Re: Res: Res: EAP-TTLS + Post-auth clear password
Erico Augusto wrote:
> as suggested, I'm working with exec module.
>
> radiusd.conf:
>
>     ...
>     exec {
>         post-auth:User-Password = `%{exec:/usr/local/etc/raddb/jradius.forward}`
>         wait = yes
>         input_pairs = request
>     }
>     ...
>
> the content of /usr/local/etc/raddb/jradius.forward script is just:
>
>     #!/bin/bash
>     echo 123456
>
> so, the user's password that I'm using is 123456 (inserted at SecureW2 Windows XP popup), but I'm still receiving ciphered User-Password at destination custom app...

All I can say is huh? You want to use a custom app, and your solution is to write a shell script that does... nothing?

Perhaps you could explain how the custom app *currently* interacts with FreeRADIUS. From the examples you've posted, it doesn't.

My suggestion was to write a program that would send the username & password to the custom app. See the documentation for how to see the username & password in a shell script run by rlm_exec.

> I have changed the content of jradius.forward script to
>
>     #!/bin/bash
>     echo 123456789
>
> just to see if the password sent is the one returned by jradius.forward script,

What makes you think that the shell script changes the password? Nothing in the documentation or examples would lead you to believe that simply echoing a number would have the magic side-effect of changing the password.

> some idea about what is wrong?

The configurations you've shown don't match the documentation. i.e. You think they do one thing, but the documentation says they do something else.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
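
The approach Alan suggests above, as an added example that is not part of the thread or of FreeRADIUS: a script for rlm_exec that reads the request's username and password from its environment and sends them to the custom app. It assumes rlm_exec exports request attributes as upper-cased environment variables with dashes replaced by underscores (check the rlm_exec documentation for your version); `FORWARD_CMD` and its default path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: forward the credentials that rlm_exec
# exports (input_pairs = request) to a custom application.
# Assumption: attributes arrive as USER_NAME / USER_PASSWORD in the environment.
# FORWARD_CMD is a hypothetical helper reading one "user<TAB>password" line on stdin.
FORWARD_CMD="${FORWARD_CMD:-/usr/local/bin/custom-auth-client}"

tab=$(printf '\t')
nl='
'

# String attributes may arrive wrapped in double quotes; strip one pair.
strip_quotes() {
    case "$1" in
        '"'*'"') v=${1#\"}; v=${v%\"}; printf '%s' "$v" ;;
        *)       printf '%s' "$1" ;;
    esac
}

forward_credentials() {
    user=$(strip_quotes "${USER_NAME-}")
    pass=$(strip_quotes "${USER_PASSWORD-}")

    # No User-Password in the request (e.g. a non-PAP inner method): nothing to send.
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "jradius.forward: User-Name or User-Password missing" >&2
        return 1
    fi
    # A tab or newline would break the one-line record format.
    case "$user$pass" in
        *"$tab"*|*"$nl"*)
            echo "jradius.forward: control character in credentials" >&2
            return 1 ;;
    esac
    # Pass the record on stdin, never argv, so the password is not visible in ps.
    printf '%s\t%s\n' "$user" "$pass" | "$FORWARD_CMD"
}

# Run only when installed under the script name used in the thread.
case "$0" in
    */jradius.forward) forward_credentials ;;
esac
```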
Res: Res: Res: EAP-TTLS + Post-auth clear password
----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 23 March 2007 3:54:41
Subject: Re: Res: Res: EAP-TTLS + Post-auth clear password

> Erico Augusto wrote:
>
> All I can say is huh? You want to use a custom app, and your solution is to write a shell script that does... nothing?

sure not!

> Perhaps you could explain how the custom app *currently* interacts with FreeRADIUS. From the examples you've posted, it doesn't.

it's called learning ...

> My suggestion was to write a program that would send the username & password to the custom app. See the documentation for how to see the username & password in a shell script run by rlm_exec.

that's what I'm looking for ... constructive suggestions ...

> What makes you think that the shell script changes the password? Nothing in the documentation or examples would lead you to believe that simply echoing a number would have the magic side-effect of changing the password.

just learning how the tool works...

> The configurations you've shown don't match the documentation. i.e. You think they do one thing, but the documentation says they do something else.

The interaction with JRadius now works ... it wasn't an issue with freeradius ... JRadius API was outputting [Encrypted String] to the password ... in truth, it's just in ASCII ... a simple casting fixes everything.

So, to get cleartext password with WinXP SecureW2 (EAP-TTLS) Supplicant configured to PAP at Authentication Tab, using JRadius API, just gather password bytes as follows:

    byte[] passByte = requestPacket.getAttributes().get(Attr_UserPassword.NAME).getValue().getBytes();

where requestPacket is a RadiusPacket object.

Erico.
Re: Res: EAP-TTLS + Post-auth clear password
Erico Augusto wrote:
> I'm trying to forward username and password to my own app, using post-auth section, to perform user authentication, as described below ... is that possible?

Yes. See the exec module.

Why do you think the pap module has anything to do with it?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Res: Res: EAP-TTLS + Post-auth clear password
Hi,

as suggested, I'm working with exec module.

radiusd.conf:

    ...
    exec {
        post-auth:User-Password = `%{exec:/usr/local/etc/raddb/jradius.forward}`
        wait = yes
        input_pairs = request
    }
    ...

the content of /usr/local/etc/raddb/jradius.forward script is just:

    #!/bin/bash
    echo 123456

so, the user's password that I'm using is 123456 (inserted at SecureW2 Windows XP popup), but I'm still receiving ciphered User-Password at destination custom app...

I have changed the content of jradius.forward script to

    #!/bin/bash
    echo 123456789

just to see if the password sent is the one returned by jradius.forward script, but all entries at radiusd -X show:

    ...
    Processing the post-auth section of radiusd.conf
    ...
    rlm_jradius: packing attribute User-Password (type: 2; len: 6)
    ...

Conclusion: the User-Password attribute is not being changed by the external script, since the length should be 9 ...

some idea about what is wrong?

one more point: I'm setting user's password at etc/raddb/users file (it may be a problem, I mean ... does it fix the password?).

thanks a lot,

Erico.

----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, 22 March 2007 5:29:24
Subject: Re: Res: EAP-TTLS + Post-auth clear password

Erico Augusto wrote:
> I'm trying to forward username and password to my own app, using post-auth section, to perform user authentication, as described below ... is that possible?

Yes. See the exec module.

Why do you think the pap module has anything to do with it?

Alan DeKok.
EAP-TTLS + Post-auth clear password
Hi,

I would like to send clear-text password at post-auth using eap-ttls. is there a way?

I'm avoiding to write a lot of details about the question.

Just using post-auth I got to send User-password attribute, but it's cyphered at destination (Yes, there is all the TLS tunneling stuff, but I'm trying to see the problem at a simpler-unknown perspective).

I'm using SecureW2 as supplicant (PAP), freeradius-1.1.2+jradius patch.

Thanks a lot.

Erico.

----- Original message -----
From: Nick Owen [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 21 March 2007 16:45:43
Subject: Re: Apache2 - PAM - freeRADIUS - users

On 3/21/07, Helmut Tröbs [EMAIL PROTECTED] wrote:
> Hello Michael,
>
> freeRADIUS works quite good and it's possible to authenticate via PAM, for example local logins, ssh-logins, su, chsh, gdm, ... are working quite fine. The only thing is the htaccess from apache2 which will not work. The Radius gets the request and permits the user:
>
> I would suggest finding out why Apache is requiring more from PAM than everyone else does. It's not really a pam_radius problem, because it works with everything else.
>
> we had similar problems with radius and Apache2 (it is not a RADIUS/PAM problem!) PAM didn't work for us neither, so a colleague found another radius module for Apache 2: http://www.outoforder.cc/projects/apache/mod_auth_xradius/
>
> But it only works with Apache 2.0.x. With Apache 2.2.x we didn't manage to get any radius authentication working.

I got apache - radius working with mod_auth_xradius with apache-2.2.2 on FC6. a very basic how-to is here: http://www.howtoforge.com/apache_radius_two_factor_authentication

hth.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Now open source: http://sourceforge.net/projects/wikid-twofactor/
Re: EAP-TTLS + Post-auth clear password
Erico Augusto wrote:
> Hi,
>
> I would like to send clear-text password at post-auth using eap-ttls. is there a way?
>
> I'm avoiding to write a lot of details about the question.
>
> Just using post-auth I got to send User-password attribute, but it's cyphered at destination (Yes, there is all the TLS tunneling stuff, but I'm trying to see the problem at a simpler-unknown perspective).

i think by default pap is an md5 hash, you should be able to change that tho in the radiusd.conf (altho i could be totally insane.) in 1.1.4+ this looks to have changed to be auto negotiated.

other people will know better than me but, i think this is accurate.

Joe
Res: EAP-TTLS + Post-auth clear password
thanks joe,

my pap's modules section is already as follows:

    pap {
        encryption_scheme = clear
    }

I'm trying to forward username and password to my own app, using post-auth section, to perform user authentication, as described below ... is that possible?

Erico.

----- Original message -----
From: joe vieira [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 21 March 2007 17:17:18
Subject: Re: EAP-TTLS + Post-auth clear password

Erico Augusto wrote:
> Hi,
>
> I would like to send clear-text password at post-auth using eap-ttls. is there a way?
>
> I'm avoiding to write a lot of details about the question.
>
> Just using post-auth I got to send User-password attribute, but it's cyphered at destination (Yes, there is all the TLS tunneling stuff, but I'm trying to see the problem at a simpler-unknown perspective).
>
> I'm using SecureW2 as supplicant (PAP), freeradius-1.1.2+jradius patch.

i think by default pap is an md5 hash, you should be able to change that tho in the radiusd.conf (altho i could be totally insane.) in 1.1.4+ this looks to have changed to be auto negotiated.

other people will know better than me but, i think this is accurate.

Joe