How to enable Access-challenge in Free radius

sridhar Varadarajan sridharww at yahoo.co.in
Thu May 21 13:00:55 CEST 2015


> Can anyone help me to get a solution for this. I am still trying to figure out the way to get access-challenge enabled with PAP / CHAP protocol in my RADIUS server.

Thanks,
Sridhar

      From: sridhar Varadarajan <sridharww at yahoo.co.in>
 To: "freeradius-users at lists.freeradius.org" <freeradius-users at lists.freeradius.org> 
 Sent: Friday, 8 May 2015 6:12 PM
 Subject: Re: How to enable Access-challenge in Free radius
   


On May 7, 2015, at 3:17 AM, sridharww at yahoo.co.in wrote:
> I am using Free Radius version of 1.1.7-r0.0.2 

  Wow... upgrade to a version released in the last 8 years.
> When I searched for the Windows version, I could only get the http://freeradius.net/Downloads.html site, where 1.1.7 is the pointer for it. No other binaries are shown here. So I have taken the version for Linux (version 3) and installed it on a REDHAT box. Faced the following problem with openssl:
https://www.openssl.org/news/secadv_20140407.txt
I have even upgraded openssl on my box to 1.0.2g and did configure, make and make install of the radius tool, but still it throws the same error.
openssl downloaded from: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html
I edited security.allow_vulnerable_openssl = 'CVE-2014-0160' or security.allow_vulnerable_openssl = no or security.allow_vulnerable_openssl = yes or allow_vulnerable_openssl = yes or allow_vulnerable_openssl = no or allow_vulnerable_openssl = 'CVE-2014-0160', followed by configure, make, make install again.
But still it's not working. The following is seen when trying to start up the server.

 security {
        max_attributes = 200
        reject_delay = 1.000000
        status_server = yes
        allow_vulnerable_openssl = "no"
Debugger not attached
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'

I think some more things need to be done to overcome this problem.

> I have a software where I will provide my RADIUS server details i.e. IP address, port to communicate, protocol (in my case I either use CHAP or PAP)
> 
> So when I am trying to login to the software I will provide username and password which will be parsed to the Freeradius installed server which will check in radius server database (users.conf) file. Based on the permission I have provided it allows me to login to my software and if the user is missing in that conf file then it will deny my access
> 
> Now, I need to provide second level authentication i.e. secure ID token in addition to the username and password.
> 
> For this I believe if I enable access-challenge in Free radius tool, then if any user login request comes in i.e. access-request packet then I expect Free radius should validate the request and if the user is present in radius tool then it challenges my software with access-challenge request.

  Modern versions of FreeRADIUS include an rlm_securid module.  You can use that.
>I found a Free radius along with my REDHAT OS which I have installed using the yum command and it's successful too.
Now I am able to access my software with normal authentication but I need to add to it the secure ID + access challenge part. Can you guide me on this now. I am also surfing the internet to find some guides / solutions to get it configured in the Free radius tool.
Below are the log outputs taken from the radius server.

RADIUS details:
Authentication request:
Fri May  8 13:49:21 2015
        Packet-Type = Access-Request
        NAS-Port = 825766194
        Attr-4 = 0x3132372e302e302e31
        User-Name = "test"
Reply for request:
Fri May  8 13:49:21 2015
        Packet-Type = Access-Accept

Name        : freeradius
Arch        : x86_64
Version     : 2.1.12
Release     : 6.el6
Size        : 5.7 M
Repo        : installed
From repo   : rhel-x86_64-server-6

Can you guide me on the further steps to configure the access-challenge + secure ID part now. Hope this version of Linux should do the needful.
>

  Alan DeKok.

      From: Alan DeKok <aland at deployingradius.com>
 To: sridharww at yahoo.co.in 
 Sent: Thursday, 7 May 2015 7:13 PM
 Subject: Re: How to enable Access-challenge in Free radius
   
On May 7, 2015, at 3:17 AM, sridharww at yahoo.co.in wrote:
> I am using Free Radius version of 1.1.7-r0.0.2 

  Wow... upgrade to a version released in the last 8 years.

> I have a software where I will provide my RADIUS server details i.e. IP address, port to communicate, protocol (in my case I either use CHAP or PAP)
> 
> So when I am trying to login to the software I will provide username and password which will be parsed to the Freeradius installed server which will check in radius server database (users.conf) file. Based on the permission I have provided it allows me to login to my software and if the user is missing in that conf file then it will deny my access
> 
> Now, I need to provide second level authentication i.e. secure ID token in addition to the username and password.
> 
> For this I believe if I enable access-challenge in Free radius tool, then if any user login request comes in i.e. access-request packet then I expect Free radius should validate the request and if the user is present in radius tool then it challenges my software with access-challenge request.

  Modern versions of FreeRADIUS include an rlm_securid module.  You can use that.

>

  Alan DeKok.
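
The two-round exchange the thread asks about, simulated at the packet level per RFC 2865 as an added example; it is not from the original posts and is not FreeRADIUS or rlm_securid code. The shared secret, user entry, token code and State bookkeeping are constructed, and User-Password hiding (RFC 2865 section 5.2) is left out to keep the focus on Access-Challenge, State and the Response Authenticator.

```python
import hashlib, hmac, os, struct

ACCEPT, REJECT, CHALLENGE = 2, 3, 11                 # RFC 2865 reply codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"testing123"                               # constructed shared secret
USERS = {b"test": (b"password", b"123456")}          # constructed: password, token code
SESSIONS = {}                                        # State value -> user awaiting a token

def attr(t, v):
    return bytes([t, len(v) + 2]) + v                # type, length, value

def parse_attrs(data):
    out, i = {}, 0
    while i < len(data):
        if data[i + 1] < 2: raise ValueError("bad attribute length")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def request(ident, user, secret_text, state=None):
    # Simplification: User-Password is left unhidden (RFC 2865 section 5.2 omitted).
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, secret_text)
    attrs += attr(STATE, state) if state else b""
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs

def reply(code, req, attrs=b""):
    hdr = struct.pack("!BBH", code, req[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req[4:20] + attrs + SECRET).digest() + attrs

def server(req):
    a = parse_attrs(req[20:])
    name, given = a[USER_NAME], a[USER_PASSWORD]
    password, token = USERS.get(name, (None, None))
    if STATE in a:                                   # round 2: State is single-use
        ok = SESSIONS.pop(a[STATE], None) == name and given == token
        return reply(ACCEPT if ok else REJECT, req)
    if given != password:
        return reply(REJECT, req)
    state = os.urandom(16)
    SESSIONS[state] = name
    return reply(CHALLENGE, req, attr(REPLY_MESSAGE, b"Enter token code") + attr(STATE, state))

def login(user, password, token):
    req = request(1, user, password)
    rep = server(req)
    if rep[0] == CHALLENGE:                          # echo State, send the token code
        req = request(2, user, token, parse_attrs(rep[20:])[STATE])
        rep = server(req)
    good = hashlib.md5(rep[:4] + req[4:20] + rep[20:] + SECRET).digest()
    return rep[0] if hmac.compare_digest(good, rep[4:20]) else None
```

The client has to copy the State attribute from the Access-Challenge into its second Access-Request unchanged; that is what lets the server tie the token code to the password check it already passed.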


   

   

  

