Freeradius Access Request ID
全球无线联盟
2394263740 at qq.com
Sat Apr 21 09:44:06 CEST 2012
Matthew,
Great!
Thanks for your reply. It helps. We will use this solution.
Tom
------------------ Original ------------------
From: "freeradius-users"<freeradius-users-request at lists.freeradius.org>;
Date: Fri, Apr 20, 2012 05:30 PM
To: "freeradius-users"<freeradius-users at lists.freeradius.org>;
Subject: Freeradius-Users Digest, Vol 84, Issue 65
Send Freeradius-Users mailing list submissions to
freeradius-users at lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
freeradius-users-request at lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner at lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Freeradius Access Request ID (Matthew Newton)
2. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour)
3. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Fajar A. Nugraha)
4. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Alan DeKok)
5. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (alan buxey)
6. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour)
7. Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. (Wassim Zaarour)
8. How to grant access to a network regardless of the
username/password? (Henrik Karlsson)
----------------------------------------------------------------------
Message: 1
Date: Fri, 20 Apr 2012 08:52:15 +0100
From: Matthew Newton <mcn4 at leicester.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius Access Request ID
Message-ID: <20120420075215.GA7240 at rootmail.cc.le.ac.uk>
Content-Type: text/plain; charset=utf-8
On Fri, Apr 20, 2012 at 03:42:09PM +0800, 全球无线联盟 wrote:
> We know the post-authentication query can do something by which we know who has passed.
>
> We don't have a method to log the rejected request.
Put something in the Post-Auth-Type REJECT section of post-auth to
log whatever you want.
post-auth {
Post-Auth-Type REJECT {
# here
}
}
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
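As an added example (not Matthew's configuration, and not shipped with FreeRADIUS), here is a FreeRADIUS 2.x-style layout that writes one line per Access-Reject, including the request ID the thread asks about. The linelog instance name log_reject, the file path and the set of logged attributes are my choices, and "%I" is assumed to expand to the RADIUS packet ID.

```unlang
# raddb/modules/linelog  (added example; instance name and path are assumptions)
linelog log_reject {
	filename = ${logdir}/reject.log
	permissions = 0600
	# User-Password is deliberately NOT logged: a reject log is full of
	# near-miss passwords, and a readable one is a credential leak.
	# %I is assumed to expand to the packet ID of the Access-Request.
	format = "%t id=%I client=%{Client-Shortname} nas=%{Packet-Src-IP-Address} user=\"%{User-Name}\" reason=\"%{Module-Failure-Message}\""
}

# raddb/sites-enabled/default
post-auth {
	# ... whatever you already run for accepted requests (e.g. sql) stays here ...

	Post-Auth-Type REJECT {
		# keep only the attributes allowed in an Access-Reject
		attr_filter.access_reject
		log_reject
		# sql   # uncomment to also record the Access-Reject row in radpostauth
	}
}
```

To check it, run the server in debug mode (radiusd -X) and send a request with a wrong password from another terminal, e.g. `radtest someuser wrongpass localhost 0 testing123` (assuming the stock localhost secret in clients.conf); the debug output should show log_reject being called from Post-Auth-Type REJECT and a new line should appear in reject.log.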
------------------------------
Message: 2
Date: Fri, 20 Apr 2012 10:53:32 +0300
From: Wassim Zaarour <wassim.zaarour at navlink.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <CBB6EF8C.ED0C%wassim.zaarour at navlink.com>
Content-Type: text/plain; CHARSET=US-ASCII
Hi Farja,
I just checked with the ldap admin and he told me passwords are stored
with SHA encryption and not cleartext. ( can't change them to clear text)
Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with
the windows laptops as they have PEAP/MSCHAPv2 only.
Any workaround?
Thanks
Wassim.
On 4/20/12 10:30 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:
>On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour
><wassim.zaarour at navlink.com> wrote:
>
>> On 4/20/12 10:15 AM, "Fajar A. Nugraha" <list at fajar.net> wrote:
>
>>>Long version:
>>>MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either:
>>>- Cleartext-Password or NT-Hash available (in LDAP, sql, users file
>>>whatever), OR
>>>- an active directory
>>>
>>>If you don't have either, then it won't work.
>>
>> Hi Farja,
>>
>> Passwords are stored as clear text in my LDAP, that should make MSCHAPv2
>> work right?
>
>Yes, if FR can find them. This part of the log says it can't:
>
>[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
>(uid=pk)
>[ldap] looking for check items in directory...
>[ldap] looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP. Are you sure that
>the user is configured correctly?
>
>You might need to play around with the user used to login to LDAP, as
>some systems only give out passwords to admin accounts. Testing manual
>LDAP lookup using command line tool (e.g. ldapsearch) helps. If you
>CAN get your ldap server to return cleartext password with ldapsearch,
>then you should be able to configure FR to get that as well.
>
>--
>Fajar
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
------------------------------
Message: 3
Date: Fri, 20 Apr 2012 15:01:13 +0700
From: "Fajar A. Nugraha" <list at fajar.net>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID:
<CAG1y0segiKtFkiE2M5xu+7kAwYtjvNc0+0PCxZTT51AuKYjJWw at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On Fri, Apr 20, 2012 at 2:53 PM, Wassim Zaarour
<wassim.zaarour at navlink.com> wrote:
> I just checked with the ldap admin and he told me passwords are stored
> with SHA encryption and not cleartext. ( can't change them to clear text)
Figured as much :)
> Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
Yes
> If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with
> the windows laptops as they have PEAP/MSCHAPv2 only.
>
> Any workaround?
No.
Not unless you're willing to install a 3rd-party supplicant on every
Windows client.
--
Fajar
------------------------------
Message: 4
Date: Fri, 20 Apr 2012 10:15:03 +0200
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <4F911B07.50509 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1
Wassim Zaarour wrote:
> Hi Farja,
>
> I just checked with the ldap admin and he told me passwords are stored
> with SHA encryption and not cleartext. ( can't change them to clear text)
>
> Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
>
> If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck with
> the windows laptops as they have PEAP/MSCHAPv2 only.
>
> Any workaround?
http://deployingradius.com/documents/protocols/compatibility.html
Alan DeKok.
------------------------------
Message: 5
Date: Fri, 20 Apr 2012 09:18:59 +0100
From: alan buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <20120420081859.GA11042 at lboro.ac.uk>
Content-Type: text/plain; charset=us-ascii
Hi,
> I just checked with the ldap admin and he told me passwords are stored
> with SHA encryption and not cleartext. ( can't change them to clear text)
Is this LDAP or AD? If it's AD, then you can bind your FreeRADIUS box to the AD
as per the docs on deployingradius.com; then it can use ntlm_auth to do PEAP
very happily for Windows clients. It's what we do for our 20k users for 802.1X.
alan
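To make concrete both the constraint in Fajar's "long version" (MSCHAPv2 needs a cleartext password, an NT hash, or an AD) and the ntlm_auth route alan describes, here is an added example in FreeRADIUS 2.x "users" and modules/mschap syntax. It is not configuration from any poster: the usernames and passwords are made up, the NT hash and {SHA} value shown are those of the string "password", and the ntlm_auth path is assumed.

```unlang
# raddb/users  (added example; entries are made up)

# rlm_mschap can answer a PEAP/TTLS-MSCHAPv2 challenge from either of these:
bob	Cleartext-Password := "correct-horse"
# NT-Password is MD4(UTF-16LE(password)); this value is the NT hash of "password"
alice	NT-Password := "8846f7eaee8fb117ad06bdd830b7586c"

# This is the form rlm_ldap hands over when userPassword is "SHA encrypted"
# (Sun Directory Server, OpenLDAP, ...); the value is SHA-1 of "password".
# rlm_pap can verify a TTLS/PAP password against it, but there is no way back
# from a SHA-1 digest to an NT hash, so rlm_mschap rejects this user and
# PEAP/MSCHAPv2 cannot work for her.
carol	Password-With-Header := "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="

# raddb/modules/mschap: the third way, AD only. The MS-CHAP challenge/response
# is handed to a domain controller through Samba's ntlm_auth, so the RADIUS
# server never needs the password or hash itself. Requires the box to be
# joined to the domain; not an option for Sun Directory Server.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	# path and fallback domain name are assumptions
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

A quick check without a supplicant: with the server in debug mode, `radtest -t pap carol password localhost 0 testing123` is accepted (rlm_pap compares against the {SHA} value), while `radtest -t mschap carol password localhost 0 testing123` is rejected; the same mschap test for bob and alice is accepted. That is exactly the PAP-works/MSCHAPv2-fails split seen in the thread, reproduced without the switch or the Windows clients.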
------------------------------
Message: 6
Date: Fri, 20 Apr 2012 11:19:43 +0300
From: Wassim Zaarour <wassim.zaarour at navlink.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <CBB6F671.ED1B%wassim.zaarour at navlink.com>
Content-Type: text/plain; CHARSET=US-ASCII
Thanks Alan for the link,
I just ran into it a few minutes back and it's clear :)
Guess I'm gonna have to settle for a third-party supplicant since I can't
change the LDAP password storage config.
Thanks also for the other Alan and Farja.
On 4/20/12 11:15 AM, "Alan DeKok" <aland at deployingradius.com> wrote:
>Wassim Zaarour wrote:
>> Hi Farja,
>>
>> I just checked with the ldap admin and he told me passwords are stored
>> with SHA encryption and not cleartext. ( can't change them to clear
>>text)
>>
>> Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it??
>>
>> If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm stuck
>>with
>> the windows laptops as they have PEAP/MSCHAPv2 only.
>>
>> Any workaround?
>
>http://deployingradius.com/documents/protocols/compatibility.html
>
> Alan DeKok.
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
------------------------------
Message: 7
Date: Fri, 20 Apr 2012 11:28:54 +0300
From: Wassim Zaarour <wassim.zaarour at navlink.com>
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Message-ID: <CBB6F8CA.ED21%wassim.zaarour at navlink.com>
Content-Type: text/plain; CHARSET=US-ASCII
It's Sun Directory Server, hence LDAP not AD.
Thanks anyways :)
On 4/20/12 11:18 AM, "alan buxey" <A.L.M.Buxey at lboro.ac.uk> wrote:
>Hi,
>
>> I just checked with the ldap admin and he told me passwords are stored
>> with SHA encryption and not cleartext. ( can't change them to clear
>>text)
>
>Is this LDAP or AD? If it's AD, then you can bind your FreeRADIUS box to
>the AD
>as per the docs on deployingradius.com; then it can use ntlm_auth to do PEAP
>very happily for Windows clients. It's what we do for our 20k users for
>802.1X.
>
>alan
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
------------------------------
Message: 8
Date: Fri, 20 Apr 2012 11:30:13 +0200
From: Henrik Karlsson <Henrik.Karlsson at Generic.se>
To: "freeradius-users at lists.freeradius.org"
<freeradius-users at lists.freeradius.org>
Subject: How to grant access to a network regardless of the
username/password?
Message-ID:
<5D4FE383D0CD43418076B92AA238BA8B0100EBB56656 at nova.intra.generic.se>
Content-Type: text/plain; charset="us-ascii"
Hi,
I have a dial-in system that uses FreeRADIUS as its RADIUS server. I have figured out how to log the username and password from access requests in a SQL database. My next goal is to keep logging the username and password but accept all users regardless of username/password. The user shall not need to be listed as a user in the RADIUS server. I want to grant access to the network for all users that dial in, but I need to log the username and password that they send to the RADIUS server.
Username and password are stored in a MySQL database and we use PAP.
Is it possible to make this configuration, and if so, how do I do it?
/Henrik
------------------------------
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 84, Issue 65
************************************************