Re: Freeradius-Users Digest, Vol 181, Issue 21

imdadk
So, if I want to make the framed-ip a dynamic value, then how can I do
that?

And I have seen one vendor that uses FreeRADIUS and uses its own module in
Perl for CHAP authentication. For MSCHAP and EAP it's using the system's
built-in (FreeRADIUS) module.

Is that possible?

On Fri, May 15, 2020 at 3:30 PM <[hidden email]> wrote:

> Today's Topics:
>
>    1. Re: Wifi + Active Directory without ntlm (Alan DeKok)
>    2. Re: Wifi + Active Directory without ntlm (Fabrice Durand)
>    3. looking for test client for PEAP/MSCHAPv2 (Jim Shi)
>    4. Re: looking for test client for PEAP/MSCHAPv2 (Matthew Newton)
>    5. Re: looking for test client for PEAP/MSCHAPv2 (Jorge Pereira)
>    6. CHAP Authentication with rlm_perl module (Imdad Hasan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 14 May 2020 10:59:13 -0400
> From: Alan DeKok <[hidden email]>
> To: FreeRadius users mailing list
>         <[hidden email]>
> Subject: Re: Wifi + Active Directory without ntlm
> Message-ID: <[hidden email]>
> Content-Type: text/plain;       charset=utf-8
>
> On May 14, 2020, at 10:56 AM, Клеусов Владимир Сергеевич via
> Freeradius-Users <[hidden email]> wrote:
> >
> > The idea was to link freeradius and ad via an ldap module. That is, do
> > not install samba and winbind. To authenticate using the ldap module.
> > That is, it will not work like this. Right?
>
>   That question has been asked and answered about 4 times now.  The answer
> won't change if you keep asking the same question.  The only thing you'll
> do is annoy the people who are trying to help you.
>
> > So the ldap module is it for other LDAP implementations, such as
> > openldap?
>
>   The LDAP module is for any server which implements LDAP.  Like AD.
>
>   But as you were already told, the issue isn't LDAP.  It's AD.
>
>   Alan DeKok.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 14 May 2020 12:53:24 -0400
> From: Fabrice Durand <[hidden email]>
> To: [hidden email]
> Subject: Re: Wifi + Active Directory without ntlm
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> I did this kind of configuration a long time ago and most of the work
> needs to be done on the AD side.
>
> The idea is to mimic what an eDirectory server does (universal password)
> and create an ldap attribute where you will store the NTHASH of the
> user/computer.
>
>
> https://github.com/inverse-inc/packetfence/tree/devel/addons/nthash_AD_attribute
>
>
> The other way is to extract the NTHASH for each user, store it
> somewhere (SQL for example) and configure FreeRADIUS to fetch the NTHASH
> based on the username.
>
>
> https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
>
>
> Regards
>
> Fabrice
>
> On 20-05-14 at 10:56, Клеусов Владимир Сергеевич via Freeradius-Users wrote:
> > The idea was to link freeradius and ad via an ldap module. That is, do
> > not install samba and winbind. To authenticate using the ldap module.
> > That is, it will not work like this. Right? So the ldap module is it for
> > other LDAP implementations, such as openldap?
> >
> >> On 14 May 2020, at 16:40, Josef Vybíhal <[hidden email]> wrote:
> >>
> >> Is it possible, that you mean that you just don't want to use ntlm_auth
> >> command? If yes, then read the winbind comment section in the mschap
> >> module config.
> >> # winbind_username = "%{mschap:User-Name}"
> >> # winbind_domain = "%{mschap:NT-Domain}"
> >>
> >> or this
> >> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind
> >>
> >> On Thu, May 14, 2020 at 3:32 PM Клеусов Владимир Сергеевич via
> >> Freeradius-Users <[hidden email]> wrote:
> >>
> >>> Ideally, I want to authenticate the domain user and if he is in the
> >>> domain, check his group. If not in the group, do not connect to wifi.
> >>> Is this possible without ntlm?
> >>>
> >>> On 14 May 2020, at 16:07, Matthew Newton <[hidden email]> wrote:
> >>>
> >>> To do what? Just get policy information/groups etc, or to authenticate?
> >>>
> >>> FreeRADIUS can use LDAP to query AD to get group information etc just
> >>> fine. However, AD won't give you a password over LDAP. So in the vast
> >>> majority of cases if you want to authenticate you need to use mschap.
> >>>
> >>> -
> >>> List info/subscribe/unsubscribe? See
> >>> http://www.freeradius.org/list/users.html
>
> --
> Fabrice Durand
> [hidden email] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 14 May 2020 18:04:10 +0000 (UTC)
> From: Jim Shi <[hidden email]>
> To: "[hidden email]"
>         <[hidden email]>
> Subject: looking for test client for PEAP/MSCHAPv2
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>  I am looking for a test client that I can use to test PEAP/MSCHAPv2
> Seems radtest does not support PEAP/MSCHAPv2?
> Any help is appreciated.
> Thanks a lot.
> Jim
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 14 May 2020 19:07:50 +0100
> From: Matthew Newton <[hidden email]>
> To: [hidden email]
> Subject: Re: looking for test client for PEAP/MSCHAPv2
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
>
> On 14/05/2020 19:04, Jim Shi via Freeradius-Users wrote:
> >   I am looking for a test client that I can use to test PEAP/MSCHAPv2
> > Seems radtest does not support PEAP/MSCHAPv2?
>
> eapol_test from wpa_supplicant:
>
> https://w1.fi/wpa_supplicant/
>
> There are example configs in the FreeRADIUS source (see "make test").
>
> --
> Matthew
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 14 May 2020 15:12:15 -0300
> From: Jorge Pereira <[hidden email]>
> To: FreeRadius users mailing list
>         <[hidden email]>
> Subject: Re: looking for test client for PEAP/MSCHAPv2
> Message-ID: <[hidden email]>
> Content-Type: text/plain;       charset=utf-8
>
> Hi Jim,
>
> Take a look at “eapol_test” tool. We have some config samples in our repo.
>
> e.g:
>
> [jpereira@jorge-sugarloaf freeradius-server-v3.0.x.git]$ grep eapol_test -r src/
> src//tests/eap-md5.conf:#   eapol_test -c eap-md5.conf -s testing123 -n
> src//tests/Makefile:EAPOL_TEST = $(shell which eapol_test)
> src//tests/Makefile:#  Run eapol_test if it exists.  Otherwise do nothing
> src//tests/eap-mschapv2.conf:#   eapol_test -c eap-mschapv2.conf -s testing123
> src//tests/eap-ttls-eap-mschapv2.conf:#   eapol_test -c eap-ttls-eap-mschapv2.conf -s testing123
> src//tests/peap-mschapv2.conf:#   ./eapol_test -c peap-mschapv2.conf -s testing123
> src//tests/eap-ttls-mschapv2.conf:#   eapol_test -c eap-ttls-mschapv2.conf -s testing123
> src//tests/peap-client-mschapv2.conf:#   ./eapol_test -c peap-mschapv2.conf -s testing123
> src//tests/.gitignore:eapol_test
> src//tests/eap-tls.conf:#   eapol_test -c eap-tls.conf -s testing123
> src//tests/eap-ttls-pap.conf:#   eapol_test -c eap-ttls-pap.conf -s testing123
> [jpereira@jorge-sugarloaf freeradius-server-v3.0.x.git]$
>
> ---
> Jorge Pereira
> [hidden email] <mailto:[hidden email]>
>
>
>
>
> > On 14 May 2020, at 15:04, Jim Shi via Freeradius-Users <[hidden email]> wrote:
> >
> > Hi,
> >  I am looking for a test client that I can use to test PEAP/MSCHAPv2
> > Seems radtest does not support PEAP/MSCHAPv2?
> > Any help is appreciated.
> > Thanks a lot.
> > Jim
>
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 15 May 2020 04:30:52 +0530
> From: Imdad Hasan <[hidden email]>
> To: [hidden email]
> Subject: CHAP Authentication with rlm_perl module
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="UTF-8"
>
> Dear all,
>
> I am using the perl module; it works just like the exec module, but no doubt
> it has increased the performance under high load. But I have some queries
> when I use the CHAP authentication method with the perl module.
>
>
> In CHAP authentication I can't verify the password with Cleartext-Password,
> right?
> That's why I set the RADCHECK attribute Cleartext-Password="password" and after
> that freeradius verifies it with the authenticator and all, and if the password
> doesn't match then it returns Reject.
>
> But if I want to accept those users (who have the wrong password) with a
> special disabled framed-ip, then how can I?
>
>
> Thanks all,
>
> Imdad
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 181, Issue 21
> *************************************************
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
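
Added example, not part of the original message and not FreeRADIUS or rlm_perl code: a stand-alone Python version of the CHAP check that the last digest message asks about, following RFC 1994 and RFC 2865. The function names, the password "s3cret", the CHAP identifier and the authenticator bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password: bytes, known_password: bytes,
                chap_challenge: Optional[bytes],
                request_authenticator: bytes) -> bool:
    """Check a CHAP-Password attribute value against the stored password.

    chap_password is the 17-byte value from RFC 2865 section 5.3:
    one byte of CHAP identifier followed by the 16-byte MD5 response.
    """
    if len(chap_password) != 17 or len(request_authenticator) != 16:
        return False
    # RFC 2865: when the request carries no CHAP-Challenge attribute,
    # the 16-byte Request Authenticator is the challenge.
    challenge = chap_challenge or request_authenticator
    expected = chap_response(chap_password[0], known_password, challenge)
    # Constant-time comparison, so timing does not leak matching bytes.
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed sample request (not captured traffic): the NAS hashed the
# user's password "s3cret" with CHAP identifier 7 and used the Request
# Authenticator as the challenge.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_CHAP_PASSWORD = bytes([7]) + chap_response(7, b"s3cret", SAMPLE_AUTHENTICATOR)

if __name__ == "__main__":
    for candidate in (b"s3cret", b"wrong"):
        ok = verify_chap(SAMPLE_CHAP_PASSWORD, candidate, None, SAMPLE_AUTHENTICATOR)
        print(candidate.decode(), "->", "match" if ok else "mismatch")
```

The MD5 input contains the password itself, so the server can only run this check when it holds the cleartext password; an NT hash like the one discussed earlier in the digest is enough for MS-CHAP but not for CHAP.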