Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread Jouni Malinen
On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
 The old HP switches used to convert the Reply-Message into an 
 EAP-Notification and send it after the EAP-Success or EAP-Failure.

This is not compliant with the EAP specification (EAP-Notification
needs to be sent prior to completion of an EAP authentication method).
Sending it after EAP-Success or EAP-Failure would look like an attempt
to initiate another authentication exchange.

 It may be possible to send it before the EAP-Success/EAP-Failure message for 
 some EAP methods, but chances are not all supplicants will like it, and most 
 probably won't display anything.

EAP-Notification is not really supported in general and even the
specification does not really require displaying anything from this
message to the user.. There is also no way of authenticating this
information, so this would not be ideal for authorization failures.

- Jouni
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread Arran Cudbard-Bell

On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:

 On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:
 The old HP switches used to convert the Reply-Message into an 
 EAP-Notification and send it after the EAP-Success or EAP-Failure.
 
 This is not compliant with the EAP specification (EAP-Notification
 needs to be sent prior to completion of an EAP authentication method).
 Sending it after EAP-Success or EAP-Failure would look like an attempt
 to initiate another authentication exchange.

Their 802.1X implementation was pre RFC3579. In newer firmware releases this 
has been fixed.

 It may be possible to send it before the EAP-Success/EAP-Failure message for 
 some EAP methods, but chances are not all supplicants will like it, and most 
 probably won't display anything.
 
 EAP-Notification is not really supported in general and even the
 specification does not really require displaying anything from this
 message to the user.. There is also no way of authenticating this
 information, so this would not be ideal for authorization failures.

Agreed. But in the absence of a standards solution it might be interesting to 
experiment and see how supplicants respond to this.

-Arran


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread David Mitton

Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:



On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:


On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
The old HP switches used to convert the Reply-Message into an   
EAP-Notification and send it after the EAP-Success or EAP-Failure.


This is not compliant with the EAP specification (EAP-Notification
needs to be sent prior to completion of an EAP authentication method).
Sending it after EAP-Success or EAP-Failure would look like an attempt
to initiate another authentication exchange.


Their 802.1X implementation was pre RFC3579. In newer firmware   
releases this has been fixed.


It may be possible to send it before the EAP-Success/EAP-Failure   
message for some EAP methods, but chances are not all supplicants   
will like it, and most probably won't display anything.


EAP-Notification is not really supported in general and even the
specification does not really require displaying anything from this
message to the user.. There is also no way of authenticating this
information, so this would not be ideal for authorization failures.


Agreed. But in the absence of a standards solution it might be   
interesting to experiment and see how supplicants respond to this.




My RSA Windows EAP module sends EAP Notification messages under 4 different
error circumstances. These are typically retry-able input problems. It was
the default until the boffins that took over EAP for Windows 7 broke their
code. XP and Vista worked fine, they took the request and responded with a
blank response. No user visible message resulted. Win7 didn't respond at
all, which caused the protocol to break. They patched it when I pointed out
the problem. But I flipped off the default, don't know if/when that was
released. There is a registry key that controls it.


Dave.




-Arran






Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-21 Thread Arran Cudbard-Bell

On 21 Mar 2013, at 15:56, David Mitton da...@mitton.com wrote:

 Quoting Arran Cudbard-Bell a.cudba...@freeradius.org:
 
 
 On 21 Mar 2013, at 13:26, Jouni Malinen jkmali...@gmail.com wrote:
 
 On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:
 The old HP switches used to convert the Reply-Message into an  
 EAP-Notification and send it after the EAP-Success or EAP-Failure.
 
 This is not compliant with the EAP specification (EAP-Notification
 needs to be sent prior to completion of an EAP authentication method).
 Sending it after EAP-Success or EAP-Failure would look like an attempt
 to initiate another authentication exchange.
 
 Their 802.1X implementation was pre RFC3579. In newer firmware  releases 
 this has been fixed.
 
 It may be possible to send it before the EAP-Success/EAP-Failure  message 
 for some EAP methods, but chances are not all supplicants  will like it, 
 and most probably won't display anything.
 
 EAP-Notification is not really supported in general and even the
 specification does not really require displaying anything from this
 message to the user.. There is also no way of authenticating this
 information, so this would not be ideal for authorization failures.
 
 Agreed. But in the absence of a standards solution it might be  interesting 
 to experiment and see how supplicants respond to this.
 
 
 My RSA Windows EAP module sends EAP Notification messages under 4 different 
 error circumstances.   These are typically retry-able input problems. It was 
 the default until the boffins that took over EAP for Windows 7 broke their 
 code.   XP and Vista worked fine, they took the request and responded with a 
 blank response.  No user visible message resulted.  Win7 didn't respond at 
 all, which caused the protocol to break.  They patched it when I pointed out 
 the problem.  But I flipped off the default, don't know if/when that was 
 released.  There is a registry key that controls it.

Interesting. OSX does a similar thing, but it logs the notification, which can 
be very helpful if you're on the helpdesk and trying to diagnose issues.

I wonder if Windows also does the silent logging.

-Arran



[Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Danny Kurniawan
Hi All,

So i have been able to authenticate my wireless user using 802.1x + LDAP +
MAC address (using CallingStationID attribute). So now for example when
user A has MAC 11:22:33 but tried to login using another device there will
be a pop up window when they try to connect - just a plain error popup
saying Unable to connect. Is there any way we can customize this error
from radius? or should it be from the wireless AP?

So below is the unlang code that i use to check whether the user has a set
of MAC addresses in their ldap profile or not:

if (!control:Calling-Station-Id) {
    reject
}

Possible to have that reject command to return some code that Windows
client can understand like No MAC address etc?

Thanks in advance
Danny

-- 
Best Regards,
Danny

Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Olivier Beytrison
On 18.03.2013 16:48, Danny Kurniawan wrote:
 Hi All,
 
 So i have been able to authenticate my wireless user using 802.1x + LDAP
 + MAC address (using CallingStationID attribute). So now for example
 when user A has MAC 11:22:33 but tried to login using another device
 there will be a pop up window when they try to connect - just a plain
 error popup saying Unable to connect. Is there any way we can
 customize this error from radius? or should it be from the wireless AP?
 
 So below is the unlang code that i use to check whether the user has a
 set of MAC addresses in their ldap profile or not:
 if (!control:Calling-Station-Id) {
     reject
 }
 
 Possible to have that reject command to return some code that Windows
 client can understand like No MAC address etc?
 
 Thanks in advance
 Danny

you could send back a reply-message.

But it is forbidden if you are doing EAP.

And anyway, Micro$oft is not paying attention to it and will disregard it.

so no, you can't send a message to the user.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread A . L . M . Buxey
hi,

we would all love to be able to send a relevant error message to our
clients if they fail to authenticate (either locally or remotely).
but we cant. :-(

alan


Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Danny Kurniawan
Thanks a lot :)

Well i guess we just have to live with it :)

-Danny

On Tue, Mar 19, 2013 at 12:07 AM, a.l.m.bu...@lboro.ac.uk wrote:

 hi,

 we would all love to be able to send a relevant error message to our
 clients if they fail to authenticate (either locally or remotely).
 but we cant. :-(

 alan




-- 
Best Regards,
Danny

Re: [Help] Is that possible to change the reject message that appears at the Windows Pop Up

2013-03-18 Thread Arran Cudbard-Bell

On 18 Mar 2013, at 12:07, a.l.m.bu...@lboro.ac.uk wrote:

 hi,
 
 we would all love to be able to send a relevant error message to our
 clients if they fail to authenticate (either locally or remotely).
 but we cant. :-(

The old HP switches used to convert the Reply-Message into an EAP-Notification 
and send it after the EAP-Success or EAP-Failure.

The native OSX supplicant used to log this even though it never displayed it to 
the user.
The Windows supplicant ignored it completely.
WPA_Supplicant restarted authentication and went into an infinite 
authentication loop.

It may be possible to send it before the EAP-Success/EAP-Failure message for 
some EAP methods, but chances are not all supplicants will like it, and most 
probably won't display anything.

-Arran


Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-05 Thread Igor Smitran

On 03/04/2013 11:03 PM, Phil Mayers wrote:


There are a bunch of subtleties in this whole area - some devices 
offer knobs to control giaddr in the case of multinettings, and some 
devices offer knobs to control srcip - but, in my experience, you are 
asking for trouble if giaddr is not valid for accepting relayed 
replies. We've had significant problems with setups where this is 
difficult or impossible to achieve as a result. Multinetting a private 
and public range onto the same interface falls into exactly that 
category.



Yes, i agree. But, CM's are in a private network. CPE's are behind CM's, 
in a public network. CPE's are connected to the CMTS through CM's. Because of 
that you have a public and a private network on one interface.



Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Igor Smitran

On 03/01/2013 04:12 PM, Alan DeKok wrote:

Can you supply the debug output?
When configured so that freeradius sends IP, NETMASK, DNS... WITHOUT DEFAULT 
GATEWAY:


This packet is sent to RELAY_IP

$RAD_REPLY{'DHCP-Gateway-IP-Address'} NOT SENT
---
  TIME: 09:46:24.886544
OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 1
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: CPE_PUBLIC_IP
SIADDR: RADIUS_IP
*GIADDR: PRIVATE_RELAY_IP*
CHADDR: **:**:**:**:**:**:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type 2 (DHCPOFFER)
OPTION:   1 (  4) Subnet mask   255.255.255.240
OPTION:   2 (  4) Time offset   7200 (2h)
OPTION:   3 (  4) Routers   RELAY_PRIVATE_IP
OPTION:   6 (  4) DNS serverDNS_IP
OPTION:  12 ( 17) Host name HOST_MAC_ADDRESS
OPTION:  15 (  8) DomainnameDOMAIN
OPTION:  51 (  4) IP address leasetime  7200 (2h)
OPTION:  54 (  4) Server identifier RADIUS_IP
OPTION:  57 (  2) Maximum DHCP message size 1500



When configured so that freeradius sends IP, NETMASK, DNS... WITH DEFAULT GATEWAY:

This packet is sent to GIADDR, which is wrong!!!

$RAD_REPLY{'DHCP-Gateway-IP-Address'} SENT
---
  TIME: 09:46:24.886544
OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 1
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: CPE_PUBLIC_IP
SIADDR: RADIUS_IP
GIADDR: $RAD_REPLY{'DHCP-Gateway-IP-Address'}
CHADDR: **:**:**:**:**:**:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type 2 (DHCPOFFER)
OPTION:   1 (  4) Subnet mask   255.255.255.240
OPTION:   2 (  4) Time offset   7200 (2h)
OPTION:   3 (  4) Routers   RELAY_PRIVATE_IP
OPTION:   6 (  4) DNS serverDNS_IP
OPTION:  12 ( 17) Host name HOST_MAC_ADDRESS
OPTION:  15 (  8) DomainnameDOMAIN
OPTION:  51 (  4) IP address leasetime  7200 (2h)
OPTION:  54 (  4) Server identifier RADIUS_IP
OPTION:  57 (  2) Maximum DHCP message size 1500

So, when freeradius sees DHCP-Gateway-IP-Address inside the reply offer it 
uses it as the destination to send the reply to, which is wrong. It should use 
the RELAY IP instead, no matter what's inside BOOTREPLY.

Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Alan DeKok
Igor Smitran wrote:
 On 03/01/2013 04:12 PM, Alan DeKok wrote:
 Can you supply the debug output?
 When set that freeradius sends IP, NETMASK, DNS... WITHOUT DEFAULT
 GATEWAY:

  The point of asking for debug output is to see what the server is doing.

  I'm not sure what the rest of your message means.  The server defaults
to copying the giaddr from the request to the reply.  This is so that
the reply can use the giaddr as the destination IP.  If you use Perl to
update the giaddr to something else... then the reply will be sent there.

  i.e. if you want to use the correct giaddr, don't change it.

 This packet is sent to RELAY_IP

  The point of me asking for debug output is to see *why* this is
happening.  When you only look at the packets, you ignore the one piece
of information which will help you solve the problem.

 So, when freeradius sees DHCP-Gateway-IP-Address inside reply offer he
 uses it as destination where to send reply which is wrong. He should use
 RELAY IP instead no matter what's inside BOOTREPLY.

  Where is the server getting the updated DHCP-Gateway-IP-Address from?
 Not the source code.  It doesn't change it.  Not the default config.
It doesn't change it.

  So... until you show debug output, this largely looks like you edited
the configuration and broke it.  Don't do that.

  The only real bug I can see is that the offer has a non-zero giaddr
field.  This is wrong, as the packet is already unicast to the giaddr.
The DHCP specs say that the giaddr in reply packets (offer, etc.) should
be zero.

  I'll go fix that.

  Please also try with the v2.x.x branch from git.  It contains some
minor updates to the debug output which clarify what it's doing.

  Alan DeKok.


Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Igor Smitran

On 03/04/2013 04:54 PM, Alan DeKok wrote:

   The point of asking for debug output is to see what the server is doing.

   I'm not sure what the rest of your message means.  The server defaults
to copying the giaddr from the request to the reply.  This is so that
the reply can use the giaddr as the destination IP.  If you use Perl to
update the giaddr to something else... then the reply will be sent there.

I have to do that, this is a cable IP network that i am talking about. 
Real life example.

I am using a Cisco CMTS and its primary interface IP as cable-helper/relay IP.

This is by design.
I am sorry for my bad English but i will try to explain, please bear 
with me...


This is CM/CPE bundle interface:

interface Bundle1.150
 vrf forwarding vrf_name
 ip address public_ip 255.255.255.240 secondary
 ip address private_ip 255.255.192.0
 no ip unreachables
 no cable arp
 cable source-verify dhcp
 cable helper-address radius_ip
end

As you can see CMTS will relay all requests from CM's and CPE's over 
primary interface address (private_ip/255.255.192.0)
radius will get all requests from that IP. all offers need to go back to 
that same ip, no matter what giaddr is sent to client.


i have it already working that way with another dhcp server, in 
production.
also, a couple of commercial products that i was testing had exactly the 
same logic implemented, all offers were sent to relay ip, no matter what 
was set as giaddr.


Let us say that i have two pools for CPE devices, imaginary:
200.200.200.0/28
200.200.100.0/28

In that case i will have two lines in bundle interface setup:
ip address 200.200.200.1 255.255.255.240 secondary
ip address 200.200.100.1 255.255.255.240 secondary

and this is relay_ip (primary ip address of bundle interface)
ip address 10.10.10.1 255.255.192.0

If dhcp finds a free address from the first pool (200.200.200.10/28) the offer 
will be something like this:


giaddr: 200.200.200.1
yiadd: 200.200.200.10
OPTION:   1 (  4) Subnet mask   255.255.255.240
...

but the offer still needs to be sent to 10.10.10.1, where the requests came 
from in the first place.


I didn't break anything, i have to do it that way.
As far as dhcp server goes, it would be logical for him to return the 
offer to relay ip. relay will forward it to a client and client will get 
correct data.
If offer goes to any other address Cisco ASA will drop that packet 
because it doesn't have it in initiated/established chains...


Next time CPE tries to renew/release address request will come from 
10.10.10.1 again...


That is why i said that relay_ip shouldn't be replaced with giaddr.

FR i am using is 2.2.0, latest stable version.

i will try to send debug info tomorrow AM CET...

Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Alan DeKok
Igor Smitran wrote:
 As you can see CMTS will relay all requests from CM's and CPE's over
 primary interface address (private_ip/255.255.192.0)
 radius will get all requests from that IP. all offers need to go back to
 that same ip, no matter what giaddr is sent to client.

  Ah, OK.

  As always:

$ git pull

 :)

  I've put some changes in to add a DHCP-Relay-IP-Address.  It's visible
in the reply, and is copied from the original packet giaddr.  The send
logic is:

- if relay-ip-addr, unicast to it
- if giaddr, unicast to it
- if NAK or broadcast flag or no ciaddr, send broadcast
- if yiaddr, unicast to it
- otherwise unicast to ciaddr.

 i have it already working that way with another dhcp server, in
 production.
 also, couple of commercial products that i was testing had exactly the
 same logic implemented, all offers were sent to relay ip, no matter what
 was set as giaddr.

  OK.  The above changes should fix that.

 I didn't break anything, i have to do it that way.

  OK.

 As far as dhcp server goes, it would be logical for him to return the
 offer to relay ip. relay will forward it to a client and client will get
 correct data.

  Yes.

 i will try to send debug info tomorrow AM CET...

  Please grab a copy of the v2.x.x branch from git.  It should have all
fixes in it, and it should work.

  Alan DeKok.


Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Phil Mayers

On 03/04/2013 07:05 PM, Igor Smitran wrote:


As you can see CMTS will relay all requests from CM's and CPE's over
primary interface address (private_ip/255.255.192.0)
radius will get all requests from that IP. all offers need to go back to
that same ip, no matter what giaddr is sent to client.


I'm confused.

First, it shouldn't matter which IP you reply to; both are on the same 
device, and both are routeable.


Second, reply to giaddr is mandated in the DHCP spec; are you *sure* 
you have other DHCP servers which reply to source ip? Which servers?



Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Alan DeKok
Phil Mayers wrote:
 Second, reply to giaddr is mandated in the DHCP spec; are you *sure*
 you have other DHCP servers which reply to source ip? Which servers?

  The issue is that giaddr serves two purposes.  In the request, it
indicates that the server MUST send the reply to that IP.

  In the reply, it means that the client sends the NEXT request to the
giaddr.

  ASCII art helps:


client -- 1  NAS  2 --- server


  The client sends broadcast packets to the NAS, using a private network
 The NAS unicasts them FROM NAS address 2 to the server, using giaddr
= 2.  NAS address 2 and the server are on a public network.

  The server knows that the NAS has a private address.  So it sends the
unicast answer back to NAS address 2, with giaddr = NAS address 1.

  The NAS broadcasts (or unicasts) this response back to the client.

  On a renew, the client unicasts the packet to NAS address 1, which
forwards it to the server using address 2, and giaddr ==2.

  And the whole process starts again.

  I think I now have a handle on DHCP and RADIUS.  My head is getting
full...

  Alan DeKok.
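The send order Alan lists a few messages up (relay IP, then giaddr, then broadcast for NAK / broadcast flag / no ciaddr, then yiaddr, then ciaddr) and the CMTS multinetting case Igor describes, modelled as an added Python example written for this archive page; it is not FreeRADIUS code. The Reply structure, the relay_aware switch and the sample addresses are constructed from the thread's own figures.

```python
"""Model of the DHCP reply-destination rules discussed in this thread.

Added illustration, not FreeRADIUS source. It follows the send order Alan
DeKok lists (relay IP, giaddr, broadcast, yiaddr, ciaddr) and replays the
CMTS case Igor describes. The Reply structure and the 'relay_aware' switch
are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ZERO = IPv4Address("0.0.0.0")
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
BROADCAST_FLAG = 0x8000  # high bit of the BOOTP 'flags' field


@dataclass
class Reply:
    msg_type: str                   # "DHCPOFFER", "DHCPACK" or "DHCPNAK"
    ciaddr: IPv4Address = ZERO      # client's current address (set on renewals)
    yiaddr: IPv4Address = ZERO      # address being offered / acknowledged
    giaddr: IPv4Address = ZERO      # giaddr placed in the reply (policy may rewrite it)
    flags: int = 0                  # BOOTP flags; 0x8000 = client asks for broadcast
    relay_ip: Optional[IPv4Address] = None  # giaddr copied from the *request*


def reply_destination(r: Reply) -> IPv4Address:
    """Pick the IP the reply goes to, checking the rules in the listed order."""
    if r.relay_ip is not None and r.relay_ip != ZERO:
        return r.relay_ip                  # 1. the relay that forwarded the request
    if r.giaddr != ZERO:
        return r.giaddr                    # 2. giaddr carried in the reply
    if r.msg_type == "DHCPNAK" or (r.flags & BROADCAST_FLAG) or r.ciaddr == ZERO:
        return LIMITED_BROADCAST           # 3. client cannot receive unicast yet
    if r.yiaddr != ZERO:
        return r.yiaddr                    # 4. the offered / acknowledged address
    return r.ciaddr                        # 5. the address the client already has


def destination_for(msg_type: str, *, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                    giaddr="0.0.0.0", flags=0, relay_ip=None) -> str:
    """String-in / string-out wrapper so the rules are easy to exercise."""
    r = Reply(msg_type, IPv4Address(ciaddr), IPv4Address(yiaddr),
              IPv4Address(giaddr), flags,
              None if relay_ip is None else IPv4Address(relay_ip))
    return str(reply_destination(r))


def cmts_offer_destination(relay_aware: bool) -> str:
    """Igor's setup, with the addresses from the thread: the CMTS relays every
    request with giaddr 10.10.10.1 (its private primary address) and the site
    policy rewrites the reply giaddr to the CPE's public gateway 200.200.200.1.

    relay_aware=True  -> the request giaddr is kept as relay_ip (the fix).
    relay_aware=False -> only the rewritten giaddr is known (the reported bug,
                         where the offer is sent to 200.200.200.1 and dropped).
    """
    request_giaddr = "10.10.10.1"
    return destination_for("DHCPOFFER",
                           yiaddr="200.200.200.10",
                           giaddr="200.200.200.1",
                           relay_ip=request_giaddr if relay_aware else None)


if __name__ == "__main__":
    print("with relay ip   :", cmts_offer_destination(True))    # 10.10.10.1
    print("without relay ip:", cmts_offer_destination(False))   # 200.200.200.1
```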


Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Phil Mayers

On 03/04/2013 08:59 PM, Alan DeKok wrote:

Phil Mayers wrote:

Second, reply to giaddr is mandated in the DHCP spec; are you *sure*
you have other DHCP servers which reply to source ip? Which servers?


   The issue is that giaddr serves two purposes.  In the request, it
indicates that the server MUST send the reply to that IP.

   In the reply, it means that the client sends the NEXT request to the
giaddr.

   ASCII art helps:


client -- 1  NAS  2 --- server


   The client sends broadcast packets to the NAS, using a private network
  The NAS unicasts them FROM NAS address 2 to the server, using giaddr
= 2.  NAS address 2 and the server are on a public network.

   The server knows that the NAS has a private address.  So it sends the
unicast answer back to NAS address 2, with giaddr = NAS address 1.

   The NAS broadcasts (or unicasts) this response back to the client.

   On a renew, the client unicasts the packet to NAS address 1, which
forwards it to the server using address 2, and giaddr ==2.


Perhaps I've misunderstood, but this doesn't reflect the DHCP behaviour 
I've seen on normal clients.


As far as I know, it goes (starting from INIT, as opposed to INIT-REBOOT 
which effectively starts from step 4):


 1. Client sends DISCOVER to broadcast
 2. NAS forwards to server; giaddr==1, srcip==2
 3. Server sends DHCPOFFER; dstip==giaddr, server_id=$SERVER
 4. Repeat 1-3 with DHCPREQUEST/ACK
 5. Client comes to t1 - unicast DHCPREQUEST dstip=$SERVER
 6. If no reply, at t2 - broadcast DHCPREQUEST

i.e. AFAIK, the client *always* sends packets to broadcast or to the 
server ident (DHCP option 54). Note the latter is mandatory in all DHCP 
replies.


There are a bunch of subtleties in this whole area - some devices offer 
knobs to control giaddr in the case of multinettings, and some devices 
offer knobs to control srcip - but, in my experience, you are asking for 
trouble if giaddr is not valid for accepting relayed replies. We've had 
significant problems with setups where this is difficult or impossible 
to achieve as a result. Multinetting a private and public range onto the 
same interface falls into exactly that category.



Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Alan DeKok
Phil Mayers wrote:
 Perhaps I've misunderstood, but this doesn't reflect the DHCP behaviour
 I've seen on normal clients.

  It's possible.

 As far as I know, it goes (starting from INIT, as opposed to INIT-REBOOT
 which effectively starts from step 4):
 
  1. Client sends DISCOVER to broadcast
  2. NAS forwards to server; giaddr==1, srcip==2
  3. Server sends DHCPOFFER; dstip==giaddr, server_id=$SERVER
  4. Repeat 1-3 with DHCPREQUEST/ACK
  5. Client comes to t1 - unicast DHCPREQUEST dstip=$SERVER
  6. If no reply, at t2 - broadcast DHCPREQUEST

  Yes.

 i.e. AFAIK, the client *always* sends packets to broadcast or to the
 server ident (DHCP option 54). Note the latter is mandatory in all DHCP
 replies.

  That's the usual practice... but some clients may be weird.

 There are a bunch of subtleties in this whole area - some devices offer
 knobs to control giaddr in the case of multinettings, and some devices
 offer knobs to control srcip - but, in my experience, you are asking for
 trouble if giaddr is not valid for accepting relayed replies. We've had
 significant problems with setups where this is difficult or impossible
 to achieve as a result. Multinetting a private and public range onto the
 same interface falls into exactly that category.

  Yes.

  Maybe I got parts of the explanation wrong, but the DHCP handling of
giaddr is just weird.

  Alan DeKok.


DHCP relay IP and gateway IP, possible bad logic?

2013-03-01 Thread Igor Smitran
In case when freeradius is talking to a DHCP relay it should *always* 
send answers to the initiating relay IP. But, it doesn't.


Cisco CMTS is using 10.10.10.1 as his giaddr for all requests made by 
CM's, MTA's and CPE's.

All replies should go to 10.10.10.1.

But, currently, if CPE gets public IP 200.200.200.2 with gateway 
200.200.200.1, freeradius tries to send reply to 200.200.200.1 instead 
of 10.10.10.1.


This is my opinion, maybe i am wrong...


Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-01 Thread Alan DeKok
Igor Smitran wrote:
  In case when freeradius is talking to a DHCP relay it should *always*
 send answers to the initiating relay IP. But, it doesn't.

  Can you supply the debug output?

 Cisco CMTS is using 10.10.10.1 as his giaddr for all requests made by
 CM's, MTA's and CPE's.
 All replies should go to 10.10.10.1.

  Usually... there are some weird requirements on how DHCP operates.

 But, currently, if CPE gets public IP 200.200.200.2 with gateway
 200.200.200.1, freeradius tries to send reply to 200.200.200.1 instead
 of 10.10.10.1.

  The DHCP code ignores the *routing* gateway address.  It instead uses
the DHCP giaddr field to send responses.

  Again, debug output would help here.

  Alan DeKok.


radiusd running config - is it possible to display

2013-02-05 Thread Bertalan Voros
Hello All,

Is it possible to display the running config of freeradius without having
to capture the output of radiusd -X?

Best regards,
Bertalan

Re: radiusd running config - is it possible to display

2013-02-05 Thread Alan Buxey
? It's all on disk.

And if that's changed since the server was run then radiusd -X won't help. You 
know you can run a check/verify instance...? And that using radmin you can 
check the configuration of particular modules in the current running instance?

alan


Re: Possible to display/capture values of variables/attributes at various points in the RADIUS conversation?

2012-06-18 Thread Alan DeKok
Joshua Paye wrote:
 Hello,
  
 Would like to get the value of request:EAP-Type after the authorize
 section of the site config has been processed, and have it returned in
 the debug output or logged, so I can look at it.  Is there a way to do this?

$ man unlang

  This is documented.

  Alan DeKok.


Re: Possible to display/capture values of variables/attributes at various points in the RADIUS conversation?

2012-06-18 Thread jkp...@gmail.com
Thank you for the response Alan.

For other people who find this isn't immediately obvious after reading the
unlang man page:

%{foo} will expand the variable/attribute foo.  If you are running
radiusd in debug mode then it will print the value of the expanded
variable/attribute to stdout.

Example:
Placed in site config: %{request:EAP-Type}
Corresponding debug output: expand: %{request:EAP-Type} - Identity

Thanks,
Joshua



Possible to display/capture values of variables/attributes at various points in the RADIUS conversation?

2012-06-17 Thread Joshua Paye
Hello,

Would like to get the value of request:EAP-Type after the authorize
section of the site config has been processed, and have it returned in the
debug output or logged, so I can look at it.  Is there a way to do this?

Thanks,
Joshua

reject reason logged in radius.log. Possible?

2012-06-14 Thread Daniele Albrizio
I recently set up a banned mac address database to reject authentication
from proved compromised clients.

I'd like to have a significant record in freeradius logfile for
connection debugging reasons.

Ways I use to implement this results in ambiguous Invalid user or
Login incorrect misleading messages in radius.log .

Users are in effect valid and correct, but their equipment is not.

Does anybody know how this scenario can be improved?

---

Relevant lines of default virtual server authorize section are:

authorize {
  # Only act on a well-formed MAC that is present in the ban table
  if ( "%{Calling-Station-Id}" =~ /([a-fA-F0-9]{2}.?){6}/ && "%{sql: SELECT 1 FROM callingstidbanlist WHERE mac='%{Calling-Station-Id}'}" == 1 ) {
    update reply {
      # Select ban reason from radgroupreply Port-Message attribute related to the ban group
      Reply-Message := "Access forbidden from this terminal ( %{sql: SELECT value FROM radgroupreply WHERE attribute = 'Port-Message' AND groupname IN (SELECT bangroup FROM callingstidbanlist WHERE mac = '%{Calling-Station-Id}' ) ; } ) ."
    }
    #update control {
    #   Auth-Type := Reject
    #}
    # Line in radius.log:
    # Auth: Login incorrect: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)

    reject
    # Line in radius.log:
    # Auth: Invalid user: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
  }
}


-- 
   Daniele ALBRIZIO - albri...@univ.trieste.it
   Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Division V - Infrastructure and Information Services
  via Alfonso Valerio, 12 I-34127 Trieste, Italy
Computing and Telematics Infrastructure Section


Re: reject reason logged in radius.log. Possible?

2012-06-14 Thread Alan DeKok
Daniele Albrizio wrote:
 The ways I use to implement this result in ambiguous and misleading "Invalid
 user" or "Login incorrect" messages in radius.log.

  Well, rejecting users means that something is invalid or incorrect.

 Users are in effect valid and correct, but their equipment is not.
 
 Does anybody know how this scenario can be improved?

  update request {
    Module-Failure-Message := "the real reason it failed"
  }


  That message will be included in the Login incorrect or Invalid
user log message.

  Alan DeKok.
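Once Module-Failure-Message carries the real reason, radius.log becomes something a detection pipeline can key on instead of a wall of identical "Login incorrect" lines. The parser below is an added example for this thread, not FreeRADIUS code; it assumes the 2.x Auth line layout "<date> : Auth: <outcome>[ (<Module-Failure-Message>)]: [<user>[/<pw>]] (from client <nas> port <n> cli <mac>)" and runs over constructed sample lines, two of which are the ambiguous ones quoted above.

```python
"""Parse FreeRADIUS radius.log "Auth:" lines and group rejections by reason.

Added example for this thread, not FreeRADIUS code. Assumed 2.x Auth layout:
  <date> : Auth: <outcome>[ (<Module-Failure-Message>)]: [<user>[/<pw>]] \
      (from client <nas> port <n> cli <mac>)
The sample log below is constructed, not a real capture.
"""
import re
from collections import Counter

AUTH_RE = re.compile(
    r"^(?:.*? : )?Auth: "                                 # optional timestamp prefix
    r"(?P<outcome>Login OK|Login incorrect|Invalid user)"
    r"(?: \((?P<reason>[^)]*)\))?"                        # Module-Failure-Message, if set
    r": \[(?P<user>[^\]/]*)(?:/[^\]]*)?\]"                # "/password" appears with badpass logging
    r" \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\)\s*$"
)

NO_REASON = "(no Module-Failure-Message)"

# Constructed sample: the two ambiguous lines from the thread, then the same
# banned-terminal rejection once Module-Failure-Message is set in the request
# list, a genuine bad password, a success, and a non-Auth line.
SAMPLE_LOG = """\
Thu Jun 14 10:01:02 2012 : Auth: Login incorrect: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
Thu Jun 14 10:01:09 2012 : Auth: Invalid user: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
Thu Jun 14 10:02:30 2012 : Auth: Login incorrect (banned terminal: compromised client): [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
Thu Jun 14 10:02:41 2012 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob/wrongpw] (from client wall1-wigate1 port 7 cli 00-11-22-33-44-55)
Thu Jun 14 10:03:00 2012 : Auth: Login OK: [alice] (from client wall1-wigate1 port 8 cli 00-AA-BB-CC-DD-EE)
Thu Jun 14 10:03:05 2012 : Info: rlm_sql (sql): Reserving sql socket id: 3
"""


def parse_auth_line(line):
    """Return a dict for one Auth record, or None for any other log line."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["cli"] = rec["cli"].upper() if rec["cli"] else None
    rec["reason"] = rec["reason"] or NO_REASON   # missing reason is itself a finding
    return rec


def rejections_by_reason(log_text):
    """Count rejected authentications per (reason, calling station).

    Without Module-Failure-Message every rejection lands in the same bucket;
    with it, banned terminals and plain bad passwords become separable.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_auth_line(line)
        if rec and rec["outcome"] != "Login OK":
            counts[(rec["reason"], rec["cli"])] += 1
    return counts


if __name__ == "__main__":
    for (reason, cli), n in sorted(rejections_by_reason(SAMPLE_LOG).items()):
        print(f"{n:3d}  cli={cli}  reason={reason}")
```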


Re: Ldap attribute in pre-proxy possible?

2012-05-14 Thread Phil Mayers

On 11/05/12 20:25, Mike wrote:

Phil,


I meant to say proxy-request, not proxy-reply.


Ah, ok.



Secondly, why would you need a log file to show an attribute
expanding to nothing? I just told you it is expanding to nothing aka
it has no assigned value once reaching the pre-proxy stage.


Because I think you're probably doing something wrong, and the debug 
will show me (and others) straight away what it is. The alternative is 
for me to make wild guesses, or spend a lot of time thinking about it. 
Guess which one I prefer?



Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
Hello,

Is it possible to store and access an ldap attribute in pre-proxy?
1. Attribute defined in dictionary
2. Attribute mapped in ldap.attrmap
3. Trying to access using:

pre-proxy {
    if ("%{reply:attributename}" == "cookies") {
        update proxy-reply {
            Whatever = "cookies"
        }
    }
}

The problem is the attribute is expanding to nothing. This does work in the 
auth section but I need to update the proxy msg. What am I doing wrong?




Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Phil Mayers

On 11/05/12 16:39, Mike wrote:

Hello,

Is it possible to store and access an ldap attribute in pre-proxy?
1. Attribute defined in dictionary
2. Attribute mapped in ldap.attrmap
3. Trying to access using:

pre-proxy {
    if ("%{reply:attributename}" == "cookies") {
        update proxy-reply {
            Whatever = "cookies"
        }
    }
}


You can't update the proxy-reply in pre-proxy; there is no proxy-reply 
at this stage.




the problem is the attribute is expanding to nothing. This does work
in the auth section but i need to update the proxy msg. What am i
doing wrong?


We don't know, because we're not psychic and you didn't include a debug 
of it failing.




Re:re: Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread Mike
  Phil,

I meant to say proxy-request, not proxy-reply.

Secondly, why would you need a log file to show an attribute expanding to 
nothing? I just told you it is expanding to nothing aka it has no assigned 
value once reaching the pre-proxy stage.



 Message: 4
 Date: Fri, 11 May 2012 13:42:29 -0400
 From: Luo, Frank Y.F. Mr. l...@muohio.edu
 To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
 Subject: max_request
 Message-ID: 200cb918-2061-4829-a888-8901a235e...@muohio.edu
 Content-Type: text/plain; charset=us-ascii
 
 So there is this setting max_request that the server keeps track of. The 
 question is how I can find the current active requests that the server keeps 
 track of. 
 
 My experience is the server silently drops the connection if max_request is 
 reached. So I want to find out more info about the current status of the 
 server.
 
 Thanks
 
 Frank
 
 
 
 --
 
 Message: 5
 Date: Fri, 11 May 2012 20:25:06 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: 4fad5982.1080...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1
 
 Luo, Frank Y.F. Mr. wrote:
 So there is this setting max_request that the server keeps track of. The 
 question is how I can find the current active requests that the server keeps 
 track of. 
 
 My experience is the server silently drops the connection if max_request is 
 reached. So I want to find out more info about the current status of the 
 server.
 
  In 2.1.12, there's no way to see that number in a live server.
 
  Alan DeKok.
 
 
 --
 
 Message: 6
 Date: Fri, 11 May 2012 14:31:09 -0400
 From: Luo, Frank Y.F. Mr. l...@muohio.edu
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: 0c11c863-c520-491d-ad91-320b65e54...@muohio.edu
 Content-Type: text/plain; charset=us-ascii
 
 Are you sure? 
 
 Then how do I know I have run out of request numbers and need to increase it?
 
 Thanks
 
 Frank
 
 
 
 --
 
 Message: 7
 Date: Fri, 11 May 2012 20:39:03 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: 4fad5cc7.1090...@deployingradius.com
 Content-Type: text/plain; charset=ISO-8859-1
 
 Luo, Frank Y.F. Mr. wrote:
 Are you sure? 
 
 Then how do I know I have run out of request numbers and need to increase it?
 
  You read the logs.
 
  You CANNOT increase it while the server is running.
 
  The best approach is to set it to a large value, and ignore it.  If
 you get errors in the logs about max_requests, it means that something
 is catastrophically wrong.  Increasing max_requests WILL NOT HELP.
 
  You will need to fix the underlying problem: usually a slow / broken
 database.
 
  Alan DeKok.
 
 
 --
 
 Message: 8
 Date: Fri, 11 May 2012 14:45:29 -0400
 From: Luo, Frank Y.F. Mr. l...@muohio.edu
 To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
 Subject: Re: max_request
 Message-ID: a6e5f923-8012-468f-8e93-5ca954b97...@muohio.edu
 Content-Type: text/plain; charset=us-ascii
 
 I will read the logs - but what do I look for in the log?
 
 I already set it to a large value and don't expect problem

Re: re: Re: Ldap attribute in pre-proxy possible?

2012-05-11 Thread alan buxey
Hi,

 Secondly, why would you need a log file to show an attribute expanding to 
 nothing? I just told you it is expanding to nothing aka it has no assigned 
 value once reaching the pre-proxy stage.

as per the mailing list information, no radiusd -X, no help

alan


Is this a possible project?

2012-03-12 Thread 甄鹏

Hello Everybody:
  Recently, I got a project. It requires setting up a Radius Server in the company, and 
100 APs in 100 restaurants in the city, all the APs of course connected to their 
own router.
  I want the customers who want to use wifi in any of these restaurants to need 
to get authentication through the Radius Server located in my company rather 
than the traditional wpa/wpa2 ways.
  Honestly, I am new to freeRadius, I am not even really sure if it is a 
possible project?
  The radius server could have a static WAN ip address, but all the APs could 
only get a LAN ip address like 192.168.*.*. When I set up the freeRadius+Mysql 
system, how could I distinguish different APs? Because, I know in the LAN, I set the 
IP address for different APs for the nasname option in nas.sql.
  Sorry for too many questions here,
  thank you in advance
   Joey

Re: Is this a possible project?

2012-03-12 Thread Arran Cudbard-Bell

On 12 Mar 2012, at 15:32, 甄鹏 wrote:

 Hello Everybody:
   Recently, I got a project. It requires setting up a Radius Server in the company, and 
 100 APs in 100 restaurants in the city, all the APs of course connected to their 
 own router.
   I want the customers who want to use wifi in any of these restaurants to need 
 to get authentication through the Radius Server located in my company rather 
 than the traditional wpa/wpa2 ways.

Do you want to use WPA/WPA2 Enterprise instead, or through a captive portal on 
the access point, or through mac authentication?

   Honestly, I am new to freeRadius, I am not even really sure if it is a 
 possible project?
   The radius server could have a static WAN ip address, but all the APs could 
 only get a LAN ip address like 192.168.*.*. When I set up the freeRadius+Mysql 
 system, how could I distinguish different APs?

Depends on the AP, some will send the NAS-Identifier attribute which you could 
use to distinguish between them. Otherwise most will include a 
Called-Station-ID attribute which *may* contain a Mac-Address associated with 
the Access point; you'll need to check what your Access Point sends.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !


Re: Is this a possible project?

2012-03-12 Thread Jan Hugo Prins
On 03/12/2012 03:32 PM, 甄鹏 wrote:
 Hello Everybody:
   Recently, I got a project. It requires setting up a Radius Server in the
 company, and 100 APs in 100 restaurants in the city, all the APs of course
 connected to their own router.
   I want the customers who want to use wifi in any of these restaurants
 to need to get authentication through the Radius Server located in my
 company rather than the traditional wpa/wpa2 ways.
   Honestly, I am new to freeRadius, I am not even really sure if it is a
 possible project?
   The radius server could have a static WAN ip address, but all the APs
 could only get a LAN ip address like 192.168.*.*. When I set up the
 freeRadius+Mysql system, how could I distinguish different APs? Because, I
 know in the LAN, I set the IP address for different APs for the nasname
 option in nas.sql.
   Sorry for too many questions here,
   thank you in advance

In a setup like that I would start looking at an Aruba
(http://www.arubanetworks.com/) setup. That gives you the possibility to
create environments where every AP sends out the corporate SSID with
WPA2-Enterprise and give guests access to a local guest network with a
controlled internet breakout.

This can all work very fine with freeradius.


-- 
Kind regards,

Jan Hugo Prins
E: j...@jhprins.org

Re: Possible bug in rlm_sqlcounter examples

2012-02-22 Thread Phil Mayers

On 02/21/2012 11:04 PM, Tim White wrote:

Following on from my previous email, I've checked an x86 machine as
well, and get the same behaviour.


I should hope so; SQL is not architecture specific!

Your original solution was correct as far as I could see; if there's any 
chance a column might be absent/null, coalesce or nullif are required. I 
don't use rlm_sqlcounter so can't say whether absent/null values are 
expected or a peculiarity of your setup, but a mix of both is possible.




Debug logs follow, the first being the initial login for the day,
showing sqlcounter not finding an integer and hence returning noop. The
second being after an initial login where a correct integer is returned.

Can anyone else confirm that the example sqlcounter queries are at fault
and that we need either an IFNULL or COALESCE surrounding the SUM? I'll
be updating the Grase Hotspot files, but I'm wondering if a change was
made in rlm_sqlcounter in the last few months (year) that has caused it
to treat NULL as NULL and not as 0, and hence the SQL queries need to be
updated?


Try looking through the source code history:

https://github.com/alandekok/freeradius-server


Re: Possible bug in rlm_sqlcounter examples

2012-02-21 Thread Tim White
Following on from my previous email, I've checked an x86 machine as 
well, and get the same behaviour.


Debug logs follow, the first being the initial login for the day, 
showing sqlcounter not finding an integer and hence returning noop. The 
second being after an initial login where a correct integer is returned.


Can anyone else confirm that the example sqlcounter queries are at fault 
and that we need either an IFNULL or COALESCE surrounding the SUM? I'll 
be updating the Grase Hotspot files, but I'm wondering if a change was 
made in rlm_sqlcounter in the last few months (year) that has caused it 
to treat NULL as NULL and not as 0, and hence the SQL queries need to be 
updated?


Thanks

Tim
--

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = '%{User-Name}' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800''
[dailycounter] expand: SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = '%{User-Name}' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800' -> SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800'
sqlcounter_expand:  '%{sql:SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800'}'

[dailycounter] sql_xlat
[dailycounter] expand: %{User-Name} -> timtest
[dailycounter] sql_set_user escaped user --> 'timtest'
[dailycounter] expand: SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800' -> SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800'

rlm_sql (sql): Reserving sql socket id: 3
[dailycounter] row[0] returned NULL
rlm_sql (sql): Released sql socket id: 3
[dailycounter] expand: %{sql:SELECT SUM(acctsessiontime 
-  GREATEST((1329832800 - 
UNIX_TIMESTAMP(acctstarttime)), 0))  FROM radacct WHERE 
username = 'timtest' AND  UNIX_TIMESTAMP(acctstarttime) 
+ acctsessiontime > '1329832800'} ->

rlm_sqlcounter: No integer found in string 
++[dailycounter] returns noop

--

rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = '%{User-Name}' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800''
[dailycounter] expand: SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = '%{User-Name}' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800' -> SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800'
sqlcounter_expand:  '%{sql:SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800'}'

[dailycounter] sql_xlat
[dailycounter] expand: %{User-Name} -> timtest
[dailycounter] sql_set_user escaped user --> 'timtest'
[dailycounter] expand: SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800' -> SELECT SUM(acctsessiontime -  
GREATEST((1329832800 - UNIX_TIMESTAMP(acctstarttime)), 
0))  FROM radacct WHERE username = 'timtest' 
AND  UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > 
'1329832800'

rlm_sql (sql): Reserving sql socket id: 3
[dailycounter] sql_xlat finished
rlm_sql (sql): Released sql socket id: 3
[dailycounter] expand: %{sql:SELECT SUM(acctsessiontime 
-  

Possible bug in rlm_sqlcounter examples

2012-02-20 Thread Tim White

Hi All.

I am using the following SQL in sqlcounter for a MySQL database in the 
Grase Hotspot project, as part of daily/hourly/monthly counters.


query = "SELECT SUM(acctsessiontime - \
 GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
 FROM radacct WHERE username = '%{%k}' AND \
 UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"

This is taken directly out of the examples that come with Freeradius, 
and is also in the Wiki. 
http://wiki.freeradius.org/Rlm_sqlcounter#Example+Setup


Recently I was having problems where the first login for a day wasn't 
being limited to its daily limit. However, subsequent logins for the 
day were. So for example, if they had a 4 hour limit, and the first 
login went over 4 hours, it could keep going as no Session-Limit was being 
returned by freeradius. However, all subsequent logins would return a 
valid Session-Limit (timeout?) or an access denied if they had gone over 
the daily limit.
Some poking around showed that if there were no logins for that day, the 
above SQL will return NULL, which Freeradius complains about, something 
along the lines of there not being an integer in the results (I can't 
get the exact error message right now), and so the sqlcounter just 
passes through as noop.
To solve the problem, I needed to use an IFNULL (or COALESCE) to return 
a 0 instead of NULL and then Freeradius sqlcounter returns the correct 
attributes.

query = "SELECT COALESCE( SUM(acctsessiontime - \
 GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)), 0 ) \
 FROM radacct WHERE username = '%{%k}' AND \
 UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%b'"

This happens on the arm architecture, and so may be architecture 
dependent. A quick test on x86 MySQL shows it also returns NULL, however 
I've not had the chance to test how Freeradius interprets the NULL, as 0 
or NULL. I will get out an x86 test machine shortly and test what 
Freeradius is returning.


$ apt-cache policy freeradius
freeradius:
  Installed: 2.1.10+dfsg-2

Debian 6.0.3 Linux Kernel 2.6.32 armv5tel

Has anyone else run into this problem?

Tim
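Tim's report above and Phil's confirmation earlier in the thread come down to one SQL fact: SUM() over zero matching rows is NULL, and rlm_sqlcounter treats a NULL cell as "no integer found" and returns noop, so the very first session of the day is never limited. As an added example (not from the thread or from FreeRADIUS), this Python script reproduces that with SQLite: the query is adapted (acctstarttime stored as a Unix epoch, MAX() standing in for MySQL GREATEST(), no UNIX_TIMESTAMP()), the radacct rows are constructed, and sqlcounter_decision mimics the module's noop-on-non-integer behaviour.

```python
"""Reproduce the rlm_sqlcounter NULL problem from the thread with SQLite.

Added example, not from the thread or FreeRADIUS. The sqlcounter query is
adapted to SQLite: acctstarttime is a Unix epoch integer, so UNIX_TIMESTAMP()
is dropped and MAX(a, b) replaces MySQL's GREATEST(). Accounting rows are
constructed.
"""
import sqlite3

DAY_START = 1329832800        # %b in the thread's query: start of the reset period
DAILY_LIMIT = 4 * 3600        # the 4-hour daily limit mentioned in the thread

# Original query shape: SUM() over no rows yields NULL ...
QUERY_ORIGINAL = """
SELECT SUM(acctsessiontime - MAX((:b - acctstarttime), 0))
  FROM radacct
 WHERE username = :k AND acctstarttime + acctsessiontime > :b
"""
# ... fixed shape: COALESCE needs the fallback value as its second argument.
QUERY_FIXED = """
SELECT COALESCE(SUM(acctsessiontime - MAX((:b - acctstarttime), 0)), 0)
  FROM radacct
 WHERE username = :k AND acctstarttime + acctsessiontime > :b
"""


def build_radacct():
    """In-memory radacct with constructed sessions for user 'timtest'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, acctstarttime INTEGER, acctsessiontime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO radacct VALUES (?, ?, ?)",
        [
            ("timtest", DAY_START - 7200, 1800),   # ended before the reset: not counted
            ("timtest", DAY_START - 600, 1200),    # straddles the reset: only 600 s count
            ("timtest", DAY_START + 60, 3600),     # fully inside the current day
        ],
    )
    return conn


def counter_query(conn, query, user):
    """Run one sqlcounter-style query and return the single cell, as the module sees it."""
    return conn.execute(query, {"b": DAY_START, "k": user}).fetchone()[0]


def sqlcounter_decision(cell, limit=DAILY_LIMIT):
    """Mimic rlm_sqlcounter: a non-integer cell yields noop, otherwise enforce the limit.

    Returns (action, remaining_seconds); remaining time is what the module
    would hand back as the reply attribute (Session-Timeout by default).
    """
    if not isinstance(cell, int):
        return ("noop", None)          # "No integer found in string" in the debug log
    if cell >= limit:
        return ("reject", None)
    return ("ok", limit - cell)


if __name__ == "__main__":
    db = build_radacct()
    for user in ("nobody", "timtest"):
        for name, q in (("original", QUERY_ORIGINAL), ("fixed", QUERY_FIXED)):
            cell = counter_query(db, q, user)
            print(f"{user:8s} {name:8s} cell={cell!r:6} -> {sqlcounter_decision(cell)}")
```

A user with no sessions yet gets "noop" from the original query, i.e. no limit at all, and "ok" with the full allowance from the fixed one.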


Is it Possible to use FreeRadius without certificates

2011-12-26 Thread McSparin, Joe
I would like to just have freeRadius authenticate against my active
directory in windows using only the user name and password in Active
Directory for authentication.  Is this possible to do? I don't want to
have to mess with installing certificates on the user machines or the
server.  Is this possible?

Thanks,

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org






Re: Is it Possible to use FreeRadius without certificates

2011-12-26 Thread Alan DeKok
McSparin, Joe wrote:
 I would like to just have freeRadius authenticate against my active
 directory in windows using only the user name and password in Active
 Directory for authentication.  Is this possible to do? I don't want to
 have to mess with installing certificates on the user machines or the
 server.  Is this possible?

  Yes.  See the existing documentation in the server and on the wiki.

  Alan DeKok.


Re: Is it Possible to use FreeRadius without certificates

2011-12-26 Thread Fajar A. Nugraha
On Tue, Dec 27, 2011 at 3:42 AM, McSparin, Joe
jmcspa...@hillcountrymemorial.org wrote:
 I would like to just have freeRadius authenticate against my active
 directory in windows using only the user name and password in Active
 Directory for authentication.  Is this possible to do? I don't want to have
 to mess with installing certificates on the user machines or the server.  Is
 this possible?

Should be possible, but that means you won't be able to use EAP or
802.1x. If you only use plain PAP/MSCHAP anyway, it should work.

-- 
Fajar



Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-12 Thread Equin Nix
Did my last mail make it?
- Last Mail: -
Phil, you got it working!

All of what you wrote was right:
- added Cleartext-Password2 to
/usr/share/freeradius/dictionary.freeradius.internal
- created user file like this:
user Cleartext-Password := 1, Cleartext-Password2 += 2
- updated sites-enabled/default to look like this (*authorize *section)


[..]
#
#  Read the 'users' file
files {
}

if (("%{User-Password}" != "%{control:Cleartext-Password}") && \
    ("%{User-Password}" != "%{control:Cleartext-Password2}")) {
        update reply {
                Reply-Message = "I suck at FreeRadiusing!"
        }
        reject
}
else {
        update control {
                Auth-Type := Accept
        }
}
[..]

If I can buy you a beer or something (thinking of
https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or
https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware
) just email me :)

Best Regards


2011/7/7 Phil Mayers p.may...@imperial.ac.uk

 On 07/07/11 13:18, Equin Nix wrote:

 Hi Phil,

 thanks a lot for the fast answer! Unfortunately your radius-skills seem
 to be far far from mine, but I think I get the point.

 I tried to add the following to /sites-enabled/default/ (int authorize
 section) (Its not a full copy of your text, I wanted to start step by
 step):

 [...]
 #
 # Read the 'users' file
 files {
 # compare them


 No, that's wrong. As per my original email, it should be:

 authorize {
  files
  if (...) {
 }

 You've got:

 authorize {
  files {
...
  }
 }

 ...which is wrong.



Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Equin Nix
Hi,

I am trying to set up something very basic (at least from my point of view):
I would like to have a User with multiple passwords (two actually). How
would I do this? I tried the following:

alice Auth-Type=Local, Cleartext-Password := test1
alice Auth-Type=Local, Cleartext-Password := test2

which (of course) did not work. Then

alice Auth-Type=Local, Cleartext-Password := test1
   Fall-Through = Yes
alice Auth-Type=Local, Cleartext-Password := test2

which (of course) did not work either. Then I tried some regex, of which
the following do not work:

alice Auth-Type=Local, User-Password =~ [*]*
alice Auth-Type=Local, User-Password =~ /*/i
alice Auth-Type=Local, User-Password =~ (test1)*
alice Auth-Type=Local, User-Password =~ [.]*
...

How would I make an entry in users to have alice log in with test1 OR
test2 as password?

Best regards

Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Phil Mayers

On 07/07/11 09:51, Equin Nix wrote:

Hi,

I am trying to set up something very basic (at least from my point of
view): I would like to have a User with multiple passwords (two
actually). How would I do this? I tried the following:

alice Auth-Type=Local, Cleartext-Password := test1
alice Auth-Type=Local, Cleartext-Password := test2


Do not set Auth-Type. It's almost always wrong, and is certainly wrong 
in this case.



It might be possible to have >1 password; but it will probably only work 
for PAP requests, unless you play carefully with module failover.


It also probably won't work in the users file; this is because the 
User-Password attribute is handled specially here, as a compatibility 
synonym for Cleartext-Password.


You could try something like this - define a second password attribute 
in raddb/dictionary:



ATTRIBUTE   Cleartext-Password2   3002   string

...then set both in the users file:

alice   Cleartext-Password := foo, Cleartext-Password2 := bar

...then use unlang to perform the comparisons in sites-enabled/default:

authorize {

  ...
  # read the passwords from files
  files
  # compare them
  if ((User-Password != control:Cleartext-Password) && \
      (User-Password != control:Cleartext-Password2)) {
reject
  }

  # probably need to set Auth-Type := Accept here
  update control {
Auth-Type := Accept
  }
}

If you want to do this with requests that aren't PAP e.g. CHAP, 
MSCHAP/PEAP etc. then it will be much harder.



Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Equin Nix
Hi Phil,

thanks a lot for the fast answer! Unfortunately your radius-skills seem to
be far far from mine, but I think I get the point.

I tried to add the following to *sites-enabled/default* (in the authorize
section) (It's not a full copy of your text, I wanted to start step by step):

[...]
#
#  Read the 'users' file
files {
# compare them
if (User-Password != control:Cleartext-Password) {
reject
}


# probably need to set Auth-Type := Accept here
update control {
Auth-Type := Accept
}
}
[...]

and freeradius won't start (even if I remove the update control section).
This is the error:
[...]
/etc/freeradius/sites-enabled/default[154]: Subsection of module instance
call not allowed
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.

Any idea what might cause the trouble? Line 154 is the if
(User-Password line.

BTW: It is not possible with RegEx?

Best regards from Germany



2011/7/7 Phil Mayers p.may...@imperial.ac.uk

 On 07/07/11 09:51, Equin Nix wrote:

 Hi,

 I am trying to set up something very basic (at least from my point of
 view): I would like to have a User with multiple passwords (two
 actually). How would I do this? I tried the following:

 alice Auth-Type=Local, Cleartext-Password := test1
 alice Auth-Type=Local, Cleartext-Password := test2


 Do not set Auth-Type. It's almost always wrong, and is certainly wrong in
 this case.


 It might be possible to have >1 password; but it will probably only work
 for PAP requests, unless you play carefully with module failover.

 It also probably won't work in the users file; this is because the
 User-Password attribute is handled specially here, as a compatibility
 synonym for Cleartext-Password.

 You could try something like this - define a second password attribute in
 raddb/dictionary:


 ATTRIBUTE   Cleartext-Password2   3002   string

 ...then set both in the users file:

 alice   Cleartext-Password := foo, Cleartext-Password2 := bar

 ...then use unlang to perform the comparisons in sites-enabled/default:

 authorize {

  ...
  # read the passwords from files
  files
  # compare them
   if ((User-Password != control:Cleartext-Password) && \
       (User-Password != control:Cleartext-Password2)) {
reject
  }

  # probably need to set Auth-Type := Accept here
  update control {
Auth-Type := Accept
  }
 }

 If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP
 etc. then it will be much harder.

Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Arran Cudbard-Bell
You can't put unlang in the configuration block of the files module... Unlang 
can only exist in policy.conf and in virtual server files.

-Arran


On Jul 7, 2011, at 2:18 PM, Equin Nix wrote:

 Hi Phil,
 
 thanks a lot for the fast answer! Unfortunately your radius-skills seem to 
 be far far from mine, but I think I get the point.
 
 I tried to add the following to sites-enabled/default (in the authorize section) 
 (It's not a full copy of your text, I wanted to start step by step):
 
 [...]
 #
 #  Read the 'users' file
 files {
 # compare them
 if (User-Password != control:Cleartext-Password) {
 reject
 }
 
 
 # probably need to set Auth-Type := Accept here
 update control {
 Auth-Type := Accept
 }
 }
 [...]
 
 and freeradius won't start (even if I remove the update control section). 
 This is the error:
 [...]
 /etc/freeradius/sites-enabled/default[154]: Subsection of module instance 
 call not allowed
 /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
 
 Any idea what might cause the trouble? Line 154 is the if 
 (User-Password line.
 
 BTW: It is not possible with RegEx?
 
 Best regards from Germany
 
 
 
 2011/7/7 Phil Mayers p.may...@imperial.ac.uk
 On 07/07/11 09:51, Equin Nix wrote:
 Hi,
 
 I am trying to set up something very basic (at least from my point of
 view): I would like to have a User with multiple passwords (two
 actually). How would I do this? I tried the following:
 
 alice Auth-Type=Local, Cleartext-Password := test1
 alice Auth-Type=Local, Cleartext-Password := test2
 
 Do not set Auth-Type. It's almost always wrong, and is certainly wrong in 
 this case.
 
 
 It might be possible to have >1 password; but it will probably only work for 
 PAP requests, unless you play carefully with module failover.
 
 It also probably won't work in the users file; this is because the 
 User-Password attribute is handled specially here, as a compatibility 
 synonym for Cleartext-Password.
 
 You could try something like this - define a second password attribute in 
 raddb/dictionary:
 
 
 ATTRIBUTE Cleartext-Password2 3002 string
 
 ...then set both in the users file:
 
 alice   Cleartext-Password := foo, Cleartext-Password2 := bar
 
 ...then use unlang to perform the comparisons in sites-enabled/default:
 
 authorize {
 
  ...
  # read the passwords from files
  files
  # compare them
  if ((User-Password != control:Cleartext-Password) && \
  (User-Password != control:Cleartext-Password2)) {
reject
  }
 
  # probably need to set Auth-Type := Accept here
  update control {
Auth-Type := Accept
  }
 }
 
 If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP 
 etc. then it will be much harder.

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Fajar A. Nugraha
On Thu, Jul 7, 2011 at 7:18 PM, Equin Nix equin@googlemail.com wrote:
 Hi Phil,

 thanks a lot for the fast answer! Unfortunately your radius skills seem to
 be far, far from mine, but I think I get the point.

 I tried to add the following to sites-enabled/default (in the authorize
 section) (It's not a full copy of your text, I wanted to start step by step):

 [...]
     #
     #  Read the 'users' file
     files {
     # compare them
     if (User-Password != control:Cleartext-Password) {
     reject
     }


     # probably need to set Auth-Type := Accept here
     update control {
     Auth-Type := Accept
     }
     }
 [...]

 and freeradius won't start (even if I remove the update control section).
 This is the error:
 [...]
 /etc/freeradius/sites-enabled/default[154]: Subsection of module instance
 call not allowed

Don't put the comparison in a subsection of the module instance, i.e. do NOT use

files {
  your stuff here
}


instead use

files
your stuff here

Also see man unlang. Among other things, it explains how to use
attributes, variables, and regex.

-- 
Fajar



Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Arran Cudbard-Bell
Sorry, make that: module calls cannot contain unlang, only rcode overrides.

You want:

 #
 #  Read the 'users' file
 files
 # compare them
 if (User-Password != control:Cleartext-Password) {
 reject
 }
 
 
 # probably need to set Auth-Type := Accept here
 update control {
 Auth-Type := Accept
 }



Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Phil Mayers

On 07/07/11 13:18, Equin Nix wrote:

Hi Phil,

thanks a lot for the fast answer! Unfortunately your radius skills seem
to be far, far from mine, but I think I get the point.

I tried to add the following to sites-enabled/default (in the authorize
section) (It's not a full copy of your text, I wanted to start step by step):

[...]
#
# Read the 'users' file
files {
# compare them


No, that's wrong. As per my original email, it should be:

authorize {
  files
  if (...) {
  }
}

You've got:

authorize {
  files {
...
  }
}

...which is wrong.


Re: Local User with multiple passwords (or RegEX passwords) possible?

2011-07-07 Thread Equin Nix
Phil, you got it working!

All of what you wrote was right:
- added Cleartext-Password2 to
/usr/share/freeradius/dictionary.freeradius.internal
- created user file like this:
user Cleartext-Password := 1, Cleartext-Password2 += 2
- updated sites-enabled/default to look like this (authorize section)

[..]
#
#  Read the 'users' file
files {
}

if ((%{User-Password} != %{control:Cleartext-Password}) &&
(%{User-Password} != %{control:Cleartext-Password2})) {
update reply {
Reply-Message = "I suck at FreeRadiusing!"
}
reject
}
else {
update control {
Auth-Type := Accept
}
}
[..]

If I can buy you a beer or something (thinking of
https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or
https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware) just email me
:)

Best Regards








Re: Two-phase, pass-thru authentication possible?

2011-06-16 Thread Phil Mayers

On 06/15/2011 11:15 PM, cwfnetman wrote:


mac address filtering isn't my idea, so please refrain from questioning why.


It's not totally useless. We do it. MAC address is a quick, reasonable 
proxy for the hardware and since it's the hardware/OS combo that gets 
infected with malware etc. it's a reasonable thing to key on.



simple whitelist (several hundred mac addresses) to validate against. If the
incoming mac address on the authentication request is simply somewhere on
the whitelist (anywhere within those hundreds of addresses), then I next
need to authenticate the Windows AD credentials, and if they're good, and in
a certain AD group, and their domain member workstation PC is in a certain
machine account group, etc, etc, according to the set of remote access
policies in the IAS server,  then go ahead and let 'em in.


This is where I get confused; how do you expect to have both the user 
and workstation credentials? AFAIK there is no EAP method that provides 
both. You can *either* have workstation *or* user auth.




So, can FreeRadius be set up to perform a sort of two-phase, cascaded
authentication such that the Cisco WiFi controller first sends the incoming
authentication access-request to FreeRadius, which checks a big whitelist of
pre-approved mac addresses, and if that tests good, then FreeRadius acts as
a relay/proxy/radius client to pass the next ActiveDirectory authentication
portion of the request off to my Windows IAS server, then if that part comes
back good, to reassemble all the pieces-parts back together as a completed
access-accept message and hand it back to the Cisco wireless system to let
the wireless user in, and basically fool the Cisco WiFi system into thinking
that one Radius server handled it all?


Sort of, but not in the way you're describing.

The EAP requests contain the MAC address, so basically you just want to:

 1. Receive the EAP request
 2. Check against whitelist
 3. if match - unconditionally proxy to IAS
 4. else reject

See the 1st example here:

http://wiki.freeradius.org/Mac%20Auth

... except instead of doing accept you should forward/proxy, like so:

authorize {
  preprocess

  # if cleaning up the Calling-Station-Id...
  rewrite_calling_station_id

  # now check against the authorized_macs file
  authorized_macs
  if (!ok) {
reject
  }
  else {
# forward to IAS
update control {
  Proxy-To-Realm := IAS
}
  }
}

You can extend the whitelist to live in SQL, a passwd-style file or 
whatever.


You'll need to create appropriate realm & home server definitions in 
proxy.conf - see the examples there, but something like:


home_server IAS {
  type = auth+acct
  ipaddr = x.x.x.x
  port = 1812
  secret = 
}
home_server_pool IAS {
  type = client-port-balance
  home_server = IAS
}
realm IAS {
  auth_pool = IAS
}








Two-phase, pass-thru authentication possible?

2011-06-15 Thread cwfnetman
I've got an interesting problem to try to solve and was curious if such a
concept is even possible with FreeRadius.

I've got to implement mac address filtering to a Cisco WiFi (WLC plus
numerous LWAPPs) system that also requires Active Directory authentication
of the Windows credentials of the user plus the wireless client workstation
machine's AD account. Presently I'm using Microsoft IAS on a Windows 2003
server to act as my Windows AD radius server.  Implementing the additional
mac address filtering isn't my idea, so please refrain from questioning why.
I know it really does nothing for true security, but I'm ordered to do so by
authorities above me, so I must implement this mandate just because... well
it's now become mandatory for my job.

A problem is that the mac addresses of the wifi interfaces in all the
various workstations are not always rigidly assigned to any particular
laptop PC; the WiFi adapters in the set of client PCs are subject to
frequent change and movement around the pool of PCs, so basically I need a
simple whitelist (several hundred mac addresses) to validate against. If the
incoming mac address on the authentication request is simply somewhere on
the whitelist (anywhere within those hundreds of addresses), then I next
need to authenticate the Windows AD credentials, and if they're good, and in
a certain AD group, and their domain member workstation PC is in a certain
machine account group, etc, etc, according to the set of remote access
policies in the IAS server,  then go ahead and let 'em in.

So, can FreeRadius be set up to perform a sort of two-phase, cascaded
authentication such that the Cisco WiFi controller first sends the incoming
authentication access-request to FreeRadius, which checks a big whitelist of
pre-approved mac addresses, and if that tests good, then FreeRadius acts as
a relay/proxy/radius client to pass the next ActiveDirectory authentication
portion of the request off to my Windows IAS server, then if that part comes
back good, to reassemble all the pieces-parts back together as a completed
access-accept message and hand it back to the Cisco wireless system to let
the wireless user in, and basically fool the Cisco WiFi system into thinking
that one Radius server handled it all? 



Re: Multiple ldaps (SSL) backends and only the first queried works.?Possible bug?

2011-05-04 Thread Daniele Albrizio
On 03/05/11 21:41, Alexander Clouter wrote:
 Daniele Albrizio albri...@univ.trieste.it wrote:

 I suspect the cacertfile attribute is not correctly re-instantiated
 and only the value of the first request is used to check against when
 instantiating a new ldaps connection.

 Without a doubt the chaining is not working on your LDAP servers.  What 

What I suspect is that this is not working with ANY ldap servers as long
as you have multiple ldaps backends configured and the ldap servers are
secured by SSL certificates signed by different CAs.

 is the full output of:
 
 openssl s_client -connect myAD.ds.units.it:636 -showcerts
 openssl s_client -connect myopenldap.units.it:636 -showcerts

http://pastebin.com/kyb34c9M for the first
http://pastebin.com/Kqd12KQL for the second

 You can pipe the server cert (cut'n'paste on stdin) through the 
 following to see the useful parts of the certs:
 
 openssl x509 -noout -text

Yes, perhaps the problem is not whether the verification is successful
or not (it works on each server only if we are in the first ldaps
connection on a freshly started freeradius), but what happens if the Nth
request with N != 1st goes to the other ldap server.
This Nth request fails with
TLS: peer cert untrusted or revoked (0x42)
but it is configured correctly.

I suspect this could be a bug in the way the CA cert attributes of
subsequent requests are handled in the freeradius code.

 You probably will find if you change those tls 'demands' to 'never' 
 things work, but then it kinda is self defeating :)

Obviously, I don't want that :)

-- 
   Daniele ALBRIZIO


Re: Multiple ldaps (SSL) backends and only the first queried works.?Possible bug?

2011-05-04 Thread Phil Mayers

On 04/05/11 09:37, Daniele Albrizio wrote:

I suspect this could be a bug in the way the CA cert attributes of
subsequent requests are handled in the freeradius code.


FreeRADIUS just calls:

ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, ...)

...and similar in rlm_ldap.c:ldap_connect

Interestingly, the 1st argument is NULL, not the LDAP* instance which 
has been created higher up, meaning those options are being (re)set 
globally, not per-connection. I wonder if that's the problem?


You could try:

perl -pe 's/(ldap[_a-z0-9]+)\(\s*NULL,/\1(ld,/g' src/modules/rlm_ldap/rlm_ldap.c


...which will change the above to:

ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, ...)

i.e. they'll be set on the connection created, not globally.


Re: Multiple ldaps (SSL) backends and only the first queried works.?Possible bug?

2011-05-04 Thread Tanjil Ahmed
Hi all

Is there anybody who can tell me why my MikroTik PPP user sometimes fails to
authenticate on FreeRADIUS?

How do I fix it?

After a few minutes it will be OK...

Re: Multiple ldaps (SSL) backends and only the first queried works.?Possible bug?

2011-05-04 Thread Phil Mayers

On 05/04/2011 08:46 PM, Tanjil Ahmed wrote:

Hi all

Is there anybody who can tell me why my MikroTik PPP user sometimes
fails to authenticate on FreeRADIUS?


Please don't hijack an existing thread. Start a new one.



How do I fix it?

After a few minutes it will be OK...



You need to give us more information.

See the FAQ for "it still doesn't work".



Multiple ldaps (SSL) backends and only the first queried works. Possible bug?

2011-05-03 Thread Daniele Albrizio
I have two ldaps backends instantiated like this:

authorize {
...
Autz-Type OPENLDAP {
openldap
}
Autz-Type ADLDAP {
adldap
}
...
}

authenticate {
...
Auth-Type OPENLDAP {
openldap
}
Auth-Type ADLDAP {
adldap
}
...
}


The two modules are configured as follows using DIFFERENT issuing CAs...

ldap adldap {
server = ldaps://myAD.ds.units.it
identity = ...
password = ...
basedn = ...
filter = (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1

tls {
start_tls = no
cacertfile = /usr/local/etc/raddb/.../certs/ad_root_ca.pem
require_cert= demand
}
...
}


ldap openldap {
server = ldaps://myopenldap.units.it
identity = ...
password = ...
basedn = ...
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
ldap_connections_number = 5
timeout = 5
timelimit = 5
net_timeout = 10
tls {
start_tls = no
cacertfile = /etc/ssl/certs/AddTrust_External_Root.pem
require_cert= demand
}
...
}


Now, the problem is that once I have started freeradius, the first connection
to an ldap server goes straight through, while the second (to the other one) says:

ldap_create
ldap_url_parse_ext(ldaps://myAD.ds.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myAD.ds.units.it:636
ldap_new_socket: 32
ldap_prepare_socket: 32
ldap_connect_to_host: Trying yyy.yyy.yyy.yyy:636
ldap_pvt_connect: fd: 32 tm: 1 async: 0
ldap_ndelay_on: 32
ldap_int_poll: fd: 32 tm: 1
ldap_is_sock_ready: 32
ldap_ndelay_off: 32
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string

...and letting the first request go to the myAD server (soon after a
restart):

ldap_create
ldap_url_parse_ext(ldaps://myopenldap.units.it)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myopenldap.units.it:636
ldap_new_socket: 33
ldap_prepare_socket: 33
ldap_connect_to_host: Trying xxx.xxx.xxx.xxx:636
ldap_pvt_connect: fd: 33 tm: 10 async: 0
ldap_ndelay_on: 33
ldap_int_poll: fd: 33 tm: 10
ldap_is_sock_ready: 33
ldap_ndelay_off: 33
ldap_pvt_connect: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string


I suspect the cacertfile attribute is not correctly re-instantiated
and only the value of the first request is used to check against when
instantiating a new ldaps connection.

Any suggestions?


-- 
   Daniele ALBRIZIO - albri...@univ.trieste.it



Re: Multiple ldaps (SSL) backends and only the first queried works. Possible bug?

2011-05-03 Thread Daniele Albrizio
On 03/05/11 19:00, Daniele Albrizio wrote:
 I've two ldaps backends instantiated like:

Forgot...
Using compiled freeradius-server-2.1.10 on Debian GNU/Linux 6.0


-- 
   Daniele ALBRIZIO - albri...@univ.trieste.it
   Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Divisione V - Infrastrutture e Servizi Informativi
  via Alfonso Valerio, 12 I-34127 Trieste, Italy
Sezione Infrastrutture Informatiche e Telematiche


Re: Multiple ldaps (SSL) backends and only the first queried works.?Possible bug?

2011-05-03 Thread Alexander Clouter
Daniele Albrizio albri...@univ.trieste.it wrote:

 I suspect the cacertfile attribute is not correctly re-instantiated
 and only the value of the first request is used to check against when
 instantiating a new ldaps connection.
 
Without a doubt the chaining is not working on your LDAP servers.  What 
is the full output of:

openssl s_client -connect myAD.ds.units.it:636 -showcerts
openssl s_client -connect myopenldap.units.it:636 -showcerts

You can pipe the server cert (cut'n'paste on stdin) through the 
following to see the useful parts of the certs:

openssl x509 -noout -text

You probably will find if you change those tls 'demands' to 'never' 
things work, but then it kinda is self defeating :)

Cheers

-- 
Alexander Clouter
.sigmonster says: You can't break eggs without making an omelet.



Is it possible to write client information into database other than clients.conf in default virtual server?

2011-04-06 Thread 魏景鹏
Dear All,

I know a little about dynamic clients; they may be used in a virtual server.

But, as in the subject line:

is it possible to write client information into a database other than
clients.conf in the default virtual server?


thx all

WeiJingPeng


Is it possible to write proxy information into database other than proxy.conf?

2011-04-06 Thread 魏景鹏
many thx

WeiJingPeng


Re: Is it possible to write client information into database other than clients.conf in default virtual server?

2011-04-06 Thread Alan DeKok
魏景鹏 wrote:
 is it possible to write client information into database other than
 clients.conf in default virtual server?

  Yes.  Read raddb/sql.conf.  Look for "client".  And see the NAS schema
shipped with the server.

  Alan DeKok.

Re: Is it possible to write proxy information into database other than proxy.conf?

2011-04-06 Thread Alan DeKok
魏景鹏 wrote:
 many thx

  It's not possible.

  Alan DeKok.

Re: Is it possible to get packet id in pre-proxy section?

2011-03-23 Thread Alan DeKok
魏景鹏 wrote:
 One side auth with pap method, but the other side needs chap auth
 method, so I have to do some translating work.
 
 chap-string = Packet-Id + Cleartext-Password + authenticator
 
 chap-password = packet-id + md5(chap-string)

 Is it possible to get packet id in pre-proxy section?

  It's not the packet Id.  It's a random 8 bit Id.

  The simplest way to do this would be via a Perl module.  You *might*
be able to do it via unlang, but I haven't tried.

  Alan DeKok.
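Added example, not code from this thread: how a PAP-to-CHAP translating proxy would build a CHAP-Password, and how the receiving server checks it, following RFC 1994 / RFC 2865. The helper names, the random 8-bit Id (as Alan notes, it is not the packet Id) and the sample values are constructed for illustration.

```python
"""Build and verify a RADIUS CHAP-Password (RFC 1994 / RFC 2865).

The one-octet CHAP Id prefixed to CHAP-Password is chosen by whoever
produces the response (a random 8-bit value here); it is NOT the RADIUS
packet identifier.  The challenge is the CHAP-Challenge attribute; a
server falls back to the 16-octet Request Authenticator only when that
attribute is absent.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def chap_response(ident: int, cleartext_password: str, challenge: bytes) -> bytes:
    """Return the 17-octet CHAP-Password value: Id || MD5(Id || password || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Id must fit in one octet")
    if not challenge:
        raise ValueError("challenge must not be empty")
    digest = hashlib.md5(bytes([ident]) + cleartext_password.encode("utf-8") + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(chap_password: bytes, cleartext_password: str, challenge: bytes) -> bool:
    """Server side (what rlm_chap does): take the Id from the attribute itself,
    recompute the digest from the known cleartext password and compare."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext_password, challenge)
    return hmac.compare_digest(expected, chap_password)


def translate_pap_to_chap(user_password: str, request_authenticator: bytes,
                          ident: Optional[int] = None) -> Dict[str, bytes]:
    """Attributes a translating proxy would send in place of User-Password.
    Hypothetical helper; Alan's suggestion is to do this from a Perl module.

    The proxied Access-Request gets a fresh Request Authenticator, so the
    challenge must travel explicitly as CHAP-Challenge rather than implicitly
    in the authenticator field.  We reuse the inbound authenticator as the
    challenge value but always send it as an attribute.
    """
    if ident is None:
        ident = os.urandom(1)[0]          # random 8-bit Id, not the packet Id
    challenge = request_authenticator
    return {
        "CHAP-Challenge": challenge,
        "CHAP-Password": chap_response(ident, user_password, challenge),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    inbound_authenticator = os.urandom(16)
    attrs = translate_pap_to_chap("test123", inbound_authenticator)
    print("CHAP-Password:", attrs["CHAP-Password"].hex())
    print("verifies:", chap_verify(attrs["CHAP-Password"], "test123", attrs["CHAP-Challenge"]))
```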

Re: Needed Freeradius 2.x + MySQL + Dynamic DHCP.. its possible?

2011-03-22 Thread Rogelio Sevilla Fernandez

Or maybe there is a way to only auth via MySQL and do the pool via files?


Alan DeKok al...@deployingradius.com wrote:


Rogelio Sevilla Fernandez wrote:

So, if the client auths from AP1, I need freeradius to send DHCP data to
my client using one dynamic IP pool like 192.168.1.0/24 with
DefaultGateway, NetworkMask and DNS server.


  It's possible... but not really easy to do right now.  Peter Nixon
apparently has some updates to the sql ippool module which makes this work.

  Alan DeKok.






--
Ing. Rogelio C. Sevilla Fernandez
Direccion de Desarrollo Telematico / Secretaria de Administracion
Gobierno del Estado de Colima
Tel (312)3162062 / (312)3162000 ext 2360



Is it possible to get packet id in pre-proxy section?

2011-03-22 Thread 魏景鹏
Hello guys,

One side auths with the PAP method, but the other side needs the CHAP auth
method, so I have to do some translating work.

chap-string = Packet-Id + Cleartext-Password + authenticator

chap-password = packet-id + md5(chap-string)

Is it possible to get packet id in pre-proxy section?

How can I pack packet-id & authenticator into chap-string?

Any ideas welcomed.

many thx




Re: Needed Freeradius 2.x + MySQL + Dynamic DHCP.. its possible?

2011-03-20 Thread Alan DeKok
Rogelio Sevilla Fernandez wrote:
 So, if the client auths from AP1, I need freeradius to send DHCP data to
 my client using one dynamic IP pool like 192.168.1.0/24 with
 DefaultGateway, NetworkMask and DNS server.

  It's possible... but not really easy to do right now.  Peter Nixon
apparently has some updates to the sql ippool module which makes this work.

  Alan DeKok.


Needed Freeradius 2.x + MySQL + Dynamic DHCP.. its possible?

2011-03-17 Thread Rogelio Sevilla Fernandez

Hi.. I'm working with FreeRADIUS 2.1.8 + MySQL support.

The auth system works well. The only thing to do is to add DHCP support.

This is the scenario:

Client connects to AP1.
AP1 does the requests/replies from/to the FreeRADIUS server..
Client gets authenticated and asks for an IP from DHCP..

I don't want to use a DHCP server like ISC because I don't want to send IPs  
to my wired LAN, only to wireless.


So, if the client auths from AP1, I need freeradius to send DHCP data to  
my client using one dynamic IP pool like 192.168.1.0/24 with  
DefaultGateway, NetworkMask and DNS server.


If the same client auths from AP2, send DHCP data to the client using  
another dynamic IP pool like 192.168.2.0/24 with DefaultGW, Netmask  
and DNS server.


Is it possible to do that?

I'm working with DaloRadius...



--
Ing. Rogelio C. Sevilla Fernandez
Direccion de Desarrollo Telematico / Secretaria de Administracion
Gobierno del Estado de Colima
Tel (312)3162062 / (312)3162000 ext 2360



Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Difan Zhao
Hi experts,

I want to try another way to authenticate devices by their MAC addresses. I 
don't really care about the security and just try to make the configuration 
easy. Here is my configuration:

=== hints ===
DEFAULT User-Name =~ "001422.*"
        Hint = "STB"

=== users ===
DEFAULT Hint == "STB", Cleartext-Password := "%{User-Name}"

Then I use the radtest program to test the setup and it failed...
radtest 00142211 00142211 localhost 1812 test123

Both lines in the hints and users file are match based on the radius -X output. 
However the password in the check attribute is not replaced with the 
username... Please help, thanks!

Here is the radius -X output:
rad_recv: Access-Request packet from host 127.0.0.1 port 16011, id=123, 
length=64
User-Name = "00142211"
User-Password = "00142211"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
+- entering group authorize {...}
[preprocess]expand: %{User-Name} -> 00142211
[preprocess]   hints: Matched DEFAULT at 1
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Marriott] No '/' in User-Name = 00142211, looking up realm NULL
[Marriott] No such realm NULL
++[Marriott] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password 00142211
[pap] Using clear text password %{User-Name}
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): 
[00142211/00142211] (from client 127.0.0.1/32 port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 00142211
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 123 to 127.0.0.1 port 16011
Waking up in 4.9 seconds.


Difan Zhao, M.Eng | CCNA CCNP CCSP | Network Engineer

Re: Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Phil Mayers

On 03/03/11 16:10, Difan Zhao wrote:

Hi experts,

I want to try another way to authenticate devices by their MAC
addresses. I don’t really care about the security and just try to make
the configuration easy. Here is my configuration:

= hints =

DEFAULT User-Name =~ 001422.*

Hint = STB

= users =

DEFAULT Hint == STB, Cleartext-Password := %{User-Name}


Why bother with a password at all?

DEFAULT Hint == STB, Auth-Type := Accept


RE: Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Difan Zhao
Thanks Phil! It works! It definitely fits what I need! However just be curious, 
why my setting won't work?

Thanks!



Re: Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Phil Mayers

On 03/03/11 18:11, Difan Zhao wrote:

Thanks Phil! It works! It definitely fits what I need! However just be curious, 
why my setting won't work?


I'm not sure. It should work; it seems like the expansion:

  Cleartext-Password := %{User-Name}

...wasn't being acted on. Are you sure you didn't have a typo somewhere?


Re: Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Alan DeKok
Phil Mayers wrote:
 I'm not sure. It should work; it seems like the expansion:
 
   Cleartext-Password := %{User-Name}
 
 ...wasn't being acted on. Are you sure you didn't have a typo somewhere?

  The control items aren't expanded in the hints or users file.

  Use unlang.

  Alan DeKok.


Re: Possible typo in share/dictionary.dhcp

2011-02-07 Thread Alan DeKok
Bjørn Mork wrote:
 DHCP-Keep=Alive-Garbage
  ^
 I believe Alexander refers to this '=', which does look a tiny bit
 suspicious

  Ah... I'll go fix that.  Blame it on small font or bad eyes.

  Alan DeKok.

Possible typo in share/dictionary.dhcp

2011-02-06 Thread Alexander Shikoff
Hello,

If you take a look at line 358 of share/dictionary.dhcp you may notice a '=':

VALUE   DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
VALUE   DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39

Is it a possible typo?

-- 
MINO-RIPE


Re: Possible typo in share/dictionary.dhcp

2011-02-06 Thread Alan DeKok
Alexander Shikoff wrote:
 if take a look on line 358 of share/dictionary.dhcp you may notice '=':
 
 VALUE   DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
 VALUE   DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39
 
 Is it possible typo?

  I have no idea what you mean.

  Alan DeKok.


Re: Possible typo in share/dictionary.dhcp

2011-02-06 Thread Bjørn Mork
Alan DeKok al...@deployingradius.com writes:
 Alexander Shikoff wrote:
 if take a look on line 358 of share/dictionary.dhcp you may notice '=':
 
 VALUE   DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
 VALUE   DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39
 
 Is it possible typo?

   I have no idea what you mean.

DHCP-Keep=Alive-Garbage
 ^
I believe Alexander refers to this '=', which does look a tiny bit
suspicious


Bjørn


radius.log records individual client IP. Possible??

2011-01-27 Thread Difan Zhao
Hi experts,

I'm wondering if it's possible for the radius.log file to show the NAS IP 
instead of the client name (which is IP range in my case).

Currently the log looks like:
Thu Jan 27 11:53:15 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60] 
(from client 10.143.115.0/24 port 50303 cli 08-00-0F-51-3F-60)

It'd be ideal if it could show the IP of the NAS where the request is coming
from. I know I could configure the client file to have an individual IP for each
client instead of the entire subnet. However, I'm just wondering if there is an easy
switch to turn it on lol

Thanks!


Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc.


Re: radius.log records individual client IP. Possible??

2011-01-27 Thread Alan DeKok
Difan Zhao wrote:
 I’m wondering if it’s possible for the radius.log file to show the NAS
 IP instead of the “client” name (which is IP range in my case).

  Read radiusd.conf, look for msg_goodpass

  Alan DeKok.

Possible memory leak in rlm_sql?

2010-12-17 Thread Brian Candler
I noticed something in rlm_sql.c function rlm_sql_process_groups().

group_list is allocated at the top of the function, but
sql_grouplist_free(group_list) is only called at the end.  All the various
error exits don't call it.

ISTM that's going to leak memory in event of errors, but perhaps I have
overlooked something which prevents that.

Regards,

Brian.


Re: Possible memory leak in rlm_sql?

2010-12-17 Thread Alan DeKok
Brian Candler wrote:
 I noticed something in rlm_sql.c function rlm_sql_process_groups().
 
 group_list is allocated at the top of the function, but
 sql_grouplist_free(group_list) is only called at the end.  All the various
 error exits don't call it.
 
 ISTM that's going to leak memory in event of errors, but perhaps I have
 overlooked something which prevents that.

  Nope.  You're right.

  Alan DeKok.
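The error-path leak Brian describes, as an added C example that is not FreeRADIUS code: a constructed stand-in for the group list, a leaky version that returns early past the free, and the single-exit form that frees on every path. The struct layout, fetch_check_items, live_list_count and the sample group names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the SQL group list in rlm_sql.c (not the real struct). */
typedef struct sql_grouplist {
    char *groupname;
    struct sql_grouplist *next;
} SQL_GROUPLIST;

/* Instrumentation: how many group lists are allocated but not yet freed. */
static int live_lists = 0;

/* Constructed sample: the second group makes the per-group lookup fail. */
const char *const SAMPLE_GROUPS[] = { "staff", "broken", "students" };
#define SAMPLE_GROUP_COUNT 3

static SQL_GROUPLIST *sql_grouplist_alloc(const char *const *names, int n)
{
    SQL_GROUPLIST *head = NULL, **tail = &head;

    for (int i = 0; i < n; i++) {
        SQL_GROUPLIST *g = calloc(1, sizeof(*g));
        if (!g) break;
        g->groupname = strdup(names[i]);
        *tail = g;
        tail = &g->next;
    }
    live_lists++;
    return head;
}

static void sql_grouplist_free(SQL_GROUPLIST **list)
{
    SQL_GROUPLIST *g = *list;

    while (g) {
        SQL_GROUPLIST *next = g->next;
        free(g->groupname);
        free(g);
        g = next;
    }
    *list = NULL;
    live_lists--;
}

/* Hypothetical per-group lookup; the group named "broken" simulates a failed query. */
static int fetch_check_items(const char *groupname)
{
    return strcmp(groupname, "broken") == 0 ? -1 : 0;
}

/* Shape of the bug in the thread: the list is freed only at the end, so every
 * early return on an error leaves it allocated. */
int process_groups_leaky(const char *const *names, int n)
{
    SQL_GROUPLIST *group_list = sql_grouplist_alloc(names, n);

    for (SQL_GROUPLIST *g = group_list; g; g = g->next) {
        if (fetch_check_items(g->groupname) < 0) return -1;   /* leaks group_list */
    }

    sql_grouplist_free(&group_list);
    return 0;
}

/* Fixed shape: one exit path through a cleanup label, so the free runs on
 * success and on every error exit alike. */
int process_groups_fixed(const char *const *names, int n)
{
    int rcode = 0;
    SQL_GROUPLIST *group_list = sql_grouplist_alloc(names, n);

    for (SQL_GROUPLIST *g = group_list; g; g = g->next) {
        if (fetch_check_items(g->groupname) < 0) {
            rcode = -1;
            goto finish;
        }
    }

finish:
    sql_grouplist_free(&group_list);
    return rcode;
}

/* Exposes the instrumentation so a caller can check for leaks. */
int live_list_count(void)
{
    return live_lists;
}

int main(void)
{
    process_groups_leaky(SAMPLE_GROUPS, SAMPLE_GROUP_COUNT);
    printf("after leaky error path: %d list(s) still allocated\n", live_list_count());
    process_groups_fixed(SAMPLE_GROUPS, SAMPLE_GROUP_COUNT);
    printf("after fixed error path: %d list(s) still allocated\n", live_list_count());
    return 0;
}
```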


Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

2010-12-14 Thread schilling
Got the whole setup working. So basically if users sign on with
usern...@foo.edu with eap, they will be sent to ldap w/ ntpassword
authorization. If users sign on with username only with eap, they will
be sent to active directory w/ ntlm authentication.
configuration changes are the following:
etc/raddb/proxy.conf add
realm foo.edu {
}
realm NULL {
}
/etc/raddb/site-enabled/inner-tunnel at the ldap line in authorize section add
switch "%{Realm}" {
	case "foo.edu" {
		ldap
		# see /etc/raddb/modules/mschap: if ntpassword is available,
		# then do not use NTLM_auth
		update control {
			MS-CHAP-Use-NTLM-Auth := NO
		}
	}
	case NULL {
		mschap
	}
}

etc/raddb/module/mschap, etc/raddb/module/ntlm are all from integrate
with Active Directory howto.

Thanks for the great software, and can not wait to see the finish of
the book. There are so many internals to be understood.


Schilling





One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

2010-12-07 Thread schilling
We got ntlm_auth against AD working for PEAP, we also got separate
server for PEAP against ldap ntPassword hash.

in latest etc/raddb/modules/mschap
   # The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key.  Note that you MUST have winbindd and
# nmbd running on the local machine for ntlm_auth
# to work.  See the ntlm_auth program documentation
# for details.
#
# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request.  If there is a cleartext
# or NT hashed password available, you can set
# MS-CHAP-Use-NTLM-Auth := No in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.
#
# Be VERY careful when editing the following line!

Is there any way to have a virtual server(1812/1813) for
mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for
mschapv2-ldap ntPassword hash?

Here is our situation:
We have faculty/staff in Active Directory, so we are using ntlm_auth
against AD for their network authentication. Faculty/staff will sign
on with username, and it will get directed to ntlm_auth against AD.
We have students in LDAP with ntPassword but not in AD. So we would
like to have students sign on with usern...@foo.edu, so we can
manipulate the radius configuration to direct usern...@foo.edu to use
ldap ntPassword authentication.

Is there any way using freeradius to accomplish this?

Thanks for any insight!

Schilling


Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

2010-12-07 Thread Alan DeKok
schilling wrote:
 We got ntlm_auth against AD working for PEAP, we also got separate
 server for PEAP against ldap ntPassword hash.
 
 ...
 Is there any way to have a virtual server(1812/1813) for
 mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for
 mschapv2-ldap ntPassword hash?

  Yes.  But I don't think that's necessary.

 Here is our situation:
 We have faculty/staff in active directory.So we are using ntlm_auth
 against AD for their network authentication. Faculty/staff will sign
 on with username, it will get directed to ntpm_auth against AD.
 We have student in ldap with ntPassword but not in AD. So we would
 like to have student sign on with usern...@foo.edu, so we can
 manipulate the radius configuration to direct usern...@foo.edu to use
 ldap ntPassword authentication.
 
 Is there anyway using freeradius to accomplish this?

  Yes.  And you don't need two virtual servers.

1) edit the authorize section to do...
2) if people log in with u...@foo.edu, run ldap
3) else force ntlm_auth

  You might have to declare a foo.edu realm, but that shouldn't be an
issue.  The config should really be about 10 lines changed from the default.

  Develop this by:

1) adding realm foo.edu
2) enabling ldap
3) checking authentication

4) adding if not realm foo.edu
5) do ntlm_auth, as per the docs, wiki, etc.

  Alan DeKok.


Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

2010-12-07 Thread schilling
Hi Alan,

Thanks for the hint.

Just to be sure. Both user(username and usern...@foo.edu) will use
eap, mschapv2 to authenticate. But there is only one mschap module in
etc/raddb/modules/?

Regards,

Schilling



Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

2010-12-07 Thread Alan DeKok
schilling wrote:
 Just to be sure. Both user(username and usern...@foo.edu) will use
 eap, mschapv2 to authenticate. But there is only one mschap module in
 etc/raddb/modules/?

  So... configure another mschap module.

  See raddb/modules/files for examples of configuring two instances of
the same module.

  Alan DeKok.


Re: FR 2.1.11git, Dead home server status server reply - possible minor bug

2010-10-25 Thread Alan DeKok
James J J Hooper wrote:
 The date (Time-Of-Death) seems a little odd. I poked around in the code
 and got as far as the below, which looks possibly wrong, but I don't
 understand C enough to work out what to do with it from the surrounding
 code:

  You're right.  It's a pretty simple typo.

  I've committed a fix.

  Alan DeKok.


FR 2.1.11git, Dead home server status server reply - possible minor bug

2010-10-24 Thread James J J Hooper

Hi Alan et al,

{Running FR from GIT upto commit b42665d4475835f38fe71ef749e39cd22587bcfa, 
Sat Oct 9 17:52}



Doing:
/bin/echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 131, FreeRADIUS-Stats-Server-IP-Address = ., FreeRADIUS-Stats-Server-Port = 1812" | /usr/local/bin/radclient localhost:18120 status secret


when the homeserver is dead I get back:

Received response ID 178, code 2, length = 200
FreeRADIUS-Stats-Server-IP-Address = .
FreeRADIUS-Stats-Server-Port = 1812
FreeRADIUS-Stats-Server-Outstanding-Requests = 0
FreeRADIUS-Stats-Server-State = Dead
FreeRADIUS-Stats-Server-Time-Of-Death = Jan  6 1970 18:54:00 UTC
FreeRADIUS-Total-Proxy-Access-Requests = 1651
FreeRADIUS-Total-Proxy-Access-Accepts = 122
FreeRADIUS-Total-Proxy-Access-Rejects = 60
FreeRADIUS-Total-Proxy-Access-Challenges = 1345
FreeRADIUS-Total-Proxy-Auth-Responses = 1527
FreeRADIUS-Total-Proxy-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Proxy-Auth-Unknown-Types = 0

The date (Time-Of-Death) seems a little odd. I poked around in the code and 
got as far as the below, which looks possibly wrong, but I don't understand 
C enough to work out what to do with it from the surrounding code:


/src/main/event.c:

	/*
	 *	Enable the zombie period when we notice that the home
	 *	server hasn't responded for a while.  We back-date the
	 *	zombie period to when we last received a response from
	 *	the home server.
	 */
	home->state = HOME_STATE_ZOMBIE;

	home->zombie_period_start.tv_sec = home->last_packet;
	home->zombie_period_start.tv_sec = USEC / 2;

{Apologies if I'm totally going in the wrong direction}

Regards,
 James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   
--


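To show why the reported Time-Of-Death lands in January 1970, here is an added C example (not FreeRADIUS code) that reproduces the two assignments quoted above on a constructed home-server struct and renders the result the way the stats reply does. USEC is assumed to be 1000000 microseconds per second as in the FreeRADIUS headers; the struct, the helper names and the sample timestamp are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

#define USEC 1000000   /* microseconds per second; assumed to match the FreeRADIUS define */

/* Constructed stand-in for the home_server fields touched by the quoted code. */
typedef struct {
    time_t         last_packet;          /* when we last heard from the home server */
    struct timeval zombie_period_start;  /* back-dated start of the zombie period */
} home_server_t;

/* Constructed sample: Sat Oct 9 2010 17:32:00 UTC, shortly before the status query. */
#define SAMPLE_LAST_PACKET 1286645520L

/* The two assignments as quoted from event.c in the thread: the second one
 * overwrites tv_sec with USEC / 2, i.e. 500000 seconds after the epoch. */
void mark_zombie_as_quoted(home_server_t *home)
{
    home->zombie_period_start.tv_sec = home->last_packet;
    home->zombie_period_start.tv_sec = USEC / 2;
}

/* What the typo should read: the half second goes into tv_usec and tv_sec
 * keeps the back-dated timestamp. */
void mark_zombie_corrected(home_server_t *home)
{
    home->zombie_period_start.tv_sec = home->last_packet;
    home->zombie_period_start.tv_usec = USEC / 2;
}

/* Resulting fields for a given last_packet, so the effect can be checked directly. */
long quoted_tv_sec(time_t last_packet)
{
    home_server_t h = { .last_packet = last_packet };
    mark_zombie_as_quoted(&h);
    return (long)h.zombie_period_start.tv_sec;
}

long corrected_tv_sec(time_t last_packet)
{
    home_server_t h = { .last_packet = last_packet };
    mark_zombie_corrected(&h);
    return (long)h.zombie_period_start.tv_sec;
}

long corrected_tv_usec(time_t last_packet)
{
    home_server_t h = { .last_packet = last_packet };
    mark_zombie_corrected(&h);
    return (long)h.zombie_period_start.tv_usec;
}

/* Year and day of month of a timestamp in UTC, matching the "Jan  6 1970" symptom. */
int utc_year(time_t t)
{
    struct tm tm;
    gmtime_r(&t, &tm);
    return tm.tm_year + 1900;
}

int utc_mday(time_t t)
{
    struct tm tm;
    gmtime_r(&t, &tm);
    return tm.tm_mday;
}

/* Render tv_sec in the "Jan  6 1970 18:54:00 UTC" style of the stats reply. */
void format_time_of_death(time_t t, char *buf, size_t len)
{
    struct tm tm;
    gmtime_r(&t, &tm);
    strftime(buf, len, "%b %e %Y %H:%M:%S UTC", &tm);
}

int main(void)
{
    char buf[64];

    format_time_of_death(quoted_tv_sec(SAMPLE_LAST_PACKET), buf, sizeof(buf));
    printf("as quoted : tv_sec=%ld -> %s\n", quoted_tv_sec(SAMPLE_LAST_PACKET), buf);

    format_time_of_death(corrected_tv_sec(SAMPLE_LAST_PACKET), buf, sizeof(buf));
    printf("corrected : tv_sec=%ld tv_usec=%ld -> %s\n",
           corrected_tv_sec(SAMPLE_LAST_PACKET),
           corrected_tv_usec(SAMPLE_LAST_PACKET), buf);
    return 0;
}
```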


Re: Wildcard in realm name? possible??

2010-09-09 Thread Alan DeKok
Difan Zhao wrote:
 So I guess my first question is that, is it possible to have wildcard
 (e.g. “*”) in the realm name?

  Read raddb/proxy.conf.  Look for regex

 realm *~*.gtcorp.com* {

  That isn't the correct syntax.

  Go back and read the example in proxy.conf again.

  Alan DeKok.

RE: Wildcard in realm name? possible??

2010-09-09 Thread Difan Zhao
Hi Alan,

Thank you for the quick response! I read again and tried and this one
worked!!

realm ~\.gtcorp\.com

However I did try the one which is same syntax as the example in the
proxy.conf file:

realm ~*\\.gtcorp\\.com$

The radiusd -X can't start and I got this. 

realm ~*\.gtcorp\.com$ {
/etc/raddb/proxy.conf[33]: Invalid regex in realm ~*\.gtcorp\.com$
 } # realm ~*\.gtcorp\.com$
 
I tried many other syntax and I found that I can't put ~ and * together
and if I did the process won't start...

I guess my problem is solved! This is just FYI! Thanks again for your
help!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc. 


Wildcard in realm name? possible??

2010-09-08 Thread Difan Zhao
Dear developers/experts,

I haven't bugged you guys for too long so I decided to come back with a
strange question so you know that I'm still your loyal user.

I need to proxy requests with the following username pattern to a remote
server.

host/<PC name>.gtcorp.com

This is what the username looks like when the Windows PC is doing PEAP
with use of the PC's name instead of the actual user's username. Don't
know why but seems to be strange!

So I guess my first question is that, is it possible to have wildcard
(e.g. *) in the realm name?

I did read all the docs I could possibly find and I tested the configs
as well but I couldn't get it to work... Here is the debug while I'm
doing testing with radtest program. As you can see, it always matches
the DEFAULT realm but not the *.gtcorp.com that I defined... I'm using
2.1.6 on RHEL4. So! Help help!

[r...@ne_ovi ~]# radtest 'host/difan.gtcorp.com'  localhost 0 test123
Sending Access-Request of id 163 to 127.0.0.1 port 1812
User-Name = host/difan.gtcorp.com
User-Password = 
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=163,
length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 15676, id=163,
length=73
User-Name = host/difan.gtcorp.com
User-Password = 
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[GTCORP] Looking up realm difan.gtcorp.com for User-Name =
host/difan.gtcorp.com
[GTCORP] Found realm DEFAULT
[GTCORP] Adding Realm = DEFAULT
[GTCORP] Proxying request from user host to realm DEFAULT
[GTCORP] Preparing to proxy authentication request to realm DEFAULT
++[GTCORP] returns updated
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
...

The following are my relevant configs:

==
/etc/raddb/proxy.conf (I did try many other realm names such as
*.gtcorp.com as well)
==

proxy server {
	default_fallback = no
}

###

home_server GTK_Radius_Auth {
	type = auth
	ipaddr = 1.1.1.1
	port = 1812
	secret = 
}

home_server GTK_Radius_Acct {
	type = acct
	ipaddr = 1.1.1.1
	port = 1813
	secret = 
}

home_server_pool GTK_Radius_Auth_Pool {
	type = fail-over
	home_server = GTK_Radius_Auth
}

home_server_pool GTK_Radius_Acct_Pool {
	type = fail-over
	home_server = GTK_Radius_Acct
}

realm ~*.gtcorp.com {
	nostrip
	auth_pool = GTK_Radius_Auth_Pool
	acct_pool = GTK_Radius_Acct_Pool
}

#
#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like bob will match this one.
#
realm NULL {
	nostrip
	auth_pool = GTK_Radius_Auth_Pool
	acct_pool = GTK_Radius_Acct_Pool
}

#
#  This realm is for ALL OTHER requests.
#
realm DEFAULT {
	nostrip
	auth_pool = GTK_Radius_Auth_Pool
	acct_pool = GTK_Radius_Acct_Pool
}

===
/etc/raddb/modules/realm
===

realm GTCORP {
	format = suffix
	delimiter = /
}

==
/etc/raddb/sites-available/default
==

...
authorize {
	preprocess
	chap
	mschap
	GTCORP
	Suffix
	...
}

Thanks!!

 

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc. 


At FR2.1.9 this is possible?

2010-05-31 Thread ziyen
Hi

When one auth request happens, FR should act like:
{ first check remote1 radius Server
  if fail
     second check remote 2 radius Server
     if fail
        third check local DB or file
     fi
  fi
}

Is there another multi auth check method?
Thanks!

Re: At FR2.1.9 this is possible?

2010-05-31 Thread Alan DeKok
ziyen wrote:
 Hi
  
 at one auth request happen then
 FR Act as like
 { first check remote1 radius Server
   if fail
  second chek remote 2 radius Server

  See fail-over.  This works only if the server is down.

  You *cannot* re-proxy a request if the first server returned reject.

  Alan DeKok.


Re: Conditional radreply with Freeradius. Possible somehow ?

2010-05-28 Thread Alan DeKok
Pere Hospital wrote:
   I have gone again through the SQL wiki. What I am not able to
 find anywhere (and think that it is what we exactly need) is how to
 emulate this behaviour of check/reply items that you can get via the
 users file. i.e. from users file:

  The SQL schema is intended to mirror the users file.  i.e. it can be
mapped *directly* from the users file.

 #swilson  Service-Type == Framed-User, Huntgroup-Name == alphen
 # Framed-IP-Address = 192.168.1.65,
 # Fall-Through = Yes

  This becomes (roughly)

radcheck:
swilson Service-Type == Framed-User
swilson Huntgroup-Name == alphen

radreply:
swilson  Framed-IP-Address = 192.168.1.65
swilson  Fall-Through = Yes

   This is what I can't see how to do with sql module as radreply
 is related just to the username. 

  The radreply for the user is referenced *only* if the radcheck
entries for that user matched.

   From SQL Wiki :
 
 In radreply, create entries for each user-specific radius reply
 attribute against their username -- against their username and not
 username + nas-identifier i.e.).
 
 and again 
 
 If check attributes are found, and there's a match, pull the reply
 items from the radreply table for this user and add them to the reply 
 -- for this user, so again no info about this user+other
 requirements ...

  The check attributes are found text is intended to *be* the other
requirements

   Well, rules are user + NAS based. A user will get a certain IP
 only if he connects to a certain NAS. And from what you say I assume
 that configuration files + sql can be used at the same time ?. 

  Yes.

  All modules are independent.

  Alan DeKok.


Re: Conditional radreply with Freeradius. Possible somehow ?

2010-05-26 Thread Alan DeKok
Pere Hospital wrote:
 So the logic of the process would be :
 
 Receive auth request from VPN server
 --> Authenticate/Authorize user (via radcheck, checking expiration
 date, number of simultaneous logins ...). --> If NAS-Identifier = X
 then return (via radreply)  Framed-IP-Address=Y --> If NAS-Identifier
 = Z then return (via radreply)  Framed-IP-Address=W --> otherwise
 don't return a Framed-IP-Address
 
 Is this possible somehow ?

  Yes.

 We are using SQL module in freeradius.

  See the Wiki for how the SQL module works.

  Though since these rules are NAS based and not user based, I would
suggest simply writing them in the configuration.  See man unlang.

  And upgrade to 2.1.9...

  Alan DeKok.


Re: Conditional radreply with Freeradius. Possible somehow ?

2010-05-26 Thread Pere Hospital

Thx for the answer. 

I have gone again through the SQL wiki. What I am not able to
find anywhere (and think that it is what we exactly need) is how to
emulate this behaviour of check/reply items that you can get via the
users file. i.e. from users file:

# user swilson will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups
# file).
#
# Note that by setting Fall-Through, other attributes will be added
# from the following DEFAULT entries
#
#swilson	Service-Type == Framed-User, Huntgroup-Name == alphen
#		Framed-IP-Address = 192.168.1.65,
#		Fall-Through = Yes

Here you are checking for two parameters (service-type, huntgroup ...
in our case could be cleartext pass and nas-identifier) and then if
both checks succeed return the framed ip.

This is what I can't see how to do with sql module as radreply
is related just to the username. 

From SQL Wiki :

In radreply, create entries for each user-specific radius reply
attribute against their username -- against their username and not
username + nas-identifier i.e.).

and again 

If check attributes are found, and there's a match, pull the reply
items from the radreply table for this user and add them to the reply 
-- for this user, so again no info about this user+other
requirements ...

Also:

   Though since these rules are NAS based and not user based, I would
 suggest simply writing them in the configuration.  See man unlang.

Well, rules are user + NAS based. A user will get a certain IP
only if he connects to a certain NAS. And from what you say I assume
that configuration files + sql can be used at the same time ?. 

Sorry to be so lost here :)


Pere




-- 
Pere Hospital, CISSP®, OSCP®
secWays
Security First


Conditional radreply with Freeradius. Possible somehow ?

2010-05-25 Thread Pere Hospital

Hi all,

Here is the situation.

We have a freeradius server that receives authentication/authorization
requests from multiple VPN servers.

For just CERTAIN servers we want to return a Framed-IP-Address via
radreply.

We would control the Framed-IP-Address return value (if any) via
Nas-Identifier parameter that we receive from the VPN servers.

So the logic of the process would be:

Receive auth request from VPN server
--> Authenticate/Authorize user (via radcheck, checking expiration
    date, number of simultaneous logins ...)
--> If NAS-Identifier = X then return (via radreply) Framed-IP-Address=Y
--> If NAS-Identifier = Z then return (via radreply) Framed-IP-Address=W
--> otherwise don't return a Framed-IP-Address

Is this possible somehow ?

We are using SQL module in freeradius.

Details :

Debian 5.0.4
freeradius 2.0.4+dfsg-6


Regards,


Pere


FW: MS AD / OpenLDAP with PAP - is it really not possible ?

2010-05-20 Thread Pawel Cieplinski

Hello

I have got an application that allows authentication only via the PAP method. My 
goal would be to use Active Directory as the backend user database, but I found 
that: 

Once the PAP authentication test has been successful, the next step for sites 
using Active Directory is to configure the system to perform user 
authentication against Active Directory. The clear-text passwords are 
unavailable through Active Directory, so we have to use Samba

Is it true ?

The same page describes using ntlm_auth instead, but I cannot find how to 
pass attributes from the LDAP database to the RADIUS client when using ntlm_auth.

Is it possible to reply with attributes from LDAP using ntlm_auth ?

Best Regards
Pawel.



Re: FW: MS AD / OpenLDAP with PAP - is it really not possible ?

2010-05-20 Thread Alan DeKok
Pawel Cieplinski wrote:
 I have got an application that allows authentication only via the PAP method. My 
 goal would be to use Active Directory as the backend user database, but I found 
 that: 

  It should work.

 Once the PAP authentication test has been successful, the next step for 
 sites using Active Directory is to configure the system to perform user 
 authentication against Active Directory. The clear-text passwords are 
 unavailable through Active Directory, so we have to use Samba
 
 Is it true ?

  sigh *IF* you're trying to configure EAP.  That is one step out of
many.  It tests that AD integration works before going on to the next step.

 The same page describes using ntlm_auth instead, but I cannot find how to 
 pass attributes from the LDAP database to the RADIUS client when using ntlm_auth.
 
 Is it possible to reply with attributes from LDAP using ntlm_auth ?

  No.

  For PAP, configure AD as an LDAP server.

  Alan DeKok.
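"Configure AD as an LDAP server" means that, because AD never returns the user's password to the RADIUS server, rlm_ldap has to bind to the domain controller as the user with the PAP password (Auth-Type LDAP) rather than compare against a stored hash, and that reply attributes come from the user's LDAP entry through ldap.attrmap. The following is an added example of that layout on FreeRADIUS 2.x, not Alan's or Pawel's configuration and not part of the original thread; the hostname, DNs, service account, CA file and the LDAP attribute "radiusFramedIPAddress" are placeholders.

```unlang
#  Added example, not from the thread: PAP against Active Directory with
#  rlm_ldap on FreeRADIUS 2.x.  Hostname, DNs, credentials and the LDAP
#  attribute used in the mapping are placeholders.

#  raddb/modules/ldap
ldap {
	server = "dc1.corp.example"
	port = 389
	#  Service account used for the user search (read-only is enough).
	identity = "cn=radius-svc,ou=Service Accounts,dc=corp,dc=example"
	password = "change-me"
	basedn = "dc=corp,dc=example"
	#  AD keys accounts on sAMAccountName, not uid.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	#  The user's clear-text PAP password is sent to the DC in the bind,
	#  so require StartTLS and verify the DC certificate.
	tls {
		start_tls = yes
		cacertfile = /etc/ssl/certs/corp-root-ca.pem
		require_cert = "demand"
	}

	#  AD answers some searches with referrals; follow them, re-binding
	#  with the service account.
	chase_referrals = yes
	rebind = yes

	#  AD returns no password attribute, so let the module set
	#  Auth-Type := LDAP and do a bind-as-user check instead.
	set_auth_type = yes

	#  LDAP attribute -> RADIUS reply/check attribute mapping.
	dictionary_mapping = ${confdir}/ldap.attrmap
}

#  raddb/ldap.attrmap, one added line: reply item taken from an attribute
#  of the user's entry (the LDAP attribute name is a placeholder).
#
#    replyItem   Framed-IP-Address   radiusFramedIPAddress

#  raddb/sites-enabled/default
authorize {
	preprocess
	suffix
	#  Finds the entry, adds the mapped reply items, sets Auth-Type LDAP.
	ldap
	pap
}

authenticate {
	Auth-Type LDAP {
		#  Binds to AD as the user with the User-Password from the
		#  Access-Request; a failed bind is an Access-Reject.
		ldap
	}
}
```

Note that this path covers PAP only: the bind works because the clear-text password is in the request, which is exactly what MS-CHAP and the EAP methods built on it do not provide, hence the Samba/ntlm_auth route in the wiki text Pawel quotes. Each authentication costs one search and one bind against the DC, so size ldap_connections_number and timeouts in the module accordingly.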


Re: Is Centralized SSH Public Key Authentication Possible?

2010-02-18 Thread Lech Karol Pawłaszek
On 2/17/10 9:24 PM, John L. Singleton wrote:
 Hi All,
 
 I am trying to set up a centralized SSH authentication server that allows 
 authentication via public keys. I can't find anything on the web about whether 
 this is possible with FR. Is it? Basically all I need is for FR to allow 
 authentication off of the respective user's .ssh/authorized_keys file. So far 
 all I can seem to get going is password authentication. Can anyone let me 
 know if this is even doable?
 

Hello,

I'm using the OpenSSH-LPK patch. This patch allows keeping public keys in an
LDAP tree. But it has nothing to do with RADIUS.

http://code.google.com/p/openssh-lpk/

Hope it helps,

-- 
Lech Karol Pawłaszek ike
You will never see me fall from grace [KoRn]