Help: FreeRadius Users with multiple passwords

Duong Manh Truong ngoahotanglongbk at gmail.com
Fri Nov 18 12:20:25 CET 2011


Hi,
Thanks for your reply :)

I have better news: by using OpenLDAP for FR authentication & authorization
=> I can configure multiple passwords for each user (uid)
and use one of those passwords to authenticate successfully!

Although it is done manually for now, it somehow solves the matter!

If anyone has experience with this, please give some advice!
For example: how to do it automatically, or
how to create a pool of passwords and then use the pool for multiple users :)

Regards!

Message: 3
Date: Tue, 15 Nov 2011 16:09:29 +0700
From: "Fajar A. Nugraha" <list at fajar.net>
Subject: Re: Help: FreeRadius Users with multiple passwords
To: FreeRadius users mailing list
       <freeradius-users at lists.freeradius.org>
Message-ID:
       <CAG1y0sffWuNVw08KH5XT8_Ny3NLCe=NFWB4U+=WEXFcmiQ0FoA at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1


On Tue, Nov 15, 2011 at 4:00 PM, Duong Manh Truong
<ngoahotanglongbk at gmail.com> wrote:
> Hi all,
> I have encountered an issue and cannot find the solution after several
> days of thinking :(
> I set up FreeRadius & Mysql successfully, testing with some accounts was OK,
> but my real case: lots of my users have more than 1 password,

> Example: User: "truongdm" comes with the password "abc123" or the password
> "123abc"; both are OK

Short version: you can't.

Long version:
it's doable, but ONLY if:
- your user sends clear-text password (read: not using MSCHAP or
PEAP-MS-CHAP v2, which is the one most often used by windows clients)
- you create additional logic to handle authentication, either using
unlang or external script (perl, php, whatever). Hint: see
http://wiki.freeradius.org/Auth%20Type . Your additional logic would
have to set Auth-Type := Accept when conditions (e.g. password) match.

--
Fajar
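
An added example, not part of the original thread and not FreeRADIUS code: the matching logic an external script could apply for the multi-password case described in the reply above, for requests that carry a clear-text (PAP) password only. The function names, the in-memory store and the PBKDF2 storage format are assumptions; how an "Accept" result is turned into Auth-Type := Accept is left to the unlang or script integration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: example work factor, tune for your hardware


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' so the store never holds clear text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def matches(submitted, stored):
    """Constant-time check of one submitted password against one stored entry."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Used to spend comparable time on unknown users (limits user enumeration).
_DUMMY_ENTRY = hash_password("placeholder-not-a-real-password")


def decide_auth(username, submitted, credential_store):
    """Return 'Accept' if the PAP password matches ANY stored entry, else 'Reject'."""
    if not submitted:
        # No User-Password in the request (e.g. MS-CHAP or PEAP-MSCHAPv2):
        # there is nothing to compare, so this logic cannot accept it.
        return "Reject"
    entries = credential_store.get(username)
    if not entries:
        matches(submitted, _DUMMY_ENTRY)
        return "Reject"
    ok = False
    for stored in entries:  # check every entry, no early exit on first match
        ok |= matches(submitted, stored)
    return "Accept" if ok else "Reject"


# Constructed sample data, using the user and passwords quoted in the thread.
SAMPLE_STORE = {
    "truongdm": [hash_password("abc123"), hash_password("123abc")],
}
```

Every extra valid password for an account widens what an online guessing attempt can hit, so failed-attempt limits matter more with this design than with one password per user.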



------------------------------
On 15 November 2011 at 18:00, <
freeradius-users-request at lists.freeradius.org> wrote:

> Today's Topics:
>
>   1. Re: EAP-TLS CRL checking when multiple CAs used (Martin Čmelík)
>   2. Help: FreeRadius Users with multiple passwords (Duong Manh Truong)
>   3. Re: Help: FreeRadius Users with multiple passwords
>      (Fajar A. Nugraha)
>   4. Re: mysql module help (Alan DeKok)
>   5. Re: Issues with EAP-TLS and OpenSSL (Alan DeKok)
>   6. Re: PEAP/mschapv2 - opendirectory (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 15 Nov 2011 09:23:23 +0100
> From: Martin Čmelík <martin.cmelik at gmail.com>
> Subject: Re: EAP-TLS CRL checking when multiple CAs used
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID:
>        <CAGfF+_KCtw6Bet1JMxXJEijmF1dJTK2CekaiXoztVTifpuYOfA at mail.gmail.com
> >
> Content-Type: text/plain; charset=UTF-8
>
> Hi all,
>
> The problem was on my side. I missed adding another CRL to the certs
> directory.
>
> Thank you for all your help!
>
> Best regards,
>
> Martin Čmelík
>
>
>
> 2011/11/14 Martin Čmelík <martin.cmelik at gmail.com>:
> > Hi Alan,
> >
> > I did, there is nothing about it.
> >
> > Only this:
> >
> > #  Check the Certificate Revocation List
> > #
> > #  1) Copy CA certificates and CRLs to same directory.
> > #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
> > #    'c_rehash' is OpenSSL's command.
> > #  3) uncomment the line below.
> > #  5) Restart radiusd
> > #       check_crl = yes
> >
> > We have all CAs in ca.pem and CRL lists in separate files
> > crl1.pem+.der, crl2.pem+.der, etc.
> >
> > Stefan,
> >
> > that's what I did.
> > OK I will try to do same thing with previous configuration. Maybe that
> > I miss something.
> >
> > Thank you
> >
> >
> > Martin Čmelík
> >
> >
> >
> >
> > 2011/11/14 Alan DeKok <aland at deployingradius.com>:
> >> Martin Čmelík wrote:
> >>> Question is: When Freeradius receive user certificate how daemon find
> >>> correct CRL list in certs directory?
> >>
> >>  Read raddb/eap.conf.  This is documented.
> >>
> >>  Alan DeKok.
> >
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 15 Nov 2011 16:00:27 +0700
> From: Duong Manh Truong <ngoahotanglongbk at gmail.com>
> Subject: Help: FreeRadius Users with multiple passwords
> To: freeradius-users at lists.freeradius.org
> Message-ID:
>        <CAPY3iihX7xHE_kH5+yDB6Fv9=+FSwxVEoOM1R5FtmC8YnZo41A at mail.gmail.com
> >
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Hi all,
>
> I have encountered an issue and cannot find the solution after several
> days of thinking :(
>
> I set up FreeRadius & Mysql successfully, testing with some accounts was OK,
>
> but my real case: lots of my users *have more than 1 password*,
>
>
> Example: User: "truongdm" comes with the password "abc123" or the password
> "123abc"; both are OK
>
>
> Please help me: How can I set it up?
>
> - I tried to insert several records with the same "username" and different
> "value" (the password) in the "radcheck" table,
> but at any one time the server accepts only 1 pair of "username/value" :(
>
> - I tried to edit the file "users" manually, but it did not help...
>
> If anyone has had this problem, please help me find the direction!
>
> Thanks & Best Regards!
>
> ------------------------------
>
> Message: 4
> Date: Tue, 15 Nov 2011 10:10:16 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: mysql module help
> To: Ski Mountain <ski_the_mountain at yahoo.com>,  FreeRadius users
>        mailing list <freeradius-users at lists.freeradius.org>
> Message-ID: <4EC22C78.50505 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Ski Mountain wrote:
> > I am trying to get freeradius working with mysql on a new system.  I
> > even copied the configuration files from a working system, but I am
> > still having trouble getting the mysql module to load.  Yes I have
> >     $INCLUDE sql.conf
> > uncommitted from radius.conf
>
>  Read raddb/sites-available/default.  Look for "sql"
>
>  Then, read the SQL documentation on the wiki.
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 15 Nov 2011 10:24:31 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Issues with EAP-TLS and OpenSSL
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <4EC22FCF.2000400 at deployingradius.com>
> Content-Type: text/plain; charset=UTF-8
>
> Houston-III, Lester L wrote:
> > I'm trying to configure my FreeRADIUS server to support EAP-TLS but it
> > keeps reporting that there is no OpenSSL support.
>
>  You need to install the openssl-dev package.  It includes the OpenSSL
> header files.
>
>  This is probably on the Wiki, under "building it yourself".
>
>  Alan DeKok.
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 15 Nov 2011 10:27:38 +0100
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: PEAP/mschapv2 - opendirectory
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <4EC2308A.1070307 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Kemal YILDIRIM wrote:
> > Hello all,
> > I've just been able to implement a wired 802.1x system with PEAP/mschapv2
> > authentication against opendirectory which is running on MacOSX server
> > 10.6.8 Leopard.
> > At the end I have a "working" setup, but I like to learn more to fix my
> > faults.
>
>  What is going wrong?
>
>  You've posted a long message showing authentication succeeded, but no
> errors.
>
>  Alan DeKok.
>
>