Help me with Access-Challenge configuration


GreenUA
I reviewed the RFC and FAQ, but I can't find sane info about configuration of
freeRADIUS server (on Windows) to send access-challenge message on
access-request.

My configuration is (users.conf):

test    Auth-Type := Local, User-Password == "test"
        Service-Type = Login-User,
        Login-IP-Host = 192.99.98.119,
        Login-Service = Telnet,
        CS_Priv_Level = 2,
        Reply-Message = "Hello, %u. Wellcome from RADIUS. You are Administrator"


For such configuration the RADIUS server (on receiving an access-request) checks Login +
Pass and, if they are correct, sends "Reply-Message" with the right
"CS_Priv_Level" to the client (access-accept).
But I need to validate one more parameter from the client and send it an
access-challenge, and I don't know how to configure my RADIUS server to send
"Access-challenge".
Guys, pls help me with the answer or, if it's possible, give me some link or
manual in which I can find the answer.

Re: Help me with Access-Challenge configuration

Alexander Clouter
GreenUA <[hidden email]> wrote:
>
> I reviewed the RFC and FAQ, but I can't find sane info about
> configuration of freeRADIUS server (on Windows) to send
> access-challenge message on access-request.
>
...because running FreeRADIUS is not a sane thing to do.
 
> My configuration is (users.conf):
>
> [snipped AWOL radiusd.conf file]
>
> Guys pls help me with the answer or if it's possible give me some link
> or manual in which I can find the answer.
>
The best links on FreeRADIUS can be found at:

http://wiki.freeradius.org/index.php/FAQ#Debugging_it_yourself
http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21

Cheers

--
Alexander Clouter
.sigmonster says: Check your local listings.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help me with Access-Challenge configuration

Arran Cudbard-Bell-4

On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:

> GreenUA <[hidden email]> wrote:
>>
>> I reviewed the RFC and FAQ, but I can't find sane info about
>> configuration of freeRADIUS server (on Windows) to send
>> access-challenge message on access-request.
>>
> ...because running FreeRADIUS is not a sane thing to do.

Shouldn't that be running Windows is not a sane thing to do? :P


Re: Help me with Access-Challenge configuration

Alexander Clouter
Arran Cudbard-Bell <[hidden email]> wrote:

>
> On Apr 11, 2011, at 1:40 PM, Alexander Clouter wrote:
>
>> GreenUA <[hidden email]> wrote:
>>>
>>> I reviewed the RFC and FAQ, but I can't find sane info about
>>> configuration of freeRADIUS server (on Windows) to send
>>> access-challenge message on access-request.
>>>
>> ...because running FreeRADIUS is not a sane thing to do.
>
> Shouldn't that be running Windows is not a sane thing to do? :P
>
Bah, and it would have looked so awesome if I didn't screw it up.

*ahem*

...because running FreeRADIUS on Windows is not a sane thing to do.

<ta da>

Cheers

--
Alexander Clouter
.sigmonster says: Some restrictions may apply.


Re: Help me with Access-Challenge configuration

GreenUA
OK guys )
Ha ha, I know about "windows must die..." but I can't do anything about that.
Give me examples for Linux... what files I need to configure,
maybe I should use another "Auth-Type" or something else...

Thanks to Alexander Clouter for the FAQ links, but this is debugging, and it would be
useful if a configuration exists and you don't know why it doesn't work.
My question was how to "say" to the RADIUS server to send "Access-Challenge" for a client "Access-request".

In my configuration RADIUS checks login and password, so it returns "Access-accept" or "Access-reject".


Re: Help me with Access-Challenge configuration

Alan DeKok-2
GreenUA wrote:
> In my configuration RADIUS checks login and password, so it returns
> "Access-accept" or "Access-reject".

  That's what a RADIUS server does.

  Specific authentication methods allow for Access-Challenges.  If
you're not using one of those methods, you won't get Access-Challenges.

  You're trying to solve one problem, but not saying what it is.  You've
somehow convinced yourself that Access-Challenges are the solution to
that problem. So you're asking questions about that instead.

  What, exactly, is the problem, and why do you think Access-Challenges
are the solution?

  Alan DeKok.

Re: Help me with Access-Challenge configuration

GreenUA
"Specific authentication methods allow for Access-Challenges.  If
you're not using one of those methods, you won't get Access-Challenges."

What methods? How can I configure it?

Maybe my post was not clear enough.


"You're trying to solve one problem, but not saying what it is.  You've
somehow convinced yourself that Access-Challenges are the solution to
that problem. So you're asking questions about that instead.

  What, exactly, is the problem, and why do you think Access-Challenges
are the solution?"

I'm not trying to configure correct authorization via the RADIUS server; it's not my main goal.
I just want to configure and send back an "Access-challenge" message to the client side.
I need to see how my client processes the challenge response. And I can't generate that message.


Re: Help me with Access-Challenge configuration

Alan DeKok-2
GreenUA wrote:
> What methods? How can I configure it?

  If you don't know, you don't need Access-Challenges.

> I need to see how my client processes the challenge response. And I can't generate
> that message.

  If you're debugging a RADIUS client you wrote, then this isn't a
FreeRADIUS question.

  As a hint: people who don't understand the RADIUS protocol shouldn't
write RADIUS clients.

  Alan DeKok.

Re: Help me with Access-Challenge configuration

GreenUA
To Alan DeKok-2
Sorry for my maybe inconsistent question.
I'll try to explain:

1. "If you're debugging a RADIUS client you wrote, then this isn't a
FreeRADIUS question."
It's a FreeRADIUS question because I need to configure the FreeRADIUS server.

2. "> What methods? How can I configure it?

  If you don't know, you don't need Access-Challenges."

If I don't know how to configure it, I don't need it? In that case, why are you replying to mails on this forum?
I want to configure it, and I don't know how; that's why I posted my question here.

FROM RFC:
 
"If all conditions are met and the RADIUS server wishes to issue a
   challenge to which the user must respond, the RADIUS server sends an
   "Access-Challenge" response.  It MAY include a text message to be
   displayed by the client to the user prompting for a response to the
   challenge, and MAY include a State attribute."

But there is nothing about: what conditions, "server wishes", etc.


3. "As a hint: people who don't understand the RADIUS protocol shouldn't
write RADIUS clients."

Again, sorry if my question is not correct, and don't worry, I'm not writing a RADIUS client.


My simple question:
How to configure freeRADIUS server so it replies with an "access-challenge" message to an "access-request" from a client?
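
Added example (not part of any post in this thread, and not FreeRADIUS code): the Access-Challenge described in the RFC text quoted above, built and checked as bytes on the wire per RFC 2865, with a Reply-Message prompt and a State attribute. The shared secret, prompt, State value and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11  # RFC 2865 packet codes
REPLY_MESSAGE, STATE = 18, 24             # RFC 2865 attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def build_challenge(request: bytes, secret: bytes, prompt: str, state: bytes) -> bytes:
    """Server side: answer an Access-Request with a signed Access-Challenge."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = attr(REPLY_MESSAGE, prompt.encode()) + attr(STATE, state)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs

def parse_challenge(reply: bytes, request: bytes, secret: bytes) -> dict:
    """Client side: verify the reply against the request, then return attributes by type."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_CHALLENGE or ident != request[1] or length != len(reply):
        raise ValueError("unexpected reply")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or reply[pos + 1] < 2 or pos + reply[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[reply[pos]] = reply[pos + 2:pos + reply[pos + 1]]
        pos += reply[pos + 1]
    return attrs  # the client echoes attrs[STATE] unchanged in its next Access-Request

# Constructed sample: a bare Access-Request (ID 7, random authenticator, no attributes).
SECRET = b"testing123"
REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 7, 20) + os.urandom(16)
CHALLENGE = build_challenge(REQUEST, SECRET, "Enter token code", b"sess-0001")
ATTRS = parse_challenge(CHALLENGE, REQUEST, SECRET)
```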

Re: Help me with Access-Challenge configuration

Alan DeKok-2
GreenUA wrote:
> 1. "If you're debugging a RADIUS client you wrote, then this isn't a
> FreeRADIUS question."
> It's a FreeRADIUS question because I need to configure the FreeRADIUS server.

  If you know so much more than we do, why are you asking questions on
this list?

> 2. "> What methods? How can I configure it?
>
>   If you don't know, you don't need Access-Challenges."
>
> If I don't know how to configure it, I don't need it? In that case, why are you
> replying to mails on this forum?

  Yes.

  You *don't* configure it.  If the authentication method requires
Access-Challenge, then the Access-Challenge is automatically generated.
 If Access-Challenge is not automatically generated, then you don't need it.

> Again, sorry if my question is not correct, and don't worry, I'm not writing
> a RADIUS client.

  Well, you said you were.

> My simple question:
> How to configure freeRADIUS server so it replies with an "access-challenge" message
> to an "access-request" from a client?

  My answer (again) is "you don't".

  If you keep asking the question, then it's clear you don't understand
the answer.

  Alan DeKok.

Re: Help me with Access-Challenge configuration

Stefan Winter-4
Hi,

> My simple question:
> How to configure freeRADIUS server so it replies with an "access-challenge" message
> to an "access-request" from a client?

Alan's problem with this "simple" question of yours is that it's not
just simple, but simplistic. RADIUS can convey *many different*
authentication protocols which are all using an Access-Challenge to send
challenge data back. The content of the Access-Challenge, and the
configuration needed for that specific Access-Challenge, is
significantly different.

The fact that you ask the question like you did is a strong indication
that you don't know about this fact. Please ask a question like

How to configure freeRADIUS server so it replies with a CHAP "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an MS-CHAP "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an MS-CHAPv2 "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an EAP-TLS "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with an EAP-TTLS "access-challenge" message on "access-request" from a client?
How to configure freeRADIUS server so it replies with a PEAP "access-challenge" message on "access-request" from a client?

See? You need to be more specific in your question before anyone here can give you an answer. Or better yet, read up on RADIUS, and/or EAP methods, and *then* ask a well-informed question.

Greetings,


Stefan Winter


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: Help me with Access-Challenge configuration

GreenUA
Aaaaaa Stefan Winter-4,

Thanks a lot, now I understand how to configure my configuration!!!!
It's what I need to hear!
Have a nice day!
 

Re: Help me with Access-Challenge configuration

Saber Chebka
This post has NOT been accepted by the mailing list yet.
GreenUA, could you please tell what you have done to get your configuration working?
I need the same scenario in order to test my radius client.

I followed your discussion from the beginning, and you were quite clear, but I can't understand why the answers were all telling you that you are asking a wrong question.