Re: Freeradius on lenny doesn't permit mschap auth

2011-02-14 Thread Schaatsbergen, Chris
Hi David,

In case you have not found it yet, in the lenny package somehow there is one 
line missing in the radiusd.conf file. In the modules section there should be:

$INCLUDE ${confdir}/modules/

I would suggest, top of the modules section.

Then ntlm_auth should work.

Good luck,

Chris

 -----Original Message-----
 From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org
 [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
 On Behalf Of David Dumortier
 Sent: Friday, 14 January 2011 11:27
 To: freeradius-users@lists.freeradius.org
 Subject: Freeradius on lenny doesn't permit mschap auth
 
 Hi all,
 
 I had read and configure like
 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
 
 I have test ntlm_auth with success but
 radtest user passwd localhost 0 testing123 fail
 
 I attach my debug output
 
 Thanks
 --
 David Dumortier

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Fabien COMBERNOUS

On 14/01/2011 23:47, Alan DeKok wrote:
 Fabien COMBERNOUS wrote:

 [...]

 David is not bridling but just remember his constraints.

 They are *his* constraints.  If he can't even install a version of
 2.1.10 in order to run radtest which can do MS-CHAP, then those
 constraints are ridiculous.

Even if he has to consider them, perhaps he thinks like you. :)

In a complex environment to change a piece of software can have
unexpected consequences. And so to change it, it demands long testing
procedures for several teams. I already worked in this kind of
environment. And you have to give good reasons enough to make a
modification of the setup.

If it is impossible to do what it is necessary, a help for him is
probably to provide the good reasons of the modification of his
setup. Only blaming the person is not useful in my opinion. However, I
understand that you don't want to lose your time.


Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Bjørn Mork
Fabien COMBERNOUS fcombern...@kezia.com writes:

 In a complex environment to change a piece of software can have
 unexpected consequences. And so to change it, it demands long testing
 procedures for several teams. I already worked in this kind of
 environment. And you have to give good reasons enough to make a
 modification of the setup.

So?  You've painted yourself into an unsupportable environment. The
polite thing to do would be to state this when asking, to avoid wasting
everyone's time.

No one really cares whether it's stupidity on an individual or an
enterprise level.


Bjørn


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread David Dumortier
On Mon Jan 17 2011 at 09:29:47AM +0100, Fabien COMBERNOUS wrote:
 On 14/01/2011 23:47, Alan DeKok wrote:
 Fabien COMBERNOUS wrote:

 [...]
 David is not bridling but just remember his constraints.
They are *his* constraints.  If he can't even install a version of
 2.1.10 in order to run radtest which can do MS-CHAP, then those
 constraints are ridiculous.
 Even if he have to consider them, perhaps he thinks like you. :)

To resume to be in a distribution make easy security updates. I wait
squeeze in hurry (perhaps before the end of my radius project ;-) ).

 In a complex environment to change a piece of software can have  
 unexpected consequences. And so to change it, it demands long testing  
 procedures for several teams. I already worked in this kind of  
 environment. And you have to give good reasons enough to make a  
 modification of the setup.

 If it is impossible to do what it is necessary, a help for him is  
 probably to provide the good reasons of the modification of his  
 setup.Only blaming the person is not useful in my opinion. How ever, i  
 understand that you don't want to loose your time.

Thanks for my defense. But I consider the flame closed. And I
understand too the lack of time for everyone.

I will try to find a mschap string with a second installation on a
second server. After that I will see and tell the result here. I
expect to have some other questions about the differences between the
2 versions but I hope it will be ok.

 Regards,
 -- 
 *Fabien COMBERNOUS*
 /unix system engineer/
 www.kezia.com http://www.kezia.com/
 *Tel: +33 (0) 467 992 986*
 Kezia Group

Regards,
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Martín Ruiz [Ibersystems.es]
I think some comments.. are too heavy : P

I'm reading this list looking for solutions, or improvements for my servers,
but these threads are disgusting me. It's not necessary to write things like
this..

I don't agree with this. When someone requests help, you can help as
usual. If he can't do what is necessary, it is his problem, but no more..
next thread : D!

It's not necessary to start a war in the list..

* Martín Ruiz*
* *
 *Ibersystems Solutions, SL*
* *
Dpto. Redes Inalámbricas

Tel.  902 909 858
   93 184 52 13
   669 37 95 21

Fax 93 758 63 01

http://www.ibersystems.es
martinr...@ibersystems.es








2011/1/17 Bjørn Mork bj...@mork.no

 Fabien COMBERNOUS fcombern...@kezia.com writes:

  In a complex environment to change a piece of software can have
  unexpected consequences. And so to change it, it demands long testing
  procedures for several teams. I already worked in this kind of
  environment. And you have to give good reasons enough to make a
  modification of the setup.

 So?  You've painted yourself into an unsupportable environment. The
 polite thing to do would be to state this when asking, to avoid wasting
 everyones time.

 Noone really cares whether it's stupidity on an individual or an
 enterprise level.


 Bjørn


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread David Dumortier
On Mon Jan 17 2011 at 10:13:56AM +0100, Bjørn Mork wrote:
 Fabien COMBERNOUS fcombern...@kezia.com writes:
 

[...]

 So?  You've painted yourself into an unsupportable environment. The
 polite thing to do would be to state this when asking, to avoid wasting
 everyones time.
 
 Noone really cares whether it's stupidity on an individual or an
 enterprise level.

Please, my intention was not to produce a flamewar. It is the first
time it has happened to me and it makes me uncomfortable. I probably
misunderstood some terms in mails and was probably misunderstood in my
intention.
What I seek on this list is your expertise on freeradius to solve a
problem that I described. I think I have some problems with English and
freeradius (it is the first time I deal with freeradius and all these
strange words as mschap and eap and ... ;-) )
I'm ready to make many efforts to solve my problems, but I cannot
without your help, please be clear on explanation as I'm a newbie in
this area. (for example the idea of making another server to have the
mschap string was not clear in the beginning for me).

 Bjørn

Beside our past disagreement, thank you for your help.
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Josip Rodin
On Mon, Jan 17, 2011 at 10:20:00AM +0100, David Dumortier wrote:
  In a complex environment to change a piece of software can have  
  unexpected consequences. And so to change it, it demands long testing  
  procedures for several teams.
 
 I will try to find a mschap string with a second installation on a
 second server.

This was supposed to be the solution to the showstopper from the get-go.
The client and the server simply do not have to be installed from the same
source on the same machine. Adding a new machine with newer software for a
specific purpose is usually a triviality these days.

As usual, it would have helped if all parties would have steered away from
snappy remarks. Rather than do that, it's often simpler and eminently more
productive to keep silent.

(Yes, I know I've said this before. Repetitio est mater studiorum.)

-- 
 2. That which causes joy or happiness.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-17 Thread Bjørn Mork
Josip Rodin j...@entuzijast.net writes:

 As usual, it would have helped if all parties would have steered away from
 snappy remarks. Rather than do that, it's often simpler and eminently more
 productive to keep silent.

You are of course correct.  I apologise for my unnecessary comment.  I
will try to avoid such comments in the future.


Bjørn


Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread David Dumortier
Hi all,

I had read and configure like
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I have test ntlm_auth with success but
radtest user passwd localhost 0 testing123
fail

I attach my debug output

Thanks
-- 
David Dumortier
FreeRADIUS Version 2.0.4, for host x86_64-pc-linux-gnu, built on Sep  7 2008 at 
17:42:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm mydomain {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --username=%{mschap:User-Name} 
--password=%{User-Password} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00}
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/freeradius/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring 

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alan DeKok
David Dumortier wrote:
 Hi all,
 
 I had read and configure like
 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

  You didn't follow the steps.  If you had, it would have worked.

  See also http://deployingradius.com/.  It includes instructions on
configuring Active Directory.

 I attach my debug output

  You're running 2.0.4.  I suggest upgrading to 2.1.10.

  Alan DeKok.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread David Dumortier
Hi,

On Fri Jan 14 2011 at 11:36:04AM +0100, Alan DeKok wrote:
 David Dumortier wrote:
  Hi all,
  
  I had read and configure like
  http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
 
   You didn't follow the steps.  If you had, it would have worked.

If it had worked I wouldn't have posted here.

   See also http://deployingradius.com/.  It includes instructions on
 configuring Active Directory.

I read this documentation too (I read about 150 post/doc/howto without
success).

  I attach my debug output
 
   You're running 2.0.4.  I suggest upgrading to 2.1.10.

I'm on Debian/lenny, I will stay on lenny.

   Alan DeKok.

I admit I can have made a mistake but currently I don't see it, so I
post here.
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Phil Mayers

On 14/01/11 10:59, David Dumortier wrote:
 You're running 2.0.4.  I suggest upgrading to 2.1.10.

 I'm on Debian/lenny, I will stay on lenny.

Sigh. So you're not willing to follow the advice people give you. Why ask?

 I admit I can have made a mistake but currently I don't see it, so I
 post here.

You have made a mistake:

 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 47992, id=115, length=59
   User-Name = user
   User-Password = passwd
   NAS-IP-Address = 192.168.15.22
   NAS-Port = 0

...this is not an mschap request. Therefore:

 ++[mschap] returns noop
 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

...i.e. the mschap module ignores it, because it's not mschap, and no
other module catches it, so it can't be handled/authenticated.

If you want to test mschap... send an mschap request.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alan DeKok
David Dumortier wrote:
 If it had worked I woundn't have post here.

  OK... so the documentation which works for everyone else doesn't work
for you.

  Or, based on the debug output you posted, you didn't follow the
documentation.

   See also http://deployingradius.com/.  It includes instructions on
 configuring Active Directory.
 
 I read this documentation too (I read about 150 post/doc/howto without
 success).

  That page is simple, and contains a series of simple steps.  You don't
need 150 other posts.  You just need to follow the docs, and do it step
by step.  At some point, either a step will not work, and you will be
able to see why.  Or, all of the steps will work, and you will see that
you *previously* didn't follow them.

 I attach my debug output
   You're running 2.0.4.  I suggest upgrading to 2.1.10.
 
 I'm on Debian/lenny, I will stay on lenny.

  That's your choice.  But... not our recommendation.

  Alan DeKok.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Johan Meiring

On 2011/01/14 02:07 PM, Alan DeKok wrote:
 I attach my debug output

 You're running 2.0.4.  I suggest upgrading to 2.1.10.

 I'm on Debian/lenny, I will stay on lenny.

 That's your choice.  But... not our recommendation.

I run debian lenny and 2.1.10.
Download the source.
Extract.
run dpkg-buildpackage

You have a debian package for 2.1.10 that you can install.  It's that simple.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread David Dumortier
On Fri Jan 14 2011 at 12:05:36PM +, Phil Mayers wrote:
 On 14/01/11 10:59, David Dumortier wrote:

You're running 2.0.4.  I suggest upgrading to 2.1.10.

 I'm on Debian/lenny, I will stay on lenny.

 Sigh. So you're not willing to follow the advice people give you. Why ask?

Mmmmh seems to be pretty offensive !
In a production environment you can't make what you want. /end of
the troll.


 I admit I can have made a mistake but currently I don't see it, so I
 post here.

 You have made a mistake:

 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 47992, id=115,  
 length=59
   User-Name = user
   User-Password = passwd
   NAS-IP-Address = 192.168.15.22
   NAS-Port = 0

 ...this is not an mschap request. Therefore:

 ++[mschap] returns noop
 auth: No authenticate method (Auth-Type) configuration found for the  
 request: Rejecting the user

 ...i.e. the mschap module ignores it, because it's not mschap, and no  
 other module catches it, so it can't be handled/authenticated.

 If you want to test mschap... send an mschap request.

So radtest can't make an mschap request ?

-- 
David Dumortier
PS : I'm not here to listen read the doc, I read it and others. I
tried 2 times step by step and have a problem. I'm not here to be
bashed, thank you. It is the first time in ten years I have a welcome
like this.

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alan DeKok
David Dumortier wrote:
 On Fri Jan 14 2011 at 12:05:36PM +, Phil Mayers wrote:
 Sigh. So you're not willing to follow the advice people give you. Why ask?
 
 Mmmmh seems to be pretty offensive !

  If you're offended when we give advice, I suggest you stop asking
questions on this list.

 In a production environement you can't make what you want. /end of
 the troll.

  That's *your* choice.

 So radtest can't make an mschap request ?

  In 2.1.10, yes.

  But you want to use tools which are years out of date.

  So... you're offended when we give advice, and you're not willing to
follow any advice that's given.

  Why, exactly, are you posting questions here?

  Alan DeKok.

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread David Dumortier
On Fri Jan 14 2011 at 01:49:28PM +0100, Alan DeKok wrote:
 David Dumortier wrote:

[...]

  So radtest can't make an mschap request ?
 
   In 2.1.10, yes.
 
   But you want to use tools which are years out of date.

I have some constraint, one is to be lenny compliant with lenny
software, no backport.

   So... you're offended when we give advice, and you're not willing to
 follow any advice that's given.
 
   Why, exactly, are you posting questions here?

Because I followed this doc :
http://deployingradius.com/documents/configuration/active_directory.html
step by step and can't solve the problem.

At line : $ radtest user password localhost 0 testing123 
I've got a failed message: 
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=115,
length=20

And I can't solve it.

   Alan DeKok.

-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alexandre
David,
I think you really are taking it the wrong way.
The advice given by Alan is good. There's no point feeling offended
by an email... it's even quite ridiculous (don't be offended).
For Lenny there is absolutely no pb building a nice package from
sources or even use backports repository which are officially supported
by debian nowadays.
I suggest you follow what people say here:
-upgrade using your fav method
-follow the steps presented in documentation.

Regards.

2011/1/14 Alan DeKok al...@deployingradius.com:
 David Dumortier wrote:
 On Fri Jan 14 2011 at 12:05:36PM +, Phil Mayers wrote:
 Sigh. So you're not willing to follow the advice people give you. Why ask?

 Mmmmh seems to be pretty offensive !

  If you're offended when we give advice, I suggest you stop asking
 questions on this list.

 In a production environement you can't make what you want. /end of
 the troll.

  That's *your* choice.

 So radtest can't make an mschap request ?

  In 2.1.10, yes.

  But you want to use tools which are years out of date.

  So... you're offended when we give advice, and you're not willing to
 follow any advice that's given.

  Why, exactly, are you posting questions here?

  Alan DeKok.

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alan DeKok
David Dumortier wrote:
 I have some constraint, one is to be lenny compliant with lenny
 software, no backport.

  Our constraints are that when people ask questions, they follow the
instructions in the answers.

  Alan DeKok.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Josip Rodin
On Fri, Jan 14, 2011 at 02:39:58PM +0200, Johan Meiring wrote:
 On 2011/01/14 02:07 PM, Alan DeKok wrote:
 I attach my debug output
You're running 2.0.4.  I suggest upgrading to 2.1.10.

 I'm on Debian/lenny, I will stay on lenny.

That's your choice.  But... not our recommendation.


 I run debian lenny and 2.1.10.
 Download the source.
 Extract.
 run dpkg-buildpackage

 You have a debian package for 2.1.10 that you can install.  Its that simple.

Actually it's even simpler. Add lenny-backports to sources.list, update,
and just install the new packages.

-- 
 2. That which causes joy or happiness.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Josip Rodin
On Fri, Jan 14, 2011 at 02:57:26PM +0100, joy wrote:
 On Fri, Jan 14, 2011 at 02:39:58PM +0200, Johan Meiring wrote:
  On 2011/01/14 02:07 PM, Alan DeKok wrote:
  I attach my debug output
 You're running 2.0.4.  I suggest upgrading to 2.1.10.
 
  I'm on Debian/lenny, I will stay on lenny.
 
 That's your choice.  But... not our recommendation.
 
 
  I run debian lenny and 2.1.10.
  Download the source.
  Extract.
  run dpkg-buildpackage
 
  You have a debian package for 2.1.10 that you can install.  Its that simple.
 
 Actually it's even simpler. Add lenny-backports to sources.list, update,
 and just install the new packages.

Since this doesn't seem to be so trivial, I've added step-by-step
instructions on the wiki:

http://wiki.freeradius.org/Debian

-- 
 2. That which causes joy or happiness.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Martín Ruiz [Ibersystems.es]
Oh mates! Free hugs here. : D!

* Martín Ruiz*
* *
 *Ibersystems Solutions, SL*
* *
Dpto. Redes Inalámbricas

Tel.  902 909 858
   93 184 52 13
   669 37 95 21

Fax 93 758 63 01

http://www.ibersystems.es
martinr...@ibersystems.es








2011/1/14 Alan DeKok al...@deployingradius.com

 David Dumortier wrote:
  I have some constraint, one is to be lenny compliant with lenny
  software, no backport.

   Our constraints are that when people ask questions, they follow the
 instructions in the answers.

  Alan DeKok.

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Phil Mayers

On 14/01/11 12:44, David Dumortier wrote:
 On Fri Jan 14 2011 at 12:05:36PM +, Phil Mayers wrote:
 On 14/01/11 10:59, David Dumortier wrote:
 You're running 2.0.4.  I suggest upgrading to 2.1.10.

 I'm on Debian/lenny, I will stay on lenny.

 Sigh. So you're not willing to follow the advice people give you. Why ask?

 Mmmmh seems to be pretty offensive !

Shrug. You are entitled to your opinion. I'm not going to lose any sleep
over it.

 In a production environment you can't make what you want. /end of
 the troll.

We run a locally-built version of FreeRadius 2.1.10 + patches in a
production environment doing millions of authentications per-day. Maybe
it's just you that can't run what you like?

 ...i.e. the mschap module ignores it, because it's not mschap, and no
 other module catches it, so it can't be handled/authenticated.

 If you want to test mschap... send an mschap request.

 So radtest can't make an mschap request ?

Yes. In 2.1.10, which you don't want to run.

Even though you are bridling at my advice, I'm going to try one last
time to be helpful. An MS-CHAP request looks like this:

User-Name = theuser
MS-CHAP-Challenge = 0x<32 hex digits>
MS-CHAP2-Response = 0x<100 hex digits>

...and in all versions of FreeRadius, a request like the above can be
put into a test file and sent with radclient like so:

radclient -s -f request.txt $HOST auth $SECRET

All you need to do is generate a valid mschap challenge & response pair;
you can send the same one again and again (because in mschap the NAS
generates and supplies the challenge, unlike EAP-MSCHAP where the radius
server generates it).

You can generate a valid mschap challenge/response by reading the
MS-CHAP RFCs and writing some code.

Or you can install FreeRadius 2.1.10, on another machine for example,
and send the mschap requests from there using radtest from 2.1.10.

Or you can use a real NAS to send a real MSCHAP request, capture it
using FreeRadius in debug mode, then replay it for testing.

So, you've actually got lots of options.
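The following is an added example, not part of Phil Mayers's posts and not FreeRADIUS code: a Python check that reads the attribute lines of a request (from debug output or a radclient request file), tells a PAP request from an MS-CHAP one, and validates the 16-octet challenge (32 hex digits) and 50-octet response (100 hex digits) he describes. The function names and sample hex values are constructed for illustration; the field layout and the zero-value rules are taken from RFC 2548.

```python
import re

# Attribute lines look like `Name = value` in debug output and radclient files.
ATTR_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Octet counts for the Microsoft vendor attributes (RFC 2548).
CHALLENGE_LEN = {"mschapv1": 8, "mschapv2": 16}
RESPONSE_LEN = 50  # ident(1) + flags(1) + 48 octets of response data


def parse_attributes(text):
    """Collect `Name = value` pairs; surrounding double quotes are dropped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def hex_octets(value):
    """Decode a 0x-prefixed hex string, or return None if it is malformed."""
    if not value.lower().startswith("0x"):
        return None
    try:
        return bytes.fromhex(value[2:])
    except ValueError:
        return None


def classify_request(text):
    """Return the request kind, decoded response fields and any length problems."""
    attrs = parse_attributes(text)
    result = {"kind": "unknown", "problems": [], "fields": {}}
    if "MS-CHAP2-Response" in attrs:
        kind, resp_name = "mschapv2", "MS-CHAP2-Response"
    elif "MS-CHAP-Response" in attrs:
        kind, resp_name = "mschapv1", "MS-CHAP-Response"
    else:
        # No MS-CHAP response attribute: the mschap module has nothing to act on.
        if "User-Password" in attrs:
            result["kind"] = "pap"
        return result
    result["kind"] = kind

    challenge = hex_octets(attrs.get("MS-CHAP-Challenge", ""))
    if challenge is None:
        result["problems"].append("MS-CHAP-Challenge missing or not 0x-prefixed hex")
    elif len(challenge) != CHALLENGE_LEN[kind]:
        result["problems"].append(
            "MS-CHAP-Challenge is %d octets, expected %d"
            % (len(challenge), CHALLENGE_LEN[kind]))

    response = hex_octets(attrs[resp_name])
    if response is None:
        result["problems"].append(resp_name + " is not 0x-prefixed hex")
    elif len(response) != RESPONSE_LEN:
        result["problems"].append(
            "%s is %d octets, expected %d" % (resp_name, len(response), RESPONSE_LEN))
    elif kind == "mschapv2":
        # ident | flags | peer challenge (16) | reserved (8) | NT response (24)
        result["fields"] = {"ident": response[0], "flags": response[1],
                            "peer_challenge": response[2:18].hex(),
                            "nt_response": response[26:50].hex()}
        if response[1] != 0 or any(response[18:26]):
            result["problems"].append("flags and reserved octets must be zero")
    else:
        # ident | flags | LM response (24) | NT response (24)
        result["fields"] = {"ident": response[0], "flags": response[1],
                            "lm_response": response[2:26].hex(),
                            "nt_response": response[26:50].hex()}
    return result


# Constructed sample: the PAP request shown in the debug output above.
PAP_SAMPLE = "\n".join([
    "rad_recv: Access-Request packet from host 127.0.0.1 port 47992, id=115, length=59",
    '        User-Name = "user"',
    '        User-Password = "passwd"',
    "        NAS-IP-Address = 192.168.15.22",
    "        NAS-Port = 0",
])

# Constructed sample: well-formed lengths only, the values are not a valid login.
MSCHAPV2_SAMPLE = "\n".join([
    "User-Name = theuser",
    "MS-CHAP-Challenge = 0x" + "11" * 16,
    "MS-CHAP2-Response = 0x" + "0100" + "22" * 16 + "00" * 8 + "33" * 24,
])

if __name__ == "__main__":
    for name, sample in (("pap", PAP_SAMPLE), ("mschapv2", MSCHAPV2_SAMPLE)):
        print(name, classify_request(sample))
```

A request file that passes this check has the right shape for `radclient -f`; whether the server accepts it still depends on the response having been computed from the user's real password.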

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Johan Meiring

On 2011/01/14 03:57 PM, Josip Rodin wrote:
 Actually it's even simpler. Add lenny-backports to sources.list, update,
 and just install the new packages.

Must say I didn't know that backports also maintained freeradius.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread David Dumortier
On Fri Jan 14 2011 at 02:13:04PM +0100, Alexandre wrote:
 David,
 I think you really are taking it the wrong way.

I'm upset about my problem and not an English speaker. I'm reading docs
many times about a subject I don't understand quite well.
I reacted a bit angrily, my apologies.

 Advices given by Alan are good ones. There's no point feeling offended
 by an email... it's even quite ridiculous (don't be offended).
 For Lenny there is absolutely no pb building a nice package from
 sources or even use backports repository which are officialy supported
 by debian nowadays.

I don't deny the value of anybody. I have some constraints on my
installation and have to fit them. I prefer a I don't know than a
you're deaf.

 I suggest you follow what people say here:
 -upgrade using your fav method

I can *not*

 -follow the steps presented in documentation.

file raddb/modules/ntlm_auth doesn't exist (the directory modules
doesn't either). So I added
ntlm_auth = /usr/bin/ntlm_auth ... in the mschap on radiusd.conf
As I understand I have to send an mschap request because my radtest
version doesn't, right ?

As other problem DEFAULT Auth-Type = ntlm_auth  is not recognized
in users file because section is not defined.

I think the 2 problems are linked but cannot find a doc about this
damn 2.0.4 version that explains how to create the module.

 Regards.
 

Best regards,
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread David Dumortier
On Fri Jan 14 2011 at 02:32:12PM +, Phil Mayers wrote:
[...]

 Even though you are bridling at my advice, I'm going to try one last  
 time to be helpful. An MS-CHAP request looks like this:

 User-Name = theuser
 MS-CHAP-Challenge = 0x32 hex digits
 MS-CHAP2-Response = 0x100 hex digits

 ...and in all versions of FreeRadius, a request like the above can be  
 put into a test file and sent with radclient like so:

 radclient -s -f request.txt $HOST auth $SECRET

 All you need to do is generate a valid mschap challenge  response pair;  
 you can send the same one again and again (because in mschap the NAS  
 generates and supplies the challenge, unlike EAP-MSCHAP where the radius  
 server generates it).

 You can generate a valid mschap challenge/response by reading the  
 MS-CHAP RFCs and writing some code.

 Or you can install FreeRadius 2.1.10, on another machine for example,  
 and send the mschap requests from there using radtest from 2.1.10.

 Or you can use a real NAS to send a real MSCHAP requests, capture it  
 using FreeRadius in debug mode, then replay it for testing.


 So, you've actually got lots of options.

Thank you, it is that I searched.

Regards,
-- 
David Dumortier

Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alan DeKok
David Dumortier wrote:
 -follow the steps presented in documentation.
 
 file raddb/modules/ntlm_auth doesn't exist (the directory modules
 doesn't either).

  Because you're running an old version.

  With all due respect, nothing prevents you from downloading 2.1.10,
and *not* installing it.  Read the examples & config.  Many will still
work in 2.0.4.

 So I added 
 ntlm_auth = /usr/bin/ntlm_auth ... in the mschap on radiusd.conf
 As I understand I have to send an mschap request because my radtest
 version doesn't, right ?

  sigh  This question has been answered repeatedly in previous messages.

 As other problem DEFAULT Auth-Type = ntlm_auth  is not recognize
 in users file because section is not define.

  Because you didn't follow the documentation.

 I think the 2 problems are linked but cannot find a doc about this
 damn 2.0.4 version that explain how to create the module.

  For what you're doing, there are *very* few differences between 2.0.4
and 2.1.10.  The examples, documentation, and howtos still largely apply.

  There's nothing preventing you from *installing* a test version of
2.1.10.  Then, configuring that to work.  And once it works, figuring
out how to apply that configuration to 2.0.4.

  Installing a test version of 2.1.10 would have been *less* work than
arguing on this list.  Go do it now, and stop complaining about the
documentation.

  Alan DeKok.


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Fabien COMBERNOUS
On 14/01/2011 15:32, Phil Mayers wrote:

[...]

 Even though you are bridling at my advice, I'm going to try one
 last time to be helpful.

Imagine that David is alone, on a very isolated island without any
other humans. And he needs to eat. He asks for help to learn how to
kill animals of this island. Your answer was "go to the
supermarket". This answer didn't consider the question enough.

David is not bridling but just remember his constraints.

Best regards,
-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986


Re: Freeradius on lenny doesn't permit mschap auth

2011-01-14 Thread Alan DeKok
Fabien COMBERNOUS wrote:
 Imagine that David is alone, on an very isolated island without any
 others humans. And he needs to eat. He asks help to learn how to kill
 animals of this island. Your answer was go to the supermarket. This
 answer didn't consider the question enough.

  He was told multiple times how to fix his problem while meeting his
constraints.

 David is not bridling but just remember his constraints.

  They are *his* constraints.  If he can't even install a version of
2.1.10 in order to run radtest which can do MS-CHAP, then those
constraints are ridiculous.

  As always, if you're not going to follow instructions, don't ask for help.

  Alan DeKok.