Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Someone will for SURE yell at you for using something that old. Or, they'll just ignore you. That is a weird a$$ problem for sure! Why can't you upgrade? At LEAST to the latest 1.x version? -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of discgolfer72 Sent: Wednesday, December 15, 2010 5:36 PM To: freeradius-users@lists.freeradius.org Subject: Password oddity Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
I guess that would be my next step. Anyone else out there seen this particular issue? -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307212.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi Gary, I'm from Northern Lights school Division 69, We run Sles 10, with OES2 SP2 services on it, and are using edirectory 8.8 SP5 (I think the newest one), and guess what, I'm using radius 2.1.9, and it works like a hot damn. I think i can help you :) I have Freeradius, Authenticating against edir, with about 300+ users. My authetication uses the secure certificate from the Novell OES2 server embedded into freeradius, and I have no authentication issues (Other than the users choking out the access points with youtube ;) my config even follows edir policy, IE disables accounts, time frames etc. Let me know if you're interested in that. Matt Anyways, I could probably modify my instructions to meet your sites needs. Matthew Stavert ITSM, ACMT Information Systems Analyst NLSD. 69 PH: 780-826-3145 Cell: 780-207-1146
Gary Gatten <Ggatten@waddell.com> 12/15/2010 4:52 PM >>> Someone will for SURE yell at you for using something that old. Or, they'll just ignore you.
That is a weird a$$ problem for sure! Why can't you upgrade? At LEAST to the latest 1.x version? -----Original Message----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of discgolfer72 Sent: Wednesday, December 15, 2010 5:36 PM To: freeradius-users@lists.freeradius.org Subject: Password oddity Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Absolutely. I'm interested! We've just set up a fresh SLES10 box fully patched to see if we still have the same issue with it. I'm about to test that shortly as I still need to install FreeRadius and configure it. I just don't know if it's an authentication issue since the NTRadPing utility works/logs in but the two WAP's we've tried to use do not (the odd password behavior problem). Thanks for offering! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3308642.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Okay, let me update the docs a bit and get back to you :) Matthew Stavert ITSM, ACMT Information Systems Analyst NLSD. 69 PH: 780-826-3145 Cell: 780-207-1146
discgolfer72 <ben@lewisit.net> 12/16/2010 2:28 PM >>>
Absolutely. I'm interested! We've just set up a fresh SLES10 box fully patched to see if we still have the same issue with it. I'm about to test that shortly as I still need to install FreeRadius and configure it. I just don't know if it's an authentication issue since the NTRadPing utility works/logs in but the two WAP's we've tried to use do not (the odd password behavior problem). Thanks for offering! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3308642.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'll do ya one better, I'll make you a screen cast, and then pass you my config files, because, I am doing a new radius server on a fresh install for a new school right now, so that way you can just follow along, and it should work perfect once you;re done :) Matthew Stavert ITSM, ACMT Information Systems Analyst NLSD. 69 PH: 780-826-3145 Cell: 780-207-1146
discgolfer72 <ben@lewisit.net> 12/16/2010 2:28 PM >>>
Absolutely. I'm interested! We've just set up a fresh SLES10 box fully patched to see if we still have the same issue with it. I'm about to test that shortly as I still need to install FreeRadius and configure it. I just don't know if it's an authentication issue since the NTRadPing utility works/logs in but the two WAP's we've tried to use do not (the odd password behavior problem). Thanks for offering! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3308642.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fabulous!!!! Thank you, thank you, thank you! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3308662.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Where do you play disc golf? -----Original Message----- From: freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org] On Behalf Of discgolfer72 Sent: Wednesday, December 15, 2010 3:36 PM To: freeradius-users@lists.freeradius.org Subject: Password oddity Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p330717 4.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mainly Tennessee. You? Sent via DROID on Verizon Wireless -----Original message----- From: "John Tabasz (jtabasz)" <jtabasz@cisco.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Thu, Dec 16, 2010 00:12:43 GMT+00:00 Subject: RE: Password oddity Where do you play disc golf? -----Original Message----- From: freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org] On Behalf Of discgolfer72 Sent: Wednesday, December 15, 2010 3:36 PM To: freeradius-users@lists.freeradius.org Subject: Password oddity Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p330717 4.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nice. I have switched to basketball for the time being but DeLaveaga is my home course in Santa Cruz CA. Love it. From: freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org] On Behalf Of Ben Lewis Sent: Wednesday, December 15, 2010 4:19 PM To: FreeRadius users mailing list Subject: RE: Password oddity Mainly Tennessee. You? Sent via DROID on Verizon Wireless -----Original message----- From: "John Tabasz (jtabasz)" <jtabasz@cisco.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Thu, Dec 16, 2010 00:12:43 GMT+00:00 Subject: RE: Password oddity Where do you play disc golf? -----Original Message----- From: freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+jtabasz=cisco.com@lists.freeradius.org] On Behalf Of discgolfer72 Sent: Wednesday, December 15, 2010 3:36 PM To: freeradius-users@lists.freeradius.org Subject: Password oddity Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p330717 4.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
discgolfer72 wrote:
Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password.
As *always*, run the server in debugging mode to see what's going on. You should see what the server receives.
For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again.
There is nothing in the default configuration which does this kind of thing.
Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version.......
Then ask Novell for support. It's really not that hard. If you have a supported version, as the people who support it for help. If you want our advice, use the version *we* support.
Has anyone seen this behavior before and if so, know how to fix it?
Upgrade to 2.1.10. Alan DeKok.
Sounds like it's authenticating but failing on authorization. If it authenticates correctly but the proper attributes aren't returned it will fail on authorization and the edirectory code will force a failed login by changing a character in the password. If edirectory is set up to lock the account on a number of failed logins a repeated attempt to login when not authorized to use wireless will lock out the account. Make sure you have the proper radius attributes in the edirectory schema and the users are properly set up for radius authentication. That's about all I can help with. We ditched edirectory a few years back so I can't go much further than that. -----Original Message----- From: freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu@lists.freeradius.org] On Behalf Of discgolfer72 Sent: Wednesday, December 15, 2010 5:36 PM To: freeradius-users@lists.freeradius.org Subject: Password oddity Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate to our back end LDAP server (eDirectory) w/o problem. However, when we enabled Radius authentication on two separate Wireless access points (Linksys WRT54 and DLink WBR 1310), they both fail authentication because the password they pass (or how FreeRadius interprets the password) changes one letter of the password. For example, we set up a radtest user with a password of radtest. FreeRadius server in debug shows the request come in but passes a password value of aadtest. So, as a test we changed the password to aadtest for the radtest user. The password then came across as badtest. So, we thought we'd change the password to cadtest to see what would happen. Now the password was sent/received as aadtest again. Using NTRadPing utility, we see the request come in, get processed and then login....... Running FreeRadius 1.1.0 as this is the version that Novell "supports." Please don't yell at me on this. Their documentation is based on this version and not the latest version....... Has anyone seen this behavior before and if so, know how to fix it? TIA!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
Alan DeKok -
Ben Lewis -
Danner, Mearl -
discgolfer72 -
Gary Gatten -
John Tabasz (jtabasz) -
Matthew Stavert