Re: How to make an open auth realm?
Hello! I have one question: is it possible to add some information at the end of the line in radius.log, like "user not in db", when I let in users without an account in my database?

Regards,
Marcin S.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to make an open auth realm?
Hello,

I want to ask if you succeeded in making open auth? I want to let in users without passwords or with an incorrect password, and users without an account in my database too. I have added to my sql.conf lines that give something like this when there is no such user in the database:

authorize_check_query = call rad1('%{User-Name}');

gives

+-----+----------+-----------+--------+----+
| id  | UserName | Attribute | Value  | op |
+-----+----------+-----------+--------+----+
| 001 | someone  | Auth-Type | Accept | == |
+-----+----------+-----------+--------+----+

authorize_reply_query = call rad2('%{User-Name}');

+-----+----------+---------------------+-----------------+----+
| id  | UserName | Attribute           | Value           | op |
+-----+----------+---------------------+-----------------+----+
| 001 | someone  | Framed-IP-Address   | 192.168.4.200   | := |
| 001 | someone  | Framed-IP-Netmask   | 255.255.255.255 | := |
| 001 | someone  | Mikrotik-Rate-Limit | 128k/64k        | := |
+-----+----------+---------------------+-----------------+----+

In the radius logs I get:

Wed Feb 10 15:29:15 2010 : Auth: Login OK: [someone/<via Auth-Type = mschap>] (from client router port 307 cli 00:21:00:11:90:58)

but in Windows I get error 778, "cannot verify server identity". Can you send me a clue? What am I doing wrong?

P.S. I'm sorry for my English!

On 2010-02-09 23:30, Nick Bright wrote:
> Greetings!
>
> I'd like to configure freeradius such that my local realm is an open authentication realm. By this I mean that I would like to return Access-Accept back to any Access-Request no matter what username/password is submitted.
>
> This seems like it should be pretty easy, but I'm just not seeing how to do it. I will of course continue to review the documentation after sending this message, but I would appreciate any tips that the mailing list can offer.
Re: How to make an open auth realm?
Marcin S. wrote:
> I have added to my sql.conf lines that give something like this when there is no such user in the database:
>
> authorize_check_query = call rad1('%{User-Name}');
>
> gives
>
> +-----+----------+-----------+--------+----+
> | id  | UserName | Attribute | Value  | op |
> +-----+----------+-----------+--------+----+
> | 001 | someone  | Auth-Type | Accept | == |
> +-----+----------+-----------+--------+----+

Read doc/rlm_sql for the meaning of the operators.

> In the radius logs I get:

Could you explain why you're not using debug mode?

> Wed Feb 10 15:29:15 2010 : Auth: Login OK: [someone/<via Auth-Type = mschap>] (from client router port 307 cli 00:21:00:11:90:58)
>
> but in Windows I get error 778, "cannot verify server identity". Can you send me a clue? What am I doing wrong?

You haven't given the debug log, which contains the authentication protocol.

My *guess* is that you're doing MS-CHAP. You CANNOT just return Access-Accept. The Windows machine won't like it. It's impossible.

Alan DeKok.
Re: How to make an open auth realm?
working (user from database):

rad_recv: Access-Request packet from host 192.168.0.2 port 45023, id=7, length=188
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 362
	NAS-Port-Type = Ethernet
	User-Name = neptun
	Calling-Station-Id = 00:21:00:11:90:58
	Called-Station-Id = service1
	NAS-Port-Id = bridge1
	MS-CHAP-Challenge = 0x789a686362d46451ad1b12d6d1fecfb4
	MS-CHAP2-Response = 0x0100efef25766b55d6f212d5332ed21e16d7ae2174f15545d09d57abb1befd659c8255b254db8f45bfc9
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.0.2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/radius/var/log/radius/rad
[auth_log] /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/
[auth_log] 	expand: %t -> Wed Feb 10 17:45:13 2010
++[auth_log] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[sql] 	expand: %{User-Name} -> neptun
[sql] sql_set_user escaped user --> 'neptun'
rlm_sql (sql): Reserving sql socket id: 12
[sql] 	expand: call rad1('%{User-Name}'); -> call rad1('neptun');
[sql] User found in radcheck table
[sql] 	expand: call rad2('%{User-Name}'); -> call rad2('neptun');
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Found Auth-Type = MSCHAP
!!!                                                                        !!!
!!!	Replacing User-Password in config items with Cleartext-Password.   !!!
!!!                                                                        !!!
!!! Please update your configuration so that the known good                !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!                                                                        !!!
+- entering group authenticate {...}
[mschap] Told to do MS-CHAPv2 for neptun with NT-Password
++[mschap] returns ok
+- entering group session {...}
++[sql] returns noop
Login OK: [neptun/<via Auth-Type = mschap>] (from client router port 362 cli 00:21:00:11:90:58)
+- entering group post-auth {...}
[sql] 	expand: %{User-Name} -> neptun
[sql] sql_set_user escaped user --> 'neptun'
[sql] 	expand: UPDATE nodes SET lastonline = unix_timestamp() WHERE name='%{User-Name}' or mac='%{User-Name}'; -> UPDATE nodes SET lastonline =
rlm_sql (sql) in sql_postauth: query is UPDATE nodes SET lastonline = unix_timestamp() WHERE name='neptun' or mac='neptun';
rlm_sql (sql): Reserving sql socket id: 11
rlm_sql (sql): Released sql socket id: 11
++[sql] returns ok
Sending Access-Accept of id 7 to 192.168.0.2 port 45023
	Framed-IP-Address == 192.168.4.201
	Framed-IP-Netmask == 255.255.255.255
	Mikrotik-Rate-Limit := 386k/3072k 0/3584k 0/1536k 0/25 8
	MS-CHAP2-Success = 0x01533d4534463736334639323031324637414537464136303643463031463233433632423036383138
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.0.2 port 59326, id=8, length=146
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 362
	NAS-Port-Type = Ethernet
	User-Name = neptun
	Calling-Station-Id = 00:21:00:11:90:58
	Called-Station-Id = service1
	NAS-Port-Id = bridge1
	Acct-Session-Id = 81400150
	Framed-IP-Address = 192.168.4.201
	Acct-Authentic = RADIUS
	Event-Timestamp = Feb 10 2010 17:45:14 CET
	Acct-Status-Type = Start
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.0.2
	Acct-Delay-Time = 0
+- entering group accounting {...}
[sql] 	expand: %{User-Name} -> neptun
[sql] sql_set_user escaped user --> 'neptun'
[sql] 	expand:  ->
rlm_sql (sql): Reserving sql socket id: 10
rlm_sql (sql): Released sql socket id: 10
++[sql] returns ok
Sending Accounting-Response of id 8 to 192.168.0.2 port 59326
Finished request 2.
Cleaning up request 2 ID 8 with timestamp +2
Going to the next request
Waking up in 4.9 seconds.

not working (alien user):

rad_recv: Access-Request packet from host 192.168.0.2 port 57789, id=234, length=189
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 353
	NAS-Port-Type = Ethernet
	User-Name = someone
	Calling-Station-Id = 00:21:00:11:90:58
	Called-Station-Id = service1
	NAS-Port-Id = bridge1
	MS-CHAP-Challenge = 0xd74b24161391b697f91dee51eccb3898
	MS-CHAP2-Response = 0x010004148d0dcca8dba78110be592613bf908a03009aa6e54aaf8af8bdd6ca4e3f366fdeb668b11a8ce7
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.0.2
+- entering group authorize
Re: How to make an open auth realm?
Marcin S. wrote:
> So what should I return to let in a user without an account in my database?

Did you read my previous message?

Alan DeKok.
Re: How to make an open auth realm?
On Thu, Feb 11, 2010 at 12:15 AM, Marcin S. <red...@tlen.pl> wrote:
> working (user from database):
>
> MS-CHAP-Challenge = 0x789a686362d46451ad1b12d6d1fecfb4
> MS-CHAP2-Response = 0x0100efef25766b55d6f212d5332ed21e16d7ae2174f15545d09d57abb1befd659c8255b254db8f45bfc9

MS-CHAP does not send the user's plain-text password. It requires the server to know the user's password.

> So what should I return to let in a user without an account in my database?

You can't. Not when using ms-chap. You might be able to do so by disabling ms-chap in the server and using only pap (enabled by default).

--
Fajar
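To make the point in Alan's and Fajar's replies concrete, here is an added example (not code from this thread, and not FreeRADIUS's own code) of the server-side MS-CHAPv2 step that an "accept everything" realm cannot skip. The MS-CHAP2-Success value that a Windows client verifies before it trusts the connection (the failure the client reports as error 778) is derived, per RFC 2759, from the MD4 hash of the user's password; with no password on file there is nothing to derive it from. The sample values are the RFC 2759 section 9.2 test vectors packed into the MS-CHAP2-Response attribute layout of RFC 2548, since the thread does not include the password behind its captured packets. The function names, the pure-Python MD4 fallback (for OpenSSL builds that no longer expose md4) and the `password_from_db is None` branch are this example's own.

```python
import hashlib
import struct


def _md4_pure(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; only used when hashlib lacks md4."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # md4 not provided by this OpenSSL build
        return _md4_pure(data)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash (RFC 2759 8.3): MD4 over the UTF-16LE password. This is the
    'NT-Password' the FreeRADIUS debug output refers to; it needs the real password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (RFC 2759 8.2): first 8 bytes of SHA1(peer || authenticator || username)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode()).digest()[:8]


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def generate_authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                                    authenticator_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse (RFC 2759 8.7): the 'S=...' string the client checks."""
    password_hash_hash = md4(nt_password_hash(password))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def parse_mschap2_response(attr: bytes) -> dict:
    """Split the 50-byte MS-CHAP2-Response value (RFC 2548 2.3.3):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response value must be 50 bytes")
    return {"ident": attr[0], "flags": attr[1], "peer_challenge": attr[2:18], "nt_response": attr[26:50]}


def mschap2_success(password_from_db, attr: bytes, authenticator_challenge: bytes, username: str):
    """What the server must put in MS-CHAP2-Success (Ident + 42-byte 'S=' string).
    Returns None when there is no stored password: the server then has no NT hash,
    cannot compute the authenticator response, and the client will reject the
    Access-Accept as an unverifiable server (the thread's Windows error 778)."""
    if password_from_db is None:
        return None
    r = parse_mschap2_response(attr)
    auth_resp = generate_authenticator_response(password_from_db, r["nt_response"], r["peer_challenge"],
                                                authenticator_challenge, username)
    return bytes([r["ident"]]) + auth_resp.encode()


# Constructed sample input: RFC 2759 section 9.2 test vectors, packed as a RADIUS attribute value.
USERNAME = "User"
PASSWORD = "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")   # MS-CHAP-Challenge
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
SAMPLE_ATTR = bytes([1, 0]) + PEER_CHALLENGE + bytes(8) + NT_RESPONSE   # Ident 1, Flags 0, Reserved zeros

if __name__ == "__main__":
    print("password on file :", mschap2_success(PASSWORD, SAMPLE_ATTR, AUTH_CHALLENGE, USERNAME))
    print("no password      :", mschap2_success(None, SAMPLE_ATTR, AUTH_CHALLENGE, USERNAME))
```

The same dependency exists on the other side of the exchange: checking the client's 24-byte NT-Response (the DES-based ChallengeResponse of RFC 2759, omitted here) also starts from the NT hash, so neither half of MS-CHAPv2 can be faked for an unknown user. PAP, which Fajar suggests, carries the password itself and has no such server-proof step, which is why an unconditional Auth-Type := Accept only behaves with PAP.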
Re: How to make an open auth realm?
And is there no other way than using pap instead of mschapv2 to let in that sort of users?

On 2010-02-10 23:14, Fajar A. Nugraha wrote:
> On Thu, Feb 11, 2010 at 12:15 AM, Marcin S. <red...@tlen.pl> wrote:
>> working (user from database):
>>
>> MS-CHAP-Challenge = 0x789a686362d46451ad1b12d6d1fecfb4
>> MS-CHAP2-Response = 0x0100efef25766b55d6f212d5332ed21e16d7ae2174f15545d09d57abb1befd659c8255b254db8f45bfc9
>
> MS-CHAP does not send the user's plain-text password. It requires the server to know the user's password.
>
>> So what should I return to let in a user without an account in my database?
>
> You can't. Not when using ms-chap. You might be able to do so by disabling ms-chap in the server and using only pap (enabled by default).
RE: How to make an open auth realm?
Hi Nick,

You should be able to update your users file with your realm, similar to this:

DEFAULT Suffix == @YourRealm.com, Auth-Type := Accept

You can add commas and additional attributes to return to the NAS, to help direct the NAS in handling these local realm users.

Oh, btw, I'm running 1.1.7; hopefully it's similar in later versions...

-Benjamin

> Date: Tue, 9 Feb 2010 16:30:54 -0600
> From: nick.bri...@valnet.net
> To: freeradius-users@lists.freeradius.org
> Subject: How to make an open auth realm?
>
> Greetings!
>
> I'd like to configure freeradius such that my local realm is an open authentication realm. By this I mean that I would like to return Access-Accept back to any Access-Request no matter what username/password is submitted.
>
> This seems like it should be pretty easy, but I'm just not seeing how to do it. I will of course continue to review the documentation after sending this message, but I would appreciate any tips that the mailing list can offer.
>
> --
> Nick Bright
> Network Administrator
> Valnet Telecommunications, LLC
> Tel 888-332-1616 x 315
> Fax 620-332-1201
Re: How to make an open auth realm?
That worked wonderfully. Thanks for the great tip!

--
Nick Bright
Network Administrator
Valnet Telecommunications, LLC
Tel 888-332-1616 x 315
Fax 620-332-1201

Benjamin Marvin wrote:
> Hi Nick,
>
> You should be able to update your users file with your realm, similar to this:
>
> DEFAULT Suffix == @YourRealm.com, Auth-Type := Accept
>
> You can add commas and additional attributes to return to the NAS, to help direct the NAS in handling these local realm users.
>
> Oh, btw, I'm running 1.1.7; hopefully it's similar in later versions...
>
> -Benjamin
>
>> Date: Tue, 9 Feb 2010 16:30:54 -0600
>> From: nick.bri...@valnet.net
>> To: freeradius-users@lists.freeradius.org
>> Subject: How to make an open auth realm?
>>
>> Greetings!
>>
>> I'd like to configure freeradius such that my local realm is an open authentication realm. By this I mean that I would like to return Access-Accept back to any Access-Request no matter what username/password is submitted.
>>
>> This seems like it should be pretty easy, but I'm just not seeing how to do it. I will of course continue to review the documentation after sending this message, but I would appreciate any tips that the mailing list can offer.
>>
>> --
>> Nick Bright
>> Network Administrator
>> Valnet Telecommunications, LLC
>> Tel 888-332-1616 x 315
>> Fax 620-332-1201