Re: Help: FreeRadius Users with multiple passwords
Hi, Thanks for your reply :) I have a better news that: By using OpenLDAP for FR Authen & Authorization => I can configure multiple passwords for each user (Uid) and use 1 of those passwords for successfully Authentication! Although it is done manually now, but somehow it solves the matter ! If anyone have experienced this, please give some advices ! Example: How to do it automatically or How to create a pool of passwords then use the pool for multiple users :) Regards! Message: 3 Date: Tue, 15 Nov 2011 16:09:29 +0700 From: "Fajar A. Nugraha" <list@fajar.net> Subject: Re: Help: FreeRadius Users with multiple passwords To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <CAG1y0sffWuNVw08KH5XT8_Ny3NLCe=NFWB4U+=WEXFcmiQ0FoA@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 On Tue, Nov 15, 2011 at 4:00 PM, Duong Manh Truong <ngoahotanglongbk@gmail.com> wrote:
Hi all, I have encounter with an issue and can not find the solution after several days of thinking :( I set up FreeRadius & Mysql successfully, testing with some account ok, but my real case: Lot of my users?have more than 1 passwords,
Example: User: "truongdm" comes with the password "abc123" or the password "123abc" is both ok
Short version: you can't. Long version: it's doable, but ONLY if: - your user sends clear-text password (read: not using MSCHAP or PEAP-MS-CHAP v2, which is the one most often used by windows clients) - you create additional logic to handle authentication, either using unlang or external script (perl, php, whatever). Hint: see http://wiki.freeradius.org/Auth%20Type . Your additional logic would have to set Auth-Type := Accept when conditions (e.g. password) match. -- Fajar ------------------------------ Vào 18:00 Ngày 15 tháng 11 năm 2011, < freeradius-users-request@lists.freeradius.org> đã viết:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: EAP-TLS CRL checking when multiple CAs used (Martin ?mel?k) 2. Help: FreeRadius Users with multiple passwords (Duong Manh Truong) 3. Re: Help: FreeRadius Users with multiple passwords (Fajar A. Nugraha) 4. Re: mysql module help (Alan DeKok) 5. Re: Issues with EAP-TLS and OpenSSL (Alan DeKok) 6. Re: PEAP/mschapv2 - opendirectory (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Tue, 15 Nov 2011 09:23:23 +0100 From: Martin ?mel?k <martin.cmelik@gmail.com> Subject: Re: EAP-TLS CRL checking when multiple CAs used To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <CAGfF+_KCtw6Bet1JMxXJEijmF1dJTK2CekaiXoztVTifpuYOfA@mail.gmail.com
Content-Type: text/plain; charset=UTF-8
Hi all,
problem has been on my side. I miss to add another one CRL into certs directory.
Thank you for all your help!
Best regards,
? Martin ?mel?k
2011/11/14 Martin ?mel?k <martin.cmelik@gmail.com>:
Hi Alan,
I did, there is nothing about it.
Only this:
# ?Check the Certificate Revocation List # # ?1) Copy CA certificates and CRLs to same directory. # ?2) Execute 'c_rehash <CA certs&CRLs Directory>'. # ? ?'c_rehash' is OpenSSL's command. # ?3) uncomment the line below. # ?5) Restart radiusd # ? ? ? check_crl = yes
We have all CAs in ca.pem and CRL lists in separate file crl1.pem+.der, crl2.pem+.der, ect...
Stefan,
that's what I did. OK I will try to do same thing with previous configuration. Maybe that I miss something.
Thank you
? Martin ?mel?k
2011/11/14 Alan DeKok <aland@deployingradius.com>:
Martin ?mel?k wrote:
Question is: When Freeradius receive user certificate how daemon find correct CRL list in certs directory?
?Read raddb/eap.conf. ?This is documented.
?Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
Message: 2 Date: Tue, 15 Nov 2011 16:00:27 +0700 From: Duong Manh Truong <ngoahotanglongbk@gmail.com> Subject: Help: FreeRadius Users with multiple passwords To: freeradius-users@lists.freeradius.org Message-ID: <CAPY3iihX7xHE_kH5+yDB6Fv9=+FSwxVEoOM1R5FtmC8YnZo41A@mail.gmail.com
Content-Type: text/plain; charset="iso-8859-1"
Hi all,
I have encounter with an issue and can not find the solution after several days of thinking :(
I set up FreeRadius & Mysql successfully, testing with some account ok,
but my real case: Lot of my users *have more than 1 passwords*,
Example: User: "truongdm" comes with the password "abc123" or the password "123abc" is both ok
Please help me: How can i set it up?
- I try to insert serveral records with the same "username" and difference "value" - password- in the "radcheck" table but at one time, the server accept 1 pair of "username/value" only :(
- I try to edit the file "users" manually but no help .....
Anyone has had this matter, please help me find the direction!
Thanks & Best Regards!
On Fri, Nov 18, 2011 at 6:20 PM, Duong Manh Truong <ngoahotanglongbk@gmail.com> wrote:
Hi, Thanks for your reply :) I have a better news that: By using OpenLDAP for FR Authen & Authorization => I can configure multiple passwords for each user (Uid) and use 1 of those passwords for successfully Authentication!
you mean put it in different ldap attribute?
Although it is done manually now, but somehow it solves the matter ! If anyone have experienced this, please give some advices ! Example: How to do it automatically
You can't. LDAP attributes gets mapped to radius attribute (both check and reply items). You can't just go and say "hey, if the user can't authenticate with this attribute, then try that attribute". At least not without the hack I mentioned above. Then again, it's entirely possible that I misunderstood what you said. You're not being clear or specific about how you "can configure multiple passwords for each user" ... and PLEASE remove unneeded emails when replying from digest. It's confusing, wasting time and bandwidth, and have no benefit whatsoever. -- Fajar
On 11/18/2011 06:20 AM, Duong Manh Truong wrote:
Hi, Thanks for your reply :)
I have a better news that: By using OpenLDAP for FR Authen & Authorization => I can configure multiple passwords for each user (Uid) and use 1 of those passwords for successfully Authentication!
Although it is done manually now, but somehow it solves the matter !
If anyone have experienced this, please give some advices ! Example: How to do it automatically or How to create a pool of passwords then use the pool for multiple users :)
Not exactly sure what you did, ldap does have the concept of multi-valued attributes but that won't be of any use to you even if you set multiple values for one attribute type (e.g. name). Why? The radius server can only use one password for a user, not exactly sure what it will do if it get more than one back from ldap, I assume it just picks the first one (where first is probably non-deterministic). The bottom line is there must be a one-to-one mapping between users and passwords. User's should have just one password, this is good practice. If you want to write custom code you can bypass the limitation but really really don't want to do that. Accept it as a given, 1 user, 1 password Also please be courteous and trim your emails of non-relevant text. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (3)
-
Duong Manh Truong -
Fajar A. Nugraha -
John Dennis