RE: authentification ldap subgroup

2013-04-29 Thread REYNALD chekhina
I have found the solution: just add this group membership filter in the
/etc/raddb/modules/ldap file.

    groupmembership_filter = (&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))

From: tche...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: authentification ldap subgroup
Date: Wed, 24 Apr 2013 10:49:42 +0200




Hello all!
I have configured freeradius 2.1.12-4 with ldap group authorization. My problem
is it doesn't work with subgroups.
I have a group with a subgroup, and when ldap verifies the group of the user it
doesn't see the subgroup of the user.
My ldap module configuration:

ldap {
        # Note that this needs to match the name in the LDAP
        # Server certificate, if you're using ldaps.
        server = 192.168.1.3
        identity = cn=user_ldap,ou=users,dc=toto,dc=local
        password = Toto1
        basedn = dc=toto,dc=local
        #filter = (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))
        filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}*))
        # Group membership checking.  Disabled by default.
        #groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))
        groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
}

Can anyone help me?

Thanks in advance!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html  

authentification ldap subgroup

2013-04-24 Thread REYNALD chekhina
Hello all!
I have configured freeradius 2.1.12-4 with ldap group authorization. My problem
is it doesn't work with subgroups.
I have a group with a subgroup, and when ldap verifies the group of the user it
doesn't see the subgroup of the user.
My ldap module configuration:

ldap {
        # Note that this needs to match the name in the LDAP
        # Server certificate, if you're using ldaps.
        server = 192.168.1.3
        identity = cn=user_ldap,ou=users,dc=toto,dc=local
        password = Toto1
        basedn = dc=toto,dc=local
        #filter = (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))
        filter = (&(objectclass=user)(objectcategory=user)(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}*))
        # Group membership checking.  Disabled by default.
        #groupname_attribute = cn
        groupmembership_filter = (|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))
        groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
}

Can anyone help me?

Thanks in advance!

Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Phil Mayers

On 10/22/2012 09:13 AM, Daniel Ekman wrote:
> Hi list,
>
> I have a fairly large user base doing WPA2-enterprise from various
> OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
> authenticating via LDAP and things are running pretty well, only snag
> I have currently with this is when people change their password. I

Change their password where? Elsewhere, right? So, you want to prompt
the clients to enter a new password, because the user has changed
passwords on the server.

> in the latest version allow_retry and retry_msg in the mschap module
> was implemented and this works great on my mac and linux userbase,
> however it does not work for the windows users, the FreeRADIUS server
> is still sending the same things to the user but for some reason there
> is no popup telling the user to change their password so here is my
> actual question, is this supposed to work? should the windows users
> also get the popup saying please change password?

Your terminology is confusing. Do you mean "change password" or
"re-enter your password"? Because the two are very, very different.

To be honest, your email is sort of vague and specific at the same time,
if that makes any sense - there's some LDAP, some different set of
accounts, something else...

I've got no idea if Windows can even behave the way you want.

> judging from what some threads say like this for example
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html

That message predates major changes to the PEAP and EAP-MSCHAPv2 modules
to support password *change* (see why I said it was confusing?). So I'd
be cautious about reading too much into it.

> seems to indicate there are problems but it also sounds like there is
> a solution.
>
> I have also tried adding the send_error setting in eap.conf but that
> only broke things like I read somewhere it would.

...vague much?

Seriously: radiusd -X

If I have time today, I'll try to resurrect our NPS server for comparison
and see what Microsoft do. It's possible you just can't prompt
Windows in the way you want.



Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Daniel Ekman
Thanks for replying and sorry if I'm being vague, I'll try and be more specific.

On Tue, Oct 23, 2012 at 10:59 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 10/22/2012 09:13 AM, Daniel Ekman wrote:
>> Hi list,
>>
>> I have a fairly large user base doing WPA2-enterprise from various
>> OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
>> authenticating via LDAP and things are running pretty well, only snag
>> I have currently with this is when people change their password. I
>
> Change their password where? Elsewhere, right? So, you want to prompt the
> clients to enter a new password, because the user has changed passwords on
> the server.

Yes, clients change their password on the server via a custom web
interface on top of the LDAP and this then obviously does not get
automatically updated in the wireless settings on the client's
computer.

>> in the latest version allow_retry and retry_msg in the mschap module
>> was implemented and this works great on my mac and linux userbase,
>> however it does not work for the windows users, the FreeRADIUS server
>> is still sending the same things to the user but for some reason there
>> is no popup telling the user to change their password so here is my
>> actual question, is this supposed to work? should the windows users
>> also get the popup saying please change password?
>
> Your terminology is confusing. Do you mean "change password" or "re-enter
> your password"? Because the two are very, very different.

Re-enter the password in the wireless setup if they do not get authenticated.

> To be honest, your email is sort of vague and specific at the same time, if
> that makes any sense - there's some LDAP, some different set of accounts,
> something else...
>
> I've got no idea if Windows can even behave the way you want
>
>> judging from what some threads say like this for example
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
>
> That message predates major changes to the PEAP and EAP-MSCHAPv2 modules to
> support password *change* (see why I said it was confusing?). So I'd be
> cautious about reading too much into it.
>
>> seems to indicate there are problems but it also sounds like there is
>> a solution.
>>
>> I have also tried adding the send_error setting in eap.conf but that
>> only broke things like I read somewhere it would.
>
> ...vague much?

The send_error was added to version 2.1.11 as a bug fix: "Allow
EAP-MSCHAPv2 to send error message to client. This change allows some
clients to prompt the user for a new password. See raddb/eap.conf,
mschapv2 section, send_error."
This was said in an earlier version to solve issues for some clients but
*may* also cause other clients to stop working. The setting is also
not included in the version 2.1.12 eap.conf.

> Seriously: radiusd -X

radiusd -X gives the same output to mac/windows/linux users when they
need to re-enter their password but only the mac/linux users get a
prompt for it.

> If I have time today, I'll try to resurrect our NPS server for comparison
> and see what Microsoft do. It's possible you just can't prompt Windows in
> the way you want.


Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Phil Mayers

On 23/10/12 10:52, Daniel Ekman wrote:
> the send_error was added to version 2.1.11 as a bug fix "Allow
> EAP-MSCHAPv2 to send error message to client. This change allows some
> clients to prompt the user for a new password. See raddb/eap.conf,
> mschapv2 section, send_error."

I know that. I mean "like I read somewhere it would" was vague.

>> Seriously: radiusd -X
>
> radiusd -X gives the same output to mac/windows/linux users when they
> need to re-enter their password but only the mac/linux users get a
> prompt for it.

That doesn't mean it wouldn't be helpful to see it.


MS-CHAP-V2 allow_retry on ldap authentification

2012-10-22 Thread Daniel Ekman
Hi list,

I have a fairly large user base doing WPA2-enterprise from various
OS'es  and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when people change their password. I
realize this has been discussed before because I have spent a lot of
time reading through this list and other sources.

So current setup is OpenLDAP in a central location, a slave is set up
remote with FreeRADIUS on top of that to allow for WPA2, this also
means there is no correlation between user accounts on computers and
domains so when people change their LDAP password their WPA2
username/password remain the same and the user needs to change it
manually.

in the latest version allow_retry and retry_msg in the mschap module
was implemented and this works great on my mac and linux userbase,
however it does not work for the windows users, the FreeRADIUS server
is still sending the same things to the user but for some reason there
is no popup telling the user to change their password so here is my
actual question, is this supposed to work? should the windows users
also get the popup saying please change password?

judging from what some threads say like this for example
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
seems to indicate there are problems but it also sounds like there is
a solution.

I have also tried adding the send_error setting in eap.conf but that
only broke things like I read somewhere it would.


Thanks for reading :)

Daniel


Authentification Problem with Cisco AP, freeradius and LDAP

2012-10-11 Thread Florian Arenz
Hello,

I have got a really annoying authentification problem and I would be glad if
you could help me.

I use a Cisco Aironet 1130ag Access Point, the radius-server is a Debian
Squeeze (6.0.5) and I installed FreeRadius Version 2.1.10 from the package
sources.


After I made some changes to /etc/freeradius/modules/ldap to let my
radius know where the LDAP is and some other things, it looks like this:

--  /etc/freeradius/modules/ldap
ldap {

        server  = 172.26.100.1
        identity = uid=binduser,cn=users,ou=Infrastruktur,dc=tarent,dc=de
        password = 
        basedn  = dc=tarent,dc=de
        filter  = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        base_filter = (objectclass=posixAccount)

        groupname_attribute = cn

        # groupmembership_filter  = (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
        groupmembership_filter  = (&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))

        # groupmembership_attribute   = radiusGroupName
        groupmembership_attribute   = WLAN

        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow  = yes

        dictionary_mapping = /etc/freeradius/ldap.attrmap
        password_attribute = CleartextPassword
        set_auth_type  = yes
}

When I start freeradius with freeradius -X, this is the output I get:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 11
2012 at 17:06:46
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration

Re: Authentification Problem with Cisco AP, freeradius and LDAP

2012-10-11 Thread Alan Buxey
1) there is no such word as authentification, it's just 'authentication'

2) your client is trying to do EAP-TLS

3) check the FreeRADIUS compatibility matrix because when you do use e.g. PEAP (and
have the CA cert on the client), the MSCHAPv2 will only work with passwords from
LDAP in certain formats


alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.


Problem with CHAP Authentification

2012-06-11 Thread irosaurus
Hello everybody,

I am trying now for days to get a hotspot with chillispot (on dd-wrt device)
and freeradius running.

I set up a testuser and if I try a local radcheck on the ubuntu machine,
which hosts the freeradius, everything works out fine.




when I logon to the wifi, I get a right IP (from 192.168.182.0/24) from the
hotspot and I am redirected to hotspotlogin.cgi, where I put in the exact
same user and password as with the radtest, but login failed.

 I get the following debug error from freeradius:




when I try it with a wrong password, I get this debug error:




Has anyone an idea how to disable chap authentification or, better, to fix
it?
I would be really happy about every answer which directs me in a certain
way, because the hotspot has to work this weekend and I am getting a little
bit nervous ;)


Cheers iro



AW: Problem with CHAP Authentification

2012-06-11 Thread irosAurus
Sorry everybody to bother you again,
But I saw that the included debug code was missing, so here is the complete
post again with the missing code.
Sorry again for the inconvenience.
Cheers iro

#

Hello everybody, 

I am trying now for days to get a hotspot with chillispot (on dd-wrt device)
and freeradius running. 

I set up a testuser and if I try a local radcheck on the ubuntu machine,
which hosts the freeradius, everything works out fine.


maw@maweee:~$ radtest user 123 192.168.1.2 0 testsecret
Sending Access-Request of id 2 to 192.168.1.2 port 1812
User-Name = user
User-Password = 123
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 192.168.1.2 port 1812, id=2,
length=20

when I logon to the wifi, I get a right IP (from 192.168.182.0/24) from the
hotspot and I am redirected to hotspotlogin.cgi, where I put in the exact
same user and password as with the radtest, but login failed. 

 I get the following debug error from freeradius: 


rad_recv: Access-Request packet from host 192.168.1.1 port 32791, id=0,
length=220
User-Name = user
CHAP-Challenge = 0x6720898bb425aacf39f9c73c8fa166dc
CHAP-Password = 0x0020e82de25a959fe7a132d435066ceecf
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.2
Calling-Station-Id = 70-F3-95-AC-E5-70
Called-Station-Id = 98-FC-11-88-6B-94
NAS-Identifier = GEC_HotSpot
Acct-Session-Id = 4fd61385
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x33f2f225ef67e3c956754c385490fcc8
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
Mon Jun 11 15:49:49 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Jun 11 15:49:49 2012 : Info: +- entering group authorize {...}
Mon Jun 11 15:49:49 2012 : Info: ++[preprocess] returns ok
Mon Jun 11 15:49:49 2012 : Info: [chap] Setting 'Auth-Type := CHAP'
Mon Jun 11 15:49:49 2012 : Info: ++[chap] returns ok
Mon Jun 11 15:49:49 2012 : Info: ++[mschap] returns noop
Mon Jun 11 15:49:49 2012 : Info: [suffix] No '@' in User-Name = user, looking up realm NULL
Mon Jun 11 15:49:49 2012 : Info: [suffix] No such realm NULL
Mon Jun 11 15:49:49 2012 : Info: ++[suffix] returns noop
Mon Jun 11 15:49:49 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Jun 11 15:49:49 2012 : Info: ++[eap] returns noop
Mon Jun 11 15:49:49 2012 : Info: [sql]  expand: %{User-Name} -> user
Mon Jun 11 15:49:49 2012 : Info: [sql] sql_set_user escaped user --> 'user'
Mon Jun 11 15:49:49 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Mon Jun 11 15:49:49 2012 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'user'   ORDER BY id
Mon Jun 11 15:49:49 2012 : Info: [sql] User found in radcheck table
Mon Jun 11 15:49:49 2012 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'user'   ORDER BY id
Mon Jun 11 15:49:49 2012 : Info: [sql]  expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'user'   ORDER BY priority
Mon Jun 11 15:49:49 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
Mon Jun 11 15:49:49 2012 : Info: ++[sql] returns ok
Mon Jun 11 15:49:49 2012 : Info: ++[expiration] returns noop
Mon Jun 11 15:49:49 2012 : Info: ++[logintime] returns noop
Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Entering module authorize code
Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair
Mon Jun 11 15:49:49 2012 : Info: ++[noresetcounter] returns noop
Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Entering module authorize code
Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair
Mon Jun 11 15:49:49 2012 : Info: ++[dailycounter] returns noop
Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Entering module authorize code
Mon Jun 11 15:49:49 2012 : Debug: rlm_sqlcounter: Could not find Check item value pair
Mon Jun 11 15:49:49 2012 : Info: ++[monthlycounter] returns noop
Mon Jun 11 15:49:49 2012 : Info: Found Auth-Type = CHAP
Mon Jun 11 15:49:49 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Jun 11 15:49:49 2012 : Info: +- entering group CHAP {...}
Mon Jun 11 15:49:49 2012 : Info: [chap] login attempt by user with CHAP password
Mon Jun 11 15:49:49 2012 : Info: [chap] Using clear text password 123 for user user authentication.
Mon 

Re: Problem with CHAP Authentification

2012-06-11 Thread Alan DeKok
irosaurus wrote:
> Hello everybody,

  Please subscribe to the list.  You're posting from nabble.  I'm
inclined to ban nabble for a number of reasons.

>  I get the following debug error from freeradius:
>
> when I try it with a wrong password, I get this debug error:
>
> has anyone an idea how to disable chap authenitification or better to fix
> it?

  Either (a) you didn't include the error messages, or (b) nabble
stripped them.

  Please subscribe to the list.

> I would be really happy about every answer which directs me in a certain
> way, because the hotspot has to work this weekend and I am getting a little
> bit nervous ;)

  It's trivial to get CHAP working.  Set a password as per examples in
the FAQ.  CHAP will work.

  If CHAP doesn't work, then (a) you broke CHAP by editing the
configuration files, or (b) the password in your DB is incompatible with
CHAP.

  In case of (a), use the default configuration.  In case of (b), change
passwords to clear-text, or don't use CHAP.

  Alan DeKok.


AW: Problem with CHAP Authentification

2012-06-11 Thread irosAurus
Hello Alan,

Alan wrote:
>   Please subscribe to the list.  You're posting from nabble.  I'm inclined
> to ban nabble for a number of reasons.
>   Either (a) you didn't include the error messages, or (b) nabble stripped
> them.
>   Please subscribe to the list

Thanks for your fast reply! I am already subscribed. Saw that the code was
missing (must be nabble) so I sent another mail to the list with the
complete debuglog.

>   It's trivial to get CHAP working.  Set a password as per examples in the
> FAQ.  CHAP will work.
>   If CHAP doesn't work, then (a) you broke CHAP by editing the
> configuration files, or (b) the password in your DB is incompatible with
> CHAP.
>   In case of (a), use the default configuration.  In case of (b), change
> passwords to clear-text, or don't use CHAP.

First I tried without an SQL-DB and added a user to the users file. That
didn't work, so I just uncommented the user steve in the users file with
the Cleartype-Password. That did not work either. It works local through
radtest, but not for the interaction with the hotspot. So I added the
database, and put in a new user called user and password 123. I can,
again, do a local radtest, but it does not work with the hotspot
authentication.

Is there any way to disable CHAP and give it a try with another auth method?
I am not sure where to change this and I am a bit confused about the
different conf files and the sites-enabled/default file.

Cheers iro




Re: AW: Problem with CHAP Authentification

2012-06-11 Thread Alan DeKok
irosAurus wrote:
> I set up a testuser and if I try a local radcheck on the ubuntu machine,
> which hosts the freeradius, everything works out fine.
>
> maw@maweee:~$ radtest user 123 192.168.1.2 0 testsecret
> Sending Access-Request of id 2 to 192.168.1.2 port 1812
>   User-Name = user
>   User-Password = 123

  You do realize that's not doing CHAP, right?

  See "radtest -h" for instructions on how to do CHAP authentication
with radtest.

> when I logon to the wifi, I get a right IP (from 192.168.182.0/24) from the
> hotspot and I am redirected to hotspotlogin.cgi, where I put in the exact
> same user and password as with the radtest, but login failed.
...
> Mon Jun 11 15:49:49 2012 : Info: [chap] Using clear text password 123 for
> user user authentication.
> Mon Jun 11 15:49:49 2012 : Info: [chap] Password check failed

  The hotspot device is NOT calculating the correct CHAP-Password.  Go
fix it.

  When you have chap working with radtest, this will prove that the
problem is the hotspot.

  Alan DeKok.


Re: AW: Problem with CHAP Authentification

2012-06-11 Thread Alan DeKok
irosAurus wrote:
> Is there any way to disable CHAP and give it a try with another auth method?

  Configure the hotspot to use another authentication method.  The
server has NO CONTROL over this.

> I am not sure where to change this and I am a bit confused about the
> different conf files and the sites-enabled/default file.

  Ignore most of the configuration files.  Edit only what you need to
edit.  Read the comments in those files.

  Alan DeKok.


Re: AW: Problem with CHAP Authentification

2012-06-11 Thread Phil Mayers

On 11/06/12 15:39, irosAurus wrote:
> First I tried without an SQL-DB and added a user to the users file. That
> didn't work, so I just uncommented the user steve in the users file with
> the Cleartype-Password. That did not work either. It works local through
> radtest, but not for the interaction with the hotspot. So I added the
> database, and put in a new user called user and password 123. I can,
> again, do a local radtest, but it does not work with the hotspot
> authentication.

Logically, the hotspot is mangling the username or passwords.

> Is there any way to disable CHAP and give it a try with another auth method?
> I am not sure where to change this and I am a bit confused about the
> different conf files and the sites-enabled/default file.

The authentication method (CHAP, PAP, EAP) is decided by the NAS, i.e.
the hotspot. FreeRADIUS doesn't decide it, and can't change it.

If you want to disable CHAP, you need to do it on the NAS.


Re: Problem with CHAP Authentification

2012-06-11 Thread alan buxey
Hi,

> Is there any way to disable CHAP and give it a try with another auth method?
> I am not sure where to change this and I am a bit confused about the
> different conf files and the sites-enabled/default file.

NAS config - if it's sending CHAP then there's nothing you can do at the RADIUS
end to 'fix it up' - look at your hotspot config to see what you can change/adjust
at that end (and check your shared secret... as it's CHAP there isn't a nice
User-Password to give you a hint of an incorrect setting...)

alan


AW: Problem with CHAP Authentification

2012-06-11 Thread irosAurus
Hey all,

> NAS config - if its sending CHAP then theres nothing you can do at the
> RADIUS end to 'fix it up' - look at your hotspot config to see what you can
> change/adjust a that end (and check your shared secret...as its CHAP there
> isnt a nice User-Password to give you a hint of incorrect setting...)
> alan

Thanks again for all your replies! I have never seen a mailing-list that had
so many answers in such a short time :)

So the good news first, it works with CHAP, local and remote! It was
neither freeradius nor the AP^^ it was the chillispot cgi-script which is
responsible for the client login page. I thought that the cgi-bin folder
under /var/www/cgi-bin was used. Instead apache2 uses the /usr/lib/cgi-bin
folder for cgi scripts.

In the end it was the UAM-Secret in the hotspotlogin.cgi, which was not
changed. I edited the wrong file the whole time :/

Maybe someone reads this in the Nabble forum and finds this information helpful
- took me 4 days to figure that little issue ;)

Cheers!
iro



Re: Authentification failure error sql and Daloradius

2012-03-06 Thread Fajar A. Nugraha
On Tue, Mar 6, 2012 at 7:27 PM, Javier Ruiz Escalante
fruiz...@hotmail.com wrote:
> Hello,
>
> After installing Daloradius I get the following error, could somebody give
> me a clue of how to solve it? Before everything was working...

Did you read the daloradius documentation, just in case it had some warnings?
Did you ask on the daloradius list/forum?

> -> SELECT id, username, attribute, value, op   FROM
> radreply   WHERE username = 'mysqltest'   ORDER BY id
> rlm_sql_mysql: MYSQL check_error: 1146 received

Run that query manually on your sql server. It should tell you what's wrong.

-- 
Fajar


Authentification

2012-03-05 Thread Javier Ruiz Escalante

Good afternoon,

I'm new to Radius and I have no clue what happens; can anybody help me? From
the server on the command line it works fine, from the wireless client I get
this one.

Thanks

Regards


rad_recv: Access-Request packet from host 127.0.0.1 port 35226, id=0, length=200
User-Name = mysqltest
User-Password = O%:snv\nB\334Ξ\300H\035\235e
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.5
Calling-Station-Id = 68-A3-C4-37-A2-59
Called-Station-Id = 08-00-27-26-2C-CD
NAS-Identifier = nas01
Acct-Session-Id = 4f54a3d9
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x6fb3594ad7f0fad5aa33deab91da2216
WISPr-Logoff-URL = http://192.168.182.1:3990/logoff;
Mon Mar  5 12:36:33 2012 : Info: # Executing section authorize from file /etc/freeradius/radiusd.conf
Mon Mar  5 12:36:33 2012 : Info: +- entering group authorize {...}
Mon Mar  5 12:36:33 2012 : Info: ++[preprocess] returns ok
Mon Mar  5 12:36:33 2012 : Info: ++[chap] returns noop
Mon Mar  5 12:36:33 2012 : Info: ++[mschap] returns noop
Mon Mar  5 12:36:33 2012 : Info: [suffix] No '@' in User-Name = mysqltest, looking up realm NULL
Mon Mar  5 12:36:33 2012 : Info: [suffix] No such realm NULL
Mon Mar  5 12:36:33 2012 : Info: ++[suffix] returns noop
Mon Mar  5 12:36:33 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Mar  5 12:36:33 2012 : Info: ++[eap] returns noop
Mon Mar  5 12:36:33 2012 : Info: [sql]  expand: %{User-Name} -> mysqltest
Mon Mar  5 12:36:33 2012 : Info: [sql] sql_set_user escaped user --> 'mysqltest'
Mon Mar  5 12:36:33 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Mon Mar  5 12:36:33 2012 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radcheck   WHERE username = 'mysqltest'   ORDER BY id
Mon Mar  5 12:36:33 2012 : Info: [sql] User found in radcheck table
Mon Mar  5 12:36:33 2012 : Info: [sql]  expand: SELECT id, username, attribute, value, op   FROM radreply   WHERE username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, username, attribute, value, op   FROM radreply   WHERE username = 'mysqltest'   ORDER BY id
Mon Mar  5 12:36:33 2012 : Info: [sql]  expand: SELECT groupname   FROM radusergroup   WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> SELECT groupname   FROM radusergroup   WHERE username = 'mysqltest'   ORDER BY priority
Mon Mar  5 12:36:33 2012 : Debug: rlm_sql (sql): Released sql socket id: 0
Mon Mar  5 12:36:33 2012 : Info: ++[sql] returns ok
Mon Mar  5 12:36:33 2012 : Info: ++[pap] returns updated
Mon Mar  5 12:36:33 2012 : Info: Found Auth-Type = PAP
Mon Mar  5 12:36:33 2012 : Info: # Executing group from file /etc/freeradius/radiusd.conf
Mon Mar  5 12:36:33 2012 : Info: +- entering group PAP {...}
Mon Mar  5 12:36:33 2012 : Info: [pap] login attempt with password O%:snv 
B��?�H??e
Mon Mar  5 12:36:33 2012 : Info: [pap] Using clear text password testsecret
Mon Mar  5 12:36:33 2012 : Info: [pap] Passwords don't match
Mon Mar  5 12:36:33 2012 : Info: ++[pap] returns reject
Mon Mar  5 12:36:33 2012 : Info: Failed to authenticate the user.
Mon Mar  5 12:36:33 2012 : Debug:   WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Mon Mar  5 12:36:33 2012 : Info: Using Post-Auth-Type Reject
Mon Mar  5 12:36:33 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Mar  5 12:36:33 2012 : Info: +- entering group REJECT {...}
Mon Mar  5 12:36:33 2012 : Info: [attr_filter.access_reject]expand: %{User-Name} -> mysqltest
Mon Mar  5 12:36:33 2012 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Mon Mar  5 12:36:33 2012 : Info: ++[attr_filter.access_reject] returns updated
Mon Mar  5 12:36:33 2012 : Info: Delaying reject of request 14 for 1 seconds
Mon Mar  5 12:36:33 2012 : Debug: Going to the next request
Mon Mar  5 12:36:33 2012 : Debug: Waking up in 0.9 seconds.
Mon Mar  5 12:36:34 2012 : Info: Sending delayed reject for request 14
Sending Access-Reject of id 0 to 127.0.0.1 port 35226
Mon Mar  5 12:36:34 2012 : Debug: Waking up in 4.9 seconds.
Mon Mar  5 12:36:39 2012 : Info: Cleaning up request 14 ID 0 with timestamp +3498
Mon Mar  5 12:36:39 2012 : Info: Ready to process requests.

Javier Ruiz Escalante

Teléfono: 00 34 512 700 524

Skype: fruiz002
 



Re: Authentification

2012-03-05 Thread Phil Mayers

On 05/03/12 13:55, Javier Ruiz Escalante wrote:

Good afternoon,

I'm new in Radius and I have no clue what happens, can anybody help me?
from the server in the command line works fine, from the wireless client
get this one.




Mon Mar 5 12:36:33 2012 : Debug: WARNING: Unprintable characters in the
password. Double-check the shared secret on the server and the NAS!


This message should be clear, no?


Re: Authentification

2012-03-05 Thread Alan Buxey
Hi,

the output is quite clear about what is wrong:


 Mon Mar  5 12:36:33 2012 : Debug:   WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!

incorrect shared secret


alan

PS there is no such word as 'Authentification'


Re: Authentification

2012-03-05 Thread whopeman
Hi,
 NOTE the section here:

User-Name = mysqltest 
User-Password = O%:snv\nB\334Ξ\300H\035\235e

And here

 Mon Mar  5 12:36:33 2012 : Info: [pap] login attempt with password O%:snv
 B��?�H??e 
 Mon Mar  5 12:36:33 2012 : Info: [pap] Using clear text password
 testsecret 
 Mon Mar  5 12:36:33 2012 : Info: [pap] Passwords don't match 

The password that the client is sending and the one listed in the DB are
different.  You will need to fix the client password or update the DB.

--Ward




RE: Authentification

2012-03-05 Thread Javier Ruiz Escalante

Thank you very much, but the password is testsecret. I don't know why it 
shows this strange password, and I don't know if it is related to port 443, as 
on the server console it works perfectly with the password testsecret.

Thanks!!

Regards



Javier Ruiz Escalante

Teléfono: 00 34 512 700 524

Skype: fruiz002
 





RE: Authentification

2012-03-05 Thread Sallee, Stephen (Jake)
Can you paste the output of radiusd -X?  Please don't use -XX, we don't need 
timestamps.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



RE: Authentification

2012-03-05 Thread Brian Julin

The password and the secret are two different things.  When you set up 
FreeRadius you had to put a secret =  line in the client clause for your NAS. 
 You have to put that same secret in the NAS (don't ask us where, that depends 
on the NAS.)  In your case your NAS is your AP or your LWAP/CWAP controller.

The secret is used to encrypt sensitive fields in RADIUS packets.  If it does 
not match on both ends, those fields look scrambled on the receiving end.




Re: Authentification

2012-03-05 Thread Arran Cudbard-Bell

On 5 Mar 2012, at 16:03, Javier Ruiz Escalante wrote:

 Thank you very much, but the password is testsecret, I don't know why it 
 shows this strange password, I don't know if it is related to the port 443, 
 as in the server console is working perfectly with the password testsecret
 

Because the RADIUS server cannot correctly decrypt the password that was 
encrypted with the shared secret, it's showing the garbled, incorrectly decrypted 
version.

-Arran



Arran Cudbard-Bell
a.cudba...@networkradius.com

Technical consultant and solutions architect

15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50





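The mechanism Brian and Arran describe, as an added example that is not part of the thread or of FreeRADIUS: the NAS hides User-Password with the shared secret and the Request Authenticator (RFC 2865), the server reverses it, and a wrong secret yields exactly the kind of unprintable bytes the log warns about; the Message-Authenticator check (RFC 2869) is what lets a server reject such a packet outright instead of guessing. Attribute numbers are from the RFCs; the secrets, authenticator and attribute values are constructed for the demo.

```python
"""Added example, not code from the thread or from FreeRADIUS: how the shared
secret hides User-Password (RFC 2865, 5.2), why a mismatched secret turns up
as unprintable garbage on the server, and the Message-Authenticator check
(RFC 2869) that rejects such a packet outright. Sample values are constructed."""
import hashlib
import hmac
import os

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block); the first block chains off the
    16-byte Request Authenticator instead."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the keystream. A wrong secret gives a wrong
    keystream, so the output is random-looking bytes rather than an error."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """The heuristic behind the 'Unprintable characters in the password'
    warning in the log above: a PAP password should be printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


def build_access_request(ident: int, authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Encode a minimal Access-Request (code 1) and append Message-Authenticator:
    HMAC-MD5 keyed with the shared secret over the whole packet, computed with
    the attribute's own 16 value bytes set to zero."""
    body = bytearray()
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        body += bytes([attr_type, len(value) + 2]) + value
    body += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    length = 20 + len(body)
    packet = bytes([1, ident]) + length.to_bytes(2, "big") + authenticator + bytes(body)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: walk the attributes, recompute the HMAC with the value
    zeroed, compare in constant time. False if absent, malformed or wrong."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def demo(nas_secret: bytes, server_secret: bytes, authenticator=None):
    """Hide 'testsecret' with nas_secret, then process the packet with
    server_secret. Returns (recovered_password, unprintable, mac_ok)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # the NAS picks a fresh one per request
    hidden = hide_password(b"testsecret", nas_secret, authenticator)
    attrs = [(ATTR_USER_NAME, b"mysqltest"), (ATTR_USER_PASSWORD, hidden)]
    packet = build_access_request(0, authenticator, attrs, nas_secret)
    recovered = unhide_password(hidden, server_secret, authenticator)
    return recovered, has_unprintable(recovered), verify_message_authenticator(packet, server_secret)


if __name__ == "__main__":
    print(demo(b"testing123", b"testing123"))  # clean 'testsecret', MAC ok
    print(demo(b"testing123", b"testing124"))  # garbage password, MAC fails
```

With matching secrets the password comes back clean and the Message-Authenticator verifies; with a mismatch the HMAC fails before any password is looked at, which is the check a server can alert on rather than the "unprintable characters" heuristic.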


RE: Authentification

2012-03-05 Thread Javier Ruiz Escalante

But where is the shared secret? I have written the same secret everywhere...



Javier Ruiz Escalante

Teléfono: 00 34 512 700 524

Skype: fruiz002
 





Re: Authentification

2012-03-05 Thread Alan Buxey
Hi,
But where is the shared secret? I have written the same secret
everywhere...

on the FreeRADIUS server it's in clients.conf  (or, if you have configured
SQL to have NAS tables then in the nas table)

on your AP it's in the configuration section.  note that 'clients' as you know
them (laptops, tablets etc) don't know a single thing about RADIUS secrets...in the
world of RADIUS, clients are the devices that talk directly to the RADIUS server
- also known as NAS (network authentication server) - this will be your MikroTik
device etc

alan


Re: Authentification

2012-03-05 Thread Marinko Tarlac
Huh... It seems you're firing with closed eyes and you're expecting to 
hit something...

Check these five blog posts and you'll see that RADIUS is not a black box 
when you want to read something...


http://www.serveradminblog.com/category/freeradius/



Re: distributed authentification scheme advice needed

2011-09-28 Thread Zeus V Panchenko
thanks for the quick reply

Arran Cudbard-Bell (a.cudba...@freeradius.org) [11.09.28 08:28] wrote:
 
 Yes, home server pools let you specify a 'fallback' home server
 which can point to a virtual server. It should be working in v2.1.x
 but is currently broken in 3.x.
 
 See proxy.conf for details.
 

if I have core.radius.my.domain as my primary radius server and
fallback.radius.my.domain as the radius installed on the AP

then I need in proxy.conf

home_server_pool my_auth_failover {
 type = fail-over
 home_server = core.radius.my.domain
 fallback = fallback.radius.my.domain
}

but then, I need to configure EAP/TLS on fallback.radius.my.domain
identical to the core.radius.my.domain one, correct? 

since without the same server certificates my clients will not be able
to authenticate with fallback.radius.my.domain

am I correct?

-- 
Zeus V. Panchenko
JID:z...@gnu.org.ua GMT+2 (EET)


Re: distributed authentification scheme advice needed

2011-09-28 Thread Arran Cudbard-Bell

On 28 Sep 2011, at 12:11, Zeus V Panchenko wrote:

 thanks for quick reply
 
 Arran Cudbard-Bell (a.cudba...@freeradius.org) [11.09.28 08:28] wrote:
 
 Yes, home server pools let you specify a 'fallback' home server
 which can point to a virtual server. It should be working in v2.1.x
 but is currently broken in 3.x.
 
 See proxy.conf for details.
 
 
 if i have core.radius.my.domain as my primary radius server and
 fallback.radius.my.domain as radius installed on AP
 
 than i need in proxy.conf
 
 home_server_pool my_auth_failover {
type = fail-over
home_server = core.radius.my.domain
fallback = fallback.radius.my.domain
 }
 
 but than, I need configure EAP/TLS on fallback.radius.my.domain
 identical to core.radius.my.domain one, correct? 
 

Correct.

 since without the same server certificates my clients will not be able
 authenticate with fallback.radius.my.domain
 
 am I correct?

Partially. If you're using your own CA, then you could just sign multiple sets 
of server certificates and trust your CA on the clients. That's one of the neat 
things about the PKI model.

If you're using a commercial CA, then the cost of all those certificates might 
be prohibitive, and you should be using CN field checking, so yes you'd 
probably want to use the same certificates on all servers, even though it 
increases the risk of private key exposure.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




Re: distributed authentification scheme advice needed

2011-09-28 Thread Alan DeKok
Zeus V Panchenko wrote:
 but than, I need configure EAP/TLS on fallback.radius.my.domain
 identical to core.radius.my.domain one, correct? 

  Yes.  Just copy the config & the files.

 since without the same server certificates my clients will not be able
 authenticate with fallback.radius.my.domain
 
 am I correct?

  Yes.

  Alan DeKok.


distributed authentification scheme advice needed

2011-09-27 Thread Zeus V Panchenko
Hi,

*please*, I need advice in choosing the strategy for the distributed EAP
authentification scheme

so, here are details of what I have and want:

I run FreeRadius with EAP configured 

all my WiFi AP are configured to communicate with the radiusd and
everything works fine

now I need to extend my VPN with several remote branches where inet
connection is not stable, but I need to provide WiFi access there too
even in case when inet connection is off ...


so, is it possible to use local (for each branch) radiusd to allow
access, *but* :

1. if inet is alive, then authenticate via the central radius
2. if inet connection is not established, authenticate via local mechanism
   (preferably EAP)

-- 
Zeus V. Panchenko
JID:z...@gnu.org.ua GMT+2 (EET)


Re: distributed authentification scheme advice needed

2011-09-27 Thread Arran Cudbard-Bell

On 28 Sep 2011, at 07:12, Zeus V Panchenko wrote:

 Hi,
 
 *please*, I need advice in choosing the strategy for the distributed EAP
 authentification scheme
 
 so, here are details of what I have and want:
 
 I run FreeRadius with EAP configured 
 
 all my WiFi AP are configured to communicate with the radiusd and
 everything works fine
 
 now I need to extend my VPN with several remote branches where inet
 connection is not stable, but I need to provide WiFi access there too
 even in case when inet connection is off ...
 
 
 so, is it possible to use local (for each branch) radiusd to allow
 access, *but* :
 
 1. if inet is alive, than authenticate via the central radius
 2. if inet connection is not established, authenticate via local mechanism
   (preferably EAP)
 

Yes, home server pools let you specify a 'fallback' home server which can point 
to a virtual server. It should be working in v2.1.x but is currently broken in 
3.x.

See proxy.conf for details.

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




freeradius authentification ldap and windows 7 (PEAP mschapv2)

2011-05-03 Thread rene.go...@laposte.net



Re: first authentification fail second one works

2011-01-07 Thread Alan DeKok
Markus Burghart wrote:
 But I want to perform my authentifications while the system is currently
 booting because I use an LDAP directory server and I can't log in against
 the LDAP server if I haven't got a running network connection (I will
 get the connection if the 802.1X authentification is successful).
 So I use wpa_supplicant on Linux and w2secure on Windows to perform the
 authentification while my system boots.

  That should work.

 But the debug mode tells me, at the first authentification test, that
 I'm running into an Access-Challenge (no reasons were given). Now, if I
 wait one minute and do nothing while waiting, I get an
 Access-Accept packet.

  All EAP / 802.1X is driven by the client PC.  If it stops at
Access-Challenge, it's because the client PC stops.

 Can you tell me why this happens and what I can do so that the
 authentification works on the first run while the system is still
 booting, and so I could log in to my operating system.

  Fix the client PC to keep going.

  Alan DeKok.


Re: first authentification fail second one works

2011-01-07 Thread Markus Burghart


Thank you Alan for your statements.
The problem is that this happens on Linux and Windows clients, and 
I don't know why and I don't know how to fix it.
The curious thing about that phenomenon is that the second try works 
fine, and so I thought I could be sure that everything on the client is 
all right. Otherwise the second authentification would not work 
either. Or is this wrong?


Markus


first authentification fail second one works

2011-01-06 Thread Markus Burghart

 Hello Guys,
I'm writing from Germany.
I am writing my Bachelor thesis about the FreeRADIUS project. I have a 
problem and I can't find a solution for it on the internet by myself.

I'm using version 2.1.9 of FreeRADIUS and everything works fine with the 
authentifications against my FreeRADIUS server if I'm logged in at the 
system (Mac OS X, Linux and Windows).

But I want to perform my authentifications while the system is currently 
booting, because I use an LDAP directory server and I can't log in against 
the LDAP server if I haven't got a running network connection (I will 
get the connection if the 802.1X authentification is successful).
So I use wpa_supplicant on Linux and w2secure on Windows to perform the 
authentification while my system boots.
But the debug mode tells me, at the first authentification test, that 
I'm running into an Access-Challenge (no reasons were given). Now, if I 
wait one minute and do nothing while waiting, I get an 
Access-Accept packet.

Can you tell me why this happens and what I can do so that the 
authentification works on the first run while the system is still 
booting, and so I could log in to my operating system?

I'm looking forward to hearing from you.
Yours, Markus rslautern 3724


Re: Failed (re-)authentification after some time...

2010-09-02 Thread Jan Zacharias

Hey Alan! 


Alan DeKok al...@deployingradius.com wrote on 1 September 2010 at 15:46:

 Jan Zacharias wrote:
  To speed up the debugging, I introduced a sleep of varying duration in
  the ntlm_auth_wrapper.
 
  I found that freeradius kills the ntlm stuff if it takes longer than ten
  seconds to complete.

   Yes.  Any child script which takes that long is broken.
No, it can also be just someone pulling a network cord/routing changes etc.etc.

 


  My suggestion is that we introduce a configuration variable
  ntlm_auth_retries so that freerad kills the process,

   No.  You can write a shell script wrapper around ntlm_auth that does:

 - fork ntlm_auth
 - wait 1s for it to return
   - if it doesn't return, kill it
   - try to fork it again
Yeah sure, this was also my first idea, but I'm still limited to ten seconds
then :(

 

   What do you think, Alan? Anyone else?

   This isn't a server problem, and changing the server isn't necessary.
Sure it's not a problem, but it would improve reliability and robustness.

 

This is not about finger pointing or so, I just want to help make freerad even
better :)

 
Best, Jan

Re: Failed (re-)authentification after some time...

2010-09-02 Thread Alan DeKok
Jan Zacharias wrote:
 Alan DeKok al...@deployingradius.com wrote on 1 September 2010 at 15:46:
   Yes.  Any child script which takes that long is broken.
 
 No, it can also be just someone pulling a network cord/routing changes
 etc.etc.

  Let me be clear: RADIUS clients and servers expect responses within a
short time frame, usually milliseconds.  Asking clients to wait many
seconds for a slow script on the server is *impossible*.  Many clients
will give up, and reject the user.

  i.e. the RADIUS client doesn't care *why* the script is taking too
long.  All it knows is that the user can't log in.

  Please explain to your users

 - fork ntlm_auth
 - wait 1s for it to return
   - if it doesn't return, kill it
   - try to fork it again
 
 Yeah sure, this was also my first idea, but i'm still limited to ten
 seconds then :(

  So... set the don't wait flag on the executed program.  See the
documentation for the exec module, or the Exec-Program attribute.

   This isn't a server problem, and changing the server isn't necessary.
 
 Sure it's not a problem, but it would improve reliability and robustness.

  No, it would not improve reliability and robustness.  Adding more

 This is not about finger pointing or so, I just want to help make
 freerad even better :)

  Yes... but we try not to re-invent the wheel.  If you can add a
feature by writing a few lines of a shell script, there is little reason
to update the server source with that feature.

  Alan DeKok.



Re: Failed (re-)authentification after some time...

2010-09-01 Thread Jan Zacharias
 

Alan DeKok al...@deployingradius.com wrote on 31 August 2010 at 13:18:

 Jan Zacharias wrote:
  Call me dumb, but I have no idea what to look for.

   Neither do I.  It's your system...

  One idea: is ntlm_auth referred to as child? Maybe I should
  write a wrapper and see how long execution of this helper program
  takes,

   Possibly, yes.
│ ├─┬◆ 65437 root sshd: r...@pts/4 (sshd)
│ │ └─┬◆ 65440 root -bash (bash)
│ │   └─┬◆ 76322 freeradius radiusd -s -X -xx -f
│ │ └─┬─ 76421 freeradius /bin/sh /usr/local/bin/ntlm_auth_wrapper
--request-nt-key --domain=DFKI --username=jan --challenge=xxx --nt-response=xxx

 

So, yes :)

The wrapper logged PID and time (real, sys, user) of ntlm_auth.

To speed up the debugging, I introduced a sleep of varying duration in the
ntlm_auth_wrapper.

I found that freeradius kills the ntlm stuff if it takes longer than ten seconds
to complete.

My suggestion is that we introduce a configuration variable ntlm_auth_retries so
that freerad kills the process, but then tries again until the retry-count is
reached. This would greatly improve reliability in stress/high load/failover
scenarios :)

What do you think, Alan? Anyone else?

Best, Jan

    Alan DeKok.

Re: Failed (re-)authentification after some time...

2010-09-01 Thread Alan DeKok
Jan Zacharias wrote:
 To speed up the debugging, I introduced a sleep of varying duration in
 the ntlm_auth_wrapper.
 
 I found that freeradius kills the ntlm stuff if it takes longer than ten
 seconds to complete.

  Yes.  Any child script which takes that long is broken.

 My suggestion is that we introduce a configuration variable
 ntlm_auth_retries so that freerad kills the process,

  No.  You can write a shell script wrapper around ntlm_auth that does:

- fork ntlm_auth
- wait 1s for it to return
  - if it doesn't return, kill it
  - try to fork it again

 What do you think, Alan? Anyone else?

  This isn't a server problem, and changing the server isn't necessary.

  Alan DeKok.
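Alan's fork / wait 1s / kill / retry wrapper (suggested here and repeated in his later reply), as an added example written in Python rather than the shell script he had in mind; it is not Alan's script and not FreeRADIUS code. The ntlm_auth command line and the argument pass-through are assumptions, and the total budget of attempts times timeout has to stay under the server's own ten-second child limit that Jan ran into, which is why the defaults are small.

```python
"""Added example, not Alan's shell script and not FreeRADIUS code: the
fork / wait / kill / retry wrapper from the thread, written in Python so the
timeout and retry bookkeeping is explicit. The ntlm_auth command line is an
assumption; the commands used in the test are constructed."""
import subprocess
import sys


def run_with_retry(cmd, timeout_s=1.0, attempts=3):
    """Run cmd, kill it if it runs longer than timeout_s, and retry up to
    attempts times. Returns (exit_code, stdout, tries); exit_code is None
    when every attempt timed out. Worst-case wall time is attempts * timeout_s,
    which must stay below the server's own child timeout (the ten seconds Jan
    hit), otherwise the server kills the wrapper itself."""
    tries = 0
    for _ in range(attempts):
        tries += 1
        try:
            # subprocess.run kills and reaps the child before raising TimeoutExpired
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout_s)
        except subprocess.TimeoutExpired:
            continue  # backend hung or a route flapped: try once more
        except OSError:
            return 127, b"", tries  # binary missing or not executable: retrying cannot help
        return proc.returncode, proc.stdout, tries
    return None, b"", tries


def main(argv):
    """Forward rlm_mschap's arguments (--request-nt-key, --domain=..., --username=...,
    --challenge=..., --nt-response=...) unchanged and pass ntlm_auth's stdout
    back, because the server reads the NT_KEY line from it."""
    code, out, tries = run_with_retry(["ntlm_auth", *argv], timeout_s=1.0, attempts=3)
    sys.stdout.buffer.write(out)
    if code is None:
        print(f"ntlm_auth timed out {tries} times", file=sys.stderr)
        return 1
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```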


Re: Failed (re-)authentification after some time...

2010-08-31 Thread Jan Zacharias

Hey Alan, you suggested:

 Fix is so that nothing is blocking the server.

Call me dumb, but I have no idea what to look for.

One idea: is ntlm_auth referred to as child? Maybe I should
write a wrapper and see how long execution of this helper program
takes, or can I somehow log what program had which PID?

Best, Jan

Alan DeKok al...@deployingradius.com wrote on 30 August 2010 at 22:22:

 Jan Zacharias wrote:
  I did more tests (now with two winXP clients and one OSX client),
 
  the problem is still unsolved:

   shrug  The solution is still the same.

  The strange thing: freeradius is started with the no children option:
  
  freeradius 60384  0.0  0.4 11560  9240   4  S    11:57AM   0:49.13
  /usr/local/sbin/radiusd -s

   Well... something is inconsistent.  The error messages you posted are
 produced *only* when the server has child threads.

  So why does it complain about children that take too long?!

   For the same reason as before.

   Alan DeKok.

Re: Failed (re-)authentification after some time...

2010-08-31 Thread Alan DeKok
Jan Zacharias wrote:
 Call me dumb, but I have no idea what to look for.

  Neither do I.  It's your system...

 One idea: is ntlm_auth referred to as a child? Maybe I should
 write a wrapper and see how long execution of this helper program
 takes,

  Possibly, yes.

  Alan DeKok.


Re: Failed (re-)authentification after some time...

2010-08-30 Thread Jan Zacharias

Hi Alan,

I did more tests (now with two winXP clients and one OSX client), the problem is
still unsolved:


Wed Aug 18 18:03:21 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 0 via TLS tunnel)
Wed Aug 18 18:03:21 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 50043 cli 00-08-74-46-34-F7)
Wed Aug 18 18:03:24 2010 : Auth: Login OK: [jan/via Auth-Type = mschap] (from
client swba1-00-test port 0 via TLS tunnel)
Wed Aug 18 18:03:24 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 50039 cli 00-16-CB-AA-0F-CB)
Wed Aug 18 18:03:27 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 0 via TLS tunnel)
Wed Aug 18 18:03:27 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 50041 cli 00-1E-37-90-89-D2)
Wed Aug 18 18:03:45 2010 : Error: Child PID 72473 is taking too much time:
forcing failure and killing child.
Wed Aug 18 18:03:45 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 0 via TLS tunnel)
Wed Aug 18 18:03:45 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 50043 cli 00-08-74-46-34-F7)
Wed Aug 18 18:03:55 2010 : Error: Child PID 72474 is taking too much time:
forcing failure and killing child.
Wed Aug 18 18:03:55 2010 : Auth: Login incorrect: [jan/via Auth-Type = mschap]
(from client swba1-00-test port 0 via TLS tunnel)
Wed Aug 18 18:03:55 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 50039 cli 00-16-CB-AA-0F-CB)
Wed Aug 18 18:03:55 2010 : Error: rlm_eap: No EAP session matching the State
variable.
Wed Aug 18 18:03:55 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 50043 cli 00-08-74-46-34-F7)
Wed Aug 18 18:04:05 2010 : Error: Child PID 72475 is taking too much time:
forcing failure and killing child.
Wed Aug 18 18:04:05 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 0 via TLS tunnel)
Wed Aug 18 18:04:05 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 50041 cli 00-1E-37-90-89-D2)



 

The strange thing: freeradius is started with the no children option:

freeradius 60384  0.0  0.4 11560  9240   4  S    11:57AM   0:49.13
/usr/local/sbin/radiusd -s

So why does it complain about children that take too long?! Btw: the server has
a load of 0.00 and network IO is only to the ADS server. If I block traffic to
it, freerad does not complain about children that take too long, so the problem
hides elsewhere, I guess.

Thanks for your help!

Best, Jan


Alan DeKok al...@deployingradius.com wrote on 17 August 2010 at 09:47:

 Jan Zacharias wrote:
  Sun Aug 15 10:01:39 2010 : Error: Discarding duplicate request from
  client swba1-00-test port 1645 - ID: 157 due to unfinished request 125603

   As always, something is blocking the server.

  The entry Sun Aug 15 10:01:39 2010 is interesting as no client was
  connected to port 1645 at that time

   shrug  The server doesn't invent packets.  *Something* sent it a packet.

  My question: can I somehow extend the timeout or do anything else to
  prevent this from happening?

   Fix is so that nothing is blocking the server.

   Alan DeKok.

Re: Failed (re-)authentification after some time...

2010-08-30 Thread Alan DeKok
Jan Zacharias wrote:
 I did more tests (now with two winXP clients and one OSX client),
 
 the problem is still unsolved:

  shrug  The solution is still the same.

 The strange thing: freeradius is started with the no children option:
  
 freeradius 60384  0.0  0.4 11560  9240   4  S11:57AM   0:49.13
 /usr/local/sbin/radiusd -s

  Well... something is inconsistent.  The error messages you posted are
produced *only* when the server has child threads.

 So why does it complain about children that take too long?!

  For the same reason as before.

  Alan DeKok.


Re: Failed (re-)authentification after some time...

2010-08-17 Thread Alan DeKok
Jan Zacharias wrote:
 Sun Aug 15 10:01:39 2010 : Error: Discarding duplicate request from
 client swba1-00-test port 1645 - ID: 157 due to unfinished request 125603

  As always, something is blocking the server.

 The entry Sun Aug 15 10:01:39 2010 is interesting as no client was
 connected to port 1645 at that time

  shrug  The server doesn't invent packets.  *Something* sent it a packet.

 My question: can I somehow extend the timeout or do anything else to
 prevent this from happening?

  Fix is so that nothing is blocking the server.

  Alan DeKok.


Failed (re-)authentification after some time...

2010-08-16 Thread Jan Zacharias

Something strange is going on: we do re-authentication every ten seconds with
one WinXP SP3 client hooked up to a Cisco 3560G switch. The reauth interval is
small to stress-test the setup.

It works without problems for 1-2 days, then we get:


Sun Aug 15 10:00:51 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 0 via TLS tunnel)
Sun Aug 15 10:00:51 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 50043 cli 00-08-74-46-34-F7)
Sun Aug 15 10:01:05 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 0 via TLS tunnel)
Sun Aug 15 10:01:05 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 50043 cli 00-08-74-46-34-F7)
Sun Aug 15 10:01:20 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 0 via TLS tunnel)
Sun Aug 15 10:01:20 2010 : Auth: Login OK: [jan/via Auth-Type = EAP] (from
client swba1-00-test port 50043 cli 00-08-74-46-34-F7)
Sun Aug 15 10:01:39 2010 : Error: Discarding duplicate request from client
swba1-00-test port 1645 - ID: 157 due to unfinished request 125603
Sun Aug 15 10:01:44 2010 : Error: Child PID 30686 is taking too much time:
forcing failure and killing child.
Sun Aug 15 10:01:44 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 0 via TLS tunnel)
Sun Aug 15 10:01:44 2010 : Auth: Login incorrect: [jan/via Auth-Type = EAP]
(from client swba1-00-test port 50043 cli 00-08-74-46-34-F7)

 

The last two entries are due to the crappy Windows client. If auth fails once,
it thinks that the saved auth info is wrong and deletes it, querying the user to
enter the mschap (PEAP) login/pw again.

The entry Sun Aug 15 10:01:39 2010 is interesting as no client was connected to
port 1645 at that time and the two days before; however, it seems as if this
triggers the timeout initially.

My question: can I somehow extend the timeout or do anything else to prevent
this from happening?

Re: authentification

2010-05-20 Thread Johan Meiring

On 2010/05/18 10:47 PM, dorra aa wrote:

Is there somebody who wants to tell me what the utility of it is?


From: dj_dido2...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: authentification
Date: Tue, 18 May 2010 19:40:28 +

Hi freeradius,
I want to ask how to use MAC Address Authentication in my freeradius.
Besides, I added a MAC address with daloradius. How can I test the
success of that?
Thank you



Have a look here.
http://catb.org/~esr/faqs/smart-questions.html

Also here.
http://catb.org/~esr/faqs/smart-questions.html#homework



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: authentification

2010-05-19 Thread David Seira
Hi.

With MAC Address Authentication you can use freeradius to authenticate all
the network elements (like camcorders, routers, switches...), so that if
these elements don't authenticate, they do not work in the network.

Another application is to validate users in a captive portal without user
interaction.

Regards,
David

P.S.: Sorry for my poor English

2010/5/18 dorra aa dj_dido2...@hotmail.com

  Is there somebody who wants to tell me what the utility of it is?

 --
 From: dj_dido2...@hotmail.com
 To: freeradius-users@lists.freeradius.org
 Subject: authentification
 Date: Tue, 18 May 2010 19:40:28 +


 Hi freeradius,
 I want to ask how to use MAC Address Authentication in my freeradius.
 Besides, I added a MAC address with daloradius. How can I test the
 success of that?
 Thank you


RE: authentification

2010-05-19 Thread dorra aa

Thank you for the explanation

Date: Wed, 19 May 2010 08:41:05 +0200
Subject: Re: authentification
From: davidse...@gmail.com
To: freeradius-users@lists.freeradius.org

Hi.

With MAC Address Authentication you can use freeradius to authenticate all the
network elements (like camcorders, routers, switches...), so that if these
elements don't authenticate, they do not work in the network.


Another application is to validate users in a captive portal without user
interaction.

Regards,
David

P.S.: Sorry for my poor English

2010/5/18 dorra aa dj_dido2...@hotmail.com






Is there somebody who wants to tell me what the utility of it is?

From: dj_dido2...@hotmail.com
To: freeradius-users@lists.freeradius.org

Subject: authentification
Date: Tue, 18 May 2010 19:40:28 +








Hi freeradius, I want to ask how to use MAC Address Authentication in my
freeradius. Besides, I added a MAC address with daloradius. How can I test
the success of that?
Thank you

authentification

2010-05-18 Thread dorra aa

Hi freeradius, I want to ask how to use MAC Address Authentication in my
freeradius. Besides, I added a MAC address with daloradius. How can I test
the success of that? Thank you

RE: authentification

2010-05-18 Thread dorra aa

Is there somebody who wants to tell me what the utility of it is?

From: dj_dido2...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: authentification
Date: Tue, 18 May 2010 19:40:28 +








Hi freeradius, I want to ask how to use MAC Address Authentication in my
freeradius. Besides, I added a MAC address with daloradius. How can I test
the success of that? Thank you

Re: Authentification using MS-CHAP with Active Directory

2010-01-13 Thread Alan DeKok
Noro Hasina wrote:
 Hi everybody,
 My project has changed, and I should use Active Directory instead of
 MySQL for authentication because we use AD for users' domain administration.
 My server can join the domain but my problem is that ms-chap doesn't do
 anything during radtest.

  Because you're not sending it a packet containing MS-CHAP.

  See
http://deployingradius.com/documents/configuration/active_directory.html

  Alan DeKok.


Re: Authentification using MS-CHAP with Active Directory

2010-01-13 Thread Noro Hasina
Hi!
Thank you for your answer, Alan.
I've already read this tutorial and I followed it, but I don't understand what
you mean by sending a packet.
What request should I do? I did
$ radtest testrad testrad localhost 0 radsecret
where testrad is a user in the Active Directory.

Authentification using MS-CHAP with Active Directory

2010-01-12 Thread Noro Hasina
Hi everybody,
My project has changed, and I should use Active Directory instead of MySQL
for authentication because we use AD for users' domain administration.
My server can join the domain but my problem is that ms-chap doesn't do
anything during radtest. Here is the result.

when i run radiusd -X  the module  is linked

*module mschap*
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-CELTELMG}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
  }

After "Ready to process requests", I run
# radtest testuser testuser localhost 0 pass
and here mschap isn't used:
rad_recv: Access-Request packet from host 127.0.0.1 port 45703, id=64,
length=60
User-Name = testuser
User-Password = testuser
NAS-IP-Address = 
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop

Could anyone help me, please!

Re: mac-based authentification fail

2009-04-28 Thread Ivan Kalik
 After one week of searching the web for a solution, I come to this mailing list.

That's a week wasted. Freeradius is under active development and
information on the Internet is in most cases out of date. Like the
instructions you followed. If only you had followed the examples in the users file ...

 I
 have to set up a MAC-based authentication system (pretty simple) with HP
 ProCurve switches. I have seen lots of tutorials, bought a book, downloaded more,
 but
 it still doesn't work (access-request denied).


Because Auth-Type Local is breaking chap. Remove that. And change password
attribute and operator to Cleartext-Password := like in all the examples
in users file.

Ivan Kalik
Kalik Informatika ISP



mac-based authentification fail

2009-04-28 Thread sserre
Hello gentlemen,

After one week of searching the web for a solution, I come to this mailing
list. I have to set up a MAC-based authentication system (pretty simple) with
HP ProCurve switches. I have seen lots of tutorials, bought a book, downloaded
more, but it still doesn't work (access-request denied).

I hope somebody can look at my basic problem for a few minutes.

The user is recognized (found at line X), but freeradius doesn't know how to
interpret the password (I think).
I have seen that the CHAP-Password attribute sent by the client (HP ProCurve
2800) is not the same each time. Is it normal? (I don't think so.) The switch
looks like it is well configured (running-config in attachment).

In the attachments, you will find the initialisation of freeradius
(radius_init), an access-request from the client (acces-request), the entry of
my test user (users), and the running config of the HP ProCurve.

I hope somebody knows this problem.

Kind regards
Sébastien Serre


-- 
Service informatique
IBGC CNRS
1 rue Camille Saint Saens
33077 BORDEAUX CEDEX

Tel. +33 (0)5 56 99 90 04
Fax. +33 (0)5 56 99 90 59

http://www.ibgc.cnrs.fr
 
000b5d29434f    Auth-Type := Local, User-Password == 000b5d29434f
                Tunnel-type = VLAN,
                Tunnel-Medium-Type = 802,
                Tunnel-Private-Group-ID = 1
 FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 2008 at 
23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
user = freerad
group = freerad
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
nastype = other
 }
 client 172.18.100.54 {
require_message_authenticator = no
secret = bidibule
shortname = HP1
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating 

Re: mac-based authentification fail

2009-04-28 Thread sserre
On Tuesday 28 April 2009 11:42:27, Ivan Kalik, you wrote:
 adius is under active development and
 information on the Internet i

You're right. It works! I'm so ... disappointed. 

Thanks a lot, Kalik.
-- 
Service informatique
IBGC CNRS
1 rue Camille Saint Saens
33077 BORDEAUX CEDEX

Tel. +33 (0)5 56 99 90 04
Fax. +33 (0)5 56 99 90 59

http://www.ibgc.cnrs.fr



Re: mac-based authentification fail

2009-04-28 Thread Arran Cudbard-Bell

On 28/4/09 12:30, sserre wrote:

On Tuesday 28 April 2009 11:42:27, Ivan Kalik, you wrote:

adius is under active development and
information on the Internet i


You're right. It works! I'm so ... disappointed.

Thanks a lot, Kalik.


Loads of people seem to be asking for this, so I've hashed out a quick 
example in the wiki for FR v2.


http://wiki.freeradius.org/Mac-Auth

Thanks,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

MAC authentification

2008-10-22 Thread Frederik.Niedernolte
I want to use freeRADIUS for a global MAC authentication but I cannot
find any tutorials for that.

What must I do to realize it?
Thanks in advance.

Best regards,


F. Niedernolte


Re: MAC authentification

2008-10-22 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I want to use freeRADIUS for a global MAC authentication but I cannot
 find any tutorials for that.

  You just need to authenticate based on the User-Name and/or the
password.  There's nothing magic about MAC authentication.  You're just
calling the User-Name a MAC rather than a name of a real person.

  Alan DeKok.


AW: MAC authentification

2008-10-22 Thread Frederik.Niedernolte
So a simple entry like

User42 MAC := 02:01:02:03:04:05

in the users file would be enough!?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, 22 October 2008 10:22
To: FreeRadius users mailing list
Subject: Re: MAC authentification

[EMAIL PROTECTED] wrote:
 I want to use freeRADIUS for a global MAC authentication but I cannot
 find any tutorials for that.

  You just need to authenticate based on the User-Name and/or the
password.  There's nothing magic about MAC authentication.  You're just
calling the User-Name a MAC rather than a name of a real person.

  Alan DeKok.


Re: AW: MAC authentification

2008-10-22 Thread Michael Schwartzkopff
On Wednesday, 22 October 2008 10:41, 
[EMAIL PROTECTED] wrote:
 So a simple entry like

 User42 MAC := 02:01:02:03:04:05

 in the users file would be enough!?

It depends on the format in which your NAS sends the MAC address. Sometimes FR
gets something like 00-01-02-03-04-05.

Please run FR with option -X to see what your NAS (switch) sends.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: [EMAIL PROTECTED]
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: AW: MAC authentification

2008-10-22 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 So a simple entry like
 
 User42 MAC := 02:01:02:03:04:05
 
 in the users file would be enough!?

  No.  I mentioned the User-Name attribute, not the MAC attribute.

  Do you see the MAC attribute in the RADIUS packet?  Does reading the
man page for the users file lead you to believe that an entry like
above will do *anything*?

  What I said was this:  MAC authentication is nearly always just
normal username/password authentication.  If you can configure
username/password authentication, you can configure MAC authentication.
 Just give the users names that match the MAC addresses in the
Access-Request, and be sure that the passwords match the User-Password
field in the Access-Request.

  It would help to *look* at an Access-Request for MAC authentication,
and forget that it's something magic called MAC authentication.
Instead, figure out how you would get this user authenticated in normal
user authentication.

  Alan DeKok.


AW: AW: MAC authentification

2008-10-22 Thread Frederik.Niedernolte
OK, but the initial idea behind this is correct (without the MAC address 
syntax), isn't it?

F. Niedernolte


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael 
Schwartzkopff
Sent: Wednesday, 22 October 2008 10:54
To: FreeRadius users mailing list
Subject: Re: AW: MAC authentification

On Wednesday, 22 October 2008 10:41, 
[EMAIL PROTECTED] wrote:
 So a simple entry like

 User42 MAC := 02:01:02:03:04:05

 in the users file would be enough!?

It depends on the format in which your NAS sends the MAC address. Sometimes FR
gets something like 00-01-02-03-04-05.

Please run FR with option -X to see what your NAS (switch) sends.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: [EMAIL PROTECTED]
web: www.multinet.de

Registered office: 85630 Grasbrunn
Commercial register: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



AW: AW: MAC authentification

2008-10-22 Thread Frederik.Niedernolte
Isn't it possible without a password?
In the current situation I only add a MAC address to an access point and the 
client can connect to it.
Because of the many access points, this task should be done by the RADIUS server
for all access points.
So every access point should forward the authentication request from the 
client to the RADIUS server.
This server should check if the client's MAC address is allowed and then send 
back the result to the access point.

F. Niedernolte


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, 22 October 2008 10:56
To: FreeRadius users mailing list
Subject: Re: AW: MAC authentification

[EMAIL PROTECTED] wrote:
 So a simple entry like
 
 User42 MAC := 02:01:02:03:04:05
 
 in the users file would be enough!?

  No.  I mentioned the User-Name attribute, not the MAC attribute.

  Do you see the MAC attribute in the RADIUS packet?  Does reading the
man page for the users file lead you to believe that an entry like
above will do *anything*?

  What I said was this:  MAC authentication is nearly always just
normal username/password authentication.  If you can configure
username/password authentication, you can configure MAC authentication.
 Just give the users names that match the MAC addresses in the
Access-Request, and be sure that the passwords match the User-Password
field in the Access-Request.

  It would help to *look* at an Access-Request for MAC authentication,
and forget that it's something magic called MAC authentication.
Instead, figure out how you would get this user authenticated in normal
user authentication.

  Alan DeKok.


Re: AW: MAC authentification

2008-10-22 Thread Marinko Tarlac
If you want to limit user access to a specific MAC address, use the
Calling-Station-Id attribute in the radcheck table.

Or if you want a MAC address to represent one user, add the MAC address to the
radcheck table as a UserName and set User-Password to blank.



On Wed, Oct 22, 2008 at 10:58 AM, [EMAIL PROTECTED]wrote:

 OK, but the initial idea behind this is correct (without the MAC address
 syntax), isn't it?

 F. Niedernolte


 -Original Message-
 From: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
 lists.freeradius.org 
 [mailto:freeradius-users-bounces+frederik.niedernoltefreeradius-users-bounces%2Bfrederik.niedernolte
 [EMAIL PROTECTED] On behalf of Michael Schwartzkopff
 Sent: Wednesday, 22 October 2008 10:54
 To: FreeRadius users mailing list
 Subject: Re: AW: MAC authentification

 On Wednesday, 22 October 2008 10:41,
 [EMAIL PROTECTED] wrote:
  So a simple entry like
 
  User42 MAC := 02:01:02:03:04:05
 
  in the users file would be enough!?

 It depends on the format in which your NAS sends the MAC address. Sometimes FR
 gets something like 00-01-02-03-04-05.

 Please run FR with option -X to see what your NAS (switch) sends.

 Greetings,

 --
 Dr. Michael Schwartzkopff
 MultiNET Services GmbH
 Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
 Tel: +49 - 89 - 45 69 11 0
 Fax: +49 - 89 - 45 69 11 21
 mob: +49 - 174 - 343 28 75

 mail: [EMAIL PROTECTED]
 web: www.multinet.de

 Registered office: 85630 Grasbrunn
 Commercial register: Amtsgericht München HRB 114375
 Managing directors: Günter Jurgeneit, Hubert Martens

 ---

 PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
 Skype: misch42


Re: AW: AW: MAC authentification

2008-10-22 Thread tnt
Sort of. The entry can look like:

ma:ca:dd:re:ss:xx   Auth-Type := Accept

No user42 - the MAC address will be coming as the username regardless of who is
using the machine. MAC authentication authenticates the machine, not the
user.

Ivan Kalik
Kalik Informatika ISP


On 22/10/2008, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:

OK, but the initial idea behind this is correct (without the MAC address 
syntax), isn't it?

F. Niedernolte


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael 
Schwartzkopff
Sent: Wednesday, 22 October 2008 10:54
To: FreeRadius users mailing list
Subject: Re: AW: MAC authentification

On Wednesday, 22 October 2008 10:41, 
[EMAIL PROTECTED] wrote:
 So a simple entry like

 User42 MAC := 02:01:02:03:04:05

 in the users file would be enough!?

It depends on the format in which your NAS sends the MAC address. Sometimes FR
gets something like 00-01-02-03-04-05.

Please run FR with option -X to see what your NAS (switch) sends.

Greetings,

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: [EMAIL PROTECTED]
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: MAC authentification

2008-10-22 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Isn't it possible without a password?

  Look at the debug output to see what the NAS is sending you.  *I*
don't have access to your NAS.

 In the current situation I only add a MAC address to an access point and the 
 client can connect to it.
 Because of many access points this task should be done by the RADIUS-server 
 for all access points.
 So every access point should forward the authentification request from the 
 client to the RADIUS-server.
 This server should check if the clients MAC address is allowed and then send 
 back the result to the access point.

  Yes... this isn't the first time we've seen requests for MAC
authentication.  We know how it works.

  We *don't* know exactly what your NAS puts in the packets.  That's why
we suggest debugging mode.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: MAC authentification

2008-10-22 Thread Arran Cudbard-Bell

Hi,

The scheme used almost universally for Mac-Based authentication is
User-Name == Calling-Station-ID, unfortunately the format of the two mac
addresses often differ.

Here are the examples from our configuration to perform mac-based
authorisation.
---
authorize {

    # Rewrite the Calling-Station-Id into a standard format: twelve hex
    # digits, no separators. Each octet is exactly two hex digits, with an
    # optional "-" or ":" between octets.
    if ("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
        update request {
            Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
    }

    # Same rewrite for the User-Name, so the two can be compared.
    if ("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
        update request {
            User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
        }
    }

    # Only treat the request as MAC-based when the NAS put the MAC into
    # the User-Name.
    if ("%{User-Name}" =~ /^%{Calling-Station-Id}$/i) {
        update control {
            Autz-Type := 'mac-based'
        }
    }

    # Authorisation based on MAC address
    Autz-Type mac-based {
        # This is where you do your authorisation checks
        update control {
            Auth-Type := 'Accept'
        }
    }

}

---

No you don't need passwords, you force the server to send an
Access-Accept or Access-Reject packet based on your authorisation
policies for certain Mac-Addresses.


Thanks,
Arran


--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
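The normalisation and comparison from Arran's policy, as an added example in Python that is not code from the post or from FreeRADIUS. It mirrors the two unlang regexes but anchors them at both ends (so a value with trailing characters is refused rather than silently cut to six octets), accepts the dash, colon and bare forms mentioned in the thread, adds the dotted form (0001.0203.0405) as an extension the post does not cover, and makes the decision against a constructed allow-list that stands in for the users file or a SQL/LDAP backend.

```python
import re

# The two rewrite regexes from the policy above, joined into one and anchored
# at both ends, so that a value with extra trailing characters is rejected
# instead of being silently truncated to its first six octets.
_SEPARATED = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$",
    re.IGNORECASE,
)
# Dotted form (0001.0203.0405) as some NAS vendors send it; this form is an
# extension of this example, not something the policy above handles.
_DOTTED = re.compile(r"^([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})$", re.IGNORECASE)


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    value = value.strip()
    for pattern in (_SEPARATED, _DOTTED):
        match = pattern.match(value)
        if match:
            return "".join(match.groups()).lower()
    return None


# Constructed allow-list standing in for the users file or a SQL/LDAP backend.
# Keys are normalized the same way as the request attributes.
ALLOWED_MACS = {
    "000102030405": "printer-2nd-floor",
    "0a1b2c3d4e5f": "badge-reader",
}


def authorize(request):
    """Classify one Access-Request the way the unlang policy above does.

    request maps RADIUS attribute names to the values the NAS sent.
    Returns a (decision, reason) pair:
      ("Noop", ...)   - User-Name is not the Calling-Station-Id, so this is
                        not MAC authentication; leave it to the normal
                        password/EAP processing.
      ("Accept", ...) - known MAC, the equivalent of Auth-Type := Accept.
      ("Reject", ...) - MAC-based request for a MAC not on the list.
    """
    user = normalize_mac(request.get("User-Name", ""))
    station = normalize_mac(request.get("Calling-Station-Id", ""))
    if user is None or station is None or user != station:
        return ("Noop", "not-mac-based")
    if user in ALLOWED_MACS:
        return ("Accept", ALLOWED_MACS[user])
    return ("Reject", "unknown-mac")


if __name__ == "__main__":
    # Constructed requests in the formats mentioned in the thread.
    samples = [
        {"User-Name": "00-01-02-03-04-05", "Calling-Station-Id": "00:01:02:03:04:05"},
        {"User-Name": "0A1B2C3D4E5F", "Calling-Station-Id": "0a1b.2c3d.4e5f"},
        {"User-Name": "ff-ff-ff-ff-ff-ff", "Calling-Station-Id": "FF:FF:FF:FF:FF:FF"},
        {"User-Name": "user42", "Calling-Station-Id": "00:01:02:03:04:05"},
    ]
    for req in samples:
        print(req["User-Name"], "->", authorize(req))
```

A request without a Calling-Station-Id, or with one in a format the regexes do not recognise, comes back as Noop rather than Accept, so a NAS that does not send the attribute cannot get a device through on the User-Name alone. The decision is still only as strong as the MAC itself, which is the point Phil Mayers and Arran make further down the thread.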


Re: AW: AW: MAC authentification

2008-10-22 Thread Anders Holm
I'm slightly curious here. What happens when a script kiddie then spoofs
an appropriate MAC address? Do you have other mitigating measures in place?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: MAC authentification

2008-10-22 Thread Phil Mayers

Anders Holm wrote:
I'm slightly curious here. What happens when a script kiddie then spoofs 
an appropriate MAC address? Do you have other mitigating measures in place?




MAC auth just checks the MAC. If someone spoofs their MAC, they can 
circumvent security.


MAC auth is not secure in the face of determined attack. 802.1x is 
needed for real security.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AW: AW: MAC authentification

2008-10-22 Thread Arran Cudbard-Bell

Anders Holm wrote:
 I'm slightly curious here. What happens when a script kiddie then spoofs
 an appropriate MAC address? Do you have other mitigating measures in place?

There's nothing you can do, but then Mac-Based authentication should
only ever be used to gain access to sensitive networks, that's why you
have 802.1X authentication.

The ideal situation is to have a NAS that supports both on its wired
ports, with a catch at the bottom.

So in order of authorisational priority

1. 802.1X
2. Mac-Authentication/ Web-Auth
3. Unauthorised/ port closed

So initially the device starts in the unauthorised state, if Mac-Based
auth succeeds the port will change to reflect the PVID or any other
parameters given in the Mac-Based/Web-Auth access accept, if not then
the client remains in the unauthorised state. If at any point the client
completes 802.1X authentication then the port will change to reflect the
parameters given in the 802.1X Access-Accept, and any other sessions
will be closed. If the client receives an EAPOL-Logoff, then the client
returns to the unauthorised state, and the switch will start Mac-Based
authentication again. In all cases the client physically disconnecting
from the switch returns the port to the unauthorised/closed state.

At least that's how it works in theory, there's no standard defining the
  interactions, it's very much dependent on the switch vendor.

HP ProCurve switches as of 2600 series implement the behaviour described
above. I believe Cisco do too, though Cisco's is more broken...


Regards,
Arran



--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to add feature authentification...

2007-05-26 Thread tnt
Instead of checking another table, make another group with
Auth-Type := Reject and switch users between their regular group and this
group in the usergroup table, instead of doing that with 1 and 0.

Ivan Kalik
Kalik Informatika ISP


On 26/5/2007, Trio Yulistianto [EMAIL PROTECTED] wrote:

dear all
i'm using freeradius-1.1.6 and a mysql database...
for now it is running well..
but i need to add something to the authentication process..
i have one table Payment_Table (username, payment)
all usernames in radcheck are already copied to the username field; the payment
field is filled with '0' or '1'
this is what i need:
while a user is trying to connect, freeradius will check payment_table; if
the payment field is '0' the user cannot log in, only if the field contains '1'

any suggestion?
thanks
trio



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
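Ivan's group-switching approach as an added example, not code from the thread or from FreeRADIUS. It uses Python's sqlite3 to stand in for MySQL: it creates the usergroup and radgroupcheck tables with the column names of the 1.x schema, loads constructed rows, fetches group check items with a query modelled on the stock authorize_group_check_query in sql.conf, and moves a user between the regular group and the reject group the way a billing script would. Group names (customers, unpaid) and the sample users are this example's own.

```python
import sqlite3

# Subset of the FreeRADIUS 1.x MySQL schema (usergroup, radgroupcheck),
# created in an in-memory SQLite database for this example.
SCHEMA = """
CREATE TABLE usergroup (
    UserName  TEXT NOT NULL,
    GroupName TEXT NOT NULL
);
CREATE TABLE radgroupcheck (
    id        INTEGER PRIMARY KEY,
    GroupName TEXT NOT NULL,
    Attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    Value     TEXT NOT NULL
);
"""

# Modelled on authorize_group_check_query in sql.conf, with the
# %{SQL-User-Name} placeholder replaced by a bound parameter.
GROUP_CHECK_QUERY = """
SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
       radgroupcheck.Value, radgroupcheck.op
  FROM radgroupcheck, usergroup
 WHERE usergroup.UserName = ?
   AND usergroup.GroupName = radgroupcheck.GroupName
 ORDER BY radgroupcheck.id
"""

PAID_GROUP = "customers"   # group names are this example's own
UNPAID_GROUP = "unpaid"


def setup():
    """Build the database with constructed sample data and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # The unpaid group carries Auth-Type := Reject, which makes the server
    # reject before any password check; paying customers get an ordinary
    # per-group check item.
    conn.executemany(
        "INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES (?, ?, ?, ?)",
        [
            (PAID_GROUP, "Simultaneous-Use", ":=", "1"),
            (UNPAID_GROUP, "Auth-Type", ":=", "Reject"),
        ],
    )
    conn.executemany(
        "INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)",
        [("alice", PAID_GROUP), ("bob", UNPAID_GROUP)],
    )
    conn.commit()
    return conn


def group_check_items(conn, username):
    """Return the (Attribute, op, Value) check items rlm_sql would fetch for this user."""
    rows = conn.execute(GROUP_CHECK_QUERY, (username,)).fetchall()
    return [(attr, op, value) for (_id, _group, attr, value, op) in rows]


def would_reject(conn, username):
    """True if the group check items force Auth-Type := Reject."""
    return ("Auth-Type", ":=", "Reject") in group_check_items(conn, username)


def set_paid(conn, username, paid):
    """Move a user between the paying and the unpaid group in one transaction.

    The user is kept in exactly one of the two groups, so a stale row cannot
    leave both sets of check items in play at once.
    """
    target = PAID_GROUP if paid else UNPAID_GROUP
    with conn:
        conn.execute(
            "DELETE FROM usergroup WHERE UserName = ? AND GroupName IN (?, ?)",
            (username, PAID_GROUP, UNPAID_GROUP),
        )
        conn.execute(
            "INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)",
            (username, target),
        )


if __name__ == "__main__":
    db = setup()
    for user in ("alice", "bob"):
        verdict = "reject" if would_reject(db, user) else "authenticate"
        print(user, "->", verdict, group_check_items(db, user))
    set_paid(db, "bob", True)
    print("bob after payment ->", "reject" if would_reject(db, "bob") else "authenticate")
```

Because the reject comes from a check item, a user who has not paid is turned away in authorize, before the password is ever looked at, and the only thing the billing side ever touches is the usergroup table.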


Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread thomas hahusseau

Hello,

Finally my boss is not interested in a PEAP authentication due to
password and login stored in clear in the OpenLDAP database, and he
doesn't want to use ntlm_auth to ask an Active Directory server.

So I wonder if that kind of authentication is possible.

PEAP(MsCHAP) request -> Freeradius server (extract the hashed
password) -> Authentication request sent to PAM (login + hashed
password) via rlm_auth -> OpenLDAP server (compare hashed password
received with the one stored in database)

PAM is used as mediator to permit comparison with the hash stored in OpenLDAP.

My boss only wants ciphered/hashed password and login.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread Josh Howlett

On 7 Jun 2006, at 13:07, thomas hahusseau wrote:

 Hello,

 Finally my boss is not interested in a PEAP authentication due to
 password and login stored in clear in the OpenLDAP database, and he
 doesn't want to use ntlm_auth to ask an Active Directory server.

 So I wonder if that kind of authentication is possible.

 PEAP(MsCHAP) request -> Freeradius server (extract the hashed
 password) -> Authentication request sent to PAM (login + hashed
 password) via rlm_auth -> OpenLDAP server (compare hashed password
 received with the one stored in database)

You don't need to use PAM - in fact, I don't think it's possible.
Store your users' passwords as the NTLM hash, and authenticate
directly from FreeRADIUS to LDAP.

josh.

 PAM is used as mediator to permit comparison with the hash stored in
 OpenLDAP.

 My boss only wants ciphered/hashed password and login.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Authentification link with PEAP + PAM + LDAP

2006-06-07 Thread Alan DeKok
thomas hahusseau [EMAIL PROTECTED] wrote:
 So I wonder if that kind of authentication is possible.
 
 PEAP(MsCHAP) request -- Freeradius server (extract the hashed
 password )

  There is NO hashed password in MSCHAP.  Extraction is IMPOSSIBLE.

 PAM is used as mediator to permit comparason with hashed stocked in OpenLDAP.

  PAM is not a magic solution that lets you do something FreeRADIUS
can't.  PAM does a lot LESS than FreeRADIUS, in fact.

 My boss only wants cipher/hashed password and login.

  As Joe said, store NT-Password in LDAP.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP TLS authentification

2006-04-26 Thread Philippe Chataigner

Hello,

After an authentication with a certificate, the user name that is
returned is the common name of the certificate.
How can I use another field (subject, email, serial number...),
because some people can have the same common name?


Thanks in advance
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP TLS authentification

2006-04-26 Thread Alan DeKok
[EMAIL PROTECTED] (Philippe Chataigner) wrote:
 After an authentication with a certificate, the user name that is 
 returned is the common name of the certificate.
 How can I use another field (subject, email, serial number...), 
 because some people can have the same common name?

  Edit the source code.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


authentification with: login, pwd, SSID and Ldap

2006-04-25 Thread ludovic cailleau
hi

My authentication with the 'users' freeradius file starts and runs perfectly. But now I would like to use LDAP. What is the configuration for it? Please.

Thanks a lot for your help.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentification with: login, password, SSID

2006-04-24 Thread ludovic cailleau
I am already running the server in debugging mode. And it always writes this error:

Auth: Login incorrect: [vlan4/no User-Password attribute] (from client localhost port 0)
Fri Apr 21 09:01:50 2006 : Auth: Login incorrect: [vlan4/no User-Password attribute] (from client symbol port 29 cli 00:11:F5:3A:DC:37)

You say: "And don't set "Auth-Type := EAP". The documentation also says that's wrong". But I don't understand. What can I put?

Ludovic

Alan DeKok [EMAIL PROTECTED] wrote:

 ludovic cailleau <[EMAIL PROTECTED]> wrote:
  I start freeradius, and when I want to connect with a client PC I'm rejected. The logs tell me:

 Why are you not running the server in debugging mode? That's what the documentation says. Many times. Many, many, many times.

 And don't set "Auth-Type := EAP". The documentation also says that's wrong. Many times.

 Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentification with: login, password, SSID

2006-04-24 Thread Phil Mayers

ludovic cailleau wrote:
I am already running the server in debugging mode. And it always writes this 
error: 

Auth: Login incorrect: [vlan4/no User-Password attribute] (from client 
localhost port 0)
Fri Apr 21 09:01:50 2006 : Auth: Login incorrect: [vlan4/no 
User-Password attribute] (from client symbol port 29 cli 
00:11:F5:3A:DC:37)


That is not debugging output. That is the ordinary logging. Go back and 
read the docs on how to run it in debugging mode (hint: radiusd -X)


 
You say: "And don't set Auth-Type := EAP. The documentation also says
that's wrong." But I don't understand. What can I put?


Don't put anything. Don't set Auth-Type at all. The correct version of 
your original mail is:


vlan4   User-Password := "vlan4", Symbol-SSID == 'CRTguest'
        Reply-Message = "Hello, %u"

Note: no Auth-Type, User-Password set with :=

If you are using eap, almost certainly your problem is that the inner 
EAP request does not have the Symbol-SSID attribute. Set the:


copy_request_to_tunnel = yes

...on the eap type in eap.conf - like so:

eap {
  # rest of config
  peap {
# rest of config
    copy_request_to_tunnel = yes
  }
}
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Authentification with: login, password, SSID

2006-04-21 Thread ludovic cailleau
Good morning,

I wish to set up 802.1X authentication for a wireless network. I use a Symbol wireless switch, and Freeradius under Fedora 5. The authentication will have to verify 3 parameters: the login, the password, and the SSID. The Symbol switch transmits the SSID in a Vendor Specific Attribute (Symbol-SSID). I have therefore created a Freeradius dictionary for this attribute (Symbol-SSID):

#
# dictionary.symbol
#
VENDOR      Symbol          388
ATTRIBUTE   Symbol-SSID     2       string  Symbol

I use the users file of Freeradius. To validate the authentication I use the entry:

"vlan4"  Auth-Type := eap, User-Password == "vlan4", Symbol-SSID == 'CRTguest'
         Reply-Message = "Hello, %u"

I start freeradius, and when I want to connect with a client PC I'm rejected. The logs tell me:

Fri Apr 21 09:01:34 2006 : Info: Using deprecated naslist file.  Support for this will go away soon.
Fri Apr 21 09:01:34 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Fri Apr 21 09:01:34 2006 : Info: Ready to process requests.
Fri Apr 21 09:01:49 2006 : Info: rlm_eap_tls:  Length Included
Fri Apr 21 09:01:49 2006 : Error:  TLS_accept:error in SSLv3 read client certificate A
Fri Apr 21 09:01:49 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Apr 21 09:01:49 2006 : Info: rlm_eap_tls:  Length Included
Fri Apr 21 09:01:49 2006 : Info:  (other): SSL negotiation finished successfully
Fri Apr 21 09:01:49 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Apr 21 09:01:50 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Fri Apr 21 09:01:50 2006 : Auth: Login incorrect: [vlan4/no User-Password attribute] (from client localhost port 0)
Fri Apr 21 09:01:50 2006 : Auth: Login incorrect: [vlan4/no User-Password attribute] (from client symbol port 29 cli 00:11:F5:3A:DC:37)
Fri Apr 21 09:01:52 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Apr 21 09:01:52 2006 : Auth: Login incorrect: [vlan4/no User-Password attribute] (from client symbol port 29 cli 00:11:F5:3A:DC:37)
Fri Apr 21 09:01:54 2006 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Fri Apr 21 09:01:54 2006 : Auth: Login incorrect: [vlan4/no User-Password attribute] (from client symbol port 29 cli 00:11:F5:3A:DC:37)

But if I delete the VSA Symbol-SSID, I can connect.

Thank you for your help.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentification with: login, password, SSID

2006-04-21 Thread Alan DeKok
ludovic cailleau [EMAIL PROTECTED] wrote:
 I start freeradius, and when I want to connect me with a client PC
 I'm reject.  Logs indicates me:

  Why are you not running the server in debugging mode?  That's what
the documentation says.  Many times.  Many, many, many times.

  And don't set Auth-Type := EAP.  The documentation also says
that's wronh.  Many times.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


using ldap, sql and pam for user authentification

2005-11-02 Thread Markus Krause
hi all!

i want to configure the freeradius server (1.0.5) to use ldap, sql and pam as
sources for user authentication. i only get the first two to work at the same
time (ldap and sql), but not together with pam.

if i use this in /etc/raddb/users:
# users
wlan        Auth-Type = EAP
testuser    Auth-Type := Local, User-Password == secret
--

all users in ldap and sql (and of course the test users in the users file) can
be authorized, but users in pam cannot; radiusd says:
# radiusd debug output
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
-

with the following in /etc/raddb/users:
# users
DEFAULT     Auth-Type = Pam
            Fall-Through = Yes
wlan        Auth-Type = EAP
testuser    Auth-Type := Local, User-Password == secret
-
users in pam get an access-accept message, but not those in ldap and sql (nor
the testuser in users.

the debug output for a user in sql says:
# radiusd debug output (only important parts as i assume)
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
users: Matched entry DEFAULT at line 1
  modcall[authorize]: module files returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nig49594
radius_xlat:  '(uid=nig49594)'
radius_xlat:  'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=nig49594)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 6
radius_xlat:  'nig49594'
rlm_sql (sql): sql_set_user escaped user -- 'nig49594'
[snipp sql queries]
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user nig49594, check_item=1, counter=0
rlm_sqlcounter: Sent Reply-Item for user nig49594, Type=Session-Timeout, value=1
  modcall[authorize]: module onedayaccounts returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type Pam
auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for nig49594. Reason: User not
known to the underlying authentication module
  modcall[authenticate]: module pam returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
-

same for an ldap user:
# radiusd debug output (snipped again)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat:  '(uid=ldapuser)'
radius_xlat:  'dc=mogli,dc=de'
[snipp]
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
radius_xlat:  'ldapuser'
rlm_sql (sql): sql_set_user escaped user -- 'ldapuser'
[snipp]
rlm_sql (sql): User ldapuser not found in radcheck
rlm_sql (sql): User ldapuser not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module onedayaccounts returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Pam
auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for ldapuser. Reason: User not
known to the underlying authentication module
  modcall[authenticate]: module pam returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [ldapuser] (from client wlan port 0)
-

it seems that pam returns reject if a user is not found by pam, whereas sql and
ldap return notfound.

how can i set up the pam part to return notfound and not overwrite the ok
returned by the other modules?

thanx in advance for your help!
 regards
   markus


--
Markus Krause   email: [EMAIL PROTECTED]
Computing CenterTel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98

-
 This message was sent using https://webmail.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]

- 
List info/subscribe/unsubscribe? See http

RE: Windows Client Authentification bevore Domain logon

2005-09-02 Thread Guy Davies
Hi,

I use Funk Odyssey. It works really well with EAP-TTLS/PAP. 
We use an LDAP connection to our AD Global Catalogs to just query the validity 
of the user credentials and obtain the memberOf attributes.

The Odyssey GINA module seems pretty reliable.

Rgds,

Guy

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jérémy Cluzel
Sent: 02 September 2005 00:37
To: freeradius-users@lists.freeradius.org
Subject: RE: Windows Client Authentification bevore Domain logon

Hi Guy,

Do you know working supplicants with a GINA module? Aegis? SecureW2?

Regards,
Jeremy

[EMAIL PROTECTED] wrote:

Date: Thu, 1 Sep 2005 17:10:14 +0100
From: "Guy Davies" [EMAIL PROTECTED]
Subject: RE: Windows Client Authentification bevore Domain logon
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="iso-8859-1"

Hi Marc,

The only way to do this with the supplicant included with XP is to use machine auth.  This must use the same method used by the individual (i.e. EAP-TLS or PEAP/MS-CHAPv2).

There is a checkbox that says something like "Use machine credentials if available".  Check that and the machine will authenticate before the user.  Once the user authenticates, the machine auth is killed and the user's auth is used.  This requires that the machine has either a PEAP/MS-CHAPv2 username/password or an EAP-TLS certificate.  These are stored in AD so you have to backoff your request to AD.  If you want to do that for PEAP/MS-CHAPv2, you'll need NTLM access to the AD server, LDAP won't do because it can't get the cleartext password (unless it is replicated to a non-standard attribute).

A better method, in my experience, is to use a supplicant with a GINA module.  That stops the windows login process immediately after the user has entered the credentials, takes the user's credentials and uses them to login to the network, then it returns control to the windows login process.  This doesn't require any authentication of the machine.

Regards,

Guy

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc-Henri Boisis-delavaud
Sent: 01 September 2005 15:19
To: FreeRadius users mailing list
Subject: Re: Windows Client Authentification bevore Domain logon

On 31 August 2005 at 18:53, Alan DeKok wrote:

  Jérémy Cluzel [EMAIL PROTECTED] wrote:

   Sorry, but I didn't find any references of this OID in the
   creation scripts in the "scripts" directory (Ca.all, CA.certs...).
   The only OID added seem to be 1.3.6.1.5.5.7.3.1 and
   1.3.6.1.5.5.7.3.2 (in "xpextensions").
   Is there any way to do this without patching openssl (like
   explained there
   http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html) ?

  You can use that OID just like the other ones.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Can you explain how we can activate 802.1X authentication before
logon on XP. And what are the prerequisites?

Marc


- 
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


This e-mail is private and may be confidential and is for the intended recipient only.  If misdirected, please notify us by telephone and confirm that it has been deleted from your system and any copies destroyed.  If you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it.  We use reasonable endeavours to virus scan all e-mails leaving the Company but no warranty is given that this e-mail and any attachments are virus free.  You should undertake your own virus checking.  The right to monitor e-mail communications through our network is reserved by us. 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Windows Client Authentification bevore Domain logon

2005-09-02 Thread Ben Walding
Things to look for for machine auth:
* SP2 or at least KB826942 loaded
* AuthMode key set to 2
* certs + ca loaded into machine store
* certs with the correct attributes + the magic attribute I've mentioned before
* make sure you select the correct CA in Validate server certificate section
* send a big bouquet of flowers to Microsoft for having an utterly unscriptable interface for wireless

If you've got multiple private certs loaded into the machine store then
you might have issues with the selection process - as far as I can tell
it chooses the certificate with the newest Not Before attribute (but
that could be an artifact of some other selection criteria).

Also watch for timing issues - XP won't use certificates if the time is
outside the validity period (i.e. your CA time is ahead of your
workstation time).

Most of the tutorials cover most of this, but they almost never talk
about untangling the knots from slight misconfiguration issues.

(Yes, I've dealt with almost every quirk there is to do with EAP-TLS; until tomorrow when we find some more)


Cheers,

Ben

On 9/2/05, Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:
 On 31 August 2005 at 18:53, Alan DeKok wrote:
  Jérémy Cluzel [EMAIL PROTECTED] wrote:
   Sorry, but I didn't find any references of this OID in the creation scripts in the scripts directory (Ca.all, CA.certs...). The only OID added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in xpextensions). Is there any way to do this without patching openssl (like explained there http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html) ?
  You can use that OID just like the other ones.
  Alan DeKok.
  -
  List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
 Can you explain how we can activate 802.1X authentication before logon on XP. And what are the prerequisites?
 Marc
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

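An added check script (not from Ben's post, and not part of FreeRADIUS) that walks the client-side items of the checklist above with PowerShell on the workstation. It assumes the AuthMode DWORD sits under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global (path assumed, not given on the page) and that the machine certificate carries the clientAuth EKU 1.3.6.1.5.5.7.3.2 mentioned elsewhere in the thread; the 1.3.6.1.4.1.311.17.2 value discussed further down is a PKCS#12 import attribute rather than a certificate extension, so the script checks where the key actually landed instead of looking for that OID on the installed certificate.

```powershell
# Added example (not from the thread): client-side checks for the
# machine-auth checklist. Run in an elevated PowerShell on the client.
$eapolKey      = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'  # assumed path
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU id-kp-clientAuth, as in xpextensions
$now           = Get-Date
$report        = @()

# 1. AuthMode = 2 is what the checklist asks for.
$authMode = (Get-ItemProperty -Path $eapolKey -ErrorAction SilentlyContinue).AuthMode
if ($authMode -eq 2) { $report += 'OK   AuthMode = 2' }
else                 { $report += "FAIL AuthMode = '$authMode' (expected 2)" }

# 2. Machine store: only certs with a private key and the clientAuth EKU are usable.
$candidates = @()
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $hasClientAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }
    if ($cert.HasPrivateKey -and $hasClientAuth) { $candidates += $cert }
}
if ($candidates.Count -eq 0) {
    $report += 'FAIL no certificate in LocalMachine\My with private key + clientAuth EKU'
}

foreach ($cert in $candidates) {
    # 3. Timing: XP will not use a certificate outside its validity period,
    #    e.g. when the CA clock runs ahead of the workstation clock.
    if     ($cert.NotBefore -gt $now) { $report += "FAIL $($cert.Subject): not yet valid (NotBefore $($cert.NotBefore))" }
    elseif ($cert.NotAfter  -lt $now) { $report += "FAIL $($cert.Subject): expired (NotAfter $($cert.NotAfter))" }
    else                              { $report += "OK   $($cert.Subject): valid until $($cert.NotAfter)" }

    # 4. The issuing CA has to be in the machine's trusted root store so it
    #    can be selected under "Validate server certificate".
    $issuer = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
    if ($issuer) { $report += "OK   issuer in Root store: $($cert.Issuer)" }
    else         { $report += "WARN issuer not in LocalMachine\Root: $($cert.Issuer)" }
}

# 5. With several usable certs, report the one with the newest NotBefore,
#    which is the one Ben observed the supplicant picking.
if ($candidates.Count -gt 1) {
    $newest = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1
    $report += "NOTE $($candidates.Count) candidates; newest NotBefore is $($newest.Subject)"
}

$report
```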

Re: Windows Client Authentification bevore Domain logon

2005-09-01 Thread Marc-Henri Boisis-delavaud


On 31 August 05 at 18:53, Alan DeKok wrote:


Jérémy Cluzel [EMAIL PROTECTED] wrote:

Sorry, but I didn't find any references of this OID in the  
creation scripts in the scripts directory (Ca.all, CA.certs...).
The only OID added seem to be 1.3.6.1.5.5.7.3.1 and  
1.3.6.1.5.5.7.3.2 (in xpextensions).
Is there any way to do this without patching openssl (like  
explained there http://lists.cistron.nl/pipermail/freeradius-users/ 
2004-July/034141.html) ?




  You can use that OID just like the other ones.

  Alan DeKok.




Can you explain how we can activate 802.1x authentification before  
logon on xp. And what are the prerequisites ?

Marc





RE: Windows Client Authentification bevore Domain logon

2005-09-01 Thread Guy Davies
Hi Marc,

The only way to do this with the supplicant included with XP is to use machine 
auth.  This must use the same method used by the individual (i.e. EAP-TLS or 
PEAP/MS-CHAPv2).

There is a checkbox that says something like "Use machine credentials if 
available".  Check that and the machine will authenticate before the user.  
Once the user authenticates, the machine auth is killed and the user's auth is 
used.  This requires that the machine has either a PEAP/MS-CHAPv2 
username/password or an EAP-TLS certificate.  These are stored in AD so you 
have to back off your request to AD.  If you want to do that for PEAP/MS-CHAPv2, 
you'll need NTLM access to the AD server; LDAP won't do because it can't get 
the cleartext password (unless it is replicated to a non-standard attribute).

A better method, in my experience, is to use a supplicant with a GINA module.  
That stops the Windows login process immediately after the user has entered the 
credentials, takes the user's credentials and uses them to log in to the 
network, then returns control to the Windows login process.  This doesn't 
require any authentication of the machine.

Regards,

Guy

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Marc-Henri Boisis-delavaud
 Sent: 01 September 2005 15:19
 To: FreeRadius users mailing list
 Subject: Re: Windows Client Authentification bevore Domain logon 
 
 
 
 On 31 August 05 at 18:53, Alan DeKok wrote:
 
  Jérémy Cluzel [EMAIL PROTECTED] wrote:
 
  Sorry, but I didn't find any references of this OID in the
  creation scripts in the scripts directory (Ca.all, CA.certs...).
  The only OID added seem to be 1.3.6.1.5.5.7.3.1 and  
  1.3.6.1.5.5.7.3.2 (in xpextensions).
  Is there any way to do this without patching openssl (like  
  explained there 
 http://lists.cistron.nl/pipermail/freeradius-users/ 
  2004-July/034141.html) ?
 
 
You can use that OID just like the other ones.
 
Alan DeKok.
 
 
 Can you explain how we can activate 802.1x authentification before  
 logon on xp. And what are the prerequisites ?
 Marc
 
 
 
 



Re: Windows Client Authentification bevore Domain logon

2005-09-01 Thread Thor Spruyt
Please use correct terminology.

It's AUTHENTICATION, not authentification!

To authenticate = authentication
To authorize = authorization
To account = accounting
To identify = identification

-- 
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be



RE: Windows Client Authentification bevore Domain logon

2005-09-01 Thread Jérémy Cluzel




Hi Guy,

Do you know working supplicants with a GINA module ? aegis ? secureW2 ?

Regards,

Jeremy

[EMAIL PROTECTED] wrote:

  Date: Thu, 1 Sep 2005 17:10:14 +0100
From: "Guy Davies" [EMAIL PROTECTED]
Subject: RE: Windows Client Authentification bevore Domain logon 
To: "FreeRadius users mailing list"
	freeradius-users@lists.freeradius.org
Message-ID:
	[EMAIL PROTECTED]
Content-Type: text/plain;	charset="iso-8859-1"

Hi Marc,

The only way to do this with the supplicant included with XP is to use machine auth.  This must use the same method used by the individual (i.e. EAP-TLS or PEAP/MS-CHAPv2).

There is a checkbox that says something like "Use machine credentials if available".  Check that and the machine will authenticate before the user.  Once the user authenticates, the machine auth is killed and the user's auth is used.  This requires that the machine has either a PEAP/MS-CHAPv2 username/password or an EAP-TLS certificate.  These are stored in AD so you have to backoff your request to AD.  If you want to do that for PEAP/MS-CHAPv2, you'll need NTLM access to the AD server, LDAP won't do because it can't get the cleartext password (unless it is replicated to a non-standard attribute).

A better method, in my experience, is to use a supplicant with a GINA module.  That stops the windows login process immediately after the user has entered the credentials, takes the user's credentials and uses them to login to the network, then it returns control to the windows login process.  This doesn't require any authentication of the machine.

Regards,

Guy

  
  

Windows Client Authentification bevore Domain logon

2005-08-31 Thread Jérémy Cluzel




How can I add this OID to my machine certs ? using CA.certs script and xpextensions file ?

Regards,

Jeremy

Ben Walding ben.walding at gmail.com wrote:
 I also found using machine certificates to be hit and miss (some
 machines they'd be picked up, others they wouldn't - all XP SP2 with
 appropriate patches).
 
 And then I stumbled on this
 
 http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html
 
 1.3.6.1.4.1.311.17.2
 
 After I started adding that OID to my machine certs, everything
 started working wonderfully.
 
 I shook my fist at Microsoft that day!
 
 Cheers,
 
 Ben
 




Windows Client Authentification bevore Domain logon

2005-08-31 Thread Jérémy Cluzel

Sorry, but I didn't find any references of this OID in the creation scripts in the 
scripts directory (Ca.all, CA.certs...).
The only OID added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in 
xpextensions).
Is there any way to do this without patching openssl (like explained there 
http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html) ?

Regards,

Jeremy

Alan DeKok aland at ox.org 
http://lists.freeradius.org/mailman/listinfo/freeradius-users wrote:

 That OID is added by the cert creation script in the scripts
 directory, but it should be made more prominent in eap.conf, too.

 Alan DeKok.




Re: Windows Client Authentification bevore Domain logon

2005-08-31 Thread James Gruwell
check this out Jeremy

http://www.linuxjournal.com/article/8095

On Wed, 2005-08-31 at 14:22 +0200, Jérémy Cluzel wrote:
 Sorry, but I didn't find any references of this OID in the creation scripts 
 in the scripts directory (Ca.all, CA.certs...).
 The only OID added seem to be 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (in 
 xpextensions).
 Is there any way to do this without patching openssl (like explained there 
 http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html) ?
 
 Regards,
 
 Jeremy
 
 Alan DeKok aland at ox.org 
 http://lists.freeradius.org/mailman/listinfo/freeradius-users wrote:

  That OID is added by the cert creation script in the scripts
  directory, but it should be made more prominent in eap.conf, too.

  Alan DeKok.



Re: Windows Client Authentification bevore Domain logon

2005-08-26 Thread User Test
The Galtex S.A. mail system informs you that your message has been delivered.

This message was generated automatically by the mail system of user belskia.
Please do not reply to this message.


Re: Windows Client Authentification bevore Domain logon

2005-08-26 Thread Armin Krämer

Thanks for the answer Alan, but what do you mean that it should be made more prominent in EAP-Conf? Could you give me detailed instructions how i can get this OID to my certificates?

Armin

FreeRadius users mailing list freeradius-users@lists.freeradius.org wrote on 25.08.05 17:35:11:
 Ben Walding [EMAIL PROTECTED] wrote:
  And then I stumbled on this
  http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html
  1.3.6.1.4.1.311.17.2
  After I started adding that OID to my machine certs, everything started working wonderfully.

 That OID is added by the cert creation script in the "scripts"
 directory, but it should be made more prominent in eap.conf, too.

 Alan DeKok.

Re: Windows Client Authentification bevore Domain logon

2005-08-25 Thread Steven Atkinson

Armin,

At 15:40 24/08/05, you wrote:

Ok, the hole day i tried to get it to work but this time when i install 
the certificate as a machine zertifikate the radius authentifikation log 
ends up with this log below.


The Certificates where generated with openssl and all works fine as User 
certificates but not as computer zertificate. I set the Registry Patch 
which was diescribed in the mailing list to a value of 2.


As Ben has suggested in another email, there are some required extensions 
to the certificates to enable Windows to authenticate. How did you make 
your certificates, I followed the instructions in 
http://www.linuxjournal.com/article/8095.


Steve Atkinson


Fallibroome High School
Priory Lane
Macclesfield
Cheshire
SK10 4AF



Re: Windows Client Authentification bevore Domain logon

2005-08-25 Thread Ben Walding
I also found using machine certificates to be hit and miss (some
machines they'd be picked up, others they wouldn't - all XP SP2 with
appropriate patches).

And then I stumbled on this

http://lists.cistron.nl/pipermail/freeradius-users/2004-July/034141.html

1.3.6.1.4.1.311.17.2

After I started adding that OID to my machine certs, everything
started working wonderfully.

I shook my fist at Microsoft that day!

Cheers,

Ben
On 8/25/05, Steven Atkinson [EMAIL PROTECTED] wrote:
 Armin,
 
 At 15:40 24/08/05, you wrote:
 
 Ok, the hole day i tried to get it to work but this time when i install
 the certificate as a machine zertifikate the radius authentifikation log
 ends up with this log below.
 
 The Certificates where generated with openssl and all works fine as User
 certificates but not as computer zertificate. I set the Registry Patch
 which was diescribed in the mailing list to a value of 2.
 
 As Ben has suggested in another email, there are some required extensions
 to the certificates to enable Windows to authenticate. How did you make
 your certificates, I followed the instructions in
 http://www.linuxjournal.com/article/8095.
 
 Steve Atkinson
 
 
 Fallibroome High School
 Priory Lane
 Macclesfield
 Cheshire
 SK10 4AF
 


Re: Windows Client Authentification bevore Domain logon

2005-08-25 Thread Armin Krämer

Hi, i found this thread yesterday and tried it out to add this OID but it had no effect... OK maybe i made something wrong. Could you describe how you added this oid to your machine certificate? Today i built completely new root, server and client certificates depending on the article in www.linuxjournal.com/article/8095. I will post here my users file. My new generated client certificates use client10 as Client Name.

Greetings

Armin

#
#	Please read the documentation file ../doc/processing_users_file,
#	or 'man 5 users' (after installing the server) for more information.
#
#	This file contains authentication security and configuration
#	information for each user.  Accounting requests are NOT processed
#	through this file.  Instead, see 'acct_users', in this directory.
#
#	The first field is the user's name and can be up to
#	253 characters in length.  This is followed (on the same line) with
#	the list of authentication requirements for that user.  This can
#	include password, comm server name, comm server port number, protocol
#	type (perhaps set by the "hints" file), and huntgroup name (set by
#	the "huntgroups" file).
#
#	If you are not sure why a particular reply is being sent by the
#	server, then run the server in debugging mode (radiusd -X), and
#	you will see which entries in this file are matched.
#
#	When an authentication request is received from the comm server,
#	these values are tested. Only the first match is used unless the
#	"Fall-Through" variable is set to "Yes".
#
#	A special user named "DEFAULT" matches on all usernames.
#	You can have several DEFAULT entries. All entries are processed
#	in the order they appear in this file. The first entry that
#	matches the login-request will stop processing unless you use
#	the Fall-Through variable.
#
#	If you use the database support to turn this file into a .db or .dbm
#	file, the DEFAULT entries _have_ to be at the end of this file and
#	you can't have multiple entries for one username.
#
#	You don't need to specify a password if you set Auth-Type += System
#	on the list of authentication requirements. The RADIUS server
#	will then check the system password file.
#
#	Indented (with the tab character) lines following the first
#	line indicate the configuration values to be passed back to
#	the comm server to allow the initiation of a user session.
#	This can include things like the PPP configuration values
#	or the host to log the user onto.
#
#	You can include another `users' file with `$INCLUDE users.other'
#

#
#	For a list of RADIUS attributes, and links to their definitions,
#	see:
#
#	http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve	Auth-Type := Local, User-Password == "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#test  Auth-Type := Local, User-Password == "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#DEFAULT Auth-Type := EAP-TLS 		 #Local, User-Password == "whatever"
#Reply-Message = "Default Client",
#Tunnel-Medium-Type = 6,
#Tunnel-Private-Group-Id = 1,
#Tunnel-Type = 13

Client1	 Auth-Type := EAP-TLS 		 #Local, User-Password == "whatever"
	 Reply-Message = "Hello,%u  Willkommen im Netzwerk der Firma Metaldyne",
	 Tunnel-Medium-Type = 6,
	 Tunnel-Private-Group-Id = 1,
	 Tunnel-Type = 13

host/Client10	Auth-Type := EAP-TLS 		 #Local, User-Password == "whatever"
		Reply-Message = "Client10",
		Tunnel-Medium-Type = 6,
		Tunnel-Private-Group-Id = 1,
		Tunnel-Type = 13

Workstation3	 Auth-Type := EAP-TLS 		 #Local, User-Password == "whatever"
	 Reply-Message = "client3",
		 Tunnel-Medium-Type = 6,
		 Tunnel-Private-Group-Id = 1,
		 Tunnel-Type = 13

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Auth-Type := Local, User-Password == 
