Grant access for all users before login
Hi I'm using freeradius with ldap users and mschap + peap. But i have one problem. When a user gets his login prompt, no access to the network is allowed because they first get access when they login and freeradius can perform an ldap check with the username. But when a new user wants to login or the user uses an different computer, the user dosen't exist on this machine - so they can't login - no network connection -can't load profile - no local user. So i have tested a little bit with guest vlan ... but this didn't solve my problem. What can i do to solve this issue? I think it will be possible if alle users get access to an restricted vlan before they login with their user credentials. Then the profile can be loaded from server and then the user can validate. But how can i do this, that every user get access before login? I'll hope you understand my problem und you can give me some futher hints what i can do to solve this. best regards -- View this message in context: http://freeradius.1045715.n5.nabble.com/Grant-access-for-all-users-before-login-tp3285753p3285753.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pppoe ntp attribute
27/11/2010 12:47, wrote: Does the NAS documentation say that it accepts such an option? Good question. I could try and see if it'll accept. But... which one try? Sorry, but do I wrote something wrong that no one reply to me? Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_sql_postgresql and plus sign
Hi list,
today I discover a strange behaviour with FR and the PG backend: if the
authorize_group_check_query query returns a value that has a plus sign
(+) inside the groupname, FR thread that value as unicode. I think this
because into the next authorize_group_reply_query query, it use the
'=2B' chars.
The log:
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM
pppoe_group_check('%{SQL-User-Name}') - SELECT id, GroupName,
Attribute, Value, op FROM pppoe_group_check('VALUE')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in group G1+
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM
pppoe_group_reply() WHERE GroupName = '%{Sql-Group}' ORDER BY id -
SELECT id, GroupName, Attribute, Value, op FROM pppoe_group_reply()
WHERE GroupName = 'G1=2B' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
Like you can see I modify the queries, but I can't believe that is this
the problem
Thanks,
Michele
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql_postgresql and plus sign
Michele Petrazzo michele.petra...@unipex.it writes: today I discover a strange behaviour with FR and the PG backend: if the authorize_group_check_query query returns a value that has a plus sign (+) inside the groupname, FR thread that value as unicode. I think this because into the next authorize_group_reply_query query, it use the '=2B' chars. look near the top of raddb/sql/postgresql/dialup.conf : # Safe characters list for sql queries. Everything else is replaced # with their mime-encoded equivalents. # The default list should be ok # safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: / Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql_postgresql and plus sign
Bjørn Mork wrote: look near the top of raddb/sql/postgresql/dialup.conf : # Safe characters list for sql queries. Everything else is replaced # with their mime-encoded equivalents. # The default list should be ok # safe-characters = @abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: / My fault. Only for curiosity, these chars are hard-coded inside the sources or in other place and loaded at startup? Thanks, Michele - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_sql_postgresql and plus sign
Michele Petrazzo michele.petra...@unipex.it writes:
Only for curiosity, these chars are hard-coded inside the sources or
in other place and loaded at startup?
defined like any other module option default in
src/modules/rlm_sql/rlm_sql.c :
static const CONF_PARSER module_config[] = {
/* .. */
{safe-characters, PW_TYPE_STRING_PTR,
offsetof(SQL_CONFIG,allowed_chars), NULL,
@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/},
/* .. */
};
Bjørn
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to filter MAC addresses within Freeradius?
-Original Message- On Behalf Of Christ Schlacta mac filtering should happen at the AP level. Ever try maintaining large (300+) MAC auth lists on multiple APs? Not fun at all. Even maintaining a consistent list of 50 addresses across multiple APs is not that fun, though a bit more manageable in a pinch. When the lists are so large that you have to modify your APs to even be able to store the list in NVRAM, it becomes an even larger pain when adding new APs to your infrastructure as you have to modify the new APs before you can even use them. (Had to increase the size of the virtual NVRAM to use more flash space, which caused strange errors on the APs after a while.) Maintaining the list in RADIUS makes it much simpler as you now only have one location with all your access lists that you can easily manipulate to do pretty much anything you want with. And in regards to maintaining large access lists on each AP: yes, we could have bought a Cisco AP controller for $ that we don't have in our budget (which sadly keeps shrinking instead of growing) that doesn't do much more than FreeRADIUS, or implement a FreeRADIUS server for free on some old hardware we had laying around. You do the math, though I still would like a controller for a couple of the radio and AP balancing functions it can do, I'd still tie it into the FreeRADIUS server for AAA for centralization of all our access rules (wired and wireless) and accounting. On Mon, Nov 29, 2010 at 7:23 PM, Viirydiianah Robles Hi I have ubuntu 10.4 with freeradisUs-server-2.1.10 my question is, where to add the Mac address? in users or clients.conf clients.conf is where you would put your APs/switches/etc. You would add the MAC addresses for your users' machines to the users file. Or to SQL/LDAP or Perl function. -- John D McDonnell Penn Cambria School District mcdon...@pcam.org O ASCII Ribbon Campaign - http://www.asciiribbon.org/ smime.p7s Description: S/MIME cryptographic signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Grant access for all users before login
When a user gets his login prompt, no access to the network is allowed because they first get access when they login and freeradius can perform an ldap check with the username. But when a new user wants to login or the user uses an different computer, the user dosen't exist on this machine - so they can't login - no network connection -can't load profile - no local user. Use machine authentication (if wireless, use automatic connect). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Checkval weird issue with LDAP backend and PAM authentication
On 11/25/2010 04:24 PM, Marco Carcano wrote:
Hi John
thank you very much for the reply - I haven't noticed that exists a
freeradius2 rpm package
I tried, and after a lot of arrangement on the config files -
freeradius2 splits a lot radiusd.conf - I got it working
but I have to point out this thing - that I hope you - Red Hat -
will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in
CentOS package):
this is the content of the original file
#%PAM-1.0 auth include password-auth accountrequired
pam_nologin.so accountinclude password-auth password
include password-auth sessioninclude password-auth
it is wrong: it causes PAM auth to fail with a really strange error
pam_pass: using pamauth stringradiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED fortestuser. Reason:
Module is unknown ++[pam] returns reject Failed to authenticate the
user. Using Post-Auth-Type Reject +- entering group REJECT {...}
this error caused me a little headache because initially I tough it
was a mine misconfiguration of freeradius.
the fix is to replace the contents of /etc/pam.d/radiusd with
#%PAM-1.0 auth include system-auth accountrequired
pam_nologin.so accountinclude system-auth password include
system-auth sessioninclude system-auth
PAM is usefull in situations like the my Easy Configuration Kit -
ECK: I built an AAA system that relies on Freeradius that do
Accounting in MySQL, Authorization with OpenLDAP and Authentication
by Kerberos - the LDAP directory is Kerberized. I think that PAM and
SASL are the good way to accomplish this - In ECK it works.
Maybe you already know about this issue - I hope this post can help
anybody will get this strange error - until the package got fixed
/etc/pam.d/radiusd was deliberately changed from using system-auth to
use password-auth about a year ago.
The reason is that the services cannot use the local means of
authentication with an out-of-band data channel for the credentials such
as Fingerprint and Smart card devices and should use password-auth
instead of system-auth file. SMTP, FTP, and other services use it as
well. So the problem is not in the change in the freeradius radiusd PAM
config.
There is likely an error in the password-auth file on your system. It
should be possible to find out in /var/log/secure which module is the
problem.
--
John Dennis jden...@redhat.com
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Checkval weird issue with LDAP backend and PAM authentication
On 11/30/2010 09:45 AM, John Dennis wrote:
On 11/25/2010 04:24 PM, Marco Carcano wrote:
Hi John
thank you very much for the reply - I haven't noticed that exists a
freeradius2 rpm package
I tried, and after a lot of arrangement on the config files -
freeradius2 splits a lot radiusd.conf - I got it working
but I have to point out this thing - that I hope you - Red Hat -
will fix: /etc/pam.d/radiusd is wrong (maybe the issue is only in
CentOS package):
this is the content of the original file
#%PAM-1.0 auth include password-auth accountrequired
pam_nologin.so accountinclude password-auth password
include password-auth sessioninclude password-auth
it is wrong: it causes PAM auth to fail with a really strange error
pam_pass: using pamauth stringradiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED fortestuser. Reason:
Module is unknown ++[pam] returns reject Failed to authenticate the
user. Using Post-Auth-Type Reject +- entering group REJECT {...}
this error caused me a little headache because initially I tough it
was a mine misconfiguration of freeradius.
the fix is to replace the contents of /etc/pam.d/radiusd with
#%PAM-1.0 auth include system-auth accountrequired
pam_nologin.so accountinclude system-auth password include
system-auth sessioninclude system-auth
PAM is usefull in situations like the my Easy Configuration Kit -
ECK: I built an AAA system that relies on Freeradius that do
Accounting in MySQL, Authorization with OpenLDAP and Authentication
by Kerberos - the LDAP directory is Kerberized. I think that PAM and
SASL are the good way to accomplish this - In ECK it works.
Maybe you already know about this issue - I hope this post can help
anybody will get this strange error - until the package got fixed
/etc/pam.d/radiusd was deliberately changed from using system-auth to
use password-auth about a year ago.
The reason is that the services cannot use the local means of
authentication with an out-of-band data channel for the credentials such
as Fingerprint and Smart card devices and should use password-auth
instead of system-auth file. SMTP, FTP, and other services use it as
well. So the problem is not in the change in the freeradius radiusd PAM
config.
There is likely an error in the password-auth file on your system. It
should be possible to find out in /var/log/secure which module is the
problem.
My apologies, I now realize there is a version mismatch. RHEL5 has not
been updated with the password-auth module, it's exists only in Fedora
and RHEL6. The RHEL5 version of /etc/pam.d/radiusd should be using
system-auth as you correctly point out. The pam change was inadvertently
copied into the RHEL5 version of FreeRADIUS, I will open a bug against
the RHEL5 version.
--
John Dennis jden...@redhat.com
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: TLS authentication works, but does not check usernames against 'users' file.
-Original Message- On Behalf Of Andrew Bovill Hi, I'm trying to get WPA Enterprise EAP/TLS working with my wireless router. It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line. I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination. Here is the debug output: Thanks for any advice. I didn't want to start reconfiguring with a shotgun :) *snipped* IIRC, that is how EAP-TLS works. If the client has a valid certificate, it can connect. Check this previous message that is similar to what I think you are trying to do: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66246.h tml -- John D McDonnell Penn Cambria School District mcdon...@pcam.org O ASCII Ribbon Campaign - http://www.asciiribbon.org/ smime.p7s Description: S/MIME cryptographic signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS authentication works, but does not check usernames against 'users' file.
On 11/30/2010 11:05 AM, John McDonnell wrote: -Original Message- On Behalf Of Andrew Bovill Hi, I'm trying to get WPA Enterprise EAP/TLS working with my wireless router. It appears that the TLS portion of the authentication works (valid certificates give me a working connection) but it does NOT appear to actually be checking the username/password combination that is also sent along the line. I have followed the WPA_HOWTO as best I could (my clients are OS X and Android and Gentoo, not Windows XP) but I can't figure out how to 'fail' an auth attempt with an invalid user/pass combination. Here is the debug output: Thanks for any advice. I didn't want to start reconfiguring with a shotgun :) *snipped* IIRC, that is how EAP-TLS works. If the client has a valid certificate, it can connect. Check this previous message that is similar to what I think you are trying to do: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg66246.h tml - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Cool, I was wondering about that. It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant? Thanks --Andrew Bovill - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS authentication works, but does not check usernames against 'users' file.
On 30/11/10 16:10, Andrew Bovill wrote: It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant? Well, the username goes into the EAP-Identity field. For example you might put: u...@home.org.com ...and be in a radius roaming federation like eduroam, but your certificate may contain: cn=user,o=Home Org,... ...so you need to be able to specific a username. Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FW: MAC Address Filtering
hi I have the operating system ubunto 10.4 with freeradisUs-server-2.1.10 where to add the Mac address? Jessica Alejandra Martinez Bautista - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dialup Admin and HTTP Authentication
OK, so to get this working I modified the Dialup Admin functions.php3 file to use $_SERVER instead of $HTTP_SERVER_VARS and to use REMOTE_USER instead of PHP_AUTH_USER. PHP_AUTH_USER wasn't being populated, but REMOTE_USER was so I just used that. Not sure if that's good, bad or indifferent, but it does work. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Dialup-Admin-and-HTTP-Authentication-tp3285681p3286362.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS authentication works, but does not check usernames against 'users' file.
On 11/30/2010 11:15 AM, Phil Mayers wrote: On 30/11/10 16:10, Andrew Bovill wrote: It just seems weird that nearly ALL of the suplicants I've used *require* me to give a username/password (or at least an Identifier + password) in addition to the unlocked certificate. Maybe a better question is: What's the point of the username/pass that's also being sent by the supplicant? Well, the username goes into the EAP-Identity field. For example you might put: u...@home.org.com ...and be in a radius roaming federation like eduroam, but your certificate may contain: cn=user,o=Home Org,... ...so you need to be able to specific a username. Password is not used in EAP-TLS; the supplicants I've seen don't ask for it (Windows, MacOS, Linux/NetworkManager, Nokia E-series) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Ok, this makes more sense now. I think what was throwing me off was that the Android supplicant asks for the following when doing 802.1x EAP: EAP Method (I chose TLS) Phase 2 authentication (I left as none, but has things like CHAP, PAP, etc) CA cert user cert Identity Anonymous Identity Password It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me. I doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS? --Andrew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS authentication works, but does not check usernames against 'users' file.
On 30/11/10 16:55, Andrew Bovill wrote: It seemed to me that it wouldn't connect if I left the Identity blank, so that may be what was confusing me. Most supplicants will use the cn=XXX from the cert as the identity, but it really makes sense to ask, because they may not be (often are not) the same I doesn't seem to me like there would be, but is there any way to have, say, a 'guest' certificate, that can be handed out to multiple people and be used simultaneously with EAP/TLS? A certificate is like any other credential; anyone who knows it (or has it) can use it. Whether that's a good idea is another matter; how do you revoke it and manage re-issuance once one guest leaves? How do you distinguish between their activity? And so on. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
wifi ip allocation
Hi every body, While all the documentation on the web seems to answer *NO*, and because I feel like i need to talk to someone today, I was wondering if there is any way to allocate IP address to wifi user using radius Attributes instead of DHCP? Or maybe I should ask... How can i allocate IP address from differents Pools based on login (final goal would be to have transparent squid treat user differently )? Thanks. -- Follow us on: twitter https://www.twitter.com/manainternet - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Grant access for all users before login
Garber, Neal-2 wrote: When a user gets his login prompt, no access to the network is allowed because they first get access when they login and freeradius can perform an ldap check with the username. But when a new user wants to login or the user uses an different computer, the user dosen't exist on this machine - so they can't login - no network connection -can't load profile - no local user. Use machine authentication (if wireless, use automatic connect). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Ok that means i must install the certificate (ca.der) on the client. And what else i have to do that the client perform an machine authentication before the user logins? is it neccessary to change some freeradius configuration parameters? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Grant-access-for-all-users-before-login-tp3285753p3286631.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: wifi ip allocation
Alexandre Chapellon wrote: Hi every body, While all the documentation on the web seems to answer *NO*, and because I feel like i need to talk to someone today, I was wondering if there is any way to allocate IP address to wifi user using radius Attributes instead of DHCP? Nope. The only way this would work is if the AP cached the Framed-IP-Address from the Access-Accept, and then grabbed the DHCP packet, and put the Framed-IP-Address in it as a DHCP response. Or maybe I should ask... How can i allocate IP address from differents Pools based on login (final goal would be to have transparent squid treat user differently )? Run FreeRADIUS as a DHCP server. :) It works, and you can put session information from RADIUS into an SQL DB, and then query that data when it receives a DHCP packet. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: wifi ip allocation
On Nov 30, 2010, at 11:33 AM, Alexandre Chapellon wrote: Hi every body, While all the documentation on the web seems to answer *NO*, and because I feel like i need to talk to someone today, I was wondering if there is any way to allocate IP address to wifi user using radius Attributes instead of DHCP? Or maybe I should ask... How can i allocate IP address from differents Pools based on login (final goal would be to have transparent squid treat user differently )? No. Not unless your Access point has a built in DHCP server which can create temporary leases based on RADIUS attributes provided by the RADIUS Server. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FW: altas de direcciones mac
From: cosita_bodo...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: altas de direcciones mac
Date: Tue, 30 Nov 2010 20:19:42 +
Hello I am Leonardo Fajardo Lopez,
I am working with an operating system Ubuntu 9.10 and with
freeradius-server-02.01.1910
and say high to a customer in the file clients.conf
Client localhost {
ipaddr = 127.0.0.1
secret = testing123
}
and a user in the users file
steveCleartext-Passwords=testing
sirvice=Type=Framed-User,
Framed-Protocot=PPP
Framed Compression=van-Jscobsen=TCP-IP
I want to know is where you should enlist the mac direcion?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mac address validation
Hello ... my name is Jorge I raised a question I am making the draft validation of users by MAC address and my question is not that high given file directions Mac, I installed before 1.2.1910 Freeradius a virtual machine VirtualBox-3.2.8 Win-64453-OS Ubuntu 9.10 in the / raddb belonging to freeradius files are users and clients.conf which amended. your help will be very important - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mac address validation
Hello ... my name is Jorge I raised a question I am making the draft validation of users by MAC address and my question is not that high given file directions Mac, I installed before 1.2.1910 Freeradius a virtual machine VirtualBox-3.2.8 Win-64453-OS Ubuntu 9.10 in the / raddb belonging to freeradius files are users and clients.conf which amended. your help will be very important - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
