Matthew, Great! Thanks for your reply. It helps. We will use this solution. Tom ------------------ Original ------------------ From: "freeradius-users"<freeradius-users-request@lists.freeradius.org>; Date: Fri, Apr 20, 2012 05:30 PM To: "freeradius-users"<freeradius-users@lists.freeradius.org>; Subject: Freeradius-Users Digest, Vol 84, Issue 65 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re:Freeradius Access Requet ID (Matthew Newton) 2. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour) 3. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Fajar A. Nugraha) 4. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Alan DeKok) 5. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (alan buxey) 6. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour) 7. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour) 8. How to grant access to a network regardless of the username/password? (Henrik Karlsson) ---------------------------------------------------------------------- Message: 1 Date: Fri, 20 Apr 2012 08:52:15 +0100 From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re:Freeradius Access Requet ID Message-ID: <20120420075215.GA7240@rootmail.cc.le.ac.uk> Content-Type: text/plain; charset=utf-8 On Fri, Apr 20, 2012 at 03:42:09PM +0800, ?????? wrote:
We know the post-authentication query can do something which we know who is pass.
We don't have a method to log the rejected request.
Put something in the Post-Auth-Type REJECT section of post-auth to log whatever you want. post-auth { Post-Auth-Type REJECT { # here } } Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> ------------------------------ Message: 2 Date: Fri, 20 Apr 2012 10:53:32 +0300 From: Wassim Zaarour <wassim.zaarour@navlink.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Message-ID: <CBB6EF8C.ED0C%wassim.zaarour@navlink.com> Content-Type: text/plain; CHARSET=US-ASCII Hi Farja, I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text) Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it?? If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only. Any workaround? Thanks Wassim. On 4/20/12 10:30 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list@fajar.net> wrote:
Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR - an active directory
If you don't have either, then it won't work.
Hi Farja,
Passwords are stored as clear text in my LDAP, that should make MSCHAPv2 work right?
Yes, if FR can find them. This part of the log says it can't:
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
You might need to play around with the user used to login to LDAP, as some systems only give out passwords to admin accounts. Testing manual LDAP lookup using command line tool (e.g. ldapsearch) helps. If you CAN get your ldap server to return cleartext password with ldapsearch, then you should be able to configure FR to get that as well.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Message: 3 Date: Fri, 20 Apr 2012 15:01:13 +0700 From: "Fajar A. Nugraha" <list@fajar.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Message-ID: <CAG1y0segiKtFkiE2M5xu+7kAwYtjvNc0+0PCxZTT51AuKYjJWw@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 On Fri, Apr 20, 2012 at 2:53 PM, Wassim Zaarour <wassim.zaarour@navlink.com> wrote:
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
Figured as much :)
Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
Yes
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
No. Not unless you're willing to install 3rd-party supplicant on every windows client. -- Fajar ------------------------------ Message: 4 Date: Fri, 20 Apr 2012 10:15:03 +0200 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Message-ID: <4F911B07.50509@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1 Wassim Zaarour wrote:
Hi Farja,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok. ------------------------------ Message: 5 Date: Fri, 20 Apr 2012 09:18:59 +0100 From: alan buxey <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Message-ID: <20120420081859.GA11042@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii Hi,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
is this LDAP or AD? if its AD then you can bind your FreeRADIUS box to the AD as per docs on deployingradius.com - then it can use ntlm_auth to do PEAP very happily for windows clients - its what we do for our 20k users for 802.1X alan ------------------------------ Message: 6 Date: Fri, 20 Apr 2012 11:19:43 +0300 From: Wassim Zaarour <wassim.zaarour@navlink.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Message-ID: <CBB6F671.ED1B%wassim.zaarour@navlink.com> Content-Type: text/plain; CHARSET=US-ASCII Thanks Alan for the link, I just ran to it few minutes back and its clear :) Guess I'm gonna have to settle for a third party supplicant since I can't change in the LDAP password storage config. Thanks also for the other Alan and Farja. On 4/20/12 11:15 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Wassim Zaarour wrote:
Hi Farja,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
Does that means there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Message: 7 Date: Fri, 20 Apr 2012 11:28:54 +0300 From: Wassim Zaarour <wassim.zaarour@navlink.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Message-ID: <CBB6F8CA.ED21%wassim.zaarour@navlink.com> Content-Type: text/plain; CHARSET=US-ASCII It's Sun Directory Server, hence LDAP not AD. Thanks anyways :) On 4/20/12 11:18 AM, "alan buxey" <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. ( can't change them to clear text)
is this LDAP or AD? if its AD then you can bind your FreeRADIUS box to the AD as per docs on deployingradius.com - then it can use ntlm_auth to do PEAP very happily for windows clients - its what we do for our 20k users for 802.1X
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Message: 8 Date: Fri, 20 Apr 2012 11:30:13 +0200 From: Henrik Karlsson <Henrik.Karlsson@Generic.se> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: How to grant access to a network regardless of the username/password? Message-ID: <5D4FE383D0CD43418076B92AA238BA8B0100EBB56656@nova.intra.generic.se> Content-Type: text/plain; charset="us-ascii" Hi, I have a dial-in system that use freeRADIUS as radius server. I have figured out how to log username and password from access requests in a SQL database. My next goal is to be able to keep on logging Username and password but accept all users regardless of username/password. The user shall not need to be listed as a user in the RADIUS server. I want to grant access for all users that dial in for access to the network, hut I need to log the username and password that they send to the RADIUS server. Username and password are stored in a Mysql database and we use PAP. Is it possible to make this configuration and if it is possible how do I do it. /Henrik -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120420/c90a307b/attachment.html> ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html End of Freeradius-Users Digest, Vol 84, Issue 65 ************************************************