Discussion:
freeradius 3 + OPENLDAP
(too old to reply)
Eyal Zarchi
2018-11-14 16:21:15 UTC
Permalink
Hello all

I am trying to configure freeradius to work with openldap for wireless
authentications.

The idea is to configure Access Points (that work just fine when connected
using the user file)

I configured the LDAP (radtest works just fine)



[***@mvm01 ~]#radtest user password localhost 0 testing123

Sent Access-Request Id 16 from 0.0.0.0:54110 to 127.0.0.1:1812 length 75

User-Name = "user"

User-Password = "password"

NAS-IP-Address = 10.9.8.5

NAS-Port = 0

Message-Authenticator = 0x00

Cleartext-Password = "password"

Received Access-Accept Id 16 from 127.0.0.1:1812 to 0.0.0.0:0 length 20





But as soon as I add the MSCHAP option (although I have no windows domain),

I hope someone can find where I config wrong.

I get the following errors:



[***@mvm01 ~]#radtest -t mschap user *password* localhost 0 testing123

Sent Access-Request Id 124 from 0.0.0.0:44991 to 127.0.0.1:1812 length 131

User-Name = "user"

MS-CHAP-Password = "password"

NAS-IP-Address = 10.9.8.5

NAS-Port = 0

Message-Authenticator = 0x00

Cleartext-Password = " password "

MS-CHAP-Challenge = 0xe4594d14941e6067

MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000085dcfd958b6e0adc908fb6
3efb356cfe593a52522914f06f

Received Access-Reject Id 124 from 127.0.0.1:1812 to 0.0.0.0:0 length 61

MS-CHAP-Error = "\000E=691 R=1 C=d38a3a773855b34d V=2"

(0) -: Expected Access-Accept got Access-Reject









And on the debug:

[***@mvm01 ~]#radiusd -X

FreeRADIUS Version 3.0.13

Copyright (C) 1999-2017 The FreeRADIUS server project and contributors

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting - reading configuration files ...

including dictionary file /usr/share/freeradius/dictionary

including dictionary file /usr/share/freeradius/dictionary.dhcp

including dictionary file /usr/share/freeradius/dictionary.vqp

including dictionary file /etc/raddb/dictionary

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/mods-enabled/

including configuration file /etc/raddb/mods-enabled/always

including configuration file /etc/raddb/mods-enabled/attr_filter

including configuration file /etc/raddb/mods-enabled/cache_eap

including configuration file /etc/raddb/mods-enabled/chap

including configuration file /etc/raddb/mods-enabled/date

including configuration file /etc/raddb/mods-enabled/detail

including configuration file /etc/raddb/mods-enabled/detail.log

including configuration file /etc/raddb/mods-enabled/dhcp

including configuration file /etc/raddb/mods-enabled/digest

including configuration file /etc/raddb/mods-enabled/dynamic_clients

including configuration file /etc/raddb/mods-enabled/eap

including configuration file /etc/raddb/mods-enabled/echo

including configuration file /etc/raddb/mods-enabled/exec

including configuration file /etc/raddb/mods-enabled/expiration

including configuration file /etc/raddb/mods-enabled/expr

including configuration file /etc/raddb/mods-enabled/files

including configuration file /etc/raddb/mods-enabled/linelog

including configuration file /etc/raddb/mods-enabled/logintime

including configuration file /etc/raddb/mods-enabled/mschap

including configuration file /etc/raddb/mods-enabled/ntlm_auth

including configuration file /etc/raddb/mods-enabled/pap

including configuration file /etc/raddb/mods-enabled/passwd

including configuration file /etc/raddb/mods-enabled/preprocess

including configuration file /etc/raddb/mods-enabled/radutmp

including configuration file /etc/raddb/mods-enabled/realm

including configuration file /etc/raddb/mods-enabled/replicate

including configuration file /etc/raddb/mods-enabled/soh

including configuration file /etc/raddb/mods-enabled/sradutmp

including configuration file /etc/raddb/mods-enabled/unix

including configuration file /etc/raddb/mods-enabled/unpack

including configuration file /etc/raddb/mods-enabled/utf8

including configuration file /etc/raddb/mods-enabled/ldap

including files in directory /etc/raddb/policy.d/

including configuration file /etc/raddb/policy.d/accounting

including configuration file /etc/raddb/policy.d/canonicalization

including configuration file /etc/raddb/policy.d/control

including configuration file /etc/raddb/policy.d/cui

including configuration file /etc/raddb/policy.d/debug

including configuration file /etc/raddb/policy.d/dhcp

including configuration file /etc/raddb/policy.d/eap

including configuration file /etc/raddb/policy.d/filter

including configuration file /etc/raddb/policy.d/operator-name

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/default

including configuration file /etc/raddb/sites-enabled/inner-tunnel

main {

security {

user = "radiusd"

group = "radiusd"

allow_core_dumps = no

}

name = "radiusd"

prefix = "/usr"

localstatedir = "/var"

logdir = "/var/log/radius"

run_dir = "/var/run/radiusd"

}

main {

name = "radiusd"

prefix = "/usr"

localstatedir = "/var"

sbindir = "/usr/sbin"

logdir = "/var/log/radius"

run_dir = "/var/run/radiusd"

libdir = "/usr/lib64/freeradius"

radacctdir = "/var/log/radius/radacct"

hostname_lookups = no

max_request_time = 30

cleanup_delay = 5

max_requests = 16384

pidfile = "/var/run/radiusd/radiusd.pid"

checkrad = "/usr/sbin/checkrad"

debug_level = 0

proxy_requests = yes

log {

stripped_names = no

auth = no

auth_badpass = no

auth_goodpass = no

colourise = yes

msg_denied = "You are already logged in - access denied"

}

resources {

}

security {

max_attributes = 200

reject_delay = 1.000000

status_server = yes

}

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

retry_delay = 5

retry_count = 3

default_fallback = no

dead_time = 120

wake_all_if_all_dead = no

}

home_server localhost {

ipaddr = 127.0.0.1

port = 1812

type = "auth"

secret = <<< secret >>>

response_window = 20.000000

response_timeouts = 1

max_outstanding = 65536

zombie_period = 40

status_check = "status-server"

ping_interval = 30

check_interval = 30

check_timeout = 4

num_answers_to_alive = 3

revive_interval = 120

limit {

max_connections = 16

max_requests = 0

lifetime = 0

idle_timeout = 0

}

coa {

irt = 2

mrt = 16

mrc = 5

mrd = 30

}

}

home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

}

realm example.com {

auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Loading Clients ####

client localhost {

ipaddr = 127.0.0.1

require_message_authenticator = no

secret = <<< secret >>>

nas_type = "other"

proto = "*"

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client localhost_ipv6 {

ipv6addr = ::1

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client ap02 {

ipaddr = 10.9.12.152

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client ap06 {

ipaddr = 10.9.12.156

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client ap07 {

ipaddr = 10.9.12.157

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client ap08 {

ipaddr = 10.9.12.158

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client ap09 {

ipaddr = 10.9.12.159

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

client ap10 {

ipaddr = 10.9.12.160

require_message_authenticator = no

secret = <<< secret >>>

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

Debugger not attached

# Creating Auth-Type = mschap

# Creating Auth-Type = digest

# Creating Auth-Type = eap

# Creating Auth-Type = PAP

# Creating Auth-Type = CHAP

# Creating Auth-Type = MS-CHAP

# Creating Auth-Type = LDAP

radiusd: #### Instantiating modules ####

modules {

# Loaded module rlm_always

# Loading module "reject" from file /etc/raddb/mods-enabled/always

always reject {

rcode = "reject"

simulcount = 0

mpp = no

}

# Loading module "fail" from file /etc/raddb/mods-enabled/always

always fail {

rcode = "fail"

simulcount = 0

mpp = no

}

# Loading module "ok" from file /etc/raddb/mods-enabled/always

always ok {

rcode = "ok"

simulcount = 0

mpp = no

}

# Loading module "handled" from file /etc/raddb/mods-enabled/always

always handled {

rcode = "handled"

simulcount = 0

mpp = no

}

# Loading module "invalid" from file /etc/raddb/mods-enabled/always

always invalid {

rcode = "invalid"

simulcount = 0

mpp = no

}

# Loading module "userlock" from file /etc/raddb/mods-enabled/always

always userlock {

rcode = "userlock"

simulcount = 0

mpp = no

}

# Loading module "notfound" from file /etc/raddb/mods-enabled/always

always notfound {

rcode = "notfound"

simulcount = 0

mpp = no

}

# Loading module "noop" from file /etc/raddb/mods-enabled/always

always noop {

rcode = "noop"

simulcount = 0

mpp = no

}

# Loading module "updated" from file /etc/raddb/mods-enabled/always

always updated {

rcode = "updated"

simulcount = 0

mpp = no

}

# Loaded module rlm_attr_filter

# Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.post-proxy {

filename = "/etc/raddb/mods-config/attr_filter/post-proxy"

key = "%{Realm}"

relaxed = no

}

# Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.pre-proxy {

filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"

key = "%{Realm}"

relaxed = no

}

# Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.access_reject {

filename = "/etc/raddb/mods-config/attr_filter/access_reject"

key = "%{User-Name}"

relaxed = no

}

# Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.access_challenge {

filename = "/etc/raddb/mods-config/attr_filter/access_challenge"

key = "%{User-Name}"

relaxed = no

}

# Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter

attr_filter attr_filter.accounting_response {

filename = "/etc/raddb/mods-config/attr_filter/accounting_response"

key = "%{User-Name}"

relaxed = no

}

# Loaded module rlm_cache

# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap

cache cache_eap {

driver = "rlm_cache_rbtree"

key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"

ttl = 15

max_entries = 0

epoch = 0

add_stats = no

}

# Loaded module rlm_chap

# Loading module "chap" from file /etc/raddb/mods-enabled/chap

# Loaded module rlm_date

# Loading module "date" from file /etc/raddb/mods-enabled/date

date {

format = "%b %e %Y %H:%M:%S %Z"

}

# Loaded module rlm_detail

# Loading module "detail" from file /etc/raddb/mods-enabled/detail

detail {

filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/detail-%Y%m%d"

header = "%t"

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log

detail auth_log {

filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/auth-detail-%Y%m%d"

header = "%t"

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log

detail reply_log {

filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/reply-detail-%Y%m%d"

header = "%t"

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log

detail pre_proxy_log {

filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/pre-proxy-detail-%Y%m%d"

header = "%t"

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loading module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log

detail post_proxy_log {

filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addre
ss}}/post-proxy-detail-%Y%m%d"

header = "%t"

permissions = 384

locking = no

escape_filenames = no

log_packet_header = no

}

# Loaded module rlm_dhcp

# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp

# Loaded module rlm_digest

# Loading module "digest" from file /etc/raddb/mods-enabled/digest

# Loaded module rlm_dynamic_clients

# Loading module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients

# Loaded module rlm_eap

# Loading module "eap" from file /etc/raddb/mods-enabled/eap

eap {

default_eap_type = "md5"

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

max_sessions = 16384

}

# Loaded module rlm_exec

# Loading module "echo" from file /etc/raddb/mods-enabled/echo

exec echo {

wait = yes

program = "/bin/echo %{User-Name}"

input_pairs = "request"

output_pairs = "reply"

shell_escape = yes

}

# Loading module "exec" from file /etc/raddb/mods-enabled/exec

exec {

wait = no

input_pairs = "request"

shell_escape = yes

timeout = 10

}

# Loaded module rlm_expiration

# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration

# Loaded module rlm_expr

# Loading module "expr" from file /etc/raddb/mods-enabled/expr

expr {

safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"

}

# Loaded module rlm_files

# Loading module "files" from file /etc/raddb/mods-enabled/files

files {

filename = "/etc/raddb/mods-config/files/authorize"

acctusersfile = "/etc/raddb/mods-config/files/accounting"

preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"

}

# Loaded module rlm_linelog

# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog

linelog {

filename = "/var/log/radius/linelog"

escape_filenames = no

syslog_severity = "info"

permissions = 384

format = "This is a log message for %{User-Name}"

reference = "messages.%{%{reply:Packet-Type}:-default}"

}

# Loading module "log_accounting" from file
/etc/raddb/mods-enabled/linelog

linelog log_accounting {

filename = "/var/log/radius/linelog-accounting"

escape_filenames = no

syslog_severity = "info"

permissions = 384

format = ""

reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

}

# Loaded module rlm_logintime

# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime

logintime {

minimum_timeout = 60

}

# Loaded module rlm_mschap

# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap

mschap {

use_mppe = yes

require_encryption = no

require_strong = no

with_ntdomain_hack = yes

passchange {

}

allow_retry = yes

winbind_retry_with_normalised_username = no

}

# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth

exec ntlm_auth {

wait = yes

program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"

shell_escape = yes

}

# Loaded module rlm_pap

# Loading module "pap" from file /etc/raddb/mods-enabled/pap

pap {

normalise = yes

}

# Loaded module rlm_passwd

# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd

passwd etc_passwd {

filename = "/etc/passwd"

format = "*User-Name:Crypt-Password:"

delimiter = ":"

ignore_nislike = no

ignore_empty = yes

allow_multiple_keys = no

hash_size = 100

}

# Loaded module rlm_preprocess

# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess

preprocess {

huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"

hints = "/etc/raddb/mods-config/preprocess/hints"

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

# Loaded module rlm_radutmp

# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp

radutmp {

filename = "/var/log/radius/radutmp"

username = "%{User-Name}"

case_sensitive = yes

check_with_nas = yes

permissions = 384

caller_id = yes

}

# Loaded module rlm_realm

# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm

realm IPASS {

format = "prefix"

delimiter = "/"

ignore_default = no

ignore_null = no

}

# Loading module "suffix" from file /etc/raddb/mods-enabled/realm

realm suffix {

format = "suffix"

delimiter = "@"

ignore_default = no

ignore_null = no

}

# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm

realm realmpercent {

format = "suffix"

delimiter = "%"

ignore_default = no

ignore_null = no

}

# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm

realm ntdomain {

format = "prefix"

delimiter = "\\"

ignore_default = no

ignore_null = no

}

# Loaded module rlm_replicate

# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate

# Loaded module rlm_soh

# Loading module "soh" from file /etc/raddb/mods-enabled/soh

soh {

dhcp = yes

}

# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp

radutmp sradutmp {

filename = "/var/log/radius/sradutmp"

username = "%{User-Name}"

case_sensitive = yes

check_with_nas = yes

permissions = 420

caller_id = no

}

# Loaded module rlm_unix

# Loading module "unix" from file /etc/raddb/mods-enabled/unix

unix {

radwtmp = "/var/log/radius/radwtmp"

}

Creating attribute Unix-Group

# Loaded module rlm_unpack

# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack

# Loaded module rlm_utf8

# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8

# Loaded module rlm_ldap

# Loading module "ldap" from file /etc/raddb/mods-enabled/ldap

ldap {

server = "ldaps://ldap.it.qwilt.com"

port = 636

identity = "cn=admin,dc=qwilt,dc=com"

password = <<< secret >>>

sasl {

}

user {

scope = "sub"

access_positive = yes

sasl {

}

}

group {

filter = "(objectClass=posixGroup)"

scope = "sub"

name_attribute = "cn"

membership_attribute = "memberOf"

cacheable_name = no

cacheable_dn = no

}

client {

filter = "(objectClass=radiusClient)"

scope = "sub"

base_dn = "dc=qwilt,dc=com"

}

profile {

}

options {

ldap_debug = 40

chase_referrals = yes

rebind = yes

net_timeout = 1

res_timeout = 10

srv_timelimit = 3

idle = 60

probes = 3

interval = 3

}

tls {

ca_file = "/etc/raddb/certs/qwilt-internal-rootca.pem"

start_tls = no

}

}

Creating attribute LDAP-Group

instantiate {

}

# Instantiating module "reject" from file /etc/raddb/mods-enabled/always

# Instantiating module "fail" from file /etc/raddb/mods-enabled/always

# Instantiating module "ok" from file /etc/raddb/mods-enabled/always

# Instantiating module "handled" from file /etc/raddb/mods-enabled/always

# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always

# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always

# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always

# Instantiating module "noop" from file /etc/raddb/mods-enabled/always

# Instantiating module "updated" from file /etc/raddb/mods-enabled/always

# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy

# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy

# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject

[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".

[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".

# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge

# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response

# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked

# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail

# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail
output

# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log

# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log

# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log

# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap

# Linked to sub-module rlm_eap_md5

# Linked to sub-module rlm_eap_leap

# Linked to sub-module rlm_eap_gtc

gtc {

challenge = "Password: "

auth_type = "PAP"

}

# Linked to sub-module rlm_eap_tls

tls {

tls = "tls-common"

}

tls-config tls-common {

verify_depth = 0

ca_path = "/etc/raddb/certs"

pem_file_type = yes

private_key_file = "/etc/raddb/certs/server.pem"

certificate_file = "/etc/raddb/certs/server.pem"

ca_file = "/etc/raddb/certs/ca.pem"

private_key_password = <<< secret >>>

dh_file = "/etc/raddb/certs/dh"

fragment_size = 1024

include_length = yes

auto_chain = yes

check_crl = no

check_all_crl = no

cipher_list = "DEFAULT"

cipher_server_preference = no

ecdh_curve = "prime256v1"

cache {

enable = no

lifetime = 24

max_entries = 255

}

verify {

skip_if_ocsp_ok = no

}

ocsp {

enable = no

override_cert_url = yes

url = "http://127.0.0.1/ocsp/"

use_nonce = yes

timeout = 0

softfail = no

}

}

# Linked to sub-module rlm_eap_ttls

ttls {

tls = "tls-common"

default_eap_type = "md5"

copy_request_to_tunnel = no

use_tunneled_reply = no

virtual_server = "inner-tunnel"

include_length = yes

require_client_cert = no

}

tls: Using cached TLS configuration from previous invocation

# Linked to sub-module rlm_eap_peap

peap {

tls = "tls-common"

default_eap_type = "mschapv2"

copy_request_to_tunnel = no

use_tunneled_reply = no

proxy_tunneled_request_as_eap = yes

virtual_server = "inner-tunnel"

soh = no

require_client_cert = no

}

tls: Using cached TLS configuration from previous invocation

# Linked to sub-module rlm_eap_mschapv2

mschapv2 {

with_ntdomain_hack = no

send_error = no

}

# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration

# Instantiating module "files" from file /etc/raddb/mods-enabled/files

reading pairlist file /etc/raddb/mods-config/files/authorize

reading pairlist file /etc/raddb/mods-config/files/accounting

reading pairlist file /etc/raddb/mods-config/files/pre-proxy

# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog

# Instantiating module "log_accounting" from file
/etc/raddb/mods-enabled/linelog

# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime

# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap

rlm_mschap (mschap): using internal authentication

# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap

# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess

reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups

reading pairlist file /etc/raddb/mods-config/preprocess/hints

# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm

# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm

# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm

# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm

# Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap

rlm_ldap: libldap vendor: OpenLDAP, version: 20444

accounting {

reference = "%{tolower:type.%{Acct-Status-Type}}"

}

post-auth {

reference = "."

}

rlm_ldap (ldap): Initialising connection pool

pool {

start = 5

min = 3

max = 32

spare = 10

uses = 0

lifetime = 0

cleanup_interval = 30

idle_timeout = 60

retry_delay = 30

spread = no

}

rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots
used

rlm_ldap (ldap): Connecting to ldaps://ldap.it.qwilt.com:636

TLSMC: MozNSS compatibility interception begins.

tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.

tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.

TLSMC: MozNSS compatibility interception ends.

rlm_ldap (ldap): Waiting for bind result...

rlm_ldap (ldap): Bind successful

rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots
used

rlm_ldap (ldap): Connecting to ldaps://ldap.it.qwilt.com:636

TLSMC: MozNSS compatibility interception begins.

tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.

tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.

TLSMC: MozNSS compatibility interception ends.

rlm_ldap (ldap): Waiting for bind result...

rlm_ldap (ldap): Bind successful

rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots
used

rlm_ldap (ldap): Connecting to ldaps://ldap.it.qwilt.com:636

TLSMC: MozNSS compatibility interception begins.

tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.

tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.

TLSMC: MozNSS compatibility interception ends.

rlm_ldap (ldap): Waiting for bind result...

rlm_ldap (ldap): Bind successful

rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots
used

rlm_ldap (ldap): Connecting to ldaps://ldap.it.qwilt.com:636

TLSMC: MozNSS compatibility interception begins.

tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.

tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.

TLSMC: MozNSS compatibility interception ends.

rlm_ldap (ldap): Waiting for bind result...

rlm_ldap (ldap): Bind successful

rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots
used

rlm_ldap (ldap): Connecting to ldaps://ldap.it.qwilt.com:636

TLSMC: MozNSS compatibility interception begins.

tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.

tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.

TLSMC: MozNSS compatibility interception ends.

rlm_ldap (ldap): Waiting for bind result...

rlm_ldap (ldap): Bind successful

} # modules

radiusd: #### Loading Virtual Servers ####

server { # from file /etc/raddb/radiusd.conf

} # server

server default { # from file /etc/raddb/sites-enabled/default

# Loading authenticate {...}

# Loading authorize {...}

Ignoring "sql" (see raddb/mods-available/README.rst)

# Loading preacct {...}

# Loading accounting {...}

# Loading post-proxy {...}

# Loading post-auth {...}

} # server default

server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel

# Loading authenticate {...}

# Loading authorize {...}

# Loading session {...}

# Loading post-proxy {...}

# Loading post-auth {...}

# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:330

} # server inner-tunnel

radiusd: #### Opening IP addresses and Ports ####

listen {

type = "auth"

ipaddr = *

port = 0

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

listen {

type = "acct"

ipaddr = *

port = 0

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

listen {

type = "auth"

ipv6addr = ::

port = 0

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

listen {

type = "acct"

ipv6addr = ::

port = 0

limit {

max_connections = 16

lifetime = 0

idle_timeout = 30

}

}

listen {

type = "auth"

ipaddr = 127.0.0.1

port = 18120

}

Listening on auth address * port 1812 bound to server default

Listening on acct address * port 1813 bound to server default

Listening on auth address :: port 1812 bound to server default

Listening on acct address :: port 1813 bound to server default

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel

Listening on proxy address * port 53620

Listening on proxy address :: port 60053

Ready to process requests

(0) Received Access-Request Id 124 from 127.0.0.1:44991 to 127.0.0.1:1812
length 131

(0) User-Name = "User"

(0) NAS-IP-Address = 10.9.8.5

(0) NAS-Port = 0

(0) Message-Authenticator = 0xca9abe649bc161840c66db76ac4c5682

(0) MS-CHAP-Challenge = 0xe4594d14941e6067

(0) MS-CHAP-Response =
0x000100000000000000000000000000000000000000000000000085dcfd958b6e0adc908fb6
3efb356cfe593a52522914f06f

(0) # Executing section authorize from file /etc/raddb/sites-enabled/default

(0) authorize {

(0) policy filter_username {

(0) if (&User-Name) {

(0) if (&User-Name) -> TRUE

(0) if (&User-Name) {

(0) if (&User-Name =~ / /) {

(0) if (&User-Name =~ / /) -> FALSE

(0) if (&User-Name =~ /@[^@]*@/ ) {

(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE

(0) if (&User-Name =~ /\.\./ ) {

(0) if (&User-Name =~ /\.\./ ) -> FALSE

(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {

(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE

(0) if (&User-Name =~ /\.$/) {

(0) if (&User-Name =~ /\.$/) -> FALSE

(0) if (&User-Name =~ /@\./) {

(0) if (&User-Name =~ /@\./) -> FALSE

(0) } # if (&User-Name) = notfound

(0) } # policy filter_username = notfound

(0) [preprocess] = ok

(0) [chap] = noop

(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'

(0) [mschap] = ok

(0) [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: No '@' in User-Name = "User", looking up realm NULL

(0) suffix: No such realm "NULL"

(0) [suffix] = noop

(0) eap: No EAP-Message, not doing EAP

(0) [eap] = noop

(0) [files] = noop

rlm_ldap (ldap): Reserved connection (0)

(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})

(0) ldap: --> (uid=User)

(0) ldap: Performing search in "dc=qwilt,dc=com" with filter "(uid=User)",
scope "sub"

(0) ldap: Waiting for search result...

(0) ldap: User object found at DN "uid=User,ou=People,dc=qwilt,dc=com"

(0) ldap: Processing user attributes

(0) ldap: control:Password-With-Header +=
'{SSHA}qGc3M+tIwC6k+IzrF9ELgbC9WcEKjFNK'

rlm_ldap (ldap): Released connection (0)

Need 5 more connections to reach 10 spares

rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used

rlm_ldap (ldap): Connecting to ldaps://ldap.it.qwilt.com:636

TLSMC: MozNSS compatibility interception begins.

tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is
present.

tlsmc_intercept_initialization: INFO: successfully intercepted TLS
initialization. Continuing with OpenSSL only.

TLSMC: MozNSS compatibility interception ends.

rlm_ldap (ldap): Waiting for bind result...

rlm_ldap (ldap): Bind successful

(0) [ldap] = updated

(0) [expiration] = noop

(0) [logintime] = noop

(0) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password

(0) pap: Removing &control:Password-With-Header

(0) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes

(0) pap: WARNING: Auth-Type already set. Not setting to PAP

(0) [pap] = noop

(0) } # authorize = updated

(0) Found Auth-Type = mschap

(0) # Executing group from file /etc/raddb/sites-enabled/default

(0) authenticate {

(0) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password

(0) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password

(0) mschap: Client is using MS-CHAPv1 with NT-Password

(0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication

(0) mschap: ERROR: MS-CHAP2-Response is incorrect

(0) [mschap] = reject

(0) } # authenticate = reject

(0) Failed to authenticate the user

(0) Using Post-Auth-Type Reject

(0) # Executing group from file /etc/raddb/sites-enabled/default

(0) Post-Auth-Type REJECT {

(0) attr_filter.access_reject: EXPAND %{User-Name}

(0) attr_filter.access_reject: --> User

(0) attr_filter.access_reject: Matched entry DEFAULT at line 11

(0) [attr_filter.access_reject] = updated

(0) [eap] = noop

(0) policy remove_reply_message_if_eap {

(0) if (&reply:EAP-Message && &reply:Reply-Message) {

(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE

(0) else {

(0) [noop] = noop

(0) } # else = noop

(0) } # policy remove_reply_message_if_eap = noop

(0) } # Post-Auth-Type REJECT = updated

(0) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(0) Sending delayed response

(0) Sent Access-Reject Id 124 from 127.0.0.1:1812 to 127.0.0.1:44991 length
61

(0) MS-CHAP-Error = "\000E=691 R=1 C=d38a3a773855b34d V=2"

Waking up in 3.9 seconds.

(0) Cleaning up request packet ID 124 with timestamp +12

Ready to process requests

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.
Adam Bishop
2018-11-14 16:28:08 UTC
Permalink
Post by Eyal Zarchi
But as soon as I add the MSCHAP option (although I have no windows domain),
You can't use mschap with sha passwords. See the compatibility table:

http://deployingradius.com/documents/protocols/compatibility.html

If you want to use mschap, you need to make sure you add nt hashes to your ldap directory, or store plain passwords.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
Eyal Zarchi
2018-11-14 16:37:10 UTC
Permalink
Do i need to use mschap for windows connection to wifi via freeradius and
openldap?
Cant i force the use of regular ldap connection just like the radtest?

Its either modify the ldap server or uae the user file?
Post by Eyal Zarchi
Post by Eyal Zarchi
But as soon as I add the MSCHAP option (although I have no windows
domain),
http://deployingradius.com/documents/protocols/compatibility.html
If you want to use mschap, you need to make sure you add nt hashes to your
ldap directory, or store plain passwords.
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company number
2881024, VAT number GB 197 0632 86. The registered office is: One Castle
Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.fr
Marcos Renato da Silva Junior
2018-11-14 17:34:34 UTC
Permalink
If you are doing a fresh installation maybe you can try something like a
combination of openldap with smbldap-tools generating ssha and nt hash
passwords. do not forget to uncomment in the
/etc/freeradius/3.0/mods-available/ldap file:                 control:
NT-Password: = 'sambaNTPassword'                 control: LM-Password: =
'sambaLMPassword'
Post by Eyal Zarchi
Do i need to use mschap for windows connection to wifi via freeradius and
openldap?
Cant i force the use of regular ldap connection just like the radtest?
Its either modify the ldap server or uae the user file?
Post by Eyal Zarchi
Post by Eyal Zarchi
But as soon as I add the MSCHAP option (although I have no windows
domain),
http://deployingradius.com/documents/protocols/compatibility.html
If you want to use mschap, you need to make sure you add nt hashes to your
ldap directory, or store plain passwords.
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company number
2881024, VAT number GB 197 0632 86. The registered office is: One Castle
Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Marcos Renato da Silva Junior
Universidade Estadual Paulista - Unesp
Faculdade de Engenharia de Ilha Solteira - FEIS
Departamento de Engenharia Elétrica - DEE
15385-000 - Ilha Solteira/SP
(18) 3743-1164

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.ht
Alan Buxey
2018-11-14 20:15:41 UTC
Permalink
hi,

Do i need to use mschap for windows connection to wifi via freeradius and
Post by Eyal Zarchi
openldap?
with latest versions of Windows you can use EAP-TTLS/PAP - for older
versions you'd need to install
an extra supplicant to have that option. other OSes have EAP-TTLS/PAP
available to them.

or you can use certificates.... whats the purpose/customers etc?

alan
-
List info/subscribe/unsubscribe? See http
Eyal Zarchi
2018-11-14 20:51:46 UTC
Permalink
No only internal users.
If i need to install a certificate per devicr i can just configure the
users in the user file.
The idea of ldap was to make things simple when a user leaves the company
or a new user joins.
But i think its just easier to create a password for each user in the
network rather than to modify the ldap and maybe cause other issues.

The idea is to secure the internal wifi rather then just use psk-wpa2.
Post by Eyal Zarchi
hi,
Do i need to use mschap for windows connection to wifi via freeradius and
Post by Eyal Zarchi
openldap?
with latest versions of Windows you can use EAP-TTLS/PAP - for older
versions you'd need to install
an extra supplicant to have that option. other OSes have EAP-TTLS/PAP
available to them.
or you can use certificates.... whats the purpose/customers etc?
alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.or
Adam Bishop
2018-11-19 13:27:40 UTC
Permalink
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.htm
Dave Macias
2018-11-20 02:18:28 UTC
Permalink
Thank you
Post by Adam Bishop
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradiu
Alan DeKok
2018-11-20 02:31:11 UTC
Permalink
Post by Adam Bishop
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(
Yeah. He's set up an auto reply system. Which also replies to autoreply messages it sent to the list. And, then he ran it against his entire inbox, going back to 2015.

He officially wins the "largest asshole of the last 20 years" award.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.or
Krauss International
2018-11-20 06:28:02 UTC
Permalink
I hope you guys disabled him.
and yes the award goes to him no doubt

Thanks & regards
Mankomal Singh
Krauss International
P: +91-9910416231
Post by Adam Bishop
Post by Adam Bishop
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on
our mail gateway, but I suspect other list users are still having their
mailboxes filled :(
Yeah. He's set up an auto reply system. Which also replies to
autoreply messages it sent to the list. And, then he ran it against his
entire inbox, going back to 2015.
He officially wins the "largest asshole of the last 20 years" award.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://
Stefan Paetow
2018-11-20 07:33:46 UTC
Permalink
The minute he started bombing through my mailbox I blocked him personally on our mail filters (for my mailbox anyway).

But yes... continuing to pull this stunt is just... beyond idiotic.

Stefan Paetow
Consultant, Trust and Identity

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: ***@jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http:
Ντέντος Σταύρος
2018-11-20 07:39:24 UTC
Permalink
Someone suggested creating a meme.

Any creative brains?

Ντέντος Σταύρος
Post by Stefan Paetow
The minute he started bombing through my mailbox I blocked him personally on our mail filters (for my mailbox anyway).
But yes... continuing to pull this stunt is just... beyond idiotic.
Stefan Paetow
Consultant, Trust and Identity
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://w
Chaigneau, Nicolas
2018-11-20 07:51:01 UTC
Permalink
Please don't. He doesn't deserve the fame.

If you want to do something, just send ninjas assassins after him.


-----Message d'origine-----
De : Freeradius-Users <freeradius-users-bounces+nicolas.chaigneau=***@lists.freeradius.org> De la part de ?t??t?? Sta????
Envoyé : mardi 20 novembre 2018 08:39
À : freeradius-***@lists.freeradius.org
Objet : Re: Idiot on the mailing list: Song Zou

Someone suggested creating a meme.

Any creative brains?

Ντέντος Σταύρος
Post by Stefan Paetow
The minute he started bombing through my mailbox I blocked him personally on our mail filters (for my mailbox anyway).
But yes... continuing to pull this stunt is just... beyond idiotic.
Stefan Paetow
Consultant, Trust and Identity
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(
Adam Bishop
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

-
List info/subscribe/unsubscribe? See http://www.freer
Alan DeKok
2018-11-20 11:53:30 UTC
Permalink
Post by Adam Bishop
I think he's gone, but we'll see.
Unfortunately they're also emailing users directly. I've blocked them on our mail gateway, but I suspect other list users are still having their mailboxes filled :(
I've reported him to ***@icloud.com . Message is below.

I strongly suggest that everyone affected by him send a similar message.


----
This guy has been spamming a mailing list, and all members of it:

http://lists.freeradius.org/pipermail/freeradius-users/2018-November/thread.html

He's set up an auto-responder that replies to all messages from the list. Including messages from his auto-responder.

The auto-responder replies not only to messages from the list, but also CC's the person who sent the original message.

See multiple reports to the list, including:

http://lists.freeradius.org/pipermail/freeradius-users/2018-November/093752.html

http://lists.freeradius.org/pipermail/freeradius-users/2018-November/093765.html


He's sent hundreds of messages to the mailing list, and to me personally.

Since there is ample evidence of abusive behaviour, can you please stop this abuse? It is ongoing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/use
Alan DeKok
2018-11-20 11:59:04 UTC
Permalink
Post by Alan DeKok
I strongly suggest that everyone affected by him send a similar message.
... with a subject of "abuse from ***@me.com"

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradi

Matthew Newton
2018-11-14 16:28:34 UTC
Permalink
Post by Eyal Zarchi
(0) ldap: control:Password-With-Header +=
'{SSHA}qGc3M+tIwC6k+IzrF9ELgbC9WcEKjFNK'
...
Post by Eyal Zarchi
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(0) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
authentication
Password in LDAP needs to be an NT hash or cleartext.

SSHA won't work with MSCHAP.

See http://deployingradius.com/documents/protocols/compatibility.html
--
Matthew

-
List info/subscribe/unsubscribe? See http://ww
Alan DeKok
2018-11-19 12:57:45 UTC
Permalink
I'm working to ban the most recent idiot who's spamming list list with unsubscribe comments.

These emails serve as a public record that he's too stupid to hit the "unsubscribe" link at the bottom of every message to the list.

What makes this more difficult is that he's using a remailer, so the public address we see isn't the one he's used for subscription.

He also opened a GitHub issue, which again serves as a public record of idiocy.

I think he's gone, but we'll see.

Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/l
Loading...