Hi,
You must have missed the information in RFC 2865 (RADIUS), which is also
a Fine Manual. The PAP password is XOR'd with the MD5 hash of the
shared secret and the authenticator.
Yes, that's a bit clearer than saying the password is hashed, since it
also shows that the process is
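The RFC 2865 section 5.2 scheme this reply points to, reimplemented below as an added example (it is not code from FreeRADIUS or from the original mail). It also illustrates the later exchange on this page in which the shared secret was "checked a hundred times" yet the password could not be decoded: the server never learns that the secret is wrong, it simply obtains garbage and rejects the login. The secret, authenticator and password values are constructed for the demo.

```python
"""RFC 2865 section 5.2 User-Password hiding, reimplemented for illustration.

hide_password() is what a NAS does before putting a PAP password into an
Access-Request; unhide_password() is what the RADIUS server does on receipt.
Both sides need the shared secret and the 16-octet Request Authenticator,
which travels in the clear in the packet header.
"""
import hashlib
import secrets

BLOCK = 16  # MD5 digest size; the password is processed in 16-octet chunks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the obfuscated User-Password attribute value.

    c1 = p1 XOR MD5(secret || RA)
    cn = pn XOR MD5(secret || c(n-1))   for every following block
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    # Pad with NULs to a multiple of 16 octets, as the RFC requires.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + BLOCK], keystream)
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password(); the same MD5 chain reproduces the keystream.

    The NUL padding is stripped at the end, so this assumes passwords do not
    contain NUL octets (RFC 2865 makes the same assumption).
    """
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a positive multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block  # chaining runs over the *hidden* block, so both sides can follow it
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Round trip plus the two observations the threads on this page are about."""
    secret = b"testing123"                  # constructed shared secret
    ra = secrets.token_bytes(BLOCK)         # the NAS picks a random Request Authenticator
    password = b"correct horse battery"     # 21 octets -> two chained blocks
    hidden = hide_password(password, secret, ra)
    return {
        "hidden_len": len(hidden),
        "roundtrip_ok": unhide_password(hidden, secret, ra) == password,
        # A mismatched secret does not fail loudly: the server decodes to
        # garbage and then rejects the login, so a bad secret looks like a
        # wrong password in the logs.
        "wrong_secret_gives_garbage": unhide_password(hidden, b"testing124", ra) != password,
        # Anyone holding the secret and a captured packet recovers the
        # cleartext; nothing here is a one-way hash of the password.
        "eavesdropper_with_secret": unhide_password(hidden, secret, ra),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the Request Authenticator is random per request but public, so the whole protection of a PAP password on the wire rests on the shared secret and on MD5 being used as a keystream generator; it is obfuscation against third parties, not a hash of the password.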
Hi,
I thought the username/passwd is transferred during the handshake.
Yes and no. I.e. it depends on the precise protocol you're using. For some
of them (mostly PAP, EAP-TTLS/PAP), the password is transferred in an encrypted
form. For others (CHAP, MSCHAP, EAP-MD5, PEAP), the password is
Velikanov wrote:
I build a billing system based on FREERADIUS+ORACLE and
want to install it for some ISPs.
But I give them FREERADIUS with source, as-is, as on
www.freeradius.org.
Is this a GPL violation?
IANAL, but I think the critical part probably is section 2.b) of the
Hi,
Sayantan Bhowmick wrote:
I am trying to authenticate users using CHAP authentication.
(snipp)
users are authenticated successfully (provided userid and
password are correct) irrespective of what is entered for the
shared secret in the client. Is this a defect?
IIRC, yes, that
Hi,
what you are saying is that I should do something like this:
user_ttls EAP-Type != PEAP
that however only prohibits the usage of PEAP for user_ttls while i
would like to only enable TTLS for this specific user (which is not
quite the same).
Yes, however you said
Artur Hecker wrote:
we naively try to specify EAP-Type == PEAP for user_peap
and == TTLS for
user_ttls but that breaks both methods (which seems
normal since this
EAP-Type definition is not correct for the internal EAP
method which
however uses the same user name).
Why not almost
Paul Hampson wrote:
And the exclusion of EAP/TLS is due to the well documented conflict
between the GPL license of rlm_eap_tls and the OpenSSL license,
which
makes distributing binaries of rlm_eap_tls that link against openssl
impossible, legally.
Given that the authors of the software are
Hi,
And forces (even if I encountered several times that may not be done like
that) in the users conf :
testuser Auth-Type := PAP, User-Password == testpass
and also tested EAP,
Don't. FreeRadius typically treats EAP-Requests as _two_ requests. It handles
the EAP stuff
and then
Hi,
Palmer J.D.F. wrote:
If I get a failed login, then try to login again it just
uses cached
credentials and doesn't prompt for details, if I close
and re-open the
browser it does then allow me to enter details.
Sounds like it might be the browser that's caching the
bad
Hi,
(snipp)
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for
Hi,
What can cause dictionary permission errors even if
/etc/freeradius/dictionary has rwxrwxrwx as
permissions setting?
I am getting the following:
radclient: dict_init: Couldn't open dictionary
/etc/freeradius/dictionary: Permission denied
Check the permissions of /etc and
Shawn Kennedy wrote:
Sure, you can use a
Shared Secret and the password is sent with a
MD5 hash, but is there anything better?
Sure, you can use the CHAP protocol or EAP protocols
for authenticating, then no password needs to be
sent to the RadiusServer (instead, you get a challenge
and
Brent Smith wrote:
I am trying to get freeradius to authenticate chap for a
ISDN backup call on a cisco. I am running version 1.0.1.
I am in control of server and clients, so I know the
passwords match, but the logs say they do not.
IIRC earlier 1.0.x releases have problems with MD5 (and
Jim Seymour wrote:
Jas [EMAIL PROTECTED] wrote:
[snip]
/usr/ccs/bin/ld -G -z defs -h libltdl.so.3 -o
.libs/libltdl.so.3.1.0 ltdl.lo -ldl -lnsl -lresolv
-lsocket -lposix4 -lpthread -lcrypto -lssl -lc
ld: fatal: library -lcrypto: not found
ld: fatal: library -lssl: not found
Hi,
We are particularly interested in solving the problem of
password theft.
(snipp)
The advantage of this scheme is proxy
radius server cannot see password in clear text.
Why send clear text passwords over the net at all?
I.e., why don't you simply use CHAP or a similar
protocol?
Hi,
I am really stuck :-(
Let me try to explain what I intend to do:
1.) PAP is just the clear-text password???
- I thought pap is hashing the password with a challenge (MD-5). This
means the client is then transmitting this Hash to the radius, which
might hold the password
Hi,
1) ldd /usr/local/sbin/radiusd
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40033000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4006)
libresolv.so.2 => /lib/libresolv.so.2 (0x40076000)
libpthread.so.0 => /lib/i686/libpthread.so.0 (0x40088000)
Hi,
Thanks a lot., i am new and totally clueless as to what i need to be
doing . I did use ./configure
--with-openssl-includes=/usr/local/openssl/include
--with-openssl-libraries=/usr/local/openssl/lib
What else do i need to be doing to make the radiusd read the right
Hi,
configure --disable-shared
--with-openssl-includes=/usr/local/openssl097g/include \
--with-openssl-libraries=/usr/local/openssl097g/lib \
--prefix=/usr/local/radius
For static SSL libraries, this simply doesn't work, see the mailing
list archive for build problems on Solaris
Maqbool Hashim wrote:
Unfortunately there are not many
token card manufacturers that support the freeradius
server. At the moment it looks as if Cryptocard are the
best bet.
I would be very interested to hear from anyone who has
implemented any
OTP solution with freeradius.
Maqbool Hashim wrote:
OK do you mean get the radius server to pass user
credentials on to an OTP server?
Yes, exactly. The one developed by the company I'm
working for (see www.kobil.com) is at the same time
a simple RADIUS server (much less features than
FreeRadius, but OTOH nobody would
Edgars wrote:
you mean radiusd -X?
Can this full debug information somehow be saved in a
file instead of
directly on the console?
radiusd -X logfile ?
HTH,
Stefan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
ATTRIBUTE myattrib 340 string
ATTRIBUTE myattrib2 341 integer
VALUE myattrib2 value0 0
VALUE myattrib2 value1 1
VALUE myattrib2 value2 2
Now I'm not entirely sure whether this is right. Using the limited
documentation, it appears that values 340 341 are currently unused
Hi,
Ok, added that to the file, permissions on the /etc/raddb/huntgroups
file are still 666, and I still get the same error: Permission denied
(rlm_preprocess: Error reading /etc/raddb/huntgroups).
Any more ideas?
You did check the permission for /etc and /etc/raddb as well as those
[EMAIL PROTECTED] wrote:
this is my config files:
##EAP.conf##
[EMAIL PROTECTED]:/etc/freeradius# vi eap.conf
#
# The PEAP module needs the TLS module
to be installed
# and
JH wrote:
Out of curiosity, how can you tell that it was being
swapped around
that was giving the problem?
Well, the first thing I noticed was that configure claimed that I had
no SSL_new in -lssl, which was suspicious, so I looked into
config.log for the compilation command used
to run
Terry J Fike Jr wrote:
Okay, quick (and possible moot) question...
could there be issues on this because of compiling it
64bit instead of
32 bit?
Actually what for? You do realize that there
are a couple of _dis_advantages of building
64bit stuff (larger executables, more memory
ThinkSECURE - Security Starts Here. wrote:
checking for openssl/ssl.h...yes
checking for DH_new in -lcrypto...yes
checking for SSL_new in -lssl...no
Yes, configure is appending libraries in the wrong order for its
test compilations (-lcrypto -lssl instead of -lssl -lcrypto).
While this is
Michael Mitchell wrote:
I've found a few issues with the configure scripts in the
past where
things weren't quite right, but they've mostly been
related to Solaris.
Actually, I think, this issue really is not about Solaris (although
that's where it's notoriously encountered [e.g. by
Hi,
I haven't tried linking freeRADIUS with static libraries yet, and I must
admit I missed the --disable-shared in J.Ho's email. Well picked up...
Actually, I meant to refer to the static OpenSSL libs used, not to the
--disable-shared ...
I'm guessing the problem stems from this
Madhu Dubey wrote:
(snipp)
rlm_eap_md5: User-Password is required for
EAP-MD5 authentication
(snipp)
I'm not able to understand where I should
set the User-Password
for this EAP client...Can anybody give me a
clue ?
You're missing the point of the error message.
You need to set the
Hi,
I'm wondering if anyone has ever tried to put an NT hash password
directly into the LDAP userPassword field, and have it authenticated
through free radius.
Just one nosy question (I'm always trying to collect data on that issue):
Why are you using NT hash passwords instead of
Neil Craig wrote:
Does anyone know how to create the MD5 password using the
secret to
insert into MySQL?
Sorry, I'm completely failing to understand what you're trying to do.
What relation do you see between MD5 hash of
the password and the secret?
Is that referring to the radius secret used
Anderson Alves de Albuquerque wrote:
After I need RADIUS to use crypt or DES to have the
password in clear text.
It's impossible. Once you have the password
crypted, you cannot get the clear text from
it anymore. It's like making an omelette. You
can make one from eggs, but you can't get the
[EMAIL PROTECTED] wrote:
That means if the LDAP Server would be somehow configured
to send out the
Attribute UserPassword in cleartext, it would work with
MSCHAP?
Yes. If Radius gets the cleartext password from somewhere, it
can check if the MSCHAP stuff which the user did send is
Hi,
The problem seems to be, again, that even one adds
--with-ltdl-lib=/opt/csw/share/libtool/libltdl
--with-ltdl-include=/opt/csw/share/libtool/libltdl
make does not seem to care about it.
I've found this to be the case with several (if not all) of the
--with-BLAH-lib and with
Hi,
I've got this in the radtest
Vendor-32767-Attr-1 = 0x4d656d626572
Idle-Timeout = 300
Interesting approach. Maybe it's really worth adding support for
such syntax (if it doesn't exist) if someone just doesn't want to add
vendor attributes to the dictionary. OTOH,
Hi,
Monthly, I think, freeradius resets all connections,
FreeRadius (or any other Radius server) does not touch connections
at all. It's the NAS that is doing all this. The only thing that
FreeRadius does is deciding whether or not to accept a connection,
if it's asked by a NAS. Also, it
Rizwan Khan wrote:
Thanks Toby, but using mod_auth_radius is not
an option since it is
specifically designed for Apache Webserver,
but we are looking for a
general way of connecting to any webserver.
Does the setup via PAM also support one-time
passwords (i.e. when the user has a
Rizwan Khan wrote:
A user gets authenticated for the first time (just once)
and then the
Auth_info(Cookie) is passed on to other files accessed
under the same
directory/subdir's until the session remains (i.e browser
window is
closed)
I hope your question was answered!
Yes, many
Alan DeKok wrote:
Yes please see the existing TTLS and
PEAP code which does exactly this. You have
working examples in front of you.
Use them.
Thanks, that put me on the right track again...
I stupidly was searching for a configuration
error and missed the (now obvious) error in
my
Jeff Stout wrote:
Has any one out there configured FreeRadius to work with
RSA?
You can either activate the RADIUS-frontend of ACE
(at least the windows version of newer ACE server should have
such a beast) and proxy to that from FreeRadius or you
could obtain Radiator (which is able to
Hi,
I'm having a strange problem with a modified rlm_eap_md5
module and proxying - apparently I'm missing some details
of the internal workings of FreeRADIUS, now I don't understand
what's going on at all ...
I hacked rlm_eap_md5 to actually generate a fake request
containing
Ron Wahler wrote:
There is a test tool to send an eap request to the
radius Server with a test user.
You could send a test authentication
off every so often with a script to monitor its status.
Is that radeapclient you're referring to?
Well, I understood how to make it send an EAP-MD5
Joe H wrote:
I updated all the server to freebsd 4.10
(snipp)
Program received signal SIGTERM, Terminated.
0x10250654 in __sys_poll () from /usr/lib/libc_r.so.4
I'm not sure how helpful that will be to anyone but it's
all the information it showed.
Sounds like it's telling you that
Kirti S. Bajwa wrote:
rlm_chap: login attempt by test with CHAP password
rlm_chap: Could not find clear text password for user
test
I believe that the problem lies in the above description.
If that is
correct, why the password be clear test?
Sorry? Somehow that sentence seems to be
Hi,
want to limit the users so that multiple logins are not allowed
using a single account.
At our company we have ( proprietary ) server which forwards
authentication requests to radius which is configured to query Mysql
and confirm the user credentials.
(snipp)
I tried to
Hi,
Then I started to wonder about memory usage.
my cat /proc/meminfo looks like this:
MemTotal: 2055440 kB
MemFree: 13572 kB
Buffers: 54380 kB
Cached: 1767756 kB
(snipp)
Even though MemFree is low, the inactive memory is high -
which in turn I
Hi,
I have unsuccessfully attempted to authenticate an XP SP2 user
with PEAP MSCHAPv2. I am using Solaris 8 for the freeRADIUS server
See
http://lists.freeradius.org/archives/freeradius-users/2004/09/msg00816.html
and note that MSCHAP is using MD4 to compute hashes.
Hi,
I have a question about the problem below.
If in LDAP (openldap) we provide the ntpassword (with samba), it will
work for authenticate Windows XP users with PEAP + mschapv2 ??
Note however, that storing/using ntpasswords instead of cleartext
passwords offers no advantage at all -
Hi,
(snipp)
drw-r- 3 root radiusd 472 Jan 11 14:36 certs
drw-r- 3 root root 472 Jan 11 15:30 certs_backup
(snipp)
drw-r- 2 root radiusd 200 Jan 11 14:36 demoCA
(snipp)
Directories normally need the x-Bit to be set. Try
chmod u+x certs certs_backup
Hi,
1) users file
##
DEFAULT NAS-Port-Type == ISDN, Connection-Type == UNLIMITED,
Auth-Type := Reject
Reply-Message = Your account has been disabled.
DEFAULT Auth-Type := LDAP
How many lines do you actually
Hi,
I am looking to have SSH authenticate to a RADIUS server. I believe that
PAM is supported for SSH authentication, so I planned on linking PAM to SSH
(which I think is setup by default).
Note that newer OpenSSH versions (starting with 3.7, IIRC) come with PAM
disabled by default.
Hi,
Somebody tried to help me out but I am still having this problem.
Can anybody have a solution or suggestion?
(snipp)
uname -m = sun4u
uname -r = 5.8
uname -s = SunOS
So we have an ordering sensitive linker. Looks like it might be my
favourite bug in the configure script: It's
Alan DeKok wrote:
[EMAIL PROTECTED] wrote:
Otherwise, it should theoretically be possible to translate
PEAP-MSCHAPv2 to plain MSCHAPv2 and use that for
communication with your simple radius server - however,
that still requires writing suitable code
In eap.conf, peap{} subsection, set
Tim Winders wrote:
I have tried LD_LIBRARY_PATH=/usr/local/ssl I have tried
--with-openssl-libraries=/usr/local/ssl/lib and
--with-openssl-includes=/usr/local/ssl/include, I have
tried creating
symlinks to the openssl files to the /usr/local/lib
directory, all to no
avail.
This
Hi,
Andree Toonk wrote:
Don't strip the username. Doing so will break EAP, and
MS-CHAP, as
you are discovering.
But how should I fix this?
Users are known as test and not as [EMAIL PROTECTED]
Then change that. If the user uses [EMAIL PROTECTED],
any change you make to the
Hi,
character, and has no special meaning of field name.
Oh yes it does. I'm afraid the rest of the universe disagrees with you!
We use conventions for a reason, no?
Right. Notice however, that there are many different and sometimes
contradicting conventions. Would you agree that
Hi,
So target is:
Windows XP Workstation WLAN Base Station
FreeRadius My simple radius and its user db
- between Workstation and FreeRadius EAP-PEAP /
PEAP-MSCHAPv2 is used
- between FreeRadius and My simple radius PAP
or CHAP is used
If you can
was receiving/sending?
That way, you might be able to figure out which magic
attribute is currently missing in you current reply attributes
to get things working.
HTH,
Stefan Neis
Hi,
OpenLDAP with NT and LM hashed samba password
After having read similar stuff several times in the past weeks,
what's the real advantage of using NT or LM hashed passwords over
using simple clear text passwords? At least security-wise, I can't
see any.
Regards,
Hi,
Personally think that clear text is bad as anyone intercepting the
packets can easily pick up anything in clear text.
You mean intercepting the packets between LDAP server and
RADIUS server (since the communication with the RADIUS client
isn't affected anyway)? But knowing the LM
Hi,
once the traffic has gotten to the endpoint I would think (stepping to limb
here) that I am dealing
with a decrypted stream of traffic and what ever hash was completed on the
client to the
password. so, if I tell the client to use mschapv2, to hash the password,
then I would be
Hi,
I am trying to just install freeradius without any options and am
getting errors. Here is what I see at the end -
gmake[6]: *** [rlm_krb5.o] Error 1
(snipp)
That's just make passing the error that occurred in some recursive
call up to its parent. The _interesting_ part would be
Hi,
there are obviously different kinds of encryption and as you mention with
out a key, decryption is not possible.
It's not only the question of a key, it's also a question of methods
used. Given a hash value (often called encrypted password), you
just can't get back to the clear
Hi,
(snipp)
CHAP
(snipp)
Encrypted password.
(snipp)
It's impossible to combine CHAP and encrypted (hashed!) passwords,
see my other mail with the subject
Re: problem authenticating to passwd/shadow files
HTH,
Stefan
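An added example (not from the original mail, nor FreeRADIUS code) for the point made here and in the rlm_chap "Could not find clear text password" thread further up: verifying CHAP means recomputing MD5 over the cleartext password, so a crypt()/shadow-style store cannot serve it. The third function illustrates the trade-off raised in the PAP-versus-CHAP exchange on this page (PAP on the wire is at the mercy of the shared secret, CHAP is at the mercy of password strength): one captured challenge/response pair can be checked against a wordlist offline. The ident, challenge, password and wordlist are constructed for the demo.

```python
"""CHAP (RFC 1994) as carried in RADIUS (RFC 2865 section 5.3), for illustration.

The NAS hands the PPP client a 16-octet challenge; in RADIUS it arrives as the
CHAP-Challenge attribute or, if that is absent, as the Request Authenticator.
The client answers with CHAP-Password = ident || MD5(ident || password || challenge).
"""
import hashlib
import hmac
from typing import Iterable, Optional


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: one octet of CHAP ident followed by the 16-octet MD5 digest."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident is a single octet")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Server side, i.e. what rlm_chap has to do.

    The only way to check the response is to recompute it, and that needs the
    cleartext password as an input to MD5. A one-way hash H(pw) from
    /etc/shadow is useless here: MD5(id || pw || chal) cannot be derived from
    H(pw) without first recovering pw.
    """
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + cleartext + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def offline_guess(chap_password: bytes, challenge: bytes,
                  candidates: Iterable[bytes]) -> Optional[bytes]:
    """What an eavesdropper can do with one captured challenge/response pair.

    CHAP keeps the password itself off the wire, but the response is an
    unsalted, unkeyed MD5 over a short input, so every wordlist entry can be
    tried at full speed. The shared secret plays no role in this computation.
    """
    for candidate in candidates:
        if chap_verify(chap_password, challenge, candidate):
            return candidate
    return None


def demo() -> dict:
    challenge = bytes(range(16))   # constructed; a real NAS uses random octets
    response = chap_response(7, b"letmein", challenge)
    wordlist = [b"password", b"123456", b"letmein", b"qwerty"]   # constructed
    return {
        "verify_ok": chap_verify(response, challenge, b"letmein"),
        "verify_wrong": chap_verify(response, challenge, b"letmeout"),
        "cracked": offline_guess(response, challenge, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to EAP-MD5 (the same MD5 construction inside EAP) and to MS-CHAP, where the server needs either the cleartext password or the NT hash, the NT hash being password-equivalent for that purpose.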
Hi,
2. what is the best way to have encrypted transport
and encrypted passwords?
It depends on what you mean by encryption. Of course you
can encrypt stuff by some symmetric encryption method and
store the key to get the cleartext from the encrypted text
somewhere (e.g. radius
Hi,
I did post the errors. Below is the message I sent on 10/15/2004.
Just wanted to point out that you did post the errors of make install
(or maybe a second call to make), which was not helpful at all in
diagnosing the error. The errors generated by make (or even of the
first run of
Ahmad Cheikh Moussa wrote:
Believe me, I checked the shared secret one hundred
times.
The shared secret is correct. I still believe that there
is a problem
to decode the sent password.
Which still hints at a bad secret... I don't really know how
sensitive your cisco box or even freeradius
Cristi Banciu wrote:
I saw that even with
not a real NAS when a user logs in a record is entered
to radpostauth table
Well, if the radius server gets an authentication request
resulting in an accept, it can guess that somebody just
logged in, even without accounting request.
However, the
Luis Daniel Lucio Quiroz wrote:
I rather prefer PAP, you only put one account at risk,
not everybody
Well, then you just shouldn't use (MS-)CHAP.
Note however that PAP is incompatible with
MS point-to-point-encryption.
Also note that getting access to the radius server
and reading the
Andreas Haumer wrote:
FreeRADIUS is an additional piece and fits fine in the
whole system
to allow those networks to provide encrypted VPN access
with easy to
use clients and still maintain a central database of
accounts in the
network.
Note however, that MPPE with its keys derived
Hi,
But clear-text passwords are in many situations a no-no
and usually you already have the sambav3 schema which
gives you
the windows password hashes which will work with mschapv2
authentication
The whole security of RADIUS (and any similar product) is based
on clear-text
Luis Daniel Lucio Quiroz wrote:
Isn't it a security problem to have clear text passwords to permit
CHAP?
Depending on your configuration, it may be one.
Essentially, there are two possible points of attack:
- the network: Try to intercept the password during
transfer.
- the configuration files: Try
Hernan Cortez wrote:
Hi, thanks for the answer.
Which config.h file?
The find command show me 13 config.h files:
Sorry, I should have mentioned I was working from
memory, without access to the sources at that moment
- and of course I got the name wrong:
The file I modified is
Mitchell, Michael wrote:
Hi Steven,
First things to check:
1) Did the eap module/sub modules actually build?
Check the installation lib directory for rlm_eap*. I
found that using
the Sun Workshop C compiler, several modules do not build
as they rely
on gcc features (in particular
Hi,
PPP Users are getting authenticated and allowed through the box:
however, when the PPP session goes down PPP is not clearing them in
RadAcct. They are allowed back in, and a radwho shows two sessions
for the same user, but a ps on the system only shows the current
actually
Hi,
configure: warning: silently not building rlm_sql_postgresql.
configure: warning: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
These files are not only in my prefix/include dir but I've gone so far as
to put them in the build/src/include dir as well, and yet the
Robert Schultz wrote:
Hello.
I am trying to run freeRADIUS 1.0.0 with openssl 0.9.7d.
While doing
./configure --with-openssl-libraries=/usr/local/lib
--with-openssl-includes=
/usr/local/include
or
./configure
--with-openssl-libraries=/usr/local/openssl/lib
--with-openssl-i
Christian Balzer wrote:
user User-Password == '%u'
(let alone that rewriting the quoting as suggested would
require quite more effort than some global config option
somewhere).
1. sed something suitable to escape quotes old_file tmp_file
2. sed s/\(User-Password *==
Hi,
The patch checked out OK and has been committed.
BTW, how do you do that kind of testing? Does everyone of the
developers have lots of software and hardware clients to do
all kind of testing or what?
Excuse the stupid question, but I'd like to play a bit with
EAP-TTLS and PEAP
Hi,
Excuse the stupid question, but I'd like to play a bit with
EAP-TTLS and PEAP (possibly submitting some patches at a later
time) and don't really know how to even generate suitable queries
to test what I'm doing. :-(
Use various clients.
--verbose ?
I.e. can you recommend
xsupplicant, alfa arris...
Thanks a lot.
Google can help, too.
Sure. However, that gave me lots of references to lots of
different stuff, all of which I never heard of (while I've
been using various RADIUS stuff for quite some time, I'm
completely new to the world of EAP protocols ...).
Hi,
When I try to compile freeradius, it show:
(snipp)
Somebody can help me?
If you provide some more information (e.g. what system are you
compiling on? Which openssl version are you using?) somebody _might_
be able to help.
Stefan
Larry LeBlanc wrote:
Hello,
I've installed OpenSSL 0.9.7d in /usr/local/ssl/ on my
system and have configured freeRADIUS 1.0.0pre3 with:
--with-openssl-include=/usr/local/ssl/include
--with-openssl-libraries=/usr/local/ssl/libraries
However after building I end up with radiusd having
** Reply to note from Nils Rønhovde [EMAIL PROTECTED] Wed, 11 Aug
2004 07:31:44 +0200
Hello,
I am a bit puzzled that radiusd says Ignoring deprecated command-line option -p
while usage() says:
-p port Bind to 'port', and not to the radius/udp, or 1646/udp.
I
containing
-lssl -lcrypto -L_OpenSSL_Lib_Directory -lssl -lcrypto
which fails with library -lssl: not found. I'm lost...
Any idea how to make FreeRADIUS compile with OpenSSL support
enabled?
Regards,
Stefan
TIA,
Stefan Neis
Hi,
Is there a way to map all users to an exist unix acct or to autocreate an
account with the successful completion of authentication or just get to a
shell without defining local users?
Depends on what you want exactly. If you're e.g. authenticating via
a PAM-RADIUS module, which
Alan DeKok wrote:
If you're using EAP-TTLS, then the tunneled session
is often just
normal non-EAP authentication, and that can be
proxied.
(and I suppose the same applies more or less to PEAP?)
No. PEAP tunnels EAP, and only EAP.
I see. However, theoretically, I again