Re: peap/mschapv2 + mysql + filter-id

2008-07-30 Thread Alan DeKok
Adam W. Sewell wrote:
 I've been working trying to set up freeradius to work with peap/mschapv2 
 backended by a mysql database on Enterasys switches. I've got almost 
 everything working except for when a user authenticates with a 802.1x 
 supplicant with peap/mschapv2, freeradius sends an access-accept packet but 
 does not append the Filter-Id that is required for Enterasys switches to 
 switch the default port policy. However, when I authenticate to the 
 management portion of the switch, which uses pap, it authenticates and sends 
 the Filter-Id as it should. I'm not sure what I'm missing here and I honestly 
 don't know what configs you guys would need to see to help with this. So if I 
 can provide any logs or config files, please let me know.

  Read the debug output.  Or, post the output here, and maybe a sample
of your config files.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: peap/mschapv2 + mysql + filter-id

2008-07-30 Thread Adam W. Sewell
 an on-going EAP conversation
++[eap] returns updated
expand: %{User-Name} -> generic
rlm_sql (sql): sql_set_user escaped user -- 'generic'
rlm_sql (sql): Reserving sql socket id: 1
expand: SELECT id, username, attribute, value, op   FROM 
radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radcheck   
WHERE username = 'generic'   ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> 
SELECT id, username, attribute, value, op   FROM radreply   
WHERE username = 'generic'   ORDER BY id
expand: SELECT groupname   FROM usergroup   WHERE 
username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   
FROM usergroup   WHERE username = 'generic'   ORDER BY 
priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [generic/via Auth-Type = EAP] (from client TestSwitches port 0 via 
TLS tunnel)
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.16.240.77 port 1930
EAP-Message = 
0x01df002b1900170301002007b66e03cf1277bb89b88a78357462d463bce87424d6f2c889a218e607e2b958
Message-Authenticator = 0x
State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=26, 
length=232
Message-Authenticator = 0xf246ed24c1d8cdece97a0b0814fc0d81
User-Name = generic
State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
NAS-IP-Address = 192.16.240.77
NAS-Port = 8
NAS-Port-Type = Ethernet
Calling-Station-Id = 00-16-D3-30-E5-74
Called-Station-Id = 00-01-F4-93-14-00
Framed-MTU = 1000
EAP-Message = 
0x02df00501900170301002090c5a627b284c660af3348c538297fc2b3e59ebbfa74ed335ebfdf782e3df0721703010020c24cb49475b2e47d8dbd0afb64f429081c610acdac786c7c26f1b28d152927a7
NAS-Identifier = TEST_M48
NAS-Port-Id = fe.0.8
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = generic, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 223 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [generic/via Auth-Type = EAP] (from client TestSwitches port 8 cli 
00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 26 to 192.16.240.77 port 1930
MS-MPPE-Recv-Key = 
0x680f34a977769aa71a178722683534da074169a1b7f994e643785f0f90ba5930
MS-MPPE-Send-Key = 
0x502aacfc317b2197d001bc706b1581972ec6e97ffd344b2fe434dbda852a81c3
EAP-Message = 0x03df0004
Message-Authenticator = 0x
User-Name = generic
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 17 with timestamp +15
Cleaning up request 1 ID 18 with timestamp +15
Cleaning up request 2 ID 19 with timestamp +15
Cleaning up request 3 ID 20 with timestamp +15
Waking up in 0.1 seconds.
Cleaning up request 4 ID 21 with timestamp +15
Cleaning up request 5 ID 22 with timestamp +15
Cleaning up request 6 ID 23 with timestamp +15
Cleaning up request 7 ID 24 with timestamp +15
Cleaning up request 8 ID 25 with timestamp +15
Cleaning up request 9 ID 26 with timestamp +15
Ready to process requests.

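Alan's advice for this problem is to read the debug output, and a PEAP session is several Access-Request/Access-Challenge pairs followed by one Access-Accept, so the reply that matters is easy to lose in the scrollback. The following is an added example, not code from the thread and not part of FreeRADIUS: a small Python parser that walks `radiusd -X` output, records the attributes in each reply the server sends, and lists the Access-Accept packets that went out without a given attribute (Filter-Id here). The log embedded in it is a constructed, shortened excerpt modelled on the debug output posted above, with hex payloads truncated; it also handles the case, visible in the archive, where a long EAP-Message value was wrapped onto its own line.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the radiusd -X output quoted in the thread.
# Hex payloads are shortened; the wrapped EAP-Message reproduces how the
# mailing-list archive split one long debug line across two.
SAMPLE_LOG = """\
Sending Access-Challenge of id 25 to 192.16.240.77 port 1930
\tEAP-Message = 
\t0x01df002b1900170301002007b66e03cf1277bb89b88a78357462d463bce87424d6f2c889a218e607e2b958
\tMessage-Authenticator = 0x
\tState = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
Finished request 8.
Going to the next request
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=26, length=232
\tUser-Name = generic
\tState = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
\tNAS-Port-Type = Ethernet
+- entering group authorize
++[eap] returns ok
Login OK: [generic/via Auth-Type = EAP] (from client TestSwitches port 8 cli 00-16-D3-30-E5-74)
Sending Access-Accept of id 26 to 192.16.240.77 port 1930
\tMS-MPPE-Recv-Key = 0x680f34a977769aa7
\tMS-MPPE-Send-Key = 0x502aacfc317b2197
\tEAP-Message = 0x03df0004
\tMessage-Authenticator = 0x
\tUser-Name = generic
Finished request 9.
"""

REPLY_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) =\s*(.*)$")
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]*$")


@dataclass
class Reply:
    kind: str        # Access-Accept / Access-Challenge / Access-Reject
    pkt_id: int      # RADIUS identifier, echoed from the request
    nas: str         # address the reply was sent to
    # name -> list of values; a reply may carry the same attribute several times
    attrs: dict = field(default_factory=dict)

    def has(self, name):
        return name in self.attrs


def parse_replies(log_text):
    """Return one Reply per 'Sending Access-*' block in radiusd -X output.

    Attribute lines directly under the 'Sending' line belong to that reply;
    the first line that is neither an attribute nor a hex continuation ends
    the block, so request attributes after 'rad_recv:' are never picked up.
    """
    replies = []
    current, last_name = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REPLY_RE.match(line)
        if m:
            current = Reply(m.group(1), int(m.group(2)), m.group(3))
            replies.append(current)
            last_name = None
            continue
        if current is None:
            continue
        a = ATTR_RE.match(line)
        if a:
            last_name = a.group(1)
            current.attrs.setdefault(last_name, []).append(a.group(2))
        elif last_name and HEX_RE.match(line):
            # continuation of a long hex value wrapped onto its own line
            current.attrs[last_name][-1] += line
        else:
            current = None   # first unrelated line ends the reply block
    return replies


def accepts_missing(replies, attr_name):
    """Packet ids of Access-Accept replies that do not carry attr_name."""
    return [r.pkt_id for r in replies
            if r.kind == "Access-Accept" and not r.has(attr_name)]


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_LOG)
    for r in replies:
        print(r.kind, r.pkt_id, "->", r.nas, sorted(r.attrs))
    print("Access-Accept ids without Filter-Id:",
          accepts_missing(replies, "Filter-Id"))
```

Run over a full `radiusd -X` capture, the output tells you which Access-Accept ids left the server without Filter-Id, which separates "the server never added it to the outer reply" from "the switch ignored it" before anyone starts editing switch policy.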

RE: peap with mysql

2006-05-19 Thread Chris Liles
) for request 7


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Liles
Sent: Friday, May 19, 2006 10:42 AM
To: FreeRadius users mailing list
Subject: RE: peap with mysql 

Please forgive my ignorance, but can you be a little bit more specific?

I tried putting the following in the database:

mysql> select * from radcheck;
+----+----------+------------------------+----+--------+
| id | UserName | Attribute              | op | Value  |
+----+----------+------------------------+----+--------+
|  1 | temptest | Password               | := | authme |
|  2 | temptest | MS-CHAP-User-NTLM-Auth | == | No     |
+----+----------+------------------------+----+--------+

I added the following to dictionary:
ATTRIBUTE   MS-CHAP-User-NTLM-Auth  3003    string


But I am still seeing the call made for ntlm authing:

radius_xlat:  'temptest'
rlm_sql (sql): sql_set_user escaped user -- 'temptest'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'temptest'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'temptest'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[temptest]
  modcall[authorize]: module sql returns notfound for request 16
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 16
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for temptest with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: d2
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=f323f6e00a6e7eef 
--nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 
--require-membership-of=DOMAIN+wifi-secure'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=f323f6e00a6e7eef 
--nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 
--require-membership-of=DOMAIN+wifi-secure
Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 16
modcall: leaving group MS-CHAP (returns reject) for request 16


I'm guessing that I need to put the MS-CHAP-User-NTLM-Auth somewhere else??


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 18, 2006 8:31 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql 

Chris Liles [EMAIL PROTECTED] wrote:
 How can I make the mschap module use both ntlm and mysql?

  If it gets a clear-text password, it should probably default to
using that.  For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

  Alan DeKok.



Re: peap with mysql

2006-05-19 Thread Alan DeKok
Chris Liles [EMAIL PROTECTED] wrote:
 mysql> select * from radgroupreply;
 +----+-----------+------------------------+----+-------+
 | id | GroupName | Attribute              | op | Value |
 +----+-----------+------------------------+----+-------+
 |  1 | guests    | MS-CHAP-User-NTLM-Auth | == | No    |

  It's a check attribute, not a reply attribute.  You had that right
the first time.

  I said to correct the attribute name.  You didn't.

  I said to correct the operator.  You didn't.

  Please read the responses to your messages.  If you don't, there's
no point in posting questions.

  Alan DeKok.

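Alan's two corrections in this thread (User-Password must be stored with `:=` rather than `==`, because an MS-CHAP request carries no User-Password to compare against, and the MS-CHAP-User-NTLM-Auth = No row is a check item whose operator must likewise be `:=`) come down to how FreeRADIUS evaluates check items. The following is an added example, not FreeRADIUS code and not from the thread: a minimal Python model of the check-item operators described in users(5), run against a PAP-style and an MS-CHAPv2-style request with the radcheck rows posted above. The request contents are constructed, `can_mschap_authenticate` is a hypothetical helper standing in for rlm_mschap's need for a User-Password or NT-Password control item, and the model deliberately treats `Password` and `User-Password` as unrelated names, which is what the server does. For reference, the attribute as shipped in the FreeRADIUS dictionary is spelled MS-CHAP-Use-NTLM-Auth.

```python
def evaluate_check_items(request, check_items):
    """Model of FreeRADIUS check-item evaluation (simplified, not the server's code).

    request:     attributes present in the Access-Request, name -> value
    check_items: (attribute, op, value) rows as stored in radcheck
    Returns (matched, control): whether the entry matches at all, and the
    control (config) items it would set.  Operators, per users(5):
      ==  matches only if the attribute is in the request with this value
      !=  matches only if the attribute is absent or has another value
      :=  always matches; sets the control item, replacing an earlier one
      =   always matches; sets the control item only if none is set yet
          (users(5) allows this only for server-side attributes)
    A single failing == or != row makes the whole entry 'notfound', so
    none of its := rows take effect either.
    """
    control = {}
    for attr, op, value in check_items:
        if op == "==":
            if request.get(attr) != value:
                return False, {}
        elif op == "!=":
            if request.get(attr) == value:
                return False, {}
        elif op == ":=":
            control[attr] = value
        elif op == "=":
            control.setdefault(attr, value)
        else:
            raise ValueError(f"operator {op!r} not modelled here")
    return True, control


def can_mschap_authenticate(control):
    """Hypothetical stand-in for rlm_mschap: it derives the NT hash from a
    cleartext User-Password control item itself, so no stored LM/NT hashes
    are needed; with neither it has nothing to check the response against."""
    return "User-Password" in control or "NT-Password" in control


# Constructed requests.  PAP carries the cleartext password; MS-CHAPv2
# carries only the challenge and the client's response to it.
PAP_REQUEST = {"User-Name": "temptest", "User-Password": "authme"}
MSCHAP_REQUEST = {
    "User-Name": "temptest",
    "MS-CHAP-Challenge": "0x...",      # placeholder, not a real challenge
    "MS-CHAP2-Response": "0x...",      # placeholder, not a real response
}

# The rows from the thread, as posted and as corrected.
ROWS_EQ = [("User-Password", "==", "authme")]
ROWS_SET = [("User-Password", ":=", "authme")]
NTLM_ROWS_POSTED = [("Password", ":=", "authme"),
                    ("MS-CHAP-User-NTLM-Auth", "==", "No")]
NTLM_ROWS_FIXED = [("User-Password", ":=", "authme"),
                   ("MS-CHAP-User-NTLM-Auth", ":=", "No")]


def outcome(request, rows):
    """Summarise one request/row-set combination for the reader."""
    matched, control = evaluate_check_items(request, rows)
    return {"matched": matched,
            "control": control,
            "mschap_possible": matched and can_mschap_authenticate(control)}


if __name__ == "__main__":
    for label, req, rows in [
        ("PAP, User-Password ==", PAP_REQUEST, ROWS_EQ),
        ("MS-CHAPv2, User-Password ==", MSCHAP_REQUEST, ROWS_EQ),
        ("MS-CHAPv2, User-Password :=", MSCHAP_REQUEST, ROWS_SET),
        ("MS-CHAPv2, rows as posted", MSCHAP_REQUEST, NTLM_ROWS_POSTED),
        ("MS-CHAPv2, rows corrected", MSCHAP_REQUEST, NTLM_ROWS_FIXED),
    ]:
        print(f"{label:30s} {outcome(req, rows)}")
```

The second and fourth cases are the ones seen in the debug output above: with `==` on an attribute the MS-CHAP request never carries, rlm_sql reports "No matching entry in the database", nothing is set as a control item, and rlm_mschap then has "No User-Password configured" and falls through to ntlm_auth.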


RE: peap with mysql

2006-05-18 Thread Chris Liles
Thanks Alan,

That worked perfectly.

Now the next problem:

I'm trying to set up freeradius to do ntlm and mysql. 

Currently mysql only works when I comment out the ntlm_auth line in the mschap 
section. I'm thinking because it is sending the username/password to the Domain 
Controller, which won't auth it because the info is in the mysql database when 
the ntlm line is present.

How can I make the mschap module use both ntlm and mysql?



--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, May 17, 2006 7:08 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql 

Chris Liles [EMAIL PROTECTED] wrote:
 To get peap working with a mysql backend do I need to store the LM
 and NT hashes of the password?

  No.

 I currently have my db setup like this:
 
 
 mysql> select * from radcheck;
 +----+----------+---------------+----+--------+
 | id | UserName | Attribute     | op | Value  |
 +----+----------+---------------+----+--------+
 |  1 | temptest | User-Password | == | authme |

  You should use :=, not ==.

 Currently it works fine with NTRadPing, but not from the MS Supplicant :(

  Debug mode will tell you why: there's no User-Password in the
MS-CHAP request to do == comparisons on.

  Alan DeKok.



Re: peap with mysql

2006-05-18 Thread Alan DeKok
Chris Liles [EMAIL PROTECTED] wrote:
 How can I make the mschap module use both ntlm and mysql?

  If it gets a clear-text password, it should probably default to
using that.  For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

  Alan DeKok.



Re: peap with mysql

2006-05-17 Thread Alan DeKok
Chris Liles [EMAIL PROTECTED] wrote:
 To get peap working with a mysql backend do I need to store the LM
 and NT hashes of the password?

  No.

 I currently have my db setup like this:
 
 
 mysql> select * from radcheck;
 +----+----------+---------------+----+--------+
 | id | UserName | Attribute     | op | Value  |
 +----+----------+---------------+----+--------+
 |  1 | temptest | User-Password | == | authme |

  You should use :=, not ==.

 Currently it works fine with NTRadPing, but not from the MS Supplicant :(

  Debug mode will tell you why: there's no User-Password in the
MS-CHAP request to do == comparisons on.

  Alan DeKok.
