Update warning
If you update from FreeRADIUS 2.1.9x to 2.1.10x your server might fail to start if the sample virtual server in the proxy.conf file is uncommented. I learned that the hard way.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP w/ freeradius to LDAP storing ntPassword not working
I asked the LDAP admin to change the format of the ntPassword to prepend it with 0x. Now radius -X gets the right hash, but it still has "no known good password was found in LDAP". Nevertheless, the authorization is ok. What is the right format to put in our LDAP ntPassword attribute? Should I ignore the error and focus on the Auth-Type error? I will reinstall 2.1.0 with all defaults and try it again.

Thanks,
Schilling

[ldap] looking for check items in directory...
[ldap] ntPassword - NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok al...@deployingradius.com wrote:
> schilling wrote:
>> Found Auth-Type = EAP
>> WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
>
> You have edited the default configuration and broken it. Don't do that.
>
> Alan DeKok.
EAP proxy (documentation) issue
While setting up proxying for EAP, I ran into the issue that only the first packet was proxied to the home server. Fortunately, I found the explanation in the list archive that the "ok = return" line in the eap configuration section of the default virtual server leads to the files section not being considered for follow-up packets. As I'm at least the second person running into this issue, would it make sense to add a comment to the example configuration to the effect that one may want to comment out that line (or, using unlang, if-out the eap section altogether) if one uses local EAP plus proxied EAP?
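As an added illustration of the "if-out" option mentioned in the post (this is not the poster's configuration nor the FreeRADIUS default file), the authorize section below keeps the "ok = return" short-circuit only for EAP that is terminated locally. It assumes the suffix realm module runs before eap and sets control:Proxy-To-Realm for users whose realm is a proxied home server, and uses the FreeRADIUS 2.x unlang attribute-existence test.

```unlang
authorize {
	preprocess
	# Splits user@realm; sets control:Proxy-To-Realm when the realm
	# is configured with a home server in proxy.conf.
	suffix

	# Default configuration (the problem described above): once eap
	# has handled a packet, "ok = return" stops the rest of authorize,
	# so "files" below is never reached for the follow-up EAP packets
	# that should have been proxied.
	#
	#eap {
	#	ok = return
	#}

	# Corrected: only short-circuit when the request is NOT going to
	# be proxied; proxied requests fall through to files and on to
	# the proxy logic.
	if (!control:Proxy-To-Realm) {
		eap {
			ok = return
		}
	}

	files
	expiration
	logintime
	pap
}
```

Local users still get the fast path through eap, while requests for a proxied realm keep being handled by the files section and the proxy machinery for every packet of the EAP conversation.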
Re: 20k r/s hardware requirements
Eichinger, Rene (NSN - AT/Wien) wrote:
> I need to figure out hardware requirements for a freeradius installation for ~20.000 requests per second. Is this the right place to get this information?

As your colleague was told in private email, that question is impossible to answer. It's too vague.

The short answer is $200K should buy you hardware that can do 20K requests/s. If that's too much, fine-tune your requirements, and the price will go down.

Alan DeKok.
samba version
Is there a particular version of Samba that runs better than others for ntlm_auth? I have an Ubuntu Lucid test server that authenticates wireless users fine using ntlm_auth on initial logins, but randomly it will start failing reauth attempts on laptops that have been logged in for a while. I searched through the mailing list archives and someone previously with the same problem downgraded to 3.0.30 to fix it, so I'm just curious.
Re: Doubt - Freeradius + Ldap
Sorry, but where do I check the shared secret? In clients.conf? If yes, the secret is ok! Thanks for any help.

On 11/04/2010 09:51 AM, eduardo moreira wrote:
> Sorry about this mail Josip, but I checked my clients.conf again, and I put the conf here for you to see.
>
> clients.conf
>
> client 127.0.0.1 {
> 	secret = password
> 	shortname = localhost
> 	nastype = other     # localhost isn't usually a NAS...
> }
>
> client 10.12.60.19 {
> 	secret = password
> 	shortname = any
> 	nastype = other
> }
>
> and I use this command to test the connection:
>
> radtest username 123456 10.12.60.19 1812 0 password
>
> And I see the debug log and receive this message:
>
> Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
> rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73
> 	User-Name = username
> 	User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> 	Framed-Protocol = PPP
> Thu Nov 4 09:30:02 2010 : Debug: +- entering group authorize
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: ++[preprocess] returns ok
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: ++[mschap] returns noop
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: - authorize
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing user authorization for username
> Thu Nov 4 09:30:02 2010 : Debug: expand: (uid=%u) - (uid=username)
> Thu Nov 4 09:30:02 2010 : Debug: expand: dc=a,dc=a,dc=c,dc=b - dc=a,dc=a,dc=c,dc=b
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
> Thu Nov 4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP connection lost.
> Thu Nov 4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP connection
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra proxy.intra localhost:389, authentication 0
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: bind as cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra proxy.intra localhost:389
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: performing search in dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = {crypt}tg/iHj5yM2iXI in check items
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in directory...
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute userPassword as RADIUS attribute Password-With-Header == {crypt}tg/iHj5yM2iXI
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambantPassword as RADIUS attribute NT-Password == 0x3738463934413643303931413730423936454135373046344341353438304531
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute sambalmPassword as RADIUS attribute LM-Password == 0x3743414142444638393134314430423841414433423433354235313430344545
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS attribute Group == username
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in directory...
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: user username authorized to use remote access
> Thu Nov 4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: ++[ldap] returns ok
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: rlm_eap: No EAP-Message, not doing EAP
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: ++[eap] returns noop
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
> Thu Nov 4 09:30:02 2010 : Debug: ++[chap] returns noop
> Thu Nov 4
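Added example (not from either thread): the rlm_ldap output above reports sambantPassword as a 32-byte NT-Password value, whereas an NT hash is 16 bytes; decoding those 32 bytes gives the ASCII text of a 32-character hex hash, i.e. the stored hash string was hex-encoded once more, while the 0x771cfd... value in the earlier PEAP/ntPassword thread is a proper 16-byte hash. The checker below classifies an NT-Password check item as it appears in radiusd -X output; both sample values are copied from the posts.

```python
import binascii
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Sample values copied from the debug output quoted in the posts above.
SAMPLE_VALUES = {
    # 16 bytes: a well-formed NT hash (PEAP/ntPassword thread)
    "ntPassword": "0x771cfdfe02a8c15e15b3e0e4974602fa",
    # 32 bytes: the sambantPassword value rlm_ldap logged in the Debian thread
    "sambantPassword": "0x3738463934413643303931413730423936454135373046344341353438304531",
}


def classify_nt_password(value: str) -> tuple:
    """Classify an NT-Password check item as printed by radiusd -X.

    Returns ("ok", hash_hex) for a 16-byte hash, ("double-hex", hash_hex) when
    the 32 bytes are the ASCII text of a hex hash, else ("invalid", reason).
    """
    raw = value[2:] if value[:2].lower() == "0x" else value
    if not HEX_RE.match(raw) or len(raw) % 2:
        return ("invalid", "not an even-length hex string")
    data = binascii.unhexlify(raw)
    if len(data) == 16:
        return ("ok", raw.lower())
    if len(data) == 32:
        inner = data.decode("ascii", errors="replace")
        if HEX_RE.match(inner):
            # The 16-byte hash was stored as 32 hex characters and then
            # hex-encoded again as raw octets: MS-CHAP can never match it.
            return ("double-hex", inner.lower())
    return ("invalid", f"{len(data)} bytes, NT hash is 16")


def report(values: dict) -> dict:
    """Run the check over every attribute/value pair."""
    return {name: classify_nt_password(v) for name, v in values.items()}


if __name__ == "__main__":
    for name, result in report(SAMPLE_VALUES).items():
        print(f"{name}: {result[0]} {result[1]}")
```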
Re: Doubt - Freeradius + Ldap
On 11/05/2010 06:47 PM, Eduardo Moreira wrote:
> Sorry, but where do I check the shared secret? In clients.conf?

Yes

> If yes, the secret is ok!

No it isn't; look at the packet:

> Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
> rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73
> 	User-Name = username
> 	User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> 	Framed-Protocol = PPP

The User-Password attribute has clearly been decrypted badly; this means you've got the shared secret wrong somewhere.
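Added example, not part of the reply above, showing why a wrong shared secret produces the garbage User-Password in the debug output: RFC 2865 section 5.2 hides the password by XORing it with MD5(secret + Request-Authenticator), so a server using a different secret recovers pseudo-random bytes instead of text. The helpers are written for this example (not FreeRADIUS or radtest code); the password and secret are the ones from the radtest command in the thread, and the authenticator is a constructed fixed value.

```python
import hashlib
import string

# RFC 2865 5.2: the first 16-byte block of the password is XORed with
# MD5(secret + Request-Authenticator); each further block with
# MD5(secret + previous ciphertext block).

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


# Printable ASCII (space through '~'); control characters excluded.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def looks_like_cleartext(value: bytes) -> bool:
    """A correctly decrypted password is printable text; with a secret
    mismatch you get bytes like the c\\355W'\\021... in the post."""
    return len(value) > 0 and all(b in PRINTABLE for b in value)


# Constructed sample: radtest's password and secret from the thread, and a
# fixed 16-byte Request-Authenticator (radtest would pick a random one).
PASSWORD = b"123456"
SECRET = b"password"
AUTHENTICATOR = bytes(range(16))


def demo(secret_on_server: bytes) -> bytes:
    """Client hides with SECRET; the server tries secret_on_server."""
    hidden = hide_user_password(PASSWORD, SECRET, AUTHENTICATOR)
    return reveal_user_password(hidden, secret_on_server, AUTHENTICATOR)


if __name__ == "__main__":
    print("same secret:     ", demo(SECRET))
    print("different secret:", demo(b"Password"))
```

Running it shows the clean "123456" for the matching secret and an unreadable byte string for a mismatched one; the mismatch is a property of the packet, which is why checking the bytes in radiusd -X is the right first step.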
Re: Doubt - Freeradius + Ldap
There's many a slip 'twixt the cup and the lip. I promise you'll want to kick yourself when you find the simple difference after so many messages. Many of us have the grace to go through this necessarily humbling exercise in private.

On 2010-11-05 2:47 PM, Eduardo Moreira wrote:
> Sorry, but where do I check the shared secret? In clients.conf? If yes, the secret is ok! Thanks for any help.
Re: Doubt - Freeradius + Ldap
On 11/05/2010 03:06 PM, Phil Mayers wrote:
> On 11/05/2010 06:47 PM, Eduardo Moreira wrote:
>> Sorry, but where do I check the shared secret? In clients.conf?
>
> Yes
>
>> If yes, the secret is ok!
>
> No it isn't; look at the packet:
>
>> Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
>> rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73
>> 	User-Name = username
>> 	User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
>> 	NAS-IP-Address = 127.0.1.1
>> 	NAS-Port = 1812
>> 	Framed-Protocol = PPP
>
> The User-Password attribute has clearly been decrypted badly; this means you've got the shared secret wrong somewhere.

A common problem for folks who build their own versions of FreeRADIUS and mix it with a prebuilt version is that the root prefix is different. If you build it yourself the $prefix defaults to /usr/local, but (most?) all prebuilt packages use a $prefix of /usr. That means you can end up with two copies of your config files (and loads of other files). Carefully look at the debug output of your radiusd -X; it will give you the full path of the files it's reading. Make sure the clients.conf you're looking at is *exactly* the same one the server is *actually* reading. Do this even if you haven't built your own package, just for sanity's sake.

-- 
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Doubt - Freeradius + Ldap
Thanks John, I installed it on a Debian server, default config, apt-get install. The directory is /etc/freeradius. Sorry, I'm a newbie, but before I configured the ldap module FreeRADIUS worked; after configuring the ldap module, no way to connect. Certainly my problem stays with the ldap module, authentication... But I don't see where... Thanks for your reply.

On 11/05/2010 05:17 PM, John Dennis wrote:
> On 11/05/2010 03:06 PM, Phil Mayers wrote:
>> On 11/05/2010 06:47 PM, Eduardo Moreira wrote:
>>> Sorry, but where do I check the shared secret? In clients.conf?
>>
>> Yes
>>
>>> If yes, the secret is ok!
>>
>> No it isn't; look at the packet:
>>
>>> Mon Nov 1 15:06:16 2010 : Debug: Ready to process requests.
>>> rad_recv: Access-Request packet from host 10.12.60.19 port 50105, id=100, length=73
>>> 	User-Name = username
>>> 	User-Password = c\355W'\021tC\372\177R\232(\007\027n\263
>>> 	NAS-IP-Address = 127.0.1.1
>>> 	NAS-Port = 1812
>>> 	Framed-Protocol = PPP
>>
>> The User-Password attribute has clearly been decrypted badly; this means you've got the shared secret wrong somewhere.
>
> A common problem for folks who build their own versions of FreeRADIUS and mix it with a prebuilt version is that the root prefix is different. If you build it yourself the $prefix defaults to /usr/local, but (most?) all prebuilt packages use a $prefix of /usr. That means you can end up with two copies of your config files (and loads of other files). Carefully look at the debug output of your radiusd -X; it will give you the full path of the files it's reading. Make sure the clients.conf you're looking at is *exactly* the same one the server is *actually* reading. Do this even if you haven't built your own package, just for sanity's sake.
Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved
I am able to have PEAP/MSCHAPv2 work with the LDAP NT hash. radtest -t mschap will not work for PEAP/MSCHAPv2; the real Windows supplicant and wireless access point will work. The format in LDAP is not relevant: with or without the preceding 0x will work.

The configuration I changed from default is the following:

clients.conf - to add the testing AP IP and secret
eap.conf - to add the real certificate etc.
modules/ldap - to add the LDAP proxy account information
sites-enabled/inner-tunnel - uncomment the ldap line in authorize:

authorize {
	#
	# The ldap module will set Auth-Type to LDAP if it has not
	# already been set
	ldap
}

Now whenever I try to have a virtual server for another instance, it has the same error as before. Then I copied the sites-enabled/default content and put it within the virtual server, and it's working again. I then tried to reduce it to the minimum necessary configuration; the following is enough for the virtual server to work:

server ldap_ntpassword_1814 {
	listen {
		type = auth
		ipaddr = *
		port = 1814
	}
	listen {
		ipaddr = *
		port = 1815
		type = acct
	}
	authorize {
		eap {
			ok = return
		}
	}
	authenticate {
		eap
	}
}

Thanks,
Schilling

On Fri, Nov 5, 2010 at 7:12 AM, schilling schilling2...@gmail.com wrote:
> I asked the LDAP admin to change the format of the ntPassword to prepend it with 0x. Now radius -X gets the right hash, but it still has "no known good password was found in LDAP". Nevertheless, the authorization is ok. What is the right format to put in our LDAP ntPassword attribute? Should I ignore the error and focus on the Auth-Type error? I will reinstall 2.1.0 with all defaults and try it again.
>
> Thanks,
> Schilling
>
> [ldap] looking for check items in directory...
> [ldap] ntPassword - NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
> [ldap] looking for reply items in directory...
> WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
> [ldap] user sding authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>
> On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok al...@deployingradius.com wrote:
>> schilling wrote:
>>> Found Auth-Type = EAP
>>> WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
>>
>> You have edited the default configuration and broken it. Don't do that.
>>
>> Alan DeKok.
RE: freeradius and Cisco VPN IPSEC profiles authentication
Hi

How can I skip to the second DEFAULT if the first DEFAULT doesn't pass? So if the request comes from 10.1.1.2 and the user doesn't pass authentication, it should be forwarded to another DEFAULT (with the vpn_auth_name authentication). Now it stops at the first DEFAULT.

DEFAULT	Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
	Tunnel-Type = ESP,
	Tunnel-Private-Group-ID = Group,
	Tunnel-Password = cisco,
	Cisco-Avpair += "ipsec:dns-servers=10.1.1.6 10.1.1.7",
	Cisco-Avpair += "ipsec:addr-pool=vpn_pool",
	Cisco-Avpair += "ipsec:inacl=101",
	Cisco-Avpair += "ipsec:key-exchange=ike",
	Cisco-Avpair += "ipsec:key-exchange=preshared-key",
	Service-Type = Framed-User,
	Framed-Protocol = PPP

DEFAULT	Auth-Type := vpn_auth_name, NAS-IP-Address == 10.1.1.252
	Service-Type = Framed-User,
	Framed-Protocol = PPP

thanks