Re: Any One-Time password system.

2013-05-16 Thread Nick Owen
On Thu, May 16, 2013 at 11:18 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 16/05/13 15:45, Sergii Bieliaievskyi wrote:




 2013/5/16 Phil Mayers p.may...@imperial.ac.uk


 No.

 MPPE requires encryption keys. These can be generated by whatever
 auth method.

 If you use plain MSCHAP, MSCHAP generates them.


 Can you provide more information how can i do that? Or where can i read
 about that?


 I apologise - I misunderstood what you were doing.

 If you're using plain MSCHAP for PPTP and want to combine this with OTP,
 it's probably impossible.



Hmm.  I did a test integration with our two-factor authentication server
and poptop: http://www.howtoforge.com/security-issues-and-poptop-pptp. It
worked, but I agree that PPTP is beyond busted.  OpenVPN is a much better
choice.  It is also super simple to integrate via PAM:
http://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn.

Those examples use our Enterprise edition which supports radius (via a 3rd
party, licensed module).  I would love it if someone would do a freeradius
module using our API: http://www.wikidsystems.com/downloads/network-clients.
We have a python package.

nick
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius authentication against LDAP question

2012-05-31 Thread Nick Owen
On Thu, May 31, 2012 at 10:05 AM, Jimmy g17ji...@gmail.com wrote:
 How do I enable Freeradius to not only authenticate a user but
 verify a specific attribute for the user? I've been going through the
 docs but this is escaping me.

 Thanks.
 -

I'm not sure if this will help, but I have a tutorial on how to
configure two-factor authentication through freeradius with
authorization by openldap.  The setup uses the access_attr =
dialupAccess.  I bet you can use whatever.

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius

HTH,

Nick

-- 
--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: FreeRadius - IIS Outlook Web Access (OWA)

2012-05-03 Thread Nick Owen
On Thu, May 3, 2012 at 3:51 PM, udptelecom udptele...@gmail.com wrote:


 Hi,

 Anyone know of an ISAPI filter that understands RADIUS that can be used to
 authenticate to FreeRadius. This would be used to authenticate access to
 Outlook Web Access (OWA) running under IIS. I know of one provider
 http://www.tcpdata.com - but their site is currently down and all my calls
 & emails have gone unanswered.

 Thanks!

 Abedi

Have you seen MS Forefront?

-- 
--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: Freeradius as a PIN server?

2011-12-14 Thread Nick Owen
On Wed, Dec 14, 2011 at 5:39 AM, Sušnik Rudolf rudolf.sus...@telekom.si wrote:
 Perhaps you may want to deliver the PIN to the user's cellular over SMS. Anyway 
 Freeradius seems not to be enough; at least you would need some external 
 database and web server, both for creating and storing PINs. I did the task 
 using FR, Apache and MySql. As I see, my concept is quite similar to Nick's 
 one.

 Regards, Rudolf.

If you are considering SMS for authentication, I suggest you consider
the risks involved. The carriers are in no way incented to secure user
accounts or SMS.  It might be fine for many non-critical uses and is
better than just a static password, but if you really need strong
authentication, you won't get that from SMS.  My latest rant and a
listing of examples of SMS breaches:
http://www.wikidsystems.com/WiKIDBlog/fraudsters-defeat-poor-risk-management-not-two-factor-authentication

Sorry to be off-topic...

nick



 -Original Message-
 From: freeradius-users-bounces+rudolf.susnik=telekom...@lists.freeradius.org 
 [mailto:freeradius-users-bounces+rudolf.susnik=telekom...@lists.freeradius.org]
  On Behalf Of Nick Owen
 Sent: Tuesday, December 13, 2011 6:58 PM
 To: FreeRadius users mailing list
 Subject: Re: Freeradius as a PIN server?

 On Tue, Dec 13, 2011 at 11:07 AM, Peter Moreton peter.more...@cbi.org.uk 
 wrote:
 Sorry for the newbie question, but, quite simply, could Freeradius be
 configured to provide a simple 'PIN Server' ? - I want users to be
 able to choose a 4 digit PIN, and then have Freeradius validate Logon
 requests using the username/PIN combination (in addition to some
 separate LDAP
 authentication)



 Really, I am looking to build a lightweight 2-factor authentication
 system, without the expense of RSA SecurID or similar.

 I'm afraid knowledge of a PIN and knowledge of a password is not two-factor 
 authentication, it is just more of a one-factor authentication.

 Feel free to use our open-source two-factor authentication system:
 http://www.wikidsystems.com/community-version.  If someone wants to 
 contribute a freeradius rlm module using one of our api packages, we would 
 greatly appreciate it:
 http://www.wikidsystems.com/downloads/network-clients

 Nick

 --
 --
 Nick Owen
 WiKID Systems, Inc.
 404.962.8983
 http://www.wikidsystems.com
 Commercial/Open Source Two-Factor Authentication





-- 
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication



Re: Freeradius as a PIN server?

2011-12-13 Thread Nick Owen
On Tue, Dec 13, 2011 at 11:07 AM, Peter Moreton
peter.more...@cbi.org.uk wrote:
 Sorry for the newbie question, but, quite simply, could Freeradius be
 configured to provide a simple ‘PIN Server’ ? – I want users to be able to
 choose a 4 digit PIN, and then have Freeradius validate Logon requests using
 the username/PIN combination (in addition to some separate LDAP
 authentication)



 Really, I am looking to build a lightweight 2-factor authentication system,
 without the expense of RSA SecurID or similar.

I'm afraid knowledge of a PIN and knowledge of a password is not
two-factor authentication, it is just more of a one-factor
authentication.

Feel free to use our open-source two-factor authentication system:
http://www.wikidsystems.com/community-version.  If someone wants to
contribute a freeradius rlm module using one of our api packages, we
would greatly appreciate it:
http://www.wikidsystems.com/downloads/network-clients

Nick

-- 
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication



patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-30 Thread Nick Owen
Greetings:

We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option,
always_prompt, in the attached code.  This will force a "WiKID
Passcode:" prompt regardless of any previous password entry. This can
be changed, of course.

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite     /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
124a125,128
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
   DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option);
 
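Review bot: the new `ctrl |= PAM_ALWAYS_PROMPT;` line uses a flag that no hunk in this patch defines, so the module will not build against the unpatched source unless a `#define PAM_ALWAYS_PROMPT` with a bit value distinct from the existing PAM_* control flags is added; please include that hunk. The `always_prompt` option also needs a line in the module's option documentation saying that it ignores any password handed down by an earlier module and always prompts the user itself.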
1134,1136c1138,1149
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   DPRINT(LOG_DEBUG, Should prompt for the passcode now...);
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   DPRINT(LOG_DEBUG, Got passcode %s, password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
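Review bot: `password = strdup(password);` is executed before `PAM_FAIL_CHECK`, so when `rad_converse` fails (no conversation function, or the user aborts at the prompt) its result is dereferenced before the failure is noticed; move `PAM_FAIL_CHECK` to directly after the `rad_converse` call and only then duplicate the string. The `DPRINT(LOG_DEBUG, Got passcode %s, password)` line writes the one-time passcode itself into the debug log; log only that a passcode was received. Nothing in the hunk zeroes or frees the duplicated buffer, which now holds a live OTP, so clear and free it on every exit path.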
1149c1162
 
---
 
1154d1166
 
124a125,127
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
 
1134,1136c1137,1146
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
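Review bot: in this variant too, `PAM_FAIL_CHECK` follows `password = strdup(password);`, so a failed `rad_converse` is only detected after its output has already been used; test `retval` first. The comment typo `always_propmpt` should read `always_prompt`, and the hard-coded prompt text `WiKID Passcode: ` would be better taken from a module option so the same build stays usable with other RADIUS-backed OTP servers.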
1149c1159
 
---
 
1154d1163
 

patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-29 Thread Nick Owen
We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option,
always_prompt, in the attached code.  This will force a "WiKID
Passcode:" prompt regardless of any previous password entry.

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite    /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
124a125,128
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
   DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option);
 
1134,1136c1138,1149
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   DPRINT(LOG_DEBUG, Should prompt for the passcode now...);
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   DPRINT(LOG_DEBUG, Got passcode %s, password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
1149c1162
 
---
 
1154d1166
 
124a125,127
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
 
1134,1136c1137,1146
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
1149c1159
 
---
 
1154d1163
 

Re: The story of PAP, CHAP and the blank password

2011-03-16 Thread Nick Owen
On Wed, Mar 16, 2011 at 10:21 AM, Kenneth Marshall k...@rice.edu wrote:
 On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
 Hi,

 Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I
 would be implementing this in a SuSE server.

 Can any one help me how to do it?

 Regards,
 Neo

 I thought there was a link to a how-to for this on the mobile-otp
 website. I am getting ready to do it here as well with Redhat.

Here's one that I did for the WiKID one-time password system. I bet that
the first half on openldap and freeradius would be exactly the same:

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-openldap-and-freeradius/?searchterm=freeradius

HTH,

Nick


 Cheers,
 Ken




-- 
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: Authenticating agains AD issues

2010-11-01 Thread Nick Owen
On Fri, Oct 29, 2010 at 6:37 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 Hi,

 This may be 100% off the mark, but have you tried using the AD radius
 plugin IAS? I have tested its support for proxying for a
 proof-of-concept and it was quite simple to setup.  I have no
 production experience.

 cough splutter. why use IAS? this is a FreeRADIUS mailing list.
 FR is superior in so many ways it's not even funny... so if the choice
 of RADIUS is FR - then why think of using another one?  AD
 integration with FR works fine (we use it and have AAA action of several 
 thousand
 sessions per hour) - some distros and setups (particularly the windows
 side of the setup) may require some extra knowledge.  binding our
 systems to the local ADs (all 3 of them) was trivial


Oh, yes, to be clear, I only meant to use IAS to check the membership
in AD from Freeradius.  Not as a replacement of Freeradius.  I do give
credit to MS for their support of the standard.

nick
-- 
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication



Re: Authenticating agains AD issues

2010-10-29 Thread Nick Owen
On Thu, Oct 28, 2010 at 6:15 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 Hi,

  I ran across a post on the redhat forums that stated that you must
  start smbd before winbindd; otherwise, even though running ntlm_auth
  seems to work from the command line, it doesn't work when running
  FreeRadius.

 interesting; do you have a link?

 I can't pull out a direct link but can say that standard system scripts
 start smbd before winbindd - as winbindd uses some samba resources it
 does make sense.

 alan


This may be 100% off the mark, but have you tried using the AD radius
plugin IAS? I have tested its support for proxying for a
proof-of-concept and it was quite simple to setup.  I have no
production experience.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: Is Centralized SSH Public Key Authentication Possible?

2010-02-17 Thread Nick Owen
On Wed, Feb 17, 2010 at 3:24 PM, John L. Singleton jsing...@gmail.com wrote:

 Hi All,

 I am trying to set up a centralized SSH authentication server that allows
 authentication via public keys. I can't find anything on the web about if
 this is possible with FR. Is it? Basically all I need is for FR to allow
 authentication off of a respective user's .ssh/.authorized_keys file. So
 far all I can seem to get going is password authentication. Can anyone let
 me know if this is even doable?



You are probably barking up the wrong tree with freeradius.  Check out this
tutorial I wrote on setting up a centralized SSH server:
http://www.howtoforge.net/secure_ssh_with_wikid_two_factor_authentication.
The difference is that I suggest using two-factor authentication with OTPs
to get into the key server (because public key SSH does not meet certain
regulatory requirements).  You may want to use Freeradius to route the
OTPs to the auth server.

HTH,

nick


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

Re: OT: Implementing RSA's SecurID

2009-03-04 Thread Nick Owen
On Tue, Mar 3, 2009 at 11:38 PM, Greg Vickers g.vick...@qut.edu.au wrote:
 Hi,

 (Apologies for an OT post) I was wondering if anyone know of any user list
 that would contain a community of people who implement systems like RSA's
 SecurID?  The reason is that I am researching who else has implemented
 SecurID and am trying to find if there is another company or organisation
 who has implemented it in the way we wish to.

 Thanks,
 --
 Greg Vickers
 Phone: +61 7 3138 6902
 IT Security Engineer & Project Manager
 Queensland University of Technology, CRICOS No. 00213J

There's a yahoo group for RSA.  I suggest you try there.  I would
think you could also try RSA itself.

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication



Re: freeradius with PAM authentication

2009-02-13 Thread Nick Owen
On Wed, Feb 11, 2009 at 10:52 PM, robin abdullah.hoss...@aamra.com.bd wrote:
 Can anyone help me to configure PAM authentication with
 freeradius? Does anyone have a step by step guide for pam authentication, or
 can suggest tutorials to follow?



 Any tips and guide on this issue will be highly appreciated. Thanks in
 advance

Robin:

I have some how-tos on PAM radius, mostly to configure two-factor
authentication, but they may be of general use:

http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to/

http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid/

Mostly these are based on Redhat flavors.  Keep in mind that each OS
has different methods of handling their /etc/pam.d/sshd settings.

HTH,

Nick

-- 
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Freeradius integration

2009-02-01 Thread Nick Owen
On Thu, Jan 29, 2009 at 2:26 AM, Alan DeKok al...@deployingradius.com wrote:
 Amy Hawke wrote:
 We would like to get two factor authentication working using the
 username/password from our current LDAP directories and then
 username/RSA token code.

  That will likely *not* work.  The NAS has to support this behavior,
 and usually doesn't.

  The RSA product is unable to connect to our
 current directories, so if possible we would like to perform the first
 step using FreeRADIUS and then proxy the second part of the request
 through to the RSA Authentication manager.

  We're currently working to get FreeRADIUS integrated with the RSA
 token libraries.  There are licensing restrictions, so the resulting
 code will likely not be part of the official release.  But it should
 be available.

We're interested in getting libraries integrated with Freeradius and
there would be no licensing issues - we can do a complete opensource
offering.  What's the best way to get this started?   What are the
programming requirements? One concern is that while we have support
for java, python, C#, PHP and Ruby, we do not have any C libraries.
Is it of interest?

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: Freeradius integration

2009-02-01 Thread Nick Owen
On Sun, Feb 1, 2009 at 12:58 PM, Alan DeKok al...@deployingradius.com wrote:
 Nick Owen wrote:
 We're interested in getting libraries integrated with Freeradius and
 there would be no licensing issues - we can do a complete opensource
 offering.  What's the best way to get this started?   What are the
 programming requirements? One concern is that while we have support
 for java, python, C#, PHP and Ruby, we do not have any C libraries.
 Is it of interest?

  Yes.

  The server supports both Java & Python, though the Python interpreter
 is directly integrated, and the Java one isn't.

  My suggestion is to supply a sample Python configuration & Python
 script that uses your system.  They can then go into:

scripts/wikid.py      # python script using your libraries
raddb/modules/wikid   # rlm_python configuration


Excellent,  I will take a crack at this - it might be a while as I'm
recovering from a laptop near death experience (covered by warranty
but requires off-site repair).

Nick

-- 
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
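An added example, not code from this thread, from WiKID or from the FreeRADIUS project: the shape of the scripts/wikid.py file Alan describes, written as an rlm_python authenticate() hook. It splits a PAP User-Password into PIN + one-time passcode and checks both. Since the WiKID network-client API is not shown on the page, the passcode check is a stand-in RFC 4226 HOTP verifier over a constructed in-memory user table (secret, PIN, counter); the `radiusd` fallback for running outside the server, the fixed PIN length and the handling of 2.x-style quoted attribute values are assumptions noted in the comments.

```python
"""rlm_python authenticate() hook: PIN + one-time passcode over PAP.
Added example; the HOTP check stands in for a call to the WiKID client."""
import hashlib
import hmac
import struct

# Inside the server rlm_python injects a `radiusd` module.  Outside it
# (unit tests, running this file by hand) provide the same names; the
# constant values are assumed to mirror FreeRADIUS's rlm_module codes.
try:
    import radiusd
except ImportError:
    class radiusd:  # stand-in for the server-provided module
        RLM_MODULE_REJECT = 0
        RLM_MODULE_OK = 2
        L_AUTH = 2

        @staticmethod
        def radlog(level, msg):
            print("[%d] %s" % (level, msg))

PIN_LEN = 4        # assumption: fixed-length PIN typed in front of the OTP
LOOKAHEAD = 3      # how many not-yet-used counter values we accept

# Constructed sample data: the RFC 4226 reference secret, counter at 0.
USERS = {
    "alice": {"pin": "4711", "secret": b"12345678901234567890", "counter": 0},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(username: str, pin: str, otp: str) -> bool:
    """Check PIN and passcode; advance the counter so a code is never
    accepted twice.  A WiKID deployment would call the WiKID network
    client with username and passcode at this point instead."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
    matched = None
    for c in range(rec["counter"], rec["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(rec["secret"], c).encode(), otp.encode()):
            matched = c
            break
    if not pin_ok or matched is None:
        return False
    rec["counter"] = matched + 1
    return True


def _attrs(p):
    """rlm_python hands the request over as a tuple of (name, value) pairs.
    FreeRADIUS 2.x wrapped string values in double quotes, 3.x does not
    (assumption); strip such a wrapper so both behave the same."""
    out = {}
    for name, value in p:
        if isinstance(value, str) and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out[name] = value
    return out


def authenticate(p):
    """Entry point named by func_authenticate in the rlm_python config."""
    attrs = _attrs(p)
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")   # PAP only; PIN followed by OTP
    if not user or not password or len(password) <= PIN_LEN:
        return radiusd.RLM_MODULE_REJECT
    pin, otp = password[:PIN_LEN], password[PIN_LEN:]
    if verify_otp(user, pin, otp):
        radiusd.radlog(radiusd.L_AUTH, "wikid example: accepted %s" % user)
        return radiusd.RLM_MODULE_OK
    # Log the outcome, never the PIN or the passcode.
    radiusd.radlog(radiusd.L_AUTH, "wikid example: rejected %s" % user)
    return radiusd.RLM_MODULE_REJECT
```

Wired in through raddb/modules/wikid with a `python` module block whose `mod_authenticate`/`func_authenticate` point at this file and at `authenticate`, and with `Auth-Type := Python` set in authorize, the server calls `authenticate()` once per Access-Request. The counter only advances on a full match, so a captured passcode cannot be replayed, and neither PIN nor passcode ever reaches the log.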


Re: PAM for RADIUS

2008-05-07 Thread Nick Owen
On Mon, May 5, 2008 at 5:46 AM, Ravi setty [EMAIL PROTECTED] wrote:
 Hi,
    We are trying to authenticate a Solaris box using RADIUS user
  accounts, and configured PAM to send ssh requests to RADIUS.
  Even though RADIUS accepts the user request by sending an Access-Accept
  packet, ssh is not logging in to the system.

  Does anybody know what to configure to make RADIUS users able to log in to the Solaris 
 box?

  Thanks,
  Ravi

Ravi:

It sounds like this is more of a PAM issue than radius.  I know
nothing about PAM on Solaris, but perhaps it is your pam.d/sshd file.
You might get more info on the PAM list or from Sun.  In your
pam.d/sshd file, check the setting for account and session.  Does your
log say that the user is being authenticated?  What messages are you
getting?

hth.

nick

-- 
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: local ssh authentication via radius possible?

2007-12-03 Thread Nick Owen
On Nov 26, 2007 10:55 AM, Dan Gahlinger [EMAIL PROTECTED] wrote:

  there is a lot of documentation missing.
 for example, when users are using SSH what's the Login-Service supposed
 to be?
 setting it to SSH doesn't work.

 so many unanswered questions about this.
 with SSH we don't want to assign the user an IP address so I just used
 Login-IP-Host
 and Service-Type Login-User

 radiusd also complains unknown module files

 this could really use a newbie setup guide with examples


http://www.howtoforge.com/configuring-ssh-to-use-freeradius-and-wikid-for-two-factor-authentication

This guide will essentially show you how to allow users to ssh to a
box using a freeradius server on that same box, which I think is your
goal.

It sounds like you have 'over-configured' something along the way. For
example, I would drop the Login-IP-Host accounting piece until
you've got the basics running.

hth,

nick


-- 
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: PAM_RADIUS_AUTH

2007-10-30 Thread Nick Owen
On 10/30/07, Sobanbabu Bakthavathsalu [EMAIL PROTECTED] wrote:

 Hi

 I am trying to install PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS 
 for user authentication.
 I have managed to successfully compile and install the pam plugin.
 When I tried to telnet to the machine from a different server I got 
 the following error.

 Failed looking up IP address for RADIUS server radius1 (errcode=12)

 I have made a host entry for this server name in the /etc/hosts file and am able to 
 ping the RADIUS server by name.
 But still it's not working.

 Could you please help on resolving this.

Lots of times this is a firewall issue where the port opening is set
for TCP and not UDP.  Check that.  Check that both are using port
1812, if that is what you are using.  Have you edited your telnet pam
entry?  I'm not familiar with Solaris, but that is what I would check.

More info would be helpful too.

HTH,

Nick

-- 
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
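An added example, not code from the thread or from pam_radius_auth: a small RADIUS PAP probe for testing the things Nick lists (UDP rather than TCP, port 1812, a matching shared secret) from the client host. It implements the RFC 2865 Access-Request layout, the User-Password hiding scheme and the Response Authenticator check on the reply, with the server-side computation included so the check can be exercised offline; the server address, secret and credentials in the `__main__` block are placeholders.

```python
"""Minimal RADIUS (RFC 2865) PAP probe.  Added example, not from pam_radius."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator.  This is secret-keyed obfuscation, not encryption:
    anyone holding the shared secret reverses it (see unhide_password)."""
    pad = (-len(password) % 16) if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it.  Trailing NUL padding
    is stripped, so a password that itself ends in NUL does not round-trip."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_id=b"pam-probe"):
    """Return (packet, request_authenticator); keep the authenticator to
    verify the reply."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_is_authentic(reply, request_authenticator, secret):
    """Recompute the Response Authenticator; a mismatch means a wrong shared
    secret, a forged reply, or a reply to some other request."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def probe(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and classify what comes back."""
    packet, req_auth = build_access_request(0x42, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: firewall not passing UDP/%d, or this host is not in clients.conf" % port
    if reply[1] != 0x42 or not reply_is_authentic(reply, req_auth, secret):
        return "reply failed the authenticator check: shared secret mismatch?"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names.get(reply[0], "unexpected code %d" % reply[0])


if __name__ == "__main__":
    # Placeholders: point these at the server pam_radius_auth is configured for.
    print(probe("192.0.2.10", b"testing123", b"bob", b"hello"))
```

A timeout points at the firewall or at this host missing from the server's clients.conf (FreeRADIUS silently drops requests from unknown clients); a reply that fails the authenticator check means the two sides disagree on the shared secret. Because the password hiding is MD5-keyed XOR that anyone holding the secret can reverse, the secret must be strong and the path to the server trusted.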


Re: mod_auth_radius

2007-10-17 Thread Nick Owen
On 7/19/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Rascher, Markus wrote:
  # service httpd start
  Starting httpd: httpd: Syntax error on line 205 of
  /etc/httpd/conf/httpd.conf: Cannot load
  /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
  /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf

   There are patches to make the module build with newer versions of
 Apache.  They should really be applied, but I've been busy with other
 things.

   Once that's done, a new version of the module should be released. Or are 
 the patches available somewhere so they can be applied?

Any idea on a time-frame for a new release?

thanks,

nick


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: access only particular website through RADIUS

2007-08-26 Thread Nick Owen
On 8/26/07, Arran Cudbard-Bell [EMAIL PROTECTED] wrote:
 liran tal wrote:
  Others may correct me but I believe that this is not the role of
  the RADIUS server. To actually do this kind of filtering you need
  to use other technologies such as proxies or captive portal (see
  chillispot).
 Yep, for the most part you're correct.
 However, some specific NAS vendors like HP have included Access Control
 List features settable using VSAs (Vendor specific attributes). But these
 are usually only available on the prohibitively expensive switches.

 Firewall, proxy server,or captive portal is the way to go with this
 one... Though if you want proper 802.1x authentication , then it's
 firewall/proxy server only.
 
  Regards,
  Liran.

For an example of how to do this with Apache, you can see this page.
You may not want two-factor authentication, but the idea is the same.
Note that there have been problems reported using a version of Apache
later than 2.2.2.

http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/

HTH,

Nick


 
  On 8/26/07, zamshed [EMAIL PROTECTED] wrote:
 
  dear Friends.
  I am a very new user of RADIUS.
  How can I configure this RADIUS for a particular USER, such that
  when that USER logs in with RADIUS, that user only gets PERMIT to access a
  fixed WEBSITE, and the rest will be BLOCKED for that particular USER?
  Can I do that with this RADIUS server?



-- 
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication


Re: How to add OTP validation to FreeRadius

2007-04-26 Thread Nick Owen
On 4/25/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote:
 Thanks Nick for replying.

 can you give me examples of such systems?

If you are looking for a software-based two-factor authentication system:
http://www.wikidsystems.com - our commercial server supports radius
and will work with freeradius, out of the box.

If you want open source - you would need to develop a plug-in
connecting WiKID to freeradius.  I think the way to that would be to
use jradius (http://jradius.org/) and our java network client
(https://sourceforge.net/project/showfiles.php?group_id=144774&package_id=181280).
We would really appreciate the help.

You can also google up OPIE as well.

For hardware:
http://www.rsasecurity.com - Securid
http://www.vasco.com
and many others.  Google two-factor authentication and you will get
plenty. It is a very competitive space.
or you can run WiKID on a USB drive, if you're ok with that sort of thing.

HTH,

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/


Re: How to add OTP validation to FreeRadius

2007-04-25 Thread Nick Owen
On 4/24/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote:

 Hi all,

 I have to find a solution that integrates the use of OTP (One Time Password
 ) as a second factor authentication in addition to the first factor
 authentication (witch is generally username and password) to an existing
 authentication System.

 This solution should be integrated easily to the existing authentication
 system regardless the protocol used for authentication (Rdius, Kerberos,
 Http, EAP, etc) and regardless the OS.

  My questions are:

 1-  What are the possibilities and the facilities offered by
 FreeRadius??

 2-  I though about tow solutions :

 a-   Developing a plug-in that could be integrated to the existing
 authentication system. This plug-in will interact with the OTP-Server for
 otp validation.

 b-  Installing a radius server in front of the existing IT system. This
 server will be configured in a way that it will redirect first factor
 authentication requests (e.g. username/password) to the existing
 authentication system and the OTP second factor authentication to the OTP
 services server, and give access to the user only when these two factors are
 valid.

 I have no idea about Radius. And these are general ideas and I want someone
 to tell me if these solutions are possible and how to proceed.  What is best
 or better to do?

  Is there any other solution?

I don't think this is really a freeradius question.  You need to
choose a two-factor authentication system that supports radius.
Luckily, most do.

hth,

Nick
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius-apache authentication problem

2007-04-11 Thread Nick Owen
FWIW, I have had a chance to test this on 2.2.3 and it did not work
for me either.  Not sure if it is a bug in apache or a change has been
made and the mod_auth modules need updating.

On 3/29/07, Nick Owen [EMAIL PROTECTED] wrote:
 On 3/28/07, Ramazan Ulker [EMAIL PROTECTED] wrote:
  Hi
  these are error lines in apache error log and apache conf files. thanks for
  your assistance

 No problem. The fewer passwords the better :).  I don't see anything
 that stands out.  However, when I set up apache with our two-factor I
 did everything inside of httpd.conf inside the vhost listing:

 # *:443 assumed here; use your own vhost's address and port
 <VirtualHost *:443>

   <Location /WiKIDBlog/*/cbentry_view>
     AuthType Basic
     AuthName "WiKID Two-factor + Apache"
     AuthXRadiusAddServer wikid_server:1812 radius_secret
     AuthXRadiusTimeout 7
     AuthXRadiusRetries 2
     Require valid-user
   </Location>
 </VirtualHost>

 So, perhaps apache is getting confused about what mechanism to use
 where, putting it all in one place might clarify things.

 HTH,

 Nick

 --
 Nick Owen
 WiKID Systems, Inc.
 404.962.8983 (desk)
 404.542.9453 (cell)
 http://www.wikidsystems.com
 At last, two-factor authentication, without the hassle factor
 Now open source: http://sourceforge.net/projects/wikid-twofactor/



-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius-apache authentication problem

2007-03-29 Thread Nick Owen
On 3/28/07, Ramazan Ulker [EMAIL PROTECTED] wrote:
 Hi
 these are error lines in apache error log and apache conf files. thanks for
 your assistance

No problem. The fewer passwords the better :).  I don't see anything
that stands out.  However, when I set up apache with our two-factor I
did everything inside of httpd.conf inside the vhost listing:

# *:443 assumed here; use your own vhost's address and port
<VirtualHost *:443>

  <Location /WiKIDBlog/*/cbentry_view>
    AuthType Basic
    AuthName "WiKID Two-factor + Apache"
    AuthXRadiusAddServer wikid_server:1812 radius_secret
    AuthXRadiusTimeout 7
    AuthXRadiusRetries 2
    Require valid-user
  </Location>
</VirtualHost>

So, perhaps apache is getting confused about what mechanism to use
where, putting it all in one place might clarify things.

HTH,

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius-apache authentication problem

2007-03-27 Thread Nick Owen
On 3/27/07, Ramazan Ulker [EMAIL PROTECTED] wrote:
 no change, same errors. mod_auth_xradius doesn't work in apache 2.2.3

I have only tested with 2.2.2.  FWIW, authn_file_module is loaded.
Why don't you post the relevant portions of your htaccess and
httpd.conf files.

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius-apache authentication problem

2007-03-26 Thread Nick Owen
You might try using mod_auth_xradius:
http://www.outoforder.cc/projects/apache/mod_auth_xradius/

More information can be found here:
http://www.howtoforge.com/apache_radius_two_factor_authentication

HTH,

Nick

On 3/26/07, Ramazan Ulker [EMAIL PROTECTED] wrote:
 Hi
 I want to implement otp authentication for a web site. Radius and otp
 scripts work well together but apache doesn't send any authentication data to
 radius. I followed the instructions in
 http://www.freeradius.org/mod_auth_radius/ but apache
 mod_authn_file wants passwords and could not be disabled. When I removed the
 module, "no authn provider configured" errors are seen in the apache error logs. Changing
 AuthBasicAuthoritative on or off in .htaccess didn't solve the problem.
 The problem stems from apache, but someone who has solved such a problem could respond to me.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
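The RADIUS leg of the setups discussed in this thread (the Apache module acting as the NAS, a RADIUS server in front of the one-time-password validator) is easy to get wrong in two places: the User-Password hiding and the Response Authenticator check. What follows is an added example, not code from the thread, from mod_auth_xradius or from FreeRADIUS. It builds an RFC 2865 Access-Request the way a NAS does, answers it the way an OTP-backed server does, and verifies the reply before trusting it. The shared secret radius_secret, the user alice and her passcode are constructed test values, and OneTimePasscodeValidator is a stand-in for the real OTP server.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 s5.2: NUL-pad to a multiple of 16, XOR each block with MD5(secret + previous block)
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth  # chain is seeded by the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return bytes(out)

def decode_user_password(blob: bytes, secret: bytes, req_auth: bytes) -> bytes:
    if not blob or len(blob) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), req_auth
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # drop the NUL padding

def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        length = data[pos + 1]
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str = "192.0.2.10") -> bytes:
    # NAS side (the Apache module). The Request Authenticator must be fresh random per request.
    req_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_user_password(password.encode(), secret, req_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    # Check this before acting on an Accept: the Code byte alone is unauthenticated.
    if len(response) < 20 or len(response) != struct.unpack("!H", response[2:4])[0]:
        return False
    if response[1] != request[1]:  # Identifier must match the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

class OneTimePasscodeValidator:
    # Stand-in for the OTP server: each passcode is accepted exactly once.
    def __init__(self, codes: dict):
        self._unspent = {user: set(c) for user, c in codes.items()}
    def validate(self, user: str, passcode: bytes) -> bool:
        code = passcode.decode(errors="replace")
        if code not in self._unspent.get(user, set()):
            return False
        self._unspent[user].discard(code)  # burn it so a replay is rejected
        return True

def handle_access_request(packet: bytes, secret: bytes, validator) -> bytes:
    # Server side: parse, recover the password, ask the OTP validator, answer.
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(parse_attributes(packet[20:]))
    user = attrs[ATTR_USER_NAME].decode()
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, packet[4:20])
    code = ACCESS_ACCEPT if validator.validate(user, password) else ACCESS_REJECT
    return build_response(code, packet, secret)

def login(user: str, passcode: str, secret: bytes, validator, ident: int = 7) -> bool:
    # One complete exchange, in-process instead of over UDP/1812.
    request = build_access_request(ident, user, passcode, secret)
    response = handle_access_request(request, secret, validator)
    return verify_response(response, request, secret) and response[0] == ACCESS_ACCEPT
```

Call login("alice", "493017", b"radius_secret", otp) twice with otp = OneTimePasscodeValidator({"alice": ["493017"]}): the first call returns True, the second False because the passcode has been spent. The verify_response step is the one that matters for the mod_auth_xradius-style deployment above: without it, a host on the path between Apache and the RADIUS server could answer with a forged Access-Accept, since nothing in the reply other than the Response Authenticator is bound to the shared secret. The password hiding itself is MD5-based and keyed only by that secret, which is why the RADIUS hop belongs on a trusted network or inside IPsec.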


Re: Apache2 - PAM - freeRADIUS - users

2007-03-21 Thread Nick Owen
On 3/21/07, Helmut Tröbs [EMAIL PROTECTED] wrote:
 Hello Michael,

 
   freeRADIUS works quite good and it's possible to authenticate via PAM,
  for example local logins, ssh-logins, su, chsh, gdm, ... are working
  quite fine.
 
  The only thing is the htaccess from apache2 which will not work. The
  Radius gets the request and permits the user:
 
I would suggest finding out why Apache is requiring more from PAM than
  everyone else does.  It's not really a pam_radius problem, because it
  works with everything else.
 


 we had similar problems with radius and Apache2 (it is not a RADIUS/PAM
 problem!) PAM didn't work for us either, so a colleague found another
 radius module for Apache 2:

 http://www.outoforder.cc/projects/apache/mod_auth_xradius/

 But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage
 to get any radius authentication working.

I got apache - radius working with mod_auth_xradius with apache-2.2.2 on FC6.

a very basic how-to is here:
http://www.howtoforge.com/apache_radius_two_factor_authentication

hth.

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Management of temporary users

2007-02-07 Thread Nick Owen

On 2/7/07, Alan DeKok [EMAIL PROTECTED] wrote:


Nick Owen wrote:

 I am looking for the best way to provision groups of users for temporary
 access across multiple servers.  The users would be using ssh and sudo.
 They would be assigned to a group of servers, then removed after the job
 was complete.   There are hundreds of servers involved.

  RADIUS may not be a good way to do this, because the users will still
need UID's, etc., which RADIUS doesn't supply.

I think we can put the UIDs into our auth server, which supports radius.

I was hoping that the requests would come from the target server to the
freeradius box, which would check to see if that user/group had current
rights to that server, then proxy the auth request to our auth server to
validate the one-time password.

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Management of temporary users

2007-02-06 Thread Nick Owen

Greetings:

I am looking for the best way to provision groups of users for temporary
access across multiple servers.  The users would be using ssh and sudo.
They would be assigned to a group of servers, then removed after the job was
complete.   There are hundreds of servers involved.

I was thinking that I could use freeradius with dialup_admin to quickly add
and remove users from huntgroups, but it doesn't appear that huntgroups are
supported in dialup_admin, or am I missing something?

Any suggestions welcome.

Sincerely,

nick


--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
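The design sketched in this thread (the front freeradius box decides whether the user or group currently has rights to the server making the request, and only then proxies to the OTP server) comes down to one authorization function. Below is an added example that models that decision in Python; it is not FreeRADIUS code or configuration from the thread. The huntgroups, group memberships, job windows and addresses are constructed, and the realm name wikid is a hypothetical proxy.conf entry that would point at the OTP server.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Assignment:
    group: str            # who: a group of temporary users
    huntgroup: str        # where: a named set of servers (NASes)
    not_before: datetime  # job window, start inclusive
    not_after: datetime   # job window, end exclusive

# Constructed data. In FreeRADIUS terms HUNTGROUPS plays the role of raddb/huntgroups
# (NAS-IP-Address -> Huntgroup-Name) and ASSIGNMENTS the Huntgroup-Name/Expiration
# check items on per-group entries in the users file.
HUNTGROUPS = {
    "db-servers": [ipaddress.ip_network("10.10.0.0/24")],
    "web-servers": [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.21.0.0/24")],
}
GROUP_MEMBERS = {"dba-contractors": {"alice", "bob"}, "web-contractors": {"carol"}}
ASSIGNMENTS = [
    Assignment("dba-contractors", "db-servers", datetime(2007, 2, 5), datetime(2007, 2, 9)),
    Assignment("web-contractors", "web-servers", datetime(2007, 2, 1), datetime(2007, 2, 3)),
]
OTP_REALM = "wikid"  # hypothetical realm in proxy.conf pointing at the OTP server

def huntgroup_for(nas_ip: str):
    # Map the NAS that sent the Access-Request to its huntgroup, or None if unknown.
    addr = ipaddress.ip_address(nas_ip)
    for name, networks in HUNTGROUPS.items():
        if any(addr in net for net in networks):
            return name
    return None

def authorize(user: str, nas_ip: str, now: datetime, assignments=ASSIGNMENTS):
    # Returns ("proxy", realm) when some group the user belongs to currently has rights
    # to the requesting server, otherwise ("reject", reason). Deny by default: an
    # unknown NAS, an unassigned user or an expired window all end in a reject, and the
    # one-time password is never looked at here; that is the proxied server's job.
    huntgroup = huntgroup_for(nas_ip)
    if huntgroup is None:
        return ("reject", f"NAS {nas_ip} is not in any huntgroup")
    matching = [a for a in assignments
                if a.huntgroup == huntgroup and user in GROUP_MEMBERS.get(a.group, ())]
    if any(a.not_before <= now < a.not_after for a in matching):
        return ("proxy", OTP_REALM)
    if matching:
        return ("reject", f"{user}'s assignment to {huntgroup} is outside its window")
    return ("reject", f"no assignment grants {user} access to {huntgroup}")
```

The window end is exclusive, so access drops at the moment the job closes rather than a day later, and adding or removing a whole job is one Assignment rather than an edit per user and per server. As Alan notes in the reply above, this only settles authentication and authorization: the ssh and sudo hosts still need UIDs from somewhere, which RADIUS does not supply.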