Freeradius-Users Digest, Vol 181, Issue 21

Imdad Hasan imdadalikadiwala0 at gmail.com
Fri May 15 18:10:42 CEST 2020


So, if I want to make the framed-ip with a dynamic value, then how can I do
that?

And I have seen one vendor that uses FreeRADIUS and uses its own module in
Perl for CHAP authentication. For MSCHAP and EAP it's using the built-in
system's (FreeRADIUS) module.

Is that possible?

On Fri, May 15, 2020 at 3:30 PM <
freeradius-users-request at lists.freeradius.org> wrote:

>
> Today's Topics:
>
>    1. Re: Wifi + Active Directory without ntlm (Alan DeKok)
>    2. Re: Wifi + Active Directory without ntlm (Fabrice Durand)
>    3. looking for test client for PEAP/MSCHAPv2 (Jim Shi)
>    4. Re: looking for test client for PEAP/MSCHAPv2 (Matthew Newton)
>    5. Re: looking for test client for PEAP/MSCHAPv2 (Jorge Pereira)
>    6. CHAP Authentication with rlm_perl module (Imdad Hasan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 14 May 2020 10:59:13 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: Wifi + Active Directory without ntlm
> Message-ID: <8A61A9A6-900D-41D6-9F33-3174FCFCF6D9 at deployingradius.com>
> Content-Type: text/plain;       charset=utf-8
>
> On May 14, 2020, at 10:56 AM, Клеусов Владимир Сергеевич via
> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> >
> > The idea was to link freeradius and ad via an ldap module. That is, do
> > not install samba and winbind. To authenticate using the ldap module.
> > That is, it will not work like this. Right ?
>
>   That question has been asked and answered about 4 times now.  The answer
> won't change if you keep asking the same question.  The only thing you'll
> do is annoy the people who are trying to help you.
>
> > So the ldap module is it for other LDAP implementations, such as
> > openldap ?
>
>   The LDAP module is for any server which implements LDAP.  Like AD.
>
>   But as you were already told, the issue isn't LDAP.  It's AD.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 14 May 2020 12:53:24 -0400
> From: Fabrice Durand <fdurand at inverse.ca>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Wifi + Active Directory without ntlm
> Message-ID: <4d796e43-502b-b71f-4c6e-d4394ee70176 at inverse.ca>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> I did this kind of configuration a long time ago and most of the work
> needs to be done on the AD side.
>
> The idea is to mimic what an eDirectory server does (universal password)
> and create an LDAP attribute where you will store the NTHASH of the
> user/computer.
>
>
> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
>
>
> The other way is to extract the NTHASH for each user, store it
> somewhere (SQL for example) and configure FreeRADIUS to fetch the NTHASH
> based on the username.
>
>
> https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
>
>
> Regards
>
> Fabrice
>
> On 20-05-14 at 10:56, Клеусов Владимир Сергеевич via Freeradius-Users
> wrote:
> > The idea was to link freeradius and ad via an ldap module. That is, do
> > not install samba and winbind. To authenticate using the ldap module.
> > That is, it will not work like this. Right ? So the ldap module is it for
> > other LDAP implementations, such as openldap ?
> >
> >> On 14 May 2020, at 16:40, Josef Vybíhal <josef.vybihal at gmail.com>
> >> wrote:
> >>
> >> Is it possible, that you mean that you just don't want to use ntlm_auth
> >> command? If yes, then read the winbind comment section in the mschap
> >> module config.
> >> # winbind_username = "%{mschap:User-Name}"
> >> # winbind_domain = "%{mschap:NT-Domain}"
> >>
> >> or this
> >> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> >>
> >> On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via
> >> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> >>
> >>> Ideally, I want to authenticate the domain user and if he is in the
> >>> domain, check his group. If not in the group, do not connect to wifi.
> >>> Is this possible without ntlm ?
> >>>
> >>> On 14 May 2020, at 16:07, Matthew Newton <mcn at freeradius.org>
> >>> wrote:
> >>>
> >>> To do what? Just get policy information/groups etc, or to authenticate?
> >>>
> >>> FreeRADIUS can use LDAP to query AD to get group information etc just
> >>> fine. However, AD won't give you a password over LDAP. So in the vast
> >>> majority of cases if you want to authenticate you need to use mschap.
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
>
> --
> Fabrice Durand
> fdurand at inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 14 May 2020 18:04:10 +0000 (UTC)
> From: Jim Shi <hjshi at yahoo.com>
> To: "freeradius-users at lists.freeradius.org"
>         <freeradius-users at lists.freeradius.org>
> Subject: looking for test client for PEAP/MSCHAPv2
> Message-ID: <1191804016.213541.1589479450003 at mail.yahoo.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>  I am looking for a test client that I can use to test PEAP/MSCHAPv2
> Seems radtest does not support PEAP/MSCHAPv2?
> Any help is appreciated.
> Thanks a lot.
> Jim
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 14 May 2020 19:07:50 +0100
> From: Matthew Newton <mcn at freeradius.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: looking for test client for PEAP/MSCHAPv2
> Message-ID: <a71f17df-a2f0-da95-9b20-4980b93e2956 at freeradius.org>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> On 14/05/2020 19:04, Jim Shi via Freeradius-Users wrote:
> >   I am looking for a test client that I can use to test PEAP/MSCHAPv2
> > Seems radtest does not support PEAP/MSCHAPv2?
>
> eapol_test from wpa_supplicant:
>
> https://w1.fi/wpa_supplicant/
>
> There are example configs in the FreeRADIUS source (see "make test").
>
> --
> Matthew
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 14 May 2020 15:12:15 -0300
> From: Jorge Pereira <jpereira at freeradius.org>
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Subject: Re: looking for test client for PEAP/MSCHAPv2
> Message-ID: <47565E26-014E-4114-B3BC-186CDD7E113B at freeradius.org>
> Content-Type: text/plain;       charset=utf-8
>
> Hi Jim
>
> Take a look at “eapol_test” tool. We have some config samples in our repo.
>
> e.g:
>
> [jpereira at jorge-sugarloaf freeradius-server-v3.0.x.git]$ grep eapol_test -r src/
> src//tests/eap-md5.conf:#   eapol_test -c eap-md5.conf -s testing123 -n
> src//tests/Makefile:EAPOL_TEST = $(shell which eapol_test)
> src//tests/Makefile:#  Run eapol_test if it exists.  Otherwise do nothing
> src//tests/eap-mschapv2.conf:#   eapol_test -c eap-mschapv2.conf -s testing123
> src//tests/eap-ttls-eap-mschapv2.conf:#   eapol_test -c eap-ttls-eap-mschapv2.conf -s testing123
> src//tests/peap-mschapv2.conf:#   ./eapol_test -c peap-mschapv2.conf -s testing123
> src//tests/eap-ttls-mschapv2.conf:#   eapol_test -c eap-ttls-mschapv2.conf -s testing123
> src//tests/peap-client-mschapv2.conf:#   ./eapol_test -c peap-mschapv2.conf -s testing123
> src//tests/.gitignore:eapol_test
> src//tests/eap-tls.conf:#   eapol_test -c eap-tls.conf -s testing123
> src//tests/eap-ttls-pap.conf:#   eapol_test -c eap-ttls-pap.conf -s testing123
> [jpereira at jorge-sugarloaf freeradius-server-v3.0.x.git]$
>
> ---
> Jorge Pereira
> jpereira at freeradius.org
>
>
>
>
> > On 14 May 2020, at 15:04, Jim Shi via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> >
> > Hi,
> >  I am looking for a test client that I can use to test PEAP/MSCHAPv2
> > Seems radtest does not support PEAP/MSCHAPv2?
> > Any help is appreciated.
> > Thanks a lot.
> > Jim
> >
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 15 May 2020 04:30:52 +0530
> From: Imdad Hasan <imdadalikadiwala0 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: CHAP Authentication with rlm_perl module
> Message-ID:
>         <
> CAPidyMXKC+6zXm1sCNpHiSfaJKddrbNM7D7Ayd2JWM0hXjpfkQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Dear all,
>
> I am using the perl module; it's working all like the exec module, but no
> doubt it has increased the performance on high load. But I have some queries
> when I use the CHAP authentication method with the perl module.
>
>
> In CHAP authentication I can't verify the password with Cleartext-Password,
> right?
> That's why I set the RADCHECK attribute Cleartext-Password="password" and after
> that FreeRADIUS verifies them with the authenticator and all. And if the password
> doesn't match, then it returns Reject.
>
> But if I want to accept those users (who have the wrong password) with a special
> disabled framed-ip, then how can I?
>
>
> Thanks all,
>
> Imdad
>
>
>
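Added example, not part of the original thread and not FreeRADIUS code: how a RADIUS server checks a CHAP-Password attribute (RFC 1994 / RFC 2865), which is why the server must hold the cleartext password, as with the Cleartext-Password check item mentioned in message 6, and cannot verify CHAP from a one-way hash. All function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

CHAP_PASSWORD_LEN = 17  # 1-octet CHAP Ident + 16-octet MD5 response (RFC 2865)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, request_authenticator: bytes,
                known_good: bytes, chap_challenge: Optional[bytes] = None) -> bool:
    """Recompute the response from the stored password and compare."""
    if len(chap_password) != CHAP_PASSWORD_LEN:
        return False  # malformed attribute
    # RFC 2865: use CHAP-Challenge if present, else the Request Authenticator.
    challenge = chap_challenge if chap_challenge else request_authenticator
    if not challenge:
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(received, expected)  # constant-time compare


# Constructed sample values (not taken from any real capture).
IDENT = 0x2A
PASSWORD = b"password"
CHALLENGE = bytes(range(16))
AUTHENTICATOR = bytes(range(16, 32))


def client_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the peer/NAS side places in CHAP-Password."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def demo() -> dict:
    attr = client_attr(IDENT, PASSWORD, CHALLENGE)
    return {
        "correct": verify_chap(attr, AUTHENTICATOR, PASSWORD, CHALLENGE),
        "wrong": verify_chap(attr, AUTHENTICATOR, b"Password", CHALLENGE),
        # A server that stores only a one-way hash cannot recompute the response.
        "hash_only": verify_chap(attr, AUTHENTICATOR,
                                 hashlib.sha256(PASSWORD).digest(), CHALLENGE),
        # No CHAP-Challenge attribute: the Request Authenticator is the challenge.
        "fallback": verify_chap(client_attr(IDENT, PASSWORD, AUTHENTICATOR),
                                AUTHENTICATOR, PASSWORD),
        "truncated": verify_chap(attr[:10], AUTHENTICATOR, PASSWORD, CHALLENGE),
    }
```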

