Hi again, I'm trying to get FreeRadius to work with Heimdal Kerberos, so I can use it to authenticate my login on my HP-switch. I have searched and read a lot on the internet but I can't find anything useful, and now I am really lost.
######################################## My environment ######################################## Ubuntu Linux 8.04 FreeRadius 1.1.7-1build4 Heimdal-kdc 1.0.1-5ubuntu4 ######################################## My configuration ######################################## ############### Server ############### # Installed software and followed the configuration guide apt-get install freeradius heimdal-kdc heimdal-kcm # Configured Heimdal Kerberos # Creating the database kadmin -l kadmin> init ONE.COM Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: # Add user to database; here rofe kadmin> add rofe Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes []: [EMAIL PROTECTED]'s Password: Verifying - [EMAIL PROTECTED]'s Password: kadmin> exit # Opened ports in firewall kerberos 88 UDP Default configuration kerberos 88 TCP Alternative configurations for usage with firewalls see below # Added DNS in /etc/hosts 127.0.0.1 rofe.one.com # Test configuration kinit rofe klist rofe kdestroy # It works, I get a ticket. # Making service principal 'radius' and keytab file used by the switch kadmin -l kadmin> add radius # ext_keytab --keytab=<keytab-file> <principal> kadmin> ext_keytab --keytab=/etc/krb5.keytab radius/rofe.one.com # Edit /etc/freeradius/radiusd.conf to use Heimdal Kerberos # Add the following lines in the authenticate section Auth-Type Kerberos { krb5 } # Edit /etc/freeradius/radiusd.conf # Add the following lines in modules section krb5 { # keytab containing the key used by rlm_krb5 keytab = /etc/krb5.keytab # principal that is used by rlm_krb5 service_principal = radius/rofe.one.com } # Edit the /etc/freeradius/clients.conf # Add the switch as a client client 192.168.212.4 { secret = 123456 # Secret also configured on the switch - radius-server key <Unique Key> shortname = ProCurve2650 # Hostname of the swich nastype = other # Type of NAS (Radius Client) } ##### Now if I start FreeRadius with /usr/sbin/freeradius start -X and try to login on the switch I get this: # Output from FreeRadius -X startup # Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded Kerberos krb5: keytab = "/etc/krb5.keytab" krb5: service_principal = "radius/rofe.one.com" rlm_krb5: krb5_init ok Module: Instantiated krb5 (krb5) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. ##### And when I try to login from HP-switch with: user: rofe password: 123456 # Output from FreeRadius -X when login attempted # rad_recv: Access-Request packet from host 192.168.212.4:2841, id=59, length=94 User-Name = "rofe" User-Password = "123456" NAS-IP-Address = 192.168.212.4 NAS-Identifier = "ProCurve2650" NAS-Port-Type = Virtual Service-Type = NAS-Prompt-User Message-Authenticator = 0x4bb4032f84e185d55eb0f3683b0ab051 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 2 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 2 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_unix: [rofe]: invalid password modcall[authenticate]: module "unix" returns reject for request 2 modcall: leaving group authenticate (returns reject) for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 59 to 192.168.212.4 port 2841 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 59 with timestamp 48fd9cdd Nothing to do. Sleeping until we see a request. ##### This says that my realm is not found at all: rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL rlm_realm: No such realm "NULL" And when I try to login from HP-switch with: user: [EMAIL PROTECTED] password: 123456 # Output from FreeRadius -X when login attempted # rad_recv: Access-Request packet from host 192.168.212.4:2841, id=58, length=102 User-Name = "[EMAIL PROTECTED]" User-Password = "123456" NAS-IP-Address = 192.168.212.4 NAS-Identifier = "ProCurve2650" NAS-Port-Type = Virtual Service-Type = NAS-Prompt-User Message-Authenticator = 0x56710301a172a54c62ae1441046e0b4e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: Looking up realm "one.com" for User-Name = "[EMAIL PROTECTED]" rlm_realm: No such realm "one.com" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 modcall[authenticate]: module "unix" returns notfound for request 1 modcall: leaving group authenticate (returns notfound) for request 1 auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 58 to 192.168.212.4 port 2841 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 58 with timestamp 48fd9c82 Nothing to do. Sleeping until we see a request. ##### This says that my realm ONE.COM is not found: rlm_realm: Looking up realm "one.com" for User-Name = "[EMAIL PROTECTED]" rlm_realm: No such realm "one.com" If I try with my local linux user rofe/password I get this output: # Output from HP-switch # Please Enter Login Name: rofe Please Enter Password: Access denied: no user's privilege level supplied by the RADIUS server # Output from FreeRadius -X when login attempted # rad_recv: Access-Request packet from host 192.168.212.4:2841, id=64, length=94 User-Name = "rofe" User-Password = "<password removed>" NAS-IP-Address = 192.168.212.4 NAS-Identifier = "ProCurve2650" NAS-Port-Type = Virtual Service-Type = NAS-Prompt-User Message-Authenticator = 0x05c11e9f7c12361b373504a377975f99 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 7 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 7 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 7 modcall: leaving group authorize (returns ok) for request 7 rad_check_password: Found Auth-Type System auth: type "System" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 modcall[authenticate]: module "unix" returns ok for request 7 modcall: leaving group authenticate (returns ok) for request 7 Sending Access-Accept of id 64 to 192.168.212.4 port 2841 Finished request 7 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 7 ID 64 with timestamp 48fd9d9c Nothing to do. Sleeping until we see a request. ##### Where FreeRadius seems to accept me?: Sending Access-Accept of id 64 to 192.168.212.4 port 2841 But it still can't find my realm: rlm_realm: No '@' in User-Name = "rofe", looking up realm NULL rlm_realm: No such realm "NULL" # My Heimdal Kerberos configurations files # # /etc/krb5.conf # [realms] ONE.COM = { kdc = rofe admin_server = rofe } ############### HP-switch configuration ############### radius-server host 192.168.212.93 radius-server key 123456 aaa authentication ssh login radius local aaa authentication ssh enable radius local aaa authentication telnet login radius local aaa authentication telnet enable radius local aaa authentication login privilege-mode ############### Debugging ############### I have tried to debug it myself using these guidelines: http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#Debugging_it_yourself Step 7-8 gives me: [EMAIL PROTECTED]:/etc/freeradius# radtest bob bob localhost 0 testing123 Sending Access-Request of id 134 to 127.0.0.1 port 1812 User-Name = "bob" User-Password = "bob" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=134, length=32 Reply-Message = "Hello, bob" If I try with my Kerberos user I get this: [EMAIL PROTECTED]:/etc/freeradius# radtest rofe 123456 localhost 0 testing123 Sending Access-Request of id 152 to 127.0.0.1 port 1812 User-Name = "rofe" User-Password = "123456" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=152, length=20 And if I try with my local linux user I get this: [EMAIL PROTECTED]:/etc/freeradius# radtest rofe <password removed> localhost 0 testing123 Sending Access-Request of id 162 to 127.0.0.1 port 1812 User-Name = "rofe" User-Password = "<password removed>" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=162, length=20 #################### It looks to me that FreeRadius is not using Kerberos to authenticate users? It cant seem to find the realm, I have even tried to make another user, with a username different of my local linux user, but I get the same error, that the realm ONE.COM is not found. As said in the beginning, I have searched the internet and read a lot, but can't find anything useful. Any help to get this to work is appriciated! - Ronni - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html