Update warning

2010-11-05 Thread Maurice James
If you update from FreeRadius 2.1.9x to 2.1.10x your server might fail to
start if the sample virtual server in the proxy.conf file is uncommented. I
learned that the hard way.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP w/ freeradius to LDAP storing ntPassword not working

2010-11-05 Thread schilling
I asked the LDAP admin to change the format of the ntPassword to
prepend 0x; now radius -X gets the right hash, but it still has
"No known good password was found in LDAP". Nevertheless, the
authorization is OK. What is the right format to put in our LDAP
ntPassword attribute? Should I ignore the error and focus on the
Auth-Type error?

I will reinstall 2.1.0 with all default, and try it again.

Thanks,

Schilling

[ldap] looking for check items in directory...
  [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user sding authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok


On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok al...@deployingradius.com wrote:
 schilling wrote:
 Found Auth-Type = EAP
   WARNING: Unknown value specified for Auth-Type.  Cannot perform
 requested action.

  You have edited the default configuration and broken it.  Don't do that.

  Alan DeKok.




EAP proxy (documentation) issue

2010-11-05 Thread Edgar Fuß
While setting up proxying for EAP, I ran into the issue that only the first 
packet was proxied to the home server.
Fortunately, I found the explanation in the list archive that the ok = return 
line in the eap configuration section of the default virtual server leads to 
the files section not being considered for follow-up packets.
As I'm at least the second person running into this issue, would it make sense 
to add a comment to the example configuration to the effect that one may want 
to comment out that line (or, using unlang, if-out the eap section altogether) 
if one uses local EAP plus proxied EAP?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 20k r/s hardware requirements

2010-11-05 Thread Alan DeKok
Eichinger, Rene (NSN - AT/Wien) wrote:
 I need to figure out hardware requirements for a freeradius installation
 for ~20.000 requests per second.
 
 Is this the right place to get this information?

  As your colleague was told in private email, that question is
impossible to answer.  It's too vague.

  The short answer is $200K should buy you hardware that can do 20K
requests/s.  If that's too much, fine-tune your requirements, and the
price will go down.

  Alan DeKok.


samba version

2010-11-05 Thread MONTFORD, AUSTIN
Is there a particular version of samba that runs better than others for
ntlm_auth?  I have an Ubuntu Lucid test server that authenticates
wireless users fine using ntlm_auth on initial logins, but randomly it
will start failing reauth attempts on laptops that have been logged in
for a while.  I searched through the mailing list archives and someone
previously with the same problem downgraded to 3.0.30 to fix it, so I'm just
curious.


Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Eduardo Moreira

Sorry, but where do I check the shared secret? In clients.conf?

If yes, the secret is OK!

Thanks for any help.



On 11/04/2010 09:51 AM, eduardo moreira wrote:
Sorry about this mail Josip, but I checked my clients.conf again, and 
I put the conf here for you to see.


clients.conf
client 127.0.0.1 {
        secret    = password
        shortname = localhost
        nastype   = other   # localhost isn't usually a NAS...
}
client 10.12.60.19 {
        secret    = password
        shortname = any
        nastype   = other
}

and i use this command to test connection:
radtest username 123456 10.12.60.19 1812 0 password

And i see log of debug and receive this message:
Mon Nov  1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105, 
id=100, length=73

User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP
Thu Nov  4 09:30:02 2010 : Debug: +- entering group authorize
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from preprocess (rlm_preprocess) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[preprocess] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling 
mschap (rlm_mschap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from mschap (rlm_mschap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[mschap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling ldap 
(rlm_ldap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: - authorize
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing user 
authorization for username

Thu Nov  4 09:30:02 2010 : Debug: expand: (uid=%u) -> (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b -> dc=a,dc=a,dc=c,dc=b

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in 
dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP 
connection lost.

Thu Nov  4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP 
connection
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra 
proxy.intra localhost:389, authentication 0
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: bind as 
cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra 
proxy.intra localhost:389

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in 
dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = 
{crypt}tg/iHj5yM2iXI in check items

Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in 
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
userPassword as RADIUS attribute Password-With-Header == 
{crypt}tg/iHj5yM2iXI
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
sambantPassword as RADIUS attribute NT-Password == 
0x3738463934413643303931413730423936454135373046344341353438304531
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
sambalmPassword as RADIUS attribute LM-Password == 
0x3743414142444638393134314430423841414433423433354235313430344545
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as 
RADIUS attribute Group == username
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in 
directory...
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: user username authorized 
to use remote access
Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release 
Id: 0
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from ldap (rlm_ldap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[ldap] returns ok
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 1

Thu Nov  4 09:30:02 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from eap (rlm_eap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[eap] returns noop
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 1
Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
from chap (rlm_chap) for request 1

Thu Nov  4 09:30:02 2010 : Debug: ++[chap] returns noop
Thu Nov  4 

Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Phil Mayers

On 11/05/2010 06:47 PM, Eduardo Moreira wrote:

  sorry, but where i checked the shared secret? in clients.conf?


Yes



if yes, secret is ok!


No it isn't; look at the packet:


Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 10.12.60.19 port 50105,
id=100, length=73
User-Name = username
User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Framed-Protocol = PPP


The User-Password attribute has clearly been decrypted badly; this means 
you've got the shared secret wrong somewhere.

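The symptom Phil points to, shown in working code. This is an added example, not part of the thread and not FreeRADIUS code: it implements the User-Password hiding from RFC 2865 section 5.2 that a NAS applies and a server reverses, using the secret ("password") and password ("123456") from the radtest command quoted above and a constructed Request Authenticator (a real NAS sends 16 random bytes per request). Decoding with a mismatched secret turns every 16-byte block into pseudo-random bytes, which radiusd -X prints with octal escapes such as \355 and \372, exactly the shape of the User-Password line in the quoted debug output.

```python
"""RFC 2865 User-Password hiding, and what a wrong shared secret looks like.

Added example; the secret and password are the values from the radtest
command in the thread, the Request Authenticator is a constructed placeholder.
"""
import hashlib
import string

SECRET = b"password"          # secret from clients.conf / radtest in the thread
PASSWORD = b"123456"          # password from the radtest command in the thread
# Constructed Request Authenticator; a real NAS picks 16 random bytes per packet.
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a cleartext password the way the NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes. Each block is XORed
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for off in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[off:off + 16], stream))
        out += block
        prev = block          # chaining: next key stream depends on this ciphertext
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode the User-Password attribute the way the server does, then drop padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for off in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[off:off + 16]
        out += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def looks_like_wrong_secret(decoded: bytes) -> bool:
    """The check Phil applies by eye: a real password decodes to printable text,
    while a shared-secret mismatch leaves non-printable bytes in every block."""
    return any(chr(b) not in string.printable for b in decoded)


if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    good = reveal_user_password(hidden, SECRET, REQUEST_AUTHENTICATOR)
    bad = reveal_user_password(hidden, b"not-the-secret", REQUEST_AUTHENTICATOR)
    print("on the wire  :", hidden.hex())
    print("right secret :", good, "bad secret?", looks_like_wrong_secret(good))
    print("wrong secret :", bad, "bad secret?", looks_like_wrong_secret(bad))
```

Because MD5 over the secret is the only thing that separates the two decodings, the server cannot tell a wrong secret from a correct one by the packet header alone; the garbage password is the first visible symptom, which is why the advice is to verify clients.conf rather than the LDAP module.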


Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Michael Lecuyer

There's many a slip 'twixt the cup and the lip

I promise you'll want to kick yourself when you find the simple 
difference after so many messages. Many of us have the grace to go 
through this necessarily humbling exercise in private.


On 2010-11-05 2:47 PM, Eduardo Moreira wrote:

sorry, but where i checked the shared secret? in clients.conf?

if yes, secret is ok!

thanks for any help.




Re: Doubt - Freeradius + Ldap

2010-11-05 Thread John Dennis


A common problem for folks who build their own versions of freeradius 
and mix it with a prebuilt version is the root prefix is different. If 
you build yourself the $prefix defaults to /usr/local, but (most?) all 
prebuilt packages use $prefix of /usr. That means you can end up with 
two copies of your config files (and loads of other files).


Carefully look at the debug output of your radiusd -X, it will give you 
the full path of the files it's reading. Make sure the clients.conf 
you're looking at is *exactly* the same one the server is *actually* 
reading. Do this even if you haven't built your own package, just for 
sanity's sake.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Doubt - Freeradius + Ldap

2010-11-05 Thread Eduardo Moreira
Thanks John, I installed it on a Debian server with the default config 
(apt-get install).

The directory is /etc/freeradius.

Sorry, I'm a newbie, but before I configured the ldap module FreeRADIUS 
worked; after configuring the ldap module there is no way to connect, so 
I'm certain my problem is with the ldap module, authentication ...

But I don't see where ...

Thanks for your reply.



Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved

2010-11-05 Thread schilling
I am able to have PEAP/MSCHAPv2 work with the LDAP NT hash.

radtest -t mschap will not work for PEAP/MSCHAPv2; the real Windows
supplicant and wireless access point will work.

The format in LDAP is not relevant; with or without the preceding 0x will work.

The configuration I changed from the default is the following:
clients.conf to add the testing AP IP and secret
eap.conf to add the real certificate etc.
modules/ldap to add the ldap proxy account information
sites-enabled/inner-tunnel - uncomment the ldap line in authorize
  authorize {
        #
        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap
  }

Now whenever I try to have a virtual server for another instance, it has
the same error as before.

Then I copied the sites-enabled/default content into the virtual server,
and it's working again. I then tried to reduce it to the minimum
necessary configuration; the following is what the virtual server needs
to work:

server ldap_ntpassword_1814 {
        listen {
                type = auth
                ipaddr = *
                port = 1814
        }
        listen {
                ipaddr = *
                port = 1815
                type = acct
        }
        authorize {
                eap {
                        ok = return
                }
        }
        authenticate {
                eap
        }
}

Thanks,

Schilling










RE: freeradius and Cisco VPN IPSEC profiles authentication

2010-11-05 Thread Jevos, Peter
Hi

How can I skip to the second DEFAULT if the first DEFAULT doesn't pass?

So if the request comes from 10.1.1.2 and the user doesn't pass
authentication, it should be forwarded to another DEFAULT (with the
vpn_auth_name authentication).

Now it stops at the first DEFAULT.

 

DEFAULT  Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group,
        Tunnel-Password = cisco,
        Cisco-Avpair += "ipsec:dns-servers=10.1.1.6 10.1.1.7",
        Cisco-Avpair += "ipsec:addr-pool=vpn_pool",
        Cisco-Avpair += "ipsec:inacl=101",
        Cisco-Avpair += "ipsec:key-exchange=ike",
        Cisco-Avpair += "ipsec:key-exchange=preshared-key",
        Service-Type = Framed-User,
        Framed-Protocol = PPP

DEFAULT  Auth-Type := vpn_auth_name, NAS-IP-Address == 10.1.1.252
        Service-Type = Framed-User,
        Framed-Protocol = PPP

 

thanks
