How to implement two possible passwords? (one for PEAP and the other for TTLS)
Ivan Kalik
tnt at kalik.net
Wed Apr 30 14:50:26 CEST 2008
1) Leave as it is.
http://www.freeradius.org/features/virtual_servers.html
2) Create a virtual server for peap and send peap requests to it. In the
users file for that server enter:
DEFAULT Cleartext-Password := whatever
You don't need radiusPassword attribute at all.
Ivan Kalik
Kalik Informatika ISP
Dana 30/4/2008, "Sergio Belkin" <sebelk at gmail.com> piše:
>Hi,
>
>I've added a new attribute called "radiusPassword"; this is a clear-text
>password exclusively for radius usage. I want that:
>
>1) All Linux, Mac OS X, and Windows users who want to and can
>install (or have already installed and configured) securew2 use their
>usual encrypted userPassword. (EAP-TTLS)
>2) All users who don't want to install securew2 (Windows users) and
>want to use PEAP instead of TTLS use the radiusPassword as their password
>for access to the wireless network.
>
>How can I do that? These are my current config files:
>
>----------
>radiusd.conf
>----------------
>
># Installation layout; every later path is derived from ${prefix}.
>prefix = /usr/local-2.0.2
>exec_prefix = ${prefix}
>sysconfdir = ${prefix}/etc
>localstatedir = ${prefix}/var
>sbindir = ${exec_prefix}/sbin
>logdir = ${localstatedir}/log/radius
>raddbdir = ${sysconfdir}/raddb
>radacctdir = ${logdir}/radacct
>confdir = ${raddbdir}
>run_dir = ${localstatedir}/run/radiusd
># NOTE(review): written as $(...) while every other reference in this file uses ${...};
># presumably this is not expanded, so the counter and ippool paths built from ${db_dir}
># below would come out literal -- confirm against the running server.
>db_dir = $(raddbdir)
>libdir = ${exec_prefix}/lib
>pidfile = ${run_dir}/radiusd.pid
># The daemon runs as this unprivileged user/group; key and database files referenced
># below only need to be readable by it.
>user = radiusd
>group = radiusd
>max_request_time = 30
>cleanup_delay = 5
>max_requests = 1024
># Authentication listener, bound to one address rather than all interfaces.
>listen {
> type = auth
> ipaddr = 190.69.213.5
> # port = 0 selects the default port for this listener type.
> port = 0
>}
># Accounting listener on the same address; port = 0 again means the type's default port.
>listen {
> ipaddr = 190.69.213.5
> port = 0
> type = acct
>}
>hostname_lookups = no
># A core dump would contain in-memory credentials (bind password, shared secrets,
># TLS key); keep this disabled on a production server.
>allow_core_dumps = no
>regular_expressions = yes
>extended_expressions = yes
>log {
> destination = files
> file = ${logdir}/radius.log
> syslog_facility = daemon
> stripped_names = yes
> # Authentication attempts are logged, but the submitted password is written in
> # neither the failure nor the success case.
> auth = yes
> auth_badpass = no
> auth_goodpass = no
>}
># External helper used for simultaneous-use checks against the NAS.
>checkrad = ${sbindir}/checkrad
>security {
> # Upper bound on attributes accepted in a single packet (guards against malformed requests).
> max_attributes = 190
> # Seconds to wait before sending Access-Reject; slows down password guessing.
> reject_delay = 1
> status_server = yes
>}
>proxy_requests = no
>$INCLUDE proxy.conf
># clients.conf (not shown) is where the NAS definitions and their shared secrets live.
>$INCLUDE clients.conf
>snmp = no
>$INCLUDE snmp.conf
># Worker thread limits.
>thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> # 0 presumably disables periodic recycling of worker threads -- confirm against the stock comments.
> max_requests_per_server = 0
>}
>modules {
> # Module instances that the virtual servers included at the end of this file may reference.
> pap {
> auto_header = yes
> }
> chap {
> authtype = CHAP
> }
> pam {
> pam_auth = radiusd
> }
> unix {
> radwtmp = ${logdir}/radwtmp
> }
>$INCLUDE eap.conf
> mschap {
> }
> ldap {
> # NOTE(review): the closing quote is missing on the server value below.
> server = "ldap.cadorna.edu
> identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
> # Port 636 together with start_tls = no (in tls {} below) means LDAP over TLS on the dedicated port.
> port = 636
> # NOTE(review): the bind password is stored in cleartext here and has been quoted on a
> # public list; treat it as compromised and rotate it.
> password = doyouwantocrakforgetitdude
> basedn = "ou=people,dc=cadorna,dc=edu"
> # The search filter is built from the request's user name; rlm_ldap is expected to
> # escape the expanded value for LDAP filter syntax -- confirm for this version.
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> ldap_connections_number = 5
> timeout = 4
> timelimit = 3
> net_timeout = 1
> tls {
> start_tls = no
> cacertfile = /etc/raddb-2.0.2/cacert.pem
> randfile = /dev/urandom
> # NOTE(review): "allow" presumably follows TLS_REQCERT semantics, under which a missing or
> # unverifiable server certificate does not abort the connection; "demand" would enforce
> # verification against cacertfile -- confirm before relying on this for server authentication.
> require_cert = "allow"
> }
> # rlm_ldap consults this attribute on the entry when deciding whether the user may authenticate.
> access_attr = "radiusAllowed"
> dictionary_mapping = ${confdir}/ldap.attrmap
> edir_account_policy_check = no
> }
> # Realm parsers: how a realm is split off the user name.
> realm IPASS {
> format = prefix
> delimiter = "/"
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> }
> realm realmpercent {
> format = suffix
> delimiter = "%"
> }
> realm ntdomain {
> format = prefix
> delimiter = "\\"
> }
> # Compares the Calling-Station-Id in the request with the check item of the same name.
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
>
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> acctusersfile = ${confdir}/acct_users
> preproxy_usersfile = ${confdir}/preproxy_users
> compat = no
> }
> detail {
> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> header = "%t"
> # Keeps the cleartext User-Password out of the on-disk detail log.
> suppress {
> User-Password
> }
> }
> detail auth_log {
> # NOTE(review): the value below was presumably wrapped by the mail client; it is one line in the real file.
> detailfile =
>${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
> # Same suppression for the authentication detail log.
> suppress {
> User-Password
> }
> }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
> }
> # sql.conf (not shown) will carry the database credentials; same handling concerns as the LDAP password above.
> $INCLUDE sql.conf
>
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
> callerid = "yes"
> }
> # Session file for radwho etc.; note it is world-readable (0644), unlike radutmp (0600), and omits caller IDs.
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
> attr_filter attr_filter.post-proxy {
> attrsfile = ${confdir}/attrs
> }
> attr_filter attr_filter.pre-proxy {
> attrsfile = ${confdir}/attrs.pre-proxy
> }
> # Limits which attributes may leave the server in an Access-Reject.
> attr_filter attr_filter.access_reject {
> key = %{User-Name}
> attrsfile = ${confdir}/attrs.access_reject
> }
> attr_filter attr_filter.accounting_response {
> key = %{User-Name}
> attrsfile = ${confdir}/attrs.accounting_response
> }
> # Per-user daily session-time quota; see the ${db_dir} note at the top of the file.
> counter daily {
> filename = ${db_dir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
> reply-name = Session-Timeout
> allowed-servicetype = Framed-User
> cache-size = 5000
> }
> $INCLUDE sql/mysql/counter.conf
> # Fixed-return-code modules for use in policies.
> always fail {
> rcode = fail
> }
> always reject {
> rcode = reject
> }
> always noop {
> rcode = noop
> }
> always handled {
> rcode = handled
> }
> always updated {
> rcode = updated
> }
> always notfound {
> rcode = notfound
> }
> always ok {
> rcode = ok
> simulcount = 0
> mpp = no
> }
> expr {
> }
> digest {
> }
> expiration {
> reply-message = "Password Has Expired\r\n"
> }
> logintime {
> # NOTE(review): presumably one line in the real file; wrapped here by the mail client.
> reply-message = "You are calling outside your allowed
>timespan\r\n"
> minimum-timeout = 60
> }
> exec {
> wait = yes
> input_pairs = request
> # Expanded attribute values are escaped before being handed to the program.
> shell_escape = yes
> output = none
> }
> exec echo {
> wait = yes
> # The request's User-Name is substituted into the command line; shell_escape = yes below
> # is what guards that expansion, so keep it enabled.
> program = "/bin/echo %{User-Name}"
> input_pairs = request
> output_pairs = reply
> shell_escape = yes
> }
> ippool main_pool {
> range-start = 192.168.1.1
> range-stop = 192.168.3.254
> netmask = 255.255.255.0
> cache-size = 800
> session-db = ${db_dir}/db.ippool
> ip-index = ${db_dir}/db.ipindex
> override = no
> maximum-timeout = 0
> }
> policy {
> filename = ${confdir}/policy.txt
> }
>}
># Modules instantiated at start-up in this order, whether or not a virtual server references them.
>instantiate {
> exec
> expr
> expiration
> logintime
>}
>$INCLUDE policy.conf
># Virtual servers live here; the reply at the top of this page suggests adding a separate one for PEAP.
>$INCLUDE sites-enabled/
>
>EOF
>
>--------------
>eap.conf
>----------------
>eap {
> # Outer EAP type offered to clients that do not request a specific one.
> default_eap_type = peap
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> md5 {
> }
> leap {
> }
> gtc {
> auth_type = PAP
> }
> tls {
> # Server key and certificate presented in the outer TLS tunnel used by both TTLS and PEAP.
> # NOTE(review): the key sits under a certs/ directory and no key passphrase is configured here;
> # its file permissions should restrict it to the user the daemon runs as (user/group in radiusd.conf).
> # The two wrapped values below are presumably single lines in the real file.
> private_key_file =
>/etc/pki/tls/certs/ips-spectrum-key.pem
> certificate_file =
>/etc/pki/tls/certs/ips-spectrum-crt.pem
> CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> # NOTE(review): "DEFAULT" leaves cipher selection to the OpenSSL build; review the resulting
> # list rather than assuming it excludes weak suites.
> cipher_list = "DEFAULT"
> }
> ttls {
> # Inner EAP method for TTLS. EAP-MD5 also needs a cleartext password on the server side;
> # a TTLS client that uses inner PAP (not EAP) is unaffected by this default.
> default_eap_type = md5
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> }
> peap {
> # Inner method for PEAP. MS-CHAPv2 can only be verified against a cleartext or NT-hash
> # password, which is why a one-way hashed userPassword cannot serve PEAP users here.
> default_eap_type = mschapv2
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> }
> mschapv2 {
> }
> }
>EOF
>
>-------------------
>ldap.attrmap
># Maps LDAP attributes onto RADIUS check items (compared against the request) and
># reply items (sent back to the NAS).
>checkItem $GENERIC$ radiusCheckItem
>replyItem $GENERIC$ radiusReplyItem
># Password sources: a dedicated cleartext attribute, or the directory's userPassword
># (which may be a hash; see the note on the PEAP inner method in eap.conf).
>checkItem Cleartext-Password clrtxtPassword
>checkItem User-Password userPassword
># NOTE(review): the radiusPassword attribute mentioned in the question is not mapped here;
># the reply at the top of this page avoids needing it by giving the PEAP virtual server
># its own users-file entry.
>replyItem Tunnel-Type radiusTunnelType
>replyItem Tunnel-Medium-Type radiusTunnelMediumType
>replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
>checkItem Auth-Type radiusAuthType
>checkItem Simultaneous-Use radiusSimultaneousUse
>checkItem Called-Station-Id radiusCalledStationId
>checkItem Calling-Station-Id radiusCallingStationId
># LM hashes are weak; prefer to keep only the NT hash in the directory where possible.
>checkItem LM-Password lmPassword
>checkItem NT-Password ntPassword
>checkItem LM-Password sambaLmPassword
>checkItem NT-Password sambaNtPassword
>checkItem SMB-Account-CTRL-TEXT acctFlags
>checkItem Expiration radiusExpiration
>checkItem NAS-IP-Address radiusNASIpAddress
>replyItem Service-Type radiusServiceType
>replyItem Framed-Protocol radiusFramedProtocol
>replyItem Framed-IP-Address radiusFramedIPAddress
>replyItem Framed-IP-Netmask radiusFramedIPNetmask
>replyItem Framed-Route radiusFramedRoute
>replyItem Framed-Routing radiusFramedRouting
>replyItem Filter-Id radiusFilterId
>replyItem Framed-MTU radiusFramedMTU
>replyItem Framed-Compression radiusFramedCompression
>replyItem Login-IP-Host radiusLoginIPHost
>replyItem Login-Service radiusLoginService
>replyItem Login-TCP-Port radiusLoginTCPPort
>replyItem Callback-Number radiusCallbackNumber
>replyItem Callback-Id radiusCallbackId
>replyItem Framed-IPX-Network radiusFramedIPXNetwork
>replyItem Class radiusClass
>replyItem Session-Timeout radiusSessionTimeout
>replyItem Idle-Timeout radiusIdleTimeout
>replyItem Termination-Action radiusTerminationAction
>replyItem Login-LAT-Service radiusLoginLATService
>replyItem Login-LAT-Node radiusLoginLATNode
>replyItem Login-LAT-Group radiusLoginLATGroup
>replyItem Framed-AppleTalk-Link radiusFramedAppleTalkLink
>replyItem Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
>replyItem Framed-AppleTalk-Zone radiusFramedAppleTalkZone
>replyItem Port-Limit radiusPortLimit
>replyItem Login-LAT-Port radiusLoginLATPort
>replyItem Reply-Message radiusReplyMessage
>
>EOF
>
>Thanks in advance!!
>
>--
>--
>Open Kairos http://www.openkairos.com
>Watch More TV http://sebelk.blogspot.com
>Sergio Belkin -
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>