How to enable Access-challenge in Free radius
sridhar Varadarajan
sridharww at yahoo.co.in
Fri May 8 14:42:19 CEST 2015
On May 7, 2015, at 3:17 AM, sridharww at yahoo.co.in wrote:
> I am using Free Radius version of 1.1.7-r0.0.2
Wow... upgrade to a version released in the last 8 years.
> When I searched for a Windows version, I could only get the http://freeradius.net/Downloads.html site, where 1.1.7 is the pointer for it. No other binaries are shown here. So I have taken the Linux version (version 3) and installed it on a REDHAT box. I faced the following problem with openssl:
https://www.openssl.org/news/secadv_20140407.txt
I have even upgraded openssl on my box to 1.0.2g and did configure, make and make install of the radius tool, but it still throws the same error.
openssl downloaded from : http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html
I edited security.allow_vulnerable_openssl = 'CVE-2014-0160' or security.allow_vulnerable_openssl = no or security.allow_vulnerable_openssl = yes or allow_vulnerable_openssl = yes or allow_vulnerable_openssl = no or allow_vulnerable_openssl = 'CVE-2014-0160', followed again by configure, make, make install.
But it's still not working. The following is seen when trying to start up the server.
security {
	max_attributes = 200
	reject_delay = 1.000000
	status_server = yes
	allow_vulnerable_openssl = "no"
Debugger not attached
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'
I think some more things need to be done to overcome this problem.
> I have a software where I will provide my RADIUS server details, i.e. IP address, port to communicate, protocol (in my case I either use CHAP or PAP)
>
> So when I am trying to log in to the software I will provide a username and password, which will be passed to the server where Freeradius is installed, which will check in the radius server database (users.conf) file. Based on the permission I have provided, it allows me to log in to my software, and if the user is missing in that conf file then it will deny my access
>
> Now, I need to provide second level authentication, i.e. a secure ID token in addition to the username and password.
>
> For this, I believe if I enable access-challenge in the Free radius tool, then if any user login request comes in, i.e. an access-request packet, I expect Free radius should validate the request, and if the user is present in the radius tool then it challenges my software with an access-challenge request.
Modern versions of FreeRADIUS include an rlm_securid module. You can use that.
> I found a Free radius along with my REDHAT OS, which I have installed using the yum command, and it's successful too.
Now I am able to access my software with normal authentication, but I need to add the secure ID + access challenge part to it. Can you guide me on this now? I am also surfing the internet to find some guides / solutions to get it configured in the Free radius tool. Below are the log outputs taken from the radius server.
RADIUS details:
Authentication request:
Fri May 8 13:49:21 2015
	Packet-Type = Access-Request
	NAS-Port = 825766194
	Attr-4 = 0x3132372e302e302e31
	User-Name = "test"
Reply for request:
Fri May 8 13:49:21 2015
	Packet-Type = Access-Accept

Name : freeradius
Arch : x86_64
Version : 2.1.12
Release : 6.el6
Size : 5.7 M
Repo : installed
From repo : rhel-x86_64-server-6
Can you guide me on the further steps to configure the access-challenge + secure ID part now? Hope this version of Linux should do the needful.
>
Alan DeKok.
From: Alan DeKok <aland at deployingradius.com>
To: sridharww at yahoo.co.in
Sent: Thursday, 7 May 2015 7:13 PM
Subject: Re: How to enable Access-challenge in Free radius
On May 7, 2015, at 3:17 AM, sridharww at yahoo.co.in wrote:
> I am using Free Radius version of 1.1.7-r0.0.2
Wow... upgrade to a version released in the last 8 years.
> I have a software where I will provide my RADIUS server details, i.e. IP address, port to communicate, protocol (in my case I either use CHAP or PAP)
>
> So when I am trying to log in to the software I will provide a username and password, which will be passed to the server where Freeradius is installed, which will check in the radius server database (users.conf) file. Based on the permission I have provided, it allows me to log in to my software, and if the user is missing in that conf file then it will deny my access
>
> Now, I need to provide second level authentication, i.e. a secure ID token in addition to the username and password.
>
> For this, I believe if I enable access-challenge in the Free radius tool, then if any user login request comes in, i.e. an access-request packet, I expect Free radius should validate the request, and if the user is present in the radius tool then it challenges my software with an access-challenge request.
Modern versions of FreeRADIUS include an rlm_securid module. You can use that.
>
Alan DeKok.
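
The startup log quoted in this message prints the libssl version as the number 0x1000105f and names the range the Heartbleed check covers. As an added example (not part of the thread and not FreeRADIUS code), the Python below decodes that number and compares it with the range from the log; the function names are hypothetical, and treating "yes" as a bypass is an assumption about the allow_vulnerable_openssl setting.

```python
# Added example: decode the libssl version number shown in the startup log.
# Bit layout MNNFFPPS is the OpenSSL 1.0.x OPENSSL_VERSION_NUMBER format:
# major (4 bits), minor (8), fix (8), patch letter (8), status (4).

# Range quoted in the log: "in range 1.0.1 dev - 1.0.1f release".
HEARTBLEED_LOW = 0x10001000   # 1.0.1 dev
HEARTBLEED_HIGH = 0x1000106F  # 1.0.1f release

def decode(num):
    """Return a string such as '1.0.1e release' for a 1.0.x version number."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    if patch > 26:
        raise ValueError("patch level outside a-z: %d" % patch)
    letter = chr(ord("a") + patch - 1) if patch else ""
    if status == 0x0:
        stage = "dev"
    elif status == 0xF:
        stage = "release"
    else:
        stage = "beta %d" % status
    return "%d.%d.%d%s %s" % (major, minor, fix, letter, stage)

def in_heartbleed_range(num):
    """True when the number falls inside the range the log reports."""
    return HEARTBLEED_LOW <= num <= HEARTBLEED_HIGH

def refuses_to_start(num, allow_vulnerable_openssl):
    """Model of the behaviour in the log: refuse while the loaded libssl is
    in range and the setting does not acknowledge the CVE.
    Assumption: 'yes' disables the check entirely."""
    acknowledged = allow_vulnerable_openssl in ("yes", "CVE-2014-0160")
    return in_heartbleed_range(num) and not acknowledged

if __name__ == "__main__":
    samples = [
        (0x1000105F, "no"),             # value from the log, setting from the log
        (0x1000105F, "CVE-2014-0160"),  # same library, CVE acknowledged
        (0x1000207F, "no"),             # constructed: number for 1.0.2g release
    ]
    for num, setting in samples:
        print("%-16s allow=%-15s in_range=%-5s refuse=%s" % (
            decode(num), setting, in_heartbleed_range(num),
            refuses_to_start(num, setting)))
```

The number in the log decodes to 1.0.1e, not the 1.0.2g that was built, so the check is reporting the libssl the server actually loaded at run time.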