Hi Ken, What happens if, using radtest, you specify the username *without* the realm from the remote machine?
josh.

> -----Original Message-----
> From: [EMAIL PROTECTED] us.org [mailto:[EMAIL PROTECTED] freeradius.org] On Behalf Of ken
> Sent: 03 July 2007 22:02
> To: FreeRadius users mailing list
> Subject: "Shared secret is incorrect" - but it is identical!
>
> I'm trying to get FreeRadius working on a Fedora Core 6 server with a view
> to eventually using it to authenticate against Windows Active Directory via
> ntlm_auth for the Janet Roaming Service. The first attempts at configuring
> it failed rather drastically so I went back to the beginning and I'm doing
> things one step at a time, making one-line changes to configs then using
> radtest and/or radclient to ensure it still works. I can now authenticate a
> user defined in the users file, or in the Unix passwd file, from radtest on
> the local machine (i.e. the same one the server is running on). Next step
> is to check that I can use FreeRadius over the network by trying radclient
> on another machine.
>
> It doesn't work from the networked machine. I see the
> "invalid signature (err=2)! (Shared secret is incorrect.)" message.
>
> Debug log says to "double check the shared secret on the server". I have
> more than double checked it. I'm using the same shared secret on both
> machines. I "know" the shared secret is correct because it works from the
> local machine. But obviously it isn't! Because the encrypted password can't
> be read on the server. What can I do to make sure the shared secret truly
> is correct?
>
> The definitions for both hosts are identical in the clients.conf file. At
> one point I manually edited them to swap the names of servers while leaving
> the secrets the same, just in case there was some hidden unprintable
> character - but the new local one still worked, proving that the two
> entries in the clients.conf file are in fact identical.
>
> The shared secrets used in the radtest command are identical. I'm cutting
> and pasting the *same* radtest command in, not retyping it.
>
> To test for sure I put radclient commands in scripts on the remote machine,
> where they failed. Then I ftped them from the machine they failed on to the
> other one - where they worked! So it *has* to be the same! And if I alter
> it in any way there then radtest fails so it's not getting a free passage
> just because it's local.
>
> I have a horrid fear I've missed something totally obvious about how
> radclient works and that I'm doing something really, really stupid - but I
> can't see what. And I've been stuck here for over a week now. Any clues?
>
> From the local machine I get:
>
> ===================
> [EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
> Sending Access-Request of id 121 to server.IP.addr port 1812
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "password"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 122
> rad_recv: Access-Accept packet from host server.IP.addr:1812, id=121, length=20
> ===================
>
> But when I try from the remote machine I get:
>
> ===================
> /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
> Sending Access-Request of id 184 to server.IP.addr port 1812
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "password"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 122
> rad_recv: Access-Reject packet from host server.IP.addr:1812, id=184, length=20
> rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> [EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
> Sending Access-Request of id 246 to server.IP.addr port 1812
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "password"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 122
> rad_recv: Access-Reject packet from host server.IP.addr:1812, id=246, length=20
> rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> [EMAIL PROTECTED] ~]$ /usr/local/bin/radtest -d /etc/raddb [EMAIL PROTECTED] password server.IP.addr 122 sharedsecret
> Sending Access-Request of id 7 to server.IP.addr port 1812
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "password"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 122
> rad_recv: Access-Reject packet from host server.IP.addr:1812, id=7, length=20
> rad_verify: Received Access-Reject packet from client server.IP.addr port 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
> ==================
>
> I strongly suspect that I am doing something stupid on the client side,
> because the same request works from the local server.
> But just in case it's relevant, on the server in debug mode the failed
> transaction looks like this:
>
> ==================
> rad_recv: Access-Request packet from host client.IP.addr:32772, id=61, length=68
>         User-Name = "[EMAIL PROTECTED]"
>         User-Password = "V\303\245\321\364Fb\334\373\275\242\203\\o6\264"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 122
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 9
>   modcall[authorize]: module "preprocess" returns ok for request 9
> radius_xlat:  '/var/log/radius/radacct/client.IP.addr/auth-detail-20070703'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/client.IP.addr/auth-detail-20070703
>   modcall[authorize]: module "auth_log" returns ok for request 9
>   modcall[authorize]: module "chap" returns noop for request 9
>   modcall[authorize]: module "mschap" returns noop for request 9
>     rlm_realm: Looking up realm "bbk.ac.uk" for User-Name = "[EMAIL PROTECTED]"
>     rlm_realm: Found realm "bbk.ac.uk"
>     rlm_realm: Adding Stripped-User-Name = "username"
>     rlm_realm: Proxying request from user username to realm bbk.ac.uk
>     rlm_realm: Adding Realm = "bbk.ac.uk"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 9
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 9
>     users: Matched entry DEFAULT at line 20
>   modcall[authorize]: module "files" returns ok for request 9
> rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
>   modcall[authorize]: module "pap" returns noop for request 9
> modcall: leaving group authorize (returns ok) for request 9
>   rad_check_password:  Found Auth-Type System
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 9
>   modcall[authenticate]: module "unix" returns notfound for request 9
> modcall: leaving group authenticate (returns notfound) for request 9
> auth: Failed to validate the user.
> WARNING: Unprintable characters in the password.  ?
>         Double-check the shared secret on the server and the NAS!
> Delaying request 9 for 1 seconds
> Finished request 9
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 61 to client.IP.addr port 32772
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 9 ID 61 with timestamp 468aaada
> Nothing to do.  Sleeping until we see a request.
> ==================
>
> And a successful one looks like this - the obvious difference is that the
> password is in clear (though I have obfuscated it here) - as would be
> expected if there was no shared secret.
>
> ==================
> rad_recv: Access-Request packet from host server.IP.addr:32770, id=170, length=46
>         User-Name = "username"
>         User-Password = "password"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 10
>   modcall[authorize]: module "preprocess" returns ok for request 10
> radius_xlat:  '/var/log/radius/radacct/server.IP.addr/auth-detail-20070703'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/server.IP.addr/auth-detail-20070703
>   modcall[authorize]: module "auth_log" returns ok for request 10
>   modcall[authorize]: module "chap" returns noop for request 10
>   modcall[authorize]: module "mschap" returns noop for request 10
>     rlm_realm: No '@' in User-Name = "username", looking up realm NULL
>     rlm_realm: Found realm "NULL"
>     rlm_realm: Adding Stripped-User-Name = "username"
>     rlm_realm: Proxying request from user username to realm NULL
>     rlm_realm: Adding Realm = "NULL"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 10
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 10
>     users: Matched entry username at line 2
>   modcall[authorize]: module "files" returns ok for request 10
> rlm_pap: Found existing Auth-Type, not changing it.
>   modcall[authorize]: module "pap" returns noop for request 10
> modcall: leaving group authorize (returns ok) for request 10
>   rad_check_password:  Found Auth-Type Local
> auth: type Local
> auth: user supplied User-Password matches local User-Password
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 10
> radius_xlat:  '/var/log/radius/radacct/server.IP.addr/reply-detail-20070703'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/server.IP.addr/reply-detail-20070703
>   modcall[post-auth]: module "reply_log" returns ok for request 10
> modcall: leaving group post-auth (returns ok) for request 10
> Sending Access-Accept of id 170 to server.IP.addr port 32770
> Finished request 10
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 10 ID 170 with timestamp 468aab69
> Nothing to do.  Sleeping until we see a
> ==================
>
> Debug of startup looks like this (same in both cases obviously). I made new
> conf files to contain any local changes I might make & to help me find my
> way around radiusd.conf more easily - but they are just the sections of
> conf I might want to change pulled out and INCLUDEd back in so no
> substantial change:
>
> ==================
> /usr/local/sbin/radiusd -X -d /etc/raddb
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/raddb/bbk_fr_listen.conf
> Config:   including file: /etc/raddb/bbk_fr_security.conf
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> Config:   including file: /etc/raddb/snmp.conf
> Config:   including file: /etc/raddb/eap.conf
> Config:   including file: /etc/raddb/bbk_fr_mschap.conf
> Config:   including file: /etc/raddb/bbk_fr_ldap.conf
> Config:   including file: /etc/raddb/bbk_fr_passwd.conf
> Config:   including file: /etc/raddb/bbk_fr_realms.conf
> Config:   including file: /etc/raddb/bbk_fr_details.conf
> Config:   including file: /etc/raddb/sql.conf
> Config:   including file: /etc/raddb/bbk_fr_radutmp.conf
> Config:   including file: /etc/raddb/bbk_fr_counters.conf
> Config:   including file: /etc/raddb/bbk_fr_exec.conf
> Config:   including file: /etc/raddb/bbk_fr_ippool.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log/radius"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = no
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = yes
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> Using deprecated naslist file.  Support for this will go away soon.
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
>  pap: auto_header = yes
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = yes
>  mschap: require_strong = yes
>  mschap: with_ntdomain_hack = yes
>  mschap: passwd = "(null)"
>  mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "(null)"
>  unix: group = "(null)"
>  unix: radwtmp = "/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
>  eap: default_eap_type = "peap"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/etc/raddb/certs/radius2.bbk.ac.uk.key"
>  tls: certificate_file = "/etc/raddb/certs/radius2.bbk.ac.uk.pem"
>  tls: CA_file = "/etc/raddb/certs/ct_root.pem"
>  tls: private_key_password = "whatever"
>  tls: dh_file = "/etc/raddb/certs/dh"
>  tls: random_file = "/dev/urandom"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
>  tls: cipher_list = "(null)"
>  tls: check_cert_issuer = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
>  peap: default_eap_type = "mschapv2"
>  peap: copy_request_to_tunnel = no
>  peap: use_tunneled_reply = no
>  peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
>  mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
>  preprocess: huntgroups = "/etc/raddb/huntgroups"
>  preprocess: hints = "/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
>  preprocess: with_alvarion_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded detail
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (auth_log)
> Module: Loaded realm
>  realm: format = "suffix"
>  realm: delimiter = "@"
>  realm: ignore_default = no
>  realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
>  files: usersfile = "/etc/raddb/users"
>  files: acctusersfile = "/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: case_sensitive = yes
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (pre_proxy_log)
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (post_proxy_log)
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (reply_log)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Listening on proxy *:1814
> Ready to process requests.
> ==================
>
> FreeRADIUS Version 1.1.5, for host i686-pc-linux-gnu, built on Mar 9 2007 at 15:07:40
>
> The configurations are minimal:
>
> relevant entries in clients file:
>
> ==================
> client nnn.nnn.nnn.nnn {
>         secret      = sharedsecret
>         shortname   = monstera
>         nastype     = other
> }
> client nnn.nnn.nnn.nnn {
>         secret      = sharedsecret
>         shortname   = ficus
>         nastype     = other
> }
> ==================
>
> relevant entry in users file
>
> ==================
> username        Auth-Type := Local, User-Password == "password"
> ==================
>
> As I said, authentication works for the host on which Freeradius is running,
> but not on the other.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
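The two symptoms in Ken's logs (a User-Password that decodes to unprintable bytes on the server, and "invalid signature (err=2)" on the client) are both direct consequences of how RFC 2865 uses the shared secret. The example below, added here as an illustration and not code from this thread or from FreeRADIUS, implements the two mechanisms involved: the MD5-XOR hiding of User-Password (RFC 2865 section 5.2) and the Response Authenticator that radclient's rad_verify checks (RFC 2865 section 3). It then runs one radtest-style exchange twice, once with matching secrets and once with the client and server using different ones. The names `simulate`, `hide_password` and so on, the secrets and the fixed Request Authenticator in the test are all constructed for this example; the attribute layout mirrors what radtest sends in the thread.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types radtest sends (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); for the first block the 'previous
    block' is the Request Authenticator. This is obfuscation keyed by the shared
    secret, not authenticated encryption: nothing here detects a wrong key."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. With a different secret
    the MD5 keystream is different and the result is 16 bytes of junk, which is
    what radiusd -X reports as 'Unprintable characters in the password'."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type, total length (including these two bytes), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def find_attribute(attrs: bytes, atype: int) -> bytes:
    pos = 0
    while pos + 2 <= len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if t == atype:
            return attrs[pos + 2:pos + length]
        pos += length
    raise KeyError(atype)


def build_access_request(secret, ident, req_auth, user, password):
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes([255, 255, 255, 255]))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", 122)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    An Access-Reject with no attributes is exactly the length=20 packet in the thread."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """What radclient's rad_verify checks before it trusts an Accept or Reject."""
    header, got, attrs = resp[:4], resp[4:20], resp[20:]
    want = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)


def simulate(client_secret, server_secret, password, req_auth=None):
    """One radtest-style exchange. The server uses the secret from whichever
    client{} block it matched on source IP; the client uses its own. Returns the
    password the server decoded, the reply code, and whether the client accepted
    the reply's signature."""
    req_auth = req_auth or os.urandom(16)   # a fixed value makes the run reproducible
    ident = 61
    req = build_access_request(client_secret, ident, req_auth, b"username", password)
    # Server side: take the Request Authenticator from the packet, decode with its secret.
    attrs = req[20:]
    seen = reveal_password(server_secret, req[4:20], find_attribute(attrs, ATTR_USER_PASSWORD))
    code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_response(code, ident, req[4:20], b"", server_secret)
    # Client side: verify the Response Authenticator with the client's secret.
    return {"server_sees": seen, "code": code,
            "reply_verified": verify_response(reply, req_auth, client_secret)}


if __name__ == "__main__":
    for server_secret in (b"sharedsecret", b"wrongsecret"):
        print(server_secret, simulate(b"sharedsecret", server_secret, b"password"))
```

With matching secrets the server decodes "password", matches it and the client verifies the Accept. With any other secret on the server side the server decodes junk, falls through to a Reject, and signs that Reject with its own secret, so the client's verification fails as well; both symptoms come from a single mismatch, and neither side can tell whether the secret is wrong or merely taken from a different client{} block. Since the server selects the block by the source address of the datagram, the check worth doing is to compare the `client.IP.addr` that `radiusd -X` prints in `rad_recv:` with the address of the block that holds the expected secret (NAT or a second interface on the remote host changes what the server sees). Note also that an Access-Request without a Message-Authenticator attribute carries no integrity check at all, which is why the server cannot report "wrong secret" directly and only warns about the unprintable password.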