RE: [EAP/TLS] Authentication through a certificate
I began setting up the configuration, but I got two problems: a client with a good certificate can be authenticated even if it is not in the users file. I assume it's due to my code. Here it is, under the authenticate section of default:

    Auth-Type eap {
        eap
        # check the client certificate subject once the eap module has run
        if ( %{TLS-Client-Cert-Subject} =~ /\/\// ) {
            if ( %{TLS-Client-Cert-Subject} =~ /\/xxx\// ) {
                ok
            }
            else {
                fail
            }
        }
    }

It's like when the condition is checked, it bypasses the users file. Maybe I must move these lines under authorize? Anyone to confirm it? Cheers

> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
>
> vazoumana fofana wrote:
> > I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting it up. But I notice that freeradius matches the client login with the certificate CNAME. Is it possible to change it in order to match the email instead of the CNAME?
>
> Yes. Read the eap.conf file, and the raddb/sites-available/default. This is documented.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: [EAP/TLS] Authentication through a certificate
Here is the output:

    ? Evaluating (%{TLS-Client-Cert-Subject} =~//) -> TRUE
    ++? if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) -> TRUE
    ++- entering if (%{TLS-Client-Cert-Subject} =~ /\/O=\// ) {...}
    +++? if (%{TLS-Client-Cert-Subject} =~ /\/OU=\// )
        expand: %{TLS-Client-Cert-Subject} -> /
    ? Evaluating (%{TLS-Client-Cert-Subject} =~ /\/xxx\//) -> TRUE
    +++? if (%{TLS-Client-Cert-Subject} =~ /\/x\// ) -> TRUE
    +++- entering if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) {...}
    [noop] returns noop
    +++- if (%{TLS-Client-Cert-Subject} =~ /\/xxx\// ) returns noop
    +++ ... skipping else for request 21: Preceding if was taken
    ++- if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) returns noop
    Login OK: [xx] (from client xxx

I understand that eap returns ok, so the user is authenticated. It's not what I want to do. I want the client certificate to be authenticated by:
- being in the users file
- having the right certificate

> From: a.l.m.bu...@lboro.ac.uk
> To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
> Date: Fri, 8 Feb 2013 16:20:20 +
>
> As already said, post output of radiusd -X (that will clearly show the logic taken)
>
> alan
[EAP/TLS] Authentication through a certificate
Dear everybody, I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting it up. But I notice that freeradius matches the client login with the certificate CNAME. Is it possible to change it in order to match the email instead of the CNAME? Best regards.
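The two questions in this thread, matching the login on the certificate's emailAddress rather than its CN, and accepting a client only when its certificate OU matches and its login is in the users file, as an added Python model of the decision: this is example code, not FreeRADIUS's own logic or the poster's config, and in the server itself the equivalent unlang check belongs in the post-auth section of sites-available/default, as the default file itself advises. The sample subjects and the KNOWN_USERS set are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample subjects in the OpenSSL one-line form that FreeRADIUS
# exposes as TLS-Client-Cert-Subject (all values are made up for this example).
STAFF_SUBJECT = "/C=FR/O=Example Org/OU=staff/CN=napoleon/emailAddress=napoleon@example.org"
CONTRACTOR_SUBJECT = "/C=FR/O=Example Org/OU=staff-contractors/CN=contractor1"

# Constructed stand-in for the logins listed in raddb/users. The users file
# must be keyed on whichever certificate field (CN or emailAddress) you pick.
KNOWN_USERS = {"napoleon", "napoleon@example.org"}


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split "/C=../O=../CN=.." into ordered (type, value) pairs.

    OpenSSL's one-line format does not escape '/', so a value that contains a
    slash is ambiguous. Heuristic used here: a fragment without '=' is glued
    back onto the previous value rather than treated as a new RDN.
    """
    rdns: List[Tuple[str, str]] = []
    for fragment in subject.split("/")[1:]:
        if "=" in fragment:
            rdn_type, value = fragment.split("=", 1)
            rdns.append((rdn_type, value))
        elif rdns:
            rdn_type, value = rdns[-1]
            rdns[-1] = (rdn_type, value + "/" + fragment)
    return rdns


def subject_values(subject: str, rdn_type: str) -> List[str]:
    """All values of one RDN type, in order (OU may legitimately repeat)."""
    return [value for rtype, value in parse_subject(subject) if rtype == rdn_type]


def raw_regex_matches(subject: str, pattern: str) -> bool:
    """The poster's approach: a regex over the whole one-line subject string.
    Without the surrounding '/' anchors this is a substring test, so
    'OU=staff' also matches 'OU=staff-contractors'."""
    return re.search(pattern, subject) is not None


def decide(subject: str, required_ou: str, known_users, identity_field: str = "CN") -> Tuple[str, str]:
    """Accept only when the certificate's OU equals required_ou AND the login
    taken from identity_field (CN, or emailAddress as the poster asked for)
    is present in the users file. Returns (verdict, reason_or_login)."""
    if required_ou not in subject_values(subject, "OU"):
        return ("reject", "OU does not match")
    identities = subject_values(subject, identity_field)
    if not identities:
        return ("reject", "certificate has no " + identity_field)
    login = identities[0]
    if login not in known_users:
        return ("reject", "login not in users file: " + login)
    return ("accept", login)
```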
RE: 802.1x Issue
Yes we can. It depends on your system version. On Windows Seven, PAP is possible. On my Windows XP it's not possible. Afterwards you can install some drivers or software managers for wireless cards which implement other protocols.

> From: brekle...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: 802.1x Issue
> Date: Fri, 30 Nov 2012 16:23:46 +
>
> Is there any way a Microsoft notebook can authenticate using MD5 or PAP? By default it is only EAP (PEAP) or card/certificate. I need to know if there is anything you guys know that makes Windows work on PAP or MD5... I'm searching on the internet right now to see if I can find it; anyway I leave the question open here to anyone who knows.
matching entry in users file
Dear all, I've got a question about authentication: I want to set in the users file a user who can be authenticated in two ways: EAP-TLS (certificate) and EAP-TTLS, PAP (login/password). For the same and unique login, can I do this? Or does freeradius just check the first entry which corresponds? Cheers.
RE: matching entry in users file
> Date: Tue, 27 Nov 2012 11:48:58 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: matching entry in users file
>
> vazoumana fofana wrote:
> > I've got a question about authentication: I want to set in the users file a user who can be authenticated in two ways: EAP-TLS (certificate) and EAP-TTLS, PAP (login/password).
>
> EAP-TLS doesn't really use the users file.

I wanted to say that if a user is not in the users file, it can't be authenticated with any protocol (EAP-TLS and others).

> > For the same and unique login, can I do this? Or does freeradius just check the first entry which corresponds?
>
> FreeRADIUS authenticates the user with the information it has. If the user has a valid certificate, he's authenticated. If the user has a valid password, he's authenticated.

I tried to do this:

    napoleon SMD5-Password := yyy
    napoleon NT-Password := xx

When I try to authenticate with NT-Password, it fails. But when I delete the SMD5 entry, it works. In both cases, freeradius has the right information.

> This is the same as a user trying PAP, CHAP, or MS-CHAP. They all work. They can all be used by the same user.
>
> Alan DeKok.
RE: trouble with encrypted password
Dear all, I solved the trouble with MD5 encryption. Indeed, to encrypt the password with MD5, I use external functions (thanks to Dirk van der Walt) written in Perl in order to use radcrypt. Cheers.

> From: zoumlan...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: trouble with encrypted password
> Date: Fri, 16 Nov 2012 12:54:09 +
>
> Hello everybody, I've got trouble with encrypted passwords. I want to manage users with passwords which are longer than 8 characters. When I use radcrypt (based on crypt), it doesn't work. That's normal due to the limitation of crypt. I must cut the password to 8 characters to make it run. When I use radcrypt with MD5 encryption, it doesn't run: indeed the encrypted string generated by MD5 radcrypt is more than 16 characters. How can I use encrypted passwords without limiting the password to 8 characters? Cheers
trouble with encrypted password
Hello everybody, I've got trouble with encrypted passwords. I want to manage users with passwords which are longer than 8 characters. When I use radcrypt (based on crypt), it doesn't work. That's normal due to the limitation of crypt. I must cut the password to 8 characters to make it run. When I use radcrypt with MD5 encryption, it doesn't run: indeed the encrypted string generated by MD5 radcrypt is more than 16 characters. How can I use encrypted passwords without limiting the password to 8 characters? Cheers
RE: linelog and accounting informations
Dear all, I've almost resolved the trouble. Indeed, I activated accounting on my NAS to make accounting run. But I feel my NAS or something else is bugged. When a connection is successful, I can see packets on ports 1812 and 1813. But after 20 seconds, I see an accounting log which announces:

    Acct-Status-Type = Stop
    Acct-Input-Octets = 18014
    Acct-Output-Octets = 58987
    Acct-Input-Packets = 190
    Acct-Output-Packets = 98
    Acct-Terminate-Cause = Lost-Service
    Acct-Session-Time = 16

In fact, I didn't lose connectivity because the client is still there and running without trouble. So I want to understand something. For accounting packets, is it the radius server which requests the accounting fields from the NAS controller? When a client is disconnected for any reason, how does it warn the NAS controller? Is it the NAS controller's role to warn the radius server when it loses a client? Best regards.

> From: zoumlan...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: linelog and accounting informations
> Date: Mon, 30 Jul 2012 09:25:43 +
>
> Thanks for your answer. I had already added linelog under the accounting section. I'm gonna check if my NAS sends accounting packets by tcpdumping port 1813 on my server.
>
> > From: a.cudba...@freeradius.org
> > Subject: Re: linelog and accounting informations
> > Date: Fri, 27 Jul 2012 15:51:55 +0100
> > To: freeradius-users@lists.freeradius.org
> >
> > On 27 Jul 2012, at 15:06, vazoumana fofana zoumlan...@hotmail.com wrote:
> > > Hello everybody, I got a question about linelog: indeed I want to log and store any information. I'm focusing on accounting data. The filename is linelog under logdir. I created linelog under /var/log/radius/linelog myself with rights 644. When I run freeradius, there is no data filled in after a successful authentication and connection. Do I miss something? Are there any things to do? Here is linelog in the attached file.
> >
> > You listed linelog in the accounting section of the default server right?
> > Have you verified your NAS is actually sending accounting packets?
> >
> > -Arran
RE: linelog and accounting informations
> Date: Thu, 2 Aug 2012 09:23:57 -0700
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: linelog and accounting informations
>
> vazoumana fofana wrote:
> > For accounting packets, is it the radius server which requests the accounting fields from the NAS controller?
>
> No. The NAS sends data in an accounting packet. The server has NO CONTROL over what the NAS sends.

I don't understand very well. I set the accounting fields under linelog. So these fields come from the radius server, don't they?

> > When a client is disconnected for any reason, how does it warn the NAS controller? Is it the NAS controller's role to warn the radius server when it loses a client?
>
> Yes. But not all NASes do this.
>
> Alan DeKok.
RE: linelog and accounting informations
Thanks for your answer. I had already added linelog under the accounting section. I'm gonna check if my NAS sends accounting packets by tcpdumping port 1813 on my server.

> From: a.cudba...@freeradius.org
> Subject: Re: linelog and accounting informations
> Date: Fri, 27 Jul 2012 15:51:55 +0100
> To: freeradius-users@lists.freeradius.org
>
> On 27 Jul 2012, at 15:06, vazoumana fofana zoumlan...@hotmail.com wrote:
> > Hello everybody, I got a question about linelog: indeed I want to log and store any information. I'm focusing on accounting data. The filename is linelog under logdir. I created linelog under /var/log/radius/linelog myself with rights 644. When I run freeradius, there is no data filled in after a successful authentication and connection. Do I miss something? Are there any things to do? Here is linelog in the attached file.
>
> You listed linelog in the accounting section of the default server right?
> Have you verified your NAS is actually sending accounting packets?
>
> -Arran
linelog and accounting informations
Hello everybody, I got a question about linelog: indeed I want to log and store any information. I'm focusing on accounting data. The filename is linelog under logdir. I created linelog under /var/log/radius/linelog myself with rights 644. When I run freeradius, there is no data filled in after a successful authentication and connection. Do I miss something? Are there any things to do? Here is linelog in the attached file. Cheers.
RE: passwd encrypted in user file
Thanks for your answer.

> Date: Fri, 20 Apr 2012 15:36:53 +0100
> From: m...@leicester.ac.uk
> To: freeradius-users@lists.freeradius.org
> Subject: Re: passwd encrypted in user file
>
> On Fri, Apr 20, 2012 at 02:27:25PM +, vazoumana fofana wrote:
> > username Crypt-Password := $1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0.
> ...
> > To configure the Windows client, I use PEAP with MSCHAPv2. Is it right? I don't find other ways to connect a Windows client with login/passwd.
>
> You can't, unless you use a 3rd party supplicant or Windows 8. Windows built-in only supports PEAP/MS-CHAPv2 for auth. The password has to be stored clear-text or as an NT hash.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> This was posted to the list just earlier today.
>
> Matthew
>
> --
> Matthew Newton, Ph.D. m...@le.ac.uk
> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
passwd encrypted in user file
Hello everybody, sorry for this question: I want to use encrypted passwords in the users file without using unix files. So, I have to write:

    username Crypt-Password := $1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0.

How does Freeradius link the encrypted password with the password? I want to run a command which encrypts the password. Which command could I use? My system is unix-like. Then, I want to store this encrypted password in the users file? I looked at man rlm_pap and I set auto_header to yes. Thanks for any answer.
RE: passwd encrypted in user file
> Date: Fri, 20 Apr 2012 15:47:28 +0200
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: passwd encrypted in user file
>
> vazoumana fofana wrote:
> > I want to use encrypted passwords in the users file without using unix files. So, I have to write:
> >
> >     username Crypt-Password := $1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0.
> >
> > How does Freeradius link the encrypted password with the password?
>
> The PAP module does this. It sees the Crypt-Password as one of the formats supported for known good passwords. It then uses User-Password from the packet, and compares the two.
>
> > I want to run a command which encrypts the password. Which command could I use? My system is unix-like.
>
> See radcrypt, which comes with the server.

I use radcrypt but I note that for the same passwd, the encrypted passwd changes every time. Is it right? How does freeradius link the passwd and the encrypted passwd if the latter changes at each run?

I tried to connect a client with an encrypted passwd. I used radcrypt without options. I inserted the result in the users file. Here's the debug:

    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
    [mschapv2] +- entering group MS-CHAP {...}
    [mschap] No Cleartext-Password configured. Cannot create LM-Password.
    [mschap] No Cleartext-Password configured. Cannot create NT-Password.
    [mschap] Creating challenge hash with username: vazou
    [mschap] Told to do MS-CHAPv2 for vazou with NT-Password
    [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
    [mschap] FAILED: MS-CHAP2-Response is incorrect
    ++[mschap] returns reject
    [eap] Freeing handler
    ++[eap] returns reject

To configure the Windows client, I use PEAP with MSCHAPv2. Is it right? I don't find other ways to connect a Windows client with login/passwd.

> > Then, I want to store this encrypted password in the users file?
>
> Yes.
>
> > I looked at man rlm_pap and I set auto_header to yes.
>
> You don't need to set that. Leave it as the default.
>
> Alan DeKok.
RE: eap/tls questions with freeradius
Sorry, I've got persistent problems:

- I filter the client certificate under the authenticate section (under eap) with:

    Auth-Type eap {
        if ( %{TLS-Client-Cert-Subject} =~ /OU=x/ ) {
            reject
        }
    }

Firstly, it's written in the default file:

    #  Please do not put unlang configurations into the authenticate
    #  section.  Put them in the post-auth section instead.  That's what
    #  the post-auth section is for.

But, according to me, it's not right because I don't want to enter post-auth. It must be rejected before.

Secondly, with this configuration, I try to authenticate a client with certificate OU=x. According to debug mode, it seemed to work. The client (Windows XP) requested 21 times without success. But at the 22nd, it seemed to authenticate successfully because I see the client associated to the AP. After some time (5-10 minutes), the client seemed to be detached and entered an authenticating loop until it succeeded in authenticating. Do you know why the client succeeds in authenticating for a time?

Is it possible to avoid requests from certain clients? I restrict authentication requests to chosen NAS. I want to avoid clients entering an authentication loop. But these clients can request authentication through the chosen NAS. Cheers.

> From: zoumlan...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: eap/tls questions with freeradius
> Date: Fri, 23 Dec 2011 10:32:54 +
>
> Thanks!!!
>
> > Date: Fri, 23 Dec 2011 16:26:20 +0700
> > Subject: Re: eap/tls questions with freeradius
> > From: l...@fajar.net
> > To: freeradius-users@lists.freeradius.org
> >
> > On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana zoumlan...@hotmail.com wrote:
> > > Do you know where I can insert a script to add new functions like described in my previous email? When the client sends its certificate, does the server check the username or the certificate validity first?
> >
> > Try:
> > - http://wiki.freeradius.org/Sites%20configuration
> > - http://freeradius.org/radiusd/man/unlang.html
> > - http://wiki.freeradius.org/Rlm_perl
> >
> > Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do whatever filtering you want. If you need complex processing, you might have to use rlm_perl as well.
> >
> > --
> > Fajar
RE: eap/tls questions with freeradius
Do you know where I can insert a script to add new functions like described in my previous email? When the client sends its certificate, does the server check the username or the certificate validity first?

> From: zoumlan...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: RE: eap/tls questions with freeradius
> Date: Tue, 20 Dec 2011 16:13:55 +
>
> Precisely, I'm looking for check_cert_subject, which checks the client's certificate field.
>
> > From: zoumlan...@hotmail.com
> > To: freeradius-users@lists.freeradius.org
> > Subject: eap/tls questions with freeradius
> > Date: Tue, 20 Dec 2011 12:23:50 +
> >
> > Hi, I've got a question: I've set up a freeradius server with EAP/TLS. In my configuration, I use check_cert_issuer in order to check the certificate. Is there any function which allows me to check the client's certificate subject (C, O, OU ??)? Furthermore, I've got another question: when a client requests authentication, does the server check the users file first, then the client's certificate validity? Cheers
RE: eap/tls questions with freeradius
Thanks!!!

> Date: Fri, 23 Dec 2011 16:26:20 +0700
> Subject: Re: eap/tls questions with freeradius
> From: l...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana zoumlan...@hotmail.com wrote:
> > Do you know where I can insert a script to add new functions like described in my previous email? When the client sends its certificate, does the server check the username or the certificate validity first?
>
> Try:
> - http://wiki.freeradius.org/Sites%20configuration
> - http://freeradius.org/radiusd/man/unlang.html
> - http://wiki.freeradius.org/Rlm_perl
>
> Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do whatever filtering you want. If you need complex processing, you might have to use rlm_perl as well.
>
> --
> Fajar
eap/tls questions with freeradius
Hi, I've got a question: I've set up a freeradius server with EAP/TLS. In my configuration, I use check_cert_issuer in order to check the certificate. Is there any function which allows me to check the client's certificate subject (C, O, OU ??)? Furthermore, I've got another question: when a client requests authentication, does the server check the users file first, then the client's certificate validity? Cheers
RE: eap/tls questions with freeradius
Precisely, I'm looking for check_cert_subject, which checks the client's certificate field.

> From: zoumlan...@hotmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: eap/tls questions with freeradius
> Date: Tue, 20 Dec 2011 12:23:50 +
>
> Hi, I've got a question: I've set up a freeradius server with EAP/TLS. In my configuration, I use check_cert_issuer in order to check the certificate. Is there any function which allows me to check the client's certificate subject (C, O, OU ??)? Furthermore, I've got another question: when a client requests authentication, does the server check the users file first, then the client's certificate validity? Cheers
logging accounting
Hello, I enabled accounting on the freeradius server. I see the logs are stored under a directory which contains the IP of the controller. Is it possible to change this and specify another name? Cheers