two different enable passwords.
Ivan Lago
ivan.lago at ifom-ieo-campus.it
Wed Sep 12 11:55:17 CEST 2007
Not exactly what you want to do, but you could set the reply item
cisco-avpair = "shell:priv-lvl=15"
on the user entries and rely on huntgroups to say who can log in where;
with this the users will log in using THEIR own password and receive an
enable 15 access shell.
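As an added illustration (this is not from Ivan's message, ashish's message or the FreeRADIUS project), here is how the huntgroups and users files could be laid out for both behaviours: the huntgroup-scoped priv-lvl reply Ivan describes, and, for the original question, a separate enable password per huntgroup. It relies on the fact that Cisco IOS sends the fixed username $enab15$ when enable (level 15) is authenticated against RADIUS, which the thread does not mention; the NAS addresses, secrets and LDAP group names are constructed placeholders, and the Ldap-Group check items assume rlm_ldap is in the authorize section with group lookups configured.

```text
# /etc/raddb/huntgroups  (added example; the NAS addresses are constructed)
# The preprocess module sets Huntgroup-Name from the NAS that sent the request.
switches    NAS-IP-Address == 192.0.2.10
switches    NAS-IP-Address == 192.0.2.11
routers     NAS-IP-Address == 192.0.2.20

# /etc/raddb/users  (added example)
# Entries are tried top to bottom; the first match wins unless it sets Fall-Through.

# Option A (the original question): a different enable secret per huntgroup.
# IOS sends the literal username $enab15$ for enable-level-15 authentication.
$enab15$    Huntgroup-Name == "switches", Cleartext-Password := "SWITCH-ENABLE-PLACEHOLDER"
$enab15$    Huntgroup-Name == "routers",  Cleartext-Password := "ROUTER-ENABLE-PLACEHOLDER"
# A device that is in no known huntgroup gets no enable secret at all.
$enab15$    Auth-Type := Reject

# Option B (Ivan's suggestion): users log in with their own LDAP password and
# land directly in privilege 15; the huntgroup decides which devices accept them.
# Ldap-Group values are assumed group names, not something from the thread.
DEFAULT     Huntgroup-Name == "routers", Ldap-Group == "netops-routers"
            Service-Type = NAS-Prompt-User,
            cisco-avpair = "shell:priv-lvl=15"

DEFAULT     Huntgroup-Name == "switches", Ldap-Group == "netops-switches"
            Service-Type = NAS-Prompt-User,
            cisco-avpair = "shell:priv-lvl=15"

# Anything else (unknown NAS, or a user outside the right group) is rejected.
DEFAULT     Auth-Type := Reject
```

With Option B a matching user never sees the enable prompt, so the Option A secrets only come into play for sessions that did not receive priv-lvl 15. Option B also means every privileged command is tied to an individual account rather than to a secret shared by everyone who knows the enable password, which is what you want in the device logs afterwards. Check with `radiusd -X` that preprocess runs before files in the authorize section, otherwise Huntgroup-Name is not yet set when the users file is evaluated.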
ashish verma wrote:
> Hi all,
>
> I have radius-ldap setup for authenticating network devices.
>
> I have a small doubt here.
>
> Is it possible to have different enable passwords for different
> huntgroups?
>
> For example, I have 2 huntgroups: one for Cisco switches and one for Cisco
> routers, and I want to have different enable passwords for both.
>
> Currently I have only one entry for the enable password and that is common
> for all the Cisco devices.
>
>
> On 9/10/07, freeradius-users-request at lists.freeradius.org wrote:
>
>
> Today's Topics:
>
> 1. RE: Freeradius+Active directory - router login authentciation
> (Rakesh Jha)
> 2. Re: Freeradius doesn't detect EAP when authenticating against
> MySQL (Andrew Rowson)
> 3. RE : LOGs of eap-tls authentication (inelec communication)
> 4. Re: Freeradius doesn't detect EAP when authenticating against
> MySQL (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Sep 2007 09:21:42 +0300
> From: "Rakesh Jha" <rakesh at burgan.com <mailto:rakesh at burgan.com>>
> Subject: RE: Freeradius+Active directory - router login authentciation
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org
> <mailto:freeradius-users at lists.freeradius.org>>
> Message-ID:
> <
> A928C53C7FC96746A7C07338F009DCA00C4D37 at BB-MAIL.main.burgan.bnk
> <mailto:A928C53C7FC96746A7C07338F009DCA00C4D37 at BB-MAIL.main.burgan.bnk>>
> Content-Type: text/plain; charset="us-ascii"
>
> Alan,
>
> Please see the complete output of radiusd -X as following -
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/proxy.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/eap.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> pap: auto_header = yes
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = yes
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-burgan_dom} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "(null)"
> tls: random_file = "/dev/urandom"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap_tls: Unable to open DH file - (null)
> rlm_eap: Failed to initialize type tls
> radiusd.conf[10]: eap: Module instantiation failed.
> radiusd.conf[1962] Unknown module "eap".
> radiusd.conf[1909] Failed to parse authenticate section.
>
> As you have written 'as are most "helpful" pages not on freeradius.org',
> can you please suggest some links which guide correctly to configure
> radius, openssl and active directory.
>
> Thanks a lot,
> Rakesh Jha
>
> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> <mailto:freeradius-users-bounces at lists.freeradius.org>
> [mailto:freeradius-users-bounces at lists.freeradius.org
> <mailto:freeradius-users-bounces at lists.freeradius.org>] On Behalf
> Of Alan
> DeKok
> Sent: Monday, September 10, 2007 8:35 AM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius+Active directory - router login authentciation
>
> Rakesh Jha wrote:
> ...
> > After following FreeRADIUS Tutorial for AD integration I am not able to
> > start radius daemon as it complains -
> >
> > radiusd.conf[10]: eap: Module instantiation failed.
> > radiusd.conf[1962] Unknown module "eap".
> > radiusd.conf[1909] Failed to parse authenticate section.
>
> I'm at a bit of a loss for why so many people are so insistent on
> removing all useful messages.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Sep 2007 08:47:09 +0100
> From: Andrew Rowson <freeradius at growse.com
> <mailto:freeradius at growse.com>>
> Subject: Re: Freeradius doesn't detect EAP when authenticating
> against
> MySQL
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org
> <mailto:freeradius-users at lists.freeradius.org>>
> Message-ID: <
> b03eaa106466517b3d809c38044273f9 at ticklemail.mrmen.home
> <mailto:b03eaa106466517b3d809c38044273f9 at ticklemail.mrmen.home>>
> Content-Type: text/plain; charset="UTF-8"
>
>
>
> On Mon, 10 Sep 2007 07:31:04 +0200, Alan DeKok <
> aland at deployingradius.com <mailto:aland at deployingradius.com>>
> wrote:
> > Andrew Rowson wrote:
> >> Looking over it, it seems that a problem comes up with the MSCHAP bit:
> >>
> >> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> >> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> >> rlm_mschap: Told to do MS-CHAPv2 for growse with NT-Password
> >> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> >> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> >> modcall[authenticate]: module "mschap" returns reject for request 14
> >>
> >> This appears to imply that there's no User-Password entry found anywhere
> >> for the user in the database. This would be correct, as the attribute in
> >> the radcheck table is set to Cleartext-Password. Anything other than
> >> Cleartext-Password and freeradius doesn't attempt an auth-type of EAP,
> >> but Local instead, going back to my original problem.
> >
> > What does the database contain? Cleartext-Password == password,
> > or Cleartext-Password := password ?
> >
>
> The database contains Cleartext-Password == password. I've tried it with
> :=, but if I remember correctly that fails as well, with the Auth-type
> being set to local again. I'll see if I can get a log of that failure as
> well, if it'd be helpful?
>
> Andrew
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
> From: inelec communication <inelec_communication at yahoo.fr
> <mailto:inelec_communication at yahoo.fr>>
> Subject: RE : LOGs of eap-tls authentication
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org
> <mailto:freeradius-users at lists.freeradius.org>>
> Message-ID: < 60722.76768.qm at web26011.mail.ukl.yahoo.com
> <mailto:60722.76768.qm at web26011.mail.ukl.yahoo.com>>
> Content-Type: text/plain; charset="iso-8859-1"
>
> hello,
> running radius in debug mode doesn't give any log file, I mean
> it doesn't give logs in radiusd.log; if you give me your result
> when you have run radiusd -X -A perhaps I can help
>
> regards
>
>
> anoop_c at sifycorp.com wrote:
>
> Hi
>
> 1. I am using eap-tls authentication. My setup is working well with
> certificates. I am unable to get logs of user login ok or denied in the
> radius.log file
>
> [root at anoop sbin]# radiusd -X -A
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /etc/raddb/proxy.conf
> Config: including file: /etc/raddb/clients.conf
> Config: including file: /etc/raddb/snmp.conf
> Config: including file: /etc/raddb/eap.conf
> Config: including file: /etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: snmp = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = yes
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = yes
> main: log_auth_badpass = yes
> main: log_auth_goodpass = yes
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/etc/1x/07xwifi.pem"
> tls: certificate_file = "/etc/1x/07xwifi.pem"
> tls: CA_file = "/etc/1x/root.pem"
> tls: private_key_password = "password"
> tls: dh_file = "/etc/1x/DH"
> tls: random_file = "/etc/1x/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
> WARNING: Fix this by running the OpenSSL command listed in eap.conf
> rlm_eap: Loaded and initialized type tls
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/etc/raddb/huntgroups"
> preprocess: hints = "/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/etc/raddb/users"
> files: acctusersfile = "/etc/raddb/acct_users"
> files: preproxy_usersfile = "/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/usr/local/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
> 2. I am using certificate based authentication so do I need to edit
> anything in the users file?
>
> Thanks and regards
> Anoop
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 10 Sep 2007 11:15:58 +0200
> From: Alan DeKok <aland at deployingradius.com
> <mailto:aland at deployingradius.com>>
> Subject: Re: Freeradius doesn't detect EAP when authenticating
> against
> MySQL
> To: freeradius at growse.com
> <mailto:freeradius at growse.com>, FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org
> <mailto:freeradius-users at lists.freeradius.org>>
> Message-ID: <46E50B4E.9050407 at deployingradius.com
> <mailto:46E50B4E.9050407 at deployingradius.com>>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Andrew Rowson wrote:
> > The database contains Cleartext-Password == password. I've tried it with
> > :=, but if I remember correctly that fails as well,
>
> Use := for Cleartext-Password.
>
> > with the Auth-type
> > being set to local again. I'll see if I can get a log of that failure as
> > well, if it'd be helpful?
>
> No.
>
> Upgrade to 1.1.7, I think it solves this problem.
>
> Alan DeKok.
>
>
> ------------------------------
>
>
>
> End of Freeradius-Users Digest, Vol 29, Issue 25
> ************************************************
>
>
> ------------------------------------------------------------------------
>