Re: Auth by NAS-Identifier using unlang

2013-08-06 Thread Alan Buxey
I assume that's the freeradius2 package rather than freeradius as 1.x doesn't 
have unlang

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Diffrent authentication based by SSID

2013-08-06 Thread Marcin
Thank You for reply Alan.
I have working eap-tls for my staff and
On 5 August 2013 21:52 a.l.m.bu...@lboro.ac.uk wrote:
Hi,
> In that situation I need to have active, both sql and ldap, authorization
> modules in inner-tunnel. So users, who should identify by login/pass in
> guest SSID, can be authenticated via inner-tunnel ldap module. I don't want
> this.
use whatever you want to use. what do you use now? all you need to do is
distinguish between the two types of requests, and handle them how you want.
will the guest SSID be 802.1X? if so, inner-tunnel is available by default (as
that's used for EAP) - if not, then you won't configure anything in there.
each SSID will be presented to your RADIUS server with particular
attributes... you will be able to use those to decide what to do, e.g.

if (%{whatever-attribute} =~ /sometext/ ) {
    ldap
}
else {
    sql
}

that sort of thing. and to be honest, you WILL need some decent data source for
advancing your RADIUS into something scalable and usable, i.e. SQL or LDAP -
sticking with a flat users file will end up with tears in most systems.
alan

Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

2013-08-06 Thread Andy

Hi, yes thank you, that is the guide I have been following..

And as that guide highlights the switch needs a 'bit string', not a 
decimal number;
The value of Egress-VLANID is a bit string, the first 8 bits specify 
whether the VLAN is tagged or untagged and must be either 0x31 (tagged) 
or 0x32 (untagged). The next 12 bits are padding 0x000, and the final 
12 bits are the VLAN ID as an integer value..


Thus I need; 'Egress-VLANID = 0x3113' in the FreeRADIUS reply

But FreeRADIUS is NOT sending that bit string, it is sending;

Sending Access-Accept of id 41 to 10.0.0.242 port 1812
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Egress-VLANID = 822083602
HP-Cos = 3
Finished request 18.

I have stored the HEX String in OpenLDAP with various data types, but 
the FreeRADIUS always converts the number to the decimal equivalent 
(822083602) which is out of range for the switch?


How can I stop this conversion?

HPO switch debug;
0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd new client 
detected on vid: 11.
0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd RADIUS CHAP 
authentication started, session: 2985.
0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd vid 
attribute error during RADIUS processing.
0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
rejected,

  session: 2985, invalid attributes.
0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
authentication failed, login retry count: 1 = max-retires: 0, no 
unauth-vid configured, entering quiet-period: 30 seconds.
W 08/06/13 09:45:58 02400 dca: macAuth client, RADIUS-assigned VID 
validation error. MAC 080027E4B2CD port 29 VLAN-Id 0 or unknown.


Thanks, Andy.



On Mon 05 Aug 2013 23:59:36 BST, Arran Cudbard-Bell wrote:


On 5 Aug 2013, at 23:39, Andy a...@brandwatch.com wrote:


Hello,

This is my first post here so please excuse any missed etiquette.

I have read through the wiki's and googled a lot and not found anything.


http://wiki.freeradius.org/vendor/HP#RFC-4675-(multiple-tagged/untagged-VLAN)-Assignment

*sigh*


I have been trying configure our switch ports (HP 2910al) with Tagged
VLANs via Egress-VLANID and Egress-VLAN-Name.

The Radius backend is OpenLDAP, and I have tried setting the data
type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do,
the value returned by RADIUS is the decimal equivalent of the HEX bit
string I enter :(

For example I'm trying to store and send 0x3112 to indicate a
tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I
can see it sending the decimal number, when the switch wants the bit
string as it was stored, and hence throws an error!


No. The HP switch does not care that FreeRADIUS displayed (but later
encoded correctly) your hex string as an integer.

It does care that you don't seem to understand how to convert decimal
numbers to hex and are actually specifying VLAN 18 tagged, which
probably doesn't exist if you're getting errors.

You want 0x310C for VLAN 12 tagged.

-Arran





Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

2013-08-06 Thread Andy

Ahh,

No. The HP switch does not care that FreeRADIUS displayed (but later 
encoded correctly) your hex string as an integer.


It does care that you don't seem to understand how to convert decimal 
numbers to hex and are actually specifying VLAN 18 tagged, which 
probably doesn't exist if you're getting errors.


You want 0x310C for VLAN 12 tagged.

I apologise!

I can't believe I did that! How stupid of me to not actually convert 
the VLAN number! I just got thrown when I saw the base 16 to base 10 
conversion and got stuck on that..


Serves me right for trying to figure these things out after mid night 
when I should have been sleeping..


Thanks, Andy.



On Mon 05 Aug 2013 23:59:36 BST, Arran Cudbard-Bell wrote:


On 5 Aug 2013, at 23:39, Andy a...@brandwatch.com wrote:


Hello,

This is my first post here so please excuse any missed etiquette.

I have read through the wiki's and googled a lot and not found anything.


http://wiki.freeradius.org/vendor/HP#RFC-4675-(multiple-tagged/untagged-VLAN)-Assignment

*sigh*


I have been trying configure our switch ports (HP 2910al) with Tagged
VLANs via Egress-VLANID and Egress-VLAN-Name.

The Radius backend is OpenLDAP, and I have tried setting the data
type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do,
the value returned by RADIUS is the decimal equivalent of the HEX bit
string I enter :(

For example I'm trying to store and send 0x3112 to indicate a
tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I
can see it sending the decimal number, when the switch wants the bit
string as it was stored, and hence throws an error!


No. The HP switch does not care that FreeRADIUS displayed (but later
encoded correctly) your hex string as an integer.

It does care that you don't seem to understand how to convert decimal
numbers to hex and are actually specifying VLAN 18 tagged, which
probably doesn't exist if you're getting errors.

You want 0x310C for VLAN 12 tagged.

-Arran





Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

2013-08-06 Thread Andy

It still doesn't work :(

Sorry but I have been working on RFC 4675 for a long time before I 
emailed this list, which is why I was a bit short in my first reply 
(sorry) and jumped the gun before reading all of your email. I /really/ 
have trawled every page I can find..


I have changed OpenLDAP to 0x310C (thanks for pointing that silly 
mistake out), and I get a reply from FreeRADIUS with;


Sending Access-Accept of id 48 to 10.0.0.242 port 1812
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Egress-VLAN-Name = VLAN12
Egress-VLANID = 822083596
HP-Cos = 3
Finished request 1.

And on the switch I have defined the VLAN;
vlan 12
   name VLAN12
   ip address 10.2.46.242 255.255.255.0
   ip helper-address 10.0.0.1
   ip igmp
   exit

But I still get the error on the switch;
0049:03:54:30.02 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd new client 
detected on vid: 1.
0049:03:54:30.02 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd RADIUS CHAP 
authentication started, session: 2991.
0049:03:54:30.04 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd vid attribute 
error during RADIUS processing.
0049:03:54:30.04 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
rejected, session: 2991, invalid attributes.
0049:03:54:30.04 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
authentication failed, login retry count: 1 = max-retires: 0, no 
unauth-vid configured, entering quiet-period: 30 seconds.
W 08/06/13 10:06:28 02400 dca: macAuth client, RADIUS-assigned VID 
validation error. MAC 080027E4B2CD port 29 VLAN-Id 0 or unknown.



I can get RFC 3580 to work fine with the following;
Sending Access-Accept of id 50 to 10.0.0.242 port 1812
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
HP-Cos = 3
Tunnel-Private-Group-Id:0 = 11
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Finished request 3.


But I really need to get Tagged VLAN working!

If no one has any ideas I'll try and raise a support call with HP.. Wish 
me luck I may never return and be lost in their 'support system' 
forever...! ;)




On 05/08/13 23:59, Arran Cudbard-Bell wrote:


On 5 Aug 2013, at 23:39, Andy a...@brandwatch.com wrote:



Hello,

This is my first post here so please excuse any missed etiquette.

I have read through the wiki's and googled a lot and not found anything.


http://wiki.freeradius.org/vendor/HP#RFC-4675-(multiple-tagged/untagged-VLAN)-Assignment


*sigh*

I have been trying configure our switch ports (HP 2910al) with Tagged 
VLANs via Egress-VLANID and Egress-VLAN-Name.


The Radius backend is OpenLDAP, and I have tried setting the data 
type in OpenLDAP to binary, UTF-8 and IA5, but no matter what I do, 
the value returned by RADIUS is the decimal equivalent of the HEX bit 
string I enter :(


For example I'm trying to store and send 0x3112 to indicate a 
tagged VLAN (0x31) on VLAN 12. But looking at freeradius -X output I 
can see it sending the decimal number, when the switch wants the bit 
string as it was stored, and hence throws an error!


No. The HP switch does not care that FreeRADIUS displayed (but later 
encoded correctly) your hex string as an integer.


It does care that you don't seem to understand how to convert decimal 
numbers to hex and are actually specifying VLAN 18 tagged, which 
probably doesn't exist if you're getting errors.


You want 0x310C for VLAN 12 tagged.

-Arran




Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

2013-08-06 Thread Arran Cudbard-Bell

On 6 Aug 2013, at 10:50, Andy a...@brandwatch.com wrote:

 Hi, yes thank you, that is the guide I have been following..
 
 And as that guide highlights the switch needs a 'bit string', not a decimal 
 number;
 The value of Egress-VLANID is a bit string, the first 8 bits specify whether 
 the VLAN is tagged or untagged and must be either 0x31 (tagged) or 0x32 
 (untagged). The next 12 bits are padding 0x000, and the final 12 bits are the 
 VLAN ID as an integer value..
 
 Thus I need; 'Egress-VLANID = 0x3113' in the FreeRADIUS reply
 
 But FreeRADIUS is NOT sending that bit string, it is sending;
 
 Sending Access-Accept of id 41 to 10.0.0.242 port 1812
   Framed-Protocol = PPP
   Framed-Compression = Van-Jacobson-TCP-IP
   Egress-VLANID = 822083602

You're still sending the wrong binary string.

822083602 == 0x3112

The RFC specifies that Egress-VLANID has a 4 octet value, whoever wrote the 
dictionary decided to represent it as a 32bit unsigned integer, but that should 
be OK.

   HP-Cos = 3
 Finished request 18.

OK. First, you're not doing PPP, remove the default entries in the users file 
for Framed-Protocol and Framed-Compression.

Second there's no special encoding for an unsigned integer. Chances are, the on 
the wire format of the value matches the hex string.  Look at a dump in 
wireshark if you don't believe me.

If it doesn't, that's a problem, and we can look at fixing it.

 I have stored the HEX String in OpenLDAP with various data types, but the 
 FreeRADIUS always converts the number to the decimal equivalent (822083602) 
 which is out of range for the switch?

*sigh*, no.

 
 How can I stop this conversion?

The on the wire raw format will be the same for the integer and for the binary 
string.

 HPO switch debug;
 0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd new client 
 detected on vid: 11.
 0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd RADIUS CHAP 
 authentication started, session: 2985.
 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd vid attribute 
 error during RADIUS processing.
 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client rejected,
  session: 2985, invalid attributes.
 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
 authentication failed, login retry count: 1 = max-retires: 0, no unauth-vid 
 configured, entering quiet-period: 30 seconds.
 W 08/06/13 09:45:58 02400 dca: macAuth client, RADIUS-assigned VID validation 
 error. MAC 080027E4B2CD port 29 VLAN-Id 0 or unknown.

Because you're still sending the wrong value?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

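As an added example (not code from the thread, FreeRADIUS or the HP switch), this Python shows what Arran is describing: the integer that radiusd -X prints for Egress-VLANID is the same 32-bit value as the RFC 4675 fields (tag octet, 12 pad bits, 12-bit VLAN ID), and the integer attribute encodes on the wire as exactly those four octets. 822083602 decodes to tagged VLAN 18 and 822083596 to tagged VLAN 12; attribute type 56 is the RFC 4675 number for Egress-VLANID, and the debug lines fed in at the bottom are reconstructed from the thread.

```python
"""RFC 4675 Egress-VLANID: the 32-bit value FreeRADIUS prints versus the four
octets that go on the wire.  Added example, not code from the thread."""
import re
import struct

TAGGED = 0x31            # RFC 4675 tag indication octet: tagged egress VLAN
UNTAGGED = 0x32          # ... and untagged
EGRESS_VLANID_TYPE = 56  # RADIUS attribute type number for Egress-VLANID


def egress_vlanid(vlan_id, tagged=True):
    """Build the value: 8-bit tag flag, 12 zero pad bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID %d outside 1..4094" % vlan_id)
    flag = TAGGED if tagged else UNTAGGED
    return (flag << 24) | vlan_id


def decode_egress_vlanid(value):
    """Split the integer back into (tagged, vlan_id); reject malformed values."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    flag = value >> 24
    pad = (value >> 12) & 0x0FFF
    vlan_id = value & 0x0FFF
    if flag not in (TAGGED, UNTAGGED):
        raise ValueError("bad tag indication 0x%02x" % flag)
    if pad:
        raise ValueError("pad bits set: 0x%03x" % pad)
    return flag == TAGGED, vlan_id


def hex_string(value):
    """Show the value as 8 hex digits, i.e. the same digits as the wire octets."""
    return "0x%08X" % value


def radius_attr_bytes(value):
    """Wire form of the attribute: type, length, 4-byte big-endian integer."""
    return struct.pack("!BBI", EGRESS_VLANID_TYPE, 6, value)


def parse_radius_attr(data):
    """Inverse of radius_attr_bytes, for checking a packet capture."""
    attr_type, length, value = struct.unpack("!BBI", data[:6])
    if attr_type != EGRESS_VLANID_TYPE or length != 6:
        raise ValueError("not an Egress-VLANID attribute")
    return decode_egress_vlanid(value)


DEBUG_LINE_RE = re.compile(r"Egress-VLANID\s*=\s*(\d+)")


def vlan_from_debug(line):
    """Decode an 'Egress-VLANID = <int>' line as printed by radiusd -X."""
    m = DEBUG_LINE_RE.search(line)
    if not m:
        raise ValueError("no Egress-VLANID in: %r" % line)
    return decode_egress_vlanid(int(m.group(1)))


if __name__ == "__main__":
    # Debug lines as they appeared in the thread (constructed sample input).
    for line in ("Egress-VLANID = 822083602", "Egress-VLANID = 822083596"):
        tagged, vid = vlan_from_debug(line)
        value = int(line.split("=")[1])
        print("%s -> %s tagged=%s vlan=%d wire=%s" % (
            line, hex_string(value), tagged, vid,
            radius_attr_bytes(value).hex()))
```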


How to store session info in external database?

2013-08-06 Thread Maciej Lew
Hi, I would like to store freeradius session information like
Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in an external database.

We have our devices connected to databases which are read-only, so we cannot
store that information there. Also we have a database where we want to
store session statistics from all devices.

Is that possible to achieve?

Till now we tried setting up a virtual host with Auth-Type rules redirecting
to a script, but we cannot receive Acct-Session-Id. Here is how our
/etc/freeradius/sites-available/default looks:

authorize {
    chap
    mschap
    sql
    update control {
        Auth-Type := `/etc/freeradius/bin/testradius '%{User-Name}' '%{Calling-Station-Id}' '%{NAS-IP-Address}' '%{reply:Framed-IP-Address}' '%{reply:Acct-Session-Id}' '%{reply:Acct-Unique-Session-Id}'`
    }
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
}

preacct {
    acct_unique
}

accounting {
#   sql
}

session {
#   sql
}

post-auth {
#   sql
}

Sorry for any language mistakes :)


-- 
Regards
Maciej Lew

tel. 883-376-062

Response-Packet-Type == Access-Challenge

2013-08-06 Thread Dominique Frise

Hi,

I have no luck with testing Response-Packet-Type in the post-proxy 
section, after rad_recv: Access-Challenge packet...


Something like :

post-proxy {
    ...
    if (Response-Packet-Type == Access-Challenge) {
        ...
    }
    ...
}


What am I doing wrong?

Dominique


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Arran Cudbard-Bell

On 6 Aug 2013, at 12:35, Dominique Frise dominique.fr...@unil.ch wrote:

 Hi,
 
 I have no luck with testing Response-Packet-Type in the post-proxy 
 section, after rad_recv: Access-Challenge packet...
 
 Something like :
 
 post-proxy {
 ...
 if (Response-Packet-Type == Access-Challenge) {
...
  }
 ...
 }
 
 
 What am I doing wrong?

Nothing.  That's not officially supported.  You may find it works in 2.x.x HEAD 
though :)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: How to store session info in external database?

2013-08-06 Thread A . L . M . Buxey
Hi,

Hi, I would like to store freeradius session information like
Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in external
database.

the default config does this - you just need to edit the SQL module to
be appropriate to your database (and have a DB you can write to!) and then
use the 'sql' option in the accounting section (that's the section that will have
those details as they are in RADIUS Accounting packets).

accounting {
#   sql
}

look. there.


to optimise you might then want to look at other virtual servers to do this
stuff like bufferedsql or the remote accounting proxy one... and then make
sure your DB is optimised... both running environment (memory allocation,
disk platters etc), the table indexes and the DB engine used for the tables.

alan


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Dominique Frise

On 08/06/2013 01:55 PM, Arran Cudbard-Bell wrote:


On 6 Aug 2013, at 12:35, Dominique Frise dominique.fr...@unil.ch wrote:


Hi,

I have no luck with testing Response-Packet-Type in the post-proxy section, after 
rad_recv: Access-Challenge packet...

Something like :

post-proxy {
...
if (Response-Packet-Type == Access-Challenge) {
...
  }
...
}


What am I doing wrong?


Nothing.  That's not officially supported.  You may find it works in 2.x.x HEAD 
though :)

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Thanks Arran,

I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64. 
Should this version support it or not?


Dominique


Re: Auth by NAS-Identifier using unlang

2013-08-06 Thread John Dennis
On 08/06/2013 02:31 AM, Alan Buxey wrote:
 I assume that's the freeradius2 package rather than freeradius as 1.x
 doesn't have unlang

The OP said Fedora. Fedora has never had a freeradius2 package (only
ever existed in RHEL 5.x). Fedora has had 2.x for many years. So either
the OP is using an extremely old version, doesn't know what OS they're
on, or is trying to blame the package for a failure to read the doc.


-- 
John


Re: returning a HEX String as a HEX String (bit string) instead of the decimal equivalent - FreeRADIUS 2.1.10

2013-08-06 Thread Arran Cudbard-Bell

 HPO switch debug;
 0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd new client 
 detected on vid: 11.
 0049:03:34:00.18 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd RADIUS CHAP 
 authentication started, session: 2985.
 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd vid attribute 
 error during RADIUS processing.
 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client rejected,
 session: 2985, invalid attributes.
 0049:03:34:00.20 MAC  mWebAuth:Port: 29 MAC: 080027-e4b2cd client 
 authentication failed, login retry count: 1 = max-retires: 0, no unauth-vid 
 configured, entering quiet-period: 30 seconds.
 W 08/06/13 09:45:58 02400 dca: macAuth client, RADIUS-assigned VID 
 validation error. MAC 080027E4B2CD port 29 VLAN-Id 0 or unknown.
 
 Because you're still sending the wrong value?

...and why the hell couldn't they include the VLAN ID that the switch thinks it 
received.

Nathan Jenne, if you read the list, your code sucks :P

-Arran



Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Arran Cudbard-Bell

On 6 Aug 2013, at 13:20, Dominique Frise dominique.fr...@unil.ch wrote:

 On 08/06/2013 01:55 PM, Arran Cudbard-Bell wrote:
 
 On 6 Aug 2013, at 12:35, Dominique Frise dominique.fr...@unil.ch wrote:
 
 Hi,
 
 I have no luck with testing Response-Packet-Type in the post-proxy 
 section, after rad_recv: Access-Challenge packet...
 
 Something like :
 
 post-proxy {
 ...
 if (Response-Packet-Type == Access-Challenge) {
...
  }
 ...
 }
 
 
 What am I doing wrong?
 
 Nothing.  That's not officially supported.  You may find it works in 2.x.x 
 HEAD though :)
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 
 Thanks Arran,
 
 I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64. Should 
 this version support it or not?

No.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: How to store session info in external database?

2013-08-06 Thread Maciej Lew
The problem is we have databases in slave mode, only reading is allowed. We
want to pass this information to another database...


2013/8/6 a.l.m.bu...@lboro.ac.uk

 Hi,

 Hi, I would like to store freeradius session information like
 Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
 Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in external
 database.

 the default config does this - you just need to edit the SQL module to
 be appropriate to your database (and have a DB you can write to!) and then
 use the 'sql' option in the accounting section (that's the section that
 will have those details as they are in RADIUS Accounting packets).

 accounting {
 #   sql
 }

 look. there.


 to optimise you might then want to look at other virtual servers to do
 this stuff like bufferedsql or the remote accounting proxy one... and then
 make sure your DB is optimised... both running environment (memory
 allocation, disk platters etc), the table indexes and the DB engine used
 for the tables.

 alan




-- 
Regards
Maciej Lew

tel. 883-376-062

Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread A . L . M . Buxey
Hi,

 I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64.
 Should this version support it or not?

no, it won't support it. you need the latest code from GIT to use that 
feature.

alan


Re: SQL-Relay log - radacctdir - High Disk usage

2013-08-06 Thread Alisson
If I disable the var 'sql_log' it will stop writing to the relay log file,
right?

but will it still write to the radpostauth table correctly?


2013/7/31 Alisson alissongoncal...@bsd.com.br

 Hi Alan,

 the sql_log var just writes a text file with the SQL statements, correct?



 2013/7/31 Alan DeKok al...@deployingradius.com

 need to understand the syste





Re: How to store session info in external database?

2013-08-06 Thread Alan DeKok
Maciej Lew wrote:
 The problem is we have databases in slave mode, only reading is allowed.
 We want pass these informations to another database...

  Then configure another SQL module to talk to another database.

  There's no magic here.  If you want to write to a database, configure
the server to talk to a writable database.

  Alan DeKok.


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Dominique Frise

On 08/06/2013 03:36 PM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64.
Should this version support it or not?


no, it won't support it. you need the latest code from GIT to use that 
feature.

alan

Is there any other flag/function that would indicate that an 
Access-Challenge packet was received from the NAS?


Dominique


pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean

I have pptpd on a CentOS 6 box configured to use radius for auth.
radius in turn checks credentials in ldap.
The user in ldap has a samba extension and a configured password (I used
ldap account manager to set it up); it also has a sambaNTPassword field
and it's populated.

rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64

The auth fails however when I try connecting from my Windows 8 client.
I need to mention that I am sure I'm inputting correct passwords.
This is the log from radiusd -X:

rad_recv: Access-Request packet from host 127.0.0.1 port 49338, id=12, length=152
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = testuser1
    MS-CHAP-Challenge = 0x09235ac983790fedc6ccf93af69b67bf
    MS-CHAP2-Response = 0x5e004a81f91bcf75cd6452c64bd587a74f21ff5eaa8a5df6639683423ed294074ceb705105d5d762932d
    Calling-Station-Id = ***.***.***.*** - edited out
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = testuser1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
[ldap] performing user authorization for testuser1
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> testuser1
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser1)
[ldap]  expand: dc=my-domain,dc=com -> dc=my-domain,dc=com - edited out
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=my-domain,dc=com, with filter (uid=testuser1)
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == {SSHA}YQwkujoqTZAKF1Jl1e1JRxKKvDVVRGYv
  [ldap] sambaNtPassword -> NT-Password == 0x3331443643464530443136414539333142373343353944374530433038394330
[ldap] looking for reply items in directory...
[ldap] user testuser1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: testuser1
[mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 12 to 127.0.0.1 port 49338
    MS-CHAP-Error = ^E=691 R=1 C=50685502b0ea6334450d0cd8077ac242 V=3 M=Re-enter (or reset) the password
Waking up in 4.9 seconds.
Cleaning up request 4 ID 12 with timestamp +801
Ready to process requests.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Alan DeKok
Dominique Frise wrote:
 Is there any other flag/function that would indicate that an
 Access-Challenge packet was received from the NAS?

  A NAS will NEVER send an Access-Challenge to the server.

  A proxy will receive an Access-Challenge from a home server.  As was
said, you need the latest code from the GIT to use that feature.

  Alan DeKok.


Re: How to store session info in external database?

2013-08-06 Thread Arran Cudbard-Bell

On 6 Aug 2013, at 14:29, Maciej Lew mac...@lanserver.pl wrote:

 The problem is we have databases in slave mode, only reading is allowed. We 
 want pass these informations to another database...

Modules can have multiple instances.

sql.conf

sql sql_write {
    sql config
}

accounting {
    sql_write
}

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: SQL-Relay log - radacctdir - High Disk usage

2013-08-06 Thread Alan DeKok
Alisson wrote:
 If I disable the var 'sql_log' it will stop do write on relay log file,
 right?

  Yes.

 but will still writing on radpostauth table correctly?

  Yes.

  It helps to understand the servers configuration.  You should read ALL
of the configuration files you have enabled.  It's what everyone does.

  Alan DeKok.


Re: pptpd mschap auth fails

2013-08-06 Thread Phil Mayers

On 06/08/13 16:04, Horatiu Nimigean wrote:

i have pptpd on a centos 6 box configured to use radius for auth.
radius in turn checks credentials in ldap.
the user in ldap has a samba extension and a configured password (i used
ldap account manager to set it up) it also has a sambaNTPassword field
and it's populated.
rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64

the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.


If you are *really* sure of this (have you created a test user with a 
simple password?), then it might be the PAP module helpfully fiddling 
with the password:



[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding


Try commenting out pap, since you're not using it


Re: pptpd mschap auth fails

2013-08-06 Thread Alan DeKok
Horatiu Nimigean wrote:
 the auth fails however when i try conencting from my windows8 client.
 i need to mention that i am sure i'm inputting correct passwords.

  No, you're not.

 [mschap] Found NT-Password
 [mschap] Creating challenge hash with username: testuser1
 [mschap] Told to do MS-CHAPv2 for testuser1 with NT-Password
 [mschap] FAILED: MS-CHAP2-Response is incorrect

  The passwords are different.

  Alan DeKok.


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread A . L . M . Buxey
Hi,

 Is there any other flag/function that would indicate that an
 Access-Challenge packet was received from the NAS?

don't know.. I have the following on a 2.2.0 box in the authenticate section:

if (handled && (Response-Packet-Type == Access-Challenge)) {
    attr_filter.access_challenge.post-auth
    handled  # override the updated code from attr_filter
}


note the (Response-Packet-Type == Access-Challenge) bit.

what does your debug show you?

alan


Re: pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean

ok so i edited /etc/raddb/sites-enabled/default
and

commented pap from authorize { ... }
and commented

Auth-Type PAP {
    pap
}

from authenticate { ... }
but i still have the same error.

i have also created a new user betatesting1
i have also tested in the local shell (although it attempts mschapv1)
and it gives me the same error


[root@be-vpn ~]# radtest -t mschap betatesting1 secret 127.0.0.1 1812 myubersecretpassword
Sending Access-Request of id 13 to 127.0.0.1 port 1812
    User-Name = betatesting1
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    Message-Authenticator = 0x
    MS-CHAP-Challenge = 0xdca09b5922346674
    MS-CHAP-Response = 0x000148cc2307c5dcb95d9cdc59f621d5d7e4b17c391d8ab5b4f4
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=13, length=112
    MS-CHAP-Error = \000E=691 R=1 C=f20ec16aa685d6a06f1ed900857d9c0e V=3 M=Re-enter (or reset) the password



Re: pptpd mschap auth fails

2013-08-06 Thread Horatiu Nimigean

oook the damn password is letmein for testing purposes.
i can't seriously mistype it that many times.

and i did not. it turns out LAM successfully reports changing both unix
and samba passwords but upon closer inspection and verifying with the
smbencrypt cli tool the samba hashes are NOT updated.


Apologies.
upon editing with apache directory studio it auths perfectly. both from
win8 client as well as radtest.
thanks for strongly pointing out that indeed there's a problem with the
damn hashes.


Cheers.



I don't want to see clear text password in debug mode

2013-08-06 Thread Roberto Carna
Dear, when I execute freeradius -X the daemon starts in debug mode.

After that, when any user authenticates against the freeradius service, I can
see on the screen something like this:

[sql] expand: %{User-Name} -> roberto
[sql] sql_set_user escaped user --> 'roberto'
[sql] expand: %{User-Password} -> 123456

My password is encrypted with MD5 but it can be seen in the debug screen.

Is there any way to disallow or masquerade the user's password in debug mode
???

Really thanks,

Roberto

Re: I don't want to see clear text password in debug mode

2013-08-06 Thread Arran Cudbard-Bell

On 6 Aug 2013, at 19:49, Roberto Carna robertocarn...@gmail.com wrote:

> Dear, when I execute freeradius -X the daemon starts in debug mode.
>
> After that, when any user authenticates against the freeradius service, I can see
> on the screen something like this:
>
> [sql] expand: %{User-Name} -> roberto
> [sql] sql_set_user escaped user --> 'roberto'
> [sql] expand: %{User-Password} -> 123456
>
> My password is encrypted with MD5 but it can be seen in the debug screen.

*sigh* No. You have an MD5 hash of the password, the cleartext version is being
sent from the NAS.

> Is there any way to disallow or masquerade the user's password in debug mode
> ???

No. This would be difficult to implement, especially for SQL queries where the
password value is inserted into another string to form the query.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Arran Cudbard-Bell

On 6 Aug 2013, at 16:38, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
>> Is there any other flag/function that would indicate that an
>> Access-Challenge packet was received from the NAS?
>
> don't know..I have the following on a 2.2.0 box in the authenticate section:
>
>   if (handled && (Response-Packet-Type == Access-Challenge)) {
>   attr_filter.access_challenge.post-auth
>   handled  # override the updated code from attr_filter
>

Right, but you're not attempting to change this in Post-Proxy, which is a
different code path, and was not allowed for philosophical reasons before 2.2.x.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: I don't want to see clear text password in debug mode

2013-08-06 Thread A . L . M . Buxey
Hi,

> My password is encrypted with MD5 but it can be seen in the debug screen.
> Is there any way to disallow or masquerade the user's password in debug
> mode ???

it's debug mode. the entire purpose is to ensure that things are
what they appear to be and silly things like 'it doesn't work!' are
found to be your password handling etc.  the server knows the password
if you are dealing with PAP or MD5 etc etc - that's the nature of such
a server.  why are you running in debug mode? you shouldn't for production
systems - the server sees the same sorts of logs as other daemons - if
you don't run mailservers or web servers in full debugging mode you wouldn't
know that.  if you really don't like it then you can edit the source code
to replace the print function with eg ***obfuscated*** or such
and then hope that you never need to work with some obscure issue.
you might also want to check what logging/detail logging you have on.
a server can be configured to log good passwords to file and the detail.log
module will be slapping the password into auth_log files if not told not to.

this is also why you should be moving away from such passwords - challenge
response style passwords won't give you this issue.

alan


Re: Response-Packet-Type == Access-Challenge

2013-08-06 Thread Dominique Frise

On 08/06/2013 05:29 PM, Alan DeKok wrote:

> Dominique Frise wrote:
>
>> Is there any other flag/function that would indicate that an
>> Access-Challenge packet was received from the NAS?
>
>   A NAS will NEVER send an Access-Challenge to the server.
>
>   A proxy will receive an Access-Challenge from a home server.  As was
> said, you need the latest code from the GIT to use that feature.
>
>   Alan DeKok.

Yeah, sorry about this mistake. I actually meant the home
server. ;-)

I will then compile fresh code.

Thanks for your help,

Dominique