at 15:06, vazoumana fofana zoumlan...@hotmail.com wrote:
Hello everybody,

I've got a question about linelog:

Indeed I want to log and store all information. I'm focusing on accounting 
data.
The filename is linelog under logdir. I created linelog under 
/var/log/radius/linelog myself with permissions 644.
When I run freeradius, no data is written to it after a successful 
authentication and connection.

Do I miss something? Is there anything else to do?
Here is linelog as an attached file.

You listed linelog in the accounting section of the default server, right? Have 
you verified your NAS is actually sending accounting packets?
-Arran

RE: linelog and accounting informations

2012-08-02 Thread vazoumana fofana



 Date: Thu, 2 Aug 2012 09:23:57 -0700
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: linelog and accounting informations
 
 vazoumana fofana wrote:
  For accounting packets, is it the radius server which requests the accounting
  fields from the NAS controller?
 
   No.  The NAS sends data in an accounting packet.  The server has NO
 CONTROL over what the NAS sends.


I don't understand very well. I set the accounting fields under linelog. So these 
fields come from the radius server, don't they?

 
  When a client is disconnected for any
  reason, how does it warn the NAS controller? Is it the NAS controller's role
  to warn the radius server when it loses a client?
 
   Yes.  But not all NASes do this.
 
   Alan DeKok.

RE: linelog and accounting informations

2012-07-30 Thread vazoumana fofana

Thanks for your answer.

I had already added linelog under the accounting section.

I'm going to check if my NAS sends accounting packets by tcpdumping port 1813 on 
my server.

From: a.cudba...@freeradius.org
Subject: Re: linelog and accounting informations
Date: Fri, 27 Jul 2012 15:51:55 +0100
To: freeradius-users@lists.freeradius.org

On 27 Jul 2012, at 15:06, vazoumana fofana zoumlan...@hotmail.com wrote:
Hello everybody,

I've got a question about linelog:

Indeed I want to log and store all information. I'm focusing on accounting 
data.
The filename is linelog under logdir. I created linelog under 
/var/log/radius/linelog myself with permissions 644.
When I run freeradius, no data is written to it after a successful 
authentication and connection.

Do I miss something? Is there anything else to do?
Here is linelog as an attached file.

You listed linelog in the accounting section of the default server, right? Have 
you verified your NAS is actually sending accounting packets?
-Arran

linelog and accounting informations

2012-07-27 Thread vazoumana fofana

Hello everybody,

I've got a question about linelog:

Indeed I want to log and store all information. I'm focusing on accounting 
data.
The filename is linelog under logdir. I created linelog under 
/var/log/radius/linelog myself with permissions 644.
When I run freeradius, no data is written to it after a successful 
authentication and connection.

Do I miss something? Is there anything else to do?
Here is linelog as an attached file.

Cheers.

RE: passwd encrypted in user file

2012-04-27 Thread vazoumana fofana

Thanks for your answer.

 Date: Fri, 20 Apr 2012 15:36:53 +0100
 From: m...@leicester.ac.uk
 To: freeradius-users@lists.freeradius.org
 Subject: Re: passwd encrypted in user file
 
 On Fri, Apr 20, 2012 at 02:27:25PM +, vazoumana fofana wrote:
username Crypt-Password := $1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0.
 ...
  To configure the Windows client, I use PEAP with MS-CHAPv2. Is it
  right? I don't find other ways to connect a Windows client with
  login/password.
 
 You can't, unless you use a 3rd party supplicant or Windows 8.
 Windows built-in only supports PEAP/MS-CHAPv2 for auth. The
 password has to be stored clear-text or as an NT hash.
 
 http://deployingradius.com/documents/protocols/compatibility.html
 
 This was posted to the list just earlier today.
 
 Matthew
 
 
 -- 
 Matthew Newton, Ph.D. m...@le.ac.uk
 
 Systems Architect (UNIX and Networks), Network Services,
 I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
 
 For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
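Matthew's point above (the built-in Windows supplicant only does PEAP/MS-CHAPv2, so the server must hold the cleartext or the NT hash) is also why the debug in the 2012-04-20 reply ends in "No NT/LM-Password" when only a Crypt-Password is configured. Added example, not code from this thread or from the FreeRADIUS project: it derives the NT-Password value for a users-file entry from a password; it assumes the 2.x users-file syntax, and the username "vazou" and the password are constructed sample values.

```python
"""Derive the NT-Password value rlm_mschap needs for PEAP/MS-CHAPv2.

MS-CHAPv2 is a challenge/response over the NT hash (MD4 of the UTF-16LE
password), so a Crypt-Password alone cannot serve it. MD4 is implemented
here in pure Python because hashlib's md4 often needs OpenSSL's legacy
provider. Added example; not the thread's or FreeRADIUS's own code.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    bit_len = len(data) * 8
    data += b"\x80"                                   # padding: a 1 bit, then zeros
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)                # 64-bit little-endian length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:                                # round 1: F, words in order
                f = (b & c) | (~b & d)
                k, s, add = i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                              # round 2: G, column order
                j = i - 16
                f = (b & c) | (b & d) | (c & d)
                k, s, add = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:                                     # round 3: H, bit-reversed order
                j = i - 32
                f = b ^ c ^ d
                k, s, add = int(f"{j:04b}"[::-1], 2), (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            # each step updates one register; rotate the roles for the next step
            a, b, c, d = d, _rotl((a + f + x[k] + add) & MASK, s), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, as upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def users_entry(username: str, password: str) -> str:
    """One users-file line with the hash rlm_mschap needs; rlm_pap and
    rlm_mschap both accept NT-Password given as 32 hex characters."""
    return f'{username}\tNT-Password := "{nt_hash(password)}"'


if __name__ == "__main__":
    # Constructed sample: the username from the thread's debug, a test-vector password.
    print(users_entry("vazou", "password"))
    # prints: vazou<TAB>NT-Password := "8846F7EAEE8FB117AD06BDD830B7586C"
```

FreeRADIUS ships smbencrypt, which produces the same NT hash from the command line; the hex value is what goes in the users file in place of a Crypt-Password when Windows clients must use PEAP/MS-CHAPv2.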

passwd encrypted in user file

2012-04-20 Thread vazoumana fofana

Hello everybody,

Sorry for this question:
I want to use encrypted passwords in the users file without using unix files.
So, I have to write:

username Crypt-Password := $1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0.

How does FreeRADIUS link the encrypted password with the password?
I want to run a command which encrypts the password. Which command could I use? My 
system is unix-like.
Then, I want to store this encrypted password in the users file? I looked at man 
rlm_pap and I set auto_header to yes.

Thanks for any answer.

RE: passwd encrypted in user file

2012-04-20 Thread vazoumana fofana



 Date: Fri, 20 Apr 2012 15:47:28 +0200
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: passwd encrypted in user file
 
 vazoumana fofana wrote:
  I want to use encrypted passwords in the users file without using unix files.
  So, I have to write:
  
  username Crypt-Password := $1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0.
  
  How does FreeRADIUS link the encrypted password with the password?
 
   The PAP module does this.  It sees the Crypt-Password as one of the
 formats supported for known good passwords.  It then uses
 User-Password from the packet, and compares the two.
 
  I want to run a command which encrypts the password. Which command could I use?
  My system is unix-like.
 
   See radcrypt, which comes with the server.
I use radcrypt but I note that for the same password, the encrypted password 
changes every time. Is that right?
How does freeradius link the password and the encrypted password if the latter 
changes at each run?

I tried to connect a client with an encrypted password. I used radcrypt without 
options. I inserted the result in the users file.
Here's the debug:

[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: vazou
[mschap] Told to do MS-CHAPv2 for vazou with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject

To configure the Windows client, I use PEAP with MS-CHAPv2. Is it right? I don't 
find other ways to connect a Windows client with login/password.

  Then, I want to store this encrypted password in the users file?
 
   Yes.
 
  I looked
  at man rlm_pap and I set auto_header to yes.
 
   You don't need to set that.  Leave it as the default.
 
   Alan DeKok.

RE: eap/tls questions with freeradius

2011-12-26 Thread vazoumana fofana

Sorry, I've got persistent problems:

- I filter the client certificate under the authenticate section (under eap) with:

Auth-Type eap {
    # reject any client certificate whose subject carries OU=x
    if ( %{TLS-Client-Cert-Subject} =~ /OU=x/ ) {
        reject
    }
}

Firstly, it's written in the default file:

#  Please do not put unlang configurations into the authenticate
#  section.  Put them in the post-auth section instead.  That's what
#  the post-auth section is for.

But, according to me, it's not right because I don't want to enter 
post-auth. It must be rejected before.

Secondly,

with this configuration, I try to authenticate a client with certificate 
OU=x. According to debug mode, it seemed to work. The client (Windows XP) 
requested 21 times without success. But at the 22nd, it seemed to authenticate 
successfully because I see the client associated to the AP. After a while (5-10 
minutes), the client seemed to be detached and entered an authenticating loop until 
it succeeded in authenticating.

Do you know why the client succeeds in authenticating for a time?
Is it possible to avoid requests from certain clients?
I restricted authentication requests to chosen NASes. I want to prevent clients from 
entering an authentication loop. But these clients can request authentication through 
the chosen NAS.

Cheers.



From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: eap/tls questions with freeradius
Date: Fri, 23 Dec 2011 10:32:54 +

Thanks!!!

 Date: Fri, 23 Dec 2011 16:26:20 +0700
 Subject: Re: eap/tls questions with freeradius
 From: l...@fajar.net
 To: freeradius-users@lists.freeradius.org
 
 On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
 zoumlan...@hotmail.com wrote:
 
  Do you know where I can insert a script to add new functions like described
  in my previous email?
  When the client sends its certificate, does the server check the username or
  the certificate validity first?
 
 Try:
 - http://wiki.freeradius.org/Sites%20configuration
 - http://freeradius.org/radiusd/man/unlang.html
 - http://wiki.freeradius.org/Rlm_perl
 
 Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do
 whatever filtering you want. If you need complex processing, you might
 have to use rlm_perl as well.
 
 -- 
 Fajar
 


RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana


Do you know where I can insert a script to add new functions like described in 
my previous email?
When the client sends its certificate, does the server check the username or 
the certificate validity first?

From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: RE: eap/tls questions with freeradius
Date: Tue, 20 Dec 2011 16:13:55 +

Precisely, I'm searching for check_cert_subject, which checks the client's certificate field.

From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: eap/tls questions with freeradius
Date: Tue, 20 Dec 2011 12:23:50 +

Hi,

I've got a question:
I've set up a freeradius server with EAP/TLS.
In my configuration, I use check_cert_issuer in order to check the certificate.
Is there any function which allows me to check the client's certificate subject 
(C, O, OU ...)?
Furthermore, I've got another question:
when a client requests authentication, does the server check the users file first, 
then the certificate validity of the client?

Cheers



RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana

Thanks!!!

 Date: Fri, 23 Dec 2011 16:26:20 +0700
 Subject: Re: eap/tls questions with freeradius
 From: l...@fajar.net
 To: freeradius-users@lists.freeradius.org
 
 On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
 zoumlan...@hotmail.com wrote:
 
  Do you know where I can insert a script to add new functions like described
  in my previous email?
  When the client sends its certificate, does the server check the username or
  the certificate validity first?
 
 Try:
 - http://wiki.freeradius.org/Sites%20configuration
 - http://freeradius.org/radiusd/man/unlang.html
 - http://wiki.freeradius.org/Rlm_perl
 
 Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do
 whatever filtering you want. If you need complex processing, you might
 have to use rlm_perl as well.
 
 -- 
 Fajar
 


eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana

Hi,

I've got a question:
I've set up a freeradius server with EAP/TLS.
In my configuration, I use check_cert_issuer in order to check the certificate.
Is there any function which allows me to check the client's certificate subject 
(C, O, OU ...)?
Furthermore, I've got another question:
when a client requests authentication, does the server check the users file first, 
then the certificate validity of the client?

Cheers


RE: eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana

Precisely, I'm searching for check_cert_subject, which checks the client's certificate field.

From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: eap/tls questions with freeradius
Date: Tue, 20 Dec 2011 12:23:50 +

Hi,

I've got a question:
I've set up a freeradius server with EAP/TLS.
In my configuration, I use check_cert_issuer in order to check the certificate.
Is there any function which allows me to check the client's certificate subject 
(C, O, OU ...)?
Furthermore, I've got another question:
when a client requests authentication, does the server check the users file first, 
then the certificate validity of the client?

Cheers



logging accounting

2011-12-20 Thread vazoumana fofana

Hello ,

I enabled accounting on the freeradius server. I see the logs are stored under a 
directory which contains the IP of the controller.
Is it possible to change this and specify another name?

Cheers