Quoting Phil Mayers <p.may...@imperial.ac.uk>:

... you should be using 2.2.0 or 2.2.1 when it's released, as the
2.1.10/11/12 releases have a known security issue.

I'll be sure to install 2.2.x as soon as a Debian package becomes available for it, but for now I'm going to stick with 2.1.x.

I see from the (limited) debug output you've given that you're forcing Auth-Type in a "users" file. This is usually a mistake, and can cause confusing errors.

If I leave it out, 2.1.10 doesn't work for me.

What follows is a description of how I modified my Freeradius server's default configuration in order to get it working for me on Debian squeeze with Kerberos support. After installing the freeradius and freeradius-krb5 packages along with some dependencies, this is what I did:

1.) Added to the end of /etc/freeradius/clients.conf:

  client 192.168.2.2 {
      secret    = <long_secret_string_1>
      shortname = <my_ssid>
  }

2.) Modified attribute in /etc/freeradius/eap.conf, section 'eap':

  default_eap_type = ttls

Modified attribute in subsection 'tls':

  private_key_password = <long_secret_string_2>

3.) Added this line to the end of /etc/freeradius/users:

  DEFAULT Auth-Type = krb5

4.) Changed these two lines in /etc/freeradius/modules/krb5:

  keytab = /etc/freeradius/freeradius.keytab
  service_principal = radius/<host.name>

5.) In /etc/freeradius/sites-enabled/inner-tunnel, added an extra line with 'krb5' below the line 'pam' (which is commented out) in section 'authenticate'.

6.) Installed and configured a Kerberos client on the Freeradius host. Of course, this included using kadmin to create a host principal, host/<host.name>, as well as a matching keytab (/etc/krb5.keytab) on the Freeradius host.

7.) Used the kadmin console again on the Freeradius host to create a radius service principal: radius/<host.name>

8.) Created a keytab for the radius service principal: /etc/freeradius/freeradius.keytab

9.) Generated a set of self-signed certificates that I copied to the /etc/freeradius/certs directory.

When all of this works, 'freeradius -X' shows the following output:

=== Begin 2.1.10 success ================================

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "jwinius"
        User-Password = "<my_password>"
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "jwinius"
        User-Password = "<my_password>"
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 207
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = krb5
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
++[krb5] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.2.2 port 1025
        MS-MPPE-Recv-Key = 0xab083ff864d0156503438d3bac157120ac64723522901d27a41564a100bb42a8
        MS-MPPE-Send-Key = 0xb31e8a4a4cfe891d652a209aa8e14e5eaa460d3becda0c6cb7d23f5e181c159c
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jwinius"

=== End 2.1.10 success ==================================

On the other hand, it doesn't work if I remove the 'DEFAULT Auth-Type = krb5' in the users file. Without that line I get this result:

=== Begin 2.1.10 fail ===================================

[eap] EAP packet type response id 6 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "jwinius"
        User-Password = "<my_password>"
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "jwinius"
        User-Password = "<my_password>"
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "jwinius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> jwinius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 0 to 192.168.2.2 port 1025
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000

=== End 2.1.10 fail =====================================

After upgrading to 2.1.12, what kills my setup is that Freeradius will no longer start up if I leave 'DEFAULT Auth-Type = krb5' enabled in the users file. But if I disable it, I get exactly the same failure output as I do from 2.1.10 when I disable that line in the users file.

Cheers,

Jaap
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
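The two transcripts above carry the whole diagnosis, but it is easy to miss in a few hundred lines of 'freeradius -X' output. The script below is an added example, not code from the post or from the FreeRADIUS project: it reads a 2.1.x debug transcript, reports the final verdict and the module return codes, flags the two conditions visible in the thread (no authorize module set Auth-Type, and rlm_krb5 returning ok right after "host key not found"), and redacts the User-Password and MS-MPPE keys that -X prints in clear. The embedded sample logs are the decisive lines from the two transcripts with a constructed password in place of <my_password>; the line patterns are matched literally and assume the 2.1.x debug format.

```python
"""Triage helper for 'freeradius -X' output (added example, not from the post).

Assumptions not in the original thread: log lines use the 2.1.x debug format
shown in the thread, and module names and messages are matched literally.
"""
import re

# Constructed sample input: the decisive lines from the two transcripts in the
# post, with a made-up password in place of <my_password>.
SUCCESS_LOG = """\
++[files] returns ok
Found Auth-Type = krb5
+- entering group authenticate {...}
rlm_krb5: verify_krb_v5_tgt: host key not found : Permission denied
++[krb5] returns ok
[ttls] Got tunneled Access-Accept
Sending Access-Accept of id 0 to 192.168.2.2 port 1025
        MS-MPPE-Recv-Key = 0xab083ff864d0156503438d3bac157120ac64723522901d27a41564a100bb42a8
        User-Password = "hunter2"
"""

FAIL_LOG = """\
++[files] returns noop
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
[ttls] Got tunneled Access-Reject
Sending Access-Reject of id 0 to 192.168.2.2 port 1025
"""

MODULE_RE = re.compile(r"^\+\+\[(?P<mod>[\w.]+)\] returns (?P<rc>\w+)")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (?P<type>\S+)")
SEND_RE = re.compile(r"^Sending Access-(?P<verdict>Accept|Reject) of id")
NO_AUTH_TYPE = "No authenticate method (Auth-Type) found"
HOST_KEY_MISSING = "verify_krb_v5_tgt: host key not found"


def redact(line):
    """Blank out the secrets -X prints in clear before the log is shared."""
    line = re.sub(r'(User-Password\s*=\s*)"[^"]*"', r'\1"<redacted>"', line)
    line = re.sub(r"(MS-MPPE-(?:Recv|Send)-Key\s*=\s*)0x[0-9a-fA-F]+",
                  r"\1<redacted>", line)
    return line


def triage(log_text):
    """Summarise one request's debug output.

    Returns the final verdict, the Auth-Type that was selected, the return
    code of every module that ran, and two flags:
      missing_auth_type        - no authorize module set Auth-Type
      krb5_ok_without_host_key - rlm_krb5 could not read its service key from
                                 the keytab but still returned ok, so the TGT
                                 was never verified against that key
    """
    result = {
        "verdict": "unknown",
        "auth_type": None,
        "module_results": {},
        "missing_auth_type": False,
        "krb5_ok_without_host_key": False,
    }
    host_key_failed = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MODULE_RE.match(line):
            result["module_results"][m["mod"]] = m["rc"]
            if m["mod"] == "krb5" and m["rc"] == "ok" and host_key_failed:
                result["krb5_ok_without_host_key"] = True
        elif m := AUTH_TYPE_RE.match(line):
            result["auth_type"] = m["type"]
        elif m := SEND_RE.match(line):
            result["verdict"] = m["verdict"].lower()
        elif NO_AUTH_TYPE in line:
            result["missing_auth_type"] = True
        elif HOST_KEY_MISSING in line:
            host_key_failed = True
    return result


def hints(result):
    """Turn the flags into the checks a practitioner would run next."""
    out = []
    if result["missing_auth_type"]:
        out.append("No authorize module set Auth-Type, so the inner tunnel "
                   "rejected the request before any authenticate module ran.")
    if result["krb5_ok_without_host_key"]:
        out.append("rlm_krb5 accepted the user without reading its service key: "
                   "check that the keytab named in modules/krb5 is readable by "
                   "the user radiusd runs as, since the service-key check is "
                   "what guards against a spoofed KDC answering the password "
                   "verification.")
    return out


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("fail", FAIL_LOG)):
        summary = triage(log)
        print(f"== {name}: verdict={summary['verdict']} "
              f"auth_type={summary['auth_type']}")
        for h in hints(summary):
            print("   hint:", h)
        for l in log.splitlines():
            print("  ", redact(l))
```

On the "success" transcript the script reports the accept but also points out that rlm_krb5 logged "Permission denied" on the keytab and still returned ok; on the "fail" transcript it reports that files returned noop and nothing set Auth-Type, which is the difference the DEFAULT entry in the users file papers over.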