How to implement two possible passwords? (one for PEAP and other forTTLS)

Ivan Kalik tnt at kalik.net
Wed Apr 30 14:50:26 CEST 2008


1) Leave as it is.

http://www.freeradius.org/features/virtual_servers.html

2) Create a virtual server for peap and send peap requests to it. In
users file for that server enter:

DEFAULT   Cleartext-Password := whatever

You don't need radiusPassword attribute at all.

Ivan Kalik
Kalik Informatika ISP


Dana 30/4/2008, "Sergio Belkin" <sebelk at gmail.com> piše:

>Hi,
>
>I've added an new attribute called "radiusPassword" this a clear-text
>password exclusively for radius usage. I want that:
>
>1) All Linux, MAC OS X, and all Windows users that want to and can
>install (or already have installed and configured) securew2 use their
>usual encrypted userPassword. (EAP-TTLS)
>2) All users that don't want to install securew2 (Windows users) and
>want to use PEAP instead TTLS use the radiusPassword as their password
>for access to wireless network.
>
>How can I do that? These are my current config files:
>
>----------
>radiusd.conf
>----------------
>
>prefix = /usr/local-2.0.2
>exec_prefix = ${prefix}
>sysconfdir = ${prefix}/etc
>localstatedir = ${prefix}/var
>sbindir = ${exec_prefix}/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/radiusd
>db_dir = $(raddbdir)
>libdir = ${exec_prefix}/lib
>pidfile = ${run_dir}/radiusd.pid
>user = radiusd
>group = radiusd
>max_request_time = 30
>cleanup_delay = 5
>max_requests = 1024
>listen {
>        type = auth
>        ipaddr = 190.69.213.5
>        port = 0
>}
>listen {
>        ipaddr = 190.69.213.5
>        port = 0
>        type = acct
>}
>hostname_lookups = no
>allow_core_dumps = no
>regular_expressions     = yes
>extended_expressions    = yes
>log {
>        destination = files
>        file = ${logdir}/radius.log
>        syslog_facility = daemon
>        stripped_names = yes
>        auth = yes
>        auth_badpass = no
>        auth_goodpass = no
>}
>checkrad = ${sbindir}/checkrad
>security {
>        max_attributes = 190
>        reject_delay = 1
>        status_server = yes
>}
>proxy_requests  = no
>$INCLUDE proxy.conf
>$INCLUDE clients.conf
>snmp    = no
>$INCLUDE snmp.conf
>thread pool {
>        start_servers = 5
>        max_servers = 32
>        min_spare_servers = 3
>        max_spare_servers = 10
>        max_requests_per_server = 0
>}
>modules {
>        pap {
>                auto_header = yes
>        }
>        chap {
>                authtype = CHAP
>        }
>        pam {
>                pam_auth = radiusd
>        }
>        unix {
>                radwtmp = ${logdir}/radwtmp
>        }
>$INCLUDE eap.conf
>        mschap {
>        }
>        ldap {
>                server = "ldap.cadorna.edu
>                identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
>                port = 636
>                password = doyouwantocrakforgetitdude
>                basedn = "ou=people,dc=cadorna,dc=edu"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                ldap_connections_number = 5
>                timeout = 4
>                timelimit = 3
>                net_timeout = 1
>                tls {
>                        start_tls = no
>                        cacertfile      = /etc/raddb-2.0.2/cacert.pem
>                        randfile                = /dev/urandom
>                        require_cert    = "allow"
>                }
>                access_attr = "radiusAllowed"
>                dictionary_mapping = ${confdir}/ldap.attrmap
>                edir_account_policy_check = no
>        }
>        realm IPASS {
>                format = prefix
>                delimiter = "/"
>        }
>        realm suffix {
>                format = suffix
>                delimiter = "@"
>        }
>        realm realmpercent {
>                format = suffix
>                delimiter = "%"
>        }
>        realm ntdomain {
>                format = prefix
>                delimiter = "\\"
>        }
>        checkval {
>                item-name = Calling-Station-Id
>                check-name = Calling-Station-Id
>                data-type = string
>        }
>
>        preprocess {
>                huntgroups = ${confdir}/huntgroups
>                hints = ${confdir}/hints
>                with_ascend_hack = no
>                ascend_channels_per_line = 23
>                with_ntdomain_hack = no
>                with_specialix_jetstream_hack = no
>                with_cisco_vsa_hack = no
>        }
>        files {
>                usersfile = ${confdir}/users
>                acctusersfile = ${confdir}/acct_users
>                preproxy_usersfile = ${confdir}/preproxy_users
>                compat = no
>        }
>        detail {
>                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>                detailperm = 0600
>                header = "%t"
>                suppress {
>                         User-Password
>                }
>        }
>         detail auth_log {
>                 detailfile =
>${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
>                suppress {
>                         User-Password
>                }
>         }
>        acct_unique {
>                key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
>        }
>        $INCLUDE sql.conf
>
>        radutmp {
>                filename = ${logdir}/radutmp
>                username = %{User-Name}
>                case_sensitive = yes
>                check_with_nas = yes
>                perm = 0600
>                callerid = "yes"
>        }
>        radutmp sradutmp {
>                filename = ${logdir}/sradutmp
>                perm = 0644
>                callerid = "no"
>        }
>        attr_filter attr_filter.post-proxy {
>                attrsfile = ${confdir}/attrs
>        }
>        attr_filter attr_filter.pre-proxy {
>                attrsfile = ${confdir}/attrs.pre-proxy
>        }
>        attr_filter attr_filter.access_reject {
>                key = %{User-Name}
>                attrsfile = ${confdir}/attrs.access_reject
>        }
>        attr_filter attr_filter.accounting_response {
>                key = %{User-Name}
>                attrsfile = ${confdir}/attrs.accounting_response
>        }
>        counter daily {
>                filename = ${db_dir}/db.daily
>                key = User-Name
>                count-attribute = Acct-Session-Time
>                reset = daily
>                counter-name = Daily-Session-Time
>                check-name = Max-Daily-Session
>                reply-name = Session-Timeout
>                allowed-servicetype = Framed-User
>                cache-size = 5000
>        }
>        $INCLUDE sql/mysql/counter.conf
>        always fail {
>                rcode = fail
>        }
>        always reject {
>                rcode = reject
>        }
>        always noop {
>                rcode = noop
>        }
>        always handled {
>                rcode = handled
>        }
>        always updated {
>                rcode = updated
>        }
>        always notfound {
>                rcode = notfound
>        }
>        always ok {
>                rcode = ok
>                simulcount = 0
>                mpp = no
>        }
>        expr {
>        }
>        digest {
>        }
>        expiration {
>                reply-message = "Password Has Expired\r\n"
>        }
>        logintime {
>                reply-message = "You are calling outside your allowed
>timespan\r\n"
>                minimum-timeout = 60
>        }
>        exec {
>                wait = yes
>                input_pairs = request
>                shell_escape = yes
>                output = none
>        }
>        exec echo {
>                wait = yes
>                program = "/bin/echo %{User-Name}"
>                input_pairs = request
>                output_pairs = reply
>                shell_escape = yes
>        }
>        ippool main_pool {
>                range-start = 192.168.1.1
>                range-stop = 192.168.3.254
>                netmask = 255.255.255.0
>                cache-size = 800
>                session-db = ${db_dir}/db.ippool
>                ip-index = ${db_dir}/db.ipindex
>                override = no
>                maximum-timeout = 0
>        }
>        policy {
>               filename = ${confdir}/policy.txt
>        }
>}
>instantiate {
>        exec
>        expr
>        expiration
>        logintime
>}
>$INCLUDE policy.conf
>$INCLUDE sites-enabled/
>
>EOF
>
>--------------
>eap.conf
>----------------
>eap {
>                default_eap_type = peap
>                timer_expire     = 60
>                ignore_unknown_eap_types = no
>                cisco_accounting_username_bug = no
>                md5 {
>                }
>                leap {
>                }
>                gtc {
>                        auth_type = PAP
>                }
>                tls {
>                        private_key_file =
>/etc/pki/tls/certs/ips-spectrum-key.pem
>                        certificate_file =
>/etc/pki/tls/certs/ips-spectrum-crt.pem
>                        CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
>                        dh_file = ${raddbdir}/certs/dh
>                        random_file = ${raddbdir}/certs/random
>                        cipher_list = "DEFAULT"
>                }
>                ttls {
>                        default_eap_type = md5
>                        copy_request_to_tunnel = no
>                        use_tunneled_reply = yes
>                }
>                peap {
>                        default_eap_type = mschapv2
>                        copy_request_to_tunnel = no
>                        use_tunneled_reply = no
>                }
>                mschapv2 {
>                }
>        }
>EOF
>
>-------------------
>ldap.attrmap
>checkItem       $GENERIC$                       radiusCheckItem
>replyItem       $GENERIC$                       radiusReplyItem
>checkItem   Cleartext-Password       clrtxtPassword
>checkItem       User-Password                   userPassword
>replyItem   Tunnel-Type                            radiusTunnelType
>replyItem   Tunnel-Medium-Type             radiusTunnelMediumType
>replyItem   Tunnel-Private-Group-Id        radiusTunnelPrivateGroupId
>checkItem       Auth-Type                       radiusAuthType
>checkItem       Simultaneous-Use                radiusSimultaneousUse
>checkItem       Called-Station-Id               radiusCalledStationId
>checkItem       Calling-Station-Id              radiusCallingStationId
>checkItem       LM-Password                     lmPassword
>checkItem       NT-Password                     ntPassword
>checkItem       LM-Password                     sambaLmPassword
>checkItem       NT-Password                     sambaNtPassword
>checkItem       SMB-Account-CTRL-TEXT           acctFlags
>checkItem       Expiration                      radiusExpiration
>checkItem       NAS-IP-Address                  radiusNASIpAddress
>replyItem       Service-Type                    radiusServiceType
>replyItem       Framed-Protocol                 radiusFramedProtocol
>replyItem       Framed-IP-Address               radiusFramedIPAddress
>replyItem       Framed-IP-Netmask               radiusFramedIPNetmask
>replyItem       Framed-Route                    radiusFramedRoute
>replyItem       Framed-Routing                  radiusFramedRouting
>replyItem       Filter-Id                       radiusFilterId
>replyItem       Framed-MTU                      radiusFramedMTU
>replyItem       Framed-Compression              radiusFramedCompression
>replyItem       Login-IP-Host                   radiusLoginIPHost
>replyItem       Login-Service                   radiusLoginService
>replyItem       Login-TCP-Port                  radiusLoginTCPPort
>replyItem       Callback-Number                 radiusCallbackNumber
>replyItem       Callback-Id                     radiusCallbackId
>replyItem       Framed-IPX-Network              radiusFramedIPXNetwork
>replyItem       Class                           radiusClass
>replyItem       Session-Timeout                 radiusSessionTimeout
>replyItem       Idle-Timeout                    radiusIdleTimeout
>replyItem       Termination-Action              radiusTerminationAction
>replyItem       Login-LAT-Service               radiusLoginLATService
>replyItem       Login-LAT-Node                  radiusLoginLATNode
>replyItem       Login-LAT-Group                 radiusLoginLATGroup
>replyItem       Framed-AppleTalk-Link           radiusFramedAppleTalkLink
>replyItem       Framed-AppleTalk-Network        radiusFramedAppleTalkNetwork
>replyItem       Framed-AppleTalk-Zone           radiusFramedAppleTalkZone
>replyItem       Port-Limit                      radiusPortLimit
>replyItem       Login-LAT-Port                  radiusLoginLATPort
>replyItem       Reply-Message                   radiusReplyMessage
>
>EOF
>
>Thanks in advance!!
>
>--
>--
>Open Kairos http://www.openkairos.com
>Watch More TV http://sebelk.blogspot.com
>Sergio Belkin -
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>




More information about the Freeradius-Users mailing list