Re: How to make an open auth realm?

2010-02-14 Thread Marcin S.

Hello!

I have one question: is it possible to add some information at the end of
the line in radius.log, like "user not in db", when I let in users without
an account in my database?



Regards,
Marcin S.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to make an open auth realm?

2010-02-10 Thread Marcin S.

Hello
I want to ask if you succeeded in making open auth?
I want to let in users without passwords or with an incorrect password, and
users without an account in my database too.


I have added to my sql.conf lines that give something like this when there
is no such user in the database:


authorize_check_query = call rad1('%{User-Name}'); gives
+-----+----------+-----------+--------+----+
| id  | UserName | Attribute | Value  | op |
+-----+----------+-----------+--------+----+
| 001 | someone  | Auth-Type | Accept | == |
+-----+----------+-----------+--------+----+

authorize_reply_query = call rad2('%{User-Name}');
+-----+----------+---------------------+-----------------+----+
| id  | UserName | Attribute           | Value           | op |
+-----+----------+---------------------+-----------------+----+
| 001 | someone  | Framed-IP-Address   | 192.168.4.200   | := |
| 001 | someone  | Framed-IP-Netmask   | 255.255.255.255 | := |
| 001 | someone  | Mikrotik-Rate-Limit | 128k/64k        | := |
+-----+----------+---------------------+-----------------+----+

in the radius logs I get:
Wed Feb 10 15:29:15 2010 : Auth: Login OK: [someone/via Auth-Type = mschap] (from client router port 307 cli 00:21:00:11:90:58)

but in Windows I get error 778: cannot verify server identity

Can you send me a clue? What am I doing wrong?

P.S. I'm sorry for my English!

On 2010-02-09 23:30, Nick Bright wrote:

Greetings!

I'd like to configure freeradius such that my local realm is an open 
authentication realm, by this I mean that I would like to return 
Access-Accept back to any Access-Request no matter what username and 
password is submitted.


This seems like it should be pretty easy, but I'm just not seeing how 
to do it. I will of course continue to review the documentation after 
sending this message, but I would appreciate any tips that the mailing 
list can offer.





Re: How to make an open auth realm?

2010-02-10 Thread Alan DeKok
Marcin S. wrote:
 I have added to my sql.conf lines that give something like this when there
 is no such user in the database:
 
 authorize_check_query = call rad1('%{User-Name}'); gives
 +-----+----------+-----------+--------+----+
 | id  | UserName | Attribute | Value  | op |
 +-----+----------+-----------+--------+----+
 | 001 | someone  | Auth-Type | Accept | == |
 +-----+----------+-----------+--------+----+

  Read doc/rlm_sql for the meaning of the operators.

 in radius logs a get:

  Could you explain why you're not using debug mode?

 Wed Feb 10 15:29:15 2010 : Auth: Login OK: [someone/via Auth-Type = mschap] (from client router port 307 cli 00:21:00:11:90:58)
 but in Windows I get error 778: cannot verify server identity
 
 Can you send me a clue? What am I doing wrong?

  You haven't given the debug log which contains the authentication
protocol.

  My *guess* is that you're doing MS-CHAP.  You CANNOT just return
Access-Accept.  The Windows machine won't like it.  It's impossible.

  Alan DeKok.


Re: How to make an open auth realm?

2010-02-10 Thread Marcin S.

working (user from database):

rad_recv: Access-Request packet from host 192.168.0.2 port 45023, id=7, 
length=188

Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 362
NAS-Port-Type = Ethernet
User-Name = neptun
Calling-Station-Id = 00:21:00:11:90:58
Called-Station-Id = service1
NAS-Port-Id = bridge1
MS-CHAP-Challenge = 0x789a686362d46451ad1b12d6d1fecfb4
MS-CHAP2-Response = 
0x0100efef25766b55d6f212d5332ed21e16d7ae2174f15545d09d57abb1befd659c8255b254db8f45bfc9

NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.0.2
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
- /usr/local/radius/var/log/radius/rad
[auth_log] 
/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to /usr/local/radius/var/log/radius/radacct/

[auth_log]  expand: %t - Wed Feb 10 17:45:13 2010
++[auth_log] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[sql]   expand: %{User-Name} - neptun
[sql] sql_set_user escaped user -- 'neptun'
rlm_sql (sql): Reserving sql socket id: 12
[sql]   expand: call rad1('%{User-Name}'); - call rad1('neptun');
[sql] User found in radcheck table
[sql]   expand: call rad2('%{User-Name}'); - call rad2('neptun');
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Found Auth-Type = MSCHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!                                                                         !!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[mschap] Told to do MS-CHAPv2 for neptun with NT-Password
++[mschap] returns ok
+- entering group session {...}
++[sql] returns noop
Login OK: [neptun/via Auth-Type = mschap] (from client router port 362 cli 00:21:00:11:90:58)

+- entering group post-auth {...}
[sql]   expand: %{User-Name} - neptun
[sql] sql_set_user escaped user -- 'neptun'
[sql]   expand: UPDATE nodes SET lastonline = unix_timestamp() WHERE 
name='%{User-Name}' or mac='%{User-Name}'; - UPDATE nodes SET lastonline =
rlm_sql (sql) in sql_postauth: query is UPDATE nodes SET lastonline = 
unix_timestamp() WHERE name='neptun' or mac='neptun';

rlm_sql (sql): Reserving sql socket id: 11
rlm_sql (sql): Released sql socket id: 11
++[sql] returns ok
Sending Access-Accept of id 7 to 192.168.0.2 port 45023
Framed-IP-Address == 192.168.4.201
Framed-IP-Netmask == 255.255.255.255
Mikrotik-Rate-Limit := 386k/3072k 0/3584k 0/1536k 0/25 8
MS-CHAP2-Success = 
0x01533d4534463736334639323031324637414537464136303643463031463233433632423036383138

Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.0.2 port 59326, 
id=8, length=146

Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 362
NAS-Port-Type = Ethernet
User-Name = neptun
Calling-Station-Id = 00:21:00:11:90:58
Called-Station-Id = service1
NAS-Port-Id = bridge1
Acct-Session-Id = 81400150
Framed-IP-Address = 192.168.4.201
Acct-Authentic = RADIUS
Event-Timestamp = Feb 10 2010 17:45:14 CET
Acct-Status-Type = Start
NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.0.2
Acct-Delay-Time = 0
+- entering group accounting {...}
[sql]   expand: %{User-Name} - neptun
[sql] sql_set_user escaped user -- 'neptun'
[sql]   expand:  -
rlm_sql (sql): Reserving sql socket id: 10
rlm_sql (sql): Released sql socket id: 10
++[sql] returns ok
Sending Accounting-Response of id 8 to 192.168.0.2 port 59326
Finished request 2.
Cleaning up request 2 ID 8 with timestamp +2
Going to the next request
Waking up in 4.9 seconds.

not working (alien user):
rad_recv: Access-Request packet from host 192.168.0.2 port 57789, 
id=234, length=189

Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 353
NAS-Port-Type = Ethernet
User-Name = someone
Calling-Station-Id = 00:21:00:11:90:58
Called-Station-Id = service1
NAS-Port-Id = bridge1
MS-CHAP-Challenge = 0xd74b24161391b697f91dee51eccb3898
MS-CHAP2-Response = 
0x010004148d0dcca8dba78110be592613bf908a03009aa6e54aaf8af8bdd6ca4e3f366fdeb668b11a8ce7

NAS-Identifier = MikroTik
NAS-IP-Address = 192.168.0.2
+- entering group authorize 

Re: How to make an open auth realm?

2010-02-10 Thread Alan DeKok
Marcin S. wrote:
 So what should I return to let in a user without an account in my database?

  Did you read my previous message?

  Alan DeKok.


Re: How to make an open auth realm?

2010-02-10 Thread Fajar A. Nugraha
On Thu, Feb 11, 2010 at 12:15 AM, Marcin S. red...@tlen.pl wrote:
 working(user from database):

     MS-CHAP-Challenge = 0x789a686362d46451ad1b12d6d1fecfb4
     MS-CHAP2-Response =
 0x0100efef25766b55d6f212d5332ed21e16d7ae2174f15545d09d57abb1befd659c8255b254db8f45bfc9

MS-CHAP does not send the user's plain-text password. It requires the
server to know the user's password.

 So what should I return to let in user without account in my database?

You can't. Not when using ms-chap.
You might be able to do so by disabling ms-chap in the server, and use
only pap (enabled by default).

-- 
Fajar



Re: How to make an open auth realm?

2010-02-10 Thread Marcin S.
And is there no other way than using pap instead of mschapv2 to let in 
that sort of user?


On 2010-02-10 23:14, Fajar A. Nugraha wrote:

On Thu, Feb 11, 2010 at 12:15 AM, Marcin S. red...@tlen.pl wrote:

working (user from database):

 MS-CHAP-Challenge = 0x789a686362d46451ad1b12d6d1fecfb4
 MS-CHAP2-Response =
0x0100efef25766b55d6f212d5332ed21e16d7ae2174f15545d09d57abb1befd659c8255b254db8f45bfc9

MS-CHAP does not send the user's plain-text password. It requires the
server to know the user's password.

So what should I return to let in a user without an account in my database?

You can't. Not when using ms-chap.
You might be able to do so by disabling ms-chap in the server, and use
only pap (enabled by default).



RE: How to make an open auth realm?

2010-02-09 Thread Benjamin Marvin

Hi Nick,
You should be able to update your users file with your realm, similar to this:

DEFAULT Suffix == @YourRealm.com, Auth-Type := Accept

You can add commas and additional attributes to return to the NAS to help 
direct the NAS in handling these local realm users. 

Oh, btw, I'm running 1.1.7, hopefully it's similar in later versions...

-Benjamin

 Date: Tue, 9 Feb 2010 16:30:54 -0600
 From: nick.bri...@valnet.net
 To: freeradius-users@lists.freeradius.org
 Subject: How to make an open auth realm?
 
 Greetings!
 
 I'd like to configure freeradius such that my local realm is an open 
 authentication realm, by this I mean that I would like to return 
 Access-Accept back to any Access-Request no matter what username and 
 password is submitted.
 
 This seems like it should be pretty easy, but I'm just not seeing how to 
 do it. I will of course continue to review the documentation after 
 sending this message, but I would appreciate any tips that the mailing 
 list can offer.
 
 -- 
 ---
 - Nick Bright
Network Administrator
Valnet Telecommunications, LLC
Tel 888-332-1616 x 315
Fax 620-332-1201
  

Re: How to make an open auth realm?

2010-02-09 Thread Nick Bright

That worked wonderfully. Thanks for the great tip!

---
- Nick Bright
  Network Administrator
  Valnet Telecommunications, LLC
  Tel 888-332-1616 x 315
  Fax 620-332-1201


Benjamin Marvin wrote:

Hi Nick,
You should be able to update your users file with your realm, similar to 
this:


DEFAULT Suffix == @YourRealm.com, Auth-Type := Accept

You can add commas and additional attributes to return to the NAS to 
help direct the NAS in handling these local realm users.


Oh, btw, I'm running 1.1.7, hopefully it's similar in later versions...

-Benjamin

  Date: Tue, 9 Feb 2010 16:30:54 -0600
  From: nick.bri...@valnet.net
  To: freeradius-users@lists.freeradius.org
  Subject: How to make an open auth realm?
 
  Greetings!
 
  I'd like to configure freeradius such that my local realm is an open
  authentication realm, by this I mean that I would like to return
  Access-Accept back to any Access-Request no matter what username and
  password is submitted.
 
  This seems like it should be pretty easy, but I'm just not seeing how to
  do it. I will of course continue to review the documentation after
  sending this message, but I would appreciate any tips that the mailing
  list can offer.
 
  --
  ---
  - Nick Bright
  Network Administrator
  Valnet Telecommunications, LLC
  Tel 888-332-1616 x 315
  Fax 620-332-1201


