Second level authentication..

ashish verma ashish.scit at gmail.com
Fri Jul 20 06:56:23 CEST 2007


Hi Ivan,

What I meant is you type "enable", but the password you give should be
authenticated by the RADIUS server, not the "enable password stored on the
device".
I am not sure whether it is possible or not, but just wanted to know from
the experts.

Thanks,
Ashish


On 7/19/07, freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org> wrote:
>
>
> Today's Topics:
>
>    1. Second level authentication. (ashish verma)
>    2. Re: Second level authentication. (tnt at kalik.co.yu)
>    3. Re: TLS cant connect ldap+freeradius+novell (tnt at kalik.co.yu)
>    4. Re: Quirky question about rewriting usernames (Cliff Cole)
>    5. Re: Second level authentication. (Claudiu Filip)
>    6. Re: TLS cant connect ldap+freeradius+novell (Martin G)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 19 Jul 2007 22:21:30 +0530
> From: "ashish verma" <ashish.scit at gmail.com>
> Subject: Second level authentication.
> To: freeradius-users at lists.freeradius.org
> Message-ID:
>         <11b554120707190951xff545a5j9cb83a1a9b31835d at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Stefan,
>
> I read the document and thanks for giving the link, that was helpful.
>
> Well, I think I put my question in the wrong way.
> Let me put it in a different way.
>
> I don't want the user to go directly into priv mode.
> Through priv level = 15 we directly get into priv level, right?
>
> What I am looking for is that the user first gets into user level and then, with
> another password, into level 2 (not with the enable password). It should be through the
> RADIUS server.
>
>
> Ashish
>
> ------------------------------
>
> Message: 2
> Date: Thu, 19 Jul 2007 18:13:00 +0100
> From: <tnt at kalik.co.yu>
> Subject: Re: Second level authentication.
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <CdxoYguY.1184865180.8635700.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> You want a shell user to get to privilege mode without typing
> "enable" and knowing the enable password? I am quite certain that Cisco
> spent many years making sure that's impossible. If you find a way to do
> that you can blackmail them for a hell of a lot of money.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 19 Jul 2007 18:19:59 +0100
> From: <tnt at kalik.co.yu>
> Subject: Re: TLS cant connect ldap+freeradius+novell
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <YLaGN7JO.1184865599.0231840.tnt at kalik.co.yu>
> Content-Type: text/plain; charset=ISO-8859-2
>
> >Any idea how to type the FQDN !? :(
>
> Well if this was your server:
>
> >http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
> FQDN would be: messenger.msn.click-url.com
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 19 Jul 2007 13:30:23 -0400
> From: "Cliff Cole" <clifflcole at gmail.com>
> Subject: Re: Quirky question about rewriting usernames
> To: "FreeRadius users mailing list"
>         <freeradius-users at lists.freeradius.org>
> Message-ID:
>         <5da254220707191030m47088b8egfec8a097a3d43720 at mail.gmail.com>
> Content-Type: text/plain; charset=WINDOWS-1252; format=flowed
>
> Once again.  I am backwards on my wording, I am so sorry.  This should
> be correct.
>
> IF the username does have @domain.com and NAS = "NAS A"
> THEN continue with username as is
>
> IF the username does not have @domain.com and NAS = "NAS A"
> THEN append the @domain.com
>
> I have been trying the hints file.  I'm able to append @domain.com but
> do not know how to check for @domain.com and continue if the
> @domain.com is present.
>
> Here is what I have in my hints file.
>
> DEFAULT NAS-IP-Address == "255.255.255.255"
>         User-Name := "%{User-Name}@domainname.com"
>
> This part works great and hopefully I'm FINALLY clear on what I'm
> trying to accomplish.
>
> Cliff
>
>
> On 7/19/07, tnt at kalik.co.yu <tnt at kalik.co.yu> wrote:
> > How about the other way around:
> >
> > IF the username does not have @domain.com and NAS = "NAS A"
> > THEN continue with username as is
> >
> > IF the username has @domain.com and NAS = "NAS A"
> > THEN strip @domain.com
> >
> > That works by default. If you want to keep it the other way around have a
> > look at the hints file.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> >
> >
> > On 19/7/2007, "Cliff Cole" <clifflcole at gmail.com> wrote:
> >
> > >Thanks for the reply.  I'm new to free radius and have been
> > >overwhelmed with documentation the past few days.  Let me explain in
> > >some logic and maybe I can make some sense as to what I'm trying to
> > >do.
> > >
> > >User authentication comes from "NAS A"
> > >
> > >IF the username does not have @domain.com and NAS = "NAS A"
> > >THEN append @domain.com
> > >
> > >IF the username has @domain.com and NAS = "NAS A"
> > >THEN continue with username as is.
> > >
> > >Hope this helps to clear up what I'm trying to do.  I apologize for
> > >not being very clear.
> > >
> > >Thanks
> > >
> > >Cliff
> > >
> > >
> > >
> > >On 7/19/07, Pshem Kowalczyk <pshem.k at gmail.com> wrote:
> > >> Hi
> > >>
> > >> On 19/07/07, Cliff Cole <clifflcole at gmail.com> wrote:
> > >> > Hello all.
> > >> >
> > >> > Here is my issue.  This is very weird and would only affect one NAS.
> > >> > I'm not sure freeradius is capable of this.  I want a username that
> > >> > comes in to check for an @domainname.  If the domainname is there I
> > >> > want it to be stripped and added back later.  If the domainname is not
> > >> > there I'd like it to continue and have the domainname added later in
> > >> > the authentication process.  I hope this makes sense and any help is
> > >> > appreciated.
> > >>
> > >> What do you mean by 'later'? You can definitely check for the presence
> > >> of a domain; you can strip it and add it again. You just have to define
> > >> the flow. rlm_attr will be of help to you (for both stripping and
> > >> adding).
> > >>
> > >> kind regards
> > >> Pshem
> > >> -
> > >> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> > >>
> > >
> > >
> >
> >
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 19 Jul 2007 20:44:04 +0300
> From: Claudiu Filip <claudiu at globtel.ro>
> Subject: Re: Second level authentication.
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <1943345512.20070719204404 at globtel.ro>
> Content-Type: text/plain; charset="us-ascii"
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 19 Jul 2007 20:11:01 +0200
> From: "Martin G" <kapten_kanelbulle at hotmail.com>
> Subject: Re: TLS cant connect ldap+freeradius+novell
> To: freeradius-users at lists.freeradius.org
> Message-ID: <BAY123-F2155EC5301E6D887A0E9CB8AFB0 at phx.gbl>
> Content-Type: text/plain; format=flowed
>
> I've found the following on the novellserver (CA-service):
> Distinguished name: WIFITREE CA.Security
> Host server: NW1.SYSTEM.WIFI
>
> "NW1" would be the servername and "NW1.SYSTEM.WIFI" the FQDN?
> I added the info in all kinds of sorts in my hosts-file to the novell-ip on
> the linux-server but still no progress :( Still:
>
> ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi
> "cn=lotta"
> ldap_initialize( ldap://wifi )
> ldap_start_tls: Connect error (-11)
>         additional info: TLS: hostname does not match CN in peer certificate
> filter: cn=lotta
> requesting: All userApplication attributes
>
> Any good idea!?
> (I've added the novell-server's dns-ip to the ifconfig-dns of the linux also,
> but no help from that either).
>
> /Mr G
>
>
> >From: "Martin G" <kapten_kanelbulle at hotmail.com>
> >Reply-To: FreeRadius users mailing list
> ><freeradius-users at lists.freeradius.org>
> >To: freeradius-users at lists.freeradius.org
> >Subject: Re: TLS cant connect ldap+freeradius+novell
> >Date: Thu, 19 Jul 2007 18:05:22 +0200
> >
> >Subject of the novell-server-certificate is : O = WIFITREE
> >OU = Organizational CA
> >And that's no FQDN!?
> >(I exported it from the novell as a .der and extracted it to see the
> >subject, maybe the wrong way to do it? I haven't exported the private key with
> >either the .b64 or the .der and that shouldn't matter?)
> >
> >*output from novell*
> >Subject name: OU=Organizational CA.O=WIFITREE
> >Issuer name: OU=Organizational CA.O=WIFITREE
> >Effective date: den 22 oktober 2005 23:04:08
> >Expiration date:  den 22 oktober 2015 23:04:08
> >Certificate status: Valid
> >
> >Any idea how to type the FQDN !? :(
> >
> >(Thx for all the good answers this far!)
> >
> >/Mr G
> >
> >
> > >From: "Reimer Karlsen-Masur, DFN-CERT" <karlsen-masur at dfn-cert.de>
> > >Reply-To: FreeRadius users mailing list
> > ><freeradius-users at lists.freeradius.org>
> > >To: FreeRadius users mailing list <
> freeradius-users at lists.freeradius.org>
> > >Subject: Re: TLS cant connect ldap+freeradius+novell
> > >Date: Thu, 19 Jul 2007 17:51:24 +0200
> > >
> > >Hmmmmm.
> > >
> > >Martin G wrote:
> > > > Sorry, when I tried to rehash my certificate, I'd changed its path, but
> > > > now it's back and I got a new output from my ldapsearch-command:
> > > >
> > > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > > > ldap_initialize( ldap://10.10.0.11 )
> > > > ldap_start_tls: Connect error (-11)
> > > >         additional info: TLS: hostname does not match CN in peer certificate
> > >
> > >What is the CN in the SubjectDN of the ldap server's certificate? Is it a
> > >FQDN?
> > >
> > >If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
> > >server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
> > >
> > >Is above warning going away?
> > >
> > > > filter: cn=lotta
> > > > requesting: All userApplication attributes
> > > > # extended LDIF
> > > > #
> > > > # LDAPv3
> > > > # base <ou=adm,ou=malmo,o=wifi> with scope subtree
> > > > # filter: cn=lotta
> > > > # requesting: ALL
> > > > #
> > > >
> > > > # lotta, ADM, MALMO, WIFI
> > > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > > > zenzfdVersion::
> > >
> > >Something is at least working. It's not SSL secured though.
> > >
> > >...
> > > >
> > > > I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > > > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > > > as I did forget before.
> > >
> > >slapd.conf is the config file of the openldap *server*. Messing with this
> > >file should not change anything. Or was that a typo?
> > >
> > > > Do I need to convert the certificate to .pem, and how, if the c_rehash
> > > > doesn't work?
> > >
> > >If tls_cacertdir is not set, then don't use c_rehash.
> > >
> > >Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
> > >certificates of the CA certificate chain that is needed to validate your
> > >ldap server's certificate. Concatenate these PEM formatted CA certs into this
> > >single ASCII file.
> > >
> > >And I forgot, set ldap_debug to -1 in the radius config file.
> > >
> > >Don't send your ldap server's password in log files ;-)
> > >
> > >...
> > > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = "10.10.0.11"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = "cn=admin,o=wifi"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = "(null)"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = "(null)"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = "(null)"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = "(null)"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = "allow"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = "novell"
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = "ou=adm,ou=malmo,o=wifi"
> > >...
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
> > > > Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no
> > >
> > >--
> > >Beste Gruesse / Kind Regards
> > >
> > >Reimer Karlsen-Masur
> > >
> > >DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> > >--
> > >Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> > >DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> > >Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
> >
> >
> >
> >
> >
> >
> >
>
>
>
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 27, Issue 126
> *************************************************
>
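The "TLS: hostname does not match CN in peer certificate" error in Martin's ldapsearch output comes from the client comparing the name it was given (first the IP 10.10.0.11, later the FQDN) against the names carried by the certificate the server presents. The following is an added example, not code from the thread or from OpenLDAP, that reproduces that comparison in Python on constructed certificate descriptions: the self-signed CA certificate whose subject Martin posted (it has no CN at all) and a hypothetical server certificate with CN NW1.SYSTEM.WIFI, which the thread never shows.

```python
import ipaddress

# Constructed certificate descriptions in the shape ssl's getpeercert() returns.
# CA_CERT mirrors the subject Martin posted (no CN, subject == issuer);
# SERVER_CERT is a hypothetical LDAP server leaf whose CN is the FQDN.
CA_SUBJECT = ((("organizationalUnitName", "Organizational CA"),),
              (("organizationName", "WIFITREE"),))
CA_CERT = {"subject": CA_SUBJECT, "issuer": CA_SUBJECT}
SERVER_CERT = {"subject": ((("commonName", "NW1.SYSTEM.WIFI"),),
                           (("organizationName", "WIFITREE"),)),
               "issuer": CA_SUBJECT}

def is_self_signed(cert):
    # subject == issuer marks a root CA certificate, not the server's leaf
    return cert.get("subject") == cert.get("issuer")

def claimed_names(cert):
    # dNSName/iPAddress SANs win; the subject CN is only a fallback (RFC 6125)
    sans = [(k, v) for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    return sans or [("DNS", v) for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def dns_matches(pattern, hostname):
    # case-insensitive labels; "*" allowed only as the whole leftmost label
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def hostname_matches(cert, hostname):
    # the check behind "TLS: hostname does not match CN in peer certificate";
    # an IP literal only ever matches an iPAddress SAN, never a CN
    names = claimed_names(cert)
    if not names:
        return False, "no SAN and no CN: is this the CA certificate?"
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in names:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, "iPAddress SAN " + value
        if ip is None and kind == "DNS" and dns_matches(value, hostname):
            return True, "matches " + value
    return False, hostname + " is not among " + ", ".join(v for _, v in names)
```

The exported WIFITREE certificate is the CA's own (its subject equals its issuer), so its subject can never satisfy this check; what has to match the -h argument is the CN or SAN of the leaf certificate the LDAP server actually presents, and that leaf is what the concatenated chain in tls_cacertfile validates.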

