I need our radius servers to accept any login attempt regardless of what the username is or the password. Is there a way of doing this? I know I can set our radius to accept any password sent but the user has to exist. We are taking over the users from a company that has gone bust. We can have the telco point radius authentication for the dial numbers the users dial into to a temporary radius server we have put online. We have no idea what usernames or passwords the users will be using until we have time to email them and get replies back. So for now we want them to continue service and have move them to our own dial numbers with valid usernames/passwords when we contact them. Thanks in advance. John -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.0.407 / Virus Database: 268.12.12/461 - Release Date: 02/10/2006
"John Williams" <john.williams@eurisp.co.uk> wrote:
I need our radius servers to accept any login attempt regardless of what the username is or the password.
Is there a way of doing this?
Auth-Type := Accept. But it won't work for MS-CHAP or wireless authentication.
I know I can set our radius to accept any password sent but the user has to exist.
Check for existence in LDAP, for example. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I need our radius servers to accept any login attempt regardless of what the username is or the password.
Is there a way of doing this?
Auth-Type := Accept. But it won't work for MS-CHAP or wireless authentication.
That’s going to be a bummer since near enough all users are going to be using MS-CHAP. I guess there isn't anyway of doing it then.. John -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.0.407 / Virus Database: 268.12.12/461 - Release Date: 02/10/2006
"John Williams" <john.williams@eurisp.co.uk> wrote:
That's going to be a bummer since near enough all users are going to be using MS-CHAP. I guess there isn't anyway of doing it then..
No. MS-CHAP requires that the server know the password. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Tuesday 03 October 2006 09:18, John Williams wrote:
I need our radius servers to accept any login attempt regardless of what the username is or the password.
Is there a way of doing this?
Yes. You can set a line in your users file like this: DEFAULT Auth-Type := Accept If you also have in your radius.conf file: log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes Then you should be able to collect the passwords sent to you if you use PAP authentication, from your $ACCOUNTING_PATH/radius.log file. Since all users will be able to connect, any user/password will work. You will get a lot of bogus ones, but those are easy enough to weed out.. We used this to collect passwords from our users without having to re-contact them when we had a major failure (Still using system password files for authentication for some connection). Took about a week and we had 90% of our users and passwords figured out. Wm <snip>
On Tue 03 Oct 2006 18:45, William wrote:
On Tuesday 03 October 2006 09:18, John Williams wrote:
I need our radius servers to accept any login attempt regardless of what the username is or the password.
Is there a way of doing this?
Yes. You can set a line in your users file like this:
DEFAULT Auth-Type := Accept
If you also have in your radius.conf file:
log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes
Then you should be able to collect the passwords sent to you if you use PAP authentication, from your $ACCOUNTING_PATH/radius.log file.
Since all users will be able to connect, any user/password will work. You will get a lot of bogus ones, but those are easy enough to weed out..
We used this to collect passwords from our users without having to re-contact them when we had a major failure (Still using system password files for authentication for some connection). Took about a week and we had 90% of our users and passwords figured out.
Even better you can do something like the following: post-auth { Post-Auth-Type REJECT { # Log rejects into database sql } } We use this to log failed auths directly into sql. I believe you should be able to do the same thing for ACCEPT :-) Note: It uses the "postauth_query" in the sql config file... Cheers -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Ok so Accept doesn't work for MS-CHAP. And I know I can grab the rejected usernames and drop them into the DB so the next time they try to auth it works. I did want to try and avoid rejecting the users and them getting fed up. Someone did mention to me that you can auth a NAS so any auth requests coming from that NAS will be authenticated. Is this right? John
-----Original Message----- From: freeradius-users- bounces+john.williams=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users- bounces+john.williams=eurisp.co.uk@lists.freeradius.org] On Behalf Of Peter Nixon Sent: 03 October 2006 17:42 To: FreeRadius users mailing list Subject: Re: Accepting any login attempt
On Tue 03 Oct 2006 18:45, William wrote:
On Tuesday 03 October 2006 09:18, John Williams wrote:
I need our radius servers to accept any login attempt regardless of what the username is or the password.
Is there a way of doing this?
Yes. You can set a line in your users file like this:
DEFAULT Auth-Type := Accept
If you also have in your radius.conf file:
log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes
Then you should be able to collect the passwords sent to you if you use PAP authentication, from your $ACCOUNTING_PATH/radius.log file.
Since all users will be able to connect, any user/password will work. You will get a lot of bogus ones, but those are easy enough to weed out..
We used this to collect passwords from our users without having to re-contact them when we had a major failure (Still using system password files for authentication for some connection). Took about a week and we had 90% of our users and passwords figured out.
Even better you can do something like the following:
post-auth { Post-Auth-Type REJECT { # Log rejects into database sql } }
We use this to log failed auths directly into sql. I believe you should be able to do the same thing for ACCEPT :-)
Note: It uses the "postauth_query" in the sql config file...
Cheers
--
Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
-- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.0.407 / Virus Database: 268.12.12/462 - Release Date: 03/10/2006
-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.0.407 / Virus Database: 268.12.13/463 - Release Date: 04/10/2006
"John Williams" <john.williams@eurisp.co.uk> wrote:
Someone did mention to me that you can auth a NAS so any auth requests coming from that NAS will be authenticated. Is this right?
Sort of, but for your purposes, no. You *can* do: DEFAULT Client-IP-Address == 1.2.3.4, Auth-Type := Accept Which is "authenticate all requests from NAS 1.2.3.4". But it's no different than the previous problems with Auth-Type := Accept. The problem you're running into is not the NAS, it's the software on the end user machine. It's doing MS-CHAP, and the NAS is just blindly passing traffic back and forth. Anyways, I explain this in more detail in my book. It should be done by Christmas. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
John Williams wrote:
Ok so Accept doesn't work for MS-CHAP. And I know I can grab the rejected usernames and drop them into the DB so the next time they try to auth it works.
I did want to try and avoid rejecting the users and them getting fed up.
Someone did mention to me that you can auth a NAS so any auth requests coming from that NAS will be authenticated. Is this right?
It's impossible with MS-CHAP. In MS-CHAP, the server validates the client (which you can just skip) but the client also validates the server - if the server doesn't have the password, this will fail. So, impossible with MS-CHAP, and in fact CHAP. Only possible with PAP
participants (5)
-
Alan DeKok -
John Williams -
Peter Nixon -
Phil Mayers -
William