Re: Any One-Time password system.
Hello Sergii,

> Is it possible to use OTP with ms-chap authorization?

no, it is _not_.

Cheers,
Thomas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Any One-Time password system.
This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?

2013/5/16 Thomas Glanzmann tho...@glanzmann.de:

> Hello Sergii,
>
>> Is it possible to use OTP with ms-chap authorization?
>
> no, it is _not_.
>
> Cheers,
> Thomas
Re: Any One-Time password system.
Sergii Bieliaievskyi wrote:
> This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?

I think you misunderstand the issues. OTP passwords were created so that it doesn't *require* that the password be hidden. Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.

The two systems are *designed* to be incompatible.

Alan DeKok.
Re: Any One-Time password system.
On 16/05/13 13:44, Sergii Bieliaievskyi wrote:
> This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?

Because the protocols are old, and badly designed, but are widely deployed because the vendor (Microsoft) has monopoly power.
Re: Any One-Time password system.
2013/5/16 Alan DeKok al...@deployingradius.com:

> Sergii Bieliaievskyi wrote:
>> This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?
>
> I think you misunderstand the issues. OTP passwords were created so that it doesn't *require* that the password be hidden. Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
>
> The two systems are *designed* to be incompatible.

But only ms-chap supports data encryption. I want to use OTP and MPPE simultaneously. But MPPE without ms-chap can't exist. Am I right?
Problem with PAP authentication on freeradius-3.0.0
Hi,

I have a problem with PAP authentication on freeradius-3.0.0, but on freeradius-2.2.1 everything works correctly. Could you please help me, thx.

Debug output for freeradius-3.0.0:

radiusd@tdrad1test:/storage/app/radius/raddb/auth-new$ /storage/app/radius/freeradius-3.0.0/sbin/radiusd -X -d /storage/app/radius/raddb/auth-new
radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on May 14 2013 at 16:22:54
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
...
Listening on proxy address * port 0
Listening on auth address * port 1812 as server default
Listening on auth address * port 1645 as server default
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 50633, id=15, length=115
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    Calling-Station-Id = 421905012405
    Called-Station-Id = l2tp.vps
    Framed-Protocol = PPP
    User-Name = l...@radiustest.sk
    User-Password = l2tp
    Connect-Info = 864
    NAS-IP-Address = 213.151.234.114
(0) # Executing section authorize from file /storage/app/radius/raddb/auth-new/sites-enabled/default
(0) group authorize {
(0) - entering group authorize {...}
(0) [chap] = noop
(0) suffix : Looking up realm radiustest.sk for User-Name = l...@radiustest.sk
(0) suffix : Found realm DEFAULT
(0) suffix : Adding Stripped-User-Name = l2tp
(0) suffix : Adding Realm = DEFAULT
(0) suffix : Authentication realm is LOCAL.
(0) [suffix] = ok
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Called-Station-Id = l2tp.vps
rlm_perl: Added pair Calling-Station-Id = 421905012405
rlm_perl: Added pair Framed-Protocol = PPP
rlm_perl: Added pair User-Name = l...@radiustest.sk
rlm_perl: Added pair User-Password = l2tp
rlm_perl: Added pair Connect-Info = 864
rlm_perl: Added pair Realm = DEFAULT
rlm_perl: Added pair Stripped-User-Name = l2tp
rlm_perl: Added pair NAS-IP-Address = 213.151.234.114
rlm_perl: Added pair Current-Time = 1368711260
rlm_perl: Added pair Password-With-Header = {SSHA}cAgh2LCe5649EzEAbc+nAfIOvOyOJSmU+sKiPA==
rlm_perl: Added pair VPDN_SERVICE_ID = User-GPRS-L2TP
(0) [perl] = ok
(0) [pap] = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /storage/app/radius/raddb/auth-new/sites-enabled/default
(0) group PAP {
(0) - entering group PAP {...}
(0) pap : login attempt with password l2tp
(0) pap : Using SSHA encryption.
(0) ERROR: pap : SSHA password check failed
(0) pap : Passwords don't match
(0) [pap] = reject
(0) Failed to authenticate the user.
(0) Login incorrect (pap: SSHA password check failed): [l...@radiustest.sk/l2tp] (from client localhost port 0 cli 421905012405)

Debug output for freeradius-2.2.1:

radiusd@tdrad1test:/storage/app/radius/raddb/auth$ /storage/app/radius/freeradius/sbin/radiusd -X -d /storage/app/radius/raddb/auth
radiusd: FreeRADIUS Version 2.2.1, for host x86_64-unknown-linux-gnu, built on May 2 2013 at 09:22:02
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
...
Listening on authentication address * port 1812
Listening on authentication address * port 1645
Listening on proxy address * port 37677
Listening on command file ../../log/radius/radius_auth.sock
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57436, id=196, length=115
    NAS-Port-Type = Virtual
    Service-Type = Framed-User
    Calling-Station-Id = 421905012405
    Called-Station-Id = l2tp.vps
    Framed-Protocol = PPP
    User-Name = l...@radiustest.sk
    User-Password = l2tp
    Connect-Info = 864
    NAS-IP-Address = 213.151.234.114
# Executing section authorize from file /storage/app/radius/raddb/auth/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] Looking up realm radiustest.sk for User-Name = l...@radiustest.sk
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = l2tp
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[files] returns noop
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair
Re: Any One-Time password system.
I want to change my security strategy. It would be better to use two-step verification by Google. There is google-authenticator (http://code.google.com/p/google-authenticator/) but it checks users in the local database /etc/passwd and so on. How should I synchronize my unix box with the corporate Google account database? Does anybody have such an experience?

2013/5/16 Sergii Bieliaievskyi s.bieliaievs...@sethq.com:

> 2013/5/16 Alan DeKok al...@deployingradius.com:
>
>> Sergii Bieliaievskyi wrote:
>>> This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?
>>
>> I think you misunderstand the issues. OTP passwords were created so that it doesn't *require* that the password be hidden. Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
>>
>> The two systems are *designed* to be incompatible.
>
> But only ms-chap supports data encryption. I want to use OTP and MPPE simultaneously. But MPPE without ms-chap can't exist. Am I right?
Re: Any One-Time password system.
Sergii Bieliaievskyi wrote:
> But only ms-chap supports data encryption. I want to use OTP and MPPE simultaneously. But MPPE without ms-chap can't exist. Am I right?

Yes.

Alan DeKok.
Re: Any One-Time password system.
On 16/05/13 14:27, Sergii Bieliaievskyi wrote:
> 2013/5/16 Alan DeKok al...@deployingradius.com:
>
>> Sergii Bieliaievskyi wrote:
>>> This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?
>>
>> I think you misunderstand the issues. OTP passwords were created so that it doesn't *require* that the password be hidden. Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
>>
>> The two systems are *designed* to be incompatible.
>
> But only ms-chap supports data encryption. I want to use OTP and MPPE simultaneously. But MPPE without ms-chap can't exist. Am I right?

No. MPPE requires encryption keys. These can be generated by whatever auth method.

If you use plain MSCHAP, MSCHAP generates them.

If you use PEAP/MSCHAP, PEAP generates them - the MSCHAP MPPE keys are thrown away, and not used.

If you use PEAP/GTC, again PEAP generates the MPPE keys.

If you use TTLS/PAP, TTLS generates the MPPE keys.
Re: Any One-Time password system.
On 16 May 2013, at 09:27, Sergii Bieliaievskyi s.bieliaievs...@sethq.com wrote:
> 2013/5/16 Alan DeKok al...@deployingradius.com:
>
>> Sergii Bieliaievskyi wrote:
>>> This is so frustrating :( How can it be possible to have strong security using reliable passwords and no encryption at the same time?
>>
>> I think you misunderstand the issues. OTP passwords were created so that it doesn't *require* that the password be hidden. Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
>>
>> The two systems are *designed* to be incompatible.
>
> But only ms-chap supports data encryption. I want to use OTP and MPPE simultaneously. But MPPE without ms-chap can't exist. Am I right?

What are you actually trying to use this with? 802.1X/WPA2-Enterprise or for VPN authentication.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Any One-Time password system.
Sergii Bieliaievskyi wrote:
> I want to change my security strategy.

I think you're taking the wrong approach. You don't get security by using a bunch of security software. You get security by understanding the risks, and working to minimize them.

> It would be better to use two-step verification by Google. There is google-authenticator (http://code.google.com/p/google-authenticator/) but it checks users in the local database /etc/passwd and so on. How should I synchronize my unix box with the corporate Google account database? Does anybody have such an experience?

I doubt it. And you'll probably run into timeouts. Users will take a long time to do two-step authentication. By the time they're done, the NAS will often give up on the authentication request.

Your system will be so secure that no one will be able to log in.

Alan DeKok.
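As a concrete picture of what Alan means by an OTP not requiring the password be hidden, here is the server side of RFC 6238 TOTP, the scheme google-authenticator implements: only the six-digit code crosses the wire, and the verifier recomputes it from a secret that never leaves the server. This is an added example, not google-authenticator or FreeRADIUS code; the secret is the RFC 4226/6238 reference secret, and the skew window and replay check are this example's own choices.

```python
"""Server-side TOTP verification (RFC 6238 over RFC 4226 HOTP). Added example."""
import hashlib
import hmac
import struct
from typing import Optional

# Reference secret from RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII digits).
TEST_SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6     # code length used by google-authenticator


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, now // step)


class TotpVerifier:
    """What the authentication server keeps per user: the shared secret and the
    newest time step already redeemed. The code itself carries no secret, so a
    channel that exposes it (PAP, for instance) gives an observer one value that
    expires within a step and, with the replay check below, cannot be reused."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window                     # tolerate +/- this many steps of clock skew
        self.last_counter: Optional[int] = None  # highest step accepted so far (example's own choice)

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # Replay protection: a step at or before the last success is never accepted again,
            # even if it still falls inside the skew window.
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)   # RFC 6238 vector at T=59; six-digit form is 287082
    print("code at T=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```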
Re: Basic question to authenticate switches and Linux boxes
Roberto Carna wrote:
> Dear, sorry for my confusion...I need to do the following:
>
> 1) Authenticate and authorize users accessing switches through TELNET and/or HTTP
> 2) Authenticate and authorize users accessing Linux servers through SSH

You're about 2 steps removed from RADIUS. First, find out how those systems use RADIUS. Then look at the RADIUS pieces.

Alan DeKok.
Re: Any One-Time password system.
2013/5/16 Alan DeKok al...@deployingradius.com:

> Sergii Bieliaievskyi wrote:
>> But only ms-chap supports data encryption. I want to use OTP and MPPE simultaneously. But MPPE without ms-chap can't exist. Am I right?
>
> Yes.

So OTP is useless. I don't need a system with a strong password and unencrypted data transfer.
Re: Any One-Time password system.
2013/5/16 Arran Cudbard-Bell a.cudba...@freeradius.org:

> What are you actually trying to use this with? 802.1X/WPA2-Enterprise or for VPN authentication.

VPN authentication. And it should be a multiplatform VPN. PPTP is supported by almost every vendor. I can establish a PPTP connection from iPhone, Android, Linux, MacOS and so on. That's why PPTP is preferable.
Re: Problem with PAP authentication on freeradius-3.0.0
BALSIANOK, Peter wrote:
> I have a problem with PAP authentication on freeradius-3.0.0, but on freeradius-2.2.1 everything works correctly. Could you please help me, thx.

Test cases are wonderful, thanks. Do a git pull. It's fixed. See changes to src/lib/base64.c.

Alan DeKok.
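For readers following the failure above, this is how the {SSHA} format that rlm_pap is checking is put together: base64 of SHA1(password || salt) followed by the salt, so the decoder must return every byte for the split and the compare to be right. Added example in Python, not FreeRADIUS code; the Password-With-Header value is the one from Peter's 3.0.0 debug output, and the length check, the error handling and the constant-time compare are this example's own.

```python
"""Parsing and checking {SSHA} password hashes. Added example, not rlm_pap code."""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20

# Password-With-Header value taken from the FreeRADIUS 3.0.0 debug output in this thread.
LOG_SSHA = "{SSHA}cAgh2LCe5649EzEAbc+nAfIOvOyOJSmU+sKiPA=="


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} string into (digest, salt). Raises ValueError on malformed input."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    try:
        blob = base64.b64decode(value[len("{SSHA}"):], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in SSHA value: {exc}") from exc
    if len(blob) <= SHA1_LEN:
        # Alan's reply points at a fix in src/lib/base64.c. A length check here turns a
        # decoder that returns too few bytes into an explicit error instead of the
        # silent "Passwords don't match" seen in the debug output.
        raise ValueError(f"decoded blob is {len(blob)} bytes, need more than {SHA1_LEN}")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def check_ssha(password: str, value: str) -> bool:
    """Recompute SHA1(password || salt) and compare in constant time."""
    digest, salt = parse_ssha(value)
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value; an 8-byte random salt is this example's default."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


if __name__ == "__main__":
    digest, salt = parse_ssha(LOG_SSHA)
    print(f"log value decodes to a {len(digest)}-byte digest and a {len(salt)}-byte salt")
    print("password from the log matches stored hash:", check_ssha("l2tp", LOG_SSHA))
    fresh = make_ssha("l2tp")
    print("round trip:", check_ssha("l2tp", fresh), "wrong password:", check_ssha("L2TP", fresh))
```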
Re: Any One-Time password system.
2013/5/16 Phil Mayers p.may...@imperial.ac.uk:

> No. MPPE requires encryption keys. These can be generated by whatever auth method.
>
> If you use plain MSCHAP, MSCHAP generates them.

Can you provide more information on how I can do that? Or where I can read about that? Thanks.
Re: Any One-Time password system.
PPTP is broken [1]. OpenVPN (for which there are clients for Android, iPhone, MacOS, Linux, Windows) is not. OpenVPN will use TLS certificates as well as other centrally managed authentication based systems (e.g. Radius, MOTP, maybe Google Authenticator?) to authenticate and authorize. There are lots and lots and lots of postings online discussing how to do these.

[1] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ also http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html and many others.

--
Jon The Nice Guy Spriggs

On 16 May 2013 15:41, Sergii Bieliaievskyi s.bieliaievs...@sethq.com wrote:
> 2013/5/16 Arran Cudbard-Bell a.cudba...@freeradius.org:
>
>> What are you actually trying to use this with? 802.1X/WPA2-Enterprise or for VPN authentication.
>
> VPN authentication. And it should be a multiplatform VPN. PPTP is supported by almost every vendor. I can establish a PPTP connection from iPhone, Android, Linux, MacOS and so on. That's why PPTP is preferable.
Re: Any One-Time password system.
On 16/05/13 15:45, Sergii Bieliaievskyi wrote:
> 2013/5/16 Phil Mayers p.may...@imperial.ac.uk:
>
>> No. MPPE requires encryption keys. These can be generated by whatever auth method.
>>
>> If you use plain MSCHAP, MSCHAP generates them.
>
> Can you provide more information on how I can do that? Or where I can read about that?

I apologise - I misunderstood what you were doing. If you're using plain MSCHAP for PPTP and want to combine this with OTP, it's probably impossible.
Re: Any One-Time password system.
On Thu, May 16, 2013 at 11:18 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 16/05/13 15:45, Sergii Bieliaievskyi wrote:
>> 2013/5/16 Phil Mayers p.may...@imperial.ac.uk:
>>
>>> No. MPPE requires encryption keys. These can be generated by whatever auth method.
>>>
>>> If you use plain MSCHAP, MSCHAP generates them.
>>
>> Can you provide more information on how I can do that? Or where I can read about that?
>
> I apologise - I misunderstood what you were doing. If you're using plain MSCHAP for PPTP and want to combine this with OTP, it's probably impossible.

Hmm. I did a test integration with our two-factor authentication server and poptop: http://www.howtoforge.com/security-issues-and-poptop-pptp. It worked, but I agree that PPTP is beyond busted. OpenVPN is a much better choice. It is also super simple to integrate via PAM: http://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn . Those examples use our Enterprise edition which supports radius (via a 3rd party, licensed module). I would love it if someone would do a freeradius module using our API: http://www.wikidsystems.com/downloads/network-clients. We have a python package.

nick
Re: Need help: login incorrect with FR 2.2.1
On Fri, May 17, 2013 at 2:09 AM, Wang, Yu ywan...@fsu.edu wrote:
> Hello,
>
> I upgraded FR from 2.1.10 to 2.2.1. Everything went well except about 25% of our wireless users cannot authenticate after the upgrade. The backend authentication server is Active Directory and we use ntlm_auth from winbind to pass the MSCHAPv2 response from FR to AD.
>
> rlm_perl: Added pair NT-Password = 0x33343133344331374133364243314244413638324232323239443431
> [pap] Normalizing NT-Password from hex encoding

Just curious. Do ALL the failed users have an NT-Password attribute added by rlm_perl?

IIRC the reason for using ntlm_auth is that AD would NOT give out NT-Password when running in LDAP mode. Or to put it another way, if you had access to NT-Password (e.g. stored in another database, whatever), then you won't need ntlm_auth at all.

If you DO use ntlm_auth (which I don't see from the debug log), try removing NT-Password from the list of attributes added by rlm_perl. My guess is that whatever your rlm_perl data source is, it is out of sync with your AD.

--
Fajar